authorCoprDistGit <infra@openeuler.org>2024-08-06 02:46:37 +0000
committerCoprDistGit <infra@openeuler.org>2024-08-06 02:46:37 +0000
commitbc2e9d404aa4373a1352088447d0dea245f1d7fd (patch)
tree92005dc1e7ff62abf362e1a28ef8f2521a1cef02 /libreswan-4.6-ikev1-policy-defaults-to-drop.patch
parenta329f3086095d92a2542328492ebd33dcaff93ca (diff)
automatic import of libreswanopeneuler24.03_LTS
Diffstat (limited to 'libreswan-4.6-ikev1-policy-defaults-to-drop.patch')
-rw-r--r--libreswan-4.6-ikev1-policy-defaults-to-drop.patch63
1 files changed, 63 insertions, 0 deletions
diff --git a/libreswan-4.6-ikev1-policy-defaults-to-drop.patch b/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
new file mode 100644
index 0000000..40073d5
--- /dev/null
+++ b/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
@@ -0,0 +1,63 @@
+From 13720e0dedcab1eaf3334a73a42b68581acd9f3b Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 7 Jan 2022 18:36:47 -0500
+Subject: [PATCH] ikev1-policy defaults to drop
+
+IKEv2 has been available for 16 years (RFC 4306 was published December
+2005). At some point, we should be discouraging IKEv1 adoption.
+
+To the extent that a user needs IKEv1, they can manually add
+ikev1-policy=accept to /etc/ipsec.conf.
+---
+ configs/d.ipsec.conf/ikev1-policy.xml | 7 ++++---
+ include/ipsecconf/keywords.h | 2 +-
+ lib/libipsecconf/confread.c | 1 +
+ programs/pluto/server.c | 5 -----
+ 4 files changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/configs/d.ipsec.conf/ikev1-policy.xml b/configs/d.ipsec.conf/ikev1-policy.xml
+index 17d1747e3b..3bd6702564 100644
+--- a/configs/d.ipsec.conf/ikev1-policy.xml
++++ b/configs/d.ipsec.conf/ikev1-policy.xml
+@@ -3,9 +3,10 @@
+ <listitem>
+ <para>
+ What to do with received IKEv1 packets. Valid options are
+-<emphasis remap='B'>accept</emphasis> (default), <emphasis remap='B'>reject</emphasis> which
+-will reply with an error, and <emphasis remap='B'>drop</emphasis> which will silently drop
+-any received IKEv1 packet. If this option is set to drop or reject, an attempt to load an
++<emphasis remap='B'>drop</emphasis> (default) which will silently drop
++any received IKEv1 packet, <emphasis remap='B'>accept</emphasis>, and
++<emphasis remap='B'>reject</emphasis> which will reply with an error.
++If this option is set to drop or reject, an attempt to load an
+ IKEv1 connection will fail, as these connections would never be able to receive a packet
+ for processing.
+ </para>
+diff --git a/include/ipsecconf/keywords.h b/include/ipsecconf/keywords.h
+index 660847733c..31b519242a 100644
+--- a/include/ipsecconf/keywords.h
++++ b/include/ipsecconf/keywords.h
+@@ -111,7 +111,7 @@ enum keyword_numeric_config_field {
+
+ KBF_LISTEN_TCP, /* listen on TCP port 4500 - default no */
+ KBF_LISTEN_UDP, /* listen on UDP port 500/4500 - default yes */
+- KBF_GLOBAL_IKEv1, /* global ikev1 policy - default accept */
++ KBF_GLOBAL_IKEv1, /* global ikev1 policy - default drop */
+ KBF_ROOF
+ };
+
+diff --git a/lib/libipsecconf/confread.c b/lib/libipsecconf/confread.c
+index 5b5aba723f..68fbccf442 100644
+--- a/lib/libipsecconf/confread.c
++++ b/lib/libipsecconf/confread.c
+@@ -95,6 +95,7 @@ static void ipsecconf_default_values(struct starter_config *cfg)
+ /* Don't inflict BSI requirements on everyone */
+ SOPT(KBF_SEEDBITS, 0);
+ SOPT(KBF_DROP_OPPO_NULL, false);
++ SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP);
+
+ #ifdef HAVE_LABELED_IPSEC
+ SOPT(KBF_SECCTX, SECCTX);
+--
+2.34.1
+
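Review bot: The embedded patch's own diffstat lists `programs/pluto/server.c | 5 -----` and "4 files changed", but the patch body carries hunks for only three files (ikev1-policy.xml, keywords.h, confread.c) before the `--` trailer, so the stat no longer describes the content. If the server.c hunk was dropped on purpose when adapting the upstream commit to 4.6, regenerate the stat (or strip it) so `git am`/`git apply --stat` and readers are not misled; if it was lost, the new `SOPT(KBF_GLOBAL_IKEv1, GLOBAL_IKEv1_DROP)` default may still be overridden by whatever server.c does, which cannot be confirmed from this page. The confread.c hunk also assumes `GLOBAL_IKEv1_DROP` is already visible in that translation unit without a new include; worth a build check. Since the change flips a global default in a way that silently breaks existing IKEv1 deployments (drops packets and, per the xml text, refuses to load IKEv1 connections), a one-line note in the package changelog pointing to `ikev1-policy=accept` would help operators diagnose it.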