Add all patches from https://bugzilla.redhat.com/show_bug.cgi?id=1153315

91ef48e8 · CeRiAl · 4ec4f4fd · 91ef48e8 · 91ef48e8 · 91ef48e8
Commit 91ef48e8 authored Mar 26, 2015 by CeRiAl
6 changed files
--- a/patches/ipsec-setup-patch-948191.patch
+++ b/patches/ipsec-setup-patch-948191.patch
+When the ipsec setup script is called with a "restart" argument, it
+doesn't start up the ipsec service unless the service is already
+running.  That's bad because the service is not started by default.
+This patch changes the script so that if the service isn't already
+running, it will be started.
+Index: /usr/libexec/ipsec/setup
+===================================================================
+--- /usr/libexec/ipsec/setup.orig	2014-09-09 14:38:45.000000000 -0400
+++ /usr/libexec/ipsec/setup	2014-10-18 17:11:22.138693113 -0400
+@@ -156,16 +156,16 @@
+ 	exit 0
+ 	;;
+     restart|--restart)
+-	# assumes preparations for running have already been done, as service should be running now
+ 	if [ ${initsystem} = systemd ]; then
+	    # do not use 'restart' because systemd is overly "smart"
+	    # and will refuse the restart when stopped.
+ 	    systemctl status ipsec.service > /dev/null
+ 	    RETVAL=$?
+ 	    if [ $RETVAL -ne 0 ]; then
+ 		echo "systemd: ipsec service is not running"
+-		exit 1
+		# start everything from scratch
+		exec $0 start
+ 	    else
+-		# do not use 'restart' because systemd is overly "smart"
+-		# and will refuse the restart when stopped.
+ 		echo "Redirecting to: systemctl stop+start ipsec.service"
+ 		systemctl stop ipsec.service
+ 		exec systemctl start ipsec.service
--- a/patches/nm-l2tp-hide-secrets-948194.patch
+++ b/patches/nm-l2tp-hide-secrets-948194.patch
+When nm-l2tp-service creates a temporary file to hold the secret key
+for an IPsec connection, the file it creates is world-readable!  Even
+though the file persists for a short time, this is clearly a security
+risk.
+This patch changes the umask so that the temp file will be accessible
+only to root.
+ src/nm-l2tp-service.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+Index: NetworkManager-l2tp-0.9.8.7/src/nm-l2tp-service.c
+===================================================================
+--- NetworkManager-l2tp-0.9.8.7.orig/src/nm-l2tp-service.c
+++ NetworkManager-l2tp-0.9.8.7/src/nm-l2tp-service.c
+@@ -888,6 +888,7 @@ nm_l2tp_start_ipsec(NML2tpPlugin *plugin
+ 	char session_name[128];
+ 	guint sys=0;
+ 	FILE *fp;
+	mode_t orig_umask;
+ 	if (!(ipsec_binary=nm_find_ipsec())) {
+ 		g_set_error (error,
+@@ -938,7 +939,9 @@ nm_l2tp_start_ipsec(NML2tpPlugin *plugin
+ 		return FALSE;
+ 	}
+	orig_umask = umask(0077);
+ 	if(!(fp=fopen("/etc/ipsec.secrets","w"))) {
+		umask(orig_umask);
+ 		rename(tmp_secrets, "/etc/ipsec.secrets");
+ 		g_set_error (error,
+ 		             NM_VPN_PLUGIN_ERROR,
+@@ -957,6 +960,7 @@ nm_l2tp_start_ipsec(NML2tpPlugin *plugin
+ 	if(!value)value="";
+ 	fprintf(fp, ": PSK \"%s\"\n",value);
+ 	fclose(fp);
+	umask(orig_umask);
+ 	sys += system("PATH=\"/sbin:/usr/sbin:/usr/local/sbin:$PATH\" ipsec secrets");
+ 	sys += system(cmd11);
--- a/patches/nm-l2tp-parameters-948197.patch
+++ b/patches/nm-l2tp-parameters-948197.patch
+The IPsec parameters set up by nm-l2tp-service contain several
+obsolete and redundant entries.  More importantly, they omit the
+rightprotoport option; without the port number, the remote server
+won't realize that the connection is intended to carry an L2TP tunnel
+and (in the case of my server, at least) won't accept the connection.
+The nat_traversal and force_keepalive options are obsolete.  The esp
+and ike options are unnecessary since the daemon's defaults allow a
+wider choice and are updated now and then to remove encryption and
+authentication algorithms that are no longer secure.  This patch
+removes all four, and it adds the rightprotoport and leftprotoport
+(for symmetry, though it's not really necessary) options.
+ src/nm-l2tp-service.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+Index: NetworkManager-l2tp-0.9.8.7/src/nm-l2tp-service.c
+===================================================================
+--- NetworkManager-l2tp-0.9.8.7.orig/src/nm-l2tp-service.c
+++ NetworkManager-l2tp-0.9.8.7/src/nm-l2tp-service.c
+@@ -1153,8 +1153,6 @@ nm_l2tp_config_write (NML2tpPlugin *plug
+ 	}
+ 	write_config_option (ipsec_fd, "version 2.0\n"
+ "config setup\n"
+-"  nat_traversal=yes\n"
+-"  force_keepalive=yes\n"
+ "  protostack=netkey\n"
+ "  keep_alive=60\n"
+ "\n");
+@@ -1167,16 +1165,17 @@ nm_l2tp_config_write (NML2tpPlugin *plug
+ "  authby=secret\n"
+ "  keyingtries=0\n"
+ "  left=%%defaultroute\n");
+	write_config_option (ipsec_fd, "  leftprotoport=17/0\n");
+ 	value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_IPSEC_GROUP_NAME);
+ 	if(value)write_config_option (ipsec_fd, "  leftid=@%s\n", value);
+ 	/* value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_GATEWAY); */
+
+ 	write_config_option (ipsec_fd, "  right=%s\n", priv->saddr);
+	write_config_option (ipsec_fd, "  rightprotoport=17/1701\n");
+ 	value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_IPSEC_GATEWAY_ID);
+ 	if(value)write_config_option (ipsec_fd, "  rightid=@%s\n", value);
+ 	write_config_option (ipsec_fd,
+-"  esp=3des-sha1\n"
+ "  keyexchange=ike\n"
+-"  ike=3des-sha1-modp1024\n"
+ "  aggrmode=no\n"
+ "  forceencaps=yes\n");
--- a/patches/nm-l2tp-startup-delay-948193.patch
+++ b/patches/nm-l2tp-startup-delay-948193.patch
+The pluto daemon takes some time to initialize.  It can't be used
+immediately after start-up.  Wait for one second before trying to
+connect to it.
+ src/nm-l2tp-service.c |    3 +++
+ 1 file changed, 3 insertions(+)
+Index: NetworkManager-l2tp-0.9.8.7/src/nm-l2tp-service.c
+===================================================================
+--- NetworkManager-l2tp-0.9.8.7.orig/src/nm-l2tp-service.c
+++ NetworkManager-l2tp-0.9.8.7/src/nm-l2tp-service.c
+@@ -903,6 +903,9 @@ nm_l2tp_start_ipsec(NML2tpPlugin *plugin
+ 	"PATH=/usr/local/sbin:/usr/sbin:/sbin; export PATH;"
+ 	"[ \"x$defaultrouteaddr\" = \"x\" ] && ipsec setup restart");
+	/* Give pluto time to start up */
+	sleep(1);
+
+ 	sys += system("PATH=/usr/local/sbin:/usr/sbin:/sbin ipsec whack"
+ 			" --listen");
+ 	sprintf(cmd1,"test -e /var/run/pluto/ipsec.info && . /var/run/pluto/ipsec.info;"
--- a/patches/nm-l2tp-track-state-948196.patch
+++ b/patches/nm-l2tp-track-state-948196.patch
+The nm-l2tp-service program doesn't keep proper track of the state of
+the IPsec connection.  Although a flag is tested to see whether the
+connection is up, this flag is never set or cleared.  As a result, the
+connection information doesn't get deleted from the ipsec daemon's
+memory after it is taken down, and the daemon keeps trying to
+re-establish it.
+This patch sets and clears the priv->ipsec_up flag at the appropriate
+times.
+ src/nm-l2tp-service.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+Index: NetworkManager-l2tp-0.9.8.7/src/nm-l2tp-service.c
+===================================================================
+--- NetworkManager-l2tp-0.9.8.7.orig/src/nm-l2tp-service.c
+++ NetworkManager-l2tp-0.9.8.7/src/nm-l2tp-service.c
+@@ -636,6 +636,7 @@ l2tpd_watch_cb (GPid pid, gint status, g
+ 	if(priv->ipsec_up) {
+ 		nm_l2tp_stop_ipsec();
+		priv->ipsec_up = FALSE;
+ 	}
+ 	/* Cleaning up config files */
+@@ -880,7 +881,7 @@ nm_l2tp_start_ipsec(NML2tpPlugin *plugin
+                             NMSettingVPN *s_vpn,
+                             GError **error)
+ {
+-	// NML2tpPluginPrivate *priv = NM_L2TP_PLUGIN_GET_PRIVATE (plugin);
+	NML2tpPluginPrivate *priv = NM_L2TP_PLUGIN_GET_PRIVATE (plugin);
+ 	const char *ipsec_binary;
+ 	const char *value;
+ 	char tmp_secrets[128];
+@@ -980,6 +981,7 @@ nm_l2tp_start_ipsec(NML2tpPlugin *plugin
+ 		return FALSE;
+ 	}
+	priv->ipsec_up = TRUE;
+ 	g_message(_("ipsec ready for action"));
+ 	return TRUE;
+ }
+@@ -1539,6 +1541,7 @@ real_disconnect (NMVPNPlugin   *plugin,
+ 	if(priv->ipsec_up) {
+ 		nm_l2tp_stop_ipsec();
+		priv->ipsec_up = FALSE;
+ 	}
+ 	if (priv->connection) {
--- a/patches/nm-l2tp-unneeded-cmd-948195.patch
+++ b/patches/nm-l2tp-unneeded-cmd-948195.patch
+The nm-l2tp-service program issues an apparently redundant command to
+the ipsec daemon -- it ends up adding the parameters for new
+connection twice.  There's no obvious reason for this, so this patch
+comments out the extra command.
+ src/nm-l2tp-service.c |    2 ++
+ 1 file changed, 2 insertions(+)
+Index: NetworkManager-l2tp-0.9.8.7/src/nm-l2tp-service.c
+===================================================================
+--- NetworkManager-l2tp-0.9.8.7.orig/src/nm-l2tp-service.c
+++ NetworkManager-l2tp-0.9.8.7/src/nm-l2tp-service.c
+@@ -963,7 +963,9 @@ nm_l2tp_start_ipsec(NML2tpPlugin *plugin
+ 	umask(orig_umask);
+ 	sys += system("PATH=\"/sbin:/usr/sbin:/usr/local/sbin:$PATH\" ipsec secrets");
+#if 0
+ 	sys += system(cmd11);
+#endif
+ 	sys += system(cmd1);
+ 	sys += system(cmd2);