diff --git a/dist b/dist index 9c0e36ec42a2d9bfefacb21ac6354c9ddd910533..1fe92cf0fdf9c2625d878a2ace258f64c1e8ca44 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an8 +an8_10 diff --git a/libreswan-4.12-ikev2-auth-delete-state.patch b/libreswan-4.12-ikev2-auth-delete-state.patch new file mode 100644 index 0000000000000000000000000000000000000000..c17b457d72abc831ed95890dda618a9d218a3532 --- /dev/null +++ b/libreswan-4.12-ikev2-auth-delete-state.patch @@ -0,0 +1,54 @@ +From 2ec448884a7467743699803f8a36ee28d237666c Mon Sep 17 00:00:00 2001 +From: Andrew Cagney +Date: Wed, 28 Feb 2024 08:29:53 -0500 +Subject: [PATCH] ikev2: return STF_FATAL when initiator fails to emit AUTH + packet + +--- + programs/pluto/ikev2_ike_auth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/programs/pluto/ikev2_ike_auth.c b/programs/pluto/ikev2_ike_auth.c +index 192eb1b3b6..a54a109699 100644 +--- a/programs/pluto/ikev2_ike_auth.c ++++ b/programs/pluto/ikev2_ike_auth.c +@@ -1267,7 +1267,7 @@ static stf_status process_v2_IKE_AUTH_request_auth_signature_continue(struct ike + /* now send AUTH payload */ + + if (!emit_local_v2AUTH(ike, auth_sig, &ike->sa.st_v2_id_payload.mac, response.pbs)) { +- return STF_INTERNAL_ERROR; ++ return STF_FATAL; + } + ike->sa.st_v2_ike_intermediate.used = false; + +-- +2.44.0 + +From 16272f2475d25baab58fbed2af7c67cfb459137f Mon Sep 17 00:00:00 2001 +From: Andrew Cagney +Date: Thu, 29 Feb 2024 12:19:20 -0500 +Subject: [PATCH] ikev2: always return STF_FATAL if emitting AUTH fails + +Fix: + ikev2: return STF_FATAL when initiator fails to emit AUTH packet +which really fixed the responder. +--- + programs/pluto/ikev2_ike_auth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/programs/pluto/ikev2_ike_auth.c b/programs/pluto/ikev2_ike_auth.c +index a54a109699..491053fb10 100644 +--- a/programs/pluto/ikev2_ike_auth.c ++++ b/programs/pluto/ikev2_ike_auth.c +@@ -397,7 +397,7 @@ stf_status initiate_v2_IKE_AUTH_request_signature_continue(struct ike_sa *ike, + /* send out the AUTH payload */ + + if (!emit_local_v2AUTH(ike, auth_sig, &ike->sa.st_v2_id_payload.mac, request.pbs)) { +- return STF_INTERNAL_ERROR; ++ return STF_FATAL; + } + + if (LIN(POLICY_MOBIKE, ike->sa.st_connection->policy)) { +-- +2.44.0 + diff --git a/libreswan.spec b/libreswan.spec index c5c764d09d1dabdc40ddd3dc99f5b58da84d5915..61d794b042b572d6231f4fa8fae1f59f169e24f4 100644 --- a/libreswan.spec +++ b/libreswan.spec @@ -38,7 +38,7 @@ Name: libreswan Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols # version is generated in the release script Version: 4.12 -Release: %{?prever:0.}2%{?prever:.%{prever}}%{anolis_release}%{?dist} +Release: %{?prever:0.}2%{?prever:.%{prever}}%{anolis_release}%{?dist}.3 License: GPLv2 Url: https://libreswan.org/ @@ -54,6 +54,7 @@ Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch Patch3: libreswan-4.1-maintain-obsolete-keywords.patch Patch6: libreswan-4.3-1934186-config.patch Patch7: libreswan-4.9-2176248-authby-rsasig.patch +Patch8: libreswan-4.12-ikev2-auth-delete-state.patch #Add by Anolis Patch1000: 0001-libreswan-anolis-rebrand-to-anolis.patch @@ -117,6 +118,7 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %patch3 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 %patch1000 -p1 # linking to freebl is not needed @@ -221,12 +223,18 @@ certutil -N -d sql:$tmpdir --empty-password %attr(0644,root,root) %doc %{_mandir}/*/* %changelog -* Tue Mar 19 2024 yangxiaoxuan - 4.12-2.0.2 -- Rebuild due to unbound-libs update - -* Wed Dec 06 2023 yangxiaoxuan - 4.12-2.0.1 +* Fri Jun 28 2024 yangxiaoxuan - 4.12-2.0.2.3 - Rebrand to anolis +* Wed Apr 17 2024 Daiki Ueno - 4.12-2.3 +- Bump release to ensure el8 package is greater than el8_* packages + +* Tue Apr 16 2024 Daiki Ueno - 4.12-2.2 +- Fix patch application in the previous change + +* Mon Apr 15 2024 Daiki Ueno - 4.12-2.1 +- Fix CVE-2024-2357 (RHEL-28742) + * Fri Aug 25 2023 Daiki Ueno - 4.12-2 - Resolves: rhbz#2234731 authby=rsasig fails in FIPS policy