- ikev2: return STF_FATAL when initiator fails to emit AUTH

packet

SOURCES/libreswan-4.12-ikev2-auth-delete-state.patch

@@ -0,0 +1,54 @@
+From 2ec448884a7467743699803f8a36ee28d237666c Mon Sep 17 00:00:00 2001
+From: Andrew Cagney <cagney@gnu.org>
+Date: Wed, 28 Feb 2024 08:29:53 -0500
+Subject: [PATCH] ikev2: return STF_FATAL when initiator fails to emit AUTH
+ packet
+
+---
+ programs/pluto/ikev2_ike_auth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/programs/pluto/ikev2_ike_auth.c b/programs/pluto/ikev2_ike_auth.c
+index 192eb1b3b6..a54a109699 100644
+--- a/programs/pluto/ikev2_ike_auth.c
++++ b/programs/pluto/ikev2_ike_auth.c
+@@ -1267,7 +1267,7 @@ static stf_status process_v2_IKE_AUTH_request_auth_signature_continue(struct ike
+ 	/* now send AUTH payload */
+ 
+ 	if (!emit_local_v2AUTH(ike, auth_sig, &ike->sa.st_v2_id_payload.mac, response.pbs)) {
+-		return STF_INTERNAL_ERROR;
++		return STF_FATAL;
+ 	}
+ 	ike->sa.st_v2_ike_intermediate.used = false;
+ 
+-- 
+2.44.0
+
+From 16272f2475d25baab58fbed2af7c67cfb459137f Mon Sep 17 00:00:00 2001
+From: Andrew Cagney <cagney@gnu.org>
+Date: Thu, 29 Feb 2024 12:19:20 -0500
+Subject: [PATCH] ikev2: always return STF_FATAL if emitting AUTH fails
+
+Fix:
+  ikev2: return STF_FATAL when initiator fails to emit AUTH packet
+which really fixed the responder.
+---
+ programs/pluto/ikev2_ike_auth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/programs/pluto/ikev2_ike_auth.c b/programs/pluto/ikev2_ike_auth.c
+index a54a109699..491053fb10 100644
+--- a/programs/pluto/ikev2_ike_auth.c
++++ b/programs/pluto/ikev2_ike_auth.c
+@@ -397,7 +397,7 @@ stf_status initiate_v2_IKE_AUTH_request_signature_continue(struct ike_sa *ike,
+ 	/* send out the AUTH payload */
+ 
+ 	if (!emit_local_v2AUTH(ike, auth_sig, &ike->sa.st_v2_id_payload.mac, request.pbs)) {
+-		return STF_INTERNAL_ERROR;
++		return STF_FATAL;
+ 	}
+ 
+ 	if (LIN(POLICY_MOBIKE, ike->sa.st_connection->policy)) {
+-- 
+2.44.0
+

SPECS/libreswan.spec

@@ -37,7 +37,7 @@ Name: libreswan
 Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
 # version is generated in the release script
 Version: 4.12
-Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
+Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}.2.alma.1
 License: GPLv2
 Url: https://libreswan.org/
 
@@ -54,6 +54,10 @@ Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
 Patch6: libreswan-4.3-1934186-config.patch
 Patch7: libreswan-4.9-2176248-authby-rsasig.patch
 
+# Patches were taken from:
+# https://gitlab.com/redhat/centos-stream/rpms/libreswan/-/commit/2016c6075dfad82538a348bc9276556e7941d230
+Patch8: libreswan-4.12-ikev2-auth-delete-state.patch
+
 BuildRequires: audit-libs-devel
 BuildRequires: bison
 BuildRequires: curl-devel
@@ -112,6 +116,7 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
 %patch3 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 
 # linking to freebl is not needed
 sed -i "s/-lfreebl //" mk/config.mk
@@ -215,6 +220,10 @@ certutil -N -d sql:$tmpdir --empty-password
 %attr(0644,root,root) %doc %{_mandir}/*/*
 
 %changelog
+* Mon Apr 15 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.2.alma.1
+- ikev2: return STF_FATAL when initiator fails to emit AUTH
+ packet
+
 * Fri Aug 25 2023 Daiki Ueno <dueno@redhat.com> - 4.12-2
 - Resolves: rhbz#2234731 authby=rsasig fails in FIPS policy