import CS libreswan-4.12-2.el8.3

.gitignore

@@ -1,4 +1,4 @@
 SOURCES/ikev1_dsa.fax.bz2
 SOURCES/ikev1_psk.fax.bz2
 SOURCES/ikev2.fax.bz2
-SOURCES/libreswan-4.9.tar.gz
+SOURCES/libreswan-4.12.tar.gz

.libreswan.metadata

@@ -1,4 +1,4 @@
 b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
 861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
 fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
-12b7351ca7e6ba1ac787239e67027a4d82f02f10 SOURCES/libreswan-4.9.tar.gz
+786c14a4755311ea3103683a3294e1536b1e44a6 SOURCES/libreswan-4.12.tar.gz

SOURCES/libreswan-4.12-ikev2-auth-delete-state.patch

@@ -0,0 +1,54 @@
+From 2ec448884a7467743699803f8a36ee28d237666c Mon Sep 17 00:00:00 2001
+From: Andrew Cagney <cagney@gnu.org>
+Date: Wed, 28 Feb 2024 08:29:53 -0500
+Subject: [PATCH] ikev2: return STF_FATAL when initiator fails to emit AUTH
+ packet
+
+---
+ programs/pluto/ikev2_ike_auth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/programs/pluto/ikev2_ike_auth.c b/programs/pluto/ikev2_ike_auth.c
+index 192eb1b3b6..a54a109699 100644
+--- a/programs/pluto/ikev2_ike_auth.c
++++ b/programs/pluto/ikev2_ike_auth.c
+@@ -1267,7 +1267,7 @@ static stf_status process_v2_IKE_AUTH_request_auth_signature_continue(struct ike
+ 	/* now send AUTH payload */
+ 
+ 	if (!emit_local_v2AUTH(ike, auth_sig, &ike->sa.st_v2_id_payload.mac, response.pbs)) {
+-		return STF_INTERNAL_ERROR;
++		return STF_FATAL;
+ 	}
+ 	ike->sa.st_v2_ike_intermediate.used = false;
+ 
+-- 
+2.44.0
+
+From 16272f2475d25baab58fbed2af7c67cfb459137f Mon Sep 17 00:00:00 2001
+From: Andrew Cagney <cagney@gnu.org>
+Date: Thu, 29 Feb 2024 12:19:20 -0500
+Subject: [PATCH] ikev2: always return STF_FATAL if emitting AUTH fails
+
+Fix:
+  ikev2: return STF_FATAL when initiator fails to emit AUTH packet
+which really fixed the responder.
+---
+ programs/pluto/ikev2_ike_auth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/programs/pluto/ikev2_ike_auth.c b/programs/pluto/ikev2_ike_auth.c
+index a54a109699..491053fb10 100644
+--- a/programs/pluto/ikev2_ike_auth.c
++++ b/programs/pluto/ikev2_ike_auth.c
+@@ -397,7 +397,7 @@ stf_status initiate_v2_IKE_AUTH_request_signature_continue(struct ike_sa *ike,
+ 	/* send out the AUTH payload */
+ 
+ 	if (!emit_local_v2AUTH(ike, auth_sig, &ike->sa.st_v2_id_payload.mac, request.pbs)) {
+-		return STF_INTERNAL_ERROR;
++		return STF_FATAL;
+ 	}
+ 
+ 	if (LIN(POLICY_MOBIKE, ike->sa.st_connection->policy)) {
+-- 
+2.44.0
+

SOURCES/libreswan-4.9-cve-2023-23009.patch

@@ -1,84 +0,0 @@
-From 7a6c217f47b1ae37e32b173dc6d3ea7fdb86d532 Mon Sep 17 00:00:00 2001
-From: Paul Wouters <paul.wouters@aiven.io>
-Date: Tue, 28 Feb 2023 11:24:22 -0500
-Subject: [PATCH 1/2] pluto: abort processing corrupt TS payloads
- CVE-2023-23009
-
-Latest updates on this issue at https://libreswan.org/security/CVE-2023-23009
----
- programs/pluto/ikev2_ts.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c
-index 3f7519ca38..f06c40ba46 100644
---- a/programs/pluto/ikev2_ts.c
-+++ b/programs/pluto/ikev2_ts.c
-@@ -437,6 +437,11 @@ static bool v2_parse_tss(struct payload_digest *const ts_pd,
- 		d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc,
- 			  &ts_h, sizeof(ts_h), &ts_body_pbs);
- 
-+		if (d != NULL) {
-+			llog_diag(RC_LOG, logger, &d, "%s", "");
-+			return false;
-+		}
-+
- 		switch (ts_h.isath_type) {
- 		case IKEv2_TS_IPV4_ADDR_RANGE:
- 		case IKEv2_TS_IPV6_ADDR_RANGE:
--- 
-2.39.2
-
-
-From 52c19ccc9455ccd91fa4946b09f8e11222f1c923 Mon Sep 17 00:00:00 2001
-From: Andrew Cagney <cagney@gnu.org>
-Date: Tue, 28 Feb 2023 14:10:44 -0500
-Subject: [PATCH 2/2] ikev1: only clean up a connection when it isn't deleted
-
-fix #1018 reported by Wolfgang.
-see also ecb9c88910df1fb070488835bf3180096f3ccba3:
-IKEv1: Remove all IPsec SA's of a connection when newest SA is removed.
----
- programs/pluto/ikev1_main.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/programs/pluto/ikev1_main.c b/programs/pluto/ikev1_main.c
-index a616c5ccf3..21765d4002 100644
---- a/programs/pluto/ikev1_main.c
-+++ b/programs/pluto/ikev1_main.c
-@@ -2130,15 +2130,16 @@ bool accept_delete(struct msg_digest *md,
- 						  ntohl(spi));
- 				}
- 
--				struct connection *rc = dst->st_connection;
-+				/* save for post delete_state() code */
-+				co_serial_t rc_serialno = dst->st_connection->serialno;
- 
- 				if (nat_traversal_enabled && dst->st_connection->ikev1_natt != NATT_NONE) {
- 					nat_traversal_change_port_lookup(md, dst);
- 					v1_maybe_natify_initiator_endpoints(st, HERE);
- 				}
- 
--				if (rc->newest_ipsec_sa == dst->st_serialno &&
--					(rc->policy & POLICY_UP)) {
-+				if (dst->st_connection->newest_ipsec_sa == dst->st_serialno &&
-+				    (dst->st_connection->policy & POLICY_UP)) {
- 					/*
- 					 * Last IPsec SA for a permanent
- 					 * connection that we have initiated.
-@@ -2162,7 +2163,12 @@ bool accept_delete(struct msg_digest *md,
- 						md->v1_st = NULL;
- 				}
- 
--				if (rc->newest_ipsec_sa == SOS_NOBODY) {
-+				/*
-+				 * Either .newest_ipsec_sa matches DST
-+				 * and is cleared, or was never set.
-+				 */
-+				struct connection *rc = connection_by_serialno(rc_serialno);
-+				if (rc != NULL && rc->newest_ipsec_sa == SOS_NOBODY) {
- 					dbg("%s() connection '%s' -POLICY_UP", __func__, rc->name);
- 					rc->policy &= ~POLICY_UP;
- 					if (!shared_phase1_connection(rc)) {
--- 
-2.39.2
-

SPECS/libreswan.spec

@@ -36,8 +36,8 @@
 Name: libreswan
 Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
 # version is generated in the release script
-Version: 4.9
-Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}.2
+Version: 4.12
+Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}.3
 License: GPLv2
 Url: https://libreswan.org/
 
@@ -52,8 +52,8 @@ Patch1: libreswan-4.3-maintain-different-v1v2-split.patch
 Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch
 Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
 Patch6: libreswan-4.3-1934186-config.patch
-Patch7: libreswan-4.9-cve-2023-23009.patch
-Patch8: libreswan-4.9-2176248-authby-rsasig.patch
+Patch7: libreswan-4.9-2176248-authby-rsasig.patch
+Patch8: libreswan-4.12-ikev2-auth-delete-state.patch
 
 BuildRequires: audit-libs-devel
 BuildRequires: bison
@@ -217,15 +217,25 @@ certutil -N -d sql:$tmpdir --empty-password
 %attr(0644,root,root) %doc %{_mandir}/*/*
 
 %changelog
-* Tue Apr 25 2023 Daiki Ueno <dueno@redhat.com> - 4.9-2.2
-- Update libreswan-4.9-2176248-authby-rsasig.patch
+* Wed Apr 17 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.3
+- Bump release to ensure el8 package is greater than el8_* packages
 
-* Fri Apr 14 2023 Daiki Ueno <dueno@redhat.com> - 4.9-2.1
-- Resolves: rhbz#2187647 authby=rsasig fails in FIPS policy
+* Tue Apr 16 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.2
+- Fix patch application in the previous change
 
-* Tue Apr  4 2023 Daiki Ueno <dueno@redhat.com> - 4.9-2
-- Fix CVE-2023-23009: remote DoS via crafted TS payload with an
-  incorrect selector length (rhbz#2186127)
+* Mon Apr 15 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.1
+- Fix CVE-2024-2357 (RHEL-28742)
+
+* Fri Aug 25 2023 Daiki Ueno <dueno@redhat.com> - 4.12-2
+- Resolves: rhbz#2234731 authby=rsasig fails in FIPS policy
+
+* Wed Aug  9 2023 Daiki Ueno <dueno@redhat.com> - 4.12-1
+- Update to 4.12 to fix CVE-2023-38710, CVE-2023-38711, CVE-2023-38712
+- Resolves: rhbz#2215955
+
+* Thu May 04 2023 Sahana Prasad <sahana@redhat.com> - 4.9-2
+- Fix CVE-2023-30570 Malicious IKEv1 Aggressive Mode packets can crash libreswan
+- Resolves: rhbz#2187179
 
 * Mon Jan  9 2023 Daiki Ueno <dueno@redhat.com> - 4.9-1
 - Resolves: rhbz#2128672 Rebase libreswan to 4.9