From a47e3c924500a74049251abe637dab7f346d1fac Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Jan 12 2022 03:43:31 +0000 Subject: - Resolves: CVE-2022-23094 - Resolves: rhbz#2039604 libreswan-4.6 is available - Add gpg key and signature check for build - Temporarilly disable USE_DNSSEC in rawhide while we figure out openssl vs nss include clash
---
diff --git a/.gitignore b/.gitignore
index 390cf93..ae89163 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,3 +41,6 @@
 /libreswan-4.3.tar.gz
 /libreswan-4.4.tar.gz
 /libreswan-4.5.tar.gz
+/libreswan-4.6.tar.gz
+/libreswan-4.6.tar.gz.asc
+/LIBRESWAN-GPG-KEY.txt
diff --git a/libreswan.spec b/libreswan.spec
index a607ac6..88396ff 100644
--- a/libreswan.spec
+++ b/libreswan.spec
@@ -13,7 +13,7 @@
 INITSYSTEM=systemd \\\
 PYTHON_BINARY=%{__python3} \\\
 SHELL_BINARY=%{_bindir}/sh \\\
- USE_DNSSEC=true \\\
+ USE_DNSSEC=false \\\
 USE_LABELED_IPSEC=true \\\
 USE_LDAP=true \\\
 USE_LIBCAP_NG=true \\\
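Review bot: The switch to `USE_DNSSEC=false` in this macro is unconditional, while the changelog describes it as a temporary rawhide-only workaround, and nothing in the spec itself marks it as such. Because the same build carries the CVE-2022-23094 fix, any branch that takes this spec would presumably lose DNSSEC support along with gaining the fix, and the flag is easy to forget once the include clash is resolved. The option sits inside a continued macro whose start is outside the hunk, so the marker belongs above the macro definition, e.g. `# TODO: USE_DNSSEC=false is temporary (openssl vs nss include clash); restore to true once fixed`. If stable branches share this spec, consider selecting the value by release rather than hard-coding it.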
@@ -30,28 +30,32 @@ Name: libreswan Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec # version is generated in the release script -Version: 4.5 +Version: 4.6 Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist} License: GPLv2 Url: https://libreswan.org/ Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz +Source1: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz.asc +Source2: https://download.libreswan.org/LIBRESWAN-GPG-KEY.txt %if 0%{with_cavstests} -Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2 -Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 -Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 +Source3: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2 +Source4: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 +Source5: https://download.libreswan.org/cavs/ikev2.fax.bz2 %endif BuildRequires: audit-libs-devel BuildRequires: bison BuildRequires: curl-devel BuildRequires: flex -BuildRequires: gcc make +BuildRequires: gcc +BuildRequires: gnupg2 BuildRequires: hostname BuildRequires: ldns-devel BuildRequires: libcap-ng-devel BuildRequires: libevent-devel BuildRequires: libseccomp-devel BuildRequires: libselinux-devel +BuildRequires: make BuildRequires: nspr-devel BuildRequires: nss-devel >= %{nss_version} BuildRequires: nss-tools >= %{nss_version} @@ -96,10 +100,12 @@ Libreswan also supports IKEv2 (RFC7296) and Secure Labeling Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %setup -q -n libreswan-%{version}%{?prever} # enable crypto-policies support sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in sed -i "s/SUBDIRS += ipcheck/#SUBDIRS += ipchec/" testing/programs/Makefile +%autopatch -p1 %build make %{?_smp_mflags} \ 
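Review bot: `Source2` fetches the keyring from the same host as the tarball and its signature, so the `%{gpgverify}` check only adds assurance as long as the key is pinned independently, which here is the SHA512 entry in `sources`. A comment above `Source2` recording the expected signing-key fingerprint would let a reviewer notice a key swap when `sources` is next refreshed, e.g. `# Upstream release signing key, fingerprint <FINGERPRINT-PLACEHOLDER>; confirm out of band before updating`.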
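Review bot: `%autopatch -p1` is placed after the two `sed -i` edits in `%prep`, so any patch added later that touches `configs/ipsec.conf.in` or `testing/programs/Makefile` would be applied to already-modified files and could fail or apply with fuzz. Moving it directly below `%setup -q -n libreswan-%{version}%{?prever}` keeps patches applying against the pristine, signature-verified tree. The `%{gpgverify}` call before `%setup` is in the right place, since nothing is unpacked unless the signature checks out. No `Patch` lines are visible in this diff, so the macro is presumably a no-op for now.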
@@ -142,8 +148,8 @@ rm -fr %{buildroot}%{_sysconfdir}/rc.d/rc* %check # There is an elaborate upstream testing infrastructure which we do not # run here - it takes hours and uses kvm -# We only run the CAVS tests. -cp %{SOURCE1} %{SOURCE2} %{SOURCE3} . +# We only run the CAVS tests and startup selftest +cp %{SOURCE3} %{SOURCE4} %{SOURCE5} . bunzip2 *.fax.bz2 : starting CAVS test for IKEv2 @@ -200,6 +206,12 @@ certutil -N -d sql:$tmpdir --empty-password %doc %{_mandir}/*/* %changelog +* Wed Jan 12 2022 Paul Wouters - 4.6-1 +- Resolves: CVE-2022-23094 +- Resolves: rhbz#2039604 libreswan-4.6 is available +- Add gpg key and signature check for build +- Temporarilly disable USE_DNSSEC in rawhide while we figure out openssl vs nss include clash + * Thu Aug 26 2021 Paul Wouters - 4.5-1 - Resolves rhbz#1996250 libreswan-4.5 is available diff --git a/sources b/sources index 5dbddff..1136740 100644 --- a/sources +++ b/sources 
@@ -1,4 +1,6 @@
+SHA512 (LIBRESWAN-GPG-KEY.txt) = 4df07b77a8026b071dbd99723cf475f76948364c7e63c59ad59444595e042b6c426e28106ba614806c11f0f1d1f32570b60d5cfbaf0beada0621dd242a399000
 SHA512 (ikev1_dsa.fax.bz2) = 627cbac14248bd68e8d22fbca247668a7749ef0c2e41df8d776d62df9a21403d3a246c0bd82c3faedce62de90b9f91a87f753e17b056319000bba7d2038461ac
 SHA512 (ikev1_psk.fax.bz2) = 1b2daec32edc56b410c036db2688c92548a9bd9914994bc7e555b301dd6db4497a6b3e89dc12ddf36826ae90b40fcde501a5a45c0d59098e07839073d219d467
 SHA512 (ikev2.fax.bz2) = 65c65d86fd1a7539c0ad516b0f49546d5722b710225857ee2d2f5f3415ac7d023264746398f3637fd248a4ce2364957c516c31214ee33faefe58ac8e4e333a10
-SHA512 (libreswan-4.5.tar.gz) = 451a4f71099aa4776624a4c127fdaff492acc38a44228255dcbf955efa0982fd963c989d63522f56279eec6a9ef738febb573dde34aa541724ab11e37a554f9e
+SHA512 (libreswan-4.6.tar.gz.asc) = c8dca0e0800124603ec8d41ef2edcf6d9d1df999aa4127861223b9af8e376e2afd7cdbf71449299fa12a5ce7e53fb0e3bf04566f069e6543507accc88559940b
+SHA512 (libreswan-4.6.tar.gz) = c1c3efd7665dee6caaf08cb5aa50fcd37c299acad4b62648284fdb04edd50ba8fc8d33a9fb210edaf2312697f8cd251f33a6b16587eb2cfefd1269b4482dd499