rpms/NetworkManager-libreswan
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to 1.2.24 release

Browse Source 
Fix improper escaping of Libreswan configuration (CVE-2024-9050)

Resolves: RHEL-59769
This commit is contained in:
Lubomir Rintel 2024-09-25 16:32:14 +02:00
parent 48837b8bff
commit 03d4d0f88b
5 changed files with 9 additions and 269 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -21,3 +21,4 @@ NetworkManager-openswan-0.8.tar.gz
/NetworkManager-libreswan-1.2.18.tar.xz /NetworkManager-libreswan-1.2.18.tar.xz
/NetworkManager-libreswan-1.2.20.tar.xz /NetworkManager-libreswan-1.2.20.tar.xz
/NetworkManager-libreswan-1.2.22.tar.xz /NetworkManager-libreswan-1.2.22.tar.xz
/NetworkManager-libreswan-1.2.24.tar.xz

81
1001-editor-connect-stuff_changed_cb-from-populate_widget.patch
View File

@ -1,81 +0,0 @@
From 4957f0123c109df05885b2c85bfabc8f7311fe62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@redhat.com>
Date: Mon, 9 Sep 2024 12:25:58 +0200
Subject: [PATCH] editor: connect stuff_changed_cb from populate_widget
There is no need to do it in 2 different steps, we always have to
connect it after creating the widget. Let's do it all together so no
developer forgets.
---
properties/nm-libreswan-editor.c | 47 --------------------------------
1 file changed, 47 deletions(-)
diff --git a/properties/nm-libreswan-editor.c b/properties/nm-libreswan-editor.c
index b03d2fe..5687dc7 100644
--- a/properties/nm-libreswan-editor.c
+++ b/properties/nm-libreswan-editor.c
@@ -351,27 +351,6 @@ populate_widget (LibreswanEditor *self,
}
gtk_combo_box_set_active (GTK_COMBO_BOX (widget), idx);
}
-}
-
-
-/* Init the widget on the basis of its actual type.
- * widget_name: the name of the widget
- * key_name: the name of the key where the config value is stored
- * alt_key_name:alternative name of the key
- * match_value: used only for toggle_button and combo_box widgets; when matched
- * in the former it will set the toggle button as active, in the latter
- * will be used as a match for enabling the third index of possible values
- * (a three-valued logic value is expected: "no", "yes" or "match_value").
- */
-static void
-hook_stuff_changed_cb (LibreswanEditor *self,
- const char *widget_name)
-{
- LibreswanEditorPrivate *priv = LIBRESWAN_EDITOR_GET_PRIVATE (self);
- GtkWidget *widget;
-
- widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, widget_name));
- g_return_if_fail (widget);
g_signal_connect (G_OBJECT (widget),
GTK_IS_CHECK_BUTTON (widget) ? "toggled" : "changed",
@@ -471,33 +450,7 @@ init_editor_plugin (LibreswanEditor *self,
populate_widget (self, "group_entry", NM_LIBRESWAN_KEY_LEFTID, NULL, NULL);
populate_widget (self, "cert_entry", NM_LIBRESWAN_KEY_LEFTCERT, NULL, NULL);
populate_widget (self, "remoteid_entry", NM_LIBRESWAN_KEY_RIGHTID, NULL, NULL);
- hook_stuff_changed_cb (self, "gateway_entry");
- hook_stuff_changed_cb (self, "user_entry");
- hook_stuff_changed_cb (self, "group_entry");
- hook_stuff_changed_cb (self, "cert_entry");
- hook_stuff_changed_cb (self, "remoteid_entry");
-
- /* Advanced Dialog */
populate_adv_dialog (self);
- hook_stuff_changed_cb (self, "domain_entry");
- hook_stuff_changed_cb (self, "phase1_entry");
- hook_stuff_changed_cb (self, "phase2_entry");
- hook_stuff_changed_cb (self, "phase1_lifetime_entry");
- hook_stuff_changed_cb (self, "phase2_lifetime_entry");
- hook_stuff_changed_cb (self, "rekey_checkbutton");
- hook_stuff_changed_cb (self, "pfs_checkbutton");
- hook_stuff_changed_cb (self, "local_network_entry");
- hook_stuff_changed_cb (self, "remote_network_entry");
- hook_stuff_changed_cb (self, "narrowing_checkbutton");
- hook_stuff_changed_cb (self, "fragmentation_combo");
- hook_stuff_changed_cb (self, "mobike_combo");
- hook_stuff_changed_cb (self, "dpd_delay_entry");
- hook_stuff_changed_cb (self, "dpd_timeout_entry");
- hook_stuff_changed_cb (self, "dpd_action_combo");
- hook_stuff_changed_cb (self, "ipsec_interface_entry");
- hook_stuff_changed_cb (self, "authby_entry");
- hook_stuff_changed_cb (self, "disable_modecfgclient_checkbutton");
- hook_stuff_changed_cb (self, "remote_cert_entry");
priv->advanced_dialog = GTK_WIDGET (gtk_builder_get_object (priv->builder, "libreswan-advanced-dialog"));
g_return_val_if_fail (priv->advanced_dialog != NULL, FALSE);
--
2.44.0

182
1002-properties-add-require-id-on-certificate.patch
View File

@ -1,182 +0,0 @@
From 95517f4dd6de399f4608c63f48658228ac902c93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@redhat.com>
Date: Mon, 9 Sep 2024 11:47:57 +0200
Subject: [PATCH] properties: add require-id-on-certificate
From `man ipsec.conf`:
require-id-on-certificate:
When using certificates, check whether the IKE peer ID is present as
a subjectAltName (SAN) on the peer certificate. Accepted values are
yes (the default) or no. This check should only be disabled when
intentionally using certificates that do not have their peer ID specified
as a SAN on the certificate. These certificates violate RFC 4945 Section
3.1 and are normally rejected to prevent a compromised host from assuming
the IKE identity of another host. The SAN limits the IDs that the
peer is able to assume.
---
properties/nm-libreswan-dialog.ui | 26 +++++++++++++++++++++++++
properties/nm-libreswan-editor-plugin.c | 2 ++
properties/nm-libreswan-editor.c | 9 +++++++++
shared/nm-service-defines.h | 1 +
shared/utils.c | 5 +++++
src/nm-libreswan-service.c | 1 +
6 files changed, 44 insertions(+)
diff --git a/properties/nm-libreswan-dialog.ui b/properties/nm-libreswan-dialog.ui
index b682895..17a7171 100644
--- a/properties/nm-libreswan-dialog.ui
+++ b/properties/nm-libreswan-dialog.ui
@@ -1222,6 +1222,32 @@ config: authby &lt;value&gt;
<property name="top_attach">0</property>
</packing>
</child>
+ <child>
+ <object class="GtkLabel" id="require_id_on_certificate_label">
+ <property name="visible">True</property>
+ <property name="can_focus">False</property>
+ <property name="label" translatable="yes">Don't require remote certificate name</property>
+ <property name="use_underline">True</property>
+ <property name="mnemonic_widget">require_id_on_certificate_checkbutton</property>
+ <property name="xalign">1</property>
+ </object>
+ <packing>
+ <property name="left_attach">0</property>
+ <property name="top_attach">1</property>
+ </packing>
+ </child>
+ <child>
+ <object class="GtkCheckButton" id="require_id_on_certificate_checkbutton">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="receives_default">False</property>
+ <property name="draw_indicator">True</property>
+ </object>
+ <packing>
+ <property name="left_attach">1</property>
+ <property name="top_attach">1</property>
+ </packing>
+ </child>
</object>
</child>
</object>
diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
index fe473d1..7aa528e 100644
--- a/properties/nm-libreswan-editor-plugin.c
+++ b/properties/nm-libreswan-editor-plugin.c
@@ -214,6 +214,8 @@ import_from_file (NMVpnEditorPlugin *self,
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_HOSTADDRFAMILY, str + NM_STRLEN("hostaddrfamily="));
else if (g_str_has_prefix (str, "clientaddrfamily="))
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, str + NM_STRLEN("clientaddrfamily="));
+ else if (g_str_has_prefix (str, "require-id-on-certificate="))
+ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, str + NM_STRLEN("require-id-on-certificate="));
else if (g_str_has_prefix (str, "rightsubnet=")) {
if (!g_str_has_prefix (str, "rightsubnet=0.0.0.0/0"))
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REMOTENETWORK, &str[12]);
diff --git a/properties/nm-libreswan-editor.c b/properties/nm-libreswan-editor.c
index 5687dc7..b350819 100644
--- a/properties/nm-libreswan-editor.c
+++ b/properties/nm-libreswan-editor.c
@@ -379,6 +379,7 @@ populate_adv_dialog (LibreswanEditor *self)
populate_widget (self, "authby_entry", NM_LIBRESWAN_KEY_AUTHBY, NULL, NULL);
populate_widget (self, "disable_modecfgclient_checkbutton", NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT, NULL, "no");
populate_widget (self, "remote_cert_entry", NM_LIBRESWAN_KEY_RIGHTCERT, NULL, NULL);
+ populate_widget (self, "require_id_on_certificate_checkbutton", NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, NULL, "no");
}
static gboolean
@@ -642,6 +643,14 @@ update_adv_settings (LibreswanEditor *self, NMSettingVpn *s_vpn)
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT, str);
else
nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT);
+
+ /* Disable Require ID on certificate */
+ widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "require_id_on_certificate_checkbutton"));
+ if (gtk_check_button_get_active (GTK_CHECK_BUTTON (widget)))
+ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, "no");
+ else
+ nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE);
+
}
static gboolean
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
index 167b837..5f523bd 100644
--- a/shared/nm-service-defines.h
+++ b/shared/nm-service-defines.h
@@ -73,6 +73,7 @@
#define NM_LIBRESWAN_KEY_TYPE "type"
#define NM_LIBRESWAN_KEY_HOSTADDRFAMILY "hostaddrfamily"
#define NM_LIBRESWAN_KEY_CLIENTADDRFAMILY "clientaddrfamily"
+#define NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE "require-id-on-certificate"
#define NM_LIBRESWAN_IKEV2_NO "no"
#define NM_LIBRESWAN_IKEV2_NEVER "never"
diff --git a/shared/utils.c b/shared/utils.c
index 65bc603..9394099 100644
--- a/shared/utils.c
+++ b/shared/utils.c
@@ -122,6 +122,7 @@ nm_libreswan_config_write (gint fd,
const char *mobike;
const char *pfs;
const char *client_family;
+ const char *require_id_on_certificate;
const char *item;
gboolean is_ikev2 = FALSE;
@@ -173,6 +174,10 @@ nm_libreswan_config_write (gint fd,
if (client_family && strlen (client_family))
WRITE_CHECK (fd, debug_write_fcn, error, " clientaddrfamily=%s", client_family);
+ require_id_on_certificate = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE);
+ if (require_id_on_certificate && strlen (require_id_on_certificate))
+ WRITE_CHECK (fd, debug_write_fcn, error, " require-id-on-certificate=%s", require_id_on_certificate);
+
leftrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTRSASIGKEY);
rightrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTRSASIGKEY);
leftcert = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTCERT);
diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
index e5956af..984e991 100644
--- a/src/nm-libreswan-service.c
+++ b/src/nm-libreswan-service.c
@@ -274,6 +274,7 @@ static ValidProperty valid_properties[] = {
{ NM_LIBRESWAN_KEY_TYPE, G_TYPE_STRING, 0, 0 },
{ NM_LIBRESWAN_KEY_HOSTADDRFAMILY, G_TYPE_STRING, 0, 0 },
{ NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, G_TYPE_STRING, 0, 0 },
+ { NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, G_TYPE_STRING, 0, 0 },
/* Ignored option for internal use */
{ NM_LIBRESWAN_KEY_PSK_INPUT_MODES, G_TYPE_NONE, 0, 0 },
{ NM_LIBRESWAN_KEY_XAUTH_PASSWORD_INPUT_MODES, G_TYPE_NONE, 0, 0 },
--- a/gtk4/nm-libreswan-dialog.ui
+++ b/gtk4/nm-libreswan-dialog.ui
@@ -979,6 +979,27 @@
</layout>
</object>
</child>
+ <child>
+ <object class="GtkLabel" id="require_id_on_certificate_label">
+ <property name="label" translatable="1">Don&apos;t require remote certificate name</property>
+ <property name="use_underline">1</property>
+ <property name="mnemonic_widget">require_id_on_certificate_checkbutton</property>
+ <property name="xalign">1</property>
+ <layout>
+ <property name="column">0</property>
+ <property name="row">1</property>
+ </layout>
+ </object>
+ </child>
+ <child>
+ <object class="GtkCheckButton" id="require_id_on_certificate_checkbutton">
+ <property name="focusable">1</property>
+ <layout>
+ <property name="column">1</property>
+ <property name="row">1</property>
+ </layout>
+ </object>
+ </child>
</object>
</child>
</object>
--
2.44.0

12
NetworkManager-libreswan.spec
View File

@ -9,9 +9,9 @@
%bcond_without gtk4 %bcond_without gtk4
%endif %endif
%global real_version 1.2.22 %global real_version 1.2.24
%global rpm_version 1.2.22 %global rpm_version 1.2.24
%global release_version 2 %global release_version 1
%global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[1-9][0-9]*\\)\\.[1-9][0-9]*$/\\1/p') %global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[1-9][0-9]*\\)\\.[1-9][0-9]*$/\\1/p')
@ -33,8 +33,6 @@ Source0: https://download.gnome.org/sources/NetworkManager-libreswan/%{real_ve
# Bugfixes that are only relevant until next rebase of the package. # Bugfixes that are only relevant until next rebase of the package.
# Patch1001: 1001-some.patch # Patch1001: 1001-some.patch
Patch1001: 1001-editor-connect-stuff_changed_cb-from-populate_widget.patch
Patch1002: 1002-properties-add-require-id-on-certificate.patch
BuildRequires: make BuildRequires: make
BuildRequires: gcc BuildRequires: gcc
@ -136,6 +134,10 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la
%endif %endif
%changelog %changelog
* Tue Oct 22 2024 Lubomir Rintel <lkundrak@v3.sk> - 1.2.24-1
- Update to 1.2.24 release
- Fix improper escaping of Libreswan configuration (CVE-2024-9050)
* Thu Sep 12 2024 Íñigo Huguet <ihuguet@redhat.com> - 1.2.22-2 * Thu Sep 12 2024 Íñigo Huguet <ihuguet@redhat.com> - 1.2.22-2
- Support require-id-on-certificate (RHEL-58040) - Support require-id-on-certificate (RHEL-58040)

2
sources
View File

@ -1 +1 @@
SHA512 (NetworkManager-libreswan-1.2.22.tar.xz) = 80885a276344ab512fb7b3d4b9932525787006781f3c8e0ab93343b78172f1d971c7753df53f21db8f45ea873469d80fc1e12f8d56d6e05d31a536069ff46e16 SHA512 (NetworkManager-libreswan-1.2.24.tar.xz) = 8b7c8d7736b3ffcb27d6e28c9073f0cad5098decc41342643dd7392c361a7d2664bdac17ca895b14c9b224d330637d4f5d095f242b06e3d312b00803993c6e5c