Update to 1.2.24 release
Fix improper escaping of Libreswan configuration (CVE-2024-9050) Resolves: RHEL-59769
This commit is contained in:
parent
48837b8bff
commit
03d4d0f88b
1
.gitignore
vendored
1
.gitignore
vendored
@ -21,3 +21,4 @@ NetworkManager-openswan-0.8.tar.gz
|
|||||||
/NetworkManager-libreswan-1.2.18.tar.xz
|
/NetworkManager-libreswan-1.2.18.tar.xz
|
||||||
/NetworkManager-libreswan-1.2.20.tar.xz
|
/NetworkManager-libreswan-1.2.20.tar.xz
|
||||||
/NetworkManager-libreswan-1.2.22.tar.xz
|
/NetworkManager-libreswan-1.2.22.tar.xz
|
||||||
|
/NetworkManager-libreswan-1.2.24.tar.xz
|
||||||
|
@ -1,81 +0,0 @@
|
|||||||
From 4957f0123c109df05885b2c85bfabc8f7311fe62 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@redhat.com>
|
|
||||||
Date: Mon, 9 Sep 2024 12:25:58 +0200
|
|
||||||
Subject: [PATCH] editor: connect stuff_changed_cb from populate_widget
|
|
||||||
|
|
||||||
There is no need to do it in 2 different steps, we always have to
|
|
||||||
connect it after creating the widget. Let's do it all together so no
|
|
||||||
developer forgets.
|
|
||||||
---
|
|
||||||
properties/nm-libreswan-editor.c | 47 --------------------------------
|
|
||||||
1 file changed, 47 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/properties/nm-libreswan-editor.c b/properties/nm-libreswan-editor.c
|
|
||||||
index b03d2fe..5687dc7 100644
|
|
||||||
--- a/properties/nm-libreswan-editor.c
|
|
||||||
+++ b/properties/nm-libreswan-editor.c
|
|
||||||
@@ -351,27 +351,6 @@ populate_widget (LibreswanEditor *self,
|
|
||||||
}
|
|
||||||
gtk_combo_box_set_active (GTK_COMBO_BOX (widget), idx);
|
|
||||||
}
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-
|
|
||||||
-/* Init the widget on the basis of its actual type.
|
|
||||||
- * widget_name: the name of the widget
|
|
||||||
- * key_name: the name of the key where the config value is stored
|
|
||||||
- * alt_key_name:alternative name of the key
|
|
||||||
- * match_value: used only for toggle_button and combo_box widgets; when matched
|
|
||||||
- * in the former it will set the toggle button as active, in the latter
|
|
||||||
- * will be used as a match for enabling the third index of possible values
|
|
||||||
- * (a three-valued logic value is expected: "no", "yes" or "match_value").
|
|
||||||
- */
|
|
||||||
-static void
|
|
||||||
-hook_stuff_changed_cb (LibreswanEditor *self,
|
|
||||||
- const char *widget_name)
|
|
||||||
-{
|
|
||||||
- LibreswanEditorPrivate *priv = LIBRESWAN_EDITOR_GET_PRIVATE (self);
|
|
||||||
- GtkWidget *widget;
|
|
||||||
-
|
|
||||||
- widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, widget_name));
|
|
||||||
- g_return_if_fail (widget);
|
|
||||||
|
|
||||||
g_signal_connect (G_OBJECT (widget),
|
|
||||||
GTK_IS_CHECK_BUTTON (widget) ? "toggled" : "changed",
|
|
||||||
@@ -471,33 +450,7 @@ init_editor_plugin (LibreswanEditor *self,
|
|
||||||
populate_widget (self, "group_entry", NM_LIBRESWAN_KEY_LEFTID, NULL, NULL);
|
|
||||||
populate_widget (self, "cert_entry", NM_LIBRESWAN_KEY_LEFTCERT, NULL, NULL);
|
|
||||||
populate_widget (self, "remoteid_entry", NM_LIBRESWAN_KEY_RIGHTID, NULL, NULL);
|
|
||||||
- hook_stuff_changed_cb (self, "gateway_entry");
|
|
||||||
- hook_stuff_changed_cb (self, "user_entry");
|
|
||||||
- hook_stuff_changed_cb (self, "group_entry");
|
|
||||||
- hook_stuff_changed_cb (self, "cert_entry");
|
|
||||||
- hook_stuff_changed_cb (self, "remoteid_entry");
|
|
||||||
-
|
|
||||||
- /* Advanced Dialog */
|
|
||||||
populate_adv_dialog (self);
|
|
||||||
- hook_stuff_changed_cb (self, "domain_entry");
|
|
||||||
- hook_stuff_changed_cb (self, "phase1_entry");
|
|
||||||
- hook_stuff_changed_cb (self, "phase2_entry");
|
|
||||||
- hook_stuff_changed_cb (self, "phase1_lifetime_entry");
|
|
||||||
- hook_stuff_changed_cb (self, "phase2_lifetime_entry");
|
|
||||||
- hook_stuff_changed_cb (self, "rekey_checkbutton");
|
|
||||||
- hook_stuff_changed_cb (self, "pfs_checkbutton");
|
|
||||||
- hook_stuff_changed_cb (self, "local_network_entry");
|
|
||||||
- hook_stuff_changed_cb (self, "remote_network_entry");
|
|
||||||
- hook_stuff_changed_cb (self, "narrowing_checkbutton");
|
|
||||||
- hook_stuff_changed_cb (self, "fragmentation_combo");
|
|
||||||
- hook_stuff_changed_cb (self, "mobike_combo");
|
|
||||||
- hook_stuff_changed_cb (self, "dpd_delay_entry");
|
|
||||||
- hook_stuff_changed_cb (self, "dpd_timeout_entry");
|
|
||||||
- hook_stuff_changed_cb (self, "dpd_action_combo");
|
|
||||||
- hook_stuff_changed_cb (self, "ipsec_interface_entry");
|
|
||||||
- hook_stuff_changed_cb (self, "authby_entry");
|
|
||||||
- hook_stuff_changed_cb (self, "disable_modecfgclient_checkbutton");
|
|
||||||
- hook_stuff_changed_cb (self, "remote_cert_entry");
|
|
||||||
|
|
||||||
priv->advanced_dialog = GTK_WIDGET (gtk_builder_get_object (priv->builder, "libreswan-advanced-dialog"));
|
|
||||||
g_return_val_if_fail (priv->advanced_dialog != NULL, FALSE);
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,182 +0,0 @@
|
|||||||
From 95517f4dd6de399f4608c63f48658228ac902c93 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@redhat.com>
|
|
||||||
Date: Mon, 9 Sep 2024 11:47:57 +0200
|
|
||||||
Subject: [PATCH] properties: add require-id-on-certificate
|
|
||||||
|
|
||||||
From `man ipsec.conf`:
|
|
||||||
|
|
||||||
require-id-on-certificate:
|
|
||||||
When using certificates, check whether the IKE peer ID is present as
|
|
||||||
a subjectAltName (SAN) on the peer certificate. Accepted values are
|
|
||||||
yes (the default) or no. This check should only be disabled when
|
|
||||||
intentionally using certificates that do not have their peer ID specified
|
|
||||||
as a SAN on the certificate. These certificates violate RFC 4945 Section
|
|
||||||
3.1 and are normally rejected to prevent a compromised host from assuming
|
|
||||||
the IKE identity of another host. The SAN limits the IDs that the
|
|
||||||
peer is able to assume.
|
|
||||||
---
|
|
||||||
properties/nm-libreswan-dialog.ui | 26 +++++++++++++++++++++++++
|
|
||||||
properties/nm-libreswan-editor-plugin.c | 2 ++
|
|
||||||
properties/nm-libreswan-editor.c | 9 +++++++++
|
|
||||||
shared/nm-service-defines.h | 1 +
|
|
||||||
shared/utils.c | 5 +++++
|
|
||||||
src/nm-libreswan-service.c | 1 +
|
|
||||||
6 files changed, 44 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/properties/nm-libreswan-dialog.ui b/properties/nm-libreswan-dialog.ui
|
|
||||||
index b682895..17a7171 100644
|
|
||||||
--- a/properties/nm-libreswan-dialog.ui
|
|
||||||
+++ b/properties/nm-libreswan-dialog.ui
|
|
||||||
@@ -1222,6 +1222,32 @@ config: authby <value>
|
|
||||||
<property name="top_attach">0</property>
|
|
||||||
</packing>
|
|
||||||
</child>
|
|
||||||
+ <child>
|
|
||||||
+ <object class="GtkLabel" id="require_id_on_certificate_label">
|
|
||||||
+ <property name="visible">True</property>
|
|
||||||
+ <property name="can_focus">False</property>
|
|
||||||
+ <property name="label" translatable="yes">Don't require remote certificate name</property>
|
|
||||||
+ <property name="use_underline">True</property>
|
|
||||||
+ <property name="mnemonic_widget">require_id_on_certificate_checkbutton</property>
|
|
||||||
+ <property name="xalign">1</property>
|
|
||||||
+ </object>
|
|
||||||
+ <packing>
|
|
||||||
+ <property name="left_attach">0</property>
|
|
||||||
+ <property name="top_attach">1</property>
|
|
||||||
+ </packing>
|
|
||||||
+ </child>
|
|
||||||
+ <child>
|
|
||||||
+ <object class="GtkCheckButton" id="require_id_on_certificate_checkbutton">
|
|
||||||
+ <property name="visible">True</property>
|
|
||||||
+ <property name="can_focus">True</property>
|
|
||||||
+ <property name="receives_default">False</property>
|
|
||||||
+ <property name="draw_indicator">True</property>
|
|
||||||
+ </object>
|
|
||||||
+ <packing>
|
|
||||||
+ <property name="left_attach">1</property>
|
|
||||||
+ <property name="top_attach">1</property>
|
|
||||||
+ </packing>
|
|
||||||
+ </child>
|
|
||||||
</object>
|
|
||||||
</child>
|
|
||||||
</object>
|
|
||||||
diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
|
|
||||||
index fe473d1..7aa528e 100644
|
|
||||||
--- a/properties/nm-libreswan-editor-plugin.c
|
|
||||||
+++ b/properties/nm-libreswan-editor-plugin.c
|
|
||||||
@@ -214,6 +214,8 @@ import_from_file (NMVpnEditorPlugin *self,
|
|
||||||
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_HOSTADDRFAMILY, str + NM_STRLEN("hostaddrfamily="));
|
|
||||||
else if (g_str_has_prefix (str, "clientaddrfamily="))
|
|
||||||
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, str + NM_STRLEN("clientaddrfamily="));
|
|
||||||
+ else if (g_str_has_prefix (str, "require-id-on-certificate="))
|
|
||||||
+ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, str + NM_STRLEN("require-id-on-certificate="));
|
|
||||||
else if (g_str_has_prefix (str, "rightsubnet=")) {
|
|
||||||
if (!g_str_has_prefix (str, "rightsubnet=0.0.0.0/0"))
|
|
||||||
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REMOTENETWORK, &str[12]);
|
|
||||||
diff --git a/properties/nm-libreswan-editor.c b/properties/nm-libreswan-editor.c
|
|
||||||
index 5687dc7..b350819 100644
|
|
||||||
--- a/properties/nm-libreswan-editor.c
|
|
||||||
+++ b/properties/nm-libreswan-editor.c
|
|
||||||
@@ -379,6 +379,7 @@ populate_adv_dialog (LibreswanEditor *self)
|
|
||||||
populate_widget (self, "authby_entry", NM_LIBRESWAN_KEY_AUTHBY, NULL, NULL);
|
|
||||||
populate_widget (self, "disable_modecfgclient_checkbutton", NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT, NULL, "no");
|
|
||||||
populate_widget (self, "remote_cert_entry", NM_LIBRESWAN_KEY_RIGHTCERT, NULL, NULL);
|
|
||||||
+ populate_widget (self, "require_id_on_certificate_checkbutton", NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, NULL, "no");
|
|
||||||
}
|
|
||||||
|
|
||||||
static gboolean
|
|
||||||
@@ -642,6 +643,14 @@ update_adv_settings (LibreswanEditor *self, NMSettingVpn *s_vpn)
|
|
||||||
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT, str);
|
|
||||||
else
|
|
||||||
nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT);
|
|
||||||
+
|
|
||||||
+ /* Disable Require ID on certificate */
|
|
||||||
+ widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "require_id_on_certificate_checkbutton"));
|
|
||||||
+ if (gtk_check_button_get_active (GTK_CHECK_BUTTON (widget)))
|
|
||||||
+ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, "no");
|
|
||||||
+ else
|
|
||||||
+ nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE);
|
|
||||||
+
|
|
||||||
}
|
|
||||||
|
|
||||||
static gboolean
|
|
||||||
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
|
|
||||||
index 167b837..5f523bd 100644
|
|
||||||
--- a/shared/nm-service-defines.h
|
|
||||||
+++ b/shared/nm-service-defines.h
|
|
||||||
@@ -73,6 +73,7 @@
|
|
||||||
#define NM_LIBRESWAN_KEY_TYPE "type"
|
|
||||||
#define NM_LIBRESWAN_KEY_HOSTADDRFAMILY "hostaddrfamily"
|
|
||||||
#define NM_LIBRESWAN_KEY_CLIENTADDRFAMILY "clientaddrfamily"
|
|
||||||
+#define NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE "require-id-on-certificate"
|
|
||||||
|
|
||||||
#define NM_LIBRESWAN_IKEV2_NO "no"
|
|
||||||
#define NM_LIBRESWAN_IKEV2_NEVER "never"
|
|
||||||
diff --git a/shared/utils.c b/shared/utils.c
|
|
||||||
index 65bc603..9394099 100644
|
|
||||||
--- a/shared/utils.c
|
|
||||||
+++ b/shared/utils.c
|
|
||||||
@@ -122,6 +122,7 @@ nm_libreswan_config_write (gint fd,
|
|
||||||
const char *mobike;
|
|
||||||
const char *pfs;
|
|
||||||
const char *client_family;
|
|
||||||
+ const char *require_id_on_certificate;
|
|
||||||
const char *item;
|
|
||||||
gboolean is_ikev2 = FALSE;
|
|
||||||
|
|
||||||
@@ -173,6 +174,10 @@ nm_libreswan_config_write (gint fd,
|
|
||||||
if (client_family && strlen (client_family))
|
|
||||||
WRITE_CHECK (fd, debug_write_fcn, error, " clientaddrfamily=%s", client_family);
|
|
||||||
|
|
||||||
+ require_id_on_certificate = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE);
|
|
||||||
+ if (require_id_on_certificate && strlen (require_id_on_certificate))
|
|
||||||
+ WRITE_CHECK (fd, debug_write_fcn, error, " require-id-on-certificate=%s", require_id_on_certificate);
|
|
||||||
+
|
|
||||||
leftrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTRSASIGKEY);
|
|
||||||
rightrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTRSASIGKEY);
|
|
||||||
leftcert = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTCERT);
|
|
||||||
diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
|
|
||||||
index e5956af..984e991 100644
|
|
||||||
--- a/src/nm-libreswan-service.c
|
|
||||||
+++ b/src/nm-libreswan-service.c
|
|
||||||
@@ -274,6 +274,7 @@ static ValidProperty valid_properties[] = {
|
|
||||||
{ NM_LIBRESWAN_KEY_TYPE, G_TYPE_STRING, 0, 0 },
|
|
||||||
{ NM_LIBRESWAN_KEY_HOSTADDRFAMILY, G_TYPE_STRING, 0, 0 },
|
|
||||||
{ NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, G_TYPE_STRING, 0, 0 },
|
|
||||||
+ { NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, G_TYPE_STRING, 0, 0 },
|
|
||||||
/* Ignored option for internal use */
|
|
||||||
{ NM_LIBRESWAN_KEY_PSK_INPUT_MODES, G_TYPE_NONE, 0, 0 },
|
|
||||||
{ NM_LIBRESWAN_KEY_XAUTH_PASSWORD_INPUT_MODES, G_TYPE_NONE, 0, 0 },
|
|
||||||
--- a/gtk4/nm-libreswan-dialog.ui
|
|
||||||
+++ b/gtk4/nm-libreswan-dialog.ui
|
|
||||||
@@ -979,6 +979,27 @@
|
|
||||||
</layout>
|
|
||||||
</object>
|
|
||||||
</child>
|
|
||||||
+ <child>
|
|
||||||
+ <object class="GtkLabel" id="require_id_on_certificate_label">
|
|
||||||
+ <property name="label" translatable="1">Don't require remote certificate name</property>
|
|
||||||
+ <property name="use_underline">1</property>
|
|
||||||
+ <property name="mnemonic_widget">require_id_on_certificate_checkbutton</property>
|
|
||||||
+ <property name="xalign">1</property>
|
|
||||||
+ <layout>
|
|
||||||
+ <property name="column">0</property>
|
|
||||||
+ <property name="row">1</property>
|
|
||||||
+ </layout>
|
|
||||||
+ </object>
|
|
||||||
+ </child>
|
|
||||||
+ <child>
|
|
||||||
+ <object class="GtkCheckButton" id="require_id_on_certificate_checkbutton">
|
|
||||||
+ <property name="focusable">1</property>
|
|
||||||
+ <layout>
|
|
||||||
+ <property name="column">1</property>
|
|
||||||
+ <property name="row">1</property>
|
|
||||||
+ </layout>
|
|
||||||
+ </object>
|
|
||||||
+ </child>
|
|
||||||
</object>
|
|
||||||
</child>
|
|
||||||
</object>
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -9,9 +9,9 @@
|
|||||||
%bcond_without gtk4
|
%bcond_without gtk4
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%global real_version 1.2.22
|
%global real_version 1.2.24
|
||||||
%global rpm_version 1.2.22
|
%global rpm_version 1.2.24
|
||||||
%global release_version 2
|
%global release_version 1
|
||||||
|
|
||||||
%global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[1-9][0-9]*\\)\\.[1-9][0-9]*$/\\1/p')
|
%global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[1-9][0-9]*\\)\\.[1-9][0-9]*$/\\1/p')
|
||||||
|
|
||||||
@ -33,8 +33,6 @@ Source0: https://download.gnome.org/sources/NetworkManager-libreswan/%{real_ve
|
|||||||
|
|
||||||
# Bugfixes that are only relevant until next rebase of the package.
|
# Bugfixes that are only relevant until next rebase of the package.
|
||||||
# Patch1001: 1001-some.patch
|
# Patch1001: 1001-some.patch
|
||||||
Patch1001: 1001-editor-connect-stuff_changed_cb-from-populate_widget.patch
|
|
||||||
Patch1002: 1002-properties-add-require-id-on-certificate.patch
|
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
@ -136,6 +134,10 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Oct 22 2024 Lubomir Rintel <lkundrak@v3.sk> - 1.2.24-1
|
||||||
|
- Update to 1.2.24 release
|
||||||
|
- Fix improper escaping of Libreswan configuration (CVE-2024-9050)
|
||||||
|
|
||||||
* Thu Sep 12 2024 Íñigo Huguet <ihuguet@redhat.com> - 1.2.22-2
|
* Thu Sep 12 2024 Íñigo Huguet <ihuguet@redhat.com> - 1.2.22-2
|
||||||
- Support require-id-on-certificate (RHEL-58040)
|
- Support require-id-on-certificate (RHEL-58040)
|
||||||
|
|
||||||
|
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (NetworkManager-libreswan-1.2.22.tar.xz) = 80885a276344ab512fb7b3d4b9932525787006781f3c8e0ab93343b78172f1d971c7753df53f21db8f45ea873469d80fc1e12f8d56d6e05d31a536069ff46e16
|
SHA512 (NetworkManager-libreswan-1.2.24.tar.xz) = 8b7c8d7736b3ffcb27d6e28c9073f0cad5098decc41342643dd7392c361a7d2664bdac17ca895b14c9b224d330637d4f5d095f242b06e3d312b00803993c6e5c
|
||||||
|
Loading…
Reference in New Issue
Block a user