import CS libreswan-4.12-2.el8
This commit is contained in:
parent
ac6553c8f0
commit
4c0a78f7d6
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,4 +1,4 @@
|
|||||||
SOURCES/ikev1_dsa.fax.bz2
|
SOURCES/ikev1_dsa.fax.bz2
|
||||||
SOURCES/ikev1_psk.fax.bz2
|
SOURCES/ikev1_psk.fax.bz2
|
||||||
SOURCES/ikev2.fax.bz2
|
SOURCES/ikev2.fax.bz2
|
||||||
SOURCES/libreswan-4.9.tar.gz
|
SOURCES/libreswan-4.12.tar.gz
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
|
b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
|
||||||
861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
|
861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
|
||||||
fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
|
fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
|
||||||
12b7351ca7e6ba1ac787239e67027a4d82f02f10 SOURCES/libreswan-4.9.tar.gz
|
786c14a4755311ea3103683a3294e1536b1e44a6 SOURCES/libreswan-4.12.tar.gz
|
||||||
|
52
SOURCES/libreswan-4.9-2176248-authby-rsasig.patch
Normal file
52
SOURCES/libreswan-4.9-2176248-authby-rsasig.patch
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
From 000b230258dd272ab15b384c330c31f996d0ba18 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daiki Ueno <dueno@redhat.com>
|
||||||
|
Date: Fri, 14 Apr 2023 14:10:47 +0900
|
||||||
|
Subject: [PATCH] Ignore system crypto-policies for SHA-1 for legacy
|
||||||
|
authby=rsa-sha1
|
||||||
|
|
||||||
|
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
||||||
|
---
|
||||||
|
lib/libswan/pubkey_rsa.c | 24 ++++++++++++++++++++++++
|
||||||
|
1 file changed, 24 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/libswan/pubkey_rsa.c b/lib/libswan/pubkey_rsa.c
|
||||||
|
index 38b44ab61d..9a7c0bc6a8 100644
|
||||||
|
--- a/lib/libswan/pubkey_rsa.c
|
||||||
|
+++ b/lib/libswan/pubkey_rsa.c
|
||||||
|
@@ -501,9 +501,33 @@ static struct hash_signature RSA_sign_hash_pkcs1_1_5_rsa(const struct secret_stu
|
||||||
|
* used to generate the signature.
|
||||||
|
*/
|
||||||
|
SECItem signature_result = {0};
|
||||||
|
+
|
||||||
|
+ /* ignore system crypto-policies for the hash algorithm */
|
||||||
|
+ PRUint32 saved_policy;
|
||||||
|
+
|
||||||
|
+ if (NSS_GetAlgorithmPolicy(hash_algo->nss.oid_tag, &saved_policy) != SECSuccess) {
|
||||||
|
+ /* PR_GetError() returns the thread-local error */
|
||||||
|
+ enum_buf tb;
|
||||||
|
+ llog_nss_error(RC_LOG_SERIOUS, logger,
|
||||||
|
+ "NSS_SetAlgorithmPolicy(%s) function failed",
|
||||||
|
+ str_nss_oid(hash_algo->nss.oid_tag, &tb));
|
||||||
|
+ return (struct hash_signature) { .len = 0, };
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) {
|
||||||
|
+ (void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag,
|
||||||
|
+ NSS_USE_ALG_IN_SIGNATURE, 0);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
SECStatus s = SGN_Digest(pks->u.pubkey.private_key,
|
||||||
|
hash_algo->nss.oid_tag,
|
||||||
|
&signature_result, &digest);
|
||||||
|
+
|
||||||
|
+ if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) {
|
||||||
|
+ (void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag,
|
||||||
|
+ saved_policy, ~saved_policy);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (s != SECSuccess) {
|
||||||
|
/* PR_GetError() returns the thread-local error */
|
||||||
|
enum_buf tb;
|
||||||
|
--
|
||||||
|
2.40.0
|
||||||
|
|
@ -36,8 +36,8 @@
|
|||||||
Name: libreswan
|
Name: libreswan
|
||||||
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
|
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
|
||||||
# version is generated in the release script
|
# version is generated in the release script
|
||||||
Version: 4.9
|
Version: 4.12
|
||||||
Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
|
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Url: https://libreswan.org/
|
Url: https://libreswan.org/
|
||||||
|
|
||||||
@ -52,6 +52,7 @@ Patch1: libreswan-4.3-maintain-different-v1v2-split.patch
|
|||||||
Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch
|
Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch
|
||||||
Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
|
Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
|
||||||
Patch6: libreswan-4.3-1934186-config.patch
|
Patch6: libreswan-4.3-1934186-config.patch
|
||||||
|
Patch7: libreswan-4.9-2176248-authby-rsasig.patch
|
||||||
|
|
||||||
BuildRequires: audit-libs-devel
|
BuildRequires: audit-libs-devel
|
||||||
BuildRequires: bison
|
BuildRequires: bison
|
||||||
@ -110,6 +111,7 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
|
|||||||
%patch2 -p1
|
%patch2 -p1
|
||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch6 -p1
|
%patch6 -p1
|
||||||
|
%patch7 -p1
|
||||||
|
|
||||||
# linking to freebl is not needed
|
# linking to freebl is not needed
|
||||||
sed -i "s/-lfreebl //" mk/config.mk
|
sed -i "s/-lfreebl //" mk/config.mk
|
||||||
@ -213,6 +215,17 @@ certutil -N -d sql:$tmpdir --empty-password
|
|||||||
%attr(0644,root,root) %doc %{_mandir}/*/*
|
%attr(0644,root,root) %doc %{_mandir}/*/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Aug 25 2023 Daiki Ueno <dueno@redhat.com> - 4.12-2
|
||||||
|
- Resolves: rhbz#2234731 authby=rsasig fails in FIPS policy
|
||||||
|
|
||||||
|
* Wed Aug 9 2023 Daiki Ueno <dueno@redhat.com> - 4.12-1
|
||||||
|
- Update to 4.12 to fix CVE-2023-38710, CVE-2023-38711, CVE-2023-38712
|
||||||
|
- Resolves: rhbz#2215955
|
||||||
|
|
||||||
|
* Thu May 04 2023 Sahana Prasad <sahana@redhat.com> - 4.9-2
|
||||||
|
- Fix CVE-2023-30570 Malicious IKEv1 Aggressive Mode packets can crash libreswan
|
||||||
|
- Resolves: rhbz#2187179
|
||||||
|
|
||||||
* Mon Jan 9 2023 Daiki Ueno <dueno@redhat.com> - 4.9-1
|
* Mon Jan 9 2023 Daiki Ueno <dueno@redhat.com> - 4.9-1
|
||||||
- Resolves: rhbz#2128672 Rebase libreswan to 4.9
|
- Resolves: rhbz#2128672 Rebase libreswan to 4.9
|
||||||
- Remove libreswan-4.4-ikev1-disable-diagnostics.patch no longer necessary
|
- Remove libreswan-4.4-ikev1-disable-diagnostics.patch no longer necessary
|
||||||
|
Loading…
Reference in New Issue
Block a user