import libreswan-4.9-2.el8_8.2

2023-05-16 09:16:54 +00:00 · 2023-05-16 09:16:54 +00:00 · 697aa0d4b4
parent 2f6f01707b
commit 697aa0d4b4
3 changed files with 151 additions and 1 deletions
--- a/SOURCES/libreswan-4.9-2176248-authby-rsasig.patch
+++ b/SOURCES/libreswan-4.9-2176248-authby-rsasig.patch
@ -0,0 +1,52 @@
+From 000b230258dd272ab15b384c330c31f996d0ba18 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Fri, 14 Apr 2023 14:10:47 +0900
+Subject: [PATCH] Ignore system crypto-policies for SHA-1 for legacy
+ authby=rsa-sha1
+
+Signed-off-by: Daiki Ueno <dueno@redhat.com>
+---
+ lib/libswan/pubkey_rsa.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/lib/libswan/pubkey_rsa.c b/lib/libswan/pubkey_rsa.c
+index 38b44ab61d..9a7c0bc6a8 100644
+--- a/lib/libswan/pubkey_rsa.c
+++ b/lib/libswan/pubkey_rsa.c
+@@ -501,9 +501,33 @@ static struct hash_signature RSA_sign_hash_pkcs1_1_5_rsa(const struct secret_stu
+ 	 * used to generate the signature.
+ 	 */
+ 	SECItem signature_result = {0};
+
+	/* ignore system crypto-policies for the hash algorithm */
+	PRUint32 saved_policy;
+
+	if (NSS_GetAlgorithmPolicy(hash_algo->nss.oid_tag, &saved_policy) != SECSuccess) {
+		/* PR_GetError() returns the thread-local error */
+		enum_buf tb;
+		llog_nss_error(RC_LOG_SERIOUS, logger,
+			       "NSS_SetAlgorithmPolicy(%s) function failed",
+			       str_nss_oid(hash_algo->nss.oid_tag, &tb));
+		return (struct hash_signature) { .len = 0, };
+	}
+
+	if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) {
+		(void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag,
+					     NSS_USE_ALG_IN_SIGNATURE, 0);
+	}
+
+ 	SECStatus s = SGN_Digest(pks->u.pubkey.private_key,
+ 				 hash_algo->nss.oid_tag,
+ 				 &signature_result, &digest);
+
+	if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) {
+		(void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag,
+					     saved_policy, ~saved_policy);
+	}
+
+ 	if (s != SECSuccess) {
+ 		/* PR_GetError() returns the thread-local error */
+ 		enum_buf tb;
+-- 
+2.40.0
+
--- a/SOURCES/libreswan-4.9-cve-2023-23009.patch
+++ b/SOURCES/libreswan-4.9-cve-2023-23009.patch
@ -0,0 +1,84 @@
+From 7a6c217f47b1ae37e32b173dc6d3ea7fdb86d532 Mon Sep 17 00:00:00 2001
+From: Paul Wouters <paul.wouters@aiven.io>
+Date: Tue, 28 Feb 2023 11:24:22 -0500
+Subject: [PATCH 1/2] pluto: abort processing corrupt TS payloads
+ CVE-2023-23009
+
+Latest updates on this issue at https://libreswan.org/security/CVE-2023-23009
+---
+ programs/pluto/ikev2_ts.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c
+index 3f7519ca38..f06c40ba46 100644
+--- a/programs/pluto/ikev2_ts.c
+++ b/programs/pluto/ikev2_ts.c
+@@ -437,6 +437,11 @@ static bool v2_parse_tss(struct payload_digest *const ts_pd,
+ 		d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc,
+ 			  &ts_h, sizeof(ts_h), &ts_body_pbs);
+ 
+		if (d != NULL) {
+			llog_diag(RC_LOG, logger, &d, "%s", "");
+			return false;
+		}
+
+ 		switch (ts_h.isath_type) {
+ 		case IKEv2_TS_IPV4_ADDR_RANGE:
+ 		case IKEv2_TS_IPV6_ADDR_RANGE:
+-- 
+2.39.2
+
+
+From 52c19ccc9455ccd91fa4946b09f8e11222f1c923 Mon Sep 17 00:00:00 2001
+From: Andrew Cagney <cagney@gnu.org>
+Date: Tue, 28 Feb 2023 14:10:44 -0500
+Subject: [PATCH 2/2] ikev1: only clean up a connection when it isn't deleted
+
+fix #1018 reported by Wolfgang.
+see also ecb9c88910df1fb070488835bf3180096f3ccba3:
+IKEv1: Remove all IPsec SA's of a connection when newest SA is removed.
+---
+ programs/pluto/ikev1_main.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/programs/pluto/ikev1_main.c b/programs/pluto/ikev1_main.c
+index a616c5ccf3..21765d4002 100644
+--- a/programs/pluto/ikev1_main.c
+++ b/programs/pluto/ikev1_main.c
+@@ -2130,15 +2130,16 @@ bool accept_delete(struct msg_digest *md,
+ 						  ntohl(spi));
+ 				}
+ 
+-				struct connection *rc = dst->st_connection;
+				/* save for post delete_state() code */
+				co_serial_t rc_serialno = dst->st_connection->serialno;
+ 
+ 				if (nat_traversal_enabled && dst->st_connection->ikev1_natt != NATT_NONE) {
+ 					nat_traversal_change_port_lookup(md, dst);
+ 					v1_maybe_natify_initiator_endpoints(st, HERE);
+ 				}
+ 
+-				if (rc->newest_ipsec_sa == dst->st_serialno &&
+-					(rc->policy & POLICY_UP)) {
+				if (dst->st_connection->newest_ipsec_sa == dst->st_serialno &&
+				    (dst->st_connection->policy & POLICY_UP)) {
+ 					/*
+ 					 * Last IPsec SA for a permanent
+ 					 * connection that we have initiated.
+@@ -2162,7 +2163,12 @@ bool accept_delete(struct msg_digest *md,
+ 						md->v1_st = NULL;
+ 				}
+ 
+-				if (rc->newest_ipsec_sa == SOS_NOBODY) {
+				/*
+				 * Either .newest_ipsec_sa matches DST
+				 * and is cleared, or was never set.
+				 */
+				struct connection *rc = connection_by_serialno(rc_serialno);
+				if (rc != NULL && rc->newest_ipsec_sa == SOS_NOBODY) {
+ 					dbg("%s() connection '%s' -POLICY_UP", __func__, rc->name);
+ 					rc->policy &= ~POLICY_UP;
+ 					if (!shared_phase1_connection(rc)) {
+-- 
+2.39.2
+
--- a/SPECS/libreswan.spec
+++ b/SPECS/libreswan.spec
@ -37,7 +37,7 @@ Name: libreswan
 Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
 # version is generated in the release script
 Version: 4.9
-Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist}
+Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}.2
 License: GPLv2
 Url: https://libreswan.org/

@ -52,6 +52,8 @@ Patch1: libreswan-4.3-maintain-different-v1v2-split.patch
 Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch
 Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
 Patch6: libreswan-4.3-1934186-config.patch
+Patch7: libreswan-4.9-cve-2023-23009.patch
+Patch8: libreswan-4.9-2176248-authby-rsasig.patch

 BuildRequires: audit-libs-devel
 BuildRequires: bison
@ -110,6 +112,8 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
 %patch2 -p1
 %patch3 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1

 # linking to freebl is not needed
 sed -i "s/-lfreebl //" mk/config.mk
@ -213,6 +217,16 @@ certutil -N -d sql:$tmpdir --empty-password
 %attr(0644,root,root) %doc %{_mandir}/*/*

 %changelog
+* Tue Apr 25 2023 Daiki Ueno <dueno@redhat.com> - 4.9-2.2
+- Update libreswan-4.9-2176248-authby-rsasig.patch
+
+* Fri Apr 14 2023 Daiki Ueno <dueno@redhat.com> - 4.9-2.1
+- Resolves: rhbz#2187647 authby=rsasig fails in FIPS policy
+
+* Tue Apr  4 2023 Daiki Ueno <dueno@redhat.com> - 4.9-2
+- Fix CVE-2023-23009: remote DoS via crafted TS payload with an
+  incorrect selector length (rhbz#2186127)
+
 * Mon Jan  9 2023 Daiki Ueno <dueno@redhat.com> - 4.9-1
 - Resolves: rhbz#2128672 Rebase libreswan to 4.9
 - Remove libreswan-4.4-ikev1-disable-diagnostics.patch no longer necessary