From 697aa0d4b435acdad36054dc7927623c5c34d3c5 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 16 May 2023 09:16:54 +0000 Subject: [PATCH] import libreswan-4.9-2.el8_8.2 --- .../libreswan-4.9-2176248-authby-rsasig.patch | 52 ++++++++++++ SOURCES/libreswan-4.9-cve-2023-23009.patch | 84 +++++++++++++++++++ SPECS/libreswan.spec | 16 +++- 3 files changed, 151 insertions(+), 1 deletion(-) create mode 100644 SOURCES/libreswan-4.9-2176248-authby-rsasig.patch create mode 100644 SOURCES/libreswan-4.9-cve-2023-23009.patch diff --git a/SOURCES/libreswan-4.9-2176248-authby-rsasig.patch b/SOURCES/libreswan-4.9-2176248-authby-rsasig.patch new file mode 100644 index 0000000..9569e86 --- /dev/null +++ b/SOURCES/libreswan-4.9-2176248-authby-rsasig.patch @@ -0,0 +1,52 @@ +From 000b230258dd272ab15b384c330c31f996d0ba18 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 14 Apr 2023 14:10:47 +0900 +Subject: [PATCH] Ignore system crypto-policies for SHA-1 for legacy + authby=rsa-sha1 + +Signed-off-by: Daiki Ueno +--- + lib/libswan/pubkey_rsa.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/lib/libswan/pubkey_rsa.c b/lib/libswan/pubkey_rsa.c +index 38b44ab61d..9a7c0bc6a8 100644 +--- a/lib/libswan/pubkey_rsa.c ++++ b/lib/libswan/pubkey_rsa.c +@@ -501,9 +501,33 @@ static struct hash_signature RSA_sign_hash_pkcs1_1_5_rsa(const struct secret_stu + * used to generate the signature. + */ + SECItem signature_result = {0}; ++ ++ /* ignore system crypto-policies for the hash algorithm */ ++ PRUint32 saved_policy; ++ ++ if (NSS_GetAlgorithmPolicy(hash_algo->nss.oid_tag, &saved_policy) != SECSuccess) { ++ /* PR_GetError() returns the thread-local error */ ++ enum_buf tb; ++ llog_nss_error(RC_LOG_SERIOUS, logger, ++ "NSS_SetAlgorithmPolicy(%s) function failed", ++ str_nss_oid(hash_algo->nss.oid_tag, &tb)); ++ return (struct hash_signature) { .len = 0, }; ++ } ++ ++ if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) { ++ (void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag, ++ NSS_USE_ALG_IN_SIGNATURE, 0); ++ } ++ + SECStatus s = SGN_Digest(pks->u.pubkey.private_key, + hash_algo->nss.oid_tag, + &signature_result, &digest); ++ ++ if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) { ++ (void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag, ++ saved_policy, ~saved_policy); ++ } ++ + if (s != SECSuccess) { + /* PR_GetError() returns the thread-local error */ + enum_buf tb; +-- +2.40.0 + diff --git a/SOURCES/libreswan-4.9-cve-2023-23009.patch b/SOURCES/libreswan-4.9-cve-2023-23009.patch new file mode 100644 index 0000000..bbcf25e --- /dev/null +++ b/SOURCES/libreswan-4.9-cve-2023-23009.patch @@ -0,0 +1,84 @@ +From 7a6c217f47b1ae37e32b173dc6d3ea7fdb86d532 Mon Sep 17 00:00:00 2001 +From: Paul Wouters +Date: Tue, 28 Feb 2023 11:24:22 -0500 +Subject: [PATCH 1/2] pluto: abort processing corrupt TS payloads + CVE-2023-23009 + +Latest updates on this issue at https://libreswan.org/security/CVE-2023-23009 +--- + programs/pluto/ikev2_ts.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c +index 3f7519ca38..f06c40ba46 100644 +--- a/programs/pluto/ikev2_ts.c ++++ b/programs/pluto/ikev2_ts.c +@@ -437,6 +437,11 @@ static bool v2_parse_tss(struct payload_digest *const ts_pd, + d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc, + &ts_h, sizeof(ts_h), &ts_body_pbs); + ++ if (d != NULL) { ++ llog_diag(RC_LOG, logger, &d, "%s", ""); ++ return false; ++ } ++ + switch (ts_h.isath_type) { + case IKEv2_TS_IPV4_ADDR_RANGE: + case IKEv2_TS_IPV6_ADDR_RANGE: +-- +2.39.2 + + +From 52c19ccc9455ccd91fa4946b09f8e11222f1c923 Mon Sep 17 00:00:00 2001 +From: Andrew Cagney +Date: Tue, 28 Feb 2023 14:10:44 -0500 +Subject: [PATCH 2/2] ikev1: only clean up a connection when it isn't deleted + +fix #1018 reported by Wolfgang. +see also ecb9c88910df1fb070488835bf3180096f3ccba3: +IKEv1: Remove all IPsec SA's of a connection when newest SA is removed. +--- + programs/pluto/ikev1_main.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/programs/pluto/ikev1_main.c b/programs/pluto/ikev1_main.c +index a616c5ccf3..21765d4002 100644 +--- a/programs/pluto/ikev1_main.c ++++ b/programs/pluto/ikev1_main.c +@@ -2130,15 +2130,16 @@ bool accept_delete(struct msg_digest *md, + ntohl(spi)); + } + +- struct connection *rc = dst->st_connection; ++ /* save for post delete_state() code */ ++ co_serial_t rc_serialno = dst->st_connection->serialno; + + if (nat_traversal_enabled && dst->st_connection->ikev1_natt != NATT_NONE) { + nat_traversal_change_port_lookup(md, dst); + v1_maybe_natify_initiator_endpoints(st, HERE); + } + +- if (rc->newest_ipsec_sa == dst->st_serialno && +- (rc->policy & POLICY_UP)) { ++ if (dst->st_connection->newest_ipsec_sa == dst->st_serialno && ++ (dst->st_connection->policy & POLICY_UP)) { + /* + * Last IPsec SA for a permanent + * connection that we have initiated. +@@ -2162,7 +2163,12 @@ bool accept_delete(struct msg_digest *md, + md->v1_st = NULL; + } + +- if (rc->newest_ipsec_sa == SOS_NOBODY) { ++ /* ++ * Either .newest_ipsec_sa matches DST ++ * and is cleared, or was never set. ++ */ ++ struct connection *rc = connection_by_serialno(rc_serialno); ++ if (rc != NULL && rc->newest_ipsec_sa == SOS_NOBODY) { + dbg("%s() connection '%s' -POLICY_UP", __func__, rc->name); + rc->policy &= ~POLICY_UP; + if (!shared_phase1_connection(rc)) { +-- +2.39.2 + diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec index 5fb72dd..e40912d 100644 --- a/SPECS/libreswan.spec +++ b/SPECS/libreswan.spec @@ -37,7 +37,7 @@ Name: libreswan Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols # version is generated in the release script Version: 4.9 -Release: %{?prever:0.}1%{?prever:.%{prever}}%{?dist} +Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}.2 License: GPLv2 Url: https://libreswan.org/ @@ -52,6 +52,8 @@ Patch1: libreswan-4.3-maintain-different-v1v2-split.patch Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch Patch3: libreswan-4.1-maintain-obsolete-keywords.patch Patch6: libreswan-4.3-1934186-config.patch +Patch7: libreswan-4.9-cve-2023-23009.patch +Patch8: libreswan-4.9-2176248-authby-rsasig.patch BuildRequires: audit-libs-devel BuildRequires: bison @@ -110,6 +112,8 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %patch2 -p1 %patch3 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 # linking to freebl is not needed sed -i "s/-lfreebl //" mk/config.mk @@ -213,6 +217,16 @@ certutil -N -d sql:$tmpdir --empty-password %attr(0644,root,root) %doc %{_mandir}/*/* %changelog +* Tue Apr 25 2023 Daiki Ueno - 4.9-2.2 +- Update libreswan-4.9-2176248-authby-rsasig.patch + +* Fri Apr 14 2023 Daiki Ueno - 4.9-2.1 +- Resolves: rhbz#2187647 authby=rsasig fails in FIPS policy + +* Tue Apr 4 2023 Daiki Ueno - 4.9-2 +- Fix CVE-2023-23009: remote DoS via crafted TS payload with an + incorrect selector length (rhbz#2186127) + * Mon Jan 9 2023 Daiki Ueno - 4.9-1 - Resolves: rhbz#2128672 Rebase libreswan to 4.9 - Remove libreswan-4.4-ikev1-disable-diagnostics.patch no longer necessary