Compare commits
1 Commits
c8
...
changed/a8
Author | SHA1 | Date | |
---|---|---|---|
1c89fc81f3 |
@ -1,92 +0,0 @@
|
|||||||
From 5101913b1e623121a9222f11eefa18f0a2708b00 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andrew Cagney <cagney@gnu.org>
|
|
||||||
Date: Wed, 27 Mar 2024 10:43:19 -0400
|
|
||||||
Subject: [PATCH] ikev1: in compute_proto_keymat() only allow explicitly
|
|
||||||
handled ESP algorithms
|
|
||||||
|
|
||||||
---
|
|
||||||
programs/pluto/ikev1_quick.c | 41 ++++++++++++++----------------------
|
|
||||||
1 file changed, 16 insertions(+), 25 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/programs/pluto/ikev1_quick.c b/programs/pluto/ikev1_quick.c
|
|
||||||
index 81c522c148..22c346afb4 100644
|
|
||||||
--- a/programs/pluto/ikev1_quick.c
|
|
||||||
+++ b/programs/pluto/ikev1_quick.c
|
|
||||||
@@ -203,7 +203,7 @@ static bool emit_subnet_id(enum perspective perspective,
|
|
||||||
* RFC 2409 "IKE" section 5.5
|
|
||||||
* specifies how this is to be done.
|
|
||||||
*/
|
|
||||||
-static void compute_proto_keymat(struct state *st,
|
|
||||||
+static bool compute_proto_keymat(struct state *st,
|
|
||||||
uint8_t protoid,
|
|
||||||
struct ipsec_proto_info *pi,
|
|
||||||
const char *satypename)
|
|
||||||
@@ -297,27 +297,13 @@ static void compute_proto_keymat(struct state *st,
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
- case ESP_CAST:
|
|
||||||
- case ESP_TWOFISH:
|
|
||||||
- case ESP_SERPENT:
|
|
||||||
- /* ESP_SEED is for IKEv1 only and not supported. Its number in IKEv2 has been re-used */
|
|
||||||
- bad_case(pi->attrs.transattrs.ta_ikev1_encrypt);
|
|
||||||
-
|
|
||||||
default:
|
|
||||||
- /* bytes */
|
|
||||||
- needed_len = encrypt_max_key_bit_length(pi->attrs.transattrs.ta_encrypt) / BITS_PER_BYTE;
|
|
||||||
- if (needed_len > 0) {
|
|
||||||
- /* XXX: check key_len coupling with kernel.c's */
|
|
||||||
- if (pi->attrs.transattrs.enckeylen) {
|
|
||||||
- needed_len =
|
|
||||||
- pi->attrs.transattrs.enckeylen
|
|
||||||
- / BITS_PER_BYTE;
|
|
||||||
- dbg("compute_proto_keymat: key_len=%d from peer",
|
|
||||||
- (int)needed_len);
|
|
||||||
- }
|
|
||||||
- break;
|
|
||||||
- }
|
|
||||||
- bad_case(pi->attrs.transattrs.ta_ikev1_encrypt);
|
|
||||||
+ {
|
|
||||||
+ enum_buf eb;
|
|
||||||
+ llog(RC_LOG, st->st_logger, "rejecting request for keymat for %s",
|
|
||||||
+ str_enum(&esp_transformid_names, protoid, &eb));
|
|
||||||
+ return false;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
dbg("compute_proto_keymat: needed_len (after ESP enc)=%d", (int)needed_len);
|
|
||||||
needed_len += pi->attrs.transattrs.ta_integ->integ_keymat_size;
|
|
||||||
@@ -359,14 +345,17 @@ static void compute_proto_keymat(struct state *st,
|
|
||||||
DBG_dump_hunk(" inbound:", pi->inbound.keymat);
|
|
||||||
DBG_dump_hunk(" outbound:", pi->outbound.keymat);
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static void compute_keymats(struct state *st)
|
|
||||||
+static bool compute_keymats(struct state *st)
|
|
||||||
{
|
|
||||||
if (st->st_ah.present)
|
|
||||||
- compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah, "AH");
|
|
||||||
+ return compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah, "AH");
|
|
||||||
if (st->st_esp.present)
|
|
||||||
- compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp, "ESP");
|
|
||||||
+ return compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp, "ESP");
|
|
||||||
+ return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
@@ -1460,7 +1449,9 @@ static stf_status quick_inI1_outR1_continue12_tail(struct state *st, struct msg_
|
|
||||||
fixup_v1_HASH(st, &hash_fixup, st->st_v1_msgid.id, rbody.cur);
|
|
||||||
|
|
||||||
/* Derive new keying material */
|
|
||||||
- compute_keymats(st);
|
|
||||||
+ if (!compute_keymats(st)) {
|
|
||||||
+ return STF_FATAL;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/* Tell the kernel to establish the new inbound SA
|
|
||||||
* (unless the commit bit is set -- which we don't support).
|
|
||||||
--
|
|
||||||
2.45.0
|
|
||||||
|
|
@ -37,7 +37,7 @@ Name: libreswan
|
|||||||
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
|
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
|
||||||
# version is generated in the release script
|
# version is generated in the release script
|
||||||
Version: 4.12
|
Version: 4.12
|
||||||
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}.4
|
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}.2.alma.1
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Url: https://libreswan.org/
|
Url: https://libreswan.org/
|
||||||
|
|
||||||
@ -53,8 +53,10 @@ Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch
|
|||||||
Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
|
Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
|
||||||
Patch6: libreswan-4.3-1934186-config.patch
|
Patch6: libreswan-4.3-1934186-config.patch
|
||||||
Patch7: libreswan-4.9-2176248-authby-rsasig.patch
|
Patch7: libreswan-4.9-2176248-authby-rsasig.patch
|
||||||
|
|
||||||
|
# Patches were taken from:
|
||||||
|
# https://gitlab.com/redhat/centos-stream/rpms/libreswan/-/commit/2016c6075dfad82538a348bc9276556e7941d230
|
||||||
Patch8: libreswan-4.12-ikev2-auth-delete-state.patch
|
Patch8: libreswan-4.12-ikev2-auth-delete-state.patch
|
||||||
Patch9: libreswan-4.12-ikev1-compute-keymat-default.patch
|
|
||||||
|
|
||||||
BuildRequires: audit-libs-devel
|
BuildRequires: audit-libs-devel
|
||||||
BuildRequires: bison
|
BuildRequires: bison
|
||||||
@ -115,7 +117,6 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
|
|||||||
%patch6 -p1
|
%patch6 -p1
|
||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
%patch9 -p1
|
|
||||||
|
|
||||||
# linking to freebl is not needed
|
# linking to freebl is not needed
|
||||||
sed -i "s/-lfreebl //" mk/config.mk
|
sed -i "s/-lfreebl //" mk/config.mk
|
||||||
@ -219,17 +220,9 @@ certutil -N -d sql:$tmpdir --empty-password
|
|||||||
%attr(0644,root,root) %doc %{_mandir}/*/*
|
%attr(0644,root,root) %doc %{_mandir}/*/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu Jun 6 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.4
|
* Mon Apr 15 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.2.alma.1
|
||||||
- Fix CVE-2024-3652 (RHEL-32482)
|
- ikev2: return STF_FATAL when initiator fails to emit AUTH
|
||||||
|
packet
|
||||||
* Wed Apr 17 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.3
|
|
||||||
- Bump release to ensure el8 package is greater than el8_* packages
|
|
||||||
|
|
||||||
* Tue Apr 16 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.2
|
|
||||||
- Fix patch application in the previous change
|
|
||||||
|
|
||||||
* Mon Apr 15 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.1
|
|
||||||
- Fix CVE-2024-2357 (RHEL-28742)
|
|
||||||
|
|
||||||
* Fri Aug 25 2023 Daiki Ueno <dueno@redhat.com> - 4.12-2
|
* Fri Aug 25 2023 Daiki Ueno <dueno@redhat.com> - 4.12-2
|
||||||
- Resolves: rhbz#2234731 authby=rsasig fails in FIPS policy
|
- Resolves: rhbz#2234731 authby=rsasig fails in FIPS policy
|
||||||
|
Loading…
Reference in New Issue
Block a user