Compare commits
4 Commits
imports/c8
...
c8
Author | SHA1 | Date | |
---|---|---|---|
7e40263f49 | |||
89da7232f3 | |||
c48dde0be5 | |||
|
841aaa158c |
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,4 +1,4 @@
|
|||||||
SOURCES/ikev1_dsa.fax.bz2
|
SOURCES/ikev1_dsa.fax.bz2
|
||||||
SOURCES/ikev1_psk.fax.bz2
|
SOURCES/ikev1_psk.fax.bz2
|
||||||
SOURCES/ikev2.fax.bz2
|
SOURCES/ikev2.fax.bz2
|
||||||
SOURCES/libreswan-4.9.tar.gz
|
SOURCES/libreswan-4.12.tar.gz
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
|
b35cd50b8bc0a08b9c07713bf19c72d53bfe66bb SOURCES/ikev1_dsa.fax.bz2
|
||||||
861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
|
861d97bf488f9e296cad8c43ab72f111a5b1a848 SOURCES/ikev1_psk.fax.bz2
|
||||||
fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
|
fcaf77f3deae3d8e99cdb3b1f8abea63167a0633 SOURCES/ikev2.fax.bz2
|
||||||
12b7351ca7e6ba1ac787239e67027a4d82f02f10 SOURCES/libreswan-4.9.tar.gz
|
786c14a4755311ea3103683a3294e1536b1e44a6 SOURCES/libreswan-4.12.tar.gz
|
||||||
|
92
SOURCES/libreswan-4.12-ikev1-compute-keymat-default.patch
Normal file
92
SOURCES/libreswan-4.12-ikev1-compute-keymat-default.patch
Normal file
@ -0,0 +1,92 @@
|
|||||||
|
From 5101913b1e623121a9222f11eefa18f0a2708b00 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andrew Cagney <cagney@gnu.org>
|
||||||
|
Date: Wed, 27 Mar 2024 10:43:19 -0400
|
||||||
|
Subject: [PATCH] ikev1: in compute_proto_keymat() only allow explicitly
|
||||||
|
handled ESP algorithms
|
||||||
|
|
||||||
|
---
|
||||||
|
programs/pluto/ikev1_quick.c | 41 ++++++++++++++----------------------
|
||||||
|
1 file changed, 16 insertions(+), 25 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/programs/pluto/ikev1_quick.c b/programs/pluto/ikev1_quick.c
|
||||||
|
index 81c522c148..22c346afb4 100644
|
||||||
|
--- a/programs/pluto/ikev1_quick.c
|
||||||
|
+++ b/programs/pluto/ikev1_quick.c
|
||||||
|
@@ -203,7 +203,7 @@ static bool emit_subnet_id(enum perspective perspective,
|
||||||
|
* RFC 2409 "IKE" section 5.5
|
||||||
|
* specifies how this is to be done.
|
||||||
|
*/
|
||||||
|
-static void compute_proto_keymat(struct state *st,
|
||||||
|
+static bool compute_proto_keymat(struct state *st,
|
||||||
|
uint8_t protoid,
|
||||||
|
struct ipsec_proto_info *pi,
|
||||||
|
const char *satypename)
|
||||||
|
@@ -297,27 +297,13 @@ static void compute_proto_keymat(struct state *st,
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
- case ESP_CAST:
|
||||||
|
- case ESP_TWOFISH:
|
||||||
|
- case ESP_SERPENT:
|
||||||
|
- /* ESP_SEED is for IKEv1 only and not supported. Its number in IKEv2 has been re-used */
|
||||||
|
- bad_case(pi->attrs.transattrs.ta_ikev1_encrypt);
|
||||||
|
-
|
||||||
|
default:
|
||||||
|
- /* bytes */
|
||||||
|
- needed_len = encrypt_max_key_bit_length(pi->attrs.transattrs.ta_encrypt) / BITS_PER_BYTE;
|
||||||
|
- if (needed_len > 0) {
|
||||||
|
- /* XXX: check key_len coupling with kernel.c's */
|
||||||
|
- if (pi->attrs.transattrs.enckeylen) {
|
||||||
|
- needed_len =
|
||||||
|
- pi->attrs.transattrs.enckeylen
|
||||||
|
- / BITS_PER_BYTE;
|
||||||
|
- dbg("compute_proto_keymat: key_len=%d from peer",
|
||||||
|
- (int)needed_len);
|
||||||
|
- }
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
- bad_case(pi->attrs.transattrs.ta_ikev1_encrypt);
|
||||||
|
+ {
|
||||||
|
+ enum_buf eb;
|
||||||
|
+ llog(RC_LOG, st->st_logger, "rejecting request for keymat for %s",
|
||||||
|
+ str_enum(&esp_transformid_names, protoid, &eb));
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
dbg("compute_proto_keymat: needed_len (after ESP enc)=%d", (int)needed_len);
|
||||||
|
needed_len += pi->attrs.transattrs.ta_integ->integ_keymat_size;
|
||||||
|
@@ -359,14 +345,17 @@ static void compute_proto_keymat(struct state *st,
|
||||||
|
DBG_dump_hunk(" inbound:", pi->inbound.keymat);
|
||||||
|
DBG_dump_hunk(" outbound:", pi->outbound.keymat);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static void compute_keymats(struct state *st)
|
||||||
|
+static bool compute_keymats(struct state *st)
|
||||||
|
{
|
||||||
|
if (st->st_ah.present)
|
||||||
|
- compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah, "AH");
|
||||||
|
+ return compute_proto_keymat(st, PROTO_IPSEC_AH, &st->st_ah, "AH");
|
||||||
|
if (st->st_esp.present)
|
||||||
|
- compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp, "ESP");
|
||||||
|
+ return compute_proto_keymat(st, PROTO_IPSEC_ESP, &st->st_esp, "ESP");
|
||||||
|
+ return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -1460,7 +1449,9 @@ static stf_status quick_inI1_outR1_continue12_tail(struct state *st, struct msg_
|
||||||
|
fixup_v1_HASH(st, &hash_fixup, st->st_v1_msgid.id, rbody.cur);
|
||||||
|
|
||||||
|
/* Derive new keying material */
|
||||||
|
- compute_keymats(st);
|
||||||
|
+ if (!compute_keymats(st)) {
|
||||||
|
+ return STF_FATAL;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* Tell the kernel to establish the new inbound SA
|
||||||
|
* (unless the commit bit is set -- which we don't support).
|
||||||
|
--
|
||||||
|
2.45.0
|
||||||
|
|
54
SOURCES/libreswan-4.12-ikev2-auth-delete-state.patch
Normal file
54
SOURCES/libreswan-4.12-ikev2-auth-delete-state.patch
Normal file
@ -0,0 +1,54 @@
|
|||||||
|
From 2ec448884a7467743699803f8a36ee28d237666c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andrew Cagney <cagney@gnu.org>
|
||||||
|
Date: Wed, 28 Feb 2024 08:29:53 -0500
|
||||||
|
Subject: [PATCH] ikev2: return STF_FATAL when initiator fails to emit AUTH
|
||||||
|
packet
|
||||||
|
|
||||||
|
---
|
||||||
|
programs/pluto/ikev2_ike_auth.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/programs/pluto/ikev2_ike_auth.c b/programs/pluto/ikev2_ike_auth.c
|
||||||
|
index 192eb1b3b6..a54a109699 100644
|
||||||
|
--- a/programs/pluto/ikev2_ike_auth.c
|
||||||
|
+++ b/programs/pluto/ikev2_ike_auth.c
|
||||||
|
@@ -1267,7 +1267,7 @@ static stf_status process_v2_IKE_AUTH_request_auth_signature_continue(struct ike
|
||||||
|
/* now send AUTH payload */
|
||||||
|
|
||||||
|
if (!emit_local_v2AUTH(ike, auth_sig, &ike->sa.st_v2_id_payload.mac, response.pbs)) {
|
||||||
|
- return STF_INTERNAL_ERROR;
|
||||||
|
+ return STF_FATAL;
|
||||||
|
}
|
||||||
|
ike->sa.st_v2_ike_intermediate.used = false;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
||||||
|
From 16272f2475d25baab58fbed2af7c67cfb459137f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andrew Cagney <cagney@gnu.org>
|
||||||
|
Date: Thu, 29 Feb 2024 12:19:20 -0500
|
||||||
|
Subject: [PATCH] ikev2: always return STF_FATAL if emitting AUTH fails
|
||||||
|
|
||||||
|
Fix:
|
||||||
|
ikev2: return STF_FATAL when initiator fails to emit AUTH packet
|
||||||
|
which really fixed the responder.
|
||||||
|
---
|
||||||
|
programs/pluto/ikev2_ike_auth.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/programs/pluto/ikev2_ike_auth.c b/programs/pluto/ikev2_ike_auth.c
|
||||||
|
index a54a109699..491053fb10 100644
|
||||||
|
--- a/programs/pluto/ikev2_ike_auth.c
|
||||||
|
+++ b/programs/pluto/ikev2_ike_auth.c
|
||||||
|
@@ -397,7 +397,7 @@ stf_status initiate_v2_IKE_AUTH_request_signature_continue(struct ike_sa *ike,
|
||||||
|
/* send out the AUTH payload */
|
||||||
|
|
||||||
|
if (!emit_local_v2AUTH(ike, auth_sig, &ike->sa.st_v2_id_payload.mac, request.pbs)) {
|
||||||
|
- return STF_INTERNAL_ERROR;
|
||||||
|
+ return STF_FATAL;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (LIN(POLICY_MOBIKE, ike->sa.st_connection->policy)) {
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
@ -1,84 +0,0 @@
|
|||||||
From 7a6c217f47b1ae37e32b173dc6d3ea7fdb86d532 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Paul Wouters <paul.wouters@aiven.io>
|
|
||||||
Date: Tue, 28 Feb 2023 11:24:22 -0500
|
|
||||||
Subject: [PATCH 1/2] pluto: abort processing corrupt TS payloads
|
|
||||||
CVE-2023-23009
|
|
||||||
|
|
||||||
Latest updates on this issue at https://libreswan.org/security/CVE-2023-23009
|
|
||||||
---
|
|
||||||
programs/pluto/ikev2_ts.c | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c
|
|
||||||
index 3f7519ca38..f06c40ba46 100644
|
|
||||||
--- a/programs/pluto/ikev2_ts.c
|
|
||||||
+++ b/programs/pluto/ikev2_ts.c
|
|
||||||
@@ -437,6 +437,11 @@ static bool v2_parse_tss(struct payload_digest *const ts_pd,
|
|
||||||
d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc,
|
|
||||||
&ts_h, sizeof(ts_h), &ts_body_pbs);
|
|
||||||
|
|
||||||
+ if (d != NULL) {
|
|
||||||
+ llog_diag(RC_LOG, logger, &d, "%s", "");
|
|
||||||
+ return false;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
switch (ts_h.isath_type) {
|
|
||||||
case IKEv2_TS_IPV4_ADDR_RANGE:
|
|
||||||
case IKEv2_TS_IPV6_ADDR_RANGE:
|
|
||||||
--
|
|
||||||
2.39.2
|
|
||||||
|
|
||||||
|
|
||||||
From 52c19ccc9455ccd91fa4946b09f8e11222f1c923 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andrew Cagney <cagney@gnu.org>
|
|
||||||
Date: Tue, 28 Feb 2023 14:10:44 -0500
|
|
||||||
Subject: [PATCH 2/2] ikev1: only clean up a connection when it isn't deleted
|
|
||||||
|
|
||||||
fix #1018 reported by Wolfgang.
|
|
||||||
see also ecb9c88910df1fb070488835bf3180096f3ccba3:
|
|
||||||
IKEv1: Remove all IPsec SA's of a connection when newest SA is removed.
|
|
||||||
---
|
|
||||||
programs/pluto/ikev1_main.c | 14 ++++++++++----
|
|
||||||
1 file changed, 10 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/programs/pluto/ikev1_main.c b/programs/pluto/ikev1_main.c
|
|
||||||
index a616c5ccf3..21765d4002 100644
|
|
||||||
--- a/programs/pluto/ikev1_main.c
|
|
||||||
+++ b/programs/pluto/ikev1_main.c
|
|
||||||
@@ -2130,15 +2130,16 @@ bool accept_delete(struct msg_digest *md,
|
|
||||||
ntohl(spi));
|
|
||||||
}
|
|
||||||
|
|
||||||
- struct connection *rc = dst->st_connection;
|
|
||||||
+ /* save for post delete_state() code */
|
|
||||||
+ co_serial_t rc_serialno = dst->st_connection->serialno;
|
|
||||||
|
|
||||||
if (nat_traversal_enabled && dst->st_connection->ikev1_natt != NATT_NONE) {
|
|
||||||
nat_traversal_change_port_lookup(md, dst);
|
|
||||||
v1_maybe_natify_initiator_endpoints(st, HERE);
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (rc->newest_ipsec_sa == dst->st_serialno &&
|
|
||||||
- (rc->policy & POLICY_UP)) {
|
|
||||||
+ if (dst->st_connection->newest_ipsec_sa == dst->st_serialno &&
|
|
||||||
+ (dst->st_connection->policy & POLICY_UP)) {
|
|
||||||
/*
|
|
||||||
* Last IPsec SA for a permanent
|
|
||||||
* connection that we have initiated.
|
|
||||||
@@ -2162,7 +2163,12 @@ bool accept_delete(struct msg_digest *md,
|
|
||||||
md->v1_st = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (rc->newest_ipsec_sa == SOS_NOBODY) {
|
|
||||||
+ /*
|
|
||||||
+ * Either .newest_ipsec_sa matches DST
|
|
||||||
+ * and is cleared, or was never set.
|
|
||||||
+ */
|
|
||||||
+ struct connection *rc = connection_by_serialno(rc_serialno);
|
|
||||||
+ if (rc != NULL && rc->newest_ipsec_sa == SOS_NOBODY) {
|
|
||||||
dbg("%s() connection '%s' -POLICY_UP", __func__, rc->name);
|
|
||||||
rc->policy &= ~POLICY_UP;
|
|
||||||
if (!shared_phase1_connection(rc)) {
|
|
||||||
--
|
|
||||||
2.39.2
|
|
||||||
|
|
@ -36,8 +36,8 @@
|
|||||||
Name: libreswan
|
Name: libreswan
|
||||||
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
|
Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols
|
||||||
# version is generated in the release script
|
# version is generated in the release script
|
||||||
Version: 4.9
|
Version: 4.12
|
||||||
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}.2
|
Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist}.4
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Url: https://libreswan.org/
|
Url: https://libreswan.org/
|
||||||
|
|
||||||
@ -52,8 +52,9 @@ Patch1: libreswan-4.3-maintain-different-v1v2-split.patch
|
|||||||
Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch
|
Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch
|
||||||
Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
|
Patch3: libreswan-4.1-maintain-obsolete-keywords.patch
|
||||||
Patch6: libreswan-4.3-1934186-config.patch
|
Patch6: libreswan-4.3-1934186-config.patch
|
||||||
Patch7: libreswan-4.9-cve-2023-23009.patch
|
Patch7: libreswan-4.9-2176248-authby-rsasig.patch
|
||||||
Patch8: libreswan-4.9-2176248-authby-rsasig.patch
|
Patch8: libreswan-4.12-ikev2-auth-delete-state.patch
|
||||||
|
Patch9: libreswan-4.12-ikev1-compute-keymat-default.patch
|
||||||
|
|
||||||
BuildRequires: audit-libs-devel
|
BuildRequires: audit-libs-devel
|
||||||
BuildRequires: bison
|
BuildRequires: bison
|
||||||
@ -114,6 +115,7 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04
|
|||||||
%patch6 -p1
|
%patch6 -p1
|
||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
|
%patch9 -p1
|
||||||
|
|
||||||
# linking to freebl is not needed
|
# linking to freebl is not needed
|
||||||
sed -i "s/-lfreebl //" mk/config.mk
|
sed -i "s/-lfreebl //" mk/config.mk
|
||||||
@ -217,15 +219,28 @@ certutil -N -d sql:$tmpdir --empty-password
|
|||||||
%attr(0644,root,root) %doc %{_mandir}/*/*
|
%attr(0644,root,root) %doc %{_mandir}/*/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Apr 25 2023 Daiki Ueno <dueno@redhat.com> - 4.9-2.2
|
* Thu Jun 6 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.4
|
||||||
- Update libreswan-4.9-2176248-authby-rsasig.patch
|
- Fix CVE-2024-3652 (RHEL-32482)
|
||||||
|
|
||||||
* Fri Apr 14 2023 Daiki Ueno <dueno@redhat.com> - 4.9-2.1
|
* Wed Apr 17 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.3
|
||||||
- Resolves: rhbz#2187647 authby=rsasig fails in FIPS policy
|
- Bump release to ensure el8 package is greater than el8_* packages
|
||||||
|
|
||||||
* Tue Apr 4 2023 Daiki Ueno <dueno@redhat.com> - 4.9-2
|
* Tue Apr 16 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.2
|
||||||
- Fix CVE-2023-23009: remote DoS via crafted TS payload with an
|
- Fix patch application in the previous change
|
||||||
incorrect selector length (rhbz#2186127)
|
|
||||||
|
* Mon Apr 15 2024 Daiki Ueno <dueno@redhat.com> - 4.12-2.1
|
||||||
|
- Fix CVE-2024-2357 (RHEL-28742)
|
||||||
|
|
||||||
|
* Fri Aug 25 2023 Daiki Ueno <dueno@redhat.com> - 4.12-2
|
||||||
|
- Resolves: rhbz#2234731 authby=rsasig fails in FIPS policy
|
||||||
|
|
||||||
|
* Wed Aug 9 2023 Daiki Ueno <dueno@redhat.com> - 4.12-1
|
||||||
|
- Update to 4.12 to fix CVE-2023-38710, CVE-2023-38711, CVE-2023-38712
|
||||||
|
- Resolves: rhbz#2215955
|
||||||
|
|
||||||
|
* Thu May 04 2023 Sahana Prasad <sahana@redhat.com> - 4.9-2
|
||||||
|
- Fix CVE-2023-30570 Malicious IKEv1 Aggressive Mode packets can crash libreswan
|
||||||
|
- Resolves: rhbz#2187179
|
||||||
|
|
||||||
* Mon Jan 9 2023 Daiki Ueno <dueno@redhat.com> - 4.9-1
|
* Mon Jan 9 2023 Daiki Ueno <dueno@redhat.com> - 4.9-1
|
||||||
- Resolves: rhbz#2128672 Rebase libreswan to 4.9
|
- Resolves: rhbz#2128672 Rebase libreswan to 4.9
|
||||||
|
Loading…
Reference in New Issue
Block a user