packages/strongswan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!43 Upgrade to 5.9.7 version

Browse Source 
From: @openhosec 
Reviewed-by: @gwei3 
Signed-off-by: @gwei3
This commit is contained in:
openeuler-ci-bot 2022-08-25 07:51:39 +00:00 committed by Gitee
commit 3953a7e3a9
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
9 changed files with 35 additions and 296 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
CVE-2021-41990.patch
View File

@ -1,56 +0,0 @@
From 423a5d56274a1d343e0d2107dfc4fbf0df2dcca5 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 28 Sep 2021 17:52:08 +0200
Subject: [PATCH] Reject RSASSA-PSS params with negative salt length
The `salt_len` member in the struct is of type `ssize_t` because we use
negative values for special automatic salt lengths when generating
signatures.
Not checking this could lead to an integer overflow. The value is assigned
to the `len` field of a chunk (`size_t`), which is further used in
calculations to check the padding structure and (if that is passed by a
matching crafted signature value) eventually a memcpy() that will result
in a segmentation fault.
Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params")
Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification")
Fixes: CVE-2021-41990
---
src/libstrongswan/credentials/keys/signature_params.c | 6 +++++-
src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 2 +-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c
index d89bd2c96bb5..837de8443d43 100644
--- a/src/libstrongswan/credentials/keys/signature_params.c
+++ b/src/libstrongswan/credentials/keys/signature_params.c
@@ -322,7 +322,11 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params)
case RSASSA_PSS_PARAMS_SALT_LEN:
if (object.len)
{
- params->salt_len = (size_t)asn1_parse_integer_uint64(object);
+ params->salt_len = (ssize_t)asn1_parse_integer_uint64(object);
+ if (params->salt_len < 0)
+ {
+ goto end;
+ }
}
break;
case RSASSA_PSS_PARAMS_TRAILER:
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index f9bd1d314dec..3a775090883e 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -168,7 +168,7 @@ static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this,
int i;
bool success = FALSE;
- if (!params)
+ if (!params || params->salt_len < 0)
{
return FALSE;
}
--
2.25.1

35
CVE-2021-41991.patch
View File

@ -1,35 +0,0 @@
From b667237b3a84f601ef5a707ce8eb861c3a5002d3 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 28 Sep 2021 19:38:22 +0200
Subject: [PATCH] cert-cache: Prevent crash due to integer overflow/sign change
random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually
equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added
directly to that offset before applying`% CACHE_SIZE` to get an index into
the cache array. If the random value was very high, this resulted in an
integer overflow and a negative index value and, therefore, an out-of-bounds
access of the array and in turn dereferencing invalid pointers when trying
to acquire the read lock. This most likely results in a segmentation fault.
Fixes: 764e8b2211ce ("reimplemented certificate cache")
Fixes: CVE-2021-41991
---
src/libstrongswan/credentials/sets/cert_cache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index f1579c60a9bc..ceebb3843725 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -151,7 +151,7 @@ static void cache(private_cert_cache_t *this,
for (try = 0; try < REPLACE_TRIES; try++)
{
/* replace a random relation */
- offset = random();
+ offset = random() % CACHE_SIZE;
for (i = 0; i < CACHE_SIZE; i++)
{
rel = &this->relations[(i + offset) % CACHE_SIZE];
--
2.25.1

151
CVE-2021-45079.patch
View File

@ -1,151 +0,0 @@
From 76968cdd6b79f6ae40d674554e902ced192fd33e Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 14 Dec 2021 10:51:35 +0100
Subject: [PATCH] eap-authenticator: Enforce failure if MSK generation fails
Without this, the authentication succeeded if the server sent an early
EAP-Success message for mutual, key-generating EAP methods like EAP-TLS,
which may be used in EAP-only scenarios but would complete without server
or client authentication. For clients configured for such EAP-only
scenarios, a rogue server could capture traffic after the tunnel is
established or even access hosts behind the client. For non-mutual EAP
methods, public key server authentication has been enforced for a while.
A server previously could also crash a client by sending an EAP-Success
immediately without initiating an actual EAP method.
Fixes: 0706c39cda52 ("added support for EAP methods not establishing an MSK")
Fixes: CVE-2021-45079
---
src/libcharon/plugins/eap_gtc/eap_gtc.c | 2 +-
src/libcharon/plugins/eap_md5/eap_md5.c | 2 +-
src/libcharon/plugins/eap_radius/eap_radius.c | 4 ++-
src/libcharon/sa/eap/eap_method.h | 8 ++++-
.../ikev2/authenticators/eap_authenticator.c | 32 ++++++++++++++++---
5 files changed, 40 insertions(+), 8 deletions(-)
diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c
index 95ba090b79ce..cffb6222c2f8 100644
--- a/src/libcharon/plugins/eap_gtc/eap_gtc.c
+++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c
@@ -195,7 +195,7 @@ METHOD(eap_method_t, get_type, eap_type_t,
METHOD(eap_method_t, get_msk, status_t,
private_eap_gtc_t *this, chunk_t *msk)
{
- return FAILED;
+ return NOT_SUPPORTED;
}
METHOD(eap_method_t, get_identifier, uint8_t,
diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c
index ab5f7ff6a823..3a92ad7c0a04 100644
--- a/src/libcharon/plugins/eap_md5/eap_md5.c
+++ b/src/libcharon/plugins/eap_md5/eap_md5.c
@@ -213,7 +213,7 @@ METHOD(eap_method_t, get_type, eap_type_t,
METHOD(eap_method_t, get_msk, status_t,
private_eap_md5_t *this, chunk_t *msk)
{
- return FAILED;
+ return NOT_SUPPORTED;
}
METHOD(eap_method_t, is_mutual, bool,
diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
index 2dc7a423e702..5336dead13d9 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -733,7 +733,9 @@ METHOD(eap_method_t, get_msk, status_t,
*out = msk;
return SUCCESS;
}
- return FAILED;
+ /* we assume the selected method did not establish an MSK, if it failed
+ * to establish one, process() would have failed */
+ return NOT_SUPPORTED;
}
METHOD(eap_method_t, get_identifier, uint8_t,
diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h
index 0b5218dfec15..33564831f86e 100644
--- a/src/libcharon/sa/eap/eap_method.h
+++ b/src/libcharon/sa/eap/eap_method.h
@@ -114,10 +114,16 @@ struct eap_method_t {
* Not all EAP methods establish a shared secret. For implementations of
* the EAP-Identity method, get_msk() returns the received identity.
*
+ * @note Returning NOT_SUPPORTED is important for implementations of EAP
+ * methods that don't establish an MSK. In particular as client because
+ * key-generating EAP methods MUST fail to process EAP-Success messages if
+ * no MSK is established.
+ *
* @param msk chunk receiving internal stored MSK
* @return
- * - SUCCESS, or
+ * - SUCCESS, if MSK is established
* - FAILED, if MSK not established (yet)
+ * - NOT_SUPPORTED, for non-MSK-establishing methods
*/
status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
index e1e6cd7ee6f3..87548fc471a6 100644
--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
@@ -305,9 +305,17 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
this->method->destroy(this->method);
return server_initiate_eap(this, FALSE);
}
- if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
+ switch (this->method->get_msk(this->method, &this->msk))
{
- this->msk = chunk_clone(this->msk);
+ case SUCCESS:
+ this->msk = chunk_clone(this->msk);
+ break;
+ case NOT_SUPPORTED:
+ break;
+ case FAILED:
+ default:
+ DBG1(DBG_IKE, "failed to establish MSK");
+ goto failure;
}
if (vendor)
{
@@ -326,6 +334,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
case FAILED:
default:
+failure:
/* type might have changed for virtual methods */
type = this->method->get_type(this->method, &vendor);
if (vendor)
@@ -661,9 +670,24 @@ METHOD(authenticator_t, process_client, status_t,
uint32_t vendor;
auth_cfg_t *cfg;
- if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
+ if (!this->method)
{
- this->msk = chunk_clone(this->msk);
+ DBG1(DBG_IKE, "received unexpected %N",
+ eap_code_names, eap_payload->get_code(eap_payload));
+ return FAILED;
+ }
+ switch (this->method->get_msk(this->method, &this->msk))
+ {
+ case SUCCESS:
+ this->msk = chunk_clone(this->msk);
+ break;
+ case NOT_SUPPORTED:
+ break;
+ case FAILED:
+ default:
+ DBG1(DBG_IKE, "received %N but failed to establish MSK",
+ eap_code_names, eap_payload->get_code(eap_payload));
+ return FAILED;
}
type = this->method->get_type(this->method, &vendor);
if (vendor)
--
2.25.1

25
fix-use-of-uninitialized-value.patch
View File

@ -1,25 +0,0 @@
From 25fb99653f3f7c7ba5279beb00379089987cca50 Mon Sep 17 00:00:00 2001
From: caodongxia <315816521@qq.com>
Date: Wed, 1 Sep 2021 15:13:18 +0800
Subject: [PATCH] fix use of uninitialized value
---
src/libstrongswan/bio/bio_reader.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libstrongswan/bio/bio_reader.c b/src/libstrongswan/bio/bio_reader.c
index e6b459b..2ae629e 100644
--- a/src/libstrongswan/bio/bio_reader.c
+++ b/src/libstrongswan/bio/bio_reader.c
@@ -122,7 +122,7 @@ static bool read_uint16_internal(private_bio_reader_t *this, uint16_t *res,
static bool read_uint24_internal(private_bio_reader_t *this, uint32_t *res,
bool from_end)
{
- uint32_t tmp;
+ uint32_t tmp = 0;
if (this->buf.len < 3)
{
--
2.27.0

15
remove-warning-no-format.patch Normal file
View File

@ -0,0 +1,15 @@
diff --git a/configure.ac b/configure.ac
index dd9d128c1..2b9fa8139 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1455,8 +1455,8 @@ if test x$warnings = xtrue; then
fi
# disable some warnings, whether explicitly enabled above or by default
# these are not compatible with our custom printf specifiers
-WARN_CFLAGS="$WARN_CFLAGS -Wno-format"
-WARN_CFLAGS="$WARN_CFLAGS -Wno-format-security"
+#WARN_CFLAGS="$WARN_CFLAGS -Wno-format"
+#WARN_CFLAGS="$WARN_CFLAGS -Wno-format-security"
# we generally use comments, but GCC doesn't seem to recognize many of them
WARN_CFLAGS="$WARN_CFLAGS -Wno-implicit-fallthrough"
# we often omit fields when initializing structs (e.g. when using INIT)

BIN
strongswan-5.7.2.tar.bz2
View File

Binary file not shown.

BIN
strongswan-5.9.7.tar.bz2 Normal file
View File

Binary file not shown.

11
strongswan-multiple-definition.patch
View File

@ -1,11 +0,0 @@
--- ./src/swanctl/swanctl.h.xiugai 2021-08-03 19:08:13.634660548 +0800
+++ ./src/swanctl/swanctl.h 2021-08-03 19:08:30.770825041 +0800
@@ -30,7 +30,7 @@
/**
* Base directory for credentials and config
*/
-char *swanctl_dir;
+extern char *swanctl_dir;
/**
* Configuration file for connections, etc.

38
strongswan.spec
View File

@ -1,24 +1,21 @@
Name: strongswan
Version: 5.7.2
Release: 11
Version: 5.9.7
Release: 1
Summary: An OpenSource IPsec-based VPN and TNC solution
License: GPLv2+
URL: http://www.strongswan.org/
Source0: http://download.strongswan.org/strongswan-%{version}.tar.bz2
Patch0: strongswan-multiple-definition.patch
Patch1: fix-use-of-uninitialized-value.patch
Patch2: CVE-2021-41990.patch
Patch3: CVE-2021-41991.patch
Patch4: CVE-2021-45079.patch
Patch0: remove-warning-no-format.patch
BuildRequires: gcc systemd-devel gmp-devel libcurl-devel NetworkManager-libnm-devel openldap-devel
BuildRequires: gcc chrpath autoconf automake libtool tpm2-abrmd
BuildRequires: systemd-devel gmp-devel libcurl-devel NetworkManager-libnm-devel openldap-devel
BuildRequires: openssl-devel sqlite-devel gettext-devel trousers-devel libxml2-devel pam-devel
BuildRequires: json-c-devel libgcrypt-devel systemd-devel iptables-devel chrpath
BuildRequires: json-c-devel libgcrypt-devel systemd-devel iptables-devel tpm2-tss-devel tpm2-abrmd-devel
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
Requires: tpm2-abrmd
%description
The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange
@ -65,9 +62,11 @@ PT-TLS to support TNC over TLS.
%autosetup -n %{name}-%{version} -p1
%build
%configure --disable-static --with-ipsec-script=strongswan --sysconfdir=%{_sysconfdir}/strongswan \
--with-ipsecdir=%{_libexecdir}/strongswan --bindir=%{_libexecdir}/strongswan \
--with-ipseclibdir=%{_libdir}/strongswan --with-fips-mode=2 --enable-bypass-lan \
autoreconf -i
%configure --bindir=%{_libexecdir}/strongswan --sysconfdir=%{_sysconfdir}/strongswan \
--with-ipsecdir=%{_libexecdir}/strongswan --with-ipseclibdir=%{_libdir}/strongswan \
--with-ipsec-script=ipsec --with-fips-mode=2 \
--disable-static \
--enable-tss-trousers --enable-nm --enable-systemd --enable-openssl --enable-unity \
--enable-ctr --enable-ccm --enable-gcm --enable-chapoly --enable-md4 --enable-gcrypt \
--enable-newhope --enable-xauth-eap --enable-xauth-pam --enable-xauth-noauth \
@ -81,7 +80,7 @@ PT-TLS to support TNC over TLS.
--enable-imv-attestation --enable-imv-os --enable-imc-os --enable-imc-swid --enable-imv-swid \
--enable-imc-swima --enable-imv-swima --enable-imc-hcd --enable-imv-hcd --enable-curl \
--enable-cmd --enable-acert --enable-aikgen --enable-vici --enable-swanctl --enable-duplicheck \
--enable-kernel-libipsec \
--enable-kernel-libipsec --enable-bypass-lan \
%ifarch x86_64 %{ix86}
--enable-aesni
%endif
@ -95,7 +94,7 @@ make %{?_smp_mflags}
%install
%make_install
mv %{buildroot}%{_sysconfdir}/strongswan/dbus-1 %{buildroot}%{_sysconfdir}/
mv %{buildroot}%{_datadir}/dbus-1 %{buildroot}%{_sysconfdir}/
# prefix man pages
for i in %{buildroot}%{_mandir}/*/*; do
if echo "$i" | grep -vq '/strongswan[^\/]*$'; then
@ -107,7 +106,7 @@ rm -rf %{buildroot}%{_libdir}/strongswan/*.so
chmod 644 %{buildroot}%{_sysconfdir}/strongswan/strongswan.conf
install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d
install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/{aacerts acerts cacerts certs crls ocspcerts private reqs}
install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/{aacerts,acerts,cacerts,certs,crls,ocspcerts,private,reqs}
%delete_la
@ -141,10 +140,10 @@ echo "%{_libdir}/strongswan" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.co
%dir %{_libdir}/strongswan/plugins
%dir %{_libexecdir}/strongswan
%{_unitdir}/strongswan.service
%{_unitdir}/strongswan-swanctl.service
%{_unitdir}/strongswan-starter.service
%{_sbindir}/charon-cmd
%{_sbindir}/charon-systemd
%{_sbindir}/strongswan
%{_sbindir}/ipsec
%{_sbindir}/swanctl
%{_libdir}/strongswan/*.so.*
%exclude %{_libdir}/strongswan/libimcv.so.*
@ -190,6 +189,9 @@ echo "%{_libdir}/strongswan" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.co
%{_libexecdir}/strongswan/charon-nm
%changelog
* Sat Aug 13 2022 openhosec <openhosec@hosec.net> - 5.9.7-1
- Upgrade to 5.9.7 version
* Tue Feb 08 2022 wangkai <wangkai385@huawei.com> - 5.7.2-11
- fix CVE-2021-45079