upgrade to 5.9.7 version

2022-08-14 08:39:17 +08:00 · 2022-08-14 08:39:17 +08:00 · d133713afb
commit d133713afb
parent f2fba957e6
9 changed files with 35 additions and 296 deletions
--- a/CVE-2021-41990.patch
+++ b/CVE-2021-41990.patch
@ -1,56 +0,0 @@
 From 423a5d56274a1d343e0d2107dfc4fbf0df2dcca5 Mon Sep 17 00:00:00 2001
 From: Tobias Brunner <tobias@strongswan.org>
 Date: Tue, 28 Sep 2021 17:52:08 +0200
 Subject: [PATCH] Reject RSASSA-PSS params with negative salt length
 The `salt_len` member in the struct is of type `ssize_t` because we use
 negative values for special automatic salt lengths when generating
 signatures.
 Not checking this could lead to an integer overflow.  The value is assigned
 to the `len` field of a chunk (`size_t`), which is further used in
 calculations to check the padding structure and (if that is passed by a
 matching crafted signature value) eventually a memcpy() that will result
 in a segmentation fault.
 Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params")
 Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification")
 Fixes: CVE-2021-41990
 ---
 src/libstrongswan/credentials/keys/signature_params.c | 6 +++++-
 src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c    | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)
 diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c
 index d89bd2c96bb5..837de8443d43 100644
 --- a/src/libstrongswan/credentials/keys/signature_params.c
 +++ b/src/libstrongswan/credentials/keys/signature_params.c
@@ -322,7 +322,11 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params)
 			case RSASSA_PSS_PARAMS_SALT_LEN:
 				if (object.len)
 				{
 -					params->salt_len = (size_t)asn1_parse_integer_uint64(object);
 +					params->salt_len = (ssize_t)asn1_parse_integer_uint64(object);
 +					if (params->salt_len < 0)
 +					{
 +						goto end;
 +					}
 				}
 				break;
 			case RSASSA_PSS_PARAMS_TRAILER:
 diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
 index f9bd1d314dec..3a775090883e 100644
 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
 +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -168,7 +168,7 @@ static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this,
 	int i;
 	bool success = FALSE;
 -	if (!params)
 +	if (!params || params->salt_len < 0)
 	{
 		return FALSE;
 	}
 -- 
 2.25.1
--- a/CVE-2021-41991.patch
+++ b/CVE-2021-41991.patch
@ -1,35 +0,0 @@
 From b667237b3a84f601ef5a707ce8eb861c3a5002d3 Mon Sep 17 00:00:00 2001
 From: Tobias Brunner <tobias@strongswan.org>
 Date: Tue, 28 Sep 2021 19:38:22 +0200
 Subject: [PATCH] cert-cache: Prevent crash due to integer overflow/sign change
 random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually
 equaling INT_MAX = 2^31-1.  Previously, values between 0 and 31 were added
 directly to that offset before applying`% CACHE_SIZE` to get an index into
 the cache array.  If the random value was very high, this resulted in an
 integer overflow and a negative index value and, therefore, an out-of-bounds
 access of the array and in turn dereferencing invalid pointers when trying
 to acquire the read lock.  This most likely results in a segmentation fault.
 Fixes: 764e8b2211ce ("reimplemented certificate cache")
 Fixes: CVE-2021-41991
 ---
 src/libstrongswan/credentials/sets/cert_cache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
 index f1579c60a9bc..ceebb3843725 100644
 --- a/src/libstrongswan/credentials/sets/cert_cache.c
 +++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -151,7 +151,7 @@ static void cache(private_cert_cache_t *this,
 	for (try = 0; try < REPLACE_TRIES; try++)
 	{
 		/* replace a random relation */
 -		offset = random();
 +		offset = random() % CACHE_SIZE;
 		for (i = 0; i < CACHE_SIZE; i++)
 		{
 			rel = &this->relations[(i + offset) % CACHE_SIZE];
 -- 
 2.25.1
--- a/CVE-2021-45079.patch
+++ b/CVE-2021-45079.patch
@ -1,151 +0,0 @@
 From 76968cdd6b79f6ae40d674554e902ced192fd33e Mon Sep 17 00:00:00 2001
 From: Tobias Brunner <tobias@strongswan.org>
 Date: Tue, 14 Dec 2021 10:51:35 +0100
 Subject: [PATCH] eap-authenticator: Enforce failure if MSK generation fails
 Without this, the authentication succeeded if the server sent an early
 EAP-Success message for mutual, key-generating EAP methods like EAP-TLS,
 which may be used in EAP-only scenarios but would complete without server
 or client authentication.  For clients configured for such EAP-only
 scenarios, a rogue server could capture traffic after the tunnel is
 established or even access hosts behind the client.  For non-mutual EAP
 methods, public key server authentication has been enforced for a while.
 A server previously could also crash a client by sending an EAP-Success
 immediately without initiating an actual EAP method.
 Fixes: 0706c39cda52 ("added support for EAP methods not establishing an MSK")
 Fixes: CVE-2021-45079
 ---
 src/libcharon/plugins/eap_gtc/eap_gtc.c       |  2 +-
 src/libcharon/plugins/eap_md5/eap_md5.c       |  2 +-
 src/libcharon/plugins/eap_radius/eap_radius.c |  4 ++-
 src/libcharon/sa/eap/eap_method.h             |  8 ++++-
 .../ikev2/authenticators/eap_authenticator.c  | 32 ++++++++++++++++---
 5 files changed, 40 insertions(+), 8 deletions(-)
 diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c
 index 95ba090b79ce..cffb6222c2f8 100644
 --- a/src/libcharon/plugins/eap_gtc/eap_gtc.c
 +++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c
@@ -195,7 +195,7 @@ METHOD(eap_method_t, get_type, eap_type_t,
 METHOD(eap_method_t, get_msk, status_t,
 	private_eap_gtc_t *this, chunk_t *msk)
 {
 -	return FAILED;
 +	return NOT_SUPPORTED;
 }
 METHOD(eap_method_t, get_identifier, uint8_t,
 diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c
 index ab5f7ff6a823..3a92ad7c0a04 100644
 --- a/src/libcharon/plugins/eap_md5/eap_md5.c
 +++ b/src/libcharon/plugins/eap_md5/eap_md5.c
@@ -213,7 +213,7 @@ METHOD(eap_method_t, get_type, eap_type_t,
 METHOD(eap_method_t, get_msk, status_t,
 	private_eap_md5_t *this, chunk_t *msk)
 {
 -	return FAILED;
 +	return NOT_SUPPORTED;
 }
 METHOD(eap_method_t, is_mutual, bool,
 diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
 index 2dc7a423e702..5336dead13d9 100644
 --- a/src/libcharon/plugins/eap_radius/eap_radius.c
 +++ b/src/libcharon/plugins/eap_radius/eap_radius.c
@@ -733,7 +733,9 @@ METHOD(eap_method_t, get_msk, status_t,
 		*out = msk;
 		return SUCCESS;
 	}
 -	return FAILED;
 +	/* we assume the selected method did not establish an MSK, if it failed
 +	 * to establish one, process() would have failed */
 +	return NOT_SUPPORTED;
 }
 METHOD(eap_method_t, get_identifier, uint8_t,
 diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h
 index 0b5218dfec15..33564831f86e 100644
 --- a/src/libcharon/sa/eap/eap_method.h
 +++ b/src/libcharon/sa/eap/eap_method.h
@@ -114,10 +114,16 @@ struct eap_method_t {
 	 * Not all EAP methods establish a shared secret. For implementations of
 	 * the EAP-Identity method, get_msk() returns the received identity.
 	 *
 +	 * @note Returning NOT_SUPPORTED is important for implementations of EAP
 +	 * methods that don't establish an MSK.  In particular as client because
 +	 * key-generating EAP methods MUST fail to process EAP-Success messages if
 +	 * no MSK is established.
 +	 *
 	 * @param msk			chunk receiving internal stored MSK
 	 * @return
 -	 *						- SUCCESS, or
 +	 *						- SUCCESS, if MSK is established
 	 * 						- FAILED, if MSK not established (yet)
 +	 *						- NOT_SUPPORTED, for non-MSK-establishing methods
 	 */
 	status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
 diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
 index e1e6cd7ee6f3..87548fc471a6 100644
 --- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
 +++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
@@ -305,9 +305,17 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
 				this->method->destroy(this->method);
 				return server_initiate_eap(this, FALSE);
 			}
 -			if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
 +			switch (this->method->get_msk(this->method, &this->msk))
 			{
 -				this->msk = chunk_clone(this->msk);
 +				case SUCCESS:
 +					this->msk = chunk_clone(this->msk);
 +					break;
 +				case NOT_SUPPORTED:
 +					break;
 +				case FAILED:
 +				default:
 +					DBG1(DBG_IKE, "failed to establish MSK");
 +					goto failure;
 			}
 			if (vendor)
 			{
@@ -326,6 +334,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
 			return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
 		case FAILED:
 		default:
 +failure:
 			/* type might have changed for virtual methods */
 			type = this->method->get_type(this->method, &vendor);
 			if (vendor)
@@ -661,9 +670,24 @@ METHOD(authenticator_t, process_client, status_t,
 				uint32_t vendor;
 				auth_cfg_t *cfg;
 -				if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
 +				if (!this->method)
 				{
 -					this->msk = chunk_clone(this->msk);
 +					DBG1(DBG_IKE, "received unexpected %N",
 +						 eap_code_names, eap_payload->get_code(eap_payload));
 +					return FAILED;
 +				}
 +				switch (this->method->get_msk(this->method, &this->msk))
 +				{
 +					case SUCCESS:
 +						this->msk = chunk_clone(this->msk);
 +						break;
 +					case NOT_SUPPORTED:
 +						break;
 +					case FAILED:
 +					default:
 +						DBG1(DBG_IKE, "received %N but failed to establish MSK",
 +							 eap_code_names, eap_payload->get_code(eap_payload));
 +						return FAILED;
 				}
 				type = this->method->get_type(this->method, &vendor);
 				if (vendor)
 -- 
 2.25.1
--- a/fix-use-of-uninitialized-value.patch
+++ b/fix-use-of-uninitialized-value.patch
@ -1,25 +0,0 @@
 From 25fb99653f3f7c7ba5279beb00379089987cca50 Mon Sep 17 00:00:00 2001
 From: caodongxia <315816521@qq.com>
 Date: Wed, 1 Sep 2021 15:13:18 +0800
 Subject: [PATCH] fix use of uninitialized value
 ---
 src/libstrongswan/bio/bio_reader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/libstrongswan/bio/bio_reader.c b/src/libstrongswan/bio/bio_reader.c
 index e6b459b..2ae629e 100644
 --- a/src/libstrongswan/bio/bio_reader.c
 +++ b/src/libstrongswan/bio/bio_reader.c
@@ -122,7 +122,7 @@ static bool read_uint16_internal(private_bio_reader_t *this, uint16_t *res,
 static bool read_uint24_internal(private_bio_reader_t *this, uint32_t *res,
 								 bool from_end)
 {
 -	uint32_t tmp;
 +	uint32_t tmp = 0;
 	if (this->buf.len < 3)
 	{
 -- 
 2.27.0
--- a/remove-warning-no-format.patch
+++ b/remove-warning-no-format.patch
@ -0,0 +1,15 @@
 diff --git a/configure.ac b/configure.ac
 index dd9d128c1..2b9fa8139 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -1455,8 +1455,8 @@ if test x$warnings = xtrue; then
 fi
 # disable some warnings, whether explicitly enabled above or by default
 # these are not compatible with our custom printf specifiers
 -WARN_CFLAGS="$WARN_CFLAGS -Wno-format"
 -WARN_CFLAGS="$WARN_CFLAGS -Wno-format-security"
 +#WARN_CFLAGS="$WARN_CFLAGS -Wno-format"
 +#WARN_CFLAGS="$WARN_CFLAGS -Wno-format-security"
 # we generally use comments, but GCC doesn't seem to recognize many of them
 WARN_CFLAGS="$WARN_CFLAGS -Wno-implicit-fallthrough"
 # we often omit fields when initializing structs (e.g. when using INIT)
--- a/strongswan-5.7.2.tar.bz2
+++ b/strongswan-5.7.2.tar.bz2
--- a/strongswan-5.9.7.tar.bz2
+++ b/strongswan-5.9.7.tar.bz2
--- a/strongswan-multiple-definition.patch
+++ b/strongswan-multiple-definition.patch
@ -1,11 +0,0 @@
 --- ./src/swanctl/swanctl.h.xiugai	2021-08-03 19:08:13.634660548 +0800
 +++ ./src/swanctl/swanctl.h	2021-08-03 19:08:30.770825041 +0800
@@ -30,7 +30,7 @@
 /**
  * Base directory for credentials and config
  */
 -char *swanctl_dir;
 +extern char *swanctl_dir;
 /**
  * Configuration file for connections, etc.
--- a/strongswan.spec
+++ b/strongswan.spec
@ -1,24 +1,21 @@
 Name:             strongswan
-Version:          5.7.2
+Version:          5.9.7
-Release:          11
+Release:          1
 Summary:          An OpenSource IPsec-based VPN and TNC solution
 License:          GPLv2+
 URL:              http://www.strongswan.org/
 Source0:          http://download.strongswan.org/strongswan-%{version}.tar.bz2
-Patch0:	          strongswan-multiple-definition.patch
+Patch0:           remove-warning-no-format.patch
 Patch1:           fix-use-of-uninitialized-value.patch
 Patch2:           CVE-2021-41990.patch
 Patch3:           CVE-2021-41991.patch
 Patch4:           CVE-2021-45079.patch
-
+BuildRequires:    gcc chrpath autoconf automake libtool tpm2-abrmd
-BuildRequires:    gcc systemd-devel gmp-devel libcurl-devel NetworkManager-libnm-devel openldap-devel
+BuildRequires:    systemd-devel gmp-devel libcurl-devel NetworkManager-libnm-devel openldap-devel
 BuildRequires:    openssl-devel sqlite-devel gettext-devel trousers-devel libxml2-devel pam-devel
-BuildRequires:    json-c-devel libgcrypt-devel systemd-devel iptables-devel chrpath
+BuildRequires:    json-c-devel libgcrypt-devel systemd-devel iptables-devel tpm2-tss-devel tpm2-abrmd-devel
 Requires(post):   systemd
 Requires(preun):  systemd
 Requires(postun): systemd
 Requires:         tpm2-abrmd
 %description
 The strongSwan IPsec implementation supports both the IKEv1 and IKEv2 key exchange
@ -65,9 +62,11 @@ PT-TLS to support TNC over TLS.
 %autosetup -n %{name}-%{version} -p1
 %build
-%configure --disable-static --with-ipsec-script=strongswan --sysconfdir=%{_sysconfdir}/strongswan \
+autoreconf -i
-           --with-ipsecdir=%{_libexecdir}/strongswan --bindir=%{_libexecdir}/strongswan \
+%configure --bindir=%{_libexecdir}/strongswan --sysconfdir=%{_sysconfdir}/strongswan \
-           --with-ipseclibdir=%{_libdir}/strongswan --with-fips-mode=2 --enable-bypass-lan \
+           --with-ipsecdir=%{_libexecdir}/strongswan --with-ipseclibdir=%{_libdir}/strongswan \
           --with-ipsec-script=ipsec --with-fips-mode=2 \
           --disable-static \
           --enable-tss-trousers --enable-nm --enable-systemd --enable-openssl --enable-unity \
           --enable-ctr --enable-ccm --enable-gcm --enable-chapoly --enable-md4 --enable-gcrypt \
           --enable-newhope --enable-xauth-eap --enable-xauth-pam --enable-xauth-noauth \
@ -81,7 +80,7 @@ PT-TLS to support TNC over TLS.
           --enable-imv-attestation --enable-imv-os --enable-imc-os --enable-imc-swid --enable-imv-swid \
           --enable-imc-swima --enable-imv-swima --enable-imc-hcd --enable-imv-hcd --enable-curl \
           --enable-cmd --enable-acert --enable-aikgen --enable-vici --enable-swanctl --enable-duplicheck \
-           --enable-kernel-libipsec \
+           --enable-kernel-libipsec --enable-bypass-lan \
 %ifarch x86_64 %{ix86}
           --enable-aesni
 %endif
@ -95,7 +94,7 @@ make %{?_smp_mflags}
 %install
 %make_install
-mv %{buildroot}%{_sysconfdir}/strongswan/dbus-1 %{buildroot}%{_sysconfdir}/
+mv %{buildroot}%{_datadir}/dbus-1 %{buildroot}%{_sysconfdir}/
 # prefix man pages
 for i in %{buildroot}%{_mandir}/*/*; do
    if echo "$i" | grep -vq '/strongswan[^\/]*$'; then
@ -107,7 +106,7 @@ rm -rf %{buildroot}%{_libdir}/strongswan/*.so
 chmod 644 %{buildroot}%{_sysconfdir}/strongswan/strongswan.conf
 install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d
-install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/{aacerts acerts cacerts certs crls ocspcerts private reqs}
+install -d -m 700 %{buildroot}%{_sysconfdir}/strongswan/ipsec.d/{aacerts,acerts,cacerts,certs,crls,ocspcerts,private,reqs}
 %delete_la
@ -141,10 +140,10 @@ echo "%{_libdir}/strongswan" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.co
 %dir %{_libdir}/strongswan/plugins
 %dir %{_libexecdir}/strongswan
 %{_unitdir}/strongswan.service
-%{_unitdir}/strongswan-swanctl.service
+%{_unitdir}/strongswan-starter.service
 %{_sbindir}/charon-cmd
 %{_sbindir}/charon-systemd
-%{_sbindir}/strongswan
+%{_sbindir}/ipsec
 %{_sbindir}/swanctl
 %{_libdir}/strongswan/*.so.*
 %exclude %{_libdir}/strongswan/libimcv.so.*
@ -190,6 +189,9 @@ echo "%{_libdir}/strongswan" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.co
 %{_libexecdir}/strongswan/charon-nm
 %changelog
 * Sat Aug 13 2022 openhosec <openhosec@hosec.net> - 5.9.7-1
 - Upgrade to 5.9.7 version
 * Tue Feb 08 2022 wangkai <wangkai385@huawei.com> - 5.7.2-11
 - fix CVE-2021-45079