From fadffa6d6064b800ccc79142f57c79b50bd142758aea08bc05f19949c18a5d0d Mon Sep 17 00:00:00 2001
From: Marius Tomaschewski
Date: Mon, 5 Jan 2015 13:04:19 +0000
Subject: [PATCH] - Disallow brainpool elliptic curve groups in fips mode (bnc#856322). [* strongswan_fipsfilter.patch] - Applied an upstream fix for a denial-of-service vulnerability, which can be triggered by an IKEv2 Key Exchange payload, that contains the Diffie-Hellman group 1025 (bsc#910491,CVE-2014-9221). [+ 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch] - Adjusted whilelist of approved algorithms in fips mode (bsc#856322). [* strongswan_fipsfilter.patch] - Renamed patch file to match it's patch number: [- 0001-restore-registration-algorithm-order.bug897512.patch, + 0005-restore-registration-algorithm-order.bug897512.patch]
OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=84
---
...gistration-algorithm-order.bug897512.patch | 0
....1.2-5.2.1_modp_custom.CVE-2014-9221.patch | 166 ++++++++++++++++++
strongswan.changes | 19 ++
strongswan.spec | 6 +-
strongswan_fipsfilter.patch | 36 ++--
5 files changed, 208 insertions(+), 19 deletions(-)
rename 0001-restore-registration-algorithm-order.bug897512.patch => 0005-restore-registration-algorithm-order.bug897512.patch (100%)
create mode 100644 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch
diff --git a/0001-restore-registration-algorithm-order.bug897512.patch b/0005-restore-registration-algorithm-order.bug897512.patch
similarity index 100%
rename from 0001-restore-registration-algorithm-order.bug897512.patch
rename to 0005-restore-registration-algorithm-order.bug897512.patch
diff --git a/0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch b/0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch
new file mode 100644
index 0000000..aa3ff37
--- /dev/null
+++ b/0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch
@@ -0,0 +1,166 @@
+From a78ecdd47509626711a13481f53696e01d4b8c62 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Mon, 1 Dec 2014 17:21:59 +0100
+Subject: [PATCH] crypto: Define MODP_CUSTOM outside of IKE DH range
+References: bsc#910491,CVE-2014-9221
+Upstream: yes
+
+Before this fix it was possible to crash charon with an IKE_SA_INIT
+message containing a KE payload with DH group MODP_CUSTOM(1025).
+Defining MODP_CUSTOM outside of the two byte IKE DH identifier range
+prevents it from getting negotiated.
+
+Fixes CVE-2014-9221 in version 5.1.2 and newer.
+---
+ src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 2 +-
+ src/libstrongswan/crypto/diffie_hellman.c | 11 ++++++-----
+ src/libstrongswan/crypto/diffie_hellman.h | 6 ++++--
+ src/libstrongswan/plugins/gcrypt/gcrypt_dh.c | 2 +-
+ src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c | 2 +-
+ src/libstrongswan/plugins/ntru/ntru_ke.c | 2 +-
+ src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c | 2 +-
+ src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c | 2 +-
+ src/libstrongswan/plugins/pkcs11/pkcs11_dh.c | 2 +-
+ 9 files changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+index 67db5e6d87d6..836e0b7f088d 100644
+--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
++++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+@@ -41,7 +41,7 @@ struct private_tkm_diffie_hellman_t {
+ /**
+ * Diffie Hellman group number.
+ */
+- u_int16_t group;
++ diffie_hellman_group_t group;
+
+ /**
+ * Diffie Hellman public value.
+diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
+index bada1c529951..ac106e9c4d45 100644
+--- a/src/libstrongswan/crypto/diffie_hellman.c
++++ b/src/libstrongswan/crypto/diffie_hellman.c
+@@ -42,15 +42,16 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_512_BP, ECP_521_BIT,
+ "ECP_256_BP",
+ "ECP_384_BP",
+ "ECP_512_BP");
+-ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_512_BP,
+- "MODP_NULL",
+- "MODP_CUSTOM");
+-ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_CUSTOM,
++ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_512_BP,
++ "MODP_NULL");
++ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_NULL,
+ "NTRU_112",
+ "NTRU_128",
+ "NTRU_192",
+ "NTRU_256");
+-ENUM_END(diffie_hellman_group_names, NTRU_256_BIT);
++ENUM_NEXT(diffie_hellman_group_names, MODP_CUSTOM, MODP_CUSTOM, NTRU_256_BIT,
++ "MODP_CUSTOM");
++ENUM_END(diffie_hellman_group_names, MODP_CUSTOM);
+
+
+ /**
+diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
+index 105db22f14d4..d5161d077bb2 100644
+--- a/src/libstrongswan/crypto/diffie_hellman.h
++++ b/src/libstrongswan/crypto/diffie_hellman.h
+@@ -63,12 +63,14 @@ enum diffie_hellman_group_t {
+ /** insecure NULL diffie hellman group for testing, in PRIVATE USE */
+ MODP_NULL = 1024,
+ /** MODP group with custom generator/prime */
+- MODP_CUSTOM = 1025,
+ /** Parameters defined by IEEE 1363.1, in PRIVATE USE */
+ NTRU_112_BIT = 1030,
+ NTRU_128_BIT = 1031,
+ NTRU_192_BIT = 1032,
+- NTRU_256_BIT = 1033
++ NTRU_256_BIT = 1033,
++ /** internally used DH group with additional parameters g and p, outside
++ * of PRIVATE USE (i.e. IKEv2 DH group range) so it can't be negotiated */
++ MODP_CUSTOM = 65536,
+ };
+
+ /**
+diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
+index f418b941db86..299865da2e09 100644
+--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
++++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
+@@ -35,7 +35,7 @@ struct private_gcrypt_dh_t {
+ /**
+ * Diffie Hellman group number
+ */
+- u_int16_t group;
++ diffie_hellman_group_t group;
+
+ /*
+ * Generator value
+diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+index b74d35169f44..9936f7e4518f 100644
+--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
++++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+@@ -42,7 +42,7 @@ struct private_gmp_diffie_hellman_t {
+ /**
+ * Diffie Hellman group number.
+ */
+- u_int16_t group;
++ diffie_hellman_group_t group;
+
+ /*
+ * Generator value.
+diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c
+index abaa22336221..e64f32b91d0e 100644
+--- a/src/libstrongswan/plugins/ntru/ntru_ke.c
++++ b/src/libstrongswan/plugins/ntru/ntru_ke.c
+@@ -56,7 +56,7 @@ struct private_ntru_ke_t {
+ /**
+ * Diffie Hellman group number.
+ */
+- u_int16_t group;
++ diffie_hellman_group_t group;
+
+ /**
+ * NTRU Parameter Set
+diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+index ff3382473666..1e68ac59b838 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
++++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+@@ -38,7 +38,7 @@ struct private_openssl_diffie_hellman_t {
+ /**
+ * Diffie Hellman group number.
+ */
+- u_int16_t group;
++ diffie_hellman_group_t group;
+
+ /**
+ * Diffie Hellman object
+diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+index b487d59a59a3..50853d6f0bde 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
++++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+@@ -40,7 +40,7 @@ struct private_openssl_ec_diffie_hellman_t {
+ /**
+ * Diffie Hellman group number.
+ */
+- u_int16_t group;
++ diffie_hellman_group_t group;
+
+ /**
+ * EC private (public) key
+diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
+index 36cc284bf2b5..23b63d2386af 100644
+--- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
++++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
+@@ -47,7 +47,7 @@ struct private_pkcs11_dh_t {
+ /**
+ * Diffie Hellman group number.
+ */
+- u_int16_t group;
++ diffie_hellman_group_t group;
+
+ /**
+ * Handle for own private value
+--
+1.9.1
+
diff --git a/strongswan.changes b/strongswan.changes
index eb5afb9..cfb2771 100644
--- a/strongswan.changes
+++ b/strongswan.changes
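Review bot: In the diffie_hellman.h part of the added patch, removing `MODP_CUSTOM = 1025,` leaves its doc comment `/** MODP group with custom generator/prime */` behind, so it now sits directly above the NTRU comment and no longer documents any enumerator; it should go with the line it described. The fix holds only because 65536 cannot be encoded in the two-byte DH group field, and the new comment would serve maintainers better if it stated that invariant outright, e.g. `/** internal only; must stay above 0xFFFF so it can never be parsed from a KE payload */`. The seven `u_int16_t group` members switched to `diffie_hellman_group_t` follow from the same point: any other 16-bit holder of a group value, if one exists outside these hunks, would truncate MODP_CUSTOM to 0, so the remaining users of the type are worth checking before release.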
@@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Wed Dec 17 10:15:23 UTC 2014 - mt@suse.de + +- Disallow brainpool elliptic curve groups in fips mode (bnc#856322). + [* strongswan_fipsfilter.patch] + +------------------------------------------------------------------- +Thu Dec 11 10:21:01 UTC 2014 - mt@suse.de + +- Applied an upstream fix for a denial-of-service vulnerability, + which can be triggered by an IKEv2 Key Exchange payload, that + contains the Diffie-Hellman group 1025 (bsc#910491,CVE-2014-9221). + [+ 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch] +- Adjusted whilelist of approved algorithms in fips mode (bsc#856322). + [* strongswan_fipsfilter.patch] +- Renamed patch file to match it's patch number: + [- 0001-restore-registration-algorithm-order.bug897512.patch, + + 0005-restore-registration-algorithm-order.bug897512.patch] + ------------------------------------------------------------------- Tue Nov 25 11:22:06 UTC 2014 - mt@suse.de diff --git a/strongswan.spec b/strongswan.spec index 0807214..e99aee5 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,7 +1,7 @@ # # spec file for package strongswan # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -82,7 +82,8 @@ Patch2: %{name}_ipsec_service.patch Patch3: %{name}_fipscheck.patch Patch4: %{name}_fipsfilter.patch %endif -Patch5: 0001-restore-registration-algorithm-order.bug897512.patch +Patch5: 0005-restore-registration-algorithm-order.bug897512.patch +Patch6: 0006-strongswan-5.1.2-5.2.1_modp_custom.CVE-2014-9221.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: curl-devel 
@@ -294,6 +295,7 @@ and the load testing plugin for IKEv2 daemon. %patch4 -p1 %endif %patch5 -p1 +%patch6 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init diff --git a/strongswan_fipsfilter.patch b/strongswan_fipsfilter.patch index 81eee37..3e4a2bd 100644 --- a/strongswan_fipsfilter.patch +++ b/strongswan_fipsfilter.patch @@ -1,5 +1,12 @@ +From aa709f291994a74271271b6dd61563cc3844e3ad Mon Sep 17 00:00:00 2001 +From: Marius Tomaschewski +Date: Tue, 16 Dec 2014 23:19:20 +0100 +Subject: [PATCH] strongswan: filter algorithms for fips mode + +References: fate#316931,bnc#856322 + diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c -index 2ecdb4f..85767ab 100644 +index 2ecdb4f..a858162 100644 --- a/src/libcharon/config/proposal.c +++ b/src/libcharon/config/proposal.c @@ -26,6 +26,11 @@ @@ -14,7 +21,7 @@ index 2ecdb4f..85767ab 100644 ENUM(protocol_id_names, PROTO_NONE, PROTO_IPCOMP, "PROTO_NONE", -@@ -185,6 +190,130 @@ METHOD(proposal_t, strip_dh, void, +@@ -185,6 +190,122 @@ METHOD(proposal_t, strip_dh, void, enumerator->destroy(enumerator); } @@ -104,24 +111,16 @@ index 2ecdb4f..85767ab 100644 + case DIFFIE_HELLMAN_GROUP: + switch (alg) + { -+ case MODP_1024_BIT: -+ case MODP_1536_BIT: + case MODP_2048_BIT: + case MODP_3072_BIT: + case MODP_4096_BIT: + case MODP_8192_BIT: -+ case MODP_1024_160: + case MODP_2048_224: + case MODP_2048_256: -+ case ECP_192_BIT: + case ECP_224_BIT: + case ECP_256_BIT: + case ECP_384_BIT: + case ECP_521_BIT: -+ case ECP_224_BP: -+ case ECP_256_BP: -+ case ECP_384_BP: -+ case ECP_512_BP: + return TRUE; + default: + break; @@ -145,7 +144,7 @@ index 2ecdb4f..85767ab 100644 /** * Select a matching proposal from this and other, insert into selected. */ -@@ -500,6 +629,11 @@ static bool add_string_algo(private_proposal_t *this, const char *alg) +@@ -500,6 +621,11 @@ static bool add_string_algo(private_proposal_t *this, const char *alg) return FALSE; } 
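Review bot: The trimmed DH whitelist in the `DIFFIE_HELLMAN_GROUP` case (hunk `-104,24 +111,16` of strongswan_fipsfilter.patch) accepts the 2048-, 3072-, 4096- and 8192-bit MODP groups but has no entry for the 6144-bit one (`MODP_6144_BIT` in strongSwan's group enum, not shown on this page), so in FIPS mode that group is filtered out while both of its neighbours pass. If the omission is not deliberate, add `case MODP_6144_BIT:` between the 4096 and 8192 entries. The switch also carries no comment stating the rule the list implements; a line such as `/* FIPS mode: MODP >= 2048 bit and NIST ECP >= 224 bit only, no brainpool curves */` above the case labels would let later edits be checked against it. The enclosing filter function starts and ends outside this hunk.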
@@ -157,7 +156,7 @@ index 2ecdb4f..85767ab 100644 add_algorithm(this, token->type, token->algorithm, token->keysize); return TRUE; -@@ -639,6 +773,8 @@ static void proposal_add_supported_ike(private_proposal_t *this) +@@ -639,6 +765,8 @@ static void proposal_add_supported_ike(private_proposal_t *this) enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) { @@ -166,7 +165,7 @@ index 2ecdb4f..85767ab 100644 switch (encryption) { case ENCR_AES_CBC: -@@ -665,6 +801,9 @@ static void proposal_add_supported_ike(private_proposal_t *this) +@@ -665,6 +793,9 @@ static void proposal_add_supported_ike(private_proposal_t *this) enumerator = lib->crypto->create_aead_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) { @@ -176,7 +175,7 @@ index 2ecdb4f..85767ab 100644 switch (encryption) { case ENCR_AES_CCM_ICV8: -@@ -690,6 +829,8 @@ static void proposal_add_supported_ike(private_proposal_t *this) +@@ -690,6 +821,8 @@ static void proposal_add_supported_ike(private_proposal_t *this) enumerator = lib->crypto->create_signer_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &integrity, &plugin_name)) { @@ -185,7 +184,7 @@ index 2ecdb4f..85767ab 100644 switch (integrity) { case AUTH_HMAC_SHA1_96: -@@ -710,6 +851,8 @@ static void proposal_add_supported_ike(private_proposal_t *this) +@@ -710,6 +843,8 @@ static void proposal_add_supported_ike(private_proposal_t *this) enumerator = lib->crypto->create_prf_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &prf, &plugin_name)) { 
@@ -194,7 +193,7 @@ index 2ecdb4f..85767ab 100644 switch (prf) { case PRF_HMAC_SHA1: -@@ -730,6 +873,8 @@ static void proposal_add_supported_ike(private_proposal_t *this) +@@ -730,6 +865,8 @@ static void proposal_add_supported_ike(private_proposal_t *this) enumerator = lib->crypto->create_dh_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &group, &plugin_name)) { @@ -203,7 +202,7 @@ index 2ecdb4f..85767ab 100644 switch (group) { case MODP_NULL: -@@ -776,31 +921,35 @@ proposal_t *proposal_create_default(protocol_id_t protocol) +@@ -776,31 +913,35 @@ proposal_t *proposal_create_default(protocol_id_t protocol) { private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0); @@ -252,3 +251,6 @@ index 2ecdb4f..85767ab 100644 return &this->public; } +-- +2.2.0 +