From 8cfc35877a4dc087f5d48ca811fcec714f16125e28d78793d4aa3da4f32d9315 Mon Sep 17 00:00:00 2001 
From: Nirmoy Das Date: Tue, 1 Aug 2017 07:21:05 +0000 Subject: [PATCH 1/2] Accepting request 513652 from home:ndas:branches:network:vpn - Updated to strongSwan 5.3.5 providing the following changes: *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation when verifying RSA signatures. More specifically, mpz_powm_sec() has two requirements regarding the passed exponent and modulus that the plugin did not enforce, if these are not met the calculation will result in a floating point exception that crashes the whole process. This vulnerability has been registered as CVE-2017-9022. Please refer to our blog for details. *Fixed a DoS vulnerability in the x509 plugin that was caused because the ASN.1 parser didn't handle ASN.1 CHOICE types properly, which could result in an infinite loop when parsing X.509 extensions that use such types. This vulnerability has been registered as CVE-2017-9023. Please refer to our blog for details. *The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid traffic loss. When responding to a CREATE_CHILD_SA request to rekey a CHILD_SA the responder already has everything available to install and use the new CHILD_SA. However, this could lead to lost traffic as the initiator won't be able to process inbound packets until it processed the CREATE_CHILD_SA response and updated the inbound SA. To avoid this the responder now only installs the new inbound SA and delays installing the outbound SA until it receives the DELETE for the replaced CHILD_SA. *The messages transporting these DELETEs could reach the peer before packets sent with the deleted outbound SAs reach it. To reduce the chance of traffic loss due to this the inbound SA of the replaced CHILD_SA is not removed for a configurable amount of seconds (charon.delete_rekeyed_delay) after the DELETE has been processed. 
*The code base has been ported to Apple's ARM64 iOS platform, which required several changes regarding the use of variadic functions. This was necessary because the calling conventions for variadic and regular functions are different there. This means that assigning a non-variadic function to a variadic function pointer, as we did with our enumerator_t::enumerate() implementations and several callbacks, will result in crashes as the called function accesses the arguments differently than the OBS-URL: https://build.opensuse.org/request/show/513652 OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=99 --- ...-retransmit-Aggressive-Mode-response.patch | 27 +++++ ...Fix-RSA-signature-verification-for-m.patch | 49 +++++++++ strongswan-5.3.5.tar.bz2 | 3 - strongswan-5.3.5.tar.bz2.sig | 14 --- ....5-rpmlintrc => strongswan-5.5.3-rpmlintrc | 0 strongswan-5.5.3.tar.bz2 | 3 + strongswan-5.5.3.tar.bz2.sig | 14 +++ strongswan.changes | 82 ++++++++++++++ strongswan.spec | 30 ++++- strongswan_fipscheck.patch | 26 +++-- strongswan_fipsfilter.patch | 103 +++++++++++------- 11 files changed, 275 insertions(+), 76 deletions(-) create mode 100644 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch create mode 100644 0006-Fix-RSA-signature-verification-for-m.patch delete mode 100644 strongswan-5.3.5.tar.bz2 delete mode 100644 strongswan-5.3.5.tar.bz2.sig rename strongswan-5.3.5-rpmlintrc => strongswan-5.5.3-rpmlintrc (100%) create mode 100644 strongswan-5.5.3.tar.bz2 create mode 100644 strongswan-5.5.3.tar.bz2.sig diff --git a/0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch b/0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch new file mode 100644 index 0000000..9e428b2 --- /dev/null +++ b/0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch 
@@ -0,0 +1,27 @@
+From 4e16732c1c668c27e73574724d2d90537a74f67a Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Fri, 17 Jun 2016 18:19:48 +0200
+Subject: [PATCH] ikev1: Don't retransmit Aggressive Mode response
+
+These could theoretically be used for an amplified DDoS attack.
+---
+ src/libcharon/sa/ikev1/task_manager_v1.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
+index 48ec3e7..0912555 100644
+--- a/src/libcharon/sa/ikev1/task_manager_v1.c
++++ b/src/libcharon/sa/ikev1/task_manager_v1.c
+@@ -770,8 +770,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
+ continue;
+ case NEED_MORE:
+ /* processed, but task needs another exchange */
+- if (task->get_type(task) == TASK_QUICK_MODE ||
+- task->get_type(task) == TASK_AGGRESSIVE_MODE)
++ if (task->get_type(task) == TASK_QUICK_MODE)
+ { /* we rely on initiator retransmission, except for
+ * three-message exchanges */
+ expect_request = TRUE;
+--
+2.13.2
+
diff --git a/0006-Fix-RSA-signature-verification-for-m.patch b/0006-Fix-RSA-signature-verification-for-m.patch
new file mode 100644
index 0000000..92f9410
--- /dev/null
+++ b/0006-Fix-RSA-signature-verification-for-m.patch
@@ -0,0 +1,49 @@
+iFrom ed282e9a463c068146c945984fdea7828e663861 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Mon, 29 May 2017 11:59:34 +0200
+Subject: [PATCH] gmp: Fix RSA signature verification for m >= n
+
+By definition, m must be <= n-1, we didn't enforce that and because
+mpz_export() returns NULL if the passed value is zero a crash could have
+been triggered with m == n.
+
+Fixes CVE-2017-11185.
+---
+ src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+index 32a72ac9600b..a741f85d4f62 100644
+--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
++++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+@@ -78,11 +78,17 @@ static chunk_t rsaep(private_gmp_rsa_public_key_t *this, chunk_t data)
+ mpz_t m, c;
+ chunk_t encrypted;
+
+- mpz_init(c);
+ mpz_init(m);
+-
+ mpz_import(m, data.len, 1, 1, 1, 0, data.ptr);
+
++ if (mpz_cmp_ui(m, 0) <= 0 || mpz_cmp(m, this->n) >= 0)
++ { /* m must be <= n-1, but 0 is a valid value, doesn't really make sense
++ * here, though */
++ mpz_clear(m);
++ return chunk_empty;
++ }
++
++ mpz_init(c);
+ mpz_powm(c, m, this->e, this->n);
+
+ encrypted.len = this->k;
+@@ -150,7 +156,7 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this,
+ */
+
+ /* check magic bytes */
+- if (*(em.ptr) != 0x00 || *(em.ptr+1) != 0x01)
++ if (em.len < 2 || *(em.ptr) != 0x00 || *(em.ptr+1) != 0x01)
+ {
+ goto end;
+ }
+--
+2.7.4
diff --git a/strongswan-5.3.5.tar.bz2 b/strongswan-5.3.5.tar.bz2
deleted file mode 100644
index 4bf4c4b..0000000
--- a/strongswan-5.3.5.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2c84b663da652b1ff180a1a73c24a3d7b9fc4b9b8ba6bd07f94a1e33092e6350
-size 4415297
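Review bot: The first line of the new patch file reads `+iFrom ed282e9a463c068146c945984fdea7828e663861 Mon Sep 17 00:00:00 2001` — the stray leading `i` (it looks like an editor insert-mode artefact, and it is present in both the add here and the later delete) corrupts the git mail header. `%patch6 -p1` still applies the file because GNU patch skips preamble text, but anything that keys on a `From <sha>` first line (git am, quilt header parsing, provenance checks) will not recognise upstream commit ed282e9a. Change the line to `From ed282e9a463c068146c945984fdea7828e663861 Mon Sep 17 00:00:00 2001`. Note that the second commit on this page (request 514548) deletes this file again, presumably because 5.5.3 already carries the upstream fix, and at the same time drops the strongswan.changes line naming bsc#1051222 / CVE-2017-11185; the changes entry should keep one line stating that the CVE is covered by the 5.5.3 update rather than lose the record entirely.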
diff --git a/strongswan-5.3.5.tar.bz2.sig b/strongswan-5.3.5.tar.bz2.sig
deleted file mode 100644
index d4209df..0000000
--- a/strongswan-5.3.5.tar.bz2.sig
+++ /dev/null
@@ -1,14 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQGcBAABAgAGBQJWVtUVAAoJEN9CwXCzTbp3dpUL/j5Dio8w6LbKtCf4QRItnG2/
-3U6apa56nxDWD3rpnN20OjSUzgulMIOjv/ZtRuruRPGWoFwrG6WzrsY/0ZrV929J
-hSmEVuu6qgt/2i/OJdBUHfNGbhJ9JbTXGMxnWUp38mr4SasZlzHZAxbiKmnKXKtO
-H5XebtVFR0/yNBPkv6wcJID/vFhJxfWpU2dblvVfSVo9VgV7lXkD0W+S++LJDTVo
-PgV/a8NZEFswLIZCPct4i3QBYCDkCiS5MGlGCa+xltPYdLpwQUqhEBUkvF8yur7K
-hnpT9cLk/gMSfFQmSOoN/31yx+ZSHTGR75QEh0pXRvo+oLJse7tw5/MJOHEJu+Hp
-c/0iVL7qSIXbX5DBF3c03nG3ZdWcVQW32VEp//mC5yEpqFz28dlNSpVwWHLMym/D
-kddiJjkZGCm7jBaPWTHSq2l8y9zdQzyHNNQ0HUpchUcpCn7B2nQO4tDSz3AFBECT
-32LKSXnpRb7BAnIW/TZhZqWs1WzbQHogUF+wx+Rl6w==
-=+fm3
------END PGP SIGNATURE-----
diff --git a/strongswan-5.3.5-rpmlintrc b/strongswan-5.5.3-rpmlintrc
similarity index 100%
rename from strongswan-5.3.5-rpmlintrc
rename to strongswan-5.5.3-rpmlintrc
diff --git a/strongswan-5.5.3.tar.bz2 b/strongswan-5.5.3.tar.bz2
new file mode 100644
index 0000000..e778b5e
--- /dev/null
+++ b/strongswan-5.5.3.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c5ea54b199174708de11af9b8f4ecf28b5b0743d4bc0e380e741f25b28c0f8d4
+size 4768820
diff --git a/strongswan-5.5.3.tar.bz2.sig b/strongswan-5.5.3.tar.bz2.sig
new file mode 100644
index 0000000..ff05da8
--- /dev/null
+++ b/strongswan-5.5.3.tar.bz2.sig
@@ -0,0 +1,14 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQGcBAABAgAGBQJZK+1/AAoJEN9CwXCzTbp3vvAMAJ6SQBu+q41eol6inaXmD1k2
+pwLgBYgMa/TG3dhvX2PxkpypratmYLY96GOy8WFP58/7z2gJL63SjCjN8MaNSZ7V
+UemJD5sEqu3lKGhR+q3Vsz/7xTBWYJSNoE1m/AdwftR6oF0CcIQLgrkjQa1OiU71
+SNqb2KFOafsSFicmhW44tdG9YFx56pzuoOgZhfDNEC9kMBKf7/rMpUeqAxsZah1I
+fETj26gYKPMZAzFdZJvcVLMT70WaHkDU3Oo3/UfIKrucLm+uvYjcrzQnP00laLvx
+LdgjuHXjXixrV92XzWCsa9Bbc39kmz2cBYlm6JPLfyON1x/DtUBdIoRcuO9y8nek
+HAiO8rLG0vyQsbhiaW5TJ6wfR/uyNGhKCIyabU90Nmo0dzVMlb5ro/1q0XcQM5Dl
+D4+FGErM3UdeDu0gj2klr1TyXwdOF6ZdlOtRBwRVH69mFz7o22Q6eGiw9o3Yf+9b
+cJCpzSQXEgZybV8XSYOzGnY9cVeD4Il4FxgYuxViXg==
+=9WTk
+-----END PGP SIGNATURE-----
diff --git a/strongswan.changes b/strongswan.changes
index a484b60..2f0467a 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,85 @@ +------------------------------------------------------------------- +Mon Jul 31 18:30:28 CEST 2017 - ndas@suse.de + +- Updated to strongSwan 5.3.5 providing the following changes: + *Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input + validation when verifying RSA signatures. More specifically, mpz_powm_sec() has two + requirements regarding the passed exponent and modulus that the plugin did not + enforce, if these are not met the calculation will result in a floating point exception + that crashes the whole process. + This vulnerability has been registered as CVE-2017-9022. + Please refer to our blog for details. + + *Fixed a DoS vulnerability in the x509 plugin that was caused because the ASN.1 parser + didn't handle ASN.1 CHOICE types properly, which could result in an infinite loop when + parsing X.509 extensions that use such types. + This vulnerability has been registered as CVE-2017-9023. + Please refer to our blog for details. + + *The behavior during IKEv2 CHILD_SA rekeying has been changed in order to avoid + traffic loss. When responding to a CREATE_CHILD_SA request to rekey a CHILD_SA + the responder already has everything available to install and use the new CHILD_SA. + However, this could lead to lost traffic as the initiator won't be able to process + inbound packets until it processed the CREATE_CHILD_SA response and updated the + inbound SA. To avoid this the responder now only installs the new inbound SA and + delays installing the outbound SA until it receives the DELETE for the replaced CHILD_SA. + + *The messages transporting these DELETEs could reach the peer before packets sent + with the deleted outbound SAs reach it. To reduce the chance of traffic loss due + to this the inbound SA of the replaced CHILD_SA is not removed for a configurable + amount of seconds (charon.delete_rekeyed_delay) after the DELETE has been processed. 
+ + *The code base has been ported to Apple's ARM64 iOS platform, which required several + changes regarding the use of variadic functions. This was necessary because the calling + conventions for variadic and regular functions are different there. + This means that assigning a non-variadic function to a variadic function pointer, as we + did with our enumerator_t::enumerate() implementations and several callbacks, will + result in crashes as the called function accesses the arguments differently than the + caller provided them. To avoid this issue the enumerator_t interface has been changed + and the signature of the callback functions for enumerator_create_filter() and two + methods on linked_list_t have been changed. Refer to the developer notes below + for details. + + *Adds support for fuzzing the certificate parser provided by the default plugins + (x509, pem, gmp etc.) on Google's OSS-Fuzz infrastructure (or generally with + libFuzzer). Several issues found while fuzzing these plugins were fixed. + + *Two new options have been added to charon's retransmission settings: + retransmit_limit and retransmit_jitter. The former adds an upper limit to the + calculated retransmission timeout, the latter randomly reduces it. + Refer to Retransmission for details. + + *A bug in swanctl's --load-creds command was fixed that caused unencrypted + private keys to get unloaded if the command was called multiple times. + The load-key VICI command now returns the key ID of the loaded key on success. + + *The credential manager now enumerates local credential sets before global ones. + This means certificates supplied by the peer will now be preferred over certificates + with the same identity that may be locally stored (e.g. in the certificate cache). + + *Adds support for hardware offload of IPsec SAs as introduced by Linux 4.11 for + specific hardware that supports this. + + *The pki tool loads the curve25519 plugin by default. 
+ [- 0006-Make-sure-the-modulus-is-odd-and-the-exponent-not-zero.patch, + - 0007-asn1-parser-Fix-CHOICE-parsing.patch] +- libhydra is removed as all kernel plugins moved to libcharon +- Fix RSA signature verification for m >= n (bsc#1051222 CVE-2017-11185) + [+ 0006-Fix-RSA-signature-verification-for-m.patch] + +------------------------------------------------------------------- +Tue May 23 14:25:32 CEST 2017 - ndas@suse.de + +- Applied patch for "Don't retransmit Aggressive Mode response" + bsc#985012. +- Applied upstream patch for "Insufficient Input Validation in gmp Plugin" + bsc#1039514(CVE-2017-9022). +- Applied upstream patch for "Incorrect x509 ASN.1 parser error handling" + bsc#1039515(CVE-2017-9023). + [+0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch, + +0006-Make-sure-the-modulus-is-odd-and-the-exponent-not-zero.patch, + +0007-asn1-parser-Fix-CHOICE-parsing.patch] + ------------------------------------------------------------------- Mon Jul 4 12:00:00 UTC 2016 - doug@uq.edu.au diff --git a/strongswan.spec b/strongswan.spec index 93050d9..1b0cf60 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -1,7 +1,7 @@ # # spec file for package strongswan # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: strongswan -Version: 5.3.5 +Version: 5.5.3 Release: 0 %define upstream_version %{version} %define strongswan_docdir %{_docdir}/%{name} @@ -82,6 +82,8 @@ Patch2: %{name}_ipsec_service.patch Patch3: %{name}_fipscheck.patch Patch4: %{name}_fipsfilter.patch %endif +Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch +Patch6: 0006-Fix-RSA-signature-verification-for-m.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: curl-devel 
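Review bot: `Patch5:` and `Patch6:` are added (hunk `@@ -82,6 +82,8 @@`) without the `# PATCH-FIX-UPSTREAM <file> <bug ref> -- <summary>` comment openSUSE specs use to record a patch's origin and status, while the bug references only live in strongswan.changes (bsc#985012 for 0005, bsc#1051222 / CVE-2017-11185 for 0006). Adding e.g. `# PATCH-FIX-UPSTREAM 0006-Fix-RSA-signature-verification-for-m.patch bsc#1051222 CVE-2017-11185 -- upstream ed282e9a, rsaep: reject m >= n` above `Patch6:` (and the equivalent for 0005) keeps the security-fix provenance in the spec itself. Also, the changes entry written for the `-Version: 5.3.5` / `+Version: 5.5.3` bump in this same commit is headed `Updated to strongSwan 5.3.5`, i.e. the old version; it should say 5.5.3.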
@@ -289,9 +291,11 @@ and the load testing plugin for IKEv2 daemon. %patch1 -p0 %patch2 -p0 %if %{with fipscheck} -%patch3 -p0 +%patch3 -p1 %patch4 -p1 %endif +%patch5 -p1 +%patch6 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init @@ -566,13 +570,14 @@ fi %{_libexecdir}/ipsec/_fipscheck %{_libexecdir}/ipsec/.*.hmac %{_sbindir}/.ipsec.hmac - %endif %files ipsec %defattr(-,root,root) %config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.conf %config(noreplace) %attr(600,root,root) %{_sysconfdir}/ipsec.secrets +%config(noreplace) %attr(600,root,root) %{_sysconfdir}/swanctl/swanctl.conf +%dir %{_sysconfdir}/swanctl %dir %{_sysconfdir}/ipsec.d %dir %{_sysconfdir}/ipsec.d/crls %dir %{_sysconfdir}/ipsec.d/reqs @@ -584,6 +589,7 @@ fi %dir %attr(700,root,root) %{_sysconfdir}/ipsec.d/private %if %{with systemd} %{_unitdir}/strongswan.service +%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf %{_sbindir}/rcstrongswan %else %config %{_sysconfdir}/init.d/ipsec @@ -591,6 +597,7 @@ fi %endif %{_bindir}/pki %{_sbindir}/ipsec +%{_sbindir}/swanctl %{_mandir}/man1/pki*.1* %{_mandir}/man8/ipsec.8* %{_mandir}/man5/ipsec.conf.5* @@ -626,6 +633,8 @@ fi %{strongswan_docdir}/AUTHORS %{strongswan_docdir}/ChangeLog %{_mandir}/man8/scepclient.8* +%{_mandir}/man5/swanctl.conf.5.* +%{_mandir}/man8/swanctl.8.* %files libs0 %defattr(-,root,root) 
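Review bot: `%{_sysconfdir}/dbus-1/system.d/nm-strongswan-service.conf` is added inside the `%if %{with systemd}` branch of `%files ipsec` (hunk `@@ -584,6 +589,7 @@`), but a D-Bus system-bus policy has nothing to do with systemd; it decides who may own and call the NetworkManager plugin's bus name. If that plugin is built regardless of the systemd option, a non-systemd build leaves the file unpackaged, and the conditional hides a security-relevant file from anyone scanning the list — I cannot see the configure flags from here, so confirm which option actually gates the plugin and list the file under that one, or unconditionally. Separately, the new man-page globs `%{_mandir}/man5/swanctl.conf.5.*` and `%{_mandir}/man8/swanctl.8.*` require a character after the section number while the neighbouring entries (`%{_mandir}/man8/ipsec.8*`, `%{_mandir}/man1/pki*.1*`) do not; `%{_mandir}/man8/swanctl.8*` and `%{_mandir}/man5/swanctl.conf.5*` match the file's style.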
@@ -643,8 +652,11 @@ fi %config(noreplace) %attr(600,root,root) %{strongswan_configs}/scepclient.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/starter.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/tnc.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/swanctl.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/addrblock.conf %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/aes.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/curve25519.conf +%config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/vici.conf %if %{with afalg} %config(noreplace) %attr(600,root,root) %{strongswan_configs}/charon/af-alg.conf %endif @@ -739,7 +751,10 @@ fi %{strongswan_libdir}/libchecksum.so %endif %{strongswan_libdir}/libcharon.so.* -%{strongswan_libdir}/libhydra.so.* +%{strongswan_libdir}/libtpmtss.so.* +%{strongswan_libdir}/libtpmtss.so +%{strongswan_libdir}/libvici.so +%{strongswan_libdir}/libvici.so.* %{strongswan_libdir}/libpttls.so.* %{strongswan_libdir}/libradius.so.* %{strongswan_libdir}/libsimaka.so.* @@ -842,6 +857,8 @@ fi %{strongswan_plugins}/libstrongswan-xauth-generic.so %{strongswan_plugins}/libstrongswan-xauth-pam.so %{strongswan_plugins}/libstrongswan-xcbc.so +%{strongswan_plugins}/libstrongswan-curve25519.so +%{strongswan_plugins}/libstrongswan-vici.so %dir %{strongswan_datadir} %dir %{strongswan_templates} %dir %{strongswan_templates}/config @@ -942,6 +959,8 @@ fi %{strongswan_templates}/config/plugins/xauth-generic.conf %{strongswan_templates}/config/plugins/xauth-pam.conf %{strongswan_templates}/config/plugins/xcbc.conf +%{strongswan_templates}/config/plugins/curve25519.conf +%{strongswan_templates}/config/plugins/vici.conf %{strongswan_templates}/config/strongswan.d/charon-logging.conf %{strongswan_templates}/config/strongswan.d/charon.conf %{strongswan_templates}/config/strongswan.d/imcv.conf 
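Review bot: The unversioned `%{strongswan_libdir}/libtpmtss.so` and `%{strongswan_libdir}/libvici.so` are listed in `%files libs0` next to their `.so.*` runtime names (hunk `@@ -739,7 +751,10 @@`), while every other library in that list ships only the versioned `.so.*`, as did the removed `libhydra.so.*`. The plain `.so` name is the link-time symlink; under the shared-library packaging policy it belongs in a `-devel` subpackage (or stays unpackaged if no headers are shipped), and rpmlint's devel-file-in-non-devel-package check will likely flag it here. Keep `%{strongswan_libdir}/libtpmtss.so.*` and `%{strongswan_libdir}/libvici.so.*` in libs0 and move the two bare `.so` lines; I cannot see whether this spec defines a -devel package, so confirm where they should go.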
@@ -950,6 +969,7 @@ fi %{strongswan_templates}/config/strongswan.d/scepclient.conf %{strongswan_templates}/config/strongswan.d/starter.conf %{strongswan_templates}/config/strongswan.d/tnc.conf +%{strongswan_templates}/config/strongswan.d/swanctl.conf %{strongswan_templates}/database/imv/data.sql %{strongswan_templates}/database/imv/tables.sql diff --git a/strongswan_fipscheck.patch b/strongswan_fipscheck.patch index 18839be..50bfb3f 100644 --- a/strongswan_fipscheck.patch +++ b/strongswan_fipscheck.patch @@ -1,8 +1,10 @@ ---- src/ipsec/_ipsec.in -+++ src/ipsec/_ipsec.in -@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCR +diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in +index ea399b8..ea8ed8a 100644 +--- a/src/ipsec/_ipsec.in ++++ b/src/ipsec/_ipsec.in +@@ -46,6 +46,26 @@ IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity o - IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland" + command_dir="$IPSEC_DIR" +fipscheck() +{ @@ -27,7 +29,7 @@ case "$1" in '') echo "$IPSEC_SCRIPT command [arguments]" -@@ -155,6 +175,7 @@ rereadall|purgeocsp|listcounters|resetcounters) +@@ -153,6 +173,7 @@ rereadall|purgeocsp|listcounters|resetcounters) shift if [ -e $IPSEC_CHARON_PID ] then @@ -35,7 +37,7 @@ $IPSEC_STROKE "$op" "$@" rc="$?" fi -@@ -164,6 +185,7 @@ purgeike|purgecrls|purgecerts) +@@ -162,6 +183,7 @@ purgeike|purgecrls|purgecerts) rc=7 if [ -e $IPSEC_CHARON_PID ] then @@ -43,7 +45,7 @@ $IPSEC_STROKE "$1" rc="$?" fi -@@ -197,6 +219,7 @@ route|unroute) +@@ -195,6 +217,7 @@ route|unroute) fi if [ -e $IPSEC_CHARON_PID ] then @@ -51,7 +53,7 @@ $IPSEC_STROKE "$op" "$1" rc="$?" fi -@@ -206,6 +229,7 @@ secrets) +@@ -204,6 +227,7 @@ secrets) rc=7 if [ -e $IPSEC_CHARON_PID ] then @@ -59,7 +61,7 @@ $IPSEC_STROKE rereadsecrets rc="$?" fi -@@ -213,6 +237,7 @@ secrets) +@@ -211,6 +235,7 @@ secrets) ;; start) shift 
@@ -67,7 +69,7 @@ if [ -d /var/lock/subsys ]; then touch /var/lock/subsys/ipsec fi -@@ -286,6 +311,7 @@ up) +@@ -289,6 +314,7 @@ up) rc=7 if [ -e $IPSEC_CHARON_PID ] then @@ -75,7 +77,7 @@ $IPSEC_STROKE up "$1" rc="$?" fi -@@ -325,6 +351,11 @@ esac +@@ -338,6 +364,11 @@ esac cmd="$1" shift @@ -84,6 +86,6 @@ +*) fipscheck || exit $? ;; +esac + - path="$IPSEC_DIR/$cmd" + path="$command_dir/$cmd" if [ ! -x "$path" ] diff --git a/strongswan_fipsfilter.patch b/strongswan_fipsfilter.patch index 94b5db0..f523913 100644 --- a/strongswan_fipsfilter.patch +++ b/strongswan_fipsfilter.patch @@ -5,11 +5,20 @@ Subject: [PATCH] strongswan: filter algorithms for fips mode References: fate#316931,bnc#856322 +From 818cd5f1b6455237a82f385b60a2513cdd9c5eef Mon Sep 17 00:00:00 2001 +From: Nirmoy Das +Date: Mon, 17 Jul 2017 15:15:14 +0200 +Subject: [PATCH] strongswan_fipsfilter + +--- + src/libcharon/config/proposal.c | 184 +++++++++++++++++++++++++++++++++++----- + 1 file changed, 165 insertions(+), 19 deletions(-) + diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c -index e59dcd9..f07f4a2 100644 +index 6c71f78..0640140 100644 --- a/src/libcharon/config/proposal.c +++ b/src/libcharon/config/proposal.c -@@ -26,6 +26,11 @@ +@@ -27,6 +27,11 @@ #include #include #include @@ -21,7 +30,7 @@ index e59dcd9..f07f4a2 100644 ENUM(protocol_id_names, PROTO_NONE, PROTO_IPCOMP, "PROTO_NONE", -@@ -185,6 +190,122 @@ METHOD(proposal_t, strip_dh, void, +@@ -190,6 +195,122 @@ METHOD(proposal_t, strip_dh, void, enumerator->destroy(enumerator); } @@ -144,7 +153,7 @@ index e59dcd9..f07f4a2 100644 /** * Select a matching proposal from this and other, insert into selected. */ -@@ -502,6 +623,11 @@ static bool add_string_algo(private_proposal_t *this, const char *alg) +@@ -611,6 +732,11 @@ static bool add_string_algo(private_proposal_t *this, const char *alg) return FALSE; } 
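Review bot: The first fipsfilter hunk (`@@ -5,11 +5,20 @@`) inserts a complete second git mail header — `From 818cd5f1b6455237a82f385b60a2513cdd9c5eef …`, `From: Nirmoy Das`, `Subject: [PATCH] strongswan_fipsfilter`, a diffstat — directly after the existing `Subject: [PATCH] strongswan: filter algorithms for fips mode` / `References: fate#316931,bnc#856322` preamble, so the patch file now carries two headers, and the new one has a less descriptive subject and no bug references. GNU patch ignores preamble text, so `%patch4 -p1` still applies, but a reader has to work out which header actually describes the patch. Keep a single header: drop the inserted `From`/`From:`/`Date:`/`Subject:` block and, if the local commit id is worth recording, add one line such as `Rebased onto 5.5.3 (local commit 818cd5f1)` beneath the original `References:` line.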
@@ -156,7 +165,7 @@ index e59dcd9..f07f4a2 100644 add_algorithm(this, token->type, token->algorithm, token->keysize); return TRUE; -@@ -643,6 +769,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) +@@ -753,6 +879,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) enumerator = lib->crypto->create_aead_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) { @@ -165,8 +174,8 @@ index e59dcd9..f07f4a2 100644 + switch (encryption) { - case ENCR_AES_CCM_ICV8: -@@ -675,6 +804,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) + case ENCR_AES_GCM_ICV16: +@@ -806,6 +935,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) { @@ -176,7 +185,7 @@ index e59dcd9..f07f4a2 100644 switch (encryption) { case ENCR_AES_CBC: -@@ -706,6 +838,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) +@@ -850,6 +982,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) enumerator = lib->crypto->create_signer_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &integrity, &plugin_name)) { @@ -185,8 +194,8 @@ index e59dcd9..f07f4a2 100644 + switch (integrity) { - case AUTH_HMAC_SHA1_96: -@@ -727,6 +862,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) + case AUTH_HMAC_SHA2_256_128: +@@ -905,6 +1040,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) enumerator = lib->crypto->create_prf_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &prf, &plugin_name)) { 
@@ -196,7 +205,7 @@ index e59dcd9..f07f4a2 100644 switch (prf) { case PRF_HMAC_SHA1: -@@ -747,6 +885,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) +@@ -964,6 +1102,9 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) enumerator = lib->crypto->create_dh_enumerator(lib->crypto); while (enumerator->enumerate(enumerator, &group, &plugin_name)) { @@ -206,7 +215,7 @@ index e59dcd9..f07f4a2 100644 switch (group) { case MODP_NULL: -@@ -795,6 +936,10 @@ proposal_t *proposal_create_default(protocol_id_t protocol) +@@ -1004,6 +1145,10 @@ proposal_t *proposal_create_default(protocol_id_t protocol) { private_proposal_t *this = (private_proposal_t*)proposal_create(protocol, 0); 
@@ -217,48 +226,58 @@ index e59dcd9..f07f4a2 100644 switch (protocol) { case PROTO_IKE: -@@ -805,25 +950,28 @@ proposal_t *proposal_create_default(protocol_id_t protocol) +@@ -1014,31 +1159,32 @@ proposal_t *proposal_create_default(protocol_id_t protocol) } break; case PROTO_ESP: -- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); -- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192); -- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256); -- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0); -- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256); -- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); -- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); -- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); -- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); -+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); -+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192); -+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256); -+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0); -+ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256); -+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); -+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); -+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); -+ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); +- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); +- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192); +- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256); +- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0); +- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0); +- 
add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); +- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); ++ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); ++ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192); ++ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256); ++ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0); ++ fips_add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); ++ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); break; case PROTO_AH: -- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); -- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); -- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); -- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); -+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); -+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); -+ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); -+ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, 
AUTH_HMAC_SHA2_512_256, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); +- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); +- add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); ++ fips_add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); ++ fips_add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); break; default: break; } -+ +#undef fips_add_algorithm -+ return &this->public; } -- -2.2.1 +2.13.2 From 339326d8bca6a42c1f4178137439a734e55b434ce50eded5ec71f06320bd3742 Mon Sep 17 00:00:00 2001 From: Nirmoy Das Date: Fri, 4 Aug 2017 11:47:37 +0000 Subject: [PATCH 2/2] Accepting request 514548 from home:ndas:branches:network:vpn OBS-URL: https://build.opensuse.org/request/show/514548 OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=100 --- ...Fix-RSA-signature-verification-for-m.patch | 49 ------------------- strongswan.changes | 2 - strongswan.spec | 2 - 3 files changed, 53 deletions(-) delete mode 100644 0006-Fix-RSA-signature-verification-for-m.patch diff --git a/0006-Fix-RSA-signature-verification-for-m.patch b/0006-Fix-RSA-signature-verification-for-m.patch deleted file mode 100644 index 92f9410..0000000 --- a/0006-Fix-RSA-signature-verification-for-m.patch +++ /dev/null 
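Review bot: The rebased default lists (inner hunk `@@ -1014,31 +1159,32 @@`) now route the three new `AUTH_HMAC_SHA2_256_128` / `AUTH_HMAC_SHA2_384_192` / `AUTH_HMAC_SHA2_512_256` entries through `fips_add_algorithm` alongside the legacy `AUTH_HMAC_MD5_96`, `ENCR_3DES` and `ENCR_BLOWFISH` entries, but the macro's definition sits in an inner hunk this meta-diff does not touch, so I cannot tell from here whether it filters by allow-list or deny-list. If it is an allow-list written before SHA-2 became a default, FIPS-mode ESP/AH defaults silently lose every SHA-2 integrity option while still depending on the filter to strip MD5, 3DES and Blowfish; if it is a deny-list, nothing changes. Worth confirming against the macro body and recording the answer in a comment next to its definition that names which list it consults, so the next rebase of these default lists can be checked against it.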
@@ -1,49 +0,0 @@ -iFrom ed282e9a463c068146c945984fdea7828e663861 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Mon, 29 May 2017 11:59:34 +0200 -Subject: [PATCH] gmp: Fix RSA signature verification for m >= n - -By definition, m must be <= n-1, we didn't enforce that and because -mpz_export() returns NULL if the passed value is zero a crash could have -been triggered with m == n. - -Fixes CVE-2017-11185. ---- - src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c -index 32a72ac9600b..a741f85d4f62 100644 ---- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c -+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c -@@ -78,11 +78,17 @@ static chunk_t rsaep(private_gmp_rsa_public_key_t *this, chunk_t data) - mpz_t m, c; - chunk_t encrypted; - -- mpz_init(c); - mpz_init(m); -- - mpz_import(m, data.len, 1, 1, 1, 0, data.ptr); - -+ if (mpz_cmp_ui(m, 0) <= 0 || mpz_cmp(m, this->n) >= 0) -+ { /* m must be <= n-1, but 0 is a valid value, doesn't really make sense -+ * here, though */ -+ mpz_clear(m); -+ return chunk_empty; -+ } -+ -+ mpz_init(c); - mpz_powm(c, m, this->e, this->n); - - encrypted.len = this->k; -@@ -150,7 +156,7 @@ static bool verify_emsa_pkcs1_signature(private_gmp_rsa_public_key_t *this, - */ - - /* check magic bytes */ -- if (*(em.ptr) != 0x00 || *(em.ptr+1) != 0x01) -+ if (em.len < 2 || *(em.ptr) != 0x00 || *(em.ptr+1) != 0x01) - { - goto end; - } --- -2.7.4 diff --git a/strongswan.changes b/strongswan.changes index 2f0467a..8634b62 100644 --- a/strongswan.changes +++ b/strongswan.changes 
@@ -64,8 +64,6 @@ Mon Jul 31 18:30:28 CEST 2017 - ndas@suse.de [- 0006-Make-sure-the-modulus-is-odd-and-the-exponent-not-zero.patch, - 0007-asn1-parser-Fix-CHOICE-parsing.patch] - libhydra is removed as all kernel plugins moved to libcharon -- Fix RSA signature verification for m >= n (bsc#1051222 CVE-2017-11185) - [+ 0006-Fix-RSA-signature-verification-for-m.patch] ------------------------------------------------------------------- Tue May 23 14:25:32 CEST 2017 - ndas@suse.de diff --git a/strongswan.spec b/strongswan.spec index 1b0cf60..cbe3898 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -83,7 +83,6 @@ Patch3: %{name}_fipscheck.patch Patch4: %{name}_fipsfilter.patch %endif Patch5: 0005-ikev1-Don-t-retransmit-Aggressive-Mode-response.patch -Patch6: 0006-Fix-RSA-signature-verification-for-m.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: bison BuildRequires: curl-devel @@ -295,7 +294,6 @@ and the load testing plugin for IKEv2 daemon. %patch4 -p1 %endif %patch5 -p1 -%patch6 -p1 sed -e 's|@libexecdir@|%_libexecdir|g' \ < $RPM_SOURCE_DIR/strongswan.init.in \ > strongswan.init