forked from pool/strongswan

Removed obsolete patch files (their removal is already noted in the changelog).

OBS-URL: https://build.opensuse.org/package/show/network:vpn/strongswan?expand=0&rev=86
Marius Tomaschewski 2015-02-18 12:24:33 +00:00 committed by Git OBS Bridge
parent 055879bc1c
commit 8a2afb449d
2 changed files with 0 additions and 579 deletions


@ -1,413 +0,0 @@
From 76ad8a6f4c83c999b9eb6d1a3506b1a8e593307e Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 20 Jun 2014 16:22:15 +0200
Subject: [PATCH] Merge branch 'algorithm-order'
Upstream: yes
References: bsc#897512
Restores the behavior we had before 2e22333fb (except for RNGs), that is,
algorithms are stored in the registration order again. Which is not optimal
as we must rely on plugins to register them in a sensible order, but ordering
them by identifier definitely caused weaker algorithms to be proposed first
in the default proposal, which was even worse.
---
src/libstrongswan/crypto/crypto_factory.c | 18 +-
src/libstrongswan/tests/Makefile.am | 1 +
.../tests/suites/test_crypto_factory.c | 312 +++++++++++++++++++++
src/libstrongswan/tests/tests.h | 1 +
4 files changed, 327 insertions(+), 5 deletions(-)
create mode 100644 src/libstrongswan/tests/suites/test_crypto_factory.c
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index 6dea30e..96fbc0d 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -392,10 +392,10 @@ METHOD(crypto_factory_t, create_dh, diffie_hellman_t*,
/**
* Insert an algorithm entry to a list
*
- * Entries are sorted by algorithm identifier (which is important for RNGs)
- * while maintaining the order in which algorithms were added, unless they were
+ * Entries maintain the order in which algorithms were added, unless they were
* benchmarked and speed is provided, which then is used to order entries of
* the same algorithm.
+ * An exception are RNG entries, which are sorted by algorithm identifier.
*/
static void add_entry(private_crypto_factory_t *this, linked_list_t *list,
int algo, const char *plugin_name,
@@ -403,6 +403,7 @@ static void add_entry(private_crypto_factory_t *this, linked_list_t *list,
{
enumerator_t *enumerator;
entry_t *entry, *current;
+ bool sort = (list == this->rngs), found = FALSE;
INIT(entry,
.algo = algo,
@@ -415,12 +416,19 @@ static void add_entry(private_crypto_factory_t *this, linked_list_t *list,
enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, &current))
{
- if (current->algo > algo)
+ if (sort && current->algo > algo)
{
break;
}
- else if (current->algo == algo && speed &&
- current->speed < speed)
+ else if (current->algo == algo)
+ {
+ if (speed > current->speed)
+ {
+ break;
+ }
+ found = TRUE;
+ }
+ else if (found)
{
break;
}
diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am
index 331a548..0bdf2b3 100644
--- a/src/libstrongswan/tests/Makefile.am
+++ b/src/libstrongswan/tests/Makefile.am
@@ -42,6 +42,7 @@ tests_SOURCES = tests.h tests.c \
suites/test_host.c \
suites/test_hasher.c \
suites/test_crypter.c \
+ suites/test_crypto_factory.c \
suites/test_pen.c \
suites/test_asn1.c \
suites/test_asn1_parser.c \
diff --git a/src/libstrongswan/tests/suites/test_crypto_factory.c b/src/libstrongswan/tests/suites/test_crypto_factory.c
new file mode 100644
index 0000000..94f45da
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_crypto_factory.c
@@ -0,0 +1,312 @@
+/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <crypto/crypto_factory.h>
+
+static rng_t *rng_create(rng_quality_t quality)
+{
+ rng_quality_t *q = malloc_thing(rng_quality_t);
+ *q = quality;
+ return (rng_t*)q;
+}
+
+static rng_t *rng_create_weak(rng_quality_t quality)
+{
+ ck_assert(quality == RNG_WEAK);
+ return rng_create(RNG_WEAK);
+}
+
+static rng_t *rng_create_strong(rng_quality_t quality)
+{
+ ck_assert(quality <= RNG_STRONG);
+ return rng_create(RNG_STRONG);
+}
+
+static rng_t *rng_create_true(rng_quality_t quality)
+{
+ ck_assert(quality <= RNG_TRUE);
+ return rng_create(RNG_TRUE);
+}
+
+static rng_t *rng_create_true_second(rng_quality_t quality)
+{
+ fail("should never be called");
+ return rng_create(RNG_TRUE);
+}
+
+static rng_quality_t rng_weak = RNG_WEAK;
+static rng_quality_t rng_strong = RNG_STRONG;
+static rng_quality_t rng_true = RNG_TRUE;
+
+static struct {
+ rng_quality_t *exp_weak;
+ rng_quality_t *exp_strong;
+ rng_quality_t *exp_true;
+ struct {
+ rng_quality_t *q;
+ rng_constructor_t create;
+ } data[4];
+} rng_data[] = {
+ { NULL, NULL, NULL, {
+ { NULL, NULL }
+ }},
+ { &rng_weak, NULL, NULL, {
+ { &rng_weak, rng_create_weak },
+ { NULL, NULL }
+ }},
+ { &rng_strong, &rng_strong, NULL, {
+ { &rng_strong, rng_create_strong },
+ { NULL, NULL }
+ }},
+ { &rng_true, &rng_true, &rng_true, {
+ { &rng_true, rng_create_true },
+ { NULL, NULL }
+ }},
+ { &rng_true, &rng_true, &rng_true, {
+ { &rng_true, rng_create_true },
+ { &rng_true, rng_create_true_second },
+ { NULL, NULL }
+ }},
+ { &rng_weak, &rng_true, &rng_true, {
+ { &rng_weak, rng_create_weak },
+ { &rng_true, rng_create_true },
+ { NULL, NULL }
+ }},
+ { &rng_weak, &rng_strong, &rng_true, {
+ { &rng_true, rng_create_true },
+ { &rng_strong, rng_create_strong },
+ { &rng_weak, rng_create_weak },
+ { NULL, NULL }
+ }},
+ { &rng_weak, &rng_strong, &rng_true, {
+ { &rng_weak, rng_create_weak },
+ { &rng_strong, rng_create_strong },
+ { &rng_true, rng_create_true },
+ { NULL, NULL }
+ }},
+};
+
+static void verify_rng(crypto_factory_t *factory, rng_quality_t request,
+ rng_quality_t *expected)
+{
+ rng_quality_t *res;
+
+ res = (rng_quality_t*)factory->create_rng(factory, request);
+ if (!expected)
+ {
+ ck_assert(!res);
+ }
+ else
+ {
+ ck_assert(res);
+ ck_assert_int_eq(*expected, *res);
+ free(res);
+ }
+}
+
+START_TEST(test_create_rng)
+{
+ crypto_factory_t *factory;
+ int i;
+
+ factory = crypto_factory_create();
+ for (i = 0; rng_data[_i].data[i].q; i++)
+ {
+ ck_assert(factory->add_rng(factory, *rng_data[_i].data[i].q, "test",
+ rng_data[_i].data[i].create));
+ }
+ verify_rng(factory, RNG_WEAK, rng_data[_i].exp_weak);
+ verify_rng(factory, RNG_STRONG, rng_data[_i].exp_strong);
+ verify_rng(factory, RNG_TRUE, rng_data[_i].exp_true);
+ for (i = 0; rng_data[_i].data[i].q; i++)
+ {
+ factory->remove_rng(factory, rng_data[_i].data[i].create);
+ }
+ factory->destroy(factory);
+}
+END_TEST
+
+static diffie_hellman_t *dh_create(char *plugin)
+{
+ return (diffie_hellman_t*)plugin;
+}
+
+static diffie_hellman_t *dh_create_modp1024(diffie_hellman_group_t group, ...)
+{
+ ck_assert(group == MODP_1024_BIT);
+ return dh_create("plugin1");
+}
+
+static diffie_hellman_t *dh_create_modp1024_second(diffie_hellman_group_t group,
+ ...)
+{
+ ck_assert(group == MODP_1024_BIT);
+ return dh_create("plugin2");
+}
+
+static diffie_hellman_t *dh_create_modp2048(diffie_hellman_group_t group, ...)
+{
+ ck_assert(group == MODP_2048_BIT);
+ return dh_create("plugin1");
+}
+
+static diffie_hellman_t *dh_create_modp2048_second(diffie_hellman_group_t group,
+ ...)
+{
+ ck_assert(group == MODP_2048_BIT);
+ return dh_create("plugin2");
+}
+
+static struct {
+ char *exp1024;
+ char *exp2048;
+ struct {
+ diffie_hellman_group_t g;
+ dh_constructor_t create;
+ char *plugin;
+ } data[4];
+} dh_data[] = {
+ { NULL, NULL, {
+ { MODP_NONE, NULL, NULL }
+ }},
+ { "plugin1", NULL, {
+ { MODP_1024_BIT, dh_create_modp1024, "plugin1" },
+ { MODP_NONE, NULL, NULL }
+ }},
+ { "plugin1", NULL, {
+ { MODP_1024_BIT, dh_create_modp1024, "plugin1" },
+ { MODP_1024_BIT, dh_create_modp1024_second, "plugin2" },
+ { MODP_NONE, NULL, NULL }
+ }},
+ { "plugin2", NULL, {
+ { MODP_1024_BIT, dh_create_modp1024_second, "plugin2" },
+ { MODP_1024_BIT, dh_create_modp1024, "plugin1" },
+ { MODP_NONE, NULL, NULL }
+ }},
+ { "plugin1", "plugin1", {
+ { MODP_1024_BIT, dh_create_modp1024, "plugin1" },
+ { MODP_2048_BIT, dh_create_modp2048, "plugin1" },
+ { MODP_NONE, NULL }
+ }},
+ { "plugin1", "plugin1", {
+ { MODP_2048_BIT, dh_create_modp2048, "plugin1" },
+ { MODP_1024_BIT, dh_create_modp1024, "plugin1" },
+ { MODP_NONE, NULL }
+ }},
+ { "plugin1", "plugin1", {
+ { MODP_2048_BIT, dh_create_modp2048, "plugin1" },
+ { MODP_2048_BIT, dh_create_modp2048_second, "plugin2" },
+ { MODP_1024_BIT, dh_create_modp1024, "plugin1" },
+ { MODP_NONE, NULL }
+ }},
+ { "plugin1", "plugin2", {
+ { MODP_2048_BIT, dh_create_modp2048_second, "plugin2" },
+ { MODP_2048_BIT, dh_create_modp2048, "plugin1" },
+ { MODP_1024_BIT, dh_create_modp1024, "plugin1" },
+ { MODP_NONE, NULL }
+ }},
+};
+
+static void verify_dh(crypto_factory_t *factory, diffie_hellman_group_t request,
+ char *expected)
+{
+ char *plugin;
+
+ plugin = (char*)factory->create_dh(factory, request);
+ if (!expected)
+ {
+ ck_assert(!plugin);
+ }
+ else
+ {
+ ck_assert(plugin);
+ ck_assert_str_eq(expected, plugin);
+ }
+}
+
+START_TEST(test_create_dh)
+{
+ enumerator_t *enumerator;
+ crypto_factory_t *factory;
+ diffie_hellman_group_t group;
+ char *plugin;
+ int i, len = 0;
+
+
+ factory = crypto_factory_create();
+ for (i = 0; dh_data[_i].data[i].g != MODP_NONE; i++)
+ {
+ ck_assert(factory->add_dh(factory, dh_data[_i].data[i].g,
+ dh_data[_i].data[i].plugin,
+ dh_data[_i].data[i].create));
+ }
+ verify_dh(factory, MODP_1024_BIT, dh_data[_i].exp1024);
+ verify_dh(factory, MODP_2048_BIT, dh_data[_i].exp2048);
+
+ len = countof(dh_data[_i].data);
+ enumerator = factory->create_dh_enumerator(factory);
+ for (i = 0; enumerator->enumerate(enumerator, &group, &plugin) && i < len;)
+ {
+ ck_assert_int_eq(dh_data[_i].data[i].g, group);
+ while (dh_data[_i].data[i].g == group)
+ { /* skip other entries by the same group */
+ i++;
+ }
+ switch (group)
+ {
+ case MODP_1024_BIT:
+ ck_assert(dh_data[_i].exp1024);
+ ck_assert_str_eq(dh_data[_i].exp1024, plugin);
+ break;
+ case MODP_2048_BIT:
+ ck_assert(dh_data[_i].exp2048);
+ ck_assert_str_eq(dh_data[_i].exp2048, plugin);
+ break;
+ default:
+ fail("unexpected DH group");
+ break;
+ }
+ }
+ ck_assert(!enumerator->enumerate(enumerator));
+ ck_assert_int_eq(dh_data[_i].data[i].g, MODP_NONE);
+ enumerator->destroy(enumerator);
+
+ for (i = 0; dh_data[_i].data[i].g != MODP_NONE; i++)
+ {
+ factory->remove_dh(factory, dh_data[_i].data[i].create);
+ }
+ factory->destroy(factory);
+}
+END_TEST
+
+Suite *crypto_factory_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("crypto-factory");
+
+ tc = tcase_create("create_rng");
+ tcase_add_loop_test(tc, test_create_rng, 0, countof(rng_data));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("create_dh");
+ tcase_add_loop_test(tc, test_create_dh, 0, countof(dh_data));
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h
index 82a5137..ab0f642 100644
--- a/src/libstrongswan/tests/tests.h
+++ b/src/libstrongswan/tests/tests.h
@@ -35,6 +35,7 @@ TEST_SUITE(host_suite_create)
TEST_SUITE(printf_suite_create)
TEST_SUITE(hasher_suite_create)
TEST_SUITE(crypter_suite_create)
+TEST_SUITE(crypto_factory_suite_create)
TEST_SUITE(pen_suite_create)
TEST_SUITE(asn1_suite_create)
TEST_SUITE(asn1_parser_suite_create)
--
2.1.2


@ -1,166 +0,0 @@
From a78ecdd47509626711a13481f53696e01d4b8c62 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Mon, 1 Dec 2014 17:21:59 +0100
Subject: [PATCH] crypto: Define MODP_CUSTOM outside of IKE DH range
References: bsc#910491,CVE-2014-9221
Upstream: yes
Before this fix it was possible to crash charon with an IKE_SA_INIT
message containing a KE payload with DH group MODP_CUSTOM(1025).
Defining MODP_CUSTOM outside of the two byte IKE DH identifier range
prevents it from getting negotiated.
Fixes CVE-2014-9221 in version 5.1.2 and newer.
---
src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 2 +-
src/libstrongswan/crypto/diffie_hellman.c | 11 ++++++-----
src/libstrongswan/crypto/diffie_hellman.h | 6 ++++--
src/libstrongswan/plugins/gcrypt/gcrypt_dh.c | 2 +-
src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c | 2 +-
src/libstrongswan/plugins/ntru/ntru_ke.c | 2 +-
src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c | 2 +-
src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c | 2 +-
src/libstrongswan/plugins/pkcs11/pkcs11_dh.c | 2 +-
9 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
index 67db5e6d87d6..836e0b7f088d 100644
--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
@@ -41,7 +41,7 @@ struct private_tkm_diffie_hellman_t {
/**
* Diffie Hellman group number.
*/
- u_int16_t group;
+ diffie_hellman_group_t group;
/**
* Diffie Hellman public value.
diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
index bada1c529951..ac106e9c4d45 100644
--- a/src/libstrongswan/crypto/diffie_hellman.c
+++ b/src/libstrongswan/crypto/diffie_hellman.c
@@ -42,15 +42,16 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_512_BP, ECP_521_BIT,
"ECP_256_BP",
"ECP_384_BP",
"ECP_512_BP");
-ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_512_BP,
- "MODP_NULL",
- "MODP_CUSTOM");
-ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_CUSTOM,
+ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_512_BP,
+ "MODP_NULL");
+ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_NULL,
"NTRU_112",
"NTRU_128",
"NTRU_192",
"NTRU_256");
-ENUM_END(diffie_hellman_group_names, NTRU_256_BIT);
+ENUM_NEXT(diffie_hellman_group_names, MODP_CUSTOM, MODP_CUSTOM, NTRU_256_BIT,
+ "MODP_CUSTOM");
+ENUM_END(diffie_hellman_group_names, MODP_CUSTOM);
/**
diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
index 105db22f14d4..d5161d077bb2 100644
--- a/src/libstrongswan/crypto/diffie_hellman.h
+++ b/src/libstrongswan/crypto/diffie_hellman.h
@@ -63,12 +63,14 @@ enum diffie_hellman_group_t {
/** insecure NULL diffie hellman group for testing, in PRIVATE USE */
MODP_NULL = 1024,
/** MODP group with custom generator/prime */
- MODP_CUSTOM = 1025,
/** Parameters defined by IEEE 1363.1, in PRIVATE USE */
NTRU_112_BIT = 1030,
NTRU_128_BIT = 1031,
NTRU_192_BIT = 1032,
- NTRU_256_BIT = 1033
+ NTRU_256_BIT = 1033,
+ /** internally used DH group with additional parameters g and p, outside
+ * of PRIVATE USE (i.e. IKEv2 DH group range) so it can't be negotiated */
+ MODP_CUSTOM = 65536,
};
/**
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
index f418b941db86..299865da2e09 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
@@ -35,7 +35,7 @@ struct private_gcrypt_dh_t {
/**
* Diffie Hellman group number
*/
- u_int16_t group;
+ diffie_hellman_group_t group;
/*
* Generator value
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
index b74d35169f44..9936f7e4518f 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
@@ -42,7 +42,7 @@ struct private_gmp_diffie_hellman_t {
/**
* Diffie Hellman group number.
*/
- u_int16_t group;
+ diffie_hellman_group_t group;
/*
* Generator value.
diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c
index abaa22336221..e64f32b91d0e 100644
--- a/src/libstrongswan/plugins/ntru/ntru_ke.c
+++ b/src/libstrongswan/plugins/ntru/ntru_ke.c
@@ -56,7 +56,7 @@ struct private_ntru_ke_t {
/**
* Diffie Hellman group number.
*/
- u_int16_t group;
+ diffie_hellman_group_t group;
/**
* NTRU Parameter Set
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
index ff3382473666..1e68ac59b838 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -38,7 +38,7 @@ struct private_openssl_diffie_hellman_t {
/**
* Diffie Hellman group number.
*/
- u_int16_t group;
+ diffie_hellman_group_t group;
/**
* Diffie Hellman object
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index b487d59a59a3..50853d6f0bde 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -40,7 +40,7 @@ struct private_openssl_ec_diffie_hellman_t {
/**
* Diffie Hellman group number.
*/
- u_int16_t group;
+ diffie_hellman_group_t group;
/**
* EC private (public) key
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
index 36cc284bf2b5..23b63d2386af 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
@@ -47,7 +47,7 @@ struct private_pkcs11_dh_t {
/**
* Diffie Hellman group number.
*/
- u_int16_t group;
+ diffie_hellman_group_t group;
/**
* Handle for own private value
--
1.9.1