diff --git a/0001-libreswan-anolis-rebrand-to-anolis.patch b/0001-libreswan-anolis-rebrand-to-anolis.patch new file mode 100644 index 0000000000000000000000000000000000000000..21068ddbe717a63231880fb31567b2762731b8d1 --- /dev/null +++ b/0001-libreswan-anolis-rebrand-to-anolis.patch @@ -0,0 +1,87 @@ +From c0ae1f9070d386036a793d3e8eac7a787e7017a0 Mon Sep 17 00:00:00 2001 +From: "yangxiaoxuan@openanolis.org" +Date: Mon, 21 Jun 2021 22:48:03 +0800 +Subject: [PATCH] libreswan anolis rebrand to anolis + +--- + Makefile | 2 +- + mk/defaults/linux.mk | 2 +- + programs/barf/barf.in | 2 +- + testing/guestbin/docker-transmogrify | 8 +++++--- + 4 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/Makefile b/Makefile +index db230d4..bafddc2 100644 +--- a/Makefile ++++ b/Makefile +@@ -27,7 +27,7 @@ include ${LIBRESWANSRCDIR}/Makefile.inc + MAIN_RPM_VERSION = $(shell make showversion | sed "s/-.*//") + MAIN_RPM_PREVER = $(shell make showversion | sed -e "s/^.[^-]*-\([^-]*\)-\(.*\)/rc\1_\2/" -e "s/-/_/g") + MAIN_RPM_PREFIX = libreswan-$(MAIN_RPM_VERSION)$(MAIN_RPM_PREVER) +-MAIN_RPM_RHEL_PKG = $(shell rpm -qf /etc/redhat-release) ++MAIN_RPM_RHEL_PKG = $(shell rpm -qf /etc/anolis-release) + MAIN_RPM_RHEL_VERSION = $(shell echo $(MAIN_RPM_RHEL_PKG) | sed "s/.*-release-\(.\).*/\1/") + MAIN_RPM_SPECFILE = $(shell if [ -f /etc/fedora-release ]; then echo packaging/fedora/libreswan.spec; elif [ -n "$(MAIN_RPM_RHEL_VERSION)" ]; then echo packaging/rhel/$(MAIN_RPM_RHEL_VERSION)/libreswan.spec; else echo "unknown distro, cannot find spec file to use in packaging directory"; fi) + RHEL_LIKE= $(shell cat /etc/os-release | grep ID_LIKE | sed -e "s/ID_LIKE=//" -e 's/"//g' -e "s/ .*//") +diff --git a/mk/defaults/linux.mk b/mk/defaults/linux.mk +index c286a7d..56a3e20 100644 +--- a/mk/defaults/linux.mk ++++ b/mk/defaults/linux.mk +@@ -131,7 +131,7 @@ ifndef INITSYSTEM + INITSYSTEM=systemd + else ifneq ($(and $(wildcard /lib/systemd/systemd),$(wildcard /var/run/systemd)),) + INITSYSTEM=systemd +- else ifneq ($(and $(wildcard /sbin/start),$(wildcard /etc/redhat-release)),) ++ else ifneq ($(and $(wildcard /sbin/start),$(wildcard /etc/anolis-release)),) + # override for rhel/centos to use sysvinit + INITSYSTEM=sysvinit + else ifneq ($(wildcard /sbin/start),) +diff --git a/programs/barf/barf.in b/programs/barf/barf.in +index e76c62f..7a7a61a 100755 +--- a/programs/barf/barf.in ++++ b/programs/barf/barf.in +@@ -248,7 +248,7 @@ if [ -r /proc/config_built_with ]; then + cat /proc/config_built_with + fi + _________________________ distro-release +-for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release ++for distro in /etc/redhat-release /etc/anolis-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + do + if [ -f ${distro} ]; then + cat ${distro} +diff --git a/testing/guestbin/docker-transmogrify b/testing/guestbin/docker-transmogrify +index 0afa1f1..4dc7539 100755 +--- a/testing/guestbin/docker-transmogrify ++++ b/testing/guestbin/docker-transmogrify +@@ -34,7 +34,9 @@ macs['sunset'] = "12:00:00:ab:cd:01" + # conflicts with north + #macs['japan'] = "12:00:00:ab:cd:02" + +-if os.path.isfile("/etc/redhat-release"): ++if os.path.isfile("/etc/anolis-release"): ++ GUESTOS = "anolis" ++elif os.path.isfile("/etc/redhat-release"): + GUESTOS = "redhat" + elif os.path.isfile("/etc/debian_version"): + GUESTOS = "debian" +@@ -136,7 +138,7 @@ else: + if os.path.isfile(hostname_file): + shutil.copyfile(hostname_file, "/etc/hostname") + +-if GUESTOS == "redhat": ++if GUESTOS == "anolis": + + # these files are needed for systemd-networkd too + fnames = glob.glob("/testing/baseconfigs/all/etc/sysconfig/*") +@@ -216,7 +218,7 @@ for dbfile in glob.glob("/etc/ipsec.d/*.db"): + os.chmod(dbfile, 0o600) + + # SElinux fixup +-if GUESTOS == "redhat": ++if GUESTOS == "anolis": + output += "\n" + subprocess.getoutput("restorecon -R /etc/") + + # selinux does not like our /testing include files +-- +2.18.4 + diff --git a/download b/download index 31fb840a4a06c56a749ff9e829dc1e780178a075..8462b62690925457c86baf646fd28cd800a707fd 100644 --- a/download +++ b/download @@ -1 +1,4 @@ 3c6f2ab474534ead7abec57c9484ea75 libreswan-4.6.tar.gz +d8b493de7179635a6ed2a4d0e1b35282 ikev1_dsa.fax.bz2 +c4fe7041300e6c21f4561ce818b5002f ikev1_psk.fax.bz2 +7716c48a1a2b17ba25e89b79889d4004 ikev2.fax.bz2 diff --git a/ikev1_dsa.fax.bz2 b/ikev1_dsa.fax.bz2 deleted file mode 100644 index eb1c5d87f4a5d3f70c32961756c138a1ee1f5956..0000000000000000000000000000000000000000 Binary files a/ikev1_dsa.fax.bz2 and /dev/null differ diff --git a/ikev1_psk.fax.bz2 b/ikev1_psk.fax.bz2 deleted file mode 100644 index 7f29d6c04dd1223768b4e79ad57ab83bc97bf8ae..0000000000000000000000000000000000000000 Binary files a/ikev1_psk.fax.bz2 and /dev/null differ diff --git a/ikev2.fax.bz2 b/ikev2.fax.bz2 deleted file mode 100644 index 1f9f433e1334cf5d514d1dc5051d7fbdd8545bdb..0000000000000000000000000000000000000000 Binary files a/ikev2.fax.bz2 and /dev/null differ diff --git a/libreswan-4.6-ikev1-aggr.patch b/libreswan-4.6-ikev1-aggr.patch new file mode 100644 index 0000000000000000000000000000000000000000..3b76b5c73edbaadd7b0f0aaf7e3f9e2576ad0ebe --- /dev/null +++ b/libreswan-4.6-ikev1-aggr.patch @@ -0,0 +1,217 @@ +From 35cf6a8ff4ebb6d163040ec8080eb9e6a2d3fcd9 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Tue, 18 Apr 2023 10:36:06 +0900 +Subject: [PATCH 1/2] Fix CVE-2023-30570 + +Signed-off-by: Daiki Ueno +--- + programs/pluto/ikev1.c | 61 +++++++++++++++++++++++++++++++++++-- + programs/pluto/ikev1_aggr.c | 5 +-- + 2 files changed, 61 insertions(+), 5 deletions(-) + +diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c +index ebd0d8af9b..22e2a48cd9 100644 +--- a/programs/pluto/ikev1.c ++++ b/programs/pluto/ikev1.c +@@ -1098,10 +1098,20 @@ void process_v1_packet(struct msg_digest *md) + struct state *st = NULL; + enum state_kind from_state = STATE_UNDEFINED; /* state we started in */ + ++ /* ++ * For the initial responses, don't leak the responder's SPI. ++ * Hence the use of send_v1_notification_from_md(). ++ * ++ * AGGR mode is a mess in that the R0->R1 transition happens ++ * well before the transition succeeds. ++ */ + #define SEND_NOTIFICATION(t) \ + { \ + pstats(ikev1_sent_notifies_e, t); \ +- if (st != NULL) \ ++ if (st != NULL && \ ++ st->st_state->kind != STATE_AGGR_R0 && \ ++ st->st_state->kind != STATE_AGGR_R1 && \ ++ st->st_state->kind != STATE_MAIN_R0) \ + send_notification_from_state(st, from_state, t); \ + else \ + send_notification_from_md(md, t); \ +@@ -1165,17 +1175,26 @@ void process_v1_packet(struct msg_digest *md) + from_state = (md->hdr.isa_xchg == ISAKMP_XCHG_IDPROT ? + STATE_MAIN_R0 : STATE_AGGR_R0); + } else { +- /* not an initial message */ ++ /* ++ * Possibly not an initial message. Possibly ++ * from initiator. Possibly from responder. ++ * ++ * Possibly. Which is probably hopeless. ++ */ + + st = find_state_ikev1(&md->hdr.isa_ike_spis, + md->hdr.isa_msgid); + + if (st == NULL) { + /* +- * perhaps this is a first message ++ * Perhaps this is a first message + * from the responder and contains a + * responder cookie that we've not yet + * seen. ++ * ++ * Perhaps this is a random message ++ * with a bogus non-zero responder IKE ++ * SPI. + */ + st = find_state_ikev1_init(&md->hdr.isa_ike_initiator_spi, + md->hdr.isa_msgid); +@@ -1186,6 +1205,21 @@ void process_v1_packet(struct msg_digest *md) + /* XXX Could send notification back */ + return; + } ++ if (st->st_state->kind == STATE_AGGR_R0) { ++ /* ++ * The only way for this to ++ * happen is for the attacker ++ * to guess the responder's ++ * IKE SPI that hasn't been ++ * sent over the wire? ++ * ++ * Well that or played 1/2^32 ++ * odds. ++ */ ++ llog_pexpect(md->md_logger, HERE, ++ "phase 1 message matching AGGR_R0 state"); ++ return; ++ } + } + from_state = st->st_state->kind; + } +@@ -2904,7 +2938,28 @@ void complete_v1_state_transition(struct state *st, struct msg_digest *md, stf_s + delete_state(st); + /* wipe out dangling pointer to st */ + md->v1_st = NULL; ++ } else if (st->st_state->kind == STATE_AGGR_R0 || ++ st->st_state->kind == STATE_AGGR_R1 || ++ st->st_state->kind == STATE_MAIN_R0) { ++ /* ++ * ++ * Wipe out the incomplete larval state. ++ * ++ * ARGH! In <=v4.10, the aggr code flipped the ++ * larval state to R1 right at the start of ++ * the transition and not the end, so using ++ * state to figure things out is close to ++ * useless. ++ * ++ * Deleting the state means that pluto has no ++ * way to detect and ignore amplification ++ * attacks. ++ */ ++ delete_state(st); ++ /* wipe out dangling pointer to st */ ++ md->v1_st = NULL; + } ++ + break; + } + } +diff --git a/programs/pluto/ikev1_aggr.c b/programs/pluto/ikev1_aggr.c +index b533ebb482..7039327b70 100644 +--- a/programs/pluto/ikev1_aggr.c ++++ b/programs/pluto/ikev1_aggr.c +@@ -160,7 +160,7 @@ stf_status aggr_inI1_outR1(struct state *unused_st UNUSED, + struct ike_sa *ike = new_v1_rstate(c, md); + struct state *st = &ike->sa; + md->v1_st = st; /* (caller will reset cur_state) */ +- change_state(st, STATE_AGGR_R1); ++ change_state(st, STATE_AGGR_R0); + + /* warn for especially dangerous Aggressive Mode and PSK */ + if (LIN(POLICY_PSK, c->policy) && LIN(POLICY_AGGRESSIVE, c->policy)) { +@@ -177,7 +177,8 @@ stf_status aggr_inI1_outR1(struct state *unused_st UNUSED, + + if (!v1_decode_certs(md)) { + log_state(RC_LOG, st, "X509: CERT payload bogus or revoked"); +- return false; ++ /* XXX notification is in order! */ ++ return STF_FAIL + INVALID_ID_INFORMATION; + } + + /* +-- +2.39.2 + + +From 59a25e2ecfe7cf5192f91a872d775e6ef2044478 Mon Sep 17 00:00:00 2001 +From: Andrew Cagney +Date: Sat, 25 Mar 2023 19:40:52 -0400 +Subject: [PATCH 2/2] ikev1: add --impair + copy_v1_notify_response_SPIs_to_retransmission + +--- + include/impair.h | 2 ++ + lib/libswan/impair.c | 6 ++++++ + programs/pluto/ikev1.c | 10 ++++++++++ + 3 files changed, 18 insertions(+) + +diff --git a/include/impair.h b/include/impair.h +index 6b045b6125..9fb1ed1be5 100644 +--- a/include/impair.h ++++ b/include/impair.h +@@ -155,6 +155,8 @@ struct impair { + + bool event_check_crls; + ++ bool copy_v1_notify_response_SPIs_to_retransmission; ++ + /* + * add more here + */ +diff --git a/lib/libswan/impair.c b/lib/libswan/impair.c +index e4ab1f9b00..a6261451ce 100644 +--- a/lib/libswan/impair.c ++++ b/lib/libswan/impair.c +@@ -97,6 +97,8 @@ struct impairment impairments[] = { + + #define A(WHAT, ACTION, PARAM, HELP, UNSIGNED_HELP, ...) { .what = WHAT, .action = CALL_##ACTION, .param = PARAM, .help = HELP, .unsigned_help = UNSIGNED_HELP, ##__VA_ARGS__, } + #define V(WHAT, VALUE, HELP, ...) { .what = WHAT, .action = CALL_IMPAIR_UPDATE, .value = &impair.VALUE, .help = HELP, .sizeof_value = sizeof(impair.VALUE), ##__VA_ARGS__, } ++#define B(VALUE, HELP, ...) \ ++ { .what = #VALUE, .action = CALL_IMPAIR_UPDATE, .value = &impair.VALUE, .help = HELP, .sizeof_value = sizeof(impair.VALUE), ##__VA_ARGS__, } + + V("allow-dns-insecure", allow_dns_insecure, "allow IPSECKEY lookups without DNSSEC protection"), + V("allow-null-none", allow_null_none, "cause pluto to allow esp=null-none and ah=none for testing"), +@@ -202,6 +204,10 @@ struct impairment impairments[] = { + A("event-sa-replace", STATE_EVENT_HANDLER, EVENT_SA_REPLACE, + "trigger the replace event", "SA"), + ++ B(copy_v1_notify_response_SPIs_to_retransmission, ++ "copy SPIs in IKEv1 notify response to last sent packet and then retransmit"), ++ ++#undef B + #undef V + #undef A + +diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c +index 22e2a48cd9..91628e5a2c 100644 +--- a/programs/pluto/ikev1.c ++++ b/programs/pluto/ikev1.c +@@ -2240,6 +2240,16 @@ void process_packet_tail(struct msg_digest *md) + str_enum(& ikev1_notify_names, + p->payload.notification.isan_type, &b)); + } else { ++ if (impair.copy_v1_notify_response_SPIs_to_retransmission) { ++ ldbg(st->st_logger, "IMPAIR: copying notify response SPIs to recorded message and then resending it"); ++ /* skip non-ESP marker if needed */ ++ size_t skip = (st->st_interface->esp_encapsulation_enabled ? NON_ESP_MARKER_SIZE : 0); ++ size_t spis = sizeof(md->hdr.isa_ike_spis); ++ PASSERT(st->st_logger, st->st_v1_tpacket.len >= skip + spis); ++ memcpy(st->st_v1_tpacket.ptr + skip, &md->hdr.isa_ike_spis, spis); ++ resend_recorded_v1_ike_msg(st, "IMPAIR: retransmitting mangled packet"); ++ } ++ + enum_buf b; + LOG_PACKET(RC_LOG_SERIOUS, + "ignoring informational payload %s, msgid=%08" PRIx32 ", length=%d", +-- +2.39.2 + diff --git a/libreswan.spec b/libreswan.spec index ca104ebb5515ef75d10b09e435932050a0dc2e13..6aeebba5d0749635561eb0ad29de783b5ddfd512 100644 --- a/libreswan.spec +++ b/libreswan.spec @@ -32,7 +32,7 @@ Name: libreswan Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec # version is generated in the release script Version: 4.6 -Release: %{?prever:0.}3%{?prever:.%{prever}}%{anolis_release}%{?dist} +Release: %{?prever:0.}3%{?prever:.%{prever}}%{anolis_release}%{?dist}.1 License: GPLv2 Url: https://libreswan.org/ Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz @@ -43,6 +43,11 @@ Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 %endif Patch0: libreswan-4.6-openssl3.patch Patch1: libreswan-4.6-ikev1-policy-defaults-to-drop.patch +Patch2: libreswan-4.6-ikev1-aggr.patch + +#Add by Anolis +Patch1000: 0001-libreswan-anolis-rebrand-to-anolis.patch +#End BuildRequires: audit-libs-devel BuildRequires: bison @@ -98,6 +103,9 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %setup -q -n libreswan-%{version}%{?prever} %patch0 -p1 -b .openssl3 %patch1 -p1 -b .ikev1-drop +%patch2 -p1 -b .ikev1-aggr + +%patch1000 -p1 # enable crypto-policies support sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in @@ -199,8 +207,11 @@ certutil -N -d sql:$tmpdir --empty-password %doc %{_mandir}/*/* %changelog -* Mon Dec 26 2022 Xiaoping Liu - 4.6-3.0.1 -- Rebuild for Anolis OS 8 +* Fri May 5 2023 yangxiaoxuan - 4.6-3.0.1.1 +- Rebrand to anolis + +* Fri Apr 21 2023 Daiki Ueno - 4.6-3.1 +- Resolves: rhbz#2187170 fix handling of IKEv1 aggressive mode packets * Wed Feb 2 2022 Daiki Ueno - 4.6-3 - Drop IKEv1 packets by default, based on the Debian patch