diff --git a/download b/download
index 8462b62690925457c86baf646fd28cd800a707fd..66226917ea182f5327e5f29969c586f834709c82 100644
--- a/download
+++ b/download
@@ -1,4 +1 @@
-3c6f2ab474534ead7abec57c9484ea75 libreswan-4.6.tar.gz
-d8b493de7179635a6ed2a4d0e1b35282 ikev1_dsa.fax.bz2
-c4fe7041300e6c21f4561ce818b5002f ikev1_psk.fax.bz2
-7716c48a1a2b17ba25e89b79889d4004 ikev2.fax.bz2
+584ee91ace5208db1a517b4c8e7a3971 libreswan-4.9.tar.gz
diff --git a/ikev1_dsa.fax.bz2 b/ikev1_dsa.fax.bz2
new file mode 100644
index 0000000000000000000000000000000000000000..eb1c5d87f4a5d3f70c32961756c138a1ee1f5956
Binary files /dev/null and b/ikev1_dsa.fax.bz2 differ
diff --git a/ikev1_psk.fax.bz2 b/ikev1_psk.fax.bz2
new file mode 100644
index 0000000000000000000000000000000000000000..7f29d6c04dd1223768b4e79ad57ab83bc97bf8ae
Binary files /dev/null and b/ikev1_psk.fax.bz2 differ
diff --git a/ikev2.fax.bz2 b/ikev2.fax.bz2
new file mode 100644
index 0000000000000000000000000000000000000000..1f9f433e1334cf5d514d1dc5051d7fbdd8545bdb
Binary files /dev/null and b/ikev2.fax.bz2 differ
diff --git a/libreswan-4.6-ikev1-policy-defaults-to-drop.patch b/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
index ebcb2e004d2fb332b18a397d71f1b2b1c5d304b4..40073d5c0e973daa71f3de55610301b79b872ce8 100644
--- a/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
+++ b/libreswan-4.6-ikev1-policy-defaults-to-drop.patch
@@ -58,23 +58,6 @@ index 5b5aba723f..68fbccf442 100644 #ifdef HAVE_LABELED_IPSEC SOPT(KBF_SECCTX, SECCTX); -diff --git a/programs/pluto/server.c b/programs/pluto/server.c -index 665f0ed8b9..448dbca076 100644 ---- a/programs/pluto/server.c -+++ b/programs/pluto/server.c -@@ -188,12 +188,7 @@ bool pluto_listen_tcp = false; - enum ddos_mode pluto_ddos_mode = DDOS_AUTO; /* default to auto-detect */ - - enum global_ikev1_policy pluto_ikev1_pol = --#ifdef USE_IKEv1 -- GLOBAL_IKEv1_ACCEPT; --#else -- /* there is no IKEv1 code compiled in to send a REJECT */ - GLOBAL_IKEv1_DROP; --#endif - - #ifdef HAVE_SECCOMP - enum seccomp_mode pluto_seccomp_mode = SECCOMP_DISABLED; -- 2.34.1 diff --git a/libreswan-4.6-openssl3.patch b/libreswan-4.6-openssl3.patch deleted file mode 100644 index a5e0f9d3aae797b8a1a3b7399dd526db7f79a427..0000000000000000000000000000000000000000 --- a/libreswan-4.6-openssl3.patch +++ /dev/null 
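Review bot: Removing the `programs/pluto/server.c` hunk from this carried patch drops the compiled-in `GLOBAL_IKEv1_DROP` default for `pluto_ikev1_pol`, so on 4.9 the built-in default is whatever upstream ships; the surviving part of the patch (the `SOPT(KBF_SECCTX, SECCTX)` context suggests only the config-reading side remains) does not restore it. Confirm against the 4.9 `server.c` that upstream now initialises `pluto_ikev1_pol` to drop, otherwise the 4.6-3 changelog promise "Drop IKEv1 packets by default" no longer holds for hosts without an explicit `ikev1-policy=` in `config setup`. Either way a one-line note in the patch header such as `server.c hunk dropped: libreswan 4.9 already defaults pluto_ikev1_pol to GLOBAL_IKEv1_DROP (verified against upstream)` would record why this hunk disappeared. The patch's description header is outside this hunk.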
@@ -1,52 +0,0 @@
-From 0212bc6a7c0ac3aa5d8da82bf22132993d339ffc Mon Sep 17 00:00:00 2001
-From: Paul Wouters
-Date: Thu, 13 Jan 2022 15:31:50 -0500
-Subject: [PATCH] building: fix fedora rawhide build
-
-Avoid clashing openssl/nss headers
-
-Patch based on work by Daiki Ueno
-
-Resolves: https://github.com/libreswan/libreswan/pull/611
----
- programs/pluto/ikev2_ipseckey.h | 4 ++--
- programs/pluto/ikev2_ipseckey_dnsr.c | 4 +++-
- 2 files changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/programs/pluto/ikev2_ipseckey.h b/programs/pluto/ikev2_ipseckey.h
-index 243e5b1776..5ef3f966ec 100644
---- a/programs/pluto/ikev2_ipseckey.h
-+++ b/programs/pluto/ikev2_ipseckey.h
-@@ -1,5 +1,3 @@
--#include "state.h"
--
- #ifndef _IKEV2_IPSECKEY_H
- #define _IKEV2_IPSECKEY_H
- 
-@@ -11,6 +9,8 @@
- 
- #define IS_LIBUNBOUND LSW_LIBUNBOUND_ENABLED
- 
-+struct ike_sa;
-+
- typedef enum {
- DNS_OK = STF_OK,
- DNS_FATAL = STF_FATAL,
-diff --git a/programs/pluto/ikev2_ipseckey_dnsr.c b/programs/pluto/ikev2_ipseckey_dnsr.c
-index b07ed72f2b..09767bf65d 100644
---- a/programs/pluto/ikev2_ipseckey_dnsr.c
-+++ b/programs/pluto/ikev2_ipseckey_dnsr.c
-@@ -32,7 +32,9 @@
- #include "dnssec.h" /* includes unbound.h */
- #include "ikev2_ipseckey.h" /* for dns_status */
- #include "ikev2_ipseckey_dnsr.h"
--#include "secrets.h"
-+
-+/* Do not include secrets.h as it will cause conflicts via NSS/OPENSSL headers */
-+extern const struct pubkey_type pubkey_type_rsa;
- 
- struct p_dns_req *pluto_dns_list = NULL; /* DNS queries linked list */
- 
--- 
-2.31.1
-
diff --git a/libreswan-4.9-cve-2023-23009.patch b/libreswan-4.9-cve-2023-23009.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bbcf25ef9466d5c94112a38ed125e31d02acadb0
--- /dev/null
+++ b/libreswan-4.9-cve-2023-23009.patch
@@ -0,0 +1,84 @@
+From 7a6c217f47b1ae37e32b173dc6d3ea7fdb86d532 Mon Sep 17 00:00:00 2001
+From: Paul Wouters
+Date: Tue, 28 Feb 2023 11:24:22 -0500
+Subject: [PATCH 1/2] pluto: abort processing corrupt TS payloads
+ CVE-2023-23009
+
+Latest updates on this issue at https://libreswan.org/security/CVE-2023-23009
+---
+ programs/pluto/ikev2_ts.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c
+index 3f7519ca38..f06c40ba46 100644
+--- a/programs/pluto/ikev2_ts.c
++++ b/programs/pluto/ikev2_ts.c
+@@ -437,6 +437,11 @@ static bool v2_parse_tss(struct payload_digest *const ts_pd,
+ d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc,
+ &ts_h, sizeof(ts_h), &ts_body_pbs);
+ 
++ if (d != NULL) {
++ llog_diag(RC_LOG, logger, &d, "%s", "");
++ return false;
++ }
++
+ switch (ts_h.isath_type) {
+ case IKEv2_TS_IPV4_ADDR_RANGE:
+ case IKEv2_TS_IPV6_ADDR_RANGE:
+-- 
+2.39.2
+
+
+From 52c19ccc9455ccd91fa4946b09f8e11222f1c923 Mon Sep 17 00:00:00 2001
+From: Andrew Cagney
+Date: Tue, 28 Feb 2023 14:10:44 -0500
+Subject: [PATCH 2/2] ikev1: only clean up a connection when it isn't deleted
+
+fix #1018 reported by Wolfgang.
+see also ecb9c88910df1fb070488835bf3180096f3ccba3:
+IKEv1: Remove all IPsec SA's of a connection when newest SA is removed.
+---
+ programs/pluto/ikev1_main.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/programs/pluto/ikev1_main.c b/programs/pluto/ikev1_main.c
+index a616c5ccf3..21765d4002 100644
+--- a/programs/pluto/ikev1_main.c
++++ b/programs/pluto/ikev1_main.c
+@@ -2130,15 +2130,16 @@ bool accept_delete(struct msg_digest *md,
+ ntohl(spi));
+ }
+ 
+- struct connection *rc = dst->st_connection;
++ /* save for post delete_state() code */
++ co_serial_t rc_serialno = dst->st_connection->serialno;
+ 
+ if (nat_traversal_enabled && dst->st_connection->ikev1_natt != NATT_NONE) {
+ nat_traversal_change_port_lookup(md, dst);
+ v1_maybe_natify_initiator_endpoints(st, HERE);
+ }
+ 
+- if (rc->newest_ipsec_sa == dst->st_serialno &&
+- (rc->policy & POLICY_UP)) {
++ if (dst->st_connection->newest_ipsec_sa == dst->st_serialno &&
++ (dst->st_connection->policy & POLICY_UP)) {
+ /*
+ * Last IPsec SA for a permanent
+ * connection that we have initiated.
+@@ -2162,7 +2163,12 @@ bool accept_delete(struct msg_digest *md,
+ md->v1_st = NULL;
+ }
+ 
+- if (rc->newest_ipsec_sa == SOS_NOBODY) {
++ /*
++ * Either .newest_ipsec_sa matches DST
++ * and is cleared, or was never set.
++ */
++ struct connection *rc = connection_by_serialno(rc_serialno);
++ if (rc != NULL && rc->newest_ipsec_sa == SOS_NOBODY) {
+ dbg("%s() connection '%s' -POLICY_UP", __func__, rc->name);
+ rc->policy &= ~POLICY_UP;
+ if (!shared_phase1_connection(rc)) {
+-- 
+2.39.2
+
diff --git a/libreswan-4.6-ikev1-aggr.patch b/libreswan-4.9-cve-2023-30570.patch
similarity index 42%
rename from libreswan-4.6-ikev1-aggr.patch
rename to libreswan-4.9-cve-2023-30570.patch
index 3b76b5c73edbaadd7b0f0aaf7e3f9e2576ad0ebe..d175506c92dd082ec1bd09bdb1075c533403cb04 100644
--- a/libreswan-4.6-ikev1-aggr.patch
+++ b/libreswan-4.9-cve-2023-30570.patch
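Review bot: The new `if (d != NULL)` guard in `v2_parse_tss` (first embedded commit) carries no comment tying it to the CVE it fixes, and nothing in the hunk says why a failed `pbs_in_struct()` aborts the whole TS parse rather than skipping one selector; suggest `/* CVE-2023-23009: a malformed TS header must not reach the isath_type switch; abort the whole TS parse */` directly above it. In the second commit, `rc` is re-resolved through `connection_by_serialno(rc_serialno)` only after the block that may have run `delete_state()`, and the `rc != NULL` test covers the connection having gone away, which is the right shape; a short comment on the `rc_serialno` line saying that `dst->st_connection` must not be dereferenced once `dst` is deleted would make the serial-number detour obvious to the next reader. Both `v2_parse_tss` and `accept_delete` start and end outside these hunks.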
@@ -1,19 +1,8 @@ -From 35cf6a8ff4ebb6d163040ec8080eb9e6a2d3fcd9 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 18 Apr 2023 10:36:06 +0900 -Subject: [PATCH 1/2] Fix CVE-2023-30570 - -Signed-off-by: Daiki Ueno ---- - programs/pluto/ikev1.c | 61 +++++++++++++++++++++++++++++++++++-- - programs/pluto/ikev1_aggr.c | 5 +-- - 2 files changed, 61 insertions(+), 5 deletions(-) - diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c -index ebd0d8af9b..22e2a48cd9 100644 +index e0615323ed..401618b6dd 100644 --- a/programs/pluto/ikev1.c +++ b/programs/pluto/ikev1.c -@@ -1098,10 +1098,20 @@ void process_v1_packet(struct msg_digest *md) +@@ -1101,10 +1101,20 @@ void process_v1_packet(struct msg_digest *md) struct state *st = NULL; enum state_kind from_state = STATE_UNDEFINED; /* state we started in */ @@ -32,10 +21,10 @@ index ebd0d8af9b..22e2a48cd9 100644 + st->st_state->kind != STATE_AGGR_R0 && \ + st->st_state->kind != STATE_AGGR_R1 && \ + st->st_state->kind != STATE_MAIN_R0) \ - send_notification_from_state(st, from_state, t); \ + send_v1_notification_from_state(st, from_state, t); \ else \ - send_notification_from_md(md, t); \ -@@ -1165,17 +1175,26 @@ void process_v1_packet(struct msg_digest *md) + send_v1_notification_from_md(md, t); \ +@@ -1168,17 +1178,26 @@ void process_v1_packet(struct msg_digest *md) from_state = (md->hdr.isa_xchg == ISAKMP_XCHG_IDPROT ? STATE_MAIN_R0 : STATE_AGGR_R0); } else { @@ -64,7 +53,7 @@ index ebd0d8af9b..22e2a48cd9 100644 */ st = find_state_ikev1_init(&md->hdr.isa_ike_initiator_spi, md->hdr.isa_msgid); -@@ -1186,6 +1205,21 @@ void process_v1_packet(struct msg_digest *md) +@@ -1189,6 +1208,21 @@ void process_v1_packet(struct msg_digest *md) /* XXX Could send notification back */ return; } 
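Review bot: The rebase strips the format-patch header (`From 35cf6a8ff4ebb6d163040ec8080eb9e6a2d3fcd9`, the author, `Subject: [PATCH 1/2] Fix CVE-2023-30570`, diffstat), so the renamed file no longer records which upstream commit it carries, nor that the renamed calls in the later hunks (`send_v1_notification_from_state`, `change_v1_state`, `STF_FAIL_v1N + v1N_INVALID_ID_INFORMATION` in the hunks at `@@ -32,10` and `@@ -116,102`) are a port to the 4.9 API rather than upstream text. Keep a short preamble above the first `diff --git`, e.g. `Backport of upstream 35cf6a8ff4ebb6d163040ec8080eb9e6a2d3fcd9 (CVE-2023-30570) rebased onto 4.9; the --impair follow-up 59a25e2ecfe7cf5192f91a872d775e6ef2044478 is intentionally not carried.` The same point applies to the last hunk of this file, which drops that second commit entirely without saying so.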
@@ -86,7 +75,7 @@ index ebd0d8af9b..22e2a48cd9 100644 } from_state = st->st_state->kind; } -@@ -2904,7 +2938,28 @@ void complete_v1_state_transition(struct state *st, struct msg_digest *md, stf_s +@@ -2870,7 +2904,28 @@ void complete_v1_state_transition(struct state *st, struct msg_digest *md, stf_s delete_state(st); /* wipe out dangling pointer to st */ md->v1_st = NULL; @@ -116,102 +105,25 @@ index ebd0d8af9b..22e2a48cd9 100644 } } diff --git a/programs/pluto/ikev1_aggr.c b/programs/pluto/ikev1_aggr.c -index b533ebb482..7039327b70 100644 +index 2732951beb..87be80cb6c 100644 --- a/programs/pluto/ikev1_aggr.c 
+++ b/programs/pluto/ikev1_aggr.c -@@ -160,7 +160,7 @@ stf_status aggr_inI1_outR1(struct state *unused_st UNUSED, +@@ -169,7 +169,7 @@ stf_status aggr_inI1_outR1(struct state *null_st UNUSED, + /* Set up state */ struct ike_sa *ike = new_v1_rstate(c, md); - struct state *st = &ike->sa; - md->v1_st = st; /* (caller will reset cur_state) */ -- change_state(st, STATE_AGGR_R1); -+ change_state(st, STATE_AGGR_R0); + md->v1_st = &ike->sa; /* (caller will reset cur_state) */ +- change_v1_state(&ike->sa, STATE_AGGR_R1); ++ change_v1_state(&ike->sa, STATE_AGGR_R0); - /* warn for especially dangerous Aggressive Mode and PSK */ - if (LIN(POLICY_PSK, c->policy) && LIN(POLICY_AGGRESSIVE, c->policy)) { -@@ -177,7 +177,8 @@ stf_status aggr_inI1_outR1(struct state *unused_st UNUSED, + /* + * Warn when peer is expected to use especially dangerous +@@ -197,7 +197,8 @@ stf_status aggr_inI1_outR1(struct state *null_st UNUSED, if (!v1_decode_certs(md)) { - log_state(RC_LOG, st, "X509: CERT payload bogus or revoked"); + llog_sa(RC_LOG, ike, "X509: CERT payload bogus or revoked"); - return false; + /* XXX notification is in order! 
*/ -+ return STF_FAIL + INVALID_ID_INFORMATION; ++ return STF_FAIL_v1N + v1N_INVALID_ID_INFORMATION; } /* --- -2.39.2 - - -From 59a25e2ecfe7cf5192f91a872d775e6ef2044478 Mon Sep 17 00:00:00 2001 -From: Andrew Cagney -Date: Sat, 25 Mar 2023 19:40:52 -0400 -Subject: [PATCH 2/2] ikev1: add --impair - copy_v1_notify_response_SPIs_to_retransmission - ---- - include/impair.h | 2 ++ - lib/libswan/impair.c | 6 ++++++ - programs/pluto/ikev1.c | 10 ++++++++++ - 3 files changed, 18 insertions(+) - -diff --git a/include/impair.h b/include/impair.h -index 6b045b6125..9fb1ed1be5 100644 ---- a/include/impair.h -+++ b/include/impair.h -@@ -155,6 +155,8 @@ struct impair { - - bool event_check_crls; - -+ bool copy_v1_notify_response_SPIs_to_retransmission; -+ - /* - * add more here - */ -diff --git a/lib/libswan/impair.c b/lib/libswan/impair.c -index e4ab1f9b00..a6261451ce 100644 ---- a/lib/libswan/impair.c -+++ b/lib/libswan/impair.c -@@ -97,6 +97,8 @@ struct impairment impairments[] = { - - #define A(WHAT, ACTION, PARAM, HELP, UNSIGNED_HELP, ...) { .what = WHAT, .action = CALL_##ACTION, .param = PARAM, .help = HELP, .unsigned_help = UNSIGNED_HELP, ##__VA_ARGS__, } - #define V(WHAT, VALUE, HELP, ...) { .what = WHAT, .action = CALL_IMPAIR_UPDATE, .value = &impair.VALUE, .help = HELP, .sizeof_value = sizeof(impair.VALUE), ##__VA_ARGS__, } -+#define B(VALUE, HELP, ...) 
\ -+ { .what = #VALUE, .action = CALL_IMPAIR_UPDATE, .value = &impair.VALUE, .help = HELP, .sizeof_value = sizeof(impair.VALUE), ##__VA_ARGS__, } - - V("allow-dns-insecure", allow_dns_insecure, "allow IPSECKEY lookups without DNSSEC protection"), - V("allow-null-none", allow_null_none, "cause pluto to allow esp=null-none and ah=none for testing"), -@@ -202,6 +204,10 @@ struct impairment impairments[] = { - A("event-sa-replace", STATE_EVENT_HANDLER, EVENT_SA_REPLACE, - "trigger the replace event", "SA"), - -+ B(copy_v1_notify_response_SPIs_to_retransmission, -+ "copy SPIs in IKEv1 notify response to last sent packet and then retransmit"), -+ -+#undef B - #undef V - #undef A - -diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c -index 22e2a48cd9..91628e5a2c 100644 ---- a/programs/pluto/ikev1.c -+++ b/programs/pluto/ikev1.c -@@ -2240,6 +2240,16 @@ void process_packet_tail(struct msg_digest *md) - str_enum(& ikev1_notify_names, - p->payload.notification.isan_type, &b)); - } else { -+ if (impair.copy_v1_notify_response_SPIs_to_retransmission) { -+ ldbg(st->st_logger, "IMPAIR: copying notify response SPIs to recorded message and then resending it"); -+ /* skip non-ESP marker if needed */ -+ size_t skip = (st->st_interface->esp_encapsulation_enabled ? NON_ESP_MARKER_SIZE : 0); -+ size_t spis = sizeof(md->hdr.isa_ike_spis); -+ PASSERT(st->st_logger, st->st_v1_tpacket.len >= skip + spis); -+ memcpy(st->st_v1_tpacket.ptr + skip, &md->hdr.isa_ike_spis, spis); -+ resend_recorded_v1_ike_msg(st, "IMPAIR: retransmitting mangled packet"); -+ } -+ - enum_buf b; - LOG_PACKET(RC_LOG_SERIOUS, - "ignoring informational payload %s, msgid=%08" PRIx32 ", length=%d", --- -2.39.2 - diff --git a/libreswan.spec b/libreswan.spec index 6aeebba5d0749635561eb0ad29de783b5ddfd512..2cee677d95150b9d96aa3f4dea601ce6e1c02da6 100644 --- a/libreswan.spec +++ b/libreswan.spec 
@@ -31,8 +31,8 @@ Name: libreswan Summary: Internet Key Exchange (IKEv1 and IKEv2) implementation for IPsec # version is generated in the release script -Version: 4.6 -Release: %{?prever:0.}3%{?prever:.%{prever}}%{anolis_release}%{?dist}.1 +Version: 4.9 +Release: %{?prever:0.}4%{?prever:.%{prever}}%{anolis_release}%{?dist} License: GPLv2 Url: https://libreswan.org/ Source0: https://download.libreswan.org/%{?prever:development/}%{name}-%{version}%{?prever}.tar.gz @@ -41,9 +41,9 @@ Source1: https://download.libreswan.org/cavs/ikev1_dsa.fax.bz2 Source2: https://download.libreswan.org/cavs/ikev1_psk.fax.bz2 Source3: https://download.libreswan.org/cavs/ikev2.fax.bz2 %endif -Patch0: libreswan-4.6-openssl3.patch -Patch1: libreswan-4.6-ikev1-policy-defaults-to-drop.patch -Patch2: libreswan-4.6-ikev1-aggr.patch +Patch: libreswan-4.6-ikev1-policy-defaults-to-drop.patch +Patch: libreswan-4.9-cve-2023-23009.patch +Patch: libreswan-4.9-cve-2023-30570.patch #Add by Anolis Patch1000: 0001-libreswan-anolis-rebrand-to-anolis.patch @@ -101,13 +101,9 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %prep %setup -q -n libreswan-%{version}%{?prever} -%patch0 -p1 -b .openssl3 -%patch1 -p1 -b .ikev1-drop -%patch2 -p1 -b .ikev1-aggr - -%patch1000 -p1 # enable crypto-policies support sed -i "s:#[ ]*include \(.*\)\(/crypto-policies/back-ends/libreswan.config\)$:include \1\2:" configs/ipsec.conf.in +%autopatch -p1 %build make %{?_smp_mflags} \ 
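Review bot: `%autopatch -p1` now runs after the `sed -i` that enables crypto-policies in `configs/ipsec.conf.in`, whereas the removed `%patch0`–`%patch2` and `%patch1000` lines ran before it; if any carried patch, in particular the Anolis rebrand `Patch1000` that `%autopatch` now applies as well, touches `configs/ipsec.conf.in`, the build output changes. Moving `%autopatch -p1` to directly after `%setup -q -n libreswan-%{version}%{?prever}` preserves the previous order. Mixing unnumbered `Patch:` tags with `Patch1000:` also relies on rpm's automatic numbering to keep the rebrand patch last; presumably it does, but the apply order in the build log is worth checking once.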
@@ -207,11 +203,25 @@ certutil -N -d sql:$tmpdir --empty-password %doc %{_mandir}/*/* %changelog -* Fri May 5 2023 yangxiaoxuan - 4.6-3.0.1.1 +* Wed Jun 28 2023 yangxiaoxuan - 4.9-4.0.1 - Rebrand to anolis -* Fri Apr 21 2023 Daiki Ueno - 4.6-3.1 -- Resolves: rhbz#2187170 fix handling of IKEv1 aggressive mode packets +* Thu May 04 2023 Sahana Prasad - 4.9-4 +- Just bumping up the version as an incorrect 9.3 build was created. +- Related: rhbz#2187171 + +* Thu May 04 2023 Sahana Prasad - 4.9-3 +- Fix CVE-2023-30570:Malicious IKEv1 Aggressive Mode packets can crash + libreswan +- Resolves: rhbz#2187171 + +* Tue Apr 4 2023 Daiki Ueno - 4.9-2 +- Fix CVE-2023-23009: remote DoS via crafted TS payload with an + incorrect selector length (rhbz#2173674) + +* Wed Jan 4 2023 Daiki Ueno - 4.9-1 +- Update to 4.9. Resolves: rhbz#2128669 +- Switch to using %%autopatch as in Fedora * Wed Feb 2 2022 Daiki Ueno - 4.6-3 - Drop IKEv1 packets by default, based on the Debian patch