From f0f4f467e14243784a55a4b7edbf056e66c8a7ae Mon Sep 17 00:00:00 2001 From: Renbo Date: Tue, 5 Dec 2023 17:17:35 +0800 Subject: [PATCH 1/2] update to libreswan-4.12-2 Signed-off-by: Renbo --- dist | 2 +- download | 2 +- libreswan-4.9-cve-2023-23009.patch | 84 ------------------- libreswan-4.9-cve-2023-30570.patch | 129 ----------------------------- libreswan.spec | 30 +++---- 5 files changed, 13 insertions(+), 234 deletions(-) delete mode 100644 libreswan-4.9-cve-2023-23009.patch delete mode 100644 libreswan-4.9-cve-2023-30570.patch diff --git a/dist b/dist index 5aa45c5..9c0e36e 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an8_8 +an8 diff --git a/download b/download index 6622691..c71d9f7 100644 --- a/download +++ b/download @@ -1 +1 @@ -584ee91ace5208db1a517b4c8e7a3971 libreswan-4.9.tar.gz +a8dea4d464e1cc58a25cb00fa0298fc4 libreswan-4.12.tar.gz diff --git a/libreswan-4.9-cve-2023-23009.patch b/libreswan-4.9-cve-2023-23009.patch deleted file mode 100644 index bbcf25e..0000000 --- a/libreswan-4.9-cve-2023-23009.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 7a6c217f47b1ae37e32b173dc6d3ea7fdb86d532 Mon Sep 17 00:00:00 2001 -From: Paul Wouters -Date: Tue, 28 Feb 2023 11:24:22 -0500 -Subject: [PATCH 1/2] pluto: abort processing corrupt TS payloads - CVE-2023-23009 - -Latest updates on this issue at https://libreswan.org/security/CVE-2023-23009 ---- - programs/pluto/ikev2_ts.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c -index 3f7519ca38..f06c40ba46 100644 ---- a/programs/pluto/ikev2_ts.c -+++ b/programs/pluto/ikev2_ts.c -@@ -437,6 +437,11 @@ static bool v2_parse_tss(struct payload_digest *const ts_pd, - d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc, - &ts_h, sizeof(ts_h), &ts_body_pbs); - -+ if (d != NULL) { -+ llog_diag(RC_LOG, logger, &d, "%s", ""); -+ return false; -+ } -+ - switch (ts_h.isath_type) { - case IKEv2_TS_IPV4_ADDR_RANGE: - case IKEv2_TS_IPV6_ADDR_RANGE: --- -2.39.2 - - -From 52c19ccc9455ccd91fa4946b09f8e11222f1c923 Mon Sep 17 00:00:00 2001 -From: Andrew Cagney -Date: Tue, 28 Feb 2023 14:10:44 -0500 -Subject: [PATCH 2/2] ikev1: only clean up a connection when it isn't deleted - -fix #1018 reported by Wolfgang. -see also ecb9c88910df1fb070488835bf3180096f3ccba3: -IKEv1: Remove all IPsec SA's of a connection when newest SA is removed. ---- - programs/pluto/ikev1_main.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/programs/pluto/ikev1_main.c b/programs/pluto/ikev1_main.c -index a616c5ccf3..21765d4002 100644 ---- a/programs/pluto/ikev1_main.c -+++ b/programs/pluto/ikev1_main.c -@@ -2130,15 +2130,16 @@ bool accept_delete(struct msg_digest *md, - ntohl(spi)); - } - -- struct connection *rc = dst->st_connection; -+ /* save for post delete_state() code */ -+ co_serial_t rc_serialno = dst->st_connection->serialno; - - if (nat_traversal_enabled && dst->st_connection->ikev1_natt != NATT_NONE) { - nat_traversal_change_port_lookup(md, dst); - v1_maybe_natify_initiator_endpoints(st, HERE); - } - -- if (rc->newest_ipsec_sa == dst->st_serialno && -- (rc->policy & POLICY_UP)) { -+ if (dst->st_connection->newest_ipsec_sa == dst->st_serialno && -+ (dst->st_connection->policy & POLICY_UP)) { - /* - * Last IPsec SA for a permanent - * connection that we have initiated. -@@ -2162,7 +2163,12 @@ bool accept_delete(struct msg_digest *md, - md->v1_st = NULL; - } - -- if (rc->newest_ipsec_sa == SOS_NOBODY) { -+ /* -+ * Either .newest_ipsec_sa matches DST -+ * and is cleared, or was never set. -+ */ -+ struct connection *rc = connection_by_serialno(rc_serialno); -+ if (rc != NULL && rc->newest_ipsec_sa == SOS_NOBODY) { - dbg("%s() connection '%s' -POLICY_UP", __func__, rc->name); - rc->policy &= ~POLICY_UP; - if (!shared_phase1_connection(rc)) { --- -2.39.2 - diff --git a/libreswan-4.9-cve-2023-30570.patch b/libreswan-4.9-cve-2023-30570.patch deleted file mode 100644 index d175506..0000000 --- a/libreswan-4.9-cve-2023-30570.patch +++ /dev/null @@ -1,129 +0,0 @@ -diff --git a/programs/pluto/ikev1.c b/programs/pluto/ikev1.c -index e0615323ed..401618b6dd 100644 ---- a/programs/pluto/ikev1.c -+++ b/programs/pluto/ikev1.c -@@ -1101,10 +1101,20 @@ void process_v1_packet(struct msg_digest *md) - struct state *st = NULL; - enum state_kind from_state = STATE_UNDEFINED; /* state we started in */ - -+ /* -+ * For the initial responses, don't leak the responder's SPI. -+ * Hence the use of send_v1_notification_from_md(). -+ * -+ * AGGR mode is a mess in that the R0->R1 transition happens -+ * well before the transition succeeds. -+ */ - #define SEND_NOTIFICATION(t) \ - { \ - pstats(ikev1_sent_notifies_e, t); \ -- if (st != NULL) \ -+ if (st != NULL && \ -+ st->st_state->kind != STATE_AGGR_R0 && \ -+ st->st_state->kind != STATE_AGGR_R1 && \ -+ st->st_state->kind != STATE_MAIN_R0) \ - send_v1_notification_from_state(st, from_state, t); \ - else \ - send_v1_notification_from_md(md, t); \ -@@ -1168,17 +1178,26 @@ void process_v1_packet(struct msg_digest *md) - from_state = (md->hdr.isa_xchg == ISAKMP_XCHG_IDPROT ? - STATE_MAIN_R0 : STATE_AGGR_R0); - } else { -- /* not an initial message */ -+ /* -+ * Possibly not an initial message. Possibly -+ * from initiator. Possibly from responder. -+ * -+ * Possibly. Which is probably hopeless. -+ */ - - st = find_state_ikev1(&md->hdr.isa_ike_spis, - md->hdr.isa_msgid); - - if (st == NULL) { - /* -- * perhaps this is a first message -+ * Perhaps this is a first message - * from the responder and contains a - * responder cookie that we've not yet - * seen. -+ * -+ * Perhaps this is a random message -+ * with a bogus non-zero responder IKE -+ * SPI. - */ - st = find_state_ikev1_init(&md->hdr.isa_ike_initiator_spi, - md->hdr.isa_msgid); -@@ -1189,6 +1208,21 @@ void process_v1_packet(struct msg_digest *md) - /* XXX Could send notification back */ - return; - } -+ if (st->st_state->kind == STATE_AGGR_R0) { -+ /* -+ * The only way for this to -+ * happen is for the attacker -+ * to guess the responder's -+ * IKE SPI that hasn't been -+ * sent over the wire? -+ * -+ * Well that or played 1/2^32 -+ * odds. -+ */ -+ llog_pexpect(md->md_logger, HERE, -+ "phase 1 message matching AGGR_R0 state"); -+ return; -+ } - } - from_state = st->st_state->kind; - } -@@ -2870,7 +2904,28 @@ void complete_v1_state_transition(struct state *st, struct msg_digest *md, stf_s - delete_state(st); - /* wipe out dangling pointer to st */ - md->v1_st = NULL; -+ } else if (st->st_state->kind == STATE_AGGR_R0 || -+ st->st_state->kind == STATE_AGGR_R1 || -+ st->st_state->kind == STATE_MAIN_R0) { -+ /* -+ * -+ * Wipe out the incomplete larval state. -+ * -+ * ARGH! In <=v4.10, the aggr code flipped the -+ * larval state to R1 right at the start of -+ * the transition and not the end, so using -+ * state to figure things out is close to -+ * useless. -+ * -+ * Deleting the state means that pluto has no -+ * way to detect and ignore amplification -+ * attacks. -+ */ -+ delete_state(st); -+ /* wipe out dangling pointer to st */ -+ md->v1_st = NULL; - } -+ - break; - } - } -diff --git a/programs/pluto/ikev1_aggr.c b/programs/pluto/ikev1_aggr.c -index 2732951beb..87be80cb6c 100644 ---- a/programs/pluto/ikev1_aggr.c -+++ b/programs/pluto/ikev1_aggr.c -@@ -169,7 +169,7 @@ stf_status aggr_inI1_outR1(struct state *null_st UNUSED, - /* Set up state */ - struct ike_sa *ike = new_v1_rstate(c, md); - md->v1_st = &ike->sa; /* (caller will reset cur_state) */ -- change_v1_state(&ike->sa, STATE_AGGR_R1); -+ change_v1_state(&ike->sa, STATE_AGGR_R0); - - /* - * Warn when peer is expected to use especially dangerous -@@ -197,7 +197,8 @@ stf_status aggr_inI1_outR1(struct state *null_st UNUSED, - - if (!v1_decode_certs(md)) { - llog_sa(RC_LOG, ike, "X509: CERT payload bogus or revoked"); -- return false; -+ /* XXX notification is in order! */ -+ return STF_FAIL_v1N + v1N_INVALID_ID_INFORMATION; - } - - /* diff --git a/libreswan.spec b/libreswan.spec index f50c3c5..ec97748 100644 --- a/libreswan.spec +++ b/libreswan.spec @@ -36,8 +36,8 @@ Name: libreswan Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols # version is generated in the release script -Version: 4.9 -Release: %{?prever:0.}3%{?prever:.%{prever}}%{?dist} +Version: 4.12 +Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist} License: GPLv2 Url: https://libreswan.org/ @@ -52,9 +52,7 @@ Patch1: libreswan-4.3-maintain-different-v1v2-split.patch Patch2: libreswan-3.32-1861360-nodefault-rsa-pss.patch Patch3: libreswan-4.1-maintain-obsolete-keywords.patch Patch6: libreswan-4.3-1934186-config.patch -Patch7: libreswan-4.9-cve-2023-23009.patch -Patch8: libreswan-4.9-2176248-authby-rsasig.patch -Patch9: libreswan-4.9-cve-2023-30570.patch +Patch7: libreswan-4.9-2176248-authby-rsasig.patch BuildRequires: audit-libs-devel BuildRequires: bison @@ -114,8 +112,6 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %patch3 -p1 %patch6 -p1 %patch7 -p1 -%patch8 -p1 -%patch9 -p1 # linking to freebl is not needed sed -i "s/-lfreebl //" mk/config.mk @@ -219,20 +215,16 @@ certutil -N -d sql:$tmpdir --empty-password %attr(0644,root,root) %doc %{_mandir}/*/* %changelog -* Fri May 05 2023 Sahana Prasad - 4.9-3 -- Fix CVE-2023-30570: Malicious IKEv1 Aggressive Mode packets can crash - libreswan -- Resolves: rhbz#2187179 - -* Tue Apr 25 2023 Daiki Ueno - 4.9-2.2 -- Update libreswan-4.9-2176248-authby-rsasig.patch +* Fri Aug 25 2023 Daiki Ueno - 4.12-2 +- Resolves: rhbz#2234731 authby=rsasig fails in FIPS policy -* Fri Apr 14 2023 Daiki Ueno - 4.9-2.1 -- Resolves: rhbz#2187647 authby=rsasig fails in FIPS policy +* Wed Aug 9 2023 Daiki Ueno - 4.12-1 +- Update to 4.12 to fix CVE-2023-38710, CVE-2023-38711, CVE-2023-38712 +- Resolves: rhbz#2215955 -* Tue Apr 4 2023 Daiki Ueno - 4.9-2 -- Fix CVE-2023-23009: remote DoS via crafted TS payload with an - incorrect selector length (rhbz#2186127) +* Thu May 04 2023 Sahana Prasad - 4.9-2 +- Fix CVE-2023-30570 Malicious IKEv1 Aggressive Mode packets can crash libreswan +- Resolves: rhbz#2187179 * Mon Jan 9 2023 Daiki Ueno - 4.9-1 - Resolves: rhbz#2128672 Rebase libreswan to 4.9 -- Gitee From e4c9e127518423980aaedfeed29c63231ee568aa Mon Sep 17 00:00:00 2001 From: "yangxiaoxuan@openanolis.org" Date: Mon, 21 Jun 2021 23:08:28 +0800 Subject: [PATCH 2/2] rebrand: rebrand to anolis Signed-off-by: yangxiaoxuan@openanolis.org Signed-off-by: hongwei-qin --- 0001-libreswan-anolis-rebrand-to-anolis.patch | 87 +++++++++++++++++++ libreswan.spec | 11 ++- 2 files changed, 97 insertions(+), 1 deletion(-) create mode 100644 0001-libreswan-anolis-rebrand-to-anolis.patch diff --git a/0001-libreswan-anolis-rebrand-to-anolis.patch b/0001-libreswan-anolis-rebrand-to-anolis.patch new file mode 100644 index 0000000..d8c4d71 --- /dev/null +++ b/0001-libreswan-anolis-rebrand-to-anolis.patch @@ -0,0 +1,87 @@ +From c0ae1f9070d386036a793d3e8eac7a787e7017a0 Mon Sep 17 00:00:00 2001 +From: "yangxiaoxuan@openanolis.org" +Date: Mon, 21 Jun 2021 22:48:03 +0800 +Subject: [PATCH] libreswan anolis rebrand to anolis + +--- + Makefile | 2 +- + mk/defaults/linux.mk | 2 +- + programs/barf/barf.in | 2 +- + testing/guestbin/docker-transmogrify | 8 +++++--- + 4 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/Makefile b/Makefile +index db230d4..bafddc2 100644 +--- a/Makefile ++++ b/Makefile +@@ -27,7 +27,7 @@ include ${LIBRESWANSRCDIR}/Makefile.inc + MAIN_RPM_VERSION = $(shell make showversion | sed "s/-.*//") + MAIN_RPM_PREVER = $(shell make showversion | sed -e "s/^.[^-]*-\([^-]*\)-\(.*\)/rc\1_\2/" -e "s/-/_/g") + MAIN_RPM_PREFIX = libreswan-$(MAIN_RPM_VERSION)$(MAIN_RPM_PREVER) +-MAIN_RPM_RHEL_PKG = $(shell rpm -qf /etc/redhat-release) ++MAIN_RPM_RHEL_PKG = $(shell rpm -qf /etc/anolis-release) + MAIN_RPM_RHEL_VERSION = $(shell echo $(MAIN_RPM_RHEL_PKG) | sed "s/.*-release-\(.\).*/\1/") + MAIN_RPM_SPECFILE = $(shell if [ -f /etc/fedora-release ]; then echo packaging/fedora/libreswan.spec; elif [ -n "$(MAIN_RPM_RHEL_VERSION)" ]; then echo packaging/rhel/$(MAIN_RPM_RHEL_VERSION)/libreswan.spec; else echo "unknown distro, cannot find spec file to use in packaging directory"; fi) + RHEL_LIKE= $(shell cat /etc/os-release | grep ID_LIKE | sed -e "s/ID_LIKE=//" -e 's/"//g' -e "s/ .*//") +diff --git a/mk/defaults/linux.mk b/mk/defaults/linux.mk +index c286a7d..56a3e20 100644 +--- a/mk/defaults/linux.mk ++++ b/mk/defaults/linux.mk +@@ -131,7 +131,7 @@ ifndef INITSYSTEM + ifndef INITSYSTEM + ifneq ($(and $(wildcard /lib/systemd/systemd),$(wildcard /run/systemd)),) + INITSYSTEM=systemd +- else ifneq ($(and $(wildcard /sbin/start),$(wildcard /etc/redhat-release)),) ++ else ifneq ($(and $(wildcard /sbin/start),$(wildcard /etc/anolis-release)),) + # override for rhel/centos to use sysvinit + INITSYSTEM=sysvinit + else ifneq ($(wildcard /sbin/start),) +diff --git a/programs/barf/barf.in b/programs/barf/barf.in +index e76c62f..7a7a61a 100755 +--- a/programs/barf/barf.in ++++ b/programs/barf/barf.in +@@ -248,7 +248,7 @@ if [ -r /proc/config_built_with ]; then + cat /proc/config_built_with + fi + _________________________ distro-release +-for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release ++for distro in /etc/redhat-release /etc/anolis-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release + do + if [ -f ${distro} ]; then + cat ${distro} +diff --git a/testing/guestbin/docker-transmogrify b/testing/guestbin/docker-transmogrify +index 0afa1f1..4dc7539 100755 +--- a/testing/guestbin/docker-transmogrify ++++ b/testing/guestbin/docker-transmogrify +@@ -34,7 +34,9 @@ macs['sunset'] = "12:00:00:ab:cd:01" + # conflicts with north + #macs['japan'] = "12:00:00:ab:cd:02" + +-if os.path.isfile("/etc/redhat-release"): ++if os.path.isfile("/etc/anolis-release"): ++ GUESTOS = "anolis" ++elif os.path.isfile("/etc/redhat-release"): + GUESTOS = "redhat" + elif os.path.isfile("/etc/debian_version"): + GUESTOS = "debian" +@@ -136,7 +138,7 @@ else: + if os.path.isfile(hostname_file): + shutil.copyfile(hostname_file, "/etc/hostname") + +-if GUESTOS == "redhat": ++if GUESTOS == "anolis": + + # these files are needed for systemd-networkd too + fnames = glob.glob("/testing/baseconfigs/all/etc/sysconfig/*") +@@ -216,7 +218,7 @@ for dbfile in glob.glob("/etc/ipsec.d/*.db"): + os.chmod(dbfile, 0o600) + + # SElinux fixup +-if GUESTOS == "redhat": ++if GUESTOS == "anolis": + output += "\n" + subprocess.getoutput("restorecon -R /etc/") + + # selinux does not like our /testing include files +-- +2.18.4 + diff --git a/libreswan.spec b/libreswan.spec index ec97748..568f35d 100644 --- a/libreswan.spec +++ b/libreswan.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 %global _hardened_build 1 # These are rpm macros and are 0 or 1 %global with_efence 0 @@ -37,7 +38,7 @@ Name: libreswan Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols # version is generated in the release script Version: 4.12 -Release: %{?prever:0.}2%{?prever:.%{prever}}%{?dist} +Release: %{?prever:0.}2%{?prever:.%{prever}}%{anolis_release}%{?dist} License: GPLv2 Url: https://libreswan.org/ @@ -54,6 +55,10 @@ Patch3: libreswan-4.1-maintain-obsolete-keywords.patch Patch6: libreswan-4.3-1934186-config.patch Patch7: libreswan-4.9-2176248-authby-rsasig.patch +#Add by Anolis +Patch1000: 0001-libreswan-anolis-rebrand-to-anolis.patch +#End + BuildRequires: audit-libs-devel BuildRequires: bison BuildRequires: curl-devel @@ -112,6 +117,7 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %patch3 -p1 %patch6 -p1 %patch7 -p1 +%patch1000 -p1 # linking to freebl is not needed sed -i "s/-lfreebl //" mk/config.mk @@ -215,6 +221,9 @@ certutil -N -d sql:$tmpdir --empty-password %attr(0644,root,root) %doc %{_mandir}/*/* %changelog +* Wed Dec 06 2023 yangxiaoxuan - 4.12-2.0.1 +- Rebrand to anolis + * Fri Aug 25 2023 Daiki Ueno - 4.12-2 - Resolves: rhbz#2234731 authby=rsasig fails in FIPS policy -- Gitee