parent
28853dfc6b
commit
63c9ac352a
@ -0,0 +1,52 @@
|
||||
From 000b230258dd272ab15b384c330c31f996d0ba18 Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <dueno@redhat.com>
|
||||
Date: Fri, 14 Apr 2023 14:10:47 +0900
|
||||
Subject: [PATCH] Ignore system crypto-policies for SHA-1 for legacy
|
||||
authby=rsa-sha1
|
||||
|
||||
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
||||
---
|
||||
lib/libswan/pubkey_rsa.c | 24 ++++++++++++++++++++++++
|
||||
1 file changed, 24 insertions(+)
|
||||
|
||||
diff --git a/lib/libswan/pubkey_rsa.c b/lib/libswan/pubkey_rsa.c
|
||||
index 38b44ab61d..9a7c0bc6a8 100644
|
||||
--- a/lib/libswan/pubkey_rsa.c
|
||||
+++ b/lib/libswan/pubkey_rsa.c
|
||||
@@ -501,9 +501,33 @@ static struct hash_signature RSA_sign_hash_pkcs1_1_5_rsa(const struct secret_stu
|
||||
* used to generate the signature.
|
||||
*/
|
||||
SECItem signature_result = {0};
|
||||
+
|
||||
+ /* ignore system crypto-policies for the hash algorithm */
|
||||
+ PRUint32 saved_policy;
|
||||
+
|
||||
+ if (NSS_GetAlgorithmPolicy(hash_algo->nss.oid_tag, &saved_policy) != SECSuccess) {
|
||||
+ /* PR_GetError() returns the thread-local error */
|
||||
+ enum_buf tb;
|
||||
+ llog_nss_error(RC_LOG_SERIOUS, logger,
|
||||
+ "NSS_SetAlgorithmPolicy(%s) function failed",
|
||||
+ str_nss_oid(hash_algo->nss.oid_tag, &tb));
|
||||
+ return (struct hash_signature) { .len = 0, };
|
||||
+ }
|
||||
+
|
||||
+ if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) {
|
||||
+ (void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag,
|
||||
+ NSS_USE_ALG_IN_SIGNATURE, 0);
|
||||
+ }
|
||||
+
|
||||
SECStatus s = SGN_Digest(pks->u.pubkey.private_key,
|
||||
hash_algo->nss.oid_tag,
|
||||
&signature_result, &digest);
|
||||
+
|
||||
+ if (!(saved_policy & NSS_USE_ALG_IN_SIGNATURE)) {
|
||||
+ (void)NSS_SetAlgorithmPolicy(hash_algo->nss.oid_tag,
|
||||
+ saved_policy, ~saved_policy);
|
||||
+ }
|
||||
+
|
||||
if (s != SECSuccess) {
|
||||
/* PR_GetError() returns the thread-local error */
|
||||
enum_buf tb;
|
||||
--
|
||||
2.40.0
|
||||
|
@ -0,0 +1,84 @@
|
||||
From 7a6c217f47b1ae37e32b173dc6d3ea7fdb86d532 Mon Sep 17 00:00:00 2001
|
||||
From: Paul Wouters <paul.wouters@aiven.io>
|
||||
Date: Tue, 28 Feb 2023 11:24:22 -0500
|
||||
Subject: [PATCH 1/2] pluto: abort processing corrupt TS payloads
|
||||
CVE-2023-23009
|
||||
|
||||
Latest updates on this issue at https://libreswan.org/security/CVE-2023-23009
|
||||
---
|
||||
programs/pluto/ikev2_ts.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/programs/pluto/ikev2_ts.c b/programs/pluto/ikev2_ts.c
|
||||
index 3f7519ca38..f06c40ba46 100644
|
||||
--- a/programs/pluto/ikev2_ts.c
|
||||
+++ b/programs/pluto/ikev2_ts.c
|
||||
@@ -437,6 +437,11 @@ static bool v2_parse_tss(struct payload_digest *const ts_pd,
|
||||
d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc,
|
||||
&ts_h, sizeof(ts_h), &ts_body_pbs);
|
||||
|
||||
+ if (d != NULL) {
|
||||
+ llog_diag(RC_LOG, logger, &d, "%s", "");
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
switch (ts_h.isath_type) {
|
||||
case IKEv2_TS_IPV4_ADDR_RANGE:
|
||||
case IKEv2_TS_IPV6_ADDR_RANGE:
|
||||
--
|
||||
2.39.2
|
||||
|
||||
|
||||
From 52c19ccc9455ccd91fa4946b09f8e11222f1c923 Mon Sep 17 00:00:00 2001
|
||||
From: Andrew Cagney <cagney@gnu.org>
|
||||
Date: Tue, 28 Feb 2023 14:10:44 -0500
|
||||
Subject: [PATCH 2/2] ikev1: only clean up a connection when it isn't deleted
|
||||
|
||||
fix #1018 reported by Wolfgang.
|
||||
see also ecb9c88910df1fb070488835bf3180096f3ccba3:
|
||||
IKEv1: Remove all IPsec SA's of a connection when newest SA is removed.
|
||||
---
|
||||
programs/pluto/ikev1_main.c | 14 ++++++++++----
|
||||
1 file changed, 10 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/programs/pluto/ikev1_main.c b/programs/pluto/ikev1_main.c
|
||||
index a616c5ccf3..21765d4002 100644
|
||||
--- a/programs/pluto/ikev1_main.c
|
||||
+++ b/programs/pluto/ikev1_main.c
|
||||
@@ -2130,15 +2130,16 @@ bool accept_delete(struct msg_digest *md,
|
||||
ntohl(spi));
|
||||
}
|
||||
|
||||
- struct connection *rc = dst->st_connection;
|
||||
+ /* save for post delete_state() code */
|
||||
+ co_serial_t rc_serialno = dst->st_connection->serialno;
|
||||
|
||||
if (nat_traversal_enabled && dst->st_connection->ikev1_natt != NATT_NONE) {
|
||||
nat_traversal_change_port_lookup(md, dst);
|
||||
v1_maybe_natify_initiator_endpoints(st, HERE);
|
||||
}
|
||||
|
||||
- if (rc->newest_ipsec_sa == dst->st_serialno &&
|
||||
- (rc->policy & POLICY_UP)) {
|
||||
+ if (dst->st_connection->newest_ipsec_sa == dst->st_serialno &&
|
||||
+ (dst->st_connection->policy & POLICY_UP)) {
|
||||
/*
|
||||
* Last IPsec SA for a permanent
|
||||
* connection that we have initiated.
|
||||
@@ -2162,7 +2163,12 @@ bool accept_delete(struct msg_digest *md,
|
||||
md->v1_st = NULL;
|
||||
}
|
||||
|
||||
- if (rc->newest_ipsec_sa == SOS_NOBODY) {
|
||||
+ /*
|
||||
+ * Either .newest_ipsec_sa matches DST
|
||||
+ * and is cleared, or was never set.
|
||||
+ */
|
||||
+ struct connection *rc = connection_by_serialno(rc_serialno);
|
||||
+ if (rc != NULL && rc->newest_ipsec_sa == SOS_NOBODY) {
|
||||
dbg("%s() connection '%s' -POLICY_UP", __func__, rc->name);
|
||||
rc->policy &= ~POLICY_UP;
|
||||
if (!shared_phase1_connection(rc)) {
|
||||
--
|
||||
2.39.2
|
||||
|
Loading…
Reference in new issue