authorYves-Alexis Perez <corsac@debian.org>2015-04-11 22:16:05 +0200
committerYves-Alexis Perez <corsac@debian.org>2015-04-11 22:30:18 +0200
commitf209ca275064d416621d64cc4426369b16a1ea49 (patch)
treecbca04c3466ca7294aa127e6c50da17a3ade09f1
parent933453fef40b406404760c992830e487619be944 (diff)
CVE-2014-9221_modp_custom.patch dropped: the fix (upstream commit a78ecdd4, "crypto: Define MODP_CUSTOM outside of IKE DH range") is included in the 5.3.0 upstream release.
-rw-r--r--debian/changelog1
-rw-r--r--debian/patches/CVE-2014-9221_modp_custom.patch165
-rw-r--r--debian/patches/series1
3 files changed, 1 insertions, 166 deletions
diff --git a/debian/changelog b/debian/changelog
index 6138bbf40..88cc137ca 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ strongswan (5.3.0-1) UNRELEASED; urgency=medium
* debian/patches:
- 01_fix-manpages refreshed for new upstream release.
- 02_chunk-endianness dropped, included upstream.
+ - CVE-2014-9221_modp_custom dropped, included upstream.
-- Yves-Alexis Perez <corsac@debian.org> Sat, 11 Apr 2015 22:10:44 +0200
diff --git a/debian/patches/CVE-2014-9221_modp_custom.patch b/debian/patches/CVE-2014-9221_modp_custom.patch
deleted file mode 100644
index 1bfc4bc3c..000000000
--- a/debian/patches/CVE-2014-9221_modp_custom.patch
+++ /dev/null
@@ -1,165 +0,0 @@
-From a78ecdd47509626711a13481f53696e01d4b8c62 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Mon, 1 Dec 2014 17:21:59 +0100
-Subject: [PATCH] crypto: Define MODP_CUSTOM outside of IKE DH range
-
-Before this fix it was possible to crash charon with an IKE_SA_INIT
-message containing a KE payload with DH group MODP_CUSTOM(1025).
-Defining MODP_CUSTOM outside of the two byte IKE DH identifier range
-prevents it from getting negotiated.
-
-Fixes CVE-2014-9221 in version 5.1.2 and newer.
----
- src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 2 +-
- src/libstrongswan/crypto/diffie_hellman.c | 11 ++++++-----
- src/libstrongswan/crypto/diffie_hellman.h | 6 ++++--
- src/libstrongswan/plugins/gcrypt/gcrypt_dh.c | 2 +-
- src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c | 2 +-
- src/libstrongswan/plugins/ntru/ntru_ke.c | 2 +-
- src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c | 2 +-
- src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c | 2 +-
- src/libstrongswan/plugins/pkcs11/pkcs11_dh.c | 2 +-
- 9 files changed, 17 insertions(+), 14 deletions(-)
-
-diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
-index 67db5e6d87d6..836e0b7f088d 100644
---- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
-+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
-@@ -41,7 +41,7 @@ struct private_tkm_diffie_hellman_t {
- /**
- * Diffie Hellman group number.
- */
-- u_int16_t group;
-+ diffie_hellman_group_t group;
-
- /**
- * Diffie Hellman public value.
-diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
-index bada1c529951..ac106e9c4d45 100644
---- a/src/libstrongswan/crypto/diffie_hellman.c
-+++ b/src/libstrongswan/crypto/diffie_hellman.c
-@@ -42,15 +42,16 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_512_BP, ECP_521_BIT,
- "ECP_256_BP",
- "ECP_384_BP",
- "ECP_512_BP");
--ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_512_BP,
-- "MODP_NULL",
-- "MODP_CUSTOM");
--ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_CUSTOM,
-+ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_512_BP,
-+ "MODP_NULL");
-+ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_NULL,
- "NTRU_112",
- "NTRU_128",
- "NTRU_192",
- "NTRU_256");
--ENUM_END(diffie_hellman_group_names, NTRU_256_BIT);
-+ENUM_NEXT(diffie_hellman_group_names, MODP_CUSTOM, MODP_CUSTOM, NTRU_256_BIT,
-+ "MODP_CUSTOM");
-+ENUM_END(diffie_hellman_group_names, MODP_CUSTOM);
-
-
- /**
-diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
-index 105db22f14d4..d5161d077bb2 100644
---- a/src/libstrongswan/crypto/diffie_hellman.h
-+++ b/src/libstrongswan/crypto/diffie_hellman.h
-@@ -63,12 +63,14 @@ enum diffie_hellman_group_t {
- /** insecure NULL diffie hellman group for testing, in PRIVATE USE */
- MODP_NULL = 1024,
- /** MODP group with custom generator/prime */
-- MODP_CUSTOM = 1025,
- /** Parameters defined by IEEE 1363.1, in PRIVATE USE */
- NTRU_112_BIT = 1030,
- NTRU_128_BIT = 1031,
- NTRU_192_BIT = 1032,
-- NTRU_256_BIT = 1033
-+ NTRU_256_BIT = 1033,
-+ /** internally used DH group with additional parameters g and p, outside
-+ * of PRIVATE USE (i.e. IKEv2 DH group range) so it can't be negotiated */
-+ MODP_CUSTOM = 65536,
- };
-
- /**
-diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
-index f418b941db86..299865da2e09 100644
---- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
-+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
-@@ -35,7 +35,7 @@ struct private_gcrypt_dh_t {
- /**
- * Diffie Hellman group number
- */
-- u_int16_t group;
-+ diffie_hellman_group_t group;
-
- /*
- * Generator value
-diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
-index b74d35169f44..9936f7e4518f 100644
---- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
-+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
-@@ -42,7 +42,7 @@ struct private_gmp_diffie_hellman_t {
- /**
- * Diffie Hellman group number.
- */
-- u_int16_t group;
-+ diffie_hellman_group_t group;
-
- /*
- * Generator value.
-diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c
-index abaa22336221..e64f32b91d0e 100644
---- a/src/libstrongswan/plugins/ntru/ntru_ke.c
-+++ b/src/libstrongswan/plugins/ntru/ntru_ke.c
-@@ -56,7 +56,7 @@ struct private_ntru_ke_t {
- /**
- * Diffie Hellman group number.
- */
-- u_int16_t group;
-+ diffie_hellman_group_t group;
-
- /**
- * NTRU Parameter Set
-diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
-index ff3382473666..1e68ac59b838 100644
---- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
-+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
-@@ -38,7 +38,7 @@ struct private_openssl_diffie_hellman_t {
- /**
- * Diffie Hellman group number.
- */
-- u_int16_t group;
-+ diffie_hellman_group_t group;
-
- /**
- * Diffie Hellman object
-diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
-index b487d59a59a3..50853d6f0bde 100644
---- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
-+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
-@@ -40,7 +40,7 @@ struct private_openssl_ec_diffie_hellman_t {
- /**
- * Diffie Hellman group number.
- */
-- u_int16_t group;
-+ diffie_hellman_group_t group;
-
- /**
- * EC private (public) key
-diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
-index 36cc284bf2b5..23b63d2386af 100644
---- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
-+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
-@@ -47,7 +47,7 @@ struct private_pkcs11_dh_t {
- /**
- * Diffie Hellman group number.
- */
-- u_int16_t group;
-+ diffie_hellman_group_t group;
-
- /**
- * Handle for own private value
---
-1.9.1
-
-
diff --git a/debian/patches/series b/debian/patches/series
index 4601374ea..6d7cc1dfa 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,3 @@
01_fix-manpages.patch
03_systemd-service.patch
04_disable-libtls-tests.patch
-CVE-2014-9221_modp_custom.patch