strongswan: Fix for CVE-2014-9221

diff --git a/lfs/strongswan b/lfs/strongswan
index dd1f0ac848b7a1bb09d279df8750d831849626c5..642d651823b694171fc16eafeb3add65263c6f6b 100644 (file)
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -78,6 +78,7 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.1.2-5.2.1_modp_custom.patch
        cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.0.2_ipfire.patch
 
        cd $(DIR_APP) && [ -x "configure" ] || ./autogen.sh

diff --git a/src/patches/strongswan-5.1.2-5.2.1_modp_custom.patch b/src/patches/strongswan-5.1.2-5.2.1_modp_custom.patch
new file mode 100644 (file)
index 0000000..df2cb09
--- /dev/null
+++ b/src/patches/strongswan-5.1.2-5.2.1_modp_custom.patch
@@ -0,0 +1,164 @@
+From a78ecdd47509626711a13481f53696e01d4b8c62 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Mon, 1 Dec 2014 17:21:59 +0100
+Subject: [PATCH] crypto: Define MODP_CUSTOM outside of IKE DH range
+
+Before this fix it was possible to crash charon with an IKE_SA_INIT
+message containing a KE payload with DH group MODP_CUSTOM(1025).
+Defining MODP_CUSTOM outside of the two byte IKE DH identifier range
+prevents it from getting negotiated.
+
+Fixes CVE-2014-9221 in version 5.1.2 and newer.
+---
+ src/charon-tkm/src/tkm/tkm_diffie_hellman.c                   |  2 +-
+ src/libstrongswan/crypto/diffie_hellman.c                     | 11 ++++++-----
+ src/libstrongswan/crypto/diffie_hellman.h                     |  6 ++++--
+ src/libstrongswan/plugins/gcrypt/gcrypt_dh.c                  |  2 +-
+ src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c            |  2 +-
+ src/libstrongswan/plugins/ntru/ntru_ke.c                      |  2 +-
+ src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c    |  2 +-
+ src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c |  2 +-
+ src/libstrongswan/plugins/pkcs11/pkcs11_dh.c                  |  2 +-
+ 9 files changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+index 67db5e6d87d6..836e0b7f088d 100644
+--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
++++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+@@ -41,7 +41,7 @@ struct private_tkm_diffie_hellman_t {
+       /**
+        * Diffie Hellman group number.
+        */
+-      u_int16_t group;
++      diffie_hellman_group_t group;
+ 
+       /**
+        * Diffie Hellman public value.
+diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
+index bada1c529951..ac106e9c4d45 100644
+--- a/src/libstrongswan/crypto/diffie_hellman.c
++++ b/src/libstrongswan/crypto/diffie_hellman.c
+@@ -42,15 +42,16 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_512_BP, ECP_521_BIT,
+       "ECP_256_BP",
+       "ECP_384_BP",
+       "ECP_512_BP");
+-ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_512_BP,
+-      "MODP_NULL",
+-      "MODP_CUSTOM");
+-ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_CUSTOM,
++ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_512_BP,
++      "MODP_NULL");
++ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_NULL,
+       "NTRU_112",
+       "NTRU_128",
+       "NTRU_192",
+       "NTRU_256");
+-ENUM_END(diffie_hellman_group_names, NTRU_256_BIT);
++ENUM_NEXT(diffie_hellman_group_names, MODP_CUSTOM, MODP_CUSTOM, NTRU_256_BIT,
++      "MODP_CUSTOM");
++ENUM_END(diffie_hellman_group_names, MODP_CUSTOM);
+ 
+ 
+ /**
+diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
+index 105db22f14d4..d5161d077bb2 100644
+--- a/src/libstrongswan/crypto/diffie_hellman.h
++++ b/src/libstrongswan/crypto/diffie_hellman.h
+@@ -63,12 +63,14 @@ enum diffie_hellman_group_t {
+       /** insecure NULL diffie hellman group for testing, in PRIVATE USE */
+       MODP_NULL = 1024,
+       /** MODP group with custom generator/prime */
+-      MODP_CUSTOM = 1025,
+       /** Parameters defined by IEEE 1363.1, in PRIVATE USE */
+       NTRU_112_BIT = 1030,
+       NTRU_128_BIT = 1031,
+       NTRU_192_BIT = 1032,
+-      NTRU_256_BIT = 1033
++      NTRU_256_BIT = 1033,
++      /** internally used DH group with additional parameters g and p, outside
++       * of PRIVATE USE (i.e. IKEv2 DH group range) so it can't be negotiated */
++      MODP_CUSTOM = 65536,
+ };
+ 
+ /**
+diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
+index f418b941db86..299865da2e09 100644
+--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
++++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
+@@ -35,7 +35,7 @@ struct private_gcrypt_dh_t {
+       /**
+        * Diffie Hellman group number
+        */
+-      u_int16_t group;
++      diffie_hellman_group_t group;
+ 
+       /*
+        * Generator value
+diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+index b74d35169f44..9936f7e4518f 100644
+--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
++++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+@@ -42,7 +42,7 @@ struct private_gmp_diffie_hellman_t {
+       /**
+        * Diffie Hellman group number.
+        */
+-      u_int16_t group;
++      diffie_hellman_group_t group;
+ 
+       /*
+        * Generator value.
+diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c
+index abaa22336221..e64f32b91d0e 100644
+--- a/src/libstrongswan/plugins/ntru/ntru_ke.c
++++ b/src/libstrongswan/plugins/ntru/ntru_ke.c
+@@ -56,7 +56,7 @@ struct private_ntru_ke_t {
+       /**
+        * Diffie Hellman group number.
+        */
+-      u_int16_t group;
++      diffie_hellman_group_t group;
+ 
+       /**
+        * NTRU Parameter Set
+diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+index ff3382473666..1e68ac59b838 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
++++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+@@ -38,7 +38,7 @@ struct private_openssl_diffie_hellman_t {
+       /**
+        * Diffie Hellman group number.
+        */
+-      u_int16_t group;
++      diffie_hellman_group_t group;
+ 
+       /**
+        * Diffie Hellman object
+diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+index b487d59a59a3..50853d6f0bde 100644
+--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
++++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+@@ -40,7 +40,7 @@ struct private_openssl_ec_diffie_hellman_t {
+       /**
+        * Diffie Hellman group number.
+        */
+-      u_int16_t group;
++      diffie_hellman_group_t group;
+ 
+       /**
+        * EC private (public) key
+diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
+index 36cc284bf2b5..23b63d2386af 100644
+--- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
++++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
+@@ -47,7 +47,7 @@ struct private_pkcs11_dh_t {
+       /**
+        * Diffie Hellman group number.
+        */
+-      u_int16_t group;
++      diffie_hellman_group_t group;
+ 
+       /**
+        * Handle for own private value
+-- 
+1.9.1
+