net-misc/strongswan/files/strongswan-5.0.2-modp_custom.patch - mirrors/cros/chromiumos/overlays/chromiumos-overlay - Git at Google

 From 3541bf4f446fc1c55c74b4b2cbbc195706936b10 Mon Sep 17 00:00:00 2001
 From: Tobias Brunner <tobias@strongswan.org>
 Date: Thu, 4 Dec 2014 12:02:45 +0100
 Subject: [PATCH] crypto: Define MODP_CUSTOM outside of IKE DH range

 Before this fix it was possible to crash charon with an IKE_SA_INIT
 message containing a KE payload with DH group MODP_CUSTOM(1025).
 Defining MODP_CUSTOM outside of the two byte IKE DH identifier range
 prevents it from getting negotiated.

 Fixes CVE-2014-9221 in versions 4.6.0 up to 5.0.2.
 ---
  src/libstrongswan/crypto/diffie_hellman.c                     | 5 +++--
  src/libstrongswan/crypto/diffie_hellman.h                     | 5 +++--
  src/libstrongswan/plugins/gcrypt/gcrypt_dh.c                  | 2 +-
  src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c            | 2 +-
  src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c    | 2 +-
  src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c | 2 +-
  src/libstrongswan/plugins/pkcs11/pkcs11_dh.c                  | 2 +-
  8 files changed, 12 insertions(+), 10 deletions(-)

 diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
 index 1124ee6f76a0..a5bf81b4f56c 100644
 --- a/src/libstrongswan/crypto/diffie_hellman.c
 +++ b/src/libstrongswan/crypto/diffie_hellman.c
 @@ -38,8 +38,9 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_224_BIT, ECP_521_BIT,
  	"MODP_2048_256",
  	"ECP_192",
  	"ECP_224");
 -ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_224_BIT,
 -	"MODP_NULL",
 +ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_224_BIT,
 +	"MODP_NULL");
 +ENUM_NEXT(diffie_hellman_group_names, MODP_CUSTOM, MODP_CUSTOM, MODP_NULL,
  	"MODP_CUSTOM");
  ENUM_END(diffie_hellman_group_names, MODP_CUSTOM);

 diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
 index cab3b1ba7532..d9dda14dfd85 100644
 --- a/src/libstrongswan/crypto/diffie_hellman.h
 +++ b/src/libstrongswan/crypto/diffie_hellman.h
 @@ -57,8 +57,9 @@ enum diffie_hellman_group_t {
  	ECP_224_BIT   = 26,
  	/** insecure NULL diffie hellman group for testing, in PRIVATE USE */
  	MODP_NULL = 1024,
 -	/** MODP group with custom generator/prime */
 -	MODP_CUSTOM = 1025,
 +	/** internally used DH group with additional parameters g and p, outside
 +	 * of PRIVATE USE (i.e. IKEv2 DH group range) so it can't be negotiated */
 +	MODP_CUSTOM = 65536,
  };

  /**
 diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
 index f418b941db86..299865da2e09 100644
 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
 +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
 @@ -35,7 +35,7 @@ struct private_gcrypt_dh_t {
  	/**
  	 * Diffie Hellman group number
  	 */
 -	u_int16_t group;
 +	diffie_hellman_group_t group;

  	/*
  	 * Generator value
 diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
 index b74d35169f44..9936f7e4518f 100644
 --- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
 +++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
 @@ -42,7 +42,7 @@ struct private_gmp_diffie_hellman_t {
  	/**
  	 * Diffie Hellman group number.
  	 */
 -	u_int16_t group;
 +	diffie_hellman_group_t group;

  	/*
  	 * Generator value.
 diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
 index ff3382473666..1e68ac59b838 100644
 --- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
 +++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
 @@ -38,7 +38,7 @@ struct private_openssl_diffie_hellman_t {
  	/**
  	 * Diffie Hellman group number.
  	 */
 -	u_int16_t group;
 +	diffie_hellman_group_t group;

  	/**
  	 * Diffie Hellman object
 diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
 index d846278c821a..4ed84af6f44e 100644
 --- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
 +++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
 @@ -39,7 +39,7 @@ struct private_openssl_ec_diffie_hellman_t {
  	/**
  	 * Diffie Hellman group number.
  	 */
 -	u_int16_t group;
 +	diffie_hellman_group_t group;

  	/**
  	 * EC private (public) key
 diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
 index 2e5af95fff0d..068ce7d2a74b 100644
 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
 +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
 @@ -47,7 +47,7 @@ struct private_pkcs11_dh_t {
  	/**
  	 * Diffie Hellman group number.
  	 */
 -	u_int16_t group;
 +	diffie_hellman_group_t group;

  	/**
  	 * Handle for own private value
 --
 1.9.1
	From 3541bf4f446fc1c55c74b4b2cbbc195706936b10 Mon Sep 17 00:00:00 2001
	From: Tobias Brunner <tobias@strongswan.org>
	Date: Thu, 4 Dec 2014 12:02:45 +0100
	Subject: [PATCH] crypto: Define MODP_CUSTOM outside of IKE DH range

	Before this fix it was possible to crash charon with an IKE_SA_INIT
	message containing a KE payload with DH group MODP_CUSTOM(1025).
	Defining MODP_CUSTOM outside of the two byte IKE DH identifier range
	prevents it from getting negotiated.

	Fixes CVE-2014-9221 in versions 4.6.0 up to 5.0.2.
	---
	src/libstrongswan/crypto/diffie_hellman.c \| 5 +++--
	src/libstrongswan/crypto/diffie_hellman.h \| 5 +++--
	src/libstrongswan/plugins/gcrypt/gcrypt_dh.c \| 2 +-
	src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c \| 2 +-
	src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c \| 2 +-
	src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c \| 2 +-
	src/libstrongswan/plugins/pkcs11/pkcs11_dh.c \| 2 +-
	8 files changed, 12 insertions(+), 10 deletions(-)

	diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
	index 1124ee6f76a0..a5bf81b4f56c 100644
	--- a/src/libstrongswan/crypto/diffie_hellman.c
	+++ b/src/libstrongswan/crypto/diffie_hellman.c
	@@ -38,8 +38,9 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_224_BIT, ECP_521_BIT,
	"MODP_2048_256",
	"ECP_192",
	"ECP_224");
	-ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_224_BIT,
	- "MODP_NULL",
	+ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_224_BIT,
	+ "MODP_NULL");
	+ENUM_NEXT(diffie_hellman_group_names, MODP_CUSTOM, MODP_CUSTOM, MODP_NULL,
	"MODP_CUSTOM");
	ENUM_END(diffie_hellman_group_names, MODP_CUSTOM);

	diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
	index cab3b1ba7532..d9dda14dfd85 100644
	--- a/src/libstrongswan/crypto/diffie_hellman.h
	+++ b/src/libstrongswan/crypto/diffie_hellman.h
	@@ -57,8 +57,9 @@ enum diffie_hellman_group_t {
	ECP_224_BIT = 26,
	/** insecure NULL diffie hellman group for testing, in PRIVATE USE */
	MODP_NULL = 1024,
	- /** MODP group with custom generator/prime */
	- MODP_CUSTOM = 1025,
	+ /** internally used DH group with additional parameters g and p, outside
	+ * of PRIVATE USE (i.e. IKEv2 DH group range) so it can't be negotiated */
	+ MODP_CUSTOM = 65536,
	};

	/**
	diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
	index f418b941db86..299865da2e09 100644
	--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
	+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
	@@ -35,7 +35,7 @@ struct private_gcrypt_dh_t {
	/**
	* Diffie Hellman group number
	*/
	- u_int16_t group;
	+ diffie_hellman_group_t group;

	/*
	* Generator value
	diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
	index b74d35169f44..9936f7e4518f 100644
	--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
	+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
	@@ -42,7 +42,7 @@ struct private_gmp_diffie_hellman_t {
	/**
	* Diffie Hellman group number.
	*/
	- u_int16_t group;
	+ diffie_hellman_group_t group;

	/*
	* Generator value.
	diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
	index ff3382473666..1e68ac59b838 100644
	--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
	+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
	@@ -38,7 +38,7 @@ struct private_openssl_diffie_hellman_t {
	/**
	* Diffie Hellman group number.
	*/
	- u_int16_t group;
	+ diffie_hellman_group_t group;

	/**
	* Diffie Hellman object
	diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
	index d846278c821a..4ed84af6f44e 100644
	--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
	+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
	@@ -39,7 +39,7 @@ struct private_openssl_ec_diffie_hellman_t {
	/**
	* Diffie Hellman group number.
	*/
	- u_int16_t group;
	+ diffie_hellman_group_t group;

	/**
	* EC private (public) key
	diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
	index 2e5af95fff0d..068ce7d2a74b 100644
	--- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
	+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
	@@ -47,7 +47,7 @@ struct private_pkcs11_dh_t {
	/**
	* Diffie Hellman group number.
	*/
	- u_int16_t group;
	+ diffie_hellman_group_t group;

	/**
	* Handle for own private value
	--
	1.9.1