diff --git a/strongswan-5.9.8-5.9.9_tls_auth_bypass_exp_pointer.patch b/strongswan-5.9.8-5.9.9_tls_auth_bypass_exp_pointer.patch deleted file mode 100644 index b63e6c5..0000000 --- a/strongswan-5.9.8-5.9.9_tls_auth_bypass_exp_pointer.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 980750bde07136255784d6ef6cdb5c085d30e2f9 Mon Sep 17 00:00:00 2001 -From: Tobias Brunner -Date: Fri, 17 Feb 2023 15:07:20 +0100 -Subject: [PATCH] libtls: Fix authentication bypass and expired pointer - dereference - -`public` is returned, but previously only if a trusted key was found. -We obviously don't want to return untrusted keys. However, since the -reference is released after determining the key type, the returned -object also doesn't have the correct refcount. - -So when the returned reference is released after verifying the TLS -signature, the public key object is actually destroyed. The certificate -object then points to an expired pointer, which is dereferenced once it -itself is destroyed after the authentication is complete. Depending on -whether the pointer is valid (i.e. points to memory allocated to the -process) and what was allocated there after the public key was freed, -this could result in a segmentation fault or even code execution. - -Fixes: 63fd718915b5 ("libtls: call create_public_enumerator() with key_type") -Fixes: CVE-2023-26463 ---- - src/libtls/tls_server.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c -index c9c300917dd6..573893f2efb5 100644 ---- a/src/libtls/tls_server.c -+++ b/src/libtls/tls_server.c -@@ -183,11 +183,11 @@ public_key_t *tls_find_public_key(auth_cfg_t *peer_auth, identification_t *id) - cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT); - if (cert) - { -- public = cert->get_public_key(cert); -- if (public) -+ current = cert->get_public_key(cert); -+ if (current) - { -- key_type = public->get_type(public); -- public->destroy(public); -+ key_type = current->get_type(current); -+ current->destroy(current); - } - enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, - key_type, id, peer_auth, TRUE); --- -2.25.1 - diff --git a/strongswan-5.9.9-man-paths.patch b/strongswan-5.9.9-man-paths.patch deleted file mode 100644 index 9472c26..0000000 --- a/strongswan-5.9.9-man-paths.patch +++ /dev/null @@ -1,348 +0,0 @@ -From 111cbd3d2ca4385d326db333ee86843ada652663 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= -Date: Mon, 16 Jan 2023 19:38:17 +0100 -Subject: [PATCH] Make manual paths follow build configuration -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Use build-configured paths in manual pages instead of default values. -Makes easier customization to non-default values as done on Fedora for -example. - -Squashed commit of the following: - -commit e99de2aee9f26e3ab97d88902308107d9f048acd -Merge: 8effb06d6 29e324709 -Author: Tobias Brunner -Date: Mon Jan 16 11:41:17 2023 +0100 - - Merge branch 'man-sysconfdir' - - Closes strongswan/strongswan#1511 - -commit 29e32470974aea614c2486c2982767bd62670063 -Author: Tobias Brunner -Date: Mon Jan 16 11:39:29 2023 +0100 - - swanctl: Don't use hard-coded path to sysconfdir - -commit 1c0b14baa3c04606ad9357dfc658d11f0f96ca65 -Author: Tobias Brunner -Date: Mon Jan 16 11:37:27 2023 +0100 - - conf: Add swanctl.conf and swanctl man pages to SEE ALSO - -commit 7e43a5f3d28424abfb648b7afd24e25a042efd24 -Author: Tobias Brunner -Date: Mon Jan 16 11:35:42 2023 +0100 - - conf: Replace hard-coded /etc where appropriate - - Also document the actual value of ${sysconfdir}. - -commit ee046552bb1f3c98d89837d58f7da7d83c8fbb82 -Author: Petr Menšík -Date: Sun Jan 15 16:55:45 2023 +0100 - - man: Use configured path for config files in man pages - -commit ab4ed21b5cb28eafbc29b09523b062bee159a0d0 -Author: Petr Menšík -Date: Sun Jan 15 16:17:07 2023 +0100 - - ipsec: Include IPSEC_CONFDIR variable replacement in man page - - Fedora has chosena different default directory to avoid conflicts with - libreswan. Use ${sysconfdir} variable to provide the correct location. ---- - conf/options/charon.opt | 4 ++-- - conf/plugins/unbound.opt | 2 +- - conf/strongswan.conf.5.tail.in | 10 ++++++---- - man/ipsec.conf.5.in | 22 +++++++++++----------- - man/ipsec.secrets.5.in | 8 ++++---- - src/ipsec/Makefile.am | 1 + - src/ipsec/_ipsec.8.in | 20 ++++++++++---------- - src/swanctl/swanctl.conf.5.tail.in | 2 +- - 8 files changed, 36 insertions(+), 33 deletions(-) - -diff --git a/conf/options/charon.opt b/conf/options/charon.opt -index 00949222a..72efd17de 100644 ---- a/conf/options/charon.opt -+++ b/conf/options/charon.opt -@@ -38,8 +38,8 @@ charon.cert_cache = yes - charon.cache_crls = no - Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should - be saved under a unique file name derived from the public key of the -- Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or -- **/etc/swanctl/x509crl** (vici), respectively. -+ Certification Authority (CA) to **${sysconfdir}/ipsec.d/crls** (stroke) or -+ **${sysconfdir}/swanctl/x509crl** (vici), respectively. - - charon.check_current_path = no - Whether to use DPD to check if the current path still works after any -diff --git a/conf/plugins/unbound.opt b/conf/plugins/unbound.opt -index f8ca9ca12..007797310 100644 ---- a/conf/plugins/unbound.opt -+++ b/conf/plugins/unbound.opt -@@ -1,7 +1,7 @@ - charon.plugins.unbound.resolv_conf = /etc/resolv.conf - File to read DNS resolver configuration from. - --charon.plugins.unbound.trust_anchors = /etc/ipsec.d/dnssec.keys -+charon.plugins.unbound.trust_anchors = ${sysconfdir}/ipsec.d/dnssec.keys - File to read DNSSEC trust anchors from (usually root zone KSK). - - File to read DNSSEC trust anchors from (usually root zone KSK). The format -diff --git a/conf/strongswan.conf.5.tail.in b/conf/strongswan.conf.5.tail.in -index baad476d1..74bbd8eec 100644 ---- a/conf/strongswan.conf.5.tail.in -+++ b/conf/strongswan.conf.5.tail.in -@@ -458,6 +458,7 @@ The variables used above are configured as follows: - .na - ${piddir} @piddir@ - ${prefix} @prefix@ -+${sysconfdir} @sysconfdir@ - ${random_device} @random_device@ - ${urandom_device} @urandom_device@ - .ad -@@ -467,18 +468,19 @@ ${urandom_device} @urandom_device@ - . - .nf - .na --/etc/strongswan.conf configuration file --/etc/strongswan.d/ directory containing included config snippets --/etc/strongswan.d/charon/ plugin specific config snippets -+@sysconfdir@/strongswan.conf configuration file -+@sysconfdir@/strongswan.d/ directory containing included config snippets -+@sysconfdir@/strongswan.d/charon/ plugin specific config snippets - .ad - .fi - . - .SH SEE ALSO -+\fBswanctl.conf\fR(5), \fBswanctl\fR(8), - \fBipsec.conf\fR(5), \fBipsec.secrets\fR(5), \fBipsec\fR(8), \fBcharon-cmd\fR(8) - - .SH HISTORY - Written for the --.UR http://www.strongswan.org -+.UR https://www.strongswan.org - strongSwan project - .UE - by Tobias Brunner, Andreas Steffen and Martin Willi. -diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in -index ced12680f..4e256538e 100644 ---- a/man/ipsec.conf.5.in -+++ b/man/ipsec.conf.5.in -@@ -690,7 +690,7 @@ but for the second authentication round (IKEv2 only). - .BR leftcert " = " - the path to the left participant's X.509 certificate. The file can be encoded - either in PEM or DER format. OpenPGP certificates are supported as well. --Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP -+Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP - are accepted. By default - .B leftcert - sets -@@ -871,7 +871,7 @@ prefix in front of 0x or 0s, the public key is expected to be in either - the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format, - respectively. - Also accepted is the path to a file containing the public key in PEM, DER or SSH --encoding. Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP -+encoding. Both absolute paths or paths relative to \fI@sysconfdir@/ipsec.d/certs\fP - are accepted. - .TP - .BR leftsendcert " = never | no | " ifasked " | always | yes" -@@ -1219,7 +1219,7 @@ of this connection will be used as peer ID. - .SH "CA SECTIONS" - These are optional sections that can be used to assign special - parameters to a Certification Authority (CA). Because the daemons --automatically import CA certificates from \fI/etc/ipsec.d/cacerts\fP, -+automatically import CA certificates from \fI@sysconfdir@/ipsec.d/cacerts\fP, - there is no need to explicitly add them with a CA section, unless you - want to assign special parameters (like a CRL) to a CA. - .TP -@@ -1235,7 +1235,7 @@ currently can have either the value - .TP - .BR cacert " = " - defines a path to the CA certificate either relative to --\fI/etc/ipsec.d/cacerts\fP or as an absolute path. -+\fI@sysconfdir@/ipsec.d/cacerts\fP or as an absolute path. - .br - A value in the form - .B %smartcard[[@]]: -@@ -1284,7 +1284,7 @@ section are: - .BR cachecrls " = yes | " no - if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will - be cached in --.I /etc/ipsec.d/crls/ -+.I @sysconfdir@/ipsec.d/crls/ - under a unique file name derived from the certification authority's public key. - .TP - .BR charondebug " = " -@@ -1463,12 +1463,12 @@ time equals zero and, thus, rekeying gets disabled. - - .SH FILES - .nf --/etc/ipsec.conf --/etc/ipsec.d/aacerts --/etc/ipsec.d/acerts --/etc/ipsec.d/cacerts --/etc/ipsec.d/certs --/etc/ipsec.d/crls -+@sysconfdir@/ipsec.conf -+@sysconfdir@/ipsec.d/aacerts -+@sysconfdir@/ipsec.d/acerts -+@sysconfdir@/ipsec.d/cacerts -+@sysconfdir@/ipsec.d/certs -+@sysconfdir@/ipsec.d/crls - - .SH SEE ALSO - strongswan.conf(5), ipsec.secrets(5), ipsec(8) -diff --git a/man/ipsec.secrets.5.in b/man/ipsec.secrets.5.in -index 15e36faff..c54e1a18b 100644 ---- a/man/ipsec.secrets.5.in -+++ b/man/ipsec.secrets.5.in -@@ -15,7 +15,7 @@ Here is an example. - .LP - .RS - .nf --# /etc/ipsec.secrets - strongSwan IPsec secrets file -+# @sysconfdir@/ipsec.secrets - strongSwan IPsec secrets file - 192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL" - - : RSA moonKey.pem -@@ -140,7 +140,7 @@ is interpreted as Base64 encoded binary data. - .TQ - .B : ECDSA [ | %prompt ] - For the private key file both absolute paths or paths relative to --\fI/etc/ipsec.d/private\fP are accepted. If the private key file is -+\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the private key file is - encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase - .B %prompt - can be used which then causes the daemon to ask the user for the password -@@ -148,7 +148,7 @@ whenever it is required to decrypt the key. - .TP - .B : P12 [ | %prompt ] - For the PKCS#12 file both absolute paths or paths relative to --\fI/etc/ipsec.d/private\fP are accepted. If the container is -+\fI@sysconfdir@/ipsec.d/private\fP are accepted. If the container is - encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase - .B %prompt - can be used which then causes the daemon to ask the user for the password -@@ -182,7 +182,7 @@ can be specified, which causes the daemon to ask the user for the pin code. - .LP - - .SH FILES --/etc/ipsec.secrets -+@sysconfdir@/ipsec.secrets - .SH SEE ALSO - ipsec.conf(5), strongswan.conf(5), ipsec(8) - .br -diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am -index 0ab9ab27c..656eba49b 100644 ---- a/src/ipsec/Makefile.am -+++ b/src/ipsec/Makefile.am -@@ -10,6 +10,7 @@ _ipsec.8 : _ipsec.8.in - -e "s:@IPSEC_SCRIPT@:$(ipsec_script):g" \ - -e "s:@IPSEC_SCRIPT_UPPER@:$(ipsec_script_upper):g" \ - -e "s:@IPSEC_DIR@:$(ipsecdir):" \ -+ -e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \ - $(srcdir)/$@.in > $@ - - _ipsec : _ipsec.in -diff --git a/src/ipsec/_ipsec.8.in b/src/ipsec/_ipsec.8.in -index bfc4d50c2..de00d3075 100644 ---- a/src/ipsec/_ipsec.8.in -+++ b/src/ipsec/_ipsec.8.in -@@ -145,25 +145,25 @@ locally by the IKE daemon or received via the IKE protocol. - .TP - .BI "listcacerts [" --utc ] - returns a list of X.509 Certification Authority (CA) certificates that were --loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP -+loaded locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/cacerts/\fP - directory or received via the IKE protocol. - . - .TP - .BI "listaacerts [" --utc ] - returns a list of X.509 Authorization Authority (AA) certificates that were --loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP -+loaded locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/aacerts/\fP - directory. - . - .TP - .BI "listocspcerts [" --utc ] - returns a list of X.509 OCSP Signer certificates that were either loaded --locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP -+locally by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/ocspcerts/\fP - directory or were sent by an OCSP server. - . - .TP - .BI "listacerts [" --utc ] - returns a list of X.509 Attribute certificates that were loaded locally by --the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory. -+the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/acerts/\fP directory. - . - .TP - .BI "listgroups [" --utc ] -@@ -179,7 +179,7 @@ sections in \fIipsec.conf\fP. - .TP - .BI "listcrls [" --utc ] - returns a list of Certificate Revocation Lists (CRLs) that were either loaded --by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from -+by the IKE daemon from the \fI@IPSEC_CONFDIR@/ipsec.d/crls\fP directory or fetched from - an HTTP- or LDAP-based CRL distribution point. - . - .TP -@@ -211,7 +211,7 @@ flushes and rereads all secrets defined in \fIipsec.secrets\fP. - .TP - .B "rereadcacerts" - removes previously loaded CA certificates, reads all certificate files --contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list -+contained in the \fI@IPSEC_CONFDIR@/ipsec.d/cacerts\fP directory and adds them to the list - of Certification Authority (CA) certificates. This does not affect certificates - explicitly defined in a - .BR ipsec.conf (5) -@@ -220,23 +220,23 @@ ca section, which may be separately updated using the \fBupdate\fP command. - .TP - .B "rereadaacerts" - removes previously loaded AA certificates, reads all certificate files --contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list -+contained in the \fI@IPSEC_CONFDIR@/ipsec.d/aacerts\fP directory and adds them to the list - of Authorization Authority (AA) certificates. - . - .TP - .B "rereadocspcerts" --reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP -+reads all certificate files contained in the \fI@IPSEC_CONFDIR@/ipsec.d/ocspcerts/\fP - directory and adds them to the list of OCSP signer certificates. - . - .TP - .B "rereadacerts" --reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP -+reads all certificate files contained in the \fI@IPSEC_CONFDIR@/ipsec.d/acerts/\fP - directory and adds them to the list of attribute certificates. - . - .TP - .B "rereadcrls" - reads all Certificate Revocation Lists (CRLs) contained in the --\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs. -+\fI@IPSEC_CONFDIR@/ipsec.d/crls/\fP directory and adds them to the list of CRLs. - . - .TP - .B "rereadall" -diff --git a/src/swanctl/swanctl.conf.5.tail.in b/src/swanctl/swanctl.conf.5.tail.in -index 4d24608da..036443843 100644 ---- a/src/swanctl/swanctl.conf.5.tail.in -+++ b/src/swanctl/swanctl.conf.5.tail.in -@@ -2,7 +2,7 @@ - . - .nf - .na --/etc/swanctl/swanctl.conf configuration file -+@sysconfdir@/swanctl/swanctl.conf configuration file - .ad - .fi - . --- -2.39.0 - diff --git a/strongswan.spec b/strongswan.spec index 2460660..b6f9006 100644 --- a/strongswan.spec +++ b/strongswan.spec @@ -28,10 +28,6 @@ Source3: tmpfiles-strongswan.conf Patch0: strongswan-5.6.0-uintptr_t.patch # https://github.com/strongswan/strongswan/issues/1198 Patch1: strongswan-5.9.7-error-no-format.patch -# https://github.com/strongswan/strongswan/pull/1511 -# https://github.com/strongswan/strongswan/commit/e99de2aee9f26e3ab97d88902308107d9f048acd -Patch2: strongswan-5.9.9-man-paths.patch -Patch3: strongswan-5.9.8-5.9.9_tls_auth_bypass_exp_pointer.patch BuildRequires: autoconf BuildRequires: automake