Attachment #246933 for bug #275620

Lines 1-11 Link Here

(-)Makefile (-4 / +1 lines)
1	PORTNAME= strongswan	1	PORTNAME= strongswan
2	DISTVERSION= 5.9.11	2	DISTVERSION= 5.9.13
3	PORTREVISION= 3
4	CATEGORIES= security net-vpn	3	CATEGORIES= security net-vpn
5	MASTER_SITES= https://download.strongswan.org/ \	4	MASTER_SITES= https://download.strongswan.org/ \
6	https://download2.strongswan.org/	5	https://download2.strongswan.org/
7	PATCH_SITES= https://github.com/strongswan/strongswan/commit/
8	PATCHFILES= a619356b5f21bfe3c13f1576eb1d16c015532ceb.patch:-p1
9		6
10	MAINTAINER= strongswan@nanoteq.com	7	MAINTAINER= strongswan@nanoteq.com
11	COMMENT= Open Source IKEv2 IPsec-based VPN solution	8	COMMENT= Open Source IKEv2 IPsec-based VPN solution

Lines 1-5 Link Here

(-)distinfo (-5 / +3 lines)
1	TIMESTAMP = 1690493412	1	TIMESTAMP = 1702006969
2	SHA256 (strongswan-5.9.11.tar.bz2) = ddf53f1f26ad26979d5f55e8da95bd389552f5de3682e35593f9a70b2584ed2d	2	SHA256 (strongswan-5.9.13.tar.bz2) = 56e30effb578fd9426d8457e3b76c8c3728cd8a5589594b55649b2719308ba55
3	SIZE (strongswan-5.9.11.tar.bz2) = 4786552	3	SIZE (strongswan-5.9.13.tar.bz2) = 4825644
4	SHA256 (a619356b5f21bfe3c13f1576eb1d16c015532ceb.patch) = 31ba77932b88b611f1f1d54478b7d3a024f40e0bcea0b3249f2d62274e1df19f
5	SIZE (a619356b5f21bfe3c13f1576eb1d16c015532ceb.patch) = 3344




From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 11 Jul 2023 12:12:25 +0200
Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer
 overflow

Seems this was forgotten in the referenced commit and actually could lead
to a buffer overflow.  Since charon-tkm is untrusted this isn't that
much of an issue but could at least be easily exploited for a DoS attack
as DH public values are set when handling IKE_SA_INIT requests.

Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends")
Fixes: CVE-2023-41913
---
 src/charon-tkm/src/tkm/tkm_diffie_hellman.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
index 2b2d103d03e9..6999ad360d7e 100644
--- src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+++ src/charon-tkm/src/tkm/tkm_diffie_hellman.c
@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool,
 	return TRUE;
 }
 
-
 METHOD(key_exchange_t, set_public_key, bool,
 	private_tkm_diffie_hellman_t *this, chunk_t value)
 {
 	dh_pubvalue_type othervalue;
+
+	if (!key_exchange_verify_pubkey(this->group, value) ||
+		value.len > sizeof(othervalue.data))
+	{
+		return FALSE;
+	}
 	othervalue.size = value.len;
 	memcpy(&othervalue.data, value.ptr, value.len);
 
-- 
2.34.1


Return to bug 275620

Removed Link Here

(-)files/patch-src_swanctl_charon-tkm_src_tkm_tkm_diffie_hellman.c (-42 lines)
1	From 027421cbd2e6e628f5f959c74d722afadc477485 Mon Sep 17 00:00:00 2001
2	From: Tobias Brunner <tobias@strongswan.org>
3	Date: Tue, 11 Jul 2023 12:12:25 +0200
4	Subject: [PATCH] charon-tkm: Validate DH public key to fix potential buffer
5	overflow
6
7	Seems this was forgotten in the referenced commit and actually could lead
8	to a buffer overflow. Since charon-tkm is untrusted this isn't that
9	much of an issue but could at least be easily exploited for a DoS attack
10	as DH public values are set when handling IKE_SA_INIT requests.
11
12	Fixes: 0356089d0f94 ("diffie-hellman: Verify public DH values in backends")
13	Fixes: CVE-2023-41913
14	---
15	src/charon-tkm/src/tkm/tkm_diffie_hellman.c \| 7 ++++++-
16	1 file changed, 6 insertions(+), 1 deletion(-)
17
18	diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
19	index 2b2d103d03e9..6999ad360d7e 100644
20	--- src/charon-tkm/src/tkm/tkm_diffie_hellman.c
21	+++ src/charon-tkm/src/tkm/tkm_diffie_hellman.c
22	@@ -70,11 +70,16 @@ METHOD(key_exchange_t, get_shared_secret, bool,
23	return TRUE;
24	}
25
26	-
27	METHOD(key_exchange_t, set_public_key, bool,
28	private_tkm_diffie_hellman_t *this, chunk_t value)
29	{
30	dh_pubvalue_type othervalue;
31	+
32	+ if (!key_exchange_verify_pubkey(this->group, value) \|\|
33	+ value.len > sizeof(othervalue.data))
34	+ {
35	+ return FALSE;
36	+ }
37	othervalue.size = value.len;
38	memcpy(&othervalue.data, value.ptr, value.len);
39
40	--
41	2.34.1
42

Lines 36-43 Link Here

(-)pkg-plist (-7 / +8 lines)
36	%%GCM%%@sample %%ETCDIR%%.d/charon/gcm.conf.sample	36	%%GCM%%@sample %%ETCDIR%%.d/charon/gcm.conf.sample
37	%%EAPAKA3GPP2%%@sample %%ETCDIR%%.d/charon/gmp.conf.sample	37	%%EAPAKA3GPP2%%@sample %%ETCDIR%%.d/charon/gmp.conf.sample
38	@sample %%ETCDIR%%.d/charon/hmac.conf.sample	38	@sample %%ETCDIR%%.d/charon/hmac.conf.sample
39	%%KDF%%@sample %%ETCDIR%%.d/charon/kdf.conf.sample
40	%%IPSECKEY%%@sample %%ETCDIR%%.d/charon/ipseckey.conf.sample	39	%%IPSECKEY%%@sample %%ETCDIR%%.d/charon/ipseckey.conf.sample
		40	%%KDF%%@sample %%ETCDIR%%.d/charon/kdf.conf.sample
41	%%KERNELLIBIPSEC%%@sample %%ETCDIR%%.d/charon/kernel-libipsec.conf.sample	41	%%KERNELLIBIPSEC%%@sample %%ETCDIR%%.d/charon/kernel-libipsec.conf.sample
42	@sample %%ETCDIR%%.d/charon/kernel-pfkey.conf.sample	42	@sample %%ETCDIR%%.d/charon/kernel-pfkey.conf.sample
43	@sample %%ETCDIR%%.d/charon/kernel-pfroute.conf.sample	43	@sample %%ETCDIR%%.d/charon/kernel-pfroute.conf.sample
Lines 49-54 Link Here
49	%%MYSQL%%@sample %%ETCDIR%%.d/charon/mysql.conf.sample	49	%%MYSQL%%@sample %%ETCDIR%%.d/charon/mysql.conf.sample
50	@sample %%ETCDIR%%.d/charon/nonce.conf.sample	50	@sample %%ETCDIR%%.d/charon/nonce.conf.sample
51	@sample %%ETCDIR%%.d/charon/openssl.conf.sample	51	@sample %%ETCDIR%%.d/charon/openssl.conf.sample
		52	%%VIA%%@sample %%ETCDIR%%.d/charon/padlock.conf.sample
52	@sample %%ETCDIR%%.d/charon/pem.conf.sample	53	@sample %%ETCDIR%%.d/charon/pem.conf.sample
53	@sample %%ETCDIR%%.d/charon/pgp.conf.sample	54	@sample %%ETCDIR%%.d/charon/pgp.conf.sample
54	@sample %%ETCDIR%%.d/charon/pkcs1.conf.sample	55	@sample %%ETCDIR%%.d/charon/pkcs1.conf.sample
Lines 207-212 lib/ipsec/plugins/libstrongswan-nonce.la Link Here
207	lib/ipsec/plugins/libstrongswan-nonce.so	208	lib/ipsec/plugins/libstrongswan-nonce.so
208	lib/ipsec/plugins/libstrongswan-openssl.la	209	lib/ipsec/plugins/libstrongswan-openssl.la
209	lib/ipsec/plugins/libstrongswan-openssl.so	210	lib/ipsec/plugins/libstrongswan-openssl.so
		211	%%VIA%%lib/ipsec/plugins/libstrongswan-padlock.la
		212	%%VIA%%lib/ipsec/plugins/libstrongswan-padlock.so
210	lib/ipsec/plugins/libstrongswan-pem.la	213	lib/ipsec/plugins/libstrongswan-pem.la
211	lib/ipsec/plugins/libstrongswan-pem.so	214	lib/ipsec/plugins/libstrongswan-pem.so
212	lib/ipsec/plugins/libstrongswan-pgp.la	215	lib/ipsec/plugins/libstrongswan-pgp.la
Lines 285-290 libexec/ipsec/whitelist Link Here
285	%%PKI%%man/man1/pki---gen.1.gz	288	%%PKI%%man/man1/pki---gen.1.gz
286	%%PKI%%man/man1/pki---issue.1.gz	289	%%PKI%%man/man1/pki---issue.1.gz
287	%%PKI%%man/man1/pki---keyid.1.gz	290	%%PKI%%man/man1/pki---keyid.1.gz
		291	%%PKI%%man/man1/pki---ocsp.1.gz
288	%%PKI%%man/man1/pki---pkcs7.1.gz	292	%%PKI%%man/man1/pki---pkcs7.1.gz
289	%%PKI%%man/man1/pki---print.1.gz	293	%%PKI%%man/man1/pki---print.1.gz
290	%%PKI%%man/man1/pki---pub.1.gz	294	%%PKI%%man/man1/pki---pub.1.gz
Lines 313-318 sbin/ipsec Link Here
313	%%DATADIR%%/templates/config/plugins/cmac.conf	317	%%DATADIR%%/templates/config/plugins/cmac.conf
314	%%DATADIR%%/templates/config/plugins/constraints.conf	318	%%DATADIR%%/templates/config/plugins/constraints.conf
315	%%DATADIR%%/templates/config/plugins/counters.conf	319	%%DATADIR%%/templates/config/plugins/counters.conf
		320	%%CTR%%%%DATADIR%%/templates/config/plugins/ctr.conf
316	%%CURL%%%%DATADIR%%/templates/config/plugins/curl.conf	321	%%CURL%%%%DATADIR%%/templates/config/plugins/curl.conf
317	%%DATADIR%%/templates/config/plugins/curve25519.conf	322	%%DATADIR%%/templates/config/plugins/curve25519.conf
318	%%DATADIR%%/templates/config/plugins/des.conf	323	%%DATADIR%%/templates/config/plugins/des.conf
Lines 335-342 sbin/ipsec Link Here
335	%%GCM%%%%DATADIR%%/templates/config/plugins/gcm.conf	340	%%GCM%%%%DATADIR%%/templates/config/plugins/gcm.conf
336	%%EAPAKA3GPP2%%%%DATADIR%%/templates/config/plugins/gmp.conf	341	%%EAPAKA3GPP2%%%%DATADIR%%/templates/config/plugins/gmp.conf
337	%%DATADIR%%/templates/config/plugins/hmac.conf	342	%%DATADIR%%/templates/config/plugins/hmac.conf
338	%%KDF%%%%DATADIR%%/templates/config/plugins/kdf.conf
339	%%IPSECKEY%%%%DATADIR%%/templates/config/plugins/ipseckey.conf	343	%%IPSECKEY%%%%DATADIR%%/templates/config/plugins/ipseckey.conf
		344	%%KDF%%%%DATADIR%%/templates/config/plugins/kdf.conf
340	%%KERNELLIBIPSEC%%%%DATADIR%%/templates/config/plugins/kernel-libipsec.conf	345	%%KERNELLIBIPSEC%%%%DATADIR%%/templates/config/plugins/kernel-libipsec.conf
341	%%DATADIR%%/templates/config/plugins/kernel-pfkey.conf	346	%%DATADIR%%/templates/config/plugins/kernel-pfkey.conf
342	%%DATADIR%%/templates/config/plugins/kernel-pfroute.conf	347	%%DATADIR%%/templates/config/plugins/kernel-pfroute.conf
Lines 348-358 sbin/ipsec Link Here
348	%%MYSQL%%%%DATADIR%%/templates/config/plugins/mysql.conf	353	%%MYSQL%%%%DATADIR%%/templates/config/plugins/mysql.conf
349	%%DATADIR%%/templates/config/plugins/nonce.conf	354	%%DATADIR%%/templates/config/plugins/nonce.conf
350	%%DATADIR%%/templates/config/plugins/openssl.conf	355	%%DATADIR%%/templates/config/plugins/openssl.conf
		356	%%VIA%%%%DATADIR%%/templates/config/plugins/padlock.conf
351	%%DATADIR%%/templates/config/plugins/pem.conf	357	%%DATADIR%%/templates/config/plugins/pem.conf
352	%%DATADIR%%/templates/config/plugins/pgp.conf	358	%%DATADIR%%/templates/config/plugins/pgp.conf
353	%%DATADIR%%/templates/config/plugins/pkcs1.conf	359	%%DATADIR%%/templates/config/plugins/pkcs1.conf
354	%%PKCS11%%%%DATADIR%%/templates/config/plugins/pkcs11.conf	360	%%PKCS11%%%%DATADIR%%/templates/config/plugins/pkcs11.conf
355	%%CTR%%%%DATADIR%%/templates/config/plugins/ctr.conf
356	%%DATADIR%%/templates/config/plugins/pkcs12.conf	361	%%DATADIR%%/templates/config/plugins/pkcs12.conf
357	%%DATADIR%%/templates/config/plugins/pkcs7.conf	362	%%DATADIR%%/templates/config/plugins/pkcs7.conf
358	%%DATADIR%%/templates/config/plugins/pkcs8.conf	363	%%DATADIR%%/templates/config/plugins/pkcs8.conf
Lines 412-418 sbin/ipsec Link Here
412	%%SWANCTL%%@dir etc/swanctl/x509ca	417	%%SWANCTL%%@dir etc/swanctl/x509ca
413	%%SWANCTL%%@dir etc/swanctl/x509crl	418	%%SWANCTL%%@dir etc/swanctl/x509crl
414	%%SWANCTL%%@dir etc/swanctl/x509ocsp	419	%%SWANCTL%%@dir etc/swanctl/x509ocsp
415	%%VIA%%%%DATADIR%%/templates/config/plugins/padlock.conf
416	%%VIA%%lib/ipsec/plugins/libstrongswan-padlock.la
417	%%VIA%%lib/ipsec/plugins/libstrongswan-padlock.so
418	%%VIA%%@sample %%ETCDIR%%.d/charon/padlock.conf.sample