diff --git a/CVE-2024-26306.patch b/CVE-2024-26306.patch deleted file mode 100644 index 3cd27342696c5d04fa9cfcc5468862959294e802..0000000000000000000000000000000000000000 --- a/CVE-2024-26306.patch +++ /dev/null @@ -1,286 +0,0 @@ -Origin: -https://github.com/esnet/iperf/pull/1695 -https://github.com/esnet/iperf/releases/tag/3.17 - -From 299b356df6939f71619bf45bf7a7d2222e17d840 Mon Sep 17 00:00:00 2001 -From: Sarah Larsen -Date: Wed, 20 Mar 2024 17:02:31 -0700 -Subject: [PATCH 1/3] Using OAEP padding instead of PKCS1 padding for OpenSSL. - Fix for CVE-2024-26306. - -Special thanks to Hubert Kario at Red Hat for finding the vulnerability. ---- - src/iperf.h | 1 + - src/iperf_api.c | 8 ++++++-- - src/iperf_api.h | 1 + - src/iperf_auth.c | 32 ++++++++++++++++++++++++-------- - src/iperf_auth.h | 4 ++-- - src/iperf_locale.c | 1 + - src/t_auth.c | 5 +++-- - 7 files changed, 38 insertions(+), 14 deletions(-) - -diff --git a/src/iperf.h b/src/iperf.h -index c1d839be1..527e549ed 100644 ---- a/src/iperf.h -+++ b/src/iperf.h -@@ -319,6 +319,7 @@ struct iperf_test - char *server_authorized_users; - EVP_PKEY *server_rsa_private_key; - int server_skew_threshold; -+ int use_pkcs1_padding; - #endif // HAVE_SSL - - /* boolean variables for Options */ -diff --git a/src/iperf_api.c b/src/iperf_api.c -index d40561c10..7fb741e77 100644 ---- a/src/iperf_api.c -+++ b/src/iperf_api.c -@@ -1137,6 +1137,7 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv) - {"rsa-private-key-path", required_argument, NULL, OPT_SERVER_RSA_PRIVATE_KEY}, - {"authorized-users-path", required_argument, NULL, OPT_SERVER_AUTHORIZED_USERS}, - {"time-skew-threshold", required_argument, NULL, OPT_SERVER_SKEW_THRESHOLD}, -+ {"use-pkcs1-padding", no_argument, NULL, OPT_USE_PKCS1_PADDING}, - #endif /* HAVE_SSL */ - {"fq-rate", required_argument, NULL, OPT_FQ_RATE}, - {"pacing-timer", required_argument, NULL, OPT_PACING_TIMER}, -@@ -1630,6 +1631,9 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv) - return -1; - } - break; -+ case OPT_USE_PKCS1_PADDING: -+ test->use_pkcs1_padding = 1; -+ break; - #endif /* HAVE_SSL */ - case OPT_PACING_TIMER: - test->settings->pacing_timer = unit_atoi(optarg); -@@ -2070,7 +2074,7 @@ int test_is_authorized(struct iperf_test *test){ - if (test->settings->authtoken){ - char *username = NULL, *password = NULL; - time_t ts; -- int rc = decode_auth_setting(test->debug, test->settings->authtoken, test->server_rsa_private_key, &username, &password, &ts); -+ int rc = decode_auth_setting(test->debug, test->settings->authtoken, test->server_rsa_private_key, &username, &password, &ts, test->use_pkcs1_padding); - if (rc) { - return -1; - } -@@ -2255,7 +2259,7 @@ send_parameters(struct iperf_test *test) - #if defined(HAVE_SSL) - /* Send authentication parameters */ - if (test->settings->client_username && test->settings->client_password && test->settings->client_rsa_pubkey){ -- int rc = encode_auth_setting(test->settings->client_username, test->settings->client_password, test->settings->client_rsa_pubkey, &test->settings->authtoken); -+ int rc = encode_auth_setting(test->settings->client_username, test->settings->client_password, test->settings->client_rsa_pubkey, &test->settings->authtoken, test->use_pkcs1_padding); - - if (rc) { - cJSON_Delete(j); -diff --git a/src/iperf_api.h b/src/iperf_api.h -index d2bbdfe96..131314243 100644 ---- a/src/iperf_api.h -+++ b/src/iperf_api.h -@@ -100,6 +100,7 @@ typedef atomic_uint_fast64_t atomic_iperf_size_t; - #define OPT_DONT_FRAGMENT 26 - #define OPT_RCV_TIMEOUT 27 - #define OPT_SND_TIMEOUT 28 -+#define OPT_USE_PKCS1_PADDING 30 - - /* states */ - #define TEST_START 1 -diff --git a/src/iperf_auth.c b/src/iperf_auth.c -index c89bde7c3..398e7d76b 100644 ---- a/src/iperf_auth.c -+++ b/src/iperf_auth.c -@@ -230,7 +230,7 @@ int test_load_private_key_from_file(const char *file){ - return 0; - } - --int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned char **encryptedtext) { -+int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned char **encryptedtext, int use_pkcs1_padding) { - #if OPENSSL_VERSION_MAJOR >= 3 - EVP_PKEY_CTX *ctx; - #else -@@ -257,12 +257,19 @@ int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned ch - - BIO *bioBuff = BIO_new_mem_buf((void*)plaintext, (int)strlen(plaintext)); - rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2); -+ -+ int padding = RSA_PKCS1_OAEP_PADDING; -+ if (use_pkcs1_padding){ -+ padding = RSA_PKCS1_PADDING; -+ } - #if OPENSSL_VERSION_MAJOR >= 3 - EVP_PKEY_encrypt_init(ctx); -+ EVP_PKEY_CTX_set_rsa_padding(ctx, padding); -+ - EVP_PKEY_encrypt(ctx, *encryptedtext, &encryptedtext_len, rsa_buffer, rsa_buffer_len); - EVP_PKEY_CTX_free(ctx); - #else -- encryptedtext_len = RSA_public_encrypt(rsa_buffer_len, rsa_buffer, *encryptedtext, rsa, RSA_PKCS1_PADDING); -+ encryptedtext_len = RSA_public_encrypt(rsa_buffer_len, rsa_buffer, *encryptedtext, rsa, padding); - RSA_free(rsa); - #endif - -@@ -280,7 +287,7 @@ int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned ch - return 0; - } - --int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedtext_len, EVP_PKEY *private_key, unsigned char **plaintext) { -+int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedtext_len, EVP_PKEY *private_key, unsigned char **plaintext, int use_pkcs1_padding) { - #if OPENSSL_VERSION_MAJOR >= 3 - EVP_PKEY_CTX *ctx; - #else -@@ -307,13 +314,22 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt - - BIO *bioBuff = BIO_new_mem_buf((void*)encryptedtext, encryptedtext_len); - rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2); -+ -+ int padding = RSA_PKCS1_OAEP_PADDING; -+ if (use_pkcs1_padding){ -+ padding = RSA_PKCS1_PADDING; -+ } - #if OPENSSL_VERSION_MAJOR >= 3 - plaintext_len = keysize; - EVP_PKEY_decrypt_init(ctx); -+ int ret = EVP_PKEY_CTX_set_rsa_padding(ctx, padding); -+ if (ret < 0){ -+ goto errreturn; -+ } - EVP_PKEY_decrypt(ctx, *plaintext, &plaintext_len, rsa_buffer, rsa_buffer_len); - EVP_PKEY_CTX_free(ctx); - #else -- plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, RSA_PKCS1_PADDING); -+ plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, padding); - RSA_free(rsa); - #endif - -@@ -331,7 +347,7 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt - return 0; - } - --int encode_auth_setting(const char *username, const char *password, EVP_PKEY *public_key, char **authtoken){ -+int encode_auth_setting(const char *username, const char *password, EVP_PKEY *public_key, char **authtoken, int use_pkcs1_padding){ - time_t t = time(NULL); - time_t utc_seconds = mktime(localtime(&t)); - -@@ -348,7 +364,7 @@ int encode_auth_setting(const char *username, const char *password, EVP_PKEY *pu - - unsigned char *encrypted = NULL; - int encrypted_len; -- encrypted_len = encrypt_rsa_message(text, public_key, &encrypted); -+ encrypted_len = encrypt_rsa_message(text, public_key, &encrypted, use_pkcs1_padding); - free(text); - if (encrypted_len < 0) { - return -1; -@@ -359,7 +375,7 @@ int encode_auth_setting(const char *username, const char *password, EVP_PKEY *pu - return (0); //success - } - --int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *private_key, char **username, char **password, time_t *ts){ -+int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *private_key, char **username, char **password, time_t *ts, int use_pkcs1_padding){ - unsigned char *encrypted_b64 = NULL; - size_t encrypted_len_b64; - int64_t utc_seconds; -@@ -367,7 +383,7 @@ int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *priva - - unsigned char *plaintext = NULL; - int plaintext_len; -- plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext); -+ plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext, use_pkcs1_padding); - free(encrypted_b64); - if (plaintext_len < 0) { - return -1; -diff --git a/src/iperf_auth.h b/src/iperf_auth.h -index ffadbf3e5..eedd45abd 100644 ---- a/src/iperf_auth.h -+++ b/src/iperf_auth.h -@@ -35,7 +35,7 @@ EVP_PKEY *load_pubkey_from_file(const char *file); - EVP_PKEY *load_pubkey_from_base64(const char *buffer); - EVP_PKEY *load_privkey_from_file(const char *file); - EVP_PKEY *load_privkey_from_base64(const char *buffer); --int encode_auth_setting(const char *username, const char *password, EVP_PKEY *public_key, char **authtoken); --int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *private_key, char **username, char **password, time_t *ts); -+int encode_auth_setting(const char *username, const char *password, EVP_PKEY *public_key, char **authtoken, int use_pkcs1_padding); -+int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *private_key, char **username, char **password, time_t *ts, int use_pkcs1_padding); - int check_authentication(const char *username, const char *password, const time_t ts, const char *filename, int skew_threshold); - ssize_t iperf_getpass (char **lineptr, size_t *n, FILE *stream); -diff --git a/src/iperf_locale.c b/src/iperf_locale.c -index ae0f63a41..9d94e0234 100644 ---- a/src/iperf_locale.c -+++ b/src/iperf_locale.c -@@ -148,6 +148,7 @@ const char usage_longstr[] = "Usage: iperf3 [-s|-c host] [options]\n" - " credentials\n" - " --time-skew-threshold time skew threshold (in seconds) between the server\n" - " and client during the authentication process\n" -+ " --use-pkcs1-padding use pkcs1 padding at your own risk\n" - #endif //HAVE_SSL - "Client specific:\n" - " -c, --client [%%] run in client mode, connecting to \n" -diff --git a/src/t_auth.c b/src/t_auth.c -index 77c225531..3b0fd2f32 100644 ---- a/src/t_auth.c -+++ b/src/t_auth.c -@@ -101,8 +101,9 @@ test_authtoken(const char *authUser, const char *authPassword, EVP_PKEY *pubkey, - char *decodePassword; - time_t decodeTime; - -- assert(encode_auth_setting(authUser, authPassword, pubkey, &authToken) == 0); -- assert(decode_auth_setting(0, authToken, privkey, &decodeUser, &decodePassword, &decodeTime) == 0); -+ int use_pkcs1_padding = 1; -+ assert(encode_auth_setting(authUser, authPassword, pubkey, &authToken, use_pkcs1_padding) == 0); -+ assert(decode_auth_setting(0, authToken, privkey, &decodeUser, &decodePassword, &decodeTime, use_pkcs1_padding) == 0); - - assert(strcmp(decodeUser, authUser) == 0); - assert(strcmp(decodePassword, authPassword) == 0); - -From 3006413849c0aa9a70503b736497130c781b4675 Mon Sep 17 00:00:00 2001 -From: "Bruce A. Mah" -Date: Mon, 22 Apr 2024 15:19:51 -0700 -Subject: [PATCH 2/3] Manual page update for --use-pkcs1-padding. - ---- - src/iperf3.1 | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/src/iperf3.1 b/src/iperf3.1 -index 2efd53dea..2561414f5 100644 ---- a/src/iperf3.1 -+++ b/src/iperf3.1 -@@ -193,6 +193,15 @@ parameter is specified in ms, and defaults to the system settings. - This functionality depends on the TCP_USER_TIMEOUT socket option, and - will not work on systems that do not support it. - .TP -+.BR --use-pkcs1-padding -+This option is only meaningful when using iperf3's authentication -+features. Versions of iperf3 prior to 3.17 used PCKS1 padding in the -+RSA-encrypted credentials, which was vulnerable to a side-channel -+attack that could reveal a server's private key. Beginning with -+iperf-3.17, OAEP padding is used, however this is a breaking change -+that is not compatible with older iperf3 versions. Use this option to -+preserve the less secure, but more compatible, behavior. -+.TP - .BR -d ", " --debug " " - emit debugging output. - Primarily (perhaps exclusively) of use to developers. - -From fbd99b145c3e1b3890ff1dbdb20b91f631b3e85b Mon Sep 17 00:00:00 2001 -From: "Bruce A. Mah" -Date: Mon, 22 Apr 2024 16:13:19 -0700 -Subject: [PATCH 3/3] Treat a decryption error as an empty string. - ---- - src/iperf_auth.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/iperf_auth.c b/src/iperf_auth.c -index 398e7d76b..72e85fc9a 100644 ---- a/src/iperf_auth.c -+++ b/src/iperf_auth.c -@@ -336,8 +336,9 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt - OPENSSL_free(rsa_buffer); - BIO_free(bioBuff); - -- if (plaintext_len <= 0) { -- goto errreturn; -+ /* Treat a decryption error as an empty string. */ -+ if (plaintext_len < 0) { -+ plaintext_len = 0; - } - - return plaintext_len; diff --git a/iperf-3.16.tar.gz b/iperf-3.16.tar.gz deleted file mode 100644 index 3320ee949dc47da69880cdad0d143caaf2d7c100..0000000000000000000000000000000000000000 Binary files a/iperf-3.16.tar.gz and /dev/null differ diff --git a/iperf-3.18.tar.gz b/iperf-3.18.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..5ad512f9885110d4270d4a5ee83c207dabc3017a Binary files /dev/null and b/iperf-3.18.tar.gz differ diff --git a/iperf3.spec b/iperf3.spec index 12e3b532695fd9769c19883753043d053260205a..bbd37e9c32d1ee9e46b02801c20f3434f6e027d7 100644 --- a/iperf3.spec +++ b/iperf3.spec @@ -1,11 +1,10 @@ Name: iperf3 -Version: 3.16 -Release: 3 +Version: 3.18 +Release: 1 Summary: TCP,UDP,and SCTP network bandwidth measurement tool -License: BSD -URL: http://github.com/esnet/iperf +License: BSD-3-Clause +URL: https://github.com/esnet/iperf Source0: https://github.com/esnet/iperf/archive/%{version}/iperf-%{version}.tar.gz -Patch0: CVE-2024-26306.patch BuildRequires: libuuid-devel gcc lksctp-tools-devel Requires: lksctp-tools @@ -41,7 +40,7 @@ mkdir -p %{buildroot}%{_mandir}/man1 %files %defattr(-,root,root) %doc README.md RELNOTES.md -%license LICENSE _esnet/LICENSE +%license LICENSE %{_bindir}/iperf3 %{_libdir}/*.so.* @@ -56,6 +55,31 @@ mkdir -p %{buildroot}%{_mandir}/man1 %{_mandir}/man3/libiperf.3.gz %changelog +* Mon Dec 23 2024 yaoxin - 3.18-1 +- Update to 3.18 for fix CVE-2024-53580 + +* Sun Sep 29 2024 jiangjixiang - 3.17.1-4 +- Relocate patches from upstream communities to performance enhancement for iperf_time_add(). + +* Sun Sep 29 2024 jiangjixiang - 3.17.1-3 +- Relocate patches from upstream communities to fix incorrect freeaddrinfo call. + +* Thu Sep 26 2024 jiangjixiang - 3.17.1-2 +- Relocate patches from upstream communities to fix thread duplicate recycling issue. + +* Tue Jul 09 2024 wangkai <13474090681@163.com> - 3.17.1-1 +- Update to 3.17.1 +- iperf3 no longer changes its current working directory in --daemon mode. This results in more + predictable behavior with relative paths, in particular finding key and credential files for authentication. +- A new --json-stream option has been added to enable a streaming output format, consisting of + a series of JSON objects (for the start of the test, each measurement interval, and the end of the test) separated by newlines +- UDP tests now work correctly between different endian hosts +- The --fq-rate parameter now works for --reverse tests +- The statistics reporting interval is now available in the --json start test object + +* Thu Jun 06 2024 zhangxingrong - 3.16-4 +- iperf3 now builds correctly on architectures without native support for 64-bit atomic types, by linking with the libatomic library + * Tue May 14 2024 wangkai <13474090681@163.com> - 3.16-3 - Fix CVE-2024-26306 diff --git a/iperf3.yaml b/iperf3.yaml index bef9c112ef841fd5ba4e1dcb32ea4a26e7b26ff6..9bf298060ee4fe529d42702723c4465490352cc8 100644 --- a/iperf3.yaml +++ b/iperf3.yaml @@ -1,4 +1,4 @@ version_control: github src_repo: esnet/iperf -tag_prefix: ^v -seperator: . +tag_prefix: ^ +separator: .