From dbba7e61b5e8ea576d8605581af6214a69a52ab5 Mon Sep 17 00:00:00 2001
From: zhangxingrong
Date: Mon, 20 May 2024 14:35:04 +0800
Subject: [PATCH] backport some upstream patchs
---
 ...ID-when-parsing-OCSP-response-errors.patch | 51 ++++++++
 ...rId-as-ASN.1-CHOICE-in-OCSP-response.patch | 122 ++++++++++++++++++
 strongswan.spec | 7 +-
 3 files changed, 179 insertions(+), 1 deletion(-)
 create mode 100644 0001-Correctly-handle-missing-responder-ID-when-parsing-OCSP-response-errors.patch
 create mode 100644 0002-Correctly-parse-responderId-as-ASN.1-CHOICE-in-OCSP-response.patch
diff --git a/0001-Correctly-handle-missing-responder-ID-when-parsing-OCSP-response-errors.patch b/0001-Correctly-handle-missing-responder-ID-when-parsing-OCSP-response-errors.patch
new file mode 100644
index 0000000..c669f97
--- /dev/null
+++ b/0001-Correctly-handle-missing-responder-ID-when-parsing-OCSP-response-errors.patch
@@ -0,0 +1,51 @@
+From 585c40095a3a92e058c5d1d61137232f17f72195 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Thu, 23 Nov 2023 11:32:15 +0100
+Subject: [PATCH] x509: Correctly handle missing responder ID when parsing OCSP
+ response errors
+
+The has_issuer() and issued_by() methods relied on it to be defined, so
+if the OCSP response wasn't successful (i.e. OCSP status indicates an
+error and no OCSP response is parsed), a null-pointer dereference was
+caused if the caller checked if the OCSP response was issued by a
+specific certificate.
+
+That's a side-effect of the referenced commit. Previously, error codes
+caused the OCSP response to not get parsed successfully, which technically
+wasn't correct as it's well formed and successfully parsed, it's just
+indicating an error state.
+
+Fixes: 00ab8d62c089 ("x509: Support generation of OCSP responses")
+
+Conflict:The number of modified lines is different from the upstream community
+Reference:https://github.com/strongswan/strongswan/commit/585c40095a3a92e058c5d1d61137232f17f72195
+---
+ src/libstrongswan/plugins/x509/x509_ocsp_response.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+index 3badf36b979..89249c113d9 100644
+--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
++++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+@@ -712,7 +712,11 @@ METHOD(certificate_t, get_issuer, identification_t*,
+ METHOD(certificate_t, has_issuer, id_match_t,
+ private_x509_ocsp_response_t *this, identification_t *issuer)
+ {
+- return this->responderId->matches(this->responderId, issuer);
++ if (this->responderId)
++ {
++ return this->responderId->matches(this->responderId, issuer);
++ }
++ return ID_MATCH_NONE;
+ }
+
+ METHOD(certificate_t, issued_by, bool,
+@@ -723,7 +727,7 @@ METHOD(certificate_t, issued_by, bool,
+ bool valid;
+ x509_t *x509 = (x509_t*)issuer;
+
+- if (issuer->get_type(issuer) != CERT_X509)
++ if (issuer->get_type(issuer) != CERT_X509 || !this->responderId)
+ {
+ return FALSE;
+ }
diff --git a/0002-Correctly-parse-responderId-as-ASN.1-CHOICE-in-OCSP-response.patch b/0002-Correctly-parse-responderId-as-ASN.1-CHOICE-in-OCSP-response.patch
new file mode 100644
index 0000000..e0d027c
--- /dev/null
+++ b/0002-Correctly-parse-responderId-as-ASN.1-CHOICE-in-OCSP-response.patch
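Review bot: The NULL guard is added to has_issuer() and issued_by() only, while get_issuer() — which the hunk header `@@ -712,7 +712,11 @@ METHOD(certificate_t, get_issuer, identification_t*,` shows immediately precedes has_issuer() and whose body is outside this hunk — is left as is; if it returns `this->responderId` unguarded (not visible here), a caller holding an error-status response still gets NULL back and dereferences it on the next method call. Given that the backport note says the line count differs from upstream, every other reader of `this->responderId` in this file (encoding, printing, issuer accessors) should be checked for the same condition before this lands. The direction of the change itself is safe: an error-status response matches no issuer and is never reported as issued by the given certificate. A short comment above has_issuer() would save the next reader the same investigation, e.g. `/* responderId is NULL for error-status responses, where no BasicOCSPResponse was parsed */`. issued_by()'s body continues outside the hunk.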
@@ -0,0 +1,122 @@
+From e7a58f46f97583a532b481bb1805aeb5208af565 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner
+Date: Thu, 23 Nov 2023 16:52:55 +0100
+Subject: [PATCH] x509: Correctly parse responderId as ASN.1 CHOICE in OCSP
+ response
+
+The two OPTs that were used previously allowed to omit it completely (hence
+the fallback to ID_ANY), but that's invalid, so it's better to fail
+parsing.
+
+Conflict:The number of modified lines is different from the upstream community PR
+Reference:https://github.com/strongswan/strongswan/commit/e7a58f46f97583a532b481bb1805aeb5208af565
+---
+ .../plugins/x509/x509_ocsp_response.c | 85 +++++++++----------
+ 1 file changed, 40 insertions(+), 45 deletions(-)
+
+diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+index 89249c113d9..a47bcc367cd 100644
+--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
++++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+@@ -470,49 +470,49 @@ end:
+ * ASN.1 definition of basicResponse
+ */
+ static const asn1Object_t basicResponseObjects[] = {
+- { 0, "BasicOCSPResponse", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+- { 1, "tbsResponseData", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
+- { 2, "versionContext", ASN1_CONTEXT_C_0, ASN1_NONE |
+- ASN1_DEF }, /* 2 */
+- { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
+- { 2, "responderIdContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 4 */
+- { 3, "responderIdByName", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */
+- { 2, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
+- { 2, "responderIdContext", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 7 */
+- { 3, "responderIdByKey", ASN1_OCTET_STRING, ASN1_BODY }, /* 8 */
+- { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */
+- { 2, "producedAt", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 10 */
+- { 2, "responses", ASN1_SEQUENCE, ASN1_OBJ }, /* 11 */
+- { 2, "responseExtensionsContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 12 */
+- { 3, "responseExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 13 */
+- { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 14 */
+- { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 15 */
+- { 5, "critical", ASN1_BOOLEAN, ASN1_BODY |
+- ASN1_DEF }, /* 16 */
+- { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 17 */
+- { 3, "end loop", ASN1_EOC, ASN1_END }, /* 18 */
+- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 19 */
+- { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 20 */
+- { 1, "signature", ASN1_BIT_STRING, ASN1_BODY }, /* 21 */
+- { 1, "certsContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 22 */
+- { 2, "certs", ASN1_SEQUENCE, ASN1_LOOP }, /* 23 */
+- { 3, "certificate", ASN1_SEQUENCE, ASN1_RAW }, /* 24 */
+- { 2, "end loop", ASN1_EOC, ASN1_END }, /* 25 */
+- { 1, "end opt", ASN1_EOC, ASN1_END }, /* 26 */
+- { 0, "exit", ASN1_EOC, ASN1_EXIT }
++ { 0, "BasicOCSPResponse", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
++ { 1, "tbsResponseData", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */
++ { 2, "versionContext", ASN1_CONTEXT_C_0, ASN1_NONE|ASN1_DEF }, /* 2 */
++ { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */
++ { 2, "responderId", ASN1_EOC, ASN1_CHOICE }, /* 4 */
++ { 3, "responderIdContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 5 */
++ { 4, "responderIdByName", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
++ { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 7 */
++ { 3, "responderIdContext", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 8 */
++ { 4, "responderIdByKey", ASN1_OCTET_STRING, ASN1_BODY }, /* 9 */
++ { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 10 */
++ { 2, "end choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 11 */
++ { 2, "producedAt", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 12 */
++ { 2, "responses", ASN1_SEQUENCE, ASN1_OBJ }, /* 13 */
++ { 2, "responseExtensionsContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 14 */
++ { 3, "responseExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 15 */
++ { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 16 */
++ { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 17 */
++ { 5, "critical", ASN1_BOOLEAN, ASN1_BODY | ASN1_DEF }, /* 18 */
++ { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 19 */
++ { 3, "end loop", ASN1_EOC, ASN1_END }, /* 20 */
++ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 21 */
++ { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 22 */
++ { 1, "signature", ASN1_BIT_STRING, ASN1_BODY }, /* 23 */
++ { 1, "certsContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 24 */
++ { 2, "certs", ASN1_SEQUENCE, ASN1_LOOP }, /* 25 */
++ { 3, "certificate", ASN1_SEQUENCE, ASN1_RAW }, /* 26 */
++ { 2, "end loop", ASN1_EOC, ASN1_END }, /* 27 */
++ { 1, "end opt", ASN1_EOC, ASN1_END }, /* 28 */
++ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+ };
+ #define BASIC_RESPONSE_TBS_DATA 1
+ #define BASIC_RESPONSE_VERSION 3
+-#define BASIC_RESPONSE_ID_BY_NAME 5
+-#define BASIC_RESPONSE_ID_BY_KEY 8
+-#define BASIC_RESPONSE_PRODUCED_AT 10
+-#define BASIC_RESPONSE_RESPONSES 11
+-#define BASIC_RESPONSE_EXT_ID 15
+-#define BASIC_RESPONSE_CRITICAL 16
+-#define BASIC_RESPONSE_EXT_VALUE 17
+-#define BASIC_RESPONSE_ALGORITHM 20
+-#define BASIC_RESPONSE_SIGNATURE 21
+-#define BASIC_RESPONSE_CERTIFICATE 24
++#define BASIC_RESPONSE_ID_BY_NAME 6
++#define BASIC_RESPONSE_ID_BY_KEY 9
++#define BASIC_RESPONSE_PRODUCED_AT 12
++#define BASIC_RESPONSE_RESPONSES 13
++#define BASIC_RESPONSE_EXT_ID 17
++#define BASIC_RESPONSE_CRITICAL 18
++#define BASIC_RESPONSE_EXT_VALUE 19
++#define BASIC_RESPONSE_ALGORITHM 22
++#define BASIC_RESPONSE_SIGNATURE 23
++#define BASIC_RESPONSE_CERTIFICATE 26
+
+ /**
+ * Parse a basicOCSPResponse
+@@ -615,11 +615,6 @@ end:
+ parser->destroy(parser);
+ if (success)
+ {
+- if (!this->responderId)
+- {
+- this->responderId = identification_create_from_encoding(ID_ANY,
+- chunk_empty);
+- }
+ success = parse_responses(this, responses, responses_level);
+ }
+ return success;
diff --git a/strongswan.spec b/strongswan.spec
index 4da4084..d1ee4c9 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -1,6 +1,6 @@
 Name: strongswan
 Version: 5.9.10
-Release: 4
+Release: 5
 Summary: An OpenSource IPsec-based VPN and TNC solution
 License: GPLv2+
 URL: http://www.strongswan.org/
@@ -10,6 +10,8 @@
 Patch0: remove-warning-no-format.patch
 Patch1: aes-crypter-support-sw64-arch.patch
 # https://download.strongswan.org/security/CVE-2023-41913/strongswan-5.9.7-5.9.11_charon_tkm_dh_len.patch
 Patch2: CVE-2023-41913.patch
+Patch3: 0001-Correctly-handle-missing-responder-ID-when-parsing-OCSP-response-errors.patch
+Patch4: 0002-Correctly-parse-responderId-as-ASN.1-CHOICE-in-OCSP-response.patch
 BuildRequires: gcc chrpath autoconf automake libtool tpm2-abrmd
 BuildRequires: systemd-devel gmp-devel libcurl-devel NetworkManager-libnm-devel openldap-devel
@@ -195,6 +197,9 @@ echo "%{_libdir}/strongswan" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.co
 %{_libexecdir}/strongswan/charon-nm
 %changelog
+* Mon May 20 2024 zhangxingrong - 5.9.10-5
+- backport some upstream patchs
+
 * Thu Dec 14 2023 yaoxin - 5.9.10-4
 - Fix CVE-2023-41913
-- Gitee
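Review bot: Patch3 and Patch4 are declared in the `@@ -10,6 +10,8 @@` hunk, but the %prep section is not part of this diff; if the spec applies patches with explicit `%patch -P N` lines rather than `%autosetup -p1`, both need matching entries or they are declared and never applied, so that should be verified before the build is trusted to contain the fix. For consistency with Patch2, which carries its source URL in a comment, the new entries should cite their upstream commits: `# https://github.com/strongswan/strongswan/commit/585c40095a3a92e058c5d1d61137232f17f72195` above Patch3 and `# https://github.com/strongswan/strongswan/commit/e7a58f46f97583a532b481bb1805aeb5208af565` above Patch4. The changelog entry `- backport some upstream patchs` has a typo and says nothing about what changed; something like `- backport upstream fixes for NULL responderId handling in OCSP responses` tells a packager why this release exists.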