diff --git a/SOURCES/libreswan-3.25-1844621-FIPS-RSA-ECDSA.patch b/SOURCES/libreswan-3.25-1844621-FIPS-RSA-ECDSA.patch
new file mode 100644
index 0000000..f8e2cf8
--- /dev/null
+++ b/SOURCES/libreswan-3.25-1844621-FIPS-RSA-ECDSA.patch
@@ -0,0 +1,36 @@
+diff -Naur libreswan-3.25-orig/include/pluto_constants.h libreswan-3.25/include/pluto_constants.h
+--- libreswan-3.25-orig/include/pluto_constants.h 2020-06-15 22:27:53.657860192 -0400
++++ libreswan-3.25/include/pluto_constants.h 2020-06-15 22:31:23.798926660 -0400
+@@ -38,7 +38,7 @@
+ #define IPSEC_SA_LIFETIME_DEFAULT secs_per_hour * 8
+ #define IPSEC_SA_LIFETIME_MAXIMUM secs_per_day
+ #define FIPS_IPSEC_SA_LIFETIME_MAXIMUM secs_per_hour * 8
+-#define FIPS_MIN_RSA_KEY_SIZE 3072
++#define FIPS_MIN_RSA_KEY_SIZE 2048 /* 112 bits, see SP800-131A */
+ 
+ #define PLUTO_SHUNT_LIFE_DURATION_DEFAULT (15 * secs_per_minute)
+ #define PLUTO_HALFOPEN_SA_LIFE (secs_per_minute )
+diff -Naur libreswan-3.25-orig/programs/pluto/connections.c libreswan-3.25/programs/pluto/connections.c
+--- libreswan-3.25-orig/programs/pluto/connections.c 2020-06-15 22:27:53.657860192 -0400
++++ libreswan-3.25/programs/pluto/connections.c 2020-06-15 22:34:55.652026252 -0400
+@@ -832,7 +832,7 @@
+ if (libreswan_fipsmode()) {
+ SECKEYPublicKey *pk = CERT_ExtractPublicKey(cert);
+ passert(pk != NULL);
+- if (pk->u.rsa.modulus.len * BITS_PER_BYTE < FIPS_MIN_RSA_KEY_SIZE) {
++ if (pk->keyType == rsaKey && ((pk->u.rsa.modulus.len * BITS_PER_BYTE) < FIPS_MIN_RSA_KEY_SIZE)) {
+ whack_log(RC_FATAL,
+ "FIPS: Rejecting cert with key size %d which is under %d",
+ pk->u.rsa.modulus.len * BITS_PER_BYTE,
+diff -Naur libreswan-3.25-orig/programs/pluto/nss_cert_verify.c libreswan-3.25/programs/pluto/nss_cert_verify.c
+--- libreswan-3.25-orig/programs/pluto/nss_cert_verify.c 2020-06-15 22:27:53.655860154 -0400
++++ libreswan-3.25/programs/pluto/nss_cert_verify.c 2020-06-15 22:33:52.690807882 -0400
+@@ -458,7 +458,7 @@
+ if (libreswan_fipsmode()) {
+ SECKEYPublicKey *pk = CERT_ExtractPublicKey(cert);
+ passert(pk != NULL);
+- if ((pk->u.rsa.modulus.len * BITS_PER_BYTE) < FIPS_MIN_RSA_KEY_SIZE) {
++ if (pk->keyType == rsaKey && ((pk->u.rsa.modulus.len * BITS_PER_BYTE) < FIPS_MIN_RSA_KEY_SIZE)) {
+ 
libreswan_log("FIPS: Rejecting peer cert with key size %d under %d", + pk->u.rsa.modulus.len * BITS_PER_BYTE, + FIPS_MIN_RSA_KEY_SIZE); diff --git a/SPECS/libreswan.spec b/SPECS/libreswan.spec index 417d0ef..fac1da0 100644 --- a/SPECS/libreswan.spec +++ b/SPECS/libreswan.spec @@ -24,7 +24,7 @@ Name: libreswan Summary: IPsec implementation with IKEv1 and IKEv2 keying protocols Version: 3.25 -Release: %{?prever:0.}8.1%{?prever:.%{prever}}%{?dist} +Release: %{?prever:0.}9.1%{?prever:.%{prever}}%{?dist} License: GPLv2 Group: System Environment/Daemons Url: https://libreswan.org/ @@ -45,6 +45,7 @@ Patch9: libreswan-3.25-1679735-critical_flag.patch Patch10: libreswan-3.25-1673105-down-restart.patch Patch11: libreswan-3.25-1686991-ikev1-del.patch Patch12: libreswan-3.25-1724200-halfopen-shunt.patch +Patch13: libreswan-3.25-1844621-FIPS-RSA-ECDSA.patch Requires: iproute >= 2.6.8 Requires: nss-tools nss-softokn @@ -146,6 +147,7 @@ Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04 %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 %build %if %{buildefence} @@ -349,8 +351,11 @@ fi %endif %changelog -* Wed Aug 28 2019 Paul Wouters - 3.25-8.1 -- Resolves: rhbz#1746052 libreswan: XFRM policy for OE/32 peer is deleted when shunts for previous half-open state expire [rhel-7.7.z] +* Tue Jun 16 2020 Paul Wouters - 3.25-9.1 +- Resolves: rhbz#1844621 Backport FIPS keysize fixes from RHEL8 + +* Mon Aug 26 2019 Paul Wouters - 3.25-9 +- Resolves: rhbz#1724200 libreswan: XFRM policy for OE/32 peer is deleted when shunts for previous half-open state expire * Tue May 07 2019 Paul Wouters - 3.25-8 - Resolves: rhbz#1686991 IKEv1 traffic interruption when responder deletes SAs 60 seconds before EVENT_SA_REPLACE
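Review bot: With the added `pk->keyType == rsaKey &&` guard in both connections.c and nss_cert_verify.c, the FIPS key-size floor now applies to RSA only, so a certificate carrying any other key type (ECDSA, but equally DSA) passes this block with no strength check at all. If the intent is to rely on NSS's own FIPS policy for curve and key-type restrictions, say so in a comment above the test, for example `/* only RSA is size-checked here; strength of EC and other key types is left to NSS in FIPS mode */`; otherwise the block needs an explicit branch on `pk->keyType` that rejects types it does not evaluate. Both enclosing blocks start and end outside the inner hunks, so whether `pk` from `CERT_ExtractPublicKey()` is released on the accept and reject paths cannot be confirmed from what is shown here.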