[strongSwan] User openssl's PUBKEY_VERIFY instead of gmp's for CVE-2017-11185

karthik kumar kumarkarthikn at gmail.com
Sun Aug 20 09:49:49 CEST 2017 

Hi,
   We are trying to mitigate CVE-2017-11185. We use older than 5.6.0
version of strongswan and upgrading will take significant time/effort.

The vulnerability is while gmp plugin doing signature verification, and I
found that the same feature is provided by openssl (and gcrypt) so our plan
is to use openssl plugin,

*OPENSSL is enabled *
*Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL
in plugin 'openssl'*
*Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1
in plugin 'openssl'*
*Aug 19 19:14:41 00[LIB] loading feature
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224 in plugin 'openssl'*
*Aug 19 19:14:41 00[LIB] loading feature
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256 in plugin 'openssl'*
*Aug 19 19:14:41 00[LIB] loading feature
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384 in plugin 'openssl'*
*.... <and so on>*

*GMP*
Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_NULL
in plugin 'gmp'
Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA1
in plugin 'gmp'
Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA224
in plugin 'gmp'
Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA256
in plugin 'gmp'
Aug 19 19:14:41 00[LIB] loading feature PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA384
in plugin 'gmp'
... <and so on>

I have a couple of questions,
a. how do I determine if its safe to disable (load = no) the gmp plugin ? I
compared all features of GMP listed in the log against openssl plugin
features, and all of them are available in Openssl plugin. Is that enough
or anything else I should consider checking before turning off gmp plugin ?
(i have tested disabling gmp in my local and esp packets are created and
sent properly)

b. I tried to increase the priority of openssl (load = 2) plugin. But I
can't find a way to verify that signature verification is done by openssl
plugin and not gmp plugin. Is there a way I can verify that ? (or rather
how do I verify which plugin is executing certain feature when the same
feature is provided by two loaded plugins)


Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170820/fbbe86c8/attachment.html>

More information about the Users mailing list