From patchwork Tue Jun 9 09:24:02 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nitin Wankhade X-Patchwork-Id: 89530 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2F78ACD8CA4 for ; Tue, 9 Jun 2026 09:25:28 +0000 (UTC) Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com [209.85.210.180]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.75306.1780997127822416515 for ; Tue, 09 Jun 2026 02:25:27 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=eVWcLTBA; spf=pass (domain: gmail.com, ip: 209.85.210.180, mailfrom: nitin.wankhade333@gmail.com) Received: by mail-pf1-f180.google.com with SMTP id d2e1a72fcca58-842204fcca4so365173b3a.3 for ; Tue, 09 Jun 2026 02:25:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780997127; x=1781601927; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=s+O7T1rT9lELc7OPRsrboWxXfR8R9oy8K+CzMG7tM+A=; b=eVWcLTBAcYXk9gzzGXPxc22MOIpkwOB7cXAmLY5ECwA/OgAlM6T7qQT9AHcxbPpLeA g/WmM8NfgJ85YtIeJdppbjrhlibYOu7+xoWIzWi9wuam2WzAKUBd/BSF4r/poTHf0FD1 rpmd+iAk7+cOW5k9aUkRDifjbJ1Zdcb99KVEN9+PsEl3DC5Uw7AHZWt3HI0yp9BLYMzS XA6+Do2s6dHvEMqb4lcWGCVJIlC9IWLCvP39R/bz7K3OVKsnPEbBY+3KPIpKHfLBQoQx /7vY14tLBdXgo1UrJCZpXZNxjJkSKA9DelMZcVZpKMLFEh6cpRcaEmNbEfDyIncMFZ7O TUtA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780997127; x=1781601927; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=s+O7T1rT9lELc7OPRsrboWxXfR8R9oy8K+CzMG7tM+A=; b=WI+eIQHF9mXVihZjZAfV+I2CZgWJ468uwAVkbES1toNZ9LnSnmqbSZh7LFRbr6FIBU GMmqJxRCsTCCgfZQ8YrlwzKFYO8bM0XeI5pNgzAoDLz4Jttmm+8oVv3HUNS8TdDfp8T0 LVNUzAE5BRlKFp4MXdMInV2n3BX8Z9ZpLv6rmOmPdffwMHIjkGN8SVh54u92D50KZnFr H/bZzN1e92mZtMY47uVIpPhDej+fHhIDUoXGcPQnsvZHE3GmVbCFp+OB4RUsR5bENVnO oelmY9p/59bLhL6BhK4Wdws7qjRMGa9ZwuXqpckJaGBdLGC3rMWHLZOUnK1zQgQKi2iD ZmCQ== X-Gm-Message-State: AOJu0YxRqH47yLSJw8J646W/8I7N7mAPq5UupRovK60PStf5QilqwHE+ IuG+vF2l7xH5s9/v0kw7qXI46FDmIly8GQdvxvljq2hDOSlrE3uFOuOELWRwgkBYf8Z9XA== X-Gm-Gg: Acq92OGdT9Y5jZQUVai42q+st/M/VX5Q7VTQoYkuMYv/BwVbOfxl7AgiWy+JyZSUYux /EBm84hCEbjFTuKpixLqjs6lS5s36db9KtbgQrnKhSWU4Vjfy+WBA7xwkxyLrn0lA5D8UO+JV+K 2KXOFC8X/a4iCpM/ZuvflMaR2bcdoD/uXkMvdJtlHp2uvHXUJqp9fKUPVT05fsnNvL4c3nbab1v 4x8r02VZYwgSDa5i9xHGgbVxlKEcwAWXEM9cXj+qk6UrGaoonkps88TPc/rV/3FahZUDIyvaAqU swhITM4miDNTlJIZ4yJdJhf3CRigvRWUnbkYd+LBVzJO/WeqfdRT3ENTP89J4TCjy10hIEWSbUk 0/8KPqvHFgAPlWkugvtgQO2txJxk0D8M0b0CWVS7HWdVmSGwC/Eb/7wGkA3NZNf9x3JbtsbG5rD VIxdNpJCEDIk9C4VHwlziF4BVKI/kmZQL28JK+/dCgO0O2mTBKbD+Dr+B8k00QTQ== X-Received: by 2002:a05:6a21:4582:b0:3b4:895f:6abf with SMTP id adf61e73a8af0-3b4cd4970acmr11105600637.3.1780997127262; Tue, 09 Jun 2026 02:25:27 -0700 (PDT) Received: from L-15597L.www.tendawifi.com ([36.255.86.179]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c85df043223sm16496633a12.8.2026.06.09.02.25.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 09 Jun 2026 02:25:26 -0700 (PDT) From: Nitin Wankhade To: openembedded-devel@lists.openembedded.org Cc: Nitin.Wankhade@kpit.com Subject: [OE-core][scarthgap][PATCH V2 1/6] strongswan: Fix CVE-2026-35328 Date: Tue, 9 Jun 2026 14:54:02 +0530 Message-Id: <20260609092407.893299-1-nitin.wankhade333@gmail.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Jun 2026 09:25:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127446 Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/56c7f0d13dffcfebf4255470e375234144d28134] Signed-off-by: Nitin Wankhade --- ...nt-infinite-loop-if-supported-versio.patch | 42 +++++++++++++++++++ .../strongswan/strongswan_5.9.14.bb | 1 + 2 files changed, 43 insertions(+) create mode 100644 meta-networking/recipes-support/strongswan/strongswan/tls-server-Prevent-infinite-loop-if-supported-versio.patch diff --git a/meta-networking/recipes-support/strongswan/strongswan/tls-server-Prevent-infinite-loop-if-supported-versio.patch b/meta-networking/recipes-support/strongswan/strongswan/tls-server-Prevent-infinite-loop-if-supported-versio.patch new file mode 100644 index 0000000000..9bd26409ff --- /dev/null +++ b/meta-networking/recipes-support/strongswan/strongswan/tls-server-Prevent-infinite-loop-if-supported-versio.patch @@ -0,0 +1,42 @@ +From: Tobias Brunner +Date: Wed, 25 Mar 2026 10:17:46 +0100 +Subject: tls-server: Prevent infinite loop if supported versions are too + short + +If the extension doesn't contain a multiple of two bytes, the previous +code would get stuck in an infinite loop as `remaining()` continued to +return TRUE while `read_uint16()` failed to parse a value. Initiating +several connections with such an extension allows a DoS attack as no +threads would eventually be available to handle packets/events. + +Fixes: 7fbe2e27ecf6 ("tls-server: TLS 1.3 support for TLS server implementation") +Fixes: CVE-2026-35328 + +CVE: CVE-2026-35328 +Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/56c7f0d13dffcfebf4255470e375234144d28134] +Signed-off-by: Nitin Wankhade +=== +diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c +index 3ad9fd2..7b2238e 100644 +--- a/src/libtls/tls_server.c ++++ b/src/libtls/tls_server.c +@@ -471,15 +471,12 @@ static status_t process_client_hello(private_tls_server_t *this, + bio_reader_t *client_versions; + + client_versions = bio_reader_create(versions); +- while (client_versions->remaining(client_versions)) ++ while (client_versions->read_uint16(client_versions, &version)) + { +- if (client_versions->read_uint16(client_versions, &version)) ++ if (this->tls->set_version(this->tls, version, version)) + { +- if (this->tls->set_version(this->tls, version, version)) +- { +- this->client_version = version; +- break; +- } ++ this->client_version = version; ++ break; + } + } + client_versions->destroy(client_versions); diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb index 7cc67e4d92..6fbc345923 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb @@ -12,6 +12,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \ file://CVE-2025-62291.patch \ file://CVE-2026-25075.patch \ file://CVE-2026-35334.patch \ + file://tls-server-Prevent-infinite-loop-if-supported-versio.patch \ " SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678" From patchwork Tue Jun 9 09:24:03 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nitin Wankhade X-Patchwork-Id: 89531 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 25CD0CD6E79 for ; Tue, 9 Jun 2026 09:25:38 +0000 (UTC) Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com [209.85.216.41]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.75307.1780997131071014359 for ; Tue, 09 Jun 2026 02:25:31 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=Sr8u176j; spf=pass (domain: gmail.com, ip: 209.85.216.41, mailfrom: nitin.wankhade333@gmail.com) Received: by mail-pj1-f41.google.com with SMTP id 98e67ed59e1d1-36bb43a58c7so485285a91.1 for ; Tue, 09 Jun 2026 02:25:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780997130; x=1781601930; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=XtihX0H6VWFmWvZEttFfjIWuKnz2XMOuuUzgEWaAY6I=; b=Sr8u176jkAbrA8V4CfEw9s62AS/qH9T8iCR+M2+bIUVFAc1UKLu9m44CI4TBCSIZXo EtoZ/t8n7ifz8ZRjIs+h1vB86npNRY9ZCo9Gme4VtyPsGwZMToJLTax0/Hv1DiXXzhBx RhwSUcjnlR+l9taCZeBIeBEMphgsKV+OsyQ1wKRlZvOovcFoxkAbjlRuRsmEf4VyUMF9 LLc6Hko8PBKkkkcgSOdg4/1FZ3Q9OR+NwWoGFSI43nC+uVJTuwie93FIajKQOiNdqbwq ZlzpgMKMx1EAFCQAuOdgIrLITIzPaafZ9fRCheI58QnVedfGSv5WLo1qgEMLXZWEfhqR dXOA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780997130; x=1781601930; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=XtihX0H6VWFmWvZEttFfjIWuKnz2XMOuuUzgEWaAY6I=; b=mX3VhuGhHEbW5mFNo0szoLaaHrjvEpR/18EkNg0dw/LhMcQZuhBLqugLkN/+NbHl30 bR93XYGfEEHgSF/XGoB+arVIFht+LqAf2Zf3Qb6VaBNR79DuzG7QQqIwRMoAexInvMbj d5Ypg1a8a++4JYlfj8WNu3dEgKTgj7o6Xr2o4nuDoMB8vO1SlmG2bZKfi5aaDvMjKom9 PNSOFSNc/HjPZNWvrZOQdl7uCDFdlZOCTdpYk/ThwrqcWDrZ+WLVCQRuR/qoSFh04dwA +aOiMv5SaOJaAzR4V1SLHDD4APheqfNbL8BwYX0BQE3+ljNapzL7lKAh+opP4JP3CESW oUgQ== X-Gm-Message-State: AOJu0YwD4HEsmLN18rD5xZN9e7j0Mzkq0/L0u+ijbMZWcl/hg+LN4IeP 8U4UbGNJX5aCxNJJutT1cr9bw/NOKtf/eP3XHZnY2sn19IDyGTggMuASnlRLed3eMz2kZw== X-Gm-Gg: Acq92OE1T7M77eJaGmNGwGdq1KReqhNvZBwPi9Mr+ZBOLDgWoynbLVW5H7G0SbYRlQ1 KqP1QY+gakc/ROtsLc/1MPzZgYMVN3AbIhnkXAS7aCYwqGtx4abDGG3MgYBe9Jd508lihiyN1sr lC9EZsgpac8GlG4kqmzMTgAn97J6k1U8VSRB6QUCYcOQM4JhIeZ5kdNs7FLFdw+3iKl5A0Dtx1Q wDKOVxq7tqKdhZhdQz1GWyAe9X98el+fMx1ynGmxztBfQeIAOL3mPI/22Yxr2QkKP1MtpjOVdWG MO1EDKwOb3AA6bzQVbdSxIdkvdPbz4uvH58iErx7OVjrT9eFSuVir61fmZl+M/i5tC4HN5GTU5U b+jLTu8ZUF99E0PeIgU5Ol4tYI0LRZcMbJJ6qOdYUvNFEEoum6yXbBi/99ZgImKo4Hsw4g3Bwbe GaNo2MKjTRDhruBW8Y/Pazgtdx2X1v2vZ7+T0dAiHUr65ck9BTsTfMk7rFOsRVng== X-Received: by 2002:a05:6a21:6f89:b0:3b4:6f05:8301 with SMTP id adf61e73a8af0-3b4cd48fbd0mr10651249637.7.1780997130301; Tue, 09 Jun 2026 02:25:30 -0700 (PDT) Received: from L-15597L.www.tendawifi.com ([36.255.86.179]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c85df043223sm16496633a12.8.2026.06.09.02.25.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 09 Jun 2026 02:25:29 -0700 (PDT) From: Nitin Wankhade To: openembedded-devel@lists.openembedded.org Cc: Nitin.Wankhade@kpit.com Subject: [OE-core][scarthgap][PATCH V2 2/6] strongswan: Fix CVE-2026-35329 Date: Tue, 9 Jun 2026 14:54:03 +0530 Message-Id: <20260609092407.893299-2-nitin.wankhade333@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260609092407.893299-1-nitin.wankhade333@gmail.com> References: <20260609092407.893299-1-nitin.wankhade333@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Jun 2026 09:25:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127447 Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/8dae5605a79666c6def907efd8c872c91d93de5b] [https://github.com/strongswan/strongswan/commit/4da84019ccec87fea161797af2901244fa5f170e] Signed-off-by: Nitin Wankhade --- ...d-NULL-pointer-dereference-when-veri.patch | 58 +++++++++++++++++++ .../strongswan/strongswan_5.9.14.bb | 1 + 2 files changed, 59 insertions(+) create mode 100644 meta-networking/recipes-support/strongswan/strongswan/pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch diff --git a/meta-networking/recipes-support/strongswan/strongswan/pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch b/meta-networking/recipes-support/strongswan/strongswan/pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch new file mode 100644 index 0000000000..c2e730bc54 --- /dev/null +++ b/meta-networking/recipes-support/strongswan/strongswan/pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch @@ -0,0 +1,58 @@ +From: Tobias Brunner +Date: Wed, 25 Mar 2026 10:28:45 +0100 +Subject: pkcs5/pkcs7: Avoid NULL pointer dereference when verifying padding + +Can be triggered via empty PKCS#7 encrypted- or enveloped-data content +in IKEv1 CERT payload. + +Fixes: 4076e3ee9121 ("Extract PKCS#5 handling from pkcs8 plugin to separate helper class") +Fixes: d7aa09104f08 ("Implement PKCS#7 enveloped-data parsing and decryption") +Fixes: CVE-2026-35329 + +CVE: CVE-2026-35329 +Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/8dae5605a79666c6def907efd8c872c91d93de5b] + [https://github.com/strongswan/strongswan/commit/4da84019ccec87fea161797af2901244fa5f170e] +Patch is refreshed as per the source code version 5.9.14 +Signed-off-by: Nitin Wankhade +=== +diff --git a/src/libstrongswan/crypto/pkcs5.c b/src/libstrongswan/crypto/pkcs5.c +index e48a9ad..134ccd3 100644 +--- a/src/libstrongswan/crypto/pkcs5.c ++++ b/src/libstrongswan/crypto/pkcs5.c +@@ -113,6 +113,11 @@ static bool verify_padding(crypter_t *crypter, chunk_t *blob) + { + uint8_t padding, count; + ++ if (!blob->len) ++ { ++ return FALSE; ++ } ++ + padding = count = blob->ptr[blob->len - 1]; + + if (padding > crypter->get_block_size(crypter)) +diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c +index 8b26bad..3d601d6 100644 +--- a/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c ++++ b/src/libstrongswan/plugins/pkcs7/pkcs7_enveloped_data.c +@@ -182,10 +182,17 @@ static bool decrypt(private_key_t *private, chunk_t key, chunk_t iv, int oid, + */ + static bool remove_padding(private_pkcs7_enveloped_data_t *this) + { +- u_char *pos = this->content.ptr + this->content.len - 1; +- u_char pattern = *pos; +- size_t padding = pattern; ++ u_char *pos, pattern; ++ size_t padding; + ++ if (!this->content.len) ++ { ++ return FALSE; ++ } ++ ++ pos = this->content.ptr + this->content.len - 1; ++ pattern = *pos; ++ padding = pattern; + if (padding > this->content.len) + { + DBG1(DBG_LIB, "padding greater than data length"); diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb index 6fbc345923..ac4bc5380b 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb @@ -13,6 +13,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \ file://CVE-2026-25075.patch \ file://CVE-2026-35334.patch \ file://tls-server-Prevent-infinite-loop-if-supported-versio.patch \ + file://pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch \ " SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678" From patchwork Tue Jun 9 09:24:04 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Nitin Wankhade X-Patchwork-Id: 89532 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 272C0CD8CA7 for ; Tue, 9 Jun 2026 09:25:38 +0000 (UTC) Received: from mail-pg1-f174.google.com (mail-pg1-f174.google.com [209.85.215.174]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.75308.1780997136379072439 for ; Tue, 09 Jun 2026 02:25:36 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=icYjT/nP; spf=pass (domain: gmail.com, ip: 209.85.215.174, mailfrom: nitin.wankhade333@gmail.com) Received: by mail-pg1-f174.google.com with SMTP id 41be03b00d2f7-c85a2981725so385480a12.0 for ; Tue, 09 Jun 2026 02:25:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780997136; x=1781601936; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=xGHjVZuC4ahqLjyXH/jc/J6mqcuAJOP0QbXfuASM34c=; b=icYjT/nPc4PkMwQxi14DFaLpYFdxtWKV2n2owIdlJaI6rEUfZ8y1LV4ieS40rBGSDS gno+A/kL2TebIq5lTgNwZ/JRTf34iqrU8I2EF5HyRDmSz2MCqmSHvZoMD0q5kDuzgeok XfGqbfgSfYrBba7vYMaOsHzZbAigkZQMpthyhTGGTiBbsvBcL2rpC8eTIEwF06NotL8q rTYfhEtW91pAtgcrXS9tAkhCtHkX6M5+Z58dkgcqMB1AUjQQs2BiZDjGPpeYGn1QuLfr qOZXMLnFmjYCdPGeU6z/EY7n0XC7iI026IY2ek03a+58S2zYrwFMHPv8SIKZtPJu3YR2 l/uA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780997136; x=1781601936; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=xGHjVZuC4ahqLjyXH/jc/J6mqcuAJOP0QbXfuASM34c=; b=HxijSBrR/UuFws2ks892cPUaYKmDDyTGXvuI/tye8fOP+wxvSsGc/GyE2p29vFnnFS 5HgebhdGrgfi26odyvT0xjQhteYPptnEsctA3WkfO6NRK842gsF+2AAKF/BnVW2RLiqg rsPhA2HbAmfrCXyVGBHUTSTTKPu0Tvr6RP3//9nJciavSVTdHw8IUXyhgfbp5Hk1J9zr KqSbA5mRTuO7sL4z8EHldm3v3dGDDxxffARBYEePZG6nQwvrHau1n46aMdjAiT3MdBrb eMtOOt4sqmC5dhKRRW3S16EEYYTsCHA7XN6Dbn49eZQ0W9eccdeQgCM1ydALFok1g2ij cJLQ== X-Gm-Message-State: AOJu0Yzfv6AOpzZpNzOHCDcOtB7PyEd5R+HhJSX3H+IO8JNb7O5t4od7 WjcolRogzR0KMfqDwSffoyEkt8tCdJvfy/ZdM4Y3fbmgd2f2UlURZnkY3bZVmaD6XKJOKg== X-Gm-Gg: Acq92OG4wKXXDFrH4E6WM1AJRWLZ+UFpmj99yP/FS3LYHdImCDf8kL4lppWzB1lDxYq p7VLDkoivG9jzgDo3mD4Uy29Ep4lNtO/gGsJN3O8pLqujlN4R/x+9zlgGATPfjOThPw88xieLAL 45S8NDozczmH57vMraEZYL0yIqHZ4hytQFn6XXh89KBmR6rSm/+FKMVGbHqNE9NNFXE3ER2xlvJ 6a+nm609N1VF3Kg9666xYBnD12E49zXhKralYiMg1qBIBY5zAnpgoGpgEoyeWJLBi8sUCdJWOPX 3OrFhWdCtvIc0sDdhtSfiyyoGxM6DNRmXWtY1wkS+IgS+4TJ/97tH52+TtpPmWmBDaH2fK/kJXq z/2KCe5j5dfSBFeRd2bKB1TMXU692ZsHI5j5oSNxoWgUCqsAXlm8bWLdoa4JqQmGxnZimvtU0E3 iSvYeZGrn8NYowuH00Upsawvo/dQldSWfdiGII784hvS4+Qd5SfugI01w5JuSiIw== X-Received: by 2002:a05:6a21:2d4b:b0:3b2:875c:9ccb with SMTP id adf61e73a8af0-3b4cd441678mr10040682637.3.1780997135660; Tue, 09 Jun 2026 02:25:35 -0700 (PDT) Received: from L-15597L.www.tendawifi.com ([36.255.86.179]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c85df043223sm16496633a12.8.2026.06.09.02.25.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 09 Jun 2026 02:25:35 -0700 (PDT) From: Nitin Wankhade To: openembedded-devel@lists.openembedded.org Cc: Nitin.Wankhade@kpit.com Subject: [OE-core][scarthgap][PATCH V2 3/6] strongswan: Fix CVE-2026-35330 Date: Tue, 9 Jun 2026 14:54:04 +0530 Message-Id: <20260609092407.893299-3-nitin.wankhade333@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260609092407.893299-1-nitin.wankhade333@gmail.com> References: <20260609092407.893299-1-nitin.wankhade333@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Jun 2026 09:25:38 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127448 Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/aa5aaebc33e0f326d8a0dbe01b236f2bfa0e6ea1] Signed-off-by: Nitin Wankhade --- ...-Reject-zero-length-EAP-SIM-AKA-attributes | 54 +++++++++++++++++++ .../strongswan/strongswan_5.9.14.bb | 1 + 2 files changed, 55 insertions(+) create mode 100644 meta-networking/recipes-support/strongswan/strongswan/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes diff --git a/meta-networking/recipes-support/strongswan/strongswan/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes b/meta-networking/recipes-support/strongswan/strongswan/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes new file mode 100644 index 0000000000..c9f647048f --- /dev/null +++ b/meta-networking/recipes-support/strongswan/strongswan/libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes @@ -0,0 +1,54 @@ +From: =?utf-8?q?Lukas_Johannes_M=C3=B6ller?= +Date: Wed, 11 Mar 2026 16:07:10 +0000 +Subject: libsimaka: Reject zero-length EAP-SIM/AKA attributes +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +parse_attributes() accepts hdr->length == 0 in the AT_ENCR_DATA, +AT_RAND, AT_PADDING, default branches. The code then subtracts the +fixed attribute header size from the encoded length, which underflows +and exposes a wrapped payload length to later code. In particular, +for the cases where add_attribute() is called, this causes a heap-based +buffer overflow (a buffer of 12 bytes is allocated to which the wrapped +length is written). For AT_PADDING, the underflow is irrelevant as +add_attribute() is not called. Instead, this results in an infinite loop. + +Reject zero-length attributes before subtracting the attribute header. + +Signed-off-by: Lukas Johannes Möller + +Fixes: f8330d03953b ("Added a libsimaka library with shared message handling code for EAP-SIM/AKA") +Fixes: CVE-2026-35330 + +CVE: CVE-2026-35330 +Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/aa5aaebc33e0f326d8a0dbe01b236f2bfa0e6ea1] +Signed-off-by: Nitin Wankhade +=== +diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c +index 6706568..4862048 100644 +--- a/src/libsimaka/simaka_message.c ++++ b/src/libsimaka/simaka_message.c +@@ -416,7 +416,7 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in) + case AT_ENCR_DATA: + case AT_RAND: + { +- if (hdr->length * 4 > in.len || in.len < 4) ++ if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4) + { + return invalid_length(hdr->type); + } +@@ -439,7 +439,7 @@ static bool parse_attributes(private_simaka_message_t *this, chunk_t in) + case AT_PADDING: + default: + { +- if (hdr->length * 4 > in.len || in.len < 4) ++ if (hdr->length == 0 || hdr->length * 4 > in.len || in.len < 4) + { + return invalid_length(hdr->type); + } +@@ -932,4 +932,3 @@ simaka_message_t *simaka_message_create(bool request, uint8_t identifier, + return simaka_message_create_data(chunk_create((char*)&hdr, sizeof(hdr)), + crypto); + } +- diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb index ac4bc5380b..85fd95d6b8 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb @@ -14,6 +14,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \ file://CVE-2026-35334.patch \ file://tls-server-Prevent-infinite-loop-if-supported-versio.patch \ file://pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch \ + file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \ " SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678" From patchwork Tue Jun 9 09:24:05 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nitin Wankhade X-Patchwork-Id: 89535 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2C5FCCD6E79 for ; Tue, 9 Jun 2026 09:25:48 +0000 (UTC) Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com [209.85.210.169]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.75310.1780997138879593564 for ; Tue, 09 Jun 2026 02:25:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=I3A5WWgj; spf=pass (domain: gmail.com, ip: 209.85.210.169, mailfrom: nitin.wankhade333@gmail.com) Received: by mail-pf1-f169.google.com with SMTP id d2e1a72fcca58-8422575d1e4so358394b3a.0 for ; Tue, 09 Jun 2026 02:25:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780997138; x=1781601938; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=OKb3F8u6yu9zILsWpMAVzjxjiBLrRTje3kO2A+7q7jA=; b=I3A5WWgjmGtGSZkrj5Bsn2PopcHvkbE1QaeEbmgUQrwTE17MQaw4+EWiKVT08jwcyR EJK25w6WkxzEHKNZ1qKeHpnBf2mzki0ZQoQwzDrxvZWr4Np/iVdytBMefDogCjAAPXPu 7ygQfhRDjcI9JUrSSQbzzGSfmtEpLpjar9ZiPLt8cIEdiU0VMGktwJEvlKoP5imQ9MQH tODx6OY41WK5dT2W7suponmuK2X+O7MIhHkgD9rYt3dZgkCX2oCajmcHGjAZpoKIGeBx LzIXyca6bCn/sobEYbo6ACeIxvjGxU3lDCAZDtzBmuTCHRJKgUtEU3JJry++KlLa2XsQ eXnw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780997138; x=1781601938; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=OKb3F8u6yu9zILsWpMAVzjxjiBLrRTje3kO2A+7q7jA=; b=MzxrE8mhqmFEkboA8LdXjXa1m2AHu6OJCjTBBTTZH1XajzaF8dMkXHtxzZVsyCf8MU yUmx/vVLZHjMeS2MVuYta+2FOMqkd427nM950N9UB7admj6altY8qQFtL9Eazx7mbiJn EGmYptkkXGUUm/9wJbrIQ56FqL69K7mrXJ6H7iTTq+U3SkUqvnfxLypiTQz5L52/beR+ +KnkMpM/AxaLnQTDciEzZxbF5ze8naZ6V3FUQvc8kRY8w+kfDNJO+kMg0SkkrQak+CnT B1ahrHorGcUfXZoBzvYaNpimxrvXs/G1nHrKXs9dC4RnXh4b6kKUNlhT8cRb7ZE7gUNx 1l3g== X-Gm-Message-State: AOJu0YyFVZsRrOJZsT9rze/0An1nAD8eBZZ07At+7tbBI3ROzHT4PEpG eQ8MTD9TRVb5DusjU+mdNEp9fDjgryr6veVS25vYyZvc3e7VNxk9fzg2oYPzAT3SyPBNng== X-Gm-Gg: Acq92OG+Ov+QP9k+2XHch+jZFsboD2SF4iAkjaCpbl+913xqkY6sKbbgPk4quiDrTfg dti+r9SOD0a2T0QoO5o/2QYLM57e/2HW71lLT+90abqdmGsYvENsYpIWhxQFbGxzITy5mG+gUKI vQsaxxx0XLMSGsO/IcXpODA1e71gukfoagj9hUxbiEGRSCk/1M8lQ3lVP/PnqJlrN3Q6PYvWvzZ ujrWUs+uxB1+k6ShM/GJQjV4yqfnZTKyUooTGPGWg4Lg/MXn4/zPG+H9dGBibePIMM8IoTU8Q58 Y1PyH0q04079q8F7Td7UANYeN4QV9YT5s+HoQR58hmPXatWO0rOWLgQNKoh1Dq2KhBGV1J4HD8o nMb0fWCC/ghpFhvcBvA2JOjUlp11uAQGbSzB3oATQ6vj/WItYU2iPUIrLVKq/zZLxh5KSNFiWto a5ldmCubCDIvBdBtWwwO4R4UYZLBv9EH9OCMXBYaFyD29B6ZR5dDG3S2CIk5B3/w== X-Received: by 2002:a05:6a21:35c6:b0:39f:1dc2:70c with SMTP id adf61e73a8af0-3b4cd4de4a1mr7523997637.6.1780997138167; Tue, 09 Jun 2026 02:25:38 -0700 (PDT) Received: from L-15597L.www.tendawifi.com ([36.255.86.179]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c85df043223sm16496633a12.8.2026.06.09.02.25.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 09 Jun 2026 02:25:37 -0700 (PDT) From: Nitin Wankhade To: openembedded-devel@lists.openembedded.org Cc: Nitin.Wankhade@kpit.com Subject: [OE-core][scarthgap][PATCH V2 4/6] strongswan: Fix CVE-2026-35331 Date: Tue, 9 Jun 2026 14:54:05 +0530 Message-Id: <20260609092407.893299-4-nitin.wankhade333@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260609092407.893299-1-nitin.wankhade333@gmail.com> References: <20260609092407.893299-1-nitin.wankhade333@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Jun 2026 09:25:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127449 Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/64130ede5cd8f61edd35a1b488c874fa328a42b0] [https://github.com/strongswan/strongswan/commit/c66143db48bab9eb82cc86190687938b809611eb] Signed-off-by: Nitin Wankhade --- ...-insensitive-matching-and-reject-exc.patch | 176 ++++++++++++++++++ .../strongswan/strongswan_5.9.14.bb | 1 + 2 files changed, 177 insertions(+) create mode 100644 meta-networking/recipes-support/strongswan/strongswan/constraints-Case-insensitive-matching-and-reject-exc.patch diff --git a/meta-networking/recipes-support/strongswan/strongswan/constraints-Case-insensitive-matching-and-reject-exc.patch b/meta-networking/recipes-support/strongswan/strongswan/constraints-Case-insensitive-matching-and-reject-exc.patch new file mode 100644 index 0000000000..86e530d7e0 --- /dev/null +++ b/meta-networking/recipes-support/strongswan/strongswan/constraints-Case-insensitive-matching-and-reject-exc.patch @@ -0,0 +1,176 @@ +From: Tobias Brunner +Date: Mon, 23 Mar 2026 17:45:11 +0100 +Subject: constraints: Case-insensitive matching and reject excluded DN name + constraints + +The case is generally ignored when matching identities. So this is +an issue with excluded name constraints where a malicious intermediate +CA could evade the constraints by issuing certificates with names that +just modify the case (e.g. strongSwan.org instead strongswan.org). + +Note that it's likely that permitted name constraints are preferred over +excluded name constraints as it might be difficult to come up with a +conclusive list of names to exclude. + +With directoryName (DN) name constraints the issue is a bit more comples. +Some RDNs have to be matched in a case-insensitive manner, which we e.g. +do in `identification.c::rdn_equals`. By not doing it for name +constraints, a malicious intermediate CA could evade an excluded name +constraint just by modifying the case in such an RDN. + +While we could use the mentioned function in `dn_matches`, this doesn't +properly fix the problem because the function is basically too strict. +Especially in regards to RDNs of type UTF8String, which are only compared +binary. To match these properly, we'd have to implement the string +preparation described in RFC 5280, section 7.1 and the referenced RFCs. +Until that's the case, we reject excluded name constraints of type +directoryName as we are unable to enforce them. + +Fixes: a2b340764fac ("Implemented NameConstraint matching in constraints plugin") +Fixes: CVE-2026-35331 + +CVE: CVE-2026-35331 +Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/64130ede5cd8f61edd35a1b488c874fa328a42b0] + [https://github.com/strongswan/strongswan/commit/c66143db48bab9eb82cc86190687938b809611eb] +Signed-off-by: Nitin Wankhade +=== +diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c +index 27bdb89..daa7bfa 100644 +--- a/src/libstrongswan/plugins/constraints/constraints_validator.c ++++ b/src/libstrongswan/plugins/constraints/constraints_validator.c +@@ -55,6 +55,18 @@ static bool check_pathlen(x509_t *issuer, int pathlen) + return TRUE; + } + ++/** ++ * Check if the constraint and ID strings match case-insensitively ++ */ ++static bool string_matches(chunk_t constraint, chunk_t id) ++{ ++ /* make sure the two strings have actually the same length */ ++ return constraint.len == id.len && ++ memchr(constraint.ptr, 0, constraint.len) == NULL && ++ memchr(id.ptr, 0, id.len) == NULL && ++ strncasecmp(constraint.ptr, id.ptr, constraint.len) == 0; ++} ++ + /** + * Check if a FQDN constraint matches + */ +@@ -70,7 +82,7 @@ static bool fqdn_matches(identification_t *constraint, identification_t *id) + return FALSE; + } + diff = chunk_create(i.ptr, i.len - c.len); +- if (!chunk_equals(c, chunk_skip(i, diff.len))) ++ if (!string_matches(c, chunk_skip(i, diff.len))) + { + return FALSE; + } +@@ -101,10 +113,10 @@ static bool email_matches(identification_t *constraint, identification_t *id) + } + if (memchr(c.ptr, '@', c.len)) + { /* constraint is a full email address */ +- return chunk_equals(c, i); ++ return string_matches(c, i); + } + diff = chunk_create(i.ptr, i.len - c.len); +- if (!chunk_equals(c, chunk_skip(i, diff.len))) ++ if (!string_matches(c, chunk_skip(i, diff.len))) + { + return FALSE; + } +@@ -389,9 +401,17 @@ static bool collect_constraints(x509_t *x509, bool permitted, hashtable_t **out) + type = constraint->get_type(constraint); + switch (type) + { ++ case ID_DER_ASN1_DN: ++ if (!permitted) ++ { ++ DBG1(DBG_CFG, "excluded %N NameConstraint not supported", ++ id_type_names, type); ++ success = FALSE; ++ break; ++ } ++ /* fall-through */ + case ID_FQDN: + case ID_RFC822_ADDR: +- case ID_DER_ASN1_DN: + case ID_IPV4_ADDR_SUBNET: + case ID_IPV6_ADDR_SUBNET: + break; +diff --git a/src/libstrongswan/tests/suites/test_certnames.c b/src/libstrongswan/tests/suites/test_certnames.c +index 2549fb6..14570ee 100644 +--- a/src/libstrongswan/tests/suites/test_certnames.c ++++ b/src/libstrongswan/tests/suites/test_certnames.c +@@ -207,8 +207,10 @@ static struct { + bool good; + } permitted_san[] = { + { ".strongswan.org", "test.strongswan.org", TRUE }, ++ { ".strongswan.org", "test.strongSwan.org", TRUE }, + { "strongswan.org", "test.strongswan.org", TRUE }, + { "a.b.c.strongswan.org", "d.a.b.c.strongswan.org", TRUE }, ++ { "a.b.c.strongswan.org", "d.A.b.C.strongswan.org", TRUE }, + { "a.b.c.strongswan.org", "a.b.c.d.strongswan.org", FALSE }, + { "strongswan.org", "strongswan.org.com", FALSE }, + { ".strongswan.org", "strongswan.org", FALSE }, +@@ -216,8 +218,11 @@ static struct { + { "strongswan.org", "swan.org", FALSE }, + { "strongswan.org", "swan.org", FALSE }, + { "tester@strongswan.org", "tester@strongswan.org", TRUE }, ++ { "tester@strongswan.org", "tester@strongSwan.org", TRUE }, ++ { "tester@strongswan.org", "TESTER@strongswan.org", TRUE }, + { "tester@strongswan.org", "atester@strongswan.org", FALSE }, + { "email:strongswan.org", "tester@strongswan.org", TRUE }, ++ { "email:strongswan.org", "tester@strongSwan.org", TRUE }, + { "email:strongswan.org", "tester@test.strongswan.org", FALSE }, + { "email:.strongswan.org", "tester@test.strongswan.org", TRUE }, + { "email:.strongswan.org", "tester@strongswan.org", FALSE }, +@@ -248,11 +253,11 @@ static struct { + char *subject; + bool good; + } excluded_dn[] = { +- { "C=CH, O=another", "C=CH, O=strongSwan, CN=tester", TRUE }, +- { "C=CH, O=another", "C=CH, O=anot", TRUE }, +- { "C=CH, O=another", "C=CH, O=anot, CN=tester", TRUE }, ++ { "C=CH, O=another", "C=CH, O=strongSwan, CN=tester", FALSE }, ++ { "C=CH, O=another", "C=CH, O=anot", FALSE }, ++ { "C=CH, O=another", "C=CH, O=anot, CN=tester", FALSE }, + { "C=CH, O=another", "C=CH, O=another, CN=tester", FALSE }, +- { "C=CH, O=another", "C=CH, CN=tester, O=another", TRUE }, ++ { "C=CH, O=another", "C=CH, CN=tester, O=another", FALSE }, + }; + + START_TEST(test_excluded_dn) +@@ -281,7 +286,9 @@ static struct { + } excluded_san[] = { + { ".strongswan.org", "test.strongswan.org", FALSE }, + { "strongswan.org", "test.strongswan.org", FALSE }, ++ { "strongswan.org", "test.strongSwan.org", FALSE }, + { "a.b.c.strongswan.org", "d.a.b.c.strongswan.org", FALSE }, ++ { "a.b.c.strongswan.org", "d.a.b.C.strongswan.org", FALSE }, + { "a.b.c.strongswan.org", "a.b.c.d.strongswan.org", TRUE }, + { "strongswan.org", "strongswan.org.com", TRUE }, + { ".strongswan.org", "strongswan.org", TRUE }, +@@ -289,8 +296,10 @@ static struct { + { "strongswan.org", "swan.org", TRUE }, + { "strongswan.org", "swan.org", TRUE }, + { "tester@strongswan.org", "tester@strongswan.org", FALSE }, ++ { "tester@strongswan.org", "TESTER@strongswan.org", FALSE }, + { "tester@strongswan.org", "atester@strongswan.org", TRUE }, + { "email:strongswan.org", "tester@strongswan.org", FALSE }, ++ { "email:strongswan.org", "tester@strongSwan.org", FALSE }, + { "email:strongswan.org", "tester@test.strongswan.org", TRUE }, + { "email:.strongswan.org", "tester@test.strongswan.org", FALSE }, + { "email:.strongswan.org", "tester@strongswan.org", TRUE }, +@@ -418,9 +427,9 @@ static struct { + char *subject; + bool good; + } excluded_dn_levels[] = { +- { "C=CH, O=strongSwan", "C=CH", "C=DE", TRUE }, ++ { "C=CH, O=strongSwan", "C=CH", "C=DE", FALSE }, + { "C=CH, O=strongSwan", "C=CH", "C=CH", FALSE }, +- { "C=CH, O=strongSwan", "C=DE", "C=CH", TRUE }, ++ { "C=CH, O=strongSwan", "C=DE", "C=CH", FALSE }, + { "C=CH, O=strongSwan", "C=DE", "C=DE", FALSE }, + { "C=CH, O=strongSwan", "C=DE", "C=CH, O=strongSwan", FALSE }, + { NULL, "C=CH", "C=CH, O=strongSwan", FALSE }, diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb index 85fd95d6b8..41a4de845f 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb @@ -15,6 +15,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \ file://tls-server-Prevent-infinite-loop-if-supported-versio.patch \ file://pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch \ file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \ + file://constraints-Case-insensitive-matching-and-reject-exc.patch \ " SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678" From patchwork Tue Jun 9 09:24:06 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nitin Wankhade X-Patchwork-Id: 89534 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1E305CD8CA7 for ; Tue, 9 Jun 2026 09:25:48 +0000 (UTC) Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com [209.85.210.181]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.75496.1780997141687540254 for ; Tue, 09 Jun 2026 02:25:41 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=AVAzmZ5n; spf=pass (domain: gmail.com, ip: 209.85.210.181, mailfrom: nitin.wankhade333@gmail.com) Received: by mail-pf1-f181.google.com with SMTP id d2e1a72fcca58-842204fcca4so365198b3a.3 for ; Tue, 09 Jun 2026 02:25:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780997141; x=1781601941; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=4syNLdw/8EPTlZs2bnNiwXpamLt4agIrFWHYzFPfNnI=; b=AVAzmZ5nK4ln7mau13mNFKt8hV+QYvtQGEIXbklN/R5k2jCEs8P/8i60XTRB1fiA5p hF6nlIVnM5P+P9OzFaTbF5s35zh2PpFsQMnMryKHb5aRdOBIggLJ428DijaX9BEdaWl/ 2GNqFzZqUGFuncoFAe/tuDkhSZL9lm4JM8auazwB5Zepn45YO51AFFp5MVwEAQvbrQyH icyQeJRMOSUdoVRbIPbZ+9tNxSvzgP5QgrZ6TnBjeLs3yfkQRJnD77YGLC4ESDELQGhw lDjyEK9iHjSfGnUMamcc2jfvMz+aQAaG3c1c/ETUK6kh1F9wFzRgD1/0RR0Jqk4TdzSV GjPg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780997141; x=1781601941; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=4syNLdw/8EPTlZs2bnNiwXpamLt4agIrFWHYzFPfNnI=; b=CuFjzLo7KHBxUHh6T1aeSF6eyKKR3AF4LEINCeYZbv8r30098fIn0gl83Ghi7QxjAe 7zxpAdbHogijw8jvDSP8evRUXxCKxM7+0Bw/mU8BNeDX2c9V28KGe6P07eqA/V4oxJC5 XtELaGK5WCn+juXpovyFjwleu0fXf2HUsKh3jTw/7D6KT6bAPCmG/nOyw57CgFd7QX3o YUTqOGhTLpTSFJaGrAi35Ovtqik+oKK2FKrLjpqnY9wq4SAqECcv3QzhPJYfz3RdaGra KvXVzXGiE42fZ073NW4ZYIh9VhdfPxbsuZtJ0kK/ND0WtYJgqAPO5ZNOLKYoG0i+vfjG HjDA== X-Gm-Message-State: AOJu0YzAd/E/47gdit0w2qnWvhe/pA6RiaEhhjG8lHZwpmY3lkDw50VX W18mkXob/ymJFo7PIrCS3KRjwSwzlLCHp5TXdoClYkxX7G/AhRTYnSf8/lT5gjfX/8rZYw== X-Gm-Gg: Acq92OH7bqrdwjGhyXJgjdxxGboxii8v/pMBANl+rHgeHd1ObNharaSo4lEtFKc+ZUx UKageZlr9Xm4yLw1n6LKgX2z8ZiXx55Fqd2x6wRE6MRhI/Kgr+UrT2a6/n4o/wQE6vMHaSGDMUl f9BR5fG2hofyYP9oAwmVL3wIrS+ESQmvsfk8UFwLG383pPHG3SsQ+VZnYl8fgFSpBLzhIdOO+On CHbuXdvKG24a3ZQn0BXql2g8QRno2nqZx3RYepsut862B3VzOkgVkHY1Nahq//gusxWVAs7RBV2 dQYylgWEv7OihXPnE6H4ntSLE4Trv/StQEl5wNNB8cXv9oeeOamBSC0LLahb91sq+bMTt0cSdw+ fLkNZVvRSS6KBa+n9gInN3mtpokeRt0x3pg5xbcZXSaaqBqbKJ5PVQjCVgT6AJIsH1MRWONPWKG jxyswwY4Y/HL5FrtvHXzG7KlTwDgUR7Ra7KYhme0fAW/RcvcU1h0Ugy8SgmM2Okg== X-Received: by 2002:a05:6a21:4d8e:b0:3b3:cff:cb54 with SMTP id adf61e73a8af0-3b4cd1ed3b0mr10343226637.2.1780997141104; Tue, 09 Jun 2026 02:25:41 -0700 (PDT) Received: from L-15597L.www.tendawifi.com ([36.255.86.179]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c85df043223sm16496633a12.8.2026.06.09.02.25.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 09 Jun 2026 02:25:40 -0700 (PDT) From: Nitin Wankhade To: openembedded-devel@lists.openembedded.org Cc: Nitin.Wankhade@kpit.com Subject: [OE-core][scarthgap][PATCH V2 5/6] strongswan: Fix CVE-2026-35332 Date: Tue, 9 Jun 2026 14:54:06 +0530 Message-Id: <20260609092407.893299-5-nitin.wankhade333@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260609092407.893299-1-nitin.wankhade333@gmail.com> References: <20260609092407.893299-1-nitin.wankhade333@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Jun 2026 09:25:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127450 Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/1e0643bef105704337efc141a37dfcfbaa53cb1f] Signed-off-by: Nitin Wankhade --- ...accept-non-empty-ECDH-public-keys-wi.patch | 51 +++++++++++++++++++ .../strongswan/strongswan_5.9.14.bb | 1 + 2 files changed, 52 insertions(+) create mode 100644 meta-networking/recipes-support/strongswan/strongswan/tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch diff --git a/meta-networking/recipes-support/strongswan/strongswan/tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch b/meta-networking/recipes-support/strongswan/strongswan/tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch new file mode 100644 index 0000000000..a05fd9bced --- /dev/null +++ b/meta-networking/recipes-support/strongswan/strongswan/tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch @@ -0,0 +1,51 @@ +From: Tobias Brunner +Date: Fri, 20 Mar 2026 17:38:07 +0100 +Subject: tls-server: Only accept non-empty ECDH public keys with TLS < 1.3 + +This prevents a crash due to a null-pointer dereference when processing +an empty ECDH public key. + +The previous length check only applied in the `!ec` case, so in the `ec` +case, the access to `pub.ptr[0]` was unguarded. If a crafted TLS +record ends with an empty ClientKeyExchange, then `read_data8` sets +`pub` to `chunk_empty`, causing a null-pointer dereference. + +Note that if some data follows the empty ClientKeyExchange, this just +causes a 1-byte out-of-bounds read that has no further effect as the +TLS session is aborted immediately. Either because the read value +doesn't equal TLS_ANSI_UNCOMPRESSED or because the empty public key +is rejected by `set_public_key()`. + +The referenced commit that introduced the pointer access, added the +check for `pub.len` specifically to the `!ec` case, while the pointer +access was initially unconditional (probably because the code was just +copied from `tls_peer.c` which processes ECDH public keys in a separate +function, so there was no `ec` flag). The latter was fixed a couple of +days later with 7b3c01845f63 ("Read the compression type byte for EC +groups, only"). However, that commit didn't change the length check. +Anyway, it's possible that the original intention was to add the check +to the `ec` case on the previous line, or that there was some confusion +with the parenthesis and something like the current code was intended to +begin with. + +Fixes: e6cce7ff0d1b ("Prepend point format to ECDH public key") +Fixes: CVE-2026-35332 + +CVE: CVE-2026-35332 +Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/1e0643bef105704337efc141a37dfcfbaa53cb1f] +Patch is refreshed as per the source code version 5.9.14 +Signed-off-by: Nitin Wankhade +=== +diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c +index 7b2238e..bffc01c 100644 +--- a/src/libtls/tls_server.c ++++ b/src/libtls/tls_server.c +@@ -857,7 +857,7 @@ static status_t process_key_exchange_dhe(private_tls_server_t *this, + group = this->dh->get_method(this->dh); + ec = key_exchange_is_ecdh(group); + if ((ec && !reader->read_data8(reader, &pub)) || +- (!ec && (!reader->read_data16(reader, &pub) || pub.len == 0))) ++ (!ec && !reader->read_data16(reader, &pub)) || pub.len == 0) + { + DBG1(DBG_TLS, "received invalid Client Key Exchange"); + this->alert->add(this->alert, TLS_FATAL, TLS_DECODE_ERROR); diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb index 41a4de845f..f65a94dd73 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb @@ -16,6 +16,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \ file://pkcs5-pkcs7-Avoid-NULL-pointer-dereference-when-veri.patch \ file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \ file://constraints-Case-insensitive-matching-and-reject-exc.patch \ + file://tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch \ " SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678" From patchwork Tue Jun 9 09:24:07 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Nitin Wankhade X-Patchwork-Id: 89533 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 11160CD8CA4 for ; Tue, 9 Jun 2026 09:25:48 +0000 (UTC) Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.75497.1780997145675420037 for ; Tue, 09 Jun 2026 02:25:45 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20251104 header.b=nOk9yo5x; spf=pass (domain: gmail.com, ip: 209.85.214.179, mailfrom: nitin.wankhade333@gmail.com) Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-2c0c35980c6so10944625ad.2 for ; Tue, 09 Jun 2026 02:25:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780997145; x=1781601945; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Uvyfpl4yTZ6kX8YrhNL3zznQuqSnD324PUNXAHSVVUo=; b=nOk9yo5xErmePVwIm2s3BMuBXQZBPfLAxlgN9nMGw90/SIcEXxq61rG24YLpV7LV6F ny8fwZwoBCNISW+QKbVuENyahlUq4w0RAIXjfxin4RscoSeREZF5Z5PKGc2zW/PPrjVg lXSnwRME2arnZRUu7jYryXRO7ZB/I6f1c9x78MayRb8d8XIs60pYK864OLyyfBnYBbkX jMg8QgmaEOHmAFfUOnH3gvBUH0ZDmvf1wf/ThKqfvkS8PKQaNvLlBFAlR7NqX41VpmVu E/M7PmjoQipktK4DmyKNMKQzkMsbggrYkWnqiHh7KEzP8nmSo57aN15gK+1YUAlVZ+yj CXuQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780997145; x=1781601945; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=Uvyfpl4yTZ6kX8YrhNL3zznQuqSnD324PUNXAHSVVUo=; b=Nfk/yT0Kwec6wx1SdIOWnb5bum54p8EWpxyylPWKFbJ2NeRwO2DOPv64lHGj753dgC NujH7cF6GgbrqAIlqjukXsBou7CiWGbEA2n+NZaRzlBv5I3B3UrJ34Pjh46oNjOZYDLE v+zxIp3L3z3pNN8Ve6/VavWaSBWIiSj5rGtgxjlJOW0LWgs/IVS5oUWdccDIy/cnNMS1 NG8oAGURh5IMkgYDiXr9PSYMlXiWXdxCMNwG0xXrohHNWkWb0vpTfAw+LbOnu5k7LALX Msxp8Qy9UwQvSvhJ5ZTXBAP2KHpKAHYzaUlXSDy2hLGEg4w4WQdMcVTMcYOpqqEgTY1x KTMA== X-Gm-Message-State: AOJu0Yz52eJg3yanFyKPkV5279kURwE00xjn47PAD4HIXwbyqgSK/KTn 5yzqe/79UPoyBGKWwcEY6RzWMWjPdzNHp/dD05IRChCATpn6/UI4zyCjMWAWvOTrrUcFFA== X-Gm-Gg: Acq92OFejbj5VVv7m8rJcR6RC+j3JsZkva0lKb1t3ZLj1okatk53Eo/8PGWoK5RFho1 JbfhP5pNfmdWpFicnR2ui0BDBGQsktvMWUQXMNpldyeq9n89x7GqXiwrZHKrpcWHIIGN4N4rM0C c4taP/Pd5CJccFALkzOYnzFO/z1OjZIRGUFy2Hn2gsvvNvR5ID77YsVqx5P61cETg/EJPXAmmpM 0tSTsFW2xlL/5oAErF0MEOYt46qwUNLtRqh4xD4i2YBA+vBNS0Xda1+nW/JMDgOmSBnoVZy7ysP G2BNNSPp2phqDlj7sQFZtAlqpW02SiSjVHcWSE9vF58eZJSWbwIfz8MJBI2D+4hFq3HDwffgxlB dQ8Trcgk3I2t09BnTHzo9Y1eB34IYZ+d7pjEizNW4TlBkOGh68HQ554kntv3mSV6OXpWtnxJTul 71nmVgbRDHIwpbO53yYOjQ6yr82DSSovwp3j7Xv11gv8i2ArG8BDChFYhoWnEkLEpnZ2FtVMvK X-Received: by 2002:a05:6a21:9d84:b0:3b4:7b2a:6a0b with SMTP id adf61e73a8af0-3b53ba967f1mr1413540637.7.1780997145033; Tue, 09 Jun 2026 02:25:45 -0700 (PDT) Received: from L-15597L.www.tendawifi.com ([36.255.86.179]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c85df043223sm16496633a12.8.2026.06.09.02.25.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 09 Jun 2026 02:25:44 -0700 (PDT) From: Nitin Wankhade To: openembedded-devel@lists.openembedded.org Cc: Nitin.Wankhade@kpit.com Subject: [OE-core][scarthgap][PATCH V2 6/6] strongswan: Fix CVE-2026-35333 Date: Tue, 9 Jun 2026 14:54:07 +0530 Message-Id: <20260609092407.893299-6-nitin.wankhade333@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260609092407.893299-1-nitin.wankhade333@gmail.com> References: <20260609092407.893299-1-nitin.wankhade333@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 09 Jun 2026 09:25:48 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127451 Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/e067d24293953cff56011a1ea6989872bdd98fcd] Signed-off-by: Nitin Wankhade --- ...-undersized-attributes-in-enumerator.patch | 41 +++++++++++++++++++ .../strongswan/strongswan_5.9.14.bb | 1 + 2 files changed, 42 insertions(+) create mode 100644 meta-networking/recipes-support/strongswan/strongswan/libradius-Reject-undersized-attributes-in-enumerator.patch diff --git a/meta-networking/recipes-support/strongswan/strongswan/libradius-Reject-undersized-attributes-in-enumerator.patch b/meta-networking/recipes-support/strongswan/strongswan/libradius-Reject-undersized-attributes-in-enumerator.patch new file mode 100644 index 0000000000..27cdb485e7 --- /dev/null +++ b/meta-networking/recipes-support/strongswan/strongswan/libradius-Reject-undersized-attributes-in-enumerator.patch @@ -0,0 +1,41 @@ +From: =?utf-8?q?Lukas_Johannes_M=C3=B6ller?= +Date: Thu, 12 Mar 2026 10:24:45 +0000 +Subject: libradius: Reject undersized attributes in enumerator +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +attribute_enumerate() accepts RADIUS attributes whose length byte is +smaller than sizeof(rattr_t) (2). For length == 0, the iterator never +advances and traps callers — including verify() — in a non-advancing +loop. For length == 1, misaligned packed-struct reads occur. + +Add a separate check for this->next->length < sizeof(rattr_t) after +the existing truncation guard. This mirrors radius_message_parse(), +which already distinguishes invalid length from truncation. + +Signed-off-by: Lukas Johannes Möller + +Fixes: 4a6b84a93461 ("reintegrated eap-radius branch into trunk") +Fixes: CVE-2026-35333 + +CVE: CVE-2026-35333 +Upstream-Status: Backport [https://github.com/strongswan/strongswan/commit/e067d24293953cff56011a1ea6989872bdd98fcd] +Signed-off-by: Nitin Wankhade +=== +diff --git a/src/libradius/radius_message.c b/src/libradius/radius_message.c +index 8e2db0c..2bbbb48 100644 +--- a/src/libradius/radius_message.c ++++ b/src/libradius/radius_message.c +@@ -261,6 +261,11 @@ METHOD(enumerator_t, attribute_enumerate, bool, + DBG1(DBG_IKE, "RADIUS message truncated"); + return FALSE; + } ++ if (this->next->length < sizeof(rattr_t)) ++ { ++ DBG1(DBG_IKE, "RADIUS attribute has invalid length"); ++ return FALSE; ++ } + *type = this->next->type; + data->ptr = this->next->value; + data->len = this->next->length - sizeof(rattr_t); diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb index f65a94dd73..661727e501 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.9.14.bb @@ -17,6 +17,7 @@ SRC_URI = "https://download.strongswan.org/strongswan-${PV}.tar.bz2 \ file://libsimaka-Reject-zero-length-EAP-SIM-AKA-attributes.patch \ file://constraints-Case-insensitive-matching-and-reject-exc.patch \ file://tls-server-Only-accept-non-empty-ECDH-public-keys-wi.patch \ + file://libradius-Reject-undersized-attributes-in-enumerator.patch \ " SRC_URI[sha256sum] = "728027ddda4cb34c67c4cec97d3ddb8c274edfbabdaeecf7e74693b54fc33678"