Fix issue with read-only ssh buffer during gssapi key exchange
(rhbz#1938224) https://github.com/openssh-gsskex/openssh-gsskex/pull/19
parent
4f07bfcfe1
commit
5c1da775a9
@ -42,21 +42,6 @@ diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
|
|||||||
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||||
(p = strsep(&cp, ","))) {
|
(p = strsep(&cp, ","))) {
|
||||||
if (sshbuf_len(buf) != 0 &&
|
if (sshbuf_len(buf) != 0 &&
|
||||||
diff -up openssh-8.5p1/kexgssc.c.coverity openssh-8.5p1/kexgssc.c
|
|
||||||
--- openssh-8.5p1/kexgssc.c.coverity 2021-03-24 12:03:33.711967665 +0100
|
|
||||||
+++ openssh-8.5p1/kexgssc.c 2021-03-24 12:03:33.783968166 +0100
|
|
||||||
@@ -98,8 +98,10 @@ kexgss_client(struct ssh *ssh)
|
|
||||||
default:
|
|
||||||
fatal_f("Unexpected KEX type %d", kex->kex_type);
|
|
||||||
}
|
|
||||||
- if (r != 0)
|
|
||||||
+ if (r != 0) {
|
|
||||||
+ ssh_gssapi_delete_ctx(&ctxt);
|
|
||||||
return r;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
token_ptr = GSS_C_NO_BUFFER;
|
|
||||||
|
|
||||||
diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
|
diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
|
||||||
--- openssh-8.5p1/krl.c.coverity 2021-03-02 11:31:47.000000000 +0100
|
--- openssh-8.5p1/krl.c.coverity 2021-03-02 11:31:47.000000000 +0100
|
||||||
+++ openssh-8.5p1/krl.c 2021-03-24 12:03:33.783968166 +0100
|
+++ openssh-8.5p1/krl.c 2021-03-24 12:03:33.783968166 +0100
|
||||||
|
@ -1488,7 +1488,7 @@ new file mode 100644
|
|||||||
index 00000000..f6e1405e
|
index 00000000..f6e1405e
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/kexgssc.c
|
+++ b/kexgssc.c
|
||||||
@@ -0,0 +1,600 @@
|
@@ -0,0 +1,612 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||||
+ *
|
+ *
|
||||||
@ -1589,8 +1589,10 @@ index 00000000..f6e1405e
|
|||||||
+ default:
|
+ default:
|
||||||
+ fatal_f("Unexpected KEX type %d", kex->kex_type);
|
+ fatal_f("Unexpected KEX type %d", kex->kex_type);
|
||||||
+ }
|
+ }
|
||||||
+ if (r != 0)
|
+ if (r != 0) {
|
||||||
|
+ ssh_gssapi_delete_ctx(&ctxt);
|
||||||
+ return r;
|
+ return r;
|
||||||
|
+ }
|
||||||
+
|
+
|
||||||
+ token_ptr = GSS_C_NO_BUFFER;
|
+ token_ptr = GSS_C_NO_BUFFER;
|
||||||
+
|
+
|
||||||
@ -1653,11 +1655,16 @@ index 00000000..f6e1405e
|
|||||||
+ do {
|
+ do {
|
||||||
+ type = ssh_packet_read(ssh);
|
+ type = ssh_packet_read(ssh);
|
||||||
+ if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
|
+ if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
|
||||||
|
+ char *tmp = NULL;
|
||||||
|
+ size_t tmp_len = 0;
|
||||||
|
+
|
||||||
+ debug("Received KEXGSS_HOSTKEY");
|
+ debug("Received KEXGSS_HOSTKEY");
|
||||||
+ if (server_host_key_blob)
|
+ if (server_host_key_blob)
|
||||||
+ fatal("Server host key received more than once");
|
+ fatal("Server host key received more than once");
|
||||||
+ if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
|
+ if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0)
|
||||||
+ fatal("Failed to read server host key: %s", ssh_err(r));
|
+ fatal("Failed to read server host key: %s", ssh_err(r));
|
||||||
|
+ if ((server_host_key_blob = sshbuf_from(tmp, tmp_len)) == NULL)
|
||||||
|
+ fatal("sshbuf_from failed");
|
||||||
+ }
|
+ }
|
||||||
+ } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
|
+ } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
|
||||||
+
|
+
|
||||||
@ -1944,11 +1951,16 @@ index 00000000..f6e1405e
|
|||||||
+ do {
|
+ do {
|
||||||
+ type = ssh_packet_read(ssh);
|
+ type = ssh_packet_read(ssh);
|
||||||
+ if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
|
+ if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
|
||||||
|
+ char *tmp = NULL;
|
||||||
|
+ size_t tmp_len = 0;
|
||||||
|
+
|
||||||
+ debug("Received KEXGSS_HOSTKEY");
|
+ debug("Received KEXGSS_HOSTKEY");
|
||||||
+ if (server_host_key_blob)
|
+ if (server_host_key_blob)
|
||||||
+ fatal("Server host key received more than once");
|
+ fatal("Server host key received more than once");
|
||||||
+ if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
|
+ if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0)
|
||||||
+ fatal("sshpkt failed: %s", ssh_err(r));
|
+ fatal("sshpkt failed: %s", ssh_err(r));
|
||||||
|
+ if ((server_host_key_blob = sshbuf_from(tmp, tmp_len)) == NULL)
|
||||||
|
+ fatal("sshbuf_from failed");
|
||||||
+ }
|
+ }
|
||||||
+ } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
|
+ } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
|
||||||
+
|
+
|
||||||
@ -2094,7 +2106,7 @@ new file mode 100644
|
|||||||
index 00000000..60bc02de
|
index 00000000..60bc02de
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/kexgsss.c
|
+++ b/kexgsss.c
|
||||||
@@ -0,0 +1,474 @@
|
@@ -0,0 +1,482 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||||
+ *
|
+ *
|
||||||
@ -2161,7 +2173,7 @@ index 00000000..60bc02de
|
|||||||
+ */
|
+ */
|
||||||
+
|
+
|
||||||
+ OM_uint32 ret_flags = 0;
|
+ OM_uint32 ret_flags = 0;
|
||||||
+ gss_buffer_desc gssbuf, recv_tok, msg_tok;
|
+ gss_buffer_desc gssbuf = {0, NULL}, recv_tok, msg_tok;
|
||||||
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
|
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
|
||||||
+ Gssctxt *ctxt = NULL;
|
+ Gssctxt *ctxt = NULL;
|
||||||
+ struct sshbuf *shared_secret = NULL;
|
+ struct sshbuf *shared_secret = NULL;
|
||||||
@ -2201,7 +2213,7 @@ index 00000000..60bc02de
|
|||||||
+ type = ssh_packet_read(ssh);
|
+ type = ssh_packet_read(ssh);
|
||||||
+ switch(type) {
|
+ switch(type) {
|
||||||
+ case SSH2_MSG_KEXGSS_INIT:
|
+ case SSH2_MSG_KEXGSS_INIT:
|
||||||
+ if (client_pubkey != NULL)
|
+ if (gssbuf.value != NULL)
|
||||||
+ fatal("Received KEXGSS_INIT after initialising");
|
+ fatal("Received KEXGSS_INIT after initialising");
|
||||||
+ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
|
+ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
|
||||||
+ &recv_tok)) != 0 ||
|
+ &recv_tok)) != 0 ||
|
||||||
@ -2232,6 +2244,31 @@ index 00000000..60bc02de
|
|||||||
+ goto out;
|
+ goto out;
|
||||||
+
|
+
|
||||||
+ /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
|
+ /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
|
||||||
|
+
|
||||||
|
+ /* Calculate the hash early so we can free the
|
||||||
|
+ * client_pubkey, which has reference to the parent
|
||||||
|
+ * buffer state->incoming_packet
|
||||||
|
+ */
|
||||||
|
+ hashlen = sizeof(hash);
|
||||||
|
+ if ((r = kex_gen_hash(
|
||||||
|
+ kex->hash_alg,
|
||||||
|
+ kex->client_version,
|
||||||
|
+ kex->server_version,
|
||||||
|
+ kex->peer,
|
||||||
|
+ kex->my,
|
||||||
|
+ empty,
|
||||||
|
+ client_pubkey,
|
||||||
|
+ server_pubkey,
|
||||||
|
+ shared_secret,
|
||||||
|
+ hash, &hashlen)) != 0)
|
||||||
|
+ goto out;
|
||||||
|
+
|
||||||
|
+ gssbuf.value = hash;
|
||||||
|
+ gssbuf.length = hashlen;
|
||||||
|
+
|
||||||
|
+ sshbuf_free(client_pubkey);
|
||||||
|
+ client_pubkey = NULL;
|
||||||
|
+
|
||||||
+ break;
|
+ break;
|
||||||
+ case SSH2_MSG_KEXGSS_CONTINUE:
|
+ case SSH2_MSG_KEXGSS_CONTINUE:
|
||||||
+ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
|
+ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
|
||||||
@ -2253,7 +2290,7 @@ index 00000000..60bc02de
|
|||||||
+ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
|
+ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
|
||||||
+ fatal("Zero length token output when incomplete");
|
+ fatal("Zero length token output when incomplete");
|
||||||
+
|
+
|
||||||
+ if (client_pubkey == NULL)
|
+ if (gssbuf.value == NULL)
|
||||||
+ fatal("No client public key");
|
+ fatal("No client public key");
|
||||||
+
|
+
|
||||||
+ if (maj_status & GSS_S_CONTINUE_NEEDED) {
|
+ if (maj_status & GSS_S_CONTINUE_NEEDED) {
|
||||||
@ -2282,23 +2319,6 @@ index 00000000..60bc02de
|
|||||||
+ if (!(ret_flags & GSS_C_INTEG_FLAG))
|
+ if (!(ret_flags & GSS_C_INTEG_FLAG))
|
||||||
+ fatal("Integrity flag wasn't set");
|
+ fatal("Integrity flag wasn't set");
|
||||||
+
|
+
|
||||||
+ hashlen = sizeof(hash);
|
|
||||||
+ if ((r = kex_gen_hash(
|
|
||||||
+ kex->hash_alg,
|
|
||||||
+ kex->client_version,
|
|
||||||
+ kex->server_version,
|
|
||||||
+ kex->peer,
|
|
||||||
+ kex->my,
|
|
||||||
+ empty,
|
|
||||||
+ client_pubkey,
|
|
||||||
+ server_pubkey,
|
|
||||||
+ shared_secret,
|
|
||||||
+ hash, &hashlen)) != 0)
|
|
||||||
+ goto out;
|
|
||||||
+
|
|
||||||
+ gssbuf.value = hash;
|
|
||||||
+ gssbuf.length = hashlen;
|
|
||||||
+
|
|
||||||
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok))))
|
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok))))
|
||||||
+ fatal("Couldn't get MIC");
|
+ fatal("Couldn't get MIC");
|
||||||
+
|
+
|
||||||
|
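Review bot: In both kexgssc.c hunks (the ones headed `@ -1653,11 +1655,16 @@` and `@ -1944,11 +1951,16 @@`) the string copied out of the packet into `tmp` is handed to `sshbuf_from(tmp, tmp_len)` and then goes out of scope without ever being freed. As far as I can tell OpenSSH's `sshbuf_from()` only wraps the caller's memory as a read-only view and `sshbuf_free()` does not release it, so the allocation made by `sshpkt_get_string()` leaks once per key exchange, including rekeys; the enclosing `kexgss_client()` begins and ends outside the hunk, so I cannot see a later `free(tmp)`. Building an owning buffer with `sshbuf_new()`/`sshbuf_put()` lets `tmp` be released on the spot and keeps `server_host_key_blob` a normal buffer for whatever frees it at the end of the function. Separately, if `sshpkt_get_string()` takes `u_char **` as in upstream packet.h, declaring `tmp` as `char *` will draw an incompatible-pointer-type diagnostic, so `u_char *tmp = NULL;` is the safer declaration. The same rewrite applies to the second hunk, with its `"sshpkt failed: %s"` message kept.
```c
			u_char *tmp = NULL;
			size_t tmp_len = 0;
			/* … unchanged: debug() and duplicate-hostkey check … */
			if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0)
				fatal("Failed to read server host key: %s", ssh_err(r));
			/* own a copy so the blob outlives the incoming packet and tmp can be freed now */
			if ((server_host_key_blob = sshbuf_new()) == NULL ||
			    (r = sshbuf_put(server_host_key_blob, tmp, tmp_len)) != 0)
				fatal("Failed to copy server host key");
			free(tmp);
```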
@ -47,7 +47,7 @@
|
|||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%global openssh_ver 9.3p1
|
%global openssh_ver 9.3p1
|
||||||
%global openssh_rel 12
|
%global openssh_rel 13
|
||||||
%global pam_ssh_agent_ver 0.10.4
|
%global pam_ssh_agent_ver 0.10.4
|
||||||
%global pam_ssh_agent_rel 9
|
%global pam_ssh_agent_rel 9
|
||||||
|
|
||||||
@ -744,6 +744,10 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Oct 16 2023 Mattias Ellert <mattias.ellert@physics.uu.se> - 9.3p1-13
|
||||||
|
- Fix issue with read-only ssh buffer during gssapi key exchange (rhbz#1938224)
|
||||||
|
- https://github.com/openssh-gsskex/openssh-gsskex/pull/19
|
||||||
|
|
||||||
* Sun Oct 15 2023 Mattias Ellert <mattias.ellert@physics.uu.se> - 9.3p1-12
|
* Sun Oct 15 2023 Mattias Ellert <mattias.ellert@physics.uu.se> - 9.3p1-12
|
||||||
- Fix FTBFS due to implicit declarations (rhbz#2241211)
|
- Fix FTBFS due to implicit declarations (rhbz#2241211)
|
||||||
|
|
||||||
|