From ddbab808e436e4fc28fbf32d3eb4fca8b616eb37 Mon Sep 17 00:00:00 2001 From: Martin Osvald Date: Tue, 10 May 2022 16:32:30 +0200 Subject: [PATCH] omshell: add support for hmac-sha512 algorithm Resolves: #2083553 --- dhcp.spec | 6 +- omshell-hmac-sha512-support.patch | 155 ++++++++++++++++++++++++++++++ 2 files changed, 160 insertions(+), 1 deletion(-) create mode 100644 omshell-hmac-sha512-support.patch diff --git a/dhcp.spec b/dhcp.spec index 2a90752..35706ca 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -15,7 +15,7 @@ Summary: Dynamic host configuration protocol software Name: dhcp Version: 4.4.2 -Release: 16.b1%{?dist} +Release: 17.b1%{?dist} # NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to # dcantrell maintaining the package) made incorrect use of the epoch and @@ -63,6 +63,7 @@ Patch27: 0027-Add-missed-sd-notify-patch-to-manage-dhcpd-with-syst.patch Patch28: 0028-Fix-for-CVE-2021-25217.patch Patch29: 0029-Use-system-getaddrinfo-for-dhcp.patch Patch30: CVE-2021-25220.patch +Patch31: omshell-hmac-sha512-support.patch BuildRequires: autoconf @@ -513,6 +514,9 @@ done %endif %changelog +* Tue May 10 2022 Martin Osvald - 12:4.4.2-17.b1 +- omshell: add support for hmac-sha512 algorithm (#2083553) + * Thu Apr 14 2022 Martin Osvald - 12:4.4.2-16.b1 - Fix for CVE-2021-25220 diff --git a/omshell-hmac-sha512-support.patch b/omshell-hmac-sha512-support.patch new file mode 100644 index 0000000..479e2dd --- /dev/null +++ b/omshell-hmac-sha512-support.patch @@ -0,0 +1,155 @@ +diff --git a/omapip/connection.c b/omapip/connection.c +index 014ff21..6800514 100644 +--- a/omapip/connection.c ++++ b/omapip/connection.c +@@ -44,6 +44,9 @@ extern omapi_array_t *trace_listeners; + #endif + static isc_result_t omapi_connection_connect_internal (omapi_object_t *); + ++static isc_result_t ctring_from_attribute(omapi_object_t *obj, char *attr_name, ++ char **cstr); ++ + OMAPI_OBJECT_ALLOC (omapi_connection, + omapi_connection_object_t, omapi_type_connection) + +@@ -763,64 +766,41 @@ isc_result_t omapi_connection_reaper (omapi_object_t *h) + } + + static isc_result_t make_dst_key (dst_key_t **dst_key, omapi_object_t *a) { +- omapi_value_t *name = (omapi_value_t *)0; +- omapi_value_t *algorithm = (omapi_value_t *)0; +- omapi_value_t *key = (omapi_value_t *)0; +- char *name_str = NULL; ++ omapi_value_t *key = 0; ++ char *name_str = 0; ++ char *algorithm_str = 0; + isc_result_t status = ISC_R_SUCCESS; + +- if (status == ISC_R_SUCCESS) +- status = omapi_get_value_str +- (a, (omapi_object_t *)0, "name", &name); +- +- if (status == ISC_R_SUCCESS) +- status = omapi_get_value_str +- (a, (omapi_object_t *)0, "algorithm", &algorithm); +- +- if (status == ISC_R_SUCCESS) +- status = omapi_get_value_str +- (a, (omapi_object_t *)0, "key", &key); +- ++ /* Get the key name as a C string. */ ++ status = ctring_from_attribute(a, "name", &name_str); + if (status == ISC_R_SUCCESS) { +- if ((algorithm->value->type != omapi_datatype_data && +- algorithm->value->type != omapi_datatype_string) || +- strncasecmp((char *)algorithm->value->u.buffer.value, +- NS_TSIG_ALG_HMAC_MD5 ".", +- algorithm->value->u.buffer.len) != 0) { +- status = DHCP_R_INVALIDARG; ++ /* Get the algorithm name as a C string. */ ++ status = ctring_from_attribute(a, "algorithm", &algorithm_str); ++ if (status == ISC_R_SUCCESS) { ++ /* Get the key secret value */ ++ status = omapi_get_value_str(a, 0, "key", &key); ++ if (status == ISC_R_SUCCESS) { ++ /* Now let's try and create the key */ ++ status = isclib_make_dst_key( ++ name_str, ++ algorithm_str, ++ key->value->u.buffer.value, ++ key->value->u.buffer.len, ++ dst_key); ++ ++ if (*dst_key == NULL) { ++ status = ISC_R_NOMEMORY; ++ } ++ } + } + } + +- if (status == ISC_R_SUCCESS) { +- name_str = dmalloc (name -> value -> u.buffer.len + 1, MDL); +- if (!name_str) +- status = ISC_R_NOMEMORY; +- } +- +- if (status == ISC_R_SUCCESS) { +- memcpy (name_str, +- name -> value -> u.buffer.value, +- name -> value -> u.buffer.len); +- name_str [name -> value -> u.buffer.len] = 0; +- +- status = isclib_make_dst_key(name_str, +- DHCP_HMAC_MD5_NAME, +- key->value->u.buffer.value, +- key->value->u.buffer.len, +- dst_key); +- +- if (*dst_key == NULL) +- status = ISC_R_NOMEMORY; +- } +- + if (name_str) + dfree (name_str, MDL); ++ if (algorithm_str) ++ dfree (algorithm_str, MDL); + if (key) + omapi_value_dereference (&key, MDL); +- if (algorithm) +- omapi_value_dereference (&algorithm, MDL); +- if (name) +- omapi_value_dereference (&name, MDL); + + return status; + } +@@ -1103,3 +1083,50 @@ isc_result_t omapi_connection_stuff_values (omapi_object_t *c, + m -> inner); + return ISC_R_SUCCESS; + } ++ ++/* @brief Fetches the value of an attribute in an object as an allocated ++ * C string ++ * ++ * @param obj ompapi object containing the desire attribute ++ * @param attr_name name of the desired attribute ++ * @param[out] cstr pointer in which to place the allocated C string's address ++ * ++ * Caller is responsible for freeing (via dfree) the allocated string. ++ * ++ * @return ISC_R_SUCCESS if successful, otherwise indicates the type of failure ++*/ ++static isc_result_t ctring_from_attribute(omapi_object_t *obj, char *attr_name, ++ char **cstr) { ++ isc_result_t status = ISC_R_SUCCESS; ++ omapi_value_t *attr = 0; ++ ++ /* Find the attribute in the object. */ ++ status = omapi_get_value_str(obj, (omapi_object_t *)0, attr_name, ++ &attr); ++ if (status != ISC_R_SUCCESS) { ++ return (status); ++ } ++ ++ /* Got it, let's make sure it's either data or string type. */ ++ if (attr->value->type != omapi_datatype_data && ++ attr->value->type != omapi_datatype_string) { ++ return (DHCP_R_INVALIDARG); ++ } ++ ++ /* Make a C string from the attribute value. */ ++ *cstr = dmalloc (attr->value->u.buffer.len + 1, MDL); ++ if (!(*cstr)) { ++ status = ISC_R_NOMEMORY; ++ } else { ++ memcpy (*cstr, attr->value->u.buffer.value, ++ attr->value->u.buffer.len); ++ (*cstr)[attr->value->u.buffer.len] = 0; ++ } ++ ++ /* Get rid of the attribute reference */ ++ if (attr) { ++ omapi_value_dereference (&attr, MDL); ++ } ++ ++ return (status); ++}