Fix registrar is subject to a DoS against SSL (CVE-2023-38200)

Resolves: rhbz#2222694
2023-08-28 14:27:44 +01:00 · 2023-08-28 14:27:44 +01:00 · 2c457d5430
commit 2c457d5430
parent 6ac5a8f8e6
2 changed files with 75 additions and 1 deletions
--- a/0010-CVE-2023-38200.patch
+++ b/0010-CVE-2023-38200.patch
@ -0,0 +1,69 @@
+From e17d5a6a47c1405a799a06754d3e905856e3035d Mon Sep 17 00:00:00 2001
+From: florian <264356+flozilla@users.noreply.github.com>
+Date: Tue, 11 Jul 2023 21:31:27 +0200
+Subject: [PATCH 10/10] CVE-2023-38200
+
+Extend Registrar SSL socket to be non-blocking
+
+Fixes: CVE-2023-38200
+
+Upstream:
+ - https://github.com/keylime/keylime/commit/c68d8f0b7
+ - https://github.com/keylime/keylime/commit/27d515f4b
+---
+ keylime/registrar_common.py | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/keylime/registrar_common.py b/keylime/registrar_common.py
+index d1d20dd..6441e3b 100644
+--- a/keylime/registrar_common.py
+++ b/keylime/registrar_common.py
+@@ -2,8 +2,10 @@ import base64
+ import http.server
+ import ipaddress
+ import os
+import select
+ import signal
+ import socket
+import ssl
+ import sys
+ import threading
+ from http.server import BaseHTTPRequestHandler, HTTPServer
+@@ -77,6 +79,25 @@ class BaseHandler(BaseHTTPRequestHandler, SessionManager):
+ 
+ 
+ class ProtectedHandler(BaseHandler):
+    def handle(self) -> None:
+        """Need to perform SSL handshake here, as
+        do_handshake_on_connect=False for non-blocking SSL socket"""
+        while True:
+            try:
+                self.request.do_handshake()
+                break
+            except ssl.SSLWantReadError:
+                select.select([self.request], [], [])
+            except ssl.SSLWantWriteError:
+                select.select([], [self.request], [])
+            except ssl.SSLError as e:
+                logger.error("SSL connection error: %s", e)
+                return
+            except Exception as e:
+                logger.error("General communication failure: %s", e)
+                return
+        BaseHTTPRequestHandler.handle(self)
+
+     def do_HEAD(self) -> None:
+         """HEAD not supported"""
+         web_util.echo_json_response(self, 405, "HEAD not supported")
+@@ -494,7 +515,7 @@ def start(host: str, tlsport: int, port: int) -> None:
+     protected_server = RegistrarServer((host, tlsport), ProtectedHandler)
+     context = web_util.init_mtls("registrar", logger=logger)
+     if context is not None:
+-        protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True)
+        protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True, do_handshake_on_connect=False)
+     thread_protected_server = threading.Thread(target=protected_server.serve_forever)
+ 
+     # Set up the unprotected registrar server
+-- 
+2.41.0
+
--- a/keylime.spec
+++ b/keylime.spec
@ -9,7 +9,7 @@

 Name:    keylime
 Version: 7.3.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust

 URL:            https://github.com/keylime/keylime
@ -26,6 +26,7 @@ Patch: 0006-Revert-mapping-changes.patch
 Patch: 0007-Handle-session-close-using-a-session-manager.patch
 Patch: 0008-verifier-should-read-parameters-from-verifier.conf-o.patch
 Patch: 0009-CVE-2023-38201.patch
+Patch: 0010-CVE-2023-38200.patch

 License: ASL 2.0 and MIT

@ -358,6 +359,10 @@ fi
 %license LICENSE

 %changelog
+* Mon Aug 28 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-6
+- Fix registrar is subject to a DoS against SSL (CVE-2023-38200)
+  Resolves: rhbz#2222694
+
 * Fri Aug 25 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-5
 - Fix challenge-protocol bypass during agent registration (CVE-2023-38201)
  Resolves: rhbz#2222695