2c457d5430
Resolves: rhbz#2222694
70 lines
2.5 KiB
Diff
70 lines
2.5 KiB
Diff
From e17d5a6a47c1405a799a06754d3e905856e3035d Mon Sep 17 00:00:00 2001
|
|
From: florian <264356+flozilla@users.noreply.github.com>
|
|
Date: Tue, 11 Jul 2023 21:31:27 +0200
|
|
Subject: [PATCH 10/10] CVE-2023-38200
|
|
|
|
Extend Registrar SSL socket to be non-blocking
|
|
|
|
Fixes: CVE-2023-38200
|
|
|
|
Upstream:
|
|
- https://github.com/keylime/keylime/commit/c68d8f0b7
|
|
- https://github.com/keylime/keylime/commit/27d515f4b
|
|
---
|
|
keylime/registrar_common.py | 23 ++++++++++++++++++++++-
|
|
1 file changed, 22 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/keylime/registrar_common.py b/keylime/registrar_common.py
|
|
index d1d20dd..6441e3b 100644
|
|
--- a/keylime/registrar_common.py
|
|
+++ b/keylime/registrar_common.py
|
|
@@ -2,8 +2,10 @@ import base64
|
|
import http.server
|
|
import ipaddress
|
|
import os
|
|
+import select
|
|
import signal
|
|
import socket
|
|
+import ssl
|
|
import sys
|
|
import threading
|
|
from http.server import BaseHTTPRequestHandler, HTTPServer
|
|
@@ -77,6 +79,25 @@ class BaseHandler(BaseHTTPRequestHandler, SessionManager):
|
|
|
|
|
|
class ProtectedHandler(BaseHandler):
|
|
+ def handle(self) -> None:
|
|
+ """Need to perform SSL handshake here, as
|
|
+ do_handshake_on_connect=False for non-blocking SSL socket"""
|
|
+ while True:
|
|
+ try:
|
|
+ self.request.do_handshake()
|
|
+ break
|
|
+ except ssl.SSLWantReadError:
|
|
+ select.select([self.request], [], [])
|
|
+ except ssl.SSLWantWriteError:
|
|
+ select.select([], [self.request], [])
|
|
+ except ssl.SSLError as e:
|
|
+ logger.error("SSL connection error: %s", e)
|
|
+ return
|
|
+ except Exception as e:
|
|
+ logger.error("General communication failure: %s", e)
|
|
+ return
|
|
+ BaseHTTPRequestHandler.handle(self)
|
|
+
|
|
def do_HEAD(self) -> None:
|
|
"""HEAD not supported"""
|
|
web_util.echo_json_response(self, 405, "HEAD not supported")
|
|
@@ -494,7 +515,7 @@ def start(host: str, tlsport: int, port: int) -> None:
|
|
protected_server = RegistrarServer((host, tlsport), ProtectedHandler)
|
|
context = web_util.init_mtls("registrar", logger=logger)
|
|
if context is not None:
|
|
- protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True)
|
|
+ protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True, do_handshake_on_connect=False)
|
|
thread_protected_server = threading.Thread(target=protected_server.serve_forever)
|
|
|
|
# Set up the unprotected registrar server
|
|
--
|
|
2.41.0
|
|
|