libssh/SOURCES/auth_bypass.patch

diff --color -ru ../libssh-0.10.4/src/pki_crypto.c ./src/pki_crypto.c
--- ../libssh-0.10.4/src/pki_crypto.c	2023-04-27 13:24:03.105744519 +0200
+++ ./src/pki_crypto.c	2023-04-27 13:30:24.016756496 +0200
@@ -3186,8 +3186,12 @@
     unsigned char *raw_sig_data = NULL;
     unsigned int raw_sig_len;
 
+    /* Function return code
+     * Do not change this variable throughout the function until the signature
+     * is successfully verified!
+     */
     int rc = SSH_ERROR;
-    int evp_rc;
+    int ok;
 
     if (pubkey == NULL || ssh_key_is_private(pubkey) || input == NULL ||
         signature == NULL || (signature->raw_sig == NULL
@@ -3202,8 +3206,8 @@
     }
 
     /* Check if public key and hash type are compatible */
-    rc = pki_key_check_hash_compatible(pubkey, signature->hash_type);
-    if (rc != SSH_OK) {
+    ok = pki_key_check_hash_compatible(pubkey, signature->hash_type);
+    if (ok != SSH_OK) {
         return SSH_ERROR;
     }
 
@@ -3248,8 +3252,8 @@
     }
 
     /* Verify the signature */
-    evp_rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
-    if (evp_rc != 1){
+    ok = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
+    if (ok != 1){
         SSH_LOG(SSH_LOG_TRACE,
                 "EVP_DigestVerifyInit() failed: %s",
                 ERR_error_string(ERR_get_error(), NULL));
@@ -3257,32 +3261,30 @@
     }
 
 #ifdef HAVE_OPENSSL_EVP_DIGESTVERIFY
-    evp_rc = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);
+    ok = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);
 #else
-    evp_rc = EVP_DigestVerifyUpdate(ctx, input, input_len);
-    if (evp_rc != 1) {
+    ok = EVP_DigestVerifyUpdate(ctx, input, input_len);
+    if (ok != 1) {
         SSH_LOG(SSH_LOG_TRACE,
                 "EVP_DigestVerifyUpdate() failed: %s",
                 ERR_error_string(ERR_get_error(), NULL));
         goto out;
     }
 
-    evp_rc = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);
+    ok = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);
 #endif
-    if (evp_rc == 1) {
-        SSH_LOG(SSH_LOG_TRACE, "Signature valid");
-        rc = SSH_OK;
-    } else {
+    if (ok != 1) {
         SSH_LOG(SSH_LOG_TRACE,
                 "Signature invalid: %s",
                 ERR_error_string(ERR_get_error(), NULL));
-        rc = SSH_ERROR;
+        goto out;
     }
 
+    SSH_LOG(SSH_LOG_TRACE, "Signature valid");
+    rc = SSH_OK;
+
 out:
-    if (ctx != NULL) {
-        EVP_MD_CTX_free(ctx);
-    }
+    EVP_MD_CTX_free(ctx);
     EVP_PKEY_free(pkey);
     return rc;
 }
import UBI libssh-0.10.4-11.el9 2023-11-07 11:17:57 +00:00			`diff --color -ru ../libssh-0.10.4/src/pki_crypto.c ./src/pki_crypto.c`
			`--- ../libssh-0.10.4/src/pki_crypto.c 2023-04-27 13:24:03.105744519 +0200`
			`+++ ./src/pki_crypto.c 2023-04-27 13:30:24.016756496 +0200`
			`@@ -3186,8 +3186,12 @@`
			`unsigned char *raw_sig_data = NULL;`
			`unsigned int raw_sig_len;`

			`+ /* Function return code`
			`+ * Do not change this variable throughout the function until the signature`
			`+ * is successfully verified!`
			`+ */`
			`int rc = SSH_ERROR;`
			`- int evp_rc;`
			`+ int ok;`

			`if (pubkey == NULL \|\| ssh_key_is_private(pubkey) \|\| input == NULL \|\|`
			`signature == NULL \|\| (signature->raw_sig == NULL`
			`@@ -3202,8 +3206,8 @@`
			`}`

			`/* Check if public key and hash type are compatible */`
			`- rc = pki_key_check_hash_compatible(pubkey, signature->hash_type);`
			`- if (rc != SSH_OK) {`
			`+ ok = pki_key_check_hash_compatible(pubkey, signature->hash_type);`
			`+ if (ok != SSH_OK) {`
			`return SSH_ERROR;`
			`}`

			`@@ -3248,8 +3252,8 @@`
			`}`

			`/* Verify the signature */`
			`- evp_rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);`
			`- if (evp_rc != 1){`
			`+ ok = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);`
			`+ if (ok != 1){`
			`SSH_LOG(SSH_LOG_TRACE,`
			`"EVP_DigestVerifyInit() failed: %s",`
			`ERR_error_string(ERR_get_error(), NULL));`
			`@@ -3257,32 +3261,30 @@`
			`}`

			`#ifdef HAVE_OPENSSL_EVP_DIGESTVERIFY`
			`- evp_rc = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);`
			`+ ok = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);`
			`#else`
			`- evp_rc = EVP_DigestVerifyUpdate(ctx, input, input_len);`
			`- if (evp_rc != 1) {`
			`+ ok = EVP_DigestVerifyUpdate(ctx, input, input_len);`
			`+ if (ok != 1) {`
			`SSH_LOG(SSH_LOG_TRACE,`
			`"EVP_DigestVerifyUpdate() failed: %s",`
			`ERR_error_string(ERR_get_error(), NULL));`
			`goto out;`
			`}`

			`- evp_rc = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);`
			`+ ok = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);`
			`#endif`
			`- if (evp_rc == 1) {`
			`- SSH_LOG(SSH_LOG_TRACE, "Signature valid");`
			`- rc = SSH_OK;`
			`- } else {`
			`+ if (ok != 1) {`
			`SSH_LOG(SSH_LOG_TRACE,`
			`"Signature invalid: %s",`
			`ERR_error_string(ERR_get_error(), NULL));`
			`- rc = SSH_ERROR;`
			`+ goto out;`
			`}`

			`+ SSH_LOG(SSH_LOG_TRACE, "Signature valid");`
			`+ rc = SSH_OK;`
			`+`
			`out:`
			`- if (ctx != NULL) {`
			`- EVP_MD_CTX_free(ctx);`
			`- }`
			`+ EVP_MD_CTX_free(ctx);`
			`EVP_PKEY_free(pkey);`
			`return rc;`
			`}`