libssh/auth_bypass.patch
Norbert Pocs e4977b1a4e Fix CVE-2023-1667 and CVE-2023-2283
- NULL dereference during rekeying
- Possible authentication bypass

- Resolves: rhbz#2182251, rhbz#2189742

Signed-off-by: Norbert Pocs <npocs@redhat.com>
2023-04-27 13:10:49 +02:00

87 lines
2.6 KiB
Diff

diff --color -ru ../libssh-0.9.6/src/pki_crypto.c ./src/pki_crypto.c
--- ../libssh-0.9.6/src/pki_crypto.c 2023-04-27 12:59:08.463259052 +0200
+++ ./src/pki_crypto.c 2023-04-27 13:05:24.020610873 +0200
@@ -2291,8 +2291,12 @@
unsigned char *raw_sig_data = NULL;
unsigned int raw_sig_len;
+ /* Function return code
+ * Do not change this variable throughout the function until the signature
+ * is successfully verified!
+ */
int rc = SSH_ERROR;
- int evp_rc;
+ int ok;
if (pubkey == NULL || ssh_key_is_private(pubkey) || input == NULL ||
signature == NULL || (signature->raw_sig == NULL
@@ -2307,8 +2311,8 @@
}
/* Check if public key and hash type are compatible */
- rc = pki_key_check_hash_compatible(pubkey, signature->hash_type);
- if (rc != SSH_OK) {
+ ok = pki_key_check_hash_compatible(pubkey, signature->hash_type);
+ if (ok != SSH_OK) {
return SSH_ERROR;
}
@@ -2351,8 +2355,8 @@
}
/* Verify the signature */
- evp_rc = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
- if (evp_rc != 1){
+ ok = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
+ if (ok != 1){
SSH_LOG(SSH_LOG_TRACE,
"EVP_DigestVerifyInit() failed: %s",
ERR_error_string(ERR_get_error(), NULL));
@@ -2360,35 +2364,31 @@
}
#ifdef HAVE_OPENSSL_EVP_DIGESTVERIFY
- evp_rc = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);
+ ok = EVP_DigestVerify(ctx, raw_sig_data, raw_sig_len, input, input_len);
#else
- evp_rc = EVP_DigestVerifyUpdate(ctx, input, input_len);
- if (evp_rc != 1) {
+ ok = EVP_DigestVerifyUpdate(ctx, input, input_len);
+ if (ok != 1) {
SSH_LOG(SSH_LOG_TRACE,
"EVP_DigestVerifyUpdate() failed: %s",
ERR_error_string(ERR_get_error(), NULL));
goto out;
}
- evp_rc = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);
+ ok = EVP_DigestVerifyFinal(ctx, raw_sig_data, raw_sig_len);
#endif
- if (evp_rc == 1) {
- SSH_LOG(SSH_LOG_TRACE, "Signature valid");
- rc = SSH_OK;
- } else {
+ if (ok != 1) {
SSH_LOG(SSH_LOG_TRACE,
"Signature invalid: %s",
ERR_error_string(ERR_get_error(), NULL));
- rc = SSH_ERROR;
+ goto out;
}
+ SSH_LOG(SSH_LOG_TRACE, "Signature valid");
+ rc = SSH_OK;
+
out:
- if (ctx != NULL) {
- EVP_MD_CTX_free(ctx);
- }
- if (pkey != NULL) {
- EVP_PKEY_free(pkey);
- }
+ EVP_MD_CTX_free(ctx);
+ EVP_PKEY_free(pkey);
return rc;
}