From 384febcdc2d9817dcfaf0598f5401b8a167176aa Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Mon, 14 Oct 2024 15:29:16 +0200 Subject: [PATCH] Gssapi-keyex: fix issues found by static analysis Related: RHEL-60564 Signed-off-by: Zoltan Fridrich --- openssh-9.6p1-gssapi-keyex.patch | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-) diff --git a/openssh-9.6p1-gssapi-keyex.patch b/openssh-9.6p1-gssapi-keyex.patch index 2fb5514..ef1f97e 100644 --- a/openssh-9.6p1-gssapi-keyex.patch +++ b/openssh-9.6p1-gssapi-keyex.patch @@ -1240,8 +1240,8 @@ diff --color -ruNp a/kexgen.c b/kexgen.c const struct sshbuf *client_version, diff --color -ruNp a/kexgssc.c b/kexgssc.c --- a/kexgssc.c 1970-01-01 01:00:00.000000000 +0100 -+++ b/kexgssc.c 2024-09-16 11:46:34.709940203 +0200 -@@ -0,0 +1,704 @@ ++++ b/kexgssc.c 2024-10-14 15:18:02.491798105 +0200 +@@ -0,0 +1,706 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * @@ -1603,6 +1603,7 @@ diff --color -ruNp a/kexgssc.c b/kexgssc.c + if (gss->major & GSS_S_CONTINUE_NEEDED) + return kexgss_init_ctx(ssh, &recv_tok); + ++ gss_release_buffer(&gss->minor, &recv_tok); + return kexgss_final(ssh); +} + @@ -1942,14 +1943,15 @@ diff --color -ruNp a/kexgssc.c b/kexgssc.c + if (gss->major & GSS_S_CONTINUE_NEEDED) + return kexgssgex_init_ctx(ssh, &recv_tok); + ++ gss_release_buffer(&gss->minor, &recv_tok); + return kexgssgex_final(ssh); +} + +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ diff --color -ruNp a/kexgsss.c b/kexgsss.c --- a/kexgsss.c 1970-01-01 01:00:00.000000000 +0100 -+++ b/kexgsss.c 2024-09-16 11:46:34.710940224 +0200 -@@ -0,0 +1,590 @@ ++++ b/kexgsss.c 2024-10-14 15:18:02.491798105 +0200 +@@ -0,0 +1,601 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * 
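Review bot: The new gss_release_buffer() only covers the path that falls through to kexgss_final(); on the GSS_S_CONTINUE_NEEDED path recv_tok is handed to kexgss_init_ctx(ssh, &recv_tok), and whether that callee releases it is not visible here, so the leak the analyzer flagged may still exist on that branch — confirm kexgss_init_ctx takes ownership, or release after it returns. A one-line comment would make the ownership explicit: `/* recv_tok is consumed by kexgss_init_ctx() on the continue path; release it here otherwise */`. If recv_tok.value was filled from the packet via sshpkt_get_string it is OpenSSH-malloc'd rather than GSS-allocated; gss_release_buffer ends up as free() on MIT and Heimdal, and this patch already relies on that elsewhere, so it is worth a comment rather than a change. The enclosing function starts before this hunk, and the same fix is repeated in the kexgssgex variant in the following hunk.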
@@ -2082,6 +2084,9 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c + struct kex *kex = ssh->kex; + Gssctxt *gss = kex->gss; + gss_buffer_desc msg_tok; ++ u_char hash[SSH_DIGEST_MAX_LENGTH]; ++ size_t hashlen; ++ struct sshbuf *shared_secret = NULL; + int r; + + ssh_dispatch_set(ssh, SSH2_MSG_KEXGSS_INIT, NULL); @@ -2125,12 +2130,18 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c + gss_release_buffer(&gss->minor, send_tok); + gss_release_buffer(&gss->minor, &msg_tok); + ++ hashlen = gss->hashlen; ++ memcpy(hash, gss->hash, hashlen); ++ explicit_bzero(gss->hash, sizeof(gss->hash)); ++ shared_secret = gss->shared_secret; ++ gss->shared_secret = NULL; ++ + if (gss_kex_context == NULL) + gss_kex_context = gss; + else + ssh_gssapi_delete_ctx(&kex->gss); + -+ if ((r = kex_derive_keys(ssh, gss->hash, gss->hashlen, gss->shared_secret)) == 0) ++ if ((r = kex_derive_keys(ssh, hash, hashlen, shared_secret)) == 0) + r = kex_send_newkeys(ssh); + + /* If this was a rekey, then save out any delegated credentials we @@ -2139,12 +2150,11 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c + ssh_gssapi_rekey_creds(); + + if (kex->gss != NULL) { -+ explicit_bzero(gss->hash, sizeof(gss->hash)); -+ sshbuf_free(gss->shared_secret); -+ gss->shared_secret = NULL; + sshbuf_free(gss->server_pubkey); + gss->server_pubkey = NULL; + } ++ explicit_bzero(hash, sizeof(hash)); ++ sshbuf_free(shared_secret); + return r; +} + @@ -2187,7 +2197,8 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c + } + if (r != 0) { + sshbuf_free(client_pubkey); -+ ssh_gssapi_delete_ctx(&kex->gss); ++ gss_release_buffer(&gss->minor, &recv_tok); ++ ssh_gssapi_delete_ctx(&kex->gss); + return r; + } + @@ -2195,6 +2206,7 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c + + if ((empty = sshbuf_new()) == NULL) { + sshbuf_free(client_pubkey); ++ gss_release_buffer(&gss->minor, &recv_tok); + ssh_gssapi_delete_ctx(&kex->gss); + return SSH_ERR_ALLOC_FAIL; + } 
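Review bot: The block that moves the exchange hash and shared secret out of gss has no comment explaining why the copy is made, and the reason is subtle: the `else` branch below frees the very object the old code then read. I would add above `hashlen = gss->hashlen;`: `/* Take ownership of the hash and shared secret now: the context is either freed below (rekey) or kept as gss_kex_context, and must not retain key material either way. */`. `memcpy(hash, gss->hash, hashlen)` is not bounded against sizeof(hash); it is safe only if gss->hash is also SSH_DIGEST_MAX_LENGTH bytes and hashlen was set by the digest code, neither of which is visible here — `if (hashlen > sizeof(hash)) return SSH_ERR_INTERNAL_ERROR;` before the copy would make that explicit. The enclosing function starts before this hunk.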
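Review bot: The `if (kex->gss != NULL)` guard tests kex->gss but the body dereferences the local `gss`, which is dangling after ssh_gssapi_delete_ctx(&kex->gss) on the rekey path; this is correct only if that function also NULLs the pointer it is handed, which is not visible here. Writing the body against the pointer the guard checks, `sshbuf_free(kex->gss->server_pubkey); kex->gss->server_pubkey = NULL;`, removes that dependency. Zeroing `hash` and freeing `shared_secret` at the end is the right place, since it now also runs on the error return from kex_derive_keys(). The enclosing function starts before this hunk.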
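Review bot: recv_tok is now released by hand in three separate error paths of this function (here and in the two following hunks), each followed by the same sshbuf_free/ssh_gssapi_delete_ctx pair, so any further early return in the stretch not shown here would reintroduce the leak. A single exit label doing `gss_release_buffer(&gss->minor, &recv_tok); sshbuf_free(client_pubkey); ssh_gssapi_delete_ctx(&kex->gss); return r;` with the early returns turned into `goto out` is the usual OpenSSH shape and harder to get wrong. Whatever the shape, the release must stay before ssh_gssapi_delete_ctx(), as it writes gss->minor. The enclosing function starts before this hunk.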
@@ -2210,6 +2222,7 @@ diff --color -ruNp a/kexgsss.c b/kexgsss.c + sshbuf_free(empty); + sshbuf_free(client_pubkey); + if (r != 0) { ++ gss_release_buffer(&gss->minor, &recv_tok); + ssh_gssapi_delete_ctx(&kex->gss); + return r; + }
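Review bot: The added release covers this error return, but the success path continues past the end of the hunk and is not visible; recv_tok must be released there as well, once ssh_gssapi_accept_ctx has consumed it, otherwise the leak only moves. If recv_tok was filled by ssh_gssapi_sshpkt_get_buffer_desc/sshpkt_get_string it is OpenSSH-malloc'd rather than GSS-allocated; MIT and Heimdal implement gss_release_buffer as free() so this works in practice, but `free(recv_tok.value)` is the matching deallocator and the choice deserves a comment. The enclosing function continues beyond this hunk.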