Fixing broken GSS KEX beginning with (GSI-)OpenSSH 8.0p1

Resolves: rhbz#1957306
This commit is contained in:
Dmitry Belyavskiy 2021-05-06 15:14:23 +02:00
parent 9dff9c0419
commit d075fa1cd6
3 changed files with 46 additions and 40 deletions


@ -169,21 +169,6 @@ diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
for ((p = strsep(&cp, ",")); p && *p != '\0'; for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) { (p = strsep(&cp, ","))) {
if (sshbuf_len(buf) != 0 && if (sshbuf_len(buf) != 0 &&
diff -up openssh-8.5p1/kexgssc.c.coverity openssh-8.5p1/kexgssc.c
--- openssh-8.5p1/kexgssc.c.coverity 2021-03-24 12:03:33.711967665 +0100
+++ openssh-8.5p1/kexgssc.c 2021-03-24 12:03:33.783968166 +0100
@@ -98,8 +98,10 @@ kexgss_client(struct ssh *ssh)
default:
fatal_f("Unexpected KEX type %d", kex->kex_type);
}
- if (r != 0)
+ if (r != 0) {
+ ssh_gssapi_delete_ctx(&ctxt);
return r;
+ }
token_ptr = GSS_C_NO_BUFFER;
diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
--- openssh-8.5p1/krl.c.coverity 2021-03-02 11:31:47.000000000 +0100 --- openssh-8.5p1/krl.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/krl.c 2021-03-24 12:03:33.783968166 +0100 +++ openssh-8.5p1/krl.c 2021-03-24 12:03:33.783968166 +0100


@ -1492,7 +1492,7 @@ new file mode 100644
index 00000000..f6e1405e index 00000000..f6e1405e
--- /dev/null --- /dev/null
+++ b/kexgssc.c +++ b/kexgssc.c
@@ -0,0 +1,599 @@ @@ -0,0 +1,611 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ * + *
@ -1593,8 +1593,10 @@ index 00000000..f6e1405e
+ default: + default:
+ fatal_f("Unexpected KEX type %d", kex->kex_type); + fatal_f("Unexpected KEX type %d", kex->kex_type);
+ } + }
+ if (r != 0) + if (r != 0) {
+ ssh_gssapi_delete_ctx(&ctxt);
+ return r; + return r;
+ }
+ +
+ token_ptr = GSS_C_NO_BUFFER; + token_ptr = GSS_C_NO_BUFFER;
+ +
@ -1657,11 +1659,16 @@ index 00000000..f6e1405e
+ do { + do {
+ type = ssh_packet_read(ssh); + type = ssh_packet_read(ssh);
+ if (type == SSH2_MSG_KEXGSS_HOSTKEY) { + if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
+ char *tmp = NULL;
+ size_t tmp_len = 0;
+
+ debug("Received KEXGSS_HOSTKEY"); + debug("Received KEXGSS_HOSTKEY");
+ if (server_host_key_blob) + if (server_host_key_blob)
+ fatal("Server host key received more than once"); + fatal("Server host key received more than once");
+ if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0) + if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0)
+ fatal("Failed to read server host key: %s", ssh_err(r)); + fatal("Failed to read server host key: %s", ssh_err(r));
+ if ((server_host_key_blob = sshbuf_from(tmp, tmp_len)) == NULL)
+ fatal("sshbuf_from failed");
+ } + }
+ } while (type == SSH2_MSG_KEXGSS_HOSTKEY); + } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
+ +
@ -1948,11 +1955,16 @@ index 00000000..f6e1405e
+ do { + do {
+ type = ssh_packet_read(ssh); + type = ssh_packet_read(ssh);
+ if (type == SSH2_MSG_KEXGSS_HOSTKEY) { + if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
+ char *tmp = NULL;
+ size_t tmp_len = 0;
+
+ debug("Received KEXGSS_HOSTKEY"); + debug("Received KEXGSS_HOSTKEY");
+ if (server_host_key_blob) + if (server_host_key_blob)
+ fatal("Server host key received more than once"); + fatal("Server host key received more than once");
+ if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0) + if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0)
+ fatal("sshpkt failed: %s", ssh_err(r)); + fatal("sshpkt failed: %s", ssh_err(r));
+ if ((server_host_key_blob = sshbuf_from(tmp, tmp_len)) == NULL)
+ fatal("sshbuf_from failed");
+ } + }
+ } while (type == SSH2_MSG_KEXGSS_HOSTKEY); + } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
+ +
@ -2097,7 +2109,7 @@ new file mode 100644
index 00000000..60bc02de index 00000000..60bc02de
--- /dev/null --- /dev/null
+++ b/kexgsss.c +++ b/kexgsss.c
@@ -0,0 +1,474 @@ @@ -0,0 +1,482 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ * + *
@ -2164,7 +2176,7 @@ index 00000000..60bc02de
+ */ + */
+ +
+ OM_uint32 ret_flags = 0; + OM_uint32 ret_flags = 0;
+ gss_buffer_desc gssbuf, recv_tok, msg_tok; + gss_buffer_desc gssbuf = {0, NULL}, recv_tok, msg_tok;
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+ Gssctxt *ctxt = NULL; + Gssctxt *ctxt = NULL;
+ struct sshbuf *shared_secret = NULL; + struct sshbuf *shared_secret = NULL;
@ -2204,7 +2216,7 @@ index 00000000..60bc02de
+ type = ssh_packet_read(ssh); + type = ssh_packet_read(ssh);
+ switch(type) { + switch(type) {
+ case SSH2_MSG_KEXGSS_INIT: + case SSH2_MSG_KEXGSS_INIT:
+ if (client_pubkey != NULL) + if (gssbuf.value != NULL)
+ fatal("Received KEXGSS_INIT after initialising"); + fatal("Received KEXGSS_INIT after initialising");
+ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh, + if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
+ &recv_tok)) != 0 || + &recv_tok)) != 0 ||
@ -2235,6 +2247,31 @@ index 00000000..60bc02de
+ goto out; + goto out;
+ +
+ /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */ + /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
+
+ /* Calculate the hash early so we can free the
+ * client_pubkey, which has reference to the parent
+ * buffer state->incoming_packet
+ */
+ hashlen = sizeof(hash);
+ if ((r = kex_gen_hash(
+ kex->hash_alg,
+ kex->client_version,
+ kex->server_version,
+ kex->peer,
+ kex->my,
+ empty,
+ client_pubkey,
+ server_pubkey,
+ shared_secret,
+ hash, &hashlen)) != 0)
+ goto out;
+
+ gssbuf.value = hash;
+ gssbuf.length = hashlen;
+
+ sshbuf_free(client_pubkey);
+ client_pubkey = NULL;
+
+ break; + break;
+ case SSH2_MSG_KEXGSS_CONTINUE: + case SSH2_MSG_KEXGSS_CONTINUE:
+ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh, + if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
@ -2256,7 +2293,7 @@ index 00000000..60bc02de
+ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0) + if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
+ fatal("Zero length token output when incomplete"); + fatal("Zero length token output when incomplete");
+ +
+ if (client_pubkey == NULL) + if (gssbuf.value == NULL)
+ fatal("No client public key"); + fatal("No client public key");
+ +
+ if (maj_status & GSS_S_CONTINUE_NEEDED) { + if (maj_status & GSS_S_CONTINUE_NEEDED) {
@ -2285,23 +2322,6 @@ index 00000000..60bc02de
+ if (!(ret_flags & GSS_C_INTEG_FLAG)) + if (!(ret_flags & GSS_C_INTEG_FLAG))
+ fatal("Integrity flag wasn't set"); + fatal("Integrity flag wasn't set");
+ +
+ hashlen = sizeof(hash);
+ if ((r = kex_gen_hash(
+ kex->hash_alg,
+ kex->client_version,
+ kex->server_version,
+ kex->peer,
+ kex->my,
+ empty,
+ client_pubkey,
+ server_pubkey,
+ shared_secret,
+ hash, &hashlen)) != 0)
+ goto out;
+
+ gssbuf.value = hash;
+ gssbuf.length = hashlen;
+
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok)))) + if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok))))
+ fatal("Couldn't get MIC"); + fatal("Couldn't get MIC");
+ +
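Review bot: The `tmp` string that `sshpkt_get_string` allocates in the new KEXGSS_HOSTKEY branch (hunk @ -1657 of kexgssc.c, and the same pattern again in hunk @ -1948) is never freed: as I read `sshbuf_from`, it only wraps the caller's memory as a read-only buffer, so a later `sshbuf_free(server_host_key_blob)` leaves the bytes allocated, and the pointer itself is lost when the block scope closes. Unless `tmp` is released somewhere outside the hunk, this leaks one host-key blob per GSS key exchange, which is the class of defect the coverity patch in the first file was chasing. A copying construction avoids the dangling-parent problem without the leak: `if ((server_host_key_blob = sshbuf_new()) == NULL || (r = sshbuf_put(server_host_key_blob, tmp, tmp_len)) != 0) fatal("sshbuf_put failed: %s", ssh_err(r)); free(tmp);`; alternatively hoist `tmp` to function scope and free it beside `server_host_key_blob` in the cleanup path. The enclosing `kexgss_client` bodies begin and end outside these hunks, so the cleanup path itself is not visible here.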


@ -658,6 +658,7 @@ test -f %{sysconfig_anaconda} && \
%changelog %changelog
* Thu May 06 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.6p1-1 + 0.10.4-3 * Thu May 06 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.6p1-1 + 0.10.4-3
- New upstream release (#1952957) - New upstream release (#1952957)
- GSS KEX broken beginning with (GSI-)OpenSSH 8.0p1 (#1957306)
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 8.5p1-3.1 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 8.5p1-3.1
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937