From 2e0948c935539d65fe087a307436b7f3be0c4591 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Jan 10 2024 16:11:11 +0000 Subject: Apply destination constraints to all PKCS#11 keys Resolves: CVE-2023-51384 --- diff --git a/openssh-9.6p1-CVE-2023-51384.patch b/openssh-9.6p1-CVE-2023-51384.patch new file mode 100644 index 0000000..673ff1d --- /dev/null +++ b/openssh-9.6p1-CVE-2023-51384.patch @@ -0,0 +1,149 @@ +diff --git a/ssh-agent.c b/ssh-agent.c +index f528611635e..1d4c321eb0b 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -247,6 +247,91 @@ free_dest_constraints(struct dest_constraint *dcs, size_t ndcs) + free(dcs); + } + ++static void ++dup_dest_constraint_hop(const struct dest_constraint_hop *dch, ++ struct dest_constraint_hop *out) ++{ ++ u_int i; ++ int r; ++ ++ out->user = dch->user == NULL ? NULL : xstrdup(dch->user); ++ out->hostname = dch->hostname == NULL ? NULL : xstrdup(dch->hostname); ++ out->is_ca = dch->is_ca; ++ out->nkeys = dch->nkeys; ++ out->keys = out->nkeys == 0 ? NULL : ++ xcalloc(out->nkeys, sizeof(*out->keys)); ++ out->key_is_ca = out->nkeys == 0 ? NULL : ++ xcalloc(out->nkeys, sizeof(*out->key_is_ca)); ++ for (i = 0; i < dch->nkeys; i++) { ++ if (dch->keys[i] != NULL && ++ (r = sshkey_from_private(dch->keys[i], ++ &(out->keys[i]))) != 0) ++ fatal_fr(r, "copy key"); ++ out->key_is_ca[i] = dch->key_is_ca[i]; ++ } ++} ++ ++static struct dest_constraint * ++dup_dest_constraints(const struct dest_constraint *dcs, size_t ndcs) ++{ ++ size_t i; ++ struct dest_constraint *ret; ++ ++ if (ndcs == 0) ++ return NULL; ++ ret = xcalloc(ndcs, sizeof(*ret)); ++ for (i = 0; i < ndcs; i++) { ++ dup_dest_constraint_hop(&dcs[i].from, &ret[i].from); ++ dup_dest_constraint_hop(&dcs[i].to, &ret[i].to); ++ } ++ return ret; ++} ++ ++#ifdef DEBUG_CONSTRAINTS ++static void ++dump_dest_constraint_hop(const struct dest_constraint_hop *dch) ++{ ++ u_int i; ++ char *fp; ++ ++ debug_f("user %s hostname %s is_ca %d nkeys %u", ++ dch->user == NULL ? "(null)" : dch->user, ++ dch->hostname == NULL ? "(null)" : dch->hostname, ++ dch->is_ca, dch->nkeys); ++ for (i = 0; i < dch->nkeys; i++) { ++ fp = NULL; ++ if (dch->keys[i] != NULL && ++ (fp = sshkey_fingerprint(dch->keys[i], ++ SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) ++ fatal_f("fingerprint failed"); ++ debug_f("key %u/%u: %s%s%s key_is_ca %d", i, dch->nkeys, ++ dch->keys[i] == NULL ? "" : sshkey_ssh_name(dch->keys[i]), ++ dch->keys[i] == NULL ? "" : " ", ++ dch->keys[i] == NULL ? "none" : fp, ++ dch->key_is_ca[i]); ++ free(fp); ++ } ++} ++#endif /* DEBUG_CONSTRAINTS */ ++ ++static void ++dump_dest_constraints(const char *context, ++ const struct dest_constraint *dcs, size_t ndcs) ++{ ++#ifdef DEBUG_CONSTRAINTS ++ size_t i; ++ ++ debug_f("%s: %zu constraints", context, ndcs); ++ for (i = 0; i < ndcs; i++) { ++ debug_f("constraint %zu / %zu: from: ", i, ndcs); ++ dump_dest_constraint_hop(&dcs[i].from); ++ debug_f("constraint %zu / %zu: to: ", i, ndcs); ++ dump_dest_constraint_hop(&dcs[i].to); ++ } ++ debug_f("done for %s", context); ++#endif /* DEBUG_CONSTRAINTS */ ++} ++ + static void + free_identity(Identity *id) + { +@@ -518,13 +603,22 @@ process_request_identities(SocketEntry *e) + Identity *id; + struct sshbuf *msg, *keys; + int r; +- u_int nentries = 0; ++ u_int i = 0, nentries = 0; ++ char *fp; + + debug2_f("entering"); + + if ((msg = sshbuf_new()) == NULL || (keys = sshbuf_new()) == NULL) + fatal_f("sshbuf_new failed"); + TAILQ_FOREACH(id, &idtab->idlist, next) { ++ if ((fp = sshkey_fingerprint(id->key, SSH_FP_HASH_DEFAULT, ++ SSH_FP_DEFAULT)) == NULL) ++ fatal_f("fingerprint failed"); ++ debug_f("key %u / %u: %s %s", i++, idtab->nentries, ++ sshkey_ssh_name(id->key), fp); ++ dump_dest_constraints(__func__, ++ id->dest_constraints, id->ndest_constraints); ++ free(fp); + /* identity not visible, don't include in response */ + if (identity_permitted(id, e, NULL, NULL, NULL) != 0) + continue; +@@ -1224,6 +1318,7 @@ process_add_identity(SocketEntry *e) + sshbuf_reset(e->request); + goto out; + } ++ dump_dest_constraints(__func__, dest_constraints, ndest_constraints); + + if (sk_provider != NULL) { + if (!sshkey_is_sk(k)) { +@@ -1403,6 +1498,7 @@ process_add_smartcard_key(SocketEntry *e) + error_f("failed to parse constraints"); + goto send; + } ++ dump_dest_constraints(__func__, dest_constraints, ndest_constraints); + + sane_uri = sanitize_pkcs11_provider(e, provider); + if (sane_uri == NULL) +@@ -1438,10 +1534,9 @@ process_add_smartcard_key(SocketEntry *e) + } + id->death = death; + id->confirm = confirm; +- id->dest_constraints = dest_constraints; ++ id->dest_constraints = dup_dest_constraints( ++ dest_constraints, ndest_constraints); + id->ndest_constraints = ndest_constraints; +- dest_constraints = NULL; /* transferred */ +- ndest_constraints = 0; + TAILQ_INSERT_TAIL(&idtab->idlist, id, next); + idtab->nentries++; + success = 1; diff --git a/openssh.spec b/openssh.spec index b9db75d..faf775c 100644 --- a/openssh.spec +++ b/openssh.spec @@ -233,6 +233,7 @@ Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch Patch1016: openssh-9.3p1-openssl-compat.patch Patch1017: openssh-9.6p1-CVE-2023-51385.patch Patch1018: openssh-9.6p1-CVE-2023-48795.patch +Patch1019: openssh-9.6p1-CVE-2023-51384.patch License: BSD Requires: /sbin/nologin @@ -439,6 +440,7 @@ popd %patch -P 1016 -p1 -b .ossl-version %patch -P 1017 -p1 -b .cve-2023-51385 %patch -P 1018 -p1 -b .cve-2023-48795 +%patch -P 1019 -p1 -b .cve-2023-51384 %patch -P 100 -p1 -b .coverity @@ -753,6 +755,8 @@ test -f %{sysconfig_anaconda} && \ Resolves: CVE-2023-51385 - Fix Terrapin attack Resolves: CVE-2023-48795 +- Apply destination constraints to all PKCS#11 keys + Resolves: CVE-2023-51384 * Fri Sep 08 2023 Dmitry Belyavskiy - 9.3p1-9 - Revert "Remove sshd.socket unit (rhbz#2025716)" according to FESCO decision