Diffstat (limited to '0010-CVE-2023-38200.patch')
-rw-r--r-- | 0010-CVE-2023-38200.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/0010-CVE-2023-38200.patch b/0010-CVE-2023-38200.patch
new file mode 100644
index 0000000..7c06151
--- /dev/null
+++ b/0010-CVE-2023-38200.patch
@@ -0,0 +1,69 @@
+From e17d5a6a47c1405a799a06754d3e905856e3035d Mon Sep 17 00:00:00 2001
+From: florian <264356+flozilla@users.noreply.github.com>
+Date: Tue, 11 Jul 2023 21:31:27 +0200
+Subject: [PATCH 10/10] CVE-2023-38200
+
+Extend Registrar SSL socket to be non-blocking
+
+Fixes: CVE-2023-38200
+
+Upstream:
+ - https://github.com/keylime/keylime/commit/c68d8f0b7
+ - https://github.com/keylime/keylime/commit/27d515f4b
+---
+ keylime/registrar_common.py | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/keylime/registrar_common.py b/keylime/registrar_common.py
+index d1d20dd..6441e3b 100644
+--- a/keylime/registrar_common.py
++++ b/keylime/registrar_common.py
+@@ -2,8 +2,10 @@ import base64
+ import http.server
+ import ipaddress
+ import os
++import select
+ import signal
+ import socket
++import ssl
+ import sys
+ import threading
+ from http.server import BaseHTTPRequestHandler, HTTPServer
+@@ -77,6 +79,25 @@ class BaseHandler(BaseHTTPRequestHandler, SessionManager):
+ 
+ 
+ class ProtectedHandler(BaseHandler):
++ def handle(self) -> None:
++ """Need to perform SSL handshake here, as
++ do_handshake_on_connect=False for non-blocking SSL socket"""
++ while True:
++ try:
++ self.request.do_handshake()
++ break
++ except ssl.SSLWantReadError:
++ select.select([self.request], [], [])
++ except ssl.SSLWantWriteError:
++ select.select([], [self.request], [])
++ except ssl.SSLError as e:
++ logger.error("SSL connection error: %s", e)
++ return
++ except Exception as e:
++ logger.error("General communication failure: %s", e)
++ return
++ BaseHTTPRequestHandler.handle(self)
++
+ def do_HEAD(self) -> None:
+ """HEAD not supported"""
+ web_util.echo_json_response(self, 405, "HEAD not supported")
+@@ -494,7 +515,7 @@ def start(host: str, tlsport: int, port: int) -> None:
+ protected_server = RegistrarServer((host, tlsport), ProtectedHandler)
+ context = web_util.init_mtls("registrar", logger=logger)
+ if context is not None:
+- protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True)
++ protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True, do_handshake_on_connect=False)
+ thread_protected_server = threading.Thread(target=protected_server.serve_forever)
+ 
+ # Set up the unprotected registrar server
+--
+2.41.0
+
|
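Review bot: The handshake loop added in ProtectedHandler.handle() waits in `select.select([self.request], [], [])` with no timeout, so a peer that opens a TLS connection and then stalls mid-handshake still holds this handler (and its thread, if RegistrarServer is threaded) for as long as it likes; the change moves that stall off the accept loop but does not bound it. Passing a timeout to both select calls and returning when nothing became ready caps what a single half-open client can tie up, as sketched below. Separately, `do_handshake_on_connect=False` on its own does not change the accepted socket's blocking mode, so unless the socket is made non-blocking or given a timeout elsewhere (possibly in one of the upstream commits named in the message, which this hunk does not show), `do_handshake()` will simply block and the SSLWantReadError/SSLWantWriteError branches never run — worth confirming and stating in the docstring instead of asserting "non-blocking SSL socket". The `except Exception` branch logs every failed handshake from an unauthenticated peer at error level, which can flood the log when the port is being probed; `warning` is probably the right level for a pre-authentication failure. ProtectedHandler's body continues outside the hunk.

```python
class ProtectedHandler(BaseHandler):
    # Upper bound on how long a peer may take to finish the TLS handshake.
    # Constructed example value; tune per deployment.
    _HANDSHAKE_TIMEOUT = 30.0

    def _wait_for(self, want_read: bool) -> bool:
        """Wait until the request socket is readable (or writable) for the
        handshake; return False if _HANDSHAKE_TIMEOUT elapses first."""
        rlist = [self.request] if want_read else []
        wlist = [] if want_read else [self.request]
        readable, writable, _ = select.select(rlist, wlist, [], self._HANDSHAKE_TIMEOUT)
        if not (readable or writable):
            logger.warning("TLS handshake timed out after %ss", self._HANDSHAKE_TIMEOUT)
            return False
        return True

    def handle(self) -> None:
        """Complete the TLS handshake here (the socket is wrapped with
        do_handshake_on_connect=False) before dispatching the request; a peer
        that stalls longer than _HANDSHAKE_TIMEOUT is dropped."""
        while True:
            try:
                self.request.do_handshake()
                break
            except ssl.SSLWantReadError:
                if not self._wait_for(want_read=True):
                    return
            except ssl.SSLWantWriteError:
                if not self._wait_for(want_read=False):
                    return
            # … unchanged: SSLError / Exception branches …
        BaseHTTPRequestHandler.handle(self)
```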