From f6213e03887237714eb5bcfc9089c707069f87c5 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 1 Oct 2021 16:35:49 +1000 Subject: [PATCH 01/12] make OPENSSL_HAS_ECC checks more thorough ok dtucker Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/dee22129bbc61e25b1003adfa2bc584c5406ef2d] CVE: CVE-2023-38408 Signed-off-by: Shubham Kulkarni --- ssh-pkcs11-client.c | 16 ++++++++-------- ssh-pkcs11.c | 26 +++++++++++++------------- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c index 8a0ffef..41114c7 100644 --- a/ssh-pkcs11-client.c +++ b/ssh-pkcs11-client.c @@ -163,7 +163,7 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding) return (ret); } -#ifdef HAVE_EC_KEY_METHOD_NEW +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) static ECDSA_SIG * ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, const BIGNUM *rp, EC_KEY *ec) @@ -220,12 +220,12 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, sshbuf_free(msg); return (ret); } -#endif /* HAVE_EC_KEY_METHOD_NEW */ +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ static RSA_METHOD *helper_rsa; -#ifdef HAVE_EC_KEY_METHOD_NEW +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) static EC_KEY_METHOD *helper_ecdsa; -#endif /* HAVE_EC_KEY_METHOD_NEW */ +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ /* redirect private key crypto operations to the ssh-pkcs11-helper */ static void @@ -233,10 +233,10 @@ wrap_key(struct sshkey *k) { if (k->type == KEY_RSA) RSA_set_method(k->rsa, helper_rsa); -#ifdef HAVE_EC_KEY_METHOD_NEW +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) else if (k->type == KEY_ECDSA) EC_KEY_set_method(k->ecdsa, helper_ecdsa); -#endif /* HAVE_EC_KEY_METHOD_NEW */ +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ else fatal("%s: unknown key type", __func__); } @@ -247,7 +247,7 @@ pkcs11_start_helper_methods(void) if (helper_rsa != NULL) return (0); -#ifdef HAVE_EC_KEY_METHOD_NEW +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) int (*orig_sign)(int, const unsigned char *, int, unsigned char *, unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL; if (helper_ecdsa != NULL) @@ -257,7 +257,7 @@ pkcs11_start_helper_methods(void) return (-1); EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL); EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign); -#endif /* HAVE_EC_KEY_METHOD_NEW */ +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL) fatal("%s: RSA_meth_dup failed", __func__); diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index a302c79..b56a41b 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -78,7 +78,7 @@ struct pkcs11_key { int pkcs11_interactive = 0; -#ifdef HAVE_EC_KEY_METHOD_NEW +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) static void ossl_error(const char *msg) { @@ -89,7 +89,7 @@ ossl_error(const char *msg) error("%s: libcrypto error: %.100s", __func__, ERR_error_string(e, NULL)); } -#endif /* HAVE_EC_KEY_METHOD_NEW */ +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ int pkcs11_init(int interactive) @@ -190,10 +190,10 @@ pkcs11_del_provider(char *provider_id) static RSA_METHOD *rsa_method; static int rsa_idx = 0; -#ifdef HAVE_EC_KEY_METHOD_NEW +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) static EC_KEY_METHOD *ec_key_method; static int ec_key_idx = 0; -#endif +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ /* release a wrapped object */ static void @@ -492,7 +492,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, return (0); } -#ifdef HAVE_EC_KEY_METHOD_NEW +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) /* openssl callback doing the actual signing operation */ static ECDSA_SIG * ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, @@ -604,7 +604,7 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, return (0); } -#endif /* HAVE_EC_KEY_METHOD_NEW */ +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ /* remove trailing spaces */ static void @@ -679,7 +679,7 @@ pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key) return (0); } -#ifdef HAVE_EC_KEY_METHOD_NEW +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) static struct sshkey * pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, CK_OBJECT_HANDLE *obj) @@ -802,7 +802,7 @@ fail: return (key); } -#endif /* HAVE_EC_KEY_METHOD_NEW */ +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ static struct sshkey * pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, @@ -910,7 +910,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, #endif struct sshkey *key = NULL; int i; -#ifdef HAVE_EC_KEY_METHOD_NEW +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) int nid; #endif const u_char *cp; @@ -999,7 +999,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, key->type = KEY_RSA; key->flags |= SSHKEY_FLAG_EXT; rsa = NULL; /* now owned by key */ -#ifdef HAVE_EC_KEY_METHOD_NEW +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) } else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) { if (EVP_PKEY_get0_EC_KEY(evp) == NULL) { error("invalid x509; no ec key"); @@ -1030,7 +1030,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, key->type = KEY_ECDSA; key->flags |= SSHKEY_FLAG_EXT; ec = NULL; /* now owned by key */ -#endif /* HAVE_EC_KEY_METHOD_NEW */ +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ } else { error("unknown certificate key type"); goto out; @@ -1237,11 +1237,11 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, case CKK_RSA: key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj); break; -#ifdef HAVE_EC_KEY_METHOD_NEW +#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) case CKK_ECDSA: key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj); break; -#endif /* HAVE_EC_KEY_METHOD_NEW */ +#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ default: /* XXX print key type? */ key = NULL; -- 2.41.0