File CVE-2023-38200-01.patch of Package keylime

From c68d8f0b7ea549c12b6956ab0f3c28ae0360ae17 Mon Sep 17 00:00:00 2001
From: florian <264356+flozilla@users.noreply.github.com>
Date: Tue, 11 Jul 2023 21:31:27 +0200
Subject: [PATCH] Extend Registrar SSL socket to be non-blocking

Signed-off-by: florian <264356+flozilla@users.noreply.github.com>
---
 keylime/registrar_common.py | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

Index: keylime-v6.3.2/keylime/registrar_common.py
===================================================================
--- keylime-v6.3.2.orig/keylime/registrar_common.py
+++ keylime-v6.3.2/keylime/registrar_common.py
@@ -8,6 +8,7 @@ import ipaddress
 import threading
 import sys
 import signal
+import ssl
 import os
 import http.server
 from http.server import HTTPServer, BaseHTTPRequestHandler
@@ -40,6 +41,23 @@ except SQLAlchemyError as err:
 
 
 class ProtectedHandler(BaseHTTPRequestHandler, SessionManager):
+    def handle(self) -> None:
+        """ Need to perform SSL handshake here, as do_handshake_on_connect=False for non-blocking SSL socket """
+        while True:
+            try:
+                self.request.do_handshake()
+                break
+            except ssl.SSLWantReadError:
+                select.select([sock], [], [])
+            except ssl.SSLWantWriteError:
+                select.select([], [sock], [])
+            except ssl.SSLError as e:
+                logger.error("SSL connection error: %s", e)
+                return
+            except Exception as e:
+                logger.error("General communication failure: %s", e)
+                return
+        BaseHTTPRequestHandler.handle(self)
 
     def do_HEAD(self):
         """HEAD not supported"""
@@ -530,7 +548,7 @@ def start(host, tlsport, port):
     protected_server = RegistrarServer((host, tlsport), ProtectedHandler)
     context, _ = web_util.init_mtls(section='registrar', generatedir='reg_ca', logger=logger)
     if context is not None:
-        protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True)
+        protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True, do_handshake_on_connect=False)
     thread_protected_server = threading.Thread(target=protected_server.serve_forever)
 
     # Set up the unprotected registrar server
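Review bot: `do_handshake_on_connect=False` only defers the handshake to ProtectedHandler.handle(); it does not make the accepted sockets non-blocking, and as far as this hunk shows the listening socket's blocking mode is not changed, so `do_handshake()` in the handler may simply block on a client that never sends its ClientHello instead of raising the SSLWantReadError/SSLWantWriteError the handler's loop is written for. If that is the case, the "non-blocking" intent in the commit title needs a `settimeout(...)` or `setblocking(False)` on the accepted socket (or a timeout on the listener) before the handshake loop can yield. A short comment on the changed line, e.g. `# handshake is completed per connection in ProtectedHandler.handle()`, would make the coupling to the handler visible to the next reader. The rest of start() is outside the hunk.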