File CVE-2023-38200-01.patch of Package keylime
From c68d8f0b7ea549c12b6956ab0f3c28ae0360ae17 Mon Sep 17 00:00:00 2001
From: florian <264356+flozilla@users.noreply.github.com>
Date: Tue, 11 Jul 2023 21:31:27 +0200
Subject: [PATCH] Extend Registrar SSL socket to be non-blocking
Signed-off-by: florian <264356+flozilla@users.noreply.github.com>
---
keylime/registrar_common.py | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
Index: keylime-v6.3.2/keylime/registrar_common.py
===================================================================
--- keylime-v6.3.2.orig/keylime/registrar_common.py
+++ keylime-v6.3.2/keylime/registrar_common.py
@@ -8,6 +8,7 @@ import ipaddress
import threading
import sys
import signal
+import ssl
import os
import http.server
from http.server import HTTPServer, BaseHTTPRequestHandler
@@ -40,6 +41,23 @@ except SQLAlchemyError as err:
class ProtectedHandler(BaseHTTPRequestHandler, SessionManager):
+ def handle(self) -> None:
+ """ Need to perform SSL handshake here, as do_handshake_on_connect=False for non-blocking SSL socket """
+ while True:
+ try:
+ self.request.do_handshake()
+ break
+ except ssl.SSLWantReadError:
+ select.select([sock], [], [])
+ except ssl.SSLWantWriteError:
+ select.select([], [sock], [])
+ except ssl.SSLError as e:
+ logger.error("SSL connection error: %s", e)
+ return
+ except Exception as e:
+ logger.error("General communication failure: %s", e)
+ return
+ BaseHTTPRequestHandler.handle(self)
def do_HEAD(self):
"""HEAD not supported"""
@@ -530,7 +548,7 @@ def start(host, tlsport, port):
protected_server = RegistrarServer((host, tlsport), ProtectedHandler)
context, _ = web_util.init_mtls(section='registrar', generatedir='reg_ca', logger=logger)
if context is not None:
- protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True)
+ protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True, do_handshake_on_connect=False)
thread_protected_server = threading.Thread(target=protected_server.serve_forever)
# Set up the unprotected registrar server