[openssh-commits] [openssh] 01/01: Only refuse to use OpenSSL 3.0.4 on x86_64.
Wed Jul 13 13:19:24 AEST 2022
This is an automated email from the git hooks/post-receive script.
dtucker pushed a commit to branch master
in repository openssh.
commit 76f4e48631d7b09fb243b47d7b393d100d3741b7
Author: Darren Tucker <dtucker at dtucker.net>
Date: Wed Jul 13 13:17:47 2022 +1000
Only refuse to use OpenSSL 3.0.4 on x86_64.
The potential RCE only impacts x86_64, so only refuse to use it if we're
targeting a potentially impacted architecture. ok djm@
---
configure.ac | 10 +++++++++-
regress/keyscan.sh | 13 +++++++++++++
sftp-server-main.c | 2 --
3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 6ebdd06a..0c6a57eb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2796,7 +2796,6 @@ if test "x$openssl" = "xyes" ; then
;;
101*) ;; # 1.1.x
200*) ;; # LibreSSL
- 3000004*) AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)]) ;;
300*)
# OpenSSL 3; we use the 1.1x API
CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
@@ -2820,6 +2819,15 @@ if test "x$openssl" = "xyes" ; then
]
)
+ case "$host" in
+ x86_64-*)
+ case "$ssl_library_ver" in
+ 3000004*)
+ AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)])
+ ;;
+ esac
+ esac
+
# Sanity check OpenSSL headers
AC_MSG_CHECKING([whether OpenSSL's headers match the library])
AC_RUN_IFELSE(
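Review bot: The new `case "$host"` block at the top of this hunk carries no comment saying why the OpenSSL 3.0.4 refusal is now limited to x86_64; the rationale exists only in the commit message, and the next person who sees the check skipped on another architecture will have to dig it out of the history. A one-line comment above the outer case, `# CVE-2022-2274 (OpenSSL 3.0.4 RSA bug) only impacts x86_64, so only refuse it there`, would keep the reasoning with the code. Neither `case` has a default `*) ;;` arm, which is legal in sh but leaves the non-x86_64 path implicit; an explicit `*) ;;` after the `x86_64-*)` arm would make it clear that other hosts are intentionally allowed through. The enclosing `if test "x$openssl" = "xyes"` block starts before this hunk.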
diff --git a/regress/keyscan.sh b/regress/keyscan.sh
index 75a14ee0..0b8c33aa 100644
--- a/regress/keyscan.sh
+++ b/regress/keyscan.sh
@@ -23,3 +23,16 @@ for t in $SSH_KEYTYPES; do
fail "ssh-keyscan -t $t failed with: $r"
fi
done
+
+stop_sshd
+sleep 1
+
+trace "keyscan banner length"
+banner=""
+for i in `seq 245 256`; do
+ trace "keyscan length $i"
+ banner=`perl -le "print 'A'x$i"`
+ (printf "SSH-2.0-${banner}" | ${NC} -N -l $PORT >/dev/null) &
+ ${SSHKEYSCAN} -p $PORT 127.0.0.1
+ sleep 3
+done
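Review bot: The new loop never checks the outcome of `${SSHKEYSCAN} -p $PORT 127.0.0.1`, so unlike the loop above it, which calls `fail` on a bad result, a crash of ssh-keyscan on one of the 245-256 byte banners would go unnoticed unless someone reads the trace output. Since the fake listener never completes a key exchange, a plain non-zero status may well be expected, but death by signal (status above 128) is not; capturing it with `r=$?` and adding `[ $r -gt 128 ] && fail "ssh-keyscan died (status $r) on banner length $i"` after the ssh-keyscan line would let the test actually fail. The background `${NC}` listener is also never reaped with `wait`, and the fixed `sleep 3` per iteration adds roughly 36 seconds to the test; a `wait` at the end of each iteration would be more reliable and cheaper, provided the listener exits once ssh-keyscan disconnects (this depends on the nc implementation and is not visible here). The `seq` backticks, the unquoted `$PORT` and `printf "SSH-2.0-${banner}"` used as a format string follow the file's existing style and the banner is only 'A's, so those are nits; `printf '%s' "SSH-2.0-${banner}"` would still be the safer form.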
diff --git a/sftp-server-main.c b/sftp-server-main.c
index 06566d36..2c70f89b 100644
--- a/sftp-server-main.c
+++ b/sftp-server-main.c
@@ -42,8 +42,6 @@ main(int argc, char **argv)
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
- seed_rng();
-
if ((user_pw = getpwuid(getuid())) == NULL) {
fprintf(stderr, "No user found for uid %lu\n",
(u_long)getuid());
--