From 1e21592a5e62828a84008bdd068dc1a21f5477e5 Mon Sep 17 00:00:00 2001 From: Ben Homer Date: Dec 20 2024 14:22:33 +0000 Subject: Allow sk webauthn signatures to be determined based on structure --- diff --git a/openssh-8.7p1-sk-ecdsa-webauthn.patch b/openssh-8.7p1-sk-ecdsa-webauthn.patch new file mode 100644 index 0000000..8bbc7a4 --- /dev/null +++ b/openssh-8.7p1-sk-ecdsa-webauthn.patch @@ -0,0 +1,30 @@ +Index: openssh-8.7p1/ssh-ecdsa-sk.c +=================================================================== +--- openssh-8.7p1.orig/ssh-ecdsa-sk.c ++++ openssh-8.7p1/ssh-ecdsa-sk.c +@@ -191,14 +191,17 @@ ssh_ecdsa_sk_verify(const struct sshkey + ret = SSH_ERR_INVALID_FORMAT; + goto out; + } +- if (is_webauthn) { +- if (sshbuf_get_cstring(b, &webauthn_origin, NULL) != 0 || +- sshbuf_froms(b, &webauthn_wrapper) != 0 || +- sshbuf_froms(b, &webauthn_exts) != 0) { +- ret = SSH_ERR_INVALID_FORMAT; +- goto out; +- } +- } ++ if (sshbuf_get_cstring(b, &webauthn_origin, NULL) != 0 || ++ sshbuf_froms(b, &webauthn_wrapper) != 0 || ++ sshbuf_froms(b, &webauthn_exts) != 0) { ++ if (is_webauthn) { ++ ret = SSH_ERR_INVALID_FORMAT; ++ goto out; ++ } ++ } else { ++ // webauthn signature detected based on structure ++ is_webauthn = 1; ++ } + if (sshbuf_len(b) != 0) { + ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; + goto out; diff --git a/openssh.spec b/openssh.spec index 28ec48a..0dfe21b 100644 --- a/openssh.spec +++ b/openssh.spec @@ -51,7 +51,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 -%global openssh_rel 43 +%global openssh_rel 44 %global hyperscale_rel 2 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -302,6 +302,7 @@ Patch1019: openssh-9.6p1-CVE-2023-51385.patch #upstream commit 96faa0de6c673a2ce84736eba37fc9fb723d9e5c Patch1020: openssh-8.7p1-sigpipe.patch Patch1021: openssh-9.8p1-upstream-cve-2024-6387.patch +Patch1022: openssh-8.7p1-sk-ecdsa-webauthn.patch # Add a unique log session identifier to output messages for # each sshd process and its children. @@ -555,6 +556,7 @@ popd %patch1019 -p1 -b .cve-2023-51385 %patch1020 -p1 -b .earlypipe %patch1021 -p1 -b .cve-2024-6387 +%patch1022 -p1 -b .sk-ecdsa-webauthn %if 0%{?facebook} && !0%{?use_quilt} %patch2010 -p1 -b .log_session_id @@ -860,6 +862,9 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Thu Dec 19 2024 Ben Homer - 8.7p1-44.2 + 0.10.4-5.2 +- Allow webauthn-sk-ecdsa signatures to be detected based on format + * Wed Jul 10 2024 Raymond Colebaugh - 8.7p1-43.2 + 0.10.4-5.43.2 - Reenable keyperm patch in facebook builds