git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
tang
1
0
Fork 0
Files
Tree: 7561ffb4a8
Branches Tags
tang
/
debian
/
patches
/
bullseye
/
1639480721.v10-9-ge82459f.keys-move-signing-part-out-of-find-by-thp-and-to-find-jws-81.patch

1639480721.v10-9-ge82459f.keys-move-signing-part-out-of-find-by-thp-and-to-find-jws-81.patch 5.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142 
  1. Subject: Keys: move signing part out of find_by_thp() and to find_jws() (#81)
    2. 

  2. ID: CVE-2021-4076
    3. 

  3. Origin: v10-9-ge82459f <https://github.com/latchset/tang/commit/v10-9-ge82459f>
    4. 

  4. Upstream-Author: Sergio Correia <scorreia@redhat.com>
    5. 

  5. Date: Tue Dec 14 08:18:41 2021 -0300
    6. 

  6. 

  7.     Handle just signing keys in find_jws(), to make sure we are
    8. 

  8.     responding only to proper queries.
    9. 

  9. 

  10.     Tests were also failing to detect this issue and were updated
    11. 

  11.     accordingly.
    12. 

  12. 

  13.     Issue discovered by Twitter Kernel and OS team during a source
    14. 

  14.     code audit while evaluating Tang/Clevis for their needs.
    15. 

  15. 

  16.     Fixes CVE-2021-4076
    17. 

  17. 

  18. --- a/src/keys.c
    19. 

  19. +++ b/src/keys.c
    20. 

  20. @@ -263,20 +263,7 @@
    21. 

  21.              if (strcmp(thumbprint, target) != 0) {
    22. 

  22.                  continue;
    23. 

  23.              }
    24. 

  24. -
    25. 

  25. -            if (jwk_valid_for_deriving_keys(jwk)) {
    26. 

  26. -                return json_incref(jwk);
    27. 

  27. -            } else if (jwk_valid_for_signing(jwk)) {
    28. 

  28. -                json_auto_t* sign = json_deep_copy(tki->m_sign);
    29. 

  29. -                if (json_array_append(sign, jwk) == -1) {
    30. 

  30. -                    return NULL;
    31. 

  31. -                }
    32. 

  32. -                json_auto_t* jws = jwk_sign(tki->m_payload, sign);
    33. 

  33. -                if (!jws) {
    34. 

  34. -                    return NULL;
    35. 

  35. -                }
    36. 

  36. -                return json_incref(jws);
    37. 

  37. -            }
    38. 

  38. +            return json_incref(jwk);
    39. 

  39.          }
    40. 

  40.      }
    41. 

  41.      return NULL;
    42. 

  42. @@ -436,7 +423,21 @@
    43. 

  43.          }
    44. 

  44.          return json_incref(jws);
    45. 

  45.      }
    46. 

  46. -    return find_by_thp(tki, thp);
    47. 

  47. +
    48. 

  48. +    json_auto_t* jwk = find_by_thp(tki, thp);
    49. 

  49. +    if (!jwk_valid_for_signing(jwk)) {
    50. 

  50. +        return NULL;
    51. 

  51. +    }
    52. 

  52. +
    53. 

  53. +    json_auto_t* sign = json_deep_copy(tki->m_sign);
    54. 

  54. +    if (json_array_append(sign, jwk) == -1) {
    55. 

  55. +        return NULL;
    56. 

  56. +    }
    57. 

  57. +    json_auto_t* jws = jwk_sign(tki->m_payload, sign);
    58. 

  58. +    if (!jws) {
    59. 

  59. +        return NULL;
    60. 

  60. +    }
    61. 

  61. +    return json_incref(jws);
    62. 

  62.  }
    63. 

  63.  
    64. 

  64.  json_t*
    65. 

  65. --- a/tests/adv
    66. 

  66. +++ b/tests/adv
    67. 

  67. @@ -36,11 +36,11 @@
    68. 

  68.  sleep 0.5
    69. 

  69.  
    70. 

  70.  # Make sure requests on the root fail
    71. 

  71. -! fetch /
    72. 

  72. +fetch / && expected_fail
    73. 

  73.  
    74. 

  74.  # The request should fail (404) for non-signature key IDs
    75. 

  75. -! fetch /adv/`jose jwk thp -i $TMP/db/exc.jwk`
    76. 

  76. -! fetch /adv/`jose jwk thp -a S512 -i $TMP/db/exc.jwk`
    77. 

  77. +fetch /adv/`jose jwk thp -i $TMP/db/exc.jwk` && expected_fail
    78. 

  78. +fetch /adv/`jose jwk thp -a S512 -i $TMP/db/exc.jwk` && expected_fail
    79. 

  79.  
    80. 

  80.  # The default advertisement fetch should succeed and pass verification
    81. 

  81.  fetch /adv
    82. 

  82. @@ -52,17 +52,17 @@
    83. 

  83.  fetch /adv/`jose jwk thp -a S512 -i $TMP/db/sig.jwk` | ver $TMP/db/sig.jwk
    84. 

  84.  
    85. 

  85.  # Requesting an adv by an advertised key ID should't be signed by hidden keys
    86. 

  86. -! fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.sig.jwk
    87. 

  87. -! fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.oth.jwk
    88. 

  88. +fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.sig.jwk && expected_fail
    89. 

  89. +fetch /adv/`jose jwk thp -i $TMP/db/sig.jwk` | ver $TMP/db/.oth.jwk && expected_fail
    90. 

  90.  
    91. 

  91.  # Verify that the default advertisement is not signed with hidden signature keys
    92. 

  92. -! fetch /adv/ | ver $TMP/db/.oth.jwk
    93. 

  93. -! fetch /adv/ | ver $TMP/db/.sig.jwk
    94. 

  94. +fetch /adv/ | ver $TMP/db/.oth.jwk && expected_fail
    95. 

  95. +fetch /adv/ | ver $TMP/db/.sig.jwk && expected_fail
    96. 

  96.  
    97. 

  97.  # A private key advertisement is signed by all advertised keys and the requested private key
    98. 

  98.  fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/sig.jwk
    99. 

  99.  fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.sig.jwk
    100. 

  100. -! fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.oth.jwk
    101. 

  101. +fetch /adv/`jose jwk thp -i $TMP/db/.sig.jwk` | ver $TMP/db/.oth.jwk && expected_fail
    102. 

  102.  
    103. 

  103.  # Verify that the advertisements contain the cty parameter
    104. 

  104.  fetch /adv | jose fmt -j- -Og protected -SyOg cty -Sq "jwk-set+json" -E
    105. 

  105. --- a/tests/helpers
    106. 

  106. +++ b/tests/helpers
    107. 

  107. @@ -60,3 +60,8 @@
    108. 

  108.      # Skip test if socat is not available.
    109. 

  109.      [ -n "${SOCAT}" ] || exit 77
    110. 

  110.  }
    111. 

  111. +
    112. 

  112. +expected_fail () {
    113. 

  113. +    echo "Test was expected to fail" >&2
    114. 

  114. +    exit 1
    115. 

  115. +}
    116. 

  116. --- a/tests/rec
    117. 

  117. +++ b/tests/rec
    118. 

  118. @@ -42,8 +42,8 @@
    119. 

  119.  sleep 0.5
    120. 

  120.  
    121. 

  121.  # Make sure that GET fails
    122. 

  122. -! curl -sf http://127.0.0.1:$PORT/rec
    123. 

  123. -! curl -sf http://127.0.0.1:$PORT/rec/
    124. 

  124. +curl -sf http://127.0.0.1:$PORT/rec && expected_fail
    125. 

  125. +curl -sf http://127.0.0.1:$PORT/rec/ && expected_fail
    126. 

  126.  
    127. 

  127.  # Make a recovery request (NOTE: this is insecure! Don't do this in real code!)
    128. 

  128.  good=`jose jwk exc -i '{"alg":"ECMR","key_ops":["deriveKey"]}' -l $TMP/exc.jwk -r $TMP/db/exc.jwk`
    129. 

  129. --- a/tests/test-keys.c.in
    130. 

  130. +++ b/tests/test-keys.c.in
    131. 

  131. @@ -104,6 +104,11 @@
    132. 

  132.          {"ugJ4Ula-YABQIiJ-0g3B_jpFpF2nl3W-DNpfLdXArhTusV0QCcd1vtgDeGHEPzpm7jEsyC7VYYSSOkZicK22mw", 1},
    133. 

  133.          {"up0Z4fRhpd4O5QwBaMCXDTlrvxCmZacU0MD8kw", 1},
    134. 

  134.          {"vllHS-M0aQFCo2yUCcAahMU4TAtXACyeuRf-zbmmTPBg7V0Pb-RRFGo5C6MnpzdirK8B3ORLOsN8RyXClvtjxA", 1},
    135. 

  135. +        {"-bWkGaJi0Zdvxaj4DCp28umLcRA", 0},
    136. 

  136. +        {"WEpfFyeoNKkE2-TosN_bP-gd9UgRvQCZpVasZQ", 0},
    137. 

  137. +        {"L4xg2tZXTEVbsK39bzOZM1jGWn3HtOxF5gh6F9YVf5Q", 0},
    138. 

  138. +        {"9U8qgy_YjyY6Isuq6QuiKEiYZgNJShcGgJx5FJzCu6m3N6zFaIPy_HDkxkVqAZ9E", 0},
    139. 

  139. +        {"Cy73glFjs6B6RU7wy6vWxAc-2bJy5VJOT9LyK80eKgZ8k27wXZ-3rjsuNU5tua_yHWtluyoSYtjoKXfI0E8ESw", 0},
    140. 

  140.          {NULL, 1},
    141. 

  141.          {"a", 0},
    142. 

  142.          {"foo", 0},
    143.