Only refuse to use OpenSSL 3.0.4 on x86_64.
The potential RCE only impacts x86_64, so only refuse to use it if we're targeting a potentially impacted architecture. ok djm@
This commit is contained in:
parent
e75bbc1d88
commit
76f4e48631
10
configure.ac
10
configure.ac
|
@ -2796,7 +2796,6 @@ if test "x$openssl" = "xyes" ; then
|
||||||
;;
|
;;
|
||||||
101*) ;; # 1.1.x
|
101*) ;; # 1.1.x
|
||||||
200*) ;; # LibreSSL
|
200*) ;; # LibreSSL
|
||||||
3000004*) AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)]) ;;
|
|
||||||
300*)
|
300*)
|
||||||
# OpenSSL 3; we use the 1.1x API
|
# OpenSSL 3; we use the 1.1x API
|
||||||
CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
|
CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
|
||||||
|
@ -2820,6 +2819,15 @@ if test "x$openssl" = "xyes" ; then
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
|
|
||||||
|
case "$host" in
|
||||||
|
x86_64-*)
|
||||||
|
case "$ssl_library_ver" in
|
||||||
|
3000004*)
|
||||||
|
AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)])
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
esac
|
||||||
|
|
||||||
# Sanity check OpenSSL headers
|
# Sanity check OpenSSL headers
|
||||||
AC_MSG_CHECKING([whether OpenSSL's headers match the library])
|
AC_MSG_CHECKING([whether OpenSSL's headers match the library])
|
||||||
AC_RUN_IFELSE(
|
AC_RUN_IFELSE(
|
||||||
|
|
|
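Review bot: The new `case "$host" in x86_64-*)` block at the start of the second hunk carries no comment recording why the CVE-2022-2274 refusal is limited to one architecture, so a maintainer reading configure.ac alone cannot tell whether widening or dropping the gate is safe; add `# CVE-2022-2274 (OpenSSL 3.0.4 RSA bug) is only reachable on x86_64; other hosts may keep using 3.0.4` above the outer `case`. The inner match keys solely on `$ssl_library_ver` being `3000004*`, so a vendor build of 3.0.4 that carries the upstream fix but keeps the version number is still refused and there is no configure-time override; that is defensible for a hard error on a potential RCE, but worth a sentence in the same comment. Presumably `$host` is the canonical host triple, so `amd64`-style spellings are already normalised to `x86_64-*` before this test runs — worth confirming, since a miss would silently skip the check rather than fail. The enclosing `if test "x$openssl" = "xyes"` block starts and ends outside the hunk.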
@ -23,3 +23,16 @@ for t in $SSH_KEYTYPES; do
|
||||||
fail "ssh-keyscan -t $t failed with: $r"
|
fail "ssh-keyscan -t $t failed with: $r"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
stop_sshd
|
||||||
|
sleep 1
|
||||||
|
|
||||||
|
trace "keyscan banner length"
|
||||||
|
banner=""
|
||||||
|
for i in `seq 245 256`; do
|
||||||
|
trace "keyscan length $i"
|
||||||
|
banner=`perl -le "print 'A'x$i"`
|
||||||
|
(printf "SSH-2.0-${banner}" | ${NC} -N -l $PORT >/dev/null) &
|
||||||
|
${SSHKEYSCAN} -p $PORT 127.0.0.1
|
||||||
|
sleep 3
|
||||||
|
done
|
||||||
|
|
|
@ -42,8 +42,6 @@ main(int argc, char **argv)
|
||||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||||
sanitise_stdfd();
|
sanitise_stdfd();
|
||||||
|
|
||||||
seed_rng();
|
|
||||||
|
|
||||||
if ((user_pw = getpwuid(getuid())) == NULL) {
|
if ((user_pw = getpwuid(getuid())) == NULL) {
|
||||||
fprintf(stderr, "No user found for uid %lu\n",
|
fprintf(stderr, "No user found for uid %lu\n",
|
||||||
(u_long)getuid());
|
(u_long)getuid());
|
||||||
|
|