From a32aee017a3b956892a9d93a711b25f5667a6150 Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Wed, 13 Sep 2023 03:04:42 +0300
Subject: [PATCH] import keylime-6.5.2-6.el9_2
---
 SOURCES/0004-CVE-2023-38200.patch | 48 +++++++++++++++++++++++++++++++
 SOURCES/0005-CVE-2023-38201.patch | 20 +++++++++++++
 SPECS/keylime.spec | 12 +++++++-
 3 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0004-CVE-2023-38200.patch
 create mode 100644 SOURCES/0005-CVE-2023-38201.patch
diff --git a/SOURCES/0004-CVE-2023-38200.patch b/SOURCES/0004-CVE-2023-38200.patch
new file mode 100644
index 0000000..a5f8eb2
--- /dev/null
+++ b/SOURCES/0004-CVE-2023-38200.patch
@@ -0,0 +1,48 @@
+diff --git a/keylime/registrar_common.py b/keylime/registrar_common.py
+index fb37e5b..6b550d0 100644
+--- a/keylime/registrar_common.py
++++ b/keylime/registrar_common.py
+@@ -2,7 +2,9 @@ import base64
+ import http.server
+ import ipaddress
+ import os
++import select
+ import signal
++import ssl
+ import sys
+ import threading
+ from http.server import BaseHTTPRequestHandler, HTTPServer
+@@ -30,6 +32,24 @@ except SQLAlchemyError as err:
+ 
+ 
+ class ProtectedHandler(BaseHTTPRequestHandler, SessionManager):
++ def handle(self) -> None:
++ """ Need to perform SSL handshake here, as do_handshake_on_connect=False for non-blocking SSL socket """
++ while True:
++ try:
++ self.request.do_handshake()
++ break
++ except ssl.SSLWantReadError:
++ select.select([self.request], [], [])
++ except ssl.SSLWantWriteError:
++ select.select([], [self.request], [])
++ except ssl.SSLError as e:
++ logger.error("SSL connection error: %s", e)
++ return
++ except Exception as e:
++ logger.error("General communication failure: %s", e)
++ return
++ BaseHTTPRequestHandler.handle(self)
++
+ def do_HEAD(self):
+ """HEAD not supported"""
+ web_util.echo_json_response(self, 405, "HEAD not supported")
+@@ -490,7 +510,7 @@ def start(host, tlsport, port):
+ protected_server = RegistrarServer((host, tlsport), ProtectedHandler)
+ context = web_util.init_mtls("registrar", logger=logger)
+ if context is not None:
+- protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True)
++ protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True, do_handshake_on_connect=False)
+ thread_protected_server = threading.Thread(target=protected_server.serve_forever)
+ 
+ # Set up the unprotected registrar server
diff --git a/SOURCES/0005-CVE-2023-38201.patch b/SOURCES/0005-CVE-2023-38201.patch
new file mode 100644
index 0000000..4774c3d
--- /dev/null
+++ b/SOURCES/0005-CVE-2023-38201.patch
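Review bot: The two `select.select()` calls in the new `ProtectedHandler.handle()` carry no timeout, so a peer that connects and never completes the TLS handshake keeps that handler parked in `select` for as long as it holds the connection open; the change to `do_handshake_on_connect=False` in `start()` moves the wait off `accept()` but does not bound it. Giving the handshake a deadline and treating an empty ready-set as a failure would release the connection on the same path as the `ssl.SSLError` branch; `time` would have to join the import hunk and the limit is a deployment choice (placeholder constant below). Whether a stalled handshake also stalls other clients depends on `RegistrarServer`, which is defined outside this hunk. The docstring on `handle()` could additionally state that it returns without dispatching the request when the handshake fails.
```python
    def handle(self) -> None:
        """Finish the TLS handshake (do_handshake_on_connect=False) before dispatching; returns without dispatching if it fails."""
        deadline = time.monotonic() + HANDSHAKE_TIMEOUT_SECONDS  # constructed placeholder: define module-level limit
        while True:
            try:
                self.request.do_handshake()
                break
            except (ssl.SSLWantReadError, ssl.SSLWantWriteError) as e:
                remaining = deadline - time.monotonic()
                wants_read = isinstance(e, ssl.SSLWantReadError)
                rlist = [self.request] if wants_read else []
                wlist = [] if wants_read else [self.request]
                r, w, _ = select.select(rlist, wlist, [], max(remaining, 0))
                if remaining <= 0 or not (r or w):
                    logger.error("SSL handshake timed out after %s seconds", HANDSHAKE_TIMEOUT_SECONDS)
                    return
            # … unchanged: ssl.SSLError and generic Exception handlers …
        BaseHTTPRequestHandler.handle(self)
```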
@@ -0,0 +1,20 @@
+--- a/keylime/registrar_common.py 2023-07-19 17:26:50.320894695 +0200
++++ b/keylime/registrar_common.py 2023-07-19 17:27:16.797790852 +0200
+@@ -456,7 +456,16 @@
+ logger.error("SQLAlchemy Error: %s", e)
+ raise
+ else:
+- raise Exception(f"Auth tag {auth_tag} does not match expected value {ex_mac}")
++ if agent_id and session.query(RegistrarMain).filter_by(agent_id=agent_id).delete():
++ try:
++ session.commit()
++ except SQLAlchemyError as e:
++ logger.error("SQLAlchemy Error: %s", e)
++ raise
++
++ raise Exception(
++ f"Auth tag {auth_tag} for agent {agent_id} does not match expected value. The agent has been deleted from database, and a restart of it will be required"
++ )
+ 
+ web_util.echo_json_response(self, 200, "Success")
+ logger.info("PUT activated: %s", agent_id)
diff --git a/SPECS/keylime.spec b/SPECS/keylime.spec
index 8a47a55..cccd595 100644
--- a/SPECS/keylime.spec
+++ b/SPECS/keylime.spec
@@ -9,7 +9,7 @@ Name: keylime
 Version: 6.5.2
-Release: 4%{?dist}
+Release: 6%{?dist}
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust
 URL: https://github.com/keylime/keylime
@@ -20,6 +20,8 @@ Source2: https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%
 Patch: 0001-Do-not-use-default-values-that-need-reading-the-conf.patch
 Patch: 0002-Switch-to-sha256-hashes-for-signatures.patch
 Patch: 0003-logging-remove-option-to-log-into-separate-file.patch
+Patch: 0004-CVE-2023-38200.patch
+Patch: 0005-CVE-2023-38201.patch
 License: ASL 2.0 and MIT
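Review bot: The new mismatch branch in the 0005 patch deletes the `RegistrarMain` row for `agent_id` and commits before raising, but nothing is logged on that path, so the registrar log never records that a registration was removed or which peer triggered it; the only trace is the exception text. Because any request reaching this handler with a wrong `auth_tag` for an existing `agent_id` now causes that deletion, add a warning ahead of the `raise Exception(`, e.g. `logger.warning("Auth tag mismatch for agent %s; registration removed", agent_id)` (the remote address is available as `self.client_address` if this handler derives from `BaseHTTPRequestHandler`), so repeated failures can be alerted on and correlated. Dropping `{ex_mac}` from the message is right; the interpolated `auth_tag` is still caller-supplied and is fine in a log line but worth keeping out of the HTTP response if the enclosing handler echoes exception text to the client. The enclosing method starts and ends outside the hunk, so how this exception becomes a response is not visible here.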
@@ -342,6 +344,14 @@ fi
 %license LICENSE
 %changelog
+* Thu Aug 24 2023 Anderson Toshiyuki Sasaki - 6.5.2-6
+- Fix challenge-protocol bypass during agent registration (CVE-2023-38201)
+ Resolves: rhbz#2234463
+
+* Fri Jul 21 2023 Anderson Toshiyuki Sasaki - 6.5.2-5
+- Fix possible DOS on registrar (CVE-2023-38200)
+ Resolves: rhbz#2228048
+
 * Fri Jan 13 2023 Sergio Correia - 6.5.2-4
 - Backport upstream PR#1240 - logging: remove option to log into separate file
 Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime