author | djm@openbsd.org <djm@openbsd.org> | 2015-12-31 00:33:52 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2016-01-07 20:13:33 +1100 |
commit | 422d1b3ee977ff4c724b597fb2e437d38fc8de9d (patch) | |
tree | 8f3a52dcb3011352e8abd00a7509cc182b34776c | |
parent | 6074c84bf95d00f29cc7d5d3cd3798737851aa1a (diff) |
upstream commit
fix three bugs in KRL code related to (unused) signature
support: verification length was being incorrectly calculated, multiple
signatures were being incorrectly processed and a NULL dereference that
occurred when signatures were verified. Reported by Carl Jackson
Upstream-ID: e705e97ad3ccce84291eaa651708dd1b9692576b
-rw-r--r-- | krl.c | 7 |
1 files changed, 3 insertions, 4 deletions
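--- a/krl.c
+++ b/krl.c
@@ -14,7 +14,7 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 
-/* $OpenBSD: krl.c,v 1.36 2015/12/11 04:21:12 mmcc Exp $ */
+/* $OpenBSD: krl.c,v 1.37 2015/12/31 00:33:52 djm Exp $ */
 
 #include "includes.h"
 
@@ -1015,7 +1015,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
 }
 /* Check signature over entire KRL up to this point */
 if ((r = sshkey_verify(key, blob, blen,
-sshbuf_ptr(buf), sshbuf_len(buf) - sig_off, 0)) != 0)
+sshbuf_ptr(buf), sig_off, 0)) != 0)
 goto out;
 /* Check if this key has already signed this KRL */
 for (i = 0; i < nca_used; i++) {
@@ -1036,7 +1036,6 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
 ca_used = tmp_ca_used;
 ca_used[nca_used++] = key;
 key = NULL;
-break;
 }
 
 if (sshbuf_len(copy) != 0) {
@@ -1101,7 +1100,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
 r = SSH_ERR_INVALID_FORMAT;
 goto out;
 }
-if (sshbuf_len(sect) > 0) {
+if (sect != NULL && sshbuf_len(sect) > 0) {
 error("KRL section contains unparsed data");
 r = SSH_ERR_INVALID_FORMAT;
 goto out;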
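Review bot: The comment above the corrected sshkey_verify() call (new line 1016) still says only "entire KRL up to this point" and does not state that `sig_off` is a count of leading bytes of `buf`, which is the ambiguity the replaced length expression got wrong. I would extend it to `/* Signed data is the first sig_off bytes of buf: sig_off is an offset from the start, not a remaining length */`. The assignment of `sig_off` lies outside this hunk, so it is worth confirming there that it cannot exceed `sshbuf_len(buf)` before it is used as a verify length. The diffstat shows only krl.c changed and the message describes the signature path as unused, so a regression test that parses a KRL carrying two signatures would keep these three fixes from silently regressing.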