diff options
| author | Damien Miller <djm@mindrot.org> | 2010-03-04 21:51:11 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2010-03-04 21:51:11 +1100 |
| commit | 41396573afc94d64973d9eb824ca510d39260b3e (patch) | |
| tree | 4aa4eeda0157ac9d415c1221fa3e79bb971c358a /auth-options.c | |
| parent | e1abf4d6bc4bea0bb76e6ff89ca6048122e90d81 (diff) | |
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/03/03 01:44:36
[auth-options.c key.c]
reject strings with embedded ASCII nul chars in certificate key IDs,
principal names and constraints
Diffstat (limited to 'auth-options.c')
| -rw-r--r-- | auth-options.c | 28 |
1 files changed, 20 insertions, 8 deletions
diff --git a/auth-options.c b/auth-options.c index 396bda62f..d14624bf4 100644 --- a/auth-options.c +++ b/auth-options.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth-options.c,v 1.45 2010/02/26 20:29:54 djm Exp $ */ | 1 | /* $OpenBSD: auth-options.c,v 1.46 2010/03/03 01:44:36 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -391,7 +391,7 @@ int | |||
| 391 | auth_cert_constraints(Buffer *c_orig, struct passwd *pw) | 391 | auth_cert_constraints(Buffer *c_orig, struct passwd *pw) |
| 392 | { | 392 | { |
| 393 | u_char *name = NULL, *data_blob = NULL; | 393 | u_char *name = NULL, *data_blob = NULL; |
| 394 | u_int len; | 394 | u_int nlen, dlen, clen; |
| 395 | Buffer c, data; | 395 | Buffer c, data; |
| 396 | int ret = -1; | 396 | int ret = -1; |
| 397 | 397 | ||
| @@ -410,14 +410,18 @@ auth_cert_constraints(Buffer *c_orig, struct passwd *pw) | |||
| 410 | buffer_append(&c, buffer_ptr(c_orig), buffer_len(c_orig)); | 410 | buffer_append(&c, buffer_ptr(c_orig), buffer_len(c_orig)); |
| 411 | 411 | ||
| 412 | while (buffer_len(&c) > 0) { | 412 | while (buffer_len(&c) > 0) { |
| 413 | if ((name = buffer_get_string_ret(&c, NULL)) == NULL || | 413 | if ((name = buffer_get_string_ret(&c, &nlen)) == NULL || |
| 414 | (data_blob = buffer_get_string_ret(&c, &len)) == NULL) { | 414 | (data_blob = buffer_get_string_ret(&c, &dlen)) == NULL) { |
| 415 | error("Certificate constraints corrupt"); | 415 | error("Certificate constraints corrupt"); |
| 416 | goto out; | 416 | goto out; |
| 417 | } | 417 | } |
| 418 | buffer_append(&data, data_blob, len); | 418 | buffer_append(&data, data_blob, dlen); |
| 419 | debug3("found certificate constraint \"%.100s\" len %u", | 419 | debug3("found certificate constraint \"%.100s\" len %u", |
| 420 | name, len); | 420 | name, dlen); |
| 421 | if (strlen(name) != nlen) { | ||
| 422 | error("Certificate constraint name contains \\0"); | ||
| 423 | goto out; | ||
| 424 | } | ||
| 421 | if (strcmp(name, "permit-X11-forwarding") == 0) | 425 | if (strcmp(name, "permit-X11-forwarding") == 0) |
| 422 | cert_no_x11_forwarding_flag = 0; | 426 | cert_no_x11_forwarding_flag = 0; |
| 423 | else if (strcmp(name, "permit-agent-forwarding") == 0) | 427 | else if (strcmp(name, "permit-agent-forwarding") == 0) |
| @@ -429,13 +433,17 @@ auth_cert_constraints(Buffer *c_orig, struct passwd *pw) | |||
| 429 | else if (strcmp(name, "permit-user-rc") == 0) | 433 | else if (strcmp(name, "permit-user-rc") == 0) |
| 430 | cert_no_user_rc = 0; | 434 | cert_no_user_rc = 0; |
| 431 | else if (strcmp(name, "force-command") == 0) { | 435 | else if (strcmp(name, "force-command") == 0) { |
| 432 | char *command = buffer_get_string_ret(&data, NULL); | 436 | char *command = buffer_get_string_ret(&data, &clen); |
| 433 | 437 | ||
| 434 | if (command == NULL) { | 438 | if (command == NULL) { |
| 435 | error("Certificate constraint \"%s\" corrupt", | 439 | error("Certificate constraint \"%s\" corrupt", |
| 436 | name); | 440 | name); |
| 437 | goto out; | 441 | goto out; |
| 438 | } | 442 | } |
| 443 | if (strlen(command) != clen) { | ||
| 444 | error("force-command constrain contains \\0"); | ||
| 445 | goto out; | ||
| 446 | } | ||
| 439 | if (cert_forced_command != NULL) { | 447 | if (cert_forced_command != NULL) { |
| 440 | error("Certificate has multiple " | 448 | error("Certificate has multiple " |
| 441 | "forced-command constraints"); | 449 | "forced-command constraints"); |
| @@ -444,7 +452,7 @@ auth_cert_constraints(Buffer *c_orig, struct passwd *pw) | |||
| 444 | } | 452 | } |
| 445 | cert_forced_command = command; | 453 | cert_forced_command = command; |
| 446 | } else if (strcmp(name, "source-address") == 0) { | 454 | } else if (strcmp(name, "source-address") == 0) { |
| 447 | char *allowed = buffer_get_string_ret(&data, NULL); | 455 | char *allowed = buffer_get_string_ret(&data, &clen); |
| 448 | const char *remote_ip = get_remote_ipaddr(); | 456 | const char *remote_ip = get_remote_ipaddr(); |
| 449 | 457 | ||
| 450 | if (allowed == NULL) { | 458 | if (allowed == NULL) { |
| @@ -452,6 +460,10 @@ auth_cert_constraints(Buffer *c_orig, struct passwd *pw) | |||
| 452 | name); | 460 | name); |
| 453 | goto out; | 461 | goto out; |
| 454 | } | 462 | } |
| 463 | if (strlen(allowed) != clen) { | ||
| 464 | error("source-address constrain contains \\0"); | ||
| 465 | goto out; | ||
| 466 | } | ||
| 455 | if (cert_source_address_done++) { | 467 | if (cert_source_address_done++) { |
| 456 | error("Certificate has multiple " | 468 | error("Certificate has multiple " |
| 457 | "source-address constraints"); | 469 | "source-address constraints"); |