author | djm@openbsd.org <djm@openbsd.org> | 2018-09-21 12:20:12 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-09-21 22:49:09 +1000 |
commit | bbc8af72ba68da014d4de6e21a85eb5123384226 (patch) | |
tree | aba3471d7c568f32eea927574f0d070cc351baca /authfile.c | |
parent | 383a33d160cefbfd1b40fef81f72eadbf9303a66 (diff) |
upstream: In sshkey_in_file(), ignore keys that are rejected for
being too short (i.e. SSH_ERR_KEY_LENGTH). These keys will not be considered
to be "in the file". This allows key revocation lists to contain short keys
without the entire revocation list being considered invalid.
bz#2897; ok dtucker
OpenBSD-Commit-ID: d9f3d857d07194a42ad7e62889a74dc3f9d9924b
Diffstat (limited to 'authfile.c')
-rw-r--r-- | authfile.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/authfile.c b/authfile.c index be4a57736..b1c92f4ad 100644 --- a/authfile.c +++ b/authfile.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: authfile.c,v 1.130 2018/07/09 21:59:10 markus Exp $ */ | 1 | /* $OpenBSD: authfile.c,v 1.131 2018/09/21 12:20:12 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -459,6 +459,8 @@ sshkey_in_file(struct sshkey *key, const char *filename, int strict_type, | |||
459 | return SSH_ERR_SYSTEM_ERROR; | 459 | return SSH_ERR_SYSTEM_ERROR; |
460 | 460 | ||
461 | while (getline(&line, &linesize, f) != -1) { | 461 | while (getline(&line, &linesize, f) != -1) { |
462 | sshkey_free(pub); | ||
463 | pub = NULL; | ||
462 | cp = line; | 464 | cp = line; |
463 | 465 | ||
464 | /* Skip leading whitespace. */ | 466 | /* Skip leading whitespace. */ |
@@ -477,16 +479,20 @@ sshkey_in_file(struct sshkey *key, const char *filename, int strict_type, | |||
477 | r = SSH_ERR_ALLOC_FAIL; | 479 | r = SSH_ERR_ALLOC_FAIL; |
478 | goto out; | 480 | goto out; |
479 | } | 481 | } |
480 | if ((r = sshkey_read(pub, &cp)) != 0) | 482 | switch (r = sshkey_read(pub, &cp)) { |
483 | case 0: | ||
484 | break; | ||
485 | case SSH_ERR_KEY_LENGTH: | ||
486 | continue; | ||
487 | default: | ||
481 | goto out; | 488 | goto out; |
489 | } | ||
482 | if (sshkey_compare(key, pub) || | 490 | if (sshkey_compare(key, pub) || |
483 | (check_ca && sshkey_is_cert(key) && | 491 | (check_ca && sshkey_is_cert(key) && |
484 | sshkey_compare(key->cert->signature_key, pub))) { | 492 | sshkey_compare(key->cert->signature_key, pub))) { |
485 | r = 0; | 493 | r = 0; |
486 | goto out; | 494 | goto out; |
487 | } | 495 | } |
488 | sshkey_free(pub); | ||
489 | pub = NULL; | ||
490 | } | 496 | } |
491 | r = SSH_ERR_KEY_NOT_FOUND; | 497 | r = SSH_ERR_KEY_NOT_FOUND; |
492 | out: | 498 | out: |
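Review bot: The new `case SSH_ERR_KEY_LENGTH: continue;` in the second hunk silently drops an entry from what may be a key revocation list, with no comment recording why that is acceptable and no log line for the administrator. It is presumably safe only because the same length check inside sshkey_read also rejects such a key whenever a client presents it, so the entry could never match anyway; that reasoning belongs next to the case, e.g. `/* Too short to ever be accepted, so it cannot match; skip it rather than rejecting the whole file (bz#2897). */`. A `debug("%s: skipping key that is too short", __func__);` before the `continue` would also let operators notice stale entries, if log.h is in scope here (the includes are outside the hunk). sshkey_in_file() begins before the first hunk and the `out:` cleanup runs past the last visible line, so I cannot confirm from the hunk alone that `pub` and `line` are released there after the final iteration.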