diff options
author | Damien Miller <djm@mindrot.org> | 2010-03-04 21:51:11 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2010-03-04 21:51:11 +1100 |
commit | 41396573afc94d64973d9eb824ca510d39260b3e (patch) | |
tree | 4aa4eeda0157ac9d415c1221fa3e79bb971c358a /key.c | |
parent | e1abf4d6bc4bea0bb76e6ff89ca6048122e90d81 (diff) |
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2010/03/03 01:44:36
[auth-options.c key.c]
reject strings with embedded ASCII nul chars in certificate key IDs,
principal names and constraints
Diffstat (limited to 'key.c')
-rw-r--r-- | key.c | 36 |
1 files changed, 23 insertions, 13 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: key.c,v 1.83 2010/02/26 20:29:54 djm Exp $ */ | 1 | /* $OpenBSD: key.c,v 1.84 2010/03/03 01:44:36 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * read_bignum(): | 3 | * read_bignum(): |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -1000,7 +1000,7 @@ static int | |||
1000 | cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) | 1000 | cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) |
1001 | { | 1001 | { |
1002 | u_char *principals, *constraints, *sig_key, *sig; | 1002 | u_char *principals, *constraints, *sig_key, *sig; |
1003 | u_int signed_len, plen, clen, sklen, slen; | 1003 | u_int signed_len, plen, clen, sklen, slen, kidlen; |
1004 | Buffer tmp; | 1004 | Buffer tmp; |
1005 | char *principal; | 1005 | char *principal; |
1006 | int ret = -1; | 1006 | int ret = -1; |
@@ -1012,7 +1012,7 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) | |||
1012 | 1012 | ||
1013 | principals = constraints = sig_key = sig = NULL; | 1013 | principals = constraints = sig_key = sig = NULL; |
1014 | if (buffer_get_int_ret(&key->cert->type, b) != 0 || | 1014 | if (buffer_get_int_ret(&key->cert->type, b) != 0 || |
1015 | (key->cert->key_id = buffer_get_string_ret(b, NULL)) == NULL || | 1015 | (key->cert->key_id = buffer_get_string_ret(b, &kidlen)) == NULL || |
1016 | (principals = buffer_get_string_ret(b, &plen)) == NULL || | 1016 | (principals = buffer_get_string_ret(b, &plen)) == NULL || |
1017 | buffer_get_int64_ret(&key->cert->valid_after, b) != 0 || | 1017 | buffer_get_int64_ret(&key->cert->valid_after, b) != 0 || |
1018 | buffer_get_int64_ret(&key->cert->valid_before, b) != 0 || | 1018 | buffer_get_int64_ret(&key->cert->valid_before, b) != 0 || |
@@ -1024,6 +1024,11 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) | |||
1024 | goto out; | 1024 | goto out; |
1025 | } | 1025 | } |
1026 | 1026 | ||
1027 | if (kidlen != strlen(key->cert->key_id)) { | ||
1028 | error("%s: key ID contains \\0 character", __func__); | ||
1029 | goto out; | ||
1030 | } | ||
1031 | |||
1027 | /* Signature is left in the buffer so we can calculate this length */ | 1032 | /* Signature is left in the buffer so we can calculate this length */ |
1028 | signed_len = buffer_len(&key->cert->certblob) - buffer_len(b); | 1033 | signed_len = buffer_len(&key->cert->certblob) - buffer_len(b); |
1029 | 1034 | ||
@@ -1041,11 +1046,16 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) | |||
1041 | buffer_append(&tmp, principals, plen); | 1046 | buffer_append(&tmp, principals, plen); |
1042 | while (buffer_len(&tmp) > 0) { | 1047 | while (buffer_len(&tmp) > 0) { |
1043 | if (key->cert->nprincipals >= CERT_MAX_PRINCIPALS) { | 1048 | if (key->cert->nprincipals >= CERT_MAX_PRINCIPALS) { |
1044 | error("Too many principals"); | 1049 | error("%s: Too many principals", __func__); |
1045 | goto out; | 1050 | goto out; |
1046 | } | 1051 | } |
1047 | if ((principal = buffer_get_string_ret(&tmp, NULL)) == NULL) { | 1052 | if ((principal = buffer_get_string_ret(&tmp, &plen)) == NULL) { |
1048 | error("Principals data invalid"); | 1053 | error("%s: Principals data invalid", __func__); |
1054 | goto out; | ||
1055 | } | ||
1056 | if (strlen(principal) != plen) { | ||
1057 | error("%s: Principal contains \\0 character", | ||
1058 | __func__); | ||
1049 | goto out; | 1059 | goto out; |
1050 | } | 1060 | } |
1051 | key->cert->principals = xrealloc(key->cert->principals, | 1061 | key->cert->principals = xrealloc(key->cert->principals, |
@@ -1061,7 +1071,7 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) | |||
1061 | while (buffer_len(&tmp) != 0) { | 1071 | while (buffer_len(&tmp) != 0) { |
1062 | if (buffer_get_string_ptr(&tmp, NULL) == NULL || | 1072 | if (buffer_get_string_ptr(&tmp, NULL) == NULL || |
1063 | buffer_get_string_ptr(&tmp, NULL) == NULL) { | 1073 | buffer_get_string_ptr(&tmp, NULL) == NULL) { |
1064 | error("Constraints data invalid"); | 1074 | error("%s: Constraints data invalid", __func__); |
1065 | goto out; | 1075 | goto out; |
1066 | } | 1076 | } |
1067 | } | 1077 | } |
@@ -1069,12 +1079,12 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) | |||
1069 | 1079 | ||
1070 | if ((key->cert->signature_key = key_from_blob(sig_key, | 1080 | if ((key->cert->signature_key = key_from_blob(sig_key, |
1071 | sklen)) == NULL) { | 1081 | sklen)) == NULL) { |
1072 | error("Signature key invalid"); | 1082 | error("%s: Signature key invalid", __func__); |
1073 | goto out; | 1083 | goto out; |
1074 | } | 1084 | } |
1075 | if (key->cert->signature_key->type != KEY_RSA && | 1085 | if (key->cert->signature_key->type != KEY_RSA && |
1076 | key->cert->signature_key->type != KEY_DSA) { | 1086 | key->cert->signature_key->type != KEY_DSA) { |
1077 | error("Invalid signature key type %s (%d)", | 1087 | error("%s: Invalid signature key type %s (%d)", __func__, |
1078 | key_type(key->cert->signature_key), | 1088 | key_type(key->cert->signature_key), |
1079 | key->cert->signature_key->type); | 1089 | key->cert->signature_key->type); |
1080 | goto out; | 1090 | goto out; |
@@ -1083,17 +1093,17 @@ cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen) | |||
1083 | switch (key_verify(key->cert->signature_key, sig, slen, | 1093 | switch (key_verify(key->cert->signature_key, sig, slen, |
1084 | buffer_ptr(&key->cert->certblob), signed_len)) { | 1094 | buffer_ptr(&key->cert->certblob), signed_len)) { |
1085 | case 1: | 1095 | case 1: |
1096 | ret = 0; | ||
1086 | break; /* Good signature */ | 1097 | break; /* Good signature */ |
1087 | case 0: | 1098 | case 0: |
1088 | error("Invalid signature on certificate"); | 1099 | error("%s: Invalid signature on certificate", __func__); |
1089 | goto out; | 1100 | goto out; |
1090 | case -1: | 1101 | case -1: |
1091 | error("Certificate signature verification failed"); | 1102 | error("%s: Certificate signature verification failed", |
1103 | __func__); | ||
1092 | goto out; | 1104 | goto out; |
1093 | } | 1105 | } |
1094 | 1106 | ||
1095 | ret = 0; | ||
1096 | |||
1097 | out: | 1107 | out: |
1098 | buffer_free(&tmp); | 1108 | buffer_free(&tmp); |
1099 | if (principals != NULL) | 1109 | if (principals != NULL) |