- djm@cvs.openbsd.org 2004/10/29 23:57:05

[key.c] use new buffer API to avoid fatal errors on corrupt keys in authorized_keys files; ok markus@
2004-11-05 20:42:28 +11:00 · 2004-11-05 20:42:28 +11:00 · 08d04faf24
parent 50dbe8314b
commit 08d04faf24
2 changed files with 32 additions and 12 deletions
--- a/6
+++ b/6
@ -58,6 +58,10 @@
     [bufaux.c bufaux.h buffer.c buffer.h]
     introduce a new buffer API that returns an error rather than fatal()ing
     when presented with bad data; ok markus@
+   - djm@cvs.openbsd.org 2004/10/29 23:57:05
+     [key.c]
+     use new buffer API to avoid fatal errors on corrupt keys in authorized_keys
+     files; ok markus@

 20041102
 - (dtucker) [configure.ac includes.h] Bug #947: Fix compile error on HP-UX
@ -1837,4 +1841,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu

-$Id: ChangeLog,v 1.3577 2004/11/05 09:41:24 dtucker Exp $
+$Id: ChangeLog,v 1.3578 2004/11/05 09:42:28 dtucker Exp $
--- a/key.c
+++ b/key.c
@ -32,7 +32,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: key.c,v 1.56 2004/07/28 09:40:29 markus Exp $");
+RCSID("$OpenBSD: key.c,v 1.57 2004/10/29 23:57:05 djm Exp $");

 #include <openssl/evp.h>

@ -681,8 +681,8 @@ Key *
 key_from_blob(const u_char *blob, u_int blen)
 {
 	Buffer b;
-	char *ktype;
 	int rlen, type;
+	char *ktype = NULL;
 	Key *key = NULL;

 #ifdef DEBUG_PK
@ -690,24 +690,38 @@ key_from_blob(const u_char *blob, u_int blen)
 #endif
 	buffer_init(&b);
 	buffer_append(&b, blob, blen);
-	ktype = buffer_get_string(&b, NULL);
+	if ((ktype = buffer_get_string_ret(&b, NULL)) == NULL) {
+		error("key_from_blob: can't read key type");
+		goto out;
+	}
+
 	type = key_type_from_name(ktype);

 	switch (type) {
 	case KEY_RSA:
 		key = key_new(type);
-		buffer_get_bignum2(&b, key->rsa->e);
-		buffer_get_bignum2(&b, key->rsa->n);
+		if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
+		    buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
+			error("key_from_blob: can't read rsa key");
+			key_free(key);
+			key = NULL;
+			goto out;
+		}
 #ifdef DEBUG_PK
 		RSA_print_fp(stderr, key->rsa, 8);
 #endif
 		break;
 	case KEY_DSA:
 		key = key_new(type);
-		buffer_get_bignum2(&b, key->dsa->p);
-		buffer_get_bignum2(&b, key->dsa->q);
-		buffer_get_bignum2(&b, key->dsa->g);
-		buffer_get_bignum2(&b, key->dsa->pub_key);
+		if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
+		    buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
+		    buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
+		    buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) {
+			error("key_from_blob: can't read dsa key");
+			key_free(key);
+			key = NULL;
+			goto out;
+		}
 #ifdef DEBUG_PK
 		DSA_print_fp(stderr, key->dsa, 8);
 #endif
@ -717,12 +731,14 @@ key_from_blob(const u_char *blob, u_int blen)
 		break;
 	default:
 		error("key_from_blob: cannot handle type %s", ktype);
-		break;
+		goto out;
 	}
 	rlen = buffer_len(&b);
 	if (key != NULL && rlen != 0)
 		error("key_from_blob: remaining bytes in key blob %d", rlen);
-	xfree(ktype);
+ out:
+	if (ktype != NULL)
+		xfree(ktype);
 	buffer_free(&b);
 	return key;
 }