From bbc8af72ba68da014d4de6e21a85eb5123384226 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Fri, 21 Sep 2018 12:20:12 +0000
Subject: [PATCH] upstream: In sshkey_in_file(), ignore keys that are considered for being too short (i.e. SSH_ERR_KEY_LENGTH). These keys will not be considered to be "in the file". This allows key revocation lists to contain short keys without the entire revocation list being considered invalid. bz#2897; ok dtucker
OpenBSD-Commit-ID: d9f3d857d07194a42ad7e62889a74dc3f9d9924b
---
 authfile.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/authfile.c b/authfile.c
index be4a57736..b1c92f4ad 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.130 2018/07/09 21:59:10 markus Exp $ */
+/* $OpenBSD: authfile.c,v 1.131 2018/09/21 12:20:12 djm Exp $ */
 /*
 * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
 *
@@ -459,6 +459,8 @@ sshkey_in_file(struct sshkey *key, const char *filename, int strict_type,
 return SSH_ERR_SYSTEM_ERROR;
 while (getline(&line, &linesize, f) != -1) {
+ sshkey_free(pub);
+ pub = NULL;
 cp = line;
 /* Skip leading whitespace. */
@@ -477,16 +479,20 @@ sshkey_in_file(struct sshkey *key, const char *filename, int strict_type,
 r = SSH_ERR_ALLOC_FAIL;
 goto out;
 }
- if ((r = sshkey_read(pub, &cp)) != 0)
+ switch (r = sshkey_read(pub, &cp)) {
+ case 0:
+ break;
+ case SSH_ERR_KEY_LENGTH:
+ continue;
+ default:
 goto out;
+ }
 if (sshkey_compare(key, pub) || (check_ca && sshkey_is_cert(key) && sshkey_compare(key->cert->signature_key, pub))) {
 r = 0;
 goto out;
 }
- sshkey_free(pub);
- pub = NULL;
 }
 r = SSH_ERR_KEY_NOT_FOUND;
 out:
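Review bot: The `sshkey_free(pub); pub = NULL;` pair that now opens the loop body in the second hunk carries no comment saying why it sits there rather than at the loop tail. It was moved so that the new `continue` path cannot leak the key allocated in the previous iteration, and a line such as `/* Release the previous iteration's key; 'continue' below skips the loop tail */` would keep a later cleanup from moving it back. The key from the final iteration is now released only by whatever follows the `out:` label, which lies outside this hunk, so confirm that path frees `pub`.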
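Review bot: The `case SSH_ERR_KEY_LENGTH: continue;` arm in the third hunk makes the lookup fail open for one class of entry, and nothing at that spot records why this is acceptable. The commit message says the function backs key revocation lists, so a too-short key listed there can no longer match; that is safe only if a key of that length is always refused elsewhere, which is not visible in this hunk. I would put the reasoning on the arm, for example `/* Too-short keys are refused at use, so skipping one cannot un-revoke a usable key */`, and consider a debug-level log of the skipped line so an operator can tell an entry was ignored. The `default: goto out;` arm still aborts on every other parse error, and the function body starts and ends outside the hunk.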