mirror of
git://anongit.mindrot.org/openssh.git
synced 2025-01-11 20:29:32 +00:00
upstream: fix memleaks in private key deserialisation; enforce more
consistency between redundant fields in private key certificate and private key body; ok markus@ OpenBSD-Commit-ID: dec344e414d47f0a7adc13aecf3760fe58101240
This commit is contained in:
parent
3287790e78
commit
f71219a01d
21
sshkey.c
21
sshkey.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: sshkey.c,v 1.114 2021/01/26 00:49:30 djm Exp $ */
|
||||
/* $OpenBSD: sshkey.c,v 1.115 2021/02/02 22:36:46 djm Exp $ */
|
||||
/*
|
||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
|
||||
@ -3411,10 +3411,12 @@ int
|
||||
sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
|
||||
{
|
||||
char *tname = NULL, *curve = NULL, *xmss_name = NULL;
|
||||
char *expect_sk_application = NULL;
|
||||
struct sshkey *k = NULL;
|
||||
size_t pklen = 0, sklen = 0;
|
||||
int type, r = SSH_ERR_INTERNAL_ERROR;
|
||||
u_char *ed25519_pk = NULL, *ed25519_sk = NULL;
|
||||
u_char *expect_ed25519_pk = NULL;
|
||||
u_char *xmss_pk = NULL, *xmss_sk = NULL;
|
||||
#ifdef WITH_OPENSSL
|
||||
BIGNUM *exponent = NULL;
|
||||
@ -3447,6 +3449,14 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
|
||||
r = SSH_ERR_KEY_CERT_MISMATCH;
|
||||
goto out;
|
||||
}
|
||||
/*
|
||||
* Several fields are redundant between certificate and
|
||||
* private key body, we require these to match.
|
||||
*/
|
||||
expect_sk_application = k->sk_application;
|
||||
expect_ed25519_pk = k->ed25519_pk;
|
||||
k->sk_application = NULL;
|
||||
k->ed25519_pk = NULL;
|
||||
} else {
|
||||
if ((k = sshkey_new(type)) == NULL) {
|
||||
r = SSH_ERR_ALLOC_FAIL;
|
||||
@ -3668,6 +3678,13 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
|
||||
break;
|
||||
}
|
||||
#endif /* WITH_OPENSSL */
|
||||
if ((expect_sk_application != NULL && (k->sk_application == NULL ||
|
||||
strcmp(expect_sk_application, k->sk_application) != 0)) ||
|
||||
(expect_ed25519_pk != NULL && (k->ed25519_pk == NULL ||
|
||||
memcmp(expect_ed25519_pk, k->ed25519_pk, ED25519_PK_SZ) != 0))) {
|
||||
r = SSH_ERR_KEY_CERT_MISMATCH;
|
||||
goto out;
|
||||
}
|
||||
/* success */
|
||||
r = 0;
|
||||
if (kp != NULL) {
|
||||
@ -3697,6 +3714,8 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
|
||||
free(xmss_name);
|
||||
freezero(xmss_pk, pklen);
|
||||
freezero(xmss_sk, sklen);
|
||||
free(expect_sk_application);
|
||||
free(expect_ed25519_pk);
|
||||
return r;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user