mirror of
git://anongit.mindrot.org/openssh.git
synced 2025-01-11 20:29:32 +00:00
upstream: fix memleaks in private key deserialisation; enforce more
consistency between redundant fields in private key certificate and private key body; ok markus@ OpenBSD-Commit-ID: dec344e414d47f0a7adc13aecf3760fe58101240
This commit is contained in:
djm@openbsd.org
Darren Tucker
parent
3287790e78
commit
f71219a01d
21
sshkey.c
21
sshkey.c
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: sshkey.c,v 1.114 2021/01/26 00:49:30 djm Exp $ */
|
/* $OpenBSD: sshkey.c,v 1.115 2021/02/02 22:36:46 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
|
||||||
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
|
* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
|
||||||
@ -3411,10 +3411,12 @@ int
|
|||||||
sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
|
sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
|
||||||
{
|
{
|
||||||
char *tname = NULL, *curve = NULL, *xmss_name = NULL;
|
char *tname = NULL, *curve = NULL, *xmss_name = NULL;
|
||||||
|
char *expect_sk_application = NULL;
|
||||||
struct sshkey *k = NULL;
|
struct sshkey *k = NULL;
|
||||||
size_t pklen = 0, sklen = 0;
|
size_t pklen = 0, sklen = 0;
|
||||||
int type, r = SSH_ERR_INTERNAL_ERROR;
|
int type, r = SSH_ERR_INTERNAL_ERROR;
|
||||||
u_char *ed25519_pk = NULL, *ed25519_sk = NULL;
|
u_char *ed25519_pk = NULL, *ed25519_sk = NULL;
|
||||||
|
u_char *expect_ed25519_pk = NULL;
|
||||||
u_char *xmss_pk = NULL, *xmss_sk = NULL;
|
u_char *xmss_pk = NULL, *xmss_sk = NULL;
|
||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
BIGNUM *exponent = NULL;
|
BIGNUM *exponent = NULL;
|
||||||
@ -3447,6 +3449,14 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
|
|||||||
r = SSH_ERR_KEY_CERT_MISMATCH;
|
r = SSH_ERR_KEY_CERT_MISMATCH;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
/*
|
||||||
|
* Several fields are redundant between certificate and
|
||||||
|
* private key body, we require these to match.
|
||||||
|
*/
|
||||||
|
expect_sk_application = k->sk_application;
|
||||||
|
expect_ed25519_pk = k->ed25519_pk;
|
||||||
|
k->sk_application = NULL;
|
||||||
|
k->ed25519_pk = NULL;
|
||||||
} else {
|
} else {
|
||||||
if ((k = sshkey_new(type)) == NULL) {
|
if ((k = sshkey_new(type)) == NULL) {
|
||||||
r = SSH_ERR_ALLOC_FAIL;
|
r = SSH_ERR_ALLOC_FAIL;
|
||||||
@ -3668,6 +3678,13 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
#endif /* WITH_OPENSSL */
|
#endif /* WITH_OPENSSL */
|
||||||
|
if ((expect_sk_application != NULL && (k->sk_application == NULL ||
|
||||||
|
strcmp(expect_sk_application, k->sk_application) != 0)) ||
|
||||||
|
(expect_ed25519_pk != NULL && (k->ed25519_pk == NULL ||
|
||||||
|
memcmp(expect_ed25519_pk, k->ed25519_pk, ED25519_PK_SZ) != 0))) {
|
||||||
|
r = SSH_ERR_KEY_CERT_MISMATCH;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
/* success */
|
/* success */
|
||||||
r = 0;
|
r = 0;
|
||||||
if (kp != NULL) {
|
if (kp != NULL) {
|
||||||
@ -3697,6 +3714,8 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
|
|||||||
free(xmss_name);
|
free(xmss_name);
|
||||||
freezero(xmss_pk, pklen);
|
freezero(xmss_pk, pklen);
|
||||||
freezero(xmss_sk, sklen);
|
freezero(xmss_sk, sklen);
|
||||||
|
free(expect_sk_application);
|
||||||
|
free(expect_ed25519_pk);
|
||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user