diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2021-02-02 22:36:46 +0000 |
|---|---|---|
| committer | Darren Tucker <dtucker@dtucker.net> | 2021-02-05 13:38:57 +1100 |
| commit | f71219a01d8f71c4b3ed7e456337a84ddba1653e (patch) | |
| tree | b53d479ef55bf5704315d81e96ac24c23d1f5365 | |
| parent | 3287790e78bf5b53c4a3cafb67bb5aa03e3910f0 (diff) | |
| download | openssh-git-f71219a01d8f71c4b3ed7e456337a84ddba1653e.tar.gz | |
upstream: fix memleaks in private key deserialisation; enforce more
consistency between redundant fields in private key certificate and private
key body; ok markus@
OpenBSD-Commit-ID: dec344e414d47f0a7adc13aecf3760fe58101240
| -rw-r--r-- | sshkey.c | 21 |
1 files changed, 20 insertions, 1 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.c,v 1.114 2021/01/26 00:49:30 djm Exp $ */ +/* $OpenBSD: sshkey.c,v 1.115 2021/02/02 22:36:46 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2008 Alexander von Gernler. All rights reserved. @@ -3411,10 +3411,12 @@ int sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) { char *tname = NULL, *curve = NULL, *xmss_name = NULL; + char *expect_sk_application = NULL; struct sshkey *k = NULL; size_t pklen = 0, sklen = 0; int type, r = SSH_ERR_INTERNAL_ERROR; u_char *ed25519_pk = NULL, *ed25519_sk = NULL; + u_char *expect_ed25519_pk = NULL; u_char *xmss_pk = NULL, *xmss_sk = NULL; #ifdef WITH_OPENSSL BIGNUM *exponent = NULL; @@ -3447,6 +3449,14 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) r = SSH_ERR_KEY_CERT_MISMATCH; goto out; } + /* + * Several fields are redundant between certificate and + * private key body, we require these to match. + */ + expect_sk_application = k->sk_application; + expect_ed25519_pk = k->ed25519_pk; + k->sk_application = NULL; + k->ed25519_pk = NULL; } else { if ((k = sshkey_new(type)) == NULL) { r = SSH_ERR_ALLOC_FAIL; @@ -3668,6 +3678,13 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) break; } #endif /* WITH_OPENSSL */ + if ((expect_sk_application != NULL && (k->sk_application == NULL || + strcmp(expect_sk_application, k->sk_application) != 0)) || + (expect_ed25519_pk != NULL && (k->ed25519_pk == NULL || + memcmp(expect_ed25519_pk, k->ed25519_pk, ED25519_PK_SZ) != 0))) { + r = SSH_ERR_KEY_CERT_MISMATCH; + goto out; + } /* success */ r = 0; if (kp != NULL) { @@ -3697,6 +3714,8 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) free(xmss_name); freezero(xmss_pk, pklen); freezero(xmss_sk, sklen); + free(expect_sk_application); + free(expect_ed25519_pk); return r; } |