diff options
author | Marc Espie <espie@cvs.openbsd.org> | 2016-10-06 22:38:26 +0000 |
---|---|---|
committer | Marc Espie <espie@cvs.openbsd.org> | 2016-10-06 22:38:26 +0000 |
commit | 6b07d4615c5a6a3e38d1fdda0387ae64e182c9aa (patch) | |
tree | c294d19455e195189c45d406354c404c3c3b2b82 /usr.bin/signify/signify.c | |
parent | 9babffb950ad1ed3d3f1f7f7ba88b7eb948e370a (diff) |
- better check for seckeyname/pubkeyname "equality", remove the path
(you could legitimately store secret keys on a temporary mount
- error out if seckeyname does not follow the *.sec pattern for signing,
augment the check to deal with that.
- special case: seckeyfile can come from a pipe, and then, well, there's no
way to store *.pub in the comment.
okay tedu@
Diffstat (limited to 'usr.bin/signify/signify.c')
-rw-r--r-- | usr.bin/signify/signify.c | 59 |
1 files changed, 32 insertions, 27 deletions
diff --git a/usr.bin/signify/signify.c b/usr.bin/signify/signify.c index 2f6b4c56126..51583267d0f 100644 --- a/usr.bin/signify/signify.c +++ b/usr.bin/signify/signify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: signify.c,v 1.125 2016/10/05 15:58:50 tedu Exp $ */ +/* $OpenBSD: signify.c,v 1.126 2016/10/06 22:38:25 espie Exp $ */ /* * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org> * @@ -343,23 +343,36 @@ generate(const char *pubkeyfile, const char *seckeyfile, int rounds, sizeof(pubkey), O_EXCL, 0666); } -static void +static const char * check_keyname_compliance(const char *pubkeyfile, const char *seckeyfile) { - size_t len; + const char *pos; - len = strlen(pubkeyfile); - if (strlen(seckeyfile) != len) - goto bad; + /* basename may or may not modify input */ + pos = strrchr(seckeyfile, '/'); + if (pos != NULL) + seckeyfile = pos+1; + + size_t len; + len = strlen(seckeyfile); if (len < 5) /* ?.key */ goto bad; - if (strcmp(pubkeyfile + len - 4, ".pub") != 0 || - strcmp(seckeyfile + len - 4, ".sec") != 0) - goto bad; - if (strncmp(pubkeyfile, seckeyfile, len - 4) != 0) + if (strcmp(seckeyfile + len - 4, ".sec") != 0) goto bad; + if (pubkeyfile != NULL) { + pos = strrchr(pubkeyfile, '/'); + if (pos != NULL) + pubkeyfile = pos+1; + + if (strlen(pubkeyfile) != len) + goto bad; + if (strcmp(pubkeyfile + len - 4, ".pub") != 0) + goto bad; + if (strncmp(pubkeyfile, seckeyfile, len - 4) != 0) + goto bad; + } - return; + return seckeyfile; bad: errx(1, "please use naming scheme of keyname.pub and keyname.sec"); } @@ -372,7 +385,6 @@ createsig(const char *seckeyfile, const char *msgfile, uint8_t *msg, uint8_t xorkey[sizeof(enckey.seckey)]; struct sig sig; char *sighdr; - char *extname; uint8_t digest[SHA512_DIGEST_LENGTH]; int i, nr, rounds; SHA2_CTX ctx; @@ -380,24 +392,17 @@ createsig(const char *seckeyfile, const char *msgfile, uint8_t *msg, readb64file(seckeyfile, &enckey, sizeof(enckey), comment); - extname = strrchr(seckeyfile, '.'); - if (extname && strcmp(extname, ".sec") == 0) { - const char *keyname; - /* basename may or may not modify input */ - if (!(keyname = strrchr(seckeyfile, '/'))) - keyname = seckeyfile; - else - keyname++; - nr = snprintf(sigcomment, sizeof(sigcomment), - VERIFYWITH "%.*s.pub", (int)strlen(keyname) - 4, keyname); - if (nr == -1 || nr >= sizeof(sigcomment)) - errx(1, "comment too long"); + if (strcmp(seckeyfile, "-") == 0) { + nr = snprintf(sigcomment, sizeof(sigcomment), + "signature from %s", comment); } else { + const char *keyname = check_keyname_compliance(NULL, + seckeyfile); nr = snprintf(sigcomment, sizeof(sigcomment), - "signature from %s", comment); - if (nr == -1 || nr >= sizeof(sigcomment)) - errx(1, "comment too long"); + VERIFYWITH "%.*s.pub", (int)strlen(keyname) - 4, keyname); } + if (nr == -1 || nr >= sizeof(sigcomment)) + errx(1, "comment too long"); if (memcmp(enckey.kdfalg, KDFALG, 2) != 0) errx(1, "unsupported KDF"); |