summaryrefslogtreecommitdiff
path: root/usr.bin/signify
diff options
context:
space:
mode:
authorMarc Espie <espie@cvs.openbsd.org>2023-04-29 10:08:19 +0000
committerMarc Espie <espie@cvs.openbsd.org>2023-04-29 10:08:19 +0000
commit2cc277100f7115edde3ba97d76a1bdd1db2e3c00 (patch)
treee09fa9da385c367d89276c1681fe3e25e175a3bf /usr.bin/signify
parent83b1ba6984c287af7d73148afef4277fc6c4611d (diff)
as noticed by sdk@, a package with an exact numbers of 64K chunks would
produce a spurious error (so 1 chance in 2^26) It's like read/write: we need to recognize 0 as EOF and not try to checksum a non-existing block. while there, also make sure that we got all the signed blocks at EOF before exit(0) Note that none of those two bugs affect the actual security of signed packages: the basic assertion that only signed data gets written through the pipe is still 100% valid ! but it's a good idea to not emit spurious messages for valid files, and also to recognize truncated files ! okay tb@ (thanks a lot)
Diffstat (limited to 'usr.bin/signify')
-rw-r--r--usr.bin/signify/zsig.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/usr.bin/signify/zsig.c b/usr.bin/signify/zsig.c
index e3533fdd1d7..ca76b5c6cf5 100644
--- a/usr.bin/signify/zsig.c
+++ b/usr.bin/signify/zsig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: zsig.c,v 1.18 2019/12/22 06:37:25 espie Exp $ */
+/* $OpenBSD: zsig.c,v 1.19 2023/04/29 10:08:18 espie Exp $ */
/*
* Copyright (c) 2016 Marc Espie <espie@openbsd.org>
*
@@ -160,6 +160,8 @@ copy_blocks(int fdout, int fdin, const char *sha, const char *endsha,
if (more == 0)
break;
}
+ if (n == 0)
+ break;
SHA512_256Data(buffer, n, output);
if (endsha - sha < SHA512_256_DIGEST_STRING_LENGTH-1)
errx(4, "signature truncated");
@@ -172,6 +174,8 @@ copy_blocks(int fdout, int fdin, const char *sha, const char *endsha,
if (n != bufsize)
break;
}
+ if (endsha != sha)
+ errx(4, "file truncated");
free(buffer);
}