author | Ted Unangst <tedu@cvs.openbsd.org> | 2016-09-26 17:49:53 +0000 |
---|---|---|
committer | Ted Unangst <tedu@cvs.openbsd.org> | 2016-09-26 17:49:53 +0000 |
commit | 18960b6b6275424fc4923d6e04a6ed53af1398b1 (patch) | |
tree | cf4ad614fa3ef6bedf23d787c45865e06cadcc02 /usr.bin | |
parent | 004bc49fab4f6ac0d3077a8a7b3db7208911f22b (diff) |
there's a hidden feature to infer the public key from the signature
comment, but it doesn't work well because it encodes the full path.
signature creators don't usually keep the secret keys in /etc/signify,
but that's where we look for public keys.
switch to saving only the basename, and have the verifier add the path.
should make it easier to start using this feature.
anybody depending on the current behavior may have to adjust, but
there's a reason this was never officially documented.
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/signify/signify.c | 25 |
1 files changed, 17 insertions, 8 deletions
diff --git a/usr.bin/signify/signify.c b/usr.bin/signify/signify.c
index ef58078a92d..225a26c3053 100644
--- a/usr.bin/signify/signify.c
+++ b/usr.bin/signify/signify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: signify.c,v 1.118 2016/09/10 12:23:16 deraadt Exp $ */
+/* $OpenBSD: signify.c,v 1.119 2016/09/26 17:49:52 tedu Exp $ */
 /*
 * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
 *
@@ -361,8 +361,12 @@ createsig(const char *seckeyfile, const char *msgfile, uint8_t *msg,

 secname = strstr(seckeyfile, ".sec");
 if (secname && strlen(secname) == 4) {
+ const char *keyname;
+ /* basename may or may not modify input */
+ if (!(keyname = strrchr(seckeyfile, '/')))
+ keyname = seckeyfile;
 if ((nr = snprintf(sigcomment, sizeof(sigcomment), VERIFYWITH "%.*s.pub",
- (int)strlen(seckeyfile) - 4, seckeyfile)) == -1 || nr >= sizeof(sigcomment))
+ (int)strlen(keyname) - 4, keyname)) == -1 || nr >= sizeof(sigcomment))
 errx(1, "comment too long");
 } else {
 if ((nr = snprintf(sigcomment, sizeof(sigcomment), "signature from %s",
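Review bot: `strrchr()` returns a pointer to the last '/' itself rather than to the character after it, so in the createsig() hunk a secret key given with a directory component leaves `keyname` starting with a slash, and that slash is written into the signature comment. The readpubkey() hunk of this same commit refuses any comment that contains '/', so a signature created from such a path could not be used for key inference. Step past the separator by adding `else keyname++;` after `keyname = seckeyfile;`. The comment `/* basename may or may not modify input */` could also state that the stored name must be slash-free because the verifier prepends its own directory. createsig() starts and ends outside this hunk.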
@@ -468,23 +472,28 @@ static void
 readpubkey(const char *pubkeyfile, struct pubkey *pubkey,
 const char *sigcomment, const char *keytype)
 {
- const char *safepath = "/etc/signify/";
+ const char *safepath = "/etc/signify";
+ char keypath[1024];

 if (!pubkeyfile) {
 pubkeyfile = strstr(sigcomment, VERIFYWITH);
- if (pubkeyfile) {
+ if (pubkeyfile && strchr(pubkeyfile, '/') == NULL) {
 pubkeyfile += strlen(VERIFYWITH);
- if (strncmp(pubkeyfile, safepath, strlen(safepath)) != 0 ||
- strstr(pubkeyfile, "/../") != NULL)
- errx(1, "untrusted path %s", pubkeyfile);
 #ifndef VERIFYONLY
 if (keytype)
 check_keytype(pubkeyfile, keytype);
 #endif
+ if (snprintf(keypath, sizeof(keypath), "%s/%s",
+ safepath, pubkeyfile) >= sizeof(keypath))
+ errx(1, "name too long %s", pubkeyfile);
 } else
 usage("must specify pubkey");
+ } else {
+ if (strlcpy(keypath, pubkeyfile, sizeof(keypath)) >=
+ sizeof(keypath))
+ errx(1, "name too long %s", pubkeyfile);
 }
- readb64file(pubkeyfile, pubkey, sizeof(*pubkey), NULL);
+ readb64file(keypath, pubkey, sizeof(*pubkey), NULL);
 }

 static void |
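Review bot: The confinement check in readpubkey() now fails quietly: a signature comment that carries a '/' falls through to `usage("must specify pubkey")`, where the removed code reported `untrusted path`, so a rejected and possibly hostile comment looks the same as a missing public key argument. `strchr(pubkeyfile, '/')` is also evaluated before the pointer is advanced past VERIFYWITH, so it scans the prefix as well as the name; that is harmless only if the prefix contains no slash, and its definition is not visible in this hunk. Consider keeping `if (pubkeyfile) {` and testing the name after the advance with `if (strchr(pubkeyfile, '/') != NULL) errx(1, "untrusted path %s", pubkeyfile);`. A short comment above the check should say that the name comes from the signature file's comment, which selects the key and so presumably cannot have been authenticated yet, and that the slash test is what keeps the lookup inside `safepath`.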