From 036a096f05921ed2701a90eb64cd826abbafe714 Mon Sep 17 00:00:00 2001 From: djm Date: Fri, 21 Sep 2018 12:20:12 +0000 Subject: [PATCH] In sshkey_in_file(), ignore keys that are considered for being too short (i.e. SSH_ERR_KEY_LENGTH). These keys will not be considered to be "in the file". This allows key revocation lists to contain short keys without the entire revocation list being considered invalid. bz#2897; ok dtucker --- usr.bin/ssh/authfile.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/usr.bin/ssh/authfile.c b/usr.bin/ssh/authfile.c index 6309e185390..3b81fa7d972 100644 --- a/usr.bin/ssh/authfile.c +++ b/usr.bin/ssh/authfile.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authfile.c,v 1.130 2018/07/09 21:59:10 markus Exp $ */ +/* $OpenBSD: authfile.c,v 1.131 2018/09/21 12:20:12 djm Exp $ */ /* * Copyright (c) 2000, 2013 Markus Friedl. All rights reserved. * @@ -454,6 +454,8 @@ sshkey_in_file(struct sshkey *key, const char *filename, int strict_type, return SSH_ERR_SYSTEM_ERROR; while (getline(&line, &linesize, f) != -1) { + sshkey_free(pub); + pub = NULL; cp = line; /* Skip leading whitespace. */ @@ -472,16 +474,20 @@ sshkey_in_file(struct sshkey *key, const char *filename, int strict_type, r = SSH_ERR_ALLOC_FAIL; goto out; } - if ((r = sshkey_read(pub, &cp)) != 0) + switch (r = sshkey_read(pub, &cp)) { + case 0: + break; + case SSH_ERR_KEY_LENGTH: + continue; + default: goto out; + } if (sshkey_compare(key, pub) || (check_ca && sshkey_is_cert(key) && sshkey_compare(key->cert->signature_key, pub))) { r = 0; goto out; } - sshkey_free(pub); - pub = NULL; } r = SSH_ERR_KEY_NOT_FOUND; out: -- 2.20.1