diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2023-07-28 00:26:49 +0200 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2023-07-28 00:31:01 +0200 |
| commit | 6958f00acf3b9e0b3730f7287e69996bcf3ceda4 (patch) | |
| tree | bac6836510fa6e2e5715945edaca0aab55ba17d0 /ssh-pkcs11.c | |
| parent | upstream: make sshd_config AuthorizedPrincipalsCommand and (diff) | |
| download | openssh-6958f00acf3b9e0b3730f7287e69996bcf3ceda4.tar.xz openssh-6958f00acf3b9e0b3730f7287e69996bcf3ceda4.zip | |
upstream: don't incorrectly truncate logged strings retrieved from
PKCS#11 modules; based on GHPR406 by Jakub Jelen; ok markus
OpenBSD-Commit-ID: 7ed1082f23a13b38c373008f856fd301d50012f9
Diffstat (limited to 'ssh-pkcs11.c')
| -rw-r--r-- | ssh-pkcs11.c | 39 |
1 files changed, 19 insertions, 20 deletions
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index 8e2b9cb97..35e98be72 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-pkcs11.c,v 1.58 2023/07/19 14:02:27 djm Exp $ */ +/* $OpenBSD: ssh-pkcs11.c,v 1.59 2023/07/27 22:26:49 djm Exp $ */ /* * Copyright (c) 2010 Markus Friedl. All rights reserved. * Copyright (c) 2014 Pedro Martelletto. All rights reserved. @@ -623,19 +623,22 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, #endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ /* remove trailing spaces */ -static void +static char * rmspace(u_char *buf, size_t len) { size_t i; - if (!len) - return; - for (i = len - 1; i > 0; i--) - if (i == len - 1 || buf[i] == ' ') + if (len == 0) + return buf; + for (i = len - 1; i > 0; i--) + if (buf[i] == ' ') buf[i] = '\0'; else break; + return buf; } +/* Used to printf fixed-width, space-padded, unterminated strings using %.*s */ +#define RMSPACE(s) (int)sizeof(s), rmspace(s, sizeof(s)) /* * open a pkcs11 session and login if required. @@ -1564,15 +1567,13 @@ pkcs11_register_provider(char *provider_id, char *pin, provider_id, rv); goto fail; } - rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID)); - rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription)); - debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d" - " libraryDescription <%s> libraryVersion %d.%d", + debug("provider %s: manufacturerID <%.*s> cryptokiVersion %d.%d" + " libraryDescription <%.*s> libraryVersion %d.%d", provider_id, - p->info.manufacturerID, + RMSPACE(p->info.manufacturerID), p->info.cryptokiVersion.major, p->info.cryptokiVersion.minor, - p->info.libraryDescription, + RMSPACE(p->info.libraryDescription), p->info.libraryVersion.major, p->info.libraryVersion.minor); if ((rv = f->C_GetSlotList(CK_TRUE, NULL, &p->nslots)) != CKR_OK) { @@ -1607,15 +1608,13 @@ pkcs11_register_provider(char *provider_id, char *pin, "provider %s slot %lu", provider_id, (u_long)i); continue; } - rmspace(token->label, sizeof(token->label)); - rmspace(token->manufacturerID, sizeof(token->manufacturerID)); - rmspace(token->model, sizeof(token->model)); - rmspace(token->serialNumber, sizeof(token->serialNumber)); - debug("provider %s slot %lu: label <%s> manufacturerID <%s> " - "model <%s> serial <%s> flags 0x%lx", + debug("provider %s slot %lu: label <%.*s> " + "manufacturerID <%.*s> model <%.*s> serial <%.*s> " + "flags 0x%lx", provider_id, (unsigned long)i, - token->label, token->manufacturerID, token->model, - token->serialNumber, token->flags); + RMSPACE(token->label), RMSPACE(token->manufacturerID), + RMSPACE(token->model), RMSPACE(token->serialNumber), + token->flags); /* * open session, login with pin and retrieve public * keys (if keyp is provided) |