From 6be3843d5d8f117f57ee18815eea0806b2a59d86 Mon Sep 17 00:00:00 2001
From: Christian Neukirchen
Date: Fri, 30 Sep 2016 14:57:43 +0200
Subject: cvs update
---
 src/usr.bin/signify/signify.1 | 6 ++---
 src/usr.bin/signify/signify.c | 55 +++++++++++++++++++++++--------------------
 src/usr.bin/signify/zsig.c | 7 ++----
 3 files changed, 35 insertions(+), 33 deletions(-)
(limited to 'src')
diff --git a/src/usr.bin/signify/signify.1 b/src/usr.bin/signify/signify.1
index 92b13f9..0207091 100644
--- a/src/usr.bin/signify/signify.1
+++ b/src/usr.bin/signify/signify.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: signify.1,v 1.38 2016/09/02 21:04:26 tedu Exp $
+.\" $OpenBSD: signify.1,v 1.39 2016/09/19 21:15:58 tedu Exp $
 .\"
 .\"Copyright (c) 2013 Marc Espie
 .\"Copyright (c) 2013 Ted Unangst
@@ -14,7 +14,7 @@
 .\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 .\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.Dd $Mdocdate: September 2 2016 $
+.Dd $Mdocdate: September 19 2016 $
 .Dt SIGNIFY 1
 .Os
 .Sh NAME
@@ -108,7 +108,7 @@ to sign a message.
 .It Fl t Ar keytype
 When deducing the correct key to check a signature, make sure
 the actual key matches
-.Pa /etc/signify/-keytype.pub .
+.Pa /etc/signify/*-keytype.pub .
 .It Fl x Ar sigfile
 The signature file to create or verify.
 The default is
diff --git a/src/usr.bin/signify/signify.c b/src/usr.bin/signify/signify.c
index 268a403..73be96d 100644
--- a/src/usr.bin/signify/signify.c
+++ b/src/usr.bin/signify/signify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: signify.c,v 1.118 2016/09/10 12:23:16 deraadt Exp $ */
+/* $OpenBSD: signify.c,v 1.122 2016/09/27 02:13:27 tedu Exp $ */
 /*
  * Copyright (c) 2013 Ted Unangst
  *
@@ -363,8 +363,14 @@ createsig(const char *seckeyfile, const char *msgfile, uint8_t *msg,
 secname = strstr(seckeyfile, ".sec");
 if (secname && strlen(secname) == 4) {
+ const char *keyname;
+ /* basename may or may not modify input */
+ if (!(keyname = strrchr(seckeyfile, '/')))
+ keyname = seckeyfile;
+ else
+ keyname++;
 if ((nr = snprintf(sigcomment, sizeof(sigcomment), VERIFYWITH "%.*s.pub",
- (int)strlen(seckeyfile) - 4, seckeyfile)) == -1 || nr >= sizeof(sigcomment))
+ (int)strlen(keyname) - 4, keyname)) == -1 || nr >= sizeof(sigcomment))
 errx(1, "comment too long");
 } else {
 if ((nr = snprintf(sigcomment, sizeof(sigcomment), "signature from %s",
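Review bot: The new basename handling in createsig only runs when the `.sec` test just above it passes, and that test uses `strstr` on the whole path, so it looks at the first `.sec` anywhere in `seckeyfile`. A path whose directory part contains `.sec` (constructed example: `/home/u/.secrets/k.sec`) makes `strlen(secname) == 4` fail and drops into the `signature from` branch, so no `verify with` hint is written and the verifier cannot deduce the key. Since `keyname` is computed anyway, computing it before the test and checking the suffix on it closes that gap and also rejects a bare `.sec` name: `len = strlen(keyname); if (len > 4 && strcmp(keyname + len - 4, ".sec") == 0) {`. createsig starts and ends outside this hunk.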
@@ -445,44 +451,43 @@ verifymsg(struct pubkey *pubkey, uint8_t *msg, unsigned long long msglen,
 free(dummybuf);
 }
-#ifndef VERIFYONLY
 static void
 check_keytype(const char *pubkeyfile, const char *keytype)
 {
- size_t len;
- char *cmp;
- int slen;
-
- len = strlen(pubkeyfile);
- slen = asprintf(&cmp, "-%s.pub", keytype);
- if (slen < 0)
- err(1, "asprintf error");
- if (len < slen)
- errx(1, "too short");
-
- if (strcmp(pubkeyfile + len - slen, cmp) != 0)
- errx(1, "wrong keytype");
- free(cmp);
+ const char *p;
+ size_t typelen;
+
+ if (!(p = strrchr(pubkeyfile, '-')))
+ goto bad;
+ p++;
+ typelen = strlen(keytype);
+ if (strncmp(p, keytype, typelen) != 0)
+ goto bad;
+ if (strcmp(p + typelen, ".pub") != 0)
+ goto bad;
+ return;
+
+bad:
+ errx(1, "incorrect keytype: %s is not %s", pubkeyfile, keytype);
 }
-#endif
 static void
 readpubkey(const char *pubkeyfile, struct pubkey *pubkey,
 const char *sigcomment, const char *keytype)
 {
- const char *safepath = "/etc/signify/";
+ const char *safepath = "/etc/signify";
+ char keypath[1024];
 if (!pubkeyfile) {
 pubkeyfile = strstr(sigcomment, VERIFYWITH);
- if (pubkeyfile) {
+ if (pubkeyfile && strchr(pubkeyfile, '/') == NULL) {
 pubkeyfile += strlen(VERIFYWITH);
- if (strncmp(pubkeyfile, safepath, strlen(safepath)) != 0 ||
- strstr(pubkeyfile, "/../") != NULL)
- errx(1, "untrusted path %s", pubkeyfile);
-#ifndef VERIFYONLY
 if (keytype)
 check_keytype(pubkeyfile, keytype);
-#endif
+ if (snprintf(keypath, sizeof(keypath), "%s/%s",
+ safepath, pubkeyfile) >= sizeof(keypath))
+ errx(1, "name too long %s", pubkeyfile);
+ pubkeyfile = keypath;
 } else
 usage("must specify pubkey");
 }
diff --git a/src/usr.bin/signify/zsig.c b/src/usr.bin/signify/zsig.c
index d721d8a..5538065 100644
--- a/src/usr.bin/signify/zsig.c
+++ b/src/usr.bin/signify/zsig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: zsig.c,v 1.12 2016/09/10 12:23:16 deraadt Exp $ */
+/* $OpenBSD: zsig.c,v 1.13 2016/09/27 02:16:40 tedu Exp $ */
 /*
  * Copyright (c) 2016 Marc Espie
  *
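Review bot: In readpubkey (signify.c, the `@@ -445,44 +451,43 @@` hunk), a `verify with` comment that contains a `/` now falls into the `else` branch and ends in `usage("must specify pubkey")`, so a rejected key name is reported as a command-line mistake rather than as a refused path. The removed lines in createsig show that earlier versions wrote the full key path into the comment, so signatures made before this change will presumably take this branch; an explicit diagnostic ahead of the existing test would make the rejection visible, e.g. `if (pubkeyfile && strchr(pubkeyfile, '/') != NULL) errx(1, "untrusted path %s", pubkeyfile + strlen(VERIFYWITH));`. The key file is chosen from the comment before any signature has been checked, and the `strchr` scan covers the rest of the comment rather than only the name, so a short comment such as `/* comment is not yet verified: accept a bare file name only */` would record why the test is this strict. readpubkey continues past the end of the hunk.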
@@ -52,10 +52,7 @@ struct gzheader {
 static uint8_t fake[10] = { 0x1f, 0x8b, 8, FCOMMENT_FLAG, 0, 0, 0, 0, 0, 3 };
-/* XXX no static there, confuses the hell out of gcc which displays
- * non-existent warnings.
- */
-uint8_t *
+static uint8_t *
 readgz_header(struct gzheader *h, int fd)
 {
 size_t sz = 1024;
--
cgit 1.4.1