The decoded challenge buffer contains only the challenge and the two session
keys, so its size is known up-front. The handshake should therefore fail if
the size of the RSA-decrypted buffer differs from that expected size.
free(sbb.iov.iov_base);
if (ret < 0)
goto out;
+ if (ret != APC_CHALLENGE_SIZE + 2 * SESSION_KEY_LEN) {
+ ret = -E_DECRYPT;
+ goto out;
+ }
ct->challenge_hash = alloc(HASH2_SIZE);
if (has_feature("sha256", ct)) {
hash2_function((char *)crypt_buf, APC_CHALLENGE_SIZE,