author | djm@openbsd.org <djm@openbsd.org> | 2015-01-30 01:10:33 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2015-01-30 12:17:07 +1100 |
commit | 669aee994348468af8b4b2ebd29b602cf2860b22 (patch) | |
tree | 47acfa09dd5b13cbab745b70c5cf2b7de3777f5a /ssh-keygen.c | |
parent | 7a2c368477e26575d0866247d3313da4256cb2b5 (diff) |
upstream commit
permit KRLs that revoke certificates by serial number or
key ID without scoping to a particular CA; ok markus@
Diffstat (limited to 'ssh-keygen.c')
-rw-r--r-- | ssh-keygen.c | 26 |
1 files changed, 15 insertions, 11 deletions
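--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.260 2015/01/30 00:59:19 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.261 2015/01/30 01:10:33 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1973,7 +1973,7 @@ load_krl(const char *path, struct ssh_krl **krlp)
 }
 
 static void
-update_krl_from_file(struct passwd *pw, const char *file,
+update_krl_from_file(struct passwd *pw, const char *file, int wild_ca,
 const struct sshkey *ca, struct ssh_krl *krl)
 {
 struct sshkey *key = NULL;
@@ -2015,7 +2015,7 @@ update_krl_from_file(struct passwd *pw, const char *file,
 if (*cp == '\0')
 continue;
 if (strncasecmp(cp, "serial:", 7) == 0) {
-if (ca == NULL) {
+if (ca == NULL && !wild_ca) {
 fatal("revoking certificates by serial number "
 "requires specification of a CA key");
 }
@@ -2052,7 +2052,7 @@ update_krl_from_file(struct passwd *pw, const char *file,
 __func__);
 }
 } else if (strncasecmp(cp, "id:", 3) == 0) {
-if (ca == NULL) {
+if (ca == NULL && !wild_ca) {
 fatal("revoking certificates by key ID "
 "requires specification of a CA key");
 }
@@ -2103,7 +2103,7 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
 struct ssh_krl *krl;
 struct stat sb;
 struct sshkey *ca = NULL;
-int fd, i, r;
+int fd, i, r, wild_ca = 0;
 char *tmp;
 struct sshbuf *kbuf;
 
@@ -2117,11 +2117,15 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
 fatal("KRL \"%s\" does not exist", identity_file);
 }
 if (ca_key_path != NULL) {
-tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
-if ((r = sshkey_load_public(tmp, &ca, NULL)) != 0)
-fatal("Cannot load CA public key %s: %s",
-tmp, ssh_err(r));
-free(tmp);
+if (strcasecmp(ca_key_path, "none") == 0)
+wild_ca = 1;
+else {
+tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
+if ((r = sshkey_load_public(tmp, &ca, NULL)) != 0)
+fatal("Cannot load CA public key %s: %s",
+tmp, ssh_err(r));
+free(tmp);
+}
 }
 
 if (updating)
@@ -2135,7 +2139,7 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
 ssh_krl_set_comment(krl, identity_comment);
 
 for (i = 0; i < argc; i++)
-update_krl_from_file(pw, argv[i], ca, krl);
+update_krl_from_file(pw, argv[i], wild_ca, ca, krl);
 
 if ((kbuf = sshbuf_new()) == NULL)
 fatal("sshbuf_new failed");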
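Review bot: The `wild_ca = 1;` branch lets `serial:` and `id:` lines be accepted with no CA key, but nothing at that line records that a certificate serial number is only unique within the issuing CA, so an unscoped entry will revoke any CA's certificate carrying that serial or key ID and can over-revoke on a trust store with several CAs. A comment there would keep the next maintainer from treating it as equivalent to a scoped entry: `/* "none": serial/id entries are not bound to a CA; serials are only unique per CA, so they match any CA's cert */`. The ssh_krl_revoke_cert_by_serial/key_id calls that must now tolerate ca == NULL are outside this view, so their handling is inferred from the commit message rather than visible here. Note also that the case-insensitive `strcasecmp(ca_key_path, "none")` means a CA public key file literally named `none` can no longer be passed as a bare relative path; `./none` still loads.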