diff options
| -rw-r--r-- | krl.c | 98 | ||||
| -rw-r--r-- | krl.h | 4 |
2 files changed, 50 insertions, 52 deletions
| @@ -14,7 +14,7 @@ | |||
| 14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| 15 | */ | 15 | */ |
| 16 | 16 | ||
| 17 | /* $OpenBSD: krl.c,v 1.24 2015/01/12 19:22:46 markus Exp $ */ | 17 | /* $OpenBSD: krl.c,v 1.25 2015/01/13 19:04:35 djm Exp $ */ |
| 18 | 18 | ||
| 19 | #include "includes.h" | 19 | #include "includes.h" |
| 20 | 20 | ||
| @@ -31,11 +31,11 @@ | |||
| 31 | #include <unistd.h> | 31 | #include <unistd.h> |
| 32 | 32 | ||
| 33 | #include "sshbuf.h" | 33 | #include "sshbuf.h" |
| 34 | #include "ssherr.h" | ||
| 34 | #include "sshkey.h" | 35 | #include "sshkey.h" |
| 35 | #include "authfile.h" | 36 | #include "authfile.h" |
| 36 | #include "misc.h" | 37 | #include "misc.h" |
| 37 | #include "log.h" | 38 | #include "log.h" |
| 38 | #include "ssherr.h" | ||
| 39 | #include "digest.h" | 39 | #include "digest.h" |
| 40 | 40 | ||
| 41 | #include "krl.h" | 41 | #include "krl.h" |
| @@ -230,7 +230,7 @@ revoked_certs_for_ca_key(struct ssh_krl *krl, const struct sshkey *ca_key, | |||
| 230 | RB_INIT(&rc->revoked_serials); | 230 | RB_INIT(&rc->revoked_serials); |
| 231 | RB_INIT(&rc->revoked_key_ids); | 231 | RB_INIT(&rc->revoked_key_ids); |
| 232 | TAILQ_INSERT_TAIL(&krl->revoked_certs, rc, entry); | 232 | TAILQ_INSERT_TAIL(&krl->revoked_certs, rc, entry); |
| 233 | debug3("%s: new CA %s", __func__, sshkey_type(ca_key)); | 233 | KRL_DBG(("%s: new CA %s", __func__, sshkey_type(ca_key))); |
| 234 | *rcp = rc; | 234 | *rcp = rc; |
| 235 | return 0; | 235 | return 0; |
| 236 | } | 236 | } |
| @@ -255,7 +255,7 @@ insert_serial_range(struct revoked_serial_tree *rt, u_int64_t lo, u_int64_t hi) | |||
| 255 | KRL_DBG(("%s: bad: ers != NULL", __func__)); | 255 | KRL_DBG(("%s: bad: ers != NULL", __func__)); |
| 256 | /* Shouldn't happen */ | 256 | /* Shouldn't happen */ |
| 257 | free(irs); | 257 | free(irs); |
| 258 | return SSH_ERR_ALLOC_FAIL; | 258 | return SSH_ERR_INTERNAL_ERROR; |
| 259 | } | 259 | } |
| 260 | ers = irs; | 260 | ers = irs; |
| 261 | } else { | 261 | } else { |
| @@ -270,6 +270,7 @@ insert_serial_range(struct revoked_serial_tree *rt, u_int64_t lo, u_int64_t hi) | |||
| 270 | if (ers->hi < hi) | 270 | if (ers->hi < hi) |
| 271 | ers->hi = hi; | 271 | ers->hi = hi; |
| 272 | } | 272 | } |
| 273 | |||
| 273 | /* | 274 | /* |
| 274 | * The inserted or revised range might overlap or abut adjacent ones; | 275 | * The inserted or revised range might overlap or abut adjacent ones; |
| 275 | * coalesce as necessary. | 276 | * coalesce as necessary. |
| @@ -315,14 +316,14 @@ ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const struct sshkey *ca_key, | |||
| 315 | } | 316 | } |
| 316 | 317 | ||
| 317 | int | 318 | int |
| 318 | ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, const struct sshkey *ca_key, | 319 | ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, |
| 319 | u_int64_t lo, u_int64_t hi) | 320 | const struct sshkey *ca_key, u_int64_t lo, u_int64_t hi) |
| 320 | { | 321 | { |
| 321 | struct revoked_certs *rc; | 322 | struct revoked_certs *rc; |
| 322 | int r; | 323 | int r; |
| 323 | 324 | ||
| 324 | if (lo > hi || lo == 0) | 325 | if (lo > hi || lo == 0) |
| 325 | return -1; | 326 | return SSH_ERR_INVALID_ARGUMENT; |
| 326 | if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0) | 327 | if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0) |
| 327 | return r; | 328 | return r; |
| 328 | return insert_serial_range(&rc->revoked_serials, lo, hi); | 329 | return insert_serial_range(&rc->revoked_serials, lo, hi); |
| @@ -339,7 +340,7 @@ ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl, const struct sshkey *ca_key, | |||
| 339 | if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0) | 340 | if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0) |
| 340 | return r; | 341 | return r; |
| 341 | 342 | ||
| 342 | debug3("%s: revoke %s", __func__, key_id); | 343 | KRL_DBG(("%s: revoke %s", __func__, key_id)); |
| 343 | if ((rki = calloc(1, sizeof(*rki))) == NULL || | 344 | if ((rki = calloc(1, sizeof(*rki))) == NULL || |
| 344 | (rki->key_id = strdup(key_id)) == NULL) { | 345 | (rki->key_id = strdup(key_id)) == NULL) { |
| 345 | free(rki); | 346 | free(rki); |
| @@ -375,7 +376,7 @@ plain_key_blob(const struct sshkey *key, u_char **blob, size_t *blen) | |||
| 375 | 376 | ||
| 376 | /* Revoke a key blob. Ownership of blob is transferred to the tree */ | 377 | /* Revoke a key blob. Ownership of blob is transferred to the tree */ |
| 377 | static int | 378 | static int |
| 378 | revoke_blob(struct revoked_blob_tree *rbt, u_char *blob, u_int len) | 379 | revoke_blob(struct revoked_blob_tree *rbt, u_char *blob, size_t len) |
| 379 | { | 380 | { |
| 380 | struct revoked_blob *rb, *erb; | 381 | struct revoked_blob *rb, *erb; |
| 381 | 382 | ||
| @@ -507,14 +508,14 @@ choose_next_state(int current_state, u_int64_t contig, int final, | |||
| 507 | *force_new_section = 1; | 508 | *force_new_section = 1; |
| 508 | cost = cost_bitmap_restart; | 509 | cost = cost_bitmap_restart; |
| 509 | } | 510 | } |
| 510 | debug3("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:" | 511 | KRL_DBG(("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:" |
| 511 | "list %llu range %llu bitmap %llu new bitmap %llu, " | 512 | "list %llu range %llu bitmap %llu new bitmap %llu, " |
| 512 | "selected 0x%02x%s", __func__, (long long unsigned)contig, | 513 | "selected 0x%02x%s", __func__, (long long unsigned)contig, |
| 513 | (long long unsigned)last_gap, (long long unsigned)next_gap, final, | 514 | (long long unsigned)last_gap, (long long unsigned)next_gap, final, |
| 514 | (long long unsigned)cost_list, (long long unsigned)cost_range, | 515 | (long long unsigned)cost_list, (long long unsigned)cost_range, |
| 515 | (long long unsigned)cost_bitmap, | 516 | (long long unsigned)cost_bitmap, |
| 516 | (long long unsigned)cost_bitmap_restart, new_state, | 517 | (long long unsigned)cost_bitmap_restart, new_state, |
| 517 | *force_new_section ? " restart" : ""); | 518 | *force_new_section ? " restart" : "")); |
| 518 | return new_state; | 519 | return new_state; |
| 519 | } | 520 | } |
| 520 | 521 | ||
| @@ -522,7 +523,7 @@ choose_next_state(int current_state, u_int64_t contig, int final, | |||
| 522 | static int | 523 | static int |
| 523 | revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) | 524 | revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) |
| 524 | { | 525 | { |
| 525 | int final, force_new_sect, r = -1; | 526 | int final, force_new_sect, r = SSH_ERR_INTERNAL_ERROR; |
| 526 | u_int64_t i, contig, gap, last = 0, bitmap_start = 0; | 527 | u_int64_t i, contig, gap, last = 0, bitmap_start = 0; |
| 527 | struct revoked_serial *rs, *nrs; | 528 | struct revoked_serial *rs, *nrs; |
| 528 | struct revoked_key_id *rki; | 529 | struct revoked_key_id *rki; |
| @@ -545,9 +546,9 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) | |||
| 545 | for (rs = RB_MIN(revoked_serial_tree, &rc->revoked_serials); | 546 | for (rs = RB_MIN(revoked_serial_tree, &rc->revoked_serials); |
| 546 | rs != NULL; | 547 | rs != NULL; |
| 547 | rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) { | 548 | rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) { |
| 548 | debug3("%s: serial %llu:%llu state 0x%02x", __func__, | 549 | KRL_DBG(("%s: serial %llu:%llu state 0x%02x", __func__, |
| 549 | (long long unsigned)rs->lo, (long long unsigned)rs->hi, | 550 | (long long unsigned)rs->lo, (long long unsigned)rs->hi, |
| 550 | state); | 551 | state)); |
| 551 | 552 | ||
| 552 | /* Check contiguous length and gap to next section (if any) */ | 553 | /* Check contiguous length and gap to next section (if any) */ |
| 553 | nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs); | 554 | nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs); |
| @@ -565,7 +566,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) | |||
| 565 | */ | 566 | */ |
| 566 | if (state != 0 && (force_new_sect || next_state != state || | 567 | if (state != 0 && (force_new_sect || next_state != state || |
| 567 | state == KRL_SECTION_CERT_SERIAL_RANGE)) { | 568 | state == KRL_SECTION_CERT_SERIAL_RANGE)) { |
| 568 | debug3("%s: finish state 0x%02x", __func__, state); | 569 | KRL_DBG(("%s: finish state 0x%02x", __func__, state)); |
| 569 | switch (state) { | 570 | switch (state) { |
| 570 | case KRL_SECTION_CERT_SERIAL_LIST: | 571 | case KRL_SECTION_CERT_SERIAL_LIST: |
| 571 | case KRL_SECTION_CERT_SERIAL_RANGE: | 572 | case KRL_SECTION_CERT_SERIAL_RANGE: |
| @@ -585,7 +586,8 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) | |||
| 585 | 586 | ||
| 586 | /* If we are starting a new section then prepare it now */ | 587 | /* If we are starting a new section then prepare it now */ |
| 587 | if (next_state != state || force_new_sect) { | 588 | if (next_state != state || force_new_sect) { |
| 588 | debug3("%s: start state 0x%02x", __func__, next_state); | 589 | KRL_DBG(("%s: start state 0x%02x", __func__, |
| 590 | next_state)); | ||
| 589 | state = next_state; | 591 | state = next_state; |
| 590 | sshbuf_reset(sect); | 592 | sshbuf_reset(sect); |
| 591 | switch (state) { | 593 | switch (state) { |
| @@ -636,8 +638,8 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) | |||
| 636 | } | 638 | } |
| 637 | /* Flush the remaining section, if any */ | 639 | /* Flush the remaining section, if any */ |
| 638 | if (state != 0) { | 640 | if (state != 0) { |
| 639 | debug3("%s: serial final flush for state 0x%02x", | 641 | KRL_DBG(("%s: serial final flush for state 0x%02x", |
| 640 | __func__, state); | 642 | __func__, state)); |
| 641 | switch (state) { | 643 | switch (state) { |
| 642 | case KRL_SECTION_CERT_SERIAL_LIST: | 644 | case KRL_SECTION_CERT_SERIAL_LIST: |
| 643 | case KRL_SECTION_CERT_SERIAL_RANGE: | 645 | case KRL_SECTION_CERT_SERIAL_RANGE: |
| @@ -653,12 +655,12 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) | |||
| 653 | (r = sshbuf_put_stringb(buf, sect)) != 0) | 655 | (r = sshbuf_put_stringb(buf, sect)) != 0) |
| 654 | goto out; | 656 | goto out; |
| 655 | } | 657 | } |
| 656 | debug3("%s: serial done ", __func__); | 658 | KRL_DBG(("%s: serial done ", __func__)); |
| 657 | 659 | ||
| 658 | /* Now output a section for any revocations by key ID */ | 660 | /* Now output a section for any revocations by key ID */ |
| 659 | sshbuf_reset(sect); | 661 | sshbuf_reset(sect); |
| 660 | RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) { | 662 | RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) { |
| 661 | debug3("%s: key ID %s", __func__, rki->key_id); | 663 | KRL_DBG(("%s: key ID %s", __func__, rki->key_id)); |
| 662 | if ((r = sshbuf_put_cstring(sect, rki->key_id)) != 0) | 664 | if ((r = sshbuf_put_cstring(sect, rki->key_id)) != 0) |
| 663 | goto out; | 665 | goto out; |
| 664 | } | 666 | } |
| @@ -679,7 +681,7 @@ int | |||
| 679 | ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, | 681 | ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, |
| 680 | const struct sshkey **sign_keys, u_int nsign_keys) | 682 | const struct sshkey **sign_keys, u_int nsign_keys) |
| 681 | { | 683 | { |
| 682 | int r = -1; | 684 | int r = SSH_ERR_INTERNAL_ERROR; |
| 683 | struct revoked_certs *rc; | 685 | struct revoked_certs *rc; |
| 684 | struct revoked_blob *rb; | 686 | struct revoked_blob *rb; |
| 685 | struct sshbuf *sect; | 687 | struct sshbuf *sect; |
| @@ -715,7 +717,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, | |||
| 715 | /* Finally, output sections for revocations by public key/hash */ | 717 | /* Finally, output sections for revocations by public key/hash */ |
| 716 | sshbuf_reset(sect); | 718 | sshbuf_reset(sect); |
| 717 | RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) { | 719 | RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) { |
| 718 | debug3("%s: key len %zu ", __func__, rb->len); | 720 | KRL_DBG(("%s: key len %u ", __func__, rb->len)); |
| 719 | if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) | 721 | if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) |
| 720 | goto out; | 722 | goto out; |
| 721 | } | 723 | } |
| @@ -726,7 +728,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, | |||
| 726 | } | 728 | } |
| 727 | sshbuf_reset(sect); | 729 | sshbuf_reset(sect); |
| 728 | RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) { | 730 | RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) { |
| 729 | debug3("%s: hash len %zu ", __func__, rb->len); | 731 | KRL_DBG(("%s: hash len %u ", __func__, rb->len)); |
| 730 | if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) | 732 | if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) |
| 731 | goto out; | 733 | goto out; |
| 732 | } | 734 | } |
| @@ -742,7 +744,8 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, | |||
| 742 | if ((r = sshkey_to_blob_buf(sign_keys[i], sect)) != 0) | 744 | if ((r = sshkey_to_blob_buf(sign_keys[i], sect)) != 0) |
| 743 | goto out; | 745 | goto out; |
| 744 | 746 | ||
| 745 | debug3("%s: signature key len %zu", __func__, sshbuf_len(sect)); | 747 | KRL_DBG(("%s: signature key len %zu", __func__, |
| 748 | sshbuf_len(sect))); | ||
| 746 | if ((r = sshbuf_put_u8(buf, KRL_SECTION_SIGNATURE)) != 0 || | 749 | if ((r = sshbuf_put_u8(buf, KRL_SECTION_SIGNATURE)) != 0 || |
| 747 | (r = sshbuf_put_stringb(buf, sect)) != 0) | 750 | (r = sshbuf_put_stringb(buf, sect)) != 0) |
| 748 | goto out; | 751 | goto out; |
| @@ -750,7 +753,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, | |||
| 750 | if ((r = sshkey_sign(sign_keys[i], &sblob, &slen, | 753 | if ((r = sshkey_sign(sign_keys[i], &sblob, &slen, |
| 751 | sshbuf_ptr(buf), sshbuf_len(buf), 0)) == -1) | 754 | sshbuf_ptr(buf), sshbuf_len(buf), 0)) == -1) |
| 752 | goto out; | 755 | goto out; |
| 753 | debug3("%s: signature sig len %zu", __func__, slen); | 756 | KRL_DBG(("%s: signature sig len %u", __func__, slen)); |
| 754 | if ((r = sshbuf_put_string(buf, sblob, slen)) != 0) | 757 | if ((r = sshbuf_put_string(buf, sblob, slen)) != 0) |
| 755 | goto out; | 758 | goto out; |
| 756 | } | 759 | } |
| @@ -781,7 +784,7 @@ format_timestamp(u_int64_t timestamp, char *ts, size_t nts) | |||
| 781 | static int | 784 | static int |
| 782 | parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl) | 785 | parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl) |
| 783 | { | 786 | { |
| 784 | int r = -1, nbits; | 787 | int r = SSH_ERR_INTERNAL_ERROR, nbits; |
| 785 | u_char type; | 788 | u_char type; |
| 786 | const u_char *blob; | 789 | const u_char *blob; |
| 787 | size_t blen; | 790 | size_t blen; |
| @@ -809,7 +812,8 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl) | |||
| 809 | if ((r = sshbuf_get_u8(buf, &type)) != 0 || | 812 | if ((r = sshbuf_get_u8(buf, &type)) != 0 || |
| 810 | (r = sshbuf_froms(buf, &subsect)) != 0) | 813 | (r = sshbuf_froms(buf, &subsect)) != 0) |
| 811 | goto out; | 814 | goto out; |
| 812 | debug3("%s: subsection type 0x%02x", __func__, type); | 815 | KRL_DBG(("%s: subsection type 0x%02x", __func__, type)); |
| 816 | /* sshbuf_dump(subsect, stderr); */ | ||
| 813 | 817 | ||
| 814 | switch (type) { | 818 | switch (type) { |
| 815 | case KRL_SECTION_CERT_SERIAL_LIST: | 819 | case KRL_SECTION_CERT_SERIAL_LIST: |
| @@ -842,7 +846,7 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl) | |||
| 842 | r = SSH_ERR_INVALID_FORMAT; | 846 | r = SSH_ERR_INVALID_FORMAT; |
| 843 | goto out; | 847 | goto out; |
| 844 | } | 848 | } |
| 845 | for (serial = 0; serial < (u_int)nbits; serial++) { | 849 | for (serial = 0; serial < (u_int64_t)nbits; serial++) { |
| 846 | if (serial > 0 && serial_lo + serial == 0) { | 850 | if (serial > 0 && serial_lo + serial == 0) { |
| 847 | error("%s: bitmap wraps u64", __func__); | 851 | error("%s: bitmap wraps u64", __func__); |
| 848 | r = SSH_ERR_INVALID_FORMAT; | 852 | r = SSH_ERR_INVALID_FORMAT; |
| @@ -895,12 +899,12 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl) | |||
| 895 | /* Attempt to parse a KRL, checking its signature (if any) with sign_ca_keys. */ | 899 | /* Attempt to parse a KRL, checking its signature (if any) with sign_ca_keys. */ |
| 896 | int | 900 | int |
| 897 | ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, | 901 | ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, |
| 898 | const struct sshkey **sign_ca_keys, u_int nsign_ca_keys) | 902 | const struct sshkey **sign_ca_keys, size_t nsign_ca_keys) |
| 899 | { | 903 | { |
| 900 | struct sshbuf *copy = NULL, *sect = NULL; | 904 | struct sshbuf *copy = NULL, *sect = NULL; |
| 901 | struct ssh_krl *krl = NULL; | 905 | struct ssh_krl *krl = NULL; |
| 902 | char timestamp[64]; | 906 | char timestamp[64]; |
| 903 | int r = -1, sig_seen; | 907 | int r = SSH_ERR_INTERNAL_ERROR, sig_seen; |
| 904 | struct sshkey *key = NULL, **ca_used = NULL, **tmp_ca_used; | 908 | struct sshkey *key = NULL, **ca_used = NULL, **tmp_ca_used; |
| 905 | u_char type, *rdata = NULL; | 909 | u_char type, *rdata = NULL; |
| 906 | const u_char *blob; | 910 | const u_char *blob; |
| @@ -961,12 +965,12 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, | |||
| 961 | if ((r = sshbuf_get_u8(copy, &type)) != 0 || | 965 | if ((r = sshbuf_get_u8(copy, &type)) != 0 || |
| 962 | (r = sshbuf_get_string_direct(copy, &blob, &blen)) != 0) | 966 | (r = sshbuf_get_string_direct(copy, &blob, &blen)) != 0) |
| 963 | goto out; | 967 | goto out; |
| 964 | debug3("%s: first pass, section 0x%02x", __func__, type); | 968 | KRL_DBG(("%s: first pass, section 0x%02x", __func__, type)); |
| 965 | if (type != KRL_SECTION_SIGNATURE) { | 969 | if (type != KRL_SECTION_SIGNATURE) { |
| 966 | if (sig_seen) { | 970 | if (sig_seen) { |
| 967 | r = SSH_ERR_INVALID_FORMAT; | ||
| 968 | error("KRL contains non-signature section " | 971 | error("KRL contains non-signature section " |
| 969 | "after signature"); | 972 | "after signature"); |
| 973 | r = SSH_ERR_INVALID_FORMAT; | ||
| 970 | goto out; | 974 | goto out; |
| 971 | } | 975 | } |
| 972 | /* Not interested for now. */ | 976 | /* Not interested for now. */ |
| @@ -976,7 +980,6 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, | |||
| 976 | /* First string component is the signing key */ | 980 | /* First string component is the signing key */ |
| 977 | if ((r = sshkey_from_blob(blob, blen, &key)) != 0) { | 981 | if ((r = sshkey_from_blob(blob, blen, &key)) != 0) { |
| 978 | r = SSH_ERR_INVALID_FORMAT; | 982 | r = SSH_ERR_INVALID_FORMAT; |
| 979 | error("%s: invalid signature key", __func__); | ||
| 980 | goto out; | 983 | goto out; |
| 981 | } | 984 | } |
| 982 | if (sshbuf_len(buf) < sshbuf_len(copy)) { | 985 | if (sshbuf_len(buf) < sshbuf_len(copy)) { |
| @@ -992,16 +995,14 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, | |||
| 992 | } | 995 | } |
| 993 | /* Check signature over entire KRL up to this point */ | 996 | /* Check signature over entire KRL up to this point */ |
| 994 | if ((r = sshkey_verify(key, blob, blen, | 997 | if ((r = sshkey_verify(key, blob, blen, |
| 995 | sshbuf_ptr(buf), sshbuf_len(buf) - sig_off, 0)) != 0) { | 998 | sshbuf_ptr(buf), sshbuf_len(buf) - sig_off, 0)) != 0) |
| 996 | error("bad signaure on KRL"); | ||
| 997 | goto out; | 999 | goto out; |
| 998 | } | ||
| 999 | /* Check if this key has already signed this KRL */ | 1000 | /* Check if this key has already signed this KRL */ |
| 1000 | for (i = 0; i < nca_used; i++) { | 1001 | for (i = 0; i < nca_used; i++) { |
| 1001 | if (sshkey_equal(ca_used[i], key)) { | 1002 | if (sshkey_equal(ca_used[i], key)) { |
| 1002 | error("KRL signed more than once with " | 1003 | error("KRL signed more than once with " |
| 1003 | "the same key"); | 1004 | "the same key"); |
| 1004 | r = SSH_ERR_SIGNATURE_INVALID; | 1005 | r = SSH_ERR_INVALID_FORMAT; |
| 1005 | goto out; | 1006 | goto out; |
| 1006 | } | 1007 | } |
| 1007 | } | 1008 | } |
| @@ -1041,10 +1042,9 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, | |||
| 1041 | sect = NULL; | 1042 | sect = NULL; |
| 1042 | } | 1043 | } |
| 1043 | if ((r = sshbuf_get_u8(copy, &type)) != 0 || | 1044 | if ((r = sshbuf_get_u8(copy, &type)) != 0 || |
| 1044 | (r = sshbuf_froms(copy, §)) != 0) { | 1045 | (r = sshbuf_froms(copy, §)) != 0) |
| 1045 | goto out; | 1046 | goto out; |
| 1046 | } | 1047 | KRL_DBG(("%s: second pass, section 0x%02x", __func__, type)); |
| 1047 | debug3("%s: second pass, section 0x%02x", __func__, type); | ||
| 1048 | 1048 | ||
| 1049 | switch (type) { | 1049 | switch (type) { |
| 1050 | case KRL_SECTION_CERTIFICATES: | 1050 | case KRL_SECTION_CERTIFICATES: |
| @@ -1068,7 +1068,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, | |||
| 1068 | &krl->revoked_keys : &krl->revoked_sha1s, | 1068 | &krl->revoked_keys : &krl->revoked_sha1s, |
| 1069 | rdata, rlen)) != 0) | 1069 | rdata, rlen)) != 0) |
| 1070 | goto out; | 1070 | goto out; |
| 1071 | rdata = NULL; /* revoke_blob frees blob */ | 1071 | rdata = NULL; /* revoke_blob frees rdata */ |
| 1072 | } | 1072 | } |
| 1073 | break; | 1073 | break; |
| 1074 | case KRL_SECTION_SIGNATURE: | 1074 | case KRL_SECTION_SIGNATURE: |
| @@ -1101,8 +1101,8 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, | |||
| 1101 | } | 1101 | } |
| 1102 | } | 1102 | } |
| 1103 | if (nca_used && !sig_seen) { | 1103 | if (nca_used && !sig_seen) { |
| 1104 | r = SSH_ERR_SIGNATURE_INVALID; | ||
| 1105 | error("All keys used to sign KRL were revoked"); | 1104 | error("All keys used to sign KRL were revoked"); |
| 1105 | r = SSH_ERR_KEY_REVOKED; | ||
| 1106 | goto out; | 1106 | goto out; |
| 1107 | } | 1107 | } |
| 1108 | 1108 | ||
| @@ -1159,7 +1159,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key) | |||
| 1159 | erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); | 1159 | erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); |
| 1160 | free(rb.blob); | 1160 | free(rb.blob); |
| 1161 | if (erb != NULL) { | 1161 | if (erb != NULL) { |
| 1162 | debug("%s: revoked by key SHA1", __func__); | 1162 | KRL_DBG(("%s: revoked by key SHA1", __func__)); |
| 1163 | return SSH_ERR_KEY_REVOKED; | 1163 | return SSH_ERR_KEY_REVOKED; |
| 1164 | } | 1164 | } |
| 1165 | 1165 | ||
| @@ -1170,7 +1170,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key) | |||
| 1170 | erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb); | 1170 | erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb); |
| 1171 | free(rb.blob); | 1171 | free(rb.blob); |
| 1172 | if (erb != NULL) { | 1172 | if (erb != NULL) { |
| 1173 | debug("%s: revoked by explicit key", __func__); | 1173 | KRL_DBG(("%s: revoked by explicit key", __func__)); |
| 1174 | return SSH_ERR_KEY_REVOKED; | 1174 | return SSH_ERR_KEY_REVOKED; |
| 1175 | } | 1175 | } |
| 1176 | 1176 | ||
| @@ -1189,7 +1189,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key) | |||
| 1189 | rki.key_id = key->cert->key_id; | 1189 | rki.key_id = key->cert->key_id; |
| 1190 | erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki); | 1190 | erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki); |
| 1191 | if (erki != NULL) { | 1191 | if (erki != NULL) { |
| 1192 | debug("%s: revoked by key ID", __func__); | 1192 | KRL_DBG(("%s: revoked by key ID", __func__)); |
| 1193 | return SSH_ERR_KEY_REVOKED; | 1193 | return SSH_ERR_KEY_REVOKED; |
| 1194 | } | 1194 | } |
| 1195 | 1195 | ||
| @@ -1204,13 +1204,11 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key) | |||
| 1204 | rs.lo = rs.hi = key->cert->serial; | 1204 | rs.lo = rs.hi = key->cert->serial; |
| 1205 | ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs); | 1205 | ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs); |
| 1206 | if (ers != NULL) { | 1206 | if (ers != NULL) { |
| 1207 | KRL_DBG(("%s: %llu matched %llu:%llu", __func__, | 1207 | KRL_DBG(("%s: revoked serial %llu matched %llu:%llu", __func__, |
| 1208 | key->cert->serial, ers->lo, ers->hi)); | 1208 | key->cert->serial, ers->lo, ers->hi)); |
| 1209 | debug("%s: revoked by serial", __func__); | ||
| 1210 | return SSH_ERR_KEY_REVOKED; | 1209 | return SSH_ERR_KEY_REVOKED; |
| 1211 | } | 1210 | } |
| 1212 | KRL_DBG(("%s: %llu no match", __func__, key->cert->serial)); | 1211 | KRL_DBG(("%s: %llu no match", __func__, key->cert->serial)); |
| 1213 | |||
| 1214 | return 0; | 1212 | return 0; |
| 1215 | } | 1213 | } |
| 1216 | 1214 | ||
| @@ -1219,7 +1217,7 @@ ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key) | |||
| 1219 | { | 1217 | { |
| 1220 | int r; | 1218 | int r; |
| 1221 | 1219 | ||
| 1222 | debug2("%s: checking key", __func__); | 1220 | KRL_DBG(("%s: checking key", __func__)); |
| 1223 | if ((r = is_key_revoked(krl, key)) != 0) | 1221 | if ((r = is_key_revoked(krl, key)) != 0) |
| 1224 | return r; | 1222 | return r; |
| 1225 | if (sshkey_is_cert(key)) { | 1223 | if (sshkey_is_cert(key)) { |
| @@ -1227,7 +1225,7 @@ ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key) | |||
| 1227 | if ((r = is_key_revoked(krl, key->cert->signature_key)) != 0) | 1225 | if ((r = is_key_revoked(krl, key->cert->signature_key)) != 0) |
| 1228 | return r; | 1226 | return r; |
| 1229 | } | 1227 | } |
| 1230 | debug3("%s: key okay", __func__); | 1228 | KRL_DBG(("%s: key okay", __func__)); |
| 1231 | return 0; | 1229 | return 0; |
| 1232 | } | 1230 | } |
| 1233 | 1231 | ||
| @@ -14,7 +14,7 @@ | |||
| 14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| 15 | */ | 15 | */ |
| 16 | 16 | ||
| 17 | /* $OpenBSD: krl.h,v 1.3 2014/12/04 01:49:59 djm Exp $ */ | 17 | /* $OpenBSD: krl.h,v 1.4 2015/01/13 19:06:49 djm Exp $ */ |
| 18 | 18 | ||
| 19 | #ifndef _KRL_H | 19 | #ifndef _KRL_H |
| 20 | #define _KRL_H | 20 | #define _KRL_H |
| @@ -57,7 +57,7 @@ int ssh_krl_revoke_key(struct ssh_krl *krl, const struct sshkey *key); | |||
| 57 | int ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, | 57 | int ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, |
| 58 | const struct sshkey **sign_keys, u_int nsign_keys); | 58 | const struct sshkey **sign_keys, u_int nsign_keys); |
| 59 | int ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, | 59 | int ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, |
| 60 | const struct sshkey **sign_ca_keys, u_int nsign_ca_keys); | 60 | const struct sshkey **sign_ca_keys, size_t nsign_ca_keys); |
| 61 | int ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key); | 61 | int ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key); |
| 62 | int ssh_krl_file_contains_key(const char *path, const struct sshkey *key); | 62 | int ssh_krl_file_contains_key(const char *path, const struct sshkey *key); |
| 63 | 63 | ||