summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--krl.c98
-rw-r--r--krl.h4
2 files changed, 50 insertions, 52 deletions
diff --git a/krl.c b/krl.c
index 47d6d2c3d..d6bd10935 100644
--- a/krl.c
+++ b/krl.c
@@ -14,7 +14,7 @@
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */ 15 */
16 16
17/* $OpenBSD: krl.c,v 1.24 2015/01/12 19:22:46 markus Exp $ */ 17/* $OpenBSD: krl.c,v 1.25 2015/01/13 19:04:35 djm Exp $ */
18 18
19#include "includes.h" 19#include "includes.h"
20 20
@@ -31,11 +31,11 @@
31#include <unistd.h> 31#include <unistd.h>
32 32
33#include "sshbuf.h" 33#include "sshbuf.h"
34#include "ssherr.h"
34#include "sshkey.h" 35#include "sshkey.h"
35#include "authfile.h" 36#include "authfile.h"
36#include "misc.h" 37#include "misc.h"
37#include "log.h" 38#include "log.h"
38#include "ssherr.h"
39#include "digest.h" 39#include "digest.h"
40 40
41#include "krl.h" 41#include "krl.h"
@@ -230,7 +230,7 @@ revoked_certs_for_ca_key(struct ssh_krl *krl, const struct sshkey *ca_key,
230 RB_INIT(&rc->revoked_serials); 230 RB_INIT(&rc->revoked_serials);
231 RB_INIT(&rc->revoked_key_ids); 231 RB_INIT(&rc->revoked_key_ids);
232 TAILQ_INSERT_TAIL(&krl->revoked_certs, rc, entry); 232 TAILQ_INSERT_TAIL(&krl->revoked_certs, rc, entry);
233 debug3("%s: new CA %s", __func__, sshkey_type(ca_key)); 233 KRL_DBG(("%s: new CA %s", __func__, sshkey_type(ca_key)));
234 *rcp = rc; 234 *rcp = rc;
235 return 0; 235 return 0;
236} 236}
@@ -255,7 +255,7 @@ insert_serial_range(struct revoked_serial_tree *rt, u_int64_t lo, u_int64_t hi)
255 KRL_DBG(("%s: bad: ers != NULL", __func__)); 255 KRL_DBG(("%s: bad: ers != NULL", __func__));
256 /* Shouldn't happen */ 256 /* Shouldn't happen */
257 free(irs); 257 free(irs);
258 return SSH_ERR_ALLOC_FAIL; 258 return SSH_ERR_INTERNAL_ERROR;
259 } 259 }
260 ers = irs; 260 ers = irs;
261 } else { 261 } else {
@@ -270,6 +270,7 @@ insert_serial_range(struct revoked_serial_tree *rt, u_int64_t lo, u_int64_t hi)
270 if (ers->hi < hi) 270 if (ers->hi < hi)
271 ers->hi = hi; 271 ers->hi = hi;
272 } 272 }
273
273 /* 274 /*
274 * The inserted or revised range might overlap or abut adjacent ones; 275 * The inserted or revised range might overlap or abut adjacent ones;
275 * coalesce as necessary. 276 * coalesce as necessary.
@@ -315,14 +316,14 @@ ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const struct sshkey *ca_key,
315} 316}
316 317
317int 318int
318ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, const struct sshkey *ca_key, 319ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl,
319 u_int64_t lo, u_int64_t hi) 320 const struct sshkey *ca_key, u_int64_t lo, u_int64_t hi)
320{ 321{
321 struct revoked_certs *rc; 322 struct revoked_certs *rc;
322 int r; 323 int r;
323 324
324 if (lo > hi || lo == 0) 325 if (lo > hi || lo == 0)
325 return -1; 326 return SSH_ERR_INVALID_ARGUMENT;
326 if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0) 327 if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0)
327 return r; 328 return r;
328 return insert_serial_range(&rc->revoked_serials, lo, hi); 329 return insert_serial_range(&rc->revoked_serials, lo, hi);
@@ -339,7 +340,7 @@ ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl, const struct sshkey *ca_key,
339 if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0) 340 if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0)
340 return r; 341 return r;
341 342
342 debug3("%s: revoke %s", __func__, key_id); 343 KRL_DBG(("%s: revoke %s", __func__, key_id));
343 if ((rki = calloc(1, sizeof(*rki))) == NULL || 344 if ((rki = calloc(1, sizeof(*rki))) == NULL ||
344 (rki->key_id = strdup(key_id)) == NULL) { 345 (rki->key_id = strdup(key_id)) == NULL) {
345 free(rki); 346 free(rki);
@@ -375,7 +376,7 @@ plain_key_blob(const struct sshkey *key, u_char **blob, size_t *blen)
375 376
376/* Revoke a key blob. Ownership of blob is transferred to the tree */ 377/* Revoke a key blob. Ownership of blob is transferred to the tree */
377static int 378static int
378revoke_blob(struct revoked_blob_tree *rbt, u_char *blob, u_int len) 379revoke_blob(struct revoked_blob_tree *rbt, u_char *blob, size_t len)
379{ 380{
380 struct revoked_blob *rb, *erb; 381 struct revoked_blob *rb, *erb;
381 382
@@ -507,14 +508,14 @@ choose_next_state(int current_state, u_int64_t contig, int final,
507 *force_new_section = 1; 508 *force_new_section = 1;
508 cost = cost_bitmap_restart; 509 cost = cost_bitmap_restart;
509 } 510 }
510 debug3("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:" 511 KRL_DBG(("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:"
511 "list %llu range %llu bitmap %llu new bitmap %llu, " 512 "list %llu range %llu bitmap %llu new bitmap %llu, "
512 "selected 0x%02x%s", __func__, (long long unsigned)contig, 513 "selected 0x%02x%s", __func__, (long long unsigned)contig,
513 (long long unsigned)last_gap, (long long unsigned)next_gap, final, 514 (long long unsigned)last_gap, (long long unsigned)next_gap, final,
514 (long long unsigned)cost_list, (long long unsigned)cost_range, 515 (long long unsigned)cost_list, (long long unsigned)cost_range,
515 (long long unsigned)cost_bitmap, 516 (long long unsigned)cost_bitmap,
516 (long long unsigned)cost_bitmap_restart, new_state, 517 (long long unsigned)cost_bitmap_restart, new_state,
517 *force_new_section ? " restart" : ""); 518 *force_new_section ? " restart" : ""));
518 return new_state; 519 return new_state;
519} 520}
520 521
@@ -522,7 +523,7 @@ choose_next_state(int current_state, u_int64_t contig, int final,
522static int 523static int
523revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) 524revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
524{ 525{
525 int final, force_new_sect, r = -1; 526 int final, force_new_sect, r = SSH_ERR_INTERNAL_ERROR;
526 u_int64_t i, contig, gap, last = 0, bitmap_start = 0; 527 u_int64_t i, contig, gap, last = 0, bitmap_start = 0;
527 struct revoked_serial *rs, *nrs; 528 struct revoked_serial *rs, *nrs;
528 struct revoked_key_id *rki; 529 struct revoked_key_id *rki;
@@ -545,9 +546,9 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
545 for (rs = RB_MIN(revoked_serial_tree, &rc->revoked_serials); 546 for (rs = RB_MIN(revoked_serial_tree, &rc->revoked_serials);
546 rs != NULL; 547 rs != NULL;
547 rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) { 548 rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) {
548 debug3("%s: serial %llu:%llu state 0x%02x", __func__, 549 KRL_DBG(("%s: serial %llu:%llu state 0x%02x", __func__,
549 (long long unsigned)rs->lo, (long long unsigned)rs->hi, 550 (long long unsigned)rs->lo, (long long unsigned)rs->hi,
550 state); 551 state));
551 552
552 /* Check contiguous length and gap to next section (if any) */ 553 /* Check contiguous length and gap to next section (if any) */
553 nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs); 554 nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs);
@@ -565,7 +566,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
565 */ 566 */
566 if (state != 0 && (force_new_sect || next_state != state || 567 if (state != 0 && (force_new_sect || next_state != state ||
567 state == KRL_SECTION_CERT_SERIAL_RANGE)) { 568 state == KRL_SECTION_CERT_SERIAL_RANGE)) {
568 debug3("%s: finish state 0x%02x", __func__, state); 569 KRL_DBG(("%s: finish state 0x%02x", __func__, state));
569 switch (state) { 570 switch (state) {
570 case KRL_SECTION_CERT_SERIAL_LIST: 571 case KRL_SECTION_CERT_SERIAL_LIST:
571 case KRL_SECTION_CERT_SERIAL_RANGE: 572 case KRL_SECTION_CERT_SERIAL_RANGE:
@@ -585,7 +586,8 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
585 586
586 /* If we are starting a new section then prepare it now */ 587 /* If we are starting a new section then prepare it now */
587 if (next_state != state || force_new_sect) { 588 if (next_state != state || force_new_sect) {
588 debug3("%s: start state 0x%02x", __func__, next_state); 589 KRL_DBG(("%s: start state 0x%02x", __func__,
590 next_state));
589 state = next_state; 591 state = next_state;
590 sshbuf_reset(sect); 592 sshbuf_reset(sect);
591 switch (state) { 593 switch (state) {
@@ -636,8 +638,8 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
636 } 638 }
637 /* Flush the remaining section, if any */ 639 /* Flush the remaining section, if any */
638 if (state != 0) { 640 if (state != 0) {
639 debug3("%s: serial final flush for state 0x%02x", 641 KRL_DBG(("%s: serial final flush for state 0x%02x",
640 __func__, state); 642 __func__, state));
641 switch (state) { 643 switch (state) {
642 case KRL_SECTION_CERT_SERIAL_LIST: 644 case KRL_SECTION_CERT_SERIAL_LIST:
643 case KRL_SECTION_CERT_SERIAL_RANGE: 645 case KRL_SECTION_CERT_SERIAL_RANGE:
@@ -653,12 +655,12 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
653 (r = sshbuf_put_stringb(buf, sect)) != 0) 655 (r = sshbuf_put_stringb(buf, sect)) != 0)
654 goto out; 656 goto out;
655 } 657 }
656 debug3("%s: serial done ", __func__); 658 KRL_DBG(("%s: serial done ", __func__));
657 659
658 /* Now output a section for any revocations by key ID */ 660 /* Now output a section for any revocations by key ID */
659 sshbuf_reset(sect); 661 sshbuf_reset(sect);
660 RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) { 662 RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) {
661 debug3("%s: key ID %s", __func__, rki->key_id); 663 KRL_DBG(("%s: key ID %s", __func__, rki->key_id));
662 if ((r = sshbuf_put_cstring(sect, rki->key_id)) != 0) 664 if ((r = sshbuf_put_cstring(sect, rki->key_id)) != 0)
663 goto out; 665 goto out;
664 } 666 }
@@ -679,7 +681,7 @@ int
679ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, 681ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf,
680 const struct sshkey **sign_keys, u_int nsign_keys) 682 const struct sshkey **sign_keys, u_int nsign_keys)
681{ 683{
682 int r = -1; 684 int r = SSH_ERR_INTERNAL_ERROR;
683 struct revoked_certs *rc; 685 struct revoked_certs *rc;
684 struct revoked_blob *rb; 686 struct revoked_blob *rb;
685 struct sshbuf *sect; 687 struct sshbuf *sect;
@@ -715,7 +717,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf,
715 /* Finally, output sections for revocations by public key/hash */ 717 /* Finally, output sections for revocations by public key/hash */
716 sshbuf_reset(sect); 718 sshbuf_reset(sect);
717 RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) { 719 RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) {
718 debug3("%s: key len %zu ", __func__, rb->len); 720 KRL_DBG(("%s: key len %u ", __func__, rb->len));
719 if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) 721 if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0)
720 goto out; 722 goto out;
721 } 723 }
@@ -726,7 +728,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf,
726 } 728 }
727 sshbuf_reset(sect); 729 sshbuf_reset(sect);
728 RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) { 730 RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) {
729 debug3("%s: hash len %zu ", __func__, rb->len); 731 KRL_DBG(("%s: hash len %u ", __func__, rb->len));
730 if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) 732 if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0)
731 goto out; 733 goto out;
732 } 734 }
@@ -742,7 +744,8 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf,
742 if ((r = sshkey_to_blob_buf(sign_keys[i], sect)) != 0) 744 if ((r = sshkey_to_blob_buf(sign_keys[i], sect)) != 0)
743 goto out; 745 goto out;
744 746
745 debug3("%s: signature key len %zu", __func__, sshbuf_len(sect)); 747 KRL_DBG(("%s: signature key len %zu", __func__,
748 sshbuf_len(sect)));
746 if ((r = sshbuf_put_u8(buf, KRL_SECTION_SIGNATURE)) != 0 || 749 if ((r = sshbuf_put_u8(buf, KRL_SECTION_SIGNATURE)) != 0 ||
747 (r = sshbuf_put_stringb(buf, sect)) != 0) 750 (r = sshbuf_put_stringb(buf, sect)) != 0)
748 goto out; 751 goto out;
@@ -750,7 +753,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf,
750 if ((r = sshkey_sign(sign_keys[i], &sblob, &slen, 753 if ((r = sshkey_sign(sign_keys[i], &sblob, &slen,
751 sshbuf_ptr(buf), sshbuf_len(buf), 0)) == -1) 754 sshbuf_ptr(buf), sshbuf_len(buf), 0)) == -1)
752 goto out; 755 goto out;
753 debug3("%s: signature sig len %zu", __func__, slen); 756 KRL_DBG(("%s: signature sig len %u", __func__, slen));
754 if ((r = sshbuf_put_string(buf, sblob, slen)) != 0) 757 if ((r = sshbuf_put_string(buf, sblob, slen)) != 0)
755 goto out; 758 goto out;
756 } 759 }
@@ -781,7 +784,7 @@ format_timestamp(u_int64_t timestamp, char *ts, size_t nts)
781static int 784static int
782parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl) 785parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl)
783{ 786{
784 int r = -1, nbits; 787 int r = SSH_ERR_INTERNAL_ERROR, nbits;
785 u_char type; 788 u_char type;
786 const u_char *blob; 789 const u_char *blob;
787 size_t blen; 790 size_t blen;
@@ -809,7 +812,8 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl)
809 if ((r = sshbuf_get_u8(buf, &type)) != 0 || 812 if ((r = sshbuf_get_u8(buf, &type)) != 0 ||
810 (r = sshbuf_froms(buf, &subsect)) != 0) 813 (r = sshbuf_froms(buf, &subsect)) != 0)
811 goto out; 814 goto out;
812 debug3("%s: subsection type 0x%02x", __func__, type); 815 KRL_DBG(("%s: subsection type 0x%02x", __func__, type));
816 /* sshbuf_dump(subsect, stderr); */
813 817
814 switch (type) { 818 switch (type) {
815 case KRL_SECTION_CERT_SERIAL_LIST: 819 case KRL_SECTION_CERT_SERIAL_LIST:
@@ -842,7 +846,7 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl)
842 r = SSH_ERR_INVALID_FORMAT; 846 r = SSH_ERR_INVALID_FORMAT;
843 goto out; 847 goto out;
844 } 848 }
845 for (serial = 0; serial < (u_int)nbits; serial++) { 849 for (serial = 0; serial < (u_int64_t)nbits; serial++) {
846 if (serial > 0 && serial_lo + serial == 0) { 850 if (serial > 0 && serial_lo + serial == 0) {
847 error("%s: bitmap wraps u64", __func__); 851 error("%s: bitmap wraps u64", __func__);
848 r = SSH_ERR_INVALID_FORMAT; 852 r = SSH_ERR_INVALID_FORMAT;
@@ -895,12 +899,12 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl)
895/* Attempt to parse a KRL, checking its signature (if any) with sign_ca_keys. */ 899/* Attempt to parse a KRL, checking its signature (if any) with sign_ca_keys. */
896int 900int
897ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, 901ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
898 const struct sshkey **sign_ca_keys, u_int nsign_ca_keys) 902 const struct sshkey **sign_ca_keys, size_t nsign_ca_keys)
899{ 903{
900 struct sshbuf *copy = NULL, *sect = NULL; 904 struct sshbuf *copy = NULL, *sect = NULL;
901 struct ssh_krl *krl = NULL; 905 struct ssh_krl *krl = NULL;
902 char timestamp[64]; 906 char timestamp[64];
903 int r = -1, sig_seen; 907 int r = SSH_ERR_INTERNAL_ERROR, sig_seen;
904 struct sshkey *key = NULL, **ca_used = NULL, **tmp_ca_used; 908 struct sshkey *key = NULL, **ca_used = NULL, **tmp_ca_used;
905 u_char type, *rdata = NULL; 909 u_char type, *rdata = NULL;
906 const u_char *blob; 910 const u_char *blob;
@@ -961,12 +965,12 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
961 if ((r = sshbuf_get_u8(copy, &type)) != 0 || 965 if ((r = sshbuf_get_u8(copy, &type)) != 0 ||
962 (r = sshbuf_get_string_direct(copy, &blob, &blen)) != 0) 966 (r = sshbuf_get_string_direct(copy, &blob, &blen)) != 0)
963 goto out; 967 goto out;
964 debug3("%s: first pass, section 0x%02x", __func__, type); 968 KRL_DBG(("%s: first pass, section 0x%02x", __func__, type));
965 if (type != KRL_SECTION_SIGNATURE) { 969 if (type != KRL_SECTION_SIGNATURE) {
966 if (sig_seen) { 970 if (sig_seen) {
967 r = SSH_ERR_INVALID_FORMAT;
968 error("KRL contains non-signature section " 971 error("KRL contains non-signature section "
969 "after signature"); 972 "after signature");
973 r = SSH_ERR_INVALID_FORMAT;
970 goto out; 974 goto out;
971 } 975 }
972 /* Not interested for now. */ 976 /* Not interested for now. */
@@ -976,7 +980,6 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
976 /* First string component is the signing key */ 980 /* First string component is the signing key */
977 if ((r = sshkey_from_blob(blob, blen, &key)) != 0) { 981 if ((r = sshkey_from_blob(blob, blen, &key)) != 0) {
978 r = SSH_ERR_INVALID_FORMAT; 982 r = SSH_ERR_INVALID_FORMAT;
979 error("%s: invalid signature key", __func__);
980 goto out; 983 goto out;
981 } 984 }
982 if (sshbuf_len(buf) < sshbuf_len(copy)) { 985 if (sshbuf_len(buf) < sshbuf_len(copy)) {
@@ -992,16 +995,14 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
992 } 995 }
993 /* Check signature over entire KRL up to this point */ 996 /* Check signature over entire KRL up to this point */
994 if ((r = sshkey_verify(key, blob, blen, 997 if ((r = sshkey_verify(key, blob, blen,
995 sshbuf_ptr(buf), sshbuf_len(buf) - sig_off, 0)) != 0) { 998 sshbuf_ptr(buf), sshbuf_len(buf) - sig_off, 0)) != 0)
996 error("bad signaure on KRL");
997 goto out; 999 goto out;
998 }
999 /* Check if this key has already signed this KRL */ 1000 /* Check if this key has already signed this KRL */
1000 for (i = 0; i < nca_used; i++) { 1001 for (i = 0; i < nca_used; i++) {
1001 if (sshkey_equal(ca_used[i], key)) { 1002 if (sshkey_equal(ca_used[i], key)) {
1002 error("KRL signed more than once with " 1003 error("KRL signed more than once with "
1003 "the same key"); 1004 "the same key");
1004 r = SSH_ERR_SIGNATURE_INVALID; 1005 r = SSH_ERR_INVALID_FORMAT;
1005 goto out; 1006 goto out;
1006 } 1007 }
1007 } 1008 }
@@ -1041,10 +1042,9 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
1041 sect = NULL; 1042 sect = NULL;
1042 } 1043 }
1043 if ((r = sshbuf_get_u8(copy, &type)) != 0 || 1044 if ((r = sshbuf_get_u8(copy, &type)) != 0 ||
1044 (r = sshbuf_froms(copy, &sect)) != 0) { 1045 (r = sshbuf_froms(copy, &sect)) != 0)
1045 goto out; 1046 goto out;
1046 } 1047 KRL_DBG(("%s: second pass, section 0x%02x", __func__, type));
1047 debug3("%s: second pass, section 0x%02x", __func__, type);
1048 1048
1049 switch (type) { 1049 switch (type) {
1050 case KRL_SECTION_CERTIFICATES: 1050 case KRL_SECTION_CERTIFICATES:
@@ -1068,7 +1068,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
1068 &krl->revoked_keys : &krl->revoked_sha1s, 1068 &krl->revoked_keys : &krl->revoked_sha1s,
1069 rdata, rlen)) != 0) 1069 rdata, rlen)) != 0)
1070 goto out; 1070 goto out;
1071 rdata = NULL; /* revoke_blob frees blob */ 1071 rdata = NULL; /* revoke_blob frees rdata */
1072 } 1072 }
1073 break; 1073 break;
1074 case KRL_SECTION_SIGNATURE: 1074 case KRL_SECTION_SIGNATURE:
@@ -1101,8 +1101,8 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
1101 } 1101 }
1102 } 1102 }
1103 if (nca_used && !sig_seen) { 1103 if (nca_used && !sig_seen) {
1104 r = SSH_ERR_SIGNATURE_INVALID;
1105 error("All keys used to sign KRL were revoked"); 1104 error("All keys used to sign KRL were revoked");
1105 r = SSH_ERR_KEY_REVOKED;
1106 goto out; 1106 goto out;
1107 } 1107 }
1108 1108
@@ -1159,7 +1159,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
1159 erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); 1159 erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
1160 free(rb.blob); 1160 free(rb.blob);
1161 if (erb != NULL) { 1161 if (erb != NULL) {
1162 debug("%s: revoked by key SHA1", __func__); 1162 KRL_DBG(("%s: revoked by key SHA1", __func__));
1163 return SSH_ERR_KEY_REVOKED; 1163 return SSH_ERR_KEY_REVOKED;
1164 } 1164 }
1165 1165
@@ -1170,7 +1170,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
1170 erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb); 1170 erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
1171 free(rb.blob); 1171 free(rb.blob);
1172 if (erb != NULL) { 1172 if (erb != NULL) {
1173 debug("%s: revoked by explicit key", __func__); 1173 KRL_DBG(("%s: revoked by explicit key", __func__));
1174 return SSH_ERR_KEY_REVOKED; 1174 return SSH_ERR_KEY_REVOKED;
1175 } 1175 }
1176 1176
@@ -1189,7 +1189,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
1189 rki.key_id = key->cert->key_id; 1189 rki.key_id = key->cert->key_id;
1190 erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki); 1190 erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki);
1191 if (erki != NULL) { 1191 if (erki != NULL) {
1192 debug("%s: revoked by key ID", __func__); 1192 KRL_DBG(("%s: revoked by key ID", __func__));
1193 return SSH_ERR_KEY_REVOKED; 1193 return SSH_ERR_KEY_REVOKED;
1194 } 1194 }
1195 1195
@@ -1204,13 +1204,11 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
1204 rs.lo = rs.hi = key->cert->serial; 1204 rs.lo = rs.hi = key->cert->serial;
1205 ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs); 1205 ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs);
1206 if (ers != NULL) { 1206 if (ers != NULL) {
1207 KRL_DBG(("%s: %llu matched %llu:%llu", __func__, 1207 KRL_DBG(("%s: revoked serial %llu matched %llu:%llu", __func__,
1208 key->cert->serial, ers->lo, ers->hi)); 1208 key->cert->serial, ers->lo, ers->hi));
1209 debug("%s: revoked by serial", __func__);
1210 return SSH_ERR_KEY_REVOKED; 1209 return SSH_ERR_KEY_REVOKED;
1211 } 1210 }
1212 KRL_DBG(("%s: %llu no match", __func__, key->cert->serial)); 1211 KRL_DBG(("%s: %llu no match", __func__, key->cert->serial));
1213
1214 return 0; 1212 return 0;
1215} 1213}
1216 1214
@@ -1219,7 +1217,7 @@ ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key)
1219{ 1217{
1220 int r; 1218 int r;
1221 1219
1222 debug2("%s: checking key", __func__); 1220 KRL_DBG(("%s: checking key", __func__));
1223 if ((r = is_key_revoked(krl, key)) != 0) 1221 if ((r = is_key_revoked(krl, key)) != 0)
1224 return r; 1222 return r;
1225 if (sshkey_is_cert(key)) { 1223 if (sshkey_is_cert(key)) {
@@ -1227,7 +1225,7 @@ ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key)
1227 if ((r = is_key_revoked(krl, key->cert->signature_key)) != 0) 1225 if ((r = is_key_revoked(krl, key->cert->signature_key)) != 0)
1228 return r; 1226 return r;
1229 } 1227 }
1230 debug3("%s: key okay", __func__); 1228 KRL_DBG(("%s: key okay", __func__));
1231 return 0; 1229 return 0;
1232} 1230}
1233 1231
diff --git a/krl.h b/krl.h
index c98cc139d..4e12befc3 100644
--- a/krl.h
+++ b/krl.h
@@ -14,7 +14,7 @@
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */ 15 */
16 16
17/* $OpenBSD: krl.h,v 1.3 2014/12/04 01:49:59 djm Exp $ */ 17/* $OpenBSD: krl.h,v 1.4 2015/01/13 19:06:49 djm Exp $ */
18 18
19#ifndef _KRL_H 19#ifndef _KRL_H
20#define _KRL_H 20#define _KRL_H
@@ -57,7 +57,7 @@ int ssh_krl_revoke_key(struct ssh_krl *krl, const struct sshkey *key);
57int ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, 57int ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf,
58 const struct sshkey **sign_keys, u_int nsign_keys); 58 const struct sshkey **sign_keys, u_int nsign_keys);
59int ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, 59int ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
60 const struct sshkey **sign_ca_keys, u_int nsign_ca_keys); 60 const struct sshkey **sign_ca_keys, size_t nsign_ca_keys);
61int ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key); 61int ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key);
62int ssh_krl_file_contains_key(const char *path, const struct sshkey *key); 62int ssh_krl_file_contains_key(const char *path, const struct sshkey *key);
63 63