Diffstat (limited to 'krl.c')
-rw-r--r-- | krl.c | 62 |
1 files changed, 41 insertions, 21 deletions
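--- a/krl.c
+++ b/krl.c
@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $OpenBSD: krl.c,v 1.25 2015/01/13 19:04:35 djm Exp $ */
+/* $OpenBSD: krl.c,v 1.26 2015/01/14 15:02:39 djm Exp $ */
 
 #include "includes.h"
 
@@ -37,6 +37,7 @@
 #include "misc.h"
 #include "log.h"
 #include "digest.h"
+#include "bitmap.h"
 
 #include "krl.h"
 
@@ -519,6 +520,25 @@ choose_next_state(int current_state, u_int64_t contig, int final,
 	return new_state;
 }
 
+static int
+put_bitmap(struct sshbuf *buf, struct bitmap *bitmap)
+{
+	size_t len;
+	u_char *blob;
+	int r;
+
+	len = bitmap_nbytes(bitmap);
+	if ((blob = malloc(len)) == NULL)
+		return SSH_ERR_ALLOC_FAIL;
+	if (bitmap_to_string(bitmap, blob, len) != 0) {
+		free(blob);
+		return SSH_ERR_INTERNAL_ERROR;
+	}
+	r = sshbuf_put_bignum2_bytes(buf, blob, len);
+	free(blob);
+	return r;
+}
+
 /* Generate a KRL_SECTION_CERTIFICATES KRL section */
 static int
 revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
@@ -529,7 +549,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
 	struct revoked_key_id *rki;
 	int next_state, state = 0;
 	struct sshbuf *sect;
-	BIGNUM *bitmap = NULL;
+	struct bitmap *bitmap = NULL;
 
 	if ((sect = sshbuf_new()) == NULL)
 		return SSH_ERR_ALLOC_FAIL;
@@ -572,9 +592,9 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
 		case KRL_SECTION_CERT_SERIAL_RANGE:
 			break;
 		case KRL_SECTION_CERT_SERIAL_BITMAP:
-			if ((r = sshbuf_put_bignum2(sect, bitmap)) != 0)
+			if ((r = put_bitmap(sect, bitmap)) != 0)
 				goto out;
-			BN_free(bitmap);
+			bitmap_free(bitmap);
 			bitmap = NULL;
 			break;
 		}
@@ -595,7 +615,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
 		case KRL_SECTION_CERT_SERIAL_RANGE:
 			break;
 		case KRL_SECTION_CERT_SERIAL_BITMAP:
-			if ((bitmap = BN_new()) == NULL) {
+			if ((bitmap = bitmap_new()) == NULL) {
 				r = SSH_ERR_ALLOC_FAIL;
 				goto out;
 			}
@@ -626,8 +646,8 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
 				goto out;
 			}
 			for (i = 0; i < contig; i++) {
-				if (BN_set_bit(bitmap,
-				    rs->lo + i - bitmap_start) != 1) {
+				if (bitmap_set_bit(bitmap,
+				    rs->lo + i - bitmap_start) != 0) {
 					r = SSH_ERR_ALLOC_FAIL;
 					goto out;
 				}
@@ -645,9 +665,9 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
 		case KRL_SECTION_CERT_SERIAL_RANGE:
 			break;
 		case KRL_SECTION_CERT_SERIAL_BITMAP:
-			if ((r = sshbuf_put_bignum2(sect, bitmap)) != 0)
+			if ((r = put_bitmap(sect, bitmap)) != 0)
 				goto out;
-			BN_free(bitmap);
+			bitmap_free(bitmap);
 			bitmap = NULL;
 			break;
 		}
@@ -671,8 +691,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
 	}
 	r = 0;
 out:
-	if (bitmap != NULL)
-		BN_free(bitmap);
+	bitmap_free(bitmap);
 	sshbuf_free(sect);
 	return r;
 }
@@ -784,13 +803,13 @@ format_timestamp(u_int64_t timestamp, char *ts, size_t nts)
 static int
 parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl)
 {
-	int r = SSH_ERR_INTERNAL_ERROR, nbits;
+	int r = SSH_ERR_INTERNAL_ERROR;
 	u_char type;
 	const u_char *blob;
-	size_t blen;
+	size_t blen, nbits;
 	struct sshbuf *subsect = NULL;
 	u_int64_t serial, serial_lo, serial_hi;
-	BIGNUM *bitmap = NULL;
+	struct bitmap *bitmap = NULL;
 	char *key_id = NULL;
 	struct sshkey *ca_key = NULL;
 
@@ -834,31 +853,32 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl)
 				goto out;
 			break;
 		case KRL_SECTION_CERT_SERIAL_BITMAP:
-			if ((bitmap = BN_new()) == NULL) {
+			if ((bitmap = bitmap_new()) == NULL) {
 				r = SSH_ERR_ALLOC_FAIL;
 				goto out;
 			}
 			if ((r = sshbuf_get_u64(subsect, &serial_lo)) != 0 ||
-			    (r = sshbuf_get_bignum2(subsect, bitmap)) != 0)
+			    (r = sshbuf_get_bignum2_bytes_direct(subsect,
+			    &blob, &blen)) != 0)
 				goto out;
-			if ((nbits = BN_num_bits(bitmap)) < 0) {
-				error("%s: bitmap bits < 0", __func__);
+			if (bitmap_from_string(bitmap, blob, blen) != 0) {
 				r = SSH_ERR_INVALID_FORMAT;
 				goto out;
 			}
+			nbits = bitmap_nbits(bitmap);
 			for (serial = 0; serial < (u_int64_t)nbits; serial++) {
 				if (serial > 0 && serial_lo + serial == 0) {
 					error("%s: bitmap wraps u64", __func__);
 					r = SSH_ERR_INVALID_FORMAT;
 					goto out;
 				}
-				if (!BN_is_bit_set(bitmap, serial))
+				if (!bitmap_test_bit(bitmap, serial))
 					continue;
 				if ((r = ssh_krl_revoke_cert_by_serial(krl,
 				    ca_key, serial_lo + serial)) != 0)
 					goto out;
 			}
-			BN_free(bitmap);
+			bitmap_free(bitmap);
 			bitmap = NULL;
 			break;
 		case KRL_SECTION_CERT_KEY_ID:
@@ -888,7 +908,7 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl)
 	r = 0;
 out:
 	if (bitmap != NULL)
-		BN_free(bitmap);
+		bitmap_free(bitmap);
 	free(key_id);
 	sshkey_free(ca_key);
 	sshbuf_free(subsect);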
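Review bot: The cleanup at `out:` in parse_revoked_certs keeps the `if (bitmap != NULL)` guard in front of `bitmap_free(bitmap)`, while the same commit drops that guard in revoked_certs_generate's `out:` (the -671,8 hunk) and calls `bitmap_free(bitmap);` unconditionally, so the two cleanup paths now disagree about whether bitmap_free tolerates NULL; if it does, as the generate path assumes, the guard here should go too, leaving just `bitmap_free(bitmap);`. The new put_bitmap helper (the -519,6 hunk) has no header comment; suggest `/* Serialize bitmap as a bignum2 byte string into buf; bitmap is not consumed and remains the caller's to free. */` above it. Still in put_bitmap, `malloc(len)` with `len == 0` may legitimately return NULL on some platforms and would then be reported as SSH_ERR_ALLOC_FAIL, so whether bitmap_nbytes() can return 0 for an empty bitmap is worth confirming, as that is not visible here. The replaced `bitmap_from_string` failure branch also drops the `error()` log the old BN_num_bits branch had, so a malformed KRL bitmap now fails silently with SSH_ERR_INVALID_FORMAT; a one-line `error("%s: invalid bitmap", __func__);` would keep parse failures diagnosable. The body of parse_revoked_certs continues outside both hunks.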