diff options
Diffstat (limited to 'krl.c')
-rw-r--r-- | krl.c | 98 |
1 files changed, 48 insertions, 50 deletions
@@ -14,7 +14,7 @@ | |||
14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | 14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
15 | */ | 15 | */ |
16 | 16 | ||
17 | /* $OpenBSD: krl.c,v 1.24 2015/01/12 19:22:46 markus Exp $ */ | 17 | /* $OpenBSD: krl.c,v 1.25 2015/01/13 19:04:35 djm Exp $ */ |
18 | 18 | ||
19 | #include "includes.h" | 19 | #include "includes.h" |
20 | 20 | ||
@@ -31,11 +31,11 @@ | |||
31 | #include <unistd.h> | 31 | #include <unistd.h> |
32 | 32 | ||
33 | #include "sshbuf.h" | 33 | #include "sshbuf.h" |
34 | #include "ssherr.h" | ||
34 | #include "sshkey.h" | 35 | #include "sshkey.h" |
35 | #include "authfile.h" | 36 | #include "authfile.h" |
36 | #include "misc.h" | 37 | #include "misc.h" |
37 | #include "log.h" | 38 | #include "log.h" |
38 | #include "ssherr.h" | ||
39 | #include "digest.h" | 39 | #include "digest.h" |
40 | 40 | ||
41 | #include "krl.h" | 41 | #include "krl.h" |
@@ -230,7 +230,7 @@ revoked_certs_for_ca_key(struct ssh_krl *krl, const struct sshkey *ca_key, | |||
230 | RB_INIT(&rc->revoked_serials); | 230 | RB_INIT(&rc->revoked_serials); |
231 | RB_INIT(&rc->revoked_key_ids); | 231 | RB_INIT(&rc->revoked_key_ids); |
232 | TAILQ_INSERT_TAIL(&krl->revoked_certs, rc, entry); | 232 | TAILQ_INSERT_TAIL(&krl->revoked_certs, rc, entry); |
233 | debug3("%s: new CA %s", __func__, sshkey_type(ca_key)); | 233 | KRL_DBG(("%s: new CA %s", __func__, sshkey_type(ca_key))); |
234 | *rcp = rc; | 234 | *rcp = rc; |
235 | return 0; | 235 | return 0; |
236 | } | 236 | } |
@@ -255,7 +255,7 @@ insert_serial_range(struct revoked_serial_tree *rt, u_int64_t lo, u_int64_t hi) | |||
255 | KRL_DBG(("%s: bad: ers != NULL", __func__)); | 255 | KRL_DBG(("%s: bad: ers != NULL", __func__)); |
256 | /* Shouldn't happen */ | 256 | /* Shouldn't happen */ |
257 | free(irs); | 257 | free(irs); |
258 | return SSH_ERR_ALLOC_FAIL; | 258 | return SSH_ERR_INTERNAL_ERROR; |
259 | } | 259 | } |
260 | ers = irs; | 260 | ers = irs; |
261 | } else { | 261 | } else { |
@@ -270,6 +270,7 @@ insert_serial_range(struct revoked_serial_tree *rt, u_int64_t lo, u_int64_t hi) | |||
270 | if (ers->hi < hi) | 270 | if (ers->hi < hi) |
271 | ers->hi = hi; | 271 | ers->hi = hi; |
272 | } | 272 | } |
273 | |||
273 | /* | 274 | /* |
274 | * The inserted or revised range might overlap or abut adjacent ones; | 275 | * The inserted or revised range might overlap or abut adjacent ones; |
275 | * coalesce as necessary. | 276 | * coalesce as necessary. |
@@ -315,14 +316,14 @@ ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const struct sshkey *ca_key, | |||
315 | } | 316 | } |
316 | 317 | ||
317 | int | 318 | int |
318 | ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, const struct sshkey *ca_key, | 319 | ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, |
319 | u_int64_t lo, u_int64_t hi) | 320 | const struct sshkey *ca_key, u_int64_t lo, u_int64_t hi) |
320 | { | 321 | { |
321 | struct revoked_certs *rc; | 322 | struct revoked_certs *rc; |
322 | int r; | 323 | int r; |
323 | 324 | ||
324 | if (lo > hi || lo == 0) | 325 | if (lo > hi || lo == 0) |
325 | return -1; | 326 | return SSH_ERR_INVALID_ARGUMENT; |
326 | if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0) | 327 | if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0) |
327 | return r; | 328 | return r; |
328 | return insert_serial_range(&rc->revoked_serials, lo, hi); | 329 | return insert_serial_range(&rc->revoked_serials, lo, hi); |
@@ -339,7 +340,7 @@ ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl, const struct sshkey *ca_key, | |||
339 | if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0) | 340 | if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0) |
340 | return r; | 341 | return r; |
341 | 342 | ||
342 | debug3("%s: revoke %s", __func__, key_id); | 343 | KRL_DBG(("%s: revoke %s", __func__, key_id)); |
343 | if ((rki = calloc(1, sizeof(*rki))) == NULL || | 344 | if ((rki = calloc(1, sizeof(*rki))) == NULL || |
344 | (rki->key_id = strdup(key_id)) == NULL) { | 345 | (rki->key_id = strdup(key_id)) == NULL) { |
345 | free(rki); | 346 | free(rki); |
@@ -375,7 +376,7 @@ plain_key_blob(const struct sshkey *key, u_char **blob, size_t *blen) | |||
375 | 376 | ||
376 | /* Revoke a key blob. Ownership of blob is transferred to the tree */ | 377 | /* Revoke a key blob. Ownership of blob is transferred to the tree */ |
377 | static int | 378 | static int |
378 | revoke_blob(struct revoked_blob_tree *rbt, u_char *blob, u_int len) | 379 | revoke_blob(struct revoked_blob_tree *rbt, u_char *blob, size_t len) |
379 | { | 380 | { |
380 | struct revoked_blob *rb, *erb; | 381 | struct revoked_blob *rb, *erb; |
381 | 382 | ||
@@ -507,14 +508,14 @@ choose_next_state(int current_state, u_int64_t contig, int final, | |||
507 | *force_new_section = 1; | 508 | *force_new_section = 1; |
508 | cost = cost_bitmap_restart; | 509 | cost = cost_bitmap_restart; |
509 | } | 510 | } |
510 | debug3("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:" | 511 | KRL_DBG(("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:" |
511 | "list %llu range %llu bitmap %llu new bitmap %llu, " | 512 | "list %llu range %llu bitmap %llu new bitmap %llu, " |
512 | "selected 0x%02x%s", __func__, (long long unsigned)contig, | 513 | "selected 0x%02x%s", __func__, (long long unsigned)contig, |
513 | (long long unsigned)last_gap, (long long unsigned)next_gap, final, | 514 | (long long unsigned)last_gap, (long long unsigned)next_gap, final, |
514 | (long long unsigned)cost_list, (long long unsigned)cost_range, | 515 | (long long unsigned)cost_list, (long long unsigned)cost_range, |
515 | (long long unsigned)cost_bitmap, | 516 | (long long unsigned)cost_bitmap, |
516 | (long long unsigned)cost_bitmap_restart, new_state, | 517 | (long long unsigned)cost_bitmap_restart, new_state, |
517 | *force_new_section ? " restart" : ""); | 518 | *force_new_section ? " restart" : "")); |
518 | return new_state; | 519 | return new_state; |
519 | } | 520 | } |
520 | 521 | ||
@@ -522,7 +523,7 @@ choose_next_state(int current_state, u_int64_t contig, int final, | |||
522 | static int | 523 | static int |
523 | revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) | 524 | revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) |
524 | { | 525 | { |
525 | int final, force_new_sect, r = -1; | 526 | int final, force_new_sect, r = SSH_ERR_INTERNAL_ERROR; |
526 | u_int64_t i, contig, gap, last = 0, bitmap_start = 0; | 527 | u_int64_t i, contig, gap, last = 0, bitmap_start = 0; |
527 | struct revoked_serial *rs, *nrs; | 528 | struct revoked_serial *rs, *nrs; |
528 | struct revoked_key_id *rki; | 529 | struct revoked_key_id *rki; |
@@ -545,9 +546,9 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) | |||
545 | for (rs = RB_MIN(revoked_serial_tree, &rc->revoked_serials); | 546 | for (rs = RB_MIN(revoked_serial_tree, &rc->revoked_serials); |
546 | rs != NULL; | 547 | rs != NULL; |
547 | rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) { | 548 | rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) { |
548 | debug3("%s: serial %llu:%llu state 0x%02x", __func__, | 549 | KRL_DBG(("%s: serial %llu:%llu state 0x%02x", __func__, |
549 | (long long unsigned)rs->lo, (long long unsigned)rs->hi, | 550 | (long long unsigned)rs->lo, (long long unsigned)rs->hi, |
550 | state); | 551 | state)); |
551 | 552 | ||
552 | /* Check contiguous length and gap to next section (if any) */ | 553 | /* Check contiguous length and gap to next section (if any) */ |
553 | nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs); | 554 | nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs); |
@@ -565,7 +566,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) | |||
565 | */ | 566 | */ |
566 | if (state != 0 && (force_new_sect || next_state != state || | 567 | if (state != 0 && (force_new_sect || next_state != state || |
567 | state == KRL_SECTION_CERT_SERIAL_RANGE)) { | 568 | state == KRL_SECTION_CERT_SERIAL_RANGE)) { |
568 | debug3("%s: finish state 0x%02x", __func__, state); | 569 | KRL_DBG(("%s: finish state 0x%02x", __func__, state)); |
569 | switch (state) { | 570 | switch (state) { |
570 | case KRL_SECTION_CERT_SERIAL_LIST: | 571 | case KRL_SECTION_CERT_SERIAL_LIST: |
571 | case KRL_SECTION_CERT_SERIAL_RANGE: | 572 | case KRL_SECTION_CERT_SERIAL_RANGE: |
@@ -585,7 +586,8 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) | |||
585 | 586 | ||
586 | /* If we are starting a new section then prepare it now */ | 587 | /* If we are starting a new section then prepare it now */ |
587 | if (next_state != state || force_new_sect) { | 588 | if (next_state != state || force_new_sect) { |
588 | debug3("%s: start state 0x%02x", __func__, next_state); | 589 | KRL_DBG(("%s: start state 0x%02x", __func__, |
590 | next_state)); | ||
589 | state = next_state; | 591 | state = next_state; |
590 | sshbuf_reset(sect); | 592 | sshbuf_reset(sect); |
591 | switch (state) { | 593 | switch (state) { |
@@ -636,8 +638,8 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) | |||
636 | } | 638 | } |
637 | /* Flush the remaining section, if any */ | 639 | /* Flush the remaining section, if any */ |
638 | if (state != 0) { | 640 | if (state != 0) { |
639 | debug3("%s: serial final flush for state 0x%02x", | 641 | KRL_DBG(("%s: serial final flush for state 0x%02x", |
640 | __func__, state); | 642 | __func__, state)); |
641 | switch (state) { | 643 | switch (state) { |
642 | case KRL_SECTION_CERT_SERIAL_LIST: | 644 | case KRL_SECTION_CERT_SERIAL_LIST: |
643 | case KRL_SECTION_CERT_SERIAL_RANGE: | 645 | case KRL_SECTION_CERT_SERIAL_RANGE: |
@@ -653,12 +655,12 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) | |||
653 | (r = sshbuf_put_stringb(buf, sect)) != 0) | 655 | (r = sshbuf_put_stringb(buf, sect)) != 0) |
654 | goto out; | 656 | goto out; |
655 | } | 657 | } |
656 | debug3("%s: serial done ", __func__); | 658 | KRL_DBG(("%s: serial done ", __func__)); |
657 | 659 | ||
658 | /* Now output a section for any revocations by key ID */ | 660 | /* Now output a section for any revocations by key ID */ |
659 | sshbuf_reset(sect); | 661 | sshbuf_reset(sect); |
660 | RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) { | 662 | RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) { |
661 | debug3("%s: key ID %s", __func__, rki->key_id); | 663 | KRL_DBG(("%s: key ID %s", __func__, rki->key_id)); |
662 | if ((r = sshbuf_put_cstring(sect, rki->key_id)) != 0) | 664 | if ((r = sshbuf_put_cstring(sect, rki->key_id)) != 0) |
663 | goto out; | 665 | goto out; |
664 | } | 666 | } |
@@ -679,7 +681,7 @@ int | |||
679 | ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, | 681 | ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, |
680 | const struct sshkey **sign_keys, u_int nsign_keys) | 682 | const struct sshkey **sign_keys, u_int nsign_keys) |
681 | { | 683 | { |
682 | int r = -1; | 684 | int r = SSH_ERR_INTERNAL_ERROR; |
683 | struct revoked_certs *rc; | 685 | struct revoked_certs *rc; |
684 | struct revoked_blob *rb; | 686 | struct revoked_blob *rb; |
685 | struct sshbuf *sect; | 687 | struct sshbuf *sect; |
@@ -715,7 +717,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, | |||
715 | /* Finally, output sections for revocations by public key/hash */ | 717 | /* Finally, output sections for revocations by public key/hash */ |
716 | sshbuf_reset(sect); | 718 | sshbuf_reset(sect); |
717 | RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) { | 719 | RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) { |
718 | debug3("%s: key len %zu ", __func__, rb->len); | 720 | KRL_DBG(("%s: key len %u ", __func__, rb->len)); |
719 | if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) | 721 | if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) |
720 | goto out; | 722 | goto out; |
721 | } | 723 | } |
@@ -726,7 +728,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, | |||
726 | } | 728 | } |
727 | sshbuf_reset(sect); | 729 | sshbuf_reset(sect); |
728 | RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) { | 730 | RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) { |
729 | debug3("%s: hash len %zu ", __func__, rb->len); | 731 | KRL_DBG(("%s: hash len %u ", __func__, rb->len)); |
730 | if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) | 732 | if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) |
731 | goto out; | 733 | goto out; |
732 | } | 734 | } |
@@ -742,7 +744,8 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, | |||
742 | if ((r = sshkey_to_blob_buf(sign_keys[i], sect)) != 0) | 744 | if ((r = sshkey_to_blob_buf(sign_keys[i], sect)) != 0) |
743 | goto out; | 745 | goto out; |
744 | 746 | ||
745 | debug3("%s: signature key len %zu", __func__, sshbuf_len(sect)); | 747 | KRL_DBG(("%s: signature key len %zu", __func__, |
748 | sshbuf_len(sect))); | ||
746 | if ((r = sshbuf_put_u8(buf, KRL_SECTION_SIGNATURE)) != 0 || | 749 | if ((r = sshbuf_put_u8(buf, KRL_SECTION_SIGNATURE)) != 0 || |
747 | (r = sshbuf_put_stringb(buf, sect)) != 0) | 750 | (r = sshbuf_put_stringb(buf, sect)) != 0) |
748 | goto out; | 751 | goto out; |
@@ -750,7 +753,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, | |||
750 | if ((r = sshkey_sign(sign_keys[i], &sblob, &slen, | 753 | if ((r = sshkey_sign(sign_keys[i], &sblob, &slen, |
751 | sshbuf_ptr(buf), sshbuf_len(buf), 0)) == -1) | 754 | sshbuf_ptr(buf), sshbuf_len(buf), 0)) == -1) |
752 | goto out; | 755 | goto out; |
753 | debug3("%s: signature sig len %zu", __func__, slen); | 756 | KRL_DBG(("%s: signature sig len %u", __func__, slen)); |
754 | if ((r = sshbuf_put_string(buf, sblob, slen)) != 0) | 757 | if ((r = sshbuf_put_string(buf, sblob, slen)) != 0) |
755 | goto out; | 758 | goto out; |
756 | } | 759 | } |
@@ -781,7 +784,7 @@ format_timestamp(u_int64_t timestamp, char *ts, size_t nts) | |||
781 | static int | 784 | static int |
782 | parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl) | 785 | parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl) |
783 | { | 786 | { |
784 | int r = -1, nbits; | 787 | int r = SSH_ERR_INTERNAL_ERROR, nbits; |
785 | u_char type; | 788 | u_char type; |
786 | const u_char *blob; | 789 | const u_char *blob; |
787 | size_t blen; | 790 | size_t blen; |
@@ -809,7 +812,8 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl) | |||
809 | if ((r = sshbuf_get_u8(buf, &type)) != 0 || | 812 | if ((r = sshbuf_get_u8(buf, &type)) != 0 || |
810 | (r = sshbuf_froms(buf, &subsect)) != 0) | 813 | (r = sshbuf_froms(buf, &subsect)) != 0) |
811 | goto out; | 814 | goto out; |
812 | debug3("%s: subsection type 0x%02x", __func__, type); | 815 | KRL_DBG(("%s: subsection type 0x%02x", __func__, type)); |
816 | /* sshbuf_dump(subsect, stderr); */ | ||
813 | 817 | ||
814 | switch (type) { | 818 | switch (type) { |
815 | case KRL_SECTION_CERT_SERIAL_LIST: | 819 | case KRL_SECTION_CERT_SERIAL_LIST: |
@@ -842,7 +846,7 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl) | |||
842 | r = SSH_ERR_INVALID_FORMAT; | 846 | r = SSH_ERR_INVALID_FORMAT; |
843 | goto out; | 847 | goto out; |
844 | } | 848 | } |
845 | for (serial = 0; serial < (u_int)nbits; serial++) { | 849 | for (serial = 0; serial < (u_int64_t)nbits; serial++) { |
846 | if (serial > 0 && serial_lo + serial == 0) { | 850 | if (serial > 0 && serial_lo + serial == 0) { |
847 | error("%s: bitmap wraps u64", __func__); | 851 | error("%s: bitmap wraps u64", __func__); |
848 | r = SSH_ERR_INVALID_FORMAT; | 852 | r = SSH_ERR_INVALID_FORMAT; |
@@ -895,12 +899,12 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl) | |||
895 | /* Attempt to parse a KRL, checking its signature (if any) with sign_ca_keys. */ | 899 | /* Attempt to parse a KRL, checking its signature (if any) with sign_ca_keys. */ |
896 | int | 900 | int |
897 | ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, | 901 | ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, |
898 | const struct sshkey **sign_ca_keys, u_int nsign_ca_keys) | 902 | const struct sshkey **sign_ca_keys, size_t nsign_ca_keys) |
899 | { | 903 | { |
900 | struct sshbuf *copy = NULL, *sect = NULL; | 904 | struct sshbuf *copy = NULL, *sect = NULL; |
901 | struct ssh_krl *krl = NULL; | 905 | struct ssh_krl *krl = NULL; |
902 | char timestamp[64]; | 906 | char timestamp[64]; |
903 | int r = -1, sig_seen; | 907 | int r = SSH_ERR_INTERNAL_ERROR, sig_seen; |
904 | struct sshkey *key = NULL, **ca_used = NULL, **tmp_ca_used; | 908 | struct sshkey *key = NULL, **ca_used = NULL, **tmp_ca_used; |
905 | u_char type, *rdata = NULL; | 909 | u_char type, *rdata = NULL; |
906 | const u_char *blob; | 910 | const u_char *blob; |
@@ -961,12 +965,12 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, | |||
961 | if ((r = sshbuf_get_u8(copy, &type)) != 0 || | 965 | if ((r = sshbuf_get_u8(copy, &type)) != 0 || |
962 | (r = sshbuf_get_string_direct(copy, &blob, &blen)) != 0) | 966 | (r = sshbuf_get_string_direct(copy, &blob, &blen)) != 0) |
963 | goto out; | 967 | goto out; |
964 | debug3("%s: first pass, section 0x%02x", __func__, type); | 968 | KRL_DBG(("%s: first pass, section 0x%02x", __func__, type)); |
965 | if (type != KRL_SECTION_SIGNATURE) { | 969 | if (type != KRL_SECTION_SIGNATURE) { |
966 | if (sig_seen) { | 970 | if (sig_seen) { |
967 | r = SSH_ERR_INVALID_FORMAT; | ||
968 | error("KRL contains non-signature section " | 971 | error("KRL contains non-signature section " |
969 | "after signature"); | 972 | "after signature"); |
973 | r = SSH_ERR_INVALID_FORMAT; | ||
970 | goto out; | 974 | goto out; |
971 | } | 975 | } |
972 | /* Not interested for now. */ | 976 | /* Not interested for now. */ |
@@ -976,7 +980,6 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, | |||
976 | /* First string component is the signing key */ | 980 | /* First string component is the signing key */ |
977 | if ((r = sshkey_from_blob(blob, blen, &key)) != 0) { | 981 | if ((r = sshkey_from_blob(blob, blen, &key)) != 0) { |
978 | r = SSH_ERR_INVALID_FORMAT; | 982 | r = SSH_ERR_INVALID_FORMAT; |
979 | error("%s: invalid signature key", __func__); | ||
980 | goto out; | 983 | goto out; |
981 | } | 984 | } |
982 | if (sshbuf_len(buf) < sshbuf_len(copy)) { | 985 | if (sshbuf_len(buf) < sshbuf_len(copy)) { |
@@ -992,16 +995,14 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, | |||
992 | } | 995 | } |
993 | /* Check signature over entire KRL up to this point */ | 996 | /* Check signature over entire KRL up to this point */ |
994 | if ((r = sshkey_verify(key, blob, blen, | 997 | if ((r = sshkey_verify(key, blob, blen, |
995 | sshbuf_ptr(buf), sshbuf_len(buf) - sig_off, 0)) != 0) { | 998 | sshbuf_ptr(buf), sshbuf_len(buf) - sig_off, 0)) != 0) |
996 | error("bad signaure on KRL"); | ||
997 | goto out; | 999 | goto out; |
998 | } | ||
999 | /* Check if this key has already signed this KRL */ | 1000 | /* Check if this key has already signed this KRL */ |
1000 | for (i = 0; i < nca_used; i++) { | 1001 | for (i = 0; i < nca_used; i++) { |
1001 | if (sshkey_equal(ca_used[i], key)) { | 1002 | if (sshkey_equal(ca_used[i], key)) { |
1002 | error("KRL signed more than once with " | 1003 | error("KRL signed more than once with " |
1003 | "the same key"); | 1004 | "the same key"); |
1004 | r = SSH_ERR_SIGNATURE_INVALID; | 1005 | r = SSH_ERR_INVALID_FORMAT; |
1005 | goto out; | 1006 | goto out; |
1006 | } | 1007 | } |
1007 | } | 1008 | } |
@@ -1041,10 +1042,9 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, | |||
1041 | sect = NULL; | 1042 | sect = NULL; |
1042 | } | 1043 | } |
1043 | if ((r = sshbuf_get_u8(copy, &type)) != 0 || | 1044 | if ((r = sshbuf_get_u8(copy, &type)) != 0 || |
1044 | (r = sshbuf_froms(copy, §)) != 0) { | 1045 | (r = sshbuf_froms(copy, §)) != 0) |
1045 | goto out; | 1046 | goto out; |
1046 | } | 1047 | KRL_DBG(("%s: second pass, section 0x%02x", __func__, type)); |
1047 | debug3("%s: second pass, section 0x%02x", __func__, type); | ||
1048 | 1048 | ||
1049 | switch (type) { | 1049 | switch (type) { |
1050 | case KRL_SECTION_CERTIFICATES: | 1050 | case KRL_SECTION_CERTIFICATES: |
@@ -1068,7 +1068,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, | |||
1068 | &krl->revoked_keys : &krl->revoked_sha1s, | 1068 | &krl->revoked_keys : &krl->revoked_sha1s, |
1069 | rdata, rlen)) != 0) | 1069 | rdata, rlen)) != 0) |
1070 | goto out; | 1070 | goto out; |
1071 | rdata = NULL; /* revoke_blob frees blob */ | 1071 | rdata = NULL; /* revoke_blob frees rdata */ |
1072 | } | 1072 | } |
1073 | break; | 1073 | break; |
1074 | case KRL_SECTION_SIGNATURE: | 1074 | case KRL_SECTION_SIGNATURE: |
@@ -1101,8 +1101,8 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, | |||
1101 | } | 1101 | } |
1102 | } | 1102 | } |
1103 | if (nca_used && !sig_seen) { | 1103 | if (nca_used && !sig_seen) { |
1104 | r = SSH_ERR_SIGNATURE_INVALID; | ||
1105 | error("All keys used to sign KRL were revoked"); | 1104 | error("All keys used to sign KRL were revoked"); |
1105 | r = SSH_ERR_KEY_REVOKED; | ||
1106 | goto out; | 1106 | goto out; |
1107 | } | 1107 | } |
1108 | 1108 | ||
@@ -1159,7 +1159,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key) | |||
1159 | erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); | 1159 | erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); |
1160 | free(rb.blob); | 1160 | free(rb.blob); |
1161 | if (erb != NULL) { | 1161 | if (erb != NULL) { |
1162 | debug("%s: revoked by key SHA1", __func__); | 1162 | KRL_DBG(("%s: revoked by key SHA1", __func__)); |
1163 | return SSH_ERR_KEY_REVOKED; | 1163 | return SSH_ERR_KEY_REVOKED; |
1164 | } | 1164 | } |
1165 | 1165 | ||
@@ -1170,7 +1170,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key) | |||
1170 | erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb); | 1170 | erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb); |
1171 | free(rb.blob); | 1171 | free(rb.blob); |
1172 | if (erb != NULL) { | 1172 | if (erb != NULL) { |
1173 | debug("%s: revoked by explicit key", __func__); | 1173 | KRL_DBG(("%s: revoked by explicit key", __func__)); |
1174 | return SSH_ERR_KEY_REVOKED; | 1174 | return SSH_ERR_KEY_REVOKED; |
1175 | } | 1175 | } |
1176 | 1176 | ||
@@ -1189,7 +1189,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key) | |||
1189 | rki.key_id = key->cert->key_id; | 1189 | rki.key_id = key->cert->key_id; |
1190 | erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki); | 1190 | erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki); |
1191 | if (erki != NULL) { | 1191 | if (erki != NULL) { |
1192 | debug("%s: revoked by key ID", __func__); | 1192 | KRL_DBG(("%s: revoked by key ID", __func__)); |
1193 | return SSH_ERR_KEY_REVOKED; | 1193 | return SSH_ERR_KEY_REVOKED; |
1194 | } | 1194 | } |
1195 | 1195 | ||
@@ -1204,13 +1204,11 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key) | |||
1204 | rs.lo = rs.hi = key->cert->serial; | 1204 | rs.lo = rs.hi = key->cert->serial; |
1205 | ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs); | 1205 | ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs); |
1206 | if (ers != NULL) { | 1206 | if (ers != NULL) { |
1207 | KRL_DBG(("%s: %llu matched %llu:%llu", __func__, | 1207 | KRL_DBG(("%s: revoked serial %llu matched %llu:%llu", __func__, |
1208 | key->cert->serial, ers->lo, ers->hi)); | 1208 | key->cert->serial, ers->lo, ers->hi)); |
1209 | debug("%s: revoked by serial", __func__); | ||
1210 | return SSH_ERR_KEY_REVOKED; | 1209 | return SSH_ERR_KEY_REVOKED; |
1211 | } | 1210 | } |
1212 | KRL_DBG(("%s: %llu no match", __func__, key->cert->serial)); | 1211 | KRL_DBG(("%s: %llu no match", __func__, key->cert->serial)); |
1213 | |||
1214 | return 0; | 1212 | return 0; |
1215 | } | 1213 | } |
1216 | 1214 | ||
@@ -1219,7 +1217,7 @@ ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key) | |||
1219 | { | 1217 | { |
1220 | int r; | 1218 | int r; |
1221 | 1219 | ||
1222 | debug2("%s: checking key", __func__); | 1220 | KRL_DBG(("%s: checking key", __func__)); |
1223 | if ((r = is_key_revoked(krl, key)) != 0) | 1221 | if ((r = is_key_revoked(krl, key)) != 0) |
1224 | return r; | 1222 | return r; |
1225 | if (sshkey_is_cert(key)) { | 1223 | if (sshkey_is_cert(key)) { |
@@ -1227,7 +1225,7 @@ ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key) | |||
1227 | if ((r = is_key_revoked(krl, key->cert->signature_key)) != 0) | 1225 | if ((r = is_key_revoked(krl, key->cert->signature_key)) != 0) |
1228 | return r; | 1226 | return r; |
1229 | } | 1227 | } |
1230 | debug3("%s: key okay", __func__); | 1228 | KRL_DBG(("%s: key okay", __func__)); |
1231 | return 0; | 1229 | return 0; |
1232 | } | 1230 | } |
1233 | 1231 | ||