diff options
Diffstat (limited to 'krl.c')
-rw-r--r-- | krl.c | 1227 |
1 files changed, 1227 insertions, 0 deletions
@@ -0,0 +1,1227 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2012 Damien Miller <djm@mindrot.org> | ||
3 | * | ||
4 | * Permission to use, copy, modify, and distribute this software for any | ||
5 | * purpose with or without fee is hereby granted, provided that the above | ||
6 | * copyright notice and this permission notice appear in all copies. | ||
7 | * | ||
8 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
9 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
10 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
11 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
12 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
13 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
15 | */ | ||
16 | |||
17 | /* $OpenBSD: krl.c,v 1.2 2013/01/18 00:24:58 djm Exp $ */ | ||
18 | |||
19 | #include "includes.h" | ||
20 | |||
21 | #include <sys/types.h> | ||
22 | #include <sys/param.h> | ||
23 | #include <sys/tree.h> | ||
24 | #include <sys/queue.h> | ||
25 | |||
26 | #include <errno.h> | ||
27 | #include <fcntl.h> | ||
28 | #include <limits.h> | ||
29 | #include <string.h> | ||
30 | #include <time.h> | ||
31 | #include <unistd.h> | ||
32 | |||
33 | #include "buffer.h" | ||
34 | #include "key.h" | ||
35 | #include "authfile.h" | ||
36 | #include "err.h" | ||
37 | #include "misc.h" | ||
38 | #include "log.h" | ||
39 | #include "xmalloc.h" | ||
40 | |||
41 | #include "krl.h" | ||
42 | |||
43 | /* #define DEBUG_KRL */ | ||
44 | #ifdef DEBUG_KRL | ||
45 | # define KRL_DBG(x) debug3 x | ||
46 | #else | ||
47 | # define KRL_DBG(x) | ||
48 | #endif | ||
49 | |||
50 | /* | ||
51 | * Trees of revoked serial numbers, key IDs and keys. This allows | ||
52 | * quick searching, querying and producing lists in canonical order. | ||
53 | */ | ||
54 | |||
55 | /* Tree of serial numbers. XXX make smarter: really need a real sparse bitmap */ | ||
56 | struct revoked_serial { | ||
57 | u_int64_t lo, hi; | ||
58 | RB_ENTRY(revoked_serial) tree_entry; | ||
59 | }; | ||
60 | static int serial_cmp(struct revoked_serial *a, struct revoked_serial *b); | ||
61 | RB_HEAD(revoked_serial_tree, revoked_serial); | ||
62 | RB_GENERATE_STATIC(revoked_serial_tree, revoked_serial, tree_entry, serial_cmp); | ||
63 | |||
64 | /* Tree of key IDs */ | ||
65 | struct revoked_key_id { | ||
66 | char *key_id; | ||
67 | RB_ENTRY(revoked_key_id) tree_entry; | ||
68 | }; | ||
69 | static int key_id_cmp(struct revoked_key_id *a, struct revoked_key_id *b); | ||
70 | RB_HEAD(revoked_key_id_tree, revoked_key_id); | ||
71 | RB_GENERATE_STATIC(revoked_key_id_tree, revoked_key_id, tree_entry, key_id_cmp); | ||
72 | |||
73 | /* Tree of blobs (used for keys and fingerprints) */ | ||
74 | struct revoked_blob { | ||
75 | u_char *blob; | ||
76 | u_int len; | ||
77 | RB_ENTRY(revoked_blob) tree_entry; | ||
78 | }; | ||
79 | static int blob_cmp(struct revoked_blob *a, struct revoked_blob *b); | ||
80 | RB_HEAD(revoked_blob_tree, revoked_blob); | ||
81 | RB_GENERATE_STATIC(revoked_blob_tree, revoked_blob, tree_entry, blob_cmp); | ||
82 | |||
83 | /* Tracks revoked certs for a single CA */ | ||
84 | struct revoked_certs { | ||
85 | Key *ca_key; | ||
86 | struct revoked_serial_tree revoked_serials; | ||
87 | struct revoked_key_id_tree revoked_key_ids; | ||
88 | TAILQ_ENTRY(revoked_certs) entry; | ||
89 | }; | ||
90 | TAILQ_HEAD(revoked_certs_list, revoked_certs); | ||
91 | |||
92 | struct ssh_krl { | ||
93 | u_int64_t krl_version; | ||
94 | u_int64_t generated_date; | ||
95 | u_int64_t flags; | ||
96 | char *comment; | ||
97 | struct revoked_blob_tree revoked_keys; | ||
98 | struct revoked_blob_tree revoked_sha1s; | ||
99 | struct revoked_certs_list revoked_certs; | ||
100 | }; | ||
101 | |||
102 | /* Return equal if a and b overlap */ | ||
103 | static int | ||
104 | serial_cmp(struct revoked_serial *a, struct revoked_serial *b) | ||
105 | { | ||
106 | if (a->hi >= b->lo && a->lo <= b->hi) | ||
107 | return 0; | ||
108 | return a->lo < b->lo ? -1 : 1; | ||
109 | } | ||
110 | |||
111 | static int | ||
112 | key_id_cmp(struct revoked_key_id *a, struct revoked_key_id *b) | ||
113 | { | ||
114 | return strcmp(a->key_id, b->key_id); | ||
115 | } | ||
116 | |||
117 | static int | ||
118 | blob_cmp(struct revoked_blob *a, struct revoked_blob *b) | ||
119 | { | ||
120 | int r; | ||
121 | |||
122 | if (a->len != b->len) { | ||
123 | if ((r = memcmp(a->blob, b->blob, MIN(a->len, b->len))) != 0) | ||
124 | return r; | ||
125 | return a->len > b->len ? 1 : -1; | ||
126 | } else | ||
127 | return memcmp(a->blob, b->blob, a->len); | ||
128 | } | ||
129 | |||
130 | struct ssh_krl * | ||
131 | ssh_krl_init(void) | ||
132 | { | ||
133 | struct ssh_krl *krl; | ||
134 | |||
135 | if ((krl = calloc(1, sizeof(*krl))) == NULL) | ||
136 | return NULL; | ||
137 | RB_INIT(&krl->revoked_keys); | ||
138 | RB_INIT(&krl->revoked_sha1s); | ||
139 | TAILQ_INIT(&krl->revoked_certs); | ||
140 | return krl; | ||
141 | } | ||
142 | |||
143 | static void | ||
144 | revoked_certs_free(struct revoked_certs *rc) | ||
145 | { | ||
146 | struct revoked_serial *rs, *trs; | ||
147 | struct revoked_key_id *rki, *trki; | ||
148 | |||
149 | RB_FOREACH_SAFE(rs, revoked_serial_tree, &rc->revoked_serials, trs) { | ||
150 | RB_REMOVE(revoked_serial_tree, &rc->revoked_serials, rs); | ||
151 | free(rs); | ||
152 | } | ||
153 | RB_FOREACH_SAFE(rki, revoked_key_id_tree, &rc->revoked_key_ids, trki) { | ||
154 | RB_REMOVE(revoked_key_id_tree, &rc->revoked_key_ids, rki); | ||
155 | free(rki->key_id); | ||
156 | free(rki); | ||
157 | } | ||
158 | if (rc->ca_key != NULL) | ||
159 | key_free(rc->ca_key); | ||
160 | } | ||
161 | |||
162 | void | ||
163 | ssh_krl_free(struct ssh_krl *krl) | ||
164 | { | ||
165 | struct revoked_blob *rb, *trb; | ||
166 | struct revoked_certs *rc, *trc; | ||
167 | |||
168 | if (krl == NULL) | ||
169 | return; | ||
170 | |||
171 | free(krl->comment); | ||
172 | RB_FOREACH_SAFE(rb, revoked_blob_tree, &krl->revoked_keys, trb) { | ||
173 | RB_REMOVE(revoked_blob_tree, &krl->revoked_keys, rb); | ||
174 | free(rb->blob); | ||
175 | free(rb); | ||
176 | } | ||
177 | RB_FOREACH_SAFE(rb, revoked_blob_tree, &krl->revoked_sha1s, trb) { | ||
178 | RB_REMOVE(revoked_blob_tree, &krl->revoked_sha1s, rb); | ||
179 | free(rb->blob); | ||
180 | free(rb); | ||
181 | } | ||
182 | TAILQ_FOREACH_SAFE(rc, &krl->revoked_certs, entry, trc) { | ||
183 | TAILQ_REMOVE(&krl->revoked_certs, rc, entry); | ||
184 | revoked_certs_free(rc); | ||
185 | } | ||
186 | } | ||
187 | |||
188 | void | ||
189 | ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version) | ||
190 | { | ||
191 | krl->krl_version = version; | ||
192 | } | ||
193 | |||
194 | void | ||
195 | ssh_krl_set_comment(struct ssh_krl *krl, const char *comment) | ||
196 | { | ||
197 | free(krl->comment); | ||
198 | if ((krl->comment = strdup(comment)) == NULL) | ||
199 | fatal("%s: strdup", __func__); | ||
200 | } | ||
201 | |||
202 | /* | ||
203 | * Find the revoked_certs struct for a CA key. If allow_create is set then | ||
204 | * create a new one in the tree if one did not exist already. | ||
205 | */ | ||
206 | static int | ||
207 | revoked_certs_for_ca_key(struct ssh_krl *krl, const Key *ca_key, | ||
208 | struct revoked_certs **rcp, int allow_create) | ||
209 | { | ||
210 | struct revoked_certs *rc; | ||
211 | |||
212 | *rcp = NULL; | ||
213 | TAILQ_FOREACH(rc, &krl->revoked_certs, entry) { | ||
214 | if (key_equal(rc->ca_key, ca_key)) { | ||
215 | *rcp = rc; | ||
216 | return 0; | ||
217 | } | ||
218 | } | ||
219 | if (!allow_create) | ||
220 | return 0; | ||
221 | /* If this CA doesn't exist in the list then add it now */ | ||
222 | if ((rc = calloc(1, sizeof(*rc))) == NULL) | ||
223 | return -1; | ||
224 | if ((rc->ca_key = key_from_private(ca_key)) == NULL) { | ||
225 | free(rc); | ||
226 | return -1; | ||
227 | } | ||
228 | RB_INIT(&rc->revoked_serials); | ||
229 | RB_INIT(&rc->revoked_key_ids); | ||
230 | TAILQ_INSERT_TAIL(&krl->revoked_certs, rc, entry); | ||
231 | debug3("%s: new CA %s", __func__, key_type(ca_key)); | ||
232 | *rcp = rc; | ||
233 | return 0; | ||
234 | } | ||
235 | |||
236 | static int | ||
237 | insert_serial_range(struct revoked_serial_tree *rt, u_int64_t lo, u_int64_t hi) | ||
238 | { | ||
239 | struct revoked_serial rs, *ers, *crs, *irs; | ||
240 | |||
241 | KRL_DBG(("%s: insert %llu:%llu", __func__, lo, hi)); | ||
242 | bzero(&rs, sizeof(rs)); | ||
243 | rs.lo = lo; | ||
244 | rs.hi = hi; | ||
245 | ers = RB_NFIND(revoked_serial_tree, rt, &rs); | ||
246 | if (ers == NULL || serial_cmp(ers, &rs) != 0) { | ||
247 | /* No entry matches. Just insert */ | ||
248 | if ((irs = malloc(sizeof(rs))) == NULL) | ||
249 | return -1; | ||
250 | memcpy(irs, &rs, sizeof(*irs)); | ||
251 | ers = RB_INSERT(revoked_serial_tree, rt, irs); | ||
252 | if (ers != NULL) { | ||
253 | KRL_DBG(("%s: bad: ers != NULL", __func__)); | ||
254 | /* Shouldn't happen */ | ||
255 | free(ers); | ||
256 | return -1; | ||
257 | } | ||
258 | ers = irs; | ||
259 | } else { | ||
260 | KRL_DBG(("%s: overlap found %llu:%llu", __func__, | ||
261 | ers->lo, ers->hi)); | ||
262 | /* | ||
263 | * The inserted entry overlaps an existing one. Grow the | ||
264 | * existing entry. | ||
265 | */ | ||
266 | if (ers->lo > lo) | ||
267 | ers->lo = lo; | ||
268 | if (ers->hi < hi) | ||
269 | ers->hi = hi; | ||
270 | } | ||
271 | /* | ||
272 | * The inserted or revised range might overlap or abut adjacent ones; | ||
273 | * coalesce as necessary. | ||
274 | */ | ||
275 | |||
276 | /* Check predecessors */ | ||
277 | while ((crs = RB_PREV(revoked_serial_tree, rt, ers)) != NULL) { | ||
278 | KRL_DBG(("%s: pred %llu:%llu", __func__, crs->lo, crs->hi)); | ||
279 | if (ers->lo != 0 && crs->hi < ers->lo - 1) | ||
280 | break; | ||
281 | /* This entry overlaps. */ | ||
282 | if (crs->lo < ers->lo) { | ||
283 | ers->lo = crs->lo; | ||
284 | KRL_DBG(("%s: pred extend %llu:%llu", __func__, | ||
285 | ers->lo, ers->hi)); | ||
286 | } | ||
287 | RB_REMOVE(revoked_serial_tree, rt, crs); | ||
288 | free(crs); | ||
289 | } | ||
290 | /* Check successors */ | ||
291 | while ((crs = RB_NEXT(revoked_serial_tree, rt, ers)) != NULL) { | ||
292 | KRL_DBG(("%s: succ %llu:%llu", __func__, crs->lo, crs->hi)); | ||
293 | if (ers->hi != (u_int64_t)-1 && crs->lo > ers->hi + 1) | ||
294 | break; | ||
295 | /* This entry overlaps. */ | ||
296 | if (crs->hi > ers->hi) { | ||
297 | ers->hi = crs->hi; | ||
298 | KRL_DBG(("%s: succ extend %llu:%llu", __func__, | ||
299 | ers->lo, ers->hi)); | ||
300 | } | ||
301 | RB_REMOVE(revoked_serial_tree, rt, crs); | ||
302 | free(crs); | ||
303 | } | ||
304 | KRL_DBG(("%s: done, final %llu:%llu", __func__, ers->lo, ers->hi)); | ||
305 | return 0; | ||
306 | } | ||
307 | |||
308 | int | ||
309 | ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const Key *ca_key, | ||
310 | u_int64_t serial) | ||
311 | { | ||
312 | return ssh_krl_revoke_cert_by_serial_range(krl, ca_key, serial, serial); | ||
313 | } | ||
314 | |||
315 | int | ||
316 | ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, const Key *ca_key, | ||
317 | u_int64_t lo, u_int64_t hi) | ||
318 | { | ||
319 | struct revoked_certs *rc; | ||
320 | |||
321 | if (lo > hi || lo == 0) | ||
322 | return -1; | ||
323 | if (revoked_certs_for_ca_key(krl, ca_key, &rc, 1) != 0) | ||
324 | return -1; | ||
325 | return insert_serial_range(&rc->revoked_serials, lo, hi); | ||
326 | } | ||
327 | |||
328 | int | ||
329 | ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl, const Key *ca_key, | ||
330 | const char *key_id) | ||
331 | { | ||
332 | struct revoked_key_id *rki, *erki; | ||
333 | struct revoked_certs *rc; | ||
334 | |||
335 | if (revoked_certs_for_ca_key(krl, ca_key, &rc, 1) != 0) | ||
336 | return -1; | ||
337 | |||
338 | debug3("%s: revoke %s", __func__, key_id); | ||
339 | if ((rki = calloc(1, sizeof(*rki))) == NULL || | ||
340 | (rki->key_id = strdup(key_id)) == NULL) { | ||
341 | free(rki); | ||
342 | fatal("%s: strdup", __func__); | ||
343 | } | ||
344 | erki = RB_INSERT(revoked_key_id_tree, &rc->revoked_key_ids, rki); | ||
345 | if (erki != NULL) { | ||
346 | free(rki->key_id); | ||
347 | free(rki); | ||
348 | } | ||
349 | return 0; | ||
350 | } | ||
351 | |||
352 | /* Convert "key" to a public key blob without any certificate information */ | ||
353 | static int | ||
354 | plain_key_blob(const Key *key, u_char **blob, u_int *blen) | ||
355 | { | ||
356 | Key *kcopy; | ||
357 | int r; | ||
358 | |||
359 | if ((kcopy = key_from_private(key)) == NULL) | ||
360 | return -1; | ||
361 | if (key_is_cert(kcopy)) { | ||
362 | if (key_drop_cert(kcopy) != 0) { | ||
363 | error("%s: key_drop_cert", __func__); | ||
364 | key_free(kcopy); | ||
365 | return -1; | ||
366 | } | ||
367 | } | ||
368 | r = key_to_blob(kcopy, blob, blen); | ||
369 | free(kcopy); | ||
370 | return r == 0 ? -1 : 0; | ||
371 | } | ||
372 | |||
373 | /* Revoke a key blob. Ownership of blob is transferred to the tree */ | ||
374 | static int | ||
375 | revoke_blob(struct revoked_blob_tree *rbt, u_char *blob, u_int len) | ||
376 | { | ||
377 | struct revoked_blob *rb, *erb; | ||
378 | |||
379 | if ((rb = calloc(1, sizeof(*rb))) == NULL) | ||
380 | return -1; | ||
381 | rb->blob = blob; | ||
382 | rb->len = len; | ||
383 | erb = RB_INSERT(revoked_blob_tree, rbt, rb); | ||
384 | if (erb != NULL) { | ||
385 | free(rb->blob); | ||
386 | free(rb); | ||
387 | } | ||
388 | return 0; | ||
389 | } | ||
390 | |||
391 | int | ||
392 | ssh_krl_revoke_key_explicit(struct ssh_krl *krl, const Key *key) | ||
393 | { | ||
394 | u_char *blob; | ||
395 | u_int len; | ||
396 | |||
397 | debug3("%s: revoke type %s", __func__, key_type(key)); | ||
398 | if (plain_key_blob(key, &blob, &len) != 0) | ||
399 | return -1; | ||
400 | return revoke_blob(&krl->revoked_keys, blob, len); | ||
401 | } | ||
402 | |||
403 | int | ||
404 | ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const Key *key) | ||
405 | { | ||
406 | u_char *blob; | ||
407 | u_int len; | ||
408 | |||
409 | debug3("%s: revoke type %s by sha1", __func__, key_type(key)); | ||
410 | if ((blob = key_fingerprint_raw(key, SSH_FP_SHA1, &len)) == NULL) | ||
411 | return -1; | ||
412 | return revoke_blob(&krl->revoked_sha1s, blob, len); | ||
413 | } | ||
414 | |||
415 | int | ||
416 | ssh_krl_revoke_key(struct ssh_krl *krl, const Key *key) | ||
417 | { | ||
418 | if (!key_is_cert(key)) | ||
419 | return ssh_krl_revoke_key_sha1(krl, key); | ||
420 | |||
421 | if (key_cert_is_legacy(key) || key->cert->serial == 0) { | ||
422 | return ssh_krl_revoke_cert_by_key_id(krl, | ||
423 | key->cert->signature_key, | ||
424 | key->cert->key_id); | ||
425 | } else { | ||
426 | return ssh_krl_revoke_cert_by_serial(krl, | ||
427 | key->cert->signature_key, | ||
428 | key->cert->serial); | ||
429 | } | ||
430 | } | ||
431 | |||
432 | /* | ||
433 | * Select a copact next section type to emit in a KRL based on the | ||
434 | * current section type, the run length of contiguous revoked serial | ||
435 | * numbers and the gaps from the last and to the next revoked serial. | ||
436 | * Applies a mostly-accurate bit cost model to select the section type | ||
437 | * that will minimise the size of the resultant KRL. | ||
438 | */ | ||
439 | static int | ||
440 | choose_next_state(int current_state, u_int64_t contig, int final, | ||
441 | u_int64_t last_gap, u_int64_t next_gap, int *force_new_section) | ||
442 | { | ||
443 | int new_state; | ||
444 | u_int64_t cost, cost_list, cost_range, cost_bitmap, cost_bitmap_restart; | ||
445 | |||
446 | /* | ||
447 | * Avoid unsigned overflows. | ||
448 | * The limits are high enough to avoid confusing the calculations. | ||
449 | */ | ||
450 | contig = MIN(contig, 1ULL<<31); | ||
451 | last_gap = MIN(last_gap, 1ULL<<31); | ||
452 | next_gap = MIN(next_gap, 1ULL<<31); | ||
453 | |||
454 | /* | ||
455 | * Calculate the cost to switch from the current state to candidates. | ||
456 | * NB. range sections only ever contain a single range, so their | ||
457 | * switching cost is independent of the current_state. | ||
458 | */ | ||
459 | cost_list = cost_bitmap = cost_bitmap_restart = 0; | ||
460 | cost_range = 8; | ||
461 | switch (current_state) { | ||
462 | case KRL_SECTION_CERT_SERIAL_LIST: | ||
463 | cost_bitmap_restart = cost_bitmap = 8 + 64; | ||
464 | break; | ||
465 | case KRL_SECTION_CERT_SERIAL_BITMAP: | ||
466 | cost_list = 8; | ||
467 | cost_bitmap_restart = 8 + 64; | ||
468 | break; | ||
469 | case KRL_SECTION_CERT_SERIAL_RANGE: | ||
470 | case 0: | ||
471 | cost_bitmap_restart = cost_bitmap = 8 + 64; | ||
472 | cost_list = 8; | ||
473 | } | ||
474 | |||
475 | /* Estimate base cost in bits of each section type */ | ||
476 | cost_list += 64 * contig + (final ? 0 : 8+64); | ||
477 | cost_range += (2 * 64) + (final ? 0 : 8+64); | ||
478 | cost_bitmap += last_gap + contig + (final ? 0 : MIN(next_gap, 8+64)); | ||
479 | cost_bitmap_restart += contig + (final ? 0 : MIN(next_gap, 8+64)); | ||
480 | |||
481 | /* Convert to byte costs for actual comparison */ | ||
482 | cost_list = (cost_list + 7) / 8; | ||
483 | cost_bitmap = (cost_bitmap + 7) / 8; | ||
484 | cost_bitmap_restart = (cost_bitmap_restart + 7) / 8; | ||
485 | cost_range = (cost_range + 7) / 8; | ||
486 | |||
487 | /* Now pick the best choice */ | ||
488 | *force_new_section = 0; | ||
489 | new_state = KRL_SECTION_CERT_SERIAL_BITMAP; | ||
490 | cost = cost_bitmap; | ||
491 | if (cost_range < cost) { | ||
492 | new_state = KRL_SECTION_CERT_SERIAL_RANGE; | ||
493 | cost = cost_range; | ||
494 | } | ||
495 | if (cost_list < cost) { | ||
496 | new_state = KRL_SECTION_CERT_SERIAL_LIST; | ||
497 | cost = cost_list; | ||
498 | } | ||
499 | if (cost_bitmap_restart < cost) { | ||
500 | new_state = KRL_SECTION_CERT_SERIAL_BITMAP; | ||
501 | *force_new_section = 1; | ||
502 | cost = cost_bitmap_restart; | ||
503 | } | ||
504 | debug3("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:" | ||
505 | "list %llu range %llu bitmap %llu new bitmap %llu, " | ||
506 | "selected 0x%02x%s", __func__, contig, last_gap, next_gap, final, | ||
507 | cost_list, cost_range, cost_bitmap, cost_bitmap_restart, new_state, | ||
508 | *force_new_section ? " restart" : ""); | ||
509 | return new_state; | ||
510 | } | ||
511 | |||
512 | /* Generate a KRL_SECTION_CERTIFICATES KRL section */ | ||
513 | static int | ||
514 | revoked_certs_generate(struct revoked_certs *rc, Buffer *buf) | ||
515 | { | ||
516 | int final, force_new_sect, r = -1; | ||
517 | u_int64_t i, contig, gap, last = 0, bitmap_start = 0; | ||
518 | struct revoked_serial *rs, *nrs; | ||
519 | struct revoked_key_id *rki; | ||
520 | int next_state, state = 0; | ||
521 | Buffer sect; | ||
522 | u_char *kblob = NULL; | ||
523 | u_int klen; | ||
524 | BIGNUM *bitmap = NULL; | ||
525 | |||
526 | /* Prepare CA scope key blob if we have one supplied */ | ||
527 | if (key_to_blob(rc->ca_key, &kblob, &klen) == 0) | ||
528 | return -1; | ||
529 | |||
530 | buffer_init(§); | ||
531 | |||
532 | /* Store the header */ | ||
533 | buffer_put_string(buf, kblob, klen); | ||
534 | buffer_put_string(buf, NULL, 0); /* Reserved */ | ||
535 | |||
536 | free(kblob); | ||
537 | |||
538 | /* Store the revoked serials. */ | ||
539 | for (rs = RB_MIN(revoked_serial_tree, &rc->revoked_serials); | ||
540 | rs != NULL; | ||
541 | rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) { | ||
542 | debug3("%s: serial %llu:%llu state 0x%02x", __func__, | ||
543 | rs->lo, rs->hi, state); | ||
544 | |||
545 | /* Check contiguous length and gap to next section (if any) */ | ||
546 | nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs); | ||
547 | final = nrs == NULL; | ||
548 | gap = nrs == NULL ? 0 : nrs->lo - rs->hi; | ||
549 | contig = 1 + (rs->hi - rs->lo); | ||
550 | |||
551 | /* Choose next state based on these */ | ||
552 | next_state = choose_next_state(state, contig, final, | ||
553 | state == 0 ? 0 : rs->lo - last, gap, &force_new_sect); | ||
554 | |||
555 | /* | ||
556 | * If the current section is a range section or has a different | ||
557 | * type to the next section, then finish it off now. | ||
558 | */ | ||
559 | if (state != 0 && (force_new_sect || next_state != state || | ||
560 | state == KRL_SECTION_CERT_SERIAL_RANGE)) { | ||
561 | debug3("%s: finish state 0x%02x", __func__, state); | ||
562 | switch (state) { | ||
563 | case KRL_SECTION_CERT_SERIAL_LIST: | ||
564 | case KRL_SECTION_CERT_SERIAL_RANGE: | ||
565 | break; | ||
566 | case KRL_SECTION_CERT_SERIAL_BITMAP: | ||
567 | buffer_put_bignum2(§, bitmap); | ||
568 | BN_free(bitmap); | ||
569 | bitmap = NULL; | ||
570 | break; | ||
571 | } | ||
572 | buffer_put_char(buf, state); | ||
573 | buffer_put_string(buf, | ||
574 | buffer_ptr(§), buffer_len(§)); | ||
575 | } | ||
576 | |||
577 | /* If we are starting a new section then prepare it now */ | ||
578 | if (next_state != state || force_new_sect) { | ||
579 | debug3("%s: start state 0x%02x", __func__, next_state); | ||
580 | state = next_state; | ||
581 | buffer_clear(§); | ||
582 | switch (state) { | ||
583 | case KRL_SECTION_CERT_SERIAL_LIST: | ||
584 | case KRL_SECTION_CERT_SERIAL_RANGE: | ||
585 | break; | ||
586 | case KRL_SECTION_CERT_SERIAL_BITMAP: | ||
587 | if ((bitmap = BN_new()) == NULL) | ||
588 | goto out; | ||
589 | bitmap_start = rs->lo; | ||
590 | buffer_put_int64(§, bitmap_start); | ||
591 | break; | ||
592 | } | ||
593 | } | ||
594 | |||
595 | /* Perform section-specific processing */ | ||
596 | switch (state) { | ||
597 | case KRL_SECTION_CERT_SERIAL_LIST: | ||
598 | for (i = rs->lo; i < contig; i++) | ||
599 | buffer_put_int64(§, rs->lo + i); | ||
600 | break; | ||
601 | case KRL_SECTION_CERT_SERIAL_RANGE: | ||
602 | buffer_put_int64(§, rs->lo); | ||
603 | buffer_put_int64(§, rs->hi); | ||
604 | break; | ||
605 | case KRL_SECTION_CERT_SERIAL_BITMAP: | ||
606 | if (rs->lo - bitmap_start > INT_MAX) { | ||
607 | error("%s: insane bitmap gap", __func__); | ||
608 | goto out; | ||
609 | } | ||
610 | for (i = 0; i < contig; i++) { | ||
611 | if (BN_set_bit(bitmap, | ||
612 | rs->lo + i - bitmap_start) != 1) | ||
613 | goto out; | ||
614 | } | ||
615 | break; | ||
616 | } | ||
617 | last = rs->hi; | ||
618 | } | ||
619 | /* Flush the remaining section, if any */ | ||
620 | if (state != 0) { | ||
621 | debug3("%s: serial final flush for state 0x%02x", | ||
622 | __func__, state); | ||
623 | switch (state) { | ||
624 | case KRL_SECTION_CERT_SERIAL_LIST: | ||
625 | case KRL_SECTION_CERT_SERIAL_RANGE: | ||
626 | break; | ||
627 | case KRL_SECTION_CERT_SERIAL_BITMAP: | ||
628 | buffer_put_bignum2(§, bitmap); | ||
629 | BN_free(bitmap); | ||
630 | bitmap = NULL; | ||
631 | break; | ||
632 | } | ||
633 | buffer_put_char(buf, state); | ||
634 | buffer_put_string(buf, | ||
635 | buffer_ptr(§), buffer_len(§)); | ||
636 | } | ||
637 | debug3("%s: serial done ", __func__); | ||
638 | |||
639 | /* Now output a section for any revocations by key ID */ | ||
640 | buffer_clear(§); | ||
641 | RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) { | ||
642 | debug3("%s: key ID %s", __func__, rki->key_id); | ||
643 | buffer_put_cstring(§, rki->key_id); | ||
644 | } | ||
645 | if (buffer_len(§) != 0) { | ||
646 | buffer_put_char(buf, KRL_SECTION_CERT_KEY_ID); | ||
647 | buffer_put_string(buf, buffer_ptr(§), | ||
648 | buffer_len(§)); | ||
649 | } | ||
650 | r = 0; | ||
651 | out: | ||
652 | if (bitmap != NULL) | ||
653 | BN_free(bitmap); | ||
654 | buffer_free(§); | ||
655 | return r; | ||
656 | } | ||
657 | |||
658 | int | ||
659 | ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys, | ||
660 | u_int nsign_keys) | ||
661 | { | ||
662 | int r = -1; | ||
663 | struct revoked_certs *rc; | ||
664 | struct revoked_blob *rb; | ||
665 | Buffer sect; | ||
666 | u_char *kblob = NULL, *sblob = NULL; | ||
667 | u_int klen, slen, i; | ||
668 | |||
669 | if (krl->generated_date == 0) | ||
670 | krl->generated_date = time(NULL); | ||
671 | |||
672 | buffer_init(§); | ||
673 | |||
674 | /* Store the header */ | ||
675 | buffer_append(buf, KRL_MAGIC, sizeof(KRL_MAGIC) - 1); | ||
676 | buffer_put_int(buf, KRL_FORMAT_VERSION); | ||
677 | buffer_put_int64(buf, krl->krl_version); | ||
678 | buffer_put_int64(buf, krl->generated_date); | ||
679 | buffer_put_int64(buf, krl->flags); | ||
680 | buffer_put_string(buf, NULL, 0); | ||
681 | buffer_put_cstring(buf, krl->comment ? krl->comment : ""); | ||
682 | |||
683 | /* Store sections for revoked certificates */ | ||
684 | TAILQ_FOREACH(rc, &krl->revoked_certs, entry) { | ||
685 | if (revoked_certs_generate(rc, §) != 0) | ||
686 | goto out; | ||
687 | buffer_put_char(buf, KRL_SECTION_CERTIFICATES); | ||
688 | buffer_put_string(buf, buffer_ptr(§), | ||
689 | buffer_len(§)); | ||
690 | } | ||
691 | |||
692 | /* Finally, output sections for revocations by public key/hash */ | ||
693 | buffer_clear(§); | ||
694 | RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) { | ||
695 | debug3("%s: key len %u ", __func__, rb->len); | ||
696 | buffer_put_string(§, rb->blob, rb->len); | ||
697 | } | ||
698 | if (buffer_len(§) != 0) { | ||
699 | buffer_put_char(buf, KRL_SECTION_EXPLICIT_KEY); | ||
700 | buffer_put_string(buf, buffer_ptr(§), | ||
701 | buffer_len(§)); | ||
702 | } | ||
703 | buffer_clear(§); | ||
704 | RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) { | ||
705 | debug3("%s: hash len %u ", __func__, rb->len); | ||
706 | buffer_put_string(§, rb->blob, rb->len); | ||
707 | } | ||
708 | if (buffer_len(§) != 0) { | ||
709 | buffer_put_char(buf, KRL_SECTION_FINGERPRINT_SHA1); | ||
710 | buffer_put_string(buf, buffer_ptr(§), | ||
711 | buffer_len(§)); | ||
712 | } | ||
713 | |||
714 | for (i = 0; i < nsign_keys; i++) { | ||
715 | if (key_to_blob(sign_keys[i], &kblob, &klen) == 0) | ||
716 | goto out; | ||
717 | |||
718 | debug3("%s: signature key len %u", __func__, klen); | ||
719 | buffer_put_char(buf, KRL_SECTION_SIGNATURE); | ||
720 | buffer_put_string(buf, kblob, klen); | ||
721 | |||
722 | if (key_sign(sign_keys[i], &sblob, &slen, | ||
723 | buffer_ptr(buf), buffer_len(buf)) == -1) | ||
724 | goto out; | ||
725 | debug3("%s: signature sig len %u", __func__, slen); | ||
726 | buffer_put_string(buf, sblob, slen); | ||
727 | } | ||
728 | |||
729 | r = 0; | ||
730 | out: | ||
731 | free(kblob); | ||
732 | free(sblob); | ||
733 | buffer_free(§); | ||
734 | return r; | ||
735 | } | ||
736 | |||
737 | static void | ||
738 | format_timestamp(u_int64_t timestamp, char *ts, size_t nts) | ||
739 | { | ||
740 | time_t t; | ||
741 | struct tm *tm; | ||
742 | |||
743 | t = timestamp; | ||
744 | tm = localtime(&t); | ||
745 | *ts = '\0'; | ||
746 | strftime(ts, nts, "%Y%m%dT%H%M%S", tm); | ||
747 | } | ||
748 | |||
749 | static int | ||
750 | parse_revoked_certs(Buffer *buf, struct ssh_krl *krl) | ||
751 | { | ||
752 | int ret = -1, nbits; | ||
753 | u_char type, *blob; | ||
754 | u_int blen; | ||
755 | Buffer subsect; | ||
756 | u_int64_t serial, serial_lo, serial_hi; | ||
757 | BIGNUM *bitmap = NULL; | ||
758 | char *key_id = NULL; | ||
759 | Key *ca_key = NULL; | ||
760 | |||
761 | buffer_init(&subsect); | ||
762 | |||
763 | if ((blob = buffer_get_string_ptr_ret(buf, &blen)) == NULL || | ||
764 | buffer_get_string_ptr_ret(buf, NULL) == NULL) { /* reserved */ | ||
765 | error("%s: buffer error", __func__); | ||
766 | goto out; | ||
767 | } | ||
768 | if ((ca_key = key_from_blob(blob, blen)) == NULL) | ||
769 | goto out; | ||
770 | |||
771 | while (buffer_len(buf) > 0) { | ||
772 | if (buffer_get_char_ret(&type, buf) != 0 || | ||
773 | (blob = buffer_get_string_ptr_ret(buf, &blen)) == NULL) { | ||
774 | error("%s: buffer error", __func__); | ||
775 | goto out; | ||
776 | } | ||
777 | buffer_clear(&subsect); | ||
778 | buffer_append(&subsect, blob, blen); | ||
779 | debug3("%s: subsection type 0x%02x", __func__, type); | ||
780 | /* buffer_dump(&subsect); */ | ||
781 | |||
782 | switch (type) { | ||
783 | case KRL_SECTION_CERT_SERIAL_LIST: | ||
784 | while (buffer_len(&subsect) > 0) { | ||
785 | if (buffer_get_int64_ret(&serial, | ||
786 | &subsect) != 0) { | ||
787 | error("%s: buffer error", __func__); | ||
788 | goto out; | ||
789 | } | ||
790 | if (ssh_krl_revoke_cert_by_serial(krl, ca_key, | ||
791 | serial) != 0) { | ||
792 | error("%s: update failed", __func__); | ||
793 | goto out; | ||
794 | } | ||
795 | } | ||
796 | break; | ||
797 | case KRL_SECTION_CERT_SERIAL_RANGE: | ||
798 | if (buffer_get_int64_ret(&serial_lo, &subsect) != 0 || | ||
799 | buffer_get_int64_ret(&serial_hi, &subsect) != 0) { | ||
800 | error("%s: buffer error", __func__); | ||
801 | goto out; | ||
802 | } | ||
803 | if (ssh_krl_revoke_cert_by_serial_range(krl, ca_key, | ||
804 | serial_lo, serial_hi) != 0) { | ||
805 | error("%s: update failed", __func__); | ||
806 | goto out; | ||
807 | } | ||
808 | break; | ||
809 | case KRL_SECTION_CERT_SERIAL_BITMAP: | ||
810 | if ((bitmap = BN_new()) == NULL) { | ||
811 | error("%s: BN_new", __func__); | ||
812 | goto out; | ||
813 | } | ||
814 | if (buffer_get_int64_ret(&serial_lo, &subsect) != 0 || | ||
815 | buffer_get_bignum2_ret(&subsect, bitmap) != 0) { | ||
816 | error("%s: buffer error", __func__); | ||
817 | goto out; | ||
818 | } | ||
819 | if ((nbits = BN_num_bits(bitmap)) < 0) { | ||
820 | error("%s: bitmap bits < 0", __func__); | ||
821 | goto out; | ||
822 | } | ||
823 | for (serial = 0; serial < (u_int)nbits; serial++) { | ||
824 | if (serial > 0 && serial_lo + serial == 0) { | ||
825 | error("%s: bitmap wraps u64", __func__); | ||
826 | goto out; | ||
827 | } | ||
828 | if (!BN_is_bit_set(bitmap, serial)) | ||
829 | continue; | ||
830 | if (ssh_krl_revoke_cert_by_serial(krl, ca_key, | ||
831 | serial_lo + serial) != 0) { | ||
832 | error("%s: update failed", __func__); | ||
833 | goto out; | ||
834 | } | ||
835 | } | ||
836 | BN_free(bitmap); | ||
837 | bitmap = NULL; | ||
838 | break; | ||
839 | case KRL_SECTION_CERT_KEY_ID: | ||
840 | while (buffer_len(&subsect) > 0) { | ||
841 | if ((key_id = buffer_get_cstring_ret(&subsect, | ||
842 | NULL)) == NULL) { | ||
843 | error("%s: buffer error", __func__); | ||
844 | goto out; | ||
845 | } | ||
846 | if (ssh_krl_revoke_cert_by_key_id(krl, ca_key, | ||
847 | key_id) != 0) { | ||
848 | error("%s: update failed", __func__); | ||
849 | goto out; | ||
850 | } | ||
851 | free(key_id); | ||
852 | key_id = NULL; | ||
853 | } | ||
854 | break; | ||
855 | default: | ||
856 | error("Unsupported KRL certificate section %u", type); | ||
857 | goto out; | ||
858 | } | ||
859 | if (buffer_len(&subsect) > 0) { | ||
860 | error("KRL certificate section contains unparsed data"); | ||
861 | goto out; | ||
862 | } | ||
863 | } | ||
864 | |||
865 | ret = 0; | ||
866 | out: | ||
867 | if (ca_key != NULL) | ||
868 | key_free(ca_key); | ||
869 | if (bitmap != NULL) | ||
870 | BN_free(bitmap); | ||
871 | free(key_id); | ||
872 | buffer_free(&subsect); | ||
873 | return ret; | ||
874 | } | ||
875 | |||
876 | |||
877 | /* Attempt to parse a KRL, checking its signature (if any) with sign_ca_keys. */ | ||
878 | int | ||
879 | ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp, | ||
880 | const Key **sign_ca_keys, u_int nsign_ca_keys) | ||
881 | { | ||
882 | Buffer copy, sect; | ||
883 | struct ssh_krl *krl; | ||
884 | char timestamp[64]; | ||
885 | int ret = -1, r, sig_seen; | ||
886 | Key *key = NULL, **ca_used = NULL; | ||
887 | u_char type, *blob; | ||
888 | u_int i, j, sig_off, sects_off, blen, format_version, nca_used = 0; | ||
889 | |||
890 | *krlp = NULL; | ||
891 | if (buffer_len(buf) < sizeof(KRL_MAGIC) - 1 || | ||
892 | memcmp(buffer_ptr(buf), KRL_MAGIC, sizeof(KRL_MAGIC) - 1) != 0) { | ||
893 | debug3("%s: not a KRL", __func__); | ||
894 | /* | ||
895 | * Return success but a NULL *krlp here to signal that the | ||
896 | * file might be a simple list of keys. | ||
897 | */ | ||
898 | return 0; | ||
899 | } | ||
900 | |||
901 | /* Take a copy of the KRL buffer so we can verify its signature later */ | ||
902 | buffer_init(©); | ||
903 | buffer_append(©, buffer_ptr(buf), buffer_len(buf)); | ||
904 | |||
905 | buffer_init(§); | ||
906 | buffer_consume(©, sizeof(KRL_MAGIC) - 1); | ||
907 | |||
908 | if ((krl = ssh_krl_init()) == NULL) { | ||
909 | error("%s: alloc failed", __func__); | ||
910 | goto out; | ||
911 | } | ||
912 | |||
913 | if (buffer_get_int_ret(&format_version, ©) != 0) { | ||
914 | error("%s: KRL truncated", __func__); | ||
915 | goto out; | ||
916 | } | ||
917 | if (format_version != KRL_FORMAT_VERSION) { | ||
918 | error("%s: KRL unsupported format version %u", | ||
919 | __func__, format_version); | ||
920 | goto out; | ||
921 | } | ||
922 | if (buffer_get_int64_ret(&krl->krl_version, ©) != 0 || | ||
923 | buffer_get_int64_ret(&krl->generated_date, ©) != 0 || | ||
924 | buffer_get_int64_ret(&krl->flags, ©) != 0 || | ||
925 | buffer_get_string_ptr_ret(©, NULL) == NULL || /* reserved */ | ||
926 | (krl->comment = buffer_get_cstring_ret(©, NULL)) == NULL) { | ||
927 | error("%s: buffer error", __func__); | ||
928 | goto out; | ||
929 | } | ||
930 | |||
931 | format_timestamp(krl->generated_date, timestamp, sizeof(timestamp)); | ||
932 | debug("KRL version %llu generated at %s%s%s", krl->krl_version, | ||
933 | timestamp, *krl->comment ? ": " : "", krl->comment); | ||
934 | |||
935 | /* | ||
936 | * 1st pass: verify signatures, if any. This is done to avoid | ||
937 | * detailed parsing of data whose provenance is unverified. | ||
938 | */ | ||
939 | sig_seen = 0; | ||
940 | sects_off = buffer_len(buf) - buffer_len(©); | ||
941 | while (buffer_len(©) > 0) { | ||
942 | if (buffer_get_char_ret(&type, ©) != 0 || | ||
943 | (blob = buffer_get_string_ptr_ret(©, &blen)) == NULL) { | ||
944 | error("%s: buffer error", __func__); | ||
945 | goto out; | ||
946 | } | ||
947 | debug3("%s: first pass, section 0x%02x", __func__, type); | ||
948 | if (type != KRL_SECTION_SIGNATURE) { | ||
949 | if (sig_seen) { | ||
950 | error("KRL contains non-signature section " | ||
951 | "after signature"); | ||
952 | goto out; | ||
953 | } | ||
954 | /* Not interested for now. */ | ||
955 | continue; | ||
956 | } | ||
957 | sig_seen = 1; | ||
958 | /* First string component is the signing key */ | ||
959 | if ((key = key_from_blob(blob, blen)) == NULL) { | ||
960 | error("%s: invalid signature key", __func__); | ||
961 | goto out; | ||
962 | } | ||
963 | sig_off = buffer_len(buf) - buffer_len(©); | ||
964 | /* Second string component is the signature itself */ | ||
965 | if ((blob = buffer_get_string_ptr_ret(©, &blen)) == NULL) { | ||
966 | error("%s: buffer error", __func__); | ||
967 | goto out; | ||
968 | } | ||
969 | /* Check signature over entire KRL up to this point */ | ||
970 | if (key_verify(key, blob, blen, | ||
971 | buffer_ptr(buf), buffer_len(buf) - sig_off) == -1) { | ||
972 | error("bad signaure on KRL"); | ||
973 | goto out; | ||
974 | } | ||
975 | /* Check if this key has already signed this KRL */ | ||
976 | for (i = 0; i < nca_used; i++) { | ||
977 | if (key_equal(ca_used[i], key)) { | ||
978 | error("KRL signed more than once with " | ||
979 | "the same key"); | ||
980 | goto out; | ||
981 | } | ||
982 | } | ||
983 | /* Record keys used to sign the KRL */ | ||
984 | xrealloc(ca_used, nca_used + 1, sizeof(*ca_used)); | ||
985 | ca_used[nca_used++] = key; | ||
986 | key = NULL; | ||
987 | break; | ||
988 | } | ||
989 | |||
990 | /* | ||
991 | * 2nd pass: parse and load the KRL, skipping the header to the point | ||
992 | * where the section start. | ||
993 | */ | ||
994 | buffer_append(©, (u_char*)buffer_ptr(buf) + sects_off, | ||
995 | buffer_len(buf) - sects_off); | ||
996 | while (buffer_len(©) > 0) { | ||
997 | if (buffer_get_char_ret(&type, ©) != 0 || | ||
998 | (blob = buffer_get_string_ptr_ret(©, &blen)) == NULL) { | ||
999 | error("%s: buffer error", __func__); | ||
1000 | goto out; | ||
1001 | } | ||
1002 | debug3("%s: second pass, section 0x%02x", __func__, type); | ||
1003 | buffer_clear(§); | ||
1004 | buffer_append(§, blob, blen); | ||
1005 | |||
1006 | switch (type) { | ||
1007 | case KRL_SECTION_CERTIFICATES: | ||
1008 | if ((r = parse_revoked_certs(§, krl)) != 0) | ||
1009 | goto out; | ||
1010 | break; | ||
1011 | case KRL_SECTION_EXPLICIT_KEY: | ||
1012 | case KRL_SECTION_FINGERPRINT_SHA1: | ||
1013 | while (buffer_len(§) > 0) { | ||
1014 | if ((blob = buffer_get_string_ret(§, | ||
1015 | &blen)) == NULL) { | ||
1016 | error("%s: buffer error", __func__); | ||
1017 | goto out; | ||
1018 | } | ||
1019 | if (type == KRL_SECTION_FINGERPRINT_SHA1 && | ||
1020 | blen != 20) { | ||
1021 | error("%s: bad SHA1 length", __func__); | ||
1022 | goto out; | ||
1023 | } | ||
1024 | if (revoke_blob( | ||
1025 | type == KRL_SECTION_EXPLICIT_KEY ? | ||
1026 | &krl->revoked_keys : &krl->revoked_sha1s, | ||
1027 | blob, blen) != 0) | ||
1028 | goto out; /* revoke_blob frees blob */ | ||
1029 | } | ||
1030 | break; | ||
1031 | case KRL_SECTION_SIGNATURE: | ||
1032 | /* Handled above, but still need to stay in synch */ | ||
1033 | buffer_clear(§); | ||
1034 | if ((blob = buffer_get_string_ptr_ret(§, | ||
1035 | &blen)) == NULL) { | ||
1036 | error("%s: buffer error", __func__); | ||
1037 | goto out; | ||
1038 | } | ||
1039 | break; | ||
1040 | default: | ||
1041 | error("Unsupported KRL section %u", type); | ||
1042 | goto out; | ||
1043 | } | ||
1044 | if (buffer_len(§) > 0) { | ||
1045 | error("KRL section contains unparsed data"); | ||
1046 | goto out; | ||
1047 | } | ||
1048 | } | ||
1049 | |||
1050 | /* Check that the key(s) used to sign the KRL weren't revoked */ | ||
1051 | sig_seen = 0; | ||
1052 | for (i = 0; i < nca_used; i++) { | ||
1053 | if (ssh_krl_check_key(krl, ca_used[i]) == 0) | ||
1054 | sig_seen = 1; | ||
1055 | else { | ||
1056 | key_free(ca_used[i]); | ||
1057 | ca_used[i] = NULL; | ||
1058 | } | ||
1059 | } | ||
1060 | if (nca_used && !sig_seen) { | ||
1061 | error("All keys used to sign KRL were revoked"); | ||
1062 | goto out; | ||
1063 | } | ||
1064 | |||
1065 | /* If we have CA keys, then verify that one was used to sign the KRL */ | ||
1066 | if (sig_seen && nsign_ca_keys != 0) { | ||
1067 | sig_seen = 0; | ||
1068 | for (i = 0; !sig_seen && i < nsign_ca_keys; i++) { | ||
1069 | for (j = 0; j < nca_used; j++) { | ||
1070 | if (ca_used[j] == NULL) | ||
1071 | continue; | ||
1072 | if (key_equal(ca_used[j], sign_ca_keys[i])) { | ||
1073 | sig_seen = 1; | ||
1074 | break; | ||
1075 | } | ||
1076 | } | ||
1077 | } | ||
1078 | if (!sig_seen) { | ||
1079 | error("KRL not signed with any trusted key"); | ||
1080 | goto out; | ||
1081 | } | ||
1082 | } | ||
1083 | |||
1084 | *krlp = krl; | ||
1085 | ret = 0; | ||
1086 | out: | ||
1087 | if (ret != 0) | ||
1088 | ssh_krl_free(krl); | ||
1089 | for (i = 0; i < nca_used; i++) { | ||
1090 | if (ca_used[i] != NULL) | ||
1091 | key_free(ca_used[i]); | ||
1092 | } | ||
1093 | free(ca_used); | ||
1094 | if (key != NULL) | ||
1095 | key_free(key); | ||
1096 | buffer_free(©); | ||
1097 | buffer_free(§); | ||
1098 | return ret; | ||
1099 | } | ||
1100 | |||
1101 | /* Checks whether a given key/cert is revoked. Does not check its CA */ | ||
1102 | static int | ||
1103 | is_key_revoked(struct ssh_krl *krl, const Key *key) | ||
1104 | { | ||
1105 | struct revoked_blob rb, *erb; | ||
1106 | struct revoked_serial rs, *ers; | ||
1107 | struct revoked_key_id rki, *erki; | ||
1108 | struct revoked_certs *rc; | ||
1109 | |||
1110 | /* Check explicitly revoked hashes first */ | ||
1111 | bzero(&rb, sizeof(rb)); | ||
1112 | if ((rb.blob = key_fingerprint_raw(key, SSH_FP_SHA1, &rb.len)) == NULL) | ||
1113 | return -1; | ||
1114 | erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); | ||
1115 | free(rb.blob); | ||
1116 | if (erb != NULL) { | ||
1117 | debug("%s: revoked by key SHA1", __func__); | ||
1118 | return -1; | ||
1119 | } | ||
1120 | |||
1121 | /* Next, explicit keys */ | ||
1122 | bzero(&rb, sizeof(rb)); | ||
1123 | if (plain_key_blob(key, &rb.blob, &rb.len) != 0) | ||
1124 | return -1; | ||
1125 | erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb); | ||
1126 | free(rb.blob); | ||
1127 | if (erb != NULL) { | ||
1128 | debug("%s: revoked by explicit key", __func__); | ||
1129 | return -1; | ||
1130 | } | ||
1131 | |||
1132 | if (!key_is_cert(key)) | ||
1133 | return 0; | ||
1134 | |||
1135 | /* Check cert revocation */ | ||
1136 | if (revoked_certs_for_ca_key(krl, key->cert->signature_key, | ||
1137 | &rc, 0) != 0) | ||
1138 | return -1; | ||
1139 | if (rc == NULL) | ||
1140 | return 0; /* No entry for this CA */ | ||
1141 | |||
1142 | /* Check revocation by cert key ID */ | ||
1143 | bzero(&rki, sizeof(rki)); | ||
1144 | rki.key_id = key->cert->key_id; | ||
1145 | erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki); | ||
1146 | if (erki != NULL) { | ||
1147 | debug("%s: revoked by key ID", __func__); | ||
1148 | return -1; | ||
1149 | } | ||
1150 | |||
1151 | /* Legacy cert formats lack serial numbers */ | ||
1152 | if (key_cert_is_legacy(key)) | ||
1153 | return 0; | ||
1154 | |||
1155 | bzero(&rs, sizeof(rs)); | ||
1156 | rs.lo = rs.hi = key->cert->serial; | ||
1157 | ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs); | ||
1158 | if (ers != NULL) { | ||
1159 | KRL_DBG(("%s: %llu matched %llu:%llu", __func__, | ||
1160 | key->cert->serial, ers->lo, ers->hi)); | ||
1161 | debug("%s: revoked by serial", __func__); | ||
1162 | return -1; | ||
1163 | } | ||
1164 | KRL_DBG(("%s: %llu no match", __func__, key->cert->serial)); | ||
1165 | |||
1166 | return 0; | ||
1167 | } | ||
1168 | |||
1169 | int | ||
1170 | ssh_krl_check_key(struct ssh_krl *krl, const Key *key) | ||
1171 | { | ||
1172 | int r; | ||
1173 | |||
1174 | debug2("%s: checking key", __func__); | ||
1175 | if ((r = is_key_revoked(krl, key)) != 0) | ||
1176 | return r; | ||
1177 | if (key_is_cert(key)) { | ||
1178 | debug2("%s: checking CA key", __func__); | ||
1179 | if ((r = is_key_revoked(krl, key->cert->signature_key)) != 0) | ||
1180 | return r; | ||
1181 | } | ||
1182 | debug3("%s: key okay", __func__); | ||
1183 | return 0; | ||
1184 | } | ||
1185 | |||
1186 | /* Returns 0 on success, -1 on error or key revoked, -2 if path is not a KRL */ | ||
1187 | int | ||
1188 | ssh_krl_file_contains_key(const char *path, const Key *key) | ||
1189 | { | ||
1190 | Buffer krlbuf; | ||
1191 | struct ssh_krl *krl; | ||
1192 | int revoked, fd; | ||
1193 | |||
1194 | if (path == NULL) | ||
1195 | return 0; | ||
1196 | |||
1197 | if ((fd = open(path, O_RDONLY)) == -1) { | ||
1198 | error("open %s: %s", path, strerror(errno)); | ||
1199 | error("Revoked keys file not accessible - refusing public key " | ||
1200 | "authentication"); | ||
1201 | return -1; | ||
1202 | } | ||
1203 | buffer_init(&krlbuf); | ||
1204 | if (!key_load_file(fd, path, &krlbuf)) { | ||
1205 | close(fd); | ||
1206 | buffer_free(&krlbuf); | ||
1207 | error("Revoked keys file not readable - refusing public key " | ||
1208 | "authentication"); | ||
1209 | return -1; | ||
1210 | } | ||
1211 | close(fd); | ||
1212 | if (ssh_krl_from_blob(&krlbuf, &krl, NULL, 0) != 0) { | ||
1213 | buffer_free(&krlbuf); | ||
1214 | error("Invalid KRL, refusing public key " | ||
1215 | "authentication"); | ||
1216 | return -1; | ||
1217 | } | ||
1218 | buffer_free(&krlbuf); | ||
1219 | if (krl == NULL) { | ||
1220 | debug3("%s: %s is not a KRL file", __func__, path); | ||
1221 | return -2; | ||
1222 | } | ||
1223 | debug2("%s: checking KRL %s", __func__, path); | ||
1224 | revoked = ssh_krl_check_key(krl, key) != 0; | ||
1225 | ssh_krl_free(krl); | ||
1226 | return revoked ? -1 : 0; | ||
1227 | } | ||