tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream commit 

fix KRL generation when multiple CAs are in use

We would generate an invalid KRL when revoking certs by serial
number for multiple CA keys due to a section being written out
twice.

Also extend the regress test to catch this case by having it
produce a multi-CA KRL.

Reported by peter AT pean.org
This commit is contained in:
djm@openbsd.org 2014-11-17 00:21:40 +00:00 committed by Damien Miller
parent da8af83d3f
commit 9f9fad0191
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
krl.c
View File

@ -14,7 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $OpenBSD: krl.c,v 1.17 2014/06/24 01:13:21 djm Exp $ */ /* $OpenBSD: krl.c,v 1.18 2014/11/17 00:21:40 djm Exp $ */
#include "includes.h" #include "includes.h"
@ -686,6 +686,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys,
/* Store sections for revoked certificates */ /* Store sections for revoked certificates */
TAILQ_FOREACH(rc, &krl->revoked_certs, entry) { TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
buffer_clear(&sect);
if (revoked_certs_generate(rc, &sect) != 0) if (revoked_certs_generate(rc, &sect) != 0)
goto out; goto out;
buffer_put_char(buf, KRL_SECTION_CERTIFICATES); buffer_put_char(buf, KRL_SECTION_CERTIFICATES);