upstream commit

sync changes from libopenssh; prepared by markus@ mostly
 debug output tweaks, a couple of error return value changes and some other
 minor stuff
djm@openbsd.org 2015-01-13 19:04:35 +00:00 committed by Damien Miller
parent 76c0480a85
commit e7fd952f4e
2 changed files with 50 additions and 52 deletions

98
krl.c

@ -14,7 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $OpenBSD: krl.c,v 1.24 2015/01/12 19:22:46 markus Exp $ */ /* $OpenBSD: krl.c,v 1.25 2015/01/13 19:04:35 djm Exp $ */
#include "includes.h" #include "includes.h"
@ -31,11 +31,11 @@
#include <unistd.h> #include <unistd.h>
#include "sshbuf.h" #include "sshbuf.h"
#include "ssherr.h"
#include "sshkey.h" #include "sshkey.h"
#include "authfile.h" #include "authfile.h"
#include "misc.h" #include "misc.h"
#include "log.h" #include "log.h"
#include "ssherr.h"
#include "digest.h" #include "digest.h"
#include "krl.h" #include "krl.h"
@ -230,7 +230,7 @@ revoked_certs_for_ca_key(struct ssh_krl *krl, const struct sshkey *ca_key,
RB_INIT(&rc->revoked_serials); RB_INIT(&rc->revoked_serials);
RB_INIT(&rc->revoked_key_ids); RB_INIT(&rc->revoked_key_ids);
TAILQ_INSERT_TAIL(&krl->revoked_certs, rc, entry); TAILQ_INSERT_TAIL(&krl->revoked_certs, rc, entry);
debug3("%s: new CA %s", __func__, sshkey_type(ca_key)); KRL_DBG(("%s: new CA %s", __func__, sshkey_type(ca_key)));
*rcp = rc; *rcp = rc;
return 0; return 0;
} }
@ -255,7 +255,7 @@ insert_serial_range(struct revoked_serial_tree *rt, u_int64_t lo, u_int64_t hi)
KRL_DBG(("%s: bad: ers != NULL", __func__)); KRL_DBG(("%s: bad: ers != NULL", __func__));
/* Shouldn't happen */ /* Shouldn't happen */
free(irs); free(irs);
return SSH_ERR_ALLOC_FAIL; return SSH_ERR_INTERNAL_ERROR;
} }
ers = irs; ers = irs;
} else { } else {
@ -270,6 +270,7 @@ insert_serial_range(struct revoked_serial_tree *rt, u_int64_t lo, u_int64_t hi)
if (ers->hi < hi) if (ers->hi < hi)
ers->hi = hi; ers->hi = hi;
} }
/* /*
* The inserted or revised range might overlap or abut adjacent ones; * The inserted or revised range might overlap or abut adjacent ones;
* coalesce as necessary. * coalesce as necessary.
@ -315,14 +316,14 @@ ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const struct sshkey *ca_key,
} }
int int
ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, const struct sshkey *ca_key, ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl,
u_int64_t lo, u_int64_t hi) const struct sshkey *ca_key, u_int64_t lo, u_int64_t hi)
{ {
struct revoked_certs *rc; struct revoked_certs *rc;
int r; int r;
if (lo > hi || lo == 0) if (lo > hi || lo == 0)
return -1; return SSH_ERR_INVALID_ARGUMENT;
if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0) if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0)
return r; return r;
return insert_serial_range(&rc->revoked_serials, lo, hi); return insert_serial_range(&rc->revoked_serials, lo, hi);
@ -339,7 +340,7 @@ ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl, const struct sshkey *ca_key,
if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0) if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0)
return r; return r;
debug3("%s: revoke %s", __func__, key_id); KRL_DBG(("%s: revoke %s", __func__, key_id));
if ((rki = calloc(1, sizeof(*rki))) == NULL || if ((rki = calloc(1, sizeof(*rki))) == NULL ||
(rki->key_id = strdup(key_id)) == NULL) { (rki->key_id = strdup(key_id)) == NULL) {
free(rki); free(rki);
@ -375,7 +376,7 @@ plain_key_blob(const struct sshkey *key, u_char **blob, size_t *blen)
/* Revoke a key blob. Ownership of blob is transferred to the tree */ /* Revoke a key blob. Ownership of blob is transferred to the tree */
static int static int
revoke_blob(struct revoked_blob_tree *rbt, u_char *blob, u_int len) revoke_blob(struct revoked_blob_tree *rbt, u_char *blob, size_t len)
{ {
struct revoked_blob *rb, *erb; struct revoked_blob *rb, *erb;
@ -507,14 +508,14 @@ choose_next_state(int current_state, u_int64_t contig, int final,
*force_new_section = 1; *force_new_section = 1;
cost = cost_bitmap_restart; cost = cost_bitmap_restart;
} }
debug3("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:" KRL_DBG(("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:"
"list %llu range %llu bitmap %llu new bitmap %llu, " "list %llu range %llu bitmap %llu new bitmap %llu, "
"selected 0x%02x%s", __func__, (long long unsigned)contig, "selected 0x%02x%s", __func__, (long long unsigned)contig,
(long long unsigned)last_gap, (long long unsigned)next_gap, final, (long long unsigned)last_gap, (long long unsigned)next_gap, final,
(long long unsigned)cost_list, (long long unsigned)cost_range, (long long unsigned)cost_list, (long long unsigned)cost_range,
(long long unsigned)cost_bitmap, (long long unsigned)cost_bitmap,
(long long unsigned)cost_bitmap_restart, new_state, (long long unsigned)cost_bitmap_restart, new_state,
*force_new_section ? " restart" : ""); *force_new_section ? " restart" : ""));
return new_state; return new_state;
} }
@ -522,7 +523,7 @@ choose_next_state(int current_state, u_int64_t contig, int final,
static int static int
revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
{ {
int final, force_new_sect, r = -1; int final, force_new_sect, r = SSH_ERR_INTERNAL_ERROR;
u_int64_t i, contig, gap, last = 0, bitmap_start = 0; u_int64_t i, contig, gap, last = 0, bitmap_start = 0;
struct revoked_serial *rs, *nrs; struct revoked_serial *rs, *nrs;
struct revoked_key_id *rki; struct revoked_key_id *rki;
@ -545,9 +546,9 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
for (rs = RB_MIN(revoked_serial_tree, &rc->revoked_serials); for (rs = RB_MIN(revoked_serial_tree, &rc->revoked_serials);
rs != NULL; rs != NULL;
rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) { rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) {
debug3("%s: serial %llu:%llu state 0x%02x", __func__, KRL_DBG(("%s: serial %llu:%llu state 0x%02x", __func__,
(long long unsigned)rs->lo, (long long unsigned)rs->hi, (long long unsigned)rs->lo, (long long unsigned)rs->hi,
state); state));
/* Check contiguous length and gap to next section (if any) */ /* Check contiguous length and gap to next section (if any) */
nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs); nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs);
@ -565,7 +566,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
*/ */
if (state != 0 && (force_new_sect || next_state != state || if (state != 0 && (force_new_sect || next_state != state ||
state == KRL_SECTION_CERT_SERIAL_RANGE)) { state == KRL_SECTION_CERT_SERIAL_RANGE)) {
debug3("%s: finish state 0x%02x", __func__, state); KRL_DBG(("%s: finish state 0x%02x", __func__, state));
switch (state) { switch (state) {
case KRL_SECTION_CERT_SERIAL_LIST: case KRL_SECTION_CERT_SERIAL_LIST:
case KRL_SECTION_CERT_SERIAL_RANGE: case KRL_SECTION_CERT_SERIAL_RANGE:
@ -585,7 +586,8 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
/* If we are starting a new section then prepare it now */ /* If we are starting a new section then prepare it now */
if (next_state != state || force_new_sect) { if (next_state != state || force_new_sect) {
debug3("%s: start state 0x%02x", __func__, next_state); KRL_DBG(("%s: start state 0x%02x", __func__,
next_state));
state = next_state; state = next_state;
sshbuf_reset(sect); sshbuf_reset(sect);
switch (state) { switch (state) {
@ -636,8 +638,8 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
} }
/* Flush the remaining section, if any */ /* Flush the remaining section, if any */
if (state != 0) { if (state != 0) {
debug3("%s: serial final flush for state 0x%02x", KRL_DBG(("%s: serial final flush for state 0x%02x",
__func__, state); __func__, state));
switch (state) { switch (state) {
case KRL_SECTION_CERT_SERIAL_LIST: case KRL_SECTION_CERT_SERIAL_LIST:
case KRL_SECTION_CERT_SERIAL_RANGE: case KRL_SECTION_CERT_SERIAL_RANGE:
@ -653,12 +655,12 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf)
(r = sshbuf_put_stringb(buf, sect)) != 0) (r = sshbuf_put_stringb(buf, sect)) != 0)
goto out; goto out;
} }
debug3("%s: serial done ", __func__); KRL_DBG(("%s: serial done ", __func__));
/* Now output a section for any revocations by key ID */ /* Now output a section for any revocations by key ID */
sshbuf_reset(sect); sshbuf_reset(sect);
RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) { RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) {
debug3("%s: key ID %s", __func__, rki->key_id); KRL_DBG(("%s: key ID %s", __func__, rki->key_id));
if ((r = sshbuf_put_cstring(sect, rki->key_id)) != 0) if ((r = sshbuf_put_cstring(sect, rki->key_id)) != 0)
goto out; goto out;
} }
@ -679,7 +681,7 @@ int
ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf,
const struct sshkey **sign_keys, u_int nsign_keys) const struct sshkey **sign_keys, u_int nsign_keys)
{ {
int r = -1; int r = SSH_ERR_INTERNAL_ERROR;
struct revoked_certs *rc; struct revoked_certs *rc;
struct revoked_blob *rb; struct revoked_blob *rb;
struct sshbuf *sect; struct sshbuf *sect;
@ -715,7 +717,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf,
/* Finally, output sections for revocations by public key/hash */ /* Finally, output sections for revocations by public key/hash */
sshbuf_reset(sect); sshbuf_reset(sect);
RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) { RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) {
debug3("%s: key len %zu ", __func__, rb->len); KRL_DBG(("%s: key len %u ", __func__, rb->len));
if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0)
goto out; goto out;
} }
@ -726,7 +728,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf,
} }
sshbuf_reset(sect); sshbuf_reset(sect);
RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) { RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) {
debug3("%s: hash len %zu ", __func__, rb->len); KRL_DBG(("%s: hash len %u ", __func__, rb->len));
if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0)
goto out; goto out;
} }
@ -742,7 +744,8 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf,
if ((r = sshkey_to_blob_buf(sign_keys[i], sect)) != 0) if ((r = sshkey_to_blob_buf(sign_keys[i], sect)) != 0)
goto out; goto out;
debug3("%s: signature key len %zu", __func__, sshbuf_len(sect)); KRL_DBG(("%s: signature key len %zu", __func__,
sshbuf_len(sect)));
if ((r = sshbuf_put_u8(buf, KRL_SECTION_SIGNATURE)) != 0 || if ((r = sshbuf_put_u8(buf, KRL_SECTION_SIGNATURE)) != 0 ||
(r = sshbuf_put_stringb(buf, sect)) != 0) (r = sshbuf_put_stringb(buf, sect)) != 0)
goto out; goto out;
@ -750,7 +753,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf,
if ((r = sshkey_sign(sign_keys[i], &sblob, &slen, if ((r = sshkey_sign(sign_keys[i], &sblob, &slen,
sshbuf_ptr(buf), sshbuf_len(buf), 0)) == -1) sshbuf_ptr(buf), sshbuf_len(buf), 0)) == -1)
goto out; goto out;
debug3("%s: signature sig len %zu", __func__, slen); KRL_DBG(("%s: signature sig len %u", __func__, slen));
if ((r = sshbuf_put_string(buf, sblob, slen)) != 0) if ((r = sshbuf_put_string(buf, sblob, slen)) != 0)
goto out; goto out;
} }
@ -781,7 +784,7 @@ format_timestamp(u_int64_t timestamp, char *ts, size_t nts)
static int static int
parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl) parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl)
{ {
int r = -1, nbits; int r = SSH_ERR_INTERNAL_ERROR, nbits;
u_char type; u_char type;
const u_char *blob; const u_char *blob;
size_t blen; size_t blen;
@ -809,7 +812,8 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl)
if ((r = sshbuf_get_u8(buf, &type)) != 0 || if ((r = sshbuf_get_u8(buf, &type)) != 0 ||
(r = sshbuf_froms(buf, &subsect)) != 0) (r = sshbuf_froms(buf, &subsect)) != 0)
goto out; goto out;
debug3("%s: subsection type 0x%02x", __func__, type); KRL_DBG(("%s: subsection type 0x%02x", __func__, type));
/* sshbuf_dump(subsect, stderr); */
switch (type) { switch (type) {
case KRL_SECTION_CERT_SERIAL_LIST: case KRL_SECTION_CERT_SERIAL_LIST:
@ -842,7 +846,7 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl)
r = SSH_ERR_INVALID_FORMAT; r = SSH_ERR_INVALID_FORMAT;
goto out; goto out;
} }
for (serial = 0; serial < (u_int)nbits; serial++) { for (serial = 0; serial < (u_int64_t)nbits; serial++) {
if (serial > 0 && serial_lo + serial == 0) { if (serial > 0 && serial_lo + serial == 0) {
error("%s: bitmap wraps u64", __func__); error("%s: bitmap wraps u64", __func__);
r = SSH_ERR_INVALID_FORMAT; r = SSH_ERR_INVALID_FORMAT;
@ -895,12 +899,12 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl)
/* Attempt to parse a KRL, checking its signature (if any) with sign_ca_keys. */ /* Attempt to parse a KRL, checking its signature (if any) with sign_ca_keys. */
int int
ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
const struct sshkey **sign_ca_keys, u_int nsign_ca_keys) const struct sshkey **sign_ca_keys, size_t nsign_ca_keys)
{ {
struct sshbuf *copy = NULL, *sect = NULL; struct sshbuf *copy = NULL, *sect = NULL;
struct ssh_krl *krl = NULL; struct ssh_krl *krl = NULL;
char timestamp[64]; char timestamp[64];
int r = -1, sig_seen; int r = SSH_ERR_INTERNAL_ERROR, sig_seen;
struct sshkey *key = NULL, **ca_used = NULL, **tmp_ca_used; struct sshkey *key = NULL, **ca_used = NULL, **tmp_ca_used;
u_char type, *rdata = NULL; u_char type, *rdata = NULL;
const u_char *blob; const u_char *blob;
@ -961,12 +965,12 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
if ((r = sshbuf_get_u8(copy, &type)) != 0 || if ((r = sshbuf_get_u8(copy, &type)) != 0 ||
(r = sshbuf_get_string_direct(copy, &blob, &blen)) != 0) (r = sshbuf_get_string_direct(copy, &blob, &blen)) != 0)
goto out; goto out;
debug3("%s: first pass, section 0x%02x", __func__, type); KRL_DBG(("%s: first pass, section 0x%02x", __func__, type));
if (type != KRL_SECTION_SIGNATURE) { if (type != KRL_SECTION_SIGNATURE) {
if (sig_seen) { if (sig_seen) {
r = SSH_ERR_INVALID_FORMAT;
error("KRL contains non-signature section " error("KRL contains non-signature section "
"after signature"); "after signature");
r = SSH_ERR_INVALID_FORMAT;
goto out; goto out;
} }
/* Not interested for now. */ /* Not interested for now. */
@ -976,7 +980,6 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
/* First string component is the signing key */ /* First string component is the signing key */
if ((r = sshkey_from_blob(blob, blen, &key)) != 0) { if ((r = sshkey_from_blob(blob, blen, &key)) != 0) {
r = SSH_ERR_INVALID_FORMAT; r = SSH_ERR_INVALID_FORMAT;
error("%s: invalid signature key", __func__);
goto out; goto out;
} }
if (sshbuf_len(buf) < sshbuf_len(copy)) { if (sshbuf_len(buf) < sshbuf_len(copy)) {
@ -992,16 +995,14 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
} }
/* Check signature over entire KRL up to this point */ /* Check signature over entire KRL up to this point */
if ((r = sshkey_verify(key, blob, blen, if ((r = sshkey_verify(key, blob, blen,
sshbuf_ptr(buf), sshbuf_len(buf) - sig_off, 0)) != 0) { sshbuf_ptr(buf), sshbuf_len(buf) - sig_off, 0)) != 0)
error("bad signaure on KRL");
goto out; goto out;
}
/* Check if this key has already signed this KRL */ /* Check if this key has already signed this KRL */
for (i = 0; i < nca_used; i++) { for (i = 0; i < nca_used; i++) {
if (sshkey_equal(ca_used[i], key)) { if (sshkey_equal(ca_used[i], key)) {
error("KRL signed more than once with " error("KRL signed more than once with "
"the same key"); "the same key");
r = SSH_ERR_SIGNATURE_INVALID; r = SSH_ERR_INVALID_FORMAT;
goto out; goto out;
} }
} }
@ -1041,10 +1042,9 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
sect = NULL; sect = NULL;
} }
if ((r = sshbuf_get_u8(copy, &type)) != 0 || if ((r = sshbuf_get_u8(copy, &type)) != 0 ||
(r = sshbuf_froms(copy, &sect)) != 0) { (r = sshbuf_froms(copy, &sect)) != 0)
goto out; goto out;
} KRL_DBG(("%s: second pass, section 0x%02x", __func__, type));
debug3("%s: second pass, section 0x%02x", __func__, type);
switch (type) { switch (type) {
case KRL_SECTION_CERTIFICATES: case KRL_SECTION_CERTIFICATES:
@ -1068,7 +1068,7 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
&krl->revoked_keys : &krl->revoked_sha1s, &krl->revoked_keys : &krl->revoked_sha1s,
rdata, rlen)) != 0) rdata, rlen)) != 0)
goto out; goto out;
rdata = NULL; /* revoke_blob frees blob */ rdata = NULL; /* revoke_blob frees rdata */
} }
break; break;
case KRL_SECTION_SIGNATURE: case KRL_SECTION_SIGNATURE:
@ -1101,8 +1101,8 @@ ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
} }
} }
if (nca_used && !sig_seen) { if (nca_used && !sig_seen) {
r = SSH_ERR_SIGNATURE_INVALID;
error("All keys used to sign KRL were revoked"); error("All keys used to sign KRL were revoked");
r = SSH_ERR_KEY_REVOKED;
goto out; goto out;
} }
@ -1159,7 +1159,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
free(rb.blob); free(rb.blob);
if (erb != NULL) { if (erb != NULL) {
debug("%s: revoked by key SHA1", __func__); KRL_DBG(("%s: revoked by key SHA1", __func__));
return SSH_ERR_KEY_REVOKED; return SSH_ERR_KEY_REVOKED;
} }
@ -1170,7 +1170,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb); erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
free(rb.blob); free(rb.blob);
if (erb != NULL) { if (erb != NULL) {
debug("%s: revoked by explicit key", __func__); KRL_DBG(("%s: revoked by explicit key", __func__));
return SSH_ERR_KEY_REVOKED; return SSH_ERR_KEY_REVOKED;
} }
@ -1189,7 +1189,7 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
rki.key_id = key->cert->key_id; rki.key_id = key->cert->key_id;
erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki); erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki);
if (erki != NULL) { if (erki != NULL) {
debug("%s: revoked by key ID", __func__); KRL_DBG(("%s: revoked by key ID", __func__));
return SSH_ERR_KEY_REVOKED; return SSH_ERR_KEY_REVOKED;
} }
@ -1204,13 +1204,11 @@ is_key_revoked(struct ssh_krl *krl, const struct sshkey *key)
rs.lo = rs.hi = key->cert->serial; rs.lo = rs.hi = key->cert->serial;
ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs); ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs);
if (ers != NULL) { if (ers != NULL) {
KRL_DBG(("%s: %llu matched %llu:%llu", __func__, KRL_DBG(("%s: revoked serial %llu matched %llu:%llu", __func__,
key->cert->serial, ers->lo, ers->hi)); key->cert->serial, ers->lo, ers->hi));
debug("%s: revoked by serial", __func__);
return SSH_ERR_KEY_REVOKED; return SSH_ERR_KEY_REVOKED;
} }
KRL_DBG(("%s: %llu no match", __func__, key->cert->serial)); KRL_DBG(("%s: %llu no match", __func__, key->cert->serial));
return 0; return 0;
} }
@ -1219,7 +1217,7 @@ ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key)
{ {
int r; int r;
debug2("%s: checking key", __func__); KRL_DBG(("%s: checking key", __func__));
if ((r = is_key_revoked(krl, key)) != 0) if ((r = is_key_revoked(krl, key)) != 0)
return r; return r;
if (sshkey_is_cert(key)) { if (sshkey_is_cert(key)) {
@ -1227,7 +1225,7 @@ ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key)
if ((r = is_key_revoked(krl, key->cert->signature_key)) != 0) if ((r = is_key_revoked(krl, key->cert->signature_key)) != 0)
return r; return r;
} }
debug3("%s: key okay", __func__); KRL_DBG(("%s: key okay", __func__));
return 0; return 0;
} }
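Review bot: In the `ssh_krl_to_blob` hunk at -750/+753 the `sshkey_sign(...)` result is still compared with `== -1`, although this commit otherwise moves the file to `SSH_ERR_*` codes tested with `!= 0`. If the signer can fail with any other non-zero code, that failure falls through to the `sshbuf_put_string(buf, sblob, slen)` that follows, so the condition should end `sshbuf_len(buf), 0)) != 0)`. The same hunk switches the debug format for `slen` from `%zu` to `%u`; `slen` is passed by address to `sshkey_sign` and is presumably a `size_t`, so `%zu` should stay to avoid a mismatched specifier once KRL debugging is compiled in. The two `rb->len` lines in the earlier `ssh_krl_to_blob` hunks make the same `%zu` to `%u` change and should be checked against the field's declared type, which is not visible here. The function body starts and ends outside the hunk.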

4
krl.h

@ -14,7 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $OpenBSD: krl.h,v 1.3 2014/12/04 01:49:59 djm Exp $ */ /* $OpenBSD: krl.h,v 1.4 2015/01/13 19:06:49 djm Exp $ */
#ifndef _KRL_H #ifndef _KRL_H
#define _KRL_H #define _KRL_H
@ -57,7 +57,7 @@ int ssh_krl_revoke_key(struct ssh_krl *krl, const struct sshkey *key);
int ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf, int ssh_krl_to_blob(struct ssh_krl *krl, struct sshbuf *buf,
const struct sshkey **sign_keys, u_int nsign_keys); const struct sshkey **sign_keys, u_int nsign_keys);
int ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp, int ssh_krl_from_blob(struct sshbuf *buf, struct ssh_krl **krlp,
const struct sshkey **sign_ca_keys, u_int nsign_ca_keys); const struct sshkey **sign_ca_keys, size_t nsign_ca_keys);
int ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key); int ssh_krl_check_key(struct ssh_krl *krl, const struct sshkey *key);
int ssh_krl_file_contains_key(const char *path, const struct sshkey *key); int ssh_krl_file_contains_key(const char *path, const struct sshkey *key);
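Review bot: After this change the two key-count parameters in adjacent prototypes have different types: `ssh_krl_from_blob` takes `size_t nsign_ca_keys` while `ssh_krl_to_blob` directly above keeps `u_int nsign_keys`. If the widening is meant as a general move to `size_t` for counts, the `ssh_krl_to_blob` prototype and its definition in krl.c should follow in the same sync, `const struct sshkey **sign_keys, size_t nsign_keys);`. Otherwise a short comment on the declaration saying why only the parse side was widened would keep the next reader from treating it as an oversight.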