| version 1.25, 2015/01/13 19:04:35 |
version 1.26, 2015/01/14 15:02:39 |
|
|
| #include "misc.h" |
#include "misc.h" |
| #include "log.h" |
#include "log.h" |
| #include "digest.h" |
#include "digest.h" |
| |
#include "bitmap.h" |
| |
|
| #include "krl.h" |
#include "krl.h" |
| |
|
|
|
| return new_state; |
return new_state; |
| } |
} |
| |
|
| |
static int |
| |
put_bitmap(struct sshbuf *buf, struct bitmap *bitmap) |
| |
{ |
| |
size_t len; |
| |
u_char *blob; |
| |
int r; |
| |
|
| |
len = bitmap_nbytes(bitmap); |
| |
if ((blob = malloc(len)) == NULL) |
| |
return SSH_ERR_ALLOC_FAIL; |
| |
if (bitmap_to_string(bitmap, blob, len) != 0) { |
| |
free(blob); |
| |
return SSH_ERR_INTERNAL_ERROR; |
| |
} |
| |
r = sshbuf_put_bignum2_bytes(buf, blob, len); |
| |
free(blob); |
| |
return r; |
| |
} |
| |
|
| /* Generate a KRL_SECTION_CERTIFICATES KRL section */ |
/* Generate a KRL_SECTION_CERTIFICATES KRL section */ |
| static int |
static int |
| revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) |
revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) |
|
|
| struct revoked_key_id *rki; |
struct revoked_key_id *rki; |
| int next_state, state = 0; |
int next_state, state = 0; |
| struct sshbuf *sect; |
struct sshbuf *sect; |
| BIGNUM *bitmap = NULL; |
struct bitmap *bitmap = NULL; |
| |
|
| if ((sect = sshbuf_new()) == NULL) |
if ((sect = sshbuf_new()) == NULL) |
| return SSH_ERR_ALLOC_FAIL; |
return SSH_ERR_ALLOC_FAIL; |
|
|
| case KRL_SECTION_CERT_SERIAL_RANGE: |
case KRL_SECTION_CERT_SERIAL_RANGE: |
| break; |
break; |
| case KRL_SECTION_CERT_SERIAL_BITMAP: |
case KRL_SECTION_CERT_SERIAL_BITMAP: |
| if ((r = sshbuf_put_bignum2(sect, bitmap)) != 0) |
if ((r = put_bitmap(sect, bitmap)) != 0) |
| goto out; |
goto out; |
| BN_free(bitmap); |
bitmap_free(bitmap); |
| bitmap = NULL; |
bitmap = NULL; |
| break; |
break; |
| } |
} |
|
|
| case KRL_SECTION_CERT_SERIAL_RANGE: |
case KRL_SECTION_CERT_SERIAL_RANGE: |
| break; |
break; |
| case KRL_SECTION_CERT_SERIAL_BITMAP: |
case KRL_SECTION_CERT_SERIAL_BITMAP: |
| if ((bitmap = BN_new()) == NULL) { |
if ((bitmap = bitmap_new()) == NULL) { |
| r = SSH_ERR_ALLOC_FAIL; |
r = SSH_ERR_ALLOC_FAIL; |
| goto out; |
goto out; |
| } |
} |
|
|
| goto out; |
goto out; |
| } |
} |
| for (i = 0; i < contig; i++) { |
for (i = 0; i < contig; i++) { |
| if (BN_set_bit(bitmap, |
if (bitmap_set_bit(bitmap, |
| rs->lo + i - bitmap_start) != 1) { |
rs->lo + i - bitmap_start) != 0) { |
| r = SSH_ERR_ALLOC_FAIL; |
r = SSH_ERR_ALLOC_FAIL; |
| goto out; |
goto out; |
| } |
} |
|
|
| case KRL_SECTION_CERT_SERIAL_RANGE: |
case KRL_SECTION_CERT_SERIAL_RANGE: |
| break; |
break; |
| case KRL_SECTION_CERT_SERIAL_BITMAP: |
case KRL_SECTION_CERT_SERIAL_BITMAP: |
| if ((r = sshbuf_put_bignum2(sect, bitmap)) != 0) |
if ((r = put_bitmap(sect, bitmap)) != 0) |
| goto out; |
goto out; |
| BN_free(bitmap); |
bitmap_free(bitmap); |
| bitmap = NULL; |
bitmap = NULL; |
| break; |
break; |
| } |
} |
|
|
| } |
} |
| r = 0; |
r = 0; |
| out: |
out: |
| if (bitmap != NULL) |
bitmap_free(bitmap); |
| BN_free(bitmap); |
|
| sshbuf_free(sect); |
sshbuf_free(sect); |
| return r; |
return r; |
| } |
} |
|
|
| static int |
static int |
| parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl) |
parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl) |
| { |
{ |
| int r = SSH_ERR_INTERNAL_ERROR, nbits; |
int r = SSH_ERR_INTERNAL_ERROR; |
| u_char type; |
u_char type; |
| const u_char *blob; |
const u_char *blob; |
| size_t blen; |
size_t blen, nbits; |
| struct sshbuf *subsect = NULL; |
struct sshbuf *subsect = NULL; |
| u_int64_t serial, serial_lo, serial_hi; |
u_int64_t serial, serial_lo, serial_hi; |
| BIGNUM *bitmap = NULL; |
struct bitmap *bitmap = NULL; |
| char *key_id = NULL; |
char *key_id = NULL; |
| struct sshkey *ca_key = NULL; |
struct sshkey *ca_key = NULL; |
| |
|
|
|
| goto out; |
goto out; |
| break; |
break; |
| case KRL_SECTION_CERT_SERIAL_BITMAP: |
case KRL_SECTION_CERT_SERIAL_BITMAP: |
| if ((bitmap = BN_new()) == NULL) { |
if ((bitmap = bitmap_new()) == NULL) { |
| r = SSH_ERR_ALLOC_FAIL; |
r = SSH_ERR_ALLOC_FAIL; |
| goto out; |
goto out; |
| } |
} |
| if ((r = sshbuf_get_u64(subsect, &serial_lo)) != 0 || |
if ((r = sshbuf_get_u64(subsect, &serial_lo)) != 0 || |
| (r = sshbuf_get_bignum2(subsect, bitmap)) != 0) |
(r = sshbuf_get_bignum2_bytes_direct(subsect, |
| |
&blob, &blen)) != 0) |
| goto out; |
goto out; |
| if ((nbits = BN_num_bits(bitmap)) < 0) { |
if (bitmap_from_string(bitmap, blob, blen) != 0) { |
| error("%s: bitmap bits < 0", __func__); |
|
| r = SSH_ERR_INVALID_FORMAT; |
r = SSH_ERR_INVALID_FORMAT; |
| goto out; |
goto out; |
| } |
} |
| |
nbits = bitmap_nbits(bitmap); |
| for (serial = 0; serial < (u_int64_t)nbits; serial++) { |
for (serial = 0; serial < (u_int64_t)nbits; serial++) { |
| if (serial > 0 && serial_lo + serial == 0) { |
if (serial > 0 && serial_lo + serial == 0) { |
| error("%s: bitmap wraps u64", __func__); |
error("%s: bitmap wraps u64", __func__); |
| r = SSH_ERR_INVALID_FORMAT; |
r = SSH_ERR_INVALID_FORMAT; |
| goto out; |
goto out; |
| } |
} |
| if (!BN_is_bit_set(bitmap, serial)) |
if (!bitmap_test_bit(bitmap, serial)) |
| continue; |
continue; |
| if ((r = ssh_krl_revoke_cert_by_serial(krl, |
if ((r = ssh_krl_revoke_cert_by_serial(krl, |
| ca_key, serial_lo + serial)) != 0) |
ca_key, serial_lo + serial)) != 0) |
| goto out; |
goto out; |
| } |
} |
| BN_free(bitmap); |
bitmap_free(bitmap); |
| bitmap = NULL; |
bitmap = NULL; |
| break; |
break; |
| case KRL_SECTION_CERT_KEY_ID: |
case KRL_SECTION_CERT_KEY_ID: |
|
|
| r = 0; |
r = 0; |
| out: |
out: |
| if (bitmap != NULL) |
if (bitmap != NULL) |
| BN_free(bitmap); |
bitmap_free(bitmap); |
| free(key_id); |
free(key_id); |
| sshkey_free(ca_key); |
sshkey_free(ca_key); |
| sshbuf_free(subsect); |
sshbuf_free(subsect); |
![[BACK]](/icons/back.gif){kind=icon}
Return to krl.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh