| version 1.51, 2020/08/27 01:06:18 |
version 1.52, 2020/10/18 11:32:01 |
|
|
| |
|
| /* #define DEBUG_KRL */ |
/* #define DEBUG_KRL */ |
| #ifdef DEBUG_KRL |
#ifdef DEBUG_KRL |
| # define KRL_DBG(x) debug3 x |
# define KRL_DBG(x) debug3_f x |
| #else |
#else |
| # define KRL_DBG(x) |
# define KRL_DBG(x) |
| #endif |
#endif |
|
|
| RB_INIT(&rc->revoked_serials); |
RB_INIT(&rc->revoked_serials); |
| RB_INIT(&rc->revoked_key_ids); |
RB_INIT(&rc->revoked_key_ids); |
| TAILQ_INSERT_TAIL(&krl->revoked_certs, rc, entry); |
TAILQ_INSERT_TAIL(&krl->revoked_certs, rc, entry); |
| KRL_DBG(("%s: new CA %s", __func__, |
KRL_DBG(("new CA %s", ca_key == NULL ? "*" : sshkey_type(ca_key))); |
| ca_key == NULL ? "*" : sshkey_type(ca_key))); |
|
| *rcp = rc; |
*rcp = rc; |
| return 0; |
return 0; |
| } |
} |
|
|
| { |
{ |
| struct revoked_serial rs, *ers, *crs, *irs; |
struct revoked_serial rs, *ers, *crs, *irs; |
| |
|
| KRL_DBG(("%s: insert %llu:%llu", __func__, lo, hi)); |
KRL_DBG(("insert %llu:%llu", lo, hi)); |
| memset(&rs, 0, sizeof(rs)); |
memset(&rs, 0, sizeof(rs)); |
| rs.lo = lo; |
rs.lo = lo; |
| rs.hi = hi; |
rs.hi = hi; |
|
|
| memcpy(irs, &rs, sizeof(*irs)); |
memcpy(irs, &rs, sizeof(*irs)); |
| ers = RB_INSERT(revoked_serial_tree, rt, irs); |
ers = RB_INSERT(revoked_serial_tree, rt, irs); |
| if (ers != NULL) { |
if (ers != NULL) { |
| KRL_DBG(("%s: bad: ers != NULL", __func__)); |
KRL_DBG(("bad: ers != NULL")); |
| /* Shouldn't happen */ |
/* Shouldn't happen */ |
| free(irs); |
free(irs); |
| return SSH_ERR_INTERNAL_ERROR; |
return SSH_ERR_INTERNAL_ERROR; |
| } |
} |
| ers = irs; |
ers = irs; |
| } else { |
} else { |
| KRL_DBG(("%s: overlap found %llu:%llu", __func__, |
KRL_DBG(("overlap found %llu:%llu", ers->lo, ers->hi)); |
| ers->lo, ers->hi)); |
|
| /* |
/* |
| * The inserted entry overlaps an existing one. Grow the |
* The inserted entry overlaps an existing one. Grow the |
| * existing entry. |
* existing entry. |
|
|
| |
|
| /* Check predecessors */ |
/* Check predecessors */ |
| while ((crs = RB_PREV(revoked_serial_tree, rt, ers)) != NULL) { |
while ((crs = RB_PREV(revoked_serial_tree, rt, ers)) != NULL) { |
| KRL_DBG(("%s: pred %llu:%llu", __func__, crs->lo, crs->hi)); |
KRL_DBG(("pred %llu:%llu", crs->lo, crs->hi)); |
| if (ers->lo != 0 && crs->hi < ers->lo - 1) |
if (ers->lo != 0 && crs->hi < ers->lo - 1) |
| break; |
break; |
| /* This entry overlaps. */ |
/* This entry overlaps. */ |
| if (crs->lo < ers->lo) { |
if (crs->lo < ers->lo) { |
| ers->lo = crs->lo; |
ers->lo = crs->lo; |
| KRL_DBG(("%s: pred extend %llu:%llu", __func__, |
KRL_DBG(("pred extend %llu:%llu", ers->lo, ers->hi)); |
| ers->lo, ers->hi)); |
|
| } |
} |
| RB_REMOVE(revoked_serial_tree, rt, crs); |
RB_REMOVE(revoked_serial_tree, rt, crs); |
| free(crs); |
free(crs); |
| } |
} |
| /* Check successors */ |
/* Check successors */ |
| while ((crs = RB_NEXT(revoked_serial_tree, rt, ers)) != NULL) { |
while ((crs = RB_NEXT(revoked_serial_tree, rt, ers)) != NULL) { |
| KRL_DBG(("%s: succ %llu:%llu", __func__, crs->lo, crs->hi)); |
KRL_DBG(("succ %llu:%llu", crs->lo, crs->hi)); |
| if (ers->hi != (u_int64_t)-1 && crs->lo > ers->hi + 1) |
if (ers->hi != (u_int64_t)-1 && crs->lo > ers->hi + 1) |
| break; |
break; |
| /* This entry overlaps. */ |
/* This entry overlaps. */ |
| if (crs->hi > ers->hi) { |
if (crs->hi > ers->hi) { |
| ers->hi = crs->hi; |
ers->hi = crs->hi; |
| KRL_DBG(("%s: succ extend %llu:%llu", __func__, |
KRL_DBG(("succ extend %llu:%llu", ers->lo, ers->hi)); |
| ers->lo, ers->hi)); |
|
| } |
} |
| RB_REMOVE(revoked_serial_tree, rt, crs); |
RB_REMOVE(revoked_serial_tree, rt, crs); |
| free(crs); |
free(crs); |
| } |
} |
| KRL_DBG(("%s: done, final %llu:%llu", __func__, ers->lo, ers->hi)); |
KRL_DBG(("done, final %llu:%llu", ers->lo, ers->hi)); |
| return 0; |
return 0; |
| } |
} |
| |
|
|
|
| if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0) |
if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0) |
| return r; |
return r; |
| |
|
| KRL_DBG(("%s: revoke %s", __func__, key_id)); |
KRL_DBG(("revoke %s", key_id)); |
| if ((rki = calloc(1, sizeof(*rki))) == NULL || |
if ((rki = calloc(1, sizeof(*rki))) == NULL || |
| (rki->key_id = strdup(key_id)) == NULL) { |
(rki->key_id = strdup(key_id)) == NULL) { |
| free(rki); |
free(rki); |
|
|
| size_t len; |
size_t len; |
| int r; |
int r; |
| |
|
| debug3("%s: revoke type %s", __func__, sshkey_type(key)); |
debug3_f("revoke type %s", sshkey_type(key)); |
| if ((r = plain_key_blob(key, &blob, &len)) != 0) |
if ((r = plain_key_blob(key, &blob, &len)) != 0) |
| return r; |
return r; |
| return revoke_blob(&krl->revoked_keys, blob, len); |
return revoke_blob(&krl->revoked_keys, blob, len); |
|
|
| int |
int |
| ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const u_char *p, size_t len) |
ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const u_char *p, size_t len) |
| { |
{ |
| debug3("%s: revoke by sha1", __func__); |
debug3_f("revoke by sha1"); |
| if (len != 20) |
if (len != 20) |
| return SSH_ERR_INVALID_FORMAT; |
return SSH_ERR_INVALID_FORMAT; |
| return revoke_by_hash(&krl->revoked_sha1s, p, len); |
return revoke_by_hash(&krl->revoked_sha1s, p, len); |
|
|
| int |
int |
| ssh_krl_revoke_key_sha256(struct ssh_krl *krl, const u_char *p, size_t len) |
ssh_krl_revoke_key_sha256(struct ssh_krl *krl, const u_char *p, size_t len) |
| { |
{ |
| debug3("%s: revoke by sha256", __func__); |
debug3_f("revoke by sha256"); |
| if (len != 32) |
if (len != 32) |
| return SSH_ERR_INVALID_FORMAT; |
return SSH_ERR_INVALID_FORMAT; |
| return revoke_by_hash(&krl->revoked_sha256s, p, len); |
return revoke_by_hash(&krl->revoked_sha256s, p, len); |
|
|
| *force_new_section = 1; |
*force_new_section = 1; |
| cost = cost_bitmap_restart; |
cost = cost_bitmap_restart; |
| } |
} |
| KRL_DBG(("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:" |
KRL_DBG(("contig %llu last_gap %llu next_gap %llu final %d, costs:" |
| "list %llu range %llu bitmap %llu new bitmap %llu, " |
"list %llu range %llu bitmap %llu new bitmap %llu, " |
| "selected 0x%02x%s", __func__, (long long unsigned)contig, |
"selected 0x%02x%s", (long long unsigned)contig, |
| (long long unsigned)last_gap, (long long unsigned)next_gap, final, |
(long long unsigned)last_gap, (long long unsigned)next_gap, final, |
| (long long unsigned)cost_list, (long long unsigned)cost_range, |
(long long unsigned)cost_list, (long long unsigned)cost_range, |
| (long long unsigned)cost_bitmap, |
(long long unsigned)cost_bitmap, |
|
|
| for (rs = RB_MIN(revoked_serial_tree, &rc->revoked_serials); |
for (rs = RB_MIN(revoked_serial_tree, &rc->revoked_serials); |
| rs != NULL; |
rs != NULL; |
| rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) { |
rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) { |
| KRL_DBG(("%s: serial %llu:%llu state 0x%02x", __func__, |
KRL_DBG(("serial %llu:%llu state 0x%02x", |
| (long long unsigned)rs->lo, (long long unsigned)rs->hi, |
(long long unsigned)rs->lo, (long long unsigned)rs->hi, |
| state)); |
state)); |
| |
|
|
|
| */ |
*/ |
| if (state != 0 && (force_new_sect || next_state != state || |
if (state != 0 && (force_new_sect || next_state != state || |
| state == KRL_SECTION_CERT_SERIAL_RANGE)) { |
state == KRL_SECTION_CERT_SERIAL_RANGE)) { |
| KRL_DBG(("%s: finish state 0x%02x", __func__, state)); |
KRL_DBG(("finish state 0x%02x", state)); |
| switch (state) { |
switch (state) { |
| case KRL_SECTION_CERT_SERIAL_LIST: |
case KRL_SECTION_CERT_SERIAL_LIST: |
| case KRL_SECTION_CERT_SERIAL_RANGE: |
case KRL_SECTION_CERT_SERIAL_RANGE: |
|
|
| |
|
| /* If we are starting a new section then prepare it now */ |
/* If we are starting a new section then prepare it now */ |
| if (next_state != state || force_new_sect) { |
if (next_state != state || force_new_sect) { |
| KRL_DBG(("%s: start state 0x%02x", __func__, |
KRL_DBG(("start state 0x%02x", |
| next_state)); |
next_state)); |
| state = next_state; |
state = next_state; |
| sshbuf_reset(sect); |
sshbuf_reset(sect); |
|
|
| break; |
break; |
| case KRL_SECTION_CERT_SERIAL_BITMAP: |
case KRL_SECTION_CERT_SERIAL_BITMAP: |
| if (rs->lo - bitmap_start > INT_MAX) { |
if (rs->lo - bitmap_start > INT_MAX) { |
| error("%s: insane bitmap gap", __func__); |
error_f("insane bitmap gap"); |
| goto out; |
goto out; |
| } |
} |
| for (i = 0; i < contig; i++) { |
for (i = 0; i < contig; i++) { |
|
|
| } |
} |
| /* Flush the remaining section, if any */ |
/* Flush the remaining section, if any */ |
| if (state != 0) { |
if (state != 0) { |
| KRL_DBG(("%s: serial final flush for state 0x%02x", |
KRL_DBG(("serial final flush for state 0x%02x", state)); |
| __func__, state)); |
|
| switch (state) { |
switch (state) { |
| case KRL_SECTION_CERT_SERIAL_LIST: |
case KRL_SECTION_CERT_SERIAL_LIST: |
| case KRL_SECTION_CERT_SERIAL_RANGE: |
case KRL_SECTION_CERT_SERIAL_RANGE: |
|
|
| (r = sshbuf_put_stringb(buf, sect)) != 0) |
(r = sshbuf_put_stringb(buf, sect)) != 0) |
| goto out; |
goto out; |
| } |
} |
| KRL_DBG(("%s: serial done ", __func__)); |
KRL_DBG(("serial done ")); |
| |
|
| /* Now output a section for any revocations by key ID */ |
/* Now output a section for any revocations by key ID */ |
| sshbuf_reset(sect); |
sshbuf_reset(sect); |
| RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) { |
RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) { |
| KRL_DBG(("%s: key ID %s", __func__, rki->key_id)); |
KRL_DBG(("key ID %s", rki->key_id)); |
| if ((r = sshbuf_put_cstring(sect, rki->key_id)) != 0) |
if ((r = sshbuf_put_cstring(sect, rki->key_id)) != 0) |
| goto out; |
goto out; |
| } |
} |
|
|
| /* Finally, output sections for revocations by public key/hash */ |
/* Finally, output sections for revocations by public key/hash */ |
| sshbuf_reset(sect); |
sshbuf_reset(sect); |
| RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) { |
RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) { |
| KRL_DBG(("%s: key len %zu ", __func__, rb->len)); |
KRL_DBG(("key len %zu ", rb->len)); |
| if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) |
if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) |
| goto out; |
goto out; |
| } |
} |
|
|
| } |
} |
| sshbuf_reset(sect); |
sshbuf_reset(sect); |
| RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) { |
RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) { |
| KRL_DBG(("%s: hash len %zu ", __func__, rb->len)); |
KRL_DBG(("hash len %zu ", rb->len)); |
| if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) |
if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) |
| goto out; |
goto out; |
| } |
} |
|
|
| } |
} |
| sshbuf_reset(sect); |
sshbuf_reset(sect); |
| RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s) { |
RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s) { |
| KRL_DBG(("%s: hash len %zu ", __func__, rb->len)); |
KRL_DBG(("hash len %zu ", rb->len)); |
| if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) |
if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) |
| goto out; |
goto out; |
| } |
} |
|
|
| } |
} |
| |
|
| for (i = 0; i < nsign_keys; i++) { |
for (i = 0; i < nsign_keys; i++) { |
| KRL_DBG(("%s: signature key %s", __func__, |
KRL_DBG(("sig key %s", sshkey_ssh_name(sign_keys[i]))); |
| sshkey_ssh_name(sign_keys[i]))); |
|
| if ((r = sshbuf_put_u8(buf, KRL_SECTION_SIGNATURE)) != 0 || |
if ((r = sshbuf_put_u8(buf, KRL_SECTION_SIGNATURE)) != 0 || |
| (r = sshkey_puts(sign_keys[i], buf)) != 0) |
(r = sshkey_puts(sign_keys[i], buf)) != 0) |
| goto out; |
goto out; |
|
|
| sshbuf_ptr(buf), sshbuf_len(buf), NULL, NULL, |
sshbuf_ptr(buf), sshbuf_len(buf), NULL, NULL, |
| NULL, 0)) != 0) |
NULL, 0)) != 0) |
| goto out; |
goto out; |
| KRL_DBG(("%s: signature sig len %zu", __func__, slen)); |
KRL_DBG(("signature sig len %zu", slen)); |
| if ((r = sshbuf_put_string(buf, sblob, slen)) != 0) |
if ((r = sshbuf_put_string(buf, sblob, slen)) != 0) |
| goto out; |
goto out; |
| } |
} |
|
|
| if ((r = sshbuf_get_u8(buf, &type)) != 0 || |
if ((r = sshbuf_get_u8(buf, &type)) != 0 || |
| (r = sshbuf_froms(buf, &subsect)) != 0) |
(r = sshbuf_froms(buf, &subsect)) != 0) |
| goto out; |
goto out; |
| KRL_DBG(("%s: subsection type 0x%02x", __func__, type)); |
KRL_DBG(("subsection type 0x%02x", type)); |
| /* sshbuf_dump(subsect, stderr); */ |
/* sshbuf_dump(subsect, stderr); */ |
| |
|
| switch (type) { |
switch (type) { |
|
|
| nbits = bitmap_nbits(bitmap); |
nbits = bitmap_nbits(bitmap); |
| for (serial = 0; serial < (u_int64_t)nbits; serial++) { |
for (serial = 0; serial < (u_int64_t)nbits; serial++) { |
| if (serial > 0 && serial_lo + serial == 0) { |
if (serial > 0 && serial_lo + serial == 0) { |
| error("%s: bitmap wraps u64", __func__); |
error_f("bitmap wraps u64"); |
| r = SSH_ERR_INVALID_FORMAT; |
r = SSH_ERR_INVALID_FORMAT; |
| goto out; |
goto out; |
| } |
} |
|
|
| if ((r = sshbuf_get_string(sect, &rdata, &rlen)) != 0) |
if ((r = sshbuf_get_string(sect, &rdata, &rlen)) != 0) |
| return r; |
return r; |
| if (expected_len != 0 && rlen != expected_len) { |
if (expected_len != 0 && rlen != expected_len) { |
| error("%s: bad length", __func__); |
error_f("bad length"); |
| free(rdata); |
free(rdata); |
| return SSH_ERR_INVALID_FORMAT; |
return SSH_ERR_INVALID_FORMAT; |
| } |
} |
|
|
| *krlp = NULL; |
*krlp = NULL; |
| if (sshbuf_len(buf) < sizeof(KRL_MAGIC) - 1 || |
if (sshbuf_len(buf) < sizeof(KRL_MAGIC) - 1 || |
| memcmp(sshbuf_ptr(buf), KRL_MAGIC, sizeof(KRL_MAGIC) - 1) != 0) { |
memcmp(sshbuf_ptr(buf), KRL_MAGIC, sizeof(KRL_MAGIC) - 1) != 0) { |
| debug3("%s: not a KRL", __func__); |
debug3_f("not a KRL"); |
| return SSH_ERR_KRL_BAD_MAGIC; |
return SSH_ERR_KRL_BAD_MAGIC; |
| } |
} |
| |
|
|
|
| goto out; |
goto out; |
| |
|
| if ((krl = ssh_krl_init()) == NULL) { |
if ((krl = ssh_krl_init()) == NULL) { |
| error("%s: alloc failed", __func__); |
error_f("alloc failed"); |
| goto out; |
goto out; |
| } |
} |
| |
|
|
|
| if ((r = sshbuf_get_u8(copy, &type)) != 0 || |
if ((r = sshbuf_get_u8(copy, &type)) != 0 || |
| (r = sshbuf_get_string_direct(copy, &blob, &blen)) != 0) |
(r = sshbuf_get_string_direct(copy, &blob, &blen)) != 0) |
| goto out; |
goto out; |
| KRL_DBG(("%s: first pass, section 0x%02x", __func__, type)); |
KRL_DBG(("first pass, section 0x%02x", type)); |
| if (type != KRL_SECTION_SIGNATURE) { |
if (type != KRL_SECTION_SIGNATURE) { |
| if (sig_seen) { |
if (sig_seen) { |
| error("KRL contains non-signature section " |
error("KRL contains non-signature section " |
|
|
| if ((r = sshbuf_get_u8(copy, &type)) != 0 || |
if ((r = sshbuf_get_u8(copy, &type)) != 0 || |
| (r = sshbuf_froms(copy, §)) != 0) |
(r = sshbuf_froms(copy, §)) != 0) |
| goto out; |
goto out; |
| KRL_DBG(("%s: second pass, section 0x%02x", __func__, type)); |
KRL_DBG(("second pass, section 0x%02x", type)); |
| |
|
| switch (type) { |
switch (type) { |
| case KRL_SECTION_CERTIFICATES: |
case KRL_SECTION_CERTIFICATES: |
|
|
| rki.key_id = key->cert->key_id; |
rki.key_id = key->cert->key_id; |
| erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki); |
erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki); |
| if (erki != NULL) { |
if (erki != NULL) { |
| KRL_DBG(("%s: revoked by key ID", __func__)); |
KRL_DBG(("revoked by key ID")); |
| return SSH_ERR_KEY_REVOKED; |
return SSH_ERR_KEY_REVOKED; |
| } |
} |
| |
|
|
|
| rs.lo = rs.hi = key->cert->serial; |
rs.lo = rs.hi = key->cert->serial; |
| ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs); |
ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs); |
| if (ers != NULL) { |
if (ers != NULL) { |
| KRL_DBG(("%s: revoked serial %llu matched %llu:%llu", __func__, |
KRL_DBG(("revoked serial %llu matched %llu:%llu", |
| key->cert->serial, ers->lo, ers->hi)); |
key->cert->serial, ers->lo, ers->hi)); |
| return SSH_ERR_KEY_REVOKED; |
return SSH_ERR_KEY_REVOKED; |
| } |
} |
|
|
| erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); |
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); |
| free(rb.blob); |
free(rb.blob); |
| if (erb != NULL) { |
if (erb != NULL) { |
| KRL_DBG(("%s: revoked by key SHA1", __func__)); |
KRL_DBG(("revoked by key SHA1")); |
| return SSH_ERR_KEY_REVOKED; |
return SSH_ERR_KEY_REVOKED; |
| } |
} |
| memset(&rb, 0, sizeof(rb)); |
memset(&rb, 0, sizeof(rb)); |
|
|
| erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha256s, &rb); |
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha256s, &rb); |
| free(rb.blob); |
free(rb.blob); |
| if (erb != NULL) { |
if (erb != NULL) { |
| KRL_DBG(("%s: revoked by key SHA256", __func__)); |
KRL_DBG(("revoked by key SHA256")); |
| return SSH_ERR_KEY_REVOKED; |
return SSH_ERR_KEY_REVOKED; |
| } |
} |
| |
|
|
|
| erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb); |
erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb); |
| free(rb.blob); |
free(rb.blob); |
| if (erb != NULL) { |
if (erb != NULL) { |
| KRL_DBG(("%s: revoked by explicit key", __func__)); |
KRL_DBG(("revoked by explicit key")); |
| return SSH_ERR_KEY_REVOKED; |
return SSH_ERR_KEY_REVOKED; |
| } |
} |
| |
|
|
|
| return r; |
return r; |
| } |
} |
| |
|
| KRL_DBG(("%s: %llu no match", __func__, key->cert->serial)); |
KRL_DBG(("%llu no match", key->cert->serial)); |
| return 0; |
return 0; |
| } |
} |
| |
|
|
|
| { |
{ |
| int r; |
int r; |
| |
|
| KRL_DBG(("%s: checking key", __func__)); |
KRL_DBG(("checking key")); |
| if ((r = is_key_revoked(krl, key)) != 0) |
if ((r = is_key_revoked(krl, key)) != 0) |
| return r; |
return r; |
| if (sshkey_is_cert(key)) { |
if (sshkey_is_cert(key)) { |
| debug2("%s: checking CA key", __func__); |
debug2_f("checking CA key"); |
| if ((r = is_key_revoked(krl, key->cert->signature_key)) != 0) |
if ((r = is_key_revoked(krl, key->cert->signature_key)) != 0) |
| return r; |
return r; |
| } |
} |
| KRL_DBG(("%s: key okay", __func__)); |
KRL_DBG(("key okay")); |
| return 0; |
return 0; |
| } |
} |
| |
|
|
|
| } |
} |
| if ((r = ssh_krl_from_blob(krlbuf, &krl, NULL, 0)) != 0) |
if ((r = ssh_krl_from_blob(krlbuf, &krl, NULL, 0)) != 0) |
| goto out; |
goto out; |
| debug2("%s: checking KRL %s", __func__, path); |
debug2_f("checking KRL %s", path); |
| r = ssh_krl_check_key(krl, key); |
r = ssh_krl_check_key(krl, key); |
| out: |
out: |
| sshbuf_free(krlbuf); |
sshbuf_free(krlbuf); |
|
|
| RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) { |
RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) { |
| if ((r = sshkey_from_blob(rb->blob, rb->len, &key)) != 0) { |
if ((r = sshkey_from_blob(rb->blob, rb->len, &key)) != 0) { |
| ret = SSH_ERR_INVALID_FORMAT; |
ret = SSH_ERR_INVALID_FORMAT; |
| error("Parse key in KRL: %s", ssh_err(r)); |
error_r(r, "parse KRL key"); |
| continue; |
continue; |
| } |
} |
| if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT, |
if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT, |
![[BACK]](/icons/back.gif){kind=icon}
Return to krl.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh