=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/krl.c,v retrieving revision 1.51 retrieving revision 1.52 diff -u -r1.51 -r1.52 --- src/usr.bin/ssh/krl.c 2020/08/27 01:06:18 1.51 +++ src/usr.bin/ssh/krl.c 2020/10/18 11:32:01 1.52 @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.51 2020/08/27 01:06:18 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.52 2020/10/18 11:32:01 djm Exp $ */ #include #include @@ -42,7 +42,7 @@ /* #define DEBUG_KRL */ #ifdef DEBUG_KRL -# define KRL_DBG(x) debug3 x +# define KRL_DBG(x) debug3_f x #else # define KRL_DBG(x) #endif @@ -239,8 +239,7 @@ RB_INIT(&rc->revoked_serials); RB_INIT(&rc->revoked_key_ids); TAILQ_INSERT_TAIL(&krl->revoked_certs, rc, entry); - KRL_DBG(("%s: new CA %s", __func__, - ca_key == NULL ? "*" : sshkey_type(ca_key))); + KRL_DBG(("new CA %s", ca_key == NULL ? "*" : sshkey_type(ca_key))); *rcp = rc; return 0; } @@ -250,7 +249,7 @@ { struct revoked_serial rs, *ers, *crs, *irs; - KRL_DBG(("%s: insert %llu:%llu", __func__, lo, hi)); + KRL_DBG(("insert %llu:%llu", lo, hi)); memset(&rs, 0, sizeof(rs)); rs.lo = lo; rs.hi = hi; @@ -262,15 +261,14 @@ memcpy(irs, &rs, sizeof(*irs)); ers = RB_INSERT(revoked_serial_tree, rt, irs); if (ers != NULL) { - KRL_DBG(("%s: bad: ers != NULL", __func__)); + KRL_DBG(("bad: ers != NULL")); /* Shouldn't happen */ free(irs); return SSH_ERR_INTERNAL_ERROR; } ers = irs; } else { - KRL_DBG(("%s: overlap found %llu:%llu", __func__, - ers->lo, ers->hi)); + KRL_DBG(("overlap found %llu:%llu", ers->lo, ers->hi)); /* * The inserted entry overlaps an existing one. Grow the * existing entry. @@ -288,33 +286,31 @@ /* Check predecessors */ while ((crs = RB_PREV(revoked_serial_tree, rt, ers)) != NULL) { - KRL_DBG(("%s: pred %llu:%llu", __func__, crs->lo, crs->hi)); + KRL_DBG(("pred %llu:%llu", crs->lo, crs->hi)); if (ers->lo != 0 && crs->hi < ers->lo - 1) break; /* This entry overlaps. */ if (crs->lo < ers->lo) { ers->lo = crs->lo; - KRL_DBG(("%s: pred extend %llu:%llu", __func__, - ers->lo, ers->hi)); + KRL_DBG(("pred extend %llu:%llu", ers->lo, ers->hi)); } RB_REMOVE(revoked_serial_tree, rt, crs); free(crs); } /* Check successors */ while ((crs = RB_NEXT(revoked_serial_tree, rt, ers)) != NULL) { - KRL_DBG(("%s: succ %llu:%llu", __func__, crs->lo, crs->hi)); + KRL_DBG(("succ %llu:%llu", crs->lo, crs->hi)); if (ers->hi != (u_int64_t)-1 && crs->lo > ers->hi + 1) break; /* This entry overlaps. */ if (crs->hi > ers->hi) { ers->hi = crs->hi; - KRL_DBG(("%s: succ extend %llu:%llu", __func__, - ers->lo, ers->hi)); + KRL_DBG(("succ extend %llu:%llu", ers->lo, ers->hi)); } RB_REMOVE(revoked_serial_tree, rt, crs); free(crs); } - KRL_DBG(("%s: done, final %llu:%llu", __func__, ers->lo, ers->hi)); + KRL_DBG(("done, final %llu:%llu", ers->lo, ers->hi)); return 0; } @@ -350,7 +346,7 @@ if ((r = revoked_certs_for_ca_key(krl, ca_key, &rc, 1)) != 0) return r; - KRL_DBG(("%s: revoke %s", __func__, key_id)); + KRL_DBG(("revoke %s", key_id)); if ((rki = calloc(1, sizeof(*rki))) == NULL || (rki->key_id = strdup(key_id)) == NULL) { free(rki); @@ -409,7 +405,7 @@ size_t len; int r; - debug3("%s: revoke type %s", __func__, sshkey_type(key)); + debug3_f("revoke type %s", sshkey_type(key)); if ((r = plain_key_blob(key, &blob, &len)) != 0) return r; return revoke_blob(&krl->revoked_keys, blob, len); @@ -435,7 +431,7 @@ int ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const u_char *p, size_t len) { - debug3("%s: revoke by sha1", __func__); + debug3_f("revoke by sha1"); if (len != 20) return SSH_ERR_INVALID_FORMAT; return revoke_by_hash(&krl->revoked_sha1s, p, len); @@ -444,7 +440,7 @@ int ssh_krl_revoke_key_sha256(struct ssh_krl *krl, const u_char *p, size_t len) { - debug3("%s: revoke by sha256", __func__); + debug3_f("revoke by sha256"); if (len != 32) return SSH_ERR_INVALID_FORMAT; return revoke_by_hash(&krl->revoked_sha256s, p, len); @@ -540,9 +536,9 @@ *force_new_section = 1; cost = cost_bitmap_restart; } - KRL_DBG(("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:" + KRL_DBG(("contig %llu last_gap %llu next_gap %llu final %d, costs:" "list %llu range %llu bitmap %llu new bitmap %llu, " - "selected 0x%02x%s", __func__, (long long unsigned)contig, + "selected 0x%02x%s", (long long unsigned)contig, (long long unsigned)last_gap, (long long unsigned)next_gap, final, (long long unsigned)cost_list, (long long unsigned)cost_range, (long long unsigned)cost_bitmap, @@ -600,7 +596,7 @@ for (rs = RB_MIN(revoked_serial_tree, &rc->revoked_serials); rs != NULL; rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) { - KRL_DBG(("%s: serial %llu:%llu state 0x%02x", __func__, + KRL_DBG(("serial %llu:%llu state 0x%02x", (long long unsigned)rs->lo, (long long unsigned)rs->hi, state)); @@ -620,7 +616,7 @@ */ if (state != 0 && (force_new_sect || next_state != state || state == KRL_SECTION_CERT_SERIAL_RANGE)) { - KRL_DBG(("%s: finish state 0x%02x", __func__, state)); + KRL_DBG(("finish state 0x%02x", state)); switch (state) { case KRL_SECTION_CERT_SERIAL_LIST: case KRL_SECTION_CERT_SERIAL_RANGE: @@ -640,7 +636,7 @@ /* If we are starting a new section then prepare it now */ if (next_state != state || force_new_sect) { - KRL_DBG(("%s: start state 0x%02x", __func__, + KRL_DBG(("start state 0x%02x", next_state)); state = next_state; sshbuf_reset(sect); @@ -676,7 +672,7 @@ break; case KRL_SECTION_CERT_SERIAL_BITMAP: if (rs->lo - bitmap_start > INT_MAX) { - error("%s: insane bitmap gap", __func__); + error_f("insane bitmap gap"); goto out; } for (i = 0; i < contig; i++) { @@ -692,8 +688,7 @@ } /* Flush the remaining section, if any */ if (state != 0) { - KRL_DBG(("%s: serial final flush for state 0x%02x", - __func__, state)); + KRL_DBG(("serial final flush for state 0x%02x", state)); switch (state) { case KRL_SECTION_CERT_SERIAL_LIST: case KRL_SECTION_CERT_SERIAL_RANGE: @@ -709,12 +704,12 @@ (r = sshbuf_put_stringb(buf, sect)) != 0) goto out; } - KRL_DBG(("%s: serial done ", __func__)); + KRL_DBG(("serial done ")); /* Now output a section for any revocations by key ID */ sshbuf_reset(sect); RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) { - KRL_DBG(("%s: key ID %s", __func__, rki->key_id)); + KRL_DBG(("key ID %s", rki->key_id)); if ((r = sshbuf_put_cstring(sect, rki->key_id)) != 0) goto out; } @@ -770,7 +765,7 @@ /* Finally, output sections for revocations by public key/hash */ sshbuf_reset(sect); RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) { - KRL_DBG(("%s: key len %zu ", __func__, rb->len)); + KRL_DBG(("key len %zu ", rb->len)); if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) goto out; } @@ -781,7 +776,7 @@ } sshbuf_reset(sect); RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) { - KRL_DBG(("%s: hash len %zu ", __func__, rb->len)); + KRL_DBG(("hash len %zu ", rb->len)); if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) goto out; } @@ -793,7 +788,7 @@ } sshbuf_reset(sect); RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha256s) { - KRL_DBG(("%s: hash len %zu ", __func__, rb->len)); + KRL_DBG(("hash len %zu ", rb->len)); if ((r = sshbuf_put_string(sect, rb->blob, rb->len)) != 0) goto out; } @@ -805,8 +800,7 @@ } for (i = 0; i < nsign_keys; i++) { - KRL_DBG(("%s: signature key %s", __func__, - sshkey_ssh_name(sign_keys[i]))); + KRL_DBG(("sig key %s", sshkey_ssh_name(sign_keys[i]))); if ((r = sshbuf_put_u8(buf, KRL_SECTION_SIGNATURE)) != 0 || (r = sshkey_puts(sign_keys[i], buf)) != 0) goto out; @@ -815,7 +809,7 @@ sshbuf_ptr(buf), sshbuf_len(buf), NULL, NULL, NULL, 0)) != 0) goto out; - KRL_DBG(("%s: signature sig len %zu", __func__, slen)); + KRL_DBG(("signature sig len %zu", slen)); if ((r = sshbuf_put_string(buf, sblob, slen)) != 0) goto out; } @@ -872,7 +866,7 @@ if ((r = sshbuf_get_u8(buf, &type)) != 0 || (r = sshbuf_froms(buf, &subsect)) != 0) goto out; - KRL_DBG(("%s: subsection type 0x%02x", __func__, type)); + KRL_DBG(("subsection type 0x%02x", type)); /* sshbuf_dump(subsect, stderr); */ switch (type) { @@ -909,7 +903,7 @@ nbits = bitmap_nbits(bitmap); for (serial = 0; serial < (u_int64_t)nbits; serial++) { if (serial > 0 && serial_lo + serial == 0) { - error("%s: bitmap wraps u64", __func__); + error_f("bitmap wraps u64"); r = SSH_ERR_INVALID_FORMAT; goto out; } @@ -968,7 +962,7 @@ if ((r = sshbuf_get_string(sect, &rdata, &rlen)) != 0) return r; if (expected_len != 0 && rlen != expected_len) { - error("%s: bad length", __func__); + error_f("bad length"); free(rdata); return SSH_ERR_INVALID_FORMAT; } @@ -999,7 +993,7 @@ *krlp = NULL; if (sshbuf_len(buf) < sizeof(KRL_MAGIC) - 1 || memcmp(sshbuf_ptr(buf), KRL_MAGIC, sizeof(KRL_MAGIC) - 1) != 0) { - debug3("%s: not a KRL", __func__); + debug3_f("not a KRL"); return SSH_ERR_KRL_BAD_MAGIC; } @@ -1012,7 +1006,7 @@ goto out; if ((krl = ssh_krl_init()) == NULL) { - error("%s: alloc failed", __func__); + error_f("alloc failed"); goto out; } @@ -1049,7 +1043,7 @@ if ((r = sshbuf_get_u8(copy, &type)) != 0 || (r = sshbuf_get_string_direct(copy, &blob, &blen)) != 0) goto out; - KRL_DBG(("%s: first pass, section 0x%02x", __func__, type)); + KRL_DBG(("first pass, section 0x%02x", type)); if (type != KRL_SECTION_SIGNATURE) { if (sig_seen) { error("KRL contains non-signature section " @@ -1125,7 +1119,7 @@ if ((r = sshbuf_get_u8(copy, &type)) != 0 || (r = sshbuf_froms(copy, §)) != 0) goto out; - KRL_DBG(("%s: second pass, section 0x%02x", __func__, type)); + KRL_DBG(("second pass, section 0x%02x", type)); switch (type) { case KRL_SECTION_CERTIFICATES: @@ -1228,7 +1222,7 @@ rki.key_id = key->cert->key_id; erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki); if (erki != NULL) { - KRL_DBG(("%s: revoked by key ID", __func__)); + KRL_DBG(("revoked by key ID")); return SSH_ERR_KEY_REVOKED; } @@ -1243,7 +1237,7 @@ rs.lo = rs.hi = key->cert->serial; ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs); if (ers != NULL) { - KRL_DBG(("%s: revoked serial %llu matched %llu:%llu", __func__, + KRL_DBG(("revoked serial %llu matched %llu:%llu", key->cert->serial, ers->lo, ers->hi)); return SSH_ERR_KEY_REVOKED; } @@ -1266,7 +1260,7 @@ erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); free(rb.blob); if (erb != NULL) { - KRL_DBG(("%s: revoked by key SHA1", __func__)); + KRL_DBG(("revoked by key SHA1")); return SSH_ERR_KEY_REVOKED; } memset(&rb, 0, sizeof(rb)); @@ -1276,7 +1270,7 @@ erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha256s, &rb); free(rb.blob); if (erb != NULL) { - KRL_DBG(("%s: revoked by key SHA256", __func__)); + KRL_DBG(("revoked by key SHA256")); return SSH_ERR_KEY_REVOKED; } @@ -1287,7 +1281,7 @@ erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb); free(rb.blob); if (erb != NULL) { - KRL_DBG(("%s: revoked by explicit key", __func__)); + KRL_DBG(("revoked by explicit key")); return SSH_ERR_KEY_REVOKED; } @@ -1310,7 +1304,7 @@ return r; } - KRL_DBG(("%s: %llu no match", __func__, key->cert->serial)); + KRL_DBG(("%llu no match", key->cert->serial)); return 0; } @@ -1319,15 +1313,15 @@ { int r; - KRL_DBG(("%s: checking key", __func__)); + KRL_DBG(("checking key")); if ((r = is_key_revoked(krl, key)) != 0) return r; if (sshkey_is_cert(key)) { - debug2("%s: checking CA key", __func__); + debug2_f("checking CA key"); if ((r = is_key_revoked(krl, key->cert->signature_key)) != 0) return r; } - KRL_DBG(("%s: key okay", __func__)); + KRL_DBG(("key okay")); return 0; } @@ -1346,7 +1340,7 @@ } if ((r = ssh_krl_from_blob(krlbuf, &krl, NULL, 0)) != 0) goto out; - debug2("%s: checking KRL %s", __func__, path); + debug2_f("checking KRL %s", path); r = ssh_krl_check_key(krl, key); out: sshbuf_free(krlbuf); @@ -1383,7 +1377,7 @@ RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) { if ((r = sshkey_from_blob(rb->blob, rb->len, &key)) != 0) { ret = SSH_ERR_INVALID_FORMAT; - error("Parse key in KRL: %s", ssh_err(r)); + error_r(r, "parse KRL key"); continue; } if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT,