version 1.392, 2020/01/25 00:03:36 |
version 1.393, 2020/01/25 23:02:13 |
|
|
load_krl(const char *path, struct ssh_krl **krlp) |
load_krl(const char *path, struct ssh_krl **krlp) |
{ |
{ |
struct sshbuf *krlbuf; |
struct sshbuf *krlbuf; |
int r, fd; |
int r; |
|
|
if ((krlbuf = sshbuf_new()) == NULL) |
if ((r = sshbuf_load_file(path, &krlbuf)) != 0) |
fatal("sshbuf_new failed"); |
|
if ((fd = open(path, O_RDONLY)) == -1) |
|
fatal("open %s: %s", path, strerror(errno)); |
|
if ((r = sshkey_load_file(fd, krlbuf)) != 0) |
|
fatal("Unable to load KRL: %s", ssh_err(r)); |
fatal("Unable to load KRL: %s", ssh_err(r)); |
close(fd); |
|
/* XXX check sigs */ |
/* XXX check sigs */ |
if ((r = ssh_krl_from_blob(krlbuf, krlp, NULL, 0)) != 0 || |
if ((r = ssh_krl_from_blob(krlbuf, krlp, NULL, 0)) != 0 || |
*krlp == NULL) |
*krlp == NULL) |
|
|
struct ssh_krl *krl; |
struct ssh_krl *krl; |
struct stat sb; |
struct stat sb; |
struct sshkey *ca = NULL; |
struct sshkey *ca = NULL; |
int fd, i, r, wild_ca = 0; |
int i, r, wild_ca = 0; |
char *tmp; |
char *tmp; |
struct sshbuf *kbuf; |
struct sshbuf *kbuf; |
|
|
|
|
fatal("sshbuf_new failed"); |
fatal("sshbuf_new failed"); |
if (ssh_krl_to_blob(krl, kbuf, NULL, 0) != 0) |
if (ssh_krl_to_blob(krl, kbuf, NULL, 0) != 0) |
fatal("Couldn't generate KRL"); |
fatal("Couldn't generate KRL"); |
if ((fd = open(identity_file, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1) |
if ((r = sshbuf_write_file(identity_file, kbuf)) != 0) |
fatal("open %s: %s", identity_file, strerror(errno)); |
|
if (atomicio(vwrite, fd, sshbuf_mutable_ptr(kbuf), sshbuf_len(kbuf)) != |
|
sshbuf_len(kbuf)) |
|
fatal("write %s: %s", identity_file, strerror(errno)); |
fatal("write %s: %s", identity_file, strerror(errno)); |
close(fd); |
|
sshbuf_free(kbuf); |
sshbuf_free(kbuf); |
ssh_krl_free(krl); |
ssh_krl_free(krl); |
sshkey_free(ca); |
sshkey_free(ca); |
|
|
sig_verify(const char *signature, const char *sig_namespace, |
sig_verify(const char *signature, const char *sig_namespace, |
const char *principal, const char *allowed_keys, const char *revoked_keys) |
const char *principal, const char *allowed_keys, const char *revoked_keys) |
{ |
{ |
int r, ret = -1, sigfd = -1; |
int r, ret = -1; |
struct sshbuf *sigbuf = NULL, *abuf = NULL; |
struct sshbuf *sigbuf = NULL, *abuf = NULL; |
struct sshkey *sign_key = NULL; |
struct sshkey *sign_key = NULL; |
char *fp = NULL; |
char *fp = NULL; |
struct sshkey_sig_details *sig_details = NULL; |
struct sshkey_sig_details *sig_details = NULL; |
|
|
memset(&sig_details, 0, sizeof(sig_details)); |
memset(&sig_details, 0, sizeof(sig_details)); |
if ((abuf = sshbuf_new()) == NULL) |
if ((r = sshbuf_load_file(signature, &abuf)) != 0) { |
fatal("%s: sshbuf_new() failed", __func__); |
|
|
|
if ((sigfd = open(signature, O_RDONLY)) < 0) { |
|
error("Couldn't open signature file %s", signature); |
|
goto done; |
|
} |
|
|
|
if ((r = sshkey_load_file(sigfd, abuf)) != 0) { |
|
error("Couldn't read signature file: %s", ssh_err(r)); |
error("Couldn't read signature file: %s", ssh_err(r)); |
goto done; |
goto done; |
} |
} |
|
|
if ((r = sshsig_dearmor(abuf, &sigbuf)) != 0) { |
if ((r = sshsig_dearmor(abuf, &sigbuf)) != 0) { |
error("%s: sshsig_armor: %s", __func__, ssh_err(r)); |
error("%s: sshsig_armor: %s", __func__, ssh_err(r)); |
goto done; |
goto done; |
|
|
printf("Could not verify signature.\n"); |
printf("Could not verify signature.\n"); |
} |
} |
} |
} |
if (sigfd != -1) |
|
close(sigfd); |
|
sshbuf_free(sigbuf); |
sshbuf_free(sigbuf); |
sshbuf_free(abuf); |
sshbuf_free(abuf); |
sshkey_free(sign_key); |
sshkey_free(sign_key); |
|
|
|
|
static int |
static int |
sig_find_principals(const char *signature, const char *allowed_keys) { |
sig_find_principals(const char *signature, const char *allowed_keys) { |
int r, ret = -1, sigfd = -1; |
int r, ret = -1; |
struct sshbuf *sigbuf = NULL, *abuf = NULL; |
struct sshbuf *sigbuf = NULL, *abuf = NULL; |
struct sshkey *sign_key = NULL; |
struct sshkey *sign_key = NULL; |
char *principals = NULL, *cp, *tmp; |
char *principals = NULL, *cp, *tmp; |
|
|
if ((abuf = sshbuf_new()) == NULL) |
if ((r = sshbuf_load_file(signature, &abuf)) != 0) { |
fatal("%s: sshbuf_new() failed", __func__); |
|
|
|
if ((sigfd = open(signature, O_RDONLY)) < 0) { |
|
error("Couldn't open signature file %s", signature); |
|
goto done; |
|
} |
|
|
|
if ((r = sshkey_load_file(sigfd, abuf)) != 0) { |
|
error("Couldn't read signature file: %s", ssh_err(r)); |
error("Couldn't read signature file: %s", ssh_err(r)); |
goto done; |
goto done; |
} |
} |
|
|
} else { |
} else { |
fprintf(stderr, "No principal matched.\n"); |
fprintf(stderr, "No principal matched.\n"); |
} |
} |
if (sigfd != -1) |
|
close(sigfd); |
|
sshbuf_free(sigbuf); |
sshbuf_free(sigbuf); |
sshbuf_free(abuf); |
sshbuf_free(abuf); |
sshkey_free(sign_key); |
sshkey_free(sign_key); |