authordjm <djm@openbsd.org>2014-11-17 00:21:40 +0000
committerdjm <djm@openbsd.org>2014-11-17 00:21:40 +0000
commitdb70674bea9e7e15a09ca0d8ff794021a1e4a5b6 (patch)
tree6244eddf4e41410a16c9162a594985c003382b0f
parentconvert a copystr to strlcpy. (diff)
fix KRL generation when multiple CAs are in use
We would generate an invalid KRL when revoking certs by serial number for multiple CA keys due to a section being written out twice. Also extend the regress test to catch this case by having it produce a multi-CA KRL. Reported by peter AT pean.org
-rw-r--r--regress/usr.bin/ssh/krl.sh10
-rw-r--r--usr.bin/ssh/krl.c3
2 files changed, 10 insertions, 3 deletions
diff --git a/regress/usr.bin/ssh/krl.sh b/regress/usr.bin/ssh/krl.sh
index 8a09340795e..4d6364c8c53 100644
--- a/regress/usr.bin/ssh/krl.sh
+++ b/regress/usr.bin/ssh/krl.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: krl.sh,v 1.3 2014/06/24 01:04:43 djm Exp $
+# $OpenBSD: krl.sh,v 1.4 2014/11/17 00:21:40 djm Exp $
# Placed in the Public Domain.
tid="key revocation lists"
@@ -11,6 +11,8 @@ rm -f $OBJ/revoked-* $OBJ/krl-*
# Generate a CA key
$SSHKEYGEN -t ecdsa -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
fatal "$SSHKEYGEN CA failed"
+$SSHKEYGEN -t ed25519 -f $OBJ/revoked-ca2 -C "" -N "" > /dev/null ||
+ fatal "$SSHKEYGEN CA2 failed"
# A specification that revokes some certificates by serial numbers
# The serial pattern is chosen to ensure the KRL includes list, range and
@@ -87,13 +89,17 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
-# KRLs from serial/key-id spec need the CA specified.
+# This should fail as KRLs from serial/key-id spec need the CA specified.
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
+# Revoke the same serials with the second CA key to ensure a multi-CA
+# KRL is generated.
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -u -s $OBJ/revoked-ca2 \
+ $OBJ/revoked-serials >/dev/null || fatal "$SSHKEYGEN KRL failed"
$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
}
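Review bot: The added `-u -s $OBJ/revoked-ca2` step only checks that KRL generation exits 0, so nothing in this hunk confirms that the updated `krl-serial` can be loaded again or that a certificate issued by `revoked-ca2` is actually reported as revoked. Later checks outside the hunk may load the file, but as far as the visible lines show, the second CA's section is never queried. I would follow the update with a direct query, e.g. `$SSHKEYGEN -Qf $OBJ/krl-serial CERT_SIGNED_BY_CA2 >/dev/null && fatal "CA2 serial not revoked"` (`CERT_SIGNED_BY_CA2` is a placeholder for a test cert signed with `revoked-ca2` using one of the revoked serials). The enclosing function starts outside this hunk.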
diff --git a/usr.bin/ssh/krl.c b/usr.bin/ssh/krl.c
index ccc330c7421..3444c049f32 100644
--- a/usr.bin/ssh/krl.c
+++ b/usr.bin/ssh/krl.c
@@ -14,7 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $OpenBSD: krl.c,v 1.17 2014/06/24 01:13:21 djm Exp $ */
+/* $OpenBSD: krl.c,v 1.18 2014/11/17 00:21:40 djm Exp $ */
#include <sys/types.h>
#include <sys/param.h>
@@ -684,6 +684,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys,
/* Store sections for revoked certificates */
TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
+ buffer_clear(&sect);
if (revoked_certs_generate(rc, &sect) != 0)
goto out;
buffer_put_char(buf, KRL_SECTION_CERTIFICATES);
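Review bot: The new `buffer_clear(&sect)` at the top of the `TAILQ_FOREACH` body has no comment saying why it is needed, and the reason is not obvious from the loop alone: `sect` appears to be a single scratch buffer reused for every CA, and per the commit message the earlier section was being written out a second time. I would add `/* sect is reused for each CA; reset it so the previous CA's section is not emitted twice */` above the call. It would also help to document on `revoked_certs_generate` whether it appends to or resets its output buffer (its body is not visible here), since that contract is what let stale data through. The loop body continues past the end of this hunk.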