Corrupt KRL file when using multiple CA.

Damien Miller djm at mindrot.org
Mon Nov 17 11:25:26 EST 2014


On Sat, 15 Nov 2014, Peter Ankerst?l wrote:

> > Did you regenerate the KRL after patching OpenSSH? The bug is in KRL
> > generation, not reading.
> > 
> Yes, exactly.

Found the problem. The certificates section was being written out
incorrectly. This fixes it and adds test coverage for it:

commit 9f9fad0191028edc43d100d0ded39419b6895fdf
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Nov 17 00:21:40 2014 +0000

    upstream commit
    
    fix KRL generation when multiple CAs are in use
    
    We would generate an invalid KRL when revoking certs by serial
    number for multiple CA keys due to a section being written out
    twice.
    
    Also extend the regress test to catch this case by having it
    produce a multi-CA KRL.
    
    Reported by peter AT pean.org

diff --git a/krl.c b/krl.c
index eb31df9..832ac8b 100644
--- a/krl.c
+++ b/krl.c
@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $OpenBSD: krl.c,v 1.17 2014/06/24 01:13:21 djm Exp $ */
+/* $OpenBSD: krl.c,v 1.18 2014/11/17 00:21:40 djm Exp $ */
 
 #include "includes.h"
 
@@ -686,6 +686,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys,
 
        /* Store sections for revoked certificates */
        TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
+               buffer_clear(&sect);
                if (revoked_certs_generate(rc, &sect) != 0)
                        goto out;
                buffer_put_char(buf, KRL_SECTION_CERTIFICATES);



More information about the openssh-unix-dev mailing list