Corrupt KRL file when using multiple CA.
Peter Ankerstål
peter at pean.org
Mon Nov 17 18:04:55 EST 2014
On 11/17/2014 01:25 AM, Damien Miller wrote:
> On Sat, 15 Nov 2014, Peter Ankerst?l wrote:
>
>>> Did you regenerate the KRL after patching OpenSSH? The bug is in KRL
>>> generation, not reading.
>>>
>> Yes, exactly.
>
> Found the problem. The certificates section was being written out
> incorrectly. This fixes it and adds test coverage for it:
>
> commit 9f9fad0191028edc43d100d0ded39419b6895fdf
> Author: djm at openbsd.org <djm at openbsd.org>
> Date: Mon Nov 17 00:21:40 2014 +0000
>
> upstream commit
>
> fix KRL generation when multiple CAs are in use
>
> We would generate an invalid KRL when revoking certs by serial
> number for multiple CA keys due to a section being written out
> twice.
>
> Also extend the regress test to catch this case by having it
> produce a multi-CA KRL.
>
> Reported by peter AT pean.org
>
> diff --git a/krl.c b/krl.c
> index eb31df9..832ac8b 100644
> --- a/krl.c
> +++ b/krl.c
> @@ -14,7 +14,7 @@
> * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
> */
>
> -/* $OpenBSD: krl.c,v 1.17 2014/06/24 01:13:21 djm Exp $ */
> +/* $OpenBSD: krl.c,v 1.18 2014/11/17 00:21:40 djm Exp $ */
>
> #include "includes.h"
>
> @@ -686,6 +686,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys,
>
> /* Store sections for revoked certificates */
> TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
> + buffer_clear(§);
> if (revoked_certs_generate(rc, §) != 0)
> goto out;
> buffer_put_char(buf, KRL_SECTION_CERTIFICATES);
>
>
I have confirmed that this fixes my problem.
Thanks!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3738 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20141117/86c4234c/attachment.bin>
More information about the openssh-unix-dev
mailing list