On Sat, 15 Nov 2014, Peter Ankerst?l wrote: > > Did you regenerate the KRL after patching OpenSSH? The bug is in KRL > > generation, not reading. > > > Yes, exactly. Found the problem. The certificates section was being written out incorrectly. This fixes it and adds test coverage for it: commit 9f9fad0191028edc43d100d0ded39419b6895fdf Author: djm@xxxxxxxxxxx <djm@xxxxxxxxxxx> Date: Mon Nov 17 00:21:40 2014 +0000 upstream commit fix KRL generation when multiple CAs are in use We would generate an invalid KRL when revoking certs by serial number for multiple CA keys due to a section being written out twice. Also extend the regress test to catch this case by having it produce a multi-CA KRL. Reported by peter AT pean.org diff --git a/krl.c b/krl.c index eb31df9..832ac8b 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.17 2014/06/24 01:13:21 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.18 2014/11/17 00:21:40 djm Exp $ */ #include "includes.h" @@ -686,6 +686,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys, /* Store sections for revoked certificates */ TAILQ_FOREACH(rc, &krl->revoked_certs, entry) { + buffer_clear(§); if (revoked_certs_generate(rc, §) != 0) goto out; buffer_put_char(buf, KRL_SECTION_CERTIFICATES); _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev