On 11/17/2014 01:25 AM, Damien Miller wrote:
On Sat, 15 Nov 2014, Peter Ankerstål wrote:

Did you regenerate the KRL after patching OpenSSH? The bug is in KRL generation, not reading.

Yes, exactly.

Found the problem. The certificates section was being written out incorrectly. This fixes it and adds test coverage for it:

commit 9f9fad0191028edc43d100d0ded39419b6895fdf
Author: djm@xxxxxxxxxxx <djm@xxxxxxxxxxx>
Date: Mon Nov 17 00:21:40 2014 +0000

upstream commit

fix KRL generation when multiple CAs are in use

We would generate an invalid KRL when revoking certs by serial number for multiple CA keys due to a section being written out twice. Also extend the regress test to catch this case by having it produce a multi-CA KRL.

Reported by peter AT pean.org

diff --git a/krl.c b/krl.c index eb31df9..832ac8b 100644 --- a/krl.c +++ b/krl.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.17 2014/06/24 01:13:21 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.18 2014/11/17 00:21:40 djm Exp $ */ #include "includes.h" @@ -686,6 +686,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys, /* Store sections for revoked certificates */ TAILQ_FOREACH(rc, &krl->revoked_certs, entry) { + buffer_clear(§); if (revoked_certs_generate(rc, §) != 0) goto out; buffer_put_char(buf, KRL_SECTION_CERTIFICATES);
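Review bot: the added line in the second hunk reads `buffer_clear(§)` because the archive decoded an `&sect;` entity; the call is `buffer_clear(&sect)`, the same argument `revoked_certs_generate(rc, §)` takes on the next line, so anyone applying the patch from this mail should re-type that line rather than paste it. Placing the clear at the top of each `TAILQ_FOREACH(rc, &krl->revoked_certs, entry)` iteration is the right spot: `sect` is filled by `revoked_certs_generate()` and then emitted under `KRL_SECTION_CERTIFICATES`, so without the clear the second CA's pass would emit the first CA's data again, which matches the "section being written out twice" in the commit message. The commit message also says the regress test was extended to produce a multi-CA KRL, but only the krl.c hunks are quoted here; including the regress diff in the same mail would let a reviewer confirm the multi-CA case is actually exercised.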
I have confirmed that this fixes my problem. Thanks!
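The check that settles a report like this one is to build a KRL that covers two CAs and ask ssh-keygen which certificates it actually revokes. The script below is an added example, not part of the thread or of OpenSSH's regress suite: it creates two CAs (ca1, ca2), signs two certificates under each, revokes one serial per CA in two `ssh-keygen -k` passes (the second with `-u`), and then runs `ssh-keygen -Q` over all four certificates. All key names, identities and serial numbers are constructed for the demonstration; `make_multi_ca_krl`, `krl_status` and `demo` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): build a KRL that revokes
# one certificate serial under each of two CAs, then check with
# ssh-keygen -Q which certificates it reports as revoked. Every key name,
# identity and serial number here is constructed for the demonstration.

# make_multi_ca_krl DIR
# Creates two CAs (ca1, ca2) and two user certs per CA in DIR, then writes
# DIR/krl in two passes: serial 1001 under ca1, then (-u, update) serial
# 2002 under ca2. Two CA sections in one KRL is the case the fix covers.
make_multi_ca_krl() (
    set -e
    dir=$1
    mkdir -p "$dir" && cd "$dir"
    for ca in ca1 ca2; do
        ssh-keygen -q -t ed25519 -N '' -C "$ca" -f "$ca"
        for n in 1 2; do
            ssh-keygen -q -t ed25519 -N '' -C "user$n-$ca" -f "user${n}_$ca"
        done
    done
    # One cert per CA carries the serial we are going to revoke; the
    # second cert per CA has a neighbouring serial and must stay valid.
    ssh-keygen -q -s ca1 -I alice -n alice -z 1001 user1_ca1.pub
    ssh-keygen -q -s ca1 -I carol -n carol -z 1002 user2_ca1.pub
    ssh-keygen -q -s ca2 -I bob   -n bob   -z 2002 user1_ca2.pub
    ssh-keygen -q -s ca2 -I dave  -n dave  -z 2003 user2_ca2.pub
    # Revocation specs in ssh-keygen's "serial: N" list format; revoking
    # by serial requires naming the CA with -s.
    printf 'serial: 1001\n' > revoke_ca1
    printf 'serial: 2002\n' > revoke_ca2
    ssh-keygen -q -k    -f krl -s ca1.pub revoke_ca1
    ssh-keygen -q -k -u -f krl -s ca2.pub revoke_ca2
)

# krl_status KRL CERT -> prints "revoked", "ok" or "error", taken from the
# "<file> (<id>): ok|REVOKED" line that ssh-keygen -Q prints per input.
krl_status() {
    out=$(ssh-keygen -Q -f "$1" "$2" 2>&1)
    case $out in
        *REVOKED*) echo revoked ;;
        *": ok"*)  echo ok ;;
        *)         echo error ;;
    esac
}

# demo: returns 0 when the KRL revokes exactly the two intended certs,
# 1 on a mismatch or build failure, 2 when ssh-keygen is not installed.
demo() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found"; return 2; }
    d=$(mktemp -d) || return 1
    make_multi_ca_krl "$d" || { rm -rf "$d"; return 1; }
    got=""
    for c in user1_ca1 user2_ca1 user1_ca2 user2_ca2; do
        got="$got$c=$(krl_status "$d/krl" "$d/$c-cert.pub");"
    done
    rm -rf "$d"
    echo "$got"
    [ "$got" = "user1_ca1=revoked;user2_ca1=ok;user1_ca2=revoked;user2_ca2=ok;" ]
}

demo
```

With a fixed ssh-keygen, `demo` prints `user1_ca1=revoked;user2_ca1=ok;user1_ca2=revoked;user2_ca2=ok;` and returns 0. A KRL written with the bug described in the thread would be rejected or misread at the `-Q` step, so this is the regression check to keep beside any KRL-generation tooling that serves more than one CA.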
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev