diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2015-01-14 15:02:39 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-01-15 02:22:18 +1100 |
| commit | a165bab605f7be55940bb8fae977398e8c96a46d (patch) | |
| tree | 8a805f18a1f3cc5412b5f94ef64baa275f559a0b /krl.c | |
| parent | 7d845f4a0b7ec97887be204c3760e44de8bf1f32 (diff) | |
| download | openssh-git-a165bab605f7be55940bb8fae977398e8c96a46d.tar.gz | |
upstream commit
avoid BIGNUM in KRL code by using a simple bitmap;
feedback and ok markus
Diffstat (limited to 'krl.c')
| -rw-r--r-- | krl.c | 62 |
1 files changed, 41 insertions, 21 deletions
@@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: krl.c,v 1.25 2015/01/13 19:04:35 djm Exp $ */ +/* $OpenBSD: krl.c,v 1.26 2015/01/14 15:02:39 djm Exp $ */ #include "includes.h" @@ -37,6 +37,7 @@ #include "misc.h" #include "log.h" #include "digest.h" +#include "bitmap.h" #include "krl.h" @@ -519,6 +520,25 @@ choose_next_state(int current_state, u_int64_t contig, int final, return new_state; } +static int +put_bitmap(struct sshbuf *buf, struct bitmap *bitmap) +{ + size_t len; + u_char *blob; + int r; + + len = bitmap_nbytes(bitmap); + if ((blob = malloc(len)) == NULL) + return SSH_ERR_ALLOC_FAIL; + if (bitmap_to_string(bitmap, blob, len) != 0) { + free(blob); + return SSH_ERR_INTERNAL_ERROR; + } + r = sshbuf_put_bignum2_bytes(buf, blob, len); + free(blob); + return r; +} + /* Generate a KRL_SECTION_CERTIFICATES KRL section */ static int revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) @@ -529,7 +549,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) struct revoked_key_id *rki; int next_state, state = 0; struct sshbuf *sect; - BIGNUM *bitmap = NULL; + struct bitmap *bitmap = NULL; if ((sect = sshbuf_new()) == NULL) return SSH_ERR_ALLOC_FAIL; @@ -572,9 +592,9 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) case KRL_SECTION_CERT_SERIAL_RANGE: break; case KRL_SECTION_CERT_SERIAL_BITMAP: - if ((r = sshbuf_put_bignum2(sect, bitmap)) != 0) + if ((r = put_bitmap(sect, bitmap)) != 0) goto out; - BN_free(bitmap); + bitmap_free(bitmap); bitmap = NULL; break; } @@ -595,7 +615,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) case KRL_SECTION_CERT_SERIAL_RANGE: break; case KRL_SECTION_CERT_SERIAL_BITMAP: - if ((bitmap = BN_new()) == NULL) { + if ((bitmap = bitmap_new()) == NULL) { r = SSH_ERR_ALLOC_FAIL; goto out; } @@ -626,8 +646,8 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) goto out; } for (i = 0; i < contig; i++) { - if (BN_set_bit(bitmap, - rs->lo + i - bitmap_start) != 1) { + if (bitmap_set_bit(bitmap, + rs->lo + i - bitmap_start) != 0) { r = SSH_ERR_ALLOC_FAIL; goto out; } @@ -645,9 +665,9 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) case KRL_SECTION_CERT_SERIAL_RANGE: break; case KRL_SECTION_CERT_SERIAL_BITMAP: - if ((r = sshbuf_put_bignum2(sect, bitmap)) != 0) + if ((r = put_bitmap(sect, bitmap)) != 0) goto out; - BN_free(bitmap); + bitmap_free(bitmap); bitmap = NULL; break; } @@ -671,8 +691,7 @@ revoked_certs_generate(struct revoked_certs *rc, struct sshbuf *buf) } r = 0; out: - if (bitmap != NULL) - BN_free(bitmap); + bitmap_free(bitmap); sshbuf_free(sect); return r; } @@ -784,13 +803,13 @@ format_timestamp(u_int64_t timestamp, char *ts, size_t nts) static int parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl) { - int r = SSH_ERR_INTERNAL_ERROR, nbits; + int r = SSH_ERR_INTERNAL_ERROR; u_char type; const u_char *blob; - size_t blen; + size_t blen, nbits; struct sshbuf *subsect = NULL; u_int64_t serial, serial_lo, serial_hi; - BIGNUM *bitmap = NULL; + struct bitmap *bitmap = NULL; char *key_id = NULL; struct sshkey *ca_key = NULL; @@ -834,31 +853,32 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl) goto out; break; case KRL_SECTION_CERT_SERIAL_BITMAP: - if ((bitmap = BN_new()) == NULL) { + if ((bitmap = bitmap_new()) == NULL) { r = SSH_ERR_ALLOC_FAIL; goto out; } if ((r = sshbuf_get_u64(subsect, &serial_lo)) != 0 || - (r = sshbuf_get_bignum2(subsect, bitmap)) != 0) + (r = sshbuf_get_bignum2_bytes_direct(subsect, + &blob, &blen)) != 0) goto out; - if ((nbits = BN_num_bits(bitmap)) < 0) { - error("%s: bitmap bits < 0", __func__); + if (bitmap_from_string(bitmap, blob, blen) != 0) { r = SSH_ERR_INVALID_FORMAT; goto out; } + nbits = bitmap_nbits(bitmap); for (serial = 0; serial < (u_int64_t)nbits; serial++) { if (serial > 0 && serial_lo + serial == 0) { error("%s: bitmap wraps u64", __func__); r = SSH_ERR_INVALID_FORMAT; goto out; } - if (!BN_is_bit_set(bitmap, serial)) + if (!bitmap_test_bit(bitmap, serial)) continue; if ((r = ssh_krl_revoke_cert_by_serial(krl, ca_key, serial_lo + serial)) != 0) goto out; } - BN_free(bitmap); + bitmap_free(bitmap); bitmap = NULL; break; case KRL_SECTION_CERT_KEY_ID: @@ -888,7 +908,7 @@ parse_revoked_certs(struct sshbuf *buf, struct ssh_krl *krl) r = 0; out: if (bitmap != NULL) - BN_free(bitmap); + bitmap_free(bitmap); free(key_id); sshkey_free(ca_key); sshbuf_free(subsect); |