1/*
2 * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17/* $OpenBSD: krl.c,v 1.13 2013/07/20 22:20:42 djm Exp $ */
18
19#include "includes.h"
20
21#include <sys/types.h>
22#include <sys/param.h>
23#include <openbsd-compat/sys-tree.h>
24#include <openbsd-compat/sys-queue.h>
25
26#include <errno.h>
27#include <fcntl.h>
28#include <limits.h>
29#include <string.h>
30#include <time.h>
31#include <unistd.h>
32
33#include "buffer.h"
34#include "key.h"
35#include "authfile.h"
36#include "misc.h"
37#include "log.h"
38#include "xmalloc.h"
39
40#include "krl.h"
41
42/* #define DEBUG_KRL */
43#ifdef DEBUG_KRL
44# define KRL_DBG(x) debug3 x
45#else
46# define KRL_DBG(x)
47#endif
48
49/*
50 * Trees of revoked serial numbers, key IDs and keys. This allows
51 * quick searching, querying and producing lists in canonical order.
52 */
53
54/* Tree of serial numbers. XXX make smarter: really need a real sparse bitmap */
55struct revoked_serial {
56	u_int64_t lo, hi;
57	RB_ENTRY(revoked_serial) tree_entry;
58};
59static int serial_cmp(struct revoked_serial *a, struct revoked_serial *b);
60RB_HEAD(revoked_serial_tree, revoked_serial);
61RB_GENERATE_STATIC(revoked_serial_tree, revoked_serial, tree_entry, serial_cmp);
62
63/* Tree of key IDs */
64struct revoked_key_id {
65	char *key_id;
66	RB_ENTRY(revoked_key_id) tree_entry;
67};
68static int key_id_cmp(struct revoked_key_id *a, struct revoked_key_id *b);
69RB_HEAD(revoked_key_id_tree, revoked_key_id);
70RB_GENERATE_STATIC(revoked_key_id_tree, revoked_key_id, tree_entry, key_id_cmp);
71
72/* Tree of blobs (used for keys and fingerprints) */
73struct revoked_blob {
74	u_char *blob;
75	u_int len;
76	RB_ENTRY(revoked_blob) tree_entry;
77};
78static int blob_cmp(struct revoked_blob *a, struct revoked_blob *b);
79RB_HEAD(revoked_blob_tree, revoked_blob);
80RB_GENERATE_STATIC(revoked_blob_tree, revoked_blob, tree_entry, blob_cmp);
81
82/* Tracks revoked certs for a single CA */
83struct revoked_certs {
84	Key *ca_key;
85	struct revoked_serial_tree revoked_serials;
86	struct revoked_key_id_tree revoked_key_ids;
87	TAILQ_ENTRY(revoked_certs) entry;
88};
89TAILQ_HEAD(revoked_certs_list, revoked_certs);
90
91struct ssh_krl {
92	u_int64_t krl_version;
93	u_int64_t generated_date;
94	u_int64_t flags;
95	char *comment;
96	struct revoked_blob_tree revoked_keys;
97	struct revoked_blob_tree revoked_sha1s;
98	struct revoked_certs_list revoked_certs;
99};
100
101/* Return equal if a and b overlap */
102static int
103serial_cmp(struct revoked_serial *a, struct revoked_serial *b)
104{
105	if (a->hi >= b->lo && a->lo <= b->hi)
106		return 0;
107	return a->lo < b->lo ? -1 : 1;
108}
109
110static int
111key_id_cmp(struct revoked_key_id *a, struct revoked_key_id *b)
112{
113	return strcmp(a->key_id, b->key_id);
114}
115
116static int
117blob_cmp(struct revoked_blob *a, struct revoked_blob *b)
118{
119	int r;
120
121	if (a->len != b->len) {
122		if ((r = memcmp(a->blob, b->blob, MIN(a->len, b->len))) != 0)
123			return r;
124		return a->len > b->len ? 1 : -1;
125	} else
126		return memcmp(a->blob, b->blob, a->len);
127}
128
129struct ssh_krl *
130ssh_krl_init(void)
131{
132	struct ssh_krl *krl;
133
134	if ((krl = calloc(1, sizeof(*krl))) == NULL)
135		return NULL;
136	RB_INIT(&krl->revoked_keys);
137	RB_INIT(&krl->revoked_sha1s);
138	TAILQ_INIT(&krl->revoked_certs);
139	return krl;
140}
141
142static void
143revoked_certs_free(struct revoked_certs *rc)
144{
145	struct revoked_serial *rs, *trs;
146	struct revoked_key_id *rki, *trki;
147
148	RB_FOREACH_SAFE(rs, revoked_serial_tree, &rc->revoked_serials, trs) {
149		RB_REMOVE(revoked_serial_tree, &rc->revoked_serials, rs);
150		free(rs);
151	}
152	RB_FOREACH_SAFE(rki, revoked_key_id_tree, &rc->revoked_key_ids, trki) {
153		RB_REMOVE(revoked_key_id_tree, &rc->revoked_key_ids, rki);
154		free(rki->key_id);
155		free(rki);
156	}
157	if (rc->ca_key != NULL)
158		key_free(rc->ca_key);
159}
160
161void
162ssh_krl_free(struct ssh_krl *krl)
163{
164	struct revoked_blob *rb, *trb;
165	struct revoked_certs *rc, *trc;
166
167	if (krl == NULL)
168		return;
169
170	free(krl->comment);
171	RB_FOREACH_SAFE(rb, revoked_blob_tree, &krl->revoked_keys, trb) {
172		RB_REMOVE(revoked_blob_tree, &krl->revoked_keys, rb);
173		free(rb->blob);
174		free(rb);
175	}
176	RB_FOREACH_SAFE(rb, revoked_blob_tree, &krl->revoked_sha1s, trb) {
177		RB_REMOVE(revoked_blob_tree, &krl->revoked_sha1s, rb);
178		free(rb->blob);
179		free(rb);
180	}
181	TAILQ_FOREACH_SAFE(rc, &krl->revoked_certs, entry, trc) {
182		TAILQ_REMOVE(&krl->revoked_certs, rc, entry);
183		revoked_certs_free(rc);
184	}
185}
186
187void
188ssh_krl_set_version(struct ssh_krl *krl, u_int64_t version)
189{
190	krl->krl_version = version;
191}
192
193void
194ssh_krl_set_comment(struct ssh_krl *krl, const char *comment)
195{
196	free(krl->comment);
197	if ((krl->comment = strdup(comment)) == NULL)
198		fatal("%s: strdup", __func__);
199}
200
201/*
202 * Find the revoked_certs struct for a CA key. If allow_create is set then
203 * create a new one in the tree if one did not exist already.
204 */
205static int
206revoked_certs_for_ca_key(struct ssh_krl *krl, const Key *ca_key,
207    struct revoked_certs **rcp, int allow_create)
208{
209	struct revoked_certs *rc;
210
211	*rcp = NULL;
212	TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
213		if (key_equal(rc->ca_key, ca_key)) {
214			*rcp = rc;
215			return 0;
216		}
217	}
218	if (!allow_create)
219		return 0;
220	/* If this CA doesn't exist in the list then add it now */
221	if ((rc = calloc(1, sizeof(*rc))) == NULL)
222		return -1;
223	if ((rc->ca_key = key_from_private(ca_key)) == NULL) {
224		free(rc);
225		return -1;
226	}
227	RB_INIT(&rc->revoked_serials);
228	RB_INIT(&rc->revoked_key_ids);
229	TAILQ_INSERT_TAIL(&krl->revoked_certs, rc, entry);
230	debug3("%s: new CA %s", __func__, key_type(ca_key));
231	*rcp = rc;
232	return 0;
233}
234
235static int
236insert_serial_range(struct revoked_serial_tree *rt, u_int64_t lo, u_int64_t hi)
237{
238	struct revoked_serial rs, *ers, *crs, *irs;
239
240	KRL_DBG(("%s: insert %llu:%llu", __func__, lo, hi));
241	bzero(&rs, sizeof(rs));
242	rs.lo = lo;
243	rs.hi = hi;
244	ers = RB_NFIND(revoked_serial_tree, rt, &rs);
245	if (ers == NULL || serial_cmp(ers, &rs) != 0) {
246		/* No entry matches. Just insert */
247		if ((irs = malloc(sizeof(rs))) == NULL)
248			return -1;
249		memcpy(irs, &rs, sizeof(*irs));
250		ers = RB_INSERT(revoked_serial_tree, rt, irs);
251		if (ers != NULL) {
252			KRL_DBG(("%s: bad: ers != NULL", __func__));
253			/* Shouldn't happen */
254			free(irs);
255			return -1;
256		}
257		ers = irs;
258	} else {
259		KRL_DBG(("%s: overlap found %llu:%llu", __func__,
260		    ers->lo, ers->hi));
261		/*
262		 * The inserted entry overlaps an existing one. Grow the
263		 * existing entry.
264		 */
265		if (ers->lo > lo)
266			ers->lo = lo;
267		if (ers->hi < hi)
268			ers->hi = hi;
269	}
270	/*
271	 * The inserted or revised range might overlap or abut adjacent ones;
272	 * coalesce as necessary.
273	 */
274
275	/* Check predecessors */
276	while ((crs = RB_PREV(revoked_serial_tree, rt, ers)) != NULL) {
277		KRL_DBG(("%s: pred %llu:%llu", __func__, crs->lo, crs->hi));
278		if (ers->lo != 0 && crs->hi < ers->lo - 1)
279			break;
280		/* This entry overlaps. */
281		if (crs->lo < ers->lo) {
282			ers->lo = crs->lo;
283			KRL_DBG(("%s: pred extend %llu:%llu", __func__,
284			    ers->lo, ers->hi));
285		}
286		RB_REMOVE(revoked_serial_tree, rt, crs);
287		free(crs);
288	}
289	/* Check successors */
290	while ((crs = RB_NEXT(revoked_serial_tree, rt, ers)) != NULL) {
291		KRL_DBG(("%s: succ %llu:%llu", __func__, crs->lo, crs->hi));
292		if (ers->hi != (u_int64_t)-1 && crs->lo > ers->hi + 1)
293			break;
294		/* This entry overlaps. */
295		if (crs->hi > ers->hi) {
296			ers->hi = crs->hi;
297			KRL_DBG(("%s: succ extend %llu:%llu", __func__,
298			    ers->lo, ers->hi));
299		}
300		RB_REMOVE(revoked_serial_tree, rt, crs);
301		free(crs);
302	}
303	KRL_DBG(("%s: done, final %llu:%llu", __func__, ers->lo, ers->hi));
304	return 0;
305}
306
307int
308ssh_krl_revoke_cert_by_serial(struct ssh_krl *krl, const Key *ca_key,
309    u_int64_t serial)
310{
311	return ssh_krl_revoke_cert_by_serial_range(krl, ca_key, serial, serial);
312}
313
314int
315ssh_krl_revoke_cert_by_serial_range(struct ssh_krl *krl, const Key *ca_key,
316    u_int64_t lo, u_int64_t hi)
317{
318	struct revoked_certs *rc;
319
320	if (lo > hi || lo == 0)
321		return -1;
322	if (revoked_certs_for_ca_key(krl, ca_key, &rc, 1) != 0)
323		return -1;
324	return insert_serial_range(&rc->revoked_serials, lo, hi);
325}
326
327int
328ssh_krl_revoke_cert_by_key_id(struct ssh_krl *krl, const Key *ca_key,
329    const char *key_id)
330{
331	struct revoked_key_id *rki, *erki;
332	struct revoked_certs *rc;
333
334	if (revoked_certs_for_ca_key(krl, ca_key, &rc, 1) != 0)
335		return -1;
336
337	debug3("%s: revoke %s", __func__, key_id);
338	if ((rki = calloc(1, sizeof(*rki))) == NULL ||
339	    (rki->key_id = strdup(key_id)) == NULL) {
340		free(rki);
341		fatal("%s: strdup", __func__);
342	}
343	erki = RB_INSERT(revoked_key_id_tree, &rc->revoked_key_ids, rki);
344	if (erki != NULL) {
345		free(rki->key_id);
346		free(rki);
347	}
348	return 0;
349}
350
351/* Convert "key" to a public key blob without any certificate information */
352static int
353plain_key_blob(const Key *key, u_char **blob, u_int *blen)
354{
355	Key *kcopy;
356	int r;
357
358	if ((kcopy = key_from_private(key)) == NULL)
359		return -1;
360	if (key_is_cert(kcopy)) {
361		if (key_drop_cert(kcopy) != 0) {
362			error("%s: key_drop_cert", __func__);
363			key_free(kcopy);
364			return -1;
365		}
366	}
367	r = key_to_blob(kcopy, blob, blen);
368	free(kcopy);
369	return r == 0 ? -1 : 0;
370}
371
372/* Revoke a key blob. Ownership of blob is transferred to the tree */
373static int
374revoke_blob(struct revoked_blob_tree *rbt, u_char *blob, u_int len)
375{
376	struct revoked_blob *rb, *erb;
377
378	if ((rb = calloc(1, sizeof(*rb))) == NULL)
379		return -1;
380	rb->blob = blob;
381	rb->len = len;
382	erb = RB_INSERT(revoked_blob_tree, rbt, rb);
383	if (erb != NULL) {
384		free(rb->blob);
385		free(rb);
386	}
387	return 0;
388}
389
390int
391ssh_krl_revoke_key_explicit(struct ssh_krl *krl, const Key *key)
392{
393	u_char *blob;
394	u_int len;
395
396	debug3("%s: revoke type %s", __func__, key_type(key));
397	if (plain_key_blob(key, &blob, &len) != 0)
398		return -1;
399	return revoke_blob(&krl->revoked_keys, blob, len);
400}
401
402int
403ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const Key *key)
404{
405	u_char *blob;
406	u_int len;
407
408	debug3("%s: revoke type %s by sha1", __func__, key_type(key));
409	if ((blob = key_fingerprint_raw(key, SSH_FP_SHA1, &len)) == NULL)
410		return -1;
411	return revoke_blob(&krl->revoked_sha1s, blob, len);
412}
413
414int
415ssh_krl_revoke_key(struct ssh_krl *krl, const Key *key)
416{
417	if (!key_is_cert(key))
418		return ssh_krl_revoke_key_sha1(krl, key);
419
420	if (key_cert_is_legacy(key) || key->cert->serial == 0) {
421		return ssh_krl_revoke_cert_by_key_id(krl,
422		    key->cert->signature_key,
423		    key->cert->key_id);
424	} else {
425		return ssh_krl_revoke_cert_by_serial(krl,
426		    key->cert->signature_key,
427		    key->cert->serial);
428	}
429}
430
431/*
432 * Select a copact next section type to emit in a KRL based on the
433 * current section type, the run length of contiguous revoked serial
434 * numbers and the gaps from the last and to the next revoked serial.
435 * Applies a mostly-accurate bit cost model to select the section type
436 * that will minimise the size of the resultant KRL.
437 */
438static int
439choose_next_state(int current_state, u_int64_t contig, int final,
440    u_int64_t last_gap, u_int64_t next_gap, int *force_new_section)
441{
442	int new_state;
443	u_int64_t cost, cost_list, cost_range, cost_bitmap, cost_bitmap_restart;
444
445	/*
446	 * Avoid unsigned overflows.
447	 * The limits are high enough to avoid confusing the calculations.
448	 */
449	contig = MIN(contig, 1ULL<<31);
450	last_gap = MIN(last_gap, 1ULL<<31);
451	next_gap = MIN(next_gap, 1ULL<<31);
452
453	/*
454	 * Calculate the cost to switch from the current state to candidates.
455	 * NB. range sections only ever contain a single range, so their
456	 * switching cost is independent of the current_state.
457	 */
458	cost_list = cost_bitmap = cost_bitmap_restart = 0;
459	cost_range = 8;
460	switch (current_state) {
461	case KRL_SECTION_CERT_SERIAL_LIST:
462		cost_bitmap_restart = cost_bitmap = 8 + 64;
463		break;
464	case KRL_SECTION_CERT_SERIAL_BITMAP:
465		cost_list = 8;
466		cost_bitmap_restart = 8 + 64;
467		break;
468	case KRL_SECTION_CERT_SERIAL_RANGE:
469	case 0:
470		cost_bitmap_restart = cost_bitmap = 8 + 64;
471		cost_list = 8;
472	}
473
474	/* Estimate base cost in bits of each section type */
475	cost_list += 64 * contig + (final ? 0 : 8+64);
476	cost_range += (2 * 64) + (final ? 0 : 8+64);
477	cost_bitmap += last_gap + contig + (final ? 0 : MIN(next_gap, 8+64));
478	cost_bitmap_restart += contig + (final ? 0 : MIN(next_gap, 8+64));
479
480	/* Convert to byte costs for actual comparison */
481	cost_list = (cost_list + 7) / 8;
482	cost_bitmap = (cost_bitmap + 7) / 8;
483	cost_bitmap_restart = (cost_bitmap_restart + 7) / 8;
484	cost_range = (cost_range + 7) / 8;
485
486	/* Now pick the best choice */
487	*force_new_section = 0;
488	new_state = KRL_SECTION_CERT_SERIAL_BITMAP;
489	cost = cost_bitmap;
490	if (cost_range < cost) {
491		new_state = KRL_SECTION_CERT_SERIAL_RANGE;
492		cost = cost_range;
493	}
494	if (cost_list < cost) {
495		new_state = KRL_SECTION_CERT_SERIAL_LIST;
496		cost = cost_list;
497	}
498	if (cost_bitmap_restart < cost) {
499		new_state = KRL_SECTION_CERT_SERIAL_BITMAP;
500		*force_new_section = 1;
501		cost = cost_bitmap_restart;
502	}
503	debug3("%s: contig %llu last_gap %llu next_gap %llu final %d, costs:"
504	    "list %llu range %llu bitmap %llu new bitmap %llu, "
505	    "selected 0x%02x%s", __func__, (long long unsigned)contig,
506	    (long long unsigned)last_gap, (long long unsigned)next_gap, final,
507	    (long long unsigned)cost_list, (long long unsigned)cost_range,
508	    (long long unsigned)cost_bitmap,
509	    (long long unsigned)cost_bitmap_restart, new_state,
510	    *force_new_section ? " restart" : "");
511	return new_state;
512}
513
514/* Generate a KRL_SECTION_CERTIFICATES KRL section */
515static int
516revoked_certs_generate(struct revoked_certs *rc, Buffer *buf)
517{
518	int final, force_new_sect, r = -1;
519	u_int64_t i, contig, gap, last = 0, bitmap_start = 0;
520	struct revoked_serial *rs, *nrs;
521	struct revoked_key_id *rki;
522	int next_state, state = 0;
523	Buffer sect;
524	u_char *kblob = NULL;
525	u_int klen;
526	BIGNUM *bitmap = NULL;
527
528	/* Prepare CA scope key blob if we have one supplied */
529	if (key_to_blob(rc->ca_key, &kblob, &klen) == 0)
530		return -1;
531
532	buffer_init(&sect);
533
534	/* Store the header */
535	buffer_put_string(buf, kblob, klen);
536	buffer_put_string(buf, NULL, 0); /* Reserved */
537
538	free(kblob);
539
540	/* Store the revoked serials.  */
541	for (rs = RB_MIN(revoked_serial_tree, &rc->revoked_serials);
542	     rs != NULL;
543	     rs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs)) {
544		debug3("%s: serial %llu:%llu state 0x%02x", __func__,
545		    (long long unsigned)rs->lo, (long long unsigned)rs->hi,
546		    state);
547
548		/* Check contiguous length and gap to next section (if any) */
549		nrs = RB_NEXT(revoked_serial_tree, &rc->revoked_serials, rs);
550		final = nrs == NULL;
551		gap = nrs == NULL ? 0 : nrs->lo - rs->hi;
552		contig = 1 + (rs->hi - rs->lo);
553
554		/* Choose next state based on these */
555		next_state = choose_next_state(state, contig, final,
556		    state == 0 ? 0 : rs->lo - last, gap, &force_new_sect);
557
558		/*
559		 * If the current section is a range section or has a different
560		 * type to the next section, then finish it off now.
561		 */
562		if (state != 0 && (force_new_sect || next_state != state ||
563		    state == KRL_SECTION_CERT_SERIAL_RANGE)) {
564			debug3("%s: finish state 0x%02x", __func__, state);
565			switch (state) {
566			case KRL_SECTION_CERT_SERIAL_LIST:
567			case KRL_SECTION_CERT_SERIAL_RANGE:
568				break;
569			case KRL_SECTION_CERT_SERIAL_BITMAP:
570				buffer_put_bignum2(&sect, bitmap);
571				BN_free(bitmap);
572				bitmap = NULL;
573				break;
574			}
575			buffer_put_char(buf, state);
576			buffer_put_string(buf,
577			    buffer_ptr(&sect), buffer_len(&sect));
578		}
579
580		/* If we are starting a new section then prepare it now */
581		if (next_state != state || force_new_sect) {
582			debug3("%s: start state 0x%02x", __func__, next_state);
583			state = next_state;
584			buffer_clear(&sect);
585			switch (state) {
586			case KRL_SECTION_CERT_SERIAL_LIST:
587			case KRL_SECTION_CERT_SERIAL_RANGE:
588				break;
589			case KRL_SECTION_CERT_SERIAL_BITMAP:
590				if ((bitmap = BN_new()) == NULL)
591					goto out;
592				bitmap_start = rs->lo;
593				buffer_put_int64(&sect, bitmap_start);
594				break;
595			}
596		}
597
598		/* Perform section-specific processing */
599		switch (state) {
600		case KRL_SECTION_CERT_SERIAL_LIST:
601			for (i = 0; i < contig; i++)
602				buffer_put_int64(&sect, rs->lo + i);
603			break;
604		case KRL_SECTION_CERT_SERIAL_RANGE:
605			buffer_put_int64(&sect, rs->lo);
606			buffer_put_int64(&sect, rs->hi);
607			break;
608		case KRL_SECTION_CERT_SERIAL_BITMAP:
609			if (rs->lo - bitmap_start > INT_MAX) {
610				error("%s: insane bitmap gap", __func__);
611				goto out;
612			}
613			for (i = 0; i < contig; i++) {
614				if (BN_set_bit(bitmap,
615				    rs->lo + i - bitmap_start) != 1)
616					goto out;
617			}
618			break;
619		}
620		last = rs->hi;
621	}
622	/* Flush the remaining section, if any */
623	if (state != 0) {
624		debug3("%s: serial final flush for state 0x%02x",
625		    __func__, state);
626		switch (state) {
627		case KRL_SECTION_CERT_SERIAL_LIST:
628		case KRL_SECTION_CERT_SERIAL_RANGE:
629			break;
630		case KRL_SECTION_CERT_SERIAL_BITMAP:
631			buffer_put_bignum2(&sect, bitmap);
632			BN_free(bitmap);
633			bitmap = NULL;
634			break;
635		}
636		buffer_put_char(buf, state);
637		buffer_put_string(buf,
638		    buffer_ptr(&sect), buffer_len(&sect));
639	}
640	debug3("%s: serial done ", __func__);
641
642	/* Now output a section for any revocations by key ID */
643	buffer_clear(&sect);
644	RB_FOREACH(rki, revoked_key_id_tree, &rc->revoked_key_ids) {
645		debug3("%s: key ID %s", __func__, rki->key_id);
646		buffer_put_cstring(&sect, rki->key_id);
647	}
648	if (buffer_len(&sect) != 0) {
649		buffer_put_char(buf, KRL_SECTION_CERT_KEY_ID);
650		buffer_put_string(buf, buffer_ptr(&sect),
651		    buffer_len(&sect));
652	}
653	r = 0;
654 out:
655	if (bitmap != NULL)
656		BN_free(bitmap);
657	buffer_free(&sect);
658	return r;
659}
660
661int
662ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys,
663    u_int nsign_keys)
664{
665	int r = -1;
666	struct revoked_certs *rc;
667	struct revoked_blob *rb;
668	Buffer sect;
669	u_char *kblob = NULL, *sblob = NULL;
670	u_int klen, slen, i;
671
672	if (krl->generated_date == 0)
673		krl->generated_date = time(NULL);
674
675	buffer_init(&sect);
676
677	/* Store the header */
678	buffer_append(buf, KRL_MAGIC, sizeof(KRL_MAGIC) - 1);
679	buffer_put_int(buf, KRL_FORMAT_VERSION);
680	buffer_put_int64(buf, krl->krl_version);
681	buffer_put_int64(buf, krl->generated_date);
682	buffer_put_int64(buf, krl->flags);
683	buffer_put_string(buf, NULL, 0);
684	buffer_put_cstring(buf, krl->comment ? krl->comment : "");
685
686	/* Store sections for revoked certificates */
687	TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
688		if (revoked_certs_generate(rc, &sect) != 0)
689			goto out;
690		buffer_put_char(buf, KRL_SECTION_CERTIFICATES);
691		buffer_put_string(buf, buffer_ptr(&sect),
692		    buffer_len(&sect));
693	}
694
695	/* Finally, output sections for revocations by public key/hash */
696	buffer_clear(&sect);
697	RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_keys) {
698		debug3("%s: key len %u ", __func__, rb->len);
699		buffer_put_string(&sect, rb->blob, rb->len);
700	}
701	if (buffer_len(&sect) != 0) {
702		buffer_put_char(buf, KRL_SECTION_EXPLICIT_KEY);
703		buffer_put_string(buf, buffer_ptr(&sect),
704		    buffer_len(&sect));
705	}
706	buffer_clear(&sect);
707	RB_FOREACH(rb, revoked_blob_tree, &krl->revoked_sha1s) {
708		debug3("%s: hash len %u ", __func__, rb->len);
709		buffer_put_string(&sect, rb->blob, rb->len);
710	}
711	if (buffer_len(&sect) != 0) {
712		buffer_put_char(buf, KRL_SECTION_FINGERPRINT_SHA1);
713		buffer_put_string(buf, buffer_ptr(&sect),
714		    buffer_len(&sect));
715	}
716
717	for (i = 0; i < nsign_keys; i++) {
718		if (key_to_blob(sign_keys[i], &kblob, &klen) == 0)
719			goto out;
720
721		debug3("%s: signature key len %u", __func__, klen);
722		buffer_put_char(buf, KRL_SECTION_SIGNATURE);
723		buffer_put_string(buf, kblob, klen);
724
725		if (key_sign(sign_keys[i], &sblob, &slen,
726		    buffer_ptr(buf), buffer_len(buf)) == -1)
727			goto out;
728		debug3("%s: signature sig len %u", __func__, slen);
729		buffer_put_string(buf, sblob, slen);
730	}
731
732	r = 0;
733 out:
734	free(kblob);
735	free(sblob);
736	buffer_free(&sect);
737	return r;
738}
739
740static void
741format_timestamp(u_int64_t timestamp, char *ts, size_t nts)
742{
743	time_t t;
744	struct tm *tm;
745
746	t = timestamp;
747	tm = localtime(&t);
748	*ts = '\0';
749	strftime(ts, nts, "%Y%m%dT%H%M%S", tm);
750}
751
752static int
753parse_revoked_certs(Buffer *buf, struct ssh_krl *krl)
754{
755	int ret = -1, nbits;
756	u_char type, *blob;
757	u_int blen;
758	Buffer subsect;
759	u_int64_t serial, serial_lo, serial_hi;
760	BIGNUM *bitmap = NULL;
761	char *key_id = NULL;
762	Key *ca_key = NULL;
763
764	buffer_init(&subsect);
765
766	if ((blob = buffer_get_string_ptr_ret(buf, &blen)) == NULL ||
767	    buffer_get_string_ptr_ret(buf, NULL) == NULL) { /* reserved */
768		error("%s: buffer error", __func__);
769		goto out;
770	}
771	if ((ca_key = key_from_blob(blob, blen)) == NULL)
772		goto out;
773
774	while (buffer_len(buf) > 0) {
775		if (buffer_get_char_ret(&type, buf) != 0 ||
776		    (blob = buffer_get_string_ptr_ret(buf, &blen)) == NULL) {
777			error("%s: buffer error", __func__);
778			goto out;
779		}
780		buffer_clear(&subsect);
781		buffer_append(&subsect, blob, blen);
782		debug3("%s: subsection type 0x%02x", __func__, type);
783		/* buffer_dump(&subsect); */
784
785		switch (type) {
786		case KRL_SECTION_CERT_SERIAL_LIST:
787			while (buffer_len(&subsect) > 0) {
788				if (buffer_get_int64_ret(&serial,
789				    &subsect) != 0) {
790					error("%s: buffer error", __func__);
791					goto out;
792				}
793				if (ssh_krl_revoke_cert_by_serial(krl, ca_key,
794				    serial) != 0) {
795					error("%s: update failed", __func__);
796					goto out;
797				}
798			}
799			break;
800		case KRL_SECTION_CERT_SERIAL_RANGE:
801			if (buffer_get_int64_ret(&serial_lo, &subsect) != 0 ||
802			    buffer_get_int64_ret(&serial_hi, &subsect) != 0) {
803				error("%s: buffer error", __func__);
804				goto out;
805			}
806			if (ssh_krl_revoke_cert_by_serial_range(krl, ca_key,
807			    serial_lo, serial_hi) != 0) {
808				error("%s: update failed", __func__);
809				goto out;
810			}
811			break;
812		case KRL_SECTION_CERT_SERIAL_BITMAP:
813			if ((bitmap = BN_new()) == NULL) {
814				error("%s: BN_new", __func__);
815				goto out;
816			}
817			if (buffer_get_int64_ret(&serial_lo, &subsect) != 0 ||
818			    buffer_get_bignum2_ret(&subsect, bitmap) != 0) {
819				error("%s: buffer error", __func__);
820				goto out;
821			}
822			if ((nbits = BN_num_bits(bitmap)) < 0) {
823				error("%s: bitmap bits < 0", __func__);
824				goto out;
825			}
826			for (serial = 0; serial < (u_int)nbits; serial++) {
827				if (serial > 0 && serial_lo + serial == 0) {
828					error("%s: bitmap wraps u64", __func__);
829					goto out;
830				}
831				if (!BN_is_bit_set(bitmap, serial))
832					continue;
833				if (ssh_krl_revoke_cert_by_serial(krl, ca_key,
834				    serial_lo + serial) != 0) {
835					error("%s: update failed", __func__);
836					goto out;
837				}
838			}
839			BN_free(bitmap);
840			bitmap = NULL;
841			break;
842		case KRL_SECTION_CERT_KEY_ID:
843			while (buffer_len(&subsect) > 0) {
844				if ((key_id = buffer_get_cstring_ret(&subsect,
845				    NULL)) == NULL) {
846					error("%s: buffer error", __func__);
847					goto out;
848				}
849				if (ssh_krl_revoke_cert_by_key_id(krl, ca_key,
850				    key_id) != 0) {
851					error("%s: update failed", __func__);
852					goto out;
853				}
854				free(key_id);
855				key_id = NULL;
856			}
857			break;
858		default:
859			error("Unsupported KRL certificate section %u", type);
860			goto out;
861		}
862		if (buffer_len(&subsect) > 0) {
863			error("KRL certificate section contains unparsed data");
864			goto out;
865		}
866	}
867
868	ret = 0;
869 out:
870	if (ca_key != NULL)
871		key_free(ca_key);
872	if (bitmap != NULL)
873		BN_free(bitmap);
874	free(key_id);
875	buffer_free(&subsect);
876	return ret;
877}
878
879
880/* Attempt to parse a KRL, checking its signature (if any) with sign_ca_keys. */
881int
882ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
883    const Key **sign_ca_keys, u_int nsign_ca_keys)
884{
885	Buffer copy, sect;
886	struct ssh_krl *krl;
887	char timestamp[64];
888	int ret = -1, r, sig_seen;
889	Key *key = NULL, **ca_used = NULL;
890	u_char type, *blob, *rdata = NULL;
891	u_int i, j, sig_off, sects_off, rlen, blen, format_version, nca_used;
892
893	nca_used = 0;
894	*krlp = NULL;
895	if (buffer_len(buf) < sizeof(KRL_MAGIC) - 1 ||
896	    memcmp(buffer_ptr(buf), KRL_MAGIC, sizeof(KRL_MAGIC) - 1) != 0) {
897		debug3("%s: not a KRL", __func__);
898		/*
899		 * Return success but a NULL *krlp here to signal that the
900		 * file might be a simple list of keys.
901		 */
902		return 0;
903	}
904
905	/* Take a copy of the KRL buffer so we can verify its signature later */
906	buffer_init(&copy);
907	buffer_append(&copy, buffer_ptr(buf), buffer_len(buf));
908
909	buffer_init(&sect);
910	buffer_consume(&copy, sizeof(KRL_MAGIC) - 1);
911
912	if ((krl = ssh_krl_init()) == NULL) {
913		error("%s: alloc failed", __func__);
914		goto out;
915	}
916
917	if (buffer_get_int_ret(&format_version, &copy) != 0) {
918		error("%s: KRL truncated", __func__);
919		goto out;
920	}
921	if (format_version != KRL_FORMAT_VERSION) {
922		error("%s: KRL unsupported format version %u",
923		    __func__, format_version);
924		goto out;
925	}
926	if (buffer_get_int64_ret(&krl->krl_version, &copy) != 0 ||
927	    buffer_get_int64_ret(&krl->generated_date, &copy) != 0 ||
928	    buffer_get_int64_ret(&krl->flags, &copy) != 0 ||
929	    buffer_get_string_ptr_ret(&copy, NULL) == NULL || /* reserved */
930	    (krl->comment = buffer_get_cstring_ret(&copy, NULL)) == NULL) {
931		error("%s: buffer error", __func__);
932		goto out;
933	}
934
935	format_timestamp(krl->generated_date, timestamp, sizeof(timestamp));
936	debug("KRL version %llu generated at %s%s%s",
937	    (long long unsigned)krl->krl_version, timestamp,
938	    *krl->comment ? ": " : "", krl->comment);
939
940	/*
941	 * 1st pass: verify signatures, if any. This is done to avoid
942	 * detailed parsing of data whose provenance is unverified.
943	 */
944	sig_seen = 0;
945	sects_off = buffer_len(buf) - buffer_len(&copy);
946	while (buffer_len(&copy) > 0) {
947		if (buffer_get_char_ret(&type, &copy) != 0 ||
948		    (blob = buffer_get_string_ptr_ret(&copy, &blen)) == NULL) {
949			error("%s: buffer error", __func__);
950			goto out;
951		}
952		debug3("%s: first pass, section 0x%02x", __func__, type);
953		if (type != KRL_SECTION_SIGNATURE) {
954			if (sig_seen) {
955				error("KRL contains non-signature section "
956				    "after signature");
957				goto out;
958			}
959			/* Not interested for now. */
960			continue;
961		}
962		sig_seen = 1;
963		/* First string component is the signing key */
964		if ((key = key_from_blob(blob, blen)) == NULL) {
965			error("%s: invalid signature key", __func__);
966			goto out;
967		}
968		sig_off = buffer_len(buf) - buffer_len(&copy);
969		/* Second string component is the signature itself */
970		if ((blob = buffer_get_string_ptr_ret(&copy, &blen)) == NULL) {
971			error("%s: buffer error", __func__);
972			goto out;
973		}
974		/* Check signature over entire KRL up to this point */
975		if (key_verify(key, blob, blen,
976		    buffer_ptr(buf), buffer_len(buf) - sig_off) != 1) {
977			error("bad signaure on KRL");
978			goto out;
979		}
980		/* Check if this key has already signed this KRL */
981		for (i = 0; i < nca_used; i++) {
982			if (key_equal(ca_used[i], key)) {
983				error("KRL signed more than once with "
984				    "the same key");
985				goto out;
986			}
987		}
988		/* Record keys used to sign the KRL */
989		ca_used = xrealloc(ca_used, nca_used + 1, sizeof(*ca_used));
990		ca_used[nca_used++] = key;
991		key = NULL;
992		break;
993	}
994
995	/*
996	 * 2nd pass: parse and load the KRL, skipping the header to the point
997	 * where the section start.
998	 */
999	buffer_append(&copy, (u_char*)buffer_ptr(buf) + sects_off,
1000	    buffer_len(buf) - sects_off);
1001	while (buffer_len(&copy) > 0) {
1002		if (buffer_get_char_ret(&type, &copy) != 0 ||
1003		    (blob = buffer_get_string_ptr_ret(&copy, &blen)) == NULL) {
1004			error("%s: buffer error", __func__);
1005			goto out;
1006		}
1007		debug3("%s: second pass, section 0x%02x", __func__, type);
1008		buffer_clear(&sect);
1009		buffer_append(&sect, blob, blen);
1010
1011		switch (type) {
1012		case KRL_SECTION_CERTIFICATES:
1013			if ((r = parse_revoked_certs(&sect, krl)) != 0)
1014				goto out;
1015			break;
1016		case KRL_SECTION_EXPLICIT_KEY:
1017		case KRL_SECTION_FINGERPRINT_SHA1:
1018			while (buffer_len(&sect) > 0) {
1019				if ((rdata = buffer_get_string_ret(&sect,
1020				    &rlen)) == NULL) {
1021					error("%s: buffer error", __func__);
1022					goto out;
1023				}
1024				if (type == KRL_SECTION_FINGERPRINT_SHA1 &&
1025				    rlen != 20) {
1026					error("%s: bad SHA1 length", __func__);
1027					goto out;
1028				}
1029				if (revoke_blob(
1030				    type == KRL_SECTION_EXPLICIT_KEY ?
1031				    &krl->revoked_keys : &krl->revoked_sha1s,
1032				    rdata, rlen) != 0)
1033					goto out;
1034				rdata = NULL; /* revoke_blob frees blob */
1035			}
1036			break;
1037		case KRL_SECTION_SIGNATURE:
1038			/* Handled above, but still need to stay in synch */
1039			buffer_clear(&sect);
1040			if ((blob = buffer_get_string_ptr_ret(&copy,
1041			    &blen)) == NULL) {
1042				error("%s: buffer error", __func__);
1043				goto out;
1044			}
1045			break;
1046		default:
1047			error("Unsupported KRL section %u", type);
1048			goto out;
1049		}
1050		if (buffer_len(&sect) > 0) {
1051			error("KRL section contains unparsed data");
1052			goto out;
1053		}
1054	}
1055
1056	/* Check that the key(s) used to sign the KRL weren't revoked */
1057	sig_seen = 0;
1058	for (i = 0; i < nca_used; i++) {
1059		if (ssh_krl_check_key(krl, ca_used[i]) == 0)
1060			sig_seen = 1;
1061		else {
1062			key_free(ca_used[i]);
1063			ca_used[i] = NULL;
1064		}
1065	}
1066	if (nca_used && !sig_seen) {
1067		error("All keys used to sign KRL were revoked");
1068		goto out;
1069	}
1070
1071	/* If we have CA keys, then verify that one was used to sign the KRL */
1072	if (sig_seen && nsign_ca_keys != 0) {
1073		sig_seen = 0;
1074		for (i = 0; !sig_seen && i < nsign_ca_keys; i++) {
1075			for (j = 0; j < nca_used; j++) {
1076				if (ca_used[j] == NULL)
1077					continue;
1078				if (key_equal(ca_used[j], sign_ca_keys[i])) {
1079					sig_seen = 1;
1080					break;
1081				}
1082			}
1083		}
1084		if (!sig_seen) {
1085			error("KRL not signed with any trusted key");
1086			goto out;
1087		}
1088	}
1089
1090	*krlp = krl;
1091	ret = 0;
1092 out:
1093	if (ret != 0)
1094		ssh_krl_free(krl);
1095	for (i = 0; i < nca_used; i++) {
1096		if (ca_used[i] != NULL)
1097			key_free(ca_used[i]);
1098	}
1099	free(ca_used);
1100	free(rdata);
1101	if (key != NULL)
1102		key_free(key);
1103	buffer_free(&copy);
1104	buffer_free(&sect);
1105	return ret;
1106}
1107
1108/* Checks whether a given key/cert is revoked. Does not check its CA */
1109static int
1110is_key_revoked(struct ssh_krl *krl, const Key *key)
1111{
1112	struct revoked_blob rb, *erb;
1113	struct revoked_serial rs, *ers;
1114	struct revoked_key_id rki, *erki;
1115	struct revoked_certs *rc;
1116
1117	/* Check explicitly revoked hashes first */
1118	bzero(&rb, sizeof(rb));
1119	if ((rb.blob = key_fingerprint_raw(key, SSH_FP_SHA1, &rb.len)) == NULL)
1120		return -1;
1121	erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
1122	free(rb.blob);
1123	if (erb != NULL) {
1124		debug("%s: revoked by key SHA1", __func__);
1125		return -1;
1126	}
1127
1128	/* Next, explicit keys */
1129	bzero(&rb, sizeof(rb));
1130	if (plain_key_blob(key, &rb.blob, &rb.len) != 0)
1131		return -1;
1132	erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
1133	free(rb.blob);
1134	if (erb != NULL) {
1135		debug("%s: revoked by explicit key", __func__);
1136		return -1;
1137	}
1138
1139	if (!key_is_cert(key))
1140		return 0;
1141
1142	/* Check cert revocation */
1143	if (revoked_certs_for_ca_key(krl, key->cert->signature_key,
1144	    &rc, 0) != 0)
1145		return -1;
1146	if (rc == NULL)
1147		return 0; /* No entry for this CA */
1148
1149	/* Check revocation by cert key ID */
1150	bzero(&rki, sizeof(rki));
1151	rki.key_id = key->cert->key_id;
1152	erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki);
1153	if (erki != NULL) {
1154		debug("%s: revoked by key ID", __func__);
1155		return -1;
1156	}
1157
1158	/*
1159	 * Legacy cert formats lack serial numbers. Zero serials numbers
1160	 * are ignored (it's the default when the CA doesn't specify one).
1161	 */
1162	if (key_cert_is_legacy(key) || key->cert->serial == 0)
1163		return 0;
1164
1165	bzero(&rs, sizeof(rs));
1166	rs.lo = rs.hi = key->cert->serial;
1167	ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs);
1168	if (ers != NULL) {
1169		KRL_DBG(("%s: %llu matched %llu:%llu", __func__,
1170		    key->cert->serial, ers->lo, ers->hi));
1171		debug("%s: revoked by serial", __func__);
1172		return -1;
1173	}
1174	KRL_DBG(("%s: %llu no match", __func__, key->cert->serial));
1175
1176	return 0;
1177}
1178
1179int
1180ssh_krl_check_key(struct ssh_krl *krl, const Key *key)
1181{
1182	int r;
1183
1184	debug2("%s: checking key", __func__);
1185	if ((r = is_key_revoked(krl, key)) != 0)
1186		return r;
1187	if (key_is_cert(key)) {
1188		debug2("%s: checking CA key", __func__);
1189		if ((r = is_key_revoked(krl, key->cert->signature_key)) != 0)
1190			return r;
1191	}
1192	debug3("%s: key okay", __func__);
1193	return 0;
1194}
1195
1196/* Returns 0 on success, -1 on error or key revoked, -2 if path is not a KRL */
1197int
1198ssh_krl_file_contains_key(const char *path, const Key *key)
1199{
1200	Buffer krlbuf;
1201	struct ssh_krl *krl;
1202	int revoked, fd;
1203
1204	if (path == NULL)
1205		return 0;
1206
1207	if ((fd = open(path, O_RDONLY)) == -1) {
1208		error("open %s: %s", path, strerror(errno));
1209		error("Revoked keys file not accessible - refusing public key "
1210		    "authentication");
1211		return -1;
1212	}
1213	buffer_init(&krlbuf);
1214	if (!key_load_file(fd, path, &krlbuf)) {
1215		close(fd);
1216		buffer_free(&krlbuf);
1217		error("Revoked keys file not readable - refusing public key "
1218		    "authentication");
1219		return -1;
1220	}
1221	close(fd);
1222	if (ssh_krl_from_blob(&krlbuf, &krl, NULL, 0) != 0) {
1223		buffer_free(&krlbuf);
1224		error("Invalid KRL, refusing public key "
1225		    "authentication");
1226		return -1;
1227	}
1228	buffer_free(&krlbuf);
1229	if (krl == NULL) {
1230		debug3("%s: %s is not a KRL file", __func__, path);
1231		return -2;
1232	}
1233	debug2("%s: checking KRL %s", __func__, path);
1234	revoked = ssh_krl_check_key(krl, key) != 0;
1235	ssh_krl_free(krl);
1236	return revoked ? -1 : 0;
1237}
1238