upstream commit

fix KRL generation when multiple CAs are in use We would generate an invalid KRL when revoking certs by serial number for multiple CA keys due to a section being written out twice. Also extend the regress test to catch this case by having it produce a multi-CA KRL. Reported by peter AT pean.org
author: djm@openbsd.org <djm@openbsd.org> 2014-11-17 01:21:40 +0100
committer: Damien Miller <djm@mindrot.org> 2014-11-17 01:20:39 +0100
commit: 9f9fad0191028edc43d100d0ded39419b6895fdf (patch)
tree: 83a1dabec592abd8220ff622857d5e50d15e4c75 /krl.c
parent: upstream commit (diff)
download: openssh-9f9fad0191028edc43d100d0ded39419b6895fdf.tar.xz
openssh-9f9fad0191028edc43d100d0ded39419b6895fdf.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/krl.c b/krl.c
index eb31df90f..832ac8b0a 100644
--- a/krl.c
+++ b/krl.c
@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $OpenBSD: krl.c,v 1.17 2014/06/24 01:13:21 djm Exp $ */
+/* $OpenBSD: krl.c,v 1.18 2014/11/17 00:21:40 djm Exp $ */
 
 #include "includes.h"
 
@@ -686,6 +686,7 @@ ssh_krl_to_blob(struct ssh_krl *krl, Buffer *buf, const Key **sign_keys,
 
 	/* Store sections for revoked certificates */
 	TAILQ_FOREACH(rc, &krl->revoked_certs, entry) {
+		buffer_clear(&sect);
 		if (revoked_certs_generate(rc, &sect) != 0)
 			goto out;
 		buffer_put_char(buf, KRL_SECTION_CERTIFICATES);
author	djm@openbsd.org <djm@openbsd.org>	2014-11-17 01:21:40 +0100
committer	Damien Miller <djm@mindrot.org>	2014-11-17 01:20:39 +0100
commit	9f9fad0191028edc43d100d0ded39419b6895fdf (patch)
tree	83a1dabec592abd8220ff622857d5e50d15e4c75 /krl.c
parent	upstream commit (diff)
download	openssh-9f9fad0191028edc43d100d0ded39419b6895fdf.tar.xz openssh-9f9fad0191028edc43d100d0ded39419b6895fdf.zip