1 files changed, 35 insertions, 37 deletions
diff --git a/auth.c b/auth.c
index 5e60682ce..f9b767301 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.106 2014/07/15 15:54:14 millert Exp $ */
+/* $OpenBSD: auth.c,v 1.110 2015/02/25 17:29:38 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -27,7 +27,6 @@
 #include <sys/types.h>
 #include <sys/stat.h>
-#include <sys/param.h>
 #include <netinet/in.h>
@@ -50,6 +49,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
+#include <limits.h>
 #include "xmalloc.h"
 #include "match.h"
@@ -71,7 +71,8 @@
 #endif
 #include "authfile.h"
 #include "monitor_wrap.h"
-#include "krl.h"
+#include "authfile.h"
+#include "ssherr.h"
 #include "compat.h"
 /* import */
@@ -330,13 +331,14 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
 void
 auth_maxtries_exceeded(Authctxt *authctxt)
 {
-        packet_disconnect("Too many authentication failures for "
+        error("maximum authentication attempts exceeded for "
            "%s%.100s from %.200s port %d %s",
            authctxt->valid ? "" : "invalid user ",
            authctxt->user,
            get_remote_ipaddr(),
            get_remote_port(),
            compat20 ? "ssh2" : "ssh1");
+        packet_disconnect("Too many authentication failures");
        /* NOTREACHED */
 }
@@ -375,7 +377,7 @@ auth_root_allowed(const char *method)
 char *
 expand_authorized_keys(const char *filename, struct passwd *pw)
 {
-        char *file, ret[MAXPATHLEN];
+        char *file, ret[PATH_MAX];
        int i;
        file = percent_expand(filename, "h", pw->pw_dir,
@@ -467,7 +469,7 @@ int
 auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
    uid_t uid, char *err, size_t errlen)
 {
-        char buf[MAXPATHLEN], homedir[MAXPATHLEN];
+        char buf[PATH_MAX], homedir[PATH_MAX];
        char *cp;
        int comparehome = 0;
        struct stat st;
@@ -673,43 +675,39 @@ getpwnamallow(const char *user)
 int
 auth_key_is_revoked(Key *key)
 {
-#ifdef WITH_OPENSSL
+        char *fp = NULL;
-        char *key_fp;
+        int r;
        if (options.revoked_keys_file == NULL)
                return 0;
-        switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) {
+        if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
-        case 0:
+            SSH_FP_DEFAULT)) == NULL) {
-                return 0;       /* Not revoked */
+                r = SSH_ERR_ALLOC_FAIL;
-        case -2:
+                error("%s: fingerprint key: %s", __func__, ssh_err(r));
-                break;          /* Not a KRL */
+                goto out;
-        default:
-                goto revoked;
        }
-#endif
-        debug3("%s: treating %s as a key list", __func__,
+        r = sshkey_check_revoked(key, options.revoked_keys_file);
-            options.revoked_keys_file);
+        switch (r) {
-        switch (key_in_file(key, options.revoked_keys_file, 0)) {
        case 0:
-                /* key not revoked */
+                break; /* not revoked */
-                return 0;
+        case SSH_ERR_KEY_REVOKED:
-        case -1:
+                error("Authentication key %s %s revoked by file %s",
-                /* Error opening revoked_keys_file: refuse all keys */
+                    sshkey_type(key), fp, options.revoked_keys_file);
-                error("Revoked keys file is unreadable: refusing public key "
+                goto out;
-                    "authentication");
+        default:
-                return 1;
+                error("Error checking authentication key %s %s in "
-#ifdef WITH_OPENSSL
+                    "revoked keys file %s: %s", sshkey_type(key), fp,
-        case 1:
+                    options.revoked_keys_file, ssh_err(r));
- revoked:
+                goto out;
-                /* Key revoked */
-                key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-                error("WARNING: authentication attempt with a revoked "
-                    "%s key %s ", key_type(key), key_fp);
-                free(key_fp);
-                return 1;
-#endif
        }
-        fatal("key_in_file returned junk");
+        /* Success */
+        r = 0;
+ out:
+        free(fp);
+        return r == 0 ? 0 : 1;
 }
 void

diff --git a/auth.c b/auth.c index 5e60682ce..f9b767301 100644 --- a/auth.c +++ b/auth.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: auth.c,v 1.106 2014/07/15 15:54:14 millert Exp $ */	1	/* $OpenBSD: auth.c,v 1.110 2015/02/25 17:29:38 djm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2000 Markus Friedl. All rights reserved.	3	* Copyright (c) 2000 Markus Friedl. All rights reserved.
4	*	4	*
@@ -27,7 +27,6 @@
27		27
28	#include <sys/types.h>	28	#include <sys/types.h>
29	#include <sys/stat.h>	29	#include <sys/stat.h>
30	#include <sys/param.h>
31		30
32	#include <netinet/in.h>	31	#include <netinet/in.h>
33		32
@@ -50,6 +49,7 @@
50	#include <stdio.h>	49	#include <stdio.h>
51	#include <string.h>	50	#include <string.h>
52	#include <unistd.h>	51	#include <unistd.h>
		52	#include <limits.h>
53		53
54	#include "xmalloc.h"	54	#include "xmalloc.h"
55	#include "match.h"	55	#include "match.h"
@@ -71,7 +71,8 @@
71	#endif	71	#endif
72	#include "authfile.h"	72	#include "authfile.h"
73	#include "monitor_wrap.h"	73	#include "monitor_wrap.h"
74	#include "krl.h"	74	#include "authfile.h"
		75	#include "ssherr.h"
75	#include "compat.h"	76	#include "compat.h"
76		77
77	/* import */	78	/* import */
@@ -330,13 +331,14 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
330	void	331	void
331	auth_maxtries_exceeded(Authctxt *authctxt)	332	auth_maxtries_exceeded(Authctxt *authctxt)
332	{	333	{
333	packet_disconnect("Too many authentication failures for "	334	error("maximum authentication attempts exceeded for "
334	"%s%.100s from %.200s port %d %s",	335	"%s%.100s from %.200s port %d %s",
335	authctxt->valid ? "" : "invalid user ",	336	authctxt->valid ? "" : "invalid user ",
336	authctxt->user,	337	authctxt->user,
337	get_remote_ipaddr(),	338	get_remote_ipaddr(),
338	get_remote_port(),	339	get_remote_port(),
339	compat20 ? "ssh2" : "ssh1");	340	compat20 ? "ssh2" : "ssh1");
		341	packet_disconnect("Too many authentication failures");
340	/* NOTREACHED */	342	/* NOTREACHED */
341	}	343	}
342		344
@@ -375,7 +377,7 @@ auth_root_allowed(const char *method)
375	char *	377	char *
376	expand_authorized_keys(const char filename, struct passwd pw)	378	expand_authorized_keys(const char filename, struct passwd pw)
377	{	379	{
378	char *file, ret[MAXPATHLEN];	380	char *file, ret[PATH_MAX];
379	int i;	381	int i;
380		382
381	file = percent_expand(filename, "h", pw->pw_dir,	383	file = percent_expand(filename, "h", pw->pw_dir,
@@ -467,7 +469,7 @@ int
467	auth_secure_path(const char name, struct stat stp, const char *pw_dir,	469	auth_secure_path(const char name, struct stat stp, const char *pw_dir,
468	uid_t uid, char *err, size_t errlen)	470	uid_t uid, char *err, size_t errlen)
469	{	471	{
470	char buf[MAXPATHLEN], homedir[MAXPATHLEN];	472	char buf[PATH_MAX], homedir[PATH_MAX];
471	char *cp;	473	char *cp;
472	int comparehome = 0;	474	int comparehome = 0;
473	struct stat st;	475	struct stat st;
@@ -673,43 +675,39 @@ getpwnamallow(const char *user)
673	int	675	int
674	auth_key_is_revoked(Key *key)	676	auth_key_is_revoked(Key *key)
675	{	677	{
676	#ifdef WITH_OPENSSL	678	char *fp = NULL;
677	char *key_fp;	679	int r;
678		680
679	if (options.revoked_keys_file == NULL)	681	if (options.revoked_keys_file == NULL)
680	return 0;	682	return 0;
681	switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) {	683	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
682	case 0:	684	SSH_FP_DEFAULT)) == NULL) {
683	return 0; /* Not revoked */	685	r = SSH_ERR_ALLOC_FAIL;
684	case -2:	686	error("%s: fingerprint key: %s", __func__, ssh_err(r));
685	break; /* Not a KRL */	687	goto out;
686	default:
687	goto revoked;
688	}	688	}
689	#endif	689
690	debug3("%s: treating %s as a key list", __func__,	690	r = sshkey_check_revoked(key, options.revoked_keys_file);
691	options.revoked_keys_file);	691	switch (r) {
692	switch (key_in_file(key, options.revoked_keys_file, 0)) {
693	case 0:	692	case 0:
694	/* key not revoked */	693	break; /* not revoked */
695	return 0;	694	case SSH_ERR_KEY_REVOKED:
696	case -1:	695	error("Authentication key %s %s revoked by file %s",
697	/* Error opening revoked_keys_file: refuse all keys */	696	sshkey_type(key), fp, options.revoked_keys_file);
698	error("Revoked keys file is unreadable: refusing public key "	697	goto out;
699	"authentication");	698	default:
700	return 1;	699	error("Error checking authentication key %s %s in "
701	#ifdef WITH_OPENSSL	700	"revoked keys file %s: %s", sshkey_type(key), fp,
702	case 1:	701	options.revoked_keys_file, ssh_err(r));
703	revoked:	702	goto out;
704	/* Key revoked */
705	key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
706	error("WARNING: authentication attempt with a revoked "
707	"%s key %s ", key_type(key), key_fp);
708	free(key_fp);
709	return 1;
710	#endif
711	}	703	}
712	fatal("key_in_file returned junk");	704
		705	/* Success */
		706	r = 0;
		707
		708	out:
		709	free(fp);
		710	return r == 0 ? 0 : 1;
713	}	711	}
714		712
715	void	713	void