Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 62 |
1 files changed, 29 insertions, 33 deletions
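--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.106 2014/07/15 15:54:14 millert Exp $ */
+/* $OpenBSD: auth.c,v 1.107 2014/12/04 02:24:32 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -71,7 +71,8 @@
 #endif
 #include "authfile.h"
 #include "monitor_wrap.h"
-#include "krl.h"
+#include "authfile.h"
+#include "ssherr.h"
 #include "compat.h"
 
 /* import */
@@ -673,43 +674,38 @@ getpwnamallow(const char *user)
 int
 auth_key_is_revoked(Key *key)
 {
-#ifdef WITH_OPENSSL
-char *key_fp;
+char *fp = NULL;
+int r;
 
 if (options.revoked_keys_file == NULL)
 return 0;
-switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) {
-case 0:
-return 0; /* Not revoked */
-case -2:
-break; /* Not a KRL */
-default:
-goto revoked;
+if ((fp = sshkey_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX)) == NULL) {
+r = SSH_ERR_ALLOC_FAIL;
+error("%s: fingerprint key: %s", __func__, ssh_err(r));
+goto out;
 }
-#endif
-debug3("%s: treating %s as a key list", __func__,
-options.revoked_keys_file);
-switch (key_in_file(key, options.revoked_keys_file, 0)) {
+
+r = sshkey_check_revoked(key, options.revoked_keys_file);
+switch (r) {
 case 0:
-/* key not revoked */
-return 0;
-case -1:
-/* Error opening revoked_keys_file: refuse all keys */
-error("Revoked keys file is unreadable: refusing public key "
-"authentication");
-return 1;
-#ifdef WITH_OPENSSL
-case 1:
-revoked:
-/* Key revoked */
-key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-error("WARNING: authentication attempt with a revoked "
-"%s key %s ", key_type(key), key_fp);
-free(key_fp);
-return 1;
-#endif
+break; /* not revoked */
+case SSH_ERR_KEY_REVOKED:
+error("Authentication key %s %s revoked by file %s",
+sshkey_type(key), fp, options.revoked_keys_file);
+goto out;
+default:
+error("Error checking authentication key %s %s in "
+"revoked keys file %s: %s", sshkey_type(key), fp,
+options.revoked_keys_file, ssh_err(r));
+goto out;
 }
-fatal("key_in_file returned junk");
+
+/* Success */
+r = 0;
+
+out:
+free(fp);
+return r == 0 ? 0 : 1;
 }
 
 void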
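Review bot: The rewritten auth_key_is_revoked carries no comment stating its contract, and the fail-closed property it depends on — every path reaching `out:` with r != 0, including the sshkey_fingerprint allocation failure and the `default:` branch for an unreadable or malformed file, is reported to the caller as 1 (revoked) — is only visible by tracing the gotos to `return r == 0 ? 0 : 1;`. I would add above the function: `/* Returns 0 if key is not in options.revoked_keys_file, 1 if it is. Any error (unreadable/malformed file, allocation failure) also returns 1 so a broken RevokedKeys file fails closed. */`. The old code stated this intent inline (`/* Error opening revoked_keys_file: refuse all keys */`) and the rewrite drops it. The MD5 hex fingerprint is computed only for the log messages, so a short comment that it plays no part in the revocation decision would also help; whether sshkey_check_revoked handles both KRL and plain key-list files, as the old code did explicitly, is not visible from this hunk.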