diff options
Diffstat (limited to 'authfile.c')
| -rw-r--r-- | authfile.c | 59 |
1 files changed, 37 insertions, 22 deletions
diff --git a/authfile.c b/authfile.c index a18509a50..9ab90e3c8 100644 --- a/authfile.c +++ b/authfile.c | |||
| @@ -679,22 +679,10 @@ key_load_public(const char *filename, char **commentp) | |||
| 679 | return NULL; | 679 | return NULL; |
| 680 | } | 680 | } |
| 681 | 681 | ||
| 682 | char * | 682 | /* Scan a blacklist of known-vulnerable keys in blacklist_file. */ |
| 683 | blacklist_filename(const Key *key) | 683 | static int |
| 684 | { | 684 | blacklisted_key_in_file(const Key *key, const char *blacklist_file) |
| 685 | char *name; | ||
| 686 | |||
| 687 | xasprintf(&name, "%s.%s-%u", | ||
| 688 | _PATH_BLACKLIST, key_type(key), key_size(key)); | ||
| 689 | return name; | ||
| 690 | } | ||
| 691 | |||
| 692 | /* Scan a blacklist of known-vulnerable keys. */ | ||
| 693 | int | ||
| 694 | blacklisted_key(const Key *key) | ||
| 695 | { | 685 | { |
| 696 | Key *public; | ||
| 697 | char *blacklist_file; | ||
| 698 | int fd = -1; | 686 | int fd = -1; |
| 699 | char *dgst_hex = NULL; | 687 | char *dgst_hex = NULL; |
| 700 | char *dgst_packed = NULL, *p; | 688 | char *dgst_packed = NULL, *p; |
| @@ -705,17 +693,14 @@ blacklisted_key(const Key *key) | |||
| 705 | off_t start, lower, upper; | 693 | off_t start, lower, upper; |
| 706 | int ret = 0; | 694 | int ret = 0; |
| 707 | 695 | ||
| 708 | public = key_demote(key); | ||
| 709 | if (public->type == KEY_RSA1) | ||
| 710 | public->type = KEY_RSA; | ||
| 711 | |||
| 712 | blacklist_file = blacklist_filename(public); | ||
| 713 | debug("Checking blacklist file %s", blacklist_file); | 696 | debug("Checking blacklist file %s", blacklist_file); |
| 714 | fd = open(blacklist_file, O_RDONLY); | 697 | fd = open(blacklist_file, O_RDONLY); |
| 715 | if (fd < 0) | 698 | if (fd < 0) { |
| 699 | ret = -1; | ||
| 716 | goto out; | 700 | goto out; |
| 701 | } | ||
| 717 | 702 | ||
| 718 | dgst_hex = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX); | 703 | dgst_hex = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); |
| 719 | /* Remove all colons */ | 704 | /* Remove all colons */ |
| 720 | dgst_packed = xcalloc(1, strlen(dgst_hex) + 1); | 705 | dgst_packed = xcalloc(1, strlen(dgst_hex) + 1); |
| 721 | for (i = 0, p = dgst_packed; dgst_hex[i]; i++) | 706 | for (i = 0, p = dgst_packed; dgst_hex[i]; i++) |
| @@ -790,7 +775,37 @@ out: | |||
| 790 | xfree(dgst_hex); | 775 | xfree(dgst_hex); |
| 791 | if (fd >= 0) | 776 | if (fd >= 0) |
| 792 | close(fd); | 777 | close(fd); |
| 778 | return ret; | ||
| 779 | } | ||
| 780 | |||
| 781 | /* Scan blacklists of known-vulnerable keys. */ | ||
| 782 | int | ||
| 783 | blacklisted_key(const Key *key) | ||
| 784 | { | ||
| 785 | Key *public; | ||
| 786 | char *blacklist_file; | ||
| 787 | int ret, ret2; | ||
| 788 | |||
| 789 | public = key_demote(key); | ||
| 790 | if (public->type == KEY_RSA1) | ||
| 791 | public->type = KEY_RSA; | ||
| 792 | |||
| 793 | xasprintf(&blacklist_file, "%s.%s-%u", | ||
| 794 | _PATH_BLACKLIST, key_type(public), key_size(public)); | ||
| 795 | ret = blacklisted_key_in_file(public, blacklist_file); | ||
| 793 | xfree(blacklist_file); | 796 | xfree(blacklist_file); |
| 797 | if (ret > 0) { | ||
| 798 | key_free(public); | ||
| 799 | return ret; | ||
| 800 | } | ||
| 801 | |||
| 802 | xasprintf(&blacklist_file, "%s.%s-%u", | ||
| 803 | _PATH_BLACKLIST_CONFIG, key_type(public), key_size(public)); | ||
| 804 | ret2 = blacklisted_key_in_file(public, blacklist_file); | ||
| 805 | xfree(blacklist_file); | ||
| 806 | if (ret2 > ret) | ||
| 807 | ret = ret2; | ||
| 808 | |||
| 794 | key_free(public); | 809 | key_free(public); |
| 795 | return ret; | 810 | return ret; |
| 796 | } | 811 | } |