version 1.106, 2014/07/15 15:54:14 |
version 1.107, 2014/12/04 02:24:32 |
|
|
#endif |
#endif |
#include "authfile.h" |
#include "authfile.h" |
#include "monitor_wrap.h" |
#include "monitor_wrap.h" |
#include "krl.h" |
#include "authfile.h" |
|
#include "ssherr.h" |
#include "compat.h" |
#include "compat.h" |
|
|
/* import */ |
/* import */ |
|
|
int |
int |
auth_key_is_revoked(Key *key) |
auth_key_is_revoked(Key *key) |
{ |
{ |
#ifdef WITH_OPENSSL |
char *fp = NULL; |
char *key_fp; |
int r; |
|
|
if (options.revoked_keys_file == NULL) |
if (options.revoked_keys_file == NULL) |
return 0; |
return 0; |
switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) { |
if ((fp = sshkey_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX)) == NULL) { |
|
r = SSH_ERR_ALLOC_FAIL; |
|
error("%s: fingerprint key: %s", __func__, ssh_err(r)); |
|
goto out; |
|
} |
|
|
|
r = sshkey_check_revoked(key, options.revoked_keys_file); |
|
switch (r) { |
case 0: |
case 0: |
return 0; /* Not revoked */ |
break; /* not revoked */ |
case -2: |
case SSH_ERR_KEY_REVOKED: |
break; /* Not a KRL */ |
error("Authentication key %s %s revoked by file %s", |
|
sshkey_type(key), fp, options.revoked_keys_file); |
|
goto out; |
default: |
default: |
goto revoked; |
error("Error checking authentication key %s %s in " |
|
"revoked keys file %s: %s", sshkey_type(key), fp, |
|
options.revoked_keys_file, ssh_err(r)); |
|
goto out; |
} |
} |
#endif |
|
debug3("%s: treating %s as a key list", __func__, |
/* Success */ |
options.revoked_keys_file); |
r = 0; |
switch (key_in_file(key, options.revoked_keys_file, 0)) { |
|
case 0: |
out: |
/* key not revoked */ |
free(fp); |
return 0; |
return r == 0 ? 0 : 1; |
case -1: |
|
/* Error opening revoked_keys_file: refuse all keys */ |
|
error("Revoked keys file is unreadable: refusing public key " |
|
"authentication"); |
|
return 1; |
|
#ifdef WITH_OPENSSL |
|
case 1: |
|
revoked: |
|
/* Key revoked */ |
|
key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); |
|
error("WARNING: authentication attempt with a revoked " |
|
"%s key %s ", key_type(key), key_fp); |
|
free(key_fp); |
|
return 1; |
|
#endif |
|
} |
|
fatal("key_in_file returned junk"); |
|
} |
} |
|
|
void |
void |