Attachment #1951 for bug #1402

View | Details | Raw Unified | Return to bug 1402 | Differences between

and this patch

Lines 316-321 audit_session_close(struct logininfo *li Link Here

(-)openssh-5.6p1/audit-bsm.c.audit2 (+6 lines)
316	/* not implemented */	316	/* not implemented */
317	}	317	}
318		318
		319	int
		320	audit_keyusage(int host_user, const char type, unsigned len, char fp, int rv)
		321	{
		322	/* not implemented */
		323	}
		324
319	void	325	void
320	audit_event(ssh_audit_event_t event)	326	audit_event(ssh_audit_event_t event)
321	{	327	{




	return(event_lookup[i].name);
}

int
audit_key(int type, int *rv, const Key *key)
{
	char *fp;
	unsigned size = 0;
	const char *crypto_name[] = {
		"ssh-rsa1",
		"ssh-rsa",
		"ssh-dsa",
		"unknown" };

	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
	switch(key->type) {
		case KEY_RSA1:
		case KEY_RSA:
			size = RSA_size(key->rsa);
			break;
		case KEY_DSA:
			size = DSA_size(key->dsa);
			break;
	}

	if (audit_keyusage(0, crypto_name[key->type], size, fp, *rv) == 0)
		*rv = 0;
	xfree(fp);
}

# ifndef CUSTOM_SSH_AUDIT_EVENTS
/*
 * Null implementations of audit functions.

	debug("audit run command euid %d user %s command '%.200s'", geteuid(),
	    audit_username(), command);
}

/*
 * This will be called when user is successfully autherized by the RSA1/RSA/DSA key.
 *
 * Type is the key type, len is the key length(byte) and fp is the fingerprint of the key.
 */
int
audit_keyusage(int host_user, const char *type, unsigned len, char *fp, int rv)
{
	debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d", 
		host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, len, fp, rv);
}
# endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */

Lines 28-33 Link Here

(-)openssh-5.6p1/audit.h.audit2 (+3 lines)
28	# define _SSH_AUDIT_H	28	# define _SSH_AUDIT_H
29		29
30	#include "loginrec.h"	30	#include "loginrec.h"
		31	#include "key.h"
31		32
32	enum ssh_audit_event_type {	33	enum ssh_audit_event_type {
33	SSH_LOGIN_EXCEED_MAXTRIES,	34	SSH_LOGIN_EXCEED_MAXTRIES,
Lines 53-57 void audit_session_open(struct logininfo Link Here
53	void audit_session_close(struct logininfo *);	54	void audit_session_close(struct logininfo *);
54	void audit_run_command(const char *);	55	void audit_run_command(const char *);
55	ssh_audit_event_t audit_classify_auth(const char *);	56	ssh_audit_event_t audit_classify_auth(const char *);
		57	int audit_keyusage(int, const char , unsigned, char , int);
		58	int audit_key(int, int , const Key );
56		59
57	#endif /* _SSH_AUDIT_H */	60	#endif /* _SSH_AUDIT_H */

Lines 37-42 Link Here

(-)openssh-5.6p1/audit-linux.c.audit2 (+32 lines)
37	#include "audit.h"	37	#include "audit.h"
38	#include "canohost.h"	38	#include "canohost.h"
39		39
		40	#define AUDIT_LOG_SIZE 128
		41
40	const char* audit_username(void);	42	const char* audit_username(void);
41		43
42	int	44	int
Lines 62-67 linux_audit_record_event(int uid, const Link Here
62	return (rc >= 0);	64	return (rc >= 0);
63	}	65	}
64		66
		67	int
		68	audit_keyusage(int host_user, const char type, unsigned len, char fp, int rv)
		69	{
		70	char buf[AUDIT_LOG_SIZE];
		71	int audit_fd, rc, saved_errno;
		72
		73	audit_fd = audit_open();
		74	if (audit_fd < 0) {
		75	if (errno == EINVAL \|\| errno == EPROTONOSUPPORT \|\|
		76	errno == EAFNOSUPPORT)
		77	return 1; /* No audit support in kernel */
		78	else
		79	return 0; /* Must prevent login */
		80	}
		81	snprintf(buf, sizeof(buf), "%s_auth rport=%d", host_user ? "hostbased" : "pubkey", get_remote_port());
		82	rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
		83	buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
		84	if (rc < 0)
		85	goto out;
		86	snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s rport=%d",
		87	type, 8 * len, fp, get_remote_port());
		88	rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
		89	buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
		90	out:
		91	saved_errno = errno;
		92	audit_close(audit_fd);
		93	errno = saved_errno;
		94	return (rc >= 0);
		95	}
		96
65	/* Below is the sshd audit API code */	97	/* Below is the sshd audit API code */
66		98
67	void	99	void




	return authenticated;
}

int
hostkey_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
{
	int rv;

	rv = key_verify(key, sig, slen, data, datalen);
#ifdef SSH_AUDIT_EVENTS
	audit_key(0, &rv, key);
#endif
	return rv;
}

/* return 1 if given hostkey is allowed */
int
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,




	return authenticated;
}

int
pubkey_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
{
	int rv;

	rv = key_verify(key, sig, slen, data, datalen);
#ifdef SSH_AUDIT_EVENTS
	audit_key(1, &rv, key);
#endif
	return rv;
}

static int
match_principals_option(const char *principal_list, struct KeyCert *cert)
{

Lines 170-175 void abandon_challenge_response(Authctxt Link Here

(-)openssh-5.6p1/auth.h.audit2 (+2 lines)
170	char authorized_keys_file(struct passwd );	170	char authorized_keys_file(struct passwd );
171	char authorized_keys_file2(struct passwd );	171	char authorized_keys_file2(struct passwd );
172	char authorized_principals_file(struct passwd );	172	char authorized_principals_file(struct passwd );
		173	int pubkey_key_verify(const Key , const u_char , u_int, const u_char *, u_int);
173		174
174	FILE auth_openkeyfile(const char , struct passwd *, int);	175	FILE auth_openkeyfile(const char , struct passwd *, int);
175	FILE auth_openprincipals(const char , struct passwd *, int);	176	FILE auth_openprincipals(const char , struct passwd *, int);
Lines 185-190 Key *get_hostkey_public_by_type(int); Link Here
185	Key *get_hostkey_private_by_type(int);	186	Key *get_hostkey_private_by_type(int);
186	int get_hostkey_index(Key *);	187	int get_hostkey_index(Key *);
187	int ssh1_session_key(BIGNUM *);	188	int ssh1_session_key(BIGNUM *);
		189	int hostkey_key_verify(const Key , const u_char , u_int, const u_char *, u_int);
188		190
189	/* debug messages during authentication */	191	/* debug messages during authentication */
190	void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));	192	void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));

Lines 92-98 auth_rsa_verify_response(Key *key, BIGNU Link Here

(-)openssh-5.6p1/auth-rsa.c.audit2 (-6 / +15 lines)
92	{	92	{
93	u_char buf[32], mdbuf[16];	93	u_char buf[32], mdbuf[16];
94	MD5_CTX md;	94	MD5_CTX md;
95	int len;	95	int len, rv;
		96	#ifdef SSH_AUDIT_EVENTS
		97	char *fp;
		98	#endif
96		99
97	if (auth_key_is_revoked(key))	100	if (auth_key_is_revoked(key))
98	return 0;	101	return 0;
Lines 116-127 auth_rsa_verify_response(Key *key, BIGNU Link Here
116	MD5_Final(mdbuf, &md);	119	MD5_Final(mdbuf, &md);
117		120
118	/* Verify that the response is the original challenge. */	121	/* Verify that the response is the original challenge. */
119	if (timingsafe_bcmp(response, mdbuf, 16) != 0) {	122	rv = timingsafe_bcmp(response, mdbuf, 16) == 0;
120	/* Wrong answer. */	123
121	return (0);	124	#ifdef SSH_AUDIT_EVENTS
		125	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
		126	if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa), fp, rv) == 0) {
		127	debug("unsuccessful audit");
		128	rv = 0;
122	}	129	}
123	/* Correct answer. */	130	xfree(fp);
124	return (1);	131	#endif
		132
		133	return rv;
125	}	134	}
126		135
127	/*	136	/*




	if (!valid_data)
		fatal("%s: bad signature data blob", __func__);

	switch (key_blobtype) {
	case MM_USERKEY:
		verified = pubkey_key_verify(key, signature, signaturelen, data, datalen);
		break;
	case MM_HOSTKEY:
		verified = hostkey_key_verify(key, signature, signaturelen, data, datalen);
		valid_data = monitor_valid_hostbasedblob(data, datalen,
		    hostbased_cuser, hostbased_chost);
		break;
	default:
		verified = 0;
		break;
	}
	debug3("%s: key %p signature %s",
	    __func__, key, (verified == 1) ? "verified" : "unverified");


Return to bug 1402

Lines 136-141 done: Link Here

(-)openssh-5.6p1/auth2-hostbased.c.audit2 (+12 lines)
136	return authenticated;	136	return authenticated;
137	}	137	}
138		138
		139	int
		140	hostkey_key_verify(const Key key, const u_char sig, u_int slen, const u_char *data, u_int datalen)
		141	{
		142	int rv;
		143
		144	rv = key_verify(key, sig, slen, data, datalen);
		145	#ifdef SSH_AUDIT_EVENTS
		146	audit_key(0, &rv, key);
		147	#endif
		148	return rv;
		149	}
		150
139	/* return 1 if given hostkey is allowed */	151	/* return 1 if given hostkey is allowed */
140	int	152	int
141	hostbased_key_allowed(struct passwd pw, const char cuser, char *chost,	153	hostbased_key_allowed(struct passwd pw, const char cuser, char *chost,

Lines 1235-1241 mm_answer_keyverify(int sock, Buffer *m) Link Here

(-)openssh-5.6p1/monitor.c.audit2 (-1 / +13 lines)
1235	if (!valid_data)	1235	if (!valid_data)
1236	fatal("%s: bad signature data blob", __func__);	1236	fatal("%s: bad signature data blob", __func__);
1237		1237
1238	verified = key_verify(key, signature, signaturelen, data, datalen);	1238	switch (key_blobtype) {
		1239	case MM_USERKEY:
		1240	verified = pubkey_key_verify(key, signature, signaturelen, data, datalen);
		1241	break;
		1242	case MM_HOSTKEY:
		1243	verified = hostkey_key_verify(key, signature, signaturelen, data, datalen);
		1244	valid_data = monitor_valid_hostbasedblob(data, datalen,
		1245	hostbased_cuser, hostbased_chost);
		1246	break;
		1247	default:
		1248	verified = 0;
		1249	break;
		1250	}
1239	debug3("%s: key %p signature %s",	1251	debug3("%s: key %p signature %s",
1240	__func__, key, (verified == 1) ? "verified" : "unverified");	1252	__func__, key, (verified == 1) ? "verified" : "unverified");
1241		1253

Lines 111-116 audit_event_lookup(ssh_audit_event_t ev) Link Here

(-)openssh-5.6p1/audit.c.audit2 (+39 lines)
111	return(event_lookup[i].name);	111	return(event_lookup[i].name);
112	}	112	}
113		113
		114	int
		115	audit_key(int type, int rv, const Key key)
		116	{
		117	char *fp;
		118	unsigned size = 0;
		119	const char *crypto_name[] = {
		120	"ssh-rsa1",
		121	"ssh-rsa",
		122	"ssh-dsa",
		123	"unknown" };
		124
		125	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
		126	switch(key->type) {
		127	case KEY_RSA1:
		128	case KEY_RSA:
		129	size = RSA_size(key->rsa);
		130	break;
		131	case KEY_DSA:
		132	size = DSA_size(key->dsa);
		133	break;
		134	}
		135
		136	if (audit_keyusage(0, crypto_name[key->type], size, fp, *rv) == 0)
		137	*rv = 0;
		138	xfree(fp);
		139	}
		140
114	# ifndef CUSTOM_SSH_AUDIT_EVENTS	141	# ifndef CUSTOM_SSH_AUDIT_EVENTS
115	/*	142	/*
116	* Null implementations of audit functions.	143	* Null implementations of audit functions.
Lines 182-186 audit_run_command(const char *command) Link Here
182	debug("audit run command euid %d user %s command '%.200s'", geteuid(),	209	debug("audit run command euid %d user %s command '%.200s'", geteuid(),
183	audit_username(), command);	210	audit_username(), command);
184	}	211	}
		212
		213	/*
		214	* This will be called when user is successfully autherized by the RSA1/RSA/DSA key.
		215	*
		216	* Type is the key type, len is the key length(byte) and fp is the fingerprint of the key.
		217	*/
		218	int
		219	audit_keyusage(int host_user, const char type, unsigned len, char fp, int rv)
		220	{
		221	debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d",
		222	host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, len, fp, rv);
		223	}
185	# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */	224	# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
186	#endif /* SSH_AUDIT_EVENTS */	225	#endif /* SSH_AUDIT_EVENTS */

Lines 177-182 done: Link Here

(-)openssh-5.6p1/auth2-pubkey.c.audit2 (+12 lines)
177	return authenticated;	177	return authenticated;
178	}	178	}
179		179
		180	int
		181	pubkey_key_verify(const Key key, const u_char sig, u_int slen, const u_char *data, u_int datalen)
		182	{
		183	int rv;
		184
		185	rv = key_verify(key, sig, slen, data, datalen);
		186	#ifdef SSH_AUDIT_EVENTS
		187	audit_key(1, &rv, key);
		188	#endif
		189	return rv;
		190	}
		191
180	static int	192	static int
181	match_principals_option(const char principal_list, struct KeyCert cert)	193	match_principals_option(const char principal_list, struct KeyCert cert)
182	{	194	{