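--- a/openssh-5.8p1/audit-bsm.c
+++ b/openssh-5.8p1/audit-bsm.c
@@ -396,4 +396,16 @@ audit_event(ssh_audit_event_t event)
 		debug("%s: unhandled event %d", __func__, event);
 	}
 }
+
+void
+audit_unsupported_body(int what)
+{
+	/* not implemented */
+}
+
+void
+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid, uid_t uid)
+{
+	/* not implemented */
+}
 #endif /* BSM */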
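Review bot: audit_unsupported_body and audit_kex_body are empty, so on BSM builds a failed or completed algorithm negotiation produces no audit record at all, and the `/* not implemented */` comment does not say whether that is a deliberate gap or a TODO. A one-line comment on each stub such as `/* not implemented: negotiation outcome is not audited on BSM; audit-linux.c has the reference implementation */` would make the intent clear to the next porter. The parameters are unused, which -Wunused-parameter will flag; naming them is still useful as documentation of the contract.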
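--- a/openssh-5.8p1/audit.c
+++ b/openssh-5.8p1/audit.c
@@ -28,6 +28,7 @@
 
 #include <stdarg.h>
 #include <string.h>
+#include <unistd.h>
 
 #ifdef SSH_AUDIT_EVENTS
 
@@ -36,6 +37,8 @@
 #include "key.h"
 #include "hostfile.h"
 #include "auth.h"
+#include "ssh-gss.h"
+#include "monitor_wrap.h"
 #include "xmalloc.h"
 
 /*
@@ -128,6 +131,18 @@ audit_key(int host_user, int *rv, const
 	xfree(fp);
 }
 
+void
+audit_unsupported(int what)
+{
+	PRIVSEP(audit_unsupported_body(what));
+}
+
+void
+audit_kex(int ctos, char *enc, char *mac, char *comp)
+{
+	PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
+}
+
 # ifndef CUSTOM_SSH_AUDIT_EVENTS
 /*
  * Null implementations of audit functions.
@@ -238,5 +253,26 @@ audit_keyusage(int host_user, const char
 		host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), type, bits,
 		key_fingerprint_prefix(), fp, rv);
 }
+
+/*
+ * This will be called when the protocol negotiation fails.
+ */
+void
+audit_unsupported_body(int what)
+{
+	debug("audit unsupported protocol euid %d type %d", geteuid(), what);
+}
+
+/*
+ * This will be called on succesfull protocol negotiation.
+ */
+void
+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
+	       uid_t uid)
+{
+	debug("audit protocol negotiation euid %d direction %d cipher %s mac %s compresion %s from pid %ld uid %u",
+		(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
+	        (unsigned)uid);
+}
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */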
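Review bot: In audit_unsupported_body the first `%d` receives geteuid(), a uid_t, while audit_kex_body right below casts the same value to `(unsigned)` for a `%u` conversion; the two should agree, e.g. `debug("audit unsupported protocol euid %u type %d", (unsigned)geteuid(), what);`. The debug text in audit_kex_body and the comment above it carry typos that will appear in logs verbatim (`compresion`, `succesfull`). audit_kex forwards getpid()/getuid() of the calling process through PRIVSEP, so the spid/suid fields in the resulting record describe the unprivileged child rather than the monitor; a comment at that call saying so would avoid surprises when the records are read.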
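--- a/openssh-5.8p1/audit.h
+++ b/openssh-5.8p1/audit.h
@@ -58,5 +58,9 @@ void audit_end_command(int, const char
 ssh_audit_event_t audit_classify_auth(const char *);
 int	audit_keyusage(int, const char *, unsigned, char *, int);
 void	audit_key(int, int *, const Key *);
+void	audit_unsupported(int);
+void	audit_kex(int, char *, char *, char *);
+void	audit_unsupported_body(int);
+void	audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
 
 #endif /* _SSH_AUDIT_H */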
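Review bot: The `int` argument of audit_unsupported/audit_unsupported_body is an index into a three-entry table in audit-linux.c, but nothing in this header says so, and kex.c passes the literals 0, 1 and 2. Declaring the values here, e.g. `enum { AUDIT_UNSUPPORTED_CIPHER, AUDIT_UNSUPPORTED_MAC, AUDIT_UNSUPPORTED_COMP };` with a comment that they index that table, ties the callers and the implementations together and gives the bodies a bound to check against; the direction argument of audit_kex (0, 1, 2 in the callers) deserves the same. The three `char *` parameters of audit_kex/audit_kex_body are never written through and could be `const char *` where the helpers they are passed to accept it.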
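--- a/openssh-5.8p1/audit-linux.c
+++ b/openssh-5.8p1/audit-linux.c
@@ -40,6 +40,8 @@
 #include "auth.h"
 #include "servconf.h"
 #include "canohost.h"
+#include "packet.h"
+#include "cipher.h"
 
 #define AUDIT_LOG_SIZE 128
 
@@ -269,4 +271,56 @@ audit_event(ssh_audit_event_t event)
 	}
 }
 
+void
+audit_unsupported_body(int what)
+{
+#ifdef AUDIT_CRYPTO_SESSION
+	char buf[AUDIT_LOG_SIZE];
+	const static char *name[] = { "cipher", "mac", "comp" };
+	int audit_fd;
+
+	snprintf(buf, sizeof(buf), "op=unsupported-%s direction=? cipher=? ksize=? rport=%d laddr=%s lport=%d ",
+		name[what], get_remote_port(), get_local_ipaddr(packet_get_connection_in()),
+		get_local_port());
+	audit_fd = audit_open();
+	if (audit_fd < 0)
+		/* no problem, the next instruction will be fatal() */
+		return;
+	audit_log_user_message(audit_fd, AUDIT_CRYPTO_SESSION,
+			buf, NULL, get_remote_ipaddr(), NULL, 0);
+	audit_close(audit_fd);
+#endif
+}
+
+void
+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
+	       uid_t uid)
+{
+#ifdef AUDIT_CRYPTO_SESSION
+	char buf[AUDIT_LOG_SIZE];
+	int audit_fd, audit_ok;
+	const static char *direction[] = { "from-server", "from-client", "both" };
+	Cipher *cipher = cipher_by_name(enc);
+
+	snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d spid=%jd suid=%jd rport=%d laddr=%s lport=%d ",
+		direction[ctos], enc, cipher ? 8 * cipher->key_len : 0,
+		(intmax_t)pid, (intmax_t)uid,
+		get_remote_port(), get_local_ipaddr(packet_get_connection_in()), get_local_port());
+	audit_fd = audit_open();
+	if (audit_fd < 0) {
+		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+					 errno == EAFNOSUPPORT)
+			return; /* No audit support in kernel */
+		else
+			fatal("cannot open audit"); /* Must prevent login */
+	}
+	audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_SESSION,
+			buf, NULL, get_remote_ipaddr(), NULL, 1);
+	audit_close(audit_fd);
+	/* do not abort if the error is EPERM and sshd is run as non root user */
+	if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
+		fatal("cannot write into audit"); /* Must prevent login */
+#endif
+}
+
 #endif /* USE_LINUX_AUDIT */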
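Review bot: `name[what]` in audit_unsupported_body and `direction[ctos]` in audit_kex_body index three-entry tables with no range check, and both integers reach this code from the unprivileged child through mm_answer_audit_unsupported_body / mm_answer_audit_kex_body in monitor.c, so an out-of-range value in a monitor request makes the privileged process read past the table. Guard each before the snprintf, e.g. `if (what < 0 || what > 2) fatal("%s: bad type %d", __func__, what);` and the equivalent for `ctos`. The snprintf return values are not checked, so a long laddr (an IPv6 address) can silently truncate the record inside AUDIT_LOG_SIZE; checking the result or enlarging the buffer keeps the record complete. `const static char *name[]` reads better as `static const char *const name[]`, and the bare `else` line in audit_kex_body carries trailing whitespace.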
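--- /dev/null
+++ b/openssh-5.8p1/auditstub.c
@@ -0,0 +1,39 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+
+/*
+ * Copyright 2010 Red Hat, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
+ */
+
+void
+audit_unsupported(int n)
+{
+}
+
+void
+audit_kex(int ctos, char *enc, char *mac, char *comp)
+{
+}
+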
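Review bot: This stub is compiled into libssh unconditionally (Makefile.in adds auditstub.o to LIBSSH_OBJS) while audit.c defines the same audit_unsupported/audit_kex under SSH_AUDIT_EVENTS for sshd, so which definition is used appears to rely on the archive member only being pulled in for symbols still undefined at link time; a `#ifndef SSH_AUDIT_EVENTS` guard around the stubs, or a comment stating that the link order is relied upon, would make that explicit. The file includes nothing, so the signatures are not checked against the prototypes; `#include "audit.h"` would catch drift such as the parameter being named `n` here and `what` everywhere else. A file comment saying this exists so that ssh and the other libssh clients link without the audit code would also help.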
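--- a/openssh-5.8p1/cipher.c
+++ b/openssh-5.8p1/cipher.c
@@ -59,15 +59,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX
 extern const EVP_CIPHER *evp_aes_128_ctr(void);
 extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
 
-struct Cipher {
-	char	*name;
-	int	number;		/* for ssh1 only */
-	u_int	block_size;
-	u_int	key_len;
-	u_int	discard_len;
-	u_int	cbc_mode;
-	const EVP_CIPHER	*(*evptype)(void);
-} ciphers[] = {
+struct Cipher ciphers[] = {
 	{ "none",		SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },
 	{ "des",		SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc },
 	{ "3des",		SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },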
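Review bot: struct Cipher is moved out of cipher.c into cipher.h only so that audit_kex_body in audit-linux.c can read `key_len`; cipher.c already exports accessors for the fields (cipher_keylen() in this tree, as far as I can tell), so `cipher ? 8 * cipher_keylen(cipher) : 0` on the audit side would keep the struct private and make this hunk and the cipher.h hunk unnecessary. If the struct does have to become public, the fields should get a short doc comment in the header (what `discard_len` and `cbc_mode` mean, that `number` is ssh1-only), since external code can now depend on them.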
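--- a/openssh-5.8p1/cipher.h
+++ b/openssh-5.8p1/cipher.h
@@ -61,7 +61,16 @@
 typedef struct Cipher Cipher;
 typedef struct CipherContext CipherContext;
 
-struct Cipher;
+struct Cipher {
+	char	*name;
+	int	number;		/* for ssh1 only */
+	u_int	block_size;
+	u_int	key_len;
+	u_int	discard_len;
+	u_int	cbc_mode;
+	const EVP_CIPHER	*(*evptype)(void);
+};
+
 struct CipherContext {
 	int	plaintext;
 	EVP_CIPHER_CTX evp;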
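--- a/openssh-5.8p1/kex.c
+++ b/openssh-5.8p1/kex.c
@@ -49,6 +49,7 @@
 #include "dispatch.h"
 #include "monitor.h"
 #include "roaming.h"
+#include "audit.h"
 
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 # if defined(HAVE_EVP_SHA256)
@@ -286,9 +287,13 @@ static void
 choose_enc(Enc *enc, char *client, char *server)
 {
 	char *name = match_list(client, server, NULL);
-	if (name == NULL)
+	if (name == NULL) {
+#ifdef SSH_AUDIT_EVENTS
+		audit_unsupported(0);
+#endif
 		fatal("no matching cipher found: client %s server %s",
 		    client, server);
+	}
 	if ((enc->cipher = cipher_by_name(name)) == NULL)
 		fatal("matching cipher is not supported: %s", name);
 	enc->name = name;
@@ -303,9 +308,13 @@ static void
 choose_mac(Mac *mac, char *client, char *server)
 {
 	char *name = match_list(client, server, NULL);
-	if (name == NULL)
+	if (name == NULL) {
+#ifdef SSH_AUDIT_EVENTS
+		audit_unsupported(1);
+#endif
 		fatal("no matching mac found: client %s server %s",
 		    client, server);
+	}
 	if (mac_setup(mac, name) < 0)
 		fatal("unsupported mac %s", name);
 	/* truncate the key */
@@ -320,8 +329,12 @@ static void
 choose_comp(Comp *comp, char *client, char *server)
 {
 	char *name = match_list(client, server, NULL);
-	if (name == NULL)
+	if (name == NULL) {
+#ifdef SSH_AUDIT_EVENTS
+		audit_unsupported(2);
+#endif
 		fatal("no matching comp found: client %s server %s", client, server);
+	}
 	if (strcmp(name, "zlib@openssh.com") == 0) {
 		comp->type = COMP_DELAYED;
 	} else if (strcmp(name, "zlib") == 0) {
@@ -446,6 +459,9 @@ kex_choose_conf(Kex *kex)
 		    newkeys->enc.name,
 		    newkeys->mac.name,
 		    newkeys->comp.name);
+#ifdef SSH_AUDIT_EVENTS
+		audit_kex(ctos, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name);
+#endif
 	}
 	choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
 	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],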
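Review bot: The literals in `audit_unsupported(0)`, `audit_unsupported(1)` and `audit_unsupported(2)` in choose_enc, choose_mac and choose_comp are positions in the name[] table of audit-linux.c, and nothing at the call sites says which is which; named constants declared next to the prototype in audit.h would keep the three call sites and the table in step, and the same applies to the direction value that kex_choose_conf and sshd.c pass to audit_kex. A one-line comment on the first of the three blocks, e.g. `/* record the failed negotiation before fatal() drops the connection */`, would explain why the audit call has to precede fatal(). kex.c is linked into ssh as well as sshd, so it is worth a comment that the client side resolves these calls to the no-op stubs in auditstub.c. choose_enc, choose_mac, choose_comp and kex_choose_conf all continue outside their hunks.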
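--- a/openssh-5.8p1/Makefile.in
+++ b/openssh-5.8p1/Makefile.in
@@ -76,7 +76,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
 	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \
-	schnorr.o ssh-pkcs11.o
+	schnorr.o ssh-pkcs11.o auditstub.o
 
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect1.o sshconnect2.o mux.o \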
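--- a/openssh-5.8p1/monitor.c
+++ b/openssh-5.8p1/monitor.c
@@ -89,6 +89,7 @@
 #include "ssh2.h"
 #include "jpake.h"
 #include "roaming.h"
+#include "audit.h"
 
 #ifdef GSSAPI
 static Gssctxt *gsscontext = NULL;
@@ -178,6 +179,8 @@ int mm_answer_gss_checkmic(int, Buffer *
 int mm_answer_audit_event(int, Buffer *);
 int mm_answer_audit_command(int, Buffer *);
 int mm_answer_audit_end_command(int, Buffer *);
+int mm_answer_audit_unsupported_body(int, Buffer *);
+int mm_answer_audit_kex_body(int, Buffer *);
 #endif
 
 static Authctxt *authctxt;
@@ -226,6 +229,8 @@ struct mon_table mon_dispatch_proto20[]
 #endif
 #ifdef SSH_AUDIT_EVENTS
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
+    {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
+    {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
 #endif
 #ifdef BSD_AUTH
     {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -263,6 +268,8 @@ struct mon_table mon_dispatch_postauth20
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
     {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
     {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
+    {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
+    {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
 #endif
     {0, 0, NULL}
 };
@@ -294,6 +301,8 @@ struct mon_table mon_dispatch_proto15[]
 #endif
 #ifdef SSH_AUDIT_EVENTS
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
+    {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
+    {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
 #endif
     {0, 0, NULL}
 };
@@ -306,6 +315,8 @@ struct mon_table mon_dispatch_postauth15
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
     {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
     {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
+    {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
+    {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
 #endif
     {0, 0, NULL}
 };
@@ -2252,3 +2263,44 @@ mm_answer_jpake_check_confirm(int sock,
 }
 
 #endif /* JPAKE */
+
+#ifdef SSH_AUDIT_EVENTS
+int
+mm_answer_audit_unsupported_body(int sock, Buffer *m)
+{
+	int what;
+
+	what = buffer_get_int(m);
+
+	audit_unsupported_body(what);
+
+	buffer_clear(m);
+
+	mm_request_send(sock, MONITOR_ANS_AUDIT_UNSUPPORTED, m);
+	return 0;
+}
+
+int
+mm_answer_audit_kex_body(int sock, Buffer *m)
+{
+	int ctos, len;
+	char *cipher, *mac, *compress;
+	pid_t pid;
+	uid_t uid;
+
+	ctos = buffer_get_int(m);
+	cipher = buffer_get_string(m, &len);
+	mac = buffer_get_string(m, &len);
+	compress = buffer_get_string(m, &len);
+	pid = buffer_get_int64(m);
+	uid = buffer_get_int64(m);
+
+	audit_kex_body(ctos, cipher, mac, compress, pid, uid);
+
+	buffer_clear(m);
+
+	mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m);
+	return 0;
+}
+
+#endif /* SSH_AUDIT_EVENTS */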
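Review bot: mm_answer_audit_kex_body never frees `cipher`, `mac` and `compress`, which buffer_get_string() allocates, so every key exchange and re-key leaks three strings in the long-lived monitor; add `xfree(cipher); xfree(mac); xfree(compress);` after the audit_kex_body() call (discarding the `len` results is fine as long as only the NUL-terminated copies are used). The pid and uid written into the audit record are whatever the unprivileged child put in the request; the monitor already knows which child it is talking to, so taking them from its own state rather than the message would stop a compromised child from mislabelling its own records. The two handlers are registered with MON_PERMIT in the pre-auth tables as well, which the kex path requires, but a comment saying so would keep a later tightening from breaking it.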
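--- a/openssh-5.8p1/monitor.h
+++ b/openssh-5.8p1/monitor.h
@@ -67,6 +67,8 @@ enum monitor_reqtype {
 	MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
 	MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
 	MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
+	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
+	MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
 };
 
 struct mm_master;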
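--- a/openssh-5.8p1/monitor_wrap.c
+++ b/openssh-5.8p1/monitor_wrap.c
@@ -1447,3 +1447,41 @@ mm_jpake_check_confirm(const BIGNUM *k,
 	return success;
 }
 #endif /* JPAKE */
+
+#ifdef SSH_AUDIT_EVENTS
+void
+mm_audit_unsupported_body(int what)
+{
+	Buffer m;
+
+	buffer_init(&m);
+	buffer_put_int(&m, what);
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, &m);
+	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_UNSUPPORTED,
+				  &m);
+
+	buffer_free(&m);
+}
+
+void
+mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, pid_t pid,
+		  uid_t uid)
+{
+	Buffer m;
+
+	buffer_init(&m);
+	buffer_put_int(&m, ctos);
+	buffer_put_cstring(&m, cipher);
+	buffer_put_cstring(&m, mac);
+	buffer_put_cstring(&m, compress);
+	buffer_put_int64(&m, pid);
+	buffer_put_int64(&m, uid);
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, &m);
+	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
+				  &m);
+
+	buffer_free(&m);
+}
+#endif /* SSH_AUDIT_EVENTS */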
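--- a/openssh-5.8p1/monitor_wrap.h
+++ b/openssh-5.8p1/monitor_wrap.h
@@ -76,6 +76,8 @@ void mm_sshpam_free_ctx(void *);
 void mm_audit_event(ssh_audit_event_t);
 int mm_audit_run_command(const char *);
 void mm_audit_end_command(int, const char *);
+void mm_audit_unsupported_body(int);
+void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
 #endif
 
 struct Session;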
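--- a/openssh-5.8p1/sshd.c
+++ b/openssh-5.8p1/sshd.c
@@ -118,6 +118,7 @@
 #endif
 #include "monitor_wrap.h"
 #include "roaming.h"
+#include "audit.h"
 #include "version.h"
 
 #ifdef LIBWRAP
@@ -2182,6 +2183,10 @@ do_ssh1_kex(void)
 		if (cookie[i] != packet_get_char())
 			packet_disconnect("IP Spoofing check bytes do not match.");
 
+#ifdef SSH_AUDIT_EVENTS
+	audit_kex(2, cipher_name(cipher_type), "crc", "none");
+#endif
+
 	debug("Encryption type: %.200s", cipher_name(cipher_type));
 
 	/* Get the encrypted integer. */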
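Review bot: `audit_kex(2, cipher_name(cipher_type), "crc", "none")` in do_ssh1_kex hard-codes the direction index 2 ("both" in the audit-linux.c table) and reports `"crc"` as the MAC and `"none"` as compression with no explanation; a comment such as `/* SSHv1: one cipher for both directions, integrity is the packet CRC, no compression negotiated at this point */` would tell a reader of the audit log why these values differ from the SSHv2 records. If SSHv1 compression can still be switched on later in the session, the record will not reflect it, which is worth stating as well. do_ssh1_kex continues outside the hunk.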
