Attachment #2088 for bug #1402

View | Details | Raw Unified | Return to bug 1402 | Differences between

and this patch

Lines 71-77 LIBSSH_OBJS=acss.o authfd.o authfile.o b Link Here

(-)openssh-5.9p1/Makefile.in.audit3 (-1 / +1 lines)
71	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \	71	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
72	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \	72	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
73	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \	73	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \
74	schnorr.o ssh-pkcs11.o	74	schnorr.o ssh-pkcs11.o auditstub.o
75		75
76	SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \	76	SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
77	sshconnect.o sshconnect1.o sshconnect2.o mux.o \	77	sshconnect.o sshconnect1.o sshconnect2.o mux.o \




		debug("%s: unhandled event %d", __func__, event);
	}
}

void
audit_unsupported_body(int what)
{
	/* not implemented */
}

void
audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid, uid_t uid)
{
	/* not implemented */
}
#endif /* BSM */

Lines 40-45 Link Here

(-)openssh-5.9p1/audit-linux.c.audit3 (+58 lines)
40	#include "auth.h"	40	#include "auth.h"
41	#include "servconf.h"	41	#include "servconf.h"
42	#include "canohost.h"	42	#include "canohost.h"
		43	#include "packet.h"
		44	#include "cipher.h"
43		45
44	#define AUDIT_LOG_SIZE 128	46	#define AUDIT_LOG_SIZE 128
45		47
Lines 269-272 audit_event(ssh_audit_event_t event) Link Here
269	}	271	}
270	}	272	}
271		273
		274	void
		275	audit_unsupported_body(int what)
		276	{
		277	#ifdef AUDIT_CRYPTO_SESSION
		278	char buf[AUDIT_LOG_SIZE];
		279	const static char *name[] = { "cipher", "mac", "comp" };
		280	char *s;
		281	int audit_fd;
		282
		283	snprintf(buf, sizeof(buf), "op=unsupported-%s direction=? cipher=? ksize=? rport=%d laddr=%s lport=%d ",
		284	name[what], get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())),
		285	get_local_port());
		286	xfree(s);
		287	audit_fd = audit_open();
		288	if (audit_fd < 0)
		289	/* no problem, the next instruction will be fatal() */
		290	return;
		291	audit_log_user_message(audit_fd, AUDIT_CRYPTO_SESSION,
		292	buf, NULL, get_remote_ipaddr(), NULL, 0);
		293	audit_close(audit_fd);
		294	#endif
		295	}
		296
		297	void
		298	audit_kex_body(int ctos, char enc, char mac, char *compress, pid_t pid,
		299	uid_t uid)
		300	{
		301	#ifdef AUDIT_CRYPTO_SESSION
		302	char buf[AUDIT_LOG_SIZE];
		303	int audit_fd, audit_ok;
		304	const static char *direction[] = { "from-server", "from-client", "both" };
		305	Cipher *cipher = cipher_by_name(enc);
		306	char *s;
		307
		308	snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d spid=%jd suid=%jd rport=%d laddr=%s lport=%d ",
		309	direction[ctos], enc, cipher ? 8 * cipher->key_len : 0,
		310	(intmax_t)pid, (intmax_t)uid,
		311	get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())), get_local_port());
		312	xfree(s);
		313	audit_fd = audit_open();
		314	if (audit_fd < 0) {
		315	if (errno == EINVAL \|\| errno == EPROTONOSUPPORT \|\|
		316	errno == EAFNOSUPPORT)
		317	return; /* No audit support in kernel */
		318	else
		319	fatal("cannot open audit"); /* Must prevent login */
		320	}
		321	audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_SESSION,
		322	buf, NULL, get_remote_ipaddr(), NULL, 1);
		323	audit_close(audit_fd);
		324	/* do not abort if the error is EPERM and sshd is run as non root user */
		325	if ((audit_ok < 0) && ((audit_ok != -1) \|\| (getuid() == 0)))
		326	fatal("cannot write into audit"); /* Must prevent login */
		327	#endif
		328	}
		329
272	#endif /* USE_LINUX_AUDIT */	330	#endif /* USE_LINUX_AUDIT */

Lines 28-33 Link Here

(-)openssh-5.9p1/audit.c.audit3 (+36 lines)
28		28
29	#include <stdarg.h>	29	#include <stdarg.h>
30	#include <string.h>	30	#include <string.h>
		31	#include <unistd.h>
31		32
32	#ifdef SSH_AUDIT_EVENTS	33	#ifdef SSH_AUDIT_EVENTS
33		34
Lines 36-41 Link Here
36	#include "key.h"	37	#include "key.h"
37	#include "hostfile.h"	38	#include "hostfile.h"
38	#include "auth.h"	39	#include "auth.h"
		40	#include "ssh-gss.h"
		41	#include "monitor_wrap.h"
39	#include "xmalloc.h"	42	#include "xmalloc.h"
40		43
41	/*	44	/*
Lines 128-133 audit_key(int host_user, int *rv, const Link Here
128	xfree(fp);	131	xfree(fp);
129	}	132	}
130		133
		134	void
		135	audit_unsupported(int what)
		136	{
		137	PRIVSEP(audit_unsupported_body(what));
		138	}
		139
		140	void
		141	audit_kex(int ctos, char enc, char mac, char *comp)
		142	{
		143	PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
		144	}
		145
131	# ifndef CUSTOM_SSH_AUDIT_EVENTS	146	# ifndef CUSTOM_SSH_AUDIT_EVENTS
132	/*	147	/*
133	* Null implementations of audit functions.	148	* Null implementations of audit functions.
Lines 238-242 audit_keyusage(int host_user, const char Link Here
238	host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), type, bits,	253	host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), type, bits,
239	key_fingerprint_prefix(), fp, rv);	254	key_fingerprint_prefix(), fp, rv);
240	}	255	}
		256
		257	/*
		258	* This will be called when the protocol negotiation fails.
		259	*/
		260	void
		261	audit_unsupported_body(int what)
		262	{
		263	debug("audit unsupported protocol euid %d type %d", geteuid(), what);
		264	}
		265
		266	/*
		267	* This will be called on succesfull protocol negotiation.
		268	*/
		269	void
		270	audit_kex_body(int ctos, char enc, char mac, char *compress, pid_t pid,
		271	uid_t uid)
		272	{
		273	debug("audit protocol negotiation euid %d direction %d cipher %s mac %s compresion %s from pid %ld uid %u",
		274	(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
		275	(unsigned)uid);
		276	}
241	# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */	277	# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
242	#endif /* SSH_AUDIT_EVENTS */	278	#endif /* SSH_AUDIT_EVENTS */

Lines 58-62 void audit_end_command(int, const char Link Here

(-)openssh-5.9p1/audit.h.audit3 (+4 lines)
58	ssh_audit_event_t audit_classify_auth(const char *);	58	ssh_audit_event_t audit_classify_auth(const char *);
59	int audit_keyusage(int, const char , unsigned, char , int);	59	int audit_keyusage(int, const char , unsigned, char , int);
60	void audit_key(int, int , const Key );	60	void audit_key(int, int , const Key );
		61	void audit_unsupported(int);
		62	void audit_kex(int, char , char , char *);
		63	void audit_unsupported_body(int);
		64	void audit_kex_body(int, char , char , char *, pid_t, uid_t);
61		65
62	#endif /* _SSH_AUDIT_H */	66	#endif /* _SSH_AUDIT_H */




/* $Id: auditstub.c,v 1.1 jfch Exp $ */

/*
 * Copyright 2010 Red Hat, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
 */

void
audit_unsupported(int n)
{
}

void
audit_kex(int ctos, char *enc, char *mac, char *comp)
{
}





extern const EVP_CIPHER *evp_aes_128_ctr(void);
extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);

struct Cipher ciphers[] = {
	char	*name;
	int	number;		/* for ssh1 only */
	u_int	block_size;
	u_int	key_len;
	u_int	discard_len;
	u_int	cbc_mode;
	const EVP_CIPHER	*(*evptype)(void);
} ciphers[] = {
	{ "none",		SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },
	{ "des",		SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc },
	{ "3des",		SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },




typedef struct Cipher Cipher;
typedef struct CipherContext CipherContext;

struct Cipher {
	char	*name;
	int	number;		/* for ssh1 only */
	u_int	block_size;
	u_int	key_len;
	u_int	discard_len;
	u_int	cbc_mode;
	const EVP_CIPHER	*(*evptype)(void);
};

struct CipherContext {
	int	plaintext;
	EVP_CIPHER_CTX evp;

Lines 49-54 Link Here

(-)openssh-5.9p1/kex.c.audit3 (-3 / +19 lines)
49	#include "dispatch.h"	49	#include "dispatch.h"
50	#include "monitor.h"	50	#include "monitor.h"
51	#include "roaming.h"	51	#include "roaming.h"
		52	#include "audit.h"
52		53
53	#if OPENSSL_VERSION_NUMBER >= 0x00907000L	54	#if OPENSSL_VERSION_NUMBER >= 0x00907000L
54	# if defined(HAVE_EVP_SHA256)	55	# if defined(HAVE_EVP_SHA256)
Lines 286-294 static void Link Here
286	choose_enc(Enc enc, char client, char *server)	287	choose_enc(Enc enc, char client, char *server)
287	{	288	{
288	char *name = match_list(client, server, NULL);	289	char *name = match_list(client, server, NULL);
289	if (name == NULL)	290	if (name == NULL) {
		291	#ifdef SSH_AUDIT_EVENTS
		292	audit_unsupported(0);
		293	#endif
290	fatal("no matching cipher found: client %s server %s",	294	fatal("no matching cipher found: client %s server %s",
291	client, server);	295	client, server);
		296	}
292	if ((enc->cipher = cipher_by_name(name)) == NULL)	297	if ((enc->cipher = cipher_by_name(name)) == NULL)
293	fatal("matching cipher is not supported: %s", name);	298	fatal("matching cipher is not supported: %s", name);
294	enc->name = name;	299	enc->name = name;
Lines 303-311 static void Link Here
303	choose_mac(Mac mac, char client, char *server)	308	choose_mac(Mac mac, char client, char *server)
304	{	309	{
305	char *name = match_list(client, server, NULL);	310	char *name = match_list(client, server, NULL);
306	if (name == NULL)	311	if (name == NULL) {
		312	#ifdef SSH_AUDIT_EVENTS
		313	audit_unsupported(1);
		314	#endif
307	fatal("no matching mac found: client %s server %s",	315	fatal("no matching mac found: client %s server %s",
308	client, server);	316	client, server);
		317	}
309	if (mac_setup(mac, name) < 0)	318	if (mac_setup(mac, name) < 0)
310	fatal("unsupported mac %s", name);	319	fatal("unsupported mac %s", name);
311	/* truncate the key */	320	/* truncate the key */
Lines 320-327 static void Link Here
320	choose_comp(Comp comp, char client, char *server)	329	choose_comp(Comp comp, char client, char *server)
321	{	330	{
322	char *name = match_list(client, server, NULL);	331	char *name = match_list(client, server, NULL);
323	if (name == NULL)	332	if (name == NULL) {
		333	#ifdef SSH_AUDIT_EVENTS
		334	audit_unsupported(2);
		335	#endif
324	fatal("no matching comp found: client %s server %s", client, server);	336	fatal("no matching comp found: client %s server %s", client, server);
		337	}
325	if (strcmp(name, "zlib@openssh.com") == 0) {	338	if (strcmp(name, "zlib@openssh.com") == 0) {
326	comp->type = COMP_DELAYED;	339	comp->type = COMP_DELAYED;
327	} else if (strcmp(name, "zlib") == 0) {	340	} else if (strcmp(name, "zlib") == 0) {
Lines 446-451 kex_choose_conf(Kex *kex) Link Here
446	newkeys->enc.name,	459	newkeys->enc.name,
447	newkeys->mac.name,	460	newkeys->mac.name,
448	newkeys->comp.name);	461	newkeys->comp.name);
		462	#ifdef SSH_AUDIT_EVENTS
		463	audit_kex(ctos, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name);
		464	#endif
449	}	465	}
450	choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);	466	choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
451	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],	467	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],

Lines 97-102 Link Here

(-)openssh-5.9p1/monitor.c.audit3 (+55 lines)
97	#include "ssh2.h"	97	#include "ssh2.h"
98	#include "jpake.h"	98	#include "jpake.h"
99	#include "roaming.h"	99	#include "roaming.h"
		100	#include "audit.h"
100		101
101	#ifdef GSSAPI	102	#ifdef GSSAPI
102	static Gssctxt *gsscontext = NULL;	103	static Gssctxt *gsscontext = NULL;
Lines 187-192 int mm_answer_gss_checkmic(int, Buffer * Link Here
187	int mm_answer_audit_event(int, Buffer *);	188	int mm_answer_audit_event(int, Buffer *);
188	int mm_answer_audit_command(int, Buffer *);	189	int mm_answer_audit_command(int, Buffer *);
189	int mm_answer_audit_end_command(int, Buffer *);	190	int mm_answer_audit_end_command(int, Buffer *);
		191	int mm_answer_audit_unsupported_body(int, Buffer *);
		192	int mm_answer_audit_kex_body(int, Buffer *);
190	#endif	193	#endif
191		194
192	static int monitor_read_log(struct monitor *);	195	static int monitor_read_log(struct monitor *);
Lines 237-242 struct mon_table mon_dispatch_proto20[] Link Here
237	#endif	240	#endif
238	#ifdef SSH_AUDIT_EVENTS	241	#ifdef SSH_AUDIT_EVENTS
239	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},	242	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
		243	{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
		244	{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
240	#endif	245	#endif
241	#ifdef BSD_AUTH	246	#ifdef BSD_AUTH
242	{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},	247	{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
Lines 275-280 struct mon_table mon_dispatch_postauth20 Link Here
275	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},	280	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
276	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},	281	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
277	{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},	282	{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
		283	{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
		284	{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
278	#endif	285	#endif
279	{0, 0, NULL}	286	{0, 0, NULL}
280	};	287	};
Lines 306-311 struct mon_table mon_dispatch_proto15[] Link Here
306	#endif	313	#endif
307	#ifdef SSH_AUDIT_EVENTS	314	#ifdef SSH_AUDIT_EVENTS
308	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},	315	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
		316	{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
		317	{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
309	#endif	318	#endif
310	{0, 0, NULL}	319	{0, 0, NULL}
311	};	320	};
Lines 318-323 struct mon_table mon_dispatch_postauth15 Link Here
318	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},	327	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
319	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT\|MON_ONCE, mm_answer_audit_command},	328	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT\|MON_ONCE, mm_answer_audit_command},
320	{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},	329	{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
		330	{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
		331	{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
321	#endif	332	#endif
322	{0, 0, NULL}	333	{0, 0, NULL}
323	};	334	};
Lines 2383-2385 mm_answer_jpake_check_confirm(int sock, Link Here
2383	}	2394	}
2384		2395
2385	#endif /* JPAKE */	2396	#endif /* JPAKE */
		2397
		2398	#ifdef SSH_AUDIT_EVENTS
		2399	int
		2400	mm_answer_audit_unsupported_body(int sock, Buffer *m)
		2401	{
		2402	int what;
		2403
		2404	what = buffer_get_int(m);
		2405
		2406	audit_unsupported_body(what);
		2407
		2408	buffer_clear(m);
		2409
		2410	mm_request_send(sock, MONITOR_ANS_AUDIT_UNSUPPORTED, m);
		2411	return 0;
		2412	}
		2413
		2414	int
		2415	mm_answer_audit_kex_body(int sock, Buffer *m)
		2416	{
		2417	int ctos, len;
		2418	char cipher, mac, *compress;
		2419	pid_t pid;
		2420	uid_t uid;
		2421
		2422	ctos = buffer_get_int(m);
		2423	cipher = buffer_get_string(m, &len);
		2424	mac = buffer_get_string(m, &len);
		2425	compress = buffer_get_string(m, &len);
		2426	pid = buffer_get_int64(m);
		2427	uid = buffer_get_int64(m);
		2428
		2429	audit_kex_body(ctos, cipher, mac, compress, pid, uid);
		2430
		2431	xfree(cipher);
		2432	xfree(mac);
		2433	xfree(compress);
		2434	buffer_clear(m);
		2435
		2436	mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m);
		2437	return 0;
		2438	}
		2439
		2440	#endif /* SSH_AUDIT_EVENTS */

Lines 61-66 enum monitor_reqtype { Link Here

(-)openssh-5.9p1/monitor.h.audit3 (+2 lines)
61	MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,	61	MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
62	MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,	62	MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
63	MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,	63	MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,
		64	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
		65	MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
64	MONITOR_REQ_TERM,	66	MONITOR_REQ_TERM,
65	MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,	67	MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
66	MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,	68	MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,




	return success;
}
#endif /* JPAKE */

#ifdef SSH_AUDIT_EVENTS
void
mm_audit_unsupported_body(int what)
{
	Buffer m;

	buffer_init(&m);
	buffer_put_int(&m, what);

	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, &m);
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_UNSUPPORTED,
				  &m);

	buffer_free(&m);
}

void
mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, pid_t pid,
		  uid_t uid)
{
	Buffer m;

	buffer_init(&m);
	buffer_put_int(&m, ctos);
	buffer_put_cstring(&m, cipher);
	buffer_put_cstring(&m, mac);
	buffer_put_cstring(&m, compress);
	buffer_put_int64(&m, pid);
	buffer_put_int64(&m, uid);

	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, &m);
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
				  &m);

	buffer_free(&m);
}
#endif /* SSH_AUDIT_EVENTS */

Lines 78-83 void mm_sshpam_free_ctx(void *); Link Here

(-)openssh-5.9p1/monitor_wrap.h.audit3 (+2 lines)
78	void mm_audit_event(ssh_audit_event_t);	78	void mm_audit_event(ssh_audit_event_t);
79	int mm_audit_run_command(const char *);	79	int mm_audit_run_command(const char *);
80	void mm_audit_end_command(int, const char *);	80	void mm_audit_end_command(int, const char *);
		81	void mm_audit_unsupported_body(int);
		82	void mm_audit_kex_body(int, char , char , char *, pid_t, uid_t);
81	#endif	83	#endif
82		84
83	struct Session;	85	struct Session;

Lines 118-123 Link Here

(-)openssh-5.9p1/sshd.c.audit3 (+5 lines)
118	#endif	118	#endif
119	#include "monitor_wrap.h"	119	#include "monitor_wrap.h"
120	#include "roaming.h"	120	#include "roaming.h"
		121	#include "audit.h"
121	#include "ssh-sandbox.h"	122	#include "ssh-sandbox.h"
122	#include "version.h"	123	#include "version.h"
123		124
Lines 2209-2214 do_ssh1_kex(void) Link Here
2209	if (cookie[i] != packet_get_char())	2210	if (cookie[i] != packet_get_char())
2210	packet_disconnect("IP Spoofing check bytes do not match.");	2211	packet_disconnect("IP Spoofing check bytes do not match.");
2211		2212
		2213	#ifdef SSH_AUDIT_EVENTS
		2214	audit_kex(2, cipher_name(cipher_type), "crc", "none");
		2215	#endif
		2216
2212	debug("Encryption type: %.200s", cipher_name(cipher_type));	2217	debug("Encryption type: %.200s", cipher_name(cipher_type));
2213		2218
2214	/* Get the encrypted integer. */	2219	/* Get the encrypted integer. */

Return to bug 1402

Lines 1505-1507 mm_jpake_check_confirm(const BIGNUM *k, Link Here

(-)openssh-5.9p1/monitor_wrap.c.audit3 (+38 lines)
1505	return success;	1505	return success;
1506	}	1506	}
1507	#endif /* JPAKE */	1507	#endif /* JPAKE */
		1508
		1509	#ifdef SSH_AUDIT_EVENTS
		1510	void
		1511	mm_audit_unsupported_body(int what)
		1512	{
		1513	Buffer m;
		1514
		1515	buffer_init(&m);
		1516	buffer_put_int(&m, what);
		1517
		1518	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, &m);
		1519	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_UNSUPPORTED,
		1520	&m);
		1521
		1522	buffer_free(&m);
		1523	}
		1524
		1525	void
		1526	mm_audit_kex_body(int ctos, char cipher, char mac, char *compress, pid_t pid,
		1527	uid_t uid)
		1528	{
		1529	Buffer m;
		1530
		1531	buffer_init(&m);
		1532	buffer_put_int(&m, ctos);
		1533	buffer_put_cstring(&m, cipher);
		1534	buffer_put_cstring(&m, mac);
		1535	buffer_put_cstring(&m, compress);
		1536	buffer_put_int64(&m, pid);
		1537	buffer_put_int64(&m, uid);
		1538
		1539	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, &m);
		1540	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
		1541	&m);
		1542
		1543	buffer_free(&m);
		1544	}
		1545	#endif /* SSH_AUDIT_EVENTS */

Lines 396-399 audit_event(ssh_audit_event_t event) Link Here

(-)openssh-5.9p1/audit-bsm.c.audit3 (+12 lines)
396	debug("%s: unhandled event %d", __func__, event);	396	debug("%s: unhandled event %d", __func__, event);
397	}	397	}
398	}	398	}
		399
		400	void
		401	audit_unsupported_body(int what)
		402	{
		403	/* not implemented */
		404	}
		405
		406	void
		407	audit_kex_body(int ctos, char enc, char mac, char *compress, pid_t pid, uid_t uid)
		408	{
		409	/* not implemented */
		410	}
399	#endif /* BSM */	411	#endif /* BSM */

Line 0 Link Here

(-)openssh-5.9p1/auditstub.c.audit3 (+39 lines)
	1	/* $Id: auditstub.c,v 1.1 jfch Exp $ */
	2
	3	/*
	4	* Copyright 2010 Red Hat, Inc. All rights reserved.
	5	* Use is subject to license terms.
	6	*
	7	* Redistribution and use in source and binary forms, with or without
	8	* modification, are permitted provided that the following conditions
	9	* are met:
	10	* 1. Redistributions of source code must retain the above copyright
	11	* notice, this list of conditions and the following disclaimer.
	12	* 2. Redistributions in binary form must reproduce the above copyright
	13	* notice, this list of conditions and the following disclaimer in the
	14	* documentation and/or other materials provided with the distribution.
	15	*
	16	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	17	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	18	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	19	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	20	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	21	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	22	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	23	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	24	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	25	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	26	*
	27	* Red Hat author: Jan F. Chadima <jchadima@redhat.com>
	28	*/
	29
	30	void
	31	audit_unsupported(int n)
	32	{
	33	}
	34
	35	void
	36	audit_kex(int ctos, char enc, char mac, char *comp)
	37	{
	38	}
	39

Lines 60-74 extern void ssh1_3des_iv(EVP_CIPHER_CTX Link Here

(-)openssh-5.9p1/cipher.c.audit3 (-9 / +1 lines)
60	extern const EVP_CIPHER *evp_aes_128_ctr(void);	60	extern const EVP_CIPHER *evp_aes_128_ctr(void);
61	extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX , int, u_char , u_int);	61	extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX , int, u_char , u_int);
62		62
63	struct Cipher {	63	struct Cipher ciphers[] = {
64	char *name;
65	int number; /* for ssh1 only */
66	u_int block_size;
67	u_int key_len;
68	u_int discard_len;
69	u_int cbc_mode;
70	const EVP_CIPHER (evptype)(void);
71	} ciphers[] = {
72	{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },	64	{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },
73	{ "des", SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc },	65	{ "des", SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc },
74	{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },	66	{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },

Lines 61-67 Link Here

(-)openssh-5.9p1/cipher.h.audit3 (-1 / +10 lines)
61	typedef struct Cipher Cipher;	61	typedef struct Cipher Cipher;
62	typedef struct CipherContext CipherContext;	62	typedef struct CipherContext CipherContext;
63		63
64	struct Cipher;	64	struct Cipher {
		65	char *name;
		66	int number; /* for ssh1 only */
		67	u_int block_size;
		68	u_int key_len;
		69	u_int discard_len;
		70	u_int cbc_mode;
		71	const EVP_CIPHER (evptype)(void);
		72	};
		73
65	struct CipherContext {	74	struct CipherContext {
66	int plaintext;	75	int plaintext;
67	EVP_CIPHER_CTX evp;	76	EVP_CIPHER_CTX evp;