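--- a/openssh-5.6p1/audit-bsm.c.audit3
+++ b/openssh-5.6p1/audit-bsm.c.audit3
@@ -383,4 +383,16 @@ audit_event(ssh_audit_event_t event)
 		debug("%s: unhandled event %d", __func__, event);
 	}
 }
+
+void
+audit_unsupported_body(int what)
+{
+	/* not implemented */
+}
+
+void
+audit_kex_body(int ctos, char *enc, char *mac, char *compress)
+{
+	/* not implemented */
+}
 #endif /* BSM */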
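Review bot: Both BSM bodies are empty, so on a BSM build a failed algorithm negotiation and a completed key exchange leave no trace at all, whereas the generic fallback in audit.c at least emits a debug() line. Replace `/* not implemented */` with a comment stating that these events are dropped on BSM, and add something like `debug3("%s: not implemented for BSM", __func__);` so the gap is visible to anyone who relies on these records.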
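--- a/openssh-5.6p1/audit.c.audit3
+++ b/openssh-5.6p1/audit.c.audit3
@@ -36,6 +36,8 @@
 #include "key.h"
 #include "hostfile.h"
 #include "auth.h"
+#include "ssh-gss.h"
+#include "monitor_wrap.h"
 
 /*
  * Care must be taken when using this since it WILL NOT be initialized when
@@ -111,6 +113,18 @@ audit_event_lookup(ssh_audit_event_t ev)
 	return(event_lookup[i].name);
 }
 
+void
+audit_unsupported(int what)
+{
+	PRIVSEP(audit_unsupported_body(what));
+}
+
+void
+audit_kex(int ctos, char *enc, char *mac, char *comp)
+{
+	PRIVSEP(audit_kex_body(ctos, enc, mac, comp));
+}
+
 # ifndef CUSTOM_SSH_AUDIT_EVENTS
 /*
  * Null implementations of audit functions.
@@ -194,5 +208,24 @@ audit_keyusage(const char *type, unsigne
 	debug("audit key usage euid %d user %s key type %s key length %d fingerprint %s, result %d", geteuid(),
 	    audit_username(), type, len, fp, rv);
 }
+
+/*
+ * This will be called when the protocol negotiation fails.
+ */
+void
+audit_unsupported_body(int what)
+{
+	debug("audit unsupported protocol ieuid %d type %d", geteuid(), what);
+}
+
+/*
+ * This will be called on succesfull protocol negotiation.
+ */
+void
+audit_kex_body(int ctos, char *enc, char *mac, char *compress)
+{
+	debug("audit procol negotiation euid %d direction %d cipher %s mac %s compresion %s",
+		geteuid(), ctos, enc, mac, compress);
+}
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */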
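Review bot: The debug strings in the two null implementations are misspelled (`ieuid`, `procol`, `compresion`) and the comment above audit_kex_body says `succesfull`; these lines are what an operator searches for when no audit backend is compiled in, so they should read `audit unsupported protocol euid %d type %d` and `audit protocol negotiation euid %d direction %d cipher %s mac %s compression %s`. The new wrappers audit_unsupported and audit_kex also carry no comment on their integer arguments. Going by the tables in audit-linux.c, a one-line comment such as `/* what: 0 = cipher, 1 = mac, 2 = comp; ctos: 0 = from-server, 1 = from-client, 2 = both */` would document the contract every backend depends on.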
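--- a/openssh-5.6p1/audit.h.audit3
+++ b/openssh-5.6p1/audit.h.audit3
@@ -54,5 +54,9 @@ void audit_session_close(struct logininf
 void	audit_run_command(const char *);
 ssh_audit_event_t audit_classify_auth(const char *);
 int	audit_keyusage(const char *, unsigned, char *, int);
+void	audit_unsupported(int);
+void	audit_kex(int, char *, char *, char *);
+void	audit_unsupported_body(int);
+void	audit_kex_body(int, char *, char *, char *);
 
 #endif /* _SSH_AUDIT_H */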
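--- a/openssh-5.6p1/audit-linux.c.audit3
+++ b/openssh-5.6p1/audit-linux.c.audit3
@@ -36,6 +36,8 @@
 #include "log.h"
 #include "audit.h"
 #include "canohost.h"
+#include "packet.h"
+#include "cipher.h"
 
 #define AUDIT_LOG_SIZE 128
 
@@ -149,4 +150,53 @@ audit_event(ssh_audit_event_t event)
 	}
 }
 
+void
+audit_unsupported_body(int what)
+{
+#ifdef AUDIT_CRYPTO_SESSION
+	char buf[AUDIT_LOG_SIZE];
+	const static char *name[] = { "cipher", "mac", "comp" };
+	int audit_fd, audit_ok;
+
+	snprintf(buf, sizeof(buf), "unsupported-%s direction=? cipher=? ksize=? rport=%d laddr=%s lport=%d",
+		name[what], get_remote_port(), get_local_ipaddr(packet_get_connection_in()),
+		get_local_port());
+	audit_fd = audit_open();
+	if (audit_fd < 0)
+		/* no problem, the next instruction will be fatal() */
+		return;
+	audit_ok = audit_log_acct_message(audit_fd, AUDIT_CRYPTO_SESSION, NULL,
+			buf, NULL, -1, NULL, get_remote_ipaddr(), NULL, 0);
+	audit_close(audit_fd);
+#endif
+}
+
+void
+audit_kex_body(int ctos, char *enc, char *mac, char *compress)
+{
+#ifdef AUDIT_CRYPTO_SESSION
+	char buf[AUDIT_LOG_SIZE];
+	int audit_fd, audit_ok;
+	const static char *direction[] = { "from-server", "from-client", "both" };
+	Cipher *cipher = cipher_by_name(enc);
+
+	snprintf(buf, sizeof(buf), "start direction=%s cipher=%s, ksize=%d rport=%d laddr=%s lport=%d",
+		direction[ctos], enc, cipher ? 8 * cipher->key_len : 0,
+		get_remote_port(), get_local_ipaddr(packet_get_connection_in()), get_local_port());
+	audit_fd = audit_open();
+	if (audit_fd < 0) {
+		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+					 errno == EAFNOSUPPORT)
+			return; /* No audit support in kernel */
+		else                                                                                                                                       
+			fatal("cannot open audit"); /* Must prevent login */
+	}
+	audit_ok = audit_log_acct_message(audit_fd, AUDIT_CRYPTO_SESSION, NULL,
+			buf, NULL, -1, NULL, get_remote_ipaddr(), NULL, 1);
+	audit_close(audit_fd);
+	if (audit_ok < 0)
+		fatal("cannot write into audit"); /* Must prevent login */
+#endif
+}
+
 #endif /* USE_LINUX_AUDIT */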
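Review bot: `name[what]` in audit_unsupported_body and `direction[ctos]` in audit_kex_body index three-element tables with an int that is never range-checked, and under privilege separation that int is read from the monitor message by `buffer_get_int(m)` in monitor.c, so the privileged side should reject anything outside 0..2 before indexing, e.g. `if (what < 0 || what > 2) fatal("%s: bad type %d", __func__, what);` and the same for `ctos`. The `enc` string is formatted into the record with `%s` as received; refusing to log a name for which `cipher_by_name(enc)` returned NULL would keep the key=value fields of the record unambiguous. audit_unsupported_body assigns `audit_ok` and never reads it, so a failed write of the unsupported-algorithm record goes unnoticed, unlike in audit_kex_body. Neither function checks the snprintf return value, so the 128-byte `buf` can truncate a record silently.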
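--- a/openssh-5.6p1/auditstub.c.audit3
+++ b/openssh-5.6p1/auditstub.c.audit3
@@ -0,0 +1,39 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+
+/*
+ * Copyright 2010 Red Hat, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
+ */
+
+void
+audit_unsupported(int n)
+{
+}
+
+void
+audit_kex(int ctos, char *enc, char *mac, char *comp)
+{
+}
+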
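Review bot: auditstub.c defines audit_unsupported and audit_kex without including the header that declares them, so a later change to the prototypes in audit.h would still compile here and the mismatch would go undetected by the compiler; add `#include "audit.h"` together with whatever includes that header needs. The file also has no comment explaining why it exists. It is added to LIBSSH_OBJS in Makefile.in, presumably so that programs linking kex.o without audit.o still resolve these symbols while sshd takes the real definitions from audit.c, and that reliance on link order deserves a sentence in the header comment. The empty bodies would read better with `/* intentionally empty: no audit outside sshd */`.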
(-)openssh-5.6p1/cipher.c.audit3 (-9 / +1 lines)
Lines 59-73 extern void ssh1_3des_iv(EVP_CIPHER_CTX Link Here
59
extern const EVP_CIPHER *evp_aes_128_ctr(void);
59
extern const EVP_CIPHER *evp_aes_128_ctr(void);
60
extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
60
extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
61
61
62
struct Cipher {
62
struct Cipher ciphers[] = {
63
	char	*name;
64
	int	number;		/* for ssh1 only */
65
	u_int	block_size;
66
	u_int	key_len;
67
	u_int	discard_len;
68
	u_int	cbc_mode;
69
	const EVP_CIPHER	*(*evptype)(void);
70
} ciphers[] = {
71
	{ "none",		SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },
63
	{ "none",		SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },
72
	{ "des",		SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc },
64
	{ "des",		SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc },
73
	{ "3des",		SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
65
	{ "3des",		SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
(-)openssh-5.6p1/cipher.h.audit3 (-1 / +10 lines)
Lines 61-67 Link Here
61
typedef struct Cipher Cipher;
61
typedef struct Cipher Cipher;
62
typedef struct CipherContext CipherContext;
62
typedef struct CipherContext CipherContext;
63
63
64
struct Cipher;
64
struct Cipher {
65
	char	*name;
66
	int	number;		/* for ssh1 only */
67
	u_int	block_size;
68
	u_int	key_len;
69
	u_int	discard_len;
70
	u_int	cbc_mode;
71
	const EVP_CIPHER	*(*evptype)(void);
72
};
73
65
struct CipherContext {
74
struct CipherContext {
66
	int	plaintext;
75
	int	plaintext;
67
	EVP_CIPHER_CTX evp;
76
	EVP_CIPHER_CTX evp;
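Review bot: Moving the full `struct Cipher` definition from cipher.c into cipher.h exposes every field to all includers, and the only new use visible in this patch is `cipher->key_len` in audit-linux.c. OpenSSH's cipher API already provides `cipher_keylen()`, so the audit code could compute `cipher ? 8 * cipher_keylen(cipher) : 0` and the struct could stay private to cipher.c, which would make both the cipher.c and cipher.h sections of this patch unnecessary. If the move is kept, the header should at least carry a comment that the fields are read-only for code outside cipher.c. The CipherContext definition continues past the end of this hunk.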
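--- a/openssh-5.6p1/kex.c.audit3
+++ b/openssh-5.6p1/kex.c.audit3
@@ -49,6 +49,7 @@
 #include "dispatch.h"
 #include "monitor.h"
 #include "roaming.h"
+#include "audit.h"
 
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 # if defined(HAVE_EVP_SHA256)
@@ -258,9 +259,13 @@ static void
 choose_enc(Enc *enc, char *client, char *server)
 {
 	char *name = match_list(client, server, NULL);
-	if (name == NULL)
+	if (name == NULL) {
+#ifdef SSH_AUDIT_EVENTS
+		audit_unsupported(0);
+#endif
 		fatal("no matching cipher found: client %s server %s",
 		    client, server);
+	}
 	if ((enc->cipher = cipher_by_name(name)) == NULL)
 		fatal("matching cipher is not supported: %s", name);
 	enc->name = name;
@@ -275,9 +280,13 @@ static void
 choose_mac(Mac *mac, char *client, char *server)
 {
 	char *name = match_list(client, server, NULL);
-	if (name == NULL)
+	if (name == NULL) {
+#ifdef SSH_AUDIT_EVENTS
+		audit_unsupported(1);
+#endif
 		fatal("no matching mac found: client %s server %s",
 		    client, server);
+	}
 	if (mac_setup(mac, name) < 0)
 		fatal("unsupported mac %s", name);
 	/* truncate the key */
@@ -292,8 +301,12 @@ static void
 choose_comp(Comp *comp, char *client, char *server)
 {
 	char *name = match_list(client, server, NULL);
-	if (name == NULL)
+	if (name == NULL) {
+#ifdef SSH_AUDIT_EVENTS
+		audit_unsupported(2);
+#endif
 		fatal("no matching comp found: client %s server %s", client, server);
+	}
 	if (strcmp(name, "zlib@openssh.com") == 0) {
 		comp->type = COMP_DELAYED;
 	} else if (strcmp(name, "zlib") == 0) {
@@ -414,6 +427,9 @@ kex_choose_conf(Kex *kex)
 		    newkeys->enc.name,
 		    newkeys->mac.name,
 		    newkeys->comp.name);
+#ifdef SSH_AUDIT_EVENTS
+		audit_kex(ctos, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name);
+#endif
 	}
 	choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
 	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],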
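Review bot: The calls `audit_unsupported(0)`, `audit_unsupported(1)` and `audit_unsupported(2)` in choose_enc, choose_mac and choose_comp pass bare integers whose meaning is fixed only by the order of the `name[]` table in audit-linux.c, so reordering either side silently mislabels the record. A small enum in audit.h shared by callers and backends (constant names left to the author) would tie the two together and give the backend an upper bound to check against. Only the failures detected in these three functions are audited; the cipher_by_name and mac_setup failure paths two lines further down still call fatal() without an audit record, which looks like an omission. All four functions continue outside their hunks.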
(-)openssh-5.6p1/Makefile.in.audit3 (-1 / +1 lines)
Lines 74-80 LIBSSH_OBJS=acss.o authfd.o authfile.o b Link Here
74
	monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
74
	monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
75
	kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
75
	kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
76
	entropy.o gss-genr.o umac.o jpake.o schnorr.o \
76
	entropy.o gss-genr.o umac.o jpake.o schnorr.o \
77
	ssh-pkcs11.o
77
	ssh-pkcs11.o auditstub.o
78
78
79
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
79
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
80
	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
80
	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
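--- a/openssh-5.6p1/monitor.c.audit3
+++ b/openssh-5.6p1/monitor.c.audit3
@@ -89,6 +89,7 @@
 #include "ssh2.h"
 #include "jpake.h"
 #include "roaming.h"
+#include "audit.h"
 
 #ifdef GSSAPI
 static Gssctxt *gsscontext = NULL;
@@ -177,6 +178,8 @@ int mm_answer_gss_checkmic(int, Buffer *
 #ifdef SSH_AUDIT_EVENTS
 int mm_answer_audit_event(int, Buffer *);
 int mm_answer_audit_command(int, Buffer *);
+int mm_answer_audit_unsupported_body(int, Buffer *);
+int mm_answer_audit_kex_body(int, Buffer *);
 #endif
 
 static Authctxt *authctxt;
@@ -209,6 +212,8 @@ struct mon_table {
 #define MON_PERMIT	0x1000	/* Request is permitted */
 
 struct mon_table mon_dispatch_proto20[] = {
+    {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
+    {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
     {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
@@ -266,6 +271,8 @@ struct mon_table mon_dispatch_postauth20
 };
 
 struct mon_table mon_dispatch_proto15[] = {
+    {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
+    {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
     {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
@@ -2207,3 +2214,40 @@ mm_answer_jpake_check_confirm(int sock,
 }
 
 #endif /* JPAKE */
+
+#ifdef SSH_AUDIT_EVENTS
+int
+mm_answer_audit_unsupported_body(int sock, Buffer *m)
+{
+	int what;
+
+	what = buffer_get_int(m);
+
+	audit_unsupported_body(what);
+
+	buffer_clear(m);
+
+	mm_request_send(sock, MONITOR_ANS_AUDIT_UNSUPPORTED, m);
+	return 0;
+}
+
+int
+mm_answer_audit_kex_body(int sock, Buffer *m)
+{
+	int ctos, len;
+	char *cipher, *mac, *compress;
+
+	ctos = buffer_get_int(m);
+	cipher = buffer_get_string(m, &len);
+	mac = buffer_get_string(m, &len);
+	compress = buffer_get_string(m, &len);
+
+	audit_kex_body(ctos, cipher, mac, compress);
+
+	buffer_clear(m);
+
+	mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m);
+	return 0;
+}
+
+#endif /* SSH_AUDIT_EVENTS */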
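Review bot: mm_answer_audit_kex_body never releases the three strings returned by `buffer_get_string`, and both requests are registered with `MON_PERMIT` and no `MON_ONCE` in the pre-authentication tables, so every repeated request from the unprivileged side grows the monitor's heap and writes another audit record. Add `xfree(cipher); xfree(mac); xfree(compress);` after the audit_kex_body call, and validate `what` and `ctos` here, in the privileged process, before handing them to the backend. The visible hunks add the two requests only to mon_dispatch_proto20 and mon_dispatch_proto15; if the post-authentication tables are not extended elsewhere, a rekey after login would presumably send a request the monitor does not accept, which needs confirming. The new table entries are also not wrapped in `#ifdef SSH_AUDIT_EVENTS` within the hunks, although the handlers they name exist only under that macro. Both dispatch tables continue outside their hunks.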
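--- a/openssh-5.6p1/monitor.h.audit3
+++ b/openssh-5.6p1/monitor.h.audit3
@@ -66,6 +66,8 @@ enum monitor_reqtype {
 	MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
 	MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
 	MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
+	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
+	MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
 };
 
 struct mm_master;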
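--- a/openssh-5.6p1/monitor_wrap.c.audit3
+++ b/openssh-5.6p1/monitor_wrap.c.audit3
@@ -1411,3 +1411,38 @@ mm_jpake_check_confirm(const BIGNUM *k,
 	return success;
 }
 #endif /* JPAKE */
+
+#ifdef SSH_AUDIT_EVENTS
+void
+mm_audit_unsupported_body(int what)
+{
+	Buffer m;
+
+	buffer_init(&m);
+	buffer_put_int(&m, what);
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, &m);
+	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_UNSUPPORTED,
+				  &m);
+
+	buffer_free(&m);
+}
+
+void
+mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress)
+{
+	Buffer m;
+
+	buffer_init(&m);
+	buffer_put_int(&m, ctos);
+	buffer_put_cstring(&m, cipher);
+	buffer_put_cstring(&m, mac);
+	buffer_put_cstring(&m, compress);
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, &m);
+	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
+				  &m);
+
+	buffer_free(&m);
+}
+#endif /* SSH_AUDIT_EVENTS */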
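--- a/openssh-5.6p1/monitor_wrap.h.audit3
+++ b/openssh-5.6p1/monitor_wrap.h.audit3
@@ -74,6 +74,8 @@ void mm_sshpam_free_ctx(void *);
 #include "audit.h"
 void mm_audit_event(ssh_audit_event_t);
 void mm_audit_run_command(const char *);
+void mm_audit_unsupported_body(int);
+void mm_audit_kex_body(int, char *, char *, char *);
 #endif
 
 struct Session;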
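--- a/openssh-5.6p1/sshd.c.audit3
+++ b/openssh-5.6p1/sshd.c.audit3
@@ -118,6 +118,7 @@
 #endif
 #include "monitor_wrap.h"
 #include "roaming.h"
+#include "audit.h"
 #include "version.h"
 
 #ifdef LIBWRAP
@@ -2177,6 +2178,10 @@ do_ssh1_kex(void)
 		if (cookie[i] != packet_get_char())
 			packet_disconnect("IP Spoofing check bytes do not match.");
 
+#ifdef SSH_AUDIT_EVENTS
+	audit_kex(2, cipher_name(cipher_type), "crc", "none");
+#endif
+
 	debug("Encryption type: %.200s", cipher_name(cipher_type));
 
 	/* Get the encrypted integer. */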
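Review bot: `audit_kex(2, cipher_name(cipher_type), "crc", "none")` in do_ssh1_kex passes string literals to parameters that audit.h declares as plain `char *`; since none of the visible backends write through them, the prototypes of audit_kex, audit_kex_body and mm_audit_kex_body should take `const char *` so the compiler can enforce that. The literal `2` stands for "both" only by its position in the `direction[]` table in audit-linux.c and would read better as a named constant, with a short comment that protocol 1 has no negotiated MAC or compression at this point. do_ssh1_kex continues outside the hunk.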
