Attachment #1976 for bug #1402

View | Details | Raw Unified | Return to bug 1402 | Differences between

and this patch




		debug("%s: unhandled event %d", __func__, event);
	}
}

void
audit_unsupported_body(int what)
{
	/* not implemented */
}

void
audit_kex_body(int ctos, char *enc, char *mac, char *compress)
{
	/* not implemented */
}
#endif /* BSM */

Lines 36-41 Link Here

(-)openssh-5.6p1/audit.c.audit3 (+33 lines)
36	#include "key.h"	36	#include "key.h"
37	#include "hostfile.h"	37	#include "hostfile.h"
38	#include "auth.h"	38	#include "auth.h"
		39	#include "ssh-gss.h"
		40	#include "monitor_wrap.h"
39		41
40	/*	42	/*
41	* Care must be taken when using this since it WILL NOT be initialized when	43	* Care must be taken when using this since it WILL NOT be initialized when
Lines 138-143 audit_key(int type, int rv, const Key Link Here
138	xfree(fp);	140	xfree(fp);
139	}	141	}
140		142
		143	void
		144	audit_unsupported(int what)
		145	{
		146	PRIVSEP(audit_unsupported_body(what));
		147	}
		148
		149	void
		150	audit_kex(int ctos, char enc, char mac, char *comp)
		151	{
		152	PRIVSEP(audit_kex_body(ctos, enc, mac, comp));
		153	}
		154
141	# ifndef CUSTOM_SSH_AUDIT_EVENTS	155	# ifndef CUSTOM_SSH_AUDIT_EVENTS
142	/*	156	/*
143	* Null implementations of audit functions.	157	* Null implementations of audit functions.
Lines 221-225 audit_keyusage(int host_user, const char Link Here
221	debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d",	235	debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d",
222	host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, len, fp, rv);	236	host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, len, fp, rv);
223	}	237	}
		238
		239	/*
		240	* This will be called when the protocol negotiation fails.
		241	*/
		242	void
		243	audit_unsupported_body(int what)
		244	{
		245	debug("audit unsupported protocol ieuid %d type %d", geteuid(), what);
		246
		247
		248	/*
		249	* This will be called on succesfull protocol negotiation.
		250	*/
		251	void
		252	audit_kex_body(int ctos, char enc, char mac, char *compress)
		253	{
		254	debug("audit procol negotiation euid %d direction %d cipher %s mac %s compresion %s",
		255	geteuid(), ctos, enc, mac, compress);
		256	}
224	# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */	257	# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
225	#endif /* SSH_AUDIT_EVENTS */	258	#endif /* SSH_AUDIT_EVENTS */

Lines 56-60 void audit_run_command(const char *); Link Here

(-)openssh-5.6p1/audit.h.audit3 (+4 lines)
56	ssh_audit_event_t audit_classify_auth(const char *);	56	ssh_audit_event_t audit_classify_auth(const char *);
57	int audit_keyusage(int, const char , unsigned, char , int);	57	int audit_keyusage(int, const char , unsigned, char , int);
58	int audit_key(int, int , const Key );	58	int audit_key(int, int , const Key );
		59	void audit_unsupported(int);
		60	void audit_kex(int, char , char , char *);
		61	void audit_unsupported_body(int);
		62	void audit_kex_body(int, char , char , char *);
59		63
60	#endif /* _SSH_AUDIT_H */	64	#endif /* _SSH_AUDIT_H */

Lines 36-41 Link Here

(-)openssh-5.6p1/audit-linux.c.audit3 (+52 lines)
36	#include "log.h"	36	#include "log.h"
37	#include "audit.h"	37	#include "audit.h"
38	#include "canohost.h"	38	#include "canohost.h"
		39	#include "packet.h"
		40	#include "cipher.h"
39		41
40	#define AUDIT_LOG_SIZE 128	42	#define AUDIT_LOG_SIZE 128
41		43
Lines 151-154 audit_event(ssh_audit_event_t event) Link Here
151	}	153	}
152	}	154	}
153		155
		156	void
		157	audit_unsupported_body(int what)
		158	{
		159	#ifdef AUDIT_CRYPTO_SESSION
		160	char buf[AUDIT_LOG_SIZE];
		161	const static char *name[] = { "cipher", "mac", "comp" };
		162	int audit_fd, audit_ok;
		163
		164	snprintf(buf, sizeof(buf), "unsupported-%s direction=? cipher=? ksize=? rport=%d laddr=%s lport=%d",
		165	name[what], get_remote_port(), get_local_ipaddr(packet_get_connection_in()),
		166	get_local_port());
		167	audit_fd = audit_open();
		168	if (audit_fd < 0)
		169	/* no problem, the next instruction will be fatal() */
		170	return;
		171	audit_ok = audit_log_acct_message(audit_fd, AUDIT_CRYPTO_SESSION, NULL,
		172	buf, NULL, -1, NULL, get_remote_ipaddr(), NULL, 0);
		173	audit_close(audit_fd);
		174	#endif
		175	}
		176
		177	void
		178	audit_kex_body(int ctos, char enc, char mac, char *compress)
		179	{
		180	#ifdef AUDIT_CRYPTO_SESSION
		181	char buf[AUDIT_LOG_SIZE];
		182	int audit_fd, audit_ok;
		183	const static char *direction[] = { "from-server", "from-client", "both" };
		184	Cipher *cipher = cipher_by_name(enc);
		185
		186	snprintf(buf, sizeof(buf), "start direction=%s cipher=%s, ksize=%d rport=%d laddr=%s lport=%d",
		187	direction[ctos], enc, cipher ? 8 * cipher->key_len : 0,
		188	get_remote_port(), get_local_ipaddr(packet_get_connection_in()), get_local_port());
		189	audit_fd = audit_open();
		190	if (audit_fd < 0) {
		191	if (errno == EINVAL \|\| errno == EPROTONOSUPPORT \|\|
		192	errno == EAFNOSUPPORT)
		193	return; /* No audit support in kernel */
		194	else
		195	fatal("cannot open audit"); /* Must prevent login */
		196	}
		197	audit_ok = audit_log_acct_message(audit_fd, AUDIT_CRYPTO_SESSION, NULL,
		198	buf, NULL, -1, NULL, get_remote_ipaddr(), NULL, 1);
		199	audit_close(audit_fd);
		200	/* do not abort if the error is EPERM and sshd is run as non root user */
		201	if ((audit_ok < 0) && ((audit_ok != -1) \|\| (getuid() == 0)))
		202	fatal("cannot write into audit"); /* Must prevent login */
		203	#endif
		204	}
		205
154	#endif /* USE_LINUX_AUDIT */	206	#endif /* USE_LINUX_AUDIT */




/* $Id: auditstub.c,v 1.1 jfch Exp $ */

/*
 * Copyright 2010 Red Hat, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
 */

void
audit_unsupported(int n)
{
}

void
audit_kex(int ctos, char *enc, char *mac, char *comp)
{
}





extern const EVP_CIPHER *evp_aes_128_ctr(void);
extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);

struct Cipher ciphers[] = {
	char	*name;
	int	number;		/* for ssh1 only */
	u_int	block_size;
	u_int	key_len;
	u_int	discard_len;
	u_int	cbc_mode;
	const EVP_CIPHER	*(*evptype)(void);
} ciphers[] = {
	{ "none",		SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },
	{ "des",		SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc },
	{ "3des",		SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },




typedef struct Cipher Cipher;
typedef struct CipherContext CipherContext;

struct Cipher {
	char	*name;
	int	number;		/* for ssh1 only */
	u_int	block_size;
	u_int	key_len;
	u_int	discard_len;
	u_int	cbc_mode;
	const EVP_CIPHER	*(*evptype)(void);
};

struct CipherContext {
	int	plaintext;
	EVP_CIPHER_CTX evp;

Lines 49-54 Link Here

(-)openssh-5.6p1/kex.c.audit3 (-3 / +19 lines)
49	#include "dispatch.h"	49	#include "dispatch.h"
50	#include "monitor.h"	50	#include "monitor.h"
51	#include "roaming.h"	51	#include "roaming.h"
		52	#include "audit.h"
52		53
53	#if OPENSSL_VERSION_NUMBER >= 0x00907000L	54	#if OPENSSL_VERSION_NUMBER >= 0x00907000L
54	# if defined(HAVE_EVP_SHA256)	55	# if defined(HAVE_EVP_SHA256)
Lines 258-266 static void Link Here
258	choose_enc(Enc enc, char client, char *server)	259	choose_enc(Enc enc, char client, char *server)
259	{	260	{
260	char *name = match_list(client, server, NULL);	261	char *name = match_list(client, server, NULL);
261	if (name == NULL)	262	if (name == NULL) {
		263	#ifdef SSH_AUDIT_EVENTS
		264	audit_unsupported(0);
		265	#endif
262	fatal("no matching cipher found: client %s server %s",	266	fatal("no matching cipher found: client %s server %s",
263	client, server);	267	client, server);
		268	}
264	if ((enc->cipher = cipher_by_name(name)) == NULL)	269	if ((enc->cipher = cipher_by_name(name)) == NULL)
265	fatal("matching cipher is not supported: %s", name);	270	fatal("matching cipher is not supported: %s", name);
266	enc->name = name;	271	enc->name = name;
Lines 275-283 static void Link Here
275	choose_mac(Mac mac, char client, char *server)	280	choose_mac(Mac mac, char client, char *server)
276	{	281	{
277	char *name = match_list(client, server, NULL);	282	char *name = match_list(client, server, NULL);
278	if (name == NULL)	283	if (name == NULL) {
		284	#ifdef SSH_AUDIT_EVENTS
		285	audit_unsupported(1);
		286	#endif
279	fatal("no matching mac found: client %s server %s",	287	fatal("no matching mac found: client %s server %s",
280	client, server);	288	client, server);
		289	}
281	if (mac_setup(mac, name) < 0)	290	if (mac_setup(mac, name) < 0)
282	fatal("unsupported mac %s", name);	291	fatal("unsupported mac %s", name);
283	/* truncate the key */	292	/* truncate the key */
Lines 292-299 static void Link Here
292	choose_comp(Comp comp, char client, char *server)	301	choose_comp(Comp comp, char client, char *server)
293	{	302	{
294	char *name = match_list(client, server, NULL);	303	char *name = match_list(client, server, NULL);
295	if (name == NULL)	304	if (name == NULL) {
		305	#ifdef SSH_AUDIT_EVENTS
		306	audit_unsupported(2);
		307	#endif
296	fatal("no matching comp found: client %s server %s", client, server);	308	fatal("no matching comp found: client %s server %s", client, server);
		309	}
297	if (strcmp(name, "zlib@openssh.com") == 0) {	310	if (strcmp(name, "zlib@openssh.com") == 0) {
298	comp->type = COMP_DELAYED;	311	comp->type = COMP_DELAYED;
299	} else if (strcmp(name, "zlib") == 0) {	312	} else if (strcmp(name, "zlib") == 0) {
Lines 414-419 kex_choose_conf(Kex *kex) Link Here
414	newkeys->enc.name,	427	newkeys->enc.name,
415	newkeys->mac.name,	428	newkeys->mac.name,
416	newkeys->comp.name);	429	newkeys->comp.name);
		430	#ifdef SSH_AUDIT_EVENTS
		431	audit_kex(ctos, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name);
		432	#endif
417	}	433	}
418	choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);	434	choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
419	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],	435	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],

Lines 74-80 LIBSSH_OBJS=acss.o authfd.o authfile.o b Link Here

(-)openssh-5.6p1/Makefile.in.audit3 (-1 / +1 lines)
74	monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \	74	monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
75	kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \	75	kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
76	entropy.o gss-genr.o umac.o jpake.o schnorr.o \	76	entropy.o gss-genr.o umac.o jpake.o schnorr.o \
77	ssh-pkcs11.o	77	ssh-pkcs11.o auditstub.o
78		78
79	SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \	79	SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
80	sshconnect.o sshconnect1.o sshconnect2.o mux.o \	80	sshconnect.o sshconnect1.o sshconnect2.o mux.o \

Lines 89-94 Link Here

(-)openssh-5.6p1/monitor.c.audit3 (+48 lines)
89	#include "ssh2.h"	89	#include "ssh2.h"
90	#include "jpake.h"	90	#include "jpake.h"
91	#include "roaming.h"	91	#include "roaming.h"
		92	#include "audit.h"
92		93
93	#ifdef GSSAPI	94	#ifdef GSSAPI
94	static Gssctxt *gsscontext = NULL;	95	static Gssctxt *gsscontext = NULL;
Lines 177-182 int mm_answer_gss_checkmic(int, Buffer * Link Here
177	#ifdef SSH_AUDIT_EVENTS	178	#ifdef SSH_AUDIT_EVENTS
178	int mm_answer_audit_event(int, Buffer *);	179	int mm_answer_audit_event(int, Buffer *);
179	int mm_answer_audit_command(int, Buffer *);	180	int mm_answer_audit_command(int, Buffer *);
		181	int mm_answer_audit_unsupported_body(int, Buffer *);
		182	int mm_answer_audit_kex_body(int, Buffer *);
180	#endif	183	#endif
181		184
182	static Authctxt *authctxt;	185	static Authctxt *authctxt;
Lines 225-230 struct mon_table mon_dispatch_proto20[] Link Here
225	#endif	228	#endif
226	#ifdef SSH_AUDIT_EVENTS	229	#ifdef SSH_AUDIT_EVENTS
227	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},	230	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
		231	{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
		232	{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
228	#endif	233	#endif
229	#ifdef BSD_AUTH	234	#ifdef BSD_AUTH
230	{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},	235	{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
Lines 261-266 struct mon_table mon_dispatch_postauth20 Link Here
261	#ifdef SSH_AUDIT_EVENTS	266	#ifdef SSH_AUDIT_EVENTS
262	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},	267	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
263	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},	268	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
		269	{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
		270	{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
264	#endif	271	#endif
265	{0, 0, NULL}	272	{0, 0, NULL}
266	};	273	};
Lines 292-297 struct mon_table mon_dispatch_proto15[] Link Here
292	#endif	299	#endif
293	#ifdef SSH_AUDIT_EVENTS	300	#ifdef SSH_AUDIT_EVENTS
294	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},	301	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
		302	{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
		303	{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
295	#endif	304	#endif
296	{0, 0, NULL}	305	{0, 0, NULL}
297	};	306	};
Lines 303-308 struct mon_table mon_dispatch_postauth15 Link Here
303	#ifdef SSH_AUDIT_EVENTS	312	#ifdef SSH_AUDIT_EVENTS
304	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},	313	{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
305	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT\|MON_ONCE, mm_answer_audit_command},	314	{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT\|MON_ONCE, mm_answer_audit_command},
		315	{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
		316	{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
306	#endif	317	#endif
307	{0, 0, NULL}	318	{0, 0, NULL}
308	};	319	};
Lines 2205-2207 mm_answer_jpake_check_confirm(int sock, Link Here
2205	}	2216	}
2206		2217
2207	#endif /* JPAKE */	2218	#endif /* JPAKE */
		2219
		2220	#ifdef SSH_AUDIT_EVENTS
		2221	int
		2222	mm_answer_audit_unsupported_body(int sock, Buffer *m)
		2223	{
		2224	int what;
		2225
		2226	what = buffer_get_int(m);
		2227
		2228	audit_unsupported_body(what);
		2229
		2230	buffer_clear(m);
		2231
		2232	mm_request_send(sock, MONITOR_ANS_AUDIT_UNSUPPORTED, m);
		2233	return 0;
		2234	}
		2235
		2236	int
		2237	mm_answer_audit_kex_body(int sock, Buffer *m)
		2238	{
		2239	int ctos, len;
		2240	char cipher, mac, *compress;
		2241
		2242	ctos = buffer_get_int(m);
		2243	cipher = buffer_get_string(m, &len);
		2244	mac = buffer_get_string(m, &len);
		2245	compress = buffer_get_string(m, &len);
		2246
		2247	audit_kex_body(ctos, cipher, mac, compress);
		2248
		2249	buffer_clear(m);
		2250
		2251	mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m);
		2252	return 0;
		2253	}
		2254
		2255	#endif /* SSH_AUDIT_EVENTS */

Lines 66-71 enum monitor_reqtype { Link Here

(-)openssh-5.6p1/monitor.h.audit3 (+2 lines)
66	MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,	66	MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
67	MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,	67	MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
68	MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,	68	MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
		69	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
		70	MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
69	};	71	};
70		72
71	struct mm_master;	73	struct mm_master;




	return success;
}
#endif /* JPAKE */

#ifdef SSH_AUDIT_EVENTS
void
mm_audit_unsupported_body(int what)
{
	Buffer m;

	buffer_init(&m);
	buffer_put_int(&m, what);

	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, &m);
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_UNSUPPORTED,
				  &m);

	buffer_free(&m);
}

void
mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress)
{
	Buffer m;

	buffer_init(&m);
	buffer_put_int(&m, ctos);
	buffer_put_cstring(&m, cipher);
	buffer_put_cstring(&m, mac);
	buffer_put_cstring(&m, compress);

	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, &m);
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
				  &m);

	buffer_free(&m);
}
#endif /* SSH_AUDIT_EVENTS */

Lines 74-79 void mm_sshpam_free_ctx(void *); Link Here

(-)openssh-5.6p1/monitor_wrap.h.audit3 (+2 lines)
74	#include "audit.h"	74	#include "audit.h"
75	void mm_audit_event(ssh_audit_event_t);	75	void mm_audit_event(ssh_audit_event_t);
76	void mm_audit_run_command(const char *);	76	void mm_audit_run_command(const char *);
		77	void mm_audit_unsupported_body(int);
		78	void mm_audit_kex_body(int, char , char , char *);
77	#endif	79	#endif
78		80
79	struct Session;	81	struct Session;

Lines 118-123 Link Here

(-)openssh-5.6p1/sshd.c.audit3 (+5 lines)
118	#endif	118	#endif
119	#include "monitor_wrap.h"	119	#include "monitor_wrap.h"
120	#include "roaming.h"	120	#include "roaming.h"
		121	#include "audit.h"
121	#include "version.h"	122	#include "version.h"
122		123
123	#ifdef LIBWRAP	124	#ifdef LIBWRAP
Lines 2177-2182 do_ssh1_kex(void) Link Here
2177	if (cookie[i] != packet_get_char())	2178	if (cookie[i] != packet_get_char())
2178	packet_disconnect("IP Spoofing check bytes do not match.");	2179	packet_disconnect("IP Spoofing check bytes do not match.");
2179		2180
		2181	#ifdef SSH_AUDIT_EVENTS
		2182	audit_kex(2, cipher_name(cipher_type), "crc", "none");
		2183	#endif
		2184
2180	debug("Encryption type: %.200s", cipher_name(cipher_type));	2185	debug("Encryption type: %.200s", cipher_name(cipher_type));
2181		2186
2182	/* Get the encrypted integer. */	2187	/* Get the encrypted integer. */

Return to bug 1402

Lines 383-386 audit_event(ssh_audit_event_t event) Link Here

(-)openssh-5.6p1/audit-bsm.c.audit3 (+12 lines)
383	debug("%s: unhandled event %d", __func__, event);	383	debug("%s: unhandled event %d", __func__, event);
384	}	384	}
385	}	385	}
		386
		387	void
		388	audit_unsupported_body(int what)
		389	{
		390	/* not implemented */
		391	}
		392
		393	void
		394	audit_kex_body(int ctos, char enc, char mac, char *compress)
		395	{
		396	/* not implemented */
		397	}
386	#endif /* BSM */	398	#endif /* BSM */

Lines 1411-1413 mm_jpake_check_confirm(const BIGNUM *k, Link Here

(-)openssh-5.6p1/monitor_wrap.c.audit3 (+35 lines)
1411	return success;	1411	return success;
1412	}	1412	}
1413	#endif /* JPAKE */	1413	#endif /* JPAKE */
		1414
		1415	#ifdef SSH_AUDIT_EVENTS
		1416	void
		1417	mm_audit_unsupported_body(int what)
		1418	{
		1419	Buffer m;
		1420
		1421	buffer_init(&m);
		1422	buffer_put_int(&m, what);
		1423
		1424	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, &m);
		1425	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_UNSUPPORTED,
		1426	&m);
		1427
		1428	buffer_free(&m);
		1429	}
		1430
		1431	void
		1432	mm_audit_kex_body(int ctos, char cipher, char mac, char *compress)
		1433	{
		1434	Buffer m;
		1435
		1436	buffer_init(&m);
		1437	buffer_put_int(&m, ctos);
		1438	buffer_put_cstring(&m, cipher);
		1439	buffer_put_cstring(&m, mac);
		1440	buffer_put_cstring(&m, compress);
		1441
		1442	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, &m);
		1443	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
		1444	&m);
		1445
		1446	buffer_free(&m);
		1447	}
		1448	#endif /* SSH_AUDIT_EVENTS */

Line 0 Link Here

(-)openssh-5.6p1/auditstub.c.audit3 (+39 lines)
	1	/* $Id: auditstub.c,v 1.1 jfch Exp $ */
	2
	3	/*
	4	* Copyright 2010 Red Hat, Inc. All rights reserved.
	5	* Use is subject to license terms.
	6	*
	7	* Redistribution and use in source and binary forms, with or without
	8	* modification, are permitted provided that the following conditions
	9	* are met:
	10	* 1. Redistributions of source code must retain the above copyright
	11	* notice, this list of conditions and the following disclaimer.
	12	* 2. Redistributions in binary form must reproduce the above copyright
	13	* notice, this list of conditions and the following disclaimer in the
	14	* documentation and/or other materials provided with the distribution.
	15	*
	16	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	17	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	18	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	19	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	20	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	21	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	22	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	23	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	24	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	25	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	26	*
	27	* Red Hat author: Jan F. Chadima <jchadima@redhat.com>
	28	*/
	29
	30	void
	31	audit_unsupported(int n)
	32	{
	33	}
	34
	35	void
	36	audit_kex(int ctos, char enc, char mac, char *comp)
	37	{
	38	}
	39

Lines 59-73 extern void ssh1_3des_iv(EVP_CIPHER_CTX Link Here

(-)openssh-5.6p1/cipher.c.audit3 (-9 / +1 lines)
59	extern const EVP_CIPHER *evp_aes_128_ctr(void);	59	extern const EVP_CIPHER *evp_aes_128_ctr(void);
60	extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX , int, u_char , u_int);	60	extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX , int, u_char , u_int);
61		61
62	struct Cipher {	62	struct Cipher ciphers[] = {
63	char *name;
64	int number; /* for ssh1 only */
65	u_int block_size;
66	u_int key_len;
67	u_int discard_len;
68	u_int cbc_mode;
69	const EVP_CIPHER (evptype)(void);
70	} ciphers[] = {
71	{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },	63	{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },
72	{ "des", SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc },	64	{ "des", SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc },
73	{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },	65	{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },

Lines 61-67 Link Here

(-)openssh-5.6p1/cipher.h.audit3 (-1 / +10 lines)
61	typedef struct Cipher Cipher;	61	typedef struct Cipher Cipher;
62	typedef struct CipherContext CipherContext;	62	typedef struct CipherContext CipherContext;
63		63
64	struct Cipher;	64	struct Cipher {
		65	char *name;
		66	int number; /* for ssh1 only */
		67	u_int block_size;
		68	u_int key_len;
		69	u_int discard_len;
		70	u_int cbc_mode;
		71	const EVP_CIPHER (evptype)(void);
		72	};
		73
65	struct CipherContext {	74	struct CipherContext {
66	int plaintext;	75	int plaintext;
67	EVP_CIPHER_CTX evp;	76	EVP_CIPHER_CTX evp;