{

{

	/* not implemented */

	/* not implemented */

}

}

#endif /* BSM */

#endif /* BSM */

	debug("audit session key discard euid %u direction %d from pid %ld uid %u",

	debug("audit session key discard euid %u direction %d from pid %ld uid %u",

		(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);

		(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);

}

}

# endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */

# endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */

#endif /* SSH_AUDIT_EVENTS */

#endif /* SSH_AUDIT_EVENTS */

};

};

typedef enum ssh_audit_event_type ssh_audit_event_t;

typedef enum ssh_audit_event_type ssh_audit_event_t;

void	audit_connection_from(const char *, int);

void	audit_connection_from(const char *, int);

void	audit_event(ssh_audit_event_t);

void	audit_event(ssh_audit_event_t);

void	audit_count_session_open(void);

void	audit_count_session_open(void);

void	audit_kex_body(int, char *, char *, char *, pid_t, uid_t);

void	audit_kex_body(int, char *, char *, char *, pid_t, uid_t);

void	audit_session_key_free(int ctos);

void	audit_session_key_free(int ctos);

void	audit_session_key_free_body(int ctos, pid_t, uid_t);

void	audit_session_key_free_body(int ctos, pid_t, uid_t);

#endif /* _SSH_AUDIT_H */

#endif /* _SSH_AUDIT_H */

		error("cannot write into audit");

		error("cannot write into audit");

}

}

#endif /* USE_LINUX_AUDIT */

#endif /* USE_LINUX_AUDIT */

}

}

int

int

key_is_cert(const Key *k)

key_is_cert(const Key *k)

{

{

	if (k == NULL)

	if (k == NULL)

Key	*key_from_private(const Key *);

Key	*key_from_private(const Key *);

int	 key_type_from_name(char *);

int	 key_type_from_name(char *);

int	 key_is_cert(const Key *);

int	 key_is_cert(const Key *);

int	 key_type_plain(int);

int	 key_type_plain(int);

int	 key_to_certified(Key *, int);

int	 key_to_certified(Key *, int);

int	 key_drop_cert(Key *);

int	 key_drop_cert(Key *);

extern int auth_debug_init;

extern int auth_debug_init;

extern Buffer loginmsg;

extern Buffer loginmsg;

/* State exported from the child */

/* State exported from the child */

struct {

struct {

int mm_answer_audit_unsupported_body(int, Buffer *);

int mm_answer_audit_unsupported_body(int, Buffer *);

int mm_answer_audit_kex_body(int, Buffer *);

int mm_answer_audit_kex_body(int, Buffer *);

int mm_answer_audit_session_key_free_body(int, Buffer *);

int mm_answer_audit_session_key_free_body(int, Buffer *);

#endif

#endif

static Authctxt *authctxt;

static Authctxt *authctxt;

    {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},

    {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},

    {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},

    {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},

    {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},

    {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},

#endif

#endif

#ifdef BSD_AUTH

#ifdef BSD_AUTH

    {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},

    {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},

    {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},

    {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},

    {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},

    {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},

    {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},

    {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},

#endif

#endif

    {0, 0, NULL}

    {0, 0, NULL}

};

};

    {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},

    {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},

    {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},

    {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},

    {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},

    {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},

#endif

#endif

    {0, 0, NULL}

    {0, 0, NULL}

};

};

    {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},

    {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},

    {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},

    {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},

    {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},

    {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},

#endif

#endif

    {0, 0, NULL}

    {0, 0, NULL}

};

};

		sshpam_cleanup();

		sshpam_cleanup();

#endif

#endif

	while (waitpid(pmonitor->m_pid, &status, 0) == -1)

	while (waitpid(pmonitor->m_pid, &status, 0) == -1)

		if (errno != EINTR)

		if (errno != EINTR)

			exit(1);

			exit(1);

	mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);

	mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);

	return 0;

	return 0;

}

}

#endif /* SSH_AUDIT_EVENTS */

#endif /* SSH_AUDIT_EVENTS */

	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,

	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,

	MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,

	MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,

	MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,

	MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,

};

};

struct mm_master;

struct mm_master;

				  &m);

				  &m);

	buffer_free(&m);

	buffer_free(&m);

}

}

#endif /* SSH_AUDIT_EVENTS */

#endif /* SSH_AUDIT_EVENTS */

void mm_audit_unsupported_body(int);

void mm_audit_unsupported_body(int);

void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);

void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);

void mm_audit_session_key_free_body(int, pid_t, uid_t);

void mm_audit_session_key_free_body(int, pid_t, uid_t);

#endif

#endif

struct Session;

struct Session;

extern int debug_flag;

extern int debug_flag;

extern u_int utmp_len;

extern u_int utmp_len;

extern int startup_pipe;

extern int startup_pipe;

extern Buffer loginmsg;

extern Buffer loginmsg;

/* original command from peer. */

/* original command from peer. */

	int r = 0;

	int r = 0;

	/* remove hostkey from the child's memory */

	/* remove hostkey from the child's memory */

	/* Don't audit this - both us and the parent would be talking to the

	/* Don't audit this - both us and the parent would be talking to the

	   monitor over a single socket, with no synchronization. */

	   monitor over a single socket, with no synchronization. */

	packet_destroy_all(0, 1);

	packet_destroy_all(0, 1);

struct passwd *privsep_pw = NULL;

struct passwd *privsep_pw = NULL;

/* Prototypes for various functions defined later in this file. */

/* Prototypes for various functions defined later in this file. */

void demote_sensitive_data(void);

void demote_sensitive_data(void);

static void do_ssh1_kex(void);

static void do_ssh1_kex(void);

	num_listen_socks = -1;

	num_listen_socks = -1;

}

}

static void

static void

close_startup_pipes(void)

close_startup_pipes(void)

{

{

	}

	}

}

}

void

void

{

{

	int i;

	int i;

	if (sensitive_data.server_key) {

	if (sensitive_data.server_key) {

		key_free(sensitive_data.server_key);

		key_free(sensitive_data.server_key);

		sensitive_data.server_key = NULL;

		sensitive_data.server_key = NULL;

	}

	}

	for (i = 0; i < options.num_host_key_files; i++) {

	for (i = 0; i < options.num_host_key_files; i++) {

		if (sensitive_data.host_keys[i]) {

		if (sensitive_data.host_keys[i]) {

			key_free(sensitive_data.host_keys[i]);

			key_free(sensitive_data.host_keys[i]);

			sensitive_data.host_keys[i] = NULL;

			sensitive_data.host_keys[i] = NULL;

		}

		}

			key_free(sensitive_data.host_certificates[i]);

			key_free(sensitive_data.host_certificates[i]);

			sensitive_data.host_certificates[i] = NULL;

			sensitive_data.host_certificates[i] = NULL;

		}

		}

demote_sensitive_data(void)

demote_sensitive_data(void)

{

{

	Key *tmp;

	Key *tmp;

	int i;

	int i;

	if (sensitive_data.server_key) {

	if (sensitive_data.server_key) {

		sensitive_data.server_key = tmp;

		sensitive_data.server_key = tmp;

	}

	}

	for (i = 0; i < options.num_host_key_files; i++) {

	for (i = 0; i < options.num_host_key_files; i++) {

		if (sensitive_data.host_keys[i]) {

		if (sensitive_data.host_keys[i]) {

			tmp = key_demote(sensitive_data.host_keys[i]);

			tmp = key_demote(sensitive_data.host_keys[i]);

			key_free(sensitive_data.host_keys[i]);

			key_free(sensitive_data.host_keys[i]);

			sensitive_data.host_keys[i] = tmp;

			sensitive_data.host_keys[i] = tmp;

			if (tmp->type == KEY_RSA1)

			if (tmp->type == KEY_RSA1)

				sensitive_data.ssh1_host_key = tmp;

				sensitive_data.ssh1_host_key = tmp;

		}

		}

		/* Certs do not need demotion */

		/* Certs do not need demotion */

	}

	}

		if (received_sigterm) {

		if (received_sigterm) {

			logit("Received signal %d; terminating.",

			logit("Received signal %d; terminating.",

			    (int) received_sigterm);

			    (int) received_sigterm);

			close_listen_socks();

			close_listen_socks();

			unlink(options.pid_file);

			unlink(options.pid_file);

			exit(0);

			exit(0);

		privsep_postauth(authctxt);

		privsep_postauth(authctxt);

		/* the monitor process [priv] will not return */

		/* the monitor process [priv] will not return */

		if (!compat20)

		if (!compat20)

	}

	}

	packet_set_timeout(options.client_alive_interval,

	packet_set_timeout(options.client_alive_interval,

	/* The connection has been terminated. */

	/* The connection has been terminated. */

	packet_destroy_all(1, 1);

	packet_destroy_all(1, 1);

	packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);

	packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);

	packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);

	packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);

			session_id[i] = session_key[i] ^ session_key[i + 16];

			session_id[i] = session_key[i] ^ session_key[i + 16];

	}

	}

	/* Destroy the private and public keys. No longer. */

	/* Destroy the private and public keys. No longer. */

	if (use_privsep)

	if (use_privsep)

		mm_ssh1_session_id(session_id);

		mm_ssh1_session_id(session_id);

void

void

cleanup_exit(int i)

cleanup_exit(int i)

{

{

	if (the_authctxt)

	if (the_authctxt)

		do_cleanup(the_authctxt);

		do_cleanup(the_authctxt);

	packet_destroy_all(1, is_privsep_child);

	packet_destroy_all(1, is_privsep_child);

#ifdef SSH_AUDIT_EVENTS

#ifdef SSH_AUDIT_EVENTS

	/* done after do_cleanup so it can cancel the PAM auth 'thread' */

	/* done after do_cleanup so it can cancel the PAM auth 'thread' */