Attachment #2090 for bug #1402

View | Details | Raw Unified | Return to bug 1402 | Differences between

and this patch




{
	/* not implemented */
}

void
audit_destroy_sensitive_data(const char *fp)
{
	/* not implemented */
}

void
audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
{
	/* not implemented */
}

void
audit_generate_ephemeral_server_key(const char *fp)
{
	/* not implemented */
}
#endif /* BSM */




		error("cannot write into audit");
}

void
audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
{
	char buf[AUDIT_LOG_SIZE];
	int audit_fd, audit_ok;

	snprintf(buf, sizeof(buf), "op=destroy kind=server fp=%s direction=? spid=%jd suid=%jd ",
		fp, (intmax_t)pid, (intmax_t)uid);
	audit_fd = audit_open();
	if (audit_fd < 0) {
		if (errno != EINVAL && errno != EPROTONOSUPPORT &&
					 errno != EAFNOSUPPORT)
			error("cannot open audit");
		return;
	}
	audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
			buf, NULL,
			listening_for_clients() ? NULL : get_remote_ipaddr(),
			NULL, 1);
	audit_close(audit_fd);
	/* do not abort if the error is EPERM and sshd is run as non root user */
	if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
		error("cannot write into audit");
}

void
audit_generate_ephemeral_server_key(const char *fp)
{
	char buf[AUDIT_LOG_SIZE];
	int audit_fd, audit_ok;

	snprintf(buf, sizeof(buf), "op=create kind=server fp=%s direction=? ", fp);
	audit_fd = audit_open();
	if (audit_fd < 0) {
		if (errno != EINVAL && errno != EPROTONOSUPPORT &&
					 errno != EAFNOSUPPORT)
			error("cannot open audit");
		return;
	}
	audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
			buf, NULL, 0, NULL, 1);
	audit_close(audit_fd);
	/* do not abort if the error is EPERM and sshd is run as non root user */
	if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
		error("cannot write into audit");
}
#endif /* USE_LINUX_AUDIT */




	debug("audit session key discard euid %u direction %d from pid %ld uid %u",
		(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
}

/*
 * This will be called on destroy private part of the server key
 */
void
audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
{
	debug("audit destroy sensitive data euid %d fingerprint %s from pid %ld uid %u",
		geteuid(), fp, (long)pid, (unsigned)uid);
}

/*
 * This will be called on generation of the ephemeral server key
 */
void
audit_generate_ephemeral_server_key(const char *)
{
	debug("audit create ephemeral server key euid %d fingerprint %s", geteuid(), fp);
}
# endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */

Lines 48-53 enum ssh_audit_event_type { Link Here

(-)openssh-5.9p1/audit.h.audit5 (+4 lines)
48	};	48	};
49	typedef enum ssh_audit_event_type ssh_audit_event_t;	49	typedef enum ssh_audit_event_type ssh_audit_event_t;
50		50
		51	int listening_for_clients(void);
		52
51	void audit_connection_from(const char *, int);	53	void audit_connection_from(const char *, int);
52	void audit_event(ssh_audit_event_t);	54	void audit_event(ssh_audit_event_t);
53	void audit_count_session_open(void);	55	void audit_count_session_open(void);
Lines 64-68 void audit_unsupported_body(int); Link Here
64	void audit_kex_body(int, char , char , char *, pid_t, uid_t);	66	void audit_kex_body(int, char , char , char *, pid_t, uid_t);
65	void audit_session_key_free(int ctos);	67	void audit_session_key_free(int ctos);
66	void audit_session_key_free_body(int ctos, pid_t, uid_t);	68	void audit_session_key_free_body(int ctos, pid_t, uid_t);
		69	void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
		70	void audit_generate_ephemeral_server_key(const char *);
67		71
68	#endif /* _SSH_AUDIT_H */	72	#endif /* _SSH_AUDIT_H */




}

int
key_is_private(const Key *k)
{
	switch (k->type) {
	case KEY_RSA_CERT_V00:
	case KEY_RSA_CERT:
	case KEY_RSA1:
	case KEY_RSA:
		return k->rsa->d != NULL;
	case KEY_DSA_CERT_V00:
	case KEY_DSA_CERT:
	case KEY_DSA:
		return k->dsa->priv_key != NULL;
#ifdef OPENSSL_HAS_ECC
	case KEY_ECDSA_CERT:
	case KEY_ECDSA:
		return EC_KEY_get0_private_key(k->ecdsa) != NULL;
#endif
	default:
		fatal("key_is_private: bad key type %d", k->type);
		return 1;
	}
}

int
key_is_cert(const Key *k)
{
	if (k == NULL)

Lines 109-114 Key *key_generate(int, u_int); Link Here

(-)openssh-5.9p1/key.h.audit5 (+1 lines)
109	Key key_from_private(const Key );	109	Key key_from_private(const Key );
110	int key_type_from_name(char *);	110	int key_type_from_name(char *);
111	int key_is_cert(const Key *);	111	int key_is_cert(const Key *);
		112	int key_is_private(const Key *k);
112	int key_type_plain(int);	113	int key_type_plain(int);
113	int key_to_certified(Key *, int);	114	int key_to_certified(Key *, int);
114	int key_drop_cert(Key *);	115	int key_drop_cert(Key *);

Lines 114-119 extern Buffer auth_debug; Link Here

(-)openssh-5.9p1/monitor.c.audit5 (+30 lines)
114	extern int auth_debug_init;	114	extern int auth_debug_init;
115	extern Buffer loginmsg;	115	extern Buffer loginmsg;
116		116
		117	extern void destroy_sensitive_data(int);
		118
117	/* State exported from the child */	119	/* State exported from the child */
118		120
119	struct {	121	struct {
Lines 191-196 int mm_answer_audit_end_command(int, Buf Link Here
191	int mm_answer_audit_unsupported_body(int, Buffer *);	193	int mm_answer_audit_unsupported_body(int, Buffer *);
192	int mm_answer_audit_kex_body(int, Buffer *);	194	int mm_answer_audit_kex_body(int, Buffer *);
193	int mm_answer_audit_session_key_free_body(int, Buffer *);	195	int mm_answer_audit_session_key_free_body(int, Buffer *);
		196	int mm_answer_audit_server_key_free(int, Buffer *);
194	#endif	197	#endif
195		198
196	static int monitor_read_log(struct monitor *);	199	static int monitor_read_log(struct monitor *);
Lines 244-249 struct mon_table mon_dispatch_proto20[] Link Here
244	{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},	247	{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
245	{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},	248	{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
246	{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},	249	{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
		250	{MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
247	#endif	251	#endif
248	#ifdef BSD_AUTH	252	#ifdef BSD_AUTH
249	{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},	253	{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
Lines 285-290 struct mon_table mon_dispatch_postauth20 Link Here
285	{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},	289	{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
286	{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},	290	{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
287	{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},	291	{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
		292	{MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
288	#endif	293	#endif
289	{0, 0, NULL}	294	{0, 0, NULL}
290	};	295	};
Lines 319-324 struct mon_table mon_dispatch_proto15[] Link Here
319	{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},	324	{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
320	{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},	325	{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
321	{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},	326	{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
		327	{MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
322	#endif	328	#endif
323	{0, 0, NULL}	329	{0, 0, NULL}
324	};	330	};
Lines 334-339 struct mon_table mon_dispatch_postauth15 Link Here
334	{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},	340	{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
335	{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},	341	{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
336	{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},	342	{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
		343	{MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
337	#endif	344	#endif
338	{0, 0, NULL}	345	{0, 0, NULL}
339	};	346	};
Lines 1716-1721 mm_answer_term(int sock, Buffer *req) Link Here
1716	sshpam_cleanup();	1723	sshpam_cleanup();
1717	#endif	1724	#endif
1718		1725
		1726	destroy_sensitive_data(0);
		1727
1719	while (waitpid(pmonitor->m_pid, &status, 0) == -1)	1728	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
1720	if (errno != EINTR)	1729	if (errno != EINTR)
1721	exit(1);	1730	exit(1);
Lines 2470-2473 mm_answer_audit_session_key_free_body(in Link Here
2470	mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);	2479	mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
2471	return 0;	2480	return 0;
2472	}	2481	}
		2482
		2483	int
		2484	mm_answer_audit_server_key_free(int sock, Buffer *m)
		2485	{
		2486	int len;
		2487	char *fp;
		2488	pid_t pid;
		2489	uid_t uid;
		2490
		2491	fp = buffer_get_string(m, &len);
		2492	pid = buffer_get_int64(m);
		2493	uid = buffer_get_int64(m);
		2494
		2495	audit_destroy_sensitive_data(fp, pid, uid);
		2496
		2497	xfree(fp);
		2498	buffer_clear(m);
		2499
		2500	mm_request_send(sock, MONITOR_ANS_AUDIT_SERVER_KEY_FREE, m);
		2501	return 0;
		2502	}
2473	#endif /* SSH_AUDIT_EVENTS */	2503	#endif /* SSH_AUDIT_EVENTS */

Lines 64-69 enum monitor_reqtype { Link Here

(-)openssh-5.9p1/monitor.h.audit5 (+1 lines)
64	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,	64	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
65	MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,	65	MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
66	MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,	66	MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
		67	MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MONITOR_ANS_AUDIT_SERVER_KEY_FREE,
67	MONITOR_REQ_TERM,	68	MONITOR_REQ_TERM,
68	MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,	69	MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
69	MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,	70	MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,




				  &m);
	buffer_free(&m);
}

void
mm_audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
{
	Buffer m;

	buffer_init(&m);
	buffer_put_cstring(&m, fp);
	buffer_put_int64(&m, pid);
	buffer_put_int64(&m, uid);

	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SERVER_KEY_FREE,
				  &m);
	buffer_free(&m);
}
#endif /* SSH_AUDIT_EVENTS */

Lines 81-86 void mm_audit_end_command(int, const cha Link Here

(-)openssh-5.9p1/monitor_wrap.h.audit5 (+1 lines)
81	void mm_audit_unsupported_body(int);	81	void mm_audit_unsupported_body(int);
82	void mm_audit_kex_body(int, char , char , char *, pid_t, uid_t);	82	void mm_audit_kex_body(int, char , char , char *, pid_t, uid_t);
83	void mm_audit_session_key_free_body(int, pid_t, uid_t);	83	void mm_audit_session_key_free_body(int, pid_t, uid_t);
		84	void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t);
84	#endif	85	#endif
85		86
86	struct Session;	87	struct Session;

Lines 136-142 extern int log_stderr; Link Here

(-)openssh-5.9p1/session.c.audit5 (-2 / +2 lines)
136	extern int debug_flag;	136	extern int debug_flag;
137	extern u_int utmp_len;	137	extern u_int utmp_len;
138	extern int startup_pipe;	138	extern int startup_pipe;
139	extern void destroy_sensitive_data(void);	139	extern void destroy_sensitive_data(int);
140	extern Buffer loginmsg;	140	extern Buffer loginmsg;
141		141
142	/* original command from peer. */	142	/* original command from peer. */
Lines 1633-1639 do_child(Session s, const char command Link Here
1633	int r = 0;	1633	int r = 0;
1634		1634
1635	/* remove hostkey from the child's memory */	1635	/* remove hostkey from the child's memory */
1636	destroy_sensitive_data();	1636	destroy_sensitive_data(1);
1637	/* Don't audit this - both us and the parent would be talking to the	1637	/* Don't audit this - both us and the parent would be talking to the
1638	monitor over a single socket, with no synchronization. */	1638	monitor over a single socket, with no synchronization. */
1639	packet_destroy_all(0, 1);	1639	packet_destroy_all(0, 1);

Lines 254-260 Buffer loginmsg; Link Here

(-)openssh-5.9p1/sshd.c.audit5 (-6 / +60 lines)
254	struct passwd *privsep_pw = NULL;	254	struct passwd *privsep_pw = NULL;
255		255
256	/* Prototypes for various functions defined later in this file. */	256	/* Prototypes for various functions defined later in this file. */
257	void destroy_sensitive_data(void);	257	void destroy_sensitive_data(int);
258	void demote_sensitive_data(void);	258	void demote_sensitive_data(void);
259		259
260	static void do_ssh1_kex(void);	260	static void do_ssh1_kex(void);
Lines 273-278 close_listen_socks(void) Link Here
273	num_listen_socks = -1;	273	num_listen_socks = -1;
274	}	274	}
275		275
		276	/*
		277	* Is this process listening for clients (i.e. not specific to any specific
		278	* client connection?)
		279	*/
		280	int listening_for_clients(void)
		281	{
		282	return num_listen_socks > 0;
		283	}
		284
276	static void	285	static void
277	close_startup_pipes(void)	286	close_startup_pipes(void)
278	{	287	{
Lines 533-554 sshd_exchange_identification(int sock_in Link Here
533	}	542	}
534	}	543	}
535		544
536	/* Destroy the host and server keys. They will no longer be needed. */	545	/*
		546	* Destroy the host and server keys. They will no longer be needed. Careful,
		547	* this can be called from cleanup_exit() - i.e. from just about anywhere.
		548	*/
537	void	549	void
538	destroy_sensitive_data(void)	550	destroy_sensitive_data(int privsep)
539	{	551	{
540	int i;	552	int i;
		553	pid_t pid;
		554	uid_t uid;
541		555
542	if (sensitive_data.server_key) {	556	if (sensitive_data.server_key) {
543	key_free(sensitive_data.server_key);	557	key_free(sensitive_data.server_key);
544	sensitive_data.server_key = NULL;	558	sensitive_data.server_key = NULL;
545	}	559	}
		560	pid = getpid();
		561	uid = getuid();
546	for (i = 0; i < options.num_host_key_files; i++) {	562	for (i = 0; i < options.num_host_key_files; i++) {
547	if (sensitive_data.host_keys[i]) {	563	if (sensitive_data.host_keys[i]) {
		564	char *fp;
		565
		566	if (key_is_private(sensitive_data.host_keys[i]))
		567	fp = key_fingerprint(sensitive_data.host_keys[i],
		568	FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
		569	SSH_FP_HEX);
		570	else
		571	fp = NULL;
548	key_free(sensitive_data.host_keys[i]);	572	key_free(sensitive_data.host_keys[i]);
549	sensitive_data.host_keys[i] = NULL;	573	sensitive_data.host_keys[i] = NULL;
		574	if (fp != NULL) {
		575	if (privsep)
		576	PRIVSEP(audit_destroy_sensitive_data(fp,
		577	pid, uid));
		578	else
		579	audit_destroy_sensitive_data(fp,
		580	pid, uid);
		581	xfree(fp);
		582	}
550	}	583	}
551	if (sensitive_data.host_certificates[i]) {	584	if (sensitive_data.host_certificates
		585	&& sensitive_data.host_certificates[i]) {
552	key_free(sensitive_data.host_certificates[i]);	586	key_free(sensitive_data.host_certificates[i]);
553	sensitive_data.host_certificates[i] = NULL;	587	sensitive_data.host_certificates[i] = NULL;
554	}	588	}
Lines 562-567 void Link Here
562	demote_sensitive_data(void)	596	demote_sensitive_data(void)
563	{	597	{
564	Key *tmp;	598	Key *tmp;
		599	pid_t pid;
		600	uid_t uid;
565	int i;	601	int i;
566		602
567	if (sensitive_data.server_key) {	603	if (sensitive_data.server_key) {
Lines 570-582 demote_sensitive_data(void) Link Here
570	sensitive_data.server_key = tmp;	606	sensitive_data.server_key = tmp;
571	}	607	}
572		608
		609	pid = getpid();
		610	uid = getuid();
573	for (i = 0; i < options.num_host_key_files; i++) {	611	for (i = 0; i < options.num_host_key_files; i++) {
574	if (sensitive_data.host_keys[i]) {	612	if (sensitive_data.host_keys[i]) {
		613	char *fp;
		614
		615	if (key_is_private(sensitive_data.host_keys[i]))
		616	fp = key_fingerprint(sensitive_data.host_keys[i],
		617	FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
		618	SSH_FP_HEX);
		619	else
		620	fp = NULL;
575	tmp = key_demote(sensitive_data.host_keys[i]);	621	tmp = key_demote(sensitive_data.host_keys[i]);
576	key_free(sensitive_data.host_keys[i]);	622	key_free(sensitive_data.host_keys[i]);
577	sensitive_data.host_keys[i] = tmp;	623	sensitive_data.host_keys[i] = tmp;
578	if (tmp->type == KEY_RSA1)	624	if (tmp->type == KEY_RSA1)
579	sensitive_data.ssh1_host_key = tmp;	625	sensitive_data.ssh1_host_key = tmp;
		626	if (fp != NULL) {
		627	audit_destroy_sensitive_data(fp, pid, uid);
		628	xfree(fp);
		629	}
580	}	630	}
581	/* Certs do not need demotion */	631	/* Certs do not need demotion */
582	}	632	}
Lines 1145-1150 server_accept_loop(int sock_in, int so Link Here
1145	if (received_sigterm) {	1195	if (received_sigterm) {
1146	logit("Received signal %d; terminating.",	1196	logit("Received signal %d; terminating.",
1147	(int) received_sigterm);	1197	(int) received_sigterm);
		1198	destroy_sensitive_data(0);
1148	close_listen_socks();	1199	close_listen_socks();
1149	unlink(options.pid_file);	1200	unlink(options.pid_file);
1150	exit(received_sigterm == SIGTERM ? 0 : 255);	1201	exit(received_sigterm == SIGTERM ? 0 : 255);
Lines 2050-2056 main(int ac, char **av) Link Here
2050	privsep_postauth(authctxt);	2101	privsep_postauth(authctxt);
2051	/* the monitor process [priv] will not return */	2102	/* the monitor process [priv] will not return */
2052	if (!compat20)	2103	if (!compat20)
2053	destroy_sensitive_data();	2104	destroy_sensitive_data(0);
2054	}	2105	}
2055		2106
2056	packet_set_timeout(options.client_alive_interval,	2107	packet_set_timeout(options.client_alive_interval,
Lines 2061-2066 main(int ac, char **av) Link Here
2061		2112
2062	/* The connection has been terminated. */	2113	/* The connection has been terminated. */
2063	packet_destroy_all(1, 1);	2114	packet_destroy_all(1, 1);
		2115	destroy_sensitive_data(1);
2064		2116
2065	packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);	2117	packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
2066	packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);	2118	packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
Lines 2289-2295 do_ssh1_kex(void) Link Here
2289	session_id[i] = session_key[i] ^ session_key[i + 16];	2341	session_id[i] = session_key[i] ^ session_key[i + 16];
2290	}	2342	}
2291	/* Destroy the private and public keys. No longer. */	2343	/* Destroy the private and public keys. No longer. */
2292	destroy_sensitive_data();	2344	destroy_sensitive_data(0);
2293		2345
2294	if (use_privsep)	2346	if (use_privsep)
2295	mm_ssh1_session_id(session_id);	2347	mm_ssh1_session_id(session_id);
Lines 2392-2397 cleanup_exit(int i) Link Here
2392	if (the_authctxt)	2444	if (the_authctxt)
2393	do_cleanup(the_authctxt);	2445	do_cleanup(the_authctxt);
2394	is_privsep_child = use_privsep && pmonitor != NULL && !mm_is_monitor();	2446	is_privsep_child = use_privsep && pmonitor != NULL && !mm_is_monitor();
		2447	if (sensitive_data.host_keys != NULL)
		2448	destroy_sensitive_data(is_privsep_child);
2395	packet_destroy_all(1, is_privsep_child);	2449	packet_destroy_all(1, is_privsep_child);
2396	#ifdef SSH_AUDIT_EVENTS	2450	#ifdef SSH_AUDIT_EVENTS
2397	/* done after do_cleanup so it can cancel the PAM auth 'thread' */	2451	/* done after do_cleanup so it can cancel the PAM auth 'thread' */

Return to bug 1402

Lines 414-417 audit_session_key_free_body(int ctos, pi Link Here

(-)openssh-5.9p1/audit-bsm.c.audit5 (+18 lines)
414	{	414	{
415	/* not implemented */	415	/* not implemented */
416	}	416	}
		417
		418	void
		419	audit_destroy_sensitive_data(const char *fp)
		420	{
		421	/* not implemented */
		422	}
		423
		424	void
		425	audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
		426	{
		427	/* not implemented */
		428	}
		429
		430	void
		431	audit_generate_ephemeral_server_key(const char *fp)
		432	{
		433	/* not implemented */
		434	}
417	#endif /* BSM */	435	#endif /* BSM */

Lines 350-353 audit_session_key_free_body(int ctos, pi Link Here

(-)openssh-5.9p1/audit-linux.c.audit5 (+46 lines)
350	error("cannot write into audit");	350	error("cannot write into audit");
351	}	351	}
352		352
		353	void
		354	audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
		355	{
		356	char buf[AUDIT_LOG_SIZE];
		357	int audit_fd, audit_ok;
		358
		359	snprintf(buf, sizeof(buf), "op=destroy kind=server fp=%s direction=? spid=%jd suid=%jd ",
		360	fp, (intmax_t)pid, (intmax_t)uid);
		361	audit_fd = audit_open();
		362	if (audit_fd < 0) {
		363	if (errno != EINVAL && errno != EPROTONOSUPPORT &&
		364	errno != EAFNOSUPPORT)
		365	error("cannot open audit");
		366	return;
		367	}
		368	audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
		369	buf, NULL,
		370	listening_for_clients() ? NULL : get_remote_ipaddr(),
		371	NULL, 1);
		372	audit_close(audit_fd);
		373	/* do not abort if the error is EPERM and sshd is run as non root user */
		374	if ((audit_ok < 0) && ((audit_ok != -1) \|\| (getuid() == 0)))
		375	error("cannot write into audit");
		376	}
		377
		378	void
		379	audit_generate_ephemeral_server_key(const char *fp)
		380	{
		381	char buf[AUDIT_LOG_SIZE];
		382	int audit_fd, audit_ok;
		383
		384	snprintf(buf, sizeof(buf), "op=create kind=server fp=%s direction=? ", fp);
		385	audit_fd = audit_open();
		386	if (audit_fd < 0) {
		387	if (errno != EINVAL && errno != EPROTONOSUPPORT &&
		388	errno != EAFNOSUPPORT)
		389	error("cannot open audit");
		390	return;
		391	}
		392	audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
		393	buf, NULL, 0, NULL, 1);
		394	audit_close(audit_fd);
		395	/* do not abort if the error is EPERM and sshd is run as non root user */
		396	if ((audit_ok < 0) && ((audit_ok != -1) \|\| (getuid() == 0)))
		397	error("cannot write into audit");
		398	}
353	#endif /* USE_LINUX_AUDIT */	399	#endif /* USE_LINUX_AUDIT */

Lines 1799-1804 key_demote(const Key *k) Link Here

(-)openssh-5.9p1/key.c.audit5 (+24 lines)
1799	}	1799	}
1800		1800
1801	int	1801	int
		1802	key_is_private(const Key *k)
		1803	{
		1804	switch (k->type) {
		1805	case KEY_RSA_CERT_V00:
		1806	case KEY_RSA_CERT:
		1807	case KEY_RSA1:
		1808	case KEY_RSA:
		1809	return k->rsa->d != NULL;
		1810	case KEY_DSA_CERT_V00:
		1811	case KEY_DSA_CERT:
		1812	case KEY_DSA:
		1813	return k->dsa->priv_key != NULL;
		1814	#ifdef OPENSSL_HAS_ECC
		1815	case KEY_ECDSA_CERT:
		1816	case KEY_ECDSA:
		1817	return EC_KEY_get0_private_key(k->ecdsa) != NULL;
		1818	#endif
		1819	default:
		1820	fatal("key_is_private: bad key type %d", k->type);
		1821	return 1;
		1822	}
		1823	}
		1824
		1825	int
1802	key_is_cert(const Key *k)	1826	key_is_cert(const Key *k)
1803	{	1827	{
1804	if (k == NULL)	1828	if (k == NULL)

Lines 1559-1562 mm_audit_session_key_free_body(int ctos, Link Here

(-)openssh-5.9p1/monitor_wrap.c.audit5 (+16 lines)
1559	&m);	1559	&m);
1560	buffer_free(&m);	1560	buffer_free(&m);
1561	}	1561	}
		1562
		1563	void
		1564	mm_audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
		1565	{
		1566	Buffer m;
		1567
		1568	buffer_init(&m);
		1569	buffer_put_cstring(&m, fp);
		1570	buffer_put_int64(&m, pid);
		1571	buffer_put_int64(&m, uid);
		1572
		1573	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
		1574	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SERVER_KEY_FREE,
		1575	&m);
		1576	buffer_free(&m);
		1577	}
1562	#endif /* SSH_AUDIT_EVENTS */	1578	#endif /* SSH_AUDIT_EVENTS */

Lines 290-294 audit_session_key_free_body(int ctos, pi Link Here

(-)openssh-5.9p1/audit.c.audit5 (+19 lines)
290	debug("audit session key discard euid %u direction %d from pid %ld uid %u",	290	debug("audit session key discard euid %u direction %d from pid %ld uid %u",
291	(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);	291	(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
292	}	292	}
		293
		294	/*
		295	* This will be called on destroy private part of the server key
		296	*/
		297	void
		298	audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
		299	{
		300	debug("audit destroy sensitive data euid %d fingerprint %s from pid %ld uid %u",
		301	geteuid(), fp, (long)pid, (unsigned)uid);
		302	}
		303
		304	/*
		305	* This will be called on generation of the ephemeral server key
		306	*/
		307	void
		308	audit_generate_ephemeral_server_key(const char *)
		309	{
		310	debug("audit create ephemeral server key euid %d fingerprint %s", geteuid(), fp);
		311	}
293	# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */	312	# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
294	#endif /* SSH_AUDIT_EVENTS */	313	#endif /* SSH_AUDIT_EVENTS */