237 lines
8.4 KiB
Diff
237 lines
8.4 KiB
Diff
diff -up openssh-5.6p1/audit-bsm.c.audit4 openssh-5.6p1/audit-bsm.c
|
|
--- openssh-5.6p1/audit-bsm.c.audit4 2011-01-12 14:01:50.000000000 +0100
|
|
+++ openssh-5.6p1/audit-bsm.c 2011-01-12 14:01:51.000000000 +0100
|
|
@@ -395,4 +395,10 @@ audit_kex_body(int ctos, char *enc, char
|
|
{
|
|
/* not implemented */
|
|
}
|
|
+
|
|
+void
|
|
+audit_session_key_free_body(int ctos)
|
|
+{
|
|
+ /* not implemented */
|
|
+}
|
|
#endif /* BSM */
|
|
diff -up openssh-5.6p1/audit.c.audit4 openssh-5.6p1/audit.c
|
|
--- openssh-5.6p1/audit.c.audit4 2011-01-12 14:01:50.000000000 +0100
|
|
+++ openssh-5.6p1/audit.c 2011-01-12 14:01:51.000000000 +0100
|
|
@@ -152,6 +152,12 @@ audit_kex(int ctos, char *enc, char *mac
|
|
PRIVSEP(audit_kex_body(ctos, enc, mac, comp));
|
|
}
|
|
|
|
+void
|
|
+audit_session_key_free(int ctos)
|
|
+{
|
|
+ PRIVSEP(audit_session_key_free_body(ctos));
|
|
+}
|
|
+
|
|
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
|
/*
|
|
* Null implementations of audit functions.
|
|
@@ -254,5 +260,13 @@ audit_kex_body(int ctos, char *enc, char
|
|
debug("audit procol negotiation euid %d direction %d cipher %s mac %s compresion %s",
|
|
geteuid(), ctos, enc, mac, compress);
|
|
}
|
|
+
|
|
+/*
|
|
+ * This will be called on succesfull session key discard
|
|
+ */
|
|
+audit_session_key_free_body(int ctos)
|
|
+{
|
|
+ debug("audit session key discard euid %d direction %d", geteuid(), ctos);
|
|
+}
|
|
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
|
#endif /* SSH_AUDIT_EVENTS */
|
|
diff -up openssh-5.6p1/audit.h.audit4 openssh-5.6p1/audit.h
|
|
--- openssh-5.6p1/audit.h.audit4 2011-01-12 14:01:50.000000000 +0100
|
|
+++ openssh-5.6p1/audit.h 2011-01-12 14:01:51.000000000 +0100
|
|
@@ -60,5 +60,7 @@ void audit_unsupported(int);
|
|
void audit_kex(int, char *, char *, char *);
|
|
void audit_unsupported_body(int);
|
|
void audit_kex_body(int, char *, char *, char *);
|
|
+void audit_session_key_free(int ctos);
|
|
+void audit_session_key_free_body(int ctos);
|
|
|
|
#endif /* _SSH_AUDIT_H */
|
|
diff -up openssh-5.6p1/audit-linux.c.audit4 openssh-5.6p1/audit-linux.c
|
|
--- openssh-5.6p1/audit-linux.c.audit4 2011-01-12 14:01:50.000000000 +0100
|
|
+++ openssh-5.6p1/audit-linux.c 2011-01-12 14:04:15.000000000 +0100
|
|
@@ -174,13 +174,14 @@ audit_unsupported_body(int what)
|
|
#endif
|
|
}
|
|
|
|
+const static char *direction[] = { "from-server", "from-client", "both" };
|
|
+
|
|
void
|
|
audit_kex_body(int ctos, char *enc, char *mac, char *compress)
|
|
{
|
|
#ifdef AUDIT_CRYPTO_SESSION
|
|
char buf[AUDIT_LOG_SIZE];
|
|
int audit_fd, audit_ok;
|
|
- const static char *direction[] = { "from-server", "from-client", "both" };
|
|
Cipher *cipher = cipher_by_name(enc);
|
|
|
|
snprintf(buf, sizeof(buf), "start direction=%s cipher=%s, ksize=%d rport=%d laddr=%s lport=%d",
|
|
@@ -203,4 +204,26 @@ audit_kex_body(int ctos, char *enc, char
|
|
#endif
|
|
}
|
|
|
|
+void
|
|
+audit_session_key_free_body(int ctos)
|
|
+{
|
|
+ char buf[AUDIT_LOG_SIZE];
|
|
+ int audit_fd, audit_ok;
|
|
+
|
|
+ snprintf(buf, sizeof(buf), "destroy kind=session direction=%s", direction[ctos]);
|
|
+ audit_fd = audit_open();
|
|
+ if (audit_fd < 0) {
|
|
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
|
|
+ errno != EAFNOSUPPORT)
|
|
+ error("cannot open audit");
|
|
+ return;
|
|
+ }
|
|
+ audit_ok = audit_log_acct_message(audit_fd, AUDIT_CRYPTO_KEY_USER, NULL,
|
|
+ buf, NULL, -1, NULL, get_remote_ipaddr(), NULL, 1);
|
|
+ audit_close(audit_fd);
|
|
+ /* do not abort if the error is EPERM and sshd is run as non root user */
|
|
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
|
|
+ error("cannot write into audit");
|
|
+}
|
|
+
|
|
#endif /* USE_LINUX_AUDIT */
|
|
diff -up openssh-5.6p1/auditstub.c.audit4 openssh-5.6p1/auditstub.c
|
|
--- openssh-5.6p1/auditstub.c.audit4 2011-01-12 14:01:50.000000000 +0100
|
|
+++ openssh-5.6p1/auditstub.c 2011-01-12 14:01:51.000000000 +0100
|
|
@@ -37,3 +37,7 @@ audit_kex(int ctos, char *enc, char *mac
|
|
{
|
|
}
|
|
|
|
+void
|
|
+audit_session_key_free(int ctos)
|
|
+{
|
|
+}
|
|
diff -up openssh-5.6p1/monitor.c.audit4 openssh-5.6p1/monitor.c
|
|
--- openssh-5.6p1/monitor.c.audit4 2011-01-12 14:01:51.000000000 +0100
|
|
+++ openssh-5.6p1/monitor.c 2011-01-12 14:01:51.000000000 +0100
|
|
@@ -180,6 +180,7 @@ int mm_answer_audit_event(int, Buffer *)
|
|
int mm_answer_audit_command(int, Buffer *);
|
|
int mm_answer_audit_unsupported_body(int, Buffer *);
|
|
int mm_answer_audit_kex_body(int, Buffer *);
|
|
+int mm_answer_audit_session_key_free_body(int, Buffer *);
|
|
#endif
|
|
|
|
static Authctxt *authctxt;
|
|
@@ -230,6 +231,7 @@ struct mon_table mon_dispatch_proto20[]
|
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
|
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
|
#endif
|
|
#ifdef BSD_AUTH
|
|
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
|
@@ -268,6 +270,7 @@ struct mon_table mon_dispatch_postauth20
|
|
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
|
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
|
#endif
|
|
{0, 0, NULL}
|
|
};
|
|
@@ -301,6 +304,7 @@ struct mon_table mon_dispatch_proto15[]
|
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
|
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
|
#endif
|
|
{0, 0, NULL}
|
|
};
|
|
@@ -314,6 +318,7 @@ struct mon_table mon_dispatch_postauth15
|
|
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
|
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
|
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
|
#endif
|
|
{0, 0, NULL}
|
|
};
|
|
@@ -2252,4 +2257,18 @@ mm_answer_audit_kex_body(int sock, Buffe
|
|
return 0;
|
|
}
|
|
|
|
+int
|
|
+mm_answer_audit_session_key_free_body(int sock, Buffer *m)
|
|
+{
|
|
+ int ctos;
|
|
+
|
|
+ ctos = buffer_get_int(m);
|
|
+
|
|
+ audit_session_key_free_body(ctos);
|
|
+
|
|
+ buffer_clear(m);
|
|
+
|
|
+ mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
|
|
+ return 0;
|
|
+}
|
|
#endif /* SSH_AUDIT_EVENTS */
|
|
diff -up openssh-5.6p1/monitor.h.audit4 openssh-5.6p1/monitor.h
|
|
--- openssh-5.6p1/monitor.h.audit4 2011-01-12 14:01:51.000000000 +0100
|
|
+++ openssh-5.6p1/monitor.h 2011-01-12 14:01:51.000000000 +0100
|
|
@@ -68,6 +68,7 @@ enum monitor_reqtype {
|
|
MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
|
|
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
|
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
|
|
+ MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
|
|
};
|
|
|
|
struct mm_master;
|
|
diff -up openssh-5.6p1/monitor_wrap.c.audit4 openssh-5.6p1/monitor_wrap.c
|
|
--- openssh-5.6p1/monitor_wrap.c.audit4 2011-01-12 14:01:51.000000000 +0100
|
|
+++ openssh-5.6p1/monitor_wrap.c 2011-01-12 14:01:51.000000000 +0100
|
|
@@ -1445,4 +1445,17 @@ mm_audit_kex_body(int ctos, char *cipher
|
|
|
|
buffer_free(&m);
|
|
}
|
|
+
|
|
+void
|
|
+mm_audit_session_key_free_body(int ctos)
|
|
+{
|
|
+ Buffer m;
|
|
+
|
|
+ buffer_init(&m);
|
|
+ buffer_put_int(&m, ctos);
|
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, &m);
|
|
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
|
|
+ &m);
|
|
+ buffer_free(&m);
|
|
+}
|
|
#endif /* SSH_AUDIT_EVENTS */
|
|
diff -up openssh-5.6p1/monitor_wrap.h.audit4 openssh-5.6p1/monitor_wrap.h
|
|
--- openssh-5.6p1/monitor_wrap.h.audit4 2011-01-12 14:01:51.000000000 +0100
|
|
+++ openssh-5.6p1/monitor_wrap.h 2011-01-12 14:01:51.000000000 +0100
|
|
@@ -76,6 +76,7 @@ void mm_audit_event(ssh_audit_event_t);
|
|
void mm_audit_run_command(const char *);
|
|
void mm_audit_unsupported_body(int);
|
|
void mm_audit_kex_body(int, char *, char *, char *);
|
|
+void mm_audit_session_key_free_body(int);
|
|
#endif
|
|
|
|
struct Session;
|
|
diff -up openssh-5.6p1/packet.c.audit4 openssh-5.6p1/packet.c
|
|
--- openssh-5.6p1/packet.c.audit4 2010-07-16 05:58:37.000000000 +0200
|
|
+++ openssh-5.6p1/packet.c 2011-01-12 14:01:51.000000000 +0100
|
|
@@ -495,6 +495,7 @@ packet_close(void)
|
|
buffer_free(&active_state->compression_buffer);
|
|
buffer_compress_uninit();
|
|
}
|
|
+ audit_session_key_free(2);
|
|
cipher_cleanup(&active_state->send_context);
|
|
cipher_cleanup(&active_state->receive_context);
|
|
}
|
|
@@ -749,6 +750,7 @@ set_newkeys(int mode)
|
|
}
|
|
if (active_state->newkeys[mode] != NULL) {
|
|
debug("set_newkeys: rekeying");
|
|
+ audit_session_key_free(mode);
|
|
cipher_cleanup(cc);
|
|
enc = &active_state->newkeys[mode]->enc;
|
|
mac = &active_state->newkeys[mode]->mac;
|