rpms / openssh

Clone
Source Code
GIT

Blame openssh-5.9p1-audit2.patch

86_addmissingnb f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f7 f8 f9 fix_f38_terrapin fix_f39_terrapin gsskexfix main master-future openssh85286 openssh96_rebase_combined openssh_96rebase openssh_rebase_90to93 openssh_rebase_90to93_cont openssh_rebase_90to93_fin private-controlpersist-4_3p2-9-branch private-master-vanilla private-openssh-4_5p1-6-controlpersist-branch rawhide sshkeysign_fix
  1.   69dd72f6efd594bc63f7f5e094901adc61493a78
  2.   openssh-5.9p1-audit2.patch
Blob History Raw
Jan F. Chadima 69dd72f 
diff -up openssh-5.9p0/audit-bsm.c.audit2 openssh-5.9p0/audit-bsm.c
Jan F. Chadima 69dd72f 
--- openssh-5.9p0/audit-bsm.c.audit2	2011-08-30 10:55:35.281025258 +0200
Jan F. Chadima 69dd72f 
+++ openssh-5.9p0/audit-bsm.c	2011-08-30 10:55:37.500052231 +0200
Jan F. Chadima 69dd72f 
@@ -329,6 +329,12 @@ audit_session_close(struct logininfo *li
Jan F. Chadima 69dd72f 
 	/* not implemented */
Jan F. Chadima 69dd72f 
 }
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
+int
Jan F. Chadima 69dd72f 
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
Jan F. Chadima 69dd72f 
+{
Jan F. Chadima 69dd72f 
+	/* not implemented */
Jan F. Chadima 69dd72f 
+}
Jan F. Chadima 69dd72f 
+
Jan F. Chadima 69dd72f 
 void
Jan F. Chadima 69dd72f 
 audit_event(ssh_audit_event_t event)
Jan F. Chadima 69dd72f 
 {
Jan F. Chadima 69dd72f 
diff -up openssh-5.9p0/audit-linux.c.audit2 openssh-5.9p0/audit-linux.c
Jan F. Chadima 69dd72f 
--- openssh-5.9p0/audit-linux.c.audit2	2011-08-30 10:55:35.385102905 +0200
Jan F. Chadima 69dd72f 
+++ openssh-5.9p0/audit-linux.c	2011-08-30 10:55:38.009088040 +0200
Jan F. Chadima 69dd72f 
@@ -41,6 +41,8 @@
Jan F. Chadima 69dd72f 
 #include "servconf.h"
Jan F. Chadima 69dd72f 
 #include "canohost.h"
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
+#define AUDIT_LOG_SIZE 128
Jan F. Chadima 69dd72f 
+
Jan F. Chadima 69dd72f 
 extern ServerOptions options;
Jan F. Chadima 69dd72f 
 extern Authctxt *the_authctxt;
Jan F. Chadima 69dd72f 
 extern u_int utmp_len;
Jan F. Chadima 69dd72f 
@@ -130,6 +132,37 @@ fatal_report:
Jan F. Chadima 69dd72f 
 	}
Jan F. Chadima 69dd72f 
 }
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
+int
Jan F. Chadima 69dd72f 
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
Jan F. Chadima 69dd72f 
+{
Jan F. Chadima 69dd72f 
+	char buf[AUDIT_LOG_SIZE];
Jan F. Chadima 69dd72f 
+	int audit_fd, rc, saved_errno;
Jan F. Chadima 69dd72f 
+
Jan F. Chadima 69dd72f 
+	audit_fd = audit_open();
Jan F. Chadima 69dd72f 
+	if (audit_fd < 0) {
Jan F. Chadima 69dd72f 
+		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
Jan F. Chadima 69dd72f 
+					 errno == EAFNOSUPPORT)
Jan F. Chadima 69dd72f 
+			return 1; /* No audit support in kernel */
Jan F. Chadima 69dd72f 
+		else
Jan F. Chadima 69dd72f 
+			return 0; /* Must prevent login */
Jan F. Chadima 69dd72f 
+	}
Jan F. Chadima 69dd72f 
+	snprintf(buf, sizeof(buf), "%s_auth rport=%d", host_user ? "pubkey" : "hostbased", get_remote_port());
Jan F. Chadima 69dd72f 
+	rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
Jan F. Chadima 69dd72f 
+		buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
Jan F. Chadima 69dd72f 
+	if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
Jan F. Chadima 69dd72f 
+		goto out;
Jan F. Chadima 69dd72f 
+	snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s%s rport=%d",
Jan F. Chadima 69dd72f 
+			type, bits, key_fingerprint_prefix(), fp, get_remote_port());
Jan F. Chadima 69dd72f 
+	rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
Jan F. Chadima 69dd72f 
+		buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
Jan F. Chadima 69dd72f 
+out:
Jan F. Chadima 69dd72f 
+	saved_errno = errno;
Jan F. Chadima 69dd72f 
+	audit_close(audit_fd);
Jan F. Chadima 69dd72f 
+	errno = saved_errno;
Jan F. Chadima 69dd72f 
+	/* do not report error if the error is EPERM and sshd is run as non root user */
Jan F. Chadima 69dd72f 
+	return (rc >= 0) || ((rc == -EPERM) && (getuid() != 0));
Jan F. Chadima 69dd72f 
+}
Jan F. Chadima 69dd72f 
+
Jan F. Chadima 69dd72f 
 static int user_login_count = 0;
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
 /* Below is the sshd audit API code */
Jan F. Chadima 69dd72f 
diff -up openssh-5.9p0/audit.c.audit2 openssh-5.9p0/audit.c
Jan F. Chadima 69dd72f 
--- openssh-5.9p0/audit.c.audit2	2011-08-30 10:55:35.523141273 +0200
Jan F. Chadima 69dd72f 
+++ openssh-5.9p0/audit.c	2011-08-30 10:55:37.658024710 +0200
Jan F. Chadima 69dd72f 
@@ -36,6 +36,7 @@
Jan F. Chadima 69dd72f 
 #include "key.h"
Jan F. Chadima 69dd72f 
 #include "hostfile.h"
Jan F. Chadima 69dd72f 
 #include "auth.h"
Jan F. Chadima 69dd72f 
+#include "xmalloc.h"
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
 /*
Jan F. Chadima 69dd72f 
  * Care must be taken when using this since it WILL NOT be initialized when
Jan F. Chadima 69dd72f 
@@ -111,6 +112,22 @@ audit_event_lookup(ssh_audit_event_t ev)
Jan F. Chadima 69dd72f 
 	return(event_lookup[i].name);
Jan F. Chadima 69dd72f 
 }
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
+void
Jan F. Chadima 69dd72f 
+audit_key(int host_user, int *rv, const Key *key)
Jan F. Chadima 69dd72f 
+{
Jan F. Chadima 69dd72f 
+	char *fp;
Jan F. Chadima 69dd72f 
+	const char *crypto_name;
Jan F. Chadima 69dd72f 
+
Jan F. Chadima 69dd72f 
+	fp = key_selected_fingerprint(key, SSH_FP_HEX);
Jan F. Chadima 69dd72f 
+	if (key->type == KEY_RSA1)
Jan F. Chadima 69dd72f 
+		crypto_name = "ssh-rsa1";
Jan F. Chadima 69dd72f 
+	else
Jan F. Chadima 69dd72f 
+		crypto_name = key_ssh_name(key);
Jan F. Chadima 69dd72f 
+	if (audit_keyusage(host_user, crypto_name, key_size(key), fp, *rv) == 0)
Jan F. Chadima 69dd72f 
+		*rv = 0;
Jan F. Chadima 69dd72f 
+	xfree(fp);
Jan F. Chadima 69dd72f 
+}
Jan F. Chadima 69dd72f 
+
Jan F. Chadima 69dd72f 
 # ifndef CUSTOM_SSH_AUDIT_EVENTS
Jan F. Chadima 69dd72f 
 /*
Jan F. Chadima 69dd72f 
  * Null implementations of audit functions.
Jan F. Chadima 69dd72f 
@@ -209,5 +226,17 @@ audit_end_command(int handle, const char
Jan F. Chadima 69dd72f 
 	    audit_username(), command);
Jan F. Chadima 69dd72f 
 }
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
+/*
Jan F. Chadima 69dd72f 
+ * This will be called when user is successfully autherized by the RSA1/RSA/DSA key.
Jan F. Chadima 69dd72f 
+ *
Jan F. Chadima 69dd72f 
+ * Type is the key type, len is the key length(byte) and fp is the fingerprint of the key.
Jan F. Chadima 69dd72f 
+ */
Jan F. Chadima 69dd72f 
+int
Jan F. Chadima 69dd72f 
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
Jan F. Chadima 69dd72f 
+{
Jan F. Chadima 69dd72f 
+	debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s%s, result %d",
Jan F. Chadima 69dd72f 
+		host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), type, bits,
Jan F. Chadima 69dd72f 
+		key_fingerprint_prefix(), fp, rv);
Jan F. Chadima 69dd72f 
+}
Jan F. Chadima 69dd72f 
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
Jan F. Chadima 69dd72f 
 #endif /* SSH_AUDIT_EVENTS */
Jan F. Chadima 69dd72f 
diff -up openssh-5.9p0/audit.h.audit2 openssh-5.9p0/audit.h
Jan F. Chadima 69dd72f 
--- openssh-5.9p0/audit.h.audit2	2011-08-30 10:55:35.723122290 +0200
Jan F. Chadima 69dd72f 
+++ openssh-5.9p0/audit.h	2011-08-30 10:55:37.905212176 +0200
Jan F. Chadima 69dd72f 
@@ -28,6 +28,7 @@
Jan F. Chadima 69dd72f 
 # define _SSH_AUDIT_H
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
 #include "loginrec.h"
Jan F. Chadima 69dd72f 
+#include "key.h"
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
 enum ssh_audit_event_type {
Jan F. Chadima 69dd72f 
 	SSH_LOGIN_EXCEED_MAXTRIES,
Jan F. Chadima 69dd72f 
@@ -55,5 +56,7 @@ void	audit_session_close(struct logininf
Jan F. Chadima 69dd72f 
 int	audit_run_command(const char *);
Jan F. Chadima 69dd72f 
 void 	audit_end_command(int, const char *);
Jan F. Chadima 69dd72f 
 ssh_audit_event_t audit_classify_auth(const char *);
Jan F. Chadima 69dd72f 
+int	audit_keyusage(int, const char *, unsigned, char *, int);
Jan F. Chadima 69dd72f 
+void	audit_key(int, int *, const Key *);
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
 #endif /* _SSH_AUDIT_H */
Jan F. Chadima 69dd72f 
diff -up openssh-5.9p0/auth-rsa.c.audit2 openssh-5.9p0/auth-rsa.c
Jan F. Chadima 69dd72f 
--- openssh-5.9p0/auth-rsa.c.audit2	2011-08-30 10:55:33.120097071 +0200
Jan F. Chadima 69dd72f 
+++ openssh-5.9p0/auth-rsa.c	2011-08-30 10:55:38.729025376 +0200
Jan F. Chadima 69dd72f 
@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
Jan F. Chadima 69dd72f 
 {
Jan F. Chadima 69dd72f 
 	u_char buf[32], mdbuf[16];
Jan F. Chadima 69dd72f 
 	MD5_CTX md;
Jan F. Chadima 69dd72f 
-	int len;
Jan F. Chadima 69dd72f 
+	int len, rv;
Jan F. Chadima 69dd72f 
+#ifdef SSH_AUDIT_EVENTS
Jan F. Chadima 69dd72f 
+	char *fp;
Jan F. Chadima 69dd72f 
+#endif
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
 	/* don't allow short keys */
Jan F. Chadima 69dd72f 
 	if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
Jan F. Chadima 69dd72f 
@@ -113,12 +116,18 @@ auth_rsa_verify_response(Key *key, BIGNU
Jan F. Chadima 69dd72f 
 	MD5_Final(mdbuf, &md);
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
 	/* Verify that the response is the original challenge. */
Jan F. Chadima 69dd72f 
-	if (timingsafe_bcmp(response, mdbuf, 16) != 0) {
Jan F. Chadima 69dd72f 
-		/* Wrong answer. */
Jan F. Chadima 69dd72f 
-		return (0);
Jan F. Chadima 69dd72f 
+	rv = timingsafe_bcmp(response, mdbuf, 16) == 0;
Jan F. Chadima 69dd72f 
+
Jan F. Chadima 69dd72f 
+#ifdef SSH_AUDIT_EVENTS
Jan F. Chadima 69dd72f 
+	fp = key_selected_fingerprint(key, SSH_FP_HEX);
Jan F. Chadima 69dd72f 
+	if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {
Jan F. Chadima 69dd72f 
+		debug("unsuccessful audit");
Jan F. Chadima 69dd72f 
+		rv = 0;
Jan F. Chadima 69dd72f 
 	}
Jan F. Chadima 69dd72f 
-	/* Correct answer. */
Jan F. Chadima 69dd72f 
-	return (1);
Jan F. Chadima 69dd72f 
+	xfree(fp);
Jan F. Chadima 69dd72f 
+#endif
Jan F. Chadima 69dd72f 
+
Jan F. Chadima 69dd72f 
+	return rv;
Jan F. Chadima 69dd72f 
 }
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
 /*
Jan F. Chadima 69dd72f 
diff -up openssh-5.9p0/auth.h.audit2 openssh-5.9p0/auth.h
Jan F. Chadima 69dd72f 
--- openssh-5.9p0/auth.h.audit2	2011-05-29 13:39:38.000000000 +0200
Jan F. Chadima 69dd72f 
+++ openssh-5.9p0/auth.h	2011-08-30 10:57:43.238087347 +0200
Jan F. Chadima 69dd72f 
@@ -170,6 +170,7 @@ void	abandon_challenge_response(Authctxt
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
 char	*expand_authorized_keys(const char *, struct passwd *pw);
Jan F. Chadima 69dd72f 
 char	*authorized_principals_file(struct passwd *);
Jan F. Chadima 69dd72f 
+int	 user_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
 FILE	*auth_openkeyfile(const char *, struct passwd *, int);
Jan F. Chadima 69dd72f 
 FILE	*auth_openprincipals(const char *, struct passwd *, int);
Jan F. Chadima 69dd72f 
@@ -185,6 +186,7 @@ Key	*get_hostkey_public_by_type(int);
Jan F. Chadima 69dd72f 
 Key	*get_hostkey_private_by_type(int);
Jan F. Chadima 69dd72f 
 int	 get_hostkey_index(Key *);
Jan F. Chadima 69dd72f 
 int	 ssh1_session_key(BIGNUM *);
Jan F. Chadima 69dd72f 
+int	 hostbased_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
 /* debug messages during authentication */
Jan F. Chadima 69dd72f 
 void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
Jan F. Chadima 69dd72f 
diff -up openssh-5.9p0/auth2-hostbased.c.audit2 openssh-5.9p0/auth2-hostbased.c
Jan F. Chadima 69dd72f 
--- openssh-5.9p0/auth2-hostbased.c.audit2	2011-08-30 10:55:32.696212587 +0200
Jan F. Chadima 69dd72f 
+++ openssh-5.9p0/auth2-hostbased.c	2011-08-30 10:55:38.120068864 +0200
Jan F. Chadima 69dd72f 
@@ -119,7 +119,7 @@ userauth_hostbased(Authctxt *authctxt)
Jan F. Chadima 69dd72f 
 	/* test for allowed key and correct signature */
Jan F. Chadima 69dd72f 
 	authenticated = 0;
Jan F. Chadima 69dd72f 
 	if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
Jan F. Chadima 69dd72f 
-	    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
Jan F. Chadima 69dd72f 
+	    PRIVSEP(hostbased_key_verify(key, sig, slen, buffer_ptr(&b),
Jan F. Chadima 69dd72f 
 			buffer_len(&b))) == 1)
Jan F. Chadima 69dd72f 
 		authenticated = 1;
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
@@ -136,6 +136,18 @@ done:
Jan F. Chadima 69dd72f 
 	return authenticated;
Jan F. Chadima 69dd72f 
 }
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
+int
Jan F. Chadima 69dd72f 
+hostbased_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
Jan F. Chadima 69dd72f 
+{
Jan F. Chadima 69dd72f 
+	int rv;
Jan F. Chadima 69dd72f 
+
Jan F. Chadima 69dd72f 
+	rv = key_verify(key, sig, slen, data, datalen);
Jan F. Chadima 69dd72f 
+#ifdef SSH_AUDIT_EVENTS
Jan F. Chadima 69dd72f 
+	audit_key(0, &rv, key);
Jan F. Chadima 69dd72f 
+#endif
Jan F. Chadima 69dd72f 
+	return rv;
Jan F. Chadima 69dd72f 
+}
Jan F. Chadima 69dd72f 
+
Jan F. Chadima 69dd72f 
 /* return 1 if given hostkey is allowed */
Jan F. Chadima 69dd72f 
 int
Jan F. Chadima 69dd72f 
 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
Jan F. Chadima 69dd72f 
diff -up openssh-5.9p0/auth2-pubkey.c.audit2 openssh-5.9p0/auth2-pubkey.c
Jan F. Chadima 69dd72f 
--- openssh-5.9p0/auth2-pubkey.c.audit2	2011-08-30 10:55:32.803126151 +0200
Jan F. Chadima 69dd72f 
+++ openssh-5.9p0/auth2-pubkey.c	2011-08-30 10:55:38.426108672 +0200
Jan F. Chadima 69dd72f 
@@ -140,7 +140,7 @@ userauth_pubkey(Authctxt *authctxt)
Jan F. Chadima 69dd72f 
 		/* test for correct signature */
Jan F. Chadima 69dd72f 
 		authenticated = 0;
Jan F. Chadima 69dd72f 
 		if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
Jan F. Chadima 69dd72f 
-		    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
Jan F. Chadima 69dd72f 
+		    PRIVSEP(user_key_verify(key, sig, slen, buffer_ptr(&b),
Jan F. Chadima 69dd72f 
 		    buffer_len(&b))) == 1)
Jan F. Chadima 69dd72f 
 			authenticated = 1;
Jan F. Chadima 69dd72f 
 		buffer_free(&b);
Jan F. Chadima 69dd72f 
@@ -177,6 +177,18 @@ done:
Jan F. Chadima 69dd72f 
 	return authenticated;
Jan F. Chadima 69dd72f 
 }
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
+int
Jan F. Chadima 69dd72f 
+user_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
Jan F. Chadima 69dd72f 
+{
Jan F. Chadima 69dd72f 
+	int rv;
Jan F. Chadima 69dd72f 
+
Jan F. Chadima 69dd72f 
+	rv = key_verify(key, sig, slen, data, datalen);
Jan F. Chadima 69dd72f 
+#ifdef SSH_AUDIT_EVENTS
Jan F. Chadima 69dd72f 
+	audit_key(1, &rv, key);
Jan F. Chadima 69dd72f 
+#endif
Jan F. Chadima 69dd72f 
+	return rv;
Jan F. Chadima 69dd72f 
+}
Jan F. Chadima 69dd72f 
+
Jan F. Chadima 69dd72f 
 static int
Jan F. Chadima 69dd72f 
 match_principals_option(const char *principal_list, struct KeyCert *cert)
Jan F. Chadima 69dd72f 
 {
Jan F. Chadima 69dd72f 
diff -up openssh-5.9p0/monitor.c.audit2 openssh-5.9p0/monitor.c
Jan F. Chadima 69dd72f 
--- openssh-5.9p0/monitor.c.audit2	2011-08-30 10:55:35.849023496 +0200
Jan F. Chadima 69dd72f 
+++ openssh-5.9p0/monitor.c	2011-08-30 10:55:38.848024600 +0200
Jan F. Chadima 69dd72f 
@@ -1318,9 +1318,11 @@ mm_answer_keyverify(int sock, Buffer *m)
Jan F. Chadima 69dd72f 
 	Key *key;
Jan F. Chadima 69dd72f 
 	u_char *signature, *data, *blob;
Jan F. Chadima 69dd72f 
 	u_int signaturelen, datalen, bloblen;
Jan F. Chadima 69dd72f 
+	int type = 0;
Jan F. Chadima 69dd72f 
 	int verified = 0;
Jan F. Chadima 69dd72f 
 	int valid_data = 0;
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
+	type = buffer_get_int(m);
Jan F. Chadima 69dd72f 
 	blob = buffer_get_string(m, &bloblen);
Jan F. Chadima 69dd72f 
 	signature = buffer_get_string(m, &signaturelen);
Jan F. Chadima 69dd72f 
 	data = buffer_get_string(m, &datalen);
Jan F. Chadima 69dd72f 
@@ -1328,6 +1330,8 @@ mm_answer_keyverify(int sock, Buffer *m)
Jan F. Chadima 69dd72f 
 	if (hostbased_cuser == NULL || hostbased_chost == NULL ||
Jan F. Chadima 69dd72f 
 	  !monitor_allowed_key(blob, bloblen))
Jan F. Chadima 69dd72f 
 		fatal("%s: bad key, not previously allowed", __func__);
Jan F. Chadima 69dd72f 
+	if (type != key_blobtype)
Jan F. Chadima 69dd72f 
+		fatal("%s: bad key type", __func__);
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
 	key = key_from_blob(blob, bloblen);
Jan F. Chadima 69dd72f 
 	if (key == NULL)
Jan F. Chadima 69dd72f 
@@ -1348,7 +1352,17 @@ mm_answer_keyverify(int sock, Buffer *m)
Jan F. Chadima 69dd72f 
 	if (!valid_data)
Jan F. Chadima 69dd72f 
 		fatal("%s: bad signature data blob", __func__);
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
-	verified = key_verify(key, signature, signaturelen, data, datalen);
Jan F. Chadima 69dd72f 
+	switch (key_blobtype) {
Jan F. Chadima 69dd72f 
+	case MM_USERKEY:
Jan F. Chadima 69dd72f 
+		verified = user_key_verify(key, signature, signaturelen, data, datalen);
Jan F. Chadima 69dd72f 
+		break;
Jan F. Chadima 69dd72f 
+	case MM_HOSTKEY:
Jan F. Chadima 69dd72f 
+		verified = hostbased_key_verify(key, signature, signaturelen, data, datalen);
Jan F. Chadima 69dd72f 
+		break;
Jan F. Chadima 69dd72f 
+	default:
Jan F. Chadima 69dd72f 
+		verified = 0;
Jan F. Chadima 69dd72f 
+		break;
Jan F. Chadima 69dd72f 
+	}
Jan F. Chadima 69dd72f 
 	debug3("%s: key %p signature %s",
Jan F. Chadima 69dd72f 
 	    __func__, key, (verified == 1) ? "verified" : "unverified");
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
diff -up openssh-5.9p0/monitor_wrap.c.audit2 openssh-5.9p0/monitor_wrap.c
Jan F. Chadima 69dd72f 
--- openssh-5.9p0/monitor_wrap.c.audit2	2011-08-30 10:55:36.431043533 +0200
Jan F. Chadima 69dd72f 
+++ openssh-5.9p0/monitor_wrap.c	2011-08-30 10:55:39.074038187 +0200
Jan F. Chadima 69dd72f 
@@ -431,7 +431,7 @@ mm_key_allowed(enum mm_keytype type, cha
Jan F. Chadima 69dd72f 
  */
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
 int
Jan F. Chadima 69dd72f 
-mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
Jan F. Chadima 69dd72f 
+mm_key_verify(enum mm_keytype type, Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
Jan F. Chadima 69dd72f 
 {
Jan F. Chadima 69dd72f 
 	Buffer m;
Jan F. Chadima 69dd72f 
 	u_char *blob;
Jan F. Chadima 69dd72f 
@@ -445,6 +445,7 @@ mm_key_verify(Key *key, u_char *sig, u_i
Jan F. Chadima 69dd72f 
 		return (0);
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
 	buffer_init(&m);
Jan F. Chadima 69dd72f 
+	buffer_put_int(&m, type);
Jan F. Chadima 69dd72f 
 	buffer_put_string(&m, blob, len);
Jan F. Chadima 69dd72f 
 	buffer_put_string(&m, sig, siglen);
Jan F. Chadima 69dd72f 
 	buffer_put_string(&m, data, datalen);
Jan F. Chadima 69dd72f 
@@ -462,6 +463,19 @@ mm_key_verify(Key *key, u_char *sig, u_i
Jan F. Chadima 69dd72f 
 	return (verified);
Jan F. Chadima 69dd72f 
 }
Jan F. Chadima 69dd72f
Jan F. Chadima 69dd72f 
+int
Jan F. Chadima 69dd72f 
+mm_hostbased_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
Jan F. Chadima 69dd72f 
+{
Jan F. Chadima 69dd72f 
+	return mm_key_verify(MM_HOSTKEY, key, sig, siglen, data, datalen);
Jan F. Chadima 69dd72f 
+}
Jan F. Chadima 69dd72f 
+
Jan F. Chadima 69dd72f 
+int
Jan F. Chadima 69dd72f 
+mm_user_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
Jan F. Chadima 69dd72f 
+{
Jan F. Chadima 69dd72f 
+	return mm_key_verify(MM_USERKEY, key, sig, siglen, data, datalen);
Jan F. Chadima 69dd72f 
+}
Jan F. Chadima 69dd72f 
+
Jan F. Chadima 69dd72f 
+
Jan F. Chadima 69dd72f 
 /* Export key state after authentication */
Jan F. Chadima 69dd72f 
 Newkeys *
Jan F. Chadima 69dd72f 
 mm_newkeys_from_blob(u_char *blob, int blen)
Jan F. Chadima 69dd72f 
diff -up openssh-5.9p0/monitor_wrap.h.audit2 openssh-5.9p0/monitor_wrap.h
Jan F. Chadima 69dd72f 
--- openssh-5.9p0/monitor_wrap.h.audit2	2011-08-30 10:55:36.550088263 +0200
Jan F. Chadima 69dd72f 
+++ openssh-5.9p0/monitor_wrap.h	2011-08-30 10:55:39.282151179 +0200
Jan F. Chadima 69dd72f 
@@ -49,7 +49,8 @@ int mm_key_allowed(enum mm_keytype, char
Jan F. Chadima 69dd72f 
 int mm_user_key_allowed(struct passwd *, Key *);
Jan F. Chadima 69dd72f 
 int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *);
Jan F. Chadima 69dd72f 
 int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
Jan F. Chadima 69dd72f 
-int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int);
Jan F. Chadima 69dd72f 
+int mm_hostbased_key_verify(Key *, u_char *, u_int, u_char *, u_int);
Jan F. Chadima 69dd72f 
+int mm_user_key_verify(Key *, u_char *, u_int, u_char *, u_int);
Jan F. Chadima 69dd72f 
 int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
Jan F. Chadima 69dd72f 
 int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
Jan F. Chadima 69dd72f 
 BIGNUM *mm_auth_rsa_generate_challenge(Key *);
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.