coverity upgrade
wipe off nonfunctional nss selinux sandbox tweaking
parent
c870e661c7
commit
cff1d0c39d
@ -1,75 +0,0 @@
|
||||
diff -up openssh-5.8p1/log.h.wIm openssh-5.8p1/log.h
|
||||
--- openssh-5.8p1/log.h.wIm 2008-06-13 02:22:54.000000000 +0200
|
||||
+++ openssh-5.8p1/log.h 2011-02-22 09:21:58.000000000 +0100
|
||||
@@ -63,6 +63,8 @@ void verbose(const char *, ...) __at
|
||||
void debug(const char *, ...) __attribute__((format(printf, 1, 2)));
|
||||
void debug2(const char *, ...) __attribute__((format(printf, 1, 2)));
|
||||
void debug3(const char *, ...) __attribute__((format(printf, 1, 2)));
|
||||
+void _debug_wIm_body(const char *, const char *, const char *, int);
|
||||
+#define debug_wIm(a) _debug_wIm_body(a,__func__,__FILE__,__LINE__)
|
||||
|
||||
void do_log(LogLevel, const char *, va_list);
|
||||
void cleanup_exit(int) __attribute__((noreturn));
|
||||
diff -up openssh-5.8p1/Makefile.in.wIm openssh-5.8p1/Makefile.in
|
||||
--- openssh-5.8p1/Makefile.in.wIm 2011-02-04 01:42:13.000000000 +0100
|
||||
+++ openssh-5.8p1/Makefile.in 2011-02-22 09:20:18.000000000 +0100
|
||||
@@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
||||
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
|
||||
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
|
||||
log.o match.o md-sha256.o moduli.o nchan.o packet.o \
|
||||
- readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
|
||||
+ readpass.o rsa.o ttymodes.o whereIam.o xmalloc.o addrmatch.o \
|
||||
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
||||
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
|
||||
diff -up openssh-5.8p1/sshd.c.wIm openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.wIm 2011-01-11 07:20:31.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-22 09:20:18.000000000 +0100
|
||||
@@ -139,6 +139,9 @@ int deny_severity;
|
||||
|
||||
extern char *__progname;
|
||||
|
||||
+/* trace of fork processes */
|
||||
+extern int whereIam;
|
||||
+
|
||||
/* Server configuration options. */
|
||||
ServerOptions options;
|
||||
|
||||
@@ -652,6 +655,7 @@ privsep_preauth(Authctxt *authctxt)
|
||||
} else {
|
||||
/* child */
|
||||
|
||||
+ whereIam = 1;
|
||||
close(pmonitor->m_sendfd);
|
||||
|
||||
/* Demote the child */
|
||||
@@ -693,6 +697,7 @@ privsep_postauth(Authctxt *authctxt)
|
||||
exit(0);
|
||||
}
|
||||
|
||||
+ whereIam = 2;
|
||||
close(pmonitor->m_sendfd);
|
||||
|
||||
/* Demote the private keys to public keys. */
|
||||
@@ -1302,6 +1307,8 @@ main(int ac, char **av)
|
||||
Key *key;
|
||||
Authctxt *authctxt;
|
||||
|
||||
+ whereIam = 0;
|
||||
+
|
||||
#ifdef HAVE_SECUREWARE
|
||||
(void)set_auth_parameters(ac, av);
|
||||
#endif
|
||||
diff -up openssh-5.8p1/whereIam.c.wIm openssh-5.8p1/whereIam.c
|
||||
--- openssh-5.8p1/whereIam.c.wIm 2011-02-22 09:20:18.000000000 +0100
|
||||
+++ openssh-5.8p1/whereIam.c 2011-02-22 09:24:01.000000000 +0100
|
||||
@@ -0,0 +1,9 @@
|
||||
+
|
||||
+int whereIam = -1;
|
||||
+
|
||||
+void _debug_wIm_body(const char *txt, const char *func, const char *file, int line)
|
||||
+{
|
||||
+ debug("%s: %s(%s:%d) wIm = %d, uid=%d, euid=%d", txt, func, file, line, whereIam, getuid(), geteuid());
|
||||
+}
|
||||
+
|
||||
+
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.9p0/auth.h.2auth openssh-5.9p0/auth.h
|
||||
--- openssh-5.9p0/auth.h.2auth 2011-05-29 13:39:38.000000000 +0200
|
||||
+++ openssh-5.9p0/auth.h 2011-09-05 13:16:00.550626991 +0200
|
||||
diff -up openssh-5.9p1/auth.h.2auth openssh-5.9p1/auth.h
|
||||
--- openssh-5.9p1/auth.h.2auth 2011-05-29 13:39:38.000000000 +0200
|
||||
+++ openssh-5.9p1/auth.h 2011-09-13 20:25:22.250474950 +0200
|
||||
@@ -149,6 +149,8 @@ int auth_root_allowed(char *);
|
||||
|
||||
char *auth2_read_banner(void);
|
||||
@ -10,9 +10,9 @@ diff -up openssh-5.9p0/auth.h.2auth openssh-5.9p0/auth.h
|
||||
void privsep_challenge_enable(void);
|
||||
|
||||
int auth2_challenge(Authctxt *, char *);
|
||||
diff -up openssh-5.9p0/auth2.c.2auth openssh-5.9p0/auth2.c
|
||||
--- openssh-5.9p0/auth2.c.2auth 2011-05-05 06:04:11.000000000 +0200
|
||||
+++ openssh-5.9p0/auth2.c 2011-09-05 13:16:00.640626827 +0200
|
||||
diff -up openssh-5.9p1/auth2.c.2auth openssh-5.9p1/auth2.c
|
||||
--- openssh-5.9p1/auth2.c.2auth 2011-05-05 06:04:11.000000000 +0200
|
||||
+++ openssh-5.9p1/auth2.c 2011-09-13 20:25:22.348458588 +0200
|
||||
@@ -290,6 +290,23 @@ input_userauth_request(int type, u_int32
|
||||
}
|
||||
|
||||
@ -61,9 +61,9 @@ diff -up openssh-5.9p0/auth2.c.2auth openssh-5.9p0/auth2.c
|
||||
methods = authmethods_get();
|
||||
packet_start(SSH2_MSG_USERAUTH_FAILURE);
|
||||
packet_put_cstring(methods);
|
||||
diff -up openssh-5.9p0/monitor.c.2auth openssh-5.9p0/monitor.c
|
||||
--- openssh-5.9p0/monitor.c.2auth 2011-08-05 22:15:18.000000000 +0200
|
||||
+++ openssh-5.9p0/monitor.c 2011-09-05 13:37:35.468502112 +0200
|
||||
diff -up openssh-5.9p1/monitor.c.2auth openssh-5.9p1/monitor.c
|
||||
--- openssh-5.9p1/monitor.c.2auth 2011-09-13 20:25:18.031458843 +0200
|
||||
+++ openssh-5.9p1/monitor.c 2011-09-13 20:53:29.345644462 +0200
|
||||
@@ -165,6 +165,7 @@ int mm_answer_jpake_step1(int, Buffer *)
|
||||
int mm_answer_jpake_step2(int, Buffer *);
|
||||
int mm_answer_jpake_key_confirm(int, Buffer *);
|
||||
@ -80,7 +80,7 @@ diff -up openssh-5.9p0/monitor.c.2auth openssh-5.9p0/monitor.c
|
||||
{0, 0, NULL}
|
||||
};
|
||||
|
||||
@@ -378,9 +380,9 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
@@ -378,7 +380,7 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
}
|
||||
|
||||
/* The first few requests do not require asynchronous access */
|
||||
@ -89,9 +89,7 @@ diff -up openssh-5.9p0/monitor.c.2auth openssh-5.9p0/monitor.c
|
||||
auth_method = "unknown";
|
||||
authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
|
||||
if (authenticated) {
|
||||
if (!(ent->flags & MON_AUTHDECIDE))
|
||||
fatal("%s: unexpected authentication from %d",
|
||||
@@ -390,7 +393,7 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
@@ -390,7 +392,7 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
authenticated = 0;
|
||||
#ifdef USE_PAM
|
||||
/* PAM needs to perform account checks after auth */
|
||||
@ -100,7 +98,7 @@ diff -up openssh-5.9p0/monitor.c.2auth openssh-5.9p0/monitor.c
|
||||
Buffer m;
|
||||
|
||||
buffer_init(&m);
|
||||
@@ -2000,6 +2006,19 @@ monitor_reinit(struct monitor *mon)
|
||||
@@ -2001,6 +2003,24 @@ monitor_reinit(struct monitor *mon)
|
||||
monitor_openfds(mon, 0);
|
||||
}
|
||||
|
||||
@ -114,15 +112,20 @@ diff -up openssh-5.9p0/monitor.c.2auth openssh-5.9p0/monitor.c
|
||||
+
|
||||
+ userauth_restart(method);
|
||||
+
|
||||
+ xfree(method);
|
||||
+ buffer_clear(m);
|
||||
+
|
||||
+ mm_request_send(sock, MONITOR_ANS_USERAUTH_RESTART, m);
|
||||
+
|
||||
+ return (0);
|
||||
+}
|
||||
+
|
||||
#ifdef GSSAPI
|
||||
int
|
||||
mm_answer_gss_setup_ctx(int sock, Buffer *m)
|
||||
diff -up openssh-5.9p0/monitor.h.2auth openssh-5.9p0/monitor.h
|
||||
--- openssh-5.9p0/monitor.h.2auth 2011-06-20 06:42:23.000000000 +0200
|
||||
+++ openssh-5.9p0/monitor.h 2011-09-05 13:16:00.855502353 +0200
|
||||
diff -up openssh-5.9p1/monitor.h.2auth openssh-5.9p1/monitor.h
|
||||
--- openssh-5.9p1/monitor.h.2auth 2011-06-20 06:42:23.000000000 +0200
|
||||
+++ openssh-5.9p1/monitor.h 2011-09-13 20:25:22.615458574 +0200
|
||||
@@ -66,6 +66,7 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
|
||||
MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
|
||||
@ -131,9 +134,9 @@ diff -up openssh-5.9p0/monitor.h.2auth openssh-5.9p0/monitor.h
|
||||
};
|
||||
|
||||
struct mm_master;
|
||||
diff -up openssh-5.9p0/monitor_wrap.c.2auth openssh-5.9p0/monitor_wrap.c
|
||||
--- openssh-5.9p0/monitor_wrap.c.2auth 2011-06-20 06:42:23.000000000 +0200
|
||||
+++ openssh-5.9p0/monitor_wrap.c 2011-09-05 13:16:00.968503257 +0200
|
||||
diff -up openssh-5.9p1/monitor_wrap.c.2auth openssh-5.9p1/monitor_wrap.c
|
||||
--- openssh-5.9p1/monitor_wrap.c.2auth 2011-06-20 06:42:23.000000000 +0200
|
||||
+++ openssh-5.9p1/monitor_wrap.c 2011-09-13 20:25:22.735468462 +0200
|
||||
@@ -1173,6 +1173,26 @@ mm_auth_rsa_verify_response(Key *key, BI
|
||||
return (success);
|
||||
}
|
||||
@ -161,9 +164,9 @@ diff -up openssh-5.9p0/monitor_wrap.c.2auth openssh-5.9p0/monitor_wrap.c
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
void
|
||||
mm_audit_event(ssh_audit_event_t event)
|
||||
diff -up openssh-5.9p0/monitor_wrap.h.2auth openssh-5.9p0/monitor_wrap.h
|
||||
--- openssh-5.9p0/monitor_wrap.h.2auth 2011-06-20 06:42:23.000000000 +0200
|
||||
+++ openssh-5.9p0/monitor_wrap.h 2011-09-05 13:16:01.074502211 +0200
|
||||
diff -up openssh-5.9p1/monitor_wrap.h.2auth openssh-5.9p1/monitor_wrap.h
|
||||
--- openssh-5.9p1/monitor_wrap.h.2auth 2011-06-20 06:42:23.000000000 +0200
|
||||
+++ openssh-5.9p1/monitor_wrap.h 2011-09-13 20:25:22.847457505 +0200
|
||||
@@ -53,6 +53,7 @@ int mm_key_verify(Key *, u_char *, u_int
|
||||
int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
|
||||
int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
|
||||
@ -172,9 +175,9 @@ diff -up openssh-5.9p0/monitor_wrap.h.2auth openssh-5.9p0/monitor_wrap.h
|
||||
|
||||
#ifdef GSSAPI
|
||||
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
||||
diff -up openssh-5.9p0/servconf.c.2auth openssh-5.9p0/servconf.c
|
||||
--- openssh-5.9p0/servconf.c.2auth 2011-06-23 00:30:03.000000000 +0200
|
||||
+++ openssh-5.9p0/servconf.c 2011-09-05 13:16:01.223441110 +0200
|
||||
diff -up openssh-5.9p1/servconf.c.2auth openssh-5.9p1/servconf.c
|
||||
--- openssh-5.9p1/servconf.c.2auth 2011-09-13 20:25:18.836495701 +0200
|
||||
+++ openssh-5.9p1/servconf.c 2011-09-13 20:25:22.994584169 +0200
|
||||
@@ -92,6 +92,13 @@ initialize_server_options(ServerOptions
|
||||
options->hostbased_uses_name_from_packet_only = -1;
|
||||
options->rsa_authentication = -1;
|
||||
@ -328,9 +331,9 @@ diff -up openssh-5.9p0/servconf.c.2auth openssh-5.9p0/servconf.c
|
||||
dump_cfg_fmtint(sPrintMotd, o->print_motd);
|
||||
dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
|
||||
dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
|
||||
diff -up openssh-5.9p0/servconf.h.2auth openssh-5.9p0/servconf.h
|
||||
--- openssh-5.9p0/servconf.h.2auth 2011-06-23 00:30:03.000000000 +0200
|
||||
+++ openssh-5.9p0/servconf.h 2011-09-05 13:16:01.352564530 +0200
|
||||
diff -up openssh-5.9p1/servconf.h.2auth openssh-5.9p1/servconf.h
|
||||
--- openssh-5.9p1/servconf.h.2auth 2011-06-23 00:30:03.000000000 +0200
|
||||
+++ openssh-5.9p1/servconf.h 2011-09-13 20:25:23.103459846 +0200
|
||||
@@ -112,6 +112,14 @@ typedef struct {
|
||||
/* If true, permit jpake auth */
|
||||
int permit_empty_passwd; /* If false, do not permit empty
|
||||
@ -346,9 +349,9 @@ diff -up openssh-5.9p0/servconf.h.2auth openssh-5.9p0/servconf.h
|
||||
int permit_user_env; /* If true, read ~/.ssh/environment */
|
||||
int use_login; /* If true, login(1) is used */
|
||||
int compression; /* If true, compression is allowed */
|
||||
diff -up openssh-5.9p0/sshd_config.2auth openssh-5.9p0/sshd_config
|
||||
--- openssh-5.9p0/sshd_config.2auth 2011-05-29 13:39:39.000000000 +0200
|
||||
+++ openssh-5.9p0/sshd_config 2011-09-05 13:16:01.461565750 +0200
|
||||
diff -up openssh-5.9p1/sshd_config.2auth openssh-5.9p1/sshd_config
|
||||
--- openssh-5.9p1/sshd_config.2auth 2011-05-29 13:39:39.000000000 +0200
|
||||
+++ openssh-5.9p1/sshd_config 2011-09-13 20:25:23.221458447 +0200
|
||||
@@ -87,6 +87,13 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
#UsePAM no
|
||||
@ -363,9 +366,9 @@ diff -up openssh-5.9p0/sshd_config.2auth openssh-5.9p0/sshd_config
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
||||
diff -up openssh-5.9p0/sshd_config.5.2auth openssh-5.9p0/sshd_config.5
|
||||
--- openssh-5.9p0/sshd_config.5.2auth 2011-08-05 22:17:33.000000000 +0200
|
||||
+++ openssh-5.9p0/sshd_config.5 2011-09-05 13:16:01.572564496 +0200
|
||||
diff -up openssh-5.9p1/sshd_config.5.2auth openssh-5.9p1/sshd_config.5
|
||||
--- openssh-5.9p1/sshd_config.5.2auth 2011-08-05 22:17:33.000000000 +0200
|
||||
+++ openssh-5.9p1/sshd_config.5 2011-09-13 20:25:23.416458539 +0200
|
||||
@@ -726,6 +726,12 @@ Available keywords are
|
||||
.Cm PubkeyAuthentication ,
|
||||
.Cm RhostsRSAAuthentication ,
|
||||
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
|
||||
--- openssh-5.9p1/auth2-pubkey.c.akc 2011-09-09 19:27:15.369501615 +0200
|
||||
+++ openssh-5.9p1/auth2-pubkey.c 2011-09-09 19:30:32.958509941 +0200
|
||||
--- openssh-5.9p1/auth2-pubkey.c.akc 2011-09-14 07:24:40.876512251 +0200
|
||||
+++ openssh-5.9p1/auth2-pubkey.c 2011-09-14 07:24:43.318458515 +0200
|
||||
@@ -27,6 +27,7 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
@ -241,8 +241,8 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
|
||||
return 0;
|
||||
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
|
||||
diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
|
||||
--- openssh-5.9p1/configure.ac.akc 2011-08-18 06:48:24.000000000 +0200
|
||||
+++ openssh-5.9p1/configure.ac 2011-09-09 19:27:17.548440048 +0200
|
||||
--- openssh-5.9p1/configure.ac.akc 2011-09-14 07:24:42.863494886 +0200
|
||||
+++ openssh-5.9p1/configure.ac 2011-09-14 07:24:43.441583848 +0200
|
||||
@@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit],
|
||||
esac ]
|
||||
)
|
||||
@ -262,7 +262,7 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
|
||||
dnl Checks for library functions. Please keep in alphabetical order
|
||||
AC_CHECK_FUNCS([ \
|
||||
arc4random \
|
||||
@@ -4235,6 +4247,7 @@ echo " SELinux support
|
||||
@@ -4239,6 +4251,7 @@ echo " SELinux support
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
echo " TCP Wrappers support: $TCPW_MSG"
|
||||
@ -271,8 +271,8 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
||||
--- openssh-5.9p1/servconf.c.akc 2011-09-09 19:27:03.490455245 +0200
|
||||
+++ openssh-5.9p1/servconf.c 2011-09-09 19:27:17.666565662 +0200
|
||||
--- openssh-5.9p1/servconf.c.akc 2011-09-14 07:24:29.402475399 +0200
|
||||
+++ openssh-5.9p1/servconf.c 2011-09-14 07:56:27.158585590 +0200
|
||||
@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions
|
||||
options->num_permitted_opens = -1;
|
||||
options->adm_forced_command = NULL;
|
||||
@ -304,7 +304,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
||||
{ NULL, sBadOption, 0 }
|
||||
};
|
||||
|
||||
@@ -1462,6 +1472,20 @@ process_server_config_line(ServerOptions
|
||||
@@ -1462,6 +1472,24 @@ process_server_config_line(ServerOptions
|
||||
}
|
||||
break;
|
||||
|
||||
@ -318,6 +318,10 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
||||
+ charptr = &options->authorized_keys_command_runas;
|
||||
+
|
||||
+ arg = strdelim(&cp);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%s line %d: missing account.",
|
||||
+ filename, linenum);
|
||||
+
|
||||
+ if (*activep && *charptr == NULL)
|
||||
+ *charptr = xstrdup(arg);
|
||||
+ break;
|
||||
@ -325,7 +329,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
||||
case sDeprecated:
|
||||
logit("%s line %d: Deprecated option %s",
|
||||
filename, linenum, arg);
|
||||
@@ -1573,6 +1597,8 @@ copy_set_server_options(ServerOptions *d
|
||||
@@ -1573,6 +1601,8 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(zero_knowledge_password_authentication);
|
||||
M_CP_INTOPT(second_zero_knowledge_password_authentication);
|
||||
M_CP_INTOPT(two_factor_authentication);
|
||||
@ -334,7 +338,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
||||
M_CP_INTOPT(permit_root_login);
|
||||
M_CP_INTOPT(permit_empty_passwd);
|
||||
|
||||
@@ -1839,6 +1865,8 @@ dump_config(ServerOptions *o)
|
||||
@@ -1839,6 +1869,8 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
|
||||
dump_cfg_string(sAuthorizedPrincipalsFile,
|
||||
o->authorized_principals_file);
|
||||
@ -344,8 +348,8 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
||||
/* string arguments requiring a lookup */
|
||||
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
|
||||
diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
|
||||
--- openssh-5.9p1/servconf.h.akc 2011-09-09 19:27:03.614494286 +0200
|
||||
+++ openssh-5.9p1/servconf.h 2011-09-09 19:27:18.043502934 +0200
|
||||
--- openssh-5.9p1/servconf.h.akc 2011-09-14 07:24:29.511480441 +0200
|
||||
+++ openssh-5.9p1/servconf.h 2011-09-14 07:24:43.678459183 +0200
|
||||
@@ -174,6 +174,8 @@ typedef struct {
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
@ -357,7 +361,7 @@ diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
|
||||
/*
|
||||
diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
|
||||
--- openssh-5.9p1/sshd_config.0.akc 2011-09-07 01:16:30.000000000 +0200
|
||||
+++ openssh-5.9p1/sshd_config.0 2011-09-09 19:27:18.168626976 +0200
|
||||
+++ openssh-5.9p1/sshd_config.0 2011-09-14 07:24:43.791460201 +0200
|
||||
@@ -71,6 +71,23 @@ DESCRIPTION
|
||||
|
||||
See PATTERNS in ssh_config(5) for more information on patterns.
|
||||
@ -393,8 +397,8 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
|
||||
GSSAPIAuthentication, HostbasedAuthentication,
|
||||
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
|
||||
diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
|
||||
--- openssh-5.9p1/sshd_config.5.akc 2011-09-09 19:27:03.912515059 +0200
|
||||
+++ openssh-5.9p1/sshd_config.5 2011-09-09 19:27:18.292494317 +0200
|
||||
--- openssh-5.9p1/sshd_config.5.akc 2011-09-14 07:24:29.793520372 +0200
|
||||
+++ openssh-5.9p1/sshd_config.5 2011-09-14 07:24:43.912583678 +0200
|
||||
@@ -706,6 +706,8 @@ Available keywords are
|
||||
.Cm AllowAgentForwarding ,
|
||||
.Cm AllowTcpForwarding ,
|
||||
@ -434,8 +438,8 @@ diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
|
||||
Specifies whether rhosts or /etc/hosts.equiv authentication together
|
||||
with successful RSA host authentication is allowed.
|
||||
diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
|
||||
--- openssh-5.9p1/sshd_config.akc 2011-09-09 19:27:03.754502770 +0200
|
||||
+++ openssh-5.9p1/sshd_config 2011-09-09 19:27:18.446471121 +0200
|
||||
--- openssh-5.9p1/sshd_config.akc 2011-09-14 07:24:29.620461608 +0200
|
||||
+++ openssh-5.9p1/sshd_config 2011-09-14 07:24:44.034462546 +0200
|
||||
@@ -49,6 +49,9 @@
|
||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
|
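Review bot: The new `AuthorizedKeysCommandRunAs` parsing rejects a missing argument but accepts any string as the account name, so a typo in the account is not caught by `sshd -t` and only surfaces when the command is first run at login, which — if the account is resolved at that point with `getpwnam()`, as the option name suggests — turns a configuration error into a runtime authentication failure. Consider resolving it at parse time, right after the existing empty-argument check: `if (getpwnam(arg) == NULL)` / `fatal("%s line %d: unknown account \"%s\".", filename, linenum, arg);`. If the account may legitimately live in a directory service that is not reachable when the configuration is parsed, keep the lookup at the point of use but say so in a comment, e.g. `/* account existence is checked where the command is executed */`, because this hunk does not show where the value is consumed. `process_server_config_line` starts and ends outside the hunk shown.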
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.9p0/Makefile.in.audit3 openssh-5.9p0/Makefile.in
|
||||
--- openssh-5.9p0/Makefile.in.audit3 2011-08-05 22:15:18.000000000 +0200
|
||||
+++ openssh-5.9p0/Makefile.in 2011-09-03 19:28:53.226036039 +0200
|
||||
diff -up openssh-5.9p1/Makefile.in.audit3 openssh-5.9p1/Makefile.in
|
||||
--- openssh-5.9p1/Makefile.in.audit3 2011-08-05 22:15:18.000000000 +0200
|
||||
+++ openssh-5.9p1/Makefile.in 2011-09-14 07:05:58.337520327 +0200
|
||||
@@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
||||
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
|
||||
@ -10,9 +10,9 @@ diff -up openssh-5.9p0/Makefile.in.audit3 openssh-5.9p0/Makefile.in
|
||||
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
|
||||
diff -up openssh-5.9p0/audit-bsm.c.audit3 openssh-5.9p0/audit-bsm.c
|
||||
--- openssh-5.9p0/audit-bsm.c.audit3 2011-09-03 19:28:51.922034646 +0200
|
||||
+++ openssh-5.9p0/audit-bsm.c 2011-09-03 19:28:53.475151642 +0200
|
||||
diff -up openssh-5.9p1/audit-bsm.c.audit3 openssh-5.9p1/audit-bsm.c
|
||||
--- openssh-5.9p1/audit-bsm.c.audit3 2011-09-14 07:05:56.719459048 +0200
|
||||
+++ openssh-5.9p1/audit-bsm.c 2011-09-14 07:05:58.430520147 +0200
|
||||
@@ -396,4 +396,16 @@ audit_event(ssh_audit_event_t event)
|
||||
debug("%s: unhandled event %d", __func__, event);
|
||||
}
|
||||
@ -30,9 +30,9 @@ diff -up openssh-5.9p0/audit-bsm.c.audit3 openssh-5.9p0/audit-bsm.c
|
||||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-5.9p0/audit-linux.c.audit3 openssh-5.9p0/audit-linux.c
|
||||
--- openssh-5.9p0/audit-linux.c.audit3 2011-09-03 19:28:52.053030306 +0200
|
||||
+++ openssh-5.9p0/audit-linux.c 2011-09-03 19:28:53.583026470 +0200
|
||||
diff -up openssh-5.9p1/audit-linux.c.audit3 openssh-5.9p1/audit-linux.c
|
||||
--- openssh-5.9p1/audit-linux.c.audit3 2011-09-14 07:05:56.820460613 +0200
|
||||
+++ openssh-5.9p1/audit-linux.c 2011-09-14 07:07:29.651459660 +0200
|
||||
@@ -40,6 +40,8 @@
|
||||
#include "auth.h"
|
||||
#include "servconf.h"
|
||||
@ -42,7 +42,7 @@ diff -up openssh-5.9p0/audit-linux.c.audit3 openssh-5.9p0/audit-linux.c
|
||||
|
||||
#define AUDIT_LOG_SIZE 128
|
||||
|
||||
@@ -269,4 +271,56 @@ audit_event(ssh_audit_event_t event)
|
||||
@@ -269,4 +271,60 @@ audit_event(ssh_audit_event_t event)
|
||||
}
|
||||
}
|
||||
|
||||
@ -52,11 +52,13 @@ diff -up openssh-5.9p0/audit-linux.c.audit3 openssh-5.9p0/audit-linux.c
|
||||
+#ifdef AUDIT_CRYPTO_SESSION
|
||||
+ char buf[AUDIT_LOG_SIZE];
|
||||
+ const static char *name[] = { "cipher", "mac", "comp" };
|
||||
+ char *s;
|
||||
+ int audit_fd;
|
||||
+
|
||||
+ snprintf(buf, sizeof(buf), "op=unsupported-%s direction=? cipher=? ksize=? rport=%d laddr=%s lport=%d ",
|
||||
+ name[what], get_remote_port(), get_local_ipaddr(packet_get_connection_in()),
|
||||
+ name[what], get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())),
|
||||
+ get_local_port());
|
||||
+ xfree(s);
|
||||
+ audit_fd = audit_open();
|
||||
+ if (audit_fd < 0)
|
||||
+ /* no problem, the next instruction will be fatal() */
|
||||
@ -76,11 +78,13 @@ diff -up openssh-5.9p0/audit-linux.c.audit3 openssh-5.9p0/audit-linux.c
|
||||
+ int audit_fd, audit_ok;
|
||||
+ const static char *direction[] = { "from-server", "from-client", "both" };
|
||||
+ Cipher *cipher = cipher_by_name(enc);
|
||||
+ char *s;
|
||||
+
|
||||
+ snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d spid=%jd suid=%jd rport=%d laddr=%s lport=%d ",
|
||||
+ direction[ctos], enc, cipher ? 8 * cipher->key_len : 0,
|
||||
+ (intmax_t)pid, (intmax_t)uid,
|
||||
+ get_remote_port(), get_local_ipaddr(packet_get_connection_in()), get_local_port());
|
||||
+ get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())), get_local_port());
|
||||
+ xfree(s);
|
||||
+ audit_fd = audit_open();
|
||||
+ if (audit_fd < 0) {
|
||||
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
|
||||
@ -99,9 +103,9 @@ diff -up openssh-5.9p0/audit-linux.c.audit3 openssh-5.9p0/audit-linux.c
|
||||
+}
|
||||
+
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-5.9p0/audit.c.audit3 openssh-5.9p0/audit.c
|
||||
--- openssh-5.9p0/audit.c.audit3 2011-09-03 19:28:52.166026259 +0200
|
||||
+++ openssh-5.9p0/audit.c 2011-09-03 19:28:53.673151432 +0200
|
||||
diff -up openssh-5.9p1/audit.c.audit3 openssh-5.9p1/audit.c
|
||||
--- openssh-5.9p1/audit.c.audit3 2011-09-14 07:05:56.937585272 +0200
|
||||
+++ openssh-5.9p1/audit.c 2011-09-14 07:05:58.646521393 +0200
|
||||
@@ -28,6 +28,7 @@
|
||||
|
||||
#include <stdarg.h>
|
||||
@ -165,9 +169,9 @@ diff -up openssh-5.9p0/audit.c.audit3 openssh-5.9p0/audit.c
|
||||
+}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.9p0/audit.h.audit3 openssh-5.9p0/audit.h
|
||||
--- openssh-5.9p0/audit.h.audit3 2011-09-03 19:28:52.286024211 +0200
|
||||
+++ openssh-5.9p0/audit.h 2011-09-03 19:28:53.783027870 +0200
|
||||
diff -up openssh-5.9p1/audit.h.audit3 openssh-5.9p1/audit.h
|
||||
--- openssh-5.9p1/audit.h.audit3 2011-09-14 07:05:57.391522394 +0200
|
||||
+++ openssh-5.9p1/audit.h 2011-09-14 07:05:58.766586362 +0200
|
||||
@@ -58,5 +58,9 @@ void audit_end_command(int, const char
|
||||
ssh_audit_event_t audit_classify_auth(const char *);
|
||||
int audit_keyusage(int, const char *, unsigned, char *, int);
|
||||
@ -178,9 +182,9 @@ diff -up openssh-5.9p0/audit.h.audit3 openssh-5.9p0/audit.h
|
||||
+void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.9p0/auditstub.c.audit3 openssh-5.9p0/auditstub.c
|
||||
--- openssh-5.9p0/auditstub.c.audit3 2011-09-03 19:28:53.879026270 +0200
|
||||
+++ openssh-5.9p0/auditstub.c 2011-09-03 19:28:53.882025491 +0200
|
||||
diff -up openssh-5.9p1/auditstub.c.audit3 openssh-5.9p1/auditstub.c
|
||||
--- openssh-5.9p1/auditstub.c.audit3 2011-09-14 07:05:58.866461077 +0200
|
||||
+++ openssh-5.9p1/auditstub.c 2011-09-14 07:05:58.870569033 +0200
|
||||
@@ -0,0 +1,39 @@
|
||||
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
|
||||
+
|
||||
@ -221,9 +225,9 @@ diff -up openssh-5.9p0/auditstub.c.audit3 openssh-5.9p0/auditstub.c
|
||||
+{
|
||||
+}
|
||||
+
|
||||
diff -up openssh-5.9p0/cipher.c.audit3 openssh-5.9p0/cipher.c
|
||||
--- openssh-5.9p0/cipher.c.audit3 2011-08-30 10:34:01.000000000 +0200
|
||||
+++ openssh-5.9p0/cipher.c 2011-09-03 19:28:53.966162869 +0200
|
||||
diff -up openssh-5.9p1/cipher.c.audit3 openssh-5.9p1/cipher.c
|
||||
--- openssh-5.9p1/cipher.c.audit3 2011-09-07 15:05:09.000000000 +0200
|
||||
+++ openssh-5.9p1/cipher.c 2011-09-14 07:05:58.955582581 +0200
|
||||
@@ -60,15 +60,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX
|
||||
extern const EVP_CIPHER *evp_aes_128_ctr(void);
|
||||
extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
|
||||
@ -241,9 +245,9 @@ diff -up openssh-5.9p0/cipher.c.audit3 openssh-5.9p0/cipher.c
|
||||
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },
|
||||
{ "des", SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc },
|
||||
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
|
||||
diff -up openssh-5.9p0/cipher.h.audit3 openssh-5.9p0/cipher.h
|
||||
--- openssh-5.9p0/cipher.h.audit3 2009-01-28 06:38:41.000000000 +0100
|
||||
+++ openssh-5.9p0/cipher.h 2011-09-03 19:28:54.068070077 +0200
|
||||
diff -up openssh-5.9p1/cipher.h.audit3 openssh-5.9p1/cipher.h
|
||||
--- openssh-5.9p1/cipher.h.audit3 2009-01-28 06:38:41.000000000 +0100
|
||||
+++ openssh-5.9p1/cipher.h 2011-09-14 07:05:59.063459363 +0200
|
||||
@@ -61,7 +61,16 @@
|
||||
typedef struct Cipher Cipher;
|
||||
typedef struct CipherContext CipherContext;
|
||||
@ -262,9 +266,9 @@ diff -up openssh-5.9p0/cipher.h.audit3 openssh-5.9p0/cipher.h
|
||||
struct CipherContext {
|
||||
int plaintext;
|
||||
EVP_CIPHER_CTX evp;
|
||||
diff -up openssh-5.9p0/kex.c.audit3 openssh-5.9p0/kex.c
|
||||
--- openssh-5.9p0/kex.c.audit3 2010-09-24 14:11:14.000000000 +0200
|
||||
+++ openssh-5.9p0/kex.c 2011-09-03 19:28:54.177212272 +0200
|
||||
diff -up openssh-5.9p1/kex.c.audit3 openssh-5.9p1/kex.c
|
||||
--- openssh-5.9p1/kex.c.audit3 2010-09-24 14:11:14.000000000 +0200
|
||||
+++ openssh-5.9p1/kex.c 2011-09-14 07:05:59.171457800 +0200
|
||||
@@ -49,6 +49,7 @@
|
||||
#include "dispatch.h"
|
||||
#include "monitor.h"
|
||||
@ -327,9 +331,9 @@ diff -up openssh-5.9p0/kex.c.audit3 openssh-5.9p0/kex.c
|
||||
}
|
||||
choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
|
||||
choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
||||
diff -up openssh-5.9p0/monitor.c.audit3 openssh-5.9p0/monitor.c
|
||||
--- openssh-5.9p0/monitor.c.audit3 2011-09-03 19:28:52.851088094 +0200
|
||||
+++ openssh-5.9p0/monitor.c 2011-09-03 19:28:54.298087612 +0200
|
||||
diff -up openssh-5.9p1/monitor.c.audit3 openssh-5.9p1/monitor.c
|
||||
--- openssh-5.9p1/monitor.c.audit3 2011-09-14 07:05:57.952459820 +0200
|
||||
+++ openssh-5.9p1/monitor.c 2011-09-14 07:05:59.272520466 +0200
|
||||
@@ -97,6 +97,7 @@
|
||||
#include "ssh2.h"
|
||||
#include "jpake.h"
|
||||
@ -383,7 +387,7 @@ diff -up openssh-5.9p0/monitor.c.audit3 openssh-5.9p0/monitor.c
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -2380,3 +2391,44 @@ mm_answer_jpake_check_confirm(int sock,
|
||||
@@ -2383,3 +2394,47 @@ mm_answer_jpake_check_confirm(int sock,
|
||||
}
|
||||
|
||||
#endif /* JPAKE */
|
||||
@ -421,6 +425,9 @@ diff -up openssh-5.9p0/monitor.c.audit3 openssh-5.9p0/monitor.c
|
||||
+
|
||||
+ audit_kex_body(ctos, cipher, mac, compress, pid, uid);
|
||||
+
|
||||
+ xfree(cipher);
|
||||
+ xfree(mac);
|
||||
+ xfree(compress);
|
||||
+ buffer_clear(m);
|
||||
+
|
||||
+ mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m);
|
||||
@ -428,9 +435,9 @@ diff -up openssh-5.9p0/monitor.c.audit3 openssh-5.9p0/monitor.c
|
||||
+}
|
||||
+
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.9p0/monitor.h.audit3 openssh-5.9p0/monitor.h
|
||||
--- openssh-5.9p0/monitor.h.audit3 2011-09-03 19:28:51.000000000 +0200
|
||||
+++ openssh-5.9p0/monitor.h 2011-09-03 19:29:52.565211520 +0200
|
||||
diff -up openssh-5.9p1/monitor.h.audit3 openssh-5.9p1/monitor.h
|
||||
--- openssh-5.9p1/monitor.h.audit3 2011-09-14 07:05:55.510580908 +0200
|
||||
+++ openssh-5.9p1/monitor.h 2011-09-14 07:05:59.378647273 +0200
|
||||
@@ -61,6 +61,8 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
|
||||
MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
|
||||
@ -440,9 +447,9 @@ diff -up openssh-5.9p0/monitor.h.audit3 openssh-5.9p0/monitor.h
|
||||
MONITOR_REQ_TERM,
|
||||
MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
|
||||
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
|
||||
diff -up openssh-5.9p0/monitor_wrap.c.audit3 openssh-5.9p0/monitor_wrap.c
|
||||
--- openssh-5.9p0/monitor_wrap.c.audit3 2011-09-03 19:28:52.963088596 +0200
|
||||
+++ openssh-5.9p0/monitor_wrap.c 2011-09-03 19:28:54.602024893 +0200
|
||||
diff -up openssh-5.9p1/monitor_wrap.c.audit3 openssh-5.9p1/monitor_wrap.c
|
||||
--- openssh-5.9p1/monitor_wrap.c.audit3 2011-09-14 07:05:58.059501118 +0200
|
||||
+++ openssh-5.9p1/monitor_wrap.c 2011-09-14 07:05:59.511503364 +0200
|
||||
@@ -1505,3 +1505,41 @@ mm_jpake_check_confirm(const BIGNUM *k,
|
||||
return success;
|
||||
}
|
||||
@ -485,9 +492,9 @@ diff -up openssh-5.9p0/monitor_wrap.c.audit3 openssh-5.9p0/monitor_wrap.c
|
||||
+ buffer_free(&m);
|
||||
+}
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.9p0/monitor_wrap.h.audit3 openssh-5.9p0/monitor_wrap.h
|
||||
--- openssh-5.9p0/monitor_wrap.h.audit3 2011-09-03 19:28:53.069087341 +0200
|
||||
+++ openssh-5.9p0/monitor_wrap.h 2011-09-03 19:28:54.704055439 +0200
|
||||
diff -up openssh-5.9p1/monitor_wrap.h.audit3 openssh-5.9p1/monitor_wrap.h
|
||||
--- openssh-5.9p1/monitor_wrap.h.audit3 2011-09-14 07:05:58.171521245 +0200
|
||||
+++ openssh-5.9p1/monitor_wrap.h 2011-09-14 07:05:59.624646515 +0200
|
||||
@@ -78,6 +78,8 @@ void mm_sshpam_free_ctx(void *);
|
||||
void mm_audit_event(ssh_audit_event_t);
|
||||
int mm_audit_run_command(const char *);
|
||||
@ -497,9 +504,9 @@ diff -up openssh-5.9p0/monitor_wrap.h.audit3 openssh-5.9p0/monitor_wrap.h
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-5.9p0/sshd.c.audit3 openssh-5.9p0/sshd.c
|
||||
--- openssh-5.9p0/sshd.c.audit3 2011-09-03 19:28:51.758025429 +0200
|
||||
+++ openssh-5.9p0/sshd.c 2011-09-03 19:28:54.835049403 +0200
|
||||
diff -up openssh-5.9p1/sshd.c.audit3 openssh-5.9p1/sshd.c
|
||||
--- openssh-5.9p1/sshd.c.audit3 2011-09-14 07:05:56.554583874 +0200
|
||||
+++ openssh-5.9p1/sshd.c 2011-09-14 07:05:59.828466112 +0200
|
||||
@@ -118,6 +118,7 @@
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
@ -508,7 +515,7 @@ diff -up openssh-5.9p0/sshd.c.audit3 openssh-5.9p0/sshd.c
|
||||
#include "ssh-sandbox.h"
|
||||
#include "version.h"
|
||||
|
||||
@@ -2204,6 +2205,10 @@ do_ssh1_kex(void)
|
||||
@@ -2209,6 +2210,10 @@ do_ssh1_kex(void)
|
||||
if (cookie[i] != packet_get_char())
|
||||
packet_disconnect("IP Spoofing check bytes do not match.");
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
|
||||
--- openssh-5.9p1/audit-bsm.c.audit4 2011-09-13 07:36:58.921674464 +0200
|
||||
+++ openssh-5.9p1/audit-bsm.c 2011-09-13 07:36:59.171674206 +0200
|
||||
--- openssh-5.9p1/audit-bsm.c.audit4 2011-09-14 07:20:13.580471755 +0200
|
||||
+++ openssh-5.9p1/audit-bsm.c 2011-09-14 07:20:15.087521491 +0200
|
||||
@@ -408,4 +408,10 @@ audit_kex_body(int ctos, char *enc, char
|
||||
{
|
||||
/* not implemented */
|
||||
@ -13,9 +13,9 @@ diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
|
||||
--- openssh-5.9p1/audit-linux.c.audit4 2011-09-13 07:36:58.938720835 +0200
|
||||
+++ openssh-5.9p1/audit-linux.c 2011-09-13 07:36:59.187673990 +0200
|
||||
@@ -292,6 +292,8 @@ audit_unsupported_body(int what)
|
||||
--- openssh-5.9p1/audit-linux.c.audit4 2011-09-14 07:20:13.692465249 +0200
|
||||
+++ openssh-5.9p1/audit-linux.c 2011-09-14 07:21:51.559462876 +0200
|
||||
@@ -294,6 +294,8 @@ audit_unsupported_body(int what)
|
||||
#endif
|
||||
}
|
||||
|
||||
@ -24,15 +24,15 @@ diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
|
||||
void
|
||||
audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
|
||||
uid_t uid)
|
||||
@@ -299,7 +301,6 @@ audit_kex_body(int ctos, char *enc, char
|
||||
@@ -301,7 +303,6 @@ audit_kex_body(int ctos, char *enc, char
|
||||
#ifdef AUDIT_CRYPTO_SESSION
|
||||
char buf[AUDIT_LOG_SIZE];
|
||||
int audit_fd, audit_ok;
|
||||
- const static char *direction[] = { "from-server", "from-client", "both" };
|
||||
Cipher *cipher = cipher_by_name(enc);
|
||||
char *s;
|
||||
|
||||
snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d spid=%jd suid=%jd rport=%d laddr=%s lport=%d ",
|
||||
@@ -323,4 +324,30 @@ audit_kex_body(int ctos, char *enc, char
|
||||
@@ -327,4 +328,32 @@ audit_kex_body(int ctos, char *enc, char
|
||||
#endif
|
||||
}
|
||||
|
||||
@ -41,12 +41,14 @@ diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
|
||||
+{
|
||||
+ char buf[AUDIT_LOG_SIZE];
|
||||
+ int audit_fd, audit_ok;
|
||||
+ char *s;
|
||||
+
|
||||
+ snprintf(buf, sizeof(buf), "op=destroy kind=session fp=? direction=%s spid=%jd suid=%jd rport=%d laddr=%s lport=%d ",
|
||||
+ direction[ctos], (intmax_t)pid, (intmax_t)uid,
|
||||
+ get_remote_port(),
|
||||
+ get_local_ipaddr(packet_get_connection_in()),
|
||||
+ (s = get_local_ipaddr(packet_get_connection_in())),
|
||||
+ get_local_port());
|
||||
+ xfree(s);
|
||||
+ audit_fd = audit_open();
|
||||
+ if (audit_fd < 0) {
|
||||
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
|
||||
@ -64,8 +66,8 @@ diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
|
||||
+
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
|
||||
--- openssh-5.9p1/audit.c.audit4 2011-09-13 07:36:58.954674484 +0200
|
||||
+++ openssh-5.9p1/audit.c 2011-09-13 07:36:59.202799426 +0200
|
||||
--- openssh-5.9p1/audit.c.audit4 2011-09-14 07:20:13.787520896 +0200
|
||||
+++ openssh-5.9p1/audit.c 2011-09-14 07:20:15.619521843 +0200
|
||||
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
|
||||
PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
|
||||
}
|
||||
@ -96,8 +98,8 @@ diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
|
||||
--- openssh-5.9p1/audit.h.audit4 2011-09-13 07:36:58.971799421 +0200
|
||||
+++ openssh-5.9p1/audit.h 2011-09-13 07:36:59.216674281 +0200
|
||||
--- openssh-5.9p1/audit.h.audit4 2011-09-14 07:20:13.893524944 +0200
|
||||
+++ openssh-5.9p1/audit.h 2011-09-14 07:20:15.739523476 +0200
|
||||
@@ -62,5 +62,7 @@ void audit_unsupported(int);
|
||||
void audit_kex(int, char *, char *, char *);
|
||||
void audit_unsupported_body(int);
|
||||
@ -107,8 +109,8 @@ diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
|
||||
--- openssh-5.9p1/auditstub.c.audit4 2011-09-13 07:36:58.986674407 +0200
|
||||
+++ openssh-5.9p1/auditstub.c 2011-09-13 07:36:59.230674500 +0200
|
||||
--- openssh-5.9p1/auditstub.c.audit4 2011-09-14 07:20:13.993523515 +0200
|
||||
+++ openssh-5.9p1/auditstub.c 2011-09-14 07:20:15.843531733 +0200
|
||||
@@ -27,6 +27,8 @@
|
||||
* Red Hat author: Jan F. Chadima <jchadima@redhat.com>
|
||||
*/
|
||||
@ -132,8 +134,8 @@ diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
|
||||
+{
|
||||
+}
|
||||
diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
|
||||
--- openssh-5.9p1/kex.c.audit4 2011-09-13 07:36:59.032798982 +0200
|
||||
+++ openssh-5.9p1/kex.c 2011-09-13 07:36:59.243799057 +0200
|
||||
--- openssh-5.9p1/kex.c.audit4 2011-09-14 07:20:14.294645864 +0200
|
||||
+++ openssh-5.9p1/kex.c 2011-09-14 07:20:15.948646500 +0200
|
||||
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
@ -171,7 +173,7 @@ diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
|
||||
+
|
||||
diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
|
||||
--- openssh-5.9p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200
|
||||
+++ openssh-5.9p1/kex.h 2011-09-13 07:36:59.259674391 +0200
|
||||
+++ openssh-5.9p1/kex.h 2011-09-14 07:20:16.045521582 +0200
|
||||
@@ -156,6 +156,8 @@ void kexgex_server(Kex *);
|
||||
void kexecdh_client(Kex *);
|
||||
void kexecdh_server(Kex *);
|
||||
@ -183,7 +185,7 @@ diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
|
||||
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
||||
diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
|
||||
--- openssh-5.9p1/mac.c.audit4 2011-08-17 02:29:03.000000000 +0200
|
||||
+++ openssh-5.9p1/mac.c 2011-09-13 07:36:59.273799275 +0200
|
||||
+++ openssh-5.9p1/mac.c 2011-09-14 07:20:16.173477847 +0200
|
||||
@@ -168,6 +168,20 @@ mac_clear(Mac *mac)
|
||||
mac->umac_ctx = NULL;
|
||||
}
|
||||
@ -207,15 +209,15 @@ diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
|
||||
int
|
||||
diff -up openssh-5.9p1/mac.h.audit4 openssh-5.9p1/mac.h
|
||||
--- openssh-5.9p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200
|
||||
+++ openssh-5.9p1/mac.h 2011-09-13 07:36:59.286674543 +0200
|
||||
+++ openssh-5.9p1/mac.h 2011-09-14 07:20:16.287522108 +0200
|
||||
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
|
||||
int mac_init(Mac *);
|
||||
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
|
||||
void mac_clear(Mac *);
|
||||
+void mac_destroy(Mac *);
|
||||
diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
||||
--- openssh-5.9p1/monitor.c.audit4 2011-09-13 07:36:59.058688802 +0200
|
||||
+++ openssh-5.9p1/monitor.c 2011-09-13 07:38:37.825674060 +0200
|
||||
--- openssh-5.9p1/monitor.c.audit4 2011-09-14 07:20:14.404521153 +0200
|
||||
+++ openssh-5.9p1/monitor.c 2011-09-14 07:20:16.400462714 +0200
|
||||
@@ -190,6 +190,7 @@ int mm_answer_audit_command(int, Buffer
|
||||
int mm_answer_audit_end_command(int, Buffer *);
|
||||
int mm_answer_audit_unsupported_body(int, Buffer *);
|
||||
@ -261,7 +263,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
||||
}
|
||||
|
||||
- /* Drain any buffered messages from the child */
|
||||
- while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
|
||||
- while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
|
||||
- ;
|
||||
-
|
||||
if (!authctxt->valid)
|
||||
@ -297,13 +299,13 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
||||
+#endif
|
||||
+
|
||||
+ /* Drain any buffered messages from the child */
|
||||
+ while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
|
||||
+ while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
|
||||
+ ;
|
||||
+
|
||||
}
|
||||
|
||||
|
||||
@@ -2429,4 +2447,22 @@ mm_answer_audit_kex_body(int sock, Buffe
|
||||
@@ -2437,4 +2455,22 @@ mm_answer_audit_kex_body(int sock, Buffe
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -327,8 +329,8 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
|
||||
--- openssh-5.9p1/monitor.h.audit4 2011-09-13 07:36:59.076799458 +0200
|
||||
+++ openssh-5.9p1/monitor.h 2011-09-13 07:36:59.322799576 +0200
|
||||
--- openssh-5.9p1/monitor.h.audit4 2011-09-14 07:20:14.518521791 +0200
|
||||
+++ openssh-5.9p1/monitor.h 2011-09-14 07:20:16.512585387 +0200
|
||||
@@ -63,6 +63,7 @@ enum monitor_reqtype {
|
||||
MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,
|
||||
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||
@ -338,8 +340,8 @@ diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
|
||||
MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
|
||||
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
|
||||
diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
|
||||
--- openssh-5.9p1/monitor_wrap.c.audit4 2011-09-13 07:36:59.100724984 +0200
|
||||
+++ openssh-5.9p1/monitor_wrap.c 2011-09-13 07:36:59.339674340 +0200
|
||||
--- openssh-5.9p1/monitor_wrap.c.audit4 2011-09-14 07:20:14.713521378 +0200
|
||||
+++ openssh-5.9p1/monitor_wrap.c 2011-09-14 07:20:16.640587362 +0200
|
||||
@@ -653,12 +653,14 @@ mm_send_keystate(struct monitor *monitor
|
||||
fatal("%s: conversion of newkeys failed", __func__);
|
||||
|
||||
@ -376,8 +378,8 @@ diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
|
||||
--- openssh-5.9p1/monitor_wrap.h.audit4 2011-09-13 07:36:59.118674223 +0200
|
||||
+++ openssh-5.9p1/monitor_wrap.h 2011-09-13 07:36:59.353674499 +0200
|
||||
--- openssh-5.9p1/monitor_wrap.h.audit4 2011-09-14 07:20:14.821520100 +0200
|
||||
+++ openssh-5.9p1/monitor_wrap.h 2011-09-14 07:20:16.749585355 +0200
|
||||
@@ -80,6 +80,7 @@ int mm_audit_run_command(const char *);
|
||||
void mm_audit_end_command(int, const char *);
|
||||
void mm_audit_unsupported_body(int);
|
||||
@ -387,8 +389,8 @@ diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
|
||||
--- openssh-5.9p1/packet.c.audit4 2011-09-13 07:36:58.244674109 +0200
|
||||
+++ openssh-5.9p1/packet.c 2011-09-13 07:36:59.373710318 +0200
|
||||
--- openssh-5.9p1/packet.c.audit4 2011-09-14 07:20:09.337458270 +0200
|
||||
+++ openssh-5.9p1/packet.c 2011-09-14 07:20:16.892461022 +0200
|
||||
@@ -60,6 +60,7 @@
|
||||
#include <signal.h>
|
||||
|
||||
@ -582,7 +584,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
|
||||
+
|
||||
diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
|
||||
--- openssh-5.9p1/packet.h.audit4 2011-05-15 00:43:13.000000000 +0200
|
||||
+++ openssh-5.9p1/packet.h 2011-09-13 07:36:59.390799281 +0200
|
||||
+++ openssh-5.9p1/packet.h 2011-09-14 07:20:17.003583853 +0200
|
||||
@@ -124,4 +124,5 @@ void packet_restore_state(void);
|
||||
void *packet_get_input(void);
|
||||
void *packet_get_output(void);
|
||||
@ -590,8 +592,8 @@ diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
|
||||
+void packet_destroy_all(int, int);
|
||||
#endif /* PACKET_H */
|
||||
diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
|
||||
--- openssh-5.9p1/session.c.audit4 2011-09-13 07:36:58.637798995 +0200
|
||||
+++ openssh-5.9p1/session.c 2011-09-13 07:36:59.411690264 +0200
|
||||
--- openssh-5.9p1/session.c.audit4 2011-09-14 07:20:11.774521404 +0200
|
||||
+++ openssh-5.9p1/session.c 2011-09-14 07:20:17.134462420 +0200
|
||||
@@ -1634,6 +1634,9 @@ do_child(Session *s, const char *command
|
||||
|
||||
/* remove hostkey from the child's memory */
|
||||
@ -603,9 +605,9 @@ diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
|
||||
/* Force a password change */
|
||||
if (s->authctxt->force_pwchange) {
|
||||
diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
|
||||
--- openssh-5.9p1/sshd.c.audit4 2011-09-13 07:36:59.143674103 +0200
|
||||
+++ openssh-5.9p1/sshd.c 2011-09-13 07:39:06.125718627 +0200
|
||||
@@ -684,6 +684,8 @@ privsep_preauth(Authctxt *authctxt)
|
||||
--- openssh-5.9p1/sshd.c.audit4 2011-09-14 07:20:14.946521214 +0200
|
||||
+++ openssh-5.9p1/sshd.c 2011-09-14 07:20:17.258458657 +0200
|
||||
@@ -686,6 +686,8 @@ privsep_preauth(Authctxt *authctxt)
|
||||
}
|
||||
}
|
||||
|
||||
@ -614,7 +616,7 @@ diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
|
||||
static void
|
||||
privsep_postauth(Authctxt *authctxt)
|
||||
{
|
||||
@@ -708,6 +710,10 @@ privsep_postauth(Authctxt *authctxt)
|
||||
@@ -710,6 +712,10 @@ privsep_postauth(Authctxt *authctxt)
|
||||
else if (pmonitor->m_pid != 0) {
|
||||
verbose("User child is on pid %ld", (long)pmonitor->m_pid);
|
||||
buffer_clear(&loginmsg);
|
||||
@ -625,7 +627,7 @@ diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
|
||||
monitor_child_postauth(pmonitor);
|
||||
|
||||
/* NEVERREACHED */
|
||||
@@ -1999,6 +2005,7 @@ main(int ac, char **av)
|
||||
@@ -2001,6 +2007,7 @@ main(int ac, char **av)
|
||||
*/
|
||||
if (use_privsep) {
|
||||
mm_send_keystate(pmonitor);
|
||||
@ -633,7 +635,7 @@ diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
|
||||
exit(0);
|
||||
}
|
||||
|
||||
@@ -2051,6 +2058,8 @@ main(int ac, char **av)
|
||||
@@ -2053,6 +2060,8 @@ main(int ac, char **av)
|
||||
do_authenticated(authctxt);
|
||||
|
||||
/* The connection has been terminated. */
|
||||
@ -642,7 +644,7 @@ diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
|
||||
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
|
||||
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
|
||||
verbose("Transferred: sent %llu, received %llu bytes",
|
||||
@@ -2368,8 +2377,20 @@ do_ssh2_kex(void)
|
||||
@@ -2370,8 +2379,20 @@ do_ssh2_kex(void)
|
||||
void
|
||||
cleanup_exit(int i)
|
||||
{
|
||||
|
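Review bot: In the audit-linux.c hunk at `@ -41,12 +41,14 @@` the allocation is now captured inline as `(s = get_local_ipaddr(packet_get_connection_in())),` inside the snprintf argument list and released by `xfree(s);` on the next statement, which closes the leak but buries the ownership in the middle of a seven-argument call. Hoisting it to its own statement before the snprintf, `s = get_local_ipaddr(packet_get_connection_in());`, and passing plain `s` as the argument makes the free obvious and avoids the assignment-in-argument form. A short comment on the free, `/* get_local_ipaddr() hands back an allocated copy */`, would record why `s` is released here, assuming that is the reason. The enclosing function (the body opened by `+{` after audit_kex_body) continues past the visible part of the hunk.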
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.9p1/audit-bsm.c.audit5 openssh-5.9p1/audit-bsm.c
|
||||
--- openssh-5.9p1/audit-bsm.c.audit5 2011-09-10 19:40:19.638521318 +0200
|
||||
+++ openssh-5.9p1/audit-bsm.c 2011-09-10 19:40:21.675487204 +0200
|
||||
--- openssh-5.9p1/audit-bsm.c.audit5 2011-09-13 22:07:31.262575526 +0200
|
||||
+++ openssh-5.9p1/audit-bsm.c 2011-09-13 22:07:33.268491813 +0200
|
||||
@@ -414,4 +414,22 @@ audit_session_key_free_body(int ctos, pi
|
||||
{
|
||||
/* not implemented */
|
||||
@ -25,8 +25,8 @@ diff -up openssh-5.9p1/audit-bsm.c.audit5 openssh-5.9p1/audit-bsm.c
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-5.9p1/audit-linux.c.audit5 openssh-5.9p1/audit-linux.c
|
||||
--- openssh-5.9p1/audit-linux.c.audit5 2011-09-10 19:40:19.713521349 +0200
|
||||
+++ openssh-5.9p1/audit-linux.c 2011-09-10 19:40:21.765473529 +0200
|
||||
--- openssh-5.9p1/audit-linux.c.audit5 2011-09-13 22:07:31.400584308 +0200
|
||||
+++ openssh-5.9p1/audit-linux.c 2011-09-13 22:07:33.357460348 +0200
|
||||
@@ -350,4 +350,50 @@ audit_session_key_free_body(int ctos, pi
|
||||
error("cannot write into audit");
|
||||
}
|
||||
@ -79,8 +79,8 @@ diff -up openssh-5.9p1/audit-linux.c.audit5 openssh-5.9p1/audit-linux.c
|
||||
+}
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-5.9p1/audit.c.audit5 openssh-5.9p1/audit.c
|
||||
--- openssh-5.9p1/audit.c.audit5 2011-09-10 19:40:19.814646179 +0200
|
||||
+++ openssh-5.9p1/audit.c 2011-09-10 19:40:21.872459880 +0200
|
||||
--- openssh-5.9p1/audit.c.audit5 2011-09-13 22:07:31.495458797 +0200
|
||||
+++ openssh-5.9p1/audit.c 2011-09-13 22:07:33.478458341 +0200
|
||||
@@ -290,5 +290,24 @@ audit_session_key_free_body(int ctos, pi
|
||||
debug("audit session key discard euid %u direction %d from pid %ld uid %u",
|
||||
(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
|
||||
@ -107,8 +107,8 @@ diff -up openssh-5.9p1/audit.c.audit5 openssh-5.9p1/audit.c
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.9p1/audit.h.audit5 openssh-5.9p1/audit.h
|
||||
--- openssh-5.9p1/audit.h.audit5 2011-09-10 19:40:19.945521685 +0200
|
||||
+++ openssh-5.9p1/audit.h 2011-09-10 19:40:21.990457118 +0200
|
||||
--- openssh-5.9p1/audit.h.audit5 2011-09-13 22:07:31.616459125 +0200
|
||||
+++ openssh-5.9p1/audit.h 2011-09-13 22:07:33.612458074 +0200
|
||||
@@ -48,6 +48,8 @@ enum ssh_audit_event_type {
|
||||
};
|
||||
typedef enum ssh_audit_event_type ssh_audit_event_t;
|
||||
@ -127,8 +127,8 @@ diff -up openssh-5.9p1/audit.h.audit5 openssh-5.9p1/audit.h
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.9p1/key.c.audit5 openssh-5.9p1/key.c
|
||||
--- openssh-5.9p1/key.c.audit5 2011-09-10 19:40:11.396460430 +0200
|
||||
+++ openssh-5.9p1/key.c 2011-09-10 19:40:22.096459112 +0200
|
||||
--- openssh-5.9p1/key.c.audit5 2011-09-13 22:07:23.054490740 +0200
|
||||
+++ openssh-5.9p1/key.c 2011-09-13 22:07:33.721583661 +0200
|
||||
@@ -1799,6 +1799,30 @@ key_demote(const Key *k)
|
||||
}
|
||||
|
||||
@ -161,8 +161,8 @@ diff -up openssh-5.9p1/key.c.audit5 openssh-5.9p1/key.c
|
||||
{
|
||||
if (k == NULL)
|
||||
diff -up openssh-5.9p1/key.h.audit5 openssh-5.9p1/key.h
|
||||
--- openssh-5.9p1/key.h.audit5 2011-09-10 19:40:11.510460018 +0200
|
||||
+++ openssh-5.9p1/key.h 2011-09-10 19:40:22.208459363 +0200
|
||||
--- openssh-5.9p1/key.h.audit5 2011-09-13 22:07:23.160459285 +0200
|
||||
+++ openssh-5.9p1/key.h 2011-09-13 22:07:33.847459341 +0200
|
||||
@@ -109,6 +109,7 @@ Key *key_generate(int, u_int);
|
||||
Key *key_from_private(const Key *);
|
||||
int key_type_from_name(char *);
|
||||
@ -172,8 +172,8 @@ diff -up openssh-5.9p1/key.h.audit5 openssh-5.9p1/key.h
|
||||
int key_to_certified(Key *, int);
|
||||
int key_drop_cert(Key *);
|
||||
diff -up openssh-5.9p1/monitor.c.audit5 openssh-5.9p1/monitor.c
|
||||
--- openssh-5.9p1/monitor.c.audit5 2011-09-10 19:40:20.635514835 +0200
|
||||
+++ openssh-5.9p1/monitor.c 2011-09-10 19:40:22.327585849 +0200
|
||||
--- openssh-5.9p1/monitor.c.audit5 2011-09-13 22:07:32.285495537 +0200
|
||||
+++ openssh-5.9p1/monitor.c 2011-09-13 22:10:04.148554239 +0200
|
||||
@@ -114,6 +114,8 @@ extern Buffer auth_debug;
|
||||
extern int auth_debug_init;
|
||||
extern Buffer loginmsg;
|
||||
@ -223,7 +223,7 @@ diff -up openssh-5.9p1/monitor.c.audit5 openssh-5.9p1/monitor.c
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -1720,6 +1727,8 @@ mm_answer_term(int sock, Buffer *req)
|
||||
@@ -1716,6 +1723,8 @@ mm_answer_term(int sock, Buffer *req)
|
||||
sshpam_cleanup();
|
||||
#endif
|
||||
|
||||
@ -232,7 +232,7 @@ diff -up openssh-5.9p1/monitor.c.audit5 openssh-5.9p1/monitor.c
|
||||
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
|
||||
if (errno != EINTR)
|
||||
exit(1);
|
||||
@@ -2466,4 +2475,24 @@ mm_answer_audit_session_key_free_body(in
|
||||
@@ -2470,4 +2479,25 @@ mm_answer_audit_session_key_free_body(in
|
||||
mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
|
||||
return 0;
|
||||
}
|
||||
@ -251,6 +251,7 @@ diff -up openssh-5.9p1/monitor.c.audit5 openssh-5.9p1/monitor.c
|
||||
+
|
||||
+ audit_destroy_sensitive_data(fp, pid, uid);
|
||||
+
|
||||
+ xfree(fp);
|
||||
+ buffer_clear(m);
|
||||
+
|
||||
+ mm_request_send(sock, MONITOR_ANS_AUDIT_SERVER_KEY_FREE, m);
|
||||
@ -258,8 +259,8 @@ diff -up openssh-5.9p1/monitor.c.audit5 openssh-5.9p1/monitor.c
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.9p1/monitor.h.audit5 openssh-5.9p1/monitor.h
|
||||
--- openssh-5.9p1/monitor.h.audit5 2011-09-10 19:40:20.741522656 +0200
|
||||
+++ openssh-5.9p1/monitor.h 2011-09-10 19:40:22.440461159 +0200
|
||||
--- openssh-5.9p1/monitor.h.audit5 2011-09-13 22:07:32.385522626 +0200
|
||||
+++ openssh-5.9p1/monitor.h 2011-09-13 22:07:34.098459356 +0200
|
||||
@@ -64,6 +64,7 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
|
||||
@ -269,8 +270,8 @@ diff -up openssh-5.9p1/monitor.h.audit5 openssh-5.9p1/monitor.h
|
||||
MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
|
||||
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
|
||||
diff -up openssh-5.9p1/monitor_wrap.c.audit5 openssh-5.9p1/monitor_wrap.c
|
||||
--- openssh-5.9p1/monitor_wrap.c.audit5 2011-09-10 19:40:20.871609482 +0200
|
||||
+++ openssh-5.9p1/monitor_wrap.c 2011-09-10 19:40:22.559458727 +0200
|
||||
--- openssh-5.9p1/monitor_wrap.c.audit5 2011-09-13 22:07:32.510521163 +0200
|
||||
+++ openssh-5.9p1/monitor_wrap.c 2011-09-13 22:07:34.610458275 +0200
|
||||
@@ -1559,4 +1559,20 @@ mm_audit_session_key_free_body(int ctos,
|
||||
&m);
|
||||
buffer_free(&m);
|
||||
@ -293,8 +294,8 @@ diff -up openssh-5.9p1/monitor_wrap.c.audit5 openssh-5.9p1/monitor_wrap.c
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.9p1/monitor_wrap.h.audit5 openssh-5.9p1/monitor_wrap.h
|
||||
--- openssh-5.9p1/monitor_wrap.h.audit5 2011-09-10 19:40:20.983521729 +0200
|
||||
+++ openssh-5.9p1/monitor_wrap.h 2011-09-10 19:40:22.730460011 +0200
|
||||
--- openssh-5.9p1/monitor_wrap.h.audit5 2011-09-13 22:07:32.607520810 +0200
|
||||
+++ openssh-5.9p1/monitor_wrap.h 2011-09-13 22:07:34.716458214 +0200
|
||||
@@ -81,6 +81,7 @@ void mm_audit_end_command(int, const cha
|
||||
void mm_audit_unsupported_body(int);
|
||||
void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||
@ -304,8 +305,8 @@ diff -up openssh-5.9p1/monitor_wrap.h.audit5 openssh-5.9p1/monitor_wrap.h
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-5.9p1/session.c.audit5 openssh-5.9p1/session.c
|
||||
--- openssh-5.9p1/session.c.audit5 2011-09-10 19:40:21.385531298 +0200
|
||||
+++ openssh-5.9p1/session.c 2011-09-10 19:40:22.903583654 +0200
|
||||
--- openssh-5.9p1/session.c.audit5 2011-09-13 22:07:32.973544819 +0200
|
||||
+++ openssh-5.9p1/session.c 2011-09-13 22:07:34.849585578 +0200
|
||||
@@ -136,7 +136,7 @@ extern int log_stderr;
|
||||
extern int debug_flag;
|
||||
extern u_int utmp_len;
|
||||
@ -325,8 +326,8 @@ diff -up openssh-5.9p1/session.c.audit5 openssh-5.9p1/session.c
|
||||
monitor over a single socket, with no synchronization. */
|
||||
packet_destroy_all(0, 1);
|
||||
diff -up openssh-5.9p1/sshd.c.audit5 openssh-5.9p1/sshd.c
|
||||
--- openssh-5.9p1/sshd.c.audit5 2011-09-10 19:40:21.520510716 +0200
|
||||
+++ openssh-5.9p1/sshd.c 2011-09-10 19:42:06.573520393 +0200
|
||||
--- openssh-5.9p1/sshd.c.audit5 2011-09-13 22:07:33.106516378 +0200
|
||||
+++ openssh-5.9p1/sshd.c 2011-09-13 22:07:34.989470331 +0200
|
||||
@@ -254,7 +254,7 @@ Buffer loginmsg;
|
||||
struct passwd *privsep_pw = NULL;
|
||||
|
||||
@ -440,7 +441,7 @@ diff -up openssh-5.9p1/sshd.c.audit5 openssh-5.9p1/sshd.c
|
||||
}
|
||||
/* Certs do not need demotion */
|
||||
}
|
||||
@@ -1143,6 +1193,7 @@ server_accept_loop(int *sock_in, int *so
|
||||
@@ -1145,6 +1195,7 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (received_sigterm) {
|
||||
logit("Received signal %d; terminating.",
|
||||
(int) received_sigterm);
|
||||
|
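Review bot: The added `+ xfree(fp);` in the monitor.c hunk at `@ -251,6 +251,7 @@` releases the fingerprint once `audit_destroy_sensitive_data(fp, pid, uid);` has returned, but nothing in the hunk marks `fp` as owned by this handler, so a later edit could move or drop the free again; a comment such as `/* fp is this handler's own copy; release it once the audit record is emitted */` next to the xfree would pin it. The handler that obtains `fp` (presumably the one answering with MONITOR_ANS_AUDIT_SERVER_KEY_FREE) starts before the visible hunk, so where `fp` is allocated is not shown here. The updated header `@@ -2470,4 +2479,25 @@` accounts for the one extra line.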
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
|
||||
--- openssh-5.9p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200
|
||||
+++ openssh-5.9p1/auth-pam.c 2011-09-13 08:41:24.635521346 +0200
|
||||
+++ openssh-5.9p1/auth-pam.c 2011-09-14 08:09:47.074520582 +0200
|
||||
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
|
||||
if (sshpam_thread_status != -1)
|
||||
return (sshpam_thread_status);
|
||||
@ -17,7 +17,7 @@ diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
|
||||
#endif
|
||||
diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c
|
||||
--- openssh-5.9p1/channels.c.coverity 2011-06-23 00:31:57.000000000 +0200
|
||||
+++ openssh-5.9p1/channels.c 2011-09-13 08:26:11.771584519 +0200
|
||||
+++ openssh-5.9p1/channels.c 2011-09-14 08:09:47.556582810 +0200
|
||||
@@ -229,11 +229,11 @@ channel_register_fds(Channel *c, int rfd
|
||||
channel_max_fd = MAX(channel_max_fd, wfd);
|
||||
channel_max_fd = MAX(channel_max_fd, efd);
|
||||
@ -50,8 +50,8 @@ diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c
|
||||
}
|
||||
diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
|
||||
--- openssh-5.9p1/clientloop.c.coverity 2011-06-23 00:31:58.000000000 +0200
|
||||
+++ openssh-5.9p1/clientloop.c 2011-09-13 08:26:11.889458598 +0200
|
||||
@@ -1970,6 +1970,7 @@ client_input_global_request(int type, u_
|
||||
+++ openssh-5.9p1/clientloop.c 2011-09-14 08:17:41.556521887 +0200
|
||||
@@ -1970,14 +1970,15 @@ client_input_global_request(int type, u_
|
||||
char *rtype;
|
||||
int want_reply;
|
||||
int success = 0;
|
||||
@ -59,9 +59,19 @@ diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
|
||||
|
||||
rtype = packet_get_string(NULL);
|
||||
want_reply = packet_get_char();
|
||||
debug("client_input_global_request: rtype %s want_reply %d",
|
||||
rtype, want_reply);
|
||||
if (want_reply) {
|
||||
- packet_start(success ?
|
||||
- SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
|
||||
+ packet_start(/*success ?
|
||||
+ SSH2_MSG_REQUEST_SUCCESS :*/ SSH2_MSG_REQUEST_FAILURE);
|
||||
packet_send();
|
||||
packet_write_wait();
|
||||
}
|
||||
diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
|
||||
--- openssh-5.9p1/key.c.coverity 2011-05-20 11:03:08.000000000 +0200
|
||||
+++ openssh-5.9p1/key.c 2011-09-13 08:26:12.000459857 +0200
|
||||
+++ openssh-5.9p1/key.c 2011-09-14 08:09:47.803458435 +0200
|
||||
@@ -803,8 +803,10 @@ key_read(Key *ret, char **cpp)
|
||||
success = 1;
|
||||
/*XXXX*/
|
||||
@ -73,9 +83,19 @@ diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
|
||||
/* advance cp: skip whitespace and data */
|
||||
while (*cp == ' ' || *cp == '\t')
|
||||
cp++;
|
||||
diff -up openssh-5.9p1/misc.c.coverity openssh-5.9p1/misc.c
|
||||
diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
|
||||
--- openssh-5.9p1/monitor.c.coverity 2011-08-05 22:15:18.000000000 +0200
|
||||
+++ openssh-5.9p1/monitor.c 2011-09-13 08:26:12.132583409 +0200
|
||||
+++ openssh-5.9p1/monitor.c 2011-09-14 08:09:47.914584009 +0200
|
||||
@@ -420,7 +420,7 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
}
|
||||
|
||||
/* Drain any buffered messages from the child */
|
||||
- while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
|
||||
+ while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
|
||||
;
|
||||
|
||||
if (!authctxt->valid)
|
||||
@@ -1161,6 +1161,10 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
break;
|
||||
}
|
||||
@ -97,9 +117,26 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
|
||||
buffer_clear(m);
|
||||
buffer_put_int(m, allowed);
|
||||
buffer_put_int(m, forced_command != NULL);
|
||||
diff -up openssh-5.9p1/monitor_wrap.c.coverity openssh-5.9p1/monitor_wrap.c
|
||||
--- openssh-5.9p1/monitor_wrap.c.coverity 2011-09-14 08:11:36.480500123 +0200
|
||||
+++ openssh-5.9p1/monitor_wrap.c 2011-09-14 08:14:11.279520598 +0200
|
||||
@@ -707,10 +707,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
|
||||
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
|
||||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
|
||||
error("%s: cannot allocate fds for pty", __func__);
|
||||
- if (tmp1 > 0)
|
||||
+ if (tmp1 >= 0)
|
||||
close(tmp1);
|
||||
- if (tmp2 > 0)
|
||||
- close(tmp2);
|
||||
+ /*DEAD CODE if (tmp2 >= 0)
|
||||
+ close(tmp2);*/
|
||||
return 0;
|
||||
}
|
||||
close(tmp1);
|
||||
diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/openbsd-compat/bindresvport.c
|
||||
--- openssh-5.9p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100
|
||||
+++ openssh-5.9p1/openbsd-compat/bindresvport.c 2011-09-13 08:26:12.298464549 +0200
|
||||
+++ openssh-5.9p1/openbsd-compat/bindresvport.c 2011-09-14 08:09:48.084459344 +0200
|
||||
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
|
||||
struct sockaddr_in6 *in6;
|
||||
u_int16_t *portp;
|
||||
@ -111,7 +148,7 @@ diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/open
|
||||
if (sa == NULL) {
|
||||
diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
|
||||
--- openssh-5.9p1/packet.c.coverity 2011-05-15 00:58:15.000000000 +0200
|
||||
+++ openssh-5.9p1/packet.c 2011-09-13 08:26:12.405461249 +0200
|
||||
+++ openssh-5.9p1/packet.c 2011-09-14 08:09:48.184587842 +0200
|
||||
@@ -1177,6 +1177,7 @@ packet_read_poll1(void)
|
||||
case DEATTACK_DETECTED:
|
||||
packet_disconnect("crc32 compensation attack: "
|
||||
@ -131,7 +168,7 @@ diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
|
||||
setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
|
||||
diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
|
||||
--- openssh-5.9p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200
|
||||
+++ openssh-5.9p1/progressmeter.c 2011-09-13 08:26:12.511520013 +0200
|
||||
+++ openssh-5.9p1/progressmeter.c 2011-09-14 08:09:48.300586004 +0200
|
||||
@@ -65,7 +65,7 @@ static void update_progress_meter(int);
|
||||
|
||||
static time_t start; /* start progress */
|
||||
@ -152,7 +189,7 @@ diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
|
||||
file = f;
|
||||
diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
|
||||
--- openssh-5.9p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
|
||||
+++ openssh-5.9p1/progressmeter.h 2011-09-13 08:26:12.630521541 +0200
|
||||
+++ openssh-5.9p1/progressmeter.h 2011-09-14 08:09:48.420645724 +0200
|
||||
@@ -23,5 +23,5 @@
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
@ -162,7 +199,7 @@ diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
|
||||
void stop_progress_meter(void);
|
||||
diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
|
||||
--- openssh-5.9p1/scp.c.coverity 2011-01-06 12:41:21.000000000 +0100
|
||||
+++ openssh-5.9p1/scp.c 2011-09-13 08:26:12.748520967 +0200
|
||||
+++ openssh-5.9p1/scp.c 2011-09-14 08:09:48.531505457 +0200
|
||||
@@ -155,7 +155,7 @@ killchild(int signo)
|
||||
{
|
||||
if (do_cmd_pid > 1) {
|
||||
@ -174,7 +211,16 @@ diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
|
||||
if (signo)
|
||||
diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
|
||||
--- openssh-5.9p1/servconf.c.coverity 2011-06-23 00:30:03.000000000 +0200
|
||||
+++ openssh-5.9p1/servconf.c 2011-09-13 08:26:12.854521290 +0200
|
||||
+++ openssh-5.9p1/servconf.c 2011-09-14 08:30:17.557468182 +0200
|
||||
@@ -609,7 +609,7 @@ match_cfg_line(char **condition, int lin
|
||||
debug3("checking syntax for 'Match %s'", cp);
|
||||
else
|
||||
debug3("checking match for '%s' user %s host %s addr %s", cp,
|
||||
- user ? user : "(null)", host ? host : "(null)",
|
||||
+ user /* User is not NULL ? user : "(null)" */, host ? host : "(null)",
|
||||
address ? address : "(null)");
|
||||
|
||||
while ((attrib = strdelim(&cp)) && *attrib != '\0') {
|
||||
@@ -1171,7 +1171,7 @@ process_server_config_line(ServerOptions
|
||||
fatal("%s line %d: Missing subsystem name.",
|
||||
filename, linenum);
|
||||
@ -184,9 +230,21 @@ diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
|
||||
break;
|
||||
}
|
||||
for (i = 0; i < options->num_subsystems; i++)
|
||||
@@ -1262,8 +1262,9 @@ process_server_config_line(ServerOptions
|
||||
if (*activep && *charptr == NULL) {
|
||||
*charptr = tilde_expand_filename(arg, getuid());
|
||||
/* increase optional counter */
|
||||
- if (intptr != NULL)
|
||||
- *intptr = *intptr + 1;
|
||||
+ /* DEAD CODE intptr is still NULL ;)
|
||||
+ if (intptr != NULL)
|
||||
+ *intptr = *intptr + 1; */
|
||||
}
|
||||
break;
|
||||
|
||||
diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
|
||||
--- openssh-5.9p1/serverloop.c.coverity 2011-05-20 11:02:50.000000000 +0200
|
||||
+++ openssh-5.9p1/serverloop.c 2011-09-13 08:26:12.968645756 +0200
|
||||
+++ openssh-5.9p1/serverloop.c 2011-09-14 08:09:48.793586380 +0200
|
||||
@@ -147,13 +147,13 @@ notify_setup(void)
|
||||
static void
|
||||
notify_parent(void)
|
||||
@ -298,7 +356,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
|
||||
tun = forced_tun_device;
|
||||
diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
--- openssh-5.9p1/sftp-client.c.coverity 2010-12-04 23:02:48.000000000 +0100
|
||||
+++ openssh-5.9p1/sftp-client.c 2011-09-13 08:26:13.083520760 +0200
|
||||
+++ openssh-5.9p1/sftp-client.c 2011-09-14 08:09:48.910470343 +0200
|
||||
@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
|
||||
}
|
||||
|
||||
@ -523,7 +581,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
|
||||
size_t len = strlen(p1) + strlen(p2) + 2;
|
||||
diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
|
||||
--- openssh-5.9p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100
|
||||
+++ openssh-5.9p1/sftp-client.h 2011-09-13 08:26:13.181525164 +0200
|
||||
+++ openssh-5.9p1/sftp-client.h 2011-09-14 08:09:49.021583940 +0200
|
||||
@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
|
||||
u_int sftp_proto_version(struct sftp_conn *);
|
||||
|
||||
@ -623,7 +681,7 @@ diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
|
||||
#endif
|
||||
diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c
|
||||
--- openssh-5.9p1/sftp.c.coverity 2010-12-04 23:02:48.000000000 +0100
|
||||
+++ openssh-5.9p1/sftp.c 2011-09-13 08:26:13.311521187 +0200
|
||||
+++ openssh-5.9p1/sftp.c 2011-09-14 08:09:49.468493585 +0200
|
||||
@@ -206,7 +206,7 @@ killchild(int signo)
|
||||
{
|
||||
if (sshpid > 1) {
|
||||
@ -738,7 +796,7 @@ diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c
|
||||
char s_used[FMT_SCALED_STRSIZE];
|
||||
diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
|
||||
--- openssh-5.9p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200
|
||||
+++ openssh-5.9p1/ssh-agent.c 2011-09-13 08:26:13.416521025 +0200
|
||||
+++ openssh-5.9p1/ssh-agent.c 2011-09-14 08:09:49.572460295 +0200
|
||||
@@ -1147,8 +1147,8 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
@ -752,8 +810,20 @@ diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
|
||||
/* Disable ptrace on Linux without sgid bit */
|
||||
diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
|
||||
--- openssh-5.9p1/sshd.c.coverity 2011-06-23 11:45:51.000000000 +0200
|
||||
+++ openssh-5.9p1/sshd.c 2011-09-13 08:26:13.565519531 +0200
|
||||
@@ -1302,6 +1302,9 @@ server_accept_loop(int *sock_in, int *so
|
||||
+++ openssh-5.9p1/sshd.c 2011-09-14 08:09:49.687509968 +0200
|
||||
@@ -676,8 +676,10 @@ privsep_preauth(Authctxt *authctxt)
|
||||
if (getuid() == 0 || geteuid() == 0)
|
||||
privsep_preauth_child();
|
||||
setproctitle("%s", "[net]");
|
||||
- if (box != NULL)
|
||||
+ if (box != NULL) {
|
||||
ssh_sandbox_child(box);
|
||||
+ xfree(box);
|
||||
+ }
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -1302,6 +1304,9 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (num_listen_socks < 0)
|
||||
break;
|
||||
}
|
||||
@ -763,7 +833,7 @@ diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
|
||||
}
|
||||
|
||||
|
||||
@@ -1774,7 +1777,7 @@ main(int ac, char **av)
|
||||
@@ -1774,7 +1779,7 @@ main(int ac, char **av)
|
||||
|
||||
/* Chdir to the root directory so that the current disk can be
|
||||
unmounted if desired. */
|
||||
|
@ -26,7 +26,7 @@ diff -up openssh-5.9p1/configure.ac.sesandbox openssh-5.9p1/configure.ac
|
||||
AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
|
||||
SANDBOX_STYLE="darwin"
|
||||
AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
|
||||
+elif test "x$sandbox_arg" = "xselinux" \\
|
||||
+elif test "x$sandbox_arg" = "xselinux" || \
|
||||
+ test "x$WITH_SELINUX" = "x1"; then
|
||||
+ SANDBOX_STYLE="selinux"
|
||||
+ AC_DEFINE([SANDBOX_SELINUX], [1], [Sandbox using selinux(8)])
|
||||
@ -105,7 +105,7 @@ diff -up openssh-5.9p1/openbsd-compat/port-linux.h.sesandbox openssh-5.9p1/openb
|
||||
diff -up openssh-5.9p1/sandbox-selinux.c.sesandbox openssh-5.9p1/sandbox-selinux.c
|
||||
--- openssh-5.9p1/sandbox-selinux.c.sesandbox 2011-09-13 16:01:08.715520826 +0200
|
||||
+++ openssh-5.9p1/sandbox-selinux.c 2011-09-13 16:20:02.463511312 +0200
|
||||
@@ -0,0 +1,120 @@
|
||||
@@ -0,0 +1,121 @@
|
||||
+/* $Id: sandbox-selinux.c,v 1.0 2011/01/17 10:15:30 jfch Exp $ */
|
||||
+
|
||||
+/*
|
||||
@ -148,11 +148,12 @@ diff -up openssh-5.9p1/sandbox-selinux.c.sesandbox openssh-5.9p1/sandbox-selinux
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <unistd.h>
|
||||
+#include <sys/resource.h>
|
||||
+
|
||||
+#include "log.h"
|
||||
+#include "ssh-sandbox.h"
|
||||
+#include "xmalloc.h"
|
||||
+#include "openbsd-comnpat/port-linux.h"
|
||||
+#include "openbsd-compat/port-linux.h"
|
||||
+
|
||||
+/* selinux based sandbox */
|
||||
+
|
||||
|
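--- /dev/null
+++ b/openssh-5.9p1-wIm.patch
@@ -0,0 +1,78 @@
+diff -up openssh-5.9p1/Makefile.in.wIm openssh-5.9p1/Makefile.in
+--- openssh-5.9p1/Makefile.in.wIm 2011-08-05 22:15:18.000000000 +0200
++++ openssh-5.9p1/Makefile.in 2011-09-12 16:24:18.643674014 +0200
+@@ -66,7 +66,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
+cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
+compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
+log.o match.o md-sha256.o moduli.o nchan.o packet.o \
+- readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
++ readpass.o rsa.o ttymodes.o whereIam.o xmalloc.o addrmatch.o \
+atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
+monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
+kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
+diff -up openssh-5.9p1/log.h.wIm openssh-5.9p1/log.h
+--- openssh-5.9p1/log.h.wIm 2011-06-20 06:42:23.000000000 +0200
++++ openssh-5.9p1/log.h 2011-09-12 16:34:52.984674326 +0200
+@@ -65,6 +65,8 @@ void verbose(const char *, ...) __at
+void debug(const char *, ...) __attribute__((format(printf, 1, 2)));
+void debug2(const char *, ...) __attribute__((format(printf, 1, 2)));
+void debug3(const char *, ...) __attribute__((format(printf, 1, 2)));
++void _debug_wIm_body(const char *, int, const char *, const char *, int);
++#define debug_wIm(a,b) _debug_wIm_body(a,b,__func__,__FILE__,__LINE__)
+
+
+void set_log_handler(log_handler_fn *, void *);
+diff -up openssh-5.9p1/sshd.c.wIm openssh-5.9p1/sshd.c
+--- openssh-5.9p1/sshd.c.wIm 2011-06-23 11:45:51.000000000 +0200
++++ openssh-5.9p1/sshd.c 2011-09-12 16:38:35.787816490 +0200
+@@ -140,6 +140,9 @@ int deny_severity;
+
+extern char *__progname;
+
++/* trace of fork processes */
++extern int whereIam;
++
+/* Server configuration options. */
+ServerOptions options;
+
+@@ -666,6 +669,7 @@ privsep_preauth(Authctxt *authctxt)
+return 1;
+} else {
+/* child */
++ whereIam = 1;
+close(pmonitor->m_sendfd);
+close(pmonitor->m_log_recvfd);
+
+@@ -715,6 +719,7 @@ privsep_postauth(Authctxt *authctxt)
+
+/* child */
+
++ whereIam = 2;
+close(pmonitor->m_sendfd);
+pmonitor->m_sendfd = -1;
+
+@@ -1325,6 +1330,8 @@ main(int ac, char **av)
+Key *key;
+Authctxt *authctxt;
+
++ whereIam = 0;
++
+#ifdef HAVE_SECUREWARE
+(void)set_auth_parameters(ac, av);
+#endif
+diff -up openssh-5.9p1/whereIam.c.wIm openssh-5.9p1/whereIam.c
+--- openssh-5.9p1/whereIam.c.wIm 2011-09-12 16:24:18.722674167 +0200
++++ openssh-5.9p1/whereIam.c 2011-09-12 16:24:18.724674418 +0200
+@@ -0,0 +1,12 @@
++
++int whereIam = -1;
++
++void _debug_wIm_body(const char *txt, int val, const char *func, const char *file, int line)
++{
++ if (txt)
++ debug("%s=%d, %s(%s:%d) wIm = %d, uid=%d, euid=%d", txt, val, func, file, line, whereIam, getuid(), geteuid());
++ else
++ debug("%s(%s:%d) wIm = %d, uid=%d, euid=%d", func, file, line, whereIam, getuid(), geteuid());
++}
++
++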
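Review bot: The new whereIam.c (the last hunk of this patch file) contains no #include lines, so `debug`, `getuid` and `geteuid` are implicitly declared — a hard error under C99 and later, and it also drops the format(printf) attribute that log.h attaches to `debug`, so the format string is never checked. Add `#include <unistd.h>` and `#include "log.h"` ahead of the definition. In the same two debug() calls `getuid()`/`geteuid()` return uid_t but are passed to `%d`; casting them, `(int)getuid(), (int)geteuid()`, or printing with `%u` and an unsigned cast, keeps the calls -Wformat clean. `_debug_wIm_body` also lives in the reserved identifier space (leading underscore at file scope); a name such as `debug_wIm_body` avoids that.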
27
openssh.spec
@ -34,10 +34,6 @@
|
||||
# Do we want LDAP support
|
||||
%define ldap 1
|
||||
|
||||
# Do we want NSS tokens support
|
||||
# NSS support is broken from 5.4p1
|
||||
%define nss 0
|
||||
|
||||
# Whether or not /sbin/nologin exists.
|
||||
%define nologin 1
|
||||
|
||||
@ -79,7 +75,7 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%define openssh_ver 5.9p1
|
||||
%define openssh_rel 8
|
||||
%define openssh_rel 9
|
||||
%define pam_ssh_agent_ver 0.9.2
|
||||
%define pam_ssh_agent_rel 32
|
||||
|
||||
@ -109,7 +105,7 @@ Source11: sshd.service
|
||||
Source13: sshd-keygen
|
||||
|
||||
# Internal debug
|
||||
Patch0: openssh-5.8p1-wIm.patch
|
||||
Patch0: openssh-5.9p1-wIm.patch
|
||||
|
||||
#?
|
||||
Patch100: openssh-5.9p1-coverity.patch
|
||||
@ -251,10 +247,6 @@ BuildRequires: krb5-devel
|
||||
BuildRequires: libedit-devel ncurses-devel
|
||||
%endif
|
||||
|
||||
%if %{nss}
|
||||
BuildRequires: nss-devel
|
||||
%endif
|
||||
|
||||
%if %{WITH_SELINUX}
|
||||
Requires: libselinux >= 1.27.7
|
||||
BuildRequires: libselinux-devel >= 1.27.7
|
||||
@ -505,9 +497,6 @@ fi
|
||||
--with-ssl-engine \
|
||||
--with-authorized-keys-command \
|
||||
--with-ipaddr-display \
|
||||
%if %{nss}
|
||||
--with-nss \
|
||||
%endif
|
||||
%if %{scard}
|
||||
--with-smartcard \
|
||||
%endif
|
||||
@ -520,7 +509,7 @@ fi
|
||||
--with-pam \
|
||||
%endif
|
||||
%if %{WITH_SELINUX}
|
||||
--with-selinux --with-audit=linux --with-sandbox-style=selinux \
|
||||
--with-selinux --with-audit=linux --with-sandbox=selinux \
|
||||
%endif
|
||||
%if %{kerberos5}
|
||||
--with-kerberos5${krb5_prefix:+=${krb5_prefix}} \
|
||||
@ -622,11 +611,6 @@ rm -f $RPM_BUILD_ROOT/etc/profile.d/gnome-ssh-askpass.*
|
||||
|
||||
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
|
||||
|
||||
rm -f README.nss.nss-keys
|
||||
%if ! %{nss}
|
||||
rm -f README.nss
|
||||
%endif
|
||||
|
||||
%if %{pam_ssh_agent}
|
||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||
make install DESTDIR=$RPM_BUILD_ROOT
|
||||
@ -789,6 +773,11 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Sep 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-9 + 0.9.2-32
|
||||
- coverity upgrade
|
||||
- wipe off nonfunctional nss
|
||||
- selinux sandbox tweaking
|
||||
|
||||
* Tue Sep 13 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-8 + 0.9.2-32
|
||||
- coverity upgrade
|
||||
- experimental selinux sandbox
|
||||
|
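Review bot: Patch0 now points at openssh-5.9p1-wIm.patch, which the spec itself labels `# Internal debug` and which adds a trace that logs uid/euid from the privsep children; if %prep still applies Patch0 unconditionally (the %patch lines are outside this view), that instrumentation ships in the release build. Consider gating it behind a build switch the same way ldap and nologin are, e.g. a `%define wim 0` (illustrative name) around the Patch0 line and its %patch application, so production packages carry only the coverity and sandbox patches.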