- clean the data structures in the non privileged process
- clean the data structures when roaming
This commit is contained in:
Jan F
parent
865391f74f
commit
cfb0f30feb
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.6p1/audit-bsm.c.audit5 openssh-5.6p1/audit-bsm.c
|
||||
--- openssh-5.6p1/audit-bsm.c.audit5 2011-02-06 14:24:44.000000000 +0100
|
||||
+++ openssh-5.6p1/audit-bsm.c 2011-02-06 14:24:44.000000000 +0100
|
||||
--- openssh-5.6p1/audit-bsm.c.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/audit-bsm.c 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -401,4 +401,10 @@ audit_session_key_free_body(int ctos)
|
||||
{
|
||||
/* not implemented */
|
||||
@ -13,8 +13,8 @@ diff -up openssh-5.6p1/audit-bsm.c.audit5 openssh-5.6p1/audit-bsm.c
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-5.6p1/audit.c.audit5 openssh-5.6p1/audit.c
|
||||
--- openssh-5.6p1/audit.c.audit5 2011-02-06 14:24:44.000000000 +0100
|
||||
+++ openssh-5.6p1/audit.c 2011-02-06 14:24:44.000000000 +0100
|
||||
--- openssh-5.6p1/audit.c.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/audit.c 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -268,5 +268,14 @@ audit_session_key_free_body(int ctos)
|
||||
{
|
||||
debug("audit session key discard euid %d direction %d", geteuid(), ctos);
|
||||
@ -31,8 +31,8 @@ diff -up openssh-5.6p1/audit.c.audit5 openssh-5.6p1/audit.c
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.6p1/audit.h.audit5 openssh-5.6p1/audit.h
|
||||
--- openssh-5.6p1/audit.h.audit5 2011-02-06 14:24:44.000000000 +0100
|
||||
+++ openssh-5.6p1/audit.h 2011-02-06 14:24:44.000000000 +0100
|
||||
--- openssh-5.6p1/audit.h.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/audit.h 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -62,5 +62,6 @@ void audit_unsupported_body(int);
|
||||
void audit_kex_body(int, char *, char *, char *);
|
||||
void audit_session_key_free(int ctos);
|
||||
@ -41,8 +41,8 @@ diff -up openssh-5.6p1/audit.h.audit5 openssh-5.6p1/audit.h
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.6p1/audit-linux.c.audit5 openssh-5.6p1/audit-linux.c
|
||||
--- openssh-5.6p1/audit-linux.c.audit5 2011-02-06 14:24:44.000000000 +0100
|
||||
+++ openssh-5.6p1/audit-linux.c 2011-02-06 14:24:44.000000000 +0100
|
||||
--- openssh-5.6p1/audit-linux.c.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/audit-linux.c 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -226,4 +226,26 @@ audit_session_key_free_body(int ctos)
|
||||
error("cannot write into audit");
|
||||
}
|
||||
@ -71,8 +71,8 @@ diff -up openssh-5.6p1/audit-linux.c.audit5 openssh-5.6p1/audit-linux.c
|
||||
+
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-5.6p1/kex.c.audit5 openssh-5.6p1/kex.c
|
||||
--- openssh-5.6p1/kex.c.audit5 2011-02-06 14:24:44.000000000 +0100
|
||||
+++ openssh-5.6p1/kex.c 2011-02-06 14:24:44.000000000 +0100
|
||||
--- openssh-5.6p1/kex.c.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/kex.c 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -592,3 +592,34 @@ dump_digest(char *msg, u_char *digest, i
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
@ -110,7 +110,7 @@ diff -up openssh-5.6p1/kex.c.audit5 openssh-5.6p1/kex.c
|
||||
+
|
||||
diff -up openssh-5.6p1/kex.h.audit5 openssh-5.6p1/kex.h
|
||||
--- openssh-5.6p1/kex.h.audit5 2010-02-26 21:55:05.000000000 +0100
|
||||
+++ openssh-5.6p1/kex.h 2011-02-06 14:24:45.000000000 +0100
|
||||
+++ openssh-5.6p1/kex.h 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -146,6 +146,8 @@ void kexdh_server(Kex *);
|
||||
void kexgex_client(Kex *);
|
||||
void kexgex_server(Kex *);
|
||||
@ -122,7 +122,7 @@ diff -up openssh-5.6p1/kex.h.audit5 openssh-5.6p1/kex.h
|
||||
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
||||
diff -up openssh-5.6p1/mac.c.audit5 openssh-5.6p1/mac.c
|
||||
--- openssh-5.6p1/mac.c.audit5 2008-06-13 02:58:50.000000000 +0200
|
||||
+++ openssh-5.6p1/mac.c 2011-02-06 14:24:45.000000000 +0100
|
||||
+++ openssh-5.6p1/mac.c 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -162,6 +162,20 @@ mac_clear(Mac *mac)
|
||||
mac->umac_ctx = NULL;
|
||||
}
|
||||
@ -146,15 +146,15 @@ diff -up openssh-5.6p1/mac.c.audit5 openssh-5.6p1/mac.c
|
||||
int
|
||||
diff -up openssh-5.6p1/mac.h.audit5 openssh-5.6p1/mac.h
|
||||
--- openssh-5.6p1/mac.h.audit5 2007-06-11 06:01:42.000000000 +0200
|
||||
+++ openssh-5.6p1/mac.h 2011-02-06 14:24:45.000000000 +0100
|
||||
+++ openssh-5.6p1/mac.h 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
|
||||
int mac_init(Mac *);
|
||||
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
|
||||
void mac_clear(Mac *);
|
||||
+void mac_destroy(Mac *);
|
||||
diff -up openssh-5.6p1/monitor.c.audit5 openssh-5.6p1/monitor.c
|
||||
--- openssh-5.6p1/monitor.c.audit5 2011-02-06 14:24:44.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor.c 2011-02-06 14:24:45.000000000 +0100
|
||||
--- openssh-5.6p1/monitor.c.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor.c 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -181,6 +181,7 @@ int mm_answer_audit_command(int, Buffer
|
||||
int mm_answer_audit_unsupported_body(int, Buffer *);
|
||||
int mm_answer_audit_kex_body(int, Buffer *);
|
||||
@ -212,8 +212,8 @@ diff -up openssh-5.6p1/monitor.c.audit5 openssh-5.6p1/monitor.c
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.6p1/monitor.h.audit5 openssh-5.6p1/monitor.h
|
||||
--- openssh-5.6p1/monitor.h.audit5 2011-02-06 14:24:44.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor.h 2011-02-06 14:24:45.000000000 +0100
|
||||
--- openssh-5.6p1/monitor.h.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor.h 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -69,6 +69,7 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
|
||||
@ -223,8 +223,8 @@ diff -up openssh-5.6p1/monitor.h.audit5 openssh-5.6p1/monitor.h
|
||||
|
||||
struct mm_master;
|
||||
diff -up openssh-5.6p1/monitor_wrap.c.audit5 openssh-5.6p1/monitor_wrap.c
|
||||
--- openssh-5.6p1/monitor_wrap.c.audit5 2011-02-06 14:24:44.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor_wrap.c 2011-02-06 14:24:45.000000000 +0100
|
||||
--- openssh-5.6p1/monitor_wrap.c.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor_wrap.c 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -1458,4 +1458,16 @@ mm_audit_session_key_free_body(int ctos)
|
||||
&m);
|
||||
buffer_free(&m);
|
||||
@ -243,8 +243,8 @@ diff -up openssh-5.6p1/monitor_wrap.c.audit5 openssh-5.6p1/monitor_wrap.c
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.6p1/monitor_wrap.h.audit5 openssh-5.6p1/monitor_wrap.h
|
||||
--- openssh-5.6p1/monitor_wrap.h.audit5 2011-02-06 14:24:44.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor_wrap.h 2011-02-06 14:24:45.000000000 +0100
|
||||
--- openssh-5.6p1/monitor_wrap.h.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/monitor_wrap.h 2011-02-07 18:53:53.000000000 +0100
|
||||
@@ -77,6 +77,7 @@ void mm_audit_run_command(const char *);
|
||||
void mm_audit_unsupported_body(int);
|
||||
void mm_audit_kex_body(int, char *, char *, char *);
|
||||
@ -254,8 +254,8 @@ diff -up openssh-5.6p1/monitor_wrap.h.audit5 openssh-5.6p1/monitor_wrap.h
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-5.6p1/packet.c.audit5 openssh-5.6p1/packet.c
|
||||
--- openssh-5.6p1/packet.c.audit5 2011-02-06 14:24:44.000000000 +0100
|
||||
+++ openssh-5.6p1/packet.c 2011-02-07 08:51:31.000000000 +0100
|
||||
--- openssh-5.6p1/packet.c.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/packet.c 2011-02-07 18:53:54.000000000 +0100
|
||||
@@ -60,6 +60,7 @@
|
||||
#include <signal.h>
|
||||
|
||||
@ -353,7 +353,7 @@ diff -up openssh-5.6p1/packet.c.audit5 openssh-5.6p1/packet.c
|
||||
+
|
||||
diff -up openssh-5.6p1/packet.h.audit5 openssh-5.6p1/packet.h
|
||||
--- openssh-5.6p1/packet.h.audit5 2009-07-05 23:11:13.000000000 +0200
|
||||
+++ openssh-5.6p1/packet.h 2011-02-06 14:24:45.000000000 +0100
|
||||
+++ openssh-5.6p1/packet.h 2011-02-07 18:53:54.000000000 +0100
|
||||
@@ -115,4 +115,5 @@ void packet_restore_state(void);
|
||||
void *packet_get_input(void);
|
||||
void *packet_get_output(void);
|
||||
@ -362,7 +362,7 @@ diff -up openssh-5.6p1/packet.h.audit5 openssh-5.6p1/packet.h
|
||||
#endif /* PACKET_H */
|
||||
diff -up openssh-5.6p1/session.c.audit5 openssh-5.6p1/session.c
|
||||
--- openssh-5.6p1/session.c.audit5 2010-06-26 02:00:15.000000000 +0200
|
||||
+++ openssh-5.6p1/session.c 2011-02-06 14:24:45.000000000 +0100
|
||||
+++ openssh-5.6p1/session.c 2011-02-07 18:53:54.000000000 +0100
|
||||
@@ -1677,6 +1677,7 @@ do_child(Session *s, const char *command
|
||||
|
||||
/* remove hostkey from the child's memory */
|
||||
@ -372,8 +372,8 @@ diff -up openssh-5.6p1/session.c.audit5 openssh-5.6p1/session.c
|
||||
/* Force a password change */
|
||||
if (s->authctxt->force_pwchange) {
|
||||
diff -up openssh-5.6p1/sshd.c.audit5 openssh-5.6p1/sshd.c
|
||||
--- openssh-5.6p1/sshd.c.audit5 2011-02-06 14:24:44.000000000 +0100
|
||||
+++ openssh-5.6p1/sshd.c 2011-02-06 14:24:45.000000000 +0100
|
||||
--- openssh-5.6p1/sshd.c.audit5 2011-02-07 18:53:53.000000000 +0100
|
||||
+++ openssh-5.6p1/sshd.c 2011-02-07 19:08:56.000000000 +0100
|
||||
@@ -579,6 +579,7 @@ demote_sensitive_data(void)
|
||||
}
|
||||
/* Certs do not need demotion */
|
||||
@ -402,25 +402,16 @@ diff -up openssh-5.6p1/sshd.c.audit5 openssh-5.6p1/sshd.c
|
||||
monitor_child_postauth(pmonitor);
|
||||
|
||||
/* NEVERREACHED */
|
||||
@@ -709,6 +716,7 @@ privsep_postauth(Authctxt *authctxt)
|
||||
skip:
|
||||
/* It is safe now to apply the key state */
|
||||
monitor_apply_keystate(pmonitor);
|
||||
+//drop here ??
|
||||
|
||||
/*
|
||||
* Tell the packet layer that authentication was successful, since
|
||||
@@ -1970,6 +1978,9 @@ main(int ac, char **av)
|
||||
@@ -1970,6 +1977,8 @@ main(int ac, char **av)
|
||||
*/
|
||||
if (use_privsep) {
|
||||
mm_send_keystate(pmonitor);
|
||||
+//umac_clear
|
||||
+ packet_destroy_all();
|
||||
+ audit_session_key_free(2);
|
||||
exit(0);
|
||||
}
|
||||
|
||||
@@ -2011,8 +2022,10 @@ main(int ac, char **av)
|
||||
@@ -2011,8 +2020,10 @@ main(int ac, char **av)
|
||||
if (use_privsep) {
|
||||
privsep_postauth(authctxt);
|
||||
/* the monitor process [priv] will not return */
|
||||
@ -432,7 +423,17 @@ diff -up openssh-5.6p1/sshd.c.audit5 openssh-5.6p1/sshd.c
|
||||
}
|
||||
|
||||
packet_set_timeout(options.client_alive_interval,
|
||||
@@ -2249,6 +2262,7 @@ do_ssh1_kex(void)
|
||||
@@ -2022,6 +2033,9 @@ main(int ac, char **av)
|
||||
do_authenticated(authctxt);
|
||||
|
||||
/* The connection has been terminated. */
|
||||
+ packet_destroy_all();
|
||||
+ audit_session_key_free(2);
|
||||
+
|
||||
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
|
||||
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
|
||||
verbose("Transferred: sent %llu, received %llu bytes", obytes, ibytes);
|
||||
@@ -2249,6 +2263,7 @@ do_ssh1_kex(void)
|
||||
}
|
||||
/* Destroy the private and public keys. No longer. */
|
||||
destroy_sensitive_data();
|
||||
|
||||
@ -71,7 +71,7 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%define openssh_ver 5.6p1
|
||||
%define openssh_rel 29
|
||||
%define openssh_rel 30
|
||||
%define pam_ssh_agent_ver 0.9.2
|
||||
%define pam_ssh_agent_rel 29
|
||||
|
||||
@ -603,7 +603,8 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Feb 2 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-29 + 0.9.2-29
|
||||
* Mon Feb 7 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-30 + 0.9.2-29
|
||||
- clean the data structures in the non privileged process
|
||||
- clean the data structures when roaming
|
||||
|
||||
* Tue Feb 2 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-28 + 0.9.2-29
|
||||
|
||||
Loading…
Reference in New Issue
Block a user