| diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c |
| |
| |
| @@ -1107,4 +1107,50 @@ mm_audit_destroy_sensitive_data(const ch |
| mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m); |
| sshbuf_free(m); |
| } |
| + |
| +int mm_forward_audit_messages(int fdin) |
| +{ |
| + u_char buf[4]; |
| + u_int blen, msg_len; |
| + struct sshbuf *m; |
| + int r, ret = 0; |
| + |
| + debug3_f("entering"); |
| + if ((m = sshbuf_new()) == NULL) |
| + fatal_f("sshbuf_new failed"); |
| + do { |
| + blen = atomicio(read, fdin, buf, sizeof(buf)); |
| + if (blen == 0) /* closed pipe */ |
| + break; |
| + if (blen != sizeof(buf)) { |
| + error_f("Failed to read the buffer from child"); |
| + ret = -1; |
| + break; |
| + } |
| + |
| + msg_len = get_u32(buf); |
| + if (msg_len > 256 * 1024) |
| + fatal_f("read: bad msg_len %d", msg_len); |
| + sshbuf_reset(m); |
| + if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0) |
| + fatal_fr(r, "buffer error"); |
| + if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) { |
| + error_f("Failed to read the the buffer content from the child"); |
| + ret = -1; |
| + break; |
| + } |
| + if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen || |
| + atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) { |
| + error_f("Failed to write the message to the monitor"); |
| + ret = -1; |
| + break; |
| + } |
| + } while (1); |
| + sshbuf_free(m); |
| + return ret; |
| +} |
| +void mm_set_monitor_pipe(int fd) |
| +{ |
| + pmonitor->m_recvfd = fd; |
| +} |
| #endif /* SSH_AUDIT_EVENTS */ |
| diff -up openssh-7.4p1/monitor_wrap.h.audit-race openssh-7.4p1/monitor_wrap.h |
| |
| |
| @@ -83,6 +83,8 @@ void mm_audit_unsupported_body(int); |
| void mm_audit_kex_body(struct ssh *, int, char *, char *, char *, char *, pid_t, uid_t); |
| void mm_audit_session_key_free_body(struct ssh *, int, pid_t, uid_t); |
| void mm_audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t); |
| +int mm_forward_audit_messages(int); |
| +void mm_set_monitor_pipe(int); |
| #endif |
| |
| struct Session; |
| diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c |
| |
| |
| @@ -162,6 +162,10 @@ static Session *sessions = NULL; |
| login_cap_t *lc; |
| #endif |
| |
| +#ifdef SSH_AUDIT_EVENTS |
| +int paudit[2]; |
| +#endif |
| + |
| static int is_child = 0; |
| static int in_chroot = 0; |
| static int have_dev_log = 1; |
| @@ -289,6 +293,8 @@ xauth_valid_string(const char *s) |
| return 1; |
| } |
| |
| +void child_destory_sensitive_data(struct ssh *ssh); |
| + |
| #define USE_PIPES 1 |
| /* |
| * This is called to fork and execute a command when we have no tty. This |
| @@ -424,6 +430,8 @@ do_exec_no_pty(Session *s, const char *c |
| close(err[0]); |
| #endif |
| |
| + child_destory_sensitive_data(ssh); |
| + |
| /* Do processing for the child (exec command etc). */ |
| do_child(ssh, s, command); |
| /* NOTREACHED */ |
| @@ -547,6 +555,9 @@ do_exec_pty(Session *s, const char *comm |
| /* Close the extra descriptor for the pseudo tty. */ |
| close(ttyfd); |
| |
| + /* Do this early, so we will not block large MOTDs */ |
| + child_destory_sensitive_data(ssh); |
| + |
| /* record login, etc. similar to login(1) */ |
| #ifndef HAVE_OSF_SIA |
| do_login(ssh, s, command); |
| @@ -717,6 +728,8 @@ do_exec(Session *s, const char *command) |
| } |
| if (s->command != NULL && s->ptyfd == -1) |
| s->command_handle = PRIVSEP(audit_run_command(ssh, s->command)); |
| + if (pipe(paudit) < 0) |
| + fatal("pipe: %s", strerror(errno)); |
| #endif |
| if (s->ttyfd != -1) |
| ret = do_exec_pty(ssh, s, command); |
| @@ -732,6 +745,20 @@ do_exec(Session *s, const char *command) |
| */ |
| sshbuf_reset(loginmsg); |
| |
| +#ifdef SSH_AUDIT_EVENTS |
| + close(paudit[1]); |
| + if (use_privsep && ret == 0) { |
| + /* |
| + * Read the audit messages from forked child and send them |
| + * back to monitor. We don't want to communicate directly, |
| + * because the messages might get mixed up. |
| + * Continue after the pipe gets closed (all messages sent). |
| + */ |
| + ret = mm_forward_audit_messages(paudit[0]); |
| + } |
| + close(paudit[0]); |
| +#endif /* SSH_AUDIT_EVENTS */ |
| + |
| return ret; |
| } |
| |
| @@ -1538,6 +1565,34 @@ child_close_fds(void) |
| log_redirect_stderr_to(NULL); |
| } |
| |
| +void |
| +child_destory_sensitive_data(struct ssh *ssh) |
| +{ |
| +#ifdef SSH_AUDIT_EVENTS |
| + int pparent = paudit[1]; |
| + close(paudit[0]); |
| + /* Hack the monitor pipe to avoid race condition with parent */ |
| + if (use_privsep) |
| + mm_set_monitor_pipe(pparent); |
| +#endif |
| + |
| + /* remove hostkey from the child's memory */ |
| + destroy_sensitive_data(ssh, use_privsep); |
| + /* |
| + * We can audit this, because we hacked the pipe to direct the |
| + * messages over postauth child. But this message requires answer |
| + * which we can't do using one-way pipe. |
| + */ |
| + packet_destroy_all(ssh, 0, 1); |
| + /* XXX this will clean the rest but should not audit anymore */ |
| + /* packet_clear_keys(ssh); */ |
| + |
| +#ifdef SSH_AUDIT_EVENTS |
| + /* Notify parent that we are done */ |
| + close(pparent); |
| +#endif |
| +} |
| + |
| /* |
| * Performs common processing for the child, such as setting up the |
| * environment, closing extra file descriptors, setting the user and group |
| @@ -1554,13 +1608,6 @@ do_child(Session *s, const char *command |
| |
| sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); |
| |
| - /* remove hostkey from the child's memory */ |
| - destroy_sensitive_data(ssh, 1); |
| - ssh_packet_clear_keys(ssh); |
| - /* Don't audit this - both us and the parent would be talking to the |
| - monitor over a single socket, with no synchronization. */ |
| - packet_destroy_all(ssh, 0, 1); |
| - |
| /* Force a password change */ |
| if (s->authctxt->force_pwchange) { |
| do_setusercontext(pw); |