vishalmishra434 / rpms / openssh

Forked from rpms/openssh a month ago
Clone
Jan F. Chadima 69dd72
diff -up openssh-5.9p0/audit-bsm.c.audit2 openssh-5.9p0/audit-bsm.c
Jan F. Chadima 69dd72
--- openssh-5.9p0/audit-bsm.c.audit2	2011-08-30 10:55:35.281025258 +0200
Jan F. Chadima 69dd72
+++ openssh-5.9p0/audit-bsm.c	2011-08-30 10:55:37.500052231 +0200
Jan F. Chadima 69dd72
@@ -329,6 +329,12 @@ audit_session_close(struct logininfo *li
Jan F. Chadima 69dd72
 	/* not implemented */
Jan F. Chadima 69dd72
 }
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
+int
Jan F. Chadima 69dd72
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	/* not implemented */
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
 void
Jan F. Chadima 69dd72
 audit_event(ssh_audit_event_t event)
Jan F. Chadima 69dd72
 {
Jan F. Chadima 69dd72
diff -up openssh-5.9p0/audit-linux.c.audit2 openssh-5.9p0/audit-linux.c
Jan F. Chadima 69dd72
--- openssh-5.9p0/audit-linux.c.audit2	2011-08-30 10:55:35.385102905 +0200
Jan F. Chadima 69dd72
+++ openssh-5.9p0/audit-linux.c	2011-08-30 10:55:38.009088040 +0200
Jan F. Chadima 69dd72
@@ -41,6 +41,8 @@
Jan F. Chadima 69dd72
 #include "servconf.h"
Jan F. Chadima 69dd72
 #include "canohost.h"
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
+#define AUDIT_LOG_SIZE 128
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
 extern ServerOptions options;
Jan F. Chadima 69dd72
 extern Authctxt *the_authctxt;
Jan F. Chadima 69dd72
 extern u_int utmp_len;
Jan F. Chadima 69dd72
@@ -130,6 +132,37 @@ fatal_report:
Jan F. Chadima 69dd72
 	}
Jan F. Chadima 69dd72
 }
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
+int
Jan F. Chadima 69dd72
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	char buf[AUDIT_LOG_SIZE];
Jan F. Chadima 69dd72
+	int audit_fd, rc, saved_errno;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	audit_fd = audit_open();
Jan F. Chadima 69dd72
+	if (audit_fd < 0) {
Jan F. Chadima 69dd72
+		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
Jan F. Chadima 69dd72
+					 errno == EAFNOSUPPORT)
Jan F. Chadima 69dd72
+			return 1; /* No audit support in kernel */
Jan F. Chadima 69dd72
+		else                                                                                                                                       
Jan F. Chadima 69dd72
+			return 0; /* Must prevent login */
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
+	snprintf(buf, sizeof(buf), "%s_auth rport=%d", host_user ? "pubkey" : "hostbased", get_remote_port());
Jan F. Chadima 69dd72
+	rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
Jan F. Chadima 69dd72
+		buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
Jan F. Chadima 69dd72
+	if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
Jan F. Chadima 69dd72
+		goto out;
Jan F. Chadima 69dd72
+	snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s%s rport=%d",
Jan F. Chadima 69dd72
+			type, bits, key_fingerprint_prefix(), fp, get_remote_port());
Jan F. Chadima 69dd72
+	rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
Jan F. Chadima 69dd72
+		buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
Jan F. Chadima 69dd72
+out:
Jan F. Chadima 69dd72
+	saved_errno = errno;
Jan F. Chadima 69dd72
+	audit_close(audit_fd);
Jan F. Chadima 69dd72
+	errno = saved_errno;
Jan F. Chadima 69dd72
+	/* do not report error if the error is EPERM and sshd is run as non root user */
Jan F. Chadima 69dd72
+	return (rc >= 0) || ((rc == -EPERM) && (getuid() != 0));
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
 static int user_login_count = 0;
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 /* Below is the sshd audit API code */
Jan F. Chadima 69dd72
diff -up openssh-5.9p0/audit.c.audit2 openssh-5.9p0/audit.c
Jan F. Chadima 69dd72
--- openssh-5.9p0/audit.c.audit2	2011-08-30 10:55:35.523141273 +0200
Jan F. Chadima 69dd72
+++ openssh-5.9p0/audit.c	2011-08-30 10:55:37.658024710 +0200
Jan F. Chadima 69dd72
@@ -36,6 +36,7 @@
Jan F. Chadima 69dd72
 #include "key.h"
Jan F. Chadima 69dd72
 #include "hostfile.h"
Jan F. Chadima 69dd72
 #include "auth.h"
Jan F. Chadima 69dd72
+#include "xmalloc.h"
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 /*
Jan F. Chadima 69dd72
  * Care must be taken when using this since it WILL NOT be initialized when
Jan F. Chadima 69dd72
@@ -111,6 +112,22 @@ audit_event_lookup(ssh_audit_event_t ev)
Jan F. Chadima 69dd72
 	return(event_lookup[i].name);
Jan F. Chadima 69dd72
 }
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
+void
Jan F. Chadima 69dd72
+audit_key(int host_user, int *rv, const Key *key)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	char *fp;
Jan F. Chadima 69dd72
+	const char *crypto_name;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	fp = key_selected_fingerprint(key, SSH_FP_HEX);
Jan F. Chadima 69dd72
+	if (key->type == KEY_RSA1)
Jan F. Chadima 69dd72
+		crypto_name = "ssh-rsa1";
Jan F. Chadima 69dd72
+	else
Jan F. Chadima 69dd72
+		crypto_name = key_ssh_name(key);
Jan F. Chadima 69dd72
+	if (audit_keyusage(host_user, crypto_name, key_size(key), fp, *rv) == 0)
Jan F. Chadima 69dd72
+		*rv = 0;
Jan F. Chadima 69dd72
+	xfree(fp);
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
 # ifndef CUSTOM_SSH_AUDIT_EVENTS
Jan F. Chadima 69dd72
 /*
Jan F. Chadima 69dd72
  * Null implementations of audit functions.
Jan F. Chadima 69dd72
@@ -209,5 +226,17 @@ audit_end_command(int handle, const char
Jan F. Chadima 69dd72
 	    audit_username(), command);
Jan F. Chadima 69dd72
 }
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
+/*
Jan F. Chadima 69dd72
+ * This will be called when user is successfully autherized by the RSA1/RSA/DSA key.
Jan F. Chadima 69dd72
+ *
Jan F. Chadima 69dd72
+ * Type is the key type, len is the key length(byte) and fp is the fingerprint of the key.
Jan F. Chadima 69dd72
+ */
Jan F. Chadima 69dd72
+int
Jan F. Chadima 69dd72
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s%s, result %d", 
Jan F. Chadima 69dd72
+		host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), type, bits,
Jan F. Chadima 69dd72
+		key_fingerprint_prefix(), fp, rv);
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
Jan F. Chadima 69dd72
 #endif /* SSH_AUDIT_EVENTS */
Jan F. Chadima 69dd72
diff -up openssh-5.9p0/audit.h.audit2 openssh-5.9p0/audit.h
Jan F. Chadima 69dd72
--- openssh-5.9p0/audit.h.audit2	2011-08-30 10:55:35.723122290 +0200
Jan F. Chadima 69dd72
+++ openssh-5.9p0/audit.h	2011-08-30 10:55:37.905212176 +0200
Jan F. Chadima 69dd72
@@ -28,6 +28,7 @@
Jan F. Chadima 69dd72
 # define _SSH_AUDIT_H
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 #include "loginrec.h"
Jan F. Chadima 69dd72
+#include "key.h"
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 enum ssh_audit_event_type {
Jan F. Chadima 69dd72
 	SSH_LOGIN_EXCEED_MAXTRIES,
Jan F. Chadima 69dd72
@@ -55,5 +56,7 @@ void	audit_session_close(struct logininf
Jan F. Chadima 69dd72
 int	audit_run_command(const char *);
Jan F. Chadima 69dd72
 void 	audit_end_command(int, const char *);
Jan F. Chadima 69dd72
 ssh_audit_event_t audit_classify_auth(const char *);
Jan F. Chadima 69dd72
+int	audit_keyusage(int, const char *, unsigned, char *, int);
Jan F. Chadima 69dd72
+void	audit_key(int, int *, const Key *);
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 #endif /* _SSH_AUDIT_H */
Jan F. Chadima 69dd72
diff -up openssh-5.9p0/auth-rsa.c.audit2 openssh-5.9p0/auth-rsa.c
Jan F. Chadima 69dd72
--- openssh-5.9p0/auth-rsa.c.audit2	2011-08-30 10:55:33.120097071 +0200
Jan F. Chadima 69dd72
+++ openssh-5.9p0/auth-rsa.c	2011-08-30 10:55:38.729025376 +0200
Jan F. Chadima 69dd72
@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
Jan F. Chadima 69dd72
 {
Jan F. Chadima 69dd72
 	u_char buf[32], mdbuf[16];
Jan F. Chadima 69dd72
 	MD5_CTX md;
Jan F. Chadima 69dd72
-	int len;
Jan F. Chadima 69dd72
+	int len, rv;
Jan F. Chadima 69dd72
+#ifdef SSH_AUDIT_EVENTS
Jan F. Chadima 69dd72
+	char *fp;
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 	/* don't allow short keys */
Jan F. Chadima 69dd72
 	if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
Jan F. Chadima 69dd72
@@ -113,12 +116,18 @@ auth_rsa_verify_response(Key *key, BIGNU
Jan F. Chadima 69dd72
 	MD5_Final(mdbuf, &md);
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 	/* Verify that the response is the original challenge. */
Jan F. Chadima 69dd72
-	if (timingsafe_bcmp(response, mdbuf, 16) != 0) {
Jan F. Chadima 69dd72
-		/* Wrong answer. */
Jan F. Chadima 69dd72
-		return (0);
Jan F. Chadima 69dd72
+	rv = timingsafe_bcmp(response, mdbuf, 16) == 0;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+#ifdef SSH_AUDIT_EVENTS
Jan F. Chadima 69dd72
+	fp = key_selected_fingerprint(key, SSH_FP_HEX);
Jan F. Chadima 69dd72
+	if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {
Jan F. Chadima 69dd72
+		debug("unsuccessful audit");
Jan F. Chadima 69dd72
+		rv = 0;
Jan F. Chadima 69dd72
 	}
Jan F. Chadima 69dd72
-	/* Correct answer. */
Jan F. Chadima 69dd72
-	return (1);
Jan F. Chadima 69dd72
+	xfree(fp);
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	return rv;
Jan F. Chadima 69dd72
 }
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 /*
Jan F. Chadima 69dd72
diff -up openssh-5.9p0/auth.h.audit2 openssh-5.9p0/auth.h
Jan F. Chadima 69dd72
--- openssh-5.9p0/auth.h.audit2	2011-05-29 13:39:38.000000000 +0200
Jan F. Chadima 69dd72
+++ openssh-5.9p0/auth.h	2011-08-30 10:57:43.238087347 +0200
Jan F. Chadima 69dd72
@@ -170,6 +170,7 @@ void	abandon_challenge_response(Authctxt
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 char	*expand_authorized_keys(const char *, struct passwd *pw);
Jan F. Chadima 69dd72
 char	*authorized_principals_file(struct passwd *);
Jan F. Chadima 69dd72
+int	 user_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 FILE	*auth_openkeyfile(const char *, struct passwd *, int);
Jan F. Chadima 69dd72
 FILE	*auth_openprincipals(const char *, struct passwd *, int);
Jan F. Chadima 69dd72
@@ -185,6 +186,7 @@ Key	*get_hostkey_public_by_type(int);
Jan F. Chadima 69dd72
 Key	*get_hostkey_private_by_type(int);
Jan F. Chadima 69dd72
 int	 get_hostkey_index(Key *);
Jan F. Chadima 69dd72
 int	 ssh1_session_key(BIGNUM *);
Jan F. Chadima 69dd72
+int	 hostbased_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 /* debug messages during authentication */
Jan F. Chadima 69dd72
 void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
Jan F. Chadima 69dd72
diff -up openssh-5.9p0/auth2-hostbased.c.audit2 openssh-5.9p0/auth2-hostbased.c
Jan F. Chadima 69dd72
--- openssh-5.9p0/auth2-hostbased.c.audit2	2011-08-30 10:55:32.696212587 +0200
Jan F. Chadima 69dd72
+++ openssh-5.9p0/auth2-hostbased.c	2011-08-30 10:55:38.120068864 +0200
Jan F. Chadima 69dd72
@@ -119,7 +119,7 @@ userauth_hostbased(Authctxt *authctxt)
Jan F. Chadima 69dd72
 	/* test for allowed key and correct signature */
Jan F. Chadima 69dd72
 	authenticated = 0;
Jan F. Chadima 69dd72
 	if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
Jan F. Chadima 69dd72
-	    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
Jan F. Chadima 69dd72
+	    PRIVSEP(hostbased_key_verify(key, sig, slen, buffer_ptr(&b),
Jan F. Chadima 69dd72
 			buffer_len(&b))) == 1)
Jan F. Chadima 69dd72
 		authenticated = 1;
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
@@ -136,6 +136,18 @@ done:
Jan F. Chadima 69dd72
 	return authenticated;
Jan F. Chadima 69dd72
 }
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
+int
Jan F. Chadima 69dd72
+hostbased_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	int rv;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	rv = key_verify(key, sig, slen, data, datalen);
Jan F. Chadima 69dd72
+#ifdef SSH_AUDIT_EVENTS
Jan F. Chadima 69dd72
+	audit_key(0, &rv, key);
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	return rv;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
 /* return 1 if given hostkey is allowed */
Jan F. Chadima 69dd72
 int
Jan F. Chadima 69dd72
 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
Jan F. Chadima 69dd72
diff -up openssh-5.9p0/auth2-pubkey.c.audit2 openssh-5.9p0/auth2-pubkey.c
Jan F. Chadima 69dd72
--- openssh-5.9p0/auth2-pubkey.c.audit2	2011-08-30 10:55:32.803126151 +0200
Jan F. Chadima 69dd72
+++ openssh-5.9p0/auth2-pubkey.c	2011-08-30 10:55:38.426108672 +0200
Jan F. Chadima 69dd72
@@ -140,7 +140,7 @@ userauth_pubkey(Authctxt *authctxt)
Jan F. Chadima 69dd72
 		/* test for correct signature */
Jan F. Chadima 69dd72
 		authenticated = 0;
Jan F. Chadima 69dd72
 		if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
Jan F. Chadima 69dd72
-		    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
Jan F. Chadima 69dd72
+		    PRIVSEP(user_key_verify(key, sig, slen, buffer_ptr(&b),
Jan F. Chadima 69dd72
 		    buffer_len(&b))) == 1)
Jan F. Chadima 69dd72
 			authenticated = 1;
Jan F. Chadima 69dd72
 		buffer_free(&b);
Jan F. Chadima 69dd72
@@ -177,6 +177,18 @@ done:
Jan F. Chadima 69dd72
 	return authenticated;
Jan F. Chadima 69dd72
 }
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
+int
Jan F. Chadima 69dd72
+user_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	int rv;
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+	rv = key_verify(key, sig, slen, data, datalen);
Jan F. Chadima 69dd72
+#ifdef SSH_AUDIT_EVENTS
Jan F. Chadima 69dd72
+	audit_key(1, &rv, key);
Jan F. Chadima 69dd72
+#endif
Jan F. Chadima 69dd72
+	return rv;
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
 static int
Jan F. Chadima 69dd72
 match_principals_option(const char *principal_list, struct KeyCert *cert)
Jan F. Chadima 69dd72
 {
Jan F. Chadima 69dd72
diff -up openssh-5.9p0/monitor.c.audit2 openssh-5.9p0/monitor.c
Jan F. Chadima 69dd72
--- openssh-5.9p0/monitor.c.audit2	2011-08-30 10:55:35.849023496 +0200
Jan F. Chadima 69dd72
+++ openssh-5.9p0/monitor.c	2011-08-30 10:55:38.848024600 +0200
Jan F. Chadima 69dd72
@@ -1318,9 +1318,11 @@ mm_answer_keyverify(int sock, Buffer *m)
Jan F. Chadima 69dd72
 	Key *key;
Jan F. Chadima 69dd72
 	u_char *signature, *data, *blob;
Jan F. Chadima 69dd72
 	u_int signaturelen, datalen, bloblen;
Jan F. Chadima 69dd72
+	int type = 0;
Jan F. Chadima 69dd72
 	int verified = 0;
Jan F. Chadima 69dd72
 	int valid_data = 0;
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
+	type = buffer_get_int(m);
Jan F. Chadima 69dd72
 	blob = buffer_get_string(m, &bloblen);
Jan F. Chadima 69dd72
 	signature = buffer_get_string(m, &signaturelen);
Jan F. Chadima 69dd72
 	data = buffer_get_string(m, &datalen);
Jan F. Chadima 69dd72
@@ -1328,6 +1330,8 @@ mm_answer_keyverify(int sock, Buffer *m)
Jan F. Chadima 69dd72
 	if (hostbased_cuser == NULL || hostbased_chost == NULL ||
Jan F. Chadima 69dd72
 	  !monitor_allowed_key(blob, bloblen))
Jan F. Chadima 69dd72
 		fatal("%s: bad key, not previously allowed", __func__);
Jan F. Chadima 69dd72
+	if (type != key_blobtype)
Jan F. Chadima 69dd72
+		fatal("%s: bad key type", __func__);
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 	key = key_from_blob(blob, bloblen);
Jan F. Chadima 69dd72
 	if (key == NULL)
Jan F. Chadima 69dd72
@@ -1348,7 +1352,17 @@ mm_answer_keyverify(int sock, Buffer *m)
Jan F. Chadima 69dd72
 	if (!valid_data)
Jan F. Chadima 69dd72
 		fatal("%s: bad signature data blob", __func__);
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
-	verified = key_verify(key, signature, signaturelen, data, datalen);
Jan F. Chadima 69dd72
+	switch (key_blobtype) {
Jan F. Chadima 69dd72
+	case MM_USERKEY:
Jan F. Chadima 69dd72
+		verified = user_key_verify(key, signature, signaturelen, data, datalen);
Jan F. Chadima 69dd72
+		break;
Jan F. Chadima 69dd72
+	case MM_HOSTKEY:
Jan F. Chadima 69dd72
+		verified = hostbased_key_verify(key, signature, signaturelen, data, datalen);
Jan F. Chadima 69dd72
+		break;
Jan F. Chadima 69dd72
+	default:
Jan F. Chadima 69dd72
+		verified = 0;
Jan F. Chadima 69dd72
+		break;
Jan F. Chadima 69dd72
+	}
Jan F. Chadima 69dd72
 	debug3("%s: key %p signature %s",
Jan F. Chadima 69dd72
 	    __func__, key, (verified == 1) ? "verified" : "unverified");
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
diff -up openssh-5.9p0/monitor_wrap.c.audit2 openssh-5.9p0/monitor_wrap.c
Jan F. Chadima 69dd72
--- openssh-5.9p0/monitor_wrap.c.audit2	2011-08-30 10:55:36.431043533 +0200
Jan F. Chadima 69dd72
+++ openssh-5.9p0/monitor_wrap.c	2011-08-30 10:55:39.074038187 +0200
Jan F. Chadima 69dd72
@@ -431,7 +431,7 @@ mm_key_allowed(enum mm_keytype type, cha
Jan F. Chadima 69dd72
  */
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 int
Jan F. Chadima 69dd72
-mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
Jan F. Chadima 69dd72
+mm_key_verify(enum mm_keytype type, Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
Jan F. Chadima 69dd72
 {
Jan F. Chadima 69dd72
 	Buffer m;
Jan F. Chadima 69dd72
 	u_char *blob;
Jan F. Chadima 69dd72
@@ -445,6 +445,7 @@ mm_key_verify(Key *key, u_char *sig, u_i
Jan F. Chadima 69dd72
 		return (0);
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
 	buffer_init(&m);
Jan F. Chadima 69dd72
+	buffer_put_int(&m, type);
Jan F. Chadima 69dd72
 	buffer_put_string(&m, blob, len);
Jan F. Chadima 69dd72
 	buffer_put_string(&m, sig, siglen);
Jan F. Chadima 69dd72
 	buffer_put_string(&m, data, datalen);
Jan F. Chadima 69dd72
@@ -462,6 +463,19 @@ mm_key_verify(Key *key, u_char *sig, u_i
Jan F. Chadima 69dd72
 	return (verified);
Jan F. Chadima 69dd72
 }
Jan F. Chadima 69dd72
 
Jan F. Chadima 69dd72
+int
Jan F. Chadima 69dd72
+mm_hostbased_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	return mm_key_verify(MM_HOSTKEY, key, sig, siglen, data, datalen);
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+int
Jan F. Chadima 69dd72
+mm_user_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
Jan F. Chadima 69dd72
+{
Jan F. Chadima 69dd72
+	return mm_key_verify(MM_USERKEY, key, sig, siglen, data, datalen);
Jan F. Chadima 69dd72
+}
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
+
Jan F. Chadima 69dd72
 /* Export key state after authentication */
Jan F. Chadima 69dd72
 Newkeys *
Jan F. Chadima 69dd72
 mm_newkeys_from_blob(u_char *blob, int blen)
Jan F. Chadima 69dd72
diff -up openssh-5.9p0/monitor_wrap.h.audit2 openssh-5.9p0/monitor_wrap.h
Jan F. Chadima 69dd72
--- openssh-5.9p0/monitor_wrap.h.audit2	2011-08-30 10:55:36.550088263 +0200
Jan F. Chadima 69dd72
+++ openssh-5.9p0/monitor_wrap.h	2011-08-30 10:55:39.282151179 +0200
Jan F. Chadima 69dd72
@@ -49,7 +49,8 @@ int mm_key_allowed(enum mm_keytype, char
Jan F. Chadima 69dd72
 int mm_user_key_allowed(struct passwd *, Key *);
Jan F. Chadima 69dd72
 int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *);
Jan F. Chadima 69dd72
 int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
Jan F. Chadima 69dd72
-int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int);
Jan F. Chadima 69dd72
+int mm_hostbased_key_verify(Key *, u_char *, u_int, u_char *, u_int);
Jan F. Chadima 69dd72
+int mm_user_key_verify(Key *, u_char *, u_int, u_char *, u_int);
Jan F. Chadima 69dd72
 int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
Jan F. Chadima 69dd72
 int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
Jan F. Chadima 69dd72
 BIGNUM *mm_auth_rsa_generate_challenge(Key *);