[openssh] improve session keys audit

Jan F. Chadima jfch2222 at fedoraproject.org
Thu Mar 10 14:52:54 UTC 2011 

commit a864d61df9487e3985d3de0de7283203698291c0
Author: Jan F <jfch at kerberos.example.com>
Date:   Thu Mar 10 15:52:21 2011 +0100

    improve session keys audit

 openssh-5.8p1-audit4.patch  |  128 +++++++++++++++++++++++++++----------------
 openssh-5.8p1-audit4a.patch |   79 --------------------------
 openssh-5.8p1-audit5.patch  |   62 ++++++++++++---------
 openssh-5.8p1-audit5a.patch |   11 ----
 openssh.spec                |    6 +-
 5 files changed, 119 insertions(+), 167 deletions(-)
---
diff --git a/openssh-5.8p1-audit4.patch b/openssh-5.8p1-audit4.patch
index abe30ae..c191364 100644
--- a/openssh-5.8p1-audit4.patch
+++ b/openssh-5.8p1-audit4.patch
@@ -1,6 +1,6 @@
 diff -up openssh-5.8p1/audit-bsm.c.audit4 openssh-5.8p1/audit-bsm.c
---- openssh-5.8p1/audit-bsm.c.audit4	2011-03-02 10:06:43.000000000 +0100
-+++ openssh-5.8p1/audit-bsm.c	2011-03-02 10:06:44.000000000 +0100
+--- openssh-5.8p1/audit-bsm.c.audit4	2011-03-10 11:54:15.385855094 +0100
++++ openssh-5.8p1/audit-bsm.c	2011-03-10 11:54:16.108981513 +0100
 @@ -408,4 +408,10 @@ audit_kex_body(int ctos, char *enc, char
  {
  	/* not implemented */
@@ -13,8 +13,8 @@ diff -up openssh-5.8p1/audit-bsm.c.audit4 openssh-5.8p1/audit-bsm.c
 +}
  #endif /* BSM */
 diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
---- openssh-5.8p1/audit.c.audit4	2011-03-02 10:06:43.000000000 +0100
-+++ openssh-5.8p1/audit.c	2011-03-02 10:06:44.000000000 +0100
+--- openssh-5.8p1/audit.c.audit4	2011-03-10 11:54:15.430980093 +0100
++++ openssh-5.8p1/audit.c	2011-03-10 11:54:16.150854915 +0100
 @@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
  	PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
  }
@@ -45,8 +45,8 @@ diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
  # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/audit.h.audit4 openssh-5.8p1/audit.h
---- openssh-5.8p1/audit.h.audit4	2011-03-02 10:06:43.000000000 +0100
-+++ openssh-5.8p1/audit.h	2011-03-02 10:06:44.000000000 +0100
+--- openssh-5.8p1/audit.h.audit4	2011-03-10 11:54:15.474854443 +0100
++++ openssh-5.8p1/audit.h	2011-03-10 11:54:16.195980185 +0100
 @@ -62,5 +62,7 @@ void	audit_unsupported(int);
  void	audit_kex(int, char *, char *, char *);
  void	audit_unsupported_body(int);
@@ -56,8 +56,8 @@ diff -up openssh-5.8p1/audit.h.audit4 openssh-5.8p1/audit.h
  
  #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
---- openssh-5.8p1/audit-linux.c.audit4	2011-03-02 10:06:44.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-03-02 10:06:44.000000000 +0100
+--- openssh-5.8p1/audit-linux.c.audit4	2011-03-10 11:54:15.513980523 +0100
++++ openssh-5.8p1/audit-linux.c	2011-03-10 11:54:16.238854696 +0100
 @@ -292,6 +292,8 @@ audit_unsupported_body(int what)
  #endif
  }
@@ -107,8 +107,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
 +
  #endif /* USE_LINUX_AUDIT */
 diff -up openssh-5.8p1/auditstub.c.audit4 openssh-5.8p1/auditstub.c
---- openssh-5.8p1/auditstub.c.audit4	2011-03-02 10:06:44.000000000 +0100
-+++ openssh-5.8p1/auditstub.c	2011-03-02 10:06:44.000000000 +0100
+--- openssh-5.8p1/auditstub.c.audit4	2011-03-10 11:54:15.543855258 +0100
++++ openssh-5.8p1/auditstub.c	2011-03-10 11:54:16.281980911 +0100
 @@ -27,6 +27,8 @@
   * Red Hat author: Jan F. Chadima <jchadima at redhat.com>
   */
@@ -132,8 +132,8 @@ diff -up openssh-5.8p1/auditstub.c.audit4 openssh-5.8p1/auditstub.c
 +{
 +}
 diff -up openssh-5.8p1/kex.c.audit4 openssh-5.8p1/kex.c
---- openssh-5.8p1/kex.c.audit4	2011-03-02 10:06:44.000000000 +0100
-+++ openssh-5.8p1/kex.c	2011-03-02 10:06:44.000000000 +0100
+--- openssh-5.8p1/kex.c.audit4	2011-03-10 11:54:15.668854854 +0100
++++ openssh-5.8p1/kex.c	2011-03-10 11:54:16.328854758 +0100
 @@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
  	fprintf(stderr, "\n");
  }
@@ -171,7 +171,7 @@ diff -up openssh-5.8p1/kex.c.audit4 openssh-5.8p1/kex.c
 +
 diff -up openssh-5.8p1/kex.h.audit4 openssh-5.8p1/kex.h
 --- openssh-5.8p1/kex.h.audit4	2010-09-24 14:11:14.000000000 +0200
-+++ openssh-5.8p1/kex.h	2011-03-02 10:06:44.000000000 +0100
++++ openssh-5.8p1/kex.h	2011-03-10 11:54:16.375854867 +0100
 @@ -156,6 +156,8 @@ void	 kexgex_server(Kex *);
  void	 kexecdh_client(Kex *);
  void	 kexecdh_server(Kex *);
@@ -183,7 +183,7 @@ diff -up openssh-5.8p1/kex.h.audit4 openssh-5.8p1/kex.h
      BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
 diff -up openssh-5.8p1/mac.c.audit4 openssh-5.8p1/mac.c
 --- openssh-5.8p1/mac.c.audit4	2008-06-13 02:58:50.000000000 +0200
-+++ openssh-5.8p1/mac.c	2011-03-02 10:06:44.000000000 +0100
++++ openssh-5.8p1/mac.c	2011-03-10 11:54:16.414981731 +0100
 @@ -162,6 +162,20 @@ mac_clear(Mac *mac)
  	mac->umac_ctx = NULL;
  }
@@ -207,15 +207,15 @@ diff -up openssh-5.8p1/mac.c.audit4 openssh-5.8p1/mac.c
  int
 diff -up openssh-5.8p1/mac.h.audit4 openssh-5.8p1/mac.h
 --- openssh-5.8p1/mac.h.audit4	2007-06-11 06:01:42.000000000 +0200
-+++ openssh-5.8p1/mac.h	2011-03-02 10:06:44.000000000 +0100
++++ openssh-5.8p1/mac.h	2011-03-10 11:54:16.459979897 +0100
 @@ -28,3 +28,4 @@ int	 mac_setup(Mac *, char *);
  int	 mac_init(Mac *);
  u_char	*mac_compute(Mac *, u_int32_t, u_char *, int);
  void	 mac_clear(Mac *);
 +void	 mac_destroy(Mac *);
 diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
---- openssh-5.8p1/monitor.c.audit4	2011-03-02 10:06:44.000000000 +0100
-+++ openssh-5.8p1/monitor.c	2011-03-02 10:06:44.000000000 +0100
+--- openssh-5.8p1/monitor.c.audit4	2011-03-10 11:54:15.772979889 +0100
++++ openssh-5.8p1/monitor.c	2011-03-10 11:54:16.520854885 +0100
 @@ -181,6 +181,7 @@ int mm_answer_audit_command(int, Buffer 
  int mm_answer_audit_end_command(int, Buffer *);
  int mm_answer_audit_unsupported_body(int, Buffer *);
@@ -311,8 +311,8 @@ diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
 +}
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/monitor.h.audit4 openssh-5.8p1/monitor.h
---- openssh-5.8p1/monitor.h.audit4	2011-03-02 10:06:44.000000000 +0100
-+++ openssh-5.8p1/monitor.h	2011-03-02 10:06:45.000000000 +0100
+--- openssh-5.8p1/monitor.h.audit4	2011-03-10 11:54:15.820855816 +0100
++++ openssh-5.8p1/monitor.h	2011-03-10 11:54:16.564980955 +0100
 @@ -69,6 +69,7 @@ enum monitor_reqtype {
  	MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
  	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
@@ -322,8 +322,8 @@ diff -up openssh-5.8p1/monitor.h.audit4 openssh-5.8p1/monitor.h
  
  struct mm_master;
 diff -up openssh-5.8p1/monitor_wrap.c.audit4 openssh-5.8p1/monitor_wrap.c
---- openssh-5.8p1/monitor_wrap.c.audit4	2011-03-02 10:06:44.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.c	2011-03-02 10:06:45.000000000 +0100
+--- openssh-5.8p1/monitor_wrap.c.audit4	2011-03-10 11:54:15.867854835 +0100
++++ openssh-5.8p1/monitor_wrap.c	2011-03-10 11:54:16.611855033 +0100
 @@ -615,12 +615,14 @@ mm_send_keystate(struct monitor *monitor
  		fatal("%s: conversion of newkeys failed", __func__);
  
@@ -360,8 +360,8 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit4 openssh-5.8p1/monitor_wrap.c
 +}
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/monitor_wrap.h.audit4 openssh-5.8p1/monitor_wrap.h
---- openssh-5.8p1/monitor_wrap.h.audit4	2011-03-02 10:06:44.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.h	2011-03-02 10:07:05.000000000 +0100
+--- openssh-5.8p1/monitor_wrap.h.audit4	2011-03-10 11:54:15.915854621 +0100
++++ openssh-5.8p1/monitor_wrap.h	2011-03-10 11:54:16.655980759 +0100
 @@ -78,6 +78,7 @@ int mm_audit_run_command(const char *);
  void mm_audit_end_command(int, const char *);
  void mm_audit_unsupported_body(int);
@@ -372,7 +372,7 @@ diff -up openssh-5.8p1/monitor_wrap.h.audit4 openssh-5.8p1/monitor_wrap.h
  struct Session;
 diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
 --- openssh-5.8p1/packet.c.audit4	2010-11-24 00:46:37.000000000 +0100
-+++ openssh-5.8p1/packet.c	2011-03-02 10:06:45.000000000 +0100
++++ openssh-5.8p1/packet.c	2011-03-10 11:54:16.966855179 +0100
 @@ -60,6 +60,7 @@
  #include <signal.h>
  
@@ -381,15 +381,56 @@ diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
  #include "buffer.h"
  #include "packet.h"
  #include "crc32.h"
-@@ -497,6 +498,7 @@ packet_close(void)
+@@ -472,6 +473,13 @@ packet_get_connection_out(void)
+ 	return active_state->connection_out;
+ }
+ 
++static int
++packet_state_has_keys (const struct session_state *state)
++{
++	return state != NULL &&
++		(state->newkeys[MODE_IN] != NULL || state->newkeys[MODE_OUT] != NULL);
++}
++
+ /* Closes the connection and clears and frees internal data structures. */
+ 
+ void
+@@ -480,13 +488,6 @@ packet_close(void)
+ 	if (!active_state->initialized)
+ 		return;
+ 	active_state->initialized = 0;
+-	if (active_state->connection_in == active_state->connection_out) {
+-		shutdown(active_state->connection_out, SHUT_RDWR);
+-		close(active_state->connection_out);
+-	} else {
+-		close(active_state->connection_in);
+-		close(active_state->connection_out);
+-	}
+ 	buffer_free(&active_state->input);
+ 	buffer_free(&active_state->output);
+ 	buffer_free(&active_state->outgoing_packet);
+@@ -495,8 +496,18 @@ packet_close(void)
+ 		buffer_free(&active_state->compression_buffer);
+ 		buffer_compress_uninit();
  	}
- 	cipher_cleanup(&active_state->send_context);
- 	cipher_cleanup(&active_state->receive_context);
-+	audit_session_key_free(2);
+-	cipher_cleanup(&active_state->send_context);
+-	cipher_cleanup(&active_state->receive_context);
++	if (packet_state_has_keys(active_state)) {
++		cipher_cleanup(&active_state->send_context);
++		cipher_cleanup(&active_state->receive_context);
++		audit_session_key_free(2);
++	}
++	if (active_state->connection_in == active_state->connection_out) {
++		shutdown(active_state->connection_out, SHUT_RDWR);
++		close(active_state->connection_out);
++	} else {
++		close(active_state->connection_in);
++		close(active_state->connection_out);
++	}
  }
  
  /* Sets remote side protocol flags. */
-@@ -731,6 +733,23 @@ packet_send1(void)
+@@ -731,6 +742,23 @@ packet_send1(void)
  	 */
  }
  
@@ -413,7 +454,7 @@ diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
  void
  set_newkeys(int mode)
  {
-@@ -756,18 +775,9 @@ set_newkeys(int mode)
+@@ -756,18 +784,9 @@ set_newkeys(int mode)
  	}
  	if (active_state->newkeys[mode] != NULL) {
  		debug("set_newkeys: rekeying");
@@ -434,7 +475,7 @@ diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
  	}
  	active_state->newkeys[mode] = kex_get_newkeys(mode);
  	if (active_state->newkeys[mode] == NULL)
-@@ -1912,6 +1922,54 @@ packet_get_newkeys(int mode)
+@@ -1912,6 +1931,47 @@ packet_get_newkeys(int mode)
  	return (void *)active_state->newkeys[mode];
  }
  
@@ -461,13 +502,6 @@ diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
 +//	memset(state, 0, sizeof(state));
 +}
 +
-+static int
-+packet_state_has_keys (const struct session_state *state)
-+{
-+	return state != NULL &&
-+		(state->newkeys[MODE_IN] != NULL || state->newkeys[MODE_OUT] != NULL);
-+}
-+
 +void
 +packet_destroy_all(int audit_it, int privsep)
 +{
@@ -489,7 +523,7 @@ diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
  /*
   * Save the state for the real connection, and use a separate state when
   * resuming a suspended connection.
-@@ -1919,18 +1977,12 @@ packet_get_newkeys(int mode)
+@@ -1919,18 +1979,12 @@ packet_get_newkeys(int mode)
  void
  packet_backup_state(void)
  {
@@ -509,7 +543,7 @@ diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
  }
  
  /*
-@@ -1947,9 +1999,7 @@ packet_restore_state(void)
+@@ -1947,9 +2001,7 @@ packet_restore_state(void)
  	backup_state = active_state;
  	active_state = tmp;
  	active_state->connection_in = backup_state->connection_in;
@@ -519,7 +553,7 @@ diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
  	len = buffer_len(&backup_state->input);
  	if (len > 0) {
  		buf = buffer_ptr(&backup_state->input);
-@@ -1957,4 +2007,10 @@ packet_restore_state(void)
+@@ -1957,4 +2009,10 @@ packet_restore_state(void)
  		buffer_clear(&backup_state->input);
  		add_recv_bytes(len);
  	}
@@ -532,7 +566,7 @@ diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
 +
 diff -up openssh-5.8p1/packet.h.audit4 openssh-5.8p1/packet.h
 --- openssh-5.8p1/packet.h.audit4	2010-11-20 05:19:38.000000000 +0100
-+++ openssh-5.8p1/packet.h	2011-03-02 10:06:45.000000000 +0100
++++ openssh-5.8p1/packet.h	2011-03-10 11:54:16.753854671 +0100
 @@ -125,4 +125,5 @@ void	 packet_restore_state(void);
  void	*packet_get_input(void);
  void	*packet_get_output(void);
@@ -540,8 +574,8 @@ diff -up openssh-5.8p1/packet.h.audit4 openssh-5.8p1/packet.h
 +void	 packet_destroy_all(int, int);
  #endif				/* PACKET_H */
 diff -up openssh-5.8p1/session.c.audit4 openssh-5.8p1/session.c
---- openssh-5.8p1/session.c.audit4	2011-03-02 10:06:43.000000000 +0100
-+++ openssh-5.8p1/session.c	2011-03-02 10:06:45.000000000 +0100
+--- openssh-5.8p1/session.c.audit4	2011-03-10 11:54:14.556854925 +0100
++++ openssh-5.8p1/session.c	2011-03-10 11:54:16.805855439 +0100
 @@ -1627,6 +1627,9 @@ do_child(Session *s, const char *command
  
  	/* remove hostkey from the child's memory */
@@ -553,8 +587,8 @@ diff -up openssh-5.8p1/session.c.audit4 openssh-5.8p1/session.c
  	/* Force a password change */
  	if (s->authctxt->force_pwchange) {
 diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c
---- openssh-5.8p1/sshd.c.audit4	2011-03-02 10:06:44.000000000 +0100
-+++ openssh-5.8p1/sshd.c	2011-03-02 10:06:45.000000000 +0100
+--- openssh-5.8p1/sshd.c.audit4	2011-03-10 11:54:15.966980273 +0100
++++ openssh-5.8p1/sshd.c	2011-03-10 11:54:17.027854614 +0100
 @@ -663,6 +663,8 @@ privsep_preauth(Authctxt *authctxt)
  	return (0);
  }
@@ -587,7 +621,7 @@ diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c
  	do_authenticated(authctxt);
  
  	/* The connection has been terminated. */
-+	packet_destroy_all(1, 0);
++	packet_destroy_all(1, 1);
 +
  	packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
  	packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
diff --git a/openssh-5.8p1-audit4a.patch b/openssh-5.8p1-audit4a.patch
index e6e6720..e69de29 100644
--- a/openssh-5.8p1-audit4a.patch
+++ b/openssh-5.8p1-audit4a.patch
@@ -1,79 +0,0 @@
-diff -up openssh-5.8p1/packet.c.audit4a openssh-5.8p1/packet.c
---- openssh-5.8p1/packet.c.audit4a	2011-03-08 08:52:12.000000000 +0100
-+++ openssh-5.8p1/packet.c	2011-03-08 08:52:39.000000000 +0100
-@@ -473,6 +473,13 @@ packet_get_connection_out(void)
- 	return active_state->connection_out;
- }
- 
-+static int
-+packet_state_has_keys (const struct session_state *state)
-+{
-+	return state != NULL &&
-+		(state->newkeys[MODE_IN] != NULL || state->newkeys[MODE_OUT] != NULL);
-+}
-+
- /* Closes the connection and clears and frees internal data structures. */
- 
- void
-@@ -481,13 +488,6 @@ packet_close(void)
- 	if (!active_state->initialized)
- 		return;
- 	active_state->initialized = 0;
--	if (active_state->connection_in == active_state->connection_out) {
--		shutdown(active_state->connection_out, SHUT_RDWR);
--		close(active_state->connection_out);
--	} else {
--		close(active_state->connection_in);
--		close(active_state->connection_out);
--	}
- 	buffer_free(&active_state->input);
- 	buffer_free(&active_state->output);
- 	buffer_free(&active_state->outgoing_packet);
-@@ -496,9 +496,18 @@ packet_close(void)
- 		buffer_free(&active_state->compression_buffer);
- 		buffer_compress_uninit();
- 	}
--	cipher_cleanup(&active_state->send_context);
--	cipher_cleanup(&active_state->receive_context);
--	audit_session_key_free(2);
-+	if (packet_state_has_keys(active_state)) {
-+		cipher_cleanup(&active_state->send_context);
-+		cipher_cleanup(&active_state->receive_context);
-+		audit_session_key_free(2);
-+	}
-+	if (active_state->connection_in == active_state->connection_out) {
-+		shutdown(active_state->connection_out, SHUT_RDWR);
-+		close(active_state->connection_out);
-+	} else {
-+		close(active_state->connection_in);
-+		close(active_state->connection_out);
-+	}
- }
- 
- /* Sets remote side protocol flags. */
-@@ -1945,13 +1954,6 @@ packet_destroy_state(struct session_stat
- //	memset(state, 0, sizeof(state));
- }
- 
--static int
--packet_state_has_keys (const struct session_state *state)
--{
--	return state != NULL &&
--		(state->newkeys[MODE_IN] != NULL || state->newkeys[MODE_OUT] != NULL);
--}
--
- void
- packet_destroy_all(int audit_it, int privsep)
- {
-diff -up openssh-5.8p1/sshd.c.audit4a openssh-5.8p1/sshd.c
---- openssh-5.8p1/sshd.c.audit4a	2011-03-08 08:53:02.000000000 +0100
-+++ openssh-5.8p1/sshd.c	2011-03-08 08:55:23.000000000 +0100
-@@ -2033,7 +2033,7 @@ main(int ac, char **av)
- 	do_authenticated(authctxt);
- 
- 	/* The connection has been terminated. */
--	packet_destroy_all(1, 0);
-+	packet_destroy_all(1, 1);
- 
- 	packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
- 	packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
diff --git a/openssh-5.8p1-audit5.patch b/openssh-5.8p1-audit5.patch
index 6d0bee4..3e4238a 100644
--- a/openssh-5.8p1-audit5.patch
+++ b/openssh-5.8p1-audit5.patch
@@ -1,6 +1,6 @@
 diff -up openssh-5.8p1/audit-bsm.c.audit5 openssh-5.8p1/audit-bsm.c
---- openssh-5.8p1/audit-bsm.c.audit5	2011-03-02 08:30:41.000000000 +0100
-+++ openssh-5.8p1/audit-bsm.c	2011-03-02 08:30:41.000000000 +0100
+--- openssh-5.8p1/audit-bsm.c.audit5	2011-03-10 11:58:54.075979941 +0100
++++ openssh-5.8p1/audit-bsm.c	2011-03-10 11:58:55.029855000 +0100
 @@ -414,4 +414,22 @@ audit_session_key_free_body(int ctos, pi
  {
  	/* not implemented */
@@ -25,8 +25,8 @@ diff -up openssh-5.8p1/audit-bsm.c.audit5 openssh-5.8p1/audit-bsm.c
 +}
  #endif /* BSM */
 diff -up openssh-5.8p1/audit.c.audit5 openssh-5.8p1/audit.c
---- openssh-5.8p1/audit.c.audit5	2011-03-02 08:30:41.000000000 +0100
-+++ openssh-5.8p1/audit.c	2011-03-02 08:30:41.000000000 +0100
+--- openssh-5.8p1/audit.c.audit5	2011-03-10 11:58:54.121980174 +0100
++++ openssh-5.8p1/audit.c	2011-03-10 11:58:55.077854964 +0100
 @@ -290,5 +290,24 @@ audit_session_key_free_body(int ctos, pi
  	debug("audit session key discard euid %u direction %d from pid %ld uid %u",
  		(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
@@ -53,8 +53,8 @@ diff -up openssh-5.8p1/audit.c.audit5 openssh-5.8p1/audit.c
  # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/audit.h.audit5 openssh-5.8p1/audit.h
---- openssh-5.8p1/audit.h.audit5	2011-03-02 08:30:41.000000000 +0100
-+++ openssh-5.8p1/audit.h	2011-03-02 08:31:15.000000000 +0100
+--- openssh-5.8p1/audit.h.audit5	2011-03-10 11:58:54.167979998 +0100
++++ openssh-5.8p1/audit.h	2011-03-10 11:58:55.126854627 +0100
 @@ -48,6 +48,8 @@ enum ssh_audit_event_type {
  };
  typedef enum ssh_audit_event_type ssh_audit_event_t;
@@ -73,8 +73,8 @@ diff -up openssh-5.8p1/audit.h.audit5 openssh-5.8p1/audit.h
  
  #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.8p1/audit-linux.c.audit5 openssh-5.8p1/audit-linux.c
---- openssh-5.8p1/audit-linux.c.audit5	2011-03-02 08:30:41.000000000 +0100
-+++ openssh-5.8p1/audit-linux.c	2011-03-02 08:30:42.000000000 +0100
+--- openssh-5.8p1/audit-linux.c.audit5	2011-03-10 11:58:54.215855001 +0100
++++ openssh-5.8p1/audit-linux.c	2011-03-10 11:58:55.170980918 +0100
 @@ -350,4 +350,50 @@ audit_session_key_free_body(int ctos, pi
  		error("cannot write into audit");
  }
@@ -127,8 +127,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit5 openssh-5.8p1/audit-linux.c
 +}
  #endif /* USE_LINUX_AUDIT */
 diff -up openssh-5.8p1/key.c.audit5 openssh-5.8p1/key.c
---- openssh-5.8p1/key.c.audit5	2011-03-02 08:30:38.000000000 +0100
-+++ openssh-5.8p1/key.c	2011-03-02 08:30:42.000000000 +0100
+--- openssh-5.8p1/key.c.audit5	2011-03-10 11:58:51.406979467 +0100
++++ openssh-5.8p1/key.c	2011-03-10 11:58:55.229855219 +0100
 @@ -1797,6 +1797,30 @@ key_demote(const Key *k)
  }
  
@@ -161,8 +161,8 @@ diff -up openssh-5.8p1/key.c.audit5 openssh-5.8p1/key.c
  {
  	if (k == NULL)
 diff -up openssh-5.8p1/key.h.audit5 openssh-5.8p1/key.h
---- openssh-5.8p1/key.h.audit5	2011-03-02 08:30:38.000000000 +0100
-+++ openssh-5.8p1/key.h	2011-03-02 08:30:42.000000000 +0100
+--- openssh-5.8p1/key.h.audit5	2011-03-10 11:58:51.452981181 +0100
++++ openssh-5.8p1/key.h	2011-03-10 11:58:55.276854914 +0100
 @@ -109,6 +109,7 @@ Key	*key_generate(int, u_int);
  Key	*key_from_private(const Key *);
  int	 key_type_from_name(char *);
@@ -172,8 +172,8 @@ diff -up openssh-5.8p1/key.h.audit5 openssh-5.8p1/key.h
  int	 key_to_certified(Key *, int);
  int	 key_drop_cert(Key *);
 diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
---- openssh-5.8p1/monitor.c.audit5	2011-03-02 08:30:41.000000000 +0100
-+++ openssh-5.8p1/monitor.c	2011-03-02 08:30:42.000000000 +0100
+--- openssh-5.8p1/monitor.c.audit5	2011-03-10 11:58:54.503854586 +0100
++++ openssh-5.8p1/monitor.c	2011-03-10 11:58:55.333855125 +0100
 @@ -106,6 +106,8 @@ extern Buffer auth_debug;
  extern int auth_debug_init;
  extern Buffer loginmsg;
@@ -258,8 +258,8 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
 +}
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/monitor.h.audit5 openssh-5.8p1/monitor.h
---- openssh-5.8p1/monitor.h.audit5	2011-03-02 08:30:41.000000000 +0100
-+++ openssh-5.8p1/monitor.h	2011-03-02 08:30:42.000000000 +0100
+--- openssh-5.8p1/monitor.h.audit5	2011-03-10 11:58:54.545980156 +0100
++++ openssh-5.8p1/monitor.h	2011-03-10 11:58:55.378854631 +0100
 @@ -70,6 +70,7 @@ enum monitor_reqtype {
  	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
  	MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
@@ -269,8 +269,8 @@ diff -up openssh-5.8p1/monitor.h.audit5 openssh-5.8p1/monitor.h
  
  struct mm_master;
 diff -up openssh-5.8p1/monitor_wrap.c.audit5 openssh-5.8p1/monitor_wrap.c
---- openssh-5.8p1/monitor_wrap.c.audit5	2011-03-02 08:30:41.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.c	2011-03-02 08:30:42.000000000 +0100
+--- openssh-5.8p1/monitor_wrap.c.audit5	2011-03-10 11:58:54.602854916 +0100
++++ openssh-5.8p1/monitor_wrap.c	2011-03-10 11:58:55.432980073 +0100
 @@ -1501,4 +1501,20 @@ mm_audit_session_key_free_body(int ctos,
  				  &m);
  	buffer_free(&m);
@@ -293,9 +293,9 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit5 openssh-5.8p1/monitor_wrap.c
 +}
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.8p1/monitor_wrap.h.audit5 openssh-5.8p1/monitor_wrap.h
---- openssh-5.8p1/monitor_wrap.h.audit5	2011-03-02 08:30:41.000000000 +0100
-+++ openssh-5.8p1/monitor_wrap.h	2011-03-02 08:30:42.000000000 +0100
-@@ -79,6 +79,7 @@ void mm_audit_end_command(const char *);
+--- openssh-5.8p1/monitor_wrap.h.audit5	2011-03-10 11:58:54.648980503 +0100
++++ openssh-5.8p1/monitor_wrap.h	2011-03-10 11:58:55.480855200 +0100
+@@ -79,6 +79,7 @@ void mm_audit_end_command(int, const cha
  void mm_audit_unsupported_body(int);
  void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
  void mm_audit_session_key_free_body(int, pid_t, uid_t);
@@ -304,8 +304,8 @@ diff -up openssh-5.8p1/monitor_wrap.h.audit5 openssh-5.8p1/monitor_wrap.h
  
  struct Session;
 diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c
---- openssh-5.8p1/session.c.audit5	2011-03-02 08:30:41.000000000 +0100
-+++ openssh-5.8p1/session.c	2011-03-02 08:30:42.000000000 +0100
+--- openssh-5.8p1/session.c.audit5	2011-03-10 11:58:54.800854988 +0100
++++ openssh-5.8p1/session.c	2011-03-10 11:58:55.540854785 +0100
 @@ -132,7 +132,7 @@ extern int log_stderr;
  extern int debug_flag;
  extern u_int utmp_len;
@@ -325,8 +325,8 @@ diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c
  	   monitor over a single socket, with no synchronization. */
  	packet_destroy_all(0, 1);
 diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
---- openssh-5.8p1/sshd.c.audit5	2011-03-02 08:30:41.000000000 +0100
-+++ openssh-5.8p1/sshd.c	2011-03-02 08:30:42.000000000 +0100
+--- openssh-5.8p1/sshd.c.audit5	2011-03-10 11:58:54.856979886 +0100
++++ openssh-5.8p1/sshd.c	2011-03-10 11:58:55.728855905 +0100
 @@ -253,7 +253,7 @@ Buffer loginmsg;
  struct passwd *privsep_pw = NULL;
  
@@ -457,7 +457,15 @@ diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
  	}
  
  	packet_set_timeout(options.client_alive_interval,
-@@ -2262,7 +2313,7 @@ do_ssh1_kex(void)
+@@ -2034,6 +2085,7 @@ main(int ac, char **av)
+ 
+ 	/* The connection has been terminated. */
+ 	packet_destroy_all(1, 1);
++	destroy_sensitive_data(1);
+ 
+ 	packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
+ 	packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
+@@ -2262,7 +2314,7 @@ do_ssh1_kex(void)
  			session_id[i] = session_key[i] ^ session_key[i + 16];
  	}
  	/* Destroy the private and public keys. No longer. */
@@ -466,7 +474,7 @@ diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
  
  	if (use_privsep)
  		mm_ssh1_session_id(session_id);
-@@ -2352,8 +2403,22 @@ do_ssh2_kex(void)
+@@ -2352,8 +2404,22 @@ do_ssh2_kex(void)
  void
  cleanup_exit(int i)
  {
diff --git a/openssh-5.8p1-audit5a.patch b/openssh-5.8p1-audit5a.patch
index 31a0dce..e69de29 100644
--- a/openssh-5.8p1-audit5a.patch
+++ b/openssh-5.8p1-audit5a.patch
@@ -1,11 +0,0 @@
-diff -up openssh-5.8p1/sshd.c.audit5a openssh-5.8p1/sshd.c
---- openssh-5.8p1/sshd.c.audit5a	2011-03-08 09:03:49.000000000 +0100
-+++ openssh-5.8p1/sshd.c	2011-03-08 09:06:23.000000000 +0100
-@@ -2085,6 +2085,7 @@ main(int ac, char **av)
- 
- 	/* The connection has been terminated. */
- 	packet_destroy_all(1, 1);
-+	destroy_sensitive_data(1);
- 
- 	packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
- 	packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
diff --git a/openssh.spec b/openssh.spec
index bea7512..b913f3d 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -357,9 +357,9 @@ popd
 %patch56 -p1 -b .edns
 %patch57 -p1 -b .manpage
 %patch58 -p1 -b .keycat
-###%patch158 -p1 -b .keycat2
-###%patch60 -p1 -b .gsskex
-###%patch61 -p1 -b .canohost
+%patch158 -p1 -b .keycat2
+%patch60 -p1 -b .gsskex
+%patch61 -p1 -b .canohost
 
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}

More information about the scm-commits mailing list