From 5d54eee87371681b0b8cce4cd9efef3f38cead14 Mon Sep 17 00:00:00 2001
From: Alex Wilson
Date: Mon, 17 Jun 2024 16:05:59 +1000
Subject: [PATCH] pivy-agent: add zone info to logs, also add info logs about ecdh ops
---
 bunyan.c | 12 ++++++++++++
 bunyan.h | 1 +
 pivy-agent.c | 33 +++++++++++++++++++++++++++++----
 3 files changed, 42 insertions(+), 4 deletions(-)
diff --git a/bunyan.c b/bunyan.c
index d64e8d5..2bece81 100644
--- a/bunyan.c
+++ b/bunyan.c
@@ -20,12 +20,15 @@
 #include
 #include
+
 #include "debug.h"
 #include "bunyan.h"
 #include "errf.h"
 #include "utils.h"
+#include "openssh/sshkey.h"
+
 static const char *bunyan_name = NULL;
 /*
@@ -470,6 +473,7 @@ bunyan_log(enum bunyan_log_level level, const char *msg, ...)
 uint uintval;
 uint64_t uint64val;
 size_t szval;
+ struct sshkey *pubk;
 propname = va_arg(ap, const char *);
 if (propname == NULL)
@@ -524,6 +528,14 @@ bunyan_log(enum bunyan_log_level level, const char *msg, ...)
 evar->bv_next = evars;
 evars = evar;
 break;
+ case BNY_SSHKEY:
+ pubk = va_arg(ap, struct sshkey *);
+ wstrval = sshkey_fingerprint(pubk, SSH_DIGEST_SHA256,
+ SSH_FP_BASE64);
+ printf_buf("%s = %s key (%u bits): %s", propname,
+ sshkey_type(pubk), sshkey_size(pubk), wstrval);
+ free(wstrval);
+ break;
 default:
 abort();
 }
diff --git a/bunyan.h b/bunyan.h
index 91ec912..f3649f6 100644
--- a/bunyan.h
+++ b/bunyan.h
@@ -30,6 +30,7 @@ enum bunyan_arg_type {
 BNY_SIZE_T,
 BNY_BIN_HEX,
 BNY_ERF,
+ BNY_SSHKEY,
 };
 void bunyan_init(void);
diff --git a/pivy-agent.c b/pivy-agent.c
index 2e273ab..b08ebd4 100644
--- a/pivy-agent.c
+++ b/pivy-agent.c
@@ -258,6 +258,10 @@ typedef struct socket_entry {
 pid_entry_t *se_pid_ent;
 uint se_pid_idx;
 sessbind_t se_sbind;
+#if defined(__sun)
+ zoneid_t se_zid;
+ char se_zname[128];
+#endif
 } socket_entry_t;
 u_int sockets_alloc = 0;
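Review bot: `sshkey_fingerprint()` returns NULL when it cannot produce a fingerprint (unsupported key type, digest or allocation failure), and the new `BNY_SSHKEY` case passes that result straight to `printf_buf` as a `%s` argument; a NULL `pubk` would likewise be dereferenced by `sshkey_type()`/`sshkey_size()` before anything is printed. The callers added in pivy-agent.c hand over `partner` and `piv_box_ephem_pubkey(box)` without checking either, so a bad key could turn a log statement into a crash of the agent. Guard both values before formatting: `if (pubk == NULL || (wstrval = sshkey_fingerprint(pubk, SSH_DIGEST_SHA256, SSH_FP_BASE64)) == NULL) { printf_buf("%s = (unavailable)", propname); break; }`. bunyan_log's body begins and ends outside the hunk.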
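Review bot: `BNY_SSHKEY` is added to `enum bunyan_arg_type` without saying what argument it consumes, while the bunyan.c side reads a `struct sshkey *` and prints its type, bit size and SHA256 fingerprint; a one-line comment on the enumerator spares callers a trip into bunyan.c, e.g. `BNY_SSHKEY, /* struct sshkey *: logged as type, bit size and SHA256 fingerprint */`. The enum's opening line is above the hunk, in its header context.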
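Review bot: `char se_zname[128];` uses a magic size; illumos/Solaris bound zone names by `ZONENAME_MAX`, and sizing the field with it keeps the buffer and the `sizeof (ent->se_zname)` passed to `getzonenamebyid()` in check_socket_access tied to the real limit rather than to a number that happens to be large enough today: `char se_zname[ZONENAME_MAX];`. The `socket_entry` typedef begins outside the hunk.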
@@ -1592,6 +1596,10 @@ process_ext_ecdh(socket_entry_t *e, struct sshbuf *buf)
 }
 agent_piv_close(B_FALSE);
+ bunyan_log(BNY_INFO, "performed ECDH operation",
+ "partner_pk", BNY_SSHKEY, partner,
+ NULL);
+
 if ((r = sshbuf_put_u8(msg, SSH_AGENT_SUCCESS)) != 0 ||
 (r = sshbuf_put_string(msg, secret, seclen)) != 0)
 fatal("%s: buffer error: %s", __func__, ssh_err(r));
@@ -1624,6 +1632,7 @@ process_ext_rebox(socket_entry_t *e, struct sshbuf *buf)
 size_t seclen, outlen;
 boolean_t canskip = B_TRUE;
 enum piv_slot_auth rauth;
+ char *slotstr;
 if ((msg = sshbuf_new()) == NULL)
 fatal("%s: sshbuf_new failed", __func__);
@@ -1711,6 +1720,15 @@ process_ext_rebox(socket_entry_t *e, struct sshbuf *buf)
 goto out;
 }
+ slotstr = piv_slotid_to_string(piv_slot_id(slot));
+ bunyan_log(BNY_INFO, "opened ECDH box",
+ "key_slot", BNY_STRING, slotstr,
+ "partner_pk", BNY_SSHKEY, partner,
+ "ephem_pk", BNY_SSHKEY, piv_box_ephem_pubkey(box),
+ "payload_size", BNY_SIZE_T, piv_box_encsize(box),
+ NULL);
+ free(slotstr);
+
 VERIFY0(piv_box_take_data(box, &secret, &seclen));
 agent_piv_close(B_FALSE);
@@ -2304,9 +2322,14 @@ process_message(u_int socknum)
 "fd", BNY_INT, e->se_fd,
 "msg_type", BNY_INT, (int)type,
 "msg_type_name", BNY_STRING, msg_type_to_name(type),
+ "remote_uid", BNY_INT, (int)e->se_uid,
 "remote_pid", BNY_INT, (int)e->se_pid,
 "remote_cmd", BNY_STRING,
 (e->se_exepath == NULL) ? "???" : e->se_exepath,
+#if defined(__sun)
+ "remote_zid", BNY_INT, (int)e->se_zid,
+ "remote_zone", BNY_STRING, e->se_zname,
+#endif
 NULL);
 bunyan_log(BNY_DEBUG, "received ssh-agent message", NULL);
@@ -2412,7 +2435,6 @@ check_socket_access(int fd, socket_entry_t *ent)
 FILE *f;
 ucred_t *peer = NULL;
 struct psinfo *psinfo;
- zoneid_t zid;
 char fn[128];
 if (getpeerucred(fd, &peer) != 0) {
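Review bot: The new INFO record for a completed ECDH operation names only the partner key, whereas the matching "opened ECDH box" record added in process_ext_rebox also carries `key_slot`; an audit line for a private-key operation is far more useful to whoever reads the agent log when it says which slot performed it. If the slot handle is in scope at this point, add it the same way the rebox path does, `"key_slot", BNY_STRING, slotstr,` with the surrounding `piv_slotid_to_string()`/`free()` pair. process_ext_ecdh begins and ends outside the hunk, so the slot variable's name cannot be confirmed from here.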
@@ -2422,7 +2444,10 @@ check_socket_access(int fd, socket_entry_t *ent)
 ent->se_uid = (euid = ucred_geteuid(peer));
 ent->se_gid = ucred_getegid(peer);
 ent->se_pid = ucred_getpid(peer);
- zid = ucred_getzoneid(peer);
+ ent->se_zid = ucred_getzoneid(peer);
+ ent->se_zname[0] = '\0';
+ (void) getzonenamebyid(ent->se_zid, ent->se_zname,
+ sizeof (ent->se_zname));
 ucred_free(peer);
 psinfo = calloc(1, sizeof (struct psinfo));
 snprintf(fn, sizeof (fn), "/proc/%d/psinfo", (int)ent->se_pid);
@@ -2437,9 +2462,9 @@ check_socket_access(int fd, socket_entry_t *ent)
 fclose(f);
 }
 free(psinfo);
- if (!allow_any_zoneid && !check_zid(zid)) {
+ if (!allow_any_zoneid && !check_zid(ent->se_zid)) {
 error("zoneid mismatch: peer zoneid %u not on allow list",
- (u_int) zid);
+ (u_int) ent->se_zid);
 return (0);
 }
 if (!allow_any_uid && (euid != 0) && !check_uid(euid)) {
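Review bot: The result of `getzonenamebyid()` is discarded with a `(void)` cast, so a failed lookup leaves `se_zname` as the empty string that `ent->se_zname[0] = '\0';` pre-set, and the process_message record then reports `"remote_zone": ""` with nothing to tell an unnamed zone apart from a lookup error. If best-effort is the intent, say so at the call, `/* best effort: on failure se_zname stays "" and is logged as such */`; otherwise test for a negative return and emit a debug record so the empty name is explainable. check_socket_access begins outside the hunk.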
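Review bot: The zone-mismatch rejection still prints only the numeric id even though the zone name has just been resolved into `ent->se_zname` a few lines above; including it makes the denial log directly actionable for whoever maintains the allow list: `error("zoneid mismatch: peer zoneid %u (%s) not on allow list", (u_int) ent->se_zid, ent->se_zname);`. check_socket_access ends outside the hunk.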