aboutsummaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
authorXin LI <delphij@FreeBSD.org>2017-01-11 05:56:40 +0000
committerXin LI <delphij@FreeBSD.org>2017-01-11 05:56:40 +0000
commitc08456c2b7ec3ef81e628e04b0e67f83d1b07579 (patch)
treeeb90b492036e068f01dc6f7c45560eed9acd9ee7 /crypto
parentf9f5a25beb571577e4cbb3f24b3df4e744837b6d (diff)
downloadsrc-c08456c2b7ec3ef81e628e04b0e67f83d1b07579.tar.gz
src-c08456c2b7ec3ef81e628e04b0e67f83d1b07579.zip
MFC r311914: MFV r311913:
Fix multiple OpenSSH vulnerabilities. Submitted by: des Approved by: so
Notes
Notes: svn path=/stable/11/; revision=311915
Diffstat (limited to 'crypto')
-rw-r--r--crypto/openssh/serverloop.c4
-rw-r--r--crypto/openssh/ssh-agent.115
-rw-r--r--crypto/openssh/ssh-agent.c41
-rw-r--r--crypto/openssh/ssh_config2
-rw-r--r--crypto/openssh/ssh_config.52
-rw-r--r--crypto/openssh/sshd_config2
-rw-r--r--crypto/openssh/sshd_config.52
-rw-r--r--crypto/openssh/version.h2
8 files changed, 55 insertions, 15 deletions
diff --git a/crypto/openssh/serverloop.c b/crypto/openssh/serverloop.c
index 80d1db5490bc..f5c362dfcc59 100644
--- a/crypto/openssh/serverloop.c
+++ b/crypto/openssh/serverloop.c
@@ -995,7 +995,7 @@ server_request_direct_streamlocal(void)
/* XXX fine grained permissions */
if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
- !no_port_forwarding_flag) {
+ !no_port_forwarding_flag && use_privsep) {
c = channel_connect_to_path(target,
"direct-streamlocal@openssh.com", "direct-streamlocal");
} else {
@@ -1279,7 +1279,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
/* check permissions */
if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
- || no_port_forwarding_flag) {
+ || no_port_forwarding_flag || !use_privsep) {
success = 0;
packet_send_debug("Server has disabled port forwarding.");
} else {
diff --git a/crypto/openssh/ssh-agent.1 b/crypto/openssh/ssh-agent.1
index b8cd0c554b35..3806b6231976 100644
--- a/crypto/openssh/ssh-agent.1
+++ b/crypto/openssh/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.62 2015/11/15 23:54:15 jmc Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.63 2016/11/30 03:07:37 djm Exp $
.\" $FreeBSD$
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -48,6 +48,7 @@
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
.Op Fl t Ar life
+.Op Fl P Ar pkcs11_whitelist
.Op Ar command Op Ar arg ...
.Nm ssh-agent
.Op Fl c | s
@@ -122,6 +123,18 @@ The default is
Kill the current agent (given by the
.Ev SSH_AGENT_PID
environment variable).
+.It Fl P
+Specify a pattern-list of acceptable paths for PKCS#11 shared libraries
+that may be added using the
+.Fl s
+option to
+.Xr ssh-add 1 .
+The default is to allow loading PKCS#11 libraries from
+.Dq /usr/lib/*,/usr/local/lib/* .
+PKCS#11 libraries that do not match the whitelist will be refused.
+See PATTERNS in
+.Xr ssh_config 5
+for a description of pattern-list syntax.
.It Fl s
Generate Bourne shell commands on
.Dv stdout .
diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c
index 8113022ec723..9cad00a281f9 100644
--- a/crypto/openssh/ssh-agent.c
+++ b/crypto/openssh/ssh-agent.c
@@ -84,11 +84,16 @@ __RCSID("$FreeBSD$");
#include "misc.h"
#include "digest.h"
#include "ssherr.h"
+#include "match.h"
#ifdef ENABLE_PKCS11
#include "ssh-pkcs11.h"
#endif
+#ifndef DEFAULT_PKCS11_WHITELIST
+# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
+#endif
+
#if defined(HAVE_SYS_PRCTL_H)
#include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
#endif
@@ -140,6 +145,9 @@ pid_t cleanup_pid = 0;
char socket_name[PATH_MAX];
char socket_dir[PATH_MAX];
+/* PKCS#11 path whitelist */
+static char *pkcs11_whitelist;
+
/* locking */
#define LOCK_SIZE 32
#define LOCK_SALT_SIZE 16
@@ -761,7 +769,7 @@ no_identities(SocketEntry *e, u_int type)
static void
process_add_smartcard_key(SocketEntry *e)
{
- char *provider = NULL, *pin;
+ char *provider = NULL, *pin, canonical_provider[PATH_MAX];
int r, i, version, count = 0, success = 0, confirm = 0;
u_int seconds;
time_t death = 0;
@@ -793,10 +801,21 @@ process_add_smartcard_key(SocketEntry *e)
goto send;
}
}
+ if (realpath(provider, canonical_provider) == NULL) {
+ verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+ provider, strerror(errno));
+ goto send;
+ }
+ if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
+ verbose("refusing PKCS#11 add of \"%.100s\": "
+ "provider not whitelisted", canonical_provider);
+ goto send;
+ }
+ debug("%s: add %.100s", __func__, canonical_provider);
if (lifetime && !death)
death = monotime() + lifetime;
- count = pkcs11_add_provider(provider, pin, &keys);
+ count = pkcs11_add_provider(canonical_provider, pin, &keys);
for (i = 0; i < count; i++) {
k = keys[i];
version = k->type == KEY_RSA1 ? 1 : 2;
@@ -804,8 +823,8 @@ process_add_smartcard_key(SocketEntry *e)
if (lookup_identity(k, version) == NULL) {
id = xcalloc(1, sizeof(Identity));
id->key = k;
- id->provider = xstrdup(provider);
- id->comment = xstrdup(provider); /* XXX */
+ id->provider = xstrdup(canonical_provider);
+ id->comment = xstrdup(canonical_provider); /* XXX */
id->death = death;
id->confirm = confirm;
TAILQ_INSERT_TAIL(&tab->idlist, id, next);
@@ -1200,7 +1219,7 @@ usage(void)
{
fprintf(stderr,
"usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
- " [-t life] [command [arg ...]]\n"
+ " [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
" ssh-agent [-c | -s] -k\n");
fprintf(stderr, " -x Exit when the last client disconnects.\n");
exit(1);
@@ -1246,7 +1265,7 @@ main(int ac, char **av)
__progname = ssh_get_progname(av[0]);
seed_rng();
- while ((ch = getopt(ac, av, "cDdksE:a:t:x")) != -1) {
+ while ((ch = getopt(ac, av, "cDdksE:a:P:t:x")) != -1) {
switch (ch) {
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
@@ -1261,6 +1280,11 @@ main(int ac, char **av)
case 'k':
k_flag++;
break;
+ case 'P':
+ if (pkcs11_whitelist != NULL)
+ fatal("-P option already specified");
+ pkcs11_whitelist = xstrdup(optarg);
+ break;
case 's':
if (c_flag)
usage();
@@ -1298,6 +1322,9 @@ main(int ac, char **av)
if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
usage();
+ if (pkcs11_whitelist == NULL)
+ pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST);
+
if (ac == 0 && !c_flag && !s_flag) {
shell = getenv("SHELL");
if (shell != NULL && (len = strlen(shell)) > 2 &&
@@ -1445,7 +1472,7 @@ skip:
signal(SIGTERM, cleanup_handler);
nalloc = 0;
- if (pledge("stdio cpath unix id proc exec", NULL) == -1)
+ if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
fatal("%s: pledge: %s", __progname, strerror(errno));
platform_pledge_agent();
diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config
index 8eca3453e298..54dffac92e77 100644
--- a/crypto/openssh/ssh_config
+++ b/crypto/openssh/ssh_config
@@ -50,4 +50,4 @@
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# VerifyHostKeyDNS yes
-# VersionAddendum FreeBSD-20160310
+# VersionAddendum FreeBSD-20161230
diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5
index 0a21247f0d77..f6b22581e6d6 100644
--- a/crypto/openssh/ssh_config.5
+++ b/crypto/openssh/ssh_config.5
@@ -1727,7 +1727,7 @@ See also VERIFYING HOST KEYS in
Specifies a string to append to the regular version string to identify
OS- or site-specific modifications.
The default is
-.Dq FreeBSD-20160310 .
+.Dq FreeBSD-20161230 .
The value
.Dq none
may be used to disable this.
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index a842e6efef9a..075857c354dc 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -121,7 +121,7 @@
#PermitTunnel no
#ChrootDirectory none
#UseBlacklist no
-#VersionAddendum FreeBSD-20160310
+#VersionAddendum FreeBSD-20161230
# no default banner path
#Banner none
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index 54c95ad74220..1359a20bced9 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -1634,7 +1634,7 @@ The default is
Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
The default is
-.Dq FreeBSD-20160310 .
+.Dq FreeBSD-20161230 .
The value
.Dq none
may be used to disable this.
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
index 031bb87ea6b8..540aad8f5df1 100644
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@@ -6,7 +6,7 @@
#define SSH_PORTABLE "p2"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-#define SSH_VERSION_FREEBSD "FreeBSD-20160310"
+#define SSH_VERSION_FREEBSD "FreeBSD-20161230"
#ifdef WITH_OPENSSL
#define OPENSSL_VERSION SSLeay_version(SSLEAY_VERSION)