From owner-svn-src-stable@freebsd.org  Wed Jan 11 05:56:42 2017
Return-Path: <owner-svn-src-stable@freebsd.org>
Delivered-To: svn-src-stable@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 333A7CAAA52;
 Wed, 11 Jan 2017 05:56:42 +0000 (UTC)
 (envelope-from delphij@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 057091978;
 Wed, 11 Jan 2017 05:56:41 +0000 (UTC)
 (envelope-from delphij@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v0B5ufVO099248;
 Wed, 11 Jan 2017 05:56:41 GMT (envelope-from delphij@FreeBSD.org)
Received: (from delphij@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id v0B5ueBx099240;
 Wed, 11 Jan 2017 05:56:40 GMT (envelope-from delphij@FreeBSD.org)
Message-Id: <201701110556.v0B5ueBx099240@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: delphij set sender to
 delphij@FreeBSD.org using -f
From: Xin LI <delphij@FreeBSD.org>
Date: Wed, 11 Jan 2017 05:56:40 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r311915 - in stable: 10/crypto/openssh 11/crypto/openssh
X-SVN-Group: stable-11
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
 <svn-src-stable.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable>, 
 <mailto:svn-src-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable/>
List-Post: <mailto:svn-src-stable@freebsd.org>
List-Help: <mailto:svn-src-stable-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable>,
 <mailto:svn-src-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jan 2017 05:56:42 -0000

Author: delphij
Date: Wed Jan 11 05:56:40 2017
New Revision: 311915
URL: https://svnweb.freebsd.org/changeset/base/311915

Log:
  MFC r311914: MFV r311913:
  
  Fix multiple OpenSSH vulnerabilities.
  
  Submitted by:	des
  Approved by:	so

Modified:
  stable/11/crypto/openssh/serverloop.c
  stable/11/crypto/openssh/ssh-agent.1
  stable/11/crypto/openssh/ssh-agent.c
  stable/11/crypto/openssh/ssh_config
  stable/11/crypto/openssh/ssh_config.5
  stable/11/crypto/openssh/sshd_config
  stable/11/crypto/openssh/sshd_config.5
  stable/11/crypto/openssh/version.h
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/10/crypto/openssh/serverloop.c
  stable/10/crypto/openssh/ssh-agent.1
  stable/10/crypto/openssh/ssh-agent.c
  stable/10/crypto/openssh/ssh_config
  stable/10/crypto/openssh/ssh_config.5
  stable/10/crypto/openssh/sshd_config
  stable/10/crypto/openssh/sshd_config.5
  stable/10/crypto/openssh/version.h
Directory Properties:
  stable/10/   (props changed)

Modified: stable/11/crypto/openssh/serverloop.c
==============================================================================
--- stable/11/crypto/openssh/serverloop.c	Wed Jan 11 05:49:39 2017	(r311914)
+++ stable/11/crypto/openssh/serverloop.c	Wed Jan 11 05:56:40 2017	(r311915)
@@ -995,7 +995,7 @@ server_request_direct_streamlocal(void)
 
 	/* XXX fine grained permissions */
 	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
-	    !no_port_forwarding_flag) {
+	    !no_port_forwarding_flag && use_privsep) {
 		c = channel_connect_to_path(target,
 		    "direct-streamlocal@openssh.com", "direct-streamlocal");
 	} else {
@@ -1279,7 +1279,7 @@ server_input_global_request(int type, u_
 
 		/* check permissions */
 		if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
-		    || no_port_forwarding_flag) {
+		    || no_port_forwarding_flag || !use_privsep) {
 			success = 0;
 			packet_send_debug("Server has disabled port forwarding.");
 		} else {

Modified: stable/11/crypto/openssh/ssh-agent.1
==============================================================================
--- stable/11/crypto/openssh/ssh-agent.1	Wed Jan 11 05:49:39 2017	(r311914)
+++ stable/11/crypto/openssh/ssh-agent.1	Wed Jan 11 05:56:40 2017	(r311915)
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.62 2015/11/15 23:54:15 jmc Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.63 2016/11/30 03:07:37 djm Exp $
 .\" $FreeBSD$
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -48,6 +48,7 @@
 .Op Fl a Ar bind_address
 .Op Fl E Ar fingerprint_hash
 .Op Fl t Ar life
+.Op Fl P Ar pkcs11_whitelist
 .Op Ar command Op Ar arg ...
 .Nm ssh-agent
 .Op Fl c | s
@@ -122,6 +123,18 @@ The default is
 Kill the current agent (given by the
 .Ev SSH_AGENT_PID
 environment variable).
+.It Fl P
+Specify a pattern-list of acceptable paths for PKCS#11 shared libraries
+that may be added using the
+.Fl s
+option to
+.Xr ssh-add 1 .
+The default is to allow loading PKCS#11 libraries from
+.Dq /usr/lib/*,/usr/local/lib/* .
+PKCS#11 libraries that do not match the whitelist will be refused.
+See PATTERNS in
+.Xr ssh_config 5
+for a description of pattern-list syntax.
 .It Fl s
 Generate Bourne shell commands on
 .Dv stdout .

Modified: stable/11/crypto/openssh/ssh-agent.c
==============================================================================
--- stable/11/crypto/openssh/ssh-agent.c	Wed Jan 11 05:49:39 2017	(r311914)
+++ stable/11/crypto/openssh/ssh-agent.c	Wed Jan 11 05:56:40 2017	(r311915)
@@ -84,11 +84,16 @@ __RCSID("$FreeBSD$");
 #include "misc.h"
 #include "digest.h"
 #include "ssherr.h"
+#include "match.h"
 
 #ifdef ENABLE_PKCS11
 #include "ssh-pkcs11.h"
 #endif
 
+#ifndef DEFAULT_PKCS11_WHITELIST
+# define DEFAULT_PKCS11_WHITELIST "/usr/lib/*,/usr/local/lib/*"
+#endif
+
 #if defined(HAVE_SYS_PRCTL_H)
 #include <sys/prctl.h>	/* For prctl() and PR_SET_DUMPABLE */
 #endif
@@ -140,6 +145,9 @@ pid_t cleanup_pid = 0;
 char socket_name[PATH_MAX];
 char socket_dir[PATH_MAX];
 
+/* PKCS#11 path whitelist */
+static char *pkcs11_whitelist;
+
 /* locking */
 #define LOCK_SIZE	32
 #define LOCK_SALT_SIZE	16
@@ -761,7 +769,7 @@ no_identities(SocketEntry *e, u_int type
 static void
 process_add_smartcard_key(SocketEntry *e)
 {
-	char *provider = NULL, *pin;
+	char *provider = NULL, *pin, canonical_provider[PATH_MAX];
 	int r, i, version, count = 0, success = 0, confirm = 0;
 	u_int seconds;
 	time_t death = 0;
@@ -793,10 +801,21 @@ process_add_smartcard_key(SocketEntry *e
 			goto send;
 		}
 	}
+	if (realpath(provider, canonical_provider) == NULL) {
+		verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
+		    provider, strerror(errno));
+		goto send;
+	}
+	if (match_pattern_list(canonical_provider, pkcs11_whitelist, 0) != 1) {
+		verbose("refusing PKCS#11 add of \"%.100s\": "
+		    "provider not whitelisted", canonical_provider);
+		goto send;
+	}
+	debug("%s: add %.100s", __func__, canonical_provider);
 	if (lifetime && !death)
 		death = monotime() + lifetime;
 
-	count = pkcs11_add_provider(provider, pin, &keys);
+	count = pkcs11_add_provider(canonical_provider, pin, &keys);
 	for (i = 0; i < count; i++) {
 		k = keys[i];
 		version = k->type == KEY_RSA1 ? 1 : 2;
@@ -804,8 +823,8 @@ process_add_smartcard_key(SocketEntry *e
 		if (lookup_identity(k, version) == NULL) {
 			id = xcalloc(1, sizeof(Identity));
 			id->key = k;
-			id->provider = xstrdup(provider);
-			id->comment = xstrdup(provider); /* XXX */
+			id->provider = xstrdup(canonical_provider);
+			id->comment = xstrdup(canonical_provider); /* XXX */
 			id->death = death;
 			id->confirm = confirm;
 			TAILQ_INSERT_TAIL(&tab->idlist, id, next);
@@ -1200,7 +1219,7 @@ usage(void)
 {
 	fprintf(stderr,
 	    "usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]\n"
-	    "                 [-t life] [command [arg ...]]\n"
+	    "                 [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
 	    "       ssh-agent [-c | -s] -k\n");
 	fprintf(stderr, "  -x          Exit when the last client disconnects.\n");
 	exit(1);
@@ -1246,7 +1265,7 @@ main(int ac, char **av)
 	__progname = ssh_get_progname(av[0]);
 	seed_rng();
 
-	while ((ch = getopt(ac, av, "cDdksE:a:t:x")) != -1) {
+	while ((ch = getopt(ac, av, "cDdksE:a:P:t:x")) != -1) {
 		switch (ch) {
 		case 'E':
 			fingerprint_hash = ssh_digest_alg_by_name(optarg);
@@ -1261,6 +1280,11 @@ main(int ac, char **av)
 		case 'k':
 			k_flag++;
 			break;
+		case 'P':
+			if (pkcs11_whitelist != NULL)
+				fatal("-P option already specified");
+			pkcs11_whitelist = xstrdup(optarg);
+			break;
 		case 's':
 			if (c_flag)
 				usage();
@@ -1298,6 +1322,9 @@ main(int ac, char **av)
 	if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
 		usage();
 
+	if (pkcs11_whitelist == NULL)
+		pkcs11_whitelist = xstrdup(DEFAULT_PKCS11_WHITELIST);
+
 	if (ac == 0 && !c_flag && !s_flag) {
 		shell = getenv("SHELL");
 		if (shell != NULL && (len = strlen(shell)) > 2 &&
@@ -1445,7 +1472,7 @@ skip:
 	signal(SIGTERM, cleanup_handler);
 	nalloc = 0;
 
-	if (pledge("stdio cpath unix id proc exec", NULL) == -1)
+	if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1)
 		fatal("%s: pledge: %s", __progname, strerror(errno));
 	platform_pledge_agent();
 

Modified: stable/11/crypto/openssh/ssh_config
==============================================================================
--- stable/11/crypto/openssh/ssh_config	Wed Jan 11 05:49:39 2017	(r311914)
+++ stable/11/crypto/openssh/ssh_config	Wed Jan 11 05:56:40 2017	(r311915)
@@ -50,4 +50,4 @@
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
 #   VerifyHostKeyDNS yes
-#   VersionAddendum FreeBSD-20160310
+#   VersionAddendum FreeBSD-20161230

Modified: stable/11/crypto/openssh/ssh_config.5
==============================================================================
--- stable/11/crypto/openssh/ssh_config.5	Wed Jan 11 05:49:39 2017	(r311914)
+++ stable/11/crypto/openssh/ssh_config.5	Wed Jan 11 05:56:40 2017	(r311915)
@@ -1727,7 +1727,7 @@ See also VERIFYING HOST KEYS in
 Specifies a string to append to the regular version string to identify
 OS- or site-specific modifications.
 The default is
-.Dq FreeBSD-20160310 .
+.Dq FreeBSD-20161230 .
 The value
 .Dq none
 may be used to disable this.

Modified: stable/11/crypto/openssh/sshd_config
==============================================================================
--- stable/11/crypto/openssh/sshd_config	Wed Jan 11 05:49:39 2017	(r311914)
+++ stable/11/crypto/openssh/sshd_config	Wed Jan 11 05:56:40 2017	(r311915)
@@ -121,7 +121,7 @@
 #PermitTunnel no
 #ChrootDirectory none
 #UseBlacklist no
-#VersionAddendum FreeBSD-20160310
+#VersionAddendum FreeBSD-20161230
 
 # no default banner path
 #Banner none

Modified: stable/11/crypto/openssh/sshd_config.5
==============================================================================
--- stable/11/crypto/openssh/sshd_config.5	Wed Jan 11 05:49:39 2017	(r311914)
+++ stable/11/crypto/openssh/sshd_config.5	Wed Jan 11 05:56:40 2017	(r311915)
@@ -1634,7 +1634,7 @@ The default is
 Optionally specifies additional text to append to the SSH protocol banner
 sent by the server upon connection.
 The default is
-.Dq FreeBSD-20160310 .
+.Dq FreeBSD-20161230 .
 The value
 .Dq none
 may be used to disable this.

Modified: stable/11/crypto/openssh/version.h
==============================================================================
--- stable/11/crypto/openssh/version.h	Wed Jan 11 05:49:39 2017	(r311914)
+++ stable/11/crypto/openssh/version.h	Wed Jan 11 05:56:40 2017	(r311915)
@@ -6,7 +6,7 @@
 #define SSH_PORTABLE	"p2"
 #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
 
-#define SSH_VERSION_FREEBSD	"FreeBSD-20160310"
+#define SSH_VERSION_FREEBSD	"FreeBSD-20161230"
 
 #ifdef WITH_OPENSSL
 #define OPENSSL_VERSION	SSLeay_version(SSLEAY_VERSION)