4 files changed, 46 insertions, 17 deletions

diff --git a/auth2.c b/auth2.c
index 3a803e697..93e355ff6 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.133 2014/12/18 23:58:04 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.134 2014/12/22 07:55:51 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -151,9 +151,7 @@ userauth_banner(void)
 {
         char *banner = NULL;
 
-        if (options.banner == NULL ||
-            strcasecmp(options.banner, "none") == 0 ||
-            (datafellows & SSH_BUG_BANNER) != 0)
+        if (options.banner == NULL || (datafellows & SSH_BUG_BANNER) != 0)
                 return;
 
         if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
diff --git a/servconf.c b/servconf.c
index abc3c72fb..6eb368661 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.256 2014/12/21 22:27:56 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.257 2014/12/22 07:55:51 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -162,9 +162,18 @@ initialize_server_options(ServerOptions *options)
         options->fingerprint_hash = -1;
 }
 
+/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
+static int
+option_clear_or_none(const char *o)
+{
+        return o == NULL || strcasecmp(o, "none") == 0;
+}
+
 void
 fill_default_server_options(ServerOptions *options)
 {
+        int i;
+
         /* Portable-specific options */
         if (options->use_pam == -1)
                 options->use_pam = 0;
@@ -196,7 +205,7 @@ fill_default_server_options(ServerOptions *options)
         if (options->listen_addrs == NULL)
                 add_listen_addr(options, NULL, 0);
         if (options->pid_file == NULL)
-                options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
+                options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE);
         if (options->server_key_bits == -1)
                 options->server_key_bits = 1024;
         if (options->login_grace_time == -1)
@@ -220,7 +229,7 @@ fill_default_server_options(ServerOptions *options)
         if (options->x11_use_localhost == -1)
                 options->x11_use_localhost = 1;
         if (options->xauth_location == NULL)
-                options->xauth_location = _PATH_XAUTH;
+                options->xauth_location = xstrdup(_PATH_XAUTH);
         if (options->permit_tty == -1)
                 options->permit_tty = 1;
         if (options->permit_user_rc == -1)
@@ -321,6 +330,24 @@ fill_default_server_options(ServerOptions *options)
         if (use_privsep == -1)
                 use_privsep = PRIVSEP_NOSANDBOX;
 
+#define CLEAR_ON_NONE(v) \
+        do { \
+                if (option_clear_or_none(v)) { \
+                        free(v); \
+                        v = NULL; \
+                } \
+        } while(0)
+        CLEAR_ON_NONE(options->pid_file);
+        CLEAR_ON_NONE(options->xauth_location);
+        CLEAR_ON_NONE(options->banner);
+        CLEAR_ON_NONE(options->trusted_user_ca_keys);
+        CLEAR_ON_NONE(options->revoked_keys_file);
+        for (i = 0; i < options->num_host_key_files; i++)
+                CLEAR_ON_NONE(options->host_key_files[i]);
+        for (i = 0; i < options->num_host_cert_files; i++)
+                CLEAR_ON_NONE(options->host_cert_files[i]);
+#undef CLEAR_ON_NONE
+
 #ifndef HAVE_MMAP
         if (use_privsep && options->compression == 1) {
                 error("This platform does not support both privilege "
@@ -538,6 +565,8 @@ derelativise_path(const char *path)
 {
         char *expanded, *ret, cwd[MAXPATHLEN];
 
+        if (strcasecmp(path, "none") == 0)
+                return xstrdup("none");
         expanded = tilde_expand_filename(path, getuid());
         if (*expanded == '/')
                 return expanded;
@@ -1982,7 +2011,8 @@ dump_cfg_string(ServerOpCodes code, const char *val)
 {
         if (val == NULL)
                 return;
-        printf("%s %s\n", lookup_opcode_name(code), val);
+        printf("%s %s\n", lookup_opcode_name(code),
+            val == NULL ? "none" : val);
 }
 
 static void
diff --git a/session.c b/session.c
index 3e96557b8..e12f6677e 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.274 2014/07/15 15:54:14 millert Exp $ */
+/* $OpenBSD: session.c,v 1.275 2014/12/22 07:55:51 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -2648,7 +2648,7 @@ session_setup_x11fwd(Session *s)
                 debug("X11 forwarding disabled in server configuration file.");
                 return 0;
         }
-        if (!options.xauth_location ||
+        if (options.xauth_location == NULL ||
             (stat(options.xauth_location, &st) == -1)) {
                 packet_send_debug("No xauth program; cannot forward with spoofing.");
                 return 0;
diff --git a/sshd.c b/sshd.c
index 4e01855ca..a957ce005 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.429 2014/12/11 08:20:09 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.430 2014/12/22 07:55:51 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1208,7 +1208,8 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
                         logit("Received signal %d; terminating.",
                             (int) received_sigterm);
                         close_listen_socks();
-                        unlink(options.pid_file);
+                        if (options.pid_file != NULL)
+                                unlink(options.pid_file);
                         exit(received_sigterm == SIGTERM ? 0 : 255);
                 }
                 if (key_used && key_do_regen) {
@@ -1694,10 +1695,6 @@ main(int ac, char **av)
             sizeof(Key *));
         sensitive_data.host_pubkeys = xcalloc(options.num_host_key_files,
             sizeof(Key *));
-        for (i = 0; i < options.num_host_key_files; i++) {
-                sensitive_data.host_keys[i] = NULL;
-                sensitive_data.host_pubkeys[i] = NULL;
-        }
 
         if (options.host_key_agent) {
                 if (strcmp(options.host_key_agent, SSH_AUTHSOCKET_ENV_NAME))
@@ -1707,6 +1704,8 @@ main(int ac, char **av)
         }
 
         for (i = 0; i < options.num_host_key_files; i++) {
+                if (options.host_key_files[i] == NULL)
+                        continue;
                 key = key_load_private(options.host_key_files[i], "", NULL);
                 pubkey = key_load_public(options.host_key_files[i], NULL);
                 sensitive_data.host_keys[i] = key;
@@ -1765,6 +1764,8 @@ main(int ac, char **av)
                 sensitive_data.host_certificates[i] = NULL;
 
         for (i = 0; i < options.num_host_cert_files; i++) {
+                if (options.host_cert_files[i] == NULL)
+                        continue;
                 key = key_load_public(options.host_cert_files[i], NULL);
                 if (key == NULL) {
                         error("Could not load host certificate: %s",
@@ -1932,7 +1933,7 @@ main(int ac, char **av)
                  * Write out the pid file after the sigterm handler
                  * is setup and the listen sockets are bound
                  */
-                if (!debug_flag) {
+                if (options.pid_file != NULL && !debug_flag) {
                         FILE *f = fopen(options.pid_file, "w");
 
                         if (f == NULL) {