From 76ed2199491397e0f9902ade80d5271e4a9b2630 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 16 Oct 2019 06:05:39 +0000 Subject: upstream: potential NULL dereference for revoked hostkeys; reported by krishnaiah bommu OpenBSD-Commit-ID: 35ff685e7cc9dd2e3fe2e3dfcdcb9bc5c79f6506 --- auth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'auth.c') diff --git a/auth.c b/auth.c index ca450f4e4..b092f212c 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.141 2019/10/02 00:42:30 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.142 2019/10/16 06:05:39 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -489,7 +489,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host, host_status = check_key_in_hostkeys(hostkeys, key, &found); if (host_status == HOST_REVOKED) error("WARNING: revoked key for %s attempted authentication", - found->host); + host); else if (host_status == HOST_OK) debug("%s: key for %s found at %s:%ld", __func__, found->host, found->file, found->line); -- cgit v1.2.3 From 2e71263b80fec7ad977e098004fef7d122169d40 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 25 Nov 2019 00:54:23 +0000 Subject: upstream: add a "no-touch-required" option for authorized_keys and a similar extension for certificates. This option disables the default requirement that security key signatures attest that the user touched their key to authorize them. feedback deraadt, ok markus OpenBSD-Commit-ID: f1fb56151ba68d55d554d0f6d3d4dba0cf1a452e --- auth-options.c | 38 ++++++++++++++++++++++++++------------ auth-options.h | 5 ++++- auth.c | 7 ++++--- auth2-pubkey.c | 5 +++-- monitor.c | 5 +++-- ssh-keygen.1 | 12 ++++++++++-- ssh-keygen.c | 25 +++++++++++++++++-------- sshd.8 | 13 +++++++++++-- 8 files changed, 78 insertions(+), 32 deletions(-) (limited to 'auth.c') diff --git a/auth-options.c b/auth-options.c index 90b0d7f25..2d200944c 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.89 2019/09/13 04:36:43 dtucker Exp $ */ +/* $OpenBSD: auth-options.c,v 1.90 2019/11/25 00:54:23 djm Exp $ */ /* * Copyright (c) 2018 Damien Miller * @@ -96,7 +96,10 @@ cert_option_list(struct sshauthopt *opts, struct sshbuf *oblob, name, sshbuf_len(data)); found = 0; if ((which & OPTIONS_EXTENSIONS) != 0) { - if (strcmp(name, "permit-X11-forwarding") == 0) { + if (strcmp(name, "no-touch-required") == 0) { + opts->no_require_user_presence = 1; + found = 1; + } else if (strcmp(name, "permit-X11-forwarding") == 0) { opts->permit_x11_forwarding_flag = 1; found = 1; } else if (strcmp(name, @@ -347,6 +350,8 @@ sshauthopt_parse(const char *opts, const char **errstrp) ret->permit_agent_forwarding_flag = r == 1; } else if ((r = opt_flag("x11-forwarding", 1, &opts)) != -1) { ret->permit_x11_forwarding_flag = r == 1; + } else if ((r = opt_flag("touch-required", 1, &opts)) != -1) { + ret->no_require_user_presence = r != 1; /* NB. flip */ } else if ((r = opt_flag("pty", 1, &opts)) != -1) { ret->permit_pty_flag = r == 1; } else if ((r = opt_flag("user-rc", 1, &opts)) != -1) { @@ -567,14 +572,15 @@ sshauthopt_merge(const struct sshauthopt *primary, goto alloc_fail; } - /* Flags are logical-AND (i.e. must be set in both for permission) */ -#define OPTFLAG(x) ret->x = (primary->x == 1) && (additional->x == 1) - OPTFLAG(permit_port_forwarding_flag); - OPTFLAG(permit_agent_forwarding_flag); - OPTFLAG(permit_x11_forwarding_flag); - OPTFLAG(permit_pty_flag); - OPTFLAG(permit_user_rc); -#undef OPTFLAG +#define OPTFLAG_AND(x) ret->x = (primary->x == 1) && (additional->x == 1) + /* Permissive flags are logical-AND (i.e. must be set in both) */ + OPTFLAG_AND(permit_port_forwarding_flag); + OPTFLAG_AND(permit_agent_forwarding_flag); + OPTFLAG_AND(permit_x11_forwarding_flag); + OPTFLAG_AND(permit_pty_flag); + OPTFLAG_AND(permit_user_rc); + OPTFLAG_AND(no_require_user_presence); +#undef OPTFLAG_AND /* Earliest expiry time should win */ if (primary->valid_before != 0) @@ -643,6 +649,7 @@ sshauthopt_copy(const struct sshauthopt *orig) OPTSCALAR(cert_authority); OPTSCALAR(force_tun_device); OPTSCALAR(valid_before); + OPTSCALAR(no_require_user_presence); #undef OPTSCALAR #define OPTSTRING(x) \ do { \ @@ -765,7 +772,7 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, { int r = SSH_ERR_INTERNAL_ERROR; - /* Flag and simple integer options */ + /* Flag options */ if ((r = sshbuf_put_u8(m, opts->permit_port_forwarding_flag)) != 0 || (r = sshbuf_put_u8(m, opts->permit_agent_forwarding_flag)) != 0 || (r = sshbuf_put_u8(m, opts->permit_x11_forwarding_flag)) != 0 || @@ -773,7 +780,11 @@ sshauthopt_serialise(const struct sshauthopt *opts, struct sshbuf *m, (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 || (r = sshbuf_put_u8(m, opts->restricted)) != 0 || (r = sshbuf_put_u8(m, opts->cert_authority)) != 0 || - (r = sshbuf_put_u64(m, opts->valid_before)) != 0) + (r = sshbuf_put_u8(m, opts->no_require_user_presence)) != 0) + return r; + + /* Simple integer options */ + if ((r = sshbuf_put_u64(m, opts->valid_before)) != 0) return r; /* tunnel number can be negative to indicate "unset" */ @@ -817,6 +828,7 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp) if ((opts = calloc(1, sizeof(*opts))) == NULL) return SSH_ERR_ALLOC_FAIL; + /* Flag options */ #define OPT_FLAG(x) \ do { \ if ((r = sshbuf_get_u8(m, &f)) != 0) \ @@ -830,8 +842,10 @@ sshauthopt_deserialise(struct sshbuf *m, struct sshauthopt **optsp) OPT_FLAG(permit_user_rc); OPT_FLAG(restricted); OPT_FLAG(cert_authority); + OPT_FLAG(no_require_user_presence); #undef OPT_FLAG + /* Simple integer options */ if ((r = sshbuf_get_u64(m, &opts->valid_before)) != 0) goto out; diff --git a/auth-options.h b/auth-options.h index 14cbfa49d..d96ffedee 100644 --- a/auth-options.h +++ b/auth-options.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.h,v 1.28 2019/07/09 04:15:00 djm Exp $ */ +/* $OpenBSD: auth-options.h,v 1.29 2019/11/25 00:54:23 djm Exp $ */ /* * Copyright (c) 2018 Damien Miller @@ -68,6 +68,9 @@ struct sshauthopt { */ char *required_from_host_cert; char *required_from_host_keys; + + /* Key requires user presence asserted */ + int no_require_user_presence; }; struct sshauthopt *sshauthopt_new(void); diff --git a/auth.c b/auth.c index b092f212c..0a46e1d8a 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.142 2019/10/16 06:05:39 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.143 2019/11/25 00:54:23 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -1005,7 +1005,7 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote) snprintf(buf, sizeof(buf), "%d", opts->force_tun_device); /* Try to keep this alphabetically sorted */ - snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s%s", + snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s%s%s", opts->permit_agent_forwarding_flag ? " agent-forwarding" : "", opts->force_command == NULL ? "" : " command", do_env ? " environment" : "", @@ -1018,7 +1018,8 @@ auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote) opts->force_tun_device == -1 ? "" : " tun=", opts->force_tun_device == -1 ? "" : buf, opts->permit_user_rc ? " user-rc" : "", - opts->permit_x11_forwarding_flag ? " x11-forwarding" : ""); + opts->permit_x11_forwarding_flag ? " x11-forwarding" : "", + opts->no_require_user_presence ? " no-touch-required" : ""); debug("%s: %s", loc, msg); if (do_remote) diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 0ef982a48..b656b1f8c 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.96 2019/11/25 00:52:46 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.97 2019/11/25 00:54:23 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -225,7 +225,8 @@ userauth_pubkey(struct ssh *ssh) __func__, sig_details->sk_counter, sig_details->sk_flags); req_presence = (options.pubkey_auth_options & - PUBKEYAUTH_TOUCH_REQUIRED); + PUBKEYAUTH_TOUCH_REQUIRED) || + !authopts->no_require_user_presence; if (req_presence && (sig_details->sk_flags & SSH_SK_USER_PRESENCE_REQD) == 0) { error("public key %s signature for %s%s from " diff --git a/monitor.c b/monitor.c index 9b171c447..d4be7409e 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.203 2019/11/25 00:52:46 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.204 2019/11/25 00:54:23 djm Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -1440,7 +1440,8 @@ mm_answer_keyverify(struct ssh *ssh, int sock, struct sshbuf *m) if (ret == 0 && key_blobtype == MM_USERKEY && sig_details != NULL) { req_presence = (options.pubkey_auth_options & - PUBKEYAUTH_TOUCH_REQUIRED); + PUBKEYAUTH_TOUCH_REQUIRED) || + !key_opts->no_require_user_presence; if (req_presence && (sig_details->sk_flags & SSH_SK_USER_PRESENCE_REQD) == 0) { error("public key %s %s signature for %s%s from %.128s " diff --git a/ssh-keygen.1 b/ssh-keygen.1 index feaa69efe..06aead348 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.176 2019/11/18 23:16:49 naddy Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.177 2019/11/25 00:54:23 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 18 2019 $ +.Dd $Mdocdate: November 25 2019 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -534,6 +534,14 @@ by .It Ic permit-X11-forwarding Allows X11 forwarding. .Pp +.It Ic no-touch-required +Do not require signatures made using this key require demonstration +of user presence (e.g. by having the user touch the key). +This option only makes sense for the Security Key algorithms +.Cm ecdsa-sk +and +.Cm ed25519-sk . +.Pp .It Ic source-address Ns = Ns Ar address_list Restrict the source addresses from which the certificate is considered valid. The diff --git a/ssh-keygen.c b/ssh-keygen.c index 08dd7cb8a..16d196fc8 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.370 2019/11/25 00:51:37 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.371 2019/11/25 00:54:23 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -120,11 +120,12 @@ static u_int64_t cert_valid_from = 0; static u_int64_t cert_valid_to = ~0ULL; /* Certificate options */ -#define CERTOPT_X_FWD (1) -#define CERTOPT_AGENT_FWD (1<<1) -#define CERTOPT_PORT_FWD (1<<2) -#define CERTOPT_PTY (1<<3) -#define CERTOPT_USER_RC (1<<4) +#define CERTOPT_X_FWD (1) +#define CERTOPT_AGENT_FWD (1<<1) +#define CERTOPT_PORT_FWD (1<<2) +#define CERTOPT_PTY (1<<3) +#define CERTOPT_USER_RC (1<<4) +#define CERTOPT_NO_REQUIRE_USER_PRESENCE (1<<5) #define CERTOPT_DEFAULT (CERTOPT_X_FWD|CERTOPT_AGENT_FWD| \ CERTOPT_PORT_FWD|CERTOPT_PTY|CERTOPT_USER_RC) static u_int32_t certflags_flags = CERTOPT_DEFAULT; @@ -1665,6 +1666,9 @@ prepare_options_buf(struct sshbuf *c, int which) if ((which & OPTIONS_EXTENSIONS) != 0 && (certflags_flags & CERTOPT_USER_RC) != 0) add_flag_option(c, "permit-user-rc"); + if ((which & OPTIONS_CRITICAL) != 0 && + (certflags_flags & CERTOPT_NO_REQUIRE_USER_PRESENCE) != 0) + add_flag_option(c, "no-touch-required"); if ((which & OPTIONS_CRITICAL) != 0 && certflags_src_addr != NULL) add_string_option(c, "source-address", certflags_src_addr); @@ -1967,6 +1971,10 @@ add_cert_option(char *opt) certflags_flags &= ~CERTOPT_USER_RC; else if (strcasecmp(opt, "permit-user-rc") == 0) certflags_flags |= CERTOPT_USER_RC; + else if (strcasecmp(opt, "touch-required") == 0) + certflags_flags &= ~CERTOPT_NO_REQUIRE_USER_PRESENCE; + else if (strcasecmp(opt, "no-touch-required") == 0) + certflags_flags |= CERTOPT_NO_REQUIRE_USER_PRESENCE; else if (strncasecmp(opt, "force-command=", 14) == 0) { val = opt + 14; if (*val == '\0') @@ -2020,9 +2028,10 @@ show_options(struct sshbuf *optbuf, int in_critical) strcmp(name, "permit-agent-forwarding") == 0 || strcmp(name, "permit-port-forwarding") == 0 || strcmp(name, "permit-pty") == 0 || - strcmp(name, "permit-user-rc") == 0)) + strcmp(name, "permit-user-rc") == 0 || + strcmp(name, "no-touch-required") == 0)) { printf("\n"); - else if (in_critical && + } else if (in_critical && (strcmp(name, "force-command") == 0 || strcmp(name, "source-address") == 0)) { if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0) diff --git a/sshd.8 b/sshd.8 index 042610a03..b32da282f 100644 --- a/sshd.8 +++ b/sshd.8 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.306 2019/11/18 04:55:02 djm Exp $ -.Dd $Mdocdate: November 18 2019 $ +.\" $OpenBSD: sshd.8,v 1.307 2019/11/25 00:54:23 djm Exp $ +.Dd $Mdocdate: November 25 2019 $ .Dt SSHD 8 .Os .Sh NAME @@ -627,6 +627,13 @@ option. Permits tty allocation previously disabled by the .Cm restrict option. +.It Cm no-touch-required +Do not require demonstration of user presence +for signatures made using this key. +This option only makes sense for the Security Key algorithms +.Cm ecdsa-sk +and +.Cm ed25519-sk . .It Cm restrict Enable all restrictions, i.e. disable port, agent and X11 forwarding, as well as disabling PTY allocation @@ -670,6 +677,8 @@ restrict,command="uptime" ssh-rsa AAAA1C8...32Tv== user@example.net restrict,pty,command="nethack" ssh-rsa AAAA1f8...IrrC5== user@example.net +no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInN...Ko== +user@example.net .Ed .Sh SSH_KNOWN_HOSTS FILE FORMAT The -- cgit v1.2.3 From f65cf1163ff01531ae02f3f9210391d0d692f699 Mon Sep 17 00:00:00 2001 From: "tobhe@openbsd.org" Date: Mon, 16 Dec 2019 13:58:53 +0000 Subject: upstream: strdup may return NULL if memory allocation fails. Use the safer xstrdup which fatals on allocation failures. ok markus@ OpenBSD-Commit-ID: 8b608d387120630753cbcb8110e0b019c0c9a0d0 --- auth.c | 14 +++++++------- packet.c | 6 +++--- 2 files changed, 10 insertions(+), 10 deletions(-) (limited to 'auth.c') diff --git a/auth.c b/auth.c index 0a46e1d8a..48838508e 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.143 2019/11/25 00:54:23 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.144 2019/12/16 13:58:53 tobhe Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -748,7 +748,7 @@ remote_hostname(struct ssh *ssh) if (getpeername(ssh_packet_get_connection_in(ssh), (struct sockaddr *)&from, &fromlen) == -1) { debug("getpeername failed: %.100s", strerror(errno)); - return strdup(ntop); + return xstrdup(ntop); } ipv64_normalise_mapped(&from, &fromlen); @@ -760,7 +760,7 @@ remote_hostname(struct ssh *ssh) if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), NULL, 0, NI_NAMEREQD) != 0) { /* Host name not found. Use ip address. */ - return strdup(ntop); + return xstrdup(ntop); } /* @@ -775,7 +775,7 @@ remote_hostname(struct ssh *ssh) logit("Nasty PTR record \"%s\" is set up for %s, ignoring", name, ntop); freeaddrinfo(ai); - return strdup(ntop); + return xstrdup(ntop); } /* Names are stored in lowercase. */ @@ -796,7 +796,7 @@ remote_hostname(struct ssh *ssh) if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { logit("reverse mapping checking getaddrinfo for %.700s " "[%s] failed.", name, ntop); - return strdup(ntop); + return xstrdup(ntop); } /* Look for the address from the list of addresses. */ for (ai = aitop; ai; ai = ai->ai_next) { @@ -811,9 +811,9 @@ remote_hostname(struct ssh *ssh) /* Address not found for the host name. */ logit("Address %.100s maps to %.600s, but this does not " "map back to the address.", ntop, name); - return strdup(ntop); + return xstrdup(ntop); } - return strdup(name); + return xstrdup(name); } /* diff --git a/packet.c b/packet.c index 7a703d695..2b50ef415 100644 --- a/packet.c +++ b/packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: packet.c,v 1.286 2019/06/28 13:35:04 deraadt Exp $ */ +/* $OpenBSD: packet.c,v 1.287 2019/12/16 13:58:53 tobhe Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -530,9 +530,9 @@ ssh_remote_ipaddr(struct ssh *ssh) ssh->local_ipaddr = get_local_ipaddr(sock); ssh->local_port = get_local_port(sock); } else { - ssh->remote_ipaddr = strdup("UNKNOWN"); + ssh->remote_ipaddr = xstrdup("UNKNOWN"); ssh->remote_port = 65535; - ssh->local_ipaddr = strdup("UNKNOWN"); + ssh->local_ipaddr = xstrdup("UNKNOWN"); ssh->local_port = 65535; } } -- cgit v1.2.3 From 3bf2a6ac791d64046a537335a0f1d5e43579c5ad Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Thu, 23 Jan 2020 07:10:22 +0000 Subject: upstream: Replace all calls to signal(2) with a wrapper around sigaction(2). This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations. OpenBSD-Commit-ID: 5e047663fd77a40d7b07bdabe68529df51fd2519 --- auth-pam.c | 8 ++++---- auth.c | 4 ++-- auth2-pubkey.c | 10 +++++----- clientloop.c | 26 +++++++++++++------------- entropy.c | 4 ++-- misc.c | 19 ++++++++++++++++++- misc.h | 4 +++- monitor.c | 10 +++++----- mux.c | 22 +++++++++++----------- openbsd-compat/bsd-openpty.c | 4 ++-- progressmeter.c | 6 +++--- readconf.c | 4 ++-- readpass.c | 14 +++++++------- sandbox-systrace.c | 6 +++--- scp.c | 22 +++++++++++----------- serverloop.c | 10 +++++----- session.c | 4 ++-- sftp.c | 26 +++++++++++++------------- ssh-agent.c | 10 +++++----- ssh-sk-client.c | 9 +++++---- ssh.c | 6 +++--- sshbuf.c | 4 ++-- sshconnect.c | 10 +++++----- sshconnect2.c | 8 ++++---- sshd.c | 34 ++++++++++++++++++---------------- 25 files changed, 153 insertions(+), 131 deletions(-) (limited to 'auth.c') diff --git a/auth-pam.c b/auth-pam.c index 856fdd40f..0cd2b0019 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -156,7 +156,7 @@ static mysig_t sshpam_oldsig; static void sshpam_sigchld_handler(int sig) { - signal(SIGCHLD, SIG_DFL); + ssh_signal(SIGCHLD, SIG_DFL); if (cleanup_ctxt == NULL) return; /* handler called after PAM cleanup, shouldn't happen */ if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, WNOHANG) @@ -208,7 +208,7 @@ pthread_create(sp_pthread_t *thread, const void *attr, *thread = pid; close(ctx->pam_csock); ctx->pam_csock = -1; - sshpam_oldsig = signal(SIGCHLD, sshpam_sigchld_handler); + sshpam_oldsig = ssh_signal(SIGCHLD, sshpam_sigchld_handler); return (0); } } @@ -216,7 +216,7 @@ pthread_create(sp_pthread_t *thread, const void *attr, static int pthread_cancel(sp_pthread_t thread) { - signal(SIGCHLD, sshpam_oldsig); + ssh_signal(SIGCHLD, sshpam_oldsig); return (kill(thread, SIGTERM)); } @@ -228,7 +228,7 @@ pthread_join(sp_pthread_t thread, void **value) if (sshpam_thread_status != -1) return (sshpam_thread_status); - signal(SIGCHLD, sshpam_oldsig); + ssh_signal(SIGCHLD, sshpam_oldsig); while (waitpid(thread, &status, 0) == -1) { if (errno == EINTR) continue; diff --git a/auth.c b/auth.c index 48838508e..b42d7e76c 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.144 2019/12/16 13:58:53 tobhe Exp $ */ +/* $OpenBSD: auth.c,v 1.145 2020/01/23 07:10:22 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -921,7 +921,7 @@ subprocess(const char *tag, struct passwd *pw, const char *command, child_set_env(&child_env, &envsize, "LANG", cp); for (i = 0; i < NSIG; i++) - signal(i, SIG_DFL); + ssh_signal(i, SIG_DFL); if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) { error("%s: open %s: %s", tag, _PATH_DEVNULL, diff --git a/auth2-pubkey.c b/auth2-pubkey.c index b656b1f8c..5b4a2cc02 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.97 2019/11/25 00:54:23 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.98 2020/01/23 07:10:22 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -460,7 +460,7 @@ match_principals_command(struct ssh *ssh, struct passwd *user_pw, * NB. all returns later this function should go via "out" to * ensure the original SIGCHLD handler is restored properly. */ - osigchld = signal(SIGCHLD, SIG_DFL); + osigchld = ssh_signal(SIGCHLD, SIG_DFL); /* Prepare and verify the user for the command */ username = percent_expand(options.authorized_principals_command_user, @@ -548,7 +548,7 @@ match_principals_command(struct ssh *ssh, struct passwd *user_pw, out: if (f != NULL) fclose(f); - signal(SIGCHLD, osigchld); + ssh_signal(SIGCHLD, osigchld); for (i = 0; i < ac; i++) free(av[i]); free(av); @@ -898,7 +898,7 @@ user_key_command_allowed2(struct ssh *ssh, struct passwd *user_pw, * NB. all returns later this function should go via "out" to * ensure the original SIGCHLD handler is restored properly. */ - osigchld = signal(SIGCHLD, SIG_DFL); + osigchld = ssh_signal(SIGCHLD, SIG_DFL); /* Prepare and verify the user for the command */ username = percent_expand(options.authorized_keys_command_user, @@ -987,7 +987,7 @@ user_key_command_allowed2(struct ssh *ssh, struct passwd *user_pw, out: if (f != NULL) fclose(f); - signal(SIGCHLD, osigchld); + ssh_signal(SIGCHLD, osigchld); for (i = 0; i < ac; i++) free(av[i]); free(av); diff --git a/clientloop.c b/clientloop.c index 4acf2806d..d4c23d554 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.331 2020/01/23 02:46:49 dtucker Exp $ */ +/* $OpenBSD: clientloop.c,v 1.332 2020/01/23 07:10:22 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -785,7 +785,7 @@ process_cmdline(struct ssh *ssh) memset(&fwd, 0, sizeof(fwd)); leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); - handler = signal(SIGINT, SIG_IGN); + handler = ssh_signal(SIGINT, SIG_IGN); cmd = s = read_passphrase("\r\nssh> ", RP_ECHO); if (s == NULL) goto out; @@ -883,7 +883,7 @@ process_cmdline(struct ssh *ssh) } out: - signal(SIGINT, handler); + ssh_signal(SIGINT, handler); enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); free(cmd); free(fwd.listen_host); @@ -1306,15 +1306,15 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, * Set signal handlers, (e.g. to restore non-blocking mode) * but don't overwrite SIG_IGN, matches behaviour from rsh(1) */ - if (signal(SIGHUP, SIG_IGN) != SIG_IGN) - signal(SIGHUP, signal_handler); - if (signal(SIGINT, SIG_IGN) != SIG_IGN) - signal(SIGINT, signal_handler); - if (signal(SIGQUIT, SIG_IGN) != SIG_IGN) - signal(SIGQUIT, signal_handler); - if (signal(SIGTERM, SIG_IGN) != SIG_IGN) - signal(SIGTERM, signal_handler); - signal(SIGWINCH, window_change_handler); + if (ssh_signal(SIGHUP, SIG_IGN) != SIG_IGN) + ssh_signal(SIGHUP, signal_handler); + if (ssh_signal(SIGINT, SIG_IGN) != SIG_IGN) + ssh_signal(SIGINT, signal_handler); + if (ssh_signal(SIGQUIT, SIG_IGN) != SIG_IGN) + ssh_signal(SIGQUIT, signal_handler); + if (ssh_signal(SIGTERM, SIG_IGN) != SIG_IGN) + ssh_signal(SIGTERM, signal_handler); + ssh_signal(SIGWINCH, window_change_handler); if (have_pty) enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); @@ -1413,7 +1413,7 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, /* Terminate the session. */ /* Stop watching for window change. */ - signal(SIGWINCH, SIG_DFL); + ssh_signal(SIGWINCH, SIG_DFL); if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 || (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_BY_APPLICATION)) != 0 || diff --git a/entropy.c b/entropy.c index 5de68016b..2eebadf4a 100644 --- a/entropy.c +++ b/entropy.c @@ -110,7 +110,7 @@ get_random_bytes_prngd(unsigned char *buf, int len, strlen(socket_path) + 1; } - old_sigpipe = signal(SIGPIPE, SIG_IGN); + old_sigpipe = ssh_signal(SIGPIPE, SIG_IGN); errors = 0; rval = -1; @@ -160,7 +160,7 @@ reopen: rval = 0; done: - signal(SIGPIPE, old_sigpipe); + ssh_signal(SIGPIPE, old_sigpipe); if (fd != -1) close(fd); return rval; diff --git a/misc.c b/misc.c index 5204c1e9f..f25b8cf5c 100644 --- a/misc.c +++ b/misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.c,v 1.143 2019/11/22 06:50:30 dtucker Exp $ */ +/* $OpenBSD: misc.c,v 1.144 2020/01/23 07:10:22 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2005,2006 Damien Miller. All rights reserved. @@ -2221,3 +2221,20 @@ opt_match(const char **opts, const char *term) return 0; } +sshsig_t +ssh_signal(int signum, sshsig_t handler) +{ + struct sigaction sa, osa; + + /* mask all other signals while in handler */ + bzero(&sa, sizeof(sa)); + sa.sa_handler = handler; + sigfillset(&sa.sa_mask); + if (signum != SIGALRM) + sa.sa_flags = SA_RESTART; + if (sigaction(signum, &sa, &osa) == -1) { + debug3("sigaction(%s): %s", strsignal(signum), strerror(errno)); + return SIG_ERR; + } + return osa.sa_handler; +} diff --git a/misc.h b/misc.h index 7421fbdf9..2221a54c8 100644 --- a/misc.h +++ b/misc.h @@ -1,4 +1,4 @@ -/* $OpenBSD: misc.h,v 1.82 2019/11/12 22:34:20 djm Exp $ */ +/* $OpenBSD: misc.h,v 1.83 2020/01/23 07:10:22 dtucker Exp $ */ /* * Author: Tatu Ylonen @@ -190,4 +190,6 @@ void notify_complete(struct notifier_ctx *); #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) +typedef void (*sshsig_t)(int); +sshsig_t ssh_signal(int, sshsig_t); #endif /* _MISC_H */ diff --git a/monitor.c b/monitor.c index 6ee44204c..dc6d78d3c 100644 --- a/monitor.c +++ b/monitor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.206 2019/12/15 18:57:30 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.207 2020/01/23 07:10:22 dtucker Exp $ */ /* * Copyright 2002 Niels Provos * Copyright 2002 Markus Friedl @@ -393,11 +393,11 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor) pmonitor->m_recvfd = -1; monitor_set_child_handler(pmonitor->m_pid); - signal(SIGHUP, &monitor_child_handler); - signal(SIGTERM, &monitor_child_handler); - signal(SIGINT, &monitor_child_handler); + ssh_signal(SIGHUP, &monitor_child_handler); + ssh_signal(SIGTERM, &monitor_child_handler); + ssh_signal(SIGINT, &monitor_child_handler); #ifdef SIGXFSZ - signal(SIGXFSZ, SIG_IGN); + ssh_signal(SIGXFSZ, SIG_IGN); #endif mon_dispatch = mon_dispatch_postauth20; diff --git a/mux.c b/mux.c index f3ea11cdc..5efc849c4 100644 --- a/mux.c +++ b/mux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mux.c,v 1.80 2019/06/28 13:35:04 deraadt Exp $ */ +/* $OpenBSD: mux.c,v 1.81 2020/01/23 07:10:22 dtucker Exp $ */ /* * Copyright (c) 2002-2008 Damien Miller * @@ -1911,7 +1911,7 @@ mux_client_request_session(int fd) return -1; } - signal(SIGPIPE, SIG_IGN); + ssh_signal(SIGPIPE, SIG_IGN); if (stdin_null_flag) { if ((devnull = open(_PATH_DEVNULL, O_RDONLY)) == -1) @@ -2012,10 +2012,10 @@ mux_client_request_session(int fd) fatal("%s pledge(): %s", __func__, strerror(errno)); platform_pledge_mux(); - signal(SIGHUP, control_client_sighandler); - signal(SIGINT, control_client_sighandler); - signal(SIGTERM, control_client_sighandler); - signal(SIGWINCH, control_client_sigrelay); + ssh_signal(SIGHUP, control_client_sighandler); + ssh_signal(SIGINT, control_client_sighandler); + ssh_signal(SIGTERM, control_client_sighandler); + ssh_signal(SIGWINCH, control_client_sigrelay); rawmode = tty_flag; if (tty_flag) @@ -2145,7 +2145,7 @@ mux_client_request_stdio_fwd(int fd) return -1; } - signal(SIGPIPE, SIG_IGN); + ssh_signal(SIGPIPE, SIG_IGN); if (stdin_null_flag) { if ((devnull = open(_PATH_DEVNULL, O_RDONLY)) == -1) @@ -2219,10 +2219,10 @@ mux_client_request_stdio_fwd(int fd) } muxclient_request_id++; - signal(SIGHUP, control_client_sighandler); - signal(SIGINT, control_client_sighandler); - signal(SIGTERM, control_client_sighandler); - signal(SIGWINCH, control_client_sigrelay); + ssh_signal(SIGHUP, control_client_sighandler); + ssh_signal(SIGINT, control_client_sighandler); + ssh_signal(SIGTERM, control_client_sighandler); + ssh_signal(SIGWINCH, control_client_sigrelay); /* * Stick around until the controlee closes the client_fd. diff --git a/openbsd-compat/bsd-openpty.c b/openbsd-compat/bsd-openpty.c index 123a9be56..b6b5ab49b 100644 --- a/openbsd-compat/bsd-openpty.c +++ b/openbsd-compat/bsd-openpty.c @@ -103,10 +103,10 @@ openpty(int *amaster, int *aslave, char *name, struct termios *termp, return (-1); /* XXX: need to close ptm on error? */ - old_signal = signal(SIGCHLD, SIG_DFL); + old_signal = ssh_signal(SIGCHLD, SIG_DFL); if (grantpt(ptm) < 0) return (-1); - signal(SIGCHLD, old_signal); + ssh_signal(SIGCHLD, old_signal); if (unlockpt(ptm) < 0) return (-1); diff --git a/progressmeter.c b/progressmeter.c index 72f40f8f9..8baf798f1 100644 --- a/progressmeter.c +++ b/progressmeter.c @@ -1,4 +1,4 @@ -/* $OpenBSD: progressmeter.c,v 1.49 2019/10/29 07:47:27 dtucker Exp $ */ +/* $OpenBSD: progressmeter.c,v 1.50 2020/01/23 07:10:22 dtucker Exp $ */ /* * Copyright (c) 2003 Nils Nordman. All rights reserved. * @@ -252,8 +252,8 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr) setscreensize(); refresh_progress_meter(1); - signal(SIGALRM, sig_alarm); - signal(SIGWINCH, sig_winch); + ssh_signal(SIGALRM, sig_alarm); + ssh_signal(SIGWINCH, sig_winch); alarm(UPDATE_INTERVAL); } diff --git a/readconf.c b/readconf.c index ff551c856..59443bfdb 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.320 2020/01/23 02:46:49 dtucker Exp $ */ +/* $OpenBSD: readconf.c,v 1.321 2020/01/23 07:10:22 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -528,7 +528,7 @@ execute_in_shell(const char *cmd) execv(argv[0], argv); error("Unable to execute '%.100s': %s", cmd, strerror(errno)); /* Die with signal to make this error apparent to parent. */ - signal(SIGTERM, SIG_DFL); + ssh_signal(SIGTERM, SIG_DFL); kill(getpid(), SIGTERM); _exit(1); } diff --git a/readpass.c b/readpass.c index 4172bbc56..974d67f0b 100644 --- a/readpass.c +++ b/readpass.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readpass.c,v 1.60 2019/12/06 03:06:08 djm Exp $ */ +/* $OpenBSD: readpass.c,v 1.61 2020/01/23 07:10:22 dtucker Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * @@ -65,10 +65,10 @@ ssh_askpass(char *askpass, const char *msg, const char *env_hint) error("%s: pipe: %s", __func__, strerror(errno)); return NULL; } - osigchld = signal(SIGCHLD, SIG_DFL); + osigchld = ssh_signal(SIGCHLD, SIG_DFL); if ((pid = fork()) == -1) { error("%s: fork: %s", __func__, strerror(errno)); - signal(SIGCHLD, osigchld); + ssh_signal(SIGCHLD, osigchld); return NULL; } if (pid == 0) { @@ -98,7 +98,7 @@ ssh_askpass(char *askpass, const char *msg, const char *env_hint) while ((ret = waitpid(pid, &status, 0)) == -1) if (errno != EINTR) break; - signal(SIGCHLD, osigchld); + ssh_signal(SIGCHLD, osigchld); if (ret == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) { explicit_bzero(buf, sizeof(buf)); return NULL; @@ -243,10 +243,10 @@ notify_start(int force_askpass, const char *fmt, ...) free(prompt); return NULL; } - osigchld = signal(SIGCHLD, SIG_DFL); + osigchld = ssh_signal(SIGCHLD, SIG_DFL); if ((pid = fork()) == -1) { error("%s: fork: %s", __func__, strerror(errno)); - signal(SIGCHLD, osigchld); + ssh_signal(SIGCHLD, osigchld); free(prompt); return NULL; } @@ -289,6 +289,6 @@ notify_complete(struct notifier_ctx *ctx) } if (ret == -1) fatal("%s: waitpid: %s", __func__, strerror(errno)); - signal(SIGCHLD, ctx->osigchld); + ssh_signal(SIGCHLD, ctx->osigchld); free(ctx); } diff --git a/sandbox-systrace.c b/sandbox-systrace.c index 93e63b8e0..e61d581ae 100644 --- a/sandbox-systrace.c +++ b/sandbox-systrace.c @@ -105,7 +105,7 @@ ssh_sandbox_init(struct monitor *monitor) box = xcalloc(1, sizeof(*box)); box->systrace_fd = -1; box->child_pid = 0; - box->osigchld = signal(SIGCHLD, SIG_IGN); + box->osigchld = ssh_signal(SIGCHLD, SIG_IGN); return box; } @@ -114,7 +114,7 @@ void ssh_sandbox_child(struct ssh_sandbox *box) { debug3("%s: ready", __func__); - signal(SIGCHLD, box->osigchld); + ssh_signal(SIGCHLD, box->osigchld); if (kill(getpid(), SIGSTOP) != 0) fatal("%s: kill(%d, SIGSTOP)", __func__, getpid()); debug3("%s: started", __func__); @@ -133,7 +133,7 @@ ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid, do { pid = waitpid(child_pid, &status, WUNTRACED); } while (pid == -1 && errno == EINTR); - signal(SIGCHLD, box->osigchld); + ssh_signal(SIGCHLD, box->osigchld); if (!WIFSTOPPED(status)) { if (WIFSIGNALED(status)) fatal("%s: child terminated with signal %d", diff --git a/scp.c b/scp.c index 762286c73..6901e0c94 100644 --- a/scp.c +++ b/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.206 2019/09/09 02:31:19 dtucker Exp $ */ +/* $OpenBSD: scp.c,v 1.207 2020/01/23 07:10:22 dtucker Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -215,9 +215,9 @@ do_local_cmd(arglist *a) } do_cmd_pid = pid; - signal(SIGTERM, killchild); - signal(SIGINT, killchild); - signal(SIGHUP, killchild); + ssh_signal(SIGTERM, killchild); + ssh_signal(SIGINT, killchild); + ssh_signal(SIGHUP, killchild); while (waitpid(pid, &status, 0) == -1) if (errno != EINTR) @@ -268,9 +268,9 @@ do_cmd(char *host, char *remuser, int port, char *cmd, int *fdin, int *fdout) close(reserved[0]); close(reserved[1]); - signal(SIGTSTP, suspchild); - signal(SIGTTIN, suspchild); - signal(SIGTTOU, suspchild); + ssh_signal(SIGTSTP, suspchild); + ssh_signal(SIGTTIN, suspchild); + ssh_signal(SIGTTOU, suspchild); /* Fork a child to execute the command on the remote host using ssh. */ do_cmd_pid = fork(); @@ -307,9 +307,9 @@ do_cmd(char *host, char *remuser, int port, char *cmd, int *fdin, int *fdout) *fdout = pin[1]; close(pout[1]); *fdin = pout[0]; - signal(SIGTERM, killchild); - signal(SIGINT, killchild); - signal(SIGHUP, killchild); + ssh_signal(SIGTERM, killchild); + ssh_signal(SIGINT, killchild); + ssh_signal(SIGHUP, killchild); return 0; } @@ -561,7 +561,7 @@ main(int argc, char **argv) iamrecursive ? " -r" : "", pflag ? " -p" : "", targetshouldbedirectory ? " -d" : ""); - (void) signal(SIGPIPE, lostconn); + (void) ssh_signal(SIGPIPE, lostconn); if (colon(argv[argc - 1])) /* Dest is remote host. */ toremote(argc, argv); diff --git a/serverloop.c b/serverloop.c index 99d259201..1babc7a51 100644 --- a/serverloop.c +++ b/serverloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: serverloop.c,v 1.218 2019/11/27 05:38:43 dtucker Exp $ */ +/* $OpenBSD: serverloop.c,v 1.219 2020/01/23 07:10:22 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -402,15 +402,15 @@ server_loop2(struct ssh *ssh, Authctxt *authctxt) debug("Entering interactive session for SSH2."); - signal(SIGCHLD, sigchld_handler); + ssh_signal(SIGCHLD, sigchld_handler); child_terminated = 0; connection_in = ssh_packet_get_connection_in(ssh); connection_out = ssh_packet_get_connection_out(ssh); if (!use_privsep) { - signal(SIGTERM, sigterm_handler); - signal(SIGINT, sigterm_handler); - signal(SIGQUIT, sigterm_handler); + ssh_signal(SIGTERM, sigterm_handler); + ssh_signal(SIGINT, sigterm_handler); + ssh_signal(SIGQUIT, sigterm_handler); } notify_setup(); diff --git a/session.c b/session.c index e16f876c5..8c0e54f79 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.317 2019/11/13 04:47:52 deraadt Exp $ */ +/* $OpenBSD: session.c,v 1.318 2020/01/23 07:10:22 dtucker Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -1642,7 +1642,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) do_rc_files(ssh, s, shell); /* restore SIGPIPE for child */ - signal(SIGPIPE, SIG_DFL); + ssh_signal(SIGPIPE, SIG_DFL); if (s->is_subsystem == SUBSYSTEM_INT_SFTP_ERROR) { error("Connection from %s: refusing non-sftp session", diff --git a/sftp.c b/sftp.c index 54538ff96..ff14d3c29 100644 --- a/sftp.c +++ b/sftp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp.c,v 1.196 2019/11/01 03:54:33 djm Exp $ */ +/* $OpenBSD: sftp.c,v 1.197 2020/01/23 07:10:22 dtucker Exp $ */ /* * Copyright (c) 2001-2004 Damien Miller * @@ -2243,7 +2243,7 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) interactive = !batchmode && isatty(STDIN_FILENO); err = 0; for (;;) { - signal(SIGINT, SIG_IGN); + ssh_signal(SIGINT, SIG_IGN); if (el == NULL) { if (interactive) @@ -2275,14 +2275,14 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2) /* Handle user interrupts gracefully during commands */ interrupted = 0; - signal(SIGINT, cmd_interrupt); + ssh_signal(SIGINT, cmd_interrupt); err = parse_dispatch_command(conn, cmd, &remote_path, startdir, batchmode, !interactive && el == NULL); if (err != 0) break; } - signal(SIGCHLD, SIG_DFL); + ssh_signal(SIGCHLD, SIG_DFL); free(remote_path); free(startdir); free(conn); @@ -2339,20 +2339,20 @@ connect_to_server(char *path, char **args, int *in, int *out) * kill it too. Contrawise, since sftp sends SIGTERMs to the * underlying ssh, it must *not* ignore that signal. */ - signal(SIGINT, SIG_IGN); - signal(SIGTERM, SIG_DFL); + ssh_signal(SIGINT, SIG_IGN); + ssh_signal(SIGTERM, SIG_DFL); execvp(path, args); fprintf(stderr, "exec: %s: %s\n", path, strerror(errno)); _exit(1); } - signal(SIGTERM, killchild); - signal(SIGINT, killchild); - signal(SIGHUP, killchild); - signal(SIGTSTP, suspchild); - signal(SIGTTIN, suspchild); - signal(SIGTTOU, suspchild); - signal(SIGCHLD, sigchld_handler); + ssh_signal(SIGTERM, killchild); + ssh_signal(SIGINT, killchild); + ssh_signal(SIGHUP, killchild); + ssh_signal(SIGTSTP, suspchild); + ssh_signal(SIGTTIN, suspchild); + ssh_signal(SIGTTOU, suspchild); + ssh_signal(SIGCHLD, sigchld_handler); close(c_in); close(c_out); } diff --git a/ssh-agent.c b/ssh-agent.c index 09d12dc3f..dd5d21d5a 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.251 2019/12/13 19:09:10 djm Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.252 2020/01/23 07:10:22 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1404,10 +1404,10 @@ skip: if (ac > 0) parent_alive_interval = 10; idtab_init(); - signal(SIGPIPE, SIG_IGN); - signal(SIGINT, (d_flag | D_flag) ? cleanup_handler : SIG_IGN); - signal(SIGHUP, cleanup_handler); - signal(SIGTERM, cleanup_handler); + ssh_signal(SIGPIPE, SIG_IGN); + ssh_signal(SIGINT, (d_flag | D_flag) ? cleanup_handler : SIG_IGN); + ssh_signal(SIGHUP, cleanup_handler); + ssh_signal(SIGTERM, cleanup_handler); if (pledge("stdio rpath cpath unix id proc exec", NULL) == -1) fatal("%s: pledge: %s", __progname, strerror(errno)); diff --git a/ssh-sk-client.c b/ssh-sk-client.c index 359327b68..8d7e6c305 100644 --- a/ssh-sk-client.c +++ b/ssh-sk-client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-sk-client.c,v 1.6 2020/01/21 07:07:31 djm Exp $ */ +/* $OpenBSD: ssh-sk-client.c,v 1.7 2020/01/23 07:10:22 dtucker Exp $ */ /* * Copyright (c) 2019 Google LLC * @@ -39,6 +39,7 @@ #include "digest.h" #include "pathnames.h" #include "ssh-sk.h" +#include "misc.h" /* #define DEBUG_SK 1 */ @@ -73,13 +74,13 @@ start_helper(int *fdp, pid_t *pidp, void (**osigchldp)(int)) error("socketpair: %s", strerror(errno)); return SSH_ERR_SYSTEM_ERROR; } - osigchld = signal(SIGCHLD, SIG_DFL); + osigchld = ssh_signal(SIGCHLD, SIG_DFL); if ((pid = fork()) == -1) { oerrno = errno; error("fork: %s", strerror(errno)); close(pair[0]); close(pair[1]); - signal(SIGCHLD, osigchld); + ssh_signal(SIGCHLD, osigchld); errno = oerrno; return SSH_ERR_SYSTEM_ERROR; } @@ -220,7 +221,7 @@ client_converse(struct sshbuf *msg, struct sshbuf **respp, u_int type) } sshbuf_free(req); sshbuf_free(resp); - signal(SIGCHLD, osigchld); + ssh_signal(SIGCHLD, osigchld); errno = oerrno; return r; diff --git a/ssh.c b/ssh.c index 947558d1c..c0511f2a0 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.511 2020/01/05 16:28:22 beck Exp $ */ +/* $OpenBSD: ssh.c,v 1.512 2020/01/23 07:10:22 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1535,8 +1535,8 @@ main(int ac, char **av) options.num_system_hostfiles); tilde_expand_paths(options.user_hostfiles, options.num_user_hostfiles); - signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ - signal(SIGCHLD, main_sigchld_handler); + ssh_signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ + ssh_signal(SIGCHLD, main_sigchld_handler); /* Log into the remote system. Never returns if the login fails. */ ssh_login(ssh, &sensitive_data, host, (struct sockaddr *)&hostaddr, diff --git a/sshbuf.c b/sshbuf.c index adfddf775..f4f7a220f 100644 --- a/sshbuf.c +++ b/sshbuf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshbuf.c,v 1.13 2018/11/16 06:10:29 djm Exp $ */ +/* $OpenBSD: sshbuf.c,v 1.14 2020/01/23 07:10:22 dtucker Exp $ */ /* * Copyright (c) 2011 Damien Miller * @@ -42,7 +42,7 @@ sshbuf_check_sanity(const struct sshbuf *buf) buf->off > buf->size)) { /* Do not try to recover from corrupted buffer internals */ SSHBUF_DBG(("SSH_ERR_INTERNAL_ERROR")); - signal(SIGSEGV, SIG_DFL); + ssh_signal(SIGSEGV, SIG_DFL); raise(SIGSEGV); return SSH_ERR_INTERNAL_ERROR; } diff --git a/sshconnect.c b/sshconnect.c index a2d759819..690240716 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.326 2020/01/22 07:38:30 dtucker Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.327 2020/01/23 07:10:22 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -259,7 +259,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg, /* Execute the proxy command. Note that we gave up any extra privileges above. */ - signal(SIGPIPE, SIG_DFL); + ssh_signal(SIGPIPE, SIG_DFL); execv(argv[0], argv); perror(argv[0]); exit(1); @@ -1383,10 +1383,10 @@ ssh_local_cmd(const char *args) if ((shell = getenv("SHELL")) == NULL || *shell == '\0') shell = _PATH_BSHELL; - osighand = signal(SIGCHLD, SIG_DFL); + osighand = ssh_signal(SIGCHLD, SIG_DFL); pid = fork(); if (pid == 0) { - signal(SIGPIPE, SIG_DFL); + ssh_signal(SIGPIPE, SIG_DFL); debug3("Executing %s -c \"%s\"", shell, args); execl(shell, shell, "-c", args, (char *)NULL); error("Couldn't execute %s -c \"%s\": %s", @@ -1397,7 +1397,7 @@ ssh_local_cmd(const char *args) while (waitpid(pid, &status, 0) == -1) if (errno != EINTR) fatal("Couldn't wait for child: %s", strerror(errno)); - signal(SIGCHLD, osighand); + ssh_signal(SIGCHLD, osighand); if (!WIFEXITED(status)) return (1); diff --git a/sshconnect2.c b/sshconnect2.c index 7f52cc55e..8d13310f2 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect2.c,v 1.316 2020/01/23 02:46:49 dtucker Exp $ */ +/* $OpenBSD: sshconnect2.c,v 1.317 2020/01/23 07:10:22 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2008 Damien Miller. All rights reserved. @@ -1924,7 +1924,7 @@ ssh_keysign(struct ssh *ssh, struct sshkey *key, u_char **sigp, size_t *lenp, error("%s: fork: %s", __func__, strerror(errno)); return -1; } - osigchld = signal(SIGCHLD, SIG_DFL); + osigchld = ssh_signal(SIGCHLD, SIG_DFL); if (pid == 0) { close(from[0]); if (dup2(from[1], STDOUT_FILENO) == -1) @@ -1996,11 +1996,11 @@ ssh_keysign(struct ssh *ssh, struct sshkey *key, u_char **sigp, size_t *lenp, if ((r = sshbuf_get_string(b, sigp, lenp)) != 0) { error("%s: buffer error: %s", __func__, ssh_err(r)); fail: - signal(SIGCHLD, osigchld); + ssh_signal(SIGCHLD, osigchld); sshbuf_free(b); return -1; } - signal(SIGCHLD, osigchld); + ssh_signal(SIGCHLD, osigchld); sshbuf_free(b); return 0; diff --git a/sshd.c b/sshd.c index 46f693a8e..c447edfe1 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.543 2020/01/21 22:39:57 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.544 2020/01/23 07:10:22 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -313,7 +313,7 @@ sighup_restart(void) close_listen_socks(); close_startup_pipes(); alarm(0); /* alarm timer persists across exec */ - signal(SIGHUP, SIG_IGN); /* will be restored after exec */ + ssh_signal(SIGHUP, SIG_IGN); /* will be restored after exec */ execv(saved_argv[0], saved_argv); logit("RESTART FAILED: av[0]='%.100s', error: %.100s.", saved_argv[0], strerror(errno)); @@ -342,6 +342,8 @@ main_sigchld_handler(int sig) pid_t pid; int status; + debug("main_sigchld_handler: %s", strsignal(sig)); + while ((pid = waitpid(-1, &status, WNOHANG)) > 0 || (pid == -1 && errno == EINTR)) ; @@ -363,7 +365,7 @@ grace_alarm_handler(int sig) * keys command helpers. */ if (getpgid(0) == getpid()) { - signal(SIGTERM, SIG_IGN); + ssh_signal(SIGTERM, SIG_IGN); kill(0, SIGTERM); } @@ -1941,7 +1943,7 @@ main(int ac, char **av) error("chdir(\"/\"): %s", strerror(errno)); /* ignore SIGPIPE */ - signal(SIGPIPE, SIG_IGN); + ssh_signal(SIGPIPE, SIG_IGN); /* Get a connection, either from inetd or a listening TCP socket */ if (inetd_flag) { @@ -1950,10 +1952,10 @@ main(int ac, char **av) platform_pre_listen(); server_listen(); - signal(SIGHUP, sighup_handler); - signal(SIGCHLD, main_sigchld_handler); - signal(SIGTERM, sigterm_handler); - signal(SIGQUIT, sigterm_handler); + ssh_signal(SIGHUP, sighup_handler); + ssh_signal(SIGCHLD, main_sigchld_handler); + ssh_signal(SIGTERM, sigterm_handler); + ssh_signal(SIGQUIT, sigterm_handler); /* * Write out the pid file after the sigterm handler @@ -2043,12 +2045,12 @@ main(int ac, char **av) * will not restart on SIGHUP since it no longer makes sense. */ alarm(0); - signal(SIGALRM, SIG_DFL); - signal(SIGHUP, SIG_DFL); - signal(SIGTERM, SIG_DFL); - signal(SIGQUIT, SIG_DFL); - signal(SIGCHLD, SIG_DFL); - signal(SIGINT, SIG_DFL); + ssh_signal(SIGALRM, SIG_DFL); + ssh_signal(SIGHUP, SIG_DFL); + ssh_signal(SIGTERM, SIG_DFL); + ssh_signal(SIGQUIT, SIG_DFL); + ssh_signal(SIGCHLD, SIG_DFL); + ssh_signal(SIGINT, SIG_DFL); /* * Register our connection. This turns encryption off because we do @@ -2109,7 +2111,7 @@ main(int ac, char **av) * mode; it is just annoying to have the server exit just when you * are about to discover the bug. */ - signal(SIGALRM, grace_alarm_handler); + ssh_signal(SIGALRM, grace_alarm_handler); if (!debug_flag) alarm(options.login_grace_time); @@ -2167,7 +2169,7 @@ main(int ac, char **av) * authentication. */ alarm(0); - signal(SIGALRM, SIG_DFL); + ssh_signal(SIGALRM, SIG_DFL); authctxt->authenticated = 1; if (startup_pipe != -1) { close(startup_pipe); -- cgit v1.2.3 From c2bd7f74b0e0f3a3ee9d19ac549e6ba89013abaf Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 31 Jan 2020 22:42:45 +0000 Subject: upstream: Add a sshd_config "Include" directive to allow inclusion of files. This has sensible semantics wrt Match blocks and accepts glob(3) patterns to specify the included files. Based on patch by Jakub Jelen in bz2468; feedback and ok markus@ OpenBSD-Commit-ID: 36ed0e845b872e33f03355b936a4fff02d5794ff --- auth.c | 5 +- servconf.c | 167 +++++++++++++++++++++++++++++++++++++++++++++++++++------- servconf.h | 20 +++++-- sshd.c | 65 +++++++++++++++++------ sshd_config.5 | 19 +++++-- 5 files changed, 232 insertions(+), 44 deletions(-) (limited to 'auth.c') diff --git a/auth.c b/auth.c index b42d7e76c..086b8ebb1 100644 --- a/auth.c +++ b/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.145 2020/01/23 07:10:22 dtucker Exp $ */ +/* $OpenBSD: auth.c,v 1.146 2020/01/31 22:42:45 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -79,6 +79,7 @@ /* import */ extern ServerOptions options; +extern struct include_list includes; extern int use_privsep; extern struct sshbuf *loginmsg; extern struct passwd *privsep_pw; @@ -571,7 +572,7 @@ getpwnamallow(struct ssh *ssh, const char *user) ci = get_connection_info(ssh, 1, options.use_dns); ci->user = user; - parse_server_match_config(&options, ci); + parse_server_match_config(&options, &includes, ci); log_change_level(options.log_level); process_permitopen(ssh, &options); diff --git a/servconf.c b/servconf.c index 1e0718139..70f5f73f0 100644 --- a/servconf.c +++ b/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.359 2020/01/23 10:24:29 dtucker Exp $ */ +/* $OpenBSD: servconf.c,v 1.360 2020/01/31 22:42:45 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -40,6 +40,11 @@ #ifdef HAVE_UTIL_H #include #endif +#ifdef USE_SYSTEM_GLOB +# include +#else +# include "openbsd-compat/glob.h" +#endif #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" @@ -69,6 +74,9 @@ static void add_listen_addr(ServerOptions *, const char *, const char *, int); static void add_one_listen_addr(ServerOptions *, const char *, const char *, int); +void parse_server_config_depth(ServerOptions *options, const char *filename, + struct sshbuf *conf, struct include_list *includes, + struct connection_info *connectinfo, int flags, int *activep, int depth); /* Use of privilege separation or not */ extern int use_privsep; @@ -526,7 +534,7 @@ typedef enum { sAcceptEnv, sSetEnv, sPermitTunnel, sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, - sHostCertificate, + sHostCertificate, sInclude, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum, @@ -538,9 +546,10 @@ typedef enum { sDeprecated, sIgnore, sUnsupported } ServerOpCodes; -#define SSHCFG_GLOBAL 0x01 /* allowed in main section of sshd_config */ -#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */ -#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH) +#define SSHCFG_GLOBAL 0x01 /* allowed in main section of config */ +#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */ +#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH) +#define SSHCFG_NEVERMATCH 0x04 /* Match never matches; internal only */ /* Textual representation of the tokens. */ static struct { @@ -669,6 +678,7 @@ static struct { { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, + { "include", sInclude, SSHCFG_ALL }, { "ipqos", sIPQoS, SSHCFG_ALL }, { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, @@ -1240,13 +1250,14 @@ static const struct multistate multistate_tcpfwd[] = { { NULL, -1 } }; -int -process_server_config_line(ServerOptions *options, char *line, +static int +process_server_config_line_depth(ServerOptions *options, char *line, const char *filename, int linenum, int *activep, - struct connection_info *connectinfo) + struct connection_info *connectinfo, int inc_flags, int depth, + struct include_list *includes) { char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p; - int cmdline = 0, *intptr, value, value2, n, port; + int cmdline = 0, *intptr, value, value2, n, port, oactive, r, found; SyslogFacility *log_facility_ptr; LogLevel *log_level_ptr; ServerOpCodes opcode; @@ -1255,6 +1266,8 @@ process_server_config_line(ServerOptions *options, char *line, long long val64; const struct multistate *multistate_ptr; const char *errstr; + struct include_item *item; + glob_t gbuf; /* Strip trailing whitespace. Allow \f (form feed) at EOL only */ if ((len = strlen(line)) == 0) @@ -1281,7 +1294,7 @@ process_server_config_line(ServerOptions *options, char *line, cmdline = 1; activep = &cmdline; } - if (*activep && opcode != sMatch) + if (*activep && opcode != sMatch && opcode != sInclude) debug3("%s:%d setting %s %s", filename, linenum, arg, cp); if (*activep == 0 && !(flags & SSHCFG_MATCH)) { if (connectinfo == NULL) { @@ -1954,6 +1967,96 @@ process_server_config_line(ServerOptions *options, char *line, *intptr = value; break; + case sInclude: + if (cmdline) { + fatal("Include directive not supported as a " + "command-line option"); + } + value = 0; + while ((arg2 = strdelim(&cp)) != NULL && *arg2 != '\0') { + value++; + found = 0; + if (*arg2 != '/' && *arg2 != '~') { + xasprintf(&arg, "%s/%s", SSHDIR, arg); + } else + arg = xstrdup(arg2); + + /* + * Don't let included files clobber the containing + * file's Match state. + */ + oactive = *activep; + + /* consult cache of include files */ + TAILQ_FOREACH(item, includes, entry) { + if (strcmp(item->selector, arg) != 0) + continue; + if (item->filename != NULL) { + parse_server_config_depth(options, + item->filename, item->contents, + includes, connectinfo, + (oactive ? 0 : SSHCFG_NEVERMATCH), + activep, depth + 1); + } + found = 1; + *activep = oactive; + } + if (found != 0) { + free(arg); + continue; + } + + /* requested glob was not in cache */ + debug2("%s line %d: new include %s", + filename, linenum, arg); + if ((r = glob(arg, 0, NULL, &gbuf)) != 0) { + if (r != GLOB_NOMATCH) { + fatal("%s line %d: include \"%s\" " + "glob failed", filename, + linenum, arg); + } + /* + * If no entry matched then record a + * placeholder to skip later glob calls. + */ + debug2("%s line %d: no match for %s", + filename, linenum, arg); + item = xcalloc(1, sizeof(*item)); + item->selector = strdup(arg); + TAILQ_INSERT_TAIL(includes, + item, entry); + } + if (gbuf.gl_pathc > INT_MAX) + fatal("%s: too many glob results", __func__); + for (n = 0; n < (int)gbuf.gl_pathc; n++) { + debug2("%s line %d: including %s", + filename, linenum, gbuf.gl_pathv[n]); + item = xcalloc(1, sizeof(*item)); + item->selector = strdup(arg); + item->filename = strdup(gbuf.gl_pathv[n]); + if ((item->contents = sshbuf_new()) == NULL) { + fatal("%s: sshbuf_new failed", + __func__); + } + load_server_config(item->filename, + item->contents); + parse_server_config_depth(options, + item->filename, item->contents, + includes, connectinfo, + (oactive ? 0 : SSHCFG_NEVERMATCH), + activep, depth + 1); + *activep = oactive; + TAILQ_INSERT_TAIL(includes, item, entry); + } + globfree(&gbuf); + free(arg); + } + if (value == 0) { + fatal("%s line %d: Include missing filename argument", + filename, linenum); + } + break; + case sMatch: if (cmdline) fatal("Match directive not supported as a command-line " @@ -1962,7 +2065,7 @@ process_server_config_line(ServerOptions *options, char *line, if (value < 0) fatal("%s line %d: Bad Match condition", filename, linenum); - *activep = value; + *activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value; break; case sPermitListen: @@ -2256,6 +2359,16 @@ process_server_config_line(ServerOptions *options, char *line, return 0; } +int +process_server_config_line(ServerOptions *options, char *line, + const char *filename, int linenum, int *activep, + struct connection_info *connectinfo, struct include_list *includes) +{ + return process_server_config_line_depth(options, line, filename, + linenum, activep, connectinfo, 0, 0, includes); +} + + /* Reads the server configuration file. */ void @@ -2294,12 +2407,13 @@ load_server_config(const char *filename, struct sshbuf *conf) void parse_server_match_config(ServerOptions *options, - struct connection_info *connectinfo) + struct include_list *includes, struct connection_info *connectinfo) { ServerOptions mo; initialize_server_options(&mo); - parse_server_config(&mo, "reprocess config", cfg, connectinfo); + parse_server_config(&mo, "reprocess config", cfg, includes, + connectinfo); copy_set_server_options(options, &mo, 0); } @@ -2443,22 +2557,27 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) #undef M_CP_STROPT #undef M_CP_STRARRAYOPT +#define SERVCONF_MAX_DEPTH 16 void -parse_server_config(ServerOptions *options, const char *filename, - struct sshbuf *conf, struct connection_info *connectinfo) +parse_server_config_depth(ServerOptions *options, const char *filename, + struct sshbuf *conf, struct include_list *includes, + struct connection_info *connectinfo, int flags, int *activep, int depth) { - int active, linenum, bad_options = 0; + int linenum, bad_options = 0; char *cp, *obuf, *cbuf; + if (depth < 0 || depth > SERVCONF_MAX_DEPTH) + fatal("Too many recursive configuration includes"); + debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf)); if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL) fatal("%s: sshbuf_dup_string failed", __func__); - active = connectinfo ? 0 : 1; linenum = 1; while ((cp = strsep(&cbuf, "\n")) != NULL) { - if (process_server_config_line(options, cp, filename, - linenum++, &active, connectinfo) != 0) + if (process_server_config_line_depth(options, cp, + filename, linenum++, activep, connectinfo, flags, + depth, includes) != 0) bad_options++; } free(obuf); @@ -2468,6 +2587,16 @@ parse_server_config(ServerOptions *options, const char *filename, process_queued_listen_addrs(options); } +void +parse_server_config(ServerOptions *options, const char *filename, + struct sshbuf *conf, struct include_list *includes, + struct connection_info *connectinfo) +{ + int active = connectinfo ? 0 : 1; + parse_server_config_depth(options, filename, conf, includes, + connectinfo, 0, &active, 0); +} + static const char * fmt_multistate_int(int val, const struct multistate *m) { diff --git a/servconf.h b/servconf.h index 6fc1efb2c..deda09d93 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.142 2019/12/15 18:57:30 djm Exp $ */ +/* $OpenBSD: servconf.h,v 1.143 2020/01/31 22:42:45 djm Exp $ */ /* * Author: Tatu Ylonen @@ -16,6 +16,8 @@ #ifndef SERVCONF_H #define SERVCONF_H +#include + #define MAX_PORTS 256 /* Max # ports. */ #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */ @@ -230,6 +232,15 @@ struct connection_info { * unspecified */ }; +/* List of included files for re-exec from the parsed configuration */ +struct include_item { + char *selector; + char *filename; + struct sshbuf *contents; + TAILQ_ENTRY(include_item) entry; +}; +TAILQ_HEAD(include_list, include_item); + /* * These are string config options that must be copied between the @@ -269,12 +280,13 @@ struct connection_info *get_connection_info(struct ssh *, int, int); void initialize_server_options(ServerOptions *); void fill_default_server_options(ServerOptions *); int process_server_config_line(ServerOptions *, char *, const char *, int, - int *, struct connection_info *); + int *, struct connection_info *, struct include_list *includes); void process_permitopen(struct ssh *ssh, ServerOptions *options); void load_server_config(const char *, struct sshbuf *); void parse_server_config(ServerOptions *, const char *, struct sshbuf *, - struct connection_info *); -void parse_server_match_config(ServerOptions *, struct connection_info *); + struct include_list *includes, struct connection_info *); +void parse_server_match_config(ServerOptions *, + struct include_list *includes, struct connection_info *); int parse_server_match_testspec(struct connection_info *, char *); int server_match_spec_complete(struct connection_info *); void copy_set_server_options(ServerOptions *, ServerOptions *, int); diff --git a/sshd.c b/sshd.c index 46fdf7ee3..57fab0425 100644 --- a/sshd.c +++ b/sshd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.545 2020/01/24 23:56:01 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.546 2020/01/31 22:42:45 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -251,6 +251,9 @@ struct sshauthopt *auth_opts = NULL; /* sshd_config buffer */ struct sshbuf *cfg; +/* Included files from the configuration file */ +struct include_list includes = TAILQ_HEAD_INITIALIZER(includes); + /* message to be displayed after login */ struct sshbuf *loginmsg; @@ -870,30 +873,45 @@ usage(void) static void send_rexec_state(int fd, struct sshbuf *conf) { - struct sshbuf *m; + struct sshbuf *m = NULL, *inc = NULL; + struct include_item *item = NULL; int r; debug3("%s: entering fd = %d config len %zu", __func__, fd, sshbuf_len(conf)); + if ((m = sshbuf_new()) == NULL || (inc = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + + /* pack includes into a string */ + TAILQ_FOREACH(item, &includes, entry) { + if ((r = sshbuf_put_cstring(inc, item->selector)) != 0 || + (r = sshbuf_put_cstring(inc, item->filename)) != 0 || + (r = sshbuf_put_stringb(inc, item->contents)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + } + /* * Protocol from reexec master to child: * string configuration - * string rngseed (only if OpenSSL is not self-seeded) + * string included_files[] { + * string selector + * string filename + * string contents + * } + * string rng_seed (if required) */ - if ((m = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); - if ((r = sshbuf_put_stringb(m, conf)) != 0) + if ((r = sshbuf_put_stringb(m, conf)) != 0 || + (r = sshbuf_put_stringb(m, inc)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); - #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY) rexec_send_rng_seed(m); #endif - if (ssh_msg_send(fd, 0, m) == -1) fatal("%s: ssh_msg_send failed", __func__); sshbuf_free(m); + sshbuf_free(inc); debug3("%s: done", __func__); } @@ -901,14 +919,15 @@ send_rexec_state(int fd, struct sshbuf *conf) static void recv_rexec_state(int fd, struct sshbuf *conf) { - struct sshbuf *m; + struct sshbuf *m, *inc; u_char *cp, ver; size_t len; int r; + struct include_item *item; debug3("%s: entering fd = %d", __func__, fd); - if ((m = sshbuf_new()) == NULL) + if ((m = sshbuf_new()) == NULL || (inc = sshbuf_new()) == NULL) fatal("%s: sshbuf_new failed", __func__); if (ssh_msg_recv(fd, m) == -1) fatal("%s: ssh_msg_recv failed", __func__); @@ -916,14 +935,28 @@ recv_rexec_state(int fd, struct sshbuf *conf) fatal("%s: buffer error: %s", __func__, ssh_err(r)); if (ver != 0) fatal("%s: rexec version mismatch", __func__); - if ((r = sshbuf_get_string(m, &cp, &len)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); - if (conf != NULL && (r = sshbuf_put(conf, cp, len))) + if ((r = sshbuf_get_string(m, &cp, &len)) != 0 || + (r = sshbuf_get_stringb(m, inc)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); + #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY) rexec_recv_rng_seed(m); #endif + if (conf != NULL && (r = sshbuf_put(conf, cp, len))) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + + while (sshbuf_len(inc) != 0) { + item = xcalloc(1, sizeof(*item)); + if ((item->contents = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshbuf_get_cstring(inc, &item->selector, NULL)) != 0 || + (r = sshbuf_get_cstring(inc, &item->filename, NULL)) != 0 || + (r = sshbuf_get_stringb(inc, item->contents)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + TAILQ_INSERT_TAIL(&includes, item, entry); + } + free(cp); sshbuf_free(m); @@ -1600,7 +1633,7 @@ main(int ac, char **av) case 'o': line = xstrdup(optarg); if (process_server_config_line(&options, line, - "command-line", 0, NULL, NULL) != 0) + "command-line", 0, NULL, NULL, &includes) != 0) exit(1); free(line); break; @@ -1669,7 +1702,7 @@ main(int ac, char **av) load_server_config(config_file_name, cfg); parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, - cfg, NULL); + cfg, &includes, NULL); /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options); @@ -1895,7 +1928,7 @@ main(int ac, char **av) if (connection_info == NULL) connection_info = get_connection_info(ssh, 0, 0); connection_info->test = 1; - parse_server_match_config(&options, connection_info); + parse_server_match_config(&options, &includes, connection_info); dump_config(&options); } diff --git a/sshd_config.5 b/sshd_config.5 index 1395a5e6d..6c3b5e5e0 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.303 2020/01/28 01:49:36 djm Exp $ -.Dd $Mdocdate: January 28 2020 $ +.\" $OpenBSD: sshd_config.5,v 1.304 2020/01/31 22:42:45 djm Exp $ +.Dd $Mdocdate: January 31 2020 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -801,7 +801,20 @@ during and use only the system-wide known hosts file .Pa /etc/ssh/known_hosts . The default is -.Cm no . +.Dq no . +.It Cm Include +Include the specified configuration file(s). +Multiple path names may be specified and each pathname may contain +.Xr glob 7 +wildcards. +Files without absolute paths are assumed to be in +.Pa /etc/ssh . +A +.Cm Include +directive may appear inside a +.Cm Match +block +to perform conditional inclusion. .It Cm IPQoS Specifies the IPv4 type-of-service or DSCP class for the connection. Accepted values are -- cgit v1.2.3