MFS (r296781):

  MFH (r296633): upgrade to 7.2p2 (fixes xauth command injection bug)
  MFH (r296634): re-add aes-cbc to server-side default cipher list
  MFH (r296651, r296657): fix gcc build of pam_ssh

PR:		207679
Security:	CVE-2016-3115
Approved by:	re (marius)

1 files changed, 65 insertions, 46 deletions

diff --git a/crypto/openssh/auth-options.c b/crypto/openssh/auth-options.c
index e387697..edbaf80 100644
--- a/crypto/openssh/auth-options.c
+++ b/crypto/openssh/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.70 2015/12/10 17:08:40 mmcc Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -75,19 +75,45 @@ auth_clear_options(void)
 		free(ce->s);
 		free(ce);
 	}
-	if (forced_command) {
-		free(forced_command);
-		forced_command = NULL;
-	}
-	if (authorized_principals) {
-		free(authorized_principals);
-		authorized_principals = NULL;
-	}
+	free(forced_command);
+	forced_command = NULL;
+	free(authorized_principals);
+	authorized_principals = NULL;
 	forced_tun_device = -1;
 	channel_clear_permitted_opens();
 }
 
 /*
+ * Match flag 'opt' in *optsp, and if allow_negate is set then also match
+ * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0
+ * if negated option matches. 
+ * If the option or negated option matches, then *optsp is updated to
+ * point to the first character after the option and, if 'msg' is not NULL
+ * then a message based on it added via auth_debug_add().
+ */
+static int
+match_flag(const char *opt, int allow_negate, char **optsp, const char *msg)
+{
+	size_t opt_len = strlen(opt);
+	char *opts = *optsp;
+	int negate = 0;
+
+	if (allow_negate && strncasecmp(opts, "no-", 3) == 0) {
+		opts += 3;
+		negate = 1;
+	}
+	if (strncasecmp(opts, opt, opt_len) == 0) {
+		*optsp = opts + opt_len;
+		if (msg != NULL) {
+			auth_debug_add("%s %s.", msg,
+			    negate ? "disabled" : "enabled");
+		}
+		return negate ? 0 : 1;
+	}
+	return -1;
+}
+
+/*
  * return 1 if access is granted, 0 if not.
  * side effect: sets key option flags
  */
@@ -95,7 +121,7 @@ int
 auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 {
 	const char *cp;
-	int i;
+	int i, r;
 
 	/* reset options */
 	auth_clear_options();
@@ -104,52 +130,48 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 		return 1;
 
 	while (*opts && *opts != ' ' && *opts != '\t') {
-		cp = "cert-authority";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			key_is_cert_authority = 1;
-			opts += strlen(cp);
+		if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) {
+			key_is_cert_authority = r;
 			goto next_option;
 		}
-		cp = "no-port-forwarding";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("Port forwarding disabled.");
+		if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) {
+			auth_debug_add("Key is restricted.");
 			no_port_forwarding_flag = 1;
-			opts += strlen(cp);
+			no_agent_forwarding_flag = 1;
+			no_x11_forwarding_flag = 1;
+			no_pty_flag = 1;
+			no_user_rc = 1;
 			goto next_option;
 		}
-		cp = "no-agent-forwarding";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("Agent forwarding disabled.");
-			no_agent_forwarding_flag = 1;
-			opts += strlen(cp);
+		if ((r = match_flag("port-forwarding", 1, &opts,
+		    "Port forwarding")) != -1) {
+			no_port_forwarding_flag = r != 1;
 			goto next_option;
 		}
-		cp = "no-X11-forwarding";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("X11 forwarding disabled.");
-			no_x11_forwarding_flag = 1;
-			opts += strlen(cp);
+		if ((r = match_flag("agent-forwarding", 1, &opts,
+		    "Agent forwarding")) != -1) {
+			no_agent_forwarding_flag = r != 1;
 			goto next_option;
 		}
-		cp = "no-pty";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("Pty allocation disabled.");
-			no_pty_flag = 1;
-			opts += strlen(cp);
+		if ((r = match_flag("x11-forwarding", 1, &opts,
+		    "X11 forwarding")) != -1) {
+			no_x11_forwarding_flag = r != 1;
 			goto next_option;
 		}
-		cp = "no-user-rc";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("User rc file execution disabled.");
-			no_user_rc = 1;
-			opts += strlen(cp);
+		if ((r = match_flag("pty", 1, &opts,
+		    "PTY allocation")) != -1) {
+			no_pty_flag = r != 1;
+			goto next_option;
+		}
+		if ((r = match_flag("user-rc", 1, &opts,
+		    "User rc execution")) != -1) {
+			no_user_rc = r != 1;
 			goto next_option;
 		}
 		cp = "command=\"";
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			opts += strlen(cp);
-			if (forced_command != NULL)
-				free(forced_command);
+			free(forced_command);
 			forced_command = xmalloc(strlen(opts) + 1);
 			i = 0;
 			while (*opts) {
@@ -179,8 +201,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 		cp = "principals=\"";
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			opts += strlen(cp);
-			if (authorized_principals != NULL)
-				free(authorized_principals);
+			free(authorized_principals);
 			authorized_principals = xmalloc(strlen(opts) + 1);
 			i = 0;
 			while (*opts) {
@@ -566,8 +587,7 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
 		free(*cert_forced_command);
 		*cert_forced_command = NULL;
 	}
-	if (name != NULL)
-		free(name);
+	free(name);
 	sshbuf_free(data);
 	sshbuf_free(c);
 	return ret;
@@ -611,8 +631,7 @@ auth_cert_options(struct sshkey *k, struct passwd *pw)
 	no_user_rc |= cert_no_user_rc;
 	/* CA-specified forced command supersedes key option */
 	if (cert_forced_command != NULL) {
-		if (forced_command != NULL)
-			free(forced_command);
+		free(forced_command);
 		forced_command = cert_forced_command;
 	}
 	return 0;