- djm@cvs.openbsd.org 2014/02/26 20:28:44

[auth2-gss.c gss-serv.c ssh-gss.h sshd.c] bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep sandboxing, as running this code in the sandbox can cause violations; ok markus@
author: Damien Miller <djm@mindrot.org> 2014-02-27 10:17:49 +1100
committer: Damien Miller <djm@mindrot.org> 2014-02-27 10:17:49 +1100
commit: e6a74aeeacd01d885262ff8e50eb28faee8c8039 (patch)
tree: 5e3bb4872b341d7364268634c7cfeb64658cb50e
parent: 08b57c67f3609340ff703fe2782d7058acf2529e (diff)
5 files changed, 35 insertions, 10 deletions
diff --git a/ChangeLog b/ChangeLog
index 84833fb3c..6a4b551b9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,11 @@
     [ssh.c]
     bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
     ok dtucker@ markus@
+   - djm@cvs.openbsd.org 2014/02/26 20:28:44
+     [auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
+     bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
+     sandboxing, as running this code in the sandbox can cause violations;
+     ok markus@
 20140224
 - OpenBSD CVS Sync
diff --git a/auth2-gss.c b/auth2-gss.c
index 638d8f88e..c28a705cb 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.21 2014/02/26 20:28:44 djm Exp $ */
 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -62,7 +62,6 @@ userauth_gssapi(Authctxt *authctxt)
        gss_OID_desc goid = {0, NULL};
        Gssctxt *ctxt = NULL;
        int mechs;
-        gss_OID_set supported;
        int present;
        OM_uint32 ms;
        u_int len;
@@ -77,7 +76,6 @@ userauth_gssapi(Authctxt *authctxt)
                return (0);
        }
-        ssh_gssapi_supported_oids(&supported);
        do {
                mechs--;
@@ -90,15 +88,12 @@ userauth_gssapi(Authctxt *authctxt)
                    doid[1] == len - 2) {
                        goid.elements = doid + 2;
                        goid.length   = len - 2;
-                        gss_test_oid_set_member(&ms, &goid, supported,
+                        ssh_gssapi_test_oid_supported(&ms, &goid, &present);
-                            &present);
                } else {
                        logit("Badly formed OID received");
                }
        } while (mechs > 0 && !present);
-        gss_release_oid_set(&ms, &supported);
        if (!present) {
                free(doid);
                authctxt->server_caused_failure = 1;
diff --git a/gss-serv.c b/gss-serv.c
index b61e6e140..e61b37bec 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.25 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -66,6 +66,25 @@ ssh_gssapi_mech* supported_mechs[]= {
        &gssapi_null_mech,
 };
+/*
+ * ssh_gssapi_supported_oids() can cause sandbox violations, so prepare the
+ * list of supported mechanisms before privsep is set up.
+ */
+static gss_OID_set supported_oids;
+void
+ssh_gssapi_prepare_supported_oids(void)
+{
+        ssh_gssapi_supported_oids(&supported_oids);
+}
+OM_uint32
+ssh_gssapi_test_oid_supported(OM_uint32 *ms, gss_OID member, int *present)
+{
+        if (supported_oids == NULL)
+                ssh_gssapi_prepare_supported_oids();
+        return gss_test_oid_set_member(ms, member, supported_oids, present);
+}
 /*
 * Acquire credentials for a server running on the current host.
diff --git a/ssh-gss.h b/ssh-gss.h
index 077e13ce4..a99d7f08b 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
+/* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
 *
@@ -104,6 +104,8 @@ void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
 void ssh_gssapi_set_oid(Gssctxt *, gss_OID);
 void ssh_gssapi_supported_oids(gss_OID_set *);
 ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *);
+void ssh_gssapi_prepare_supported_oids(void);
+OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
 OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
 OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
diff --git a/sshd.c b/sshd.c
index 93e698b5d..51d7078e4 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.418 2014/02/02 03:44:32 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.419 2014/02/26 20:28:44 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -618,6 +618,10 @@ privsep_preauth_child(void)
        /* Enable challenge-response authentication for privilege separation */
        privsep_challenge_enable();
+        /* Cache supported mechanism OIDs for later use */
+        if (options.gss_authentication)
+                ssh_gssapi_prepare_supported_oids();
        arc4random_stir();
        arc4random_buf(rnd, sizeof(rnd));
        RAND_seed(rnd, sizeof(rnd));
author	Damien Miller <djm@mindrot.org>	2014-02-27 10:17:49 +1100
committer	Damien Miller <djm@mindrot.org>	2014-02-27 10:17:49 +1100
commit	e6a74aeeacd01d885262ff8e50eb28faee8c8039 (patch)
tree	5e3bb4872b341d7364268634c7cfeb64658cb50e
parent	08b57c67f3609340ff703fe2782d7058acf2529e (diff)