author | Damien Miller <djm@mindrot.org> | 2014-02-27 10:17:49 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2014-02-27 10:17:49 +1100 |
commit | e6a74aeeacd01d885262ff8e50eb28faee8c8039 (patch) | |
tree | 5e3bb4872b341d7364268634c7cfeb64658cb50e /gss-serv.c | |
parent | 08b57c67f3609340ff703fe2782d7058acf2529e (diff) |
- djm@cvs.openbsd.org 2014/02/26 20:28:44
[auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
sandboxing, as running this code in the sandbox can cause violations;
ok markus@
Diffstat (limited to 'gss-serv.c')
-rw-r--r-- | gss-serv.c | 21 |
1 files changed, 20 insertions, 1 deletions
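--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.25 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
 
 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -66,6 +66,25 @@ ssh_gssapi_mech* supported_mechs[]= {
 &gssapi_null_mech,
 };
 
+/*
+* ssh_gssapi_supported_oids() can cause sandbox violations, so prepare the
+* list of supported mechanisms before privsep is set up.
+*/
+static gss_OID_set supported_oids;
+
+void
+ssh_gssapi_prepare_supported_oids(void)
+{
+ssh_gssapi_supported_oids(&supported_oids);
+}
+
+OM_uint32
+ssh_gssapi_test_oid_supported(OM_uint32 *ms, gss_OID member, int *present)
+{
+if (supported_oids == NULL)
+ssh_gssapi_prepare_supported_oids();
+return gss_test_oid_set_member(ms, member, supported_oids, present);
+}
 
 /*
 * Acquire credentials for a server running on the current host.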
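Review bot: The lazy fallback in `ssh_gssapi_test_oid_supported()` (`if (supported_oids == NULL) ssh_gssapi_prepare_supported_oids();`) re-runs the mechanism enumeration at the point of use, so if the early call is ever missed the enumeration happens wherever the first check runs, possibly inside the sandbox, which is the case the comment above the cache says to avoid. The callers in sshd.c and auth2-gss.c are not part of this section, so whether that path is reachable cannot be confirmed from here. I would state the expectation on the function, e.g. `/* Fallback only: ssh_gssapi_prepare_supported_oids() must already have run before sandboxing. */`, and consider a `debug()` line in the fallback branch so a missed pre-initialisation shows up in the logs rather than only as a sandbox violation. Separately, `ssh_gssapi_prepare_supported_oids()` overwrites `supported_oids` without releasing an earlier set, so a second call would leak the previous one; an `if (supported_oids != NULL) return;` guard at its top would make it idempotent.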