1 files changed, 22 insertions, 2 deletions
diff --git a/gss-serv.c b/gss-serv.c
index feb1ed763..c33463bdf 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
 /*
 * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -72,6 +72,25 @@ ssh_gssapi_mech* supported_mechs[]= {
        &gssapi_null_mech,
 };
+/*
+ * ssh_gssapi_supported_oids() can cause sandbox violations, so prepare the
+ * list of supported mechanisms before privsep is set up.
+ */
+static gss_OID_set supported_oids;
+void
+ssh_gssapi_prepare_supported_oids(void)
+{
+        ssh_gssapi_supported_oids(&supported_oids);
+}
+OM_uint32
+ssh_gssapi_test_oid_supported(OM_uint32 *ms, gss_OID member, int *present)
+{
+        if (supported_oids == NULL)
+                ssh_gssapi_prepare_supported_oids();
+        return gss_test_oid_set_member(ms, member, supported_oids, present);
+}
 /*
 * Acquire credentials for a server running on the current host.
@@ -435,7 +454,8 @@ ssh_gssapi_userok(char *user, struct passwd *pw)
                        gss_release_buffer(&lmin, &gssapi_client.displayname);
                        gss_release_buffer(&lmin, &gssapi_client.exportedname);
                        gss_release_cred(&lmin, &gssapi_client.creds);
-                        memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
+                        explicit_bzero(&gssapi_client,
+                            sizeof(ssh_gssapi_client));
                        return 0;
                }
        else

diff --git a/gss-serv.c b/gss-serv.c index feb1ed763..c33463bdf 100644 --- a/gss-serv.c +++ b/gss-serv.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */	1	/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.	4	* Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -72,6 +72,25 @@ ssh_gssapi_mech* supported_mechs[]= {
72	&gssapi_null_mech,	72	&gssapi_null_mech,
73	};	73	};
74		74
		75	/*
		76	* ssh_gssapi_supported_oids() can cause sandbox violations, so prepare the
		77	* list of supported mechanisms before privsep is set up.
		78	*/
		79	static gss_OID_set supported_oids;
		80
		81	void
		82	ssh_gssapi_prepare_supported_oids(void)
		83	{
		84	ssh_gssapi_supported_oids(&supported_oids);
		85	}
		86
		87	OM_uint32
		88	ssh_gssapi_test_oid_supported(OM_uint32 ms, gss_OID member, int present)
		89	{
		90	if (supported_oids == NULL)
		91	ssh_gssapi_prepare_supported_oids();
		92	return gss_test_oid_set_member(ms, member, supported_oids, present);
		93	}
75		94
76	/*	95	/*
77	* Acquire credentials for a server running on the current host.	96	* Acquire credentials for a server running on the current host.
@@ -435,7 +454,8 @@ ssh_gssapi_userok(char user, struct passwd pw)
435	gss_release_buffer(&lmin, &gssapi_client.displayname);	454	gss_release_buffer(&lmin, &gssapi_client.displayname);
436	gss_release_buffer(&lmin, &gssapi_client.exportedname);	455	gss_release_buffer(&lmin, &gssapi_client.exportedname);
437	gss_release_cred(&lmin, &gssapi_client.creds);	456	gss_release_cred(&lmin, &gssapi_client.creds);
438	memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));	457	explicit_bzero(&gssapi_client,
		458	sizeof(ssh_gssapi_client));
439	return 0;	459	return 0;
440	}	460	}
441	else	461	else