- djm@cvs.openbsd.org 2014/02/26 20:28:44
authorDamien Miller <djm@mindrot.org>
Wed, 26 Feb 2014 23:17:49 +0000 (10:17 +1100)
committerDamien Miller <djm@mindrot.org>
Wed, 26 Feb 2014 23:17:49 +0000 (10:17 +1100)
     [auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
     bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
     sandboxing, as running this code in the sandbox can cause violations;
     ok markus@

ChangeLog
auth2-gss.c
gss-serv.c
ssh-gss.h
sshd.c

index 84833fb3c4b1ee274939922e8223c9589aa53738..6a4b551b997d7992cbd154630a00324ef541e539 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,11 @@
      [ssh.c]
      bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
      ok dtucker@ markus@
+   - djm@cvs.openbsd.org 2014/02/26 20:28:44
+     [auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
+     bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
+     sandboxing, as running this code in the sandbox can cause violations;
+     ok markus@
 
 20140224
  - OpenBSD CVS Sync
index 638d8f88e7d950ded5403e617a8b51e6c5f405f0..c28a705cb6c9cb93c1dc4f04b3044902b1735903 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.21 2014/02/26 20:28:44 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -62,7 +62,6 @@ userauth_gssapi(Authctxt *authctxt)
        gss_OID_desc goid = {0, NULL};
        Gssctxt *ctxt = NULL;
        int mechs;
-       gss_OID_set supported;
        int present;
        OM_uint32 ms;
        u_int len;
@@ -77,7 +76,6 @@ userauth_gssapi(Authctxt *authctxt)
                return (0);
        }
 
-       ssh_gssapi_supported_oids(&supported);
        do {
                mechs--;
 
@@ -90,15 +88,12 @@ userauth_gssapi(Authctxt *authctxt)
                    doid[1] == len - 2) {
                        goid.elements = doid + 2;
                        goid.length   = len - 2;
-                       gss_test_oid_set_member(&ms, &goid, supported,
-                           &present);
+                       ssh_gssapi_test_oid_supported(&ms, &goid, &present);
                } else {
                        logit("Badly formed OID received");
                }
        } while (mechs > 0 && !present);
 
-       gss_release_oid_set(&ms, &supported);
-
        if (!present) {
                free(doid);
                authctxt->server_caused_failure = 1;
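Review bot: The return value of `ssh_gssapi_test_oid_supported()` is discarded on the line that replaces the direct `gss_test_oid_set_member()` call, and `present` (declared `int present;` in the context above, never initialised) is only written when that lookup succeeds; if it fails — for instance because the cached OID set could not be prepared — the `while (mechs > 0 && !present)` condition and the later `if (!present)` read an indeterminate value, and a non-zero leftover would let an unknown or badly formed mechanism pass as supported. The pre-existing "Badly formed OID" branch has the same gap, but the new wrapper introduces a failure path that the old inline call did not have. Suggest resetting at the top of each iteration, `present = 0;` right after `mechs--;`, or checking the result: `if (ssh_gssapi_test_oid_supported(&ms, &goid, &present) != GSS_S_COMPLETE) present = 0;`. userauth_gssapi() starts before and continues after this hunk.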
index b61e6e1402269970063c4a2389d7d4bc7745a264..e61b37becc768b3fa080875f58f302f881a9f45d 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.25 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -66,6 +66,25 @@ ssh_gssapi_mech* supported_mechs[]= {
        &gssapi_null_mech,
 };
 
+/*
+ * ssh_gssapi_supported_oids() can cause sandbox violations, so prepare the
+ * list of supported mechanisms before privsep is set up.
+ */
+static gss_OID_set supported_oids;
+
+void
+ssh_gssapi_prepare_supported_oids(void)
+{
+       ssh_gssapi_supported_oids(&supported_oids);
+}
+
+OM_uint32
+ssh_gssapi_test_oid_supported(OM_uint32 *ms, gss_OID member, int *present)
+{
+       if (supported_oids == NULL)
+               ssh_gssapi_prepare_supported_oids();
+       return gss_test_oid_set_member(ms, member, supported_oids, present);
+}
 
 /*
  * Acquire credentials for a server running on the current host.
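Review bot: `ssh_gssapi_test_oid_supported()` lazily calls `ssh_gssapi_prepare_supported_oids()` when the cache is empty, which re-runs exactly the code the comment above it says can violate the sandbox, and if that call still leaves `supported_oids` NULL the function passes a NULL set to `gss_test_oid_set_member()`. A fail-closed guard after the lazy prepare would cover both: `if (supported_oids == NULL) { *present = 0; return (GSS_S_FAILURE); }`. `ssh_gssapi_prepare_supported_oids()` also overwrites any set it already holds without a `gss_release_oid_set()`, so calling it twice leaks the first set; a leading `if (supported_oids != NULL) return;` keeps it idempotent. Whether `ssh_gssapi_supported_oids()` can actually leave the pointer NULL depends on its body, which is not in this hunk.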
index 077e13ce4b970405dbae716a2627db74be259f7c..a99d7f08b30b90536db2bd215754dd548d6f2a1a 100644 (file)
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
+/* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
  *
@@ -104,6 +104,8 @@ void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
 void ssh_gssapi_set_oid(Gssctxt *, gss_OID);
 void ssh_gssapi_supported_oids(gss_OID_set *);
 ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *);
+void ssh_gssapi_prepare_supported_oids(void);
+OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
 
 OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
 OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
diff --git a/sshd.c b/sshd.c
index 93e698b5d20f5ceea86792ca51ff46126758454c..51d7078e48f2beb2fac1644a3a88f162c79a7499 100644 (file)
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.418 2014/02/02 03:44:32 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.419 2014/02/26 20:28:44 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -618,6 +618,10 @@ privsep_preauth_child(void)
        /* Enable challenge-response authentication for privilege separation */
        privsep_challenge_enable();
 
+       /* Cache supported mechanism OIDs for later use */
+       if (options.gss_authentication)
+               ssh_gssapi_prepare_supported_oids();
+
        arc4random_stir();
        arc4random_buf(rnd, sizeof(rnd));
        RAND_seed(rnd, sizeof(rnd));
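Review bot: The new `ssh_gssapi_prepare_supported_oids()` call is guarded only by the runtime option `options.gss_authentication`; if the GSSAPI code in gss-serv.c is only compiled when `GSSAPI` is defined, as I believe the rest of sshd's GSSAPI calls are, this line will fail to link in a non-GSSAPI build and should be wrapped in `#ifdef GSSAPI` / `#endif` like those calls. The cache is also only useful if this runs before the sandbox is entered; the rest of `privsep_preauth_child()`, including where sandboxing happens, lies outside this hunk, so that ordering cannot be confirmed from here and is worth a comment at the call site, e.g. `/* Must run before the sandbox is set up: the OID lookup is not sandbox-safe */`.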