- djm@cvs.openbsd.org 2014/02/26 20:28:44

     [auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
     bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
     sandboxing, as running this code in the sandbox can cause violations;
     ok markus@

ChangeLog

@@ -4,6 +4,11 @@
      [ssh.c]
      bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
      ok dtucker@ markus@
+   - djm@cvs.openbsd.org 2014/02/26 20:28:44
+     [auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
+     bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
+     sandboxing, as running this code in the sandbox can cause violations;
+     ok markus@
 
 20140224
  - OpenBSD CVS Sync

auth2-gss.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.21 2014/02/26 20:28:44 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -62,7 +62,6 @@ userauth_gssapi(Authctxt *authctxt)
 	gss_OID_desc goid = {0, NULL};
 	Gssctxt *ctxt = NULL;
 	int mechs;
-	gss_OID_set supported;
 	int present;
 	OM_uint32 ms;
 	u_int len;
@@ -77,7 +76,6 @@ userauth_gssapi(Authctxt *authctxt)
 		return (0);
 	}
 
-	ssh_gssapi_supported_oids(&supported);
 	do {
 		mechs--;
 
@@ -90,15 +88,12 @@ userauth_gssapi(Authctxt *authctxt)
 		    doid[1] == len - 2) {
 			goid.elements = doid + 2;
 			goid.length   = len - 2;
-			gss_test_oid_set_member(&ms, &goid, supported,
-			    &present);
+			ssh_gssapi_test_oid_supported(&ms, &goid, &present);
 		} else {
 			logit("Badly formed OID received");
 		}
 	} while (mechs > 0 && !present);
 
-	gss_release_oid_set(&ms, &supported);
-
 	if (!present) {
 		free(doid);
 		authctxt->server_caused_failure = 1;

gss-serv.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.25 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -66,6 +66,25 @@ ssh_gssapi_mech* supported_mechs[]= {
 	&gssapi_null_mech,
 };
 
+/*
+ * ssh_gssapi_supported_oids() can cause sandbox violations, so prepare the
+ * list of supported mechanisms before privsep is set up.
+ */
+static gss_OID_set supported_oids;
+
+void
+ssh_gssapi_prepare_supported_oids(void)
+{
+	ssh_gssapi_supported_oids(&supported_oids);
+}
+
+OM_uint32
+ssh_gssapi_test_oid_supported(OM_uint32 *ms, gss_OID member, int *present)
+{
+	if (supported_oids == NULL)
+		ssh_gssapi_prepare_supported_oids();
+	return gss_test_oid_set_member(ms, member, supported_oids, present);
+}
 
 /*
  * Acquire credentials for a server running on the current host.

ssh-gss.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
+/* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
  *
@@ -104,6 +104,8 @@ void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
 void ssh_gssapi_set_oid(Gssctxt *, gss_OID);
 void ssh_gssapi_supported_oids(gss_OID_set *);
 ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *);
+void ssh_gssapi_prepare_supported_oids(void);
+OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
 
 OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
 OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,

sshd.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.418 2014/02/02 03:44:32 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.419 2014/02/26 20:28:44 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -618,6 +618,10 @@ privsep_preauth_child(void)
 	/* Enable challenge-response authentication for privilege separation */
 	privsep_challenge_enable();
 
+	/* Cache supported mechanism OIDs for later use */
+	if (options.gss_authentication)
+		ssh_gssapi_prepare_supported_oids();
+
 	arc4random_stir();
 	arc4random_buf(rnd, sizeof(rnd));
 	RAND_seed(rnd, sizeof(rnd));