Diffstat (limited to 'usr.bin/ssh')
-rw-r--r-- | usr.bin/ssh/auth2-gss.c | 9 | ||||
-rw-r--r-- | usr.bin/ssh/gss-serv.c | 21 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-gss.h | 4 | ||||
-rw-r--r-- | usr.bin/ssh/sshd.c | 6 |
4 files changed, 30 insertions, 10 deletions
diff --git a/usr.bin/ssh/auth2-gss.c b/usr.bin/ssh/auth2-gss.c
index 70e7d6d4ae3..99331306ef9 100644
--- a/usr.bin/ssh/auth2-gss.c
+++ b/usr.bin/ssh/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.21 2014/02/26 20:28:44 djm Exp $ */
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -58,7 +58,6 @@ userauth_gssapi(Authctxt *authctxt)
 	gss_OID_desc goid = {0, NULL};
 	Gssctxt *ctxt = NULL;
 	int mechs;
-	gss_OID_set supported;
 	int present;
 	OM_uint32 ms;
 	u_int len;
@@ -73,7 +72,6 @@ userauth_gssapi(Authctxt *authctxt)
 		return (0);
 	}
 
-	ssh_gssapi_supported_oids(&supported);
 
 	do {
 		mechs--;
@@ -86,15 +84,12 @@ userauth_gssapi(Authctxt *authctxt)
 		    doid[1] == len - 2) {
 			goid.elements = doid + 2;
 			goid.length = len - 2;
-			gss_test_oid_set_member(&ms, &goid, supported,
-			    &present);
+			ssh_gssapi_test_oid_supported(&ms, &goid, &present);
 		} else {
 			logit("Badly formed OID received");
 		}
 	} while (mechs > 0 && !present);
 
-	gss_release_oid_set(&ms, &supported);
-
 	if (!present) {
 		free(doid);
 		authctxt->server_caused_failure = 1;
diff --git a/usr.bin/ssh/gss-serv.c b/usr.bin/ssh/gss-serv.c
index b4ea7c4e7ec..8974c5f780f 100644
--- a/usr.bin/ssh/gss-serv.c
+++ b/usr.bin/ssh/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.25 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
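Review bot: Removing the `ssh_gssapi_supported_oids(&supported);` line in the @@ -73 hunk leaves both of its surrounding blank lines behind, so the new side of userauth_gssapi() has two consecutive empty lines between `}` and `do {` (the counts -73,7 +72,6 account only for the one removed statement). One of those blanks should be dropped with the call. userauth_gssapi()'s body begins and ends outside this hunk.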
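Review bot: The major status returned by the new `ssh_gssapi_test_oid_supported(&ms, &goid, &present);` call in the @@ -86 hunk is discarded, just as the old direct gss_test_oid_set_member() status was, so a failed membership test is indistinguishable from "not present" and `ms` is never consulted. Since the wrapper now returns an OM_uint32 precisely so the caller can look at it, I would pin the outcome explicitly, e.g. `if (GSS_ERROR(ssh_gssapi_test_oid_supported(&ms, &goid, &present))) present = 0;` (GSS_ERROR is the standard gssapi.h macro), or at least emit a debug() on failure. Whether `present` is reset on every loop iteration is decided by lines above this hunk, and the loop body of userauth_gssapi() starts and ends outside it.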
@@ -62,6 +62,25 @@ ssh_gssapi_mech* supported_mechs[]= {
 	&gssapi_null_mech,
 };
 
+/*
+ * ssh_gssapi_supported_oids() can cause sandbox violations, so prepare the
+ * list of supported mechanisms before privsep is set up.
+ */
+static gss_OID_set supported_oids;
+
+void
+ssh_gssapi_prepare_supported_oids(void)
+{
+	ssh_gssapi_supported_oids(&supported_oids);
+}
+
+OM_uint32
+ssh_gssapi_test_oid_supported(OM_uint32 *ms, gss_OID member, int *present)
+{
+	if (supported_oids == NULL)
+		ssh_gssapi_prepare_supported_oids();
+	return gss_test_oid_set_member(ms, member, supported_oids, present);
+}
 
 /*
  * Acquire credentials for a server running on the current host.
diff --git a/usr.bin/ssh/ssh-gss.h b/usr.bin/ssh/ssh-gss.h
index 22367cc8c34..f5e744ff629 100644
--- a/usr.bin/ssh/ssh-gss.h
+++ b/usr.bin/ssh/ssh-gss.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
+/* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
  *
@@ -83,6 +83,8 @@ void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
 void ssh_gssapi_set_oid(Gssctxt *, gss_OID);
 void ssh_gssapi_supported_oids(gss_OID_set *);
 ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *);
+void ssh_gssapi_prepare_supported_oids(void);
+OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
 OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
 OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c
index abe65a5a7b6..ee8cb02b2d2 100644
--- a/usr.bin/ssh/sshd.c
+++ b/usr.bin/ssh/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.418 2014/02/02 03:44:32 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.419 2014/02/26 20:28:44 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
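Review bot: `ssh_gssapi_prepare_supported_oids()` in the gss-serv.c hunk unconditionally overwrites the static `supported_oids`, so a second call replaces the set without releasing the first; unless ssh_gssapi_supported_oids() (not shown here) reuses the set it is handed, that is a leak and the function is not safe to reach from more than one call site. Making it idempotent also mirrors the guard already in the test function: put `if (supported_oids != NULL) return;` as the first statement of ssh_gssapi_prepare_supported_oids(). Separately, the `supported_oids == NULL` fallback in ssh_gssapi_test_oid_supported() re-enters exactly the call the new comment says violates the sandbox, so when early preparation was skipped the violation merely moves to the first GSSAPI authentication request; a `debug("%s: supported OID set not prepared before sandbox", __func__);` on that path would make the failure mode visible in logs. Whether a failed ssh_gssapi_supported_oids() leaves the static NULL, and what gss_test_oid_set_member() does with a NULL set, cannot be decided from this hunk.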
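Review bot: The two prototypes added to ssh-gss.h carry no note of the ordering contract the gss-serv.c comment establishes: ssh_gssapi_prepare_supported_oids() must run before the privsep sandbox is entered, and ssh_gssapi_test_oid_supported() only stays sandbox-safe if it did. A one-line comment above them, `/* prepare_supported_oids() must run before the preauth sandbox is entered */`, would keep that from having to be rediscovered when the next caller is added.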
@@ -598,6 +598,10 @@ privsep_preauth_child(void)
 	/* Enable challenge-response authentication for privilege separation */
 	privsep_challenge_enable();
 
+	/* Cache supported mechanism OIDs for later use */
+	if (options.gss_authentication)
+		ssh_gssapi_prepare_supported_oids();
+
 	arc4random_buf(rnd, sizeof(rnd));
 	RAND_seed(rnd, sizeof(rnd));
 	explicit_bzero(rnd, sizeof(rnd));
|
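Review bot: The comment on the new `ssh_gssapi_prepare_supported_oids();` call, `/* Cache supported mechanism OIDs for later use */`, says what it does but not why it has to happen here rather than in userauth_gssapi(); if, as its name suggests, privsep_preauth_child() goes on to drop privileges and the sandbox is applied after it returns (both outside this hunk), the library work behind ssh_gssapi_supported_oids() — presumably mechanism enumeration, possibly plugin loading — is being done deliberately with the parent's privileges and before any syscall filter, and that is worth stating. Suggested replacement: `/* Must run before the preauth sandbox: enumerating GSSAPI mechanisms can trigger sandbox violations */`. Note also that the call is guarded by `options.gss_authentication` and lives only in this function, so on any path to the sandboxed child that does not pass through privsep_preauth_child() (its caller is outside this hunk) the lazy fallback in gss-serv.c will perform the sandbox-violating call on the first GSSAPI request instead. privsep_preauth_child() begins and ends outside this hunk.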