Attachment 2406 Details for Bug 2107 – Cache supported oids before privilege separation

[patch] Cache supported oids before privilege separation

cache-supported-oids.diff (text/plain), 3.26 KB, created by Damien Miller on 2014-02-06 10:54:39 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Damien Miller

Created: 2014-02-06 10:54:39 AEDT

Size: 3.26 KB

patch

obsolete

>? _buildit
>? regress/setuid-allowed
>Index: auth2-gss.c
>===================================================================
>RCS file: /var/cvs/openssh/auth2-gss.c,v
>retrieving revision 1.23
>diff -u -p -r1.23 auth2-gss.c
>--- auth2-gss.c	1 Jun 2013 21:31:18 -0000	1.23
>+++ auth2-gss.c	5 Feb 2014 23:52:50 -0000
>@@ -62,7 +62,6 @@ userauth_gssapi(Authctxt *authctxt)
> 	gss_OID_desc goid = {0, NULL};
> 	Gssctxt *ctxt = NULL;
> 	int mechs;
>-	gss_OID_set supported;
> 	int present;
> 	OM_uint32 ms;
> 	u_int len;
>@@ -77,7 +76,6 @@ userauth_gssapi(Authctxt *authctxt)
> 		return (0);
> 	}
> 
>-	ssh_gssapi_supported_oids(&supported);
> 	do {
> 		mechs--;
> 
>@@ -90,14 +88,11 @@ userauth_gssapi(Authctxt *authctxt)
> 		    doid[1] == len - 2) {
> 			goid.elements = doid + 2;
> 			goid.length   = len - 2;
>-			gss_test_oid_set_member(&ms, &goid, supported,
>-			    &present);
>+			ssh_gssapi_test_oid_supported(&ms, &goid, &present);
> 		} else {
> 			logit("Badly formed OID received");
> 		}
> 	} while (mechs > 0 && !present);
>-
>-	gss_release_oid_set(&ms, &supported);
> 
> 	if (!present) {
> 		free(doid);
>Index: gss-serv.c
>===================================================================
>RCS file: /var/cvs/openssh/gss-serv.c,v
>retrieving revision 1.27
>diff -u -p -r1.27 gss-serv.c
>--- gss-serv.c	4 Feb 2014 00:20:15 -0000	1.27
>+++ gss-serv.c	5 Feb 2014 23:52:50 -0000
>@@ -66,6 +66,25 @@ ssh_gssapi_mech* supported_mechs[]= {
> 	&gssapi_null_mech,
> };
> 
>+/*
>+ * ssh_gssapi_supported_oids() can cause sandbox violations, so prepare the
>+ * list of supported mechanisms before privsep is set up.
>+ */
>+static gss_OID_set supported_oids;
>+
>+void
>+ssh_gssapi_prepare_supported_oids(void)
>+{
>+	ssh_gssapi_supported_oids(&supported_oids);
>+}
>+
>+OM_uint32
>+ssh_gssapi_test_oid_supported(OM_uint32 *ms, gss_OID member, int *present)
>+{
>+	if (supported_oids == NULL)
>+		ssh_gssapi_prepare_supported_oids();
>+	return gss_test_oid_set_member(ms, member, supported_oids, present);
>+}
> 
> /*
>  * Acquire credentials for a server running on the current host.
>Index: ssh-gss.h
>===================================================================
>RCS file: /var/cvs/openssh/ssh-gss.h,v
>retrieving revision 1.13
>diff -u -p -r1.13 ssh-gss.h
>--- ssh-gss.h	25 Feb 2013 00:24:44 -0000	1.13
>+++ ssh-gss.h	5 Feb 2014 23:52:50 -0000
>@@ -104,6 +104,8 @@ void ssh_gssapi_set_oid_data(Gssctxt *, 
> void ssh_gssapi_set_oid(Gssctxt *, gss_OID);
> void ssh_gssapi_supported_oids(gss_OID_set *);
> ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *);
>+void ssh_gssapi_prepare_supported_oids(void);
>+OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
> 
> OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
> OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
>Index: sshd.c
>===================================================================
>RCS file: /var/cvs/openssh/sshd.c,v
>retrieving revision 1.446
>diff -u -p -r1.446 sshd.c
>--- sshd.c	4 Feb 2014 00:20:16 -0000	1.446
>+++ sshd.c	5 Feb 2014 23:52:50 -0000
>@@ -618,6 +618,10 @@ privsep_preauth_child(void)
> 	/* Enable challenge-response authentication for privilege separation */
> 	privsep_challenge_enable();
> 
>+	/* Cache supported mechanism OIDs for later use */
>+	if (options.gss_authentication)
>+		ssh_gssapi_prepare_supported_oids();
>+
> 	arc4random_stir();
> 	arc4random_buf(rnd, sizeof(rnd));
> 	RAND_seed(rnd, sizeof(rnd));

Actions: View | Diff

Attachments on bug 2107: 2273 | 2406 | 3168