From e6a74aeeacd01d885262ff8e50eb28faee8c8039 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Thu, 27 Feb 2014 10:17:49 +1100
Subject: [PATCH]    - djm@cvs.openbsd.org 2014/02/26 20:28:44     
 [auth2-gss.c gss-serv.c ssh-gss.h sshd.c]      bz#2107 - cache OIDs of
 supported GSSAPI mechanisms before privsep      sandboxing, as running this
 code in the sandbox can cause violations;      ok markus@

---
 ChangeLog   |  5 +++++
 auth2-gss.c |  9 ++-------
 gss-serv.c  | 21 ++++++++++++++++++++-
 ssh-gss.h   |  4 +++-
 sshd.c      |  6 +++++-
 5 files changed, 35 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 84833fb3c..6a4b551b9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,11 @@
      [ssh.c]
      bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
      ok dtucker@ markus@
+   - djm@cvs.openbsd.org 2014/02/26 20:28:44
+     [auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
+     bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
+     sandboxing, as running this code in the sandbox can cause violations;
+     ok markus@
 
 20140224
  - OpenBSD CVS Sync
diff --git a/auth2-gss.c b/auth2-gss.c
index 638d8f88e..c28a705cb 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.21 2014/02/26 20:28:44 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -62,7 +62,6 @@ userauth_gssapi(Authctxt *authctxt)
 	gss_OID_desc goid = {0, NULL};
 	Gssctxt *ctxt = NULL;
 	int mechs;
-	gss_OID_set supported;
 	int present;
 	OM_uint32 ms;
 	u_int len;
@@ -77,7 +76,6 @@ userauth_gssapi(Authctxt *authctxt)
 		return (0);
 	}
 
-	ssh_gssapi_supported_oids(&supported);
 	do {
 		mechs--;
 
@@ -90,15 +88,12 @@ userauth_gssapi(Authctxt *authctxt)
 		    doid[1] == len - 2) {
 			goid.elements = doid + 2;
 			goid.length   = len - 2;
-			gss_test_oid_set_member(&ms, &goid, supported,
-			    &present);
+			ssh_gssapi_test_oid_supported(&ms, &goid, &present);
 		} else {
 			logit("Badly formed OID received");
 		}
 	} while (mechs > 0 && !present);
 
-	gss_release_oid_set(&ms, &supported);
-
 	if (!present) {
 		free(doid);
 		authctxt->server_caused_failure = 1;
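Review bot: The major status returned by `ssh_gssapi_test_oid_supported()` on the replaced line is discarded, so a failing `gss_test_oid_set_member()` (for example when the cached OID set could not be built) is indistinguishable from a genuine "not supported" answer and relies entirely on `present` having been cleared earlier in the loop, which is outside this hunk. The old code had the same gap, but now that the lookup goes through a wrapper with a lazy-initialisation path it is worth failing explicitly: `if (GSS_ERROR(ssh_gssapi_test_oid_supported(&ms, &goid, &present))) present = 0;`, optionally with a `debug()` line recording the failure. userauth_gssapi() begins and ends outside the hunk.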
diff --git a/gss-serv.c b/gss-serv.c
index b61e6e140..e61b37bec 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.25 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -66,6 +66,25 @@ ssh_gssapi_mech* supported_mechs[]= {
 	&gssapi_null_mech,
 };
 
+/*
+ * ssh_gssapi_supported_oids() can cause sandbox violations, so prepare the
+ * list of supported mechanisms before privsep is set up.
+ */
+static gss_OID_set supported_oids;
+
+void
+ssh_gssapi_prepare_supported_oids(void)
+{
+	ssh_gssapi_supported_oids(&supported_oids);
+}
+
+OM_uint32
+ssh_gssapi_test_oid_supported(OM_uint32 *ms, gss_OID member, int *present)
+{
+	if (supported_oids == NULL)
+		ssh_gssapi_prepare_supported_oids();
+	return gss_test_oid_set_member(ms, member, supported_oids, present);
+}
 
 /*
  * Acquire credentials for a server running on the current host.
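Review bot: `ssh_gssapi_test_oid_supported()` hands `supported_oids` to `gss_test_oid_set_member()` even when the lazy `ssh_gssapi_prepare_supported_oids()` call leaves it NULL; whether that can happen depends on `ssh_gssapi_supported_oids()`, which is not in this hunk, but a GSS library given a NULL set will at best return GSS_S_CALL_INACCESSIBLE_READ and at worst dereference it. The fallback is also exactly the path the new comment warns about — it re-runs `ssh_gssapi_supported_oids()` inside the sandbox if the cache was never prepared — so it deserves a comment saying so. I would re-check the set after the fallback and fail closed, treating an unbuildable set as "mechanism not supported" rather than passing NULL on.
```c
OM_uint32
ssh_gssapi_test_oid_supported(OM_uint32 *ms, gss_OID member, int *present)
{
	if (supported_oids == NULL) {
		/* Cache was not prepared before privsep: this is the sandbox-unsafe path */
		ssh_gssapi_prepare_supported_oids();
	}
	if (supported_oids == NULL) {
		/* Set could not be built: fail closed as "unsupported" */
		*ms = 0;
		*present = 0;
		return GSS_S_FAILURE;
	}
	return gss_test_oid_set_member(ms, member, supported_oids, present);
}
```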
diff --git a/ssh-gss.h b/ssh-gss.h
index 077e13ce4..a99d7f08b 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
+/* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
  *
@@ -104,6 +104,8 @@ void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
 void ssh_gssapi_set_oid(Gssctxt *, gss_OID);
 void ssh_gssapi_supported_oids(gss_OID_set *);
 ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *);
+void ssh_gssapi_prepare_supported_oids(void);
+OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
 
 OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
 OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
diff --git a/sshd.c b/sshd.c
index 93e698b5d..51d7078e4 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.418 2014/02/02 03:44:32 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.419 2014/02/26 20:28:44 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -618,6 +618,10 @@ privsep_preauth_child(void)
 	/* Enable challenge-response authentication for privilege separation */
 	privsep_challenge_enable();
 
+	/* Cache supported mechanism OIDs for later use */
+	if (options.gss_authentication)
+		ssh_gssapi_prepare_supported_oids();
+
 	arc4random_stir();
 	arc4random_buf(rnd, sizeof(rnd));
 	RAND_seed(rnd, sizeof(rnd));
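Review bot: The added call to `ssh_gssapi_prepare_supported_oids()` is not bracketed by `#ifdef GSSAPI`; if ssh-gss.h only declares that prototype under the GSSAPI macro (its guard is not visible in this diff, but that is how the other GSSAPI references in sshd.c are presumably compiled out) a build without GSSAPI gets an implicit declaration and an unresolved symbol, so I would wrap the three lines in `#ifdef GSSAPI` / `#endif`. The comment should also state why the work is hoisted to this point: `/* Cache supported GSSAPI mechanism OIDs now: building the set may need syscalls the preauth sandbox forbids */`. privsep_preauth_child() starts and ends outside the hunk, so I cannot confirm from here that this runs before the sandbox is entered.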