ssh: use the correct token from the client

bodgit · gopherbot · commit 1cf1811d7195 · 2023-11-11T11:26:14.000Z
This fixes the case where AcceptSecContext is always called with the first token sent by the client instead of the most recently sent one. Previously, despite being being read from the client and unmarshalled, it was never actually used. Fixes golang/go#43875 Change-Id: I1967d9a107af03d6778a9437b48e785d61710ee5 GitHub-Last-Rev: 0d58e4d GitHub-Pull-Request: #176 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/286252 Run-TryBot: Filippo Valsorda <filippo@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Matthew Dempsky <mdempsky@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Run-TryBot: Nicola Murino <nicola.murino@gmail.com> Reviewed-by: Nicola Murino <nicola.murino@gmail.com> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Than McIntosh <thanm@google.com>
diff --git a/ssh/server.go b/ssh/server.go
@@ -337,7 +337,7 @@ func checkSourceAddress(addr net.Addr, sourceAddrs string) error {
 	return fmt.Errorf("ssh: remote address %v is not allowed because of source-address restriction", addr)
 }
 
-func gssExchangeToken(gssapiConfig *GSSAPIWithMICConfig, firstToken []byte, s *connection,
+func gssExchangeToken(gssapiConfig *GSSAPIWithMICConfig, token []byte, s *connection,
 	sessionID []byte, userAuthReq userAuthRequestMsg) (authErr error, perms *Permissions, err error) {
 	gssAPIServer := gssapiConfig.Server
 	defer gssAPIServer.DeleteSecContext()
@@ -347,7 +347,7 @@ func gssExchangeToken(gssapiConfig *GSSAPIWithMICConfig, firstToken []byte, s *c
 			outToken     []byte
 			needContinue bool
 		)
-		outToken, srcName, needContinue, err = gssAPIServer.AcceptSecContext(firstToken)
+		outToken, srcName, needContinue, err = gssAPIServer.AcceptSecContext(token)
 		if err != nil {
 			return err, nil, nil
 		}
@@ -369,6 +369,7 @@ func gssExchangeToken(gssapiConfig *GSSAPIWithMICConfig, firstToken []byte, s *c
 		if err := Unmarshal(packet, userAuthGSSAPITokenReq); err != nil {
 			return nil, nil, err
 		}
+		token = userAuthGSSAPITokenReq.Token
 	}
 	packet, err := s.transport.readPacket()
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -337,7 +337,7 @@ func checkSourceAddress(addr net.Addr, sourceAddrs string) error {`
`337`	`337`	`return fmt.Errorf("ssh: remote address %v is not allowed because of source-address restriction", addr)`
`338`	`338`	`}`
`339`	`339`
`340`		`-func gssExchangeToken(gssapiConfig GSSAPIWithMICConfig, firstToken []byte, s connection,`
	`340`	`+func gssExchangeToken(gssapiConfig GSSAPIWithMICConfig, token []byte, s connection,`
`341`	`341`	`sessionID []byte, userAuthReq userAuthRequestMsg) (authErr error, perms *Permissions, err error) {`
`342`	`342`	`gssAPIServer := gssapiConfig.Server`
`343`	`343`	`defer gssAPIServer.DeleteSecContext()`
`@@ -347,7 +347,7 @@ func gssExchangeToken(gssapiConfig GSSAPIWithMICConfig, firstToken []byte, s c`
`347`	`347`	`outToken []byte`
`348`	`348`	`needContinue bool`
`349`	`349`	`)`
`350`		`- outToken, srcName, needContinue, err = gssAPIServer.AcceptSecContext(firstToken)`
	`350`	`+ outToken, srcName, needContinue, err = gssAPIServer.AcceptSecContext(token)`
`351`	`351`	`if err != nil {`
`352`	`352`	`return err, nil, nil`
`353`	`353`	`}`
`@@ -369,6 +369,7 @@ func gssExchangeToken(gssapiConfig GSSAPIWithMICConfig, firstToken []byte, s c`
`369`	`369`	`if err := Unmarshal(packet, userAuthGSSAPITokenReq); err != nil {`
`370`	`370`	`return nil, nil, err`
`371`	`371`	`}`
	`372`	`+ token = userAuthGSSAPITokenReq.Token`
`372`	`373`	`}`
`373`	`374`	`packet, err := s.transport.readPacket()`
`374`	`375`	`if err != nil {`