summaryrefslogtreecommitdiff
path: root/vendor/golang.org/x/crypto/ssh
diff options
context:
space:
mode:
authorLibravatar dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>2025-02-10 15:52:55 +0000
committerLibravatar GitHub <noreply@github.com>2025-02-10 15:52:55 +0000
commit4ac5447ad61f9afc73b542d9d6eb36e29fd79af4 (patch)
tree2a9c14fa9e8e984e6db9646213255563171e0508 /vendor/golang.org/x/crypto/ssh
parent[chore]: Bump github.com/minio/minio-go/v7 from 7.0.84 to 7.0.85 (#3772) (diff)
downloadgotosocial-4ac5447ad61f9afc73b542d9d6eb36e29fd79af4.tar.xz
[chore]: Bump golang.org/x/crypto from 0.32.0 to 0.33.0 (#3771)
Diffstat (limited to 'vendor/golang.org/x/crypto/ssh')
-rw-r--r--vendor/golang.org/x/crypto/ssh/handshake.go14
-rw-r--r--vendor/golang.org/x/crypto/ssh/server.go50
2 files changed, 49 insertions, 15 deletions
diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
index 56cdc7c21..fef687db0 100644
--- a/vendor/golang.org/x/crypto/ssh/handshake.go
+++ b/vendor/golang.org/x/crypto/ssh/handshake.go
@@ -80,6 +80,7 @@ type handshakeTransport struct {
pendingPackets [][]byte // Used when a key exchange is in progress.
writePacketsLeft uint32
writeBytesLeft int64
+ userAuthComplete bool // whether the user authentication phase is complete
// If the read loop wants to schedule a kex, it pings this
// channel, and the write loop will send out a kex
@@ -552,16 +553,25 @@ func (t *handshakeTransport) sendKexInit() error {
return nil
}
+var errSendBannerPhase = errors.New("ssh: SendAuthBanner outside of authentication phase")
+
func (t *handshakeTransport) writePacket(p []byte) error {
+ t.mu.Lock()
+ defer t.mu.Unlock()
+
switch p[0] {
case msgKexInit:
return errors.New("ssh: only handshakeTransport can send kexInit")
case msgNewKeys:
return errors.New("ssh: only handshakeTransport can send newKeys")
+ case msgUserAuthBanner:
+ if t.userAuthComplete {
+ return errSendBannerPhase
+ }
+ case msgUserAuthSuccess:
+ t.userAuthComplete = true
}
- t.mu.Lock()
- defer t.mu.Unlock()
if t.writeError != nil {
return t.writeError
}
diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go
index 5b5ccd96f..1839ddc6a 100644
--- a/vendor/golang.org/x/crypto/ssh/server.go
+++ b/vendor/golang.org/x/crypto/ssh/server.go
@@ -59,6 +59,27 @@ type GSSAPIWithMICConfig struct {
Server GSSAPIServer
}
+// SendAuthBanner implements [ServerPreAuthConn].
+func (s *connection) SendAuthBanner(msg string) error {
+ return s.transport.writePacket(Marshal(&userAuthBannerMsg{
+ Message: msg,
+ }))
+}
+
+func (*connection) unexportedMethodForFutureProofing() {}
+
+// ServerPreAuthConn is the interface available on an incoming server
+// connection before authentication has completed.
+type ServerPreAuthConn interface {
+ unexportedMethodForFutureProofing() // permits growing ServerPreAuthConn safely later, ala testing.TB
+
+ ConnMetadata
+
+ // SendAuthBanner sends a banner message to the client.
+ // It returns an error once the authentication phase has ended.
+ SendAuthBanner(string) error
+}
+
// ServerConfig holds server specific configuration data.
type ServerConfig struct {
// Config contains configuration shared between client and server.
@@ -118,6 +139,12 @@ type ServerConfig struct {
// attempts.
AuthLogCallback func(conn ConnMetadata, method string, err error)
+ // PreAuthConnCallback, if non-nil, is called upon receiving a new connection
+ // before any authentication has started. The provided ServerPreAuthConn
+ // can be used at any time before authentication is complete, including
+ // after this callback has returned.
+ PreAuthConnCallback func(ServerPreAuthConn)
+
// ServerVersion is the version identification string to announce in
// the public handshake.
// If empty, a reasonable default is used.
@@ -488,6 +515,10 @@ func (b *BannerError) Error() string {
}
func (s *connection) serverAuthenticate(config *ServerConfig) (*Permissions, error) {
+ if config.PreAuthConnCallback != nil {
+ config.PreAuthConnCallback(s)
+ }
+
sessionID := s.transport.getSessionID()
var cache pubKeyCache
var perms *Permissions
@@ -495,7 +526,7 @@ func (s *connection) serverAuthenticate(config *ServerConfig) (*Permissions, err
authFailures := 0
noneAuthCount := 0
var authErrs []error
- var displayedBanner bool
+ var calledBannerCallback bool
partialSuccessReturned := false
// Set the initial authentication callbacks from the config. They can be
// changed if a PartialSuccessError is returned.
@@ -542,14 +573,10 @@ userAuthLoop:
s.user = userAuthReq.User
- if !displayedBanner && config.BannerCallback != nil {
- displayedBanner = true
- msg := config.BannerCallback(s)
- if msg != "" {
- bannerMsg := &userAuthBannerMsg{
- Message: msg,
- }
- if err := s.transport.writePacket(Marshal(bannerMsg)); err != nil {
+ if !calledBannerCallback && config.BannerCallback != nil {
+ calledBannerCallback = true
+ if msg := config.BannerCallback(s); msg != "" {
+ if err := s.SendAuthBanner(msg); err != nil {
return nil, err
}
}
@@ -762,10 +789,7 @@ userAuthLoop:
var bannerErr *BannerError
if errors.As(authErr, &bannerErr) {
if bannerErr.Message != "" {
- bannerMsg := &userAuthBannerMsg{
- Message: bannerErr.Message,
- }
- if err := s.transport.writePacket(Marshal(bannerMsg)); err != nil {
+ if err := s.SendAuthBanner(bannerErr.Message); err != nil {
return nil, err
}
}