Use the correct token from the client

bodgit · bodgit · commit 0d58e4d50014 · 2021-01-25T10:13:25.000Z
This fixes the case where AcceptSecContext is always called with the first token sent by the client instead of the most recently sent one. Fixes golang/go#43875
diff --git a/ssh/server.go b/ssh/server.go
@@ -321,7 +321,7 @@ func checkSourceAddress(addr net.Addr, sourceAddrs string) error {
 	return fmt.Errorf("ssh: remote address %v is not allowed because of source-address restriction", addr)
 }
 
-func gssExchangeToken(gssapiConfig *GSSAPIWithMICConfig, firstToken []byte, s *connection,
+func gssExchangeToken(gssapiConfig *GSSAPIWithMICConfig, token []byte, s *connection,
 	sessionID []byte, userAuthReq userAuthRequestMsg) (authErr error, perms *Permissions, err error) {
 	gssAPIServer := gssapiConfig.Server
 	defer gssAPIServer.DeleteSecContext()
@@ -331,7 +331,7 @@ func gssExchangeToken(gssapiConfig *GSSAPIWithMICConfig, firstToken []byte, s *c
 			outToken     []byte
 			needContinue bool
 		)
-		outToken, srcName, needContinue, err = gssAPIServer.AcceptSecContext(firstToken)
+		outToken, srcName, needContinue, err = gssAPIServer.AcceptSecContext(token)
 		if err != nil {
 			return err, nil, nil
 		}
@@ -353,6 +353,7 @@ func gssExchangeToken(gssapiConfig *GSSAPIWithMICConfig, firstToken []byte, s *c
 		if err := Unmarshal(packet, userAuthGSSAPITokenReq); err != nil {
 			return nil, nil, err
 		}
+		token = userAuthGSSAPITokenReq.Token
 	}
 	packet, err := s.transport.readPacket()
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -321,7 +321,7 @@ func checkSourceAddress(addr net.Addr, sourceAddrs string) error {`
`321`	`321`	`return fmt.Errorf("ssh: remote address %v is not allowed because of source-address restriction", addr)`
`322`	`322`	`}`
`323`	`323`
`324`		`-func gssExchangeToken(gssapiConfig GSSAPIWithMICConfig, firstToken []byte, s connection,`
	`324`	`+func gssExchangeToken(gssapiConfig GSSAPIWithMICConfig, token []byte, s connection,`
`325`	`325`	`sessionID []byte, userAuthReq userAuthRequestMsg) (authErr error, perms *Permissions, err error) {`
`326`	`326`	`gssAPIServer := gssapiConfig.Server`
`327`	`327`	`defer gssAPIServer.DeleteSecContext()`
`@@ -331,7 +331,7 @@ func gssExchangeToken(gssapiConfig GSSAPIWithMICConfig, firstToken []byte, s c`
`331`	`331`	`outToken []byte`
`332`	`332`	`needContinue bool`
`333`	`333`	`)`
`334`		`- outToken, srcName, needContinue, err = gssAPIServer.AcceptSecContext(firstToken)`
	`334`	`+ outToken, srcName, needContinue, err = gssAPIServer.AcceptSecContext(token)`
`335`	`335`	`if err != nil {`
`336`	`336`	`return err, nil, nil`
`337`	`337`	`}`
`@@ -353,6 +353,7 @@ func gssExchangeToken(gssapiConfig GSSAPIWithMICConfig, firstToken []byte, s c`
`353`	`353`	`if err := Unmarshal(packet, userAuthGSSAPITokenReq); err != nil {`
`354`	`354`	`return nil, nil, err`
`355`	`355`	`}`
	`356`	`+ token = userAuthGSSAPITokenReq.Token`
`356`	`357`	`}`
`357`	`358`	`packet, err := s.transport.readPacket()`
`358`	`359`	`if err != nil {`