ran go mod vendor on the whole project

2019-10-24 19:55:06 -04:00 · 2019-10-24 19:55:06 -04:00 · 28d10d9d39
commit 28d10d9d39
parent 26f96f361f
346 changed files with 12917 additions and 66931 deletions
--- a/vendor/golang.org/x/crypto/ssh/server.go
+++ b/vendor/golang.org/x/crypto/ssh/server.go
@ -45,20 +45,6 @@ type Permissions struct {
 	Extensions map[string]string
 }

-type GSSAPIWithMICConfig struct {
-	// AllowLogin, must be set, is called when gssapi-with-mic
-	// authentication is selected (RFC 4462 section 3). The srcName is from the
-	// results of the GSS-API authentication. The format is username@DOMAIN.
-	// GSSAPI just guarantees to the server who the user is, but not if they can log in, and with what permissions.
-	// This callback is called after the user identity is established with GSSAPI to decide if the user can login with
-	// which permissions. If the user is allowed to login, it should return a nil error.
-	AllowLogin func(conn ConnMetadata, srcName string) (*Permissions, error)
-
-	// Server must be set. It's the implementation
-	// of the GSSAPIServer interface. See GSSAPIServer interface for details.
-	Server GSSAPIServer
-}
-
 // ServerConfig holds server specific configuration data.
 type ServerConfig struct {
 	// Config contains configuration shared between client and server.
@ -113,10 +99,6 @@ type ServerConfig struct {
 	// BannerCallback, if present, is called and the return string is sent to
 	// the client after key exchange completed but before authentication.
 	BannerCallback func(conn ConnMetadata) string
-
-	// GSSAPIWithMICConfig includes gssapi server and callback, which if both non-nil, is used
-	// when gssapi-with-mic authentication is selected (RFC 4462 section 3).
-	GSSAPIWithMICConfig *GSSAPIWithMICConfig
 }

 // AddHostKey adds a private key as a host key. If an existing host
@ -193,12 +175,6 @@ func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewCha
 	if fullConf.MaxAuthTries == 0 {
 		fullConf.MaxAuthTries = 6
 	}
-	// Check if the config contains any unsupported key exchanges
-	for _, kex := range fullConf.KeyExchanges {
-		if _, ok := serverForbiddenKexAlgos[kex]; ok {
-			return nil, nil, nil, fmt.Errorf("ssh: unsupported key exchange %s for server", kex)
-		}
-	}

 	s := &connection{
 		sshConn: sshConn{conn: c},
@ -228,9 +204,7 @@ func (s *connection) serverHandshake(config *ServerConfig) (*Permissions, error)
 		return nil, errors.New("ssh: server has no host keys")
 	}

-	if !config.NoClientAuth && config.PasswordCallback == nil && config.PublicKeyCallback == nil &&
-		config.KeyboardInteractiveCallback == nil && (config.GSSAPIWithMICConfig == nil ||
-		config.GSSAPIWithMICConfig.AllowLogin == nil || config.GSSAPIWithMICConfig.Server == nil) {
+	if !config.NoClientAuth && config.PasswordCallback == nil && config.PublicKeyCallback == nil && config.KeyboardInteractiveCallback == nil {
 		return nil, errors.New("ssh: no authentication methods configured but NoClientAuth is also false")
 	}

@ -321,55 +295,6 @@ func checkSourceAddress(addr net.Addr, sourceAddrs string) error {
 	return fmt.Errorf("ssh: remote address %v is not allowed because of source-address restriction", addr)
 }

-func gssExchangeToken(gssapiConfig *GSSAPIWithMICConfig, firstToken []byte, s *connection,
-	sessionID []byte, userAuthReq userAuthRequestMsg) (authErr error, perms *Permissions, err error) {
-	gssAPIServer := gssapiConfig.Server
-	defer gssAPIServer.DeleteSecContext()
-	var srcName string
-	for {
-		var (
-			outToken     []byte
-			needContinue bool
-		)
-		outToken, srcName, needContinue, err = gssAPIServer.AcceptSecContext(firstToken)
-		if err != nil {
-			return err, nil, nil
-		}
-		if len(outToken) != 0 {
-			if err := s.transport.writePacket(Marshal(&userAuthGSSAPIToken{
-				Token: outToken,
-			})); err != nil {
-				return nil, nil, err
-			}
-		}
-		if !needContinue {
-			break
-		}
-		packet, err := s.transport.readPacket()
-		if err != nil {
-			return nil, nil, err
-		}
-		userAuthGSSAPITokenReq := &userAuthGSSAPIToken{}
-		if err := Unmarshal(packet, userAuthGSSAPITokenReq); err != nil {
-			return nil, nil, err
-		}
-	}
-	packet, err := s.transport.readPacket()
-	if err != nil {
-		return nil, nil, err
-	}
-	userAuthGSSAPIMICReq := &userAuthGSSAPIMIC{}
-	if err := Unmarshal(packet, userAuthGSSAPIMICReq); err != nil {
-		return nil, nil, err
-	}
-	mic := buildMIC(string(sessionID), userAuthReq.User, userAuthReq.Service, userAuthReq.Method)
-	if err := gssAPIServer.VerifyMIC(mic, userAuthGSSAPIMICReq.MIC); err != nil {
-		return err, nil, nil
-	}
-	perms, authErr = gssapiConfig.AllowLogin(s, srcName)
-	return authErr, perms, nil
-}
-
 // ServerAuthError represents server authentication errors and is
 // sometimes returned by NewServerConn. It appends any authentication
 // errors that may occur, and is returned if all of the authentication
@ -479,7 +404,7 @@ userAuthLoop:
 			perms, authErr = config.PasswordCallback(s, password)
 		case "keyboard-interactive":
 			if config.KeyboardInteractiveCallback == nil {
-				authErr = errors.New("ssh: keyboard-interactive auth not configured")
+				authErr = errors.New("ssh: keyboard-interactive auth not configubred")
 				break
 			}

@ -559,7 +484,6 @@ userAuthLoop:
 				// sig.Format.  This is usually the same, but
 				// for certs, the names differ.
 				if !isAcceptableAlgo(sig.Format) {
-					authErr = fmt.Errorf("ssh: algorithm %q not accepted", sig.Format)
 					break
 				}
 				signedData := buildDataSignedForAuth(sessionID, userAuthReq, algoBytes, pubKeyData)
@ -571,49 +495,6 @@ userAuthLoop:
 				authErr = candidate.result
 				perms = candidate.perms
 			}
-		case "gssapi-with-mic":
-			gssapiConfig := config.GSSAPIWithMICConfig
-			userAuthRequestGSSAPI, err := parseGSSAPIPayload(userAuthReq.Payload)
-			if err != nil {
-				return nil, parseError(msgUserAuthRequest)
-			}
-			// OpenSSH supports Kerberos V5 mechanism only for GSS-API authentication.
-			if userAuthRequestGSSAPI.N == 0 {
-				authErr = fmt.Errorf("ssh: Mechanism negotiation is not supported")
-				break
-			}
-			var i uint32
-			present := false
-			for i = 0; i < userAuthRequestGSSAPI.N; i++ {
-				if userAuthRequestGSSAPI.OIDS[i].Equal(krb5Mesh) {
-					present = true
-					break
-				}
-			}
-			if !present {
-				authErr = fmt.Errorf("ssh: GSSAPI authentication must use the Kerberos V5 mechanism")
-				break
-			}
-			// Initial server response, see RFC 4462 section 3.3.
-			if err := s.transport.writePacket(Marshal(&userAuthGSSAPIResponse{
-				SupportMech: krb5OID,
-			})); err != nil {
-				return nil, err
-			}
-			// Exchange token, see RFC 4462 section 3.4.
-			packet, err := s.transport.readPacket()
-			if err != nil {
-				return nil, err
-			}
-			userAuthGSSAPITokenReq := &userAuthGSSAPIToken{}
-			if err := Unmarshal(packet, userAuthGSSAPITokenReq); err != nil {
-				return nil, err
-			}
-			authErr, perms, err = gssExchangeToken(gssapiConfig, userAuthGSSAPITokenReq.Token, s, sessionID,
-				userAuthReq)
-			if err != nil {
-				return nil, err
-			}
 		default:
 			authErr = fmt.Errorf("ssh: unknown method %q", userAuthReq.Method)
 		}
@ -640,10 +521,6 @@ userAuthLoop:
 		if config.KeyboardInteractiveCallback != nil {
 			failureMsg.Methods = append(failureMsg.Methods, "keyboard-interactive")
 		}
-		if config.GSSAPIWithMICConfig != nil && config.GSSAPIWithMICConfig.Server != nil &&
-			config.GSSAPIWithMICConfig.AllowLogin != nil {
-			failureMsg.Methods = append(failureMsg.Methods, "gssapi-with-mic")
-		}

 		if len(failureMsg.Methods) == 0 {
 			return nil, errors.New("ssh: no authentication methods configured but NoClientAuth is also false")