summaryrefslogtreecommitdiffstats
path: root/vendor/golang.org/x/crypto/ssh
diff options
context:
space:
mode:
authorWim <wim@42.be>2022-03-12 23:02:04 +0100
committerWim <wim@42.be>2022-03-20 14:57:48 +0100
commitaefa70891cfd489fccb8a9567b5bdafb0f863ede (patch)
tree90fe7c91d7b33b2a1ed08ea3a94840860adc6fc1 /vendor/golang.org/x/crypto/ssh
parent1b9877fda45be021ea6a5677c78648cecc19dcd5 (diff)
downloadmatterbridge-msglm-aefa70891cfd489fccb8a9567b5bdafb0f863ede.tar.gz
matterbridge-msglm-aefa70891cfd489fccb8a9567b5bdafb0f863ede.tar.bz2
matterbridge-msglm-aefa70891cfd489fccb8a9567b5bdafb0f863ede.zip
Update vendor (whatsapp)
Diffstat (limited to 'vendor/golang.org/x/crypto/ssh')
-rw-r--r--vendor/golang.org/x/crypto/ssh/cipher.go8
-rw-r--r--vendor/golang.org/x/crypto/ssh/server.go24
2 files changed, 32 insertions, 0 deletions
diff --git a/vendor/golang.org/x/crypto/ssh/cipher.go b/vendor/golang.org/x/crypto/ssh/cipher.go
index bddbde5d..f8bdf498 100644
--- a/vendor/golang.org/x/crypto/ssh/cipher.go
+++ b/vendor/golang.org/x/crypto/ssh/cipher.go
@@ -394,6 +394,10 @@ func (c *gcmCipher) readCipherPacket(seqNum uint32, r io.Reader) ([]byte, error)
}
c.incIV()
+ if len(plain) == 0 {
+ return nil, errors.New("ssh: empty packet")
+ }
+
padding := plain[0]
if padding < 4 {
// padding is a byte, so it automatically satisfies
@@ -710,6 +714,10 @@ func (c *chacha20Poly1305Cipher) readCipherPacket(seqNum uint32, r io.Reader) ([
plain := c.buf[4:contentEnd]
s.XORKeyStream(plain, plain)
+ if len(plain) == 0 {
+ return nil, errors.New("ssh: empty packet")
+ }
+
padding := plain[0]
if padding < 4 {
// padding is a byte, so it automatically satisfies
diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go
index 6a58e120..bf5364c3 100644
--- a/vendor/golang.org/x/crypto/ssh/server.go
+++ b/vendor/golang.org/x/crypto/ssh/server.go
@@ -633,6 +633,30 @@ userAuthLoop:
}
authFailures++
+ if config.MaxAuthTries > 0 && authFailures >= config.MaxAuthTries {
+ // If we have hit the max attempts, don't bother sending the
+ // final SSH_MSG_USERAUTH_FAILURE message, since there are
+ // no more authentication methods which can be attempted,
+ // and this message may cause the client to re-attempt
+ // authentication while we send the disconnect message.
+ // Continue, and trigger the disconnect at the start of
+ // the loop.
+ //
+ // The SSH specification is somewhat confusing about this,
+ // RFC 4252 Section 5.1 requires each authentication failure
+ // be responded to with a respective SSH_MSG_USERAUTH_FAILURE
+ // message, but Section 4 says the server should disconnect
+ // after some number of attempts, but it isn't explicit which
+ // message should take precedence (i.e. should there be a failure
+ // message than a disconnect message, or if we are going to
+ // disconnect, should we only send that message.)
+ //
+ // Either way, OpenSSH disconnects immediately after the last
+ // failed authnetication attempt, and given they are typically
+ // considered the golden implementation it seems reasonable
+ // to match that behavior.
+ continue
+ }
var failureMsg userAuthFailureMsg
if config.PasswordCallback != nil {