ssh: disallow gssapi-with-mic if GSSAPIWithMICConfig is not set

The ability to trigger the 'gssapi-with-mic' authentication method is
not properly gated by the presence of the GSSAPIWithMICConfig field of
the ServerConfig type. If this field is not set and a client sends a
'gssapi-with-mic' request, regardless of if the server advertises it,
the server will panic.

This issue was discovered and reported by Joern Schneewesiz, GitLab
Security Research Team.

Fixes CVE-2020-29652

Change-Id: Ie25de2766e442c8ab46680aae3ac89b0823cdeed
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/278852
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
1 file changed
tree: 0183928d2fafb2f715756a35d986eeae89f39afa
  1. .gitattributes
  2. .gitignore
  3. AUTHORS
  4. CONTRIBUTING.md
  5. CONTRIBUTORS
  6. LICENSE
  7. PATENTS
  8. README.md
  9. acme/
  10. argon2/
  11. bcrypt/
  12. blake2b/
  13. blake2s/
  14. blowfish/
  15. bn256/
  16. cast5/
  17. chacha20/
  18. chacha20poly1305/
  19. codereview.cfg
  20. cryptobyte/
  21. curve25519/
  22. ed25519/
  23. go.mod
  24. go.sum
  25. hkdf/
  26. internal/
  27. md4/
  28. nacl/
  29. ocsp/
  30. openpgp/
  31. otr/
  32. pbkdf2/
  33. pkcs12/
  34. poly1305/
  35. ripemd160/
  36. salsa20/
  37. scrypt/
  38. sha3/
  39. ssh/
  40. tea/
  41. twofish/
  42. xtea/
  43. xts/
README.md

Go Cryptography

Go Reference

This repository holds supplementary Go cryptography libraries.

Download/Install

The easiest way to install is to run go get -u golang.org/x/crypto/.... You can also manually git clone the repository to $GOPATH/src/golang.org/x/crypto.

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html.

The main issue tracker for the crypto repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/crypto:” in the subject line, so it is easy to find.

Note that contributions to the cryptography package receive additional scrutiny due to their sensitive nature. Patches may take longer than normal to receive feedback.