rebase: bump golang.org/x/crypto from 0.29.0 to 0.31.0

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.29.0 to 0.31.0. - [Commits](https://github.com/golang/crypto/compare/v0.29.0...v0.31.0) updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production Cherry-picked-from: 53d5eda020 Signed-off-by: Niels de Vos <ndevos@ibm.com>
2025-06-13 18:43:34 +00:00 · 2024-12-12 05:48:53 +00:00
parent 887024d700
commit 48455d0b3c
26 changed files with 288 additions and 38 deletions
--- a/vendor/golang.org/x/crypto/ssh/server.go
+++ b/vendor/golang.org/x/crypto/ssh/server.go
@ -149,7 +149,7 @@ func (s *ServerConfig) AddHostKey(key Signer) {
 }

 // cachedPubKey contains the results of querying whether a public key is
-// acceptable for a user.
+// acceptable for a user. This is a FIFO cache.
 type cachedPubKey struct {
 	user       string
 	pubKeyData []byte
@ -157,7 +157,13 @@ type cachedPubKey struct {
 	perms      *Permissions
 }

-const maxCachedPubKeys = 16
+// maxCachedPubKeys is the number of cache entries we store.
+//
+// Due to consistent misuse of the PublicKeyCallback API, we have reduced this
+// to 1, such that the only key in the cache is the most recently seen one. This
+// forces the behavior that the last call to PublicKeyCallback will always be
+// with the key that is used for authentication.
+const maxCachedPubKeys = 1

 // pubKeyCache caches tests for public keys.  Since SSH clients
 // will query whether a public key is acceptable before attempting to
@ -179,9 +185,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) {

 // add adds the given tuple to the cache.
 func (c *pubKeyCache) add(candidate cachedPubKey) {
-	if len(c.keys) < maxCachedPubKeys {
-		c.keys = append(c.keys, candidate)
+	if len(c.keys) >= maxCachedPubKeys {
+		c.keys = c.keys[1:]
 	}
+	c.keys = append(c.keys, candidate)
 }

 // ServerConn is an authenticated SSH connection, as seen from the