Fix race conditions in GSSAPI calls

The GSSAPI functions are using shared contextId value. We need to use mutex to make sure that simultaneous calls to it work correctly.

Fix race conditions in GSSAPI calls
f45fb8de · Igor Drozdov · 2b2e560e · f45fb8de
Unverified Commit f45fb8de authored 1 year ago by Igor Drozdov
--- a/internal/sshd/gssapi.go
+++ b/internal/sshd/gssapi.go
@@ -4,6 +4,7 @@ package sshd

 import (
 	"fmt"
+	"sync"

 	"github.com/openshift/gssapi"

@@ -41,6 +42,7 @@ type OSGSSAPIServer struct {
 	Keytab               string
 	ServicePrincipalName string

+	mutex     sync.RWMutex
 	contextId *gssapi.CtxId
 }

@@ -62,6 +64,9 @@ func (server *OSGSSAPIServer) AcceptSecContext(
 	needContinue bool,
 	err error,
 ) {
+	server.mutex.Lock()
+	defer server.mutex.Unlock()
+
 	tokenBuffer, err := lib.MakeBufferBytes(token)
 	if err != nil {
 		return
@@ -111,6 +116,9 @@ func (server *OSGSSAPIServer) VerifyMIC(
 	micField []byte,
 	micToken []byte,
 ) error {
+	server.mutex.Lock()
+	defer server.mutex.Unlock()
+
 	if server.contextId == nil {
 		return fmt.Errorf("gssapi: uninitialized contextId")
 	}
@@ -132,6 +140,9 @@ func (server *OSGSSAPIServer) VerifyMIC(
 }

 func (server *OSGSSAPIServer) DeleteSecContext() error {
+	server.mutex.Lock()
+	defer server.mutex.Unlock()
+
 	if server.contextId == nil {
 		return nil
 	}