Merge branch 'id-gssapi-race-condition' into 'main'

Fix race conditions in GSSAPI calls See merge request https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/875 Merged-by: Patrick Bajao <ebajao@gitlab.com> Approved-by: Ash McKenzie <amckenzie@gitlab.com> Approved-by: Patrick Bajao <ebajao@gitlab.com> Approved-by: Stan Hu <stanhu@gmail.com> Co-authored-by: Igor Drozdov <idrozdov@gitlab.com>

Merge branch 'id-gssapi-race-condition' into 'main'
04c38c97 · Patrick Bajao · fad20dc2 · f45fb8de · 04c38c97
Commit 04c38c97 authored 1 year ago by Patrick Bajao
--- a/internal/sshd/gssapi.go
+++ b/internal/sshd/gssapi.go
@@ -4,6 +4,7 @@ package sshd

 import (
 	"fmt"
+	"sync"

 	"github.com/openshift/gssapi"

@@ -41,6 +42,7 @@ type OSGSSAPIServer struct {
 	Keytab               string
 	ServicePrincipalName string

+	mutex     sync.RWMutex
 	contextId *gssapi.CtxId
 }

@@ -62,6 +64,9 @@ func (server *OSGSSAPIServer) AcceptSecContext(
 	needContinue bool,
 	err error,
 ) {
+	server.mutex.Lock()
+	defer server.mutex.Unlock()
+
 	tokenBuffer, err := lib.MakeBufferBytes(token)
 	if err != nil {
 		return
@@ -111,6 +116,9 @@ func (server *OSGSSAPIServer) VerifyMIC(
 	micField []byte,
 	micToken []byte,
 ) error {
+	server.mutex.Lock()
+	defer server.mutex.Unlock()
+
 	if server.contextId == nil {
 		return fmt.Errorf("gssapi: uninitialized contextId")
 	}
@@ -132,6 +140,9 @@ func (server *OSGSSAPIServer) VerifyMIC(
 }

 func (server *OSGSSAPIServer) DeleteSecContext() error {
+	server.mutex.Lock()
+	defer server.mutex.Unlock()
+
 	if server.contextId == nil {
 		return nil
 	}