Update golang.org/x/crypto

[chmouel]

Dependabot bugs us about it with:

Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass
in golang.org/x/crypto #11

Applications and libraries which misuse the
ServerConfig.PublicKeyCallback callback may be susceptible to an
authorization bypass.

The documentation for ServerConfig.PublicKeyCallback says that "A call
to this function does not guarantee that the key offered is in fact used
to authenticate." Specifically, the SSH protocol allows clients to
inquire about whether a public key is acceptable before proving control
of the corresponding private key. PublicKeyCallback may be called with
multiple keys, and the order in which the keys were provided cannot be
used to infer which key the client successfully authenticated with, if
any. Some applications, which store the key(s) passed to
PublicKeyCallback (or derived information) and make security relevant
determinations based on it once the connection is established, may make
incorrect assumptions.

For example, an attacker may send public keys A and B, and then
authenticate with A. PublicKeyCallback would be called only twice, first
with A and then with B. A vulnerable application may then make
authorization decisions based on key B for which the attacker does not
actually control the private key.

Since this API is widely misused, as a partial mitigation
golang.org/x/[email protected] enforces the property that, when
successfully authenticating via public key, the last key passed to
ServerConfig.PublicKeyCallback will be the key used to authenticate the
connection. PublicKeyCallback will now be called multiple times with the
same key, if necessary. Note that the client may still not control the
last key passed to PublicKeyCallback if the connection is then
authenticated with a different method, such as PasswordCallback,
KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return
value from the various authentication callbacks to record data
associated with the authentication attempt instead of referencing
external state. Once the connection is established the state
corresponding to the successful authentication attempt can be retrieved
via the ServerConn.Permissions field. Note that some third-party
libraries misuse the Permissions type by sharing it across
authentication attempts; users of third-party libraries should refer to
the relevant projects for guidance.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 65.75%. Comparing base (0315a46) to head (7e81251).
Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1861      +/-   ##
==========================================
+ Coverage   65.74%   65.75%   +0.01%     
==========================================
  Files         178      178              
  Lines       13840    13840              
==========================================
+ Hits         9099     9101       +2     
+ Misses       4126     4124       -2     
  Partials      615      615              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.