From 6ab4a96855e472f3a8f86b2e7f66a9cc714fa447 Mon Sep 17 00:00:00 2001 From: Gusted Date: Wed, 16 Mar 2022 01:59:53 +0000 Subject: [PATCH] Update golang.org/x/crypto (#19097) * Update golang.org/x/crypto - Update dependency to include fix for CVE. - See https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ?utm_medium=email&utm_source=footer * Fix deprecation notice * Remove workaround - Introduced in https://github.com/go-gitea/gitea/pull/17281 - Fixed in x/crypto: - https://github.com/golang/crypto/commit/5d542ad81a58c89581d596f49d0ba5d435481bcf - & https://github.com/golang/crypto/commit/3147a52a75dda54ac3a611ef8978640d85188a2a * Update Kex Algorithms - Use standardized name for curve22519-sha256. https://github.com/golang/crypto/commit/9b076918e3c7e908b2bdea932f272a9979f2488a - Prefer SHA256 version over SHA1 version. https://github.com/golang/crypto/commit/e4b3678e5f38521e67eba223ddd1902ceb3a303c --- custom/conf/app.example.ini | 2 +- .../doc/advanced/config-cheat-sheet.en-us.md | 2 +- go.mod | 2 +- go.sum | 4 +- modules/setting/setting.go | 2 +- modules/ssh/ssh.go | 56 ------------------- 6 files changed, 6 insertions(+), 62 deletions(-) diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index ad58e6bda..c4d5413a6 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -117,7 +117,7 @@ RUN_MODE = ; prod ;; ;; For the built-in SSH server, choose the key exchange algorithms to support for SSH connections, ;; for system SSH this setting has no effect -;SSH_SERVER_KEY_EXCHANGES = curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha1 +;SSH_SERVER_KEY_EXCHANGES = curve25519-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1 ;; ;; For the built-in SSH server, choose the MACs to support for SSH connections, ;; for system SSH this setting has no effect diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index 70bc2ee82..2fbfdde6b 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md @@ -280,7 +280,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a - `SSH_AUTHORIZED_PRINCIPALS_BACKUP`: **false/true**: Enable SSH Authorized Principals Backup when rewriting all keys, default is true if `SSH_AUTHORIZED_PRINCIPALS_ALLOW` is not `off`. - `SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE`: **{{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}}**: Set the template for the command to passed on authorized keys. Possible keys are: AppPath, AppWorkPath, CustomConf, CustomPath, Key - where Key is a `models/asymkey.PublicKey` and the others are strings which are shellquoted. - `SSH_SERVER_CIPHERS`: **chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com**: For the built-in SSH server, choose the ciphers to support for SSH connections, for system SSH this setting has no effect. -- `SSH_SERVER_KEY_EXCHANGES`: **curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha1**: For the built-in SSH server, choose the key exchange algorithms to support for SSH connections, for system SSH this setting has no effect. +- `SSH_SERVER_KEY_EXCHANGES`: **curve25519-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1**: For the built-in SSH server, choose the key exchange algorithms to support for SSH connections, for system SSH this setting has no effect. - `SSH_SERVER_MACS`: **hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1**: For the built-in SSH server, choose the MACs to support for SSH connections, for system SSH this setting has no effect - `SSH_SERVER_HOST_KEYS`: **ssh/gitea.rsa, ssh/gogs.rsa**: For the built-in SSH server, choose the keypairs to offer as the host key. The private key should be at `SSH_SERVER_HOST_KEY` and the public `SSH_SERVER_HOST_KEY.pub`. Relative paths are made absolute relative to the `APP_DATA_PATH`. If no key exists a 4096 bit RSA key will be created for you. - `SSH_KEY_TEST_PATH`: **/tmp**: Directory to create temporary files in when testing public keys using ssh-keygen, default is the system temporary directory. diff --git a/go.mod b/go.mod index e859e24c6..d1f4b7c4c 100644 --- a/go.mod +++ b/go.mod @@ -122,7 +122,7 @@ require ( go.uber.org/atomic v1.9.0 // indirect go.uber.org/multierr v1.8.0 // indirect go.uber.org/zap v1.21.0 // indirect - golang.org/x/crypto v0.0.0-20220214200702-86341886e292 + golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd golang.org/x/net v0.0.0-20220225172249-27dd8689420f golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9 diff --git a/go.sum b/go.sum index cec6e231a..f1e719284 100644 --- a/go.sum +++ b/go.sum @@ -1683,8 +1683,8 @@ golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220214200702-86341886e292 h1:f+lwQ+GtmgoY+A2YaQxlSOnDjXcQ7ZRLWOHbC6HtRqE= -golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd h1:XcWmESyNjXJMLahc3mqVQJcgSTDxFxhETVlfk9uGc38= +golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= diff --git a/modules/setting/setting.go b/modules/setting/setting.go index f93dc53c3..2a189ec9b 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -164,7 +164,7 @@ var ( Domain: "", Port: 22, ServerCiphers: []string{"chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}, - ServerKeyExchanges: []string{"curve25519-sha256@libssh.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group14-sha1"}, + ServerKeyExchanges: []string{"curve25519-sha256", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"}, ServerMACs: []string{"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"}, KeygenPath: "ssh-keygen", MinimumKeySizeCheck: true, diff --git a/modules/ssh/ssh.go b/modules/ssh/ssh.go index 6f4e99345..1a92edb79 100644 --- a/modules/ssh/ssh.go +++ b/modules/ssh/ssh.go @@ -317,65 +317,9 @@ func Listen(host string, port int, ciphers, keyExchanges, macs []string) { } } - // Workaround slightly broken behaviour in x/crypto/ssh/handshake.go:458-463 - // - // Fundamentally the issue here is that HostKeyAlgos make the incorrect assumption - // that the PublicKey().Type() matches the signature algorithm. - // - // Therefore we need to add duplicates for the RSA with different signing algorithms. - signers := make([]ssh.Signer, 0, len(srv.HostSigners)) - for _, signer := range srv.HostSigners { - if signer.PublicKey().Type() == "ssh-rsa" { - signers = append(signers, - &wrapSigner{ - Signer: signer, - algorithm: gossh.SigAlgoRSASHA2512, - }, - &wrapSigner{ - Signer: signer, - algorithm: gossh.SigAlgoRSASHA2256, - }, - ) - } - signers = append(signers, signer) - } - srv.HostSigners = signers - go listen(&srv) } -// wrapSigner wraps a signer and overrides its public key type with the provided algorithm -type wrapSigner struct { - ssh.Signer - algorithm string -} - -// PublicKey returns an associated PublicKey instance. -func (s *wrapSigner) PublicKey() gossh.PublicKey { - return &wrapPublicKey{ - PublicKey: s.Signer.PublicKey(), - algorithm: s.algorithm, - } -} - -// Sign returns raw signature for the given data. This method -// will apply the hash specified for the keytype to the data using -// the algorithm assigned for this key -func (s *wrapSigner) Sign(rand io.Reader, data []byte) (*gossh.Signature, error) { - return s.Signer.(gossh.AlgorithmSigner).SignWithAlgorithm(rand, data, s.algorithm) -} - -// wrapPublicKey wraps a PublicKey and overrides its type -type wrapPublicKey struct { - gossh.PublicKey - algorithm string -} - -// Type returns the algorithm -func (k *wrapPublicKey) Type() string { - return k.algorithm -} - // GenKeyPair make a pair of public and private keys for SSH access. // Public key is encoded in the format for inclusion in an OpenSSH authorized_keys file. // Private Key generated is PEM encoded