From 7ef9a055886574655d9f2be70c957bc16bf30500 Mon Sep 17 00:00:00 2001 From: Unknwon Date: Fri, 15 Jan 2016 18:39:51 +0800 Subject: [PATCH] #2179 use Go sub-repo ssh to verify public key content --- README.md | 2 +- conf/app.ini | 12 ---------- gogs.go | 2 +- models/ssh_key.go | 49 +++++++++----------------------------- modules/setting/setting.go | 9 ------- templates/.VERSION | 2 +- 6 files changed, 14 insertions(+), 62 deletions(-) diff --git a/README.md b/README.md index 301ec69884..69e375d33f 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra ![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true) -##### Current version: 0.8.21 +##### Current version: 0.8.22 | Web | UI | Preview | |:-------------:|:-------:|:-------:| diff --git a/conf/app.ini b/conf/app.ini index c1ca838ac0..69829fcaba 100644 --- a/conf/app.ini +++ b/conf/app.ini @@ -120,21 +120,9 @@ ENABLE_NOTIFY_MAIL = false ; More detail: https://github.com/gogits/gogs/issues/165 ENABLE_REVERSE_PROXY_AUTHENTICATION = false ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false -; Do not check minimum key size with corresponding type -DISABLE_MINIMUM_KEY_SIZE_CHECK = false ; Enable captcha validation for registration ENABLE_CAPTCHA = true -; used to filter keys which are too short -[service.minimum_key_sizes] -ED25519 = 256 -ECDSA = 256 -NTRU = 1087 -MCE = 1702 -McE = 1702 -RSA = 1024 -DSA = 1024 - [webhook] ; Hook task queue length QUEUE_LENGTH = 1000 diff --git a/gogs.go b/gogs.go index cc790b5f93..81b28c6bb2 100644 --- a/gogs.go +++ b/gogs.go @@ -17,7 +17,7 @@ import ( "github.com/gogits/gogs/modules/setting" ) -const APP_VER = "0.8.21.0114" +const APP_VER = "0.8.22.0115" func init() { runtime.GOMAXPROCS(runtime.NumCPU()) diff --git a/models/ssh_key.go b/models/ssh_key.go index f0db4de430..a7b1680f67 100644 --- a/models/ssh_key.go +++ b/models/ssh_key.go @@ -21,6 +21,7 @@ import ( "github.com/Unknwon/com" "github.com/go-xorm/xorm" + "golang.org/x/crypto/ssh" "github.com/gogits/gogs/modules/log" "github.com/gogits/gogs/modules/process" @@ -164,48 +165,20 @@ func CheckPublicKeyString(content string) (_ string, err error) { return "", errors.New("only a single line with a single key please") } - // write the key to a fileā€¦ - tmpFile, err := ioutil.TempFile(os.TempDir(), "keytest") + fields := strings.Fields(content) + if len(fields) < 2 { + return "", errors.New("too less fields") + } + + key, err := base64.StdEncoding.DecodeString(fields[1]) if err != nil { - return "", err + return "", fmt.Errorf("StdEncoding.DecodeString: %v", err) } - tmpPath := tmpFile.Name() - defer os.Remove(tmpPath) - tmpFile.WriteString(content) - tmpFile.Close() - - // Check if ssh-keygen recognizes its contents. - stdout, stderr, err := process.Exec("CheckPublicKeyString", "ssh-keygen", "-lf", tmpPath) + pkey, err := ssh.ParsePublicKey([]byte(key)) if err != nil { - return "", errors.New("ssh-keygen -lf: " + stderr) - } else if len(stdout) < 2 { - return "", errors.New("ssh-keygen returned not enough output to evaluate the key: " + stdout) - } - - // The ssh-keygen in Windows does not print key type, so no need go further. - if setting.IsWindows { - return content, nil - } - - sshKeygenOutput := strings.Split(stdout, " ") - if len(sshKeygenOutput) < 4 { - return content, ErrKeyUnableVerify{stdout} - } - - // Check if key type and key size match. - if !setting.Service.DisableMinimumKeySizeCheck { - keySize := com.StrTo(sshKeygenOutput[0]).MustInt() - if keySize == 0 { - return "", errors.New("cannot get key size of the given key") - } - - keyType := strings.Trim(sshKeygenOutput[len(sshKeygenOutput)-1], " ()\n") - if minimumKeySize := setting.Service.MinimumKeySizes[keyType]; minimumKeySize == 0 { - return "", fmt.Errorf("unrecognized public key type: %s", keyType) - } else if keySize < minimumKeySize { - return "", fmt.Errorf("the minimum accepted size of a public key %s is %d", keyType, minimumKeySize) - } + return "", fmt.Errorf("ParsePublicKey: %v", err) } + log.Trace("Key type: %s", pkey.Type()) return content, nil } diff --git a/modules/setting/setting.go b/modules/setting/setting.go index 0ab0eafaa1..e719153ae2 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -453,8 +453,6 @@ var Service struct { EnableNotifyMail bool EnableReverseProxyAuth bool EnableReverseProxyAutoRegister bool - DisableMinimumKeySizeCheck bool - MinimumKeySizes map[string]int EnableCaptcha bool } @@ -468,14 +466,7 @@ func newService() { Service.EnableCacheAvatar = sec.Key("ENABLE_CACHE_AVATAR").MustBool() Service.EnableReverseProxyAuth = sec.Key("ENABLE_REVERSE_PROXY_AUTHENTICATION").MustBool() Service.EnableReverseProxyAutoRegister = sec.Key("ENABLE_REVERSE_PROXY_AUTO_REGISTRATION").MustBool() - Service.DisableMinimumKeySizeCheck = sec.Key("DISABLE_MINIMUM_KEY_SIZE_CHECK").MustBool() Service.EnableCaptcha = sec.Key("ENABLE_CAPTCHA").MustBool() - - minimumKeySizes := Cfg.Section("service.minimum_key_sizes").Keys() - Service.MinimumKeySizes = make(map[string]int) - for _, key := range minimumKeySizes { - Service.MinimumKeySizes[key.Name()] = key.MustInt() - } } var logLevels = map[string]string{ diff --git a/templates/.VERSION b/templates/.VERSION index 51bb73689e..fbe31ee632 100644 --- a/templates/.VERSION +++ b/templates/.VERSION @@ -1 +1 @@ -0.8.21.0114 \ No newline at end of file +0.8.22.0115 \ No newline at end of file