
#2179 use Go sub-repo ssh to verify public key content

Unknwon há 8 anos atrás
pai
commit
7ef9a05588
6 ficheiros alterados com 13 adições e 61 exclusões
  1. 1 1
      README.md
  2. 0 12
      conf/app.ini
  3. 1 1
      gogs.go
  4. 10 37
      models/ssh_key.go
  5. 0 9
      modules/setting/setting.go
  6. 1 1
      templates/.VERSION

+ 1 - 1
README.md

@@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra
 
 ![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
 
-##### Current version: 0.8.21
+##### Current version: 0.8.22
 
 | Web | UI  | Preview  |
 |:-------------:|:-------:|:-------:|

+ 0 - 12
conf/app.ini

@@ -120,21 +120,9 @@ ENABLE_NOTIFY_MAIL = false
 ; More detail: https://github.com/gogits/gogs/issues/165
 ENABLE_REVERSE_PROXY_AUTHENTICATION = false
 ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
-; Do not check minimum key size with corresponding type
-DISABLE_MINIMUM_KEY_SIZE_CHECK = false
 ; Enable captcha validation for registration
 ENABLE_CAPTCHA = true
 
-; used to filter keys which are too short
-[service.minimum_key_sizes]
-ED25519 = 256
-ECDSA   = 256
-NTRU    = 1087
-MCE     = 1702
-McE     = 1702
-RSA     = 1024
-DSA     = 1024
-
 [webhook]
 ; Hook task queue length
 QUEUE_LENGTH = 1000

+ 1 - 1
gogs.go

@@ -17,7 +17,7 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )
 
-const APP_VER = "0.8.21.0114"
+const APP_VER = "0.8.22.0115"
 
 func init() {
 	runtime.GOMAXPROCS(runtime.NumCPU())

+ 10 - 37
models/ssh_key.go

@@ -21,6 +21,7 @@ import (
 
 	"github.com/Unknwon/com"
 	"github.com/go-xorm/xorm"
+	"golang.org/x/crypto/ssh"
 
 	"github.com/gogits/gogs/modules/log"
 	"github.com/gogits/gogs/modules/process"
@@ -164,48 +165,20 @@ func CheckPublicKeyString(content string) (_ string, err error) {
 		return "", errors.New("only a single line with a single key please")
 	}
 
-	// write the key to a file…
-	tmpFile, err := ioutil.TempFile(os.TempDir(), "keytest")
-	if err != nil {
-		return "", err
+	fields := strings.Fields(content)
+	if len(fields) < 2 {
+		return "", errors.New("too less fields")
 	}
-	tmpPath := tmpFile.Name()
-	defer os.Remove(tmpPath)
-	tmpFile.WriteString(content)
-	tmpFile.Close()
 
-	// Check if ssh-keygen recognizes its contents.
-	stdout, stderr, err := process.Exec("CheckPublicKeyString", "ssh-keygen", "-lf", tmpPath)
+	key, err := base64.StdEncoding.DecodeString(fields[1])
 	if err != nil {
-		return "", errors.New("ssh-keygen -lf: " + stderr)
-	} else if len(stdout) < 2 {
-		return "", errors.New("ssh-keygen returned not enough output to evaluate the key: " + stdout)
+		return "", fmt.Errorf("StdEncoding.DecodeString: %v", err)
 	}
-
-	// The ssh-keygen in Windows does not print key type, so no need go further.
-	if setting.IsWindows {
-		return content, nil
-	}
-
-	sshKeygenOutput := strings.Split(stdout, " ")
-	if len(sshKeygenOutput) < 4 {
-		return content, ErrKeyUnableVerify{stdout}
-	}
-
-	// Check if key type and key size match.
-	if !setting.Service.DisableMinimumKeySizeCheck {
-		keySize := com.StrTo(sshKeygenOutput[0]).MustInt()
-		if keySize == 0 {
-			return "", errors.New("cannot get key size of the given key")
-		}
-
-		keyType := strings.Trim(sshKeygenOutput[len(sshKeygenOutput)-1], " ()\n")
-		if minimumKeySize := setting.Service.MinimumKeySizes[keyType]; minimumKeySize == 0 {
-			return "", fmt.Errorf("unrecognized public key type: %s", keyType)
-		} else if keySize < minimumKeySize {
-			return "", fmt.Errorf("the minimum accepted size of a public key %s is %d", keyType, minimumKeySize)
-		}
+	pkey, err := ssh.ParsePublicKey([]byte(key))
+	if err != nil {
+		return "", fmt.Errorf("ParsePublicKey: %v", err)
 	}
+	log.Trace("Key type: %s", pkey.Type())
 
 	return content, nil
 }
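Review bot: The rewritten tail of CheckPublicKeyString drops the minimum key size policy without replacing it — ssh.ParsePublicKey validates the wire encoding only, so with the DISABLE_MINIMUM_KEY_SIZE_CHECK and [service.minimum_key_sizes] settings removed in conf/app.ini and setting.go, a syntactically valid but undersized key would presumably now be accepted where the old ssh-keygen path rejected it. The type prefix in fields[0] is also never compared with pkey.Type(), and the parsed type only reaches a trace line; ssh.ParseAuthorizedKey handles the whole type/key/comment line and would make it natural to reject unexpected types explicitly rather than log them. Minor: key is already a []byte, so `pkey, err := ssh.ParsePublicKey(key)` suffices, and the error text `"too less fields"` should read `"too few fields"`. CheckPublicKeyString's header and the single-line check above it start outside the hunk.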

+ 0 - 9
modules/setting/setting.go

@@ -453,8 +453,6 @@ var Service struct {
 	EnableNotifyMail               bool
 	EnableReverseProxyAuth         bool
 	EnableReverseProxyAutoRegister bool
-	DisableMinimumKeySizeCheck     bool
-	MinimumKeySizes                map[string]int
 	EnableCaptcha                  bool
 }
 
@@ -468,14 +466,7 @@ func newService() {
 	Service.EnableCacheAvatar = sec.Key("ENABLE_CACHE_AVATAR").MustBool()
 	Service.EnableReverseProxyAuth = sec.Key("ENABLE_REVERSE_PROXY_AUTHENTICATION").MustBool()
 	Service.EnableReverseProxyAutoRegister = sec.Key("ENABLE_REVERSE_PROXY_AUTO_REGISTRATION").MustBool()
-	Service.DisableMinimumKeySizeCheck = sec.Key("DISABLE_MINIMUM_KEY_SIZE_CHECK").MustBool()
 	Service.EnableCaptcha = sec.Key("ENABLE_CAPTCHA").MustBool()
-
-	minimumKeySizes := Cfg.Section("service.minimum_key_sizes").Keys()
-	Service.MinimumKeySizes = make(map[string]int)
-	for _, key := range minimumKeySizes {
-		Service.MinimumKeySizes[key.Name()] = key.MustInt()
-	}
 }
 
 var logLevels = map[string]string{

+ 1 - 1
templates/.VERSION

@@ -1 +1 @@
-0.8.21.0114
+0.8.22.0115