forked from forgejo/forgejo
Update golang.org/x/crypto (#19097)
* Update golang.org/x/crypto - Update dependency to include fix for CVE. - See https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ?utm_medium=email&utm_source=footer * Fix deprecation notice * Remove workaround - Introduced in https://github.com/go-gitea/gitea/pull/17281 - Fixed in x/crypto: -5d542ad81a- &3147a52a75* Update Kex Algorithms - Use standardized name for curve22519-sha256.9b076918e3- Prefer SHA256 version over SHA1 version.e4b3678e5f
This commit is contained in:
Gusted
GitHub
parent
c88f2e2acc
commit
6ab4a96855
6 changed files with 6 additions and 62 deletions
|
|
@ -317,65 +317,9 @@ func Listen(host string, port int, ciphers, keyExchanges, macs []string) {
|
|||
}
|
||||
}
|
||||
|
||||
// Workaround slightly broken behaviour in x/crypto/ssh/handshake.go:458-463
|
||||
//
|
||||
// Fundamentally the issue here is that HostKeyAlgos make the incorrect assumption
|
||||
// that the PublicKey().Type() matches the signature algorithm.
|
||||
//
|
||||
// Therefore we need to add duplicates for the RSA with different signing algorithms.
|
||||
signers := make([]ssh.Signer, 0, len(srv.HostSigners))
|
||||
for _, signer := range srv.HostSigners {
|
||||
if signer.PublicKey().Type() == "ssh-rsa" {
|
||||
signers = append(signers,
|
||||
&wrapSigner{
|
||||
Signer: signer,
|
||||
algorithm: gossh.SigAlgoRSASHA2512,
|
||||
},
|
||||
&wrapSigner{
|
||||
Signer: signer,
|
||||
algorithm: gossh.SigAlgoRSASHA2256,
|
||||
},
|
||||
)
|
||||
}
|
||||
signers = append(signers, signer)
|
||||
}
|
||||
srv.HostSigners = signers
|
||||
|
||||
go listen(&srv)
|
||||
}
|
||||
|
||||
// wrapSigner wraps a signer and overrides its public key type with the provided algorithm
|
||||
type wrapSigner struct {
|
||||
ssh.Signer
|
||||
algorithm string
|
||||
}
|
||||
|
||||
// PublicKey returns an associated PublicKey instance.
|
||||
func (s *wrapSigner) PublicKey() gossh.PublicKey {
|
||||
return &wrapPublicKey{
|
||||
PublicKey: s.Signer.PublicKey(),
|
||||
algorithm: s.algorithm,
|
||||
}
|
||||
}
|
||||
|
||||
// Sign returns raw signature for the given data. This method
|
||||
// will apply the hash specified for the keytype to the data using
|
||||
// the algorithm assigned for this key
|
||||
func (s *wrapSigner) Sign(rand io.Reader, data []byte) (*gossh.Signature, error) {
|
||||
return s.Signer.(gossh.AlgorithmSigner).SignWithAlgorithm(rand, data, s.algorithm)
|
||||
}
|
||||
|
||||
// wrapPublicKey wraps a PublicKey and overrides its type
|
||||
type wrapPublicKey struct {
|
||||
gossh.PublicKey
|
||||
algorithm string
|
||||
}
|
||||
|
||||
// Type returns the algorithm
|
||||
func (k *wrapPublicKey) Type() string {
|
||||
return k.algorithm
|
||||
}
|
||||
|
||||
// GenKeyPair make a pair of public and private keys for SSH access.
|
||||
// Public key is encoded in the format for inclusion in an OpenSSH authorized_keys file.
|
||||
// Private Key generated is PEM encoded
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue