From 77bcd0d8f2c9296c7999c56a16bc401bd8b070f9 Mon Sep 17 00:00:00 2001
From: Gusted
Date: Tue, 15 Mar 2022 18:27:14 +0100
Subject: [PATCH 1/3] Update golang.org/x/crypto (#19097)

- Backport #19097
---
 go.mod | 2 +-
 go.sum | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/go.mod b/go.mod
index 7bc75154c7e74..2d0c3b491cb75 100644
--- a/go.mod
+++ b/go.mod
@@ -121,7 +121,7 @@ require (
 go.uber.org/atomic v1.9.0 // indirect
 go.uber.org/multierr v1.7.0 // indirect
 go.uber.org/zap v1.19.0 // indirect
- golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871
+ golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd
 golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e
diff --git a/go.sum b/go.sum
index bc82137fdda8a..b2ec18f6b091f 100644
--- a/go.sum
+++ b/go.sum
@@ -1260,8 +1260,9 @@ golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871 h1:/pEO3GD/ABYAjuakUS6xSEmmlyVS4kxBNkeA9tLJiTI=
 golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd h1:XcWmESyNjXJMLahc3mqVQJcgSTDxFxhETVlfk9uGc38=
+golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=

From 9a45c41481e8cc026d0adb05aa05e7d5fc025047 Mon Sep 17 00:00:00 2001
From: Gusted
Date: Tue, 15 Mar 2022 18:39:03 +0100
Subject: [PATCH 2/3] Fix deprecation notice

---
 modules/ssh/ssh.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/modules/ssh/ssh.go b/modules/ssh/ssh.go
index 4f876ec39aa1d..0e80bde88c0dd 100644
--- a/modules/ssh/ssh.go
+++ b/modules/ssh/ssh.go
@@ -329,11 +329,11 @@ func Listen(host string, port int, ciphers, keyExchanges, macs []string) {
 signers = append(signers,
 &wrapSigner{
 Signer: signer,
- algorithm: gossh.SigAlgoRSASHA2512,
+ algorithm: gossh.KeyAlgoRSASHA512,
 },
 &wrapSigner{
 Signer: signer,
- algorithm: gossh.SigAlgoRSASHA2256,
+ algorithm: gossh.KeyAlgoRSASHA256,
 },
 )
 }
@@ -342,7 +342,6 @@ func Listen(host string, port int, ciphers, keyExchanges, macs []string) {
 srv.HostSigners = signers
 go listen(&srv)
-
 }
 
 // wrapSigner wraps a signer and overrides its public key type with the provided algorithm

From 81b02e60ce5f577ac718911af0312d45f3e5a0e3 Mon Sep 17 00:00:00 2001
From: Gusted
Date: Tue, 15 Mar 2022 19:16:55 +0100
Subject: [PATCH 3/3] Backport workaround removal

---
 modules/ssh/ssh.go | 56 ----------------------------------------------
 1 file changed, 56 deletions(-)

diff --git a/modules/ssh/ssh.go b/modules/ssh/ssh.go
index 0e80bde88c0dd..5b09e0e37e223 100644
--- a/modules/ssh/ssh.go
+++ b/modules/ssh/ssh.go
@@ -317,65 +317,9 @@ func Listen(host string, port int, ciphers, keyExchanges, macs []string) {
 }
 }
 
- // Workaround slightly broken behaviour in x/crypto/ssh/handshake.go:458-463
- //
- // Fundamentally the issue here is that HostKeyAlgos make the incorrect assumption
- // that the PublicKey().Type() matches the signature algorithm.
- //
- // Therefore we need to add duplicates for the RSA with different signing algorithms.
- signers := make([]ssh.Signer, 0, len(srv.HostSigners))
- for _, signer := range srv.HostSigners {
- if signer.PublicKey().Type() == "ssh-rsa" {
- signers = append(signers,
- &wrapSigner{
- Signer: signer,
- algorithm: gossh.KeyAlgoRSASHA512,
- },
- &wrapSigner{
- Signer: signer,
- algorithm: gossh.KeyAlgoRSASHA256,
- },
- )
- }
- signers = append(signers, signer)
- }
- srv.HostSigners = signers
 go listen(&srv)
 }
 
-// wrapSigner wraps a signer and overrides its public key type with the provided algorithm
-type wrapSigner struct {
- ssh.Signer
- algorithm string
-}
-
-// PublicKey returns an associated PublicKey instance.
-func (s *wrapSigner) PublicKey() gossh.PublicKey {
- return &wrapPublicKey{
- PublicKey: s.Signer.PublicKey(),
- algorithm: s.algorithm,
- }
-}
-
-// Sign returns raw signature for the given data. This method
-// will apply the hash specified for the keytype to the data using
-// the algorithm assigned for this key
-func (s *wrapSigner) Sign(rand io.Reader, data []byte) (*gossh.Signature, error) {
- return s.Signer.(gossh.AlgorithmSigner).SignWithAlgorithm(rand, data, s.algorithm)
-}
-
-// wrapPublicKey wraps a PublicKey and overrides its type
-type wrapPublicKey struct {
- gossh.PublicKey
- algorithm string
-}
-
-// Type returns the algorithm
-func (k *wrapPublicKey) Type() string {
- return k.algorithm
-}
-
 // GenKeyPair make a pair of public and private keys for SSH access.
 // Public key is encoded in the format for inclusion in an OpenSSH authorized_keys file.
 // Private Key generated is PEM encoded