#2179 use Go sub-repo ssh to verify public key content

This commit is contained in:
Unknwon 2016-01-15 18:39:51 +08:00
parent c631a4a9b9
commit 7ef9a05588
6 changed files with 14 additions and 62 deletions


@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra
![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true) ![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)
##### Current version: 0.8.21 ##### Current version: 0.8.22
| Web | UI | Preview | | Web | UI | Preview |
|:-------------:|:-------:|:-------:| |:-------------:|:-------:|:-------:|


@ -120,21 +120,9 @@ ENABLE_NOTIFY_MAIL = false
; More detail: https://github.com/gogits/gogs/issues/165 ; More detail: https://github.com/gogits/gogs/issues/165
ENABLE_REVERSE_PROXY_AUTHENTICATION = false ENABLE_REVERSE_PROXY_AUTHENTICATION = false
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
; Do not check minimum key size with corresponding type
DISABLE_MINIMUM_KEY_SIZE_CHECK = false
; Enable captcha validation for registration ; Enable captcha validation for registration
ENABLE_CAPTCHA = true ENABLE_CAPTCHA = true
; used to filter keys which are too short
[service.minimum_key_sizes]
ED25519 = 256
ECDSA = 256
NTRU = 1087
MCE = 1702
McE = 1702
RSA = 1024
DSA = 1024
[webhook] [webhook]
; Hook task queue length ; Hook task queue length
QUEUE_LENGTH = 1000 QUEUE_LENGTH = 1000


@ -17,7 +17,7 @@ import (
"github.com/gogits/gogs/modules/setting" "github.com/gogits/gogs/modules/setting"
) )
const APP_VER = "0.8.21.0114" const APP_VER = "0.8.22.0115"
func init() { func init() {
runtime.GOMAXPROCS(runtime.NumCPU()) runtime.GOMAXPROCS(runtime.NumCPU())


@ -21,6 +21,7 @@ import (
"github.com/Unknwon/com" "github.com/Unknwon/com"
"github.com/go-xorm/xorm" "github.com/go-xorm/xorm"
"golang.org/x/crypto/ssh"
"github.com/gogits/gogs/modules/log" "github.com/gogits/gogs/modules/log"
"github.com/gogits/gogs/modules/process" "github.com/gogits/gogs/modules/process"
@ -164,48 +165,20 @@ func CheckPublicKeyString(content string) (_ string, err error) {
return "", errors.New("only a single line with a single key please") return "", errors.New("only a single line with a single key please")
} }
// write the key to a file… fields := strings.Fields(content)
tmpFile, err := ioutil.TempFile(os.TempDir(), "keytest") if len(fields) < 2 {
return "", errors.New("too less fields")
}
key, err := base64.StdEncoding.DecodeString(fields[1])
if err != nil { if err != nil {
return "", err return "", fmt.Errorf("StdEncoding.DecodeString: %v", err)
} }
tmpPath := tmpFile.Name() pkey, err := ssh.ParsePublicKey([]byte(key))
defer os.Remove(tmpPath)
tmpFile.WriteString(content)
tmpFile.Close()
// Check if ssh-keygen recognizes its contents.
stdout, stderr, err := process.Exec("CheckPublicKeyString", "ssh-keygen", "-lf", tmpPath)
if err != nil { if err != nil {
return "", errors.New("ssh-keygen -lf: " + stderr) return "", fmt.Errorf("ParsePublicKey: %v", err)
} else if len(stdout) < 2 {
return "", errors.New("ssh-keygen returned not enough output to evaluate the key: " + stdout)
}
// The ssh-keygen in Windows does not print key type, so no need go further.
if setting.IsWindows {
return content, nil
}
sshKeygenOutput := strings.Split(stdout, " ")
if len(sshKeygenOutput) < 4 {
return content, ErrKeyUnableVerify{stdout}
}
// Check if key type and key size match.
if !setting.Service.DisableMinimumKeySizeCheck {
keySize := com.StrTo(sshKeygenOutput[0]).MustInt()
if keySize == 0 {
return "", errors.New("cannot get key size of the given key")
}
keyType := strings.Trim(sshKeygenOutput[len(sshKeygenOutput)-1], " ()\n")
if minimumKeySize := setting.Service.MinimumKeySizes[keyType]; minimumKeySize == 0 {
return "", fmt.Errorf("unrecognized public key type: %s", keyType)
} else if keySize < minimumKeySize {
return "", fmt.Errorf("the minimum accepted size of a public key %s is %d", keyType, minimumKeySize)
}
} }
log.Trace("Key type: %s", pkey.Type())
return content, nil return content, nil
} }
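Review bot: The new body at the `ssh.ParsePublicKey` call accepts any key the parser understands, while the minimum-key-size check it replaces (and the `[service.minimum_key_sizes]` floor, RSA 1024 by default) is dropped without a substitute, so a 512-bit RSA or an ssh-dss key now passes where it was previously rejected. It also never compares the declared type in `fields[0]` against `pkey.Type()`, and `[]byte(key)` is a no-op since `DecodeString` already returns a `[]byte`. I would reinstate a size floor through the `ssh.CryptoPublicKey` interface (present in x/crypto/ssh of roughly this vintage, but worth confirming against the vendored version; it also needs `crypto/rsa` imported) and reject type mismatches, as sketched below. CheckPublicKeyString begins before this hunk.

```go
	pkey, err := ssh.ParsePublicKey(key)
	if err != nil {
		return "", fmt.Errorf("ParsePublicKey: %v", err)
	}
	// The declared type prefix must match the blob that was actually parsed.
	if fields[0] != pkey.Type() {
		return "", fmt.Errorf("key type mismatch: declared %s, parsed %s", fields[0], pkey.Type())
	}
	// Restore a size floor for RSA now that the ssh-keygen length check is gone.
	if pkey.Type() == ssh.KeyAlgoRSA {
		cpk, ok := pkey.(ssh.CryptoPublicKey)
		if !ok {
			return "", errors.New("cannot inspect RSA key size")
		}
		rsaKey, ok := cpk.CryptoPublicKey().(*rsa.PublicKey)
		if !ok || rsaKey.N.BitLen() < 1024 {
			return "", errors.New("RSA public key must be at least 1024 bits")
		}
	}
	// … unchanged: log.Trace and return …
```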


@ -453,8 +453,6 @@ var Service struct {
EnableNotifyMail bool EnableNotifyMail bool
EnableReverseProxyAuth bool EnableReverseProxyAuth bool
EnableReverseProxyAutoRegister bool EnableReverseProxyAutoRegister bool
DisableMinimumKeySizeCheck bool
MinimumKeySizes map[string]int
EnableCaptcha bool EnableCaptcha bool
} }
@ -468,14 +466,7 @@ func newService() {
Service.EnableCacheAvatar = sec.Key("ENABLE_CACHE_AVATAR").MustBool() Service.EnableCacheAvatar = sec.Key("ENABLE_CACHE_AVATAR").MustBool()
Service.EnableReverseProxyAuth = sec.Key("ENABLE_REVERSE_PROXY_AUTHENTICATION").MustBool() Service.EnableReverseProxyAuth = sec.Key("ENABLE_REVERSE_PROXY_AUTHENTICATION").MustBool()
Service.EnableReverseProxyAutoRegister = sec.Key("ENABLE_REVERSE_PROXY_AUTO_REGISTRATION").MustBool() Service.EnableReverseProxyAutoRegister = sec.Key("ENABLE_REVERSE_PROXY_AUTO_REGISTRATION").MustBool()
Service.DisableMinimumKeySizeCheck = sec.Key("DISABLE_MINIMUM_KEY_SIZE_CHECK").MustBool()
Service.EnableCaptcha = sec.Key("ENABLE_CAPTCHA").MustBool() Service.EnableCaptcha = sec.Key("ENABLE_CAPTCHA").MustBool()
minimumKeySizes := Cfg.Section("service.minimum_key_sizes").Keys()
Service.MinimumKeySizes = make(map[string]int)
for _, key := range minimumKeySizes {
Service.MinimumKeySizes[key.Name()] = key.MustInt()
}
} }
var logLevels = map[string]string{ var logLevels = map[string]string{


@ -1 +1 @@
0.8.21.0114 0.8.22.0115