remove support for sha1 and md5 hashing for public keys

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Sanskar Jaiswal 2022-05-26 15:46:19 +05:30
parent 7501e8622c
commit 94c50fa3a8
3 changed files with 6 additions and 31 deletions


@ -165,7 +165,7 @@ func (t *sshSmartSubtransport) Action(transportOptionsURL string, action git2go.
cert := &git2go.Certificate{ cert := &git2go.Certificate{
Kind: git2go.CertificateHostkey, Kind: git2go.CertificateHostkey,
Hostkey: git2go.HostkeyCertificate{ Hostkey: git2go.HostkeyCertificate{
Kind: git2go.HostkeySHA256, Kind: git2go.HostkeySHA256 | git2go.HostkeyRaw,
HashSHA256: sha256.Sum256(marshaledKey), HashSHA256: sha256.Sum256(marshaledKey),
Hostkey: marshaledKey, Hostkey: marshaledKey,
SSHPublicKey: key, SSHPublicKey: key,
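Review bot: The `Kind` line now also sets `git2go.HostkeyRaw`, which the commit message (about dropping SHA1 and MD5) does not explain, and nothing next to it says why. Since `Hostkey: marshaledKey` is populated two lines below, the flag presumably just declares that the raw key is present; a short comment would make that explicit, for example `// HostkeyRaw: Hostkey carries the marshaled public key alongside its SHA256 hash.` The `Action` method starts and ends outside this hunk, so how callers use the raw key cannot be confirmed from here.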


@ -1,8 +1,6 @@
package managed package managed
import ( import (
"crypto/md5"
"crypto/sha1"
"crypto/sha256" "crypto/sha256"
"fmt" "fmt"
"hash" "hash"
@ -49,16 +47,8 @@ func KnownHostsCallback(host string, knownHosts []byte) git2go.CertificateCheckC
case cert.Hostkey.Kind&git2go.HostkeySHA256 > 0: case cert.Hostkey.Kind&git2go.HostkeySHA256 > 0:
fingerprint = cert.Hostkey.HashSHA256[:] fingerprint = cert.Hostkey.HashSHA256[:]
hasher = sha256.New() hasher = sha256.New()
// SHA1 and MD5 are present here, because they're used for unmanaged transport.
// TODO: get rid of this, when unmanaged transport is completely removed.
case cert.Hostkey.Kind&git2go.HostkeySHA1 > 0:
fingerprint = cert.Hostkey.HashSHA1[:]
hasher = sha1.New()
case cert.Hostkey.Kind&git2go.HostkeyMD5 > 0:
fingerprint = cert.Hostkey.HashMD5[:]
hasher = md5.New()
default: default:
return fmt.Errorf("invalid host key kind, expected to be one of SHA256, SHA1, MD5") return fmt.Errorf("invalid host key kind, expected to be of kind SHA256")
} }
// We are now certain that the configured host and the hostname // We are now certain that the configured host and the hostname
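Review bot: In the `KnownHostsCallback` hunk, the `default` branch is now the only thing that rejects a certificate carrying just an MD5 or SHA1 hash, but with the old TODO removed there is no comment saying the rejection is deliberate. I would add above the `switch` something like `// Only SHA256 fingerprints are accepted; MD5 and SHA1 host key hashes are rejected on purpose.` so the weaker kinds are not re-added later. The test hunks visible on this page switch the existing cases to SHA256 but do not appear to add one that passes `Kind: git2go.HostkeySHA1` and expects the "invalid host key kind" error; that case would pin the new behaviour. The function body continues outside the hunk.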


@ -29,7 +29,7 @@ func TestKnownHostsCallback(t *testing.T) {
name: "Match", name: "Match",
host: "github.com", host: "github.com",
knownHosts: []byte(knownHostsFixture), knownHosts: []byte(knownHostsFixture),
hostkey: git2go.HostkeyCertificate{Kind: git2go.HostkeySHA1 | git2go.HostkeyMD5, HashSHA1: sha1Fingerprint("v2toJdKXfFEaR1u++4iq1UqSrHM")}, hostkey: git2go.HostkeyCertificate{Kind: git2go.HostkeySHA256, HashSHA256: sha256Fingerprint("nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8")},
expectedHost: "github.com", expectedHost: "github.com",
want: nil, want: nil,
}, },
@ -37,7 +37,7 @@ func TestKnownHostsCallback(t *testing.T) {
name: "Match with port", name: "Match with port",
host: "github.com", host: "github.com",
knownHosts: []byte(knownHostsFixture), knownHosts: []byte(knownHostsFixture),
hostkey: git2go.HostkeyCertificate{Kind: git2go.HostkeySHA1 | git2go.HostkeyMD5, HashSHA1: sha1Fingerprint("v2toJdKXfFEaR1u++4iq1UqSrHM")}, hostkey: git2go.HostkeyCertificate{Kind: git2go.HostkeySHA256, HashSHA256: sha256Fingerprint("nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8")},
expectedHost: "github.com:22", expectedHost: "github.com:22",
want: nil, want: nil,
}, },
@ -45,7 +45,7 @@ func TestKnownHostsCallback(t *testing.T) {
name: "Hostname mismatch", name: "Hostname mismatch",
host: "github.com", host: "github.com",
knownHosts: []byte(knownHostsFixture), knownHosts: []byte(knownHostsFixture),
hostkey: git2go.HostkeyCertificate{Kind: git2go.HostkeySHA1 | git2go.HostkeyMD5, HashSHA1: sha1Fingerprint("v2toJdKXfFEaR1u++4iq1UqSrHM")}, hostkey: git2go.HostkeyCertificate{Kind: git2go.HostkeySHA256, HashSHA256: sha256Fingerprint("nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8")},
expectedHost: "example.com", expectedHost: "example.com",
want: fmt.Errorf("host mismatch: %q %q", "example.com", "github.com"), want: fmt.Errorf("host mismatch: %q %q", "example.com", "github.com"),
}, },
@ -53,7 +53,7 @@ func TestKnownHostsCallback(t *testing.T) {
name: "Hostkey mismatch", name: "Hostkey mismatch",
host: "github.com", host: "github.com",
knownHosts: []byte(knownHostsFixture), knownHosts: []byte(knownHostsFixture),
hostkey: git2go.HostkeyCertificate{Kind: git2go.HostkeyMD5, HashMD5: md5Fingerprint("\xb6\x03\x0e\x39\x97\x9e\xd0\xe7\x24\xce\xa3\x77\x3e\x01\x42\x09")}, hostkey: git2go.HostkeyCertificate{Kind: git2go.HostkeySHA256, HashSHA256: sha256Fingerprint("ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ")},
expectedHost: "github.com", expectedHost: "github.com",
want: fmt.Errorf("hostkey could not be verified"), want: fmt.Errorf("hostkey could not be verified"),
}, },
@ -73,21 +73,6 @@ func TestKnownHostsCallback(t *testing.T) {
}) })
} }
} }
func md5Fingerprint(in string) [16]byte {
var out [16]byte
copy(out[:], in)
return out
}
func sha1Fingerprint(in string) [20]byte {
d, err := base64.RawStdEncoding.DecodeString(in)
if err != nil {
panic(err)
}
var out [20]byte
copy(out[:], d)
return out
}
func sha256Fingerprint(in string) [32]byte { func sha256Fingerprint(in string) [32]byte {
d, err := base64.RawStdEncoding.DecodeString(in) d, err := base64.RawStdEncoding.DecodeString(in)