mirror of
https://github.com/gravitational/teleport
synced 2024-10-19 16:53:57 +00:00
Update crypto fork to v0.6.0-1 tag (#22564)
This tag includes the most recent updates from the upstream in order to address recently fixed CVE's. Changes included:903e65687e...c3f983bc73In addition this adds `utils/bcrypto.go` to restore the prior crypto behavior of truncating input > 72 chars. This commit in Crypto breaks functionality with long passwords or more commonly our reset tokens which are > 72 characters:bc7d1d1eb5As described in the commit message, the prior behavior was to ignore the extra data. Since 72 bytes are plenty of data to prevent brute force attacks, there is not a significant need to report this error to the user.
This commit is contained in:
Mike Jensen
GitHub
parent
1c3188a38a
commit
eafa23404e
2
e
2
e
|
|
@ -1 +1 @@
|
|||
Subproject commit b3710b8225e844c9807b3c3b071e13ffbb7123a2
|
||||
Subproject commit 15a99c576b46a7fcbddfadd75c5454280a3ece77
|
||||
2
go.mod
2
go.mod
|
|
@ -377,5 +377,5 @@ replace (
|
|||
github.com/sirupsen/logrus => github.com/gravitational/logrus v1.4.4-0.20210817004754-047e20245621
|
||||
github.com/vulcand/predicate => github.com/gravitational/predicate v1.3.0
|
||||
// Use our internal crypto fork, to work around the issue with OpenSSH <= 7.6 mentioned here: https://github.com/golang/go/issues/53391
|
||||
golang.org/x/crypto => github.com/gravitational/crypto v0.0.0-20221221152432-903e65687e59
|
||||
golang.org/x/crypto => github.com/gravitational/crypto v0.6.0-1
|
||||
)
|
||||
|
|
|
|||
8
go.sum
8
go.sum
|
|
@ -630,8 +630,8 @@ github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWm
|
|||
github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
|
||||
github.com/gravitational/configure v0.0.0-20180808141939-c3428bd84c23 h1:havbccuFO5fRj0O67oHXI7doShLig3rSIXfMrd/UnkA=
|
||||
github.com/gravitational/configure v0.0.0-20180808141939-c3428bd84c23/go.mod h1:XL9nebvlfNVvRzRPWdDcWootcyA0l7THiH/A+W1233g=
|
||||
github.com/gravitational/crypto v0.0.0-20221221152432-903e65687e59 h1:BzLRQAkAmmY2cZjVb8zEEG1dBkCxtJcBQyHnwKG+Qw0=
|
||||
github.com/gravitational/crypto v0.0.0-20221221152432-903e65687e59/go.mod h1:3quD/ATkf6oY+rnes5c3ExXTbLc8mueNue5/DoinL80=
|
||||
github.com/gravitational/crypto v0.6.0-1 h1:PHdaDbgIneHt29YwVXiUO0KCc1X9hQSeeHQlc2Ng9rQ=
|
||||
github.com/gravitational/crypto v0.6.0-1/go.mod h1:OXMgkmYHB/mOGFjhfCB+oiAcU38UEDWtRVcTFNqk8zg=
|
||||
github.com/gravitational/form v0.0.0-20151109031454-c4048f792f70 h1:To76nCJtM3DI0mdq3nGLzXqTV1wNOJByxv01+u9/BxM=
|
||||
github.com/gravitational/form v0.0.0-20151109031454-c4048f792f70/go.mod h1:88hFR45MpUd23d2vNWE/dYtesU50jKsbz0I9kH7UaBY=
|
||||
github.com/gravitational/go-cassandra-native-protocol v0.0.0-20221005103706-b9e66c056e90 h1:fPNJE2kaWC0Oy2YKxk1tbnqhKl3aTeXVAfjXzphJmI8=
|
||||
|
|
@ -1423,7 +1423,6 @@ golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug
|
|||
golang.org/x/net v0.0.0-20220630215102-69896b714898/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
|
||||
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
|
||||
golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
|
||||
golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
|
||||
golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
|
||||
golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
|
||||
golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
|
||||
|
|
@ -1525,7 +1524,6 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
|
|||
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
|
||||
|
|
@ -1533,7 +1531,6 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
|||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
|
||||
golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
|
||||
golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
|
||||
golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
|
||||
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
|
||||
golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw=
|
||||
|
|
@ -1548,7 +1545,6 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
|||
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
|
||||
golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
|
||||
golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
|
||||
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
|
||||
golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
|
||||
golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
|
||||
|
|
|
|||
|
|
@ -35,6 +35,7 @@ import (
|
|||
"github.com/gravitational/teleport/lib/events"
|
||||
"github.com/gravitational/teleport/lib/modules"
|
||||
"github.com/gravitational/teleport/lib/services"
|
||||
"github.com/gravitational/teleport/lib/utils"
|
||||
)
|
||||
|
||||
const (
|
||||
|
|
@ -531,7 +532,7 @@ func (s *Server) generateAndUpsertRecoveryCodes(ctx context.Context, username st
|
|||
|
||||
hashedCodes := make([]types.RecoveryCode, len(codes))
|
||||
for i, token := range codes {
|
||||
hashedCode, err := bcrypt.GenerateFromPassword([]byte(token), bcrypt.DefaultCost)
|
||||
hashedCode, err := utils.BcryptFromPassword([]byte(token), bcrypt.DefaultCost)
|
||||
if err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -43,6 +43,7 @@ import (
|
|||
"github.com/gravitational/teleport/lib/backend"
|
||||
"github.com/gravitational/teleport/lib/defaults"
|
||||
"github.com/gravitational/teleport/lib/services"
|
||||
"github.com/gravitational/teleport/lib/utils"
|
||||
)
|
||||
|
||||
// GlobalSessionDataMaxEntries represents the maximum number of in-flight
|
||||
|
|
@ -541,7 +542,7 @@ func (s *IdentityService) UpsertPassword(user string, password []byte) error {
|
|||
if err != nil {
|
||||
return trace.Wrap(err)
|
||||
}
|
||||
hash, err := bcrypt.GenerateFromPassword(password, bcrypt.DefaultCost)
|
||||
hash, err := utils.BcryptFromPassword(password, bcrypt.DefaultCost)
|
||||
if err != nil {
|
||||
return trace.Wrap(err)
|
||||
}
|
||||
|
|
|
|||
39
lib/utils/bcrypt.go
Normal file
39
lib/utils/bcrypt.go
Normal file
|
|
@ -0,0 +1,39 @@
|
|||
/*
|
||||
Copyright 2023 Gravitational, Inc.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package utils
|
||||
|
||||
import (
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
)
|
||||
|
||||
const maxInputSize = 72
|
||||
|
||||
// truncateToMaxSize Make sure input is truncated to the maximum length crypto accepts. Crypto changed the behavior
|
||||
// from ignoring the extra input to returning an error, this truncation is necessary to maintain compatibility with
|
||||
// customers who have long passwords, or more commonly our recovery codes.
|
||||
func truncateToMaxSize(input []byte) []byte {
|
||||
if len(input) > maxInputSize {
|
||||
return input[:maxInputSize]
|
||||
}
|
||||
return input
|
||||
}
|
||||
|
||||
// BcryptFromPassword delegates to bcrypt.GenerateFromPassword, but maintains the prior behavior of only hashing the
|
||||
// first 72 bytes. BCrypt as an algorithm can not hash inputs > 72 bytes.
|
||||
func BcryptFromPassword(password []byte, cost int) ([]byte, error) {
|
||||
return bcrypt.GenerateFromPassword(truncateToMaxSize(password), cost)
|
||||
}
|
||||
Loading…
Reference in a new issue