Update crypto fork to v0.6.0-1 tag (#22564)
This tag includes the most recent updates from upstream in order to pick up recently fixed CVEs. Changes included: 903e65687e...c3f983bc73
In addition this adds `utils/bcrypto.go` to restore the prior crypto behavior of truncating input > 72 chars. This commit in Crypto breaks functionality with long passwords or more commonly our reset tokens which are > 72 characters:bc7d1d1eb5
As described in the commit message, the prior behavior was to ignore the extra data. Since 72 bytes are plenty of data to prevent brute force attacks, there is not a significant need to report this error to the user.
This commit is contained in:
parent
1c3188a38a
commit
eafa23404e
2
e
2
e
|
@ -1 +1 @@
|
|||
Subproject commit b3710b8225e844c9807b3c3b071e13ffbb7123a2
|
||||
Subproject commit 15a99c576b46a7fcbddfadd75c5454280a3ece77
|
2
go.mod
2
go.mod
|
@ -377,5 +377,5 @@ replace (
|
|||
github.com/sirupsen/logrus => github.com/gravitational/logrus v1.4.4-0.20210817004754-047e20245621
|
||||
github.com/vulcand/predicate => github.com/gravitational/predicate v1.3.0
|
||||
// Use our internal crypto fork, to work around the issue with OpenSSH <= 7.6 mentioned here: https://github.com/golang/go/issues/53391
|
||||
golang.org/x/crypto => github.com/gravitational/crypto v0.0.0-20221221152432-903e65687e59
|
||||
golang.org/x/crypto => github.com/gravitational/crypto v0.6.0-1
|
||||
)
|
||||
|
|
8
go.sum
8
go.sum
|
@ -630,8 +630,8 @@ github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWm
|
|||
github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
|
||||
github.com/gravitational/configure v0.0.0-20180808141939-c3428bd84c23 h1:havbccuFO5fRj0O67oHXI7doShLig3rSIXfMrd/UnkA=
|
||||
github.com/gravitational/configure v0.0.0-20180808141939-c3428bd84c23/go.mod h1:XL9nebvlfNVvRzRPWdDcWootcyA0l7THiH/A+W1233g=
|
||||
github.com/gravitational/crypto v0.0.0-20221221152432-903e65687e59 h1:BzLRQAkAmmY2cZjVb8zEEG1dBkCxtJcBQyHnwKG+Qw0=
|
||||
github.com/gravitational/crypto v0.0.0-20221221152432-903e65687e59/go.mod h1:3quD/ATkf6oY+rnes5c3ExXTbLc8mueNue5/DoinL80=
|
||||
github.com/gravitational/crypto v0.6.0-1 h1:PHdaDbgIneHt29YwVXiUO0KCc1X9hQSeeHQlc2Ng9rQ=
|
||||
github.com/gravitational/crypto v0.6.0-1/go.mod h1:OXMgkmYHB/mOGFjhfCB+oiAcU38UEDWtRVcTFNqk8zg=
|
||||
github.com/gravitational/form v0.0.0-20151109031454-c4048f792f70 h1:To76nCJtM3DI0mdq3nGLzXqTV1wNOJByxv01+u9/BxM=
|
||||
github.com/gravitational/form v0.0.0-20151109031454-c4048f792f70/go.mod h1:88hFR45MpUd23d2vNWE/dYtesU50jKsbz0I9kH7UaBY=
|
||||
github.com/gravitational/go-cassandra-native-protocol v0.0.0-20221005103706-b9e66c056e90 h1:fPNJE2kaWC0Oy2YKxk1tbnqhKl3aTeXVAfjXzphJmI8=
|
||||
|
@ -1423,7 +1423,6 @@ golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug
|
|||
golang.org/x/net v0.0.0-20220630215102-69896b714898/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
|
||||
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
|
||||
golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
|
||||
golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
|
||||
golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
|
||||
golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
|
||||
golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
|
||||
|
@ -1525,7 +1524,6 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
|
|||
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
|
||||
|
@ -1533,7 +1531,6 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
|||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
|
||||
golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
|
||||
golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
|
||||
golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
|
||||
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
|
||||
golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw=
|
||||
|
@ -1548,7 +1545,6 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
|||
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
|
||||
golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
|
||||
golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
|
||||
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
|
||||
golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
|
||||
golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
|
||||
|
|
|
@ -35,6 +35,7 @@ import (
|
|||
"github.com/gravitational/teleport/lib/events"
|
||||
"github.com/gravitational/teleport/lib/modules"
|
||||
"github.com/gravitational/teleport/lib/services"
|
||||
"github.com/gravitational/teleport/lib/utils"
|
||||
)
|
||||
|
||||
const (
|
||||
|
@ -531,7 +532,7 @@ func (s *Server) generateAndUpsertRecoveryCodes(ctx context.Context, username st
|
|||
|
||||
hashedCodes := make([]types.RecoveryCode, len(codes))
|
||||
for i, token := range codes {
|
||||
hashedCode, err := bcrypt.GenerateFromPassword([]byte(token), bcrypt.DefaultCost)
|
||||
hashedCode, err := utils.BcryptFromPassword([]byte(token), bcrypt.DefaultCost)
|
||||
if err != nil {
|
||||
return nil, trace.Wrap(err)
|
||||
}
|
||||
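Review bot: The call on the `utils.BcryptFromPassword([]byte(token), bcrypt.DefaultCost)` line now binds only the first 72 bytes of each recovery code to the stored hash, and nothing at the call site says so; the verification side must cut the candidate the same way, or codes longer than 72 bytes will stop verifying the moment the fork's `CompareHashAndPassword` (not touched in this diff) adopts the same length check that `GenerateFromPassword` gained. I would add `// bcrypt only binds the first 72 bytes of each code; verification must truncate identically (see utils.BcryptFromPassword).` above the call. Since the description says these codes exceed 72 bytes, any fixed prefix or separators in the code format would now consume part of the 72-byte budget that actually gets hashed — the format is not visible here, so treat that as something to confirm rather than a defect. `generateAndUpsertRecoveryCodes` starts and ends outside the hunk.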
|
|
|
@ -43,6 +43,7 @@ import (
|
|||
"github.com/gravitational/teleport/lib/backend"
|
||||
"github.com/gravitational/teleport/lib/defaults"
|
||||
"github.com/gravitational/teleport/lib/services"
|
||||
"github.com/gravitational/teleport/lib/utils"
|
||||
)
|
||||
|
||||
// GlobalSessionDataMaxEntries represents the maximum number of in-flight
|
||||
|
@ -541,7 +542,7 @@ func (s *IdentityService) UpsertPassword(user string, password []byte) error {
|
|||
if err != nil {
|
||||
return trace.Wrap(err)
|
||||
}
|
||||
hash, err := bcrypt.GenerateFromPassword(password, bcrypt.DefaultCost)
|
||||
hash, err := utils.BcryptFromPassword(password, bcrypt.DefaultCost)
|
||||
if err != nil {
|
||||
return trace.Wrap(err)
|
||||
}
|
||||
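Review bot: `utils.BcryptFromPassword(password, bcrypt.DefaultCost)` silently truncates user-supplied passwords longer than 72 bytes, so any two passwords that share their first 72 bytes are interchangeable at login; this restores the pre-bump behaviour rather than introducing it, but the function's contract should state it instead of leaving it implicit in the helper. The error check just above the call suggests a validation step that sits outside the hunk; that is the natural place to either reject over-long passwords or at least record that only 72 bytes are checked, so a user choosing a 100-character passphrase is not misled about its strength. At minimum I would add `// Only the first 72 bytes are hashed (bcrypt limit); longer passwords are truncated, matching the pre-v0.6.0 crypto behaviour.` above the call. `UpsertPassword` starts outside the hunk.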
|
|
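--- /dev/null
+++ b/lib/utils/bcrypt.go
@@ -0,0 +1,39 @@
+/*
+Copyright 2023 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package utils
+
+import (
+	"golang.org/x/crypto/bcrypt"
+)
+
+const maxInputSize = 72
+
+// truncateToMaxSize Make sure input is truncated to the maximum length crypto accepts. Crypto changed the behavior
+// from ignoring the extra input to returning an error, this truncation is necessary to maintain compatibility with
+// customers who have long passwords, or more commonly our recovery codes.
+func truncateToMaxSize(input []byte) []byte {
+	if len(input) > maxInputSize {
+		return input[:maxInputSize]
+	}
+	return input
+}
+
+// BcryptFromPassword delegates to bcrypt.GenerateFromPassword, but maintains the prior behavior of only hashing the
+// first 72 bytes. BCrypt as an algorithm can not hash inputs > 72 bytes.
+func BcryptFromPassword(password []byte, cost int) ([]byte, error) {
+	return bcrypt.GenerateFromPassword(truncateToMaxSize(password), cost)
+}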
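Review bot: `BcryptFromPassword` covers hashing only; the comparison side still goes through `bcrypt.CompareHashAndPassword` directly (no verify-side call is changed in this diff), so the 72-byte truncation rule now lives in this file for writes but relies on library behaviour for reads. That is correct only as long as the fork's `CompareHashAndPassword` keeps ignoring bytes beyond 72 — I cannot confirm that from this diff, and if it ever gains the same length check that `GenerateFromPassword` acquired, every recovery code or password longer than 72 bytes stops verifying with no change on Teleport's side. A matching wrapper keeps both paths under one rule and gives call sites a single helper to import. I would also tighten the `truncateToMaxSize` comment to say the cut is byte-based, not character-based, so a multi-byte UTF-8 sequence straddling the 72-byte boundary is split (harmless for hashing, but worth stating).
```go
// BcryptCompare verifies password against hashedPassword using the same
// 72-byte truncation as BcryptFromPassword, so inputs longer than 72 bytes
// keep verifying regardless of how the underlying library treats them.
func BcryptCompare(hashedPassword, password []byte) error {
	return bcrypt.CompareHashAndPassword(hashedPassword, truncateToMaxSize(password))
}
```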