grafana/SOURCES/1001-vendor-patch-removed-backend-crypto.patch
2023-05-09 06:54:57 +00:00

428 lines
13 KiB
Diff

patch removed backend crypto
the `Makefile` removed a few files containing (unused) crypto
algorithms from the vendor tarball, which are not used in Grafana.
This patch removes all references to the deleted files.
diff --git a/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go
new file mode 100644
index 0000000000..871e612a61
--- /dev/null
+++ b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go
@@ -0,0 +1,25 @@
+package elgamal
+
+import (
+ "io"
+ "math/big"
+)
+
+// PublicKey represents an ElGamal public key.
+type PublicKey struct {
+ G, P, Y *big.Int
+}
+
+// PrivateKey represents an ElGamal private key.
+type PrivateKey struct {
+ PublicKey
+ X *big.Int
+}
+
+func Encrypt(random io.Reader, pub *PublicKey, msg []byte) (c1, c2 *big.Int, err error) {
+ panic("ElGamal encryption not available")
+}
+
+func Decrypt(priv *PrivateKey, c1, c2 *big.Int) (msg []byte, err error) {
+ panic("ElGamal encryption not available")
+}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/packet.go b/vendor/golang.org/x/crypto/openpgp/packet/packet.go
index 0a19794a8e..25a5ee9158 100644
--- a/vendor/golang.org/x/crypto/openpgp/packet/packet.go
+++ b/vendor/golang.org/x/crypto/openpgp/packet/packet.go
@@ -22,7 +22,6 @@ import (
"math/big"
"math/bits"
- "golang.org/x/crypto/cast5"
"golang.org/x/crypto/openpgp/errors"
)
@@ -493,7 +492,7 @@ func (cipher CipherFunction) KeySize() int {
case Cipher3DES:
return 24
case CipherCAST5:
- return cast5.KeySize
+ panic("cast5 cipher not available")
case CipherAES128:
return 16
case CipherAES192:
@@ -523,7 +522,7 @@ func (cipher CipherFunction) new(key []byte) (block cipher.Block) {
case Cipher3DES:
block, _ = des.NewTripleDESCipher(key)
case CipherCAST5:
- block, _ = cast5.NewCipher(key)
+ panic("cast5 cipher not available")
case CipherAES128, CipherAES192, CipherAES256:
block, _ = aes.NewCipher(key)
}
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go
index 6126030eb9..3a54c5f2b1 100644
--- a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go
+++ b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go
@@ -5,13 +5,12 @@
package packet
import (
- "crypto/cipher"
"crypto/sha1"
"crypto/subtle"
- "golang.org/x/crypto/openpgp/errors"
"hash"
"io"
- "strconv"
+
+ "golang.org/x/crypto/openpgp/errors"
)
// SymmetricallyEncrypted represents a symmetrically encrypted byte string. The
@@ -45,46 +44,7 @@ func (se *SymmetricallyEncrypted) parse(r io.Reader) error {
// packet can be read. An incorrect key can, with high probability, be detected
// immediately and this will result in a KeyIncorrect error being returned.
func (se *SymmetricallyEncrypted) Decrypt(c CipherFunction, key []byte) (io.ReadCloser, error) {
- keySize := c.KeySize()
- if keySize == 0 {
- return nil, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(c)))
- }
- if len(key) != keySize {
- return nil, errors.InvalidArgumentError("SymmetricallyEncrypted: incorrect key length")
- }
-
- if se.prefix == nil {
- se.prefix = make([]byte, c.blockSize()+2)
- _, err := readFull(se.contents, se.prefix)
- if err != nil {
- return nil, err
- }
- } else if len(se.prefix) != c.blockSize()+2 {
- return nil, errors.InvalidArgumentError("can't try ciphers with different block lengths")
- }
-
- ocfbResync := OCFBResync
- if se.MDC {
- // MDC packets use a different form of OCFB mode.
- ocfbResync = OCFBNoResync
- }
-
- s := NewOCFBDecrypter(c.new(key), se.prefix, ocfbResync)
- if s == nil {
- return nil, errors.ErrKeyIncorrect
- }
-
- plaintext := cipher.StreamReader{S: s, R: se.contents}
-
- if se.MDC {
- // MDC packets have an embedded hash that we need to check.
- h := sha1.New()
- h.Write(se.prefix)
- return &seMDCReader{in: plaintext, h: h}, nil
- }
-
- // Otherwise, we just need to wrap plaintext so that it's a valid ReadCloser.
- return seReader{plaintext}, nil
+ panic("OCFB cipher not available")
}
// seReader wraps an io.Reader with a no-op Close method.
@@ -254,37 +214,5 @@ func (c noOpCloser) Close() error {
// written.
// If config is nil, sensible defaults will be used.
func SerializeSymmetricallyEncrypted(w io.Writer, c CipherFunction, key []byte, config *Config) (contents io.WriteCloser, err error) {
- if c.KeySize() != len(key) {
- return nil, errors.InvalidArgumentError("SymmetricallyEncrypted.Serialize: bad key length")
- }
- writeCloser := noOpCloser{w}
- ciphertext, err := serializeStreamHeader(writeCloser, packetTypeSymmetricallyEncryptedMDC)
- if err != nil {
- return
- }
-
- _, err = ciphertext.Write([]byte{symmetricallyEncryptedVersion})
- if err != nil {
- return
- }
-
- block := c.new(key)
- blockSize := block.BlockSize()
- iv := make([]byte, blockSize)
- _, err = config.Random().Read(iv)
- if err != nil {
- return
- }
- s, prefix := NewOCFBEncrypter(block, iv, OCFBNoResync)
- _, err = ciphertext.Write(prefix)
- if err != nil {
- return
- }
- plaintext := cipher.StreamWriter{S: s, W: ciphertext}
-
- h := sha1.New()
- h.Write(iv)
- h.Write(iv[blockSize-2:])
- contents = &seMDCWriter{w: plaintext, h: h}
- return
+ panic("OCFB cipher not available")
}
diff --git a/vendor/golang.org/x/crypto/pkcs12/crypto.go b/vendor/golang.org/x/crypto/pkcs12/crypto.go
index 484ca51b71..5f502b8df1 100644
--- a/vendor/golang.org/x/crypto/pkcs12/crypto.go
+++ b/vendor/golang.org/x/crypto/pkcs12/crypto.go
@@ -11,8 +11,6 @@ import (
"crypto/x509/pkix"
"encoding/asn1"
"errors"
-
- "golang.org/x/crypto/pkcs12/internal/rc2"
)
var (
@@ -46,10 +44,6 @@ func (shaWithTripleDESCBC) deriveIV(salt, password []byte, iterations int) []byt
type shaWith40BitRC2CBC struct{}
-func (shaWith40BitRC2CBC) create(key []byte) (cipher.Block, error) {
- return rc2.New(key, len(key)*8)
-}
-
func (shaWith40BitRC2CBC) deriveKey(salt, password []byte, iterations int) []byte {
return pbkdf(sha1Sum, 20, 64, salt, password, iterations, 1, 5)
}
@@ -70,7 +64,7 @@ func pbDecrypterFor(algorithm pkix.AlgorithmIdentifier, password []byte) (cipher
case algorithm.Algorithm.Equal(oidPBEWithSHAAnd3KeyTripleDESCBC):
cipherType = shaWithTripleDESCBC{}
case algorithm.Algorithm.Equal(oidPBEWithSHAAnd40BitRC2CBC):
- cipherType = shaWith40BitRC2CBC{}
+ panic("RC2 encryption not available")
default:
return nil, 0, NotImplementedError("algorithm " + algorithm.Algorithm.String() + " is not supported")
}
diff --git a/vendor/github.com/prometheus/exporter-toolkit/web/handler.go b/vendor/github.com/prometheus/exporter-toolkit/web/handler.go
index ae3ebc03b9..11dbc3c56e 100644
--- a/vendor/github.com/prometheus/exporter-toolkit/web/handler.go
+++ b/vendor/github.com/prometheus/exporter-toolkit/web/handler.go
@@ -16,13 +16,11 @@
package web
import (
- "encoding/hex"
"fmt"
"net/http"
"sync"
"github.com/go-kit/log"
- "golang.org/x/crypto/bcrypt"
)
// extraHTTPHeaders is a map of HTTP headers that can be added to HTTP
@@ -36,22 +34,6 @@ var extraHTTPHeaders = map[string][]string{
"Content-Security-Policy": nil,
}
-func validateUsers(configPath string) error {
- c, err := getConfig(configPath)
- if err != nil {
- return err
- }
-
- for _, p := range c.Users {
- _, err = bcrypt.Cost([]byte(p))
- if err != nil {
- return err
- }
- }
-
- return nil
-}
-
// validateHeaderConfig checks that the provided header configuration is correct.
// It does not check the validity of all the values, only the ones which are
// well-defined enumerations.
@@ -83,55 +65,3 @@ type webHandler struct {
// only once in parallel as this is CPU intensive.
bcryptMtx sync.Mutex
}
-
-func (u *webHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
- c, err := getConfig(u.tlsConfigPath)
- if err != nil {
- u.logger.Log("msg", "Unable to parse configuration", "err", err)
- http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
- return
- }
-
- // Configure http headers.
- for k, v := range c.HTTPConfig.Header {
- w.Header().Set(k, v)
- }
-
- if len(c.Users) == 0 {
- u.handler.ServeHTTP(w, r)
- return
- }
-
- user, pass, auth := r.BasicAuth()
- if auth {
- hashedPassword, validUser := c.Users[user]
-
- if !validUser {
- // The user is not found. Use a fixed password hash to
- // prevent user enumeration by timing requests.
- // This is a bcrypt-hashed version of "fakepassword".
- hashedPassword = "$2y$10$QOauhQNbBCuQDKes6eFzPeMqBSjb7Mr5DUmpZ/VcEd00UAV/LDeSi"
- }
-
- cacheKey := hex.EncodeToString(append(append([]byte(user), []byte(hashedPassword)...), []byte(pass)...))
- authOk, ok := u.cache.get(cacheKey)
-
- if !ok {
- // This user, hashedPassword, password is not cached.
- u.bcryptMtx.Lock()
- err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(pass))
- u.bcryptMtx.Unlock()
-
- authOk = err == nil
- u.cache.set(cacheKey, authOk)
- }
-
- if authOk && validUser {
- u.handler.ServeHTTP(w, r)
- return
- }
- }
-
- w.Header().Set("WWW-Authenticate", "Basic")
- http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
-}
diff --git a/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go b/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go
index 2668964a06..291464ba7e 100644
--- a/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go
+++ b/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go
@@ -18,12 +18,8 @@ import (
"crypto/x509"
"fmt"
"io/ioutil"
- "net"
- "net/http"
"path/filepath"
- "github.com/go-kit/log"
- "github.com/go-kit/log/level"
"github.com/pkg/errors"
config_util "github.com/prometheus/common/config"
"gopkg.in/yaml.v2"
@@ -177,93 +173,6 @@ func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error) {
return cfg, nil
}
-// ListenAndServe starts the server on the given address. Based on the file
-// tlsConfigPath, TLS or basic auth could be enabled.
-func ListenAndServe(server *http.Server, tlsConfigPath string, logger log.Logger) error {
- listener, err := net.Listen("tcp", server.Addr)
- if err != nil {
- return err
- }
- defer listener.Close()
- return Serve(listener, server, tlsConfigPath, logger)
-}
-
-// Server starts the server on the given listener. Based on the file
-// tlsConfigPath, TLS or basic auth could be enabled.
-func Serve(l net.Listener, server *http.Server, tlsConfigPath string, logger log.Logger) error {
- if tlsConfigPath == "" {
- level.Info(logger).Log("msg", "TLS is disabled.", "http2", false)
- return server.Serve(l)
- }
-
- if err := validateUsers(tlsConfigPath); err != nil {
- return err
- }
-
- // Setup basic authentication.
- var handler http.Handler = http.DefaultServeMux
- if server.Handler != nil {
- handler = server.Handler
- }
-
- c, err := getConfig(tlsConfigPath)
- if err != nil {
- return err
- }
-
- server.Handler = &webHandler{
- tlsConfigPath: tlsConfigPath,
- logger: logger,
- handler: handler,
- cache: newCache(),
- }
-
- config, err := ConfigToTLSConfig(&c.TLSConfig)
- switch err {
- case nil:
- if !c.HTTPConfig.HTTP2 {
- server.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler))
- }
- // Valid TLS config.
- level.Info(logger).Log("msg", "TLS is enabled.", "http2", c.HTTPConfig.HTTP2)
- case errNoTLSConfig:
- // No TLS config, back to plain HTTP.
- level.Info(logger).Log("msg", "TLS is disabled.", "http2", false)
- return server.Serve(l)
- default:
- // Invalid TLS config.
- return err
- }
-
- server.TLSConfig = config
-
- // Set the GetConfigForClient method of the HTTPS server so that the config
- // and certs are reloaded on new connections.
- server.TLSConfig.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) {
- return getTLSConfig(tlsConfigPath)
- }
- return server.ServeTLS(l, "", "")
-}
-
-// Validate configuration file by reading the configuration and the certificates.
-func Validate(tlsConfigPath string) error {
- if tlsConfigPath == "" {
- return nil
- }
- if err := validateUsers(tlsConfigPath); err != nil {
- return err
- }
- c, err := getConfig(tlsConfigPath)
- if err != nil {
- return err
- }
- _, err = ConfigToTLSConfig(&c.TLSConfig)
- if err == errNoTLSConfig {
- return nil
- }
- return err
-}
-
type cipher uint16
func (c *cipher) UnmarshalYAML(unmarshal func(interface{}) error) error {
@@ -346,11 +255,3 @@ func (tv *tlsVersion) MarshalYAML() (interface{}, error) {
}
return fmt.Sprintf("%v", tv), nil
}
-
-// Listen starts the server on the given address. Based on the file
-// tlsConfigPath, TLS or basic auth could be enabled.
-//
-// Deprecated: Use ListenAndServe instead.
-func Listen(server *http.Server, tlsConfigPath string, logger log.Logger) error {
- return ListenAndServe(server, tlsConfigPath, logger)
-}