def032aa4e
Resolves: rhbz#2116847 Resolves: rhbz#2095421
428 lines
13 KiB
Diff
428 lines
13 KiB
Diff
patch removed backend crypto
|
|
|
|
the `Makefile` removed a few files containing (unused) crypto
|
|
algorithms from the vendor tarball, which are not used in Grafana.
|
|
This patch removes all references to the deleted files.
|
|
|
|
diff --git a/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go
|
|
new file mode 100644
|
|
index 0000000000..871e612a61
|
|
--- /dev/null
|
|
+++ b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go
|
|
@@ -0,0 +1,25 @@
|
|
+package elgamal
|
|
+
|
|
+import (
|
|
+ "io"
|
|
+ "math/big"
|
|
+)
|
|
+
|
|
+// PublicKey represents an ElGamal public key.
|
|
+type PublicKey struct {
|
|
+ G, P, Y *big.Int
|
|
+}
|
|
+
|
|
+// PrivateKey represents an ElGamal private key.
|
|
+type PrivateKey struct {
|
|
+ PublicKey
|
|
+ X *big.Int
|
|
+}
|
|
+
|
|
+func Encrypt(random io.Reader, pub *PublicKey, msg []byte) (c1, c2 *big.Int, err error) {
|
|
+ panic("ElGamal encryption not available")
|
|
+}
|
|
+
|
|
+func Decrypt(priv *PrivateKey, c1, c2 *big.Int) (msg []byte, err error) {
|
|
+ panic("ElGamal encryption not available")
|
|
+}
|
|
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/packet.go b/vendor/golang.org/x/crypto/openpgp/packet/packet.go
|
|
index 0a19794a8e..25a5ee9158 100644
|
|
--- a/vendor/golang.org/x/crypto/openpgp/packet/packet.go
|
|
+++ b/vendor/golang.org/x/crypto/openpgp/packet/packet.go
|
|
@@ -22,7 +22,6 @@ import (
|
|
"math/big"
|
|
"math/bits"
|
|
|
|
- "golang.org/x/crypto/cast5"
|
|
"golang.org/x/crypto/openpgp/errors"
|
|
)
|
|
|
|
@@ -493,7 +492,7 @@ func (cipher CipherFunction) KeySize() int {
|
|
case Cipher3DES:
|
|
return 24
|
|
case CipherCAST5:
|
|
- return cast5.KeySize
|
|
+ panic("cast5 cipher not available")
|
|
case CipherAES128:
|
|
return 16
|
|
case CipherAES192:
|
|
@@ -523,7 +522,7 @@ func (cipher CipherFunction) new(key []byte) (block cipher.Block) {
|
|
case Cipher3DES:
|
|
block, _ = des.NewTripleDESCipher(key)
|
|
case CipherCAST5:
|
|
- block, _ = cast5.NewCipher(key)
|
|
+ panic("cast5 cipher not available")
|
|
case CipherAES128, CipherAES192, CipherAES256:
|
|
block, _ = aes.NewCipher(key)
|
|
}
|
|
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go
|
|
index 6126030eb9..3a54c5f2b1 100644
|
|
--- a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go
|
|
+++ b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go
|
|
@@ -5,13 +5,12 @@
|
|
package packet
|
|
|
|
import (
|
|
- "crypto/cipher"
|
|
"crypto/sha1"
|
|
"crypto/subtle"
|
|
- "golang.org/x/crypto/openpgp/errors"
|
|
"hash"
|
|
"io"
|
|
- "strconv"
|
|
+
|
|
+ "golang.org/x/crypto/openpgp/errors"
|
|
)
|
|
|
|
// SymmetricallyEncrypted represents a symmetrically encrypted byte string. The
|
|
@@ -45,46 +44,7 @@ func (se *SymmetricallyEncrypted) parse(r io.Reader) error {
|
|
// packet can be read. An incorrect key can, with high probability, be detected
|
|
// immediately and this will result in a KeyIncorrect error being returned.
|
|
func (se *SymmetricallyEncrypted) Decrypt(c CipherFunction, key []byte) (io.ReadCloser, error) {
|
|
- keySize := c.KeySize()
|
|
- if keySize == 0 {
|
|
- return nil, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(c)))
|
|
- }
|
|
- if len(key) != keySize {
|
|
- return nil, errors.InvalidArgumentError("SymmetricallyEncrypted: incorrect key length")
|
|
- }
|
|
-
|
|
- if se.prefix == nil {
|
|
- se.prefix = make([]byte, c.blockSize()+2)
|
|
- _, err := readFull(se.contents, se.prefix)
|
|
- if err != nil {
|
|
- return nil, err
|
|
- }
|
|
- } else if len(se.prefix) != c.blockSize()+2 {
|
|
- return nil, errors.InvalidArgumentError("can't try ciphers with different block lengths")
|
|
- }
|
|
-
|
|
- ocfbResync := OCFBResync
|
|
- if se.MDC {
|
|
- // MDC packets use a different form of OCFB mode.
|
|
- ocfbResync = OCFBNoResync
|
|
- }
|
|
-
|
|
- s := NewOCFBDecrypter(c.new(key), se.prefix, ocfbResync)
|
|
- if s == nil {
|
|
- return nil, errors.ErrKeyIncorrect
|
|
- }
|
|
-
|
|
- plaintext := cipher.StreamReader{S: s, R: se.contents}
|
|
-
|
|
- if se.MDC {
|
|
- // MDC packets have an embedded hash that we need to check.
|
|
- h := sha1.New()
|
|
- h.Write(se.prefix)
|
|
- return &seMDCReader{in: plaintext, h: h}, nil
|
|
- }
|
|
-
|
|
- // Otherwise, we just need to wrap plaintext so that it's a valid ReadCloser.
|
|
- return seReader{plaintext}, nil
|
|
+ panic("OCFB cipher not available")
|
|
}
|
|
|
|
// seReader wraps an io.Reader with a no-op Close method.
|
|
@@ -254,37 +214,5 @@ func (c noOpCloser) Close() error {
|
|
// written.
|
|
// If config is nil, sensible defaults will be used.
|
|
func SerializeSymmetricallyEncrypted(w io.Writer, c CipherFunction, key []byte, config *Config) (contents io.WriteCloser, err error) {
|
|
- if c.KeySize() != len(key) {
|
|
- return nil, errors.InvalidArgumentError("SymmetricallyEncrypted.Serialize: bad key length")
|
|
- }
|
|
- writeCloser := noOpCloser{w}
|
|
- ciphertext, err := serializeStreamHeader(writeCloser, packetTypeSymmetricallyEncryptedMDC)
|
|
- if err != nil {
|
|
- return
|
|
- }
|
|
-
|
|
- _, err = ciphertext.Write([]byte{symmetricallyEncryptedVersion})
|
|
- if err != nil {
|
|
- return
|
|
- }
|
|
-
|
|
- block := c.new(key)
|
|
- blockSize := block.BlockSize()
|
|
- iv := make([]byte, blockSize)
|
|
- _, err = config.Random().Read(iv)
|
|
- if err != nil {
|
|
- return
|
|
- }
|
|
- s, prefix := NewOCFBEncrypter(block, iv, OCFBNoResync)
|
|
- _, err = ciphertext.Write(prefix)
|
|
- if err != nil {
|
|
- return
|
|
- }
|
|
- plaintext := cipher.StreamWriter{S: s, W: ciphertext}
|
|
-
|
|
- h := sha1.New()
|
|
- h.Write(iv)
|
|
- h.Write(iv[blockSize-2:])
|
|
- contents = &seMDCWriter{w: plaintext, h: h}
|
|
- return
|
|
+ panic("OCFB cipher not available")
|
|
}
|
|
diff --git a/vendor/golang.org/x/crypto/pkcs12/crypto.go b/vendor/golang.org/x/crypto/pkcs12/crypto.go
|
|
index 484ca51b71..5f502b8df1 100644
|
|
--- a/vendor/golang.org/x/crypto/pkcs12/crypto.go
|
|
+++ b/vendor/golang.org/x/crypto/pkcs12/crypto.go
|
|
@@ -11,8 +11,6 @@ import (
|
|
"crypto/x509/pkix"
|
|
"encoding/asn1"
|
|
"errors"
|
|
-
|
|
- "golang.org/x/crypto/pkcs12/internal/rc2"
|
|
)
|
|
|
|
var (
|
|
@@ -46,10 +44,6 @@ func (shaWithTripleDESCBC) deriveIV(salt, password []byte, iterations int) []byt
|
|
|
|
type shaWith40BitRC2CBC struct{}
|
|
|
|
-func (shaWith40BitRC2CBC) create(key []byte) (cipher.Block, error) {
|
|
- return rc2.New(key, len(key)*8)
|
|
-}
|
|
-
|
|
func (shaWith40BitRC2CBC) deriveKey(salt, password []byte, iterations int) []byte {
|
|
return pbkdf(sha1Sum, 20, 64, salt, password, iterations, 1, 5)
|
|
}
|
|
@@ -70,7 +64,7 @@ func pbDecrypterFor(algorithm pkix.AlgorithmIdentifier, password []byte) (cipher
|
|
case algorithm.Algorithm.Equal(oidPBEWithSHAAnd3KeyTripleDESCBC):
|
|
cipherType = shaWithTripleDESCBC{}
|
|
case algorithm.Algorithm.Equal(oidPBEWithSHAAnd40BitRC2CBC):
|
|
- cipherType = shaWith40BitRC2CBC{}
|
|
+ panic("RC2 encryption not available")
|
|
default:
|
|
return nil, 0, NotImplementedError("algorithm " + algorithm.Algorithm.String() + " is not supported")
|
|
}
|
|
diff --git a/vendor/github.com/prometheus/exporter-toolkit/web/handler.go b/vendor/github.com/prometheus/exporter-toolkit/web/handler.go
|
|
index ae3ebc03b9..11dbc3c56e 100644
|
|
--- a/vendor/github.com/prometheus/exporter-toolkit/web/handler.go
|
|
+++ b/vendor/github.com/prometheus/exporter-toolkit/web/handler.go
|
|
@@ -16,13 +16,11 @@
|
|
package web
|
|
|
|
import (
|
|
- "encoding/hex"
|
|
"fmt"
|
|
"net/http"
|
|
"sync"
|
|
|
|
"github.com/go-kit/log"
|
|
- "golang.org/x/crypto/bcrypt"
|
|
)
|
|
|
|
// extraHTTPHeaders is a map of HTTP headers that can be added to HTTP
|
|
@@ -36,22 +34,6 @@ var extraHTTPHeaders = map[string][]string{
|
|
"Content-Security-Policy": nil,
|
|
}
|
|
|
|
-func validateUsers(configPath string) error {
|
|
- c, err := getConfig(configPath)
|
|
- if err != nil {
|
|
- return err
|
|
- }
|
|
-
|
|
- for _, p := range c.Users {
|
|
- _, err = bcrypt.Cost([]byte(p))
|
|
- if err != nil {
|
|
- return err
|
|
- }
|
|
- }
|
|
-
|
|
- return nil
|
|
-}
|
|
-
|
|
// validateHeaderConfig checks that the provided header configuration is correct.
|
|
// It does not check the validity of all the values, only the ones which are
|
|
// well-defined enumerations.
|
|
@@ -83,55 +65,3 @@ type webHandler struct {
|
|
// only once in parallel as this is CPU intensive.
|
|
bcryptMtx sync.Mutex
|
|
}
|
|
-
|
|
-func (u *webHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
- c, err := getConfig(u.tlsConfigPath)
|
|
- if err != nil {
|
|
- u.logger.Log("msg", "Unable to parse configuration", "err", err)
|
|
- http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
- return
|
|
- }
|
|
-
|
|
- // Configure http headers.
|
|
- for k, v := range c.HTTPConfig.Header {
|
|
- w.Header().Set(k, v)
|
|
- }
|
|
-
|
|
- if len(c.Users) == 0 {
|
|
- u.handler.ServeHTTP(w, r)
|
|
- return
|
|
- }
|
|
-
|
|
- user, pass, auth := r.BasicAuth()
|
|
- if auth {
|
|
- hashedPassword, validUser := c.Users[user]
|
|
-
|
|
- if !validUser {
|
|
- // The user is not found. Use a fixed password hash to
|
|
- // prevent user enumeration by timing requests.
|
|
- // This is a bcrypt-hashed version of "fakepassword".
|
|
- hashedPassword = "$2y$10$QOauhQNbBCuQDKes6eFzPeMqBSjb7Mr5DUmpZ/VcEd00UAV/LDeSi"
|
|
- }
|
|
-
|
|
- cacheKey := hex.EncodeToString(append(append([]byte(user), []byte(hashedPassword)...), []byte(pass)...))
|
|
- authOk, ok := u.cache.get(cacheKey)
|
|
-
|
|
- if !ok {
|
|
- // This user, hashedPassword, password is not cached.
|
|
- u.bcryptMtx.Lock()
|
|
- err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(pass))
|
|
- u.bcryptMtx.Unlock()
|
|
-
|
|
- authOk = err == nil
|
|
- u.cache.set(cacheKey, authOk)
|
|
- }
|
|
-
|
|
- if authOk && validUser {
|
|
- u.handler.ServeHTTP(w, r)
|
|
- return
|
|
- }
|
|
- }
|
|
-
|
|
- w.Header().Set("WWW-Authenticate", "Basic")
|
|
- http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
|
|
-}
|
|
diff --git a/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go b/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go
|
|
index 2668964a06..291464ba7e 100644
|
|
--- a/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go
|
|
+++ b/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go
|
|
@@ -18,12 +18,8 @@ import (
|
|
"crypto/x509"
|
|
"fmt"
|
|
"io/ioutil"
|
|
- "net"
|
|
- "net/http"
|
|
"path/filepath"
|
|
|
|
- "github.com/go-kit/log"
|
|
- "github.com/go-kit/log/level"
|
|
"github.com/pkg/errors"
|
|
config_util "github.com/prometheus/common/config"
|
|
"gopkg.in/yaml.v2"
|
|
@@ -177,93 +173,6 @@ func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error) {
|
|
return cfg, nil
|
|
}
|
|
|
|
-// ListenAndServe starts the server on the given address. Based on the file
|
|
-// tlsConfigPath, TLS or basic auth could be enabled.
|
|
-func ListenAndServe(server *http.Server, tlsConfigPath string, logger log.Logger) error {
|
|
- listener, err := net.Listen("tcp", server.Addr)
|
|
- if err != nil {
|
|
- return err
|
|
- }
|
|
- defer listener.Close()
|
|
- return Serve(listener, server, tlsConfigPath, logger)
|
|
-}
|
|
-
|
|
-// Server starts the server on the given listener. Based on the file
|
|
-// tlsConfigPath, TLS or basic auth could be enabled.
|
|
-func Serve(l net.Listener, server *http.Server, tlsConfigPath string, logger log.Logger) error {
|
|
- if tlsConfigPath == "" {
|
|
- level.Info(logger).Log("msg", "TLS is disabled.", "http2", false)
|
|
- return server.Serve(l)
|
|
- }
|
|
-
|
|
- if err := validateUsers(tlsConfigPath); err != nil {
|
|
- return err
|
|
- }
|
|
-
|
|
- // Setup basic authentication.
|
|
- var handler http.Handler = http.DefaultServeMux
|
|
- if server.Handler != nil {
|
|
- handler = server.Handler
|
|
- }
|
|
-
|
|
- c, err := getConfig(tlsConfigPath)
|
|
- if err != nil {
|
|
- return err
|
|
- }
|
|
-
|
|
- server.Handler = &webHandler{
|
|
- tlsConfigPath: tlsConfigPath,
|
|
- logger: logger,
|
|
- handler: handler,
|
|
- cache: newCache(),
|
|
- }
|
|
-
|
|
- config, err := ConfigToTLSConfig(&c.TLSConfig)
|
|
- switch err {
|
|
- case nil:
|
|
- if !c.HTTPConfig.HTTP2 {
|
|
- server.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler))
|
|
- }
|
|
- // Valid TLS config.
|
|
- level.Info(logger).Log("msg", "TLS is enabled.", "http2", c.HTTPConfig.HTTP2)
|
|
- case errNoTLSConfig:
|
|
- // No TLS config, back to plain HTTP.
|
|
- level.Info(logger).Log("msg", "TLS is disabled.", "http2", false)
|
|
- return server.Serve(l)
|
|
- default:
|
|
- // Invalid TLS config.
|
|
- return err
|
|
- }
|
|
-
|
|
- server.TLSConfig = config
|
|
-
|
|
- // Set the GetConfigForClient method of the HTTPS server so that the config
|
|
- // and certs are reloaded on new connections.
|
|
- server.TLSConfig.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) {
|
|
- return getTLSConfig(tlsConfigPath)
|
|
- }
|
|
- return server.ServeTLS(l, "", "")
|
|
-}
|
|
-
|
|
-// Validate configuration file by reading the configuration and the certificates.
|
|
-func Validate(tlsConfigPath string) error {
|
|
- if tlsConfigPath == "" {
|
|
- return nil
|
|
- }
|
|
- if err := validateUsers(tlsConfigPath); err != nil {
|
|
- return err
|
|
- }
|
|
- c, err := getConfig(tlsConfigPath)
|
|
- if err != nil {
|
|
- return err
|
|
- }
|
|
- _, err = ConfigToTLSConfig(&c.TLSConfig)
|
|
- if err == errNoTLSConfig {
|
|
- return nil
|
|
- }
|
|
- return err
|
|
-}
|
|
-
|
|
type cipher uint16
|
|
|
|
func (c *cipher) UnmarshalYAML(unmarshal func(interface{}) error) error {
|
|
@@ -346,11 +255,3 @@ func (tv *tlsVersion) MarshalYAML() (interface{}, error) {
|
|
}
|
|
return fmt.Sprintf("%v", tv), nil
|
|
}
|
|
-
|
|
-// Listen starts the server on the given address. Based on the file
|
|
-// tlsConfigPath, TLS or basic auth could be enabled.
|
|
-//
|
|
-// Deprecated: Use ListenAndServe instead.
|
|
-func Listen(server *http.Server, tlsConfigPath string, logger log.Logger) error {
|
|
- return ListenAndServe(server, tlsConfigPath, logger)
|
|
-}
|