patch removed backend crypto the `Makefile` removed a few files containing (unused) crypto algorithms from the vendor tarball, which are not used in Grafana. This patch removes all references to the deleted files. diff --git a/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go new file mode 100644 index 0000000000..871e612a61 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go @@ -0,0 +1,25 @@ +package elgamal + +import ( + "io" + "math/big" +) + +// PublicKey represents an ElGamal public key. +type PublicKey struct { + G, P, Y *big.Int +} + +// PrivateKey represents an ElGamal private key. +type PrivateKey struct { + PublicKey + X *big.Int +} + +func Encrypt(random io.Reader, pub *PublicKey, msg []byte) (c1, c2 *big.Int, err error) { + panic("ElGamal encryption not available") +} + +func Decrypt(priv *PrivateKey, c1, c2 *big.Int) (msg []byte, err error) { + panic("ElGamal encryption not available") +} diff --git a/vendor/golang.org/x/crypto/openpgp/packet/packet.go b/vendor/golang.org/x/crypto/openpgp/packet/packet.go index 0a19794a8e..25a5ee9158 100644 --- a/vendor/golang.org/x/crypto/openpgp/packet/packet.go +++ b/vendor/golang.org/x/crypto/openpgp/packet/packet.go @@ -22,7 +22,6 @@ import ( "math/big" "math/bits" - "golang.org/x/crypto/cast5" "golang.org/x/crypto/openpgp/errors" ) @@ -493,7 +492,7 @@ func (cipher CipherFunction) KeySize() int { case Cipher3DES: return 24 case CipherCAST5: - return cast5.KeySize + panic("cast5 cipher not available") case CipherAES128: return 16 case CipherAES192: @@ -523,7 +522,7 @@ func (cipher CipherFunction) new(key []byte) (block cipher.Block) { case Cipher3DES: block, _ = des.NewTripleDESCipher(key) case CipherCAST5: - block, _ = cast5.NewCipher(key) + panic("cast5 cipher not available") case CipherAES128, CipherAES192, CipherAES256: block, _ = aes.NewCipher(key) } diff --git a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go index 6126030eb9..3a54c5f2b1 100644 --- a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go +++ b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go @@ -5,13 +5,12 @@ package packet import ( - "crypto/cipher" "crypto/sha1" "crypto/subtle" - "golang.org/x/crypto/openpgp/errors" "hash" "io" - "strconv" + + "golang.org/x/crypto/openpgp/errors" ) // SymmetricallyEncrypted represents a symmetrically encrypted byte string. The @@ -45,46 +44,7 @@ func (se *SymmetricallyEncrypted) parse(r io.Reader) error { // packet can be read. An incorrect key can, with high probability, be detected // immediately and this will result in a KeyIncorrect error being returned. func (se *SymmetricallyEncrypted) Decrypt(c CipherFunction, key []byte) (io.ReadCloser, error) { - keySize := c.KeySize() - if keySize == 0 { - return nil, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(c))) - } - if len(key) != keySize { - return nil, errors.InvalidArgumentError("SymmetricallyEncrypted: incorrect key length") - } - - if se.prefix == nil { - se.prefix = make([]byte, c.blockSize()+2) - _, err := readFull(se.contents, se.prefix) - if err != nil { - return nil, err - } - } else if len(se.prefix) != c.blockSize()+2 { - return nil, errors.InvalidArgumentError("can't try ciphers with different block lengths") - } - - ocfbResync := OCFBResync - if se.MDC { - // MDC packets use a different form of OCFB mode. - ocfbResync = OCFBNoResync - } - - s := NewOCFBDecrypter(c.new(key), se.prefix, ocfbResync) - if s == nil { - return nil, errors.ErrKeyIncorrect - } - - plaintext := cipher.StreamReader{S: s, R: se.contents} - - if se.MDC { - // MDC packets have an embedded hash that we need to check. - h := sha1.New() - h.Write(se.prefix) - return &seMDCReader{in: plaintext, h: h}, nil - } - - // Otherwise, we just need to wrap plaintext so that it's a valid ReadCloser. - return seReader{plaintext}, nil + panic("OCFB cipher not available") } // seReader wraps an io.Reader with a no-op Close method. @@ -254,37 +214,5 @@ func (c noOpCloser) Close() error { // written. // If config is nil, sensible defaults will be used. func SerializeSymmetricallyEncrypted(w io.Writer, c CipherFunction, key []byte, config *Config) (contents io.WriteCloser, err error) { - if c.KeySize() != len(key) { - return nil, errors.InvalidArgumentError("SymmetricallyEncrypted.Serialize: bad key length") - } - writeCloser := noOpCloser{w} - ciphertext, err := serializeStreamHeader(writeCloser, packetTypeSymmetricallyEncryptedMDC) - if err != nil { - return - } - - _, err = ciphertext.Write([]byte{symmetricallyEncryptedVersion}) - if err != nil { - return - } - - block := c.new(key) - blockSize := block.BlockSize() - iv := make([]byte, blockSize) - _, err = config.Random().Read(iv) - if err != nil { - return - } - s, prefix := NewOCFBEncrypter(block, iv, OCFBNoResync) - _, err = ciphertext.Write(prefix) - if err != nil { - return - } - plaintext := cipher.StreamWriter{S: s, W: ciphertext} - - h := sha1.New() - h.Write(iv) - h.Write(iv[blockSize-2:]) - contents = &seMDCWriter{w: plaintext, h: h} - return + panic("OCFB cipher not available") } diff --git a/vendor/golang.org/x/crypto/pkcs12/crypto.go b/vendor/golang.org/x/crypto/pkcs12/crypto.go index 484ca51b71..5f502b8df1 100644 --- a/vendor/golang.org/x/crypto/pkcs12/crypto.go +++ b/vendor/golang.org/x/crypto/pkcs12/crypto.go @@ -11,8 +11,6 @@ import ( "crypto/x509/pkix" "encoding/asn1" "errors" - - "golang.org/x/crypto/pkcs12/internal/rc2" ) var ( @@ -46,10 +44,6 @@ func (shaWithTripleDESCBC) deriveIV(salt, password []byte, iterations int) []byt type shaWith40BitRC2CBC struct{} -func (shaWith40BitRC2CBC) create(key []byte) (cipher.Block, error) { - return rc2.New(key, len(key)*8) -} - func (shaWith40BitRC2CBC) deriveKey(salt, password []byte, iterations int) []byte { return pbkdf(sha1Sum, 20, 64, salt, password, iterations, 1, 5) } @@ -70,7 +64,7 @@ func pbDecrypterFor(algorithm pkix.AlgorithmIdentifier, password []byte) (cipher case algorithm.Algorithm.Equal(oidPBEWithSHAAnd3KeyTripleDESCBC): cipherType = shaWithTripleDESCBC{} case algorithm.Algorithm.Equal(oidPBEWithSHAAnd40BitRC2CBC): - cipherType = shaWith40BitRC2CBC{} + panic("RC2 encryption not available") default: return nil, 0, NotImplementedError("algorithm " + algorithm.Algorithm.String() + " is not supported") } diff --git a/vendor/github.com/prometheus/exporter-toolkit/web/handler.go b/vendor/github.com/prometheus/exporter-toolkit/web/handler.go index ae3ebc03b9..11dbc3c56e 100644 --- a/vendor/github.com/prometheus/exporter-toolkit/web/handler.go +++ b/vendor/github.com/prometheus/exporter-toolkit/web/handler.go @@ -16,13 +16,11 @@ package web import ( - "encoding/hex" "fmt" "net/http" "sync" "github.com/go-kit/log" - "golang.org/x/crypto/bcrypt" ) // extraHTTPHeaders is a map of HTTP headers that can be added to HTTP @@ -36,22 +34,6 @@ var extraHTTPHeaders = map[string][]string{ "Content-Security-Policy": nil, } -func validateUsers(configPath string) error { - c, err := getConfig(configPath) - if err != nil { - return err - } - - for _, p := range c.Users { - _, err = bcrypt.Cost([]byte(p)) - if err != nil { - return err - } - } - - return nil -} - // validateHeaderConfig checks that the provided header configuration is correct. // It does not check the validity of all the values, only the ones which are // well-defined enumerations. @@ -83,55 +65,3 @@ type webHandler struct { // only once in parallel as this is CPU intensive. bcryptMtx sync.Mutex } - -func (u *webHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { - c, err := getConfig(u.tlsConfigPath) - if err != nil { - u.logger.Log("msg", "Unable to parse configuration", "err", err) - http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) - return - } - - // Configure http headers. - for k, v := range c.HTTPConfig.Header { - w.Header().Set(k, v) - } - - if len(c.Users) == 0 { - u.handler.ServeHTTP(w, r) - return - } - - user, pass, auth := r.BasicAuth() - if auth { - hashedPassword, validUser := c.Users[user] - - if !validUser { - // The user is not found. Use a fixed password hash to - // prevent user enumeration by timing requests. - // This is a bcrypt-hashed version of "fakepassword". - hashedPassword = "$2y$10$QOauhQNbBCuQDKes6eFzPeMqBSjb7Mr5DUmpZ/VcEd00UAV/LDeSi" - } - - cacheKey := hex.EncodeToString(append(append([]byte(user), []byte(hashedPassword)...), []byte(pass)...)) - authOk, ok := u.cache.get(cacheKey) - - if !ok { - // This user, hashedPassword, password is not cached. - u.bcryptMtx.Lock() - err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(pass)) - u.bcryptMtx.Unlock() - - authOk = err == nil - u.cache.set(cacheKey, authOk) - } - - if authOk && validUser { - u.handler.ServeHTTP(w, r) - return - } - } - - w.Header().Set("WWW-Authenticate", "Basic") - http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) -} diff --git a/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go b/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go index 2668964a06..291464ba7e 100644 --- a/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go +++ b/vendor/github.com/prometheus/exporter-toolkit/web/tls_config.go @@ -18,12 +18,8 @@ import ( "crypto/x509" "fmt" "io/ioutil" - "net" - "net/http" "path/filepath" - "github.com/go-kit/log" - "github.com/go-kit/log/level" "github.com/pkg/errors" config_util "github.com/prometheus/common/config" "gopkg.in/yaml.v2" @@ -177,93 +173,6 @@ func ConfigToTLSConfig(c *TLSStruct) (*tls.Config, error) { return cfg, nil } -// ListenAndServe starts the server on the given address. Based on the file -// tlsConfigPath, TLS or basic auth could be enabled. -func ListenAndServe(server *http.Server, tlsConfigPath string, logger log.Logger) error { - listener, err := net.Listen("tcp", server.Addr) - if err != nil { - return err - } - defer listener.Close() - return Serve(listener, server, tlsConfigPath, logger) -} - -// Server starts the server on the given listener. Based on the file -// tlsConfigPath, TLS or basic auth could be enabled. -func Serve(l net.Listener, server *http.Server, tlsConfigPath string, logger log.Logger) error { - if tlsConfigPath == "" { - level.Info(logger).Log("msg", "TLS is disabled.", "http2", false) - return server.Serve(l) - } - - if err := validateUsers(tlsConfigPath); err != nil { - return err - } - - // Setup basic authentication. - var handler http.Handler = http.DefaultServeMux - if server.Handler != nil { - handler = server.Handler - } - - c, err := getConfig(tlsConfigPath) - if err != nil { - return err - } - - server.Handler = &webHandler{ - tlsConfigPath: tlsConfigPath, - logger: logger, - handler: handler, - cache: newCache(), - } - - config, err := ConfigToTLSConfig(&c.TLSConfig) - switch err { - case nil: - if !c.HTTPConfig.HTTP2 { - server.TLSNextProto = make(map[string]func(*http.Server, *tls.Conn, http.Handler)) - } - // Valid TLS config. - level.Info(logger).Log("msg", "TLS is enabled.", "http2", c.HTTPConfig.HTTP2) - case errNoTLSConfig: - // No TLS config, back to plain HTTP. - level.Info(logger).Log("msg", "TLS is disabled.", "http2", false) - return server.Serve(l) - default: - // Invalid TLS config. - return err - } - - server.TLSConfig = config - - // Set the GetConfigForClient method of the HTTPS server so that the config - // and certs are reloaded on new connections. - server.TLSConfig.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) { - return getTLSConfig(tlsConfigPath) - } - return server.ServeTLS(l, "", "") -} - -// Validate configuration file by reading the configuration and the certificates. -func Validate(tlsConfigPath string) error { - if tlsConfigPath == "" { - return nil - } - if err := validateUsers(tlsConfigPath); err != nil { - return err - } - c, err := getConfig(tlsConfigPath) - if err != nil { - return err - } - _, err = ConfigToTLSConfig(&c.TLSConfig) - if err == errNoTLSConfig { - return nil - } - return err -} - type cipher uint16 func (c *cipher) UnmarshalYAML(unmarshal func(interface{}) error) error { @@ -346,11 +255,3 @@ func (tv *tlsVersion) MarshalYAML() (interface{}, error) { } return fmt.Sprintf("%v", tv), nil } - -// Listen starts the server on the given address. Based on the file -// tlsConfigPath, TLS or basic auth could be enabled. -// -// Deprecated: Use ListenAndServe instead. -func Listen(server *http.Server, tlsConfigPath string, logger log.Logger) error { - return ListenAndServe(server, tlsConfigPath, logger) -}