chore(agent,pkg): migrate from libxcrypt to yescrypt-go

shellhub-io · Dec 2, 2024 · 88d0184 · 88d0184
1 parent f7667b5
commit 88d0184
Show file tree

Hide file tree

Showing 13 changed files with 113 additions and 114 deletions.
diff --git a/agent/Dockerfile b/agent/Dockerfile
@@ -3,17 +3,6 @@ FROM golang:1.22.6-alpine3.19 AS base
 
 ARG GOPROXY
 
-RUN apk add --update git ca-certificates build-base bash util-linux setpriv perl xz linux-headers
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
-
-RUN ln -sf /bin/bash /bin/sh
-
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub
 
 COPY ./go.mod ./

diff --git a/agent/Dockerfile.amd64 b/agent/Dockerfile.amd64
@@ -2,15 +2,6 @@ FROM golang:1.22.6-alpine3.19
 
 ARG SHELLHUB_VERSION=latest
 
-RUN apk add --update git ca-certificates util-linux build-base bash setpriv perl xz linux-headers
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
-
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub
 
 COPY ./go.mod ./
@@ -37,7 +28,6 @@ COPY --from=0 /usr/bin/nsenter /usr/bin/
 COPY --from=0 /usr/bin/setpriv /usr/bin/
 COPY --from=0 /usr/lib/libcap-ng.so.* /usr/lib/
 COPY --from=0 /lib/ld-musl-x86_64.so.1 /lib/
-COPY --from=0 /usr/lib/libcrypt.so* /usr/lib/
 COPY --from=0 /go/src/github.com/shellhub-io/shellhub/agent/agent /bin/agent
 
 ENTRYPOINT ["/bin/agent"]
diff --git a/agent/Dockerfile.arm32v6 b/agent/Dockerfile.arm32v6
@@ -4,15 +4,6 @@ FROM arm32v6/golang:1.22.6-alpine3.19
 
 ARG SHELLHUB_VERSION=latest
 
-RUN apk add --update git ca-certificates util-linux build-base bash setpriv perl xz linux-headers
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
-
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub
 
 COPY ./go.mod ./
@@ -39,7 +30,6 @@ COPY --from=0 /usr/bin/nsenter /usr/bin/
 COPY --from=0 /usr/bin/setpriv /usr/bin/
 COPY --from=0 /usr/lib/libcap-ng.so.* /usr/lib/
 COPY --from=0 /lib/ld-musl-armhf.so.1 /lib/
-COPY --from=0 /usr/lib/libcrypt.so* /usr/lib/
 COPY --from=0 /go/src/github.com/shellhub-io/shellhub/agent/agent /bin/agent
 
 ENTRYPOINT ["/bin/agent"]
diff --git a/agent/Dockerfile.arm32v7 b/agent/Dockerfile.arm32v7
@@ -4,15 +4,6 @@ FROM arm32v7/golang:1.22.6-alpine3.19
 
 ARG SHELLHUB_VERSION=latest
 
-RUN apk add --update git ca-certificates util-linux build-base bash setpriv perl xz linux-headers
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
-
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub
 
 COPY ./go.mod ./
@@ -39,7 +30,6 @@ COPY --from=0 /usr/bin/nsenter /usr/bin/
 COPY --from=0 /usr/bin/setpriv /usr/bin/
 COPY --from=0 /usr/lib/libcap-ng.so.* /usr/lib/
 COPY --from=0 /lib/ld-musl-armhf.so.1 /lib/
-COPY --from=0 /usr/lib/libcrypt.so* /usr/lib/
 COPY --from=0 /go/src/github.com/shellhub-io/shellhub/agent/agent /bin/agent
 
 ENTRYPOINT ["/bin/agent"]
diff --git a/agent/Dockerfile.arm64v8 b/agent/Dockerfile.arm64v8
@@ -4,14 +4,6 @@ FROM arm64v8/golang:1.22.6-alpine3.19
 
 ARG SHELLHUB_VERSION=latest
 
-RUN apk add --update git ca-certificates util-linux build-base bash setpriv perl xz linux-headers
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
 
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub
 
@@ -39,7 +31,6 @@ COPY --from=0 /usr/bin/nsenter /usr/bin/
 COPY --from=0 /usr/bin/setpriv /usr/bin/
 COPY --from=0 /usr/lib/libcap-ng.so.* /usr/lib/
 COPY --from=0 /lib/ld-musl-aarch64.so.1 /lib/
-COPY --from=0 /usr/lib/libcrypt.so* /usr/lib/
 COPY --from=0 /go/src/github.com/shellhub-io/shellhub/agent/agent /bin/agent
 
 ENTRYPOINT ["/bin/agent"]
diff --git a/agent/Dockerfile.i386 b/agent/Dockerfile.i386
@@ -2,15 +2,6 @@ FROM golang:1.22.6-alpine3.19
 
 ARG SHELLHUB_VERSION=latest
 
-RUN apk add --update git ca-certificates util-linux build-base bash setpriv perl xz linux-headers
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
-
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub
 
 COPY ./go.mod ./
@@ -37,7 +28,6 @@ COPY --from=0 /usr/bin/nsenter /usr/bin/
 COPY --from=0 /usr/bin/setpriv /usr/bin/
 COPY --from=0 /usr/lib/libcap-ng.so.* /usr/lib/
 COPY --from=0 /lib/ld-musl-*.so.1 /lib/
-COPY --from=0 /usr/lib/libcrypt.so* /usr/lib/
 COPY --from=0 /go/src/github.com/shellhub-io/shellhub/agent/agent /bin/agent
 
 ENTRYPOINT ["/bin/agent"]
diff --git a/agent/Dockerfile.test b/agent/Dockerfile.test
@@ -2,17 +2,6 @@ FROM golang:1.22.6-alpine3.19
 
 ARG GOPROXY
 
-RUN apk add --update git ca-certificates util-linux build-base bash setpriv perl xz linux-headers
-
-RUN apk add openssh
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
-
 RUN ln -sf /bin/bash /bin/sh
 
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub

diff --git a/agent/go.mod b/agent/go.mod
@@ -1,6 +1,8 @@
 module github.com/shellhub-io/shellhub/agent
 
-go 1.21
+go 1.22.4
+
+toolchain go1.23.0
 
 require (
 	github.com/Masterminds/semver v1.5.0
@@ -45,6 +47,7 @@ require (
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/openwall/yescrypt-go v1.0.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/sftp v1.13.5 // indirect
 	github.com/sethvargo/go-envconfig v0.9.0 // indirect
@@ -55,10 +58,10 @@ require (
 	go.opentelemetry.io/otel/metric v1.26.0 // indirect
 	go.opentelemetry.io/otel/trace v1.26.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.2.0 // indirect
-	golang.org/x/crypto v0.22.0 // indirect
+	golang.org/x/crypto v0.25.0 // indirect
 	golang.org/x/net v0.23.0 // indirect
-	golang.org/x/sys v0.19.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	gotest.tools/v3 v3.5.1 // indirect
 )
 

diff --git a/agent/go.sum b/agent/go.sum
@@ -84,6 +84,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/openwall/yescrypt-go v1.0.0 h1:jsGk48zkFvtUjGVOhYPGh+CS595JmTRcKnpggK2AON4=
+github.com/openwall/yescrypt-go v1.0.0/go.mod h1:e6CWtFizUEOUttaOjeVMiv1lJaJie3mfOtLJ9CCD6sA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.13.5 h1:a3RLUqkyjYRtBTZJZ1VRrKbN3zhuPLlUc3sphVz81go=
@@ -141,8 +143,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
-golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -173,19 +175,19 @@ golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.0.0-20220722155259-a9ba230a4035/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q=
-golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk=
+golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
+golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

diff --git a/go.mod b/go.mod
@@ -1,6 +1,8 @@
 module github.com/shellhub-io/shellhub
 
-go 1.21
+go 1.22.4
+
+toolchain go1.23.0
 
 require (
 	github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5
@@ -22,16 +24,17 @@ require (
 	github.com/labstack/echo/v4 v4.10.2
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/mholt/archiver/v4 v4.0.0-alpha.8
+	github.com/openwall/yescrypt-go v1.0.0
 	github.com/oschwald/geoip2-golang v1.8.0
 	github.com/pkg/errors v0.9.1
 	github.com/pkg/sftp v1.13.5
 	github.com/sethvargo/go-envconfig v0.9.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.9.0
 	github.com/testcontainers/testcontainers-go/modules/redis v0.32.0
-	golang.org/x/crypto v0.22.0
-	golang.org/x/sync v0.6.0
-	golang.org/x/sys v0.19.0
+	golang.org/x/crypto v0.25.0
+	golang.org/x/sync v0.7.0
+	golang.org/x/sys v0.22.0
 )
 
 require (
@@ -116,7 +119,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.26.0 // indirect
 	go4.org v0.0.0-20200411211856-f5505b9728dd // indirect
 	golang.org/x/net v0.23.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda // indirect
 	google.golang.org/grpc v1.63.2 // indirect

diff --git a/pkg/agent/pkg/yescrypt/yescript.go b/pkg/agent/pkg/yescrypt/yescript.go
diff --git a/pkg/agent/pkg/yescrypt/yescrypt.go b/pkg/agent/pkg/yescrypt/yescrypt.go
@@ -0,0 +1,18 @@
+package yescrypt
+
+import (
+	"github.com/openwall/yescrypt-go"
+	log "github.com/sirupsen/logrus"
+)
+
+// Verify verifies a yescrypt hash against a given key.
+func Verify(password, hash string) bool {
+	hashed, err := yescrypt.Hash([]byte(password), []byte(hash))
+	if err != nil {
+		log.WithError(err).Debug("failed to hash the password for comparision")
+
+		return false
+	}
+
+	return hash == string(hashed)
+}
diff --git a/pkg/agent/pkg/yescrypt/yescrypt_test.go b/pkg/agent/pkg/yescrypt/yescrypt_test.go
@@ -0,0 +1,70 @@
+package yescrypt
+
+import (
+	"crypto/rand"
+	"math/big"
+	"testing"
+
+	"github.com/openwall/yescrypt-go"
+	"github.com/stretchr/testify/assert"
+)
+
+func FuzzVerify(f *testing.F) {
+	const settings = "$y$j9T$AAt9R641xPvCI9nXw1HHW/"
+
+	for i := 0; i < 100; i++ {
+		v, err := rand.Int(rand.Reader, big.NewInt(64))
+		assert.NoError(f, err)
+
+		password := make([]byte, v.Int64())
+		_, err = rand.Read(password)
+		assert.NoError(f, err)
+
+		hash, err := yescrypt.Hash(password, []byte(settings))
+		assert.NoError(f, err)
+
+		f.Add(string(password), string(hash))
+	}
+
+	f.Fuzz(func(t *testing.T, a string, b string) {
+		assert.True(f, Verify(a, b))
+	})
+}
+
+func TestVeirfy(t *testing.T) {
+	const settings = "$y$j9T$AAt9R641xPvCI9nXw1HHW/"
+
+	cases := []struct {
+		description string
+		password    string
+		hash        string
+		expected    bool
+	}{
+		{
+			description: "invalid password",
+			password:    "invalid",
+			hash:        "$y$j9T$AAt9R641xPvCI9nXw1HHW/$nCv3bckjDEC9Q5ahIEpyXVNGZhySye/ZdjxNxTY5ttB",
+			expected:    false,
+		},
+		{
+			description: "invalid hash",
+			password:    "password",
+			hash:        "invalid",
+			expected:    false,
+		},
+		{
+			description: "valid",
+			password:    "password",
+			hash:        "$y$j9T$AAt9R641xPvCI9nXw1HHW/$nCv3bckjDEC9Q5ahIEpyXVNGZhySye/ZdjxNxTY5ttB",
+			expected:    true,
+		},
+	}
+
+	for _, test := range cases {
+		t.Run(test.description, func(tt *testing.T) {
+			result := Verify(test.password, string(test.hash))
+
+			assert.Equal(tt, test.expected, result)
+		})
+	}
+}