From e16196124eff47924691b3e5c70c6f4d5dcca9b1 Mon Sep 17 00:00:00 2001
From: Unknwon
Date: Sun, 11 Jun 2017 02:06:26 -0400
Subject: [PATCH] setting: disable SSH minimum key size check when not eligible (#4507)
---
 gogs.go | 2 +-
 models/ssh_key.go | 5 -----
 pkg/setting/setting.go | 44 ++++++++++++++++++++++++++++++++++--------
 templates/.VERSION | 2 +-
 4 files changed, 38 insertions(+), 15 deletions(-)
diff --git a/gogs.go b/gogs.go
index 08f2a9050..88752f8cb 100644
--- a/gogs.go
+++ b/gogs.go
@@ -16,7 +16,7 @@ import (
 "github.com/gogits/gogs/pkg/setting"
 )
-const APP_VER = "0.11.20.0611"
+const APP_VER = "0.11.21.0611"
 func init() {
 setting.AppVer = APP_VER
diff --git a/models/ssh_key.go b/models/ssh_key.go
index 814f0db04..798c58f21 100644
--- a/models/ssh_key.go
+++ b/models/ssh_key.go
@@ -194,11 +194,6 @@ func writeTmpKeyFile(content string) (string, error) {
 // SSHKeyGenParsePublicKey extracts key type and length using ssh-keygen.
 func SSHKeyGenParsePublicKey(key string) (string, int, error) {
- // The ssh-keygen in Windows does not print key type, so no need go further.
- if setting.IsWindows {
- return "", 0, nil
- }
-
 tmpName, err := writeTmpKeyFile(key)
 if err != nil {
 return "", 0, fmt.Errorf("writeTmpKeyFile: %v", err)
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
index 09bc49699..039c29c6e 100644
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -21,12 +21,14 @@ import (
 _ "github.com/go-macaron/cache/redis"
 "github.com/go-macaron/session"
 _ "github.com/go-macaron/session/redis"
+ "github.com/mcuadros/go-version"
 log "gopkg.in/clog.v1"
 "gopkg.in/ini.v1"
 "github.com/gogits/go-libravatar"
 "github.com/gogits/gogs/pkg/bindata"
+ "github.com/gogits/gogs/pkg/process"
 "github.com/gogits/gogs/pkg/user"
 )
@@ -90,7 +92,7 @@ var (
 ServerCiphers []string `ini:"SSH_SERVER_CIPHERS"`
 KeyTestPath string `ini:"SSH_KEY_TEST_PATH"`
 KeygenPath string `ini:"SSH_KEYGEN_PATH"`
- MinimumKeySizeCheck bool `ini:"-"`
+ MinimumKeySizeCheck bool `ini:"MINIMUM_KEY_SIZE_CHECK"`
 MinimumKeySizes map[string]int `ini:"-"`
 }
@@ -377,6 +379,21 @@ func IsRunUserMatchCurrentUser(runUser string) (string, bool) {
 return currentUser, runUser == currentUser
 }
+// getOpenSSHVersion parses and returns string representation of OpenSSH version
+// returned by command "ssh -V".
+func getOpenSSHVersion() string {
+ // Note: somehow version is printed to stderr
+ _, stderr, err := process.Exec("getOpenSSHVersion", "ssh", "-V")
+ if err != nil {
+ log.Fatal(2, "Fail to get OpenSSH version: %v - %s", err, stderr)
+ }
+
+ // Trim unused information: https://github.com/gogits/gogs/issues/4507#issuecomment-305150441
+ version := strings.TrimRight(strings.Fields(stderr)[0], ",1234567890")
+ version = strings.TrimSuffix(strings.TrimPrefix(version, "OpenSSH_"), "p")
+ return version
+}
+
 // NewContext initializes configuration context.
 // NOTE: do not print any log except error.
 func NewContext() {
@@ -474,9 +491,9 @@ func NewContext() {
 if err = Cfg.Section("server").MapTo(&SSH); err != nil {
 log.Fatal(2, "Fail to map SSH settings: %v", err)
 }
- // When disable SSH, start builtin server value is ignored.
 if SSH.Disabled {
 SSH.StartBuiltinServer = false
+ SSH.MinimumKeySizeCheck = false
 }
 if !SSH.Disabled && !SSH.StartBuiltinServer {
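Review bot: In `getOpenSSHVersion` (the `@@ -377` hunk), `strings.TrimRight(..., ",1234567890")` also strips the minor version whenever the banner token carries no `pN` suffix: `OpenSSH_7.4,` is reduced to `7.` instead of `7.4`, so the later comparison against 5.1 runs on a truncated string and may switch the key size check off on a host that is in fact eligible. `strings.Fields(stderr)[0]` additionally panics with an index error if `ssh -V` writes nothing to stderr. Taking only the leading digits-and-dots run after `OpenSSH_` and rejecting empty output avoids both; how `version.Compare` orders a value such as `5.` is not visible here, so the first effect should be confirmed with a test on a banner without the `p` suffix.

```go
func getOpenSSHVersion() string {
	// … unchanged: process.Exec("getOpenSSHVersion", "ssh", "-V") and its error check …

	fields := strings.Fields(stderr)
	if len(fields) == 0 {
		log.Fatal(2, "Fail to get OpenSSH version: empty output from 'ssh -V'")
	}

	// Keep only the dotted number: drop the "OpenSSH_" prefix, then cut at the
	// first character that is neither a digit nor a dot ("p1", ",").
	version := strings.TrimPrefix(fields[0], "OpenSSH_")
	if i := strings.IndexFunc(version, func(r rune) bool {
		return r != '.' && (r < '0' || r > '9')
	}); i >= 0 {
		version = version[:i]
	}
	return version
}
```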
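Review bot: The `if SSH.Disabled` block in the `@@ -474` hunk loses its only comment at the same moment it gains a second side effect, so a reader no longer sees why the key size check is cleared there. A replacement such as `// When SSH is disabled, the builtin server and minimum key size check settings are ignored.` above the `if` keeps the intent readable. NewContext begins and ends outside this hunk.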
@@ -487,12 +504,23 @@ func NewContext() {
 }
 }
- SSH.MinimumKeySizeCheck = sec.Key("MINIMUM_KEY_SIZE_CHECK").MustBool()
- SSH.MinimumKeySizes = map[string]int{}
- minimumKeySizes := Cfg.Section("ssh.minimum_key_sizes").Keys()
- for _, key := range minimumKeySizes {
- if key.MustInt() != -1 {
- SSH.MinimumKeySizes[strings.ToLower(key.Name())] = key.MustInt()
+ // Check if server is eligible for minimum key size check when user choose to enable.
+ // Windows server and OpenSSH version lower than 5.1 (https://github.com/gogits/gogs/issues/4507)
+ // are forced to be disabled because the "ssh-keygen" in Windows does not print key type.
+ if SSH.MinimumKeySizeCheck &&
+ (IsWindows || version.Compare(getOpenSSHVersion(), "5.1", "<")) {
+ SSH.MinimumKeySizeCheck = false
+ log.Warn(`SSH minimum key size check is forced to be disabled because server is not eligible:
+1. Windows server
+2. OpenSSH version is lower than 5.1`)
+ }
+
+ if SSH.MinimumKeySizeCheck {
+ SSH.MinimumKeySizes = map[string]int{}
+ for _, key := range Cfg.Section("ssh.minimum_key_sizes").Keys() {
+ if key.MustInt() != -1 {
+ SSH.MinimumKeySizes[strings.ToLower(key.Name())] = key.MustInt()
+ }
 }
 }
diff --git a/templates/.VERSION b/templates/.VERSION
index e14c9273a..abc4523a3 100644
--- a/templates/.VERSION
+++ b/templates/.VERSION
@@ -1 +1 @@
-0.11.20.0611
\ No newline at end of file
+0.11.21.0611
\ No newline at end of file
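Review bot: In the `@@ -487` hunk the eligibility test probes the `ssh` binary found on PATH, while the comment ties the limitation to `ssh-keygen`, whose location is separately configurable through `SSH_KEYGEN_PATH`; the two can come from different installations, so the result may not describe the tool that actually parses keys. Because `getOpenSSHVersion` ends in `log.Fatal`, enabling `MINIMUM_KEY_SIZE_CHECK` on a non-Windows host with no `ssh` client on PATH appears to abort startup rather than downgrade. The single warning also does not say which condition matched or which version was detected; since it turns off a key-strength control, logging the reason, for example `log.Warn("SSH minimum key size check disabled: OpenSSH %s is lower than 5.1", v)`, would make the downgrade auditable. NewContext begins and ends outside this hunk.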