Retry SSH key verification with additional CRLF if it failed (#28392) (#28464)

Backport #28392 by @nekrondev Windows-based shells will add a CRLF when piping the token into ssh-keygen command resulting in verification error. This resolves #21527. Co-authored-by: nekrondev <heiko@noordsee.de> Co-authored-by: Heiko Besemann <heiko.besemann@qbeyond.de> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2023-12-14 12:50:26 +08:00 · 2023-12-14 12:50:26 +08:00 · b47482d58e
parent 74ab798033
commit b47482d58e
1 changed files with 9 additions and 4 deletions
--- a/models/asymkey/ssh_key_verify.go
+++ b/models/asymkey/ssh_key_verify.go
@ -29,12 +29,17 @@ func VerifySSHKey(ownerID int64, fingerprint, token, signature string) (string,
 		return "", ErrKeyNotExist{}
 	}

-	if err := sshsig.Verify(bytes.NewBuffer([]byte(token)), []byte(signature), []byte(key.Content), "gitea"); err != nil {
+	err = sshsig.Verify(bytes.NewBuffer([]byte(token)), []byte(signature), []byte(key.Content), "gitea")
+	if err != nil {
+		// edge case for Windows based shells that will add CR LF if piped to ssh-keygen command
+		// see https://github.com/PowerShell/PowerShell/issues/5974
+		if sshsig.Verify(bytes.NewBuffer([]byte(token+"\r\n")), []byte(signature), []byte(key.Content), "gitea") != nil {
 			log.Error("Unable to validate token signature. Error: %v", err)
 			return "", ErrSSHInvalidTokenSignature{
 				Fingerprint: key.Fingerprint,
 			}
 		}
+	}

 	key.Verified = true
 	if _, err := db.GetEngine(ctx).ID(key.ID).Cols("verified").Update(key); err != nil {