Compare commits

...

9 Commits

Author SHA1 Message Date
2355349d8b Merge pull request #2119 from thaJeztah/19.03_backport_bump_yaml.v2_2.2.3
[19.03 backport] vendor: Bump gopkg.in/yaml.v2
2019-10-03 10:52:44 -07:00
73d513e56a Merge pull request #2120 from thaJeztah/19.03_backport_experimental_note
[19.03 backport] backport docs changes
2019-10-01 14:27:56 -07:00
9fd5604d80 Adding experimental feature info
Signed-off-by: Adrian Plata <adrian.plata@docker.com>
(cherry picked from commit 031bd2d530)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-01 19:11:06 +02:00
82ac89901f Clarifying docker config rules
Signed-off-by: Adrian Plata <adrian.plata@docker.com>
(cherry picked from commit 131eefc54f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-01 19:11:01 +02:00
29e3a70b04 vendor: Bump gopkg.in/yaml.v2
Signed-off-by: Christopher Crone <christopher.crone@docker.com>
(cherry picked from commit 91cf8b04c9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-01 14:54:49 +02:00
3fb239756d Merge pull request #2113 from thaJeztah/19.03_backport_bump_golang_1.12.10
[19.03 backport] bump golang 1.12.10 (CVE-2019-16276)
2019-09-28 01:53:31 +02:00
ff72c27a7a bump golang 1.12.10 (CVE-2019-16276)
full diff: https://github.com/golang/go/compare/go1.12.9...go1.12.10

```
Hi gophers,

We have just released Go 1.13.1 and Go 1.12.10 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you're not sure which, choose Go 1.13.1).

net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

The issue is CVE-2019-16276 and Go issue golang.org/issue/34540.

Thanks to Andrew Stucki, Adam Scarr (99designs.com), and Jan Masarik (masarik.sh) for discovering and reporting this issue.

Downloads are available at https://golang.org/dl for all supported platforms.

Alla prossima,
Filippo on behalf of the Go team
```

From the patch: 6e6f4aaf70

```
net/textproto: don't normalize headers with spaces before the colon

RFC 7230 is clear about headers with a space before the colon, like

X-Answer : 42

being invalid, but we've been accepting and normalizing them for compatibility
purposes since CL 5690059 in 2012.

On the client side, this is harmless and indeed most browsers behave the same
to this day. On the server side, this becomes a security issue when the
behavior doesn't match that of a reverse proxy sitting in front of the server.

For example, if a WAF accepts them without normalizing them, it might be
possible to bypass its filters, because the Go server would interpret the
header differently. Worse, if the reverse proxy coalesces requests onto a
single HTTP/1.1 connection to a Go server, the understanding of the request
boundaries can get out of sync between them, allowing an attacker to tack an
arbitrary method and path onto a request by other clients, including
authentication headers unknown to the attacker.

This was recently presented at multiple security conferences:
https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn

net/http servers already reject header keys with invalid characters.
Simply stop normalizing extra spaces in net/textproto, let it return them
unchanged like it does for other invalid headers, and let net/http enforce
RFC 7230, which is HTTP specific. This loses us normalization on the client
side, but there's no right answer on the client side anyway, and hiding the
issue sounds worse than letting the application decide.
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8743e36a45)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-27 23:33:06 +02:00
ed54e85144 Merge pull request #2079 from thaJeztah/19.03_backport_bump_pkcs11
[19.03 backport] bump miekg/pkcs11 v1.0.2
2019-09-27 13:41:10 +02:00
0bc3d1fd2d bump miekg/pkcs11 v1.0.2
full diff: 6120d95c0e...v1.0.2

relevant changes:

- miekg/pkcs11#110 Fix issue freeing memory on GetOperationState when NOT CK_OK
- miekg/pkcs11#106 Move to go modules
- miekg/pkcs11#104 Expose login API for vendor specific login types

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 54428b1f37)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-27 11:51:03 +02:00
15 changed files with 146 additions and 43 deletions

View File

@ -4,7 +4,7 @@ clone_folder: c:\gopath\src\github.com\docker\cli
environment:
GOPATH: c:\gopath
GOVERSION: 1.12.9
GOVERSION: 1.12.10
DEPVERSION: v0.4.1
install:

View File

@ -1,4 +1,4 @@
ARG GO_VERSION=1.12.9
ARG GO_VERSION=1.12.10
FROM golang:${GO_VERSION}-alpine

View File

@ -1,4 +1,4 @@
ARG GO_VERSION=1.12.9
ARG GO_VERSION=1.12.10
FROM dockercore/golang-cross:${GO_VERSION}
ENV DISABLE_WARN_OUTSIDE_CONTAINER=1

View File

@ -1,4 +1,4 @@
ARG GO_VERSION=1.12.9
ARG GO_VERSION=1.12.10
FROM golang:${GO_VERSION}-alpine

View File

@ -1,4 +1,4 @@
ARG GO_VERSION=1.12.9
ARG GO_VERSION=1.12.10
# Use Debian based image as docker-compose requires glibc.
FROM golang:${GO_VERSION}

View File

@ -1,4 +1,4 @@
ARG GO_VERSION=1.12.9
ARG GO_VERSION=1.12.10
FROM golang:${GO_VERSION}-alpine

View File

@ -96,28 +96,43 @@ variables.
### Configuration files
By default, the Docker command line stores its configuration files in a
directory called `.docker` within your `$HOME` directory. However, you can
specify a different location via the `DOCKER_CONFIG` environment variable
or the `--config` command line option. If both are specified, then the
`--config` option overrides the `DOCKER_CONFIG` environment variable.
For example:
docker --config ~/testconfigs/ ps
Instructs Docker to use the configuration files in your `~/testconfigs/`
directory when running the `ps` command.
directory called `.docker` within your `$HOME` directory.
Docker manages most of the files in the configuration directory
and you should not modify them. However, you *can modify* the
`config.json` file to control certain aspects of how the `docker`
command behaves.
Currently, you can modify the `docker` command behavior using environment
You can modify the `docker` command behavior using environment
variables or command-line options. You can also use options within
`config.json` to modify some of the same behavior. When using these
mechanisms, you must keep in mind the order of precedence among them. Command
line options override environment variables and environment variables override
properties you specify in a `config.json` file.
`config.json` to modify some of the same behavior. If an environment variable
and the `--config` flag are set, the flag takes precedent over the environment
variable. Command line options override environment variables and environment
variables override properties you specify in a `config.json` file.
#### Change the `.docker` directory
To specify a different directory, use the `DOCKER_CONFIG`
environment variable or the `--config` command line option. If both are
specified, then the `--config` option overrides the `DOCKER_CONFIG` environment
variable. The example below overrides runs the `docker ps` command using a
`config.json` file located in the `~/testconfigs/` directory.
```bash
$ docker --config ~/testconfigs/ ps
```
This flag only applies to whatever command is being ran. For persistent
configuration, you can set the `DOCKER_CONFIG` environment variable in your
shell (e.g. `~/.profile` or `~/.bashrc`). The example below sets the new
directory to be `HOME/newdir/.docker`.
```bash
echo export DOCKER_CONFIG=$HOME/newdir/.docker > ~/.profile
```
#### `config.json` properties
The `config.json` file stores a JSON encoding of several properties:
@ -265,6 +280,31 @@ Following is a sample `config.json` file:
{% endraw %}
```
### Experimental features
Experimental features provide early access to future product functionality.
These features are intended only for testing and feedback as they may change
between releases without warning or can be removed entirely from a future
release.
> Experimental features must not be used in production environments.
{: .warning }
To enable experimental features, edit the `config.json` file and set
`experimental` to `enabled`. The example below enables experimental features
in a `config.json` file that already enables a debug feature.
```json
{
"experimental": "enabled",
"debug": true
}
```
You can also enable experimental features from the Docker Desktop menu. See the
[Docker Desktop Getting Started page](https://docs.docker.com/docker-for-mac#experimental-features)
for more information.
### Notary
If using your own notary server and a self-signed certificate or an internal

View File

@ -50,7 +50,7 @@ github.com/mattn/go-shellwords a72fbe27a1b0ed0df2f027549450
github.com/matttproud/golang_protobuf_extensions c12348ce28de40eed0136aa2b644d0ee0650e56c # v1.0.1
github.com/Microsoft/go-winio 84b4ab48a50763fe7b3abcef38e5205c12027fac
github.com/Microsoft/hcsshim 672e52e9209d1e53718c1b6a7d68cc9272654ab5
github.com/miekg/pkcs11 6120d95c0e9576ccf4a78ba40855809dca31a9ed
github.com/miekg/pkcs11 cb39313ec884f2cd77f4762875fe96aecf68f8e3 # v1.0.2
github.com/mitchellh/mapstructure f15292f7a699fcc1a38a80977f80a046874ba8ac
github.com/moby/buildkit ae10b292fefb00e0fbf9fecd1419c5f252e58895
github.com/modern-go/concurrent bacd9c7ef1dd9b15be4a9909b8ac7a4e313eec94 # 1.0.3
@ -88,7 +88,7 @@ golang.org/x/time fbb02b2291d28baffd63558aa44b
google.golang.org/genproto 02b4e95473316948020af0b7a4f0f22c73929b0e
google.golang.org/grpc 25c4f928eaa6d96443009bd842389fb4fa48664e # v1.20.1
gopkg.in/inf.v0 d2d2541c53f18d2a059457998ce2876cc8e67cbf # v0.9.1
gopkg.in/yaml.v2 5420a8b6744d3b0345ab293f6fcba19c978f1183 # v2.2.1
gopkg.in/yaml.v2 bb4e33bf68bf89cad44d386192cbed201f35b241 # v2.2.3
gotest.tools 1083505acf35a0bd8a696b26837e1fb3187a7a83 # v2.3.0
k8s.io/api 40a48860b5abbba9aa891b02b32da429b08d96a0 # kubernetes-1.14.0
k8s.io/apimachinery d7deff9243b165ee192f5551710ea4285dcfd615 # kubernetes-1.14.0

3
vendor/github.com/miekg/pkcs11/go.mod generated vendored Normal file
View File

@ -0,0 +1,3 @@
module github.com/miekg/pkcs11
go 1.12

View File

@ -42,19 +42,21 @@ type GCMParams struct {
// NewGCMParams returns a pointer to AES-GCM parameters that can be used with the CKM_AES_GCM mechanism.
// The Free() method must be called after the operation is complete.
//
// *NOTE*
// Some HSMs, like CloudHSM, will ignore the IV you pass in and write their
// Note that some HSMs, like CloudHSM, will ignore the IV you pass in and write their
// own. As a result, to support all libraries, memory is not freed
// automatically, so that after the EncryptInit/Encrypt operation the HSM's IV
// can be read back out. It is up to the caller to ensure that Free() is called
// on the GCMParams object at an appropriate time, which is after
//
// Encrypt/Decrypt. As an example:
//
// gcmParams := pkcs11.NewGCMParams(make([]byte, 12), nil, 128)
// p.ctx.EncryptInit(session, []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_AES_GCM, gcmParams)}, aesObjHandle)
// ct, _ := p.ctx.Encrypt(session, pt)
// iv := gcmParams.IV()
// gcmParams.Free()
// gcmParams := pkcs11.NewGCMParams(make([]byte, 12), nil, 128)
// p.ctx.EncryptInit(session, []*pkcs11.Mechanism{pkcs11.NewMechanism(pkcs11.CKM_AES_GCM, gcmParams)},
// aesObjHandle)
// ct, _ := p.ctx.Encrypt(session, pt)
// iv := gcmParams.IV()
// gcmParams.Free()
//
func NewGCMParams(iv, aad []byte, tagSize int) *GCMParams {
return &GCMParams{
iv: iv,
@ -112,7 +114,7 @@ func (p *GCMParams) Free() {
p.arena = nil
}
// NewPSSParams creates a CK_RSA_PKCS_PSS_PARAMS structure and returns it as a byte array for use with the CKM_RSA_PKCS_PSS mechanism
// NewPSSParams creates a CK_RSA_PKCS_PSS_PARAMS structure and returns it as a byte array for use with the CKM_RSA_PKCS_PSS mechanism.
func NewPSSParams(hashAlg, mgf, saltLength uint) []byte {
p := C.CK_RSA_PKCS_PSS_PARAMS{
hashAlg: C.CK_MECHANISM_TYPE(hashAlg),
@ -122,7 +124,7 @@ func NewPSSParams(hashAlg, mgf, saltLength uint) []byte {
return C.GoBytes(unsafe.Pointer(&p), C.int(unsafe.Sizeof(p)))
}
// OAEPParams can be passed to NewMechanism to implement CKM_RSA_PKCS_OAEP
// OAEPParams can be passed to NewMechanism to implement CKM_RSA_PKCS_OAEP.
type OAEPParams struct {
HashAlg uint
MGF uint
@ -130,7 +132,7 @@ type OAEPParams struct {
SourceData []byte
}
// NewOAEPParams creates a CK_RSA_PKCS_OAEP_PARAMS structure suitable for use with the CKM_RSA_PKCS_OAEP mechanism
// NewOAEPParams creates a CK_RSA_PKCS_OAEP_PARAMS structure suitable for use with the CKM_RSA_PKCS_OAEP mechanism.
func NewOAEPParams(hashAlg, mgf, sourceType uint, sourceData []byte) *OAEPParams {
return &OAEPParams{
HashAlg: hashAlg,
@ -154,14 +156,14 @@ func cOAEPParams(p *OAEPParams, arena arena) ([]byte, arena) {
return C.GoBytes(unsafe.Pointer(&params), C.int(unsafe.Sizeof(params))), arena
}
// ECDH1DeriveParams can be passed to NewMechanism to implement CK_ECDH1_DERIVE_PARAMS
// ECDH1DeriveParams can be passed to NewMechanism to implement CK_ECDH1_DERIVE_PARAMS.
type ECDH1DeriveParams struct {
KDF uint
SharedData []byte
PublicKeyData []byte
}
// NewECDH1DeriveParams creates a CK_ECDH1_DERIVE_PARAMS structure suitable for use with the CKM_ECDH1_DERIVE mechanism
// NewECDH1DeriveParams creates a CK_ECDH1_DERIVE_PARAMS structure suitable for use with the CKM_ECDH1_DERIVE mechanism.
func NewECDH1DeriveParams(kdf uint, sharedData []byte, publicKeyData []byte) *ECDH1DeriveParams {
return &ECDH1DeriveParams{
KDF: kdf,

View File

@ -800,13 +800,13 @@ func (c *Ctx) Destroy() {
c.ctx = nil
}
// Initialize initializes the Cryptoki library. */
// Initialize initializes the Cryptoki library.
func (c *Ctx) Initialize() error {
e := C.Initialize(c.ctx)
return toError(e)
}
// Finalize indicates that an application is done with the Cryptoki library. */
// Finalize indicates that an application is done with the Cryptoki library.
func (c *Ctx) Finalize() error {
if c.ctx == nil {
return toError(CKR_CRYPTOKI_NOT_INITIALIZED)
@ -815,7 +815,7 @@ func (c *Ctx) Finalize() error {
return toError(e)
}
// GetInfo returns general information about Cryptoki. */
// GetInfo returns general information about Cryptoki.
func (c *Ctx) GetInfo() (Info, error) {
var p C.ckInfo
e := C.GetInfo(c.ctx, &p)
@ -829,7 +829,7 @@ func (c *Ctx) GetInfo() (Info, error) {
return i, toError(e)
}
// GetSlotList obtains a list of slots in the system. */
// GetSlotList obtains a list of slots in the system.
func (c *Ctx) GetSlotList(tokenPresent bool) ([]uint, error) {
var (
slotList C.CK_ULONG_PTR
@ -843,7 +843,7 @@ func (c *Ctx) GetSlotList(tokenPresent bool) ([]uint, error) {
return l, nil
}
// GetSlotInfo obtains information about a particular slot in the system. */
// GetSlotInfo obtains information about a particular slot in the system.
func (c *Ctx) GetSlotInfo(slotID uint) (SlotInfo, error) {
var csi C.CK_SLOT_INFO
e := C.GetSlotInfo(c.ctx, C.CK_ULONG(slotID), &csi)
@ -885,7 +885,7 @@ func (c *Ctx) GetTokenInfo(slotID uint) (TokenInfo, error) {
return s, toError(e)
}
// GetMechanismList obtains a list of mechanism types supported by a token. */
// GetMechanismList obtains a list of mechanism types supported by a token.
func (c *Ctx) GetMechanismList(slotID uint) ([]*Mechanism, error) {
var (
mech C.CK_ULONG_PTR // in pkcs#11 we're all CK_ULONGs \o/
@ -997,11 +997,11 @@ func (c *Ctx) GetOperationState(sh SessionHandle) ([]byte, error) {
statelen C.CK_ULONG
)
e := C.GetOperationState(c.ctx, C.CK_SESSION_HANDLE(sh), &state, &statelen)
defer C.free(unsafe.Pointer(state))
if toError(e) != nil {
return nil, toError(e)
}
b := C.GoBytes(unsafe.Pointer(state), C.int(statelen))
C.free(unsafe.Pointer(state))
return b, nil
}

17
vendor/github.com/miekg/pkcs11/release.go generated vendored Normal file
View File

@ -0,0 +1,17 @@
// +build release
package pkcs11
import "fmt"
// Release is current version of the pkcs11 library.
var Release = R{1, 0, 2}
// R holds the version of this library.
type R struct {
Major, Minor, Patch int
}
func (r R) String() string {
return fmt.Sprintf("%d.%d.%d", r.Major, r.Minor, r.Patch)
}

13
vendor/gopkg.in/yaml.v2/decode.go generated vendored
View File

@ -229,6 +229,10 @@ type decoder struct {
mapType reflect.Type
terrors []string
strict bool
decodeCount int
aliasCount int
aliasDepth int
}
var (
@ -315,6 +319,13 @@ func (d *decoder) prepare(n *node, out reflect.Value) (newout reflect.Value, unm
}
func (d *decoder) unmarshal(n *node, out reflect.Value) (good bool) {
d.decodeCount++
if d.aliasDepth > 0 {
d.aliasCount++
}
if d.aliasCount > 100 && d.decodeCount > 1000 && float64(d.aliasCount)/float64(d.decodeCount) > 0.99 {
failf("document contains excessive aliasing")
}
switch n.kind {
case documentNode:
return d.document(n, out)
@ -353,7 +364,9 @@ func (d *decoder) alias(n *node, out reflect.Value) (good bool) {
failf("anchor '%s' value contains itself", n.value)
}
d.aliases[n] = true
d.aliasDepth++
good = d.unmarshal(n.alias, out)
d.aliasDepth--
delete(d.aliases, n)
return good
}

28
vendor/gopkg.in/yaml.v2/encode.go generated vendored
View File

@ -13,6 +13,19 @@ import (
"unicode/utf8"
)
// jsonNumber is the interface of the encoding/json.Number datatype.
// Repeating the interface here avoids a dependency on encoding/json, and also
// supports other libraries like jsoniter, which use a similar datatype with
// the same interface. Detecting this interface is useful when dealing with
// structures containing json.Number, which is a string under the hood. The
// encoder should prefer the use of Int64(), Float64() and string(), in that
// order, when encoding this type.
type jsonNumber interface {
Float64() (float64, error)
Int64() (int64, error)
String() string
}
type encoder struct {
emitter yaml_emitter_t
event yaml_event_t
@ -89,6 +102,21 @@ func (e *encoder) marshal(tag string, in reflect.Value) {
}
iface := in.Interface()
switch m := iface.(type) {
case jsonNumber:
integer, err := m.Int64()
if err == nil {
// In this case the json.Number is a valid int64
in = reflect.ValueOf(integer)
break
}
float, err := m.Float64()
if err == nil {
// In this case the json.Number is a valid float64
in = reflect.ValueOf(float)
break
}
// fallback case - no number could be obtained
in = reflect.ValueOf(m.String())
case time.Time, *time.Time:
// Although time.Time implements TextMarshaler,
// we don't want to treat it as a string for YAML

2
vendor/gopkg.in/yaml.v2/resolve.go generated vendored
View File

@ -81,7 +81,7 @@ func resolvableTag(tag string) bool {
return false
}
var yamlStyleFloat = regexp.MustCompile(`^[-+]?[0-9]*\.?[0-9]+([eE][-+][0-9]+)?$`)
var yamlStyleFloat = regexp.MustCompile(`^[-+]?(\.[0-9]+|[0-9]+(\.[0-9]*)?)([eE][-+]?[0-9]+)?$`)
func resolve(tag string, in string) (rtag string, out interface{}) {
if !resolvableTag(tag) {