mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-11-09 16:55:16 +00:00
12f97ef51f
The keying modules tries to solve two problems, the lack of key separation and the lack of AEAD being used for encryption. The currently used `secrets` doesn't provide this and is hard to adjust to provide this functionality. For encryption, the additional data is now a parameter that can be used, as the underlying primitive is an AEAD constructions. This allows for context binding to happen and can be seen as defense-in-depth; it ensures that if a value X is encrypted for context Y (e.g. ID=3, Column="private_key") it will only decrypt if that context Y is also given in the Decrypt function. This makes confused deputy attack harder to exploit.[^1] For key separation, HKDF is used to derives subkeys from some IKM, which is the value of the `[service].SECRET_KEY` config setting. The context for subkeys are hardcoded, any variable should be shuffled into the the additional data parameter when encrypting. [^1]: This is still possible, because the used AEAD construction is not key-comitting. For Forgejo's current use-case this risk is negligible, because the subkeys aren't known to a malicious user (which is required for such attack), unless they also have access to the IKM (at which point you can assume the whole system is compromised). See https://scottarc.blog/2022/10/17/lucid-multi-key-deputies-require-commitment/
306 lines
5.7 KiB
Plaintext
306 lines
5.7 KiB
Plaintext
code.gitea.io/gitea/cmd
|
|
NoMainListener
|
|
|
|
code.gitea.io/gitea/cmd/forgejo
|
|
ContextSetNoInit
|
|
ContextSetNoExit
|
|
ContextSetStderr
|
|
ContextGetStderr
|
|
ContextSetStdout
|
|
ContextSetStdin
|
|
|
|
code.gitea.io/gitea/models
|
|
IsErrUpdateTaskNotExist
|
|
ErrUpdateTaskNotExist.Error
|
|
ErrUpdateTaskNotExist.Unwrap
|
|
IsErrSHANotFound
|
|
IsErrMergeDivergingFastForwardOnly
|
|
GetYamlFixturesAccess
|
|
|
|
code.gitea.io/gitea/models/actions
|
|
ScheduleList.GetUserIDs
|
|
ScheduleList.GetRepoIDs
|
|
ScheduleList.LoadTriggerUser
|
|
ScheduleList.LoadRepos
|
|
|
|
code.gitea.io/gitea/models/asymkey
|
|
ErrGPGKeyAccessDenied.Error
|
|
ErrGPGKeyAccessDenied.Unwrap
|
|
HasDeployKey
|
|
|
|
code.gitea.io/gitea/models/auth
|
|
GetSourceByName
|
|
WebAuthnCredentials
|
|
|
|
code.gitea.io/gitea/models/db
|
|
TruncateBeans
|
|
InTransaction
|
|
DumpTables
|
|
|
|
code.gitea.io/gitea/models/dbfs
|
|
file.renameTo
|
|
Create
|
|
Rename
|
|
|
|
code.gitea.io/gitea/models/forgefed
|
|
GetFederationHost
|
|
|
|
code.gitea.io/gitea/models/forgejo/semver
|
|
GetVersion
|
|
SetVersionString
|
|
SetVersion
|
|
|
|
code.gitea.io/gitea/models/git
|
|
RemoveDeletedBranchByID
|
|
|
|
code.gitea.io/gitea/models/issues
|
|
IsErrUnknownDependencyType
|
|
ErrNewIssueInsert.Error
|
|
IsErrIssueWasClosed
|
|
ChangeMilestoneStatus
|
|
|
|
code.gitea.io/gitea/models/organization
|
|
GetTeamNamesByID
|
|
UpdateTeamUnits
|
|
SearchMembersOptions.ToConds
|
|
UsersInTeamsCount
|
|
|
|
code.gitea.io/gitea/models/perm/access
|
|
GetRepoWriters
|
|
|
|
code.gitea.io/gitea/models/project
|
|
UpdateColumnSorting
|
|
ChangeProjectStatus
|
|
|
|
code.gitea.io/gitea/models/repo
|
|
DeleteAttachmentsByIssue
|
|
FindReposMapByIDs
|
|
IsErrTopicNotExist
|
|
ErrTopicNotExist.Error
|
|
ErrTopicNotExist.Unwrap
|
|
GetTopicByName
|
|
WatchRepoMode
|
|
|
|
code.gitea.io/gitea/models/user
|
|
ErrUserInactive.Error
|
|
ErrUserInactive.Unwrap
|
|
IsErrExternalLoginUserAlreadyExist
|
|
IsErrExternalLoginUserNotExist
|
|
NewFederatedUser
|
|
IsErrUserSettingIsNotExist
|
|
GetUserAllSettings
|
|
DeleteUserSetting
|
|
GetUserEmailsByNames
|
|
GetUserNamesByIDs
|
|
|
|
code.gitea.io/gitea/modules/activitypub
|
|
NewContext
|
|
Context.APClientFactory
|
|
|
|
code.gitea.io/gitea/modules/assetfs
|
|
Bindata
|
|
|
|
code.gitea.io/gitea/modules/auth/password/hash
|
|
DummyHasher.HashWithSaltBytes
|
|
NewDummyHasher
|
|
|
|
code.gitea.io/gitea/modules/auth/password/pwn
|
|
WithHTTP
|
|
|
|
code.gitea.io/gitea/modules/base
|
|
SetupGiteaRoot
|
|
|
|
code.gitea.io/gitea/modules/cache
|
|
GetInt
|
|
WithNoCacheContext
|
|
RemoveContextData
|
|
|
|
code.gitea.io/gitea/modules/charset
|
|
BreakWriter.Write
|
|
|
|
code.gitea.io/gitea/modules/emoji
|
|
ReplaceCodes
|
|
|
|
code.gitea.io/gitea/modules/eventsource
|
|
Event.String
|
|
|
|
code.gitea.io/gitea/modules/forgefed
|
|
GetItemByType
|
|
JSONUnmarshalerFn
|
|
NotEmpty
|
|
ToRepository
|
|
OnRepository
|
|
|
|
code.gitea.io/gitea/modules/git
|
|
AllowLFSFiltersArgs
|
|
AddChanges
|
|
AddChangesWithArgs
|
|
CommitChanges
|
|
CommitChangesWithArgs
|
|
IsErrExecTimeout
|
|
ErrExecTimeout.Error
|
|
ErrUnsupportedVersion.Error
|
|
SetUpdateHook
|
|
openRepositoryWithDefaultContext
|
|
IsTagExist
|
|
ToEntryMode
|
|
LimitedReaderCloser.Read
|
|
LimitedReaderCloser.Close
|
|
|
|
code.gitea.io/gitea/modules/gitgraph
|
|
Parser.Reset
|
|
|
|
code.gitea.io/gitea/modules/gitrepo
|
|
GetBranchCommitID
|
|
GetWikiDefaultBranch
|
|
|
|
code.gitea.io/gitea/modules/graceful
|
|
Manager.TerminateContext
|
|
Manager.Err
|
|
Manager.Value
|
|
Manager.Deadline
|
|
|
|
code.gitea.io/gitea/modules/hcaptcha
|
|
WithHTTP
|
|
|
|
code.gitea.io/gitea/modules/json
|
|
StdJSON.Marshal
|
|
StdJSON.Unmarshal
|
|
StdJSON.NewEncoder
|
|
StdJSON.NewDecoder
|
|
StdJSON.Indent
|
|
|
|
code.gitea.io/gitea/modules/keying
|
|
DeriveKey
|
|
Key.Encrypt
|
|
Key.Decrypt
|
|
|
|
code.gitea.io/gitea/modules/markup
|
|
GetRendererByType
|
|
RenderString
|
|
IsMarkupFile
|
|
|
|
code.gitea.io/gitea/modules/markup/console
|
|
Render
|
|
RenderString
|
|
|
|
code.gitea.io/gitea/modules/markup/markdown
|
|
IsDetails
|
|
IsSummary
|
|
IsTaskCheckBoxListItem
|
|
IsIcon
|
|
RenderRawString
|
|
|
|
code.gitea.io/gitea/modules/markup/markdown/math
|
|
WithInlineDollarParser
|
|
WithBlockDollarParser
|
|
|
|
code.gitea.io/gitea/modules/markup/mdstripper
|
|
stripRenderer.AddOptions
|
|
StripMarkdown
|
|
|
|
code.gitea.io/gitea/modules/markup/orgmode
|
|
RenderString
|
|
|
|
code.gitea.io/gitea/modules/private
|
|
ActionsRunnerRegister
|
|
|
|
code.gitea.io/gitea/modules/process
|
|
Manager.ExecTimeout
|
|
|
|
code.gitea.io/gitea/modules/queue
|
|
newBaseChannelSimple
|
|
newBaseChannelUnique
|
|
newBaseRedisSimple
|
|
newBaseRedisUnique
|
|
testStateRecorder.Records
|
|
testStateRecorder.Reset
|
|
newWorkerPoolQueueForTest
|
|
|
|
code.gitea.io/gitea/modules/queue/lqinternal
|
|
QueueItemIDBytes
|
|
QueueItemKeyBytes
|
|
ListLevelQueueKeys
|
|
|
|
code.gitea.io/gitea/modules/setting
|
|
NewConfigProviderFromData
|
|
GitConfigType.GetOption
|
|
InitLoggersForTest
|
|
|
|
code.gitea.io/gitea/modules/storage
|
|
ErrInvalidConfiguration.Error
|
|
IsErrInvalidConfiguration
|
|
|
|
code.gitea.io/gitea/modules/structs
|
|
ParseCreateHook
|
|
ParsePushHook
|
|
|
|
code.gitea.io/gitea/modules/sync
|
|
StatusTable.Start
|
|
StatusTable.IsRunning
|
|
|
|
code.gitea.io/gitea/modules/timeutil
|
|
GetExecutableModTime
|
|
MockSet
|
|
MockUnset
|
|
|
|
code.gitea.io/gitea/modules/translation
|
|
MockLocale.Language
|
|
MockLocale.TrString
|
|
MockLocale.Tr
|
|
MockLocale.TrN
|
|
MockLocale.TrSize
|
|
MockLocale.PrettyNumber
|
|
|
|
code.gitea.io/gitea/modules/util/filebuffer
|
|
CreateFromReader
|
|
|
|
code.gitea.io/gitea/modules/validation
|
|
IsErrNotValid
|
|
|
|
code.gitea.io/gitea/modules/web
|
|
RouteMock
|
|
RouteMockReset
|
|
|
|
code.gitea.io/gitea/modules/web/middleware
|
|
DeleteLocaleCookie
|
|
|
|
code.gitea.io/gitea/modules/zstd
|
|
NewWriter
|
|
Writer.Write
|
|
Writer.Close
|
|
|
|
code.gitea.io/gitea/routers/web
|
|
NotFound
|
|
|
|
code.gitea.io/gitea/routers/web/org
|
|
MustEnableProjects
|
|
|
|
code.gitea.io/gitea/services/context
|
|
GetPrivateContext
|
|
|
|
code.gitea.io/gitea/services/convert
|
|
ToSecret
|
|
|
|
code.gitea.io/gitea/services/forms
|
|
DeadlineForm.Validate
|
|
|
|
code.gitea.io/gitea/services/pull
|
|
IsCommitStatusContextSuccess
|
|
|
|
code.gitea.io/gitea/services/repository
|
|
IsErrForkAlreadyExist
|
|
|
|
code.gitea.io/gitea/services/repository/archiver
|
|
ArchiveRepository
|
|
|
|
code.gitea.io/gitea/services/repository/files
|
|
ContentType.String
|
|
GetFileResponseFromCommit
|
|
TemporaryUploadRepository.GetLastCommit
|
|
TemporaryUploadRepository.GetLastCommitByRef
|
|
|
|
code.gitea.io/gitea/services/webhook
|
|
NewNotifier
|
|
|