authorThomas Wolf <thomas.wolf@paranor.ch>2018-06-08 15:47:05 +0200
committerMatthias Sohn <matthias.sohn@sap.com>2018-06-10 12:06:59 +0200
commit4ef8769f81949d1b5759645bdba969b6b5a7289a (patch)
tree974eddea4761f0bb52624bccb4c70027aa98b327
parent6cb0199ffc4f879bc654b28b6e4756abdc6351e5 (diff)
Ensure Jsch checks all configured algorithms
Jsch checks only for the availability of the algorithms given by Jsch-internal config keys "CheckCiphers", "CheckKexes", and "CheckSignatures". If the ssh config defines any algorithms unknown to Jsch not listed in those keys, it'll still propose them during the negotiation phase, and run into an NPE later on if the server happens to propose such an algorithm and it gets chosen. Jsch reads those "CheckCiphers" and the other values from either a session-local config, or the global static Jsch config. It bypasses ~/.ssh/config for these values. Therefore, copy these values from the config as read from ~/.ssh/config into the session-specific config. That makes Jsch check _all_ configured algorithms up front, discarding any for which it has no implementation. Thus it proposes only algorithms it actually can handle. Bug: 535672 Change-Id: I6a68e54f4d9a3267e895c536bcf3c58099826ad5 Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
-rw-r--r--org.eclipse.jgit/src/org/eclipse/jgit/transport/JschConfigSessionFactory.java21
1 files changed, 21 insertions, 0 deletions
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/JschConfigSessionFactory.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/JschConfigSessionFactory.java
index ea2f4b1e3e..1d5248a15d 100644
--- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/JschConfigSessionFactory.java
+++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/JschConfigSessionFactory.java
@@ -70,6 +70,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.jcraft.jsch.ConfigRepository;
+import com.jcraft.jsch.ConfigRepository.Config;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
@@ -222,10 +223,30 @@ public abstract class JschConfigSessionFactory extends SshSessionFactory {
session.setUserInfo(new CredentialsProviderUserInfo(session,
credentialsProvider));
}
+ safeConfig(session, hc.getConfig());
configure(hc, session);
return session;
}
+ private void safeConfig(Session session, Config cfg) {
+ // Ensure that Jsch checks all configured algorithms, not just its
+ // built-in ones. Otherwise it may propose an algorithm for which it
+ // doesn't have an implementation, and then run into an NPE if that
+ // algorithm ends up being chosen.
+ copyConfigValueToSession(session, cfg, "Ciphers", "CheckCiphers"); //$NON-NLS-1$ //$NON-NLS-2$
+ copyConfigValueToSession(session, cfg, "KexAlgorithms", "CheckKexes"); //$NON-NLS-1$ //$NON-NLS-2$
+ copyConfigValueToSession(session, cfg, "HostKeyAlgorithms", //$NON-NLS-1$
+ "CheckSignatures"); //$NON-NLS-1$
+ }
+
+ private void copyConfigValueToSession(Session session, Config cfg,
+ String from, String to) {
+ String value = cfg.getValue(from);
+ if (value != null) {
+ session.setConfig(to, value);
+ }
+ }
+
private void setUserName(Session session, String userName) {
// Jsch 0.1.54 picks up the user name from the ssh config, even if an
// explicit user name was given! We must correct that if ~/.ssh/config
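Review bot: `copyConfigValueToSession` passes the raw ssh-config string straight into the Jsch check key, so the up-front availability check is only as good as Jsch's parsing of that string, and nothing records which algorithms were discarded. OpenSSH accepts list modifiers such as a leading `+` or `-` in `Ciphers`, `KexAlgorithms` and `HostKeyAlgorithms`; whether `cfg.getValue` or Jsch normalises these is not visible here, so such a value may end up checked as a literal algorithm name. I would document the assumption above the `session.setConfig(to, value)` call, e.g. `// value is copied verbatim; assumes a plain comma-separated list of algorithm names`, and consider a debug log of the copied value so that a narrowed proposal can be diagnosed. The method that calls `safeConfig` starts outside the hunk, so it is not visible whether `hc.getConfig()` can return null there; if it can, `cfg.getValue(from)` would throw.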