summaryrefslogtreecommitdiffstats
path: root/org.eclipse.jgit.ssh.apache/src/org/eclipse
diff options
context:
space:
mode:
Diffstat (limited to 'org.eclipse.jgit.ssh.apache/src/org/eclipse')
-rw-r--r--org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitClientSession.java12
-rw-r--r--org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitKexExtensionHandler.java163
-rw-r--r--org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthFactory.java35
-rw-r--r--org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java224
-rw-r--r--org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java6
5 files changed, 8 insertions, 432 deletions
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitClientSession.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitClientSession.java
index f9e80121ed..7656fe8d08 100644
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitClientSession.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitClientSession.java
@@ -136,8 +136,8 @@ public class JGitClientSession extends ClientSessionImpl {
}
@Override
- protected IoWriteFuture sendIdentification(String ident)
- throws IOException {
+ protected IoWriteFuture sendIdentification(String ident,
+ List<String> extraLines) throws Exception {
StatefulProxyConnector proxy = proxyHandler;
if (proxy != null) {
try {
@@ -145,7 +145,8 @@ public class JGitClientSession extends ClientSessionImpl {
// from the peer only once the initial sendKexInit() following
// this call to sendIdentification() has returned!
proxy.runWhenDone(() -> {
- JGitClientSession.super.sendIdentification(ident);
+ JGitClientSession.super.sendIdentification(ident,
+ extraLines);
return null;
});
// Called only from the ClientSessionImpl constructor, where the
@@ -157,12 +158,11 @@ public class JGitClientSession extends ClientSessionImpl {
throw new IOException(other.getLocalizedMessage(), other);
}
}
- return super.sendIdentification(ident);
+ return super.sendIdentification(ident, extraLines);
}
@Override
- protected byte[] sendKexInit()
- throws IOException, GeneralSecurityException {
+ protected byte[] sendKexInit() throws Exception {
StatefulProxyConnector proxy = proxyHandler;
if (proxy != null) {
try {
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitKexExtensionHandler.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitKexExtensionHandler.java
deleted file mode 100644
index 9446aaa7d6..0000000000
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitKexExtensionHandler.java
+++ /dev/null
@@ -1,163 +0,0 @@
-/*
- * Copyright (C) 2021 Thomas Wolf <thomas.wolf@paranor.ch> and others
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Distribution License v. 1.0 which is available at
- * https://www.eclipse.org/org/documents/edl-v10.php.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-package org.eclipse.jgit.internal.transport.sshd;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.TreeSet;
-
-import org.apache.sshd.common.AttributeRepository.AttributeKey;
-import org.apache.sshd.common.NamedFactory;
-import org.apache.sshd.common.kex.KexProposalOption;
-import org.apache.sshd.common.kex.extension.KexExtensionHandler;
-import org.apache.sshd.common.kex.extension.KexExtensions;
-import org.apache.sshd.common.kex.extension.parser.ServerSignatureAlgorithms;
-import org.apache.sshd.common.session.Session;
-import org.apache.sshd.common.signature.Signature;
-import org.apache.sshd.common.util.logging.AbstractLoggingBean;
-import org.eclipse.jgit.util.StringUtils;
-
-/**
- * Do not use the DefaultClientKexExtensionHandler from sshd; it doesn't work
- * properly because of misconceptions. See SSHD-1141.
- *
- * @see <a href="https://issues.apache.org/jira/browse/SSHD-1141">SSHD-1141</a>
- */
-public class JGitKexExtensionHandler extends AbstractLoggingBean
- implements KexExtensionHandler {
-
- /** Singleton instance. */
- public static final JGitKexExtensionHandler INSTANCE = new JGitKexExtensionHandler();
-
- /**
- * Session {@link AttributeKey} used to store whether the extension
- * indicator was already sent.
- */
- private static final AttributeKey<Boolean> CLIENT_PROPOSAL_MADE = new AttributeKey<>();
-
- /**
- * Session {@link AttributeKey} storing the algorithms announced by the
- * server as known.
- */
- public static final AttributeKey<Set<String>> SERVER_ALGORITHMS = new AttributeKey<>();
-
- private JGitKexExtensionHandler() {
- // No public instantiation for singleton
- }
-
- @Override
- public boolean isKexExtensionsAvailable(Session session,
- AvailabilityPhase phase) throws IOException {
- return !AvailabilityPhase.PREKEX.equals(phase);
- }
-
- @Override
- public void handleKexInitProposal(Session session, boolean initiator,
- Map<KexProposalOption, String> proposal) throws IOException {
- // If it's the very first time, we may add the marker telling the server
- // that we are ready to handle SSH_MSG_EXT_INFO
- if (session == null || session.isServerSession() || !initiator) {
- return;
- }
- if (session.getAttribute(CLIENT_PROPOSAL_MADE) != null) {
- return;
- }
- String kexAlgorithms = proposal.get(KexProposalOption.SERVERKEYS);
- if (StringUtils.isEmptyOrNull(kexAlgorithms)) {
- return;
- }
- List<String> algorithms = new ArrayList<>();
- // We're a client. We mustn't send the server extension, and we should
- // send the client extension only once.
- for (String algo : kexAlgorithms.split(",")) { //$NON-NLS-1$
- if (KexExtensions.CLIENT_KEX_EXTENSION.equalsIgnoreCase(algo)
- || KexExtensions.SERVER_KEX_EXTENSION
- .equalsIgnoreCase(algo)) {
- continue;
- }
- algorithms.add(algo);
- }
- // Tell the server that we want to receive SSH2_MSG_EXT_INFO
- algorithms.add(KexExtensions.CLIENT_KEX_EXTENSION);
- if (log.isDebugEnabled()) {
- log.debug(
- "handleKexInitProposal({}): proposing HostKeyAlgorithms {}", //$NON-NLS-1$
- session, algorithms);
- }
- proposal.put(KexProposalOption.SERVERKEYS,
- String.join(",", algorithms)); //$NON-NLS-1$
- session.setAttribute(CLIENT_PROPOSAL_MADE, Boolean.TRUE);
- }
-
- @Override
- public boolean handleKexExtensionRequest(Session session, int index,
- int count, String name, byte[] data) throws IOException {
- if (ServerSignatureAlgorithms.NAME.equals(name)) {
- handleServerSignatureAlgorithms(session,
- ServerSignatureAlgorithms.INSTANCE.parseExtension(data));
- }
- return true;
- }
-
- /**
- * Perform updates after a server-sig-algs extension has been received.
- *
- * @param session
- * the message was received for
- * @param serverAlgorithms
- * signature algorithm names announced by the server
- */
- protected void handleServerSignatureAlgorithms(Session session,
- Collection<String> serverAlgorithms) {
- if (log.isDebugEnabled()) {
- log.debug("handleServerSignatureAlgorithms({}): {}", session, //$NON-NLS-1$
- serverAlgorithms);
- }
- // Client determines order; server says what it supports. Re-order
- // such that supported ones are at the front, in client order,
- // followed by unsupported ones, also in client order.
- if (serverAlgorithms != null && !serverAlgorithms.isEmpty()) {
- List<NamedFactory<Signature>> clientAlgorithms = new ArrayList<>(
- session.getSignatureFactories());
- if (log.isDebugEnabled()) {
- log.debug(
- "handleServerSignatureAlgorithms({}): PubkeyAcceptedAlgorithms before: {}", //$NON-NLS-1$
- session, clientAlgorithms);
- }
- List<NamedFactory<Signature>> unknown = new ArrayList<>();
- Set<String> known = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
- known.addAll(serverAlgorithms);
- for (Iterator<NamedFactory<Signature>> iter = clientAlgorithms
- .iterator(); iter.hasNext();) {
- NamedFactory<Signature> algo = iter.next();
- if (!known.contains(algo.getName())) {
- unknown.add(algo);
- iter.remove();
- }
- }
- // Re-add the unknown ones at the end. Per RFC 8308, some
- // servers may not announce _all_ their supported algorithms,
- // and a client may use unknown algorithms.
- clientAlgorithms.addAll(unknown);
- if (log.isDebugEnabled()) {
- log.debug(
- "handleServerSignatureAlgorithms({}): PubkeyAcceptedAlgorithms after: {}", //$NON-NLS-1$
- session, clientAlgorithms);
- }
- session.setAttribute(SERVER_ALGORITHMS, known);
- session.setSignatureFactories(clientAlgorithms);
- }
- }
-}
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthFactory.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthFactory.java
deleted file mode 100644
index 0e3e24dcff..0000000000
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthFactory.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2018, 2021 Thomas Wolf <thomas.wolf@paranor.ch> and others
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Distribution License v. 1.0 which is available at
- * https://www.eclipse.org/org/documents/edl-v10.php.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-package org.eclipse.jgit.internal.transport.sshd;
-
-import java.io.IOException;
-
-import org.apache.sshd.client.auth.pubkey.UserAuthPublicKey;
-import org.apache.sshd.client.auth.pubkey.UserAuthPublicKeyFactory;
-import org.apache.sshd.client.session.ClientSession;
-
-/**
- * A customized authentication factory for public key user authentication.
- */
-public class JGitPublicKeyAuthFactory extends UserAuthPublicKeyFactory {
-
- /** The singleton {@link JGitPublicKeyAuthFactory}. */
- public static final JGitPublicKeyAuthFactory FACTORY = new JGitPublicKeyAuthFactory();
-
- private JGitPublicKeyAuthFactory() {
- super();
- }
-
- @Override
- public UserAuthPublicKey createUserAuth(ClientSession session)
- throws IOException {
- return new JGitPublicKeyAuthentication(getSignatureFactories());
- }
-}
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java
deleted file mode 100644
index 6755094420..0000000000
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/internal/transport/sshd/JGitPublicKeyAuthentication.java
+++ /dev/null
@@ -1,224 +0,0 @@
-/*
- * Copyright (C) 2018, 2021 Thomas Wolf <thomas.wolf@paranor.ch> and others
- *
- * This program and the accompanying materials are made available under the
- * terms of the Eclipse Distribution License v. 1.0 which is available at
- * https://www.eclipse.org/org/documents/edl-v10.php.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-package org.eclipse.jgit.internal.transport.sshd;
-
-import java.io.IOException;
-import java.security.PublicKey;
-import java.security.spec.InvalidKeySpecException;
-import java.text.MessageFormat;
-import java.util.Deque;
-import java.util.HashSet;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.sshd.client.auth.pubkey.UserAuthPublicKey;
-import org.apache.sshd.client.session.ClientSession;
-import org.apache.sshd.common.NamedFactory;
-import org.apache.sshd.common.NamedResource;
-import org.apache.sshd.common.RuntimeSshException;
-import org.apache.sshd.common.SshConstants;
-import org.apache.sshd.common.config.keys.KeyUtils;
-import org.apache.sshd.common.signature.Signature;
-import org.apache.sshd.common.signature.SignatureFactoriesHolder;
-import org.apache.sshd.common.util.buffer.Buffer;
-
-/**
- * Custom {@link UserAuthPublicKey} implementation fixing SSHD-1105: if there
- * are several signature algorithms applicable for a public key type, we must
- * try them all, in the correct order.
- *
- * @see <a href="https://issues.apache.org/jira/browse/SSHD-1105">SSHD-1105</a>
- * @see <a href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=572056">Bug
- * 572056</a>
- */
-public class JGitPublicKeyAuthentication extends UserAuthPublicKey {
-
- private final Deque<String> currentAlgorithms = new LinkedList<>();
-
- private String chosenAlgorithm;
-
- JGitPublicKeyAuthentication(List<NamedFactory<Signature>> factories) {
- super(factories);
- }
-
- @Override
- protected boolean sendAuthDataRequest(ClientSession session, String service)
- throws Exception {
- if (current == null) {
- currentAlgorithms.clear();
- chosenAlgorithm = null;
- }
- String currentAlgorithm = null;
- if (current != null && !currentAlgorithms.isEmpty()) {
- currentAlgorithm = currentAlgorithms.poll();
- if (chosenAlgorithm != null) {
- Set<String> knownServerAlgorithms = session.getAttribute(
- JGitKexExtensionHandler.SERVER_ALGORITHMS);
- if (knownServerAlgorithms != null
- && knownServerAlgorithms.contains(chosenAlgorithm)) {
- // We've tried key 'current' with 'chosenAlgorithm', but it
- // failed. However, the server had told us it supported
- // 'chosenAlgorithm'. Thus it makes no sense to continue
- // with this key and other signature algorithms. Skip to the
- // next key, if any.
- currentAlgorithm = null;
- }
- }
- }
- if (currentAlgorithm == null) {
- try {
- if (keys == null || !keys.hasNext()) {
- if (log.isDebugEnabled()) {
- log.debug(
- "sendAuthDataRequest({})[{}] no more keys to send", //$NON-NLS-1$
- session, service);
- }
- current = null;
- return false;
- }
- current = keys.next();
- currentAlgorithms.clear();
- chosenAlgorithm = null;
- } catch (Error e) { // Copied from superclass
- throw new RuntimeSshException(e);
- }
- }
- PublicKey key;
- try {
- key = current.getPublicKey();
- } catch (Error e) { // Copied from superclass
- throw new RuntimeSshException(e);
- }
- if (currentAlgorithm == null) {
- String keyType = KeyUtils.getKeyType(key);
- Set<String> aliases = new HashSet<>(
- KeyUtils.getAllEquivalentKeyTypes(keyType));
- aliases.add(keyType);
- List<NamedFactory<Signature>> existingFactories;
- if (current instanceof SignatureFactoriesHolder) {
- existingFactories = ((SignatureFactoriesHolder) current)
- .getSignatureFactories();
- } else {
- existingFactories = getSignatureFactories();
- }
- if (existingFactories != null) {
- if (log.isDebugEnabled()) {
- log.debug(
- "sendAuthDataRequest({})[{}] selecting from PubKeyAcceptedAlgorithms {}", //$NON-NLS-1$
- session, service,
- NamedResource.getNames(existingFactories));
- }
- // Select the factories by name and in order
- existingFactories.forEach(f -> {
- if (aliases.contains(f.getName())) {
- currentAlgorithms.add(f.getName());
- }
- });
- }
- currentAlgorithm = currentAlgorithms.isEmpty() ? keyType
- : currentAlgorithms.poll();
- }
- String name = getName();
- if (log.isDebugEnabled()) {
- log.debug(
- "sendAuthDataRequest({})[{}] send SSH_MSG_USERAUTH_REQUEST request {} type={} - fingerprint={}", //$NON-NLS-1$
- session, service, name, currentAlgorithm,
- KeyUtils.getFingerPrint(key));
- }
-
- chosenAlgorithm = currentAlgorithm;
- Buffer buffer = session
- .createBuffer(SshConstants.SSH_MSG_USERAUTH_REQUEST);
- buffer.putString(session.getUsername());
- buffer.putString(service);
- buffer.putString(name);
- buffer.putBoolean(false);
- buffer.putString(currentAlgorithm);
- buffer.putPublicKey(key);
- session.writePacket(buffer);
- return true;
- }
-
- @Override
- protected boolean processAuthDataRequest(ClientSession session,
- String service, Buffer buffer) throws Exception {
- String name = getName();
- int cmd = buffer.getUByte();
- if (cmd != SshConstants.SSH_MSG_USERAUTH_PK_OK) {
- throw new IllegalStateException(MessageFormat.format(
- SshdText.get().pubkeyAuthWrongCommand,
- SshConstants.getCommandMessageName(cmd),
- session.getConnectAddress(), session.getServerVersion()));
- }
- PublicKey key;
- try {
- key = current.getPublicKey();
- } catch (Error e) { // Copied from superclass
- throw new RuntimeSshException(e);
- }
- String rspKeyAlgorithm = buffer.getString();
- PublicKey rspKey = buffer.getPublicKey();
- if (log.isDebugEnabled()) {
- log.debug(
- "processAuthDataRequest({})[{}][{}] SSH_MSG_USERAUTH_PK_OK type={}, fingerprint={}", //$NON-NLS-1$
- session, service, name, rspKeyAlgorithm,
- KeyUtils.getFingerPrint(rspKey));
- }
- if (!KeyUtils.compareKeys(rspKey, key)) {
- throw new InvalidKeySpecException(MessageFormat.format(
- SshdText.get().pubkeyAuthWrongKey,
- KeyUtils.getFingerPrint(key),
- KeyUtils.getFingerPrint(rspKey),
- session.getConnectAddress(), session.getServerVersion()));
- }
- if (!chosenAlgorithm.equalsIgnoreCase(rspKeyAlgorithm)) {
- // 'algo' SHOULD be the same as 'chosenAlgorithm', which is the one
- // we sent above. See https://tools.ietf.org/html/rfc4252#page-9 .
- //
- // However, at least Github (SSH-2.0-babeld-383743ad) servers seem
- // to return the key type, not the algorithm name.
- //
- // So we don't check but just log the inconsistency. We sign using
- // 'chosenAlgorithm' in any case, so we don't really care what the
- // server says here.
- log.warn(MessageFormat.format(
- SshdText.get().pubkeyAuthWrongSignatureAlgorithm,
- chosenAlgorithm, rspKeyAlgorithm, session.getConnectAddress(),
- session.getServerVersion()));
- }
- String username = session.getUsername();
- Buffer out = session
- .createBuffer(SshConstants.SSH_MSG_USERAUTH_REQUEST);
- out.putString(username);
- out.putString(service);
- out.putString(name);
- out.putBoolean(true);
- out.putString(chosenAlgorithm);
- out.putPublicKey(key);
- if (log.isDebugEnabled()) {
- log.debug(
- "processAuthDataRequest({})[{}][{}]: signing with algorithm {}", //$NON-NLS-1$
- session, service, name, chosenAlgorithm);
- }
- appendSignature(session, service, name, username, chosenAlgorithm, key,
- out);
- session.writePacket(out);
- return true;
- }
-
- @Override
- protected void releaseKeys() throws IOException {
- currentAlgorithms.clear();
- current = null;
- chosenAlgorithm = null;
- super.releaseKeys();
- }
-}
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java
index 2d7e0c7c77..d52e24adfb 100644
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java
@@ -32,6 +32,7 @@ import org.apache.sshd.client.ClientBuilder;
import org.apache.sshd.client.SshClient;
import org.apache.sshd.client.auth.UserAuthFactory;
import org.apache.sshd.client.auth.keyboard.UserAuthKeyboardInteractiveFactory;
+import org.apache.sshd.client.auth.pubkey.UserAuthPublicKeyFactory;
import org.apache.sshd.client.config.hosts.HostConfigEntryResolver;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.SshException;
@@ -47,9 +48,7 @@ import org.eclipse.jgit.internal.transport.ssh.OpenSshConfigFile;
import org.eclipse.jgit.internal.transport.sshd.AuthenticationCanceledException;
import org.eclipse.jgit.internal.transport.sshd.CachingKeyPairProvider;
import org.eclipse.jgit.internal.transport.sshd.GssApiWithMicAuthFactory;
-import org.eclipse.jgit.internal.transport.sshd.JGitKexExtensionHandler;
import org.eclipse.jgit.internal.transport.sshd.JGitPasswordAuthFactory;
-import org.eclipse.jgit.internal.transport.sshd.JGitPublicKeyAuthFactory;
import org.eclipse.jgit.internal.transport.sshd.JGitServerKeyVerifier;
import org.eclipse.jgit.internal.transport.sshd.JGitSshClient;
import org.eclipse.jgit.internal.transport.sshd.JGitSshConfig;
@@ -217,7 +216,6 @@ public class SshdSessionFactory extends SshSessionFactory implements Closeable {
new JGitUserInteraction(credentialsProvider));
client.setUserAuthFactories(getUserAuthFactories());
client.setKeyIdentityProvider(defaultKeysProvider);
- client.setKexExtensionHandler(JGitKexExtensionHandler.INSTANCE);
// JGit-specific things:
JGitSshClient jgitClient = (JGitSshClient) client;
jgitClient.setKeyCache(getKeyCache());
@@ -579,7 +577,7 @@ public class SshdSessionFactory extends SshSessionFactory implements Closeable {
// Password auth doesn't have this problem.
return Collections.unmodifiableList(
Arrays.asList(GssApiWithMicAuthFactory.INSTANCE,
- JGitPublicKeyAuthFactory.FACTORY,
+ UserAuthPublicKeyFactory.INSTANCE,
JGitPasswordAuthFactory.INSTANCE,
UserAuthKeyboardInteractiveFactory.INSTANCE));
}