Since [1] the gerrit project includes jgit as a submodule, and has this
warning enabled, resulting in 100s of warnings in the console.
Also enable the warning here, and fix them.
At the same time, add missing braces around adjacent and nearby one-line
blocks.
[1] https://gerrit-review.googlesource.com/c/gerrit/+/227897
Change-Id: I81df3fc7ed6eedf6874ce1a3bedfa727a1897e4c
Signed-off-by: David Pursehouse <david.pursehouse@gmail.com>
The java.net.ProxySelector is quite a bit different from the one
in Eclipse. Eclipse (and the OS) uses "socks" as URI scheme to
look up a SOCKS proxy. java.net.ProxySelector needs "socket" as
scheme (and internally maps that to "socks" if and when it asks
the OS about the proxies).
Moreover, java.net.ProxySelector may return unresolved addresses,
whereas the Eclipse proxy selector always returns resolved addresses.
Fix both by explicitly resolving unresolved proxy addresses and using
scheme "socket" in the DefaultProxyDataFactory.
Tested manually with the jgit command-line tool using ssh -vvv -D7020
localhost and 3proxy as SOCKS5 proxies on localhost (3proxy with
user/password authentication). Start jgit with _JAVA_OPTIONS set to
"-DsocksProxyHost=<host> -DsocksProxyPort=<port>
-Djava.net.useSystemProxies=false" to test manually.
Bug: 548965
Change-Id: Ib81ae8255ac2f9c48268f172e7d8ebb4a792b66d
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Add the constant, and implement hashing of known host names in
OpenSshServerKeyDatabase. Add a test verifying that the hashing
works.
Bug: 548492
Change-Id: Iabe82b666da627bd7f4d82519a366d166aa9ddd4
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Provide a wrapper interface and change the implementation such that
a client can substitute its own database of known hosts keys instead
of the default file-based mechanism.
Bug: 547619
Change-Id: Ifc25a4519fa5bcf7bb8541b9f3e2de15215e3d66
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
The same effect could already be obtained if the ~/.ssh/config file
did not exist. But that is more difficult to control by clients,
since JGit would pick up the config if it was then created. Therefore
allow specifying a null config explicitly to permanently switch off
config file handling.
Change-Id: Iedf8a7f4d5c1ca08e0a513ed28301d8e5261b22a
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Reduce the dependency on the ClientSession in preparation to
remove it altogether. Remove the internal helper, re-implement
the needed bits. We have not implemented any configuration
possibility in JGit for creating hashed host names in known hosts
files, so we don't need the sshd code that theoretically would
enable this.
Change-Id: I295f5106b60e1cc3a9d085b0cb7ff747daae88be
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
We're actually interested only in the known public keys, we don't need
the corresponding host entry from the config.
Change-Id: Ibde6dffe9e3f87bfbb7c70d1f733b2b0e28cad71
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
The proxy handler may be re-set from an unspecified I/O thread.
Declare the shared variable as volatile.
Change-Id: I4e7ce393ae2cdc7f1cd4edf40c137da6d6c50ad5
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
RFC 4253 section 4.2 allows an ssh server to send additional lines
before its server identification string. Apache MINA sshd enforces
for these lines the constraints specified for the server identification
line, too: no NUL characters and not longer than 255 characters. That
is too strict. RFC 4253 doesn't mandate this, and it also doesn't
make sense given the rationale for these lines in RFC 4253: a TCP
wrapper may not be aware of SSH restrictions, and may not adhere to
these constraints.
Be more lenient when parsing the server's protocol version. Allow
NULs and longer lines in the preamble, and also handle line endings
more leniently. Only enforce the restrictions for the actual server
identification line.
Bug: 545939
Change-Id: I75955e9d8a8daef7c04fc0f39539c2ee93514e1c
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
The placeholders in manifest and plugin.properties did not match. To
avoid similar issues, all placeholders have been changed to
Bundle-Vendor and Bundle-Name now.
Bug:548503
Change-Id: Ibd4b9bc237b323e614506b97e5fbc99416365040
Signed-off-by: Michael Keppler <Michael.Keppler@gmx.de>
Add encrypted ed25519 keys in the tests; sshd 2.2.0 can finally
decrypt encrypted new-style OpenSSH key files. (Needs the "unlimited
strength" JCE, which is the default since Java 8u161. On older JREs,
users should install the policy files available from Oracle.)
The "expensive" key added has been generated with OpenSSH's
ssh-keygen -t ed25519 -a 256, i.e., with 256 bcrypt KDF rounds
instead of the default 16. On my machine it takes about 2sec to
decrypt.
Bug: 541703
Change-Id: Id3872ca2fd75d8f009cbc932eeb6357d3d1f267c
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Update target platforms, maven and bazel builds to use sshd 2.2.0.
Adapt internal classes to changed sshd interfaces and remove previous
work-arounds for asking repeatedly for key passwords and for loading
keys lazily; both are now done by sshd.
CQ: 19034
CQ: 19035
Bug: 541425
Change-Id: I85e1df6ebb8a94953a912d9b2b8a7b5bdfbd608a
Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Matthias Sohn
David Pursehouse
Thomas Wolf
Michael Keppler
Carsten Hammer