proxmox-mirrors/libgit2
1
0
Fork 0
mirror of https://git.proxmox.com/git/libgit2 synced 2025-05-09 16:45:49 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

ssh: do ssh cert info before asking for credentials

Browse Source 
We know the host's key as soon as we connect, so we should perform the
check as soon as we can, before we bother with the user's credentials.
This commit is contained in:
Carlos Martín Nieto 2014-08-29 21:15:36 +02:00
parent 17491f6e56
commit 2f5864c50c
2 changed files with 48 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
src/transports/ssh.c
View File

@ -467,56 +467,12 @@ static int _git_ssh_setup_conn(
GITERR_CHECK_ALLOC(port);
}
/* we need the username to ask for auth methods */
if (!user) {
if ((error = request_creds(&cred, t, NULL, GIT_CREDTYPE_USERNAME)) < 0)
goto on_error;
user = git__strdup(((git_cred_username *) cred)->username);
cred->free(cred);
cred = NULL;
if (!user)
goto on_error;
} else if (user && pass) {
if ((error = git_cred_userpass_plaintext_new(&cred, user, pass)) < 0)
goto on_error;
}
if ((error = gitno_connect(&s->socket, host, port, 0)) < 0)
goto on_error;
if ((error = _git_ssh_session_create(&session, s->socket)) < 0)
goto on_error;
if ((error = list_auth_methods(&auth_methods, session, user)) < 0)
goto on_error;
error = GIT_EAUTH;
/* if we already have something to try */
if (cred && auth_methods & cred->credtype)
error = _git_ssh_authenticate_session(session, cred);
while (error == GIT_EAUTH) {
if (cred) {
cred->free(cred);
cred = NULL;
}
if ((error = request_creds(&cred, t, user, auth_methods)) < 0)
goto on_error;
if (strcmp(user, git_cred__username(cred))) {
giterr_set(GITERR_SSH, "username does not match previous request");
error = -1;
goto on_error;
}
error = _git_ssh_authenticate_session(session, cred);
}
if (error < 0)
goto on_error;
if (t->owner->certificate_check_cb != NULL) {
git_cert_hostkey cert;
const char *key;
@ -554,11 +510,54 @@ static int _git_ssh_setup_conn(
}
}
/* we need the username to ask for auth methods */
if (!user) {
if ((error = request_creds(&cred, t, NULL, GIT_CREDTYPE_USERNAME)) < 0)
goto on_error;
user = git__strdup(((git_cred_username *) cred)->username);
cred->free(cred);
cred = NULL;
if (!user)
goto on_error;
} else if (user && pass) {
if ((error = git_cred_userpass_plaintext_new(&cred, user, pass)) < 0)
goto on_error;
}
if ((error = list_auth_methods(&auth_methods, session, user)) < 0)
goto on_error;
error = GIT_EAUTH;
/* if we already have something to try */
if (cred && auth_methods & cred->credtype)
error = _git_ssh_authenticate_session(session, cred);
while (error == GIT_EAUTH) {
if (cred) {
cred->free(cred);
cred = NULL;
}
if ((error = request_creds(&cred, t, user, auth_methods)) < 0)
goto on_error;
if (strcmp(user, git_cred__username(cred))) {
giterr_set(GITERR_SSH, "username does not match previous request");
error = -1;
goto on_error;
}
error = _git_ssh_authenticate_session(session, cred);
}
if (error < 0)
goto on_error;
channel = libssh2_channel_open_session(session);
if (!channel) {
error = -1;
ssh_error(session, "Failed to open SSH channel");
error = -1;
goto on_error;
}
@ -634,10 +633,8 @@ static int ssh_receivepack_ls(
{
const char *cmd = t->cmd_receivepack ? t->cmd_receivepack : cmd_receivepack;
if (_git_ssh_setup_conn(t, url, cmd, stream) < 0)
return -1;
return 0;
return _git_ssh_setup_conn(t, url, cmd, stream);
}
static int ssh_receivepack(

3
tests/online/clone.c
View File

@ -487,6 +487,9 @@ void test_online_clone__certificate_invalid(void)
cl_git_fail_with(git_clone(&g_repo, "http://github.com/libgit2/TestGitRepository", "./foo", &g_options),
GIT_ECERTIFICATE);
cl_git_fail_with(git_clone(&g_repo, "ssh://github.com/libgit2/TestGitRepository", "./foo", &g_options),
GIT_ECERTIFICATE);
}
static int succeed_certificate_check(git_cert_t type, void *data, size_t len, int valid, void *payload)