From 2f5864c50c3c82d01837570cb0b7e629295c65cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20Mart=C3=ADn=20Nieto?= Date: Fri, 29 Aug 2014 21:15:36 +0200 Subject: [PATCH] ssh: do ssh cert info before asking for credentials We know the host's key as soon as we connect, so we should perform the check as soon as we can, before we bother with the user's credentials. --- src/transports/ssh.c | 93 +++++++++++++++++++++----------------------- tests/online/clone.c | 3 ++ 2 files changed, 48 insertions(+), 48 deletions(-) diff --git a/src/transports/ssh.c b/src/transports/ssh.c index 8344714f3..a25ab6315 100644 --- a/src/transports/ssh.c +++ b/src/transports/ssh.c @@ -467,56 +467,12 @@ static int _git_ssh_setup_conn( GITERR_CHECK_ALLOC(port); } - /* we need the username to ask for auth methods */ - if (!user) { - if ((error = request_creds(&cred, t, NULL, GIT_CREDTYPE_USERNAME)) < 0) - goto on_error; - - user = git__strdup(((git_cred_username *) cred)->username); - cred->free(cred); - cred = NULL; - if (!user) - goto on_error; - } else if (user && pass) { - if ((error = git_cred_userpass_plaintext_new(&cred, user, pass)) < 0) - goto on_error; - } - if ((error = gitno_connect(&s->socket, host, port, 0)) < 0) goto on_error; if ((error = _git_ssh_session_create(&session, s->socket)) < 0) goto on_error; - if ((error = list_auth_methods(&auth_methods, session, user)) < 0) - goto on_error; - - error = GIT_EAUTH; - /* if we already have something to try */ - if (cred && auth_methods & cred->credtype) - error = _git_ssh_authenticate_session(session, cred); - - while (error == GIT_EAUTH) { - if (cred) { - cred->free(cred); - cred = NULL; - } - - if ((error = request_creds(&cred, t, user, auth_methods)) < 0) - goto on_error; - - if (strcmp(user, git_cred__username(cred))) { - giterr_set(GITERR_SSH, "username does not match previous request"); - error = -1; - goto on_error; - } - - error = _git_ssh_authenticate_session(session, cred); - } - - if (error < 0) - goto on_error; - if (t->owner->certificate_check_cb != NULL) { git_cert_hostkey cert; const char *key; @@ -554,11 +510,54 @@ static int _git_ssh_setup_conn( } } + /* we need the username to ask for auth methods */ + if (!user) { + if ((error = request_creds(&cred, t, NULL, GIT_CREDTYPE_USERNAME)) < 0) + goto on_error; + + user = git__strdup(((git_cred_username *) cred)->username); + cred->free(cred); + cred = NULL; + if (!user) + goto on_error; + } else if (user && pass) { + if ((error = git_cred_userpass_plaintext_new(&cred, user, pass)) < 0) + goto on_error; + } + + if ((error = list_auth_methods(&auth_methods, session, user)) < 0) + goto on_error; + + error = GIT_EAUTH; + /* if we already have something to try */ + if (cred && auth_methods & cred->credtype) + error = _git_ssh_authenticate_session(session, cred); + + while (error == GIT_EAUTH) { + if (cred) { + cred->free(cred); + cred = NULL; + } + + if ((error = request_creds(&cred, t, user, auth_methods)) < 0) + goto on_error; + + if (strcmp(user, git_cred__username(cred))) { + giterr_set(GITERR_SSH, "username does not match previous request"); + error = -1; + goto on_error; + } + + error = _git_ssh_authenticate_session(session, cred); + } + + if (error < 0) + goto on_error; + channel = libssh2_channel_open_session(session); if (!channel) { error = -1; ssh_error(session, "Failed to open SSH channel"); - error = -1; goto on_error; } @@ -634,10 +633,8 @@ static int ssh_receivepack_ls( { const char *cmd = t->cmd_receivepack ? t->cmd_receivepack : cmd_receivepack; - if (_git_ssh_setup_conn(t, url, cmd, stream) < 0) - return -1; - return 0; + return _git_ssh_setup_conn(t, url, cmd, stream); } static int ssh_receivepack( diff --git a/tests/online/clone.c b/tests/online/clone.c index 0e9a17663..66e614e15 100644 --- a/tests/online/clone.c +++ b/tests/online/clone.c @@ -487,6 +487,9 @@ void test_online_clone__certificate_invalid(void) cl_git_fail_with(git_clone(&g_repo, "http://github.com/libgit2/TestGitRepository", "./foo", &g_options), GIT_ECERTIFICATE); + + cl_git_fail_with(git_clone(&g_repo, "ssh://github.com/libgit2/TestGitRepository", "./foo", &g_options), + GIT_ECERTIFICATE); } static int succeed_certificate_check(git_cert_t type, void *data, size_t len, int valid, void *payload)