opendev/gerrit
Code Issues Proposed changes

Merge "Merge branch 'stable-3.1' into stable-3.2" into stable-3.2

Browse Source
This commit is contained in:
Marco Miller
2020-11-20 14:07:27 +00:00
committed by Gerrit Code Review
parent 2ec720f38c ebce1f5d30
commit b0b473c147
6 changed files with 89 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Documentation/concept-patch-sets.txt
View File

@@ -89,7 +89,7 @@ evolves, such as "Added more unit tests." Unlike the change description, a patch
set description does not become a part of the project's history. set description does not become a part of the project's history.
To add a patch set description, click *Add a patch set description*, located in To add a patch set description, click *Add a patch set description*, located in
the file list. the file list, or provide it link:user-upload.html#patch_set_description[on upload].
GERRIT GERRIT
------ ------

8
Documentation/user-upload.txt
View File

@@ -315,11 +315,11 @@ link:intro-user.html#work-in-progress-by-default[user preference]. If the
preference is set so the default behavior is to create `work-in-progress` preference is set so the default behavior is to create `work-in-progress`
changes, this can be overridden with the `ready` option. changes, this can be overridden with the `ready` option.
[[message]] [[patch_set_description]]
==== Message ==== Patch Set Description
A comment message can be applied to the change by using the `message` (or `m`) A link:concept-patch-sets.html#_description[patch set description] can be
option: applied by using the `message` (or `m`) option:
---- ----
git push ssh://john.doe@git.example.com:29418/kernel/common HEAD:refs/for/experimental%m=This_is_a_rebase_on_master%21 git push ssh://john.doe@git.example.com:29418/kernel/common HEAD:refs/for/experimental%m=This_is_a_rebase_on_master%21

8
java/com/google/gerrit/server/mail/send/SmtpEmailSender.java
View File

@@ -391,11 +391,7 @@ public class SmtpEmailSender implements EmailSender {
} }
private SMTPClient open() throws EmailException { private SMTPClient open() throws EmailException {
final AuthSMTPClient client = new AuthSMTPClient(UTF_8.name()); final AuthSMTPClient client = new AuthSMTPClient(smtpEncryption == Encryption.SSL, sslVerify);
if (smtpEncryption == Encryption.SSL) {
client.enableSSL(sslVerify);
}
client.setConnectTimeout(connectTimeout); client.setConnectTimeout(connectTimeout);
try { try {
@@ -411,7 +407,7 @@ public class SmtpEmailSender implements EmailSender {
} }
if (smtpEncryption == Encryption.TLS) { if (smtpEncryption == Encryption.TLS) {
if (!client.startTLS(smtpHost, smtpPort, sslVerify)) { if (!client.execTLS()) {
throw new EmailException("SMTP server does not support TLS"); throw new EmailException("SMTP server does not support TLS");
} }
if (!client.login()) { if (!client.login()) {

15
java/com/google/gerrit/util/ssl/BlindSSLSocketFactory.java
View File

@@ -20,7 +20,6 @@ import java.net.Socket;
import java.net.UnknownHostException; import java.net.UnknownHostException;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
import java.security.SecureRandom; import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.SocketFactory; import javax.net.SocketFactory;
import javax.net.ssl.SSLContext; import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.SSLSocketFactory;
@@ -32,19 +31,7 @@ public class BlindSSLSocketFactory extends SSLSocketFactory {
private static final BlindSSLSocketFactory INSTANCE; private static final BlindSSLSocketFactory INSTANCE;
static { static {
final X509TrustManager dummyTrustManager = final X509TrustManager dummyTrustManager = new BlindTrustManager();
new X509TrustManager() {
@Override
public X509Certificate[] getAcceptedIssuers() {
return null;
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) {}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) {}
};
try { try {
final SSLContext context = SSLContext.getInstance("SSL"); final SSLContext context = SSLContext.getInstance("SSL");

33
java/com/google/gerrit/util/ssl/BlindTrustManager.java Normal file
View File

@@ -0,0 +1,33 @@
// Copyright (C) 2020 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.gerrit.util.ssl;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;
/** TrustManager implementation that accepts all certificates without validation. */
public class BlindTrustManager implements X509TrustManager {
@Override
public X509Certificate[] getAcceptedIssuers() {
return null;
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) {}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) {}
}

98
java/org/apache/commons/net/smtp/AuthSMTPClient.java
View File

@@ -17,68 +17,66 @@ package org.apache.commons.net.smtp;
import static java.nio.charset.StandardCharsets.UTF_8; import static java.nio.charset.StandardCharsets.UTF_8;
import com.google.common.io.BaseEncoding; import com.google.common.io.BaseEncoding;
import com.google.gerrit.util.ssl.BlindSSLSocketFactory; import com.google.gerrit.util.ssl.BlindTrustManager;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.IOException; import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.UnsupportedEncodingException; import java.io.UnsupportedEncodingException;
import java.net.SocketException;
import java.security.InvalidKeyException; import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.util.Arrays; import java.util.Arrays;
import java.util.List; import java.util.List;
import javax.crypto.Mac; import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec; import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
public class AuthSMTPClient extends SMTPClient { /**
* SMTP Client with authentication support and optional SSL processing and verification. {@link
* org.apache.commons.net.smtp.SMTPSClient} is used for the SSL handshake and hostname verification.
*
* <p>If shouldHandshakeOnConnect mode is selected, SSL/TLS negotiation starts right after the
* connection has been established. Otherwise SSL/TLS negotiation will only occur if {@link
* AuthSMTPClient#execTLS} is explicitly called and the server accepts the command.
*
* <p>Examples:
*
* <ul>
* <li>For SSL connection:
* <pre>
* AuthSMTPClient c = new AuthSMTPClient(true, sslVerify);
* c.connect("127.0.0.1", 465);
* </pre>
* <li>For TLS connection:
* <pre>
* AuthSMTPClient c = new AuthSMTPClient(false, sslVerify);
* c.connect("127.0.0.1", 25);
* if (c.execTLS()) { /rest of the commands here/ }
* </pre>
* <li>If SSL encryption is not required:
* <pre>
* AuthSMTPClient c = new AuthSMTPClient(false, false);
* c.connect("127.0.0.1", port);
* </pre>
*/
public class AuthSMTPClient extends SMTPSClient {
private String authTypes; private String authTypes;
public AuthSMTPClient(String charset) { /**
super(charset); * Constructs AuthSMTPClient.
} *
* @param shouldHandshakeOnConnect the SSL processing mode, {@code true} if SSL negotiation should
public void enableSSL(boolean verify) { * start right after connect, {@code false} if it will be started by the user explicitly or
_socketFactory_ = sslFactory(verify); * SSL negotiation is not required.
} * @param sslVerificationEnabled {@code true} if the SMTP server's SSL certificate and hostname
* should be verified, {@code false} otherwise.
public boolean startTLS(String hostname, int port, boolean verify) */
throws SocketException, IOException { public AuthSMTPClient(boolean shouldHandshakeOnConnect, boolean sslVerificationEnabled) {
if (sendCommand("STARTTLS") != 220) { // If SSL Encryption is required, SMTPSClient is used for the handshake.
return false; // Otherwise, use SMTPSClient in 'explicit' mode without calling execTLS().
// See SMTPSClient._connectAction_ in commons-net-3.6.
super("TLS", shouldHandshakeOnConnect, UTF_8.name());
this.setEndpointCheckingEnabled(sslVerificationEnabled);
if (!sslVerificationEnabled) {
this.setTrustManager(new BlindTrustManager());
} }
_socket_ = sslFactory(verify).createSocket(_socket_, hostname, port, true);
if (verify) {
SSLParameters sslParams = new SSLParameters();
sslParams.setEndpointIdentificationAlgorithm("HTTPS");
((SSLSocket) _socket_).setSSLParameters(sslParams);
}
// XXX: Can't call _connectAction_() because SMTP server doesn't
// give banner information again after STARTTLS, thus SMTP._connectAction_()
// will wait on __getReply() forever, see source code of commons-net-2.2.
//
// The lines below are copied from SocketClient._connectAction_() and
// SMTP._connectAction_() in commons-net-2.2.
_socket_.setSoTimeout(_timeout_);
_input_ = _socket_.getInputStream();
_output_ = _socket_.getOutputStream();
_reader = new BufferedReader(new InputStreamReader(_input_, UTF_8));
_writer = new BufferedWriter(new OutputStreamWriter(_output_, UTF_8));
return true;
}
private static SSLSocketFactory sslFactory(boolean verify) {
if (verify) {
return (SSLSocketFactory) SSLSocketFactory.getDefault();
}
return (SSLSocketFactory) BlindSSLSocketFactory.getDefault();
} }
@Override @Override