From bde8e9ac6f26a85c1a757ac0fa298f8b0c3c5783 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Sa=C5=A1a=20=C5=BDivkov?= Date: Tue, 2 Dec 2014 15:06:54 +0100 Subject: [PATCH] Downgrade SSHD to 0.9.0-4-g5967cfd Since there is no official 0.9.1 release of the SSHD yet, the 0.9.0-4-g5967cfd version was built from the 0.9.x branch and uploaded to the Google cloud storage. This change reverts the following Gerrit commits: 3d9c70c SSHD: Update to 0.13.0 52e4e0c Bump SSHD Mina version to 2.0.8 3921163 Don't use deprecated PGPPublicKeyRingCollection constructor 13452f4 Bump Bouncycastle version to 1.51 5f7d5a7 Update EncryptedContactStore to not use deprecated/removed methods f69698c Update SSHD to 0.11.1-atlassian-1 67c38c8 Added global request handlers to SshDaemon c31e17f Update sshd to 0.11.0 b9c66ea Bump SSHD version to 0.10.1 and enable nio2 backend The reason for the downgrade (copied from the change 60161): SSHD release 0.9 is known to be free from exhausting thread pool problem [1]. Unfortunately 0.9 release suffers from sporadic handshake failures [2]. The fix cannot be cleanly cherry-picked to 0.9 release. The back port of this fix [3] is tracked under its own issue [4], was uploaded as PR for SSHD Mina's GH repository [5] and merged recently [6]. Moreover, 0.9 suffers from "Authenticated with partial success" issue [7] that was fixed by [8], [9]; this patch must be applied as well. This reverts commit dc7318b8eeda15732d4d2865fc5a7a0a68b3be15. 
[1] https://issues.apache.org/jira/browse/SSHD-348 [2] https://issues.apache.org/jira/browse/SSHD-330 [3] https://git-wip-us.apache.org/repos/asf?p=mina-sshd.git;a=commit;\ h=2aed686bdb21681a421033c6ee5997e5cd8a9a83 [4] https://issues.apache.org/jira/browse/SSHD-356 [5] https://github.com/apache/mina-sshd/pull/7 [6] https://git-wip-us.apache.org/repos/asf?p=mina-sshd.git;a=commit;\ h=cc7162acf7ca89561ca57a9c68de735f17bf168b [7] https://issues.apache.org/jira/browse/SSHD-254 [8] https://git-wip-us.apache.org/repos/asf?p=mina-sshd.git;a=commit;\ h=28a8ae258b08c6b41ab64ac25f2331168dc0415a [9] https://gerrit-review.googlesource.com/51516 Change-Id: I889fb02c2cb1aa5df2cf8dcabace086f5094a914 --- Documentation/config-gerrit.txt | 8 ----- .../com/google/gerrit/pgm/libraries.config | 12 +++---- .../server/contact/EncryptedContactStore.java | 15 +++----- .../com/google/gerrit/sshd/SshDaemon.java | 35 +++---------------- lib/bouncycastle/BUCK | 8 ++--- lib/mina/BUCK | 9 ++--- 6 files changed, 24 insertions(+), 63 deletions(-) diff --git a/Documentation/config-gerrit.txt b/Documentation/config-gerrit.txt index dcc3df3682..95d5283e3f 100644 --- a/Documentation/config-gerrit.txt +++ b/Documentation/config-gerrit.txt @@ -2696,14 +2696,6 @@ namespace. To alias `replication start` to `gerrit replicate`: [[sshd]] === Section sshd -[[sshd.backend]]sshd.backend:: -+ -Starting from version 0.9.0 Apache SSHD project added support for NIO2 -IoSession. To use the new NIO2 session the `backend` option must be set -to `NIO2`. -+ -By default, `MINA`. - [[sshd.listenAddress]]sshd.listenAddress:: + Specifies the local addresses the internal SSHD should listen diff --git a/gerrit-pgm/src/main/resources/com/google/gerrit/pgm/libraries.config b/gerrit-pgm/src/main/resources/com/google/gerrit/pgm/libraries.config index 16bceeeb51..b5e702f3d4 100644 --- a/gerrit-pgm/src/main/resources/com/google/gerrit/pgm/libraries.config +++ b/gerrit-pgm/src/main/resources/com/google/gerrit/pgm/libraries.config 
@@ -15,16 +15,16 @@
 # Version should match lib/bouncycastle/BUCK
 [library "bouncyCastleProvider"]
- name = Bouncy Castle Crypto Provider v151
- url = http://www.bouncycastle.org/download/bcprov-jdk15on-151.jar
- sha1 = 9ab8afcc2842d5ef06eb775a0a2b12783b99aa80
+ name = Bouncy Castle Crypto Provider v149
+ url = http://www.bouncycastle.org/download/bcprov-jdk15on-149.jar
+ sha1 = f5155f04330459104b79923274db5060c1057b99
 remove = bcprov-.*[.]jar
 # Version should match lib/bouncycastle/BUCK
 [library "bouncyCastleSSL"]
- name = Bouncy Castle Crypto SSL v151
- url = http://www.bouncycastle.org/download/bcpkix-jdk15on-151.jar
- sha1 = 6c8c1f61bf27a09f9b1a8abc201523669bba9597
+ name = Bouncy Castle Crypto SSL v149
+ url = http://www.bouncycastle.org/download/bcpkix-jdk15on-149.jar
+ sha1 = 924cc7ad2f589630c97b918f044296ebf1bb6855
 needs = bouncyCastleProvider
 remove = bcpkix-.*[.]jar
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/contact/EncryptedContactStore.java b/gerrit-server/src/main/java/com/google/gerrit/server/contact/EncryptedContactStore.java
index d82180deaf..8c1fdb6b79 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/contact/EncryptedContactStore.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/contact/EncryptedContactStore.java
@@ -38,9 +38,6 @@ import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
 import org.bouncycastle.openpgp.PGPUtil;
-import org.bouncycastle.openpgp.bc.BcPGPPublicKeyRingCollection;
-import org.bouncycastle.openpgp.operator.bc.BcPGPDataEncryptorBuilder;
-import org.bouncycastle.openpgp.operator.bc.BcPublicKeyKeyEncryptionMethodGenerator;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
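Review bot: In libraries.config the two new `url` lines still fetch the Bouncy Castle jars over plain `http://`, so the pinned `sha1` is the only integrity control on a crypto-provider download, and SHA-1 is a weak basis for that. If the host serves the same paths over TLS (not verifiable from this diff), prefer `url = https://www.bouncycastle.org/download/bcprov-jdk15on-149.jar` and the matching bcpkix line. Because this moves a crypto library backwards from v151 to v149, apparently only to suit the SSHD downgrade, a comment above each stanza such as `# Held at 1.49 for SSHD 0.9.x; bump together with lib/mina/BUCK` would record why.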
@@ -114,7 +111,7 @@ class EncryptedContactStore implements ContactStore { private static PGPPublicKeyRingCollection readPubRing(final File pub) { try (InputStream fin = new FileInputStream(pub); InputStream in = PGPUtil.getDecoderStream(fin)) { - return new BcPGPPublicKeyRingCollection(in); + return new PGPPublicKeyRingCollection(in); } catch (IOException e) { throw new ProvisionException("Cannot read " + pub, e); } catch (PGPException e) { @@ -170,16 +167,12 @@ class EncryptedContactStore implements ContactStore { } } + @SuppressWarnings("deprecation") private final PGPEncryptedDataGenerator cpk() throws NoSuchProviderException, PGPException { - final BcPGPDataEncryptorBuilder builder = - new BcPGPDataEncryptorBuilder(PGPEncryptedData.CAST5) - .setSecureRandom(prng); PGPEncryptedDataGenerator cpk = - new PGPEncryptedDataGenerator(builder, true); - final BcPublicKeyKeyEncryptionMethodGenerator methodGenerator = - new BcPublicKeyKeyEncryptionMethodGenerator(dest); - cpk.addMethod(methodGenerator); + new PGPEncryptedDataGenerator(PGPEncryptedData.CAST5, true, prng, "BC"); + cpk.addMethod(dest); return cpk; } diff --git a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java index 92ab653c9c..ba5465573b 100644 --- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java +++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java @@ -45,7 +45,6 @@ import org.apache.sshd.common.ForwardingFilter; import org.apache.sshd.common.KeyExchange; import org.apache.sshd.common.KeyPairProvider; import org.apache.sshd.common.NamedFactory; -import org.apache.sshd.common.RequestHandler; import org.apache.sshd.common.Session; import org.apache.sshd.common.Signature; import org.apache.sshd.common.SshdSocketAddress; 
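Review bot: The restored `new PGPEncryptedDataGenerator(PGPEncryptedData.CAST5, true, prng, "BC")` call in cpk() looks the provider up by the name "BC" at run time, so it only works if the Bouncy Castle JCE provider has been registered before the first call; nothing in this hunk shows where that happens, and the removed Bc* builder appears not to have needed it. The method-wide `@SuppressWarnings("deprecation")` will also hide any further deprecated call added to cpk() later. I would put a comment above the annotation, e.g. `// Deprecated provider-name API kept for Bouncy Castle 1.49; needs the "BC" provider registered. Revisit on upgrade.` CAST5 is unchanged by this commit, but it is a 64-bit-block cipher and worth tracking separately.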
@@ -68,11 +67,10 @@ import org.apache.sshd.common.forward.TcpipServerChannel;
 import org.apache.sshd.common.future.CloseFuture;
 import org.apache.sshd.common.future.SshFutureListener;
 import org.apache.sshd.common.io.IoAcceptor;
-import org.apache.sshd.common.io.IoServiceFactoryFactory;
+import org.apache.sshd.common.io.IoServiceFactory;
 import org.apache.sshd.common.io.IoSession;
-import org.apache.sshd.common.io.mina.MinaServiceFactoryFactory;
+import org.apache.sshd.common.io.mina.MinaServiceFactory;
 import org.apache.sshd.common.io.mina.MinaSession;
-import org.apache.sshd.common.io.nio2.Nio2ServiceFactoryFactory;
 import org.apache.sshd.common.mac.HMACMD5;
 import org.apache.sshd.common.mac.HMACMD596;
 import org.apache.sshd.common.mac.HMACSHA1;
@@ -81,7 +79,6 @@ import org.apache.sshd.common.random.BouncyCastleRandom;
 import org.apache.sshd.common.random.JceRandom;
 import org.apache.sshd.common.random.SingletonRandomFactory;
 import org.apache.sshd.common.session.AbstractSession;
-import org.apache.sshd.common.session.ConnectionService;
 import org.apache.sshd.common.signature.SignatureDSA;
 import org.apache.sshd.common.signature.SignatureRSA;
 import org.apache.sshd.common.util.Buffer;
@@ -94,10 +91,6 @@ import org.apache.sshd.server.auth.UserAuthPublicKey;
 import org.apache.sshd.server.auth.gss.GSSAuthenticator;
 import org.apache.sshd.server.auth.gss.UserAuthGSS;
 import org.apache.sshd.server.channel.ChannelSession;
-import org.apache.sshd.server.global.CancelTcpipForwardHandler;
-import org.apache.sshd.server.global.KeepAliveHandler;
-import org.apache.sshd.server.global.NoMoreSessionsHandler;
-import org.apache.sshd.server.global.TcpipForwardHandler;
 import org.apache.sshd.server.kex.DHG1;
 import org.apache.sshd.server.kex.DHG14;
 import org.apache.sshd.server.session.SessionFactory;
@@ -200,13 +193,8 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener { final String kerberosPrincipal = cfg.getString( "sshd", null, "kerberosPrincipal"); - SshSessionBackend backend = cfg.getEnum( - "sshd", null, "backend", SshSessionBackend.MINA); - - System.setProperty(IoServiceFactoryFactory.class.getName(), - backend == SshSessionBackend.MINA - ? MinaServiceFactoryFactory.class.getName() - : Nio2ServiceFactoryFactory.class.getName()); + System.setProperty(IoServiceFactory.class.getName(), + MinaServiceFactory.class.getName()); if (SecurityUtils.isBouncyCastleRegistered()) { initProviderBouncyCastle(); @@ -263,12 +251,6 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener { return new GerritServerSession(server, ioSession); } }); - setGlobalRequestHandlers(Arrays.> asList( - new KeepAliveHandler(), - new NoMoreSessionsHandler(), - new TcpipForwardHandler(), - new CancelTcpipForwardHandler() - )); hostKeys = computeHostKeys(); } @@ -318,10 +300,8 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener { public synchronized void stop() { if (acceptor != null) { try { - acceptor.close(true).await(); + acceptor.dispose(); log.info("Stopped Gerrit SSHD"); - } catch (InterruptedException e) { - log.warn("Exception caught while closing", e); } finally { acceptor = null; } @@ -607,11 +587,6 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener { @Override public SshFile getFile(String file) { return null; - } - - @Override - public FileSystemView getNormalizedView() { - return null; }}; } }); diff --git a/lib/bouncycastle/BUCK b/lib/bouncycastle/BUCK index d1ec48de1b..99f960e81c 100644 --- a/lib/bouncycastle/BUCK +++ b/lib/bouncycastle/BUCK 
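Review bot: After the `@@ -200,13 +193,8 @@` hunk the SshDaemon constructor no longer reads `sshd.backend`, so a site that still has `backend = NIO2` in its config silently runs on MINA with no trace in the log. A short warning next to the `System.setProperty(...)` call would make that visible: `if (cfg.getString("sshd", null, "backend") != null) log.warn("sshd.backend is ignored; only the MINA backend is available");`. The property is also set JVM-wide, which deserves a one-line comment at the call. The constructor starts and ends outside the hunk.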
@@ -2,19 +2,19 @@ include_defs('//lib/maven.defs')
 # This version must match the version that also appears in
 # gerrit-pgm/src/main/resources/com/google/gerrit/pgm/libraries.config
-VERSION = '1.51'
+VERSION = '1.49'
 maven_jar(
 name = 'bcprov',
 id = 'org.bouncycastle:bcprov-jdk15on:' + VERSION,
- sha1 = '9ab8afcc2842d5ef06eb775a0a2b12783b99aa80',
+ sha1 = 'f5155f04330459104b79923274db5060c1057b99',
 license = 'DO_NOT_DISTRIBUTE', #'bouncycastle'
 )
 maven_jar(
 name = 'bcpg',
 id = 'org.bouncycastle:bcpg-jdk15on:' + VERSION,
- sha1 = 'b5fa4c280dfbf8bf7c260bc1e78044c7a1de5133',
+ sha1 = '081d84be5b125e1997ab0e2244d1a2276b5de76c',
 license = 'DO_NOT_DISTRIBUTE', #'bouncycastle'
 deps = [':bcprov'],
 )
@@ -22,7 +22,7 @@ maven_jar(
 maven_jar(
 name = 'bcpkix',
 id = 'org.bouncycastle:bcpkix-jdk15on:' + VERSION,
- sha1 = '6c8c1f61bf27a09f9b1a8abc201523669bba9597',
+ sha1 = '924cc7ad2f589630c97b918f044296ebf1bb6855',
 license = 'DO_NOT_DISTRIBUTE', #'bouncycastle'
 deps = [':bcprov'],
 )
diff --git a/lib/mina/BUCK b/lib/mina/BUCK
index 5c51d3a22c..ff1df5a40e 100644
--- a/lib/mina/BUCK
+++ b/lib/mina/BUCK
@@ -8,17 +8,18 @@ EXCLUDE = [
 maven_jar(
 name = 'sshd',
- id = 'org.apache.sshd:sshd-core:0.13.0',
- sha1 = 'c616c5865cc55473c6d63c6fcf46e60d382be172',
+ id = 'org.apache.sshd:sshd-core:0.9.0-4-g5967cfd',
+ sha1 = '8f4b6f7ebc54655dc7d25a77665cf51f2b1288b2',
 license = 'Apache2.0',
 deps = [':core'],
 exclude = EXCLUDE,
+ repository = GERRIT,
 )
 maven_jar(
 name = 'core',
- id = 'org.apache.mina:mina-core:2.0.8',
- sha1 = 'd6ff69fa049aeaecdf0c04cafbb1ab53b7487883',
+ id = 'org.apache.mina:mina-core:2.0.7',
+ sha1 = 'c878e2aa82de748474a624ec3933e4604e446dec',
 license = 'Apache2.0',
 exclude = EXCLUDE,
 )
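Review bot: In lib/mina/BUCK the sshd-core artifact becomes a locally built snapshot (`0.9.0-4-g5967cfd`) pulled from `repository = GERRIT`, and the file gives no hint of which source it was built from; the `sha1` pins the binary but not its provenance. Add a comment above the `maven_jar` for 'sshd', for example `# Unofficial build of the mina-sshd 0.9.x branch at 5967cfd (no 0.9.1 release yet); see Change-Id I889fb02c2cb1aa5df2cf8dcabace086f5094a914.` That lets a later reader rebuild or audit the jar rather than trusting whatever the storage location currently serves.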