Upgrade libgit2 to 1.3.0 #3962
Upgrade libgit2 to 1.3.0 #3962
Conversation
| @@ -111,6 +111,14 @@ typedef struct { | ||
| * have the SHA-256 hash of the hostkey. | ||
| */ | ||
| unsigned char hash_sha256[32]; | ||
| + | ||
| + /** | ||
| + * Hostkey itself. | ||
| + */ | ||
| + int hostkey_type; | ||
| + size_t hostkey_len; | ||
| + unsigned char hostkey[1024]; | ||
| + | ||
| } git_cert_hostkey; | ||
|
|
||
| /** | ||
| diff --git a/src/transports/ssh.c b/src/transports/ssh.c | ||
| index f4ed05bb1..ec6366a5f 100644 | ||
| index 471c3273ed..32189d0979 100644 | ||
| --- a/src/transports/ssh.c | ||
| +++ b/src/transports/ssh.c | ||
| @@ -523,6 +523,7 @@ static int _git_ssh_setup_conn( | ||
| @@ -525,6 +525,7 @@ static int _git_ssh_setup_conn( | ||
| git_credential *cred = NULL; | ||
| LIBSSH2_SESSION* session=NULL; | ||
| LIBSSH2_CHANNEL* channel=NULL; | ||
| LIBSSH2_SESSION *session=NULL; | ||
| LIBSSH2_CHANNEL *channel=NULL; | ||
| + char *host_and_port; | ||
|
|
||
| t->current_stream = NULL; | ||
|
|
||
| @@ -566,6 +567,12 @@ post_extract: | ||
|
|
||
| cert.parent.cert_type = GIT_CERT_HOSTKEY_LIBSSH2; | ||
|
|
||
| + key = libssh2_session_hostkey(session, &cert.hostkey_len, &cert.hostkey_type); | ||
| + bzero(&cert.hostkey, sizeof(cert.hostkey)); | ||
| + if (cert.hostkey_len > sizeof(cert.hostkey)) | ||
| + cert.hostkey_len = sizeof(cert.hostkey); | ||
| + memcpy(&cert.hostkey, key, cert.hostkey_len); | ||
| + | ||
| #ifdef LIBSSH2_HOSTKEY_HASH_SHA256 | ||
| key = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA256); | ||
| if (key != NULL) { |
There was a problem hiding this comment.
@StefanKarpinski This part of the patch seems to have been replaced by libgit2/libgit2@29fe5f6. I'm not sure whether it's perfectly equivalent though. x-ref #2419.
There was a problem hiding this comment.
Fun. I guess we need to make sure that the certificate_callback and ssh_knownhost_check stuff in LibGit2 still works with the new libgit2 version. The patch was required, IIRC, because the old version of libgit2 was doing several broken things:
- It was failing to pass the port number with the host, which is necessary when connecting over SSH using different ports and using the known hosts file.
- It didn't pass the actual hostkey info from the connection to the callback, which made it impossible to do hostkey verification.
It's unclear how (or if) anyone was actually using SSH hostkey checking previously.
There was a problem hiding this comment.
It looks like the first thing is still broken but the second thing got fixed but in an incompatible way because they stuck that raw_type field in there instead of just appending the hostkey data.
There was a problem hiding this comment.
Thanks. So AFAIK I kept the patch for the first thing so it should be OK. For the second one, tests added by JuliaLang/julia#39324 cover it, right? At least they pass with libgit2 1.3 and this branch.
There was a problem hiding this comment.
I don't think that tests the port part but it looks like it tests the hostkey part. I was testing by actually connecting to a host that I was proxying through to github.
There was a problem hiding this comment.
OK. I've just done this, and it seems to work!
For the record, here's what I did to forward port 22 on my machine to github.com:
sudo iptables -t nat -A PREROUTING -i wlo1 -p tcp --dport 32800 -j DNAT --to 38.140.156.5:22
sudo iptables -A FORWARD -i wlo1 -p tcp --dport 22 -d 38.140.156.5 -j ACCEPT
Then I had to go through my router as trying to connect from the same machine avoids the forwarding.
Then I installed a package via (after manually adding A.B.C.D to ~/.ssh/known_hosts with the signature for github.com):
]add ssh://git@A.B.C.D:32800/nalimilan/FreqTables.jl.git
One weird fact is that if I call git clone ssh://git@A.B.C.D:32800/nalimilan/FreqTables.jl.git, an entry for [A.B.C.D]:32800 is added to ~/.ssh/known_hosts, but that entry isn't used by ]add ... to work. I need to add the signature without the port. I guess that's expected since the same happens on Julia 1.6.
Anything I missed?
giordano
added
the
julia 💜 ❤️ 💚
|
Would it make sense to pin this to MbedTLS 2.28.0? |
|
JuliaLang/julia#42311 will not be able to succeed until we move the pin for LibGit2 to 2.28 |
|
What do we need to get this merged? |
|
Besides the fact it isn't clear to me whether the discussion above finished, we should decide whether to ship MbedTLS 2.28 in julia v1.8: if so, we must link libgit2 to that version (mbedtls breaks the ABI every time....) |
|
I do believe we want to ship MbedTLS 2.28 in julia v1.8, and because of the security vulnerabilities, we may even need to backport to 1.7 and 1.6 |
That's not going to work: since mbedtls breaks the ABI, it'll break any package depending on it, like libcurl, libgit2. |
|
I think everything is ready, we just need a confirmation by @StefanKarpinski. JuliaLang/julia#43250 bumps libgit2 in Julia and should be merged soon after this one. |
Right - but if we don't that would mean that we have an LTS with know security vulnerabilities. It appears to me that we will probably need to update that whole bunch. |
|
@nalimilan If things are good and passing tests, I suggest merging. |
|
I think we still need to pin to MbedTLS 2.28 before merging. |
|
Note that you'll first need to update mbedtls 2.28 in julia, and perhaps update all dependent packages together at the same time, otherwise nothing will work at all. |
|
I assume that all Ygg PRs need to be merged first, and then Julia 1.8-dev does a single PR to bump them all. We still need an upstream release of libssh2. Going step by step - can we merge this PR now? |
|
@giordano Could you confirm what steps we should take? |
|
The issue to watch is #4208 for libssh2. It would be preferable to have a version bump upstream, although we need to consider if we should just create a libssh2 |
|
Yes, libgit2 and libssh2 linking to the new mbedtls must all go together. |
|
OK. TBH I don't really understand the situation with libssh2: is there anything preventing us from upgrading to 1.10.0 and handling the security fix after the feature freeze? |
|
We can certainly after the freeze. It is just a crucial CVE in mbedtls, so sooner the better. |
|
@nalimilan We now have libssh2 1.10.1 merged in #4208. Updating this PR to use that version. |
Co-authored-by: Mosè Giordano <giordano@users.noreply.github.com>
|
Only one way to find out. |
* Upgrade libgit2 to 1.3.0 * Delete libgit2-continue-zlib.patch * Update libgit2-hostkey.patch * Update libgit2-hostkey.patch * Pin MbedTLS to 2.28 * Update L/LibGit2/build_tarballs.jl * Update build_tarballs.jl * Update build_tarballs.jl * Update L/LibGit2/build_tarballs.jl Co-authored-by: Mosè Giordano <giordano@users.noreply.github.com> Co-authored-by: Viral B. Shah <ViralBShah@users.noreply.github.com> Co-authored-by: Mosè Giordano <giordano@users.noreply.github.com>
Goes with JuliaLang/julia#43250.