libgit2 · ethomson · Aug 31, 2023 · Apr 22, 2023 · Feb 15, 2023 · Feb 23, 2023
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -25,40 +25,40 @@ jobs:
     strategy:
       matrix:
         platform:
-        - name: "Linux (Xenial, GCC, OpenSSL)"
+        - name: "Linux (Xenial, GCC, OpenSSL, libssh2)"
           id: xenial-gcc-openssl
           container:
             name: xenial
           env:
             CC: gcc
             CMAKE_GENERATOR: Ninja
-            CMAKE_OPTIONS: -DUSE_HTTPS=OpenSSL -DREGEX_BACKEND=builtin -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=valgrind -DUSE_GSSAPI=ON -DUSE_SSH=ON -DDEBUG_STRICT_ALLOC=ON -DDEBUG_STRICT_OPEN=ON
+            CMAKE_OPTIONS: -DUSE_HTTPS=OpenSSL -DREGEX_BACKEND=builtin -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=valgrind -DUSE_GSSAPI=ON -DUSE_SSH=libssh2 -DDEBUG_STRICT_ALLOC=ON -DDEBUG_STRICT_OPEN=ON
           os: ubuntu-latest
-        - name: Linux (Xenial, GCC, mbedTLS)
+        - name: Linux (Xenial, GCC, mbedTLS, OpenSSH)
           id: xenial-gcc-mbedtls
           container:
             name: xenial
           env:
             CC: gcc
             CMAKE_GENERATOR: Ninja
-            CMAKE_OPTIONS: -DUSE_HTTPS=mbedTLS -DUSE_SHA1=HTTPS -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=valgrind -DUSE_GSSAPI=ON -DUSE_SSH=ON
+            CMAKE_OPTIONS: -DUSE_HTTPS=mbedTLS -DUSE_SHA1=HTTPS -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=valgrind -DUSE_GSSAPI=ON -DUSE_SSH=exec
           os: ubuntu-latest
-        - name: "Linux (Xenial, Clang, OpenSSL)"
+        - name: "Linux (Xenial, Clang, OpenSSL, OpenSSH)"
           id: xenial-clang-openssl
           container:
             name: xenial
           env:
             CC: clang
             CMAKE_GENERATOR: Ninja
-            CMAKE_OPTIONS: -DUSE_HTTPS=OpenSSL -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=valgrind -DUSE_GSSAPI=ON -DUSE_SSH=ON
+            CMAKE_OPTIONS: -DUSE_HTTPS=OpenSSL -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=valgrind -DUSE_GSSAPI=ON -DUSE_SSH=exec
           os: ubuntu-latest
-        - name: "Linux (Xenial, Clang, mbedTLS)"
+        - name: "Linux (Xenial, Clang, mbedTLS, libssh2)"
           id: xenial-clang-mbedtls
           container:
             name: xenial
           env:
             CC: clang
-            CMAKE_OPTIONS: -DUSE_HTTPS=mbedTLS -DUSE_SHA1=HTTPS -DREGEX_BACKEND=pcre -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=valgrind -DUSE_GSSAPI=ON -DUSE_SSH=ON
+            CMAKE_OPTIONS: -DUSE_HTTPS=mbedTLS -DUSE_SHA1=HTTPS -DREGEX_BACKEND=pcre -DDEPRECATE_HARD=ON -DUSE_LEAK_CHECKER=valgrind -DUSE_GSSAPI=ON -DUSE_SSH=libssh2
             CMAKE_GENERATOR: Ninja
           os: ubuntu-latest
         - name: "macOS"

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -30,7 +30,7 @@ option(USE_THREADS             "Use threads for parallel processing when possibl
 option(USE_NSEC                "Support nanosecond precision file mtimes and ctimes"    ON)
 
 # Backend selection
-option(USE_SSH                 "Link with libssh2 to enable SSH support"               OFF)
+option(USE_SSH                 "Enable SSH support. Can be set to a specific backend" OFF)
 option(USE_HTTPS               "Enable HTTPS support. Can be set to a specific backend" ON)
 option(USE_SHA1                "Enable SHA1. Can be set to CollisionDetection(ON)/HTTPS" ON)
 option(USE_SHA256              "Enable SHA256. Can be set to HTTPS/Builtin" ON)

diff --git a/ci/test.sh b/ci/test.sh
@@ -199,6 +199,8 @@ if [ -z "$SKIP_SSH_TESTS" ]; then
 	PubkeyAuthentication yes
 	ChallengeResponseAuthentication no
 	StrictModes no
+	HostCertificate ${SSHD_DIR}/id_rsa.pub
+	HostKey ${SSHD_DIR}/id_rsa
 	# Required here as sshd will simply close connection otherwise
 	UsePAM no
 	EOF
@@ -414,6 +416,8 @@ if [ -z "$SKIP_SSH_TESTS" ]; then
 	export GITTEST_REMOTE_SSH_PASSPHRASE=""
 	export GITTEST_REMOTE_SSH_FINGERPRINT="${SSH_FINGERPRINT}"
 
+	export GITTEST_SSH_CMD="ssh -i ${HOME}/.ssh/id_rsa -o UserKnownHostsFile=${HOME}/.ssh/known_hosts"
+
 	echo ""
 	echo "Running ssh tests"
 	echo ""
@@ -430,6 +434,8 @@ if [ -z "$SKIP_SSH_TESTS" ]; then
 	run_test ssh
 	unset GITTEST_REMOTE_URL
 
+	unset GITTEST_SSH_CMD
+
 	unset GITTEST_REMOTE_USER
 	unset GITTEST_REMOTE_SSH_KEY
 	unset GITTEST_REMOTE_SSH_PUBKEY

diff --git a/cmake/SelectSSH.cmake b/cmake/SelectSSH.cmake
@@ -1,6 +1,11 @@
-# Optional external dependency: libssh2
-if(USE_SSH)
+if(USE_SSH STREQUAL "exec")
+	set(GIT_SSH 1)
+	set(GIT_SSH_EXEC 1)
+
+	add_feature_info(SSH ON "using OpenSSH exec support")
+elseif(USE_SSH STREQUAL ON OR USE_SSH STREQUAL "libssh2")
 	find_pkglibraries(LIBSSH2 libssh2)
+
 	if(NOT LIBSSH2_FOUND)
 		find_package(LibSSH2)
 		set(LIBSSH2_INCLUDE_DIRS ${LIBSSH2_INCLUDE_DIR})
@@ -12,30 +17,28 @@ if(USE_SSH)
 	if(NOT LIBSSH2_FOUND)
 		message(FATAL_ERROR "LIBSSH2 not found. Set CMAKE_PREFIX_PATH if it is installed outside of the default search path.")
 	endif()
-endif()
 
-if(LIBSSH2_FOUND)
-	set(GIT_SSH 1)
 	list(APPEND LIBGIT2_SYSTEM_INCLUDES ${LIBSSH2_INCLUDE_DIRS})
 	list(APPEND LIBGIT2_SYSTEM_LIBS ${LIBSSH2_LIBRARIES})
 	list(APPEND LIBGIT2_PC_LIBS ${LIBSSH2_LDFLAGS})
 
 	check_library_exists("${LIBSSH2_LIBRARIES}" libssh2_userauth_publickey_frommemory "${LIBSSH2_LIBRARY_DIRS}" HAVE_LIBSSH2_MEMORY_CREDENTIALS)
 	if(HAVE_LIBSSH2_MEMORY_CREDENTIALS)
-		set(GIT_SSH_MEMORY_CREDENTIALS 1)
+		set(GIT_SSH_LIBSSH2_MEMORY_CREDENTIALS 1)
 	endif()
-else()
-	message(STATUS "LIBSSH2 not found. Set CMAKE_PREFIX_PATH if it is installed outside of the default search path.")
-endif()
 
-if(WIN32 AND EMBED_SSH_PATH)
-	file(GLOB SSH_SRC "${EMBED_SSH_PATH}/src/*.c")
-	list(SORT SSH_SRC)
-	list(APPEND LIBGIT2_DEPENDENCY_OBJECTS ${SSH_SRC})
+	if(WIN32 AND EMBED_SSH_PATH)
+		file(GLOB SSH_SRC "${EMBED_SSH_PATH}/src/*.c")
+		list(SORT SSH_SRC)
+		list(APPEND LIBGIT2_DEPENDENCY_OBJECTS ${SSH_SRC})
+
+		list(APPEND LIBGIT2_DEPENDENCY_INCLUDES "${EMBED_SSH_PATH}/include")
+		file(WRITE "${EMBED_SSH_PATH}/src/libssh2_config.h" "#define HAVE_WINCNG\n#define LIBSSH2_WINCNG\n#include \"../win32/libssh2_config.h\"")
+	endif()
 
-	list(APPEND LIBGIT2_DEPENDENCY_INCLUDES "${EMBED_SSH_PATH}/include")
-	file(WRITE "${EMBED_SSH_PATH}/src/libssh2_config.h" "#define HAVE_WINCNG\n#define LIBSSH2_WINCNG\n#include \"../win32/libssh2_config.h\"")
 	set(GIT_SSH 1)
+	set(GIT_SSH_LIBSSH2 1)
+	add_feature_info(SSH ON "using libssh2")
+else()
+	add_feature_info(SSH OFF "SSH transport support")
 endif()
-
-add_feature_info(SSH GIT_SSH "SSH transport support")
diff --git a/script/valgrind.sh b/script/valgrind.sh
@@ -1,2 +1,2 @@
 #!/bin/bash
-exec valgrind --leak-check=full --show-reachable=yes --error-exitcode=125 --num-callers=50 --suppressions="$(dirname "${BASH_SOURCE[0]}")/valgrind.supp" "$@"
+exec valgrind --leak-check=full --show-reachable=yes --child-silent-after-fork=yes --error-exitcode=125 --num-callers=50 --suppressions="$(dirname "${BASH_SOURCE[0]}")/valgrind.supp" "$@"
diff --git a/src/libgit2/libgit2.c b/src/libgit2/libgit2.c
@@ -34,7 +34,7 @@
 #include "streams/socket.h"
 #include "transports/smart.h"
 #include "transports/http.h"
-#include "transports/ssh.h"
+#include "transports/ssh_libssh2.h"
 
 #ifdef GIT_WIN32
 # include "win32/w32_leakcheck.h"
@@ -80,7 +80,7 @@ int git_libgit2_init(void)
 		git_sysdir_global_init,
 		git_filter_global_init,
 		git_merge_driver_global_init,
-		git_transport_ssh_global_init,
+		git_transport_ssh_libssh2_global_init,
 		git_stream_registry_global_init,
 		git_socket_stream_global_init,
 		git_openssl_stream_global_init,
@@ -126,10 +126,10 @@ int git_libgit2_features(void)
 #ifdef GIT_HTTPS
 		| GIT_FEATURE_HTTPS
 #endif
-#if defined(GIT_SSH)
+#ifdef GIT_SSH
 		| GIT_FEATURE_SSH
 #endif
-#if defined(GIT_USE_NSEC)
+#ifdef GIT_USE_NSEC
 		| GIT_FEATURE_NSEC
 #endif
 	;

diff --git a/src/libgit2/transport.c b/src/libgit2/transport.c
@@ -22,6 +22,7 @@ typedef struct transport_definition {
 
 static git_smart_subtransport_definition http_subtransport_definition = { git_smart_subtransport_http, 1, NULL };
 static git_smart_subtransport_definition git_subtransport_definition = { git_smart_subtransport_git, 0, NULL };
+
 #ifdef GIT_SSH
 static git_smart_subtransport_definition ssh_subtransport_definition = { git_smart_subtransport_ssh, 0, NULL };
 #endif
@@ -33,11 +34,13 @@ static transport_definition transports[] = {
 	{ "http://",  git_transport_smart, &http_subtransport_definition },
 	{ "https://", git_transport_smart, &http_subtransport_definition },
 	{ "file://",  git_transport_local, NULL },
+
 #ifdef GIT_SSH
 	{ "ssh://",   git_transport_smart, &ssh_subtransport_definition },
 	{ "ssh+git://",   git_transport_smart, &ssh_subtransport_definition },
 	{ "git+ssh://",   git_transport_smart, &ssh_subtransport_definition },
 #endif
+
 	{ NULL, 0, 0 }
 };
 

diff --git a/src/libgit2/transports/credential.c b/src/libgit2/transports/credential.c
@@ -204,7 +204,7 @@ int git_credential_ssh_key_memory_new(
 	const char *privatekey,
 	const char *passphrase)
 {
-#ifdef GIT_SSH_MEMORY_CREDENTIALS
+#ifdef GIT_SSH_LIBSSH2_MEMORY_CREDENTIALS
 	return git_credential_ssh_key_type_new(
 		cred,
 		username,

diff --git a/src/libgit2/transports/smart.c b/src/libgit2/transports/smart.c
@@ -370,17 +370,27 @@ static int git_smart__close(git_transport *transport)
 	git_vector *common = &t->common;
 	unsigned int i;
 	git_pkt *p;
+	git_smart_service_t service;
 	int ret;
 	git_smart_subtransport_stream *stream;
 	const char flush[] = "0000";
 
+	if (t->direction == GIT_DIRECTION_FETCH) {
+		service = GIT_SERVICE_UPLOADPACK;
+	} else if (t->direction == GIT_DIRECTION_PUSH) {
+		service = GIT_SERVICE_RECEIVEPACK;
+	} else {
+		git_error_set(GIT_ERROR_NET, "invalid direction");
+		return -1;
+	}
+
 	/*
 	 * If we're still connected at this point and not using RPC,
 	 * we should say goodbye by sending a flush, or git-daemon
 	 * will complain that we disconnected unexpectedly.
 	 */
 	if (t->connected && !t->rpc &&
-	    !t->wrapped->action(&stream, t->wrapped, t->url, GIT_SERVICE_UPLOADPACK)) {
+	    !t->wrapped->action(&stream, t->wrapped, t->url, service)) {
 		t->current_stream->write(t->current_stream, flush, 4);
 	}
 
@@ -513,7 +523,6 @@ int git_transport_smart(git_transport **out, git_remote *owner, void *param)
 	    definition->callback(&t->wrapped, &t->parent, definition->param) < 0) {
 		git_vector_free(&t->refs);
 		git_vector_free(&t->heads);
-		t->wrapped->free(t->wrapped);
 		git__free(t);
 		return -1;
 	}

diff --git a/src/libgit2/transports/smart_protocol.c b/src/libgit2/transports/smart_protocol.c
@@ -59,7 +59,7 @@ int git_smart__store_refs(transport_smart *t, int flushes)
 				return recvd;
 
 			if (recvd == 0) {
-				git_error_set(GIT_ERROR_NET, "early EOF");
+				git_error_set(GIT_ERROR_NET, "could not read refs from remote repository");
 				return GIT_EEOF;
 			}
 
@@ -285,7 +285,7 @@ static int recv_pkt(
 		if ((ret = git_smart__recv(t)) < 0) {
 			return ret;
 		} else if (ret == 0) {
-			git_error_set(GIT_ERROR_NET, "early EOF");
+			git_error_set(GIT_ERROR_NET, "could not read from remote repository");
 			return GIT_EEOF;
 		}
 	} while (error);
@@ -940,7 +940,7 @@ static int parse_report(transport_smart *transport, git_push *push)
 			}
 
 			if (recvd == 0) {
-				git_error_set(GIT_ERROR_NET, "early EOF");
+				git_error_set(GIT_ERROR_NET, "could not read report from remote repository");
 				error = GIT_EEOF;
 				goto done;
 			}