summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCarlos Martín Nieto <cmn@dwim.me>2014-04-18 17:08:10 +0200
committerCarlos Martín Nieto <cmn@dwim.me>2014-04-18 17:33:26 +0200
commitbd270b70f9f1339ac26bbf6e483b3ebf64814d50 (patch)
tree4b106e244681fe550c1a24a5f352e02636dc675f
parent28fd7206b1359b6564bad3c66382b47a8f2e3eb1 (diff)
downloadlibgit2-bd270b70f9f1339ac26bbf6e483b3ebf64814d50.tar.gz
cred: tighten username rules
The ssh-specific credentials allow the username to be missing. The idea being that the ssh transport will then use the username provided in the url, if it's available. There are two main issues with this. The credential callback already knows what username was provided by the url and needs to figure out whether it wants to ask the user for it or it can reuse it, so passing NULL as the username means the credential callback is suspicious. The username provided in the url is not in fact used by the transport. The only time it even considers it is for the user/pass credential, which asserts the existence of a username in its constructor. For the ssh-specific ones, it passes in the username stored in the credential, which is NULL. The libssh2 macro we use runs strlen() against this value (which is no different from what we would be doing ourselves), so we then crash. As the documentation doesn't suggest to leave out the username, assert the need for a username in the code, which removes this buggy behavior and removes implicit state. git_cred_has_username() becomes a blacklist of credential types that do not have a username. The only one at the moment is the 'default' one, which is meant to call up some Microsoft magic.
-rw-r--r--src/transports/cred.c51
-rw-r--r--src/transports/ssh.c13
2 files changed, 14 insertions, 50 deletions
diff --git a/src/transports/cred.c b/src/transports/cred.c
index abae70b51..460ed04a2 100644
--- a/src/transports/cred.c
+++ b/src/transports/cred.c
@@ -11,31 +11,10 @@
int git_cred_has_username(git_cred *cred)
{
- int ret = 0;
+ if (cred->credtype == GIT_CREDTYPE_DEFAULT)
+ return 0;
- switch (cred->credtype) {
- case GIT_CREDTYPE_USERPASS_PLAINTEXT: {
- git_cred_userpass_plaintext *c = (git_cred_userpass_plaintext *)cred;
- ret = !!c->username;
- break;
- }
- case GIT_CREDTYPE_SSH_KEY: {
- git_cred_ssh_key *c = (git_cred_ssh_key *)cred;
- ret = !!c->username;
- break;
- }
- case GIT_CREDTYPE_SSH_CUSTOM: {
- git_cred_ssh_custom *c = (git_cred_ssh_custom *)cred;
- ret = !!c->username;
- break;
- }
- case GIT_CREDTYPE_DEFAULT: {
- ret = 0;
- break;
- }
- }
-
- return ret;
+ return 1;
}
static void plaintext_free(struct git_cred *cred)
@@ -135,7 +114,7 @@ int git_cred_ssh_key_new(
{
git_cred_ssh_key *c;
- assert(cred && privatekey);
+ assert(username && cred && privatekey);
c = git__calloc(1, sizeof(git_cred_ssh_key));
GITERR_CHECK_ALLOC(c);
@@ -143,10 +122,8 @@ int git_cred_ssh_key_new(
c->parent.credtype = GIT_CREDTYPE_SSH_KEY;
c->parent.free = ssh_key_free;
- if (username) {
- c->username = git__strdup(username);
- GITERR_CHECK_ALLOC(c->username);
- }
+ c->username = git__strdup(username);
+ GITERR_CHECK_ALLOC(c->username);
c->privatekey = git__strdup(privatekey);
GITERR_CHECK_ALLOC(c->privatekey);
@@ -168,7 +145,7 @@ int git_cred_ssh_key_new(
int git_cred_ssh_key_from_agent(git_cred **cred, const char *username) {
git_cred_ssh_key *c;
- assert(cred);
+ assert(username && cred);
c = git__calloc(1, sizeof(git_cred_ssh_key));
GITERR_CHECK_ALLOC(c);
@@ -176,10 +153,8 @@ int git_cred_ssh_key_from_agent(git_cred **cred, const char *username) {
c->parent.credtype = GIT_CREDTYPE_SSH_KEY;
c->parent.free = ssh_key_free;
- if (username) {
- c->username = git__strdup(username);
- GITERR_CHECK_ALLOC(c->username);
- }
+ c->username = git__strdup(username);
+ GITERR_CHECK_ALLOC(c->username);
c->privatekey = NULL;
@@ -197,7 +172,7 @@ int git_cred_ssh_custom_new(
{
git_cred_ssh_custom *c;
- assert(cred);
+ assert(username && cred);
c = git__calloc(1, sizeof(git_cred_ssh_custom));
GITERR_CHECK_ALLOC(c);
@@ -205,10 +180,8 @@ int git_cred_ssh_custom_new(
c->parent.credtype = GIT_CREDTYPE_SSH_CUSTOM;
c->parent.free = ssh_custom_free;
- if (username) {
- c->username = git__strdup(username);
- GITERR_CHECK_ALLOC(c->username);
- }
+ c->username = git__strdup(username);
+ GITERR_CHECK_ALLOC(c->username);
if (publickey_len > 0) {
c->publickey = git__malloc(publickey_len);
diff --git a/src/transports/ssh.c b/src/transports/ssh.c
index bece0b45d..879af9059 100644
--- a/src/transports/ssh.c
+++ b/src/transports/ssh.c
@@ -282,7 +282,6 @@ shutdown:
static int _git_ssh_authenticate_session(
LIBSSH2_SESSION* session,
- const char *user,
git_cred* cred)
{
int rc;
@@ -291,13 +290,11 @@ static int _git_ssh_authenticate_session(
switch (cred->credtype) {
case GIT_CREDTYPE_USERPASS_PLAINTEXT: {
git_cred_userpass_plaintext *c = (git_cred_userpass_plaintext *)cred;
- user = c->username ? c->username : user;
- rc = libssh2_userauth_password(session, user, c->password);
+ rc = libssh2_userauth_password(session, c->username, c->password);
break;
}
case GIT_CREDTYPE_SSH_KEY: {
git_cred_ssh_key *c = (git_cred_ssh_key *)cred;
- user = c->username ? c->username : user;
if (c->privatekey)
rc = libssh2_userauth_publickey_fromfile(
@@ -311,7 +308,6 @@ static int _git_ssh_authenticate_session(
case GIT_CREDTYPE_SSH_CUSTOM: {
git_cred_ssh_custom *c = (git_cred_ssh_custom *)cred;
- user = c->username ? c->username : user;
rc = libssh2_userauth_publickey(
session, c->username, (const unsigned char *)c->publickey,
c->publickey_len, c->sign_callback, &c->sign_data);
@@ -415,15 +411,10 @@ static int _git_ssh_setup_conn(
}
assert(t->cred);
- if (!user && !git_cred_has_username(t->cred)) {
- giterr_set_str(GITERR_NET, "Cannot authenticate without a username");
- goto on_error;
- }
-
if (_git_ssh_session_create(&session, s->socket) < 0)
goto on_error;
- if (_git_ssh_authenticate_session(session, user, t->cred) < 0)
+ if (_git_ssh_authenticate_session(session, t->cred) < 0)
goto on_error;
channel = libssh2_channel_open_session(session);