nodegit · ianhattendorf · Feb 8, 2022 · Jan 11, 2022 · Jan 11, 2022 · Jan 14, 2022
diff --git a/.jshintrc b/.jshintrc
@@ -1,8 +1,8 @@
 {
+  "esversion": 9,
   "boss": true,
   "curly": true,
   "eqnull": true,
-  "esnext": true,
   "evil": true,
   "futurehostile": true,
   "globals": {
@@ -16,7 +16,7 @@
     "it": true
   },
   "immed": false,
-  "maxlen": 80,
+  "maxlen": 120,
   "node": true,
   "predef": [
     "Promise",

diff --git a/package.json b/package.json
@@ -58,7 +58,7 @@
     "coveralls": "^3.0.2",
     "istanbul": "^0.4.5",
     "js-beautify": "~1.5.10",
-    "jshint": "^2.9.6",
+    "jshint": "^2.10.0",
     "lcov-result-merger": "^3.1.0",
     "mocha": "^5.2.0",
     "walk": "^2.3.9"

diff --git a/test/tests/clone.js b/test/tests/clone.js
@@ -3,6 +3,9 @@ var assert = require("assert");
 var fse = require("fs-extra");
 var local = path.join.bind(path, __dirname);
 var _ = require("lodash");
+const util = require("util");
+const exec = util.promisify(require("child_process").exec);
+
 
 const generatePathWithLength = (base, length) => {
   let path = `${base}/`;
@@ -286,6 +289,62 @@ describe("Clone", function() {
     });
   });
 
+  if (process.platform === "win32") {
+    it("can clone with ssh using old agent with sha1 signing support only",
+      async function () {
+      var pageant = local("../../vendor/pageant.exe");
+      var old_pageant = local("../../vendor/pageant_sha1.exe");
+      var privateKey = local("../../vendor/private.ppk");
+      var test = this;
+      var url = "git@github.com:nodegit/test.git";
+      var opts = {
+        fetchOpts: {
+          callbacks: {
+            certificateCheck: () => 0,
+            credentials: function(url, userName) {
+              return NodeGit.Credential.sshKeyFromAgent(userName);
+            }
+          }
+        }
+      };
+
+      try {
+        await exec("taskkill /im pageant.exe /f /t");
+      } catch (e) {
+        try {
+          await exec("taskkill /im pageant_sha1.exe /f /t");
+        } catch(e) {}
+      }
+      try {
+        await exec(`powershell -command "Start-Process ${old_pageant} ${privateKey}`);
+      } catch (e) {
+        try {
+          await exec(`powershell -command "Start-Process ${pageant} ${privateKey}`);
+        } catch (e) {}
+        return assert.fail("Cannot run old pageant");
+      }
+
+      try {
+        const repo = await Clone(url, clonePath, opts);
+        test.repository = repo;
+      } catch(e) {
+        return assert.fail("Clone error: " + e.message);
+      }
+
+      try {
+        await exec("taskkill /im pageant_sha1.exe /f /t");
+      } catch(e) {}
+
+      try {
+        await exec(`powershell -command "Start-Process ${pageant} ${privateKey}`);
+      } catch (e) {
+        return assert.fail("Cannot run pageant");
+      }
+
+      return assert.ok(test.repository instanceof Repository);
+    });
+  }
+
   it("can clone with ssh", function() {
     var test = this;
     var url = "git@github.com:nodegit/test.git";

diff --git a/vendor/libssh2/docs/CMakeLists.txt b/vendor/libssh2/docs/CMakeLists.txt
@@ -193,6 +193,7 @@ set(MAN_PAGES
   libssh2_trace.3
   libssh2_trace_sethandler.3
   libssh2_userauth_authenticated.3
+  libssh2_userauth_banner.3
   libssh2_userauth_hostbased_fromfile.3
   libssh2_userauth_hostbased_fromfile_ex.3
   libssh2_userauth_keyboard_interactive.3

diff --git a/vendor/libssh2/docs/HACKING-CRYPTO b/vendor/libssh2/docs/HACKING-CRYPTO
@@ -637,6 +637,32 @@ Note: this procedure is not used if macro _libssh2_rsa_sha1_signv() is defined.
 void _libssh2_rsa_free(libssh2_rsa_ctx *rsactx);
 Releases the RSA computation context at rsactx.
 
+LIBSSH2_RSA_SHA2
+#define as 1 if the crypto library supports RSA SHA2 256/512, else 0.
+If defined as 0, the rest of this section can be omitted.
+
+int _libssh2_rsa_sha2_sign(LIBSSH2_SESSION * session,
+                           libssh2_rsa_ctx * rsactx,
+                           const unsigned char *hash,
+                           size_t hash_len,
+                           unsigned char **signature,
+                           size_t *signature_len);
+RSA signs the (hash, hashlen) SHA-2 hash bytes based on hash length and stores
+the allocated signature at (signature, signature_len).
+Signature buffer must be allocated from the given session.
+Returns 0 if OK, else -1.
+This procedure is already prototyped in crypto.h.
+Note: this procedure is not used if macro _libssh2_rsa_sha1_signv() is defined.
+
+int _libssh2_rsa_sha2_verify(libssh2_rsa_ctx * rsa,
+                             size_t hash_len,
+                             const unsigned char *sig,
+                             unsigned long sig_len,
+                             const unsigned char *m, unsigned long m_len);
+Verify (sig, sig_len) signature of (m, m_len) using an SHA-2 hash based on
+hash length and the RSA context.
+Return 0 if OK, else -1.
+This procedure is already prototyped in crypto.h.
 
 7.2) DSA
 LIBSSH2_DSA
@@ -900,3 +926,14 @@ If this is not needed, it should be defined as an empty macro.
 int _libssh2_random(unsigned char *buf, int len);
 Store len random bytes at buf.
 Returns 0 if OK, else -1.
+
+const char * _libssh2_supported_key_sign_algorithms(LIBSSH2_SESSION *session,
+                                                    unsigned char *key_method,
+                                                    size_t key_method_len);
+
+This function is for implementing key hash upgrading as defined in RFC 8332.
+
+Based on the incoming key_method value, this function will return a
+list of supported algorithms that can upgrade the original key method algorithm
+as a comma seperated list, if there is no upgrade option this function should
+return NULL.
diff --git a/vendor/libssh2/docs/Makefile.am b/vendor/libssh2/docs/Makefile.am
@@ -163,6 +163,7 @@ dist_man_MANS = \
 	libssh2_trace.3 \
 	libssh2_trace_sethandler.3 \
 	libssh2_userauth_authenticated.3 \
+	libssh2_userauth_banner.3 \
 	libssh2_userauth_hostbased_fromfile.3 \
 	libssh2_userauth_hostbased_fromfile_ex.3 \
 	libssh2_userauth_keyboard_interactive.3 \

diff --git a/vendor/libssh2/docs/libssh2_session_methods.3 b/vendor/libssh2/docs/libssh2_session_methods.3
@@ -1,4 +1,4 @@
-.TH libssh2_session_methods 3 "1 Jun 2007" "libssh2 0.15" "libssh2 manual"
+.TH libssh2_session_methods 3 "8 Nov 2021" "libssh2 1.11" "libssh2 manual"
 .SH NAME
 libssh2_session_methods - return the currently active algorithms
 .SH SYNOPSIS
@@ -8,13 +8,14 @@ const char *
 libssh2_session_methods(LIBSSH2_SESSION *session, int method_type);
 
 .SH DESCRIPTION
-\fIsession\fP - Session instance as returned by 
+\fIsession\fP - Session instance as returned by
 .BR libssh2_session_init_ex(3)
 
 \fImethod_type\fP - one of the method type constants: LIBSSH2_METHOD_KEX,
 LIBSSH2_METHOD_HOSTKEY, LIBSSH2_METHOD_CRYPT_CS, LIBSSH2_METHOD_CRYPT_SC,
 LIBSSH2_METHOD_MAC_CS, LIBSSH2_METHOD_MAC_SC, LIBSSH2_METHOD_COMP_CS,
-LIBSSH2_METHOD_COMP_SC, LIBSSH2_METHOD_LANG_CS, LIBSSH2_METHOD_LANG_SC.
+LIBSSH2_METHOD_COMP_SC, LIBSSH2_METHOD_LANG_CS, LIBSSH2_METHOD_LANG_SC,
+LIBSSH2_METHOD_SIGN_ALGO.
 
 Returns the actual method negotiated for a particular transport parameter.
 .SH RETURN VALUE

diff --git a/vendor/libssh2/docs/libssh2_userauth_banner.3 b/vendor/libssh2/docs/libssh2_userauth_banner.3
@@ -0,0 +1,30 @@
+.TH libssh2_userauth_banner 3 "1 Jun 2021" "libssh2 1.9.0" "libssh2 manual"
+.SH NAME
+libssh2_userauth_banner - get the server's userauth banner message
+.SH SYNOPSIS
+.nf
+#include <libssh2.h>
+
+int
+libssh2_userauth_banner(LIBSSH2_SESSION *session, char **banner);
+.SH DESCRIPTION
+\fIsession\fP - Session instance as returned by
+.BR libssh2_session_init_ex(3)
+
+\fIbanner\fP - Should point to a pointer that gets filled with banner message.
+
+After an authentication has been attempted, such as a
+\fBSSH_USERAUTH_NONE\fP request sent by
+.BR libssh2_userauth_list(3) ,
+this function can be called to retrieve the userauth banner sent by
+the server. If no such banner is sent, or if an authentication has not
+yet been attempted, returns LIBSSH2_ERROR_MISSING_USERAUTH_BANNER.
+.SH RETURN VALUE
+On success returns 0 and an UTF-8 NUL-terminated string is stored in the
+\fIbanner\fP. This string is internally managed by libssh2 and will be
+deallocated upon session termination.
+On failure returns
+LIBSSH2_ERROR_MISSING_USERAUTH_BANNER.
+.SH SEE ALSO
+.BR libssh2_session_init_ex(3),
+.BR libssh2_userauth_list(3)
diff --git a/vendor/libssh2/include/libssh2.h b/vendor/libssh2/include/libssh2.h
@@ -356,6 +356,7 @@ typedef struct _LIBSSH2_USERAUTH_KBDINT_RESPONSE
 #define LIBSSH2_METHOD_COMP_SC      7
 #define LIBSSH2_METHOD_LANG_CS      8
 #define LIBSSH2_METHOD_LANG_SC      9
+#define LIBSSH2_METHOD_SIGN_ALGO    10
 
 /* flags */
 #define LIBSSH2_FLAG_SIGPIPE        1
@@ -506,6 +507,8 @@ typedef struct _LIBSSH2_POLLFD {
 #define LIBSSH2_ERROR_CHANNEL_WINDOW_FULL       -47
 #define LIBSSH2_ERROR_KEYFILE_AUTH_FAILED       -48
 #define LIBSSH2_ERROR_RANDGEN                   -49
+#define LIBSSH2_ERROR_MISSING_USERAUTH_BANNER   -50
+#define LIBSSH2_ERROR_ALGO_UNSUPPORTED          -51
 
 /* this is a define to provide the old (<= 1.2.7) name */
 #define LIBSSH2_ERROR_BANNER_NONE LIBSSH2_ERROR_BANNER_RECV
@@ -614,6 +617,8 @@ LIBSSH2_API const char *libssh2_session_banner_get(LIBSSH2_SESSION *session);
 LIBSSH2_API char *libssh2_userauth_list(LIBSSH2_SESSION *session,
                                         const char *username,
                                         unsigned int username_len);
+LIBSSH2_API int libssh2_userauth_banner(LIBSSH2_SESSION *session,
+                                        char **banner);
 LIBSSH2_API int libssh2_userauth_authenticated(LIBSSH2_SESSION *session);
 
 LIBSSH2_API int

diff --git a/vendor/libssh2/src/agent.c b/vendor/libssh2/src/agent.c
@@ -94,6 +94,10 @@
 #define SSH_AGENT_CONSTRAIN_LIFETIME 1
 #define SSH_AGENT_CONSTRAIN_CONFIRM 2
 
+/* Signature request methods */
+#define SSH_AGENT_RSA_SHA2_256 2
+#define SSH_AGENT_RSA_SHA2_512 4
+
 #ifdef PF_UNIX
 static int
 agent_connect_unix(LIBSSH2_AGENT *agent)
@@ -375,6 +379,8 @@ agent_sign(LIBSSH2_SESSION *session, unsigned char **sig, size_t *sig_len,
     ssize_t method_len;
     unsigned char *s;
     int rc;
+    unsigned char *method_name;
+    uint32_t sign_flags = 0;
 
     /* Create a request to sign the data */
     if(transctx->state == agent_NB_state_init) {
@@ -391,7 +397,18 @@ agent_sign(LIBSSH2_SESSION *session, unsigned char **sig, size_t *sig_len,
         _libssh2_store_str(&s, (const char *)data, data_len);
 
         /* flags */
-        _libssh2_store_u32(&s, 0);
+        if(session->userauth_pblc_method_len > 0 &&
+            session->userauth_pblc_method) {
+            if(session->userauth_pblc_method_len == 12 &&
+                !memcmp(session->userauth_pblc_method, "rsa-sha2-512", 12)) {
+                sign_flags = SSH_AGENT_RSA_SHA2_512;
+            }
+            else if(session->userauth_pblc_method_len == 12 &&
+                !memcmp(session->userauth_pblc_method, "rsa-sha2-256", 12)) {
+                sign_flags = SSH_AGENT_RSA_SHA2_256;
+            }
+        }
+        _libssh2_store_u32(&s, sign_flags);
 
         transctx->request_len = s - transctx->request;
         transctx->send_recv_total = 0;
@@ -449,8 +466,38 @@ agent_sign(LIBSSH2_SESSION *session, unsigned char **sig, size_t *sig_len,
         rc = LIBSSH2_ERROR_AGENT_PROTOCOL;
         goto error;
     }
+
+    /* method name */
+    method_name = LIBSSH2_ALLOC(session, method_len);
+    if(!method_name) {
+        rc = LIBSSH2_ERROR_ALLOC;
+        goto error;
+    }
+    memcpy(method_name, s, method_len);
     s += method_len;
 
+    /* check to see if we match requested */
+    if((size_t)method_len == session->userauth_pblc_method_len) {
+        if(memcmp(method_name, session->userauth_pblc_method, method_len)) {
+            _libssh2_debug(session,
+                           LIBSSH2_TRACE_KEX,
+                           "Agent sign method %.*s",
+                           method_len, method_name);
+
+            rc = LIBSSH2_ERROR_ALGO_UNSUPPORTED;
+            goto error;
+        }
+    }
+    else {
+        _libssh2_debug(session,
+                       LIBSSH2_TRACE_KEX,
+                       "Agent sign method %.*s",
+                       method_len, method_name);
+
+        rc = LIBSSH2_ERROR_ALGO_UNSUPPORTED;
+        goto error;
+    }
+
     /* Read the signature */
     len -= 4;
     if(len < 0) {
@@ -479,6 +526,8 @@ agent_sign(LIBSSH2_SESSION *session, unsigned char **sig, size_t *sig_len,
     LIBSSH2_FREE(session, transctx->response);
     transctx->response = NULL;
 
+    transctx->state = agent_NB_state_init;
+
     return _libssh2_error(session, rc, "agent sign failure");
 }
 

diff --git a/vendor/libssh2/src/crypto.h b/vendor/libssh2/src/crypto.h
@@ -93,6 +93,19 @@ int _libssh2_rsa_sha1_sign(LIBSSH2_SESSION * session,
                            size_t hash_len,
                            unsigned char **signature,
                            size_t *signature_len);
+#if LIBSSH2_RSA_SHA2
+int _libssh2_rsa_sha2_sign(LIBSSH2_SESSION * session,
+                           libssh2_rsa_ctx * rsactx,
+                           const unsigned char *hash,
+                           size_t hash_len,
+                           unsigned char **signature,
+                           size_t *signature_len);
+int _libssh2_rsa_sha2_verify(libssh2_rsa_ctx * rsa,
+                             size_t hash_len,
+                             const unsigned char *sig,
+                             unsigned long sig_len,
+                             const unsigned char *m, unsigned long m_len);
+#endif
 int _libssh2_rsa_new_private_frommemory(libssh2_rsa_ctx ** rsa,
                                         LIBSSH2_SESSION * session,
                                         const char *filedata,
@@ -245,4 +258,23 @@ int _libssh2_pub_priv_keyfilememory(LIBSSH2_SESSION *session,
                                     size_t privatekeydata_len,
                                     const char *passphrase);
 
+
+/**
+ * @function _libssh2_supported_key_sign_algorithms
+ * @abstract Returns supported algorithms used for upgrading public
+ * key signing RFC 8332
+ * @discussion Based on the incoming key_method value, this function
+ * will return supported algorithms that can upgrade the key method
+ * @related _libssh2_key_sign_algorithm()
+ * @param key_method current key method, usually the default key sig method
+ * @param key_method_len length of the key method buffer
+ * @result comma seperated list of supported upgrade options per RFC 8332, if
+ * there is no upgrade option return NULL
+ */
+
+const char *
+_libssh2_supported_key_sign_algorithms(LIBSSH2_SESSION *session,
+                                       unsigned char *key_method,
+                                       size_t key_method_len);
+
 #endif /* __LIBSSH2_CRYPTO_H */