Open Build Service

We truncated the diff of some files because they were too big. If you want to see the full diff for every file, click here.

Difference Between Revision 5 and openEuler:22.03:LTS:SP1 / apache-sshd

_service:tar_scm_kernel_repo:apache-sshd.spec Deleted

@@ -1,88 +0,0 @@
-Epoch: 1
-Name: apache-sshd
-Version: 2.9.2
-Release: 3
-Summary: Apache SSHD
-License: ASL 2.0 and ISC
-URL: http://mina.apache.org/sshd-project
-Source0: https://archive.apache.org/dist/mina/sshd/%{version}/apache-sshd-%{version}-src.tar.gz
-Patch0: 0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch
-Patch1: apache-sshd-javadoc.patch
-# https://github.com/apache/mina-sshd/commit/c20739b43aab0f7bf2ccad982a6cb37b9d5a8a0b
-Patch2: CVE-2023-35887.patch
-Patch3: CVE-2023-48795.patch
-
-BuildRequires: maven-local mvn(junit:junit) mvn(net.i2p.crypto:eddsa) mvn(org.apache.ant:ant)
-BuildRequires: mvn(org.apache:apache:pom:) mvn(org.apache.felix:maven-bundle-plugin)
-BuildRequires: mvn(org.apache.maven:maven-archiver)
-BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin)
-BuildRequires: mvn(org.apache.maven.plugins:maven-clean-plugin)
-BuildRequires: mvn(org.apache.maven.plugins:maven-dependency-plugin)
-BuildRequires: mvn(org.apache.maven.plugins:maven-remote-resources-plugin)
-BuildRequires: mvn(org.apache.maven.surefire:surefire-junit47)
-BuildRequires: mvn(org.bouncycastle:bcpg-jdk15on) mvn(org.bouncycastle:bcpkix-jdk15on)
-BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin)
-BuildRequires: mvn(org.codehaus.plexus:plexus-archiver) mvn(org.slf4j:slf4j-api)
-BuildRequires: mvn(org.slf4j:jcl-over-slf4j)
-BuildArch: noarch
-%description
-Apache SSHD is a 100% pure java library to support the SSH protocols on both
-the client and server side.
-
-%package javadoc
-Summary: API documentation for %{name}
-%description javadoc
-This package provides %{name}.
-
-%prep
-%autosetup -p1
-rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix
-%pom_remove_dep :spring-framework-bom
-%pom_remove_dep :testcontainers-bom sshd-sftp sshd-core
-%pom_disable_module assembly
-%pom_disable_module sshd-mina
-%pom_disable_module sshd-netty
-%pom_disable_module sshd-ldap
-%pom_disable_module sshd-git
-%pom_disable_module sshd-contrib
-%pom_disable_module sshd-spring-sftp
-%pom_disable_module sshd-cli
-%pom_disable_module sshd-openpgp
-%pom_remove_plugin :apache-rat-plugin
-%pom_remove_plugin :gmavenplus-plugin
-%pom_remove_plugin :maven-checkstyle-plugin
-%pom_remove_plugin :maven-enforcer-plugin
-%pom_remove_plugin :maven-pmd-plugin
-%pom_remove_plugin :animal-sniffer-maven-plugin
-%pom_remove_plugin :impsort-maven-plugin
-%pom_remove_plugin :formatter-maven-plugin . sshd-core
-%pom_xpath_inject "pom:configuration/pom:instructions" "<_nouses>true</_nouses>" .
-
-%build
-%mvn_build -f -- -Dworkspace.root.dir=$(pwd)
-
-%install
-%mvn_install
-
-%files -f .mfiles
-%doc CHANGES.md
-%license LICENSE.txt NOTICE.txt assembly/src/main/legal/licenses/jbcrypt.txt
-
-%files javadoc -f .mfiles-javadoc
-%license LICENSE.txt NOTICE.txt assembly/src/main/legal/licenses/jbcrypt.txt
-
-%changelog
-* Mon Jan 22 2024 wangkai <13474090681@163.com> - 1:2.9.2-3
-- Fix CVE-2023-48795
-
-* Thu Jan 11 2024 yaoxin <yao_xin001@hoperun.com> - 1:2.9.2-2
-- Fix CVE-2023-35887
-
-* Mon Nov 21 2022 liangqifeng <liangqifeng@ncti-gba.cn> - 1:2.9.2-1
-- Fix CVE-2022-45047
-	
-* Tue Aug 10 2021 yaoxin <yaoxin30@huawei.com> - 2.2.0-2
-- Fix CVE-2021-30129
-
-* Thu Aug 6 2020 Jeffery.Gao <gaojianxing@huawei.com> - 2.2.0-1
-- Package init

apache-sshd.spec Added

@@ -0,0 +1,83 @@
+Epoch: 1
+Name: apache-sshd
+Version: 2.9.2
+Release: 1
+Summary: Apache SSHD
+License: ASL 2.0 and ISC
+URL: http://mina.apache.org/sshd-project
+Source0: https://archive.apache.org/dist/mina/sshd/%{version}/apache-sshd-%{version}-src.tar.gz
+Patch0: 0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch
+Patch1: apache-sshd-javadoc.patch
+
+BuildRequires: maven-local mvn(junit:junit) mvn(net.i2p.crypto:eddsa) mvn(org.apache.ant:ant)
+BuildRequires: mvn(org.apache:apache:pom:) mvn(org.apache.felix:maven-bundle-plugin)
+BuildRequires: mvn(org.apache.maven:maven-archiver)
+BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin)
+BuildRequires: mvn(org.apache.maven.plugins:maven-clean-plugin)
+BuildRequires: mvn(org.apache.maven.plugins:maven-dependency-plugin)
+BuildRequires: mvn(org.apache.maven.plugins:maven-remote-resources-plugin)
+BuildRequires: mvn(org.apache.maven.surefire:surefire-junit47)
+BuildRequires: mvn(org.bouncycastle:bcpg-jdk15on) mvn(org.bouncycastle:bcpkix-jdk15on)
+BuildRequires: mvn(org.codehaus.mojo:build-helper-maven-plugin)
+BuildRequires: mvn(org.codehaus.plexus:plexus-archiver) mvn(org.slf4j:slf4j-api)
+BuildRequires: mvn(org.slf4j:jcl-over-slf4j)
+BuildRequires:		 maven
+BuildArch: noarch
+%description
+Apache SSHD is a 100% pure java library to support the SSH protocols on both
+the client and server side.
+
+%package javadoc
+Summary: API documentation for %{name}
+%description javadoc
+This package provides %{name}.
+
+%prep
+%setup -q
+%patch0 -p1
+%patch1 -p1
+rm -rf sshd-core/src/main/java/org/apache/sshd/agent/unix
+%pom_remove_dep :spring-framework-bom
+%pom_remove_dep :testcontainers-bom sshd-sftp sshd-core
+%pom_disable_module assembly
+%pom_disable_module sshd-mina
+%pom_disable_module sshd-netty
+%pom_disable_module sshd-ldap
+%pom_disable_module sshd-git
+%pom_disable_module sshd-contrib
+%pom_disable_module sshd-spring-sftp
+%pom_disable_module sshd-cli
+%pom_disable_module sshd-openpgp
+%pom_remove_plugin :apache-rat-plugin
+%pom_remove_plugin :gmavenplus-plugin
+%pom_remove_plugin :maven-checkstyle-plugin
+%pom_remove_plugin :maven-enforcer-plugin
+%pom_remove_plugin :maven-pmd-plugin
+%pom_remove_plugin :animal-sniffer-maven-plugin
+%pom_remove_plugin :impsort-maven-plugin
+%pom_remove_plugin :formatter-maven-plugin . sshd-core
+%pom_xpath_inject "pom:configuration/pom:instructions" "<_nouses>true</_nouses>" .
+
+%build
+%mvn_build -f -- -Dworkspace.root.dir=$(pwd)
+mvn clean install
+
+%install
+%mvn_install
+
+%files -f .mfiles
+%doc CHANGES.md
+%license LICENSE.txt NOTICE.txt assembly/src/main/legal/licenses/jbcrypt.txt
+
+%files javadoc -f .mfiles-javadoc
+%license LICENSE.txt NOTICE.txt assembly/src/main/legal/licenses/jbcrypt.txt
+
+%changelog
+* Mon Nov 21 2022 liangqifeng <liangqifeng@ncti-gba.cn> - 1:2.9.2-1
+- Fix CVE-2022-45047
+	
+* Tue Aug 10 2021 yaoxin <yaoxin30@huawei.com> - 2.2.0-2
+- Fix CVE-2021-30129
+
+* Thu Aug 6 2020 Jeffery.Gao <gaojianxing@huawei.com> - 2.2.0-1
+- Package init

_service:tar_scm_kernel_repo:CVE-2023-35887.patch Deleted

@@ -1,2338 +0,0 @@
-From c20739b43aab0f7bf2ccad982a6cb37b9d5a8a0b Mon Sep 17 00:00:00 2001
-From: Guillaume Nodet <gnodet@gmail.com>
-Date: Tue, 9 May 2023 15:17:26 +0200
-Subject: [PATCH] [SSHD-1234] Rooted file system can leak informations
-
----
- .../file/root/RootedDirectoryStream.java | 63 +++
- .../common/file/root/RootedFileSystem.java | 5 +
- .../file/root/RootedFileSystemProvider.java | 327 ++++++++----
- .../file/root/RootedFileSystemUtils.java | 55 ++
- .../root/RootedSecureDirectoryStream.java | 92 ++++
- .../sshd/common/file/util/BaseFileSystem.java | 23 +-
- .../apache/sshd/common/util/io/IoUtils.java | 160 +++++-
- .../root/RootedFileSystemProviderTest.java | 469 ++++++++++++++----
- .../sshd/common/util/io/IoUtilsTest.java | 48 ++
- .../util/test/CommonTestSupportUtils.java | 4 +-
- .../client/fs/SftpFileSystemProvider.java | 4 +-
- .../server/AbstractSftpSubsystemHelper.java | 101 +++-
- .../sftp/server/SftpFileSystemAccessor.java | 94 +++-
- .../sshd/sftp/server/SftpSubsystem.java | 8 +-
- .../org/apache/sshd/sftp/client/SftpTest.java | 7 +-
- .../sshd/sftp/client/SftpVersionsTest.java | 12 +-
- 16 files changed, 1203 insertions(+), 269 deletions(-)
- create mode 100644 sshd-common/src/main/java/org/apache/sshd/common/file/root/RootedDirectoryStream.java
- create mode 100644 sshd-common/src/main/java/org/apache/sshd/common/file/root/RootedFileSystemUtils.java
- create mode 100644 sshd-common/src/main/java/org/apache/sshd/common/file/root/RootedSecureDirectoryStream.java
-
-diff --git a/sshd-common/src/main/java/org/apache/sshd/common/file/root/RootedDirectoryStream.java b/sshd-common/src/main/java/org/apache/sshd/common/file/root/RootedDirectoryStream.java
-new file mode 100644
-index 000000000..dde9e748d
---- /dev/null
-+++ b/sshd-common/src/main/java/org/apache/sshd/common/file/root/RootedDirectoryStream.java
-@@ -0,0 +1,63 @@
-+/*
-+ * Licensed to the Apache Software Foundation (ASF) under one
-+ * or more contributor license agreements. See the NOTICE file
-+ * distributed with this work for additional information
-+ * regarding copyright ownership. The ASF licenses this file
-+ * to you under the Apache License, Version 2.0 (the
-+ * "License"); you may not use this file except in compliance
-+ * with the License. You may obtain a copy of the License at
-+ *
-+ * http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing,
-+ * software distributed under the License is distributed on an
-+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-+ * KIND, either express or implied. See the License for the
-+ * specific language governing permissions and limitations
-+ * under the License.
-+ */
-+package org.apache.sshd.common.file.root;
-+
-+import java.io.IOException;
-+import java.nio.file.DirectoryStream;
-+import java.nio.file.Path;
-+import java.util.Iterator;
-+
-+/**
-+ * secure directory stream proxy for a {@link RootedFileSystem}
-+ *
-+ * @author <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
-+ */
-+public class RootedDirectoryStream implements DirectoryStream<Path> {
-+ protected final RootedFileSystem rfs;
-+ protected final DirectoryStream<Path> delegate;
-+
-+ public RootedDirectoryStream(RootedFileSystem rfs, DirectoryStream<Path> delegate) {
-+ this.rfs = rfs;
-+ this.delegate = delegate;
-+ }
-+
-+ @Override
-+ public Iterator<Path> iterator() {
-+ return root(rfs, delegate.iterator());
-+ }
-+
-+ @Override
-+ public void close() throws IOException {
-+ delegate.close();
-+ }
-+
-+ protected Iterator<Path> root(RootedFileSystem rfs, Iterator<Path> iter) {
-+ return new Iterator<Path>() {
-+ @Override
-+ public boolean hasNext() {
-+ return iter.hasNext();
-+ }
-+
-+ @Override
-+ public Path next() {
-+ return rfs.provider().root(rfs, iter.next());
-+ }
-+ };
-+ }
-+}
-diff --git a/sshd-common/src/main/java/org/apache/sshd/common/file/root/RootedFileSystem.java b/sshd-common/src/main/java/org/apache/sshd/common/file/root/RootedFileSystem.java
-index 1b9a71ca1..efd0b134d 100644
---- a/sshd-common/src/main/java/org/apache/sshd/common/file/root/RootedFileSystem.java
-+++ b/sshd-common/src/main/java/org/apache/sshd/common/file/root/RootedFileSystem.java
-@@ -94,6 +94,11 @@ public Iterable<FileStore> getFileStores() {
- return rootFs.getFileStores();
- }
- 
-+ @Override
-+ protected boolean hostFsHasWindowsSeparator() {
-+ return "\\".equals(getRoot().getFileSystem().getSeparator());
-+ }
-+
- @Override
- public String toString() {
- return rootPath.toString();
-diff --git a/sshd-common/src/main/java/org/apache/sshd/common/file/root/RootedFileSystemProvider.java b/sshd-common/src/main/java/org/apache/sshd/common/file/root/RootedFileSystemProvider.java
-index 0855c7751..9922582b1 100644
---- a/sshd-common/src/main/java/org/apache/sshd/common/file/root/RootedFileSystemProvider.java
-+++ b/sshd-common/src/main/java/org/apache/sshd/common/file/root/RootedFileSystemProvider.java
-@@ -18,6 +18,7 @@
- */
- package org.apache.sshd.common.file.root;
- 
-+import java.io.FileNotFoundException;
- import java.io.IOException;
- import java.io.InputStream;
- import java.io.OutputStream;
-@@ -26,32 +27,40 @@
- import java.nio.channels.AsynchronousFileChannel;
- import java.nio.channels.FileChannel;
- import java.nio.channels.SeekableByteChannel;
-+import java.nio.file.AccessDeniedException;
- import java.nio.file.AccessMode;
-+import java.nio.file.AtomicMoveNotSupportedException;
- import java.nio.file.CopyOption;
-+import java.nio.file.DirectoryNotEmptyException;
- import java.nio.file.DirectoryStream;
-+import java.nio.file.FileAlreadyExistsException;
- import java.nio.file.FileStore;
- import java.nio.file.FileSystem;
- import java.nio.file.FileSystemAlreadyExistsException;
-+import java.nio.file.FileSystemException;
-+import java.nio.file.FileSystemLoopException;
- import java.nio.file.FileSystemNotFoundException;
- import java.nio.file.Files;
- import java.nio.file.InvalidPathException;
- import java.nio.file.LinkOption;
-+import java.nio.file.NoSuchFileException;
-+import java.nio.file.NotDirectoryException;
-+import java.nio.file.NotLinkException;
- import java.nio.file.OpenOption;
- import java.nio.file.Path;
- import java.nio.file.Paths;
- import java.nio.file.ProviderMismatchException;
-+import java.nio.file.SecureDirectoryStream;
- import java.nio.file.attribute.BasicFileAttributes;
- import java.nio.file.attribute.FileAttribute;
- import java.nio.file.attribute.FileAttributeView;
- import java.nio.file.spi.FileSystemProvider;
- import java.util.HashMap;
--import java.util.Iterator;
- import java.util.Map;
- import java.util.Objects;
- import java.util.Set;
- import java.util.concurrent.ExecutorService;
- 
--import org.apache.sshd.common.util.ValidateUtils;
- import org.apache.sshd.common.util.io.IoUtils;
- import org.slf4j.Logger;
- import org.slf4j.LoggerFactory;
-@@ -157,14 +166,22 @@ public Path getPath(URI uri) {
- public InputStream newInputStream(Path path, OpenOption... options) throws IOException {
- Path r = unroot(path);
- FileSystemProvider p = provider(r);
-- return p.newInputStream(r, options);
-+ try {
-+ return p.newInputStream(r, options);
-+ } catch (IOException ex) {
-+ throw translateIoException(ex, path);
-+ }
- }
- 
- @Override
- public OutputStream newOutputStream(Path path, OpenOption... options) throws IOException {
- Path r = unroot(path);
- FileSystemProvider p = provider(r);
-- return p.newOutputStream(r, options);
-+ try {
-+ return p.newOutputStream(r, options);
-+ } catch (IOException ex) {
-+ throw translateIoException(ex, path);
-+ }
- }
- 
- @Override
-@@ -172,7 +189,11 @@ public FileChannel newFileChannel(Path path, Set<? extends OpenOption> options,
- throws IOException {
- Path r = unroot(path);
- FileSystemProvider p = provider(r);
-- return p.newFileChannel(r, options, attrs);
-+ try {
-+ return p.newFileChannel(r, options, attrs);

_service:tar_scm_kernel_repo:CVE-2023-48795.patch Deleted

@@ -1,976 +0,0 @@
-From 6b0fd46f64bcb75eeeee31d65f10242660aad7c1 Mon Sep 17 00:00:00 2001
-From: Thomas Wolf <twolf@apache.org>
-Date: Fri, 29 Dec 2023 17:39:14 +0100
-Subject: [PATCH 1/3] GH-445: OpenSSH "strict KEX" protocol extension
-
-Origin: https://github.com/apache/mina-sshd/pull/449
-
-Implements the OpenSSH "strict KEX" protocol extension.[1] If both
-parties in a an SSH connection announce support for strict KEX in the
-initial KEX_INIT message, strict KEX is active; otherwise it isn't.
-
-With strict KEX active, there must be only KEX-related messages during
-the initial key exchange (no IGNORE or DEBUG messages are allowed), and
-the KEX_INIT message must be the first one to have been received after
-the initial version exchange. If these conditions are violated, the
-connection is terminated.
-
-Strict KEX also resets message sequence numbers to zero after each
-NEW_KEYS message sent or received.
-
-[1] https://github.com/openssh/openssh-portable/blob/master/PROTOCOL
----
- CHANGES.md | 11 ++
- docs/standards.md | 35 ++--
- docs/technical/kex.md | 15 ++
- .../common/kex/extension/KexExtensions.java | 20 ++-
- .../session/helpers/AbstractSession.java | 161 ++++++++++++++++--
- .../session/helpers/AbstractSessionTest.java | 1 +
- 6 files changed, 213 insertions(+), 30 deletions(-)
-
-diff --git a/docs/technical/kex.md b/docs/technical/kex.md
-index e5d353a92..a3f5facc1 100644
---- a/docs/technical/kex.md
-+++ b/docs/technical/kex.md
-@@ -129,3 +129,18 @@ thread is not overrun by producers and actually can finish.
- Again, "client" and "server" could also be inverted. For instance, a client uploading
- files via SFTP might have an application thread pumping data through a channel, which
- might be blocked during KEX.
-+
-+### Strict Key Exchange
-+
-+"Strict KEX" is an SSH protocol extension introduced in 2023 to harden the protocol against
-+a particular form of attack. For details, see ["Terrapin attack"](https://www.terrapin-attack.com/)
-+and [CVE-2023-48795](https://nvd.nist.gov/vuln/detail/CVE-2023-48795). The "strict KEX"
-+counter-measures are active if both peers indicate support for it at the start of the initial
-+key exchange. By default, Apache MINA sshd always supports "strict kex" and advertises it, and
-+thus it will always be active if the other party also supports it.
-+
-+If for whatever reason you want to disable using "strict KEX", this can be achieved by setting
-+a custom session factory on the `SshClient` or `SshServer`. This custom session factory would create
-+custom sessions subclassed from `ClientSessionImpl`or `ServerSessionImpl` that do not do anything
-+in method `doStrictKexProposal()` (just return the proposal unchanged).
-+
-diff --git a/sshd-common/src/main/java/org/apache/sshd/common/kex/extension/KexExtensions.java b/sshd-common/src/main/java/org/apache/sshd/common/kex/extension/KexExtensions.java
-index 9fac45c13..f275227e1 100644
---- a/sshd-common/src/main/java/org/apache/sshd/common/kex/extension/KexExtensions.java
-+++ b/sshd-common/src/main/java/org/apache/sshd/common/kex/extension/KexExtensions.java
-@@ -59,9 +59,23 @@ public final class KexExtensions {
- public static final String CLIENT_KEX_EXTENSION = "ext-info-c";
- public static final String SERVER_KEX_EXTENSION = "ext-info-s";
- 
-- @SuppressWarnings("checkstyle:Indentation")
-- public static final Predicate<String> IS_KEX_EXTENSION_SIGNAL
-- = n -> CLIENT_KEX_EXTENSION.equalsIgnoreCase(n) || SERVER_KEX_EXTENSION.equalsIgnoreCase(n);
-+ public static final Predicate<String> IS_KEX_EXTENSION_SIGNAL = //
-+ n -> CLIENT_KEX_EXTENSION.equalsIgnoreCase(n) || SERVER_KEX_EXTENSION.equalsIgnoreCase(n);
-+
-+ /**
-+ * Reminder:
-+ *
-+ * These pseudo-algorithms are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored if they are present in
-+ * subsequent SSH2_MSG_KEXINIT packets.
-+ *
-+ * Note: these values are appended to the initial proposals and removed if received before proceeding
-+ * with the standard KEX proposals negotiation.
-+ *
-+ * @see <A HREF="https://github.com/openssh/openssh-portable/blob/master/PROTOCOL">OpenSSH PROTOCOL - 1.9 transport:
-+ * strict key exchange extension</A>
-+ */
-+ public static final String STRICT_KEX_CLIENT_EXTENSION = "kex-strict-c-v00@openssh.com";
-+ public static final String STRICT_KEX_SERVER_EXTENSION = "kex-strict-s-v00@openssh.com";
- 
- /**
- * A case insensitive map of all the default known {@link KexExtensionParser} where key=the extension name
-diff --git a/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java b/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java
-index 4bdb39c4c..b05a3ab92 100644
---- a/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java
-+++ b/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java
-@@ -27,13 +27,17 @@
- import java.time.Duration;
- import java.time.Instant;
- import java.util.AbstractMap.SimpleImmutableEntry;
-+import java.util.ArrayList;
-+import java.util.Arrays;
- import java.util.Collection;
- import java.util.Collections;
- import java.util.Deque;
- import java.util.EnumMap;
-+import java.util.LinkedHashSet;
- import java.util.List;
- import java.util.Map;
- import java.util.Objects;
-+import java.util.Set;
- import java.util.concurrent.ConcurrentHashMap;
- import java.util.concurrent.ConcurrentLinkedDeque;
- import java.util.concurrent.CopyOnWriteArraySet;
-@@ -45,6 +49,7 @@
- import java.util.concurrent.atomic.AtomicReference;
- import java.util.function.LongConsumer;
- import java.util.logging.Level;
-+import java.util.stream.Collectors;
- 
- import org.apache.sshd.common.Closeable;
- import org.apache.sshd.common.Factory;
-@@ -109,6 +114,7 @@
- *
- * @author <a href="mailto:dev@mina.apache.org">Apache MINA SSHD Project</a>
- */
-+@SuppressWarnings("checkstyle:MethodCount")
- public abstract class AbstractSession extends SessionHelper {
- /**
- * Name of the property where this session is stored in the attributes of the underlying MINA session. See
-@@ -192,6 +198,22 @@ public abstract class AbstractSession extends SessionHelper {
- protected final Object decodeLock = new Object();
- protected final Object requestLock = new Object();
- 
-+ /**
-+ * "Strict KEX" is a mitigation for the "Terrapin attack". The KEX protocol is modified as follows:
-+ * <ol>
-+ * <li>During the initial (unencrypted) KEX, no extra messages not strictly necessary for KEX are allowed. The
-+ * KEX_INIT message must be the first one after the version identification, and no IGNORE or DEBUG messages are
-+ * allowed until the KEX is completed. If a party receives such a message, it terminates the connection.</li>
-+ * <li>Message sequence numbers are reset to zero after a key exchange (initial or later). When the NEW_KEYS message
-+ * has been sent, the outgoing message number is reset; after a NEW_KEYS message has been received, the incoming
-+ * message number is reset.</li>
-+ * </ol>
-+ * Strict KEX is negotiated in the original KEX proposal; it is active if and only if both parties indicate that
-+ * they support strict KEX.
-+ */
-+ protected boolean strictKex;
-+ protected long initialKexInitSequenceNumber = -1;
-+
- /**
- * The {@link KeyExchangeMessageHandler} instance also serves as lock protecting {@link #kexState} changes from DONE
- * to INIT or RUN, and from KEYS to DONE.
-@@ -550,18 +572,24 @@ protected void doHandleMessage(Buffer buffer) throws Exception {
- handleDisconnect(buffer);
- break;
- case SshConstants.SSH_MSG_IGNORE:
-+ failStrictKex(cmd);
- handleIgnore(buffer);
- break;
- case SshConstants.SSH_MSG_UNIMPLEMENTED:
-+ failStrictKex(cmd);
- handleUnimplemented(buffer);
- break;
- case SshConstants.SSH_MSG_DEBUG:
-+ // Fail after handling -- by default a message will be logged, which might be helpful.
- handleDebug(buffer);
-+ failStrictKex(cmd);
- break;
- case SshConstants.SSH_MSG_SERVICE_REQUEST:
-+ failStrictKex(cmd);
- handleServiceRequest(buffer);
- break;
- case SshConstants.SSH_MSG_SERVICE_ACCEPT:
-+ failStrictKex(cmd);
- handleServiceAccept(buffer);
- break;
- case SshConstants.SSH_MSG_KEXINIT:
-@@ -571,9 +599,11 @@ protected void doHandleMessage(Buffer buffer) throws Exception {
- handleNewKeys(cmd, buffer);
- break;
- case KexExtensions.SSH_MSG_EXT_INFO:
-+ failStrictKex(cmd);
- handleKexExtension(cmd, buffer);
- break;
- case KexExtensions.SSH_MSG_NEWCOMPRESS:
-+ failStrictKex(cmd);
- handleNewCompression(cmd, buffer);
- break;
- default:
-@@ -589,26 +619,35 @@ protected void doHandleMessage(Buffer buffer) throws Exception {
- }
- 
- handleKexMessage(cmd, buffer);
-- } else if (currentService.process(cmd, buffer)) {
-- resetIdleTimeout();
- } else {
-- /*
-- * According to https://tools.ietf.org/html/rfc4253#section-11.4
-- *
-- * An implementation MUST respond to all unrecognized messages with an SSH_MSG_UNIMPLEMENTED message
-- * in the order in which the messages were received.
-- */
-- if (log.isDebugEnabled()) {
-- log.debug("process({}) Unsupported command: {}",
-- this, SshConstants.getCommandMessageName(cmd));
-+ failStrictKex(cmd);

_service Changed