* Wrap IllegalArgumentException thrown by Base64 decoder
Some time ago, there had been `net.schmizz.sshj.common.Base64`. This class used to throw `IOException` in case of any problem. Although `IOException` isn't an appropriate class for indicating on parsing issues, a lot of code has been expecting `IOException` from Base64.
Once, the old Base64 decoder was replaced with the one, bundled into Java 14 (see f35c2bd4ce). Copy-paste elimination and switching to standard implementations is undoubtedly a good decision.
Unfortunately, `java.util.Base64.Decoder` brought a pesky issue. It throws `IllegalArgumentException` in case of any problem. Since it is an unchecked exception, it was quite challenging to notice it. It's especially challenging because the error appears during processing malformed base64 strings. So, a lot of places in the code kept expecting `IOException`. Sudden `IllegalArgumentException` led to authentication termination in cases where everything used to work perfectly.
One of such issues is already found and fixed: 03f8b2224d
This commit represents a work, based on revising every change made in f35c2bd4ce. It should fix all other similar issues.
* squash! Wrap IllegalArgumentException thrown by Base64 decoder
Rename Base64DecodeError -> Base64DecodingException
* squash! Wrap IllegalArgumentException thrown by Base64 decoder
A better warning message in KnownHostMatchers
* squash! Wrap IllegalArgumentException thrown by Base64 decoder
A better error message in OpenSSHKeyFileUtil
* squash! Wrap IllegalArgumentException thrown by Base64 decoder
A better error message in OpenSSHKeyV1KeyFile
* squash! Wrap IllegalArgumentException thrown by Base64 decoder
Get rid of unnecessary `throws IOException` in Base64Decoder
* squash! Wrap IllegalArgumentException thrown by Base64 decoder
Better error messages in OpenSSHKeyFileUtil and PuTTYKeyFile
* adds fallback to posix-rename@openssh.com extension if possible and communicates possible problems with flags to the developer
* Adds '{}' around if/else statements
* adds basic tests for file rename
* fix comments
* fixes indentation
* adds helper methods to make existing sftp rename tests more concise
* adds basic test for atomic rewrite
* adds possibility to request a specific client version (e.g. for testing purposes)
* adds testcases for SFTP rename flags fallback behaviour
* refactoring to make SFTPEngine.init(int requestedVersion) protected
---------
Co-authored-by: Florian Klemenz <florian.klemenz@fau.de>
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
* Add ChaCha20-Poly1305 Support for OpenSSH Keys
- Updated ChachaPolyCipher to support decryption without Additional Authenticated Data
* Added test for ChachaPolyCipher without AAD
* Streamlined ChachaPolyCipher.update() method
* Added DefaultSecurityProviderConfig with Bouncy Castle disabled
* Upgrade test to junit jupiter
---------
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
- Upgraded Bouncy Castle from 1.70 to 1.75
- Upgraded SLF4J from 1.7.36 to 2.0.7
- Upgraded Logback from 1.2.11 to 1.3.8
- Upgraded Apache MINA SSHD from 2.8.0 to 2.10.0
- Upgraded Grizzly HTTP Server from 2.4.4 to 3.0.1
- Upgraded Testcontainers from 1.16.2 to 1.18.3
- Refactored references and removed HttpClient dependency
- Upgraded GitHub Actions setup-java from 1 to 3
- Updated GitHub Actions to use Temurin JDK 11
- Added OpenSSL upgrade to RSA Key Tests
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
* Fix#805: Prevent CHANNEL_CLOSE to be sent between Channel.isOpen and a Transport.write call
Otherwise, a disconnect with a "packet referred to nonexistent channel" message can occur.
This particularly happens when the transport.Reader thread passes an eof from the server to the ChannelInputStream, the reading library-user thread returns, and closes the channel at the same time as the transport.Reader thread receives the subsequent CHANNEL_CLOSE from the server.
* Add integration test for #805
* Added Transport.isKeyExchangeRequired() to avoid unnecessary KEXINIT
- Updated SSHClient.onConnect() to check isKeyExchangeRequired() before calling doKex()
- Added started timestamp in ThreadNameProvider for improved tracking
* Moved KeepAliveThread State check after authentication to avoid test timing issues
Previously, AuthGssApiWithMic used params.getUsername() to create the
local client credential object. However, at least when using the native
GSS libraries (sun.security.jgss.native=true), the username would need
to be something like "user@EXAMPLE.COM", not "user", or the library is
unable to find credentials. Also, your remote username might not be your
local username.
Instead, and more simply, call the GSSManager#createCredential variant
that just uses default credentials, which should handle both of these
cases.
Tested on Windows using SSPI. I haven't tested this patch on Linux but I
have confirmed that this form of call to createCredential works as I
expect when using the native GSS/Kerberos library there too.
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
* Replaced PKCS5 parsing with PKCS8
- Moved tests for PEM-encoded PKCS1 files to PKCS8
- Removed PKCS5 Key File implementation
* Added PKCS8 test to retry password after initial failure
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
* Added SFTP file transfer resume support on both PUT and GET. Internally SFTPFileTransfer has a few sanity checks to fall back to full replacement even if the resume flag is set.
SCP file transfers have not been changed to support this at this time.
* Added JUnit tests for issue-700
* Throw SCPException when attempting to resume SCP transfers.
* Licensing
* Small bug resuming a completed file was restarting since the bytes were equal.
* Enhanced test cases to validate the expected bytes transferred for each scenario are the actual bytes transferred.
* Removed author info which was pre-filled from company IDE template
* Added "fall through" comment for switch
* Changed the API for requesting a resume from a boolean flag with some internal decisions to be a user-specified long byte offset. This is cleaner but puts the onus on the caller to know exactly what they're asking for in their circumstance, which is ultimately better for a library like sshj.
* Reverted some now-unnecessary changes to SFTPFileTransfer.Uploader.prepareFile()
* Fix gradle exclude path for test files
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
Due to a bug in logic introduced by #769, RemoteFile.ReadAheadRemoteFileInputStream started to send new read ahead requests for file parts that had already been requested.
Every call to read() asked the server to send parts of the file from the point which is already downloaded. Instead, it should have asked to send parts after the last requested part. This commit adds exactly this logic.
The bug didn't cause content corruption. It only affected performance, both on servers and on clients.
