Merge pull request #12 from pjbgf/libgit2-1.1.1-4

Author: hiddeco

hack/Makefile

@@ -24,7 +24,7 @@ BUILD_SHARED_LIBS ?= ON
 CMAKE_VERSION ?= 3.21.3
 
 # Libgit2 version to be compiled and installed.
-LIBGIT2_VERSION ?= 1.3.0
+LIBGIT2_VERSION ?= 1.1.1
 # In some scenarios libgit2 needs to be checked out to a specific commit.
 # This takes precedence over LIBGIT_VERSION if defined.
 # Ref: https://github.com/libgit2/git2go/issues/834

hack/static.sh

@@ -2,7 +2,7 @@
 
 set -euxo pipefail
 
-LIBGIT2_URL="${LIBGIT2_URL:-https://github.com/libgit2/libgit2/archive/refs/tags/v1.3.0.tar.gz}"
+LIBGIT2_URL="${LIBGIT2_URL:-https://github.com/libgit2/libgit2/archive/refs/tags/v1.1.1.tar.gz}"
 OPENSSL_URL="${OPENSSL_URL:-https://github.com/openssl/openssl/archive/refs/tags/openssl-3.0.1.tar.gz}"
 LIBSSH2_URL="${LIBSSH2_URL:-https://github.com/libssh2/libssh2/archive/refs/tags/libssh2-1.10.0.tar.gz}"
 

tests/smoketest/go.mod

@@ -2,7 +2,7 @@ module github.com/fluxcd/golang-with-libgit2/tests/sample
 
 go 1.17
 
-require github.com/libgit2/git2go/v33 v33.0.6
+require github.com/libgit2/git2go/v31 v31.7.6
 
 require (
 	github.com/Microsoft/go-winio v0.4.17 // indirect

tests/smoketest/go.sum

@@ -109,8 +109,8 @@ github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/libgit2/git2go/v33 v33.0.6 h1:F//bA3/pgSTVq2hLNahhnof9NxyCzFF/c3MB6lb93Qo=
-github.com/libgit2/git2go/v33 v33.0.6/go.mod h1:KdpqkU+6+++4oHna/MIOgx4GCQ92IPCdpVRMRI80J+4=
+github.com/libgit2/git2go/v31 v31.7.6 h1:jg/pNomrQULnafmfF6XTkozPX5ypyELoWErWkJuYPcI=
+github.com/libgit2/git2go/v31 v31.7.6/go.mod h1:c/rkJcBcUFx6wHaT++UwNpKvIsmPNqCeQ/vzO4DrEec=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=

tests/smoketest/main.go

@@ -3,11 +3,15 @@ package main
 import (
 	"C"
 	"bufio"
+	"bytes"
+	"crypto/md5"
+	"crypto/sha1"
+	"crypto/sha256"
 	"fmt"
+	"hash"
 	"io"
 	"io/ioutil"
 	"log"
-	"net"
 	"net/url"
 	"os"
 	"path/filepath"
@@ -16,7 +20,7 @@ import (
 
 	// git2go must be aligned with libgit2 version:
 	// https://github.com/libgit2/git2go#which-go-version-to-use
-	git2go "github.com/libgit2/git2go/v33"
+	git2go "github.com/libgit2/git2go/v31"
 
 	"github.com/fluxcd/pkg/gittestserver"
 	"github.com/fluxcd/pkg/ssh"
@@ -68,17 +72,21 @@ func main() {
 	if err != nil {
 		panic(fmt.Errorf("generating rsa key: %w", err))
 	}
+	privateKey := filepath.Join(testsDir, "id_rsa")
+	os.WriteFile(privateKey, rsa.PrivateKey, 0o644)
+	pubKey := filepath.Join(testsDir, "id_rsa.pub")
+	os.WriteFile(pubKey, rsa.PrivateKey, 0o644)
 
 	test("SSH clone with rsa key",
 		filepath.Join(testsDir, "/ssh-clone-rsa"),
 		sshRepoURL,
 		&git2go.CloneOptions{
 			Bare: true,
-			FetchOptions: git2go.FetchOptions{
+			FetchOptions: &git2go.FetchOptions{
 				RemoteCallbacks: git2go.RemoteCallbacks{
 					CredentialsCallback: func(url string, username string, allowedTypes git2go.CredentialType) (*git2go.Credential, error) {
-						return git2go.NewCredentialSSHKeyFromMemory("git",
-							string(rsa.PublicKey), string(rsa.PrivateKey), "")
+						return git2go.NewCredentialSSHKey("git",
+							pubKey, privateKey, "")
 					},
 					CertificateCheckCallback: knownHostsCallback(u.Host, knownHosts),
 				},
@@ -89,16 +97,21 @@ func main() {
 	if err != nil {
 		panic(fmt.Errorf("generating ed25519 key: %w", err))
 	}
+	privateKey = filepath.Join(testsDir, "id_ed25519")
+	os.WriteFile(privateKey, ed25519.PrivateKey, 0o644)
+	pubKey = filepath.Join(testsDir, "id_ed25519.pub")
+	os.WriteFile(pubKey, ed25519.PrivateKey, 0o644)
+
 	test("SSH clone with ed25519 key",
 		filepath.Join(testsDir, "/ssh-clone-ed25519"),
 		sshRepoURL,
 		&git2go.CloneOptions{
 			Bare: true,
-			FetchOptions: git2go.FetchOptions{
+			FetchOptions: &git2go.FetchOptions{
 				RemoteCallbacks: git2go.RemoteCallbacks{
 					CredentialsCallback: func(url string, username string, allowedTypes git2go.CredentialType) (*git2go.Credential, error) {
-						return git2go.NewCredentialSSHKeyFromMemory("git",
-							string(ed25519.PublicKey), string(ed25519.PrivateKey), "")
+						return git2go.NewCredentialSSHKey("git",
+							pubKey, privateKey, "")
 					},
 					CertificateCheckCallback: knownHostsCallback(u.Host, knownHosts),
 				},
@@ -150,44 +163,39 @@ func test(description, targetDir, repoURI string, cloneOptions *git2go.CloneOpti
 // the key of Git server against the given host and known_hosts for
 // git.SSH Transports.
 func knownHostsCallback(host string, knownHosts []byte) git2go.CertificateCheckCallback {
-	return func(cert *git2go.Certificate, valid bool, hostname string) error {
+	return func(cert *git2go.Certificate, valid bool, hostname string) git2go.ErrorCode {
 		if cert == nil {
-			return fmt.Errorf("no certificate returned for %s", hostname)
+			return git2go.ErrorCodeCertificate
 		}
 
 		kh, err := parseKnownHosts(string(knownHosts))
 		if err != nil {
-			return err
+			return git2go.ErrorCodeCertificate
 		}
 
 		fmt.Printf("Known keys: %d\n", len(kh))
 
-		// First, attempt to split the configured host and port to validate
-		// the port-less hostname given to the callback.
-		h, _, err := net.SplitHostPort(host)
-		if err != nil {
-			// SplitHostPort returns an error if the host is missing
-			// a port, assume the host has no port.
-			h = host
-		}
-
 		// Check if the configured host matches the hostname given to
 		// the callback.
-		if h != hostname {
-			return fmt.Errorf("host mismatch: %q %q\n", h, hostname)
+		// In libgit 1.1.* hostname also includes its with port.
+		if host != hostname {
+			fmt.Printf("host and hostname:\n%q\n%q\n",
+				host,
+				hostname)
+			return git2go.ErrorCodeUser
 		}
 
 		// We are now certain that the configured host and the hostname
 		// given to the callback match. Use the configured host (that
 		// includes the port), and normalize it, so we can check if there
 		// is an entry for the hostname _and_ port.
-		h = knownhosts.Normalize(host)
+		h := knownhosts.Normalize(host)
 		for _, k := range kh {
 			if k.matches(h, cert.Hostkey) {
-				return nil
+				return git2go.ErrorCodeOK
 			}
 		}
-		return fmt.Errorf("hostkey cannot be verified")
+		return git2go.ErrorCodeCertificate
 	}
 }
 
@@ -226,24 +234,26 @@ func parseKnownHosts(s string) ([]knownKey, error) {
 
 func (k knownKey) matches(host string, hostkey git2go.HostkeyCertificate) bool {
 	if !containsHost(k.hosts, host) {
-		fmt.Println("HOST NOT FOUND")
 		return false
 	}
 
-	if hostkey.Kind&git2go.HostkeySHA256 > 0 {
-		knownFingerprint := cryptossh.FingerprintSHA256(k.key)
-		returnedFingerprint := cryptossh.FingerprintSHA256(hostkey.SSHPublicKey)
-
-		fmt.Printf("known and found fingerprints:\n%q\n%q\n",
-			knownFingerprint,
-			returnedFingerprint)
-		if returnedFingerprint == knownFingerprint {
-			return true
-		}
+	var fingerprint []byte
+	var hasher hash.Hash
+	switch {
+	case hostkey.Kind&git2go.HostkeySHA256 > 0:
+		fingerprint = hostkey.HashSHA256[:]
+		hasher = sha256.New()
+	case hostkey.Kind&git2go.HostkeySHA1 > 0:
+		fingerprint = hostkey.HashSHA1[:]
+		hasher = sha1.New()
+	case hostkey.Kind&git2go.HostkeyMD5 > 0:
+		fingerprint = hostkey.HashMD5[:]
+		hasher = md5.New()
+	default:
+		return false
 	}
-
-	fmt.Println("host kind not supported")
-	return false
+	hasher.Write(k.key.Marshal())
+	return bytes.Equal(hasher.Sum(nil), fingerprint)
 }
 
 func containsHost(hosts []string, host string) bool {