This is an archive of the discontinued Mercurial Phabricator instance.

Differential D2061

sshpeer: initial definition and implementation of new SSH protocol
ClosedPublic

Authored by indygreg on Feb 6 2018, 2:31 PM.

Details

Reviewers
durin42
Group Reviewers
hg-reviewers
Commits
rHG48a3a9283f09: sshpeer: initial definition and implementation of new SSH protocol
Summary

The existing SSH protocol has several design flaws. Future commits
will elaborate on these flaws as new features are introduced
to combat these flaws. For now, hopefully you can take me for my
word that a ground up rewrite of the SSH protocol is needed.

This commit lays the foundation for a new SSH protocol by defining
a mechanism to upgrade the SSH transport channel away from the
default (version 1) protocol to something modern (which we'll call
"version 2" for now).

This upgrade process is detailed in the internals documentation
for the wire protocol. The gist of it is the client sends a
request line preceding the "hello" command/line which basically
says "I'm requesting an upgrade: here's what I support." If the
server recognizes that line, it processes the upgrade request and
the transport channel is switched to use the new version of the
protocol. If not, it sends an empty response, which is how all
Mercurial SSH servers from the beginning of time reacted to unknown
commands. The upgrade request is effectively ignored and the client
continues to use the existing version of the protocol as if nothing
happened.

The new version of the SSH protocol is completely identical to
version 1 aside from the upgrade dance and the bytes that follow.
The immediate bytes that follow the protocol switch are defined to
be a length framed "capabilities: " line containing the remote's
advertised capabilities. In reality, this looks very similar to
what the "hello" response would look like. But it will evolve
quickly.

The methodology by which the protocol will evolve is important.

I'm not going to introduce the new protocol all at once. That would
likely lead to endless bike shedding and forward progress would
stall. Instead, I intend to tricle out new features and diversions
from the existing protocol in small, incremental changes.

To support the gradual evolution of the protocol, the on-the-wire
advertised protocol name contains an "exp" to denote "experimental"
and a 4 digit field to capture the sub-version of the protocol.
Whenever we make a BC change to the wire protocol, we can increment
this version and lock out all older clients because it will appear
as a completely different protocol version. This means we can incur
as many breaking changes as we want. We don't have to commit to
supporting any one feature or idea for a long period of time. We
can even evolve the handshake mechanism, because that is defined
as being an implementation detail of the negotiated protocol version!
Hopefully this lowers the barrier to accepting changes to the
protocol and for experimenting with "radical" ideas during its
development.

In core, sshpeer received most of the attention. We haven't even
implemented the server bits for the new protocol in core yet.
Instead, we add very primitive support to our test server, mainly
just to exercise the added code paths in sshpeer.

Diff Detail

Repository
rHG Mercurial
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

indygreg created this revision.Feb 6 2018, 2:31 PM
indygreg added a comment.Feb 6 2018, 9:52 PM

I want to emphasize that I'm not committed to any implementation detail at this point in time. I've very opened minded about alternatives and making backwards incompatible changes throughout the 4.6 release cycle.

That being said, I am trying to make forward progress on a ton of wire protocol changes. These are blocking my planned work for shallow clone this release cycle. (I don't want to deploy shallow clone on the existing wire protocol for various reasons.) So, I would prefer we fall forward and take commits even if there are open bikesheds. I'm more than happy to rework the protocol later. I just don't want my local work to be dozens of changesets ahead of what's reviewed and have to spend hours reworking my code because of a bikeshed. I'd rather commit the flawed work, fix it at the head of my local queue, and move forward. If nothing else, this approach will lead to a more feature complete protocol landing sooner. And only once it is feature complete will we all have the full perspective to bikeshed the protocol.

mercurial/help/internals/wireprotocol.txt
241–243

I chose the query string format here because I don't like reinventing wheels. However, if we wanted to make it a list of space delimited atoms (like the existing capabilities string), I'd be OK with that.

We can always change this later, since we're not locked into any BC guarantees at this juncture.

245–247

In the future, I want to advertise:

  • compression engine support
  • compression engine settings (e.g. max window size for zstandard so a server won't choose a compression level that will result in excessive memory usage for client)
  • max concurrent responses limit (in the future, the protocol will gain the ability to stream multiple responses for a single request concurrently)
joerg.sonnenberger added a subscriber: joerg.sonnenberger.Feb 7 2018, 9:52 AM
joerg.sonnenberger added inline comments.
tests/test-ssh-proto.t
396

I'm a bit concerned about the order here. I would prefer to stay with the spirit of the original SSH protocol and go with the following order instead:

  • client sends hello to the server
  • server sends its capabilities, including the supported "modern" protocol versions
  • client upgrades to the "best" version it supports and sends any additional wire capabilities it has

I don't think this changes the number of round-trips, but it slightly affects the number of commands that are "unversioned".

durin42 added a subscriber: durin42.Feb 7 2018, 5:04 PM
durin42 added inline comments.
tests/test-ssh-proto.t
396

I don't feel super-strongly. I think my bias is to let the upgrade happen prior to the hello so that we can have custom servers in the future not have to support the bad old framing. I'll land the patch as is, but we can continue discussing it a bit here or on the list if I haven't convinced you. :)

durin42 accepted this revision.Feb 7 2018, 5:04 PM
This revision is now accepted and ready to land.Feb 7 2018, 5:04 PM
Closed by commit rHG48a3a9283f09: sshpeer: initial definition and implementation of new SSH protocol (authored by indygreg). · Explain WhyFeb 7 2018, 5:41 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Diff 5301

mercurial/configitems.py

default='256K', default='256K',
) )
coreconfigitem('experimental', 'treemanifest', coreconfigitem('experimental', 'treemanifest',
default=False, default=False,
) )
coreconfigitem('experimental', 'update.atomic-file', coreconfigitem('experimental', 'update.atomic-file',
default=False, default=False,
) )
coreconfigitem('experimental', 'sshpeer.advertise-v2',
default=False,
)
coreconfigitem('extensions', '.*', coreconfigitem('extensions', '.*',
default=None, default=None,
generic=True, generic=True,
) )
coreconfigitem('extdata', '.*', coreconfigitem('extdata', '.*',
default=None, default=None,
generic=True, generic=True,
) )

mercurial/help/internals/wireprotocol.txt

s: 1\n s: 1\n
s: \n s: \n
Note that output from the ``hello`` command is terminated by a ``\n``. This is Note that output from the ``hello`` command is terminated by a ``\n``. This is
part of the response payload and not part of the wire protocol adding a newline part of the response payload and not part of the wire protocol adding a newline
after responses. In other words, the length of the response contains the after responses. In other words, the length of the response contains the
trailing ``\n``. trailing ``\n``.
Clients supporting version 2 of the SSH transport send a line beginning
with ``upgrade`` before the ``hello`` and ``between`` commands. The line
(which isn't a well-formed command line because it doesn't consist of a
single command name) serves to both communicate the client's intent to
switch to transport version 2 (transports are version 1 by default) as
well as to advertise the client's transport-level capabilities so the
server may satisfy that request immediately.
The upgrade line has the form:
upgrade <token> <transport capabilities>
That is the literal string ``upgrade`` followed by a space, followed by
a randomly generated string, followed by a space, followed by a string
denoting the client's transport capabilities.
The token can be anything. However, a random UUID is recommended. (Use
of version 4 UUIDs is recommended because version 1 UUIDs can leak the
client's MAC address.)
The transport capabilities string is a URL/percent encoded string
containing key-value pairs defining the client's transport-level
capabilities. The following capabilities are defined:
indygregAuthorUnsubmitted
Not Done

I chose the query string format here because I don't like reinventing wheels. However, if we wanted to make it a list of space delimited atoms (like the existing capabilities string), I'd be OK with that.

We can always change this later, since we're not locked into any BC guarantees at this juncture.

indygreg: I chose the //query string// format here because I don't like reinventing wheels. However, if…
proto
A comma-delimited list of transport protocol versions the client
supports. e.g. ``ssh-v2``.
indygregAuthorUnsubmitted
Not Done

In the future, I want to advertise:

  • compression engine support
  • compression engine settings (e.g. max window size for zstandard so a server won't choose a compression level that will result in excessive memory usage for client)
  • max concurrent responses limit (in the future, the protocol will gain the ability to stream multiple responses for a single request concurrently)
indygreg: In the future, I want to advertise: - compression engine support - compression engine…
If the server does not recognize the ``upgrade`` line, it should issue
an empty response and continue processing the ``hello`` and ``between``
commands. Here is an example handshake between a version 2 aware client
and a non version 2 aware server:
c: upgrade 2e82ab3f-9ce3-4b4e-8f8c-6fd1c0e9e23a proto=ssh-v2
c: hello\n
c: between\n
c: pairs 81\n
c: 0000000000000000000000000000000000000000-0000000000000000000000000000000000000000
s: 0\n
s: 324\n
s: capabilities: lookup changegroupsubset branchmap pushkey known getbundle ...\n
s: 1\n
s: \n
(The initial ``0\n`` line from the server indicates an empty response to
the unknown ``upgrade ..`` command/line.)
If the server recognizes the ``upgrade`` line and is willing to satisfy that
upgrade request, it replies to with a payload of the following form:
upgraded <token> <transport name>\n
This line is the literal string ``upgraded``, a space, the token that was
specified by the client in its ``upgrade ...`` request line, a space, and the
name of the transport protocol that was chosen by the server. The transport
name MUST match one of the names the client specified in the ``proto`` field
of its ``upgrade ...`` request line.
If a server issues an ``upgraded`` response, it MUST also read and ignore
the lines associated with the ``hello`` and ``between`` command requests
that were issued by the server. It is assumed that the negotiated transport
will respond with equivalent requested information following the transport
handshake.
All data following the ``\n`` terminating the ``upgraded`` line is the
domain of the negotiated transport. It is common for the data immediately
following to contain additional metadata about the state of the transport and
the server. However, this isn't strictly speaking part of the transport
handshake and isn't covered by this section.
Here is an example handshake between a version 2 aware client and a version
2 aware server:
c: upgrade 2e82ab3f-9ce3-4b4e-8f8c-6fd1c0e9e23a proto=ssh-v2
c: hello\n
c: between\n
c: pairs 81\n
c: 0000000000000000000000000000000000000000-0000000000000000000000000000000000000000
s: upgraded 2e82ab3f-9ce3-4b4e-8f8c-6fd1c0e9e23a ssh-v2\n
s: <additional transport specific data>
The client-issued token that is echoed in the response provides a more
resilient mechanism for differentiating *banner* output from Mercurial
output. In version 1, properly formatted banner output could get confused
for Mercurial server output. By submitting a randomly generated token
that is then present in the response, the client can look for that token
in response lines and have reasonable certainty that the line did not
originate from a *banner* message.
SSH Version 1 Transport SSH Version 1 Transport
----------------------- -----------------------
The SSH transport (version 1) is a custom text-based protocol suitable for The SSH transport (version 1) is a custom text-based protocol suitable for
use over any bi-directional stream transport. It is most commonly used with use over any bi-directional stream transport. It is most commonly used with
SSH. SSH.
A SSH transport server can be started with ``hg serve --stdio``. The stdin, A SSH transport server can be started with ``hg serve --stdio``. The stdin,
message written to ``stderr`` followed by ``\n-\n``. In addition, ``\n`` is message written to ``stderr`` followed by ``\n-\n``. In addition, ``\n`` is
written to ``stdout``. written to ``stdout``.
If the server receives an unknown command, it will send an empty ``string`` If the server receives an unknown command, it will send an empty ``string``
response. response.
The server terminates if it receives an empty command (a ``\n`` character). The server terminates if it receives an empty command (a ``\n`` character).
SSH Version 2 Transport
-----------------------
**Experimental**
Version 2 of the SSH transport behaves identically to version 1 of the SSH
transport with the exception of handshake semantics. See above for how
version 2 of the SSH transport is negotiated.
Immediately following the ``upgraded`` line signaling a switch to version
2 of the SSH protocol, the server automatically sends additional details
about the capabilities of the remote server. This has the form:
<integer length of value>\n
capabilities: ...\n
e.g.
s: upgraded 2e82ab3f-9ce3-4b4e-8f8c-6fd1c0e9e23a ssh-v2\n
s: 240\n
s: capabilities: known getbundle batch ...\n
Following capabilities advertisement, the peers communicate using version
1 of the SSH transport.
Capabilities Capabilities
============ ============
Servers advertise supported wire protocol features. This allows clients to Servers advertise supported wire protocol features. This allows clients to
probe for server features before blindly calling a command or passing a probe for server features before blindly calling a command or passing a
specific argument. specific argument.
The server's features are exposed via a *capabilities* string. This is a The server's features are exposed via a *capabilities* string. This is a

mercurial/sshpeer.py

# sshpeer.py - ssh repository proxy class for mercurial # sshpeer.py - ssh repository proxy class for mercurial
# #
# Copyright 2005, 2006 Matt Mackall <mpm@selenic.com> # Copyright 2005, 2006 Matt Mackall <mpm@selenic.com>
# #
# This software may be used and distributed according to the terms of the # This software may be used and distributed according to the terms of the
# GNU General Public License version 2 or any later version. # GNU General Public License version 2 or any later version.
from __future__ import absolute_import from __future__ import absolute_import
import re import re
import uuid
from .i18n import _ from .i18n import _
from . import ( from . import (
error, error,
pycompat, pycompat,
util, util,
wireproto, wireproto,
wireprotoserver,
) )
def _serverquote(s): def _serverquote(s):
"""quote a string for the remote shell ... which we assume is sh""" """quote a string for the remote shell ... which we assume is sh"""
if not s: if not s:
return s return s
if re.match('[a-zA-Z0-9@%_+=:,./-]*$', s): if re.match('[a-zA-Z0-9@%_+=:,./-]*$', s):
return s return s
return proc, stdin, stdout, stderr return proc, stdin, stdout, stderr
def _performhandshake(ui, stdin, stdout, stderr): def _performhandshake(ui, stdin, stdout, stderr):
def badresponse(): def badresponse():
msg = _('no suitable response from remote hg') msg = _('no suitable response from remote hg')
hint = ui.config('ui', 'ssherrorhint') hint = ui.config('ui', 'ssherrorhint')
raise error.RepoError(msg, hint=hint) raise error.RepoError(msg, hint=hint)
# The handshake consists of sending 2 wire protocol commands: # The handshake consists of sending wire protocol commands in reverse
# ``hello`` and ``between``. # order of protocol implementation and then sniffing for a response
# to one of them.
# #
# The ``hello`` command (which was introduced in Mercurial 0.9.1) # Those commands (from oldest to newest) are:
# instructs the server to advertise its capabilities.
# #
# The ``between`` command (which has existed in all Mercurial servers # ``between``
# for as long as SSH support has existed), asks for the set of revisions # Asks for the set of revisions between a pair of revisions. Command
# between a pair of revisions. # present in all Mercurial server implementations.
#
# ``hello``
# Instructs the server to advertise its capabilities. Introduced in
# Mercurial 0.9.1.
#
# ``upgrade``
# Requests upgrade from default transport protocol version 1 to
# a newer version. Introduced in Mercurial 4.6 as an experimental
# feature.
# #
# The ``between`` command is issued with a request for the null # The ``between`` command is issued with a request for the null
# range. If the remote is a Mercurial server, this request will # range. If the remote is a Mercurial server, this request will
# generate a specific response: ``1\n\n``. This represents the # generate a specific response: ``1\n\n``. This represents the
# wire protocol encoded value for ``\n``. We look for ``1\n\n`` # wire protocol encoded value for ``\n``. We look for ``1\n\n``
# in the output stream and know this is the response to ``between`` # in the output stream and know this is the response to ``between``
# and we're at the end of our handshake reply. # and we're at the end of our handshake reply.
# #
# The response to the ``hello`` command will be a line with the # The response to the ``hello`` command will be a line with the
# length of the value returned by that command followed by that # length of the value returned by that command followed by that
# value. If the server doesn't support ``hello`` (which should be # value. If the server doesn't support ``hello`` (which should be
# rare), that line will be ``0\n``. Otherwise, the value will contain # rare), that line will be ``0\n``. Otherwise, the value will contain
# RFC 822 like lines. Of these, the ``capabilities:`` line contains # RFC 822 like lines. Of these, the ``capabilities:`` line contains
# the capabilities of the server. # the capabilities of the server.
# #
# The ``upgrade`` command isn't really a command in the traditional
# sense of version 1 of the transport because it isn't using the
# proper mechanism for formatting insteads: instead, it just encodes
# arguments on the line, delimited by spaces.
#
# The ``upgrade`` line looks like ``upgrade <token> <capabilities>``.
# If the server doesn't support protocol upgrades, it will reply to
# this line with ``0\n``. Otherwise, it emits an
# ``upgraded <token> <protocol>`` line to both stdout and stderr.
# Content immediately following this line describes additional
# protocol and server state.
#
# In addition to the responses to our command requests, the server # In addition to the responses to our command requests, the server
# may emit "banner" output on stdout. SSH servers are allowed to # may emit "banner" output on stdout. SSH servers are allowed to
# print messages to stdout on login. Issuing commands on connection # print messages to stdout on login. Issuing commands on connection
# allows us to flush this banner output from the server by scanning # allows us to flush this banner output from the server by scanning
# for output to our well-known ``between`` command. Of course, if # for output to our well-known ``between`` command. Of course, if
# the banner contains ``1\n\n``, this will throw off our detection. # the banner contains ``1\n\n``, this will throw off our detection.
requestlog = ui.configbool('devel', 'debug.peer-request') requestlog = ui.configbool('devel', 'debug.peer-request')
# Generate a random token to help identify responses to version 2
# upgrade request.
token = bytes(uuid.uuid4())
upgradecaps = [
('proto', wireprotoserver.SSHV2),
]
upgradecaps = util.urlreq.urlencode(upgradecaps)
try: try:
pairsarg = '%s-%s' % ('0' * 40, '0' * 40) pairsarg = '%s-%s' % ('0' * 40, '0' * 40)
handshake = [ handshake = [
'hello\n', 'hello\n',
'between\n', 'between\n',
'pairs %d\n' % len(pairsarg), 'pairs %d\n' % len(pairsarg),
pairsarg, pairsarg,
] ]
# Request upgrade to version 2 if configured.
if ui.configbool('experimental', 'sshpeer.advertise-v2'):
ui.debug('sending upgrade request: %s %s\n' % (token, upgradecaps))
handshake.insert(0, 'upgrade %s %s\n' % (token, upgradecaps))
if requestlog: if requestlog:
ui.debug('devel-peer-request: hello\n') ui.debug('devel-peer-request: hello\n')
ui.debug('sending hello command\n') ui.debug('sending hello command\n')
if requestlog: if requestlog:
ui.debug('devel-peer-request: between\n') ui.debug('devel-peer-request: between\n')
ui.debug('devel-peer-request: pairs: %d bytes\n' % len(pairsarg)) ui.debug('devel-peer-request: pairs: %d bytes\n' % len(pairsarg))
ui.debug('sending between command\n') ui.debug('sending between command\n')
stdin.write(''.join(handshake)) stdin.write(''.join(handshake))
stdin.flush() stdin.flush()
except IOError: except IOError:
badresponse() badresponse()
# Assume version 1 of wire protocol by default.
protoname = wireprotoserver.SSHV1
reupgraded = re.compile(b'^upgraded %s (.*)$' % re.escape(token))
lines = ['', 'dummy'] lines = ['', 'dummy']
max_noise = 500 max_noise = 500
while lines[-1] and max_noise: while lines[-1] and max_noise:
try: try:
l = stdout.readline() l = stdout.readline()
_forwardoutput(ui, stderr) _forwardoutput(ui, stderr)
# Look for reply to protocol upgrade request. It has a token
# in it, so there should be no false positives.
m = reupgraded.match(l)
if m:
protoname = m.group(1)
ui.debug('protocol upgraded to %s\n' % protoname)
# If an upgrade was handled, the ``hello`` and ``between``
# requests are ignored. The next output belongs to the
# protocol, so stop scanning lines.
break
# Otherwise it could be a banner, ``0\n`` response if server
# doesn't support upgrade.
if lines[-1] == '1\n' and l == '\n': if lines[-1] == '1\n' and l == '\n':
break break
if l: if l:
ui.debug('remote: ', l) ui.debug('remote: ', l)
lines.append(l) lines.append(l)
max_noise -= 1 max_noise -= 1
except IOError: except IOError:
badresponse() badresponse()
else: else:
badresponse() badresponse()
caps = set() caps = set()
# For version 1, we should see a ``capabilities`` line in response to the
# ``hello`` command.
if protoname == wireprotoserver.SSHV1:
for l in reversed(lines): for l in reversed(lines):
# Look for response to ``hello`` command. Scan from the back so # Look for response to ``hello`` command. Scan from the back so
# we don't misinterpret banner output as the command reply. # we don't misinterpret banner output as the command reply.
if l.startswith('capabilities:'): if l.startswith('capabilities:'):
caps.update(l[:-1].split(':')[1].split()) caps.update(l[:-1].split(':')[1].split())
break break
elif protoname == wireprotoserver.SSHV2:
# We see a line with number of bytes to follow and then a value
# looking like ``capabilities: *``.
line = stdout.readline()
try:
valuelen = int(line)
except ValueError:
badresponse()
capsline = stdout.read(valuelen)
if not capsline.startswith('capabilities: '):
badresponse()
caps.update(capsline.split(':')[1].split())
# Trailing newline.
stdout.read(1)
# Error if we couldn't find a response to ``hello``. This could # Error if we couldn't find capabilities, this means:
# mean:
# #
# 1. Remote isn't a Mercurial server # 1. Remote isn't a Mercurial server
# 2. Remote is a <0.9.1 Mercurial server # 2. Remote is a <0.9.1 Mercurial server
# 3. Remote is a future Mercurial server that dropped ``hello`` # 3. Remote is a future Mercurial server that dropped ``hello``
# support. # and other attempted handshake mechanisms.
if not caps: if not caps:
badresponse() badresponse()
return caps return caps
class sshpeer(wireproto.wirepeer): class sshpeer(wireproto.wirepeer):
def __init__(self, ui, url, proc, stdin, stdout, stderr, caps): def __init__(self, ui, url, proc, stdin, stdout, stderr, caps):
"""Create a peer from an existing SSH connection. """Create a peer from an existing SSH connection.

mercurial/wireprotoserver.py

urlreq = util.urlreq urlreq = util.urlreq
HTTP_OK = 200 HTTP_OK = 200
HGTYPE = 'application/mercurial-0.1' HGTYPE = 'application/mercurial-0.1'
HGTYPE2 = 'application/mercurial-0.2' HGTYPE2 = 'application/mercurial-0.2'
HGERRTYPE = 'application/hg-error' HGERRTYPE = 'application/hg-error'
# Names of the SSH protocol implementations.
SSHV1 = 'ssh-v1'
# This is advertised over the wire. Incremental the counter at the end
# to reflect BC breakages.
SSHV2 = 'exp-ssh-v2-0001'
class abstractserverproto(object): class abstractserverproto(object):
"""abstract class that summarizes the protocol API """abstract class that summarizes the protocol API
Used as reference and documentation. Used as reference and documentation.
""" """
__metaclass__ = abc.ABCMeta __metaclass__ = abc.ABCMeta

tests/sshprotoext.py

self._sendresponse(b'') self._sendresponse(b'')
l = self._fin.readline() l = self._fin.readline()
assert l == b'between\n' assert l == b'between\n'
rsp = wireproto.dispatch(self._repo, self, b'between') rsp = wireproto.dispatch(self._repo, self, b'between')
self._handlers[rsp.__class__](self, rsp) self._handlers[rsp.__class__](self, rsp)
super(prehelloserver, self).serve_forever() super(prehelloserver, self).serve_forever()
class upgradev2server(wireprotoserver.sshserver):
"""Tests behavior for clients that issue upgrade to version 2."""
def serve_forever(self):
name = wireprotoserver.SSHV2
l = self._fin.readline()
assert l.startswith(b'upgrade ')
token, caps = l[:-1].split(b' ')[1:]
assert caps == b'proto=%s' % name
# Filter hello and between requests.
l = self._fin.readline()
assert l == b'hello\n'
l = self._fin.readline()
assert l == b'between\n'
l = self._fin.readline()
assert l == 'pairs 81\n'
self._fin.read(81)
# Send the upgrade response.
self._fout.write(b'upgraded %s %s\n' % (token, name))
servercaps = wireproto.capabilities(self._repo, self)
rsp = b'capabilities: %s' % servercaps
self._fout.write(b'%d\n' % len(rsp))
self._fout.write(rsp)
self._fout.write(b'\n')
self._fout.flush()
super(upgradev2server, self).serve_forever()
def performhandshake(orig, ui, stdin, stdout, stderr): def performhandshake(orig, ui, stdin, stdout, stderr):
"""Wrapped version of sshpeer._performhandshake to send extra commands.""" """Wrapped version of sshpeer._performhandshake to send extra commands."""
mode = ui.config(b'sshpeer', b'handshake-mode') mode = ui.config(b'sshpeer', b'handshake-mode')
if mode == b'pre-no-args': if mode == b'pre-no-args':
ui.debug(b'sending no-args command\n') ui.debug(b'sending no-args command\n')
stdin.write(b'no-args\n') stdin.write(b'no-args\n')
stdin.flush() stdin.flush()
return orig(ui, stdin, stdout, stderr) return orig(ui, stdin, stdout, stderr)
# has to be invoked with a certain form for security reasons and # has to be invoked with a certain form for security reasons and
# `dummyssh` can't just add `--config` flags to the command line. # `dummyssh` can't just add `--config` flags to the command line.
servermode = ui.environ.get(b'SSHSERVERMODE') servermode = ui.environ.get(b'SSHSERVERMODE')
if servermode == b'banner': if servermode == b'banner':
wireprotoserver.sshserver = bannerserver wireprotoserver.sshserver = bannerserver
elif servermode == b'no-hello': elif servermode == b'no-hello':
wireprotoserver.sshserver = prehelloserver wireprotoserver.sshserver = prehelloserver
elif servermode == b'upgradev2':
wireprotoserver.sshserver = upgradev2server
elif servermode: elif servermode:
raise error.ProgrammingError(b'unknown server mode: %s' % servermode) raise error.ProgrammingError(b'unknown server mode: %s' % servermode)
peermode = ui.config(b'sshpeer', b'mode') peermode = ui.config(b'sshpeer', b'mode')
if peermode == b'extra-handshake-commands': if peermode == b'extra-handshake-commands':
extensions.wrapfunction(sshpeer, '_performhandshake', performhandshake) extensions.wrapfunction(sshpeer, '_performhandshake', performhandshake)
elif peermode: elif peermode:
raise error.ProgrammingError(b'unknown peer mode: %s' % peermode) raise error.ProgrammingError(b'unknown peer mode: %s' % peermode)

tests/test-ssh-proto.t

capabilities: lookup changegroupsubset branchmap pushkey known getbundle unbundlehash batch streamreqs=generaldelta,revlogv1 $USUAL_BUNDLE2_CAPS_SERVER$ unbundle=HG10GZ,HG10BZ,HG10UN capabilities: lookup changegroupsubset branchmap pushkey known getbundle unbundlehash batch streamreqs=generaldelta,revlogv1 $USUAL_BUNDLE2_CAPS_SERVER$ unbundle=HG10GZ,HG10BZ,HG10UN
1 1
0 0
0 0
0 0
0 0
0 0
Send an upgrade request to a server that doesn't support that command
$ hg -R server serve --stdio << EOF
> upgrade 2e82ab3f-9ce3-4b4e-8f8c-6fd1c0e9e23a proto=irrelevant1%2Cirrelevant2
> hello
joerg.sonnenbergerUnsubmitted
Not Done

I'm a bit concerned about the order here. I would prefer to stay with the spirit of the original SSH protocol and go with the following order instead:

  • client sends hello to the server
  • server sends its capabilities, including the supported "modern" protocol versions
  • client upgrades to the "best" version it supports and sends any additional wire capabilities it has

I don't think this changes the number of round-trips, but it slightly affects the number of commands that are "unversioned".

joerg.sonnenberger: I'm a bit concerned about the order here. I would prefer to stay with the spirit of the…
durin42Unsubmitted
Not Done

I don't feel super-strongly. I think my bias is to let the upgrade happen prior to the hello so that we can have custom servers in the future not have to support the bad old framing. I'll land the patch as is, but we can continue discussing it a bit here or on the list if I haven't convinced you. :)

durin42: I don't feel super-strongly. I think my bias is to let the upgrade happen prior to the hello so…
> between
> pairs 81
> 0000000000000000000000000000000000000000-0000000000000000000000000000000000000000
> EOF
0
384
capabilities: lookup changegroupsubset branchmap pushkey known getbundle unbundlehash batch streamreqs=generaldelta,revlogv1 $USUAL_BUNDLE2_CAPS_SERVER$ unbundle=HG10GZ,HG10BZ,HG10UN
1
$ hg --config experimental.sshpeer.advertise-v2=true --debug debugpeer ssh://user@dummy/server
running * "*/tests/dummyssh" 'user@dummy' 'hg -R server serve --stdio' (glob)
sending upgrade request: * proto=exp-ssh-v2-0001 (glob)
devel-peer-request: hello
sending hello command
devel-peer-request: between
devel-peer-request: pairs: 81 bytes
sending between command
remote: 0
remote: 384
remote: capabilities: lookup changegroupsubset branchmap pushkey known getbundle unbundlehash batch streamreqs=generaldelta,revlogv1 $USUAL_BUNDLE2_CAPS_SERVER$ unbundle=HG10GZ,HG10BZ,HG10UN
remote: 1
url: ssh://user@dummy/server
local: no
pushable: yes
Send an upgrade request to a server that supports upgrade
$ SSHSERVERMODE=upgradev2 hg -R server serve --stdio << EOF
> upgrade this-is-some-token proto=exp-ssh-v2-0001
> hello
> between
> pairs 81
> 0000000000000000000000000000000000000000-0000000000000000000000000000000000000000
> EOF
upgraded this-is-some-token exp-ssh-v2-0001
383
capabilities: lookup changegroupsubset branchmap pushkey known getbundle unbundlehash batch streamreqs=generaldelta,revlogv1 $USUAL_BUNDLE2_CAPS_SERVER$ unbundle=HG10GZ,HG10BZ,HG10UN
$ SSHSERVERMODE=upgradev2 hg --config experimental.sshpeer.advertise-v2=true --debug debugpeer ssh://user@dummy/server
running * "*/tests/dummyssh" 'user@dummy' 'hg -R server serve --stdio' (glob)
sending upgrade request: * proto=exp-ssh-v2-0001 (glob)
devel-peer-request: hello
sending hello command
devel-peer-request: between
devel-peer-request: pairs: 81 bytes
sending between command
protocol upgraded to exp-ssh-v2-0001
url: ssh://user@dummy/server
local: no
pushable: yes
Verify the peer has capabilities
$ SSHSERVERMODE=upgradev2 hg --config experimental.sshpeer.advertise-v2=true --debug debugcapabilities ssh://user@dummy/server
running * "*/tests/dummyssh" 'user@dummy' 'hg -R server serve --stdio' (glob)
sending upgrade request: * proto=exp-ssh-v2-0001 (glob)
devel-peer-request: hello
sending hello command
devel-peer-request: between
devel-peer-request: pairs: 81 bytes
sending between command
protocol upgraded to exp-ssh-v2-0001
Main capabilities:
batch
branchmap
$USUAL_BUNDLE2_CAPS_SERVER$
changegroupsubset
getbundle
known
lookup
pushkey
streamreqs=generaldelta,revlogv1
unbundle=HG10GZ,HG10BZ,HG10UN
unbundlehash
Bundle2 capabilities:
HG20
bookmarks
changegroup
01
02
digests
md5
sha1
sha512
error
abort
unsupportedcontent
pushraced
pushkey
hgtagsfnodes
listkeys
phases
heads
pushkey
remote-changegroup
http
https