From 4aafb529aeba2b66603e14588990e49a8fce07f2 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sun, 15 Dec 2024 17:01:47 +0100 Subject: [PATCH] gerrit: bump sshd to 2.14.0 This brings back support for wrapped hardware security token backed keys without breaking connection to it via 'incorrect signature'. Signed-off-by: Raito Bezarius --- default.nix | 4 +- gerrit/3_10.nix | 6 +- gerrit/bump-sshd-to-2_14_0.patch | 61 +++++++++++++++++++ gerrit/gerrit-cl-431977-bump-sshd.patch | 40 ------------ ...t-cl-431977-part-2-bump-bouncycastle.patch | 43 ------------- 5 files changed, 66 insertions(+), 88 deletions(-) create mode 100644 gerrit/bump-sshd-to-2_14_0.patch delete mode 100644 gerrit/gerrit-cl-431977-bump-sshd.patch delete mode 100644 gerrit/gerrit-cl-431977-part-2-bump-bouncycastle.patch diff --git a/default.nix b/default.nix index 9708029..6c6bd82 100644 --- a/default.nix +++ b/default.nix @@ -8,8 +8,8 @@ let depsHashes = { "3_10" = { - "oauth" = "sha256-LnfVTPvGDpLqAQ1QfAwFv0FA0aCg6H1WUgxVjjYTLoY="; - "metric-reporter-prometheus" = "sha256-95JXlLwyxgMPk9z/weZWCdxAabasv6hHVdPPIfFq5ks="; + "oauth" = "sha256-GukI0DN47YjRJT3WdDr+nVoj2sOJoWsmJQs4Lqhr1e8="; + "metric-reporter-prometheus" = "sha256-eKm2RJ7KO1cSh7+27iZQubkB64Sjs7+5VCXj99JKGkI="; }; "3_11" = { "oauth" = "sha256-Xx607OSqlRMr8mlkVhfXiqM9hWcJqx4dmpf+cm10uSA="; diff --git a/gerrit/3_10.nix b/gerrit/3_10.nix index 45b4a35..b10d9ff 100644 --- a/gerrit/3_10.nix +++ b/gerrit/3_10.nix @@ -38,15 +38,15 @@ in find "$dir" -name .git -print0 | xargs -0 rm -rf ''; }); - depsHash = "sha256-Pq04IfyYnEYDbvnv3P8SDp3ONPYS8r3dipV5wwRaudM="; + depsHash = "sha256-W2lbytrDZP5PqdO+cG3LZvEP2vVj8c+XA1hnptML2uc="; patches = [ ./0001-Syntax-highlight-nix.patch ./0002-Syntax-highlight-rules.pl.patch ./0003-Add-titles-to-CLs-over-HTTP.patch - ./gerrit-cl-431977-bump-sshd.patch - ./gerrit-cl-431977-part-2-bump-bouncycastle.patch + # sshd: 2.14.0 + ./bump-sshd-to-2_14_0.patch ]; nativeBuildInputs = [ 
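Review bot: Removing `./gerrit-cl-431977-part-2-bump-bouncycastle.patch` from `patches` in gerrit/3_10.nix is not mentioned in the commit message, and the replacement `./bump-sshd-to-2_14_0.patch` only touches tools/nongoogle.bzl, so nothing in this commit carries the `BC_VERS` move from 1.72 to 1.78.1 any more. Unless the Gerrit source being built already pins an equivalent or newer Bouncy Castle (not visible in this diff), the build rolls the crypto provider back while moving sshd forward. Please confirm which bcprov/bcpg/bcpkix/bcutil versions end up in the closure and that sshd 2.14.0 works against them. The new patch file name also no longer carries the upstream change reference, so I would record both next to the entry, e.g. `# sshd: 2.14.0 (upstream Change-Id Id71702e952f285678775000d21de15e3cbda09c5); Bouncy Castle bump dropped because <reason>`. The two plugin hashes in default.nix change without a stated cause, presumably because they follow the patched source, and a sentence saying so in the message would make these fixed-output hashes easier to audit.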
diff --git a/gerrit/bump-sshd-to-2_14_0.patch b/gerrit/bump-sshd-to-2_14_0.patch
new file mode 100644
index 0000000..d9e05c0
--- /dev/null
+++ b/gerrit/bump-sshd-to-2_14_0.patch
@@ -0,0 +1,61 @@
+From adbaba47b11683ebddd80e774b984a1c96fb5048 Mon Sep 17 00:00:00 2001
+From: Nasser Grainawi
+Date: Tue, 13 Aug 2024 14:01:45 -0700
+Subject: [PATCH] Bump SSHD to 2.14.0
+
+This fixes an 'incorrect signature' error when trying to use the keys
+generated by SSHD during server init with an OpenSSH client.
+
+Gerrit had downgraded to 2.12.0 from 2.13.1 due to this issue.
+
+This also includes a few other changes since 2.13.2:
+* GH-524 Performance improvements
+* GH-533 Fix multi-step authentication
+* GH-582 Fix filtering in NamedFactory
+* GH-587 Prevent NullPointerExceptionon closed channel in NettyIoSession
+* GH-590 Better support for FIPS
+* GH-597 Pass on Charset in ClientSession.executeRemoteCommand()
+
+https://github.com/apache/mina-sshd/releases/tag/sshd-2.14.0
+
+Release-Notes: Bump SSHD to 2.14.0
+Change-Id: Id71702e952f285678775000d21de15e3cbda09c5
+---
+ tools/nongoogle.bzl | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/nongoogle.bzl b/tools/nongoogle.bzl
+index 91caf313e013..39697be36465 100644
+--- a/tools/nongoogle.bzl
++++ b/tools/nongoogle.bzl
+@@ -137,18 +137,18 @@ def declare_nongoogle_deps():
+ sha1 = "cb2f351bf4463751201f43bb99865235d5ba07ca",
+ )
+
+- SSHD_VERS = "2.12.0"
++ SSHD_VERS = "2.14.0"
+
+ maven_jar(
+ name = "sshd-osgi",
+ artifact = "org.apache.sshd:sshd-osgi:" + SSHD_VERS,
+- sha1 = "32b8de1cbb722ba75bdf9898e0c41d42af00ce57",
++ sha1 = "6ef66228a088f8ac1383b2ff28f3102f80ebc01a",
+ )
+
+ maven_jar(
+ name = "sshd-sftp",
+ artifact = "org.apache.sshd:sshd-sftp:" + SSHD_VERS,
+- sha1 = "0f96f00a07b186ea62838a6a4122e8f4cad44df6",
++ sha1 = "c070ac920e72023ae9ab0a3f3a866bece284b470",
+ )
+
+ maven_jar(
+@@ -166,7 +166,7 @@ def declare_nongoogle_deps():
+ maven_jar(
+ name = "sshd-mina",
+ artifact = "org.apache.sshd:sshd-mina:" + SSHD_VERS,
+- sha1 = "8b202f7d4c0d7b714fd0c93a1352af52aa031149",
++ sha1 = "05e1293af53a196ac3c5a4b01dd88985e8672e9e",
+ )
+
+ maven_jar(
diff --git a/gerrit/gerrit-cl-431977-bump-sshd.patch b/gerrit/gerrit-cl-431977-bump-sshd.patch
deleted file mode 100644
index 3a08df2..0000000
--- a/gerrit/gerrit-cl-431977-bump-sshd.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Bump SSHD version to 2.13.1
-
-Release-Notes: Update SSHD version to 2.13.1
-Change-Id: Ib7bc185bfd9e7eda0cc04230da8bd87ee1bb2358
-
-diff --git a/tools/nongoogle.bzl b/tools/nongoogle.bzl
-index 91caf31..d9b90d8 100644
---- a/tools/nongoogle.bzl
-+++ b/tools/nongoogle.bzl
-@@ -137,18 +137,18 @@
- sha1 = "cb2f351bf4463751201f43bb99865235d5ba07ca",
- )
-
-- SSHD_VERS = "2.12.0"
-+ SSHD_VERS = "2.13.1"
-
- maven_jar(
- name = "sshd-osgi",
- artifact = "org.apache.sshd:sshd-osgi:" + SSHD_VERS,
-- sha1 = "32b8de1cbb722ba75bdf9898e0c41d42af00ce57",
-+ sha1 = "50958cc44076749e790d7332021cff546707624c",
- )
-
- maven_jar(
- name = "sshd-sftp",
- artifact = "org.apache.sshd:sshd-sftp:" + SSHD_VERS,
-- sha1 = "0f96f00a07b186ea62838a6a4122e8f4cad44df6",
-+ sha1 = "e1b6da4ef604718e32cad59ef32618610da7a170",
- )
-
- maven_jar(
-@@ -166,7 +166,7 @@
- maven_jar(
- name = "sshd-mina",
- artifact = "org.apache.sshd:sshd-mina:" + SSHD_VERS,
-- sha1 = "8b202f7d4c0d7b714fd0c93a1352af52aa031149",
-+ sha1 = "ff4a9fac41a111d806f6a058d23278b0819da7ce",
- )
-
- maven_jar(
diff --git a/gerrit/gerrit-cl-431977-part-2-bump-bouncycastle.patch b/gerrit/gerrit-cl-431977-part-2-bump-bouncycastle.patch
deleted file mode 100644
index ddf91cd..0000000
--- a/gerrit/gerrit-cl-431977-part-2-bump-bouncycastle.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-diff --git a/tools/deps.bzl b/tools/deps.bzl
-index d056483891...c7b88e94b8 100644
---- a/tools/deps.bzl
-+++ b/tools/deps.bzl
-@@ -21,7 +21,7 @@
- GITILES_REPO = GERRIT
-
- # When updating Bouncy Castle, also update it in bazlets.
--BC_VERS = "1.72"
-+BC_VERS = "1.78.1"
- HTTPCOMP_VERS = "4.5.14"
- JETTY_VERS = "9.4.53.v20231009"
- BYTE_BUDDY_VERSION = "1.14.9"
-@@ -423,25 +423,25 @@
- maven_jar(
- name = "bcprov",
- artifact = "org.bouncycastle:bcprov-jdk18on:" + BC_VERS,
-- sha1 = "d8dc62c28a3497d29c93fee3e71c00b27dff41b4",
-+ sha1 = "39e9e45359e20998eb79c1828751f94a818d25f8",
- )
-
- maven_jar(
- name = "bcpg",
- artifact = "org.bouncycastle:bcpg-jdk18on:" + BC_VERS,
-- sha1 = "1a36a1740d07869161f6f0d01fae8d72dd1d8320",
-+ sha1 = "6c8dbcec20355278ec54840e735f63db2479150e",
- )
-
- maven_jar(
- name = "bcpkix",
- artifact = "org.bouncycastle:bcpkix-jdk18on:" + BC_VERS,
-- sha1 = "bb3fdb5162ccd5085e8d7e57fada4d8eaa571f5a",
-+ sha1 = "17b3541f736df97465f87d9f5b5dfa4991b37bb3",
- )
-
- maven_jar(
- name = "bcutil",
- artifact = "org.bouncycastle:bcutil-jdk18on:" + BC_VERS,
-- sha1 = "41f19a69ada3b06fa48781120d8bebe1ba955c77",
-+ sha1 = "5353ca39fe2f148dab9ca1d637a43d0750456254",
- )
-
- maven_jar(