godotengine / godot-git-plugin

Git implementation of the VCS interface in Godot
MIT License

Plugin freezes the editor on remote commands with SSH using Ed25519 key. #193

Open Jordyfel opened 1 year ago

Jordyfel commented 1 year ago

After building from source, I traced it to the while loop in thirdparty\git2\libgit2\src\transports\ssh.c, on lines 670-694. After following with the debugger for a while, I reached a function that checks the key algorithm against an array of supported ones, and Ed25519 is not among them (thirdparty\ssh2\libssh2\src\userauth.c, file_read_privatekey()).

GitHub recommends this algorithm, so other new users may use it. This should fail with a clear error instead of freezing the editor.

Jordyfel commented 1 year ago

I hoped #191 would fix it, but I built it and it still freezes, not sure if the failure point is the same.

Faless commented 1 year ago

It appears that the native Windows crypto backend wincng doesn't seem to support elliptic curves at all.

I have a branch where I enabled the OpenSSL build for Windows too; it would be great if you could try it out.

You can build it by cross-compiling from Linux using MinGW, or natively on Windows using MSVC, but you need a valid Perl installation (see Strawberry Perl for example), and NASM (I also had to manually add to the installation dir as part of the PATH env variable, but YMMV).

Jordyfel commented 1 year ago

This blog post says that it's a limitation of libssh2, it supposedly doesn't implement ECDSA with wincng even though wincng supports it (the Microsoft documentation says that it's supported too). Edit: EdDSA and ECDSA are different, my bad.

After building the branch, the issue is fixed if the credentials are correct, but if they're not (if one forgets to enter their passphrase), the editor still freezes in the same way.

In the API docs for libgit2, the description for git_credential_acquire_cb says:

"Note that most authentication details are your responsibility - this callback will be called until the authentication succeeds, or you report an error. As such, it's easy to get in a loop if you fail to stop providing the same incorrect credentials."

As far as I can tell this callback is involved only with SSH auth. It seems libgit2 expects this callback to return an error for incorrect credentials, which seems like a weird design decision to me. Even when authentication works, the blocking loop makes the editor freeze for around 4 seconds.
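
The retry behaviour quoted from the libgit2 docs can be modelled in a few lines of C. This is an added example, not code from libgit2, libssh2 or the plugin: every name in it (`model_cred`, `acquire`, `connect_model`, the `MODEL_*` codes) is a hypothetical stand-in, and the passphrase is a constructed value. It shows a callback that keeps offering the same wrong passphrase next to one that reports an error after a bounded number of attempts.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-ins for this model; none of these are libgit2 symbols. */
enum { MODEL_OK = 0, MODEL_EAUTH = -1, MODEL_EUSER = -2 };
typedef struct { const char *passphrase; } model_cred;
typedef int (*model_acquire_cb)(model_cred *out, void *payload);

typedef struct {
    const char *passphrase; /* what the user entered; "" if forgotten */
    int attempts;           /* credentials handed out so far */
    int max_attempts;       /* 0 = never give up (the freezing case) */
} cred_state;

/* Credential callback: offers the stored passphrase, but reports an error
 * once the same value has already been offered max_attempts times. */
static int acquire(model_cred *out, void *payload) {
    cred_state *st = payload;
    if (st->max_attempts > 0 && st->attempts >= st->max_attempts)
        return MODEL_EUSER;
    st->attempts++;
    out->passphrase = st->passphrase;
    return MODEL_OK;
}

/* Stand-in for the transport loop: ask, try, ask again on rejection.
 * iteration_cap exists only so the never-give-up case ends in this demo. */
static int connect_model(model_acquire_cb cb, void *payload,
                         const char *expected, int iteration_cap, int *iterations) {
    int rc = MODEL_EAUTH;
    *iterations = 0;
    while (rc == MODEL_EAUTH && *iterations < iteration_cap) {
        model_cred cred = { NULL };
        (*iterations)++;
        rc = cb(&cred, payload);
        if (rc != MODEL_OK) return rc; /* callback reported an error */
        rc = strcmp(cred.passphrase, expected) == 0 ? MODEL_OK : MODEL_EAUTH;
    }
    return rc;
}

int main(void) {
    int n, rc;
    cred_state naive = { "", 0, 0 }, bounded = { "", 0, 1 };
    rc = connect_model(acquire, &naive, "constructed-passphrase", 1000, &n);
    printf("naive:   rc=%d after %d rounds\n", rc, n);
    rc = connect_model(acquire, &bounded, "constructed-passphrase", 1000, &n);
    printf("bounded: rc=%d after %d rounds\n", rc, n);
    return 0;
}
```

In the model the unbounded callback only stops because of the demo's iteration cap, while the bounded one ends the loop on the second request with an error the caller can surface to the user.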