Downgrade SSHD to 0.9.0-4-g5967cfd

Since there is no official 0.9.1 release of the SSHD yet, the
0.9.0-4-g5967cfd version was built from the 0.9.x branch and uploaded to
the Google cloud storage.

This change reverts the following Gerrit commits:

3d9c70c SSHD: Update to 0.13.0
52e4e0c Bump SSHD Mina version to 2.0.8
3921163 Don't use deprecated PGPPublicKeyRingCollection constructor
13452f4 Bump Bouncycastle version to 1.51
5f7d5a7 Update EncryptedContactStore to not use deprecated/removed methods
f69698c Update SSHD to 0.11.1-atlassian-1
67c38c8 Added global request handlers to SshDaemon
c31e17f Update sshd to 0.11.0
b9c66ea Bump SSHD version to 0.10.1 and enable nio2 backend

The reason for the downgrade (copied from the change 60161):

SSHD release 0.9 is known to be free from exhausting thread pool problem
[1]. Unfortunately 0.9 release suffers from sporadic handshake failures
[2].  The fix cannot be cleanly cherry-picked to 0.9 release. The back
port of this fix [3] is tracked under its own issue [4], was uploaded as
PR for SSHD Mina's GH repository [5] and merged recently [6].

Moreover, 0.9 suffers from "Authenticated with partial success" issue
[7]
that was fixed by [8], [9]; this patch must be applied as well.

This reverts commit dc7318b8eeda15732d4d2865fc5a7a0a68b3be15.

[1] https://issues.apache.org/jira/browse/SSHD-348
[2] https://issues.apache.org/jira/browse/SSHD-330
[3] https://git-wip-us.apache.org/repos/asf?p=mina-sshd.git;a=commit;\
h=2aed686bdb21681a421033c6ee5997e5cd8a9a83
[4] https://issues.apache.org/jira/browse/SSHD-356
[5] https://github.com/apache/mina-sshd/pull/7
[6] https://git-wip-us.apache.org/repos/asf?p=mina-sshd.git;a=commit;\
h=cc7162acf7ca89561ca57a9c68de735f17bf168b
[7] https://issues.apache.org/jira/browse/SSHD-254
[8] https://git-wip-us.apache.org/repos/asf?p=mina-sshd.git;a=commit;\
h=28a8ae258b08c6b41ab64ac25f2331168dc0415a
[9] https://gerrit-review.googlesource.com/51516

Change-Id: I889fb02c2cb1aa5df2cf8dcabace086f5094a914

6 files changed, 24 insertions, 63 deletions

diff --git a/Documentation/config-gerrit.txt b/Documentation/config-gerrit.txt
index dcc3df3682..95d5283e3f 100644
--- a/Documentation/config-gerrit.txt
+++ b/Documentation/config-gerrit.txt
@@ -2696,14 +2696,6 @@ namespace. To alias `replication start` to `gerrit replicate`:
 [[sshd]]
 === Section sshd
 
-[[sshd.backend]]sshd.backend::
-+
-Starting from version 0.9.0 Apache SSHD project added support for NIO2
-IoSession. To use the new NIO2 session the `backend` option must be set
-to `NIO2`.
-+
-By default, `MINA`.
-
 [[sshd.listenAddress]]sshd.listenAddress::
 +
 Specifies the local addresses the internal SSHD should listen
diff --git a/gerrit-pgm/src/main/resources/com/google/gerrit/pgm/libraries.config b/gerrit-pgm/src/main/resources/com/google/gerrit/pgm/libraries.config
index 16bceeeb51..b5e702f3d4 100644
--- a/gerrit-pgm/src/main/resources/com/google/gerrit/pgm/libraries.config
+++ b/gerrit-pgm/src/main/resources/com/google/gerrit/pgm/libraries.config
@@ -15,16 +15,16 @@
 
 # Version should match lib/bouncycastle/BUCK
 [library "bouncyCastleProvider"]
-  name = Bouncy Castle Crypto Provider v151
-  url = http://www.bouncycastle.org/download/bcprov-jdk15on-151.jar
-  sha1 = 9ab8afcc2842d5ef06eb775a0a2b12783b99aa80
+  name = Bouncy Castle Crypto Provider v149
+  url = http://www.bouncycastle.org/download/bcprov-jdk15on-149.jar
+  sha1 = f5155f04330459104b79923274db5060c1057b99
   remove = bcprov-.*[.]jar
 
 # Version should match lib/bouncycastle/BUCK
 [library "bouncyCastleSSL"]
-  name = Bouncy Castle Crypto SSL v151
-  url = http://www.bouncycastle.org/download/bcpkix-jdk15on-151.jar
-  sha1 = 6c8c1f61bf27a09f9b1a8abc201523669bba9597
+  name = Bouncy Castle Crypto SSL v149
+  url = http://www.bouncycastle.org/download/bcpkix-jdk15on-149.jar
+  sha1 = 924cc7ad2f589630c97b918f044296ebf1bb6855
   needs = bouncyCastleProvider
   remove = bcpkix-.*[.]jar
 
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/contact/EncryptedContactStore.java b/gerrit-server/src/main/java/com/google/gerrit/server/contact/EncryptedContactStore.java
index d82180deaf..8c1fdb6b79 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/contact/EncryptedContactStore.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/contact/EncryptedContactStore.java
@@ -38,9 +38,6 @@ import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
 import org.bouncycastle.openpgp.PGPUtil;
-import org.bouncycastle.openpgp.bc.BcPGPPublicKeyRingCollection;
-import org.bouncycastle.openpgp.operator.bc.BcPGPDataEncryptorBuilder;
-import org.bouncycastle.openpgp.operator.bc.BcPublicKeyKeyEncryptionMethodGenerator;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -114,7 +111,7 @@ class EncryptedContactStore implements ContactStore {
   private static PGPPublicKeyRingCollection readPubRing(final File pub) {
     try (InputStream fin = new FileInputStream(pub);
         InputStream in = PGPUtil.getDecoderStream(fin)) {
-        return new BcPGPPublicKeyRingCollection(in);
+        return new PGPPublicKeyRingCollection(in);
     } catch (IOException e) {
       throw new ProvisionException("Cannot read " + pub, e);
     } catch (PGPException e) {
@@ -170,16 +167,12 @@ class EncryptedContactStore implements ContactStore {
     }
   }
 
+  @SuppressWarnings("deprecation")
   private final PGPEncryptedDataGenerator cpk()
       throws NoSuchProviderException, PGPException {
-    final BcPGPDataEncryptorBuilder builder =
-        new BcPGPDataEncryptorBuilder(PGPEncryptedData.CAST5)
-            .setSecureRandom(prng);
     PGPEncryptedDataGenerator cpk =
-        new PGPEncryptedDataGenerator(builder, true);
-    final BcPublicKeyKeyEncryptionMethodGenerator methodGenerator =
-        new BcPublicKeyKeyEncryptionMethodGenerator(dest);
-    cpk.addMethod(methodGenerator);
+        new PGPEncryptedDataGenerator(PGPEncryptedData.CAST5, true, prng, "BC");
+    cpk.addMethod(dest);
     return cpk;
   }
 
diff --git a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java
index 92ab653c9c..ba5465573b 100644
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java
@@ -45,7 +45,6 @@ import org.apache.sshd.common.ForwardingFilter;
 import org.apache.sshd.common.KeyExchange;
 import org.apache.sshd.common.KeyPairProvider;
 import org.apache.sshd.common.NamedFactory;
-import org.apache.sshd.common.RequestHandler;
 import org.apache.sshd.common.Session;
 import org.apache.sshd.common.Signature;
 import org.apache.sshd.common.SshdSocketAddress;
@@ -68,11 +67,10 @@ import org.apache.sshd.common.forward.TcpipServerChannel;
 import org.apache.sshd.common.future.CloseFuture;
 import org.apache.sshd.common.future.SshFutureListener;
 import org.apache.sshd.common.io.IoAcceptor;
-import org.apache.sshd.common.io.IoServiceFactoryFactory;
+import org.apache.sshd.common.io.IoServiceFactory;
 import org.apache.sshd.common.io.IoSession;
-import org.apache.sshd.common.io.mina.MinaServiceFactoryFactory;
+import org.apache.sshd.common.io.mina.MinaServiceFactory;
 import org.apache.sshd.common.io.mina.MinaSession;
-import org.apache.sshd.common.io.nio2.Nio2ServiceFactoryFactory;
 import org.apache.sshd.common.mac.HMACMD5;
 import org.apache.sshd.common.mac.HMACMD596;
 import org.apache.sshd.common.mac.HMACSHA1;
@@ -81,7 +79,6 @@ import org.apache.sshd.common.random.BouncyCastleRandom;
 import org.apache.sshd.common.random.JceRandom;
 import org.apache.sshd.common.random.SingletonRandomFactory;
 import org.apache.sshd.common.session.AbstractSession;
-import org.apache.sshd.common.session.ConnectionService;
 import org.apache.sshd.common.signature.SignatureDSA;
 import org.apache.sshd.common.signature.SignatureRSA;
 import org.apache.sshd.common.util.Buffer;
@@ -94,10 +91,6 @@ import org.apache.sshd.server.auth.UserAuthPublicKey;
 import org.apache.sshd.server.auth.gss.GSSAuthenticator;
 import org.apache.sshd.server.auth.gss.UserAuthGSS;
 import org.apache.sshd.server.channel.ChannelSession;
-import org.apache.sshd.server.global.CancelTcpipForwardHandler;
-import org.apache.sshd.server.global.KeepAliveHandler;
-import org.apache.sshd.server.global.NoMoreSessionsHandler;
-import org.apache.sshd.server.global.TcpipForwardHandler;
 import org.apache.sshd.server.kex.DHG1;
 import org.apache.sshd.server.kex.DHG14;
 import org.apache.sshd.server.session.SessionFactory;
@@ -200,13 +193,8 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener {
     final String kerberosPrincipal = cfg.getString(
         "sshd", null, "kerberosPrincipal");
 
-    SshSessionBackend backend = cfg.getEnum(
-        "sshd", null, "backend", SshSessionBackend.MINA);
-
-    System.setProperty(IoServiceFactoryFactory.class.getName(),
-        backend == SshSessionBackend.MINA
-            ? MinaServiceFactoryFactory.class.getName()
-            : Nio2ServiceFactoryFactory.class.getName());
+    System.setProperty(IoServiceFactory.class.getName(),
+        MinaServiceFactory.class.getName());
 
     if (SecurityUtils.isBouncyCastleRegistered()) {
       initProviderBouncyCastle();
@@ -263,12 +251,6 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener {
         return new GerritServerSession(server, ioSession);
       }
     });
-    setGlobalRequestHandlers(Arrays.<RequestHandler<ConnectionService>> asList(
-          new KeepAliveHandler(),
-          new NoMoreSessionsHandler(),
-          new TcpipForwardHandler(),
-          new CancelTcpipForwardHandler()
-        ));
 
     hostKeys = computeHostKeys();
   }
@@ -318,10 +300,8 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener {
   public synchronized void stop() {
     if (acceptor != null) {
       try {
-        acceptor.close(true).await();
+        acceptor.dispose();
         log.info("Stopped Gerrit SSHD");
-      } catch (InterruptedException e) {
-        log.warn("Exception caught while closing", e);
       } finally {
         acceptor = null;
       }
@@ -607,11 +587,6 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener {
           @Override
           public SshFile getFile(String file) {
             return null;
-          }
-
-          @Override
-          public FileSystemView getNormalizedView() {
-            return null;
           }};
       }
     });
diff --git a/lib/bouncycastle/BUCK b/lib/bouncycastle/BUCK
index d1ec48de1b..99f960e81c 100644
--- a/lib/bouncycastle/BUCK
+++ b/lib/bouncycastle/BUCK
@@ -2,19 +2,19 @@ include_defs('//lib/maven.defs')
 
 # This version must match the version that also appears in
 # gerrit-pgm/src/main/resources/com/google/gerrit/pgm/libraries.config
-VERSION = '1.51'
+VERSION = '1.49'
 
 maven_jar(
   name = 'bcprov',
   id = 'org.bouncycastle:bcprov-jdk15on:' + VERSION,
-  sha1 = '9ab8afcc2842d5ef06eb775a0a2b12783b99aa80',
+  sha1 = 'f5155f04330459104b79923274db5060c1057b99',
   license = 'DO_NOT_DISTRIBUTE', #'bouncycastle'
 )
 
 maven_jar(
   name = 'bcpg',
   id = 'org.bouncycastle:bcpg-jdk15on:' + VERSION,
-  sha1 = 'b5fa4c280dfbf8bf7c260bc1e78044c7a1de5133',
+  sha1 = '081d84be5b125e1997ab0e2244d1a2276b5de76c',
   license = 'DO_NOT_DISTRIBUTE', #'bouncycastle'
   deps = [':bcprov'],
 )
@@ -22,7 +22,7 @@ maven_jar(
 maven_jar(
   name = 'bcpkix',
   id = 'org.bouncycastle:bcpkix-jdk15on:' + VERSION,
-  sha1 = '6c8c1f61bf27a09f9b1a8abc201523669bba9597',
+  sha1 = '924cc7ad2f589630c97b918f044296ebf1bb6855',
   license = 'DO_NOT_DISTRIBUTE', #'bouncycastle'
   deps = [':bcprov'],
 )
diff --git a/lib/mina/BUCK b/lib/mina/BUCK
index 5c51d3a22c..ff1df5a40e 100644
--- a/lib/mina/BUCK
+++ b/lib/mina/BUCK
@@ -8,17 +8,18 @@ EXCLUDE = [
 
 maven_jar(
   name = 'sshd',
-  id = 'org.apache.sshd:sshd-core:0.13.0',
-  sha1 = 'c616c5865cc55473c6d63c6fcf46e60d382be172',
+  id = 'org.apache.sshd:sshd-core:0.9.0-4-g5967cfd',
+  sha1 = '8f4b6f7ebc54655dc7d25a77665cf51f2b1288b2',
   license = 'Apache2.0',
   deps = [':core'],
   exclude = EXCLUDE,
+  repository = GERRIT,
 )
 
 maven_jar(
   name = 'core',
-  id = 'org.apache.mina:mina-core:2.0.8',
-  sha1 = 'd6ff69fa049aeaecdf0c04cafbb1ab53b7487883',
+  id = 'org.apache.mina:mina-core:2.0.7',
+  sha1 = 'c878e2aa82de748474a624ec3933e4604e446dec',
   license = 'Apache2.0',
   exclude = EXCLUDE,
 )