Skip to content

Add support for specifying IP version #332

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ppb2020 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add support for specifying IP version #332

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9690d15
Add support for specifying IP version
ppb2020 Jan 1, 2025
84f5905
Merge branch 'main' into main
ppb2020 Aug 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
88 changes: 80 additions & 8 deletions src/main/java/com/trilead/ssh2/Connection.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,16 @@

public class Connection implements AutoCloseable
{
/**
* Allow the caller to restrict the IP version of the connection to
* be established.
*/
public enum IpVersion {
IPV4_AND_IPV6, ///< Allow both IPV4 and IPv6, the default.
IPV4_ONLY, ///< Require that the connection be over IPv4 only.
IPV6_ONLY ///< Require that the connection be over IPv6 only.
Comment on lines +54 to +56
Copy link

Copilot AI Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

C-style comments are not idiomatic in Java. The codebase uses Javadoc-style comments (/** ... */) for documentation. These inline comments after enum values should either be removed or converted to proper Javadoc comments above each enum value, following the pattern used elsewhere in the codebase for documenting class members.

Suggested change
IPV4_AND_IPV6, ///< Allow both IPV4 and IPv6, the default.
IPV4_ONLY, ///< Require that the connection be over IPv4 only.
IPV6_ONLY ///< Require that the connection be over IPv6 only.
/**
* Allow both IPV4 and IPv6, the default.
*/
IPV4_AND_IPV6,
/**
* Require that the connection be over IPv4 only.
*/
IPV4_ONLY,
/**
* Require that the connection be over IPv6 only.
*/
IPV6_ONLY

Copilot uses AI. Check for mistakes.
}

/**
* The identifier presented to the SSH-2 server.
*/
Expand Down Expand Up @@ -564,30 +574,74 @@ private void close(Throwable t, boolean hard)

/**
* Same as
* {@link #connect(ServerHostKeyVerifier, int, int) connect(null, 0, 0)}.
* {@link #connect(ServerHostKeyVerifier, int, int, IpVersion) connect(null, 0, 0, IpVersion.IPV4_AND_IPV6)}.
*
* @return see comments for the
* {@link #connect(ServerHostKeyVerifier, int, int) connect(ServerHostKeyVerifier, int, int)}
* {@link #connect(ServerHostKeyVerifier, int, int, IpVersion) connect(ServerHostKeyVerifier, int, int, IpVersion)}
* method.
* @throws IOException
*/
public synchronized ConnectionInfo connect() throws IOException
{
return connect(null, 0, 0);
return connect(null, 0, 0, IpVersion.IPV4_AND_IPV6);
}

/**
* Same as
* {@link #connect(ServerHostKeyVerifier, int, int, IpVersion) connect(null, 0, 0, ipVersion)}.
*
* @return see comments for the
* {@link #connect(ServerHostKeyVerifier, int, int, IpVersion) connect(ServerHostKeyVerifier, int, int, IpVersion)}
* method.
* @throws IOException
*/
public synchronized ConnectionInfo connect(IpVersion ipVersion) throws IOException
{
return connect(null, 0, 0, ipVersion);
}


/**
* Same as
* {@link #connect(ServerHostKeyVerifier, int, int) connect(verifier, 0, 0)}.
* {@link #connect(ServerHostKeyVerifier, int, int, IpVersion) connect(verifier, 0, 0, IpVersion.IPV4_AND_IPV6)}.
*
* @return see comments for the
* {@link #connect(ServerHostKeyVerifier, int, int) connect(ServerHostKeyVerifier, int, int)}
* {@link #connect(ServerHostKeyVerifier, int, int, IpVersion) connect(ServerHostKeyVerifier, int, int, IpVersion)}
* method.
* @throws IOException
*/
public synchronized ConnectionInfo connect(ServerHostKeyVerifier verifier) throws IOException
{
return connect(verifier, 0, 0);
return connect(verifier, 0, 0, IpVersion.IPV4_AND_IPV6);
}

/**
* Same as
* {@link #connect(ServerHostKeyVerifier, int, int, IpVersion) connect(verifier, 0, 0, ipVersion)}.
*
* @return see comments for the
* {@link #connect(ServerHostKeyVerifier, int, int, IpVersion) connect(ServerHostKeyVerifier, int, int, IpVersion)}
* method.
* @throws IOException
*/
public synchronized ConnectionInfo connect(ServerHostKeyVerifier verifier, IpVersion ipVersion) throws IOException
{
return connect(verifier, 0, 0, ipVersion);
}

/**
* Same as
* {@link #connect(ServerHostKeyVerifier, int, int, IpVersion) connect(verifier, connectTimeout, kexTimeout, IpVersion.IPV4_AND_IPV6)}.
*
* @return see comments for the
* {@link #connect(ServerHostKeyVerifier, int, int, IpVersion) connect(ServerHostKeyVerifier, int, int, IpVersion)}
* method.
* @throws IOException
*/
public synchronized ConnectionInfo connect(ServerHostKeyVerifier verifier, int connectTimeout, int kexTimeout)
throws IOException
{
return connect(verifier, connectTimeout, kexTimeout, IpVersion.IPV4_AND_IPV6);
}
Comment on lines +598 to 645
Copy link

Copilot AI Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing API documentation: The IpVersion parameter is not documented in overload methods. The new connect overloads at lines 598, 627, and 641 don't document the ipVersion parameter even though they accept it. Only the main connect method at line 734 has documentation for this parameter. For consistency and API clarity, all public methods that accept the ipVersion parameter should document it.

Copilot uses AI. Check for mistakes.
Comment on lines +598 to 645
Copy link

Copilot AI Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing test coverage: The new IpVersion feature and all the new connect() method overloads lack test coverage. The repository has comprehensive integration tests (OpenSSHCompatibilityTest, DropbearCompatibilityTest) that test connection functionality, but none test the IPv4-only, IPv6-only, or default behavior of the new ipVersion parameter. Consider adding tests to verify: 1) connections work correctly with each IpVersion value, 2) appropriate errors are thrown when a hostname doesn't resolve to the requested IP version, and 3) backwards compatibility with existing code that doesn't specify ipVersion.

Copilot uses AI. Check for mistakes.

/**
Expand Down Expand Up @@ -649,6 +703,11 @@ public synchronized ConnectionInfo connect(ServerHostKeyVerifier verifier) throw
* but it will only have an effect after the
* <code>verifier</code> returns.
*
* @param ipVersion
* Specify whether the connection should be restricted to one of
* IPv4 or IPv6, with a default of allowing both. See
* {@link IpVersion}.
Copy link

Copilot AI Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing feature documentation: The IP version restriction feature is not documented in the main method Javadoc. The parameter is documented, but there's no mention of limitations (e.g., that ipVersion is ignored when using a proxy connection). Consider adding a note in the documentation explaining when ipVersion applies and when it doesn't.

Suggested change
* {@link IpVersion}.
* {@link IpVersion}. <b>Note:</b> This parameter is ignored if a proxy connection is used
* (i.e., if {@link #setProxyData(ProxyData)} has been called); in that case, the proxy
* determines the IP version used for the connection.

Copilot uses AI. Check for mistakes.
*
* @return A {@link ConnectionInfo} object containing the details of the
* established connection.
*
Expand All @@ -672,7 +731,7 @@ public synchronized ConnectionInfo connect(ServerHostKeyVerifier verifier) throw
* proxy is buggy and does not return a proper HTTP response,
* then a normal IOException is thrown instead.
*/
public synchronized ConnectionInfo connect(ServerHostKeyVerifier verifier, int connectTimeout, int kexTimeout)
public synchronized ConnectionInfo connect(ServerHostKeyVerifier verifier, int connectTimeout, int kexTimeout, IpVersion ipVersion)
throws IOException
{
final class TimeoutState
Expand Down Expand Up @@ -745,9 +804,22 @@ public void run()
token = TimeoutService.addTimeoutHandler(timeoutHorizont, timeoutHandler);
}

TransportManager.IpVersion tmIpVersion;
Copy link

Copilot AI Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing input validation: The ipVersion parameter is not validated for null. If a caller passes null for ipVersion, the code will fail with a NullPointerException at line 808. Consider adding a null check and either throwing an IllegalArgumentException with a clear message or defaulting to IPV4_AND_IPV6.

Suggested change
TransportManager.IpVersion tmIpVersion;
TransportManager.IpVersion tmIpVersion;
// Default to IPV4_AND_IPV6 if ipVersion is null
if (ipVersion == null) {
ipVersion = IpVersion.IPV4_AND_IPV6;
}

Copilot uses AI. Check for mistakes.
if (ipVersion == IpVersion.IPV4_ONLY)
{
tmIpVersion = TransportManager.IpVersion.IPV4_ONLY;
}
else if (ipVersion == IpVersion.IPV6_ONLY) {
tmIpVersion = TransportManager.IpVersion.IPV6_ONLY;
}
else // Assume (ipVersion == IpVersion.IPV4_AND_IPV6), the default.
{
tmIpVersion = TransportManager.IpVersion.IPV4_AND_IPV6;
}
Comment on lines +807 to +818
Copy link

Copilot AI Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Duplicate enum definition: The IpVersion enum is defined identically in both Connection and TransportManager classes. This violates the DRY principle and creates a maintenance burden. Consider defining the enum once in a shared location (e.g., in Connection as the public API) and having TransportManager reference it directly, or create a shared constants class. The current approach requires maintaining two identical enums and manual conversion code (lines 807-818).

Copilot uses AI. Check for mistakes.

try
{
tm.initialize(cryptoWishList, verifier, dhgexpara, connectTimeout, getOrCreateSecureRND(), proxyData);
tm.initialize(cryptoWishList, verifier, dhgexpara, connectTimeout, tmIpVersion, getOrCreateSecureRND(), proxyData);
}
catch (SocketTimeoutException se)
{
Expand Down
52 changes: 46 additions & 6 deletions src/main/java/com/trilead/ssh2/transport/TransportManager.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
import com.trilead.ssh2.ExtensionInfo;
import com.trilead.ssh2.packets.PacketExtInfo;
import java.io.IOException;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
Expand Down Expand Up @@ -49,6 +50,16 @@
*/
public class TransportManager
{
/**
* Allow the caller to restrict the IP version of the connection to
* be established.
*/
public enum IpVersion {
IPV4_AND_IPV6, ///< Allow both IPV4 and IPv6, the default.
IPV4_ONLY, ///< Require that the connection be over IPv4 only.
IPV6_ONLY ///< Require that the connection be over IPv6 only.
Comment on lines +58 to +60
Copy link

Copilot AI Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

C-style comments are not idiomatic in Java. The codebase uses Javadoc-style comments (/** ... */) for documentation. These inline comments after enum values should either be removed or converted to proper Javadoc comments above each enum value, following the pattern used elsewhere in the codebase for documenting class members.

Suggested change
IPV4_AND_IPV6, ///< Allow both IPV4 and IPv6, the default.
IPV4_ONLY, ///< Require that the connection be over IPv4 only.
IPV6_ONLY ///< Require that the connection be over IPv6 only.
/**
* Allow both IPV4 and IPv6, the default.
*/
IPV4_AND_IPV6,
/**
* Require that the connection be over IPv4 only.
*/
IPV4_ONLY,
/**
* Require that the connection be over IPv6 only.
*/
IPV6_ONLY

Copilot uses AI. Check for mistakes.
}

private static final Logger log = Logger.getLogger(TransportManager.class);

class HandlerEntry
Expand Down Expand Up @@ -265,30 +276,59 @@ public void close(Throwable cause, boolean useDisconnectPacket)
}
}

private void establishConnection(ProxyData proxyData, int connectTimeout) throws IOException
private static InetAddress getIPv4Address(InetAddress[] addresses) {
for (InetAddress address : addresses) {
if (! (address instanceof Inet6Address)) {
return address;
}
}
return null;
}
private static Inet6Address getIPv6Address(InetAddress[] addresses) {
for (InetAddress address : addresses) {
if (address instanceof Inet6Address) {
return (Inet6Address) address;
}
}
return null;
}

private void establishConnection(ProxyData proxyData, int connectTimeout, IpVersion ipVersion) throws IOException
{
if (proxyData == null)
sock = connectDirect(hostname, port, connectTimeout);
sock = connectDirect(hostname, port, connectTimeout, ipVersion);
else
sock = proxyData.openConnection(hostname, port, connectTimeout);
}

private static Socket connectDirect(String hostname, int port, int connectTimeout)
private static Socket connectDirect(String hostname, int port, int connectTimeout, IpVersion ipVersion)
throws IOException
{
Copy link

Copilot AI Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing input validation: The ipVersion parameter is not validated for null. If a caller passes null for ipVersion, the code will fail with a NullPointerException at line 309. Consider adding a null check and either throwing an IllegalArgumentException with a clear message or defaulting to IPV4_AND_IPV6.

Suggested change
{
{
if (ipVersion == null) {
ipVersion = IpVersion.IPV4_AND_IPV6;
}

Copilot uses AI. Check for mistakes.
Socket sock = new Socket();
InetAddress addr = InetAddress.getByName(hostname);
InetAddress addr;
if (ipVersion == IpVersion.IPV4_ONLY)
{
addr = getIPv4Address(InetAddress.getAllByName(hostname));
}
else if (ipVersion == IpVersion.IPV6_ONLY)
{
addr = getIPv6Address(InetAddress.getAllByName(hostname));
}
else // Assume (ipVersion == IpVersion.IPV4_AND_IPV6), the default.
{
addr = InetAddress.getByName(hostname);
}
Copy link

Copilot AI Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Null pointer exception risk: When ipVersion is IPV4_ONLY or IPV6_ONLY, getIPv4Address or getIPv6Address may return null if the hostname doesn't resolve to that IP version. The null address will cause a NullPointerException when passed to InetSocketAddress constructor. Add null check and throw an IOException with a clear error message explaining that the hostname doesn't resolve to the requested IP version.

Suggested change
}
}
if (addr == null) {
throw new IOException("The hostname '" + hostname + "' does not resolve to the requested IP version: " + ipVersion);
}

Copilot uses AI. Check for mistakes.
sock.connect(new InetSocketAddress(addr, port), connectTimeout);
sock.setSoTimeout(0);
return sock;
}

public void initialize(CryptoWishList cwl, ServerHostKeyVerifier verifier, DHGexParameters dhgex,
int connectTimeout, SecureRandom rnd, ProxyData proxyData) throws IOException
int connectTimeout, IpVersion ipVersion, SecureRandom rnd, ProxyData proxyData) throws IOException
{
/* First, establish the TCP connection to the SSH-2 server */

establishConnection(proxyData, connectTimeout);
establishConnection(proxyData, connectTimeout, ipVersion);

/* Parse the server line and say hello - important: this information is later needed for the
* key exchange (to stop man-in-the-middle attacks) - that is why we wrap it into an object
Expand Down