aboutsummaryrefslogtreecommitdiff
path: root/app/src/main/java
diff options
context:
space:
mode:
authorFabian Henneke <FabianHenneke@users.noreply.github.com>2020-08-17 21:58:04 +0200
committerGitHub <noreply@github.com>2020-08-18 01:28:04 +0530
commit14e3754ef33ea0446644d38b3cc0bb812b3ad7dd (patch)
tree3a4163a3d7ce6e2ec79e52de3a6dd8be64022703 /app/src/main/java
parent82ae0a8629a42bc169b4b1993bc8257457703e3f (diff)
Update sshj to 0.30.0 and improve algorithm order (#1026)
Updates sshj to 0.30.0, which brings support for rsa-sha2-* key types and bugfixes related to RSA certificates and Android Keystore backed keys. Along the way, this improves the algorithm preferences to be consistent with the Mozilla Intermediate SSH configuration (as far as possible, given that most certificate types and some encryption algorithms are not yet supported). We also add "ext-info-c" to the kex algorithm proposal to work around certain kinds of "user agent sniffing" that limits the support of rsa-sha2-* key types.
Diffstat (limited to 'app/src/main/java')
-rw-r--r--app/src/main/java/com/zeapo/pwdstore/git/config/SshjConfig.kt37
1 files changed, 20 insertions, 17 deletions
diff --git a/app/src/main/java/com/zeapo/pwdstore/git/config/SshjConfig.kt b/app/src/main/java/com/zeapo/pwdstore/git/config/SshjConfig.kt
index 1ea0359c..6c409329 100644
--- a/app/src/main/java/com/zeapo/pwdstore/git/config/SshjConfig.kt
+++ b/app/src/main/java/com/zeapo/pwdstore/git/config/SshjConfig.kt
@@ -6,17 +6,15 @@ package com.zeapo.pwdstore.git.config
import com.github.ajalt.timberkt.Timber
import com.github.ajalt.timberkt.d
-import com.hierynomus.sshj.signature.SignatureEdDSA
+import com.hierynomus.sshj.key.KeyAlgorithms
import com.hierynomus.sshj.transport.cipher.BlockCiphers
+import com.hierynomus.sshj.transport.kex.ExtInfoClientFactory
import com.hierynomus.sshj.transport.mac.Macs
import com.hierynomus.sshj.userauth.keyprovider.OpenSSHKeyV1KeyFile
import java.security.Security
import net.schmizz.keepalive.KeepAliveProvider
import net.schmizz.sshj.ConfigImpl
import net.schmizz.sshj.common.LoggerFactory
-import net.schmizz.sshj.signature.SignatureECDSA
-import net.schmizz.sshj.signature.SignatureRSA
-import net.schmizz.sshj.signature.SignatureRSA.FactoryCERT
import net.schmizz.sshj.transport.compression.NoneCompression
import net.schmizz.sshj.transport.kex.Curve25519SHA256
import net.schmizz.sshj.transport.kex.Curve25519SHA256.FactoryLibSsh
@@ -202,7 +200,7 @@ class SshjConfig : ConfigImpl() {
version = "OpenSSH_8.2p1 Ubuntu-4ubuntu0.1"
initKeyExchangeFactories()
- initSignatureFactories()
+ initKeyAlgorithms()
initRandomFactory()
initFileKeyProviderFactories()
initCipherFactories()
@@ -218,17 +216,22 @@ class SshjConfig : ConfigImpl() {
ECDHNistP.Factory384(),
ECDHNistP.Factory256(),
DHGexSHA256.Factory(),
+ // Sends "ext-info-c" with the list of key exchange algorithms. This is needed to get
+ // rsa-sha2-* key types to work with some servers (e.g. GitHub).
+ ExtInfoClientFactory(),
)
}
- private fun initSignatureFactories() {
- signatureFactories = listOf(
- SignatureEdDSA.Factory(),
- SignatureECDSA.Factory256(),
- SignatureECDSA.Factory384(),
- SignatureECDSA.Factory521(),
- SignatureRSA.Factory(),
- FactoryCERT(),
+ private fun initKeyAlgorithms() {
+ keyAlgorithms = listOf(
+ KeyAlgorithms.SSHRSACertV01(),
+ KeyAlgorithms.EdDSA25519(),
+ KeyAlgorithms.RSASHA512(),
+ KeyAlgorithms.RSASHA256(),
+ KeyAlgorithms.ECDSASHANistp521(),
+ KeyAlgorithms.ECDSASHANistp384(),
+ KeyAlgorithms.ECDSASHANistp256(),
+ KeyAlgorithms.SSHRSA(),
)
}
@@ -249,18 +252,18 @@ class SshjConfig : ConfigImpl() {
private fun initCipherFactories() {
cipherFactories = listOf(
- BlockCiphers.AES128CTR(),
- BlockCiphers.AES192CTR(),
BlockCiphers.AES256CTR(),
+ BlockCiphers.AES192CTR(),
+ BlockCiphers.AES128CTR(),
)
}
private fun initMACFactories() {
macFactories = listOf(
- Macs.HMACSHA2256(),
+ Macs.HMACSHA2512Etm(),
Macs.HMACSHA2256Etm(),
Macs.HMACSHA2512(),
- Macs.HMACSHA2512Etm(),
+ Macs.HMACSHA2256(),
)
}