From 14e3754ef33ea0446644d38b3cc0bb812b3ad7dd Mon Sep 17 00:00:00 2001 From: Fabian Henneke Date: Mon, 17 Aug 2020 21:58:04 +0200 Subject: Update sshj to 0.30.0 and improve algorithm order (#1026) Updates sshj to 0.30.0, which brings support for rsa-sha2-* key types and bugfixes related to RSA certificates and Android Keystore backed keys. Along the way, this improves the algorithm preferences to be consistent with the Mozilla Intermediate SSH configuration (as far as possible, given that most certificate types and some encryption algorithms are not yet supported). We also add "ext-info-c" to the kex algorithm proposal to work around certain kinds of "user agent sniffing" that limits the support of rsa-sha2-* key types. --- .../com/zeapo/pwdstore/git/config/SshjConfig.kt | 37 ++++++++++++---------- 1 file changed, 20 insertions(+), 17 deletions(-) (limited to 'app') diff --git a/app/src/main/java/com/zeapo/pwdstore/git/config/SshjConfig.kt b/app/src/main/java/com/zeapo/pwdstore/git/config/SshjConfig.kt index 1ea0359c..6c409329 100644 --- a/app/src/main/java/com/zeapo/pwdstore/git/config/SshjConfig.kt +++ b/app/src/main/java/com/zeapo/pwdstore/git/config/SshjConfig.kt @@ -6,17 +6,15 @@ package com.zeapo.pwdstore.git.config import com.github.ajalt.timberkt.Timber import com.github.ajalt.timberkt.d -import com.hierynomus.sshj.signature.SignatureEdDSA +import com.hierynomus.sshj.key.KeyAlgorithms import com.hierynomus.sshj.transport.cipher.BlockCiphers +import com.hierynomus.sshj.transport.kex.ExtInfoClientFactory import com.hierynomus.sshj.transport.mac.Macs import com.hierynomus.sshj.userauth.keyprovider.OpenSSHKeyV1KeyFile import java.security.Security import net.schmizz.keepalive.KeepAliveProvider import net.schmizz.sshj.ConfigImpl import net.schmizz.sshj.common.LoggerFactory -import net.schmizz.sshj.signature.SignatureECDSA -import net.schmizz.sshj.signature.SignatureRSA -import net.schmizz.sshj.signature.SignatureRSA.FactoryCERT import net.schmizz.sshj.transport.compression.NoneCompression import net.schmizz.sshj.transport.kex.Curve25519SHA256 import net.schmizz.sshj.transport.kex.Curve25519SHA256.FactoryLibSsh @@ -202,7 +200,7 @@ class SshjConfig : ConfigImpl() { version = "OpenSSH_8.2p1 Ubuntu-4ubuntu0.1" initKeyExchangeFactories() - initSignatureFactories() + initKeyAlgorithms() initRandomFactory() initFileKeyProviderFactories() initCipherFactories() @@ -218,17 +216,22 @@ class SshjConfig : ConfigImpl() { ECDHNistP.Factory384(), ECDHNistP.Factory256(), DHGexSHA256.Factory(), + // Sends "ext-info-c" with the list of key exchange algorithms. This is needed to get + // rsa-sha2-* key types to work with some servers (e.g. GitHub). + ExtInfoClientFactory(), ) } - private fun initSignatureFactories() { - signatureFactories = listOf( - SignatureEdDSA.Factory(), - SignatureECDSA.Factory256(), - SignatureECDSA.Factory384(), - SignatureECDSA.Factory521(), - SignatureRSA.Factory(), - FactoryCERT(), + private fun initKeyAlgorithms() { + keyAlgorithms = listOf( + KeyAlgorithms.SSHRSACertV01(), + KeyAlgorithms.EdDSA25519(), + KeyAlgorithms.RSASHA512(), + KeyAlgorithms.RSASHA256(), + KeyAlgorithms.ECDSASHANistp521(), + KeyAlgorithms.ECDSASHANistp384(), + KeyAlgorithms.ECDSASHANistp256(), + KeyAlgorithms.SSHRSA(), ) } @@ -249,18 +252,18 @@ class SshjConfig : ConfigImpl() { private fun initCipherFactories() { cipherFactories = listOf( - BlockCiphers.AES128CTR(), - BlockCiphers.AES192CTR(), BlockCiphers.AES256CTR(), + BlockCiphers.AES192CTR(), + BlockCiphers.AES128CTR(), ) } private fun initMACFactories() { macFactories = listOf( - Macs.HMACSHA2256(), + Macs.HMACSHA2512Etm(), Macs.HMACSHA2256Etm(), Macs.HMACSHA2512(), - Macs.HMACSHA2512Etm(), + Macs.HMACSHA2256(), ) } -- cgit v1.2.3