Update sshj to 0.30.0 and improve algorithm order (#1026)

Updates sshj to 0.30.0, which brings support for rsa-sha2-* key types
and bugfixes related to RSA certificates and Android Keystore backed
keys.

Along the way, this improves the algorithm preferences to be consistent
with the Mozilla Intermediate SSH configuration (as far as possible,
given that most certificate types and some encryption algorithms are
not yet supported).

We also add "ext-info-c" to the kex algorithm proposal to work around
certain kinds of "user agent sniffing" that limits the support of
rsa-sha2-* key types.
This commit is contained in:
Fabian Henneke 2020-08-17 21:58:04 +02:00 committed by GitHub
parent 82ae0a8629
commit 14e3754ef3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 21 additions and 18 deletions

View file

@ -6,17 +6,15 @@ package com.zeapo.pwdstore.git.config
import com.github.ajalt.timberkt.Timber import com.github.ajalt.timberkt.Timber
import com.github.ajalt.timberkt.d import com.github.ajalt.timberkt.d
import com.hierynomus.sshj.signature.SignatureEdDSA import com.hierynomus.sshj.key.KeyAlgorithms
import com.hierynomus.sshj.transport.cipher.BlockCiphers import com.hierynomus.sshj.transport.cipher.BlockCiphers
import com.hierynomus.sshj.transport.kex.ExtInfoClientFactory
import com.hierynomus.sshj.transport.mac.Macs import com.hierynomus.sshj.transport.mac.Macs
import com.hierynomus.sshj.userauth.keyprovider.OpenSSHKeyV1KeyFile import com.hierynomus.sshj.userauth.keyprovider.OpenSSHKeyV1KeyFile
import java.security.Security import java.security.Security
import net.schmizz.keepalive.KeepAliveProvider import net.schmizz.keepalive.KeepAliveProvider
import net.schmizz.sshj.ConfigImpl import net.schmizz.sshj.ConfigImpl
import net.schmizz.sshj.common.LoggerFactory import net.schmizz.sshj.common.LoggerFactory
import net.schmizz.sshj.signature.SignatureECDSA
import net.schmizz.sshj.signature.SignatureRSA
import net.schmizz.sshj.signature.SignatureRSA.FactoryCERT
import net.schmizz.sshj.transport.compression.NoneCompression import net.schmizz.sshj.transport.compression.NoneCompression
import net.schmizz.sshj.transport.kex.Curve25519SHA256 import net.schmizz.sshj.transport.kex.Curve25519SHA256
import net.schmizz.sshj.transport.kex.Curve25519SHA256.FactoryLibSsh import net.schmizz.sshj.transport.kex.Curve25519SHA256.FactoryLibSsh
@ -202,7 +200,7 @@ class SshjConfig : ConfigImpl() {
version = "OpenSSH_8.2p1 Ubuntu-4ubuntu0.1" version = "OpenSSH_8.2p1 Ubuntu-4ubuntu0.1"
initKeyExchangeFactories() initKeyExchangeFactories()
initSignatureFactories() initKeyAlgorithms()
initRandomFactory() initRandomFactory()
initFileKeyProviderFactories() initFileKeyProviderFactories()
initCipherFactories() initCipherFactories()
@ -218,17 +216,22 @@ class SshjConfig : ConfigImpl() {
ECDHNistP.Factory384(), ECDHNistP.Factory384(),
ECDHNistP.Factory256(), ECDHNistP.Factory256(),
DHGexSHA256.Factory(), DHGexSHA256.Factory(),
// Sends "ext-info-c" with the list of key exchange algorithms. This is needed to get
// rsa-sha2-* key types to work with some servers (e.g. GitHub).
ExtInfoClientFactory(),
) )
} }
private fun initSignatureFactories() { private fun initKeyAlgorithms() {
signatureFactories = listOf( keyAlgorithms = listOf(
SignatureEdDSA.Factory(), KeyAlgorithms.SSHRSACertV01(),
SignatureECDSA.Factory256(), KeyAlgorithms.EdDSA25519(),
SignatureECDSA.Factory384(), KeyAlgorithms.RSASHA512(),
SignatureECDSA.Factory521(), KeyAlgorithms.RSASHA256(),
SignatureRSA.Factory(), KeyAlgorithms.ECDSASHANistp521(),
FactoryCERT(), KeyAlgorithms.ECDSASHANistp384(),
KeyAlgorithms.ECDSASHANistp256(),
KeyAlgorithms.SSHRSA(),
) )
} }
@ -249,18 +252,18 @@ class SshjConfig : ConfigImpl() {
private fun initCipherFactories() { private fun initCipherFactories() {
cipherFactories = listOf( cipherFactories = listOf(
BlockCiphers.AES128CTR(),
BlockCiphers.AES192CTR(),
BlockCiphers.AES256CTR(), BlockCiphers.AES256CTR(),
BlockCiphers.AES192CTR(),
BlockCiphers.AES128CTR(),
) )
} }
private fun initMACFactories() { private fun initMACFactories() {
macFactories = listOf( macFactories = listOf(
Macs.HMACSHA2256(), Macs.HMACSHA2512Etm(),
Macs.HMACSHA2256Etm(), Macs.HMACSHA2256Etm(),
Macs.HMACSHA2512(), Macs.HMACSHA2512(),
Macs.HMACSHA2512Etm(), Macs.HMACSHA2256(),
) )
} }

View file

@ -59,7 +59,7 @@ object Dependencies {
const val jgit_java7 = "org.eclipse.jgit:org.eclipse.jgit.java7:3.7.1.201504261725-r" const val jgit_java7 = "org.eclipse.jgit:org.eclipse.jgit.java7:3.7.1.201504261725-r"
const val leakcanary = "com.squareup.leakcanary:leakcanary-android:2.4" const val leakcanary = "com.squareup.leakcanary:leakcanary-android:2.4"
const val plumber = "com.squareup.leakcanary:plumber-android:2.4" const val plumber = "com.squareup.leakcanary:plumber-android:2.4"
const val sshj = "com.hierynomus:sshj:0.29.0" const val sshj = "com.hierynomus:sshj:0.30.0"
const val ssh_auth = "org.sufficientlysecure:sshauthentication-api:1.0" const val ssh_auth = "org.sufficientlysecure:sshauthentication-api:1.0"
const val timber = "com.jakewharton.timber:timber:4.7.1" const val timber = "com.jakewharton.timber:timber:4.7.1"
const val timberkt = "com.github.ajalt:timberkt:1.5.1" const val timberkt = "com.github.ajalt:timberkt:1.5.1"