Update sshj to 0.30.0 and improve algorithm order (#1026)
Updates sshj to 0.30.0, which brings support for rsa-sha2-* key types and bugfixes related to RSA certificates and Android Keystore backed keys. Along the way, this improves the algorithm preferences to be consistent with the Mozilla Intermediate SSH configuration (as far as possible, given that most certificate types and some encryption algorithms are not yet supported). We also add "ext-info-c" to the kex algorithm proposal to work around certain kinds of "user agent sniffing" that limits the support of rsa-sha2-* key types.
parent
82ae0a8629
commit
14e3754ef3
2 changed files with 21 additions and 18 deletions
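--- a/<path not shown on page: class SshjConfig, package com.zeapo.pwdstore.git.config>
+++ b/<path not shown on page: class SshjConfig, package com.zeapo.pwdstore.git.config>
@@ -6,17 +6,15 @@ package com.zeapo.pwdstore.git.config
 
 import com.github.ajalt.timberkt.Timber
 import com.github.ajalt.timberkt.d
-import com.hierynomus.sshj.signature.SignatureEdDSA
+import com.hierynomus.sshj.key.KeyAlgorithms
 import com.hierynomus.sshj.transport.cipher.BlockCiphers
+import com.hierynomus.sshj.transport.kex.ExtInfoClientFactory
 import com.hierynomus.sshj.transport.mac.Macs
 import com.hierynomus.sshj.userauth.keyprovider.OpenSSHKeyV1KeyFile
 import java.security.Security
 import net.schmizz.keepalive.KeepAliveProvider
 import net.schmizz.sshj.ConfigImpl
 import net.schmizz.sshj.common.LoggerFactory
-import net.schmizz.sshj.signature.SignatureECDSA
-import net.schmizz.sshj.signature.SignatureRSA
-import net.schmizz.sshj.signature.SignatureRSA.FactoryCERT
 import net.schmizz.sshj.transport.compression.NoneCompression
 import net.schmizz.sshj.transport.kex.Curve25519SHA256
 import net.schmizz.sshj.transport.kex.Curve25519SHA256.FactoryLibSsh
@@ -202,7 +200,7 @@ class SshjConfig : ConfigImpl() {
 version = "OpenSSH_8.2p1 Ubuntu-4ubuntu0.1"
 
 initKeyExchangeFactories()
-initSignatureFactories()
+initKeyAlgorithms()
 initRandomFactory()
 initFileKeyProviderFactories()
 initCipherFactories()
@@ -218,17 +216,22 @@ class SshjConfig : ConfigImpl() {
 ECDHNistP.Factory384(),
 ECDHNistP.Factory256(),
 DHGexSHA256.Factory(),
+// Sends "ext-info-c" with the list of key exchange algorithms. This is needed to get
+// rsa-sha2-* key types to work with some servers (e.g. GitHub).
+ExtInfoClientFactory(),
 )
 }
 
-private fun initSignatureFactories() {
-signatureFactories = listOf(
-SignatureEdDSA.Factory(),
-SignatureECDSA.Factory256(),
-SignatureECDSA.Factory384(),
-SignatureECDSA.Factory521(),
-SignatureRSA.Factory(),
-FactoryCERT(),
+private fun initKeyAlgorithms() {
+keyAlgorithms = listOf(
+KeyAlgorithms.SSHRSACertV01(),
+KeyAlgorithms.EdDSA25519(),
+KeyAlgorithms.RSASHA512(),
+KeyAlgorithms.RSASHA256(),
+KeyAlgorithms.ECDSASHANistp521(),
+KeyAlgorithms.ECDSASHANistp384(),
+KeyAlgorithms.ECDSASHANistp256(),
+KeyAlgorithms.SSHRSA(),
 )
 }
 
@@ -249,18 +252,18 @@ class SshjConfig : ConfigImpl() {
 
 private fun initCipherFactories() {
 cipherFactories = listOf(
-BlockCiphers.AES128CTR(),
-BlockCiphers.AES192CTR(),
 BlockCiphers.AES256CTR(),
+BlockCiphers.AES192CTR(),
+BlockCiphers.AES128CTR(),
 )
 }
 
 private fun initMACFactories() {
 macFactories = listOf(
-Macs.HMACSHA2256(),
+Macs.HMACSHA2512Etm(),
 Macs.HMACSHA2256Etm(),
 Macs.HMACSHA2512(),
-Macs.HMACSHA2512Etm(),
+Macs.HMACSHA2256(),
 )
 }
 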
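Review bot: `KeyAlgorithms.SSHRSA()` is kept as the last entry of the new `keyAlgorithms` list in the `initKeyAlgorithms` hunk without a comment saying why, so the next reader cannot tell whether SHA-1 `ssh-rsa` signatures are still meant to be negotiable or were simply carried over from the old `SignatureRSA.Factory()` line. Since the order is a deliberate preference (the commit description cites the Mozilla Intermediate configuration), it is worth recording in the code, e.g. `// Order follows the Mozilla Intermediate SSH configuration as far as sshj 0.30.0 allows;` `// ssh-rsa (SHA-1) stays last only as a fallback for servers without rsa-sha2-* support.` In sshj this list presumably drives both the host-key algorithm proposal and the signature algorithm chosen for the client's own RSA key, so confirm the fallback is acceptable on both sides. The same rationale comment would suit the reordered `initCipherFactories` and `initMACFactories` lists in the last hunk.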
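--- a/<path not shown on page: object Dependencies>
+++ b/<path not shown on page: object Dependencies>
@@ -59,7 +59,7 @@ object Dependencies {
 const val jgit_java7 = "org.eclipse.jgit:org.eclipse.jgit.java7:3.7.1.201504261725-r"
 const val leakcanary = "com.squareup.leakcanary:leakcanary-android:2.4"
 const val plumber = "com.squareup.leakcanary:plumber-android:2.4"
-const val sshj = "com.hierynomus:sshj:0.29.0"
+const val sshj = "com.hierynomus:sshj:0.30.0"
 const val ssh_auth = "org.sufficientlysecure:sshauthentication-api:1.0"
 const val timber = "com.jakewharton.timber:timber:4.7.1"
 const val timberkt = "com.github.ajalt:timberkt:1.5.1"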