author | Kenny Root <kenny@the-b.org> | 2016-02-21 12:56:51 -0800 |
committer | Kenny Root <kenny@the-b.org> | 2016-02-21 12:56:51 -0800 |
commit | dfb607ffeb77dfea843c5db93d28d035c2188ef4 (patch) | |
tree | bde243133d03df82369c849743ff6b1ef4b08df6 /sshlib/src/main/java/com/trilead/ssh2/transport/KexManager.java | |
parent | b0630ae774e769f8db536a6502d924ee9bafdf68 (diff) | |
parent | 771687e2d5355ba0e491e410f98fde6b00fa9434 (diff) | |
Merge pull request #17 from kruton/extended-hostkey
Add extended server hostkey verification API
Diffstat (limited to 'sshlib/src/main/java/com/trilead/ssh2/transport/KexManager.java')
-rw-r--r-- | sshlib/src/main/java/com/trilead/ssh2/transport/KexManager.java | 40 |
1 files changed, 39 insertions, 1 deletions
diff --git a/sshlib/src/main/java/com/trilead/ssh2/transport/KexManager.java b/sshlib/src/main/java/com/trilead/ssh2/transport/KexManager.java
index ab6d0b6..3b7db3e 100644
--- a/sshlib/src/main/java/com/trilead/ssh2/transport/KexManager.java
+++ b/sshlib/src/main/java/com/trilead/ssh2/transport/KexManager.java
@@ -8,12 +8,14 @@ import java.security.SecureRandom;
 import java.security.interfaces.DSAPublicKey;
 import java.security.interfaces.ECPublicKey;
 import java.security.interfaces.RSAPublicKey;
+import java.util.ArrayList;
 import java.util.LinkedHashSet;
+import java.util.List;
 import java.util.Set;
-import java.util.TreeSet;
 
 import com.trilead.ssh2.ConnectionInfo;
 import com.trilead.ssh2.DHGexParameters;
+import com.trilead.ssh2.ExtendedServerHostKeyVerifier;
 import com.trilead.ssh2.ServerHostKeyVerifier;
 import com.trilead.ssh2.compression.CompressionFactory;
 import com.trilead.ssh2.compression.ICompressor;
@@ -282,6 +284,8 @@ public class KexManager
 	public synchronized void initiateKEX(CryptoWishList cwl, DHGexParameters dhgex) throws IOException
 	{
 		nextKEXcryptoWishList = cwl;
+		filterHostKeyTypes(nextKEXcryptoWishList);
+
 		nextKEXdhgexParameters = dhgex;
 
 		if (kxs == null)
@@ -295,6 +299,40 @@ public class KexManager
 		}
 	}
 
+	/**
+	 * If the verifier can indicate which algorithms it knows about for this host, then
+	 * filter out our crypto wish list to only include those algorithms. Otherwise we'll
+	 * negotiate a host key we have not previously confirmed.
+	 *
+	 * @param cwl crypto wish list to filter
+	 */
+	private void filterHostKeyTypes(CryptoWishList cwl) {
+		if (verifier instanceof ExtendedServerHostKeyVerifier) {
+			ExtendedServerHostKeyVerifier extendedVerifier = (ExtendedServerHostKeyVerifier) verifier;
+
+			List<String> knownAlgorithms = extendedVerifier.getKnownKeyAlgorithmsForHost(hostname, port);
+			if (knownAlgorithms != null && knownAlgorithms.size() > 0) {
+				ArrayList<String> filteredAlgorithms = new ArrayList<String>(knownAlgorithms.size());
+
+				/*
+				 * Look at our current wish list and adjust it based on what the client already knows, but
+				 * be careful to keep it in the order desired by the wish list.
+				 */
+				for (String capableAlgo : cwl.serverHostKeyAlgorithms) {
+					for (String knownAlgo : knownAlgorithms) {
+						if (capableAlgo.equals(knownAlgo)) {
+							filteredAlgorithms.add(knownAlgo);
+						}
+					}
+				}
+
+				if (filteredAlgorithms.size() > 0) {
+					cwl.serverHostKeyAlgorithms = filteredAlgorithms.toArray(new String[filteredAlgorithms.size()]);
+				}
+			}
+		}
+	}
+
 	private boolean establishKeyMaterial()
 	{
 		try
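Review bot: filterHostKeyTypes overwrites `cwl.serverHostKeyAlgorithms` in place, and the initiateKEX hunk in the same file hands it the caller's own CryptoWishList, so the narrowing outlives this key exchange; if that object is reused for a re-key or for another connection (I cannot see the callers from here), later negotiations start from the already-filtered list rather than the configured one, so filtering a copy of the array before assigning nextKEXcryptoWishList would be safer. The nested equals loop can be written as `if (knownAlgorithms.contains(capableAlgo)) { filteredAlgorithms.add(capableAlgo); }`, which also avoids adding the same algorithm twice if the verifier returns a duplicated entry. The empty-intersection branch silently keeps the full wish list, which the Javadoc should state so the fallback is understood as deliberate: `If none of the wished-for algorithms is known for this host, the wish list is left unchanged and the verifier callback remains the final gate for whatever key the server presents.` The initiateKEX body continues past the end of its hunk.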