From 771687e2d5355ba0e491e410f98fde6b00fa9434 Mon Sep 17 00:00:00 2001 From: Kenny Root Date: Tue, 26 Jan 2016 23:28:03 -0800 Subject: Add extended server hostkey verification API This allows the SSH library to query the user of the library about which key algorithms they know about for this particular host. Otherwise when the library is upgraded or the host is upgraded, it may select and previously unknown key to authenticate against the database. Note there are two APIs added here called "removeServerHostKey" and "addServerHostKey" which currently are not called, but they are there for future support for hostkeys@openssh.com support. --- .../com/trilead/ssh2/transport/KexManager.java | 40 +++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) (limited to 'sshlib/src/main/java/com/trilead/ssh2/transport/KexManager.java') diff --git a/sshlib/src/main/java/com/trilead/ssh2/transport/KexManager.java b/sshlib/src/main/java/com/trilead/ssh2/transport/KexManager.java index ab6d0b6..3b7db3e 100644 --- a/sshlib/src/main/java/com/trilead/ssh2/transport/KexManager.java +++ b/sshlib/src/main/java/com/trilead/ssh2/transport/KexManager.java @@ -8,12 +8,14 @@ import java.security.SecureRandom; import java.security.interfaces.DSAPublicKey; import java.security.interfaces.ECPublicKey; import java.security.interfaces.RSAPublicKey; +import java.util.ArrayList; import java.util.LinkedHashSet; +import java.util.List; import java.util.Set; -import java.util.TreeSet; import com.trilead.ssh2.ConnectionInfo; import com.trilead.ssh2.DHGexParameters; +import com.trilead.ssh2.ExtendedServerHostKeyVerifier; import com.trilead.ssh2.ServerHostKeyVerifier; import com.trilead.ssh2.compression.CompressionFactory; import com.trilead.ssh2.compression.ICompressor; @@ -282,6 +284,8 @@ public class KexManager public synchronized void initiateKEX(CryptoWishList cwl, DHGexParameters dhgex) throws IOException { nextKEXcryptoWishList = cwl; + filterHostKeyTypes(nextKEXcryptoWishList); + nextKEXdhgexParameters = dhgex; if (kxs == null) @@ -295,6 +299,40 @@ public class KexManager } } + /** + * If the verifier can indicate which algorithms it knows about for this host, then + * filter out our crypto wish list to only include those algorithms. Otherwise we'll + * negotiate a host key we have not previously confirmed. + * + * @param cwl crypto wish list to filter + */ + private void filterHostKeyTypes(CryptoWishList cwl) { + if (verifier instanceof ExtendedServerHostKeyVerifier) { + ExtendedServerHostKeyVerifier extendedVerifier = (ExtendedServerHostKeyVerifier) verifier; + + List knownAlgorithms = extendedVerifier.getKnownKeyAlgorithmsForHost(hostname, port); + if (knownAlgorithms != null && knownAlgorithms.size() > 0) { + ArrayList filteredAlgorithms = new ArrayList(knownAlgorithms.size()); + + /* + * Look at our current wish list and adjust it based on what the client already knows, but + * be careful to keep it in the order desired by the wish list. + */ + for (String capableAlgo : cwl.serverHostKeyAlgorithms) { + for (String knownAlgo : knownAlgorithms) { + if (capableAlgo.equals(knownAlgo)) { + filteredAlgorithms.add(knownAlgo); + } + } + } + + if (filteredAlgorithms.size() > 0) { + cwl.serverHostKeyAlgorithms = filteredAlgorithms.toArray(new String[filteredAlgorithms.size()]); + } + } + } + } + private boolean establishKeyMaterial() { try -- cgit v1.2.3