This is an automated email from the ASF dual-hosted git repository. twolf pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mina-sshd.git
commit 53f06e1f3c1dc3ac65be62e1702ba0fec3e05add Author: Thomas Wolf <tw...@apache.org> AuthorDate: Fri Jul 9 16:29:28 2021 +0200 Revert "[SSHD-1017] Add support for chacha20-poly1...@openssh.com" This reverts commit e6e88075ce4fb26190a8b59ec4c0b1da338e2008. The chacha20-poly1305 cipher implementation from PR 176[1] evidently causes KEX failures, at least with a ecdsa-sha2-nistp256 key/signature. See SSHD-1191.[2] [1] https://github.com/apache/mina-sshd/pull/176 [2] https://issues.apache.org/jira/browse/SSHD-1191 --- .../apache/sshd/common/cipher/BaseGCMCipher.java | 2 +- .../apache/sshd/common/cipher/BuiltinCiphers.java | 7 - .../apache/sshd/common/cipher/ChaCha20Cipher.java | 279 --------------------- .../org/apache/sshd/common/mac/Poly1305Mac.java | 270 -------------------- .../sshd/common/cipher/ChaCha20CipherTest.java | 59 ----- .../java/org/apache/sshd/common/BaseBuilder.java | 1 - .../common/session/helpers/AbstractSession.java | 9 +- 7 files changed, 2 insertions(+), 625 deletions(-) diff --git a/sshd-common/src/main/java/org/apache/sshd/common/cipher/BaseGCMCipher.java b/sshd-common/src/main/java/org/apache/sshd/common/cipher/BaseGCMCipher.java index 501de14..d1b3191 100644 --- a/sshd-common/src/main/java/org/apache/sshd/common/cipher/BaseGCMCipher.java +++ b/sshd-common/src/main/java/org/apache/sshd/common/cipher/BaseGCMCipher.java @@ -74,7 +74,7 @@ public class BaseGCMCipher extends BaseCipher { } /** - * Algorithm parameters for AES/GCM that assumes the IV uses an 8-byte counter field as its least significant bytes. + * Algorithm parameters for AES/GCM that assumes the IV uses an 8-byte counter field as its most significant bytes. */ protected static class CounterGCMParameterSpec extends GCMParameterSpec { protected final byte[] iv; diff --git a/sshd-common/src/main/java/org/apache/sshd/common/cipher/BuiltinCiphers.java b/sshd-common/src/main/java/org/apache/sshd/common/cipher/BuiltinCiphers.java index dd92139..732901b 100644 
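Review bot: The Javadoc on `CounterGCMParameterSpec` in BaseGCMCipher.java goes back to describing the 8-byte counter field as the IV's "most significant bytes", which looks like an unrelated wording fix undone by the wholesale revert rather than part of removing ChaCha20-Poly1305. For the SSH AES-GCM modes the 12-byte nonce is a 4-byte fixed field followed by an 8-byte invocation counter, so the counter presumably occupies the trailing bytes; the class body and its increment logic lie outside this hunk, so confirm against them. If that holds, keep the pre-revert wording, `* Algorithm parameters for AES/GCM that assumes the IV uses an 8-byte counter field as its least significant bytes.` A comment that misplaces the counter invites a later edit that advances the wrong bytes and repeats a nonce under the same key.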
--- a/sshd-common/src/main/java/org/apache/sshd/common/cipher/BuiltinCiphers.java +++ b/sshd-common/src/main/java/org/apache/sshd/common/cipher/BuiltinCiphers.java @@ -102,12 +102,6 @@ public enum BuiltinCiphers implements CipherFactory { */ @Deprecated blowfishcbc(Constants.BLOWFISH_CBC, 8, 0, 16, "Blowfish", 128, "Blowfish/CBC/NoPadding", 8), - cc20p1305_openssh(Constants.CC20P1305_OPENSSH, 8, 16, 64, "ChaCha", 256, "ChaCha", 8) { - @Override - public Cipher create() { - return new ChaCha20Cipher(); - } - }, /** * @deprecated * @see <A HREF="https://issues.apache.org/jira/browse/SSHD-1004">SSHD-1004</A> @@ -377,7 +371,6 @@ public enum BuiltinCiphers implements CipherFactory { public static final String ARCFOUR128 = "arcfour128"; public static final String ARCFOUR256 = "arcfour256"; public static final String BLOWFISH_CBC = "blowfish-cbc"; - public static final String CC20P1305_OPENSSH = "chacha20-poly1...@openssh.com"; public static final String TRIPLE_DES_CBC = "3des-cbc"; private Constants() { diff --git a/sshd-common/src/main/java/org/apache/sshd/common/cipher/ChaCha20Cipher.java b/sshd-common/src/main/java/org/apache/sshd/common/cipher/ChaCha20Cipher.java deleted file mode 100644 index 9d4023d..0000000 --- a/sshd-common/src/main/java/org/apache/sshd/common/cipher/ChaCha20Cipher.java +++ /dev/null 
@@ -1,279 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.sshd.common.cipher; - -import java.nio.charset.StandardCharsets; -import java.util.Arrays; - -import javax.crypto.AEADBadTagException; - -import org.apache.sshd.common.mac.Mac; -import org.apache.sshd.common.mac.Poly1305Mac; -import org.apache.sshd.common.util.NumberUtils; -import org.apache.sshd.common.util.ValidateUtils; -import org.apache.sshd.common.util.buffer.BufferUtils; - -/** - * AEAD cipher based on the - * <a href="https://github.com/openbsd/src/blob/master/usr.bin/ssh/PROTOCOL.chacha20poly1305">OpenSSH - * ChaCha20-Poly1305</a> cipher extension. 
- */ -public class ChaCha20Cipher implements Cipher { - protected final ChaChaEngine headerEngine = new ChaChaEngine(); - protected final ChaChaEngine bodyEngine = new ChaChaEngine(); - protected final Mac mac = new Poly1305Mac(); - protected Mode mode; - - public ChaCha20Cipher() { - // empty - } - - @Override - public String getAlgorithm() { - return "ChaCha20"; - } - - @Override - public void init(Mode mode, byte[] key, byte[] iv) throws Exception { - this.mode = mode; - - bodyEngine.initKey(Arrays.copyOfRange(key, 0, 32)); - bodyEngine.initNonce(iv); - mac.init(bodyEngine.polyKey()); - - headerEngine.initKey(Arrays.copyOfRange(key, 32, 64)); - headerEngine.initNonce(iv); - headerEngine.initCounter(0); - } - - @Override - public void updateAAD(byte[] data, int offset, int length) throws Exception { - ValidateUtils.checkState(mode != null, "Cipher not initialized"); - ValidateUtils.checkTrue(length == 4, "AAD only supported for encrypted packet length"); - - if (mode == Mode.Decrypt) { - mac.update(data, offset, length); - } - - headerEngine.crypt(data, offset, length, data, offset); - - if (mode == Mode.Encrypt) { - mac.update(data, offset, length); - } - } - - @Override - public void update(byte[] input, int inputOffset, int inputLen) throws Exception { - ValidateUtils.checkState(mode != null, "Cipher not initialized"); - - if (mode == Mode.Decrypt) { - mac.update(input, inputOffset, inputLen); - byte[] actual = mac.doFinal(); - if (!Mac.equals(input, inputOffset + inputLen, actual, 0, actual.length)) { - throw new AEADBadTagException("Tag mismatch"); - } - } - - bodyEngine.crypt(input, inputOffset, inputLen, input, inputOffset); - - if (mode == Mode.Encrypt) { - mac.update(input, inputOffset, inputLen); - mac.doFinal(input, inputOffset + inputLen); - } - - headerEngine.advanceNonce(); - headerEngine.initCounter(0); - bodyEngine.advanceNonce(); - mac.init(bodyEngine.polyKey()); - } - - @Override - public String getTransformation() { - return "ChaCha20"; - } - - 
@Override - public int getIVSize() { - return 8; - } - - @Override - public int getAuthenticationTagSize() { - return 16; - } - - @Override - public int getCipherBlockSize() { - return 8; - } - - @Override - public int getKdfSize() { - return 64; - } - - @Override - public int getKeySize() { - return 256; - } - - protected static class ChaChaEngine { - private static final int BLOCK_BYTES = 64; - private static final int BLOCK_INTS = BLOCK_BYTES / Integer.BYTES; - private static final int KEY_OFFSET = 4; - private static final int KEY_BYTES = 32; - private static final int KEY_INTS = KEY_BYTES / Integer.BYTES; - private static final int COUNTER_OFFSET = 12; - private static final int NONCE_OFFSET = 14; - private static final int NONCE_BYTES = 8; - private static final int NONCE_INTS = NONCE_BYTES / Integer.BYTES; - private static final int[] ENGINE_STATE_HEADER - = unpackSigmaString("expand 32-byte k".getBytes(StandardCharsets.US_ASCII)); - - protected final int[] x = new int[BLOCK_INTS]; - protected final int[] engineState = new int[BLOCK_INTS]; - protected final byte[] nonce = new byte[NONCE_BYTES]; - protected long initialNonce; - - protected ChaChaEngine() { - System.arraycopy(ENGINE_STATE_HEADER, 0, engineState, 0, 4); - } - - protected void initKey(byte[] key) { - unpackIntsLE(key, 0, KEY_INTS, engineState, KEY_OFFSET); - } - - protected void initNonce(byte[] nonce) { - initialNonce = BufferUtils.getLong(nonce, 0, NumberUtils.length(nonce)); - unpackIntsLE(nonce, 0, NONCE_INTS, engineState, NONCE_OFFSET); - System.arraycopy(nonce, 0, this.nonce, 0, NONCE_BYTES); - } - - protected void advanceNonce() { - long counter = BufferUtils.getLong(nonce, 0, NONCE_BYTES) + 1; - ValidateUtils.checkState(counter != initialNonce, "Packet sequence number cannot be reused with the same key"); - BufferUtils.putLong(counter, nonce, 0, NONCE_BYTES); - unpackIntsLE(nonce, 0, NONCE_INTS, engineState, NONCE_OFFSET); - } - - protected void initCounter(long counter) { - 
engineState[COUNTER_OFFSET] = (int) counter; - engineState[COUNTER_OFFSET + 1] = (int) (counter >>> Integer.SIZE); - } - - // one-shot usage - protected void crypt(byte[] in, int offset, int length, byte[] out, int outOffset) { - while (length > 0) { - System.arraycopy(engineState, 0, x, 0, BLOCK_INTS); - permute(x); - int want = Math.min(BLOCK_BYTES, length); - for (int i = 0, j = 0; i < want; i += Integer.BYTES, j++) { - int keyStream = engineState[j] + x[j]; - int take = Math.min(Integer.BYTES, length); - int input = unpackIntLE(in, offset, take); - int output = keyStream ^ input; - packIntLE(output, out, outOffset, take); - offset += take; - outOffset += take; - length -= take; - } - int lo = ++engineState[COUNTER_OFFSET]; - if (lo == 0) { - // overflow - ++engineState[COUNTER_OFFSET + 1]; - } - } - } - - protected byte[] polyKey() { - byte[] block = new byte[Poly1305Mac.KEY_BYTES]; - initCounter(0); - crypt(block, 0, block.length, block, 0); - initCounter(1); - return block; - } - - protected static void permute(int[] state) { - for (int i = 0; i < 10; i++) { - columnRound(state); - diagonalRound(state); - } - } - - protected static void columnRound(int[] state) { - quarterRound(state, 0, 4, 8, 12); - quarterRound(state, 1, 5, 9, 13); - quarterRound(state, 2, 6, 10, 14); - quarterRound(state, 3, 7, 11, 15); - } - - protected static void diagonalRound(int[] state) { - quarterRound(state, 0, 5, 10, 15); - quarterRound(state, 1, 6, 11, 12); - quarterRound(state, 2, 7, 8, 13); - quarterRound(state, 3, 4, 9, 14); - } - - protected static void quarterRound(int[] state, int a, int b, int c, int d) { - state[a] += state[b]; - state[d] = Integer.rotateLeft(state[d] ^ state[a], 16); - - state[c] += state[d]; - state[b] = Integer.rotateLeft(state[b] ^ state[c], 12); - - state[a] += state[b]; - state[d] = Integer.rotateLeft(state[d] ^ state[a], 8); - - state[c] += state[d]; - state[b] = Integer.rotateLeft(state[b] ^ state[c], 7); - } - - private static int 
unpackIntLE(byte[] buf, int off) { - return unpackIntLE(buf, off, Integer.BYTES); - } - - private static int unpackIntLE(byte[] buf, int off, int len) { - int ret = 0; - for (int i = 0; i < len; i++) { - ret |= Byte.toUnsignedInt(buf[off + i]) << i * Byte.SIZE; - } - return ret; - } - - private static void unpackIntsLE(byte[] buf, int off, int nrInts, int[] dst, int dstOff) { - for (int i = 0; i < nrInts; i++) { - dst[dstOff++] = unpackIntLE(buf, off); - off += Integer.BYTES; - } - } - - private static int[] unpackSigmaString(byte[] buf) { - int[] values = new int[4]; - unpackIntsLE(buf, 0, 4, values, 0); - return values; - } - - private static void packIntLE(int value, byte[] dst, int off, int len) { - for (int i = 0; i < len; i++) { - dst[off + i] = (byte) (value >>> i * Byte.SIZE); - } - } - } -} diff --git a/sshd-common/src/main/java/org/apache/sshd/common/mac/Poly1305Mac.java b/sshd-common/src/main/java/org/apache/sshd/common/mac/Poly1305Mac.java deleted file mode 100644 index dcb8919..0000000 --- a/sshd-common/src/main/java/org/apache/sshd/common/mac/Poly1305Mac.java +++ /dev/null 
@@ -1,270 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.sshd.common.mac; - -import java.nio.BufferOverflowException; -import java.security.InvalidKeyException; -import java.util.Arrays; - -import org.apache.sshd.common.util.NumberUtils; -import org.apache.sshd.common.util.buffer.BufferUtils; - -/** - * Poly1305 one-time message authentication code. This implementation is derived from the public domain C library - * <a href="https://github.com/floodyberry/poly1305-donna">poly1305-donna</a>. 
- * - * @see <a href="http://cr.yp.to/mac/poly1305-20050329.pdf">The Poly1305-AES message-authentication code</a> - */ -public class Poly1305Mac implements Mac { - public static final int KEY_BYTES = 32; - private static final int BLOCK_SIZE = 16; - - private int r0; - private int r1; - private int r2; - private int r3; - private int r4; - private int s1; - private int s2; - private int s3; - private int s4; - private int k0; - private int k1; - private int k2; - private int k3; - - private int h0; - private int h1; - private int h2; - private int h3; - private int h4; - private final byte[] currentBlock = new byte[BLOCK_SIZE]; - private int currentBlockOffset; - - public Poly1305Mac() { - // empty - } - - @Override - public String getAlgorithm() { - return "Poly1305"; - } - - @Override - public void init(byte[] key) throws Exception { - if (NumberUtils.length(key) != KEY_BYTES) { - throw new InvalidKeyException("Poly1305 key must be 32 bytes"); - } - - int t0 = unpackIntLE(key, 0); - int t1 = unpackIntLE(key, 4); - int t2 = unpackIntLE(key, 8); - int t3 = unpackIntLE(key, 12); - - // NOTE: The masks perform the key "clamping" implicitly - r0 = t0 & 0x03FFFFFF; - r1 = (t0 >>> 26 | t1 << 6) & 0x03FFFF03; - r2 = (t1 >>> 20 | t2 << 12) & 0x03FFC0FF; - r3 = (t2 >>> 14 | t3 << 18) & 0x03F03FFF; - r4 = t3 >>> 8 & 0x000FFFFF; - - // Precompute multipliers - s1 = r1 * 5; - s2 = r2 * 5; - s3 = r3 * 5; - s4 = r4 * 5; - - k0 = unpackIntLE(key, 16); - k1 = unpackIntLE(key, 20); - k2 = unpackIntLE(key, 24); - k3 = unpackIntLE(key, 28); - } - - @Override - public void update(byte[] in, int offset, int length) { - while (length > 0) { - if (currentBlockOffset == BLOCK_SIZE) { - processBlock(); - } - - int toCopy = Math.min(length, BLOCK_SIZE - currentBlockOffset); - System.arraycopy(in, offset, currentBlock, currentBlockOffset, toCopy); - offset += toCopy; - length -= toCopy; - currentBlockOffset += toCopy; - } - } - - @Override - public void updateUInt(long value) { - byte[] 
encoded = new byte[Integer.BYTES]; - BufferUtils.putUInt(value, encoded); - update(encoded); - } - - @Override - public void doFinal(byte[] out, int offset) throws Exception { - if (offset + BLOCK_SIZE > NumberUtils.length(out)) { - throw new BufferOverflowException(); - } - if (currentBlockOffset > 0) { - processBlock(); - } - - h1 += h0 >>> 26; - h0 &= 0x3ffffff; - h2 += h1 >>> 26; - h1 &= 0x3ffffff; - h3 += h2 >>> 26; - h2 &= 0x3ffffff; - h4 += h3 >>> 26; - h3 &= 0x3ffffff; - h0 += (h4 >>> 26) * 5; - h4 &= 0x3ffffff; - h1 += h0 >>> 26; - h0 &= 0x3ffffff; - - int g0 = h0 + 5; - int b = g0 >>> 26; - g0 &= 0x3ffffff; - int g1 = h1 + b; - b = g1 >>> 26; - g1 &= 0x3ffffff; - int g2 = h2 + b; - b = g2 >>> 26; - g2 &= 0x3ffffff; - int g3 = h3 + b; - b = g3 >>> 26; - g3 &= 0x3ffffff; - int g4 = h4 + b - (1 << 26); - - b = (g4 >>> 31) - 1; - int nb = ~b; - h0 = h0 & nb | g0 & b; - h1 = h1 & nb | g1 & b; - h2 = h2 & nb | g2 & b; - h3 = h3 & nb | g3 & b; - h4 = h4 & nb | g4 & b; - - long f0 = Integer.toUnsignedLong(h0 | h1 << 26) + Integer.toUnsignedLong(k0); - long f1 = Integer.toUnsignedLong(h1 >>> 6 | h2 << 20) + Integer.toUnsignedLong(k1); - long f2 = Integer.toUnsignedLong(h2 >>> 12 | h3 << 14) + Integer.toUnsignedLong(k2); - long f3 = Integer.toUnsignedLong(h3 >>> 18 | h4 << 8) + Integer.toUnsignedLong(k3); - - packIntLE((int) f0, out, offset); - f1 += f0 >>> 32; - packIntLE((int) f1, out, offset + 4); - f2 += f1 >>> 32; - packIntLE((int) f2, out, offset + 8); - f3 += f2 >>> 32; - packIntLE((int) f3, out, offset + 12); - - reset(); - } - - private void processBlock() { - if (currentBlockOffset < BLOCK_SIZE) { - // padding - currentBlock[currentBlockOffset] = 1; - for (int i = currentBlockOffset + 1; i < BLOCK_SIZE; i++) { - currentBlock[i] = 0; - } - } - - long t0 = Integer.toUnsignedLong(unpackIntLE(currentBlock, 0)); - long t1 = Integer.toUnsignedLong(unpackIntLE(currentBlock, 4)); - long t2 = Integer.toUnsignedLong(unpackIntLE(currentBlock, 8)); - long t3 = 
Integer.toUnsignedLong(unpackIntLE(currentBlock, 12)); - - h0 += t0 & 0x3ffffff; - h1 += (t1 << 32 | t0) >>> 26 & 0x3ffffff; - h2 += (t2 << 32 | t1) >>> 20 & 0x3ffffff; - h3 += (t3 << 32 | t2) >>> 14 & 0x3ffffff; - h4 += t3 >>> 8; - - if (currentBlockOffset == BLOCK_SIZE) { - h4 += 1 << 24; - } - - long tp0 = unsignedProduct(h0, r0) + unsignedProduct(h1, s4) + unsignedProduct(h2, s3) + unsignedProduct(h3, s2) - + unsignedProduct(h4, s1); - long tp1 = unsignedProduct(h0, r1) + unsignedProduct(h1, r0) + unsignedProduct(h2, s4) + unsignedProduct(h3, s3) - + unsignedProduct(h4, s2); - long tp2 = unsignedProduct(h0, r2) + unsignedProduct(h1, r1) + unsignedProduct(h2, r0) + unsignedProduct(h3, s4) - + unsignedProduct(h4, s3); - long tp3 = unsignedProduct(h0, r3) + unsignedProduct(h1, r2) + unsignedProduct(h2, r1) + unsignedProduct(h3, r0) - + unsignedProduct(h4, s4); - long tp4 = unsignedProduct(h0, r4) + unsignedProduct(h1, r3) + unsignedProduct(h2, r2) + unsignedProduct(h3, r1) - + unsignedProduct(h4, r0); - - h0 = (int) tp0 & 0x3ffffff; - tp1 += tp0 >>> 26; - h1 = (int) tp1 & 0x3ffffff; - tp2 += tp1 >>> 26; - h2 = (int) tp2 & 0x3ffffff; - tp3 += tp2 >>> 26; - h3 = (int) tp3 & 0x3ffffff; - tp4 += tp3 >>> 26; - h4 = (int) tp4 & 0x3ffffff; - h0 += (int) (tp4 >>> 26) * 5; - h1 += h0 >>> 26; - h0 &= 0x3ffffff; - - currentBlockOffset = 0; - } - - private void reset() { - h0 = 0; - h1 = 0; - h2 = 0; - h3 = 0; - h4 = 0; - currentBlockOffset = 0; - Arrays.fill(currentBlock, (byte) 0); - } - - @Override - public int getBlockSize() { - return BLOCK_SIZE; - } - - @Override - public int getDefaultBlockSize() { - return BLOCK_SIZE; - } - - private static int unpackIntLE(byte[] buf, int off) { - int ret = 0; - for (int i = 0; i < Integer.BYTES; i++) { - ret |= Byte.toUnsignedInt(buf[off + i]) << i * Byte.SIZE; - } - return ret; - } - - private static void packIntLE(int value, byte[] dst, int off) { - for (int i = 0; i < Integer.BYTES; i++) { - dst[off + i] = (byte) (value >>> i * 
Byte.SIZE); - } - } - - private static long unsignedProduct(int i1, int i2) { - return Integer.toUnsignedLong(i1) * Integer.toUnsignedLong(i2); - } -} diff --git a/sshd-common/src/test/java/org/apache/sshd/common/cipher/ChaCha20CipherTest.java b/sshd-common/src/test/java/org/apache/sshd/common/cipher/ChaCha20CipherTest.java deleted file mode 100644 index 92b8725..0000000 --- a/sshd-common/src/test/java/org/apache/sshd/common/cipher/ChaCha20CipherTest.java +++ /dev/null 
@@ -1,59 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.sshd.common.cipher; - -import java.nio.charset.StandardCharsets; - -import org.apache.sshd.common.util.buffer.BufferUtils; -import org.apache.sshd.util.test.JUnitTestSupport; -import org.junit.Test; - -public class ChaCha20CipherTest extends JUnitTestSupport { - public ChaCha20CipherTest() { - super(); - } - - @Test - public void testEncryptDecrypt() throws Exception { - ChaCha20Cipher cipher = new ChaCha20Cipher(); - byte[] key = new byte[cipher.getKdfSize()]; - for (int i = 0; i < key.length; i++) { - key[i] = (byte) (i & 0xff); - } - byte[] iv = new byte[cipher.getIVSize()]; - BufferUtils.putLong(42, iv, 0, iv.length); - byte[] aad = new byte[4]; - byte[] plaintext = getClass().getName().getBytes(StandardCharsets.UTF_8); - BufferUtils.putUInt(plaintext.length, aad); - byte[] buf = new byte[plaintext.length + cipher.getAuthenticationTagSize()]; - System.arraycopy(plaintext, 0, buf, 0, plaintext.length); - cipher.init(Cipher.Mode.Encrypt, key, iv); - cipher.updateAAD(aad); - cipher.update(buf, 0, plaintext.length); - - byte[] ciphertext = buf.clone(); - - cipher.init(Cipher.Mode.Decrypt, key, iv); - cipher.updateAAD(aad); 
- int length = (int) BufferUtils.getUInt(aad); - cipher.update(ciphertext, 0, length); - assertEquals(getClass().getName(), new String(ciphertext, 0, length, StandardCharsets.UTF_8)); - } -} diff --git a/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java b/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java index 8db30b7..6c24a5c 100644 --- a/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java +++ b/sshd-core/src/main/java/org/apache/sshd/common/BaseBuilder.java @@ -70,7 +70,6 @@ public class BaseBuilder<T extends AbstractFactoryManager, S extends BaseBuilder */ public static final List<BuiltinCiphers> DEFAULT_CIPHERS_PREFERENCE = Collections.unmodifiableList( Arrays.asList( - BuiltinCiphers.cc20p1305_openssh, BuiltinCiphers.aes128ctr, BuiltinCiphers.aes192ctr, BuiltinCiphers.aes256ctr, diff --git a/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java b/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java index f13baf1..14da167 100644 --- a/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java +++ b/sshd-core/src/main/java/org/apache/sshd/common/session/helpers/AbstractSession.java @@ -1635,8 +1635,7 @@ public abstract class AbstractSession extends SessionHelper { * * @throws Exception if an error occurs */ - // TODO: this method needs refactoring - @SuppressWarnings({ "checkstyle:VariableDeclarationUsageDistance", "checkstyle:ExecutableStatementCount" }) + @SuppressWarnings("checkstyle:VariableDeclarationUsageDistance") protected void receiveNewKeys() throws Exception { byte[] k = kex.getK(); byte[] h = kex.getH(); 
@@ -1688,9 +1687,6 @@ public abstract class AbstractSession extends SessionHelper { Cipher s2ccipher = ValidateUtils.checkNotNull( NamedFactory.create(getCipherFactories(), value), "Unknown s2c cipher: %s", value); e_s2c = resizeKey(e_s2c, s2ccipher.getKdfSize(), hash, k, h); - if (s2ccipher.getAlgorithm().startsWith("ChaCha")) { - BufferUtils.putLong(serverSession ? seqo : seqi, iv_s2c, 0, iv_s2c.length); - } s2ccipher.init(serverSession ? Cipher.Mode.Encrypt : Cipher.Mode.Decrypt, e_s2c, iv_s2c); Mac s2cmac; @@ -1716,9 +1712,6 @@ public abstract class AbstractSession extends SessionHelper { Cipher c2scipher = ValidateUtils.checkNotNull( NamedFactory.create(getCipherFactories(), value), "Unknown c2s cipher: %s", value); e_c2s = resizeKey(e_c2s, c2scipher.getKdfSize(), hash, k, h); - if (c2scipher.getAlgorithm().startsWith("ChaCha")) { - BufferUtils.putLong(serverSession ? seqi : seqo, iv_c2s, 0, iv_c2s.length); - } c2scipher.init(serverSession ? Cipher.Mode.Decrypt : Cipher.Mode.Encrypt, e_c2s, iv_c2s); Mac c2smac;