Add configuration of key exchange algorithms for sshd

Add new config key "sshd.kex". The default and supported values are: 1. ecdh-sha2-nistp521 2. ecdh-sha2-nistp384 3. ecdh-sha2-nistp256 4. diffie-hellman-group-exchange-sha256 5. diffie-hellman-group-exchange-sha1, 6. diffie-hellman-group14-sha1 7. diffie-hellman-group1-sha1 With Bouncy Castle installed, all of the above are supported (previously only 6 and 7). With JCE, only 7 is available. Bug: Issue 3517 Change-Id: I6b44e88dc4a0ff8f693f21510aba30546bf4cd99
2016-03-15 09:44:11 -04:00
parent ea204d6eea
commit b4a04fa1c5
2 changed files with 44 additions and 15 deletions
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java
@@ -56,7 +56,7 @@ import org.apache.sshd.common.io.IoSession;
 import org.apache.sshd.common.io.mina.MinaServiceFactoryFactory;
 import org.apache.sshd.common.io.mina.MinaSession;
 import org.apache.sshd.common.io.nio2.Nio2ServiceFactoryFactory;
-import org.apache.sshd.common.kex.BuiltinDHFactories;
+import org.apache.sshd.common.kex.KeyExchange;
 import org.apache.sshd.common.keyprovider.KeyPairProvider;
 import org.apache.sshd.common.mac.Mac;
 import org.apache.sshd.common.random.JceRandomFactory;
@@ -223,6 +223,7 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener {
      initProviderJce();
    }
    initCiphers(cfg);
+    initKeyExchanges(cfg);
    initMacs(cfg);
    initSignatures();
    initChannels();
@@ -425,14 +426,15 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener {
    return r.toString();
  }

+  @SuppressWarnings("unchecked")
+  private void initKeyExchanges(Config cfg) {
+    List<NamedFactory<KeyExchange>> a =
+        ServerBuilder.setUpDefaultKeyExchanges(true);
+    setKeyExchangeFactories(filter(cfg, "kex",
+        (NamedFactory<KeyExchange>[])a.toArray(new NamedFactory[a.size()])));
+  }
+
  private void initProviderBouncyCastle(Config cfg) {
-    setKeyExchangeFactories(
-        NamedFactory.Utils.setUpTransformedFactories(true,
-            Collections.unmodifiableList(Arrays.asList(
-                BuiltinDHFactories.dhg14,
-                BuiltinDHFactories.dhg1
-            )),
-        ServerBuilder.DH2KEX));
    NamedFactory<Random> factory;
    if (cfg.getBoolean("sshd", null, "testUseInsecureRandom", false)) {
      factory = new InsecureBouncyCastleRandom.Factory();
@@ -507,13 +509,6 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener {
  }

  private void initProviderJce() {
-    setKeyExchangeFactories(
-        NamedFactory.Utils.setUpTransformedFactories(true,
-            Collections.unmodifiableList(Arrays.asList(
-                BuiltinDHFactories.dhg1
-            )),
-        ServerBuilder.DH2KEX));
-    setKeyExchangeFactories(ServerBuilder.setUpDefaultKeyExchanges(true));
    setRandomFactory(new SingletonRandomFactory(JceRandomFactory.INSTANCE));
  }