From 0cd47c16403712c38cc87abc16e4e8c5900c35ea Mon Sep 17 00:00:00 2001
From: Fabian Henneke
Date: Mon, 20 Jul 2020 12:06:10 +0200
Subject: [PATCH] Send ext-info-c with kex algorithms

Some SSH servers will not honor the negotiated rsa-sha2-256 algorithms if the client does not indicate support for SSH_MSG_EXT_INFO messages. Since we only need to accept these messages, but are free to ignore their contents, adding support amounts to sending "ext-info-c" with our kex algorithm proposal.
---
 .../transport/kex/ExtInfoClientFactory.java | 21 +++++++++++++++++++
 .../java/net/schmizz/sshj/DefaultConfig.java | 4 +++-
 .../java/net/schmizz/sshj/common/Message.java | 1 +
 .../schmizz/sshj/transport/TransportImpl.java | 3 +++
 4 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 src/main/java/com/hierynomus/sshj/transport/kex/ExtInfoClientFactory.java

diff --git a/src/main/java/com/hierynomus/sshj/transport/kex/ExtInfoClientFactory.java b/src/main/java/com/hierynomus/sshj/transport/kex/ExtInfoClientFactory.java
new file mode 100644
index 000000000..f7e302040
--- /dev/null
+++ b/src/main/java/com/hierynomus/sshj/transport/kex/ExtInfoClientFactory.java
@@ -0,0 +1,21 @@
+package com.hierynomus.sshj.transport.kex;
+
+import net.schmizz.sshj.transport.kex.KeyExchange;
+
+/**
+ * Stub kex algorithm factory that indicates support for SSH2_MSG_EXT_INFO.
+ * Some servers will not send `rsa-sha2-*` signatures if the client doesn't indicate support.
+ *
+ * Note: Since the server sends `ext-info-s` to indicate support, this fake kex algorithm is never negotiated.
+ */
+public class ExtInfoClientFactory implements net.schmizz.sshj.common.Factory.Named {
+ @Override
+ public String getName() {
+ return "ext-info-c";
+ }
+
+ @Override
+ public KeyExchange create() {
+ return null;
+ }
+}
diff --git a/src/main/java/net/schmizz/sshj/DefaultConfig.java b/src/main/java/net/schmizz/sshj/DefaultConfig.java
index ddf79c38b..746148c79 100644
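Review bot: `create()` in the new ExtInfoClientFactory returns null, so if a non-conforming server ever did propose `ext-info-c` in its own kex list the negotiation would succeed and the transport would dereference a null KeyExchange instead of failing cleanly; as I read RFC 8308 §2.1, a party that finds the indicator negotiated as a kex method must disconnect, so `return null;` is better written as `throw new IllegalStateException("ext-info-c is an extension indicator, not a key exchange method");`, which (assuming the transport's existing exception handling turns it into a disconnect) gives that behaviour. The Javadoc's claim that the stub "is never negotiated" should then be reworded to say it must never be negotiated and that `create()` enforces it. The class also implements the raw type `net.schmizz.sshj.common.Factory.Named`; `implements Factory.Named<KeyExchange>` with an import keeps the factory type-safe and drops the fully-qualified name.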
--- a/src/main/java/net/schmizz/sshj/DefaultConfig.java
+++ b/src/main/java/net/schmizz/sshj/DefaultConfig.java
@@ -20,6 +20,7 @@
 import com.hierynomus.sshj.transport.cipher.BlockCiphers;
 import com.hierynomus.sshj.transport.cipher.StreamCiphers;
 import com.hierynomus.sshj.transport.kex.DHGroups;
+import com.hierynomus.sshj.transport.kex.ExtInfoClientFactory;
 import com.hierynomus.sshj.transport.kex.ExtendedDHGroups;
 import com.hierynomus.sshj.transport.mac.Macs;
 import com.hierynomus.sshj.userauth.keyprovider.OpenSSHKeyV1KeyFile;
@@ -125,7 +126,8 @@ protected void initKeyExchangeFactories(boolean bouncyCastleRegistered) {
 ExtendedDHGroups.Group16SHA256(),
 ExtendedDHGroups.Group16SHA384AtSSH(),
 ExtendedDHGroups.Group16SHA512AtSSH(),
- ExtendedDHGroups.Group18SHA512AtSSH());
+ ExtendedDHGroups.Group18SHA512AtSSH(),
+ new ExtInfoClientFactory());
 } else {
 setKeyExchangeFactories(DHGroups.Group1SHA1(), new DHGexSHA1.Factory());
 }
diff --git a/src/main/java/net/schmizz/sshj/common/Message.java b/src/main/java/net/schmizz/sshj/common/Message.java
index 82c1184bc..d87213772 100644
--- a/src/main/java/net/schmizz/sshj/common/Message.java
+++ b/src/main/java/net/schmizz/sshj/common/Message.java
@@ -25,6 +25,7 @@ public enum Message {
 DEBUG(4),
 SERVICE_REQUEST(5),
 SERVICE_ACCEPT(6),
+ EXT_INFO(7),
 
 KEXINIT(20),
 NEWKEYS(21),
diff --git a/src/main/java/net/schmizz/sshj/transport/TransportImpl.java b/src/main/java/net/schmizz/sshj/transport/TransportImpl.java
index c92ac0380..50e31d537 100644
--- a/src/main/java/net/schmizz/sshj/transport/TransportImpl.java
+++ b/src/main/java/net/schmizz/sshj/transport/TransportImpl.java
@@ -529,6 +529,9 @@ public void handle(Message msg, SSHPacket buf)
 case SERVICE_ACCEPT:
 gotServiceAccept();
 break;
+ case EXT_INFO:
+ log.debug("Received SSH_MSG_EXT_INFO");
+ break;
 case USERAUTH_BANNER:
 log.debug("Received USERAUTH_BANNER");
 break;
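Review bot: The indicator is only appended in the BouncyCastle branch of `initKeyExchangeFactories` (second DefaultConfig hunk); the `else` branch still calls `setKeyExchangeFactories(DHGroups.Group1SHA1(), new DHGexSHA1.Factory())` without `new ExtInfoClientFactory()`, so a client built without BouncyCastle never advertises `ext-info-c` and the servers described in the commit message will keep falling back from rsa-sha2 signatures there. If that asymmetry is deliberate, a comment on the `else` branch would stop a later reader from treating it as an oversight; otherwise the factory belongs in both calls. Placing the entry last is correct, since the client's list order expresses kex preference and the indicator must never be the one chosen. The enclosing method starts outside the hunk.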
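Review bot: The new `case EXT_INFO` in `handle` discards the packet body without explanation, which matches the commit message's intent but is invisible to a reader of TransportImpl alone; a comment such as `// RFC 8308: extension contents (e.g. server-sig-algs) are deliberately ignored; merely accepting the message keeps servers from downgrading rsa-sha2 signatures` would record that. It is also worth noting in that comment that the branch accepts the message at any point in the connection, whereas (as I read RFC 8308 §2.4) a server sends it only right after its first NEWKEYS or just before USERAUTH_SUCCESS; since nothing from `buf` is parsed this is harmless, but stating it saves the next maintainer from wondering whether a state check is missing. `handle` starts and ends outside the hunk.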