Skip to main content
aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorThomas Wolf2019-01-15 18:50:12 +0000
committerMatthias Sohn2019-05-06 13:22:08 +0000
commitc33d2bfb9f5d0f407bb736fafe2fa8ff93309e93 (patch)
tree260f3e145fb5f1d7e26f482db5e09d720fadf238 /org.eclipse.jgit.ssh.apache
parent86cee68e0d9282ecc6a49792693309e8d5d9d984 (diff)
downloadjgit-c33d2bfb9f5d0f407bb736fafe2fa8ff93309e93.tar.gz
jgit-c33d2bfb9f5d0f407bb736fafe2fa8ff93309e93.tar.xz
jgit-c33d2bfb9f5d0f407bb736fafe2fa8ff93309e93.zip
Apache MINA sshd client: test reading encrypted ed25519 keys
Add encrypted ed25519 keys in the tests; sshd 2.2.0 can finally decrypt encrypted new-style OpenSSH key files. (Needs the "unlimited strength" JCE, which is the default since Java 8u161. On older JREs, users should install the policy files available from Oracle.) The "expensive" key added has been generated with OpenSSH's ssh-keygen -t ed25519 -a 256, i.e., with 256 bcrypt KDF rounds instead of the default 16. On my machine it takes about 2sec to decrypt. Bug: 541703 Change-Id: Id3872ca2fd75d8f009cbc932eeb6357d3d1f267c Signed-off-by: Thomas Wolf <thomas.wolf@paranor.ch>
Diffstat (limited to 'org.eclipse.jgit.ssh.apache')
-rw-r--r--org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF1
-rw-r--r--org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java6
2 files changed, 7 insertions, 0 deletions
diff --git a/org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF b/org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF
index d1f7d49826..5d344f4944 100644
--- a/org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF
+++ b/org.eclipse.jgit.ssh.apache/META-INF/MANIFEST.MF
@@ -51,6 +51,7 @@ Import-Package: net.i2p.crypto.eddsa;version="[0.3.0,0.4.0)",
org.apache.sshd.common.compression;version="[2.2.0,2.3.0)",
org.apache.sshd.common.config.keys;version="[2.2.0,2.3.0)",
org.apache.sshd.common.config.keys.loader;version="[2.2.0,2.3.0)",
+ org.apache.sshd.common.config.keys.loader.openssh.kdf;version="[2.2.0,2.3.0)",
org.apache.sshd.common.digest;version="[2.2.0,2.3.0)",
org.apache.sshd.common.forward;version="[2.2.0,2.3.0)",
org.apache.sshd.common.future;version="[2.2.0,2.3.0)",
diff --git a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java
index 2f9691ed63..90dc8ca500 100644
--- a/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java
+++ b/org.eclipse.jgit.ssh.apache/src/org/eclipse/jgit/transport/sshd/SshdSessionFactory.java
@@ -70,6 +70,7 @@ import org.apache.sshd.client.keyverifier.ServerKeyVerifier;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.compression.BuiltinCompressions;
import org.apache.sshd.common.config.keys.FilePasswordProvider;
+import org.apache.sshd.common.config.keys.loader.openssh.kdf.BCryptKdfOptions;
import org.apache.sshd.common.keyprovider.KeyIdentityProvider;
import org.eclipse.jgit.annotations.NonNull;
import org.eclipse.jgit.errors.TransportException;
@@ -157,6 +158,11 @@ public class SshdSessionFactory extends SshSessionFactory implements Closeable {
super();
this.keyCache = keyCache;
this.proxies = proxies;
+ // sshd limits the number of BCrypt KDF rounds to 255 by default.
+ // Decrypting such a key takes about two seconds on my machine.
+ // I consider this limit too low. The time increases linearly with the
+ // number of rounds.
+ BCryptKdfOptions.setMaxAllowedRounds(16384);
}
/** A simple general map key. */

Back to the top