Add support for hmac-ripemd-160

2025-12-06 15:20:54 +03:00 · 2018-03-05 12:57:59 +01:00
parent 3bcd3530cf
commit 84a7677a62
7 changed files with 230 additions and 10 deletions
--- a/README.adoc
+++ b/README.adoc
@@ -81,7 +81,7 @@ signatures::
  `ssh-rsa`, `ssh-dss`, `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, `ecdsa-sha2-nistp521`, `ssh-ed25519`

 mac::
-  `hmac-md5`, `hmac-md5-96`, `hmac-sha1`, `hmac-sha1-96`, `hmac-sha2-256`, `hmac-sha2-512`
+  `hmac-md5`, `hmac-md5-96`, `hmac-sha1`, `hmac-sha1-96`, `hmac-sha2-256`, `hmac-sha2-512`, `hmac-ripemd160`

 compression::
  `zlib` and `zlib@openssh.com` (delayed zlib)
--- a/src/itest/docker-image/Dockerfile
+++ b/src/itest/docker-image/Dockerfile
@@ -4,6 +4,7 @@ ADD id_rsa.pub /home/sshj/.ssh/authorized_keys

 ADD test-container/ssh_host_ecdsa_key     /etc/ssh/ssh_host_ecdsa_key
 ADD test-container/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub
+ADD test-container/sshd_config /etc/ssh/sshd_config

 RUN \
  echo "root:smile" | chpasswd && \
--- a/src/itest/docker-image/test-container/sshd_config
+++ b/src/itest/docker-image/test-container/sshd_config
@@ -0,0 +1,132 @@
+#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/ssh/sftp-server
+
+# the following are HPN related configuration options
+# tcp receive buffer polling. disable in non autotuning kernels
+#TcpRcvBufPoll yes
+
+# disable hpn performance boosts
+#HPNDisabled no
+
+# buffer size for hpn to non-hpn connections
+#HPNBufferSize 2048
+
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+
+
+macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com
--- a/src/itest/groovy/com/hierynomus/sshj/IntegrationBaseSpec.groovy
+++ b/src/itest/groovy/com/hierynomus/sshj/IntegrationBaseSpec.groovy
@@ -15,22 +15,28 @@
 */
 package com.hierynomus.sshj

+import net.schmizz.sshj.Config
 import net.schmizz.sshj.DefaultConfig
 import net.schmizz.sshj.SSHClient
 import net.schmizz.sshj.transport.verification.PromiscuousVerifier
 import spock.lang.Specification

 class IntegrationBaseSpec extends Specification {
-    protected static final int DOCKER_PORT = 2222;
-    protected static final String USERNAME = "sshj";
-    protected final static String SERVER_IP = System.getProperty("serverIP", "127.0.0.1");
+    protected static final int DOCKER_PORT = 2222
+    protected static final String USERNAME = "sshj"
+    protected static final String KEYFILE = "src/test/resources/id_rsa"
+    protected final static String SERVER_IP = System.getProperty("serverIP", "127.0.0.1")
+
+    protected static SSHClient getConnectedClient(Config config) {
+        SSHClient sshClient = new SSHClient(config)
+        sshClient.addHostKeyVerifier(new PromiscuousVerifier())
+        sshClient.connect(SERVER_IP, DOCKER_PORT)
+
+        return sshClient
+    }

    protected static SSHClient getConnectedClient() throws IOException {
-        SSHClient sshClient = new SSHClient(new DefaultConfig());
-        sshClient.addHostKeyVerifier(new PromiscuousVerifier());
-        sshClient.connect(SERVER_IP, DOCKER_PORT);
-
-        return sshClient;
+        return getConnectedClient(new DefaultConfig())
    }

 }
--- a/src/itest/groovy/com/hierynomus/sshj/IntegrationSpec.groovy
+++ b/src/itest/groovy/com/hierynomus/sshj/IntegrationSpec.groovy
@@ -51,7 +51,7 @@ class IntegrationSpec extends IntegrationBaseSpec {
        SSHClient client = getConnectedClient()

        when:
-        client.authPublickey("sshj", "src/test/resources/id_rsa")
+        client.authPublickey(USERNAME, KEYFILE)

        then:
        client.isAuthenticated()
--- a/src/itest/groovy/com/hierynomus/sshj/transport/mac/MacSpec.groovy
+++ b/src/itest/groovy/com/hierynomus/sshj/transport/mac/MacSpec.groovy
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C)2009 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.hierynomus.sshj.transport.mac
+
+import com.hierynomus.sshj.IntegrationBaseSpec
+import net.schmizz.sshj.DefaultConfig
+import net.schmizz.sshj.transport.mac.HMACRIPEMD160
+import net.schmizz.sshj.transport.mac.HMACSHA2256
+import spock.lang.Unroll
+
+class MacSpec extends IntegrationBaseSpec {
+
+    @Unroll
+    def "should correctly connect with #mac MAC"() {
+        given:
+        def cfg = new DefaultConfig()
+        cfg.setMACFactories(macFactory)
+        def client = getConnectedClient(cfg)
+
+        when:
+        client.authPublickey(USERNAME, KEYFILE)
+
+        then:
+        client.authenticated
+
+        where:
+        macFactory << [new HMACSHA2256.Factory(), new HMACRIPEMD160.Factory()]
+        mac = macFactory.name
+    }
+}
--- a/src/main/java/net/schmizz/sshj/transport/mac/HMACRIPEMD160.java
+++ b/src/main/java/net/schmizz/sshj/transport/mac/HMACRIPEMD160.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C)2009 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package net.schmizz.sshj.transport.mac;
+
+public class HMACRIPEMD160 extends BaseMAC {
+    /** Named factory for the HMAC-SHA1 <code>MAC</code> */
+    public static class Factory
+            implements net.schmizz.sshj.common.Factory.Named<MAC> {
+
+        @Override
+        public MAC create() {
+            return new HMACRIPEMD160();
+        }
+
+        @Override
+        public String getName() {
+            return "hmac-ripemd160";
+        }
+    }
+
+
+    public HMACRIPEMD160() {
+        super("HMACRIPEMD160", 20, 20);
+    }
+}