- Upgraded Bouncy Castle from 1.78.1 to 1.80
- Upgraded Apache SSHD from 2.12.1 to 2.14.0
- Upgraded SLF4J from 2.0.13 to 2.0.16
- Upgraded Logback from 1.3.14 to 1.3.15
- Upgraded Testcontainers from 1.19.8 to 1.20.4
- Modified Curve25519 negotiation to determine algorithm identifier length based on PublicKey.getEncoded() length instead of hard-coded value of 44
- Runtime length determination avoids differences in X25519 implementations on Java 11
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
- Upgraded Bouncy Castle from 1.78 to 1.78.1
- Upgraded SLF4J from 2.0.7 to 2.0.13
- Upgraded SSHD from 2.10.0 to 2.12.1
- Upgraded Logback from 1.3.8 to 1.3.14
- Upgraded Testcontainers from 1.18.3 to 1.19.8
- Upgraded setup-java action to version 4
- Upgraded checkout action to version 4
* Fix for issue #910: Bad packet received by server when hearbeat is enabled
* Address re-keying case too
---------
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
Bouncy Caste version before 1.78 have
CVE-2024-29857 - Importing an EC certificate with specially crafted F2m parameters can cause high CPU usage during parameter evaluation.
Is sshj impacted by this vulnerability?
* Wrap IllegalArgumentException thrown by Base64 decoder
Some time ago, there had been `net.schmizz.sshj.common.Base64`. This class used to throw `IOException` in case of any problem. Although `IOException` isn't an appropriate class for indicating on parsing issues, a lot of code has been expecting `IOException` from Base64.
Once, the old Base64 decoder was replaced with the one, bundled into Java 14 (see f35c2bd4ce). Copy-paste elimination and switching to standard implementations is undoubtedly a good decision.
Unfortunately, `java.util.Base64.Decoder` brought a pesky issue. It throws `IllegalArgumentException` in case of any problem. Since it is an unchecked exception, it was quite challenging to notice it. It's especially challenging because the error appears during processing malformed base64 strings. So, a lot of places in the code kept expecting `IOException`. Sudden `IllegalArgumentException` led to authentication termination in cases where everything used to work perfectly.
One of such issues is already found and fixed: 03f8b2224d
This commit represents a work, based on revising every change made in f35c2bd4ce. It should fix all other similar issues.
* squash! Wrap IllegalArgumentException thrown by Base64 decoder
Rename Base64DecodeError -> Base64DecodingException
* squash! Wrap IllegalArgumentException thrown by Base64 decoder
A better warning message in KnownHostMatchers
* squash! Wrap IllegalArgumentException thrown by Base64 decoder
A better error message in OpenSSHKeyFileUtil
* squash! Wrap IllegalArgumentException thrown by Base64 decoder
A better error message in OpenSSHKeyV1KeyFile
* squash! Wrap IllegalArgumentException thrown by Base64 decoder
Get rid of unnecessary `throws IOException` in Base64Decoder
* squash! Wrap IllegalArgumentException thrown by Base64 decoder
Better error messages in OpenSSHKeyFileUtil and PuTTYKeyFile
* adds fallback to posix-rename@openssh.com extension if possible and communicates possible problems with flags to the developer
* Adds '{}' around if/else statements
* adds basic tests for file rename
* fix comments
* fixes indentation
* adds helper methods to make existing sftp rename tests more concise
* adds basic test for atomic rewrite
* adds possibility to request a specific client version (e.g. for testing purposes)
* adds testcases for SFTP rename flags fallback behaviour
* refactoring to make SFTPEngine.init(int requestedVersion) protected
---------
Co-authored-by: Florian Klemenz <florian.klemenz@fau.de>
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
* Add ChaCha20-Poly1305 Support for OpenSSH Keys
- Updated ChachaPolyCipher to support decryption without Additional Authenticated Data
* Added test for ChachaPolyCipher without AAD
* Streamlined ChachaPolyCipher.update() method
* Added DefaultSecurityProviderConfig with Bouncy Castle disabled
* Upgrade test to junit jupiter
---------
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
- Upgraded Bouncy Castle from 1.70 to 1.75
- Upgraded SLF4J from 1.7.36 to 2.0.7
- Upgraded Logback from 1.2.11 to 1.3.8
- Upgraded Apache MINA SSHD from 2.8.0 to 2.10.0
- Upgraded Grizzly HTTP Server from 2.4.4 to 3.0.1
- Upgraded Testcontainers from 1.16.2 to 1.18.3
- Refactored references and removed HttpClient dependency
- Upgraded GitHub Actions setup-java from 1 to 3
- Updated GitHub Actions to use Temurin JDK 11
- Added OpenSSL upgrade to RSA Key Tests
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>
