Prepare release 0.37.0

* Added AES-GCM Support for OpenSSH Private Keys

* Small simplification

Signed-off-by: Jeroen van Erp <jeroen@hierynomus.com>

---------

Signed-off-by: Jeroen van Erp <jeroen@hierynomus.com>
Co-authored-by: Jeroen van Erp <jeroen@hierynomus.com>

README.adoc

@@ -1,7 +1,7 @@
 = sshj - SSHv2 library for Java
 Jeroen van Erp
 :sshj_groupid: com.hierynomus
-:sshj_version: 0.36.0
+:sshj_version: 0.37.0
 :source-highlighter: pygments
 
 image:https://github.com/hierynomus/sshj/actions/workflows/gradle.yml/badge.svg[link="https://github.com/hierynomus/sshj/actions/workflows/gradle.yml"]
@@ -108,6 +108,10 @@ Issue tracker: https://github.com/hierynomus/sshj/issues
 Fork away!
 
 == Release history
+SSHJ 0.37.0 (2023-10-11)::
+* Merged https://github.com/hierynomus/sshj/pull/899[#899]: Add support for AES-GCM OpenSSH private keys
+* Merged https://github.com/hierynomus/sshj/pull/901[#901]: Fix ZLib compression bug
+* Merged https://github.com/hierynomus/sshj/pull/898[#898]: Improved malformed file handling for OpenSSH private keys
 SSHJ 0.36.0 (2023-09-04)::
 * Rewrote Integration tests to JUnit5
 * Merged https://github.com/hierynomus/sshj/pull/851[#851]: Fix race condition in key exchange causing intermittent SSH_MSG_UNIMPLEMENTED

examples/pom.xml

@@ -24,7 +24,7 @@
     <groupId>com.hierynomus</groupId>
     <artifactId>sshj-examples</artifactId>
     <packaging>jar</packaging>
-    <version>0.33.0</version>
+    <version>0.37.0</version>
 
     <name>sshj-examples</name>
     <description>Examples for SSHv2 library for Java</description>

src/itest/java/com/hierynomus/sshj/SshdContainer.java

@@ -214,6 +214,9 @@ public class SshdContainer extends GenericContainer<SshdContainer> {
                 case STDERR:
                     logger().info("sshd stderr: {}", outputFrame.getUtf8String().stripTrailing());
                     break;
+                case END:
+                    break;
+
             }
         });
     }

src/itest/java/com/hierynomus/sshj/sftp/PutFileCompressedTest.java

@@ -0,0 +1,81 @@
+/*
+ * Copyright (C)2009 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.hierynomus.sshj.sftp;
+
+import com.hierynomus.sshj.SshdContainer;
+import net.schmizz.sshj.SSHClient;
+import net.schmizz.sshj.sftp.SFTPClient;
+import net.schmizz.sshj.xfer.InMemorySourceFile;
+import org.junit.jupiter.api.Test;
+import org.testcontainers.junit.jupiter.Container;
+import org.testcontainers.junit.jupiter.Testcontainers;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.Random;
+
+@Testcontainers
+public class PutFileCompressedTest {
+
+    private static class TestInMemorySourceFile extends InMemorySourceFile {
+
+        private final String name;
+        private final byte[] data;
+
+        public TestInMemorySourceFile(String name, byte[] data) {
+            this.name = name;
+            this.data = data;
+        }
+
+        @Override
+        public String getName() {
+            return name;
+        }
+
+        @Override
+        public long getLength() {
+            return data.length;
+        }
+
+        @Override
+        public InputStream getInputStream() throws IOException {
+            return new ByteArrayInputStream(data);
+        }
+
+    }
+
+    @Container
+    private static SshdContainer sshd = new SshdContainer();
+
+    @Test
+    public void shouldPutCompressedFile_GH893() throws Throwable {
+        try (SSHClient client = sshd.getConnectedClient()) {
+            client.authPublickey("sshj", "src/test/resources/id_rsa");
+            client.useCompression();
+            try (SFTPClient sftp = client.newSFTPClient()) {
+                String filename = "test.txt";
+                // needs to be a larger file for bug taking effect
+                byte[] content = new byte[5000];
+                Random r = new Random(1);
+                r.nextBytes(content);
+
+                sftp.put(new TestInMemorySourceFile(filename,content), "/home/sshj/");
+            }
+
+        }
+    }
+}

src/itest/java/com/hierynomus/sshj/signature/HostKeyWithCertificateTest.java

@@ -26,7 +26,6 @@ import org.junit.jupiter.params.provider.ValueSource;
 import com.hierynomus.sshj.SshdContainer;
 import com.hierynomus.sshj.SshdContainer.SshdConfigBuilder;
 
-import net.schmizz.sshj.Config;
 import net.schmizz.sshj.DefaultConfig;
 import net.schmizz.sshj.SSHClient;
 import net.schmizz.sshj.transport.verification.OpenSSHKnownHosts;

src/itest/java/com/hierynomus/sshj/transport/kex/KexTest.java

@@ -26,7 +26,6 @@ import org.testcontainers.junit.jupiter.Container;
 import org.testcontainers.junit.jupiter.Testcontainers;
 
 import com.hierynomus.sshj.SshdContainer;
-import com.hierynomus.sshj.transport.mac.Macs;
 
 import net.schmizz.sshj.Config;
 import net.schmizz.sshj.DefaultConfig;

src/main/java/com/hierynomus/sshj/key/KeyAlgorithms.java

@@ -22,9 +22,6 @@ import net.schmizz.sshj.signature.SignatureDSA;
 import net.schmizz.sshj.signature.SignatureECDSA;
 import net.schmizz.sshj.signature.SignatureRSA;
 
-import java.util.Arrays;
-import java.util.List;
-
 public class KeyAlgorithms {
 
     public static Factory SSHRSA() { return new Factory("ssh-rsa", new SignatureRSA.FactorySSHRSA(), KeyType.RSA); }

src/main/java/com/hierynomus/sshj/userauth/keyprovider/OpenSSHKeyV1KeyFile.java

@@ -18,6 +18,7 @@ package com.hierynomus.sshj.userauth.keyprovider;
 import com.hierynomus.sshj.common.KeyAlgorithm;
 import com.hierynomus.sshj.common.KeyDecryptionFailedException;
 import com.hierynomus.sshj.transport.cipher.BlockCiphers;
+import com.hierynomus.sshj.transport.cipher.GcmCiphers;
 import net.i2p.crypto.eddsa.EdDSAPrivateKey;
 import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable;
 import net.i2p.crypto.eddsa.spec.EdDSAPrivateKeySpec;
@@ -36,6 +37,7 @@ import org.bouncycastle.asn1.nist.NISTNamedCurves;
 import org.bouncycastle.asn1.x9.X9ECParameters;
 import org.bouncycastle.jce.spec.ECNamedCurveSpec;
 import com.hierynomus.sshj.userauth.keyprovider.bcrypt.BCrypt;
+import org.bouncycastle.openssl.EncryptionException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -47,24 +49,42 @@ import java.io.Reader;
 import java.math.BigInteger;
 import java.nio.ByteBuffer;
 import java.nio.CharBuffer;
-import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 import java.security.*;
 import java.security.spec.ECPrivateKeySpec;
 import java.security.spec.RSAPrivateCrtKeySpec;
 import java.util.Arrays;
 import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
 
 /**
  * Reads a key file in the new OpenSSH format.
  * The format is described in the following document: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key
  */
 public class OpenSSHKeyV1KeyFile extends BaseFileKeyProvider {
-    private static final Logger logger = LoggerFactory.getLogger(OpenSSHKeyV1KeyFile.class);
     private static final String BEGIN = "-----BEGIN ";
     private static final String END = "-----END ";
     private static final byte[] AUTH_MAGIC = "openssh-key-v1\0".getBytes();
     public static final String OPENSSH_PRIVATE_KEY = "OPENSSH PRIVATE KEY-----";
     public static final String BCRYPT = "bcrypt";
+
+    private static final String NONE_CIPHER = "none";
+
+    private static final Map<String, Factory.Named<Cipher>> SUPPORTED_CIPHERS = new HashMap<>();
+
+    static {
+        SUPPORTED_CIPHERS.put(BlockCiphers.TripleDESCBC().getName(), BlockCiphers.TripleDESCBC());
+        SUPPORTED_CIPHERS.put(BlockCiphers.AES128CBC().getName(), BlockCiphers.AES128CBC());
+        SUPPORTED_CIPHERS.put(BlockCiphers.AES192CBC().getName(), BlockCiphers.AES192CBC());
+        SUPPORTED_CIPHERS.put(BlockCiphers.AES256CBC().getName(), BlockCiphers.AES256CBC());
+        SUPPORTED_CIPHERS.put(BlockCiphers.AES128CTR().getName(), BlockCiphers.AES128CTR());
+        SUPPORTED_CIPHERS.put(BlockCiphers.AES192CTR().getName(), BlockCiphers.AES192CTR());
+        SUPPORTED_CIPHERS.put(BlockCiphers.AES256CTR().getName(), BlockCiphers.AES256CTR());
+        SUPPORTED_CIPHERS.put(GcmCiphers.AES256GCM().getName(), GcmCiphers.AES256GCM());
+        SUPPORTED_CIPHERS.put(GcmCiphers.AES128GCM().getName(), GcmCiphers.AES128GCM());
+    }
+
     private PublicKey pubKey;
 
     public static class Factory
@@ -98,19 +118,19 @@ public class OpenSSHKeyV1KeyFile extends BaseFileKeyProvider {
 
     @Override
     protected KeyPair readKeyPair() throws IOException {
-        BufferedReader reader = new BufferedReader(resource.getReader());
+        final BufferedReader reader = new BufferedReader(resource.getReader());
         try {
-            if (!checkHeader(reader)) {
-                throw new IOException("This key is not in 'openssh-key-v1' format");
+            if (checkHeader(reader)) {
+                final String encodedPrivateKey = readEncodedKey(reader);
+                byte[] decodedPrivateKey = Base64.getDecoder().decode(encodedPrivateKey);
+                final PlainBuffer bufferedPrivateKey = new PlainBuffer(decodedPrivateKey);
+                return readDecodedKeyPair(bufferedPrivateKey);
+            } else {
+                final String message = String.format("File header not found [%s%s]", BEGIN, OPENSSH_PRIVATE_KEY);
+                throw new IOException(message);
             }
-
-            String keyFile = readKeyFile(reader);
-            byte[] decode = Base64.getDecoder().decode(keyFile);
-            PlainBuffer keyBuffer = new PlainBuffer(decode);
-            return readDecodedKeyPair(keyBuffer);
-
-        } catch (GeneralSecurityException e) {
-            throw new SSHRuntimeException(e);
+        } catch (final GeneralSecurityException e) {
+            throw new SSHRuntimeException("Read OpenSSH Version 1 Key failed", e);
         } finally {
             IOUtils.closeQuietly(reader);
         }
@@ -135,88 +155,143 @@ public class OpenSSHKeyV1KeyFile extends BaseFileKeyProvider {
 
         int nrKeys = keyBuffer.readUInt32AsInt(); // int number of keys N; Should be 1
         if (nrKeys != 1) {
-            throw new IOException("We don't support having more than 1 key in the file (yet).");
+            final String message = String.format("OpenSSH Private Key number of keys not supported [%d]", nrKeys);
+            throw new IOException(message);
         }
         PublicKey publicKey = pubKey;
         if (publicKey == null) {
             publicKey = readPublicKey(new PlainBuffer(keyBuffer.readBytes()));
-        }
-        else {
+        } else {
             keyBuffer.readBytes();
         }
-        PlainBuffer privateKeyBuffer = new PlainBuffer(keyBuffer.readBytes()); // string (possibly) encrypted, padded list of private keys
-        if ("none".equals(cipherName)) {
-            logger.debug("Reading unencrypted keypair");
+
+        final byte[] privateKeyEncoded = keyBuffer.readBytes();
+        final PlainBuffer privateKeyBuffer = new PlainBuffer(privateKeyEncoded);
+
+        if (NONE_CIPHER.equals(cipherName)) {
             return readUnencrypted(privateKeyBuffer, publicKey);
         } else {
-            logger.info("Keypair is encrypted with: " + cipherName + ", " + kdfName + ", " + Arrays.toString(kdfOptions));
+            final byte[] encryptedPrivateKey = readEncryptedPrivateKey(privateKeyEncoded, keyBuffer);
             while (true) {
-                PlainBuffer decryptionBuffer = new PlainBuffer(privateKeyBuffer);
-                PlainBuffer decrypted = decryptBuffer(decryptionBuffer, cipherName, kdfName, kdfOptions);
+                final byte[] encrypted = encryptedPrivateKey.clone();
                 try {
+                    final PlainBuffer decrypted = decryptPrivateKey(encrypted, privateKeyEncoded.length, cipherName, kdfName, kdfOptions);
                     return readUnencrypted(decrypted, publicKey);
                 } catch (KeyDecryptionFailedException e) {
                     if (pwdf == null || !pwdf.shouldRetry(resource))
                         throw e;
                 }
             }
-//            throw new IOException("Cannot read encrypted keypair with " + cipherName + " yet.");
         }
     }
 
-    private PlainBuffer decryptBuffer(PlainBuffer privateKeyBuffer, String cipherName, String kdfName, byte[] kdfOptions) throws IOException {
-        Cipher cipher = createCipher(cipherName);
-        initializeCipher(kdfName, kdfOptions, cipher);
-        byte[] array = privateKeyBuffer.array();
-        cipher.update(array, 0, privateKeyBuffer.available());
-        return new PlainBuffer(array);
+    private byte[] readEncryptedPrivateKey(final byte[] privateKeyEncoded, final PlainBuffer inputBuffer) throws Buffer.BufferException {
+        final byte[] encryptedPrivateKey;
+
+        final int bufferRemaining = inputBuffer.available();
+        if (bufferRemaining == 0) {
+            encryptedPrivateKey = privateKeyEncoded;
+        } else {
+            // Read Authentication Tag for AES-GCM
+            final byte[] authenticationTag = new byte[bufferRemaining];
+            inputBuffer.readRawBytes(authenticationTag);
+
+            final int encryptedBufferLength = privateKeyEncoded.length + authenticationTag.length;
+            final PlainBuffer encryptedBuffer = new PlainBuffer(encryptedBufferLength);
+            encryptedBuffer.putRawBytes(privateKeyEncoded);
+            encryptedBuffer.putRawBytes(authenticationTag);
+
+            encryptedPrivateKey = new byte[encryptedBufferLength];
+            encryptedBuffer.readRawBytes(encryptedPrivateKey);
+        }
+
+        return encryptedPrivateKey;
     }
 
-    private void initializeCipher(String kdfName, byte[] kdfOptions, Cipher cipher) throws Buffer.BufferException {
+    private PlainBuffer decryptPrivateKey(final byte[] privateKey, final int privateKeyLength, final String cipherName, final String kdfName, final byte[] kdfOptions) throws IOException {
+        try {
+            final Cipher cipher = createCipher(cipherName);
+            initializeCipher(kdfName, kdfOptions, cipher);
+            cipher.update(privateKey, 0, privateKeyLength);
+        } catch (final SSHRuntimeException e) {
+            final String message = String.format("OpenSSH Private Key decryption failed with cipher [%s]", cipherName);
+            throw new KeyDecryptionFailedException(new EncryptionException(message, e));
+        }
+        final PlainBuffer decryptedPrivateKey = new PlainBuffer(privateKeyLength);
+        decryptedPrivateKey.putRawBytes(privateKey, 0, privateKeyLength);
+        return decryptedPrivateKey;
+    }
+
+    private void initializeCipher(final String kdfName, final byte[] kdfOptions, final Cipher cipher) throws Buffer.BufferException {
         if (kdfName.equals(BCRYPT)) {
-            PlainBuffer opts = new PlainBuffer(kdfOptions);
+            final PlainBuffer bufferedOptions = new PlainBuffer(kdfOptions);
             byte[] passphrase = new byte[0];
             if (pwdf != null) {
-                CharBuffer charBuffer = CharBuffer.wrap(pwdf.reqPassword(null));
-                ByteBuffer byteBuffer = Charset.forName("UTF-8").encode(charBuffer);
+                final CharBuffer charBuffer = CharBuffer.wrap(pwdf.reqPassword(null));
+                final ByteBuffer byteBuffer = StandardCharsets.UTF_8.encode(charBuffer);
                 passphrase = Arrays.copyOfRange(byteBuffer.array(), byteBuffer.position(), byteBuffer.limit());
                 Arrays.fill(charBuffer.array(), '\u0000');
                 Arrays.fill(byteBuffer.array(), (byte) 0);
             }
-            byte[] keyiv = new byte[cipher.getIVSize()+ cipher.getBlockSize()];
-            new BCrypt().pbkdf(passphrase, opts.readBytes(), opts.readUInt32AsInt(), keyiv);
+
+            final int ivSize = cipher.getIVSize();
+            final int blockSize = cipher.getBlockSize();
+            final int parameterSize = ivSize + blockSize;
+            final byte[] keyIvParameters = new byte[parameterSize];
+
+            final byte[] salt = bufferedOptions.readBytes();
+            final int iterations = bufferedOptions.readUInt32AsInt();
+            new BCrypt().pbkdf(passphrase, salt, iterations, keyIvParameters);
             Arrays.fill(passphrase, (byte) 0);
-            byte[] key = Arrays.copyOfRange(keyiv, 0, cipher.getBlockSize());
-            byte[] iv = Arrays.copyOfRange(keyiv, cipher.getBlockSize(), cipher.getIVSize() + cipher.getBlockSize());
+
+            final byte[] key = Arrays.copyOfRange(keyIvParameters, 0, blockSize);
+            final byte[] iv = Arrays.copyOfRange(keyIvParameters, blockSize, parameterSize);
+
             cipher.init(Cipher.Mode.Decrypt, key, iv);
         } else {
-            throw new IllegalStateException("No support for KDF '" + kdfName + "'.");
+            final String message = String.format("OpenSSH Private Key encryption KDF not supported [%s]", kdfName);
+            throw new IllegalStateException(message);
         }
     }
 
-    private Cipher createCipher(String cipherName) {
-        if (cipherName.equals(BlockCiphers.AES256CTR().getName())) {
-            return BlockCiphers.AES256CTR().create();
-        } else if (cipherName.equals(BlockCiphers.AES256CBC().getName())) {
-            return BlockCiphers.AES256CBC().create();
-        } else if (cipherName.equals(BlockCiphers.AES128CBC().getName())) {
-            return BlockCiphers.AES128CBC().create();
+    private Cipher createCipher(final String cipherName) {
+        final Cipher cipher;
+
+        if (SUPPORTED_CIPHERS.containsKey(cipherName)) {
+            final Factory.Named<Cipher> cipherFactory = SUPPORTED_CIPHERS.get(cipherName);
+            cipher = cipherFactory.create();
+        } else {
+            final String message = String.format("OpenSSH Key encryption cipher not supported [%s]", cipherName);
+            throw new IllegalStateException(message);
         }
-        throw new IllegalStateException("Cipher '" + cipherName + "' not currently implemented for openssh-key-v1 format");
+
+        return cipher;
     }
 
     private PublicKey readPublicKey(final PlainBuffer plainBuffer) throws Buffer.BufferException, GeneralSecurityException {
         return KeyType.fromString(plainBuffer.readString()).readPubKeyFromBuffer(plainBuffer);
     }
 
-    private String readKeyFile(final BufferedReader reader) throws IOException {
-        StringBuilder sb = new StringBuilder();
+    private String readEncodedKey(final BufferedReader reader) throws IOException {
+        final StringBuilder builder = new StringBuilder();
+
+        boolean footerFound = false;
         String line = reader.readLine();
-        while (!line.startsWith(END)) {
-            sb.append(line);
+        while (line != null) {
+            if (line.startsWith(END)) {
+                footerFound = true;
+                break;
+            }
+            builder.append(line);
             line = reader.readLine();
         }
-        return sb.toString();
+
+        if (footerFound) {
+            return builder.toString();
+        } else {
+            final String message = String.format("File footer not found [%s%s]", END, OPENSSH_PRIVATE_KEY);
+            throw new IOException(message);
+        }
     }
 
     private boolean checkHeader(final BufferedReader reader) throws IOException {
@@ -244,7 +319,7 @@ public class OpenSSHKeyV1KeyFile extends BaseFileKeyProvider {
         // The private key section contains both the public key and the private key
         String keyType = keyBuffer.readString(); // string keytype
         KeyType kt = KeyType.fromString(keyType);
-        logger.info("Read key type: {}", keyType, kt);
+
         KeyPair kp;
         switch (kt) {
             case ED25519:

src/main/java/net/schmizz/sshj/SSHClient.java

@@ -28,7 +28,6 @@ import net.schmizz.sshj.connection.channel.forwarded.RemotePortForwarder.Forward
 import net.schmizz.sshj.connection.channel.forwarded.X11Forwarder;
 import net.schmizz.sshj.connection.channel.forwarded.X11Forwarder.X11Channel;
 import net.schmizz.sshj.sftp.SFTPClient;
-import net.schmizz.sshj.sftp.SFTPEngine;
 import net.schmizz.sshj.sftp.StatefulSFTPClient;
 import net.schmizz.sshj.transport.Transport;
 import net.schmizz.sshj.transport.TransportException;
@@ -733,7 +732,7 @@ public class SSHClient
             throws IOException {
         checkConnected();
         checkAuthenticated();
-        return new SFTPClient(new SFTPEngine(this).init());
+        return new SFTPClient(this);
     }
 
     /**
@@ -746,7 +745,7 @@ public class SSHClient
             throws IOException {
         checkConnected();
         checkAuthenticated();
-        return new StatefulSFTPClient(new SFTPEngine(this).init());
+        return new StatefulSFTPClient(this);
     }
 
     /**

src/main/java/net/schmizz/sshj/sftp/SFTPClient.java

@@ -15,6 +15,7 @@
  */
 package net.schmizz.sshj.sftp;
 
+import net.schmizz.sshj.connection.channel.direct.SessionFactory;
 import net.schmizz.sshj.xfer.FilePermission;
 import net.schmizz.sshj.xfer.LocalDestFile;
 import net.schmizz.sshj.xfer.LocalSourceFile;
@@ -39,6 +40,13 @@ public class SFTPClient
         this.xfer = new SFTPFileTransfer(engine);
     }
 
+    public SFTPClient(SessionFactory sessionFactory) throws IOException {
+        this.engine = new SFTPEngine(sessionFactory);
+        this.engine.init();
+        log = engine.getLoggerFactory().getLogger(getClass());
+        this.xfer = new SFTPFileTransfer(engine);
+    }
+
     public SFTPEngine getSFTPEngine() {
         return engine;
     }
@@ -232,7 +240,7 @@ public class SFTPClient
             throws IOException {
         xfer.download(source, dest);
     }
-    
+
     public void get(String source, String dest, long byteOffset)
             throws IOException {
         xfer.download(source, dest, byteOffset);
@@ -252,7 +260,7 @@ public class SFTPClient
             throws IOException {
         xfer.download(source, dest);
     }
-    
+
     public void get(String source, LocalDestFile dest, long byteOffset)
             throws IOException {
         xfer.download(source, dest, byteOffset);
@@ -262,7 +270,7 @@ public class SFTPClient
             throws IOException {
         xfer.upload(source, dest);
     }
-    
+
     public void put(LocalSourceFile source, String dest, long byteOffset)
             throws IOException {
         xfer.upload(source, dest, byteOffset);

src/main/java/net/schmizz/sshj/sftp/StatefulSFTPClient.java

@@ -15,6 +15,7 @@
  */
 package net.schmizz.sshj.sftp;
 
+import net.schmizz.sshj.connection.channel.direct.SessionFactory;
 import net.schmizz.sshj.xfer.LocalDestFile;
 import net.schmizz.sshj.xfer.LocalSourceFile;
 
@@ -34,6 +35,12 @@ public class StatefulSFTPClient
         log.debug("Start dir = {}", cwd);
     }
 
+    public StatefulSFTPClient(SessionFactory sessionFactory) throws IOException {
+        super(sessionFactory);
+        this.cwd = getSFTPEngine().canonicalize(".");
+        log.debug("Start dir = {}", cwd);
+    }
+
     private synchronized String cwdify(String path) {
         return engine.getPathHelper().adjustForParent(cwd, path);
     }

src/main/java/net/schmizz/sshj/transport/compression/ZlibCompression.java

@@ -22,7 +22,6 @@ import java.util.zip.Inflater;
 import net.schmizz.sshj.common.Buffer;
 import net.schmizz.sshj.common.DisconnectReason;
 import net.schmizz.sshj.transport.TransportException;
-import net.schmizz.sshj.transport.compression.Compression;
 
 public class ZlibCompression implements Compression {
 
@@ -71,10 +70,14 @@ public class ZlibCompression implements Compression {
     public void compress(Buffer buffer) {
         deflater.setInput(buffer.array(), buffer.rpos(), buffer.available());
         buffer.wpos(buffer.rpos());
-        do {
+        while (true) {
             final int len = deflater.deflate(tempBuf, 0, BUF_SIZE, Deflater.SYNC_FLUSH);
-            buffer.putRawBytes(tempBuf, 0, len);
-        } while (!deflater.needsInput());
+            if(len > 0) {
+                buffer.putRawBytes(tempBuf, 0, len);
+            } else {
+                return;
+            }
+        }
     }
 
     @Override

src/test/java/net/schmizz/sshj/keyprovider/OpenSSHKeyFileTest.java

@@ -25,7 +25,6 @@ import net.schmizz.sshj.userauth.password.PasswordFinder;
 import net.schmizz.sshj.userauth.password.PasswordUtils;
 import net.schmizz.sshj.userauth.password.Resource;
 import net.schmizz.sshj.util.KeyUtil;
-import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
 
@@ -226,6 +225,22 @@ public class OpenSSHKeyFileTest {
         assertThat(aPrivate.getAlgorithm(), equalTo("EdDSA"));
     }
 
+    @Test
+    public void shouldHandlePrivateKeyMissingHeader() {
+        OpenSSHKeyV1KeyFile keyFile = new OpenSSHKeyV1KeyFile();
+        keyFile.init(new File("src/test/resources/keyformats/pkcs8"));
+        final IOException exception = assertThrows(IOException.class, keyFile::getPrivate);
+        assertTrue(exception.getMessage().contains("header not found"));
+    }
+
+    @Test
+    public void shouldHandlePrivateKeyMissingFooter() {
+        final OpenSSHKeyV1KeyFile keyFile = new OpenSSHKeyV1KeyFile();
+        keyFile.init(new File("src/test/resources/keytypes/test_ed25519_missing_footer"));
+        final IOException exception = assertThrows(IOException.class, keyFile::getPrivate);
+        assertTrue(exception.getMessage().contains("footer not found"));
+    }
+
     @Test
     public void shouldLoadProtectedED25519PrivateKeyAes256CTR() throws IOException {
         checkOpenSSHKeyV1("src/test/resources/keytypes/ed25519_protected", "sshjtest", false);
@@ -245,7 +260,13 @@ public class OpenSSHKeyFileTest {
     }
 
     @Test
-    public void shouldFailOnIncorrectPassphraseAfterRetries() throws IOException {
+    public void shouldLoadProtectedEd25519PrivateKeyAES256GCM() throws IOException {
+        checkOpenSSHKeyV1("src/test/resources/keytypes/ed25519_aes256-gcm", "sshjtest", false);
+        checkOpenSSHKeyV1("src/test/resources/keytypes/ed25519_aes256-gcm", "sshjtest", true);
+    }
+
+    @Test
+    public void shouldFailOnIncorrectPassphraseAfterRetries() {
         assertThrows(KeyDecryptionFailedException.class, () -> {
         OpenSSHKeyV1KeyFile keyFile = new OpenSSHKeyV1KeyFile();
         keyFile.init(new File("src/test/resources/keytypes/ed25519_aes256cbc.pem"), new PasswordFinder() {

src/test/resources/keytypes/ed25519_aes256-gcm

@@ -0,0 +1,9 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAAFmFlczI1Ni1nY21Ab3BlbnNzaC5jb20AAAAGYmNyeXB0AA
+AAGAAAABDpxH70vULcphyZoyd8Roc8AAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAA
+ID3cbY1HvyY8fXNrcESSpXm/3nGKpjxNjrlD+U5oMVmxAAAAoGXyMyKfXmGAVGLI3jbwk5
+gqrHAEFI5HHuYfW1DAAjSlj41paovl9tk7jZLIGslLUrUkN8Ac6ACNYuCWQZPgPr5mXHDx
+x+8GpdYPrgamB74lVwEPwk1BVjJRYUDRJ0SWyHagybITJhutq7yH+hZS+S05q2EeVee4Cn
+ZqESfmPZwdHg41IkdVTrZcLzadjPrcqrGzg1P7T9zl9hLD2QfBmO+XN2FPM+ufOGxpHHyJ
+SY/c
+-----END OPENSSH PRIVATE KEY-----

src/test/resources/keytypes/ed25519_aes256-gcm.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID3cbY1HvyY8fXNrcESSpXm/3nGKpjxNjrlD+U5oMVmx

src/test/resources/keytypes/test_ed25519_missing_footer

@@ -0,0 +1,6 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAwHSYkZJATPMgvLHkxKAJ9j38Gyyq5HGoWdMcT6FiAiQAAAJDimgR84poE
+fAAAAAtzc2gtZWQyNTUxOQAAACAwHSYkZJATPMgvLHkxKAJ9j38Gyyq5HGoWdMcT6FiAiQ
+AAAECmsckQycWnfGQK6XtQpaMGODbAkMQOdJNK6XJSipB7dDAdJiRkkBM8yC8seTEoAn2P
+fwbLKrkcahZ0xxPoWICJAAAACXJvb3RAc3NoagECAwQ=