Switch chacha20-poly1305@openssh.com to a pure Bouncy Castle based im…

…plementation. JEP 329 implements an RFC-7539 version of ChaCha20 (96 bit nonce + 32 bit counter), while OpenSSH uses a different variant of ChaCha20 (64 bit nonce + 64 bit counter). Switching to Bouncy Castle's ChaChaEngine eliminates dependence upon JEP 329's implementation working for the non RFC-7539 version of ChaCha20 that OpenSSH utilizes.
fuse-code-support · Dec 20, 2021 · f10672a · f10672a
1 parent ee2410e
commit f10672a
Show file tree

Hide file tree

Showing 9 changed files with 18 additions and 888 deletions.
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -1,3 +1,5 @@
+* [0.1.72](https://github.com/mwiede/jsch/releases/tag/jsch-0.1.72)
+  * Switch chacha20-poly1305@<!-- -->openssh.com algorithm to a pure [Bouncy Castle](https://www.bouncycastle.org/java.html) based implementation
 * [0.1.71](https://github.com/mwiede/jsch/releases/tag/jsch-0.1.71)
   * Address [#98](https://github.com/mwiede/jsch/issues/98) by restoring JSch.VERSION
 * [0.1.70](https://github.com/mwiede/jsch/releases/tag/jsch-0.1.70)

diff --git a/LICENSE.OpenJAX.txt b/LICENSE.OpenJAX.txt
diff --git a/Readme.md b/Readme.md
@@ -62,9 +62,11 @@ As I explained in a [blog post](http://www.matez.de/index.php/2020/06/22/the-fut
       * analogous to `JSch.setConfig("MaxAuthTries", "...")`
 * Are ssh-ed25519, ssh-ed448, curve25519-sha256, curve448-sha512 & chacha20-poly1305@<!-- -->openssh.com supported?
   * This library is a Multi-Release-jar, which means that you can only use certain features when a more recent Java version is used.
-    * In order to use ssh-ed25519 & ssh-ed448, you must use at least Java 15.
-    * In order to use curve25519-sha256, curve448-sha512 & chacha20-poly1305@<!-- -->openssh.com, you must use at least Java 11.
+    * In order to use ssh-ed25519 & ssh-ed448, you must use at least Java 15 or add [Bouncy Castle](https://www.bouncycastle.org/java.html) (bcprov-jdk15on) to the classpath.
+    * In order to use curve25519-sha256 & curve448-sha512, you must use at least Java 11 or add [Bouncy Castle](https://www.bouncycastle.org/java.html) (bcprov-jdk15on) to the classpath.
+    * In order to use chacha20-poly1305@<!-- -->openssh.com, you must add [Bouncy Castle](https://www.bouncycastle.org/java.html) (bcprov-jdk15on) to the classpath.
   * As of the [0.1.66](https://github.com/mwiede/jsch/releases/tag/jsch-0.1.66) release, these algorithms can now be used with older Java releases if [Bouncy Castle](https://www.bouncycastle.org/java.html) (bcprov-jdk15on) is added to the classpath.
+    * As of the [0.1.72](https://github.com/mwiede/jsch/releases/tag/jsch-0.1.72) release, chacha20-poly1305@<!-- -->openssh.com can only be used if [Bouncy Castle](https://www.bouncycastle.org/java.html) (bcprov-jdk15on) is added to the classpath.
 
 ## Changes since fork:
 See [ChangeLog.md](ChangeLog.md)
diff --git a/src/main/java/com/jcraft/jsch/JSch.java b/src/main/java/com/jcraft/jsch/JSch.java
@@ -46,8 +46,8 @@ public class JSch{
     config.put("server_host_key", Util.getSystemProperty("jsch.server_host_key", "ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa"));
     config.put("prefer_known_host_key_types", Util.getSystemProperty("jsch.prefer_known_host_key_types", "yes"));
     config.put("enable_server_sig_algs", Util.getSystemProperty("jsch.enable_server_sig_algs", "yes"));
-    config.put("cipher.s2c", Util.getSystemProperty("jsch.cipher", "aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com"));
-    config.put("cipher.c2s", Util.getSystemProperty("jsch.cipher", "aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com"));
+    config.put("cipher.s2c", Util.getSystemProperty("jsch.cipher", "aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com"));
+    config.put("cipher.c2s", Util.getSystemProperty("jsch.cipher", "aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com"));
     config.put("mac.s2c", Util.getSystemProperty("jsch.mac", "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1"));
     config.put("mac.c2s", Util.getSystemProperty("jsch.mac", "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1"));
     config.put("compression.s2c", Util.getSystemProperty("jsch.compression", "none"));
@@ -172,6 +172,7 @@ public class JSch{
     config.put("aes256-cbc",    "com.jcraft.jsch.jce.AES256CBC");
     config.put("rijndael-cbc@lysator.liu.se",    "com.jcraft.jsch.jce.AES256CBC");
 
+    config.put("chacha20-poly1305@openssh.com", "com.jcraft.jsch.bc.ChaCha20Poly1305");
     config.put("cast128-cbc",    "com.jcraft.jsch.bc.CAST128CBC");
     config.put("cast128-ctr",    "com.jcraft.jsch.bc.CAST128CTR");
     config.put("twofish128-cbc",    "com.jcraft.jsch.bc.Twofish128CBC");
@@ -205,11 +206,9 @@ public class JSch{
     config.put("pbkdf", "com.jcraft.jsch.jce.PBKDF");
 
     if(JavaVersion.getVersion()>=11){
-      config.put("chacha20-poly1305@openssh.com", "com.jcraft.jsch.jce.ChaCha20Poly1305");
       config.put("xdh", "com.jcraft.jsch.jce.XDH");
     }
     else{
-      config.put("chacha20-poly1305@openssh.com", "com.jcraft.jsch.bc.ChaCha20Poly1305");
       config.put("xdh", "com.jcraft.jsch.bc.XDH");
     }
 

diff --git a/src/main/java/com/jcraft/jsch/bc/ChaCha20Poly1305.java b/src/main/java/com/jcraft/jsch/bc/ChaCha20Poly1305.java
@@ -30,10 +30,10 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 package com.jcraft.jsch.bc;
 
 import com.jcraft.jsch.Cipher;
-import com.jcraft.jsch.openjax.Poly1305;
 import java.nio.ByteBuffer;
 import javax.crypto.AEADBadTagException;
 import org.bouncycastle.crypto.engines.ChaChaEngine;
+import org.bouncycastle.crypto.macs.Poly1305;
 import org.bouncycastle.crypto.params.*;
 
 public class ChaCha20Poly1305 implements Cipher{
@@ -72,6 +72,7 @@ public void init(int mode, byte[] key, byte[] iv) throws Exception{
       K_2_spec=new KeyParameter(K_2, 0, K_2.length);
       header_cipher=new ChaChaEngine();
       main_cipher=new ChaChaEngine();
+      poly1305 = new Poly1305();
     }
     catch(Exception e){
       header_cipher=null;
@@ -89,11 +90,9 @@ public void update(int foo) throws Exception{
     main_cipher.init(this.mode==ENCRYPT_MODE, new ParametersWithIV(K_2_spec, nonce.array(), 0, nonce.array().length));
     // Trying to reinit the cipher again with same nonce results in InvalidKeyException
     // So just read entire first 64-byte block, which should increment global counter from 0->1
-    byte[] poly_key = new byte[32];
-    byte[] discard = new byte[32];
-    main_cipher.processBytes(poly_key, 0, 32, poly_key, 0);
-    main_cipher.processBytes(discard, 0, 32, discard, 0);
-    poly1305 = new Poly1305(poly_key);
+    byte[] poly_key = new byte[64];
+    main_cipher.processBytes(poly_key, 0, poly_key.length, poly_key, 0);
+    poly1305.init(new KeyParameter(poly_key, 0, 32));
   }
   @Override
   public void update(byte[] foo, int s1, int len, byte[] bar, int s2) throws Exception{
@@ -108,7 +107,8 @@ public void doFinal(byte[] foo, int s1, int len, byte[] bar, int s2) throws Exce
       byte[] actual_tag = new byte[tagsize];
       System.arraycopy(foo, len, actual_tag, 0, tagsize);
       byte[] expected_tag = new byte[tagsize];
-      poly1305.update(foo, s1, len).finish(expected_tag, 0);
+      poly1305.update(foo, s1, len);
+      poly1305.doFinal(expected_tag, 0);
       if(!arraysequals(actual_tag, expected_tag)){
         throw new AEADBadTagException("Tag mismatch");
       }
@@ -117,7 +117,8 @@ public void doFinal(byte[] foo, int s1, int len, byte[] bar, int s2) throws Exce
     main_cipher.processBytes(foo, s1+4, len-4, bar, s2+4);
 
     if(this.mode==ENCRYPT_MODE){
-      poly1305.update(bar, s2, len).finish(bar, len);
+      poly1305.update(bar, s2, len);
+      poly1305.doFinal(bar, len);
     }
   }
   @Override