BUG 3555: disable RC4 in mina-sshd
[controller.git] / opendaylight / netconf / netconf-ssh / src / main / java / org / opendaylight / controller / netconf / ssh / SshProxyServer.java
index 0b85cf2653e9ca07b294651265cc882bbae8b841..b91bdc8da67d95a630077170ae0cdd78869a32af 100644 (file)
@@ -10,18 +10,22 @@ package org.opendaylight.controller.netconf.ssh;
 
 import com.google.common.collect.Lists;
 import io.netty.channel.EventLoopGroup;
-import io.netty.channel.local.LocalAddress;
 import java.io.IOException;
-import java.net.InetSocketAddress;
 import java.nio.channels.AsynchronousChannelGroup;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.TimeUnit;
 import org.apache.sshd.SshServer;
+import org.apache.sshd.common.Cipher;
 import org.apache.sshd.common.FactoryManager;
-import org.apache.sshd.common.KeyPairProvider;
 import org.apache.sshd.common.NamedFactory;
 import org.apache.sshd.common.RuntimeSshException;
+import org.apache.sshd.common.cipher.ARCFOUR128;
+import org.apache.sshd.common.cipher.ARCFOUR256;
 import org.apache.sshd.common.io.IoAcceptor;
 import org.apache.sshd.common.io.IoConnector;
 import org.apache.sshd.common.io.IoHandler;
@@ -32,7 +36,7 @@ import org.apache.sshd.common.io.nio2.Nio2Connector;
 import org.apache.sshd.common.io.nio2.Nio2ServiceFactoryFactory;
 import org.apache.sshd.common.util.CloseableUtils;
 import org.apache.sshd.server.Command;
-import org.apache.sshd.server.PasswordAuthenticator;
+import org.apache.sshd.server.ServerFactoryManager;
 
 /**
  * Proxy SSH server that just delegates decrypted content to a delegate server within same VM.
@@ -40,6 +44,8 @@ import org.apache.sshd.server.PasswordAuthenticator;
  */
 public class SshProxyServer implements AutoCloseable {
 
+    private static final ARCFOUR128.Factory DEFAULT_ARCFOUR128_FACTORY = new ARCFOUR128.Factory();
+    private static final ARCFOUR256.Factory DEFAULT_ARCFOUR256_FACTORY = new ARCFOUR256.Factory();
     private final SshServer sshServer;
     private final ScheduledExecutorService minaTimerExecutor;
     private final EventLoopGroup clientGroup;
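Review bot: The two factory instances added here are read only for their getName() value in the cipher filter inside bind(), so the class keeps two Cipher factories alive purely as name holders, which is not obvious to a reader of this hunk. A short comment would make the intent clear, e.g. `// instantiated only to obtain the canonical RC4 cipher names that bind() filters out of the server's cipher list`. The rest of the class's fields and its constructor lie outside this hunk.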
@@ -52,22 +58,43 @@ public class SshProxyServer implements AutoCloseable {
         this.sshServer = SshServer.setUpDefaultServer();
     }
 
-    public void bind(final InetSocketAddress bindingAddress, final LocalAddress localAddress, final PasswordAuthenticator authenticator, final KeyPairProvider keyPairProvider) throws IOException {
-        sshServer.setHost(bindingAddress.getHostString());
-        sshServer.setPort(bindingAddress.getPort());
-
-        sshServer.setPasswordAuthenticator(authenticator);
-        sshServer.setKeyPairProvider(keyPairProvider);
+    public void bind(final SshProxyServerConfiguration sshProxyServerConfiguration) throws IOException {
+        sshServer.setHost(sshProxyServerConfiguration.getBindingAddress().getHostString());
+        sshServer.setPort(sshProxyServerConfiguration.getBindingAddress().getPort());
+
+        //remove rc4 ciphers
+        final List<NamedFactory<Cipher>> cipherFactories = sshServer.getCipherFactories();
+        for (Iterator<NamedFactory<Cipher>> i = cipherFactories.iterator(); i.hasNext(); ) {
+            final NamedFactory<Cipher> factory = i.next();
+            if (factory.getName().contains(DEFAULT_ARCFOUR128_FACTORY.getName())
+                    || factory.getName().contains(DEFAULT_ARCFOUR256_FACTORY.getName())) {
+                i.remove();
+            }
+        }
+        sshServer.setPasswordAuthenticator(sshProxyServerConfiguration.getAuthenticator());
+        sshServer.setKeyPairProvider(sshProxyServerConfiguration.getKeyPairProvider());
 
         sshServer.setIoServiceFactoryFactory(nioServiceWithPoolFactoryFactory);
         sshServer.setScheduledExecutorService(minaTimerExecutor);
+        sshServer.setProperties(getProperties(sshProxyServerConfiguration));
 
         final RemoteNetconfCommand.NetconfCommandFactory netconfCommandFactory =
-                new RemoteNetconfCommand.NetconfCommandFactory(clientGroup, localAddress);
+                new RemoteNetconfCommand.NetconfCommandFactory(clientGroup, sshProxyServerConfiguration.getLocalAddress());
         sshServer.setSubsystemFactories(Lists.<NamedFactory<Command>>newArrayList(netconfCommandFactory));
         sshServer.start();
     }
 
+    private static Map<String, String> getProperties(final SshProxyServerConfiguration sshProxyServerConfiguration) {
+        return new HashMap<String, String>()
+        {
+            {
+                put(ServerFactoryManager.IDLE_TIMEOUT, String.valueOf(sshProxyServerConfiguration.getIdleTimeout()));
+                // TODO make auth timeout configurable on its own
+                put(ServerFactoryManager.AUTH_TIMEOUT, String.valueOf(sshProxyServerConfiguration.getIdleTimeout()));
+            }
+        };
+    }
+
     @Override
     public void close() {
         try {
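Review bot: The RC4 filter in bind() mutates the list returned by `sshServer.getCipherFactories()` through its iterator, so whether RC4 is actually disabled depends on that getter handing back the live, mutable list the server negotiates with; if it ever returns a copy or an unmodifiable view, the removal silently leaves RC4 enabled or throws, and nothing here would notice. Building a filtered list and handing it back via `sshServer.setCipherFactories(...)` makes the intent explicit and does not rely on that detail, and `equals` on the names is what is meant rather than the substring `contains` check. Separately, getProperties() uses an anonymous `HashMap` subclass (double-brace initialisation), which generates an extra class and captures `sshProxyServerConfiguration` as a synthetic field for the lifetime of the map; a plain `new HashMap<String, String>()` with two `put` calls is equivalent, and the TODO on `AUTH_TIMEOUT` would read better as `// auth timeout intentionally mirrors idle timeout until it gets its own configuration option`. close() continues past the end of this hunk.
```java
        //remove rc4 ciphers
        final List<NamedFactory<Cipher>> cipherFactories = Lists.newArrayList();
        for (final NamedFactory<Cipher> factory : sshServer.getCipherFactories()) {
            if (!factory.getName().equals(DEFAULT_ARCFOUR128_FACTORY.getName())
                    && !factory.getName().equals(DEFAULT_ARCFOUR256_FACTORY.getName())) {
                cipherFactories.add(factory);
            }
        }
        sshServer.setCipherFactories(cipherFactories);
        // … unchanged: authenticator, key pair provider, executor, properties and subsystem setup …
```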