Add support for JCE (Java Cryptography Extension) ciphers
Configures the SSHD daemon to enable support the extra strength
ciphers -if- available in the current JRE. These extensions can be
installed by downloading the JCE policy files from Oracle and
following the installation instructions.
Change-Id: Idd934a29b049b61cddadde5bf797514fcbc654d9
diff --git a/Documentation/install.txt b/Documentation/install.txt
index 0157079..bdca158 100644
--- a/Documentation/install.txt
+++ b/Documentation/install.txt
@@ -10,6 +10,36 @@
You'll also need an SQL database to house the review metadata. You have the
choice of either using the embedded H2 or to host your own MySQL or PostgreSQL.
+[[cryptography]]
+== Configure Java for Strong Cryptography
+Support for extra strength cryptographic ciphers: _AES128CTR_, _AES256CTR_,
+_ARCFOUR256_, and _ARCFOUR128_ can be enabled by downloading the _Java
+Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files_
+from Oracle and installing them into your JRE.
+
+NOTE: Installing JCE extensions is optional and export restrictions may apply.
+
+. Download the unlimited strength JCE policy files.
++
+- link:http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html[JDK7 JCE policy files]
+- link:http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html[JDK8 JCE policy files]
+. Uncompress and extract the downloaded file.
++
+The downloaded file contains the following files:
++
+[cols="2"]
+|===
+|README.txt
+|Information about JCE and installation guide
+
+|local_policy.jar
+|Unlimited strength local policy file
+
+|US_export_policy.jar
+|Unlimited strength US export policy file
+|===
+. Install the unlimited strength policy JAR files by following instructions
+found in `README.txt`.
[[download]]
== Download Gerrit
diff --git a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java
index 6351280..767a3fc 100644
--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java
@@ -47,11 +47,15 @@
import org.apache.sshd.common.Signature;
import org.apache.sshd.common.SshdSocketAddress;
import org.apache.sshd.common.cipher.AES128CBC;
+import org.apache.sshd.common.cipher.AES128CTR;
import org.apache.sshd.common.cipher.AES192CBC;
import org.apache.sshd.common.cipher.AES256CBC;
+import org.apache.sshd.common.cipher.AES256CTR;
import org.apache.sshd.common.cipher.BlowfishCBC;
import org.apache.sshd.common.cipher.CipherNone;
import org.apache.sshd.common.cipher.TripleDESCBC;
+import org.apache.sshd.common.cipher.ARCFOUR128;
+import org.apache.sshd.common.cipher.ARCFOUR256;
import org.apache.sshd.common.compression.CompressionNone;
import org.apache.sshd.common.file.FileSystemFactory;
import org.apache.sshd.common.file.FileSystemView;
@@ -367,6 +371,10 @@
a.add(new BlowfishCBC.Factory());
a.add(new AES192CBC.Factory());
a.add(new AES256CBC.Factory());
+ a.add(new AES128CTR.Factory());
+ a.add(new AES256CTR.Factory());
+ a.add(new ARCFOUR256.Factory());
+ a.add(new ARCFOUR128.Factory());
for (Iterator<NamedFactory<Cipher>> i = a.iterator(); i.hasNext();) {
final NamedFactory<Cipher> f = i.next();
