From 1b7146e28f6816055d5b05861376eda39aa205c4 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki
Date: Sun, 9 Jun 2019 01:04:32 +0200
Subject: [PATCH] server: Send only allowed algorithms in extension

Send only allowed algorithms in server-sig-algs extension if in FIPS mode.

Signed-off-by: Anderson Toshiyuki Sasaki
Reviewed-by: Andreas Schneider
---
 src/server.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/server.c b/src/server.c
index f5a12bdf..11cc78f0 100644
--- a/src/server.c
+++ b/src/server.c
@@ -211,8 +211,12 @@ static int ssh_server_send_extensions(ssh_session session) {
 if (session->opts.pubkey_accepted_types) {
 hostkey_algorithms = session->opts.pubkey_accepted_types;
 } else {
- /* There are no restrictions to the accepted public keys */
- hostkey_algorithms = ssh_kex_get_default_methods(SSH_HOSTKEYS);
+ if (ssh_fips_mode()) {
+ hostkey_algorithms = ssh_kex_get_fips_methods(SSH_HOSTKEYS);
+ } else {
+ /* There are no restrictions to the accepted public keys */
+ hostkey_algorithms = ssh_kex_get_default_methods(SSH_HOSTKEYS);
+ }
 }

 rc = ssh_buffer_pack(session->out_buffer,
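Review bot: The FIPS restriction is applied only in the `else` branch, so when `session->opts.pubkey_accepted_types` is set it is still packed into the extension unfiltered, even when `ssh_fips_mode()` is true. Whether that list was already reduced to approved algorithms when the option was set cannot be seen from this hunk. If it was, record the assumption at the first branch with a comment such as `/* pubkey_accepted_types was already limited to FIPS-approved algorithms when the option was set */`; if it was not, the list should be filtered here too, so that the advertised server-sig-algs match what authentication will actually accept. As a smaller style point, the nested block could be flattened to `} else if (ssh_fips_mode()) {`. The body of ssh_server_send_extensions starts and ends outside the hunk.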