lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-12-12 15:41:16 +03:00
Code Activity

kex, pki, server, options: Filter algorithms in FIPS mode

Browse Source 
When in FIPS mode, filter the algorithms to enable only the allowed
ones.  If any algorithm is explicitly set through options or
configuration file, they are kept.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Anderson Toshiyuki Sasaki
2019-05-22 18:33:14 +02:00
committed by Andreas Schneider
parent 56041dc784
commit 54d76098ed
5 changed files with 137 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/server.c
View File

@@ -142,7 +142,11 @@ int server_set_kex(ssh_session session)
if (session->opts.wanted_methods[SSH_HOSTKEYS]) {
allowed = session->opts.wanted_methods[SSH_HOSTKEYS];
} else {
allowed = ssh_kex_get_default_methods(SSH_HOSTKEYS);
if (ssh_fips_mode()) {
allowed = ssh_kex_get_fips_methods(SSH_HOSTKEYS);
} else {
allowed = ssh_kex_get_default_methods(SSH_HOSTKEYS);
}
}
/* It is expected for the list of allowed hostkeys to be ordered by
@@ -163,8 +167,13 @@ int server_set_kex(ssh_session session)
}
for (i = 0; i < 10; i++) {
if ((wanted = session->opts.wanted_methods[i]) == NULL) {
wanted = ssh_kex_get_default_methods(i);
wanted = session->opts.wanted_methods[i];
if (wanted == NULL) {
if (ssh_fips_mode()) {
wanted = ssh_kex_get_fips_methods(i);
} else {
wanted = ssh_kex_get_default_methods(i);
}
}
server->methods[i] = strdup(wanted);
if (server->methods[i] == NULL) {