From 84d02e7440ddfffd43e04276571ea238afffbda7 Mon Sep 17 00:00:00 2001 From: David Wedderwille Date: Fri, 28 Mar 2025 00:26:52 +0100 Subject: [PATCH] kex: Make existing convenience features available Signed-off-by: David Wedderwille Reviewed-by: Jakub Jelen --- include/libssh/libssh.h | 1 + src/kex.c | 19 +++++++++++++++++++ tests/client/torture_auth.c | 2 +- tests/client/torture_auth_cert.c | 2 +- tests/pkd/pkd_daemon.c | 12 ++++++------ tests/server/torture_server_config.c | 2 +- tests/ssh_ping.c | 2 +- 7 files changed, 30 insertions(+), 10 deletions(-) diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h index 28fe7396..a485132b 100644 --- a/include/libssh/libssh.h +++ b/include/libssh/libssh.h @@ -875,6 +875,7 @@ LIBSSH_API const char* ssh_get_cipher_in(ssh_session session); LIBSSH_API const char* ssh_get_cipher_out(ssh_session session); LIBSSH_API const char* ssh_get_hmac_in(ssh_session session); LIBSSH_API const char* ssh_get_hmac_out(ssh_session session); +LIBSSH_API const char *ssh_get_supported_methods(enum ssh_kex_types_e type); LIBSSH_API ssh_buffer ssh_buffer_new(void); LIBSSH_API void ssh_buffer_free(ssh_buffer buffer); diff --git a/src/kex.c b/src/kex.c index 403f726a..991f414e 100644 --- a/src/kex.c +++ b/src/kex.c @@ -310,6 +310,25 @@ const char *ssh_kex_get_fips_methods(enum ssh_kex_types_e type) return fips_methods[type]; } +/** + * @brief Get a list of supported algorithms of a given type. This respects the + * FIPS mode status. + * + * @param[in] type The type of the algorithm to query (SSH_KEX, SSH_MAC_C_S, + * ...). + * + * @return The list of supported methods as comma-separated string, or NULL for + * unknown type. + */ +const char *ssh_get_supported_methods(enum ssh_kex_types_e type) +{ + if (ssh_fips_mode()) { + return ssh_kex_get_fips_methods(type); + } else { + return ssh_kex_get_supported_method(type); + } +} + /** * @internal * @brief returns whether the first client key exchange algorithm or 
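Review bot: The doc comment on the new public `ssh_get_supported_methods()` in src/kex.c does not say that, outside FIPS mode, the result is everything the build supports rather than the default set. The pkd test in this same patch passes it to `ssh_bind_options_set` under the comment "Add methods not enabled by default", so an application copying that pattern would presumably enable algorithms the library leaves off by default. I would add a line such as `@note The list may include algorithms that are not enabled by default; filter it against local policy before passing it to ssh_options_set().` and also state that the returned string is owned by the library and must not be freed or modified (inferred from the callee returning `fips_methods[type]`). The "NULL for unknown type" promise depends on range checks in both callees, which lie outside this hunk (only `return fips_methods[type];` is visible), so confirm both reject an out-of-range `type` now that any caller can reach them.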
diff --git a/tests/client/torture_auth.c b/tests/client/torture_auth.c index c677b2cd..42d15193 100644 --- a/tests/client/torture_auth.c +++ b/tests/client/torture_auth.c @@ -72,7 +72,7 @@ static int session_setup(void **state) assert_ssh_return_code(s->ssh.session, rc); /* Enable all hostkeys */ - all_keytypes = ssh_kex_get_supported_method(SSH_HOSTKEYS); + all_keytypes = ssh_get_supported_methods(SSH_HOSTKEYS); rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, all_keytypes); assert_ssh_return_code(s->ssh.session, rc); diff --git a/tests/client/torture_auth_cert.c b/tests/client/torture_auth_cert.c index f0ad7c95..a03f6358 100644 --- a/tests/client/torture_auth_cert.c +++ b/tests/client/torture_auth_cert.c @@ -74,7 +74,7 @@ static int session_setup(void **state) assert_ssh_return_code(s->ssh.session, rc); /* Enable all hostkeys */ - all_keytypes = ssh_kex_get_supported_method(SSH_HOSTKEYS); + all_keytypes = ssh_get_supported_methods(SSH_HOSTKEYS); rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, all_keytypes); assert_ssh_return_code(s->ssh.session, rc); diff --git a/tests/pkd/pkd_daemon.c b/tests/pkd/pkd_daemon.c index ac4b53b7..6c9ca03e 100644 --- a/tests/pkd/pkd_daemon.c +++ b/tests/pkd/pkd_daemon.c @@ -297,7 +297,7 @@ static int pkd_exec_hello(int fd, struct pkd_daemon_args *args) /* Add methods not enabled by default */ /* Enable all supported key exchange methods */ - all_kex = ssh_kex_get_supported_method(SSH_KEX); + all_kex = ssh_get_supported_methods(SSH_KEX); rc = ssh_bind_options_set(b, SSH_BIND_OPTIONS_KEY_EXCHANGE, all_kex); if (rc != 0) { pkderr("ssh_bind_options_set kex methods: %s\n", ssh_get_error(b)); 
@@ -305,14 +305,14 @@ static int pkd_exec_hello(int fd, struct pkd_daemon_args *args) } /* Enable all supported ciphers */ - all_ciphers = ssh_kex_get_supported_method(SSH_CRYPT_C_S); + all_ciphers = ssh_get_supported_methods(SSH_CRYPT_C_S); rc = ssh_bind_options_set(b, SSH_BIND_OPTIONS_CIPHERS_C_S, all_ciphers); if (rc != 0) { pkderr("ssh_bind_options_set Ciphers C-S: %s\n", ssh_get_error(b)); goto outclose; } - all_ciphers = ssh_kex_get_supported_method(SSH_CRYPT_S_C); + all_ciphers = ssh_get_supported_methods(SSH_CRYPT_S_C); rc = ssh_bind_options_set(b, SSH_BIND_OPTIONS_CIPHERS_S_C, all_ciphers); if (rc != 0) { pkderr("ssh_bind_options_set Ciphers S-C: %s\n", ssh_get_error(b)); @@ -320,7 +320,7 @@ static int pkd_exec_hello(int fd, struct pkd_daemon_args *args) } /* Enable all hostkey algorithms */ - all_hostkeys = ssh_kex_get_supported_method(SSH_HOSTKEYS); + all_hostkeys = ssh_get_supported_methods(SSH_HOSTKEYS); rc = ssh_bind_options_set(b, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS, all_hostkeys); if (rc != 0) { pkderr("ssh_bind_options_set Hostkeys: %s\n", ssh_get_error(b)); @@ -328,14 +328,14 @@ static int pkd_exec_hello(int fd, struct pkd_daemon_args *args) } /* Enable all message authentication codes */ - all_macs = ssh_kex_get_supported_method(SSH_MAC_C_S); + all_macs = ssh_get_supported_methods(SSH_MAC_C_S); rc = ssh_bind_options_set(b, SSH_BIND_OPTIONS_HMAC_C_S, all_macs); if (rc != 0) { pkderr("ssh_bind_options_set MACs C-S: %s\n", ssh_get_error(b)); goto outclose; } - all_macs = ssh_kex_get_supported_method(SSH_MAC_S_C); + all_macs = ssh_get_supported_methods(SSH_MAC_S_C); rc = ssh_bind_options_set(b, SSH_BIND_OPTIONS_HMAC_S_C, all_macs); if (rc != 0) { pkderr("ssh_bind_options_set MACs S-C: %s\n", ssh_get_error(b)); diff --git a/tests/server/torture_server_config.c b/tests/server/torture_server_config.c index 0bb11ec0..c3c5f3a5 100644 --- a/tests/server/torture_server_config.c +++ b/tests/server/torture_server_config.c 
@@ -226,7 +226,7 @@ static int session_setup(void **state) struct test_server_st *tss = *state; struct torture_state *s; int verbosity = torture_libssh_verbosity(); - const char *compat_hostkeys = ssh_kex_get_supported_method(SSH_HOSTKEYS); + const char *compat_hostkeys = ssh_get_supported_methods(SSH_HOSTKEYS); struct passwd *pwd; bool b = false; int rc; diff --git a/tests/ssh_ping.c b/tests/ssh_ping.c index 01754590..ac780994 100644 --- a/tests/ssh_ping.c +++ b/tests/ssh_ping.c @@ -61,7 +61,7 @@ int main(int argc, char **argv) } /* Enable all supported algorithms */ - hostkeys = ssh_kex_get_supported_method(SSH_HOSTKEYS); + hostkeys = ssh_get_supported_methods(SSH_HOSTKEYS); rc = ssh_options_set(session, SSH_OPTIONS_HOSTKEYS, hostkeys); if (rc < 0) { goto out;