src/kex.c: removes DES and SHA1 from mac and kex algorithms by default.

Signed-off-by: Sahana Prasad <sahana@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>

src/kex.c

@@ -168,16 +168,17 @@
 
 #define CHACHA20 "chacha20-poly1305@openssh.com,"
 
-#define KEY_EXCHANGE \
+#define DEFAULT_KEY_EXCHANGE \
     CURVE25519 \
     ECDH \
     "diffie-hellman-group18-sha512,diffie-hellman-group16-sha512," \
     GEX_SHA256 \
-    "diffie-hellman-group14-sha256," \
+    "diffie-hellman-group14-sha256" \
-    "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
+
 #define KEY_EXCHANGE_SUPPORTED \
     GEX_SHA1 \
-    KEY_EXCHANGE
+    DEFAULT_KEY_EXCHANGE \
+    ",diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
 
 /* RFC 8308 */
 #define KEX_EXTENSION_CLIENT "ext-info-c"
@@ -231,12 +232,12 @@ static const char *fips_methods[] = {
 
 /* NOTE: This is a fixed API and the index is defined by ssh_kex_types_e */
 static const char *default_methods[] = {
-    KEY_EXCHANGE,
+    DEFAULT_KEY_EXCHANGE,
     DEFAULT_PUBLIC_KEY_ALGORITHMS,
-    CHACHA20 AES DES,
+    CHACHA20 AES,
-    CHACHA20 AES DES,
+    CHACHA20 AES,
-    "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1",
+    "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512",
-    "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1",
+    "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512",
     "none",
     "none",
     "",

tests/pkd/pkd_daemon.c

@@ -247,10 +247,9 @@ static int pkd_exec_hello(int fd, struct pkd_daemon_args *args)
     int level = args->opts.libssh_log_level;
     enum pkd_hostkey_type_e type = args->type;
     const char *hostkeypath = args->hostkeypath;
-    const char *default_kex = NULL;
+    const char *all_kex = NULL;
-    char *all_kex = NULL;
-    size_t kex_len = 0;
     const char *all_ciphers = NULL;
+    const char *all_macs = NULL;
     const uint64_t rekey_data_limit = args->rekey_data_limit;
     bool process_config = false;
 
@@ -302,17 +301,10 @@ static int pkd_exec_hello(int fd, struct pkd_daemon_args *args)
     if (!ssh_fips_mode()) {
         const char *all_hostkeys = NULL;
         /* Add methods not enabled by default */
-#define GEX_SHA1 "diffie-hellman-group-exchange-sha1"
+
-        default_kex = ssh_kex_get_default_methods(SSH_KEX);
+        /* Enable all supported key exchange methods */
-        kex_len = strlen(default_kex) + strlen(GEX_SHA1) + 2;
+        all_kex = ssh_kex_get_supported_method(SSH_KEX);
-        all_kex = malloc(kex_len);
-        if (all_kex == NULL) {
-            pkderr("Failed to alloc more memory.\n");
-            goto outclose;
-        }
-        snprintf(all_kex, kex_len, "%s," GEX_SHA1, default_kex);
         rc = ssh_bind_options_set(b, SSH_BIND_OPTIONS_KEY_EXCHANGE, all_kex);
-        free(all_kex);
         if (rc != 0) {
             pkderr("ssh_bind_options_set kex methods: %s\n", ssh_get_error(b));
             goto outclose;
@@ -341,6 +333,21 @@ static int pkd_exec_hello(int fd, struct pkd_daemon_args *args)
             goto outclose;
         }
 
+        /* Enable all message authentication codes */
+        all_macs = ssh_kex_get_supported_method(SSH_MAC_C_S);
+        rc = ssh_bind_options_set(b, SSH_BIND_OPTIONS_HMAC_C_S, all_macs);
+        if (rc != 0) {
+            pkderr("ssh_bind_options_set MACs C-S: %s\n", ssh_get_error(b));
+            goto outclose;
+        }
+
+        all_macs = ssh_kex_get_supported_method(SSH_MAC_S_C);
+        rc = ssh_bind_options_set(b, SSH_BIND_OPTIONS_HMAC_S_C, all_macs);
+        if (rc != 0) {
+            pkderr("ssh_bind_options_set MACs S-C: %s\n", ssh_get_error(b));
+            goto outclose;
+        }
+
     }
 
     s = ssh_new();