authorJakub Jelen <jjelen@redhat.com>2020-04-14 12:26:50 +0200
committerJakub Jelen <jjelen@redhat.com>2020-04-20 14:14:33 +0200
commitfecdc3cc0e6d051ebbe06414a15c6634a4126a8b (patch)
tree9fd3ac5002c3a324d40946f976a10fc1426d887d
parent04ae110c612f0dabc03882a52bf5be56be560020 (diff)
Disable RSA and DSA keys with sha1 by default
Fixes: T218 Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-rw-r--r--src/kex.c32
-rw-r--r--tests/unittests/torture_knownhosts_parsing.c16
2 files changed, 25 insertions, 23 deletions
diff --git a/src/kex.c b/src/kex.c
index 80b6e8ad..aa817325 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -131,6 +131,11 @@
"rsa-sha2-256," \
"ssh-rsa" \
DSA_HOSTKEYS
+#define DEFAULT_HOSTKEYS "ssh-ed25519," \
+ EC_HOSTKEYS \
+ "rsa-sha2-512," \
+ "rsa-sha2-256"
+
#define PUBLIC_KEY_ALGORITHMS "ssh-ed25519-cert-v01@openssh.com," \
EC_PUBLIC_KEY_ALGORITHMS \
"rsa-sha2-512-cert-v01@openssh.com," \
@@ -138,6 +143,11 @@
"ssh-rsa-cert-v01@openssh.com" \
DSA_PUBLIC_KEY_ALGORITHMS "," \
HOSTKEYS
+#define DEFAULT_PUBLIC_KEY_ALGORITHMS "ssh-ed25519-cert-v01@openssh.com," \
+ EC_PUBLIC_KEY_ALGORITHMS \
+ "rsa-sha2-512-cert-v01@openssh.com," \
+ "rsa-sha2-256-cert-v01@openssh.com," \
+ DEFAULT_HOSTKEYS
#ifdef WITH_GEX
#define GEX_SHA256 "diffie-hellman-group-exchange-sha256,"
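Review bot: DEFAULT_PUBLIC_KEY_ALGORITHMS is added without a comment saying how it differs from PUBLIC_KEY_ALGORITHMS, and the same holds for DEFAULT_HOSTKEYS in the previous hunk. From the visible lines the default lists leave out `ssh-rsa`, `ssh-rsa-cert-v01@openssh.com` and the DSA_* entries while the full lists keep them, so a reader has to compare two macros by eye to learn which algorithms are still supported but no longer offered. I would add above each define something like `/* Offered by default: SHA-1 based RSA and DSA signatures are left out; the full supported set stays in PUBLIC_KEY_ALGORITHMS */`. Since the two lists are now maintained separately, a later addition to one can silently miss the other, which is worth stating in the same comment.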
@@ -212,17 +222,17 @@ static const char *fips_methods[] = {
/* NOTE: This is a fixed API and the index is defined by ssh_kex_types_e */
static const char *default_methods[] = {
- KEY_EXCHANGE,
- PUBLIC_KEY_ALGORITHMS,
- AES BLOWFISH DES,
- AES BLOWFISH DES,
- "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1",
- "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1",
- "none",
- "none",
- "",
- "",
- NULL
+ KEY_EXCHANGE,
+ DEFAULT_PUBLIC_KEY_ALGORITHMS,
+ CHACHA20 AES BLOWFISH DES,
+ CHACHA20 AES BLOWFISH DES,
+ "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1",
+ "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1",
+ "none",
+ "none",
+ "",
+ "",
+ NULL
};
/* NOTE: This is a fixed API and the index is defined by ssh_kex_types_e */
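Review bot: The two cipher entries of default_methods change from `AES BLOWFISH DES` to `CHACHA20 AES BLOWFISH DES` in the same hunk that swaps in DEFAULT_PUBLIC_KEY_ALGORITHMS, while the commit message speaks only of RSA and DSA keys with SHA-1. Together with the re-indentation of every entry, this makes the one-line change to the default key algorithms hard to pick out when auditing the history. I would keep the indentation as it was and either move the cipher change into its own commit or name it in the description. A short comment on the second entry, for example `/* SSH_HOSTKEYS: SHA-1 based RSA/DSA stay supported but are not offered by default */`, would also record why this list differs from the full one, which presumably sits in the table that follows this hunk.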
diff --git a/tests/unittests/torture_knownhosts_parsing.c b/tests/unittests/torture_knownhosts_parsing.c
index 1c2ccc10..bde0eb60 100644
--- a/tests/unittests/torture_knownhosts_parsing.c
+++ b/tests/unittests/torture_knownhosts_parsing.c
@@ -574,13 +574,9 @@ static void torture_knownhosts_algorithms(void **state)
char *algo_list = NULL;
ssh_session session;
bool process_config = false;
- const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,"
+ const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,"
"ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
- "ecdsa-sha2-nistp256"
-#ifdef HAVE_DSA
- ",ssh-dss"
-#endif
- ;
+ "ecdsa-sha2-nistp256";
const char *expect_fips = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521,"
"ecdsa-sha2-nistp384,ecdsa-sha2-nistp256";
@@ -613,13 +609,9 @@ static void torture_knownhosts_algorithms_global(void **state)
char *algo_list = NULL;
ssh_session session;
bool process_config = false;
- const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,"
+ const char *expect = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,"
"ecdsa-sha2-nistp521,ecdsa-sha2-nistp384,"
- "ecdsa-sha2-nistp256"
-#ifdef HAVE_DSA
- ",ssh-dss"
-#endif
- ;
+ "ecdsa-sha2-nistp256";
const char *expect_fips = "rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp521,"
"ecdsa-sha2-nistp384,ecdsa-sha2-nistp256";