authorAnderson Toshiyuki Sasaki <ansasaki@redhat.com>2019-05-22 18:33:14 +0200
committerAndreas Schneider <asn@cryptomilk.org>2019-06-12 11:13:52 +0200
commit54d76098edda33a2b526e8eae069992abc470bb6 (patch)
treeafeaf652d3afc1e939f99da366d97da5b937ef61 /src/options.c
parent56041dc7840ade64b16c9c299bd64504daa79599 (diff)
kex, pki, server, options: Filter algorithms in FIPS mode
When in FIPS mode, filter the algorithms to enable only the allowed ones. If any algorithms are explicitly set through options or the configuration file, they are kept.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src/options.c')
-rw-r--r--src/options.c27
1 files changed, 22 insertions, 5 deletions
diff --git a/src/options.c b/src/options.c
index 9af7b22b..672735a4 100644
--- a/src/options.c
+++ b/src/options.c
@@ -223,10 +223,15 @@ int ssh_options_set_algo(ssh_session session,
{
char *p = NULL;
- p = ssh_keep_known_algos(algo, list);
+ if (ssh_fips_mode()) {
+ p = ssh_keep_fips_algos(algo, list);
+ } else {
+ p = ssh_keep_known_algos(algo, list);
+ }
+
if (p == NULL) {
ssh_set_error(session, SSH_REQUEST_DENIED,
- "Setting method: no algorithm for method \"%s\" (%s)",
+ "Setting method: no allowed algorithm for method \"%s\" (%s)",
ssh_kex_get_description(algo), list);
return -1;
}
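Review bot: The error message in ssh_bind_set_algo still reads `no algorithm for method`, and the SSH_HOSTKEYS branches of ssh_options_set and ssh_bind_options_set still read `no known public key algorithm`, while this hunk changes its own message to `no allowed algorithm`; in FIPS mode a list of perfectly known but non-approved names now fails with text that blames an unknown algorithm, which is the first thing an operator debugging a FIPS deployment will read. The three sibling messages should follow this hunk, e.g. `"Setting method: no allowed public key algorithm (%s)",` at the two hostkey sites and `"Setting method: no allowed algorithm for method \"%s\" (%s)",` in ssh_bind_set_algo. The same `if (ssh_fips_mode())` dispatch is pasted verbatim in all four hunks; a single file-local helper keeps the FIPS decision in one place, so a later change to the filtering (or to how it reports what it dropped) is a one-line edit rather than four. Whether ssh_keep_fips_algos tells the caller which entries of a user-supplied list it silently discarded is not visible here; if it does not, a debug-level log of the post-filter list inside that helper would make a FIPS-induced downgrade visible in diagnostics. ssh_options_set_algo's signature lies outside the hunk.
```c
/* Keep only the entries of list that this build may negotiate for algo:
 * the FIPS-approved subset when FIPS mode is enabled, every known
 * algorithm otherwise.  Returns the same ownership as the wrapped calls. */
static char *ssh_keep_allowed_algos(enum ssh_kex_types_e algo, const char *list)
{
    if (ssh_fips_mode()) {
        return ssh_keep_fips_algos(algo, list);
    }
    return ssh_keep_known_algos(algo, list);
}

/* … unchanged: ssh_options_set_algo up to the declaration of p … */
    p = ssh_keep_allowed_algos(algo, list);
/* … unchanged: NULL check and ssh_set_error reporting … */
```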
@@ -796,7 +801,11 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
ssh_set_error_invalid(session);
return -1;
} else {
- p = ssh_keep_known_algos(SSH_HOSTKEYS, v);
+ if (ssh_fips_mode()) {
+ p = ssh_keep_fips_algos(SSH_HOSTKEYS, v);
+ } else {
+ p = ssh_keep_known_algos(SSH_HOSTKEYS, v);
+ }
if (p == NULL) {
ssh_set_error(session, SSH_REQUEST_DENIED,
"Setting method: no known public key algorithm (%s)",
@@ -1503,7 +1512,11 @@ static int ssh_bind_set_algo(ssh_bind sshbind,
{
char *p = NULL;
- p = ssh_keep_known_algos(algo, list);
+ if (ssh_fips_mode()) {
+ p = ssh_keep_fips_algos(algo, list);
+ } else {
+ p = ssh_keep_known_algos(algo, list);
+ }
if (p == NULL) {
ssh_set_error(sshbind, SSH_REQUEST_DENIED,
"Setting method: no algorithm for method \"%s\" (%s)",
@@ -1938,7 +1951,11 @@ int ssh_bind_options_set(ssh_bind sshbind, enum ssh_bind_options_e type,
ssh_set_error_invalid(sshbind);
return -1;
} else {
- p = ssh_keep_known_algos(SSH_HOSTKEYS, v);
+ if (ssh_fips_mode()) {
+ p = ssh_keep_fips_algos(SSH_HOSTKEYS, v);
+ } else {
+ p = ssh_keep_known_algos(SSH_HOSTKEYS, v);
+ }
if (p == NULL) {
ssh_set_error(sshbind, SSH_REQUEST_DENIED,
"Setting method: no known public key algorithm (%s)",