aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorAnderson Toshiyuki Sasaki <ansasaki@redhat.com>2019-05-22 15:13:51 +0200
committerAndreas Schneider <asn@cryptomilk.org>2019-06-12 10:27:40 +0200
commitee456104f16b29d5fe0245e6e2ba026450db0fe8 (patch)
tree734ab05304d6a48d434f4f9a4a495ca8eda7ba85 /src
parent0fb7d9831a9d2b22c9d19cc239c9fa007243ba69 (diff)
downloadlibssh-ee456104f16b29d5fe0245e6e2ba026450db0fe8.tar.gz
libssh-ee456104f16b29d5fe0245e6e2ba026450db0fe8.tar.xz
libssh-ee456104f16b29d5fe0245e6e2ba026450db0fe8.zip
session: Do not use MD5 in FIPS mode
Do not use MD5 when generating fingerprints in FIPS mode. The call will fail in such case. The test suite was updated with a negative test for this case. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src')
-rw-r--r--src/session.c23
1 files changed, 21 insertions, 2 deletions
diff --git a/src/session.c b/src/session.c
index d4600861..d692b32e 100644
--- a/src/session.c
+++ b/src/session.c
@@ -964,6 +964,17 @@ int ssh_get_pubkey_hash(ssh_session session, unsigned char **hash)
if (session == NULL || hash == NULL) {
return SSH_ERROR;
}
+
+ /* In FIPS mode, we cannot use MD5 */
+ if (ssh_fips_mode()) {
+ ssh_set_error(session,
+ SSH_FATAL,
+ "In FIPS mode MD5 is not allowed."
+ "Try ssh_get_publickey_hash() with"
+ "SSH_PUBLICKEY_HASH_SHA256");
+ return SSH_ERROR;
+ }
+
*hash = NULL;
if (session->current_crypto == NULL ||
session->current_crypto->server_pubkey == NULL) {
@@ -1064,7 +1075,7 @@ int ssh_get_publickey(ssh_session session, ssh_key *key)
*
* This function allows you to get a hash of the public key. You can then
* print this hash in a human-readable form to the user so that he is able to
- * verify it. Use ssh_get_hexa() or ssh_print_hexa() to display it.
+ * verify it. Use ssh_get_hexa() or ssh_print_hash() to display it.
*
* @param[in] key The public key to create the hash for.
*
@@ -1084,7 +1095,7 @@ int ssh_get_publickey(ssh_session session, ssh_key *key)
*
* @see ssh_session_update_known_hosts()
* @see ssh_get_hexa()
- * @see ssh_print_hexa()
+ * @see ssh_print_hash()
* @see ssh_clean_pubkey_hash()
*/
int ssh_get_publickey_hash(const ssh_key key,
@@ -1152,6 +1163,14 @@ int ssh_get_publickey_hash(const ssh_key key,
{
MD5CTX ctx;
+ /* In FIPS mode, we cannot use MD5 */
+ if (ssh_fips_mode()) {
+ SSH_LOG(SSH_LOG_WARN, "In FIPS mode MD5 is not allowed."
+ "Try using SSH_PUBLICKEY_HASH_SHA256");
+ rc = SSH_ERROR;
+ goto out;
+ }
+
h = calloc(1, MD5_DIGEST_LEN);
if (h == NULL) {
rc = -1;