diff options
author | Anderson Toshiyuki Sasaki <ansasaki@redhat.com> | 2019-05-22 15:13:51 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2019-06-12 10:27:40 +0200 |
commit | ee456104f16b29d5fe0245e6e2ba026450db0fe8 (patch) | |
tree | 734ab05304d6a48d434f4f9a4a495ca8eda7ba85 /src | |
parent | 0fb7d9831a9d2b22c9d19cc239c9fa007243ba69 (diff) | |
download | libssh-ee456104f16b29d5fe0245e6e2ba026450db0fe8.tar.gz libssh-ee456104f16b29d5fe0245e6e2ba026450db0fe8.tar.xz libssh-ee456104f16b29d5fe0245e6e2ba026450db0fe8.zip |
session: Do not use MD5 in FIPS mode
Do not use MD5 when generating fingerprints in FIPS mode. The call will
fail in such case. The test suite was updated with a negative test for
this case.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/session.c | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/src/session.c b/src/session.c index d4600861..d692b32e 100644 --- a/src/session.c +++ b/src/session.c @@ -964,6 +964,17 @@ int ssh_get_pubkey_hash(ssh_session session, unsigned char **hash) if (session == NULL || hash == NULL) { return SSH_ERROR; } + + /* In FIPS mode, we cannot use MD5 */ + if (ssh_fips_mode()) { + ssh_set_error(session, + SSH_FATAL, + "In FIPS mode MD5 is not allowed." + "Try ssh_get_publickey_hash() with" + "SSH_PUBLICKEY_HASH_SHA256"); + return SSH_ERROR; + } + *hash = NULL; if (session->current_crypto == NULL || session->current_crypto->server_pubkey == NULL) { @@ -1064,7 +1075,7 @@ int ssh_get_publickey(ssh_session session, ssh_key *key) * * This function allows you to get a hash of the public key. You can then * print this hash in a human-readable form to the user so that he is able to - * verify it. Use ssh_get_hexa() or ssh_print_hexa() to display it. + * verify it. Use ssh_get_hexa() or ssh_print_hash() to display it. * * @param[in] key The public key to create the hash for. * @@ -1084,7 +1095,7 @@ int ssh_get_publickey(ssh_session session, ssh_key *key) * * @see ssh_session_update_known_hosts() * @see ssh_get_hexa() - * @see ssh_print_hexa() + * @see ssh_print_hash() * @see ssh_clean_pubkey_hash() */ int ssh_get_publickey_hash(const ssh_key key, @@ -1152,6 +1163,14 @@ int ssh_get_publickey_hash(const ssh_key key, { MD5CTX ctx; + /* In FIPS mode, we cannot use MD5 */ + if (ssh_fips_mode()) { + SSH_LOG(SSH_LOG_WARN, "In FIPS mode MD5 is not allowed." + "Try using SSH_PUBLICKEY_HASH_SHA256"); + rc = SSH_ERROR; + goto out; + } + h = calloc(1, MD5_DIGEST_LEN); if (h == NULL) { rc = -1; |