diff options
-rw-r--r-- | src/kex.c | 19 | ||||
-rw-r--r-- | tests/pkd/pkd_daemon.c | 33 |
2 files changed, 30 insertions, 22 deletions
@@ -168,16 +168,17 @@ #define CHACHA20 "chacha20-poly1305@openssh.com," -#define KEY_EXCHANGE \ +#define DEFAULT_KEY_EXCHANGE \ CURVE25519 \ ECDH \ "diffie-hellman-group18-sha512,diffie-hellman-group16-sha512," \ GEX_SHA256 \ - "diffie-hellman-group14-sha256," \ - "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" + "diffie-hellman-group14-sha256" \ + #define KEY_EXCHANGE_SUPPORTED \ GEX_SHA1 \ - KEY_EXCHANGE + DEFAULT_KEY_EXCHANGE \ + ",diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" /* RFC 8308 */ #define KEX_EXTENSION_CLIENT "ext-info-c" @@ -231,12 +232,12 @@ static const char *fips_methods[] = { /* NOTE: This is a fixed API and the index is defined by ssh_kex_types_e */ static const char *default_methods[] = { - KEY_EXCHANGE, + DEFAULT_KEY_EXCHANGE, DEFAULT_PUBLIC_KEY_ALGORITHMS, - CHACHA20 AES DES, - CHACHA20 AES DES, - "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1", - "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1", + CHACHA20 AES, + CHACHA20 AES, + "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512", + "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512", "none", "none", "", diff --git a/tests/pkd/pkd_daemon.c b/tests/pkd/pkd_daemon.c index 239bdd36..5325a5de 100644 --- a/tests/pkd/pkd_daemon.c +++ b/tests/pkd/pkd_daemon.c @@ -247,10 +247,9 @@ static int pkd_exec_hello(int fd, struct pkd_daemon_args *args) int level = args->opts.libssh_log_level; enum pkd_hostkey_type_e type = args->type; const char *hostkeypath = args->hostkeypath; - const char *default_kex = NULL; - char *all_kex = NULL; - size_t kex_len = 0; + const char *all_kex = NULL; const char *all_ciphers = NULL; + const char *all_macs = NULL; const uint64_t rekey_data_limit = args->rekey_data_limit; bool process_config = false; @@ -302,17 +301,10 @@ static int pkd_exec_hello(int fd, struct pkd_daemon_args *args) if (!ssh_fips_mode()) { const char *all_hostkeys = NULL; /* Add methods not enabled by default */ -#define GEX_SHA1 "diffie-hellman-group-exchange-sha1" - default_kex = ssh_kex_get_default_methods(SSH_KEX); - kex_len = strlen(default_kex) + strlen(GEX_SHA1) + 2; - all_kex = malloc(kex_len); - if (all_kex == NULL) { - pkderr("Failed to alloc more memory.\n"); - goto outclose; - } - snprintf(all_kex, kex_len, "%s," GEX_SHA1, default_kex); + + /* Enable all supported key exchange methods */ + all_kex = ssh_kex_get_supported_method(SSH_KEX); rc = ssh_bind_options_set(b, SSH_BIND_OPTIONS_KEY_EXCHANGE, all_kex); - free(all_kex); if (rc != 0) { pkderr("ssh_bind_options_set kex methods: %s\n", ssh_get_error(b)); goto outclose; @@ -341,6 +333,21 @@ static int pkd_exec_hello(int fd, struct pkd_daemon_args *args) goto outclose; } + /* Enable all message authentication codes */ + all_macs = ssh_kex_get_supported_method(SSH_MAC_C_S); + rc = ssh_bind_options_set(b, SSH_BIND_OPTIONS_HMAC_C_S, all_macs); + if (rc != 0) { + pkderr("ssh_bind_options_set MACs C-S: %s\n", ssh_get_error(b)); + goto outclose; + } + + all_macs = ssh_kex_get_supported_method(SSH_MAC_S_C); + rc = ssh_bind_options_set(b, SSH_BIND_OPTIONS_HMAC_S_C, all_macs); + if (rc != 0) { + pkderr("ssh_bind_options_set MACs S-C: %s\n", ssh_get_error(b)); + goto outclose; + } + } s = ssh_new(); |