gssapi: enable gssapi-keyex in FIPS mode

All gssapi-keyex tests have to be disabled in Centos Stream 8 because the KEX is not allowed in FIPS. In Centos Stream 9, only tests against OpenSSH have to be disabled because OpenSSH only enables gssapi-keyex since Centos Stream 10. Signed-off-by: Pavol Žáčik <pzacik@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2026-02-04 12:20:42 +09:00 · 2025-12-02 10:31:01 +01:00
parent d3e80d9a19
commit 9b4ee9c6d4
10 changed files with 32 additions and 107 deletions
--- a/src/gssapi.c
+++ b/src/gssapi.c
@@ -672,7 +672,6 @@ fail:
 */
 char *ssh_gssapi_oid_hash(ssh_string oid)
 {
-    MD5CTX ctx = NULL;
    unsigned char *h = NULL;
    int rc;
    char *base64 = NULL;
@@ -682,19 +681,7 @@ char *ssh_gssapi_oid_hash(ssh_string oid)
        return NULL;
    }

-    ctx = md5_init();
-    if (ctx == NULL) {
-        SAFE_FREE(h);
-        return NULL;
-    }
-
-    rc = md5_update(ctx, ssh_string_data(oid), ssh_string_len(oid));
-    if (rc != SSH_OK) {
-        SAFE_FREE(h);
-        md5_ctx_free(ctx);
-        return NULL;
-    }
-    rc = md5_final(h, ctx);
+    rc = md5(ssh_string_data(oid), ssh_string_len(oid), h);
    if (rc != SSH_OK) {
        SAFE_FREE(h);
        return NULL;
--- a/src/kex.c
+++ b/src/kex.c
@@ -811,7 +811,7 @@ int ssh_set_client_kex(ssh_session session)
        return SSH_ERROR;
    }
 #ifdef WITH_GSSAPI
-    if (session->opts.gssapi_key_exchange && !ssh_fips_mode()) {
+    if (session->opts.gssapi_key_exchange) {
        char *gssapi_algs = NULL;

        ok = ssh_gssapi_init(session);
@@ -831,9 +831,15 @@ int ssh_set_client_kex(ssh_session session)
        }

        /* Prefix the default algorithms with gsskex algs */
-        session->opts.wanted_methods[SSH_KEX] =
-            ssh_prefix_without_duplicates(default_methods[SSH_KEX],
-                                          gssapi_algs);
+        if (ssh_fips_mode()) {
+            session->opts.wanted_methods[SSH_KEX] =
+                ssh_prefix_without_duplicates(fips_methods[SSH_KEX],
+                                              gssapi_algs);
+        } else {
+            session->opts.wanted_methods[SSH_KEX] =
+                ssh_prefix_without_duplicates(default_methods[SSH_KEX],
+                                              gssapi_algs);
+        }

        gssapi_null_alg = true;

--- a/src/server.c
+++ b/src/server.c
@@ -172,7 +172,7 @@ int server_set_kex(ssh_session session)
        }
    }
 #ifdef WITH_GSSAPI
-    if (session->opts.gssapi_key_exchange && !ssh_fips_mode()) {
+    if (session->opts.gssapi_key_exchange) {
        ok = ssh_gssapi_init(session);
        if (ok != SSH_OK) {
            ssh_set_error_oom(session);