
Commit 274ab28

authored
fix(util): Fix default key exchange algorthims used for SSH connection to be FIPS compliant (#24086) (cherry-pick 3.0) (#24165)
Signed-off-by: anandf <[email protected]>
1 parent b1df89b commit 274ab28


1 file changed

+20
-6
lines changed


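--- a/util/git/ssh.go
+++ b/util/git/ssh.go
@@ -1,13 +1,14 @@
 package git
 
 import (
+"crypto/fips140"
 "fmt"
 
 gitssh "github.com/go-git/go-git/v5/plumbing/transport/ssh"
 "golang.org/x/crypto/ssh"
 )
 
-// List of all currently supported algorithms for SSH key exchange
+// SupportedSSHKeyExchangeAlgorithms is a list of all currently supported algorithms for SSH key exchange
 // Unfortunately, crypto/ssh does not offer public constants or list for
 // this.
 var SupportedSSHKeyExchangeAlgorithms = []string{
@@ -21,10 +22,15 @@ var SupportedSSHKeyExchangeAlgorithms = []string{
 "diffie-hellman-group14-sha1",
 }
 
-// List of default key exchange algorithms to use. We use those that are
-// available by default, we can become more opinionated later on (when
-// we support configuration of algorithms to use).
-var DefaultSSHKeyExchangeAlgorithms = SupportedSSHKeyExchangeAlgorithms
+// SupportedFIPSCompliantSSHKeyExchangeAlgorithms is a list of all currently supported algorithms for SSH key exchange
+// that are FIPS compliant
+var SupportedFIPSCompliantSSHKeyExchangeAlgorithms = []string{
+"ecdh-sha2-nistp256",
+"ecdh-sha2-nistp384",
+"ecdh-sha2-nistp521",
+"diffie-hellman-group-exchange-sha256",
+"diffie-hellman-group14-sha256",
+}
 
 // PublicKeysWithOptions is an auth method for go-git's SSH client that
 // inherits from PublicKeys, but provides the possibility to override
@@ -51,9 +57,17 @@ func (a *PublicKeysWithOptions) ClientConfig() (*ssh.ClientConfig, error) {
 if len(a.KexAlgorithms) > 0 {
 kexAlgos = a.KexAlgorithms
 } else {
-kexAlgos = DefaultSSHKeyExchangeAlgorithms
+kexAlgos = getDefaultSSHKeyExchangeAlgorithms()
 }
 config := ssh.Config{KeyExchanges: kexAlgos}
 opts := &ssh.ClientConfig{Config: config, User: a.User, Auth: []ssh.AuthMethod{ssh.PublicKeys(a.Signer)}}
 return a.SetHostKeyCallback(opts)
 }
+
+// getDefaultSSHKeyExchangeAlgorithms returns the default key exchange algorithms to be used
+func getDefaultSSHKeyExchangeAlgorithms() []string {
+if fips140.Enabled() {
+return SupportedFIPSCompliantSSHKeyExchangeAlgorithms
+}
+return SupportedSSHKeyExchangeAlgorithms
+}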
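Review bot: The FIPS restriction covers only the fallback branch of `ClientConfig`: when `a.KexAlgorithms` is non-empty it is still handed to `ssh.Config{KeyExchanges: kexAlgos}` unfiltered, so a caller-supplied entry such as `diffie-hellman-group14-sha1` (in the supported list, absent from the FIPS list) would be offered even when `fips140.Enabled()` is true. Whether any caller sets `KexAlgorithms` is not visible here, but in FIPS mode the override should be validated against `SupportedFIPSCompliantSSHKeyExchangeAlgorithms` and rejected (or filtered) with a clear error rather than negotiated silently; the sketch below needs `slices` added to the import block. The body of `ClientConfig` begins above this hunk, so the declaration of `kexAlgos` is not shown.

```go
	if len(a.KexAlgorithms) > 0 {
		kexAlgos = a.KexAlgorithms
		if fips140.Enabled() {
			// A caller override must not widen the set beyond the FIPS-approved list.
			for _, alg := range kexAlgos {
				if !slices.Contains(SupportedFIPSCompliantSSHKeyExchangeAlgorithms, alg) {
					return nil, fmt.Errorf("key exchange algorithm %q is not permitted in FIPS mode", alg)
				}
			}
		}
	} else {
		kexAlgos = getDefaultSSHKeyExchangeAlgorithms()
	}
	// … unchanged: ssh.Config / ssh.ClientConfig construction and SetHostKeyCallback …
```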
