Re: [PR] GUACAMOLE-2012: Fix SSH connection to FIPS servers which only offer AES GCM [guacamole-server]

[via GitHub]

mike-jumper commented on code in PR #572:
URL: https://github.com/apache/guacamole-server/pull/572#discussion_r1909301265


##########
src/common-ssh/ssh.c:
##########
@@ -412,6 +415,56 @@ static int 
guac_common_ssh_authenticate(guac_common_ssh_session* common_session)
 
 }
 
+/**
+ * Verifies if given algorithms are supported by libssh2.
+ * Writes log messages if an algorithm is not supported or
+ * could not get the list of supported algorithms from libssh2.
+ *
+ * @param client
+ *     The Guacamole client that is using SSH.
+ * 
+ * @param session
+ *     The session associated with the user to be authenticated.
+ *
+ * @param method_type
+ *      One of the libssh2 Method Type constants for 
libssh2_session_method_pref().
+ * 
+ * @param algs
+ *      A string with preferred list of algorithms, for example 
FIPS_COMPLIANT_CIPHERS.
+ *
+ */
+static void check_if_algs_are_supported(guac_client* client, LIBSSH2_SESSION* 
session,
+        int method_type, const char* algs) {
+
+    /* Request the list of supported algorithms/cyphers from libssh2. */
+    const char** supported_algs;
+    int supported_algs_count =
+        libssh2_session_supported_algs(session, method_type, &supported_algs);
+
+    if (supported_algs_count > 0) {
+        char** preferred_algs = guac_split(algs, ',');
+        for (int i = 0; preferred_algs[i]; i++) {           
+            bool found = false;
+            /* Check if the algorithm is found in the libssh2 supported list. 
*/
+            for (int j = 0; j < supported_algs_count; j++) {
+                if (strcmp(preferred_algs[i], supported_algs[j]) == 0) {
+                    found = true;
+                    break;
+                }
+            }
+            if (!found) {
+                guac_client_log(client, GUAC_LOG_WARNING,
+                    "Preferred algorithm/cipher '%s' is not supported by 
libssh2", preferred_algs[i]);               
+            }
+        }
+        guac_mem_free(preferred_algs);
+    } else {

Review Comment:
   Please don't cuddle the `else`. See: 
https://cwiki.apache.org/confluence/display/GUAC/Contribution+and+Style+Guidelines#ContributionandStyleGuidelines-Braces



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@guacamole.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org