olamy commented on PR #591:
URL: https://github.com/apache/mina-sshd/pull/591#issuecomment-2325965028

   > > I'm not quite sure. With new do you mean this from 2018? :) https://www.openssh.com/txt/release-7.8
   > 
   > Yes: https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key
   > 
   > I also think neither ChaCha20-Poly1305 nor bcrypt are covered by FIPS.
   > 
   > For ChaCha20-Poly1305 we have two options: either we say it's the user's responsibility to configure the SshClient appropriately by removing the cipher via configuration (`SshClient.setCipherFactories()`), or we add a flag (with system property and setter) in `SecurityUtils` and then hard-disable this Cipher if the flag is set.
   >
   
   LGTM
    
   > The bcrypt thing is less critical. I don't know which KDFs are FIPS-approved, but I'd be surprised if bcrypt was. If not, anyone using this OpenSSH format for stored keys would deviate from FIPS anyway, so we could say it's entirely the user's responsibility. (As is using only PEM keys with FIPS-approved encryptions and KDFs.) Or we could use the aforementioned flag to also disable bcrypt (with the effect that such keys cannot be read or written in FIPS mode). Or we might only disable writing such files, while still allowing to read them.
   
   What about something such as a general flag `fips enabled`? Will turn responsibility to the library but could be a great user feature?
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
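
The first option quoted in the comment above (the user removes the cipher through `SshClient.setCipherFactories()`), as an added example that is not code from the PR or from the mina-sshd project. It assumes the MINA SSHD 2.x client API and the cipher's SSH wire name `chacha20-poly1305@openssh.com`; the class and method names are hypothetical.

```java
import java.util.List;
import java.util.stream.Collectors;

import org.apache.sshd.client.SshClient;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.cipher.Cipher;

// Hypothetical helper class, for illustration only.
public class NoChaCha20Client {

    // SSH wire name of the cipher the thread wants excluded.
    static final String CHACHA20_POLY1305 = "chacha20-poly1305@openssh.com";

    // Builds a default client whose cipher proposal no longer offers ChaCha20-Poly1305.
    static SshClient createClient() {
        SshClient client = SshClient.setUpDefaultClient();

        List<NamedFactory<Cipher>> kept = client.getCipherFactories().stream()
                .filter(f -> !CHACHA20_POLY1305.equalsIgnoreCase(f.getName()))
                .collect(Collectors.toList());

        // Fail closed: never continue with an empty cipher list.
        if (kept.isEmpty()) {
            throw new IllegalStateException("No ciphers left after filtering");
        }

        client.setCipherFactories(kept);

        // Re-check the effective configuration instead of trusting the filter.
        boolean stillOffered = client.getCipherFactories().stream()
                .anyMatch(f -> CHACHA20_POLY1305.equalsIgnoreCase(f.getName()));
        if (stillOffered) {
            throw new IllegalStateException(CHACHA20_POLY1305 + " is still configured");
        }
        return client;
    }

    public static void main(String[] args) {
        SshClient client = createClient();
        // Print the ciphers that will be proposed during key exchange.
        client.getCipherFactories().forEach(f -> System.out.println(f.getName()));
    }
}
```

This only changes what the client negotiates on the wire; it does not affect the bcrypt KDF used for OpenSSH-format key files, which the comment treats as a separate question.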
