From 951e3ca00b7fd8d881f10b7255f02202b641d8b7 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Aug 07 2018 16:08:08 +0000
Subject: Allow aes-GCM modes in FIPS
---
diff --git a/openssh-7.2p1-fips.patch b/openssh-7.2p1-fips.patch
index 94cbefe..d8bb4e5 100644
--- a/openssh-7.2p1-fips.patch
+++ b/openssh-7.2p1-fips.patch
@@ -10,7 +10,7 @@ diff -up openssh-7.5p1/cipher.c.fips openssh-7.5p1/cipher.c
 #include
 #include
 #include
-@@ -116,6 +118,27 @@ static const struct sshcipher ciphers[]
+@@ -116,6 +118,33 @@ static const struct sshcipher ciphers[]
 { NULL, 0, 0, 0, 0, 0, NULL }
 };
@@ -25,6 +25,12 @@ diff -up openssh-7.5p1/cipher.c.fips openssh-7.5p1/cipher.c
 + { "aes128-ctr", 16, 16, 0, 0, 0, EVP_aes_128_ctr },
 + { "aes192-ctr", 16, 24, 0, 0, 0, EVP_aes_192_ctr },
 + { "aes256-ctr", 16, 32, 0, 0, 0, EVP_aes_256_ctr },
++# ifdef OPENSSL_HAVE_EVPGCM
++ { "aes128-gcm@openssh.com",
++ 16, 16, 12, 16, 0, EVP_aes_128_gcm },
++ { "aes256-gcm@openssh.com",
++ 16, 32, 12, 16, 0, EVP_aes_256_gcm },
++# endif /* OPENSSL_HAVE_EVPGCM */
 +#else
 + { "aes128-ctr", 16, 16, 0, 0, CFLAG_AESCTR, NULL },
 + { "aes192-ctr", 16, 24, 0, 0, CFLAG_AESCTR, NULL },
@@ -326,14 +332,15 @@ diff -up openssh-7.5p1/myproposal.h.fips openssh-7.5p1/myproposal.h
 /* the actual algorithms */
 #define KEX_SERVER_ENCRYPT \
-@@ -138,6 +146,37 @@
+@@ -138,6 +146,38 @@
 #define KEX_CLIENT_MAC KEX_SERVER_MAC
 +#define KEX_FIPS_ENCRYPT \
 + "aes128-ctr,aes192-ctr,aes256-ctr," \
 + "aes128-cbc,3des-cbc," \
-+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
++ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" \
++ AESGCM_CIPHER_MODES
 +#ifdef HAVE_EVP_SHA256
 +# define KEX_DEFAULT_KEX_FIPS \
 + KEX_ECDH_METHODS \
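Review bot: The two GCM rows added to the FIPS cipher table under `# ifdef OPENSSL_HAVE_EVPGCM` carry no comment saying why these modes are admissible in FIPS mode. GCM's safety, and with it its approval status, rests on the IV never repeating under one key, and the IV handling lives elsewhere in cipher.c, outside this hunk. I would add a comment above the guard, e.g. `/* AES-GCM: 12-byte IV, 16-byte tag; FIPS use depends on the IV being unique per key, see the GCM IV handling in cipher.c */`. The myproposal.h hunk appends `AESGCM_CIPHER_MODES` to `KEX_FIPS_ENCRYPT` with no guard of its own, so the advertised list and this table only stay in step if that macro expands to nothing when `OPENSSL_HAVE_EVPGCM` is undefined; its definition is not visible here and is worth confirming. The table itself begins and ends outside the hunk.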