Remove *sha1 Kex in FIPS mode (#1324493)

2016-04-11 13:16:12 +02:00 · 2016-04-11 13:16:12 +02:00 · 0509c6c977
commit 0509c6c977
parent 117a730ded
1 changed files with 28 additions and 0 deletions
--- a/openssh-7.2p1-fips.patch
+++ b/openssh-7.2p1-fips.patch
@ -676,3 +676,31 @@ index f282907..51bbffb 100644
 	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
 };
 
+diff --git a/kex.c b/kex.c
+index f07a636..4ce5843 100644
+--- a/kex.c
+++ b/kex.c
+@@ -123,8 +123,6 @@ static const struct kexalg kexalgs[] = {
+ };
+ 
+ static const struct kexalg kexalgs_fips[] = {
+-	{ KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
+-	{ KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+ #ifdef HAVE_EVP_SHA256
+ 	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
+ #endif
+diff --git a/myproposal.h b/myproposal.h
+index 7efe312..bcf2ae1 100644
+--- a/myproposal.h
+++ b/myproposal.h
+@@ -131,9 +131,7 @@
+ 
+ #define KEX_DEFAULT_KEX_FIPS		\
+ 	KEX_ECDH_METHODS \
+-	KEX_SHA256_METHODS \
+-	"diffie-hellman-group-exchange-sha1," \
+-	"diffie-hellman-group14-sha1"
+	KEX_SHA256_METHODS
+ #define	KEX_FIPS_ENCRYPT \
+ 	"aes128-ctr,aes192-ctr,aes256-ctr," \
+ 	"aes128-cbc,3des-cbc," \