Allow aes-GCM modes in FIPS

2018-08-07 18:08:08 +02:00 · 2018-08-07 18:08:08 +02:00 · 951e3ca00b
commit 951e3ca00b
parent baff4a61a7
1 changed files with 10 additions and 3 deletions
--- a/openssh-7.2p1-fips.patch
+++ b/openssh-7.2p1-fips.patch
@ -10,7 +10,7 @@ diff -up openssh-7.5p1/cipher.c.fips openssh-7.5p1/cipher.c
 #include <string.h>
 #include <stdarg.h>
 #include <stdio.h>
-@@ -116,6 +118,27 @@ static const struct sshcipher ciphers[]
+@@ -116,6 +118,33 @@ static const struct sshcipher ciphers[]
 	{ NULL,			0, 0, 0, 0, 0, NULL }
 };
 
@ -25,6 +25,12 @@ diff -up openssh-7.5p1/cipher.c.fips openssh-7.5p1/cipher.c
 +	{ "aes128-ctr",		16, 16, 0, 0, 0, EVP_aes_128_ctr },
 +	{ "aes192-ctr",		16, 24, 0, 0, 0, EVP_aes_192_ctr },
 +	{ "aes256-ctr",		16, 32, 0, 0, 0, EVP_aes_256_ctr },
+# ifdef OPENSSL_HAVE_EVPGCM
+	{ "aes128-gcm@openssh.com",
+				16, 16, 12, 16, 0, EVP_aes_128_gcm },
+	{ "aes256-gcm@openssh.com",
+				16, 32, 12, 16, 0, EVP_aes_256_gcm },
+# endif /* OPENSSL_HAVE_EVPGCM */
 +#else
 +	{ "aes128-ctr",		16, 16, 0, 0, CFLAG_AESCTR, NULL },
 +	{ "aes192-ctr",		16, 24, 0, 0, CFLAG_AESCTR, NULL },
@ -326,14 +332,15 @@ diff -up openssh-7.5p1/myproposal.h.fips openssh-7.5p1/myproposal.h
 /* the actual algorithms */
 
 #define KEX_SERVER_ENCRYPT \
-@@ -138,6 +146,37 @@
+@@ -138,6 +146,38 @@
 
 #define KEX_CLIENT_MAC KEX_SERVER_MAC
 
 +#define	KEX_FIPS_ENCRYPT \
 +	"aes128-ctr,aes192-ctr,aes256-ctr," \
 +	"aes128-cbc,3des-cbc," \
-+	"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
+	"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" \
+	AESGCM_CIPHER_MODES
 +#ifdef HAVE_EVP_SHA256
 +# define KEX_DEFAULT_KEX_FIPS		\
 +	KEX_ECDH_METHODS \