Allow aes-GCM modes in FIPS

Jakub Jelen 2018-08-07 18:08:08 +02:00
parent baff4a61a7
commit 951e3ca00b


@ -10,7 +10,7 @@ diff -up openssh-7.5p1/cipher.c.fips openssh-7.5p1/cipher.c
#include <string.h>
#include <stdarg.h>
#include <stdio.h>
@@ -116,6 +118,27 @@ static const struct sshcipher ciphers[]
@@ -116,6 +118,33 @@ static const struct sshcipher ciphers[]
{ NULL, 0, 0, 0, 0, 0, NULL }
};
@ -25,6 +25,12 @@ diff -up openssh-7.5p1/cipher.c.fips openssh-7.5p1/cipher.c
+ { "aes128-ctr", 16, 16, 0, 0, 0, EVP_aes_128_ctr },
+ { "aes192-ctr", 16, 24, 0, 0, 0, EVP_aes_192_ctr },
+ { "aes256-ctr", 16, 32, 0, 0, 0, EVP_aes_256_ctr },
+# ifdef OPENSSL_HAVE_EVPGCM
+ { "aes128-gcm@openssh.com",
+ 16, 16, 12, 16, 0, EVP_aes_128_gcm },
+ { "aes256-gcm@openssh.com",
+ 16, 32, 12, 16, 0, EVP_aes_256_gcm },
+# endif /* OPENSSL_HAVE_EVPGCM */
+#else
+ { "aes128-ctr", 16, 16, 0, 0, CFLAG_AESCTR, NULL },
+ { "aes192-ctr", 16, 24, 0, 0, CFLAG_AESCTR, NULL },
@ -326,14 +332,15 @@ diff -up openssh-7.5p1/myproposal.h.fips openssh-7.5p1/myproposal.h
/* the actual algorithms */
#define KEX_SERVER_ENCRYPT \
@@ -138,6 +146,37 @@
@@ -138,6 +146,38 @@
#define KEX_CLIENT_MAC KEX_SERVER_MAC
+#define KEX_FIPS_ENCRYPT \
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
+ "aes128-cbc,3des-cbc," \
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se" \
+ AESGCM_CIPHER_MODES
+#ifdef HAVE_EVP_SHA256
+# define KEX_DEFAULT_KEX_FIPS \
+ KEX_ECDH_METHODS \