In FIPS mode do not append bogus comma after the kex list

This commit is contained in:
Jakub Jelen 2017-04-26 14:26:25 +02:00
parent 204765aba1
commit eb751fd1d3

View File

@ -309,20 +309,20 @@ diff -up openssh-7.4p1/Makefile.in.fips openssh-7.4p1/Makefile.in
diff -up openssh-7.4p1/myproposal.h.fips openssh-7.4p1/myproposal.h
--- openssh-7.4p1/myproposal.h.fips 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/myproposal.h 2016-12-23 16:37:49.300741586 +0100
@@ -138,6 +138,27 @@
@@ -138,6 +138,37 @@
#define KEX_CLIENT_MAC KEX_SERVER_MAC
+#define KEX_DEFAULT_KEX_FIPS \
+ KEX_ECDH_METHODS \
+ KEX_SHA2_METHODS \
+ KEX_SHA2_GROUP14
+#define KEX_FIPS_ENCRYPT \
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
+ "aes128-cbc,3des-cbc," \
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
+#ifdef HAVE_EVP_SHA256
+#define KEX_FIPS_MAC \
+# define KEX_DEFAULT_KEX_FIPS \
+ KEX_ECDH_METHODS \
+ KEX_SHA2_METHODS \
+ "diffie-hellman-group14-sha256"
+# define KEX_FIPS_MAC \
+ "hmac-sha1," \
+ "hmac-sha2-256," \
+ "hmac-sha2-512," \
@ -330,6 +330,16 @@ diff -up openssh-7.4p1/myproposal.h.fips openssh-7.4p1/myproposal.h
+ "hmac-sha2-256-etm@openssh.com," \
+ "hmac-sha2-512-etm@openssh.com"
+#else
+# ifdef OPENSSL_HAS_NISTP521
+# define KEX_DEFAULT_KEX_FIPS \
+ "ecdh-sha2-nistp256," \
+ "ecdh-sha2-nistp384," \
+ "ecdh-sha2-nistp521"
+# else
+# define KEX_DEFAULT_KEX_FIPS \
+ "ecdh-sha2-nistp256," \
+ "ecdh-sha2-nistp384"
+# endif
+#define KEX_FIPS_MAC \
+ "hmac-sha1"
+#endif