From fd58b9eabb5dfd36bd924440081362b798607ddb Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Wed, 8 Mar 2017 14:37:07 +0100 Subject: [PATCH] Add new DH kex into the FIPS-allowed list --- openssh-7.2p1-fips.patch | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/openssh-7.2p1-fips.patch b/openssh-7.2p1-fips.patch index f8991f0..d4de8b5 100644 --- a/openssh-7.2p1-fips.patch +++ b/openssh-7.2p1-fips.patch @@ -115,11 +115,14 @@ diff -up openssh-7.4p1/kex.c.fips openssh-7.4p1/kex.c #endif #include "ssh2.h" -@@ -125,6 +126,23 @@ static const struct kexalg kexalgs[] = { +@@ -125,6 +126,26 @@ static const struct kexalg kexalgs[] = { { NULL, -1, -1, -1}, }; +static const struct kexalg kexalgs_fips[] = { ++ { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 }, ++ { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 }, ++ { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 }, +#ifdef HAVE_EVP_SHA256 + { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 }, +#endif @@ -306,13 +309,14 @@ diff -up openssh-7.4p1/Makefile.in.fips openssh-7.4p1/Makefile.in diff -up openssh-7.4p1/myproposal.h.fips openssh-7.4p1/myproposal.h --- openssh-7.4p1/myproposal.h.fips 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/myproposal.h 2016-12-23 16:37:49.300741586 +0100 -@@ -138,6 +138,26 @@ +@@ -138,6 +138,27 @@ #define KEX_CLIENT_MAC KEX_SERVER_MAC +#define KEX_DEFAULT_KEX_FIPS \ + KEX_ECDH_METHODS \ -+ KEX_SHA2_METHODS ++ KEX_SHA2_METHODS \ ++ KEX_SHA2_GROUP14 +#define KEX_FIPS_ENCRYPT \ + "aes128-ctr,aes192-ctr,aes256-ctr," \ + "aes128-cbc,3des-cbc," \