Add new DH kex into the FIPS-allowed list

2017-03-08 14:37:07 +01:00 · 2017-03-08 14:37:07 +01:00 · fd58b9eabb
commit fd58b9eabb
parent 7b666e5764
1 changed files with 7 additions and 3 deletions
--- a/openssh-7.2p1-fips.patch
+++ b/openssh-7.2p1-fips.patch
@ -115,11 +115,14 @@ diff -up openssh-7.4p1/kex.c.fips openssh-7.4p1/kex.c
 #endif
 #include "ssh2.h"
-@@ -125,6 +126,23 @@ static const struct kexalg kexalgs[] = {
+@@ -125,6 +126,26 @@ static const struct kexalg kexalgs[] = {
 	{ NULL, -1, -1, -1},
 };
 +static const struct kexalg kexalgs_fips[] = {
 +	{ KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
 +	{ KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
 +	{ KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
 +#ifdef HAVE_EVP_SHA256
 +	{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
 +#endif
@ -306,13 +309,14 @@ diff -up openssh-7.4p1/Makefile.in.fips openssh-7.4p1/Makefile.in
 diff -up openssh-7.4p1/myproposal.h.fips openssh-7.4p1/myproposal.h
 --- openssh-7.4p1/myproposal.h.fips	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/myproposal.h	2016-12-23 16:37:49.300741586 +0100
-@@ -138,6 +138,26 @@
+@@ -138,6 +138,27 @@
 #define KEX_CLIENT_MAC KEX_SERVER_MAC
 +#define KEX_DEFAULT_KEX_FIPS		\
 +	KEX_ECDH_METHODS \
-+	KEX_SHA2_METHODS
+	KEX_SHA2_METHODS \
 +	KEX_SHA2_GROUP14
 +#define	KEX_FIPS_ENCRYPT \
 +	"aes128-ctr,aes192-ctr,aes256-ctr," \
 +	"aes128-cbc,3des-cbc," \