Remove *sha1 Kex in FIPS mode (#1324493)
This commit is contained in:
Jakub Jelen
parent
117a730ded
commit
0509c6c977
@ -676,3 +676,31 @@ index f282907..51bbffb 100644
|
|||||||
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
|
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
|
||||||
};
|
};
|
||||||
|
|
||||||
|
diff --git a/kex.c b/kex.c
|
||||||
|
index f07a636..4ce5843 100644
|
||||||
|
--- a/kex.c
|
||||||
|
+++ b/kex.c
|
||||||
|
@@ -123,8 +123,6 @@ static const struct kexalg kexalgs[] = {
|
||||||
|
};
|
||||||
|
|
||||||
|
static const struct kexalg kexalgs_fips[] = {
|
||||||
|
- { KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||||
|
- { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||||
|
#ifdef HAVE_EVP_SHA256
|
||||||
|
{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
|
||||||
|
#endif
|
||||||
|
diff --git a/myproposal.h b/myproposal.h
|
||||||
|
index 7efe312..bcf2ae1 100644
|
||||||
|
--- a/myproposal.h
|
||||||
|
+++ b/myproposal.h
|
||||||
|
@@ -131,9 +131,7 @@
|
||||||
|
|
||||||
|
#define KEX_DEFAULT_KEX_FIPS \
|
||||||
|
KEX_ECDH_METHODS \
|
||||||
|
- KEX_SHA256_METHODS \
|
||||||
|
- "diffie-hellman-group-exchange-sha1," \
|
||||||
|
- "diffie-hellman-group14-sha1"
|
||||||
|
+ KEX_SHA256_METHODS
|
||||||
|
#define KEX_FIPS_ENCRYPT \
|
||||||
|
"aes128-ctr,aes192-ctr,aes256-ctr," \
|
||||||
|
"aes128-cbc,3des-cbc," \
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user