19 #endif |
23 #endif |
20 +#ifndef WITHOUT_HMAC_MD5 |
24 +#ifndef WITHOUT_HMAC_MD5 |
21 { "hmac-md5", SSH_DIGEST, SSH_DIGEST_MD5, 0, 0, 0, 0 }, |
25 { "hmac-md5", SSH_DIGEST, SSH_DIGEST_MD5, 0, 0, 0, 0 }, |
22 { "hmac-md5-96", SSH_DIGEST, SSH_DIGEST_MD5, 96, 0, 0, 0 }, |
26 { "hmac-md5-96", SSH_DIGEST, SSH_DIGEST_MD5, 96, 0, 0, 0 }, |
23 +#endif |
27 +#endif |
|
28 #ifdef HAVE_EVP_RIPEMD160 |
24 { "hmac-ripemd160", SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 0 }, |
29 { "hmac-ripemd160", SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 0 }, |
25 { "[email protected]", SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 0 }, |
30 { "[email protected]", SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 0 }, |
26 { "[email protected]", SSH_UMAC, 0, 0, 128, 64, 0 }, |
31 @@ -103,8 +105,10 @@ static const struct macalg macs[] = { |
27 @@ -101,8 +103,10 @@ static const struct macalg macs[] = { |
|
28 { "[email protected]", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 }, |
32 { "[email protected]", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 }, |
29 { "[email protected]", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 }, |
33 { "[email protected]", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 }, |
30 #endif |
34 #endif |
31 +#ifndef WITHOUT_HMAC_MD5 |
35 +#ifndef WITHOUT_HMAC_MD5 |
32 { "[email protected]", SSH_DIGEST, SSH_DIGEST_MD5, 0, 0, 0, 1 }, |
36 { "[email protected]", SSH_DIGEST, SSH_DIGEST_MD5, 0, 0, 0, 1 }, |
33 { "[email protected]", SSH_DIGEST, SSH_DIGEST_MD5, 96, 0, 0, 1 }, |
37 { "[email protected]", SSH_DIGEST, SSH_DIGEST_MD5, 96, 0, 0, 1 }, |
34 +#endif |
38 +#endif |
|
39 #ifdef HAVE_EVP_RIPEMD160 |
35 { "[email protected]", SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 1 }, |
40 { "[email protected]", SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 1 }, |
36 { "[email protected]", SSH_UMAC, 0, 0, 128, 64, 1 }, |
41 #endif |
37 { "[email protected]", SSH_UMAC128, 0, 0, 128, 128, 1 }, |
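Review bot: The `#ifndef WITHOUT_HMAC_MD5` guard around the two SSH_DIGEST_MD5 entries in this hunk is opt-out, so a build that does not define the macro still compiles the MD5-based MACs into `macs[]`; the same guard wraps the `hmac-md5` and `hmac-md5-96` entries earlier in the table. Nothing visible in the patch shows where the macro is set, so a one-line comment above the first guard would help, for example `/* MD5 MACs are compiled out when the build defines WITHOUT_HMAC_MD5 */`. It is also worth confirming that the MAC default strings in myproposal.h do not name these algorithms when the macro is defined, because the table and the proposal would otherwise disagree; only the first line of KEX_SERVER_MAC_DFLT is visible here. The `macs[]` initializer starts and ends outside the hunk.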
|
38 diff -pur old/myproposal.h new/myproposal.h |
|
39 --- old/myproposal.h |
|
40 +++ new/myproposal.h |
|
41 @@ -140,14 +140,14 @@ |
|
42 AESGCM_CIPHER_MODES |
|
43 |
|
44 #define KEX_CLIENT_ENCRYPT_DFLT KEX_SERVER_ENCRYPT_DFLT "," \ |
|
45 - "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" |
|
46 + "aes128-cbc,aes192-cbc,aes256-cbc" |
|
47 |
|
48 #define KEX_SERVER_ENCRYPT_FIPS \ |
|
49 "aes128-ctr,aes192-ctr,aes256-ctr" \ |
|
50 AESGCM_CIPHER_MODES |
|
51 |
|
52 #define KEX_CLIENT_ENCRYPT_FIPS KEX_SERVER_ENCRYPT_FIPS "," \ |
|
53 - "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" |
|
54 + "aes128-cbc,aes192-cbc,aes256-cbc" |
|
55 |
|
56 #define KEX_SERVER_MAC_DFLT \ |
|
57 "[email protected]," \ |
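Review bot: KEX_CLIENT_ENCRYPT_DFLT and KEX_CLIENT_ENCRYPT_FIPS now repeat the same literal `"aes128-cbc,aes192-cbc,aes256-cbc"`, and neither define records why 3des-cbc left the client proposal. Sharing the list through one macro, for example `#define KEX_CLIENT_CBC_MODES "aes128-cbc,aes192-cbc,aes256-cbc"`, would keep the default and FIPS variants from drifting apart. A short comment above it should state that 3des-cbc is deliberately not offered by default and whether it can still be selected explicitly. The ssh_config.5 hunk updates the documented default to match, but the FIPS cipher list in that man page is not visible here and should be checked against the new KEX_CLIENT_ENCRYPT_FIPS.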
|
58 diff -pur old/ssh_config.5 new/ssh_config.5 |
42 diff -pur old/ssh_config.5 new/ssh_config.5 |
59 --- old/ssh_config.5 |
43 --- old/ssh_config.5 |
60 +++ new/ssh_config.5 |
44 +++ new/ssh_config.5 |
61 @@ -470,12 +470,6 @@ [email protected] |
45 @@ -427,9 +427,6 @@ aes192-ctr |
62 .It |
46 aes256-ctr |
|
47 [email protected] |
63 [email protected] |
48 [email protected] |
64 .It |
|
65 -arcfour |
49 -arcfour |
66 -.It |
|
67 -arcfour128 |
50 -arcfour128 |
68 -.It |
|
69 -arcfour256 |
51 -arcfour256 |
70 -.It |
|
71 blowfish-cbc |
52 blowfish-cbc |
72 .It |
|
73 [email protected] |
53 [email protected] |
74 @@ -486,7 +480,7 @@ The default is: |
|
75 [email protected], |
|
76 aes128-ctr,aes192-ctr,aes256-ctr, |
|
77 [email protected],[email protected], |
|
78 -aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc |
|
79 +aes128-cbc,aes192-cbc,aes256-cbc |
|
80 .Ed |
54 .Ed |
81 .Pp |
|
82 The following ciphers are FIPS-140 approved and are supported in FIPS-140 mode: |
|
83 diff -pur old/sshd.8 new/sshd.8 |
55 diff -pur old/sshd.8 new/sshd.8 |
84 --- old/sshd.8 |
56 --- old/sshd.8 |
85 +++ new/sshd.8 |
57 +++ new/sshd.8 |
86 @@ -310,12 +310,12 @@ For protocol 2, |
58 @@ -258,12 +258,12 @@ host key against its own database to ver |
87 forward security is provided through a Diffie-Hellman key agreement. |
59 Forward security is provided through a Diffie-Hellman key agreement. |
88 This key agreement results in a shared session key. |
60 This key agreement results in a shared session key. |
89 The rest of the session is encrypted using a symmetric cipher, currently |
61 The rest of the session is encrypted using a symmetric cipher, currently |
90 -128-bit AES, Blowfish, 3DES, Arcfour, 192-bit AES, or 256-bit AES. |
62 -128-bit AES, Blowfish, 3DES, Arcfour, 192-bit AES, or 256-bit AES. |
91 +128-bit AES, Blowfish, 3DES, 192-bit AES, or 256-bit AES. |
63 +128-bit AES, Blowfish, 3DES, 192-bit AES, or 256-bit AES. |
92 The client selects the encryption algorithm |
64 The client selects the encryption algorithm |