--- a/components/openssh/patches/045-remove_unacceptable_algs.patch Mon Feb 06 13:54:36 2017 -0800
+++ b/components/openssh/patches/045-remove_unacceptable_algs.patch Mon Feb 06 22:51:03 2017 -0800
@@ -8,6 +8,10 @@
# Disabling arcfour used to be implemented by Solaris specific macro
# WITHOUT_ARCFOUR, but now upstream OPENSSL_NO_RC4 is used instead.
#
+# Update Jan 4, 2017:
+# We used to disable 3des-cbc on the client, but now upstream does that too and
+# we no longer have to.
+#
# Patch source: in-house
#
diff -pur old/mac.c new/mac.c
@@ -21,10 +25,10 @@
{ "hmac-md5", SSH_DIGEST, SSH_DIGEST_MD5, 0, 0, 0, 0 },
{ "hmac-md5-96", SSH_DIGEST, SSH_DIGEST_MD5, 96, 0, 0, 0 },
+#endif
+ #ifdef HAVE_EVP_RIPEMD160
{ "hmac-ripemd160", SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 0 },
{ "[email protected]", SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 0 },
- { "[email protected]", SSH_UMAC, 0, 0, 128, 64, 0 },
-@@ -101,8 +103,10 @@ static const struct macalg macs[] = {
+@@ -103,8 +105,10 @@ static const struct macalg macs[] = {
{ "[email protected]", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 },
{ "[email protected]", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 },
#endif
@@ -32,59 +36,27 @@
{ "[email protected]", SSH_DIGEST, SSH_DIGEST_MD5, 0, 0, 0, 1 },
{ "[email protected]", SSH_DIGEST, SSH_DIGEST_MD5, 96, 0, 0, 1 },
+#endif
+ #ifdef HAVE_EVP_RIPEMD160
{ "[email protected]", SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 1 },
- { "[email protected]", SSH_UMAC, 0, 0, 128, 64, 1 },
- { "[email protected]", SSH_UMAC128, 0, 0, 128, 128, 1 },
-diff -pur old/myproposal.h new/myproposal.h
---- old/myproposal.h
-+++ new/myproposal.h
-@@ -140,14 +140,14 @@
- AESGCM_CIPHER_MODES
-
- #define KEX_CLIENT_ENCRYPT_DFLT KEX_SERVER_ENCRYPT_DFLT "," \
-- "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
-+ "aes128-cbc,aes192-cbc,aes256-cbc"
-
- #define KEX_SERVER_ENCRYPT_FIPS \
- "aes128-ctr,aes192-ctr,aes256-ctr" \
- AESGCM_CIPHER_MODES
-
- #define KEX_CLIENT_ENCRYPT_FIPS KEX_SERVER_ENCRYPT_FIPS "," \
-- "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
-+ "aes128-cbc,aes192-cbc,aes256-cbc"
-
- #define KEX_SERVER_MAC_DFLT \
- "[email protected]," \
+ #endif
diff -pur old/ssh_config.5 new/ssh_config.5
--- old/ssh_config.5
+++ new/ssh_config.5
-@@ -470,12 +470,6 @@ [email protected]
- .It
+@@ -427,9 +427,6 @@ aes192-ctr
+ aes256-ctr
+ [email protected]
[email protected]
- .It
-arcfour
--.It
-arcfour128
--.It
-arcfour256
--.It
blowfish-cbc
- .It
[email protected]
-@@ -486,7 +480,7 @@ The default is:
- [email protected],
- aes128-ctr,aes192-ctr,aes256-ctr,
- [email protected],[email protected],
--aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
-+aes128-cbc,aes192-cbc,aes256-cbc
.Ed
- .Pp
- The following ciphers are FIPS-140 approved and are supported in FIPS-140 mode:
diff -pur old/sshd.8 new/sshd.8
--- old/sshd.8
+++ new/sshd.8
-@@ -310,12 +310,12 @@ For protocol 2,
- forward security is provided through a Diffie-Hellman key agreement.
+@@ -258,12 +258,12 @@ host key against its own database to ver
+ Forward security is provided through a Diffie-Hellman key agreement.
This key agreement results in a shared session key.
The rest of the session is encrypted using a symmetric cipher, currently
-128-bit AES, Blowfish, 3DES, Arcfour, 192-bit AES, or 256-bit AES.
@@ -101,7 +73,7 @@
diff -pur old/sshd_config.5 new/sshd_config.5
--- old/sshd_config.5
+++ new/sshd_config.5
-@@ -471,12 +471,6 @@ [email protected]
+@@ -460,12 +460,6 @@ [email protected]
.It
[email protected]
.It
@@ -114,7 +86,7 @@
blowfish-cbc
.It
[email protected]
-@@ -1009,10 +1003,6 @@ The supported MACs are:
+@@ -981,10 +975,6 @@ The supported MACs are:
.Pp
.Bl -item -compact -offset indent
.It
@@ -125,7 +97,7 @@
hmac-ripemd160
.It
hmac-sha1
-@@ -1027,10 +1017,6 @@ [email protected]
+@@ -999,10 +989,6 @@ [email protected]
.It
[email protected]
.It