From 460b96dcdfcf3674f676a8a71c8a291e435ae393 Mon Sep 17 00:00:00 2001 From: Nicola Murino Date: Fri, 18 Mar 2022 16:59:41 +0100 Subject: [PATCH] ssh: add support for aes256-gcm@openssh.com --- ssh/cipher.go | 1 + ssh/common.go | 7 ++++--- ssh/transport.go | 1 + 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ssh/cipher.go b/ssh/cipher.go index 87f48552ce..2be92c8fca 100644 --- a/ssh/cipher.go +++ b/ssh/cipher.go @@ -115,6 +115,7 @@ var cipherModes = map[string]*cipherMode{ // AEAD ciphers gcmCipherID: {16, 12, newGCMCipher}, + gcm256CipherID: {32, 12, newGCMCipher}, chacha20Poly1305ID: {64, 0, newChaCha20Cipher}, // CBC mode is insecure and so is not included in the default config. diff --git a/ssh/common.go b/ssh/common.go index c7964275de..80188d208c 100644 --- a/ssh/common.go +++ b/ssh/common.go @@ -28,7 +28,7 @@ const ( // supportedCiphers lists ciphers we support but might not recommend. var supportedCiphers = []string{ "aes128-ctr", "aes192-ctr", "aes256-ctr", - "aes128-gcm@openssh.com", + "aes128-gcm@openssh.com", gcm256CipherID, chacha20Poly1305ID, "arcfour256", "arcfour128", "arcfour", aes128cbcID, @@ -37,7 +37,7 @@ var supportedCiphers = []string{ // preferredCiphers specifies the default preference for ciphers. var preferredCiphers = []string{ - "aes128-gcm@openssh.com", + "aes128-gcm@openssh.com", gcm256CipherID, chacha20Poly1305ID, "aes128-ctr", "aes192-ctr", "aes256-ctr", } @@ -168,7 +168,7 @@ func (a *directionAlgorithms) rekeyBytes() int64 { // 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is // 128. switch a.Cipher { - case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, aes128cbcID: + case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, gcm256CipherID, aes128cbcID: return 16 * (1 << 32) } @@ -179,6 +179,7 @@ func (a *directionAlgorithms) rekeyBytes() int64 { var aeadCiphers = map[string]bool{ gcmCipherID: true, + gcm256CipherID: true, chacha20Poly1305ID: true, } diff --git a/ssh/transport.go b/ssh/transport.go index acf5a21bbb..55f95ac71b 100644 --- a/ssh/transport.go +++ b/ssh/transport.go @@ -18,6 +18,7 @@ const debugTransport = false const ( gcmCipherID = "aes128-gcm@openssh.com" + gcm256CipherID = "aes256-gcm@openssh.com" aes128cbcID = "aes128-cbc" tripledescbcID = "3des-cbc" )