From 5ce5bcdb0dded993f4845bac50054adfe8e002d9 Mon Sep 17 00:00:00 2001 From: Nicola Murino Date: Sat, 14 Mar 2020 22:51:09 +0100 Subject: [PATCH] ssh: add support for aes256-gcm@openssh.com --- ssh/cipher.go | 1 + ssh/common.go | 6 +++--- ssh/transport.go | 1 + 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ssh/cipher.go b/ssh/cipher.go index b0204ee59f..43fd974cb3 100644 --- a/ssh/cipher.go +++ b/ssh/cipher.go @@ -116,6 +116,7 @@ var cipherModes = map[string]*cipherMode{ // AEAD ciphers gcmCipherID: {16, 12, newGCMCipher}, + gcm256CipherID: {32, 12, newGCMCipher}, chacha20Poly1305ID: {64, 0, newChaCha20Cipher}, // CBC mode is insecure and so is not included in the default config. diff --git a/ssh/common.go b/ssh/common.go index 290382d059..c11b1ea803 100644 --- a/ssh/common.go +++ b/ssh/common.go @@ -27,7 +27,7 @@ const ( // supportedCiphers lists ciphers we support but might not recommend. var supportedCiphers = []string{ "aes128-ctr", "aes192-ctr", "aes256-ctr", - "aes128-gcm@openssh.com", + gcmCipherID, gcm256CipherID, chacha20Poly1305ID, "arcfour256", "arcfour128", "arcfour", aes128cbcID, @@ -36,7 +36,7 @@ var supportedCiphers = []string{ // preferredCiphers specifies the default preference for ciphers. var preferredCiphers = []string{ - "aes128-gcm@openssh.com", + gcmCipherID, gcm256CipherID, chacha20Poly1305ID, "aes128-ctr", "aes192-ctr", "aes256-ctr", } @@ -137,7 +137,7 @@ func (a *directionAlgorithms) rekeyBytes() int64 { // 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is // 128. switch a.Cipher { - case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, aes128cbcID: + case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, gcm256CipherID, aes128cbcID: return 16 * (1 << 32) } diff --git a/ssh/transport.go b/ssh/transport.go index 49ddc2e7de..75e560f75f 100644 --- a/ssh/transport.go +++ b/ssh/transport.go @@ -18,6 +18,7 @@ const debugTransport = false const ( gcmCipherID = "aes128-gcm@openssh.com" + gcm256CipherID = "aes256-gcm@openssh.com" aes128cbcID = "aes128-cbc" tripledescbcID = "3des-cbc" )