openssh/patches/045-remove_unacceptable_algs.patch

#
# In order for OpenSSH to comply with Oracle Software Security Assurance
# Standards (OSSA), completely remove support for unacceptable arcfour* ciphers
# and hmac-md5 Messages Authentication Codes (MACs). Besides that, disable
# deprecated 3des-cbc by default on client (already disabled on the server).
#
# Update Aug 29, 2016:
# Disabling arcfour used to be implemented by Solaris specific macro
# WITHOUT_ARCFOUR, but now upstream OPENSSL_NO_RC4 is used instead.
#
# Patch source: in-house
#
diff -pur old/mac.c new/mac.c
--- old/mac.c
+++ new/mac.c
@@ -87,8 +87,10 @@ static const struct macalg macs[] = {
    { "hmac-sha2-256",          SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 0 },
    { "hmac-sha2-512",          SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 0 },
 #endif
+#ifndef WITHOUT_HMAC_MD5
    { "hmac-md5",               SSH_DIGEST, SSH_DIGEST_MD5, 0, 0, 0, 0 },
    { "hmac-md5-96",            SSH_DIGEST, SSH_DIGEST_MD5, 96, 0, 0, 0 },
+#endif
    { "hmac-ripemd160",         SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 0 },
    { "hmac-ripemd160@openssh.com",     SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 0 },
    { "umac-64@openssh.com",        SSH_UMAC, 0, 0, 128, 64, 0 },
@@ -101,8 +103,10 @@ static const struct macalg macs[] = {
    { "hmac-sha2-256-etm@openssh.com",  SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 },
    { "hmac-sha2-512-etm@openssh.com",  SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 },
 #endif
+#ifndef WITHOUT_HMAC_MD5
    { "hmac-md5-etm@openssh.com",       SSH_DIGEST, SSH_DIGEST_MD5, 0, 0, 0, 1 },
    { "hmac-md5-96-etm@openssh.com",    SSH_DIGEST, SSH_DIGEST_MD5, 96, 0, 0, 1 },
+#endif
    { "hmac-ripemd160-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 1 },
    { "umac-64-etm@openssh.com",        SSH_UMAC, 0, 0, 128, 64, 1 },
    { "umac-128-etm@openssh.com",       SSH_UMAC128, 0, 0, 128, 128, 1 },
diff -pur old/myproposal.h new/myproposal.h
--- old/myproposal.h
+++ new/myproposal.h
@@ -140,14 +140,14 @@
    AESGCM_CIPHER_MODES

 #define KEX_CLIENT_ENCRYPT_DFLT KEX_SERVER_ENCRYPT_DFLT "," \
-   "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
+   "aes128-cbc,aes192-cbc,aes256-cbc"

 #define KEX_SERVER_ENCRYPT_FIPS \
    "aes128-ctr,aes192-ctr,aes256-ctr" \
    AESGCM_CIPHER_MODES

 #define KEX_CLIENT_ENCRYPT_FIPS KEX_SERVER_ENCRYPT_FIPS "," \
-   "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc"
+   "aes128-cbc,aes192-cbc,aes256-cbc"

 #define KEX_SERVER_MAC_DFLT \
    "umac-64-etm@openssh.com," \
diff -pur old/ssh_config.5 new/ssh_config.5
--- old/ssh_config.5
+++ new/ssh_config.5
@@ -470,12 +470,6 @@ aes128-gcm@openssh.com
 .It
 aes256-gcm@openssh.com
 .It
-arcfour
-.It
-arcfour128
-.It
-arcfour256
-.It
 blowfish-cbc
 .It
 chacha20-poly1305@openssh.com
@@ -486,7 +480,7 @@ The default is:
 chacha20-poly1305@openssh.com,
 aes128-ctr,aes192-ctr,aes256-ctr,
 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
-aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
+aes128-cbc,aes192-cbc,aes256-cbc
 .Ed
 .Pp
 The following ciphers are FIPS-140 approved and are supported in FIPS-140 mode:
diff -pur old/sshd.8 new/sshd.8
--- old/sshd.8
+++ new/sshd.8
@@ -310,12 +310,12 @@ For protocol 2,
 forward security is provided through a Diffie-Hellman key agreement.
 This key agreement results in a shared session key.
 The rest of the session is encrypted using a symmetric cipher, currently
-128-bit AES, Blowfish, 3DES, Arcfour, 192-bit AES, or 256-bit AES.
+128-bit AES, Blowfish, 3DES, 192-bit AES, or 256-bit AES.
 The client selects the encryption algorithm
 to use from those offered by the server.
 Additionally, session integrity is provided
 through a cryptographic message authentication code
-(hmac-md5, hmac-sha1, umac-64, umac-128, hmac-ripemd160,
+(hmac-sha1, umac-64, umac-128, hmac-ripemd160,
 hmac-sha2-256 or hmac-sha2-512).
 .Pp
 Finally, the server and the client enter an authentication dialog.
diff -pur old/sshd_config.5 new/sshd_config.5
--- old/sshd_config.5
+++ new/sshd_config.5
@@ -471,12 +471,6 @@ aes128-gcm@openssh.com
 .It
 aes256-gcm@openssh.com
 .It
-arcfour
-.It
-arcfour128
-.It
-arcfour256
-.It
 blowfish-cbc
 .It
 chacha20-poly1305@openssh.com
@@ -1009,10 +1003,6 @@ The supported MACs are:
 .Pp
 .Bl -item -compact -offset indent
 .It
-hmac-md5
-.It
-hmac-md5-96
-.It
 hmac-ripemd160
 .It
 hmac-sha1
@@ -1027,10 +1017,6 @@ umac-64@openssh.com
 .It
 umac-128@openssh.com
 .It
-hmac-md5-etm@openssh.com
-.It
-hmac-md5-96-etm@openssh.com
-.It
 hmac-ripemd160-etm@openssh.com
 .It
 hmac-sha1-etm@openssh.com