ssh: add support for aes256-gcm@openssh.com

golang · Feb 15, 2023 · 460b96d · 460b96d
1 parent a9f661c
commit 460b96d
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/ssh/cipher.go b/ssh/cipher.go
@@ -115,6 +115,7 @@ var cipherModes = map[string]*cipherMode{
 
 	// AEAD ciphers
 	gcmCipherID:        {16, 12, newGCMCipher},
+	gcm256CipherID:     {32, 12, newGCMCipher},
 	chacha20Poly1305ID: {64, 0, newChaCha20Cipher},
 
 	// CBC mode is insecure and so is not included in the default config.

diff --git a/ssh/common.go b/ssh/common.go
@@ -28,7 +28,7 @@ const (
 // supportedCiphers lists ciphers we support but might not recommend.
 var supportedCiphers = []string{
 	"aes128-ctr", "aes192-ctr", "aes256-ctr",
-	"aes128-gcm@openssh.com",
+	"aes128-gcm@openssh.com", gcm256CipherID,
 	chacha20Poly1305ID,
 	"arcfour256", "arcfour128", "arcfour",
 	aes128cbcID,
@@ -37,7 +37,7 @@ var supportedCiphers = []string{
 
 // preferredCiphers specifies the default preference for ciphers.
 var preferredCiphers = []string{
-	"aes128-gcm@openssh.com",
+	"aes128-gcm@openssh.com", gcm256CipherID,
 	chacha20Poly1305ID,
 	"aes128-ctr", "aes192-ctr", "aes256-ctr",
 }
@@ -168,7 +168,7 @@ func (a *directionAlgorithms) rekeyBytes() int64 {
 	// 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is
 	// 128.
 	switch a.Cipher {
-	case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, aes128cbcID:
+	case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, gcm256CipherID, aes128cbcID:
 		return 16 * (1 << 32)
 
 	}
@@ -179,6 +179,7 @@ func (a *directionAlgorithms) rekeyBytes() int64 {
 
 var aeadCiphers = map[string]bool{
 	gcmCipherID:        true,
+	gcm256CipherID:     true,
 	chacha20Poly1305ID: true,
 }
 

diff --git a/ssh/transport.go b/ssh/transport.go
@@ -18,6 +18,7 @@ const debugTransport = false
 
 const (
 	gcmCipherID    = "aes128-gcm@openssh.com"
+	gcm256CipherID = "aes256-gcm@openssh.com"
 	aes128cbcID    = "aes128-cbc"
 	tripledescbcID = "3des-cbc"
 )