upstream: Remove unsupported algorithms from list of defaults at run

time and remove ifdef and distinct settings for OPENSSL=no case. This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@ OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
author: dtucker@openbsd.org <dtucker@openbsd.org> 2020-01-23 02:46:49 +0000
committer: Darren Tucker <dtucker@dtucker.net> 2020-01-23 14:40:15 +1100
commit: c4b3a128954ee1b7fbcbda167baf8aca1a3d1c84 (patch)
tree: 60dca3a18ff7ec4bc2f6b9d90f8abb867344fcc9 /myproposal.h
parent: 56cffcc09f8a2e661d2ba02e61364ae6f998b2b1 (diff)
1 files changed, 23 insertions, 115 deletions
diff --git a/myproposal.h b/myproposal.h
index 145704f49..dd2499d66 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.65 2020/01/22 04:58:23 tedu Exp $ */
+/* $OpenBSD: myproposal.h,v 1.66 2020/01/23 02:46:49 dtucker Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -24,110 +24,47 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-#ifdef WITH_OPENSSL
+#define KEX_SERVER_KEX  \
-#include <openssl/opensslv.h>
+        "curve25519-sha256," \
-#endif
+        "curve25519-sha256@libssh.org," \
-/* conditional algorithm support */
-#ifdef OPENSSL_HAS_ECC
-# ifdef OPENSSL_HAS_NISTP521
-#  define KEX_ECDH_METHODS \
        "ecdh-sha2-nistp256," \
        "ecdh-sha2-nistp384," \
-        "ecdh-sha2-nistp521,"
+        "ecdh-sha2-nistp521," \
-#  define HOSTKEY_ECDSA_CERT_METHODS \
-        "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
-        "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
-        "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
-        "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
-#  define HOSTKEY_ECDSA_METHODS \
-        "ecdsa-sha2-nistp256," \
-        "ecdsa-sha2-nistp384," \
-        "ecdsa-sha2-nistp521," \
-        "sk-ecdsa-sha2-nistp256@openssh.com,"
-# else /* OPENSSL_HAS_NISTP521 */
-#  define KEX_ECDH_METHODS \
-        "ecdh-sha2-nistp256," \
-        "ecdh-sha2-nistp384,"
-#  define HOSTKEY_ECDSA_CERT_METHODS \
-        "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
-        "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
-        "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
-#  define HOSTKEY_ECDSA_METHODS \
-        "ecdsa-sha2-nistp256," \
-        "ecdsa-sha2-nistp384," \
-        "sk-ecdsa-sha2-nistp256@openssh.com,"
-# endif /* OPENSSL_HAS_NISTP521 */
-#else /* OPENSSL_HAS_ECC */
-# define KEX_ECDH_METHODS
-# define HOSTKEY_ECDSA_CERT_METHODS
-# define HOSTKEY_ECDSA_METHODS
-#endif /* OPENSSL_HAS_ECC */
-#ifdef OPENSSL_HAVE_EVPGCM
-# define AESGCM_CIPHER_MODES \
-        ",aes128-gcm@openssh.com,aes256-gcm@openssh.com"
-#else
-# define AESGCM_CIPHER_MODES
-#endif
-#ifdef HAVE_EVP_SHA256
-# define KEX_SHA2_METHODS \
        "diffie-hellman-group-exchange-sha256," \
        "diffie-hellman-group16-sha512," \
-        "diffie-hellman-group18-sha512,"
+        "diffie-hellman-group18-sha512," \
-# define KEX_SHA2_GROUP14 \
+        "diffie-hellman-group14-sha256"
-        "diffie-hellman-group14-sha256,"
-#define SHA2_HMAC_MODES \
-        "hmac-sha2-256," \
-        "hmac-sha2-512,"
-#else
-# define KEX_SHA2_METHODS
-# define KEX_SHA2_GROUP14
-# define SHA2_HMAC_MODES
-#endif
-#ifdef WITH_OPENSSL
-# ifdef HAVE_EVP_SHA256
-#  define KEX_CURVE25519_METHODS \
-        "curve25519-sha256," \
-        "curve25519-sha256@libssh.org,"
-# else
-#  define KEX_CURVE25519_METHODS ""
-# endif
-#define KEX_SERVER_KEX \
-        KEX_CURVE25519_METHODS \
-        KEX_ECDH_METHODS \
-        KEX_SHA2_METHODS \
-        KEX_SHA2_GROUP14
 #define KEX_CLIENT_KEX KEX_SERVER_KEX
 #define KEX_DEFAULT_PK_ALG      \
-        HOSTKEY_ECDSA_CERT_METHODS \
+        "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
+        "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
+        "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
+        "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," \
        "ssh-ed25519-cert-v01@openssh.com," \
        "sk-ssh-ed25519-cert-v01@openssh.com," \
        "rsa-sha2-512-cert-v01@openssh.com," \
        "rsa-sha2-256-cert-v01@openssh.com," \
        "ssh-rsa-cert-v01@openssh.com," \
-        HOSTKEY_ECDSA_METHODS \
+        "ecdsa-sha2-nistp256," \
+        "ecdsa-sha2-nistp384," \
+        "ecdsa-sha2-nistp521," \
+        "sk-ecdsa-sha2-nistp256@openssh.com," \
        "ssh-ed25519," \
        "sk-ssh-ed25519@openssh.com," \
        "rsa-sha2-512," \
        "rsa-sha2-256," \
        "ssh-rsa"
-/* the actual algorithms */
+#define KEX_SERVER_ENCRYPT \
-#define KEX_SERVER_ENCRYPT \
        "chacha20-poly1305@openssh.com," \
-        "aes128-ctr,aes192-ctr,aes256-ctr" \
+        "aes128-ctr,aes192-ctr,aes256-ctr," \
-        AESGCM_CIPHER_MODES
+        "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
 #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
-#define KEX_SERVER_MAC \
+#define KEX_SERVER_MAC \
        "umac-64-etm@openssh.com," \
        "umac-128-etm@openssh.com," \
        "hmac-sha2-256-etm@openssh.com," \
@@ -143,44 +80,16 @@
 /* Not a KEX value, but here so all the algorithm defaults are together */
 #define SSH_ALLOWED_CA_SIGALGS  \
-        HOSTKEY_ECDSA_METHODS \
+        "ecdsa-sha2-nistp256," \
+        "ecdsa-sha2-nistp384," \
+        "ecdsa-sha2-nistp521," \
+        "sk-ecdsa-sha2-nistp256@openssh.com," \
        "ssh-ed25519," \
        "sk-ssh-ed25519@openssh.com," \
        "rsa-sha2-512," \
        "rsa-sha2-256," \
        "ssh-rsa"
-#else /* WITH_OPENSSL */
-#define KEX_SERVER_KEX          \
-        "curve25519-sha256," \
-        "curve25519-sha256@libssh.org"
-#define KEX_DEFAULT_PK_ALG      \
-        "ssh-ed25519-cert-v01@openssh.com," \
-        "ssh-ed25519"
-#define KEX_SERVER_ENCRYPT \
-        "chacha20-poly1305@openssh.com," \
-        "aes128-ctr,aes192-ctr,aes256-ctr"
-#define KEX_SERVER_MAC \
-        "umac-64-etm@openssh.com," \
-        "umac-128-etm@openssh.com," \
-        "hmac-sha2-256-etm@openssh.com," \
-        "hmac-sha2-512-etm@openssh.com," \
-        "hmac-sha1-etm@openssh.com," \
-        "umac-64@openssh.com," \
-        "umac-128@openssh.com," \
-        "hmac-sha2-256," \
-        "hmac-sha2-512," \
-        "hmac-sha1"
-#define KEX_CLIENT_KEX KEX_SERVER_KEX
-#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
-#define KEX_CLIENT_MAC KEX_SERVER_MAC
-#define SSH_ALLOWED_CA_SIGALGS  "ssh-ed25519,sk-ssh-ed25519@openssh.com"
-#endif /* WITH_OPENSSL */
 #define KEX_DEFAULT_COMP        "none,zlib@openssh.com"
 #define KEX_DEFAULT_LANG        ""
@@ -207,4 +116,3 @@
        KEX_DEFAULT_COMP, \
        KEX_DEFAULT_LANG, \
        KEX_DEFAULT_LANG
author	dtucker@openbsd.org <dtucker@openbsd.org>	2020-01-23 02:46:49 +0000
committer	Darren Tucker <dtucker@dtucker.net>	2020-01-23 14:40:15 +1100
commit	c4b3a128954ee1b7fbcbda167baf8aca1a3d1c84 (patch)
tree	60dca3a18ff7ec4bc2f6b9d90f8abb867344fcc9 /myproposal.h
parent	56cffcc09f8a2e661d2ba02e61364ae6f998b2b1 (diff)

diff --git a/myproposal.h b/myproposal.h index 145704f49..dd2499d66 100644 --- a/myproposal.h +++ b/myproposal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: myproposal.h,v 1.65 2020/01/22 04:58:23 tedu Exp $ */	1	/* $OpenBSD: myproposal.h,v 1.66 2020/01/23 02:46:49 dtucker Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2000 Markus Friedl. All rights reserved.	4	* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -24,110 +24,47 @@
24	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	24	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25	*/	25	*/
26		26
27	#ifdef WITH_OPENSSL	27	#define KEX_SERVER_KEX \
28	#include <openssl/opensslv.h>	28	"curve25519-sha256," \
29	#endif	29	"curve25519-sha256@libssh.org," \
30
31	/* conditional algorithm support */
32
33	#ifdef OPENSSL_HAS_ECC
34	# ifdef OPENSSL_HAS_NISTP521
35	# define KEX_ECDH_METHODS \
36	"ecdh-sha2-nistp256," \	30	"ecdh-sha2-nistp256," \
37	"ecdh-sha2-nistp384," \	31	"ecdh-sha2-nistp384," \
38	"ecdh-sha2-nistp521,"	32	"ecdh-sha2-nistp521," \
39	# define HOSTKEY_ECDSA_CERT_METHODS \
40	"ecdsa-sha2-nistp256-cert-v01@openssh.com," \
41	"ecdsa-sha2-nistp384-cert-v01@openssh.com," \
42	"ecdsa-sha2-nistp521-cert-v01@openssh.com," \
43	"sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
44	# define HOSTKEY_ECDSA_METHODS \
45	"ecdsa-sha2-nistp256," \
46	"ecdsa-sha2-nistp384," \
47	"ecdsa-sha2-nistp521," \
48	"sk-ecdsa-sha2-nistp256@openssh.com,"
49	# else /* OPENSSL_HAS_NISTP521 */
50	# define KEX_ECDH_METHODS \
51	"ecdh-sha2-nistp256," \
52	"ecdh-sha2-nistp384,"
53	# define HOSTKEY_ECDSA_CERT_METHODS \
54	"ecdsa-sha2-nistp256-cert-v01@openssh.com," \
55	"ecdsa-sha2-nistp384-cert-v01@openssh.com," \
56	"sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
57	# define HOSTKEY_ECDSA_METHODS \
58	"ecdsa-sha2-nistp256," \
59	"ecdsa-sha2-nistp384," \
60	"sk-ecdsa-sha2-nistp256@openssh.com,"
61	# endif /* OPENSSL_HAS_NISTP521 */
62	#else /* OPENSSL_HAS_ECC */
63	# define KEX_ECDH_METHODS
64	# define HOSTKEY_ECDSA_CERT_METHODS
65	# define HOSTKEY_ECDSA_METHODS
66	#endif /* OPENSSL_HAS_ECC */
67
68	#ifdef OPENSSL_HAVE_EVPGCM
69	# define AESGCM_CIPHER_MODES \
70	",aes128-gcm@openssh.com,aes256-gcm@openssh.com"
71	#else
72	# define AESGCM_CIPHER_MODES
73	#endif
74
75	#ifdef HAVE_EVP_SHA256
76	# define KEX_SHA2_METHODS \
77	"diffie-hellman-group-exchange-sha256," \	33	"diffie-hellman-group-exchange-sha256," \
78	"diffie-hellman-group16-sha512," \	34	"diffie-hellman-group16-sha512," \
79	"diffie-hellman-group18-sha512,"	35	"diffie-hellman-group18-sha512," \
80	# define KEX_SHA2_GROUP14 \	36	"diffie-hellman-group14-sha256"
81	"diffie-hellman-group14-sha256,"
82	#define SHA2_HMAC_MODES \
83	"hmac-sha2-256," \
84	"hmac-sha2-512,"
85	#else
86	# define KEX_SHA2_METHODS
87	# define KEX_SHA2_GROUP14
88	# define SHA2_HMAC_MODES
89	#endif
90
91	#ifdef WITH_OPENSSL
92	# ifdef HAVE_EVP_SHA256
93	# define KEX_CURVE25519_METHODS \
94	"curve25519-sha256," \
95	"curve25519-sha256@libssh.org,"
96	# else
97	# define KEX_CURVE25519_METHODS ""
98	# endif
99	#define KEX_SERVER_KEX \
100	KEX_CURVE25519_METHODS \
101	KEX_ECDH_METHODS \
102	KEX_SHA2_METHODS \
103	KEX_SHA2_GROUP14
104		37
105	#define KEX_CLIENT_KEX KEX_SERVER_KEX	38	#define KEX_CLIENT_KEX KEX_SERVER_KEX
106		39
107	#define KEX_DEFAULT_PK_ALG \	40	#define KEX_DEFAULT_PK_ALG \
108	HOSTKEY_ECDSA_CERT_METHODS \	41	"ecdsa-sha2-nistp256-cert-v01@openssh.com," \
		42	"ecdsa-sha2-nistp384-cert-v01@openssh.com," \
		43	"ecdsa-sha2-nistp521-cert-v01@openssh.com," \
		44	"sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," \
109	"ssh-ed25519-cert-v01@openssh.com," \	45	"ssh-ed25519-cert-v01@openssh.com," \
110	"sk-ssh-ed25519-cert-v01@openssh.com," \	46	"sk-ssh-ed25519-cert-v01@openssh.com," \
111	"rsa-sha2-512-cert-v01@openssh.com," \	47	"rsa-sha2-512-cert-v01@openssh.com," \
112	"rsa-sha2-256-cert-v01@openssh.com," \	48	"rsa-sha2-256-cert-v01@openssh.com," \
113	"ssh-rsa-cert-v01@openssh.com," \	49	"ssh-rsa-cert-v01@openssh.com," \
114	HOSTKEY_ECDSA_METHODS \	50	"ecdsa-sha2-nistp256," \
		51	"ecdsa-sha2-nistp384," \
		52	"ecdsa-sha2-nistp521," \
		53	"sk-ecdsa-sha2-nistp256@openssh.com," \
115	"ssh-ed25519," \	54	"ssh-ed25519," \
116	"sk-ssh-ed25519@openssh.com," \	55	"sk-ssh-ed25519@openssh.com," \
117	"rsa-sha2-512," \	56	"rsa-sha2-512," \
118	"rsa-sha2-256," \	57	"rsa-sha2-256," \
119	"ssh-rsa"	58	"ssh-rsa"
120		59
121	/* the actual algorithms */	60	#define KEX_SERVER_ENCRYPT \
122
123	#define KEX_SERVER_ENCRYPT \
124	"chacha20-poly1305@openssh.com," \	61	"chacha20-poly1305@openssh.com," \
125	"aes128-ctr,aes192-ctr,aes256-ctr" \	62	"aes128-ctr,aes192-ctr,aes256-ctr," \
126	AESGCM_CIPHER_MODES	63	"aes128-gcm@openssh.com,aes256-gcm@openssh.com"
127		64
128	#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT	65	#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
129		66
130	#define KEX_SERVER_MAC \	67	#define KEX_SERVER_MAC \
131	"umac-64-etm@openssh.com," \	68	"umac-64-etm@openssh.com," \
132	"umac-128-etm@openssh.com," \	69	"umac-128-etm@openssh.com," \
133	"hmac-sha2-256-etm@openssh.com," \	70	"hmac-sha2-256-etm@openssh.com," \
@@ -143,44 +80,16 @@
143		80
144	/* Not a KEX value, but here so all the algorithm defaults are together */	81	/* Not a KEX value, but here so all the algorithm defaults are together */
145	#define SSH_ALLOWED_CA_SIGALGS \	82	#define SSH_ALLOWED_CA_SIGALGS \
146	HOSTKEY_ECDSA_METHODS \	83	"ecdsa-sha2-nistp256," \
		84	"ecdsa-sha2-nistp384," \
		85	"ecdsa-sha2-nistp521," \
		86	"sk-ecdsa-sha2-nistp256@openssh.com," \
147	"ssh-ed25519," \	87	"ssh-ed25519," \
148	"sk-ssh-ed25519@openssh.com," \	88	"sk-ssh-ed25519@openssh.com," \
149	"rsa-sha2-512," \	89	"rsa-sha2-512," \
150	"rsa-sha2-256," \	90	"rsa-sha2-256," \
151	"ssh-rsa"	91	"ssh-rsa"
152		92
153	#else /* WITH_OPENSSL */
154
155	#define KEX_SERVER_KEX \
156	"curve25519-sha256," \
157	"curve25519-sha256@libssh.org"
158	#define KEX_DEFAULT_PK_ALG \
159	"ssh-ed25519-cert-v01@openssh.com," \
160	"ssh-ed25519"
161	#define KEX_SERVER_ENCRYPT \
162	"chacha20-poly1305@openssh.com," \
163	"aes128-ctr,aes192-ctr,aes256-ctr"
164	#define KEX_SERVER_MAC \
165	"umac-64-etm@openssh.com," \
166	"umac-128-etm@openssh.com," \
167	"hmac-sha2-256-etm@openssh.com," \
168	"hmac-sha2-512-etm@openssh.com," \
169	"hmac-sha1-etm@openssh.com," \
170	"umac-64@openssh.com," \
171	"umac-128@openssh.com," \
172	"hmac-sha2-256," \
173	"hmac-sha2-512," \
174	"hmac-sha1"
175
176	#define KEX_CLIENT_KEX KEX_SERVER_KEX
177	#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
178	#define KEX_CLIENT_MAC KEX_SERVER_MAC
179
180	#define SSH_ALLOWED_CA_SIGALGS "ssh-ed25519,sk-ssh-ed25519@openssh.com"
181
182	#endif /* WITH_OPENSSL */
183
184	#define KEX_DEFAULT_COMP "none,zlib@openssh.com"	93	#define KEX_DEFAULT_COMP "none,zlib@openssh.com"
185	#define KEX_DEFAULT_LANG ""	94	#define KEX_DEFAULT_LANG ""
186		95
@@ -207,4 +116,3 @@
207	KEX_DEFAULT_COMP, \	116	KEX_DEFAULT_COMP, \
208	KEX_DEFAULT_LANG, \	117	KEX_DEFAULT_LANG, \
209	KEX_DEFAULT_LANG	118	KEX_DEFAULT_LANG
210