Three commits in one (since they touch the same heavily-diverged file

repeatedly): - markus@cvs.openbsd.org 2014/03/25 09:40:03 [myproposal.h] trimm default proposals. This commit removes the weaker pre-SHA2 hashes, the broken ciphers (arcfour), and the broken modes (CBC) from the default configuration (the patch only changes the default, all the modes are still available for the config files). ok djm@, reminded by tedu@ & naddy@ and discussed with many - deraadt@cvs.openbsd.org 2014/03/26 17:16:26 [myproposal.h] The current sharing of myproposal[] between both client and server code makes the previous diff highly unpallatable. We want to go in that direction for the server, but not for the client. Sigh. Brought up by naddy. - markus@cvs.openbsd.org 2014/03/27 23:01:27 [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] disable weak proposals in sshd, but keep them in ssh; ok djm@
author: Damien Miller <djm@mindrot.org> 2014-04-20 13:17:20 +1000
committer: Damien Miller <djm@mindrot.org> 2014-04-20 13:17:20 +1000
commit: 9235a030ad1b16903fb495d81544e0f7c7449523 (patch)
tree: 3cb61622daa8f3b0caf0e53fd8bfab5534def35e /myproposal.h
parent: 6e1777f592f15f4559728c78204617537b1ac076 (diff)
1 files changed, 42 insertions, 27 deletions
diff --git a/myproposal.h b/myproposal.h
index 3a0f5aeab..94d6f7061 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.35 2013/12/06 13:39:49 markus Exp $ */
+/* $OpenBSD: myproposal.h,v 1.38 2014/03/27 23:01:27 markus Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -69,23 +69,22 @@
 #ifdef HAVE_EVP_SHA256
 # define KEX_SHA256_METHODS \
        "diffie-hellman-group-exchange-sha256,"
-#define KEX_CURVE25519_METHODS \
-        "curve25519-sha256@libssh.org,"
 #define SHA2_HMAC_MODES \
        "hmac-sha2-256," \
        "hmac-sha2-512,"
 #else
 # define KEX_SHA256_METHODS
-# define KEX_CURVE25519_METHODS
 # define SHA2_HMAC_MODES
 #endif
-# define KEX_DEFAULT_KEX \
+#define KEX_SERVER_KEX          \
-        KEX_CURVE25519_METHODS \
+        "curve25519-sha256@libssh.org," \
        KEX_ECDH_METHODS \
        KEX_SHA256_METHODS \
+        "diffie-hellman-group14-sha1"
+#define KEX_CLIENT_KEX KEX_SERVER_KEX "," \
        "diffie-hellman-group-exchange-sha1," \
-        "diffie-hellman-group14-sha1," \
        "diffie-hellman-group1-sha1"
 #define KEX_DEFAULT_PK_ALG      \
@@ -102,29 +101,34 @@
 /* the actual algorithms */
-#define KEX_DEFAULT_ENCRYPT \
+#define KEX_SERVER_ENCRYPT \
        "aes128-ctr,aes192-ctr,aes256-ctr," \
-        "arcfour256,arcfour128," \
        AESGCM_CIPHER_MODES \
-        "chacha20-poly1305@openssh.com," \
+        "chacha20-poly1305@openssh.com"
+#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
+        "arcfour256,arcfour128," \
        "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
        "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
-#define KEX_DEFAULT_MAC \
+#define KEX_SERVER_MAC \
-        "hmac-md5-etm@openssh.com," \
-        "hmac-sha1-etm@openssh.com," \
        "umac-64-etm@openssh.com," \
        "umac-128-etm@openssh.com," \
        "hmac-sha2-256-etm@openssh.com," \
        "hmac-sha2-512-etm@openssh.com," \
+        "umac-64@openssh.com," \
+        "umac-128@openssh.com," \
+        "hmac-sha2-256," \
+        "hmac-sha2-512"
+#define KEX_CLIENT_MAC KEX_SERVER_MAC "," \
+        "hmac-md5-etm@openssh.com," \
+        "hmac-sha1-etm@openssh.com," \
        "hmac-ripemd160-etm@openssh.com," \
        "hmac-sha1-96-etm@openssh.com," \
        "hmac-md5-96-etm@openssh.com," \
        "hmac-md5," \
        "hmac-sha1," \
-        "umac-64@openssh.com," \
-        "umac-128@openssh.com," \
-        SHA2_HMAC_MODES \
        "hmac-ripemd160," \
        "hmac-ripemd160@openssh.com," \
        "hmac-sha1-96," \
@@ -133,16 +137,27 @@
 #define KEX_DEFAULT_COMP        "none,zlib@openssh.com,zlib"
 #define KEX_DEFAULT_LANG        ""
+#define KEX_CLIENT \
+        KEX_CLIENT_KEX, \
+        KEX_DEFAULT_PK_ALG, \
+        KEX_CLIENT_ENCRYPT, \
+        KEX_CLIENT_ENCRYPT, \
+        KEX_CLIENT_MAC, \
+        KEX_CLIENT_MAC, \
+        KEX_DEFAULT_COMP, \
+        KEX_DEFAULT_COMP, \
+        KEX_DEFAULT_LANG, \
+        KEX_DEFAULT_LANG
-static char *myproposal[PROPOSAL_MAX] = {
+#define KEX_SERVER \
-        KEX_DEFAULT_KEX,
+        KEX_SERVER_KEX, \
-        KEX_DEFAULT_PK_ALG,
+        KEX_DEFAULT_PK_ALG, \
-        KEX_DEFAULT_ENCRYPT,
+        KEX_SERVER_ENCRYPT, \
-        KEX_DEFAULT_ENCRYPT,
+        KEX_SERVER_ENCRYPT, \
-        KEX_DEFAULT_MAC,
+        KEX_SERVER_MAC, \
-        KEX_DEFAULT_MAC,
+        KEX_SERVER_MAC, \
-        KEX_DEFAULT_COMP,
+        KEX_DEFAULT_COMP, \
-        KEX_DEFAULT_COMP,
+        KEX_DEFAULT_COMP, \
-        KEX_DEFAULT_LANG,
+        KEX_DEFAULT_LANG, \
        KEX_DEFAULT_LANG
-};
author	Damien Miller <djm@mindrot.org>	2014-04-20 13:17:20 +1000
committer	Damien Miller <djm@mindrot.org>	2014-04-20 13:17:20 +1000
commit	9235a030ad1b16903fb495d81544e0f7c7449523 (patch)
tree	3cb61622daa8f3b0caf0e53fd8bfab5534def35e /myproposal.h
parent	6e1777f592f15f4559728c78204617537b1ac076 (diff)

diff --git a/myproposal.h b/myproposal.h index 3a0f5aeab..94d6f7061 100644 --- a/myproposal.h +++ b/myproposal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: myproposal.h,v 1.35 2013/12/06 13:39:49 markus Exp $ */	1	/* $OpenBSD: myproposal.h,v 1.38 2014/03/27 23:01:27 markus Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2000 Markus Friedl. All rights reserved.	4	* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -69,23 +69,22 @@
69	#ifdef HAVE_EVP_SHA256	69	#ifdef HAVE_EVP_SHA256
70	# define KEX_SHA256_METHODS \	70	# define KEX_SHA256_METHODS \
71	"diffie-hellman-group-exchange-sha256,"	71	"diffie-hellman-group-exchange-sha256,"
72	#define KEX_CURVE25519_METHODS \
73	"curve25519-sha256@libssh.org,"
74	#define SHA2_HMAC_MODES \	72	#define SHA2_HMAC_MODES \
75	"hmac-sha2-256," \	73	"hmac-sha2-256," \
76	"hmac-sha2-512,"	74	"hmac-sha2-512,"
77	#else	75	#else
78	# define KEX_SHA256_METHODS	76	# define KEX_SHA256_METHODS
79	# define KEX_CURVE25519_METHODS
80	# define SHA2_HMAC_MODES	77	# define SHA2_HMAC_MODES
81	#endif	78	#endif
82		79
83	# define KEX_DEFAULT_KEX \	80	#define KEX_SERVER_KEX \
84	KEX_CURVE25519_METHODS \	81	"curve25519-sha256@libssh.org," \
85	KEX_ECDH_METHODS \	82	KEX_ECDH_METHODS \
86	KEX_SHA256_METHODS \	83	KEX_SHA256_METHODS \
		84	"diffie-hellman-group14-sha1"
		85
		86	#define KEX_CLIENT_KEX KEX_SERVER_KEX "," \
87	"diffie-hellman-group-exchange-sha1," \	87	"diffie-hellman-group-exchange-sha1," \
88	"diffie-hellman-group14-sha1," \
89	"diffie-hellman-group1-sha1"	88	"diffie-hellman-group1-sha1"
90		89
91	#define KEX_DEFAULT_PK_ALG \	90	#define KEX_DEFAULT_PK_ALG \
@@ -102,29 +101,34 @@
102		101
103	/* the actual algorithms */	102	/* the actual algorithms */
104		103
105	#define KEX_DEFAULT_ENCRYPT \	104	#define KEX_SERVER_ENCRYPT \
106	"aes128-ctr,aes192-ctr,aes256-ctr," \	105	"aes128-ctr,aes192-ctr,aes256-ctr," \
107	"arcfour256,arcfour128," \
108	AESGCM_CIPHER_MODES \	106	AESGCM_CIPHER_MODES \
109	"chacha20-poly1305@openssh.com," \	107	"chacha20-poly1305@openssh.com"
		108
		109	#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
		110	"arcfour256,arcfour128," \
110	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \	111	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
111	"aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"	112	"aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
112		113
113	#define KEX_DEFAULT_MAC \	114	#define KEX_SERVER_MAC \
114	"hmac-md5-etm@openssh.com," \
115	"hmac-sha1-etm@openssh.com," \
116	"umac-64-etm@openssh.com," \	115	"umac-64-etm@openssh.com," \
117	"umac-128-etm@openssh.com," \	116	"umac-128-etm@openssh.com," \
118	"hmac-sha2-256-etm@openssh.com," \	117	"hmac-sha2-256-etm@openssh.com," \
119	"hmac-sha2-512-etm@openssh.com," \	118	"hmac-sha2-512-etm@openssh.com," \
		119	"umac-64@openssh.com," \
		120	"umac-128@openssh.com," \
		121	"hmac-sha2-256," \
		122	"hmac-sha2-512"
		123
		124	#define KEX_CLIENT_MAC KEX_SERVER_MAC "," \
		125	"hmac-md5-etm@openssh.com," \
		126	"hmac-sha1-etm@openssh.com," \
120	"hmac-ripemd160-etm@openssh.com," \	127	"hmac-ripemd160-etm@openssh.com," \
121	"hmac-sha1-96-etm@openssh.com," \	128	"hmac-sha1-96-etm@openssh.com," \
122	"hmac-md5-96-etm@openssh.com," \	129	"hmac-md5-96-etm@openssh.com," \
123	"hmac-md5," \	130	"hmac-md5," \
124	"hmac-sha1," \	131	"hmac-sha1," \
125	"umac-64@openssh.com," \
126	"umac-128@openssh.com," \
127	SHA2_HMAC_MODES \
128	"hmac-ripemd160," \	132	"hmac-ripemd160," \
129	"hmac-ripemd160@openssh.com," \	133	"hmac-ripemd160@openssh.com," \
130	"hmac-sha1-96," \	134	"hmac-sha1-96," \
@@ -133,16 +137,27 @@
133	#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"	137	#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
134	#define KEX_DEFAULT_LANG ""	138	#define KEX_DEFAULT_LANG ""
135		139
		140	#define KEX_CLIENT \
		141	KEX_CLIENT_KEX, \
		142	KEX_DEFAULT_PK_ALG, \
		143	KEX_CLIENT_ENCRYPT, \
		144	KEX_CLIENT_ENCRYPT, \
		145	KEX_CLIENT_MAC, \
		146	KEX_CLIENT_MAC, \
		147	KEX_DEFAULT_COMP, \
		148	KEX_DEFAULT_COMP, \
		149	KEX_DEFAULT_LANG, \
		150	KEX_DEFAULT_LANG
136		151
137	static char *myproposal[PROPOSAL_MAX] = {	152	#define KEX_SERVER \
138	KEX_DEFAULT_KEX,	153	KEX_SERVER_KEX, \
139	KEX_DEFAULT_PK_ALG,	154	KEX_DEFAULT_PK_ALG, \
140	KEX_DEFAULT_ENCRYPT,	155	KEX_SERVER_ENCRYPT, \
141	KEX_DEFAULT_ENCRYPT,	156	KEX_SERVER_ENCRYPT, \
142	KEX_DEFAULT_MAC,	157	KEX_SERVER_MAC, \
143	KEX_DEFAULT_MAC,	158	KEX_SERVER_MAC, \
144	KEX_DEFAULT_COMP,	159	KEX_DEFAULT_COMP, \
145	KEX_DEFAULT_COMP,	160	KEX_DEFAULT_COMP, \
146	KEX_DEFAULT_LANG,	161	KEX_DEFAULT_LANG, \
147	KEX_DEFAULT_LANG	162	KEX_DEFAULT_LANG
148	};	163