Diffstat (limited to 'myproposal.h')
-rw-r--r-- | myproposal.h | 138 |
1 files changed, 23 insertions, 115 deletions
diff --git a/myproposal.h b/myproposal.h index 145704f49..dd2499d66 100644 --- a/myproposal.h +++ b/myproposal.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: myproposal.h,v 1.65 2020/01/22 04:58:23 tedu Exp $ */ | 1 | /* $OpenBSD: myproposal.h,v 1.66 2020/01/23 02:46:49 dtucker Exp $ */ |
2 | 2 | ||
3 | /* | 3 | /* |
4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
@@ -24,110 +24,47 @@ | |||
24 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 24 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
25 | */ | 25 | */ |
26 | 26 | ||
27 | #ifdef WITH_OPENSSL | 27 | #define KEX_SERVER_KEX \ |
28 | #include <openssl/opensslv.h> | 28 | "curve25519-sha256," \ |
29 | #endif | 29 | "curve25519-sha256@libssh.org," \ |
30 | |||
31 | /* conditional algorithm support */ | ||
32 | |||
33 | #ifdef OPENSSL_HAS_ECC | ||
34 | # ifdef OPENSSL_HAS_NISTP521 | ||
35 | # define KEX_ECDH_METHODS \ | ||
36 | "ecdh-sha2-nistp256," \ | 30 | "ecdh-sha2-nistp256," \ |
37 | "ecdh-sha2-nistp384," \ | 31 | "ecdh-sha2-nistp384," \ |
38 | "ecdh-sha2-nistp521," | 32 | "ecdh-sha2-nistp521," \ |
39 | # define HOSTKEY_ECDSA_CERT_METHODS \ | ||
40 | "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ | ||
41 | "ecdsa-sha2-nistp384-cert-v01@openssh.com," \ | ||
42 | "ecdsa-sha2-nistp521-cert-v01@openssh.com," \ | ||
43 | "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," | ||
44 | # define HOSTKEY_ECDSA_METHODS \ | ||
45 | "ecdsa-sha2-nistp256," \ | ||
46 | "ecdsa-sha2-nistp384," \ | ||
47 | "ecdsa-sha2-nistp521," \ | ||
48 | "sk-ecdsa-sha2-nistp256@openssh.com," | ||
49 | # else /* OPENSSL_HAS_NISTP521 */ | ||
50 | # define KEX_ECDH_METHODS \ | ||
51 | "ecdh-sha2-nistp256," \ | ||
52 | "ecdh-sha2-nistp384," | ||
53 | # define HOSTKEY_ECDSA_CERT_METHODS \ | ||
54 | "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ | ||
55 | "ecdsa-sha2-nistp384-cert-v01@openssh.com," \ | ||
56 | "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," | ||
57 | # define HOSTKEY_ECDSA_METHODS \ | ||
58 | "ecdsa-sha2-nistp256," \ | ||
59 | "ecdsa-sha2-nistp384," \ | ||
60 | "sk-ecdsa-sha2-nistp256@openssh.com," | ||
61 | # endif /* OPENSSL_HAS_NISTP521 */ | ||
62 | #else /* OPENSSL_HAS_ECC */ | ||
63 | # define KEX_ECDH_METHODS | ||
64 | # define HOSTKEY_ECDSA_CERT_METHODS | ||
65 | # define HOSTKEY_ECDSA_METHODS | ||
66 | #endif /* OPENSSL_HAS_ECC */ | ||
67 | |||
68 | #ifdef OPENSSL_HAVE_EVPGCM | ||
69 | # define AESGCM_CIPHER_MODES \ | ||
70 | ",aes128-gcm@openssh.com,aes256-gcm@openssh.com" | ||
71 | #else | ||
72 | # define AESGCM_CIPHER_MODES | ||
73 | #endif | ||
74 | |||
75 | #ifdef HAVE_EVP_SHA256 | ||
76 | # define KEX_SHA2_METHODS \ | ||
77 | "diffie-hellman-group-exchange-sha256," \ | 33 | "diffie-hellman-group-exchange-sha256," \ |
78 | "diffie-hellman-group16-sha512," \ | 34 | "diffie-hellman-group16-sha512," \ |
79 | "diffie-hellman-group18-sha512," | 35 | "diffie-hellman-group18-sha512," \ |
80 | # define KEX_SHA2_GROUP14 \ | 36 | "diffie-hellman-group14-sha256" |
81 | "diffie-hellman-group14-sha256," | ||
82 | #define SHA2_HMAC_MODES \ | ||
83 | "hmac-sha2-256," \ | ||
84 | "hmac-sha2-512," | ||
85 | #else | ||
86 | # define KEX_SHA2_METHODS | ||
87 | # define KEX_SHA2_GROUP14 | ||
88 | # define SHA2_HMAC_MODES | ||
89 | #endif | ||
90 | |||
91 | #ifdef WITH_OPENSSL | ||
92 | # ifdef HAVE_EVP_SHA256 | ||
93 | # define KEX_CURVE25519_METHODS \ | ||
94 | "curve25519-sha256," \ | ||
95 | "curve25519-sha256@libssh.org," | ||
96 | # else | ||
97 | # define KEX_CURVE25519_METHODS "" | ||
98 | # endif | ||
99 | #define KEX_SERVER_KEX \ | ||
100 | KEX_CURVE25519_METHODS \ | ||
101 | KEX_ECDH_METHODS \ | ||
102 | KEX_SHA2_METHODS \ | ||
103 | KEX_SHA2_GROUP14 | ||
104 | 37 | ||
105 | #define KEX_CLIENT_KEX KEX_SERVER_KEX | 38 | #define KEX_CLIENT_KEX KEX_SERVER_KEX |
106 | 39 | ||
107 | #define KEX_DEFAULT_PK_ALG \ | 40 | #define KEX_DEFAULT_PK_ALG \ |
108 | HOSTKEY_ECDSA_CERT_METHODS \ | 41 | "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ |
42 | "ecdsa-sha2-nistp384-cert-v01@openssh.com," \ | ||
43 | "ecdsa-sha2-nistp521-cert-v01@openssh.com," \ | ||
44 | "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," \ | ||
109 | "ssh-ed25519-cert-v01@openssh.com," \ | 45 | "ssh-ed25519-cert-v01@openssh.com," \ |
110 | "sk-ssh-ed25519-cert-v01@openssh.com," \ | 46 | "sk-ssh-ed25519-cert-v01@openssh.com," \ |
111 | "rsa-sha2-512-cert-v01@openssh.com," \ | 47 | "rsa-sha2-512-cert-v01@openssh.com," \ |
112 | "rsa-sha2-256-cert-v01@openssh.com," \ | 48 | "rsa-sha2-256-cert-v01@openssh.com," \ |
113 | "ssh-rsa-cert-v01@openssh.com," \ | 49 | "ssh-rsa-cert-v01@openssh.com," \ |
114 | HOSTKEY_ECDSA_METHODS \ | 50 | "ecdsa-sha2-nistp256," \ |
51 | "ecdsa-sha2-nistp384," \ | ||
52 | "ecdsa-sha2-nistp521," \ | ||
53 | "sk-ecdsa-sha2-nistp256@openssh.com," \ | ||
115 | "ssh-ed25519," \ | 54 | "ssh-ed25519," \ |
116 | "sk-ssh-ed25519@openssh.com," \ | 55 | "sk-ssh-ed25519@openssh.com," \ |
117 | "rsa-sha2-512," \ | 56 | "rsa-sha2-512," \ |
118 | "rsa-sha2-256," \ | 57 | "rsa-sha2-256," \ |
119 | "ssh-rsa" | 58 | "ssh-rsa" |
120 | 59 | ||
121 | /* the actual algorithms */ | 60 | #define KEX_SERVER_ENCRYPT \ |
122 | |||
123 | #define KEX_SERVER_ENCRYPT \ | ||
124 | "chacha20-poly1305@openssh.com," \ | 61 | "chacha20-poly1305@openssh.com," \ |
125 | "aes128-ctr,aes192-ctr,aes256-ctr" \ | 62 | "aes128-ctr,aes192-ctr,aes256-ctr," \ |
126 | AESGCM_CIPHER_MODES | 63 | "aes128-gcm@openssh.com,aes256-gcm@openssh.com" |
127 | 64 | ||
128 | #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT | 65 | #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT |
129 | 66 | ||
130 | #define KEX_SERVER_MAC \ | 67 | #define KEX_SERVER_MAC \ |
131 | "umac-64-etm@openssh.com," \ | 68 | "umac-64-etm@openssh.com," \ |
132 | "umac-128-etm@openssh.com," \ | 69 | "umac-128-etm@openssh.com," \ |
133 | "hmac-sha2-256-etm@openssh.com," \ | 70 | "hmac-sha2-256-etm@openssh.com," \ |
@@ -143,44 +80,16 @@ | |||
143 | 80 | ||
144 | /* Not a KEX value, but here so all the algorithm defaults are together */ | 81 | /* Not a KEX value, but here so all the algorithm defaults are together */ |
145 | #define SSH_ALLOWED_CA_SIGALGS \ | 82 | #define SSH_ALLOWED_CA_SIGALGS \ |
146 | HOSTKEY_ECDSA_METHODS \ | 83 | "ecdsa-sha2-nistp256," \ |
84 | "ecdsa-sha2-nistp384," \ | ||
85 | "ecdsa-sha2-nistp521," \ | ||
86 | "sk-ecdsa-sha2-nistp256@openssh.com," \ | ||
147 | "ssh-ed25519," \ | 87 | "ssh-ed25519," \ |
148 | "sk-ssh-ed25519@openssh.com," \ | 88 | "sk-ssh-ed25519@openssh.com," \ |
149 | "rsa-sha2-512," \ | 89 | "rsa-sha2-512," \ |
150 | "rsa-sha2-256," \ | 90 | "rsa-sha2-256," \ |
151 | "ssh-rsa" | 91 | "ssh-rsa" |
152 | 92 | ||
153 | #else /* WITH_OPENSSL */ | ||
154 | |||
155 | #define KEX_SERVER_KEX \ | ||
156 | "curve25519-sha256," \ | ||
157 | "curve25519-sha256@libssh.org" | ||
158 | #define KEX_DEFAULT_PK_ALG \ | ||
159 | "ssh-ed25519-cert-v01@openssh.com," \ | ||
160 | "ssh-ed25519" | ||
161 | #define KEX_SERVER_ENCRYPT \ | ||
162 | "chacha20-poly1305@openssh.com," \ | ||
163 | "aes128-ctr,aes192-ctr,aes256-ctr" | ||
164 | #define KEX_SERVER_MAC \ | ||
165 | "umac-64-etm@openssh.com," \ | ||
166 | "umac-128-etm@openssh.com," \ | ||
167 | "hmac-sha2-256-etm@openssh.com," \ | ||
168 | "hmac-sha2-512-etm@openssh.com," \ | ||
169 | "hmac-sha1-etm@openssh.com," \ | ||
170 | "umac-64@openssh.com," \ | ||
171 | "umac-128@openssh.com," \ | ||
172 | "hmac-sha2-256," \ | ||
173 | "hmac-sha2-512," \ | ||
174 | "hmac-sha1" | ||
175 | |||
176 | #define KEX_CLIENT_KEX KEX_SERVER_KEX | ||
177 | #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT | ||
178 | #define KEX_CLIENT_MAC KEX_SERVER_MAC | ||
179 | |||
180 | #define SSH_ALLOWED_CA_SIGALGS "ssh-ed25519,sk-ssh-ed25519@openssh.com" | ||
181 | |||
182 | #endif /* WITH_OPENSSL */ | ||
183 | |||
184 | #define KEX_DEFAULT_COMP "none,zlib@openssh.com" | 93 | #define KEX_DEFAULT_COMP "none,zlib@openssh.com" |
185 | #define KEX_DEFAULT_LANG "" | 94 | #define KEX_DEFAULT_LANG "" |
186 | 95 | ||
@@ -207,4 +116,3 @@ | |||
207 | KEX_DEFAULT_COMP, \ | 116 | KEX_DEFAULT_COMP, \ |
208 | KEX_DEFAULT_LANG, \ | 117 | KEX_DEFAULT_LANG, \ |
209 | KEX_DEFAULT_LANG | 118 | KEX_DEFAULT_LANG |
210 | |||
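Review bot: KEX_SERVER_KEX, KEX_DEFAULT_PK_ALG, KEX_SERVER_ENCRYPT and SSH_ALLOWED_CA_SIGALGS now advertise ecdh/ecdsa-nistp*, aes-gcm and the sha2-based methods unconditionally, because the OPENSSL_HAS_ECC / OPENSSL_HAVE_EVPGCM / HAVE_EVP_SHA256 guards and the `#else /* WITH_OPENSSL */` fallback (curve25519 + ed25519 only) are gone; a build whose libcrypto lacks any of these would propose algorithms it cannot run unless the lists are filtered against the compiled-in kex/cipher/key tables at runtime, and nothing in this header does that filtering — presumably it now lives elsewhere (kex.c or the portable tree), so confirm before relying on these defaults. A one-line comment above `#define KEX_SERVER_KEX` would make that contract explicit: `/* Defaults assume full libcrypto support; a build lacking any listed algorithm must filter these lists against its compiled-in tables before proposing them. */`. Separately, `ssh-rsa` (SHA-1 signatures) is kept at the tail of KEX_DEFAULT_PK_ALG and SSH_ALLOWED_CA_SIGALGS; that predates this change, but a short comment on why it is still offered by default would help the next reader deciding whether it can be dropped.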