1 files changed, 27 insertions, 112 deletions
diff --git a/myproposal.h b/myproposal.h
index 34bd10c9f..5312e6058 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.58 2019/02/23 08:20:43 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.67 2020/01/24 00:28:57 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -24,103 +24,47 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-#include <openssl/opensslv.h>
+#define KEX_SERVER_KEX  \
+        "curve25519-sha256," \
-/* conditional algorithm support */
+        "curve25519-sha256@libssh.org," \
-#ifdef OPENSSL_HAS_ECC
-#ifdef OPENSSL_HAS_NISTP521
-# define KEX_ECDH_METHODS \
        "ecdh-sha2-nistp256," \
        "ecdh-sha2-nistp384," \
-        "ecdh-sha2-nistp521,"
+        "ecdh-sha2-nistp521," \
-# define HOSTKEY_ECDSA_CERT_METHODS \
-        "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
-        "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
-        "ecdsa-sha2-nistp521-cert-v01@openssh.com,"
-# define HOSTKEY_ECDSA_METHODS \
-        "ecdsa-sha2-nistp256," \
-        "ecdsa-sha2-nistp384," \
-        "ecdsa-sha2-nistp521,"
-#else
-# define KEX_ECDH_METHODS \
-        "ecdh-sha2-nistp256," \
-        "ecdh-sha2-nistp384,"
-# define HOSTKEY_ECDSA_CERT_METHODS \
-        "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
-        "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
-# define HOSTKEY_ECDSA_METHODS \
-        "ecdsa-sha2-nistp256," \
-        "ecdsa-sha2-nistp384,"
-#endif
-#else
-# define KEX_ECDH_METHODS
-# define HOSTKEY_ECDSA_CERT_METHODS
-# define HOSTKEY_ECDSA_METHODS
-#endif
-#ifdef OPENSSL_HAVE_EVPGCM
-# define AESGCM_CIPHER_MODES \
-        ",aes128-gcm@openssh.com,aes256-gcm@openssh.com"
-#else
-# define AESGCM_CIPHER_MODES
-#endif
-#ifdef HAVE_EVP_SHA256
-# define KEX_SHA2_METHODS \
        "diffie-hellman-group-exchange-sha256," \
        "diffie-hellman-group16-sha512," \
-        "diffie-hellman-group18-sha512,"
+        "diffie-hellman-group18-sha512," \
-# define KEX_SHA2_GROUP14 \
+        "diffie-hellman-group14-sha256"
-        "diffie-hellman-group14-sha256,"
-#define SHA2_HMAC_MODES \
-        "hmac-sha2-256," \
-        "hmac-sha2-512,"
-#else
-# define KEX_SHA2_METHODS
-# define KEX_SHA2_GROUP14
-# define SHA2_HMAC_MODES
-#endif
-#ifdef WITH_OPENSSL
-# ifdef HAVE_EVP_SHA256
-#  define KEX_CURVE25519_METHODS \
-        "curve25519-sha256," \
-        "curve25519-sha256@libssh.org,"
-# else
-#  define KEX_CURVE25519_METHODS ""
-# endif
-#define KEX_SERVER_KEX \
-        KEX_CURVE25519_METHODS \
-        KEX_ECDH_METHODS \
-        KEX_SHA2_METHODS \
-        KEX_SHA2_GROUP14 \
-        "diffie-hellman-group14-sha1"
 #define KEX_CLIENT_KEX KEX_SERVER_KEX
 #define KEX_DEFAULT_PK_ALG      \
-        HOSTKEY_ECDSA_CERT_METHODS \
+        "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
+        "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
+        "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
+        "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," \
        "ssh-ed25519-cert-v01@openssh.com," \
+        "sk-ssh-ed25519-cert-v01@openssh.com," \
        "rsa-sha2-512-cert-v01@openssh.com," \
        "rsa-sha2-256-cert-v01@openssh.com," \
        "ssh-rsa-cert-v01@openssh.com," \
-        HOSTKEY_ECDSA_METHODS \
+        "ecdsa-sha2-nistp256," \
+        "ecdsa-sha2-nistp384," \
+        "ecdsa-sha2-nistp521," \
+        "sk-ecdsa-sha2-nistp256@openssh.com," \
        "ssh-ed25519," \
+        "sk-ssh-ed25519@openssh.com," \
        "rsa-sha2-512," \
        "rsa-sha2-256," \
        "ssh-rsa"
-/* the actual algorithms */
+#define KEX_SERVER_ENCRYPT \
-#define KEX_SERVER_ENCRYPT \
        "chacha20-poly1305@openssh.com," \
-        "aes128-ctr,aes192-ctr,aes256-ctr" \
+        "aes128-ctr,aes192-ctr,aes256-ctr," \
-        AESGCM_CIPHER_MODES
+        "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
 #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
-#define KEX_SERVER_MAC \
+#define KEX_SERVER_MAC \
        "umac-64-etm@openssh.com," \
        "umac-128-etm@openssh.com," \
        "hmac-sha2-256-etm@openssh.com," \
@@ -136,42 +80,14 @@
 /* Not a KEX value, but here so all the algorithm defaults are together */
 #define SSH_ALLOWED_CA_SIGALGS  \
-        HOSTKEY_ECDSA_METHODS \
+        "ecdsa-sha2-nistp256," \
+        "ecdsa-sha2-nistp384," \
+        "ecdsa-sha2-nistp521," \
+        "sk-ecdsa-sha2-nistp256@openssh.com," \
        "ssh-ed25519," \
+        "sk-ssh-ed25519@openssh.com," \
        "rsa-sha2-512," \
-        "rsa-sha2-256," \
+        "rsa-sha2-256"
-        "ssh-rsa"
-#else /* WITH_OPENSSL */
-#define KEX_SERVER_KEX          \
-        "curve25519-sha256," \
-        "curve25519-sha256@libssh.org"
-#define KEX_DEFAULT_PK_ALG      \
-        "ssh-ed25519-cert-v01@openssh.com," \
-        "ssh-ed25519"
-#define KEX_SERVER_ENCRYPT \
-        "chacha20-poly1305@openssh.com," \
-        "aes128-ctr,aes192-ctr,aes256-ctr"
-#define KEX_SERVER_MAC \
-        "umac-64-etm@openssh.com," \
-        "umac-128-etm@openssh.com," \
-        "hmac-sha2-256-etm@openssh.com," \
-        "hmac-sha2-512-etm@openssh.com," \
-        "hmac-sha1-etm@openssh.com," \
-        "umac-64@openssh.com," \
-        "umac-128@openssh.com," \
-        "hmac-sha2-256," \
-        "hmac-sha2-512," \
-        "hmac-sha1"
-#define KEX_CLIENT_KEX KEX_SERVER_KEX
-#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
-#define KEX_CLIENT_MAC KEX_SERVER_MAC
-#define SSH_ALLOWED_CA_SIGALGS  "ssh-ed25519"
-#endif /* WITH_OPENSSL */
 #define KEX_DEFAULT_COMP        "none,zlib@openssh.com"
 #define KEX_DEFAULT_LANG        ""
@@ -199,4 +115,3 @@
        KEX_DEFAULT_COMP, \
        KEX_DEFAULT_LANG, \
        KEX_DEFAULT_LANG

diff --git a/myproposal.h b/myproposal.h index 34bd10c9f..5312e6058 100644 --- a/myproposal.h +++ b/myproposal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: myproposal.h,v 1.58 2019/02/23 08:20:43 djm Exp $ */	1	/* $OpenBSD: myproposal.h,v 1.67 2020/01/24 00:28:57 djm Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2000 Markus Friedl. All rights reserved.	4	* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -24,103 +24,47 @@
24	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	24	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25	*/	25	*/
26		26
27	#include <openssl/opensslv.h>	27	#define KEX_SERVER_KEX \
28		28	"curve25519-sha256," \
29	/* conditional algorithm support */	29	"curve25519-sha256@libssh.org," \
30
31	#ifdef OPENSSL_HAS_ECC
32	#ifdef OPENSSL_HAS_NISTP521
33	# define KEX_ECDH_METHODS \
34	"ecdh-sha2-nistp256," \	30	"ecdh-sha2-nistp256," \
35	"ecdh-sha2-nistp384," \	31	"ecdh-sha2-nistp384," \
36	"ecdh-sha2-nistp521,"	32	"ecdh-sha2-nistp521," \
37	# define HOSTKEY_ECDSA_CERT_METHODS \
38	"ecdsa-sha2-nistp256-cert-v01@openssh.com," \
39	"ecdsa-sha2-nistp384-cert-v01@openssh.com," \
40	"ecdsa-sha2-nistp521-cert-v01@openssh.com,"
41	# define HOSTKEY_ECDSA_METHODS \
42	"ecdsa-sha2-nistp256," \
43	"ecdsa-sha2-nistp384," \
44	"ecdsa-sha2-nistp521,"
45	#else
46	# define KEX_ECDH_METHODS \
47	"ecdh-sha2-nistp256," \
48	"ecdh-sha2-nistp384,"
49	# define HOSTKEY_ECDSA_CERT_METHODS \
50	"ecdsa-sha2-nistp256-cert-v01@openssh.com," \
51	"ecdsa-sha2-nistp384-cert-v01@openssh.com,"
52	# define HOSTKEY_ECDSA_METHODS \
53	"ecdsa-sha2-nistp256," \
54	"ecdsa-sha2-nistp384,"
55	#endif
56	#else
57	# define KEX_ECDH_METHODS
58	# define HOSTKEY_ECDSA_CERT_METHODS
59	# define HOSTKEY_ECDSA_METHODS
60	#endif
61
62	#ifdef OPENSSL_HAVE_EVPGCM
63	# define AESGCM_CIPHER_MODES \
64	",aes128-gcm@openssh.com,aes256-gcm@openssh.com"
65	#else
66	# define AESGCM_CIPHER_MODES
67	#endif
68
69	#ifdef HAVE_EVP_SHA256
70	# define KEX_SHA2_METHODS \
71	"diffie-hellman-group-exchange-sha256," \	33	"diffie-hellman-group-exchange-sha256," \
72	"diffie-hellman-group16-sha512," \	34	"diffie-hellman-group16-sha512," \
73	"diffie-hellman-group18-sha512,"	35	"diffie-hellman-group18-sha512," \
74	# define KEX_SHA2_GROUP14 \	36	"diffie-hellman-group14-sha256"
75	"diffie-hellman-group14-sha256,"
76	#define SHA2_HMAC_MODES \
77	"hmac-sha2-256," \
78	"hmac-sha2-512,"
79	#else
80	# define KEX_SHA2_METHODS
81	# define KEX_SHA2_GROUP14
82	# define SHA2_HMAC_MODES
83	#endif
84
85	#ifdef WITH_OPENSSL
86	# ifdef HAVE_EVP_SHA256
87	# define KEX_CURVE25519_METHODS \
88	"curve25519-sha256," \
89	"curve25519-sha256@libssh.org,"
90	# else
91	# define KEX_CURVE25519_METHODS ""
92	# endif
93	#define KEX_SERVER_KEX \
94	KEX_CURVE25519_METHODS \
95	KEX_ECDH_METHODS \
96	KEX_SHA2_METHODS \
97	KEX_SHA2_GROUP14 \
98	"diffie-hellman-group14-sha1"
99		37
100	#define KEX_CLIENT_KEX KEX_SERVER_KEX	38	#define KEX_CLIENT_KEX KEX_SERVER_KEX
101		39
102	#define KEX_DEFAULT_PK_ALG \	40	#define KEX_DEFAULT_PK_ALG \
103	HOSTKEY_ECDSA_CERT_METHODS \	41	"ecdsa-sha2-nistp256-cert-v01@openssh.com," \
		42	"ecdsa-sha2-nistp384-cert-v01@openssh.com," \
		43	"ecdsa-sha2-nistp521-cert-v01@openssh.com," \
		44	"sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," \
104	"ssh-ed25519-cert-v01@openssh.com," \	45	"ssh-ed25519-cert-v01@openssh.com," \
		46	"sk-ssh-ed25519-cert-v01@openssh.com," \
105	"rsa-sha2-512-cert-v01@openssh.com," \	47	"rsa-sha2-512-cert-v01@openssh.com," \
106	"rsa-sha2-256-cert-v01@openssh.com," \	48	"rsa-sha2-256-cert-v01@openssh.com," \
107	"ssh-rsa-cert-v01@openssh.com," \	49	"ssh-rsa-cert-v01@openssh.com," \
108	HOSTKEY_ECDSA_METHODS \	50	"ecdsa-sha2-nistp256," \
		51	"ecdsa-sha2-nistp384," \
		52	"ecdsa-sha2-nistp521," \
		53	"sk-ecdsa-sha2-nistp256@openssh.com," \
109	"ssh-ed25519," \	54	"ssh-ed25519," \
		55	"sk-ssh-ed25519@openssh.com," \
110	"rsa-sha2-512," \	56	"rsa-sha2-512," \
111	"rsa-sha2-256," \	57	"rsa-sha2-256," \
112	"ssh-rsa"	58	"ssh-rsa"
113		59
114	/* the actual algorithms */	60	#define KEX_SERVER_ENCRYPT \
115
116	#define KEX_SERVER_ENCRYPT \
117	"chacha20-poly1305@openssh.com," \	61	"chacha20-poly1305@openssh.com," \
118	"aes128-ctr,aes192-ctr,aes256-ctr" \	62	"aes128-ctr,aes192-ctr,aes256-ctr," \
119	AESGCM_CIPHER_MODES	63	"aes128-gcm@openssh.com,aes256-gcm@openssh.com"
120		64
121	#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT	65	#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
122		66
123	#define KEX_SERVER_MAC \	67	#define KEX_SERVER_MAC \
124	"umac-64-etm@openssh.com," \	68	"umac-64-etm@openssh.com," \
125	"umac-128-etm@openssh.com," \	69	"umac-128-etm@openssh.com," \
126	"hmac-sha2-256-etm@openssh.com," \	70	"hmac-sha2-256-etm@openssh.com," \
@@ -136,42 +80,14 @@
136		80
137	/* Not a KEX value, but here so all the algorithm defaults are together */	81	/* Not a KEX value, but here so all the algorithm defaults are together */
138	#define SSH_ALLOWED_CA_SIGALGS \	82	#define SSH_ALLOWED_CA_SIGALGS \
139	HOSTKEY_ECDSA_METHODS \	83	"ecdsa-sha2-nistp256," \
		84	"ecdsa-sha2-nistp384," \
		85	"ecdsa-sha2-nistp521," \
		86	"sk-ecdsa-sha2-nistp256@openssh.com," \
140	"ssh-ed25519," \	87	"ssh-ed25519," \
		88	"sk-ssh-ed25519@openssh.com," \
141	"rsa-sha2-512," \	89	"rsa-sha2-512," \
142	"rsa-sha2-256," \	90	"rsa-sha2-256"
143	"ssh-rsa"
144
145	#else /* WITH_OPENSSL */
146
147	#define KEX_SERVER_KEX \
148	"curve25519-sha256," \
149	"curve25519-sha256@libssh.org"
150	#define KEX_DEFAULT_PK_ALG \
151	"ssh-ed25519-cert-v01@openssh.com," \
152	"ssh-ed25519"
153	#define KEX_SERVER_ENCRYPT \
154	"chacha20-poly1305@openssh.com," \
155	"aes128-ctr,aes192-ctr,aes256-ctr"
156	#define KEX_SERVER_MAC \
157	"umac-64-etm@openssh.com," \
158	"umac-128-etm@openssh.com," \
159	"hmac-sha2-256-etm@openssh.com," \
160	"hmac-sha2-512-etm@openssh.com," \
161	"hmac-sha1-etm@openssh.com," \
162	"umac-64@openssh.com," \
163	"umac-128@openssh.com," \
164	"hmac-sha2-256," \
165	"hmac-sha2-512," \
166	"hmac-sha1"
167
168	#define KEX_CLIENT_KEX KEX_SERVER_KEX
169	#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
170	#define KEX_CLIENT_MAC KEX_SERVER_MAC
171
172	#define SSH_ALLOWED_CA_SIGALGS "ssh-ed25519"
173
174	#endif /* WITH_OPENSSL */
175		91
176	#define KEX_DEFAULT_COMP "none,zlib@openssh.com"	92	#define KEX_DEFAULT_COMP "none,zlib@openssh.com"
177	#define KEX_DEFAULT_LANG ""	93	#define KEX_DEFAULT_LANG ""
@@ -199,4 +115,3 @@
199	KEX_DEFAULT_COMP, \	115	KEX_DEFAULT_COMP, \
200	KEX_DEFAULT_LANG, \	116	KEX_DEFAULT_LANG, \
201	KEX_DEFAULT_LANG	117	KEX_DEFAULT_LANG
202