From 2ea9eb77a7fcab3190564ef5a6a5377a600aa391 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 5 Jun 2013 15:04:00 +1000 Subject: - (dtucker) Enable sha256 kex methods based on the presence of the necessary functions, not from the openssl version. --- myproposal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'myproposal.h') diff --git a/myproposal.h b/myproposal.h index 99d093461..f13c74850 100644 --- a/myproposal.h +++ b/myproposal.h @@ -46,7 +46,7 @@ #endif /* Old OpenSSL doesn't support what we need for DHGEX-sha256 */ -#if OPENSSL_VERSION_NUMBER >= 0x00907000L +#ifdef HAVE_EVP_SHA256 # define KEX_SHA256_METHODS \ "diffie-hellman-group-exchange-sha256," #else -- cgit v1.2.3 From 97b62f41adcb0dcbeff142d0540793a7ea17c910 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 11 Jun 2013 11:47:24 +1000 Subject: - (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have the required OpenSSL support. Patch from naddy at freebsd. --- ChangeLog | 2 ++ myproposal.h | 9 ++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) (limited to 'myproposal.h') diff --git a/ChangeLog b/ChangeLog index a7ab9a693..6805e8a10 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,8 @@ bz#1917, also reported and tested by tedu@. ok djm@ markus@. - (dtucker) [Makefile.in configure.ac fixalgorithms] Remove unsupported algorithms (Ciphers, MACs and HostKeyAlgorithms) from man pages. + - (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have + the required OpenSSL support. Patch from naddy at freebsd. 20130605 - (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of diff --git a/myproposal.h b/myproposal.h index f13c74850..276108bf6 100644 --- a/myproposal.h +++ b/myproposal.h @@ -45,6 +45,13 @@ # define HOSTKEY_ECDSA_METHODS #endif +#ifdef OPENSSL_HAVE_EVPGCM +# define AESGCM_CIPHER_MODES \ + "aes128-gcm@openssh.com,aes256-gcm@openssh.com," +#else +# define AESGCM_CIPHER_MODES +#endif + /* Old OpenSSL doesn't support what we need for DHGEX-sha256 */ #ifdef HAVE_EVP_SHA256 # define KEX_SHA256_METHODS \ @@ -73,7 +80,7 @@ #define KEX_DEFAULT_ENCRYPT \ "aes128-ctr,aes192-ctr,aes256-ctr," \ "arcfour256,arcfour128," \ - "aes128-gcm@openssh.com,aes256-gcm@openssh.com," \ + AESGCM_CIPHER_MODES \ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" #ifdef HAVE_EVP_SHA256 -- cgit v1.2.3 From b8ae92d08b91beaef34232c6ef34b9941473fdd6 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 11 Jun 2013 12:10:02 +1000 Subject: - (dtucker) [myproposal.h] Make the conditional algorithm support consistent and add some comments so it's clear what goes where. --- ChangeLog | 2 ++ myproposal.h | 17 +++++++++-------- 2 files changed, 11 insertions(+), 8 deletions(-) (limited to 'myproposal.h') diff --git a/ChangeLog b/ChangeLog index 6805e8a10..526a05102 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,8 @@ algorithms (Ciphers, MACs and HostKeyAlgorithms) from man pages. - (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have the required OpenSSL support. Patch from naddy at freebsd. + - (dtucker) [myproposal.h] Make the conditional algorithm support consistent + and add some comments so it's clear what goes where. 20130605 - (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of diff --git a/myproposal.h b/myproposal.h index 276108bf6..4e913e3ce 100644 --- a/myproposal.h +++ b/myproposal.h @@ -26,6 +26,8 @@ #include +/* conditional algorithm support */ + #ifdef OPENSSL_HAS_ECC # define KEX_ECDH_METHODS \ "ecdh-sha2-nistp256," \ @@ -52,12 +54,15 @@ # define AESGCM_CIPHER_MODES #endif -/* Old OpenSSL doesn't support what we need for DHGEX-sha256 */ #ifdef HAVE_EVP_SHA256 # define KEX_SHA256_METHODS \ "diffie-hellman-group-exchange-sha256," +#define SHA2_HMAC_MODES \ + "hmac-sha2-256," \ + "hmac-sha2-512," #else # define KEX_SHA256_METHODS +# define SHA2_HMAC_MODES #endif # define KEX_DEFAULT_KEX \ @@ -77,19 +82,15 @@ "ssh-rsa," \ "ssh-dss" +/* the actual algorithms */ + #define KEX_DEFAULT_ENCRYPT \ "aes128-ctr,aes192-ctr,aes256-ctr," \ "arcfour256,arcfour128," \ AESGCM_CIPHER_MODES \ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se" -#ifdef HAVE_EVP_SHA256 -#define SHA2_HMAC_MODES \ - "hmac-sha2-256," \ - "hmac-sha2-512," -#else -# define SHA2_HMAC_MODES -#endif + #define KEX_DEFAULT_MAC \ "hmac-md5-etm@openssh.com," \ "hmac-sha1-etm@openssh.com," \ -- cgit v1.2.3