From c4b3a128954ee1b7fbcbda167baf8aca1a3d1c84 Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Thu, 23 Jan 2020 02:46:49 +0000 Subject: upstream: Remove unsupported algorithms from list of defaults at run time and remove ifdef and distinct settings for OPENSSL=no case. This will make things much simpler for -portable where the exact set of algos depends on the configuration of both OpenSSH and the libcrypto it's linked against (if any). ok djm@ OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2 --- myproposal.h | 138 ++++++++++------------------------------------------------- 1 file changed, 23 insertions(+), 115 deletions(-) (limited to 'myproposal.h') diff --git a/myproposal.h b/myproposal.h index 145704f4..dd2499d6 100644 --- a/myproposal.h +++ b/myproposal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: myproposal.h,v 1.65 2020/01/22 04:58:23 tedu Exp $ */ +/* $OpenBSD: myproposal.h,v 1.66 2020/01/23 02:46:49 dtucker Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -24,110 +24,47 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#ifdef WITH_OPENSSL -#include -#endif - -/* conditional algorithm support */ - -#ifdef OPENSSL_HAS_ECC -# ifdef OPENSSL_HAS_NISTP521 -# define KEX_ECDH_METHODS \ +#define KEX_SERVER_KEX \ + "curve25519-sha256," \ + "curve25519-sha256@libssh.org," \ "ecdh-sha2-nistp256," \ "ecdh-sha2-nistp384," \ - "ecdh-sha2-nistp521," -# define HOSTKEY_ECDSA_CERT_METHODS \ - "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ - "ecdsa-sha2-nistp384-cert-v01@openssh.com," \ - "ecdsa-sha2-nistp521-cert-v01@openssh.com," \ - "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," -# define HOSTKEY_ECDSA_METHODS \ - "ecdsa-sha2-nistp256," \ - "ecdsa-sha2-nistp384," \ - "ecdsa-sha2-nistp521," \ - "sk-ecdsa-sha2-nistp256@openssh.com," -# else /* OPENSSL_HAS_NISTP521 */ -# define KEX_ECDH_METHODS \ - "ecdh-sha2-nistp256," \ - "ecdh-sha2-nistp384," -# define HOSTKEY_ECDSA_CERT_METHODS \ - "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ - "ecdsa-sha2-nistp384-cert-v01@openssh.com," \ - "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," -# define HOSTKEY_ECDSA_METHODS \ - "ecdsa-sha2-nistp256," \ - "ecdsa-sha2-nistp384," \ - "sk-ecdsa-sha2-nistp256@openssh.com," -# endif /* OPENSSL_HAS_NISTP521 */ -#else /* OPENSSL_HAS_ECC */ -# define KEX_ECDH_METHODS -# define HOSTKEY_ECDSA_CERT_METHODS -# define HOSTKEY_ECDSA_METHODS -#endif /* OPENSSL_HAS_ECC */ - -#ifdef OPENSSL_HAVE_EVPGCM -# define AESGCM_CIPHER_MODES \ - ",aes128-gcm@openssh.com,aes256-gcm@openssh.com" -#else -# define AESGCM_CIPHER_MODES -#endif - -#ifdef HAVE_EVP_SHA256 -# define KEX_SHA2_METHODS \ + "ecdh-sha2-nistp521," \ "diffie-hellman-group-exchange-sha256," \ "diffie-hellman-group16-sha512," \ - "diffie-hellman-group18-sha512," -# define KEX_SHA2_GROUP14 \ - "diffie-hellman-group14-sha256," -#define SHA2_HMAC_MODES \ - "hmac-sha2-256," \ - "hmac-sha2-512," -#else -# define KEX_SHA2_METHODS -# define KEX_SHA2_GROUP14 -# define SHA2_HMAC_MODES -#endif - -#ifdef WITH_OPENSSL -# ifdef HAVE_EVP_SHA256 -# define KEX_CURVE25519_METHODS \ - "curve25519-sha256," \ - "curve25519-sha256@libssh.org," -# else -# define KEX_CURVE25519_METHODS "" -# endif -#define KEX_SERVER_KEX \ - KEX_CURVE25519_METHODS \ - KEX_ECDH_METHODS \ - KEX_SHA2_METHODS \ - KEX_SHA2_GROUP14 + "diffie-hellman-group18-sha512," \ + "diffie-hellman-group14-sha256" #define KEX_CLIENT_KEX KEX_SERVER_KEX #define KEX_DEFAULT_PK_ALG \ - HOSTKEY_ECDSA_CERT_METHODS \ + "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ + "ecdsa-sha2-nistp384-cert-v01@openssh.com," \ + "ecdsa-sha2-nistp521-cert-v01@openssh.com," \ + "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," \ "ssh-ed25519-cert-v01@openssh.com," \ "sk-ssh-ed25519-cert-v01@openssh.com," \ "rsa-sha2-512-cert-v01@openssh.com," \ "rsa-sha2-256-cert-v01@openssh.com," \ "ssh-rsa-cert-v01@openssh.com," \ - HOSTKEY_ECDSA_METHODS \ + "ecdsa-sha2-nistp256," \ + "ecdsa-sha2-nistp384," \ + "ecdsa-sha2-nistp521," \ + "sk-ecdsa-sha2-nistp256@openssh.com," \ "ssh-ed25519," \ "sk-ssh-ed25519@openssh.com," \ "rsa-sha2-512," \ "rsa-sha2-256," \ "ssh-rsa" -/* the actual algorithms */ - -#define KEX_SERVER_ENCRYPT \ +#define KEX_SERVER_ENCRYPT \ "chacha20-poly1305@openssh.com," \ - "aes128-ctr,aes192-ctr,aes256-ctr" \ - AESGCM_CIPHER_MODES + "aes128-ctr,aes192-ctr,aes256-ctr," \ + "aes128-gcm@openssh.com,aes256-gcm@openssh.com" #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT -#define KEX_SERVER_MAC \ +#define KEX_SERVER_MAC \ "umac-64-etm@openssh.com," \ "umac-128-etm@openssh.com," \ "hmac-sha2-256-etm@openssh.com," \ @@ -143,44 +80,16 @@ /* Not a KEX value, but here so all the algorithm defaults are together */ #define SSH_ALLOWED_CA_SIGALGS \ - HOSTKEY_ECDSA_METHODS \ + "ecdsa-sha2-nistp256," \ + "ecdsa-sha2-nistp384," \ + "ecdsa-sha2-nistp521," \ + "sk-ecdsa-sha2-nistp256@openssh.com," \ "ssh-ed25519," \ "sk-ssh-ed25519@openssh.com," \ "rsa-sha2-512," \ "rsa-sha2-256," \ "ssh-rsa" -#else /* WITH_OPENSSL */ - -#define KEX_SERVER_KEX \ - "curve25519-sha256," \ - "curve25519-sha256@libssh.org" -#define KEX_DEFAULT_PK_ALG \ - "ssh-ed25519-cert-v01@openssh.com," \ - "ssh-ed25519" -#define KEX_SERVER_ENCRYPT \ - "chacha20-poly1305@openssh.com," \ - "aes128-ctr,aes192-ctr,aes256-ctr" -#define KEX_SERVER_MAC \ - "umac-64-etm@openssh.com," \ - "umac-128-etm@openssh.com," \ - "hmac-sha2-256-etm@openssh.com," \ - "hmac-sha2-512-etm@openssh.com," \ - "hmac-sha1-etm@openssh.com," \ - "umac-64@openssh.com," \ - "umac-128@openssh.com," \ - "hmac-sha2-256," \ - "hmac-sha2-512," \ - "hmac-sha1" - -#define KEX_CLIENT_KEX KEX_SERVER_KEX -#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT -#define KEX_CLIENT_MAC KEX_SERVER_MAC - -#define SSH_ALLOWED_CA_SIGALGS "ssh-ed25519,sk-ssh-ed25519@openssh.com" - -#endif /* WITH_OPENSSL */ - #define KEX_DEFAULT_COMP "none,zlib@openssh.com" #define KEX_DEFAULT_LANG "" @@ -207,4 +116,3 @@ KEX_DEFAULT_COMP, \ KEX_DEFAULT_LANG, \ KEX_DEFAULT_LANG - -- cgit v1.2.1