1 /* $OpenBSD: myproposal.h,v 1.50 2016/02/09 05:30:04 djm Exp $ */ 2 3 /* 4 * Copyright (c) 2000 Markus Friedl. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #include <openssl/opensslv.h> 28 29 /* conditional algorithm support */ 30 31 #ifdef OPENSSL_HAS_ECC 32 #ifdef OPENSSL_HAS_NISTP521 33 # define KEX_ECDH_METHODS \ 34 "ecdh-sha2-nistp256," \ 35 "ecdh-sha2-nistp384," \ 36 "ecdh-sha2-nistp521," 37 # define HOSTKEY_ECDSA_CERT_METHODS \ 38 "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ 39 "ecdsa-sha2-nistp384-cert-v01@openssh.com," \ 40 "ecdsa-sha2-nistp521-cert-v01@openssh.com," 41 # define HOSTKEY_ECDSA_METHODS \ 42 "ecdsa-sha2-nistp256," \ 43 "ecdsa-sha2-nistp384," \ 44 "ecdsa-sha2-nistp521," 45 #else 46 # define KEX_ECDH_METHODS \ 47 "ecdh-sha2-nistp256," \ 48 "ecdh-sha2-nistp384," 49 # define HOSTKEY_ECDSA_CERT_METHODS \ 50 "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ 51 "ecdsa-sha2-nistp384-cert-v01@openssh.com," 52 # define HOSTKEY_ECDSA_METHODS \ 53 "ecdsa-sha2-nistp256," \ 54 "ecdsa-sha2-nistp384," 55 #endif 56 #else 57 # define KEX_ECDH_METHODS 58 # define HOSTKEY_ECDSA_CERT_METHODS 59 # define HOSTKEY_ECDSA_METHODS 60 #endif 61 62 #ifdef OPENSSL_HAVE_EVPGCM 63 # define AESGCM_CIPHER_MODES \ 64 ",aes128-gcm@openssh.com,aes256-gcm@openssh.com" 65 #else 66 # define AESGCM_CIPHER_MODES 67 #endif 68 69 #ifdef HAVE_EVP_SHA256 70 # define KEX_SHA2_METHODS \ 71 "diffie-hellman-group-exchange-sha256," \ 72 "diffie-hellman-group16-sha512," \ 73 "diffie-hellman-group18-sha512," 74 # define KEX_SHA2_GROUP14 \ 75 "diffie-hellman-group14-sha256," 76 #define SHA2_HMAC_MODES \ 77 "hmac-sha2-256," \ 78 "hmac-sha2-512," 79 #else 80 # define KEX_SHA2_METHODS 81 # define KEX_SHA2_GROUP14 82 # define SHA2_HMAC_MODES 83 #endif 84 85 #ifdef WITH_OPENSSL 86 # ifdef HAVE_EVP_SHA256 87 # define KEX_CURVE25519_METHODS "curve25519-sha256@libssh.org," 88 # else 89 # define KEX_CURVE25519_METHODS "" 90 # endif 91 #define KEX_COMMON_KEX \ 92 KEX_CURVE25519_METHODS \ 93 KEX_ECDH_METHODS \ 94 KEX_SHA2_METHODS 95 96 #define KEX_SERVER_KEX KEX_COMMON_KEX \ 97 KEX_SHA2_GROUP14 \ 98 "diffie-hellman-group14-sha1" \ 99 100 #define KEX_CLIENT_KEX KEX_COMMON_KEX \ 101 "diffie-hellman-group-exchange-sha1," \ 102 KEX_SHA2_GROUP14 \ 103 "diffie-hellman-group14-sha1" 104 105 #define KEX_DEFAULT_PK_ALG \ 106 HOSTKEY_ECDSA_CERT_METHODS \ 107 "ssh-ed25519-cert-v01@openssh.com," \ 108 "ssh-rsa-cert-v01@openssh.com," \ 109 HOSTKEY_ECDSA_METHODS \ 110 "ssh-ed25519," \ 111 "rsa-sha2-512," \ 112 "rsa-sha2-256," \ 113 "ssh-rsa" 114 115 /* the actual algorithms */ 116 117 #define KEX_SERVER_ENCRYPT \ 118 "chacha20-poly1305@openssh.com," \ 119 "aes128-ctr,aes192-ctr,aes256-ctr" \ 120 AESGCM_CIPHER_MODES 121 122 #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \ 123 "aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc" 124 125 #define KEX_SERVER_MAC \ 126 "umac-64-etm@openssh.com," \ 127 "umac-128-etm@openssh.com," \ 128 "hmac-sha2-256-etm@openssh.com," \ 129 "hmac-sha2-512-etm@openssh.com," \ 130 "hmac-sha1-etm@openssh.com," \ 131 "umac-64@openssh.com," \ 132 "umac-128@openssh.com," \ 133 "hmac-sha2-256," \ 134 "hmac-sha2-512," \ 135 "hmac-sha1" 136 137 #define KEX_CLIENT_MAC KEX_SERVER_MAC 138 139 #else /* WITH_OPENSSL */ 140 141 #define KEX_SERVER_KEX \ 142 "curve25519-sha256@libssh.org" 143 #define KEX_DEFAULT_PK_ALG \ 144 "ssh-ed25519-cert-v01@openssh.com," \ 145 "ssh-ed25519" 146 #define KEX_SERVER_ENCRYPT \ 147 "chacha20-poly1305@openssh.com," \ 148 "aes128-ctr,aes192-ctr,aes256-ctr" 149 #define KEX_SERVER_MAC \ 150 "umac-64-etm@openssh.com," \ 151 "umac-128-etm@openssh.com," \ 152 "hmac-sha2-256-etm@openssh.com," \ 153 "hmac-sha2-512-etm@openssh.com," \ 154 "hmac-sha1-etm@openssh.com," \ 155 "umac-64@openssh.com," \ 156 "umac-128@openssh.com," \ 157 "hmac-sha2-256," \ 158 "hmac-sha2-512," \ 159 "hmac-sha1" 160 161 #define KEX_CLIENT_KEX KEX_SERVER_KEX 162 #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT 163 #define KEX_CLIENT_MAC KEX_SERVER_MAC 164 165 #endif /* WITH_OPENSSL */ 166 167 #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" 168 #define KEX_DEFAULT_LANG "" 169 170 #define KEX_CLIENT \ 171 KEX_CLIENT_KEX, \ 172 KEX_DEFAULT_PK_ALG, \ 173 KEX_CLIENT_ENCRYPT, \ 174 KEX_CLIENT_ENCRYPT, \ 175 KEX_CLIENT_MAC, \ 176 KEX_CLIENT_MAC, \ 177 KEX_DEFAULT_COMP, \ 178 KEX_DEFAULT_COMP, \ 179 KEX_DEFAULT_LANG, \ 180 KEX_DEFAULT_LANG 181 182 #define KEX_SERVER \ 183 KEX_SERVER_KEX, \ 184 KEX_DEFAULT_PK_ALG, \ 185 KEX_SERVER_ENCRYPT, \ 186 KEX_SERVER_ENCRYPT, \ 187 KEX_SERVER_MAC, \ 188 KEX_SERVER_MAC, \ 189 KEX_DEFAULT_COMP, \ 190 KEX_DEFAULT_COMP, \ 191 KEX_DEFAULT_LANG, \ 192 KEX_DEFAULT_LANG 193 194