external/openssh: update to 6.8p1.
In preparation for some updates to external/openssh to make it work with
BoringSSL, this change updates the code to a recent version. The current
version (5.9p1) is coming up on four years old now.
* Confirmed that f5c67b478bef9992de9e9ec91ce10af4f6205e0d matches
OpenSSH 5.9p1 exactly (save for the removal of the scard
subdirectory).
* Downloaded openssh-6.8p1.tar.gz (SHA256:
3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e)
and verified with PGP signature. (I've verified Damien's key in
person previously.)
* Applied changes between f5c67b478bef9992de9e9ec91ce10af4f6205e0d and
OpenSSH 5.9p1 to 6.8p1 and updated the build as best I can. The
ugliest change is probably the duplication of umac.c to umac128.c
because Android conditionally compiles that file twice. See the
comment in those files.
Change-Id: I63cb07a8118afb5a377f116087a0882914cea486
diff --git a/myproposal.h b/myproposal.h
index c051690..61d79ca 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.28 2011/08/02 01:22:11 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.41 2014/07/11 13:54:34 tedu Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -26,7 +26,10 @@
#include <openssl/opensslv.h>
+/* conditional algorithm support */
+
#ifdef OPENSSL_HAS_ECC
+#ifdef OPENSSL_HAS_NISTP521
# define KEX_ECDH_METHODS \
"ecdh-sha2-nistp256," \
"ecdh-sha2-nistp384," \
@@ -40,79 +43,162 @@
"ecdsa-sha2-nistp384," \
"ecdsa-sha2-nistp521,"
#else
+# define KEX_ECDH_METHODS \
+ "ecdh-sha2-nistp256," \
+ "ecdh-sha2-nistp384,"
+# define HOSTKEY_ECDSA_CERT_METHODS \
+ "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
+# define HOSTKEY_ECDSA_METHODS \
+ "ecdsa-sha2-nistp256," \
+ "ecdsa-sha2-nistp384,"
+#endif
+#else
# define KEX_ECDH_METHODS
# define HOSTKEY_ECDSA_CERT_METHODS
# define HOSTKEY_ECDSA_METHODS
#endif
-/* Old OpenSSL doesn't support what we need for DHGEX-sha256 */
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-# define KEX_SHA256_METHODS \
- "diffie-hellman-group-exchange-sha256,"
+#ifdef OPENSSL_HAVE_EVPGCM
+# define AESGCM_CIPHER_MODES \
+ "aes128-gcm@openssh.com,aes256-gcm@openssh.com,"
#else
-# define KEX_SHA256_METHODS
+# define AESGCM_CIPHER_MODES
#endif
-# define KEX_DEFAULT_KEX \
+#ifdef HAVE_EVP_SHA256
+# define KEX_SHA256_METHODS \
+ "diffie-hellman-group-exchange-sha256,"
+#define SHA2_HMAC_MODES \
+ "hmac-sha2-256," \
+ "hmac-sha2-512,"
+#else
+# define KEX_SHA256_METHODS
+# define SHA2_HMAC_MODES
+#endif
+
+#ifdef HAVE_EVP_RIPEMD
+#define RIPEMD_MAC_MODES \
+ "hmac-ripemd160-etm@openssh.com," \
+ "hmac-ripemd160," \
+ "hmac-ripemd160@openssh.com",
+#else
+#define RIPEMD_MAC_MODES
+#endif
+
+#ifdef WITH_OPENSSL
+# ifdef HAVE_EVP_SHA256
+# define KEX_CURVE25519_METHODS "curve25519-sha256@libssh.org,"
+# else
+# define KEX_CURVE25519_METHODS ""
+# endif
+#define KEX_SERVER_KEX \
+ KEX_CURVE25519_METHODS \
KEX_ECDH_METHODS \
KEX_SHA256_METHODS \
+ "diffie-hellman-group14-sha1"
+
+#define KEX_CLIENT_KEX KEX_SERVER_KEX "," \
"diffie-hellman-group-exchange-sha1," \
- "diffie-hellman-group14-sha1," \
"diffie-hellman-group1-sha1"
#define KEX_DEFAULT_PK_ALG \
HOSTKEY_ECDSA_CERT_METHODS \
+ "ssh-ed25519-cert-v01@openssh.com," \
"ssh-rsa-cert-v01@openssh.com," \
"ssh-dss-cert-v01@openssh.com," \
"ssh-rsa-cert-v00@openssh.com," \
"ssh-dss-cert-v00@openssh.com," \
HOSTKEY_ECDSA_METHODS \
+ "ssh-ed25519," \
"ssh-rsa," \
"ssh-dss"
-#define KEX_DEFAULT_ENCRYPT \
+/* the actual algorithms */
+
+#define KEX_SERVER_ENCRYPT \
"aes128-ctr,aes192-ctr,aes256-ctr," \
+ AESGCM_CIPHER_MODES \
+ "chacha20-poly1305@openssh.com"
+
+#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
"arcfour256,arcfour128," \
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
"aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
-#ifdef HAVE_EVP_SHA256
-#define SHA2_HMAC_MODES \
- "hmac-sha2-256," \
- "hmac-sha2-256-96," \
- "hmac-sha2-512," \
- "hmac-sha2-512-96,"
-#else
-# define SHA2_HMAC_MODES
-#endif
-#ifdef HAVE_EVP_RIPEMD
-#define RIPEMD_MAC_MODES \
- "hmac-ripemd160," \
- "hmac-ripemd160@openssh.com,"
-#else
-# define RIPEMD_MAC_MODES
-#endif
-#define KEX_DEFAULT_MAC \
- "hmac-md5," \
- "hmac-sha1," \
+
+#define KEX_SERVER_MAC \
+ "umac-64-etm@openssh.com," \
+ "umac-128-etm@openssh.com," \
+ "hmac-sha2-256-etm@openssh.com," \
+ "hmac-sha2-512-etm@openssh.com," \
+ "hmac-sha1-etm@openssh.com," \
"umac-64@openssh.com," \
- SHA2_HMAC_MODES \
+ "umac-128@openssh.com," \
+ "hmac-sha2-256," \
+ "hmac-sha2-512," \
+ "hmac-sha1"
+
+#define KEX_CLIENT_MAC KEX_SERVER_MAC "," \
+ "hmac-md5-etm@openssh.com," \
+ "hmac-sha1-96-etm@openssh.com," \
+ "hmac-md5-96-etm@openssh.com," \
+ "hmac-md5," \
RIPEMD_MAC_MODES \
"hmac-sha1-96," \
"hmac-md5-96"
+#else
+
+#define KEX_SERVER_KEX \
+ "curve25519-sha256@libssh.org"
+#define KEX_DEFAULT_PK_ALG \
+ "ssh-ed25519-cert-v01@openssh.com," \
+ "ssh-ed25519"
+#define KEX_SERVER_ENCRYPT \
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
+ "chacha20-poly1305@openssh.com"
+#define KEX_SERVER_MAC \
+ "umac-64-etm@openssh.com," \
+ "umac-128-etm@openssh.com," \
+ "hmac-sha2-256-etm@openssh.com," \
+ "hmac-sha2-512-etm@openssh.com," \
+ "hmac-sha1-etm@openssh.com," \
+ "umac-64@openssh.com," \
+ "umac-128@openssh.com," \
+ "hmac-sha2-256," \
+ "hmac-sha2-512," \
+ "hmac-sha1"
+
+#define KEX_CLIENT_KEX KEX_SERVER_KEX
+#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
+#define KEX_CLIENT_MAC KEX_SERVER_MAC
+
+#endif /* WITH_OPENSSL */
+
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
#define KEX_DEFAULT_LANG ""
-
-static char *myproposal[PROPOSAL_MAX] = {
- KEX_DEFAULT_KEX,
- KEX_DEFAULT_PK_ALG,
- KEX_DEFAULT_ENCRYPT,
- KEX_DEFAULT_ENCRYPT,
- KEX_DEFAULT_MAC,
- KEX_DEFAULT_MAC,
- KEX_DEFAULT_COMP,
- KEX_DEFAULT_COMP,
- KEX_DEFAULT_LANG,
+#define KEX_CLIENT \
+ KEX_CLIENT_KEX, \
+ KEX_DEFAULT_PK_ALG, \
+ KEX_CLIENT_ENCRYPT, \
+ KEX_CLIENT_ENCRYPT, \
+ KEX_CLIENT_MAC, \
+ KEX_CLIENT_MAC, \
+ KEX_DEFAULT_COMP, \
+ KEX_DEFAULT_COMP, \
+ KEX_DEFAULT_LANG, \
KEX_DEFAULT_LANG
-};
+
+#define KEX_SERVER \
+ KEX_SERVER_KEX, \
+ KEX_DEFAULT_PK_ALG, \
+ KEX_SERVER_ENCRYPT, \
+ KEX_SERVER_ENCRYPT, \
+ KEX_SERVER_MAC, \
+ KEX_SERVER_MAC, \
+ KEX_DEFAULT_COMP, \
+ KEX_DEFAULT_COMP, \
+ KEX_DEFAULT_LANG, \
+ KEX_DEFAULT_LANG
+