upstream: Remove unsupported algorithms from list of defaults at run

time and remove ifdef and distinct settings for OPENSSL=no case.

This will make things much simpler for -portable where the exact set
of algos depends on the configuration of both OpenSSH and the libcrypto
it's linked against (if any).  ok djm@

OpenBSD-Commit-ID: e0116d0183dcafc7a9c40ba5fe9127805c5dfdd2
diff --git a/myproposal.h b/myproposal.h
index 145704f..dd2499d 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.65 2020/01/22 04:58:23 tedu Exp $ */
+/* $OpenBSD: myproposal.h,v 1.66 2020/01/23 02:46:49 dtucker Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -24,110 +24,47 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-#ifdef WITH_OPENSSL
-#include <openssl/opensslv.h>
-#endif
-
-/* conditional algorithm support */
-
-#ifdef OPENSSL_HAS_ECC
-# ifdef OPENSSL_HAS_NISTP521
-#  define KEX_ECDH_METHODS \
+#define KEX_SERVER_KEX	\
+	"curve25519-sha256," \
+	"curve25519-sha256@libssh.org," \
 	"ecdh-sha2-nistp256," \
 	"ecdh-sha2-nistp384," \
-	"ecdh-sha2-nistp521,"
-#  define HOSTKEY_ECDSA_CERT_METHODS \
-	"ecdsa-sha2-nistp256-cert-v01@openssh.com," \
-	"ecdsa-sha2-nistp384-cert-v01@openssh.com," \
-	"ecdsa-sha2-nistp521-cert-v01@openssh.com," \
-	"sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
-#  define HOSTKEY_ECDSA_METHODS \
-	"ecdsa-sha2-nistp256," \
-	"ecdsa-sha2-nistp384," \
-	"ecdsa-sha2-nistp521," \
-	"sk-ecdsa-sha2-nistp256@openssh.com,"
-# else /* OPENSSL_HAS_NISTP521 */
-#  define KEX_ECDH_METHODS \
-	"ecdh-sha2-nistp256," \
-	"ecdh-sha2-nistp384,"
-#  define HOSTKEY_ECDSA_CERT_METHODS \
-	"ecdsa-sha2-nistp256-cert-v01@openssh.com," \
-	"ecdsa-sha2-nistp384-cert-v01@openssh.com," \
-	"sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,"
-#  define HOSTKEY_ECDSA_METHODS \
-	"ecdsa-sha2-nistp256," \
-	"ecdsa-sha2-nistp384," \
-	"sk-ecdsa-sha2-nistp256@openssh.com,"
-# endif /* OPENSSL_HAS_NISTP521 */
-#else /* OPENSSL_HAS_ECC */
-# define KEX_ECDH_METHODS
-# define HOSTKEY_ECDSA_CERT_METHODS
-# define HOSTKEY_ECDSA_METHODS
-#endif /* OPENSSL_HAS_ECC */
-
-#ifdef OPENSSL_HAVE_EVPGCM
-# define AESGCM_CIPHER_MODES \
-	",aes128-gcm@openssh.com,aes256-gcm@openssh.com"
-#else
-# define AESGCM_CIPHER_MODES
-#endif
-
-#ifdef HAVE_EVP_SHA256
-# define KEX_SHA2_METHODS \
+	"ecdh-sha2-nistp521," \
 	"diffie-hellman-group-exchange-sha256," \
 	"diffie-hellman-group16-sha512," \
-	"diffie-hellman-group18-sha512,"
-# define KEX_SHA2_GROUP14 \
-	"diffie-hellman-group14-sha256,"
-#define	SHA2_HMAC_MODES \
-	"hmac-sha2-256," \
-	"hmac-sha2-512,"
-#else
-# define KEX_SHA2_METHODS
-# define KEX_SHA2_GROUP14
-# define SHA2_HMAC_MODES
-#endif
-
-#ifdef WITH_OPENSSL
-# ifdef HAVE_EVP_SHA256
-#  define KEX_CURVE25519_METHODS \
-	"curve25519-sha256," \
-	"curve25519-sha256@libssh.org,"
-# else
-#  define KEX_CURVE25519_METHODS ""
-# endif
-#define KEX_SERVER_KEX \
-	KEX_CURVE25519_METHODS \
-	KEX_ECDH_METHODS \
-	KEX_SHA2_METHODS \
-	KEX_SHA2_GROUP14
+	"diffie-hellman-group18-sha512," \
+	"diffie-hellman-group14-sha256"
 
 #define KEX_CLIENT_KEX KEX_SERVER_KEX
 
 #define	KEX_DEFAULT_PK_ALG	\
-	HOSTKEY_ECDSA_CERT_METHODS \
+	"ecdsa-sha2-nistp256-cert-v01@openssh.com," \
+	"ecdsa-sha2-nistp384-cert-v01@openssh.com," \
+	"ecdsa-sha2-nistp521-cert-v01@openssh.com," \
+	"sk-ecdsa-sha2-nistp256-cert-v01@openssh.com," \
 	"ssh-ed25519-cert-v01@openssh.com," \
 	"sk-ssh-ed25519-cert-v01@openssh.com," \
 	"rsa-sha2-512-cert-v01@openssh.com," \
 	"rsa-sha2-256-cert-v01@openssh.com," \
 	"ssh-rsa-cert-v01@openssh.com," \
-	HOSTKEY_ECDSA_METHODS \
+	"ecdsa-sha2-nistp256," \
+	"ecdsa-sha2-nistp384," \
+	"ecdsa-sha2-nistp521," \
+	"sk-ecdsa-sha2-nistp256@openssh.com," \
 	"ssh-ed25519," \
 	"sk-ssh-ed25519@openssh.com," \
 	"rsa-sha2-512," \
 	"rsa-sha2-256," \
 	"ssh-rsa"
 
-/* the actual algorithms */
-
-#define KEX_SERVER_ENCRYPT \
+#define	KEX_SERVER_ENCRYPT \
 	"chacha20-poly1305@openssh.com," \
-	"aes128-ctr,aes192-ctr,aes256-ctr" \
-	AESGCM_CIPHER_MODES
+	"aes128-ctr,aes192-ctr,aes256-ctr," \
+	"aes128-gcm@openssh.com,aes256-gcm@openssh.com"
 
 #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
 
-#define KEX_SERVER_MAC \
+#define	KEX_SERVER_MAC \
 	"umac-64-etm@openssh.com," \
 	"umac-128-etm@openssh.com," \
 	"hmac-sha2-256-etm@openssh.com," \
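Review bot: Nothing in the header now says that these lists are a superset of what a given build can do: `KEX_SERVER_KEX`, `KEX_DEFAULT_PK_ALG` and `KEX_SERVER_ENCRYPT` name the ECDH/ECDSA, SHA-2 DH and AES-GCM algorithms unconditionally, and the removed `/* conditional algorithm support */` comment was the only hint that availability varies by configuration. The commit message says unsupported names are removed at run time, but that code is not in this diff, so a reader of myproposal.h alone could use these macros directly in a proposal or validity check and offer names the binary cannot perform. I would add a comment above `KEX_SERVER_KEX` such as `/* Superset of default algorithms; names this build does not support are removed at run time before use. */`. The `KEX_SERVER_MAC` definition continues past the end of this hunk.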
@@ -143,44 +80,16 @@
 
 /* Not a KEX value, but here so all the algorithm defaults are together */
 #define	SSH_ALLOWED_CA_SIGALGS	\
-	HOSTKEY_ECDSA_METHODS \
+	"ecdsa-sha2-nistp256," \
+	"ecdsa-sha2-nistp384," \
+	"ecdsa-sha2-nistp521," \
+	"sk-ecdsa-sha2-nistp256@openssh.com," \
 	"ssh-ed25519," \
 	"sk-ssh-ed25519@openssh.com," \
 	"rsa-sha2-512," \
 	"rsa-sha2-256," \
 	"ssh-rsa"
 
-#else /* WITH_OPENSSL */
-
-#define KEX_SERVER_KEX		\
-	"curve25519-sha256," \
-	"curve25519-sha256@libssh.org"
-#define	KEX_DEFAULT_PK_ALG	\
-	"ssh-ed25519-cert-v01@openssh.com," \
-	"ssh-ed25519"
-#define	KEX_SERVER_ENCRYPT \
-	"chacha20-poly1305@openssh.com," \
-	"aes128-ctr,aes192-ctr,aes256-ctr"
-#define	KEX_SERVER_MAC \
-	"umac-64-etm@openssh.com," \
-	"umac-128-etm@openssh.com," \
-	"hmac-sha2-256-etm@openssh.com," \
-	"hmac-sha2-512-etm@openssh.com," \
-	"hmac-sha1-etm@openssh.com," \
-	"umac-64@openssh.com," \
-	"umac-128@openssh.com," \
-	"hmac-sha2-256," \
-	"hmac-sha2-512," \
-	"hmac-sha1"
-
-#define KEX_CLIENT_KEX KEX_SERVER_KEX
-#define	KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
-#define KEX_CLIENT_MAC KEX_SERVER_MAC
-
-#define	SSH_ALLOWED_CA_SIGALGS	"ssh-ed25519,sk-ssh-ed25519@openssh.com"
-
-#endif /* WITH_OPENSSL */
-
 #define	KEX_DEFAULT_COMP	"none,zlib@openssh.com"
 #define	KEX_DEFAULT_LANG	""
 
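Review bot: With the `#else /* WITH_OPENSSL */` branch removed, `SSH_ALLOWED_CA_SIGALGS` in a build without libcrypto widens from `"ssh-ed25519,sk-ssh-ed25519@openssh.com"` to the full nine-entry list, including the ECDSA and RSA names. The comment above the macro says it is not a KEX value, so it is worth confirming that the run-time filtering described in the commit message is applied to this list as well as to the negotiated ones; the filtering code is not visible in this diff. A short comment on the macro would make the dependency explicit, for example `/* Filtered at run time to the signature algorithms this build supports. */`.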
@@ -207,4 +116,3 @@
 	KEX_DEFAULT_COMP, \
 	KEX_DEFAULT_LANG, \
 	KEX_DEFAULT_LANG
-