1 /* $OpenBSD: myproposal.h,v 1.57 2018/09/12 01:34:02 djm Exp $ */
4 * Copyright (c) 2000 Markus Friedl. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 #include <openssl/opensslv.h>
29 /* conditional algorithm support */
31 #ifdef OPENSSL_HAS_ECC
32 #ifdef OPENSSL_HAS_NISTP521
33 # define KEX_ECDH_METHODS \
34 "ecdh-sha2-nistp256," \
35 "ecdh-sha2-nistp384," \
37 # define HOSTKEY_ECDSA_CERT_METHODS \
38 "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
39 "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
40 "ecdsa-sha2-nistp521-cert-v01@openssh.com,"
41 # define HOSTKEY_ECDSA_METHODS \
42 "ecdsa-sha2-nistp256," \
43 "ecdsa-sha2-nistp384," \
44 "ecdsa-sha2-nistp521,"
46 # define KEX_ECDH_METHODS \
47 "ecdh-sha2-nistp256," \
49 # define HOSTKEY_ECDSA_CERT_METHODS \
50 "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
51 "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
52 # define HOSTKEY_ECDSA_METHODS \
53 "ecdsa-sha2-nistp256," \
54 "ecdsa-sha2-nistp384,"
57 # define KEX_ECDH_METHODS
58 # define HOSTKEY_ECDSA_CERT_METHODS
59 # define HOSTKEY_ECDSA_METHODS
62 #ifdef OPENSSL_HAVE_EVPGCM
63 # define AESGCM_CIPHER_MODES \
64 ",aes128-gcm@openssh.com,aes256-gcm@openssh.com"
66 # define AESGCM_CIPHER_MODES
69 #ifdef HAVE_EVP_SHA256
70 # define KEX_SHA2_METHODS \
71 "diffie-hellman-group-exchange-sha256," \
72 "diffie-hellman-group16-sha512," \
73 "diffie-hellman-group18-sha512,"
74 # define KEX_SHA2_GROUP14 \
75 "diffie-hellman-group14-sha256,"
76 #define SHA2_HMAC_MODES \
80 # define KEX_SHA2_METHODS
81 # define KEX_SHA2_GROUP14
82 # define SHA2_HMAC_MODES
86 # ifdef HAVE_EVP_SHA256
87 # define KEX_CURVE25519_METHODS \
88 "curve25519-sha256," \
89 "curve25519-sha256@libssh.org,"
91 # define KEX_CURVE25519_METHODS ""
93 #define KEX_COMMON_KEX \
94 KEX_CURVE25519_METHODS \
98 #define KEX_SERVER_KEX KEX_COMMON_KEX \
100 "diffie-hellman-group14-sha1" \
102 #define KEX_CLIENT_KEX KEX_COMMON_KEX \
103 "diffie-hellman-group-exchange-sha1," \
105 "diffie-hellman-group14-sha1"
107 #define KEX_DEFAULT_PK_ALG \
108 HOSTKEY_ECDSA_CERT_METHODS \
109 "ssh-ed25519-cert-v01@openssh.com," \
110 "rsa-sha2-512-cert-v01@openssh.com," \
111 "rsa-sha2-256-cert-v01@openssh.com," \
112 "ssh-rsa-cert-v01@openssh.com," \
113 HOSTKEY_ECDSA_METHODS \
119 /* the actual algorithms */
121 #define KEX_SERVER_ENCRYPT \
122 "chacha20-poly1305@openssh.com," \
123 "aes128-ctr,aes192-ctr,aes256-ctr" \
126 #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
128 #define KEX_SERVER_MAC \
129 "umac-64-etm@openssh.com," \
130 "umac-128-etm@openssh.com," \
131 "hmac-sha2-256-etm@openssh.com," \
132 "hmac-sha2-512-etm@openssh.com," \
133 "hmac-sha1-etm@openssh.com," \
134 "umac-64@openssh.com," \
135 "umac-128@openssh.com," \
140 #define KEX_CLIENT_MAC KEX_SERVER_MAC
142 /* Not a KEX value, but here so all the algorithm defaults are together */
143 #define SSH_ALLOWED_CA_SIGALGS \
144 "ecdsa-sha2-nistp256," \
145 "ecdsa-sha2-nistp384," \
146 "ecdsa-sha2-nistp521," \
152 #else /* WITH_OPENSSL */
154 #define KEX_SERVER_KEX \
155 "curve25519-sha256," \
156 "curve25519-sha256@libssh.org"
157 #define KEX_DEFAULT_PK_ALG \
158 "ssh-ed25519-cert-v01@openssh.com," \
160 #define KEX_SERVER_ENCRYPT \
161 "chacha20-poly1305@openssh.com," \
162 "aes128-ctr,aes192-ctr,aes256-ctr"
163 #define KEX_SERVER_MAC \
164 "umac-64-etm@openssh.com," \
165 "umac-128-etm@openssh.com," \
166 "hmac-sha2-256-etm@openssh.com," \
167 "hmac-sha2-512-etm@openssh.com," \
168 "hmac-sha1-etm@openssh.com," \
169 "umac-64@openssh.com," \
170 "umac-128@openssh.com," \
175 #define KEX_CLIENT_KEX KEX_SERVER_KEX
176 #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
177 #define KEX_CLIENT_MAC KEX_SERVER_MAC
179 #define SSH_ALLOWED_CA_SIGALGS "ssh-ed25519"
181 #endif /* WITH_OPENSSL */
183 #define KEX_DEFAULT_COMP "none,zlib@openssh.com"
184 #define KEX_DEFAULT_LANG ""
188 KEX_DEFAULT_PK_ALG, \
189 KEX_CLIENT_ENCRYPT, \
190 KEX_CLIENT_ENCRYPT, \
200 KEX_DEFAULT_PK_ALG, \
201 KEX_SERVER_ENCRYPT, \
202 KEX_SERVER_ENCRYPT, \