Merge branch 'vendor/OPENSSH'
[dragonfly.git] / crypto / openssh / myproposal.h
index 990e604..dbf0a37 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.28 2011/08/02 01:22:11 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.41 2014/07/11 13:54:34 tedu Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 
 #include <openssl/opensslv.h>
 
+/* conditional algorithm support */
+
 #ifdef OPENSSL_HAS_ECC
+#ifdef OPENSSL_HAS_NISTP521
 # define KEX_ECDH_METHODS \
        "ecdh-sha2-nistp256," \
        "ecdh-sha2-nistp384," \
        "ecdsa-sha2-nistp384," \
        "ecdsa-sha2-nistp521,"
 #else
+# define KEX_ECDH_METHODS \
+       "ecdh-sha2-nistp256," \
+       "ecdh-sha2-nistp384,"
+# define HOSTKEY_ECDSA_CERT_METHODS \
+       "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
+       "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
+# define HOSTKEY_ECDSA_METHODS \
+       "ecdsa-sha2-nistp256," \
+       "ecdsa-sha2-nistp384,"
+#endif
+#else
 # define KEX_ECDH_METHODS
 # define HOSTKEY_ECDSA_CERT_METHODS
 # define HOSTKEY_ECDSA_METHODS
 #endif
 
-/* Old OpenSSL doesn't support what we need for DHGEX-sha256 */
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+#ifdef OPENSSL_HAVE_EVPGCM
+# define AESGCM_CIPHER_MODES \
+       "aes128-gcm@openssh.com,aes256-gcm@openssh.com,"
+#else
+# define AESGCM_CIPHER_MODES
+#endif
+
+#ifdef HAVE_EVP_SHA256
 # define KEX_SHA256_METHODS \
        "diffie-hellman-group-exchange-sha256,"
+#define        SHA2_HMAC_MODES \
+       "hmac-sha2-256," \
+       "hmac-sha2-512,"
 #else
 # define KEX_SHA256_METHODS
+# define SHA2_HMAC_MODES
 #endif
 
-# define KEX_DEFAULT_KEX \
+#ifdef WITH_OPENSSL
+# ifdef HAVE_EVP_SHA256
+#  define KEX_CURVE25519_METHODS "curve25519-sha256@libssh.org,"
+# else
+#  define KEX_CURVE25519_METHODS ""
+# endif
+#define KEX_SERVER_KEX \
+       KEX_CURVE25519_METHODS \
        KEX_ECDH_METHODS \
        KEX_SHA256_METHODS \
+       "diffie-hellman-group14-sha1"
+
+#define KEX_CLIENT_KEX KEX_SERVER_KEX "," \
        "diffie-hellman-group-exchange-sha1," \
-       "diffie-hellman-group14-sha1," \
        "diffie-hellman-group1-sha1"
 
 #define        KEX_DEFAULT_PK_ALG      \
        HOSTKEY_ECDSA_CERT_METHODS \
+       "ssh-ed25519-cert-v01@openssh.com," \
        "ssh-rsa-cert-v01@openssh.com," \
        "ssh-dss-cert-v01@openssh.com," \
        "ssh-rsa-cert-v00@openssh.com," \
        "ssh-dss-cert-v00@openssh.com," \
        HOSTKEY_ECDSA_METHODS \
+       "ssh-ed25519," \
        "ssh-rsa," \
        "ssh-dss"
 
-#define        KEX_DEFAULT_ENCRYPT \
+/* the actual algorithms */
+
+#define KEX_SERVER_ENCRYPT \
        "aes128-ctr,aes192-ctr,aes256-ctr," \
+       AESGCM_CIPHER_MODES \
+       "chacha20-poly1305@openssh.com"
+
+#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
        "arcfour256,arcfour128," \
        "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
        "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
-#define KEX_ENCRYPT_INCLUDE_NONE KEX_DEFAULT_ENCRYPT \
-       ",none"
-#ifdef HAVE_EVP_SHA256
-#define        SHA2_HMAC_MODES \
+
+#define KEX_SERVER_MAC \
+       "umac-64-etm@openssh.com," \
+       "umac-128-etm@openssh.com," \
+       "hmac-sha2-256-etm@openssh.com," \
+       "hmac-sha2-512-etm@openssh.com," \
+       "hmac-sha1-etm@openssh.com," \
+       "umac-64@openssh.com," \
+       "umac-128@openssh.com," \
        "hmac-sha2-256," \
-       "hmac-sha2-256-96," \
        "hmac-sha2-512," \
-       "hmac-sha2-512-96,"
-#else
-# define SHA2_HMAC_MODES
-#endif
-#define        KEX_DEFAULT_MAC \
+       "hmac-sha1"
+
+#define KEX_CLIENT_MAC KEX_SERVER_MAC "," \
+       "hmac-md5-etm@openssh.com," \
+       "hmac-ripemd160-etm@openssh.com," \
+       "hmac-sha1-96-etm@openssh.com," \
+       "hmac-md5-96-etm@openssh.com," \
        "hmac-md5," \
-       "hmac-sha1," \
-       "umac-64@openssh.com," \
-       SHA2_HMAC_MODES \
        "hmac-ripemd160," \
        "hmac-ripemd160@openssh.com," \
        "hmac-sha1-96," \
        "hmac-md5-96"
 
+#else
+
+#define KEX_SERVER_KEX         \
+       "curve25519-sha256@libssh.org"
+#define        KEX_DEFAULT_PK_ALG      \
+       "ssh-ed25519-cert-v01@openssh.com," \
+       "ssh-ed25519"
+#define        KEX_SERVER_ENCRYPT \
+       "aes128-ctr,aes192-ctr,aes256-ctr," \
+       "chacha20-poly1305@openssh.com"
+#define        KEX_SERVER_MAC \
+       "umac-64-etm@openssh.com," \
+       "umac-128-etm@openssh.com," \
+       "hmac-sha2-256-etm@openssh.com," \
+       "hmac-sha2-512-etm@openssh.com," \
+       "hmac-sha1-etm@openssh.com," \
+       "umac-64@openssh.com," \
+       "umac-128@openssh.com," \
+       "hmac-sha2-256," \
+       "hmac-sha2-512," \
+       "hmac-sha1"
+
+#define KEX_CLIENT_KEX KEX_SERVER_KEX
+#define        KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
+#define KEX_CLIENT_MAC KEX_SERVER_MAC
+
+#endif /* WITH_OPENSSL */
+
 #define        KEX_DEFAULT_COMP        "none,zlib@openssh.com,zlib"
 #define        KEX_DEFAULT_LANG        ""
 
+#define KEX_ENCRYPT_INCLUDE_NONE KEX_SERVER_ENCRYPT ",none"
 
-static char *myproposal[PROPOSAL_MAX] = {
-       KEX_DEFAULT_KEX,
-       KEX_DEFAULT_PK_ALG,
-       KEX_DEFAULT_ENCRYPT,
-       KEX_DEFAULT_ENCRYPT,
-       KEX_DEFAULT_MAC,
-       KEX_DEFAULT_MAC,
-       KEX_DEFAULT_COMP,
-       KEX_DEFAULT_COMP,
-       KEX_DEFAULT_LANG,
+#define KEX_CLIENT \
+       KEX_CLIENT_KEX, \
+       KEX_DEFAULT_PK_ALG, \
+       KEX_CLIENT_ENCRYPT, \
+       KEX_CLIENT_ENCRYPT, \
+       KEX_CLIENT_MAC, \
+       KEX_CLIENT_MAC, \
+       KEX_DEFAULT_COMP, \
+       KEX_DEFAULT_COMP, \
+       KEX_DEFAULT_LANG, \
        KEX_DEFAULT_LANG
-};
+
+#define KEX_SERVER \
+       KEX_SERVER_KEX, \
+       KEX_DEFAULT_PK_ALG, \
+       KEX_SERVER_ENCRYPT, \
+       KEX_SERVER_ENCRYPT, \
+       KEX_SERVER_MAC, \
+       KEX_SERVER_MAC, \
+       KEX_DEFAULT_COMP, \
+       KEX_DEFAULT_COMP, \
+       KEX_DEFAULT_LANG, \
+       KEX_DEFAULT_LANG
+
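Review bot: In the `WITH_OPENSSL` branch, `KEX_SERVER_MAC` lists `"hmac-sha2-256,"`, `"hmac-sha2-512,"` and their `-etm@openssh.com` variants as unconditional literals, while `SHA2_HMAC_MODES`, which this change keeps under `#ifdef HAVE_EVP_SHA256`, is no longer referenced anywhere in the visible new lines. On a build without `HAVE_EVP_SHA256` the default proposal would therefore still advertise SHA-2 MACs, even though `KEX_SHA256_METHODS` and `KEX_CURVE25519_METHODS` are dropped for that same case. Whether the MAC table elsewhere rejects them is not visible here, but a peer could presumably select a MAC the build cannot compute, and the negotiation would fail. Either put `SHA2_HMAC_MODES \` in place of the two plain SHA-2 literals and gate the two etm entries the same way, or delete the dead definition so the header does not suggest a guard that is not applied. A one-line comment such as `/* fragments end with ','; the last literal in each list must not */` above the conditional block would also document the trailing-comma convention the concatenated lists depend on.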