1 /* $OpenBSD: myproposal.h,v 1.58 2019/02/23 08:20:43 djm Exp $ */
4 * Copyright (c) 2000 Markus Friedl. All rights reserved.
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 #include <openssl/opensslv.h>
29 /* conditional algorithm support */
31 #ifdef OPENSSL_HAS_ECC
32 #ifdef OPENSSL_HAS_NISTP521
33 # define KEX_ECDH_METHODS \
34 "ecdh-sha2-nistp256," \
35 "ecdh-sha2-nistp384," \
37 # define HOSTKEY_ECDSA_CERT_METHODS \
38 "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
39 "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
40 "ecdsa-sha2-nistp521-cert-v01@openssh.com,"
41 # define HOSTKEY_ECDSA_METHODS \
42 "ecdsa-sha2-nistp256," \
43 "ecdsa-sha2-nistp384," \
44 "ecdsa-sha2-nistp521,"
46 # define KEX_ECDH_METHODS \
47 "ecdh-sha2-nistp256," \
49 # define HOSTKEY_ECDSA_CERT_METHODS \
50 "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
51 "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
52 # define HOSTKEY_ECDSA_METHODS \
53 "ecdsa-sha2-nistp256," \
54 "ecdsa-sha2-nistp384,"
57 # define KEX_ECDH_METHODS
58 # define HOSTKEY_ECDSA_CERT_METHODS
59 # define HOSTKEY_ECDSA_METHODS
62 #ifdef OPENSSL_HAVE_EVPGCM
63 # define AESGCM_CIPHER_MODES \
64 ",aes128-gcm@openssh.com,aes256-gcm@openssh.com"
66 # define AESGCM_CIPHER_MODES
69 #ifdef HAVE_EVP_SHA256
70 # define KEX_SHA2_METHODS \
71 "diffie-hellman-group-exchange-sha256," \
72 "diffie-hellman-group16-sha512," \
73 "diffie-hellman-group18-sha512,"
74 # define KEX_SHA2_GROUP14 \
75 "diffie-hellman-group14-sha256,"
76 #define SHA2_HMAC_MODES \
80 # define KEX_SHA2_METHODS
81 # define KEX_SHA2_GROUP14
82 # define SHA2_HMAC_MODES
86 # ifdef HAVE_EVP_SHA256
87 # define KEX_CURVE25519_METHODS \
88 "curve25519-sha256," \
89 "curve25519-sha256@libssh.org,"
91 # define KEX_CURVE25519_METHODS ""
93 #define KEX_SERVER_KEX \
94 KEX_CURVE25519_METHODS \
98 "diffie-hellman-group14-sha1"
100 #define KEX_CLIENT_KEX KEX_SERVER_KEX
102 #define KEX_DEFAULT_PK_ALG \
103 HOSTKEY_ECDSA_CERT_METHODS \
104 "ssh-ed25519-cert-v01@openssh.com," \
105 "rsa-sha2-512-cert-v01@openssh.com," \
106 "rsa-sha2-256-cert-v01@openssh.com," \
107 "ssh-rsa-cert-v01@openssh.com," \
108 HOSTKEY_ECDSA_METHODS \
114 /* the actual algorithms */
116 #define KEX_SERVER_ENCRYPT \
117 "chacha20-poly1305@openssh.com," \
118 "aes128-ctr,aes192-ctr,aes256-ctr" \
121 #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
123 #define KEX_SERVER_MAC \
124 "umac-64-etm@openssh.com," \
125 "umac-128-etm@openssh.com," \
126 "hmac-sha2-256-etm@openssh.com," \
127 "hmac-sha2-512-etm@openssh.com," \
128 "hmac-sha1-etm@openssh.com," \
129 "umac-64@openssh.com," \
130 "umac-128@openssh.com," \
135 #define KEX_CLIENT_MAC KEX_SERVER_MAC
137 /* Not a KEX value, but here so all the algorithm defaults are together */
138 #define SSH_ALLOWED_CA_SIGALGS \
139 "ecdsa-sha2-nistp256," \
140 "ecdsa-sha2-nistp384," \
141 "ecdsa-sha2-nistp521," \
147 #else /* WITH_OPENSSL */
149 #define KEX_SERVER_KEX \
150 "curve25519-sha256," \
151 "curve25519-sha256@libssh.org"
152 #define KEX_DEFAULT_PK_ALG \
153 "ssh-ed25519-cert-v01@openssh.com," \
155 #define KEX_SERVER_ENCRYPT \
156 "chacha20-poly1305@openssh.com," \
157 "aes128-ctr,aes192-ctr,aes256-ctr"
158 #define KEX_SERVER_MAC \
159 "umac-64-etm@openssh.com," \
160 "umac-128-etm@openssh.com," \
161 "hmac-sha2-256-etm@openssh.com," \
162 "hmac-sha2-512-etm@openssh.com," \
163 "hmac-sha1-etm@openssh.com," \
164 "umac-64@openssh.com," \
165 "umac-128@openssh.com," \
170 #define KEX_CLIENT_KEX KEX_SERVER_KEX
171 #define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
172 #define KEX_CLIENT_MAC KEX_SERVER_MAC
174 #define SSH_ALLOWED_CA_SIGALGS "ssh-ed25519"
176 #endif /* WITH_OPENSSL */
178 #define KEX_DEFAULT_COMP "none,zlib@openssh.com"
179 #define KEX_DEFAULT_LANG ""
183 KEX_DEFAULT_PK_ALG, \
184 KEX_CLIENT_ENCRYPT, \
185 KEX_CLIENT_ENCRYPT, \
195 KEX_DEFAULT_PK_ALG, \
196 KEX_SERVER_ENCRYPT, \
197 KEX_SERVER_ENCRYPT, \