[openssh-commits] [openssh] branch master updated: upstream: Use curve25519-sha256 kex where possible.

git+noreply at mindrot.org git+noreply at mindrot.org
Wed Aug 21 17:19:01 AEST 2024 

This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

The following commit(s) were added to refs/heads/master by this push:
     new 25c52f37 upstream: Use curve25519-sha256 kex where possible.
25c52f37 is described below

commit 25c52f37a82c4da48ec537de37d7c168982b8d6d
Author: dtucker at openbsd.org <dtucker at openbsd.org>
AuthorDate: Wed Aug 21 06:59:08 2024 +0000

    upstream: Use curve25519-sha256 kex where possible.
    
    Except where we're explicitly testing a different kex, use
    curve25519-sha256 since it's faster than the default and supported even
    when configured without OpenSSL.  Add a check to ensure that the kex we
    intended to test is the one we actually tested. Speeds test up by ~5%.
    
    OpenBSD-Regress-ID: 3b27fcc2ae953cb08fd82a0d3155c498b226d6e0
---
 regress/rekey.sh | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/regress/rekey.sh b/regress/rekey.sh
index 061e6547..79e52f2a 100644
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: rekey.sh,v 1.26 2024/08/20 12:36:59 dtucker Exp $
+#	$OpenBSD: rekey.sh,v 1.27 2024/08/21 06:59:08 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="rekey"
@@ -11,6 +11,7 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
 echo "Compression no" >> $OBJ/ssh_proxy
 echo "RekeyLimit 256k" >> $OBJ/ssh_proxy
+echo "KexAlgorithms curve25519-sha256" >> ssh_proxy
 
 # Test rekeying based on data volume only.
 # Arguments: rekeylimit, kex method, optional remaining opts are passed to ssh.
@@ -31,7 +32,7 @@ ssh_data_rekeying()
 	rm -f ${COPY} ${COPY2} ${LOG}
 	# Create data file just big enough to reach rekey threshold.
 	dd if=${DATA} of=${COPY} bs=$_bytes count=1 2>/dev/null
-	${SSH} <${COPY} $_opts -v \
+	${SSH} <${COPY} $_opts -vv \
 	    -oRekeyLimit=$_bytes -F $OBJ/ssh_proxy somehost "cat >${COPY2}"
 	if [ $? -ne 0 ]; then
 		fail "ssh failed ($@)"
@@ -39,6 +40,16 @@ ssh_data_rekeying()
 	cmp ${COPY} ${COPY2}		|| fail "corrupted copy ($@)"
 	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
 	n=`expr $n - 1`
+	case "$_kexopt" in
+	KexAlgorithms*)
+		_want=`echo $_kexopt | cut -f2 -d=`
+		_got=`awk 'BEGIN{FS="[ \r]+"} /kex: algorithm: /{print $4}' \
+		    ${LOG} | sort -u`
+		if [ "$_want" != "$_got" ]; then
+			fail "expected kex $_want, got $_got"
+		fi
+		 ;;
+	esac
 	trace "$n rekeying(s)"
 	if [ $n -lt 1 ]; then
 		fail "no rekeying occurred ($@)"

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

More information about the openssh-commits mailing list