[openssh-commits] [openssh] 02/03: upstream: Dropbear recently added a -Q option;

[git+noreply at mindrot.org]

This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit 0cadf7e0e88f4088595afbea21f2e43f3ae28abc
Author: dtucker at openbsd.org <dtucker at openbsd.org>
AuthorDate: Tue May 12 13:02:40 2026 +0000

    upstream: Dropbear recently added a -Q option;
    
    use it to query KEX if available.
    
    OpenBSD-Regress-ID: beab781f357e27e75dfdd2ec600a7dff2c63cb5b
---
 regress/dropbear-kex.sh | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/regress/dropbear-kex.sh b/regress/dropbear-kex.sh
index 72717fbb7..9ce366a43 100644
--- a/regress/dropbear-kex.sh
+++ b/regress/dropbear-kex.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: dropbear-kex.sh,v 1.4 2025/03/11 07:42:08 dtucker Exp $
+#	$OpenBSD: dropbear-kex.sh,v 1.5 2026/05/12 13:02:40 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="dropbear kex"
@@ -13,10 +13,12 @@ kex="curve25519-sha256 curve25519-sha256 at libssh.org"
 if $SSH -Q kex | grep 'diffie-hellman-group14-sha256' >/dev/null; then
 	kex="$kex diffie-hellman-group14-sha256"
 fi
-# There's no flag to query KEX, so if MACs does not contain SHA1, assume
-# there's also SHA1-based KEX methods either.
+# Until recently, dbclient had no way to query KEX.  If -Qkex is available
+# then use it, otherwise check if MACs contain SHA1 and if present assume
+# there's also SHA1-based KEX methods.
 if $SSH -Q kex | grep 'diffie-hellman-group14-sha1' >/dev/null && \
-    $DBCLIENT -m help hst 2>&1 | grep -- '-sha1' >/dev/null ; then
+    ($DBCLIENT -Q kex 2>/dev/null | grep 'diffie-hellman-group14-sha1' >/dev/null || \
+     $DBCLIENT -m help hst 2>&1 | grep -- '-sha1' >/dev/null) ; then
 	kex="$kex diffie-hellman-group14-sha1"
 fi
 

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.