File 1331-Use-the-standard-kex-strict-identifier-in-the-kex_al.patch of Package erlang
From be189d179804e3cc509a19b397cd4f4bde29bff2 Mon Sep 17 00:00:00 2001
From: Simon Cornish <7t9jna402@sneakemail.com>
Date: Mon, 18 Aug 2025 16:36:24 -0700
Subject: [PATCH] Use the standard kex-strict-* identifier in the
kex_algorithms field
This patch signals support for strict KEX using the IETF standard
identifiers, kex-strict-c & kex-strict-s. The pre-standard
identifiers are retained for compatibility.
---
lib/ssh/src/ssh_transport.erl | 12 ++++++++----
lib/ssh/src/ssh_transport.hrl | 6 ++++--
lib/ssh/test/ssh_protocol_SUITE.erl | 8 ++++----
3 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/lib/ssh/src/ssh_transport.erl b/lib/ssh/src/ssh_transport.erl
index d88e5fb6ed..dfe64d8611 100644
--- a/lib/ssh/src/ssh_transport.erl
+++ b/lib/ssh/src/ssh_transport.erl
@@ -897,8 +897,8 @@ handle_new_keys(#ssh_msg_newkeys{}, Ssh0) ->
end.
%%%----------------------------------------------------------------
-kex_strict_alg(client) -> [?kex_strict_c];
-kex_strict_alg(server) -> [?kex_strict_s].
+kex_strict_alg(client) -> [?kex_strict_c, ?kex_strict_c_pre];
+kex_strict_alg(server) -> [?kex_strict_s, ?kex_strict_s_pre].
%%%----------------------------------------------------------------
kex_ext_info(Role, Opts) ->
@@ -1101,10 +1101,14 @@ select_algorithm(Role, Client, Server,
case Role of
server ->
lists:member(?kex_strict_c,
- Client#ssh_msg_kexinit.kex_algorithms);
+ Client#ssh_msg_kexinit.kex_algorithms) orelse
+ lists:member(?kex_strict_c_pre,
+ Client#ssh_msg_kexinit.kex_algorithms);
client ->
lists:member(?kex_strict_s,
- Server#ssh_msg_kexinit.kex_algorithms)
+ Server#ssh_msg_kexinit.kex_algorithms) orelse
+ lists:member(?kex_strict_s_pre,
+ Server#ssh_msg_kexinit.kex_algorithms)
end,
case Result of
true ->
diff --git a/lib/ssh/src/ssh_transport.hrl b/lib/ssh/src/ssh_transport.hrl
index 3ab1ce319f..2373f89c4d 100644
--- a/lib/ssh/src/ssh_transport.hrl
+++ b/lib/ssh/src/ssh_transport.hrl
@@ -269,6 +269,8 @@
{2, 16#FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C93402849236C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BDF8FF9406AD9E530EE5DB382F413001AEB06A53ED9027D831179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1BDB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF5983CA01C64B92ECF032EA15D1721D03F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E59E7C97FBEC7E8F323A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AACC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58BB7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632387FE8D76E3C0468043E8F663F4860EE12BF2D5B0B7474D6E694F91E6DBE115974A3926F12FEE5E438777CB6A932DF8CD8BEC4D073B931BA3BC832B68D9DD300741FA7BF8AFC47ED2576F6936BA424663AAB639C5AE4F5683423B4742BF1C978238F16CBE39D652DE3FDB8BEFC848AD922222E04A4037C0713EB57A81A23F0C73473FC646CEA306B4BCBC8862F8385DDFA9D4B7FA2C087E879683303ED5BDD3A062B3CF5B3A278A66D2A13F83F44F82DDF310EE074AB6A364597E899A0255DC164F31CC50846851DF9AB48195DED7EA1B1D510BD7EE74D73FAF36BC31ECFA268359046F4EB879F924009438B481C6CD7889A002ED5EE382BC9190DA6FC026E479558E4475677E9AA9E3050E2765694DFC81F56E880B96E7160C980DD98EDD3DFFFFFFFFFFFFFFFFF}).
%%% OpenSSH KEX strict
--define(kex_strict_c, "kex-strict-c-v00@openssh.com").
--define(kex_strict_s, "kex-strict-s-v00@openssh.com").
+-define(kex_strict_c_pre, "kex-strict-c-v00@openssh.com").
+-define(kex_strict_c, "kex-strict-c").
+-define(kex_strict_s_pre, "kex-strict-s-v00@openssh.com").
+-define(kex_strict_s, "kex-strict-s").
-endif. % -ifdef(ssh_transport).
diff --git a/lib/ssh/test/ssh_protocol_SUITE.erl b/lib/ssh/test/ssh_protocol_SUITE.erl
index a4d8a778af..3acf1599c9 100644
--- a/lib/ssh/test/ssh_protocol_SUITE.erl
+++ b/lib/ssh/test/ssh_protocol_SUITE.erl
@@ -1321,7 +1321,7 @@ modify_append(Config) ->
Ciphers = filter_supported(cipher, ?CIPHERS),
{ok,_} =
chk_pref_algs(Config,
- [?DEFAULT_KEX, ?EXTRA_KEX, list_to_atom(?kex_strict_s)],
+ [?DEFAULT_KEX, ?EXTRA_KEX, list_to_atom(?kex_strict_s), list_to_atom(?kex_strict_s_pre)],
Ciphers,
[{preferred_algorithms, [{kex,[?DEFAULT_KEX]},
{cipher,Ciphers}
@@ -1335,7 +1335,7 @@ modify_prepend(Config) ->
Ciphers = filter_supported(cipher, ?CIPHERS),
{ok,_} =
chk_pref_algs(Config,
- [?EXTRA_KEX, ?DEFAULT_KEX, list_to_atom(?kex_strict_s)],
+ [?EXTRA_KEX, ?DEFAULT_KEX, list_to_atom(?kex_strict_s), list_to_atom(?kex_strict_s_pre)],
Ciphers,
[{preferred_algorithms, [{kex,[?DEFAULT_KEX]},
{cipher,Ciphers}
@@ -1349,7 +1349,7 @@ modify_rm(Config) ->
Ciphers = filter_supported(cipher, ?CIPHERS),
{ok,_} =
chk_pref_algs(Config,
- [?DEFAULT_KEX, list_to_atom(?kex_strict_s)],
+ [?DEFAULT_KEX, list_to_atom(?kex_strict_s), list_to_atom(?kex_strict_s_pre)],
tl(Ciphers),
[{preferred_algorithms, [{kex,[?DEFAULT_KEX,?EXTRA_KEX]},
{cipher,Ciphers}
@@ -1368,7 +1368,7 @@ modify_combo(Config) ->
LastC = lists:last(Ciphers),
{ok,_} =
chk_pref_algs(Config,
- [?DEFAULT_KEX, list_to_atom(?kex_strict_s)],
+ [?DEFAULT_KEX, list_to_atom(?kex_strict_s), list_to_atom(?kex_strict_s_pre)],
[LastC] ++ (tl(Ciphers)--[LastC]) ++ [hd(Ciphers)],
[{preferred_algorithms, [{kex,[?DEFAULT_KEX,?EXTRA_KEX]},
{cipher,Ciphers}
--
2.51.0
