changeset 746:465fefc4f6e0 kexguess

Put #ifdef guards around the first-follows options so they can be disabled if needed
author Matt Johnston <matt@ucc.asn.au>
date Wed, 03 Apr 2013 00:43:31 +0800
parents 15999b098cc9
children 077bbe1eb220
files cli-session.c common-algo.c common-kex.c sysoptions.h
diffstat 4 files changed, 19 insertions(+), 1 deletions(-) [+]
--- a/cli-session.c	Wed Apr 03 00:32:55 2013 +0800
+++ b/cli-session.c	Wed Apr 03 00:43:31 2013 +0800
@@ -110,11 +110,12 @@
 
 }
 
+#ifdef USE_KEX_FIRST_FOLLOWS
 static void cli_send_kex_first_guess() {
 	send_msg_kexdh_init();
 	dropbear_log(LOG_INFO, "kexdh_init guess sent");
-	//cli_ses.kex_state = KEXDH_INIT_SENT;			
 }
+#endif
 
 static void cli_session_init() {
 
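Review bot: The new `#endif` directives at the end of each guarded region carry no comment naming the macro they close, which makes the guards hard to pair once the regions grow; the same applies to the `#endif` lines in the second cli-session.c hunk, the common-algo.c hunk and the common-kex.c hunk. Suggest `#endif /* USE_KEX_FIRST_FOLLOWS */` here and the matching `#endif /* USE_KEXGUESS2 */` in the other two files. The guarded function `cli_send_kex_first_guess` is fully inside this hunk, but `cli_session_init` begins here and continues outside it.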
@@ -155,7 +156,9 @@
 
 	ses.isserver = 0;
 
+#ifdef USE_KEX_FIRST_FOLLOWS
 	ses.send_kex_first_guess = cli_send_kex_first_guess;
+#endif
 
 }
 
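Review bot: With USE_KEX_FIRST_FOLLOWS undefined, `ses.send_kex_first_guess` is no longer assigned anywhere in this hunk, so whatever later calls through that pointer relies on `ses` having been zero-initialised earlier, which is not visible here. Making the disabled configuration self-contained is two lines: `#else` / `ses.send_kex_first_guess = NULL;` before the `#endif`, so the caller's NULL check (if that is how it is gated) does not depend on initialisation elsewhere. `cli_session_init` starts before this hunk.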
--- a/common-algo.c	Wed Apr 03 00:32:55 2013 +0800
+++ b/common-algo.c	Wed Apr 03 00:43:31 2013 +0800
@@ -216,7 +216,9 @@
 algo_type sshkex[] = {
 	{"diffie-hellman-group14-sha1", DROPBEAR_KEX_DH_GROUP14, NULL, 1, NULL},
 	{"diffie-hellman-group1-sha1", DROPBEAR_KEX_DH_GROUP1, NULL, 1, NULL},
+#ifdef USE_KEXGUESS2
 	{KEXGUESS2_ALGO_NAME, KEXGUESS2_ALGO_ID, NULL, 1, NULL},
+#endif
 	{NULL, 0, NULL, 0, NULL}
 };
 
--- a/common-kex.c	Wed Apr 03 00:32:55 2013 +0800
+++ b/common-kex.c	Wed Apr 03 00:43:31 2013 +0800
@@ -692,7 +692,11 @@
 
 	memset(ses.newkeys, 0x0, sizeof(*ses.newkeys));
 
+#ifdef USE_KEXGUESS2
 	enum kexguess2_used kexguess2 = KEXGUESS2_LOOK;
+#else
+	enum kexguess2_used kexguess2 = KEXGUESS2_NO;
+#endif
 
 	/* kex_algorithms */
 	algo = buf_match_algo(ses.payload, sshkex, &kexguess2, &goodguess);
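Review bot: The `#else` branch now seeds `kexguess2` with KEXGUESS2_NO while `&kexguess2` is still passed to `buf_match_algo`, whose handling of that value is outside the hunk; it is worth confirming that in the disabled build a peer that advertises the kexguess2 marker name is treated as an ordinary non-matching algorithm and cannot still flip the guess state, since the table entry has also been compiled out of `sshkex`. A one-line comment on the `#else` branch, e.g. `/* extension compiled out: never look for the kexguess2 marker */`, would record that intent. The enclosing function begins and ends outside this hunk.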
--- a/sysoptions.h	Wed Apr 03 00:32:55 2013 +0800
+++ b/sysoptions.h	Wed Apr 03 00:43:31 2013 +0800
@@ -23,6 +23,15 @@
 #define AUTH_TIMEOUT 300 /* we choose 5 minutes */
 #endif
 
+/* A client should try and send an initial key exchange packet guessing
+ * the algorithm that will match - saves a round trip connecting, has little
+ * overhead if the guess was "wrong". */
+#define USE_KEX_FIRST_FOLLOWS
+/* Use protocol extension to allow "first follows" to succeed more frequently.
+ * This is currently Dropbear-specific but will gracefully fallback when connecting
+ * to other implementations. */
+#define USE_KEXGUESS2
+
 /* Minimum key sizes for DSS and RSA */
 #ifndef MIN_DSS_KEYLEN
 #define MIN_DSS_KEYLEN 512
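Review bot: Both new macros are defined unconditionally, so despite the changeset's stated purpose they can only be disabled by editing this header; AUTH_TIMEOUT just above shows the file's existing pattern of wrapping a default in `#ifndef`/`#endif` so a build can override it. Following that pattern with an opt-out guard (for example an `#ifndef <DISABLE_MACRO_PLACEHOLDER>` around each `#define`, name to be chosen) would let a configuration turn the feature off without touching sysoptions.h. In the second comment, "gracefully fallback" should read "gracefully fall back".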