- (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange

   methods.  When the openssl version doesn't support ECDH then next one on
   the list is DH group exchange, but that causes a bit more traffic which can
   mean that the tests flip bits in the initial exchange rather than the MACed
   traffic and we get different errors to what the tests look for.

2 files changed, 10 insertions, 0 deletions

diff --git a/ChangeLog b/ChangeLog
index 61601f6ba..2f6572779 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -44,6 +44,11 @@
      add tests for RekeyLimit parsing
  - (dtucker) [regress/bsd.regress.mk] Remove unused file.  We've never used it
    in portable and it's long gone in openbsd.
+ - (dtucker) [regress/integrity.sh].  Force fixed Diffie-Hellman key exchange
+   methods.  When the openssl version doesn't support ECDH then next one on
+   the list is DH group exchange, but that causes a bit more traffic which can
+   mean that the tests flip bits in the initial exchange rather than the MACed
+   traffic and we get different errors to what the tests look for.
 
 20130516
  - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be 
diff --git a/regress/integrity.sh b/regress/integrity.sh
index 3950b7d1f..2621a0025 100644
--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@@ -21,6 +21,11 @@ config_defined HAVE_EVP_SHA256 &&
 config_defined OPENSSL_HAVE_EVPGCM && \
         macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com"
 
+# avoid DH group exchange as the extra traffic makes it harder to get the
+# offset into the stream right.
+echo "KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" \
+        >> $OBJ/ssh_proxy
+
 # sshd-command for proxy (see test-exec.sh)
 cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy"