From ca108139a702a834a221cb061ab56f10a8d72260 Mon Sep 17 00:00:00 2001
From: Lain Iwakura
Date: Thu, 24 Jul 2025 06:15:38 +0300
Subject: [PATCH] upd
---
 kex.c | 10 ++++++++--
 regress/terrapin-protection.sh | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100755 regress/terrapin-protection.sh
diff --git a/kex.c b/kex.c
index 6b957e5..c310017 100644
--- a/kex.c
+++ b/kex.c
@@ -793,7 +793,7 @@ kex_start_rekex(struct ssh *ssh)
 }
 
 static int
-choose_enc(struct sshenc *enc, char *client, char *server)
+choose_enc(struct ssh *ssh, struct sshenc *enc, char *client, char *server)
 {
 char *name = match_list(client, server, NULL);
 
@@ -804,6 +804,12 @@ choose_enc(struct sshenc *enc, char *client, char *server)
 free(name);
 return SSH_ERR_INTERNAL_ERROR;
 }
+ if (strcmp(name, "chacha20-poly1305@openssh.com") == 0 &&
+ !ssh->kex->kex_strict) {
+ error_f("chacha20-poly1305@openssh.com requires kex-strict for Terrapin protection");
+ free(name);
+ return SSH_ERR_NO_CIPHER_ALG_MATCH;
+ }
 enc->name = name;
 enc->enabled = 0;
 enc->iv = NULL;
@@ -1002,7 +1008,7 @@ kex_choose_conf(struct ssh *ssh, uint32_t seq)
 nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
 nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
 ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
- if ((r = choose_enc(&newkeys->enc, cprop[nenc],
+ if ((r = choose_enc(ssh, &newkeys->enc, cprop[nenc],
 sprop[nenc])) != 0) {
 kex->failed_choice = peer[nenc];
 peer[nenc] = NULL;
diff --git a/regress/terrapin-protection.sh b/regress/terrapin-protection.sh
new file mode 100755
index 0000000..ce92368
--- /dev/null
+++ b/regress/terrapin-protection.sh
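Review bot: The guard added to choose_enc in the second kex.c hunk covers only `chacha20-poly1305@openssh.com`, but the Terrapin prefix-truncation weakness also applies to CBC ciphers paired with `-etm@openssh.com` MACs, and those still negotiate without strict KEX after this change. choose_enc never sees the MAC, so the matching check belongs in kex_choose_conf once the MAC has been chosen, along the lines of `if (!kex->kex_strict && newkeys->mac.etm && cipher_is_cbc(newkeys->enc.cipher))` (assuming those helpers are available in this tree). Returning `SSH_ERR_NO_CIPHER_ALG_MATCH` makes the caller in the third hunk record `failed_choice` and report a cipher mismatch, which hides that this was a policy rejection; because the rejected name is the first mutual match, peers without strict KEX now fail outright instead of falling back, and that deserves a comment above the check such as `/* fail closed: peer without strict KEX would still select this cipher */`. The hunk does not show where `kex_strict` is assigned, so confirm it is set before this call on both the initial exchange and on rekey. The body of choose_enc continues outside the hunk.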
@@ -0,0 +1,33 @@
+# $OpenBSD: terrapin-protection.sh,v 1.1 2025/07/24 14:06:42 djm Exp $
+# Placed in the Public Domain.
+
+tid="terrapin protection"
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+trace "test $tid: chacha20-poly1305 without kex-strict should fail"
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "Ciphers=chacha20-poly1305@openssh.com" >> $OBJ/sshd_proxy
+echo "KexAlgorithms=curve25519-sha256" >> $OBJ/sshd_proxy
+${SSH} -F $OBJ/ssh_proxy -c chacha20-poly1305@openssh.com somehost true
+if [ $? -eq 0 ]; then
+ fail "ssh succeeded with chacha20-poly1305 without kex-strict"
+fi
+
+trace "test $tid: chacha20-poly1305 with kex-strict should succeed"
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "Ciphers=chacha20-poly1305@openssh.com" >> $OBJ/sshd_proxy
+echo "KexAlgorithms=curve25519-sha256,kex-strict-s-v00@openssh.com" >> $OBJ/sshd_proxy
+${SSH} -F $OBJ/ssh_proxy -c chacha20-poly1305@openssh.com somehost true
+if [ $? -ne 0 ]; then
+ fail "ssh failed with chacha20-poly1305 with kex-strict"
+fi
+
+trace "test $tid: other ciphers without kex-strict should succeed"
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "Ciphers=aes256-gcm@openssh.com" >> $OBJ/sshd_proxy
+echo "KexAlgorithms=curve25519-sha256" >> $OBJ/sshd_proxy
+${SSH} -F $OBJ/ssh_proxy -c aes256-gcm@openssh.com somehost true
+if [ $? -ne 0 ]; then
+ fail "ssh failed with aes256-gcm without kex-strict"
+fi
\ No newline at end of file
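Review bot: The first case passes on any ssh failure, so it does not show that the new check in choose_enc is what refused the connection; it should also look for the `requires kex-strict` message in the test log before counting the failure as a pass. The `KexAlgorithms` lines look like the wrong switch for strict KEX: in upstream OpenSSH the `kex-strict-*-v00@openssh.com` markers are appended to the KEXINIT proposal by the code rather than set in configuration, so `KexAlgorithms=curve25519-sha256` probably leaves strict KEX enabled and the value containing `kex-strict-s-v00@openssh.com` may be rejected as an unknown algorithm; this needs confirming against this tree. The `$OpenBSD$` ident crediting djm does not match the patch author and should be dropped unless the file really came from upstream, since it suggests a provenance the commit does not show.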