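#	$OpenBSD: terrapin-protection.sh,v 1.1 2025/07/24 14:06:42 djm Exp $
#	Placed in the Public Domain.

# Regression test for the client-side Terrapin (CVE-2023-48795) mitigation.
#
# Terrapin is a prefix-truncation attack on the SSH transport.  It is
# exploitable with chacha20-poly1305@openssh.com (and with CBC ciphers in
# encrypt-then-MAC mode, which this test does not cover) unless both peers
# negotiate "strict KEX".  The client is therefore expected to:
#   1. refuse chacha20-poly1305@openssh.com against a server that does not
#      advertise kex-strict-s-v00@openssh.com;
#   2. still accept it from a server that does advertise strict KEX;
#   3. leave other ciphers (aes256-gcm@openssh.com here) usable against a
#      non-strict server, so the refusal is cipher-specific.
#
# Relies on the test-exec.sh environment: $OBJ, ${SSH}, trace and fail.
# fail records the failure but does not exit, so every case below runs.

tid="terrapin protection"

# Keep a pristine copy of the server config; each case appends to a fresh copy.
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# configure_server CIPHERS KEXALGS
#   Restore the pristine sshd_proxy and pin the server's Ciphers and
#   KexAlgorithms.  Strict KEX is "disabled" on the server side by leaving
#   kex-strict-s-v00@openssh.com out of KEXALGS.
#   NOTE(review): this assumes sshd honours a KexAlgorithms list that omits
#   the strict-KEX pseudo-algorithm instead of appending it itself; confirm
#   against the sshd under test, otherwise the first case exercises nothing.
configure_server() {
	cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
	echo "Ciphers=$1" >> "$OBJ/sshd_proxy"
	echo "KexAlgorithms=$2" >> "$OBJ/sshd_proxy"
}

# try_cipher CIPHER
#   Run a trivial remote command through the proxied server with the given
#   client cipher forced on the command line (overrides ssh_proxy's Ciphers).
#   Returns ssh's exit status.
try_cipher() {
	${SSH} -F "$OBJ/ssh_proxy" -c "$1" somehost true
}

trace "test $tid: chacha20-poly1305 without kex-strict should fail"
configure_server chacha20-poly1305@openssh.com curve25519-sha256
# Any non-zero exit satisfies this case, so on its own it cannot tell the
# intended client-side refusal from an unrelated setup failure; the
# aes256-gcm control case below is what catches a broken configuration.
if try_cipher chacha20-poly1305@openssh.com; then
	fail "ssh succeeded with chacha20-poly1305 without kex-strict"
fi

trace "test $tid: chacha20-poly1305 with kex-strict should succeed"
configure_server chacha20-poly1305@openssh.com \
    curve25519-sha256,kex-strict-s-v00@openssh.com
if ! try_cipher chacha20-poly1305@openssh.com; then
	fail "ssh failed with chacha20-poly1305 with kex-strict"
fi

trace "test $tid: other ciphers without kex-strict should succeed"
# Control: same non-strict server, but a cipher that is not Terrapin-affected
# must still connect, proving the refusal above is specific to chacha20.
configure_server aes256-gcm@openssh.com curve25519-sha256
if ! try_cipher aes256-gcm@openssh.com; then
	fail "ssh failed with aes256-gcm without kex-strict"
fi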