upstream commit

regression test for known_host file editing using ssh-keygen (-H / -R / -F) after hostkeys_foreach() change; feedback and ok markus@
author: djm@openbsd.org <djm@openbsd.org> 2015-01-18 22:00:18 +0000
committer: Damien Miller <djm@mindrot.org> 2015-01-20 00:26:13 +1100
commit: 7947810eab5fe0ad311f32a48f4d4eb1f71be6cf (patch)
tree: c1513f6abec3b307d01567e13326b3c2512cf5da
parent: 3a2b09d147a565d8a47edf37491e149a02c0d3a3 (diff)
2 files changed, 202 insertions, 3 deletions
diff --git a/regress/Makefile b/regress/Makefile
index 23f1cbc9a..1c02aa819 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.75 2015/01/18 19:47:55 djm Exp $
+#       $OpenBSD: Makefile,v 1.76 2015/01/18 22:00:18 djm Exp $
 REGRESS_TARGETS=        unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
 tests:          $(REGRESS_TARGETS)
@@ -67,7 +67,8 @@ LTESTS= 	connect \
                krl \
                multipubkey \
                limit-keytype \
-                hostkey-agent
+                hostkey-agent \
+                keygen-knownhosts
 #               dhgex \
@@ -97,7 +98,8 @@ CLEANFILES=	t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
                regress.log failed-regress.log ssh-log-wrapper.sh \
                sftp-server.sh sftp-server.log sftp.log setuid-allowed \
                data ed25519-agent ed25519-agent.pub key.ed25519-512 \
-                key.ed25519-512.pub netcat host_krl_* host_revoked_* user_*key*
+                key.ed25519-512.pub netcat host_krl_* host_revoked_* \
+                kh.* user_*key*
 SUDO_CLEAN+=    /var/run/testdata_${USER} /var/run/keycommand_${USER}
diff --git a/regress/keygen-knownhosts.sh b/regress/keygen-knownhosts.sh
new file mode 100644
index 000000000..35a5ea499
--- /dev/null
+++ b/regress/keygen-knownhosts.sh
@@ -0,0 +1,197 @@
+#       $OpenBSD: keygen-knownhosts.sh,v 1.1 2015/01/18 22:00:18 djm Exp $
+#       Placed in the Public Domain.
+tid="ssh-keygen known_hosts"
+rm -f $OBJ/kh.*
+# Generate some keys for testing (just ed25519 for speed) and make a hosts file.
+for x in host-a host-b host-c host-d host-e host-f host-a2 host-b2; do
+        ${SSHKEYGEN} -qt ed25519 -f $OBJ/kh.$x -C "$x" -N "" || \
+                fatal "ssh-keygen failed"
+        # Add a comment that we expect should be preserved.
+        echo "# $x" >> $OBJ/kh.hosts
+        (
+                case "$x" in
+                host-a|host-b)  echo -n "$x " ;;
+                host-c)         echo -n "@cert-authority $x " ;;
+                host-d)         echo -n "@revoked $x " ;;
+                host-e)         echo -n "host-e* " ;;
+                host-f)         echo -n "host-f,host-g,host-h " ;;
+                host-a2)        echo -n "host-a " ;;
+                host-b2)        echo -n "host-b " ;;
+                esac
+                cat $OBJ/kh.${x}.pub
+                # Blank line should be preserved.
+                echo "" >> $OBJ/kh.hosts
+        ) >> $OBJ/kh.hosts
+done
+# Generate a variant with an invalid line. We'll use this for most tests,
+# because keygen should be able to cope and it should be preserved in any
+# output file.
+cat $OBJ/kh.hosts >> $OBJ/kh.invalid
+echo "host-i " >> $OBJ/kh.invalid
+cp $OBJ/kh.invalid $OBJ/kh.invalid.orig
+cp $OBJ/kh.hosts $OBJ/kh.hosts.orig
+expect_key() {
+        _host=$1
+        _hosts=$2
+        _key=$3
+        _line=$4
+        _mark=$5
+        _marker=""
+        test "x$_mark" = "xCA" && _marker="@cert-authority "
+        test "x$_mark" = "xREVOKED" && _marker="@revoked "
+        test "x$_line" != "x" &&
+            echo "# Host $_host found: line $_line $_mark" >> $OBJ/kh.expect
+        echo -n "${_marker}$_hosts " >> $OBJ/kh.expect
+        cat $OBJ/kh.${_key}.pub >> $OBJ/kh.expect ||
+            fatal "${_key}.pub missing"
+}
+check_find() {
+        _host=$1
+        _name=$2
+        _keygenopt=$3
+        ${SSHKEYGEN} $_keygenopt -f $OBJ/kh.invalid -F $_host > $OBJ/kh.result
+        if ! diff -uw $OBJ/kh.expect $OBJ/kh.result ; then
+                fail "didn't find $_name"
+        fi
+}
+# Find key
+rm -f $OBJ/kh.expect
+expect_key host-a host-a host-a 2
+expect_key host-a host-a host-a2 20
+check_find host-a "simple find"
+# find CA key
+rm -f $OBJ/kh.expect
+expect_key host-c host-c host-c 8 CA
+check_find host-c "find CA key"
+# find revoked key
+rm -f $OBJ/kh.expect
+expect_key host-d host-d host-d 11 REVOKED
+check_find host-d "find revoked key"
+# find key with wildcard
+rm -f $OBJ/kh.expect
+expect_key host-e.somedomain "host-e*" host-e 14
+check_find host-e.somedomain "find wildcard key"
+# find key among multiple hosts
+rm -f $OBJ/kh.expect
+expect_key host-h "host-f,host-g,host-h " host-f 17
+check_find host-h "find multiple hosts"
+check_hashed_find() {
+        _host=$1
+        _name=$2
+        _file=$3
+        test "x$_file" = "x" && _file=$OBJ/kh.invalid
+        ${SSHKEYGEN} -f $_file -HF $_host | grep '|1|' | \
+            sed "s/^[^ ]*/$_host/" > $OBJ/kh.result
+        if ! diff -uw $OBJ/kh.expect $OBJ/kh.result ; then
+                fail "didn't find $_name"
+        fi
+}
+# Find key and hash
+rm -f $OBJ/kh.expect
+expect_key host-a host-a host-a
+expect_key host-a host-a host-a2
+check_hashed_find host-a "find simple and hash"
+# Find CA key and hash
+rm -f $OBJ/kh.expect
+expect_key host-c host-c host-c "" CA
+# CA key output is not hashed.
+check_find host-c "find simple and hash" -H
+# Find revoked key and hash
+rm -f $OBJ/kh.expect
+expect_key host-d host-d host-d "" REVOKED
+# Revoked key output is not hashed.
+check_find host-d "find simple and hash" -H
+# find key with wildcard and hash
+rm -f $OBJ/kh.expect
+expect_key host-e "host-e*" host-e ""
+# Key with wildcard hostname should not be hashed.
+check_find host-e "find wildcard key" -H
+# find key among multiple hosts
+rm -f $OBJ/kh.expect
+# Comma-separated hostnames should be expanded and hashed.
+expect_key host-f "host-h " host-f
+expect_key host-g "host-h " host-f
+expect_key host-h "host-h " host-f
+check_hashed_find host-h "find multiple hosts"
+# Attempt remove key on invalid file.
+cp $OBJ/kh.invalid.orig $OBJ/kh.invalid
+${SSHKEYGEN} -qf $OBJ/kh.invalid -R host-a 2>/dev/null
+diff -u $OBJ/kh.invalid $OBJ/kh.invalid.orig || fail "remove on invalid succeeded"
+# Remove key
+cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
+${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-a 2>/dev/null
+grep -v "^host-a " $OBJ/kh.hosts.orig > $OBJ/kh.expect
+diff -u $OBJ/kh.hosts $OBJ/kh.expect || fail "remove simple"
+# Remove CA key
+cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
+${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-c 2>/dev/null
+# CA key should not be removed.
+diff -u $OBJ/kh.hosts $OBJ/kh.hosts.orig || fail "remove CA"
+# Remove revoked key
+cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
+${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-d 2>/dev/null
+# revoked key should not be removed.
+diff -u $OBJ/kh.hosts $OBJ/kh.hosts.orig || fail "remove revoked"
+# Remove wildcard
+cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
+${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-e.blahblah 2>/dev/null
+grep -v "^host-e[*] " $OBJ/kh.hosts.orig > $OBJ/kh.expect
+diff -u $OBJ/kh.hosts $OBJ/kh.expect || fail "remove wildcard"
+# Remove multiple
+cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
+${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-h 2>/dev/null
+grep -v "^host-f," $OBJ/kh.hosts.orig > $OBJ/kh.expect
+diff -u $OBJ/kh.hosts $OBJ/kh.expect || fail "remove wildcard"
+# Attempt hash on invalid file
+cp $OBJ/kh.invalid.orig $OBJ/kh.invalid
+${SSHKEYGEN} -qf $OBJ/kh.invalid -H 2>/dev/null && fail "hash invalid succeeded"
+diff -u $OBJ/kh.invalid $OBJ/kh.invalid.orig || fail "invalid file modified"
+# Hash valid file
+cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
+${SSHKEYGEN} -qf $OBJ/kh.hosts -H 2>/dev/null || fail "hash failed"
+diff -u $OBJ/kh.hosts.old $OBJ/kh.hosts.orig || fail "backup differs"
+grep "^host-[abfgh]" $OBJ/kh.hosts && fail "original hostnames persist"
+cp $OBJ/kh.hosts $OBJ/kh.hashed.orig
+# Test lookup
+rm -f $OBJ/kh.expect
+expect_key host-a host-a host-a
+expect_key host-a host-a host-a2
+check_hashed_find host-a "find simple in hashed" $OBJ/kh.hosts
+# Test multiple expanded
+rm -f $OBJ/kh.expect
+expect_key host-h host-h host-f
+check_hashed_find host-h "find simple in hashed" $OBJ/kh.hosts
+# Test remove
+cp $OBJ/kh.hashed.orig $OBJ/kh.hashed
+${SSHKEYGEN} -qf $OBJ/kh.hashed -R host-a 2>/dev/null
+${SSHKEYGEN} -qf $OBJ/kh.hashed -F host-a && fail "found key after hashed remove"
author	djm@openbsd.org <djm@openbsd.org>	2015-01-18 22:00:18 +0000
committer	Damien Miller <djm@mindrot.org>	2015-01-20 00:26:13 +1100
commit	7947810eab5fe0ad311f32a48f4d4eb1f71be6cf (patch)
tree	c1513f6abec3b307d01567e13326b3c2512cf5da
parent	3a2b09d147a565d8a47edf37491e149a02c0d3a3 (diff)

diff --git a/regress/Makefile b/regress/Makefile index 23f1cbc9a..1c02aa819 100644 --- a/regress/Makefile +++ b/regress/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.75 2015/01/18 19:47:55 djm Exp $	1	# $OpenBSD: Makefile,v 1.76 2015/01/18 22:00:18 djm Exp $
2		2
3	REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec	3	REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
4	tests: $(REGRESS_TARGETS)	4	tests: $(REGRESS_TARGETS)
@@ -67,7 +67,8 @@ LTESTS= connect \
67	krl \	67	krl \
68	multipubkey \	68	multipubkey \
69	limit-keytype \	69	limit-keytype \
70	hostkey-agent	70	hostkey-agent \
		71	keygen-knownhosts
71		72
72		73
73	# dhgex \	74	# dhgex \
@@ -97,7 +98,8 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
97	regress.log failed-regress.log ssh-log-wrapper.sh \	98	regress.log failed-regress.log ssh-log-wrapper.sh \
98	sftp-server.sh sftp-server.log sftp.log setuid-allowed \	99	sftp-server.sh sftp-server.log sftp.log setuid-allowed \
99	data ed25519-agent ed25519-agent.pub key.ed25519-512 \	100	data ed25519-agent ed25519-agent.pub key.ed25519-512 \
100	key.ed25519-512.pub netcat host_krl_* host_revoked_* user_key	101	key.ed25519-512.pub netcat host_krl_* host_revoked_* \
		102	kh.* user_key
101		103
102	SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER}	104	SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER}
103		105


diff --git a/regress/keygen-knownhosts.sh b/regress/keygen-knownhosts.sh new file mode 100644 index 000000000..35a5ea499 --- /dev/null +++ b/regress/keygen-knownhosts.sh
@@ -0,0 +1,197 @@
		1	# $OpenBSD: keygen-knownhosts.sh,v 1.1 2015/01/18 22:00:18 djm Exp $
		2	# Placed in the Public Domain.
		3
		4	tid="ssh-keygen known_hosts"
		5
		6	rm -f $OBJ/kh.*
		7
		8	# Generate some keys for testing (just ed25519 for speed) and make a hosts file.
		9	for x in host-a host-b host-c host-d host-e host-f host-a2 host-b2; do
		10	${SSHKEYGEN} -qt ed25519 -f $OBJ/kh.$x -C "$x" -N "" \|\| \
		11	fatal "ssh-keygen failed"
		12	# Add a comment that we expect should be preserved.
		13	echo "# $x" >> $OBJ/kh.hosts
		14	(
		15	case "$x" in
		16	host-a\|host-b) echo -n "$x " ;;
		17	host-c) echo -n "@cert-authority $x " ;;
		18	host-d) echo -n "@revoked $x " ;;
		19	host-e) echo -n "host-e* " ;;
		20	host-f) echo -n "host-f,host-g,host-h " ;;
		21	host-a2) echo -n "host-a " ;;
		22	host-b2) echo -n "host-b " ;;
		23	esac
		24	cat $OBJ/kh.${x}.pub
		25	# Blank line should be preserved.
		26	echo "" >> $OBJ/kh.hosts
		27	) >> $OBJ/kh.hosts
		28	done
		29
		30	# Generate a variant with an invalid line. We'll use this for most tests,
		31	# because keygen should be able to cope and it should be preserved in any
		32	# output file.
		33	cat $OBJ/kh.hosts >> $OBJ/kh.invalid
		34	echo "host-i " >> $OBJ/kh.invalid
		35
		36	cp $OBJ/kh.invalid $OBJ/kh.invalid.orig
		37	cp $OBJ/kh.hosts $OBJ/kh.hosts.orig
		38
		39	expect_key() {
		40	_host=$1
		41	_hosts=$2
		42	_key=$3
		43	_line=$4
		44	_mark=$5
		45	_marker=""
		46	test "x$_mark" = "xCA" && _marker="@cert-authority "
		47	test "x$_mark" = "xREVOKED" && _marker="@revoked "
		48	test "x$_line" != "x" &&
		49	echo "# Host $_host found: line $_line $_mark" >> $OBJ/kh.expect
		50	echo -n "${_marker}$_hosts " >> $OBJ/kh.expect
		51	cat $OBJ/kh.${_key}.pub >> $OBJ/kh.expect \|\|
		52	fatal "${_key}.pub missing"
		53	}
		54
		55	check_find() {
		56	_host=$1
		57	_name=$2
		58	_keygenopt=$3
		59	${SSHKEYGEN} $_keygenopt -f $OBJ/kh.invalid -F $_host > $OBJ/kh.result
		60	if ! diff -uw $OBJ/kh.expect $OBJ/kh.result ; then
		61	fail "didn't find $_name"
		62	fi
		63	}
		64
		65	# Find key
		66	rm -f $OBJ/kh.expect
		67	expect_key host-a host-a host-a 2
		68	expect_key host-a host-a host-a2 20
		69	check_find host-a "simple find"
		70
		71	# find CA key
		72	rm -f $OBJ/kh.expect
		73	expect_key host-c host-c host-c 8 CA
		74	check_find host-c "find CA key"
		75
		76	# find revoked key
		77	rm -f $OBJ/kh.expect
		78	expect_key host-d host-d host-d 11 REVOKED
		79	check_find host-d "find revoked key"
		80
		81	# find key with wildcard
		82	rm -f $OBJ/kh.expect
		83	expect_key host-e.somedomain "host-e*" host-e 14
		84	check_find host-e.somedomain "find wildcard key"
		85
		86	# find key among multiple hosts
		87	rm -f $OBJ/kh.expect
		88	expect_key host-h "host-f,host-g,host-h " host-f 17
		89	check_find host-h "find multiple hosts"
		90
		91	check_hashed_find() {
		92	_host=$1
		93	_name=$2
		94	_file=$3
		95	test "x$_file" = "x" && _file=$OBJ/kh.invalid
		96	${SSHKEYGEN} -f $_file -HF $_host \| grep '\|1\|' \| \
		97	sed "s/^[^ ]*/$_host/" > $OBJ/kh.result
		98	if ! diff -uw $OBJ/kh.expect $OBJ/kh.result ; then
		99	fail "didn't find $_name"
		100	fi
		101	}
		102
		103	# Find key and hash
		104	rm -f $OBJ/kh.expect
		105	expect_key host-a host-a host-a
		106	expect_key host-a host-a host-a2
		107	check_hashed_find host-a "find simple and hash"
		108
		109	# Find CA key and hash
		110	rm -f $OBJ/kh.expect
		111	expect_key host-c host-c host-c "" CA
		112	# CA key output is not hashed.
		113	check_find host-c "find simple and hash" -H
		114
		115	# Find revoked key and hash
		116	rm -f $OBJ/kh.expect
		117	expect_key host-d host-d host-d "" REVOKED
		118	# Revoked key output is not hashed.
		119	check_find host-d "find simple and hash" -H
		120
		121	# find key with wildcard and hash
		122	rm -f $OBJ/kh.expect
		123	expect_key host-e "host-e*" host-e ""
		124	# Key with wildcard hostname should not be hashed.
		125	check_find host-e "find wildcard key" -H
		126
		127	# find key among multiple hosts
		128	rm -f $OBJ/kh.expect
		129	# Comma-separated hostnames should be expanded and hashed.
		130	expect_key host-f "host-h " host-f
		131	expect_key host-g "host-h " host-f
		132	expect_key host-h "host-h " host-f
		133	check_hashed_find host-h "find multiple hosts"
		134
		135	# Attempt remove key on invalid file.
		136	cp $OBJ/kh.invalid.orig $OBJ/kh.invalid
		137	${SSHKEYGEN} -qf $OBJ/kh.invalid -R host-a 2>/dev/null
		138	diff -u $OBJ/kh.invalid $OBJ/kh.invalid.orig \|\| fail "remove on invalid succeeded"
		139
		140	# Remove key
		141	cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
		142	${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-a 2>/dev/null
		143	grep -v "^host-a " $OBJ/kh.hosts.orig > $OBJ/kh.expect
		144	diff -u $OBJ/kh.hosts $OBJ/kh.expect \|\| fail "remove simple"
		145
		146	# Remove CA key
		147	cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
		148	${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-c 2>/dev/null
		149	# CA key should not be removed.
		150	diff -u $OBJ/kh.hosts $OBJ/kh.hosts.orig \|\| fail "remove CA"
		151
		152	# Remove revoked key
		153	cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
		154	${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-d 2>/dev/null
		155	# revoked key should not be removed.
		156	diff -u $OBJ/kh.hosts $OBJ/kh.hosts.orig \|\| fail "remove revoked"
		157
		158	# Remove wildcard
		159	cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
		160	${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-e.blahblah 2>/dev/null
		161	grep -v "^host-e[*] " $OBJ/kh.hosts.orig > $OBJ/kh.expect
		162	diff -u $OBJ/kh.hosts $OBJ/kh.expect \|\| fail "remove wildcard"
		163
		164	# Remove multiple
		165	cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
		166	${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-h 2>/dev/null
		167	grep -v "^host-f," $OBJ/kh.hosts.orig > $OBJ/kh.expect
		168	diff -u $OBJ/kh.hosts $OBJ/kh.expect \|\| fail "remove wildcard"
		169
		170	# Attempt hash on invalid file
		171	cp $OBJ/kh.invalid.orig $OBJ/kh.invalid
		172	${SSHKEYGEN} -qf $OBJ/kh.invalid -H 2>/dev/null && fail "hash invalid succeeded"
		173	diff -u $OBJ/kh.invalid $OBJ/kh.invalid.orig \|\| fail "invalid file modified"
		174
		175	# Hash valid file
		176	cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
		177	${SSHKEYGEN} -qf $OBJ/kh.hosts -H 2>/dev/null \|\| fail "hash failed"
		178	diff -u $OBJ/kh.hosts.old $OBJ/kh.hosts.orig \|\| fail "backup differs"
		179	grep "^host-[abfgh]" $OBJ/kh.hosts && fail "original hostnames persist"
		180
		181	cp $OBJ/kh.hosts $OBJ/kh.hashed.orig
		182
		183	# Test lookup
		184	rm -f $OBJ/kh.expect
		185	expect_key host-a host-a host-a
		186	expect_key host-a host-a host-a2
		187	check_hashed_find host-a "find simple in hashed" $OBJ/kh.hosts
		188
		189	# Test multiple expanded
		190	rm -f $OBJ/kh.expect
		191	expect_key host-h host-h host-f
		192	check_hashed_find host-h "find simple in hashed" $OBJ/kh.hosts
		193
		194	# Test remove
		195	cp $OBJ/kh.hashed.orig $OBJ/kh.hashed
		196	${SSHKEYGEN} -qf $OBJ/kh.hashed -R host-a 2>/dev/null
		197	${SSHKEYGEN} -qf $OBJ/kh.hashed -F host-a && fail "found key after hashed remove"