upstream commit

eliminate explicit specification of protocol in tests and loops over protocol. We only support SSHv2 now. Upstream-Regress-ID: 0082838a9b8a382b7ee9cbf0c1b9db727784fadd
author: djm@openbsd.org <djm@openbsd.org> 2017-04-30 23:34:55 +0000
committer: Damien Miller <djm@mindrot.org> 2017-05-01 11:59:42 +1000
commit: dd369320d2435b630a5974ab270d686dcd92d024 (patch)
tree: 97ae4bb34d835fbafad12180862195a9e9192d28 /regress/cert-file.sh
parent: 557f921aad004be15805e09fd9572969eb3d9321 (diff)
1 files changed, 64 insertions, 67 deletions
diff --git a/regress/cert-file.sh b/regress/cert-file.sh
index 43b8e0201..8fd62c773 100644
--- a/regress/cert-file.sh
+++ b/regress/cert-file.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-file.sh,v 1.5 2017/03/11 23:44:16 djm Exp $
+#       $OpenBSD: cert-file.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
 #       Placed in the Public Domain.
 tid="ssh with certificates"
@@ -54,66 +54,64 @@ cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config
 # XXX: verify that certificate used was what we expect. Needs exposure of
 # keys via enviornment variable or similar.
-for p in ${SSH_PROTOCOLS}; do
        # Key with no .pub should work - finding the equivalent *-cert.pub.
-        verbose "protocol $p: identity cert with no plain public file"
+verbose "identity cert with no plain public file"
-        ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
+${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
-            -i $OBJ/user_key3 somehost exit 5$p
+    -i $OBJ/user_key3 somehost exit 52
-        [ $? -ne 5$p ] && fail "ssh failed"
+[ $? -ne 52 ] && fail "ssh failed"
-        # CertificateFile matching private key with no .pub file should work.
+# CertificateFile matching private key with no .pub file should work.
-        verbose "protocol $p: CertificateFile with no plain public file"
+verbose "CertificateFile with no plain public file"
-        ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
+${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
-            -oCertificateFile=$OBJ/user_key3-cert.pub \
+    -oCertificateFile=$OBJ/user_key3-cert.pub \
-            -i $OBJ/user_key3 somehost exit 5$p
+    -i $OBJ/user_key3 somehost exit 52
-        [ $? -ne 5$p ] && fail "ssh failed"
+[ $? -ne 52 ] && fail "ssh failed"
-        # Just keys should fail
+# Just keys should fail
-        verbose "protocol $p: plain keys"
+verbose "plain keys"
-        ${SSH} $opts2 somehost exit 5$p
+${SSH} $opts2 somehost exit 52
-        r=$?
+r=$?
-        if [ $r -eq 5$p ]; then
+if [ $r -eq 52 ]; then
-                fail "ssh succeeded with no certs in protocol $p"
+        fail "ssh succeeded with no certs"
-        fi
+fi
-        # Keys with untrusted cert should fail.
+# Keys with untrusted cert should fail.
-        verbose "protocol $p: untrusted cert"
+verbose "untrusted cert"
-        opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
+opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
-        ${SSH} $opts3 somehost exit 5$p
+${SSH} $opts3 somehost exit 52
-        r=$?
+r=$?
-        if [ $r -eq 5$p ]; then
+if [ $r -eq 52 ]; then
-                fail "ssh succeeded with bad cert in protocol $p"
+        fail "ssh succeeded with bad cert"
-        fi
+fi
-        # Good cert with bad key should fail.
+# Good cert with bad key should fail.
-        verbose "protocol $p: good cert, bad key"
+verbose "good cert, bad key"
-        opts3="$opts -i $OBJ/user_key2"
+opts3="$opts -i $OBJ/user_key2"
-        opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
-        ${SSH} $opts3 somehost exit 5$p
+${SSH} $opts3 somehost exit 52
-        r=$?
+r=$?
-        if [ $r -eq 5$p ]; then
+if [ $r -eq 52 ]; then
-                fail "ssh succeeded with no matching key in protocol $p"
+        fail "ssh succeeded with no matching key"
-        fi
+fi
-        # Keys with one trusted cert, should succeed.
+# Keys with one trusted cert, should succeed.
-        verbose "protocol $p: single trusted"
+verbose "single trusted"
-        opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
-        ${SSH} $opts3 somehost exit 5$p
+${SSH} $opts3 somehost exit 52
-        r=$?
+r=$?
-        if [ $r -ne 5$p ]; then
+if [ $r -ne 52 ]; then
-                fail "ssh failed with trusted cert and key in protocol $p"
+        fail "ssh failed with trusted cert and key"
-        fi
+fi
-        # Multiple certs and keys, with one trusted cert, should succeed.
+# Multiple certs and keys, with one trusted cert, should succeed.
-        verbose "protocol $p: multiple trusted"
+verbose "multiple trusted"
-        opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
+opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
-        opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
-        ${SSH} $opts3 somehost exit 5$p
+${SSH} $opts3 somehost exit 52
-        r=$?
+r=$?
-        if [ $r -ne 5$p ]; then
+if [ $r -ne 52 ]; then
-                fail "ssh failed with multiple certs in protocol $p"
+        fail "ssh failed with multiple certs"
-        fi
+fi
-done
 #next, using an agent in combination with the keys
 SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
@@ -139,26 +137,25 @@ if [ $? -ne 0 ]; then
 fi
 # try ssh with the agent and certificates
-# note: ssh agent only uses certificates in protocol 2
 opts="-F $OBJ/ssh_proxy"
 # with no certificates, shoud fail
-${SSH} -2 $opts somehost exit 52
+${SSH} $opts somehost exit 52
 if [ $? -eq 52 ]; then
-        fail "ssh connect with agent in protocol 2 succeeded with no cert"
+        fail "ssh connect with agent in succeeded with no cert"
 fi
 #with an untrusted certificate, should fail
 opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub"
-${SSH} -2 $opts somehost exit 52
+${SSH} $opts somehost exit 52
 if [ $? -eq 52 ]; then
-        fail "ssh connect with agent in protocol 2 succeeded with bad cert"
+        fail "ssh connect with agent in succeeded with bad cert"
 fi
 #with an additional trusted certificate, should succeed
 opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub"
-${SSH} -2 $opts somehost exit 52
+${SSH} $opts somehost exit 52
 if [ $? -ne 52 ]; then
-        fail "ssh connect with agent in protocol 2 failed with good cert"
+        fail "ssh connect with agent in failed with good cert"
 fi
 trace "kill agent"
author	djm@openbsd.org <djm@openbsd.org>	2017-04-30 23:34:55 +0000
committer	Damien Miller <djm@mindrot.org>	2017-05-01 11:59:42 +1000
commit	dd369320d2435b630a5974ab270d686dcd92d024 (patch)
tree	97ae4bb34d835fbafad12180862195a9e9192d28 /regress/cert-file.sh
parent	557f921aad004be15805e09fd9572969eb3d9321 (diff)

diff --git a/regress/cert-file.sh b/regress/cert-file.sh index 43b8e0201..8fd62c773 100644 --- a/regress/cert-file.sh +++ b/regress/cert-file.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-file.sh,v 1.5 2017/03/11 23:44:16 djm Exp $	1	# $OpenBSD: cert-file.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="ssh with certificates"	4	tid="ssh with certificates"
@@ -54,66 +54,64 @@ cat $OBJ/ssh_proxy \| grep -v IdentityFile > $OBJ/no_identity_config
54	# XXX: verify that certificate used was what we expect. Needs exposure of	54	# XXX: verify that certificate used was what we expect. Needs exposure of
55	# keys via enviornment variable or similar.	55	# keys via enviornment variable or similar.
56		56
57	for p in ${SSH_PROTOCOLS}; do
58	# Key with no .pub should work - finding the equivalent *-cert.pub.	57	# Key with no .pub should work - finding the equivalent *-cert.pub.
59	verbose "protocol $p: identity cert with no plain public file"	58	verbose "identity cert with no plain public file"
60	${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \	59	${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
61	-i $OBJ/user_key3 somehost exit 5$p	60	-i $OBJ/user_key3 somehost exit 52
62	[ $? -ne 5$p ] && fail "ssh failed"	61	[ $? -ne 52 ] && fail "ssh failed"
63		62
64	# CertificateFile matching private key with no .pub file should work.	63	# CertificateFile matching private key with no .pub file should work.
65	verbose "protocol $p: CertificateFile with no plain public file"	64	verbose "CertificateFile with no plain public file"
66	${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \	65	${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
67	-oCertificateFile=$OBJ/user_key3-cert.pub \	66	-oCertificateFile=$OBJ/user_key3-cert.pub \
68	-i $OBJ/user_key3 somehost exit 5$p	67	-i $OBJ/user_key3 somehost exit 52
69	[ $? -ne 5$p ] && fail "ssh failed"	68	[ $? -ne 52 ] && fail "ssh failed"
70		69
71	# Just keys should fail	70	# Just keys should fail
72	verbose "protocol $p: plain keys"	71	verbose "plain keys"
73	${SSH} $opts2 somehost exit 5$p	72	${SSH} $opts2 somehost exit 52
74	r=$?	73	r=$?
75	if [ $r -eq 5$p ]; then	74	if [ $r -eq 52 ]; then
76	fail "ssh succeeded with no certs in protocol $p"	75	fail "ssh succeeded with no certs"
77	fi	76	fi
78		77
79	# Keys with untrusted cert should fail.	78	# Keys with untrusted cert should fail.
80	verbose "protocol $p: untrusted cert"	79	verbose "untrusted cert"
81	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"	80	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
82	${SSH} $opts3 somehost exit 5$p	81	${SSH} $opts3 somehost exit 52
83	r=$?	82	r=$?
84	if [ $r -eq 5$p ]; then	83	if [ $r -eq 52 ]; then
85	fail "ssh succeeded with bad cert in protocol $p"	84	fail "ssh succeeded with bad cert"
86	fi	85	fi
87		86
88	# Good cert with bad key should fail.	87	# Good cert with bad key should fail.
89	verbose "protocol $p: good cert, bad key"	88	verbose "good cert, bad key"
90	opts3="$opts -i $OBJ/user_key2"	89	opts3="$opts -i $OBJ/user_key2"
91	opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"	90	opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
92	${SSH} $opts3 somehost exit 5$p	91	${SSH} $opts3 somehost exit 52
93	r=$?	92	r=$?
94	if [ $r -eq 5$p ]; then	93	if [ $r -eq 52 ]; then
95	fail "ssh succeeded with no matching key in protocol $p"	94	fail "ssh succeeded with no matching key"
96	fi	95	fi
97		96
98	# Keys with one trusted cert, should succeed.	97	# Keys with one trusted cert, should succeed.
99	verbose "protocol $p: single trusted"	98	verbose "single trusted"
100	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"	99	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
101	${SSH} $opts3 somehost exit 5$p	100	${SSH} $opts3 somehost exit 52
102	r=$?	101	r=$?
103	if [ $r -ne 5$p ]; then	102	if [ $r -ne 52 ]; then
104	fail "ssh failed with trusted cert and key in protocol $p"	103	fail "ssh failed with trusted cert and key"
105	fi	104	fi
106		105
107	# Multiple certs and keys, with one trusted cert, should succeed.	106	# Multiple certs and keys, with one trusted cert, should succeed.
108	verbose "protocol $p: multiple trusted"	107	verbose "multiple trusted"
109	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"	108	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
110	opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"	109	opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
111	${SSH} $opts3 somehost exit 5$p	110	${SSH} $opts3 somehost exit 52
112	r=$?	111	r=$?
113	if [ $r -ne 5$p ]; then	112	if [ $r -ne 52 ]; then
114	fail "ssh failed with multiple certs in protocol $p"	113	fail "ssh failed with multiple certs"
115	fi	114	fi
116	done
117		115
118	#next, using an agent in combination with the keys	116	#next, using an agent in combination with the keys
119	SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1	117	SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
@@ -139,26 +137,25 @@ if [ $? -ne 0 ]; then
139	fi	137	fi
140		138
141	# try ssh with the agent and certificates	139	# try ssh with the agent and certificates
142	# note: ssh agent only uses certificates in protocol 2
143	opts="-F $OBJ/ssh_proxy"	140	opts="-F $OBJ/ssh_proxy"
144	# with no certificates, shoud fail	141	# with no certificates, shoud fail
145	${SSH} -2 $opts somehost exit 52	142	${SSH} $opts somehost exit 52
146	if [ $? -eq 52 ]; then	143	if [ $? -eq 52 ]; then
147	fail "ssh connect with agent in protocol 2 succeeded with no cert"	144	fail "ssh connect with agent in succeeded with no cert"
148	fi	145	fi
149		146
150	#with an untrusted certificate, should fail	147	#with an untrusted certificate, should fail
151	opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub"	148	opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub"
152	${SSH} -2 $opts somehost exit 52	149	${SSH} $opts somehost exit 52
153	if [ $? -eq 52 ]; then	150	if [ $? -eq 52 ]; then
154	fail "ssh connect with agent in protocol 2 succeeded with bad cert"	151	fail "ssh connect with agent in succeeded with bad cert"
155	fi	152	fi
156		153
157	#with an additional trusted certificate, should succeed	154	#with an additional trusted certificate, should succeed
158	opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub"	155	opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub"
159	${SSH} -2 $opts somehost exit 52	156	${SSH} $opts somehost exit 52
160	if [ $? -ne 52 ]; then	157	if [ $? -ne 52 ]; then
161	fail "ssh connect with agent in protocol 2 failed with good cert"	158	fail "ssh connect with agent in failed with good cert"
162	fi	159	fi
163		160
164	trace "kill agent"	161	trace "kill agent"