summaryrefslogtreecommitdiff
path: root/regress
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2019-10-09 22:59:48 +0100
committerColin Watson <cjwatson@debian.org>2019-10-09 22:59:48 +0100
commit4213eec74e74de6310c27a40c3e9759a08a73996 (patch)
treee97a6dcafc6763aea7c804e4e113c2750cb1400d /regress
parent102062f825fb26a74295a1c089c00c4c4c76b68a (diff)
parentcdf1d0a9f5d18535e0a18ff34860e81a6d83aa5c (diff)
Import openssh_8.1p1.orig.tar.gz
Diffstat (limited to 'regress')
-rw-r--r--regress/Makefile38
-rw-r--r--regress/README.regress80
-rw-r--r--regress/agent-timeout.sh4
-rw-r--r--regress/agent.sh9
-rw-r--r--regress/cert-hostkey.sh12
-rw-r--r--regress/cert-userkey.sh19
-rw-r--r--regress/cfgmatch.sh49
-rw-r--r--regress/conch-ciphers.sh4
-rw-r--r--regress/dhgex.sh12
-rw-r--r--regress/forwarding.sh38
-rw-r--r--regress/hostkey-rotate.sh74
-rw-r--r--regress/integrity.sh4
-rw-r--r--regress/keygen-convert.sh12
-rw-r--r--regress/keygen-moduli.sh15
-rw-r--r--regress/keys-command.sh6
-rw-r--r--regress/keytype.sh12
-rw-r--r--regress/krl.sh31
-rw-r--r--regress/limit-keytype.sh56
-rw-r--r--regress/misc/fuzz-harness/Makefile16
-rw-r--r--regress/misc/fuzz-harness/sshsig_fuzz.cc35
-rw-r--r--regress/misc/fuzz-harness/sshsigopt_fuzz.cc29
-rw-r--r--regress/multiplex.sh10
-rw-r--r--regress/principals-command.sh11
-rw-r--r--regress/scp-ssh-wrapper.sh14
-rw-r--r--regress/scp.sh14
-rw-r--r--regress/sshcfgparse.sh29
-rw-r--r--regress/sshsig.sh196
-rw-r--r--regress/test-exec.sh51
-rw-r--r--regress/unittests/Makefile4
-rw-r--r--regress/unittests/bitmap/tests.c4
-rw-r--r--regress/unittests/conversion/tests.c4
-rw-r--r--regress/unittests/hostkeys/test_iterate.c28
-rw-r--r--regress/unittests/kex/test_kex.c12
-rw-r--r--regress/unittests/sshbuf/test_sshbuf_getput_basic.c231
-rw-r--r--regress/unittests/sshbuf/test_sshbuf_getput_crypto.c3
-rw-r--r--regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c8
-rw-r--r--regress/unittests/sshbuf/test_sshbuf_misc.c71
-rw-r--r--regress/unittests/sshbuf/tests.c2
-rw-r--r--regress/unittests/sshkey/common.c6
-rw-r--r--regress/unittests/sshkey/test_file.c8
-rw-r--r--regress/unittests/sshkey/test_fuzz.c14
-rw-r--r--regress/unittests/sshkey/test_sshkey.c42
-rw-r--r--regress/unittests/sshkey/testdata/ed25519_1_pw12
-rw-r--r--regress/unittests/test_helper/test_helper.c29
-rw-r--r--regress/unittests/test_helper/test_helper.h4
-rw-r--r--regress/unittests/utf8/tests.c2
46 files changed, 1140 insertions, 224 deletions
diff --git a/regress/Makefile b/regress/Makefile
index 925edf71a..34c47e8cb 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,7 +1,11 @@
1# $OpenBSD: Makefile,v 1.100 2019/01/20 23:24:19 djm Exp $ 1# $OpenBSD: Makefile,v 1.104 2019/09/03 08:37:45 djm Exp $
2 2
3REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec 3tests: prep file-tests t-exec unit
4tests: prep $(REGRESS_TARGETS) 4
5REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12
6
7# File based tests
8file-tests: $(REGRESS_TARGETS)
5 9
6# Interop tests are not run by default 10# Interop tests are not run by default
7interop interop-tests: t-exec-interop 11interop interop-tests: t-exec-interop
@@ -26,6 +30,7 @@ LTESTS= connect \
26 transfer \ 30 transfer \
27 banner \ 31 banner \
28 rekey \ 32 rekey \
33 dhgex \
29 stderr-data \ 34 stderr-data \
30 stderr-after-eof \ 35 stderr-after-eof \
31 broken-pipe \ 36 broken-pipe \
@@ -83,10 +88,10 @@ LTESTS= connect \
83 cert-file \ 88 cert-file \
84 cfginclude \ 89 cfginclude \
85 allow-deny-users \ 90 allow-deny-users \
86 authinfo 91 authinfo \
92 sshsig
87 93
88 94
89# dhgex \
90 95
91INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers 96INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
92#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp 97#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
@@ -102,18 +107,19 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
102 copy.1 copy.2 data ed25519-agent ed25519-agent* \ 107 copy.1 copy.2 data ed25519-agent ed25519-agent* \
103 ed25519-agent.pub ed25519 ed25519.pub empty.in \ 108 ed25519-agent.pub ed25519 ed25519.pub empty.in \
104 expect failed-regress.log failed-ssh.log failed-sshd.log \ 109 expect failed-regress.log failed-ssh.log failed-sshd.log \
105 hkr.* host.ed25519 host.rsa host.rsa1 host_* \ 110 hkr.* host.ecdsa-sha2-nistp256 host.ecdsa-sha2-nistp384 \
106 host_ca_key* host_krl_* host_revoked_* key.* \ 111 host.ecdsa-sha2-nistp521 host.ssh-dss host.ssh-ed25519 \
112 host.ssh-rsa host_ca_key* host_krl_* host_revoked_* key.* \
107 key.dsa-* key.ecdsa-* key.ed25519-512 \ 113 key.dsa-* key.ecdsa-* key.ed25519-512 \
108 key.ed25519-512.pub key.rsa-* keys-command-args kh.* \ 114 key.ed25519-512.pub key.rsa-* keys-command-args kh.* \
109 known_hosts known_hosts-cert known_hosts.* krl-* ls.copy \ 115 known_hosts known_hosts-cert known_hosts.* krl-* ls.copy \
110 modpipe netcat no_identity_config \ 116 modpipe netcat no_identity_config \
111 pidfile putty.rsa2 ready regress.log \ 117 pidfile putty.rsa2 ready regress.log remote_pid \
112 remote_pid revoked-* rsa rsa-agent rsa-agent.pub rsa.pub \ 118 revoked-* rsa rsa-agent rsa-agent.pub rsa.pub rsa_ssh2_cr.prv \
113 rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \
114 rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \ 119 rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
115 scp-ssh-wrapper.scp setuid-allowed sftp-server.log \ 120 scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
116 sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \ 121 sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
122 ssh-rsa_oldfmt \
117 ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \ 123 ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
118 ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \ 124 ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \
119 sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \ 125 sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \
@@ -204,8 +210,16 @@ t12: $(OBJ)/t12.out
204t-exec: ${LTESTS:=.sh} 210t-exec: ${LTESTS:=.sh}
205 @if [ "x$?" = "x" ]; then exit 0; fi; \ 211 @if [ "x$?" = "x" ]; then exit 0; fi; \
206 for TEST in ""$?; do \ 212 for TEST in ""$?; do \
207 echo "run test $${TEST}" ... 1>&2; \ 213 skip=no; \
208 (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ 214 for t in ""$${SKIP_LTESTS}; do \
215 if [ "x$${t}.sh" = "x$${TEST}" ]; then skip=yes; fi; \
216 done; \
217 if [ "x$${skip}" = "xno" ]; then \
218 echo "run test $${TEST}" ... 1>&2; \
219 (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
220 else \
221 echo skip test $${TEST} 1>&2; \
222 fi; \
209 done 223 done
210 224
211t-exec-interop: ${INTEROP_TESTS:=.sh} 225t-exec-interop: ${INTEROP_TESTS:=.sh}
diff --git a/regress/README.regress b/regress/README.regress
index 315fe149a..ac2e8487e 100644
--- a/regress/README.regress
+++ b/regress/README.regress
@@ -25,6 +25,7 @@ SUDO: path to sudo/doas command, if desired. Note that some systems
25 (notably systems using PAM) require sudo to execute some tests. 25 (notably systems using PAM) require sudo to execute some tests.
26LTESTS: Whitespace separated list of tests (filenames without the .sh 26LTESTS: Whitespace separated list of tests (filenames without the .sh
27 extension) to run. 27 extension) to run.
28SKIP_LTESTS: Whitespace separated list of tests to skip.
28OBJ: used by test scripts to access build dir. 29OBJ: used by test scripts to access build dir.
29TEST_SHELL: shell used for running the test scripts. 30TEST_SHELL: shell used for running the test scripts.
30TEST_SSH_FAIL_FATAL: set to "yes" to make any failure abort the test 31TEST_SSH_FAIL_FATAL: set to "yes" to make any failure abort the test
@@ -63,28 +64,79 @@ test-exec.sh: the main test driver. Sets environment, creates config files
63and keys and runs the specified test. 64and keys and runs the specified test.
64 65
65At the time of writing, the individual tests are: 66At the time of writing, the individual tests are:
66agent-timeout.sh: agent timeout test
67agent.sh: simple agent test
68broken-pipe.sh: broken pipe test
69connect-privsep.sh: proxy connect with privsep
70connect.sh: simple connect 67connect.sh: simple connect
68proxy-connect.sh: proxy connect
69connect-privsep.sh: proxy connect with privsep
70connect-uri.sh: uri connect
71proto-version.sh: sshd version with different protocol combinations
72proto-mismatch.sh: protocol version mismatch
71exit-status.sh: remote exit status 73exit-status.sh: remote exit status
72forwarding.sh: local and remote forwarding 74envpass.sh: environment passing
73keygen-change.sh: change passphrase for key 75transfer.sh: transfer data
76banner.sh: banner
77rekey.sh: rekey
78stderr-data.sh: stderr data transfer
79stderr-after-eof.sh: stderr data after eof
80broken-pipe.sh: broken pipe test
81try-ciphers.sh: try ciphers
82yes-head.sh: yes pipe head
83login-timeout.sh: connect after login grace timeout
84agent.sh: simple connect via agent
85agent-getpeereid.sh: disallow agent attach from other uid
86agent-timeout.sh: agent timeout test
87agent-ptrace.sh: disallow agent ptrace attach
74keyscan.sh: keyscan 88keyscan.sh: keyscan
75proto-mismatch.sh: protocol version mismatch 89keygen-change.sh: change passphrase for key
76proto-version.sh: sshd version with different protocol combinations 90keygen-convert.sh: convert keys
77proxy-connect.sh: proxy connect 91keygen-moduli.sh: keygen moduli
92key-options.sh: key options
93scp.sh: scp
94scp-uri.sh: scp-uri
78sftp.sh: basic sftp put/get 95sftp.sh: basic sftp put/get
96sftp-chroot.sh: sftp in chroot
97sftp-cmds.sh: sftp command
98sftp-badcmds.sh: sftp invalid commands
99sftp-batch.sh: sftp batchfile
100sftp-glob.sh: sftp glob
101sftp-perm.sh: sftp permissions
102sftp-uri.sh: sftp-uri
79ssh-com-client.sh: connect with ssh.com client 103ssh-com-client.sh: connect with ssh.com client
80ssh-com-keygen.sh: ssh.com key import 104ssh-com-keygen.sh: ssh.com key import
81ssh-com-sftp.sh: basic sftp put/get with ssh.com server 105ssh-com-sftp.sh: basic sftp put/get with ssh.com server
82ssh-com.sh: connect to ssh.com server 106ssh-com.sh: connect to ssh.com server
83stderr-after-eof.sh: stderr data after eof 107reconfigure.sh: simple connect after reconfigure
84stderr-data.sh: stderr data transfer 108dynamic-forward.sh: dynamic forwarding
85transfer.sh: transfer data 109forwarding.sh: local and remote forwarding
86try-ciphers.sh: try ciphers 110multiplex.sh: connection multiplexing
87yes-head.sh: yes pipe head 111reexec.sh: reexec tests
112brokenkeys.sh: broken keys
113sshcfgparse.sh: ssh config parse
114cfgparse.sh: sshd config parse
115cfgmatch.sh: sshd_config match
116cfgmatchlisten.sh: sshd_config matchlisten
117addrmatch.sh: address match
118localcommand.sh: localcommand
119forcecommand.sh: forced command
120portnum.sh: port number parsing
121keytype.sh: login with different key types
122kextype.sh: login with different key exchange algorithms
123cert-hostkey.sh certified host keys
124cert-userkey.sh: certified user keys
125host-expand.sh: expand %h and %n
126keys-command.sh: authorized keys from command
127forward-control.sh: sshd control of local and remote forwarding
128integrity.sh: integrity
129krl.sh: key revocation lists
130multipubkey.sh: multiple pubkey
131limit-keytype.sh: restrict pubkey type
132hostkey-agent.sh: hostkey agent
133keygen-knownhosts.sh: ssh-keygen known_hosts
134hostkey-rotate.sh: hostkey rotate
135principals-command.sh: authorized principals command
136cert-file.sh: ssh with certificates
137cfginclude.sh: config include
138allow-deny-users.sh: AllowUsers/DenyUsers
139authinfo.sh: authinfo
88 140
89 141
90Problems? 142Problems?
diff --git a/regress/agent-timeout.sh b/regress/agent-timeout.sh
index 80012f80c..311c7bcba 100644
--- a/regress/agent-timeout.sh
+++ b/regress/agent-timeout.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent-timeout.sh,v 1.4 2019/01/28 00:08:26 dtucker Exp $ 1# $OpenBSD: agent-timeout.sh,v 1.5 2019/09/03 08:37:06 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="agent timeout test" 4tid="agent timeout test"
@@ -14,7 +14,7 @@ else
14 trace "add keys with timeout" 14 trace "add keys with timeout"
15 keys=0 15 keys=0
16 for t in ${SSH_KEYTYPES}; do 16 for t in ${SSH_KEYTYPES}; do
17 ${SSHADD} -t ${SSHAGENT_TIMEOUT} $OBJ/$t > /dev/null 2>&1 17 ${SSHADD} -kt ${SSHAGENT_TIMEOUT} $OBJ/$t > /dev/null 2>&1
18 if [ $? -ne 0 ]; then 18 if [ $? -ne 0 ]; then
19 fail "ssh-add did succeed exit code 0" 19 fail "ssh-add did succeed exit code 0"
20 fi 20 fi
diff --git a/regress/agent.sh b/regress/agent.sh
index 788b02064..48fa12b0e 100644
--- a/regress/agent.sh
+++ b/regress/agent.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent.sh,v 1.14 2019/01/28 00:12:36 dtucker Exp $ 1# $OpenBSD: agent.sh,v 1.15 2019/07/23 07:39:43 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="simple agent test" 4tid="simple agent test"
@@ -27,9 +27,6 @@ ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \
27trace "overwrite authorized keys" 27trace "overwrite authorized keys"
28printf '' > $OBJ/authorized_keys_$USER 28printf '' > $OBJ/authorized_keys_$USER
29 29
30echo "PubkeyAcceptedKeyTypes +ssh-dss" >> $OBJ/ssh_proxy
31echo "PubkeyAcceptedKeyTypes +ssh-dss" >> $OBJ/sshd_proxy
32
33for t in ${SSH_KEYTYPES}; do 30for t in ${SSH_KEYTYPES}; do
34 # generate user key for agent 31 # generate user key for agent
35 rm -f $OBJ/$t-agent $OBJ/$t-agent.pub* 32 rm -f $OBJ/$t-agent $OBJ/$t-agent.pub*
@@ -75,6 +72,10 @@ fi
75 72
76for t in ${SSH_KEYTYPES}; do 73for t in ${SSH_KEYTYPES}; do
77 trace "connect via agent using $t key" 74 trace "connect via agent using $t key"
75 if [ "$t" = "ssh-dss" ]; then
76 echo "PubkeyAcceptedKeyTypes +ssh-dss" >> $OBJ/ssh_proxy
77 echo "PubkeyAcceptedKeyTypes +ssh-dss" >> $OBJ/sshd_proxy
78 fi
78 ${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub -oIdentitiesOnly=yes \ 79 ${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub -oIdentitiesOnly=yes \
79 somehost exit 52 80 somehost exit 52
80 r=$? 81 r=$?
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 3ce777967..86ea62504 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-hostkey.sh,v 1.17 2018/10/31 11:09:27 dtucker Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.18 2019/07/25 08:28:15 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
@@ -7,6 +7,7 @@ rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_*
7rm -f $OBJ/cert_host_key* $OBJ/host_krl_* 7rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
8 8
9# Allow all hostkey/pubkey types, prefer certs for the client 9# Allow all hostkey/pubkey types, prefer certs for the client
10rsa=0
10types="" 11types=""
11for i in `$SSH -Q key`; do 12for i in `$SSH -Q key`; do
12 if [ -z "$types" ]; then 13 if [ -z "$types" ]; then
@@ -19,6 +20,7 @@ for i in `$SSH -Q key`; do
19 types="rsa-sha2-256-cert-v01@openssh.com,$i,$types" 20 types="rsa-sha2-256-cert-v01@openssh.com,$i,$types"
20 types="rsa-sha2-512-cert-v01@openssh.com,$types";; 21 types="rsa-sha2-512-cert-v01@openssh.com,$types";;
21 *rsa*) 22 *rsa*)
23 rsa=1
22 types="$types,rsa-sha2-512,rsa-sha2-256,$i";; 24 types="$types,rsa-sha2-512,rsa-sha2-256,$i";;
23 # Prefer certificate to plain keys. 25 # Prefer certificate to plain keys.
24 *cert*) types="$i,$types";; 26 *cert*) types="$i,$types";;
@@ -51,10 +53,12 @@ kh_revoke() {
51} 53}
52 54
53# Create a CA key and add it to known hosts. Ed25519 chosen for speed. 55# Create a CA key and add it to known hosts. Ed25519 chosen for speed.
54# RSA for testing RSA/SHA2 signatures. 56# RSA for testing RSA/SHA2 signatures if supported.
57ktype2=ed25519
58[ "x$rsa" = "x1" ] && ktype2=rsa
55${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\ 59${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\
56 fail "ssh-keygen of host_ca_key failed" 60 fail "ssh-keygen of host_ca_key failed"
57${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key2 ||\ 61${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/host_ca_key2 ||\
58 fail "ssh-keygen of host_ca_key failed" 62 fail "ssh-keygen of host_ca_key failed"
59 63
60kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig 64kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
@@ -214,7 +218,7 @@ test_one() {
214 result=$2 218 result=$2
215 sign_opts=$3 219 sign_opts=$3
216 220
217 for kt in rsa ed25519 ; do 221 for kt in $PLAIN_TYPES; do
218 case $ktype in 222 case $ktype in
219 rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;; 223 rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
220 *) tflag=""; ca="$OBJ/host_ca_key" ;; 224 *) tflag=""; ca="$OBJ/host_ca_key" ;;
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 6849e9922..38c14a698 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-userkey.sh,v 1.20 2018/10/31 11:09:27 dtucker Exp $ 1# $OpenBSD: cert-userkey.sh,v 1.21 2019/07/25 08:28:15 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified user keys" 4tid="certified user keys"
@@ -9,8 +9,10 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
9 9
10PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` 10PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
11EXTRA_TYPES="" 11EXTRA_TYPES=""
12rsa=""
12 13
13if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then 14if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
15 rsa=rsa
14 PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" 16 PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
15fi 17fi
16 18
@@ -20,11 +22,20 @@ kname() {
20 # subshell because some seds will add a newline 22 # subshell because some seds will add a newline
21 *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;; 23 *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;;
22 esac 24 esac
23 echo "$n*,ssh-rsa*,ssh-ed25519*" 25 if [ -z "$rsa" ]; then
26 echo "$n*,ssh-ed25519*"
27 else
28 echo "$n*,ssh-rsa*,ssh-ed25519*"
29 fi
24} 30}
25 31
26# Create a CA key 32# Create a CA key
27${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ 33if [ ! -z "$rsa" ]; then
34 catype=rsa
35else
36 catype=ed25519
37fi
38${SSHKEYGEN} -q -N '' -t $catype -f $OBJ/user_ca_key ||\
28 fail "ssh-keygen of user_ca_key failed" 39 fail "ssh-keygen of user_ca_key failed"
29 40
30# Generate and sign user keys 41# Generate and sign user keys
@@ -283,7 +294,7 @@ test_one() {
283 fi 294 fi
284 295
285 for auth in $auth_choice ; do 296 for auth in $auth_choice ; do
286 for ktype in rsa ed25519 ; do 297 for ktype in $rsa ed25519 ; do
287 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy 298 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
288 if test "x$auth" = "xauthorized_keys" ; then 299 if test "x$auth" = "xauthorized_keys" ; then
289 # Add CA to authorized_keys 300 # Add CA to authorized_keys
diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
index dd11e404d..6620c84ed 100644
--- a/regress/cfgmatch.sh
+++ b/regress/cfgmatch.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cfgmatch.sh,v 1.11 2017/10/04 18:50:23 djm Exp $ 1# $OpenBSD: cfgmatch.sh,v 1.12 2019/04/18 18:57:16 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="sshd_config match" 4tid="sshd_config match"
@@ -51,9 +51,10 @@ echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
51echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy 51echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
52echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_proxy 52echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
53 53
54start_sshd 54${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \
55 fail "config w/match fails config test"
55 56
56#set -x 57start_sshd
57 58
58# Test Match + PermitOpen in sshd_config. This should be permitted 59# Test Match + PermitOpen in sshd_config. This should be permitted
59trace "match permitopen localhost" 60trace "match permitopen localhost"
@@ -113,3 +114,45 @@ start_client -F $OBJ/ssh_proxy
113${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ 114${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
114 fail "nomatch override permitopen" 115 fail "nomatch override permitopen"
115stop_client 116stop_client
117
118# Test parsing of available Match criteria (with the exception of Group which
119# requires knowledge of actual group memberships user running the test).
120params="user:user:u1 host:host:h1 address:addr:1.2.3.4 \
121 localaddress:laddr:5.6.7.8 rdomain:rdomain:rdom1"
122cp $OBJ/sshd_proxy_bak $OBJ/sshd_config
123echo 'Banner /nomatch' >>$OBJ/sshd_config
124for i in $params; do
125 config=`echo $i | cut -f1 -d:`
126 criteria=`echo $i | cut -f2 -d:`
127 value=`echo $i | cut -f3 -d:`
128 cat >>$OBJ/sshd_config <<EOD
129 Match $config $value
130 Banner /$value
131EOD
132done
133
134${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \
135 fail "validate config for w/out spec"
136
137# Test matching each criteria.
138for i in $params; do
139 testcriteria=`echo $i | cut -f2 -d:`
140 expected=/`echo $i | cut -f3 -d:`
141 spec=""
142 for j in $params; do
143 config=`echo $j | cut -f1 -d:`
144 criteria=`echo $j | cut -f2 -d:`
145 value=`echo $j | cut -f3 -d:`
146 if [ "$criteria" = "$testcriteria" ]; then
147 spec="$criteria=$value,$spec"
148 else
149 spec="$criteria=1$value,$spec"
150 fi
151 done
152 trace "test spec $spec"
153 result=`${SUDO} ${SSHD} -f $OBJ/sshd_config -T -C "$spec" | \
154 awk '$1=="banner"{print $2}'`
155 if [ "$result" != "$expected" ]; then
156 fail "match $config expected $expected got $result"
157 fi
158done
diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
index 199d863a0..6678813a2 100644
--- a/regress/conch-ciphers.sh
+++ b/regress/conch-ciphers.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: conch-ciphers.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $ 1# $OpenBSD: conch-ciphers.sh,v 1.4 2019/07/05 04:12:46 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="conch ciphers" 4tid="conch ciphers"
@@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
16 rm -f ${COPY} 16 rm -f ${COPY}
17 # XXX the 2nd "cat" seems to be needed because of buggy FD handling 17 # XXX the 2nd "cat" seems to be needed because of buggy FD handling
18 # in conch 18 # in conch
19 ${CONCH} --identity $OBJ/rsa --port $PORT --user $USER -e none \ 19 ${CONCH} --identity $OBJ/ssh-rsa --port $PORT --user $USER -e none \
20 --known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \ 20 --known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
21 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY} 21 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
22 if [ $? -ne 0 ]; then 22 if [ $? -ne 0 ]; then
diff --git a/regress/dhgex.sh b/regress/dhgex.sh
index 61fc178e8..ae64a9fb6 100644
--- a/regress/dhgex.sh
+++ b/regress/dhgex.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: dhgex.sh,v 1.4 2017/05/08 01:52:49 djm Exp $ 1# $OpenBSD: dhgex.sh,v 1.6 2019/10/06 11:49:50 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="dhgex" 4tid="dhgex"
@@ -34,9 +34,11 @@ ssh_test_dhgex()
34 got=`egrep "SSH2_MSG_KEX_DH_GEX_REQUEST(.*) sent" ${LOG}` 34 got=`egrep "SSH2_MSG_KEX_DH_GEX_REQUEST(.*) sent" ${LOG}`
35 fail "$tid unexpected GEX sizes, expected $groupsz, got $got" 35 fail "$tid unexpected GEX sizes, expected $groupsz, got $got"
36 fi 36 fi
37 # check what we got (depends on contents of system moduli file) 37 # check what we got.
38 gotbits="`awk '/bits set:/{print $4}' ${LOG} | head -1 | cut -f2 -d/`" 38 gotbits="`awk 'BEGIN{FS="/"}/bits set:/{print $2}' ${LOG} |
39 if [ "$gotbits" -lt "$bits" ]; then 39 head -1 | tr -d '\r\n'`"
40 trace "expected '$bits' got '$gotbits'"
41 if [ -z "$gotbits" ] || [ "$gotbits" -lt "$bits" ]; then
40 fatal "$tid expected $bits bit group, got $gotbits" 42 fatal "$tid expected $bits bit group, got $gotbits"
41 fi 43 fi
42} 44}
@@ -52,7 +54,7 @@ check()
52 done 54 done
53} 55}
54 56
55#check 2048 3des-cbc 57check 3072 3des-cbc # 112 bits.
56check 3072 `${SSH} -Q cipher | grep 128` 58check 3072 `${SSH} -Q cipher | grep 128`
57check 7680 `${SSH} -Q cipher | grep 192` 59check 7680 `${SSH} -Q cipher | grep 192`
58check 8192 `${SSH} -Q cipher | grep 256` 60check 8192 `${SSH} -Q cipher | grep 256`
diff --git a/regress/forwarding.sh b/regress/forwarding.sh
index 7d0fae114..cd634f2f6 100644
--- a/regress/forwarding.sh
+++ b/regress/forwarding.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: forwarding.sh,v 1.20 2017/04/30 23:34:55 djm Exp $ 1# $OpenBSD: forwarding.sh,v 1.23 2019/07/20 09:50:58 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="local and remote forwarding" 4tid="local and remote forwarding"
@@ -26,7 +26,7 @@ done
26 26
27trace "start forwarding, fork to background" 27trace "start forwarding, fork to background"
28rm -f $CTL 28rm -f $CTL
29${SSH} -S $CTL -M -F $OBJ/ssh_config -f $fwd somehost sleep 10 29${SSH} -S $CTL -N -M -F $OBJ/ssh_config -f $fwd somehost
30 30
31trace "transfer over forwarded channels and check result" 31trace "transfer over forwarded channels and check result"
32${SSH} -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \ 32${SSH} -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
@@ -34,7 +34,7 @@ ${SSH} -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
34test -s ${COPY} || fail "failed copy of ${DATA}" 34test -s ${COPY} || fail "failed copy of ${DATA}"
35cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" 35cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
36 36
37${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost 37${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost 2>/dev/null
38 38
39for d in L R; do 39for d in L R; do
40 trace "exit on -$d forward failure" 40 trace "exit on -$d forward failure"
@@ -69,8 +69,8 @@ ${SSH} -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
69 69
70trace "clear local forward" 70trace "clear local forward"
71rm -f $CTL 71rm -f $CTL
72${SSH} -S $CTL -M -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \ 72${SSH} -S $CTL -N -M -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
73 -oClearAllForwardings=yes somehost sleep 10 73 -oClearAllForwardings=yes somehost
74if [ $? != 0 ]; then 74if [ $? != 0 ]; then
75 fail "connection failed with cleared local forwarding" 75 fail "connection failed with cleared local forwarding"
76else 76else
@@ -79,12 +79,12 @@ else
79 >>$TEST_REGRESS_LOGFILE 2>&1 && \ 79 >>$TEST_REGRESS_LOGFILE 2>&1 && \
80 fail "local forwarding not cleared" 80 fail "local forwarding not cleared"
81fi 81fi
82${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost 82${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost 2>/dev/null
83 83
84trace "clear remote forward" 84trace "clear remote forward"
85rm -f $CTL 85rm -f $CTL
86${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \ 86${SSH} -S $CTL -N -M -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
87 -oClearAllForwardings=yes somehost sleep 10 87 -oClearAllForwardings=yes somehost
88if [ $? != 0 ]; then 88if [ $? != 0 ]; then
89 fail "connection failed with cleared remote forwarding" 89 fail "connection failed with cleared remote forwarding"
90else 90else
@@ -93,7 +93,7 @@ else
93 >>$TEST_REGRESS_LOGFILE 2>&1 && \ 93 >>$TEST_REGRESS_LOGFILE 2>&1 && \
94 fail "remote forwarding not cleared" 94 fail "remote forwarding not cleared"
95fi 95fi
96${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost 96${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost 2>/dev/null
97 97
98trace "stdio forwarding" 98trace "stdio forwarding"
99cmd="${SSH} -F $OBJ/ssh_config" 99cmd="${SSH} -F $OBJ/ssh_config"
@@ -107,7 +107,7 @@ echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config
107 107
108trace "config file: start forwarding, fork to background" 108trace "config file: start forwarding, fork to background"
109rm -f $CTL 109rm -f $CTL
110${SSH} -S $CTL -M -F $OBJ/ssh_config -f somehost sleep 10 110${SSH} -S $CTL -N -M -F $OBJ/ssh_config -f somehost
111 111
112trace "config file: transfer over forwarded channels and check result" 112trace "config file: transfer over forwarded channels and check result"
113${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \ 113${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \
@@ -115,22 +115,22 @@ ${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \
115test -s ${COPY} || fail "failed copy of ${DATA}" 115test -s ${COPY} || fail "failed copy of ${DATA}"
116cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" 116cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
117 117
118${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost 118${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost 2>/dev/null
119 119
120trace "transfer over chained unix domain socket forwards and check result" 120trace "transfer over chained unix domain socket forwards and check result"
121rm -f $OBJ/unix-[123].fwd 121rm -f $OBJ/unix-[123].fwd
122rm -f $CTL $CTL.[123] 122rm -f $CTL $CTL.[123]
123${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10 123${SSH} -S $CTL -N -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost
124${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10 124${SSH} -S $CTL.1 -N -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost
125${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10 125${SSH} -S $CTL.2 -N -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost
126${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10 126${SSH} -S $CTL.3 -N -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost
127${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \ 127${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \
128 somehost cat ${DATA} > ${COPY} 128 somehost cat ${DATA} > ${COPY}
129test -s ${COPY} || fail "failed copy ${DATA}" 129test -s ${COPY} || fail "failed copy ${DATA}"
130cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" 130cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
131 131
132${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost 132${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost 2>/dev/null
133${SSH} -F $OBJ/ssh_config -S $CTL.1 -O exit somehost 133${SSH} -F $OBJ/ssh_config -S $CTL.1 -O exit somehost 2>/dev/null
134${SSH} -F $OBJ/ssh_config -S $CTL.2 -O exit somehost 134${SSH} -F $OBJ/ssh_config -S $CTL.2 -O exit somehost 2>/dev/null
135${SSH} -F $OBJ/ssh_config -S $CTL.3 -O exit somehost 135${SSH} -F $OBJ/ssh_config -S $CTL.3 -O exit somehost 2>/dev/null
136 136
diff --git a/regress/hostkey-rotate.sh b/regress/hostkey-rotate.sh
index d69de3255..cc6bd9cf6 100644
--- a/regress/hostkey-rotate.sh
+++ b/regress/hostkey-rotate.sh
@@ -1,10 +1,10 @@
1# $OpenBSD: hostkey-rotate.sh,v 1.5 2015/09/04 04:23:10 djm Exp $ 1# $OpenBSD: hostkey-rotate.sh,v 1.6 2019/08/30 05:08:28 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="hostkey rotate" 4tid="hostkey rotate"
5 5
6# Need full names here since they are used in HostKeyAlgorithms 6# Need full names here since they are used in HostKeyAlgorithms
7HOSTKEY_TYPES="ecdsa-sha2-nistp256 ssh-ed25519 ssh-rsa ssh-dss" 7HOSTKEY_TYPES="`${SSH} -Q key-plain`"
8 8
9rm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig 9rm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig
10 10
@@ -12,15 +12,23 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
12echo "UpdateHostkeys=yes" >> $OBJ/ssh_proxy 12echo "UpdateHostkeys=yes" >> $OBJ/ssh_proxy
13rm $OBJ/known_hosts 13rm $OBJ/known_hosts
14 14
15# The "primary" key type is ed25519 since it's supported even when built
16# without OpenSSL. The secondary is RSA if it's supported.
17primary="ssh-ed25519"
18secondary="$primary"
19
15trace "prepare hostkeys" 20trace "prepare hostkeys"
16nkeys=0 21nkeys=0
17all_algs="" 22all_algs=""
18for k in `${SSH} -Q key-plain` ; do 23for k in $HOSTKEY_TYPES; do
19 ${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k" 24 ${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k"
20 echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig 25 echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig
21 nkeys=`expr $nkeys + 1` 26 nkeys=`expr $nkeys + 1`
22 test "x$all_algs" = "x" || all_algs="${all_algs}," 27 test "x$all_algs" = "x" || all_algs="${all_algs},"
23 all_algs="${all_algs}$k" 28 all_algs="${all_algs}$k"
29 case "$k" in
30 ssh-rsa) secondary="ssh-rsa" ;;
31 esac
24done 32done
25 33
26dossh() { 34dossh() {
@@ -49,62 +57,68 @@ cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
49# Connect to sshd with StrictHostkeyChecking=no 57# Connect to sshd with StrictHostkeyChecking=no
50verbose "learn hostkey with StrictHostKeyChecking=no" 58verbose "learn hostkey with StrictHostKeyChecking=no"
51>$OBJ/known_hosts 59>$OBJ/known_hosts
52dossh -oHostKeyAlgorithms=ssh-ed25519 -oStrictHostKeyChecking=no 60dossh -oHostKeyAlgorithms=$primary -oStrictHostKeyChecking=no
53# Verify no additional keys learned 61# Verify no additional keys learned
54expect_nkeys 1 "unstrict connect keys" 62expect_nkeys 1 "unstrict connect keys"
55check_key_present ssh-ed25519 || fail "unstrict didn't learn key" 63check_key_present $primary || fail "unstrict didn't learn key"
56 64
57# Connect to sshd as usual 65# Connect to sshd as usual
58verbose "learn additional hostkeys" 66verbose "learn additional hostkeys"
59dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs 67dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs
60# Check that other keys learned 68# Check that other keys learned
61expect_nkeys $nkeys "learn hostkeys" 69expect_nkeys $nkeys "learn hostkeys"
62check_key_present ssh-rsa || fail "didn't learn keys" 70for k in $HOSTKEY_TYPES; do
71 check_key_present $k || fail "didn't learn keytype $k"
72done
63 73
64# Check each key type 74# Check each key type
65for k in `${SSH} -Q key-plain` ; do 75for k in $HOSTKEY_TYPES; do
66 verbose "learn additional hostkeys, type=$k" 76 verbose "learn additional hostkeys, type=$k"
67 dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs 77 dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs
68 expect_nkeys $nkeys "learn hostkeys $k" 78 expect_nkeys $nkeys "learn hostkeys $k"
69 check_key_present $k || fail "didn't learn $k" 79 check_key_present $k || fail "didn't learn $k correctly"
70done 80done
71 81
72# Change one hostkey (non primary) and relearn 82# Change one hostkey (non primary) and relearn
73verbose "learn changed non-primary hostkey" 83if [ "$primary" != "$secondary" ]; then
74mv $OBJ/hkr.ssh-rsa.pub $OBJ/hkr.ssh-rsa.pub.old 84 verbose "learn changed non-primary hostkey type=${secondary}"
75rm -f $OBJ/hkr.ssh-rsa 85 mv $OBJ/hkr.${secondary}.pub $OBJ/hkr.${secondary}.pub.old
76${SSHKEYGEN} -qt ssh-rsa -f $OBJ/hkr.ssh-rsa -N '' || fatal "ssh-keygen $k" 86 rm -f $OBJ/hkr.${secondary}
77dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs 87 ${SSHKEYGEN} -qt ${secondary} -f $OBJ/hkr.${secondary} -N '' || \
78# Check that the key was replaced 88 fatal "ssh-keygen $secondary"
79expect_nkeys $nkeys "learn hostkeys" 89 dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs
80check_key_present ssh-rsa $OBJ/hkr.ssh-rsa.pub.old && fail "old key present" 90 # Check that the key was replaced
81check_key_present ssh-rsa || fail "didn't learn changed key" 91 expect_nkeys $nkeys "learn hostkeys"
92 check_key_present ${secondary} $OBJ/hkr.${secondary}.pub.old && \
93 fail "old key present"
94 check_key_present ${secondary} || fail "didn't learn changed key"
95fi
82 96
83# Add new hostkey (primary type) to sshd and connect 97# Add new hostkey (primary type) to sshd and connect
84verbose "learn new primary hostkey" 98verbose "learn new primary hostkey"
85${SSHKEYGEN} -qt ssh-rsa -f $OBJ/hkr.ssh-rsa-new -N '' || fatal "ssh-keygen $k" 99${SSHKEYGEN} -qt ${primary} -f $OBJ/hkr.${primary}-new -N '' || fatal "ssh-keygen ed25519"
86( cat $OBJ/sshd_proxy.orig ; echo HostKey $OBJ/hkr.ssh-rsa-new ) \ 100( cat $OBJ/sshd_proxy.orig ; echo HostKey $OBJ/hkr.${primary}-new ) \
87 > $OBJ/sshd_proxy 101 > $OBJ/sshd_proxy
88# Check new hostkey added 102# Check new hostkey added
89dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa,$all_algs 103dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=${primary},$all_algs
90expect_nkeys `expr $nkeys + 1` "learn hostkeys" 104expect_nkeys `expr $nkeys + 1` "learn hostkeys"
91check_key_present ssh-rsa || fail "current key missing" 105check_key_present ${primary} || fail "current key missing"
92check_key_present ssh-rsa $OBJ/hkr.ssh-rsa-new.pub || fail "new key missing" 106check_key_present ${primary} $OBJ/hkr.${primary}-new.pub || fail "new key missing"
93 107
94# Remove old hostkey (primary type) from sshd 108# Remove old hostkey (primary type) from sshd
95verbose "rotate primary hostkey" 109verbose "rotate primary hostkey"
96cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy 110cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
97mv $OBJ/hkr.ssh-rsa.pub $OBJ/hkr.ssh-rsa.pub.old 111mv $OBJ/hkr.${primary}.pub $OBJ/hkr.${primary}.pub.old
98mv $OBJ/hkr.ssh-rsa-new.pub $OBJ/hkr.ssh-rsa.pub 112mv $OBJ/hkr.${primary}-new.pub $OBJ/hkr.${primary}.pub
99mv $OBJ/hkr.ssh-rsa-new $OBJ/hkr.ssh-rsa 113mv $OBJ/hkr.${primary}-new $OBJ/hkr.${primary}
100# Check old hostkey removed 114# Check old hostkey removed
101dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa,$all_algs 115dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=${primary},$all_algs
102expect_nkeys $nkeys "learn hostkeys" 116expect_nkeys $nkeys "learn hostkeys"
103check_key_present ssh-rsa $OBJ/hkr.ssh-rsa.pub.old && fail "old key present" 117check_key_present ${primary} $OBJ/hkr.${primary}.pub.old && fail "old key present"
104check_key_present ssh-rsa || fail "didn't learn changed key" 118check_key_present ${primary} || fail "didn't learn changed key"
105 119
106# Connect again, forcing rotated key 120# Connect again, forcing rotated key
107verbose "check rotate primary hostkey" 121verbose "check rotate primary hostkey"
108dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa 122dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=${primary}
109expect_nkeys 1 "learn hostkeys" 123expect_nkeys 1 "learn hostkeys"
110check_key_present ssh-rsa || fail "didn't learn changed key" 124check_key_present ${primary} || fail "didn't learn changed key"
diff --git a/regress/integrity.sh b/regress/integrity.sh
index 3eda40f0a..5ba6bf6ab 100644
--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@@ -14,8 +14,8 @@ macs="$macs `${SSH} -Q cipher-auth`"
14 14
15# avoid DH group exchange as the extra traffic makes it harder to get the 15# avoid DH group exchange as the extra traffic makes it harder to get the
16# offset into the stream right. 16# offset into the stream right.
17echo "KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" \ 17#echo "KexAlgorithms -diffie-hellman-group*" \
18 >> $OBJ/ssh_proxy 18# >> $OBJ/ssh_proxy
19 19
20# sshd-command for proxy (see test-exec.sh) 20# sshd-command for proxy (see test-exec.sh)
21cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy" 21cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy"
diff --git a/regress/keygen-convert.sh b/regress/keygen-convert.sh
index ad0e9c637..fce110ea1 100644
--- a/regress/keygen-convert.sh
+++ b/regress/keygen-convert.sh
@@ -1,9 +1,17 @@
1# $OpenBSD: keygen-convert.sh,v 1.1 2009/11/09 04:20:04 dtucker Exp $ 1# $OpenBSD: keygen-convert.sh,v 1.2 2019/07/23 07:55:29 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="convert keys" 4tid="convert keys"
5 5
6for t in rsa dsa; do 6types=""
7for i in ${SSH_KEYTYPES}; do
8 case "$i" in
9 ssh-dss) types="$types dsa" ;;
10 ssh-rsa) types="$types rsa" ;;
11 esac
12done
13
14for t in $types; do
7 # generate user key for agent 15 # generate user key for agent
8 trace "generating $t key" 16 trace "generating $t key"
9 rm -f $OBJ/$t-key 17 rm -f $OBJ/$t-key
diff --git a/regress/keygen-moduli.sh b/regress/keygen-moduli.sh
index d4e771383..a8eccfb69 100644
--- a/regress/keygen-moduli.sh
+++ b/regress/keygen-moduli.sh
@@ -1,18 +1,27 @@
1# $OpenBSD: keygen-moduli.sh,v 1.2 2016/09/14 00:45:31 dtucker Exp $ 1# $OpenBSD: keygen-moduli.sh,v 1.3 2019/07/23 08:19:29 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="keygen moduli" 4tid="keygen moduli"
5 5
6dhgex=0
7for kex in `${SSH} -Q kex`; do
8 case $kex in
9 diffie-hellman-group*) dhgex=1 ;;
10 esac
11done
12
6# Try "start at the beginning and stop after 1", "skip 1 then stop after 1" 13# Try "start at the beginning and stop after 1", "skip 1 then stop after 1"
7# and "skip 2 and run to the end with checkpointing". Since our test data 14# and "skip 2 and run to the end with checkpointing". Since our test data
8# file has 3 lines, these should always result in 1 line of output. 15# file has 3 lines, these should always result in 1 line of output.
9for i in "-J1" "-j1 -J1" "-j2 -K $OBJ/moduli.ckpt"; do 16if [ "x$dhgex" = "x1" ]; then
17 for i in "-J1" "-j1 -J1" "-j2 -K $OBJ/moduli.ckpt"; do
10 trace "keygen $i" 18 trace "keygen $i"
11 rm -f $OBJ/moduli.out $OBJ/moduli.ckpt 19 rm -f $OBJ/moduli.out $OBJ/moduli.ckpt
12 ${SSHKEYGEN} -T $OBJ/moduli.out -f ${SRC}/moduli.in $i 2>/dev/null || \ 20 ${SSHKEYGEN} -T $OBJ/moduli.out -f ${SRC}/moduli.in $i 2>/dev/null || \
13 fail "keygen screen failed $i" 21 fail "keygen screen failed $i"
14 lines=`wc -l <$OBJ/moduli.out` 22 lines=`wc -l <$OBJ/moduli.out`
15 test "$lines" -eq "1" || fail "expected 1 line, got $lines" 23 test "$lines" -eq "1" || fail "expected 1 line, got $lines"
16done 24 done
25fi
17 26
18rm -f $OBJ/moduli.out $OBJ/moduli.ckpt 27rm -f $OBJ/moduli.out $OBJ/moduli.ckpt
diff --git a/regress/keys-command.sh b/regress/keys-command.sh
index d166fc589..33b6e7b42 100644
--- a/regress/keys-command.sh
+++ b/regress/keys-command.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: keys-command.sh,v 1.5 2018/11/22 08:48:32 dtucker Exp $ 1# $OpenBSD: keys-command.sh,v 1.6 2019/07/25 08:48:11 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="authorized keys from command" 4tid="authorized keys from command"
@@ -14,8 +14,8 @@ rm -f $OBJ/keys-command-args
14touch $OBJ/keys-command-args 14touch $OBJ/keys-command-args
15chmod a+rw $OBJ/keys-command-args 15chmod a+rw $OBJ/keys-command-args
16 16
17expected_key_text=`awk '{ print $2 }' < $OBJ/rsa.pub` 17expected_key_text=`awk '{ print $2 }' < $OBJ/ssh-ed25519.pub`
18expected_key_fp=`$SSHKEYGEN -lf $OBJ/rsa.pub | awk '{ print $2 }'` 18expected_key_fp=`$SSHKEYGEN -lf $OBJ/ssh-ed25519.pub | awk '{ print $2 }'`
19 19
20# Establish a AuthorizedKeysCommand in /var/run where it will have 20# Establish a AuthorizedKeysCommand in /var/run where it will have
21# acceptable directory permissions. 21# acceptable directory permissions.
diff --git a/regress/keytype.sh b/regress/keytype.sh
index f78a2c171..13095088e 100644
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: keytype.sh,v 1.7 2018/03/12 00:54:04 djm Exp $ 1# $OpenBSD: keytype.sh,v 1.8 2019/07/23 13:49:14 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="login with different key types" 4tid="login with different key types"
@@ -6,11 +6,13 @@ tid="login with different key types"
6cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 6cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
7cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak 7cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
8 8
9# Traditional and builtin key types. 9# Construct list of key types based on what the built binaries support.
10ktypes="dsa-1024 rsa-2048 rsa-3072 ed25519-512" 10ktypes=""
11# Types not present in all OpenSSL versions. 11for i in ${SSH_KEYTYPES}; do
12for i in `$SSH -Q key`; do
13 case "$i" in 12 case "$i" in
13 ssh-dss) ktypes="$ktypes dsa-1024" ;;
14 ssh-rsa) ktypes="$ktypes rsa-2048 rsa-3072" ;;
15 ssh-ed25519) ktypes="$ktypes ed25519-512" ;;
14 ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;; 16 ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;;
15 ecdsa-sha2-nistp384) ktypes="$ktypes ecdsa-384" ;; 17 ecdsa-sha2-nistp384) ktypes="$ktypes ecdsa-384" ;;
16 ecdsa-sha2-nistp521) ktypes="$ktypes ecdsa-521" ;; 18 ecdsa-sha2-nistp521) ktypes="$ktypes ecdsa-521" ;;
diff --git a/regress/krl.sh b/regress/krl.sh
index a70c79c66..e18d0ec7f 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -1,13 +1,18 @@
1# $OpenBSD: krl.sh,v 1.7 2018/09/12 01:23:48 djm Exp $ 1# $OpenBSD: krl.sh,v 1.8 2019/07/25 09:17:35 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="key revocation lists" 4tid="key revocation lists"
5 5
6# If we don't support ecdsa keys then this tell will be much slower. 6# Use ed25519 by default since it's fast and it's supported when building
7ECDSA=ecdsa 7# w/out OpenSSL. Populate ktype[2-4] with the other types if supported.
8if test "x$TEST_SSH_ECC" != "xyes"; then 8ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; ktype4=ed25519
9 ECDSA=rsa 9for t in `${SSH} -Q key-plain`; do
10fi 10 case "$t" in
11 ecdsa*) ktype2=ecdsa ;;
12 ssh-rsa) ktype3=rsa ;;
13 ssh-dss) ktype4=dsa ;;
14 esac
15done
11 16
12# Do most testing with ssh-keygen; it uses the same verification code as sshd. 17# Do most testing with ssh-keygen; it uses the same verification code as sshd.
13 18
@@ -15,9 +20,9 @@ fi
15rm -f $OBJ/revoked-* $OBJ/krl-* 20rm -f $OBJ/revoked-* $OBJ/krl-*
16 21
17# Generate a CA key 22# Generate a CA key
18$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null || 23$SSHKEYGEN -t $ktype1 -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
19 fatal "$SSHKEYGEN CA failed" 24 fatal "$SSHKEYGEN CA failed"
20$SSHKEYGEN -t ed25519 -f $OBJ/revoked-ca2 -C "" -N "" > /dev/null || 25$SSHKEYGEN -t $ktype2 -f $OBJ/revoked-ca2 -C "" -N "" > /dev/null ||
21 fatal "$SSHKEYGEN CA2 failed" 26 fatal "$SSHKEYGEN CA2 failed"
22 27
23# A specification that revokes some certificates by serial numbers 28# A specification that revokes some certificates by serial numbers
@@ -55,11 +60,13 @@ done
55keygen() { 60keygen() {
56 N=$1 61 N=$1
57 f=$OBJ/revoked-`printf "%04d" $N` 62 f=$OBJ/revoked-`printf "%04d" $N`
58 # Vary the keytype. We use mostly ECDSA since this is fastest by far. 63 # Vary the keytype. We use mostly ed25519 since this is fast and well
59 keytype=$ECDSA 64 # supported.
65 keytype=$ktype1
60 case $N in 66 case $N in
61 2 | 10 | 510 | 1001) keytype=rsa;; 67 2 | 10 | 510 | 1001) keytype=$ktype2 ;;
62 4 | 30 | 520 | 1002) keytype=ed25519;; 68 4 | 30 | 520 | 1002) keytype=$ktype3 ;;
69 8 | 50 | 530 | 1003) keytype=$ktype4 ;;
63 esac 70 esac
64 $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \ 71 $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
65 || fatal "$SSHKEYGEN failed" 72 || fatal "$SSHKEYGEN failed"
diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh
index 04f11977e..5c30af006 100644
--- a/regress/limit-keytype.sh
+++ b/regress/limit-keytype.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: limit-keytype.sh,v 1.5 2018/03/12 00:52:57 djm Exp $ 1# $OpenBSD: limit-keytype.sh,v 1.6 2019/07/26 04:22:21 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="restrict pubkey type" 4tid="restrict pubkey type"
@@ -9,18 +9,27 @@ rm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key*
9mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig 9mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
10mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig 10mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
11 11
12ktype1=ed25519; ktype2=$ktype1; ktype3=$ktype1; ktype4=$ktype1
13for t in `${SSH} -Q key-plain`; do
14 case "$t" in
15 ssh-rsa) ktype2=rsa ;;
16 ecdsa*) ktype3=ecdsa ;; # unused
17 ssh-dss) ktype4=dsa ;;
18 esac
19done
20
12# Create a CA key 21# Create a CA key
13${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key ||\ 22${SSHKEYGEN} -q -N '' -t $ktype1 -f $OBJ/user_ca_key ||\
14 fatal "ssh-keygen failed" 23 fatal "ssh-keygen failed"
15 24
16# Make some keys and a certificate. 25# Make some keys and a certificate.
17${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \ 26${SSHKEYGEN} -q -N '' -t $ktype1 -f $OBJ/user_key1 || \
18 fatal "ssh-keygen failed" 27 fatal "ssh-keygen failed"
19${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key2 || \ 28${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/user_key2 || \
20 fatal "ssh-keygen failed" 29 fatal "ssh-keygen failed"
21${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key3 || \ 30${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/user_key3 || \
22 fatal "ssh-keygen failed" 31 fatal "ssh-keygen failed"
23${SSHKEYGEN} -q -N '' -t dsa -f $OBJ/user_key4 || \ 32${SSHKEYGEN} -q -N '' -t $ktype4 -f $OBJ/user_key4 || \
24 fatal "ssh-keygen failed" 33 fatal "ssh-keygen failed"
25${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ 34${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
26 -z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 || 35 -z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 ||
@@ -51,6 +60,17 @@ prepare_config() {
51 ) > $OBJ/sshd_proxy 60 ) > $OBJ/sshd_proxy
52} 61}
53 62
63# Return the required parameter for PubkeyAcceptedKeyTypes corresponding to
64# the supplied key type.
65keytype() {
66 case "$1" in
67 ecdsa) printf "ecdsa-sha2-*" ;;
68 ed25519) printf "ssh-ed25519" ;;
69 dsa) printf "ssh-dss" ;;
70 rsa) printf "rsa-sha2-256,rsa-sha2-512,ssh-rsa" ;;
71 esac
72}
73
54prepare_config 74prepare_config
55 75
56# Check we can log in with all key types. 76# Check we can log in with all key types.
@@ -59,19 +79,21 @@ ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
59${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" 79${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
60 80
61# Allow plain Ed25519 and RSA. The certificate should fail. 81# Allow plain Ed25519 and RSA. The certificate should fail.
62verbose "allow rsa,ed25519" 82verbose "allow $ktype2,$ktype1"
63prepare_config \ 83prepare_config \
64 "PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-ed25519" 84 "PubkeyAcceptedKeyTypes `keytype $ktype2`,`keytype $ktype1`"
65${SSH} $certopts proxy true && fatal "cert succeeded" 85${SSH} $certopts proxy true && fatal "cert succeeded"
66${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" 86${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
67${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" 87${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
68 88
69# Allow Ed25519 only. 89# Allow Ed25519 only.
70verbose "allow ed25519" 90verbose "allow $ktype1"
71prepare_config "PubkeyAcceptedKeyTypes ssh-ed25519" 91prepare_config "PubkeyAcceptedKeyTypes `keytype $ktype1`"
72${SSH} $certopts proxy true && fatal "cert succeeded" 92${SSH} $certopts proxy true && fatal "cert succeeded"
73${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" 93${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
74${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded" 94if [ "$ktype1" != "$ktype2" ]; then
95 ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
96fi
75 97
76# Allow all certs. Plain keys should fail. 98# Allow all certs. Plain keys should fail.
77verbose "allow cert only" 99verbose "allow cert only"
@@ -82,16 +104,18 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
82 104
83# Allow RSA in main config, Ed25519 for non-existent user. 105# Allow RSA in main config, Ed25519 for non-existent user.
84verbose "match w/ no match" 106verbose "match w/ no match"
85prepare_config "PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa" \ 107prepare_config "PubkeyAcceptedKeyTypes `keytype $ktype2`" \
86 "Match user x$USER" "PubkeyAcceptedKeyTypes +ssh-ed25519" 108 "Match user x$USER" "PubkeyAcceptedKeyTypes +`keytype $ktype1`"
87${SSH} $certopts proxy true && fatal "cert succeeded" 109${SSH} $certopts proxy true && fatal "cert succeeded"
88${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded" 110if [ "$ktype1" != "$ktype2" ]; then
111 ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
112fi
89${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" 113${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
90 114
91# Allow only DSA in main config, Ed25519 for user. 115# Allow only DSA in main config, Ed25519 for user.
92verbose "match w/ matching" 116verbose "match w/ matching"
93prepare_config "PubkeyAcceptedKeyTypes ssh-dss" \ 117prepare_config "PubkeyAcceptedKeyTypes `keytype $ktype4`" \
94 "Match user $USER" "PubkeyAcceptedKeyTypes +ssh-ed25519" 118 "Match user $USER" "PubkeyAcceptedKeyTypes +`keytype $ktype1`"
95${SSH} $certopts proxy true || fatal "cert failed" 119${SSH} $certopts proxy true || fatal "cert failed"
96${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" 120${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
97${SSH} $opts -i $OBJ/user_key4 proxy true && fatal "key4 succeeded" 121${SSH} $opts -i $OBJ/user_key4 proxy true && fatal "key4 succeeded"
diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile
index a2aa4441f..85179ac4e 100644
--- a/regress/misc/fuzz-harness/Makefile
+++ b/regress/misc/fuzz-harness/Makefile
@@ -1,13 +1,15 @@
1# NB. libssh and libopenbsd-compat should be built with the same sanitizer opts. 1# NB. libssh and libopenbsd-compat should be built with the same sanitizer opts.
2CXX=clang++-3.9 2CXX=clang++-6.0
3FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge 3FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge,trace-pc
4FUZZ_LIBS=-lFuzzer 4FUZZ_LIBS=-lFuzzer
5 5
6CXXFLAGS=-O2 -g -Wall -Wextra -I ../../.. $(FUZZ_FLAGS) 6CXXFLAGS=-O2 -g -Wall -Wextra -I ../../.. $(FUZZ_FLAGS)
7LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS) 7LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS)
8LIBS=-lssh -lopenbsd-compat -lcrypto $(FUZZ_LIBS) 8LIBS=-lssh -lopenbsd-compat -lcrypto $(FUZZ_LIBS)
9 9
10all: pubkey_fuzz sig_fuzz authopt_fuzz 10TARGETS=pubkey_fuzz sig_fuzz authopt_fuzz sshsig_fuzz sshsigopt_fuzz
11
12all: $(TARGETS)
11 13
12.cc.o: 14.cc.o:
13 $(CXX) $(CXXFLAGS) -c $< -o $@ 15 $(CXX) $(CXXFLAGS) -c $< -o $@
@@ -21,5 +23,11 @@ sig_fuzz: sig_fuzz.o
21authopt_fuzz: authopt_fuzz.o 23authopt_fuzz: authopt_fuzz.o
22 $(CXX) -o $@ authopt_fuzz.o ../../../auth-options.o $(LDFLAGS) $(LIBS) 24 $(CXX) -o $@ authopt_fuzz.o ../../../auth-options.o $(LDFLAGS) $(LIBS)
23 25
26sshsig_fuzz: sshsig_fuzz.o
27 $(CXX) -o $@ sshsig_fuzz.o ../../../sshsig.o $(LDFLAGS) $(LIBS)
28
29sshsigopt_fuzz: sshsigopt_fuzz.o
30 $(CXX) -o $@ sshsigopt_fuzz.o ../../../sshsig.o $(LDFLAGS) $(LIBS)
31
24clean: 32clean:
25 -rm -f *.o pubkey_fuzz sig_fuzz authopt_fuzz 33 -rm -f *.o $(TARGETS)
diff --git a/regress/misc/fuzz-harness/sshsig_fuzz.cc b/regress/misc/fuzz-harness/sshsig_fuzz.cc
new file mode 100644
index 000000000..fe09ccb87
--- /dev/null
+++ b/regress/misc/fuzz-harness/sshsig_fuzz.cc
@@ -0,0 +1,35 @@
1// cc_fuzz_target test for sshsig verification.
2
3#include <stddef.h>
4#include <stdio.h>
5#include <stdint.h>
6#include <stdlib.h>
7#include <string.h>
8
9extern "C" {
10
11#include "includes.h"
12#include "sshkey.h"
13#include "ssherr.h"
14#include "sshbuf.h"
15#include "sshsig.h"
16#include "log.h"
17
18int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
19{
20 static const char *data = "If everyone started announcing his nose had "
21 "run away, I don’t know how it would all end";
22 struct sshbuf *signature = sshbuf_from(sig, slen);
23 struct sshbuf *message = sshbuf_from(data, strlen(data));
24 struct sshkey *k = NULL;
25 extern char *__progname;
26
27 log_init(__progname, SYSLOG_LEVEL_QUIET, SYSLOG_FACILITY_USER, 1);
28 sshsig_verifyb(signature, message, "castle", &k);
29 sshkey_free(k);
30 sshbuf_free(signature);
31 sshbuf_free(message);
32 return 0;
33}
34
35} // extern
diff --git a/regress/misc/fuzz-harness/sshsigopt_fuzz.cc b/regress/misc/fuzz-harness/sshsigopt_fuzz.cc
new file mode 100644
index 000000000..7424fcbe3
--- /dev/null
+++ b/regress/misc/fuzz-harness/sshsigopt_fuzz.cc
@@ -0,0 +1,29 @@
1#include <stddef.h>
2#include <stdio.h>
3#include <stdint.h>
4#include <string.h>
5#include <stdlib.h>
6
7extern "C" {
8
9#include "sshsig.h"
10
11int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
12{
13 char *cp = (char *)malloc(size + 1);
14 struct sshsigopt *opts = NULL;
15
16 if (cp == NULL)
17 goto out;
18 memcpy(cp, data, size);
19 cp[size] = '\0';
20 if ((opts = sshsigopt_parse(cp, "libfuzzer", 0, NULL)) == NULL)
21 goto out;
22
23 out:
24 free(cp);
25 sshsigopt_free(opts);
26 return 0;
27}
28
29} // extern "C"
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index de357c4d5..b5e604dba 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: multiplex.sh,v 1.29 2019/01/01 22:20:16 djm Exp $ 1# $OpenBSD: multiplex.sh,v 1.30 2019/07/05 04:03:13 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4make_tmpdir 4make_tmpdir
@@ -81,6 +81,7 @@ trace "forward over TCP/IP and check result"
81$NC -N -l 127.0.0.1 $((${PORT} + 1)) < ${DATA} > /dev/null & 81$NC -N -l 127.0.0.1 $((${PORT} + 1)) < ${DATA} > /dev/null &
82netcat_pid=$! 82netcat_pid=$!
83${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L127.0.0.1:$((${PORT} + 2)):127.0.0.1:$((${PORT} + 1)) otherhost >>$TEST_SSH_LOGFILE 2>&1 83${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L127.0.0.1:$((${PORT} + 2)):127.0.0.1:$((${PORT} + 1)) otherhost >>$TEST_SSH_LOGFILE 2>&1
84sleep 1 # XXX remove once race fixed
84$NC 127.0.0.1 $((${PORT} + 2)) < /dev/null > ${COPY} 85$NC 127.0.0.1 $((${PORT} + 2)) < /dev/null > ${COPY}
85cmp ${DATA} ${COPY} || fail "ssh: corrupted copy of ${DATA}" 86cmp ${DATA} ${COPY} || fail "ssh: corrupted copy of ${DATA}"
86kill $netcat_pid 2>/dev/null 87kill $netcat_pid 2>/dev/null
@@ -91,7 +92,8 @@ $NC -N -Ul $OBJ/unix-1.fwd < ${DATA} > /dev/null &
91netcat_pid=$! 92netcat_pid=$!
92${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L$OBJ/unix-2.fwd:$OBJ/unix-1.fwd otherhost >>$TEST_SSH_LOGFILE 2>&1 93${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L$OBJ/unix-2.fwd:$OBJ/unix-1.fwd otherhost >>$TEST_SSH_LOGFILE 2>&1
93${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R$OBJ/unix-3.fwd:$OBJ/unix-2.fwd otherhost >>$TEST_SSH_LOGFILE 2>&1 94${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R$OBJ/unix-3.fwd:$OBJ/unix-2.fwd otherhost >>$TEST_SSH_LOGFILE 2>&1
94$NC -U $OBJ/unix-3.fwd < /dev/null > ${COPY} 2>/dev/null 95sleep 1 # XXX remove once race fixed
96$NC -U $OBJ/unix-3.fwd < /dev/null > ${COPY}
95cmp ${DATA} ${COPY} || fail "ssh: corrupted copy of ${DATA}" 97cmp ${DATA} ${COPY} || fail "ssh: corrupted copy of ${DATA}"
96kill $netcat_pid 2>/dev/null 98kill $netcat_pid 2>/dev/null
97rm -f ${COPY} $OBJ/unix-[123].fwd 99rm -f ${COPY} $OBJ/unix-[123].fwd
@@ -122,6 +124,7 @@ ${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_REGRESS_LOGFILE 2>&1
122verbose "test $tid: cmd forward local (TCP)" 124verbose "test $tid: cmd forward local (TCP)"
123${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L $P:localhost:$PORT otherhost \ 125${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L $P:localhost:$PORT otherhost \
124 || fail "request local forward failed" 126 || fail "request local forward failed"
127sleep 1 # XXX remove once race fixed
125${SSH} -F $OBJ/ssh_config -p$P otherhost true \ 128${SSH} -F $OBJ/ssh_config -p$P otherhost true \
126 || fail "connect to local forward port failed" 129 || fail "connect to local forward port failed"
127${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -L $P:localhost:$PORT otherhost \ 130${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -L $P:localhost:$PORT otherhost \
@@ -132,6 +135,7 @@ ${SSH} -F $OBJ/ssh_config -p$P otherhost true \
132verbose "test $tid: cmd forward remote (TCP)" 135verbose "test $tid: cmd forward remote (TCP)"
133${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R $P:localhost:$PORT otherhost \ 136${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R $P:localhost:$PORT otherhost \
134 || fail "request remote forward failed" 137 || fail "request remote forward failed"
138sleep 1 # XXX remove once race fixed
135${SSH} -F $OBJ/ssh_config -p$P otherhost true \ 139${SSH} -F $OBJ/ssh_config -p$P otherhost true \
136 || fail "connect to remote forwarded port failed" 140 || fail "connect to remote forwarded port failed"
137${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -R $P:localhost:$PORT otherhost \ 141${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -R $P:localhost:$PORT otherhost \
@@ -142,6 +146,7 @@ ${SSH} -F $OBJ/ssh_config -p$P otherhost true \
142verbose "test $tid: cmd forward local (UNIX)" 146verbose "test $tid: cmd forward local (UNIX)"
143${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L $OBJ/unix-1.fwd:localhost:$PORT otherhost \ 147${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L $OBJ/unix-1.fwd:localhost:$PORT otherhost \
144 || fail "request local forward failed" 148 || fail "request local forward failed"
149sleep 1 # XXX remove once race fixed
145echo "" | $NC -U $OBJ/unix-1.fwd | \ 150echo "" | $NC -U $OBJ/unix-1.fwd | \
146 grep "Invalid SSH identification string" >/dev/null 2>&1 \ 151 grep "Invalid SSH identification string" >/dev/null 2>&1 \
147 || fail "connect to local forward path failed" 152 || fail "connect to local forward path failed"
@@ -154,6 +159,7 @@ rm -f $OBJ/unix-1.fwd
154verbose "test $tid: cmd forward remote (UNIX)" 159verbose "test $tid: cmd forward remote (UNIX)"
155${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R $OBJ/unix-1.fwd:localhost:$PORT otherhost \ 160${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R $OBJ/unix-1.fwd:localhost:$PORT otherhost \
156 || fail "request remote forward failed" 161 || fail "request remote forward failed"
162sleep 1 # XXX remove once race fixed
157echo "" | $NC -U $OBJ/unix-1.fwd | \ 163echo "" | $NC -U $OBJ/unix-1.fwd | \
158 grep "Invalid SSH identification string" >/dev/null 2>&1 \ 164 grep "Invalid SSH identification string" >/dev/null 2>&1 \
159 || fail "connect to remote forwarded path failed" 165 || fail "connect to remote forwarded path failed"
diff --git a/regress/principals-command.sh b/regress/principals-command.sh
index 197c00021..7d380325b 100644
--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: principals-command.sh,v 1.6 2018/11/22 08:48:32 dtucker Exp $ 1# $OpenBSD: principals-command.sh,v 1.7 2019/09/06 04:24:06 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="authorized principals command" 4tid="authorized principals command"
@@ -12,12 +12,17 @@ if [ -z "$SUDO" -a ! -w /var/run ]; then
12 exit 0 12 exit 0
13fi 13fi
14 14
15case "`${SSH} -Q key-plain`" in
16 *ssh-rsa*) userkeytype=rsa ;;
17 *) userkeytype=ed25519 ;;
18esac
19
15SERIAL=$$ 20SERIAL=$$
16 21
17# Create a CA key and a user certificate. 22# Create a CA key and a user certificate.
18${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ 23${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
19 fatal "ssh-keygen of user_ca_key failed" 24 fatal "ssh-keygen of user_ca_key failed"
20${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/cert_user_key || \ 25${SSHKEYGEN} -q -N '' -t ${userkeytype} -f $OBJ/cert_user_key || \
21 fatal "ssh-keygen of cert_user_key failed" 26 fatal "ssh-keygen of cert_user_key failed"
22${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \ 27${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \
23 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ 28 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
@@ -35,7 +40,7 @@ trap "$SUDO rm -f ${PRINCIPALS_COMMAND}" 0
35cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" 40cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
36#!/bin/sh 41#!/bin/sh
37test "x\$1" != "x${LOGNAME}" && exit 1 42test "x\$1" != "x${LOGNAME}" && exit 1
38test "x\$2" != "xssh-rsa-cert-v01@openssh.com" && exit 1 43test "x\$2" != "xssh-${userkeytype}-cert-v01@openssh.com" && exit 1
39test "x\$3" != "xssh-ed25519" && exit 1 44test "x\$3" != "xssh-ed25519" && exit 1
40test "x\$4" != "xJoanne User" && exit 1 45test "x\$4" != "xJoanne User" && exit 1
41test "x\$5" != "x${SERIAL}" && exit 1 46test "x\$5" != "x${SERIAL}" && exit 1
diff --git a/regress/scp-ssh-wrapper.sh b/regress/scp-ssh-wrapper.sh
index 59f1ff63e..7fb21f424 100644
--- a/regress/scp-ssh-wrapper.sh
+++ b/regress/scp-ssh-wrapper.sh
@@ -1,5 +1,5 @@
1#!/bin/sh 1#!/bin/sh
2# $OpenBSD: scp-ssh-wrapper.sh,v 1.3 2014/01/26 10:49:17 djm Exp $ 2# $OpenBSD: scp-ssh-wrapper.sh,v 1.4 2019/07/19 03:45:44 djm Exp $
3# Placed in the Public Domain. 3# Placed in the Public Domain.
4 4
5printname () { 5printname () {
@@ -51,6 +51,18 @@ badserver_4)
51 echo "C755 2 file" 51 echo "C755 2 file"
52 echo "X" 52 echo "X"
53 ;; 53 ;;
54badserver_5)
55 echo "D0555 0 "
56 echo "X"
57 ;;
58badserver_6)
59 echo "D0555 0 ."
60 echo "X"
61 ;;
62badserver_7)
63 echo "C0755 2 extrafile"
64 echo "X"
65 ;;
54*) 66*)
55 set -- $arg 67 set -- $arg
56 shift 68 shift
diff --git a/regress/scp.sh b/regress/scp.sh
index 57cc77066..62400efad 100644
--- a/regress/scp.sh
+++ b/regress/scp.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: scp.sh,v 1.10 2014/01/26 10:49:17 djm Exp $ 1# $OpenBSD: scp.sh,v 1.11 2019/07/19 03:45:44 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="scp" 4tid="scp"
@@ -25,6 +25,7 @@ export SCP # used in scp-ssh-wrapper.scp
25scpclean() { 25scpclean() {
26 rm -rf ${COPY} ${COPY2} ${DIR} ${DIR2} 26 rm -rf ${COPY} ${COPY2} ${DIR} ${DIR2}
27 mkdir ${DIR} ${DIR2} 27 mkdir ${DIR} ${DIR2}
28 chmod 755 ${DIR} ${DIR2}
28} 29}
29 30
30verbose "$tid: simple copy local file to local file" 31verbose "$tid: simple copy local file to local file"
@@ -101,7 +102,7 @@ if [ ! -z "$SUDO" ]; then
101 $SUDO rm ${DIR2}/copy 102 $SUDO rm ${DIR2}/copy
102fi 103fi
103 104
104for i in 0 1 2 3 4; do 105for i in 0 1 2 3 4 5 6 7; do
105 verbose "$tid: disallow bad server #$i" 106 verbose "$tid: disallow bad server #$i"
106 SCPTESTMODE=badserver_$i 107 SCPTESTMODE=badserver_$i
107 export DIR SCPTESTMODE 108 export DIR SCPTESTMODE
@@ -113,6 +114,15 @@ for i in 0 1 2 3 4; do
113 scpclean 114 scpclean
114 $SCP -r $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null 115 $SCP -r $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null
115 [ -d ${DIR}/dotpathdir ] && fail "allows dir creation outside of subdir" 116 [ -d ${DIR}/dotpathdir ] && fail "allows dir creation outside of subdir"
117
118 scpclean
119 $SCP -pr $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null
120 [ ! -w ${DIR2} ] && fail "allows target root attribute change"
121
122 scpclean
123 $SCP $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null
124 [ -e ${DIR2}/extrafile ] && fail "allows unauth object creation"
125 rm -f ${DIR2}/extrafile
116done 126done
117 127
118verbose "$tid: detect non-directory target" 128verbose "$tid: detect non-directory target"
diff --git a/regress/sshcfgparse.sh b/regress/sshcfgparse.sh
index e0ce568d7..2c00b64ef 100644
--- a/regress/sshcfgparse.sh
+++ b/regress/sshcfgparse.sh
@@ -1,8 +1,15 @@
1# $OpenBSD: sshcfgparse.sh,v 1.4 2018/07/04 13:51:12 djm Exp $ 1# $OpenBSD: sshcfgparse.sh,v 1.5 2019/07/23 13:32:48 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="ssh config parse" 4tid="ssh config parse"
5 5
6dsa=0
7for t in $SSH_KEYTYPES; do
8 case "$t" in
9 ssh-dss) dsa=1 ;;
10 esac
11done
12
6expect_result_present() { 13expect_result_present() {
7 _str="$1" ; shift 14 _str="$1" ; shift
8 for _expect in "$@" ; do 15 for _expect in "$@" ; do
@@ -75,15 +82,17 @@ f=`${SSH} -GF none -opubkeyacceptedkeytypes=-ssh-ed25519 host | \
75expect_result_present "$f" "ssh-ed25519-cert-v01.*" 82expect_result_present "$f" "ssh-ed25519-cert-v01.*"
76expect_result_absent "$f" "ssh-ed25519" "ssh-dss" 83expect_result_absent "$f" "ssh-ed25519" "ssh-dss"
77# Append to default set. 84# Append to default set.
78# XXX this will break for !WITH_OPENSSL 85# This is not tested when built !WITH_OPENSSL
79f=`${SSH} -GF none -opubkeyacceptedkeytypes=+ssh-dss-cert* host | \ 86if [ "$dsa" = "1" ]; then
80 awk '/^pubkeyacceptedkeytypes /{print $2}'` 87 f=`${SSH} -GF none -opubkeyacceptedkeytypes=+ssh-dss-cert* host | \
81expect_result_present "$f" "ssh-ed25519" "ssh-dss-cert-v01.*" 88 awk '/^pubkeyacceptedkeytypes /{print $2}'`
82expect_result_absent "$f" "ssh-dss" 89 expect_result_present "$f" "ssh-ed25519" "ssh-dss-cert-v01.*"
83f=`${SSH} -GF none -opubkeyacceptedkeytypes=+ssh-dss host | \ 90 expect_result_absent "$f" "ssh-dss"
84 awk '/^pubkeyacceptedkeytypes /{print $2}'` 91 f=`${SSH} -GF none -opubkeyacceptedkeytypes=+ssh-dss host | \
85expect_result_present "$f" "ssh-ed25519" "ssh-ed25519-cert-v01.*" "ssh-dss" 92 awk '/^pubkeyacceptedkeytypes /{print $2}'`
86expect_result_absent "$f" "ssh-dss-cert-v01.*" 93 expect_result_present "$f" "ssh-ed25519" "ssh-ed25519-cert-v01.*" "ssh-dss"
94 expect_result_absent "$f" "ssh-dss-cert-v01.*"
95fi
87 96
88# cleanup 97# cleanup
89rm -f $OBJ/ssh_config.[012] 98rm -f $OBJ/ssh_config.[012]
diff --git a/regress/sshsig.sh b/regress/sshsig.sh
new file mode 100644
index 000000000..eb99486ae
--- /dev/null
+++ b/regress/sshsig.sh
@@ -0,0 +1,196 @@
1# $OpenBSD: sshsig.sh,v 1.2 2019/10/04 03:39:19 djm Exp $
2# Placed in the Public Domain.
3
4tid="sshsig"
5
6DATA2=$OBJ/${DATANAME}.2
7cat ${DATA} ${DATA} > ${DATA2}
8
9rm -f $OBJ/sshsig-*.sig $OBJ/wrong-key* $OBJ/sigca-key*
10
11sig_namespace="test-$$"
12sig_principal="user-$$@example.com"
13
14# Make a "wrong key"
15${SSHKEYGEN} -t ed25519 -f $OBJ/wrong-key -C "wrong trousers, Grommit" -N '' \
16 || fatal "couldn't generate key"
17WRONG=$OBJ/wrong-key.pub
18
19# Make a CA key.
20${SSHKEYGEN} -t ed25519 -f $OBJ/sigca-key -C "CA" -N '' \
21 || fatal "couldn't generate key"
22CA_PRIV=$OBJ/sigca-key
23CA_PUB=$OBJ/sigca-key.pub
24
25trace "start agent"
26eval `${SSHAGENT} -s` > /dev/null
27r=$?
28if [ $r -ne 0 ]; then
29 fatal "could not start ssh-agent: exit code $r"
30fi
31
32SIGNKEYS="$SSH_KEYTYPES"
33verbose "$tid: make certificates"
34for t in $SSH_KEYTYPES ; do
35 ${SSHKEYGEN} -q -s $CA_PRIV -z $$ \
36 -I "regress signature key for $USER" \
37 -n $sig_principal $OBJ/${t} || \
38 fatal "couldn't sign ${t}"
39 SIGNKEYS="$SIGNKEYS ${t}-cert.pub"
40done
41
42for t in $SIGNKEYS; do
43 verbose "$tid: check signature for $t"
44 keybase=`basename $t .pub`
45 privkey=${OBJ}/`basename $t -cert.pub`
46 sigfile=${OBJ}/sshsig-${keybase}.sig
47 sigfile_agent=${OBJ}/sshsig-agent-${keybase}.sig
48 pubkey=${OBJ}/${keybase}.pub
49
50 ${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
51 < $DATA > $sigfile 2>/dev/null || fail "sign using $t failed"
52
53 (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
54 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
55 -I $sig_principal -f $OBJ/allowed_signers \
56 < $DATA >/dev/null 2>&1 || \
57 fail "failed signature for $t key"
58
59 (printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
60 cat $pubkey) > $OBJ/allowed_signers
61 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
62 -I $sig_principal -f $OBJ/allowed_signers \
63 < $DATA >/dev/null 2>&1 || \
64 fail "failed signature for $t key w/ limited namespace"
65
66 # Invalid option
67 (printf "$sig_principal octopus " ; cat $pubkey) > $OBJ/allowed_signers
68 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
69 -I $sig_principal -f $OBJ/allowed_signers \
70 < $DATA >/dev/null 2>&1 && \
71 fail "accepted signature for $t key with bad signers option"
72
73 # Wrong key trusted.
74 (printf "$sig_principal " ; cat $WRONG) > $OBJ/allowed_signers
75 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
76 -I $sig_principal -f $OBJ/allowed_signers \
77 < $DATA >/dev/null 2>&1 && \
78 fail "accepted signature for $t key with wrong key trusted"
79
80 # incorrect data
81 (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
82 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
83 -I $sig_principal -f $OBJ/allowed_signers \
84 < $DATA2 >/dev/null 2>&1 && \
85 fail "passed signature for wrong data with $t key"
86
87 # wrong principal in signers
88 (printf "josef.k@example.com " ; cat $pubkey) > $OBJ/allowed_signers
89 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
90 -I $sig_principal -f $OBJ/allowed_signers \
91 < $DATA >/dev/null 2>&1 && \
92 fail "accepted signature for $t key with wrong principal"
93
94 # wrong namespace
95 (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
96 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n COWS_COWS_COWS \
97 -I $sig_principal -f $OBJ/allowed_signers \
98 < $DATA >/dev/null 2>&1 && \
99 fail "accepted signature for $t key with wrong namespace"
100
101 # namespace excluded by option
102 (printf "$sig_principal namespaces=\"whatever\" " ;
103 cat $pubkey) > $OBJ/allowed_signers
104 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
105 -I $sig_principal -f $OBJ/allowed_signers \
106 < $DATA >/dev/null 2>&1 && \
107 fail "accepted signature for $t key with excluded namespace"
108
109 # public key in revoked keys file
110 cat $pubkey > $OBJ/revoked_keys
111 (printf "$sig_principal namespaces=\"whatever\" " ;
112 cat $pubkey) > $OBJ/allowed_signers
113 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
114 -I $sig_principal -f $OBJ/allowed_signers \
115 -r $OBJ/revoked_keys \
116 < $DATA >/dev/null 2>&1 && \
117 fail "accepted signature for $t key, but key is in revoked_keys"
118
119 # public key not revoked, but other are present in revoked_keysfile
120 cat $WRONG > $OBJ/revoked_keys
121 (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
122 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
123 -I $sig_principal -f $OBJ/allowed_signers \
124 -r $OBJ/revoked_keys \
125 < $DATA >/dev/null 2>&1 || \
126 fail "couldn't verify signature for $t key, but key not in revoked_keys"
127
128 # check-novalidate with valid data
129 ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
130 < $DATA >/dev/null 2>&1 || \
131 fail "failed to check valid signature for $t key"
132
133 # check-novalidate with invalid data
134 ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
135 < $DATA2 >/dev/null 2>&1 && \
136 fail "sucessfully checked signature for $t key with invalid data"
137
138 # Check signing keys using ssh-agent.
139 ${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys.
140 ${SSHADD} ${privkey} > /dev/null 2>&1 || fail "ssh-add failed"
141
142 # Move private key to ensure agent key is used
143 mv ${privkey} ${privkey}.tmp
144
145 ${SSHKEYGEN} -vvv -Y sign -f $pubkey -n $sig_namespace \
146 < $DATA > $sigfile_agent 2>/dev/null || \
147 fail "ssh-agent based sign using $pubkey failed"
148 ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile_agent \
149 -n $sig_namespace < $DATA >/dev/null 2>&1 || \
150 fail "failed to check valid signature for $t key"
151
152 # Move private key back
153 mv ${privkey}.tmp ${privkey}
154
155 # Remaining tests are for certificates only.
156 case "$keybase" in
157 *-cert) ;;
158 *) continue ;;
159 esac
160
161
162 # correct CA key
163 (printf "$sig_principal cert-authority " ;
164 cat $CA_PUB) > $OBJ/allowed_signers
165 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
166 -I $sig_principal -f $OBJ/allowed_signers \
167 < $DATA >/dev/null 2>&1 || \
168 fail "failed signature for $t cert"
169
170 # signing key listed as cert-authority
171 (printf "$sig_principal cert-authority" ;
172 cat $pubkey) > $OBJ/allowed_signers
173 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
174 -I $sig_principal -f $OBJ/allowed_signers \
175 < $DATA >/dev/null 2>&1 && \
176 fail "accepted signature with $t key listed as CA"
177
178 # CA key not flagged cert-authority
179 (printf "$sig_principal " ; cat $CA_PUB) > $OBJ/allowed_signers
180 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
181 -I $sig_principal -f $OBJ/allowed_signers \
182 < $DATA >/dev/null 2>&1 && \
183 fail "accepted signature for $t cert with CA not marked"
184
185 # mismatch between cert principal and file
186 (printf "josef.k@example.com cert-authority" ;
187 cat $CA_PUB) > $OBJ/allowed_signers
188 ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
189 -I $sig_principal -f $OBJ/allowed_signers \
190 < $DATA >/dev/null 2>&1 && \
191 fail "accepted signature for $t cert with wrong principal"
192done
193
194trace "kill agent"
195${SSHAGENT} -k > /dev/null
196
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index b8e2009de..508b93284 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: test-exec.sh,v 1.65 2019/01/27 06:30:53 dtucker Exp $ 1# $OpenBSD: test-exec.sh,v 1.66 2019/07/05 04:12:46 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4#SUDO=sudo 4#SUDO=sudo
@@ -152,13 +152,22 @@ SFTPSERVER_BIN=${SFTPSERVER}
152SCP_BIN=${SCP} 152SCP_BIN=${SCP}
153 153
154if [ "x$USE_VALGRIND" != "x" ]; then 154if [ "x$USE_VALGRIND" != "x" ]; then
155 mkdir -p $OBJ/valgrind-out 155 rm -rf $OBJ/valgrind-out $OBJ/valgrind-vgdb
156 mkdir -p $OBJ/valgrind-out $OBJ/valgrind-vgdb
157 # When using sudo ensure low-priv tests can write pipes and logs.
158 if [ "x$SUDO" != "x" ]; then
159 chmod 777 $OBJ/valgrind-out $OBJ/valgrind-vgdb
160 fi
156 VG_TEST=`basename $SCRIPT .sh` 161 VG_TEST=`basename $SCRIPT .sh`
157 162
158 # Some tests are difficult to fix. 163 # Some tests are difficult to fix.
159 case "$VG_TEST" in 164 case "$VG_TEST" in
160 connect-privsep|reexec) 165 reexec)
161 VG_SKIP=1 ;; 166 VG_SKIP=1 ;;
167 sftp-chroot)
168 if [ "x${SUDO}" != "x" ]; then
169 VG_SKIP=1
170 fi ;;
162 esac 171 esac
163 172
164 if [ x"$VG_SKIP" = "x" ]; then 173 if [ x"$VG_SKIP" = "x" ]; then
@@ -171,6 +180,7 @@ if [ "x$USE_VALGRIND" != "x" ]; then
171 VG_OPTS="--track-origins=yes $VG_LEAK" 180 VG_OPTS="--track-origins=yes $VG_LEAK"
172 VG_OPTS="$VG_OPTS --trace-children=yes" 181 VG_OPTS="$VG_OPTS --trace-children=yes"
173 VG_OPTS="$VG_OPTS --trace-children-skip=${VG_IGNORE}" 182 VG_OPTS="$VG_OPTS --trace-children-skip=${VG_IGNORE}"
183 VG_OPTS="$VG_OPTS --vgdb-prefix=$OBJ/valgrind-vgdb/"
174 VG_PATH="valgrind" 184 VG_PATH="valgrind"
175 if [ "x$VALGRIND_PATH" != "x" ]; then 185 if [ "x$VALGRIND_PATH" != "x" ]; then
176 VG_PATH="$VALGRIND_PATH" 186 VG_PATH="$VALGRIND_PATH"
@@ -527,13 +537,13 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
527 >> $OBJ/authorized_keys_$USER 537 >> $OBJ/authorized_keys_$USER
528 538
529 # Convert rsa2 host key to PuTTY format 539 # Convert rsa2 host key to PuTTY format
530 cp $OBJ/rsa $OBJ/rsa_oldfmt 540 cp $OBJ/ssh-rsa $OBJ/ssh-rsa_oldfmt
531 ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/rsa_oldfmt >/dev/null 541 ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/ssh-rsa_oldfmt >/dev/null
532 ${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/rsa_oldfmt > \ 542 ${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/ssh-rsa_oldfmt > \
533 ${OBJ}/.putty/sshhostkeys 543 ${OBJ}/.putty/sshhostkeys
534 ${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/rsa_oldfmt >> \ 544 ${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/ssh-rsa_oldfmt >> \
535 ${OBJ}/.putty/sshhostkeys 545 ${OBJ}/.putty/sshhostkeys
536 rm -f $OBJ/rsa_oldfmt 546 rm -f $OBJ/ssh-rsa_oldfmt
537 547
538 # Setup proxied session 548 # Setup proxied session
539 mkdir -p ${OBJ}/.putty/sessions 549 mkdir -p ${OBJ}/.putty/sessions
@@ -581,6 +591,31 @@ start_sshd ()
581 591
582# kill sshd 592# kill sshd
583cleanup 593cleanup
594
595if [ "x$USE_VALGRIND" != "x" ]; then
596 # wait for any running process to complete
597 wait; sleep 1
598 VG_RESULTS=$(find $OBJ/valgrind-out -type f -print)
599 VG_RESULT_COUNT=0
600 VG_FAIL_COUNT=0
601 for i in $VG_RESULTS; do
602 if grep "ERROR SUMMARY" $i >/dev/null; then
603 VG_RESULT_COUNT=$(($VG_RESULT_COUNT + 1))
604 if ! grep "ERROR SUMMARY: 0 errors" $i >/dev/null; then
605 VG_FAIL_COUNT=$(($VG_FAIL_COUNT + 1))
606 RESULT=1
607 verbose valgrind failure $i
608 cat $i
609 fi
610 fi
611 done
612 if [ x"$VG_SKIP" != "x" ]; then
613 verbose valgrind skipped
614 else
615 verbose valgrind results $VG_RESULT_COUNT failures $VG_FAIL_COUNT
616 fi
617fi
618
584if [ $RESULT -eq 0 ]; then 619if [ $RESULT -eq 0 ]; then
585 verbose ok $tid 620 verbose ok $tid
586else 621else
diff --git a/regress/unittests/Makefile b/regress/unittests/Makefile
index e464b085a..4e56e1104 100644
--- a/regress/unittests/Makefile
+++ b/regress/unittests/Makefile
@@ -1,7 +1,7 @@
1# $OpenBSD: Makefile,v 1.10 2018/03/03 03:16:17 djm Exp $ 1# $OpenBSD: Makefile,v 1.11 2019/04/28 22:53:26 dtucker Exp $
2 2
3REGRESS_FAIL_EARLY?= yes 3REGRESS_FAIL_EARLY?= yes
4SUBDIR= test_helper sshbuf sshkey bitmap kex hostkeys utf8 match conversion 4SUBDIR= test_helper sshbuf sshkey bitmap kex hostkeys utf8 match conversion
5SUBDIR+=authopt 5SUBDIR+=authopt misc
6 6
7.include <bsd.subdir.mk> 7.include <bsd.subdir.mk>
diff --git a/regress/unittests/bitmap/tests.c b/regress/unittests/bitmap/tests.c
index 23025f90a..f66a4ce46 100644
--- a/regress/unittests/bitmap/tests.c
+++ b/regress/unittests/bitmap/tests.c
@@ -16,7 +16,9 @@
16#include <stdlib.h> 16#include <stdlib.h>
17#include <string.h> 17#include <string.h>
18 18
19#ifdef WITH_OPENSSL
19#include <openssl/bn.h> 20#include <openssl/bn.h>
21#endif
20 22
21#include "../test_helper/test_helper.h" 23#include "../test_helper/test_helper.h"
22 24
@@ -27,6 +29,7 @@
27void 29void
28tests(void) 30tests(void)
29{ 31{
32#ifdef WITH_OPENSSL
30 struct bitmap *b; 33 struct bitmap *b;
31 BIGNUM *bn; 34 BIGNUM *bn;
32 size_t len; 35 size_t len;
@@ -131,5 +134,6 @@ tests(void)
131 bitmap_free(b); 134 bitmap_free(b);
132 BN_free(bn); 135 BN_free(bn);
133 TEST_DONE(); 136 TEST_DONE();
137#endif
134} 138}
135 139
diff --git a/regress/unittests/conversion/tests.c b/regress/unittests/conversion/tests.c
index 6dd77ef42..ae1154d42 100644
--- a/regress/unittests/conversion/tests.c
+++ b/regress/unittests/conversion/tests.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tests.c,v 1.1 2017/03/14 01:20:29 dtucker Exp $ */ 1/* $OpenBSD: tests.c,v 1.2 2019/06/14 04:03:48 djm Exp $ */
2/* 2/*
3 * Regress test for conversions 3 * Regress test for conversions
4 * 4 *
@@ -40,6 +40,8 @@ tests(void)
40 ASSERT_LONG_EQ(convtime("-9d"), -1); 40 ASSERT_LONG_EQ(convtime("-9d"), -1);
41 41
42 /* overflow */ 42 /* overflow */
43 snprintf(buf, sizeof buf, "%llu", (unsigned long long)LONG_MAX);
44 ASSERT_LONG_EQ(convtime(buf), -1);
43 snprintf(buf, sizeof buf, "%llu", (unsigned long long)LONG_MAX + 1); 45 snprintf(buf, sizeof buf, "%llu", (unsigned long long)LONG_MAX + 1);
44 ASSERT_LONG_EQ(convtime(buf), -1); 46 ASSERT_LONG_EQ(convtime(buf), -1);
45 47
diff --git a/regress/unittests/hostkeys/test_iterate.c b/regress/unittests/hostkeys/test_iterate.c
index d6963bd2a..5904121ef 100644
--- a/regress/unittests/hostkeys/test_iterate.c
+++ b/regress/unittests/hostkeys/test_iterate.c
@@ -57,7 +57,7 @@ check(struct hostkey_foreach_line *l, void *_ctx)
57 int parse_key = (ctx->flags & HKF_WANT_PARSE_KEY) != 0; 57 int parse_key = (ctx->flags & HKF_WANT_PARSE_KEY) != 0;
58 const int matching = (ctx->flags & HKF_WANT_MATCH) != 0; 58 const int matching = (ctx->flags & HKF_WANT_MATCH) != 0;
59 u_int expected_status, expected_match; 59 u_int expected_status, expected_match;
60 int expected_keytype; 60 int expected_keytype, skip = 0;
61 61
62 test_subtest_info("entry %zu/%zu, file line %ld", 62 test_subtest_info("entry %zu/%zu, file line %ld",
63 ctx->i + 1, ctx->nexpected, l->linenum); 63 ctx->i + 1, ctx->nexpected, l->linenum);
@@ -92,13 +92,23 @@ check(struct hostkey_foreach_line *l, void *_ctx)
92 92
93#ifndef OPENSSL_HAS_ECC 93#ifndef OPENSSL_HAS_ECC
94 if (expected->l.keytype == KEY_ECDSA || 94 if (expected->l.keytype == KEY_ECDSA ||
95 expected->no_parse_keytype == KEY_ECDSA) { 95 expected->no_parse_keytype == KEY_ECDSA)
96 skip = 1;
97#endif /* OPENSSL_HAS_ECC */
98#ifndef WITH_OPENSSL
99 if (expected->l.keytype == KEY_DSA ||
100 expected->no_parse_keytype == KEY_DSA ||
101 expected->l.keytype == KEY_RSA ||
102 expected->no_parse_keytype == KEY_RSA ||
103 expected->l.keytype == KEY_ECDSA ||
104 expected->no_parse_keytype == KEY_ECDSA)
105 skip = 1;
106#endif /* WITH_OPENSSL */
107 if (skip) {
96 expected_status = HKF_STATUS_INVALID; 108 expected_status = HKF_STATUS_INVALID;
97 expected_keytype = KEY_UNSPEC; 109 expected_keytype = KEY_UNSPEC;
98 parse_key = 0; 110 parse_key = 0;
99 } 111 }
100#endif
101
102 UPDATE_MATCH_STATUS(match_host_p); 112 UPDATE_MATCH_STATUS(match_host_p);
103 UPDATE_MATCH_STATUS(match_host_s); 113 UPDATE_MATCH_STATUS(match_host_s);
104 UPDATE_MATCH_STATUS(match_ipv4); 114 UPDATE_MATCH_STATUS(match_ipv4);
@@ -145,7 +155,15 @@ prepare_expected(struct expected *expected, size_t n)
145#ifndef OPENSSL_HAS_ECC 155#ifndef OPENSSL_HAS_ECC
146 if (expected[i].l.keytype == KEY_ECDSA) 156 if (expected[i].l.keytype == KEY_ECDSA)
147 continue; 157 continue;
148#endif 158#endif /* OPENSSL_HAS_ECC */
159#ifndef WITH_OPENSSL
160 switch (expected[i].l.keytype) {
161 case KEY_RSA:
162 case KEY_DSA:
163 case KEY_ECDSA:
164 continue;
165 }
166#endif /* WITH_OPENSSL */
149 ASSERT_INT_EQ(sshkey_load_public( 167 ASSERT_INT_EQ(sshkey_load_public(
150 test_data_file(expected[i].key_file), &expected[i].l.key, 168 test_data_file(expected[i].key_file), &expected[i].l.key,
151 NULL), 0); 169 NULL), 0);
diff --git a/regress/unittests/kex/test_kex.c b/regress/unittests/kex/test_kex.c
index a860efc02..0e7cd9e07 100644
--- a/regress/unittests/kex/test_kex.c
+++ b/regress/unittests/kex/test_kex.c
@@ -142,13 +142,15 @@ do_kex_with_key(char *kex, int keytype, int bits)
142 sshbuf_free(state); 142 sshbuf_free(state);
143 ASSERT_PTR_NE(server2->kex, NULL); 143 ASSERT_PTR_NE(server2->kex, NULL);
144 /* XXX we need to set the callbacks */ 144 /* XXX we need to set the callbacks */
145#ifdef WITH_OPENSSL
145 server2->kex->kex[KEX_DH_GRP1_SHA1] = kex_gen_server; 146 server2->kex->kex[KEX_DH_GRP1_SHA1] = kex_gen_server;
146 server2->kex->kex[KEX_DH_GRP14_SHA1] = kex_gen_server; 147 server2->kex->kex[KEX_DH_GRP14_SHA1] = kex_gen_server;
147 server2->kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; 148 server2->kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
148 server2->kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; 149 server2->kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
149#ifdef OPENSSL_HAS_ECC 150#ifdef OPENSSL_HAS_ECC
150 server2->kex->kex[KEX_ECDH_SHA2] = kex_gen_server; 151 server2->kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
151#endif 152#endif /* OPENSSL_HAS_ECC */
153#endif /* WITH_OPENSSL */
152 server2->kex->kex[KEX_C25519_SHA256] = kex_gen_server; 154 server2->kex->kex[KEX_C25519_SHA256] = kex_gen_server;
153 server2->kex->load_host_public_key = server->kex->load_host_public_key; 155 server2->kex->load_host_public_key = server->kex->load_host_public_key;
154 server2->kex->load_host_private_key = server->kex->load_host_private_key; 156 server2->kex->load_host_private_key = server->kex->load_host_private_key;
@@ -175,11 +177,13 @@ do_kex_with_key(char *kex, int keytype, int bits)
175static void 177static void
176do_kex(char *kex) 178do_kex(char *kex)
177{ 179{
180#ifdef WITH_OPENSSL
178 do_kex_with_key(kex, KEY_RSA, 2048); 181 do_kex_with_key(kex, KEY_RSA, 2048);
179 do_kex_with_key(kex, KEY_DSA, 1024); 182 do_kex_with_key(kex, KEY_DSA, 1024);
180#ifdef OPENSSL_HAS_ECC 183#ifdef OPENSSL_HAS_ECC
181 do_kex_with_key(kex, KEY_ECDSA, 256); 184 do_kex_with_key(kex, KEY_ECDSA, 256);
182#endif 185#endif /* OPENSSL_HAS_ECC */
186#endif /* WITH_OPENSSL */
183 do_kex_with_key(kex, KEY_ED25519, 256); 187 do_kex_with_key(kex, KEY_ED25519, 256);
184} 188}
185 189
@@ -187,13 +191,15 @@ void
187kex_tests(void) 191kex_tests(void)
188{ 192{
189 do_kex("curve25519-sha256@libssh.org"); 193 do_kex("curve25519-sha256@libssh.org");
194#ifdef WITH_OPENSSL
190#ifdef OPENSSL_HAS_ECC 195#ifdef OPENSSL_HAS_ECC
191 do_kex("ecdh-sha2-nistp256"); 196 do_kex("ecdh-sha2-nistp256");
192 do_kex("ecdh-sha2-nistp384"); 197 do_kex("ecdh-sha2-nistp384");
193 do_kex("ecdh-sha2-nistp521"); 198 do_kex("ecdh-sha2-nistp521");
194#endif 199#endif /* OPENSSL_HAS_ECC */
195 do_kex("diffie-hellman-group-exchange-sha256"); 200 do_kex("diffie-hellman-group-exchange-sha256");
196 do_kex("diffie-hellman-group-exchange-sha1"); 201 do_kex("diffie-hellman-group-exchange-sha1");
197 do_kex("diffie-hellman-group14-sha1"); 202 do_kex("diffie-hellman-group14-sha1");
198 do_kex("diffie-hellman-group1-sha1"); 203 do_kex("diffie-hellman-group1-sha1");
204#endif /* WITH_OPENSSL */
199} 205}
diff --git a/regress/unittests/sshbuf/test_sshbuf_getput_basic.c b/regress/unittests/sshbuf/test_sshbuf_getput_basic.c
index 966e8432b..bea89881a 100644
--- a/regress/unittests/sshbuf/test_sshbuf_getput_basic.c
+++ b/regress/unittests/sshbuf/test_sshbuf_getput_basic.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_sshbuf_getput_basic.c,v 1.1 2014/04/30 05:32:00 djm Exp $ */ 1/* $OpenBSD: test_sshbuf_getput_basic.c,v 1.2 2019/07/14 23:33:19 djm Exp $ */
2/* 2/*
3 * Regress test for sshbuf.h buffer API 3 * Regress test for sshbuf.h buffer API
4 * 4 *
@@ -481,4 +481,233 @@ sshbuf_getput_basic_tests(void)
481 ASSERT_MEM_EQ(sshbuf_ptr(p1), bn_exp3, sizeof(bn_exp3)); 481 ASSERT_MEM_EQ(sshbuf_ptr(p1), bn_exp3, sizeof(bn_exp3));
482 sshbuf_free(p1); 482 sshbuf_free(p1);
483 TEST_DONE(); 483 TEST_DONE();
484
485 TEST_START("sshbuf_peek_u64");
486 p1 = sshbuf_new();
487 ASSERT_PTR_NE(p1, NULL);
488 ASSERT_INT_EQ(sshbuf_put(p1, x, sizeof(x)), 0);
489 ASSERT_INT_EQ(sshbuf_peek_u64(p1, 0, &v64), 0);
490 ASSERT_U64_EQ(v64, 0x1122334455667788ULL);
491 ASSERT_INT_EQ(sshbuf_peek_u64(p1, 2, &v64), 0);
492 ASSERT_U64_EQ(v64, 0x3344556677880099ULL);
493 ASSERT_INT_EQ(sshbuf_peek_u64(p1, 3, &v64), SSH_ERR_MESSAGE_INCOMPLETE);
494 ASSERT_INT_EQ(sshbuf_peek_u64(p1, sizeof(x), &v64),
495 SSH_ERR_MESSAGE_INCOMPLETE);
496 ASSERT_INT_EQ(sshbuf_peek_u64(p1, 1000, &v64),
497 SSH_ERR_MESSAGE_INCOMPLETE);
498 sshbuf_free(p1);
499 TEST_DONE();
500
501 TEST_START("sshbuf_peek_u32");
502 p1 = sshbuf_new();
503 ASSERT_PTR_NE(p1, NULL);
504 ASSERT_INT_EQ(sshbuf_put(p1, x, sizeof(x)), 0);
505 ASSERT_INT_EQ(sshbuf_peek_u32(p1, 0, &v32), 0);
506 ASSERT_U32_EQ(v32, 0x11223344);
507 ASSERT_INT_EQ(sshbuf_peek_u32(p1, 6, &v32), 0);
508 ASSERT_U32_EQ(v32, 0x77880099);
509 ASSERT_INT_EQ(sshbuf_peek_u32(p1, 7, &v32), SSH_ERR_MESSAGE_INCOMPLETE);
510 ASSERT_INT_EQ(sshbuf_peek_u32(p1, sizeof(x), &v32),
511 SSH_ERR_MESSAGE_INCOMPLETE);
512 ASSERT_INT_EQ(sshbuf_peek_u32(p1, 1000, &v32),
513 SSH_ERR_MESSAGE_INCOMPLETE);
514 sshbuf_free(p1);
515 TEST_DONE();
516
517 TEST_START("sshbuf_peek_u16");
518 p1 = sshbuf_new();
519 ASSERT_PTR_NE(p1, NULL);
520 ASSERT_INT_EQ(sshbuf_put(p1, x, sizeof(x)), 0);
521 ASSERT_INT_EQ(sshbuf_peek_u16(p1, 0, &v16), 0);
522 ASSERT_U16_EQ(v16, 0x1122);
523 ASSERT_INT_EQ(sshbuf_peek_u16(p1, 8, &v16), 0);
524 ASSERT_U16_EQ(v16, 0x99);
525 ASSERT_INT_EQ(sshbuf_peek_u16(p1, 9, &v16), SSH_ERR_MESSAGE_INCOMPLETE);
526 ASSERT_INT_EQ(sshbuf_peek_u16(p1, sizeof(x), &v16),
527 SSH_ERR_MESSAGE_INCOMPLETE);
528 ASSERT_INT_EQ(sshbuf_peek_u16(p1, 1000, &v16),
529 SSH_ERR_MESSAGE_INCOMPLETE);
530 sshbuf_free(p1);
531 TEST_DONE();
532
533 TEST_START("sshbuf_peek_u8");
534 p1 = sshbuf_new();
535 ASSERT_PTR_NE(p1, NULL);
536 ASSERT_INT_EQ(sshbuf_put(p1, x, sizeof(x)), 0);
537 ASSERT_INT_EQ(sshbuf_peek_u8(p1, 0, &v8), 0);
538 ASSERT_U8_EQ(v8, 0x11);
539 ASSERT_INT_EQ(sshbuf_peek_u8(p1, 9, &v8), 0);
540 ASSERT_U8_EQ(v8, 0x99);
541 ASSERT_INT_EQ(sshbuf_peek_u8(p1, sizeof(x), &v8),
542 SSH_ERR_MESSAGE_INCOMPLETE);
543 ASSERT_INT_EQ(sshbuf_peek_u8(p1, 1000, &v8),
544 SSH_ERR_MESSAGE_INCOMPLETE);
545 sshbuf_free(p1);
546 TEST_DONE();
547
548 TEST_START("sshbuf_poke_u64");
549 p1 = sshbuf_new();
550 ASSERT_PTR_NE(p1, NULL);
551 ASSERT_INT_EQ(sshbuf_reserve(p1, 10, NULL), 0);
552 /* poke at start of buffer */
553 ASSERT_INT_EQ(sshbuf_poke_u64(p1, 0, 0xa1b2c3d4e5f60718ULL), 0);
554 s2 = sshbuf_dtob16(p1);
555 ASSERT_PTR_NE(s2, NULL);
556 ASSERT_STRING_EQ(s2, "a1b2c3d4e5f607180000");
557 free(s2);
558 sshbuf_reset(p1);
559 ASSERT_INT_EQ(sshbuf_reserve(p1, 10, NULL), 0);
560 /* poke aligned with end of buffer */
561 ASSERT_INT_EQ(sshbuf_poke_u64(p1, 2, 0xa1b2c3d4e5f60718ULL), 0);
562 s2 = sshbuf_dtob16(p1);
563 ASSERT_PTR_NE(s2, NULL);
564 ASSERT_STRING_EQ(s2, "0000a1b2c3d4e5f60718");
565 free(s2);
566 sshbuf_reset(p1);
567 ASSERT_INT_EQ(sshbuf_reserve(p1, 10, NULL), 0);
568 /* poke past end of buffer */
569 ASSERT_INT_EQ(sshbuf_poke_u64(p1, 3, 0xa1b2c3d4e5f60718ULL),
570 SSH_ERR_NO_BUFFER_SPACE);
571 ASSERT_INT_EQ(sshbuf_poke_u64(p1, 10, 0xa1b2c3d4e5f60718ULL),
572 SSH_ERR_NO_BUFFER_SPACE);
573 ASSERT_INT_EQ(sshbuf_poke_u64(p1, 1000, 0xa1b2c3d4e5f60718ULL),
574 SSH_ERR_NO_BUFFER_SPACE);
575 /* ensure failed pokes do not modify buffer */
576 s2 = sshbuf_dtob16(p1);
577 ASSERT_PTR_NE(s2, NULL);
578 ASSERT_STRING_EQ(s2, "00000000000000000000");
579 sshbuf_free(p1);
580 TEST_DONE();
581
582 TEST_START("sshbuf_poke_u32");
583 p1 = sshbuf_new();
584 ASSERT_PTR_NE(p1, NULL);
585 ASSERT_INT_EQ(sshbuf_reserve(p1, 10, NULL), 0);
586 /* poke at start of buffer */
587 ASSERT_INT_EQ(sshbuf_poke_u32(p1, 0, 0xa1b2c3d4), 0);
588 s2 = sshbuf_dtob16(p1);
589 ASSERT_PTR_NE(s2, NULL);
590 ASSERT_STRING_EQ(s2, "a1b2c3d4000000000000");
591 free(s2);
592 sshbuf_reset(p1);
593 ASSERT_INT_EQ(sshbuf_reserve(p1, 10, NULL), 0);
594 /* poke aligned with end of buffer */
595 ASSERT_INT_EQ(sshbuf_poke_u32(p1, 6, 0xa1b2c3d4), 0);
596 s2 = sshbuf_dtob16(p1);
597 ASSERT_PTR_NE(s2, NULL);
598 ASSERT_STRING_EQ(s2, "000000000000a1b2c3d4");
599 free(s2);
600 sshbuf_reset(p1);
601 ASSERT_INT_EQ(sshbuf_reserve(p1, 10, NULL), 0);
602 /* poke past end of buffer */
603 ASSERT_INT_EQ(sshbuf_poke_u32(p1, 7, 0xa1b2c3d4),
604 SSH_ERR_NO_BUFFER_SPACE);
605 ASSERT_INT_EQ(sshbuf_poke_u32(p1, 10, 0xa1b2c3d4),
606 SSH_ERR_NO_BUFFER_SPACE);
607 ASSERT_INT_EQ(sshbuf_poke_u32(p1, 1000, 0xa1b2c3d4),
608 SSH_ERR_NO_BUFFER_SPACE);
609 /* ensure failed pokes do not modify buffer */
610 s2 = sshbuf_dtob16(p1);
611 ASSERT_PTR_NE(s2, NULL);
612 ASSERT_STRING_EQ(s2, "00000000000000000000");
613 sshbuf_free(p1);
614 TEST_DONE();
615
616 TEST_START("sshbuf_poke_u16");
617 p1 = sshbuf_new();
618 ASSERT_PTR_NE(p1, NULL);
619 ASSERT_INT_EQ(sshbuf_reserve(p1, 10, NULL), 0);
620 /* poke at start of buffer */
621 ASSERT_INT_EQ(sshbuf_poke_u16(p1, 0, 0xa1b2), 0);
622 s2 = sshbuf_dtob16(p1);
623 ASSERT_PTR_NE(s2, NULL);
624 ASSERT_STRING_EQ(s2, "a1b20000000000000000");
625 free(s2);
626 sshbuf_reset(p1);
627 ASSERT_INT_EQ(sshbuf_reserve(p1, 10, NULL), 0);
628 /* poke aligned with end of buffer */
629 ASSERT_INT_EQ(sshbuf_poke_u16(p1, 8, 0xa1b2), 0);
630 s2 = sshbuf_dtob16(p1);
631 ASSERT_PTR_NE(s2, NULL);
632 ASSERT_STRING_EQ(s2, "0000000000000000a1b2");
633 free(s2);
634 sshbuf_reset(p1);
635 ASSERT_INT_EQ(sshbuf_reserve(p1, 10, NULL), 0);
636 /* poke past end of buffer */
637 ASSERT_INT_EQ(sshbuf_poke_u16(p1, 9, 0xa1b2),
638 SSH_ERR_NO_BUFFER_SPACE);
639 ASSERT_INT_EQ(sshbuf_poke_u16(p1, 10, 0xa1b2),
640 SSH_ERR_NO_BUFFER_SPACE);
641 ASSERT_INT_EQ(sshbuf_poke_u16(p1, 1000, 0xa1b2),
642 SSH_ERR_NO_BUFFER_SPACE);
643 /* ensure failed pokes do not modify buffer */
644 s2 = sshbuf_dtob16(p1);
645 ASSERT_PTR_NE(s2, NULL);
646 ASSERT_STRING_EQ(s2, "00000000000000000000");
647 sshbuf_free(p1);
648 TEST_DONE();
649
650 TEST_START("sshbuf_poke_u8");
651 p1 = sshbuf_new();
652 ASSERT_PTR_NE(p1, NULL);
653 ASSERT_INT_EQ(sshbuf_reserve(p1, 10, NULL), 0);
654 /* poke at start of buffer */
655 ASSERT_INT_EQ(sshbuf_poke_u8(p1, 0, 0xa1), 0);
656 s2 = sshbuf_dtob16(p1);
657 ASSERT_PTR_NE(s2, NULL);
658 ASSERT_STRING_EQ(s2, "a1000000000000000000");
659 free(s2);
660 sshbuf_reset(p1);
661 ASSERT_INT_EQ(sshbuf_reserve(p1, 10, NULL), 0);
662 /* poke aligned with end of buffer */
663 ASSERT_INT_EQ(sshbuf_poke_u8(p1, 9, 0xa1), 0);
664 s2 = sshbuf_dtob16(p1);
665 ASSERT_PTR_NE(s2, NULL);
666 ASSERT_STRING_EQ(s2, "000000000000000000a1");
667 free(s2);
668 sshbuf_reset(p1);
669 ASSERT_INT_EQ(sshbuf_reserve(p1, 10, NULL), 0);
670 /* poke past end of buffer */
671 ASSERT_INT_EQ(sshbuf_poke_u8(p1, 10, 0xa1), SSH_ERR_NO_BUFFER_SPACE);
672 ASSERT_INT_EQ(sshbuf_poke_u8(p1, 1000, 0xa1), SSH_ERR_NO_BUFFER_SPACE);
673 /* ensure failed pokes do not modify buffer */
674 s2 = sshbuf_dtob16(p1);
675 ASSERT_PTR_NE(s2, NULL);
676 ASSERT_STRING_EQ(s2, "00000000000000000000");
677 sshbuf_free(p1);
678 TEST_DONE();
679
680 TEST_START("sshbuf_poke");
681 p1 = sshbuf_new();
682 ASSERT_PTR_NE(p1, NULL);
683 ASSERT_INT_EQ(sshbuf_reserve(p1, 10, NULL), 0);
684 /* poke at start of buffer */
685 ASSERT_INT_EQ(sshbuf_poke(p1, 0, "hello!", 6), 0);
686 s2 = sshbuf_dtob16(p1);
687 ASSERT_PTR_NE(s2, NULL);
688 ASSERT_STRING_EQ(s2, "68656c6c6f2100000000");
689 free(s2);
690 sshbuf_reset(p1);
691 ASSERT_INT_EQ(sshbuf_reserve(p1, 10, NULL), 0);
692 /* poke aligned with end of buffer */
693 ASSERT_INT_EQ(sshbuf_poke(p1, 4, "hello!", 6), 0);
694 s2 = sshbuf_dtob16(p1);
695 ASSERT_PTR_NE(s2, NULL);
696 ASSERT_STRING_EQ(s2, "0000000068656c6c6f21");
697 free(s2);
698 sshbuf_reset(p1);
699 ASSERT_INT_EQ(sshbuf_reserve(p1, 10, NULL), 0);
700 /* poke past end of buffer */
701 ASSERT_INT_EQ(sshbuf_poke(p1, 7, "hello!", 6),
702 SSH_ERR_NO_BUFFER_SPACE);
703 ASSERT_INT_EQ(sshbuf_poke(p1, 10, "hello!", 6),
704 SSH_ERR_NO_BUFFER_SPACE);
705 ASSERT_INT_EQ(sshbuf_poke(p1, 1000, "hello!", 6),
706 SSH_ERR_NO_BUFFER_SPACE);
707 /* ensure failed pokes do not modify buffer */
708 s2 = sshbuf_dtob16(p1);
709 ASSERT_PTR_NE(s2, NULL);
710 ASSERT_STRING_EQ(s2, "00000000000000000000");
711 sshbuf_free(p1);
712 TEST_DONE();
484} 713}
diff --git a/regress/unittests/sshbuf/test_sshbuf_getput_crypto.c b/regress/unittests/sshbuf/test_sshbuf_getput_crypto.c
index 5d39e63e1..492b3bdf0 100644
--- a/regress/unittests/sshbuf/test_sshbuf_getput_crypto.c
+++ b/regress/unittests/sshbuf/test_sshbuf_getput_crypto.c
@@ -7,6 +7,8 @@
7 7
8#include "includes.h" 8#include "includes.h"
9 9
10#ifdef WITH_OPENSSL
11
10#include <sys/types.h> 12#include <sys/types.h>
11#include <sys/param.h> 13#include <sys/param.h>
12#include <stdio.h> 14#include <stdio.h>
@@ -276,3 +278,4 @@ sshbuf_getput_crypto_tests(void)
276#endif 278#endif
277} 279}
278 280
281#endif /* WITH_OPENSSL */
diff --git a/regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c b/regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c
index ca06bfb00..1ca30be97 100644
--- a/regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c
+++ b/regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c
@@ -32,10 +32,12 @@ static void
32attempt_parse_blob(u_char *blob, size_t len) 32attempt_parse_blob(u_char *blob, size_t len)
33{ 33{
34 struct sshbuf *p1; 34 struct sshbuf *p1;
35#ifdef WITH_OPENSSL
35 BIGNUM *bn; 36 BIGNUM *bn;
36#if defined(OPENSSL_HAS_ECC) && defined(OPENSSL_HAS_NISTP256) 37#if defined(OPENSSL_HAS_ECC) && defined(OPENSSL_HAS_NISTP256)
37 EC_KEY *eck; 38 EC_KEY *eck;
38#endif 39#endif /* defined(OPENSSL_HAS_ECC) && defined(OPENSSL_HAS_NISTP256) */
40#endif /* WITH_OPENSSL */
39 u_char *s; 41 u_char *s;
40 size_t l; 42 size_t l;
41 u_int8_t u8; 43 u_int8_t u8;
@@ -54,6 +56,7 @@ attempt_parse_blob(u_char *blob, size_t len)
54 bzero(s, l); 56 bzero(s, l);
55 free(s); 57 free(s);
56 } 58 }
59#ifdef WITH_OPENSSL
57 bn = NULL; 60 bn = NULL;
58 sshbuf_get_bignum2(p1, &bn); 61 sshbuf_get_bignum2(p1, &bn);
59 BN_clear_free(bn); 62 BN_clear_free(bn);
@@ -62,7 +65,8 @@ attempt_parse_blob(u_char *blob, size_t len)
62 ASSERT_PTR_NE(eck, NULL); 65 ASSERT_PTR_NE(eck, NULL);
63 sshbuf_get_eckey(p1, eck); 66 sshbuf_get_eckey(p1, eck);
64 EC_KEY_free(eck); 67 EC_KEY_free(eck);
65#endif 68#endif /* defined(OPENSSL_HAS_ECC) && defined(OPENSSL_HAS_NISTP256) */
69#endif /* WITH_OPENSSL */
66 sshbuf_free(p1); 70 sshbuf_free(p1);
67} 71}
68 72
diff --git a/regress/unittests/sshbuf/test_sshbuf_misc.c b/regress/unittests/sshbuf/test_sshbuf_misc.c
index 762a6c31c..c53db937f 100644
--- a/regress/unittests/sshbuf/test_sshbuf_misc.c
+++ b/regress/unittests/sshbuf/test_sshbuf_misc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_sshbuf_misc.c,v 1.2 2016/05/03 13:48:33 djm Exp $ */ 1/* $OpenBSD: test_sshbuf_misc.c,v 1.4 2019/07/16 22:16:49 djm Exp $ */
2/* 2/*
3 * Regress test for sshbuf.h buffer API 3 * Regress test for sshbuf.h buffer API
4 * 4 *
@@ -19,6 +19,7 @@
19#include "../test_helper/test_helper.h" 19#include "../test_helper/test_helper.h"
20 20
21#include "sshbuf.h" 21#include "sshbuf.h"
22#include "ssherr.h"
22 23
23void sshbuf_misc_tests(void); 24void sshbuf_misc_tests(void);
24 25
@@ -26,7 +27,7 @@ void
26sshbuf_misc_tests(void) 27sshbuf_misc_tests(void)
27{ 28{
28 struct sshbuf *p1; 29 struct sshbuf *p1;
29 char tmp[512], *p; 30 char tmp[512], msg[] = "imploring ping silence ping over", *p;
30 FILE *out; 31 FILE *out;
31 size_t sz; 32 size_t sz;
32 33
@@ -60,48 +61,48 @@ sshbuf_misc_tests(void)
60 sshbuf_free(p1); 61 sshbuf_free(p1);
61 TEST_DONE(); 62 TEST_DONE();
62 63
63 TEST_START("sshbuf_dtob64 len 1"); 64 TEST_START("sshbuf_dtob64_string len 1");
64 p1 = sshbuf_new(); 65 p1 = sshbuf_new();
65 ASSERT_PTR_NE(p1, NULL); 66 ASSERT_PTR_NE(p1, NULL);
66 ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x11), 0); 67 ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x11), 0);
67 p = sshbuf_dtob64(p1); 68 p = sshbuf_dtob64_string(p1, 0);
68 ASSERT_PTR_NE(p, NULL); 69 ASSERT_PTR_NE(p, NULL);
69 ASSERT_STRING_EQ(p, "EQ=="); 70 ASSERT_STRING_EQ(p, "EQ==");
70 free(p); 71 free(p);
71 sshbuf_free(p1); 72 sshbuf_free(p1);
72 TEST_DONE(); 73 TEST_DONE();
73 74
74 TEST_START("sshbuf_dtob64 len 2"); 75 TEST_START("sshbuf_dtob64_string len 2");
75 p1 = sshbuf_new(); 76 p1 = sshbuf_new();
76 ASSERT_PTR_NE(p1, NULL); 77 ASSERT_PTR_NE(p1, NULL);
77 ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x11), 0); 78 ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x11), 0);
78 ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x22), 0); 79 ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x22), 0);
79 p = sshbuf_dtob64(p1); 80 p = sshbuf_dtob64_string(p1, 0);
80 ASSERT_PTR_NE(p, NULL); 81 ASSERT_PTR_NE(p, NULL);
81 ASSERT_STRING_EQ(p, "ESI="); 82 ASSERT_STRING_EQ(p, "ESI=");
82 free(p); 83 free(p);
83 sshbuf_free(p1); 84 sshbuf_free(p1);
84 TEST_DONE(); 85 TEST_DONE();
85 86
86 TEST_START("sshbuf_dtob64 len 3"); 87 TEST_START("sshbuf_dtob64_string len 3");
87 p1 = sshbuf_new(); 88 p1 = sshbuf_new();
88 ASSERT_PTR_NE(p1, NULL); 89 ASSERT_PTR_NE(p1, NULL);
89 ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x11), 0); 90 ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x11), 0);
90 ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x22), 0); 91 ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x22), 0);
91 ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x33), 0); 92 ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x33), 0);
92 p = sshbuf_dtob64(p1); 93 p = sshbuf_dtob64_string(p1, 0);
93 ASSERT_PTR_NE(p, NULL); 94 ASSERT_PTR_NE(p, NULL);
94 ASSERT_STRING_EQ(p, "ESIz"); 95 ASSERT_STRING_EQ(p, "ESIz");
95 free(p); 96 free(p);
96 sshbuf_free(p1); 97 sshbuf_free(p1);
97 TEST_DONE(); 98 TEST_DONE();
98 99
99 TEST_START("sshbuf_dtob64 len 8191"); 100 TEST_START("sshbuf_dtob64_string len 8191");
100 p1 = sshbuf_new(); 101 p1 = sshbuf_new();
101 ASSERT_PTR_NE(p1, NULL); 102 ASSERT_PTR_NE(p1, NULL);
102 ASSERT_INT_EQ(sshbuf_reserve(p1, 8192, NULL), 0); 103 ASSERT_INT_EQ(sshbuf_reserve(p1, 8192, NULL), 0);
103 bzero(sshbuf_mutable_ptr(p1), 8192); 104 bzero(sshbuf_mutable_ptr(p1), 8192);
104 p = sshbuf_dtob64(p1); 105 p = sshbuf_dtob64_string(p1, 0);
105 ASSERT_PTR_NE(p, NULL); 106 ASSERT_PTR_NE(p, NULL);
106 ASSERT_SIZE_T_EQ(strlen(p), ((8191 + 2) / 3) * 4); 107 ASSERT_SIZE_T_EQ(strlen(p), ((8191 + 2) / 3) * 4);
107 free(p); 108 free(p);
@@ -163,5 +164,55 @@ sshbuf_misc_tests(void)
163 ASSERT_PTR_EQ(p, NULL); 164 ASSERT_PTR_EQ(p, NULL);
164 sshbuf_free(p1); 165 sshbuf_free(p1);
165 TEST_DONE(); 166 TEST_DONE();
167
168 TEST_START("sshbuf_cmp");
169 p1 = sshbuf_from(msg, sizeof(msg) - 1);
170 ASSERT_PTR_NE(p1, NULL);
171 ASSERT_INT_EQ(sshbuf_cmp(p1, 0, "i", 1), 0);
172 ASSERT_INT_EQ(sshbuf_cmp(p1, 0, "j", 1), SSH_ERR_INVALID_FORMAT);
173 ASSERT_INT_EQ(sshbuf_cmp(p1, 0, "imploring", 9), 0);
174 ASSERT_INT_EQ(sshbuf_cmp(p1, 0, "implored", 9), SSH_ERR_INVALID_FORMAT);
175 ASSERT_INT_EQ(sshbuf_cmp(p1, 10, "ping", 4), 0);
176 ASSERT_INT_EQ(sshbuf_cmp(p1, 10, "ring", 4), SSH_ERR_INVALID_FORMAT);
177 ASSERT_INT_EQ(sshbuf_cmp(p1, 28, "over", 4), 0);
178 ASSERT_INT_EQ(sshbuf_cmp(p1, 28, "rove", 4), SSH_ERR_INVALID_FORMAT);
179 ASSERT_INT_EQ(sshbuf_cmp(p1, 28, "overt", 5),
180 SSH_ERR_MESSAGE_INCOMPLETE);
181 ASSERT_INT_EQ(sshbuf_cmp(p1, 32, "ping", 4),
182 SSH_ERR_MESSAGE_INCOMPLETE);
183 ASSERT_INT_EQ(sshbuf_cmp(p1, 1000, "silence", 7),
184 SSH_ERR_MESSAGE_INCOMPLETE);
185 ASSERT_INT_EQ(sshbuf_cmp(p1, 0, msg, sizeof(msg) - 1), 0);
186 TEST_DONE();
187
188 TEST_START("sshbuf_find");
189 p1 = sshbuf_from(msg, sizeof(msg) - 1);
190 ASSERT_PTR_NE(p1, NULL);
191 ASSERT_INT_EQ(sshbuf_find(p1, 0, "i", 1, &sz), 0);
192 ASSERT_SIZE_T_EQ(sz, 0);
193 ASSERT_INT_EQ(sshbuf_find(p1, 0, "j", 1, &sz), SSH_ERR_INVALID_FORMAT);
194 ASSERT_INT_EQ(sshbuf_find(p1, 0, "imploring", 9, &sz), 0);
195 ASSERT_SIZE_T_EQ(sz, 0);
196 ASSERT_INT_EQ(sshbuf_find(p1, 0, "implored", 9, &sz),
197 SSH_ERR_INVALID_FORMAT);
198 ASSERT_INT_EQ(sshbuf_find(p1, 3, "ping", 4, &sz), 0);
199 ASSERT_SIZE_T_EQ(sz, 10);
200 ASSERT_INT_EQ(sshbuf_find(p1, 11, "ping", 4, &sz), 0);
201 ASSERT_SIZE_T_EQ(sz, 23);
202 ASSERT_INT_EQ(sshbuf_find(p1, 20, "over", 4, &sz), 0);
203 ASSERT_SIZE_T_EQ(sz, 28);
204 ASSERT_INT_EQ(sshbuf_find(p1, 28, "over", 4, &sz), 0);
205 ASSERT_SIZE_T_EQ(sz, 28);
206 ASSERT_INT_EQ(sshbuf_find(p1, 28, "rove", 4, &sz),
207 SSH_ERR_INVALID_FORMAT);
208 ASSERT_INT_EQ(sshbuf_find(p1, 28, "overt", 5, &sz),
209 SSH_ERR_MESSAGE_INCOMPLETE);
210 ASSERT_INT_EQ(sshbuf_find(p1, 32, "ping", 4, &sz),
211 SSH_ERR_MESSAGE_INCOMPLETE);
212 ASSERT_INT_EQ(sshbuf_find(p1, 1000, "silence", 7, &sz),
213 SSH_ERR_MESSAGE_INCOMPLETE);
214 ASSERT_INT_EQ(sshbuf_find(p1, 0, msg + 1, sizeof(msg) - 2, &sz), 0);
215 ASSERT_SIZE_T_EQ(sz, 1);
216 TEST_DONE();
166} 217}
167 218
diff --git a/regress/unittests/sshbuf/tests.c b/regress/unittests/sshbuf/tests.c
index 1557e4342..29916a10b 100644
--- a/regress/unittests/sshbuf/tests.c
+++ b/regress/unittests/sshbuf/tests.c
@@ -20,7 +20,9 @@ tests(void)
20{ 20{
21 sshbuf_tests(); 21 sshbuf_tests();
22 sshbuf_getput_basic_tests(); 22 sshbuf_getput_basic_tests();
23#ifdef WITH_OPENSSL
23 sshbuf_getput_crypto_tests(); 24 sshbuf_getput_crypto_tests();
25#endif
24 sshbuf_misc_tests(); 26 sshbuf_misc_tests();
25 sshbuf_fuzz_tests(); 27 sshbuf_fuzz_tests();
26 sshbuf_getput_fuzz_tests(); 28 sshbuf_getput_fuzz_tests();
diff --git a/regress/unittests/sshkey/common.c b/regress/unittests/sshkey/common.c
index e63465c47..e21638093 100644
--- a/regress/unittests/sshkey/common.c
+++ b/regress/unittests/sshkey/common.c
@@ -19,13 +19,15 @@
19#include <string.h> 19#include <string.h>
20#include <unistd.h> 20#include <unistd.h>
21 21
22#ifdef WITH_OPENSSL
22#include <openssl/bn.h> 23#include <openssl/bn.h>
23#include <openssl/rsa.h> 24#include <openssl/rsa.h>
24#include <openssl/dsa.h> 25#include <openssl/dsa.h>
25#include <openssl/objects.h> 26#include <openssl/objects.h>
26#ifdef OPENSSL_HAS_NISTP256 27#ifdef OPENSSL_HAS_NISTP256
27# include <openssl/ec.h> 28# include <openssl/ec.h>
28#endif 29#endif /* OPENSSL_HAS_NISTP256 */
30#endif /* WITH_OPENSSL */
29 31
30#include "openbsd-compat/openssl-compat.h" 32#include "openbsd-compat/openssl-compat.h"
31 33
@@ -72,6 +74,7 @@ load_text_file(const char *name)
72 return ret; 74 return ret;
73} 75}
74 76
77#ifdef WITH_OPENSSL
75BIGNUM * 78BIGNUM *
76load_bignum(const char *name) 79load_bignum(const char *name)
77{ 80{
@@ -160,4 +163,5 @@ dsa_priv_key(struct sshkey *k)
160 DSA_get0_key(k->dsa, NULL, &priv_key); 163 DSA_get0_key(k->dsa, NULL, &priv_key);
161 return priv_key; 164 return priv_key;
162} 165}
166#endif /* WITH_OPENSSL */
163 167
diff --git a/regress/unittests/sshkey/test_file.c b/regress/unittests/sshkey/test_file.c
index 65610dacc..55627bc12 100644
--- a/regress/unittests/sshkey/test_file.c
+++ b/regress/unittests/sshkey/test_file.c
@@ -19,13 +19,15 @@
19#include <string.h> 19#include <string.h>
20#include <unistd.h> 20#include <unistd.h>
21 21
22#ifdef WITH_OPENSSL
22#include <openssl/bn.h> 23#include <openssl/bn.h>
23#include <openssl/rsa.h> 24#include <openssl/rsa.h>
24#include <openssl/dsa.h> 25#include <openssl/dsa.h>
25#include <openssl/objects.h> 26#include <openssl/objects.h>
26#ifdef OPENSSL_HAS_NISTP256 27#ifdef OPENSSL_HAS_NISTP256
27# include <openssl/ec.h> 28# include <openssl/ec.h>
28#endif 29#endif /* OPENSSL_HAS_NISTP256 */
30#endif /* WITH_OPENSSL */
29 31
30#include "../test_helper/test_helper.h" 32#include "../test_helper/test_helper.h"
31 33
@@ -44,7 +46,9 @@ sshkey_file_tests(void)
44{ 46{
45 struct sshkey *k1, *k2; 47 struct sshkey *k1, *k2;
46 struct sshbuf *buf, *pw; 48 struct sshbuf *buf, *pw;
49#ifdef WITH_OPENSSL
47 BIGNUM *a, *b, *c; 50 BIGNUM *a, *b, *c;
51#endif
48 char *cp; 52 char *cp;
49 53
50 TEST_START("load passphrase"); 54 TEST_START("load passphrase");
@@ -52,6 +56,7 @@ sshkey_file_tests(void)
52 TEST_DONE(); 56 TEST_DONE();
53 57
54 58
59#ifdef WITH_OPENSSL
55 TEST_START("parse RSA from private"); 60 TEST_START("parse RSA from private");
56 buf = load_file("rsa_1"); 61 buf = load_file("rsa_1");
57 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); 62 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
@@ -350,6 +355,7 @@ sshkey_file_tests(void)
350 355
351 sshkey_free(k1); 356 sshkey_free(k1);
352#endif /* OPENSSL_HAS_ECC */ 357#endif /* OPENSSL_HAS_ECC */
358#endif /* WITH_OPENSSL */
353 359
354 TEST_START("parse Ed25519 from private"); 360 TEST_START("parse Ed25519 from private");
355 buf = load_file("ed25519_1"); 361 buf = load_file("ed25519_1");
diff --git a/regress/unittests/sshkey/test_fuzz.c b/regress/unittests/sshkey/test_fuzz.c
index 5953de595..1323f8997 100644
--- a/regress/unittests/sshkey/test_fuzz.c
+++ b/regress/unittests/sshkey/test_fuzz.c
@@ -113,7 +113,7 @@ sshkey_fuzz_tests(void)
113 struct fuzz *fuzz; 113 struct fuzz *fuzz;
114 int r, i; 114 int r, i;
115 115
116 116#ifdef WITH_OPENSSL
117 TEST_START("fuzz RSA private"); 117 TEST_START("fuzz RSA private");
118 buf = load_file("rsa_1"); 118 buf = load_file("rsa_1");
119 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf), 119 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
@@ -246,7 +246,8 @@ sshkey_fuzz_tests(void)
246 sshbuf_free(fuzzed); 246 sshbuf_free(fuzzed);
247 fuzz_cleanup(fuzz); 247 fuzz_cleanup(fuzz);
248 TEST_DONE(); 248 TEST_DONE();
249#endif 249#endif /* OPENSSL_HAS_ECC */
250#endif /* WITH_OPENSSL */
250 251
251 TEST_START("fuzz Ed25519 private"); 252 TEST_START("fuzz Ed25519 private");
252 buf = load_file("ed25519_1"); 253 buf = load_file("ed25519_1");
@@ -270,6 +271,7 @@ sshkey_fuzz_tests(void)
270 fuzz_cleanup(fuzz); 271 fuzz_cleanup(fuzz);
271 TEST_DONE(); 272 TEST_DONE();
272 273
274#ifdef WITH_OPENSSL
273 TEST_START("fuzz RSA public"); 275 TEST_START("fuzz RSA public");
274 buf = load_file("rsa_1"); 276 buf = load_file("rsa_1");
275 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); 277 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
@@ -312,7 +314,8 @@ sshkey_fuzz_tests(void)
312 public_fuzz(k1); 314 public_fuzz(k1);
313 sshkey_free(k1); 315 sshkey_free(k1);
314 TEST_DONE(); 316 TEST_DONE();
315#endif 317#endif /* OPENSSL_HAS_ECC */
318#endif /* WITH_OPENSSL */
316 319
317 TEST_START("fuzz Ed25519 public"); 320 TEST_START("fuzz Ed25519 public");
318 buf = load_file("ed25519_1"); 321 buf = load_file("ed25519_1");
@@ -328,6 +331,7 @@ sshkey_fuzz_tests(void)
328 sshkey_free(k1); 331 sshkey_free(k1);
329 TEST_DONE(); 332 TEST_DONE();
330 333
334#ifdef WITH_OPENSSL
331 TEST_START("fuzz RSA sig"); 335 TEST_START("fuzz RSA sig");
332 buf = load_file("rsa_1"); 336 buf = load_file("rsa_1");
333 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); 337 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
@@ -368,7 +372,8 @@ sshkey_fuzz_tests(void)
368 sig_fuzz(k1, NULL); 372 sig_fuzz(k1, NULL);
369 sshkey_free(k1); 373 sshkey_free(k1);
370 TEST_DONE(); 374 TEST_DONE();
371#endif 375#endif /* OPENSSL_HAS_ECC */
376#endif /* WITH_OPENSSL */
372 377
373 TEST_START("fuzz Ed25519 sig"); 378 TEST_START("fuzz Ed25519 sig");
374 buf = load_file("ed25519_1"); 379 buf = load_file("ed25519_1");
@@ -379,5 +384,6 @@ sshkey_fuzz_tests(void)
379 TEST_DONE(); 384 TEST_DONE();
380 385
381/* XXX fuzz decoded new-format blobs too */ 386/* XXX fuzz decoded new-format blobs too */
387/* XXX fuzz XMSS too */
382 388
383} 389}
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
index 47a03fad4..42395b8db 100644
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_sshkey.c,v 1.17 2018/09/13 09:03:20 djm Exp $ */ 1/* $OpenBSD: test_sshkey.c,v 1.18 2019/06/21 04:21:45 djm Exp $ */
2/* 2/*
3 * Regress test for sshkey.h key management API 3 * Regress test for sshkey.h key management API
4 * 4 *
@@ -50,9 +50,10 @@ put_opt(struct sshbuf *b, const char *name, const char *value)
50 sshbuf_free(sect); 50 sshbuf_free(sect);
51} 51}
52 52
53#ifdef WITH_OPENSSL
53static void 54static void
54build_cert(struct sshbuf *b, const struct sshkey *k, const char *type, 55build_cert(struct sshbuf *b, struct sshkey *k, const char *type,
55 const struct sshkey *sign_key, const struct sshkey *ca_key, 56 struct sshkey *sign_key, struct sshkey *ca_key,
56 const char *sig_alg) 57 const char *sig_alg)
57{ 58{
58 struct sshbuf *ca_buf, *pk, *principals, *critopts, *exts; 59 struct sshbuf *ca_buf, *pk, *principals, *critopts, *exts;
@@ -110,6 +111,7 @@ build_cert(struct sshbuf *b, const struct sshkey *k, const char *type,
110 sshbuf_free(principals); 111 sshbuf_free(principals);
111 sshbuf_free(pk); 112 sshbuf_free(pk);
112} 113}
114#endif /* WITH_OPENSSL */
113 115
114static void 116static void
115signature_test(struct sshkey *k, struct sshkey *bad, const char *sig_alg, 117signature_test(struct sshkey *k, struct sshkey *bad, const char *sig_alg,
@@ -176,10 +178,13 @@ get_private(const char *n)
176void 178void
177sshkey_tests(void) 179sshkey_tests(void)
178{ 180{
179 struct sshkey *k1, *k2, *k3, *k4, *kr, *kd, *kf; 181 struct sshkey *k1, *k2, *k3, *kf;
182#ifdef WITH_OPENSSL
183 struct sshkey *k4, *kr, *kd;
180#ifdef OPENSSL_HAS_ECC 184#ifdef OPENSSL_HAS_ECC
181 struct sshkey *ke; 185 struct sshkey *ke;
182#endif 186#endif /* OPENSSL_HAS_ECC */
187#endif /* WITH_OPENSSL */
183 struct sshbuf *b; 188 struct sshbuf *b;
184 189
185 TEST_START("new invalid"); 190 TEST_START("new invalid");
@@ -193,6 +198,7 @@ sshkey_tests(void)
193 sshkey_free(k1); 198 sshkey_free(k1);
194 TEST_DONE(); 199 TEST_DONE();
195 200
201#ifdef WITH_OPENSSL
196 TEST_START("new/free KEY_RSA"); 202 TEST_START("new/free KEY_RSA");
197 k1 = sshkey_new(KEY_RSA); 203 k1 = sshkey_new(KEY_RSA);
198 ASSERT_PTR_NE(k1, NULL); 204 ASSERT_PTR_NE(k1, NULL);
@@ -281,7 +287,8 @@ sshkey_tests(void)
281 ASSERT_PTR_NE(EC_KEY_get0_public_key(ke->ecdsa), NULL); 287 ASSERT_PTR_NE(EC_KEY_get0_public_key(ke->ecdsa), NULL);
282 ASSERT_PTR_NE(EC_KEY_get0_private_key(ke->ecdsa), NULL); 288 ASSERT_PTR_NE(EC_KEY_get0_private_key(ke->ecdsa), NULL);
283 TEST_DONE(); 289 TEST_DONE();
284#endif 290#endif /* OPENSSL_HAS_ECC */
291#endif /* WITH_OPENSSL */
285 292
286 TEST_START("generate KEY_ED25519"); 293 TEST_START("generate KEY_ED25519");
287 ASSERT_INT_EQ(sshkey_generate(KEY_ED25519, 256, &kf), 0); 294 ASSERT_INT_EQ(sshkey_generate(KEY_ED25519, 256, &kf), 0);
@@ -291,6 +298,7 @@ sshkey_tests(void)
291 ASSERT_PTR_NE(kf->ed25519_sk, NULL); 298 ASSERT_PTR_NE(kf->ed25519_sk, NULL);
292 TEST_DONE(); 299 TEST_DONE();
293 300
301#ifdef WITH_OPENSSL
294 TEST_START("demote KEY_RSA"); 302 TEST_START("demote KEY_RSA");
295 ASSERT_INT_EQ(sshkey_from_private(kr, &k1), 0); 303 ASSERT_INT_EQ(sshkey_from_private(kr, &k1), 0);
296 ASSERT_PTR_NE(k1, NULL); 304 ASSERT_PTR_NE(k1, NULL);
@@ -338,7 +346,8 @@ sshkey_tests(void)
338 ASSERT_INT_EQ(sshkey_equal(ke, k1), 1); 346 ASSERT_INT_EQ(sshkey_equal(ke, k1), 1);
339 sshkey_free(k1); 347 sshkey_free(k1);
340 TEST_DONE(); 348 TEST_DONE();
341#endif 349#endif /* OPENSSL_HAS_ECC */
350#endif /* WITH_OPENSSL */
342 351
343 TEST_START("demote KEY_ED25519"); 352 TEST_START("demote KEY_ED25519");
344 ASSERT_INT_EQ(sshkey_from_private(kf, &k1), 0); 353 ASSERT_INT_EQ(sshkey_from_private(kf, &k1), 0);
@@ -354,17 +363,20 @@ sshkey_tests(void)
354 sshkey_free(k1); 363 sshkey_free(k1);
355 TEST_DONE(); 364 TEST_DONE();
356 365
366#ifdef WITH_OPENSSL
357 TEST_START("equal mismatched key types"); 367 TEST_START("equal mismatched key types");
358 ASSERT_INT_EQ(sshkey_equal(kd, kr), 0); 368 ASSERT_INT_EQ(sshkey_equal(kd, kr), 0);
359#ifdef OPENSSL_HAS_ECC 369#ifdef OPENSSL_HAS_ECC
360 ASSERT_INT_EQ(sshkey_equal(kd, ke), 0); 370 ASSERT_INT_EQ(sshkey_equal(kd, ke), 0);
361 ASSERT_INT_EQ(sshkey_equal(kr, ke), 0); 371 ASSERT_INT_EQ(sshkey_equal(kr, ke), 0);
362 ASSERT_INT_EQ(sshkey_equal(ke, kf), 0); 372 ASSERT_INT_EQ(sshkey_equal(ke, kf), 0);
363#endif 373#endif /* OPENSSL_HAS_ECC */
364 ASSERT_INT_EQ(sshkey_equal(kd, kf), 0); 374 ASSERT_INT_EQ(sshkey_equal(kd, kf), 0);
365 TEST_DONE(); 375 TEST_DONE();
376#endif /* WITH_OPENSSL */
366 377
367 TEST_START("equal different keys"); 378 TEST_START("equal different keys");
379#ifdef WITH_OPENSSL
368 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1024, &k1), 0); 380 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1024, &k1), 0);
369 ASSERT_INT_EQ(sshkey_equal(kr, k1), 0); 381 ASSERT_INT_EQ(sshkey_equal(kr, k1), 0);
370 sshkey_free(k1); 382 sshkey_free(k1);
@@ -375,17 +387,20 @@ sshkey_tests(void)
375 ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 256, &k1), 0); 387 ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 256, &k1), 0);
376 ASSERT_INT_EQ(sshkey_equal(ke, k1), 0); 388 ASSERT_INT_EQ(sshkey_equal(ke, k1), 0);
377 sshkey_free(k1); 389 sshkey_free(k1);
378#endif 390#endif /* OPENSSL_HAS_ECC */
391#endif /* WITH_OPENSSL */
379 ASSERT_INT_EQ(sshkey_generate(KEY_ED25519, 256, &k1), 0); 392 ASSERT_INT_EQ(sshkey_generate(KEY_ED25519, 256, &k1), 0);
380 ASSERT_INT_EQ(sshkey_equal(kf, k1), 0); 393 ASSERT_INT_EQ(sshkey_equal(kf, k1), 0);
381 sshkey_free(k1); 394 sshkey_free(k1);
382 TEST_DONE(); 395 TEST_DONE();
383 396
397#ifdef WITH_OPENSSL
384 sshkey_free(kr); 398 sshkey_free(kr);
385 sshkey_free(kd); 399 sshkey_free(kd);
386#ifdef OPENSSL_HAS_ECC 400#ifdef OPENSSL_HAS_ECC
387 sshkey_free(ke); 401 sshkey_free(ke);
388#endif 402#endif /* OPENSSL_HAS_ECC */
403#endif /* WITH_OPENSSL */
389 sshkey_free(kf); 404 sshkey_free(kf);
390 405
391 TEST_START("certify key"); 406 TEST_START("certify key");
@@ -434,6 +449,7 @@ sshkey_tests(void)
434 sshbuf_reset(b); 449 sshbuf_reset(b);
435 TEST_DONE(); 450 TEST_DONE();
436 451
452#ifdef WITH_OPENSSL
437 TEST_START("sign and verify RSA"); 453 TEST_START("sign and verify RSA");
438 k1 = get_private("rsa_1"); 454 k1 = get_private("rsa_1");
439 ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_2.pub"), &k2, 455 ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_2.pub"), &k2,
@@ -479,7 +495,8 @@ sshkey_tests(void)
479 sshkey_free(k1); 495 sshkey_free(k1);
480 sshkey_free(k2); 496 sshkey_free(k2);
481 TEST_DONE(); 497 TEST_DONE();
482#endif 498#endif /* OPENSSL_HAS_ECC */
499#endif /* WITH_OPENSSL */
483 500
484 TEST_START("sign and verify ED25519"); 501 TEST_START("sign and verify ED25519");
485 k1 = get_private("ed25519_1"); 502 k1 = get_private("ed25519_1");
@@ -490,6 +507,7 @@ sshkey_tests(void)
490 sshkey_free(k2); 507 sshkey_free(k2);
491 TEST_DONE(); 508 TEST_DONE();
492 509
510#ifdef WITH_OPENSSL
493 TEST_START("nested certificate"); 511 TEST_START("nested certificate");
494 ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1"), &k1), 0); 512 ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1"), &k1), 0);
495 ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2, 513 ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2,
@@ -504,5 +522,5 @@ sshkey_tests(void)
504 sshkey_free(k3); 522 sshkey_free(k3);
505 sshbuf_free(b); 523 sshbuf_free(b);
506 TEST_DONE(); 524 TEST_DONE();
507 525#endif /* WITH_OPENSSL */
508} 526}
diff --git a/regress/unittests/sshkey/testdata/ed25519_1_pw b/regress/unittests/sshkey/testdata/ed25519_1_pw
index c3b7ae7f8..da94d2b8e 100644
--- a/regress/unittests/sshkey/testdata/ed25519_1_pw
+++ b/regress/unittests/sshkey/testdata/ed25519_1_pw
@@ -1,8 +1,8 @@
1-----BEGIN OPENSSH PRIVATE KEY----- 1-----BEGIN OPENSSH PRIVATE KEY-----
2b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABCus+kaow 2b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDKT56mBA
3AUjHphacvRp98dAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIFOG6kY7Rf4UtCFv 3tXIMsWqmuuA2gdAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIFOG6kY7Rf4UtCFv
4PwKgo/BztXck2xC4a2WyA34XtIwZAAAAoJaqqgiYQuElraJAmYOm7Tb4nJ3eI4oj9mQ52M 4PwKgo/BztXck2xC4a2WyA34XtIwZAAAAoC13U47yfUOSZJePNUAwWXuFOk3aOKwPM5PMvK
5/Yd+ION2Ur1v8BDewpDX+LHEYgKHo3Mlmcn2UyF+QJ+7xUCW7QCtk/4szrJzw74DlEl6mH 50zwRnMZZjgn+tsMAYPwhsT3Mx3h5QzvVGFyFEqsiK7j4vAotD+LVQeBN5TwWbUBx4lnoGs
6T8PT/f/av7PpECBD/YD3NoDlB9OWm/Q4sHcxfBEKfTGD7s2Onn71HgrdEOPqd4Sj/IQigR 63iAfYVDakO/gNvVBDDGOqv5kdCc4cgn5HacjHQLKOAx6KzHe7JFn7uCywMdVVQjlpI6LHb
7drfjtXEMlD32k9n3dd2eS9x7AHWYaGFEMkOcY= 7mHkaKiVX/C2oiRnsoe17HZ8Fxyt3vd1qNM8BE=
8-----END OPENSSH PRIVATE KEY----- 8-----END OPENSSH PRIVATE KEY-----
diff --git a/regress/unittests/test_helper/test_helper.c b/regress/unittests/test_helper/test_helper.c
index e7a47b265..9014ce8e4 100644
--- a/regress/unittests/test_helper/test_helper.c
+++ b/regress/unittests/test_helper/test_helper.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_helper.c,v 1.11 2018/11/23 02:53:57 dtucker Exp $ */ 1/* $OpenBSD: test_helper.c,v 1.12 2019/08/02 01:41:24 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2011 Damien Miller <djm@mindrot.org> 3 * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
4 * 4 *
@@ -23,6 +23,7 @@
23#include <sys/param.h> 23#include <sys/param.h>
24#include <sys/uio.h> 24#include <sys/uio.h>
25 25
26#include <stdarg.h>
26#include <fcntl.h> 27#include <fcntl.h>
27#include <stdio.h> 28#include <stdio.h>
28#ifdef HAVE_STDINT_H 29#ifdef HAVE_STDINT_H
@@ -34,8 +35,10 @@
34#include <unistd.h> 35#include <unistd.h>
35#include <signal.h> 36#include <signal.h>
36 37
38#ifdef WITH_OPENSSL
37#include <openssl/bn.h> 39#include <openssl/bn.h>
38#include <openssl/err.h> 40#include <openssl/err.h>
41#endif
39 42
40#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS) 43#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
41# include <vis.h> 44# include <vis.h>
@@ -126,7 +129,9 @@ main(int argc, char **argv)
126 int ch; 129 int ch;
127 130
128 seed_rng(); 131 seed_rng();
132#ifdef WITH_OPENSSL
129 ERR_load_CRYPTO_strings(); 133 ERR_load_CRYPTO_strings();
134#endif
130 135
131 /* Handle systems without __progname */ 136 /* Handle systems without __progname */
132 if (__progname == NULL) { 137 if (__progname == NULL) {
@@ -287,6 +292,7 @@ test_subtest_info(const char *fmt, ...)
287void 292void
288ssl_err_check(const char *file, int line) 293ssl_err_check(const char *file, int line)
289{ 294{
295#ifdef WITH_OPENSSL
290 long openssl_error = ERR_get_error(); 296 long openssl_error = ERR_get_error();
291 297
292 if (openssl_error == 0) 298 if (openssl_error == 0)
@@ -294,6 +300,10 @@ ssl_err_check(const char *file, int line)
294 300
295 fprintf(stderr, "\n%s:%d: uncaught OpenSSL error: %s", 301 fprintf(stderr, "\n%s:%d: uncaught OpenSSL error: %s",
296 file, line, ERR_error_string(openssl_error, NULL)); 302 file, line, ERR_error_string(openssl_error, NULL));
303#else /* WITH_OPENSSL */
304 fprintf(stderr, "\n%s:%d: uncaught OpenSSL error ",
305 file, line);
306#endif /* WITH_OPENSSL */
297 abort(); 307 abort();
298} 308}
299 309
@@ -338,6 +348,7 @@ test_header(const char *file, int line, const char *a1, const char *a2,
338 a2 != NULL ? ", " : "", a2 != NULL ? a2 : ""); 348 a2 != NULL ? ", " : "", a2 != NULL ? a2 : "");
339} 349}
340 350
351#ifdef WITH_OPENSSL
341void 352void
342assert_bignum(const char *file, int line, const char *a1, const char *a2, 353assert_bignum(const char *file, int line, const char *a1, const char *a2,
343 const BIGNUM *aa1, const BIGNUM *aa2, enum test_predicate pred) 354 const BIGNUM *aa1, const BIGNUM *aa2, enum test_predicate pred)
@@ -350,6 +361,7 @@ assert_bignum(const char *file, int line, const char *a1, const char *a2,
350 fprintf(stderr, "%12s = 0x%s\n", a2, BN_bn2hex(aa2)); 361 fprintf(stderr, "%12s = 0x%s\n", a2, BN_bn2hex(aa2));
351 test_die(); 362 test_die();
352} 363}
364#endif
353 365
354void 366void
355assert_string(const char *file, int line, const char *a1, const char *a2, 367assert_string(const char *file, int line, const char *a1, const char *a2,
@@ -391,6 +403,8 @@ assert_mem(const char *file, int line, const char *a1, const char *a2,
391 const void *aa1, const void *aa2, size_t l, enum test_predicate pred) 403 const void *aa1, const void *aa2, size_t l, enum test_predicate pred)
392{ 404{
393 int r; 405 int r;
406 char *aa1_tohex = NULL;
407 char *aa2_tohex = NULL;
394 408
395 if (l == 0) 409 if (l == 0)
396 return; 410 return;
@@ -401,8 +415,12 @@ assert_mem(const char *file, int line, const char *a1, const char *a2,
401 r = memcmp(aa1, aa2, l); 415 r = memcmp(aa1, aa2, l);
402 TEST_CHECK_INT(r, pred); 416 TEST_CHECK_INT(r, pred);
403 test_header(file, line, a1, a2, "STRING", pred); 417 test_header(file, line, a1, a2, "STRING", pred);
404 fprintf(stderr, "%12s = %s (len %zu)\n", a1, tohex(aa1, MIN(l, 256)), l); 418 aa1_tohex = tohex(aa1, MIN(l, 256));
405 fprintf(stderr, "%12s = %s (len %zu)\n", a2, tohex(aa2, MIN(l, 256)), l); 419 aa2_tohex = tohex(aa2, MIN(l, 256));
420 fprintf(stderr, "%12s = %s (len %zu)\n", a1, aa1_tohex, l);
421 fprintf(stderr, "%12s = %s (len %zu)\n", a2, aa2_tohex, l);
422 free(aa1_tohex);
423 free(aa2_tohex);
406 test_die(); 424 test_die();
407} 425}
408 426
@@ -427,6 +445,7 @@ assert_mem_filled(const char *file, int line, const char *a1,
427 size_t where = -1; 445 size_t where = -1;
428 int r; 446 int r;
429 char tmp[64]; 447 char tmp[64];
448 char *aa1_tohex = NULL;
430 449
431 if (l == 0) 450 if (l == 0)
432 return; 451 return;
@@ -436,8 +455,10 @@ assert_mem_filled(const char *file, int line, const char *a1,
436 r = memvalcmp(aa1, v, l, &where); 455 r = memvalcmp(aa1, v, l, &where);
437 TEST_CHECK_INT(r, pred); 456 TEST_CHECK_INT(r, pred);
438 test_header(file, line, a1, NULL, "MEM_ZERO", pred); 457 test_header(file, line, a1, NULL, "MEM_ZERO", pred);
458 aa1_tohex = tohex(aa1, MIN(l, 20));
439 fprintf(stderr, "%20s = %s%s (len %zu)\n", a1, 459 fprintf(stderr, "%20s = %s%s (len %zu)\n", a1,
440 tohex(aa1, MIN(l, 20)), l > 20 ? "..." : "", l); 460 aa1_tohex, l > 20 ? "..." : "", l);
461 free(aa1_tohex);
441 snprintf(tmp, sizeof(tmp), "(%s)[%zu]", a1, where); 462 snprintf(tmp, sizeof(tmp), "(%s)[%zu]", a1, where);
442 fprintf(stderr, "%20s = 0x%02x (expected 0x%02x)\n", tmp, 463 fprintf(stderr, "%20s = 0x%02x (expected 0x%02x)\n", tmp,
443 ((u_char *)aa1)[where], v); 464 ((u_char *)aa1)[where], v);
diff --git a/regress/unittests/test_helper/test_helper.h b/regress/unittests/test_helper/test_helper.h
index 1f893c8dd..66302201c 100644
--- a/regress/unittests/test_helper/test_helper.h
+++ b/regress/unittests/test_helper/test_helper.h
@@ -27,8 +27,10 @@
27# include <stdint.h> 27# include <stdint.h>
28#endif 28#endif
29 29
30#ifdef WITH_OPENSSL
30#include <openssl/bn.h> 31#include <openssl/bn.h>
31#include <openssl/err.h> 32#include <openssl/err.h>
33#endif
32 34
33enum test_predicate { 35enum test_predicate {
34 TEST_EQ, TEST_NE, TEST_LT, TEST_LE, TEST_GT, TEST_GE 36 TEST_EQ, TEST_NE, TEST_LT, TEST_LE, TEST_GT, TEST_GE
@@ -50,9 +52,11 @@ int test_is_slow(void);
50void test_subtest_info(const char *fmt, ...) 52void test_subtest_info(const char *fmt, ...)
51 __attribute__((format(printf, 1, 2))); 53 __attribute__((format(printf, 1, 2)));
52void ssl_err_check(const char *file, int line); 54void ssl_err_check(const char *file, int line);
55#ifdef WITH_OPENSSL
53void assert_bignum(const char *file, int line, 56void assert_bignum(const char *file, int line,
54 const char *a1, const char *a2, 57 const char *a1, const char *a2,
55 const BIGNUM *aa1, const BIGNUM *aa2, enum test_predicate pred); 58 const BIGNUM *aa1, const BIGNUM *aa2, enum test_predicate pred);
59#endif
56void assert_string(const char *file, int line, 60void assert_string(const char *file, int line,
57 const char *a1, const char *a2, 61 const char *a1, const char *a2,
58 const char *aa1, const char *aa2, enum test_predicate pred); 62 const char *aa1, const char *aa2, enum test_predicate pred);
diff --git a/regress/unittests/utf8/tests.c b/regress/unittests/utf8/tests.c
index f0bbca509..8cf524ddb 100644
--- a/regress/unittests/utf8/tests.c
+++ b/regress/unittests/utf8/tests.c
@@ -9,7 +9,9 @@
9#include "includes.h" 9#include "includes.h"
10 10
11#include <locale.h> 11#include <locale.h>
12#include <stdarg.h>
12#include <string.h> 13#include <string.h>
14#include <stdio.h>
13 15
14#include "../test_helper/test_helper.h" 16#include "../test_helper/test_helper.h"
15 17