summaryrefslogtreecommitdiff
path: root/regress
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2016-08-06 10:49:59 +0100
committerColin Watson <cjwatson@debian.org>2016-08-07 12:18:58 +0100
commit477bb7636238c106f8cd7c868a8c0c5eabcfb3db (patch)
tree601176af2ecf358c36b766776a86845ad7a3cd6f /regress
parent747fac2de0d889183f67f6900194c0462c558544 (diff)
parent4c914ccd85bbf391c4dc61b85e3c178fef465e3f (diff)
New upstream release (7.3p1).
Diffstat (limited to 'regress')
-rw-r--r--regress/.cvsignore31
-rw-r--r--regress/Makefile49
-rw-r--r--regress/agent-getpeereid.sh25
-rw-r--r--regress/cert-hostkey.sh126
-rw-r--r--regress/cert-userkey.sh48
-rw-r--r--regress/cfginclude.sh293
-rw-r--r--regress/cfgparse.sh4
-rw-r--r--regress/connect-privsep.sh7
-rw-r--r--regress/forwarding.sh4
-rw-r--r--regress/integrity.sh4
-rw-r--r--regress/misc/Makefile3
-rw-r--r--regress/misc/kexfuzz/Makefile78
-rw-r--r--regress/misc/kexfuzz/README28
-rw-r--r--regress/misc/kexfuzz/kexfuzz.c410
-rwxr-xr-xregress/modpipe.c31
-rw-r--r--regress/netcat.c43
-rw-r--r--regress/sshcfgparse.sh29
-rw-r--r--regress/test-exec.sh10
-rw-r--r--regress/unittests/Makefile4
-rw-r--r--regress/unittests/sshbuf/test_sshbuf_misc.c31
-rw-r--r--regress/unittests/sshkey/test_sshkey.c4
-rw-r--r--regress/unittests/test_helper/Makefile3
-rw-r--r--regress/unittests/utf8/Makefile12
-rw-r--r--regress/unittests/utf8/tests.c82
24 files changed, 1141 insertions, 218 deletions
diff --git a/regress/.cvsignore b/regress/.cvsignore
deleted file mode 100644
index 3fd25b02e..000000000
--- a/regress/.cvsignore
+++ /dev/null
@@ -1,31 +0,0 @@
1*-agent
2*.copy
3*.log
4*.prv
5*.pub
6actual
7authorized_keys_*
8batch
9copy.dd*
10data
11expect
12host.rsa*
13key.*
14known_hosts
15krl-*
16modpipe
17remote_pid
18revoked-*
19revoked-ca
20revoked-keyid
21revoked-serials
22rsa
23rsa1
24sftp-server.sh
25ssh-log-wrapper.sh
26ssh_config
27ssh_proxy*
28sshd_config
29sshd_proxy*
30t*.out
31t*.out[0-9]
diff --git a/regress/Makefile b/regress/Makefile
index 451909c1a..08fd82dbf 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.82 2015/09/24 06:16:53 djm Exp $ 1# $OpenBSD: Makefile,v 1.88 2016/06/03 04:10:41 dtucker Exp $
2 2
3REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec 3REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
4tests: prep $(REGRESS_TARGETS) 4tests: prep $(REGRESS_TARGETS)
@@ -54,6 +54,7 @@ LTESTS= connect \
54 multiplex \ 54 multiplex \
55 reexec \ 55 reexec \
56 brokenkeys \ 56 brokenkeys \
57 sshcfgparse \
57 cfgparse \ 58 cfgparse \
58 cfgmatch \ 59 cfgmatch \
59 addrmatch \ 60 addrmatch \
@@ -75,7 +76,8 @@ LTESTS= connect \
75 keygen-knownhosts \ 76 keygen-knownhosts \
76 hostkey-rotate \ 77 hostkey-rotate \
77 principals-command \ 78 principals-command \
78 cert-file 79 cert-file \
80 cfginclude
79 81
80 82
81# dhgex \ 83# dhgex \
@@ -86,27 +88,28 @@ INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
86#LTESTS= cipher-speed 88#LTESTS= cipher-speed
87 89
88USER!= id -un 90USER!= id -un
89CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ 91CLEANFILES= *.core actual agent-key.* authorized_keys_${USER} \
90 t8.out t8.out.pub t9.out t9.out.pub t10.out t10.out.pub \ 92 authorized_keys_${USER}.* authorized_principals_${USER} \
91 t12.out t12.out.pub \ 93 banner.in banner.out cert_host_key* cert_user_key* \
92 authorized_keys_${USER} known_hosts pidfile testdata \ 94 copy.1 copy.2 data ed25519-agent ed25519-agent* \
93 ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \ 95 ed25519-agent.pub empty.in expect failed-regress.log \
94 rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \ 96 failed-ssh.log failed-sshd.log hkr.* host.rsa host.rsa1 \
95 rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \ 97 host_* host_ca_key* host_krl_* host_revoked_* key.* \
96 ls.copy banner.in banner.out empty.in \ 98 key.dsa-* key.ecdsa-* key.ed25519-512 key.ed25519-512.pub \
97 scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \ 99 key.rsa-* keys-command-args kh.* known_hosts \
98 sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \ 100 known_hosts-cert known_hosts.* krl-* ls.copy modpipe \
99 known_hosts-cert host_ca_key* cert_host_key* cert_user_key* \ 101 netcat pidfile putty.rsa2 ready regress.log remote_pid \
100 putty.rsa2 sshd_proxy_orig ssh_proxy_bak \ 102 revoked-* rsa rsa-agent rsa-agent.pub rsa.pub rsa1 \
101 key.rsa-* key.dsa-* key.ecdsa-* \ 103 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \
102 authorized_principals_${USER} expect actual ready \ 104 rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
103 sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \ 105 scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
104 ssh.log failed-ssh.log sshd.log failed-sshd.log \ 106 sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
105 regress.log failed-regress.log ssh-log-wrapper.sh \ 107 ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
106 sftp-server.sh sftp-server.log sftp.log setuid-allowed \ 108 ssh_proxy_envpass sshd.log sshd_config sshd_config.orig \
107 data ed25519-agent ed25519-agent.pub key.ed25519-512 \ 109 sshd_proxy sshd_proxy.* sshd_proxy_bak sshd_proxy_orig \
108 key.ed25519-512.pub netcat host_krl_* host_revoked_* \ 110 t10.out t10.out.pub t12.out t12.out.pub t2.out t3.out \
109 kh.* user_*key* agent-key.* known_hosts.* hkr.* 111 t6.out1 t6.out2 t7.out t7.out.pub t8.out t8.out.pub \
112 t9.out t9.out.pub testdata user_*key* user_ca* user_key*
110 113
111SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER} 114SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER}
112 115
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh
index d5ae2d6e2..24b71f458 100644
--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent-getpeereid.sh,v 1.5 2013/05/17 10:33:09 dtucker Exp $ 1# $OpenBSD: agent-getpeereid.sh,v 1.6 2016/05/03 14:41:04 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="disallow agent attach from other uid" 4tid="disallow agent attach from other uid"
@@ -13,10 +13,16 @@ else
13 echo "skipped (not supported on this platform)" 13 echo "skipped (not supported on this platform)"
14 exit 0 14 exit 0
15fi 15fi
16if [ -z "$SUDO" ]; then 16case "x$SUDO" in
17 echo "skipped: need SUDO to switch to uid $UNPRIV" 17 xsudo) sudo=1;;
18 exit 0 18 xdoas) ;;
19fi 19 x)
20 echo "need SUDO to switch to uid $UNPRIV"
21 exit 0 ;;
22 *)
23 echo "unsupported $SUDO - "doas" and "sudo" are allowed"
24 exit 0 ;;
25esac
20 26
21trace "start agent" 27trace "start agent"
22eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null 28eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
@@ -31,8 +37,13 @@ else
31 if [ $r -ne 1 ]; then 37 if [ $r -ne 1 ]; then
32 fail "ssh-add failed with $r != 1" 38 fail "ssh-add failed with $r != 1"
33 fi 39 fi
34 40 if test -z "$sudo" ; then
35 < /dev/null ${SUDO} -S -u ${UNPRIV} ssh-add -l 2>/dev/null 41 # doas
42 ${SUDO} -n -u ${UNPRIV} ssh-add -l 2>/dev/null
43 else
44 # sudo
45 < /dev/null ${SUDO} -S -u ${UNPRIV} ssh-add -l 2>/dev/null
46 fi
36 r=$? 47 r=$?
37 if [ $r -lt 2 ]; then 48 if [ $r -lt 2 ]; then
38 fail "ssh-add did not fail for ${UNPRIV}: $r < 2" 49 fail "ssh-add did not fail for ${UNPRIV}: $r < 2"
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 3f53922c8..62261cf8b 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-hostkey.sh,v 1.13 2015/07/10 06:23:25 markus Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.14 2016/05/02 09:52:00 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
@@ -30,34 +30,51 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
30 30
31HOSTS='localhost-with-alias,127.0.0.1,::1' 31HOSTS='localhost-with-alias,127.0.0.1,::1'
32 32
33# Create a CA key and add it to known hosts. Ed25519 chosed for speed. 33kh_ca() {
34 for k in "$@" ; do
35 printf "@cert-authority $HOSTS "
36 cat $OBJ/$k || fatal "couldn't cat $k"
37 done
38}
39kh_revoke() {
40 for k in "$@" ; do
41 printf "@revoked * "
42 cat $OBJ/$k || fatal "couldn't cat $k"
43 done
44}
45
46# Create a CA key and add it to known hosts. Ed25519 chosen for speed.
47# RSA for testing RSA/SHA2 signatures.
34${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\ 48${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/host_ca_key ||\
35 fail "ssh-keygen of host_ca_key failed" 49 fail "ssh-keygen of host_ca_key failed"
36( 50${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key2 ||\
37 printf '@cert-authority ' 51 fail "ssh-keygen of host_ca_key failed"
38 printf "$HOSTS " 52
39 cat $OBJ/host_ca_key.pub 53kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
40) > $OBJ/known_hosts-cert.orig
41cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 54cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
42 55
43# Plain text revocation files 56# Plain text revocation files
44touch $OBJ/host_revoked_empty 57touch $OBJ/host_revoked_empty
45touch $OBJ/host_revoked_plain 58touch $OBJ/host_revoked_plain
46touch $OBJ/host_revoked_cert 59touch $OBJ/host_revoked_cert
47cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca 60cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
48 61
49PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` 62PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
50 63
64if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
65 PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
66fi
67
51# Prepare certificate, plain key and CA KRLs 68# Prepare certificate, plain key and CA KRLs
52${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" 69${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
53${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed" 70${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
54${SSHKEYGEN} -kf $OBJ/host_krl_cert || fatal "KRL init failed" 71${SSHKEYGEN} -kf $OBJ/host_krl_cert || fatal "KRL init failed"
55${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub \ 72${SSHKEYGEN} -kf $OBJ/host_krl_ca $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub \
56 || fatal "KRL init failed" 73 || fatal "KRL init failed"
57 74
58# Generate and sign host keys 75# Generate and sign host keys
59serial=1 76serial=1
60for ktype in $PLAIN_TYPES ; do 77for ktype in $PLAIN_TYPES ; do
61 verbose "$tid: sign host ${ktype} cert" 78 verbose "$tid: sign host ${ktype} cert"
62 # Generate and sign a host key 79 # Generate and sign a host key
63 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 80 ${SSHKEYGEN} -q -N '' -t ${ktype} \
@@ -66,7 +83,11 @@ for ktype in $PLAIN_TYPES ; do
66 ${SSHKEYGEN} -ukf $OBJ/host_krl_plain \ 83 ${SSHKEYGEN} -ukf $OBJ/host_krl_plain \
67 $OBJ/cert_host_key_${ktype}.pub || fatal "KRL update failed" 84 $OBJ/cert_host_key_${ktype}.pub || fatal "KRL update failed"
68 cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain 85 cat $OBJ/cert_host_key_${ktype}.pub >> $OBJ/host_revoked_plain
69 ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -z $serial \ 86 case $ktype in
87 rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
88 *) tflag=""; ca="$OBJ/host_ca_key" ;;
89 esac
90 ${SSHKEYGEN} -h -q -s $ca -z $serial $tflag \
70 -I "regress host key for $USER" \ 91 -I "regress host key for $USER" \
71 -n $HOSTS $OBJ/cert_host_key_${ktype} || 92 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
72 fatal "couldn't sign cert_host_key_${ktype}" 93 fatal "couldn't sign cert_host_key_${ktype}"
@@ -100,7 +121,7 @@ attempt_connect() {
100 121
101# Basic connect and revocation tests. 122# Basic connect and revocation tests.
102for privsep in yes no ; do 123for privsep in yes no ; do
103 for ktype in $PLAIN_TYPES ; do 124 for ktype in $PLAIN_TYPES ; do
104 verbose "$tid: host ${ktype} cert connect privsep $privsep" 125 verbose "$tid: host ${ktype} cert connect privsep $privsep"
105 ( 126 (
106 cat $OBJ/sshd_proxy_bak 127 cat $OBJ/sshd_proxy_bak
@@ -131,18 +152,14 @@ for privsep in yes no ; do
131done 152done
132 153
133# Revoked certificates with key present 154# Revoked certificates with key present
134( 155kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
135 printf '@cert-authority ' 156for ktype in $PLAIN_TYPES ; do
136 printf "$HOSTS " 157 test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
137 cat $OBJ/host_ca_key.pub 158 kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
138 for ktype in $PLAIN_TYPES ; do 159done
139 test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
140 printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
141 done
142) > $OBJ/known_hosts-cert.orig
143cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 160cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
144for privsep in yes no ; do 161for privsep in yes no ; do
145 for ktype in $PLAIN_TYPES ; do 162 for ktype in $PLAIN_TYPES ; do
146 verbose "$tid: host ${ktype} revoked cert privsep $privsep" 163 verbose "$tid: host ${ktype} revoked cert privsep $privsep"
147 ( 164 (
148 cat $OBJ/sshd_proxy_bak 165 cat $OBJ/sshd_proxy_bak
@@ -162,16 +179,10 @@ for privsep in yes no ; do
162done 179done
163 180
164# Revoked CA 181# Revoked CA
165( 182kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
166 printf '@cert-authority ' 183kh_revoke host_ca_key.pub host_ca_key2.pub >> $OBJ/known_hosts-cert.orig
167 printf "$HOSTS "
168 cat $OBJ/host_ca_key.pub
169 printf '@revoked '
170 printf "* "
171 cat $OBJ/host_ca_key.pub
172) > $OBJ/known_hosts-cert.orig
173cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 184cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
174for ktype in $PLAIN_TYPES ; do 185for ktype in $PLAIN_TYPES ; do
175 verbose "$tid: host ${ktype} revoked cert" 186 verbose "$tid: host ${ktype} revoked cert"
176 ( 187 (
177 cat $OBJ/sshd_proxy_bak 188 cat $OBJ/sshd_proxy_bak
@@ -188,11 +199,7 @@ for ktype in $PLAIN_TYPES ; do
188done 199done
189 200
190# Create a CA key and add it to known hosts 201# Create a CA key and add it to known hosts
191( 202kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
192 printf '@cert-authority '
193 printf "$HOSTS "
194 cat $OBJ/host_ca_key.pub
195) > $OBJ/known_hosts-cert.orig
196cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 203cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
197 204
198test_one() { 205test_one() {
@@ -201,16 +208,19 @@ test_one() {
201 sign_opts=$3 208 sign_opts=$3
202 209
203 for kt in rsa ed25519 ; do 210 for kt in rsa ed25519 ; do
204 ${SSHKEYGEN} -q -s $OBJ/host_ca_key \ 211 case $ktype in
205 -I "regress host key for $USER" \ 212 rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
213 *) tflag=""; ca="$OBJ/host_ca_key" ;;
214 esac
215 ${SSHKEYGEN} -q -s $ca $tflag -I "regress host key for $USER" \
206 $sign_opts $OBJ/cert_host_key_${kt} || 216 $sign_opts $OBJ/cert_host_key_${kt} ||
207 fail "couldn't sign cert_host_key_${kt}" 217 fatal "couldn't sign cert_host_key_${kt}"
208 ( 218 (
209 cat $OBJ/sshd_proxy_bak 219 cat $OBJ/sshd_proxy_bak
210 echo HostKey $OBJ/cert_host_key_${kt} 220 echo HostKey $OBJ/cert_host_key_${kt}
211 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub 221 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
212 ) > $OBJ/sshd_proxy 222 ) > $OBJ/sshd_proxy
213 223
214 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 224 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
215 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 225 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
216 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 226 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
@@ -237,17 +247,20 @@ test_one "cert valid interval" success "-h -V-1w:+2w"
237test_one "cert has constraints" failure "-h -Oforce-command=false" 247test_one "cert has constraints" failure "-h -Oforce-command=false"
238 248
239# Check downgrade of cert to raw key when no CA found 249# Check downgrade of cert to raw key when no CA found
240for ktype in $PLAIN_TYPES ; do 250for ktype in $PLAIN_TYPES ; do
241 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* 251 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
242 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" 252 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
243 # Generate and sign a host key 253 # Generate and sign a host key
244 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 254 ${SSHKEYGEN} -q -N '' -t ${ktype} -f $OBJ/cert_host_key_${ktype} || \
245 -f $OBJ/cert_host_key_${ktype} || \
246 fail "ssh-keygen of cert_host_key_${ktype} failed" 255 fail "ssh-keygen of cert_host_key_${ktype} failed"
247 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \ 256 case $ktype in
257 rsa-sha2-*) tflag="-t $ktype"; ca="$OBJ/host_ca_key2" ;;
258 *) tflag=""; ca="$OBJ/host_ca_key" ;;
259 esac
260 ${SSHKEYGEN} -h -q $tflag -s $ca $tflag \
248 -I "regress host key for $USER" \ 261 -I "regress host key for $USER" \
249 -n $HOSTS $OBJ/cert_host_key_${ktype} || 262 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
250 fail "couldn't sign cert_host_key_${ktype}" 263 fatal "couldn't sign cert_host_key_${ktype}"
251 ( 264 (
252 printf "$HOSTS " 265 printf "$HOSTS "
253 cat $OBJ/cert_host_key_${ktype}.pub 266 cat $OBJ/cert_host_key_${ktype}.pub
@@ -257,7 +270,7 @@ for ktype in $PLAIN_TYPES ; do
257 echo HostKey $OBJ/cert_host_key_${ktype} 270 echo HostKey $OBJ/cert_host_key_${ktype}
258 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 271 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
259 ) > $OBJ/sshd_proxy 272 ) > $OBJ/sshd_proxy
260 273
261 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 274 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
262 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 275 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
263 -F $OBJ/ssh_proxy somehost true 276 -F $OBJ/ssh_proxy somehost true
@@ -267,23 +280,22 @@ for ktype in $PLAIN_TYPES ; do
267done 280done
268 281
269# Wrong certificate 282# Wrong certificate
270( 283kh_ca host_ca_key.pub host_ca_key2.pub > $OBJ/known_hosts-cert.orig
271 printf '@cert-authority '
272 printf "$HOSTS "
273 cat $OBJ/host_ca_key.pub
274) > $OBJ/known_hosts-cert.orig
275cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 284cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
276for kt in $PLAIN_TYPES ; do 285for kt in $PLAIN_TYPES ; do
286 verbose "$tid: host ${kt} connect wrong cert"
277 rm -f $OBJ/cert_host_key* 287 rm -f $OBJ/cert_host_key*
278 # Self-sign key 288 # Self-sign key
279 ${SSHKEYGEN} -q -N '' -t ${kt} \ 289 ${SSHKEYGEN} -q -N '' -t ${kt} -f $OBJ/cert_host_key_${kt} || \
280 -f $OBJ/cert_host_key_${kt} || \
281 fail "ssh-keygen of cert_host_key_${kt} failed" 290 fail "ssh-keygen of cert_host_key_${kt} failed"
282 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \ 291 case $kt in
292 rsa-sha2-*) tflag="-t $kt" ;;
293 *) tflag="" ;;
294 esac
295 ${SSHKEYGEN} $tflag -h -q -s $OBJ/cert_host_key_${kt} \
283 -I "regress host key for $USER" \ 296 -I "regress host key for $USER" \
284 -n $HOSTS $OBJ/cert_host_key_${kt} || 297 -n $HOSTS $OBJ/cert_host_key_${kt} ||
285 fail "couldn't sign cert_host_key_${kt}" 298 fatal "couldn't sign cert_host_key_${kt}"
286 verbose "$tid: host ${kt} connect wrong cert"
287 ( 299 (
288 cat $OBJ/sshd_proxy_bak 300 cat $OBJ/sshd_proxy_bak
289 echo HostKey $OBJ/cert_host_key_${kt} 301 echo HostKey $OBJ/cert_host_key_${kt}
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index c38c00a02..319746395 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $ 1# $OpenBSD: cert-userkey.sh,v 1.16 2016/05/03 12:15:49 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified user keys" 4tid="certified user keys"
@@ -9,8 +9,16 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
9 9
10PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` 10PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
11 11
12if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
13 PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
14fi
15
12kname() { 16kname() {
13 n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'` 17 case $ktype in
18 rsa-sha2-*) ;;
19 # subshell because some seds will add a newline
20 *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;;
21 esac
14 echo "$n*,ssh-rsa*,ssh-ed25519*" 22 echo "$n*,ssh-rsa*,ssh-ed25519*"
15} 23}
16 24
@@ -19,18 +27,24 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
19 fail "ssh-keygen of user_ca_key failed" 27 fail "ssh-keygen of user_ca_key failed"
20 28
21# Generate and sign user keys 29# Generate and sign user keys
22for ktype in $PLAIN_TYPES ; do 30for ktype in $PLAIN_TYPES $EXTRA_TYPES ; do
23 verbose "$tid: sign user ${ktype} cert" 31 verbose "$tid: sign user ${ktype} cert"
24 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 32 ${SSHKEYGEN} -q -N '' -t ${ktype} \
25 -f $OBJ/cert_user_key_${ktype} || \ 33 -f $OBJ/cert_user_key_${ktype} || \
26 fail "ssh-keygen of cert_user_key_${ktype} failed" 34 fatal "ssh-keygen of cert_user_key_${ktype} failed"
27 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ 35 # Generate RSA/SHA2 certs for rsa-sha2* keys.
28 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || 36 case $ktype in
29 fail "couldn't sign cert_user_key_${ktype}" 37 rsa-sha2-*) tflag="-t $ktype" ;;
38 *) tflag="" ;;
39 esac
40 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -z $$ \
41 -I "regress user key for $USER" \
42 -n ${USER},mekmitasdigoat $tflag $OBJ/cert_user_key_${ktype} || \
43 fatal "couldn't sign cert_user_key_${ktype}"
30done 44done
31 45
32# Test explicitly-specified principals 46# Test explicitly-specified principals
33for ktype in $PLAIN_TYPES ; do 47for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
34 t=$(kname $ktype) 48 t=$(kname $ktype)
35 for privsep in yes no ; do 49 for privsep in yes no ; do
36 _prefix="${ktype} privsep $privsep" 50 _prefix="${ktype} privsep $privsep"
@@ -67,7 +81,7 @@ for ktype in $PLAIN_TYPES ; do
67 if [ $? -eq 0 ]; then 81 if [ $? -eq 0 ]; then
68 fail "ssh cert connect succeeded unexpectedly" 82 fail "ssh cert connect succeeded unexpectedly"
69 fi 83 fi
70 84
71 # Wrong authorized_principals 85 # Wrong authorized_principals
72 verbose "$tid: ${_prefix} wrong authorized_principals" 86 verbose "$tid: ${_prefix} wrong authorized_principals"
73 echo gregorsamsa > $OBJ/authorized_principals_$USER 87 echo gregorsamsa > $OBJ/authorized_principals_$USER
@@ -166,8 +180,8 @@ basic_tests() {
166 echo > $OBJ/authorized_keys_$USER 180 echo > $OBJ/authorized_keys_$USER
167 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" 181 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
168 fi 182 fi
169 183
170 for ktype in $PLAIN_TYPES ; do 184 for ktype in $PLAIN_TYPES ; do
171 t=$(kname $ktype) 185 t=$(kname $ktype)
172 for privsep in yes no ; do 186 for privsep in yes no ; do
173 _prefix="${ktype} privsep $privsep $auth" 187 _prefix="${ktype} privsep $privsep $auth"
@@ -183,7 +197,7 @@ basic_tests() {
183 cat $OBJ/ssh_proxy_bak 197 cat $OBJ/ssh_proxy_bak
184 echo "PubkeyAcceptedKeyTypes ${t}" 198 echo "PubkeyAcceptedKeyTypes ${t}"
185 ) > $OBJ/ssh_proxy 199 ) > $OBJ/ssh_proxy
186 200
187 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 201 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
188 -F $OBJ/ssh_proxy somehost true 202 -F $OBJ/ssh_proxy somehost true
189 if [ $? -ne 0 ]; then 203 if [ $? -ne 0 ]; then
@@ -223,7 +237,7 @@ basic_tests() {
223 fail "ssh cert connect failed" 237 fail "ssh cert connect failed"
224 fi 238 fi
225 done 239 done
226 240
227 # Revoked CA 241 # Revoked CA
228 verbose "$tid: ${ktype} $auth revoked CA key" 242 verbose "$tid: ${ktype} $auth revoked CA key"
229 ( 243 (
@@ -238,7 +252,7 @@ basic_tests() {
238 fail "ssh cert connect succeeded unexpecedly" 252 fail "ssh cert connect succeeded unexpecedly"
239 fi 253 fi
240 done 254 done
241 255
242 verbose "$tid: $auth CA does not authenticate" 256 verbose "$tid: $auth CA does not authenticate"
243 ( 257 (
244 cat $OBJ/sshd_proxy_bak 258 cat $OBJ/sshd_proxy_bak
@@ -286,7 +300,7 @@ test_one() {
286 echo $auth_opt >> $OBJ/sshd_proxy 300 echo $auth_opt >> $OBJ/sshd_proxy
287 fi 301 fi
288 fi 302 fi
289 303
290 verbose "$tid: $ident auth $auth expect $result $ktype" 304 verbose "$tid: $ident auth $auth expect $result $ktype"
291 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \ 305 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
292 -I "regress user key for $USER" \ 306 -I "regress user key for $USER" \
@@ -342,13 +356,13 @@ test_one "principals key option no principals" failure "" \
342 356
343# Wrong certificate 357# Wrong certificate
344cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy 358cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
345for ktype in $PLAIN_TYPES ; do 359for ktype in $PLAIN_TYPES ; do
346 t=$(kname $ktype) 360 t=$(kname $ktype)
347 # Self-sign 361 # Self-sign
348 ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ 362 ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
349 "regress user key for $USER" \ 363 "regress user key for $USER" \
350 -n $USER $OBJ/cert_user_key_${ktype} || 364 -n $USER $OBJ/cert_user_key_${ktype} ||
351 fail "couldn't sign cert_user_key_${ktype}" 365 fatal "couldn't sign cert_user_key_${ktype}"
352 verbose "$tid: user ${ktype} connect wrong cert" 366 verbose "$tid: user ${ktype} connect wrong cert"
353 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ 367 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
354 somehost true >/dev/null 2>&1 368 somehost true >/dev/null 2>&1
diff --git a/regress/cfginclude.sh b/regress/cfginclude.sh
new file mode 100644
index 000000000..2fc39ce45
--- /dev/null
+++ b/regress/cfginclude.sh
@@ -0,0 +1,293 @@
1# $OpenBSD: cfginclude.sh,v 1.2 2016/05/03 15:30:46 dtucker Exp $
2# Placed in the Public Domain.
3
4tid="config include"
5
6# to appease StrictModes
7umask 022
8
9cat > $OBJ/ssh_config.i << _EOF
10Match host a
11 Hostname aa
12
13Match host b
14 Hostname bb
15 Include $OBJ/ssh_config.i.*
16
17Match host c
18 Include $OBJ/ssh_config.i.*
19 Hostname cc
20
21Match host m
22 Include $OBJ/ssh_config.i.*
23
24Host d
25 Hostname dd
26
27Host e
28 Hostname ee
29 Include $OBJ/ssh_config.i.*
30
31Host f
32 Include $OBJ/ssh_config.i.*
33 Hostname ff
34
35Host n
36 Include $OBJ/ssh_config.i.*
37_EOF
38
39cat > $OBJ/ssh_config.i.0 << _EOF
40Match host xxxxxx
41_EOF
42
43cat > $OBJ/ssh_config.i.1 << _EOF
44Match host a
45 Hostname aaa
46
47Match host b
48 Hostname bbb
49
50Match host c
51 Hostname ccc
52
53Host d
54 Hostname ddd
55
56Host e
57 Hostname eee
58
59Host f
60 Hostname fff
61_EOF
62
63cat > $OBJ/ssh_config.i.2 << _EOF
64Match host a
65 Hostname aaaa
66
67Match host b
68 Hostname bbbb
69
70Match host c
71 Hostname cccc
72
73Host d
74 Hostname dddd
75
76Host e
77 Hostname eeee
78
79Host f
80 Hostname ffff
81
82Match all
83 Hostname xxxx
84_EOF
85
86trial() {
87 _host="$1"
88 _exp="$2"
89 ${REAL_SSH} -F $OBJ/ssh_config.i -G "$_host" > $OBJ/ssh_config.out ||
90 fatal "ssh config parse failed"
91 _got=`grep -i '^hostname ' $OBJ/ssh_config.out | awk '{print $2}'`
92 if test "x$_exp" != "x$_got" ; then
93 fail "host $_host include fail: expected $_exp got $_got"
94 fi
95}
96
97trial a aa
98trial b bb
99trial c ccc
100trial d dd
101trial e ee
102trial f fff
103trial m xxxx
104trial n xxxx
105trial x x
106
107# Prepare an included config with an error.
108
109cat > $OBJ/ssh_config.i.3 << _EOF
110Hostname xxxx
111 Junk
112_EOF
113
114${REAL_SSH} -F $OBJ/ssh_config.i -G a 2>/dev/null && \
115 fail "ssh include allowed invalid config"
116
117${REAL_SSH} -F $OBJ/ssh_config.i -G x 2>/dev/null && \
118 fail "ssh include allowed invalid config"
119
120rm -f $OBJ/ssh_config.i.*
121
122# Ensure that a missing include is not fatal.
123cat > $OBJ/ssh_config.i << _EOF
124Include $OBJ/ssh_config.i.*
125Hostname aa
126_EOF
127
128trial a aa
129
130# Ensure that Match/Host in an included config does not affect parent.
131cat > $OBJ/ssh_config.i.x << _EOF
132Match host x
133_EOF
134
135trial a aa
136
137cat > $OBJ/ssh_config.i.x << _EOF
138Host x
139_EOF
140
141trial a aa
142
143# cleanup
144rm -f $OBJ/ssh_config.i $OBJ/ssh_config.i.* $OBJ/ssh_config.out
145# $OpenBSD: cfginclude.sh,v 1.2 2016/05/03 15:30:46 dtucker Exp $
146# Placed in the Public Domain.
147
148tid="config include"
149
150cat > $OBJ/ssh_config.i << _EOF
151Match host a
152 Hostname aa
153
154Match host b
155 Hostname bb
156 Include $OBJ/ssh_config.i.*
157
158Match host c
159 Include $OBJ/ssh_config.i.*
160 Hostname cc
161
162Match host m
163 Include $OBJ/ssh_config.i.*
164
165Host d
166 Hostname dd
167
168Host e
169 Hostname ee
170 Include $OBJ/ssh_config.i.*
171
172Host f
173 Include $OBJ/ssh_config.i.*
174 Hostname ff
175
176Host n
177 Include $OBJ/ssh_config.i.*
178_EOF
179
180cat > $OBJ/ssh_config.i.0 << _EOF
181Match host xxxxxx
182_EOF
183
184cat > $OBJ/ssh_config.i.1 << _EOF
185Match host a
186 Hostname aaa
187
188Match host b
189 Hostname bbb
190
191Match host c
192 Hostname ccc
193
194Host d
195 Hostname ddd
196
197Host e
198 Hostname eee
199
200Host f
201 Hostname fff
202_EOF
203
204cat > $OBJ/ssh_config.i.2 << _EOF
205Match host a
206 Hostname aaaa
207
208Match host b
209 Hostname bbbb
210
211Match host c
212 Hostname cccc
213
214Host d
215 Hostname dddd
216
217Host e
218 Hostname eeee
219
220Host f
221 Hostname ffff
222
223Match all
224 Hostname xxxx
225_EOF
226
227trial() {
228 _host="$1"
229 _exp="$2"
230 ${REAL_SSH} -F $OBJ/ssh_config.i -G "$_host" > $OBJ/ssh_config.out ||
231 fatal "ssh config parse failed"
232 _got=`grep -i '^hostname ' $OBJ/ssh_config.out | awk '{print $2}'`
233 if test "x$_exp" != "x$_got" ; then
234 fail "host $_host include fail: expected $_exp got $_got"
235 fi
236}
237
238trial a aa
239trial b bb
240trial c ccc
241trial d dd
242trial e ee
243trial f fff
244trial m xxxx
245trial n xxxx
246trial x x
247
248# Prepare an included config with an error.
249
250cat > $OBJ/ssh_config.i.3 << _EOF
251Hostname xxxx
252 Junk
253_EOF
254
255${REAL_SSH} -F $OBJ/ssh_config.i -G a 2>/dev/null && \
256 fail "ssh include allowed invalid config"
257
258${REAL_SSH} -F $OBJ/ssh_config.i -G x 2>/dev/null && \
259 fail "ssh include allowed invalid config"
260
261rm -f $OBJ/ssh_config.i.*
262
263# Ensure that a missing include is not fatal.
264cat > $OBJ/ssh_config.i << _EOF
265Include $OBJ/ssh_config.i.*
266Hostname aa
267_EOF
268
269trial a aa
270
271# Ensure that Match/Host in an included config does not affect parent.
272cat > $OBJ/ssh_config.i.x << _EOF
273Match host x
274_EOF
275
276trial a aa
277
278cat > $OBJ/ssh_config.i.x << _EOF
279Host x
280_EOF
281
282trial a aa
283
284# Ensure that recursive includes are bounded.
285cat > $OBJ/ssh_config.i << _EOF
286Include $OBJ/ssh_config.i
287_EOF
288
289${REAL_SSH} -F $OBJ/ssh_config.i -G a 2>/dev/null && \
290 fail "ssh include allowed infinite recursion?" # or hang...
291
292# cleanup
293rm -f $OBJ/ssh_config.i $OBJ/ssh_config.i.* $OBJ/ssh_config.out
diff --git a/regress/cfgparse.sh b/regress/cfgparse.sh
index 736f38976..ccf511f6b 100644
--- a/regress/cfgparse.sh
+++ b/regress/cfgparse.sh
@@ -1,7 +1,7 @@
1# $OpenBSD: cfgparse.sh,v 1.5 2015/05/29 03:05:13 djm Exp $ 1# $OpenBSD: cfgparse.sh,v 1.6 2016/06/03 03:47:59 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="config parse" 4tid="sshd config parse"
5 5
6# This is a reasonable proxy for IPv6 support. 6# This is a reasonable proxy for IPv6 support.
7if ! config_defined HAVE_STRUCT_IN6_ADDR ; then 7if ! config_defined HAVE_STRUCT_IN6_ADDR ; then
diff --git a/regress/connect-privsep.sh b/regress/connect-privsep.sh
index 9a51f5690..ea739f614 100644
--- a/regress/connect-privsep.sh
+++ b/regress/connect-privsep.sh
@@ -26,7 +26,12 @@ done
26 26
27# Because sandbox is sensitive to changes in libc, especially malloc, retest 27# Because sandbox is sensitive to changes in libc, especially malloc, retest
28# with every malloc.conf option (and none). 28# with every malloc.conf option (and none).
29for m in '' A F G H J P R S X '<' '>'; do 29if [ -z "TEST_MALLOC_OPTIONS" ]; then
30 mopts="A F G H J P R S X < >"
31else
32 mopts=`echo $TEST_MALLOC_OPTIONS | sed 's/./& /g'`
33fi
34for m in '' $mopts ; do
30 for p in ${SSH_PROTOCOLS}; do 35 for p in ${SSH_PROTOCOLS}; do
31 env MALLOC_OPTIONS="$m" ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true 36 env MALLOC_OPTIONS="$m" ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
32 if [ $? -ne 0 ]; then 37 if [ $? -ne 0 ]; then
diff --git a/regress/forwarding.sh b/regress/forwarding.sh
index fb4f35aff..2539db9b7 100644
--- a/regress/forwarding.sh
+++ b/regress/forwarding.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: forwarding.sh,v 1.15 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: forwarding.sh,v 1.16 2016/04/14 23:57:17 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="local and remote forwarding" 4tid="local and remote forwarding"
@@ -59,7 +59,7 @@ for d in L R; do
59 -$d ${base}01:127.0.0.1:$PORT \ 59 -$d ${base}01:127.0.0.1:$PORT \
60 -$d ${base}02:127.0.0.1:$PORT \ 60 -$d ${base}02:127.0.0.1:$PORT \
61 -$d ${base}03:127.0.0.1:$PORT \ 61 -$d ${base}03:127.0.0.1:$PORT \
62 -$d ${base}01:127.0.0.1:$PORT \ 62 -$d ${base}01:localhost:$PORT \
63 -$d ${base}04:127.0.0.1:$PORT \ 63 -$d ${base}04:127.0.0.1:$PORT \
64 -oExitOnForwardFailure=yes somehost true 64 -oExitOnForwardFailure=yes somehost true
65 r=$? 65 r=$?
diff --git a/regress/integrity.sh b/regress/integrity.sh
index 1d4976771..bfadc6b48 100644
--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: integrity.sh,v 1.16 2015/03/24 20:22:17 markus Exp $ 1# $OpenBSD: integrity.sh,v 1.18 2016/03/04 02:48:06 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="integrity" 4tid="integrity"
@@ -54,7 +54,7 @@ for m in $macs; do
54 fail "ssh -m $m succeeds with bit-flip at $off" 54 fail "ssh -m $m succeeds with bit-flip at $off"
55 fi 55 fi
56 ecnt=`expr $ecnt + 1` 56 ecnt=`expr $ecnt + 1`
57 out=$(tail -2 $TEST_SSH_LOGFILE | egrep -v "^debug" | \ 57 out=$(egrep -v "^debug" $TEST_SSH_LOGFILE | tail -2 | \
58 tr -s '\r\n' '.') 58 tr -s '\r\n' '.')
59 case "$out" in 59 case "$out" in
60 Bad?packet*) elen=`expr $elen + 1`; skip=3;; 60 Bad?packet*) elen=`expr $elen + 1`; skip=3;;
diff --git a/regress/misc/Makefile b/regress/misc/Makefile
new file mode 100644
index 000000000..14c0c279f
--- /dev/null
+++ b/regress/misc/Makefile
@@ -0,0 +1,3 @@
1SUBDIR= kexfuzz
2
3.include <bsd.subdir.mk>
diff --git a/regress/misc/kexfuzz/Makefile b/regress/misc/kexfuzz/Makefile
new file mode 100644
index 000000000..3018b632f
--- /dev/null
+++ b/regress/misc/kexfuzz/Makefile
@@ -0,0 +1,78 @@
1# $OpenBSD: Makefile,v 1.1 2016/03/04 02:30:37 djm Exp $
2
3.include <bsd.own.mk>
4.include <bsd.obj.mk>
5
6# XXX detect from ssh binary?
7SSH1?= no
8OPENSSL?= yes
9
10PROG= kexfuzz
11SRCS= kexfuzz.c
12NOMAN= 1
13
14.if (${OPENSSL:L} == "yes")
15CFLAGS+= -DWITH_OPENSSL
16.else
17# SSH v.1 requires OpenSSL.
18SSH1= no
19.endif
20
21.if (${SSH1:L} == "yes")
22CFLAGS+= -DWITH_SSH1
23.endif
24
25# enable warnings
26WARNINGS=Yes
27
28DEBUG=-g
29CFLAGS+= -fstack-protector-all
30CDIAGFLAGS= -Wall
31CDIAGFLAGS+= -Wextra
32CDIAGFLAGS+= -Werror
33CDIAGFLAGS+= -Wchar-subscripts
34CDIAGFLAGS+= -Wcomment
35CDIAGFLAGS+= -Wformat
36CDIAGFLAGS+= -Wformat-security
37CDIAGFLAGS+= -Wimplicit
38CDIAGFLAGS+= -Winline
39CDIAGFLAGS+= -Wmissing-declarations
40CDIAGFLAGS+= -Wmissing-prototypes
41CDIAGFLAGS+= -Wparentheses
42CDIAGFLAGS+= -Wpointer-arith
43CDIAGFLAGS+= -Wreturn-type
44CDIAGFLAGS+= -Wshadow
45CDIAGFLAGS+= -Wsign-compare
46CDIAGFLAGS+= -Wstrict-aliasing
47CDIAGFLAGS+= -Wstrict-prototypes
48CDIAGFLAGS+= -Wswitch
49CDIAGFLAGS+= -Wtrigraphs
50CDIAGFLAGS+= -Wuninitialized
51CDIAGFLAGS+= -Wunused
52.if ${COMPILER_VERSION} == "gcc4"
53CDIAGFLAGS+= -Wpointer-sign
54CDIAGFLAGS+= -Wold-style-definition
55.endif
56
57SSHREL=../../../../../usr.bin/ssh
58
59CFLAGS+=-I${.CURDIR}/${SSHREL}
60
61.if exists(${.CURDIR}/${SSHREL}/lib/${__objdir})
62LDADD+=-L${.CURDIR}/${SSHREL}/lib/${__objdir} -lssh
63DPADD+=${.CURDIR}/${SSHREL}/lib/${__objdir}/libssh.a
64.else
65LDADD+=-L${.CURDIR}/${SSHREL}/lib -lssh
66DPADD+=${.CURDIR}/${SSHREL}/lib/libssh.a
67.endif
68
69LDADD+= -lutil -lz
70DPADD+= ${LIBUTIL} ${LIBZ}
71
72.if (${OPENSSL:L} == "yes")
73LDADD+= -lcrypto
74DPADD+= ${LIBCRYPTO}
75.endif
76
77.include <bsd.prog.mk>
78
diff --git a/regress/misc/kexfuzz/README b/regress/misc/kexfuzz/README
new file mode 100644
index 000000000..8b215b5bf
--- /dev/null
+++ b/regress/misc/kexfuzz/README
@@ -0,0 +1,28 @@
1This is a harness to help with fuzzing KEX.
2
3To use it, you first set it to count packets in each direction:
4
5./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key -c
6S2C: 29
7C2S: 31
8
9Then get it to record a particular packet (in this case the 4th
10packet from client->server):
11
12./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \
13 -d -D C2S -i 3 -f packet_3
14
15Fuzz the packet somehow:
16
17dd if=/dev/urandom of=packet_3 bs=32 count=1 # Just for example
18
19Then re-run the key exchange substituting the modified packet in
20its original sequence:
21
22./kexfuzz -K diffie-hellman-group1-sha1 -k host_ed25519_key \
23 -r -D C2S -i 3 -f packet_3
24
25A comprehensive KEX fuzz run would fuzz every packet in both
26directions for each key exchange type and every hostkey type.
27This will take some time.
28
diff --git a/regress/misc/kexfuzz/kexfuzz.c b/regress/misc/kexfuzz/kexfuzz.c
new file mode 100644
index 000000000..2894d3a1e
--- /dev/null
+++ b/regress/misc/kexfuzz/kexfuzz.c
@@ -0,0 +1,410 @@
1/* $OpenBSD: kexfuzz.c,v 1.1 2016/03/04 02:30:37 djm Exp $ */
2/*
3 * Fuzz harness for KEX code
4 *
5 * Placed in the public domain
6 */
7
8#include "includes.h"
9
10#include <sys/types.h>
11#include <sys/param.h>
12#include <stdio.h>
13#ifdef HAVE_STDINT_H
14# include <stdint.h>
15#endif
16#include <stdlib.h>
17#include <string.h>
18#include <unistd.h>
19#include <fcntl.h>
20#ifdef HAVE_ERR_H
21# include <err.h>
22#endif
23
24#include "ssherr.h"
25#include "ssh_api.h"
26#include "sshbuf.h"
27#include "packet.h"
28#include "myproposal.h"
29#include "authfile.h"
30
31struct ssh *active_state = NULL; /* XXX - needed for linking */
32
33void kex_tests(void);
34static int do_debug = 0;
35
36enum direction { S2C, C2S };
37
38static int
39do_send_and_receive(struct ssh *from, struct ssh *to, int mydirection,
40 int *packet_count, int trigger_direction, int packet_index,
41 const char *dump_path, struct sshbuf *replace_data)
42{
43 u_char type;
44 size_t len, olen;
45 const u_char *buf;
46 int r;
47 FILE *dumpfile;
48
49 for (;;) {
50 if ((r = ssh_packet_next(from, &type)) != 0) {
51 fprintf(stderr, "ssh_packet_next: %s\n", ssh_err(r));
52 return r;
53 }
54 if (type != 0)
55 return 0;
56 buf = ssh_output_ptr(from, &len);
57 olen = len;
58 if (do_debug) {
59 printf("%s packet %d type %u len %zu:\n",
60 mydirection == S2C ? "s2c" : "c2s",
61 *packet_count, type, len);
62 sshbuf_dump_data(buf, len, stdout);
63 }
64 if (mydirection == trigger_direction &&
65 packet_index == *packet_count) {
66 if (replace_data != NULL) {
67 buf = sshbuf_ptr(replace_data);
68 len = sshbuf_len(replace_data);
69 if (do_debug) {
70 printf("***** replaced packet "
71 "len %zu\n", len);
72 sshbuf_dump_data(buf, len, stdout);
73 }
74 } else if (dump_path != NULL) {
75 if ((dumpfile = fopen(dump_path, "w+")) == NULL)
76 err(1, "fopen %s", dump_path);
77 if (len != 0 &&
78 fwrite(buf, len, 1, dumpfile) != 1)
79 err(1, "fwrite %s", dump_path);
80 if (do_debug)
81 printf("***** dumped packet "
82 "len %zu\n", len);
83 fclose(dumpfile);
84 exit(0);
85 }
86 }
87 (*packet_count)++;
88 if (len == 0)
89 return 0;
90 if ((r = ssh_input_append(to, buf, len)) != 0 ||
91 (r = ssh_output_consume(from, olen)) != 0)
92 return r;
93 }
94}
95
96/* Minimal test_helper.c scaffholding to make this standalone */
97const char *in_test = NULL;
98#define TEST_START(a) \
99 do { \
100 in_test = (a); \
101 if (do_debug) \
102 fprintf(stderr, "test %s starting\n", in_test); \
103 } while (0)
104#define TEST_DONE() \
105 do { \
106 if (do_debug) \
107 fprintf(stderr, "test %s done\n", \
108 in_test ? in_test : "???"); \
109 in_test = NULL; \
110 } while(0)
111#define ASSERT_INT_EQ(a, b) \
112 do { \
113 if ((int)(a) != (int)(b)) { \
114 fprintf(stderr, "%s %s:%d " \
115 "%s (%d) != expected %s (%d)\n", \
116 in_test ? in_test : "(none)", \
117 __func__, __LINE__, #a, (int)(a), #b, (int)(b)); \
118 exit(2); \
119 } \
120 } while (0)
121#define ASSERT_INT_GE(a, b) \
122 do { \
123 if ((int)(a) < (int)(b)) { \
124 fprintf(stderr, "%s %s:%d " \
125 "%s (%d) < expected %s (%d)\n", \
126 in_test ? in_test : "(none)", \
127 __func__, __LINE__, #a, (int)(a), #b, (int)(b)); \
128 exit(2); \
129 } \
130 } while (0)
131#define ASSERT_PTR_NE(a, b) \
132 do { \
133 if ((a) == (b)) { \
134 fprintf(stderr, "%s %s:%d " \
135 "%s (%p) != expected %s (%p)\n", \
136 in_test ? in_test : "(none)", \
137 __func__, __LINE__, #a, (a), #b, (b)); \
138 exit(2); \
139 } \
140 } while (0)
141
142
143static void
144run_kex(struct ssh *client, struct ssh *server, int *s2c, int *c2s,
145 int direction, int packet_index,
146 const char *dump_path, struct sshbuf *replace_data)
147{
148 int r = 0;
149
150 while (!server->kex->done || !client->kex->done) {
151 if ((r = do_send_and_receive(server, client, S2C, s2c,
152 direction, packet_index, dump_path, replace_data)))
153 break;
154 if ((r = do_send_and_receive(client, server, C2S, c2s,
155 direction, packet_index, dump_path, replace_data)))
156 break;
157 }
158 if (do_debug)
159 printf("done: %s\n", ssh_err(r));
160 ASSERT_INT_EQ(r, 0);
161 ASSERT_INT_EQ(server->kex->done, 1);
162 ASSERT_INT_EQ(client->kex->done, 1);
163}
164
165static void
166do_kex_with_key(const char *kex, struct sshkey *prvkey, int *c2s, int *s2c,
167 int direction, int packet_index,
168 const char *dump_path, struct sshbuf *replace_data)
169{
170 struct ssh *client = NULL, *server = NULL, *server2 = NULL;
171 struct sshkey *pubkey = NULL;
172 struct sshbuf *state;
173 struct kex_params kex_params;
174 char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
175 char *keyname = NULL;
176
177 TEST_START("sshkey_from_private");
178 ASSERT_INT_EQ(sshkey_from_private(prvkey, &pubkey), 0);
179 TEST_DONE();
180
181 TEST_START("ssh_init");
182 memcpy(kex_params.proposal, myproposal, sizeof(myproposal));
183 if (kex != NULL)
184 kex_params.proposal[PROPOSAL_KEX_ALGS] = strdup(kex);
185 keyname = strdup(sshkey_ssh_name(prvkey));
186 ASSERT_PTR_NE(keyname, NULL);
187 kex_params.proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = keyname;
188 ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0);
189 ASSERT_INT_EQ(ssh_init(&server, 1, &kex_params), 0);
190 ASSERT_PTR_NE(client, NULL);
191 ASSERT_PTR_NE(server, NULL);
192 TEST_DONE();
193
194 TEST_START("ssh_add_hostkey");
195 ASSERT_INT_EQ(ssh_add_hostkey(server, prvkey), 0);
196 ASSERT_INT_EQ(ssh_add_hostkey(client, pubkey), 0);
197 TEST_DONE();
198
199 TEST_START("kex");
200 run_kex(client, server, s2c, c2s, direction, packet_index,
201 dump_path, replace_data);
202 TEST_DONE();
203
204 TEST_START("rekeying client");
205 ASSERT_INT_EQ(kex_send_kexinit(client), 0);
206 run_kex(client, server, s2c, c2s, direction, packet_index,
207 dump_path, replace_data);
208 TEST_DONE();
209
210 TEST_START("rekeying server");
211 ASSERT_INT_EQ(kex_send_kexinit(server), 0);
212 run_kex(client, server, s2c, c2s, direction, packet_index,
213 dump_path, replace_data);
214 TEST_DONE();
215
216 TEST_START("ssh_packet_get_state");
217 state = sshbuf_new();
218 ASSERT_PTR_NE(state, NULL);
219 ASSERT_INT_EQ(ssh_packet_get_state(server, state), 0);
220 ASSERT_INT_GE(sshbuf_len(state), 1);
221 TEST_DONE();
222
223 TEST_START("ssh_packet_set_state");
224 server2 = NULL;
225 ASSERT_INT_EQ(ssh_init(&server2, 1, NULL), 0);
226 ASSERT_PTR_NE(server2, NULL);
227 ASSERT_INT_EQ(ssh_add_hostkey(server2, prvkey), 0);
228 kex_free(server2->kex); /* XXX or should ssh_packet_set_state()? */
229 ASSERT_INT_EQ(ssh_packet_set_state(server2, state), 0);
230 ASSERT_INT_EQ(sshbuf_len(state), 0);
231 sshbuf_free(state);
232 ASSERT_PTR_NE(server2->kex, NULL);
233 /* XXX we need to set the callbacks */
234 server2->kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
235 server2->kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
236 server2->kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
237 server2->kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
238#ifdef OPENSSL_HAS_ECC
239 server2->kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
240#endif
241 server2->kex->kex[KEX_C25519_SHA256] = kexc25519_server;
242 server2->kex->load_host_public_key = server->kex->load_host_public_key;
243 server2->kex->load_host_private_key = server->kex->load_host_private_key;
244 server2->kex->sign = server->kex->sign;
245 TEST_DONE();
246
247 TEST_START("rekeying server2");
248 ASSERT_INT_EQ(kex_send_kexinit(server2), 0);
249 run_kex(client, server2, s2c, c2s, direction, packet_index,
250 dump_path, replace_data);
251 ASSERT_INT_EQ(kex_send_kexinit(client), 0);
252 run_kex(client, server2, s2c, c2s, direction, packet_index,
253 dump_path, replace_data);
254 TEST_DONE();
255
256 TEST_START("cleanup");
257 sshkey_free(pubkey);
258 ssh_free(client);
259 ssh_free(server);
260 ssh_free(server2);
261 free(keyname);
262 TEST_DONE();
263}
264
265static void
266usage(void)
267{
268 fprintf(stderr,
269 "Usage: kexfuzz [-hcdrv] [-D direction] [-f data_file]\n"
270 " [-K kex_alg] [-k private_key] [-i packet_index]\n"
271 "\n"
272 "Options:\n"
273 " -h Display this help\n"
274 " -c Count packets sent during KEX\n"
275 " -d Dump mode: record KEX packet to data file\n"
276 " -r Replace mode: replace packet with data file\n"
277 " -v Turn on verbose logging\n"
278 " -D S2C|C2S Packet direction for replacement or dump\n"
279 " -f data_file Path to data file for replacement or dump\n"
280 " -K kex_alg Name of KEX algorithm to test (see below)\n"
281 " -k private_key Path to private key file\n"
282 " -i packet_index Index of packet to replace or dump (from 0)\n"
283 "\n"
284 "Available KEX algorithms: %s\n", kex_alg_list(' '));
285}
286
287static void
288badusage(const char *bad)
289{
290 fprintf(stderr, "Invalid options\n");
291 fprintf(stderr, "%s\n", bad);
292 usage();
293 exit(1);
294}
295
296int
297main(int argc, char **argv)
298{
299 int ch, fd, r;
300 int count_flag = 0, dump_flag = 0, replace_flag = 0;
301 int packet_index = -1, direction = -1;
302 int s2c = 0, c2s = 0; /* packet counts */
303 const char *kex = NULL, *kpath = NULL, *data_path = NULL;
304 struct sshkey *key = NULL;
305 struct sshbuf *replace_data = NULL;
306
307 setvbuf(stdout, NULL, _IONBF, 0);
308 while ((ch = getopt(argc, argv, "hcdrvD:f:K:k:i:")) != -1) {
309 switch (ch) {
310 case 'h':
311 usage();
312 return 0;
313 case 'c':
314 count_flag = 1;
315 break;
316 case 'd':
317 dump_flag = 1;
318 break;
319 case 'r':
320 replace_flag = 1;
321 break;
322 case 'v':
323 do_debug = 1;
324 break;
325
326 case 'D':
327 if (strcasecmp(optarg, "s2c") == 0)
328 direction = S2C;
329 else if (strcasecmp(optarg, "c2s") == 0)
330 direction = C2S;
331 else
332 badusage("Invalid direction (-D)");
333 break;
334 case 'f':
335 data_path = optarg;
336 break;
337 case 'K':
338 kex = optarg;
339 break;
340 case 'k':
341 kpath = optarg;
342 break;
343 case 'i':
344 packet_index = atoi(optarg);
345 if (packet_index < 0)
346 badusage("Invalid packet index");
347 break;
348 default:
349 badusage("unsupported flag");
350 }
351 }
352 argc -= optind;
353 argv += optind;
354
355 /* Must select a single mode */
356 if ((count_flag + dump_flag + replace_flag) != 1)
357 badusage("Must select one mode: -c, -d or -r");
358 /* KEX type is mandatory */
359 if (kex == NULL || !kex_names_valid(kex) || strchr(kex, ',') != NULL)
360 badusage("Missing or invalid kex type (-K flag)");
361 /* Valid key is mandatory */
362 if (kpath == NULL)
363 badusage("Missing private key (-k flag)");
364 if ((fd = open(kpath, O_RDONLY)) == -1)
365 err(1, "open %s", kpath);
366 if ((r = sshkey_load_private_type_fd(fd, KEY_UNSPEC, NULL,
367 &key, NULL)) != 0)
368 errx(1, "Unable to load key %s: %s", kpath, ssh_err(r));
369 close(fd);
370 /* XXX check that it is a private key */
371 /* XXX support certificates */
372 if (key == NULL || key->type == KEY_UNSPEC || key->type == KEY_RSA1)
373 badusage("Invalid key file (-k flag)");
374
375 /* Replace (fuzz) mode */
376 if (replace_flag) {
377 if (packet_index == -1 || direction == -1 || data_path == NULL)
378 badusage("Replace (-r) mode must specify direction "
379 "(-D) packet index (-i) and data path (-f)");
380 if ((fd = open(data_path, O_RDONLY)) == -1)
381 err(1, "open %s", data_path);
382 replace_data = sshbuf_new();
383 if ((r = sshkey_load_file(fd, replace_data)) != 0)
384 errx(1, "read %s: %s", data_path, ssh_err(r));
385 close(fd);
386 }
387
388 /* Dump mode */
389 if (dump_flag) {
390 if (packet_index == -1 || direction == -1 || data_path == NULL)
391 badusage("Dump (-d) mode must specify direction "
392 "(-D), packet index (-i) and data path (-f)");
393 }
394
395 /* Count mode needs no further flags */
396
397 do_kex_with_key(kex, key, &c2s, &s2c,
398 direction, packet_index,
399 dump_flag ? data_path : NULL,
400 replace_flag ? replace_data : NULL);
401 sshkey_free(key);
402 sshbuf_free(replace_data);
403
404 if (count_flag) {
405 printf("S2C: %d\n", s2c);
406 printf("C2S: %d\n", c2s);
407 }
408
409 return 0;
410}
diff --git a/regress/modpipe.c b/regress/modpipe.c
index e854f9e07..5f4824b51 100755
--- a/regress/modpipe.c
+++ b/regress/modpipe.c
@@ -25,36 +25,11 @@
25#include <stdarg.h> 25#include <stdarg.h>
26#include <stdlib.h> 26#include <stdlib.h>
27#include <errno.h> 27#include <errno.h>
28#ifdef HAVE_ERR_H
29# include <err.h>
30#endif
28#include "openbsd-compat/getopt_long.c" 31#include "openbsd-compat/getopt_long.c"
29 32
30static void err(int, const char *, ...) __attribute__((format(printf, 2, 3)));
31static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3)));
32
33static void
34err(int r, const char *fmt, ...)
35{
36 va_list args;
37
38 va_start(args, fmt);
39 fprintf(stderr, "%s: ", strerror(errno));
40 vfprintf(stderr, fmt, args);
41 fputc('\n', stderr);
42 va_end(args);
43 exit(r);
44}
45
46static void
47errx(int r, const char *fmt, ...)
48{
49 va_list args;
50
51 va_start(args, fmt);
52 vfprintf(stderr, fmt, args);
53 fputc('\n', stderr);
54 va_end(args);
55 exit(r);
56}
57
58static void 33static void
59usage(void) 34usage(void)
60{ 35{
diff --git a/regress/netcat.c b/regress/netcat.c
index 6234ba019..98a08b1ec 100644
--- a/regress/netcat.c
+++ b/regress/netcat.c
@@ -61,6 +61,9 @@
61# include <sys/poll.h> 61# include <sys/poll.h>
62# endif 62# endif
63#endif 63#endif
64#ifdef HAVE_ERR_H
65# include <err.h>
66#endif
64 67
65/* Telnet options from arpa/telnet.h */ 68/* Telnet options from arpa/telnet.h */
66#define IAC 255 69#define IAC 255
@@ -134,46 +137,6 @@ void usage(int);
134ssize_t drainbuf(int, unsigned char *, size_t *); 137ssize_t drainbuf(int, unsigned char *, size_t *);
135ssize_t fillbuf(int, unsigned char *, size_t *); 138ssize_t fillbuf(int, unsigned char *, size_t *);
136 139
137static void err(int, const char *, ...) __attribute__((format(printf, 2, 3)));
138static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3)));
139static void warn(const char *, ...) __attribute__((format(printf, 1, 2)));
140
141static void
142err(int r, const char *fmt, ...)
143{
144 va_list args;
145
146 va_start(args, fmt);
147 fprintf(stderr, "%s: ", strerror(errno));
148 vfprintf(stderr, fmt, args);
149 fputc('\n', stderr);
150 va_end(args);
151 exit(r);
152}
153
154static void
155errx(int r, const char *fmt, ...)
156{
157 va_list args;
158
159 va_start(args, fmt);
160 vfprintf(stderr, fmt, args);
161 fputc('\n', stderr);
162 va_end(args);
163 exit(r);
164}
165
166static void
167warn(const char *fmt, ...)
168{
169 va_list args;
170
171 va_start(args, fmt);
172 fprintf(stderr, "%s: ", strerror(errno));
173 vfprintf(stderr, fmt, args);
174 fputc('\n', stderr);
175 va_end(args);
176}
177 140
178int 141int
179main(int argc, char *argv[]) 142main(int argc, char *argv[])
diff --git a/regress/sshcfgparse.sh b/regress/sshcfgparse.sh
new file mode 100644
index 000000000..010e02865
--- /dev/null
+++ b/regress/sshcfgparse.sh
@@ -0,0 +1,29 @@
1# $OpenBSD: sshcfgparse.sh,v 1.2 2016/07/14 01:24:21 dtucker Exp $
2# Placed in the Public Domain.
3
4tid="ssh config parse"
5
6verbose "reparse minimal config"
7(${SSH} -G -F $OBJ/ssh_config somehost >$OBJ/ssh_config.1 &&
8 ${SSH} -G -F $OBJ/ssh_config.1 somehost >$OBJ/ssh_config.2 &&
9 diff $OBJ/ssh_config.1 $OBJ/ssh_config.2) || fail "reparse minimal config"
10
11verbose "ssh -W opts"
12f=`${SSH} -GF $OBJ/ssh_config host | awk '/exitonforwardfailure/{print $2}'`
13test "$f" = "no" || fail "exitonforwardfailure default"
14f=`${SSH} -GF $OBJ/ssh_config -W a:1 h | awk '/exitonforwardfailure/{print $2}'`
15test "$f" = "yes" || fail "exitonforwardfailure enable"
16f=`${SSH} -GF $OBJ/ssh_config -W a:1 -o exitonforwardfailure=no h | \
17 awk '/exitonforwardfailure/{print $2}'`
18test "$f" = "no" || fail "exitonforwardfailure override"
19
20f=`${SSH} -GF $OBJ/ssh_config host | awk '/clearallforwardings/{print $2}'`
21test "$f" = "no" || fail "clearallforwardings default"
22f=`${SSH} -GF $OBJ/ssh_config -W a:1 h | awk '/clearallforwardings/{print $2}'`
23test "$f" = "yes" || fail "clearallforwardings enable"
24f=`${SSH} -GF $OBJ/ssh_config -W a:1 -o clearallforwardings=no h | \
25 awk '/clearallforwardings/{print $2}'`
26test "$f" = "no" || fail "clearallforwardings override"
27
28# cleanup
29rm -f $OBJ/ssh_config.[012]
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 114e129f2..1b6526d0b 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: test-exec.sh,v 1.51 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: test-exec.sh,v 1.53 2016/04/15 02:57:10 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4#SUDO=sudo 4#SUDO=sudo
@@ -221,6 +221,7 @@ echo "#!/bin/sh" > $SSHLOGWRAP
221echo "exec ${SSH} -E${TEST_SSH_LOGFILE} "'"$@"' >>$SSHLOGWRAP 221echo "exec ${SSH} -E${TEST_SSH_LOGFILE} "'"$@"' >>$SSHLOGWRAP
222 222
223chmod a+rx $OBJ/ssh-log-wrapper.sh 223chmod a+rx $OBJ/ssh-log-wrapper.sh
224REAL_SSH="$SSH"
224SSH="$SSHLOGWRAP" 225SSH="$SSHLOGWRAP"
225 226
226# Some test data. We make a copy because some tests will overwrite it. 227# Some test data. We make a copy because some tests will overwrite it.
@@ -411,6 +412,13 @@ cat << EOF > $OBJ/sshd_config
411 Subsystem sftp $SFTPSERVER 412 Subsystem sftp $SFTPSERVER
412EOF 413EOF
413 414
415# This may be necessary if /usr/src and/or /usr/obj are group-writable,
416# but if you aren't careful with permissions then the unit tests could
417# be abused to locally escalate privileges.
418if [ ! -z "$TEST_SSH_UNSAFE_PERMISSIONS" ]; then
419 echo "StrictModes no" >> $OBJ/sshd_config
420fi
421
414if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then 422if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then
415 trace "adding sshd_config option $TEST_SSH_SSHD_CONFOPTS" 423 trace "adding sshd_config option $TEST_SSH_SSHD_CONFOPTS"
416 echo "$TEST_SSH_SSHD_CONFOPTS" >> $OBJ/sshd_config 424 echo "$TEST_SSH_SSHD_CONFOPTS" >> $OBJ/sshd_config
diff --git a/regress/unittests/Makefile b/regress/unittests/Makefile
index d3d90823f..0a95d4b20 100644
--- a/regress/unittests/Makefile
+++ b/regress/unittests/Makefile
@@ -1,5 +1,5 @@
1# $OpenBSD: Makefile,v 1.5 2015/02/16 22:21:03 djm Exp $ 1# $OpenBSD: Makefile,v 1.6 2016/05/26 19:14:25 schwarze Exp $
2REGRESS_FAIL_EARLY= yes 2REGRESS_FAIL_EARLY= yes
3SUBDIR= test_helper sshbuf sshkey bitmap kex hostkeys 3SUBDIR= test_helper sshbuf sshkey bitmap kex hostkeys utf8
4 4
5.include <bsd.subdir.mk> 5.include <bsd.subdir.mk>
diff --git a/regress/unittests/sshbuf/test_sshbuf_misc.c b/regress/unittests/sshbuf/test_sshbuf_misc.c
index f155491a0..762a6c31c 100644
--- a/regress/unittests/sshbuf/test_sshbuf_misc.c
+++ b/regress/unittests/sshbuf/test_sshbuf_misc.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_sshbuf_misc.c,v 1.1 2014/04/30 05:32:00 djm Exp $ */ 1/* $OpenBSD: test_sshbuf_misc.c,v 1.2 2016/05/03 13:48:33 djm Exp $ */
2/* 2/*
3 * Regress test for sshbuf.h buffer API 3 * Regress test for sshbuf.h buffer API
4 * 4 *
@@ -134,5 +134,34 @@ sshbuf_misc_tests(void)
134 ASSERT_U32_EQ(PEEK_U32(sshbuf_ptr(p1)), 0xd00fd00f); 134 ASSERT_U32_EQ(PEEK_U32(sshbuf_ptr(p1)), 0xd00fd00f);
135 sshbuf_free(p1); 135 sshbuf_free(p1);
136 TEST_DONE(); 136 TEST_DONE();
137
138 TEST_START("sshbuf_dup_string");
139 p1 = sshbuf_new();
140 ASSERT_PTR_NE(p1, NULL);
141 /* Check empty buffer */
142 p = sshbuf_dup_string(p1);
143 ASSERT_PTR_NE(p, NULL);
144 ASSERT_SIZE_T_EQ(strlen(p), 0);
145 free(p);
146 /* Check buffer with string */
147 ASSERT_INT_EQ(sshbuf_put(p1, "quad1", strlen("quad1")), 0);
148 p = sshbuf_dup_string(p1);
149 ASSERT_PTR_NE(p, NULL);
150 ASSERT_SIZE_T_EQ(strlen(p), strlen("quad1"));
151 ASSERT_STRING_EQ(p, "quad1");
152 free(p);
153 /* Check buffer with terminating nul */
154 ASSERT_INT_EQ(sshbuf_put(p1, "\0", 1), 0);
155 p = sshbuf_dup_string(p1);
156 ASSERT_PTR_NE(p, NULL);
157 ASSERT_SIZE_T_EQ(strlen(p), strlen("quad1"));
158 ASSERT_STRING_EQ(p, "quad1");
159 free(p);
160 /* Check buffer with data after nul (expect failure) */
161 ASSERT_INT_EQ(sshbuf_put(p1, "quad2", strlen("quad2")), 0);
162 p = sshbuf_dup_string(p1);
163 ASSERT_PTR_EQ(p, NULL);
164 sshbuf_free(p1);
165 TEST_DONE();
137} 166}
138 167
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
index 1f160d1a7..1476dc2e3 100644
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_sshkey.c,v 1.9 2015/12/07 02:20:46 djm Exp $ */ 1/* $OpenBSD: test_sshkey.c,v 1.10 2016/05/02 09:52:00 djm Exp $ */
2/* 2/*
3 * Regress test for sshkey.h key management API 3 * Regress test for sshkey.h key management API
4 * 4 *
@@ -455,7 +455,7 @@ sshkey_tests(void)
455 put_opt(k1->cert->extensions, "permit-X11-forwarding", NULL); 455 put_opt(k1->cert->extensions, "permit-X11-forwarding", NULL);
456 put_opt(k1->cert->extensions, "permit-agent-forwarding", NULL); 456 put_opt(k1->cert->extensions, "permit-agent-forwarding", NULL);
457 ASSERT_INT_EQ(sshkey_from_private(k2, &k1->cert->signature_key), 0); 457 ASSERT_INT_EQ(sshkey_from_private(k2, &k1->cert->signature_key), 0);
458 ASSERT_INT_EQ(sshkey_certify(k1, k2), 0); 458 ASSERT_INT_EQ(sshkey_certify(k1, k2, NULL), 0);
459 b = sshbuf_new(); 459 b = sshbuf_new();
460 ASSERT_PTR_NE(b, NULL); 460 ASSERT_PTR_NE(b, NULL);
461 ASSERT_INT_EQ(sshkey_putb(k1, b), 0); 461 ASSERT_INT_EQ(sshkey_putb(k1, b), 0);
diff --git a/regress/unittests/test_helper/Makefile b/regress/unittests/test_helper/Makefile
index 5b3894cbf..78026e653 100644
--- a/regress/unittests/test_helper/Makefile
+++ b/regress/unittests/test_helper/Makefile
@@ -1,9 +1,8 @@
1# $OpenBSD: Makefile,v 1.2 2015/01/20 22:58:57 djm Exp $ 1# $OpenBSD: Makefile,v 1.3 2016/07/04 18:01:44 guenther Exp $
2 2
3LIB= test_helper 3LIB= test_helper
4SRCS= test_helper.c fuzz.c 4SRCS= test_helper.c fuzz.c
5 5
6DEBUGLIBS= no
7NOPROFILE= yes 6NOPROFILE= yes
8NOPIC= yes 7NOPIC= yes
9 8
diff --git a/regress/unittests/utf8/Makefile b/regress/unittests/utf8/Makefile
new file mode 100644
index 000000000..150ea2f2e
--- /dev/null
+++ b/regress/unittests/utf8/Makefile
@@ -0,0 +1,12 @@
1# $OpenBSD: Makefile,v 1.2 2016/05/30 12:14:08 schwarze Exp $
2
3TEST_ENV= "MALLOC_OPTIONS=CFGJPRSUX"
4
5PROG=test_utf8
6SRCS=tests.c
7REGRESS_TARGETS=run-regress-${PROG}
8
9run-regress-${PROG}: ${PROG}
10 env ${TEST_ENV} ./${PROG}
11
12.include <bsd.regress.mk>
diff --git a/regress/unittests/utf8/tests.c b/regress/unittests/utf8/tests.c
new file mode 100644
index 000000000..fad2ec279
--- /dev/null
+++ b/regress/unittests/utf8/tests.c
@@ -0,0 +1,82 @@
1/* $OpenBSD: tests.c,v 1.2 2016/05/30 12:05:56 schwarze Exp $ */
2/*
3 * Regress test for the utf8.h *mprintf() API
4 *
5 * Written by Ingo Schwarze <schwarze@openbsd.org> in 2016
6 * and placed in the public domain.
7 */
8
9#include <locale.h>
10#include <string.h>
11
12#include "test_helper.h"
13
14#include "utf8.h"
15
16void badarg(void);
17void one(const char *, const char *, int, int, int, const char *);
18
19void
20badarg(void)
21{
22 char buf[16];
23 int len, width;
24
25 width = 1;
26 TEST_START("utf8_badarg");
27 len = snmprintf(buf, sizeof(buf), &width, "\377");
28 ASSERT_INT_EQ(len, -1);
29 ASSERT_STRING_EQ(buf, "");
30 ASSERT_INT_EQ(width, 0);
31 TEST_DONE();
32}
33
34void
35one(const char *name, const char *mbs, int width,
36 int wantwidth, int wantlen, const char *wants)
37{
38 char buf[16];
39 int *wp;
40 int len;
41
42 if (wantlen == -2)
43 wantlen = strlen(wants);
44 (void)strlcpy(buf, "utf8_", sizeof(buf));
45 (void)strlcat(buf, name, sizeof(buf));
46 TEST_START(buf);
47 wp = wantwidth == -2 ? NULL : &width;
48 len = snmprintf(buf, sizeof(buf), wp, "%s", mbs);
49 ASSERT_INT_EQ(len, wantlen);
50 ASSERT_STRING_EQ(buf, wants);
51 ASSERT_INT_EQ(width, wantwidth);
52 TEST_DONE();
53}
54
55void
56tests(void)
57{
58 char *loc;
59
60 TEST_START("utf8_setlocale");
61 loc = setlocale(LC_CTYPE, "en_US.UTF-8");
62 ASSERT_PTR_NE(loc, NULL);
63 TEST_DONE();
64
65 badarg();
66 one("null", NULL, 8, 6, 6, "(null)");
67 one("empty", "", 2, 0, 0, "");
68 one("ascii", "x", -2, -2, -2, "x");
69 one("newline", "a\nb", -2, -2, -2, "a\nb");
70 one("cr", "a\rb", -2, -2, -2, "a\rb");
71 one("tab", "a\tb", -2, -2, -2, "a\tb");
72 one("esc", "\033x", -2, -2, -2, "\\033x");
73 one("inv_badbyte", "\377x", -2, -2, -2, "\\377x");
74 one("inv_nocont", "\341x", -2, -2, -2, "\\341x");
75 one("inv_nolead", "a\200b", -2, -2, -2, "a\\200b");
76 one("sz_ascii", "1234567890123456", -2, -2, 16, "123456789012345");
77 one("sz_esc", "123456789012\033", -2, -2, 16, "123456789012");
78 one("width_ascii", "123", 2, 2, -1, "12");
79 one("width_double", "a\343\201\201", 2, 1, -1, "a");
80 one("double_fit", "a\343\201\201", 3, 3, 4, "a\343\201\201");
81 one("double_spc", "a\343\201\201", 4, 3, 4, "a\343\201\201");
82}