New upstream release (7.4p1).

author: Colin Watson <cjwatson@debian.org> 2016-12-20 00:22:53 +0000
committer: Colin Watson <cjwatson@debian.org> 2016-12-23 19:08:35 +0000
commit: ee52365e713e546dbd878d73d9590dbaccd760ba (patch)
tree: 841d0d9ae73e83070bcc3b46218ebdd18142dda3 /regress
parent: 8a4a5c22e363ad6a110ad9b787170297f5da8f04 (diff)
parent: 2103d3e5566c54e08a59be750579a249e46747d7 (diff)
31 files changed, 414 insertions, 144 deletions
diff --git a/regress/Makefile b/regress/Makefile
index 08fd82dbf..c2dba4fdf 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.88 2016/06/03 04:10:41 dtucker Exp $
+#       $OpenBSD: Makefile,v 1.94 2016/12/16 03:51:19 dtucker Exp $
 REGRESS_TARGETS=        unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
 tests:          prep $(REGRESS_TARGETS)
@@ -39,6 +39,7 @@ LTESTS= 	connect \
                keyscan \
                keygen-change \
                keygen-convert \
+                keygen-moduli \
                key-options \
                scp \
                sftp \
@@ -77,7 +78,8 @@ LTESTS= 	connect \
                hostkey-rotate \
                principals-command \
                cert-file \
-                cfginclude
+                cfginclude \
+                allow-deny-users
 #               dhgex \
@@ -87,9 +89,10 @@ INTEROP_TESTS=	putty-transfer putty-ciphers putty-kex conch-ciphers
 #LTESTS=        cipher-speed
-USER!=          id -un
+USERNAME!=              id -un
-CLEANFILES=     *.core actual agent-key.* authorized_keys_${USER} \
+CLEANFILES=     *.core actual agent-key.* authorized_keys_${USERNAME} \
-                authorized_keys_${USER}.* authorized_principals_${USER} \
+                authorized_keys_${USERNAME}.* \
+                authorized_principals_${USERNAME} \
                banner.in banner.out cert_host_key* cert_user_key* \
                copy.1 copy.2 data ed25519-agent ed25519-agent* \
                ed25519-agent.pub empty.in expect failed-regress.log \
@@ -111,10 +114,10 @@ CLEANFILES=	*.core actual agent-key.* authorized_keys_${USER} \
                t6.out1 t6.out2 t7.out t7.out.pub t8.out t8.out.pub \
                t9.out t9.out.pub testdata user_*key* user_ca* user_key*
-SUDO_CLEAN+=    /var/run/testdata_${USER} /var/run/keycommand_${USER}
+SUDO_CLEAN+=    /var/run/testdata_${USERNAME} /var/run/keycommand_${USERNAME}
 # Enable all malloc(3) randomisations and checks
-TEST_ENV=      "MALLOC_OPTIONS=AFGJPRX"
+TEST_ENV=      "MALLOC_OPTIONS=CFGJRSUX"
 TEST_SSH_SSHKEYGEN?=ssh-keygen
@@ -222,4 +225,8 @@ unit:
                $$V ${.OBJDIR}/unittests/kex/test_kex ; \
                $$V ${.OBJDIR}/unittests/hostkeys/test_hostkeys \
                        -d ${.CURDIR}/unittests/hostkeys/testdata ; \
+                $$V ${.OBJDIR}/unittests/match/test_match ; \
+                if test "x${TEST_SSH_UTF8}" = "xyes"  ; then \
+                        $$V ${.OBJDIR}/unittests/utf8/test_utf8 ; \
+                fi \
        fi
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh
index 24b71f458..91621a59c 100644
--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: agent-getpeereid.sh,v 1.6 2016/05/03 14:41:04 djm Exp $
+#       $OpenBSD: agent-getpeereid.sh,v 1.7 2016/09/26 21:34:38 bluhm Exp $
 #       Placed in the Public Domain.
 tid="disallow agent attach from other uid"
diff --git a/regress/allow-deny-users.sh b/regress/allow-deny-users.sh
new file mode 100644
index 000000000..32a269afa
--- /dev/null
+++ b/regress/allow-deny-users.sh
@@ -0,0 +1,40 @@
+# Public Domain
+# Zev Weiss, 2016
+tid="AllowUsers/DenyUsers"
+me="$LOGNAME"
+if [ "x$me" == "x" ]; then
+        me=`whoami`
+fi
+other="nobody"
+test_auth()
+{
+        deny="$1"
+        allow="$2"
+        should_succeed="$3"
+        failmsg="$4"
+        start_sshd -oDenyUsers="$deny" -oAllowUsers="$allow"
+        ${SSH} -F $OBJ/ssh_config "$me@somehost" true
+        status=$?
+        if (test $status -eq 0 && ! $should_succeed) \
+            || (test $status -ne 0 && $should_succeed); then
+                fail "$failmsg"
+        fi
+        stop_sshd
+}
+#         DenyUsers     AllowUsers    should_succeed  failure_message
+test_auth ""            ""            true            "user in neither DenyUsers nor AllowUsers denied"
+test_auth "$other $me"  ""            false           "user in DenyUsers allowed"
+test_auth "$me $other"  ""            false           "user in DenyUsers allowed"
+test_auth ""            "$other"      false           "user not in AllowUsers allowed"
+test_auth ""            "$other $me"  true            "user in AllowUsers denied"
+test_auth ""            "$me $other"  true            "user in AllowUsers denied"
+test_auth "$me $other"  "$me $other"  false           "user in both DenyUsers and AllowUsers allowed"
+test_auth "$other $me"  "$other $me"  false           "user in both DenyUsers and AllowUsers allowed"
diff --git a/regress/cert-file.sh b/regress/cert-file.sh
index bad923ad0..b184e7fea 100644
--- a/regress/cert-file.sh
+++ b/regress/cert-file.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-file.sh,v 1.2 2015/09/24 07:15:39 djm Exp $
+#       $OpenBSD: cert-file.sh,v 1.4 2016/12/16 02:48:55 djm Exp $
 #       Placed in the Public Domain.
 tid="ssh with certificates"
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 319746395..7005fd55e 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-userkey.sh,v 1.16 2016/05/03 12:15:49 dtucker Exp $
+#       $OpenBSD: cert-userkey.sh,v 1.17 2016/11/30 03:01:33 djm Exp $
 #       Placed in the Public Domain.
 tid="certified user keys"
@@ -354,6 +354,20 @@ test_one "principals key option principals" success "-n mekmitasdigoat" \
 test_one "principals key option no principals" failure "" \
    authorized_keys ',principals="mekmitasdigoat"'
+# command= options vs. force-command in key
+test_one "force-command match true" success \
+    "-n ${USER} -Oforce-command=true" \
+    authorized_keys ',command="true"'
+test_one "force-command match true" failure \
+    "-n ${USER} -Oforce-command=false" \
+    authorized_keys ',command="false"'
+test_one "force-command mismatch 1" failure \
+    "-n ${USER} -Oforce-command=false" \
+    authorized_keys ',command="true"'
+test_one "force-command mismatch 2" failure \
+    "-n ${USER} -Oforce-command=true" \
+    authorized_keys ',command="false"'
 # Wrong certificate
 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
 for ktype in $PLAIN_TYPES ; do
diff --git a/regress/connect-privsep.sh b/regress/connect-privsep.sh
index ea739f614..81cedc7e5 100644
--- a/regress/connect-privsep.sh
+++ b/regress/connect-privsep.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: connect-privsep.sh,v 1.6 2015/03/03 22:35:19 markus Exp $
+#       $OpenBSD: connect-privsep.sh,v 1.8 2016/11/01 13:43:27 tb Exp $
 #       Placed in the Public Domain.
 tid="proxy connect with privsep"
@@ -27,7 +27,7 @@ done
 # Because sandbox is sensitive to changes in libc, especially malloc, retest
 # with every malloc.conf option (and none).
 if [ -z "TEST_MALLOC_OPTIONS" ]; then
-        mopts="A F G H J P R S X < >"
+        mopts="C F G J R S U X < >"
 else
        mopts=`echo $TEST_MALLOC_OPTIONS | sed 's/./& /g'`
 fi
diff --git a/regress/integrity.sh b/regress/integrity.sh
index bfadc6b48..39d310deb 100644
--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: integrity.sh,v 1.18 2016/03/04 02:48:06 dtucker Exp $
+#       $OpenBSD: integrity.sh,v 1.19 2016/11/25 02:56:49 dtucker Exp $
 #       Placed in the Public Domain.
 tid="integrity"
diff --git a/regress/keygen-moduli.sh b/regress/keygen-moduli.sh
new file mode 100644
index 000000000..d4e771383
--- /dev/null
+++ b/regress/keygen-moduli.sh
@@ -0,0 +1,18 @@
+#       $OpenBSD: keygen-moduli.sh,v 1.2 2016/09/14 00:45:31 dtucker Exp $
+#       Placed in the Public Domain.
+tid="keygen moduli"
+# Try "start at the beginning and stop after 1", "skip 1 then stop after 1"
+# and "skip 2 and run to the end with checkpointing".  Since our test data
+# file has 3 lines, these should always result in 1 line of output.
+for i in "-J1" "-j1 -J1" "-j2 -K $OBJ/moduli.ckpt"; do
+        trace "keygen $i"
+        rm -f $OBJ/moduli.out $OBJ/moduli.ckpt
+        ${SSHKEYGEN} -T $OBJ/moduli.out -f ${SRC}/moduli.in $i 2>/dev/null || \
+            fail "keygen screen failed $i"
+        lines=`wc -l <$OBJ/moduli.out`
+        test "$lines" -eq "1" || fail "expected 1 line, got $lines"
+done
+rm -f $OBJ/moduli.out $OBJ/moduli.ckpt
diff --git a/regress/keys-command.sh b/regress/keys-command.sh
index af68cf15c..9c9ada7c7 100644
--- a/regress/keys-command.sh
+++ b/regress/keys-command.sh
@@ -3,7 +3,7 @@
 tid="authorized keys from command"
-if test -z "$SUDO" ; then
+if [ -z "$SUDO" -a ! -w /var/run ]; then
        echo "skipped (SUDO not set)"
        echo "need SUDO to create file in /var/run, test won't work without"
        exit 0
diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh
index eb76f554b..12207fd99 100644
--- a/regress/login-timeout.sh
+++ b/regress/login-timeout.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: login-timeout.sh,v 1.7 2014/03/13 20:44:49 djm Exp $
+#       $OpenBSD: login-timeout.sh,v 1.8 2016/12/16 01:06:27 dtucker Exp $
 #       Placed in the Public Domain.
 tid="connect after login grace timeout"
@@ -17,7 +17,7 @@ if [ $? -ne 0 ]; then
        fail "ssh connect after login grace timeout failed with privsep"
 fi
-$SUDO kill `$SUDO cat $PIDFILE`
+stop_sshd
 trace "test login grace without privsep"
 echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config
diff --git a/regress/misc/kexfuzz/README b/regress/misc/kexfuzz/README
index 8b215b5bf..abd7b50ee 100644
--- a/regress/misc/kexfuzz/README
+++ b/regress/misc/kexfuzz/README
@@ -26,3 +26,7 @@ A comprehensive KEX fuzz run would fuzz every packet in both
 directions for each key exchange type and every hostkey type.
 This will take some time.
+Limitations: kexfuzz can't change the ordering of packets at
+present. It is limited to replacing individual packets with
+fuzzed variants with the same type. It really should allow
+insertion, deletion on replacement of packets too.
diff --git a/regress/misc/kexfuzz/kexfuzz.c b/regress/misc/kexfuzz/kexfuzz.c
index 2894d3a1e..67058027f 100644
--- a/regress/misc/kexfuzz/kexfuzz.c
+++ b/regress/misc/kexfuzz/kexfuzz.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: kexfuzz.c,v 1.1 2016/03/04 02:30:37 djm Exp $ */
+/*      $OpenBSD: kexfuzz.c,v 1.3 2016/10/11 21:49:54 djm Exp $ */
 /*
 * Fuzz harness for KEX code
 *
@@ -27,6 +27,7 @@
 #include "packet.h"
 #include "myproposal.h"
 #include "authfile.h"
+#include "log.h"
 struct ssh *active_state = NULL; /* XXX - needed for linking */
@@ -35,61 +36,93 @@ static int do_debug = 0;
 enum direction { S2C, C2S };
+struct hook_ctx {
+        struct ssh *client, *server, *server2;
+        int *c2s, *s2c;
+        int trigger_direction, packet_index;
+        const char *dump_path;
+        struct sshbuf *replace_data;
+};
 static int
-do_send_and_receive(struct ssh *from, struct ssh *to, int mydirection,
+packet_hook(struct ssh *ssh, struct sshbuf *packet, u_char *typep, void *_ctx)
-    int *packet_count, int trigger_direction, int packet_index,
+{
-    const char *dump_path, struct sshbuf *replace_data)
+        struct hook_ctx *ctx = (struct hook_ctx *)_ctx;
+        int mydirection = ssh == ctx->client ? S2C : C2S;
+        int *packet_count = mydirection == S2C ? ctx->s2c : ctx->c2s;
+        FILE *dumpfile;
+        int r;
+        if (do_debug) {
+                printf("%s packet %d type %u:\n",
+                    mydirection == S2C ? "s2c" : "c2s",
+                    *packet_count, *typep);
+                sshbuf_dump(packet, stdout);
+        }
+        if (mydirection == ctx->trigger_direction &&
+            ctx->packet_index == *packet_count) {
+                if (ctx->replace_data != NULL) {
+                        sshbuf_reset(packet);
+                        /* Type is first byte of packet */
+                        if ((r = sshbuf_get_u8(ctx->replace_data,
+                            typep)) != 0 ||
+                            (r = sshbuf_putb(packet, ctx->replace_data)) != 0)
+                                return r;
+                        if (do_debug) {
+                                printf("***** replaced packet type %u\n",
+                                    *typep);
+                                sshbuf_dump(packet, stdout);
+                        }
+                } else if (ctx->dump_path != NULL) {
+                        if ((dumpfile = fopen(ctx->dump_path, "w+")) == NULL)
+                                err(1, "fopen %s", ctx->dump_path);
+                        /* Write { type, packet } */
+                        if (fwrite(typep, 1, 1, dumpfile) != 1)
+                                err(1, "fwrite type %s", ctx->dump_path);
+                        if (sshbuf_len(packet) != 0 &&
+                            fwrite(sshbuf_ptr(packet), sshbuf_len(packet),
+                            1, dumpfile) != 1)
+                                err(1, "fwrite body %s", ctx->dump_path);
+                        if (do_debug) {
+                                printf("***** dumped packet type %u len %zu\n",
+                                    *typep, sshbuf_len(packet));
+                        }
+                        fclose(dumpfile);
+                        /* No point in continuing */
+                        exit(0);
+                }
+        }
+        (*packet_count)++;
+        return 0;
+}
+static int
+do_send_and_receive(struct ssh *from, struct ssh *to)
 {
        u_char type;
-        size_t len, olen;
+        size_t len;
        const u_char *buf;
        int r;
-        FILE *dumpfile;
        for (;;) {
                if ((r = ssh_packet_next(from, &type)) != 0) {
                        fprintf(stderr, "ssh_packet_next: %s\n", ssh_err(r));
                        return r;
                }
                if (type != 0)
                        return 0;
                buf = ssh_output_ptr(from, &len);
-                olen = len;
-                if (do_debug) {
-                        printf("%s packet %d type %u len %zu:\n",
-                            mydirection == S2C ? "s2c" : "c2s",
-                            *packet_count, type, len);
-                        sshbuf_dump_data(buf, len, stdout);
-                }
-                if (mydirection == trigger_direction &&
-                    packet_index == *packet_count) {
-                        if (replace_data != NULL) {
-                                buf = sshbuf_ptr(replace_data);
-                                len = sshbuf_len(replace_data);
-                                if (do_debug) {
-                                        printf("***** replaced packet "
-                                            "len %zu\n", len);
-                                        sshbuf_dump_data(buf, len, stdout);
-                                }
-                        } else if (dump_path != NULL) {
-                                if ((dumpfile = fopen(dump_path, "w+")) == NULL)
-                                        err(1, "fopen %s", dump_path);
-                                if (len != 0 &&
-                                    fwrite(buf, len, 1, dumpfile) != 1)
-                                        err(1, "fwrite %s", dump_path);
-                                if (do_debug)
-                                        printf("***** dumped packet "
-                                            "len %zu\n", len);
-                                fclose(dumpfile);
-                                exit(0);
-                        }
-                }
-                (*packet_count)++;
                if (len == 0)
                        return 0;
-                if ((r = ssh_input_append(to, buf, len)) != 0 ||
+                if ((r = ssh_input_append(to, buf, len)) != 0) {
-                    (r = ssh_output_consume(from, olen)) != 0)
+                        debug("ssh_input_append: %s", ssh_err(r));
+                        return r;
+                }
+                if ((r = ssh_output_consume(from, len)) != 0) {
+                        debug("ssh_output_consume: %s", ssh_err(r));
                        return r;
+                }
        }
 }
@@ -141,19 +174,19 @@ const char *in_test = NULL;
 static void
-run_kex(struct ssh *client, struct ssh *server, int *s2c, int *c2s,
+run_kex(struct ssh *client, struct ssh *server)
-    int direction, int packet_index,
-    const char *dump_path, struct sshbuf *replace_data)
 {
        int r = 0;
        while (!server->kex->done || !client->kex->done) {
-                if ((r = do_send_and_receive(server, client, S2C, s2c,
+                if ((r = do_send_and_receive(server, client)) != 0) {
-                    direction, packet_index, dump_path, replace_data)))
+                        debug("do_send_and_receive S2C: %s", ssh_err(r));
                        break;
-                if ((r = do_send_and_receive(client, server, C2S, c2s,
+                }
-                    direction, packet_index, dump_path, replace_data)))
+                if ((r = do_send_and_receive(client, server)) != 0) {
+                        debug("do_send_and_receive C2S: %s", ssh_err(r));
                        break;
+                }
        }
        if (do_debug)
                printf("done: %s\n", ssh_err(r));
@@ -173,6 +206,7 @@ do_kex_with_key(const char *kex, struct sshkey *prvkey, int *c2s, int *s2c,
        struct kex_params kex_params;
        char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
        char *keyname = NULL;
+        struct hook_ctx hook_ctx;
        TEST_START("sshkey_from_private");
        ASSERT_INT_EQ(sshkey_from_private(prvkey, &pubkey), 0);
@@ -187,30 +221,42 @@ do_kex_with_key(const char *kex, struct sshkey *prvkey, int *c2s, int *s2c,
        kex_params.proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = keyname;
        ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0);
        ASSERT_INT_EQ(ssh_init(&server, 1, &kex_params), 0);
+        ASSERT_INT_EQ(ssh_init(&server2, 1, NULL), 0);
        ASSERT_PTR_NE(client, NULL);
        ASSERT_PTR_NE(server, NULL);
+        ASSERT_PTR_NE(server2, NULL);
        TEST_DONE();
+        hook_ctx.c2s = c2s;
+        hook_ctx.s2c = s2c;
+        hook_ctx.trigger_direction = direction;
+        hook_ctx.packet_index = packet_index;
+        hook_ctx.dump_path = dump_path;
+        hook_ctx.replace_data = replace_data;
+        hook_ctx.client = client;
+        hook_ctx.server = server;
+        hook_ctx.server2 = server2;
+        ssh_packet_set_input_hook(client, packet_hook, &hook_ctx);
+        ssh_packet_set_input_hook(server, packet_hook, &hook_ctx);
+        ssh_packet_set_input_hook(server2, packet_hook, &hook_ctx);
        TEST_START("ssh_add_hostkey");
        ASSERT_INT_EQ(ssh_add_hostkey(server, prvkey), 0);
        ASSERT_INT_EQ(ssh_add_hostkey(client, pubkey), 0);
        TEST_DONE();
        TEST_START("kex");
-        run_kex(client, server, s2c, c2s, direction, packet_index,
+        run_kex(client, server);
-            dump_path, replace_data);
        TEST_DONE();
        TEST_START("rekeying client");
        ASSERT_INT_EQ(kex_send_kexinit(client), 0);
-        run_kex(client, server, s2c, c2s, direction, packet_index,
+        run_kex(client, server);
-            dump_path, replace_data);
        TEST_DONE();
        TEST_START("rekeying server");
        ASSERT_INT_EQ(kex_send_kexinit(server), 0);
-        run_kex(client, server, s2c, c2s, direction, packet_index,
+        run_kex(client, server);
-            dump_path, replace_data);
        TEST_DONE();
        TEST_START("ssh_packet_get_state");
@@ -221,9 +267,6 @@ do_kex_with_key(const char *kex, struct sshkey *prvkey, int *c2s, int *s2c,
        TEST_DONE();
        TEST_START("ssh_packet_set_state");
-        server2 = NULL;
-        ASSERT_INT_EQ(ssh_init(&server2, 1, NULL), 0);
-        ASSERT_PTR_NE(server2, NULL);
        ASSERT_INT_EQ(ssh_add_hostkey(server2, prvkey), 0);
        kex_free(server2->kex); /* XXX or should ssh_packet_set_state()? */
        ASSERT_INT_EQ(ssh_packet_set_state(server2, state), 0);
@@ -231,12 +274,17 @@ do_kex_with_key(const char *kex, struct sshkey *prvkey, int *c2s, int *s2c,
        sshbuf_free(state);
        ASSERT_PTR_NE(server2->kex, NULL);
        /* XXX we need to set the callbacks */
+#ifdef WITH_OPENSSL
        server2->kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
        server2->kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
+        server2->kex->kex[KEX_DH_GRP14_SHA256] = kexdh_server;
+        server2->kex->kex[KEX_DH_GRP16_SHA512] = kexdh_server;
+        server2->kex->kex[KEX_DH_GRP18_SHA512] = kexdh_server;
        server2->kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
        server2->kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
-#ifdef OPENSSL_HAS_ECC
+# ifdef OPENSSL_HAS_ECC
        server2->kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+# endif
 #endif
        server2->kex->kex[KEX_C25519_SHA256] = kexc25519_server;
        server2->kex->load_host_public_key = server->kex->load_host_public_key;
@@ -246,11 +294,9 @@ do_kex_with_key(const char *kex, struct sshkey *prvkey, int *c2s, int *s2c,
        TEST_START("rekeying server2");
        ASSERT_INT_EQ(kex_send_kexinit(server2), 0);
-        run_kex(client, server2, s2c, c2s, direction, packet_index,
+        run_kex(client, server2);
-            dump_path, replace_data);
        ASSERT_INT_EQ(kex_send_kexinit(client), 0);
-        run_kex(client, server2, s2c, c2s, direction, packet_index,
+        run_kex(client, server2);
-            dump_path, replace_data);
        TEST_DONE();
        TEST_START("cleanup");
@@ -352,6 +398,9 @@ main(int argc, char **argv)
        argc -= optind;
        argv += optind;
+        log_init(argv[0], do_debug ? SYSLOG_LEVEL_DEBUG3 : SYSLOG_LEVEL_INFO,
+            SYSLOG_FACILITY_USER, 1);
        /* Must select a single mode */
        if ((count_flag + dump_flag + replace_flag) != 1)
                badusage("Must select one mode: -c, -d or -r");
diff --git a/regress/moduli.in b/regress/moduli.in
new file mode 100644
index 000000000..e69c902a2
--- /dev/null
+++ b/regress/moduli.in
@@ -0,0 +1,3 @@
+20160301052556 2 6 100 2047 5 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D19F4647
+20160301052601 2 6 100 2047 2 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D1A5C13B
+20160301052612 2 6 100 2047 5 DA57B18976E9C55CEAC3BFFF70419A1550258EA7359400BD4FAC8F4203B73E0BC54D62C0A2D9AA9B543FACA0290514EA426DE6FEF897CB858243511DCE5170420C799D888DCFDC4502FF49B66F34E75C00E98A55408A791FF5CFEA7C288F8E6664226A6A90BE237D2E40C207B5AD0CAEDFDA4946E63AEA351A09EF462515FED4098694241CD07E2CB7727B39B8B1B9467D72DFB908D8169F5DB3CD5A6BEBE1344C585A882508B760402E86EB9B5548A7B98635ECFCDC02FF62B29C53847142FC598ADC66F622F6E9F73BDF02B3D795C0DF23D00E5A3A7748F3E1D5B06F46D4568CE3F4CC57E67D4C36DF5C12800620698C727CC5F5BCACF3B7E17E37D1B7A3EF
diff --git a/regress/principals-command.sh b/regress/principals-command.sh
index c0be7e747..9b38eb105 100644
--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $
+#       $OpenBSD: principals-command.sh,v 1.3 2016/09/26 21:34:38 bluhm Exp $
 #       Placed in the Public Domain.
 tid="authorized principals command"
@@ -6,41 +6,56 @@ tid="authorized principals command"
 rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
-if test -z "$SUDO" ; then
+if [ -z "$SUDO" -a ! -w /var/run ]; then
        echo "skipped (SUDO not set)"
        echo "need SUDO to create file in /var/run, test won't work without"
        exit 0
 fi
+SERIAL=$$
+# Create a CA key and a user certificate.
+${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key || \
+        fatal "ssh-keygen of user_ca_key failed"
+${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/cert_user_key || \
+        fatal "ssh-keygen of cert_user_key failed"
+${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \
+    -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
+        fatal "couldn't sign cert_user_key"
+CERT_BODY=`cat $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
+CA_BODY=`cat $OBJ/user_ca_key.pub | awk '{ print $2 }'`
+CERT_FP=`${SSHKEYGEN} -lf $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'`
+CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'`
 # Establish a AuthorizedPrincipalsCommand in /var/run where it will have
 # acceptable directory permissions.
-PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
+PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
-cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
+cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
 #!/bin/sh
 test "x\$1" != "x${LOGNAME}" && exit 1
+test "x\$2" != "xssh-rsa-cert-v01@openssh.com" && exit 1
+test "x\$3" != "xssh-ed25519" && exit 1
+test "x\$4" != "xJoanne User" && exit 1
+test "x\$5" != "x${SERIAL}" && exit 1
+test "x\$6" != "x${CA_FP}" && exit 1
+test "x\$7" != "x${CERT_FP}" && exit 1
+test "x\$8" != "x${CERT_BODY}" && exit 1
+test "x\$9" != "x${CA_BODY}" && exit 1
 test -f "$OBJ/authorized_principals_${LOGNAME}" &&
        exec cat "$OBJ/authorized_principals_${LOGNAME}"
 _EOF
 test $? -eq 0 || fatal "couldn't prepare principals command"
-$SUDO chmod 0755 "$PRINCIPALS_CMD"
+$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
-if ! $OBJ/check-perm -m keys-command $PRINCIPALS_CMD ; then
+if ! $OBJ/check-perm -m keys-command $PRINCIPALS_COMMAND ; then
-        echo "skipping: $PRINCIPALS_CMD is unsuitable as " \
+        echo "skipping: $PRINCIPALS_COMMAND is unsuitable as " \
            "AuthorizedPrincipalsCommand"
-        $SUDO rm -f $PRINCIPALS_CMD
+        $SUDO rm -f $PRINCIPALS_COMMAND
        exit 0
 fi
-# Create a CA key and a user certificate.
+if [ -x $PRINCIPALS_COMMAND ]; then
-${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key || \
-        fatal "ssh-keygen of user_ca_key failed"
-${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \
-        fatal "ssh-keygen of cert_user_key failed"
-${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
-    -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
-        fatal "couldn't sign cert_user_key"
-if [ -x $PRINCIPALS_CMD ]; then
        # Test explicitly-specified principals
        for privsep in yes no ; do
                _prefix="privsep $privsep"
@@ -51,7 +66,8 @@ if [ -x $PRINCIPALS_CMD ]; then
                        cat $OBJ/sshd_proxy_bak
                        echo "UsePrivilegeSeparation $privsep"
                        echo "AuthorizedKeysFile none"
-                        echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
+                        echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \
+                            "%u %t %T %i %s %F %f %k %K"
                        echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
                        echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
                ) > $OBJ/sshd_proxy
diff --git a/regress/putty-ciphers.sh b/regress/putty-ciphers.sh
index 3775b1d80..9adba674e 100644
--- a/regress/putty-ciphers.sh
+++ b/regress/putty-ciphers.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: putty-ciphers.sh,v 1.4 2013/05/17 04:29:14 dtucker Exp $
+#       $OpenBSD: putty-ciphers.sh,v 1.5 2016/11/25 03:02:01 dtucker Exp $
 #       Placed in the Public Domain.
 tid="putty ciphers"
diff --git a/regress/putty-kex.sh b/regress/putty-kex.sh
index 6ae229005..9d3c6a9f0 100644
--- a/regress/putty-kex.sh
+++ b/regress/putty-kex.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: putty-kex.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
+#       $OpenBSD: putty-kex.sh,v 1.4 2016/11/25 03:02:01 dtucker Exp $
 #       Placed in the Public Domain.
 tid="putty KEX"
diff --git a/regress/putty-transfer.sh b/regress/putty-transfer.sh
index cb1da94fa..8eb6ae0c0 100644
--- a/regress/putty-transfer.sh
+++ b/regress/putty-transfer.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: putty-transfer.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
+#       $OpenBSD: putty-transfer.sh,v 1.4 2016/11/25 03:02:01 dtucker Exp $
 #       Placed in the Public Domain.
 tid="putty transfer data"
diff --git a/regress/reexec.sh b/regress/reexec.sh
index 5c0a7b46f..72957d4cd 100644
--- a/regress/reexec.sh
+++ b/regress/reexec.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: reexec.sh,v 1.8 2015/03/03 22:35:19 markus Exp $
+#       $OpenBSD: reexec.sh,v 1.10 2016/12/16 01:06:27 dtucker Exp $
 #       Placed in the Public Domain.
 tid="reexec tests"
@@ -39,8 +39,7 @@ echo "InvalidXXX=no" >> $OBJ/sshd_config
 copy_tests
-$SUDO kill `$SUDO cat $PIDFILE`
+stop_sshd
-rm -f $PIDFILE
 cp $OBJ/sshd_config.orig $OBJ/sshd_config
@@ -54,8 +53,7 @@ rm -f $SSHD_COPY
 copy_tests
-$SUDO kill `$SUDO cat $PIDFILE`
+stop_sshd
-rm -f $PIDFILE
 verbose "test reexec fallback without privsep"
@@ -67,7 +65,6 @@ rm -f $SSHD_COPY
 copy_tests
-$SUDO kill `$SUDO cat $PIDFILE`
+stop_sshd
-rm -f $PIDFILE
 fi
diff --git a/regress/sftp-chroot.sh b/regress/sftp-chroot.sh
index 9c26eb680..4ea2fce85 100644
--- a/regress/sftp-chroot.sh
+++ b/regress/sftp-chroot.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: sftp-chroot.sh,v 1.4 2014/01/20 00:00:30 dtucker Exp $
+#       $OpenBSD: sftp-chroot.sh,v 1.5 2016/09/26 21:34:38 bluhm Exp $
 #       Placed in the Public Domain.
 tid="sftp in chroot"
@@ -7,7 +7,7 @@ CHROOT=/var/run
 FILENAME=testdata_${USER}
 PRIVDATA=${CHROOT}/${FILENAME}
-if [ -z "$SUDO" ]; then
+if [ -z "$SUDO" -a ! -w /var/run ]; then
  echo "skipped: need SUDO to create file in /var/run, test won't work without"
  exit 0
 fi
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 74b365cac..bfa48803b 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: test-exec.sh,v 1.53 2016/04/15 02:57:10 djm Exp $
+#       $OpenBSD: test-exec.sh,v 1.58 2016/12/16 01:06:27 dtucker Exp $
 #       Placed in the Public Domain.
 #SUDO=sudo
@@ -130,7 +130,8 @@ if [ "x$TEST_SSH_CONCH" != "x" ]; then
        esac
 fi
-SSH_PROTOCOLS=`$SSH -Q protocol-version`
+SSH_PROTOCOLS=2
+#SSH_PROTOCOLS=`$SSH -Q protocol-version`
 if [ "x$TEST_SSH_PROTOCOLS" != "x" ]; then
        SSH_PROTOCOLS="${TEST_SSH_PROTOCOLS}"
 fi
@@ -292,16 +293,8 @@ md5 () {
 }
 # End of portable specific functions
-# helper
+stop_sshd ()
-cleanup ()
 {
-        if [ "x$SSH_PID" != "x" ]; then
-                if [ $SSH_PID -lt 2 ]; then
-                        echo bad pid for ssh: $SSH_PID
-                else
-                        kill $SSH_PID
-                fi
-        fi
        if [ -f $PIDFILE ]; then
                pid=`$SUDO cat $PIDFILE`
                if [ "X$pid" = "X" ]; then
@@ -324,6 +317,19 @@ cleanup ()
        fi
 }
+# helper
+cleanup ()
+{
+        if [ "x$SSH_PID" != "x" ]; then
+                if [ $SSH_PID -lt 2 ]; then
+                        echo bad pid for ssh: $SSH_PID
+                else
+                        kill $SSH_PID
+                fi
+        fi
+        stop_sshd
+}
 start_debug_log ()
 {
        echo "trace: $@" >$TEST_REGRESS_LOGFILE
@@ -400,7 +406,6 @@ fi
 cat << EOF > $OBJ/sshd_config
        StrictModes             no
        Port                    $PORT
-        Protocol                $PROTO
        AddressFamily           inet
        ListenAddress           127.0.0.1
        #ListenAddress          ::1
@@ -433,7 +438,6 @@ echo 'StrictModes no' >> $OBJ/sshd_proxy
 # create client config
 cat << EOF > $OBJ/ssh_config
 Host *
-        Protocol                $PROTO
        Hostname                127.0.0.1
        HostKeyAlias            localhost-with-alias
        Port                    $PORT
diff --git a/regress/unittests/Makefile b/regress/unittests/Makefile
index 0a95d4b20..e70b16644 100644
--- a/regress/unittests/Makefile
+++ b/regress/unittests/Makefile
@@ -1,5 +1,5 @@
-#       $OpenBSD: Makefile,v 1.6 2016/05/26 19:14:25 schwarze Exp $
+#       $OpenBSD: Makefile,v 1.7 2016/08/19 06:44:13 djm Exp $
 REGRESS_FAIL_EARLY= yes
-SUBDIR= test_helper sshbuf sshkey bitmap kex hostkeys utf8
+SUBDIR= test_helper sshbuf sshkey bitmap kex hostkeys utf8 match
 .include <bsd.subdir.mk>
diff --git a/regress/unittests/Makefile.inc b/regress/unittests/Makefile.inc
index 7385e2ba3..3d9eaba5c 100644
--- a/regress/unittests/Makefile.inc
+++ b/regress/unittests/Makefile.inc
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile.inc,v 1.6 2015/07/01 23:11:18 djm Exp $
+#       $OpenBSD: Makefile.inc,v 1.9 2016/11/01 13:43:27 tb Exp $
 .include <bsd.own.mk>
 .include <bsd.obj.mk>
@@ -49,11 +49,15 @@ DPADD+=${.CURDIR}/../test_helper/libtest_helper.a
 .if exists(${.CURDIR}/${SSHREL}/lib/${__objdir})
 LDADD+=-L${.CURDIR}/${SSHREL}/lib/${__objdir} -lssh
-DPADD+=${.CURDIR}/${SSHREL}/lib/${__objdir}/libssh.a
+LIBSSH=${.CURDIR}/${SSHREL}/lib/${__objdir}/libssh.a
 .else
 LDADD+=-L${.CURDIR}/${SSHREL}/lib -lssh
-DPADD+=${.CURDIR}/${SSHREL}/lib/libssh.a
+LIBSSH=${.CURDIR}/${SSHREL}/lib/libssh.a
 .endif
+DPADD+=${LIBSSH}
+${PROG}: ${LIBSSH}
+${LIBSSH}:
+        cd ${.CURDIR}/${SSHREL} && ${MAKE} lib
 LDADD+= -lcrypto
 DPADD+= ${LIBCRYPTO}
diff --git a/regress/unittests/bitmap/Makefile b/regress/unittests/bitmap/Makefile
index b704d22d6..bd21949f8 100644
--- a/regress/unittests/bitmap/Makefile
+++ b/regress/unittests/bitmap/Makefile
@@ -1,6 +1,4 @@
-#       $OpenBSD: Makefile,v 1.1 2015/01/15 07:36:28 djm Exp $
+#       $OpenBSD: Makefile,v 1.3 2016/11/01 13:43:27 tb Exp $
-TEST_ENV=      "MALLOC_OPTIONS=AFGJPRX"
 PROG=test_bitmap
 SRCS=tests.c
diff --git a/regress/unittests/hostkeys/Makefile b/regress/unittests/hostkeys/Makefile
index f52a85fb1..ae3c342bd 100644
--- a/regress/unittests/hostkeys/Makefile
+++ b/regress/unittests/hostkeys/Makefile
@@ -1,6 +1,4 @@
-#       $OpenBSD: Makefile,v 1.1 2015/02/16 22:18:34 djm Exp $
+#       $OpenBSD: Makefile,v 1.3 2016/11/01 13:43:27 tb Exp $
-TEST_ENV=      "MALLOC_OPTIONS=AFGJPRX"
 PROG=test_hostkeys
 SRCS=tests.c test_iterate.c
diff --git a/regress/unittests/kex/Makefile b/regress/unittests/kex/Makefile
index 6532cb00a..7ed312675 100644
--- a/regress/unittests/kex/Makefile
+++ b/regress/unittests/kex/Makefile
@@ -1,6 +1,4 @@
-#       $OpenBSD: Makefile,v 1.2 2015/01/24 10:39:21 miod Exp $
+#       $OpenBSD: Makefile,v 1.4 2016/11/01 13:43:27 tb Exp $
-TEST_ENV=      "MALLOC_OPTIONS=AFGJPRX"
 PROG=test_kex
 SRCS=tests.c test_kex.c
diff --git a/regress/unittests/match/Makefile b/regress/unittests/match/Makefile
new file mode 100644
index 000000000..bd4aed844
--- /dev/null
+++ b/regress/unittests/match/Makefile
@@ -0,0 +1,10 @@
+#       $OpenBSD: Makefile,v 1.3 2016/11/01 13:43:27 tb Exp $
+PROG=test_match
+SRCS=tests.c
+REGRESS_TARGETS=run-regress-${PROG}
+run-regress-${PROG}: ${PROG}
+        env ${TEST_ENV} ./${PROG}
+.include <bsd.regress.mk>
diff --git a/regress/unittests/match/tests.c b/regress/unittests/match/tests.c
new file mode 100644
index 000000000..7ff319c16
--- /dev/null
+++ b/regress/unittests/match/tests.c
@@ -0,0 +1,113 @@
+/*      $OpenBSD: tests.c,v 1.3 2016/09/21 17:03:54 djm Exp $ */
+/*
+ * Regress test for matching functions
+ *
+ * Placed in the public domain
+ */
+#include "includes.h"
+#include <sys/types.h>
+#include <sys/param.h>
+#include <stdio.h>
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+#include "../test_helper/test_helper.h"
+#include "match.h"
+void
+tests(void)
+{
+        TEST_START("match_pattern");
+        ASSERT_INT_EQ(match_pattern("", ""), 1);
+        ASSERT_INT_EQ(match_pattern("", "aaa"), 0);
+        ASSERT_INT_EQ(match_pattern("aaa", ""), 0);
+        ASSERT_INT_EQ(match_pattern("aaa", "aaaa"), 0);
+        ASSERT_INT_EQ(match_pattern("aaaa", "aaa"), 0);
+        TEST_DONE();
+        TEST_START("match_pattern wildcard");
+        ASSERT_INT_EQ(match_pattern("", "*"), 1);
+        ASSERT_INT_EQ(match_pattern("a", "?"), 1);
+        ASSERT_INT_EQ(match_pattern("aa", "a?"), 1);
+        ASSERT_INT_EQ(match_pattern("a", "*"), 1);
+        ASSERT_INT_EQ(match_pattern("aa", "a*"), 1);
+        ASSERT_INT_EQ(match_pattern("aa", "?*"), 1);
+        ASSERT_INT_EQ(match_pattern("aa", "**"), 1);
+        ASSERT_INT_EQ(match_pattern("aa", "?a"), 1);
+        ASSERT_INT_EQ(match_pattern("aa", "*a"), 1);
+        ASSERT_INT_EQ(match_pattern("ba", "a?"), 0);
+        ASSERT_INT_EQ(match_pattern("ba", "a*"), 0);
+        ASSERT_INT_EQ(match_pattern("ab", "?a"), 0);
+        ASSERT_INT_EQ(match_pattern("ab", "*a"), 0);
+        TEST_DONE();
+        TEST_START("match_pattern_list");
+        ASSERT_INT_EQ(match_pattern_list("", "", 0), 0); /* no patterns */
+        ASSERT_INT_EQ(match_pattern_list("", "*", 0), 1);
+        ASSERT_INT_EQ(match_pattern_list("", "!*", 0), -1);
+        ASSERT_INT_EQ(match_pattern_list("", "!a,*", 0), 1);
+        ASSERT_INT_EQ(match_pattern_list("", "*,!a", 0), 1);
+        ASSERT_INT_EQ(match_pattern_list("", "a,!*", 0), -1);
+        ASSERT_INT_EQ(match_pattern_list("", "!*,a", 0), -1);
+        ASSERT_INT_EQ(match_pattern_list("a", "", 0), 0);
+        ASSERT_INT_EQ(match_pattern_list("a", "*", 0), 1);
+        ASSERT_INT_EQ(match_pattern_list("a", "!*", 0), -1);
+        ASSERT_INT_EQ(match_pattern_list("a", "!a", 0), -1);
+        /* XXX negated ASSERT_INT_EQ(match_pattern_list("a", "!b", 0), 1); */
+        ASSERT_INT_EQ(match_pattern_list("a", "!a,*", 0), -1);
+        ASSERT_INT_EQ(match_pattern_list("b", "!a,*", 0), 1);
+        ASSERT_INT_EQ(match_pattern_list("a", "*,!a", 0), -1);
+        ASSERT_INT_EQ(match_pattern_list("b", "*,!a", 0), 1);
+        ASSERT_INT_EQ(match_pattern_list("a", "a,!*", 0), -1);
+        ASSERT_INT_EQ(match_pattern_list("b", "a,!*", 0), -1);
+        ASSERT_INT_EQ(match_pattern_list("a", "a,!a", 0), -1);
+        /* XXX negated ASSERT_INT_EQ(match_pattern_list("b", "a,!a", 0), 1); */
+        ASSERT_INT_EQ(match_pattern_list("a", "!*,a", 0), -1);
+        ASSERT_INT_EQ(match_pattern_list("b", "!*,a", 0), -1);
+        TEST_DONE();
+        TEST_START("match_pattern_list lowercase");
+        ASSERT_INT_EQ(match_pattern_list("abc", "ABC", 0), 0);
+        ASSERT_INT_EQ(match_pattern_list("ABC", "abc", 0), 0);
+        ASSERT_INT_EQ(match_pattern_list("abc", "ABC", 1), 1);
+        ASSERT_INT_EQ(match_pattern_list("ABC", "abc", 1), 0);
+        TEST_DONE();
+        TEST_START("addr_match_list");
+        ASSERT_INT_EQ(addr_match_list("127.0.0.1", "127.0.0.1/44"), -2);
+        ASSERT_INT_EQ(addr_match_list(NULL, "127.0.0.1/44"), -2);
+        ASSERT_INT_EQ(addr_match_list("a", "*"), 0);
+        ASSERT_INT_EQ(addr_match_list("127.0.0.1", "*"), 1);
+        ASSERT_INT_EQ(addr_match_list(NULL, "*"), 0);
+        ASSERT_INT_EQ(addr_match_list("127.0.0.1", "127.0.0.1"), 1);
+        ASSERT_INT_EQ(addr_match_list("127.0.0.1", "127.0.0.2"), 0);
+        ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.0.1"), -1);
+        /* XXX negated ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.0.2"), 1); */
+        ASSERT_INT_EQ(addr_match_list("127.0.0.255", "127.0.0.0/24"), 1);
+        ASSERT_INT_EQ(addr_match_list("127.0.1.1", "127.0.0.0/24"), 0);
+        ASSERT_INT_EQ(addr_match_list("127.0.0.1", "127.0.0.0/24"), 1);
+        ASSERT_INT_EQ(addr_match_list("127.0.0.1", "127.0.1.0/24"), 0);
+        ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.0.0/24"), -1);
+        /* XXX negated ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.1.0/24"), 1); */
+        ASSERT_INT_EQ(addr_match_list("127.0.0.1", "10.0.0.1,!127.0.0.1"), -1);
+        ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.0.1,10.0.0.1"), -1);
+        ASSERT_INT_EQ(addr_match_list("127.0.0.1", "10.0.0.1,127.0.0.2"), 0);
+        ASSERT_INT_EQ(addr_match_list("127.0.0.1", "127.0.0.2,10.0.0.1"), 0);
+        /* XXX negated ASSERT_INT_EQ(addr_match_list("127.0.0.1", "10.0.0.1,!127.0.0.2"), 1); */
+        /* XXX negated ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.0.2,10.0.0.1"), 1); */
+        TEST_DONE();
+/*
+ * XXX TODO
+ * int      match_host_and_ip(const char *, const char *, const char *);
+ * int      match_user(const char *, const char *, const char *, const char *);
+ * char    *match_list(const char *, const char *, u_int *);
+ * int      addr_match_cidr_list(const char *, const char *);
+ */
+}
diff --git a/regress/unittests/sshbuf/Makefile b/regress/unittests/sshbuf/Makefile
index 85f99ac38..69b27566b 100644
--- a/regress/unittests/sshbuf/Makefile
+++ b/regress/unittests/sshbuf/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.1 2014/04/30 05:32:00 djm Exp $
+#       $OpenBSD: Makefile,v 1.5 2016/11/01 13:43:27 tb Exp $
 PROG=test_sshbuf
 SRCS=tests.c
diff --git a/regress/unittests/sshkey/Makefile b/regress/unittests/sshkey/Makefile
index 1bcd26676..cfbfcf8f1 100644
--- a/regress/unittests/sshkey/Makefile
+++ b/regress/unittests/sshkey/Makefile
@@ -1,6 +1,4 @@
-#       $OpenBSD: Makefile,v 1.1 2014/06/24 01:14:18 djm Exp $
+#       $OpenBSD: Makefile,v 1.4 2016/11/01 13:43:27 tb Exp $
-TEST_ENV=      "MALLOC_OPTIONS=AFGJPRX"
 PROG=test_sshkey
 SRCS=tests.c test_sshkey.c test_file.c test_fuzz.c common.c
diff --git a/regress/unittests/utf8/Makefile b/regress/unittests/utf8/Makefile
index 150ea2f2e..a975264fc 100644
--- a/regress/unittests/utf8/Makefile
+++ b/regress/unittests/utf8/Makefile
@@ -1,6 +1,4 @@
-#       $OpenBSD: Makefile,v 1.2 2016/05/30 12:14:08 schwarze Exp $
+#       $OpenBSD: Makefile,v 1.4 2016/11/01 13:43:27 tb Exp $
-TEST_ENV=       "MALLOC_OPTIONS=CFGJPRSUX"
 PROG=test_utf8
 SRCS=tests.c
diff --git a/regress/unittests/utf8/tests.c b/regress/unittests/utf8/tests.c
index fad2ec279..31f9fe9c3 100644
--- a/regress/unittests/utf8/tests.c
+++ b/regress/unittests/utf8/tests.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tests.c,v 1.2 2016/05/30 12:05:56 schwarze Exp $ */
+/*      $OpenBSD: tests.c,v 1.3 2016/12/19 04:55:18 djm Exp $ */
 /*
 * Regress test for the utf8.h *mprintf() API
 *
@@ -6,10 +6,12 @@
 * and placed in the public domain.
 */
+#include "includes.h"
 #include <locale.h>
 #include <string.h>
-#include "test_helper.h"
+#include "../test_helper/test_helper.h"
 #include "utf8.h"
@@ -63,7 +65,6 @@ tests(void)
        TEST_DONE();
        badarg();
-        one("null", NULL, 8, 6, 6, "(null)");
        one("empty", "", 2, 0, 0, "");
        one("ascii", "x", -2, -2, -2, "x");
        one("newline", "a\nb", -2, -2, -2, "a\nb");
author	Colin Watson <cjwatson@debian.org>	2016-12-20 00:22:53 +0000
committer	Colin Watson <cjwatson@debian.org>	2016-12-23 19:08:35 +0000
commit	ee52365e713e546dbd878d73d9590dbaccd760ba (patch)
tree	841d0d9ae73e83070bcc3b46218ebdd18142dda3 /regress
parent	8a4a5c22e363ad6a110ad9b787170297f5da8f04 (diff)
parent	2103d3e5566c54e08a59be750579a249e46747d7 (diff)