diff options
| author | Damien Miller <djm@mindrot.org> | 2013-12-07 16:32:44 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2013-12-07 16:32:44 +1100 |
| commit | f54542af3ad07532188b10136ae302314ec69ed6 (patch) | |
| tree | 2caa3c595bd1177bd6bfabecc47c8af69d33d6c8 /regress | |
| parent | f104da263de995f66b6861b4f3368264ee483d7f (diff) | |
- markus@cvs.openbsd.org 2013/12/06 13:52:46
[regress/Makefile regress/agent.sh regress/cert-hostkey.sh]
[regress/cert-userkey.sh regress/keytype.sh]
test ed25519 support; from djm@
Diffstat (limited to 'regress')
| -rw-r--r-- | regress/Makefile | 12 | ||||
| -rw-r--r-- | regress/agent.sh | 4 | ||||
| -rw-r--r-- | regress/cert-hostkey.sh | 48 | ||||
| -rw-r--r-- | regress/cert-userkey.sh | 31 | ||||
| -rw-r--r-- | regress/keytype.sh | 4 |
5 files changed, 59 insertions, 40 deletions
diff --git a/regress/Makefile b/regress/Makefile index eca634a60..098f2014b 100644 --- a/regress/Makefile +++ b/regress/Makefile | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | # $OpenBSD: Makefile,v 1.66 2013/10/09 23:44:14 djm Exp $ | 1 | # $OpenBSD: Makefile,v 1.67 2013/12/06 13:52:46 markus Exp $ |
| 2 | 2 | ||
| 3 | REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec | 3 | REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec |
| 4 | tests: $(REGRESS_TARGETS) | 4 | tests: $(REGRESS_TARGETS) |
| 5 | 5 | ||
| 6 | # Interop tests are not run by default | 6 | # Interop tests are not run by default |
| @@ -153,6 +153,14 @@ t9: $(OBJ)/t9.out | |||
| 153 | test "${TEST_SSH_ECC}" != yes || \ | 153 | test "${TEST_SSH_ECC}" != yes || \ |
| 154 | ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t9.out > /dev/null | 154 | ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t9.out > /dev/null |
| 155 | 155 | ||
| 156 | |||
| 157 | $(OBJ)/t10.out: | ||
| 158 | ${TEST_SSH_SSHKEYGEN} -q -t ed25519 -N '' -f $@ | ||
| 159 | |||
| 160 | t10: $(OBJ)/t10.out | ||
| 161 | ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t10.out > /dev/null | ||
| 162 | ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t10.out > /dev/null | ||
| 163 | |||
| 156 | t-exec: ${LTESTS:=.sh} | 164 | t-exec: ${LTESTS:=.sh} |
| 157 | @if [ "x$?" = "x" ]; then exit 0; fi; \ | 165 | @if [ "x$?" = "x" ]; then exit 0; fi; \ |
| 158 | for TEST in ""$?; do \ | 166 | for TEST in ""$?; do \ |
diff --git a/regress/agent.sh b/regress/agent.sh index be7d91334..90bad15d4 100644 --- a/regress/agent.sh +++ b/regress/agent.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: agent.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $ | 1 | # $OpenBSD: agent.sh,v 1.9 2013/12/06 13:52:46 markus Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="simple agent test" | 4 | tid="simple agent test" |
| @@ -20,7 +20,7 @@ else | |||
| 20 | fi | 20 | fi |
| 21 | trace "overwrite authorized keys" | 21 | trace "overwrite authorized keys" |
| 22 | printf '' > $OBJ/authorized_keys_$USER | 22 | printf '' > $OBJ/authorized_keys_$USER |
| 23 | for t in rsa rsa1; do | 23 | for t in ed25519 rsa rsa1; do |
| 24 | # generate user key for agent | 24 | # generate user key for agent |
| 25 | rm -f $OBJ/$t-agent | 25 | rm -f $OBJ/$t-agent |
| 26 | ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\ | 26 | ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\ |
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 35cd39293..da2cec87d 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh | |||
| @@ -1,14 +1,8 @@ | |||
| 1 | # $OpenBSD: cert-hostkey.sh,v 1.7 2013/05/17 00:37:40 dtucker Exp $ | 1 | # $OpenBSD: cert-hostkey.sh,v 1.8 2013/12/06 13:52:46 markus Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified host keys" | 4 | tid="certified host keys" |
| 5 | 5 | ||
| 6 | # used to disable ECC based tests on platforms without ECC | ||
| 7 | ecdsa="" | ||
| 8 | if test "x$TEST_SSH_ECC" = "xyes"; then | ||
| 9 | ecdsa=ecdsa | ||
| 10 | fi | ||
| 11 | |||
| 12 | rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* | 6 | rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* |
| 13 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | 7 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
| 14 | 8 | ||
| @@ -23,8 +17,17 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ | |||
| 23 | cat $OBJ/host_ca_key.pub | 17 | cat $OBJ/host_ca_key.pub |
| 24 | ) > $OBJ/known_hosts-cert | 18 | ) > $OBJ/known_hosts-cert |
| 25 | 19 | ||
| 20 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` | ||
| 21 | |||
| 22 | type_has_legacy() { | ||
| 23 | case $1 in | ||
| 24 | ed25519*|ecdsa*) return 1 ;; | ||
| 25 | esac | ||
| 26 | return 0 | ||
| 27 | } | ||
| 28 | |||
| 26 | # Generate and sign host keys | 29 | # Generate and sign host keys |
| 27 | for ktype in rsa dsa $ecdsa ; do | 30 | for ktype in $PLAIN_TYPES ; do |
| 28 | verbose "$tid: sign host ${ktype} cert" | 31 | verbose "$tid: sign host ${ktype} cert" |
| 29 | # Generate and sign a host key | 32 | # Generate and sign a host key |
| 30 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ | 33 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ |
| @@ -34,10 +37,10 @@ for ktype in rsa dsa $ecdsa ; do | |||
| 34 | -I "regress host key for $USER" \ | 37 | -I "regress host key for $USER" \ |
| 35 | -n $HOSTS $OBJ/cert_host_key_${ktype} || | 38 | -n $HOSTS $OBJ/cert_host_key_${ktype} || |
| 36 | fail "couldn't sign cert_host_key_${ktype}" | 39 | fail "couldn't sign cert_host_key_${ktype}" |
| 37 | # v00 ecdsa certs do not exist | 40 | type_has_legacy $ktype || continue |
| 38 | test "${ktype}" = "ecdsa" && continue | ||
| 39 | cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 | 41 | cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 |
| 40 | cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub | 42 | cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub |
| 43 | verbose "$tid: sign host ${ktype}_v00 cert" | ||
| 41 | ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ | 44 | ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ |
| 42 | -I "regress host key for $USER" \ | 45 | -I "regress host key for $USER" \ |
| 43 | -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 || | 46 | -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 || |
| @@ -46,7 +49,7 @@ done | |||
| 46 | 49 | ||
| 47 | # Basic connect tests | 50 | # Basic connect tests |
| 48 | for privsep in yes no ; do | 51 | for privsep in yes no ; do |
| 49 | for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do | 52 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do |
| 50 | verbose "$tid: host ${ktype} cert connect privsep $privsep" | 53 | verbose "$tid: host ${ktype} cert connect privsep $privsep" |
| 51 | ( | 54 | ( |
| 52 | cat $OBJ/sshd_proxy_bak | 55 | cat $OBJ/sshd_proxy_bak |
| @@ -73,9 +76,16 @@ done | |||
| 73 | printf "* " | 76 | printf "* " |
| 74 | cat $OBJ/cert_host_key_rsa.pub | 77 | cat $OBJ/cert_host_key_rsa.pub |
| 75 | if test "x$TEST_SSH_ECC" = "xyes"; then | 78 | if test "x$TEST_SSH_ECC" = "xyes"; then |
| 79 | cat $OBJ/cert_host_key_ecdsa-sha2-nistp256.pub | ||
| 80 | printf '@revoked ' | ||
| 81 | printf "* " | ||
| 82 | cat $OBJ/cert_host_key_ecdsa-sha2-nistp384.pub | ||
| 83 | printf '@revoked ' | ||
| 84 | printf "* " | ||
| 85 | cat $OBJ/cert_host_key_ecdsa-sha2-nistp521.pub | ||
| 76 | printf '@revoked ' | 86 | printf '@revoked ' |
| 77 | printf "* " | 87 | printf "* " |
| 78 | cat $OBJ/cert_host_key_ecdsa.pub | 88 | cat $OBJ/cert_host_key_ed25519.pub |
| 79 | fi | 89 | fi |
| 80 | printf '@revoked ' | 90 | printf '@revoked ' |
| 81 | printf "* " | 91 | printf "* " |
| @@ -88,7 +98,7 @@ done | |||
| 88 | cat $OBJ/cert_host_key_dsa_v00.pub | 98 | cat $OBJ/cert_host_key_dsa_v00.pub |
| 89 | ) > $OBJ/known_hosts-cert | 99 | ) > $OBJ/known_hosts-cert |
| 90 | for privsep in yes no ; do | 100 | for privsep in yes no ; do |
| 91 | for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do | 101 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do |
| 92 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" | 102 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" |
| 93 | ( | 103 | ( |
| 94 | cat $OBJ/sshd_proxy_bak | 104 | cat $OBJ/sshd_proxy_bak |
| @@ -115,7 +125,7 @@ done | |||
| 115 | printf "* " | 125 | printf "* " |
| 116 | cat $OBJ/host_ca_key.pub | 126 | cat $OBJ/host_ca_key.pub |
| 117 | ) > $OBJ/known_hosts-cert | 127 | ) > $OBJ/known_hosts-cert |
| 118 | for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do | 128 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do |
| 119 | verbose "$tid: host ${ktype} revoked cert" | 129 | verbose "$tid: host ${ktype} revoked cert" |
| 120 | ( | 130 | ( |
| 121 | cat $OBJ/sshd_proxy_bak | 131 | cat $OBJ/sshd_proxy_bak |
| @@ -186,9 +196,8 @@ test_one "cert has constraints" failure "-h -Oforce-command=false" | |||
| 186 | 196 | ||
| 187 | # Check downgrade of cert to raw key when no CA found | 197 | # Check downgrade of cert to raw key when no CA found |
| 188 | for v in v01 v00 ; do | 198 | for v in v01 v00 ; do |
| 189 | for ktype in rsa dsa $ecdsa ; do | 199 | for ktype in $PLAIN_TYPES ; do |
| 190 | # v00 ecdsa certs do not exist. | 200 | type_has_legacy $ktype || continue |
| 191 | test "${v}${ktype}" = "v00ecdsa" && continue | ||
| 192 | rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* | 201 | rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* |
| 193 | verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" | 202 | verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" |
| 194 | # Generate and sign a host key | 203 | # Generate and sign a host key |
| @@ -225,9 +234,8 @@ done | |||
| 225 | cat $OBJ/host_ca_key.pub | 234 | cat $OBJ/host_ca_key.pub |
| 226 | ) > $OBJ/known_hosts-cert | 235 | ) > $OBJ/known_hosts-cert |
| 227 | for v in v01 v00 ; do | 236 | for v in v01 v00 ; do |
| 228 | for kt in rsa dsa $ecdsa ; do | 237 | for kt in $PLAIN_TYPES ; do |
| 229 | # v00 ecdsa certs do not exist. | 238 | type_has_legacy $kt || continue |
| 230 | test "${v}${ktype}" = "v00ecdsa" && continue | ||
| 231 | rm -f $OBJ/cert_host_key* | 239 | rm -f $OBJ/cert_host_key* |
| 232 | # Self-sign key | 240 | # Self-sign key |
| 233 | ${SSHKEYGEN} -q -N '' -t ${kt} \ | 241 | ${SSHKEYGEN} -q -N '' -t ${kt} \ |
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 6018b38f4..b093a9196 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh | |||
| @@ -1,23 +1,26 @@ | |||
| 1 | # $OpenBSD: cert-userkey.sh,v 1.11 2013/05/17 00:37:40 dtucker Exp $ | 1 | # $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified user keys" | 4 | tid="certified user keys" |
| 5 | 5 | ||
| 6 | # used to disable ECC based tests on platforms without ECC | ||
| 7 | ecdsa="" | ||
| 8 | if test "x$TEST_SSH_ECC" = "xyes"; then | ||
| 9 | ecdsa=ecdsa | ||
| 10 | fi | ||
| 11 | |||
| 12 | rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* | 6 | rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* |
| 13 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | 7 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
| 14 | 8 | ||
| 9 | PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` | ||
| 10 | |||
| 11 | type_has_legacy() { | ||
| 12 | case $1 in | ||
| 13 | ed25519*|ecdsa*) return 1 ;; | ||
| 14 | esac | ||
| 15 | return 0 | ||
| 16 | } | ||
| 17 | |||
| 15 | # Create a CA key | 18 | # Create a CA key |
| 16 | ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ | 19 | ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ |
| 17 | fail "ssh-keygen of user_ca_key failed" | 20 | fail "ssh-keygen of user_ca_key failed" |
| 18 | 21 | ||
| 19 | # Generate and sign user keys | 22 | # Generate and sign user keys |
| 20 | for ktype in rsa dsa $ecdsa ; do | 23 | for ktype in $PLAIN_TYPES ; do |
| 21 | verbose "$tid: sign user ${ktype} cert" | 24 | verbose "$tid: sign user ${ktype} cert" |
| 22 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ | 25 | ${SSHKEYGEN} -q -N '' -t ${ktype} \ |
| 23 | -f $OBJ/cert_user_key_${ktype} || \ | 26 | -f $OBJ/cert_user_key_${ktype} || \ |
| @@ -25,18 +28,18 @@ for ktype in rsa dsa $ecdsa ; do | |||
| 25 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ | 28 | ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ |
| 26 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || | 29 | -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || |
| 27 | fail "couldn't sign cert_user_key_${ktype}" | 30 | fail "couldn't sign cert_user_key_${ktype}" |
| 28 | # v00 ecdsa certs do not exist | 31 | type_has_legacy $ktype || continue |
| 29 | test "${ktype}" = "ecdsa" && continue | ||
| 30 | cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 | 32 | cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 |
| 31 | cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub | 33 | cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub |
| 34 | verbose "$tid: sign host ${ktype}_v00 cert" | ||
| 32 | ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ | 35 | ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ |
| 33 | "regress user key for $USER" \ | 36 | "regress user key for $USER" \ |
| 34 | -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || | 37 | -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || |
| 35 | fail "couldn't sign cert_user_key_${ktype}_v00" | 38 | fatal "couldn't sign cert_user_key_${ktype}_v00" |
| 36 | done | 39 | done |
| 37 | 40 | ||
| 38 | # Test explicitly-specified principals | 41 | # Test explicitly-specified principals |
| 39 | for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do | 42 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do |
| 40 | for privsep in yes no ; do | 43 | for privsep in yes no ; do |
| 41 | _prefix="${ktype} privsep $privsep" | 44 | _prefix="${ktype} privsep $privsep" |
| 42 | 45 | ||
| @@ -162,7 +165,7 @@ basic_tests() { | |||
| 162 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" | 165 | extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" |
| 163 | fi | 166 | fi |
| 164 | 167 | ||
| 165 | for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do | 168 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do |
| 166 | for privsep in yes no ; do | 169 | for privsep in yes no ; do |
| 167 | _prefix="${ktype} privsep $privsep $auth" | 170 | _prefix="${ktype} privsep $privsep $auth" |
| 168 | # Simple connect | 171 | # Simple connect |
| @@ -332,7 +335,7 @@ test_one "principals key option no principals" failure "" \ | |||
| 332 | 335 | ||
| 333 | # Wrong certificate | 336 | # Wrong certificate |
| 334 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy | 337 | cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
| 335 | for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do | 338 | for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do |
| 336 | case $ktype in | 339 | case $ktype in |
| 337 | *_v00) args="-t v00" ;; | 340 | *_v00) args="-t v00" ;; |
| 338 | *) args="" ;; | 341 | *) args="" ;; |
diff --git a/regress/keytype.sh b/regress/keytype.sh index 65436b2c0..2c57ec6b1 100644 --- a/regress/keytype.sh +++ b/regress/keytype.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: keytype.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $ | 1 | # $OpenBSD: keytype.sh,v 1.3 2013/12/06 13:52:46 markus Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="login with different key types" | 4 | tid="login with different key types" |
| @@ -11,7 +11,7 @@ fi | |||
| 11 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | 11 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
| 12 | cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak | 12 | cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak |
| 13 | 13 | ||
| 14 | ktypes="dsa-1024 rsa-2048 rsa-3072" | 14 | ktypes="dsa-1024 rsa-2048 rsa-3072 ed25519-512" |
| 15 | for i in `$SSH -Q key`; do | 15 | for i in `$SSH -Q key`; do |
| 16 | case "$i" in | 16 | case "$i" in |
| 17 | ecdsa-sha2-nistp256) ktype="$ktype ecdsa-256" ;; | 17 | ecdsa-sha2-nistp256) ktype="$ktype ecdsa-256" ;; |