summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog4
-rw-r--r--regress/cert-hostkey.sh174
-rw-r--r--regress/cert-userkey.sh80
3 files changed, 151 insertions, 107 deletions
diff --git a/ChangeLog b/ChangeLog
index 04eefa62b..db35d00d2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,10 @@
9 - djm@cvs.openbsd.org 2010/04/16 21:14:27 9 - djm@cvs.openbsd.org 2010/04/16 21:14:27
10 [sshconnect.c] 10 [sshconnect.c]
11 oops, %r => remote username, not %u 11 oops, %r => remote username, not %u
12 - djm@cvs.openbsd.org 2010/04/16 01:58:45
13 [regress/cert-hostkey.sh regress/cert-userkey.sh]
14 regression tests for v01 certificate format
15 includes interop tests for v00 certs
12 16
1320100416 1720100416
14 - (djm) Release openssh-5.5p1 18 - (djm) Release openssh-5.5p1
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 3fda667cb..0265e8f6b 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-hostkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
@@ -28,11 +28,17 @@ for ktype in rsa dsa ; do
28 -I "regress host key for $USER" \ 28 -I "regress host key for $USER" \
29 -n $HOSTS $OBJ/cert_host_key_${ktype} || 29 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
30 fail "couldn't sign cert_host_key_${ktype}" 30 fail "couldn't sign cert_host_key_${ktype}"
31 cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
32 cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
33 ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
34 -I "regress host key for $USER" \
35 -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
36 fail "couldn't sign cert_host_key_${ktype}_v00"
31done 37done
32 38
33# Basic connect tests 39# Basic connect tests
34for privsep in yes no ; do 40for privsep in yes no ; do
35 for ktype in rsa dsa ; do 41 for ktype in rsa dsa rsa_v00 dsa_v00; do
36 verbose "$tid: host ${ktype} cert connect privsep $privsep" 42 verbose "$tid: host ${ktype} cert connect privsep $privsep"
37 ( 43 (
38 cat $OBJ/sshd_proxy_bak 44 cat $OBJ/sshd_proxy_bak
@@ -61,9 +67,15 @@ done
61 echon '@revoked ' 67 echon '@revoked '
62 echon "* " 68 echon "* "
63 cat $OBJ/cert_host_key_dsa.pub 69 cat $OBJ/cert_host_key_dsa.pub
70 echon '@revoked '
71 echon "* "
72 cat $OBJ/cert_host_key_rsa_v00.pub
73 echon '@revoked '
74 echon "* "
75 cat $OBJ/cert_host_key_dsa_v00.pub
64) > $OBJ/known_hosts-cert 76) > $OBJ/known_hosts-cert
65for privsep in yes no ; do 77for privsep in yes no ; do
66 for ktype in rsa dsa ; do 78 for ktype in rsa dsa rsa_v00 dsa_v00; do
67 verbose "$tid: host ${ktype} revoked cert privsep $privsep" 79 verbose "$tid: host ${ktype} revoked cert privsep $privsep"
68 ( 80 (
69 cat $OBJ/sshd_proxy_bak 81 cat $OBJ/sshd_proxy_bak
@@ -90,7 +102,7 @@ done
90 echon "* " 102 echon "* "
91 cat $OBJ/host_ca_key.pub 103 cat $OBJ/host_ca_key.pub
92) > $OBJ/known_hosts-cert 104) > $OBJ/known_hosts-cert
93for ktype in rsa dsa ; do 105for ktype in rsa dsa rsa_v00 dsa_v00 ; do
94 verbose "$tid: host ${ktype} revoked cert" 106 verbose "$tid: host ${ktype} revoked cert"
95 ( 107 (
96 cat $OBJ/sshd_proxy_bak 108 cat $OBJ/sshd_proxy_bak
@@ -116,32 +128,39 @@ test_one() {
116 ident=$1 128 ident=$1
117 result=$2 129 result=$2
118 sign_opts=$3 130 sign_opts=$3
119
120 verbose "$tid: test host cert connect $ident expect $result"
121
122 ${SSHKEYGEN} -q -s $OBJ/host_ca_key -I "regress host key for $USER" \
123 $sign_opts \
124 $OBJ/cert_host_key_rsa ||
125 fail "couldn't sign cert_host_key_rsa"
126 (
127 cat $OBJ/sshd_proxy_bak
128 echo HostKey $OBJ/cert_host_key_rsa
129 echo HostCertificate $OBJ/cert_host_key_rsa-cert.pub
130 ) > $OBJ/sshd_proxy
131 131
132 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 132 for kt in rsa rsa_v00 ; do
133 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 133 case $kt in
134 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 134 *_v00) args="-t v00" ;;
135 rc=$? 135 *) args="" ;;
136 if [ "x$result" = "xsuccess" ] ; then 136 esac
137 if [ $rc -ne 0 ]; then 137
138 fail "ssh cert connect $ident failed unexpectedly" 138 verbose "$tid: host cert connect $ident $kt expect $result"
139 fi 139 ${SSHKEYGEN} -q -s $OBJ/host_ca_key \
140 else 140 -I "regress host key for $USER" \
141 if [ $rc -eq 0 ]; then 141 $sign_opts $args \
142 fail "ssh cert connect $ident succeeded unexpectedly" 142 $OBJ/cert_host_key_${kt} ||
143 fail "couldn't sign cert_host_key_${kt}"
144 (
145 cat $OBJ/sshd_proxy_bak
146 echo HostKey $OBJ/cert_host_key_${kt}
147 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
148 ) > $OBJ/sshd_proxy
149
150 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
151 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
152 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
153 rc=$?
154 if [ "x$result" = "xsuccess" ] ; then
155 if [ $rc -ne 0 ]; then
156 fail "ssh cert connect $ident failed unexpectedly"
157 fi
158 else
159 if [ $rc -eq 0 ]; then
160 fail "ssh cert connect $ident succeeded unexpectedly"
161 fi
143 fi 162 fi
144 fi 163 done
145} 164}
146 165
147test_one "user-certificate" failure "-n $HOSTS" 166test_one "user-certificate" failure "-n $HOSTS"
@@ -153,32 +172,35 @@ test_one "cert valid interval" success "-h -V-1w:+2w"
153test_one "cert has constraints" failure "-h -Oforce-command=false" 172test_one "cert has constraints" failure "-h -Oforce-command=false"
154 173
155# Check downgrade of cert to raw key when no CA found 174# Check downgrade of cert to raw key when no CA found
156rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* 175for v in v01 v00 ; do
157for ktype in rsa dsa ; do 176 for ktype in rsa dsa ; do
158 verbose "$tid: host ${ktype} cert downgrade to raw key" 177 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
159 # Generate and sign a host key 178 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
160 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 179 # Generate and sign a host key
161 -f $OBJ/cert_host_key_${ktype} || \ 180 ${SSHKEYGEN} -q -N '' -t ${ktype} \
162 fail "ssh-keygen of cert_host_key_${ktype} failed" 181 -f $OBJ/cert_host_key_${ktype} || \
163 ${SSHKEYGEN} -h -q -s $OBJ/host_ca_key -I "regress host key for $USER" \ 182 fail "ssh-keygen of cert_host_key_${ktype} failed"
164 -n $HOSTS $OBJ/cert_host_key_${ktype} || 183 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
165 fail "couldn't sign cert_host_key_${ktype}" 184 -I "regress host key for $USER" \
166 ( 185 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
167 echon "$HOSTS " 186 fail "couldn't sign cert_host_key_${ktype}"
168 cat $OBJ/cert_host_key_${ktype}.pub 187 (
169 ) > $OBJ/known_hosts-cert 188 echon "$HOSTS "
170 ( 189 cat $OBJ/cert_host_key_${ktype}.pub
171 cat $OBJ/sshd_proxy_bak 190 ) > $OBJ/known_hosts-cert
172 echo HostKey $OBJ/cert_host_key_${ktype} 191 (
173 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 192 cat $OBJ/sshd_proxy_bak
174 ) > $OBJ/sshd_proxy 193 echo HostKey $OBJ/cert_host_key_${ktype}
175 194 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
176 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 195 ) > $OBJ/sshd_proxy
177 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 196
178 -F $OBJ/ssh_proxy somehost true 197 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
179 if [ $? -ne 0 ]; then 198 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
180 fail "ssh cert connect failed" 199 -F $OBJ/ssh_proxy somehost true
181 fi 200 if [ $? -ne 0 ]; then
201 fail "ssh cert connect failed"
202 fi
203 done
182done 204done
183 205
184# Wrong certificate 206# Wrong certificate
@@ -187,25 +209,31 @@ done
187 echon "$HOSTS " 209 echon "$HOSTS "
188 cat $OBJ/host_ca_key.pub 210 cat $OBJ/host_ca_key.pub
189) > $OBJ/known_hosts-cert 211) > $OBJ/known_hosts-cert
190for ktype in rsa dsa ; do 212for v in v01 v00 ; do
191 # Self-sign key 213 for kt in rsa dsa ; do
192 ${SSHKEYGEN} -h -q -s $OBJ/cert_host_key_${ktype} \ 214 rm -f $OBJ/cert_host_key*
193 -I "regress host key for $USER" \ 215 # Self-sign key
194 -n $HOSTS $OBJ/cert_host_key_${ktype} || 216 ${SSHKEYGEN} -q -N '' -t ${kt} \
195 fail "couldn't sign cert_host_key_${ktype}" 217 -f $OBJ/cert_host_key_${kt} || \
196 verbose "$tid: host ${ktype} connect wrong cert" 218 fail "ssh-keygen of cert_host_key_${kt} failed"
197 ( 219 ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
198 cat $OBJ/sshd_proxy_bak 220 -I "regress host key for $USER" \
199 echo HostKey $OBJ/cert_host_key_${ktype} 221 -n $HOSTS $OBJ/cert_host_key_${kt} ||
200 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 222 fail "couldn't sign cert_host_key_${kt}"
201 ) > $OBJ/sshd_proxy 223 verbose "$tid: host ${kt} connect wrong cert"
202 224 (
203 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 225 cat $OBJ/sshd_proxy_bak
204 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 226 echo HostKey $OBJ/cert_host_key_${kt}
205 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 227 echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
206 if [ $? -eq 0 ]; then 228 ) > $OBJ/sshd_proxy
207 fail "ssh cert connect $ident succeeded unexpectedly" 229
208 fi 230 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
231 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
232 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
233 if [ $? -eq 0 ]; then
234 fail "ssh cert connect $ident succeeded unexpectedly"
235 fi
236 done
209done 237done
210 238
211rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* 239rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 7a58e7b75..88d6d70a4 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-userkey.sh,v 1.3 2010/03/04 10:38:23 djm Exp $ 1# $OpenBSD: cert-userkey.sh,v 1.4 2010/04/16 01:58:45 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified user keys" 4tid="certified user keys"
@@ -20,6 +20,12 @@ for ktype in rsa dsa ; do
20 "regress user key for $USER" \ 20 "regress user key for $USER" \
21 -n $USER $OBJ/cert_user_key_${ktype} || 21 -n $USER $OBJ/cert_user_key_${ktype} ||
22 fail "couldn't sign cert_user_key_${ktype}" 22 fail "couldn't sign cert_user_key_${ktype}"
23 cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
24 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
25 ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
26 "regress user key for $USER" \
27 -n $USER $OBJ/cert_user_key_${ktype}_v00 ||
28 fail "couldn't sign cert_user_key_${ktype}_v00"
23done 29done
24 30
25basic_tests() { 31basic_tests() {
@@ -35,7 +41,7 @@ basic_tests() {
35 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" 41 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
36 fi 42 fi
37 43
38 for ktype in rsa dsa ; do 44 for ktype in rsa dsa rsa_v00 dsa_v00 ; do
39 for privsep in yes no ; do 45 for privsep in yes no ; do
40 _prefix="${ktype} privsep $privsep $auth" 46 _prefix="${ktype} privsep $privsep $auth"
41 # Simple connect 47 # Simple connect
@@ -108,39 +114,41 @@ test_one() {
108 fi 114 fi
109 115
110 for auth in $auth_choice ; do 116 for auth in $auth_choice ; do
111 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy 117 for ktype in rsa rsa_v00 ; do
112 if test "x$auth" = "xauthorized_keys" ; then 118 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
113 # Add CA to authorized_keys 119 if test "x$auth" = "xauthorized_keys" ; then
114 ( 120 # Add CA to authorized_keys
115 echon 'cert-authority ' 121 (
116 cat $OBJ/user_ca_key.pub 122 echon 'cert-authority '
117 ) > $OBJ/authorized_keys_$USER 123 cat $OBJ/user_ca_key.pub
118 else 124 ) > $OBJ/authorized_keys_$USER
119 echo > $OBJ/authorized_keys_$USER 125 else
120 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" >> \ 126 echo > $OBJ/authorized_keys_$USER
121 $OBJ/sshd_proxy 127 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
122 128 >> $OBJ/sshd_proxy
123 fi
124
125 verbose "$tid: $ident auth $auth expect $result"
126 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
127 -I "regress user key for $USER" \
128 $sign_opts \
129 $OBJ/cert_user_key_rsa ||
130 fail "couldn't sign cert_user_key_rsa"
131 129
132 ${SSH} -2i $OBJ/cert_user_key_rsa -F $OBJ/ssh_proxy \
133 somehost true >/dev/null 2>&1
134 rc=$?
135 if [ "x$result" = "xsuccess" ] ; then
136 if [ $rc -ne 0 ]; then
137 fail "$ident failed unexpectedly"
138 fi 130 fi
139 else 131
140 if [ $rc -eq 0 ]; then 132 verbose "$tid: $ident auth $auth expect $result $ktype"
141 fail "$ident succeeded unexpectedly" 133 ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
134 -I "regress user key for $USER" \
135 $sign_opts \
136 $OBJ/cert_user_key_${ktype} ||
137 fail "couldn't sign cert_user_key_${ktype}"
138
139 ${SSH} -2i $OBJ/cert_user_key_${ktype} \
140 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
141 rc=$?
142 if [ "x$result" = "xsuccess" ] ; then
143 if [ $rc -ne 0 ]; then
144 fail "$ident failed unexpectedly"
145 fi
146 else
147 if [ $rc -eq 0 ]; then
148 fail "$ident succeeded unexpectedly"
149 fi
142 fi 150 fi
143 fi 151 done
144 done 152 done
145} 153}
146 154
@@ -158,9 +166,13 @@ test_one "empty principals" success "" authorized_keys
158test_one "empty principals" failure "" TrustedUserCAKeys 166test_one "empty principals" failure "" TrustedUserCAKeys
159 167
160# Wrong certificate 168# Wrong certificate
161for ktype in rsa dsa ; do 169for ktype in rsa dsa rsa_v00 dsa_v00 ; do
170 case $ktype in
171 *_v00) args="-t v00" ;;
172 *) args="" ;;
173 esac
162 # Self-sign 174 # Self-sign
163 ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \ 175 ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
164 "regress user key for $USER" \ 176 "regress user key for $USER" \
165 -n $USER $OBJ/cert_user_key_${ktype} || 177 -n $USER $OBJ/cert_user_key_${ktype} ||
166 fail "couldn't sign cert_user_key_${ktype}" 178 fail "couldn't sign cert_user_key_${ktype}"