3 files changed, 148 insertions, 12 deletions
diff --git a/regress/Makefile b/regress/Makefile
index cba83f4d6..451909c1a 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.81 2015/05/21 06:44:25 djm Exp $
+#       $OpenBSD: Makefile,v 1.82 2015/09/24 06:16:53 djm Exp $
 REGRESS_TARGETS=        unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
 tests:          prep $(REGRESS_TARGETS)
@@ -74,7 +74,8 @@ LTESTS= 	connect \
                hostkey-agent \
                keygen-knownhosts \
                hostkey-rotate \
-                principals-command
+                principals-command \
+                cert-file
 #               dhgex \
diff --git a/regress/cert-file.sh b/regress/cert-file.sh
new file mode 100644
index 000000000..f172cfd11
--- /dev/null
+++ b/regress/cert-file.sh
@@ -0,0 +1,136 @@
+#       $OpenBSD: cert-file.sh,v 1.1 2015/09/24 06:16:53 djm Exp $
+#       Placed in the Public Domain.
+tid="ssh with certificates"
+rm -f $OBJ/user_ca_key* $OBJ/user_key*
+rm -f $OBJ/cert_user_key*
+# Create a CA key
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key1 ||\
+        fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -N '' -t ed25519  -f $OBJ/user_ca_key2 ||\
+        fatal "ssh-keygen failed"
+# Make some keys and certificates.
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \
+        fatal "ssh-keygen failed"
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \
+        fatal "ssh-keygen failed"
+# Move the certificate to a different address to better control
+# when it is offered.
+${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \
+        -z $$ -n ${USER} $OBJ/user_key1 ||
+                fail "couldn't sign user_key1 with user_ca_key1"
+mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_1.pub
+${SSHKEYGEN} -q -s $OBJ/user_ca_key2 -I "regress user key for $USER" \
+        -z $$ -n ${USER} $OBJ/user_key1 ||
+                fail "couldn't sign user_key1 with user_ca_key2"
+mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub
+trace 'try with identity files'
+opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
+opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2"
+echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER
+for p in ${SSH_PROTOCOLS}; do
+        # Just keys should fail
+        ${SSH} $opts2 somehost exit 5$p
+        r=$?
+        if [ $r -eq 5$p ]; then
+                fail "ssh succeeded with no certs in protocol $p"
+        fi
+        # Keys with untrusted cert should fail.
+        opts3="$opts2 -z $OBJ/cert_user_key1_2.pub"
+        ${SSH} $opts3 somehost exit 5$p
+        r=$?
+        if [ $r -eq 5$p ]; then
+                fail "ssh succeeded with bad cert in protocol $p"
+        fi
+        # Good cert with bad key should fail.
+        opts3="$opts -i $OBJ/user_key2 -z $OBJ/cert_user_key1_1.pub"
+        ${SSH} $opts3 somehost exit 5$p
+        r=$?
+        if [ $r -eq 5$p ]; then
+                fail "ssh succeeded with no matching key in protocol $p"
+        fi
+        # Keys with one trusted cert, should succeed.
+        opts3="$opts2 -z $OBJ/cert_user_key1_1.pub"
+        ${SSH} $opts3 somehost exit 5$p
+        r=$?
+        if [ $r -ne 5$p ]; then
+                fail "ssh failed with trusted cert and key in protocol $p"
+        fi
+        # Multiple certs and keys, with one trusted cert, should succeed.
+        opts3="$opts2 -z $OBJ/cert_user_key1_2.pub -z $OBJ/cert_user_key1_1.pub"
+        ${SSH} $opts3 somehost exit 5$p
+        r=$?
+        if [ $r -ne 5$p ]; then
+                fail "ssh failed with multiple certs in protocol $p"
+        fi
+        #Keys with trusted certificate specified in config options, should succeed.
+        opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+        ${SSH} $opts3 somehost exit 5$p
+        r=$?
+        if [ $r -ne 5$p ]; then
+                fail "ssh failed with trusted cert in config in protocol $p"
+        fi
+done
+#next, using an agent in combination with the keys
+SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
+if [ $? -ne 2 ]; then
+        fatal "ssh-add -l did not fail with exit code 2"
+fi
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+        fatal "could not start ssh-agent: exit code $r"
+fi
+# add private keys to agent
+${SSHADD} -k $OBJ/user_key2 > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+        fatal "ssh-add did not succeed with exit code 0"
+fi
+${SSHADD} -k $OBJ/user_key1 > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+        fatal "ssh-add did not succeed with exit code 0"
+fi
+# try ssh with the agent and certificates
+# note: ssh agent only uses certificates in protocol 2
+opts="-F $OBJ/ssh_proxy"
+# with no certificates, shoud fail
+${SSH} -2 $opts somehost exit 52
+if [ $? -eq 52 ]; then
+        fail "ssh connect with agent in protocol 2 succeeded with no cert"
+fi
+#with an untrusted certificate, should fail
+opts="$opts -z $OBJ/cert_user_key1_2.pub"
+${SSH} -2 $opts somehost exit 52
+if [ $? -eq 52 ]; then
+        fail "ssh connect with agent in protocol 2 succeeded with bad cert"
+fi
+#with an additional trusted certificate, should succeed
+opts="$opts -z $OBJ/cert_user_key1_1.pub"
+${SSH} -2 $opts somehost exit 52
+if [ $? -ne 52 ]; then
+        fail "ssh connect with agent in protocol 2 failed with good cert"
+fi
+trace "kill agent"
+${SSHAGENT} -k > /dev/null
+#cleanup
+rm -f $OBJ/user_ca_key* $OBJ/user_key*
+rm -f $OBJ/cert_user_key*
diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh
index 2de037bd1..aaf2d2d44 100644
--- a/regress/limit-keytype.sh
+++ b/regress/limit-keytype.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: limit-keytype.sh,v 1.1 2015/01/13 07:49:49 djm Exp $
+#       $OpenBSD: limit-keytype.sh,v 1.2 2015/09/24 06:16:53 djm Exp $
 #       Placed in the Public Domain.
 tid="restrict pubkey type"
@@ -26,12 +26,11 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
 # Copy the private key alongside the cert to allow better control of when
 # it is offered.
 mv $OBJ/user_key3-cert.pub $OBJ/cert_user_key3.pub
-cp -p $OBJ/user_key3 $OBJ/cert_user_key3
 grep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy
 opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
-fullopts="$opts -i $OBJ/cert_user_key3 -i $OBJ/user_key1 -i $OBJ/user_key2"
+certopts="$opts -i $OBJ/user_key3 -oCertificateFile=$OBJ/cert_user_key3.pub"
 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
 cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER
@@ -53,28 +52,28 @@ prepare_config() {
 prepare_config
 # Check we can log in with all key types.
-${SSH} $opts -i $OBJ/cert_user_key3 proxy true || fatal "cert failed"
+${SSH} $certopts proxy true || fatal "cert failed"
 ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
 ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
 # Allow plain Ed25519 and RSA. The certificate should fail.
-verbose "privsep=$privsep allow rsa,ed25519"
+verbose "allow rsa,ed25519"
 prepare_config "PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519"
-${SSH} $opts -i $OBJ/cert_user_key3 proxy true && fatal "cert succeeded"
+${SSH} $certopt proxy true && fatal "cert succeeded"
 ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
 ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
 # Allow Ed25519 only.
-verbose "privsep=$privsep allow ed25519"
+verbose "allow ed25519"
 prepare_config "PubkeyAcceptedKeyTypes ssh-ed25519"
-${SSH} $opts -i $OBJ/cert_user_key3 proxy true && fatal "cert succeeded"
+${SSH} $certopts proxy true && fatal "cert succeeded"
 ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
 ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
 # Allow all certs. Plain keys should fail.
-verbose "privsep=$privsep allow cert only"
+verbose "allow cert only"
 prepare_config "PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com"
-${SSH} $opts -i $OBJ/cert_user_key3 proxy true || fatal "cert failed"
+${SSH} $certopts proxy true || fatal "cert failed"
 ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
 ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"

diff --git a/regress/Makefile b/regress/Makefile index cba83f4d6..451909c1a 100644 --- a/regress/Makefile +++ b/regress/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.81 2015/05/21 06:44:25 djm Exp $	1	# $OpenBSD: Makefile,v 1.82 2015/09/24 06:16:53 djm Exp $
2		2
3	REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec	3	REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
4	tests: prep $(REGRESS_TARGETS)	4	tests: prep $(REGRESS_TARGETS)
@@ -74,7 +74,8 @@ LTESTS= connect \
74	hostkey-agent \	74	hostkey-agent \
75	keygen-knownhosts \	75	keygen-knownhosts \
76	hostkey-rotate \	76	hostkey-rotate \
77	principals-command	77	principals-command \
		78	cert-file
78		79
79		80
80	# dhgex \	81	# dhgex \


diff --git a/regress/cert-file.sh b/regress/cert-file.sh new file mode 100644 index 000000000..f172cfd11 --- /dev/null +++ b/regress/cert-file.sh
@@ -0,0 +1,136 @@
		1	# $OpenBSD: cert-file.sh,v 1.1 2015/09/24 06:16:53 djm Exp $
		2	# Placed in the Public Domain.
		3
		4	tid="ssh with certificates"
		5
		6	rm -f $OBJ/user_ca_key* $OBJ/user_key*
		7	rm -f $OBJ/cert_user_key*
		8
		9	# Create a CA key
		10	${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key1 \|\|\
		11	fatal "ssh-keygen failed"
		12	${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key2 \|\|\
		13	fatal "ssh-keygen failed"
		14
		15	# Make some keys and certificates.
		16	${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 \|\| \
		17	fatal "ssh-keygen failed"
		18	${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 \|\| \
		19	fatal "ssh-keygen failed"
		20	# Move the certificate to a different address to better control
		21	# when it is offered.
		22	${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \
		23	-z $$ -n ${USER} $OBJ/user_key1 \|\|
		24	fail "couldn't sign user_key1 with user_ca_key1"
		25	mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_1.pub
		26	${SSHKEYGEN} -q -s $OBJ/user_ca_key2 -I "regress user key for $USER" \
		27	-z $$ -n ${USER} $OBJ/user_key1 \|\|
		28	fail "couldn't sign user_key1 with user_ca_key2"
		29	mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub
		30
		31	trace 'try with identity files'
		32	opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
		33	opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2"
		34	echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER
		35
		36	for p in ${SSH_PROTOCOLS}; do
		37	# Just keys should fail
		38	${SSH} $opts2 somehost exit 5$p
		39	r=$?
		40	if [ $r -eq 5$p ]; then
		41	fail "ssh succeeded with no certs in protocol $p"
		42	fi
		43
		44	# Keys with untrusted cert should fail.
		45	opts3="$opts2 -z $OBJ/cert_user_key1_2.pub"
		46	${SSH} $opts3 somehost exit 5$p
		47	r=$?
		48	if [ $r -eq 5$p ]; then
		49	fail "ssh succeeded with bad cert in protocol $p"
		50	fi
		51
		52	# Good cert with bad key should fail.
		53	opts3="$opts -i $OBJ/user_key2 -z $OBJ/cert_user_key1_1.pub"
		54	${SSH} $opts3 somehost exit 5$p
		55	r=$?
		56	if [ $r -eq 5$p ]; then
		57	fail "ssh succeeded with no matching key in protocol $p"
		58	fi
		59
		60	# Keys with one trusted cert, should succeed.
		61	opts3="$opts2 -z $OBJ/cert_user_key1_1.pub"
		62	${SSH} $opts3 somehost exit 5$p
		63	r=$?
		64	if [ $r -ne 5$p ]; then
		65	fail "ssh failed with trusted cert and key in protocol $p"
		66	fi
		67
		68	# Multiple certs and keys, with one trusted cert, should succeed.
		69	opts3="$opts2 -z $OBJ/cert_user_key1_2.pub -z $OBJ/cert_user_key1_1.pub"
		70	${SSH} $opts3 somehost exit 5$p
		71	r=$?
		72	if [ $r -ne 5$p ]; then
		73	fail "ssh failed with multiple certs in protocol $p"
		74	fi
		75
		76	#Keys with trusted certificate specified in config options, should succeed.
		77	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
		78	${SSH} $opts3 somehost exit 5$p
		79	r=$?
		80	if [ $r -ne 5$p ]; then
		81	fail "ssh failed with trusted cert in config in protocol $p"
		82	fi
		83	done
		84
		85	#next, using an agent in combination with the keys
		86	SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
		87	if [ $? -ne 2 ]; then
		88	fatal "ssh-add -l did not fail with exit code 2"
		89	fi
		90
		91	trace "start agent"
		92	eval `${SSHAGENT} -s` > /dev/null
		93	r=$?
		94	if [ $r -ne 0 ]; then
		95	fatal "could not start ssh-agent: exit code $r"
		96	fi
		97
		98	# add private keys to agent
		99	${SSHADD} -k $OBJ/user_key2 > /dev/null 2>&1
		100	if [ $? -ne 0 ]; then
		101	fatal "ssh-add did not succeed with exit code 0"
		102	fi
		103	${SSHADD} -k $OBJ/user_key1 > /dev/null 2>&1
		104	if [ $? -ne 0 ]; then
		105	fatal "ssh-add did not succeed with exit code 0"
		106	fi
		107
		108	# try ssh with the agent and certificates
		109	# note: ssh agent only uses certificates in protocol 2
		110	opts="-F $OBJ/ssh_proxy"
		111	# with no certificates, shoud fail
		112	${SSH} -2 $opts somehost exit 52
		113	if [ $? -eq 52 ]; then
		114	fail "ssh connect with agent in protocol 2 succeeded with no cert"
		115	fi
		116
		117	#with an untrusted certificate, should fail
		118	opts="$opts -z $OBJ/cert_user_key1_2.pub"
		119	${SSH} -2 $opts somehost exit 52
		120	if [ $? -eq 52 ]; then
		121	fail "ssh connect with agent in protocol 2 succeeded with bad cert"
		122	fi
		123
		124	#with an additional trusted certificate, should succeed
		125	opts="$opts -z $OBJ/cert_user_key1_1.pub"
		126	${SSH} -2 $opts somehost exit 52
		127	if [ $? -ne 52 ]; then
		128	fail "ssh connect with agent in protocol 2 failed with good cert"
		129	fi
		130
		131	trace "kill agent"
		132	${SSHAGENT} -k > /dev/null
		133
		134	#cleanup
		135	rm -f $OBJ/user_ca_key* $OBJ/user_key*
		136	rm -f $OBJ/cert_user_key*


diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh index 2de037bd1..aaf2d2d44 100644 --- a/regress/limit-keytype.sh +++ b/regress/limit-keytype.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: limit-keytype.sh,v 1.1 2015/01/13 07:49:49 djm Exp $	1	# $OpenBSD: limit-keytype.sh,v 1.2 2015/09/24 06:16:53 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="restrict pubkey type"	4	tid="restrict pubkey type"
@@ -26,12 +26,11 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
26	# Copy the private key alongside the cert to allow better control of when	26	# Copy the private key alongside the cert to allow better control of when
27	# it is offered.	27	# it is offered.
28	mv $OBJ/user_key3-cert.pub $OBJ/cert_user_key3.pub	28	mv $OBJ/user_key3-cert.pub $OBJ/cert_user_key3.pub
29	cp -p $OBJ/user_key3 $OBJ/cert_user_key3
30		29
31	grep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy	30	grep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy
32		31
33	opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes"	32	opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
34	fullopts="$opts -i $OBJ/cert_user_key3 -i $OBJ/user_key1 -i $OBJ/user_key2"	33	certopts="$opts -i $OBJ/user_key3 -oCertificateFile=$OBJ/cert_user_key3.pub"
35		34
36	echo mekmitasdigoat > $OBJ/authorized_principals_$USER	35	echo mekmitasdigoat > $OBJ/authorized_principals_$USER
37	cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER	36	cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER
@@ -53,28 +52,28 @@ prepare_config() {
53	prepare_config	52	prepare_config
54		53
55	# Check we can log in with all key types.	54	# Check we can log in with all key types.
56	${SSH} $opts -i $OBJ/cert_user_key3 proxy true \|\| fatal "cert failed"	55	${SSH} $certopts proxy true \|\| fatal "cert failed"
57	${SSH} $opts -i $OBJ/user_key1 proxy true \|\| fatal "key1 failed"	56	${SSH} $opts -i $OBJ/user_key1 proxy true \|\| fatal "key1 failed"
58	${SSH} $opts -i $OBJ/user_key2 proxy true \|\| fatal "key2 failed"	57	${SSH} $opts -i $OBJ/user_key2 proxy true \|\| fatal "key2 failed"
59		58
60	# Allow plain Ed25519 and RSA. The certificate should fail.	59	# Allow plain Ed25519 and RSA. The certificate should fail.
61	verbose "privsep=$privsep allow rsa,ed25519"	60	verbose "allow rsa,ed25519"
62	prepare_config "PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519"	61	prepare_config "PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519"
63	${SSH} $opts -i $OBJ/cert_user_key3 proxy true && fatal "cert succeeded"	62	${SSH} $certopt proxy true && fatal "cert succeeded"
64	${SSH} $opts -i $OBJ/user_key1 proxy true \|\| fatal "key1 failed"	63	${SSH} $opts -i $OBJ/user_key1 proxy true \|\| fatal "key1 failed"
65	${SSH} $opts -i $OBJ/user_key2 proxy true \|\| fatal "key2 failed"	64	${SSH} $opts -i $OBJ/user_key2 proxy true \|\| fatal "key2 failed"
66		65
67	# Allow Ed25519 only.	66	# Allow Ed25519 only.
68	verbose "privsep=$privsep allow ed25519"	67	verbose "allow ed25519"
69	prepare_config "PubkeyAcceptedKeyTypes ssh-ed25519"	68	prepare_config "PubkeyAcceptedKeyTypes ssh-ed25519"
70	${SSH} $opts -i $OBJ/cert_user_key3 proxy true && fatal "cert succeeded"	69	${SSH} $certopts proxy true && fatal "cert succeeded"
71	${SSH} $opts -i $OBJ/user_key1 proxy true \|\| fatal "key1 failed"	70	${SSH} $opts -i $OBJ/user_key1 proxy true \|\| fatal "key1 failed"
72	${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"	71	${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
73		72
74	# Allow all certs. Plain keys should fail.	73	# Allow all certs. Plain keys should fail.
75	verbose "privsep=$privsep allow cert only"	74	verbose "allow cert only"
76	prepare_config "PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com"	75	prepare_config "PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com"
77	${SSH} $opts -i $OBJ/cert_user_key3 proxy true \|\| fatal "cert failed"	76	${SSH} $certopts proxy true \|\| fatal "cert failed"
78	${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"	77	${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
79	${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"	78	${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
80		79