-rw-r--r--ChangeLog4
-rw-r--r--regress/Makefile12
-rw-r--r--regress/agent.sh4
-rw-r--r--regress/cert-hostkey.sh48
-rw-r--r--regress/cert-userkey.sh31
-rw-r--r--regress/keytype.sh4
6 files changed, 63 insertions, 40 deletions
diff --git a/ChangeLog b/ChangeLog
index cf5e0d504..5edeb82b2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -33,6 +33,10 @@
33 - djm@cvs.openbsd.org 2013/12/07 00:19:15 33 - djm@cvs.openbsd.org 2013/12/07 00:19:15
34 [key.c] 34 [key.c]
35 set k->cert = NULL after freeing it 35 set k->cert = NULL after freeing it
36 - markus@cvs.openbsd.org 2013/12/06 13:52:46
37 [regress/Makefile regress/agent.sh regress/cert-hostkey.sh]
38 [regress/cert-userkey.sh regress/keytype.sh]
39 test ed25519 support; from djm@
36 - (djm) [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h] 40 - (djm) [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h]
37 [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents 41 [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents
38 - (djm) [Makefile.in] Add ed25519 sources 42 - (djm) [Makefile.in] Add ed25519 sources
diff --git a/regress/Makefile b/regress/Makefile
index eca634a60..098f2014b 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,6 +1,6 @@
1# $OpenBSD: Makefile,v 1.66 2013/10/09 23:44:14 djm Exp $ 1# $OpenBSD: Makefile,v 1.67 2013/12/06 13:52:46 markus Exp $
2 2
3REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec 3REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec
4tests: $(REGRESS_TARGETS) 4tests: $(REGRESS_TARGETS)
5 5
6# Interop tests are not run by default 6# Interop tests are not run by default
@@ -153,6 +153,14 @@ t9: $(OBJ)/t9.out
153 test "${TEST_SSH_ECC}" != yes || \ 153 test "${TEST_SSH_ECC}" != yes || \
154 ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t9.out > /dev/null 154 ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t9.out > /dev/null
155 155
156
157$(OBJ)/t10.out:
158 ${TEST_SSH_SSHKEYGEN} -q -t ed25519 -N '' -f $@
159
160t10: $(OBJ)/t10.out
161 ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t10.out > /dev/null
162 ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t10.out > /dev/null
163
156t-exec: ${LTESTS:=.sh} 164t-exec: ${LTESTS:=.sh}
157 @if [ "x$?" = "x" ]; then exit 0; fi; \ 165 @if [ "x$?" = "x" ]; then exit 0; fi; \
158 for TEST in ""$?; do \ 166 for TEST in ""$?; do \
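Review bot: The new t10 target only fingerprints the generated key (`-l`, `-B`) and never asserts that the key written by `$(OBJ)/t10.out` is actually an ed25519 key, so the target would pass for any key type ssh-keygen happened to produce; adding `grep -q '^ssh-ed25519 ' $(OBJ)/t10.out.pub` as a third recipe line pins the type the test is meant to cover. Note also that the `$(OBJ)/t10.out:` recipe writes both `$@` and `$@.pub`, so whatever clean rule this Makefile has (outside the hunk) needs to remove both, presumably as it already does for t9.out.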
diff --git a/regress/agent.sh b/regress/agent.sh
index be7d91334..90bad15d4 100644
--- a/regress/agent.sh
+++ b/regress/agent.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $ 1# $OpenBSD: agent.sh,v 1.9 2013/12/06 13:52:46 markus Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="simple agent test" 4tid="simple agent test"
@@ -20,7 +20,7 @@ else
20 fi 20 fi
21 trace "overwrite authorized keys" 21 trace "overwrite authorized keys"
22 printf '' > $OBJ/authorized_keys_$USER 22 printf '' > $OBJ/authorized_keys_$USER
23 for t in rsa rsa1; do 23 for t in ed25519 rsa rsa1; do
24 # generate user key for agent 24 # generate user key for agent
25 rm -f $OBJ/$t-agent 25 rm -f $OBJ/$t-agent
26 ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\ 26 ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
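Review bot: The key list on the `for t in ed25519 rsa rsa1` line stays hand-maintained, so dsa and, on ECC-capable builds, ecdsa keys are still never loaded into the agent, whereas cert-hostkey.sh and cert-userkey.sh in this same change derive their lists from `$SSH -Q key-plain`. Unless the loop body (which continues past this hunk) depends on the fixed order, computing `PLAIN_TYPES` the same way those scripts do and writing `for t in $PLAIN_TYPES rsa1; do` keeps agent.sh in step with the compiled-in key types without an explicit `TEST_SSH_ECC` switch.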
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 35cd39293..da2cec87d 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,14 +1,8 @@
1# $OpenBSD: cert-hostkey.sh,v 1.7 2013/05/17 00:37:40 dtucker Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.8 2013/12/06 13:52:46 markus Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
5 5
6# used to disable ECC based tests on platforms without ECC
7ecdsa=""
8if test "x$TEST_SSH_ECC" = "xyes"; then
9 ecdsa=ecdsa
10fi
11
12rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* 6rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
13cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
14 8
@@ -23,8 +17,17 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\
23 cat $OBJ/host_ca_key.pub 17 cat $OBJ/host_ca_key.pub
24) > $OBJ/known_hosts-cert 18) > $OBJ/known_hosts-cert
25 19
20PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
21
22type_has_legacy() {
23 case $1 in
24 ed25519*|ecdsa*) return 1 ;;
25 esac
26 return 0
27}
28
26# Generate and sign host keys 29# Generate and sign host keys
27for ktype in rsa dsa $ecdsa ; do 30for ktype in $PLAIN_TYPES ; do
28 verbose "$tid: sign host ${ktype} cert" 31 verbose "$tid: sign host ${ktype} cert"
29 # Generate and sign a host key 32 # Generate and sign a host key
30 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 33 ${SSHKEYGEN} -q -N '' -t ${ktype} \
@@ -34,10 +37,10 @@ for ktype in rsa dsa $ecdsa ; do
34 -I "regress host key for $USER" \ 37 -I "regress host key for $USER" \
35 -n $HOSTS $OBJ/cert_host_key_${ktype} || 38 -n $HOSTS $OBJ/cert_host_key_${ktype} ||
36 fail "couldn't sign cert_host_key_${ktype}" 39 fail "couldn't sign cert_host_key_${ktype}"
37 # v00 ecdsa certs do not exist 40 type_has_legacy $ktype || continue
38 test "${ktype}" = "ecdsa" && continue
39 cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 41 cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
40 cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub 42 cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
43 verbose "$tid: sign host ${ktype}_v00 cert"
41 ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ 44 ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
42 -I "regress host key for $USER" \ 45 -I "regress host key for $USER" \
43 -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 || 46 -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
@@ -46,7 +49,7 @@ done
46 49
47# Basic connect tests 50# Basic connect tests
48for privsep in yes no ; do 51for privsep in yes no ; do
49 for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do 52 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
50 verbose "$tid: host ${ktype} cert connect privsep $privsep" 53 verbose "$tid: host ${ktype} cert connect privsep $privsep"
51 ( 54 (
52 cat $OBJ/sshd_proxy_bak 55 cat $OBJ/sshd_proxy_bak
@@ -73,9 +76,16 @@ done
73 printf "* " 76 printf "* "
74 cat $OBJ/cert_host_key_rsa.pub 77 cat $OBJ/cert_host_key_rsa.pub
75 if test "x$TEST_SSH_ECC" = "xyes"; then 78 if test "x$TEST_SSH_ECC" = "xyes"; then
79 cat $OBJ/cert_host_key_ecdsa-sha2-nistp256.pub
80 printf '@revoked '
81 printf "* "
82 cat $OBJ/cert_host_key_ecdsa-sha2-nistp384.pub
83 printf '@revoked '
84 printf "* "
85 cat $OBJ/cert_host_key_ecdsa-sha2-nistp521.pub
76 printf '@revoked ' 86 printf '@revoked '
77 printf "* " 87 printf "* "
78 cat $OBJ/cert_host_key_ecdsa.pub 88 cat $OBJ/cert_host_key_ed25519.pub
79 fi 89 fi
80 printf '@revoked ' 90 printf '@revoked '
81 printf "* " 91 printf "* "
@@ -88,7 +98,7 @@ done
88 cat $OBJ/cert_host_key_dsa_v00.pub 98 cat $OBJ/cert_host_key_dsa_v00.pub
89) > $OBJ/known_hosts-cert 99) > $OBJ/known_hosts-cert
90for privsep in yes no ; do 100for privsep in yes no ; do
91 for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do 101 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
92 verbose "$tid: host ${ktype} revoked cert privsep $privsep" 102 verbose "$tid: host ${ktype} revoked cert privsep $privsep"
93 ( 103 (
94 cat $OBJ/sshd_proxy_bak 104 cat $OBJ/sshd_proxy_bak
@@ -115,7 +125,7 @@ done
115 printf "* " 125 printf "* "
116 cat $OBJ/host_ca_key.pub 126 cat $OBJ/host_ca_key.pub
117) > $OBJ/known_hosts-cert 127) > $OBJ/known_hosts-cert
118for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 128for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
119 verbose "$tid: host ${ktype} revoked cert" 129 verbose "$tid: host ${ktype} revoked cert"
120 ( 130 (
121 cat $OBJ/sshd_proxy_bak 131 cat $OBJ/sshd_proxy_bak
@@ -186,9 +196,8 @@ test_one "cert has constraints" failure "-h -Oforce-command=false"
186 196
187# Check downgrade of cert to raw key when no CA found 197# Check downgrade of cert to raw key when no CA found
188for v in v01 v00 ; do 198for v in v01 v00 ; do
189 for ktype in rsa dsa $ecdsa ; do 199 for ktype in $PLAIN_TYPES ; do
190 # v00 ecdsa certs do not exist. 200 type_has_legacy $ktype || continue
191 test "${v}${ktype}" = "v00ecdsa" && continue
192 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* 201 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
193 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" 202 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
194 # Generate and sign a host key 203 # Generate and sign a host key
@@ -225,9 +234,8 @@ done
225 cat $OBJ/host_ca_key.pub 234 cat $OBJ/host_ca_key.pub
226) > $OBJ/known_hosts-cert 235) > $OBJ/known_hosts-cert
227for v in v01 v00 ; do 236for v in v01 v00 ; do
228 for kt in rsa dsa $ecdsa ; do 237 for kt in $PLAIN_TYPES ; do
229 # v00 ecdsa certs do not exist. 238 type_has_legacy $kt || continue
230 test "${v}${ktype}" = "v00ecdsa" && continue
231 rm -f $OBJ/cert_host_key* 239 rm -f $OBJ/cert_host_key*
232 # Self-sign key 240 # Self-sign key
233 ${SSHKEYGEN} -q -N '' -t ${kt} \ 241 ${SSHKEYGEN} -q -N '' -t ${kt} \
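Review bot: In the `@revoked` known_hosts block, the first added line `cat $OBJ/cert_host_key_ecdsa-sha2-nistp256.pub` follows the `if test "x$TEST_SSH_ECC"` line directly, with no `printf '@revoked '` / `printf "* "` in front of it, so that cert is emitted as a bare key line that would not be parsed as a revocation, and the nistp256 case of the `for ktype in $PLAIN_TYPES rsa_v00 dsa_v00` "revoked cert" loop that follows would run against an unrevoked cert; the `@revoked` pair that used to precede the old ecdsa line now prefixes the ed25519 entry instead. That ed25519 entry also sits inside the `TEST_SSH_ECC` conditional, so on a build without ECC the ed25519 host cert is never revoked even though the loop still tests it. Generating the entries from `$PLAIN_TYPES`, as the connect loops already do, fixes both and drops the conditional:
```shell
	# … unchanged: CA key line written to known_hosts-cert …
	for ktype in $PLAIN_TYPES ; do
		printf '@revoked '
		printf "* "
		cat $OBJ/cert_host_key_${ktype}.pub
	done
	# … unchanged: @revoked entries for rsa_v00 and dsa_v00 …
```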
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 6018b38f4..b093a9196 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,23 +1,26 @@
1# $OpenBSD: cert-userkey.sh,v 1.11 2013/05/17 00:37:40 dtucker Exp $ 1# $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified user keys" 4tid="certified user keys"
5 5
6# used to disable ECC based tests on platforms without ECC
7ecdsa=""
8if test "x$TEST_SSH_ECC" = "xyes"; then
9 ecdsa=ecdsa
10fi
11
12rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* 6rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
13cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
14 8
9PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
10
11type_has_legacy() {
12 case $1 in
13 ed25519*|ecdsa*) return 1 ;;
14 esac
15 return 0
16}
17
15# Create a CA key 18# Create a CA key
16${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ 19${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
17 fail "ssh-keygen of user_ca_key failed" 20 fail "ssh-keygen of user_ca_key failed"
18 21
19# Generate and sign user keys 22# Generate and sign user keys
20for ktype in rsa dsa $ecdsa ; do 23for ktype in $PLAIN_TYPES ; do
21 verbose "$tid: sign user ${ktype} cert" 24 verbose "$tid: sign user ${ktype} cert"
22 ${SSHKEYGEN} -q -N '' -t ${ktype} \ 25 ${SSHKEYGEN} -q -N '' -t ${ktype} \
23 -f $OBJ/cert_user_key_${ktype} || \ 26 -f $OBJ/cert_user_key_${ktype} || \
@@ -25,18 +28,18 @@ for ktype in rsa dsa $ecdsa ; do
25 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ 28 ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
26 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || 29 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
27 fail "couldn't sign cert_user_key_${ktype}" 30 fail "couldn't sign cert_user_key_${ktype}"
28 # v00 ecdsa certs do not exist 31 type_has_legacy $ktype || continue
29 test "${ktype}" = "ecdsa" && continue
30 cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 32 cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
31 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub 33 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
34 verbose "$tid: sign host ${ktype}_v00 cert"
32 ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ 35 ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
33 "regress user key for $USER" \ 36 "regress user key for $USER" \
34 -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || 37 -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
35 fail "couldn't sign cert_user_key_${ktype}_v00" 38 fatal "couldn't sign cert_user_key_${ktype}_v00"
36done 39done
37 40
38# Test explicitly-specified principals 41# Test explicitly-specified principals
39for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 42for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
40 for privsep in yes no ; do 43 for privsep in yes no ; do
41 _prefix="${ktype} privsep $privsep" 44 _prefix="${ktype} privsep $privsep"
42 45
@@ -162,7 +165,7 @@ basic_tests() {
162 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" 165 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
163 fi 166 fi
164 167
165 for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 168 for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
166 for privsep in yes no ; do 169 for privsep in yes no ; do
167 _prefix="${ktype} privsep $privsep $auth" 170 _prefix="${ktype} privsep $privsep $auth"
168 # Simple connect 171 # Simple connect
@@ -332,7 +335,7 @@ test_one "principals key option no principals" failure "" \
332 335
333# Wrong certificate 336# Wrong certificate
334cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy 337cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
335for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 338for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
336 case $ktype in 339 case $ktype in
337 *_v00) args="-t v00" ;; 340 *_v00) args="-t v00" ;;
338 *) args="" ;; 341 *) args="" ;;
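Review bot: `PLAIN_TYPES` is taken from `$SSH -Q key-plain` with no check that the result is non-empty, so if that query fails (an ssh without `-Q`, or a broken build) every `for ktype in $PLAIN_TYPES ...` loop in this script runs zero times and the test passes while exercising no certificate at all; add `test -n "$PLAIN_TYPES" || fatal "no plain key types from ssh -Q key-plain"` directly after the assignment (the same applies to the identical line in cert-hostkey.sh). Separately, the new `verbose "$tid: sign host ${ktype}_v00 cert"` line is in the user-key script and should read `verbose "$tid: sign user ${ktype}_v00 cert"`, matching the v01 message above it.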
diff --git a/regress/keytype.sh b/regress/keytype.sh
index 65436b2c0..2c57ec6b1 100644
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: keytype.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $ 1# $OpenBSD: keytype.sh,v 1.3 2013/12/06 13:52:46 markus Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="login with different key types" 4tid="login with different key types"
@@ -11,7 +11,7 @@ fi
11cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 11cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
12cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak 12cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
13 13
14ktypes="dsa-1024 rsa-2048 rsa-3072" 14ktypes="dsa-1024 rsa-2048 rsa-3072 ed25519-512"
15for i in `$SSH -Q key`; do 15for i in `$SSH -Q key`; do
16 case "$i" in 16 case "$i" in
17 ecdsa-sha2-nistp256) ktype="$ktype ecdsa-256" ;; 17 ecdsa-sha2-nistp256) ktype="$ktype ecdsa-256" ;;
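Review bot: `ktypes=` on the changed line is the list being extended, but the `case` arm on the following line appends to `ktype` (no trailing `s`), so unless a later line outside this hunk reads `$ktype`, the ecdsa-256 entry (and presumably the 384/521 arms that follow) never reaches the login loop and only dsa, rsa and ed25519 are exercised; `ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;;` and the same change in the sibling arms fixes that. Also, `ed25519-512` carries a size suffix that ed25519 keys do not have; if the suffix is later split off and handed to `ssh-keygen -b` it is presumably ignored for this type, which is worth a comment such as `# ed25519 has a fixed size; the -512 only satisfies the type-size split below`. The loop that consumes `$ktypes` is outside this hunk.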