-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | regress/dhgex.sh | 6 | ||||
-rw-r--r-- | regress/integrity.sh | 7 | ||||
-rw-r--r-- | regress/kextype.sh | 7 | ||||
-rw-r--r-- | regress/rekey.sh | 20 | ||||
-rw-r--r-- | regress/try-ciphers.sh | 7 |
6 files changed, 42 insertions, 10 deletions
@@ -97,6 +97,11 @@ | |||
97 | this test is a sorry mess of race conditions; add another sleep | 97 | this test is a sorry mess of race conditions; add another sleep |
98 | to avoid a failure on slow machines (at least until I find a | 98 | to avoid a failure on slow machines (at least until I find a |
99 | better way) | 99 | better way) |
100 | - djm@cvs.openbsd.org 2014/04/21 22:15:37 | ||
101 | [dhgex.sh integrity.sh kextype.sh rekey.sh try-ciphers.sh] | ||
102 | repair regress tests broken by server-side default cipher/kex/mac changes | ||
103 | by ensuring that the option under test is included in the server's | ||
104 | algorithm list | ||
100 | 105 | ||
101 | 20140430 | 106 | 20140430 |
102 | - (dtucker) [defines.h] Define __GNUC_PREREQ__ macro if we don't already | 107 | - (dtucker) [defines.h] Define __GNUC_PREREQ__ macro if we don't already |
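diff --git a/regress/dhgex.sh b/regress/dhgex.sh
index 4c1a3d83c..57fca4a32 100644
--- a/regress/dhgex.sh
+++ b/regress/dhgex.sh
@@ -1,10 +1,11 @@
-# $OpenBSD: dhgex.sh,v 1.1 2014/01/25 04:35:32 dtucker Exp $
+# $OpenBSD: dhgex.sh,v 1.2 2014/04/21 22:15:37 djm Exp $
 # Placed in the Public Domain.
 
 tid="dhgex"
 
 LOG=${TEST_SSH_LOGFILE}
 rm -f ${LOG}
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
 kexs=`${SSH} -Q kex | grep diffie-hellman-group-exchange`
 
@@ -14,6 +15,9 @@ ssh_test_dhgex()
 cipher="$1"; shift
 kex="$1"; shift
 
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "KexAlgorithms=$kex" >> $OBJ/sshd_proxy
+echo "Ciphers=$cipher" >> $OBJ/sshd_proxy
 rm -f ${LOG}
 opts="-oKexAlgorithms=$kex -oCiphers=$cipher"
 groupsz="1024<$bits<8192"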
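Review bot: The two lines appended in ssh_test_dhgex, `echo "KexAlgorithms=$kex" >> $OBJ/sshd_proxy` and `echo "Ciphers=$cipher" >> $OBJ/sshd_proxy`, only constrain the server if the base `sshd_proxy` does not already set those keywords, because sshd keeps the first value it reads for each keyword. If an earlier line ever sets them, the server silently keeps its own list and the test can negotiate something other than the algorithm it names, which is false assurance for a crypto regression test. A comment above the `cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy` line would record the assumption, for example `# sshd takes the first value per keyword: sshd_proxy_bak must not set KexAlgorithms or Ciphers`. The same append pattern is added in regress/integrity.sh, regress/kextype.sh, regress/rekey.sh and regress/try-ciphers.sh. The body of ssh_test_dhgex continues outside the hunk.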
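diff --git a/regress/integrity.sh b/regress/integrity.sh
index 852d82690..03d80618c 100644
--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@@ -1,7 +1,8 @@
-# $OpenBSD: integrity.sh,v 1.12 2013/11/21 03:18:51 djm Exp $
+# $OpenBSD: integrity.sh,v 1.13 2014/04/21 22:15:37 djm Exp $
 # Placed in the Public Domain.
 
 tid="integrity"
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
 # start at byte 2900 (i.e. after kex) and corrupt at different offsets
 # XXX the test hangs if we modify the low bytes of the packet length
@@ -34,11 +35,15 @@ for m in $macs; do
 # avoid modifying the high bytes of the length
 continue
 fi
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 # modify output from sshd at offset $off
 pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1"
 if ssh -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then
+echo "Ciphers=$m" >> $OBJ/sshd_proxy
 macopt="-c $m"
 else
+echo "Ciphers=aes128-ctr" >> $OBJ/sshd_proxy
+echo "MACs=$m" >> $OBJ/sshd_proxy
 macopt="-m $m -c aes128-ctr"
 fi
 verbose "test $tid: $m @$off"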
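diff --git a/regress/kextype.sh b/regress/kextype.sh
index 8c2ac09d6..6f952f4e4 100644
--- a/regress/kextype.sh
+++ b/regress/kextype.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: kextype.sh,v 1.4 2013/11/07 04:26:56 dtucker Exp $
+# $OpenBSD: kextype.sh,v 1.5 2014/04/21 22:15:37 djm Exp $
 # Placed in the Public Domain.
 
 tid="login with different key exchange algorithms"
@@ -7,6 +7,11 @@ TIME=/usr/bin/time
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
 
+# Make server accept all key exchanges.
+ALLKEX=`ssh -Q kex`
+KEXOPT=`echo $ALLKEX | tr ' ' ,`
+echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy
+
 tries="1 2 3 4"
 for k in `${SSH} -Q kex`; do
 verbose "kex $k"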
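Review bot: The new ``ALLKEX=`ssh -Q kex` `` runs whichever `ssh` is first in PATH, while the loop a few lines later iterates over `${SSH} -Q kex`, so the server's list and the list under test can come from different binaries. When they differ, an algorithm known only to the build under test is missing from the server's `KexAlgorithms` line and its login fails for a reason unrelated to the code being tested. Use the same binary for both: ``ALLKEX=`${SSH} -Q kex` ``. The unchanged `if ssh -Q cipher-auth | grep ...` line in regress/integrity.sh has the same PATH dependence, and after this commit it also decides which `Ciphers`/`MACs` lines the server is given.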
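diff --git a/regress/rekey.sh b/regress/rekey.sh
index cf9401ea0..fd452b034 100644
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: rekey.sh,v 1.14 2013/11/21 03:18:51 djm Exp $
+# $OpenBSD: rekey.sh,v 1.15 2014/04/21 22:15:37 djm Exp $
 # Placed in the Public Domain.
 
 tid="rekey"
@@ -6,14 +6,22 @@ tid="rekey"
 LOG=${TEST_SSH_LOGFILE}
 
 rm -f ${LOG}
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
 # Test rekeying based on data volume only.
 # Arguments will be passed to ssh.
 ssh_data_rekeying()
 {
+_kexopt=$1 ; shift
+_opts="$@"
+if ! test -z "$_kexopts" ; then
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "$_kexopt" >> $OBJ/sshd_proxy
+_opts="$_opts -o$_kexopt"
+fi
 rm -f ${COPY} ${LOG}
-${SSH} <${DATA} -oCompression=no $@ -v -F $OBJ/ssh_proxy somehost \
-"cat > ${COPY}"
+_opts="$_opts -oCompression=no"
+${SSH} <${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
 if [ $? -ne 0 ]; then
 fail "ssh failed ($@)"
 fi
@@ -41,7 +49,7 @@ done
 
 for opt in $opts; do
 verbose "client rekey $opt"
-ssh_data_rekeying -oRekeyLimit=256k -o$opt
+ssh_data_rekeying "$opt" -oRekeyLimit=256k
 done
 
 # AEAD ciphers are magical so test with all KexAlgorithms
@@ -49,14 +57,14 @@ if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
 for c in `${SSH} -Q cipher-auth`; do
 for kex in `${SSH} -Q kex`; do
 verbose "client rekey $c $kex"
-ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex
+ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
 done
 done
 fi
 
 for s in 16 1k 128k 256k; do
 verbose "client rekeylimit ${s}"
-ssh_data_rekeying -oCompression=no -oRekeyLimit=$s
+ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$s
 done
 
 for s in 5 10; do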
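Review bot: In ssh_data_rekeying the first argument is stored as `_kexopt`, but the guard tests `"$_kexopts"` (with a trailing s), a variable that nothing visible in the hunk assigns. With that variable empty the `if` body never runs, so `sshd_proxy` is never reset, the option is never appended to the server config, and `-o$_kexopt` is never passed to the client. The calls in the later hunks would then rekey with whatever the defaults negotiate while `verbose` reports the requested cipher, MAC or kex. The guard should read `if ! test -z "$_kexopt" ; then`. Separately, `fail "ssh failed ($@)"` runs after the `shift`, so a failure message no longer names the option that was under test; the function body continues past the hunk.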
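diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh
index ac34cedbf..2881ce16c 100644
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@@ -1,13 +1,18 @@
-# $OpenBSD: try-ciphers.sh,v 1.22 2013/11/21 03:18:51 djm Exp $
+# $OpenBSD: try-ciphers.sh,v 1.23 2014/04/21 22:15:37 djm Exp $
 # Placed in the Public Domain.
 
 tid="try ciphers"
 
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
 for c in `${SSH} -Q cipher`; do
 n=0
 for m in `${SSH} -Q mac`; do
 trace "proto 2 cipher $c mac $m"
 verbose "test $tid: proto 2 cipher $c mac $m"
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "Ciphers=$c" >> $OBJ/sshd_proxy
+echo "MACs=$m" >> $OBJ/sshd_proxy
 ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true
 if [ $? -ne 0 ]; then
 fail "ssh -2 failed with mac $m cipher $c"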