7 files changed, 242 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index b26426265..9e9bb3068 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -131,6 +131,10 @@
   names)
 - (djm) [Makefile.in]
   Remove generated openbsd-compat/regress/Makefile in distclean target
+ - (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh]
+   [regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh]
+   Sync regress tests to -current; include dtucker@'s new cfgmatch and 
+   forcecommand tests. Add cipher-speed.sh test (not linked in yet)
 20060713
 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h
@@ -5049,4 +5053,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4435 2006/07/24 05:30:18 djm Exp $
+$Id: ChangeLog,v 1.4436 2006/07/24 05:31:41 djm Exp $
diff --git a/regress/Makefile b/regress/Makefile
index 4f47bc3fd..539956398 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.36 2005/03/04 08:48:46 djm Exp $
+#       $OpenBSD: Makefile,v 1.42 2006/07/19 13:34:52 dtucker Exp $
 REGRESS_TARGETS=        t1 t2 t3 t4 t5 t6 t7 t-exec
 tests:          $(REGRESS_TARGETS)
@@ -40,7 +40,9 @@ LTESTS= 	connect \
                forwarding \
                multiplex \
                reexec \
-                brokenkeys
+                brokenkeys \
+                cfgmatch \
+                forcecommand
 USER!=          id -un
 CLEANFILES=     t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
@@ -49,8 +51,8 @@ CLEANFILES=	t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
                rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
                rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \
                ls.copy banner.in banner.out empty.in \
-                scp-ssh-wrapper.scp ssh_proxy_envpass \
+                scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
-                remote_pid
+                sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv
 #LTESTS +=      ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh
index 6186a8d48..e5fcedda7 100644
--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: agent-getpeereid.sh,v 1.2 2005/11/14 21:25:56 grunk Exp $
+#       $OpenBSD: agent-getpeereid.sh,v 1.3 2006/07/06 12:01:53 grunk Exp $
 #       Placed in the Public Domain.
 tid="disallow agent attach from other uid"
@@ -12,6 +12,11 @@ then
        echo "skipped (not supported on this platform)"
        exit 0
 fi
+if [ -z "$SUDO" ]; then
+        echo "skipped: need SUDO to switch to uid $UNPRIV"
+        exit 0
+fi
 trace "start agent"
 eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
new file mode 100644
index 000000000..3a789faab
--- /dev/null
+++ b/regress/cfgmatch.sh
@@ -0,0 +1,105 @@
+#       $OpenBSD: cfgmatch.sh,v 1.2 2006/07/22 01:50:00 dtucker Exp $
+#       Placed in the Public Domain.
+tid="sshd_config match"
+pidfile=$OBJ/remote_pid
+fwdport=3301
+fwd="-L $fwdport:127.0.0.1:$PORT"
+stop_client()
+{
+        pid=`cat $pidfile`
+        if [ ! -z "$pid" ]; then
+                kill $pid
+        fi
+}
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
+echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
+echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
+start_sshd
+#set -x
+# Test Match + PermitOpen in sshd_config.  This should be permitted
+for p in 1 2; do
+        rm -f $pidfile
+        trace "match permitopen localhost proto $p"
+        ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
+            "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+            fail "match permitopen proto $p sshd failed"
+        sleep 1;
+        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+            fail "match permitopen permit proto $p"
+        stop_client
+done
+# Same but from different source.  This should not be permitted
+for p in 1 2; do
+        rm -f $pidfile
+        trace "match permitopen proxy proto $p"
+        ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+            "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+            fail "match permitopen proxy proto $p sshd failed"
+        sleep 1;
+        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+            fail "match permitopen deny proto $p"
+        stop_client
+done
+# Retry previous with key option, should also be denied.
+echo -n 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echo -n 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+for p in 1 2; do
+        rm -f $pidfile
+        trace "match permitopen proxy w/key opts proto $p"
+        ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+            "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+            fail "match permitopen w/key opt proto $p sshd failed"
+        sleep 1;
+        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+            fail "match permitopen deny w/key opt proto $p"
+        stop_client
+done
+# Test both sshd_config and key options permitting the same dst/port pair.
+# Should be permitted.
+for p in 1 2; do
+        rm -f $pidfile
+        trace "match permitopen localhost proto $p"
+        ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
+            "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+            fail "match permitopen proto $p sshd failed"
+        sleep 1;
+        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+            fail "match permitopen permit proto $p"
+        stop_client
+done
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
+echo "Match User $USER" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
+# Test that a Match overrides a PermitOpen in the global section
+for p in 1 2; do
+        rm -f $pidfile
+        trace "match permitopen proxy w/key opts proto $p"
+        ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+            "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+            fail "match override permitopen proto $p sshd failed"
+        sleep 1;
+        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+            fail "match override permitopen proto $p"
+        stop_client
+done
diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh
new file mode 100644
index 000000000..592511143
--- /dev/null
+++ b/regress/cipher-speed.sh
@@ -0,0 +1,47 @@
+#       $OpenBSD: cipher-speed.sh,v 1.2 2005/05/24 04:09:54 djm Exp $
+#       Placed in the Public Domain.
+tid="cipher speed"
+getbytes ()
+{
+        sed -n '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p'
+}
+tries="1 2"
+DATA=/bin/ls
+DATA=/bsd
+macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96"
+ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc 
+        arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc aes128-ctr"
+for c in $ciphers; do for m in $macs; do
+        trace "proto 2 cipher $c mac $m"
+        for x in $tries; do
+                echo -n "$c/$m:\t"
+                ( ${SSH} -o 'compression no' \
+                        -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
+                        exec sh -c \'"dd of=/dev/null obs=32k"\' \
+                < ${DATA} ) 2>&1 | getbytes
+                if [ $? -ne 0 ]; then
+                        fail "ssh -2 failed with mac $m cipher $c"
+                fi
+        done
+done; done
+ciphers="3des blowfish"
+for c in $ciphers; do
+        trace "proto 1 cipher $c"
+        for x in $tries; do
+                echo -n "$c:\t"
+                ( ${SSH} -o 'compression no' \
+                        -F $OBJ/ssh_proxy -1 -c $c somehost \
+                        exec sh -c \'"dd of=/dev/null obs=32k"\' \
+                < ${DATA} ) 2>&1 | getbytes
+                if [ $? -ne 0 ]; then
+                        fail "ssh -1 failed with cipher $c"
+                fi
+        done
+done
diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh
new file mode 100644
index 000000000..796e7c2c0
--- /dev/null
+++ b/regress/forcecommand.sh
@@ -0,0 +1,42 @@
+#       $OpenBSD: forcecommand.sh,v 1.1 2006/07/19 13:09:28 dtucker Exp $
+#       Placed in the Public Domain.
+tid="forced command"
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+echo -n 'command="true" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echo -n 'command="true" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+for p in 1 2; do
+        trace "forced command in key option proto $p"
+        ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+            fail "forced command in key proto $p"
+done
+echo -n 'command="false" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echo -n 'command="false" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "ForceCommand true" >> $OBJ/sshd_proxy
+for p in 1 2; do
+        trace "forced command in sshd_config overrides key option proto $p"
+        ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+            fail "forced command in key proto $p"
+done
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "ForceCommand false" >> $OBJ/sshd_proxy
+echo "Match User $USER" >> $OBJ/sshd_proxy
+echo "    ForceCommand true" >> $OBJ/sshd_proxy
+for p in 1 2; do
+        trace "forced command with match proto $p"
+        ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+            fail "forced command in key proto $p"
+done
diff --git a/regress/forwarding.sh b/regress/forwarding.sh
index 3b171144f..9ffbb3dd4 100644
--- a/regress/forwarding.sh
+++ b/regress/forwarding.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: forwarding.sh,v 1.5 2005/03/10 10:20:39 dtucker Exp $
+#       $OpenBSD: forwarding.sh,v 1.6 2006/07/11 18:51:21 markus Exp $
 #       Placed in the Public Domain.
 tid="local and remote forwarding"
@@ -34,6 +34,36 @@ for p in 1 2; do
 done
 for p in 1 2; do
+for d in L R; do
+        trace "exit on -$d forward failure, proto $p"
+        # this one should succeed
+        ${SSH} -$p -F $OBJ/ssh_config \
+            -$d ${base}01:127.0.0.1:$PORT \
+            -$d ${base}02:127.0.0.1:$PORT \
+            -$d ${base}03:127.0.0.1:$PORT \
+            -$d ${base}04:127.0.0.1:$PORT \
+            -oExitOnForwardFailure=yes somehost true
+        if [ $? != 0 ]; then
+                fail "connection failed, should not"
+        else
+                # this one should fail
+                ${SSH} -q -$p -F $OBJ/ssh_config \
+                    -$d ${base}01:127.0.0.1:$PORT \
+                    -$d ${base}02:127.0.0.1:$PORT \
+                    -$d ${base}03:127.0.0.1:$PORT \
+                    -$d ${base}01:127.0.0.1:$PORT \
+                    -$d ${base}04:127.0.0.1:$PORT \
+                    -oExitOnForwardFailure=yes somehost true
+                r=$?
+                if [ $r != 255 ]; then
+                        fail "connection not termintated, but should ($r)"
+                fi
+        fi
+done
+done
+for p in 1 2; do
        trace "simple clear forwarding proto $p"
        ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true

diff --git a/ChangeLog b/ChangeLog index b26426265..9e9bb3068 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -131,6 +131,10 @@
131	names)	131	names)
132	- (djm) [Makefile.in]	132	- (djm) [Makefile.in]
133	Remove generated openbsd-compat/regress/Makefile in distclean target	133	Remove generated openbsd-compat/regress/Makefile in distclean target
		134	- (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh]
		135	[regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh]
		136	Sync regress tests to -current; include dtucker@'s new cfgmatch and
		137	forcecommand tests. Add cipher-speed.sh test (not linked in yet)
134		138
135	20060713	139	20060713
136	- (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h	140	- (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h
@@ -5049,4 +5053,4 @@
5049	- (djm) Trim deprecated options from INSTALL. Mention UsePAM	5053	- (djm) Trim deprecated options from INSTALL. Mention UsePAM
5050	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu	5054	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
5051		5055
5052	$Id: ChangeLog,v 1.4435 2006/07/24 05:30:18 djm Exp $	5056	$Id: ChangeLog,v 1.4436 2006/07/24 05:31:41 djm Exp $


diff --git a/regress/Makefile b/regress/Makefile index 4f47bc3fd..539956398 100644 --- a/regress/Makefile +++ b/regress/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.36 2005/03/04 08:48:46 djm Exp $	1	# $OpenBSD: Makefile,v 1.42 2006/07/19 13:34:52 dtucker Exp $
2		2
3	REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec	3	REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec
4	tests: $(REGRESS_TARGETS)	4	tests: $(REGRESS_TARGETS)
@@ -40,7 +40,9 @@ LTESTS= connect \
40	forwarding \	40	forwarding \
41	multiplex \	41	multiplex \
42	reexec \	42	reexec \
43	brokenkeys	43	brokenkeys \
		44	cfgmatch \
		45	forcecommand
44		46
45	USER!= id -un	47	USER!= id -un
46	CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \	48	CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
@@ -49,8 +51,8 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
49	rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \	51	rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
50	rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \	52	rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \
51	ls.copy banner.in banner.out empty.in \	53	ls.copy banner.in banner.out empty.in \
52	scp-ssh-wrapper.scp ssh_proxy_envpass \	54	scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
53	remote_pid	55	sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv
54		56
55	#LTESTS += ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp	57	#LTESTS += ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
56		58


diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh index 6186a8d48..e5fcedda7 100644 --- a/regress/agent-getpeereid.sh +++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: agent-getpeereid.sh,v 1.2 2005/11/14 21:25:56 grunk Exp $	1	# $OpenBSD: agent-getpeereid.sh,v 1.3 2006/07/06 12:01:53 grunk Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="disallow agent attach from other uid"	4	tid="disallow agent attach from other uid"
@@ -12,6 +12,11 @@ then
12	echo "skipped (not supported on this platform)"	12	echo "skipped (not supported on this platform)"
13	exit 0	13	exit 0
14	fi	14	fi
		15	if [ -z "$SUDO" ]; then
		16	echo "skipped: need SUDO to switch to uid $UNPRIV"
		17	exit 0
		18	fi
		19
15		20
16	trace "start agent"	21	trace "start agent"
17	eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null	22	eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null


diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh new file mode 100644 index 000000000..3a789faab --- /dev/null +++ b/regress/cfgmatch.sh
@@ -0,0 +1,105 @@
		1	# $OpenBSD: cfgmatch.sh,v 1.2 2006/07/22 01:50:00 dtucker Exp $
		2	# Placed in the Public Domain.
		3
		4	tid="sshd_config match"
		5
		6	pidfile=$OBJ/remote_pid
		7	fwdport=3301
		8	fwd="-L $fwdport:127.0.0.1:$PORT"
		9
		10	stop_client()
		11	{
		12	pid=`cat $pidfile`
		13	if [ ! -z "$pid" ]; then
		14	kill $pid
		15	fi
		16	}
		17
		18	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
		19
		20	echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
		21	echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
		22	echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
		23
		24	echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
		25	echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
		26	echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
		27
		28	start_sshd
		29
		30	#set -x
		31
		32	# Test Match + PermitOpen in sshd_config. This should be permitted
		33	for p in 1 2; do
		34	rm -f $pidfile
		35	trace "match permitopen localhost proto $p"
		36	${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
		37	"echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 \|\|\
		38	fail "match permitopen proto $p sshd failed"
		39	sleep 1;
		40	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
		41	fail "match permitopen permit proto $p"
		42	stop_client
		43	done
		44
		45	# Same but from different source. This should not be permitted
		46	for p in 1 2; do
		47	rm -f $pidfile
		48	trace "match permitopen proxy proto $p"
		49	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
		50	"echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 \|\|\
		51	fail "match permitopen proxy proto $p sshd failed"
		52	sleep 1;
		53	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
		54	fail "match permitopen deny proto $p"
		55	stop_client
		56	done
		57
		58	# Retry previous with key option, should also be denied.
		59	echo -n 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
		60	cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
		61	echo -n 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
		62	cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
		63	for p in 1 2; do
		64	rm -f $pidfile
		65	trace "match permitopen proxy w/key opts proto $p"
		66	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
		67	"echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 \|\|\
		68	fail "match permitopen w/key opt proto $p sshd failed"
		69	sleep 1;
		70	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
		71	fail "match permitopen deny w/key opt proto $p"
		72	stop_client
		73	done
		74
		75	# Test both sshd_config and key options permitting the same dst/port pair.
		76	# Should be permitted.
		77	for p in 1 2; do
		78	rm -f $pidfile
		79	trace "match permitopen localhost proto $p"
		80	${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
		81	"echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 \|\|\
		82	fail "match permitopen proto $p sshd failed"
		83	sleep 1;
		84	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
		85	fail "match permitopen permit proto $p"
		86	stop_client
		87	done
		88
		89	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
		90	echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
		91	echo "Match User $USER" >>$OBJ/sshd_proxy
		92	echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
		93
		94	# Test that a Match overrides a PermitOpen in the global section
		95	for p in 1 2; do
		96	rm -f $pidfile
		97	trace "match permitopen proxy w/key opts proto $p"
		98	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
		99	"echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 \|\|\
		100	fail "match override permitopen proto $p sshd failed"
		101	sleep 1;
		102	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
		103	fail "match override permitopen proto $p"
		104	stop_client
		105	done


diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh new file mode 100644 index 000000000..592511143 --- /dev/null +++ b/regress/cipher-speed.sh
@@ -0,0 +1,47 @@
		1	# $OpenBSD: cipher-speed.sh,v 1.2 2005/05/24 04:09:54 djm Exp $
		2	# Placed in the Public Domain.
		3
		4	tid="cipher speed"
		5
		6	getbytes ()
		7	{
		8	sed -n '/transferred/s/.secs (\(. bytes.sec\).*/\1/p'
		9	}
		10
		11	tries="1 2"
		12	DATA=/bin/ls
		13	DATA=/bsd
		14
		15	macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96"
		16	ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
		17	arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc aes128-ctr"
		18
		19	for c in $ciphers; do for m in $macs; do
		20	trace "proto 2 cipher $c mac $m"
		21	for x in $tries; do
		22	echo -n "$c/$m:\t"
		23	( ${SSH} -o 'compression no' \
		24	-F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
		25	exec sh -c \'"dd of=/dev/null obs=32k"\' \
		26	< ${DATA} ) 2>&1 \| getbytes
		27
		28	if [ $? -ne 0 ]; then
		29	fail "ssh -2 failed with mac $m cipher $c"
		30	fi
		31	done
		32	done; done
		33
		34	ciphers="3des blowfish"
		35	for c in $ciphers; do
		36	trace "proto 1 cipher $c"
		37	for x in $tries; do
		38	echo -n "$c:\t"
		39	( ${SSH} -o 'compression no' \
		40	-F $OBJ/ssh_proxy -1 -c $c somehost \
		41	exec sh -c \'"dd of=/dev/null obs=32k"\' \
		42	< ${DATA} ) 2>&1 \| getbytes
		43	if [ $? -ne 0 ]; then
		44	fail "ssh -1 failed with cipher $c"
		45	fi
		46	done
		47	done


diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh new file mode 100644 index 000000000..796e7c2c0 --- /dev/null +++ b/regress/forcecommand.sh
@@ -0,0 +1,42 @@
		1	# $OpenBSD: forcecommand.sh,v 1.1 2006/07/19 13:09:28 dtucker Exp $
		2	# Placed in the Public Domain.
		3
		4	tid="forced command"
		5
		6	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
		7
		8	echo -n 'command="true" ' >$OBJ/authorized_keys_$USER
		9	cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
		10	echo -n 'command="true" ' >>$OBJ/authorized_keys_$USER
		11	cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
		12
		13	for p in 1 2; do
		14	trace "forced command in key option proto $p"
		15	${SSH} -$p -F $OBJ/ssh_proxy somehost false \ \|\|
		16	fail "forced command in key proto $p"
		17	done
		18
		19	echo -n 'command="false" ' >$OBJ/authorized_keys_$USER
		20	cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
		21	echo -n 'command="false" ' >>$OBJ/authorized_keys_$USER
		22	cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
		23
		24	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
		25	echo "ForceCommand true" >> $OBJ/sshd_proxy
		26
		27	for p in 1 2; do
		28	trace "forced command in sshd_config overrides key option proto $p"
		29	${SSH} -$p -F $OBJ/ssh_proxy somehost false \ \|\|
		30	fail "forced command in key proto $p"
		31	done
		32
		33	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
		34	echo "ForceCommand false" >> $OBJ/sshd_proxy
		35	echo "Match User $USER" >> $OBJ/sshd_proxy
		36	echo " ForceCommand true" >> $OBJ/sshd_proxy
		37
		38	for p in 1 2; do
		39	trace "forced command with match proto $p"
		40	${SSH} -$p -F $OBJ/ssh_proxy somehost false \ \|\|
		41	fail "forced command in key proto $p"
		42	done


diff --git a/regress/forwarding.sh b/regress/forwarding.sh index 3b171144f..9ffbb3dd4 100644 --- a/regress/forwarding.sh +++ b/regress/forwarding.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: forwarding.sh,v 1.5 2005/03/10 10:20:39 dtucker Exp $	1	# $OpenBSD: forwarding.sh,v 1.6 2006/07/11 18:51:21 markus Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="local and remote forwarding"	4	tid="local and remote forwarding"
@@ -34,6 +34,36 @@ for p in 1 2; do
34	done	34	done
35		35
36	for p in 1 2; do	36	for p in 1 2; do
		37	for d in L R; do
		38	trace "exit on -$d forward failure, proto $p"
		39
		40	# this one should succeed
		41	${SSH} -$p -F $OBJ/ssh_config \
		42	-$d ${base}01:127.0.0.1:$PORT \
		43	-$d ${base}02:127.0.0.1:$PORT \
		44	-$d ${base}03:127.0.0.1:$PORT \
		45	-$d ${base}04:127.0.0.1:$PORT \
		46	-oExitOnForwardFailure=yes somehost true
		47	if [ $? != 0 ]; then
		48	fail "connection failed, should not"
		49	else
		50	# this one should fail
		51	${SSH} -q -$p -F $OBJ/ssh_config \
		52	-$d ${base}01:127.0.0.1:$PORT \
		53	-$d ${base}02:127.0.0.1:$PORT \
		54	-$d ${base}03:127.0.0.1:$PORT \
		55	-$d ${base}01:127.0.0.1:$PORT \
		56	-$d ${base}04:127.0.0.1:$PORT \
		57	-oExitOnForwardFailure=yes somehost true
		58	r=$?
		59	if [ $r != 255 ]; then
		60	fail "connection not termintated, but should ($r)"
		61	fi
		62	fi
		63	done
		64	done
		65
		66	for p in 1 2; do
37	trace "simple clear forwarding proto $p"	67	trace "simple clear forwarding proto $p"
38	${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true	68	${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
39		69