diff options
Diffstat (limited to 'regress')
60 files changed, 733 insertions, 1113 deletions
diff --git a/regress/Makefile b/regress/Makefile index b23496b98..7d50f9cfa 100644 --- a/regress/Makefile +++ b/regress/Makefile | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: Makefile,v 1.94 2016/12/16 03:51:19 dtucker Exp $ | 1 | # $OpenBSD: Makefile,v 1.95 2017/06/24 06:35:24 djm Exp $ |
| 2 | 2 | ||
| 3 | REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec | 3 | REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec |
| 4 | tests: prep $(REGRESS_TARGETS) | 4 | tests: prep $(REGRESS_TARGETS) |
| @@ -79,7 +79,8 @@ LTESTS= connect \ | |||
| 79 | principals-command \ | 79 | principals-command \ |
| 80 | cert-file \ | 80 | cert-file \ |
| 81 | cfginclude \ | 81 | cfginclude \ |
| 82 | allow-deny-users | 82 | allow-deny-users \ |
| 83 | authinfo | ||
| 83 | 84 | ||
| 84 | 85 | ||
| 85 | # dhgex \ | 86 | # dhgex \ |
| @@ -89,30 +90,33 @@ INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers | |||
| 89 | 90 | ||
| 90 | #LTESTS= cipher-speed | 91 | #LTESTS= cipher-speed |
| 91 | 92 | ||
| 92 | USERNAME!= id -un | 93 | USERNAME= ${LOGNAME} |
| 93 | CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ | 94 | CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ |
| 94 | authorized_keys_${USERNAME}.* \ | 95 | authorized_keys_${USERNAME}.* \ |
| 95 | authorized_principals_${USERNAME} \ | 96 | authorized_principals_${USERNAME} \ |
| 96 | banner.in banner.out cert_host_key* cert_user_key* \ | 97 | banner.in banner.out cert_host_key* cert_user_key* \ |
| 97 | copy.1 copy.2 data ed25519-agent ed25519-agent* \ | 98 | copy.1 copy.2 data ed25519-agent ed25519-agent* \ |
| 98 | ed25519-agent.pub empty.in expect failed-regress.log \ | 99 | ed25519-agent.pub ed25519 ed25519.pub empty.in \ |
| 99 | failed-ssh.log failed-sshd.log hkr.* host.rsa host.rsa1 \ | 100 | expect failed-regress.log failed-ssh.log failed-sshd.log \ |
| 100 | host_* host_ca_key* host_krl_* host_revoked_* key.* \ | 101 | hkr.* host.ed25519 host.rsa host.rsa1 host_* \ |
| 101 | key.dsa-* key.ecdsa-* key.ed25519-512 key.ed25519-512.pub \ | 102 | host_ca_key* host_krl_* host_revoked_* key.* \ |
| 102 | key.rsa-* keys-command-args kh.* known_hosts \ | 103 | key.dsa-* key.ecdsa-* key.ed25519-512 \ |
| 103 | known_hosts-cert known_hosts.* krl-* ls.copy modpipe \ | 104 | key.ed25519-512.pub key.rsa-* keys-command-args kh.* \ |
| 104 | netcat pidfile putty.rsa2 ready regress.log remote_pid \ | 105 | known_hosts known_hosts-cert known_hosts.* krl-* ls.copy \ |
| 105 | revoked-* rsa rsa-agent rsa-agent.pub rsa.pub rsa1 \ | 106 | modpipe netcat no_identity_config \ |
| 106 | rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \ | 107 | pidfile putty.rsa2 ready regress.log \ |
| 108 | remote_pid revoked-* rsa rsa-agent rsa-agent.pub rsa.pub \ | ||
| 109 | rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \ | ||
| 107 | rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \ | 110 | rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \ |
| 108 | scp-ssh-wrapper.scp setuid-allowed sftp-server.log \ | 111 | scp-ssh-wrapper.scp setuid-allowed sftp-server.log \ |
| 109 | sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \ | 112 | sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \ |
| 110 | ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \ | 113 | ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \ |
| 111 | ssh_proxy_envpass sshd.log sshd_config sshd_config.orig \ | 114 | ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \ |
| 112 | sshd_proxy sshd_proxy.* sshd_proxy_bak sshd_proxy_orig \ | 115 | sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \ |
| 113 | t10.out t10.out.pub t12.out t12.out.pub t2.out t3.out \ | 116 | sshd_proxy_orig t10.out t10.out.pub t12.out t12.out.pub \ |
| 114 | t6.out1 t6.out2 t7.out t7.out.pub t8.out t8.out.pub \ | 117 | t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub \ |
| 115 | t9.out t9.out.pub testdata user_*key* user_ca* user_key* | 118 | t8.out t8.out.pub t9.out t9.out.pub testdata \ |
| 119 | user_*key* user_ca* user_key* | ||
| 116 | 120 | ||
| 117 | SUDO_CLEAN+= /var/run/testdata_${USERNAME} /var/run/keycommand_${USERNAME} | 121 | SUDO_CLEAN+= /var/run/testdata_${USERNAME} /var/run/keycommand_${USERNAME} |
| 118 | 122 | ||
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh index 34bced154..037a50914 100644 --- a/regress/agent-getpeereid.sh +++ b/regress/agent-getpeereid.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: agent-getpeereid.sh,v 1.8 2017/01/06 02:51:16 djm Exp $ | 1 | # $OpenBSD: agent-getpeereid.sh,v 1.9 2017/09/13 14:58:26 bluhm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="disallow agent attach from other uid" | 4 | tid="disallow agent attach from other uid" |
diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh index 3aa20c8b1..db3018b88 100644 --- a/regress/agent-pkcs11.sh +++ b/regress/agent-pkcs11.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: agent-pkcs11.sh,v 1.2 2015/01/12 11:46:32 djm Exp $ | 1 | # $OpenBSD: agent-pkcs11.sh,v 1.3 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="pkcs11 agent test" | 4 | tid="pkcs11 agent test" |
| @@ -53,7 +53,7 @@ else | |||
| 53 | fi | 53 | fi |
| 54 | 54 | ||
| 55 | trace "pkcs11 connect via agent" | 55 | trace "pkcs11 connect via agent" |
| 56 | ${SSH} -2 -F $OBJ/ssh_proxy somehost exit 5 | 56 | ${SSH} -F $OBJ/ssh_proxy somehost exit 5 |
| 57 | r=$? | 57 | r=$? |
| 58 | if [ $r -ne 5 ]; then | 58 | if [ $r -ne 5 ]; then |
| 59 | fail "ssh connect failed (exit code $r)" | 59 | fail "ssh connect failed (exit code $r)" |
diff --git a/regress/agent.sh b/regress/agent.sh index c5e2794b7..0baf0c74a 100644 --- a/regress/agent.sh +++ b/regress/agent.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: agent.sh,v 1.11 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: agent.sh,v 1.12 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="simple agent test" | 4 | tid="simple agent test" |
| @@ -46,28 +46,24 @@ else | |||
| 46 | fi | 46 | fi |
| 47 | 47 | ||
| 48 | trace "simple connect via agent" | 48 | trace "simple connect via agent" |
| 49 | for p in ${SSH_PROTOCOLS}; do | 49 | ${SSH} -F $OBJ/ssh_proxy somehost exit 52 |
| 50 | ${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p | 50 | r=$? |
| 51 | r=$? | 51 | if [ $r -ne 52 ]; then |
| 52 | if [ $r -ne 5$p ]; then | 52 | fail "ssh connect with failed (exit code $r)" |
| 53 | fail "ssh connect with protocol $p failed (exit code $r)" | 53 | fi |
| 54 | fi | ||
| 55 | done | ||
| 56 | 54 | ||
| 57 | trace "agent forwarding" | 55 | trace "agent forwarding" |
| 58 | for p in ${SSH_PROTOCOLS}; do | 56 | ${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 |
| 59 | ${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 | 57 | r=$? |
| 60 | r=$? | 58 | if [ $r -ne 0 ]; then |
| 61 | if [ $r -ne 0 ]; then | 59 | fail "ssh-add -l via agent fwd failed (exit code $r)" |
| 62 | fail "ssh-add -l via agent fwd proto $p failed (exit code $r)" | 60 | fi |
| 63 | fi | 61 | ${SSH} -A -F $OBJ/ssh_proxy somehost \ |
| 64 | ${SSH} -A -$p -F $OBJ/ssh_proxy somehost \ | 62 | "${SSH} -F $OBJ/ssh_proxy somehost exit 52" |
| 65 | "${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p" | 63 | r=$? |
| 66 | r=$? | 64 | if [ $r -ne 52 ]; then |
| 67 | if [ $r -ne 5$p ]; then | 65 | fail "agent fwd failed (exit code $r)" |
| 68 | fail "agent fwd proto $p failed (exit code $r)" | 66 | fi |
| 69 | fi | ||
| 70 | done | ||
| 71 | 67 | ||
| 72 | trace "delete all agent keys" | 68 | trace "delete all agent keys" |
| 73 | ${SSHADD} -D > /dev/null 2>&1 | 69 | ${SSHADD} -D > /dev/null 2>&1 |
diff --git a/regress/authinfo.sh b/regress/authinfo.sh new file mode 100644 index 000000000..e725296c9 --- /dev/null +++ b/regress/authinfo.sh | |||
| @@ -0,0 +1,17 @@ | |||
| 1 | # $OpenBSD: authinfo.sh,v 1.1 2017/06/24 06:35:24 djm Exp $ | ||
| 2 | # Placed in the Public Domain. | ||
| 3 | |||
| 4 | tid="authinfo" | ||
| 5 | |||
| 6 | # Ensure the environment variable doesn't leak when ExposeAuthInfo=no. | ||
| 7 | verbose "ExposeAuthInfo=no" | ||
| 8 | env SSH_USER_AUTH=blah ${SSH} -F $OBJ/ssh_proxy x \ | ||
| 9 | 'test -z "$SSH_USER_AUTH"' || fail "SSH_USER_AUTH present" | ||
| 10 | |||
| 11 | verbose "ExposeAuthInfo=yes" | ||
| 12 | echo ExposeAuthInfo=yes >> $OBJ/sshd_proxy | ||
| 13 | ${SSH} -F $OBJ/ssh_proxy x \ | ||
| 14 | 'grep ^publickey "$SSH_USER_AUTH" /dev/null >/dev/null' || | ||
| 15 | fail "ssh with ExposeAuthInfo failed" | ||
| 16 | |||
| 17 | # XXX test multiple auth and key contents | ||
diff --git a/regress/banner.sh b/regress/banner.sh index 0b9c95007..0d9654fe2 100644 --- a/regress/banner.sh +++ b/regress/banner.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: banner.sh,v 1.2 2003/10/11 11:49:49 dtucker Exp $ | 1 | # $OpenBSD: banner.sh,v 1.3 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="banner" | 4 | tid="banner" |
| @@ -9,7 +9,7 @@ touch $OBJ/empty.in | |||
| 9 | 9 | ||
| 10 | trace "test missing banner file" | 10 | trace "test missing banner file" |
| 11 | verbose "test $tid: missing banner file" | 11 | verbose "test $tid: missing banner file" |
| 12 | ( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ | 12 | ( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ |
| 13 | cmp $OBJ/empty.in $OBJ/banner.out ) || \ | 13 | cmp $OBJ/empty.in $OBJ/banner.out ) || \ |
| 14 | fail "missing banner file" | 14 | fail "missing banner file" |
| 15 | 15 | ||
| @@ -30,14 +30,14 @@ for s in 0 10 100 1000 10000 100000 ; do | |||
| 30 | 30 | ||
| 31 | trace "test banner size $s" | 31 | trace "test banner size $s" |
| 32 | verbose "test $tid: size $s" | 32 | verbose "test $tid: size $s" |
| 33 | ( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ | 33 | ( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ |
| 34 | cmp $OBJ/banner.in $OBJ/banner.out ) || \ | 34 | cmp $OBJ/banner.in $OBJ/banner.out ) || \ |
| 35 | fail "banner size $s mismatch" | 35 | fail "banner size $s mismatch" |
| 36 | done | 36 | done |
| 37 | 37 | ||
| 38 | trace "test suppress banner (-q)" | 38 | trace "test suppress banner (-q)" |
| 39 | verbose "test $tid: suppress banner (-q)" | 39 | verbose "test $tid: suppress banner (-q)" |
| 40 | ( ${SSH} -q -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ | 40 | ( ${SSH} -q -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ |
| 41 | cmp $OBJ/empty.in $OBJ/banner.out ) || \ | 41 | cmp $OBJ/empty.in $OBJ/banner.out ) || \ |
| 42 | fail "suppress banner (-q)" | 42 | fail "suppress banner (-q)" |
| 43 | 43 | ||
diff --git a/regress/broken-pipe.sh b/regress/broken-pipe.sh index a416f7a3b..c69276e27 100644 --- a/regress/broken-pipe.sh +++ b/regress/broken-pipe.sh | |||
| @@ -1,15 +1,12 @@ | |||
| 1 | # $OpenBSD: broken-pipe.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: broken-pipe.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="broken pipe test" | 4 | tid="broken pipe test" |
| 5 | 5 | ||
| 6 | for p in ${SSH_PROTOCOLS}; do | 6 | for i in 1 2 3 4; do |
| 7 | trace "protocol $p" | 7 | ${SSH} -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true |
| 8 | for i in 1 2 3 4; do | 8 | r=$? |
| 9 | ${SSH} -$p -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true | 9 | if [ $r -ne 0 ]; then |
| 10 | r=$? | 10 | fail "broken pipe returns $r" |
| 11 | if [ $r -ne 0 ]; then | 11 | fi |
| 12 | fail "broken pipe returns $r for protocol $p" | ||
| 13 | fi | ||
| 14 | done | ||
| 15 | done | 12 | done |
diff --git a/regress/brokenkeys.sh b/regress/brokenkeys.sh index 3e70c348a..9d5a54fa9 100644 --- a/regress/brokenkeys.sh +++ b/regress/brokenkeys.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: brokenkeys.sh,v 1.1 2004/10/29 23:59:22 djm Exp $ | 1 | # $OpenBSD: brokenkeys.sh,v 1.2 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="broken keys" | 4 | tid="broken keys" |
| @@ -14,9 +14,9 @@ echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEABTM= bad key" > $KEYS | |||
| 14 | cat ${KEYS}.bak >> ${KEYS} | 14 | cat ${KEYS}.bak >> ${KEYS} |
| 15 | cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER | 15 | cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER |
| 16 | 16 | ||
| 17 | ${SSH} -2 -F $OBJ/ssh_config somehost true | 17 | ${SSH} -F $OBJ/ssh_config somehost true |
| 18 | if [ $? -ne 0 ]; then | 18 | if [ $? -ne 0 ]; then |
| 19 | fail "ssh connect with protocol $p failed" | 19 | fail "ssh connect with failed" |
| 20 | fi | 20 | fi |
| 21 | 21 | ||
| 22 | mv ${KEYS}.bak ${KEYS} | 22 | mv ${KEYS}.bak ${KEYS} |
diff --git a/regress/cert-file.sh b/regress/cert-file.sh index 43b8e0201..8fd62c773 100644 --- a/regress/cert-file.sh +++ b/regress/cert-file.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-file.sh,v 1.5 2017/03/11 23:44:16 djm Exp $ | 1 | # $OpenBSD: cert-file.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="ssh with certificates" | 4 | tid="ssh with certificates" |
| @@ -54,66 +54,64 @@ cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config | |||
| 54 | # XXX: verify that certificate used was what we expect. Needs exposure of | 54 | # XXX: verify that certificate used was what we expect. Needs exposure of |
| 55 | # keys via enviornment variable or similar. | 55 | # keys via enviornment variable or similar. |
| 56 | 56 | ||
| 57 | for p in ${SSH_PROTOCOLS}; do | ||
| 58 | # Key with no .pub should work - finding the equivalent *-cert.pub. | 57 | # Key with no .pub should work - finding the equivalent *-cert.pub. |
| 59 | verbose "protocol $p: identity cert with no plain public file" | 58 | verbose "identity cert with no plain public file" |
| 60 | ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ | 59 | ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ |
| 61 | -i $OBJ/user_key3 somehost exit 5$p | 60 | -i $OBJ/user_key3 somehost exit 52 |
| 62 | [ $? -ne 5$p ] && fail "ssh failed" | 61 | [ $? -ne 52 ] && fail "ssh failed" |
| 63 | 62 | ||
| 64 | # CertificateFile matching private key with no .pub file should work. | 63 | # CertificateFile matching private key with no .pub file should work. |
| 65 | verbose "protocol $p: CertificateFile with no plain public file" | 64 | verbose "CertificateFile with no plain public file" |
| 66 | ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ | 65 | ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ |
| 67 | -oCertificateFile=$OBJ/user_key3-cert.pub \ | 66 | -oCertificateFile=$OBJ/user_key3-cert.pub \ |
| 68 | -i $OBJ/user_key3 somehost exit 5$p | 67 | -i $OBJ/user_key3 somehost exit 52 |
| 69 | [ $? -ne 5$p ] && fail "ssh failed" | 68 | [ $? -ne 52 ] && fail "ssh failed" |
| 70 | 69 | ||
| 71 | # Just keys should fail | 70 | # Just keys should fail |
| 72 | verbose "protocol $p: plain keys" | 71 | verbose "plain keys" |
| 73 | ${SSH} $opts2 somehost exit 5$p | 72 | ${SSH} $opts2 somehost exit 52 |
| 74 | r=$? | 73 | r=$? |
| 75 | if [ $r -eq 5$p ]; then | 74 | if [ $r -eq 52 ]; then |
| 76 | fail "ssh succeeded with no certs in protocol $p" | 75 | fail "ssh succeeded with no certs" |
| 77 | fi | 76 | fi |
| 78 | 77 | ||
| 79 | # Keys with untrusted cert should fail. | 78 | # Keys with untrusted cert should fail. |
| 80 | verbose "protocol $p: untrusted cert" | 79 | verbose "untrusted cert" |
| 81 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" | 80 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" |
| 82 | ${SSH} $opts3 somehost exit 5$p | 81 | ${SSH} $opts3 somehost exit 52 |
| 83 | r=$? | 82 | r=$? |
| 84 | if [ $r -eq 5$p ]; then | 83 | if [ $r -eq 52 ]; then |
| 85 | fail "ssh succeeded with bad cert in protocol $p" | 84 | fail "ssh succeeded with bad cert" |
| 86 | fi | 85 | fi |
| 87 | 86 | ||
| 88 | # Good cert with bad key should fail. | 87 | # Good cert with bad key should fail. |
| 89 | verbose "protocol $p: good cert, bad key" | 88 | verbose "good cert, bad key" |
| 90 | opts3="$opts -i $OBJ/user_key2" | 89 | opts3="$opts -i $OBJ/user_key2" |
| 91 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" | 90 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" |
| 92 | ${SSH} $opts3 somehost exit 5$p | 91 | ${SSH} $opts3 somehost exit 52 |
| 93 | r=$? | 92 | r=$? |
| 94 | if [ $r -eq 5$p ]; then | 93 | if [ $r -eq 52 ]; then |
| 95 | fail "ssh succeeded with no matching key in protocol $p" | 94 | fail "ssh succeeded with no matching key" |
| 96 | fi | 95 | fi |
| 97 | 96 | ||
| 98 | # Keys with one trusted cert, should succeed. | 97 | # Keys with one trusted cert, should succeed. |
| 99 | verbose "protocol $p: single trusted" | 98 | verbose "single trusted" |
| 100 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" | 99 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" |
| 101 | ${SSH} $opts3 somehost exit 5$p | 100 | ${SSH} $opts3 somehost exit 52 |
| 102 | r=$? | 101 | r=$? |
| 103 | if [ $r -ne 5$p ]; then | 102 | if [ $r -ne 52 ]; then |
| 104 | fail "ssh failed with trusted cert and key in protocol $p" | 103 | fail "ssh failed with trusted cert and key" |
| 105 | fi | 104 | fi |
| 106 | 105 | ||
| 107 | # Multiple certs and keys, with one trusted cert, should succeed. | 106 | # Multiple certs and keys, with one trusted cert, should succeed. |
| 108 | verbose "protocol $p: multiple trusted" | 107 | verbose "multiple trusted" |
| 109 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" | 108 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" |
| 110 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" | 109 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" |
| 111 | ${SSH} $opts3 somehost exit 5$p | 110 | ${SSH} $opts3 somehost exit 52 |
| 112 | r=$? | 111 | r=$? |
| 113 | if [ $r -ne 5$p ]; then | 112 | if [ $r -ne 52 ]; then |
| 114 | fail "ssh failed with multiple certs in protocol $p" | 113 | fail "ssh failed with multiple certs" |
| 115 | fi | 114 | fi |
| 116 | done | ||
| 117 | 115 | ||
| 118 | #next, using an agent in combination with the keys | 116 | #next, using an agent in combination with the keys |
| 119 | SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1 | 117 | SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1 |
| @@ -139,26 +137,25 @@ if [ $? -ne 0 ]; then | |||
| 139 | fi | 137 | fi |
| 140 | 138 | ||
| 141 | # try ssh with the agent and certificates | 139 | # try ssh with the agent and certificates |
| 142 | # note: ssh agent only uses certificates in protocol 2 | ||
| 143 | opts="-F $OBJ/ssh_proxy" | 140 | opts="-F $OBJ/ssh_proxy" |
| 144 | # with no certificates, shoud fail | 141 | # with no certificates, shoud fail |
| 145 | ${SSH} -2 $opts somehost exit 52 | 142 | ${SSH} $opts somehost exit 52 |
| 146 | if [ $? -eq 52 ]; then | 143 | if [ $? -eq 52 ]; then |
| 147 | fail "ssh connect with agent in protocol 2 succeeded with no cert" | 144 | fail "ssh connect with agent in succeeded with no cert" |
| 148 | fi | 145 | fi |
| 149 | 146 | ||
| 150 | #with an untrusted certificate, should fail | 147 | #with an untrusted certificate, should fail |
| 151 | opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub" | 148 | opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub" |
| 152 | ${SSH} -2 $opts somehost exit 52 | 149 | ${SSH} $opts somehost exit 52 |
| 153 | if [ $? -eq 52 ]; then | 150 | if [ $? -eq 52 ]; then |
| 154 | fail "ssh connect with agent in protocol 2 succeeded with bad cert" | 151 | fail "ssh connect with agent in succeeded with bad cert" |
| 155 | fi | 152 | fi |
| 156 | 153 | ||
| 157 | #with an additional trusted certificate, should succeed | 154 | #with an additional trusted certificate, should succeed |
| 158 | opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub" | 155 | opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub" |
| 159 | ${SSH} -2 $opts somehost exit 52 | 156 | ${SSH} $opts somehost exit 52 |
| 160 | if [ $? -ne 52 ]; then | 157 | if [ $? -ne 52 ]; then |
| 161 | fail "ssh connect with agent in protocol 2 failed with good cert" | 158 | fail "ssh connect with agent in failed with good cert" |
| 162 | fi | 159 | fi |
| 163 | 160 | ||
| 164 | trace "kill agent" | 161 | trace "kill agent" |
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 62261cf8b..3d5732a5d 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-hostkey.sh,v 1.14 2016/05/02 09:52:00 djm Exp $ | 1 | # $OpenBSD: cert-hostkey.sh,v 1.15 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified host keys" | 4 | tid="certified host keys" |
| @@ -104,7 +104,7 @@ attempt_connect() { | |||
| 104 | shift; shift | 104 | shift; shift |
| 105 | verbose "$tid: $_ident expect success $_expect_success" | 105 | verbose "$tid: $_ident expect success $_expect_success" |
| 106 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 106 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
| 107 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 107 | ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
| 108 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 108 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ |
| 109 | "$@" -F $OBJ/ssh_proxy somehost true | 109 | "$@" -F $OBJ/ssh_proxy somehost true |
| 110 | _r=$? | 110 | _r=$? |
| @@ -169,7 +169,7 @@ for privsep in yes no ; do | |||
| 169 | ) > $OBJ/sshd_proxy | 169 | ) > $OBJ/sshd_proxy |
| 170 | 170 | ||
| 171 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 171 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
| 172 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 172 | ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
| 173 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 173 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ |
| 174 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 174 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 175 | if [ $? -eq 0 ]; then | 175 | if [ $? -eq 0 ]; then |
| @@ -190,7 +190,7 @@ for ktype in $PLAIN_TYPES ; do | |||
| 190 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub | 190 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub |
| 191 | ) > $OBJ/sshd_proxy | 191 | ) > $OBJ/sshd_proxy |
| 192 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 192 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
| 193 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 193 | ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
| 194 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 194 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ |
| 195 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 195 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 196 | if [ $? -eq 0 ]; then | 196 | if [ $? -eq 0 ]; then |
| @@ -222,7 +222,7 @@ test_one() { | |||
| 222 | ) > $OBJ/sshd_proxy | 222 | ) > $OBJ/sshd_proxy |
| 223 | 223 | ||
| 224 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 224 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
| 225 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 225 | ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
| 226 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 226 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ |
| 227 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 227 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 228 | rc=$? | 228 | rc=$? |
| @@ -271,7 +271,7 @@ for ktype in $PLAIN_TYPES ; do | |||
| 271 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub | 271 | echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub |
| 272 | ) > $OBJ/sshd_proxy | 272 | ) > $OBJ/sshd_proxy |
| 273 | 273 | ||
| 274 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 274 | ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
| 275 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 275 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ |
| 276 | -F $OBJ/ssh_proxy somehost true | 276 | -F $OBJ/ssh_proxy somehost true |
| 277 | if [ $? -ne 0 ]; then | 277 | if [ $? -ne 0 ]; then |
| @@ -303,7 +303,7 @@ for kt in $PLAIN_TYPES ; do | |||
| 303 | ) > $OBJ/sshd_proxy | 303 | ) > $OBJ/sshd_proxy |
| 304 | 304 | ||
| 305 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 305 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
| 306 | ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ | 306 | ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \ |
| 307 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ | 307 | -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ |
| 308 | -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 | 308 | -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 |
| 309 | if [ $? -eq 0 ]; then | 309 | if [ $? -eq 0 ]; then |
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 7005fd55e..6a23fe300 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-userkey.sh,v 1.17 2016/11/30 03:01:33 djm Exp $ | 1 | # $OpenBSD: cert-userkey.sh,v 1.18 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified user keys" | 4 | tid="certified user keys" |
| @@ -67,7 +67,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | |||
| 67 | # Missing authorized_principals | 67 | # Missing authorized_principals |
| 68 | verbose "$tid: ${_prefix} missing authorized_principals" | 68 | verbose "$tid: ${_prefix} missing authorized_principals" |
| 69 | rm -f $OBJ/authorized_principals_$USER | 69 | rm -f $OBJ/authorized_principals_$USER |
| 70 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 70 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
| 71 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 71 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 72 | if [ $? -eq 0 ]; then | 72 | if [ $? -eq 0 ]; then |
| 73 | fail "ssh cert connect succeeded unexpectedly" | 73 | fail "ssh cert connect succeeded unexpectedly" |
| @@ -76,7 +76,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | |||
| 76 | # Empty authorized_principals | 76 | # Empty authorized_principals |
| 77 | verbose "$tid: ${_prefix} empty authorized_principals" | 77 | verbose "$tid: ${_prefix} empty authorized_principals" |
| 78 | echo > $OBJ/authorized_principals_$USER | 78 | echo > $OBJ/authorized_principals_$USER |
| 79 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 79 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
| 80 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 80 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 81 | if [ $? -eq 0 ]; then | 81 | if [ $? -eq 0 ]; then |
| 82 | fail "ssh cert connect succeeded unexpectedly" | 82 | fail "ssh cert connect succeeded unexpectedly" |
| @@ -85,7 +85,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | |||
| 85 | # Wrong authorized_principals | 85 | # Wrong authorized_principals |
| 86 | verbose "$tid: ${_prefix} wrong authorized_principals" | 86 | verbose "$tid: ${_prefix} wrong authorized_principals" |
| 87 | echo gregorsamsa > $OBJ/authorized_principals_$USER | 87 | echo gregorsamsa > $OBJ/authorized_principals_$USER |
| 88 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 88 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
| 89 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 89 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 90 | if [ $? -eq 0 ]; then | 90 | if [ $? -eq 0 ]; then |
| 91 | fail "ssh cert connect succeeded unexpectedly" | 91 | fail "ssh cert connect succeeded unexpectedly" |
| @@ -94,7 +94,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | |||
| 94 | # Correct authorized_principals | 94 | # Correct authorized_principals |
| 95 | verbose "$tid: ${_prefix} correct authorized_principals" | 95 | verbose "$tid: ${_prefix} correct authorized_principals" |
| 96 | echo mekmitasdigoat > $OBJ/authorized_principals_$USER | 96 | echo mekmitasdigoat > $OBJ/authorized_principals_$USER |
| 97 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 97 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
| 98 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 98 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 99 | if [ $? -ne 0 ]; then | 99 | if [ $? -ne 0 ]; then |
| 100 | fail "ssh cert connect failed" | 100 | fail "ssh cert connect failed" |
| @@ -103,7 +103,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | |||
| 103 | # authorized_principals with bad key option | 103 | # authorized_principals with bad key option |
| 104 | verbose "$tid: ${_prefix} authorized_principals bad key opt" | 104 | verbose "$tid: ${_prefix} authorized_principals bad key opt" |
| 105 | echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER | 105 | echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER |
| 106 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 106 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
| 107 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 107 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 108 | if [ $? -eq 0 ]; then | 108 | if [ $? -eq 0 ]; then |
| 109 | fail "ssh cert connect succeeded unexpectedly" | 109 | fail "ssh cert connect succeeded unexpectedly" |
| @@ -113,7 +113,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | |||
| 113 | verbose "$tid: ${_prefix} authorized_principals command=false" | 113 | verbose "$tid: ${_prefix} authorized_principals command=false" |
| 114 | echo 'command="false" mekmitasdigoat' > \ | 114 | echo 'command="false" mekmitasdigoat' > \ |
| 115 | $OBJ/authorized_principals_$USER | 115 | $OBJ/authorized_principals_$USER |
| 116 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 116 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
| 117 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 117 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 118 | if [ $? -eq 0 ]; then | 118 | if [ $? -eq 0 ]; then |
| 119 | fail "ssh cert connect succeeded unexpectedly" | 119 | fail "ssh cert connect succeeded unexpectedly" |
| @@ -124,7 +124,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | |||
| 124 | verbose "$tid: ${_prefix} authorized_principals command=true" | 124 | verbose "$tid: ${_prefix} authorized_principals command=true" |
| 125 | echo 'command="true" mekmitasdigoat' > \ | 125 | echo 'command="true" mekmitasdigoat' > \ |
| 126 | $OBJ/authorized_principals_$USER | 126 | $OBJ/authorized_principals_$USER |
| 127 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 127 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
| 128 | -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 | 128 | -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 |
| 129 | if [ $? -ne 0 ]; then | 129 | if [ $? -ne 0 ]; then |
| 130 | fail "ssh cert connect failed" | 130 | fail "ssh cert connect failed" |
| @@ -148,7 +148,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | |||
| 148 | printf 'cert-authority,principals="gregorsamsa" ' | 148 | printf 'cert-authority,principals="gregorsamsa" ' |
| 149 | cat $OBJ/user_ca_key.pub | 149 | cat $OBJ/user_ca_key.pub |
| 150 | ) > $OBJ/authorized_keys_$USER | 150 | ) > $OBJ/authorized_keys_$USER |
| 151 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 151 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
| 152 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 152 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 153 | if [ $? -eq 0 ]; then | 153 | if [ $? -eq 0 ]; then |
| 154 | fail "ssh cert connect succeeded unexpectedly" | 154 | fail "ssh cert connect succeeded unexpectedly" |
| @@ -160,7 +160,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | |||
| 160 | printf 'cert-authority,principals="mekmitasdigoat" ' | 160 | printf 'cert-authority,principals="mekmitasdigoat" ' |
| 161 | cat $OBJ/user_ca_key.pub | 161 | cat $OBJ/user_ca_key.pub |
| 162 | ) > $OBJ/authorized_keys_$USER | 162 | ) > $OBJ/authorized_keys_$USER |
| 163 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 163 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
| 164 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 164 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 165 | if [ $? -ne 0 ]; then | 165 | if [ $? -ne 0 ]; then |
| 166 | fail "ssh cert connect failed" | 166 | fail "ssh cert connect failed" |
| @@ -198,7 +198,7 @@ basic_tests() { | |||
| 198 | echo "PubkeyAcceptedKeyTypes ${t}" | 198 | echo "PubkeyAcceptedKeyTypes ${t}" |
| 199 | ) > $OBJ/ssh_proxy | 199 | ) > $OBJ/ssh_proxy |
| 200 | 200 | ||
| 201 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 201 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
| 202 | -F $OBJ/ssh_proxy somehost true | 202 | -F $OBJ/ssh_proxy somehost true |
| 203 | if [ $? -ne 0 ]; then | 203 | if [ $? -ne 0 ]; then |
| 204 | fail "ssh cert connect failed" | 204 | fail "ssh cert connect failed" |
| @@ -215,7 +215,7 @@ basic_tests() { | |||
| 215 | ) > $OBJ/sshd_proxy | 215 | ) > $OBJ/sshd_proxy |
| 216 | cp $OBJ/cert_user_key_${ktype}.pub \ | 216 | cp $OBJ/cert_user_key_${ktype}.pub \ |
| 217 | $OBJ/cert_user_key_revoked | 217 | $OBJ/cert_user_key_revoked |
| 218 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 218 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
| 219 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 219 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 220 | if [ $? -eq 0 ]; then | 220 | if [ $? -eq 0 ]; then |
| 221 | fail "ssh cert connect succeeded unexpecedly" | 221 | fail "ssh cert connect succeeded unexpecedly" |
| @@ -224,14 +224,14 @@ basic_tests() { | |||
| 224 | rm $OBJ/cert_user_key_revoked | 224 | rm $OBJ/cert_user_key_revoked |
| 225 | ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \ | 225 | ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \ |
| 226 | $OBJ/cert_user_key_${ktype}.pub | 226 | $OBJ/cert_user_key_${ktype}.pub |
| 227 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 227 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
| 228 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 228 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 229 | if [ $? -eq 0 ]; then | 229 | if [ $? -eq 0 ]; then |
| 230 | fail "ssh cert connect succeeded unexpecedly" | 230 | fail "ssh cert connect succeeded unexpecedly" |
| 231 | fi | 231 | fi |
| 232 | verbose "$tid: ${_prefix} empty KRL" | 232 | verbose "$tid: ${_prefix} empty KRL" |
| 233 | ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked | 233 | ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked |
| 234 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 234 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
| 235 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 235 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 236 | if [ $? -ne 0 ]; then | 236 | if [ $? -ne 0 ]; then |
| 237 | fail "ssh cert connect failed" | 237 | fail "ssh cert connect failed" |
| @@ -246,7 +246,7 @@ basic_tests() { | |||
| 246 | echo "PubkeyAcceptedKeyTypes ${t}" | 246 | echo "PubkeyAcceptedKeyTypes ${t}" |
| 247 | echo "$extra_sshd" | 247 | echo "$extra_sshd" |
| 248 | ) > $OBJ/sshd_proxy | 248 | ) > $OBJ/sshd_proxy |
| 249 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ | 249 | ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ |
| 250 | somehost true >/dev/null 2>&1 | 250 | somehost true >/dev/null 2>&1 |
| 251 | if [ $? -eq 0 ]; then | 251 | if [ $? -eq 0 ]; then |
| 252 | fail "ssh cert connect succeeded unexpecedly" | 252 | fail "ssh cert connect succeeded unexpecedly" |
| @@ -260,7 +260,7 @@ basic_tests() { | |||
| 260 | echo "$extra_sshd" | 260 | echo "$extra_sshd" |
| 261 | ) > $OBJ/sshd_proxy | 261 | ) > $OBJ/sshd_proxy |
| 262 | verbose "$tid: ensure CA key does not authenticate user" | 262 | verbose "$tid: ensure CA key does not authenticate user" |
| 263 | ${SSH} -2i $OBJ/user_ca_key \ | 263 | ${SSH} -i $OBJ/user_ca_key \ |
| 264 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 264 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 265 | if [ $? -eq 0 ]; then | 265 | if [ $? -eq 0 ]; then |
| 266 | fail "ssh cert connect with CA key succeeded unexpectedly" | 266 | fail "ssh cert connect with CA key succeeded unexpectedly" |
| @@ -307,7 +307,7 @@ test_one() { | |||
| 307 | $sign_opts $OBJ/cert_user_key_${ktype} || | 307 | $sign_opts $OBJ/cert_user_key_${ktype} || |
| 308 | fail "couldn't sign cert_user_key_${ktype}" | 308 | fail "couldn't sign cert_user_key_${ktype}" |
| 309 | 309 | ||
| 310 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 310 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
| 311 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 311 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 312 | rc=$? | 312 | rc=$? |
| 313 | if [ "x$result" = "xsuccess" ] ; then | 313 | if [ "x$result" = "xsuccess" ] ; then |
| @@ -378,7 +378,7 @@ for ktype in $PLAIN_TYPES ; do | |||
| 378 | -n $USER $OBJ/cert_user_key_${ktype} || | 378 | -n $USER $OBJ/cert_user_key_${ktype} || |
| 379 | fatal "couldn't sign cert_user_key_${ktype}" | 379 | fatal "couldn't sign cert_user_key_${ktype}" |
| 380 | verbose "$tid: user ${ktype} connect wrong cert" | 380 | verbose "$tid: user ${ktype} connect wrong cert" |
| 381 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ | 381 | ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ |
| 382 | somehost true >/dev/null 2>&1 | 382 | somehost true >/dev/null 2>&1 |
| 383 | if [ $? -eq 0 ]; then | 383 | if [ $? -eq 0 ]; then |
| 384 | fail "ssh cert connect $ident succeeded unexpectedly" | 384 | fail "ssh cert connect $ident succeeded unexpectedly" |
diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh index 056296398..2504d04f4 100644 --- a/regress/cfgmatch.sh +++ b/regress/cfgmatch.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cfgmatch.sh,v 1.9 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: cfgmatch.sh,v 1.10 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="sshd_config match" | 4 | tid="sshd_config match" |
| @@ -13,7 +13,7 @@ echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy | |||
| 13 | start_client() | 13 | start_client() |
| 14 | { | 14 | { |
| 15 | rm -f $pidfile | 15 | rm -f $pidfile |
| 16 | ${SSH} -q -$p $fwd "$@" somehost \ | 16 | ${SSH} -q $fwd "$@" somehost \ |
| 17 | exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \ | 17 | exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \ |
| 18 | >>$TEST_REGRESS_LOGFILE 2>&1 & | 18 | >>$TEST_REGRESS_LOGFILE 2>&1 & |
| 19 | client_pid=$! | 19 | client_pid=$! |
| @@ -56,22 +56,18 @@ start_sshd | |||
| 56 | #set -x | 56 | #set -x |
| 57 | 57 | ||
| 58 | # Test Match + PermitOpen in sshd_config. This should be permitted | 58 | # Test Match + PermitOpen in sshd_config. This should be permitted |
| 59 | for p in ${SSH_PROTOCOLS}; do | 59 | trace "match permitopen localhost" |
| 60 | trace "match permitopen localhost proto $p" | 60 | start_client -F $OBJ/ssh_config |
| 61 | start_client -F $OBJ/ssh_config | 61 | ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ |
| 62 | ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ | 62 | fail "match permitopen permit" |
| 63 | fail "match permitopen permit proto $p" | 63 | stop_client |
| 64 | stop_client | ||
| 65 | done | ||
| 66 | 64 | ||
| 67 | # Same but from different source. This should not be permitted | 65 | # Same but from different source. This should not be permitted |
| 68 | for p in ${SSH_PROTOCOLS}; do | 66 | trace "match permitopen proxy" |
| 69 | trace "match permitopen proxy proto $p" | 67 | start_client -F $OBJ/ssh_proxy |
| 70 | start_client -F $OBJ/ssh_proxy | 68 | ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ |
| 71 | ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ | 69 | fail "match permitopen deny" |
| 72 | fail "match permitopen deny proto $p" | 70 | stop_client |
| 73 | stop_client | ||
| 74 | done | ||
| 75 | 71 | ||
| 76 | # Retry previous with key option, should also be denied. | 72 | # Retry previous with key option, should also be denied. |
| 77 | cp /dev/null $OBJ/authorized_keys_$USER | 73 | cp /dev/null $OBJ/authorized_keys_$USER |
| @@ -79,23 +75,19 @@ for t in ${SSH_KEYTYPES}; do | |||
| 79 | printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER | 75 | printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER |
| 80 | cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER | 76 | cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER |
| 81 | done | 77 | done |
| 82 | for p in ${SSH_PROTOCOLS}; do | 78 | trace "match permitopen proxy w/key opts" |
| 83 | trace "match permitopen proxy w/key opts proto $p" | 79 | start_client -F $OBJ/ssh_proxy |
| 84 | start_client -F $OBJ/ssh_proxy | 80 | ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ |
| 85 | ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ | 81 | fail "match permitopen deny w/key opt" |
| 86 | fail "match permitopen deny w/key opt proto $p" | 82 | stop_client |
| 87 | stop_client | ||
| 88 | done | ||
| 89 | 83 | ||
| 90 | # Test both sshd_config and key options permitting the same dst/port pair. | 84 | # Test both sshd_config and key options permitting the same dst/port pair. |
| 91 | # Should be permitted. | 85 | # Should be permitted. |
| 92 | for p in ${SSH_PROTOCOLS}; do | 86 | trace "match permitopen localhost" |
| 93 | trace "match permitopen localhost proto $p" | 87 | start_client -F $OBJ/ssh_config |
| 94 | start_client -F $OBJ/ssh_config | 88 | ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ |
| 95 | ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ | 89 | fail "match permitopen permit" |
| 96 | fail "match permitopen permit proto $p" | 90 | stop_client |
| 97 | stop_client | ||
| 98 | done | ||
| 99 | 91 | ||
| 100 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy | 92 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy |
| 101 | echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy | 93 | echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy |
| @@ -103,13 +95,11 @@ echo "Match User $USER" >>$OBJ/sshd_proxy | |||
| 103 | echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy | 95 | echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy |
| 104 | 96 | ||
| 105 | # Test that a Match overrides a PermitOpen in the global section | 97 | # Test that a Match overrides a PermitOpen in the global section |
| 106 | for p in ${SSH_PROTOCOLS}; do | 98 | trace "match permitopen proxy w/key opts" |
| 107 | trace "match permitopen proxy w/key opts proto $p" | 99 | start_client -F $OBJ/ssh_proxy |
| 108 | start_client -F $OBJ/ssh_proxy | 100 | ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ |
| 109 | ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ | 101 | fail "match override permitopen" |
| 110 | fail "match override permitopen proto $p" | 102 | stop_client |
| 111 | stop_client | ||
| 112 | done | ||
| 113 | 103 | ||
| 114 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy | 104 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy |
| 115 | echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy | 105 | echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy |
| @@ -118,10 +108,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy | |||
| 118 | 108 | ||
| 119 | # Test that a rule that doesn't match doesn't override, plus test a | 109 | # Test that a rule that doesn't match doesn't override, plus test a |
| 120 | # PermitOpen entry that's not at the start of the list | 110 | # PermitOpen entry that's not at the start of the list |
| 121 | for p in ${SSH_PROTOCOLS}; do | 111 | trace "nomatch permitopen proxy w/key opts" |
| 122 | trace "nomatch permitopen proxy w/key opts proto $p" | 112 | start_client -F $OBJ/ssh_proxy |
| 123 | start_client -F $OBJ/ssh_proxy | 113 | ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ |
| 124 | ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ | 114 | fail "nomatch override permitopen" |
| 125 | fail "nomatch override permitopen proto $p" | 115 | stop_client |
| 126 | stop_client | ||
| 127 | done | ||
diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 575dc2341..5da95b3a9 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cipher-speed.sh,v 1.13 2015/03/24 20:22:17 markus Exp $ | 1 | # $OpenBSD: cipher-speed.sh,v 1.14 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="cipher speed" | 4 | tid="cipher speed" |
| @@ -12,16 +12,16 @@ getbytes () | |||
| 12 | tries="1 2" | 12 | tries="1 2" |
| 13 | 13 | ||
| 14 | for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do | 14 | for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do |
| 15 | trace "proto 2 cipher $c mac $m" | 15 | trace "cipher $c mac $m" |
| 16 | for x in $tries; do | 16 | for x in $tries; do |
| 17 | printf "%-60s" "$c/$m:" | 17 | printf "%-60s" "$c/$m:" |
| 18 | ( ${SSH} -o 'compression no' \ | 18 | ( ${SSH} -o 'compression no' \ |
| 19 | -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \ | 19 | -F $OBJ/ssh_proxy -m $m -c $c somehost \ |
| 20 | exec sh -c \'"dd of=/dev/null obs=32k"\' \ | 20 | exec sh -c \'"dd of=/dev/null obs=32k"\' \ |
| 21 | < ${DATA} ) 2>&1 | getbytes | 21 | < ${DATA} ) 2>&1 | getbytes |
| 22 | 22 | ||
| 23 | if [ $? -ne 0 ]; then | 23 | if [ $? -ne 0 ]; then |
| 24 | fail "ssh -2 failed with mac $m cipher $c" | 24 | fail "ssh failed with mac $m cipher $c" |
| 25 | fi | 25 | fi |
| 26 | done | 26 | done |
| 27 | # No point trying all MACs for AEAD ciphers since they are ignored. | 27 | # No point trying all MACs for AEAD ciphers since they are ignored. |
| @@ -30,22 +30,3 @@ for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do | |||
| 30 | fi | 30 | fi |
| 31 | n=`expr $n + 1` | 31 | n=`expr $n + 1` |
| 32 | done; done | 32 | done; done |
| 33 | |||
| 34 | if ssh_version 1; then | ||
| 35 | ciphers="3des blowfish" | ||
| 36 | else | ||
| 37 | ciphers="" | ||
| 38 | fi | ||
| 39 | for c in $ciphers; do | ||
| 40 | trace "proto 1 cipher $c" | ||
| 41 | for x in $tries; do | ||
| 42 | printf "%-60s" "$c:" | ||
| 43 | ( ${SSH} -o 'compression no' \ | ||
| 44 | -F $OBJ/ssh_proxy -1 -c $c somehost \ | ||
| 45 | exec sh -c \'"dd of=/dev/null obs=32k"\' \ | ||
| 46 | < ${DATA} ) 2>&1 | getbytes | ||
| 47 | if [ $? -ne 0 ]; then | ||
| 48 | fail "ssh -1 failed with cipher $c" | ||
| 49 | fi | ||
| 50 | done | ||
| 51 | done | ||
diff --git a/regress/connect-privsep.sh b/regress/connect-privsep.sh index 81cedc7e5..b6abb65e3 100644 --- a/regress/connect-privsep.sh +++ b/regress/connect-privsep.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: connect-privsep.sh,v 1.8 2016/11/01 13:43:27 tb Exp $ | 1 | # $OpenBSD: connect-privsep.sh,v 1.9 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="proxy connect with privsep" | 4 | tid="proxy connect with privsep" |
| @@ -6,23 +6,19 @@ tid="proxy connect with privsep" | |||
| 6 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig | 6 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig |
| 7 | echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy | 7 | echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy |
| 8 | 8 | ||
| 9 | for p in ${SSH_PROTOCOLS}; do | 9 | ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true |
| 10 | ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true | 10 | if [ $? -ne 0 ]; then |
| 11 | if [ $? -ne 0 ]; then | 11 | fail "ssh privsep+proxyconnect failed" |
| 12 | fail "ssh privsep+proxyconnect protocol $p failed" | 12 | fi |
| 13 | fi | ||
| 14 | done | ||
| 15 | 13 | ||
| 16 | cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy | 14 | cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy |
| 17 | echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy | 15 | echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy |
| 18 | 16 | ||
| 19 | for p in ${SSH_PROTOCOLS}; do | 17 | ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true |
| 20 | ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true | 18 | if [ $? -ne 0 ]; then |
| 21 | if [ $? -ne 0 ]; then | 19 | # XXX replace this with fail once sandbox has stabilised |
| 22 | # XXX replace this with fail once sandbox has stabilised | 20 | warn "ssh privsep/sandbox+proxyconnect failed" |
| 23 | warn "ssh privsep/sandbox+proxyconnect protocol $p failed" | 21 | fi |
| 24 | fi | ||
| 25 | done | ||
| 26 | 22 | ||
| 27 | # Because sandbox is sensitive to changes in libc, especially malloc, retest | 23 | # Because sandbox is sensitive to changes in libc, especially malloc, retest |
| 28 | # with every malloc.conf option (and none). | 24 | # with every malloc.conf option (and none). |
| @@ -32,10 +28,8 @@ else | |||
| 32 | mopts=`echo $TEST_MALLOC_OPTIONS | sed 's/./& /g'` | 28 | mopts=`echo $TEST_MALLOC_OPTIONS | sed 's/./& /g'` |
| 33 | fi | 29 | fi |
| 34 | for m in '' $mopts ; do | 30 | for m in '' $mopts ; do |
| 35 | for p in ${SSH_PROTOCOLS}; do | 31 | env MALLOC_OPTIONS="$m" ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true |
| 36 | env MALLOC_OPTIONS="$m" ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true | ||
| 37 | if [ $? -ne 0 ]; then | 32 | if [ $? -ne 0 ]; then |
| 38 | fail "ssh privsep/sandbox+proxyconnect protocol $p mopt '$m' failed" | 33 | fail "ssh privsep/sandbox+proxyconnect mopt '$m' failed" |
| 39 | fi | 34 | fi |
| 40 | done | ||
| 41 | done | 35 | done |
diff --git a/regress/connect.sh b/regress/connect.sh index f0d55d343..1b344b603 100644 --- a/regress/connect.sh +++ b/regress/connect.sh | |||
| @@ -1,13 +1,11 @@ | |||
| 1 | # $OpenBSD: connect.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: connect.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="simple connect" | 4 | tid="simple connect" |
| 5 | 5 | ||
| 6 | start_sshd | 6 | start_sshd |
| 7 | 7 | ||
| 8 | for p in ${SSH_PROTOCOLS}; do | 8 | ${SSH} -F $OBJ/ssh_config somehost true |
| 9 | ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true | 9 | if [ $? -ne 0 ]; then |
| 10 | if [ $? -ne 0 ]; then | 10 | fail "ssh connect with failed" |
| 11 | fail "ssh connect with protocol $p failed" | 11 | fi |
| 12 | fi | ||
| 13 | done | ||
diff --git a/regress/dhgex.sh b/regress/dhgex.sh index e7c573397..61fc178e8 100644 --- a/regress/dhgex.sh +++ b/regress/dhgex.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: dhgex.sh,v 1.3 2015/10/23 02:22:01 dtucker Exp $ | 1 | # $OpenBSD: dhgex.sh,v 1.4 2017/05/08 01:52:49 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="dhgex" | 4 | tid="dhgex" |
| @@ -54,7 +54,6 @@ check() | |||
| 54 | 54 | ||
| 55 | #check 2048 3des-cbc | 55 | #check 2048 3des-cbc |
| 56 | check 3072 `${SSH} -Q cipher | grep 128` | 56 | check 3072 `${SSH} -Q cipher | grep 128` |
| 57 | check 3072 arcfour blowfish-cbc | ||
| 58 | check 7680 `${SSH} -Q cipher | grep 192` | 57 | check 7680 `${SSH} -Q cipher | grep 192` |
| 59 | check 8192 `${SSH} -Q cipher | grep 256` | 58 | check 8192 `${SSH} -Q cipher | grep 256` |
| 60 | check 8192 rijndael-cbc@lysator.liu.se chacha20-poly1305@openssh.com | 59 | check 8192 rijndael-cbc@lysator.liu.se chacha20-poly1305@openssh.com |
diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh index dd67c9639..84f8ee192 100644 --- a/regress/dynamic-forward.sh +++ b/regress/dynamic-forward.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: dynamic-forward.sh,v 1.11 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: dynamic-forward.sh,v 1.13 2017/09/21 19:18:12 markus Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="dynamic forwarding" | 4 | tid="dynamic forwarding" |
| @@ -17,33 +17,34 @@ trace "will use ProxyCommand $proxycmd" | |||
| 17 | 17 | ||
| 18 | start_sshd | 18 | start_sshd |
| 19 | 19 | ||
| 20 | for p in ${SSH_PROTOCOLS}; do | 20 | for d in D R; do |
| 21 | n=0 | 21 | n=0 |
| 22 | error="1" | 22 | error="1" |
| 23 | trace "start dynamic forwarding, fork to background" | 23 | trace "start dynamic forwarding, fork to background" |
| 24 | |||
| 24 | while [ "$error" -ne 0 -a "$n" -lt 3 ]; do | 25 | while [ "$error" -ne 0 -a "$n" -lt 3 ]; do |
| 25 | n=`expr $n + 1` | 26 | n=`expr $n + 1` |
| 26 | ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \ | 27 | ${SSH} -F $OBJ/ssh_config -f -$d $FWDPORT -q \ |
| 27 | -oExitOnForwardFailure=yes somehost exec sh -c \ | 28 | -oExitOnForwardFailure=yes somehost exec sh -c \ |
| 28 | \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' | 29 | \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' |
| 29 | error=$? | 30 | error=$? |
| 30 | if [ "$error" -ne 0 ]; then | 31 | if [ "$error" -ne 0 ]; then |
| 31 | trace "forward failed proto $p attempt $n err $error" | 32 | trace "forward failed attempt $n err $error" |
| 32 | sleep $n | 33 | sleep $n |
| 33 | fi | 34 | fi |
| 34 | done | 35 | done |
| 35 | if [ "$error" -ne 0 ]; then | 36 | if [ "$error" -ne 0 ]; then |
| 36 | fatal "failed to start dynamic forwarding proto $p" | 37 | fatal "failed to start dynamic forwarding" |
| 37 | fi | 38 | fi |
| 38 | 39 | ||
| 39 | for s in 4 5; do | 40 | for s in 4 5; do |
| 40 | for h in 127.0.0.1 localhost; do | 41 | for h in 127.0.0.1 localhost; do |
| 41 | trace "testing ssh protocol $p socks version $s host $h" | 42 | trace "testing ssh socks version $s host $h (-$d)" |
| 42 | ${SSH} -F $OBJ/ssh_config \ | 43 | ${SSH} -F $OBJ/ssh_config \ |
| 43 | -o "ProxyCommand ${proxycmd}${s} $h $PORT" \ | 44 | -o "ProxyCommand ${proxycmd}${s} $h $PORT" \ |
| 44 | somehost cat $DATA > $OBJ/ls.copy | 45 | somehost cat ${DATA} > ${COPY} |
| 45 | test -f $OBJ/ls.copy || fail "failed copy $DATA" | 46 | test -f ${COPY} || fail "failed copy ${DATA}" |
| 46 | cmp $DATA $OBJ/ls.copy || fail "corrupted copy of $DATA" | 47 | cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" |
| 47 | done | 48 | done |
| 48 | done | 49 | done |
| 49 | 50 | ||
| @@ -56,4 +57,5 @@ for p in ${SSH_PROTOCOLS}; do | |||
| 56 | else | 57 | else |
| 57 | fail "no pid file: $OBJ/remote_pid" | 58 | fail "no pid file: $OBJ/remote_pid" |
| 58 | fi | 59 | fi |
| 60 | |||
| 59 | done | 61 | done |
diff --git a/regress/exit-status.sh b/regress/exit-status.sh index 397d8d732..aadf99fb3 100644 --- a/regress/exit-status.sh +++ b/regress/exit-status.sh | |||
| @@ -1,24 +1,22 @@ | |||
| 1 | # $OpenBSD: exit-status.sh,v 1.7 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: exit-status.sh,v 1.8 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="remote exit status" | 4 | tid="remote exit status" |
| 5 | 5 | ||
| 6 | for p in ${SSH_PROTOCOLS}; do | 6 | for s in 0 1 4 5 44; do |
| 7 | for s in 0 1 4 5 44; do | 7 | trace "status $s" |
| 8 | trace "proto $p status $s" | 8 | verbose "test $tid: status $s" |
| 9 | verbose "test $tid: proto $p status $s" | 9 | ${SSH} -F $OBJ/ssh_proxy otherhost exit $s |
| 10 | ${SSH} -$p -F $OBJ/ssh_proxy otherhost exit $s | 10 | r=$? |
| 11 | r=$? | 11 | if [ $r -ne $s ]; then |
| 12 | if [ $r -ne $s ]; then | 12 | fail "exit code mismatch for: $r != $s" |
| 13 | fail "exit code mismatch for protocol $p: $r != $s" | 13 | fi |
| 14 | fi | ||
| 15 | 14 | ||
| 16 | # same with early close of stdout/err | 15 | # same with early close of stdout/err |
| 17 | ${SSH} -$p -F $OBJ/ssh_proxy -n otherhost \ | 16 | ${SSH} -F $OBJ/ssh_proxy -n otherhost exec \ |
| 18 | exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\' | 17 | sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\' |
| 19 | r=$? | 18 | r=$? |
| 20 | if [ $r -ne $s ]; then | 19 | if [ $r -ne $s ]; then |
| 21 | fail "exit code (with sleep) mismatch for protocol $p: $r != $s" | 20 | fail "exit code (with sleep) mismatch for: $r != $s" |
| 22 | fi | 21 | fi |
| 23 | done | ||
| 24 | done | 22 | done |
diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh index 8a9b090ea..e059f1fdb 100644 --- a/regress/forcecommand.sh +++ b/regress/forcecommand.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: forcecommand.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: forcecommand.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="forced command" | 4 | tid="forced command" |
| @@ -11,11 +11,8 @@ for t in ${SSH_KEYTYPES}; do | |||
| 11 | cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER | 11 | cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER |
| 12 | done | 12 | done |
| 13 | 13 | ||
| 14 | for p in ${SSH_PROTOCOLS}; do | 14 | trace "forced command in key option" |
| 15 | trace "forced command in key option proto $p" | 15 | ${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key" |
| 16 | ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ || | ||
| 17 | fail "forced command in key proto $p" | ||
| 18 | done | ||
| 19 | 16 | ||
| 20 | cp /dev/null $OBJ/authorized_keys_$USER | 17 | cp /dev/null $OBJ/authorized_keys_$USER |
| 21 | for t in ${SSH_KEYTYPES}; do | 18 | for t in ${SSH_KEYTYPES}; do |
| @@ -26,19 +23,13 @@ done | |||
| 26 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy | 23 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy |
| 27 | echo "ForceCommand true" >> $OBJ/sshd_proxy | 24 | echo "ForceCommand true" >> $OBJ/sshd_proxy |
| 28 | 25 | ||
| 29 | for p in ${SSH_PROTOCOLS}; do | 26 | trace "forced command in sshd_config overrides key option" |
| 30 | trace "forced command in sshd_config overrides key option proto $p" | 27 | ${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key" |
| 31 | ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ || | ||
| 32 | fail "forced command in key proto $p" | ||
| 33 | done | ||
| 34 | 28 | ||
| 35 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy | 29 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy |
| 36 | echo "ForceCommand false" >> $OBJ/sshd_proxy | 30 | echo "ForceCommand false" >> $OBJ/sshd_proxy |
| 37 | echo "Match User $USER" >> $OBJ/sshd_proxy | 31 | echo "Match User $USER" >> $OBJ/sshd_proxy |
| 38 | echo " ForceCommand true" >> $OBJ/sshd_proxy | 32 | echo " ForceCommand true" >> $OBJ/sshd_proxy |
| 39 | 33 | ||
| 40 | for p in ${SSH_PROTOCOLS}; do | 34 | trace "forced command with match" |
| 41 | trace "forced command with match proto $p" | 35 | ${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key" |
| 42 | ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ || | ||
| 43 | fail "forced command in key proto $p" | ||
| 44 | done | ||
diff --git a/regress/forward-control.sh b/regress/forward-control.sh index 91957098f..2e9dbb53a 100644 --- a/regress/forward-control.sh +++ b/regress/forward-control.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: forward-control.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: forward-control.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="sshd control of local and remote forwarding" | 4 | tid="sshd control of local and remote forwarding" |
| @@ -32,13 +32,12 @@ wait_for_process_to_exit() { | |||
| 32 | return 0 | 32 | return 0 |
| 33 | } | 33 | } |
| 34 | 34 | ||
| 35 | # usage: check_lfwd protocol Y|N message | 35 | # usage: check_lfwd Y|N message |
| 36 | check_lfwd() { | 36 | check_lfwd() { |
| 37 | _proto=$1 | 37 | _expected=$1 |
| 38 | _expected=$2 | 38 | _message=$2 |
| 39 | _message=$3 | ||
| 40 | rm -f $READY | 39 | rm -f $READY |
| 41 | ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \ | 40 | ${SSH} -F $OBJ/ssh_proxy \ |
| 42 | -L$LFWD_PORT:127.0.0.1:$PORT \ | 41 | -L$LFWD_PORT:127.0.0.1:$PORT \ |
| 43 | -o ExitOnForwardFailure=yes \ | 42 | -o ExitOnForwardFailure=yes \ |
| 44 | -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ | 43 | -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ |
| @@ -62,13 +61,12 @@ check_lfwd() { | |||
| 62 | fi | 61 | fi |
| 63 | } | 62 | } |
| 64 | 63 | ||
| 65 | # usage: check_rfwd protocol Y|N message | 64 | # usage: check_rfwd Y|N message |
| 66 | check_rfwd() { | 65 | check_rfwd() { |
| 67 | _proto=$1 | 66 | _expected=$1 |
| 68 | _expected=$2 | 67 | _message=$2 |
| 69 | _message=$3 | ||
| 70 | rm -f $READY | 68 | rm -f $READY |
| 71 | ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \ | 69 | ${SSH} -F $OBJ/ssh_proxy \ |
| 72 | -R$RFWD_PORT:127.0.0.1:$PORT \ | 70 | -R$RFWD_PORT:127.0.0.1:$PORT \ |
| 73 | -o ExitOnForwardFailure=yes \ | 71 | -o ExitOnForwardFailure=yes \ |
| 74 | -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ | 72 | -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ |
| @@ -99,10 +97,8 @@ cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak | |||
| 99 | cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak | 97 | cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak |
| 100 | 98 | ||
| 101 | # Sanity check: ensure the default config allows forwarding | 99 | # Sanity check: ensure the default config allows forwarding |
| 102 | for p in ${SSH_PROTOCOLS} ; do | 100 | check_lfwd Y "default configuration" |
| 103 | check_lfwd $p Y "proto $p, default configuration" | 101 | check_rfwd Y "default configuration" |
| 104 | check_rfwd $p Y "proto $p, default configuration" | ||
| 105 | done | ||
| 106 | 102 | ||
| 107 | # Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N | 103 | # Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N |
| 108 | all_tests() { | 104 | all_tests() { |
| @@ -115,49 +111,46 @@ all_tests() { | |||
| 115 | _permit_rfwd=$7 | 111 | _permit_rfwd=$7 |
| 116 | _badfwd=127.0.0.1:22 | 112 | _badfwd=127.0.0.1:22 |
| 117 | _goodfwd=127.0.0.1:${PORT} | 113 | _goodfwd=127.0.0.1:${PORT} |
| 118 | for _proto in ${SSH_PROTOCOLS} ; do | 114 | cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER} |
| 119 | cp ${OBJ}/authorized_keys_${USER}.bak \ | 115 | _prefix="AllowTcpForwarding=$_tcpfwd" |
| 120 | ${OBJ}/authorized_keys_${USER} | 116 | # No PermitOpen |
| 121 | _prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd" | 117 | ( cat ${OBJ}/sshd_proxy.bak ; |
| 122 | # No PermitOpen | 118 | echo "AllowTcpForwarding $_tcpfwd" ) \ |
| 123 | ( cat ${OBJ}/sshd_proxy.bak ; | 119 | > ${OBJ}/sshd_proxy |
| 124 | echo "AllowTcpForwarding $_tcpfwd" ) \ | 120 | check_lfwd $_plain_lfwd "$_prefix" |
| 125 | > ${OBJ}/sshd_proxy | 121 | check_rfwd $_plain_rfwd "$_prefix" |
| 126 | check_lfwd $_proto $_plain_lfwd "$_prefix" | 122 | # PermitOpen via sshd_config that doesn't match |
| 127 | check_rfwd $_proto $_plain_rfwd "$_prefix" | 123 | ( cat ${OBJ}/sshd_proxy.bak ; |
| 128 | # PermitOpen via sshd_config that doesn't match | 124 | echo "AllowTcpForwarding $_tcpfwd" ; |
| 129 | ( cat ${OBJ}/sshd_proxy.bak ; | 125 | echo "PermitOpen $_badfwd" ) \ |
| 130 | echo "AllowTcpForwarding $_tcpfwd" ; | 126 | > ${OBJ}/sshd_proxy |
| 131 | echo "PermitOpen $_badfwd" ) \ | 127 | check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen" |
| 132 | > ${OBJ}/sshd_proxy | 128 | check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen" |
| 133 | check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen" | 129 | # PermitOpen via sshd_config that does match |
| 134 | check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen" | 130 | ( cat ${OBJ}/sshd_proxy.bak ; |
| 135 | # PermitOpen via sshd_config that does match | 131 | echo "AllowTcpForwarding $_tcpfwd" ; |
| 136 | ( cat ${OBJ}/sshd_proxy.bak ; | 132 | echo "PermitOpen $_badfwd $_goodfwd" ) \ |
| 137 | echo "AllowTcpForwarding $_tcpfwd" ; | 133 | > ${OBJ}/sshd_proxy |
| 138 | echo "PermitOpen $_badfwd $_goodfwd" ) \ | 134 | # NB. permitopen via authorized_keys should have same |
| 139 | > ${OBJ}/sshd_proxy | 135 | # success/fail as via sshd_config |
| 140 | # NB. permitopen via authorized_keys should have same | 136 | # permitopen via authorized_keys that doesn't match |
| 141 | # success/fail as via sshd_config | 137 | sed "s/^/permitopen=\"$_badfwd\" /" \ |
| 142 | # permitopen via authorized_keys that doesn't match | 138 | < ${OBJ}/authorized_keys_${USER}.bak \ |
| 143 | sed "s/^/permitopen=\"$_badfwd\" /" \ | 139 | > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" |
| 144 | < ${OBJ}/authorized_keys_${USER}.bak \ | 140 | ( cat ${OBJ}/sshd_proxy.bak ; |
| 145 | > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" | 141 | echo "AllowTcpForwarding $_tcpfwd" ) \ |
| 146 | ( cat ${OBJ}/sshd_proxy.bak ; | 142 | > ${OBJ}/sshd_proxy |
| 147 | echo "AllowTcpForwarding $_tcpfwd" ) \ | 143 | check_lfwd $_nopermit_lfwd "$_prefix, !permitopen" |
| 148 | > ${OBJ}/sshd_proxy | 144 | check_rfwd $_nopermit_rfwd "$_prefix, !permitopen" |
| 149 | check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen" | 145 | # permitopen via authorized_keys that does match |
| 150 | check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen" | 146 | sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \ |
| 151 | # permitopen via authorized_keys that does match | 147 | < ${OBJ}/authorized_keys_${USER}.bak \ |
| 152 | sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \ | 148 | > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" |
| 153 | < ${OBJ}/authorized_keys_${USER}.bak \ | 149 | ( cat ${OBJ}/sshd_proxy.bak ; |
| 154 | > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" | 150 | echo "AllowTcpForwarding $_tcpfwd" ) \ |
| 155 | ( cat ${OBJ}/sshd_proxy.bak ; | 151 | > ${OBJ}/sshd_proxy |
| 156 | echo "AllowTcpForwarding $_tcpfwd" ) \ | 152 | check_lfwd $_permit_lfwd "$_prefix, permitopen" |
| 157 | > ${OBJ}/sshd_proxy | 153 | check_rfwd $_permit_rfwd "$_prefix, permitopen" |
| 158 | check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen" | ||
| 159 | check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen" | ||
| 160 | done | ||
| 161 | } | 154 | } |
| 162 | 155 | ||
| 163 | # no-permitopen mismatch-permitopen match-permitopen | 156 | # no-permitopen mismatch-permitopen match-permitopen |
diff --git a/regress/forwarding.sh b/regress/forwarding.sh index 45c596d7d..39fccba73 100644 --- a/regress/forwarding.sh +++ b/regress/forwarding.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: forwarding.sh,v 1.19 2017/01/30 05:22:14 djm Exp $ | 1 | # $OpenBSD: forwarding.sh,v 1.20 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="local and remote forwarding" | 4 | tid="local and remote forwarding" |
| @@ -22,30 +22,24 @@ for j in 0 1 2; do | |||
| 22 | last=$a | 22 | last=$a |
| 23 | done | 23 | done |
| 24 | done | 24 | done |
| 25 | for p in ${SSH_PROTOCOLS}; do | ||
| 26 | q=`expr 3 - $p` | ||
| 27 | if ! ssh_version $q; then | ||
| 28 | q=$p | ||
| 29 | fi | ||
| 30 | trace "start forwarding, fork to background" | ||
| 31 | rm -f $CTL | ||
| 32 | ${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10 | ||
| 33 | 25 | ||
| 34 | trace "transfer over forwarded channels and check result" | 26 | trace "start forwarding, fork to background" |
| 35 | ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \ | 27 | rm -f $CTL |
| 36 | somehost cat ${DATA} > ${COPY} | 28 | ${SSH} -S $CTL -M -F $OBJ/ssh_config -f $fwd somehost sleep 10 |
| 37 | test -s ${COPY} || fail "failed copy of ${DATA}" | ||
| 38 | cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" | ||
| 39 | 29 | ||
| 40 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost | 30 | trace "transfer over forwarded channels and check result" |
| 41 | done | 31 | ${SSH} -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \ |
| 32 | somehost cat ${DATA} > ${COPY} | ||
| 33 | test -s ${COPY} || fail "failed copy of ${DATA}" | ||
| 34 | cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" | ||
| 35 | |||
| 36 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost | ||
| 42 | 37 | ||
| 43 | for p in ${SSH_PROTOCOLS}; do | ||
| 44 | for d in L R; do | 38 | for d in L R; do |
| 45 | trace "exit on -$d forward failure, proto $p" | 39 | trace "exit on -$d forward failure" |
| 46 | 40 | ||
| 47 | # this one should succeed | 41 | # this one should succeed |
| 48 | ${SSH} -$p -F $OBJ/ssh_config \ | 42 | ${SSH} -F $OBJ/ssh_config \ |
| 49 | -$d ${base}01:127.0.0.1:$PORT \ | 43 | -$d ${base}01:127.0.0.1:$PORT \ |
| 50 | -$d ${base}02:127.0.0.1:$PORT \ | 44 | -$d ${base}02:127.0.0.1:$PORT \ |
| 51 | -$d ${base}03:127.0.0.1:$PORT \ | 45 | -$d ${base}03:127.0.0.1:$PORT \ |
| @@ -55,7 +49,7 @@ for d in L R; do | |||
| 55 | fatal "connection failed, should not" | 49 | fatal "connection failed, should not" |
| 56 | else | 50 | else |
| 57 | # this one should fail | 51 | # this one should fail |
| 58 | ${SSH} -q -$p -F $OBJ/ssh_config \ | 52 | ${SSH} -q -F $OBJ/ssh_config \ |
| 59 | -$d ${base}01:127.0.0.1:$PORT \ | 53 | -$d ${base}01:127.0.0.1:$PORT \ |
| 60 | -$d ${base}02:127.0.0.1:$PORT \ | 54 | -$d ${base}02:127.0.0.1:$PORT \ |
| 61 | -$d ${base}03:127.0.0.1:$PORT \ | 55 | -$d ${base}03:127.0.0.1:$PORT \ |
| @@ -68,82 +62,74 @@ for d in L R; do | |||
| 68 | fi | 62 | fi |
| 69 | fi | 63 | fi |
| 70 | done | 64 | done |
| 71 | done | ||
| 72 | 65 | ||
| 73 | for p in ${SSH_PROTOCOLS}; do | 66 | trace "simple clear forwarding" |
| 74 | trace "simple clear forwarding proto $p" | 67 | ${SSH} -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true |
| 75 | ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true | 68 | |
| 76 | 69 | trace "clear local forward" | |
| 77 | trace "clear local forward proto $p" | 70 | rm -f $CTL |
| 78 | rm -f $CTL | 71 | ${SSH} -S $CTL -M -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \ |
| 79 | ${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \ | 72 | -oClearAllForwardings=yes somehost sleep 10 |
| 80 | -oClearAllForwardings=yes somehost sleep 10 | 73 | if [ $? != 0 ]; then |
| 81 | if [ $? != 0 ]; then | 74 | fail "connection failed with cleared local forwarding" |
| 82 | fail "connection failed with cleared local forwarding" | 75 | else |
| 83 | else | 76 | # this one should fail |
| 84 | # this one should fail | 77 | ${SSH} -F $OBJ/ssh_config -p ${base}01 somehost true \ |
| 85 | ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 somehost true \ | 78 | >>$TEST_REGRESS_LOGFILE 2>&1 && \ |
| 86 | >>$TEST_REGRESS_LOGFILE 2>&1 && \ | 79 | fail "local forwarding not cleared" |
| 87 | fail "local forwarding not cleared" | 80 | fi |
| 88 | fi | 81 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost |
| 89 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost | 82 | |
| 90 | 83 | trace "clear remote forward" | |
| 91 | trace "clear remote forward proto $p" | 84 | rm -f $CTL |
| 92 | rm -f $CTL | 85 | ${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \ |
| 93 | ${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \ | 86 | -oClearAllForwardings=yes somehost sleep 10 |
| 94 | -oClearAllForwardings=yes somehost sleep 10 | 87 | if [ $? != 0 ]; then |
| 95 | if [ $? != 0 ]; then | 88 | fail "connection failed with cleared remote forwarding" |
| 96 | fail "connection failed with cleared remote forwarding" | 89 | else |
| 97 | else | 90 | # this one should fail |
| 98 | # this one should fail | 91 | ${SSH} -F $OBJ/ssh_config -p ${base}01 somehost true \ |
| 99 | ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 somehost true \ | 92 | >>$TEST_REGRESS_LOGFILE 2>&1 && \ |
| 100 | >>$TEST_REGRESS_LOGFILE 2>&1 && \ | 93 | fail "remote forwarding not cleared" |
| 101 | fail "remote forwarding not cleared" | 94 | fi |
| 102 | fi | 95 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost |
| 103 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost | 96 | |
| 104 | done | 97 | trace "stdio forwarding" |
| 105 | 98 | cmd="${SSH} -F $OBJ/ssh_config" | |
| 106 | for p in 2; do | 99 | $cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" somehost true |
| 107 | trace "stdio forwarding proto $p" | 100 | if [ $? != 0 ]; then |
| 108 | cmd="${SSH} -$p -F $OBJ/ssh_config" | 101 | fail "stdio forwarding" |
| 109 | $cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" \ | 102 | fi |
| 110 | somehost true | ||
| 111 | if [ $? != 0 ]; then | ||
| 112 | fail "stdio forwarding proto $p" | ||
| 113 | fi | ||
| 114 | done | ||
| 115 | 103 | ||
| 116 | echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config | 104 | echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config |
| 117 | echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config | 105 | echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config |
| 118 | for p in ${SSH_PROTOCOLS}; do | ||
| 119 | trace "config file: start forwarding, fork to background" | ||
| 120 | rm -f $CTL | ||
| 121 | ${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f somehost sleep 10 | ||
| 122 | |||
| 123 | trace "config file: transfer over forwarded channels and check result" | ||
| 124 | ${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \ | ||
| 125 | somehost cat ${DATA} > ${COPY} | ||
| 126 | test -s ${COPY} || fail "failed copy of ${DATA}" | ||
| 127 | cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" | ||
| 128 | |||
| 129 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost | ||
| 130 | done | ||
| 131 | 106 | ||
| 132 | for p in 2; do | 107 | trace "config file: start forwarding, fork to background" |
| 133 | trace "transfer over chained unix domain socket forwards and check result" | 108 | rm -f $CTL |
| 134 | rm -f $OBJ/unix-[123].fwd | 109 | ${SSH} -S $CTL -M -F $OBJ/ssh_config -f somehost sleep 10 |
| 135 | rm -f $CTL $CTL.[123] | 110 | |
| 136 | ${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10 | 111 | trace "config file: transfer over forwarded channels and check result" |
| 137 | ${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10 | 112 | ${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \ |
| 138 | ${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10 | 113 | somehost cat ${DATA} > ${COPY} |
| 139 | ${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10 | 114 | test -s ${COPY} || fail "failed copy of ${DATA}" |
| 140 | ${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \ | 115 | cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" |
| 141 | somehost cat ${DATA} > ${COPY} | 116 | |
| 142 | test -s ${COPY} || fail "failed copy ${DATA}" | 117 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost |
| 143 | cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" | 118 | |
| 144 | 119 | trace "transfer over chained unix domain socket forwards and check result" | |
| 145 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost | 120 | rm -f $OBJ/unix-[123].fwd |
| 146 | ${SSH} -F $OBJ/ssh_config -S $CTL.1 -O exit somehost | 121 | rm -f $CTL $CTL.[123] |
| 147 | ${SSH} -F $OBJ/ssh_config -S $CTL.2 -O exit somehost | 122 | ${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10 |
| 148 | ${SSH} -F $OBJ/ssh_config -S $CTL.3 -O exit somehost | 123 | ${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10 |
| 149 | done | 124 | ${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10 |
| 125 | ${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10 | ||
| 126 | ${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \ | ||
| 127 | somehost cat ${DATA} > ${COPY} | ||
| 128 | test -s ${COPY} || fail "failed copy ${DATA}" | ||
| 129 | cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" | ||
| 130 | |||
| 131 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost | ||
| 132 | ${SSH} -F $OBJ/ssh_config -S $CTL.1 -O exit somehost | ||
| 133 | ${SSH} -F $OBJ/ssh_config -S $CTL.2 -O exit somehost | ||
| 134 | ${SSH} -F $OBJ/ssh_config -S $CTL.3 -O exit somehost | ||
| 135 | |||
diff --git a/regress/host-expand.sh b/regress/host-expand.sh index 2a95bfe1b..9444f7fb6 100644 --- a/regress/host-expand.sh +++ b/regress/host-expand.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: host-expand.sh,v 1.4 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: host-expand.sh,v 1.5 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="expand %h and %n" | 4 | tid="expand %h and %n" |
| @@ -11,9 +11,6 @@ somehost | |||
| 11 | 127.0.0.1 | 11 | 127.0.0.1 |
| 12 | EOE | 12 | EOE |
| 13 | 13 | ||
| 14 | for p in ${SSH_PROTOCOLS}; do | 14 | ${SSH} -F $OBJ/ssh_proxy somehost true >$OBJ/actual |
| 15 | verbose "test $tid: proto $p" | 15 | diff $OBJ/expect $OBJ/actual || fail "$tid" |
| 16 | ${SSH} -F $OBJ/ssh_proxy -$p somehost true >$OBJ/actual | ||
| 17 | diff $OBJ/expect $OBJ/actual || fail "$tid proto $p" | ||
| 18 | done | ||
| 19 | 16 | ||
diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh index 094700da6..811b6b9ab 100644 --- a/regress/hostkey-agent.sh +++ b/regress/hostkey-agent.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: hostkey-agent.sh,v 1.6 2015/07/10 06:23:25 markus Exp $ | 1 | # $OpenBSD: hostkey-agent.sh,v 1.7 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="hostkey agent" | 4 | tid="hostkey agent" |
| @@ -40,7 +40,7 @@ for ps in no yes; do | |||
| 40 | cp $OBJ/known_hosts.orig $OBJ/known_hosts | 40 | cp $OBJ/known_hosts.orig $OBJ/known_hosts |
| 41 | SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'` | 41 | SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'` |
| 42 | if [ $? -ne 0 ]; then | 42 | if [ $? -ne 0 ]; then |
| 43 | fail "protocol $p privsep=$ps failed" | 43 | fail "privsep=$ps failed" |
| 44 | fi | 44 | fi |
| 45 | if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then | 45 | if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then |
| 46 | fail "bad SSH_CONNECTION key type $k privsep=$ps" | 46 | fail "bad SSH_CONNECTION key type $k privsep=$ps" |
diff --git a/regress/integrity.sh b/regress/integrity.sh index 1df2924f5..3eda40f0a 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: integrity.sh,v 1.20 2017/01/06 02:26:10 dtucker Exp $ | 1 | # $OpenBSD: integrity.sh,v 1.23 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="integrity" | 4 | tid="integrity" |
| @@ -46,7 +46,7 @@ for m in $macs; do | |||
| 46 | macopt="-m $m -c aes128-ctr" | 46 | macopt="-m $m -c aes128-ctr" |
| 47 | fi | 47 | fi |
| 48 | verbose "test $tid: $m @$off" | 48 | verbose "test $tid: $m @$off" |
| 49 | ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ | 49 | ${SSH} $macopt -F $OBJ/ssh_proxy -o "$pxy" \ |
| 50 | -oServerAliveInterval=1 -oServerAliveCountMax=30 \ | 50 | -oServerAliveInterval=1 -oServerAliveCountMax=30 \ |
| 51 | 999.999.999.999 'printf "%4096s" " "' >/dev/null | 51 | 999.999.999.999 'printf "%4096s" " "' >/dev/null |
| 52 | if [ $? -eq 0 ]; then | 52 | if [ $? -eq 0 ]; then |
| @@ -60,14 +60,16 @@ for m in $macs; do | |||
| 60 | Corrupted?MAC* | *message?authentication?code?incorrect*) | 60 | Corrupted?MAC* | *message?authentication?code?incorrect*) |
| 61 | emac=`expr $emac + 1`; skip=0;; | 61 | emac=`expr $emac + 1`; skip=0;; |
| 62 | padding*) epad=`expr $epad + 1`; skip=0;; | 62 | padding*) epad=`expr $epad + 1`; skip=0;; |
| 63 | *Timeout,?server*) | ||
| 64 | etmo=`expr $etmo + 1`; skip=0;; | ||
| 63 | *) fail "unexpected error mac $m at $off: $out";; | 65 | *) fail "unexpected error mac $m at $off: $out";; |
| 64 | esac | 66 | esac |
| 65 | done | 67 | done |
| 66 | verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen" | 68 | verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen timeout $etmo" |
| 67 | if [ $emac -eq 0 ]; then | 69 | if [ $emac -eq 0 ]; then |
| 68 | fail "$m: no mac errors" | 70 | fail "$m: no mac errors" |
| 69 | fi | 71 | fi |
| 70 | expect=`expr $ecnt - $epad - $elen` | 72 | expect=`expr $ecnt - $epad - $elen - $etmo` |
| 71 | if [ $emac -ne $expect ]; then | 73 | if [ $emac -ne $expect ]; then |
| 72 | fail "$m: expected $expect mac errors, got $emac" | 74 | fail "$m: expected $expect mac errors, got $emac" |
| 73 | fi | 75 | fi |
diff --git a/regress/key-options.sh b/regress/key-options.sh index 7a68ad358..2adee6833 100644 --- a/regress/key-options.sh +++ b/regress/key-options.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: key-options.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: key-options.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="key options" | 4 | tid="key options" |
| @@ -8,64 +8,56 @@ authkeys="$OBJ/authorized_keys_${USER}" | |||
| 8 | cp $authkeys $origkeys | 8 | cp $authkeys $origkeys |
| 9 | 9 | ||
| 10 | # Test command= forced command | 10 | # Test command= forced command |
| 11 | for p in ${SSH_PROTOCOLS}; do | 11 | for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do |
| 12 | for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do | ||
| 13 | sed "s/.*/$c &/" $origkeys >$authkeys | 12 | sed "s/.*/$c &/" $origkeys >$authkeys |
| 14 | verbose "key option proto $p $c" | 13 | verbose "key option $c" |
| 15 | r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost echo foo` | 14 | r=`${SSH} -q -F $OBJ/ssh_proxy somehost echo foo` |
| 16 | if [ "$r" = "foo" ]; then | 15 | if [ "$r" = "foo" ]; then |
| 17 | fail "key option forced command not restricted" | 16 | fail "key option forced command not restricted" |
| 18 | fi | 17 | fi |
| 19 | if [ "$r" != "bar" ]; then | 18 | if [ "$r" != "bar" ]; then |
| 20 | fail "key option forced command not executed" | 19 | fail "key option forced command not executed" |
| 21 | fi | 20 | fi |
| 22 | done | ||
| 23 | done | 21 | done |
| 24 | 22 | ||
| 25 | # Test no-pty | 23 | # Test no-pty |
| 26 | sed 's/.*/no-pty &/' $origkeys >$authkeys | 24 | sed 's/.*/no-pty &/' $origkeys >$authkeys |
| 27 | for p in ${SSH_PROTOCOLS}; do | 25 | verbose "key option proto no-pty" |
| 28 | verbose "key option proto $p no-pty" | 26 | r=`${SSH} -q -F $OBJ/ssh_proxy somehost tty` |
| 29 | r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost tty` | 27 | if [ -f "$r" ]; then |
| 30 | if [ -f "$r" ]; then | 28 | fail "key option failed no-pty (pty $r)" |
| 31 | fail "key option failed proto $p no-pty (pty $r)" | 29 | fi |
| 32 | fi | ||
| 33 | done | ||
| 34 | 30 | ||
| 35 | # Test environment= | 31 | # Test environment= |
| 36 | echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy | 32 | echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy |
| 37 | sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys | 33 | sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys |
| 38 | for p in ${SSH_PROTOCOLS}; do | 34 | verbose "key option environment" |
| 39 | verbose "key option proto $p environment" | 35 | r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo $FOO'` |
| 40 | r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo $FOO'` | 36 | if [ "$r" != "bar" ]; then |
| 41 | if [ "$r" != "bar" ]; then | 37 | fail "key option environment not set" |
| 42 | fail "key option environment not set" | 38 | fi |
| 43 | fi | ||
| 44 | done | ||
| 45 | 39 | ||
| 46 | # Test from= restriction | 40 | # Test from= restriction |
| 47 | start_sshd | 41 | start_sshd |
| 48 | for p in ${SSH_PROTOCOLS}; do | 42 | for f in 127.0.0.1 '127.0.0.0\/8'; do |
| 49 | for f in 127.0.0.1 '127.0.0.0\/8'; do | ||
| 50 | cat $origkeys >$authkeys | 43 | cat $origkeys >$authkeys |
| 51 | ${SSH} -$p -q -F $OBJ/ssh_proxy somehost true | 44 | ${SSH} -q -F $OBJ/ssh_proxy somehost true |
| 52 | if [ $? -ne 0 ]; then | 45 | if [ $? -ne 0 ]; then |
| 53 | fail "key option proto $p failed without restriction" | 46 | fail "key option failed without restriction" |
| 54 | fi | 47 | fi |
| 55 | 48 | ||
| 56 | sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys | 49 | sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys |
| 57 | from=`head -1 $authkeys | cut -f1 -d ' '` | 50 | from=`head -1 $authkeys | cut -f1 -d ' '` |
| 58 | verbose "key option proto $p $from" | 51 | verbose "key option $from" |
| 59 | r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'` | 52 | r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'` |
| 60 | if [ "$r" = "true" ]; then | 53 | if [ "$r" = "true" ]; then |
| 61 | fail "key option proto $p $from not restricted" | 54 | fail "key option $from not restricted" |
| 62 | fi | 55 | fi |
| 63 | 56 | ||
| 64 | r=`${SSH} -$p -q -F $OBJ/ssh_config somehost 'echo true'` | 57 | r=`${SSH} -q -F $OBJ/ssh_config somehost 'echo true'` |
| 65 | if [ "$r" != "true" ]; then | 58 | if [ "$r" != "true" ]; then |
| 66 | fail "key option proto $p $from not allowed but should be" | 59 | fail "key option $from not allowed but should be" |
| 67 | fi | 60 | fi |
| 68 | done | ||
| 69 | done | 61 | done |
| 70 | 62 | ||
| 71 | rm -f "$origkeys" | 63 | rm -f "$origkeys" |
diff --git a/regress/keygen-change.sh b/regress/keygen-change.sh index e56185050..8b8acd52f 100644 --- a/regress/keygen-change.sh +++ b/regress/keygen-change.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: keygen-change.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: keygen-change.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="change passphrase for key" | 4 | tid="change passphrase for key" |
| @@ -7,9 +7,6 @@ S1="secret1" | |||
| 7 | S2="2secret" | 7 | S2="2secret" |
| 8 | 8 | ||
| 9 | KEYTYPES=`${SSH} -Q key-plain` | 9 | KEYTYPES=`${SSH} -Q key-plain` |
| 10 | if ssh_version 1; then | ||
| 11 | KEYTYPES="${KEYTYPES} rsa1" | ||
| 12 | fi | ||
| 13 | 10 | ||
| 14 | for t in $KEYTYPES; do | 11 | for t in $KEYTYPES; do |
| 15 | # generate user key for agent | 12 | # generate user key for agent |
diff --git a/regress/keyscan.sh b/regress/keyscan.sh index f97364b76..3bde1219a 100644 --- a/regress/keyscan.sh +++ b/regress/keyscan.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: keyscan.sh,v 1.5 2015/09/11 03:44:21 djm Exp $ | 1 | # $OpenBSD: keyscan.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="keyscan" | 4 | tid="keyscan" |
| @@ -9,10 +9,6 @@ rm -f ${OBJ}/host.dsa | |||
| 9 | start_sshd | 9 | start_sshd |
| 10 | 10 | ||
| 11 | KEYTYPES=`${SSH} -Q key-plain` | 11 | KEYTYPES=`${SSH} -Q key-plain` |
| 12 | if ssh_version 1; then | ||
| 13 | KEYTYPES="${KEYTYPES} rsa1" | ||
| 14 | fi | ||
| 15 | |||
| 16 | for t in $KEYTYPES; do | 12 | for t in $KEYTYPES; do |
| 17 | trace "keyscan type $t" | 13 | trace "keyscan type $t" |
| 18 | ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \ | 14 | ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \ |
diff --git a/regress/keytype.sh b/regress/keytype.sh index 8f697788f..88b022de4 100644 --- a/regress/keytype.sh +++ b/regress/keytype.sh | |||
| @@ -1,13 +1,8 @@ | |||
| 1 | # $OpenBSD: keytype.sh,v 1.4 2015/07/10 06:23:25 markus Exp $ | 1 | # $OpenBSD: keytype.sh,v 1.5 2017/03/20 22:08:06 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="login with different key types" | 4 | tid="login with different key types" |
| 5 | 5 | ||
| 6 | TIME=`which time 2>/dev/null` | ||
| 7 | if test ! -x "$TIME"; then | ||
| 8 | TIME="" | ||
| 9 | fi | ||
| 10 | |||
| 11 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | 6 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
| 12 | cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak | 7 | cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak |
| 13 | 8 | ||
| @@ -26,8 +21,8 @@ for kt in $ktypes; do | |||
| 26 | rm -f $OBJ/key.$kt | 21 | rm -f $OBJ/key.$kt |
| 27 | bits=`echo ${kt} | awk -F- '{print $2}'` | 22 | bits=`echo ${kt} | awk -F- '{print $2}'` |
| 28 | type=`echo ${kt} | awk -F- '{print $1}'` | 23 | type=`echo ${kt} | awk -F- '{print $1}'` |
| 29 | printf "keygen $type, $bits bits:\t" | 24 | verbose "keygen $type, $bits bits" |
| 30 | ${TIME} ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\ | 25 | ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\ |
| 31 | fail "ssh-keygen for type $type, $bits bits failed" | 26 | fail "ssh-keygen for type $type, $bits bits failed" |
| 32 | done | 27 | done |
| 33 | 28 | ||
| @@ -63,8 +58,8 @@ for ut in $ktypes; do | |||
| 63 | ) > $OBJ/known_hosts | 58 | ) > $OBJ/known_hosts |
| 64 | cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER | 59 | cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER |
| 65 | for i in $tries; do | 60 | for i in $tries; do |
| 66 | printf "userkey $ut, hostkey ${ht}:\t" | 61 | verbose "userkey $ut, hostkey ${ht}" |
| 67 | ${TIME} ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true | 62 | ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true |
| 68 | if [ $? -ne 0 ]; then | 63 | if [ $? -ne 0 ]; then |
| 69 | fail "ssh userkey $ut, hostkey $ht failed" | 64 | fail "ssh userkey $ut, hostkey $ht failed" |
| 70 | fi | 65 | fi |
diff --git a/regress/localcommand.sh b/regress/localcommand.sh index 220f19a4d..5224a16b2 100644 --- a/regress/localcommand.sh +++ b/regress/localcommand.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: localcommand.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: localcommand.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="localcommand" | 4 | tid="localcommand" |
| @@ -6,10 +6,8 @@ tid="localcommand" | |||
| 6 | echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy | 6 | echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy |
| 7 | echo 'LocalCommand echo foo' >> $OBJ/ssh_proxy | 7 | echo 'LocalCommand echo foo' >> $OBJ/ssh_proxy |
| 8 | 8 | ||
| 9 | for p in ${SSH_PROTOCOLS}; do | 9 | verbose "test $tid: proto $p localcommand" |
| 10 | verbose "test $tid: proto $p localcommand" | 10 | a=`${SSH} -F $OBJ/ssh_proxy somehost true` |
| 11 | a=`${SSH} -F $OBJ/ssh_proxy -$p somehost true` | 11 | if [ "$a" != "foo" ] ; then |
| 12 | if [ "$a" != "foo" ] ; then | 12 | fail "$tid proto $p" |
| 13 | fail "$tid proto $p" | 13 | fi |
| 14 | fi | ||
| 15 | done | ||
diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh index 12207fd99..4c2d07dc2 100644 --- a/regress/login-timeout.sh +++ b/regress/login-timeout.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: login-timeout.sh,v 1.8 2016/12/16 01:06:27 dtucker Exp $ | 1 | # $OpenBSD: login-timeout.sh,v 1.9 2017/08/07 00:53:51 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="connect after login grace timeout" | 4 | tid="connect after login grace timeout" |
| @@ -10,23 +10,9 @@ echo "LoginGraceTime 10s" >> $OBJ/sshd_config | |||
| 10 | echo "MaxStartups 1" >> $OBJ/sshd_config | 10 | echo "MaxStartups 1" >> $OBJ/sshd_config |
| 11 | start_sshd | 11 | start_sshd |
| 12 | 12 | ||
| 13 | (echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & | 13 | (echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & |
| 14 | sleep 15 | 14 | sleep 15 |
| 15 | ${SSH} -F $OBJ/ssh_config somehost true | 15 | ${SSH} -F $OBJ/ssh_config somehost true |
| 16 | if [ $? -ne 0 ]; then | 16 | if [ $? -ne 0 ]; then |
| 17 | fail "ssh connect after login grace timeout failed with privsep" | 17 | fail "ssh connect after login grace timeout failed" |
| 18 | fi | ||
| 19 | |||
| 20 | stop_sshd | ||
| 21 | |||
| 22 | trace "test login grace without privsep" | ||
| 23 | echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config | ||
| 24 | start_sshd | ||
| 25 | sleep 1 | ||
| 26 | |||
| 27 | (echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & | ||
| 28 | sleep 15 | ||
| 29 | ${SSH} -F $OBJ/ssh_config somehost true | ||
| 30 | if [ $? -ne 0 ]; then | ||
| 31 | fail "ssh connect after login grace timeout failed without privsep" | ||
| 32 | fi | 18 | fi |
diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile new file mode 100644 index 000000000..8fbfc20c6 --- /dev/null +++ b/regress/misc/fuzz-harness/Makefile | |||
| @@ -0,0 +1,22 @@ | |||
| 1 | # NB. libssh and libopenbsd-compat should be built with the same sanitizer opts. | ||
| 2 | CXX=clang++-3.9 | ||
| 3 | FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge | ||
| 4 | FUZZ_LIBS=-lFuzzer | ||
| 5 | |||
| 6 | CXXFLAGS=-O2 -g -Wall -Wextra -I ../../.. $(FUZZ_FLAGS) | ||
| 7 | LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS) | ||
| 8 | LIBS=-lssh -lopenbsd-compat -lcrypto $(FUZZ_LIBS) | ||
| 9 | |||
| 10 | all: pubkey_fuzz sig_fuzz | ||
| 11 | |||
| 12 | .cc.o: | ||
| 13 | $(CXX) $(CXXFLAGS) -c $< -o $@ | ||
| 14 | |||
| 15 | pubkey_fuzz: pubkey_fuzz.o | ||
| 16 | $(CXX) -o $@ pubkey_fuzz.o $(LDFLAGS) $(LIBS) | ||
| 17 | |||
| 18 | sig_fuzz: sig_fuzz.o | ||
| 19 | $(CXX) -o $@ sig_fuzz.o $(LDFLAGS) $(LIBS) | ||
| 20 | |||
| 21 | clean: | ||
| 22 | -rm -f *.o pubkey_fuzz sig_fuzz | ||
diff --git a/regress/misc/fuzz-harness/README b/regress/misc/fuzz-harness/README new file mode 100644 index 000000000..ae6fbe75d --- /dev/null +++ b/regress/misc/fuzz-harness/README | |||
| @@ -0,0 +1 @@ | |||
| This directory contains fuzzing harnesses for use with clang's libfuzzer. | |||
diff --git a/regress/misc/fuzz-harness/pubkey_fuzz.cc b/regress/misc/fuzz-harness/pubkey_fuzz.cc new file mode 100644 index 000000000..8bbc11093 --- /dev/null +++ b/regress/misc/fuzz-harness/pubkey_fuzz.cc | |||
| @@ -0,0 +1,18 @@ | |||
| 1 | #include <stddef.h> | ||
| 2 | #include <stdio.h> | ||
| 3 | #include <stdint.h> | ||
| 4 | |||
| 5 | extern "C" { | ||
| 6 | |||
| 7 | #include "sshkey.h" | ||
| 8 | |||
| 9 | int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) | ||
| 10 | { | ||
| 11 | struct sshkey *k = NULL; | ||
| 12 | int r = sshkey_from_blob(data, size, &k); | ||
| 13 | if (r == 0) sshkey_free(k); | ||
| 14 | return 0; | ||
| 15 | } | ||
| 16 | |||
| 17 | } // extern | ||
| 18 | |||
diff --git a/regress/misc/fuzz-harness/sig_fuzz.cc b/regress/misc/fuzz-harness/sig_fuzz.cc new file mode 100644 index 000000000..0e535b49a --- /dev/null +++ b/regress/misc/fuzz-harness/sig_fuzz.cc | |||
| @@ -0,0 +1,50 @@ | |||
| 1 | // cc_fuzz_target test for public key parsing. | ||
| 2 | |||
| 3 | #include <stddef.h> | ||
| 4 | #include <stdio.h> | ||
| 5 | #include <stdint.h> | ||
| 6 | #include <stdlib.h> | ||
| 7 | #include <string.h> | ||
| 8 | |||
| 9 | extern "C" { | ||
| 10 | |||
| 11 | #include "includes.h" | ||
| 12 | #include "sshkey.h" | ||
| 13 | #include "ssherr.h" | ||
| 14 | |||
| 15 | static struct sshkey *generate_or_die(int type, unsigned bits) { | ||
| 16 | int r; | ||
| 17 | struct sshkey *ret; | ||
| 18 | if ((r = sshkey_generate(type, bits, &ret)) != 0) { | ||
| 19 | fprintf(stderr, "generate(%d, %u): %s", type, bits, ssh_err(r)); | ||
| 20 | abort(); | ||
| 21 | } | ||
| 22 | return ret; | ||
| 23 | } | ||
| 24 | |||
| 25 | int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen) | ||
| 26 | { | ||
| 27 | #ifdef WITH_OPENSSL | ||
| 28 | static struct sshkey *rsa = generate_or_die(KEY_RSA, 2048); | ||
| 29 | static struct sshkey *dsa = generate_or_die(KEY_DSA, 1024); | ||
| 30 | static struct sshkey *ecdsa256 = generate_or_die(KEY_ECDSA, 256); | ||
| 31 | static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384); | ||
| 32 | static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521); | ||
| 33 | #endif | ||
| 34 | static struct sshkey *ed25519 = generate_or_die(KEY_ED25519, 0); | ||
| 35 | static const char *data = "If everyone started announcing his nose had " | ||
| 36 | "run away, I don’t know how it would all end"; | ||
| 37 | static const size_t dlen = strlen(data); | ||
| 38 | |||
| 39 | #ifdef WITH_OPENSSL | ||
| 40 | sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, 0); | ||
| 41 | sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, 0); | ||
| 42 | sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, 0); | ||
| 43 | sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, 0); | ||
| 44 | sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, 0); | ||
| 45 | #endif | ||
| 46 | sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, 0); | ||
| 47 | return 0; | ||
| 48 | } | ||
| 49 | |||
| 50 | } // extern | ||
diff --git a/regress/misc/kexfuzz/Makefile b/regress/misc/kexfuzz/Makefile index 3018b632f..d0aca8dfe 100644 --- a/regress/misc/kexfuzz/Makefile +++ b/regress/misc/kexfuzz/Makefile | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: Makefile,v 1.1 2016/03/04 02:30:37 djm Exp $ | 1 | # $OpenBSD: Makefile,v 1.2 2017/04/17 11:02:31 jsg Exp $ |
| 2 | 2 | ||
| 3 | .include <bsd.own.mk> | 3 | .include <bsd.own.mk> |
| 4 | .include <bsd.obj.mk> | 4 | .include <bsd.obj.mk> |
| @@ -49,7 +49,7 @@ CDIAGFLAGS+= -Wswitch | |||
| 49 | CDIAGFLAGS+= -Wtrigraphs | 49 | CDIAGFLAGS+= -Wtrigraphs |
| 50 | CDIAGFLAGS+= -Wuninitialized | 50 | CDIAGFLAGS+= -Wuninitialized |
| 51 | CDIAGFLAGS+= -Wunused | 51 | CDIAGFLAGS+= -Wunused |
| 52 | .if ${COMPILER_VERSION} == "gcc4" | 52 | .if ${COMPILER_VERSION:L} != "gcc3" |
| 53 | CDIAGFLAGS+= -Wpointer-sign | 53 | CDIAGFLAGS+= -Wpointer-sign |
| 54 | CDIAGFLAGS+= -Wold-style-definition | 54 | CDIAGFLAGS+= -Wold-style-definition |
| 55 | .endif | 55 | .endif |
diff --git a/regress/misc/kexfuzz/kexfuzz.c b/regress/misc/kexfuzz/kexfuzz.c index 67058027f..3e2c48160 100644 --- a/regress/misc/kexfuzz/kexfuzz.c +++ b/regress/misc/kexfuzz/kexfuzz.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: kexfuzz.c,v 1.3 2016/10/11 21:49:54 djm Exp $ */ | 1 | /* $OpenBSD: kexfuzz.c,v 1.4 2017/04/30 23:34:55 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Fuzz harness for KEX code | 3 | * Fuzz harness for KEX code |
| 4 | * | 4 | * |
| @@ -418,7 +418,7 @@ main(int argc, char **argv) | |||
| 418 | close(fd); | 418 | close(fd); |
| 419 | /* XXX check that it is a private key */ | 419 | /* XXX check that it is a private key */ |
| 420 | /* XXX support certificates */ | 420 | /* XXX support certificates */ |
| 421 | if (key == NULL || key->type == KEY_UNSPEC || key->type == KEY_RSA1) | 421 | if (key == NULL || key->type == KEY_UNSPEC) |
| 422 | badusage("Invalid key file (-k flag)"); | 422 | badusage("Invalid key file (-k flag)"); |
| 423 | 423 | ||
| 424 | /* Replace (fuzz) mode */ | 424 | /* Replace (fuzz) mode */ |
diff --git a/regress/multiplex.sh b/regress/multiplex.sh index acb9234d9..078a53a88 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: multiplex.sh,v 1.27 2014/12/22 06:14:29 djm Exp $ | 1 | # $OpenBSD: multiplex.sh,v 1.28 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | CTL=/tmp/openssh.regress.ctl-sock.$$ | 4 | CTL=/tmp/openssh.regress.ctl-sock.$$ |
| @@ -101,7 +101,7 @@ for s in 0 1 4 5 44; do | |||
| 101 | ${SSH} -F $OBJ/ssh_config -S $CTL otherhost exit $s | 101 | ${SSH} -F $OBJ/ssh_config -S $CTL otherhost exit $s |
| 102 | r=$? | 102 | r=$? |
| 103 | if [ $r -ne $s ]; then | 103 | if [ $r -ne $s ]; then |
| 104 | fail "exit code mismatch for protocol $p: $r != $s" | 104 | fail "exit code mismatch: $r != $s" |
| 105 | fi | 105 | fi |
| 106 | 106 | ||
| 107 | # same with early close of stdout/err | 107 | # same with early close of stdout/err |
| @@ -110,7 +110,7 @@ for s in 0 1 4 5 44; do | |||
| 110 | exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\' | 110 | exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\' |
| 111 | r=$? | 111 | r=$? |
| 112 | if [ $r -ne $s ]; then | 112 | if [ $r -ne $s ]; then |
| 113 | fail "exit code (with sleep) mismatch for protocol $p: $r != $s" | 113 | fail "exit code (with sleep) mismatch: $r != $s" |
| 114 | fi | 114 | fi |
| 115 | done | 115 | done |
| 116 | 116 | ||
diff --git a/regress/principals-command.sh b/regress/principals-command.sh index 9b38eb105..bcc68e80b 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: principals-command.sh,v 1.3 2016/09/26 21:34:38 bluhm Exp $ | 1 | # $OpenBSD: principals-command.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="authorized principals command" | 4 | tid="authorized principals command" |
| @@ -78,7 +78,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then | |||
| 78 | # Empty authorized_principals | 78 | # Empty authorized_principals |
| 79 | verbose "$tid: ${_prefix} empty authorized_principals" | 79 | verbose "$tid: ${_prefix} empty authorized_principals" |
| 80 | echo > $OBJ/authorized_principals_$USER | 80 | echo > $OBJ/authorized_principals_$USER |
| 81 | ${SSH} -2i $OBJ/cert_user_key \ | 81 | ${SSH} -i $OBJ/cert_user_key \ |
| 82 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 82 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 83 | if [ $? -eq 0 ]; then | 83 | if [ $? -eq 0 ]; then |
| 84 | fail "ssh cert connect succeeded unexpectedly" | 84 | fail "ssh cert connect succeeded unexpectedly" |
| @@ -87,7 +87,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then | |||
| 87 | # Wrong authorized_principals | 87 | # Wrong authorized_principals |
| 88 | verbose "$tid: ${_prefix} wrong authorized_principals" | 88 | verbose "$tid: ${_prefix} wrong authorized_principals" |
| 89 | echo gregorsamsa > $OBJ/authorized_principals_$USER | 89 | echo gregorsamsa > $OBJ/authorized_principals_$USER |
| 90 | ${SSH} -2i $OBJ/cert_user_key \ | 90 | ${SSH} -i $OBJ/cert_user_key \ |
| 91 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 91 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 92 | if [ $? -eq 0 ]; then | 92 | if [ $? -eq 0 ]; then |
| 93 | fail "ssh cert connect succeeded unexpectedly" | 93 | fail "ssh cert connect succeeded unexpectedly" |
| @@ -96,7 +96,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then | |||
| 96 | # Correct authorized_principals | 96 | # Correct authorized_principals |
| 97 | verbose "$tid: ${_prefix} correct authorized_principals" | 97 | verbose "$tid: ${_prefix} correct authorized_principals" |
| 98 | echo mekmitasdigoat > $OBJ/authorized_principals_$USER | 98 | echo mekmitasdigoat > $OBJ/authorized_principals_$USER |
| 99 | ${SSH} -2i $OBJ/cert_user_key \ | 99 | ${SSH} -i $OBJ/cert_user_key \ |
| 100 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 100 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 101 | if [ $? -ne 0 ]; then | 101 | if [ $? -ne 0 ]; then |
| 102 | fail "ssh cert connect failed" | 102 | fail "ssh cert connect failed" |
| @@ -105,7 +105,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then | |||
| 105 | # authorized_principals with bad key option | 105 | # authorized_principals with bad key option |
| 106 | verbose "$tid: ${_prefix} authorized_principals bad key opt" | 106 | verbose "$tid: ${_prefix} authorized_principals bad key opt" |
| 107 | echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER | 107 | echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER |
| 108 | ${SSH} -2i $OBJ/cert_user_key \ | 108 | ${SSH} -i $OBJ/cert_user_key \ |
| 109 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 109 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 110 | if [ $? -eq 0 ]; then | 110 | if [ $? -eq 0 ]; then |
| 111 | fail "ssh cert connect succeeded unexpectedly" | 111 | fail "ssh cert connect succeeded unexpectedly" |
| @@ -115,7 +115,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then | |||
| 115 | verbose "$tid: ${_prefix} authorized_principals command=false" | 115 | verbose "$tid: ${_prefix} authorized_principals command=false" |
| 116 | echo 'command="false" mekmitasdigoat' > \ | 116 | echo 'command="false" mekmitasdigoat' > \ |
| 117 | $OBJ/authorized_principals_$USER | 117 | $OBJ/authorized_principals_$USER |
| 118 | ${SSH} -2i $OBJ/cert_user_key \ | 118 | ${SSH} -i $OBJ/cert_user_key \ |
| 119 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 119 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 120 | if [ $? -eq 0 ]; then | 120 | if [ $? -eq 0 ]; then |
| 121 | fail "ssh cert connect succeeded unexpectedly" | 121 | fail "ssh cert connect succeeded unexpectedly" |
| @@ -125,7 +125,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then | |||
| 125 | verbose "$tid: ${_prefix} authorized_principals command=true" | 125 | verbose "$tid: ${_prefix} authorized_principals command=true" |
| 126 | echo 'command="true" mekmitasdigoat' > \ | 126 | echo 'command="true" mekmitasdigoat' > \ |
| 127 | $OBJ/authorized_principals_$USER | 127 | $OBJ/authorized_principals_$USER |
| 128 | ${SSH} -2i $OBJ/cert_user_key \ | 128 | ${SSH} -i $OBJ/cert_user_key \ |
| 129 | -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 | 129 | -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 |
| 130 | if [ $? -ne 0 ]; then | 130 | if [ $? -ne 0 ]; then |
| 131 | fail "ssh cert connect failed" | 131 | fail "ssh cert connect failed" |
| @@ -144,7 +144,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then | |||
| 144 | printf 'cert-authority,principals="gregorsamsa" ' | 144 | printf 'cert-authority,principals="gregorsamsa" ' |
| 145 | cat $OBJ/user_ca_key.pub | 145 | cat $OBJ/user_ca_key.pub |
| 146 | ) > $OBJ/authorized_keys_$USER | 146 | ) > $OBJ/authorized_keys_$USER |
| 147 | ${SSH} -2i $OBJ/cert_user_key \ | 147 | ${SSH} -i $OBJ/cert_user_key \ |
| 148 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 148 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 149 | if [ $? -eq 0 ]; then | 149 | if [ $? -eq 0 ]; then |
| 150 | fail "ssh cert connect succeeded unexpectedly" | 150 | fail "ssh cert connect succeeded unexpectedly" |
| @@ -156,7 +156,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then | |||
| 156 | printf 'cert-authority,principals="mekmitasdigoat" ' | 156 | printf 'cert-authority,principals="mekmitasdigoat" ' |
| 157 | cat $OBJ/user_ca_key.pub | 157 | cat $OBJ/user_ca_key.pub |
| 158 | ) > $OBJ/authorized_keys_$USER | 158 | ) > $OBJ/authorized_keys_$USER |
| 159 | ${SSH} -2i $OBJ/cert_user_key \ | 159 | ${SSH} -i $OBJ/cert_user_key \ |
| 160 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 160 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
| 161 | if [ $? -ne 0 ]; then | 161 | if [ $? -ne 0 ]; then |
| 162 | fail "ssh cert connect failed" | 162 | fail "ssh cert connect failed" |
diff --git a/regress/proto-mismatch.sh b/regress/proto-mismatch.sh index 9e8024beb..6ab28c9a7 100644 --- a/regress/proto-mismatch.sh +++ b/regress/proto-mismatch.sh | |||
| @@ -1,21 +1,17 @@ | |||
| 1 | # $OpenBSD: proto-mismatch.sh,v 1.4 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: proto-mismatch.sh,v 1.5 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="protocol version mismatch" | 4 | tid="protocol version mismatch" |
| 5 | 5 | ||
| 6 | mismatch () | 6 | mismatch () |
| 7 | { | 7 | { |
| 8 | server=$1 | ||
| 9 | client=$2 | 8 | client=$2 |
| 10 | banner=`echo ${client} | ${SSHD} -o "Protocol=${server}" -i -f ${OBJ}/sshd_proxy` | 9 | banner=`echo ${client} | ${SSHD} -i -f ${OBJ}/sshd_proxy` |
| 11 | r=$? | 10 | r=$? |
| 12 | trace "sshd prints ${banner}" | 11 | trace "sshd prints ${banner}" |
| 13 | if [ $r -ne 255 ]; then | 12 | if [ $r -ne 255 ]; then |
| 14 | fail "sshd prints ${banner} and accepts connect with version ${client}" | 13 | fail "sshd prints ${banner} but accepts version ${client}" |
| 15 | fi | 14 | fi |
| 16 | } | 15 | } |
| 17 | 16 | ||
| 18 | mismatch 2 SSH-1.5-HALLO | 17 | mismatch SSH-1.5-HALLO |
| 19 | if ssh_version 1; then | ||
| 20 | mismatch 1 SSH-2.0-HALLO | ||
| 21 | fi | ||
diff --git a/regress/proto-version.sh b/regress/proto-version.sh index cf4946115..1f33b1f00 100644 --- a/regress/proto-version.sh +++ b/regress/proto-version.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: proto-version.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: proto-version.sh,v 1.7 2017/06/07 01:48:15 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="sshd version with different protocol combinations" | 4 | tid="sshd version with different protocol combinations" |
| @@ -6,9 +6,8 @@ tid="sshd version with different protocol combinations" | |||
| 6 | # we just start sshd in inetd mode and check the banner | 6 | # we just start sshd in inetd mode and check the banner |
| 7 | check_version () | 7 | check_version () |
| 8 | { | 8 | { |
| 9 | version=$1 | 9 | expect=$1 |
| 10 | expect=$2 | 10 | banner=`printf '' | ${SSHD} -i -f ${OBJ}/sshd_proxy` |
| 11 | banner=`printf '' | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy` | ||
| 12 | case ${banner} in | 11 | case ${banner} in |
| 13 | SSH-1.99-*) | 12 | SSH-1.99-*) |
| 14 | proto=199 | 13 | proto=199 |
| @@ -24,13 +23,8 @@ check_version () | |||
| 24 | ;; | 23 | ;; |
| 25 | esac | 24 | esac |
| 26 | if [ ${expect} -ne ${proto} ]; then | 25 | if [ ${expect} -ne ${proto} ]; then |
| 27 | fail "wrong protocol version ${banner} for ${version}" | 26 | fail "wrong protocol version ${banner}" |
| 28 | fi | 27 | fi |
| 29 | } | 28 | } |
| 30 | 29 | ||
| 31 | check_version 2 20 | 30 | check_version 20 |
| 32 | if ssh_version 1; then | ||
| 33 | check_version 2,1 199 | ||
| 34 | check_version 1,2 199 | ||
| 35 | check_version 1 15 | ||
| 36 | fi | ||
diff --git a/regress/proxy-connect.sh b/regress/proxy-connect.sh index b7a43fabe..f1b9d9f76 100644 --- a/regress/proxy-connect.sh +++ b/regress/proxy-connect.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: proxy-connect.sh,v 1.9 2016/02/17 02:24:17 djm Exp $ | 1 | # $OpenBSD: proxy-connect.sh,v 1.10 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="proxy connect" | 4 | tid="proxy connect" |
| @@ -6,27 +6,22 @@ tid="proxy connect" | |||
| 6 | mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig | 6 | mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig |
| 7 | 7 | ||
| 8 | for ps in no yes; do | 8 | for ps in no yes; do |
| 9 | cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy | 9 | cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy |
| 10 | echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy | 10 | echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy |
| 11 | 11 | for c in no yes; do | |
| 12 | for p in ${SSH_PROTOCOLS}; do | 12 | verbose "plain username privsep=$ps comp=$c" |
| 13 | for c in no yes; do | 13 | opts="-oCompression=$c -F $OBJ/ssh_proxy" |
| 14 | verbose "plain username protocol $p privsep=$ps comp=$c" | 14 | SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'` |
| 15 | opts="-$p -oCompression=$c -F $OBJ/ssh_proxy" | 15 | if [ $? -ne 0 ]; then |
| 16 | SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'` | 16 | fail "ssh proxyconnect privsep=$ps comp=$c failed" |
| 17 | if [ $? -ne 0 ]; then | 17 | fi |
| 18 | fail "ssh proxyconnect protocol $p privsep=$ps comp=$c failed" | 18 | if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then |
| 19 | fi | 19 | fail "bad SSH_CONNECTION privsep=$ps comp=$c: " \ |
| 20 | if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then | 20 | "$SSH_CONNECTION" |
| 21 | fail "bad SSH_CONNECTION protocol $p privsep=$ps comp=$c: " \ | 21 | fi |
| 22 | "$SSH_CONNECTION" | 22 | done |
| 23 | fi | ||
| 24 | done | ||
| 25 | done | ||
| 26 | done | 23 | done |
| 27 | 24 | ||
| 28 | for p in ${SSH_PROTOCOLS}; do | 25 | verbose "username with style" |
| 29 | verbose "username with style protocol $p" | 26 | ${SSH} -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \ |
| 30 | ${SSH} -$p -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \ | 27 | fail "ssh proxyconnect failed" |
| 31 | fail "ssh proxyconnect protocol $p failed" | ||
| 32 | done | ||
diff --git a/regress/putty-ciphers.sh b/regress/putty-ciphers.sh index 9adba674e..419daabba 100644 --- a/regress/putty-ciphers.sh +++ b/regress/putty-ciphers.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: putty-ciphers.sh,v 1.5 2016/11/25 03:02:01 dtucker Exp $ | 1 | # $OpenBSD: putty-ciphers.sh,v 1.6 2017/05/08 01:52:49 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="putty ciphers" | 4 | tid="putty ciphers" |
| @@ -8,7 +8,7 @@ if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then | |||
| 8 | exit 0 | 8 | exit 0 |
| 9 | fi | 9 | fi |
| 10 | 10 | ||
| 11 | for c in aes blowfish 3des arcfour aes128-ctr aes192-ctr aes256-ctr ; do | 11 | for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do |
| 12 | verbose "$tid: cipher $c" | 12 | verbose "$tid: cipher $c" |
| 13 | cp ${OBJ}/.putty/sessions/localhost_proxy \ | 13 | cp ${OBJ}/.putty/sessions/localhost_proxy \ |
| 14 | ${OBJ}/.putty/sessions/cipher_$c | 14 | ${OBJ}/.putty/sessions/cipher_$c |
diff --git a/regress/putty-transfer.sh b/regress/putty-transfer.sh index 8eb6ae0c0..32c79f9ea 100644 --- a/regress/putty-transfer.sh +++ b/regress/putty-transfer.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: putty-transfer.sh,v 1.4 2016/11/25 03:02:01 dtucker Exp $ | 1 | # $OpenBSD: putty-transfer.sh,v 1.5 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="putty transfer data" | 4 | tid="putty transfer data" |
| @@ -8,33 +8,30 @@ if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then | |||
| 8 | exit 0 | 8 | exit 0 |
| 9 | fi | 9 | fi |
| 10 | 10 | ||
| 11 | # XXX support protocol 1 too | 11 | for c in 0 1 ; do |
| 12 | for p in 2; do | 12 | verbose "$tid: compression $c" |
| 13 | for c in 0 1 ; do | 13 | rm -f ${COPY} |
| 14 | verbose "$tid: proto $p compression $c" | 14 | cp ${OBJ}/.putty/sessions/localhost_proxy \ |
| 15 | ${OBJ}/.putty/sessions/compression_$c | ||
| 16 | echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k | ||
| 17 | env HOME=$PWD ${PLINK} -load compression_$c -batch \ | ||
| 18 | -i putty.rsa cat ${DATA} > ${COPY} | ||
| 19 | if [ $? -ne 0 ]; then | ||
| 20 | fail "ssh cat $DATA failed" | ||
| 21 | fi | ||
| 22 | cmp ${DATA} ${COPY} || fail "corrupted copy" | ||
| 23 | |||
| 24 | for s in 10 100 1k 32k 64k 128k 256k; do | ||
| 25 | trace "compression $c dd-size ${s}" | ||
| 15 | rm -f ${COPY} | 26 | rm -f ${COPY} |
| 16 | cp ${OBJ}/.putty/sessions/localhost_proxy \ | 27 | dd if=$DATA obs=${s} 2> /dev/null | \ |
| 17 | ${OBJ}/.putty/sessions/compression_$c | 28 | env HOME=$PWD ${PLINK} -load compression_$c \ |
| 18 | echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k | 29 | -batch -i putty.rsa \ |
| 19 | env HOME=$PWD ${PLINK} -load compression_$c -batch \ | 30 | "cat > ${COPY}" |
| 20 | -i putty.rsa$p cat ${DATA} > ${COPY} | ||
| 21 | if [ $? -ne 0 ]; then | 31 | if [ $? -ne 0 ]; then |
| 22 | fail "ssh cat $DATA failed" | 32 | fail "ssh cat $DATA failed" |
| 23 | fi | 33 | fi |
| 24 | cmp ${DATA} ${COPY} || fail "corrupted copy" | 34 | cmp $DATA ${COPY} || fail "corrupted copy" |
| 25 | |||
| 26 | for s in 10 100 1k 32k 64k 128k 256k; do | ||
| 27 | trace "proto $p compression $c dd-size ${s}" | ||
| 28 | rm -f ${COPY} | ||
| 29 | dd if=$DATA obs=${s} 2> /dev/null | \ | ||
| 30 | env HOME=$PWD ${PLINK} -load compression_$c \ | ||
| 31 | -batch -i putty.rsa$p \ | ||
| 32 | "cat > ${COPY}" | ||
| 33 | if [ $? -ne 0 ]; then | ||
| 34 | fail "ssh cat $DATA failed" | ||
| 35 | fi | ||
| 36 | cmp $DATA ${COPY} || fail "corrupted copy" | ||
| 37 | done | ||
| 38 | done | 35 | done |
| 39 | done | 36 | done |
| 40 | rm -f ${COPY} | 37 | rm -f ${COPY} |
diff --git a/regress/reconfigure.sh b/regress/reconfigure.sh index eecddd3c7..dd15eddb2 100644 --- a/regress/reconfigure.sh +++ b/regress/reconfigure.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: reconfigure.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: reconfigure.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="simple connect after reconfigure" | 4 | tid="simple connect after reconfigure" |
| @@ -18,12 +18,10 @@ fi | |||
| 18 | start_sshd | 18 | start_sshd |
| 19 | 19 | ||
| 20 | trace "connect before restart" | 20 | trace "connect before restart" |
| 21 | for p in ${SSH_PROTOCOLS} ; do | 21 | ${SSH} -F $OBJ/ssh_config somehost true |
| 22 | ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true | 22 | if [ $? -ne 0 ]; then |
| 23 | if [ $? -ne 0 ]; then | 23 | fail "ssh connect with failed before reconfigure" |
| 24 | fail "ssh connect with protocol $p failed before reconfigure" | 24 | fi |
| 25 | fi | ||
| 26 | done | ||
| 27 | 25 | ||
| 28 | PID=`$SUDO cat $PIDFILE` | 26 | PID=`$SUDO cat $PIDFILE` |
| 29 | rm -f $PIDFILE | 27 | rm -f $PIDFILE |
| @@ -39,9 +37,7 @@ done | |||
| 39 | test -f $PIDFILE || fatal "sshd did not restart" | 37 | test -f $PIDFILE || fatal "sshd did not restart" |
| 40 | 38 | ||
| 41 | trace "connect after restart" | 39 | trace "connect after restart" |
| 42 | for p in ${SSH_PROTOCOLS} ; do | 40 | ${SSH} -F $OBJ/ssh_config somehost true |
| 43 | ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true | 41 | if [ $? -ne 0 ]; then |
| 44 | if [ $? -ne 0 ]; then | 42 | fail "ssh connect with failed after reconfigure" |
| 45 | fail "ssh connect with protocol $p failed after reconfigure" | 43 | fi |
| 46 | fi | ||
| 47 | done | ||
diff --git a/regress/reexec.sh b/regress/reexec.sh index 72957d4cd..2192456cd 100644 --- a/regress/reexec.sh +++ b/regress/reexec.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: reexec.sh,v 1.10 2016/12/16 01:06:27 dtucker Exp $ | 1 | # $OpenBSD: reexec.sh,v 1.12 2017/08/07 03:52:55 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="reexec tests" | 4 | tid="reexec tests" |
| @@ -19,16 +19,13 @@ start_sshd_copy () | |||
| 19 | copy_tests () | 19 | copy_tests () |
| 20 | { | 20 | { |
| 21 | rm -f ${COPY} | 21 | rm -f ${COPY} |
| 22 | for p in ${SSH_PROTOCOLS} ; do | 22 | ${SSH} -nq -F $OBJ/ssh_config somehost \ |
| 23 | verbose "$tid: proto $p" | 23 | cat ${DATA} > ${COPY} |
| 24 | ${SSH} -nqo "Protocol=$p" -F $OBJ/ssh_config somehost \ | 24 | if [ $? -ne 0 ]; then |
| 25 | cat ${DATA} > ${COPY} | 25 | fail "ssh cat $DATA failed" |
| 26 | if [ $? -ne 0 ]; then | 26 | fi |
| 27 | fail "ssh cat $DATA failed" | 27 | cmp ${DATA} ${COPY} || fail "corrupted copy" |
| 28 | fi | 28 | rm -f ${COPY} |
| 29 | cmp ${DATA} ${COPY} || fail "corrupted copy" | ||
| 30 | rm -f ${COPY} | ||
| 31 | done | ||
| 32 | } | 29 | } |
| 33 | 30 | ||
| 34 | verbose "test config passing" | 31 | verbose "test config passing" |
| @@ -54,17 +51,4 @@ rm -f $SSHD_COPY | |||
| 54 | copy_tests | 51 | copy_tests |
| 55 | 52 | ||
| 56 | stop_sshd | 53 | stop_sshd |
| 57 | |||
| 58 | verbose "test reexec fallback without privsep" | ||
| 59 | |||
| 60 | cp $OBJ/sshd_config.orig $OBJ/sshd_config | ||
| 61 | echo "UsePrivilegeSeparation=no" >> $OBJ/sshd_config | ||
| 62 | |||
| 63 | start_sshd_copy | ||
| 64 | rm -f $SSHD_COPY | ||
| 65 | |||
| 66 | copy_tests | ||
| 67 | |||
| 68 | stop_sshd | ||
| 69 | |||
| 70 | fi | 54 | fi |
diff --git a/regress/ssh-com.sh b/regress/ssh-com.sh index 4371d5279..b1a2505d1 100644 --- a/regress/ssh-com.sh +++ b/regress/ssh-com.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: ssh-com.sh,v 1.9 2015/05/08 07:29:00 djm Exp $ | 1 | # $OpenBSD: ssh-com.sh,v 1.10 2017/05/08 01:52:49 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="connect to ssh.com server" | 4 | tid="connect to ssh.com server" |
| @@ -87,7 +87,7 @@ for v in ${VERSIONS}; do | |||
| 87 | fail "ssh connect to sshd2 ${v} failed" | 87 | fail "ssh connect to sshd2 ${v} failed" |
| 88 | fi | 88 | fi |
| 89 | 89 | ||
| 90 | ciphers="3des-cbc blowfish-cbc arcfour" | 90 | ciphers="3des-cbc" |
| 91 | macs="hmac-md5" | 91 | macs="hmac-md5" |
| 92 | case $v in | 92 | case $v in |
| 93 | 2.4.*) | 93 | 2.4.*) |
diff --git a/regress/stderr-after-eof.sh b/regress/stderr-after-eof.sh index 218ac6b68..9065245e8 100644 --- a/regress/stderr-after-eof.sh +++ b/regress/stderr-after-eof.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: stderr-after-eof.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $ | 1 | # $OpenBSD: stderr-after-eof.sh,v 1.3 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="stderr data after eof" | 4 | tid="stderr data after eof" |
| @@ -10,7 +10,7 @@ for i in 1 2 3 4 5 6; do | |||
| 10 | (date;echo $i) | md5 >> ${DATA} | 10 | (date;echo $i) | md5 >> ${DATA} |
| 11 | done | 11 | done |
| 12 | 12 | ||
| 13 | ${SSH} -2 -F $OBJ/ssh_proxy otherhost \ | 13 | ${SSH} -F $OBJ/ssh_proxy otherhost \ |
| 14 | exec sh -c \'"exec > /dev/null; sleep 2; cat ${DATA} 1>&2 $s"\' \ | 14 | exec sh -c \'"exec > /dev/null; sleep 2; cat ${DATA} 1>&2 $s"\' \ |
| 15 | 2> ${COPY} | 15 | 2> ${COPY} |
| 16 | r=$? | 16 | r=$? |
diff --git a/regress/stderr-data.sh b/regress/stderr-data.sh index 8c8149a73..0ceb72b3a 100644 --- a/regress/stderr-data.sh +++ b/regress/stderr-data.sh | |||
| @@ -1,13 +1,12 @@ | |||
| 1 | # $OpenBSD: stderr-data.sh,v 1.4 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: stderr-data.sh,v 1.5 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="stderr data transfer" | 4 | tid="stderr data transfer" |
| 5 | 5 | ||
| 6 | for n in '' -n; do | 6 | for n in '' -n; do |
| 7 | for p in ${SSH_PROTOCOLS}; do | 7 | verbose "test $tid: ($n)" |
| 8 | verbose "test $tid: proto $p ($n)" | 8 | ${SSH} $n -F $OBJ/ssh_proxy otherhost exec \ |
| 9 | ${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \ | 9 | sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ |
| 10 | exec sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ | ||
| 11 | 2> ${COPY} | 10 | 2> ${COPY} |
| 12 | r=$? | 11 | r=$? |
| 13 | if [ $r -ne 0 ]; then | 12 | if [ $r -ne 0 ]; then |
| @@ -16,8 +15,8 @@ for p in ${SSH_PROTOCOLS}; do | |||
| 16 | cmp ${DATA} ${COPY} || fail "stderr corrupt" | 15 | cmp ${DATA} ${COPY} || fail "stderr corrupt" |
| 17 | rm -f ${COPY} | 16 | rm -f ${COPY} |
| 18 | 17 | ||
| 19 | ${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \ | 18 | ${SSH} $n -F $OBJ/ssh_proxy otherhost exec \ |
| 20 | exec sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ | 19 | sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ |
| 21 | > /dev/null 2> ${COPY} | 20 | > /dev/null 2> ${COPY} |
| 22 | r=$? | 21 | r=$? |
| 23 | if [ $r -ne 0 ]; then | 22 | if [ $r -ne 0 ]; then |
| @@ -26,4 +25,3 @@ for p in ${SSH_PROTOCOLS}; do | |||
| 26 | cmp ${DATA} ${COPY} || fail "stderr corrupt" | 25 | cmp ${DATA} ${COPY} || fail "stderr corrupt" |
| 27 | rm -f ${COPY} | 26 | rm -f ${COPY} |
| 28 | done | 27 | done |
| 29 | done | ||
diff --git a/regress/test-exec.sh b/regress/test-exec.sh index dc033cd96..68f010b70 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: test-exec.sh,v 1.59 2017/02/07 23:03:11 dtucker Exp $ | 1 | # $OpenBSD: test-exec.sh,v 1.61 2017/07/28 10:32:08 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | #SUDO=sudo | 4 | #SUDO=sudo |
| @@ -130,12 +130,6 @@ if [ "x$TEST_SSH_CONCH" != "x" ]; then | |||
| 130 | esac | 130 | esac |
| 131 | fi | 131 | fi |
| 132 | 132 | ||
| 133 | SSH_PROTOCOLS=2 | ||
| 134 | #SSH_PROTOCOLS=`$SSH -Q protocol-version` | ||
| 135 | if [ "x$TEST_SSH_PROTOCOLS" != "x" ]; then | ||
| 136 | SSH_PROTOCOLS="${TEST_SSH_PROTOCOLS}" | ||
| 137 | fi | ||
| 138 | |||
| 139 | # Path to sshd must be absolute for rexec | 133 | # Path to sshd must be absolute for rexec |
| 140 | case "$SSHD" in | 134 | case "$SSHD" in |
| 141 | /*) ;; | 135 | /*) ;; |
| @@ -310,8 +304,15 @@ stop_sshd () | |||
| 310 | i=`expr $i + 1` | 304 | i=`expr $i + 1` |
| 311 | sleep $i | 305 | sleep $i |
| 312 | done | 306 | done |
| 313 | test -f $PIDFILE && \ | 307 | if test -f $PIDFILE; then |
| 314 | fatal "sshd didn't exit port $PORT pid $pid" | 308 | if $SUDO kill -0 $pid; then |
| 309 | echo "sshd didn't exit " \ | ||
| 310 | "port $PORT pid $pid" | ||
| 311 | else | ||
| 312 | echo "sshd died without cleanup" | ||
| 313 | fi | ||
| 314 | exit 1 | ||
| 315 | fi | ||
| 315 | fi | 316 | fi |
| 316 | fi | 317 | fi |
| 317 | fi | 318 | fi |
| @@ -386,22 +387,11 @@ fatal () | |||
| 386 | exit $RESULT | 387 | exit $RESULT |
| 387 | } | 388 | } |
| 388 | 389 | ||
| 389 | ssh_version () | ||
| 390 | { | ||
| 391 | echo ${SSH_PROTOCOLS} | grep "$1" >/dev/null | ||
| 392 | } | ||
| 393 | |||
| 394 | RESULT=0 | 390 | RESULT=0 |
| 395 | PIDFILE=$OBJ/pidfile | 391 | PIDFILE=$OBJ/pidfile |
| 396 | 392 | ||
| 397 | trap fatal 3 2 | 393 | trap fatal 3 2 |
| 398 | 394 | ||
| 399 | if ssh_version 1; then | ||
| 400 | PROTO="2,1" | ||
| 401 | else | ||
| 402 | PROTO="2" | ||
| 403 | fi | ||
| 404 | |||
| 405 | # create server config | 395 | # create server config |
| 406 | cat << EOF > $OBJ/sshd_config | 396 | cat << EOF > $OBJ/sshd_config |
| 407 | StrictModes no | 397 | StrictModes no |
| @@ -460,11 +450,8 @@ fi | |||
| 460 | 450 | ||
| 461 | rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER | 451 | rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER |
| 462 | 452 | ||
| 463 | if ssh_version 1; then | 453 | SSH_KEYTYPES="rsa ed25519" |
| 464 | SSH_KEYTYPES="rsa rsa1" | 454 | |
| 465 | else | ||
| 466 | SSH_KEYTYPES="rsa ed25519" | ||
| 467 | fi | ||
| 468 | trace "generate keys" | 455 | trace "generate keys" |
| 469 | for t in ${SSH_KEYTYPES}; do | 456 | for t in ${SSH_KEYTYPES}; do |
| 470 | # generate user key | 457 | # generate user key |
diff --git a/regress/transfer.sh b/regress/transfer.sh index 36c14634a..cf174a006 100644 --- a/regress/transfer.sh +++ b/regress/transfer.sh | |||
| @@ -1,26 +1,23 @@ | |||
| 1 | # $OpenBSD: transfer.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: transfer.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="transfer data" | 4 | tid="transfer data" |
| 5 | 5 | ||
| 6 | for p in ${SSH_PROTOCOLS}; do | 6 | rm -f ${COPY} |
| 7 | verbose "$tid: proto $p" | 7 | ${SSH} -n -q -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY} |
| 8 | if [ $? -ne 0 ]; then | ||
| 9 | fail "ssh cat $DATA failed" | ||
| 10 | fi | ||
| 11 | cmp ${DATA} ${COPY} || fail "corrupted copy" | ||
| 12 | |||
| 13 | for s in 10 100 1k 32k 64k 128k 256k; do | ||
| 14 | trace "dd-size ${s}" | ||
| 8 | rm -f ${COPY} | 15 | rm -f ${COPY} |
| 9 | ${SSH} -n -q -$p -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY} | 16 | dd if=$DATA obs=${s} 2> /dev/null | \ |
| 17 | ${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}" | ||
| 10 | if [ $? -ne 0 ]; then | 18 | if [ $? -ne 0 ]; then |
| 11 | fail "ssh cat $DATA failed" | 19 | fail "ssh cat $DATA failed" |
| 12 | fi | 20 | fi |
| 13 | cmp ${DATA} ${COPY} || fail "corrupted copy" | 21 | cmp $DATA ${COPY} || fail "corrupted copy" |
| 14 | |||
| 15 | for s in 10 100 1k 32k 64k 128k 256k; do | ||
| 16 | trace "proto $p dd-size ${s}" | ||
| 17 | rm -f ${COPY} | ||
| 18 | dd if=$DATA obs=${s} 2> /dev/null | \ | ||
| 19 | ${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}" | ||
| 20 | if [ $? -ne 0 ]; then | ||
| 21 | fail "ssh cat $DATA failed" | ||
| 22 | fi | ||
| 23 | cmp $DATA ${COPY} || fail "corrupted copy" | ||
| 24 | done | ||
| 25 | done | 22 | done |
| 26 | rm -f ${COPY} | 23 | rm -f ${COPY} |
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index 889a735d2..e04268ba3 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: try-ciphers.sh,v 1.25 2015/03/24 20:22:17 markus Exp $ | 1 | # $OpenBSD: try-ciphers.sh,v 1.26 2017/04/30 23:34:55 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="try ciphers" | 4 | tid="try ciphers" |
| @@ -8,14 +8,14 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | |||
| 8 | for c in `${SSH} -Q cipher`; do | 8 | for c in `${SSH} -Q cipher`; do |
| 9 | n=0 | 9 | n=0 |
| 10 | for m in `${SSH} -Q mac`; do | 10 | for m in `${SSH} -Q mac`; do |
| 11 | trace "proto 2 cipher $c mac $m" | 11 | trace "cipher $c mac $m" |
| 12 | verbose "test $tid: proto 2 cipher $c mac $m" | 12 | verbose "test $tid: cipher $c mac $m" |
| 13 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy | 13 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy |
| 14 | echo "Ciphers=$c" >> $OBJ/sshd_proxy | 14 | echo "Ciphers=$c" >> $OBJ/sshd_proxy |
| 15 | echo "MACs=$m" >> $OBJ/sshd_proxy | 15 | echo "MACs=$m" >> $OBJ/sshd_proxy |
| 16 | ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true | 16 | ${SSH} -F $OBJ/ssh_proxy -m $m -c $c somehost true |
| 17 | if [ $? -ne 0 ]; then | 17 | if [ $? -ne 0 ]; then |
| 18 | fail "ssh -2 failed with mac $m cipher $c" | 18 | fail "ssh failed with mac $m cipher $c" |
| 19 | fi | 19 | fi |
| 20 | # No point trying all MACs for AEAD ciphers since they | 20 | # No point trying all MACs for AEAD ciphers since they |
| 21 | # are ignored. | 21 | # are ignored. |
| @@ -26,17 +26,3 @@ for c in `${SSH} -Q cipher`; do | |||
| 26 | done | 26 | done |
| 27 | done | 27 | done |
| 28 | 28 | ||
| 29 | if ssh_version 1; then | ||
| 30 | ciphers="3des blowfish" | ||
| 31 | else | ||
| 32 | ciphers="" | ||
| 33 | fi | ||
| 34 | for c in $ciphers; do | ||
| 35 | trace "proto 1 cipher $c" | ||
| 36 | verbose "test $tid: proto 1 cipher $c" | ||
| 37 | ${SSH} -F $OBJ/ssh_proxy -1 -c $c somehost true | ||
| 38 | if [ $? -ne 0 ]; then | ||
| 39 | fail "ssh -1 failed with cipher $c" | ||
| 40 | fi | ||
| 41 | done | ||
| 42 | |||
diff --git a/regress/unittests/Makefile.inc b/regress/unittests/Makefile.inc index 3d9eaba5c..36d1ff42c 100644 --- a/regress/unittests/Makefile.inc +++ b/regress/unittests/Makefile.inc | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: Makefile.inc,v 1.9 2016/11/01 13:43:27 tb Exp $ | 1 | # $OpenBSD: Makefile.inc,v 1.11 2017/04/30 23:33:48 djm Exp $ |
| 2 | 2 | ||
| 3 | .include <bsd.own.mk> | 3 | .include <bsd.own.mk> |
| 4 | .include <bsd.obj.mk> | 4 | .include <bsd.obj.mk> |
| @@ -30,7 +30,7 @@ CDIAGFLAGS+= -Wswitch | |||
| 30 | CDIAGFLAGS+= -Wtrigraphs | 30 | CDIAGFLAGS+= -Wtrigraphs |
| 31 | CDIAGFLAGS+= -Wuninitialized | 31 | CDIAGFLAGS+= -Wuninitialized |
| 32 | CDIAGFLAGS+= -Wunused | 32 | CDIAGFLAGS+= -Wunused |
| 33 | .if ${COMPILER_VERSION} == "gcc4" | 33 | .if ${COMPILER_VERSION:L} != "gcc3" |
| 34 | CDIAGFLAGS+= -Wpointer-sign | 34 | CDIAGFLAGS+= -Wpointer-sign |
| 35 | CDIAGFLAGS+= -Wold-style-definition | 35 | CDIAGFLAGS+= -Wold-style-definition |
| 36 | .endif | 36 | .endif |
diff --git a/regress/unittests/hostkeys/mktestdata.sh b/regress/unittests/hostkeys/mktestdata.sh index 36890ba11..5a46de990 100644 --- a/regress/unittests/hostkeys/mktestdata.sh +++ b/regress/unittests/hostkeys/mktestdata.sh | |||
| @@ -1,11 +1,11 @@ | |||
| 1 | #!/bin/sh | 1 | #!/bin/sh |
| 2 | # $OpenBSD: mktestdata.sh,v 1.1 2015/02/16 22:18:34 djm Exp $ | 2 | # $OpenBSD: mktestdata.sh,v 1.2 2017/04/30 23:33:48 djm Exp $ |
| 3 | 3 | ||
| 4 | set -ex | 4 | set -ex |
| 5 | 5 | ||
| 6 | cd testdata | 6 | cd testdata |
| 7 | 7 | ||
| 8 | rm -f rsa1* rsa* dsa* ecdsa* ed25519* | 8 | rm -f rsa* dsa* ecdsa* ed25519* |
| 9 | rm -f known_hosts* | 9 | rm -f known_hosts* |
| 10 | 10 | ||
| 11 | gen_all() { | 11 | gen_all() { |
| @@ -13,13 +13,12 @@ gen_all() { | |||
| 13 | _ecdsa_bits=256 | 13 | _ecdsa_bits=256 |
| 14 | test "x$_n" = "x1" && _ecdsa_bits=384 | 14 | test "x$_n" = "x1" && _ecdsa_bits=384 |
| 15 | test "x$_n" = "x2" && _ecdsa_bits=521 | 15 | test "x$_n" = "x2" && _ecdsa_bits=521 |
| 16 | ssh-keygen -qt rsa1 -b 1024 -C "RSA1 #$_n" -N "" -f rsa1_$_n | ||
| 17 | ssh-keygen -qt rsa -b 1024 -C "RSA #$_n" -N "" -f rsa_$_n | 16 | ssh-keygen -qt rsa -b 1024 -C "RSA #$_n" -N "" -f rsa_$_n |
| 18 | ssh-keygen -qt dsa -b 1024 -C "DSA #$_n" -N "" -f dsa_$_n | 17 | ssh-keygen -qt dsa -b 1024 -C "DSA #$_n" -N "" -f dsa_$_n |
| 19 | ssh-keygen -qt ecdsa -b $_ecdsa_bits -C "ECDSA #$_n" -N "" -f ecdsa_$_n | 18 | ssh-keygen -qt ecdsa -b $_ecdsa_bits -C "ECDSA #$_n" -N "" -f ecdsa_$_n |
| 20 | ssh-keygen -qt ed25519 -C "ED25519 #$_n" -N "" -f ed25519_$_n | 19 | ssh-keygen -qt ed25519 -C "ED25519 #$_n" -N "" -f ed25519_$_n |
| 21 | # Don't need private keys | 20 | # Don't need private keys |
| 22 | rm -f rsa1_$_n rsa_$_n dsa_$_n ecdsa_$_n ed25519_$_n | 21 | rm -f rsa_$_n dsa_$_n ecdsa_$_n ed25519_$_n |
| 23 | } | 22 | } |
| 24 | 23 | ||
| 25 | hentries() { | 24 | hentries() { |
| @@ -64,7 +63,6 @@ rm -f known_hosts_hash_frag.old | |||
| 64 | echo | 63 | echo |
| 65 | 64 | ||
| 66 | echo "# Revoked and CA keys" | 65 | echo "# Revoked and CA keys" |
| 67 | printf "@revoked sisyphus.example.com " ; cat rsa1_4.pub | ||
| 68 | printf "@revoked sisyphus.example.com " ; cat ed25519_4.pub | 66 | printf "@revoked sisyphus.example.com " ; cat ed25519_4.pub |
| 69 | printf "@cert-authority prometheus.example.com " ; cat ecdsa_4.pub | 67 | printf "@cert-authority prometheus.example.com " ; cat ecdsa_4.pub |
| 70 | printf "@cert-authority *.example.com " ; cat dsa_4.pub | 68 | printf "@cert-authority *.example.com " ; cat dsa_4.pub |
| @@ -72,19 +70,13 @@ rm -f known_hosts_hash_frag.old | |||
| 72 | printf "\n" | 70 | printf "\n" |
| 73 | echo "# Some invalid lines" | 71 | echo "# Some invalid lines" |
| 74 | # Invalid marker | 72 | # Invalid marker |
| 75 | printf "@what sisyphus.example.com " ; cat rsa1_1.pub | 73 | printf "@what sisyphus.example.com " ; cat dsa_1.pub |
| 76 | # Key missing | 74 | # Key missing |
| 77 | echo "sisyphus.example.com " | 75 | echo "sisyphus.example.com " |
| 78 | # Key blob missing | 76 | # Key blob missing |
| 79 | echo "prometheus.example.com ssh-ed25519 " | 77 | echo "prometheus.example.com ssh-ed25519 " |
| 80 | # Key blob truncated | 78 | # Key blob truncated |
| 81 | echo "sisyphus.example.com ssh-dsa AAAATgAAAAdz" | 79 | echo "sisyphus.example.com ssh-dsa AAAATgAAAAdz" |
| 82 | # RSA1 key truncated after key bits | ||
| 83 | echo "prometheus.example.com 1024 " | ||
| 84 | # RSA1 key truncated after exponent | ||
| 85 | echo "sisyphus.example.com 1024 65535 " | ||
| 86 | # RSA1 key incorrect key bits | ||
| 87 | printf "prometheus.example.com 1025 " ; cut -d' ' -f2- < rsa1_1.pub | ||
| 88 | # Invalid type | 80 | # Invalid type |
| 89 | echo "sisyphus.example.com ssh-XXX AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg==" | 81 | echo "sisyphus.example.com ssh-XXX AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg==" |
| 90 | # Type mismatch with blob | 82 | # Type mismatch with blob |
diff --git a/regress/unittests/hostkeys/test_iterate.c b/regress/unittests/hostkeys/test_iterate.c index 2eaaf063a..751825dda 100644 --- a/regress/unittests/hostkeys/test_iterate.c +++ b/regress/unittests/hostkeys/test_iterate.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: test_iterate.c,v 1.4 2015/03/31 22:59:01 djm Exp $ */ | 1 | /* $OpenBSD: test_iterate.c,v 1.5 2017/04/30 23:33:48 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Regress test for hostfile.h hostkeys_foreach() | 3 | * Regress test for hostfile.h hostkeys_foreach() |
| 4 | * | 4 | * |
| @@ -90,14 +90,6 @@ check(struct hostkey_foreach_line *l, void *_ctx) | |||
| 90 | expected_keytype = (parse_key || expected->no_parse_keytype < 0) ? | 90 | expected_keytype = (parse_key || expected->no_parse_keytype < 0) ? |
| 91 | expected->l.keytype : expected->no_parse_keytype; | 91 | expected->l.keytype : expected->no_parse_keytype; |
| 92 | 92 | ||
| 93 | #ifndef WITH_SSH1 | ||
| 94 | if (parse_key && (expected->l.keytype == KEY_RSA1 || | ||
| 95 | expected->no_parse_keytype == KEY_RSA1)) { | ||
| 96 | expected_status = HKF_STATUS_INVALID; | ||
| 97 | expected_keytype = KEY_UNSPEC; | ||
| 98 | parse_key = 0; | ||
| 99 | } | ||
| 100 | #endif | ||
| 101 | #ifndef OPENSSL_HAS_ECC | 93 | #ifndef OPENSSL_HAS_ECC |
| 102 | if (expected->l.keytype == KEY_ECDSA || | 94 | if (expected->l.keytype == KEY_ECDSA || |
| 103 | expected->no_parse_keytype == KEY_ECDSA) { | 95 | expected->no_parse_keytype == KEY_ECDSA) { |
| @@ -150,10 +142,6 @@ prepare_expected(struct expected *expected, size_t n) | |||
| 150 | for (i = 0; i < n; i++) { | 142 | for (i = 0; i < n; i++) { |
| 151 | if (expected[i].key_file == NULL) | 143 | if (expected[i].key_file == NULL) |
| 152 | continue; | 144 | continue; |
| 153 | #ifndef WITH_SSH1 | ||
| 154 | if (expected[i].l.keytype == KEY_RSA1) | ||
| 155 | continue; | ||
| 156 | #endif | ||
| 157 | #ifndef OPENSSL_HAS_ECC | 145 | #ifndef OPENSSL_HAS_ECC |
| 158 | if (expected[i].l.keytype == KEY_ECDSA) | 146 | if (expected[i].l.keytype == KEY_ECDSA) |
| 159 | continue; | 147 | continue; |
| @@ -217,22 +205,9 @@ struct expected expected_full[] = { | |||
| 217 | NULL, /* filled at runtime */ | 205 | NULL, /* filled at runtime */ |
| 218 | "ED25519 #1", | 206 | "ED25519 #1", |
| 219 | } }, | 207 | } }, |
| 220 | { "rsa1_1.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { | ||
| 221 | NULL, | ||
| 222 | 5, | ||
| 223 | HKF_STATUS_OK, | ||
| 224 | 0, | ||
| 225 | NULL, | ||
| 226 | MRK_NONE, | ||
| 227 | "sisyphus.example.com", | ||
| 228 | NULL, | ||
| 229 | KEY_RSA1, | ||
| 230 | NULL, /* filled at runtime */ | ||
| 231 | "RSA1 #1", | ||
| 232 | } }, | ||
| 233 | { "rsa_1.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { | 208 | { "rsa_1.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { |
| 234 | NULL, | 209 | NULL, |
| 235 | 6, | 210 | 5, |
| 236 | HKF_STATUS_OK, | 211 | HKF_STATUS_OK, |
| 237 | 0, | 212 | 0, |
| 238 | NULL, | 213 | NULL, |
| @@ -245,7 +220,7 @@ struct expected expected_full[] = { | |||
| 245 | } }, | 220 | } }, |
| 246 | { NULL, -1, -1, 0, 0, 0, 0, -1, { | 221 | { NULL, -1, -1, 0, 0, 0, 0, -1, { |
| 247 | NULL, | 222 | NULL, |
| 248 | 7, | 223 | 6, |
| 249 | HKF_STATUS_COMMENT, | 224 | HKF_STATUS_COMMENT, |
| 250 | 0, | 225 | 0, |
| 251 | "", | 226 | "", |
| @@ -258,7 +233,7 @@ struct expected expected_full[] = { | |||
| 258 | } }, | 233 | } }, |
| 259 | { NULL, -1, -1, 0, 0, 0, 0, -1, { | 234 | { NULL, -1, -1, 0, 0, 0, 0, -1, { |
| 260 | NULL, | 235 | NULL, |
| 261 | 8, | 236 | 7, |
| 262 | HKF_STATUS_COMMENT, | 237 | HKF_STATUS_COMMENT, |
| 263 | 0, | 238 | 0, |
| 264 | "# Plain host keys, hostnames + addresses", | 239 | "# Plain host keys, hostnames + addresses", |
| @@ -271,7 +246,7 @@ struct expected expected_full[] = { | |||
| 271 | } }, | 246 | } }, |
| 272 | { "dsa_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, { | 247 | { "dsa_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, { |
| 273 | NULL, | 248 | NULL, |
| 274 | 9, | 249 | 8, |
| 275 | HKF_STATUS_OK, | 250 | HKF_STATUS_OK, |
| 276 | 0, | 251 | 0, |
| 277 | NULL, | 252 | NULL, |
| @@ -284,7 +259,7 @@ struct expected expected_full[] = { | |||
| 284 | } }, | 259 | } }, |
| 285 | { "ecdsa_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, { | 260 | { "ecdsa_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, { |
| 286 | NULL, | 261 | NULL, |
| 287 | 10, | 262 | 9, |
| 288 | HKF_STATUS_OK, | 263 | HKF_STATUS_OK, |
| 289 | 0, | 264 | 0, |
| 290 | NULL, | 265 | NULL, |
| @@ -297,7 +272,7 @@ struct expected expected_full[] = { | |||
| 297 | } }, | 272 | } }, |
| 298 | { "ed25519_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, { | 273 | { "ed25519_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, { |
| 299 | NULL, | 274 | NULL, |
| 300 | 11, | 275 | 10, |
| 301 | HKF_STATUS_OK, | 276 | HKF_STATUS_OK, |
| 302 | 0, | 277 | 0, |
| 303 | NULL, | 278 | NULL, |
| @@ -308,22 +283,9 @@ struct expected expected_full[] = { | |||
| 308 | NULL, /* filled at runtime */ | 283 | NULL, /* filled at runtime */ |
| 309 | "ED25519 #2", | 284 | "ED25519 #2", |
| 310 | } }, | 285 | } }, |
| 311 | { "rsa1_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, { | ||
| 312 | NULL, | ||
| 313 | 12, | ||
| 314 | HKF_STATUS_OK, | ||
| 315 | 0, | ||
| 316 | NULL, | ||
| 317 | MRK_NONE, | ||
| 318 | "prometheus.example.com,192.0.2.1,2001:db8::1", | ||
| 319 | NULL, | ||
| 320 | KEY_RSA1, | ||
| 321 | NULL, /* filled at runtime */ | ||
| 322 | "RSA1 #2", | ||
| 323 | } }, | ||
| 324 | { "rsa_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, { | 286 | { "rsa_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, { |
| 325 | NULL, | 287 | NULL, |
| 326 | 13, | 288 | 11, |
| 327 | HKF_STATUS_OK, | 289 | HKF_STATUS_OK, |
| 328 | 0, | 290 | 0, |
| 329 | NULL, | 291 | NULL, |
| @@ -336,7 +298,7 @@ struct expected expected_full[] = { | |||
| 336 | } }, | 298 | } }, |
| 337 | { NULL, -1, -1, 0, 0, 0, 0, -1, { | 299 | { NULL, -1, -1, 0, 0, 0, 0, -1, { |
| 338 | NULL, | 300 | NULL, |
| 339 | 14, | 301 | 12, |
| 340 | HKF_STATUS_COMMENT, | 302 | HKF_STATUS_COMMENT, |
| 341 | 0, | 303 | 0, |
| 342 | "", | 304 | "", |
| @@ -349,7 +311,7 @@ struct expected expected_full[] = { | |||
| 349 | } }, | 311 | } }, |
| 350 | { NULL, -1, -1, 0, 0, 0, 0, -1, { | 312 | { NULL, -1, -1, 0, 0, 0, 0, -1, { |
| 351 | NULL, | 313 | NULL, |
| 352 | 15, | 314 | 13, |
| 353 | HKF_STATUS_COMMENT, | 315 | HKF_STATUS_COMMENT, |
| 354 | 0, | 316 | 0, |
| 355 | "# Some hosts with wildcard names / IPs", | 317 | "# Some hosts with wildcard names / IPs", |
| @@ -362,7 +324,7 @@ struct expected expected_full[] = { | |||
| 362 | } }, | 324 | } }, |
| 363 | { "dsa_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, { | 325 | { "dsa_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, { |
| 364 | NULL, | 326 | NULL, |
| 365 | 16, | 327 | 14, |
| 366 | HKF_STATUS_OK, | 328 | HKF_STATUS_OK, |
| 367 | 0, | 329 | 0, |
| 368 | NULL, | 330 | NULL, |
| @@ -375,7 +337,7 @@ struct expected expected_full[] = { | |||
| 375 | } }, | 337 | } }, |
| 376 | { "ecdsa_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, { | 338 | { "ecdsa_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, { |
| 377 | NULL, | 339 | NULL, |
| 378 | 17, | 340 | 15, |
| 379 | HKF_STATUS_OK, | 341 | HKF_STATUS_OK, |
| 380 | 0, | 342 | 0, |
| 381 | NULL, | 343 | NULL, |
| @@ -388,7 +350,7 @@ struct expected expected_full[] = { | |||
| 388 | } }, | 350 | } }, |
| 389 | { "ed25519_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, { | 351 | { "ed25519_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, { |
| 390 | NULL, | 352 | NULL, |
| 391 | 18, | 353 | 16, |
| 392 | HKF_STATUS_OK, | 354 | HKF_STATUS_OK, |
| 393 | 0, | 355 | 0, |
| 394 | NULL, | 356 | NULL, |
| @@ -399,22 +361,9 @@ struct expected expected_full[] = { | |||
| 399 | NULL, /* filled at runtime */ | 361 | NULL, /* filled at runtime */ |
| 400 | "ED25519 #3", | 362 | "ED25519 #3", |
| 401 | } }, | 363 | } }, |
| 402 | { "rsa1_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, { | ||
| 403 | NULL, | ||
| 404 | 19, | ||
| 405 | HKF_STATUS_OK, | ||
| 406 | 0, | ||
| 407 | NULL, | ||
| 408 | MRK_NONE, | ||
| 409 | "*.example.com,192.0.2.*,2001:*", | ||
| 410 | NULL, | ||
| 411 | KEY_RSA1, | ||
| 412 | NULL, /* filled at runtime */ | ||
| 413 | "RSA1 #3", | ||
| 414 | } }, | ||
| 415 | { "rsa_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, { | 364 | { "rsa_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, { |
| 416 | NULL, | 365 | NULL, |
| 417 | 20, | 366 | 17, |
| 418 | HKF_STATUS_OK, | 367 | HKF_STATUS_OK, |
| 419 | 0, | 368 | 0, |
| 420 | NULL, | 369 | NULL, |
| @@ -427,7 +376,7 @@ struct expected expected_full[] = { | |||
| 427 | } }, | 376 | } }, |
| 428 | { NULL, -1, -1, 0, 0, 0, 0, -1, { | 377 | { NULL, -1, -1, 0, 0, 0, 0, -1, { |
| 429 | NULL, | 378 | NULL, |
| 430 | 21, | 379 | 18, |
| 431 | HKF_STATUS_COMMENT, | 380 | HKF_STATUS_COMMENT, |
| 432 | 0, | 381 | 0, |
| 433 | "", | 382 | "", |
| @@ -440,7 +389,7 @@ struct expected expected_full[] = { | |||
| 440 | } }, | 389 | } }, |
| 441 | { NULL, -1, -1, 0, 0, 0, 0, -1, { | 390 | { NULL, -1, -1, 0, 0, 0, 0, -1, { |
| 442 | NULL, | 391 | NULL, |
| 443 | 22, | 392 | 19, |
| 444 | HKF_STATUS_COMMENT, | 393 | HKF_STATUS_COMMENT, |
| 445 | 0, | 394 | 0, |
| 446 | "# Hashed hostname and address entries", | 395 | "# Hashed hostname and address entries", |
| @@ -453,7 +402,7 @@ struct expected expected_full[] = { | |||
| 453 | } }, | 402 | } }, |
| 454 | { "dsa_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, { | 403 | { "dsa_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, { |
| 455 | NULL, | 404 | NULL, |
| 456 | 23, | 405 | 20, |
| 457 | HKF_STATUS_OK, | 406 | HKF_STATUS_OK, |
| 458 | 0, | 407 | 0, |
| 459 | NULL, | 408 | NULL, |
| @@ -466,7 +415,7 @@ struct expected expected_full[] = { | |||
| 466 | } }, | 415 | } }, |
| 467 | { "ecdsa_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, { | 416 | { "ecdsa_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, { |
| 468 | NULL, | 417 | NULL, |
| 469 | 24, | 418 | 21, |
| 470 | HKF_STATUS_OK, | 419 | HKF_STATUS_OK, |
| 471 | 0, | 420 | 0, |
| 472 | NULL, | 421 | NULL, |
| @@ -479,7 +428,7 @@ struct expected expected_full[] = { | |||
| 479 | } }, | 428 | } }, |
| 480 | { "ed25519_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, { | 429 | { "ed25519_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, { |
| 481 | NULL, | 430 | NULL, |
| 482 | 25, | 431 | 22, |
| 483 | HKF_STATUS_OK, | 432 | HKF_STATUS_OK, |
| 484 | 0, | 433 | 0, |
| 485 | NULL, | 434 | NULL, |
| @@ -490,22 +439,9 @@ struct expected expected_full[] = { | |||
| 490 | NULL, /* filled at runtime */ | 439 | NULL, /* filled at runtime */ |
| 491 | "ED25519 #5", | 440 | "ED25519 #5", |
| 492 | } }, | 441 | } }, |
| 493 | { "rsa1_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, { | ||
| 494 | NULL, | ||
| 495 | 26, | ||
| 496 | HKF_STATUS_OK, | ||
| 497 | 0, | ||
| 498 | NULL, | ||
| 499 | MRK_NONE, | ||
| 500 | NULL, | ||
| 501 | NULL, | ||
| 502 | KEY_RSA1, | ||
| 503 | NULL, /* filled at runtime */ | ||
| 504 | "RSA1 #5", | ||
| 505 | } }, | ||
| 506 | { "rsa_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, { | 442 | { "rsa_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, { |
| 507 | NULL, | 443 | NULL, |
| 508 | 27, | 444 | 23, |
| 509 | HKF_STATUS_OK, | 445 | HKF_STATUS_OK, |
| 510 | 0, | 446 | 0, |
| 511 | NULL, | 447 | NULL, |
| @@ -518,7 +454,7 @@ struct expected expected_full[] = { | |||
| 518 | } }, | 454 | } }, |
| 519 | { NULL, -1, -1, 0, 0, 0, 0, -1, { | 455 | { NULL, -1, -1, 0, 0, 0, 0, -1, { |
| 520 | NULL, | 456 | NULL, |
| 521 | 28, | 457 | 24, |
| 522 | HKF_STATUS_COMMENT, | 458 | HKF_STATUS_COMMENT, |
| 523 | 0, | 459 | 0, |
| 524 | "", | 460 | "", |
| @@ -536,7 +472,7 @@ struct expected expected_full[] = { | |||
| 536 | */ | 472 | */ |
| 537 | { "dsa_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, { | 473 | { "dsa_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, { |
| 538 | NULL, | 474 | NULL, |
| 539 | 29, | 475 | 25, |
| 540 | HKF_STATUS_OK, | 476 | HKF_STATUS_OK, |
| 541 | 0, | 477 | 0, |
| 542 | NULL, | 478 | NULL, |
| @@ -549,7 +485,7 @@ struct expected expected_full[] = { | |||
| 549 | } }, | 485 | } }, |
| 550 | { "dsa_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, { | 486 | { "dsa_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, { |
| 551 | NULL, | 487 | NULL, |
| 552 | 30, | 488 | 26, |
| 553 | HKF_STATUS_OK, | 489 | HKF_STATUS_OK, |
| 554 | 0, | 490 | 0, |
| 555 | NULL, | 491 | NULL, |
| @@ -562,7 +498,7 @@ struct expected expected_full[] = { | |||
| 562 | } }, | 498 | } }, |
| 563 | { "dsa_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, { | 499 | { "dsa_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, { |
| 564 | NULL, | 500 | NULL, |
| 565 | 31, | 501 | 27, |
| 566 | HKF_STATUS_OK, | 502 | HKF_STATUS_OK, |
| 567 | 0, | 503 | 0, |
| 568 | NULL, | 504 | NULL, |
| @@ -575,7 +511,7 @@ struct expected expected_full[] = { | |||
| 575 | } }, | 511 | } }, |
| 576 | { "ecdsa_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, { | 512 | { "ecdsa_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, { |
| 577 | NULL, | 513 | NULL, |
| 578 | 32, | 514 | 28, |
| 579 | HKF_STATUS_OK, | 515 | HKF_STATUS_OK, |
| 580 | 0, | 516 | 0, |
| 581 | NULL, | 517 | NULL, |
| @@ -588,7 +524,7 @@ struct expected expected_full[] = { | |||
| 588 | } }, | 524 | } }, |
| 589 | { "ecdsa_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, { | 525 | { "ecdsa_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, { |
| 590 | NULL, | 526 | NULL, |
| 591 | 33, | 527 | 29, |
| 592 | HKF_STATUS_OK, | 528 | HKF_STATUS_OK, |
| 593 | 0, | 529 | 0, |
| 594 | NULL, | 530 | NULL, |
| @@ -601,7 +537,7 @@ struct expected expected_full[] = { | |||
| 601 | } }, | 537 | } }, |
| 602 | { "ecdsa_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, { | 538 | { "ecdsa_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, { |
| 603 | NULL, | 539 | NULL, |
| 604 | 34, | 540 | 30, |
| 605 | HKF_STATUS_OK, | 541 | HKF_STATUS_OK, |
| 606 | 0, | 542 | 0, |
| 607 | NULL, | 543 | NULL, |
| @@ -614,7 +550,7 @@ struct expected expected_full[] = { | |||
| 614 | } }, | 550 | } }, |
| 615 | { "ed25519_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, { | 551 | { "ed25519_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, { |
| 616 | NULL, | 552 | NULL, |
| 617 | 35, | 553 | 31, |
| 618 | HKF_STATUS_OK, | 554 | HKF_STATUS_OK, |
| 619 | 0, | 555 | 0, |
| 620 | NULL, | 556 | NULL, |
| @@ -627,7 +563,7 @@ struct expected expected_full[] = { | |||
| 627 | } }, | 563 | } }, |
| 628 | { "ed25519_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, { | 564 | { "ed25519_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, { |
| 629 | NULL, | 565 | NULL, |
| 630 | 36, | 566 | 32, |
| 631 | HKF_STATUS_OK, | 567 | HKF_STATUS_OK, |
| 632 | 0, | 568 | 0, |
| 633 | NULL, | 569 | NULL, |
| @@ -640,7 +576,7 @@ struct expected expected_full[] = { | |||
| 640 | } }, | 576 | } }, |
| 641 | { "ed25519_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, { | 577 | { "ed25519_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, { |
| 642 | NULL, | 578 | NULL, |
| 643 | 37, | 579 | 33, |
| 644 | HKF_STATUS_OK, | 580 | HKF_STATUS_OK, |
| 645 | 0, | 581 | 0, |
| 646 | NULL, | 582 | NULL, |
| @@ -651,48 +587,9 @@ struct expected expected_full[] = { | |||
| 651 | NULL, /* filled at runtime */ | 587 | NULL, /* filled at runtime */ |
| 652 | "ED25519 #6", | 588 | "ED25519 #6", |
| 653 | } }, | 589 | } }, |
| 654 | { "rsa1_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, { | ||
| 655 | NULL, | ||
| 656 | 38, | ||
| 657 | HKF_STATUS_OK, | ||
| 658 | 0, | ||
| 659 | NULL, | ||
| 660 | MRK_NONE, | ||
| 661 | NULL, | ||
| 662 | NULL, | ||
| 663 | KEY_RSA1, | ||
| 664 | NULL, /* filled at runtime */ | ||
| 665 | "RSA1 #6", | ||
| 666 | } }, | ||
| 667 | { "rsa1_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, { | ||
| 668 | NULL, | ||
| 669 | 39, | ||
| 670 | HKF_STATUS_OK, | ||
| 671 | 0, | ||
| 672 | NULL, | ||
| 673 | MRK_NONE, | ||
| 674 | NULL, | ||
| 675 | NULL, | ||
| 676 | KEY_RSA1, | ||
| 677 | NULL, /* filled at runtime */ | ||
| 678 | "RSA1 #6", | ||
| 679 | } }, | ||
| 680 | { "rsa1_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, { | ||
| 681 | NULL, | ||
| 682 | 40, | ||
| 683 | HKF_STATUS_OK, | ||
| 684 | 0, | ||
| 685 | NULL, | ||
| 686 | MRK_NONE, | ||
| 687 | NULL, | ||
| 688 | NULL, | ||
| 689 | KEY_RSA1, | ||
| 690 | NULL, /* filled at runtime */ | ||
| 691 | "RSA1 #6", | ||
| 692 | } }, | ||
| 693 | { "rsa_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, { | 590 | { "rsa_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, { |
| 694 | NULL, | 591 | NULL, |
| 695 | 41, | 592 | 34, |
| 696 | HKF_STATUS_OK, | 593 | HKF_STATUS_OK, |
| 697 | 0, | 594 | 0, |
| 698 | NULL, | 595 | NULL, |
| @@ -705,7 +602,7 @@ struct expected expected_full[] = { | |||
| 705 | } }, | 602 | } }, |
| 706 | { "rsa_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, { | 603 | { "rsa_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, { |
| 707 | NULL, | 604 | NULL, |
| 708 | 42, | 605 | 35, |
| 709 | HKF_STATUS_OK, | 606 | HKF_STATUS_OK, |
| 710 | 0, | 607 | 0, |
| 711 | NULL, | 608 | NULL, |
| @@ -718,7 +615,7 @@ struct expected expected_full[] = { | |||
| 718 | } }, | 615 | } }, |
| 719 | { "rsa_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, { | 616 | { "rsa_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, { |
| 720 | NULL, | 617 | NULL, |
| 721 | 43, | 618 | 36, |
| 722 | HKF_STATUS_OK, | 619 | HKF_STATUS_OK, |
| 723 | 0, | 620 | 0, |
| 724 | NULL, | 621 | NULL, |
| @@ -731,7 +628,7 @@ struct expected expected_full[] = { | |||
| 731 | } }, | 628 | } }, |
| 732 | { NULL, -1, -1, 0, 0, 0, 0, -1, { | 629 | { NULL, -1, -1, 0, 0, 0, 0, -1, { |
| 733 | NULL, | 630 | NULL, |
| 734 | 44, | 631 | 37, |
| 735 | HKF_STATUS_COMMENT, | 632 | HKF_STATUS_COMMENT, |
| 736 | 0, | 633 | 0, |
| 737 | "", | 634 | "", |
| @@ -744,7 +641,7 @@ struct expected expected_full[] = { | |||
| 744 | } }, | 641 | } }, |
| 745 | { NULL, -1, -1, 0, 0, 0, 0, -1, { | 642 | { NULL, -1, -1, 0, 0, 0, 0, -1, { |
| 746 | NULL, | 643 | NULL, |
| 747 | 45, | 644 | 38, |
| 748 | HKF_STATUS_COMMENT, | 645 | HKF_STATUS_COMMENT, |
| 749 | 0, | 646 | 0, |
| 750 | "", | 647 | "", |
| @@ -757,7 +654,7 @@ struct expected expected_full[] = { | |||
| 757 | } }, | 654 | } }, |
| 758 | { NULL, -1, -1, 0, 0, 0, 0, -1, { | 655 | { NULL, -1, -1, 0, 0, 0, 0, -1, { |
| 759 | NULL, | 656 | NULL, |
| 760 | 46, | 657 | 39, |
| 761 | HKF_STATUS_COMMENT, | 658 | HKF_STATUS_COMMENT, |
| 762 | 0, | 659 | 0, |
| 763 | "# Revoked and CA keys", | 660 | "# Revoked and CA keys", |
| @@ -768,22 +665,9 @@ struct expected expected_full[] = { | |||
| 768 | NULL, | 665 | NULL, |
| 769 | NULL, | 666 | NULL, |
| 770 | } }, | 667 | } }, |
| 771 | { "rsa1_4.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { | ||
| 772 | NULL, | ||
| 773 | 47, | ||
| 774 | HKF_STATUS_OK, | ||
| 775 | 0, | ||
| 776 | NULL, | ||
| 777 | MRK_REVOKE, | ||
| 778 | "sisyphus.example.com", | ||
| 779 | NULL, | ||
| 780 | KEY_RSA1, | ||
| 781 | NULL, /* filled at runtime */ | ||
| 782 | "RSA1 #4", | ||
| 783 | } }, | ||
| 784 | { "ed25519_4.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { | 668 | { "ed25519_4.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { |
| 785 | NULL, | 669 | NULL, |
| 786 | 48, | 670 | 40, |
| 787 | HKF_STATUS_OK, | 671 | HKF_STATUS_OK, |
| 788 | 0, | 672 | 0, |
| 789 | NULL, | 673 | NULL, |
| @@ -796,7 +680,7 @@ struct expected expected_full[] = { | |||
| 796 | } }, | 680 | } }, |
| 797 | { "ecdsa_4.pub" , -1, -1, HKF_MATCH_HOST, 0, 0, 0, -1, { | 681 | { "ecdsa_4.pub" , -1, -1, HKF_MATCH_HOST, 0, 0, 0, -1, { |
| 798 | NULL, | 682 | NULL, |
| 799 | 49, | 683 | 41, |
| 800 | HKF_STATUS_OK, | 684 | HKF_STATUS_OK, |
| 801 | 0, | 685 | 0, |
| 802 | NULL, | 686 | NULL, |
| @@ -809,7 +693,7 @@ struct expected expected_full[] = { | |||
| 809 | } }, | 693 | } }, |
| 810 | { "dsa_4.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, 0, 0, -1, { | 694 | { "dsa_4.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, 0, 0, -1, { |
| 811 | NULL, | 695 | NULL, |
| 812 | 50, | 696 | 42, |
| 813 | HKF_STATUS_OK, | 697 | HKF_STATUS_OK, |
| 814 | 0, | 698 | 0, |
| 815 | NULL, | 699 | NULL, |
| @@ -822,7 +706,7 @@ struct expected expected_full[] = { | |||
| 822 | } }, | 706 | } }, |
| 823 | { NULL, -1, -1, 0, 0, 0, 0, -1, { | 707 | { NULL, -1, -1, 0, 0, 0, 0, -1, { |
| 824 | NULL, | 708 | NULL, |
| 825 | 51, | 709 | 43, |
| 826 | HKF_STATUS_COMMENT, | 710 | HKF_STATUS_COMMENT, |
| 827 | 0, | 711 | 0, |
| 828 | "", | 712 | "", |
| @@ -835,7 +719,7 @@ struct expected expected_full[] = { | |||
| 835 | } }, | 719 | } }, |
| 836 | { NULL, -1, -1, 0, 0, 0, 0, -1, { | 720 | { NULL, -1, -1, 0, 0, 0, 0, -1, { |
| 837 | NULL, | 721 | NULL, |
| 838 | 52, | 722 | 44, |
| 839 | HKF_STATUS_COMMENT, | 723 | HKF_STATUS_COMMENT, |
| 840 | 0, | 724 | 0, |
| 841 | "# Some invalid lines", | 725 | "# Some invalid lines", |
| @@ -848,7 +732,7 @@ struct expected expected_full[] = { | |||
| 848 | } }, | 732 | } }, |
| 849 | { NULL, -1, -1, 0, 0, 0, 0, -1, { | 733 | { NULL, -1, -1, 0, 0, 0, 0, -1, { |
| 850 | NULL, | 734 | NULL, |
| 851 | 53, | 735 | 45, |
| 852 | HKF_STATUS_INVALID, | 736 | HKF_STATUS_INVALID, |
| 853 | 0, | 737 | 0, |
| 854 | NULL, | 738 | NULL, |
| @@ -861,7 +745,7 @@ struct expected expected_full[] = { | |||
| 861 | } }, | 745 | } }, |
| 862 | { NULL, -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { | 746 | { NULL, -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { |
| 863 | NULL, | 747 | NULL, |
| 864 | 54, | 748 | 46, |
| 865 | HKF_STATUS_INVALID, | 749 | HKF_STATUS_INVALID, |
| 866 | 0, | 750 | 0, |
| 867 | NULL, | 751 | NULL, |
| @@ -874,7 +758,7 @@ struct expected expected_full[] = { | |||
| 874 | } }, | 758 | } }, |
| 875 | { NULL, -1, -1, HKF_MATCH_HOST, 0, 0, 0, -1, { | 759 | { NULL, -1, -1, HKF_MATCH_HOST, 0, 0, 0, -1, { |
| 876 | NULL, | 760 | NULL, |
| 877 | 55, | 761 | 47, |
| 878 | HKF_STATUS_INVALID, | 762 | HKF_STATUS_INVALID, |
| 879 | 0, | 763 | 0, |
| 880 | NULL, | 764 | NULL, |
| @@ -887,33 +771,7 @@ struct expected expected_full[] = { | |||
| 887 | } }, | 771 | } }, |
| 888 | { NULL, -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { | 772 | { NULL, -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { |
| 889 | NULL, | 773 | NULL, |
| 890 | 56, | 774 | 48, |
| 891 | HKF_STATUS_INVALID, /* Would be ok if key not parsed */ | ||
| 892 | 0, | ||
| 893 | NULL, | ||
| 894 | MRK_NONE, | ||
| 895 | "sisyphus.example.com", | ||
| 896 | NULL, | ||
| 897 | KEY_UNSPEC, | ||
| 898 | NULL, | ||
| 899 | NULL, | ||
| 900 | } }, | ||
| 901 | { NULL, -1, -1, HKF_MATCH_HOST, 0, 0, 0, -1, { | ||
| 902 | NULL, | ||
| 903 | 57, | ||
| 904 | HKF_STATUS_INVALID, /* Would be ok if key not parsed */ | ||
| 905 | 0, | ||
| 906 | NULL, | ||
| 907 | MRK_NONE, | ||
| 908 | "prometheus.example.com", | ||
| 909 | NULL, | ||
| 910 | KEY_UNSPEC, | ||
| 911 | NULL, | ||
| 912 | NULL, | ||
| 913 | } }, | ||
| 914 | { NULL, HKF_STATUS_OK, KEY_RSA1, 0, HKF_MATCH_HOST, 0, 0, -1, { | ||
| 915 | NULL, | ||
| 916 | 58, | ||
| 917 | HKF_STATUS_INVALID, /* Would be ok if key not parsed */ | 775 | HKF_STATUS_INVALID, /* Would be ok if key not parsed */ |
| 918 | 0, | 776 | 0, |
| 919 | NULL, | 777 | NULL, |
| @@ -924,22 +782,9 @@ struct expected expected_full[] = { | |||
| 924 | NULL, | 782 | NULL, |
| 925 | NULL, | 783 | NULL, |
| 926 | } }, | 784 | } }, |
| 927 | { NULL, HKF_STATUS_OK, KEY_RSA1, HKF_MATCH_HOST, 0, 0, 0, -1, { | ||
| 928 | NULL, | ||
| 929 | 59, | ||
| 930 | HKF_STATUS_INVALID, /* Would be ok if key not parsed */ | ||
| 931 | 0, | ||
| 932 | NULL, | ||
| 933 | MRK_NONE, | ||
| 934 | "prometheus.example.com", | ||
| 935 | NULL, | ||
| 936 | KEY_UNSPEC, | ||
| 937 | NULL, /* filled at runtime */ | ||
| 938 | NULL, | ||
| 939 | } }, | ||
| 940 | { NULL, -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { | 785 | { NULL, -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { |
| 941 | NULL, | 786 | NULL, |
| 942 | 60, | 787 | 49, |
| 943 | HKF_STATUS_INVALID, | 788 | HKF_STATUS_INVALID, |
| 944 | 0, | 789 | 0, |
| 945 | NULL, | 790 | NULL, |
| @@ -952,7 +797,7 @@ struct expected expected_full[] = { | |||
| 952 | } }, | 797 | } }, |
| 953 | { NULL, HKF_STATUS_OK, KEY_RSA, HKF_MATCH_HOST, 0, 0, 0, -1, { | 798 | { NULL, HKF_STATUS_OK, KEY_RSA, HKF_MATCH_HOST, 0, 0, 0, -1, { |
| 954 | NULL, | 799 | NULL, |
| 955 | 61, | 800 | 50, |
| 956 | HKF_STATUS_INVALID, /* Would be ok if key not parsed */ | 801 | HKF_STATUS_INVALID, /* Would be ok if key not parsed */ |
| 957 | 0, | 802 | 0, |
| 958 | NULL, | 803 | NULL, |
diff --git a/regress/unittests/hostkeys/testdata/known_hosts b/regress/unittests/hostkeys/testdata/known_hosts index 3740f674b..4446f45df 100644 --- a/regress/unittests/hostkeys/testdata/known_hosts +++ b/regress/unittests/hostkeys/testdata/known_hosts | |||
| @@ -2,60 +2,49 @@ | |||
| 2 | sisyphus.example.com ssh-dss AAAAB3NzaC1kc3MAAACBAOqffHxEW4c+Z9q/r3l4sYK8F7qrBsU8XF9upGsW62T9InROFFq9IO0x3pQ6mDA0Wtw0sqcDmkPCHPyP4Ok/fU3/drLaZusHoVYu8pBBrWsIDrKgkeX9TEodBsSrYdl4Sqtqq9EZv9+DttV6LStZrgYyUTOKwOF95wGantpLynX5AAAAFQDdt+zjRNlETDsgmxcSYFgREirJrQAAAIBQlrPaiPhR24FhnMLcHH4016vL7AqDDID6Qw7PhbXGa4/XlxWMIigjBKrIPKvnZ6p712LSnCKtcbfdx0MtmJlNa01CYqPaRhgRaf+uGdvTkTUcdaq8R5lLJL+JMNwUhcC8ijm3NqEjXjffuebGe1EzIeiITbA7Nndcd+GytwRDegAAAIEAkRYPjSVcUxfUHhHdpP6V8CuY1+CYSs9EPJ7iiWTDuXWVIBTU32oJLAnrmAcOwtIzEfPvm+rff5FI/Yhon2pB3VTXhPPEBjYzE5qANanAT4e6tzAVc5f3DUhHaDknwRYfDz86GFvuLtDjeE/UZ9t6OofYoEsCBpYozLAprBvNIQY= DSA #1 | 2 | sisyphus.example.com ssh-dss AAAAB3NzaC1kc3MAAACBAOqffHxEW4c+Z9q/r3l4sYK8F7qrBsU8XF9upGsW62T9InROFFq9IO0x3pQ6mDA0Wtw0sqcDmkPCHPyP4Ok/fU3/drLaZusHoVYu8pBBrWsIDrKgkeX9TEodBsSrYdl4Sqtqq9EZv9+DttV6LStZrgYyUTOKwOF95wGantpLynX5AAAAFQDdt+zjRNlETDsgmxcSYFgREirJrQAAAIBQlrPaiPhR24FhnMLcHH4016vL7AqDDID6Qw7PhbXGa4/XlxWMIigjBKrIPKvnZ6p712LSnCKtcbfdx0MtmJlNa01CYqPaRhgRaf+uGdvTkTUcdaq8R5lLJL+JMNwUhcC8ijm3NqEjXjffuebGe1EzIeiITbA7Nndcd+GytwRDegAAAIEAkRYPjSVcUxfUHhHdpP6V8CuY1+CYSs9EPJ7iiWTDuXWVIBTU32oJLAnrmAcOwtIzEfPvm+rff5FI/Yhon2pB3VTXhPPEBjYzE5qANanAT4e6tzAVc5f3DUhHaDknwRYfDz86GFvuLtDjeE/UZ9t6OofYoEsCBpYozLAprBvNIQY= DSA #1 |
| 3 | sisyphus.example.com ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF6yQEtD9yBw9gmDRf477WBBzvWhAa0ioBI3nbA4emKykj0RbuQd5C4XdQAEOZGzE7v//FcCjwB2wi+JH5eKkxCtN6CjohDASZ1huoIV2UVyYIicZJEEOg1IWjjphvaxtw== ECDSA #1 | 3 | sisyphus.example.com ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF6yQEtD9yBw9gmDRf477WBBzvWhAa0ioBI3nbA4emKykj0RbuQd5C4XdQAEOZGzE7v//FcCjwB2wi+JH5eKkxCtN6CjohDASZ1huoIV2UVyYIicZJEEOg1IWjjphvaxtw== ECDSA #1 |
| 4 | sisyphus.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK9ks7jkua5YWIwByRnnnc6UPJQWI75O0e/UJdPYU1JI ED25519 #1 | 4 | sisyphus.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK9ks7jkua5YWIwByRnnnc6UPJQWI75O0e/UJdPYU1JI ED25519 #1 |
| 5 | sisyphus.example.com 1024 65537 153895431603677073925890314548566704948446776958334195280085080329934839226701954473292358821568047724356487621573742372399387931887004184139835510820577359977148363519970774657801798872789118894962853659233045778161859413980935372685480527355016624825696983269800574755126132814333241868538220824608980319407 RSA1 #1 | ||
| 6 | sisyphus.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDg4hB4vAZHJ0PVRiJajOv/GlytFWNpv5/9xgB9+5BIbvp8LOrFZ5D9K0Gsmwpd4G4rfaAz8j896DhMArg0vtkilIPPGt/6VzWMERgvaIQPJ/IE99X3+fjcAG56oAWwy29JX10lQMzBPU6XJIaN/zqpkb6qUBiAHBdLpxrFBBU0/w== RSA #1 | 5 | sisyphus.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDg4hB4vAZHJ0PVRiJajOv/GlytFWNpv5/9xgB9+5BIbvp8LOrFZ5D9K0Gsmwpd4G4rfaAz8j896DhMArg0vtkilIPPGt/6VzWMERgvaIQPJ/IE99X3+fjcAG56oAWwy29JX10lQMzBPU6XJIaN/zqpkb6qUBiAHBdLpxrFBBU0/w== RSA #1 |
| 7 | 6 | ||
| 8 | # Plain host keys, hostnames + addresses | 7 | # Plain host keys, hostnames + addresses |
| 9 | prometheus.example.com,192.0.2.1,2001:db8::1 ssh-dss AAAAB3NzaC1kc3MAAACBAI38Hy/61/O5Bp6yUG8J5XQCeNjRS0xvjlCdzKLyXCueMa+L+X2L/u9PWUsy5SVbTjGgpB8sF6UkCNsV+va7S8zCCHas2MZ7GPlxP6GZBkRPTIFR0N/Pu7wfBzDQz0t0iL4VmxBfTBQv/SxkGWZg+yHihIQP9fwdSAwD/7aVh6ItAAAAFQDSyihIUlINlswM0PJ8wXSti3yIMwAAAIB+oqzaB6ozqs8YxpN5oQOBa/9HEBQEsp8RSIlQmVubXRNgktp42n+Ii1waU9UUk8DX5ahhIeR6B7ojWkqmDAji4SKpoHf4kmr6HvYo85ZSTSx0W4YK/gJHSpDJwhlT52tAfb1JCbWSObjl09B4STv7KedCHcR5oXQvvrV+XoKOSAAAAIAue/EXrs2INw1RfaKNHC0oqOMxmRitv0BFMuNVPo1VDj39CE5kA7AHjwvS1TNeaHtK5Hhgeb6vsmLmNPTOc8xCob0ilyQbt9O0GbONeF2Ge7D2UJyULA/hxql+tCYFIC6yUrmo35fF9XiNisXLoaflk9fjp7ROWWVwnki/jstaQw== DSA #2 | 8 | prometheus.example.com,192.0.2.1,2001:db8::1 ssh-dss AAAAB3NzaC1kc3MAAACBAI38Hy/61/O5Bp6yUG8J5XQCeNjRS0xvjlCdzKLyXCueMa+L+X2L/u9PWUsy5SVbTjGgpB8sF6UkCNsV+va7S8zCCHas2MZ7GPlxP6GZBkRPTIFR0N/Pu7wfBzDQz0t0iL4VmxBfTBQv/SxkGWZg+yHihIQP9fwdSAwD/7aVh6ItAAAAFQDSyihIUlINlswM0PJ8wXSti3yIMwAAAIB+oqzaB6ozqs8YxpN5oQOBa/9HEBQEsp8RSIlQmVubXRNgktp42n+Ii1waU9UUk8DX5ahhIeR6B7ojWkqmDAji4SKpoHf4kmr6HvYo85ZSTSx0W4YK/gJHSpDJwhlT52tAfb1JCbWSObjl09B4STv7KedCHcR5oXQvvrV+XoKOSAAAAIAue/EXrs2INw1RfaKNHC0oqOMxmRitv0BFMuNVPo1VDj39CE5kA7AHjwvS1TNeaHtK5Hhgeb6vsmLmNPTOc8xCob0ilyQbt9O0GbONeF2Ge7D2UJyULA/hxql+tCYFIC6yUrmo35fF9XiNisXLoaflk9fjp7ROWWVwnki/jstaQw== DSA #2 |
| 10 | prometheus.example.com,192.0.2.1,2001:db8::1 ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAB8qVcXwgBM92NCmReQlPrZAoui4Bz/mW0VUBFOpHXXW1n+15b/Y7Pc6UBd/ITTZmaBciXY+PWaSBGdwc5GdqGdLgFyJ/QAGrFMPNpVutm/82gNQzlxpNwjbMcKyiZEXzSgnjS6DzMQ0WuSMdzIBXq8OW/Kafxg4ZkU6YqALUXxlQMZuQ== ECDSA #2 | 9 | prometheus.example.com,192.0.2.1,2001:db8::1 ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAB8qVcXwgBM92NCmReQlPrZAoui4Bz/mW0VUBFOpHXXW1n+15b/Y7Pc6UBd/ITTZmaBciXY+PWaSBGdwc5GdqGdLgFyJ/QAGrFMPNpVutm/82gNQzlxpNwjbMcKyiZEXzSgnjS6DzMQ0WuSMdzIBXq8OW/Kafxg4ZkU6YqALUXxlQMZuQ== ECDSA #2 |
| 11 | prometheus.example.com,192.0.2.1,2001:db8::1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBp6PVW0z2o9C4Ukv/JOgmK7QMFe1pD1s3ADFF7IQob ED25519 #2 | 10 | prometheus.example.com,192.0.2.1,2001:db8::1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBp6PVW0z2o9C4Ukv/JOgmK7QMFe1pD1s3ADFF7IQob ED25519 #2 |
| 12 | prometheus.example.com,192.0.2.1,2001:db8::1 1024 65537 135970715082947442639683969597180728933388298633245835186618852623800675939308729462220235058285909679252157995530180587329132927339620517781785310829060832352381015614725360278571924286986474946772141568893116432268565829418506866604294073334978275702221949783314402806080929601995102334442541344606109853641 RSA1 #2 | ||
| 13 | prometheus.example.com,192.0.2.1,2001:db8::1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDmbUhNabB5AmBDX6GNHZ3lbn7pRxqfpW+f53QqNGlK0sLV+0gkMIrOfUp1kdE2ZLE6tfzdicatj/RlH6/wuo4yyYb+Pyx3G0vxdmAIiA4aANq38XweDucBC0TZkRWVHK+Gs5V/uV0z7N0axJvkkJujMLvST3CRiiWwlficBc6yVQ== RSA #2 | 11 | prometheus.example.com,192.0.2.1,2001:db8::1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDmbUhNabB5AmBDX6GNHZ3lbn7pRxqfpW+f53QqNGlK0sLV+0gkMIrOfUp1kdE2ZLE6tfzdicatj/RlH6/wuo4yyYb+Pyx3G0vxdmAIiA4aANq38XweDucBC0TZkRWVHK+Gs5V/uV0z7N0axJvkkJujMLvST3CRiiWwlficBc6yVQ== RSA #2 |
| 14 | 12 | ||
| 15 | # Some hosts with wildcard names / IPs | 13 | # Some hosts with wildcard names / IPs |
| 16 | *.example.com,192.0.2.*,2001:* ssh-dss AAAAB3NzaC1kc3MAAACBAI6lz2Ip9bzE7TGuDD4SjO9S4Ac90gq0h6ai1O06eI8t/Ot2uJ5Jk2QyVr2jvIZHDl/5bwBx7+5oyjlwRoUrAPPD814wf5tU2tSnmdu1Wbf0cBswif5q0r4tevzmopp/AtgH11QHo3u0/pfyJd10qBDLV2FaYSKMmZvyPfZJ0s9pAAAAFQD5Eqjl6Rx2qVePodD9OwAPT0bU6wAAAIAfnDm6csZF0sFaJR3NIJvaYgSGr8s7cqlsk2gLltB/1wOOO2yX+NeEC+B0H93hlMfaUsPa08bwgmYxnavSMqEBpmtPceefJiEd68zwYqXd38f88wyWZ9Z5iwaI/6OVZPHzCbDxOa4ewVTevRNYUKP1xUTZNT8/gSMfZLYPk4T2AQAAAIAUKroozRMyV+3V/rxt0gFnNxRXBKk+9cl3vgsQ7ktkI9cYg7V1T2K0XF21AVMK9gODszy6PBJjV6ruXBV6TRiqIbQauivp3bHHKYsG6wiJNqwdbVwIjfvv8nn1qFoZQLXG3sdONr9NwN8KzrX89OV0BlR2dVM5qqp+YxOXymP9yg== DSA #3 | 14 | *.example.com,192.0.2.*,2001:* ssh-dss AAAAB3NzaC1kc3MAAACBAI6lz2Ip9bzE7TGuDD4SjO9S4Ac90gq0h6ai1O06eI8t/Ot2uJ5Jk2QyVr2jvIZHDl/5bwBx7+5oyjlwRoUrAPPD814wf5tU2tSnmdu1Wbf0cBswif5q0r4tevzmopp/AtgH11QHo3u0/pfyJd10qBDLV2FaYSKMmZvyPfZJ0s9pAAAAFQD5Eqjl6Rx2qVePodD9OwAPT0bU6wAAAIAfnDm6csZF0sFaJR3NIJvaYgSGr8s7cqlsk2gLltB/1wOOO2yX+NeEC+B0H93hlMfaUsPa08bwgmYxnavSMqEBpmtPceefJiEd68zwYqXd38f88wyWZ9Z5iwaI/6OVZPHzCbDxOa4ewVTevRNYUKP1xUTZNT8/gSMfZLYPk4T2AQAAAIAUKroozRMyV+3V/rxt0gFnNxRXBKk+9cl3vgsQ7ktkI9cYg7V1T2K0XF21AVMK9gODszy6PBJjV6ruXBV6TRiqIbQauivp3bHHKYsG6wiJNqwdbVwIjfvv8nn1qFoZQLXG3sdONr9NwN8KzrX89OV0BlR2dVM5qqp+YxOXymP9yg== DSA #3 |
| 17 | *.example.com,192.0.2.*,2001:* ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIb3BhJZk+vUQPg5TQc1koIzuGqloCq7wjr9LjlhG24IBeiFHLsdWw74HDlH4DrOmlxToVYk2lTdnjARleRByjk= ECDSA #3 | 15 | *.example.com,192.0.2.*,2001:* ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIb3BhJZk+vUQPg5TQc1koIzuGqloCq7wjr9LjlhG24IBeiFHLsdWw74HDlH4DrOmlxToVYk2lTdnjARleRByjk= ECDSA #3 |
| 18 | *.example.com,192.0.2.*,2001:* ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlYfExtYZAPqYvYdrlpGlSWhh/XNHcH3v3c2JzsVNbB ED25519 #3 | 16 | *.example.com,192.0.2.*,2001:* ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlYfExtYZAPqYvYdrlpGlSWhh/XNHcH3v3c2JzsVNbB ED25519 #3 |
| 19 | *.example.com,192.0.2.*,2001:* 1024 65537 125895605498029643697051635076028105429632810811904702876152645261610759866299221305725069141163240694267669117205342283569102183636228981857946763978553664895308762890072813014496700601576921921752482059207749978374872713540759920335553799711267170948655579130584031555334229966603000896364091459595522912269 RSA1 #3 | ||
| 20 | *.example.com,192.0.2.*,2001:* ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDX8F93W3SH4ZSus4XUQ2cw9dqcuyUETTlKEeGv3zlknV3YCoe2Mp04naDhiuwj8sOsytrZSESzLY1ZEyzrjxE6ZFVv8NKgck/AbRjcwlRFOcx9oKUxOrXRa0IoXlTq0kyjKCJfaHBKnGitZThknCPTbVmpATkm5xx6J0WEDozfoQ== RSA #3 | 17 | *.example.com,192.0.2.*,2001:* ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDX8F93W3SH4ZSus4XUQ2cw9dqcuyUETTlKEeGv3zlknV3YCoe2Mp04naDhiuwj8sOsytrZSESzLY1ZEyzrjxE6ZFVv8NKgck/AbRjcwlRFOcx9oKUxOrXRa0IoXlTq0kyjKCJfaHBKnGitZThknCPTbVmpATkm5xx6J0WEDozfoQ== RSA #3 |
| 21 | 18 | ||
| 22 | # Hashed hostname and address entries | 19 | # Hashed hostname and address entries |
| 23 | |1|6FWxoqTCAfm8sZ7T/q73OmxCFGM=|S4eQmusok4cbyDzzGEFGIAthDbw= ssh-dss AAAAB3NzaC1kc3MAAACBALrFy7w5ihlaOG+qR+6fj+vm5EQaO3qwxgACLcgH+VfShuOG4mkx8qFJmf+OZ3fh5iKngjNZfKtfcqI7zHWdk6378TQfQC52/kbZukjNXOLCpyNkogahcjA00onIoTK1RUDuMW28edAHwPFbpttXDTaqis+8JPMY8hZwsZGENCzTAAAAFQD6+It5vozwGgaN9ROYPMlByhi6jwAAAIBz2mcAC694vNzz9b6614gkX9d9E99PzJYfU1MPkXDziKg7MrjBw7Opd5y1jL09S3iL6lSTlHkKwVKvQ3pOwWRwXXRrKVus4I0STveoApm526jmp6mY0YEtqR98vMJ0v97h1ydt8FikKlihefCsnXVicb8887PXs2Y8C6GuFT3tfQAAAIBbmHtV5tPcrMRDkULhaQ/Whap2VKvT2DUhIHA7lx6oy/KpkltOpxDZOIGUHKqffGbiR7Jh01/y090AY5L2eCf0S2Ytx93+eADwVVpJbFJo6zSwfeey2Gm6L2oA+rCz9zTdmtZoekpD3/RAOQjnJIAPwbs7mXwabZTw4xRtiYIRrw== DSA #5 | 20 | |1|z3xOIdT5ue3Vuf3MzT67kaioqjw=|GZhhe5uwDOBQrC9N4cCjpbLpSn4= ssh-dss AAAAB3NzaC1kc3MAAACBALrFy7w5ihlaOG+qR+6fj+vm5EQaO3qwxgACLcgH+VfShuOG4mkx8qFJmf+OZ3fh5iKngjNZfKtfcqI7zHWdk6378TQfQC52/kbZukjNXOLCpyNkogahcjA00onIoTK1RUDuMW28edAHwPFbpttXDTaqis+8JPMY8hZwsZGENCzTAAAAFQD6+It5vozwGgaN9ROYPMlByhi6jwAAAIBz2mcAC694vNzz9b6614gkX9d9E99PzJYfU1MPkXDziKg7MrjBw7Opd5y1jL09S3iL6lSTlHkKwVKvQ3pOwWRwXXRrKVus4I0STveoApm526jmp6mY0YEtqR98vMJ0v97h1ydt8FikKlihefCsnXVicb8887PXs2Y8C6GuFT3tfQAAAIBbmHtV5tPcrMRDkULhaQ/Whap2VKvT2DUhIHA7lx6oy/KpkltOpxDZOIGUHKqffGbiR7Jh01/y090AY5L2eCf0S2Ytx93+eADwVVpJbFJo6zSwfeey2Gm6L2oA+rCz9zTdmtZoekpD3/RAOQjnJIAPwbs7mXwabZTw4xRtiYIRrw== DSA #5 |
| 24 | |1|hTrfD0CuuB9ZbOa1CHFYvIk/gKE=|tPmW50t7flncm1UyM+DR97ubDNU= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIudcagzq4QPtP1jkpje34+0POLB0jwT64hqrbCqhTH2T800KDZ0h2vwlJYa3OP3Oqru9AB5pnuHsKw7mAhUGY= ECDSA #5 | 21 | |1|B7t/AYabn8zgwU47Cb4A/Nqt3eI=|arQPZyRphkzisr7w6wwikvhaOyE= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIudcagzq4QPtP1jkpje34+0POLB0jwT64hqrbCqhTH2T800KDZ0h2vwlJYa3OP3Oqru9AB5pnuHsKw7mAhUGY= ECDSA #5 |
| 25 | |1|fOGqe75X5ZpTz4c7DitP4E8/y30=|Lmcch2fh54bUYoV//S2VqDFVeiY= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINf63qSV8rD57N+digID8t28WVhd3Yf2K2UhaoG8TsWQ ED25519 #5 | 22 | |1|JR81WxEocTP5d7goIRkl8fHBbno=|l6sj6FOsoXxgEZMzn/BnOfPKN68= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINf63qSV8rD57N+digID8t28WVhd3Yf2K2UhaoG8TsWQ ED25519 #5 |
| 26 | |1|0RVzLjY3lwE3MRweguaAXaCCWk8=|DbcIgJQcRZJMYI6NYDOM6oJycPk= 1024 65537 127931411493401587586867047972295564331543694182352197506125410692673654572057908999642645524647232712160516076508316152810117209181150078352725299319149726341058893406440426414316276977768958023952319602422835879783057966985348561111880658922724668687074412548487722084792283453716871417610020757212399252171 RSA1 #5 | 23 | |1|W7x4zY6KtTZJgsopyOusJqvVPag=|QauLt7hKezBZFZi2i4Xopho7Nsk= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC/C15Q4sfnk7BZff1er8bscay+5s51oD4eWArlHWMK/ZfYeeTAccTy+7B7Jv+MS4nKCpflrvJI2RQz4kS8vF0ATdBbi4jeWefStlHNg0HLhnCY7NAfDIlRdaN9lm3Pqm2vmr+CkqwcJaSpycDg8nPN9yNAuD6pv7NDuUnECezojQ== RSA #5 |
| 27 | |1|4q79XnHpKBNQhyMLAqbPPDN+JKo=|k1Wvjjb52zDdrXWM801+wX5oH8U= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC/C15Q4sfnk7BZff1er8bscay+5s51oD4eWArlHWMK/ZfYeeTAccTy+7B7Jv+MS4nKCpflrvJI2RQz4kS8vF0ATdBbi4jeWefStlHNg0HLhnCY7NAfDIlRdaN9lm3Pqm2vmr+CkqwcJaSpycDg8nPN9yNAuD6pv7NDuUnECezojQ== RSA #5 | ||
| 28 | 24 | ||
| 29 | |1|0M6PIx6THA3ipIOvTl3fcgn2z+A=|bwEJAOwJz+Sm7orFdgj170mD/zY= ssh-dss AAAAB3NzaC1kc3MAAACBAIutigAse65TCW6hHDOEGXenE9L4L0talHbs65hj3UUNtWflKdQeXLofqXgW8AwaDKmnuRPrxRoxVNXj84n45wtBEdt4ztmdAZteAbXSnHqpcxME3jDxh3EtxzGPXLs+RUmKPVguraSgo7W2oN7KFx6VM+AcAtxANSTlvDid3s47AAAAFQCd9Q3kkHSLWe77sW0eRaayI45ovwAAAIAw6srGF6xvFasI44Y3r9JJ2K+3ezozl3ldL3p2+p2HG3iWafC4SdV8pB6ZIxKlYAywiiFb3LzH/JweGFq1jtoFDRM3MlYORBevydU4zPz7b5QLDVB0sY4evYtWmg2BFJvoWRfhLnlZVW7h5N8v4fNIwdVmVsw4Ljes7iF2HRGhHgAAAIBDFT3fww2Oby1xUA6G9pDAcVikrQFqp1sJRylNTUyeyQ37SNAGzYxwHJFgQr8gZLdRQ1UW+idYpqVbVNcYFMOiw/zSqK2OfVwPZ9U+TTKdc992ChSup6vJEKM/ZVIyDWDbJr7igQ4ahy7jo9mFvm8ljN926EnspQzCvs0Dxk6tHA== DSA #6 | 25 | |1|mxnU8luzqWLvfVi5qBm5xVIyCRM=|9Epopft7LBd80Bf6RmWPIpwa8yU= ssh-dss AAAAB3NzaC1kc3MAAACBAIutigAse65TCW6hHDOEGXenE9L4L0talHbs65hj3UUNtWflKdQeXLofqXgW8AwaDKmnuRPrxRoxVNXj84n45wtBEdt4ztmdAZteAbXSnHqpcxME3jDxh3EtxzGPXLs+RUmKPVguraSgo7W2oN7KFx6VM+AcAtxANSTlvDid3s47AAAAFQCd9Q3kkHSLWe77sW0eRaayI45ovwAAAIAw6srGF6xvFasI44Y3r9JJ2K+3ezozl3ldL3p2+p2HG3iWafC4SdV8pB6ZIxKlYAywiiFb3LzH/JweGFq1jtoFDRM3MlYORBevydU4zPz7b5QLDVB0sY4evYtWmg2BFJvoWRfhLnlZVW7h5N8v4fNIwdVmVsw4Ljes7iF2HRGhHgAAAIBDFT3fww2Oby1xUA6G9pDAcVikrQFqp1sJRylNTUyeyQ37SNAGzYxwHJFgQr8gZLdRQ1UW+idYpqVbVNcYFMOiw/zSqK2OfVwPZ9U+TTKdc992ChSup6vJEKM/ZVIyDWDbJr7igQ4ahy7jo9mFvm8ljN926EnspQzCvs0Dxk6tHA== DSA #6 |
| 30 | |1|a6WGHcL+9gX3e96tMlgDSDJwtSg=|5Dqlb/yqNEf7jgfllrp/ygLmRV8= ssh-dss AAAAB3NzaC1kc3MAAACBAIutigAse65TCW6hHDOEGXenE9L4L0talHbs65hj3UUNtWflKdQeXLofqXgW8AwaDKmnuRPrxRoxVNXj84n45wtBEdt4ztmdAZteAbXSnHqpcxME3jDxh3EtxzGPXLs+RUmKPVguraSgo7W2oN7KFx6VM+AcAtxANSTlvDid3s47AAAAFQCd9Q3kkHSLWe77sW0eRaayI45ovwAAAIAw6srGF6xvFasI44Y3r9JJ2K+3ezozl3ldL3p2+p2HG3iWafC4SdV8pB6ZIxKlYAywiiFb3LzH/JweGFq1jtoFDRM3MlYORBevydU4zPz7b5QLDVB0sY4evYtWmg2BFJvoWRfhLnlZVW7h5N8v4fNIwdVmVsw4Ljes7iF2HRGhHgAAAIBDFT3fww2Oby1xUA6G9pDAcVikrQFqp1sJRylNTUyeyQ37SNAGzYxwHJFgQr8gZLdRQ1UW+idYpqVbVNcYFMOiw/zSqK2OfVwPZ9U+TTKdc992ChSup6vJEKM/ZVIyDWDbJr7igQ4ahy7jo9mFvm8ljN926EnspQzCvs0Dxk6tHA== DSA #6 | 26 | |1|klvLmvh2vCpkNMDEjVvrE8SJWTg=|e/dqEEBLnbgqmwEesl4cDRu/7TM= ssh-dss AAAAB3NzaC1kc3MAAACBAIutigAse65TCW6hHDOEGXenE9L4L0talHbs65hj3UUNtWflKdQeXLofqXgW8AwaDKmnuRPrxRoxVNXj84n45wtBEdt4ztmdAZteAbXSnHqpcxME3jDxh3EtxzGPXLs+RUmKPVguraSgo7W2oN7KFx6VM+AcAtxANSTlvDid3s47AAAAFQCd9Q3kkHSLWe77sW0eRaayI45ovwAAAIAw6srGF6xvFasI44Y3r9JJ2K+3ezozl3ldL3p2+p2HG3iWafC4SdV8pB6ZIxKlYAywiiFb3LzH/JweGFq1jtoFDRM3MlYORBevydU4zPz7b5QLDVB0sY4evYtWmg2BFJvoWRfhLnlZVW7h5N8v4fNIwdVmVsw4Ljes7iF2HRGhHgAAAIBDFT3fww2Oby1xUA6G9pDAcVikrQFqp1sJRylNTUyeyQ37SNAGzYxwHJFgQr8gZLdRQ1UW+idYpqVbVNcYFMOiw/zSqK2OfVwPZ9U+TTKdc992ChSup6vJEKM/ZVIyDWDbJr7igQ4ahy7jo9mFvm8ljN926EnspQzCvs0Dxk6tHA== DSA #6 |
| 31 | |1|OeCpi7Pn5Q6c8la4fPf9G8YctT8=|sC6D7lDXTafIpokZJ1+1xWg2R6Q= ssh-dss AAAAB3NzaC1kc3MAAACBAIutigAse65TCW6hHDOEGXenE9L4L0talHbs65hj3UUNtWflKdQeXLofqXgW8AwaDKmnuRPrxRoxVNXj84n45wtBEdt4ztmdAZteAbXSnHqpcxME3jDxh3EtxzGPXLs+RUmKPVguraSgo7W2oN7KFx6VM+AcAtxANSTlvDid3s47AAAAFQCd9Q3kkHSLWe77sW0eRaayI45ovwAAAIAw6srGF6xvFasI44Y3r9JJ2K+3ezozl3ldL3p2+p2HG3iWafC4SdV8pB6ZIxKlYAywiiFb3LzH/JweGFq1jtoFDRM3MlYORBevydU4zPz7b5QLDVB0sY4evYtWmg2BFJvoWRfhLnlZVW7h5N8v4fNIwdVmVsw4Ljes7iF2HRGhHgAAAIBDFT3fww2Oby1xUA6G9pDAcVikrQFqp1sJRylNTUyeyQ37SNAGzYxwHJFgQr8gZLdRQ1UW+idYpqVbVNcYFMOiw/zSqK2OfVwPZ9U+TTKdc992ChSup6vJEKM/ZVIyDWDbJr7igQ4ahy7jo9mFvm8ljN926EnspQzCvs0Dxk6tHA== DSA #6 | 27 | |1|wsk3ddB3UjuxEsoeNCeZjZ6NvZs=|O3O/q2Z/u7DrxoTiIq6kzCevQT0= ssh-dss AAAAB3NzaC1kc3MAAACBAIutigAse65TCW6hHDOEGXenE9L4L0talHbs65hj3UUNtWflKdQeXLofqXgW8AwaDKmnuRPrxRoxVNXj84n45wtBEdt4ztmdAZteAbXSnHqpcxME3jDxh3EtxzGPXLs+RUmKPVguraSgo7W2oN7KFx6VM+AcAtxANSTlvDid3s47AAAAFQCd9Q3kkHSLWe77sW0eRaayI45ovwAAAIAw6srGF6xvFasI44Y3r9JJ2K+3ezozl3ldL3p2+p2HG3iWafC4SdV8pB6ZIxKlYAywiiFb3LzH/JweGFq1jtoFDRM3MlYORBevydU4zPz7b5QLDVB0sY4evYtWmg2BFJvoWRfhLnlZVW7h5N8v4fNIwdVmVsw4Ljes7iF2HRGhHgAAAIBDFT3fww2Oby1xUA6G9pDAcVikrQFqp1sJRylNTUyeyQ37SNAGzYxwHJFgQr8gZLdRQ1UW+idYpqVbVNcYFMOiw/zSqK2OfVwPZ9U+TTKdc992ChSup6vJEKM/ZVIyDWDbJr7igQ4ahy7jo9mFvm8ljN926EnspQzCvs0Dxk6tHA== DSA #6 |
| 32 | |1|BHESVyiJ7G2NN0lxrw7vT109jmk=|TKof+015J77bXqibsh0N1Lp0MKk= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 | 28 | |1|B8epmkLSni+vGZDijr/EwxeR2k4=|7ct8yzNOVJhKm3ZD2w0XIT7df8E= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 |
| 33 | |1|wY53mZNASDJ5/P3JYCJ4FUNa6WQ=|v8p0MfV5lqlZB2J0yLxl/gsWVQo= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 | 29 | |1|JojD885UhYhbCu571rgyM/5PpYU=|BJaU2aE1FebQZy3B5tzTDRWFRG0= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 |
| 34 | |1|horeoyFPwfKhyFN+zJZ5LCfOo/I=|2ofvp0tNwCbKsV8FuiFA4gQG2Z8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 | 30 | |1|5t7UDHDybVrDZVQPCpwdnr6nk4k=|EqJ73W/veIL3H2x+YWHcJxI5ETA= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 |
| 35 | |1|Aw4fXumZfx6jEIJuDGIyeEMd81A=|5FdLtdm2JeKNsS8IQeQlGYIadOE= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 | 31 | |1|OCcBfGc/b9+ip+W6Gp+3ftdluO4=|VbrKUdzOOtIBOOmEE+jlK4SD3Xc= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 |
| 36 | |1|+dGUNpv6GblrDd5fgHLlOWpSbEo=|He/pQ1yJjtiCyTNWpGwjBD4sZFI= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 | 32 | |1|9fLN0YdP+BJ25lKuKvYuOdUo93w=|vZyr0rOiX01hv5XbghhHMW+Zb3U= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 |
| 37 | |1|E/PACGl8m1T7QnPedOoooozstP0=|w6DQAFT8yZgj0Hlkz5R1TppYHCA= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 | 33 | |1|nc9RoaaQ0s5jdPxwlUmluGHU3uk=|un6OsJajokKQ3MgyS9mfDNeyP6U= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 |
| 38 | |1|SaoyMStgxpYfwedSXBAghi8Zo0s=|Gz78k69GaE6iViV3OOvbStKqyTA= 1024 65537 140883028436203600354693376066567741282115117509696517282419557936340193768851493584179972504103033755515036493433917203732876685813283050574208967197963391667532902202382549275760997891673884333346000558018002659506756213191532156293935482587878596032743105911487673274674568768638010598205190227631909167257 RSA1 #6 | 34 | |1|rsHB6juT9q6GOY91qOeOwL6TSJE=|ps/vXF9Izuues5PbOn887Gw/2Dg= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6 |
| 39 | |1|8qfGeiT5WTCzWYbXPQ+lsLg7km4=|1sIBwiSUr8IGkvrUGm3/9QYurmA= 1024 65537 140883028436203600354693376066567741282115117509696517282419557936340193768851493584179972504103033755515036493433917203732876685813283050574208967197963391667532902202382549275760997891673884333346000558018002659506756213191532156293935482587878596032743105911487673274674568768638010598205190227631909167257 RSA1 #6 | 35 | |1|BsckdLH2aRyWQooRmv+Yo3t4dKg=|Lf3tJc5Iyx0KxNwAG89FsImsfEE= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6 |
| 40 | |1|87M1OtyHg1BZiDY3rT6lYsZFnAU=|eddAQVcMNbn2OB87XWXFQnYo6R4= 1024 65537 140883028436203600354693376066567741282115117509696517282419557936340193768851493584179972504103033755515036493433917203732876685813283050574208967197963391667532902202382549275760997891673884333346000558018002659506756213191532156293935482587878596032743105911487673274674568768638010598205190227631909167257 RSA1 #6 | 36 | |1|plqkBA4hq7UATyd5+/Xl+zL7ghw=|stacofaUed46666mfqxp9gJFjt4= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6 |
| 41 | |1|60w3wFfC0XWI+rRmRlxIRhh8lwE=|yMhsGrzBJKiesAdSQ/PVgkCrDKk= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6 | ||
| 42 | |1|5gdEMmLUJC7grqWhRJPy2OTaSyE=|/XTfmLMa/B8npcVCGFRdaHl+d/0= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6 | ||
| 43 | |1|6FGCWUr42GHdMB/eifnHNCuwgdk=|ONJvYZ/ANmi59R5HrOhLPmvYENM= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6 | ||
| 44 | 37 | ||
| 45 | 38 | ||
| 46 | # Revoked and CA keys | 39 | # Revoked and CA keys |
| 47 | @revoked sisyphus.example.com 1024 65537 174143366122697048196335388217056770310345753698079464367148030836533360510864881734142526411160017107552815906024399248049666856133771656680462456979369587903909343046704480897527203474513676654933090991684252819423129896444427656841613263783484827101210734799449281639493127615902427443211183258155381810593 RSA1 #4 | ||
| 48 | @revoked sisyphus.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFP8L9REfN/iYy1KIRtFqSCn3V2+vOCpoZYENFGLdOF ED25519 #4 | 40 | @revoked sisyphus.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFP8L9REfN/iYy1KIRtFqSCn3V2+vOCpoZYENFGLdOF ED25519 #4 |
| 49 | @cert-authority prometheus.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHZd0OXHIWwK3xnjAdMZ1tojxWycdu38pORO/UX5cqsKMgGCKQVBWWO3TFk1ePkGIE9VMWT1hCGqWRRwYlH+dSE= ECDSA #4 | 41 | @cert-authority prometheus.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHZd0OXHIWwK3xnjAdMZ1tojxWycdu38pORO/UX5cqsKMgGCKQVBWWO3TFk1ePkGIE9VMWT1hCGqWRRwYlH+dSE= ECDSA #4 |
| 50 | @cert-authority *.example.com ssh-dss AAAAB3NzaC1kc3MAAACBAKvjnFHm0VvMr5h2Zu3nURsxQKGoxm+DCzYDxRYcilK07Cm5c4XTrFbA2X86+9sGs++W7QRMcTJUYIg0a+UtIMtAjwORd6ZPXM2K5dBW+gh1oHyvKi767tWX7I2c+1ZPJDY95mUUfZQUEfdy9eGDSBmw/pSsveQ1ur6XNUh/MtP/AAAAFQDHnXk/9jBJAdce1pHtLWnbdPSGdQAAAIEAm2OLy8tZBfiEO3c3X1yyB/GTcDwrQCqRMDkhnsmrliec3dWkOfNTzu+MrdvF8ymTWLEqPpbMheYtvNyZ3TF0HO5W7aVBpdGZbOdOAIfB+6skqGbI8A5Up1d7dak/bSsqL2r5NjwbDOdq+1hBzzvbl/qjh+sQarV2zHrpKoQaV28AAACANtkBVedBbqIAdphCrN/LbUi9WlyuF9UZz+tlpVLYrj8GJVwnplV2tvOmUw6yP5/pzCimTsao8dpL5PWxm7fKxLWVxA+lEsA4WeC885CiZn8xhdaJOCN+NyJ2bqkz+4VPI7oDGBm0aFwUqJn+M1PiSgvI50XdF2dBsFRTRNY0wzA= DSA #4 | 42 | @cert-authority *.example.com ssh-dss AAAAB3NzaC1kc3MAAACBAKvjnFHm0VvMr5h2Zu3nURsxQKGoxm+DCzYDxRYcilK07Cm5c4XTrFbA2X86+9sGs++W7QRMcTJUYIg0a+UtIMtAjwORd6ZPXM2K5dBW+gh1oHyvKi767tWX7I2c+1ZPJDY95mUUfZQUEfdy9eGDSBmw/pSsveQ1ur6XNUh/MtP/AAAAFQDHnXk/9jBJAdce1pHtLWnbdPSGdQAAAIEAm2OLy8tZBfiEO3c3X1yyB/GTcDwrQCqRMDkhnsmrliec3dWkOfNTzu+MrdvF8ymTWLEqPpbMheYtvNyZ3TF0HO5W7aVBpdGZbOdOAIfB+6skqGbI8A5Up1d7dak/bSsqL2r5NjwbDOdq+1hBzzvbl/qjh+sQarV2zHrpKoQaV28AAACANtkBVedBbqIAdphCrN/LbUi9WlyuF9UZz+tlpVLYrj8GJVwnplV2tvOmUw6yP5/pzCimTsao8dpL5PWxm7fKxLWVxA+lEsA4WeC885CiZn8xhdaJOCN+NyJ2bqkz+4VPI7oDGBm0aFwUqJn+M1PiSgvI50XdF2dBsFRTRNY0wzA= DSA #4 |
| 51 | 43 | ||
| 52 | # Some invalid lines | 44 | # Some invalid lines |
| 53 | @what sisyphus.example.com 1024 65537 153895431603677073925890314548566704948446776958334195280085080329934839226701954473292358821568047724356487621573742372399387931887004184139835510820577359977148363519970774657801798872789118894962853659233045778161859413980935372685480527355016624825696983269800574755126132814333241868538220824608980319407 RSA1 #1 | 45 | @what sisyphus.example.com ssh-dss AAAAB3NzaC1kc3MAAACBAOqffHxEW4c+Z9q/r3l4sYK8F7qrBsU8XF9upGsW62T9InROFFq9IO0x3pQ6mDA0Wtw0sqcDmkPCHPyP4Ok/fU3/drLaZusHoVYu8pBBrWsIDrKgkeX9TEodBsSrYdl4Sqtqq9EZv9+DttV6LStZrgYyUTOKwOF95wGantpLynX5AAAAFQDdt+zjRNlETDsgmxcSYFgREirJrQAAAIBQlrPaiPhR24FhnMLcHH4016vL7AqDDID6Qw7PhbXGa4/XlxWMIigjBKrIPKvnZ6p712LSnCKtcbfdx0MtmJlNa01CYqPaRhgRaf+uGdvTkTUcdaq8R5lLJL+JMNwUhcC8ijm3NqEjXjffuebGe1EzIeiITbA7Nndcd+GytwRDegAAAIEAkRYPjSVcUxfUHhHdpP6V8CuY1+CYSs9EPJ7iiWTDuXWVIBTU32oJLAnrmAcOwtIzEfPvm+rff5FI/Yhon2pB3VTXhPPEBjYzE5qANanAT4e6tzAVc5f3DUhHaDknwRYfDz86GFvuLtDjeE/UZ9t6OofYoEsCBpYozLAprBvNIQY= DSA #1 |
| 54 | sisyphus.example.com | 46 | sisyphus.example.com |
| 55 | prometheus.example.com ssh-ed25519 | 47 | prometheus.example.com ssh-ed25519 |
| 56 | sisyphus.example.com ssh-dsa AAAATgAAAAdz | 48 | sisyphus.example.com ssh-dsa AAAATgAAAAdz |
| 57 | prometheus.example.com 1024 | ||
| 58 | sisyphus.example.com 1024 65535 | ||
| 59 | prometheus.example.com 1025 65537 153895431603677073925890314548566704948446776958334195280085080329934839226701954473292358821568047724356487621573742372399387931887004184139835510820577359977148363519970774657801798872789118894962853659233045778161859413980935372685480527355016624825696983269800574755126132814333241868538220824608980319407 RSA1 #1 | ||
| 60 | sisyphus.example.com ssh-XXX AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg== | 49 | sisyphus.example.com ssh-XXX AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg== |
| 61 | prometheus.example.com ssh-rsa AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg== | 50 | prometheus.example.com ssh-rsa AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg== |
diff --git a/regress/unittests/sshkey/mktestdata.sh b/regress/unittests/sshkey/mktestdata.sh index e11100145..8047bc62f 100755 --- a/regress/unittests/sshkey/mktestdata.sh +++ b/regress/unittests/sshkey/mktestdata.sh | |||
| @@ -1,25 +1,8 @@ | |||
| 1 | #!/bin/sh | 1 | #!/bin/sh |
| 2 | # $OpenBSD: mktestdata.sh,v 1.5 2015/07/07 14:53:30 markus Exp $ | 2 | # $OpenBSD: mktestdata.sh,v 1.6 2017/04/30 23:33:48 djm Exp $ |
| 3 | 3 | ||
| 4 | PW=mekmitasdigoat | 4 | PW=mekmitasdigoat |
| 5 | 5 | ||
| 6 | rsa1_params() { | ||
| 7 | _in="$1" | ||
| 8 | _outbase="$2" | ||
| 9 | set -e | ||
| 10 | ssh-keygen -f $_in -e -m pkcs8 | \ | ||
| 11 | openssl rsa -noout -text -pubin | \ | ||
| 12 | awk '/^Modulus:$/,/^Exponent:/' | \ | ||
| 13 | grep -v '^[a-zA-Z]' | tr -d ' \n:' > ${_outbase}.n | ||
| 14 | # XXX need conversion support in ssh-keygen for the other params | ||
| 15 | for x in n ; do | ||
| 16 | echo "" >> ${_outbase}.$x | ||
| 17 | echo ============ ${_outbase}.$x | ||
| 18 | cat ${_outbase}.$x | ||
| 19 | echo ============ | ||
| 20 | done | ||
| 21 | } | ||
| 22 | |||
| 23 | rsa_params() { | 6 | rsa_params() { |
| 24 | _in="$1" | 7 | _in="$1" |
| 25 | _outbase="$2" | 8 | _outbase="$2" |
| @@ -87,20 +70,18 @@ set -ex | |||
| 87 | 70 | ||
| 88 | cd testdata | 71 | cd testdata |
| 89 | 72 | ||
| 90 | rm -f rsa1_1 rsa_1 dsa_1 ecdsa_1 ed25519_1 | 73 | rm -f rsa_1 dsa_1 ecdsa_1 ed25519_1 |
| 91 | rm -f rsa1_2 rsa_2 dsa_2 ecdsa_2 ed25519_2 | 74 | rm -f rsa_2 dsa_2 ecdsa_2 ed25519_2 |
| 92 | rm -f rsa_n dsa_n ecdsa_n # new-format keys | 75 | rm -f rsa_n dsa_n ecdsa_n # new-format keys |
| 93 | rm -f rsa1_1_pw rsa_1_pw dsa_1_pw ecdsa_1_pw ed25519_1_pw | 76 | rm -f rsa_1_pw dsa_1_pw ecdsa_1_pw ed25519_1_pw |
| 94 | rm -f rsa_n_pw dsa_n_pw ecdsa_n_pw | 77 | rm -f rsa_n_pw dsa_n_pw ecdsa_n_pw |
| 95 | rm -f pw *.pub *.bn.* *.param.* *.fp *.fp.bb | 78 | rm -f pw *.pub *.bn.* *.param.* *.fp *.fp.bb |
| 96 | 79 | ||
| 97 | ssh-keygen -t rsa1 -b 1024 -C "RSA1 test key #1" -N "" -f rsa1_1 | ||
| 98 | ssh-keygen -t rsa -b 1024 -C "RSA test key #1" -N "" -f rsa_1 | 80 | ssh-keygen -t rsa -b 1024 -C "RSA test key #1" -N "" -f rsa_1 |
| 99 | ssh-keygen -t dsa -b 1024 -C "DSA test key #1" -N "" -f dsa_1 | 81 | ssh-keygen -t dsa -b 1024 -C "DSA test key #1" -N "" -f dsa_1 |
| 100 | ssh-keygen -t ecdsa -b 256 -C "ECDSA test key #1" -N "" -f ecdsa_1 | 82 | ssh-keygen -t ecdsa -b 256 -C "ECDSA test key #1" -N "" -f ecdsa_1 |
| 101 | ssh-keygen -t ed25519 -C "ED25519 test key #1" -N "" -f ed25519_1 | 83 | ssh-keygen -t ed25519 -C "ED25519 test key #1" -N "" -f ed25519_1 |
| 102 | 84 | ||
| 103 | ssh-keygen -t rsa1 -b 2048 -C "RSA1 test key #2" -N "" -f rsa1_2 | ||
| 104 | ssh-keygen -t rsa -b 2048 -C "RSA test key #2" -N "" -f rsa_2 | 85 | ssh-keygen -t rsa -b 2048 -C "RSA test key #2" -N "" -f rsa_2 |
| 105 | ssh-keygen -t dsa -b 1024 -C "DSA test key #2" -N "" -f dsa_2 | 86 | ssh-keygen -t dsa -b 1024 -C "DSA test key #2" -N "" -f dsa_2 |
| 106 | ssh-keygen -t ecdsa -b 521 -C "ECDSA test key #2" -N "" -f ecdsa_2 | 87 | ssh-keygen -t ecdsa -b 521 -C "ECDSA test key #2" -N "" -f ecdsa_2 |
| @@ -110,7 +91,6 @@ cp rsa_1 rsa_n | |||
| 110 | cp dsa_1 dsa_n | 91 | cp dsa_1 dsa_n |
| 111 | cp ecdsa_1 ecdsa_n | 92 | cp ecdsa_1 ecdsa_n |
| 112 | 93 | ||
| 113 | cp rsa1_1 rsa1_1_pw | ||
| 114 | cp rsa_1 rsa_1_pw | 94 | cp rsa_1 rsa_1_pw |
| 115 | cp dsa_1 dsa_1_pw | 95 | cp dsa_1 dsa_1_pw |
| 116 | cp ecdsa_1 ecdsa_1_pw | 96 | cp ecdsa_1 ecdsa_1_pw |
| @@ -119,7 +99,6 @@ cp rsa_1 rsa_n_pw | |||
| 119 | cp dsa_1 dsa_n_pw | 99 | cp dsa_1 dsa_n_pw |
| 120 | cp ecdsa_1 ecdsa_n_pw | 100 | cp ecdsa_1 ecdsa_n_pw |
| 121 | 101 | ||
| 122 | ssh-keygen -pf rsa1_1_pw -N "$PW" | ||
| 123 | ssh-keygen -pf rsa_1_pw -N "$PW" | 102 | ssh-keygen -pf rsa_1_pw -N "$PW" |
| 124 | ssh-keygen -pf dsa_1_pw -N "$PW" | 103 | ssh-keygen -pf dsa_1_pw -N "$PW" |
| 125 | ssh-keygen -pf ecdsa_1_pw -N "$PW" | 104 | ssh-keygen -pf ecdsa_1_pw -N "$PW" |
| @@ -128,8 +107,6 @@ ssh-keygen -opf rsa_n_pw -N "$PW" | |||
| 128 | ssh-keygen -opf dsa_n_pw -N "$PW" | 107 | ssh-keygen -opf dsa_n_pw -N "$PW" |
| 129 | ssh-keygen -opf ecdsa_n_pw -N "$PW" | 108 | ssh-keygen -opf ecdsa_n_pw -N "$PW" |
| 130 | 109 | ||
| 131 | rsa1_params rsa1_1 rsa1_1.param | ||
| 132 | rsa1_params rsa1_2 rsa1_2.param | ||
| 133 | rsa_params rsa_1 rsa_1.param | 110 | rsa_params rsa_1 rsa_1.param |
| 134 | rsa_params rsa_2 rsa_2.param | 111 | rsa_params rsa_2 rsa_2.param |
| 135 | dsa_params dsa_1 dsa_1.param | 112 | dsa_params dsa_1 dsa_1.param |
| @@ -160,12 +137,10 @@ ssh-keygen -s ecdsa_1 -I julius -n host1,host2 -h \ | |||
| 160 | ssh-keygen -s ed25519_1 -I julius -n host1,host2 -h \ | 137 | ssh-keygen -s ed25519_1 -I julius -n host1,host2 -h \ |
| 161 | -V 19990101:20110101 -z 8 ed25519_1.pub | 138 | -V 19990101:20110101 -z 8 ed25519_1.pub |
| 162 | 139 | ||
| 163 | ssh-keygen -lf rsa1_1 | awk '{print $2}' > rsa1_1.fp | ||
| 164 | ssh-keygen -lf rsa_1 | awk '{print $2}' > rsa_1.fp | 140 | ssh-keygen -lf rsa_1 | awk '{print $2}' > rsa_1.fp |
| 165 | ssh-keygen -lf dsa_1 | awk '{print $2}' > dsa_1.fp | 141 | ssh-keygen -lf dsa_1 | awk '{print $2}' > dsa_1.fp |
| 166 | ssh-keygen -lf ecdsa_1 | awk '{print $2}' > ecdsa_1.fp | 142 | ssh-keygen -lf ecdsa_1 | awk '{print $2}' > ecdsa_1.fp |
| 167 | ssh-keygen -lf ed25519_1 | awk '{print $2}' > ed25519_1.fp | 143 | ssh-keygen -lf ed25519_1 | awk '{print $2}' > ed25519_1.fp |
| 168 | ssh-keygen -lf rsa1_2 | awk '{print $2}' > rsa1_2.fp | ||
| 169 | ssh-keygen -lf rsa_2 | awk '{print $2}' > rsa_2.fp | 144 | ssh-keygen -lf rsa_2 | awk '{print $2}' > rsa_2.fp |
| 170 | ssh-keygen -lf dsa_2 | awk '{print $2}' > dsa_2.fp | 145 | ssh-keygen -lf dsa_2 | awk '{print $2}' > dsa_2.fp |
| 171 | ssh-keygen -lf ecdsa_2 | awk '{print $2}' > ecdsa_2.fp | 146 | ssh-keygen -lf ecdsa_2 | awk '{print $2}' > ecdsa_2.fp |
| @@ -176,12 +151,10 @@ ssh-keygen -lf ecdsa_1-cert.pub | awk '{print $2}' > ecdsa_1-cert.fp | |||
| 176 | ssh-keygen -lf ed25519_1-cert.pub | awk '{print $2}' > ed25519_1-cert.fp | 151 | ssh-keygen -lf ed25519_1-cert.pub | awk '{print $2}' > ed25519_1-cert.fp |
| 177 | ssh-keygen -lf rsa_1-cert.pub | awk '{print $2}' > rsa_1-cert.fp | 152 | ssh-keygen -lf rsa_1-cert.pub | awk '{print $2}' > rsa_1-cert.fp |
| 178 | 153 | ||
| 179 | ssh-keygen -Bf rsa1_1 | awk '{print $2}' > rsa1_1.fp.bb | ||
| 180 | ssh-keygen -Bf rsa_1 | awk '{print $2}' > rsa_1.fp.bb | 154 | ssh-keygen -Bf rsa_1 | awk '{print $2}' > rsa_1.fp.bb |
| 181 | ssh-keygen -Bf dsa_1 | awk '{print $2}' > dsa_1.fp.bb | 155 | ssh-keygen -Bf dsa_1 | awk '{print $2}' > dsa_1.fp.bb |
| 182 | ssh-keygen -Bf ecdsa_1 | awk '{print $2}' > ecdsa_1.fp.bb | 156 | ssh-keygen -Bf ecdsa_1 | awk '{print $2}' > ecdsa_1.fp.bb |
| 183 | ssh-keygen -Bf ed25519_1 | awk '{print $2}' > ed25519_1.fp.bb | 157 | ssh-keygen -Bf ed25519_1 | awk '{print $2}' > ed25519_1.fp.bb |
| 184 | ssh-keygen -Bf rsa1_2 | awk '{print $2}' > rsa1_2.fp.bb | ||
| 185 | ssh-keygen -Bf rsa_2 | awk '{print $2}' > rsa_2.fp.bb | 158 | ssh-keygen -Bf rsa_2 | awk '{print $2}' > rsa_2.fp.bb |
| 186 | ssh-keygen -Bf dsa_2 | awk '{print $2}' > dsa_2.fp.bb | 159 | ssh-keygen -Bf dsa_2 | awk '{print $2}' > dsa_2.fp.bb |
| 187 | ssh-keygen -Bf ecdsa_2 | awk '{print $2}' > ecdsa_2.fp.bb | 160 | ssh-keygen -Bf ecdsa_2 | awk '{print $2}' > ecdsa_2.fp.bb |
diff --git a/regress/unittests/sshkey/test_file.c b/regress/unittests/sshkey/test_file.c index 906491f2b..99b7e21c0 100644 --- a/regress/unittests/sshkey/test_file.c +++ b/regress/unittests/sshkey/test_file.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: test_file.c,v 1.5 2015/10/06 01:20:59 djm Exp $ */ | 1 | /* $OpenBSD: test_file.c,v 1.6 2017/04/30 23:33:48 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Regress test for sshkey.h key management API | 3 | * Regress test for sshkey.h key management API |
| 4 | * | 4 | * |
| @@ -51,55 +51,6 @@ sshkey_file_tests(void) | |||
| 51 | pw = load_text_file("pw"); | 51 | pw = load_text_file("pw"); |
| 52 | TEST_DONE(); | 52 | TEST_DONE(); |
| 53 | 53 | ||
| 54 | #ifdef WITH_SSH1 | ||
| 55 | TEST_START("parse RSA1 from private"); | ||
| 56 | buf = load_file("rsa1_1"); | ||
| 57 | ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); | ||
| 58 | sshbuf_free(buf); | ||
| 59 | ASSERT_PTR_NE(k1, NULL); | ||
| 60 | a = load_bignum("rsa1_1.param.n"); | ||
| 61 | ASSERT_BIGNUM_EQ(k1->rsa->n, a); | ||
| 62 | BN_free(a); | ||
| 63 | TEST_DONE(); | ||
| 64 | |||
| 65 | TEST_START("parse RSA1 from private w/ passphrase"); | ||
| 66 | buf = load_file("rsa1_1_pw"); | ||
| 67 | ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, | ||
| 68 | (const char *)sshbuf_ptr(pw), &k2, NULL), 0); | ||
| 69 | sshbuf_free(buf); | ||
| 70 | ASSERT_PTR_NE(k2, NULL); | ||
| 71 | ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); | ||
| 72 | sshkey_free(k2); | ||
| 73 | TEST_DONE(); | ||
| 74 | |||
| 75 | TEST_START("load RSA1 from public"); | ||
| 76 | ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa1_1.pub"), &k2, | ||
| 77 | NULL), 0); | ||
| 78 | ASSERT_PTR_NE(k2, NULL); | ||
| 79 | ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); | ||
| 80 | sshkey_free(k2); | ||
| 81 | TEST_DONE(); | ||
| 82 | |||
| 83 | TEST_START("RSA1 key hex fingerprint"); | ||
| 84 | buf = load_text_file("rsa1_1.fp"); | ||
| 85 | cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA256, SSH_FP_BASE64); | ||
| 86 | ASSERT_PTR_NE(cp, NULL); | ||
| 87 | ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); | ||
| 88 | sshbuf_free(buf); | ||
| 89 | free(cp); | ||
| 90 | TEST_DONE(); | ||
| 91 | |||
| 92 | TEST_START("RSA1 key bubblebabble fingerprint"); | ||
| 93 | buf = load_text_file("rsa1_1.fp.bb"); | ||
| 94 | cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE); | ||
| 95 | ASSERT_PTR_NE(cp, NULL); | ||
| 96 | ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); | ||
| 97 | sshbuf_free(buf); | ||
| 98 | free(cp); | ||
| 99 | TEST_DONE(); | ||
| 100 | |||
| 101 | sshkey_free(k1); | ||
| 102 | #endif | ||
| 103 | 54 | ||
| 104 | TEST_START("parse RSA from private"); | 55 | TEST_START("parse RSA from private"); |
| 105 | buf = load_file("rsa_1"); | 56 | buf = load_file("rsa_1"); |
diff --git a/regress/unittests/sshkey/test_fuzz.c b/regress/unittests/sshkey/test_fuzz.c index 1f414e0ac..6706045d5 100644 --- a/regress/unittests/sshkey/test_fuzz.c +++ b/regress/unittests/sshkey/test_fuzz.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: test_fuzz.c,v 1.6 2015/12/07 02:20:46 djm Exp $ */ | 1 | /* $OpenBSD: test_fuzz.c,v 1.7 2017/04/30 23:33:48 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Fuzz tests for key parsing | 3 | * Fuzz tests for key parsing |
| 4 | * | 4 | * |
| @@ -104,49 +104,6 @@ sshkey_fuzz_tests(void) | |||
| 104 | struct fuzz *fuzz; | 104 | struct fuzz *fuzz; |
| 105 | int r; | 105 | int r; |
| 106 | 106 | ||
| 107 | #ifdef WITH_SSH1 | ||
| 108 | TEST_START("fuzz RSA1 private"); | ||
| 109 | buf = load_file("rsa1_1"); | ||
| 110 | fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP | | ||
| 111 | FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END, | ||
| 112 | sshbuf_mutable_ptr(buf), sshbuf_len(buf)); | ||
| 113 | ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0); | ||
| 114 | sshkey_free(k1); | ||
| 115 | sshbuf_free(buf); | ||
| 116 | ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); | ||
| 117 | TEST_ONERROR(onerror, fuzz); | ||
| 118 | for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { | ||
| 119 | r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); | ||
| 120 | ASSERT_INT_EQ(r, 0); | ||
| 121 | if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) | ||
| 122 | sshkey_free(k1); | ||
| 123 | sshbuf_reset(fuzzed); | ||
| 124 | } | ||
| 125 | sshbuf_free(fuzzed); | ||
| 126 | fuzz_cleanup(fuzz); | ||
| 127 | TEST_DONE(); | ||
| 128 | |||
| 129 | TEST_START("fuzz RSA1 public"); | ||
| 130 | buf = load_file("rsa1_1_pw"); | ||
| 131 | fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP | | ||
| 132 | FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END, | ||
| 133 | sshbuf_mutable_ptr(buf), sshbuf_len(buf)); | ||
| 134 | ASSERT_INT_EQ(sshkey_parse_public_rsa1_fileblob(buf, &k1, NULL), 0); | ||
| 135 | sshkey_free(k1); | ||
| 136 | sshbuf_free(buf); | ||
| 137 | ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); | ||
| 138 | TEST_ONERROR(onerror, fuzz); | ||
| 139 | for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { | ||
| 140 | r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); | ||
| 141 | ASSERT_INT_EQ(r, 0); | ||
| 142 | if (sshkey_parse_public_rsa1_fileblob(fuzzed, &k1, NULL) == 0) | ||
| 143 | sshkey_free(k1); | ||
| 144 | sshbuf_reset(fuzzed); | ||
| 145 | } | ||
| 146 | sshbuf_free(fuzzed); | ||
| 147 | fuzz_cleanup(fuzz); | ||
| 148 | TEST_DONE(); | ||
| 149 | #endif | ||
| 150 | 107 | ||
| 151 | TEST_START("fuzz RSA private"); | 108 | TEST_START("fuzz RSA private"); |
| 152 | buf = load_file("rsa_1"); | 109 | buf = load_file("rsa_1"); |
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c index 1476dc2e3..0a73322a3 100644 --- a/regress/unittests/sshkey/test_sshkey.c +++ b/regress/unittests/sshkey/test_sshkey.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: test_sshkey.c,v 1.10 2016/05/02 09:52:00 djm Exp $ */ | 1 | /* $OpenBSD: test_sshkey.c,v 1.12 2017/05/08 06:08:42 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Regress test for sshkey.h key management API | 3 | * Regress test for sshkey.h key management API |
| 4 | * | 4 | * |
| @@ -193,16 +193,6 @@ sshkey_tests(void) | |||
| 193 | sshkey_free(k1); | 193 | sshkey_free(k1); |
| 194 | TEST_DONE(); | 194 | TEST_DONE(); |
| 195 | 195 | ||
| 196 | TEST_START("new/free KEY_RSA1"); | ||
| 197 | k1 = sshkey_new(KEY_RSA1); | ||
| 198 | ASSERT_PTR_NE(k1, NULL); | ||
| 199 | ASSERT_PTR_NE(k1->rsa, NULL); | ||
| 200 | ASSERT_PTR_NE(k1->rsa->n, NULL); | ||
| 201 | ASSERT_PTR_NE(k1->rsa->e, NULL); | ||
| 202 | ASSERT_PTR_EQ(k1->rsa->p, NULL); | ||
| 203 | sshkey_free(k1); | ||
| 204 | TEST_DONE(); | ||
| 205 | |||
| 206 | TEST_START("new/free KEY_RSA"); | 196 | TEST_START("new/free KEY_RSA"); |
| 207 | k1 = sshkey_new(KEY_RSA); | 197 | k1 = sshkey_new(KEY_RSA); |
| 208 | ASSERT_PTR_NE(k1, NULL); | 198 | ASSERT_PTR_NE(k1, NULL); |
| @@ -263,19 +253,19 @@ sshkey_tests(void) | |||
| 263 | 253 | ||
| 264 | TEST_START("generate KEY_RSA too small modulus"); | 254 | TEST_START("generate KEY_RSA too small modulus"); |
| 265 | ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 128, &k1), | 255 | ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 128, &k1), |
| 266 | SSH_ERR_INVALID_ARGUMENT); | 256 | SSH_ERR_KEY_LENGTH); |
| 267 | ASSERT_PTR_EQ(k1, NULL); | 257 | ASSERT_PTR_EQ(k1, NULL); |
| 268 | TEST_DONE(); | 258 | TEST_DONE(); |
| 269 | 259 | ||
| 270 | TEST_START("generate KEY_RSA too large modulus"); | 260 | TEST_START("generate KEY_RSA too large modulus"); |
| 271 | ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1 << 20, &k1), | 261 | ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1 << 20, &k1), |
| 272 | SSH_ERR_INVALID_ARGUMENT); | 262 | SSH_ERR_KEY_LENGTH); |
| 273 | ASSERT_PTR_EQ(k1, NULL); | 263 | ASSERT_PTR_EQ(k1, NULL); |
| 274 | TEST_DONE(); | 264 | TEST_DONE(); |
| 275 | 265 | ||
| 276 | TEST_START("generate KEY_DSA wrong bits"); | 266 | TEST_START("generate KEY_DSA wrong bits"); |
| 277 | ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 2048, &k1), | 267 | ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 2048, &k1), |
| 278 | SSH_ERR_INVALID_ARGUMENT); | 268 | SSH_ERR_KEY_LENGTH); |
| 279 | ASSERT_PTR_EQ(k1, NULL); | 269 | ASSERT_PTR_EQ(k1, NULL); |
| 280 | sshkey_free(k1); | 270 | sshkey_free(k1); |
| 281 | TEST_DONE(); | 271 | TEST_DONE(); |
| @@ -283,7 +273,7 @@ sshkey_tests(void) | |||
| 283 | #ifdef OPENSSL_HAS_ECC | 273 | #ifdef OPENSSL_HAS_ECC |
| 284 | TEST_START("generate KEY_ECDSA wrong bits"); | 274 | TEST_START("generate KEY_ECDSA wrong bits"); |
| 285 | ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 42, &k1), | 275 | ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 42, &k1), |
| 286 | SSH_ERR_INVALID_ARGUMENT); | 276 | SSH_ERR_KEY_LENGTH); |
| 287 | ASSERT_PTR_EQ(k1, NULL); | 277 | ASSERT_PTR_EQ(k1, NULL); |
| 288 | sshkey_free(k1); | 278 | sshkey_free(k1); |
| 289 | TEST_DONE(); | 279 | TEST_DONE(); |
| @@ -291,7 +281,7 @@ sshkey_tests(void) | |||
| 291 | 281 | ||
| 292 | TEST_START("generate KEY_RSA"); | 282 | TEST_START("generate KEY_RSA"); |
| 293 | ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 767, &kr), | 283 | ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 767, &kr), |
| 294 | SSH_ERR_INVALID_ARGUMENT); | 284 | SSH_ERR_KEY_LENGTH); |
| 295 | ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1024, &kr), 0); | 285 | ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1024, &kr), 0); |
| 296 | ASSERT_PTR_NE(kr, NULL); | 286 | ASSERT_PTR_NE(kr, NULL); |
| 297 | ASSERT_PTR_NE(kr->rsa, NULL); | 287 | ASSERT_PTR_NE(kr->rsa, NULL); |
diff --git a/regress/yes-head.sh b/regress/yes-head.sh index 1fc754211..fce2f6580 100644 --- a/regress/yes-head.sh +++ b/regress/yes-head.sh | |||
| @@ -3,13 +3,11 @@ | |||
| 3 | 3 | ||
| 4 | tid="yes pipe head" | 4 | tid="yes pipe head" |
| 5 | 5 | ||
| 6 | for p in ${SSH_PROTOCOLS}; do | 6 | lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)` |
| 7 | lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)` | 7 | if [ $? -ne 0 ]; then |
| 8 | if [ $? -ne 0 ]; then | 8 | fail "yes|head test failed" |
| 9 | fail "yes|head test failed" | 9 | lines = 0; |
| 10 | lines = 0; | 10 | fi |
| 11 | fi | 11 | if [ $lines -ne 2000 ]; then |
| 12 | if [ $lines -ne 2000 ]; then | 12 | fail "yes|head returns $lines lines instead of 2000" |
| 13 | fail "yes|head returns $lines lines instead of 2000" | 13 | fi |
| 14 | fi | ||
| 15 | done | ||