summaryrefslogtreecommitdiff
path: root/regress
diff options
context:
space:
mode:
Diffstat (limited to 'regress')
-rw-r--r--regress/Makefile3
-rw-r--r--regress/allow-deny-users.sh12
-rw-r--r--regress/authinfo.sh2
-rw-r--r--regress/cert-file.sh6
-rw-r--r--regress/cert-hostkey.sh9
-rw-r--r--regress/cfgmatchlisten.sh202
-rw-r--r--regress/cfgparse.sh6
-rw-r--r--regress/forward-control.sh77
-rw-r--r--regress/forwarding.sh3
-rw-r--r--regress/key-options.sh5
-rw-r--r--regress/keygen-knownhosts.sh35
-rw-r--r--regress/mkdtemp.c61
-rw-r--r--regress/multiplex.sh3
-rw-r--r--regress/rekey.sh12
-rw-r--r--regress/setuid-allowed.c1
-rw-r--r--regress/sshcfgparse.sh62
-rw-r--r--regress/test-exec.sh32
-rw-r--r--regress/unittests/hostkeys/test_iterate.c37
-rw-r--r--regress/unittests/match/tests.c4
-rw-r--r--regress/unittests/sshkey/test_sshkey.c5
-rwxr-xr-xregress/valgrind-unit.sh6
21 files changed, 526 insertions, 57 deletions
diff --git a/regress/Makefile b/regress/Makefile
index d15898ad0..647b4a049 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.96 2017/10/24 19:33:32 millert Exp $ 1# $OpenBSD: Makefile,v 1.97 2018/06/07 04:46:34 djm Exp $
2 2
3REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec 3REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
4tests: prep $(REGRESS_TARGETS) 4tests: prep $(REGRESS_TARGETS)
@@ -61,6 +61,7 @@ LTESTS= connect \
61 sshcfgparse \ 61 sshcfgparse \
62 cfgparse \ 62 cfgparse \
63 cfgmatch \ 63 cfgmatch \
64 cfgmatchlisten \
64 addrmatch \ 65 addrmatch \
65 localcommand \ 66 localcommand \
66 forcecommand \ 67 forcecommand \
diff --git a/regress/allow-deny-users.sh b/regress/allow-deny-users.sh
index 4165111e0..5c3895122 100644
--- a/regress/allow-deny-users.sh
+++ b/regress/allow-deny-users.sh
@@ -1,6 +1,6 @@
1# Public Domain 1# Public Domain
2# Zev Weiss, 2016 2# Zev Weiss, 2016
3# $OpenBSD: allow-deny-users.sh,v 1.4 2017/10/20 02:13:41 djm Exp $ 3# $OpenBSD: allow-deny-users.sh,v 1.5 2018/07/13 02:13:50 djm Exp $
4 4
5tid="AllowUsers/DenyUsers" 5tid="AllowUsers/DenyUsers"
6 6
@@ -10,6 +10,8 @@ if [ "x$me" = "x" ]; then
10fi 10fi
11other="nobody" 11other="nobody"
12 12
13cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
14
13test_auth() 15test_auth()
14{ 16{
15 deny="$1" 17 deny="$1"
@@ -17,17 +19,19 @@ test_auth()
17 should_succeed="$3" 19 should_succeed="$3"
18 failmsg="$4" 20 failmsg="$4"
19 21
22 cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
23 echo DenyUsers="$deny" >> $OBJ/sshd_proxy
24 echo AllowUsers="$allow" >> $OBJ/sshd_proxy
25
20 start_sshd -oDenyUsers="$deny" -oAllowUsers="$allow" 26 start_sshd -oDenyUsers="$deny" -oAllowUsers="$allow"
21 27
22 ${SSH} -F $OBJ/ssh_config "$me@somehost" true 28 ${SSH} -F $OBJ/ssh_proxy "$me@somehost" true
23 status=$? 29 status=$?
24 30
25 if (test $status -eq 0 && ! $should_succeed) \ 31 if (test $status -eq 0 && ! $should_succeed) \
26 || (test $status -ne 0 && $should_succeed); then 32 || (test $status -ne 0 && $should_succeed); then
27 fail "$failmsg" 33 fail "$failmsg"
28 fi 34 fi
29
30 stop_sshd
31} 35}
32 36
33# DenyUsers AllowUsers should_succeed failure_message 37# DenyUsers AllowUsers should_succeed failure_message
diff --git a/regress/authinfo.sh b/regress/authinfo.sh
index 3caf89478..693424afa 100644
--- a/regress/authinfo.sh
+++ b/regress/authinfo.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: authinfo.sh,v 1.2 2017/10/25 20:08:36 millert Exp $ 1# $OpenBSD: authinfo.sh,v 1.3 2018/04/10 00:13:27 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="authinfo" 4tid="authinfo"
diff --git a/regress/cert-file.sh b/regress/cert-file.sh
index 8fd62c773..1157a3582 100644
--- a/regress/cert-file.sh
+++ b/regress/cert-file.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-file.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ 1# $OpenBSD: cert-file.sh,v 1.7 2018/04/10 00:14:10 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="ssh with certificates" 4tid="ssh with certificates"
@@ -52,7 +52,7 @@ echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER
52cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config 52cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config
53 53
54# XXX: verify that certificate used was what we expect. Needs exposure of 54# XXX: verify that certificate used was what we expect. Needs exposure of
55# keys via enviornment variable or similar. 55# keys via environment variable or similar.
56 56
57 # Key with no .pub should work - finding the equivalent *-cert.pub. 57 # Key with no .pub should work - finding the equivalent *-cert.pub.
58verbose "identity cert with no plain public file" 58verbose "identity cert with no plain public file"
@@ -138,7 +138,7 @@ fi
138 138
139# try ssh with the agent and certificates 139# try ssh with the agent and certificates
140opts="-F $OBJ/ssh_proxy" 140opts="-F $OBJ/ssh_proxy"
141# with no certificates, shoud fail 141# with no certificates, should fail
142${SSH} $opts somehost exit 52 142${SSH} $opts somehost exit 52
143if [ $? -eq 52 ]; then 143if [ $? -eq 52 ]; then
144 fail "ssh connect with agent in succeeded with no cert" 144 fail "ssh connect with agent in succeeded with no cert"
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 3d5732a5d..d2ecd318b 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-hostkey.sh,v 1.15 2017/04/30 23:34:55 djm Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.16 2018/07/03 11:43:49 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
@@ -14,6 +14,13 @@ for i in `$SSH -Q key`; do
14 continue 14 continue
15 fi 15 fi
16 case "$i" in 16 case "$i" in
17 # Special treatment for RSA keys.
18 *rsa*cert*)
19 types="rsa-sha2-256-cert-v01@openssh.com,$i,$types"
20 types="rsa-sha2-512-cert-v01@openssh.com,$types";;
21 *rsa*)
22 types="$types,rsa-sha2-512,rsa-sha2-256,$i";;
23 # Prefer certificate to plain keys.
17 *cert*) types="$i,$types";; 24 *cert*) types="$i,$types";;
18 *) types="$types,$i";; 25 *) types="$types,$i";;
19 esac 26 esac
diff --git a/regress/cfgmatchlisten.sh b/regress/cfgmatchlisten.sh
new file mode 100644
index 000000000..a4fd66b32
--- /dev/null
+++ b/regress/cfgmatchlisten.sh
@@ -0,0 +1,202 @@
1# $OpenBSD: cfgmatchlisten.sh,v 1.3 2018/07/02 14:13:30 dtucker Exp $
2# Placed in the Public Domain.
3
4tid="sshd_config matchlisten"
5
6pidfile=$OBJ/remote_pid
7fwdport=3301
8fwdspec="localhost:${fwdport}"
9fwd="-R $fwdport:127.0.0.1:$PORT"
10
11echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config
12echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
13
14start_client()
15{
16 rm -f $pidfile
17 ${SSH} -vvv $fwd "$@" somehost true >>$TEST_REGRESS_LOGFILE 2>&1
18 r=$?
19 if [ $r -ne 0 ]; then
20 return $r
21 fi
22 ${SSH} -vvv $fwd "$@" somehost \
23 exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
24 >>$TEST_REGRESS_LOGFILE 2>&1 &
25 client_pid=$!
26 # Wait for remote end
27 n=0
28 while test ! -f $pidfile ; do
29 sleep 1
30 n=`expr $n + 1`
31 if test $n -gt 60; then
32 kill $client_pid
33 fatal "timeout waiting for background ssh"
34 fi
35 done
36 return $r
37}
38
39expect_client_ok()
40{
41 start_client "$@" ||
42 fail "client did not start"
43}
44
45expect_client_fail()
46{
47 local failmsg="$1"
48 shift
49 start_client "$@" &&
50 fail $failmsg
51}
52
53stop_client()
54{
55 pid=`cat $pidfile`
56 if [ ! -z "$pid" ]; then
57 kill $pid
58 fi
59 wait
60}
61
62cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
63echo "PermitListen 127.0.0.1:1" >>$OBJ/sshd_config
64echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
65echo "PermitListen 127.0.0.1:2 127.0.0.1:3 $fwdspec" >>$OBJ/sshd_config
66
67grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
68echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
69echo "PermitListen 127.0.0.1:1" >>$OBJ/sshd_proxy
70echo "Match user $USER" >>$OBJ/sshd_proxy
71echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
72echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
73echo "PermitListen 127.0.0.1:2 127.0.0.1:3 $fwdspec" >>$OBJ/sshd_proxy
74
75start_sshd
76
77#set -x
78
79# Test Match + PermitListen in sshd_config. This should be permitted
80trace "match permitlisten localhost"
81expect_client_ok -F $OBJ/ssh_config
82${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
83 fail "match permitlisten permit"
84stop_client
85
86# Same but from different source. This should not be permitted
87trace "match permitlisten proxy"
88expect_client_fail "match permitlisten deny" \
89 -F $OBJ/ssh_proxy
90
91# Retry previous with key option, should also be denied.
92cp /dev/null $OBJ/authorized_keys_$USER
93for t in ${SSH_KEYTYPES}; do
94 printf 'permitlisten="'$fwdspec'" ' >> $OBJ/authorized_keys_$USER
95 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
96done
97trace "match permitlisten proxy w/key opts"
98expect_client_fail "match permitlisten deny w/key opt"\
99 -F $OBJ/ssh_proxy
100
101# Test both sshd_config and key options permitting the same dst/port pair.
102# Should be permitted.
103trace "match permitlisten localhost"
104expect_client_ok -F $OBJ/ssh_config
105${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
106 fail "match permitlisten permit"
107stop_client
108
109# Test that a bare port number is accepted in PermitListen
110cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
111echo "PermitListen 127.0.0.1:1 $fwdport 127.0.0.2:2" >>$OBJ/sshd_proxy
112trace "match permitlisten bare"
113expect_client_ok -F $OBJ/ssh_config
114${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
115 fail "match permitlisten bare"
116stop_client
117
118# Test that an incorrect bare port number is denied as expected
119cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
120echo "PermitListen 1 2 99" >>$OBJ/sshd_proxy
121trace "match permitlisten bare"
122expect_client_fail -F $OBJ/ssh_config
123
124cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
125echo "PermitListen 127.0.0.1:1 $fwdspec 127.0.0.2:2" >>$OBJ/sshd_proxy
126echo "Match User $USER" >>$OBJ/sshd_proxy
127echo "PermitListen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
128
129# Test that a Match overrides a PermitListen in the global section
130trace "match permitlisten proxy w/key opts"
131expect_client_fail "match override permitlisten" \
132 -F $OBJ/ssh_proxy
133
134cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
135echo "PermitListen 127.0.0.1:1 $fwdspec 127.0.0.2:2" >>$OBJ/sshd_proxy
136echo "Match User NoSuchUser" >>$OBJ/sshd_proxy
137echo "PermitListen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
138
139# Test that a rule that doesn't match doesn't override, plus test a
140# PermitListen entry that's not at the start of the list
141trace "nomatch permitlisten proxy w/key opts"
142expect_client_ok -F $OBJ/ssh_proxy
143${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
144 fail "nomatch override permitlisten"
145stop_client
146
147# bind to 127.0.0.1 instead of default localhost
148fwdspec2="127.0.0.1:${fwdport}"
149fwd="-R ${fwdspec2}:127.0.0.1:$PORT"
150
151# first try w/ old fwdspec both in server config and key opts
152cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
153echo "PermitListen 127.0.0.1:1 $fwdspec 127.0.0.2:2" >>$OBJ/sshd_proxy
154cp /dev/null $OBJ/authorized_keys_$USER
155for t in ${SSH_KEYTYPES}; do
156 printf 'permitlisten="'$fwdspec'" ' >> $OBJ/authorized_keys_$USER
157 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
158done
159trace "nomatch permitlisten 127.0.0.1 server config and userkey"
160expect_client_fail "nomatch 127.0.0.1 server config and userkey" \
161 -F $OBJ/ssh_config
162
163# correct server config, denied by key opts
164cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
165echo "PermitListen 127.0.0.1:1 ${fwdspec2} 127.0.0.2:2" >>$OBJ/sshd_proxy
166trace "nomatch permitlisten 127.0.0.1 w/key opts"
167expect_client_fail "nomatch 127.0.0.1 w/key opts" \
168 -F $OBJ/ssh_config
169
170# fix key opts
171cp /dev/null $OBJ/authorized_keys_$USER
172for t in ${SSH_KEYTYPES}; do
173 printf 'permitlisten="'$fwdspec2'" ' >> $OBJ/authorized_keys_$USER
174 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
175done
176trace "match permitlisten 127.0.0.1 server config w/key opts"
177expect_client_ok -F $OBJ/ssh_proxy
178${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
179 fail "match 127.0.0.1 server config w/key opts"
180stop_client
181
182# key opts with bare port number
183cp /dev/null $OBJ/authorized_keys_$USER
184for t in ${SSH_KEYTYPES}; do
185 printf 'permitlisten="'$fwdport'" ' >> $OBJ/authorized_keys_$USER
186 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
187done
188trace "match permitlisten 127.0.0.1 server config w/key opts (bare)"
189expect_client_ok -F $OBJ/ssh_proxy
190${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
191 fail "match 127.0.0.1 server config w/key opts (bare)"
192stop_client
193
194# key opts with incorrect bare port number
195cp /dev/null $OBJ/authorized_keys_$USER
196for t in ${SSH_KEYTYPES}; do
197 printf 'permitlisten="99" ' >> $OBJ/authorized_keys_$USER
198 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
199done
200trace "match permitlisten 127.0.0.1 server config w/key opts (wrong bare)"
201expect_client_fail "nomatch 127.0.0.1 w/key opts (wrong bare)" \
202 -F $OBJ/ssh_config
diff --git a/regress/cfgparse.sh b/regress/cfgparse.sh
index ccf511f6b..a9e5c6b09 100644
--- a/regress/cfgparse.sh
+++ b/regress/cfgparse.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cfgparse.sh,v 1.6 2016/06/03 03:47:59 dtucker Exp $ 1# $OpenBSD: cfgparse.sh,v 1.7 2018/05/11 03:51:06 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="sshd config parse" 4tid="sshd config parse"
@@ -10,8 +10,8 @@ fi
10 10
11# We need to use the keys generated for the regression test because sshd -T 11# We need to use the keys generated for the regression test because sshd -T
12# will fail if we're not running with SUDO (no permissions for real keys) or 12# will fail if we're not running with SUDO (no permissions for real keys) or
13# if we are # running tests on a system that has never had sshd installed 13# if we are running tests on a system that has never had sshd installed
14# (keys won't exist). 14# because the keys won't exist.
15 15
16grep "HostKey " $OBJ/sshd_config > $OBJ/sshd_config_minimal 16grep "HostKey " $OBJ/sshd_config > $OBJ/sshd_config_minimal
17SSHD_KEYS="`cat $OBJ/sshd_config_minimal`" 17SSHD_KEYS="`cat $OBJ/sshd_config_minimal`"
diff --git a/regress/forward-control.sh b/regress/forward-control.sh
index 93d05cf63..3b1f69a71 100644
--- a/regress/forward-control.sh
+++ b/regress/forward-control.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: forward-control.sh,v 1.5 2018/03/02 02:51:55 djm Exp $ 1# $OpenBSD: forward-control.sh,v 1.7 2018/06/07 14:29:43 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="sshd control of local and remote forwarding" 4tid="sshd control of local and remote forwarding"
@@ -67,7 +67,7 @@ check_rfwd() {
67 _message=$2 67 _message=$2
68 rm -f $READY 68 rm -f $READY
69 ${SSH} -F $OBJ/ssh_proxy \ 69 ${SSH} -F $OBJ/ssh_proxy \
70 -R$RFWD_PORT:127.0.0.1:$PORT \ 70 -R127.0.0.1:$RFWD_PORT:127.0.0.1:$PORT \
71 -o ExitOnForwardFailure=yes \ 71 -o ExitOnForwardFailure=yes \
72 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ 72 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
73 >/dev/null 2>&1 & 73 >/dev/null 2>&1 &
@@ -100,8 +100,8 @@ cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
100check_lfwd Y "default configuration" 100check_lfwd Y "default configuration"
101check_rfwd Y "default configuration" 101check_rfwd Y "default configuration"
102 102
103# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N 103# Usage: lperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
104all_tests() { 104lperm_tests() {
105 _tcpfwd=$1 105 _tcpfwd=$1
106 _plain_lfwd=$2 106 _plain_lfwd=$2
107 _plain_rfwd=$3 107 _plain_rfwd=$3
@@ -109,32 +109,39 @@ all_tests() {
109 _nopermit_rfwd=$5 109 _nopermit_rfwd=$5
110 _permit_lfwd=$6 110 _permit_lfwd=$6
111 _permit_rfwd=$7 111 _permit_rfwd=$7
112 _badfwd=127.0.0.1:22 112 _badfwd1=127.0.0.1:22
113 _badfwd2=127.0.0.2:22
113 _goodfwd=127.0.0.1:${PORT} 114 _goodfwd=127.0.0.1:${PORT}
114 cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER} 115 cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
115 _prefix="AllowTcpForwarding=$_tcpfwd" 116 _prefix="AllowTcpForwarding=$_tcpfwd"
117
116 # No PermitOpen 118 # No PermitOpen
117 ( cat ${OBJ}/sshd_proxy.bak ; 119 ( cat ${OBJ}/sshd_proxy.bak ;
118 echo "AllowTcpForwarding $_tcpfwd" ) \ 120 echo "AllowTcpForwarding $_tcpfwd" ) \
119 > ${OBJ}/sshd_proxy 121 > ${OBJ}/sshd_proxy
120 check_lfwd $_plain_lfwd "$_prefix" 122 check_lfwd $_plain_lfwd "$_prefix"
121 check_rfwd $_plain_rfwd "$_prefix" 123 check_rfwd $_plain_rfwd "$_prefix"
124
122 # PermitOpen via sshd_config that doesn't match 125 # PermitOpen via sshd_config that doesn't match
123 ( cat ${OBJ}/sshd_proxy.bak ; 126 ( cat ${OBJ}/sshd_proxy.bak ;
124 echo "AllowTcpForwarding $_tcpfwd" ; 127 echo "AllowTcpForwarding $_tcpfwd" ;
125 echo "PermitOpen $_badfwd" ) \ 128 echo "PermitOpen $_badfwd1 $_badfwd2" ) \
126 > ${OBJ}/sshd_proxy 129 > ${OBJ}/sshd_proxy
127 check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen" 130 check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen"
128 check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen" 131 check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen"
129 # PermitOpen via sshd_config that does match 132 # PermitOpen via sshd_config that does match
130 ( cat ${OBJ}/sshd_proxy.bak ; 133 ( cat ${OBJ}/sshd_proxy.bak ;
131 echo "AllowTcpForwarding $_tcpfwd" ; 134 echo "AllowTcpForwarding $_tcpfwd" ;
132 echo "PermitOpen $_badfwd $_goodfwd" ) \ 135 echo "PermitOpen $_badfwd1 $_goodfwd $_badfwd2" ) \
133 > ${OBJ}/sshd_proxy 136 > ${OBJ}/sshd_proxy
137 check_lfwd $_plain_lfwd "$_prefix, PermitOpen"
138 check_rfwd $_plain_rfwd "$_prefix, PermitOpen"
139
140 # permitopen keys option.
134 # NB. permitopen via authorized_keys should have same 141 # NB. permitopen via authorized_keys should have same
135 # success/fail as via sshd_config 142 # success/fail as via sshd_config
136 # permitopen via authorized_keys that doesn't match 143 # permitopen via authorized_keys that doesn't match
137 sed "s/^/permitopen=\"$_badfwd\" /" \ 144 sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_badfwd2\" /" \
138 < ${OBJ}/authorized_keys_${USER}.bak \ 145 < ${OBJ}/authorized_keys_${USER}.bak \
139 > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" 146 > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
140 ( cat ${OBJ}/sshd_proxy.bak ; 147 ( cat ${OBJ}/sshd_proxy.bak ;
@@ -143,7 +150,7 @@ all_tests() {
143 check_lfwd $_nopermit_lfwd "$_prefix, !permitopen" 150 check_lfwd $_nopermit_lfwd "$_prefix, !permitopen"
144 check_rfwd $_nopermit_rfwd "$_prefix, !permitopen" 151 check_rfwd $_nopermit_rfwd "$_prefix, !permitopen"
145 # permitopen via authorized_keys that does match 152 # permitopen via authorized_keys that does match
146 sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \ 153 sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_goodfwd\" /" \
147 < ${OBJ}/authorized_keys_${USER}.bak \ 154 < ${OBJ}/authorized_keys_${USER}.bak \
148 > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" 155 > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
149 ( cat ${OBJ}/sshd_proxy.bak ; 156 ( cat ${OBJ}/sshd_proxy.bak ;
@@ -151,6 +158,7 @@ all_tests() {
151 > ${OBJ}/sshd_proxy 158 > ${OBJ}/sshd_proxy
152 check_lfwd $_permit_lfwd "$_prefix, permitopen" 159 check_lfwd $_permit_lfwd "$_prefix, permitopen"
153 check_rfwd $_permit_rfwd "$_prefix, permitopen" 160 check_rfwd $_permit_rfwd "$_prefix, permitopen"
161
154 # Check port-forwarding flags in authorized_keys. 162 # Check port-forwarding flags in authorized_keys.
155 # These two should refuse all. 163 # These two should refuse all.
156 sed "s/^/no-port-forwarding /" \ 164 sed "s/^/no-port-forwarding /" \
@@ -180,9 +188,48 @@ all_tests() {
180 check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding" 188 check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding"
181} 189}
182 190
183# no-permitopen mismatch-permitopen match-permitopen 191# permit-open none mismatch match
184# AllowTcpForwarding local remote local remote local remote 192# AllowTcpForwarding local remote local remote local remote
185all_tests yes Y Y N Y Y Y 193lperm_tests yes Y Y N Y Y Y
186all_tests local Y N N N Y N 194lperm_tests local Y N N N Y N
187all_tests remote N Y N Y N Y 195lperm_tests remote N Y N Y N Y
188all_tests no N N N N N N 196lperm_tests no N N N N N N
197
198# Usage: rperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
199rperm_tests() {
200 _tcpfwd=$1
201 _plain_lfwd=$2
202 _plain_rfwd=$3
203 _nopermit_lfwd=$4
204 _nopermit_rfwd=$5
205 _permit_lfwd=$6
206 _permit_rfwd=$7
207 _badfwd1=127.0.0.1:22
208 _badfwd2=127.0.0.2:${RFWD_PORT}
209 _goodfwd=127.0.0.1:${RFWD_PORT}
210 cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
211 _prefix="AllowTcpForwarding=$_tcpfwd"
212
213 # PermitListen via sshd_config that doesn't match
214 ( cat ${OBJ}/sshd_proxy.bak ;
215 echo "AllowTcpForwarding $_tcpfwd" ;
216 echo "PermitListen $_badfwd1 $_badfwd2" ) \
217 > ${OBJ}/sshd_proxy
218 check_lfwd $_nopermit_lfwd "$_prefix, !PermitListen"
219 check_rfwd $_nopermit_rfwd "$_prefix, !PermitListen"
220 # PermitListen via sshd_config that does match
221 ( cat ${OBJ}/sshd_proxy.bak ;
222 echo "AllowTcpForwarding $_tcpfwd" ;
223 echo "PermitListen $_badfwd1 $_goodfwd $_badfwd2" ) \
224 > ${OBJ}/sshd_proxy
225 check_lfwd $_plain_lfwd "$_prefix, PermitListen"
226 check_rfwd $_plain_rfwd "$_prefix, PermitListen"
227}
228
229# permit-remote-open none mismatch match
230# AllowTcpForwarding local remote local remote local remote
231rperm_tests yes Y Y Y N Y Y
232rperm_tests local Y N Y N Y N
233rperm_tests remote N Y N N N Y
234rperm_tests no N N N N N N
235
diff --git a/regress/forwarding.sh b/regress/forwarding.sh
index 39fccba73..7d0fae114 100644
--- a/regress/forwarding.sh
+++ b/regress/forwarding.sh
@@ -10,7 +10,8 @@ start_sshd
10base=33 10base=33
11last=$PORT 11last=$PORT
12fwd="" 12fwd=""
13CTL=/tmp/openssh.regress.ctl-sock.$$ 13make_tmpdir
14CTL=${SSH_REGRESS_TMP}/ctl-sock
14 15
15for j in 0 1 2; do 16for j in 0 1 2; do
16 for i in 0 1 2; do 17 for i in 0 1 2; do
diff --git a/regress/key-options.sh b/regress/key-options.sh
index d680737c1..112c9bd8e 100644
--- a/regress/key-options.sh
+++ b/regress/key-options.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: key-options.sh,v 1.8 2018/03/14 05:35:40 djm Exp $ 1# $OpenBSD: key-options.sh,v 1.9 2018/07/03 13:53:26 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="key options" 4tid="key options"
@@ -27,6 +27,7 @@ expect_pty_succeed() {
27 rm -f $OBJ/data 27 rm -f $OBJ/data
28 sed "s/.*/$opts &/" $origkeys >$authkeys 28 sed "s/.*/$opts &/" $origkeys >$authkeys
29 verbose "key option pty $which" 29 verbose "key option pty $which"
30 config_defined HAVE_OPENPTY || verbose "skipped for no openpty(3)"
30 ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0" 31 ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0"
31 if [ $? -ne 0 ] ; then 32 if [ $? -ne 0 ] ; then
32 fail "key option failed $which" 33 fail "key option failed $which"
@@ -44,6 +45,7 @@ expect_pty_fail() {
44 rm -f $OBJ/data 45 rm -f $OBJ/data
45 sed "s/.*/$opts &/" $origkeys >$authkeys 46 sed "s/.*/$opts &/" $origkeys >$authkeys
46 verbose "key option pty $which" 47 verbose "key option pty $which"
48 config_defined HAVE_OPENPTY || verbose "skipped for no openpty(3)"
47 ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0" 49 ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0"
48 if [ $? -eq 0 ]; then 50 if [ $? -eq 0 ]; then
49 r=`cat $OBJ/data` 51 r=`cat $OBJ/data`
@@ -63,6 +65,7 @@ expect_pty_fail "restrict" "restrict"
63expect_pty_succeed "restrict,pty" "restrict,pty" 65expect_pty_succeed "restrict,pty" "restrict,pty"
64 66
65# Test environment= 67# Test environment=
68# XXX this can fail if ~/.ssh/environment exists for the user running the test
66echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy 69echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
67sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys 70sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys
68verbose "key option environment" 71verbose "key option environment"
diff --git a/regress/keygen-knownhosts.sh b/regress/keygen-knownhosts.sh
index 693cd0e75..37af34769 100644
--- a/regress/keygen-knownhosts.sh
+++ b/regress/keygen-knownhosts.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: keygen-knownhosts.sh,v 1.3 2015/07/17 03:34:27 djm Exp $ 1# $OpenBSD: keygen-knownhosts.sh,v 1.4 2018/06/01 03:52:37 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="ssh-keygen known_hosts" 4tid="ssh-keygen known_hosts"
@@ -55,13 +55,24 @@ expect_key() {
55check_find() { 55check_find() {
56 _host=$1 56 _host=$1
57 _name=$2 57 _name=$2
58 _keygenopt=$3 58 shift; shift
59 ${SSHKEYGEN} $_keygenopt -f $OBJ/kh.invalid -F $_host > $OBJ/kh.result 59 ${SSHKEYGEN} "$@" -f $OBJ/kh.invalid -F $_host > $OBJ/kh.result
60 if ! diff -w $OBJ/kh.expect $OBJ/kh.result ; then 60 if ! diff -w $OBJ/kh.expect $OBJ/kh.result ; then
61 fail "didn't find $_name" 61 fail "didn't find $_name"
62 fi 62 fi
63} 63}
64 64
65check_find_exit_code() {
66 _host=$1
67 _name=$2
68 _keygenopt=$3
69 _exp_exit_code=$4
70 ${SSHKEYGEN} $_keygenopt -f $OBJ/kh.invalid -F $_host > /dev/null
71 if [ "$?" != "$_exp_exit_code" ] ; then
72 fail "Unexpected exit code $_name"
73 fi
74}
75
65# Find key 76# Find key
66rm -f $OBJ/kh.expect 77rm -f $OBJ/kh.expect
67expect_key host-a host-a host-a 2 78expect_key host-a host-a host-a 2
@@ -88,6 +99,18 @@ rm -f $OBJ/kh.expect
88expect_key host-h "host-f,host-g,host-h " host-f 17 99expect_key host-h "host-f,host-g,host-h " host-f 17
89check_find host-h "find multiple hosts" 100check_find host-h "find multiple hosts"
90 101
102# Check exit code, known host
103check_find_exit_code host-a "known host" "-q" "0"
104
105# Check exit code, unknown host
106check_find_exit_code host-aa "unknown host" "-q" "1"
107
108# Check exit code, the hash mode, known host
109check_find_exit_code host-a "known host" "-q -H" "0"
110
111# Check exit code, the hash mode, unknown host
112check_find_exit_code host-aa "unknown host" "-q -H" "1"
113
91check_hashed_find() { 114check_hashed_find() {
92 _host=$1 115 _host=$1
93 _name=$2 116 _name=$2
@@ -110,19 +133,19 @@ check_hashed_find host-a "find simple and hash"
110rm -f $OBJ/kh.expect 133rm -f $OBJ/kh.expect
111expect_key host-c host-c host-c "" CA 134expect_key host-c host-c host-c "" CA
112# CA key output is not hashed. 135# CA key output is not hashed.
113check_find host-c "find simple and hash" -H 136check_find host-c "find simple and hash" -Hq
114 137
115# Find revoked key and hash 138# Find revoked key and hash
116rm -f $OBJ/kh.expect 139rm -f $OBJ/kh.expect
117expect_key host-d host-d host-d "" REVOKED 140expect_key host-d host-d host-d "" REVOKED
118# Revoked key output is not hashed. 141# Revoked key output is not hashed.
119check_find host-d "find simple and hash" -H 142check_find host-d "find simple and hash" -Hq
120 143
121# find key with wildcard and hash 144# find key with wildcard and hash
122rm -f $OBJ/kh.expect 145rm -f $OBJ/kh.expect
123expect_key host-e "host-e*" host-e "" 146expect_key host-e "host-e*" host-e ""
124# Key with wildcard hostname should not be hashed. 147# Key with wildcard hostname should not be hashed.
125check_find host-e "find wildcard key" -H 148check_find host-e "find wildcard key" -Hq
126 149
127# find key among multiple hosts 150# find key among multiple hosts
128rm -f $OBJ/kh.expect 151rm -f $OBJ/kh.expect
diff --git a/regress/mkdtemp.c b/regress/mkdtemp.c
new file mode 100644
index 000000000..a7be1bdab
--- /dev/null
+++ b/regress/mkdtemp.c
@@ -0,0 +1,61 @@
1/*
2 * Copyright (c) 2017 Colin Watson <cjwatson@debian.org>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17/* Roughly equivalent to "mktemp -d -t TEMPLATE", but portable. */
18
19#include "includes.h"
20
21#include <limits.h>
22#include <stdarg.h>
23#include <stdio.h>
24#include <stdlib.h>
25#include <unistd.h>
26
27#include "log.h"
28
29static void
30usage(void)
31{
32 fprintf(stderr, "mkdtemp template\n");
33 exit(1);
34}
35
36int
37main(int argc, char **argv)
38{
39 const char *base;
40 const char *tmpdir;
41 char template[PATH_MAX];
42 int r;
43 char *dir;
44
45 if (argc != 2)
46 usage();
47 base = argv[1];
48
49 if ((tmpdir = getenv("TMPDIR")) == NULL)
50 tmpdir = "/tmp";
51 r = snprintf(template, sizeof(template), "%s/%s", tmpdir, base);
52 if (r < 0 || (size_t)r >= sizeof(template))
53 fatal("template string too long");
54 dir = mkdtemp(template);
55 if (dir == NULL) {
56 perror("mkdtemp");
57 exit(1);
58 }
59 puts(dir);
60 return 0;
61}
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index 078a53a88..a6fad8eb8 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,7 +1,8 @@
1# $OpenBSD: multiplex.sh,v 1.28 2017/04/30 23:34:55 djm Exp $ 1# $OpenBSD: multiplex.sh,v 1.28 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4CTL=/tmp/openssh.regress.ctl-sock.$$ 4make_tmpdir
5CTL=${SSH_REGRESS_TMP}/ctl-sock
5 6
6tid="connection multiplexing" 7tid="connection multiplexing"
7 8
diff --git a/regress/rekey.sh b/regress/rekey.sh
index ae145bc8b..fd6a02cc7 100644
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: rekey.sh,v 1.17 2016/01/29 05:18:15 dtucker Exp $ 1# $OpenBSD: rekey.sh,v 1.18 2018/04/10 00:14:10 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="rekey" 4tid="rekey"
@@ -30,7 +30,7 @@ ssh_data_rekeying()
30 n=`expr $n - 1` 30 n=`expr $n - 1`
31 trace "$n rekeying(s)" 31 trace "$n rekeying(s)"
32 if [ $n -lt 1 ]; then 32 if [ $n -lt 1 ]; then
33 fail "no rekeying occured ($@)" 33 fail "no rekeying occurred ($@)"
34 fi 34 fi
35} 35}
36 36
@@ -80,7 +80,7 @@ for s in 5 10; do
80 n=`expr $n - 1` 80 n=`expr $n - 1`
81 trace "$n rekeying(s)" 81 trace "$n rekeying(s)"
82 if [ $n -lt 1 ]; then 82 if [ $n -lt 1 ]; then
83 fail "no rekeying occured" 83 fail "no rekeying occurred"
84 fi 84 fi
85done 85done
86 86
@@ -96,7 +96,7 @@ for s in 5 10; do
96 n=`expr $n - 1` 96 n=`expr $n - 1`
97 trace "$n rekeying(s)" 97 trace "$n rekeying(s)"
98 if [ $n -lt 1 ]; then 98 if [ $n -lt 1 ]; then
99 fail "no rekeying occured" 99 fail "no rekeying occurred"
100 fi 100 fi
101done 101done
102 102
@@ -115,7 +115,7 @@ for s in 16 1k 128k 256k; do
115 n=`expr $n - 1` 115 n=`expr $n - 1`
116 trace "$n rekeying(s)" 116 trace "$n rekeying(s)"
117 if [ $n -lt 1 ]; then 117 if [ $n -lt 1 ]; then
118 fail "no rekeying occured" 118 fail "no rekeying occurred"
119 fi 119 fi
120done 120done
121 121
@@ -132,7 +132,7 @@ for s in 5 10; do
132 n=`expr $n - 1` 132 n=`expr $n - 1`
133 trace "$n rekeying(s)" 133 trace "$n rekeying(s)"
134 if [ $n -lt 1 ]; then 134 if [ $n -lt 1 ]; then
135 fail "no rekeying occured" 135 fail "no rekeying occurred"
136 fi 136 fi
137done 137done
138 138
diff --git a/regress/setuid-allowed.c b/regress/setuid-allowed.c
index 7a0527fd0..d91d9f194 100644
--- a/regress/setuid-allowed.c
+++ b/regress/setuid-allowed.c
@@ -22,6 +22,7 @@
22#ifdef HAVE_SYS_STATVFS_H 22#ifdef HAVE_SYS_STATVFS_H
23# include <sys/statvfs.h> 23# include <sys/statvfs.h>
24#endif 24#endif
25#include <stdlib.h>
25#include <stdio.h> 26#include <stdio.h>
26#include <string.h> 27#include <string.h>
27#include <errno.h> 28#include <errno.h>
diff --git a/regress/sshcfgparse.sh b/regress/sshcfgparse.sh
index 010e02865..e0ce568d7 100644
--- a/regress/sshcfgparse.sh
+++ b/regress/sshcfgparse.sh
@@ -1,8 +1,27 @@
1# $OpenBSD: sshcfgparse.sh,v 1.2 2016/07/14 01:24:21 dtucker Exp $ 1# $OpenBSD: sshcfgparse.sh,v 1.4 2018/07/04 13:51:12 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="ssh config parse" 4tid="ssh config parse"
5 5
6expect_result_present() {
7 _str="$1" ; shift
8 for _expect in "$@" ; do
9 echo "$f" | tr ',' '\n' | grep "^$_expect\$" >/dev/null
10 if test $? -ne 0 ; then
11 fail "missing expected \"$_expect\" from \"$_str\""
12 fi
13 done
14}
15expect_result_absent() {
16 _str="$1" ; shift
17 for _expect in "$@" ; do
18 echo "$f" | tr ',' '\n' | grep "^$_expect\$" >/dev/null
19 if test $? -eq 0 ; then
20 fail "unexpected \"$_expect\" present in \"$_str\""
21 fi
22 done
23}
24
6verbose "reparse minimal config" 25verbose "reparse minimal config"
7(${SSH} -G -F $OBJ/ssh_config somehost >$OBJ/ssh_config.1 && 26(${SSH} -G -F $OBJ/ssh_config somehost >$OBJ/ssh_config.1 &&
8 ${SSH} -G -F $OBJ/ssh_config.1 somehost >$OBJ/ssh_config.2 && 27 ${SSH} -G -F $OBJ/ssh_config.1 somehost >$OBJ/ssh_config.2 &&
@@ -25,5 +44,46 @@ f=`${SSH} -GF $OBJ/ssh_config -W a:1 -o clearallforwardings=no h | \
25 awk '/clearallforwardings/{print $2}'` 44 awk '/clearallforwardings/{print $2}'`
26test "$f" = "no" || fail "clearallforwardings override" 45test "$f" = "no" || fail "clearallforwardings override"
27 46
47verbose "user first match"
48user=`awk '$1=="User" {print $2}' $OBJ/ssh_config`
49f=`${SSH} -GF $OBJ/ssh_config host | awk '/^user /{print $2}'`
50test "$f" = "$user" || fail "user from config, expected '$user' got '$f'"
51f=`${SSH} -GF $OBJ/ssh_config -o user=foo -l bar baz@host | awk '/^user /{print $2}'`
52test "$f" = "foo" || fail "user first match -oUser, expected 'foo' got '$f' "
53f=`${SSH} -GF $OBJ/ssh_config -lbar baz@host user=foo baz@host | awk '/^user /{print $2}'`
54test "$f" = "bar" || fail "user first match -l, expected 'bar' got '$f'"
55f=`${SSH} -GF $OBJ/ssh_config baz@host -o user=foo -l bar baz@host | awk '/^user /{print $2}'`
56test "$f" = "baz" || fail "user first match user@host, expected 'baz' got '$f'"
57
58verbose "pubkeyacceptedkeytypes"
59# Default set
60f=`${SSH} -GF none host | awk '/^pubkeyacceptedkeytypes /{print $2}'`
61expect_result_present "$f" "ssh-ed25519" "ssh-ed25519-cert-v01.*"
62expect_result_absent "$f" "ssh-dss"
63# Explicit override
64f=`${SSH} -GF none -opubkeyacceptedkeytypes=ssh-ed25519 host | \
65 awk '/^pubkeyacceptedkeytypes /{print $2}'`
66expect_result_present "$f" "ssh-ed25519"
67expect_result_absent "$f" "ssh-ed25519-cert-v01.*" "ssh-dss"
68# Removal from default set
69f=`${SSH} -GF none -opubkeyacceptedkeytypes=-ssh-ed25519-cert* host | \
70 awk '/^pubkeyacceptedkeytypes /{print $2}'`
71expect_result_present "$f" "ssh-ed25519"
72expect_result_absent "$f" "ssh-ed25519-cert-v01.*" "ssh-dss"
73f=`${SSH} -GF none -opubkeyacceptedkeytypes=-ssh-ed25519 host | \
74 awk '/^pubkeyacceptedkeytypes /{print $2}'`
75expect_result_present "$f" "ssh-ed25519-cert-v01.*"
76expect_result_absent "$f" "ssh-ed25519" "ssh-dss"
77# Append to default set.
78# XXX this will break for !WITH_OPENSSL
79f=`${SSH} -GF none -opubkeyacceptedkeytypes=+ssh-dss-cert* host | \
80 awk '/^pubkeyacceptedkeytypes /{print $2}'`
81expect_result_present "$f" "ssh-ed25519" "ssh-dss-cert-v01.*"
82expect_result_absent "$f" "ssh-dss"
83f=`${SSH} -GF none -opubkeyacceptedkeytypes=+ssh-dss host | \
84 awk '/^pubkeyacceptedkeytypes /{print $2}'`
85expect_result_present "$f" "ssh-ed25519" "ssh-ed25519-cert-v01.*" "ssh-dss"
86expect_result_absent "$f" "ssh-dss-cert-v01.*"
87
28# cleanup 88# cleanup
29rm -f $OBJ/ssh_config.[012] 89rm -f $OBJ/ssh_config.[012]
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index b6169f157..40d46e3cd 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: test-exec.sh,v 1.62 2018/03/16 09:06:31 dtucker Exp $ 1# $OpenBSD: test-exec.sh,v 1.64 2018/08/10 01:35:49 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4#SUDO=sudo 4#SUDO=sudo
@@ -76,6 +76,9 @@ SFTP=sftp
76SFTPSERVER=/usr/libexec/openssh/sftp-server 76SFTPSERVER=/usr/libexec/openssh/sftp-server
77SCP=scp 77SCP=scp
78 78
79# Set by make_tmpdir() on demand (below).
80SSH_REGRESS_TMP=
81
79# Interop testing 82# Interop testing
80PLINK=plink 83PLINK=plink
81PUTTYGEN=puttygen 84PUTTYGEN=puttygen
@@ -163,9 +166,13 @@ if [ "x$USE_VALGRIND" != "x" ]; then
163 esac 166 esac
164 167
165 if [ x"$VG_SKIP" = "x" ]; then 168 if [ x"$VG_SKIP" = "x" ]; then
169 VG_LEAK="--leak-check=no"
170 if [ x"$VALGRIND_CHECK_LEAKS" != "x" ]; then
171 VG_LEAK="--leak-check=full"
172 fi
166 VG_IGNORE="/bin/*,/sbin/*,/usr/*,/var/*" 173 VG_IGNORE="/bin/*,/sbin/*,/usr/*,/var/*"
167 VG_LOG="$OBJ/valgrind-out/${VG_TEST}." 174 VG_LOG="$OBJ/valgrind-out/${VG_TEST}."
168 VG_OPTS="--track-origins=yes --leak-check=full" 175 VG_OPTS="--track-origins=yes $VG_LEAK"
169 VG_OPTS="$VG_OPTS --trace-children=yes" 176 VG_OPTS="$VG_OPTS --trace-children=yes"
170 VG_OPTS="$VG_OPTS --trace-children-skip=${VG_IGNORE}" 177 VG_OPTS="$VG_OPTS --trace-children-skip=${VG_IGNORE}"
171 VG_PATH="valgrind" 178 VG_PATH="valgrind"
@@ -318,6 +325,12 @@ stop_sshd ()
318 fi 325 fi
319} 326}
320 327
328make_tmpdir ()
329{
330 SSH_REGRESS_TMP="$($OBJ/mkdtemp openssh-XXXXXXXX)" || \
331 fatal "failed to create temporary directory"
332}
333
321# helper 334# helper
322cleanup () 335cleanup ()
323{ 336{
@@ -328,6 +341,9 @@ cleanup ()
328 kill $SSH_PID 341 kill $SSH_PID
329 fi 342 fi
330 fi 343 fi
344 if [ "x$SSH_REGRESS_TMP" != "x" ]; then
345 rm -rf "$SSH_REGRESS_TMP"
346 fi
331 stop_sshd 347 stop_sshd
332} 348}
333 349
@@ -375,7 +391,10 @@ fail ()
375 save_debug_log "FAIL: $@" 391 save_debug_log "FAIL: $@"
376 RESULT=1 392 RESULT=1
377 echo "$@" 393 echo "$@"
378 394 if test "x$TEST_SSH_FAIL_FATAL" != "x" ; then
395 cleanup
396 exit $RESULT
397 fi
379} 398}
380 399
381fatal () 400fatal ()
@@ -512,10 +531,13 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
512 >> $OBJ/authorized_keys_$USER 531 >> $OBJ/authorized_keys_$USER
513 532
514 # Convert rsa2 host key to PuTTY format 533 # Convert rsa2 host key to PuTTY format
515 ${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/rsa > \ 534 cp $OBJ/rsa $OBJ/rsa_oldfmt
535 ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/rsa_oldfmt >/dev/null
536 ${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/rsa_oldfmt > \
516 ${OBJ}/.putty/sshhostkeys 537 ${OBJ}/.putty/sshhostkeys
517 ${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/rsa >> \ 538 ${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/rsa_oldfmt >> \
518 ${OBJ}/.putty/sshhostkeys 539 ${OBJ}/.putty/sshhostkeys
540 rm -f $OBJ/rsa_oldfmt
519 541
520 # Setup proxied session 542 # Setup proxied session
521 mkdir -p ${OBJ}/.putty/sessions 543 mkdir -p ${OBJ}/.putty/sessions
diff --git a/regress/unittests/hostkeys/test_iterate.c b/regress/unittests/hostkeys/test_iterate.c
index 751825dda..d6963bd2a 100644
--- a/regress/unittests/hostkeys/test_iterate.c
+++ b/regress/unittests/hostkeys/test_iterate.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_iterate.c,v 1.5 2017/04/30 23:33:48 djm Exp $ */ 1/* $OpenBSD: test_iterate.c,v 1.6 2018/07/16 03:09:59 djm Exp $ */
2/* 2/*
3 * Regress test for hostfile.h hostkeys_foreach() 3 * Regress test for hostfile.h hostkeys_foreach()
4 * 4 *
@@ -152,6 +152,17 @@ prepare_expected(struct expected *expected, size_t n)
152 } 152 }
153} 153}
154 154
155static void
156cleanup_expected(struct expected *expected, size_t n)
157{
158 size_t i;
159
160 for (i = 0; i < n; i++) {
161 sshkey_free(expected[i].l.key);
162 expected[i].l.key = NULL;
163 }
164}
165
155struct expected expected_full[] = { 166struct expected expected_full[] = {
156 { NULL, -1, -1, 0, 0, 0, 0, -1, { 167 { NULL, -1, -1, 0, 0, 0, 0, -1, {
157 NULL, /* path, don't care */ 168 NULL, /* path, don't care */
@@ -825,6 +836,7 @@ test_iterate(void)
825 prepare_expected(expected_full, ctx.nexpected); 836 prepare_expected(expected_full, ctx.nexpected);
826 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), 837 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
827 check, &ctx, NULL, NULL, ctx.flags), 0); 838 check, &ctx, NULL, NULL, ctx.flags), 0);
839 cleanup_expected(expected_full, ctx.nexpected);
828 TEST_DONE(); 840 TEST_DONE();
829 841
830 TEST_START("hostkeys_iterate all without key parse"); 842 TEST_START("hostkeys_iterate all without key parse");
@@ -835,6 +847,7 @@ test_iterate(void)
835 prepare_expected(expected_full, ctx.nexpected); 847 prepare_expected(expected_full, ctx.nexpected);
836 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), 848 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
837 check, &ctx, NULL, NULL, ctx.flags), 0); 849 check, &ctx, NULL, NULL, ctx.flags), 0);
850 cleanup_expected(expected_full, ctx.nexpected);
838 TEST_DONE(); 851 TEST_DONE();
839 852
840 TEST_START("hostkeys_iterate specify host 1"); 853 TEST_START("hostkeys_iterate specify host 1");
@@ -846,6 +859,7 @@ test_iterate(void)
846 prepare_expected(expected_full, ctx.nexpected); 859 prepare_expected(expected_full, ctx.nexpected);
847 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), 860 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
848 check, &ctx, "prometheus.example.com", NULL, ctx.flags), 0); 861 check, &ctx, "prometheus.example.com", NULL, ctx.flags), 0);
862 cleanup_expected(expected_full, ctx.nexpected);
849 TEST_DONE(); 863 TEST_DONE();
850 864
851 TEST_START("hostkeys_iterate specify host 2"); 865 TEST_START("hostkeys_iterate specify host 2");
@@ -857,6 +871,7 @@ test_iterate(void)
857 prepare_expected(expected_full, ctx.nexpected); 871 prepare_expected(expected_full, ctx.nexpected);
858 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), 872 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
859 check, &ctx, "sisyphus.example.com", NULL, ctx.flags), 0); 873 check, &ctx, "sisyphus.example.com", NULL, ctx.flags), 0);
874 cleanup_expected(expected_full, ctx.nexpected);
860 TEST_DONE(); 875 TEST_DONE();
861 876
862 TEST_START("hostkeys_iterate match host 1"); 877 TEST_START("hostkeys_iterate match host 1");
@@ -868,6 +883,7 @@ test_iterate(void)
868 prepare_expected(expected_full, ctx.nexpected); 883 prepare_expected(expected_full, ctx.nexpected);
869 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), 884 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
870 check, &ctx, "prometheus.example.com", NULL, ctx.flags), 0); 885 check, &ctx, "prometheus.example.com", NULL, ctx.flags), 0);
886 cleanup_expected(expected_full, ctx.nexpected);
871 TEST_DONE(); 887 TEST_DONE();
872 888
873 TEST_START("hostkeys_iterate match host 2"); 889 TEST_START("hostkeys_iterate match host 2");
@@ -879,6 +895,7 @@ test_iterate(void)
879 prepare_expected(expected_full, ctx.nexpected); 895 prepare_expected(expected_full, ctx.nexpected);
880 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), 896 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
881 check, &ctx, "sisyphus.example.com", NULL, ctx.flags), 0); 897 check, &ctx, "sisyphus.example.com", NULL, ctx.flags), 0);
898 cleanup_expected(expected_full, ctx.nexpected);
882 TEST_DONE(); 899 TEST_DONE();
883 900
884 TEST_START("hostkeys_iterate specify host missing"); 901 TEST_START("hostkeys_iterate specify host missing");
@@ -889,6 +906,7 @@ test_iterate(void)
889 prepare_expected(expected_full, ctx.nexpected); 906 prepare_expected(expected_full, ctx.nexpected);
890 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), 907 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
891 check, &ctx, "actaeon.example.org", NULL, ctx.flags), 0); 908 check, &ctx, "actaeon.example.org", NULL, ctx.flags), 0);
909 cleanup_expected(expected_full, ctx.nexpected);
892 TEST_DONE(); 910 TEST_DONE();
893 911
894 TEST_START("hostkeys_iterate match host missing"); 912 TEST_START("hostkeys_iterate match host missing");
@@ -899,6 +917,7 @@ test_iterate(void)
899 prepare_expected(expected_full, ctx.nexpected); 917 prepare_expected(expected_full, ctx.nexpected);
900 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), 918 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
901 check, &ctx, "actaeon.example.org", NULL, ctx.flags), 0); 919 check, &ctx, "actaeon.example.org", NULL, ctx.flags), 0);
920 cleanup_expected(expected_full, ctx.nexpected);
902 TEST_DONE(); 921 TEST_DONE();
903 922
904 TEST_START("hostkeys_iterate specify IPv4"); 923 TEST_START("hostkeys_iterate specify IPv4");
@@ -910,6 +929,7 @@ test_iterate(void)
910 prepare_expected(expected_full, ctx.nexpected); 929 prepare_expected(expected_full, ctx.nexpected);
911 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), 930 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
912 check, &ctx, "tiresias.example.org", "192.0.2.1", ctx.flags), 0); 931 check, &ctx, "tiresias.example.org", "192.0.2.1", ctx.flags), 0);
932 cleanup_expected(expected_full, ctx.nexpected);
913 TEST_DONE(); 933 TEST_DONE();
914 934
915 TEST_START("hostkeys_iterate specify IPv6"); 935 TEST_START("hostkeys_iterate specify IPv6");
@@ -921,6 +941,7 @@ test_iterate(void)
921 prepare_expected(expected_full, ctx.nexpected); 941 prepare_expected(expected_full, ctx.nexpected);
922 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), 942 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
923 check, &ctx, "tiresias.example.org", "2001:db8::1", ctx.flags), 0); 943 check, &ctx, "tiresias.example.org", "2001:db8::1", ctx.flags), 0);
944 cleanup_expected(expected_full, ctx.nexpected);
924 TEST_DONE(); 945 TEST_DONE();
925 946
926 TEST_START("hostkeys_iterate match IPv4"); 947 TEST_START("hostkeys_iterate match IPv4");
@@ -932,6 +953,7 @@ test_iterate(void)
932 prepare_expected(expected_full, ctx.nexpected); 953 prepare_expected(expected_full, ctx.nexpected);
933 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), 954 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
934 check, &ctx, "tiresias.example.org", "192.0.2.1", ctx.flags), 0); 955 check, &ctx, "tiresias.example.org", "192.0.2.1", ctx.flags), 0);
956 cleanup_expected(expected_full, ctx.nexpected);
935 TEST_DONE(); 957 TEST_DONE();
936 958
937 TEST_START("hostkeys_iterate match IPv6"); 959 TEST_START("hostkeys_iterate match IPv6");
@@ -943,6 +965,7 @@ test_iterate(void)
943 prepare_expected(expected_full, ctx.nexpected); 965 prepare_expected(expected_full, ctx.nexpected);
944 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), 966 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
945 check, &ctx, "tiresias.example.org", "2001:db8::1", ctx.flags), 0); 967 check, &ctx, "tiresias.example.org", "2001:db8::1", ctx.flags), 0);
968 cleanup_expected(expected_full, ctx.nexpected);
946 TEST_DONE(); 969 TEST_DONE();
947 970
948 TEST_START("hostkeys_iterate specify addr missing"); 971 TEST_START("hostkeys_iterate specify addr missing");
@@ -953,6 +976,7 @@ test_iterate(void)
953 prepare_expected(expected_full, ctx.nexpected); 976 prepare_expected(expected_full, ctx.nexpected);
954 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), 977 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
955 check, &ctx, "tiresias.example.org", "192.168.0.1", ctx.flags), 0); 978 check, &ctx, "tiresias.example.org", "192.168.0.1", ctx.flags), 0);
979 cleanup_expected(expected_full, ctx.nexpected);
956 TEST_DONE(); 980 TEST_DONE();
957 981
958 TEST_START("hostkeys_iterate match addr missing"); 982 TEST_START("hostkeys_iterate match addr missing");
@@ -963,6 +987,7 @@ test_iterate(void)
963 prepare_expected(expected_full, ctx.nexpected); 987 prepare_expected(expected_full, ctx.nexpected);
964 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), 988 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
965 check, &ctx, "tiresias.example.org", "::1", ctx.flags), 0); 989 check, &ctx, "tiresias.example.org", "::1", ctx.flags), 0);
990 cleanup_expected(expected_full, ctx.nexpected);
966 TEST_DONE(); 991 TEST_DONE();
967 992
968 TEST_START("hostkeys_iterate specify host 2 and IPv4"); 993 TEST_START("hostkeys_iterate specify host 2 and IPv4");
@@ -975,6 +1000,7 @@ test_iterate(void)
975 prepare_expected(expected_full, ctx.nexpected); 1000 prepare_expected(expected_full, ctx.nexpected);
976 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), 1001 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
977 check, &ctx, "sisyphus.example.com", "192.0.2.1", ctx.flags), 0); 1002 check, &ctx, "sisyphus.example.com", "192.0.2.1", ctx.flags), 0);
1003 cleanup_expected(expected_full, ctx.nexpected);
978 TEST_DONE(); 1004 TEST_DONE();
979 1005
980 TEST_START("hostkeys_iterate match host 1 and IPv6"); 1006 TEST_START("hostkeys_iterate match host 1 and IPv6");
@@ -986,7 +1012,9 @@ test_iterate(void)
986 ctx.match_ipv6 = 1; 1012 ctx.match_ipv6 = 1;
987 prepare_expected(expected_full, ctx.nexpected); 1013 prepare_expected(expected_full, ctx.nexpected);
988 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), 1014 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
989 check, &ctx, "prometheus.example.com", "2001:db8::1", ctx.flags), 0); 1015 check, &ctx, "prometheus.example.com",
1016 "2001:db8::1", ctx.flags), 0);
1017 cleanup_expected(expected_full, ctx.nexpected);
990 TEST_DONE(); 1018 TEST_DONE();
991 1019
992 TEST_START("hostkeys_iterate specify host 2 and IPv4 w/ key parse"); 1020 TEST_START("hostkeys_iterate specify host 2 and IPv4 w/ key parse");
@@ -999,6 +1027,7 @@ test_iterate(void)
999 prepare_expected(expected_full, ctx.nexpected); 1027 prepare_expected(expected_full, ctx.nexpected);
1000 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), 1028 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
1001 check, &ctx, "sisyphus.example.com", "192.0.2.1", ctx.flags), 0); 1029 check, &ctx, "sisyphus.example.com", "192.0.2.1", ctx.flags), 0);
1030 cleanup_expected(expected_full, ctx.nexpected);
1002 TEST_DONE(); 1031 TEST_DONE();
1003 1032
1004 TEST_START("hostkeys_iterate match host 1 and IPv6 w/ key parse"); 1033 TEST_START("hostkeys_iterate match host 1 and IPv6 w/ key parse");
@@ -1010,7 +1039,9 @@ test_iterate(void)
1010 ctx.match_ipv6 = 1; 1039 ctx.match_ipv6 = 1;
1011 prepare_expected(expected_full, ctx.nexpected); 1040 prepare_expected(expected_full, ctx.nexpected);
1012 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), 1041 ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
1013 check, &ctx, "prometheus.example.com", "2001:db8::1", ctx.flags), 0); 1042 check, &ctx, "prometheus.example.com",
1043 "2001:db8::1", ctx.flags), 0);
1044 cleanup_expected(expected_full, ctx.nexpected);
1014 TEST_DONE(); 1045 TEST_DONE();
1015} 1046}
1016 1047
diff --git a/regress/unittests/match/tests.c b/regress/unittests/match/tests.c
index e1593367b..3d9af55f2 100644
--- a/regress/unittests/match/tests.c
+++ b/regress/unittests/match/tests.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tests.c,v 1.4 2017/02/03 23:01:42 djm Exp $ */ 1/* $OpenBSD: tests.c,v 1.5 2018/07/04 13:51:45 djm Exp $ */
2/* 2/*
3 * Regress test for matching functions 3 * Regress test for matching functions
4 * 4 *
@@ -105,7 +105,7 @@ tests(void)
105 105
106#define CHECK_FILTER(string,filter,expected) \ 106#define CHECK_FILTER(string,filter,expected) \
107 do { \ 107 do { \
108 char *result = match_filter_list((string), (filter)); \ 108 char *result = match_filter_blacklist((string), (filter)); \
109 ASSERT_STRING_EQ(result, expected); \ 109 ASSERT_STRING_EQ(result, expected); \
110 free(result); \ 110 free(result); \
111 } while (0) 111 } while (0)
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
index 1aa608f92..72367bde7 100644
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_sshkey.c,v 1.13 2017/12/21 00:41:22 djm Exp $ */ 1/* $OpenBSD: test_sshkey.c,v 1.14 2018/07/13 02:13:19 djm Exp $ */
2/* 2/*
3 * Regress test for sshkey.h key management API 3 * Regress test for sshkey.h key management API
4 * 4 *
@@ -434,10 +434,13 @@ sshkey_tests(void)
434 ASSERT_PTR_NE(k1->cert->principals[1], NULL); 434 ASSERT_PTR_NE(k1->cert->principals[1], NULL);
435 ASSERT_PTR_NE(k1->cert->principals[2], NULL); 435 ASSERT_PTR_NE(k1->cert->principals[2], NULL);
436 ASSERT_PTR_NE(k1->cert->principals[3], NULL); 436 ASSERT_PTR_NE(k1->cert->principals[3], NULL);
437 k1->cert->nprincipals = 4;
437 k1->cert->valid_after = 0; 438 k1->cert->valid_after = 0;
438 k1->cert->valid_before = (u_int64_t)-1; 439 k1->cert->valid_before = (u_int64_t)-1;
440 sshbuf_free(k1->cert->critical);
439 k1->cert->critical = sshbuf_new(); 441 k1->cert->critical = sshbuf_new();
440 ASSERT_PTR_NE(k1->cert->critical, NULL); 442 ASSERT_PTR_NE(k1->cert->critical, NULL);
443 sshbuf_free(k1->cert->extensions);
441 k1->cert->extensions = sshbuf_new(); 444 k1->cert->extensions = sshbuf_new();
442 ASSERT_PTR_NE(k1->cert->extensions, NULL); 445 ASSERT_PTR_NE(k1->cert->extensions, NULL);
443 put_opt(k1->cert->critical, "force-command", "/usr/bin/true"); 446 put_opt(k1->cert->critical, "force-command", "/usr/bin/true");
diff --git a/regress/valgrind-unit.sh b/regress/valgrind-unit.sh
index 433cb069a..4143ead4b 100755
--- a/regress/valgrind-unit.sh
+++ b/regress/valgrind-unit.sh
@@ -7,10 +7,12 @@ UNIT_ARGS="$@"
7test "x$OBJ" = "x" && OBJ=$PWD 7test "x$OBJ" = "x" && OBJ=$PWD
8 8
9# This mostly replicates the logic in test-exec.sh for running the 9# This mostly replicates the logic in test-exec.sh for running the
10# regress tests under valgrind. 10# regress tests under valgrind, except that we unconditionally enable
11# leak checking because the unit tests should be clean.
12VG_LEAK="--leak-check=full"
11VG_TEST=`basename $UNIT_BINARY` 13VG_TEST=`basename $UNIT_BINARY`
12VG_LOG="$OBJ/valgrind-out/${VG_TEST}.%p" 14VG_LOG="$OBJ/valgrind-out/${VG_TEST}.%p"
13VG_OPTS="--track-origins=yes --leak-check=full --log-file=${VG_LOG}" 15VG_OPTS="--track-origins=yes $VG_LEAK --log-file=${VG_LOG}"
14VG_OPTS="$VG_OPTS --trace-children=yes" 16VG_OPTS="$VG_OPTS --trace-children=yes"
15VG_PATH="valgrind" 17VG_PATH="valgrind"
16if [ "x$VALGRIND_PATH" != "x" ]; then 18if [ "x$VALGRIND_PATH" != "x" ]; then