diff options
Diffstat (limited to 'regress')
-rw-r--r-- | regress/Makefile | 3 | ||||
-rw-r--r-- | regress/allow-deny-users.sh | 12 | ||||
-rw-r--r-- | regress/authinfo.sh | 2 | ||||
-rw-r--r-- | regress/cert-file.sh | 6 | ||||
-rw-r--r-- | regress/cert-hostkey.sh | 9 | ||||
-rw-r--r-- | regress/cfgmatchlisten.sh | 202 | ||||
-rw-r--r-- | regress/cfgparse.sh | 6 | ||||
-rw-r--r-- | regress/forward-control.sh | 77 | ||||
-rw-r--r-- | regress/forwarding.sh | 3 | ||||
-rw-r--r-- | regress/key-options.sh | 5 | ||||
-rw-r--r-- | regress/keygen-knownhosts.sh | 35 | ||||
-rw-r--r-- | regress/mkdtemp.c | 61 | ||||
-rw-r--r-- | regress/multiplex.sh | 3 | ||||
-rw-r--r-- | regress/rekey.sh | 12 | ||||
-rw-r--r-- | regress/setuid-allowed.c | 1 | ||||
-rw-r--r-- | regress/sshcfgparse.sh | 62 | ||||
-rw-r--r-- | regress/test-exec.sh | 32 | ||||
-rw-r--r-- | regress/unittests/hostkeys/test_iterate.c | 37 | ||||
-rw-r--r-- | regress/unittests/match/tests.c | 4 | ||||
-rw-r--r-- | regress/unittests/sshkey/test_sshkey.c | 5 | ||||
-rwxr-xr-x | regress/valgrind-unit.sh | 6 |
21 files changed, 526 insertions, 57 deletions
diff --git a/regress/Makefile b/regress/Makefile index d15898ad0..647b4a049 100644 --- a/regress/Makefile +++ b/regress/Makefile | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: Makefile,v 1.96 2017/10/24 19:33:32 millert Exp $ | 1 | # $OpenBSD: Makefile,v 1.97 2018/06/07 04:46:34 djm Exp $ |
2 | 2 | ||
3 | REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec | 3 | REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec |
4 | tests: prep $(REGRESS_TARGETS) | 4 | tests: prep $(REGRESS_TARGETS) |
@@ -61,6 +61,7 @@ LTESTS= connect \ | |||
61 | sshcfgparse \ | 61 | sshcfgparse \ |
62 | cfgparse \ | 62 | cfgparse \ |
63 | cfgmatch \ | 63 | cfgmatch \ |
64 | cfgmatchlisten \ | ||
64 | addrmatch \ | 65 | addrmatch \ |
65 | localcommand \ | 66 | localcommand \ |
66 | forcecommand \ | 67 | forcecommand \ |
diff --git a/regress/allow-deny-users.sh b/regress/allow-deny-users.sh index 4165111e0..5c3895122 100644 --- a/regress/allow-deny-users.sh +++ b/regress/allow-deny-users.sh | |||
@@ -1,6 +1,6 @@ | |||
1 | # Public Domain | 1 | # Public Domain |
2 | # Zev Weiss, 2016 | 2 | # Zev Weiss, 2016 |
3 | # $OpenBSD: allow-deny-users.sh,v 1.4 2017/10/20 02:13:41 djm Exp $ | 3 | # $OpenBSD: allow-deny-users.sh,v 1.5 2018/07/13 02:13:50 djm Exp $ |
4 | 4 | ||
5 | tid="AllowUsers/DenyUsers" | 5 | tid="AllowUsers/DenyUsers" |
6 | 6 | ||
@@ -10,6 +10,8 @@ if [ "x$me" = "x" ]; then | |||
10 | fi | 10 | fi |
11 | other="nobody" | 11 | other="nobody" |
12 | 12 | ||
13 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig | ||
14 | |||
13 | test_auth() | 15 | test_auth() |
14 | { | 16 | { |
15 | deny="$1" | 17 | deny="$1" |
@@ -17,17 +19,19 @@ test_auth() | |||
17 | should_succeed="$3" | 19 | should_succeed="$3" |
18 | failmsg="$4" | 20 | failmsg="$4" |
19 | 21 | ||
22 | cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy | ||
23 | echo DenyUsers="$deny" >> $OBJ/sshd_proxy | ||
24 | echo AllowUsers="$allow" >> $OBJ/sshd_proxy | ||
25 | |||
20 | start_sshd -oDenyUsers="$deny" -oAllowUsers="$allow" | 26 | start_sshd -oDenyUsers="$deny" -oAllowUsers="$allow" |
21 | 27 | ||
22 | ${SSH} -F $OBJ/ssh_config "$me@somehost" true | 28 | ${SSH} -F $OBJ/ssh_proxy "$me@somehost" true |
23 | status=$? | 29 | status=$? |
24 | 30 | ||
25 | if (test $status -eq 0 && ! $should_succeed) \ | 31 | if (test $status -eq 0 && ! $should_succeed) \ |
26 | || (test $status -ne 0 && $should_succeed); then | 32 | || (test $status -ne 0 && $should_succeed); then |
27 | fail "$failmsg" | 33 | fail "$failmsg" |
28 | fi | 34 | fi |
29 | |||
30 | stop_sshd | ||
31 | } | 35 | } |
32 | 36 | ||
33 | # DenyUsers AllowUsers should_succeed failure_message | 37 | # DenyUsers AllowUsers should_succeed failure_message |
diff --git a/regress/authinfo.sh b/regress/authinfo.sh index 3caf89478..693424afa 100644 --- a/regress/authinfo.sh +++ b/regress/authinfo.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: authinfo.sh,v 1.2 2017/10/25 20:08:36 millert Exp $ | 1 | # $OpenBSD: authinfo.sh,v 1.3 2018/04/10 00:13:27 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="authinfo" | 4 | tid="authinfo" |
diff --git a/regress/cert-file.sh b/regress/cert-file.sh index 8fd62c773..1157a3582 100644 --- a/regress/cert-file.sh +++ b/regress/cert-file.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: cert-file.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ | 1 | # $OpenBSD: cert-file.sh,v 1.7 2018/04/10 00:14:10 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="ssh with certificates" | 4 | tid="ssh with certificates" |
@@ -52,7 +52,7 @@ echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER | |||
52 | cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config | 52 | cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config |
53 | 53 | ||
54 | # XXX: verify that certificate used was what we expect. Needs exposure of | 54 | # XXX: verify that certificate used was what we expect. Needs exposure of |
55 | # keys via enviornment variable or similar. | 55 | # keys via environment variable or similar. |
56 | 56 | ||
57 | # Key with no .pub should work - finding the equivalent *-cert.pub. | 57 | # Key with no .pub should work - finding the equivalent *-cert.pub. |
58 | verbose "identity cert with no plain public file" | 58 | verbose "identity cert with no plain public file" |
@@ -138,7 +138,7 @@ fi | |||
138 | 138 | ||
139 | # try ssh with the agent and certificates | 139 | # try ssh with the agent and certificates |
140 | opts="-F $OBJ/ssh_proxy" | 140 | opts="-F $OBJ/ssh_proxy" |
141 | # with no certificates, shoud fail | 141 | # with no certificates, should fail |
142 | ${SSH} $opts somehost exit 52 | 142 | ${SSH} $opts somehost exit 52 |
143 | if [ $? -eq 52 ]; then | 143 | if [ $? -eq 52 ]; then |
144 | fail "ssh connect with agent in succeeded with no cert" | 144 | fail "ssh connect with agent in succeeded with no cert" |
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 3d5732a5d..d2ecd318b 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: cert-hostkey.sh,v 1.15 2017/04/30 23:34:55 djm Exp $ | 1 | # $OpenBSD: cert-hostkey.sh,v 1.16 2018/07/03 11:43:49 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="certified host keys" | 4 | tid="certified host keys" |
@@ -14,6 +14,13 @@ for i in `$SSH -Q key`; do | |||
14 | continue | 14 | continue |
15 | fi | 15 | fi |
16 | case "$i" in | 16 | case "$i" in |
17 | # Special treatment for RSA keys. | ||
18 | *rsa*cert*) | ||
19 | types="rsa-sha2-256-cert-v01@openssh.com,$i,$types" | ||
20 | types="rsa-sha2-512-cert-v01@openssh.com,$types";; | ||
21 | *rsa*) | ||
22 | types="$types,rsa-sha2-512,rsa-sha2-256,$i";; | ||
23 | # Prefer certificate to plain keys. | ||
17 | *cert*) types="$i,$types";; | 24 | *cert*) types="$i,$types";; |
18 | *) types="$types,$i";; | 25 | *) types="$types,$i";; |
19 | esac | 26 | esac |
diff --git a/regress/cfgmatchlisten.sh b/regress/cfgmatchlisten.sh new file mode 100644 index 000000000..a4fd66b32 --- /dev/null +++ b/regress/cfgmatchlisten.sh | |||
@@ -0,0 +1,202 @@ | |||
1 | # $OpenBSD: cfgmatchlisten.sh,v 1.3 2018/07/02 14:13:30 dtucker Exp $ | ||
2 | # Placed in the Public Domain. | ||
3 | |||
4 | tid="sshd_config matchlisten" | ||
5 | |||
6 | pidfile=$OBJ/remote_pid | ||
7 | fwdport=3301 | ||
8 | fwdspec="localhost:${fwdport}" | ||
9 | fwd="-R $fwdport:127.0.0.1:$PORT" | ||
10 | |||
11 | echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config | ||
12 | echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy | ||
13 | |||
14 | start_client() | ||
15 | { | ||
16 | rm -f $pidfile | ||
17 | ${SSH} -vvv $fwd "$@" somehost true >>$TEST_REGRESS_LOGFILE 2>&1 | ||
18 | r=$? | ||
19 | if [ $r -ne 0 ]; then | ||
20 | return $r | ||
21 | fi | ||
22 | ${SSH} -vvv $fwd "$@" somehost \ | ||
23 | exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \ | ||
24 | >>$TEST_REGRESS_LOGFILE 2>&1 & | ||
25 | client_pid=$! | ||
26 | # Wait for remote end | ||
27 | n=0 | ||
28 | while test ! -f $pidfile ; do | ||
29 | sleep 1 | ||
30 | n=`expr $n + 1` | ||
31 | if test $n -gt 60; then | ||
32 | kill $client_pid | ||
33 | fatal "timeout waiting for background ssh" | ||
34 | fi | ||
35 | done | ||
36 | return $r | ||
37 | } | ||
38 | |||
39 | expect_client_ok() | ||
40 | { | ||
41 | start_client "$@" || | ||
42 | fail "client did not start" | ||
43 | } | ||
44 | |||
45 | expect_client_fail() | ||
46 | { | ||
47 | local failmsg="$1" | ||
48 | shift | ||
49 | start_client "$@" && | ||
50 | fail $failmsg | ||
51 | } | ||
52 | |||
53 | stop_client() | ||
54 | { | ||
55 | pid=`cat $pidfile` | ||
56 | if [ ! -z "$pid" ]; then | ||
57 | kill $pid | ||
58 | fi | ||
59 | wait | ||
60 | } | ||
61 | |||
62 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | ||
63 | echo "PermitListen 127.0.0.1:1" >>$OBJ/sshd_config | ||
64 | echo "Match Address 127.0.0.1" >>$OBJ/sshd_config | ||
65 | echo "PermitListen 127.0.0.1:2 127.0.0.1:3 $fwdspec" >>$OBJ/sshd_config | ||
66 | |||
67 | grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy | ||
68 | echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy | ||
69 | echo "PermitListen 127.0.0.1:1" >>$OBJ/sshd_proxy | ||
70 | echo "Match user $USER" >>$OBJ/sshd_proxy | ||
71 | echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy | ||
72 | echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy | ||
73 | echo "PermitListen 127.0.0.1:2 127.0.0.1:3 $fwdspec" >>$OBJ/sshd_proxy | ||
74 | |||
75 | start_sshd | ||
76 | |||
77 | #set -x | ||
78 | |||
79 | # Test Match + PermitListen in sshd_config. This should be permitted | ||
80 | trace "match permitlisten localhost" | ||
81 | expect_client_ok -F $OBJ/ssh_config | ||
82 | ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ | ||
83 | fail "match permitlisten permit" | ||
84 | stop_client | ||
85 | |||
86 | # Same but from different source. This should not be permitted | ||
87 | trace "match permitlisten proxy" | ||
88 | expect_client_fail "match permitlisten deny" \ | ||
89 | -F $OBJ/ssh_proxy | ||
90 | |||
91 | # Retry previous with key option, should also be denied. | ||
92 | cp /dev/null $OBJ/authorized_keys_$USER | ||
93 | for t in ${SSH_KEYTYPES}; do | ||
94 | printf 'permitlisten="'$fwdspec'" ' >> $OBJ/authorized_keys_$USER | ||
95 | cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER | ||
96 | done | ||
97 | trace "match permitlisten proxy w/key opts" | ||
98 | expect_client_fail "match permitlisten deny w/key opt"\ | ||
99 | -F $OBJ/ssh_proxy | ||
100 | |||
101 | # Test both sshd_config and key options permitting the same dst/port pair. | ||
102 | # Should be permitted. | ||
103 | trace "match permitlisten localhost" | ||
104 | expect_client_ok -F $OBJ/ssh_config | ||
105 | ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ | ||
106 | fail "match permitlisten permit" | ||
107 | stop_client | ||
108 | |||
109 | # Test that a bare port number is accepted in PermitListen | ||
110 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy | ||
111 | echo "PermitListen 127.0.0.1:1 $fwdport 127.0.0.2:2" >>$OBJ/sshd_proxy | ||
112 | trace "match permitlisten bare" | ||
113 | expect_client_ok -F $OBJ/ssh_config | ||
114 | ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ | ||
115 | fail "match permitlisten bare" | ||
116 | stop_client | ||
117 | |||
118 | # Test that an incorrect bare port number is denied as expected | ||
119 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy | ||
120 | echo "PermitListen 1 2 99" >>$OBJ/sshd_proxy | ||
121 | trace "match permitlisten bare" | ||
122 | expect_client_fail -F $OBJ/ssh_config | ||
123 | |||
124 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy | ||
125 | echo "PermitListen 127.0.0.1:1 $fwdspec 127.0.0.2:2" >>$OBJ/sshd_proxy | ||
126 | echo "Match User $USER" >>$OBJ/sshd_proxy | ||
127 | echo "PermitListen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy | ||
128 | |||
129 | # Test that a Match overrides a PermitListen in the global section | ||
130 | trace "match permitlisten proxy w/key opts" | ||
131 | expect_client_fail "match override permitlisten" \ | ||
132 | -F $OBJ/ssh_proxy | ||
133 | |||
134 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy | ||
135 | echo "PermitListen 127.0.0.1:1 $fwdspec 127.0.0.2:2" >>$OBJ/sshd_proxy | ||
136 | echo "Match User NoSuchUser" >>$OBJ/sshd_proxy | ||
137 | echo "PermitListen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy | ||
138 | |||
139 | # Test that a rule that doesn't match doesn't override, plus test a | ||
140 | # PermitListen entry that's not at the start of the list | ||
141 | trace "nomatch permitlisten proxy w/key opts" | ||
142 | expect_client_ok -F $OBJ/ssh_proxy | ||
143 | ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ | ||
144 | fail "nomatch override permitlisten" | ||
145 | stop_client | ||
146 | |||
147 | # bind to 127.0.0.1 instead of default localhost | ||
148 | fwdspec2="127.0.0.1:${fwdport}" | ||
149 | fwd="-R ${fwdspec2}:127.0.0.1:$PORT" | ||
150 | |||
151 | # first try w/ old fwdspec both in server config and key opts | ||
152 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy | ||
153 | echo "PermitListen 127.0.0.1:1 $fwdspec 127.0.0.2:2" >>$OBJ/sshd_proxy | ||
154 | cp /dev/null $OBJ/authorized_keys_$USER | ||
155 | for t in ${SSH_KEYTYPES}; do | ||
156 | printf 'permitlisten="'$fwdspec'" ' >> $OBJ/authorized_keys_$USER | ||
157 | cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER | ||
158 | done | ||
159 | trace "nomatch permitlisten 127.0.0.1 server config and userkey" | ||
160 | expect_client_fail "nomatch 127.0.0.1 server config and userkey" \ | ||
161 | -F $OBJ/ssh_config | ||
162 | |||
163 | # correct server config, denied by key opts | ||
164 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy | ||
165 | echo "PermitListen 127.0.0.1:1 ${fwdspec2} 127.0.0.2:2" >>$OBJ/sshd_proxy | ||
166 | trace "nomatch permitlisten 127.0.0.1 w/key opts" | ||
167 | expect_client_fail "nomatch 127.0.0.1 w/key opts" \ | ||
168 | -F $OBJ/ssh_config | ||
169 | |||
170 | # fix key opts | ||
171 | cp /dev/null $OBJ/authorized_keys_$USER | ||
172 | for t in ${SSH_KEYTYPES}; do | ||
173 | printf 'permitlisten="'$fwdspec2'" ' >> $OBJ/authorized_keys_$USER | ||
174 | cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER | ||
175 | done | ||
176 | trace "match permitlisten 127.0.0.1 server config w/key opts" | ||
177 | expect_client_ok -F $OBJ/ssh_proxy | ||
178 | ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ | ||
179 | fail "match 127.0.0.1 server config w/key opts" | ||
180 | stop_client | ||
181 | |||
182 | # key opts with bare port number | ||
183 | cp /dev/null $OBJ/authorized_keys_$USER | ||
184 | for t in ${SSH_KEYTYPES}; do | ||
185 | printf 'permitlisten="'$fwdport'" ' >> $OBJ/authorized_keys_$USER | ||
186 | cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER | ||
187 | done | ||
188 | trace "match permitlisten 127.0.0.1 server config w/key opts (bare)" | ||
189 | expect_client_ok -F $OBJ/ssh_proxy | ||
190 | ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ | ||
191 | fail "match 127.0.0.1 server config w/key opts (bare)" | ||
192 | stop_client | ||
193 | |||
194 | # key opts with incorrect bare port number | ||
195 | cp /dev/null $OBJ/authorized_keys_$USER | ||
196 | for t in ${SSH_KEYTYPES}; do | ||
197 | printf 'permitlisten="99" ' >> $OBJ/authorized_keys_$USER | ||
198 | cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER | ||
199 | done | ||
200 | trace "match permitlisten 127.0.0.1 server config w/key opts (wrong bare)" | ||
201 | expect_client_fail "nomatch 127.0.0.1 w/key opts (wrong bare)" \ | ||
202 | -F $OBJ/ssh_config | ||
diff --git a/regress/cfgparse.sh b/regress/cfgparse.sh index ccf511f6b..a9e5c6b09 100644 --- a/regress/cfgparse.sh +++ b/regress/cfgparse.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: cfgparse.sh,v 1.6 2016/06/03 03:47:59 dtucker Exp $ | 1 | # $OpenBSD: cfgparse.sh,v 1.7 2018/05/11 03:51:06 dtucker Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="sshd config parse" | 4 | tid="sshd config parse" |
@@ -10,8 +10,8 @@ fi | |||
10 | 10 | ||
11 | # We need to use the keys generated for the regression test because sshd -T | 11 | # We need to use the keys generated for the regression test because sshd -T |
12 | # will fail if we're not running with SUDO (no permissions for real keys) or | 12 | # will fail if we're not running with SUDO (no permissions for real keys) or |
13 | # if we are # running tests on a system that has never had sshd installed | 13 | # if we are running tests on a system that has never had sshd installed |
14 | # (keys won't exist). | 14 | # because the keys won't exist. |
15 | 15 | ||
16 | grep "HostKey " $OBJ/sshd_config > $OBJ/sshd_config_minimal | 16 | grep "HostKey " $OBJ/sshd_config > $OBJ/sshd_config_minimal |
17 | SSHD_KEYS="`cat $OBJ/sshd_config_minimal`" | 17 | SSHD_KEYS="`cat $OBJ/sshd_config_minimal`" |
diff --git a/regress/forward-control.sh b/regress/forward-control.sh index 93d05cf63..3b1f69a71 100644 --- a/regress/forward-control.sh +++ b/regress/forward-control.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: forward-control.sh,v 1.5 2018/03/02 02:51:55 djm Exp $ | 1 | # $OpenBSD: forward-control.sh,v 1.7 2018/06/07 14:29:43 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="sshd control of local and remote forwarding" | 4 | tid="sshd control of local and remote forwarding" |
@@ -67,7 +67,7 @@ check_rfwd() { | |||
67 | _message=$2 | 67 | _message=$2 |
68 | rm -f $READY | 68 | rm -f $READY |
69 | ${SSH} -F $OBJ/ssh_proxy \ | 69 | ${SSH} -F $OBJ/ssh_proxy \ |
70 | -R$RFWD_PORT:127.0.0.1:$PORT \ | 70 | -R127.0.0.1:$RFWD_PORT:127.0.0.1:$PORT \ |
71 | -o ExitOnForwardFailure=yes \ | 71 | -o ExitOnForwardFailure=yes \ |
72 | -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ | 72 | -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ |
73 | >/dev/null 2>&1 & | 73 | >/dev/null 2>&1 & |
@@ -100,8 +100,8 @@ cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak | |||
100 | check_lfwd Y "default configuration" | 100 | check_lfwd Y "default configuration" |
101 | check_rfwd Y "default configuration" | 101 | check_rfwd Y "default configuration" |
102 | 102 | ||
103 | # Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N | 103 | # Usage: lperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N |
104 | all_tests() { | 104 | lperm_tests() { |
105 | _tcpfwd=$1 | 105 | _tcpfwd=$1 |
106 | _plain_lfwd=$2 | 106 | _plain_lfwd=$2 |
107 | _plain_rfwd=$3 | 107 | _plain_rfwd=$3 |
@@ -109,32 +109,39 @@ all_tests() { | |||
109 | _nopermit_rfwd=$5 | 109 | _nopermit_rfwd=$5 |
110 | _permit_lfwd=$6 | 110 | _permit_lfwd=$6 |
111 | _permit_rfwd=$7 | 111 | _permit_rfwd=$7 |
112 | _badfwd=127.0.0.1:22 | 112 | _badfwd1=127.0.0.1:22 |
113 | _badfwd2=127.0.0.2:22 | ||
113 | _goodfwd=127.0.0.1:${PORT} | 114 | _goodfwd=127.0.0.1:${PORT} |
114 | cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER} | 115 | cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER} |
115 | _prefix="AllowTcpForwarding=$_tcpfwd" | 116 | _prefix="AllowTcpForwarding=$_tcpfwd" |
117 | |||
116 | # No PermitOpen | 118 | # No PermitOpen |
117 | ( cat ${OBJ}/sshd_proxy.bak ; | 119 | ( cat ${OBJ}/sshd_proxy.bak ; |
118 | echo "AllowTcpForwarding $_tcpfwd" ) \ | 120 | echo "AllowTcpForwarding $_tcpfwd" ) \ |
119 | > ${OBJ}/sshd_proxy | 121 | > ${OBJ}/sshd_proxy |
120 | check_lfwd $_plain_lfwd "$_prefix" | 122 | check_lfwd $_plain_lfwd "$_prefix" |
121 | check_rfwd $_plain_rfwd "$_prefix" | 123 | check_rfwd $_plain_rfwd "$_prefix" |
124 | |||
122 | # PermitOpen via sshd_config that doesn't match | 125 | # PermitOpen via sshd_config that doesn't match |
123 | ( cat ${OBJ}/sshd_proxy.bak ; | 126 | ( cat ${OBJ}/sshd_proxy.bak ; |
124 | echo "AllowTcpForwarding $_tcpfwd" ; | 127 | echo "AllowTcpForwarding $_tcpfwd" ; |
125 | echo "PermitOpen $_badfwd" ) \ | 128 | echo "PermitOpen $_badfwd1 $_badfwd2" ) \ |
126 | > ${OBJ}/sshd_proxy | 129 | > ${OBJ}/sshd_proxy |
127 | check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen" | 130 | check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen" |
128 | check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen" | 131 | check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen" |
129 | # PermitOpen via sshd_config that does match | 132 | # PermitOpen via sshd_config that does match |
130 | ( cat ${OBJ}/sshd_proxy.bak ; | 133 | ( cat ${OBJ}/sshd_proxy.bak ; |
131 | echo "AllowTcpForwarding $_tcpfwd" ; | 134 | echo "AllowTcpForwarding $_tcpfwd" ; |
132 | echo "PermitOpen $_badfwd $_goodfwd" ) \ | 135 | echo "PermitOpen $_badfwd1 $_goodfwd $_badfwd2" ) \ |
133 | > ${OBJ}/sshd_proxy | 136 | > ${OBJ}/sshd_proxy |
137 | check_lfwd $_plain_lfwd "$_prefix, PermitOpen" | ||
138 | check_rfwd $_plain_rfwd "$_prefix, PermitOpen" | ||
139 | |||
140 | # permitopen keys option. | ||
134 | # NB. permitopen via authorized_keys should have same | 141 | # NB. permitopen via authorized_keys should have same |
135 | # success/fail as via sshd_config | 142 | # success/fail as via sshd_config |
136 | # permitopen via authorized_keys that doesn't match | 143 | # permitopen via authorized_keys that doesn't match |
137 | sed "s/^/permitopen=\"$_badfwd\" /" \ | 144 | sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_badfwd2\" /" \ |
138 | < ${OBJ}/authorized_keys_${USER}.bak \ | 145 | < ${OBJ}/authorized_keys_${USER}.bak \ |
139 | > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" | 146 | > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" |
140 | ( cat ${OBJ}/sshd_proxy.bak ; | 147 | ( cat ${OBJ}/sshd_proxy.bak ; |
@@ -143,7 +150,7 @@ all_tests() { | |||
143 | check_lfwd $_nopermit_lfwd "$_prefix, !permitopen" | 150 | check_lfwd $_nopermit_lfwd "$_prefix, !permitopen" |
144 | check_rfwd $_nopermit_rfwd "$_prefix, !permitopen" | 151 | check_rfwd $_nopermit_rfwd "$_prefix, !permitopen" |
145 | # permitopen via authorized_keys that does match | 152 | # permitopen via authorized_keys that does match |
146 | sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \ | 153 | sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_goodfwd\" /" \ |
147 | < ${OBJ}/authorized_keys_${USER}.bak \ | 154 | < ${OBJ}/authorized_keys_${USER}.bak \ |
148 | > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" | 155 | > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" |
149 | ( cat ${OBJ}/sshd_proxy.bak ; | 156 | ( cat ${OBJ}/sshd_proxy.bak ; |
@@ -151,6 +158,7 @@ all_tests() { | |||
151 | > ${OBJ}/sshd_proxy | 158 | > ${OBJ}/sshd_proxy |
152 | check_lfwd $_permit_lfwd "$_prefix, permitopen" | 159 | check_lfwd $_permit_lfwd "$_prefix, permitopen" |
153 | check_rfwd $_permit_rfwd "$_prefix, permitopen" | 160 | check_rfwd $_permit_rfwd "$_prefix, permitopen" |
161 | |||
154 | # Check port-forwarding flags in authorized_keys. | 162 | # Check port-forwarding flags in authorized_keys. |
155 | # These two should refuse all. | 163 | # These two should refuse all. |
156 | sed "s/^/no-port-forwarding /" \ | 164 | sed "s/^/no-port-forwarding /" \ |
@@ -180,9 +188,48 @@ all_tests() { | |||
180 | check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding" | 188 | check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding" |
181 | } | 189 | } |
182 | 190 | ||
183 | # no-permitopen mismatch-permitopen match-permitopen | 191 | # permit-open none mismatch match |
184 | # AllowTcpForwarding local remote local remote local remote | 192 | # AllowTcpForwarding local remote local remote local remote |
185 | all_tests yes Y Y N Y Y Y | 193 | lperm_tests yes Y Y N Y Y Y |
186 | all_tests local Y N N N Y N | 194 | lperm_tests local Y N N N Y N |
187 | all_tests remote N Y N Y N Y | 195 | lperm_tests remote N Y N Y N Y |
188 | all_tests no N N N N N N | 196 | lperm_tests no N N N N N N |
197 | |||
198 | # Usage: rperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N | ||
199 | rperm_tests() { | ||
200 | _tcpfwd=$1 | ||
201 | _plain_lfwd=$2 | ||
202 | _plain_rfwd=$3 | ||
203 | _nopermit_lfwd=$4 | ||
204 | _nopermit_rfwd=$5 | ||
205 | _permit_lfwd=$6 | ||
206 | _permit_rfwd=$7 | ||
207 | _badfwd1=127.0.0.1:22 | ||
208 | _badfwd2=127.0.0.2:${RFWD_PORT} | ||
209 | _goodfwd=127.0.0.1:${RFWD_PORT} | ||
210 | cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER} | ||
211 | _prefix="AllowTcpForwarding=$_tcpfwd" | ||
212 | |||
213 | # PermitListen via sshd_config that doesn't match | ||
214 | ( cat ${OBJ}/sshd_proxy.bak ; | ||
215 | echo "AllowTcpForwarding $_tcpfwd" ; | ||
216 | echo "PermitListen $_badfwd1 $_badfwd2" ) \ | ||
217 | > ${OBJ}/sshd_proxy | ||
218 | check_lfwd $_nopermit_lfwd "$_prefix, !PermitListen" | ||
219 | check_rfwd $_nopermit_rfwd "$_prefix, !PermitListen" | ||
220 | # PermitListen via sshd_config that does match | ||
221 | ( cat ${OBJ}/sshd_proxy.bak ; | ||
222 | echo "AllowTcpForwarding $_tcpfwd" ; | ||
223 | echo "PermitListen $_badfwd1 $_goodfwd $_badfwd2" ) \ | ||
224 | > ${OBJ}/sshd_proxy | ||
225 | check_lfwd $_plain_lfwd "$_prefix, PermitListen" | ||
226 | check_rfwd $_plain_rfwd "$_prefix, PermitListen" | ||
227 | } | ||
228 | |||
229 | # permit-remote-open none mismatch match | ||
230 | # AllowTcpForwarding local remote local remote local remote | ||
231 | rperm_tests yes Y Y Y N Y Y | ||
232 | rperm_tests local Y N Y N Y N | ||
233 | rperm_tests remote N Y N N N Y | ||
234 | rperm_tests no N N N N N N | ||
235 | |||
diff --git a/regress/forwarding.sh b/regress/forwarding.sh index 39fccba73..7d0fae114 100644 --- a/regress/forwarding.sh +++ b/regress/forwarding.sh | |||
@@ -10,7 +10,8 @@ start_sshd | |||
10 | base=33 | 10 | base=33 |
11 | last=$PORT | 11 | last=$PORT |
12 | fwd="" | 12 | fwd="" |
13 | CTL=/tmp/openssh.regress.ctl-sock.$$ | 13 | make_tmpdir |
14 | CTL=${SSH_REGRESS_TMP}/ctl-sock | ||
14 | 15 | ||
15 | for j in 0 1 2; do | 16 | for j in 0 1 2; do |
16 | for i in 0 1 2; do | 17 | for i in 0 1 2; do |
diff --git a/regress/key-options.sh b/regress/key-options.sh index d680737c1..112c9bd8e 100644 --- a/regress/key-options.sh +++ b/regress/key-options.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: key-options.sh,v 1.8 2018/03/14 05:35:40 djm Exp $ | 1 | # $OpenBSD: key-options.sh,v 1.9 2018/07/03 13:53:26 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="key options" | 4 | tid="key options" |
@@ -27,6 +27,7 @@ expect_pty_succeed() { | |||
27 | rm -f $OBJ/data | 27 | rm -f $OBJ/data |
28 | sed "s/.*/$opts &/" $origkeys >$authkeys | 28 | sed "s/.*/$opts &/" $origkeys >$authkeys |
29 | verbose "key option pty $which" | 29 | verbose "key option pty $which" |
30 | config_defined HAVE_OPENPTY || verbose "skipped for no openpty(3)" | ||
30 | ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0" | 31 | ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0" |
31 | if [ $? -ne 0 ] ; then | 32 | if [ $? -ne 0 ] ; then |
32 | fail "key option failed $which" | 33 | fail "key option failed $which" |
@@ -44,6 +45,7 @@ expect_pty_fail() { | |||
44 | rm -f $OBJ/data | 45 | rm -f $OBJ/data |
45 | sed "s/.*/$opts &/" $origkeys >$authkeys | 46 | sed "s/.*/$opts &/" $origkeys >$authkeys |
46 | verbose "key option pty $which" | 47 | verbose "key option pty $which" |
48 | config_defined HAVE_OPENPTY || verbose "skipped for no openpty(3)" | ||
47 | ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0" | 49 | ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0" |
48 | if [ $? -eq 0 ]; then | 50 | if [ $? -eq 0 ]; then |
49 | r=`cat $OBJ/data` | 51 | r=`cat $OBJ/data` |
@@ -63,6 +65,7 @@ expect_pty_fail "restrict" "restrict" | |||
63 | expect_pty_succeed "restrict,pty" "restrict,pty" | 65 | expect_pty_succeed "restrict,pty" "restrict,pty" |
64 | 66 | ||
65 | # Test environment= | 67 | # Test environment= |
68 | # XXX this can fail if ~/.ssh/environment exists for the user running the test | ||
66 | echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy | 69 | echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy |
67 | sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys | 70 | sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys |
68 | verbose "key option environment" | 71 | verbose "key option environment" |
diff --git a/regress/keygen-knownhosts.sh b/regress/keygen-knownhosts.sh index 693cd0e75..37af34769 100644 --- a/regress/keygen-knownhosts.sh +++ b/regress/keygen-knownhosts.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: keygen-knownhosts.sh,v 1.3 2015/07/17 03:34:27 djm Exp $ | 1 | # $OpenBSD: keygen-knownhosts.sh,v 1.4 2018/06/01 03:52:37 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="ssh-keygen known_hosts" | 4 | tid="ssh-keygen known_hosts" |
@@ -55,13 +55,24 @@ expect_key() { | |||
55 | check_find() { | 55 | check_find() { |
56 | _host=$1 | 56 | _host=$1 |
57 | _name=$2 | 57 | _name=$2 |
58 | _keygenopt=$3 | 58 | shift; shift |
59 | ${SSHKEYGEN} $_keygenopt -f $OBJ/kh.invalid -F $_host > $OBJ/kh.result | 59 | ${SSHKEYGEN} "$@" -f $OBJ/kh.invalid -F $_host > $OBJ/kh.result |
60 | if ! diff -w $OBJ/kh.expect $OBJ/kh.result ; then | 60 | if ! diff -w $OBJ/kh.expect $OBJ/kh.result ; then |
61 | fail "didn't find $_name" | 61 | fail "didn't find $_name" |
62 | fi | 62 | fi |
63 | } | 63 | } |
64 | 64 | ||
65 | check_find_exit_code() { | ||
66 | _host=$1 | ||
67 | _name=$2 | ||
68 | _keygenopt=$3 | ||
69 | _exp_exit_code=$4 | ||
70 | ${SSHKEYGEN} $_keygenopt -f $OBJ/kh.invalid -F $_host > /dev/null | ||
71 | if [ "$?" != "$_exp_exit_code" ] ; then | ||
72 | fail "Unexpected exit code $_name" | ||
73 | fi | ||
74 | } | ||
75 | |||
65 | # Find key | 76 | # Find key |
66 | rm -f $OBJ/kh.expect | 77 | rm -f $OBJ/kh.expect |
67 | expect_key host-a host-a host-a 2 | 78 | expect_key host-a host-a host-a 2 |
@@ -88,6 +99,18 @@ rm -f $OBJ/kh.expect | |||
88 | expect_key host-h "host-f,host-g,host-h " host-f 17 | 99 | expect_key host-h "host-f,host-g,host-h " host-f 17 |
89 | check_find host-h "find multiple hosts" | 100 | check_find host-h "find multiple hosts" |
90 | 101 | ||
102 | # Check exit code, known host | ||
103 | check_find_exit_code host-a "known host" "-q" "0" | ||
104 | |||
105 | # Check exit code, unknown host | ||
106 | check_find_exit_code host-aa "unknown host" "-q" "1" | ||
107 | |||
108 | # Check exit code, the hash mode, known host | ||
109 | check_find_exit_code host-a "known host" "-q -H" "0" | ||
110 | |||
111 | # Check exit code, the hash mode, unknown host | ||
112 | check_find_exit_code host-aa "unknown host" "-q -H" "1" | ||
113 | |||
91 | check_hashed_find() { | 114 | check_hashed_find() { |
92 | _host=$1 | 115 | _host=$1 |
93 | _name=$2 | 116 | _name=$2 |
@@ -110,19 +133,19 @@ check_hashed_find host-a "find simple and hash" | |||
110 | rm -f $OBJ/kh.expect | 133 | rm -f $OBJ/kh.expect |
111 | expect_key host-c host-c host-c "" CA | 134 | expect_key host-c host-c host-c "" CA |
112 | # CA key output is not hashed. | 135 | # CA key output is not hashed. |
113 | check_find host-c "find simple and hash" -H | 136 | check_find host-c "find simple and hash" -Hq |
114 | 137 | ||
115 | # Find revoked key and hash | 138 | # Find revoked key and hash |
116 | rm -f $OBJ/kh.expect | 139 | rm -f $OBJ/kh.expect |
117 | expect_key host-d host-d host-d "" REVOKED | 140 | expect_key host-d host-d host-d "" REVOKED |
118 | # Revoked key output is not hashed. | 141 | # Revoked key output is not hashed. |
119 | check_find host-d "find simple and hash" -H | 142 | check_find host-d "find simple and hash" -Hq |
120 | 143 | ||
121 | # find key with wildcard and hash | 144 | # find key with wildcard and hash |
122 | rm -f $OBJ/kh.expect | 145 | rm -f $OBJ/kh.expect |
123 | expect_key host-e "host-e*" host-e "" | 146 | expect_key host-e "host-e*" host-e "" |
124 | # Key with wildcard hostname should not be hashed. | 147 | # Key with wildcard hostname should not be hashed. |
125 | check_find host-e "find wildcard key" -H | 148 | check_find host-e "find wildcard key" -Hq |
126 | 149 | ||
127 | # find key among multiple hosts | 150 | # find key among multiple hosts |
128 | rm -f $OBJ/kh.expect | 151 | rm -f $OBJ/kh.expect |
diff --git a/regress/mkdtemp.c b/regress/mkdtemp.c new file mode 100644 index 000000000..a7be1bdab --- /dev/null +++ b/regress/mkdtemp.c | |||
@@ -0,0 +1,61 @@ | |||
1 | /* | ||
2 | * Copyright (c) 2017 Colin Watson <cjwatson@debian.org> | ||
3 | * | ||
4 | * Permission to use, copy, modify, and distribute this software for any | ||
5 | * purpose with or without fee is hereby granted, provided that the above | ||
6 | * copyright notice and this permission notice appear in all copies. | ||
7 | * | ||
8 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
9 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
10 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
11 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
12 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
13 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
14 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
15 | */ | ||
16 | |||
17 | /* Roughly equivalent to "mktemp -d -t TEMPLATE", but portable. */ | ||
18 | |||
19 | #include "includes.h" | ||
20 | |||
21 | #include <limits.h> | ||
22 | #include <stdarg.h> | ||
23 | #include <stdio.h> | ||
24 | #include <stdlib.h> | ||
25 | #include <unistd.h> | ||
26 | |||
27 | #include "log.h" | ||
28 | |||
29 | static void | ||
30 | usage(void) | ||
31 | { | ||
32 | fprintf(stderr, "mkdtemp template\n"); | ||
33 | exit(1); | ||
34 | } | ||
35 | |||
36 | int | ||
37 | main(int argc, char **argv) | ||
38 | { | ||
39 | const char *base; | ||
40 | const char *tmpdir; | ||
41 | char template[PATH_MAX]; | ||
42 | int r; | ||
43 | char *dir; | ||
44 | |||
45 | if (argc != 2) | ||
46 | usage(); | ||
47 | base = argv[1]; | ||
48 | |||
49 | if ((tmpdir = getenv("TMPDIR")) == NULL) | ||
50 | tmpdir = "/tmp"; | ||
51 | r = snprintf(template, sizeof(template), "%s/%s", tmpdir, base); | ||
52 | if (r < 0 || (size_t)r >= sizeof(template)) | ||
53 | fatal("template string too long"); | ||
54 | dir = mkdtemp(template); | ||
55 | if (dir == NULL) { | ||
56 | perror("mkdtemp"); | ||
57 | exit(1); | ||
58 | } | ||
59 | puts(dir); | ||
60 | return 0; | ||
61 | } | ||
diff --git a/regress/multiplex.sh b/regress/multiplex.sh index 078a53a88..a6fad8eb8 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh | |||
@@ -1,7 +1,8 @@ | |||
1 | # $OpenBSD: multiplex.sh,v 1.28 2017/04/30 23:34:55 djm Exp $ | 1 | # $OpenBSD: multiplex.sh,v 1.28 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | CTL=/tmp/openssh.regress.ctl-sock.$$ | 4 | make_tmpdir |
5 | CTL=${SSH_REGRESS_TMP}/ctl-sock | ||
5 | 6 | ||
6 | tid="connection multiplexing" | 7 | tid="connection multiplexing" |
7 | 8 | ||
diff --git a/regress/rekey.sh b/regress/rekey.sh index ae145bc8b..fd6a02cc7 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: rekey.sh,v 1.17 2016/01/29 05:18:15 dtucker Exp $ | 1 | # $OpenBSD: rekey.sh,v 1.18 2018/04/10 00:14:10 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="rekey" | 4 | tid="rekey" |
@@ -30,7 +30,7 @@ ssh_data_rekeying() | |||
30 | n=`expr $n - 1` | 30 | n=`expr $n - 1` |
31 | trace "$n rekeying(s)" | 31 | trace "$n rekeying(s)" |
32 | if [ $n -lt 1 ]; then | 32 | if [ $n -lt 1 ]; then |
33 | fail "no rekeying occured ($@)" | 33 | fail "no rekeying occurred ($@)" |
34 | fi | 34 | fi |
35 | } | 35 | } |
36 | 36 | ||
@@ -80,7 +80,7 @@ for s in 5 10; do | |||
80 | n=`expr $n - 1` | 80 | n=`expr $n - 1` |
81 | trace "$n rekeying(s)" | 81 | trace "$n rekeying(s)" |
82 | if [ $n -lt 1 ]; then | 82 | if [ $n -lt 1 ]; then |
83 | fail "no rekeying occured" | 83 | fail "no rekeying occurred" |
84 | fi | 84 | fi |
85 | done | 85 | done |
86 | 86 | ||
@@ -96,7 +96,7 @@ for s in 5 10; do | |||
96 | n=`expr $n - 1` | 96 | n=`expr $n - 1` |
97 | trace "$n rekeying(s)" | 97 | trace "$n rekeying(s)" |
98 | if [ $n -lt 1 ]; then | 98 | if [ $n -lt 1 ]; then |
99 | fail "no rekeying occured" | 99 | fail "no rekeying occurred" |
100 | fi | 100 | fi |
101 | done | 101 | done |
102 | 102 | ||
@@ -115,7 +115,7 @@ for s in 16 1k 128k 256k; do | |||
115 | n=`expr $n - 1` | 115 | n=`expr $n - 1` |
116 | trace "$n rekeying(s)" | 116 | trace "$n rekeying(s)" |
117 | if [ $n -lt 1 ]; then | 117 | if [ $n -lt 1 ]; then |
118 | fail "no rekeying occured" | 118 | fail "no rekeying occurred" |
119 | fi | 119 | fi |
120 | done | 120 | done |
121 | 121 | ||
@@ -132,7 +132,7 @@ for s in 5 10; do | |||
132 | n=`expr $n - 1` | 132 | n=`expr $n - 1` |
133 | trace "$n rekeying(s)" | 133 | trace "$n rekeying(s)" |
134 | if [ $n -lt 1 ]; then | 134 | if [ $n -lt 1 ]; then |
135 | fail "no rekeying occured" | 135 | fail "no rekeying occurred" |
136 | fi | 136 | fi |
137 | done | 137 | done |
138 | 138 | ||
diff --git a/regress/setuid-allowed.c b/regress/setuid-allowed.c index 7a0527fd0..d91d9f194 100644 --- a/regress/setuid-allowed.c +++ b/regress/setuid-allowed.c | |||
@@ -22,6 +22,7 @@ | |||
22 | #ifdef HAVE_SYS_STATVFS_H | 22 | #ifdef HAVE_SYS_STATVFS_H |
23 | # include <sys/statvfs.h> | 23 | # include <sys/statvfs.h> |
24 | #endif | 24 | #endif |
25 | #include <stdlib.h> | ||
25 | #include <stdio.h> | 26 | #include <stdio.h> |
26 | #include <string.h> | 27 | #include <string.h> |
27 | #include <errno.h> | 28 | #include <errno.h> |
diff --git a/regress/sshcfgparse.sh b/regress/sshcfgparse.sh index 010e02865..e0ce568d7 100644 --- a/regress/sshcfgparse.sh +++ b/regress/sshcfgparse.sh | |||
@@ -1,8 +1,27 @@ | |||
1 | # $OpenBSD: sshcfgparse.sh,v 1.2 2016/07/14 01:24:21 dtucker Exp $ | 1 | # $OpenBSD: sshcfgparse.sh,v 1.4 2018/07/04 13:51:12 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="ssh config parse" | 4 | tid="ssh config parse" |
5 | 5 | ||
6 | expect_result_present() { | ||
7 | _str="$1" ; shift | ||
8 | for _expect in "$@" ; do | ||
9 | echo "$f" | tr ',' '\n' | grep "^$_expect\$" >/dev/null | ||
10 | if test $? -ne 0 ; then | ||
11 | fail "missing expected \"$_expect\" from \"$_str\"" | ||
12 | fi | ||
13 | done | ||
14 | } | ||
15 | expect_result_absent() { | ||
16 | _str="$1" ; shift | ||
17 | for _expect in "$@" ; do | ||
18 | echo "$f" | tr ',' '\n' | grep "^$_expect\$" >/dev/null | ||
19 | if test $? -eq 0 ; then | ||
20 | fail "unexpected \"$_expect\" present in \"$_str\"" | ||
21 | fi | ||
22 | done | ||
23 | } | ||
24 | |||
6 | verbose "reparse minimal config" | 25 | verbose "reparse minimal config" |
7 | (${SSH} -G -F $OBJ/ssh_config somehost >$OBJ/ssh_config.1 && | 26 | (${SSH} -G -F $OBJ/ssh_config somehost >$OBJ/ssh_config.1 && |
8 | ${SSH} -G -F $OBJ/ssh_config.1 somehost >$OBJ/ssh_config.2 && | 27 | ${SSH} -G -F $OBJ/ssh_config.1 somehost >$OBJ/ssh_config.2 && |
@@ -25,5 +44,46 @@ f=`${SSH} -GF $OBJ/ssh_config -W a:1 -o clearallforwardings=no h | \ | |||
25 | awk '/clearallforwardings/{print $2}'` | 44 | awk '/clearallforwardings/{print $2}'` |
26 | test "$f" = "no" || fail "clearallforwardings override" | 45 | test "$f" = "no" || fail "clearallforwardings override" |
27 | 46 | ||
47 | verbose "user first match" | ||
48 | user=`awk '$1=="User" {print $2}' $OBJ/ssh_config` | ||
49 | f=`${SSH} -GF $OBJ/ssh_config host | awk '/^user /{print $2}'` | ||
50 | test "$f" = "$user" || fail "user from config, expected '$user' got '$f'" | ||
51 | f=`${SSH} -GF $OBJ/ssh_config -o user=foo -l bar baz@host | awk '/^user /{print $2}'` | ||
52 | test "$f" = "foo" || fail "user first match -oUser, expected 'foo' got '$f' " | ||
53 | f=`${SSH} -GF $OBJ/ssh_config -lbar baz@host user=foo baz@host | awk '/^user /{print $2}'` | ||
54 | test "$f" = "bar" || fail "user first match -l, expected 'bar' got '$f'" | ||
55 | f=`${SSH} -GF $OBJ/ssh_config baz@host -o user=foo -l bar baz@host | awk '/^user /{print $2}'` | ||
56 | test "$f" = "baz" || fail "user first match user@host, expected 'baz' got '$f'" | ||
57 | |||
58 | verbose "pubkeyacceptedkeytypes" | ||
59 | # Default set | ||
60 | f=`${SSH} -GF none host | awk '/^pubkeyacceptedkeytypes /{print $2}'` | ||
61 | expect_result_present "$f" "ssh-ed25519" "ssh-ed25519-cert-v01.*" | ||
62 | expect_result_absent "$f" "ssh-dss" | ||
63 | # Explicit override | ||
64 | f=`${SSH} -GF none -opubkeyacceptedkeytypes=ssh-ed25519 host | \ | ||
65 | awk '/^pubkeyacceptedkeytypes /{print $2}'` | ||
66 | expect_result_present "$f" "ssh-ed25519" | ||
67 | expect_result_absent "$f" "ssh-ed25519-cert-v01.*" "ssh-dss" | ||
68 | # Removal from default set | ||
69 | f=`${SSH} -GF none -opubkeyacceptedkeytypes=-ssh-ed25519-cert* host | \ | ||
70 | awk '/^pubkeyacceptedkeytypes /{print $2}'` | ||
71 | expect_result_present "$f" "ssh-ed25519" | ||
72 | expect_result_absent "$f" "ssh-ed25519-cert-v01.*" "ssh-dss" | ||
73 | f=`${SSH} -GF none -opubkeyacceptedkeytypes=-ssh-ed25519 host | \ | ||
74 | awk '/^pubkeyacceptedkeytypes /{print $2}'` | ||
75 | expect_result_present "$f" "ssh-ed25519-cert-v01.*" | ||
76 | expect_result_absent "$f" "ssh-ed25519" "ssh-dss" | ||
77 | # Append to default set. | ||
78 | # XXX this will break for !WITH_OPENSSL | ||
79 | f=`${SSH} -GF none -opubkeyacceptedkeytypes=+ssh-dss-cert* host | \ | ||
80 | awk '/^pubkeyacceptedkeytypes /{print $2}'` | ||
81 | expect_result_present "$f" "ssh-ed25519" "ssh-dss-cert-v01.*" | ||
82 | expect_result_absent "$f" "ssh-dss" | ||
83 | f=`${SSH} -GF none -opubkeyacceptedkeytypes=+ssh-dss host | \ | ||
84 | awk '/^pubkeyacceptedkeytypes /{print $2}'` | ||
85 | expect_result_present "$f" "ssh-ed25519" "ssh-ed25519-cert-v01.*" "ssh-dss" | ||
86 | expect_result_absent "$f" "ssh-dss-cert-v01.*" | ||
87 | |||
28 | # cleanup | 88 | # cleanup |
29 | rm -f $OBJ/ssh_config.[012] | 89 | rm -f $OBJ/ssh_config.[012] |
diff --git a/regress/test-exec.sh b/regress/test-exec.sh index b6169f157..40d46e3cd 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: test-exec.sh,v 1.62 2018/03/16 09:06:31 dtucker Exp $ | 1 | # $OpenBSD: test-exec.sh,v 1.64 2018/08/10 01:35:49 dtucker Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | #SUDO=sudo | 4 | #SUDO=sudo |
@@ -76,6 +76,9 @@ SFTP=sftp | |||
76 | SFTPSERVER=/usr/libexec/openssh/sftp-server | 76 | SFTPSERVER=/usr/libexec/openssh/sftp-server |
77 | SCP=scp | 77 | SCP=scp |
78 | 78 | ||
79 | # Set by make_tmpdir() on demand (below). | ||
80 | SSH_REGRESS_TMP= | ||
81 | |||
79 | # Interop testing | 82 | # Interop testing |
80 | PLINK=plink | 83 | PLINK=plink |
81 | PUTTYGEN=puttygen | 84 | PUTTYGEN=puttygen |
@@ -163,9 +166,13 @@ if [ "x$USE_VALGRIND" != "x" ]; then | |||
163 | esac | 166 | esac |
164 | 167 | ||
165 | if [ x"$VG_SKIP" = "x" ]; then | 168 | if [ x"$VG_SKIP" = "x" ]; then |
169 | VG_LEAK="--leak-check=no" | ||
170 | if [ x"$VALGRIND_CHECK_LEAKS" != "x" ]; then | ||
171 | VG_LEAK="--leak-check=full" | ||
172 | fi | ||
166 | VG_IGNORE="/bin/*,/sbin/*,/usr/*,/var/*" | 173 | VG_IGNORE="/bin/*,/sbin/*,/usr/*,/var/*" |
167 | VG_LOG="$OBJ/valgrind-out/${VG_TEST}." | 174 | VG_LOG="$OBJ/valgrind-out/${VG_TEST}." |
168 | VG_OPTS="--track-origins=yes --leak-check=full" | 175 | VG_OPTS="--track-origins=yes $VG_LEAK" |
169 | VG_OPTS="$VG_OPTS --trace-children=yes" | 176 | VG_OPTS="$VG_OPTS --trace-children=yes" |
170 | VG_OPTS="$VG_OPTS --trace-children-skip=${VG_IGNORE}" | 177 | VG_OPTS="$VG_OPTS --trace-children-skip=${VG_IGNORE}" |
171 | VG_PATH="valgrind" | 178 | VG_PATH="valgrind" |
@@ -318,6 +325,12 @@ stop_sshd () | |||
318 | fi | 325 | fi |
319 | } | 326 | } |
320 | 327 | ||
328 | make_tmpdir () | ||
329 | { | ||
330 | SSH_REGRESS_TMP="$($OBJ/mkdtemp openssh-XXXXXXXX)" || \ | ||
331 | fatal "failed to create temporary directory" | ||
332 | } | ||
333 | |||
321 | # helper | 334 | # helper |
322 | cleanup () | 335 | cleanup () |
323 | { | 336 | { |
@@ -328,6 +341,9 @@ cleanup () | |||
328 | kill $SSH_PID | 341 | kill $SSH_PID |
329 | fi | 342 | fi |
330 | fi | 343 | fi |
344 | if [ "x$SSH_REGRESS_TMP" != "x" ]; then | ||
345 | rm -rf "$SSH_REGRESS_TMP" | ||
346 | fi | ||
331 | stop_sshd | 347 | stop_sshd |
332 | } | 348 | } |
333 | 349 | ||
@@ -375,7 +391,10 @@ fail () | |||
375 | save_debug_log "FAIL: $@" | 391 | save_debug_log "FAIL: $@" |
376 | RESULT=1 | 392 | RESULT=1 |
377 | echo "$@" | 393 | echo "$@" |
378 | 394 | if test "x$TEST_SSH_FAIL_FATAL" != "x" ; then | |
395 | cleanup | ||
396 | exit $RESULT | ||
397 | fi | ||
379 | } | 398 | } |
380 | 399 | ||
381 | fatal () | 400 | fatal () |
@@ -512,10 +531,13 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then | |||
512 | >> $OBJ/authorized_keys_$USER | 531 | >> $OBJ/authorized_keys_$USER |
513 | 532 | ||
514 | # Convert rsa2 host key to PuTTY format | 533 | # Convert rsa2 host key to PuTTY format |
515 | ${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/rsa > \ | 534 | cp $OBJ/rsa $OBJ/rsa_oldfmt |
535 | ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/rsa_oldfmt >/dev/null | ||
536 | ${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/rsa_oldfmt > \ | ||
516 | ${OBJ}/.putty/sshhostkeys | 537 | ${OBJ}/.putty/sshhostkeys |
517 | ${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/rsa >> \ | 538 | ${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/rsa_oldfmt >> \ |
518 | ${OBJ}/.putty/sshhostkeys | 539 | ${OBJ}/.putty/sshhostkeys |
540 | rm -f $OBJ/rsa_oldfmt | ||
519 | 541 | ||
520 | # Setup proxied session | 542 | # Setup proxied session |
521 | mkdir -p ${OBJ}/.putty/sessions | 543 | mkdir -p ${OBJ}/.putty/sessions |
diff --git a/regress/unittests/hostkeys/test_iterate.c b/regress/unittests/hostkeys/test_iterate.c index 751825dda..d6963bd2a 100644 --- a/regress/unittests/hostkeys/test_iterate.c +++ b/regress/unittests/hostkeys/test_iterate.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: test_iterate.c,v 1.5 2017/04/30 23:33:48 djm Exp $ */ | 1 | /* $OpenBSD: test_iterate.c,v 1.6 2018/07/16 03:09:59 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Regress test for hostfile.h hostkeys_foreach() | 3 | * Regress test for hostfile.h hostkeys_foreach() |
4 | * | 4 | * |
@@ -152,6 +152,17 @@ prepare_expected(struct expected *expected, size_t n) | |||
152 | } | 152 | } |
153 | } | 153 | } |
154 | 154 | ||
155 | static void | ||
156 | cleanup_expected(struct expected *expected, size_t n) | ||
157 | { | ||
158 | size_t i; | ||
159 | |||
160 | for (i = 0; i < n; i++) { | ||
161 | sshkey_free(expected[i].l.key); | ||
162 | expected[i].l.key = NULL; | ||
163 | } | ||
164 | } | ||
165 | |||
155 | struct expected expected_full[] = { | 166 | struct expected expected_full[] = { |
156 | { NULL, -1, -1, 0, 0, 0, 0, -1, { | 167 | { NULL, -1, -1, 0, 0, 0, 0, -1, { |
157 | NULL, /* path, don't care */ | 168 | NULL, /* path, don't care */ |
@@ -825,6 +836,7 @@ test_iterate(void) | |||
825 | prepare_expected(expected_full, ctx.nexpected); | 836 | prepare_expected(expected_full, ctx.nexpected); |
826 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), | 837 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), |
827 | check, &ctx, NULL, NULL, ctx.flags), 0); | 838 | check, &ctx, NULL, NULL, ctx.flags), 0); |
839 | cleanup_expected(expected_full, ctx.nexpected); | ||
828 | TEST_DONE(); | 840 | TEST_DONE(); |
829 | 841 | ||
830 | TEST_START("hostkeys_iterate all without key parse"); | 842 | TEST_START("hostkeys_iterate all without key parse"); |
@@ -835,6 +847,7 @@ test_iterate(void) | |||
835 | prepare_expected(expected_full, ctx.nexpected); | 847 | prepare_expected(expected_full, ctx.nexpected); |
836 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), | 848 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), |
837 | check, &ctx, NULL, NULL, ctx.flags), 0); | 849 | check, &ctx, NULL, NULL, ctx.flags), 0); |
850 | cleanup_expected(expected_full, ctx.nexpected); | ||
838 | TEST_DONE(); | 851 | TEST_DONE(); |
839 | 852 | ||
840 | TEST_START("hostkeys_iterate specify host 1"); | 853 | TEST_START("hostkeys_iterate specify host 1"); |
@@ -846,6 +859,7 @@ test_iterate(void) | |||
846 | prepare_expected(expected_full, ctx.nexpected); | 859 | prepare_expected(expected_full, ctx.nexpected); |
847 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), | 860 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), |
848 | check, &ctx, "prometheus.example.com", NULL, ctx.flags), 0); | 861 | check, &ctx, "prometheus.example.com", NULL, ctx.flags), 0); |
862 | cleanup_expected(expected_full, ctx.nexpected); | ||
849 | TEST_DONE(); | 863 | TEST_DONE(); |
850 | 864 | ||
851 | TEST_START("hostkeys_iterate specify host 2"); | 865 | TEST_START("hostkeys_iterate specify host 2"); |
@@ -857,6 +871,7 @@ test_iterate(void) | |||
857 | prepare_expected(expected_full, ctx.nexpected); | 871 | prepare_expected(expected_full, ctx.nexpected); |
858 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), | 872 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), |
859 | check, &ctx, "sisyphus.example.com", NULL, ctx.flags), 0); | 873 | check, &ctx, "sisyphus.example.com", NULL, ctx.flags), 0); |
874 | cleanup_expected(expected_full, ctx.nexpected); | ||
860 | TEST_DONE(); | 875 | TEST_DONE(); |
861 | 876 | ||
862 | TEST_START("hostkeys_iterate match host 1"); | 877 | TEST_START("hostkeys_iterate match host 1"); |
@@ -868,6 +883,7 @@ test_iterate(void) | |||
868 | prepare_expected(expected_full, ctx.nexpected); | 883 | prepare_expected(expected_full, ctx.nexpected); |
869 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), | 884 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), |
870 | check, &ctx, "prometheus.example.com", NULL, ctx.flags), 0); | 885 | check, &ctx, "prometheus.example.com", NULL, ctx.flags), 0); |
886 | cleanup_expected(expected_full, ctx.nexpected); | ||
871 | TEST_DONE(); | 887 | TEST_DONE(); |
872 | 888 | ||
873 | TEST_START("hostkeys_iterate match host 2"); | 889 | TEST_START("hostkeys_iterate match host 2"); |
@@ -879,6 +895,7 @@ test_iterate(void) | |||
879 | prepare_expected(expected_full, ctx.nexpected); | 895 | prepare_expected(expected_full, ctx.nexpected); |
880 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), | 896 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), |
881 | check, &ctx, "sisyphus.example.com", NULL, ctx.flags), 0); | 897 | check, &ctx, "sisyphus.example.com", NULL, ctx.flags), 0); |
898 | cleanup_expected(expected_full, ctx.nexpected); | ||
882 | TEST_DONE(); | 899 | TEST_DONE(); |
883 | 900 | ||
884 | TEST_START("hostkeys_iterate specify host missing"); | 901 | TEST_START("hostkeys_iterate specify host missing"); |
@@ -889,6 +906,7 @@ test_iterate(void) | |||
889 | prepare_expected(expected_full, ctx.nexpected); | 906 | prepare_expected(expected_full, ctx.nexpected); |
890 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), | 907 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), |
891 | check, &ctx, "actaeon.example.org", NULL, ctx.flags), 0); | 908 | check, &ctx, "actaeon.example.org", NULL, ctx.flags), 0); |
909 | cleanup_expected(expected_full, ctx.nexpected); | ||
892 | TEST_DONE(); | 910 | TEST_DONE(); |
893 | 911 | ||
894 | TEST_START("hostkeys_iterate match host missing"); | 912 | TEST_START("hostkeys_iterate match host missing"); |
@@ -899,6 +917,7 @@ test_iterate(void) | |||
899 | prepare_expected(expected_full, ctx.nexpected); | 917 | prepare_expected(expected_full, ctx.nexpected); |
900 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), | 918 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), |
901 | check, &ctx, "actaeon.example.org", NULL, ctx.flags), 0); | 919 | check, &ctx, "actaeon.example.org", NULL, ctx.flags), 0); |
920 | cleanup_expected(expected_full, ctx.nexpected); | ||
902 | TEST_DONE(); | 921 | TEST_DONE(); |
903 | 922 | ||
904 | TEST_START("hostkeys_iterate specify IPv4"); | 923 | TEST_START("hostkeys_iterate specify IPv4"); |
@@ -910,6 +929,7 @@ test_iterate(void) | |||
910 | prepare_expected(expected_full, ctx.nexpected); | 929 | prepare_expected(expected_full, ctx.nexpected); |
911 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), | 930 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), |
912 | check, &ctx, "tiresias.example.org", "192.0.2.1", ctx.flags), 0); | 931 | check, &ctx, "tiresias.example.org", "192.0.2.1", ctx.flags), 0); |
932 | cleanup_expected(expected_full, ctx.nexpected); | ||
913 | TEST_DONE(); | 933 | TEST_DONE(); |
914 | 934 | ||
915 | TEST_START("hostkeys_iterate specify IPv6"); | 935 | TEST_START("hostkeys_iterate specify IPv6"); |
@@ -921,6 +941,7 @@ test_iterate(void) | |||
921 | prepare_expected(expected_full, ctx.nexpected); | 941 | prepare_expected(expected_full, ctx.nexpected); |
922 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), | 942 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), |
923 | check, &ctx, "tiresias.example.org", "2001:db8::1", ctx.flags), 0); | 943 | check, &ctx, "tiresias.example.org", "2001:db8::1", ctx.flags), 0); |
944 | cleanup_expected(expected_full, ctx.nexpected); | ||
924 | TEST_DONE(); | 945 | TEST_DONE(); |
925 | 946 | ||
926 | TEST_START("hostkeys_iterate match IPv4"); | 947 | TEST_START("hostkeys_iterate match IPv4"); |
@@ -932,6 +953,7 @@ test_iterate(void) | |||
932 | prepare_expected(expected_full, ctx.nexpected); | 953 | prepare_expected(expected_full, ctx.nexpected); |
933 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), | 954 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), |
934 | check, &ctx, "tiresias.example.org", "192.0.2.1", ctx.flags), 0); | 955 | check, &ctx, "tiresias.example.org", "192.0.2.1", ctx.flags), 0); |
956 | cleanup_expected(expected_full, ctx.nexpected); | ||
935 | TEST_DONE(); | 957 | TEST_DONE(); |
936 | 958 | ||
937 | TEST_START("hostkeys_iterate match IPv6"); | 959 | TEST_START("hostkeys_iterate match IPv6"); |
@@ -943,6 +965,7 @@ test_iterate(void) | |||
943 | prepare_expected(expected_full, ctx.nexpected); | 965 | prepare_expected(expected_full, ctx.nexpected); |
944 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), | 966 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), |
945 | check, &ctx, "tiresias.example.org", "2001:db8::1", ctx.flags), 0); | 967 | check, &ctx, "tiresias.example.org", "2001:db8::1", ctx.flags), 0); |
968 | cleanup_expected(expected_full, ctx.nexpected); | ||
946 | TEST_DONE(); | 969 | TEST_DONE(); |
947 | 970 | ||
948 | TEST_START("hostkeys_iterate specify addr missing"); | 971 | TEST_START("hostkeys_iterate specify addr missing"); |
@@ -953,6 +976,7 @@ test_iterate(void) | |||
953 | prepare_expected(expected_full, ctx.nexpected); | 976 | prepare_expected(expected_full, ctx.nexpected); |
954 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), | 977 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), |
955 | check, &ctx, "tiresias.example.org", "192.168.0.1", ctx.flags), 0); | 978 | check, &ctx, "tiresias.example.org", "192.168.0.1", ctx.flags), 0); |
979 | cleanup_expected(expected_full, ctx.nexpected); | ||
956 | TEST_DONE(); | 980 | TEST_DONE(); |
957 | 981 | ||
958 | TEST_START("hostkeys_iterate match addr missing"); | 982 | TEST_START("hostkeys_iterate match addr missing"); |
@@ -963,6 +987,7 @@ test_iterate(void) | |||
963 | prepare_expected(expected_full, ctx.nexpected); | 987 | prepare_expected(expected_full, ctx.nexpected); |
964 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), | 988 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), |
965 | check, &ctx, "tiresias.example.org", "::1", ctx.flags), 0); | 989 | check, &ctx, "tiresias.example.org", "::1", ctx.flags), 0); |
990 | cleanup_expected(expected_full, ctx.nexpected); | ||
966 | TEST_DONE(); | 991 | TEST_DONE(); |
967 | 992 | ||
968 | TEST_START("hostkeys_iterate specify host 2 and IPv4"); | 993 | TEST_START("hostkeys_iterate specify host 2 and IPv4"); |
@@ -975,6 +1000,7 @@ test_iterate(void) | |||
975 | prepare_expected(expected_full, ctx.nexpected); | 1000 | prepare_expected(expected_full, ctx.nexpected); |
976 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), | 1001 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), |
977 | check, &ctx, "sisyphus.example.com", "192.0.2.1", ctx.flags), 0); | 1002 | check, &ctx, "sisyphus.example.com", "192.0.2.1", ctx.flags), 0); |
1003 | cleanup_expected(expected_full, ctx.nexpected); | ||
978 | TEST_DONE(); | 1004 | TEST_DONE(); |
979 | 1005 | ||
980 | TEST_START("hostkeys_iterate match host 1 and IPv6"); | 1006 | TEST_START("hostkeys_iterate match host 1 and IPv6"); |
@@ -986,7 +1012,9 @@ test_iterate(void) | |||
986 | ctx.match_ipv6 = 1; | 1012 | ctx.match_ipv6 = 1; |
987 | prepare_expected(expected_full, ctx.nexpected); | 1013 | prepare_expected(expected_full, ctx.nexpected); |
988 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), | 1014 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), |
989 | check, &ctx, "prometheus.example.com", "2001:db8::1", ctx.flags), 0); | 1015 | check, &ctx, "prometheus.example.com", |
1016 | "2001:db8::1", ctx.flags), 0); | ||
1017 | cleanup_expected(expected_full, ctx.nexpected); | ||
990 | TEST_DONE(); | 1018 | TEST_DONE(); |
991 | 1019 | ||
992 | TEST_START("hostkeys_iterate specify host 2 and IPv4 w/ key parse"); | 1020 | TEST_START("hostkeys_iterate specify host 2 and IPv4 w/ key parse"); |
@@ -999,6 +1027,7 @@ test_iterate(void) | |||
999 | prepare_expected(expected_full, ctx.nexpected); | 1027 | prepare_expected(expected_full, ctx.nexpected); |
1000 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), | 1028 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), |
1001 | check, &ctx, "sisyphus.example.com", "192.0.2.1", ctx.flags), 0); | 1029 | check, &ctx, "sisyphus.example.com", "192.0.2.1", ctx.flags), 0); |
1030 | cleanup_expected(expected_full, ctx.nexpected); | ||
1002 | TEST_DONE(); | 1031 | TEST_DONE(); |
1003 | 1032 | ||
1004 | TEST_START("hostkeys_iterate match host 1 and IPv6 w/ key parse"); | 1033 | TEST_START("hostkeys_iterate match host 1 and IPv6 w/ key parse"); |
@@ -1010,7 +1039,9 @@ test_iterate(void) | |||
1010 | ctx.match_ipv6 = 1; | 1039 | ctx.match_ipv6 = 1; |
1011 | prepare_expected(expected_full, ctx.nexpected); | 1040 | prepare_expected(expected_full, ctx.nexpected); |
1012 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), | 1041 | ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"), |
1013 | check, &ctx, "prometheus.example.com", "2001:db8::1", ctx.flags), 0); | 1042 | check, &ctx, "prometheus.example.com", |
1043 | "2001:db8::1", ctx.flags), 0); | ||
1044 | cleanup_expected(expected_full, ctx.nexpected); | ||
1014 | TEST_DONE(); | 1045 | TEST_DONE(); |
1015 | } | 1046 | } |
1016 | 1047 | ||
diff --git a/regress/unittests/match/tests.c b/regress/unittests/match/tests.c index e1593367b..3d9af55f2 100644 --- a/regress/unittests/match/tests.c +++ b/regress/unittests/match/tests.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: tests.c,v 1.4 2017/02/03 23:01:42 djm Exp $ */ | 1 | /* $OpenBSD: tests.c,v 1.5 2018/07/04 13:51:45 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Regress test for matching functions | 3 | * Regress test for matching functions |
4 | * | 4 | * |
@@ -105,7 +105,7 @@ tests(void) | |||
105 | 105 | ||
106 | #define CHECK_FILTER(string,filter,expected) \ | 106 | #define CHECK_FILTER(string,filter,expected) \ |
107 | do { \ | 107 | do { \ |
108 | char *result = match_filter_list((string), (filter)); \ | 108 | char *result = match_filter_blacklist((string), (filter)); \ |
109 | ASSERT_STRING_EQ(result, expected); \ | 109 | ASSERT_STRING_EQ(result, expected); \ |
110 | free(result); \ | 110 | free(result); \ |
111 | } while (0) | 111 | } while (0) |
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c index 1aa608f92..72367bde7 100644 --- a/regress/unittests/sshkey/test_sshkey.c +++ b/regress/unittests/sshkey/test_sshkey.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: test_sshkey.c,v 1.13 2017/12/21 00:41:22 djm Exp $ */ | 1 | /* $OpenBSD: test_sshkey.c,v 1.14 2018/07/13 02:13:19 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Regress test for sshkey.h key management API | 3 | * Regress test for sshkey.h key management API |
4 | * | 4 | * |
@@ -434,10 +434,13 @@ sshkey_tests(void) | |||
434 | ASSERT_PTR_NE(k1->cert->principals[1], NULL); | 434 | ASSERT_PTR_NE(k1->cert->principals[1], NULL); |
435 | ASSERT_PTR_NE(k1->cert->principals[2], NULL); | 435 | ASSERT_PTR_NE(k1->cert->principals[2], NULL); |
436 | ASSERT_PTR_NE(k1->cert->principals[3], NULL); | 436 | ASSERT_PTR_NE(k1->cert->principals[3], NULL); |
437 | k1->cert->nprincipals = 4; | ||
437 | k1->cert->valid_after = 0; | 438 | k1->cert->valid_after = 0; |
438 | k1->cert->valid_before = (u_int64_t)-1; | 439 | k1->cert->valid_before = (u_int64_t)-1; |
440 | sshbuf_free(k1->cert->critical); | ||
439 | k1->cert->critical = sshbuf_new(); | 441 | k1->cert->critical = sshbuf_new(); |
440 | ASSERT_PTR_NE(k1->cert->critical, NULL); | 442 | ASSERT_PTR_NE(k1->cert->critical, NULL); |
443 | sshbuf_free(k1->cert->extensions); | ||
441 | k1->cert->extensions = sshbuf_new(); | 444 | k1->cert->extensions = sshbuf_new(); |
442 | ASSERT_PTR_NE(k1->cert->extensions, NULL); | 445 | ASSERT_PTR_NE(k1->cert->extensions, NULL); |
443 | put_opt(k1->cert->critical, "force-command", "/usr/bin/true"); | 446 | put_opt(k1->cert->critical, "force-command", "/usr/bin/true"); |
diff --git a/regress/valgrind-unit.sh b/regress/valgrind-unit.sh index 433cb069a..4143ead4b 100755 --- a/regress/valgrind-unit.sh +++ b/regress/valgrind-unit.sh | |||
@@ -7,10 +7,12 @@ UNIT_ARGS="$@" | |||
7 | test "x$OBJ" = "x" && OBJ=$PWD | 7 | test "x$OBJ" = "x" && OBJ=$PWD |
8 | 8 | ||
9 | # This mostly replicates the logic in test-exec.sh for running the | 9 | # This mostly replicates the logic in test-exec.sh for running the |
10 | # regress tests under valgrind. | 10 | # regress tests under valgrind, except that we unconditionally enable |
11 | # leak checking because the unit tests should be clean. | ||
12 | VG_LEAK="--leak-check=full" | ||
11 | VG_TEST=`basename $UNIT_BINARY` | 13 | VG_TEST=`basename $UNIT_BINARY` |
12 | VG_LOG="$OBJ/valgrind-out/${VG_TEST}.%p" | 14 | VG_LOG="$OBJ/valgrind-out/${VG_TEST}.%p" |
13 | VG_OPTS="--track-origins=yes --leak-check=full --log-file=${VG_LOG}" | 15 | VG_OPTS="--track-origins=yes $VG_LEAK --log-file=${VG_LOG}" |
14 | VG_OPTS="$VG_OPTS --trace-children=yes" | 16 | VG_OPTS="$VG_OPTS --trace-children=yes" |
15 | VG_PATH="valgrind" | 17 | VG_PATH="valgrind" |
16 | if [ "x$VALGRIND_PATH" != "x" ]; then | 18 | if [ "x$VALGRIND_PATH" != "x" ]; then |