diff options
Diffstat (limited to 'regress')
28 files changed, 314 insertions, 289 deletions
diff --git a/regress/Makefile b/regress/Makefile index 6e462a4f6..6fdfcc8ca 100644 --- a/regress/Makefile +++ b/regress/Makefile | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: Makefile,v 1.97 2018/06/07 04:46:34 djm Exp $ | 1 | # $OpenBSD: Makefile,v 1.100 2019/01/20 23:24:19 djm Exp $ |
| 2 | 2 | ||
| 3 | REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec | 3 | REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec |
| 4 | tests: prep $(REGRESS_TARGETS) | 4 | tests: prep $(REGRESS_TARGETS) |
| @@ -11,7 +11,6 @@ prep: | |||
| 11 | 11 | ||
| 12 | clean: | 12 | clean: |
| 13 | for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done | 13 | for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done |
| 14 | test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN} | ||
| 15 | rm -rf $(OBJ).putty | 14 | rm -rf $(OBJ).putty |
| 16 | 15 | ||
| 17 | distclean: clean | 16 | distclean: clean |
| @@ -92,7 +91,8 @@ LTESTS= connect \ | |||
| 92 | INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers | 91 | INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers |
| 93 | #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp | 92 | #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp |
| 94 | 93 | ||
| 95 | #LTESTS= cipher-speed | 94 | EXTRA_TESTS= agent-pkcs11 |
| 95 | #EXTRA_TESTS+= cipher-speed | ||
| 96 | 96 | ||
| 97 | USERNAME= ${LOGNAME} | 97 | USERNAME= ${LOGNAME} |
| 98 | CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ | 98 | CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ |
| @@ -123,8 +123,6 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ | |||
| 123 | t8.out t8.out.pub t9.out t9.out.pub testdata \ | 123 | t8.out t8.out.pub t9.out t9.out.pub testdata \ |
| 124 | user_*key* user_ca* user_key* | 124 | user_*key* user_ca* user_key* |
| 125 | 125 | ||
| 126 | SUDO_CLEAN+= /var/run/testdata_${USERNAME} /var/run/keycommand_${USERNAME} | ||
| 127 | |||
| 128 | # Enable all malloc(3) randomisations and checks | 126 | # Enable all malloc(3) randomisations and checks |
| 129 | TEST_ENV= "MALLOC_OPTIONS=CFGJRSUX" | 127 | TEST_ENV= "MALLOC_OPTIONS=CFGJRSUX" |
| 130 | 128 | ||
| @@ -218,6 +216,13 @@ t-exec-interop: ${INTEROP_TESTS:=.sh} | |||
| 218 | (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ | 216 | (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ |
| 219 | done | 217 | done |
| 220 | 218 | ||
| 219 | t-extra: ${EXTRA_TESTS:=.sh} | ||
| 220 | @if [ "x$?" = "x" ]; then exit 0; fi; \ | ||
| 221 | for TEST in ""$?; do \ | ||
| 222 | echo "run test $${TEST}" ... 1>&2; \ | ||
| 223 | (env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \ | ||
| 224 | done | ||
| 225 | |||
| 221 | # Not run by default | 226 | # Not run by default |
| 222 | interop: ${INTEROP_TARGETS} | 227 | interop: ${INTEROP_TARGETS} |
| 223 | 228 | ||
diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh index db3018b88..5205d9067 100644 --- a/regress/agent-pkcs11.sh +++ b/regress/agent-pkcs11.sh | |||
| @@ -1,16 +1,53 @@ | |||
| 1 | # $OpenBSD: agent-pkcs11.sh,v 1.3 2017/04/30 23:34:55 djm Exp $ | 1 | # $OpenBSD: agent-pkcs11.sh,v 1.6 2019/01/21 09:13:41 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="pkcs11 agent test" | 4 | tid="pkcs11 agent test" |
| 5 | 5 | ||
| 6 | TEST_SSH_PIN="" | 6 | try_token_libs() { |
| 7 | TEST_SSH_PKCS11=/usr/local/lib/soft-pkcs11.so.0.0 | 7 | for _lib in "$@" ; do |
| 8 | if test -f "$_lib" ; then | ||
| 9 | verbose "Using token library $_lib" | ||
| 10 | TEST_SSH_PKCS11="$_lib" | ||
| 11 | return | ||
| 12 | fi | ||
| 13 | done | ||
| 14 | echo "skipped: Unable to find PKCS#11 token library" | ||
| 15 | exit 0 | ||
| 16 | } | ||
| 17 | |||
| 18 | try_token_libs \ | ||
| 19 | /usr/local/lib/softhsm/libsofthsm2.so \ | ||
| 20 | /usr/lib64/pkcs11/libsofthsm2.so \ | ||
| 21 | /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so | ||
| 22 | |||
| 23 | TEST_SSH_PIN=1234 | ||
| 24 | TEST_SSH_SOPIN=12345678 | ||
| 25 | if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then | ||
| 26 | SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}" | ||
| 27 | export SSH_PKCS11_HELPER | ||
| 28 | fi | ||
| 8 | 29 | ||
| 9 | test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist" | 30 | test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist" |
| 10 | 31 | ||
| 11 | # setup environment for soft-pkcs11 token | 32 | # setup environment for softhsm2 token |
| 12 | SOFTPKCS11RC=$OBJ/pkcs11.info | 33 | DIR=$OBJ/SOFTHSM |
| 13 | export SOFTPKCS11RC | 34 | rm -rf $DIR |
| 35 | TOKEN=$DIR/tokendir | ||
| 36 | mkdir -p $TOKEN | ||
| 37 | SOFTHSM2_CONF=$DIR/softhsm2.conf | ||
| 38 | export SOFTHSM2_CONF | ||
| 39 | cat > $SOFTHSM2_CONF << EOF | ||
| 40 | # SoftHSM v2 configuration file | ||
| 41 | directories.tokendir = ${TOKEN} | ||
| 42 | objectstore.backend = file | ||
| 43 | # ERROR, WARNING, INFO, DEBUG | ||
| 44 | log.level = DEBUG | ||
| 45 | # If CKF_REMOVABLE_DEVICE flag should be set | ||
| 46 | slots.removable = false | ||
| 47 | EOF | ||
| 48 | out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN") | ||
| 49 | slot=$(echo -- $out | sed 's/.* //') | ||
| 50 | |||
| 14 | # prevent ssh-agent from calling ssh-askpass | 51 | # prevent ssh-agent from calling ssh-askpass |
| 15 | SSH_ASKPASS=/usr/bin/true | 52 | SSH_ASKPASS=/usr/bin/true |
| 16 | export SSH_ASKPASS | 53 | export SSH_ASKPASS |
| @@ -22,22 +59,27 @@ notty() { | |||
| 22 | if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@" | 59 | if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@" |
| 23 | } | 60 | } |
| 24 | 61 | ||
| 62 | trace "generating keys" | ||
| 63 | RSA=${DIR}/RSA | ||
| 64 | EC=${DIR}/EC | ||
| 65 | openssl genpkey -algorithm rsa > $RSA | ||
| 66 | openssl pkcs8 -nocrypt -in $RSA |\ | ||
| 67 | softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" --import /dev/stdin | ||
| 68 | openssl genpkey \ | ||
| 69 | -genparam \ | ||
| 70 | -algorithm ec \ | ||
| 71 | -pkeyopt ec_paramgen_curve:prime256v1 |\ | ||
| 72 | openssl genpkey \ | ||
| 73 | -paramfile /dev/stdin > $EC | ||
| 74 | openssl pkcs8 -nocrypt -in $EC |\ | ||
| 75 | softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" --import /dev/stdin | ||
| 76 | |||
| 25 | trace "start agent" | 77 | trace "start agent" |
| 26 | eval `${SSHAGENT} -s` > /dev/null | 78 | eval `${SSHAGENT} -s` > /dev/null |
| 27 | r=$? | 79 | r=$? |
| 28 | if [ $r -ne 0 ]; then | 80 | if [ $r -ne 0 ]; then |
| 29 | fail "could not start ssh-agent: exit code $r" | 81 | fail "could not start ssh-agent: exit code $r" |
| 30 | else | 82 | else |
| 31 | trace "generating key/cert" | ||
| 32 | rm -f $OBJ/pkcs11.key $OBJ/pkcs11.crt | ||
| 33 | openssl genrsa -out $OBJ/pkcs11.key 2048 > /dev/null 2>&1 | ||
| 34 | chmod 600 $OBJ/pkcs11.key | ||
| 35 | openssl req -key $OBJ/pkcs11.key -new -x509 \ | ||
| 36 | -out $OBJ/pkcs11.crt -text -subj '/CN=pkcs11 test' > /dev/null | ||
| 37 | printf "a\ta\t$OBJ/pkcs11.crt\t$OBJ/pkcs11.key" > $SOFTPKCS11RC | ||
| 38 | # add to authorized keys | ||
| 39 | ${SSHKEYGEN} -y -f $OBJ/pkcs11.key > $OBJ/authorized_keys_$USER | ||
| 40 | |||
| 41 | trace "add pkcs11 key to agent" | 83 | trace "add pkcs11 key to agent" |
| 42 | echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1 | 84 | echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1 |
| 43 | r=$? | 85 | r=$? |
| @@ -52,12 +94,23 @@ else | |||
| 52 | fail "ssh-add -l failed: exit code $r" | 94 | fail "ssh-add -l failed: exit code $r" |
| 53 | fi | 95 | fi |
| 54 | 96 | ||
| 55 | trace "pkcs11 connect via agent" | 97 | for k in $RSA $EC; do |
| 56 | ${SSH} -F $OBJ/ssh_proxy somehost exit 5 | 98 | trace "testing $k" |
| 57 | r=$? | 99 | chmod 600 $k |
| 58 | if [ $r -ne 5 ]; then | 100 | ssh-keygen -y -f $k > $k.pub |
| 59 | fail "ssh connect failed (exit code $r)" | 101 | pub=$(cat $k.pub) |
| 60 | fi | 102 | ${SSHADD} -L | grep -q "$pub" || fail "key $k missing in ssh-add -L" |
| 103 | ${SSHADD} -T $k.pub || fail "ssh-add -T with $k failed" | ||
| 104 | |||
| 105 | # add to authorized keys | ||
| 106 | cat $k.pub > $OBJ/authorized_keys_$USER | ||
| 107 | trace "pkcs11 connect via agent ($k)" | ||
| 108 | ${SSH} -F $OBJ/ssh_proxy somehost exit 5 | ||
| 109 | r=$? | ||
| 110 | if [ $r -ne 5 ]; then | ||
| 111 | fail "ssh connect failed (exit code $r)" | ||
| 112 | fi | ||
| 113 | done | ||
| 61 | 114 | ||
| 62 | trace "remove pkcs11 keys" | 115 | trace "remove pkcs11 keys" |
| 63 | echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1 | 116 | echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1 |
diff --git a/regress/agent-timeout.sh b/regress/agent-timeout.sh index 9598c2032..80012f80c 100644 --- a/regress/agent-timeout.sh +++ b/regress/agent-timeout.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: agent-timeout.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: agent-timeout.sh,v 1.4 2019/01/28 00:08:26 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="agent timeout test" | 4 | tid="agent timeout test" |
| @@ -12,16 +12,18 @@ if [ $r -ne 0 ]; then | |||
| 12 | fail "could not start ssh-agent: exit code $r" | 12 | fail "could not start ssh-agent: exit code $r" |
| 13 | else | 13 | else |
| 14 | trace "add keys with timeout" | 14 | trace "add keys with timeout" |
| 15 | keys=0 | ||
| 15 | for t in ${SSH_KEYTYPES}; do | 16 | for t in ${SSH_KEYTYPES}; do |
| 16 | ${SSHADD} -t ${SSHAGENT_TIMEOUT} $OBJ/$t > /dev/null 2>&1 | 17 | ${SSHADD} -t ${SSHAGENT_TIMEOUT} $OBJ/$t > /dev/null 2>&1 |
| 17 | if [ $? -ne 0 ]; then | 18 | if [ $? -ne 0 ]; then |
| 18 | fail "ssh-add did succeed exit code 0" | 19 | fail "ssh-add did succeed exit code 0" |
| 19 | fi | 20 | fi |
| 21 | keys=$((${keys} + 1)) | ||
| 20 | done | 22 | done |
| 21 | n=`${SSHADD} -l 2> /dev/null | wc -l` | 23 | n=`${SSHADD} -l 2> /dev/null | wc -l` |
| 22 | trace "agent has $n keys" | 24 | trace "agent has $n keys" |
| 23 | if [ $n -ne 2 ]; then | 25 | if [ $n -ne $keys ]; then |
| 24 | fail "ssh-add -l did not return 2 keys: $n" | 26 | fail "ssh-add -l did not return $keys keys: $n" |
| 25 | fi | 27 | fi |
| 26 | trace "sleeping 2*${SSHAGENT_TIMEOUT} seconds" | 28 | trace "sleeping 2*${SSHAGENT_TIMEOUT} seconds" |
| 27 | sleep ${SSHAGENT_TIMEOUT} | 29 | sleep ${SSHAGENT_TIMEOUT} |
diff --git a/regress/agent.sh b/regress/agent.sh index 7111056c9..788b02064 100644 --- a/regress/agent.sh +++ b/regress/agent.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: agent.sh,v 1.13 2017/12/19 00:49:30 djm Exp $ | 1 | # $OpenBSD: agent.sh,v 1.14 2019/01/28 00:12:36 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="simple agent test" | 4 | tid="simple agent test" |
| @@ -27,6 +27,9 @@ ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \ | |||
| 27 | trace "overwrite authorized keys" | 27 | trace "overwrite authorized keys" |
| 28 | printf '' > $OBJ/authorized_keys_$USER | 28 | printf '' > $OBJ/authorized_keys_$USER |
| 29 | 29 | ||
| 30 | echo "PubkeyAcceptedKeyTypes +ssh-dss" >> $OBJ/ssh_proxy | ||
| 31 | echo "PubkeyAcceptedKeyTypes +ssh-dss" >> $OBJ/sshd_proxy | ||
| 32 | |||
| 30 | for t in ${SSH_KEYTYPES}; do | 33 | for t in ${SSH_KEYTYPES}; do |
| 31 | # generate user key for agent | 34 | # generate user key for agent |
| 32 | rm -f $OBJ/$t-agent $OBJ/$t-agent.pub* | 35 | rm -f $OBJ/$t-agent $OBJ/$t-agent.pub* |
| @@ -96,6 +99,7 @@ fi | |||
| 96 | (printf 'cert-authority,principals="estragon" '; cat $OBJ/user_ca_key.pub) \ | 99 | (printf 'cert-authority,principals="estragon" '; cat $OBJ/user_ca_key.pub) \ |
| 97 | > $OBJ/authorized_keys_$USER | 100 | > $OBJ/authorized_keys_$USER |
| 98 | for t in ${SSH_KEYTYPES}; do | 101 | for t in ${SSH_KEYTYPES}; do |
| 102 | if [ "$t" != "ssh-dss" ]; then | ||
| 99 | trace "connect via agent using $t key" | 103 | trace "connect via agent using $t key" |
| 100 | ${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub \ | 104 | ${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub \ |
| 101 | -oCertificateFile=$OBJ/$t-agent-cert.pub \ | 105 | -oCertificateFile=$OBJ/$t-agent-cert.pub \ |
| @@ -104,6 +108,7 @@ for t in ${SSH_KEYTYPES}; do | |||
| 104 | if [ $r -ne 52 ]; then | 108 | if [ $r -ne 52 ]; then |
| 105 | fail "ssh connect with failed (exit code $r)" | 109 | fail "ssh connect with failed (exit code $r)" |
| 106 | fi | 110 | fi |
| 111 | fi | ||
| 107 | done | 112 | done |
| 108 | 113 | ||
| 109 | trace "delete all agent keys" | 114 | trace "delete all agent keys" |
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index d2ecd318b..3ce777967 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-hostkey.sh,v 1.16 2018/07/03 11:43:49 djm Exp $ | 1 | # $OpenBSD: cert-hostkey.sh,v 1.17 2018/10/31 11:09:27 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified host keys" | 4 | tid="certified host keys" |
| @@ -127,7 +127,7 @@ attempt_connect() { | |||
| 127 | } | 127 | } |
| 128 | 128 | ||
| 129 | # Basic connect and revocation tests. | 129 | # Basic connect and revocation tests. |
| 130 | for privsep in yes no ; do | 130 | for privsep in yes sandbox ; do |
| 131 | for ktype in $PLAIN_TYPES ; do | 131 | for ktype in $PLAIN_TYPES ; do |
| 132 | verbose "$tid: host ${ktype} cert connect privsep $privsep" | 132 | verbose "$tid: host ${ktype} cert connect privsep $privsep" |
| 133 | ( | 133 | ( |
| @@ -165,7 +165,7 @@ for ktype in $PLAIN_TYPES ; do | |||
| 165 | kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig | 165 | kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig |
| 166 | done | 166 | done |
| 167 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert | 167 | cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert |
| 168 | for privsep in yes no ; do | 168 | for privsep in yes sandbox ; do |
| 169 | for ktype in $PLAIN_TYPES ; do | 169 | for ktype in $PLAIN_TYPES ; do |
| 170 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" | 170 | verbose "$tid: host ${ktype} revoked cert privsep $privsep" |
| 171 | ( | 171 | ( |
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 30c2c156d..6849e9922 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cert-userkey.sh,v 1.19 2018/03/12 00:54:04 djm Exp $ | 1 | # $OpenBSD: cert-userkey.sh,v 1.20 2018/10/31 11:09:27 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="certified user keys" | 4 | tid="certified user keys" |
| @@ -47,7 +47,7 @@ done | |||
| 47 | # Test explicitly-specified principals | 47 | # Test explicitly-specified principals |
| 48 | for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | 48 | for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do |
| 49 | t=$(kname $ktype) | 49 | t=$(kname $ktype) |
| 50 | for privsep in yes no ; do | 50 | for privsep in yes sandbox ; do |
| 51 | _prefix="${ktype} privsep $privsep" | 51 | _prefix="${ktype} privsep $privsep" |
| 52 | 52 | ||
| 53 | # Setup for AuthorizedPrincipalsFile | 53 | # Setup for AuthorizedPrincipalsFile |
diff --git a/regress/keys-command.sh b/regress/keys-command.sh index 4029e2c78..d166fc589 100644 --- a/regress/keys-command.sh +++ b/regress/keys-command.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: keys-command.sh,v 1.4 2016/09/26 21:34:38 bluhm Exp $ | 1 | # $OpenBSD: keys-command.sh,v 1.5 2018/11/22 08:48:32 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="authorized keys from command" | 4 | tid="authorized keys from command" |
| @@ -19,7 +19,8 @@ expected_key_fp=`$SSHKEYGEN -lf $OBJ/rsa.pub | awk '{ print $2 }'` | |||
| 19 | 19 | ||
| 20 | # Establish a AuthorizedKeysCommand in /var/run where it will have | 20 | # Establish a AuthorizedKeysCommand in /var/run where it will have |
| 21 | # acceptable directory permissions. | 21 | # acceptable directory permissions. |
| 22 | KEY_COMMAND="/var/run/keycommand_${LOGNAME}" | 22 | KEY_COMMAND="/var/run/keycommand_${LOGNAME}.$$" |
| 23 | trap "${SUDO} rm -f ${KEY_COMMAND}" 0 | ||
| 23 | cat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'" | 24 | cat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'" |
| 24 | #!/bin/sh | 25 | #!/bin/sh |
| 25 | echo args: "\$@" >> $OBJ/keys-command-args | 26 | echo args: "\$@" >> $OBJ/keys-command-args |
| @@ -78,5 +79,3 @@ if [ -x $KEY_COMMAND ]; then | |||
| 78 | else | 79 | else |
| 79 | echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)" | 80 | echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)" |
| 80 | fi | 81 | fi |
| 81 | |||
| 82 | $SUDO rm -f $KEY_COMMAND | ||
diff --git a/regress/keyscan.sh b/regress/keyscan.sh index 3bde1219a..8940d24b6 100644 --- a/regress/keyscan.sh +++ b/regress/keyscan.sh | |||
| @@ -1,14 +1,20 @@ | |||
| 1 | # $OpenBSD: keyscan.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ | 1 | # $OpenBSD: keyscan.sh,v 1.9 2019/01/28 03:50:39 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="keyscan" | 4 | tid="keyscan" |
| 5 | 5 | ||
| 6 | # remove DSA hostkey | 6 | KEYTYPES=`${SSH} -Q key-plain` |
| 7 | rm -f ${OBJ}/host.dsa | 7 | for i in $KEYTYPES; do |
| 8 | if [ -z "$algs" ]; then | ||
| 9 | algs="$i" | ||
| 10 | else | ||
| 11 | algs="$algs,$i" | ||
| 12 | fi | ||
| 13 | done | ||
| 14 | echo "HostKeyAlgorithms $algs" >> $OBJ/sshd_config | ||
| 8 | 15 | ||
| 9 | start_sshd | 16 | start_sshd |
| 10 | 17 | ||
| 11 | KEYTYPES=`${SSH} -Q key-plain` | ||
| 12 | for t in $KEYTYPES; do | 18 | for t in $KEYTYPES; do |
| 13 | trace "keyscan type $t" | 19 | trace "keyscan type $t" |
| 14 | ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \ | 20 | ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \ |
diff --git a/regress/misc/kexfuzz/Makefile b/regress/misc/kexfuzz/Makefile index a7bb6b70d..20802cb87 100644 --- a/regress/misc/kexfuzz/Makefile +++ b/regress/misc/kexfuzz/Makefile | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: Makefile,v 1.3 2017/12/21 05:46:35 djm Exp $ | 1 | # $OpenBSD: Makefile,v 1.4 2019/01/21 12:50:12 djm Exp $ |
| 2 | 2 | ||
| 3 | .include <bsd.own.mk> | 3 | .include <bsd.own.mk> |
| 4 | .include <bsd.obj.mk> | 4 | .include <bsd.obj.mk> |
| @@ -18,12 +18,21 @@ SRCS+=atomicio.c sshkey.c authfile.c cipher.c log.c ssh-rsa.c ssh-dss.c | |||
| 18 | SRCS+=ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c | 18 | SRCS+=ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c |
| 19 | SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c | 19 | SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c |
| 20 | SRCS+=addrmatch.c bitmap.c packet.c dispatch.c canohost.c ssh_api.c | 20 | SRCS+=addrmatch.c bitmap.c packet.c dispatch.c canohost.c ssh_api.c |
| 21 | SRCS+=kex.c kexc25519.c kexc25519c.c kexc25519s.c kexdh.c kexdhc.c kexdhs.c | 21 | SRCS+=compat.c ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c |
| 22 | SRCS+=kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c kexgexs.c | ||
| 23 | SRCS+=dh.c compat.c | ||
| 24 | SRCS+=ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c | ||
| 25 | SRCS+=cipher-chachapoly.c chacha.c poly1305.c | 22 | SRCS+=cipher-chachapoly.c chacha.c poly1305.c |
| 26 | SRCS+=smult_curve25519_ref.c | 23 | |
| 24 | SRCS+= kex.c | ||
| 25 | SRCS+= dh.c | ||
| 26 | SRCS+= kexdh.c | ||
| 27 | SRCS+= kexecdh.c | ||
| 28 | SRCS+= kexgex.c | ||
| 29 | SRCS+= kexgexc.c | ||
| 30 | SRCS+= kexgexs.c | ||
| 31 | SRCS+= kexc25519.c | ||
| 32 | SRCS+= smult_curve25519_ref.c | ||
| 33 | SRCS+= kexgen.c | ||
| 34 | SRCS+= kexsntrup4591761x25519.c | ||
| 35 | SRCS+= sntrup4591761.c | ||
| 27 | 36 | ||
| 28 | SRCS+=digest-openssl.c | 37 | SRCS+=digest-openssl.c |
| 29 | #SRCS+=digest-libc.c | 38 | #SRCS+=digest-libc.c |
diff --git a/regress/misc/kexfuzz/kexfuzz.c b/regress/misc/kexfuzz/kexfuzz.c index 3e2c48160..7051e87b1 100644 --- a/regress/misc/kexfuzz/kexfuzz.c +++ b/regress/misc/kexfuzz/kexfuzz.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: kexfuzz.c,v 1.4 2017/04/30 23:34:55 djm Exp $ */ | 1 | /* $OpenBSD: kexfuzz.c,v 1.5 2019/01/21 12:50:12 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Fuzz harness for KEX code | 3 | * Fuzz harness for KEX code |
| 4 | * | 4 | * |
| @@ -29,8 +29,6 @@ | |||
| 29 | #include "authfile.h" | 29 | #include "authfile.h" |
| 30 | #include "log.h" | 30 | #include "log.h" |
| 31 | 31 | ||
| 32 | struct ssh *active_state = NULL; /* XXX - needed for linking */ | ||
| 33 | |||
| 34 | void kex_tests(void); | 32 | void kex_tests(void); |
| 35 | static int do_debug = 0; | 33 | static int do_debug = 0; |
| 36 | 34 | ||
| @@ -275,18 +273,18 @@ do_kex_with_key(const char *kex, struct sshkey *prvkey, int *c2s, int *s2c, | |||
| 275 | ASSERT_PTR_NE(server2->kex, NULL); | 273 | ASSERT_PTR_NE(server2->kex, NULL); |
| 276 | /* XXX we need to set the callbacks */ | 274 | /* XXX we need to set the callbacks */ |
| 277 | #ifdef WITH_OPENSSL | 275 | #ifdef WITH_OPENSSL |
| 278 | server2->kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; | 276 | server2->kex->kex[KEX_DH_GRP1_SHA1] = kex_gen_server; |
| 279 | server2->kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; | 277 | server2->kex->kex[KEX_DH_GRP14_SHA1] = kex_gen_server; |
| 280 | server2->kex->kex[KEX_DH_GRP14_SHA256] = kexdh_server; | 278 | server2->kex->kex[KEX_DH_GRP14_SHA256] = kex_gen_server; |
| 281 | server2->kex->kex[KEX_DH_GRP16_SHA512] = kexdh_server; | 279 | server2->kex->kex[KEX_DH_GRP16_SHA512] = kex_gen_server; |
| 282 | server2->kex->kex[KEX_DH_GRP18_SHA512] = kexdh_server; | 280 | server2->kex->kex[KEX_DH_GRP18_SHA512] = kex_gen_server; |
| 283 | server2->kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 281 | server2->kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
| 284 | server2->kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 282 | server2->kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
| 285 | # ifdef OPENSSL_HAS_ECC | 283 | # ifdef OPENSSL_HAS_ECC |
| 286 | server2->kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 284 | server2->kex->kex[KEX_ECDH_SHA2] = kex_gen_server; |
| 287 | # endif | 285 | # endif |
| 288 | #endif | 286 | #endif |
| 289 | server2->kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 287 | server2->kex->kex[KEX_C25519_SHA256] = kex_gen_server; |
| 290 | server2->kex->load_host_public_key = server->kex->load_host_public_key; | 288 | server2->kex->load_host_public_key = server->kex->load_host_public_key; |
| 291 | server2->kex->load_host_private_key = server->kex->load_host_private_key; | 289 | server2->kex->load_host_private_key = server->kex->load_host_private_key; |
| 292 | server2->kex->sign = server->kex->sign; | 290 | server2->kex->sign = server->kex->sign; |
diff --git a/regress/multiplex.sh b/regress/multiplex.sh index a6fad8eb8..de357c4d5 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: multiplex.sh,v 1.28 2017/04/30 23:34:55 djm Exp $ | 1 | # $OpenBSD: multiplex.sh,v 1.29 2019/01/01 22:20:16 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | make_tmpdir | 4 | make_tmpdir |
| @@ -142,7 +142,8 @@ ${SSH} -F $OBJ/ssh_config -p$P otherhost true \ | |||
| 142 | verbose "test $tid: cmd forward local (UNIX)" | 142 | verbose "test $tid: cmd forward local (UNIX)" |
| 143 | ${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L $OBJ/unix-1.fwd:localhost:$PORT otherhost \ | 143 | ${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L $OBJ/unix-1.fwd:localhost:$PORT otherhost \ |
| 144 | || fail "request local forward failed" | 144 | || fail "request local forward failed" |
| 145 | echo "" | $NC -U $OBJ/unix-1.fwd | grep "Protocol mismatch" >/dev/null 2>&1 \ | 145 | echo "" | $NC -U $OBJ/unix-1.fwd | \ |
| 146 | grep "Invalid SSH identification string" >/dev/null 2>&1 \ | ||
| 146 | || fail "connect to local forward path failed" | 147 | || fail "connect to local forward path failed" |
| 147 | ${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -L $OBJ/unix-1.fwd:localhost:$PORT otherhost \ | 148 | ${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -L $OBJ/unix-1.fwd:localhost:$PORT otherhost \ |
| 148 | || fail "cancel local forward failed" | 149 | || fail "cancel local forward failed" |
| @@ -153,7 +154,8 @@ rm -f $OBJ/unix-1.fwd | |||
| 153 | verbose "test $tid: cmd forward remote (UNIX)" | 154 | verbose "test $tid: cmd forward remote (UNIX)" |
| 154 | ${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R $OBJ/unix-1.fwd:localhost:$PORT otherhost \ | 155 | ${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R $OBJ/unix-1.fwd:localhost:$PORT otherhost \ |
| 155 | || fail "request remote forward failed" | 156 | || fail "request remote forward failed" |
| 156 | echo "" | $NC -U $OBJ/unix-1.fwd | grep "Protocol mismatch" >/dev/null 2>&1 \ | 157 | echo "" | $NC -U $OBJ/unix-1.fwd | \ |
| 158 | grep "Invalid SSH identification string" >/dev/null 2>&1 \ | ||
| 157 | || fail "connect to remote forwarded path failed" | 159 | || fail "connect to remote forwarded path failed" |
| 158 | ${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -R $OBJ/unix-1.fwd:localhost:$PORT otherhost \ | 160 | ${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -R $OBJ/unix-1.fwd:localhost:$PORT otherhost \ |
| 159 | || fail "cancel remote forward failed" | 161 | || fail "cancel remote forward failed" |
diff --git a/regress/multipubkey.sh b/regress/multipubkey.sh index e9d15306f..4d443ec45 100644 --- a/regress/multipubkey.sh +++ b/regress/multipubkey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: multipubkey.sh,v 1.1 2014/12/22 08:06:03 djm Exp $ | 1 | # $OpenBSD: multipubkey.sh,v 1.2 2018/10/31 11:09:27 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="multiple pubkey" | 4 | tid="multiple pubkey" |
| @@ -31,7 +31,7 @@ grep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy | |||
| 31 | opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes" | 31 | opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes" |
| 32 | opts="$opts -i $OBJ/cert_user_key1 -i $OBJ/user_key1 -i $OBJ/user_key2" | 32 | opts="$opts -i $OBJ/cert_user_key1 -i $OBJ/user_key1 -i $OBJ/user_key2" |
| 33 | 33 | ||
| 34 | for privsep in no yes; do | 34 | for privsep in yes sandbox ; do |
| 35 | ( | 35 | ( |
| 36 | grep -v "Protocol" $OBJ/sshd_proxy.orig | 36 | grep -v "Protocol" $OBJ/sshd_proxy.orig |
| 37 | echo "Protocol 2" | 37 | echo "Protocol 2" |
diff --git a/regress/principals-command.sh b/regress/principals-command.sh index bcc68e80b..197c00021 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: principals-command.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ | 1 | # $OpenBSD: principals-command.sh,v 1.6 2018/11/22 08:48:32 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="authorized principals command" | 4 | tid="authorized principals command" |
| @@ -30,7 +30,8 @@ CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'` | |||
| 30 | 30 | ||
| 31 | # Establish a AuthorizedPrincipalsCommand in /var/run where it will have | 31 | # Establish a AuthorizedPrincipalsCommand in /var/run where it will have |
| 32 | # acceptable directory permissions. | 32 | # acceptable directory permissions. |
| 33 | PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}" | 33 | PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}.$$" |
| 34 | trap "$SUDO rm -f ${PRINCIPALS_COMMAND}" 0 | ||
| 34 | cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" | 35 | cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" |
| 35 | #!/bin/sh | 36 | #!/bin/sh |
| 36 | test "x\$1" != "x${LOGNAME}" && exit 1 | 37 | test "x\$1" != "x${LOGNAME}" && exit 1 |
| @@ -57,7 +58,7 @@ fi | |||
| 57 | 58 | ||
| 58 | if [ -x $PRINCIPALS_COMMAND ]; then | 59 | if [ -x $PRINCIPALS_COMMAND ]; then |
| 59 | # Test explicitly-specified principals | 60 | # Test explicitly-specified principals |
| 60 | for privsep in yes no ; do | 61 | for privsep in yes sandbox ; do |
| 61 | _prefix="privsep $privsep" | 62 | _prefix="privsep $privsep" |
| 62 | 63 | ||
| 63 | # Setup for AuthorizedPrincipalsCommand | 64 | # Setup for AuthorizedPrincipalsCommand |
diff --git a/regress/sftp-chroot.sh b/regress/sftp-chroot.sh index ba5bd1efb..5acc4d2de 100644 --- a/regress/sftp-chroot.sh +++ b/regress/sftp-chroot.sh | |||
| @@ -1,11 +1,12 @@ | |||
| 1 | # $OpenBSD: sftp-chroot.sh,v 1.6 2018/02/09 03:42:57 dtucker Exp $ | 1 | # $OpenBSD: sftp-chroot.sh,v 1.7 2018/11/22 08:48:32 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="sftp in chroot" | 4 | tid="sftp in chroot" |
| 5 | 5 | ||
| 6 | CHROOT=/var/run | 6 | CHROOT=/var/run |
| 7 | FILENAME=testdata_${USER} | 7 | FILENAME=testdata_${USER}.$$ |
| 8 | PRIVDATA=${CHROOT}/${FILENAME} | 8 | PRIVDATA=${CHROOT}/${FILENAME} |
| 9 | trap "${SUDO} rm -f ${PRIVDATA}" 0 | ||
| 9 | 10 | ||
| 10 | if [ -z "$SUDO" -a ! -w /var/run ]; then | 11 | if [ -z "$SUDO" -a ! -w /var/run ]; then |
| 11 | echo "need SUDO to create file in /var/run, test won't work without" | 12 | echo "need SUDO to create file in /var/run, test won't work without" |
| @@ -28,5 +29,3 @@ ${SFTP} -S "$SSH" -F $OBJ/ssh_config host:/${FILENAME} $COPY \ | |||
| 28 | >>$TEST_REGRESS_LOGFILE 2>&1 || \ | 29 | >>$TEST_REGRESS_LOGFILE 2>&1 || \ |
| 29 | fatal "Fetch ${FILENAME} failed" | 30 | fatal "Fetch ${FILENAME} failed" |
| 30 | cmp $PRIVDATA $COPY || fail "$PRIVDATA $COPY differ" | 31 | cmp $PRIVDATA $COPY || fail "$PRIVDATA $COPY differ" |
| 31 | |||
| 32 | $SUDO rm $PRIVDATA | ||
diff --git a/regress/sftp-cmds.sh b/regress/sftp-cmds.sh index aad7fcac2..1289c4089 100644 --- a/regress/sftp-cmds.sh +++ b/regress/sftp-cmds.sh | |||
| @@ -77,7 +77,6 @@ echo "get \"$DATA\" $COPY" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ | |||
| 77 | || fail "get failed" | 77 | || fail "get failed" |
| 78 | cmp $DATA ${COPY} || fail "corrupted copy after get" | 78 | cmp $DATA ${COPY} || fail "corrupted copy after get" |
| 79 | 79 | ||
| 80 | if [ "$os" != "cygwin" ]; then | ||
| 81 | rm -f ${QUOTECOPY} | 80 | rm -f ${QUOTECOPY} |
| 82 | cp $DATA ${QUOTECOPY} | 81 | cp $DATA ${QUOTECOPY} |
| 83 | verbose "$tid: get filename with quotes" | 82 | verbose "$tid: get filename with quotes" |
| @@ -85,7 +84,6 @@ echo "get \"$QUOTECOPY_ARG\" ${COPY}" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 | |||
| 85 | || fail "get failed" | 84 | || fail "get failed" |
| 86 | cmp ${COPY} ${QUOTECOPY} || fail "corrupted copy after get with quotes" | 85 | cmp ${COPY} ${QUOTECOPY} || fail "corrupted copy after get with quotes" |
| 87 | rm -f ${QUOTECOPY} ${COPY} | 86 | rm -f ${QUOTECOPY} ${COPY} |
| 88 | fi | ||
| 89 | 87 | ||
| 90 | rm -f "$SPACECOPY" ${COPY} | 88 | rm -f "$SPACECOPY" ${COPY} |
| 91 | cp $DATA "$SPACECOPY" | 89 | cp $DATA "$SPACECOPY" |
| @@ -136,13 +134,11 @@ echo "put $DATA $COPY" | \ | |||
| 136 | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 || fail "put failed" | 134 | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 || fail "put failed" |
| 137 | cmp $DATA ${COPY} || fail "corrupted copy after put" | 135 | cmp $DATA ${COPY} || fail "corrupted copy after put" |
| 138 | 136 | ||
| 139 | if [ "$os" != "cygwin" ]; then | ||
| 140 | rm -f ${QUOTECOPY} | 137 | rm -f ${QUOTECOPY} |
| 141 | verbose "$tid: put filename with quotes" | 138 | verbose "$tid: put filename with quotes" |
| 142 | echo "put $DATA \"$QUOTECOPY_ARG\"" | \ | 139 | echo "put $DATA \"$QUOTECOPY_ARG\"" | \ |
| 143 | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 || fail "put failed" | 140 | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 || fail "put failed" |
| 144 | cmp $DATA ${QUOTECOPY} || fail "corrupted copy after put with quotes" | 141 | cmp $DATA ${QUOTECOPY} || fail "corrupted copy after put with quotes" |
| 145 | fi | ||
| 146 | 142 | ||
| 147 | rm -f "$SPACECOPY" | 143 | rm -f "$SPACECOPY" |
| 148 | verbose "$tid: put filename with spaces" | 144 | verbose "$tid: put filename with spaces" |
diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 1bbd47f25..08338121b 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: test-exec.sh,v 1.64 2018/08/10 01:35:49 dtucker Exp $ | 1 | # $OpenBSD: test-exec.sh,v 1.65 2019/01/27 06:30:53 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | #SUDO=sudo | 4 | #SUDO=sudo |
| @@ -12,10 +12,6 @@ OSF1*) | |||
| 12 | BIN_SH=xpg4 | 12 | BIN_SH=xpg4 |
| 13 | export BIN_SH | 13 | export BIN_SH |
| 14 | ;; | 14 | ;; |
| 15 | CYGWIN_NT-5.0) | ||
| 16 | os=cygwin | ||
| 17 | TEST_SSH_IPV6=no | ||
| 18 | ;; | ||
| 19 | CYGWIN*) | 15 | CYGWIN*) |
| 20 | os=cygwin | 16 | os=cygwin |
| 21 | ;; | 17 | ;; |
| @@ -469,11 +465,11 @@ fi | |||
| 469 | 465 | ||
| 470 | rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER | 466 | rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER |
| 471 | 467 | ||
| 472 | SSH_KEYTYPES="rsa ed25519" | 468 | SSH_KEYTYPES=`$SSH -Q key-plain` |
| 473 | 469 | ||
| 474 | trace "generate keys" | ||
| 475 | for t in ${SSH_KEYTYPES}; do | 470 | for t in ${SSH_KEYTYPES}; do |
| 476 | # generate user key | 471 | # generate user key |
| 472 | trace "generating key type $t" | ||
| 477 | if [ ! -f $OBJ/$t ] || [ ${SSHKEYGEN_BIN} -nt $OBJ/$t ]; then | 473 | if [ ! -f $OBJ/$t ] || [ ${SSHKEYGEN_BIN} -nt $OBJ/$t ]; then |
| 478 | rm -f $OBJ/$t | 474 | rm -f $OBJ/$t |
| 479 | ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t ||\ | 475 | ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t ||\ |
diff --git a/regress/unittests/Makefile.inc b/regress/unittests/Makefile.inc index b509f4452..428ef6836 100644 --- a/regress/unittests/Makefile.inc +++ b/regress/unittests/Makefile.inc | |||
| @@ -1,8 +1,25 @@ | |||
| 1 | # $OpenBSD: Makefile.inc,v 1.12 2017/12/21 00:41:22 djm Exp $ | 1 | # $OpenBSD: Makefile.inc,v 1.13 2018/10/17 23:28:05 djm Exp $ |
| 2 | |||
| 3 | REGRESS_FAIL_EARLY?= yes | ||
| 2 | 4 | ||
| 3 | .include <bsd.own.mk> | 5 | .include <bsd.own.mk> |
| 4 | .include <bsd.obj.mk> | 6 | .include <bsd.obj.mk> |
| 5 | 7 | ||
| 8 | # User-settable options | ||
| 9 | UNITTEST_FAST?= no # Skip slow tests (e.g. less intensive fuzzing). | ||
| 10 | UNITTEST_SLOW?= no # Include slower tests (e.g. more intensive fuzzing). | ||
| 11 | UNITTEST_VERBOSE?= no # Verbose test output (inc. per-test names). | ||
| 12 | |||
| 13 | MALLOC_OPTIONS?= CFGJRSUX | ||
| 14 | TEST_ENV?= MALLOC_OPTIONS=${MALLOC_OPTIONS} | ||
| 15 | |||
| 16 | # XXX detect from ssh binary? | ||
| 17 | OPENSSL?= yes | ||
| 18 | |||
| 19 | .if (${OPENSSL:L} == "yes") | ||
| 20 | CFLAGS+= -DWITH_OPENSSL | ||
| 21 | .endif | ||
| 22 | |||
| 6 | # enable warnings | 23 | # enable warnings |
| 7 | WARNINGS=Yes | 24 | WARNINGS=Yes |
| 8 | 25 | ||
| @@ -49,5 +66,21 @@ DPADD+=${.CURDIR}/../test_helper/libtest_helper.a | |||
| 49 | 66 | ||
| 50 | .PATH: ${.CURDIR}/${SSHREL} | 67 | .PATH: ${.CURDIR}/${SSHREL} |
| 51 | 68 | ||
| 69 | LDADD+= -lutil | ||
| 70 | DPADD+= ${LIBUTIL} | ||
| 71 | |||
| 72 | .if (${OPENSSL:L} == "yes") | ||
| 52 | LDADD+= -lcrypto | 73 | LDADD+= -lcrypto |
| 53 | DPADD+= ${LIBCRYPTO} | 74 | DPADD+= ${LIBCRYPTO} |
| 75 | .endif | ||
| 76 | |||
| 77 | UNITTEST_ARGS?= | ||
| 78 | |||
| 79 | .if (${UNITTEST_VERBOSE:L} != "no") | ||
| 80 | UNITTEST_ARGS+= -v | ||
| 81 | .endif | ||
| 82 | .if (${UNITTEST_FAST:L} != "no") | ||
| 83 | UNITTEST_ARGS+= -f | ||
| 84 | .elif (${UNITTEST_SLOW:L} != "no") | ||
| 85 | UNITTEST_ARGS+= -F | ||
| 86 | .endif | ||
diff --git a/regress/unittests/kex/Makefile b/regress/unittests/kex/Makefile index 5c61307a3..7b4c644e5 100644 --- a/regress/unittests/kex/Makefile +++ b/regress/unittests/kex/Makefile | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: Makefile,v 1.5 2017/12/21 00:41:22 djm Exp $ | 1 | # $OpenBSD: Makefile,v 1.6 2019/01/21 12:35:20 djm Exp $ |
| 2 | 2 | ||
| 3 | PROG=test_kex | 3 | PROG=test_kex |
| 4 | SRCS=tests.c test_kex.c | 4 | SRCS=tests.c test_kex.c |
| @@ -9,12 +9,21 @@ SRCS+=atomicio.c sshkey.c authfile.c cipher.c log.c ssh-rsa.c ssh-dss.c | |||
| 9 | SRCS+=ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c | 9 | SRCS+=ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c |
| 10 | SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c | 10 | SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c |
| 11 | SRCS+=addrmatch.c bitmap.c packet.c dispatch.c canohost.c ssh_api.c | 11 | SRCS+=addrmatch.c bitmap.c packet.c dispatch.c canohost.c ssh_api.c |
| 12 | SRCS+=kex.c kexc25519.c kexc25519c.c kexc25519s.c kexdh.c kexdhc.c kexdhs.c | 12 | SRCS+=compat.c ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c |
| 13 | SRCS+=kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c kexgexs.c | ||
| 14 | SRCS+=dh.c compat.c | ||
| 15 | SRCS+=ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c | ||
| 16 | SRCS+=cipher-chachapoly.c chacha.c poly1305.c | 13 | SRCS+=cipher-chachapoly.c chacha.c poly1305.c |
| 17 | SRCS+=smult_curve25519_ref.c | 14 | |
| 15 | SRCS+= kex.c | ||
| 16 | SRCS+= dh.c | ||
| 17 | SRCS+= kexdh.c | ||
| 18 | SRCS+= kexecdh.c | ||
| 19 | SRCS+= kexgex.c | ||
| 20 | SRCS+= kexgexc.c | ||
| 21 | SRCS+= kexgexs.c | ||
| 22 | SRCS+= kexc25519.c | ||
| 23 | SRCS+= smult_curve25519_ref.c | ||
| 24 | SRCS+= kexgen.c | ||
| 25 | SRCS+= kexsntrup4591761x25519.c | ||
| 26 | SRCS+= sntrup4591761.c | ||
| 18 | 27 | ||
| 19 | SRCS+=digest-openssl.c | 28 | SRCS+=digest-openssl.c |
| 20 | #SRCS+=digest-libc.c | 29 | #SRCS+=digest-libc.c |
diff --git a/regress/unittests/kex/test_kex.c b/regress/unittests/kex/test_kex.c index 6e5999bb9..a860efc02 100644 --- a/regress/unittests/kex/test_kex.c +++ b/regress/unittests/kex/test_kex.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: test_kex.c,v 1.2 2015/07/10 06:23:25 markus Exp $ */ | 1 | /* $OpenBSD: test_kex.c,v 1.4 2019/01/21 12:35:20 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Regress test KEX | 3 | * Regress test KEX |
| 4 | * | 4 | * |
| @@ -24,8 +24,6 @@ | |||
| 24 | #include "packet.h" | 24 | #include "packet.h" |
| 25 | #include "myproposal.h" | 25 | #include "myproposal.h" |
| 26 | 26 | ||
| 27 | struct ssh *active_state = NULL; /* XXX - needed for linking */ | ||
| 28 | |||
| 29 | void kex_tests(void); | 27 | void kex_tests(void); |
| 30 | static int do_debug = 0; | 28 | static int do_debug = 0; |
| 31 | 29 | ||
| @@ -139,20 +137,19 @@ do_kex_with_key(char *kex, int keytype, int bits) | |||
| 139 | ASSERT_INT_EQ(ssh_init(&server2, 1, NULL), 0); | 137 | ASSERT_INT_EQ(ssh_init(&server2, 1, NULL), 0); |
| 140 | ASSERT_PTR_NE(server2, NULL); | 138 | ASSERT_PTR_NE(server2, NULL); |
| 141 | ASSERT_INT_EQ(ssh_add_hostkey(server2, private), 0); | 139 | ASSERT_INT_EQ(ssh_add_hostkey(server2, private), 0); |
| 142 | kex_free(server2->kex); /* XXX or should ssh_packet_set_state()? */ | ||
| 143 | ASSERT_INT_EQ(ssh_packet_set_state(server2, state), 0); | 140 | ASSERT_INT_EQ(ssh_packet_set_state(server2, state), 0); |
| 144 | ASSERT_INT_EQ(sshbuf_len(state), 0); | 141 | ASSERT_INT_EQ(sshbuf_len(state), 0); |
| 145 | sshbuf_free(state); | 142 | sshbuf_free(state); |
| 146 | ASSERT_PTR_NE(server2->kex, NULL); | 143 | ASSERT_PTR_NE(server2->kex, NULL); |
| 147 | /* XXX we need to set the callbacks */ | 144 | /* XXX we need to set the callbacks */ |
| 148 | server2->kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; | 145 | server2->kex->kex[KEX_DH_GRP1_SHA1] = kex_gen_server; |
| 149 | server2->kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; | 146 | server2->kex->kex[KEX_DH_GRP14_SHA1] = kex_gen_server; |
| 150 | server2->kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 147 | server2->kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
| 151 | server2->kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 148 | server2->kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
| 152 | #ifdef OPENSSL_HAS_ECC | 149 | #ifdef OPENSSL_HAS_ECC |
| 153 | server2->kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 150 | server2->kex->kex[KEX_ECDH_SHA2] = kex_gen_server; |
| 154 | #endif | 151 | #endif |
| 155 | server2->kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 152 | server2->kex->kex[KEX_C25519_SHA256] = kex_gen_server; |
| 156 | server2->kex->load_host_public_key = server->kex->load_host_public_key; | 153 | server2->kex->load_host_public_key = server->kex->load_host_public_key; |
| 157 | server2->kex->load_host_private_key = server->kex->load_host_private_key; | 154 | server2->kex->load_host_private_key = server->kex->load_host_private_key; |
| 158 | server2->kex->sign = server->kex->sign; | 155 | server2->kex->sign = server->kex->sign; |
diff --git a/regress/unittests/sshbuf/Makefile b/regress/unittests/sshbuf/Makefile index 81d4f27a6..0e8e9fd10 100644 --- a/regress/unittests/sshbuf/Makefile +++ b/regress/unittests/sshbuf/Makefile | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: Makefile,v 1.6 2017/12/21 00:41:22 djm Exp $ | 1 | # $OpenBSD: Makefile,v 1.7 2018/10/17 23:28:05 djm Exp $ |
| 2 | 2 | ||
| 3 | .include <bsd.regress.mk> | 3 | .include <bsd.regress.mk> |
| 4 | 4 | ||
| @@ -17,6 +17,5 @@ SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c | |||
| 17 | SRCS+=atomicio.c | 17 | SRCS+=atomicio.c |
| 18 | 18 | ||
| 19 | run-regress-${PROG}: ${PROG} | 19 | run-regress-${PROG}: ${PROG} |
| 20 | env ${TEST_ENV} ./${PROG} | 20 | env ${TEST_ENV} ./${PROG} ${UNITTEST_ARGS} |
| 21 | |||
| 22 | 21 | ||
diff --git a/regress/unittests/sshbuf/test_sshbuf_fuzz.c b/regress/unittests/sshbuf/test_sshbuf_fuzz.c index c52376b53..e236c82f9 100644 --- a/regress/unittests/sshbuf/test_sshbuf_fuzz.c +++ b/regress/unittests/sshbuf/test_sshbuf_fuzz.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: test_sshbuf_fuzz.c,v 1.1 2014/04/30 05:32:00 djm Exp $ */ | 1 | /* $OpenBSD: test_sshbuf_fuzz.c,v 1.2 2018/10/17 23:28:05 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Regress test for sshbuf.h buffer API | 3 | * Regress test for sshbuf.h buffer API |
| 4 | * | 4 | * |
| @@ -30,10 +30,15 @@ sshbuf_fuzz_tests(void) | |||
| 30 | { | 30 | { |
| 31 | struct sshbuf *p1; | 31 | struct sshbuf *p1; |
| 32 | u_char *dp; | 32 | u_char *dp; |
| 33 | size_t sz, sz2, i; | 33 | size_t sz, sz2, i, ntests = NUM_FUZZ_TESTS; |
| 34 | u_int32_t r; | 34 | u_int32_t r; |
| 35 | int ret; | 35 | int ret; |
| 36 | 36 | ||
| 37 | if (test_is_fast()) | ||
| 38 | ntests >>= 2; | ||
| 39 | if (test_is_slow()) | ||
| 40 | ntests <<= 2; | ||
| 41 | |||
| 37 | /* NB. uses sshbuf internals */ | 42 | /* NB. uses sshbuf internals */ |
| 38 | TEST_START("fuzz alloc/dealloc"); | 43 | TEST_START("fuzz alloc/dealloc"); |
| 39 | p1 = sshbuf_new(); | 44 | p1 = sshbuf_new(); |
diff --git a/regress/unittests/sshbuf/test_sshbuf_getput_crypto.c b/regress/unittests/sshbuf/test_sshbuf_getput_crypto.c index a68e1329e..5d39e63e1 100644 --- a/regress/unittests/sshbuf/test_sshbuf_getput_crypto.c +++ b/regress/unittests/sshbuf/test_sshbuf_getput_crypto.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: test_sshbuf_getput_crypto.c,v 1.1 2014/04/30 05:32:00 djm Exp $ */ | 1 | /* $OpenBSD: test_sshbuf_getput_crypto.c,v 1.2 2019/01/21 12:29:35 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Regress test for sshbuf.h buffer API | 3 | * Regress test for sshbuf.h buffer API |
| 4 | * | 4 | * |
| @@ -33,7 +33,6 @@ sshbuf_getput_crypto_tests(void) | |||
| 33 | { | 33 | { |
| 34 | struct sshbuf *p1; | 34 | struct sshbuf *p1; |
| 35 | BIGNUM *bn, *bn2; | 35 | BIGNUM *bn, *bn2; |
| 36 | /* This one has num_bits != num_bytes * 8 to test bignum1 encoding */ | ||
| 37 | const char *hexbn1 = "0102030405060708090a0b0c0d0e0f10"; | 36 | const char *hexbn1 = "0102030405060708090a0b0c0d0e0f10"; |
| 38 | /* This one has MSB set to test bignum2 encoding negative-avoidance */ | 37 | /* This one has MSB set to test bignum2 encoding negative-avoidance */ |
| 39 | const char *hexbn2 = "f0e0d0c0b0a0908070605040302010007fff11"; | 38 | const char *hexbn2 = "f0e0d0c0b0a0908070605040302010007fff11"; |
| @@ -77,54 +76,6 @@ sshbuf_getput_crypto_tests(void) | |||
| 77 | ASSERT_INT_GT(BN_hex2bn(&bnn, b), 0); \ | 76 | ASSERT_INT_GT(BN_hex2bn(&bnn, b), 0); \ |
| 78 | } while (0) | 77 | } while (0) |
| 79 | 78 | ||
| 80 | TEST_START("sshbuf_put_bignum1"); | ||
| 81 | MKBN(hexbn1, bn); | ||
| 82 | p1 = sshbuf_new(); | ||
| 83 | ASSERT_PTR_NE(p1, NULL); | ||
| 84 | ASSERT_INT_EQ(sshbuf_put_bignum1(p1, bn), 0); | ||
| 85 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn1) + 2); | ||
| 86 | ASSERT_U16_EQ(PEEK_U16(sshbuf_ptr(p1)), (u_int16_t)BN_num_bits(bn)); | ||
| 87 | ASSERT_MEM_EQ(sshbuf_ptr(p1) + 2, expbn1, sizeof(expbn1)); | ||
| 88 | BN_free(bn); | ||
| 89 | sshbuf_free(p1); | ||
| 90 | TEST_DONE(); | ||
| 91 | |||
| 92 | TEST_START("sshbuf_put_bignum1 limited"); | ||
| 93 | MKBN(hexbn1, bn); | ||
| 94 | p1 = sshbuf_new(); | ||
| 95 | ASSERT_PTR_NE(p1, NULL); | ||
| 96 | ASSERT_INT_EQ(sshbuf_set_max_size(p1, sizeof(expbn1) + 1), 0); | ||
| 97 | r = sshbuf_put_bignum1(p1, bn); | ||
| 98 | ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE); | ||
| 99 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0); | ||
| 100 | BN_free(bn); | ||
| 101 | sshbuf_free(p1); | ||
| 102 | TEST_DONE(); | ||
| 103 | |||
| 104 | TEST_START("sshbuf_put_bignum1 bn2"); | ||
| 105 | MKBN(hexbn2, bn); | ||
| 106 | p1 = sshbuf_new(); | ||
| 107 | ASSERT_PTR_NE(p1, NULL); | ||
| 108 | ASSERT_INT_EQ(sshbuf_put_bignum1(p1, bn), 0); | ||
| 109 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn2) + 2); | ||
| 110 | ASSERT_U16_EQ(PEEK_U16(sshbuf_ptr(p1)), (u_int16_t)BN_num_bits(bn)); | ||
| 111 | ASSERT_MEM_EQ(sshbuf_ptr(p1) + 2, expbn2, sizeof(expbn2)); | ||
| 112 | BN_free(bn); | ||
| 113 | sshbuf_free(p1); | ||
| 114 | TEST_DONE(); | ||
| 115 | |||
| 116 | TEST_START("sshbuf_put_bignum1 bn2 limited"); | ||
| 117 | MKBN(hexbn2, bn); | ||
| 118 | p1 = sshbuf_new(); | ||
| 119 | ASSERT_PTR_NE(p1, NULL); | ||
| 120 | ASSERT_INT_EQ(sshbuf_set_max_size(p1, sizeof(expbn1) + 1), 0); | ||
| 121 | r = sshbuf_put_bignum1(p1, bn); | ||
| 122 | ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE); | ||
| 123 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0); | ||
| 124 | BN_free(bn); | ||
| 125 | sshbuf_free(p1); | ||
| 126 | TEST_DONE(); | ||
| 127 | |||
| 128 | TEST_START("sshbuf_put_bignum2"); | 79 | TEST_START("sshbuf_put_bignum2"); |
| 129 | MKBN(hexbn1, bn); | 80 | MKBN(hexbn1, bn); |
| 130 | p1 = sshbuf_new(); | 81 | p1 = sshbuf_new(); |
| @@ -174,88 +125,6 @@ sshbuf_getput_crypto_tests(void) | |||
| 174 | sshbuf_free(p1); | 125 | sshbuf_free(p1); |
| 175 | TEST_DONE(); | 126 | TEST_DONE(); |
| 176 | 127 | ||
| 177 | TEST_START("sshbuf_get_bignum1"); | ||
| 178 | MKBN(hexbn1, bn); | ||
| 179 | p1 = sshbuf_new(); | ||
| 180 | ASSERT_PTR_NE(p1, NULL); | ||
| 181 | ASSERT_INT_EQ(sshbuf_put_u16(p1, BN_num_bits(bn)), 0); | ||
| 182 | ASSERT_INT_EQ(sshbuf_put(p1, expbn1, sizeof(expbn1)), 0); | ||
| 183 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn1)); | ||
| 184 | ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xd00f), 0); | ||
| 185 | bn2 = BN_new(); | ||
| 186 | ASSERT_INT_EQ(sshbuf_get_bignum1(p1, bn2), 0); | ||
| 187 | ASSERT_BIGNUM_EQ(bn, bn2); | ||
| 188 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2); | ||
| 189 | BN_free(bn); | ||
| 190 | BN_free(bn2); | ||
| 191 | sshbuf_free(p1); | ||
| 192 | TEST_DONE(); | ||
| 193 | |||
| 194 | TEST_START("sshbuf_get_bignum1 truncated"); | ||
| 195 | MKBN(hexbn1, bn); | ||
| 196 | p1 = sshbuf_new(); | ||
| 197 | ASSERT_PTR_NE(p1, NULL); | ||
| 198 | ASSERT_INT_EQ(sshbuf_put_u16(p1, BN_num_bits(bn)), 0); | ||
| 199 | ASSERT_INT_EQ(sshbuf_put(p1, expbn1, sizeof(expbn1) - 1), 0); | ||
| 200 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn1) - 1); | ||
| 201 | bn2 = BN_new(); | ||
| 202 | r = sshbuf_get_bignum1(p1, bn2); | ||
| 203 | ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE); | ||
| 204 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn1) - 1); | ||
| 205 | BN_free(bn); | ||
| 206 | BN_free(bn2); | ||
| 207 | sshbuf_free(p1); | ||
| 208 | TEST_DONE(); | ||
| 209 | |||
| 210 | TEST_START("sshbuf_get_bignum1 giant"); | ||
| 211 | MKBN(hexbn1, bn); | ||
| 212 | p1 = sshbuf_new(); | ||
| 213 | ASSERT_PTR_NE(p1, NULL); | ||
| 214 | ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xffff), 0); | ||
| 215 | ASSERT_INT_EQ(sshbuf_reserve(p1, (0xffff + 7) / 8, NULL), 0); | ||
| 216 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + ((0xffff + 7) / 8)); | ||
| 217 | bn2 = BN_new(); | ||
| 218 | r = sshbuf_get_bignum1(p1, bn2); | ||
| 219 | ASSERT_INT_EQ(r, SSH_ERR_BIGNUM_TOO_LARGE); | ||
| 220 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + ((0xffff + 7) / 8)); | ||
| 221 | BN_free(bn); | ||
| 222 | BN_free(bn2); | ||
| 223 | sshbuf_free(p1); | ||
| 224 | TEST_DONE(); | ||
| 225 | |||
| 226 | TEST_START("sshbuf_get_bignum1 bn2"); | ||
| 227 | MKBN(hexbn2, bn); | ||
| 228 | p1 = sshbuf_new(); | ||
| 229 | ASSERT_PTR_NE(p1, NULL); | ||
| 230 | ASSERT_INT_EQ(sshbuf_put_u16(p1, BN_num_bits(bn)), 0); | ||
| 231 | ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2)), 0); | ||
| 232 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn2)); | ||
| 233 | ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xd00f), 0); | ||
| 234 | bn2 = BN_new(); | ||
| 235 | ASSERT_INT_EQ(sshbuf_get_bignum1(p1, bn2), 0); | ||
| 236 | ASSERT_BIGNUM_EQ(bn, bn2); | ||
| 237 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2); | ||
| 238 | BN_free(bn); | ||
| 239 | BN_free(bn2); | ||
| 240 | sshbuf_free(p1); | ||
| 241 | TEST_DONE(); | ||
| 242 | |||
| 243 | TEST_START("sshbuf_get_bignum1 bn2 truncated"); | ||
| 244 | MKBN(hexbn2, bn); | ||
| 245 | p1 = sshbuf_new(); | ||
| 246 | ASSERT_PTR_NE(p1, NULL); | ||
| 247 | ASSERT_INT_EQ(sshbuf_put_u16(p1, BN_num_bits(bn)), 0); | ||
| 248 | ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2) - 1), 0); | ||
| 249 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn2) - 1); | ||
| 250 | bn2 = BN_new(); | ||
| 251 | r = sshbuf_get_bignum1(p1, bn2); | ||
| 252 | ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE); | ||
| 253 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn2) - 1); | ||
| 254 | BN_free(bn); | ||
| 255 | BN_free(bn2); | ||
| 256 | sshbuf_free(p1); | ||
| 257 | TEST_DONE(); | ||
| 258 | |||
| 259 | TEST_START("sshbuf_get_bignum2"); | 128 | TEST_START("sshbuf_get_bignum2"); |
| 260 | MKBN(hexbn1, bn); | 129 | MKBN(hexbn1, bn); |
| 261 | p1 = sshbuf_new(); | 130 | p1 = sshbuf_new(); |
| @@ -264,8 +133,8 @@ sshbuf_getput_crypto_tests(void) | |||
| 264 | ASSERT_INT_EQ(sshbuf_put(p1, expbn1, sizeof(expbn1)), 0); | 133 | ASSERT_INT_EQ(sshbuf_put(p1, expbn1, sizeof(expbn1)), 0); |
| 265 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4 + sizeof(expbn1)); | 134 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4 + sizeof(expbn1)); |
| 266 | ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xd00f), 0); | 135 | ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xd00f), 0); |
| 267 | bn2 = BN_new(); | 136 | bn2 = NULL; |
| 268 | ASSERT_INT_EQ(sshbuf_get_bignum2(p1, bn2), 0); | 137 | ASSERT_INT_EQ(sshbuf_get_bignum2(p1, &bn2), 0); |
| 269 | ASSERT_BIGNUM_EQ(bn, bn2); | 138 | ASSERT_BIGNUM_EQ(bn, bn2); |
| 270 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2); | 139 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2); |
| 271 | BN_free(bn); | 140 | BN_free(bn); |
| @@ -279,8 +148,8 @@ sshbuf_getput_crypto_tests(void) | |||
| 279 | ASSERT_PTR_NE(p1, NULL); | 148 | ASSERT_PTR_NE(p1, NULL); |
| 280 | ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn)), 0); | 149 | ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn)), 0); |
| 281 | ASSERT_INT_EQ(sshbuf_put(p1, expbn1, sizeof(expbn1) - 1), 0); | 150 | ASSERT_INT_EQ(sshbuf_put(p1, expbn1, sizeof(expbn1) - 1), 0); |
| 282 | bn2 = BN_new(); | 151 | bn2 = NULL; |
| 283 | r = sshbuf_get_bignum2(p1, bn2); | 152 | r = sshbuf_get_bignum2(p1, &bn2); |
| 284 | ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE); | 153 | ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE); |
| 285 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn1) + 3); | 154 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn1) + 3); |
| 286 | BN_free(bn); | 155 | BN_free(bn); |
| @@ -294,8 +163,8 @@ sshbuf_getput_crypto_tests(void) | |||
| 294 | ASSERT_PTR_NE(p1, NULL); | 163 | ASSERT_PTR_NE(p1, NULL); |
| 295 | ASSERT_INT_EQ(sshbuf_put_u32(p1, 65536), 0); | 164 | ASSERT_INT_EQ(sshbuf_put_u32(p1, 65536), 0); |
| 296 | ASSERT_INT_EQ(sshbuf_reserve(p1, 65536, NULL), 0); | 165 | ASSERT_INT_EQ(sshbuf_reserve(p1, 65536, NULL), 0); |
| 297 | bn2 = BN_new(); | 166 | bn2 = NULL; |
| 298 | r = sshbuf_get_bignum2(p1, bn2); | 167 | r = sshbuf_get_bignum2(p1, &bn2); |
| 299 | ASSERT_INT_EQ(r, SSH_ERR_BIGNUM_TOO_LARGE); | 168 | ASSERT_INT_EQ(r, SSH_ERR_BIGNUM_TOO_LARGE); |
| 300 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 65536 + 4); | 169 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 65536 + 4); |
| 301 | BN_free(bn); | 170 | BN_free(bn); |
| @@ -312,8 +181,8 @@ sshbuf_getput_crypto_tests(void) | |||
| 312 | ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2)), 0); | 181 | ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2)), 0); |
| 313 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4 + 1 + sizeof(expbn2)); | 182 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4 + 1 + sizeof(expbn2)); |
| 314 | ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xd00f), 0); | 183 | ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xd00f), 0); |
| 315 | bn2 = BN_new(); | 184 | bn2 = NULL; |
| 316 | ASSERT_INT_EQ(sshbuf_get_bignum2(p1, bn2), 0); | 185 | ASSERT_INT_EQ(sshbuf_get_bignum2(p1, &bn2), 0); |
| 317 | ASSERT_BIGNUM_EQ(bn, bn2); | 186 | ASSERT_BIGNUM_EQ(bn, bn2); |
| 318 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2); | 187 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2); |
| 319 | BN_free(bn); | 188 | BN_free(bn); |
| @@ -328,8 +197,8 @@ sshbuf_getput_crypto_tests(void) | |||
| 328 | ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn) + 1), 0); | 197 | ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn) + 1), 0); |
| 329 | ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x00), 0); | 198 | ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x00), 0); |
| 330 | ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2) - 1), 0); | 199 | ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2) - 1), 0); |
| 331 | bn2 = BN_new(); | 200 | bn2 = NULL; |
| 332 | r = sshbuf_get_bignum2(p1, bn2); | 201 | r = sshbuf_get_bignum2(p1, &bn2); |
| 333 | ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE); | 202 | ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE); |
| 334 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn2) + 1 + 4 - 1); | 203 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn2) + 1 + 4 - 1); |
| 335 | BN_free(bn); | 204 | BN_free(bn); |
| @@ -343,8 +212,8 @@ sshbuf_getput_crypto_tests(void) | |||
| 343 | ASSERT_PTR_NE(p1, NULL); | 212 | ASSERT_PTR_NE(p1, NULL); |
| 344 | ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn)), 0); | 213 | ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn)), 0); |
| 345 | ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2)), 0); | 214 | ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2)), 0); |
| 346 | bn2 = BN_new(); | 215 | bn2 = NULL; |
| 347 | r = sshbuf_get_bignum2(p1, bn2); | 216 | r = sshbuf_get_bignum2(p1, &bn2); |
| 348 | ASSERT_INT_EQ(r, SSH_ERR_BIGNUM_IS_NEGATIVE); | 217 | ASSERT_INT_EQ(r, SSH_ERR_BIGNUM_IS_NEGATIVE); |
| 349 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn2) + 4); | 218 | ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn2) + 4); |
| 350 | BN_free(bn); | 219 | BN_free(bn); |
diff --git a/regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c b/regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c index c6b5c29d1..ca06bfb00 100644 --- a/regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c +++ b/regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: test_sshbuf_getput_fuzz.c,v 1.2 2014/05/02 02:54:00 djm Exp $ */ | 1 | /* $OpenBSD: test_sshbuf_getput_fuzz.c,v 1.4 2019/01/21 12:29:35 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Regress test for sshbuf.h buffer API | 3 | * Regress test for sshbuf.h buffer API |
| 4 | * | 4 | * |
| @@ -54,11 +54,8 @@ attempt_parse_blob(u_char *blob, size_t len) | |||
| 54 | bzero(s, l); | 54 | bzero(s, l); |
| 55 | free(s); | 55 | free(s); |
| 56 | } | 56 | } |
| 57 | bn = BN_new(); | 57 | bn = NULL; |
| 58 | sshbuf_get_bignum1(p1, bn); | 58 | sshbuf_get_bignum2(p1, &bn); |
| 59 | BN_clear_free(bn); | ||
| 60 | bn = BN_new(); | ||
| 61 | sshbuf_get_bignum2(p1, bn); | ||
| 62 | BN_clear_free(bn); | 59 | BN_clear_free(bn); |
| 63 | #if defined(OPENSSL_HAS_ECC) && defined(OPENSSL_HAS_NISTP256) | 60 | #if defined(OPENSSL_HAS_ECC) && defined(OPENSSL_HAS_NISTP256) |
| 64 | eck = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); | 61 | eck = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); |
| @@ -92,10 +89,6 @@ sshbuf_getput_fuzz_tests(void) | |||
| 92 | /* string */ | 89 | /* string */ |
| 93 | 0x00, 0x00, 0x00, 0x09, | 90 | 0x00, 0x00, 0x00, 0x09, |
| 94 | 'O', ' ', 'G', 'o', 'r', 'g', 'o', 'n', '!', | 91 | 'O', ' ', 'G', 'o', 'r', 'g', 'o', 'n', '!', |
| 95 | /* bignum1 */ | ||
| 96 | 0x79, | ||
| 97 | 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, | ||
| 98 | 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, | ||
| 99 | /* bignum2 */ | 92 | /* bignum2 */ |
| 100 | 0x00, 0x00, 0x00, 0x14, | 93 | 0x00, 0x00, 0x00, 0x14, |
| 101 | 0x00, | 94 | 0x00, |
| @@ -115,11 +108,15 @@ sshbuf_getput_fuzz_tests(void) | |||
| 115 | 0x55, 0x0f, 0x69, 0xd8, 0x0e, 0xc2, 0x3c, 0xd4, | 108 | 0x55, 0x0f, 0x69, 0xd8, 0x0e, 0xc2, 0x3c, 0xd4, |
| 116 | }; | 109 | }; |
| 117 | struct fuzz *fuzz; | 110 | struct fuzz *fuzz; |
| 111 | u_int fuzzers = FUZZ_1_BIT_FLIP | FUZZ_2_BIT_FLIP | | ||
| 112 | FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP | | ||
| 113 | FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END; | ||
| 114 | |||
| 115 | if (test_is_fast()) | ||
| 116 | fuzzers &= ~(FUZZ_2_BYTE_FLIP|FUZZ_2_BIT_FLIP); | ||
| 118 | 117 | ||
| 119 | TEST_START("fuzz blob parsing"); | 118 | TEST_START("fuzz blob parsing"); |
| 120 | fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_2_BIT_FLIP | | 119 | fuzz = fuzz_begin(fuzzers, blob, sizeof(blob)); |
| 121 | FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP | | ||
| 122 | FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END, blob, sizeof(blob)); | ||
| 123 | TEST_ONERROR(onerror, fuzz); | 120 | TEST_ONERROR(onerror, fuzz); |
| 124 | for(; !fuzz_done(fuzz); fuzz_next(fuzz)) | 121 | for(; !fuzz_done(fuzz); fuzz_next(fuzz)) |
| 125 | attempt_parse_blob(blob, sizeof(blob)); | 122 | attempt_parse_blob(blob, sizeof(blob)); |
diff --git a/regress/unittests/sshkey/Makefile b/regress/unittests/sshkey/Makefile index 1c940bec6..aa731df1c 100644 --- a/regress/unittests/sshkey/Makefile +++ b/regress/unittests/sshkey/Makefile | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: Makefile,v 1.5 2017/12/21 00:41:22 djm Exp $ | 1 | # $OpenBSD: Makefile,v 1.6 2018/10/17 23:28:05 djm Exp $ |
| 2 | 2 | ||
| 3 | PROG=test_sshkey | 3 | PROG=test_sshkey |
| 4 | SRCS=tests.c test_sshkey.c test_file.c test_fuzz.c common.c | 4 | SRCS=tests.c test_sshkey.c test_file.c test_fuzz.c common.c |
| @@ -18,7 +18,7 @@ SRCS+=digest-openssl.c | |||
| 18 | REGRESS_TARGETS=run-regress-${PROG} | 18 | REGRESS_TARGETS=run-regress-${PROG} |
| 19 | 19 | ||
| 20 | run-regress-${PROG}: ${PROG} | 20 | run-regress-${PROG}: ${PROG} |
| 21 | env ${TEST_ENV} ./${PROG} -d ${.CURDIR}/testdata | 21 | env ${TEST_ENV} ./${PROG} ${UNITTEST_ARGS} -d ${.CURDIR}/testdata |
| 22 | 22 | ||
| 23 | .include <bsd.regress.mk> | 23 | .include <bsd.regress.mk> |
| 24 | 24 | ||
diff --git a/regress/unittests/sshkey/test_fuzz.c b/regress/unittests/sshkey/test_fuzz.c index d3b0c92b4..5953de595 100644 --- a/regress/unittests/sshkey/test_fuzz.c +++ b/regress/unittests/sshkey/test_fuzz.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: test_fuzz.c,v 1.8 2017/12/21 00:41:22 djm Exp $ */ | 1 | /* $OpenBSD: test_fuzz.c,v 1.9 2018/10/17 23:28:05 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Fuzz tests for key parsing | 3 | * Fuzz tests for key parsing |
| 4 | * | 4 | * |
| @@ -51,14 +51,16 @@ public_fuzz(struct sshkey *k) | |||
| 51 | struct sshkey *k1; | 51 | struct sshkey *k1; |
| 52 | struct sshbuf *buf; | 52 | struct sshbuf *buf; |
| 53 | struct fuzz *fuzz; | 53 | struct fuzz *fuzz; |
| 54 | u_int fuzzers = FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP | | ||
| 55 | FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END; | ||
| 54 | 56 | ||
| 57 | if (test_is_fast()) | ||
| 58 | fuzzers &= ~FUZZ_1_BIT_FLIP; | ||
| 59 | if (test_is_slow()) | ||
| 60 | fuzzers |= FUZZ_2_BIT_FLIP | FUZZ_2_BYTE_FLIP; | ||
| 55 | ASSERT_PTR_NE(buf = sshbuf_new(), NULL); | 61 | ASSERT_PTR_NE(buf = sshbuf_new(), NULL); |
| 56 | ASSERT_INT_EQ(sshkey_putb(k, buf), 0); | 62 | ASSERT_INT_EQ(sshkey_putb(k, buf), 0); |
| 57 | /* XXX need a way to run the tests in "slow, but complete" mode */ | 63 | fuzz = fuzz_begin(fuzzers, sshbuf_mutable_ptr(buf), sshbuf_len(buf)); |
| 58 | fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | /* XXX too slow FUZZ_2_BIT_FLIP | */ | ||
| 59 | FUZZ_1_BYTE_FLIP | /* XXX too slow FUZZ_2_BYTE_FLIP | */ | ||
| 60 | FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END, | ||
| 61 | sshbuf_mutable_ptr(buf), sshbuf_len(buf)); | ||
| 62 | ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(buf), sshbuf_len(buf), | 64 | ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(buf), sshbuf_len(buf), |
| 63 | &k1), 0); | 65 | &k1), 0); |
| 64 | sshkey_free(k1); | 66 | sshkey_free(k1); |
| @@ -77,12 +79,17 @@ sig_fuzz(struct sshkey *k, const char *sig_alg) | |||
| 77 | struct fuzz *fuzz; | 79 | struct fuzz *fuzz; |
| 78 | u_char *sig, c[] = "some junk to be signed"; | 80 | u_char *sig, c[] = "some junk to be signed"; |
| 79 | size_t l; | 81 | size_t l; |
| 82 | u_int fuzzers = FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP | | ||
| 83 | FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END; | ||
| 84 | |||
| 85 | if (test_is_fast()) | ||
| 86 | fuzzers &= ~FUZZ_2_BYTE_FLIP; | ||
| 87 | if (test_is_slow()) | ||
| 88 | fuzzers |= FUZZ_2_BIT_FLIP; | ||
| 80 | 89 | ||
| 81 | ASSERT_INT_EQ(sshkey_sign(k, &sig, &l, c, sizeof(c), sig_alg, 0), 0); | 90 | ASSERT_INT_EQ(sshkey_sign(k, &sig, &l, c, sizeof(c), sig_alg, 0), 0); |
| 82 | ASSERT_SIZE_T_GT(l, 0); | 91 | ASSERT_SIZE_T_GT(l, 0); |
| 83 | fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | /* too slow FUZZ_2_BIT_FLIP | */ | 92 | fuzz = fuzz_begin(fuzzers, sig, l); |
| 84 | FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP | | ||
| 85 | FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END, sig, l); | ||
| 86 | ASSERT_INT_EQ(sshkey_verify(k, sig, l, c, sizeof(c), NULL, 0), 0); | 93 | ASSERT_INT_EQ(sshkey_verify(k, sig, l, c, sizeof(c), NULL, 0), 0); |
| 87 | free(sig); | 94 | free(sig); |
| 88 | TEST_ONERROR(onerror, fuzz); | 95 | TEST_ONERROR(onerror, fuzz); |
| @@ -96,13 +103,15 @@ sig_fuzz(struct sshkey *k, const char *sig_alg) | |||
| 96 | fuzz_cleanup(fuzz); | 103 | fuzz_cleanup(fuzz); |
| 97 | } | 104 | } |
| 98 | 105 | ||
| 106 | #define NUM_FAST_BASE64_TESTS 1024 | ||
| 107 | |||
| 99 | void | 108 | void |
| 100 | sshkey_fuzz_tests(void) | 109 | sshkey_fuzz_tests(void) |
| 101 | { | 110 | { |
| 102 | struct sshkey *k1; | 111 | struct sshkey *k1; |
| 103 | struct sshbuf *buf, *fuzzed; | 112 | struct sshbuf *buf, *fuzzed; |
| 104 | struct fuzz *fuzz; | 113 | struct fuzz *fuzz; |
| 105 | int r; | 114 | int r, i; |
| 106 | 115 | ||
| 107 | 116 | ||
| 108 | TEST_START("fuzz RSA private"); | 117 | TEST_START("fuzz RSA private"); |
| @@ -114,12 +123,14 @@ sshkey_fuzz_tests(void) | |||
| 114 | sshbuf_free(buf); | 123 | sshbuf_free(buf); |
| 115 | ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); | 124 | ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); |
| 116 | TEST_ONERROR(onerror, fuzz); | 125 | TEST_ONERROR(onerror, fuzz); |
| 117 | for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { | 126 | for(i = 0; !fuzz_done(fuzz); i++, fuzz_next(fuzz)) { |
| 118 | r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); | 127 | r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); |
| 119 | ASSERT_INT_EQ(r, 0); | 128 | ASSERT_INT_EQ(r, 0); |
| 120 | if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) | 129 | if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) |
| 121 | sshkey_free(k1); | 130 | sshkey_free(k1); |
| 122 | sshbuf_reset(fuzzed); | 131 | sshbuf_reset(fuzzed); |
| 132 | if (test_is_fast() && i >= NUM_FAST_BASE64_TESTS) | ||
| 133 | break; | ||
| 123 | } | 134 | } |
| 124 | sshbuf_free(fuzzed); | 135 | sshbuf_free(fuzzed); |
| 125 | fuzz_cleanup(fuzz); | 136 | fuzz_cleanup(fuzz); |
| @@ -134,12 +145,14 @@ sshkey_fuzz_tests(void) | |||
| 134 | sshbuf_free(buf); | 145 | sshbuf_free(buf); |
| 135 | ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); | 146 | ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); |
| 136 | TEST_ONERROR(onerror, fuzz); | 147 | TEST_ONERROR(onerror, fuzz); |
| 137 | for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { | 148 | for(i = 0; !fuzz_done(fuzz); i++, fuzz_next(fuzz)) { |
| 138 | r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); | 149 | r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); |
| 139 | ASSERT_INT_EQ(r, 0); | 150 | ASSERT_INT_EQ(r, 0); |
| 140 | if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) | 151 | if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) |
| 141 | sshkey_free(k1); | 152 | sshkey_free(k1); |
| 142 | sshbuf_reset(fuzzed); | 153 | sshbuf_reset(fuzzed); |
| 154 | if (test_is_fast() && i >= NUM_FAST_BASE64_TESTS) | ||
| 155 | break; | ||
| 143 | } | 156 | } |
| 144 | sshbuf_free(fuzzed); | 157 | sshbuf_free(fuzzed); |
| 145 | fuzz_cleanup(fuzz); | 158 | fuzz_cleanup(fuzz); |
| @@ -154,12 +167,14 @@ sshkey_fuzz_tests(void) | |||
| 154 | sshbuf_free(buf); | 167 | sshbuf_free(buf); |
| 155 | ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); | 168 | ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); |
| 156 | TEST_ONERROR(onerror, fuzz); | 169 | TEST_ONERROR(onerror, fuzz); |
| 157 | for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { | 170 | for(i = 0; !fuzz_done(fuzz); i++, fuzz_next(fuzz)) { |
| 158 | r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); | 171 | r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); |
| 159 | ASSERT_INT_EQ(r, 0); | 172 | ASSERT_INT_EQ(r, 0); |
| 160 | if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) | 173 | if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) |
| 161 | sshkey_free(k1); | 174 | sshkey_free(k1); |
| 162 | sshbuf_reset(fuzzed); | 175 | sshbuf_reset(fuzzed); |
| 176 | if (test_is_fast() && i >= NUM_FAST_BASE64_TESTS) | ||
| 177 | break; | ||
| 163 | } | 178 | } |
| 164 | sshbuf_free(fuzzed); | 179 | sshbuf_free(fuzzed); |
| 165 | fuzz_cleanup(fuzz); | 180 | fuzz_cleanup(fuzz); |
| @@ -174,12 +189,14 @@ sshkey_fuzz_tests(void) | |||
| 174 | sshbuf_free(buf); | 189 | sshbuf_free(buf); |
| 175 | ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); | 190 | ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); |
| 176 | TEST_ONERROR(onerror, fuzz); | 191 | TEST_ONERROR(onerror, fuzz); |
| 177 | for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { | 192 | for(i = 0; !fuzz_done(fuzz); i++, fuzz_next(fuzz)) { |
| 178 | r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); | 193 | r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); |
| 179 | ASSERT_INT_EQ(r, 0); | 194 | ASSERT_INT_EQ(r, 0); |
| 180 | if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) | 195 | if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) |
| 181 | sshkey_free(k1); | 196 | sshkey_free(k1); |
| 182 | sshbuf_reset(fuzzed); | 197 | sshbuf_reset(fuzzed); |
| 198 | if (test_is_fast() && i >= NUM_FAST_BASE64_TESTS) | ||
| 199 | break; | ||
| 183 | } | 200 | } |
| 184 | sshbuf_free(fuzzed); | 201 | sshbuf_free(fuzzed); |
| 185 | fuzz_cleanup(fuzz); | 202 | fuzz_cleanup(fuzz); |
| @@ -195,12 +212,14 @@ sshkey_fuzz_tests(void) | |||
| 195 | sshbuf_free(buf); | 212 | sshbuf_free(buf); |
| 196 | ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); | 213 | ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); |
| 197 | TEST_ONERROR(onerror, fuzz); | 214 | TEST_ONERROR(onerror, fuzz); |
| 198 | for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { | 215 | for(i = 0; !fuzz_done(fuzz); i++, fuzz_next(fuzz)) { |
| 199 | r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); | 216 | r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); |
| 200 | ASSERT_INT_EQ(r, 0); | 217 | ASSERT_INT_EQ(r, 0); |
| 201 | if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) | 218 | if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) |
| 202 | sshkey_free(k1); | 219 | sshkey_free(k1); |
| 203 | sshbuf_reset(fuzzed); | 220 | sshbuf_reset(fuzzed); |
| 221 | if (test_is_fast() && i >= NUM_FAST_BASE64_TESTS) | ||
| 222 | break; | ||
| 204 | } | 223 | } |
| 205 | sshbuf_free(fuzzed); | 224 | sshbuf_free(fuzzed); |
| 206 | fuzz_cleanup(fuzz); | 225 | fuzz_cleanup(fuzz); |
| @@ -215,12 +234,14 @@ sshkey_fuzz_tests(void) | |||
| 215 | sshbuf_free(buf); | 234 | sshbuf_free(buf); |
| 216 | ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); | 235 | ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); |
| 217 | TEST_ONERROR(onerror, fuzz); | 236 | TEST_ONERROR(onerror, fuzz); |
| 218 | for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { | 237 | for(i = 0; !fuzz_done(fuzz); i++, fuzz_next(fuzz)) { |
| 219 | r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); | 238 | r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); |
| 220 | ASSERT_INT_EQ(r, 0); | 239 | ASSERT_INT_EQ(r, 0); |
| 221 | if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) | 240 | if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) |
| 222 | sshkey_free(k1); | 241 | sshkey_free(k1); |
| 223 | sshbuf_reset(fuzzed); | 242 | sshbuf_reset(fuzzed); |
| 243 | if (test_is_fast() && i >= NUM_FAST_BASE64_TESTS) | ||
| 244 | break; | ||
| 224 | } | 245 | } |
| 225 | sshbuf_free(fuzzed); | 246 | sshbuf_free(fuzzed); |
| 226 | fuzz_cleanup(fuzz); | 247 | fuzz_cleanup(fuzz); |
| @@ -236,12 +257,14 @@ sshkey_fuzz_tests(void) | |||
| 236 | sshbuf_free(buf); | 257 | sshbuf_free(buf); |
| 237 | ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); | 258 | ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); |
| 238 | TEST_ONERROR(onerror, fuzz); | 259 | TEST_ONERROR(onerror, fuzz); |
| 239 | for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { | 260 | for(i = 0; !fuzz_done(fuzz); i++, fuzz_next(fuzz)) { |
| 240 | r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); | 261 | r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); |
| 241 | ASSERT_INT_EQ(r, 0); | 262 | ASSERT_INT_EQ(r, 0); |
| 242 | if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) | 263 | if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0) |
| 243 | sshkey_free(k1); | 264 | sshkey_free(k1); |
| 244 | sshbuf_reset(fuzzed); | 265 | sshbuf_reset(fuzzed); |
| 266 | if (test_is_fast() && i >= NUM_FAST_BASE64_TESTS) | ||
| 267 | break; | ||
| 245 | } | 268 | } |
| 246 | sshbuf_free(fuzzed); | 269 | sshbuf_free(fuzzed); |
| 247 | fuzz_cleanup(fuzz); | 270 | fuzz_cleanup(fuzz); |
diff --git a/regress/unittests/sshkey/tests.c b/regress/unittests/sshkey/tests.c index 13f265cdb..78aa9223d 100644 --- a/regress/unittests/sshkey/tests.c +++ b/regress/unittests/sshkey/tests.c | |||
| @@ -7,8 +7,6 @@ | |||
| 7 | 7 | ||
| 8 | #include "includes.h" | 8 | #include "includes.h" |
| 9 | 9 | ||
| 10 | #include <openssl/evp.h> | ||
| 11 | |||
| 12 | #include "../test_helper/test_helper.h" | 10 | #include "../test_helper/test_helper.h" |
| 13 | 11 | ||
| 14 | void sshkey_tests(void); | 12 | void sshkey_tests(void); |
| @@ -18,9 +16,6 @@ void sshkey_fuzz_tests(void); | |||
| 18 | void | 16 | void |
| 19 | tests(void) | 17 | tests(void) |
| 20 | { | 18 | { |
| 21 | OpenSSL_add_all_algorithms(); | ||
| 22 | ERR_load_CRYPTO_strings(); | ||
| 23 | |||
| 24 | sshkey_tests(); | 19 | sshkey_tests(); |
| 25 | sshkey_file_tests(); | 20 | sshkey_file_tests(); |
| 26 | sshkey_fuzz_tests(); | 21 | sshkey_fuzz_tests(); |
diff --git a/regress/unittests/test_helper/test_helper.c b/regress/unittests/test_helper/test_helper.c index 4cc70852c..e7a47b265 100644 --- a/regress/unittests/test_helper/test_helper.c +++ b/regress/unittests/test_helper/test_helper.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: test_helper.c,v 1.8 2018/02/08 08:46:20 djm Exp $ */ | 1 | /* $OpenBSD: test_helper.c,v 1.11 2018/11/23 02:53:57 dtucker Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2011 Damien Miller <djm@mindrot.org> | 3 | * Copyright (c) 2011 Damien Miller <djm@mindrot.org> |
| 4 | * | 4 | * |
| @@ -35,11 +35,13 @@ | |||
| 35 | #include <signal.h> | 35 | #include <signal.h> |
| 36 | 36 | ||
| 37 | #include <openssl/bn.h> | 37 | #include <openssl/bn.h> |
| 38 | #include <openssl/err.h> | ||
| 38 | 39 | ||
| 39 | #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS) | 40 | #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS) |
| 40 | # include <vis.h> | 41 | # include <vis.h> |
| 41 | #endif | 42 | #endif |
| 42 | 43 | ||
| 44 | #include "entropy.h" | ||
| 43 | #include "test_helper.h" | 45 | #include "test_helper.h" |
| 44 | #include "atomicio.h" | 46 | #include "atomicio.h" |
| 45 | 47 | ||
| @@ -115,12 +117,17 @@ static test_onerror_func_t *test_onerror = NULL; | |||
| 115 | static void *onerror_ctx = NULL; | 117 | static void *onerror_ctx = NULL; |
| 116 | static const char *data_dir = NULL; | 118 | static const char *data_dir = NULL; |
| 117 | static char subtest_info[512]; | 119 | static char subtest_info[512]; |
| 120 | static int fast = 0; | ||
| 121 | static int slow = 0; | ||
| 118 | 122 | ||
| 119 | int | 123 | int |
| 120 | main(int argc, char **argv) | 124 | main(int argc, char **argv) |
| 121 | { | 125 | { |
| 122 | int ch; | 126 | int ch; |
| 123 | 127 | ||
| 128 | seed_rng(); | ||
| 129 | ERR_load_CRYPTO_strings(); | ||
| 130 | |||
| 124 | /* Handle systems without __progname */ | 131 | /* Handle systems without __progname */ |
| 125 | if (__progname == NULL) { | 132 | if (__progname == NULL) { |
| 126 | __progname = strrchr(argv[0], '/'); | 133 | __progname = strrchr(argv[0], '/'); |
| @@ -134,8 +141,14 @@ main(int argc, char **argv) | |||
| 134 | } | 141 | } |
| 135 | } | 142 | } |
| 136 | 143 | ||
| 137 | while ((ch = getopt(argc, argv, "vqd:")) != -1) { | 144 | while ((ch = getopt(argc, argv, "Ffvqd:")) != -1) { |
| 138 | switch (ch) { | 145 | switch (ch) { |
| 146 | case 'F': | ||
| 147 | slow = 1; | ||
| 148 | break; | ||
| 149 | case 'f': | ||
| 150 | fast = 1; | ||
| 151 | break; | ||
| 139 | case 'd': | 152 | case 'd': |
| 140 | data_dir = optarg; | 153 | data_dir = optarg; |
| 141 | break; | 154 | break; |
| @@ -167,17 +180,29 @@ main(int argc, char **argv) | |||
| 167 | } | 180 | } |
| 168 | 181 | ||
| 169 | int | 182 | int |
| 170 | test_is_verbose() | 183 | test_is_verbose(void) |
| 171 | { | 184 | { |
| 172 | return verbose_mode; | 185 | return verbose_mode; |
| 173 | } | 186 | } |
| 174 | 187 | ||
| 175 | int | 188 | int |
| 176 | test_is_quiet() | 189 | test_is_quiet(void) |
| 177 | { | 190 | { |
| 178 | return quiet_mode; | 191 | return quiet_mode; |
| 179 | } | 192 | } |
| 180 | 193 | ||
| 194 | int | ||
| 195 | test_is_fast(void) | ||
| 196 | { | ||
| 197 | return fast; | ||
| 198 | } | ||
| 199 | |||
| 200 | int | ||
| 201 | test_is_slow(void) | ||
| 202 | { | ||
| 203 | return slow; | ||
| 204 | } | ||
| 205 | |||
| 181 | const char * | 206 | const char * |
| 182 | test_data_file(const char *name) | 207 | test_data_file(const char *name) |
| 183 | { | 208 | { |
diff --git a/regress/unittests/test_helper/test_helper.h b/regress/unittests/test_helper/test_helper.h index 6da0066e9..1f893c8dd 100644 --- a/regress/unittests/test_helper/test_helper.h +++ b/regress/unittests/test_helper/test_helper.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: test_helper.h,v 1.8 2018/02/08 08:46:20 djm Exp $ */ | 1 | /* $OpenBSD: test_helper.h,v 1.9 2018/10/17 23:28:05 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2011 Damien Miller <djm@mindrot.org> | 3 | * Copyright (c) 2011 Damien Miller <djm@mindrot.org> |
| 4 | * | 4 | * |
| @@ -45,6 +45,8 @@ void set_onerror_func(test_onerror_func_t *f, void *ctx); | |||
| 45 | void test_done(void); | 45 | void test_done(void); |
| 46 | int test_is_verbose(void); | 46 | int test_is_verbose(void); |
| 47 | int test_is_quiet(void); | 47 | int test_is_quiet(void); |
| 48 | int test_is_fast(void); | ||
| 49 | int test_is_slow(void); | ||
| 48 | void test_subtest_info(const char *fmt, ...) | 50 | void test_subtest_info(const char *fmt, ...) |
| 49 | __attribute__((format(printf, 1, 2))); | 51 | __attribute__((format(printf, 1, 2))); |
| 50 | void ssl_err_check(const char *file, int line); | 52 | void ssl_err_check(const char *file, int line); |