summaryrefslogtreecommitdiff
path: root/regress
diff options
context:
space:
mode:
Diffstat (limited to 'regress')
-rw-r--r--regress/Makefile5
-rw-r--r--regress/agent-getpeereid.sh4
-rw-r--r--regress/agent-pkcs11.sh4
-rw-r--r--regress/agent-ptrace.sh2
-rw-r--r--regress/agent-timeout.sh4
-rw-r--r--regress/agent.sh53
-rw-r--r--regress/cert-file.sh4
-rw-r--r--regress/cert-hostkey.sh10
-rw-r--r--regress/cert-userkey.sh14
-rw-r--r--regress/connect.sh11
-rw-r--r--regress/hostkey-agent.sh10
-rw-r--r--regress/hostkey-rotate.sh11
-rw-r--r--regress/integrity.sh4
-rw-r--r--regress/keygen-change.sh7
-rw-r--r--regress/keygen-moduli.sh6
-rw-r--r--regress/keyscan.sh9
-rw-r--r--regress/keytype.sh47
-rw-r--r--regress/krl.sh22
-rw-r--r--regress/limit-keytype.sh17
-rw-r--r--regress/misc/Makefile2
-rw-r--r--regress/misc/fuzz-harness/Makefile31
-rw-r--r--regress/misc/fuzz-harness/privkey_fuzz.cc21
-rw-r--r--regress/misc/fuzz-harness/sig_fuzz.cc24
-rw-r--r--regress/misc/fuzz-harness/ssh-sk-null.cc51
-rw-r--r--regress/misc/fuzz-harness/sshsig_fuzz.cc4
-rw-r--r--regress/misc/kexfuzz/Makefile6
-rw-r--r--regress/misc/kexfuzz/kexfuzz.c8
-rw-r--r--regress/misc/sk-dummy/Makefile66
-rw-r--r--regress/misc/sk-dummy/fatal.c20
-rw-r--r--regress/misc/sk-dummy/sk-dummy.c526
-rw-r--r--regress/multiplex.sh6
-rw-r--r--regress/multipubkey.sh4
-rw-r--r--regress/netcat.c4
-rw-r--r--regress/principals-command.sh6
-rw-r--r--regress/proxy-connect.sh10
-rw-r--r--regress/putty-ciphers.sh4
-rw-r--r--regress/putty-kex.sh4
-rw-r--r--regress/putty-transfer.sh10
-rw-r--r--regress/servcfginclude.sh154
-rwxr-xr-xregress/ssh2putty.sh2
-rw-r--r--regress/sshcfgparse.sh12
-rw-r--r--regress/sshsig.sh4
-rw-r--r--regress/test-exec.sh80
-rw-r--r--regress/unittests/Makefile.inc5
-rw-r--r--regress/unittests/authopt/Makefile26
-rw-r--r--regress/unittests/hostkeys/Makefile9
-rw-r--r--regress/unittests/kex/Makefile9
-rw-r--r--regress/unittests/misc/Makefile16
-rw-r--r--regress/unittests/misc/tests.c79
-rw-r--r--regress/unittests/sshbuf/Makefile6
-rw-r--r--regress/unittests/sshkey/Makefile9
-rw-r--r--regress/unittests/sshkey/common.c11
-rw-r--r--regress/unittests/sshkey/test_fuzz.c9
-rw-r--r--regress/unittests/sshkey/test_sshkey.c14
54 files changed, 1320 insertions, 176 deletions
diff --git a/regress/Makefile b/regress/Makefile
index 17e0a06e8..01e257a94 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.104 2019/09/03 08:37:45 djm Exp $ 1# $OpenBSD: Makefile,v 1.106 2020/01/31 23:25:08 djm Exp $
2 2
3tests: prep file-tests t-exec unit 3tests: prep file-tests t-exec unit
4 4
@@ -87,6 +87,7 @@ LTESTS= connect \
87 principals-command \ 87 principals-command \
88 cert-file \ 88 cert-file \
89 cfginclude \ 89 cfginclude \
90 servcfginclude \
90 allow-deny-users \ 91 allow-deny-users \
91 authinfo \ 92 authinfo \
92 sshsig 93 sshsig
@@ -122,7 +123,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
122 ssh-rsa_oldfmt ssh-rsa_oldfmt.pub \ 123 ssh-rsa_oldfmt ssh-rsa_oldfmt.pub \
123 ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \ 124 ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
124 ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \ 125 ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \
125 sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \ 126 sshd_config.* sshd_proxy sshd_proxy.* sshd_proxy_bak \
126 sshd_proxy_orig t10.out t10.out.pub t12.out t12.out.pub \ 127 sshd_proxy_orig t10.out t10.out.pub t12.out t12.out.pub \
127 t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub \ 128 t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub \
128 t8.out t8.out.pub t9.out t9.out.pub testdata \ 129 t8.out t8.out.pub t9.out t9.out.pub testdata \
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh
index 769c29e8d..524340816 100644
--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent-getpeereid.sh,v 1.10 2018/02/09 03:40:22 dtucker Exp $ 1# $OpenBSD: agent-getpeereid.sh,v 1.11 2019/11/26 23:43:10 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="disallow agent attach from other uid" 4tid="disallow agent attach from other uid"
@@ -26,7 +26,7 @@ case "x$SUDO" in
26esac 26esac
27 27
28trace "start agent" 28trace "start agent"
29eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null 29eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s -a ${ASOCK}` > /dev/null
30r=$? 30r=$?
31if [ $r -ne 0 ]; then 31if [ $r -ne 0 ]; then
32 fail "could not start ssh-agent: exit code $r" 32 fail "could not start ssh-agent: exit code $r"
diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh
index 5205d9067..fbbaea518 100644
--- a/regress/agent-pkcs11.sh
+++ b/regress/agent-pkcs11.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent-pkcs11.sh,v 1.6 2019/01/21 09:13:41 djm Exp $ 1# $OpenBSD: agent-pkcs11.sh,v 1.7 2019/11/26 23:43:10 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="pkcs11 agent test" 4tid="pkcs11 agent test"
@@ -75,7 +75,7 @@ openssl pkcs8 -nocrypt -in $EC |\
75 softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" --import /dev/stdin 75 softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" --import /dev/stdin
76 76
77trace "start agent" 77trace "start agent"
78eval `${SSHAGENT} -s` > /dev/null 78eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
79r=$? 79r=$?
80if [ $r -ne 0 ]; then 80if [ $r -ne 0 ]; then
81 fail "could not start ssh-agent: exit code $r" 81 fail "could not start ssh-agent: exit code $r"
diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh
index 2d795ee32..9cd68d7ec 100644
--- a/regress/agent-ptrace.sh
+++ b/regress/agent-ptrace.sh
@@ -41,7 +41,7 @@ else
41fi 41fi
42 42
43trace "start agent" 43trace "start agent"
44eval `${SSHAGENT} -s` > /dev/null 44eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
45r=$? 45r=$?
46if [ $r -ne 0 ]; then 46if [ $r -ne 0 ]; then
47 fail "could not start ssh-agent: exit code $r" 47 fail "could not start ssh-agent: exit code $r"
diff --git a/regress/agent-timeout.sh b/regress/agent-timeout.sh
index 311c7bcba..6dec09285 100644
--- a/regress/agent-timeout.sh
+++ b/regress/agent-timeout.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent-timeout.sh,v 1.5 2019/09/03 08:37:06 djm Exp $ 1# $OpenBSD: agent-timeout.sh,v 1.6 2019/11/26 23:43:10 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="agent timeout test" 4tid="agent timeout test"
@@ -6,7 +6,7 @@ tid="agent timeout test"
6SSHAGENT_TIMEOUT=10 6SSHAGENT_TIMEOUT=10
7 7
8trace "start agent" 8trace "start agent"
9eval `${SSHAGENT} -s` > /dev/null 9eval `${SSHAGENT} -s ${EXTRA_AGENT_ARGS}` > /dev/null
10r=$? 10r=$?
11if [ $r -ne 0 ]; then 11if [ $r -ne 0 ]; then
12 fail "could not start ssh-agent: exit code $r" 12 fail "could not start ssh-agent: exit code $r"
diff --git a/regress/agent.sh b/regress/agent.sh
index 48fa12b0e..39403653c 100644
--- a/regress/agent.sh
+++ b/regress/agent.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent.sh,v 1.15 2019/07/23 07:39:43 dtucker Exp $ 1# $OpenBSD: agent.sh,v 1.17 2019/12/21 02:33:07 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="simple agent test" 4tid="simple agent test"
@@ -8,13 +8,19 @@ if [ $? -ne 2 ]; then
8 fail "ssh-add -l did not fail with exit code 2" 8 fail "ssh-add -l did not fail with exit code 2"
9fi 9fi
10 10
11trace "start agent" 11trace "start agent, args ${EXTRA_AGENT_ARGS} -s"
12eval `${SSHAGENT} -s` > /dev/null 12eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
13r=$? 13r=$?
14if [ $r -ne 0 ]; then 14if [ $r -ne 0 ]; then
15 fatal "could not start ssh-agent: exit code $r" 15 fatal "could not start ssh-agent: exit code $r"
16fi 16fi
17 17
18eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s | sed 's/SSH_/FW_SSH_/g'` > /dev/null
19r=$?
20if [ $r -ne 0 ]; then
21 fatal "could not start second ssh-agent: exit code $r"
22fi
23
18${SSHADD} -l > /dev/null 2>&1 24${SSHADD} -l > /dev/null 2>&1
19if [ $? -ne 1 ]; then 25if [ $? -ne 1 ]; then
20 fail "ssh-add -l did not fail with exit code 1" 26 fail "ssh-add -l did not fail with exit code 1"
@@ -38,10 +44,15 @@ for t in ${SSH_KEYTYPES}; do
38 44
39 # add to authorized keys 45 # add to authorized keys
40 cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER 46 cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
41 # add privat key to agent 47 # add private key to agent
42 ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1 48 ${SSHADD} $OBJ/$t-agent #> /dev/null 2>&1
49 if [ $? -ne 0 ]; then
50 fail "ssh-add failed exit code $?"
51 fi
52 # add private key to second agent
53 SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} $OBJ/$t-agent #> /dev/null 2>&1
43 if [ $? -ne 0 ]; then 54 if [ $? -ne 0 ]; then
44 fail "ssh-add did succeed exit code 0" 55 fail "ssh-add failed exit code $?"
45 fi 56 fi
46 # Remove private key to ensure that we aren't accidentally using it. 57 # Remove private key to ensure that we aren't accidentally using it.
47 rm -f $OBJ/$t-agent 58 rm -f $OBJ/$t-agent
@@ -90,6 +101,11 @@ r=$?
90if [ $r -ne 0 ]; then 101if [ $r -ne 0 ]; then
91 fail "ssh-add -l via agent fwd failed (exit code $r)" 102 fail "ssh-add -l via agent fwd failed (exit code $r)"
92fi 103fi
104${SSH} "-oForwardAgent=$SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
105r=$?
106if [ $r -ne 0 ]; then
107 fail "ssh-add -l via agent path fwd failed (exit code $r)"
108fi
93${SSH} -A -F $OBJ/ssh_proxy somehost \ 109${SSH} -A -F $OBJ/ssh_proxy somehost \
94 "${SSH} -F $OBJ/ssh_proxy somehost exit 52" 110 "${SSH} -F $OBJ/ssh_proxy somehost exit 52"
95r=$? 111r=$?
@@ -97,6 +113,30 @@ if [ $r -ne 52 ]; then
97 fail "agent fwd failed (exit code $r)" 113 fail "agent fwd failed (exit code $r)"
98fi 114fi
99 115
116trace "agent forwarding different agent"
117${SSH} "-oForwardAgent=$FW_SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
118r=$?
119if [ $r -ne 0 ]; then
120 fail "ssh-add -l via agent path fwd of different agent failed (exit code $r)"
121fi
122${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
123r=$?
124if [ $r -ne 0 ]; then
125 fail "ssh-add -l via agent path env fwd of different agent failed (exit code $r)"
126fi
127
128# Remove keys from forwarded agent, ssh-add on remote machine should now fail.
129SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} -D > /dev/null 2>&1
130r=$?
131if [ $r -ne 0 ]; then
132 fail "ssh-add -D failed: exit code $r"
133fi
134${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
135r=$?
136if [ $r -ne 1 ]; then
137 fail "ssh-add -l with different agent did not fail with exit code 1 (exit code $r)"
138fi
139
100(printf 'cert-authority,principals="estragon" '; cat $OBJ/user_ca_key.pub) \ 140(printf 'cert-authority,principals="estragon" '; cat $OBJ/user_ca_key.pub) \
101 > $OBJ/authorized_keys_$USER 141 > $OBJ/authorized_keys_$USER
102for t in ${SSH_KEYTYPES}; do 142for t in ${SSH_KEYTYPES}; do
@@ -121,3 +161,4 @@ fi
121 161
122trace "kill agent" 162trace "kill agent"
123${SSHAGENT} -k > /dev/null 163${SSHAGENT} -k > /dev/null
164SSH_AGENT_PID=$FW_SSH_AGENT_PID ${SSHAGENT} -k > /dev/null
diff --git a/regress/cert-file.sh b/regress/cert-file.sh
index 1157a3582..94e672a99 100644
--- a/regress/cert-file.sh
+++ b/regress/cert-file.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-file.sh,v 1.7 2018/04/10 00:14:10 djm Exp $ 1# $OpenBSD: cert-file.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="ssh with certificates" 4tid="ssh with certificates"
@@ -120,7 +120,7 @@ if [ $? -ne 2 ]; then
120fi 120fi
121 121
122trace "start agent" 122trace "start agent"
123eval `${SSHAGENT} -s` > /dev/null 123eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
124r=$? 124r=$?
125if [ $r -ne 0 ]; then 125if [ $r -ne 0 ]; then
126 fatal "could not start ssh-agent: exit code $r" 126 fatal "could not start ssh-agent: exit code $r"
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 844adabcc..097bf8463 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-hostkey.sh,v 1.18 2019/07/25 08:28:15 dtucker Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.23 2020/01/03 03:02:26 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
@@ -9,7 +9,7 @@ rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
9# Allow all hostkey/pubkey types, prefer certs for the client 9# Allow all hostkey/pubkey types, prefer certs for the client
10rsa=0 10rsa=0
11types="" 11types=""
12for i in `$SSH -Q key`; do 12for i in `$SSH -Q key | maybe_filter_sk`; do
13 if [ -z "$types" ]; then 13 if [ -z "$types" ]; then
14 types="$i" 14 types="$i"
15 continue 15 continue
@@ -70,7 +70,7 @@ touch $OBJ/host_revoked_plain
70touch $OBJ/host_revoked_cert 70touch $OBJ/host_revoked_cert
71cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca 71cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
72 72
73PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` 73PLAIN_TYPES=`echo "$SSH_KEYTYPES" | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
74 74
75if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then 75if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
76 PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" 76 PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
@@ -131,7 +131,7 @@ attempt_connect() {
131} 131}
132 132
133# Basic connect and revocation tests. 133# Basic connect and revocation tests.
134for privsep in yes sandbox ; do 134for privsep in yes ; do
135 for ktype in $PLAIN_TYPES ; do 135 for ktype in $PLAIN_TYPES ; do
136 verbose "$tid: host ${ktype} cert connect privsep $privsep" 136 verbose "$tid: host ${ktype} cert connect privsep $privsep"
137 ( 137 (
@@ -169,7 +169,7 @@ for ktype in $PLAIN_TYPES ; do
169 kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig 169 kh_revoke cert_host_key_${ktype}.pub >> $OBJ/known_hosts-cert.orig
170done 170done
171cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 171cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
172for privsep in yes sandbox ; do 172for privsep in yes ; do
173 for ktype in $PLAIN_TYPES ; do 173 for ktype in $PLAIN_TYPES ; do
174 verbose "$tid: host ${ktype} revoked cert privsep $privsep" 174 verbose "$tid: host ${ktype} revoked cert privsep $privsep"
175 ( 175 (
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 5cd02fc3f..91596fa78 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-userkey.sh,v 1.21 2019/07/25 08:28:15 dtucker Exp $ 1# $OpenBSD: cert-userkey.sh,v 1.25 2020/01/03 03:02:26 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified user keys" 4tid="certified user keys"
@@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak 8cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
9 9
10PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` 10PLAIN_TYPES=`$SSH -Q key-plain | maybe_filter_sk | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
11EXTRA_TYPES="" 11EXTRA_TYPES=""
12rsa="" 12rsa=""
13 13
@@ -17,8 +17,10 @@ if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
17fi 17fi
18 18
19kname() { 19kname() {
20 case $ktype in 20 case $1 in
21 rsa-sha2-*) n="$ktype" ;; 21 rsa-sha2-*) n="$1" ;;
22 sk-ecdsa-*) n="sk-ecdsa" ;;
23 sk-ssh-ed25519*) n="sk-ssh-ed25519" ;;
22 # subshell because some seds will add a newline 24 # subshell because some seds will add a newline
23 *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;; 25 *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;;
24 esac 26 esac
@@ -58,7 +60,7 @@ done
58# Test explicitly-specified principals 60# Test explicitly-specified principals
59for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do 61for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
60 t=$(kname $ktype) 62 t=$(kname $ktype)
61 for privsep in yes sandbox ; do 63 for privsep in yes ; do
62 _prefix="${ktype} privsep $privsep" 64 _prefix="${ktype} privsep $privsep"
63 65
64 # Setup for AuthorizedPrincipalsFile 66 # Setup for AuthorizedPrincipalsFile
@@ -195,7 +197,7 @@ basic_tests() {
195 197
196 for ktype in $PLAIN_TYPES ; do 198 for ktype in $PLAIN_TYPES ; do
197 t=$(kname $ktype) 199 t=$(kname $ktype)
198 for privsep in yes no ; do 200 for privsep in yes ; do
199 _prefix="${ktype} privsep $privsep $auth" 201 _prefix="${ktype} privsep $privsep $auth"
200 # Simple connect 202 # Simple connect
201 verbose "$tid: ${_prefix} connect" 203 verbose "$tid: ${_prefix} connect"
diff --git a/regress/connect.sh b/regress/connect.sh
index 1b344b603..46f12b7b3 100644
--- a/regress/connect.sh
+++ b/regress/connect.sh
@@ -1,11 +1,18 @@
1# $OpenBSD: connect.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ 1# $OpenBSD: connect.sh,v 1.8 2020/01/25 02:57:53 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="simple connect" 4tid="simple connect"
5 5
6start_sshd 6start_sshd
7 7
8trace "direct connect"
8${SSH} -F $OBJ/ssh_config somehost true 9${SSH} -F $OBJ/ssh_config somehost true
9if [ $? -ne 0 ]; then 10if [ $? -ne 0 ]; then
10 fail "ssh connect with failed" 11 fail "ssh direct connect failed"
12fi
13
14trace "proxy connect"
15${SSH} -F $OBJ/ssh_config -o "proxycommand $NC %h %p" somehost true
16if [ $? -ne 0 ]; then
17 fail "ssh proxycommand connect failed"
11fi 18fi
diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh
index 811b6b9ab..d6736e246 100644
--- a/regress/hostkey-agent.sh
+++ b/regress/hostkey-agent.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: hostkey-agent.sh,v 1.7 2017/04/30 23:34:55 djm Exp $ 1# $OpenBSD: hostkey-agent.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="hostkey agent" 4tid="hostkey agent"
@@ -6,7 +6,7 @@ tid="hostkey agent"
6rm -f $OBJ/agent-key.* $OBJ/ssh_proxy.orig $OBJ/known_hosts.orig 6rm -f $OBJ/agent-key.* $OBJ/ssh_proxy.orig $OBJ/known_hosts.orig
7 7
8trace "start agent" 8trace "start agent"
9eval `${SSHAGENT} -s` > /dev/null 9eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
10r=$? 10r=$?
11[ $r -ne 0 ] && fatal "could not start ssh-agent: exit code $r" 11[ $r -ne 0 ] && fatal "could not start ssh-agent: exit code $r"
12 12
@@ -14,7 +14,7 @@ grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
14echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig 14echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig
15 15
16trace "load hostkeys" 16trace "load hostkeys"
17for k in `${SSH} -Q key-plain` ; do 17for k in $SSH_KEYTYPES ; do
18 ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k" 18 ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
19 ( 19 (
20 printf 'localhost-with-alias,127.0.0.1,::1 ' 20 printf 'localhost-with-alias,127.0.0.1,::1 '
@@ -30,8 +30,8 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts
30 30
31unset SSH_AUTH_SOCK 31unset SSH_AUTH_SOCK
32 32
33for ps in no yes; do 33for ps in yes; do
34 for k in `${SSH} -Q key-plain` ; do 34 for k in $SSH_KEYTYPES ; do
35 verbose "key type $k privsep=$ps" 35 verbose "key type $k privsep=$ps"
36 cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy 36 cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
37 echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy 37 echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
diff --git a/regress/hostkey-rotate.sh b/regress/hostkey-rotate.sh
index cc6bd9cf6..c3e100c3e 100644
--- a/regress/hostkey-rotate.sh
+++ b/regress/hostkey-rotate.sh
@@ -1,11 +1,8 @@
1# $OpenBSD: hostkey-rotate.sh,v 1.6 2019/08/30 05:08:28 dtucker Exp $ 1# $OpenBSD: hostkey-rotate.sh,v 1.8 2019/11/26 23:43:10 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="hostkey rotate" 4tid="hostkey rotate"
5 5
6# Need full names here since they are used in HostKeyAlgorithms
7HOSTKEY_TYPES="`${SSH} -Q key-plain`"
8
9rm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig 6rm -f $OBJ/hkr.* $OBJ/ssh_proxy.orig
10 7
11grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig 8grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
@@ -20,7 +17,7 @@ secondary="$primary"
20trace "prepare hostkeys" 17trace "prepare hostkeys"
21nkeys=0 18nkeys=0
22all_algs="" 19all_algs=""
23for k in $HOSTKEY_TYPES; do 20for k in $SSH_HOSTKEY_TYPES; do
24 ${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k" 21 ${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k"
25 echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig 22 echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig
26 nkeys=`expr $nkeys + 1` 23 nkeys=`expr $nkeys + 1`
@@ -67,12 +64,12 @@ verbose "learn additional hostkeys"
67dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs 64dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs
68# Check that other keys learned 65# Check that other keys learned
69expect_nkeys $nkeys "learn hostkeys" 66expect_nkeys $nkeys "learn hostkeys"
70for k in $HOSTKEY_TYPES; do 67for k in $SSH_HOSTKEY_TYPES; do
71 check_key_present $k || fail "didn't learn keytype $k" 68 check_key_present $k || fail "didn't learn keytype $k"
72done 69done
73 70
74# Check each key type 71# Check each key type
75for k in $HOSTKEY_TYPES; do 72for k in $SSH_HOSTKEY_TYPES; do
76 verbose "learn additional hostkeys, type=$k" 73 verbose "learn additional hostkeys, type=$k"
77 dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs 74 dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs
78 expect_nkeys $nkeys "learn hostkeys $k" 75 expect_nkeys $nkeys "learn hostkeys $k"
diff --git a/regress/integrity.sh b/regress/integrity.sh
index 5ba6bf6ab..bc030cb74 100644
--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: integrity.sh,v 1.23 2017/04/30 23:34:55 djm Exp $ 1# $OpenBSD: integrity.sh,v 1.24 2020/01/21 08:06:27 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="integrity" 4tid="integrity"
@@ -18,7 +18,7 @@ macs="$macs `${SSH} -Q cipher-auth`"
18# >> $OBJ/ssh_proxy 18# >> $OBJ/ssh_proxy
19 19
20# sshd-command for proxy (see test-exec.sh) 20# sshd-command for proxy (see test-exec.sh)
21cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy" 21cmd="$SUDO env SSH_SK_HELPER="$SSH_SK_HELPER" sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy"
22 22
23for m in $macs; do 23for m in $macs; do
24 trace "test $tid: mac $m" 24 trace "test $tid: mac $m"
diff --git a/regress/keygen-change.sh b/regress/keygen-change.sh
index 8b8acd52f..3863e33b5 100644
--- a/regress/keygen-change.sh
+++ b/regress/keygen-change.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: keygen-change.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ 1# $OpenBSD: keygen-change.sh,v 1.9 2019/12/16 02:39:05 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="change passphrase for key" 4tid="change passphrase for key"
@@ -6,10 +6,7 @@ tid="change passphrase for key"
6S1="secret1" 6S1="secret1"
7S2="2secret" 7S2="2secret"
8 8
9KEYTYPES=`${SSH} -Q key-plain` 9for t in $SSH_KEYTYPES; do
10
11for t in $KEYTYPES; do
12 # generate user key for agent
13 trace "generating $t key" 10 trace "generating $t key"
14 rm -f $OBJ/$t-key 11 rm -f $OBJ/$t-key
15 ${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key 12 ${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key
diff --git a/regress/keygen-moduli.sh b/regress/keygen-moduli.sh
index a8eccfb69..8be53f92f 100644
--- a/regress/keygen-moduli.sh
+++ b/regress/keygen-moduli.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: keygen-moduli.sh,v 1.3 2019/07/23 08:19:29 dtucker Exp $ 1# $OpenBSD: keygen-moduli.sh,v 1.4 2020/01/02 13:25:38 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="keygen moduli" 4tid="keygen moduli"
@@ -14,10 +14,10 @@ done
14# and "skip 2 and run to the end with checkpointing". Since our test data 14# and "skip 2 and run to the end with checkpointing". Since our test data
15# file has 3 lines, these should always result in 1 line of output. 15# file has 3 lines, these should always result in 1 line of output.
16if [ "x$dhgex" = "x1" ]; then 16if [ "x$dhgex" = "x1" ]; then
17 for i in "-J1" "-j1 -J1" "-j2 -K $OBJ/moduli.ckpt"; do 17 for i in "-O lines=1" "-O start-line=1 -O lines=1" "-O start-line=2 -O checkpoint=$OBJ/moduli.ckpt"; do
18 trace "keygen $i" 18 trace "keygen $i"
19 rm -f $OBJ/moduli.out $OBJ/moduli.ckpt 19 rm -f $OBJ/moduli.out $OBJ/moduli.ckpt
20 ${SSHKEYGEN} -T $OBJ/moduli.out -f ${SRC}/moduli.in $i 2>/dev/null || \ 20 ${SSHKEYGEN} -M screen -f ${SRC}/moduli.in $i $OBJ/moduli.out 2>/dev/null || \
21 fail "keygen screen failed $i" 21 fail "keygen screen failed $i"
22 lines=`wc -l <$OBJ/moduli.out` 22 lines=`wc -l <$OBJ/moduli.out`
23 test "$lines" -eq "1" || fail "expected 1 line, got $lines" 23 test "$lines" -eq "1" || fail "expected 1 line, got $lines"
diff --git a/regress/keyscan.sh b/regress/keyscan.sh
index 8940d24b6..75a14ee0e 100644
--- a/regress/keyscan.sh
+++ b/regress/keyscan.sh
@@ -1,10 +1,9 @@
1# $OpenBSD: keyscan.sh,v 1.9 2019/01/28 03:50:39 dtucker Exp $ 1# $OpenBSD: keyscan.sh,v 1.13 2020/01/22 07:31:27 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="keyscan" 4tid="keyscan"
5 5
6KEYTYPES=`${SSH} -Q key-plain` 6for i in $SSH_KEYTYPES; do
7for i in $KEYTYPES; do
8 if [ -z "$algs" ]; then 7 if [ -z "$algs" ]; then
9 algs="$i" 8 algs="$i"
10 else 9 else
@@ -15,9 +14,9 @@ echo "HostKeyAlgorithms $algs" >> $OBJ/sshd_config
15 14
16start_sshd 15start_sshd
17 16
18for t in $KEYTYPES; do 17for t in $SSH_KEYTYPES; do
19 trace "keyscan type $t" 18 trace "keyscan type $t"
20 ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \ 19 ${SSHKEYSCAN} -t $t -T 15 -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \
21 > /dev/null 2>&1 20 > /dev/null 2>&1
22 r=$? 21 r=$?
23 if [ $r -ne 0 ]; then 22 if [ $r -ne 0 ]; then
diff --git a/regress/keytype.sh b/regress/keytype.sh
index 13095088e..20a8ceaf2 100644
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: keytype.sh,v 1.8 2019/07/23 13:49:14 dtucker Exp $ 1# $OpenBSD: keytype.sh,v 1.10 2019/12/16 02:39:05 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="login with different key types" 4tid="login with different key types"
@@ -16,43 +16,56 @@ for i in ${SSH_KEYTYPES}; do
16 ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;; 16 ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;;
17 ecdsa-sha2-nistp384) ktypes="$ktypes ecdsa-384" ;; 17 ecdsa-sha2-nistp384) ktypes="$ktypes ecdsa-384" ;;
18 ecdsa-sha2-nistp521) ktypes="$ktypes ecdsa-521" ;; 18 ecdsa-sha2-nistp521) ktypes="$ktypes ecdsa-521" ;;
19 sk-ssh-ed25519*) ktypes="$ktypes ed25519-sk" ;;
20 sk-ecdsa-sha2-nistp256*) ktypes="$ktypes ecdsa-sk" ;;
19 esac 21 esac
20done 22done
21 23
22for kt in $ktypes; do 24for kt in $ktypes; do
23 rm -f $OBJ/key.$kt 25 rm -f $OBJ/key.$kt
24 bits=`echo ${kt} | awk -F- '{print $2}'` 26 xbits=`echo ${kt} | awk -F- '{print $2}'`
25 type=`echo ${kt} | awk -F- '{print $1}'` 27 xtype=`echo ${kt} | awk -F- '{print $1}'`
28 case "$kt" in
29 *sk) type="$kt"; bits="n/a"; bits_arg="";;
30 *) type=$xtype; bits=$xbits; bits_arg="-b $bits";;
31 esac
26 verbose "keygen $type, $bits bits" 32 verbose "keygen $type, $bits bits"
27 ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\ 33 ${SSHKEYGEN} $bits_arg -q -N '' -t $type -f $OBJ/key.$kt || \
28 fail "ssh-keygen for type $type, $bits bits failed" 34 fail "ssh-keygen for type $type, $bits bits failed"
29done 35done
30 36
37kname_to_ktype() {
38 case $1 in
39 dsa-1024) echo ssh-dss;;
40 ecdsa-256) echo ecdsa-sha2-nistp256;;
41 ecdsa-384) echo ecdsa-sha2-nistp384;;
42 ecdsa-521) echo ecdsa-sha2-nistp521;;
43 ed25519-512) echo ssh-ed25519;;
44 rsa-*) echo rsa-sha2-512,rsa-sha2-256,ssh-rsa;;
45 ed25519-sk) echo sk-ssh-ed25519@openssh.com;;
46 ecdsa-sk) echo sk-ecdsa-sha2-nistp256@openssh.com;;
47 esac
48}
49
31tries="1 2 3" 50tries="1 2 3"
32for ut in $ktypes; do 51for ut in $ktypes; do
33 htypes=$ut 52 user_type=`kname_to_ktype "$ut"`
53 htypes="$ut"
34 #htypes=$ktypes 54 #htypes=$ktypes
35 for ht in $htypes; do 55 for ht in $htypes; do
36 case $ht in 56 host_type=`kname_to_ktype "$ht"`
37 dsa-1024) t=ssh-dss;;
38 ecdsa-256) t=ecdsa-sha2-nistp256;;
39 ecdsa-384) t=ecdsa-sha2-nistp384;;
40 ecdsa-521) t=ecdsa-sha2-nistp521;;
41 ed25519-512) t=ssh-ed25519;;
42 rsa-*) t=rsa-sha2-512,rsa-sha2-256,ssh-rsa;;
43 esac
44 trace "ssh connect, userkey $ut, hostkey $ht" 57 trace "ssh connect, userkey $ut, hostkey $ht"
45 ( 58 (
46 grep -v HostKey $OBJ/sshd_proxy_bak 59 grep -v HostKey $OBJ/sshd_proxy_bak
47 echo HostKey $OBJ/key.$ht 60 echo HostKey $OBJ/key.$ht
48 echo PubkeyAcceptedKeyTypes $t 61 echo PubkeyAcceptedKeyTypes $user_type
49 echo HostKeyAlgorithms $t 62 echo HostKeyAlgorithms $host_type
50 ) > $OBJ/sshd_proxy 63 ) > $OBJ/sshd_proxy
51 ( 64 (
52 grep -v IdentityFile $OBJ/ssh_proxy_bak 65 grep -v IdentityFile $OBJ/ssh_proxy_bak
53 echo IdentityFile $OBJ/key.$ut 66 echo IdentityFile $OBJ/key.$ut
54 echo PubkeyAcceptedKeyTypes $t 67 echo PubkeyAcceptedKeyTypes $user_type
55 echo HostKeyAlgorithms $t 68 echo HostKeyAlgorithms $host_type
56 ) > $OBJ/ssh_proxy 69 ) > $OBJ/ssh_proxy
57 ( 70 (
58 printf 'localhost-with-alias,127.0.0.1,::1 ' 71 printf 'localhost-with-alias,127.0.0.1,::1 '
diff --git a/regress/krl.sh b/regress/krl.sh
index e18d0ec7f..c381225ed 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -1,16 +1,19 @@
1# $OpenBSD: krl.sh,v 1.8 2019/07/25 09:17:35 dtucker Exp $ 1# $OpenBSD: krl.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="key revocation lists" 4tid="key revocation lists"
5 5
6# Use ed25519 by default since it's fast and it's supported when building 6# Use ed25519 by default since it's fast and it's supported when building
7# w/out OpenSSL. Populate ktype[2-4] with the other types if supported. 7# w/out OpenSSL. Populate ktype[2-4] with the other types if supported.
8ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; ktype4=ed25519 8ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
9for t in `${SSH} -Q key-plain`; do 9ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
10for t in $SSH_KEYTYPES; do
10 case "$t" in 11 case "$t" in
11 ecdsa*) ktype2=ecdsa ;; 12 ecdsa*) ktype2=ecdsa ;;
12 ssh-rsa) ktype3=rsa ;; 13 ssh-rsa) ktype3=rsa ;;
13 ssh-dss) ktype4=dsa ;; 14 ssh-dss) ktype4=dsa ;;
15 sk-ssh-ed25519@openssh.com) ktype5=ed25519-sk ;;
16 sk-ecdsa-sha2-nistp256@openssh.com) ktype6=ecdsa-sk ;;
14 esac 17 esac
15done 18done
16 19
@@ -34,6 +37,7 @@ serial: 10
34serial: 15 37serial: 15
35serial: 30 38serial: 30
36serial: 50 39serial: 50
40serial: 90
37serial: 999 41serial: 999
38# The following sum to 500-799 42# The following sum to 500-799
39serial: 500 43serial: 500
@@ -51,7 +55,7 @@ EOF
51 55
52# A specification that revokes some certificated by key ID. 56# A specification that revokes some certificated by key ID.
53touch $OBJ/revoked-keyid 57touch $OBJ/revoked-keyid
54for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do 58for n in 1 2 3 4 10 15 30 50 90 `jot 500 300` 999 1000 1001 1002; do
55 test "x$n" = "x499" && continue 59 test "x$n" = "x499" && continue
56 # Fill in by-ID revocation spec. 60 # Fill in by-ID revocation spec.
57 echo "id: revoked $n" >> $OBJ/revoked-keyid 61 echo "id: revoked $n" >> $OBJ/revoked-keyid
@@ -64,9 +68,11 @@ keygen() {
64 # supported. 68 # supported.
65 keytype=$ktype1 69 keytype=$ktype1
66 case $N in 70 case $N in
67 2 | 10 | 510 | 1001) keytype=$ktype2 ;; 71 2 | 10 | 510 | 1001) keytype=$ktype2 ;;
68 4 | 30 | 520 | 1002) keytype=$ktype3 ;; 72 4 | 30 | 520 | 1002) keytype=$ktype3 ;;
69 8 | 50 | 530 | 1003) keytype=$ktype4 ;; 73 8 | 50 | 530 | 1003) keytype=$ktype4 ;;
74 16 | 70 | 540 | 1004) keytype=$ktype5 ;;
75 32 | 90 | 550 | 1005) keytype=$ktype6 ;;
70 esac 76 esac
71 $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \ 77 $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
72 || fatal "$SSHKEYGEN failed" 78 || fatal "$SSHKEYGEN failed"
@@ -78,7 +84,7 @@ keygen() {
78 84
79# Generate some keys. 85# Generate some keys.
80verbose "$tid: generating test keys" 86verbose "$tid: generating test keys"
81REVOKED_SERIALS="1 4 10 50 500 510 520 799 999" 87REVOKED_SERIALS="1 4 10 50 90 500 510 520 550 799 999"
82for n in $REVOKED_SERIALS ; do 88for n in $REVOKED_SERIALS ; do
83 f=`keygen $n` 89 f=`keygen $n`
84 RKEYS="$RKEYS ${f}.pub" 90 RKEYS="$RKEYS ${f}.pub"
diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh
index 5c30af006..010a88cd7 100644
--- a/regress/limit-keytype.sh
+++ b/regress/limit-keytype.sh
@@ -1,20 +1,25 @@
1# $OpenBSD: limit-keytype.sh,v 1.6 2019/07/26 04:22:21 dtucker Exp $ 1# $OpenBSD: limit-keytype.sh,v 1.9 2019/12/16 02:39:05 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="restrict pubkey type" 4tid="restrict pubkey type"
5 5
6# XXX sk-* keys aren't actually tested ATM.
7
6rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/user_key* 8rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/user_key*
7rm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key* 9rm -f $OBJ/authorized_principals_$USER $OBJ/cert_user_key*
8 10
9mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig 11mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
10mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig 12mv $OBJ/ssh_proxy $OBJ/ssh_proxy.orig
11 13
12ktype1=ed25519; ktype2=$ktype1; ktype3=$ktype1; ktype4=$ktype1 14ktype1=ed25519; ktype2=ed25519; ktype3=ed25519;
13for t in `${SSH} -Q key-plain`; do 15ktype4=ed25519; ktype5=ed25519; ktype6=ed25519;
16for t in $SSH_KEYTYPES ; do
14 case "$t" in 17 case "$t" in
15 ssh-rsa) ktype2=rsa ;; 18 ssh-rsa) ktype2=rsa ;;
16 ecdsa*) ktype3=ecdsa ;; # unused 19 ecdsa*) ktype3=ecdsa ;; # unused
17 ssh-dss) ktype4=dsa ;; 20 ssh-dss) ktype4=dsa ;;
21 sk-ssh-ed25519@openssh.com) ktype5=ed25519-sk ;;
22 sk-ecdsa-sha2-nistp256@openssh.com) ktype6=ecdsa-sk ;;
18 esac 23 esac
19done 24done
20 25
@@ -31,6 +36,10 @@ ${SSHKEYGEN} -q -N '' -t $ktype2 -f $OBJ/user_key3 || \
31 fatal "ssh-keygen failed" 36 fatal "ssh-keygen failed"
32${SSHKEYGEN} -q -N '' -t $ktype4 -f $OBJ/user_key4 || \ 37${SSHKEYGEN} -q -N '' -t $ktype4 -f $OBJ/user_key4 || \
33 fatal "ssh-keygen failed" 38 fatal "ssh-keygen failed"
39${SSHKEYGEN} -q -N '' -t $ktype5 -f $OBJ/user_key5 || \
40 fatal "ssh-keygen failed"
41${SSHKEYGEN} -q -N '' -t $ktype6 -f $OBJ/user_key6 || \
42 fatal "ssh-keygen failed"
34${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ 43${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
35 -z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 || 44 -z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 ||
36 fatal "couldn't sign user_key1" 45 fatal "couldn't sign user_key1"
@@ -68,6 +77,8 @@ keytype() {
68 ed25519) printf "ssh-ed25519" ;; 77 ed25519) printf "ssh-ed25519" ;;
69 dsa) printf "ssh-dss" ;; 78 dsa) printf "ssh-dss" ;;
70 rsa) printf "rsa-sha2-256,rsa-sha2-512,ssh-rsa" ;; 79 rsa) printf "rsa-sha2-256,rsa-sha2-512,ssh-rsa" ;;
80 sk-ecdsa) printf "sk-ecdsa-*" ;;
81 sk-ssh-ed25519) printf "sk-ssh-ed25519-*" ;;
71 esac 82 esac
72} 83}
73 84
diff --git a/regress/misc/Makefile b/regress/misc/Makefile
index 14c0c279f..cf95f265c 100644
--- a/regress/misc/Makefile
+++ b/regress/misc/Makefile
@@ -1,3 +1,3 @@
1SUBDIR= kexfuzz 1SUBDIR= kexfuzz sk-dummy
2 2
3.include <bsd.subdir.mk> 3.include <bsd.subdir.mk>
diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile
index 85179ac4e..64fbdbab1 100644
--- a/regress/misc/fuzz-harness/Makefile
+++ b/regress/misc/fuzz-harness/Makefile
@@ -3,31 +3,36 @@ CXX=clang++-6.0
3FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge,trace-pc 3FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge,trace-pc
4FUZZ_LIBS=-lFuzzer 4FUZZ_LIBS=-lFuzzer
5 5
6CXXFLAGS=-O2 -g -Wall -Wextra -I ../../.. $(FUZZ_FLAGS) 6CXXFLAGS=-O2 -g -Wall -Wextra -Wno-unused-parameter -I ../../.. $(FUZZ_FLAGS)
7LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS) 7LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS)
8LIBS=-lssh -lopenbsd-compat -lcrypto $(FUZZ_LIBS) 8LIBS=-lssh -lopenbsd-compat -lcrypto -lfido2 -lcbor $(FUZZ_LIBS)
9COMMON_OBJS=ssh-sk-null.o
9 10
10TARGETS=pubkey_fuzz sig_fuzz authopt_fuzz sshsig_fuzz sshsigopt_fuzz 11TARGETS=pubkey_fuzz sig_fuzz authopt_fuzz sshsig_fuzz \
12 sshsigopt_fuzz privkey_fuzz
11 13
12all: $(TARGETS) 14all: $(TARGETS)
13 15
14.cc.o: 16.cc.o:
15 $(CXX) $(CXXFLAGS) -c $< -o $@ 17 $(CXX) $(CXXFLAGS) -c $< -o $@
16 18
17pubkey_fuzz: pubkey_fuzz.o 19pubkey_fuzz: pubkey_fuzz.o $(COMMON_OBJS)
18 $(CXX) -o $@ pubkey_fuzz.o $(LDFLAGS) $(LIBS) 20 $(CXX) -o $@ pubkey_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS)
19 21
20sig_fuzz: sig_fuzz.o 22sig_fuzz: sig_fuzz.o $(COMMON_OBJS)
21 $(CXX) -o $@ sig_fuzz.o $(LDFLAGS) $(LIBS) 23 $(CXX) -o $@ sig_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS)
22 24
23authopt_fuzz: authopt_fuzz.o 25authopt_fuzz: authopt_fuzz.o $(COMMON_OBJS)
24 $(CXX) -o $@ authopt_fuzz.o ../../../auth-options.o $(LDFLAGS) $(LIBS) 26 $(CXX) -o $@ authopt_fuzz.o $(COMMON_OBJS) ../../../auth-options.o $(LDFLAGS) $(LIBS)
25 27
26sshsig_fuzz: sshsig_fuzz.o 28sshsig_fuzz: sshsig_fuzz.o $(COMMON_OBJS)
27 $(CXX) -o $@ sshsig_fuzz.o ../../../sshsig.o $(LDFLAGS) $(LIBS) 29 $(CXX) -o $@ sshsig_fuzz.o $(COMMON_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS)
28 30
29sshsigopt_fuzz: sshsigopt_fuzz.o 31sshsigopt_fuzz: sshsigopt_fuzz.o $(COMMON_OBJS)
30 $(CXX) -o $@ sshsigopt_fuzz.o ../../../sshsig.o $(LDFLAGS) $(LIBS) 32 $(CXX) -o $@ sshsigopt_fuzz.o $(COMMON_OBJS) ../../../sshsig.o $(LDFLAGS) $(LIBS)
33
34privkey_fuzz: privkey_fuzz.o $(COMMON_OBJS)
35 $(CXX) -o $@ privkey_fuzz.o $(COMMON_OBJS) $(LDFLAGS) $(LIBS)
31 36
32clean: 37clean:
33 -rm -f *.o $(TARGETS) 38 -rm -f *.o $(TARGETS)
diff --git a/regress/misc/fuzz-harness/privkey_fuzz.cc b/regress/misc/fuzz-harness/privkey_fuzz.cc
new file mode 100644
index 000000000..ff0b0f776
--- /dev/null
+++ b/regress/misc/fuzz-harness/privkey_fuzz.cc
@@ -0,0 +1,21 @@
1#include <stddef.h>
2#include <stdio.h>
3#include <stdint.h>
4
5extern "C" {
6
7#include "sshkey.h"
8#include "sshbuf.h"
9
10int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
11{
12 struct sshkey *k = NULL;
13 struct sshbuf *b = sshbuf_from(data, size);
14 int r = sshkey_private_deserialize(b, &k);
15 if (r == 0) sshkey_free(k);
16 sshbuf_free(b);
17 return 0;
18}
19
20} // extern
21
diff --git a/regress/misc/fuzz-harness/sig_fuzz.cc b/regress/misc/fuzz-harness/sig_fuzz.cc
index dd1fda091..b32502ba0 100644
--- a/regress/misc/fuzz-harness/sig_fuzz.cc
+++ b/regress/misc/fuzz-harness/sig_fuzz.cc
@@ -31,19 +31,31 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
31 static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384); 31 static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384);
32 static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521); 32 static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521);
33#endif 33#endif
34 struct sshkey_sig_details *details = NULL;
34 static struct sshkey *ed25519 = generate_or_die(KEY_ED25519, 0); 35 static struct sshkey *ed25519 = generate_or_die(KEY_ED25519, 0);
35 static const char *data = "If everyone started announcing his nose had " 36 static const char *data = "If everyone started announcing his nose had "
36 "run away, I don’t know how it would all end"; 37 "run away, I don’t know how it would all end";
37 static const size_t dlen = strlen(data); 38 static const size_t dlen = strlen(data);
38 39
39#ifdef WITH_OPENSSL 40#ifdef WITH_OPENSSL
40 sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, NULL, 0); 41 sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
41 sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, NULL, 0); 42 sshkey_sig_details_free(details);
42 sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, NULL, 0); 43 details = NULL;
43 sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, NULL, 0); 44 sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
44 sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, NULL, 0); 45 sshkey_sig_details_free(details);
46 details = NULL;
47 sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
48 sshkey_sig_details_free(details);
49 details = NULL;
50 sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
51 sshkey_sig_details_free(details);
52 details = NULL;
53 sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
54 sshkey_sig_details_free(details);
55 details = NULL;
45#endif 56#endif
46 sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0); 57 sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
58 sshkey_sig_details_free(details);
47 return 0; 59 return 0;
48} 60}
49 61
diff --git a/regress/misc/fuzz-harness/ssh-sk-null.cc b/regress/misc/fuzz-harness/ssh-sk-null.cc
new file mode 100644
index 000000000..199af1121
--- /dev/null
+++ b/regress/misc/fuzz-harness/ssh-sk-null.cc
@@ -0,0 +1,51 @@
1/* $OpenBSD$ */
2/*
3 * Copyright (c) 2019 Google LLC
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18extern "C" {
19
20#include "includes.h"
21
22#include <sys/types.h>
23
24#include "ssherr.h"
25#include "ssh-sk.h"
26
27int
28sshsk_enroll(int type, const char *provider_path, const char *device,
29 const char *application, const char *userid, uint8_t flags,
30 const char *pin, struct sshbuf *challenge_buf,
31 struct sshkey **keyp, struct sshbuf *attest)
32{
33 return SSH_ERR_FEATURE_UNSUPPORTED;
34}
35
36int
37sshsk_sign(const char *provider_path, struct sshkey *key,
38 u_char **sigp, size_t *lenp, const u_char *data, size_t datalen,
39 u_int compat, const char *pin)
40{
41 return SSH_ERR_FEATURE_UNSUPPORTED;
42}
43
44int
45sshsk_load_resident(const char *provider_path, const char *device,
46 const char *pin, struct sshkey ***keysp, size_t *nkeysp)
47{
48 return SSH_ERR_FEATURE_UNSUPPORTED;
49}
50
51};
diff --git a/regress/misc/fuzz-harness/sshsig_fuzz.cc b/regress/misc/fuzz-harness/sshsig_fuzz.cc
index fe09ccb87..02211a096 100644
--- a/regress/misc/fuzz-harness/sshsig_fuzz.cc
+++ b/regress/misc/fuzz-harness/sshsig_fuzz.cc
@@ -22,10 +22,12 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
22 struct sshbuf *signature = sshbuf_from(sig, slen); 22 struct sshbuf *signature = sshbuf_from(sig, slen);
23 struct sshbuf *message = sshbuf_from(data, strlen(data)); 23 struct sshbuf *message = sshbuf_from(data, strlen(data));
24 struct sshkey *k = NULL; 24 struct sshkey *k = NULL;
25 struct sshkey_sig_details *details = NULL;
25 extern char *__progname; 26 extern char *__progname;
26 27
27 log_init(__progname, SYSLOG_LEVEL_QUIET, SYSLOG_FACILITY_USER, 1); 28 log_init(__progname, SYSLOG_LEVEL_QUIET, SYSLOG_FACILITY_USER, 1);
28 sshsig_verifyb(signature, message, "castle", &k); 29 sshsig_verifyb(signature, message, "castle", &k, &details);
30 sshkey_sig_details_free(details);
29 sshkey_free(k); 31 sshkey_free(k);
30 sshbuf_free(signature); 32 sshbuf_free(signature);
31 sshbuf_free(message); 33 sshbuf_free(message);
diff --git a/regress/misc/kexfuzz/Makefile b/regress/misc/kexfuzz/Makefile
index 20802cb87..9eb86931c 100644
--- a/regress/misc/kexfuzz/Makefile
+++ b/regress/misc/kexfuzz/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.4 2019/01/21 12:50:12 djm Exp $ 1# $OpenBSD: Makefile,v 1.7 2020/01/26 00:09:50 djm Exp $
2 2
3.include <bsd.own.mk> 3.include <bsd.own.mk>
4.include <bsd.obj.mk> 4.include <bsd.obj.mk>
@@ -20,6 +20,7 @@ SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c
20SRCS+=addrmatch.c bitmap.c packet.c dispatch.c canohost.c ssh_api.c 20SRCS+=addrmatch.c bitmap.c packet.c dispatch.c canohost.c ssh_api.c
21SRCS+=compat.c ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c 21SRCS+=compat.c ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c
22SRCS+=cipher-chachapoly.c chacha.c poly1305.c 22SRCS+=cipher-chachapoly.c chacha.c poly1305.c
23SRCS+=sshbuf-io.c ssh-ecdsa-sk.c ssh-ed25519-sk.c msg.c ssh-sk-client.c
23 24
24SRCS+= kex.c 25SRCS+= kex.c
25SRCS+= dh.c 26SRCS+= dh.c
@@ -50,6 +51,9 @@ SSH1= no
50CFLAGS+= -DWITH_SSH1 51CFLAGS+= -DWITH_SSH1
51.endif 52.endif
52 53
54LDADD+= -lfido2 -lcbor -lusbhid
55DPADD+= ${LIBFIDO2} ${LIBCBOR} ${LIBUSBHID}
56
53# enable warnings 57# enable warnings
54WARNINGS=Yes 58WARNINGS=Yes
55 59
diff --git a/regress/misc/kexfuzz/kexfuzz.c b/regress/misc/kexfuzz/kexfuzz.c
index 7051e87b1..56697c918 100644
--- a/regress/misc/kexfuzz/kexfuzz.c
+++ b/regress/misc/kexfuzz/kexfuzz.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: kexfuzz.c,v 1.5 2019/01/21 12:50:12 djm Exp $ */ 1/* $OpenBSD: kexfuzz.c,v 1.6 2020/01/26 00:09:50 djm Exp $ */
2/* 2/*
3 * Fuzz harness for KEX code 3 * Fuzz harness for KEX code
4 * 4 *
@@ -424,12 +424,8 @@ main(int argc, char **argv)
424 if (packet_index == -1 || direction == -1 || data_path == NULL) 424 if (packet_index == -1 || direction == -1 || data_path == NULL)
425 badusage("Replace (-r) mode must specify direction " 425 badusage("Replace (-r) mode must specify direction "
426 "(-D) packet index (-i) and data path (-f)"); 426 "(-D) packet index (-i) and data path (-f)");
427 if ((fd = open(data_path, O_RDONLY)) == -1) 427 if ((r = sshbuf_load_file(data_path, &replace_data)) != 0)
428 err(1, "open %s", data_path);
429 replace_data = sshbuf_new();
430 if ((r = sshkey_load_file(fd, replace_data)) != 0)
431 errx(1, "read %s: %s", data_path, ssh_err(r)); 428 errx(1, "read %s: %s", data_path, ssh_err(r));
432 close(fd);
433 } 429 }
434 430
435 /* Dump mode */ 431 /* Dump mode */
diff --git a/regress/misc/sk-dummy/Makefile b/regress/misc/sk-dummy/Makefile
new file mode 100644
index 000000000..29e313c82
--- /dev/null
+++ b/regress/misc/sk-dummy/Makefile
@@ -0,0 +1,66 @@
1# $OpenBSD: Makefile,v 1.2 2019/11/29 00:13:29 djm Exp $
2
3.include <bsd.own.mk>
4.include <bsd.obj.mk>
5
6PROG= sk-dummy.so
7NOMAN=
8
9SSHREL=../../../../../usr.bin/ssh
10.PATH: ${.CURDIR}/${SSHREL}
11
12SRCS=sk-dummy.c
13# From usr.bin/ssh
14SRCS+=ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c
15OPENSSL?= yes
16
17CFLAGS+= -fPIC
18
19.if (${OPENSSL:L} == "yes")
20CFLAGS+= -DWITH_OPENSSL
21.endif
22
23# enable warnings
24WARNINGS=Yes
25
26DEBUG=-g
27CFLAGS+= -fstack-protector-all
28CDIAGFLAGS= -Wall
29CDIAGFLAGS+= -Wextra
30CDIAGFLAGS+= -Werror
31CDIAGFLAGS+= -Wchar-subscripts
32CDIAGFLAGS+= -Wcomment
33CDIAGFLAGS+= -Wformat
34CDIAGFLAGS+= -Wformat-security
35CDIAGFLAGS+= -Wimplicit
36CDIAGFLAGS+= -Winline
37CDIAGFLAGS+= -Wmissing-declarations
38CDIAGFLAGS+= -Wmissing-prototypes
39CDIAGFLAGS+= -Wparentheses
40CDIAGFLAGS+= -Wpointer-arith
41CDIAGFLAGS+= -Wreturn-type
42CDIAGFLAGS+= -Wshadow
43CDIAGFLAGS+= -Wsign-compare
44CDIAGFLAGS+= -Wstrict-aliasing
45CDIAGFLAGS+= -Wstrict-prototypes
46CDIAGFLAGS+= -Wswitch
47CDIAGFLAGS+= -Wtrigraphs
48CDIAGFLAGS+= -Wuninitialized
49CDIAGFLAGS+= -Wunused
50CDIAGFLAGS+= -Wno-unused-parameter
51.if ${COMPILER_VERSION:L} != "gcc3"
52CDIAGFLAGS+= -Wold-style-definition
53.endif
54
55CFLAGS+=-I${.CURDIR}/${SSHREL}
56
57.if (${OPENSSL:L} == "yes")
58LDADD+= -lcrypto
59DPADD+= ${LIBCRYPTO}
60.endif
61
62$(PROG): $(OBJS)
63 $(CC) $(LDFLAGS) -shared -o $@ $(OBJS) $(LDADD)
64
65.include <bsd.prog.mk>
66
diff --git a/regress/misc/sk-dummy/fatal.c b/regress/misc/sk-dummy/fatal.c
new file mode 100644
index 000000000..7cdc74b97
--- /dev/null
+++ b/regress/misc/sk-dummy/fatal.c
@@ -0,0 +1,20 @@
1/* public domain */
2
3#include <stdlib.h>
4#include <stdio.h>
5#include <stdarg.h>
6#include <unistd.h>
7
8void fatal(char *fmt, ...);
9
10void
11fatal(char *fmt, ...)
12{
13 va_list ap;
14
15 va_start(ap, fmt);
16 vfprintf(stderr, fmt, ap);
17 va_end(ap);
18 fputc('\n', stderr);
19 _exit(1);
20}
diff --git a/regress/misc/sk-dummy/sk-dummy.c b/regress/misc/sk-dummy/sk-dummy.c
new file mode 100644
index 000000000..dca158ded
--- /dev/null
+++ b/regress/misc/sk-dummy/sk-dummy.c
@@ -0,0 +1,526 @@
1/*
2 * Copyright (c) 2019 Markus Friedl
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17#include "includes.h"
18
19#ifdef HAVE_STDINT_H
20#include <stdint.h>
21#endif
22#include <stdlib.h>
23#include <string.h>
24#include <stdio.h>
25#include <stddef.h>
26#include <stdarg.h>
27
28#include "crypto_api.h"
29#include "sk-api.h"
30
31#include <openssl/opensslv.h>
32#include <openssl/crypto.h>
33#include <openssl/evp.h>
34#include <openssl/bn.h>
35#include <openssl/ec.h>
36#include <openssl/ecdsa.h>
37#include <openssl/pem.h>
38
39/* #define SK_DEBUG 1 */
40
41/* Compatibility with OpenSSH 1.0.x */
42#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
43#define ECDSA_SIG_get0(sig, pr, ps) \
44 do { \
45 (*pr) = sig->r; \
46 (*ps) = sig->s; \
47 } while (0)
48#endif
49
50#if SSH_SK_VERSION_MAJOR != 0x00040000
51# error SK API has changed, sk-dummy.c needs an update
52#endif
53
54static void skdebug(const char *func, const char *fmt, ...)
55 __attribute__((__format__ (printf, 2, 3)));
56
57static void
58skdebug(const char *func, const char *fmt, ...)
59{
60#if defined(SK_DEBUG)
61 va_list ap;
62
63 va_start(ap, fmt);
64 fprintf(stderr, "sk-dummy %s: ", func);
65 vfprintf(stderr, fmt, ap);
66 fputc('\n', stderr);
67 va_end(ap);
68#else
69 (void)func; /* XXX */
70 (void)fmt; /* XXX */
71#endif
72}
73
74uint32_t
75sk_api_version(void)
76{
77 return SSH_SK_VERSION_MAJOR;
78}
79
80static int
81pack_key_ecdsa(struct sk_enroll_response *response)
82{
83#ifdef OPENSSL_HAS_ECC
84 EC_KEY *key = NULL;
85 const EC_GROUP *g;
86 const EC_POINT *q;
87 int ret = -1;
88 long privlen;
89 BIO *bio = NULL;
90 char *privptr;
91
92 response->public_key = NULL;
93 response->public_key_len = 0;
94 response->key_handle = NULL;
95 response->key_handle_len = 0;
96
97 if ((key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)) == NULL) {
98 skdebug(__func__, "EC_KEY_new_by_curve_name");
99 goto out;
100 }
101 if (EC_KEY_generate_key(key) != 1) {
102 skdebug(__func__, "EC_KEY_generate_key");
103 goto out;
104 }
105 EC_KEY_set_asn1_flag(key, OPENSSL_EC_NAMED_CURVE);
106 if ((bio = BIO_new(BIO_s_mem())) == NULL ||
107 (g = EC_KEY_get0_group(key)) == NULL ||
108 (q = EC_KEY_get0_public_key(key)) == NULL) {
109 skdebug(__func__, "couldn't get key parameters");
110 goto out;
111 }
112 response->public_key_len = EC_POINT_point2oct(g, q,
113 POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
114 if (response->public_key_len == 0 || response->public_key_len > 2048) {
115 skdebug(__func__, "bad pubkey length %zu",
116 response->public_key_len);
117 goto out;
118 }
119 if ((response->public_key = malloc(response->public_key_len)) == NULL) {
120 skdebug(__func__, "malloc pubkey failed");
121 goto out;
122 }
123 if (EC_POINT_point2oct(g, q, POINT_CONVERSION_UNCOMPRESSED,
124 response->public_key, response->public_key_len, NULL) == 0) {
125 skdebug(__func__, "EC_POINT_point2oct failed");
126 goto out;
127 }
128 /* Key handle contains PEM encoded private key */
129 if (!PEM_write_bio_ECPrivateKey(bio, key, NULL, NULL, 0, NULL, NULL)) {
130 skdebug(__func__, "PEM_write_bio_ECPrivateKey failed");
131 goto out;
132 }
133 if ((privlen = BIO_get_mem_data(bio, &privptr)) <= 0) {
134 skdebug(__func__, "BIO_get_mem_data failed");
135 goto out;
136 }
137 if ((response->key_handle = malloc(privlen)) == NULL) {
138 skdebug(__func__, "malloc key_handle failed");
139 goto out;
140 }
141 response->key_handle_len = (size_t)privlen;
142 memcpy(response->key_handle, privptr, response->key_handle_len);
143 /* success */
144 ret = 0;
145 out:
146 if (ret != 0) {
147 if (response->public_key != NULL) {
148 memset(response->public_key, 0,
149 response->public_key_len);
150 free(response->public_key);
151 response->public_key = NULL;
152 }
153 if (response->key_handle != NULL) {
154 memset(response->key_handle, 0,
155 response->key_handle_len);
156 free(response->key_handle);
157 response->key_handle = NULL;
158 }
159 }
160 BIO_free(bio);
161 EC_KEY_free(key);
162 return ret;
163#else
164 return -1;
165#endif
166}
167
168static int
169pack_key_ed25519(struct sk_enroll_response *response)
170{
171 int ret = -1;
172 u_char pk[crypto_sign_ed25519_PUBLICKEYBYTES];
173 u_char sk[crypto_sign_ed25519_SECRETKEYBYTES];
174
175 response->public_key = NULL;
176 response->public_key_len = 0;
177 response->key_handle = NULL;
178 response->key_handle_len = 0;
179
180 memset(pk, 0, sizeof(pk));
181 memset(sk, 0, sizeof(sk));
182 crypto_sign_ed25519_keypair(pk, sk);
183
184 response->public_key_len = sizeof(pk);
185 if ((response->public_key = malloc(response->public_key_len)) == NULL) {
186 skdebug(__func__, "malloc pubkey failed");
187 goto out;
188 }
189 memcpy(response->public_key, pk, sizeof(pk));
190 /* Key handle contains sk */
191 response->key_handle_len = sizeof(sk);
192 if ((response->key_handle = malloc(response->key_handle_len)) == NULL) {
193 skdebug(__func__, "malloc key_handle failed");
194 goto out;
195 }
196 memcpy(response->key_handle, sk, sizeof(sk));
197 /* success */
198 ret = 0;
199 out:
200 if (ret != 0)
201 free(response->public_key);
202 return ret;
203}
204
205static int
206check_options(struct sk_option **options)
207{
208 size_t i;
209
210 if (options == NULL)
211 return 0;
212 for (i = 0; options[i] != NULL; i++) {
213 skdebug(__func__, "requested unsupported option %s",
214 options[i]->name);
215 if (options[i]->required) {
216 skdebug(__func__, "unknown required option");
217 return -1;
218 }
219 }
220 return 0;
221}
222
223int
224sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
225 const char *application, uint8_t flags, const char *pin,
226 struct sk_option **options, struct sk_enroll_response **enroll_response)
227{
228 struct sk_enroll_response *response = NULL;
229 int ret = SSH_SK_ERR_GENERAL;
230
231 (void)flags; /* XXX; unused */
232
233 if (enroll_response == NULL) {
234 skdebug(__func__, "enroll_response == NULL");
235 goto out;
236 }
237 *enroll_response = NULL;
238 if (check_options(options) != 0)
239 goto out; /* error already logged */
240 if ((response = calloc(1, sizeof(*response))) == NULL) {
241 skdebug(__func__, "calloc response failed");
242 goto out;
243 }
244 switch(alg) {
245 case SSH_SK_ECDSA:
246 if (pack_key_ecdsa(response) != 0)
247 goto out;
248 break;
249 case SSH_SK_ED25519:
250 if (pack_key_ed25519(response) != 0)
251 goto out;
252 break;
253 default:
254 skdebug(__func__, "unsupported key type %d", alg);
255 return -1;
256 }
257 /* Have to return something here */
258 if ((response->signature = calloc(1, 1)) == NULL) {
259 skdebug(__func__, "calloc signature failed");
260 goto out;
261 }
262 response->signature_len = 0;
263
264 *enroll_response = response;
265 response = NULL;
266 ret = 0;
267 out:
268 if (response != NULL) {
269 free(response->public_key);
270 free(response->key_handle);
271 free(response->signature);
272 free(response->attestation_cert);
273 free(response);
274 }
275 return ret;
276}
277
278static void
279dump(const char *preamble, const void *sv, size_t l)
280{
281#ifdef SK_DEBUG
282 const u_char *s = (const u_char *)sv;
283 size_t i;
284
285 fprintf(stderr, "%s (len %zu):\n", preamble, l);
286 for (i = 0; i < l; i++) {
287 if (i % 16 == 0)
288 fprintf(stderr, "%04zu: ", i);
289 fprintf(stderr, "%02x", s[i]);
290 if (i % 16 == 15 || i == l - 1)
291 fprintf(stderr, "\n");
292 }
293#endif
294}
295
296static int
297sig_ecdsa(const uint8_t *message, size_t message_len,
298 const char *application, uint32_t counter, uint8_t flags,
299 const uint8_t *key_handle, size_t key_handle_len,
300 struct sk_sign_response *response)
301{
302#ifdef OPENSSL_HAS_ECC
303 ECDSA_SIG *sig = NULL;
304 const BIGNUM *sig_r, *sig_s;
305 int ret = -1;
306 BIO *bio = NULL;
307 EVP_PKEY *pk = NULL;
308 EC_KEY *ec = NULL;
309 SHA256_CTX ctx;
310 uint8_t apphash[SHA256_DIGEST_LENGTH];
311 uint8_t sighash[SHA256_DIGEST_LENGTH];
312 uint8_t countbuf[4];
313
314 /* Decode EC_KEY from key handle */
315 if ((bio = BIO_new(BIO_s_mem())) == NULL ||
316 BIO_write(bio, key_handle, key_handle_len) != (int)key_handle_len) {
317 skdebug(__func__, "BIO setup failed");
318 goto out;
319 }
320 if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, "")) == NULL) {
321 skdebug(__func__, "PEM_read_bio_PrivateKey failed");
322 goto out;
323 }
324 if (EVP_PKEY_base_id(pk) != EVP_PKEY_EC) {
325 skdebug(__func__, "Not an EC key: %d", EVP_PKEY_base_id(pk));
326 goto out;
327 }
328 if ((ec = EVP_PKEY_get1_EC_KEY(pk)) == NULL) {
329 skdebug(__func__, "EVP_PKEY_get1_EC_KEY failed");
330 goto out;
331 }
332 /* Expect message to be pre-hashed */
333 if (message_len != SHA256_DIGEST_LENGTH) {
334 skdebug(__func__, "bad message len %zu", message_len);
335 goto out;
336 }
337 /* Prepare data to be signed */
338 dump("message", message, message_len);
339 SHA256_Init(&ctx);
340 SHA256_Update(&ctx, application, strlen(application));
341 SHA256_Final(apphash, &ctx);
342 dump("apphash", apphash, sizeof(apphash));
343 countbuf[0] = (counter >> 24) & 0xff;
344 countbuf[1] = (counter >> 16) & 0xff;
345 countbuf[2] = (counter >> 8) & 0xff;
346 countbuf[3] = counter & 0xff;
347 dump("countbuf", countbuf, sizeof(countbuf));
348 dump("flags", &flags, sizeof(flags));
349 SHA256_Init(&ctx);
350 SHA256_Update(&ctx, apphash, sizeof(apphash));
351 SHA256_Update(&ctx, &flags, sizeof(flags));
352 SHA256_Update(&ctx, countbuf, sizeof(countbuf));
353 SHA256_Update(&ctx, message, message_len);
354 SHA256_Final(sighash, &ctx);
355 dump("sighash", sighash, sizeof(sighash));
356 /* create and encode signature */
357 if ((sig = ECDSA_do_sign(sighash, sizeof(sighash), ec)) == NULL) {
358 skdebug(__func__, "ECDSA_do_sign failed");
359 goto out;
360 }
361 ECDSA_SIG_get0(sig, &sig_r, &sig_s);
362 response->sig_r_len = BN_num_bytes(sig_r);
363 response->sig_s_len = BN_num_bytes(sig_s);
364 if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL ||
365 (response->sig_s = calloc(1, response->sig_s_len)) == NULL) {
366 skdebug(__func__, "calloc signature failed");
367 goto out;
368 }
369 BN_bn2bin(sig_r, response->sig_r);
370 BN_bn2bin(sig_s, response->sig_s);
371 ret = 0;
372 out:
373 explicit_bzero(&ctx, sizeof(ctx));
374 explicit_bzero(&apphash, sizeof(apphash));
375 explicit_bzero(&sighash, sizeof(sighash));
376 ECDSA_SIG_free(sig);
377 if (ret != 0) {
378 free(response->sig_r);
379 free(response->sig_s);
380 response->sig_r = NULL;
381 response->sig_s = NULL;
382 }
383 BIO_free(bio);
384 EC_KEY_free(ec);
385 EVP_PKEY_free(pk);
386 return ret;
387#else
388 return -1;
389#endif
390}
391
392static int
393sig_ed25519(const uint8_t *message, size_t message_len,
394 const char *application, uint32_t counter, uint8_t flags,
395 const uint8_t *key_handle, size_t key_handle_len,
396 struct sk_sign_response *response)
397{
398 size_t o;
399 int ret = -1;
400 SHA256_CTX ctx;
401 uint8_t apphash[SHA256_DIGEST_LENGTH];
402 uint8_t signbuf[sizeof(apphash) + sizeof(flags) +
403 sizeof(counter) + SHA256_DIGEST_LENGTH];
404 uint8_t sig[crypto_sign_ed25519_BYTES + sizeof(signbuf)];
405 unsigned long long smlen;
406
407 if (key_handle_len != crypto_sign_ed25519_SECRETKEYBYTES) {
408 skdebug(__func__, "bad key handle length %zu", key_handle_len);
409 goto out;
410 }
411 /* Expect message to be pre-hashed */
412 if (message_len != SHA256_DIGEST_LENGTH) {
413 skdebug(__func__, "bad message len %zu", message_len);
414 goto out;
415 }
416 /* Prepare data to be signed */
417 dump("message", message, message_len);
418 SHA256_Init(&ctx);
419 SHA256_Update(&ctx, application, strlen(application));
420 SHA256_Final(apphash, &ctx);
421 dump("apphash", apphash, sizeof(apphash));
422
423 memcpy(signbuf, apphash, sizeof(apphash));
424 o = sizeof(apphash);
425 signbuf[o++] = flags;
426 signbuf[o++] = (counter >> 24) & 0xff;
427 signbuf[o++] = (counter >> 16) & 0xff;
428 signbuf[o++] = (counter >> 8) & 0xff;
429 signbuf[o++] = counter & 0xff;
430 memcpy(signbuf + o, message, message_len);
431 o += message_len;
432 if (o != sizeof(signbuf)) {
433 skdebug(__func__, "bad sign buf len %zu, expected %zu",
434 o, sizeof(signbuf));
435 goto out;
436 }
437 dump("signbuf", signbuf, sizeof(signbuf));
438 /* create and encode signature */
439 smlen = sizeof(signbuf);
440 if (crypto_sign_ed25519(sig, &smlen, signbuf, sizeof(signbuf),
441 key_handle) != 0) {
442 skdebug(__func__, "crypto_sign_ed25519 failed");
443 goto out;
444 }
445 if (smlen <= sizeof(signbuf)) {
446 skdebug(__func__, "bad sign smlen %llu, expected min %zu",
447 smlen, sizeof(signbuf) + 1);
448 goto out;
449 }
450 response->sig_r_len = (size_t)(smlen - sizeof(signbuf));
451 if ((response->sig_r = calloc(1, response->sig_r_len)) == NULL) {
452 skdebug(__func__, "calloc signature failed");
453 goto out;
454 }
455 memcpy(response->sig_r, sig, response->sig_r_len);
456 dump("sig_r", response->sig_r, response->sig_r_len);
457 ret = 0;
458 out:
459 explicit_bzero(&ctx, sizeof(ctx));
460 explicit_bzero(&apphash, sizeof(apphash));
461 explicit_bzero(&signbuf, sizeof(signbuf));
462 explicit_bzero(&sig, sizeof(sig));
463 if (ret != 0) {
464 free(response->sig_r);
465 response->sig_r = NULL;
466 }
467 return ret;
468}
469
470int
471sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
472 const char *application, const uint8_t *key_handle, size_t key_handle_len,
473 uint8_t flags, const char *pin, struct sk_option **options,
474 struct sk_sign_response **sign_response)
475{
476 struct sk_sign_response *response = NULL;
477 int ret = SSH_SK_ERR_GENERAL;
478
479 if (sign_response == NULL) {
480 skdebug(__func__, "sign_response == NULL");
481 goto out;
482 }
483 *sign_response = NULL;
484 if (check_options(options) != 0)
485 goto out; /* error already logged */
486 if ((response = calloc(1, sizeof(*response))) == NULL) {
487 skdebug(__func__, "calloc response failed");
488 goto out;
489 }
490 response->flags = flags;
491 response->counter = 0x12345678;
492 switch(alg) {
493 case SSH_SK_ECDSA:
494 if (sig_ecdsa(message, message_len, application,
495 response->counter, flags, key_handle, key_handle_len,
496 response) != 0)
497 goto out;
498 break;
499 case SSH_SK_ED25519:
500 if (sig_ed25519(message, message_len, application,
501 response->counter, flags, key_handle, key_handle_len,
502 response) != 0)
503 goto out;
504 break;
505 default:
506 skdebug(__func__, "unsupported key type %d", alg);
507 return -1;
508 }
509 *sign_response = response;
510 response = NULL;
511 ret = 0;
512 out:
513 if (response != NULL) {
514 free(response->sig_r);
515 free(response->sig_s);
516 free(response);
517 }
518 return ret;
519}
520
521int
522sk_load_resident_keys(const char *pin, struct sk_option **options,
523 struct sk_resident_key ***rks, size_t *nrks)
524{
525 return SSH_SK_ERR_UNSUPPORTED;
526}
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index b5e604dba..817ddbfa8 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: multiplex.sh,v 1.30 2019/07/05 04:03:13 dtucker Exp $ 1# $OpenBSD: multiplex.sh,v 1.32 2020/01/25 02:57:53 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4make_tmpdir 4make_tmpdir
@@ -6,8 +6,6 @@ CTL=${SSH_REGRESS_TMP}/ctl-sock
6 6
7tid="connection multiplexing" 7tid="connection multiplexing"
8 8
9NC=$OBJ/netcat
10
11trace "will use ProxyCommand $proxycmd" 9trace "will use ProxyCommand $proxycmd"
12if config_defined DISABLE_FD_PASSING ; then 10if config_defined DISABLE_FD_PASSING ; then
13 echo "skipped (not supported on this platform)" 11 echo "skipped (not supported on this platform)"
@@ -18,7 +16,7 @@ P=3301 # test port
18 16
19wait_for_mux_master_ready() 17wait_for_mux_master_ready()
20{ 18{
21 for i in 1 2 3 4 5; do 19 for i in 1 2 3 4 5 6 7 8 9; do
22 ${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost \ 20 ${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost \
23 >/dev/null 2>&1 && return 0 21 >/dev/null 2>&1 && return 0
24 sleep $i 22 sleep $i
diff --git a/regress/multipubkey.sh b/regress/multipubkey.sh
index 4d443ec45..9b2273353 100644
--- a/regress/multipubkey.sh
+++ b/regress/multipubkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: multipubkey.sh,v 1.2 2018/10/31 11:09:27 dtucker Exp $ 1# $OpenBSD: multipubkey.sh,v 1.3 2019/12/11 18:47:14 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="multiple pubkey" 4tid="multiple pubkey"
@@ -31,7 +31,7 @@ grep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy
31opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes" 31opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
32opts="$opts -i $OBJ/cert_user_key1 -i $OBJ/user_key1 -i $OBJ/user_key2" 32opts="$opts -i $OBJ/cert_user_key1 -i $OBJ/user_key1 -i $OBJ/user_key2"
33 33
34for privsep in yes sandbox ; do 34for privsep in yes ; do
35 ( 35 (
36 grep -v "Protocol" $OBJ/sshd_proxy.orig 36 grep -v "Protocol" $OBJ/sshd_proxy.orig
37 echo "Protocol 2" 37 echo "Protocol 2"
diff --git a/regress/netcat.c b/regress/netcat.c
index 56bd09de5..2d86818e2 100644
--- a/regress/netcat.c
+++ b/regress/netcat.c
@@ -1181,11 +1181,13 @@ set_common_sockopts(int s)
1181 &x, sizeof(x)) == -1) 1181 &x, sizeof(x)) == -1)
1182 err(1, "setsockopt"); 1182 err(1, "setsockopt");
1183 } 1183 }
1184#ifdef IP_TOS
1184 if (Tflag != -1) { 1185 if (Tflag != -1) {
1185 if (setsockopt(s, IPPROTO_IP, IP_TOS, 1186 if (setsockopt(s, IPPROTO_IP, IP_TOS,
1186 &Tflag, sizeof(Tflag)) == -1) 1187 &Tflag, sizeof(Tflag)) == -1)
1187 err(1, "set IP ToS"); 1188 err(1, "set IP ToS");
1188 } 1189 }
1190#endif
1189 if (Iflag) { 1191 if (Iflag) {
1190 if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, 1192 if (setsockopt(s, SOL_SOCKET, SO_RCVBUF,
1191 &Iflag, sizeof(Iflag)) == -1) 1193 &Iflag, sizeof(Iflag)) == -1)
@@ -1201,6 +1203,7 @@ set_common_sockopts(int s)
1201int 1203int
1202map_tos(char *s, int *val) 1204map_tos(char *s, int *val)
1203{ 1205{
1206#ifdef IP_TOS
1204 /* DiffServ Codepoints and other TOS mappings */ 1207 /* DiffServ Codepoints and other TOS mappings */
1205 const struct toskeywords { 1208 const struct toskeywords {
1206 const char *keyword; 1209 const char *keyword;
@@ -1242,6 +1245,7 @@ map_tos(char *s, int *val)
1242 return (1); 1245 return (1);
1243 } 1246 }
1244 } 1247 }
1248#endif
1245 1249
1246 return (0); 1250 return (0);
1247} 1251}
diff --git a/regress/principals-command.sh b/regress/principals-command.sh
index 7d380325b..5e535c133 100644
--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: principals-command.sh,v 1.7 2019/09/06 04:24:06 dtucker Exp $ 1# $OpenBSD: principals-command.sh,v 1.11 2019/12/16 02:39:05 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="authorized principals command" 4tid="authorized principals command"
@@ -12,7 +12,7 @@ if [ -z "$SUDO" -a ! -w /var/run ]; then
12 exit 0 12 exit 0
13fi 13fi
14 14
15case "`${SSH} -Q key-plain`" in 15case "$SSH_KEYTYPES" in
16 *ssh-rsa*) userkeytype=rsa ;; 16 *ssh-rsa*) userkeytype=rsa ;;
17 *) userkeytype=ed25519 ;; 17 *) userkeytype=ed25519 ;;
18esac 18esac
@@ -63,7 +63,7 @@ fi
63 63
64if [ -x $PRINCIPALS_COMMAND ]; then 64if [ -x $PRINCIPALS_COMMAND ]; then
65 # Test explicitly-specified principals 65 # Test explicitly-specified principals
66 for privsep in yes sandbox ; do 66 for privsep in yes ; do
67 _prefix="privsep $privsep" 67 _prefix="privsep $privsep"
68 68
69 # Setup for AuthorizedPrincipalsCommand 69 # Setup for AuthorizedPrincipalsCommand
diff --git a/regress/proxy-connect.sh b/regress/proxy-connect.sh
index 39bbd3c96..8847fe0c6 100644
--- a/regress/proxy-connect.sh
+++ b/regress/proxy-connect.sh
@@ -1,9 +1,15 @@
1# $OpenBSD: proxy-connect.sh,v 1.11 2017/09/26 22:39:25 dtucker Exp $ 1# $OpenBSD: proxy-connect.sh,v 1.12 2020/01/23 11:19:12 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="proxy connect" 4tid="proxy connect"
5 5
6for c in no yes; do 6if [ "`${SSH} -Q compression`" = "none" ]; then
7 comp="no"
8else
9 comp="no yes"
10fi
11
12for c in $comp; do
7 verbose "plain username comp=$c" 13 verbose "plain username comp=$c"
8 opts="-oCompression=$c -F $OBJ/ssh_proxy" 14 opts="-oCompression=$c -F $OBJ/ssh_proxy"
9 SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'` 15 SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'`
diff --git a/regress/putty-ciphers.sh b/regress/putty-ciphers.sh
index 191a2bda8..708c288d7 100644
--- a/regress/putty-ciphers.sh
+++ b/regress/putty-ciphers.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: putty-ciphers.sh,v 1.6 2017/05/08 01:52:49 djm Exp $ 1# $OpenBSD: putty-ciphers.sh,v 1.7 2020/01/23 03:35:07 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="putty ciphers" 4tid="putty ciphers"
@@ -8,7 +8,7 @@ if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
8 exit 0 8 exit 0
9fi 9fi
10 10
11for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do 11for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
12 verbose "$tid: cipher $c" 12 verbose "$tid: cipher $c"
13 cp ${OBJ}/.putty/sessions/localhost_proxy \ 13 cp ${OBJ}/.putty/sessions/localhost_proxy \
14 ${OBJ}/.putty/sessions/cipher_$c 14 ${OBJ}/.putty/sessions/cipher_$c
diff --git a/regress/putty-kex.sh b/regress/putty-kex.sh
index 71c09701b..686d0e1af 100644
--- a/regress/putty-kex.sh
+++ b/regress/putty-kex.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: putty-kex.sh,v 1.4 2016/11/25 03:02:01 dtucker Exp $ 1# $OpenBSD: putty-kex.sh,v 1.5 2020/01/23 03:24:38 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="putty KEX" 4tid="putty KEX"
@@ -8,7 +8,7 @@ if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
8 exit 0 8 exit 0
9fi 9fi
10 10
11for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do 11for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
12 verbose "$tid: kex $k" 12 verbose "$tid: kex $k"
13 cp ${OBJ}/.putty/sessions/localhost_proxy \ 13 cp ${OBJ}/.putty/sessions/localhost_proxy \
14 ${OBJ}/.putty/sessions/kex_$k 14 ${OBJ}/.putty/sessions/kex_$k
diff --git a/regress/putty-transfer.sh b/regress/putty-transfer.sh
index 4928d4533..14b41022f 100644
--- a/regress/putty-transfer.sh
+++ b/regress/putty-transfer.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: putty-transfer.sh,v 1.6 2018/02/23 03:03:00 djm Exp $ 1# $OpenBSD: putty-transfer.sh,v 1.7 2020/01/23 11:19:12 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="putty transfer data" 4tid="putty transfer data"
@@ -8,7 +8,13 @@ if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
8 exit 0 8 exit 0
9fi 9fi
10 10
11for c in 0 1 ; do 11if [ "`${SSH} -Q compression`" = "none" ]; then
12 comp="0"
13else
14 comp="0 1"
15fi
16
17for c in $comp; do
12 verbose "$tid: compression $c" 18 verbose "$tid: compression $c"
13 rm -f ${COPY} 19 rm -f ${COPY}
14 cp ${OBJ}/.putty/sessions/localhost_proxy \ 20 cp ${OBJ}/.putty/sessions/localhost_proxy \
diff --git a/regress/servcfginclude.sh b/regress/servcfginclude.sh
new file mode 100644
index 000000000..b25c8faa8
--- /dev/null
+++ b/regress/servcfginclude.sh
@@ -0,0 +1,154 @@
1# Placed in the Public Domain.
2
3tid="server config include"
4
5cat > $OBJ/sshd_config.i << _EOF
6HostKey $OBJ/host.ssh-ed25519
7Match host a
8 Banner /aa
9
10Match host b
11 Banner /bb
12 Include $OBJ/sshd_config.i.*
13
14Match host c
15 Include $OBJ/sshd_config.i.*
16 Banner /cc
17
18Match host m
19 Include $OBJ/sshd_config.i.*
20
21Match Host d
22 Banner /dd
23
24Match Host e
25 Banner /ee
26 Include $OBJ/sshd_config.i.*
27
28Match Host f
29 Include $OBJ/sshd_config.i.*
30 Banner /ff
31
32Match Host n
33 Include $OBJ/sshd_config.i.*
34_EOF
35
36cat > $OBJ/sshd_config.i.0 << _EOF
37Match host xxxxxx
38_EOF
39
40cat > $OBJ/sshd_config.i.1 << _EOF
41Match host a
42 Banner /aaa
43
44Match host b
45 Banner /bbb
46
47Match host c
48 Banner /ccc
49
50Match Host d
51 Banner /ddd
52
53Match Host e
54 Banner /eee
55
56Match Host f
57 Banner /fff
58_EOF
59
60cat > $OBJ/sshd_config.i.2 << _EOF
61Match host a
62 Banner /aaaa
63
64Match host b
65 Banner /bbbb
66
67Match host c
68 Banner /cccc
69
70Match Host d
71 Banner /dddd
72
73Match Host e
74 Banner /eeee
75
76Match Host f
77 Banner /ffff
78
79Match all
80 Banner /xxxx
81_EOF
82
83trial() {
84 _host="$1"
85 _exp="$2"
86 _desc="$3"
87 test -z "$_desc" && _desc="test match"
88 trace "$_desc host=$_host expect=$_exp"
89 ${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i -T \
90 -C "host=$_host,user=test,addr=127.0.0.1" > $OBJ/sshd_config.out ||
91 fatal "ssh config parse failed: $_desc host=$_host expect=$_exp"
92 _got=`grep -i '^banner ' $OBJ/sshd_config.out | awk '{print $2}'`
93 if test "x$_exp" != "x$_got" ; then
94 fail "$desc_ host $_host include fail: expected $_exp got $_got"
95 fi
96}
97
98trial a /aa
99trial b /bb
100trial c /ccc
101trial d /dd
102trial e /ee
103trial f /fff
104trial m /xxxx
105trial n /xxxx
106trial x none
107
108# Prepare an included config with an error.
109
110cat > $OBJ/sshd_config.i.3 << _EOF
111Banner xxxx
112 Junk
113_EOF
114
115trace "disallow invalid config host=a"
116${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i \
117 -C "host=a,user=test,addr=127.0.0.1" 2>/dev/null && \
118 fail "sshd include allowed invalid config"
119
120trace "disallow invalid config host=x"
121${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i \
122 -C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \
123 fail "sshd include allowed invalid config"
124
125rm -f $OBJ/sshd_config.i.*
126
127# Ensure that a missing include is not fatal.
128cat > $OBJ/sshd_config.i << _EOF
129HostKey $OBJ/host.ssh-ed25519
130Include $OBJ/sshd_config.i.*
131Banner /aa
132_EOF
133
134trial a /aa "missing include non-fatal"
135
136# Ensure that Match/Host in an included config does not affect parent.
137cat > $OBJ/sshd_config.i.x << _EOF
138Match host x
139_EOF
140
141trial a /aa "included file does not affect match state"
142
143# Ensure the empty include directive is not accepted
144cat > $OBJ/sshd_config.i.x << _EOF
145Include
146_EOF
147
148trace "disallow invalid with no argument"
149${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x \
150 -C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \
151 fail "sshd allowed Include with no argument"
152
153# cleanup
154rm -f $OBJ/sshd_config.i $OBJ/sshd_config.i.* $OBJ/sshd_config.out
diff --git a/regress/ssh2putty.sh b/regress/ssh2putty.sh
index bcf83afe9..dcb975d95 100755
--- a/regress/ssh2putty.sh
+++ b/regress/ssh2putty.sh
@@ -1,5 +1,5 @@
1#!/bin/sh 1#!/bin/sh
2# $OpenBSD: ssh2putty.sh,v 1.3 2015/05/08 07:26:13 djm Exp $ 2# $OpenBSD: ssh2putty.sh,v 1.5 2019/11/21 05:18:47 tb Exp $
3 3
4if test "x$1" = "x" -o "x$2" = "x" -o "x$3" = "x" ; then 4if test "x$1" = "x" -o "x$2" = "x" -o "x$3" = "x" ; then
5 echo "Usage: ssh2putty hostname port ssh-private-key" 5 echo "Usage: ssh2putty hostname port ssh-private-key"
diff --git a/regress/sshcfgparse.sh b/regress/sshcfgparse.sh
index 2c00b64ef..fc72a0a71 100644
--- a/regress/sshcfgparse.sh
+++ b/regress/sshcfgparse.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: sshcfgparse.sh,v 1.5 2019/07/23 13:32:48 dtucker Exp $ 1# $OpenBSD: sshcfgparse.sh,v 1.6 2019/12/21 02:33:07 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="ssh config parse" 4tid="ssh config parse"
@@ -94,5 +94,15 @@ if [ "$dsa" = "1" ]; then
94 expect_result_absent "$f" "ssh-dss-cert-v01.*" 94 expect_result_absent "$f" "ssh-dss-cert-v01.*"
95fi 95fi
96 96
97verbose "agentforwarding"
98f=`${SSH} -GF none host | awk '/^forwardagent /{print$2}'`
99expect_result_present "$f" "no"
100f=`${SSH} -GF none -oforwardagent=no host | awk '/^forwardagent /{print$2}'`
101expect_result_present "$f" "no"
102f=`${SSH} -GF none -oforwardagent=yes host | awk '/^forwardagent /{print$2}'`
103expect_result_present "$f" "yes"
104f=`${SSH} -GF none '-oforwardagent=SSH_AUTH_SOCK.forward' host | awk '/^forwardagent /{print$2}'`
105expect_result_present "$f" "SSH_AUTH_SOCK.forward"
106
97# cleanup 107# cleanup
98rm -f $OBJ/ssh_config.[012] 108rm -f $OBJ/ssh_config.[012]
diff --git a/regress/sshsig.sh b/regress/sshsig.sh
index eb99486ae..da362c179 100644
--- a/regress/sshsig.sh
+++ b/regress/sshsig.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: sshsig.sh,v 1.2 2019/10/04 03:39:19 djm Exp $ 1# $OpenBSD: sshsig.sh,v 1.3 2019/11/26 23:43:10 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="sshsig" 4tid="sshsig"
@@ -23,7 +23,7 @@ CA_PRIV=$OBJ/sigca-key
23CA_PUB=$OBJ/sigca-key.pub 23CA_PUB=$OBJ/sigca-key.pub
24 24
25trace "start agent" 25trace "start agent"
26eval `${SSHAGENT} -s` > /dev/null 26eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
27r=$? 27r=$?
28if [ $r -ne 0 ]; then 28if [ $r -ne 0 ]; then
29 fatal "could not start ssh-agent: exit code $r" 29 fatal "could not start ssh-agent: exit code $r"
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 5e48bfbe3..a3a40719f 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: test-exec.sh,v 1.66 2019/07/05 04:12:46 dtucker Exp $ 1# $OpenBSD: test-exec.sh,v 1.75 2020/01/31 23:25:08 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4#SUDO=sudo 4#SUDO=sudo
@@ -80,6 +80,9 @@ PLINK=plink
80PUTTYGEN=puttygen 80PUTTYGEN=puttygen
81CONCH=conch 81CONCH=conch
82 82
83# Tools used by multiple tests
84NC=$OBJ/netcat
85
83if [ "x$TEST_SSH_SSH" != "x" ]; then 86if [ "x$TEST_SSH_SSH" != "x" ]; then
84 SSH="${TEST_SSH_SSH}" 87 SSH="${TEST_SSH_SSH}"
85fi 88fi
@@ -128,6 +131,12 @@ if [ "x$TEST_SSH_CONCH" != "x" ]; then
128 *) CONCH=`which ${TEST_SSH_CONCH} 2>/dev/null` ;; 131 *) CONCH=`which ${TEST_SSH_CONCH} 2>/dev/null` ;;
129 esac 132 esac
130fi 133fi
134if [ "x$TEST_SSH_PKCS11_HELPER" != "x" ]; then
135 SSH_PKCS11_HELPER="${TEST_SSH_PKCS11_HELPER}"
136fi
137if [ "x$TEST_SSH_SK_HELPER" != "x" ]; then
138 SSH_SK_HELPER="${TEST_SSH_SK_HELPER}"
139fi
131 140
132# Path to sshd must be absolute for rexec 141# Path to sshd must be absolute for rexec
133case "$SSHD" in 142case "$SSHD" in
@@ -230,6 +239,7 @@ echo "exec ${SSH} -E${TEST_SSH_LOGFILE} "'"$@"' >>$SSHLOGWRAP
230 239
231chmod a+rx $OBJ/ssh-log-wrapper.sh 240chmod a+rx $OBJ/ssh-log-wrapper.sh
232REAL_SSH="$SSH" 241REAL_SSH="$SSH"
242REAL_SSHD="$SSHD"
233SSH="$SSHLOGWRAP" 243SSH="$SSHLOGWRAP"
234 244
235# Some test data. We make a copy because some tests will overwrite it. 245# Some test data. We make a copy because some tests will overwrite it.
@@ -252,6 +262,7 @@ increase_datafile_size()
252 262
253# these should be used in tests 263# these should be used in tests
254export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP 264export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
265export SSH_PKCS11_HELPER SSH_SK_HELPER
255#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP 266#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP
256 267
257# Portable specific functions 268# Portable specific functions
@@ -437,6 +448,31 @@ EOF
437# be abused to locally escalate privileges. 448# be abused to locally escalate privileges.
438if [ ! -z "$TEST_SSH_UNSAFE_PERMISSIONS" ]; then 449if [ ! -z "$TEST_SSH_UNSAFE_PERMISSIONS" ]; then
439 echo "StrictModes no" >> $OBJ/sshd_config 450 echo "StrictModes no" >> $OBJ/sshd_config
451else
452 # check and warn if excessive permissions are likely to cause failures.
453 unsafe=""
454 dir="${OBJ}"
455 while test ${dir} != "/"; do
456 if test -d "${dir}" && ! test -h "${dir}"; then
457 perms=`ls -ld ${dir}`
458 case "${perms}" in
459 ?????w????*|????????w?*) unsafe="${unsafe} ${dir}" ;;
460 esac
461 fi
462 dir=`dirname ${dir}`
463 done
464 if ! test -z "${unsafe}"; then
465 cat <<EOD
466
467WARNING: Unsafe (group or world writable) directory permissions found:
468${unsafe}
469
470These could be abused to locally escalate privileges. If you are
471sure that this is not a risk (eg there are no other users), you can
472bypass this check by setting TEST_SSH_UNSAFE_PERMISSIONS=1
473
474EOD
475 fi
440fi 476fi
441 477
442if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then 478if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then
@@ -475,8 +511,33 @@ fi
475 511
476rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER 512rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER
477 513
478SSH_KEYTYPES=`$SSH -Q key-plain` 514SSH_SK_PROVIDER=
515if [ -f "${SRC}/misc/sk-dummy/obj/sk-dummy.so" ] ; then
516 SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/obj/sk-dummy.so"
517elif [ -f "${SRC}/misc/sk-dummy/sk-dummy.so" ] ; then
518 SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/sk-dummy.so"
519fi
520export SSH_SK_PROVIDER
521
522if ! test -z "$SSH_SK_PROVIDER"; then
523 EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)...
524 echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config
525 echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_config
526 echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_proxy
527fi
528export EXTRA_AGENT_ARGS
529
530maybe_filter_sk() {
531 if test -z "$SSH_SK_PROVIDER" ; then
532 grep -v ^sk
533 else
534 cat
535 fi
536}
479 537
538SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk`
539SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk`
540
480for t in ${SSH_KEYTYPES}; do 541for t in ${SSH_KEYTYPES}; do
481 # generate user key 542 # generate user key
482 trace "generating key type $t" 543 trace "generating key type $t"
@@ -486,16 +547,18 @@ for t in ${SSH_KEYTYPES}; do
486 fail "ssh-keygen for $t failed" 547 fail "ssh-keygen for $t failed"
487 fi 548 fi
488 549
550 # setup authorized keys
551 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
552 echo IdentityFile $OBJ/$t >> $OBJ/ssh_config
553done
554
555for t in ${SSH_HOSTKEY_TYPES}; do
489 # known hosts file for client 556 # known hosts file for client
490 ( 557 (
491 printf 'localhost-with-alias,127.0.0.1,::1 ' 558 printf 'localhost-with-alias,127.0.0.1,::1 '
492 cat $OBJ/$t.pub 559 cat $OBJ/$t.pub
493 ) >> $OBJ/known_hosts 560 ) >> $OBJ/known_hosts
494 561
495 # setup authorized keys
496 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
497 echo IdentityFile $OBJ/$t >> $OBJ/ssh_config
498
499 # use key as host key, too 562 # use key as host key, too
500 $SUDO cp $OBJ/$t $OBJ/host.$t 563 $SUDO cp $OBJ/$t $OBJ/host.$t
501 echo HostKey $OBJ/host.$t >> $OBJ/sshd_config 564 echo HostKey $OBJ/host.$t >> $OBJ/sshd_config
@@ -576,7 +639,7 @@ fi
576# create a proxy version of the client config 639# create a proxy version of the client config
577( 640(
578 cat $OBJ/ssh_config 641 cat $OBJ/ssh_config
579 echo proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy 642 echo proxycommand ${SUDO} env SSH_SK_HELPER=\"$SSH_SK_HELPER\" sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy
580) > $OBJ/ssh_proxy 643) > $OBJ/ssh_proxy
581 644
582# check proxy config 645# check proxy config
@@ -586,7 +649,8 @@ start_sshd ()
586{ 649{
587 # start sshd 650 # start sshd
588 $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken" 651 $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken"
589 $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -E$TEST_SSHD_LOGFILE 652 $SUDO env SSH_SK_HELPER="$SSH_SK_HELPER" \
653 ${SSHD} -f $OBJ/sshd_config "$@" -E$TEST_SSHD_LOGFILE
590 654
591 trace "wait for sshd" 655 trace "wait for sshd"
592 i=0; 656 i=0;
diff --git a/regress/unittests/Makefile.inc b/regress/unittests/Makefile.inc
index 428ef6836..370224aa5 100644
--- a/regress/unittests/Makefile.inc
+++ b/regress/unittests/Makefile.inc
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile.inc,v 1.13 2018/10/17 23:28:05 djm Exp $ 1# $OpenBSD: Makefile.inc,v 1.14 2019/11/25 10:32:35 djm Exp $
2 2
3REGRESS_FAIL_EARLY?= yes 3REGRESS_FAIL_EARLY?= yes
4 4
@@ -74,6 +74,9 @@ LDADD+= -lcrypto
74DPADD+= ${LIBCRYPTO} 74DPADD+= ${LIBCRYPTO}
75.endif 75.endif
76 76
77LDADD+= -lfido2 -lcbor -lusbhid
78DPADD+= ${LIBFIDO2} ${LIBCBOR} ${LIBUSBHID}
79
77UNITTEST_ARGS?= 80UNITTEST_ARGS?=
78 81
79.if (${UNITTEST_VERBOSE:L} != "no") 82.if (${UNITTEST_VERBOSE:L} != "no")
diff --git a/regress/unittests/authopt/Makefile b/regress/unittests/authopt/Makefile
new file mode 100644
index 000000000..492092fc6
--- /dev/null
+++ b/regress/unittests/authopt/Makefile
@@ -0,0 +1,26 @@
1# $OpenBSD: Makefile,v 1.4 2020/01/26 00:09:50 djm Exp $
2
3PROG=test_authopt
4SRCS=tests.c
5
6SRCS+=auth-options.c
7
8# From usr.bin/ssh
9SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c
10SRCS+=sshbuf-io.c atomicio.c sshkey.c authfile.c cipher.c log.c ssh-rsa.c
11SRCS+=ssh-dss.c ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c
12SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c
13SRCS+=addrmatch.c bitmap.c
14SRCS+=ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c
15SRCS+=cipher-chachapoly.c chacha.c poly1305.c ssh-ecdsa-sk.c ssh-sk.c
16SRCS+=ssh-ed25519-sk.c sk-usbhid.c
17
18SRCS+=digest-openssl.c
19#SRCS+=digest-libc.c
20
21REGRESS_TARGETS=run-regress-${PROG}
22
23run-regress-${PROG}: ${PROG}
24 env ${TEST_ENV} ./${PROG} -d ${.CURDIR}/testdata
25
26.include <bsd.regress.mk>
diff --git a/regress/unittests/hostkeys/Makefile b/regress/unittests/hostkeys/Makefile
index 336885122..c0a893135 100644
--- a/regress/unittests/hostkeys/Makefile
+++ b/regress/unittests/hostkeys/Makefile
@@ -1,16 +1,17 @@
1# $OpenBSD: Makefile,v 1.4 2017/12/21 00:41:22 djm Exp $ 1# $OpenBSD: Makefile,v 1.7 2020/01/26 00:09:50 djm Exp $
2 2
3PROG=test_hostkeys 3PROG=test_hostkeys
4SRCS=tests.c test_iterate.c 4SRCS=tests.c test_iterate.c
5 5
6# From usr.bin/ssh 6# From usr.bin/ssh
7SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c 7SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c
8SRCS+=atomicio.c sshkey.c authfile.c cipher.c log.c ssh-rsa.c ssh-dss.c 8SRCS+=sshbuf-io.c atomicio.c sshkey.c authfile.c cipher.c log.c ssh-rsa.c
9SRCS+=ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c 9SRCS+=ssh-dss.c ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c
10SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c 10SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c
11SRCS+=addrmatch.c bitmap.c hostfile.c 11SRCS+=addrmatch.c bitmap.c hostfile.c
12SRCS+=ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c 12SRCS+=ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c
13SRCS+=cipher-chachapoly.c chacha.c poly1305.c 13SRCS+=cipher-chachapoly.c chacha.c poly1305.c ssh-ecdsa-sk.c ssh-sk.c
14SRCS+=ssh-ed25519-sk.c sk-usbhid.c
14 15
15SRCS+=digest-openssl.c 16SRCS+=digest-openssl.c
16#SRCS+=digest-libc.c 17#SRCS+=digest-libc.c
diff --git a/regress/unittests/kex/Makefile b/regress/unittests/kex/Makefile
index 7b4c644e5..648006c78 100644
--- a/regress/unittests/kex/Makefile
+++ b/regress/unittests/kex/Makefile
@@ -1,16 +1,17 @@
1# $OpenBSD: Makefile,v 1.6 2019/01/21 12:35:20 djm Exp $ 1# $OpenBSD: Makefile,v 1.9 2020/01/26 00:09:50 djm Exp $
2 2
3PROG=test_kex 3PROG=test_kex
4SRCS=tests.c test_kex.c 4SRCS=tests.c test_kex.c
5 5
6# From usr.bin/ssh 6# From usr.bin/ssh
7SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c 7SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c
8SRCS+=atomicio.c sshkey.c authfile.c cipher.c log.c ssh-rsa.c ssh-dss.c 8SRCS+=sshbuf-io.c atomicio.c sshkey.c authfile.c cipher.c log.c ssh-rsa.c
9SRCS+=ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c 9SRCS+=ssh-dss.c ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c
10SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c 10SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c
11SRCS+=addrmatch.c bitmap.c packet.c dispatch.c canohost.c ssh_api.c 11SRCS+=addrmatch.c bitmap.c packet.c dispatch.c canohost.c ssh_api.c
12SRCS+=compat.c ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c 12SRCS+=compat.c ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c
13SRCS+=cipher-chachapoly.c chacha.c poly1305.c 13SRCS+=cipher-chachapoly.c chacha.c poly1305.c ssh-ecdsa-sk.c ssh-sk.c
14SRCS+=ssh-ed25519-sk.c sk-usbhid.c
14 15
15SRCS+= kex.c 16SRCS+= kex.c
16SRCS+= dh.c 17SRCS+= dh.c
diff --git a/regress/unittests/misc/Makefile b/regress/unittests/misc/Makefile
new file mode 100644
index 000000000..06e954cb8
--- /dev/null
+++ b/regress/unittests/misc/Makefile
@@ -0,0 +1,16 @@
1# $OpenBSD: Makefile,v 1.1 2019/04/28 22:53:26 dtucker Exp $
2
3PROG=test_misc
4SRCS=tests.c
5
6# From usr.bin/ssh/Makefile.inc
7SRCS+=sshbuf.c sshbuf-getput-basic.c ssherr.c log.c xmalloc.c misc.c
8# From usr/bin/ssh/sshd/Makefile
9SRCS+=atomicio.c cleanup.c fatal.c
10
11REGRESS_TARGETS=run-regress-${PROG}
12
13run-regress-${PROG}: ${PROG}
14 env ${TEST_ENV} ./${PROG}
15
16.include <bsd.regress.mk>
diff --git a/regress/unittests/misc/tests.c b/regress/unittests/misc/tests.c
new file mode 100644
index 000000000..ed775ebbd
--- /dev/null
+++ b/regress/unittests/misc/tests.c
@@ -0,0 +1,79 @@
1/* $OpenBSD: tests.c,v 1.1 2019/04/28 22:53:26 dtucker Exp $ */
2/*
3 * Regress test for misc helper functions.
4 *
5 * Placed in the public domain.
6 */
7
8#include <sys/types.h>
9#include <sys/param.h>
10#include <stdio.h>
11#include <stdint.h>
12#include <stdlib.h>
13#include <string.h>
14
15#include "test_helper.h"
16
17#include "misc.h"
18
19void
20tests(void)
21{
22 int port;
23 char *user, *host, *path;
24
25 TEST_START("misc_parse_user_host_path");
26 ASSERT_INT_EQ(parse_user_host_path("someuser@some.host:some/path",
27 &user, &host, &path), 0);
28 ASSERT_STRING_EQ(user, "someuser");
29 ASSERT_STRING_EQ(host, "some.host");
30 ASSERT_STRING_EQ(path, "some/path");
31 free(user); free(host); free(path);
32 TEST_DONE();
33
34 TEST_START("misc_parse_user_ipv4_path");
35 ASSERT_INT_EQ(parse_user_host_path("someuser@1.22.33.144:some/path",
36 &user, &host, &path), 0);
37 ASSERT_STRING_EQ(user, "someuser");
38 ASSERT_STRING_EQ(host, "1.22.33.144");
39 ASSERT_STRING_EQ(path, "some/path");
40 free(user); free(host); free(path);
41 TEST_DONE();
42
43 TEST_START("misc_parse_user_[ipv4]_path");
44 ASSERT_INT_EQ(parse_user_host_path("someuser@[1.22.33.144]:some/path",
45 &user, &host, &path), 0);
46 ASSERT_STRING_EQ(user, "someuser");
47 ASSERT_STRING_EQ(host, "1.22.33.144");
48 ASSERT_STRING_EQ(path, "some/path");
49 free(user); free(host); free(path);
50 TEST_DONE();
51
52 TEST_START("misc_parse_user_[ipv4]_nopath");
53 ASSERT_INT_EQ(parse_user_host_path("someuser@[1.22.33.144]:",
54 &user, &host, &path), 0);
55 ASSERT_STRING_EQ(user, "someuser");
56 ASSERT_STRING_EQ(host, "1.22.33.144");
57 ASSERT_STRING_EQ(path, ".");
58 free(user); free(host); free(path);
59 TEST_DONE();
60
61 TEST_START("misc_parse_user_ipv6_path");
62 ASSERT_INT_EQ(parse_user_host_path("someuser@[::1]:some/path",
63 &user, &host, &path), 0);
64 ASSERT_STRING_EQ(user, "someuser");
65 ASSERT_STRING_EQ(host, "::1");
66 ASSERT_STRING_EQ(path, "some/path");
67 free(user); free(host); free(path);
68 TEST_DONE();
69
70 TEST_START("misc_parse_uri");
71 ASSERT_INT_EQ(parse_uri("ssh", "ssh://someuser@some.host:22/some/path",
72 &user, &host, &port, &path), 0);
73 ASSERT_STRING_EQ(user, "someuser");
74 ASSERT_STRING_EQ(host, "some.host");
75 ASSERT_INT_EQ(port, 22);
76 ASSERT_STRING_EQ(path, "some/path");
77 free(user); free(host); free(path);
78 TEST_DONE();
79}
diff --git a/regress/unittests/sshbuf/Makefile b/regress/unittests/sshbuf/Makefile
index 0e8e9fd10..5f6c4426a 100644
--- a/regress/unittests/sshbuf/Makefile
+++ b/regress/unittests/sshbuf/Makefile
@@ -1,6 +1,6 @@
1# $OpenBSD: Makefile,v 1.7 2018/10/17 23:28:05 djm Exp $ 1# $OpenBSD: Makefile,v 1.8 2020/01/26 00:09:50 djm Exp $
2 2
3.include <bsd.regress.mk> 3# $OpenBSD: Makefile,v 1.8 2020/01/26 00:09:50 djm Exp $
4 4
5PROG=test_sshbuf 5PROG=test_sshbuf
6SRCS=tests.c 6SRCS=tests.c
@@ -14,7 +14,7 @@ SRCS+=test_sshbuf_fixed.c
14 14
15# From usr.bin/ssh 15# From usr.bin/ssh
16SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c 16SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c
17SRCS+=atomicio.c 17SRCS+=sshbuf-io.c atomicio.c misc.c xmalloc.c log.c fatal.c ssherr.c cleanup.c
18 18
19run-regress-${PROG}: ${PROG} 19run-regress-${PROG}: ${PROG}
20 env ${TEST_ENV} ./${PROG} ${UNITTEST_ARGS} 20 env ${TEST_ENV} ./${PROG} ${UNITTEST_ARGS}
diff --git a/regress/unittests/sshkey/Makefile b/regress/unittests/sshkey/Makefile
index aa731df1c..78b2cf0ce 100644
--- a/regress/unittests/sshkey/Makefile
+++ b/regress/unittests/sshkey/Makefile
@@ -1,16 +1,17 @@
1# $OpenBSD: Makefile,v 1.6 2018/10/17 23:28:05 djm Exp $ 1# $OpenBSD: Makefile,v 1.9 2020/01/26 00:09:50 djm Exp $
2 2
3PROG=test_sshkey 3PROG=test_sshkey
4SRCS=tests.c test_sshkey.c test_file.c test_fuzz.c common.c 4SRCS=tests.c test_sshkey.c test_file.c test_fuzz.c common.c
5 5
6# From usr.bin/ssh 6# From usr.bin/ssh
7SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c 7SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c
8SRCS+=atomicio.c sshkey.c authfile.c cipher.c log.c ssh-rsa.c ssh-dss.c 8SRCS+=sshbuf-io.c atomicio.c sshkey.c authfile.c cipher.c log.c ssh-rsa.c
9SRCS+=ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c 9SRCS+=ssh-dss.c ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c
10SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c 10SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c
11SRCS+=addrmatch.c bitmap.c 11SRCS+=addrmatch.c bitmap.c
12SRCS+=ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c 12SRCS+=ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c
13SRCS+=cipher-chachapoly.c chacha.c poly1305.c 13SRCS+=cipher-chachapoly.c chacha.c poly1305.c ssh-ecdsa-sk.c ssh-sk.c
14SRCS+=ssh-ed25519-sk.c sk-usbhid.c
14 15
15SRCS+=digest-openssl.c 16SRCS+=digest-openssl.c
16#SRCS+=digest-libc.c 17#SRCS+=digest-libc.c
diff --git a/regress/unittests/sshkey/common.c b/regress/unittests/sshkey/common.c
index e21638093..effea578c 100644
--- a/regress/unittests/sshkey/common.c
+++ b/regress/unittests/sshkey/common.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: common.c,v 1.3 2018/09/13 09:03:20 djm Exp $ */ 1/* $OpenBSD: common.c,v 1.4 2020/01/26 00:09:50 djm Exp $ */
2/* 2/*
3 * Helpers for key API tests 3 * Helpers for key API tests
4 * 4 *
@@ -43,13 +43,10 @@
43struct sshbuf * 43struct sshbuf *
44load_file(const char *name) 44load_file(const char *name)
45{ 45{
46 int fd; 46 struct sshbuf *ret = NULL;
47 struct sshbuf *ret;
48 47
49 ASSERT_PTR_NE(ret = sshbuf_new(), NULL); 48 ASSERT_INT_EQ(sshbuf_load_file(test_data_file(name), &ret), 0);
50 ASSERT_INT_NE(fd = open(test_data_file(name), O_RDONLY), -1); 49 ASSERT_PTR_NE(ret, NULL);
51 ASSERT_INT_EQ(sshkey_load_file(fd, ret), 0);
52 close(fd);
53 return ret; 50 return ret;
54} 51}
55 52
diff --git a/regress/unittests/sshkey/test_fuzz.c b/regress/unittests/sshkey/test_fuzz.c
index 1323f8997..359811893 100644
--- a/regress/unittests/sshkey/test_fuzz.c
+++ b/regress/unittests/sshkey/test_fuzz.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_fuzz.c,v 1.9 2018/10/17 23:28:05 djm Exp $ */ 1/* $OpenBSD: test_fuzz.c,v 1.11 2019/11/25 10:32:35 djm Exp $ */
2/* 2/*
3 * Fuzz tests for key parsing 3 * Fuzz tests for key parsing
4 * 4 *
@@ -87,10 +87,11 @@ sig_fuzz(struct sshkey *k, const char *sig_alg)
87 if (test_is_slow()) 87 if (test_is_slow())
88 fuzzers |= FUZZ_2_BIT_FLIP; 88 fuzzers |= FUZZ_2_BIT_FLIP;
89 89
90 ASSERT_INT_EQ(sshkey_sign(k, &sig, &l, c, sizeof(c), sig_alg, 0), 0); 90 ASSERT_INT_EQ(sshkey_sign(k, &sig, &l, c, sizeof(c),
91 sig_alg, NULL, 0), 0);
91 ASSERT_SIZE_T_GT(l, 0); 92 ASSERT_SIZE_T_GT(l, 0);
92 fuzz = fuzz_begin(fuzzers, sig, l); 93 fuzz = fuzz_begin(fuzzers, sig, l);
93 ASSERT_INT_EQ(sshkey_verify(k, sig, l, c, sizeof(c), NULL, 0), 0); 94 ASSERT_INT_EQ(sshkey_verify(k, sig, l, c, sizeof(c), NULL, 0, NULL), 0);
94 free(sig); 95 free(sig);
95 TEST_ONERROR(onerror, fuzz); 96 TEST_ONERROR(onerror, fuzz);
96 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { 97 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
@@ -98,7 +99,7 @@ sig_fuzz(struct sshkey *k, const char *sig_alg)
98 if (fuzz_matches_original(fuzz)) 99 if (fuzz_matches_original(fuzz))
99 continue; 100 continue;
100 ASSERT_INT_NE(sshkey_verify(k, fuzz_ptr(fuzz), fuzz_len(fuzz), 101 ASSERT_INT_NE(sshkey_verify(k, fuzz_ptr(fuzz), fuzz_len(fuzz),
101 c, sizeof(c), NULL, 0), 0); 102 c, sizeof(c), NULL, 0, NULL), 0);
102 } 103 }
103 fuzz_cleanup(fuzz); 104 fuzz_cleanup(fuzz);
104} 105}
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
index 42395b8db..025bb9815 100644
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_sshkey.c,v 1.18 2019/06/21 04:21:45 djm Exp $ */ 1/* $OpenBSD: test_sshkey.c,v 1.20 2019/11/25 10:32:35 djm Exp $ */
2/* 2/*
3 * Regress test for sshkey.h key management API 3 * Regress test for sshkey.h key management API
4 * 4 *
@@ -101,7 +101,7 @@ build_cert(struct sshbuf *b, struct sshkey *k, const char *type,
101 ASSERT_INT_EQ(sshbuf_put_string(b, NULL, 0), 0); /* reserved */ 101 ASSERT_INT_EQ(sshbuf_put_string(b, NULL, 0), 0); /* reserved */
102 ASSERT_INT_EQ(sshbuf_put_stringb(b, ca_buf), 0); /* signature key */ 102 ASSERT_INT_EQ(sshbuf_put_stringb(b, ca_buf), 0); /* signature key */
103 ASSERT_INT_EQ(sshkey_sign(sign_key, &sigblob, &siglen, 103 ASSERT_INT_EQ(sshkey_sign(sign_key, &sigblob, &siglen,
104 sshbuf_ptr(b), sshbuf_len(b), sig_alg, 0), 0); 104 sshbuf_ptr(b), sshbuf_len(b), sig_alg, NULL, 0), 0);
105 ASSERT_INT_EQ(sshbuf_put_string(b, sigblob, siglen), 0); /* signature */ 105 ASSERT_INT_EQ(sshbuf_put_string(b, sigblob, siglen), 0); /* signature */
106 106
107 free(sigblob); 107 free(sigblob);
@@ -120,14 +120,14 @@ signature_test(struct sshkey *k, struct sshkey *bad, const char *sig_alg,
120 size_t len; 120 size_t len;
121 u_char *sig; 121 u_char *sig;
122 122
123 ASSERT_INT_EQ(sshkey_sign(k, &sig, &len, d, l, sig_alg, 0), 0); 123 ASSERT_INT_EQ(sshkey_sign(k, &sig, &len, d, l, sig_alg, NULL, 0), 0);
124 ASSERT_SIZE_T_GT(len, 8); 124 ASSERT_SIZE_T_GT(len, 8);
125 ASSERT_PTR_NE(sig, NULL); 125 ASSERT_PTR_NE(sig, NULL);
126 ASSERT_INT_EQ(sshkey_verify(k, sig, len, d, l, NULL, 0), 0); 126 ASSERT_INT_EQ(sshkey_verify(k, sig, len, d, l, NULL, 0, NULL), 0);
127 ASSERT_INT_NE(sshkey_verify(bad, sig, len, d, l, NULL, 0), 0); 127 ASSERT_INT_NE(sshkey_verify(bad, sig, len, d, l, NULL, 0, NULL), 0);
128 /* Fuzz test is more comprehensive, this is just a smoke test */ 128 /* Fuzz test is more comprehensive, this is just a smoke test */
129 sig[len - 5] ^= 0x10; 129 sig[len - 5] ^= 0x10;
130 ASSERT_INT_NE(sshkey_verify(k, sig, len, d, l, NULL, 0), 0); 130 ASSERT_INT_NE(sshkey_verify(k, sig, len, d, l, NULL, 0, NULL), 0);
131 free(sig); 131 free(sig);
132} 132}
133 133
@@ -437,7 +437,7 @@ sshkey_tests(void)
437 put_opt(k1->cert->extensions, "permit-X11-forwarding", NULL); 437 put_opt(k1->cert->extensions, "permit-X11-forwarding", NULL);
438 put_opt(k1->cert->extensions, "permit-agent-forwarding", NULL); 438 put_opt(k1->cert->extensions, "permit-agent-forwarding", NULL);
439 ASSERT_INT_EQ(sshkey_from_private(k2, &k1->cert->signature_key), 0); 439 ASSERT_INT_EQ(sshkey_from_private(k2, &k1->cert->signature_key), 0);
440 ASSERT_INT_EQ(sshkey_certify(k1, k2, NULL), 0); 440 ASSERT_INT_EQ(sshkey_certify(k1, k2, NULL, NULL), 0);
441 b = sshbuf_new(); 441 b = sshbuf_new();
442 ASSERT_PTR_NE(b, NULL); 442 ASSERT_PTR_NE(b, NULL);
443 ASSERT_INT_EQ(sshkey_putb(k1, b), 0); 443 ASSERT_INT_EQ(sshkey_putb(k1, b), 0);
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-24 19:20:36 +0000