summaryrefslogtreecommitdiff
path: root/regress
diff options
context:
space:
mode:
Diffstat (limited to 'regress')
-rw-r--r--regress/Makefile5
-rw-r--r--regress/agent-ptrace.sh5
-rw-r--r--regress/cert-file.sh138
-rw-r--r--regress/check-perm.c205
-rw-r--r--regress/dhgex.sh6
-rw-r--r--regress/hostkey-rotate.sh20
-rw-r--r--regress/keys-command.sh6
-rw-r--r--regress/keyscan.sh4
-rw-r--r--regress/limit-keytype.sh37
-rw-r--r--regress/principals-command.sh7
-rw-r--r--regress/proxy-connect.sh5
-rw-r--r--regress/rekey.sh6
-rw-r--r--regress/setuid-allowed.c2
-rw-r--r--regress/sftp-chroot.sh5
-rw-r--r--regress/unittests/sshkey/test_file.c42
-rw-r--r--regress/unittests/sshkey/test_fuzz.c102
-rw-r--r--regress/unittests/sshkey/test_sshkey.c46
17 files changed, 508 insertions, 133 deletions
diff --git a/regress/Makefile b/regress/Makefile
index cba83f4d6..451909c1a 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.81 2015/05/21 06:44:25 djm Exp $ 1# $OpenBSD: Makefile,v 1.82 2015/09/24 06:16:53 djm Exp $
2 2
3REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec 3REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
4tests: prep $(REGRESS_TARGETS) 4tests: prep $(REGRESS_TARGETS)
@@ -74,7 +74,8 @@ LTESTS= connect \
74 hostkey-agent \ 74 hostkey-agent \
75 keygen-knownhosts \ 75 keygen-knownhosts \
76 hostkey-rotate \ 76 hostkey-rotate \
77 principals-command 77 principals-command \
78 cert-file
78 79
79 80
80# dhgex \ 81# dhgex \
diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh
index 1912ca8f9..bb676d631 100644
--- a/regress/agent-ptrace.sh
+++ b/regress/agent-ptrace.sh
@@ -12,6 +12,11 @@ if have_prog uname ; then
12 esac 12 esac
13fi 13fi
14 14
15if [ "x$USER" = "xroot" ]; then
16 echo "Skipped: running as root"
17 exit 0
18fi
19
15if have_prog gdb ; then 20if have_prog gdb ; then
16 : ok 21 : ok
17else 22else
diff --git a/regress/cert-file.sh b/regress/cert-file.sh
new file mode 100644
index 000000000..bad923ad0
--- /dev/null
+++ b/regress/cert-file.sh
@@ -0,0 +1,138 @@
1# $OpenBSD: cert-file.sh,v 1.2 2015/09/24 07:15:39 djm Exp $
2# Placed in the Public Domain.
3
4tid="ssh with certificates"
5
6rm -f $OBJ/user_ca_key* $OBJ/user_key*
7rm -f $OBJ/cert_user_key*
8
9# Create a CA key
10${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key1 ||\
11 fatal "ssh-keygen failed"
12${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key2 ||\
13 fatal "ssh-keygen failed"
14
15# Make some keys and certificates.
16${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \
17 fatal "ssh-keygen failed"
18${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \
19 fatal "ssh-keygen failed"
20# Move the certificate to a different address to better control
21# when it is offered.
22${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \
23 -z $$ -n ${USER} $OBJ/user_key1 ||
24 fail "couldn't sign user_key1 with user_ca_key1"
25mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_1.pub
26${SSHKEYGEN} -q -s $OBJ/user_ca_key2 -I "regress user key for $USER" \
27 -z $$ -n ${USER} $OBJ/user_key1 ||
28 fail "couldn't sign user_key1 with user_ca_key2"
29mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub
30
31trace 'try with identity files'
32opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
33opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2"
34echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER
35
36for p in ${SSH_PROTOCOLS}; do
37 # Just keys should fail
38 ${SSH} $opts2 somehost exit 5$p
39 r=$?
40 if [ $r -eq 5$p ]; then
41 fail "ssh succeeded with no certs in protocol $p"
42 fi
43
44 # Keys with untrusted cert should fail.
45 opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
46 ${SSH} $opts3 somehost exit 5$p
47 r=$?
48 if [ $r -eq 5$p ]; then
49 fail "ssh succeeded with bad cert in protocol $p"
50 fi
51
52 # Good cert with bad key should fail.
53 opts3="$opts -i $OBJ/user_key2"
54 opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
55 ${SSH} $opts3 somehost exit 5$p
56 r=$?
57 if [ $r -eq 5$p ]; then
58 fail "ssh succeeded with no matching key in protocol $p"
59 fi
60
61 # Keys with one trusted cert, should succeed.
62 opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
63 ${SSH} $opts3 somehost exit 5$p
64 r=$?
65 if [ $r -ne 5$p ]; then
66 fail "ssh failed with trusted cert and key in protocol $p"
67 fi
68
69 # Multiple certs and keys, with one trusted cert, should succeed.
70 opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
71 opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
72 ${SSH} $opts3 somehost exit 5$p
73 r=$?
74 if [ $r -ne 5$p ]; then
75 fail "ssh failed with multiple certs in protocol $p"
76 fi
77
78 #Keys with trusted certificate specified in config options, should succeed.
79 opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
80 ${SSH} $opts3 somehost exit 5$p
81 r=$?
82 if [ $r -ne 5$p ]; then
83 fail "ssh failed with trusted cert in config in protocol $p"
84 fi
85done
86
87#next, using an agent in combination with the keys
88SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
89if [ $? -ne 2 ]; then
90 fatal "ssh-add -l did not fail with exit code 2"
91fi
92
93trace "start agent"
94eval `${SSHAGENT} -s` > /dev/null
95r=$?
96if [ $r -ne 0 ]; then
97 fatal "could not start ssh-agent: exit code $r"
98fi
99
100# add private keys to agent
101${SSHADD} -k $OBJ/user_key2 > /dev/null 2>&1
102if [ $? -ne 0 ]; then
103 fatal "ssh-add did not succeed with exit code 0"
104fi
105${SSHADD} -k $OBJ/user_key1 > /dev/null 2>&1
106if [ $? -ne 0 ]; then
107 fatal "ssh-add did not succeed with exit code 0"
108fi
109
110# try ssh with the agent and certificates
111# note: ssh agent only uses certificates in protocol 2
112opts="-F $OBJ/ssh_proxy"
113# with no certificates, shoud fail
114${SSH} -2 $opts somehost exit 52
115if [ $? -eq 52 ]; then
116 fail "ssh connect with agent in protocol 2 succeeded with no cert"
117fi
118
119#with an untrusted certificate, should fail
120opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub"
121${SSH} -2 $opts somehost exit 52
122if [ $? -eq 52 ]; then
123 fail "ssh connect with agent in protocol 2 succeeded with bad cert"
124fi
125
126#with an additional trusted certificate, should succeed
127opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub"
128${SSH} -2 $opts somehost exit 52
129if [ $? -ne 52 ]; then
130 fail "ssh connect with agent in protocol 2 failed with good cert"
131fi
132
133trace "kill agent"
134${SSHAGENT} -k > /dev/null
135
136#cleanup
137rm -f $OBJ/user_ca_key* $OBJ/user_key*
138rm -f $OBJ/cert_user_key*
diff --git a/regress/check-perm.c b/regress/check-perm.c
new file mode 100644
index 000000000..dac307d24
--- /dev/null
+++ b/regress/check-perm.c
@@ -0,0 +1,205 @@
1/*
2 * Placed in the public domain
3 */
4
5/* $OpenBSD: modpipe.c,v 1.6 2013/11/21 03:16:47 djm Exp $ */
6
7#include "includes.h"
8
9#include <sys/types.h>
10#include <sys/stat.h>
11#include <unistd.h>
12#include <stdio.h>
13#include <string.h>
14#include <stdarg.h>
15#include <stdlib.h>
16#include <errno.h>
17#include <pwd.h>
18#ifdef HAVE_LIBGEN_H
19#include <libgen.h>
20#endif
21
22static void
23fatal(const char *fmt, ...)
24{
25 va_list args;
26
27 va_start(args, fmt);
28 vfprintf(stderr, fmt, args);
29 fputc('\n', stderr);
30 va_end(args);
31 exit(1);
32}
33/* Based on session.c. NB. keep tests in sync */
34static void
35safely_chroot(const char *path, uid_t uid)
36{
37 const char *cp;
38 char component[PATH_MAX];
39 struct stat st;
40
41 if (*path != '/')
42 fatal("chroot path does not begin at root");
43 if (strlen(path) >= sizeof(component))
44 fatal("chroot path too long");
45
46 /*
47 * Descend the path, checking that each component is a
48 * root-owned directory with strict permissions.
49 */
50 for (cp = path; cp != NULL;) {
51 if ((cp = strchr(cp, '/')) == NULL)
52 strlcpy(component, path, sizeof(component));
53 else {
54 cp++;
55 memcpy(component, path, cp - path);
56 component[cp - path] = '\0';
57 }
58
59 /* debug3("%s: checking '%s'", __func__, component); */
60
61 if (stat(component, &st) != 0)
62 fatal("%s: stat(\"%s\"): %s", __func__,
63 component, strerror(errno));
64 if (st.st_uid != 0 || (st.st_mode & 022) != 0)
65 fatal("bad ownership or modes for chroot "
66 "directory %s\"%s\"",
67 cp == NULL ? "" : "component ", component);
68 if (!S_ISDIR(st.st_mode))
69 fatal("chroot path %s\"%s\" is not a directory",
70 cp == NULL ? "" : "component ", component);
71
72 }
73
74 if (chdir(path) == -1)
75 fatal("Unable to chdir to chroot path \"%s\": "
76 "%s", path, strerror(errno));
77}
78
79/* from platform.c */
80int
81platform_sys_dir_uid(uid_t uid)
82{
83 if (uid == 0)
84 return 1;
85#ifdef PLATFORM_SYS_DIR_UID
86 if (uid == PLATFORM_SYS_DIR_UID)
87 return 1;
88#endif
89 return 0;
90}
91
92/* from auth.c */
93int
94auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
95 uid_t uid, char *err, size_t errlen)
96{
97 char buf[PATH_MAX], homedir[PATH_MAX];
98 char *cp;
99 int comparehome = 0;
100 struct stat st;
101
102 if (realpath(name, buf) == NULL) {
103 snprintf(err, errlen, "realpath %s failed: %s", name,
104 strerror(errno));
105 return -1;
106 }
107 if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL)
108 comparehome = 1;
109
110 if (!S_ISREG(stp->st_mode)) {
111 snprintf(err, errlen, "%s is not a regular file", buf);
112 return -1;
113 }
114 if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
115 (stp->st_mode & 022) != 0) {
116 snprintf(err, errlen, "bad ownership or modes for file %s",
117 buf);
118 return -1;
119 }
120
121 /* for each component of the canonical path, walking upwards */
122 for (;;) {
123 if ((cp = dirname(buf)) == NULL) {
124 snprintf(err, errlen, "dirname() failed");
125 return -1;
126 }
127 strlcpy(buf, cp, sizeof(buf));
128
129 if (stat(buf, &st) < 0 ||
130 (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
131 (st.st_mode & 022) != 0) {
132 snprintf(err, errlen,
133 "bad ownership or modes for directory %s", buf);
134 return -1;
135 }
136
137 /* If are past the homedir then we can stop */
138 if (comparehome && strcmp(homedir, buf) == 0)
139 break;
140
141 /*
142 * dirname should always complete with a "/" path,
143 * but we can be paranoid and check for "." too
144 */
145 if ((strcmp("/", buf) == 0) || (strcmp(".", buf) == 0))
146 break;
147 }
148 return 0;
149}
150
151static void
152usage(void)
153{
154 fprintf(stderr, "check-perm -m [chroot | keys-command] [path]\n");
155 exit(1);
156}
157
158int
159main(int argc, char **argv)
160{
161 const char *path = ".";
162 char errmsg[256];
163 int ch, mode = -1;
164 extern char *optarg;
165 extern int optind;
166 struct stat st;
167
168 while ((ch = getopt(argc, argv, "hm:")) != -1) {
169 switch (ch) {
170 case 'm':
171 if (strcasecmp(optarg, "chroot") == 0)
172 mode = 1;
173 else if (strcasecmp(optarg, "keys-command") == 0)
174 mode = 2;
175 else {
176 fprintf(stderr, "Invalid -m option\n"),
177 usage();
178 }
179 break;
180 default:
181 usage();
182 }
183 }
184 argc -= optind;
185 argv += optind;
186
187 if (argc > 1)
188 usage();
189 else if (argc == 1)
190 path = argv[0];
191
192 if (mode == 1)
193 safely_chroot(path, getuid());
194 else if (mode == 2) {
195 if (stat(path, &st) < 0)
196 fatal("Could not stat %s: %s", path, strerror(errno));
197 if (auth_secure_path(path, &st, NULL, 0,
198 errmsg, sizeof(errmsg)) != 0)
199 fatal("Unsafe %s: %s", path, errmsg);
200 } else {
201 fprintf(stderr, "Invalid mode\n");
202 usage();
203 }
204 return 0;
205}
diff --git a/regress/dhgex.sh b/regress/dhgex.sh
index 57fca4a32..e7c573397 100644
--- a/regress/dhgex.sh
+++ b/regress/dhgex.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: dhgex.sh,v 1.2 2014/04/21 22:15:37 djm Exp $ 1# $OpenBSD: dhgex.sh,v 1.3 2015/10/23 02:22:01 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="dhgex" 4tid="dhgex"
@@ -20,7 +20,9 @@ ssh_test_dhgex()
20 echo "Ciphers=$cipher" >> $OBJ/sshd_proxy 20 echo "Ciphers=$cipher" >> $OBJ/sshd_proxy
21 rm -f ${LOG} 21 rm -f ${LOG}
22 opts="-oKexAlgorithms=$kex -oCiphers=$cipher" 22 opts="-oKexAlgorithms=$kex -oCiphers=$cipher"
23 groupsz="1024<$bits<8192" 23 min=2048
24 max=8192
25 groupsz="$min<$bits<$max"
24 verbose "$tid bits $bits $kex $cipher" 26 verbose "$tid bits $bits $kex $cipher"
25 ${SSH} ${opts} $@ -vvv -F ${OBJ}/ssh_proxy somehost true 27 ${SSH} ${opts} $@ -vvv -F ${OBJ}/ssh_proxy somehost true
26 if [ $? -ne 0 ]; then 28 if [ $? -ne 0 ]; then
diff --git a/regress/hostkey-rotate.sh b/regress/hostkey-rotate.sh
index 3aa8c40c0..d69de3255 100644
--- a/regress/hostkey-rotate.sh
+++ b/regress/hostkey-rotate.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: hostkey-rotate.sh,v 1.4 2015/07/10 06:23:25 markus Exp $ 1# $OpenBSD: hostkey-rotate.sh,v 1.5 2015/09/04 04:23:10 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="hostkey rotate" 4tid="hostkey rotate"
@@ -108,21 +108,3 @@ verbose "check rotate primary hostkey"
108dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa 108dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa
109expect_nkeys 1 "learn hostkeys" 109expect_nkeys 1 "learn hostkeys"
110check_key_present ssh-rsa || fail "didn't learn changed key" 110check_key_present ssh-rsa || fail "didn't learn changed key"
111
112# $OpenBSD: hostkey-rotate.sh,v 1.4 2015/07/10 06:23:25 markus Exp $
113# Placed in the Public Domain.
114
115tid="hostkey rotate"
116
117# Prepare hostkeys file with one key
118
119# Connect to sshd
120
121# Check that other keys learned
122
123# Change one hostkey (non primary)
124
125# Connect to sshd
126
127# Check that the key was replaced
128
diff --git a/regress/keys-command.sh b/regress/keys-command.sh
index 700273b66..af68cf15c 100644
--- a/regress/keys-command.sh
+++ b/regress/keys-command.sh
@@ -36,6 +36,12 @@ exec cat "$OBJ/authorized_keys_${LOGNAME}"
36_EOF 36_EOF
37$SUDO chmod 0755 "$KEY_COMMAND" 37$SUDO chmod 0755 "$KEY_COMMAND"
38 38
39if ! $OBJ/check-perm -m keys-command $KEY_COMMAND ; then
40 echo "skipping: $KEY_COMMAND is unsuitable as AuthorizedKeysCommand"
41 $SUDO rm -f $KEY_COMMAND
42 exit 0
43fi
44
39if [ -x $KEY_COMMAND ]; then 45if [ -x $KEY_COMMAND ]; then
40 cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak 46 cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
41 47
diff --git a/regress/keyscan.sh b/regress/keyscan.sh
index 886f3295a..f97364b76 100644
--- a/regress/keyscan.sh
+++ b/regress/keyscan.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: keyscan.sh,v 1.4 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: keyscan.sh,v 1.5 2015/09/11 03:44:21 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="keyscan" 4tid="keyscan"
@@ -8,7 +8,7 @@ rm -f ${OBJ}/host.dsa
8 8
9start_sshd 9start_sshd
10 10
11KEYTYPES="rsa dsa" 11KEYTYPES=`${SSH} -Q key-plain`
12if ssh_version 1; then 12if ssh_version 1; then
13 KEYTYPES="${KEYTYPES} rsa1" 13 KEYTYPES="${KEYTYPES} rsa1"
14fi 14fi
diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh
index 2de037bd1..c0cf2fed6 100644
--- a/regress/limit-keytype.sh
+++ b/regress/limit-keytype.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: limit-keytype.sh,v 1.1 2015/01/13 07:49:49 djm Exp $ 1# $OpenBSD: limit-keytype.sh,v 1.4 2015/10/29 08:05:17 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="restrict pubkey type" 4tid="restrict pubkey type"
@@ -20,18 +20,19 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key2 || \
20 fatal "ssh-keygen failed" 20 fatal "ssh-keygen failed"
21${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key3 || \ 21${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_key3 || \
22 fatal "ssh-keygen failed" 22 fatal "ssh-keygen failed"
23${SSHKEYGEN} -q -N '' -t dsa -f $OBJ/user_key4 || \
24 fatal "ssh-keygen failed"
23${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ 25${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
24 -z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 || 26 -z $$ -n ${USER},mekmitasdigoat $OBJ/user_key3 ||
25 fatal "couldn't sign user_key1" 27 fatal "couldn't sign user_key1"
26# Copy the private key alongside the cert to allow better control of when 28# Copy the private key alongside the cert to allow better control of when
27# it is offered. 29# it is offered.
28mv $OBJ/user_key3-cert.pub $OBJ/cert_user_key3.pub 30mv $OBJ/user_key3-cert.pub $OBJ/cert_user_key3.pub
29cp -p $OBJ/user_key3 $OBJ/cert_user_key3
30 31
31grep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy 32grep -v IdentityFile $OBJ/ssh_proxy.orig > $OBJ/ssh_proxy
32 33
33opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes" 34opts="-oProtocol=2 -F $OBJ/ssh_proxy -oIdentitiesOnly=yes"
34fullopts="$opts -i $OBJ/cert_user_key3 -i $OBJ/user_key1 -i $OBJ/user_key2" 35certopts="$opts -i $OBJ/user_key3 -oCertificateFile=$OBJ/cert_user_key3.pub"
35 36
36echo mekmitasdigoat > $OBJ/authorized_principals_$USER 37echo mekmitasdigoat > $OBJ/authorized_principals_$USER
37cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER 38cat $OBJ/user_key1.pub > $OBJ/authorized_keys_$USER
@@ -53,28 +54,44 @@ prepare_config() {
53prepare_config 54prepare_config
54 55
55# Check we can log in with all key types. 56# Check we can log in with all key types.
56${SSH} $opts -i $OBJ/cert_user_key3 proxy true || fatal "cert failed" 57${SSH} $certopts proxy true || fatal "cert failed"
57${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" 58${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
58${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" 59${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
59 60
60# Allow plain Ed25519 and RSA. The certificate should fail. 61# Allow plain Ed25519 and RSA. The certificate should fail.
61verbose "privsep=$privsep allow rsa,ed25519" 62verbose "allow rsa,ed25519"
62prepare_config "PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519" 63prepare_config "PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519"
63${SSH} $opts -i $OBJ/cert_user_key3 proxy true && fatal "cert succeeded" 64${SSH} $certopts proxy true && fatal "cert succeeded"
64${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" 65${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
65${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed" 66${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
66 67
67# Allow Ed25519 only. 68# Allow Ed25519 only.
68verbose "privsep=$privsep allow ed25519" 69verbose "allow ed25519"
69prepare_config "PubkeyAcceptedKeyTypes ssh-ed25519" 70prepare_config "PubkeyAcceptedKeyTypes ssh-ed25519"
70${SSH} $opts -i $OBJ/cert_user_key3 proxy true && fatal "cert succeeded" 71${SSH} $certopts proxy true && fatal "cert succeeded"
71${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed" 72${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
72${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded" 73${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
73 74
74# Allow all certs. Plain keys should fail. 75# Allow all certs. Plain keys should fail.
75verbose "privsep=$privsep allow cert only" 76verbose "allow cert only"
76prepare_config "PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com" 77prepare_config "PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com"
77${SSH} $opts -i $OBJ/cert_user_key3 proxy true || fatal "cert failed" 78${SSH} $certopts proxy true || fatal "cert failed"
78${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded" 79${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
79${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded" 80${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
80 81
82# Allow RSA in main config, Ed25519 for non-existent user.
83verbose "match w/ no match"
84prepare_config "PubkeyAcceptedKeyTypes ssh-rsa" \
85 "Match user x$USER" "PubkeyAcceptedKeyTypes +ssh-ed25519"
86${SSH} $certopts proxy true && fatal "cert succeeded"
87${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
88${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
89
90# Allow only DSA in main config, Ed25519 for user.
91verbose "match w/ matching"
92prepare_config "PubkeyAcceptedKeyTypes ssh-dss" \
93 "Match user $USER" "PubkeyAcceptedKeyTypes +ssh-ed25519"
94${SSH} $certopts proxy true || fatal "cert failed"
95${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
96${SSH} $opts -i $OBJ/user_key4 proxy true && fatal "key4 succeeded"
97
diff --git a/regress/principals-command.sh b/regress/principals-command.sh
index b90a8cf2c..c0be7e747 100644
--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@@ -24,6 +24,13 @@ _EOF
24test $? -eq 0 || fatal "couldn't prepare principals command" 24test $? -eq 0 || fatal "couldn't prepare principals command"
25$SUDO chmod 0755 "$PRINCIPALS_CMD" 25$SUDO chmod 0755 "$PRINCIPALS_CMD"
26 26
27if ! $OBJ/check-perm -m keys-command $PRINCIPALS_CMD ; then
28 echo "skipping: $PRINCIPALS_CMD is unsuitable as " \
29 "AuthorizedPrincipalsCommand"
30 $SUDO rm -f $PRINCIPALS_CMD
31 exit 0
32fi
33
27# Create a CA key and a user certificate. 34# Create a CA key and a user certificate.
28${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ 35${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
29 fatal "ssh-keygen of user_ca_key failed" 36 fatal "ssh-keygen of user_ca_key failed"
diff --git a/regress/proxy-connect.sh b/regress/proxy-connect.sh
index f816962b5..b7a43fabe 100644
--- a/regress/proxy-connect.sh
+++ b/regress/proxy-connect.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: proxy-connect.sh,v 1.8 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: proxy-connect.sh,v 1.9 2016/02/17 02:24:17 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="proxy connect" 4tid="proxy connect"
@@ -18,7 +18,8 @@ for ps in no yes; do
18 fail "ssh proxyconnect protocol $p privsep=$ps comp=$c failed" 18 fail "ssh proxyconnect protocol $p privsep=$ps comp=$c failed"
19 fi 19 fi
20 if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then 20 if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
21 fail "bad SSH_CONNECTION protocol $p privsep=$ps comp=$c" 21 fail "bad SSH_CONNECTION protocol $p privsep=$ps comp=$c: " \
22 "$SSH_CONNECTION"
22 fi 23 fi
23 done 24 done
24 done 25 done
diff --git a/regress/rekey.sh b/regress/rekey.sh
index 0d4444d03..ae145bc8b 100644
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: rekey.sh,v 1.16 2015/02/14 12:43:16 markus Exp $ 1# $OpenBSD: rekey.sh,v 1.17 2016/01/29 05:18:15 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="rekey" 4tid="rekey"
@@ -137,13 +137,15 @@ for s in 5 10; do
137done 137done
138 138
139verbose "rekeylimit parsing" 139verbose "rekeylimit parsing"
140for size in 16 1k 1K 1m 1M 1g 1G; do 140for size in 16 1k 1K 1m 1M 1g 1G 4G 8G; do
141 for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do 141 for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
142 case $size in 142 case $size in
143 16) bytes=16 ;; 143 16) bytes=16 ;;
144 1k|1K) bytes=1024 ;; 144 1k|1K) bytes=1024 ;;
145 1m|1M) bytes=1048576 ;; 145 1m|1M) bytes=1048576 ;;
146 1g|1G) bytes=1073741824 ;; 146 1g|1G) bytes=1073741824 ;;
147 4g|4G) bytes=4294967296 ;;
148 8g|8G) bytes=8589934592 ;;
147 esac 149 esac
148 case $time in 150 case $time in
149 1) seconds=1 ;; 151 1) seconds=1 ;;
diff --git a/regress/setuid-allowed.c b/regress/setuid-allowed.c
index 676d2661c..7a0527fd0 100644
--- a/regress/setuid-allowed.c
+++ b/regress/setuid-allowed.c
@@ -26,7 +26,7 @@
26#include <string.h> 26#include <string.h>
27#include <errno.h> 27#include <errno.h>
28 28
29void 29static void
30usage(void) 30usage(void)
31{ 31{
32 fprintf(stderr, "check-setuid [path]\n"); 32 fprintf(stderr, "check-setuid [path]\n");
diff --git a/regress/sftp-chroot.sh b/regress/sftp-chroot.sh
index 23f7456e8..9c26eb680 100644
--- a/regress/sftp-chroot.sh
+++ b/regress/sftp-chroot.sh
@@ -12,6 +12,11 @@ if [ -z "$SUDO" ]; then
12 exit 0 12 exit 0
13fi 13fi
14 14
15if ! $OBJ/check-perm -m chroot "$CHROOT" ; then
16 echo "skipped: $CHROOT is unsuitable as ChrootDirectory"
17 exit 0
18fi
19
15$SUDO sh -c "echo mekmitastdigoat > $PRIVDATA" || \ 20$SUDO sh -c "echo mekmitastdigoat > $PRIVDATA" || \
16 fatal "create $PRIVDATA failed" 21 fatal "create $PRIVDATA failed"
17 22
diff --git a/regress/unittests/sshkey/test_file.c b/regress/unittests/sshkey/test_file.c
index c8a236937..906491f2b 100644
--- a/regress/unittests/sshkey/test_file.c
+++ b/regress/unittests/sshkey/test_file.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_file.c,v 1.4 2015/07/07 14:53:30 markus Exp $ */ 1/* $OpenBSD: test_file.c,v 1.5 2015/10/06 01:20:59 djm Exp $ */
2/* 2/*
3 * Regress test for sshkey.h key management API 3 * Regress test for sshkey.h key management API
4 * 4 *
@@ -54,8 +54,7 @@ sshkey_file_tests(void)
54#ifdef WITH_SSH1 54#ifdef WITH_SSH1
55 TEST_START("parse RSA1 from private"); 55 TEST_START("parse RSA1 from private");
56 buf = load_file("rsa1_1"); 56 buf = load_file("rsa1_1");
57 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "rsa1_1", 57 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
58 &k1, NULL), 0);
59 sshbuf_free(buf); 58 sshbuf_free(buf);
60 ASSERT_PTR_NE(k1, NULL); 59 ASSERT_PTR_NE(k1, NULL);
61 a = load_bignum("rsa1_1.param.n"); 60 a = load_bignum("rsa1_1.param.n");
@@ -66,7 +65,7 @@ sshkey_file_tests(void)
66 TEST_START("parse RSA1 from private w/ passphrase"); 65 TEST_START("parse RSA1 from private w/ passphrase");
67 buf = load_file("rsa1_1_pw"); 66 buf = load_file("rsa1_1_pw");
68 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, 67 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
69 (const char *)sshbuf_ptr(pw), "rsa1_1_pw", &k2, NULL), 0); 68 (const char *)sshbuf_ptr(pw), &k2, NULL), 0);
70 sshbuf_free(buf); 69 sshbuf_free(buf);
71 ASSERT_PTR_NE(k2, NULL); 70 ASSERT_PTR_NE(k2, NULL);
72 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); 71 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -104,8 +103,7 @@ sshkey_file_tests(void)
104 103
105 TEST_START("parse RSA from private"); 104 TEST_START("parse RSA from private");
106 buf = load_file("rsa_1"); 105 buf = load_file("rsa_1");
107 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "rsa_1", 106 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
108 &k1, NULL), 0);
109 sshbuf_free(buf); 107 sshbuf_free(buf);
110 ASSERT_PTR_NE(k1, NULL); 108 ASSERT_PTR_NE(k1, NULL);
111 a = load_bignum("rsa_1.param.n"); 109 a = load_bignum("rsa_1.param.n");
@@ -122,7 +120,7 @@ sshkey_file_tests(void)
122 TEST_START("parse RSA from private w/ passphrase"); 120 TEST_START("parse RSA from private w/ passphrase");
123 buf = load_file("rsa_1_pw"); 121 buf = load_file("rsa_1_pw");
124 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, 122 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
125 (const char *)sshbuf_ptr(pw), "rsa_1_pw", &k2, NULL), 0); 123 (const char *)sshbuf_ptr(pw), &k2, NULL), 0);
126 sshbuf_free(buf); 124 sshbuf_free(buf);
127 ASSERT_PTR_NE(k2, NULL); 125 ASSERT_PTR_NE(k2, NULL);
128 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); 126 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -131,8 +129,7 @@ sshkey_file_tests(void)
131 129
132 TEST_START("parse RSA from new-format"); 130 TEST_START("parse RSA from new-format");
133 buf = load_file("rsa_n"); 131 buf = load_file("rsa_n");
134 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, 132 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k2, NULL), 0);
135 "", "rsa_n", &k2, NULL), 0);
136 sshbuf_free(buf); 133 sshbuf_free(buf);
137 ASSERT_PTR_NE(k2, NULL); 134 ASSERT_PTR_NE(k2, NULL);
138 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); 135 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -142,7 +139,7 @@ sshkey_file_tests(void)
142 TEST_START("parse RSA from new-format w/ passphrase"); 139 TEST_START("parse RSA from new-format w/ passphrase");
143 buf = load_file("rsa_n_pw"); 140 buf = load_file("rsa_n_pw");
144 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, 141 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
145 (const char *)sshbuf_ptr(pw), "rsa_n_pw", &k2, NULL), 0); 142 (const char *)sshbuf_ptr(pw), &k2, NULL), 0);
146 sshbuf_free(buf); 143 sshbuf_free(buf);
147 ASSERT_PTR_NE(k2, NULL); 144 ASSERT_PTR_NE(k2, NULL);
148 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); 145 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -197,8 +194,7 @@ sshkey_file_tests(void)
197 194
198 TEST_START("parse DSA from private"); 195 TEST_START("parse DSA from private");
199 buf = load_file("dsa_1"); 196 buf = load_file("dsa_1");
200 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "dsa_1", 197 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
201 &k1, NULL), 0);
202 sshbuf_free(buf); 198 sshbuf_free(buf);
203 ASSERT_PTR_NE(k1, NULL); 199 ASSERT_PTR_NE(k1, NULL);
204 a = load_bignum("dsa_1.param.g"); 200 a = load_bignum("dsa_1.param.g");
@@ -215,7 +211,7 @@ sshkey_file_tests(void)
215 TEST_START("parse DSA from private w/ passphrase"); 211 TEST_START("parse DSA from private w/ passphrase");
216 buf = load_file("dsa_1_pw"); 212 buf = load_file("dsa_1_pw");
217 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, 213 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
218 (const char *)sshbuf_ptr(pw), "dsa_1_pw", &k2, NULL), 0); 214 (const char *)sshbuf_ptr(pw), &k2, NULL), 0);
219 sshbuf_free(buf); 215 sshbuf_free(buf);
220 ASSERT_PTR_NE(k2, NULL); 216 ASSERT_PTR_NE(k2, NULL);
221 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); 217 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -224,8 +220,7 @@ sshkey_file_tests(void)
224 220
225 TEST_START("parse DSA from new-format"); 221 TEST_START("parse DSA from new-format");
226 buf = load_file("dsa_n"); 222 buf = load_file("dsa_n");
227 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, 223 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k2, NULL), 0);
228 "", "dsa_n", &k2, NULL), 0);
229 sshbuf_free(buf); 224 sshbuf_free(buf);
230 ASSERT_PTR_NE(k2, NULL); 225 ASSERT_PTR_NE(k2, NULL);
231 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); 226 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -235,7 +230,7 @@ sshkey_file_tests(void)
235 TEST_START("parse DSA from new-format w/ passphrase"); 230 TEST_START("parse DSA from new-format w/ passphrase");
236 buf = load_file("dsa_n_pw"); 231 buf = load_file("dsa_n_pw");
237 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, 232 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
238 (const char *)sshbuf_ptr(pw), "dsa_n_pw", &k2, NULL), 0); 233 (const char *)sshbuf_ptr(pw), &k2, NULL), 0);
239 sshbuf_free(buf); 234 sshbuf_free(buf);
240 ASSERT_PTR_NE(k2, NULL); 235 ASSERT_PTR_NE(k2, NULL);
241 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); 236 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -291,8 +286,7 @@ sshkey_file_tests(void)
291#ifdef OPENSSL_HAS_ECC 286#ifdef OPENSSL_HAS_ECC
292 TEST_START("parse ECDSA from private"); 287 TEST_START("parse ECDSA from private");
293 buf = load_file("ecdsa_1"); 288 buf = load_file("ecdsa_1");
294 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "ecdsa_1", 289 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
295 &k1, NULL), 0);
296 sshbuf_free(buf); 290 sshbuf_free(buf);
297 ASSERT_PTR_NE(k1, NULL); 291 ASSERT_PTR_NE(k1, NULL);
298 buf = load_text_file("ecdsa_1.param.curve"); 292 buf = load_text_file("ecdsa_1.param.curve");
@@ -315,7 +309,7 @@ sshkey_file_tests(void)
315 TEST_START("parse ECDSA from private w/ passphrase"); 309 TEST_START("parse ECDSA from private w/ passphrase");
316 buf = load_file("ecdsa_1_pw"); 310 buf = load_file("ecdsa_1_pw");
317 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, 311 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
318 (const char *)sshbuf_ptr(pw), "ecdsa_1_pw", &k2, NULL), 0); 312 (const char *)sshbuf_ptr(pw), &k2, NULL), 0);
319 sshbuf_free(buf); 313 sshbuf_free(buf);
320 ASSERT_PTR_NE(k2, NULL); 314 ASSERT_PTR_NE(k2, NULL);
321 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); 315 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -324,8 +318,7 @@ sshkey_file_tests(void)
324 318
325 TEST_START("parse ECDSA from new-format"); 319 TEST_START("parse ECDSA from new-format");
326 buf = load_file("ecdsa_n"); 320 buf = load_file("ecdsa_n");
327 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, 321 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k2, NULL), 0);
328 "", "ecdsa_n", &k2, NULL), 0);
329 sshbuf_free(buf); 322 sshbuf_free(buf);
330 ASSERT_PTR_NE(k2, NULL); 323 ASSERT_PTR_NE(k2, NULL);
331 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); 324 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -335,7 +328,7 @@ sshkey_file_tests(void)
335 TEST_START("parse ECDSA from new-format w/ passphrase"); 328 TEST_START("parse ECDSA from new-format w/ passphrase");
336 buf = load_file("ecdsa_n_pw"); 329 buf = load_file("ecdsa_n_pw");
337 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, 330 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
338 (const char *)sshbuf_ptr(pw), "ecdsa_n_pw", &k2, NULL), 0); 331 (const char *)sshbuf_ptr(pw), &k2, NULL), 0);
339 sshbuf_free(buf); 332 sshbuf_free(buf);
340 ASSERT_PTR_NE(k2, NULL); 333 ASSERT_PTR_NE(k2, NULL);
341 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); 334 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
@@ -391,8 +384,7 @@ sshkey_file_tests(void)
391 384
392 TEST_START("parse Ed25519 from private"); 385 TEST_START("parse Ed25519 from private");
393 buf = load_file("ed25519_1"); 386 buf = load_file("ed25519_1");
394 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "ed25519_1", 387 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
395 &k1, NULL), 0);
396 sshbuf_free(buf); 388 sshbuf_free(buf);
397 ASSERT_PTR_NE(k1, NULL); 389 ASSERT_PTR_NE(k1, NULL);
398 ASSERT_INT_EQ(k1->type, KEY_ED25519); 390 ASSERT_INT_EQ(k1->type, KEY_ED25519);
@@ -402,7 +394,7 @@ sshkey_file_tests(void)
402 TEST_START("parse Ed25519 from private w/ passphrase"); 394 TEST_START("parse Ed25519 from private w/ passphrase");
403 buf = load_file("ed25519_1_pw"); 395 buf = load_file("ed25519_1_pw");
404 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, 396 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
405 (const char *)sshbuf_ptr(pw), "ed25519_1_pw", &k2, NULL), 0); 397 (const char *)sshbuf_ptr(pw), &k2, NULL), 0);
406 sshbuf_free(buf); 398 sshbuf_free(buf);
407 ASSERT_PTR_NE(k2, NULL); 399 ASSERT_PTR_NE(k2, NULL);
408 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1); 400 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
diff --git a/regress/unittests/sshkey/test_fuzz.c b/regress/unittests/sshkey/test_fuzz.c
index 1f08a2e43..1f414e0ac 100644
--- a/regress/unittests/sshkey/test_fuzz.c
+++ b/regress/unittests/sshkey/test_fuzz.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_fuzz.c,v 1.4 2015/03/04 23:22:35 djm Exp $ */ 1/* $OpenBSD: test_fuzz.c,v 1.6 2015/12/07 02:20:46 djm Exp $ */
2/* 2/*
3 * Fuzz tests for key parsing 3 * Fuzz tests for key parsing
4 * 4 *
@@ -72,13 +72,13 @@ public_fuzz(struct sshkey *k)
72} 72}
73 73
74static void 74static void
75sig_fuzz(struct sshkey *k) 75sig_fuzz(struct sshkey *k, const char *sig_alg)
76{ 76{
77 struct fuzz *fuzz; 77 struct fuzz *fuzz;
78 u_char *sig, c[] = "some junk to be signed"; 78 u_char *sig, c[] = "some junk to be signed";
79 size_t l; 79 size_t l;
80 80
81 ASSERT_INT_EQ(sshkey_sign(k, &sig, &l, c, sizeof(c), 0), 0); 81 ASSERT_INT_EQ(sshkey_sign(k, &sig, &l, c, sizeof(c), sig_alg, 0), 0);
82 ASSERT_SIZE_T_GT(l, 0); 82 ASSERT_SIZE_T_GT(l, 0);
83 fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | /* too slow FUZZ_2_BIT_FLIP | */ 83 fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | /* too slow FUZZ_2_BIT_FLIP | */
84 FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP | 84 FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP |
@@ -110,8 +110,7 @@ sshkey_fuzz_tests(void)
110 fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP | 110 fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP |
111 FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END, 111 FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
112 sshbuf_mutable_ptr(buf), sshbuf_len(buf)); 112 sshbuf_mutable_ptr(buf), sshbuf_len(buf));
113 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", 113 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
114 &k1, NULL), 0);
115 sshkey_free(k1); 114 sshkey_free(k1);
116 sshbuf_free(buf); 115 sshbuf_free(buf);
117 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); 116 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
@@ -119,8 +118,7 @@ sshkey_fuzz_tests(void)
119 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { 118 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
120 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); 119 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
121 ASSERT_INT_EQ(r, 0); 120 ASSERT_INT_EQ(r, 0);
122 if (sshkey_parse_private_fileblob(fuzzed, "", "key", 121 if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
123 &k1, NULL) == 0)
124 sshkey_free(k1); 122 sshkey_free(k1);
125 sshbuf_reset(fuzzed); 123 sshbuf_reset(fuzzed);
126 } 124 }
@@ -154,8 +152,7 @@ sshkey_fuzz_tests(void)
154 buf = load_file("rsa_1"); 152 buf = load_file("rsa_1");
155 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf), 153 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
156 sshbuf_len(buf)); 154 sshbuf_len(buf));
157 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", 155 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
158 &k1, NULL), 0);
159 sshkey_free(k1); 156 sshkey_free(k1);
160 sshbuf_free(buf); 157 sshbuf_free(buf);
161 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); 158 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
@@ -163,8 +160,7 @@ sshkey_fuzz_tests(void)
163 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { 160 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
164 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); 161 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
165 ASSERT_INT_EQ(r, 0); 162 ASSERT_INT_EQ(r, 0);
166 if (sshkey_parse_private_fileblob(fuzzed, "", "key", 163 if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
167 &k1, NULL) == 0)
168 sshkey_free(k1); 164 sshkey_free(k1);
169 sshbuf_reset(fuzzed); 165 sshbuf_reset(fuzzed);
170 } 166 }
@@ -176,8 +172,7 @@ sshkey_fuzz_tests(void)
176 buf = load_file("rsa_n"); 172 buf = load_file("rsa_n");
177 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf), 173 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
178 sshbuf_len(buf)); 174 sshbuf_len(buf));
179 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", 175 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
180 &k1, NULL), 0);
181 sshkey_free(k1); 176 sshkey_free(k1);
182 sshbuf_free(buf); 177 sshbuf_free(buf);
183 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); 178 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
@@ -185,8 +180,7 @@ sshkey_fuzz_tests(void)
185 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { 180 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
186 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); 181 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
187 ASSERT_INT_EQ(r, 0); 182 ASSERT_INT_EQ(r, 0);
188 if (sshkey_parse_private_fileblob(fuzzed, "", "key", 183 if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
189 &k1, NULL) == 0)
190 sshkey_free(k1); 184 sshkey_free(k1);
191 sshbuf_reset(fuzzed); 185 sshbuf_reset(fuzzed);
192 } 186 }
@@ -198,8 +192,7 @@ sshkey_fuzz_tests(void)
198 buf = load_file("dsa_1"); 192 buf = load_file("dsa_1");
199 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf), 193 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
200 sshbuf_len(buf)); 194 sshbuf_len(buf));
201 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", 195 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
202 &k1, NULL), 0);
203 sshkey_free(k1); 196 sshkey_free(k1);
204 sshbuf_free(buf); 197 sshbuf_free(buf);
205 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); 198 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
@@ -207,8 +200,7 @@ sshkey_fuzz_tests(void)
207 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { 200 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
208 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); 201 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
209 ASSERT_INT_EQ(r, 0); 202 ASSERT_INT_EQ(r, 0);
210 if (sshkey_parse_private_fileblob(fuzzed, "", "key", 203 if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
211 &k1, NULL) == 0)
212 sshkey_free(k1); 204 sshkey_free(k1);
213 sshbuf_reset(fuzzed); 205 sshbuf_reset(fuzzed);
214 } 206 }
@@ -220,8 +212,7 @@ sshkey_fuzz_tests(void)
220 buf = load_file("dsa_n"); 212 buf = load_file("dsa_n");
221 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf), 213 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
222 sshbuf_len(buf)); 214 sshbuf_len(buf));
223 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", 215 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
224 &k1, NULL), 0);
225 sshkey_free(k1); 216 sshkey_free(k1);
226 sshbuf_free(buf); 217 sshbuf_free(buf);
227 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); 218 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
@@ -229,8 +220,7 @@ sshkey_fuzz_tests(void)
229 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { 220 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
230 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); 221 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
231 ASSERT_INT_EQ(r, 0); 222 ASSERT_INT_EQ(r, 0);
232 if (sshkey_parse_private_fileblob(fuzzed, "", "key", 223 if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
233 &k1, NULL) == 0)
234 sshkey_free(k1); 224 sshkey_free(k1);
235 sshbuf_reset(fuzzed); 225 sshbuf_reset(fuzzed);
236 } 226 }
@@ -243,8 +233,7 @@ sshkey_fuzz_tests(void)
243 buf = load_file("ecdsa_1"); 233 buf = load_file("ecdsa_1");
244 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf), 234 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
245 sshbuf_len(buf)); 235 sshbuf_len(buf));
246 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", 236 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
247 &k1, NULL), 0);
248 sshkey_free(k1); 237 sshkey_free(k1);
249 sshbuf_free(buf); 238 sshbuf_free(buf);
250 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); 239 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
@@ -252,8 +241,7 @@ sshkey_fuzz_tests(void)
252 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { 241 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
253 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); 242 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
254 ASSERT_INT_EQ(r, 0); 243 ASSERT_INT_EQ(r, 0);
255 if (sshkey_parse_private_fileblob(fuzzed, "", "key", 244 if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
256 &k1, NULL) == 0)
257 sshkey_free(k1); 245 sshkey_free(k1);
258 sshbuf_reset(fuzzed); 246 sshbuf_reset(fuzzed);
259 } 247 }
@@ -265,8 +253,7 @@ sshkey_fuzz_tests(void)
265 buf = load_file("ecdsa_n"); 253 buf = load_file("ecdsa_n");
266 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf), 254 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
267 sshbuf_len(buf)); 255 sshbuf_len(buf));
268 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", 256 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
269 &k1, NULL), 0);
270 sshkey_free(k1); 257 sshkey_free(k1);
271 sshbuf_free(buf); 258 sshbuf_free(buf);
272 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); 259 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
@@ -274,8 +261,7 @@ sshkey_fuzz_tests(void)
274 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { 261 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
275 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); 262 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
276 ASSERT_INT_EQ(r, 0); 263 ASSERT_INT_EQ(r, 0);
277 if (sshkey_parse_private_fileblob(fuzzed, "", "key", 264 if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
278 &k1, NULL) == 0)
279 sshkey_free(k1); 265 sshkey_free(k1);
280 sshbuf_reset(fuzzed); 266 sshbuf_reset(fuzzed);
281 } 267 }
@@ -288,8 +274,7 @@ sshkey_fuzz_tests(void)
288 buf = load_file("ed25519_1"); 274 buf = load_file("ed25519_1");
289 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf), 275 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
290 sshbuf_len(buf)); 276 sshbuf_len(buf));
291 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", 277 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
292 &k1, NULL), 0);
293 sshkey_free(k1); 278 sshkey_free(k1);
294 sshbuf_free(buf); 279 sshbuf_free(buf);
295 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL); 280 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
@@ -297,8 +282,7 @@ sshkey_fuzz_tests(void)
297 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) { 282 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
298 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz)); 283 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
299 ASSERT_INT_EQ(r, 0); 284 ASSERT_INT_EQ(r, 0);
300 if (sshkey_parse_private_fileblob(fuzzed, "", "key", 285 if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
301 &k1, NULL) == 0)
302 sshkey_free(k1); 286 sshkey_free(k1);
303 sshbuf_reset(fuzzed); 287 sshbuf_reset(fuzzed);
304 } 288 }
@@ -308,8 +292,7 @@ sshkey_fuzz_tests(void)
308 292
309 TEST_START("fuzz RSA public"); 293 TEST_START("fuzz RSA public");
310 buf = load_file("rsa_1"); 294 buf = load_file("rsa_1");
311 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", 295 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
312 &k1, NULL), 0);
313 sshbuf_free(buf); 296 sshbuf_free(buf);
314 public_fuzz(k1); 297 public_fuzz(k1);
315 sshkey_free(k1); 298 sshkey_free(k1);
@@ -323,8 +306,7 @@ sshkey_fuzz_tests(void)
323 306
324 TEST_START("fuzz DSA public"); 307 TEST_START("fuzz DSA public");
325 buf = load_file("dsa_1"); 308 buf = load_file("dsa_1");
326 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", 309 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
327 &k1, NULL), 0);
328 sshbuf_free(buf); 310 sshbuf_free(buf);
329 public_fuzz(k1); 311 public_fuzz(k1);
330 sshkey_free(k1); 312 sshkey_free(k1);
@@ -339,8 +321,7 @@ sshkey_fuzz_tests(void)
339#ifdef OPENSSL_HAS_ECC 321#ifdef OPENSSL_HAS_ECC
340 TEST_START("fuzz ECDSA public"); 322 TEST_START("fuzz ECDSA public");
341 buf = load_file("ecdsa_1"); 323 buf = load_file("ecdsa_1");
342 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", 324 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
343 &k1, NULL), 0);
344 sshbuf_free(buf); 325 sshbuf_free(buf);
345 public_fuzz(k1); 326 public_fuzz(k1);
346 sshkey_free(k1); 327 sshkey_free(k1);
@@ -355,8 +336,7 @@ sshkey_fuzz_tests(void)
355 336
356 TEST_START("fuzz Ed25519 public"); 337 TEST_START("fuzz Ed25519 public");
357 buf = load_file("ed25519_1"); 338 buf = load_file("ed25519_1");
358 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", 339 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
359 &k1, NULL), 0);
360 sshbuf_free(buf); 340 sshbuf_free(buf);
361 public_fuzz(k1); 341 public_fuzz(k1);
362 sshkey_free(k1); 342 sshkey_free(k1);
@@ -370,39 +350,51 @@ sshkey_fuzz_tests(void)
370 350
371 TEST_START("fuzz RSA sig"); 351 TEST_START("fuzz RSA sig");
372 buf = load_file("rsa_1"); 352 buf = load_file("rsa_1");
373 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", 353 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
374 &k1, NULL), 0);
375 sshbuf_free(buf); 354 sshbuf_free(buf);
376 sig_fuzz(k1); 355 sig_fuzz(k1, "ssh-rsa");
356 sshkey_free(k1);
357 TEST_DONE();
358
359 TEST_START("fuzz RSA SHA256 sig");
360 buf = load_file("rsa_1");
361 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
362 sshbuf_free(buf);
363 sig_fuzz(k1, "rsa-sha2-256");
364 sshkey_free(k1);
365 TEST_DONE();
366
367 TEST_START("fuzz RSA SHA512 sig");
368 buf = load_file("rsa_1");
369 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
370 sshbuf_free(buf);
371 sig_fuzz(k1, "rsa-sha2-512");
377 sshkey_free(k1); 372 sshkey_free(k1);
378 TEST_DONE(); 373 TEST_DONE();
379 374
380 TEST_START("fuzz DSA sig"); 375 TEST_START("fuzz DSA sig");
381 buf = load_file("dsa_1"); 376 buf = load_file("dsa_1");
382 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", 377 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
383 &k1, NULL), 0);
384 sshbuf_free(buf); 378 sshbuf_free(buf);
385 sig_fuzz(k1); 379 sig_fuzz(k1, NULL);
386 sshkey_free(k1); 380 sshkey_free(k1);
387 TEST_DONE(); 381 TEST_DONE();
388 382
389#ifdef OPENSSL_HAS_ECC 383#ifdef OPENSSL_HAS_ECC
390 TEST_START("fuzz ECDSA sig"); 384 TEST_START("fuzz ECDSA sig");
391 buf = load_file("ecdsa_1"); 385 buf = load_file("ecdsa_1");
392 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", 386 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
393 &k1, NULL), 0);
394 sshbuf_free(buf); 387 sshbuf_free(buf);
395 sig_fuzz(k1); 388 sig_fuzz(k1, NULL);
396 sshkey_free(k1); 389 sshkey_free(k1);
397 TEST_DONE(); 390 TEST_DONE();
398#endif 391#endif
399 392
400 TEST_START("fuzz Ed25519 sig"); 393 TEST_START("fuzz Ed25519 sig");
401 buf = load_file("ed25519_1"); 394 buf = load_file("ed25519_1");
402 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key", 395 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
403 &k1, NULL), 0);
404 sshbuf_free(buf); 396 sshbuf_free(buf);
405 sig_fuzz(k1); 397 sig_fuzz(k1, NULL);
406 sshkey_free(k1); 398 sshkey_free(k1);
407 TEST_DONE(); 399 TEST_DONE();
408 400
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
index 9b3ce7ee4..1f160d1a7 100644
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_sshkey.c,v 1.7 2015/08/05 05:27:33 djm Exp $ */ 1/* $OpenBSD: test_sshkey.c,v 1.9 2015/12/07 02:20:46 djm Exp $ */
2/* 2/*
3 * Regress test for sshkey.h key management API 3 * Regress test for sshkey.h key management API
4 * 4 *
@@ -52,7 +52,8 @@ put_opt(struct sshbuf *b, const char *name, const char *value)
52 52
53static void 53static void
54build_cert(struct sshbuf *b, const struct sshkey *k, const char *type, 54build_cert(struct sshbuf *b, const struct sshkey *k, const char *type,
55 const struct sshkey *sign_key, const struct sshkey *ca_key) 55 const struct sshkey *sign_key, const struct sshkey *ca_key,
56 const char *sig_alg)
56{ 57{
57 struct sshbuf *ca_buf, *pk, *principals, *critopts, *exts; 58 struct sshbuf *ca_buf, *pk, *principals, *critopts, *exts;
58 u_char *sigblob; 59 u_char *sigblob;
@@ -99,7 +100,7 @@ build_cert(struct sshbuf *b, const struct sshkey *k, const char *type,
99 ASSERT_INT_EQ(sshbuf_put_string(b, NULL, 0), 0); /* reserved */ 100 ASSERT_INT_EQ(sshbuf_put_string(b, NULL, 0), 0); /* reserved */
100 ASSERT_INT_EQ(sshbuf_put_stringb(b, ca_buf), 0); /* signature key */ 101 ASSERT_INT_EQ(sshbuf_put_stringb(b, ca_buf), 0); /* signature key */
101 ASSERT_INT_EQ(sshkey_sign(sign_key, &sigblob, &siglen, 102 ASSERT_INT_EQ(sshkey_sign(sign_key, &sigblob, &siglen,
102 sshbuf_ptr(b), sshbuf_len(b), 0), 0); 103 sshbuf_ptr(b), sshbuf_len(b), sig_alg, 0), 0);
103 ASSERT_INT_EQ(sshbuf_put_string(b, sigblob, siglen), 0); /* signature */ 104 ASSERT_INT_EQ(sshbuf_put_string(b, sigblob, siglen), 0); /* signature */
104 105
105 free(sigblob); 106 free(sigblob);
@@ -111,12 +112,13 @@ build_cert(struct sshbuf *b, const struct sshkey *k, const char *type,
111} 112}
112 113
113static void 114static void
114signature_test(struct sshkey *k, struct sshkey *bad, const u_char *d, size_t l) 115signature_test(struct sshkey *k, struct sshkey *bad, const char *sig_alg,
116 const u_char *d, size_t l)
115{ 117{
116 size_t len; 118 size_t len;
117 u_char *sig; 119 u_char *sig;
118 120
119 ASSERT_INT_EQ(sshkey_sign(k, &sig, &len, d, l, 0), 0); 121 ASSERT_INT_EQ(sshkey_sign(k, &sig, &len, d, l, sig_alg, 0), 0);
120 ASSERT_SIZE_T_GT(len, 8); 122 ASSERT_SIZE_T_GT(len, 8);
121 ASSERT_PTR_NE(sig, NULL); 123 ASSERT_PTR_NE(sig, NULL);
122 ASSERT_INT_EQ(sshkey_verify(k, sig, len, d, l, 0), 0); 124 ASSERT_INT_EQ(sshkey_verify(k, sig, len, d, l, 0), 0);
@@ -143,7 +145,7 @@ banana(u_char *s, size_t l)
143} 145}
144 146
145static void 147static void
146signature_tests(struct sshkey *k, struct sshkey *bad) 148signature_tests(struct sshkey *k, struct sshkey *bad, const char *sig_alg)
147{ 149{
148 u_char i, buf[2049]; 150 u_char i, buf[2049];
149 size_t lens[] = { 151 size_t lens[] = {
@@ -155,7 +157,7 @@ signature_tests(struct sshkey *k, struct sshkey *bad)
155 test_subtest_info("%s key, banana length %zu", 157 test_subtest_info("%s key, banana length %zu",
156 sshkey_type(k), lens[i]); 158 sshkey_type(k), lens[i]);
157 banana(buf, lens[i]); 159 banana(buf, lens[i]);
158 signature_test(k, bad, buf, lens[i]); 160 signature_test(k, bad, sig_alg, buf, lens[i]);
159 } 161 }
160} 162}
161 163
@@ -166,7 +168,7 @@ get_private(const char *n)
166 struct sshkey *ret; 168 struct sshkey *ret;
167 169
168 b = load_file(n); 170 b = load_file(n);
169 ASSERT_INT_EQ(sshkey_parse_private_fileblob(b, "", n, &ret, NULL), 0); 171 ASSERT_INT_EQ(sshkey_parse_private_fileblob(b, "", &ret, NULL), 0);
170 sshbuf_free(b); 172 sshbuf_free(b);
171 return ret; 173 return ret;
172} 174}
@@ -469,7 +471,25 @@ sshkey_tests(void)
469 k1 = get_private("rsa_1"); 471 k1 = get_private("rsa_1");
470 ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_2.pub"), &k2, 472 ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_2.pub"), &k2,
471 NULL), 0); 473 NULL), 0);
472 signature_tests(k1, k2); 474 signature_tests(k1, k2, "ssh-rsa");
475 sshkey_free(k1);
476 sshkey_free(k2);
477 TEST_DONE();
478
479 TEST_START("sign and verify RSA-SHA256");
480 k1 = get_private("rsa_1");
481 ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_2.pub"), &k2,
482 NULL), 0);
483 signature_tests(k1, k2, "rsa-sha2-256");
484 sshkey_free(k1);
485 sshkey_free(k2);
486 TEST_DONE();
487
488 TEST_START("sign and verify RSA-SHA512");
489 k1 = get_private("rsa_1");
490 ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_2.pub"), &k2,
491 NULL), 0);
492 signature_tests(k1, k2, "rsa-sha2-512");
473 sshkey_free(k1); 493 sshkey_free(k1);
474 sshkey_free(k2); 494 sshkey_free(k2);
475 TEST_DONE(); 495 TEST_DONE();
@@ -478,7 +498,7 @@ sshkey_tests(void)
478 k1 = get_private("dsa_1"); 498 k1 = get_private("dsa_1");
479 ASSERT_INT_EQ(sshkey_load_public(test_data_file("dsa_2.pub"), &k2, 499 ASSERT_INT_EQ(sshkey_load_public(test_data_file("dsa_2.pub"), &k2,
480 NULL), 0); 500 NULL), 0);
481 signature_tests(k1, k2); 501 signature_tests(k1, k2, NULL);
482 sshkey_free(k1); 502 sshkey_free(k1);
483 sshkey_free(k2); 503 sshkey_free(k2);
484 TEST_DONE(); 504 TEST_DONE();
@@ -488,7 +508,7 @@ sshkey_tests(void)
488 k1 = get_private("ecdsa_1"); 508 k1 = get_private("ecdsa_1");
489 ASSERT_INT_EQ(sshkey_load_public(test_data_file("ecdsa_2.pub"), &k2, 509 ASSERT_INT_EQ(sshkey_load_public(test_data_file("ecdsa_2.pub"), &k2,
490 NULL), 0); 510 NULL), 0);
491 signature_tests(k1, k2); 511 signature_tests(k1, k2, NULL);
492 sshkey_free(k1); 512 sshkey_free(k1);
493 sshkey_free(k2); 513 sshkey_free(k2);
494 TEST_DONE(); 514 TEST_DONE();
@@ -498,7 +518,7 @@ sshkey_tests(void)
498 k1 = get_private("ed25519_1"); 518 k1 = get_private("ed25519_1");
499 ASSERT_INT_EQ(sshkey_load_public(test_data_file("ed25519_2.pub"), &k2, 519 ASSERT_INT_EQ(sshkey_load_public(test_data_file("ed25519_2.pub"), &k2,
500 NULL), 0); 520 NULL), 0);
501 signature_tests(k1, k2); 521 signature_tests(k1, k2, NULL);
502 sshkey_free(k1); 522 sshkey_free(k1);
503 sshkey_free(k2); 523 sshkey_free(k2);
504 TEST_DONE(); 524 TEST_DONE();
@@ -508,7 +528,7 @@ sshkey_tests(void)
508 ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2, 528 ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2,
509 NULL), 0); 529 NULL), 0);
510 k3 = get_private("rsa_1"); 530 k3 = get_private("rsa_1");
511 build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1); 531 build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1, NULL);
512 ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(b), sshbuf_len(b), &k4), 532 ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(b), sshbuf_len(b), &k4),
513 SSH_ERR_KEY_CERT_INVALID_SIGN_KEY); 533 SSH_ERR_KEY_CERT_INVALID_SIGN_KEY);
514 ASSERT_PTR_EQ(k4, NULL); 534 ASSERT_PTR_EQ(k4, NULL);