Diffstat (limited to 'regress')
60 files changed, 729 insertions, 1111 deletions
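--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.94 2016/12/16 03:51:19 dtucker Exp $
+# $OpenBSD: Makefile,v 1.95 2017/06/24 06:35:24 djm Exp $
 
 REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
 tests: prep $(REGRESS_TARGETS)
@@ -79,7 +79,8 @@ LTESTS= connect \
 principals-command \
 cert-file \
 cfginclude \
-allow-deny-users
+allow-deny-users \
+authinfo
 
 
 # dhgex \
@@ -89,30 +90,33 @@ INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
 
 #LTESTS= cipher-speed
 
-USERNAME!= id -un
+USERNAME= ${LOGNAME}
 CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
 authorized_keys_${USERNAME}.* \
 authorized_principals_${USERNAME} \
 banner.in banner.out cert_host_key* cert_user_key* \
 copy.1 copy.2 data ed25519-agent ed25519-agent* \
-ed25519-agent.pub empty.in expect failed-regress.log \
-failed-ssh.log failed-sshd.log hkr.* host.rsa host.rsa1 \
-host_* host_ca_key* host_krl_* host_revoked_* key.* \
-key.dsa-* key.ecdsa-* key.ed25519-512 key.ed25519-512.pub \
-key.rsa-* keys-command-args kh.* known_hosts \
-known_hosts-cert known_hosts.* krl-* ls.copy modpipe \
-netcat pidfile putty.rsa2 ready regress.log remote_pid \
-revoked-* rsa rsa-agent rsa-agent.pub rsa.pub rsa1 \
-rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \
+ed25519-agent.pub ed25519 ed25519.pub empty.in \
+expect failed-regress.log failed-ssh.log failed-sshd.log \
+hkr.* host.ed25519 host.rsa host.rsa1 host_* \
+host_ca_key* host_krl_* host_revoked_* key.* \
+key.dsa-* key.ecdsa-* key.ed25519-512 \
+key.ed25519-512.pub key.rsa-* keys-command-args kh.* \
+known_hosts known_hosts-cert known_hosts.* krl-* ls.copy \
+modpipe netcat no_identity_config \
+pidfile putty.rsa2 ready regress.log \
+remote_pid revoked-* rsa rsa-agent rsa-agent.pub rsa.pub \
+rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \
 rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
 scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
 sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
 ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
-ssh_proxy_envpass sshd.log sshd_config sshd_config.orig \
-sshd_proxy sshd_proxy.* sshd_proxy_bak sshd_proxy_orig \
-t10.out t10.out.pub t12.out t12.out.pub t2.out t3.out \
-t6.out1 t6.out2 t7.out t7.out.pub t8.out t8.out.pub \
-t9.out t9.out.pub testdata user_*key* user_ca* user_key*
+ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \
+sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \
+sshd_proxy_orig t10.out t10.out.pub t12.out t12.out.pub \
+t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub \
+t8.out t8.out.pub t9.out t9.out.pub testdata \
+user_*key* user_ca* user_key*
 
 SUDO_CLEAN+= /var/run/testdata_${USERNAME} /var/run/keycommand_${USERNAME}
 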
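Review bot: `USERNAME= ${LOGNAME}` now takes the account name from the caller's environment instead of asking `id -un`, and that value is expanded into `CLEANFILES` and into the `SUDO_CLEAN` paths `/var/run/testdata_${USERNAME}` and `/var/run/keycommand_${USERNAME}`. When LOGNAME is unset, empty, or does not match the effective user (a cron job, a container, a privilege change that keeps the old environment), the clean step names the wrong files. The `SUDO_CLEAN` entries are presumably removed with elevated privileges, although how that variable is consumed is not visible in this hunk. I would state the requirement next to the assignment, for example `# LOGNAME must name the invoking user; it is expanded into paths removed by clean and SUDO_CLEAN`, and have the harness stop early when the value is empty.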
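--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent-getpeereid.sh,v 1.8 2017/01/06 02:51:16 djm Exp $
+# $OpenBSD: agent-getpeereid.sh,v 1.9 2017/09/13 14:58:26 bluhm Exp $
 # Placed in the Public Domain.
 
 tid="disallow agent attach from other uid"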
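--- a/regress/agent-pkcs11.sh
+++ b/regress/agent-pkcs11.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent-pkcs11.sh,v 1.2 2015/01/12 11:46:32 djm Exp $
+# $OpenBSD: agent-pkcs11.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="pkcs11 agent test"
@@ -53,7 +53,7 @@ else
 fi
 
 trace "pkcs11 connect via agent"
-${SSH} -2 -F $OBJ/ssh_proxy somehost exit 5
+${SSH} -F $OBJ/ssh_proxy somehost exit 5
 r=$?
 if [ $r -ne 5 ]; then
 fail "ssh connect failed (exit code $r)"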
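--- a/regress/agent.sh
+++ b/regress/agent.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent.sh,v 1.11 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: agent.sh,v 1.12 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="simple agent test"
@@ -46,28 +46,24 @@ else
 fi
 
 trace "simple connect via agent"
-for p in ${SSH_PROTOCOLS}; do
-${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p
-r=$?
-if [ $r -ne 5$p ]; then
-fail "ssh connect with protocol $p failed (exit code $r)"
-fi
-done
+${SSH} -F $OBJ/ssh_proxy somehost exit 52
+r=$?
+if [ $r -ne 52 ]; then
+fail "ssh connect with failed (exit code $r)"
+fi
 
 trace "agent forwarding"
-for p in ${SSH_PROTOCOLS}; do
-${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
-r=$?
-if [ $r -ne 0 ]; then
-fail "ssh-add -l via agent fwd proto $p failed (exit code $r)"
-fi
-${SSH} -A -$p -F $OBJ/ssh_proxy somehost \
-"${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p"
-r=$?
-if [ $r -ne 5$p ]; then
-fail "agent fwd proto $p failed (exit code $r)"
-fi
-done
+${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
+r=$?
+if [ $r -ne 0 ]; then
+fail "ssh-add -l via agent fwd failed (exit code $r)"
+fi
+${SSH} -A -F $OBJ/ssh_proxy somehost \
+"${SSH} -F $OBJ/ssh_proxy somehost exit 52"
+r=$?
+if [ $r -ne 52 ]; then
+fail "agent fwd failed (exit code $r)"
+fi
 
 trace "delete all agent keys"
 ${SSHADD} -D > /dev/null 2>&1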
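Review bot: The new failure message `fail "ssh connect with failed (exit code $r)"` is what was left after deleting `protocol $p` and no longer reads as a sentence; `fail "ssh connect failed (exit code $r)"` matches the wording already used in regress/agent-pkcs11.sh. The same leftover appears in regress/brokenkeys.sh (`"ssh connect with failed"`) and three times in regress/cert-file.sh (`"ssh connect with agent in succeeded with no cert"` and the two messages after it). These strings are what a maintainer reads when an authentication test regresses, so they should say plainly which check failed.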
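--- /dev/null
+++ b/regress/authinfo.sh
@@ -0,0 +1,17 @@
+# $OpenBSD: authinfo.sh,v 1.1 2017/06/24 06:35:24 djm Exp $
+# Placed in the Public Domain.
+
+tid="authinfo"
+
+# Ensure the environment variable doesn't leak when ExposeAuthInfo=no.
+verbose "ExposeAuthInfo=no"
+env SSH_USER_AUTH=blah ${SSH} -F $OBJ/ssh_proxy x \
+'test -z "$SSH_USER_AUTH"' || fail "SSH_USER_AUTH present"
+
+verbose "ExposeAuthInfo=yes"
+echo ExposeAuthInfo=yes >> $OBJ/sshd_proxy
+${SSH} -F $OBJ/ssh_proxy x \
+'grep ^publickey "$SSH_USER_AUTH" /dev/null >/dev/null' ||
+fail "ssh with ExposeAuthInfo failed"
+
+# XXX test multiple auth and key contents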
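Review bot: In the `ExposeAuthInfo=no` case, `'test -z "$SSH_USER_AUTH"' || fail "SSH_USER_AUTH present"` reports a leak for every non-zero exit, including an ssh that never connected (ssh itself exits 255 on connection errors), so the message can send the reader looking for an information leak that did not happen. Capturing the status the way the neighbouring tests in this commit do, `r=$?` followed by `[ $r -ne 0 ] && fail "SSH_USER_AUTH check failed (exit code $r)"`, keeps the two causes apart. The `ExposeAuthInfo=yes` case also appends to `$OBJ/sshd_proxy` and never restores it. That is safe only if the harness regenerates the file for each test, which is not visible here, so a one-line comment stating that assumption would help.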
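--- a/regress/banner.sh
+++ b/regress/banner.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: banner.sh,v 1.2 2003/10/11 11:49:49 dtucker Exp $
+# $OpenBSD: banner.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="banner"
@@ -9,7 +9,7 @@ touch $OBJ/empty.in
 
 trace "test missing banner file"
 verbose "test $tid: missing banner file"
-( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
 cmp $OBJ/empty.in $OBJ/banner.out ) || \
 fail "missing banner file"
 
@@ -30,14 +30,14 @@ for s in 0 10 100 1000 10000 100000 ; do
 
 trace "test banner size $s"
 verbose "test $tid: size $s"
-( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
 cmp $OBJ/banner.in $OBJ/banner.out ) || \
 fail "banner size $s mismatch"
 done
 
 trace "test suppress banner (-q)"
 verbose "test $tid: suppress banner (-q)"
-( ${SSH} -q -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+( ${SSH} -q -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
 cmp $OBJ/empty.in $OBJ/banner.out ) || \
 fail "suppress banner (-q)"
 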
diff --git a/regress/broken-pipe.sh b/regress/broken-pipe.sh index a416f7a3b..c69276e27 100644 --- a/regress/broken-pipe.sh +++ b/regress/broken-pipe.sh | |||
@@ -1,15 +1,12 @@ | |||
1 | # $OpenBSD: broken-pipe.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: broken-pipe.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="broken pipe test" | 4 | tid="broken pipe test" |
5 | 5 | ||
6 | for p in ${SSH_PROTOCOLS}; do | 6 | for i in 1 2 3 4; do |
7 | trace "protocol $p" | 7 | ${SSH} -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true |
8 | for i in 1 2 3 4; do | 8 | r=$? |
9 | ${SSH} -$p -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true | 9 | if [ $r -ne 0 ]; then |
10 | r=$? | 10 | fail "broken pipe returns $r" |
11 | if [ $r -ne 0 ]; then | 11 | fi |
12 | fail "broken pipe returns $r for protocol $p" | ||
13 | fi | ||
14 | done | ||
15 | done | 12 | done |
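Review bot: `r=$?` after `${SSH} -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true` reads the exit status of `true`, the last command in the pipeline, so `r` is always 0 and `fail "broken pipe returns $r"` can never fire. This predates the commit, but the rewritten loop carries it over unchanged. As written the test only shows that ssh terminates when the reader of its stdout goes away. If that is the intent, say so above the loop, for example `# only checks that ssh exits when its stdout reader is gone; $? below is the status of true`. If ssh's own status is meant to be checked, it has to be captured before the pipe discards it.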
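--- a/regress/brokenkeys.sh
+++ b/regress/brokenkeys.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: brokenkeys.sh,v 1.1 2004/10/29 23:59:22 djm Exp $
+# $OpenBSD: brokenkeys.sh,v 1.2 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="broken keys"
@@ -14,9 +14,9 @@ echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEABTM= bad key" > $KEYS
 cat ${KEYS}.bak >> ${KEYS}
 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
 
-${SSH} -2 -F $OBJ/ssh_config somehost true
+${SSH} -F $OBJ/ssh_config somehost true
 if [ $? -ne 0 ]; then
-fail "ssh connect with protocol $p failed"
+fail "ssh connect with failed"
 fi
 
 mv ${KEYS}.bak ${KEYS}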
diff --git a/regress/cert-file.sh b/regress/cert-file.sh index 43b8e0201..8fd62c773 100644 --- a/regress/cert-file.sh +++ b/regress/cert-file.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: cert-file.sh,v 1.5 2017/03/11 23:44:16 djm Exp $ | 1 | # $OpenBSD: cert-file.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="ssh with certificates" | 4 | tid="ssh with certificates" |
@@ -54,66 +54,64 @@ cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config | |||
54 | # XXX: verify that certificate used was what we expect. Needs exposure of | 54 | # XXX: verify that certificate used was what we expect. Needs exposure of |
55 | # keys via enviornment variable or similar. | 55 | # keys via enviornment variable or similar. |
56 | 56 | ||
57 | for p in ${SSH_PROTOCOLS}; do | ||
58 | # Key with no .pub should work - finding the equivalent *-cert.pub. | 57 | # Key with no .pub should work - finding the equivalent *-cert.pub. |
59 | verbose "protocol $p: identity cert with no plain public file" | 58 | verbose "identity cert with no plain public file" |
60 | ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ | 59 | ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ |
61 | -i $OBJ/user_key3 somehost exit 5$p | 60 | -i $OBJ/user_key3 somehost exit 52 |
62 | [ $? -ne 5$p ] && fail "ssh failed" | 61 | [ $? -ne 52 ] && fail "ssh failed" |
63 | 62 | ||
64 | # CertificateFile matching private key with no .pub file should work. | 63 | # CertificateFile matching private key with no .pub file should work. |
65 | verbose "protocol $p: CertificateFile with no plain public file" | 64 | verbose "CertificateFile with no plain public file" |
66 | ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ | 65 | ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ |
67 | -oCertificateFile=$OBJ/user_key3-cert.pub \ | 66 | -oCertificateFile=$OBJ/user_key3-cert.pub \ |
68 | -i $OBJ/user_key3 somehost exit 5$p | 67 | -i $OBJ/user_key3 somehost exit 52 |
69 | [ $? -ne 5$p ] && fail "ssh failed" | 68 | [ $? -ne 52 ] && fail "ssh failed" |
70 | 69 | ||
71 | # Just keys should fail | 70 | # Just keys should fail |
72 | verbose "protocol $p: plain keys" | 71 | verbose "plain keys" |
73 | ${SSH} $opts2 somehost exit 5$p | 72 | ${SSH} $opts2 somehost exit 52 |
74 | r=$? | 73 | r=$? |
75 | if [ $r -eq 5$p ]; then | 74 | if [ $r -eq 52 ]; then |
76 | fail "ssh succeeded with no certs in protocol $p" | 75 | fail "ssh succeeded with no certs" |
77 | fi | 76 | fi |
78 | 77 | ||
79 | # Keys with untrusted cert should fail. | 78 | # Keys with untrusted cert should fail. |
80 | verbose "protocol $p: untrusted cert" | 79 | verbose "untrusted cert" |
81 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" | 80 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" |
82 | ${SSH} $opts3 somehost exit 5$p | 81 | ${SSH} $opts3 somehost exit 52 |
83 | r=$? | 82 | r=$? |
84 | if [ $r -eq 5$p ]; then | 83 | if [ $r -eq 52 ]; then |
85 | fail "ssh succeeded with bad cert in protocol $p" | 84 | fail "ssh succeeded with bad cert" |
86 | fi | 85 | fi |
87 | 86 | ||
88 | # Good cert with bad key should fail. | 87 | # Good cert with bad key should fail. |
89 | verbose "protocol $p: good cert, bad key" | 88 | verbose "good cert, bad key" |
90 | opts3="$opts -i $OBJ/user_key2" | 89 | opts3="$opts -i $OBJ/user_key2" |
91 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" | 90 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" |
92 | ${SSH} $opts3 somehost exit 5$p | 91 | ${SSH} $opts3 somehost exit 52 |
93 | r=$? | 92 | r=$? |
94 | if [ $r -eq 5$p ]; then | 93 | if [ $r -eq 52 ]; then |
95 | fail "ssh succeeded with no matching key in protocol $p" | 94 | fail "ssh succeeded with no matching key" |
96 | fi | 95 | fi |
97 | 96 | ||
98 | # Keys with one trusted cert, should succeed. | 97 | # Keys with one trusted cert, should succeed. |
99 | verbose "protocol $p: single trusted" | 98 | verbose "single trusted" |
100 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" | 99 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" |
101 | ${SSH} $opts3 somehost exit 5$p | 100 | ${SSH} $opts3 somehost exit 52 |
102 | r=$? | 101 | r=$? |
103 | if [ $r -ne 5$p ]; then | 102 | if [ $r -ne 52 ]; then |
104 | fail "ssh failed with trusted cert and key in protocol $p" | 103 | fail "ssh failed with trusted cert and key" |
105 | fi | 104 | fi |
106 | 105 | ||
107 | # Multiple certs and keys, with one trusted cert, should succeed. | 106 | # Multiple certs and keys, with one trusted cert, should succeed. |
108 | verbose "protocol $p: multiple trusted" | 107 | verbose "multiple trusted" |
109 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" | 108 | opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" |
110 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" | 109 | opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" |
111 | ${SSH} $opts3 somehost exit 5$p | 110 | ${SSH} $opts3 somehost exit 52 |
112 | r=$? | 111 | r=$? |
113 | if [ $r -ne 5$p ]; then | 112 | if [ $r -ne 52 ]; then |
114 | fail "ssh failed with multiple certs in protocol $p" | 113 | fail "ssh failed with multiple certs" |
115 | fi | 114 | fi |
116 | done | ||
117 | 115 | ||
118 | #next, using an agent in combination with the keys | 116 | #next, using an agent in combination with the keys |
119 | SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1 | 117 | SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1 |
@@ -139,26 +137,25 @@ if [ $? -ne 0 ]; then | |||
139 | fi | 137 | fi |
140 | 138 | ||
141 | # try ssh with the agent and certificates | 139 | # try ssh with the agent and certificates |
142 | # note: ssh agent only uses certificates in protocol 2 | ||
143 | opts="-F $OBJ/ssh_proxy" | 140 | opts="-F $OBJ/ssh_proxy" |
144 | # with no certificates, shoud fail | 141 | # with no certificates, shoud fail |
145 | ${SSH} -2 $opts somehost exit 52 | 142 | ${SSH} $opts somehost exit 52 |
146 | if [ $? -eq 52 ]; then | 143 | if [ $? -eq 52 ]; then |
147 | fail "ssh connect with agent in protocol 2 succeeded with no cert" | 144 | fail "ssh connect with agent in succeeded with no cert" |
148 | fi | 145 | fi |
149 | 146 | ||
150 | #with an untrusted certificate, should fail | 147 | #with an untrusted certificate, should fail |
151 | opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub" | 148 | opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub" |
152 | ${SSH} -2 $opts somehost exit 52 | 149 | ${SSH} $opts somehost exit 52 |
153 | if [ $? -eq 52 ]; then | 150 | if [ $? -eq 52 ]; then |
154 | fail "ssh connect with agent in protocol 2 succeeded with bad cert" | 151 | fail "ssh connect with agent in succeeded with bad cert" |
155 | fi | 152 | fi |
156 | 153 | ||
157 | #with an additional trusted certificate, should succeed | 154 | #with an additional trusted certificate, should succeed |
158 | opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub" | 155 | opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub" |
159 | ${SSH} -2 $opts somehost exit 52 | 156 | ${SSH} $opts somehost exit 52 |
160 | if [ $? -ne 52 ]; then | 157 | if [ $? -ne 52 ]; then |
161 | fail "ssh connect with agent in protocol 2 failed with good cert" | 158 | fail "ssh connect with agent in failed with good cert" |
162 | fi | 159 | fi |
163 | 160 | ||
164 | trace "kill agent" | 161 | trace "kill agent" |
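--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-hostkey.sh,v 1.14 2016/05/02 09:52:00 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.15 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="certified host keys"
@@ -104,7 +104,7 @@ attempt_connect() {
 shift; shift
 verbose "$tid: $_ident expect success $_expect_success"
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 "$@" -F $OBJ/ssh_proxy somehost true
 _r=$?
@@ -169,7 +169,7 @@ for privsep in yes no ; do
 ) > $OBJ/sshd_proxy
 
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
@@ -190,7 +190,7 @@ for ktype in $PLAIN_TYPES ; do
 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
 ) > $OBJ/sshd_proxy
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
@@ -222,7 +222,7 @@ test_one() {
 ) > $OBJ/sshd_proxy
 
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 rc=$?
@@ -271,7 +271,7 @@ for ktype in $PLAIN_TYPES ; do
 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
 ) > $OBJ/sshd_proxy
 
-${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 -F $OBJ/ssh_proxy somehost true
 if [ $? -ne 0 ]; then
@@ -303,7 +303,7 @@ for kt in $PLAIN_TYPES ; do
 ) > $OBJ/sshd_proxy
 
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then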
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 7005fd55e..6a23fe300 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: cert-userkey.sh,v 1.17 2016/11/30 03:01:33 djm Exp $ | 1 | # $OpenBSD: cert-userkey.sh,v 1.18 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="certified user keys" | 4 | tid="certified user keys" |
@@ -67,7 +67,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | |||
67 | # Missing authorized_principals | 67 | # Missing authorized_principals |
68 | verbose "$tid: ${_prefix} missing authorized_principals" | 68 | verbose "$tid: ${_prefix} missing authorized_principals" |
69 | rm -f $OBJ/authorized_principals_$USER | 69 | rm -f $OBJ/authorized_principals_$USER |
70 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 70 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
71 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 71 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
72 | if [ $? -eq 0 ]; then | 72 | if [ $? -eq 0 ]; then |
73 | fail "ssh cert connect succeeded unexpectedly" | 73 | fail "ssh cert connect succeeded unexpectedly" |
@@ -76,7 +76,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | |||
76 | # Empty authorized_principals | 76 | # Empty authorized_principals |
77 | verbose "$tid: ${_prefix} empty authorized_principals" | 77 | verbose "$tid: ${_prefix} empty authorized_principals" |
78 | echo > $OBJ/authorized_principals_$USER | 78 | echo > $OBJ/authorized_principals_$USER |
79 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 79 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
80 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 80 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
81 | if [ $? -eq 0 ]; then | 81 | if [ $? -eq 0 ]; then |
82 | fail "ssh cert connect succeeded unexpectedly" | 82 | fail "ssh cert connect succeeded unexpectedly" |
@@ -85,7 +85,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | |||
85 | # Wrong authorized_principals | 85 | # Wrong authorized_principals |
86 | verbose "$tid: ${_prefix} wrong authorized_principals" | 86 | verbose "$tid: ${_prefix} wrong authorized_principals" |
87 | echo gregorsamsa > $OBJ/authorized_principals_$USER | 87 | echo gregorsamsa > $OBJ/authorized_principals_$USER |
88 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 88 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
89 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 89 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
90 | if [ $? -eq 0 ]; then | 90 | if [ $? -eq 0 ]; then |
91 | fail "ssh cert connect succeeded unexpectedly" | 91 | fail "ssh cert connect succeeded unexpectedly" |
@@ -94,7 +94,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | |||
94 | # Correct authorized_principals | 94 | # Correct authorized_principals |
95 | verbose "$tid: ${_prefix} correct authorized_principals" | 95 | verbose "$tid: ${_prefix} correct authorized_principals" |
96 | echo mekmitasdigoat > $OBJ/authorized_principals_$USER | 96 | echo mekmitasdigoat > $OBJ/authorized_principals_$USER |
97 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 97 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
98 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 98 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
99 | if [ $? -ne 0 ]; then | 99 | if [ $? -ne 0 ]; then |
100 | fail "ssh cert connect failed" | 100 | fail "ssh cert connect failed" |
@@ -103,7 +103,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | |||
103 | # authorized_principals with bad key option | 103 | # authorized_principals with bad key option |
104 | verbose "$tid: ${_prefix} authorized_principals bad key opt" | 104 | verbose "$tid: ${_prefix} authorized_principals bad key opt" |
105 | echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER | 105 | echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER |
106 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 106 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
107 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 107 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
108 | if [ $? -eq 0 ]; then | 108 | if [ $? -eq 0 ]; then |
109 | fail "ssh cert connect succeeded unexpectedly" | 109 | fail "ssh cert connect succeeded unexpectedly" |
@@ -113,7 +113,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | |||
113 | verbose "$tid: ${_prefix} authorized_principals command=false" | 113 | verbose "$tid: ${_prefix} authorized_principals command=false" |
114 | echo 'command="false" mekmitasdigoat' > \ | 114 | echo 'command="false" mekmitasdigoat' > \ |
115 | $OBJ/authorized_principals_$USER | 115 | $OBJ/authorized_principals_$USER |
116 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 116 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
117 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 117 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
118 | if [ $? -eq 0 ]; then | 118 | if [ $? -eq 0 ]; then |
119 | fail "ssh cert connect succeeded unexpectedly" | 119 | fail "ssh cert connect succeeded unexpectedly" |
@@ -124,7 +124,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | |||
124 | verbose "$tid: ${_prefix} authorized_principals command=true" | 124 | verbose "$tid: ${_prefix} authorized_principals command=true" |
125 | echo 'command="true" mekmitasdigoat' > \ | 125 | echo 'command="true" mekmitasdigoat' > \ |
126 | $OBJ/authorized_principals_$USER | 126 | $OBJ/authorized_principals_$USER |
127 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 127 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
128 | -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 | 128 | -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 |
129 | if [ $? -ne 0 ]; then | 129 | if [ $? -ne 0 ]; then |
130 | fail "ssh cert connect failed" | 130 | fail "ssh cert connect failed" |
@@ -148,7 +148,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | |||
148 | printf 'cert-authority,principals="gregorsamsa" ' | 148 | printf 'cert-authority,principals="gregorsamsa" ' |
149 | cat $OBJ/user_ca_key.pub | 149 | cat $OBJ/user_ca_key.pub |
150 | ) > $OBJ/authorized_keys_$USER | 150 | ) > $OBJ/authorized_keys_$USER |
151 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 151 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
152 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 152 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
153 | if [ $? -eq 0 ]; then | 153 | if [ $? -eq 0 ]; then |
154 | fail "ssh cert connect succeeded unexpectedly" | 154 | fail "ssh cert connect succeeded unexpectedly" |
@@ -160,7 +160,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do | |||
160 | printf 'cert-authority,principals="mekmitasdigoat" ' | 160 | printf 'cert-authority,principals="mekmitasdigoat" ' |
161 | cat $OBJ/user_ca_key.pub | 161 | cat $OBJ/user_ca_key.pub |
162 | ) > $OBJ/authorized_keys_$USER | 162 | ) > $OBJ/authorized_keys_$USER |
163 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 163 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
164 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 164 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
165 | if [ $? -ne 0 ]; then | 165 | if [ $? -ne 0 ]; then |
166 | fail "ssh cert connect failed" | 166 | fail "ssh cert connect failed" |
@@ -198,7 +198,7 @@ basic_tests() { | |||
198 | echo "PubkeyAcceptedKeyTypes ${t}" | 198 | echo "PubkeyAcceptedKeyTypes ${t}" |
199 | ) > $OBJ/ssh_proxy | 199 | ) > $OBJ/ssh_proxy |
200 | 200 | ||
201 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 201 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
202 | -F $OBJ/ssh_proxy somehost true | 202 | -F $OBJ/ssh_proxy somehost true |
203 | if [ $? -ne 0 ]; then | 203 | if [ $? -ne 0 ]; then |
204 | fail "ssh cert connect failed" | 204 | fail "ssh cert connect failed" |
@@ -215,7 +215,7 @@ basic_tests() { | |||
215 | ) > $OBJ/sshd_proxy | 215 | ) > $OBJ/sshd_proxy |
216 | cp $OBJ/cert_user_key_${ktype}.pub \ | 216 | cp $OBJ/cert_user_key_${ktype}.pub \ |
217 | $OBJ/cert_user_key_revoked | 217 | $OBJ/cert_user_key_revoked |
218 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 218 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
219 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 219 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
220 | if [ $? -eq 0 ]; then | 220 | if [ $? -eq 0 ]; then |
221 | fail "ssh cert connect succeeded unexpecedly" | 221 | fail "ssh cert connect succeeded unexpecedly" |
@@ -224,14 +224,14 @@ basic_tests() { | |||
224 | rm $OBJ/cert_user_key_revoked | 224 | rm $OBJ/cert_user_key_revoked |
225 | ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \ | 225 | ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \ |
226 | $OBJ/cert_user_key_${ktype}.pub | 226 | $OBJ/cert_user_key_${ktype}.pub |
227 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 227 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
228 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 228 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
229 | if [ $? -eq 0 ]; then | 229 | if [ $? -eq 0 ]; then |
230 | fail "ssh cert connect succeeded unexpecedly" | 230 | fail "ssh cert connect succeeded unexpecedly" |
231 | fi | 231 | fi |
232 | verbose "$tid: ${_prefix} empty KRL" | 232 | verbose "$tid: ${_prefix} empty KRL" |
233 | ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked | 233 | ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked |
234 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 234 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
235 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 235 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
236 | if [ $? -ne 0 ]; then | 236 | if [ $? -ne 0 ]; then |
237 | fail "ssh cert connect failed" | 237 | fail "ssh cert connect failed" |
@@ -246,7 +246,7 @@ basic_tests() { | |||
246 | echo "PubkeyAcceptedKeyTypes ${t}" | 246 | echo "PubkeyAcceptedKeyTypes ${t}" |
247 | echo "$extra_sshd" | 247 | echo "$extra_sshd" |
248 | ) > $OBJ/sshd_proxy | 248 | ) > $OBJ/sshd_proxy |
249 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ | 249 | ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ |
250 | somehost true >/dev/null 2>&1 | 250 | somehost true >/dev/null 2>&1 |
251 | if [ $? -eq 0 ]; then | 251 | if [ $? -eq 0 ]; then |
252 | fail "ssh cert connect succeeded unexpecedly" | 252 | fail "ssh cert connect succeeded unexpecedly" |
@@ -260,7 +260,7 @@ basic_tests() { | |||
260 | echo "$extra_sshd" | 260 | echo "$extra_sshd" |
261 | ) > $OBJ/sshd_proxy | 261 | ) > $OBJ/sshd_proxy |
262 | verbose "$tid: ensure CA key does not authenticate user" | 262 | verbose "$tid: ensure CA key does not authenticate user" |
263 | ${SSH} -2i $OBJ/user_ca_key \ | 263 | ${SSH} -i $OBJ/user_ca_key \ |
264 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 264 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
265 | if [ $? -eq 0 ]; then | 265 | if [ $? -eq 0 ]; then |
266 | fail "ssh cert connect with CA key succeeded unexpectedly" | 266 | fail "ssh cert connect with CA key succeeded unexpectedly" |
@@ -307,7 +307,7 @@ test_one() { | |||
307 | $sign_opts $OBJ/cert_user_key_${ktype} || | 307 | $sign_opts $OBJ/cert_user_key_${ktype} || |
308 | fail "couldn't sign cert_user_key_${ktype}" | 308 | fail "couldn't sign cert_user_key_${ktype}" |
309 | 309 | ||
310 | ${SSH} -2i $OBJ/cert_user_key_${ktype} \ | 310 | ${SSH} -i $OBJ/cert_user_key_${ktype} \ |
311 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 | 311 | -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 |
312 | rc=$? | 312 | rc=$? |
313 | if [ "x$result" = "xsuccess" ] ; then | 313 | if [ "x$result" = "xsuccess" ] ; then |
@@ -378,7 +378,7 @@ for ktype in $PLAIN_TYPES ; do | |||
378 | -n $USER $OBJ/cert_user_key_${ktype} || | 378 | -n $USER $OBJ/cert_user_key_${ktype} || |
379 | fatal "couldn't sign cert_user_key_${ktype}" | 379 | fatal "couldn't sign cert_user_key_${ktype}" |
380 | verbose "$tid: user ${ktype} connect wrong cert" | 380 | verbose "$tid: user ${ktype} connect wrong cert" |
381 | ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ | 381 | ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ |
382 | somehost true >/dev/null 2>&1 | 382 | somehost true >/dev/null 2>&1 |
383 | if [ $? -eq 0 ]; then | 383 | if [ $? -eq 0 ]; then |
384 | fail "ssh cert connect $ident succeeded unexpectedly" | 384 | fail "ssh cert connect $ident succeeded unexpectedly" |
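--- a/regress/cfgmatch.sh
+++ b/regress/cfgmatch.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cfgmatch.sh,v 1.9 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: cfgmatch.sh,v 1.10 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="sshd_config match"
@@ -13,7 +13,7 @@ echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
 start_client()
 {
 rm -f $pidfile
-${SSH} -q -$p $fwd "$@" somehost \
+${SSH} -q $fwd "$@" somehost \
 exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
 >>$TEST_REGRESS_LOGFILE 2>&1 &
 client_pid=$!
@@ -56,22 +56,18 @@ start_sshd
 #set -x
 
 # Test Match + PermitOpen in sshd_config. This should be permitted
-for p in ${SSH_PROTOCOLS}; do
-trace "match permitopen localhost proto $p"
-start_client -F $OBJ/ssh_config
-${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
-fail "match permitopen permit proto $p"
-stop_client
-done
+trace "match permitopen localhost"
+start_client -F $OBJ/ssh_config
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+fail "match permitopen permit"
+stop_client
 
 # Same but from different source. This should not be permitted
-for p in ${SSH_PROTOCOLS}; do
-trace "match permitopen proxy proto $p"
-start_client -F $OBJ/ssh_proxy
-${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
-fail "match permitopen deny proto $p"
-stop_client
-done
+trace "match permitopen proxy"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
+fail "match permitopen deny"
+stop_client
 
 # Retry previous with key option, should also be denied.
 cp /dev/null $OBJ/authorized_keys_$USER
@@ -79,23 +75,19 @@ for t in ${SSH_KEYTYPES}; do
 printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER
 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
 done
-for p in ${SSH_PROTOCOLS}; do
-trace "match permitopen proxy w/key opts proto $p"
-start_client -F $OBJ/ssh_proxy
-${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
-fail "match permitopen deny w/key opt proto $p"
-stop_client
-done
+trace "match permitopen proxy w/key opts"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
+fail "match permitopen deny w/key opt"
+stop_client
 
 # Test both sshd_config and key options permitting the same dst/port pair.
 # Should be permitted.
-for p in ${SSH_PROTOCOLS}; do
-trace "match permitopen localhost proto $p"
-start_client -F $OBJ/ssh_config
-${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
-fail "match permitopen permit proto $p"
-stop_client
-done
+trace "match permitopen localhost"
+start_client -F $OBJ/ssh_config
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+fail "match permitopen permit"
+stop_client
 
 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
@@ -103,13 +95,11 @@ echo "Match User $USER" >>$OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
 
 # Test that a Match overrides a PermitOpen in the global section
-for p in ${SSH_PROTOCOLS}; do
-trace "match permitopen proxy w/key opts proto $p"
-start_client -F $OBJ/ssh_proxy
-${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
-fail "match override permitopen proto $p"
-stop_client
-done
+trace "match permitopen proxy w/key opts"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
+fail "match override permitopen"
+stop_client
 
 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
@@ -118,10 +108,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
 
 # Test that a rule that doesn't match doesn't override, plus test a
 # PermitOpen entry that's not at the start of the list
-for p in ${SSH_PROTOCOLS}; do
-trace "nomatch permitopen proxy w/key opts proto $p"
-start_client -F $OBJ/ssh_proxy
-${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
-fail "nomatch override permitopen proto $p"
-stop_client
-done
+trace "nomatch permitopen proxy w/key opts"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+fail "nomatch override permitopen"
+stop_client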
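Review bot: With the `proto $p` suffix gone, several trace labels no longer identify their case: `trace "match permitopen localhost"` now appears at new lines 59 and 86, and `trace "match permitopen proxy w/key opts"` at new lines 78 and 98, although line 98 introduces the Match-overrides-global test. I would make them distinct, for example `trace "match permitopen localhost w/key opts"` at line 86 and `trace "match override permitopen"` at line 98, so a failing PermitOpen case can be picked out of the regress log. Separately, the deny cases (`... somehost true && fail ...`) accept any non-zero exit from ssh as a refusal; whether an unrelated connection failure can reach that point depends on `start_client`, whose body continues outside the hunk.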
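--- a/regress/cipher-speed.sh
+++ b/regress/cipher-speed.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cipher-speed.sh,v 1.13 2015/03/24 20:22:17 markus Exp $
+# $OpenBSD: cipher-speed.sh,v 1.14 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="cipher speed"
@@ -12,16 +12,16 @@ getbytes ()
 tries="1 2"
 
 for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do
-trace "proto 2 cipher $c mac $m"
+trace "cipher $c mac $m"
 for x in $tries; do
 printf "%-60s" "$c/$m:"
 ( ${SSH} -o 'compression no' \
--F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
+-F $OBJ/ssh_proxy -m $m -c $c somehost \
 exec sh -c \'"dd of=/dev/null obs=32k"\' \
 < ${DATA} ) 2>&1 | getbytes
 
 if [ $? -ne 0 ]; then
-fail "ssh -2 failed with mac $m cipher $c"
+fail "ssh failed with mac $m cipher $c"
 fi
 done
 # No point trying all MACs for AEAD ciphers since they are ignored.
@@ -30,22 +30,3 @@ for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do
 fi
 n=`expr $n + 1`
 done; done
-
-if ssh_version 1; then
-ciphers="3des blowfish"
-else
-ciphers=""
-fi
-for c in $ciphers; do
-trace "proto 1 cipher $c"
-for x in $tries; do
-printf "%-60s" "$c:"
-( ${SSH} -o 'compression no' \
--F $OBJ/ssh_proxy -1 -c $c somehost \
-exec sh -c \'"dd of=/dev/null obs=32k"\' \
-< ${DATA} ) 2>&1 | getbytes
-if [ $? -ne 0 ]; then
-fail "ssh -1 failed with cipher $c"
-fi
-done
-done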
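Review bot: The `if [ $? -ne 0 ]` at new line 23 follows the pipeline `( ${SSH} ... ) 2>&1 | getbytes`, so in plain sh it sees the exit status of `getbytes`, not of ssh. Unless `getbytes` (defined above the hunk, not visible here) returns non-zero when no transfer line appears, `fail "ssh failed with mac $m cipher $c"` will not fire when a cipher/MAC pair fails to connect. I would either make `getbytes` exit non-zero when it matches nothing, or have the subshell record ssh's status (for example in a file under `$OBJ`) and test that instead.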
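--- a/regress/connect-privsep.sh
+++ b/regress/connect-privsep.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: connect-privsep.sh,v 1.8 2016/11/01 13:43:27 tb Exp $
+# $OpenBSD: connect-privsep.sh,v 1.9 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="proxy connect with privsep"
@@ -6,23 +6,19 @@ tid="proxy connect with privsep"
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
 echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy
 
-for p in ${SSH_PROTOCOLS}; do
-${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
-if [ $? -ne 0 ]; then
-fail "ssh privsep+proxyconnect protocol $p failed"
-fi
-done
+${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
+if [ $? -ne 0 ]; then
+fail "ssh privsep+proxyconnect failed"
+fi
 
 cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
 echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy
 
-for p in ${SSH_PROTOCOLS}; do
-${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
-if [ $? -ne 0 ]; then
-# XXX replace this with fail once sandbox has stabilised
-warn "ssh privsep/sandbox+proxyconnect protocol $p failed"
-fi
-done
+${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
+if [ $? -ne 0 ]; then
+# XXX replace this with fail once sandbox has stabilised
+warn "ssh privsep/sandbox+proxyconnect failed"
+fi
 
 # Because sandbox is sensitive to changes in libc, especially malloc, retest
 # with every malloc.conf option (and none).
@@ -32,10 +28,8 @@ else
 mopts=`echo $TEST_MALLOC_OPTIONS | sed 's/./& /g'`
 fi
 for m in '' $mopts ; do
-for p in ${SSH_PROTOCOLS}; do
-env MALLOC_OPTIONS="$m" ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
+env MALLOC_OPTIONS="$m" ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
 if [ $? -ne 0 ]; then
-fail "ssh privsep/sandbox+proxyconnect protocol $p mopt '$m' failed"
+fail "ssh privsep/sandbox+proxyconnect mopt '$m' failed"
 fi
-done
 done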
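Review bot: The sandbox check at new lines 17-21 still only calls `warn`, while the malloc-options loop at new lines 30-35 calls `fail` for what looks like the same `UsePrivilegeSeparation sandbox` setup, including the empty `m` pass. If nothing in the lines between the hunks changes `sshd_proxy`, the softer check no longer buys anything and hides which step broke. I would resolve the XXX now by using `fail "ssh privsep/sandbox+proxyconnect failed"` and dropping the comment.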
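--- a/regress/connect.sh
+++ b/regress/connect.sh
@@ -1,13 +1,11 @@
-# $OpenBSD: connect.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: connect.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="simple connect"
 
 start_sshd
 
-for p in ${SSH_PROTOCOLS}; do
-${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
-if [ $? -ne 0 ]; then
-fail "ssh connect with protocol $p failed"
-fi
-done
+${SSH} -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+fail "ssh connect with failed"
+fi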
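Review bot: The failure message at new line 10 keeps a dangling "with" after `protocol $p` was removed, so the log reads "ssh connect with failed". I would change it to `fail "ssh connect failed"`.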
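--- a/regress/dhgex.sh
+++ b/regress/dhgex.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: dhgex.sh,v 1.3 2015/10/23 02:22:01 dtucker Exp $
+# $OpenBSD: dhgex.sh,v 1.4 2017/05/08 01:52:49 djm Exp $
 # Placed in the Public Domain.
 
 tid="dhgex"
@@ -54,7 +54,6 @@ check()
 
 #check 2048 3des-cbc
 check 3072 `${SSH} -Q cipher | grep 128`
-check 3072 arcfour blowfish-cbc
 check 7680 `${SSH} -Q cipher | grep 192`
 check 8192 `${SSH} -Q cipher | grep 256`
 check 8192 rijndael-cbc@lysator.liu.se chacha20-poly1305@openssh.com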
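--- a/regress/dynamic-forward.sh
+++ b/regress/dynamic-forward.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: dynamic-forward.sh,v 1.11 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: dynamic-forward.sh,v 1.13 2017/09/21 19:18:12 markus Exp $
 # Placed in the Public Domain.
 
 tid="dynamic forwarding"
@@ -17,33 +17,34 @@ trace "will use ProxyCommand $proxycmd"
 
 start_sshd
 
-for p in ${SSH_PROTOCOLS}; do
+for d in D R; do
 n=0
 error="1"
 trace "start dynamic forwarding, fork to background"
+
 while [ "$error" -ne 0 -a "$n" -lt 3 ]; do
 n=`expr $n + 1`
-${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \
+${SSH} -F $OBJ/ssh_config -f -$d $FWDPORT -q \
 -oExitOnForwardFailure=yes somehost exec sh -c \
 \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
 error=$?
 if [ "$error" -ne 0 ]; then
-trace "forward failed proto $p attempt $n err $error"
+trace "forward failed attempt $n err $error"
 sleep $n
 fi
 done
 if [ "$error" -ne 0 ]; then
-fatal "failed to start dynamic forwarding proto $p"
+fatal "failed to start dynamic forwarding"
 fi
 
 for s in 4 5; do
 for h in 127.0.0.1 localhost; do
-trace "testing ssh protocol $p socks version $s host $h"
+trace "testing ssh socks version $s host $h (-$d)"
 ${SSH} -F $OBJ/ssh_config \
 -o "ProxyCommand ${proxycmd}${s} $h $PORT" \
-somehost cat $DATA > $OBJ/ls.copy
-test -f $OBJ/ls.copy || fail "failed copy $DATA"
-cmp $DATA $OBJ/ls.copy || fail "corrupted copy of $DATA"
+somehost cat ${DATA} > ${COPY}
+test -f ${COPY} || fail "failed copy ${DATA}"
+cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
 done
 done
 
@@ -56,4 +57,5 @@ for p in ${SSH_PROTOCOLS}; do
 else
 fail "no pid file: $OBJ/remote_pid"
 fi
+
 done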
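Review bot: The loop now runs once for `-D` and once for `-R`, but only the socks trace at new line 42 carries `(-$d)`. The retry trace at line 32 and the fatal at line 37 do not say which forwarding mode failed to start. I would write `trace "forward failed (-$d) attempt $n err $error"` and `fatal "failed to start dynamic forwarding (-$d)"`. The part of the loop between the two hunks is not shown, so any messages there would need the same check.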
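--- a/regress/exit-status.sh
+++ b/regress/exit-status.sh
@@ -1,24 +1,22 @@
-# $OpenBSD: exit-status.sh,v 1.7 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: exit-status.sh,v 1.8 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="remote exit status"
 
-for p in ${SSH_PROTOCOLS}; do
-for s in 0 1 4 5 44; do
-trace "proto $p status $s"
-verbose "test $tid: proto $p status $s"
-${SSH} -$p -F $OBJ/ssh_proxy otherhost exit $s
-r=$?
-if [ $r -ne $s ]; then
-fail "exit code mismatch for protocol $p: $r != $s"
-fi
+for s in 0 1 4 5 44; do
+trace "status $s"
+verbose "test $tid: status $s"
+${SSH} -F $OBJ/ssh_proxy otherhost exit $s
+r=$?
+if [ $r -ne $s ]; then
+fail "exit code mismatch for: $r != $s"
+fi
 
 # same with early close of stdout/err
-${SSH} -$p -F $OBJ/ssh_proxy -n otherhost \
-exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
+${SSH} -F $OBJ/ssh_proxy -n otherhost exec \
+sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
 r=$?
 if [ $r -ne $s ]; then
-fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
+fail "exit code (with sleep) mismatch for: $r != $s"
 fi
-done
 done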
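Review bot: Both failure messages keep a dangling "for:" where `protocol $p` used to be, at new lines 12 and 20. I would write `fail "exit code mismatch: $r != $s"` and `fail "exit code (with sleep) mismatch: $r != $s"` so the log line reads as a plain got/expected pair.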
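--- a/regress/forcecommand.sh
+++ b/regress/forcecommand.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: forcecommand.sh,v 1.3 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: forcecommand.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="forced command"
@@ -11,11 +11,8 @@ for t in ${SSH_KEYTYPES}; do
 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
 done
 
-for p in ${SSH_PROTOCOLS}; do
-trace "forced command in key option proto $p"
-${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
-fail "forced command in key proto $p"
-done
+trace "forced command in key option"
+${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key"
 
 cp /dev/null $OBJ/authorized_keys_$USER
 for t in ${SSH_KEYTYPES}; do
@@ -26,19 +23,13 @@ done
 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 echo "ForceCommand true" >> $OBJ/sshd_proxy
 
-for p in ${SSH_PROTOCOLS}; do
-trace "forced command in sshd_config overrides key option proto $p"
-${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
-fail "forced command in key proto $p"
-done
+trace "forced command in sshd_config overrides key option"
+${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key"
 
 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 echo "ForceCommand false" >> $OBJ/sshd_proxy
 echo "Match User $USER" >> $OBJ/sshd_proxy
 echo " ForceCommand true" >> $OBJ/sshd_proxy
 
-for p in ${SSH_PROTOCOLS}; do
-trace "forced command with match proto $p"
-${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
-fail "forced command in key proto $p"
-done
+trace "forced command with match"
+${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key"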
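Review bot: All three checks now fail with the identical message `fail "forced command in key"`, at new lines 15, 27 and 35, even though the second covers `ForceCommand` in sshd_config and the third a `Match User` block. Without the `proto $p` suffix there is nothing else in the message, so a regression in one enforcement path cannot be told from the others in the failure log. I would use `fail "forced command in sshd_config"` at line 27 and `fail "forced command with match"` at line 35.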
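--- a/regress/forward-control.sh
+++ b/regress/forward-control.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: forward-control.sh,v 1.3 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: forward-control.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="sshd control of local and remote forwarding"
@@ -32,13 +32,12 @@ wait_for_process_to_exit() {
 return 0
 }
 
-# usage: check_lfwd protocol Y|N message
+# usage: check_lfwd Y|N message
 check_lfwd() {
-_proto=$1
-_expected=$2
-_message=$3
+_expected=$1
+_message=$2
 rm -f $READY
-${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
+${SSH} -F $OBJ/ssh_proxy \
 -L$LFWD_PORT:127.0.0.1:$PORT \
 -o ExitOnForwardFailure=yes \
 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
@@ -62,13 +61,12 @@ check_lfwd() {
 fi
 }
 
-# usage: check_rfwd protocol Y|N message
+# usage: check_rfwd Y|N message
 check_rfwd() {
-_proto=$1
-_expected=$2
-_message=$3
+_expected=$1
+_message=$2
 rm -f $READY
-${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
+${SSH} -F $OBJ/ssh_proxy \
 -R$RFWD_PORT:127.0.0.1:$PORT \
 -o ExitOnForwardFailure=yes \
 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
@@ -99,10 +97,8 @@ cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
 cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
 
 # Sanity check: ensure the default config allows forwarding
-for p in ${SSH_PROTOCOLS} ; do
-check_lfwd $p Y "proto $p, default configuration"
-check_rfwd $p Y "proto $p, default configuration"
-done
+check_lfwd Y "default configuration"
+check_rfwd Y "default configuration"
 
 # Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
 all_tests() {
@@ -115,49 +111,46 @@ all_tests() {
 _permit_rfwd=$7
 _badfwd=127.0.0.1:22
 _goodfwd=127.0.0.1:${PORT}
-for _proto in ${SSH_PROTOCOLS} ; do
-cp ${OBJ}/authorized_keys_${USER}.bak \
-${OBJ}/authorized_keys_${USER}
-_prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd"
-# No PermitOpen
-( cat ${OBJ}/sshd_proxy.bak ;
-echo "AllowTcpForwarding $_tcpfwd" ) \
-> ${OBJ}/sshd_proxy
-check_lfwd $_proto $_plain_lfwd "$_prefix"
-check_rfwd $_proto $_plain_rfwd "$_prefix"
-# PermitOpen via sshd_config that doesn't match
-( cat ${OBJ}/sshd_proxy.bak ;
-echo "AllowTcpForwarding $_tcpfwd" ;
-echo "PermitOpen $_badfwd" ) \
-> ${OBJ}/sshd_proxy
-check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen"
-check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen"
-# PermitOpen via sshd_config that does match
-( cat ${OBJ}/sshd_proxy.bak ;
-echo "AllowTcpForwarding $_tcpfwd" ;
-echo "PermitOpen $_badfwd $_goodfwd" ) \
-> ${OBJ}/sshd_proxy
-# NB. permitopen via authorized_keys should have same
-# success/fail as via sshd_config
-# permitopen via authorized_keys that doesn't match
-sed "s/^/permitopen=\"$_badfwd\" /" \
-< ${OBJ}/authorized_keys_${USER}.bak \
-> ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
-( cat ${OBJ}/sshd_proxy.bak ;
-echo "AllowTcpForwarding $_tcpfwd" ) \
-> ${OBJ}/sshd_proxy
-check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen"
-check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen"
-# permitopen via authorized_keys that does match
-sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
-< ${OBJ}/authorized_keys_${USER}.bak \
-> ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
-( cat ${OBJ}/sshd_proxy.bak ;
-echo "AllowTcpForwarding $_tcpfwd" ) \
-> ${OBJ}/sshd_proxy
-check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen"
-check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen"
-done
+cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
+_prefix="AllowTcpForwarding=$_tcpfwd"
+# No PermitOpen
+( cat ${OBJ}/sshd_proxy.bak ;
+echo "AllowTcpForwarding $_tcpfwd" ) \
+> ${OBJ}/sshd_proxy
+check_lfwd $_plain_lfwd "$_prefix"
+check_rfwd $_plain_rfwd "$_prefix"
+# PermitOpen via sshd_config that doesn't match
+( cat ${OBJ}/sshd_proxy.bak ;
+echo "AllowTcpForwarding $_tcpfwd" ;
+echo "PermitOpen $_badfwd" ) \
+> ${OBJ}/sshd_proxy
+check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen"
+check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen"
+# PermitOpen via sshd_config that does match
+( cat ${OBJ}/sshd_proxy.bak ;
+echo "AllowTcpForwarding $_tcpfwd" ;
+echo "PermitOpen $_badfwd $_goodfwd" ) \
+> ${OBJ}/sshd_proxy
+# NB. permitopen via authorized_keys should have same
+# success/fail as via sshd_config
+# permitopen via authorized_keys that doesn't match
+sed "s/^/permitopen=\"$_badfwd\" /" \
+< ${OBJ}/authorized_keys_${USER}.bak \
+> ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
+( cat ${OBJ}/sshd_proxy.bak ;
+echo "AllowTcpForwarding $_tcpfwd" ) \
+> ${OBJ}/sshd_proxy
+check_lfwd $_nopermit_lfwd "$_prefix, !permitopen"
+check_rfwd $_nopermit_rfwd "$_prefix, !permitopen"
+# permitopen via authorized_keys that does match
+sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
+< ${OBJ}/authorized_keys_${USER}.bak \
+> ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
+( cat ${OBJ}/sshd_proxy.bak ;
+echo "AllowTcpForwarding $_tcpfwd" ) \
+> ${OBJ}/sshd_proxy
+check_lfwd $_permit_lfwd "$_prefix, permitopen"
+check_rfwd $_permit_rfwd "$_prefix, permitopen"
 }
 
 # no-permitopen mismatch-permitopen match-permitopen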
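Review bot: In `all_tests`, the "PermitOpen via sshd_config that does match" block at new lines 129-133 writes `PermitOpen $_badfwd $_goodfwd` into `sshd_proxy`, but no `check_lfwd`/`check_rfwd` runs before lines 140-142 overwrite the file. The sshd_config allow path is therefore never exercised; the gap is carried over from the old side. Going by the NB comment that authorized_keys and sshd_config should give the same result, I would add `check_lfwd $_permit_lfwd "$_prefix, PermitOpen"` and `check_rfwd $_permit_rfwd "$_prefix, PermitOpen"` after line 133. The start of `all_tests` (new lines 105-110) lies between the hunks and is not shown.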
diff --git a/regress/forwarding.sh b/regress/forwarding.sh index 45c596d7d..39fccba73 100644 --- a/regress/forwarding.sh +++ b/regress/forwarding.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: forwarding.sh,v 1.19 2017/01/30 05:22:14 djm Exp $ | 1 | # $OpenBSD: forwarding.sh,v 1.20 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="local and remote forwarding" | 4 | tid="local and remote forwarding" |
@@ -22,30 +22,24 @@ for j in 0 1 2; do | |||
22 | last=$a | 22 | last=$a |
23 | done | 23 | done |
24 | done | 24 | done |
25 | for p in ${SSH_PROTOCOLS}; do | ||
26 | q=`expr 3 - $p` | ||
27 | if ! ssh_version $q; then | ||
28 | q=$p | ||
29 | fi | ||
30 | trace "start forwarding, fork to background" | ||
31 | rm -f $CTL | ||
32 | ${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10 | ||
33 | 25 | ||
34 | trace "transfer over forwarded channels and check result" | 26 | trace "start forwarding, fork to background" |
35 | ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \ | 27 | rm -f $CTL |
36 | somehost cat ${DATA} > ${COPY} | 28 | ${SSH} -S $CTL -M -F $OBJ/ssh_config -f $fwd somehost sleep 10 |
37 | test -s ${COPY} || fail "failed copy of ${DATA}" | ||
38 | cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" | ||
39 | 29 | ||
40 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost | 30 | trace "transfer over forwarded channels and check result" |
41 | done | 31 | ${SSH} -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \ |
32 | somehost cat ${DATA} > ${COPY} | ||
33 | test -s ${COPY} || fail "failed copy of ${DATA}" | ||
34 | cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" | ||
35 | |||
36 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost | ||
42 | 37 | ||
43 | for p in ${SSH_PROTOCOLS}; do | ||
44 | for d in L R; do | 38 | for d in L R; do |
45 | trace "exit on -$d forward failure, proto $p" | 39 | trace "exit on -$d forward failure" |
46 | 40 | ||
47 | # this one should succeed | 41 | # this one should succeed |
48 | ${SSH} -$p -F $OBJ/ssh_config \ | 42 | ${SSH} -F $OBJ/ssh_config \ |
49 | -$d ${base}01:127.0.0.1:$PORT \ | 43 | -$d ${base}01:127.0.0.1:$PORT \ |
50 | -$d ${base}02:127.0.0.1:$PORT \ | 44 | -$d ${base}02:127.0.0.1:$PORT \ |
51 | -$d ${base}03:127.0.0.1:$PORT \ | 45 | -$d ${base}03:127.0.0.1:$PORT \ |
@@ -55,7 +49,7 @@ for d in L R; do | |||
55 | fatal "connection failed, should not" | 49 | fatal "connection failed, should not" |
56 | else | 50 | else |
57 | # this one should fail | 51 | # this one should fail |
58 | ${SSH} -q -$p -F $OBJ/ssh_config \ | 52 | ${SSH} -q -F $OBJ/ssh_config \ |
59 | -$d ${base}01:127.0.0.1:$PORT \ | 53 | -$d ${base}01:127.0.0.1:$PORT \ |
60 | -$d ${base}02:127.0.0.1:$PORT \ | 54 | -$d ${base}02:127.0.0.1:$PORT \ |
61 | -$d ${base}03:127.0.0.1:$PORT \ | 55 | -$d ${base}03:127.0.0.1:$PORT \ |
@@ -68,82 +62,74 @@ for d in L R; do | |||
68 | fi | 62 | fi |
69 | fi | 63 | fi |
70 | done | 64 | done |
71 | done | ||
72 | 65 | ||
73 | for p in ${SSH_PROTOCOLS}; do | 66 | trace "simple clear forwarding" |
74 | trace "simple clear forwarding proto $p" | 67 | ${SSH} -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true |
75 | ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true | 68 | |
76 | 69 | trace "clear local forward" | |
77 | trace "clear local forward proto $p" | 70 | rm -f $CTL |
78 | rm -f $CTL | 71 | ${SSH} -S $CTL -M -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \ |
79 | ${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \ | 72 | -oClearAllForwardings=yes somehost sleep 10 |
80 | -oClearAllForwardings=yes somehost sleep 10 | 73 | if [ $? != 0 ]; then |
81 | if [ $? != 0 ]; then | 74 | fail "connection failed with cleared local forwarding" |
82 | fail "connection failed with cleared local forwarding" | 75 | else |
83 | else | 76 | # this one should fail |
84 | # this one should fail | 77 | ${SSH} -F $OBJ/ssh_config -p ${base}01 somehost true \ |
85 | ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 somehost true \ | 78 | >>$TEST_REGRESS_LOGFILE 2>&1 && \ |
86 | >>$TEST_REGRESS_LOGFILE 2>&1 && \ | 79 | fail "local forwarding not cleared" |
87 | fail "local forwarding not cleared" | 80 | fi |
88 | fi | 81 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost |
89 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost | 82 | |
90 | 83 | trace "clear remote forward" | |
91 | trace "clear remote forward proto $p" | 84 | rm -f $CTL |
92 | rm -f $CTL | 85 | ${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \ |
93 | ${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \ | 86 | -oClearAllForwardings=yes somehost sleep 10 |
94 | -oClearAllForwardings=yes somehost sleep 10 | 87 | if [ $? != 0 ]; then |
95 | if [ $? != 0 ]; then | 88 | fail "connection failed with cleared remote forwarding" |
96 | fail "connection failed with cleared remote forwarding" | 89 | else |
97 | else | 90 | # this one should fail |
98 | # this one should fail | 91 | ${SSH} -F $OBJ/ssh_config -p ${base}01 somehost true \ |
99 | ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 somehost true \ | 92 | >>$TEST_REGRESS_LOGFILE 2>&1 && \ |
100 | >>$TEST_REGRESS_LOGFILE 2>&1 && \ | 93 | fail "remote forwarding not cleared" |
101 | fail "remote forwarding not cleared" | 94 | fi |
102 | fi | 95 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost |
103 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost | 96 | |
104 | done | 97 | trace "stdio forwarding" |
105 | 98 | cmd="${SSH} -F $OBJ/ssh_config" | |
106 | for p in 2; do | 99 | $cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" somehost true |
107 | trace "stdio forwarding proto $p" | 100 | if [ $? != 0 ]; then |
108 | cmd="${SSH} -$p -F $OBJ/ssh_config" | 101 | fail "stdio forwarding" |
109 | $cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" \ | 102 | fi |
110 | somehost true | ||
111 | if [ $? != 0 ]; then | ||
112 | fail "stdio forwarding proto $p" | ||
113 | fi | ||
114 | done | ||
115 | 103 | ||
116 | echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config | 104 | echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config |
117 | echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config | 105 | echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config |
118 | for p in ${SSH_PROTOCOLS}; do | ||
119 | trace "config file: start forwarding, fork to background" | ||
120 | rm -f $CTL | ||
121 | ${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f somehost sleep 10 | ||
122 | |||
123 | trace "config file: transfer over forwarded channels and check result" | ||
124 | ${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \ | ||
125 | somehost cat ${DATA} > ${COPY} | ||
126 | test -s ${COPY} || fail "failed copy of ${DATA}" | ||
127 | cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" | ||
128 | |||
129 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost | ||
130 | done | ||
131 | 106 | ||
132 | for p in 2; do | 107 | trace "config file: start forwarding, fork to background" |
133 | trace "transfer over chained unix domain socket forwards and check result" | 108 | rm -f $CTL |
134 | rm -f $OBJ/unix-[123].fwd | 109 | ${SSH} -S $CTL -M -F $OBJ/ssh_config -f somehost sleep 10 |
135 | rm -f $CTL $CTL.[123] | 110 | |
136 | ${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10 | 111 | trace "config file: transfer over forwarded channels and check result" |
137 | ${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10 | 112 | ${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \ |
138 | ${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10 | 113 | somehost cat ${DATA} > ${COPY} |
139 | ${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10 | 114 | test -s ${COPY} || fail "failed copy of ${DATA}" |
140 | ${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \ | 115 | cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" |
141 | somehost cat ${DATA} > ${COPY} | 116 | |
142 | test -s ${COPY} || fail "failed copy ${DATA}" | 117 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost |
143 | cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" | 118 | |
144 | 119 | trace "transfer over chained unix domain socket forwards and check result" | |
145 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost | 120 | rm -f $OBJ/unix-[123].fwd |
146 | ${SSH} -F $OBJ/ssh_config -S $CTL.1 -O exit somehost | 121 | rm -f $CTL $CTL.[123] |
147 | ${SSH} -F $OBJ/ssh_config -S $CTL.2 -O exit somehost | 122 | ${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10 |
148 | ${SSH} -F $OBJ/ssh_config -S $CTL.3 -O exit somehost | 123 | ${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10 |
149 | done | 124 | ${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10 |
125 | ${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10 | ||
126 | ${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \ | ||
127 | somehost cat ${DATA} > ${COPY} | ||
128 | test -s ${COPY} || fail "failed copy ${DATA}" | ||
129 | cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" | ||
130 | |||
131 | ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost | ||
132 | ${SSH} -F $OBJ/ssh_config -S $CTL.1 -O exit somehost | ||
133 | ${SSH} -F $OBJ/ssh_config -S $CTL.2 -O exit somehost | ||
134 | ${SSH} -F $OBJ/ssh_config -S $CTL.3 -O exit somehost | ||
135 | |||
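Review bot: The multiplex masters started at new lines 28, 109 and 122-125 are not checked for success, unlike the ClearAllForwardings cases that test `$?` at new lines 73 and 87. If a master fails to start, the failure only shows up later as "failed copy of ${DATA}", which points at the data path rather than at forward setup. Appending something like `|| fail "forwarding master failed to start"` to each `-M ... -f` invocation would keep the diagnosis accurate now that the per-protocol loops no longer label each pass.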
diff --git a/regress/host-expand.sh b/regress/host-expand.sh index 2a95bfe1b..9444f7fb6 100644 --- a/regress/host-expand.sh +++ b/regress/host-expand.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: host-expand.sh,v 1.4 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: host-expand.sh,v 1.5 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="expand %h and %n" | 4 | tid="expand %h and %n" |
@@ -11,9 +11,6 @@ somehost | |||
11 | 127.0.0.1 | 11 | 127.0.0.1 |
12 | EOE | 12 | EOE |
13 | 13 | ||
14 | for p in ${SSH_PROTOCOLS}; do | 14 | ${SSH} -F $OBJ/ssh_proxy somehost true >$OBJ/actual |
15 | verbose "test $tid: proto $p" | 15 | diff $OBJ/expect $OBJ/actual || fail "$tid" |
16 | ${SSH} -F $OBJ/ssh_proxy -$p somehost true >$OBJ/actual | ||
17 | diff $OBJ/expect $OBJ/actual || fail "$tid proto $p" | ||
18 | done | ||
19 | 16 | ||
diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh index 094700da6..811b6b9ab 100644 --- a/regress/hostkey-agent.sh +++ b/regress/hostkey-agent.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: hostkey-agent.sh,v 1.6 2015/07/10 06:23:25 markus Exp $ | 1 | # $OpenBSD: hostkey-agent.sh,v 1.7 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="hostkey agent" | 4 | tid="hostkey agent" |
@@ -40,7 +40,7 @@ for ps in no yes; do | |||
40 | cp $OBJ/known_hosts.orig $OBJ/known_hosts | 40 | cp $OBJ/known_hosts.orig $OBJ/known_hosts |
41 | SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'` | 41 | SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'` |
42 | if [ $? -ne 0 ]; then | 42 | if [ $? -ne 0 ]; then |
43 | fail "protocol $p privsep=$ps failed" | 43 | fail "privsep=$ps failed" |
44 | fi | 44 | fi |
45 | if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then | 45 | if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then |
46 | fail "bad SSH_CONNECTION key type $k privsep=$ps" | 46 | fail "bad SSH_CONNECTION key type $k privsep=$ps" |
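Review bot: The new message `fail "privsep=$ps failed"` at line 43 no longer says which case failed, while the check just below it reports `key type $k`. If `$k` is set at this point, as line 46 suggests (the loop header is outside the hunk), `fail "key type $k privsep=$ps failed"` would keep the two messages consistent.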
diff --git a/regress/integrity.sh b/regress/integrity.sh index ed3783372..3eda40f0a 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: integrity.sh,v 1.20 2017/01/06 02:26:10 dtucker Exp $ | 1 | # $OpenBSD: integrity.sh,v 1.23 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="integrity" | 4 | tid="integrity" |
@@ -46,7 +46,7 @@ for m in $macs; do | |||
46 | macopt="-m $m -c aes128-ctr" | 46 | macopt="-m $m -c aes128-ctr" |
47 | fi | 47 | fi |
48 | verbose "test $tid: $m @$off" | 48 | verbose "test $tid: $m @$off" |
49 | ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ | 49 | ${SSH} $macopt -F $OBJ/ssh_proxy -o "$pxy" \ |
50 | -oServerAliveInterval=1 -oServerAliveCountMax=30 \ | 50 | -oServerAliveInterval=1 -oServerAliveCountMax=30 \ |
51 | 999.999.999.999 'printf "%4096s" " "' >/dev/null | 51 | 999.999.999.999 'printf "%4096s" " "' >/dev/null |
52 | if [ $? -eq 0 ]; then | 52 | if [ $? -eq 0 ]; then |
diff --git a/regress/key-options.sh b/regress/key-options.sh index 7a68ad358..2adee6833 100644 --- a/regress/key-options.sh +++ b/regress/key-options.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: key-options.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: key-options.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="key options" | 4 | tid="key options" |
@@ -8,64 +8,56 @@ authkeys="$OBJ/authorized_keys_${USER}" | |||
8 | cp $authkeys $origkeys | 8 | cp $authkeys $origkeys |
9 | 9 | ||
10 | # Test command= forced command | 10 | # Test command= forced command |
11 | for p in ${SSH_PROTOCOLS}; do | 11 | for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do |
12 | for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do | ||
13 | sed "s/.*/$c &/" $origkeys >$authkeys | 12 | sed "s/.*/$c &/" $origkeys >$authkeys |
14 | verbose "key option proto $p $c" | 13 | verbose "key option $c" |
15 | r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost echo foo` | 14 | r=`${SSH} -q -F $OBJ/ssh_proxy somehost echo foo` |
16 | if [ "$r" = "foo" ]; then | 15 | if [ "$r" = "foo" ]; then |
17 | fail "key option forced command not restricted" | 16 | fail "key option forced command not restricted" |
18 | fi | 17 | fi |
19 | if [ "$r" != "bar" ]; then | 18 | if [ "$r" != "bar" ]; then |
20 | fail "key option forced command not executed" | 19 | fail "key option forced command not executed" |
21 | fi | 20 | fi |
22 | done | ||
23 | done | 21 | done |
24 | 22 | ||
25 | # Test no-pty | 23 | # Test no-pty |
26 | sed 's/.*/no-pty &/' $origkeys >$authkeys | 24 | sed 's/.*/no-pty &/' $origkeys >$authkeys |
27 | for p in ${SSH_PROTOCOLS}; do | 25 | verbose "key option proto no-pty" |
28 | verbose "key option proto $p no-pty" | 26 | r=`${SSH} -q -F $OBJ/ssh_proxy somehost tty` |
29 | r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost tty` | 27 | if [ -f "$r" ]; then |
30 | if [ -f "$r" ]; then | 28 | fail "key option failed no-pty (pty $r)" |
31 | fail "key option failed proto $p no-pty (pty $r)" | 29 | fi |
32 | fi | ||
33 | done | ||
34 | 30 | ||
35 | # Test environment= | 31 | # Test environment= |
36 | echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy | 32 | echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy |
37 | sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys | 33 | sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys |
38 | for p in ${SSH_PROTOCOLS}; do | 34 | verbose "key option environment" |
39 | verbose "key option proto $p environment" | 35 | r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo $FOO'` |
40 | r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo $FOO'` | 36 | if [ "$r" != "bar" ]; then |
41 | if [ "$r" != "bar" ]; then | 37 | fail "key option environment not set" |
42 | fail "key option environment not set" | 38 | fi |
43 | fi | ||
44 | done | ||
45 | 39 | ||
46 | # Test from= restriction | 40 | # Test from= restriction |
47 | start_sshd | 41 | start_sshd |
48 | for p in ${SSH_PROTOCOLS}; do | 42 | for f in 127.0.0.1 '127.0.0.0\/8'; do |
49 | for f in 127.0.0.1 '127.0.0.0\/8'; do | ||
50 | cat $origkeys >$authkeys | 43 | cat $origkeys >$authkeys |
51 | ${SSH} -$p -q -F $OBJ/ssh_proxy somehost true | 44 | ${SSH} -q -F $OBJ/ssh_proxy somehost true |
52 | if [ $? -ne 0 ]; then | 45 | if [ $? -ne 0 ]; then |
53 | fail "key option proto $p failed without restriction" | 46 | fail "key option failed without restriction" |
54 | fi | 47 | fi |
55 | 48 | ||
56 | sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys | 49 | sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys |
57 | from=`head -1 $authkeys | cut -f1 -d ' '` | 50 | from=`head -1 $authkeys | cut -f1 -d ' '` |
58 | verbose "key option proto $p $from" | 51 | verbose "key option $from" |
59 | r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'` | 52 | r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'` |
60 | if [ "$r" = "true" ]; then | 53 | if [ "$r" = "true" ]; then |
61 | fail "key option proto $p $from not restricted" | 54 | fail "key option $from not restricted" |
62 | fi | 55 | fi |
63 | 56 | ||
64 | r=`${SSH} -$p -q -F $OBJ/ssh_config somehost 'echo true'` | 57 | r=`${SSH} -q -F $OBJ/ssh_config somehost 'echo true'` |
65 | if [ "$r" != "true" ]; then | 58 | if [ "$r" != "true" ]; then |
66 | fail "key option proto $p $from not allowed but should be" | 59 | fail "key option $from not allowed but should be" |
67 | fi | 60 | fi |
68 | done | ||
69 | done | 61 | done |
70 | 62 | ||
71 | rm -f "$origkeys" | 63 | rm -f "$origkeys" |
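Review bot: The no-pty check at new lines 26-28 looks unable to fail, so a regression in the `no-pty` key option would go unnoticed. `[ -f "$r" ]` is true only for a regular file, whereas a pty is a character device, and the `tty` command runs without a terminal being requested (unless ssh_proxy sets RequestTTY, which is not visible here). Requesting one with `-tt` and matching the reply with `case "$r" in /dev/*) fail "key option failed no-pty (pty $r)" ;; esac` would make the restriction observable. The pattern also tolerates a trailing carriage return in the reply. Separately, `verbose "key option proto no-pty"` at new line 25 keeps a stray "proto" that the other messages dropped.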
diff --git a/regress/keygen-change.sh b/regress/keygen-change.sh index e56185050..8b8acd52f 100644 --- a/regress/keygen-change.sh +++ b/regress/keygen-change.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: keygen-change.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: keygen-change.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="change passphrase for key" | 4 | tid="change passphrase for key" |
@@ -7,9 +7,6 @@ S1="secret1" | |||
7 | S2="2secret" | 7 | S2="2secret" |
8 | 8 | ||
9 | KEYTYPES=`${SSH} -Q key-plain` | 9 | KEYTYPES=`${SSH} -Q key-plain` |
10 | if ssh_version 1; then | ||
11 | KEYTYPES="${KEYTYPES} rsa1" | ||
12 | fi | ||
13 | 10 | ||
14 | for t in $KEYTYPES; do | 11 | for t in $KEYTYPES; do |
15 | # generate user key for agent | 12 | # generate user key for agent |
diff --git a/regress/keyscan.sh b/regress/keyscan.sh index f97364b76..3bde1219a 100644 --- a/regress/keyscan.sh +++ b/regress/keyscan.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: keyscan.sh,v 1.5 2015/09/11 03:44:21 djm Exp $ | 1 | # $OpenBSD: keyscan.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="keyscan" | 4 | tid="keyscan" |
@@ -9,10 +9,6 @@ rm -f ${OBJ}/host.dsa | |||
9 | start_sshd | 9 | start_sshd |
10 | 10 | ||
11 | KEYTYPES=`${SSH} -Q key-plain` | 11 | KEYTYPES=`${SSH} -Q key-plain` |
12 | if ssh_version 1; then | ||
13 | KEYTYPES="${KEYTYPES} rsa1" | ||
14 | fi | ||
15 | |||
16 | for t in $KEYTYPES; do | 12 | for t in $KEYTYPES; do |
17 | trace "keyscan type $t" | 13 | trace "keyscan type $t" |
18 | ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \ | 14 | ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \ |
diff --git a/regress/keytype.sh b/regress/keytype.sh index 8f697788f..88b022de4 100644 --- a/regress/keytype.sh +++ b/regress/keytype.sh | |||
@@ -1,13 +1,8 @@ | |||
1 | # $OpenBSD: keytype.sh,v 1.4 2015/07/10 06:23:25 markus Exp $ | 1 | # $OpenBSD: keytype.sh,v 1.5 2017/03/20 22:08:06 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="login with different key types" | 4 | tid="login with different key types" |
5 | 5 | ||
6 | TIME=`which time 2>/dev/null` | ||
7 | if test ! -x "$TIME"; then | ||
8 | TIME="" | ||
9 | fi | ||
10 | |||
11 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | 6 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
12 | cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak | 7 | cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak |
13 | 8 | ||
@@ -26,8 +21,8 @@ for kt in $ktypes; do | |||
26 | rm -f $OBJ/key.$kt | 21 | rm -f $OBJ/key.$kt |
27 | bits=`echo ${kt} | awk -F- '{print $2}'` | 22 | bits=`echo ${kt} | awk -F- '{print $2}'` |
28 | type=`echo ${kt} | awk -F- '{print $1}'` | 23 | type=`echo ${kt} | awk -F- '{print $1}'` |
29 | printf "keygen $type, $bits bits:\t" | 24 | verbose "keygen $type, $bits bits" |
30 | ${TIME} ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\ | 25 | ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\ |
31 | fail "ssh-keygen for type $type, $bits bits failed" | 26 | fail "ssh-keygen for type $type, $bits bits failed" |
32 | done | 27 | done |
33 | 28 | ||
@@ -63,8 +58,8 @@ for ut in $ktypes; do | |||
63 | ) > $OBJ/known_hosts | 58 | ) > $OBJ/known_hosts |
64 | cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER | 59 | cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER |
65 | for i in $tries; do | 60 | for i in $tries; do |
66 | printf "userkey $ut, hostkey ${ht}:\t" | 61 | verbose "userkey $ut, hostkey ${ht}" |
67 | ${TIME} ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true | 62 | ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true |
68 | if [ $? -ne 0 ]; then | 63 | if [ $? -ne 0 ]; then |
69 | fail "ssh userkey $ut, hostkey $ht failed" | 64 | fail "ssh userkey $ut, hostkey $ht failed" |
70 | fi | 65 | fi |
diff --git a/regress/localcommand.sh b/regress/localcommand.sh index 220f19a4d..5224a16b2 100644 --- a/regress/localcommand.sh +++ b/regress/localcommand.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: localcommand.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: localcommand.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="localcommand" | 4 | tid="localcommand" |
@@ -6,10 +6,8 @@ tid="localcommand" | |||
6 | echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy | 6 | echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy |
7 | echo 'LocalCommand echo foo' >> $OBJ/ssh_proxy | 7 | echo 'LocalCommand echo foo' >> $OBJ/ssh_proxy |
8 | 8 | ||
9 | for p in ${SSH_PROTOCOLS}; do | 9 | verbose "test $tid: proto $p localcommand" |
10 | verbose "test $tid: proto $p localcommand" | 10 | a=`${SSH} -F $OBJ/ssh_proxy somehost true` |
11 | a=`${SSH} -F $OBJ/ssh_proxy -$p somehost true` | 11 | if [ "$a" != "foo" ] ; then |
12 | if [ "$a" != "foo" ] ; then | 12 | fail "$tid proto $p" |
13 | fail "$tid proto $p" | 13 | fi |
14 | fi | ||
15 | done | ||
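Review bot: `$p` is still expanded in `verbose "test $tid: proto $p localcommand"` (new line 9) and `fail "$tid proto $p"` (new line 12), but this change removes the `for p in ${SSH_PROTOCOLS}` loop that set it. Unless `p` is assigned somewhere outside the hunk, both messages now print an empty protocol, and the script would abort if it were ever run with `set -u`. Suggest `verbose "test $tid: localcommand"` and `fail "$tid"`.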
diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh index 12207fd99..4c2d07dc2 100644 --- a/regress/login-timeout.sh +++ b/regress/login-timeout.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: login-timeout.sh,v 1.8 2016/12/16 01:06:27 dtucker Exp $ | 1 | # $OpenBSD: login-timeout.sh,v 1.9 2017/08/07 00:53:51 dtucker Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="connect after login grace timeout" | 4 | tid="connect after login grace timeout" |
@@ -10,23 +10,9 @@ echo "LoginGraceTime 10s" >> $OBJ/sshd_config | |||
10 | echo "MaxStartups 1" >> $OBJ/sshd_config | 10 | echo "MaxStartups 1" >> $OBJ/sshd_config |
11 | start_sshd | 11 | start_sshd |
12 | 12 | ||
13 | (echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & | 13 | (echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & |
14 | sleep 15 | 14 | sleep 15 |
15 | ${SSH} -F $OBJ/ssh_config somehost true | 15 | ${SSH} -F $OBJ/ssh_config somehost true |
16 | if [ $? -ne 0 ]; then | 16 | if [ $? -ne 0 ]; then |
17 | fail "ssh connect after login grace timeout failed with privsep" | 17 | fail "ssh connect after login grace timeout failed" |
18 | fi | ||
19 | |||
20 | stop_sshd | ||
21 | |||
22 | trace "test login grace without privsep" | ||
23 | echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config | ||
24 | start_sshd | ||
25 | sleep 1 | ||
26 | |||
27 | (echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & | ||
28 | sleep 15 | ||
29 | ${SSH} -F $OBJ/ssh_config somehost true | ||
30 | if [ $? -ne 0 ]; then | ||
31 | fail "ssh connect after login grace timeout failed without privsep" | ||
32 | fi | 18 | fi |
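Review bot: The blocking connection at new line 13 depends on `telnet`, and its output and errors are sent to /dev/null. On a host without telnet the single MaxStartups slot is therefore never occupied, and the `${SSH} -F $OBJ/ssh_config somehost true` at line 15 succeeds without exercising LoginGraceTime at all. A guard before `start_sshd`, for example `which telnet >/dev/null 2>&1 || fatal "telnet not found"`, would make the test fail loudly instead of passing vacuously. Now that the second (no-privsep) pass is gone, this is the only coverage of the grace timeout.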
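--- /dev/null
+++ b/regress/misc/fuzz-harness/Makefile
@@ -0,0 +1,22 @@
+# NB. libssh and libopenbsd-compat should be built with the same sanitizer opts.
+CXX=clang++-3.9
+FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge
+FUZZ_LIBS=-lFuzzer
+
+CXXFLAGS=-O2 -g -Wall -Wextra -I ../../.. $(FUZZ_FLAGS)
+LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS)
+LIBS=-lssh -lopenbsd-compat -lcrypto $(FUZZ_LIBS)
+
+all: pubkey_fuzz sig_fuzz
+
+.cc.o:
+$(CXX) $(CXXFLAGS) -c $< -o $@
+
+pubkey_fuzz: pubkey_fuzz.o
+$(CXX) -o $@ pubkey_fuzz.o $(LDFLAGS) $(LIBS)
+
+sig_fuzz: sig_fuzz.o
+$(CXX) -o $@ sig_fuzz.o $(LDFLAGS) $(LIBS)
+
+clean:
+-rm -f *.o pubkey_fuzz sig_fuzz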
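Review bot: Neither link rule (lines 15-19) lists the libraries it links against, so `pubkey_fuzz` and `sig_fuzz` are not relinked when the libraries found via `-L ../../..` and `-L ../../../openbsd-compat` are rebuilt. A fuzzing run can then silently exercise stale code, or code built with different sanitizer options than the comment on line 1 asks for. Adding those library files as prerequisites of both targets would close that gap. `all` and `clean` should also be declared with `.PHONY: all clean` so that a stray file of either name cannot mask them.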
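--- /dev/null
+++ b/regress/misc/fuzz-harness/README
@@ -0,0 +1 @@
+This directory contains fuzzing harnesses for use with clang's libfuzzer.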
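--- /dev/null
+++ b/regress/misc/fuzz-harness/pubkey_fuzz.cc
@@ -0,0 +1,18 @@
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+
+extern "C" {
+
+#include "sshkey.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+struct sshkey *k = NULL;
+int r = sshkey_from_blob(data, size, &k);
+if (r == 0) sshkey_free(k);
+return 0;
+}
+
+} // extern
+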
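Review bot: `sshkey.h` is included on its own at line 7, whereas sig_fuzz.cc in the same commit includes `includes.h` first. If sshkey.h relies on types or configuration macros from includes.h (not visible here), this harness may be compiled with different feature settings than the library it links against. Suggest adding `#include "includes.h"` before `#include "sshkey.h"`. A one-line header comment would also help, such as `// libFuzzer target: feeds the input to sshkey_from_blob() and frees any key it returns.`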
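--- /dev/null
+++ b/regress/misc/fuzz-harness/sig_fuzz.cc
@@ -0,0 +1,50 @@
+// cc_fuzz_target test for public key parsing.
+
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+extern "C" {
+
+#include "includes.h"
+#include "sshkey.h"
+#include "ssherr.h"
+
+static struct sshkey *generate_or_die(int type, unsigned bits) {
+int r;
+struct sshkey *ret;
+if ((r = sshkey_generate(type, bits, &ret)) != 0) {
+fprintf(stderr, "generate(%d, %u): %s", type, bits, ssh_err(r));
+abort();
+}
+return ret;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
+{
+#ifdef WITH_OPENSSL
+static struct sshkey *rsa = generate_or_die(KEY_RSA, 2048);
+static struct sshkey *dsa = generate_or_die(KEY_DSA, 1024);
+static struct sshkey *ecdsa256 = generate_or_die(KEY_ECDSA, 256);
+static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384);
+static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521);
+#endif
+static struct sshkey *ed25519 = generate_or_die(KEY_ED25519, 0);
+static const char *data = "If everyone started announcing his nose had "
+"run away, I don’t know how it would all end";
+static const size_t dlen = strlen(data);
+
+#ifdef WITH_OPENSSL
+sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, 0);
+sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, 0);
+sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, 0);
+sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, 0);
+sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, 0);
+#endif
+sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, 0);
+return 0;
+}
+
+} // extern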
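Review bot: The results of the six `sshkey_verify` calls (lines 40-46) are discarded, so the harness can only report memory-safety faults. A call that accepted fuzzer-supplied bytes as a valid signature over `data` would pass unnoticed. Assuming sshkey_verify returns 0 on success like `sshkey_generate` at line 18, each call could be written as `if (sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, 0) == 0) abort();` so that an unexpected acceptance is reported as a finding. The header comment at line 1 says "public key parsing", which describes pubkey_fuzz.cc rather than this signature-verification target. The `fprintf` format at line 19 also lacks a trailing `\n`.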
diff --git a/regress/misc/kexfuzz/Makefile b/regress/misc/kexfuzz/Makefile index 3018b632f..d0aca8dfe 100644 --- a/regress/misc/kexfuzz/Makefile +++ b/regress/misc/kexfuzz/Makefile | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: Makefile,v 1.1 2016/03/04 02:30:37 djm Exp $ | 1 | # $OpenBSD: Makefile,v 1.2 2017/04/17 11:02:31 jsg Exp $ |
2 | 2 | ||
3 | .include <bsd.own.mk> | 3 | .include <bsd.own.mk> |
4 | .include <bsd.obj.mk> | 4 | .include <bsd.obj.mk> |
@@ -49,7 +49,7 @@ CDIAGFLAGS+= -Wswitch | |||
49 | CDIAGFLAGS+= -Wtrigraphs | 49 | CDIAGFLAGS+= -Wtrigraphs |
50 | CDIAGFLAGS+= -Wuninitialized | 50 | CDIAGFLAGS+= -Wuninitialized |
51 | CDIAGFLAGS+= -Wunused | 51 | CDIAGFLAGS+= -Wunused |
52 | .if ${COMPILER_VERSION} == "gcc4" | 52 | .if ${COMPILER_VERSION:L} != "gcc3" |
53 | CDIAGFLAGS+= -Wpointer-sign | 53 | CDIAGFLAGS+= -Wpointer-sign |
54 | CDIAGFLAGS+= -Wold-style-definition | 54 | CDIAGFLAGS+= -Wold-style-definition |
55 | .endif | 55 | .endif |
diff --git a/regress/misc/kexfuzz/kexfuzz.c b/regress/misc/kexfuzz/kexfuzz.c index 67058027f..3e2c48160 100644 --- a/regress/misc/kexfuzz/kexfuzz.c +++ b/regress/misc/kexfuzz/kexfuzz.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: kexfuzz.c,v 1.3 2016/10/11 21:49:54 djm Exp $ */ | 1 | /* $OpenBSD: kexfuzz.c,v 1.4 2017/04/30 23:34:55 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Fuzz harness for KEX code | 3 | * Fuzz harness for KEX code |
4 | * | 4 | * |
@@ -418,7 +418,7 @@ main(int argc, char **argv) | |||
418 | close(fd); | 418 | close(fd); |
419 | /* XXX check that it is a private key */ | 419 | /* XXX check that it is a private key */ |
420 | /* XXX support certificates */ | 420 | /* XXX support certificates */ |
421 | if (key == NULL || key->type == KEY_UNSPEC || key->type == KEY_RSA1) | 421 | if (key == NULL || key->type == KEY_UNSPEC) |
422 | badusage("Invalid key file (-k flag)"); | 422 | badusage("Invalid key file (-k flag)"); |
423 | 423 | ||
424 | /* Replace (fuzz) mode */ | 424 | /* Replace (fuzz) mode */ |
diff --git a/regress/multiplex.sh b/regress/multiplex.sh index acb9234d9..078a53a88 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: multiplex.sh,v 1.27 2014/12/22 06:14:29 djm Exp $ | 1 | # $OpenBSD: multiplex.sh,v 1.28 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | CTL=/tmp/openssh.regress.ctl-sock.$$ | 4 | CTL=/tmp/openssh.regress.ctl-sock.$$ |
@@ -101,7 +101,7 @@ for s in 0 1 4 5 44; do | |||
101 | ${SSH} -F $OBJ/ssh_config -S $CTL otherhost exit $s | 101 | ${SSH} -F $OBJ/ssh_config -S $CTL otherhost exit $s |
102 | r=$? | 102 | r=$? |
103 | if [ $r -ne $s ]; then | 103 | if [ $r -ne $s ]; then |
104 | fail "exit code mismatch for protocol $p: $r != $s" | 104 | fail "exit code mismatch: $r != $s" |
105 | fi | 105 | fi |
106 | 106 | ||
107 | # same with early close of stdout/err | 107 | # same with early close of stdout/err |
@@ -110,7 +110,7 @@ for s in 0 1 4 5 44; do | |||
110 | exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\' | 110 | exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\' |
111 | r=$? | 111 | r=$? |
112 | if [ $r -ne $s ]; then | 112 | if [ $r -ne $s ]; then |
113 | fail "exit code (with sleep) mismatch for protocol $p: $r != $s" | 113 | fail "exit code (with sleep) mismatch: $r != $s" |
114 | fi | 114 | fi |
115 | done | 115 | done |
116 | 116 | ||
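--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: principals-command.sh,v 1.3 2016/09/26 21:34:38 bluhm Exp $
+# $OpenBSD: principals-command.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="authorized principals command"
@@ -78,7 +78,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
 # Empty authorized_principals
 verbose "$tid: ${_prefix} empty authorized_principals"
 echo > $OBJ/authorized_principals_$USER
-${SSH} -2i $OBJ/cert_user_key \
+${SSH} -i $OBJ/cert_user_key \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 fail "ssh cert connect succeeded unexpectedly"
@@ -87,7 +87,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
 # Wrong authorized_principals
 verbose "$tid: ${_prefix} wrong authorized_principals"
 echo gregorsamsa > $OBJ/authorized_principals_$USER
-${SSH} -2i $OBJ/cert_user_key \
+${SSH} -i $OBJ/cert_user_key \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 fail "ssh cert connect succeeded unexpectedly"
@@ -96,7 +96,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
 # Correct authorized_principals
 verbose "$tid: ${_prefix} correct authorized_principals"
 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
-${SSH} -2i $OBJ/cert_user_key \
+${SSH} -i $OBJ/cert_user_key \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -ne 0 ]; then
 fail "ssh cert connect failed"
@@ -105,7 +105,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
 # authorized_principals with bad key option
 verbose "$tid: ${_prefix} authorized_principals bad key opt"
 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
-${SSH} -2i $OBJ/cert_user_key \
+${SSH} -i $OBJ/cert_user_key \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 fail "ssh cert connect succeeded unexpectedly"
@@ -115,7 +115,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
 verbose "$tid: ${_prefix} authorized_principals command=false"
 echo 'command="false" mekmitasdigoat' > \
 $OBJ/authorized_principals_$USER
-${SSH} -2i $OBJ/cert_user_key \
+${SSH} -i $OBJ/cert_user_key \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 fail "ssh cert connect succeeded unexpectedly"
@@ -125,7 +125,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
 verbose "$tid: ${_prefix} authorized_principals command=true"
 echo 'command="true" mekmitasdigoat' > \
 $OBJ/authorized_principals_$USER
-${SSH} -2i $OBJ/cert_user_key \
+${SSH} -i $OBJ/cert_user_key \
 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
 if [ $? -ne 0 ]; then
 fail "ssh cert connect failed"
@@ -144,7 +144,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
 printf 'cert-authority,principals="gregorsamsa" '
 cat $OBJ/user_ca_key.pub
 ) > $OBJ/authorized_keys_$USER
-${SSH} -2i $OBJ/cert_user_key \
+${SSH} -i $OBJ/cert_user_key \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 fail "ssh cert connect succeeded unexpectedly"
@@ -156,7 +156,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
 printf 'cert-authority,principals="mekmitasdigoat" '
 cat $OBJ/user_ca_key.pub
 ) > $OBJ/authorized_keys_$USER
-${SSH} -2i $OBJ/cert_user_key \
+${SSH} -i $OBJ/cert_user_key \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -ne 0 ]; then
 fail "ssh cert connect failed"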
diff --git a/regress/proto-mismatch.sh b/regress/proto-mismatch.sh index 9e8024beb..6ab28c9a7 100644 --- a/regress/proto-mismatch.sh +++ b/regress/proto-mismatch.sh | |||
@@ -1,21 +1,17 @@ | |||
1 | # $OpenBSD: proto-mismatch.sh,v 1.4 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: proto-mismatch.sh,v 1.5 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="protocol version mismatch" | 4 | tid="protocol version mismatch" |
5 | 5 | ||
6 | mismatch () | 6 | mismatch () |
7 | { | 7 | { |
8 | server=$1 | ||
9 | client=$2 | 8 | client=$2 |
10 | banner=`echo ${client} | ${SSHD} -o "Protocol=${server}" -i -f ${OBJ}/sshd_proxy` | 9 | banner=`echo ${client} | ${SSHD} -i -f ${OBJ}/sshd_proxy` |
11 | r=$? | 10 | r=$? |
12 | trace "sshd prints ${banner}" | 11 | trace "sshd prints ${banner}" |
13 | if [ $r -ne 255 ]; then | 12 | if [ $r -ne 255 ]; then |
14 | fail "sshd prints ${banner} and accepts connect with version ${client}" | 13 | fail "sshd prints ${banner} but accepts version ${client}" |
15 | fi | 14 | fi |
16 | } | 15 | } |
17 | 16 | ||
18 | mismatch 2 SSH-1.5-HALLO | 17 | mismatch SSH-1.5-HALLO |
19 | if ssh_version 1; then | ||
20 | mismatch 1 SSH-2.0-HALLO | ||
21 | fi | ||
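Review bot: `mismatch` still takes its client banner from `$2` on the new side, but the only remaining call, `mismatch SSH-1.5-HALLO`, now passes the banner as the first argument, so `${client}` expands to the empty string. sshd is then fed an empty line instead of an SSH-1.5 identification string, and the test can still see exit status 255 without exercising the version-mismatch rejection it is named for. The assignment should move down with the removed `server=$1` parameter: `client=$1`.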
diff --git a/regress/proto-version.sh b/regress/proto-version.sh index cf4946115..1f33b1f00 100644 --- a/regress/proto-version.sh +++ b/regress/proto-version.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: proto-version.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: proto-version.sh,v 1.7 2017/06/07 01:48:15 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="sshd version with different protocol combinations" | 4 | tid="sshd version with different protocol combinations" |
@@ -6,9 +6,8 @@ tid="sshd version with different protocol combinations" | |||
6 | # we just start sshd in inetd mode and check the banner | 6 | # we just start sshd in inetd mode and check the banner |
7 | check_version () | 7 | check_version () |
8 | { | 8 | { |
9 | version=$1 | 9 | expect=$1 |
10 | expect=$2 | 10 | banner=`printf '' | ${SSHD} -i -f ${OBJ}/sshd_proxy` |
11 | banner=`printf '' | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy` | ||
12 | case ${banner} in | 11 | case ${banner} in |
13 | SSH-1.99-*) | 12 | SSH-1.99-*) |
14 | proto=199 | 13 | proto=199 |
@@ -24,13 +23,8 @@ check_version () | |||
24 | ;; | 23 | ;; |
25 | esac | 24 | esac |
26 | if [ ${expect} -ne ${proto} ]; then | 25 | if [ ${expect} -ne ${proto} ]; then |
27 | fail "wrong protocol version ${banner} for ${version}" | 26 | fail "wrong protocol version ${banner}" |
28 | fi | 27 | fi |
29 | } | 28 | } |
30 | 29 | ||
31 | check_version 2 20 | 30 | check_version 20 |
32 | if ssh_version 1; then | ||
33 | check_version 2,1 199 | ||
34 | check_version 1,2 199 | ||
35 | check_version 1 15 | ||
36 | fi | ||
diff --git a/regress/proxy-connect.sh b/regress/proxy-connect.sh index b7a43fabe..f1b9d9f76 100644 --- a/regress/proxy-connect.sh +++ b/regress/proxy-connect.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: proxy-connect.sh,v 1.9 2016/02/17 02:24:17 djm Exp $ | 1 | # $OpenBSD: proxy-connect.sh,v 1.10 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="proxy connect" | 4 | tid="proxy connect" |
@@ -6,27 +6,22 @@ tid="proxy connect" | |||
6 | mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig | 6 | mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig |
7 | 7 | ||
8 | for ps in no yes; do | 8 | for ps in no yes; do |
9 | cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy | 9 | cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy |
10 | echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy | 10 | echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy |
11 | 11 | for c in no yes; do | |
12 | for p in ${SSH_PROTOCOLS}; do | 12 | verbose "plain username privsep=$ps comp=$c" |
13 | for c in no yes; do | 13 | opts="-oCompression=$c -F $OBJ/ssh_proxy" |
14 | verbose "plain username protocol $p privsep=$ps comp=$c" | 14 | SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'` |
15 | opts="-$p -oCompression=$c -F $OBJ/ssh_proxy" | 15 | if [ $? -ne 0 ]; then |
16 | SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'` | 16 | fail "ssh proxyconnect privsep=$ps comp=$c failed" |
17 | if [ $? -ne 0 ]; then | 17 | fi |
18 | fail "ssh proxyconnect protocol $p privsep=$ps comp=$c failed" | 18 | if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then |
19 | fi | 19 | fail "bad SSH_CONNECTION privsep=$ps comp=$c: " \ |
20 | if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then | 20 | "$SSH_CONNECTION" |
21 | fail "bad SSH_CONNECTION protocol $p privsep=$ps comp=$c: " \ | 21 | fi |
22 | "$SSH_CONNECTION" | 22 | done |
23 | fi | ||
24 | done | ||
25 | done | ||
26 | done | 23 | done |
27 | 24 | ||
28 | for p in ${SSH_PROTOCOLS}; do | 25 | verbose "username with style" |
29 | verbose "username with style protocol $p" | 26 | ${SSH} -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \ |
30 | ${SSH} -$p -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \ | 27 | fail "ssh proxyconnect failed" |
31 | fail "ssh proxyconnect protocol $p failed" | ||
32 | done | ||
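--- a/regress/putty-ciphers.sh
+++ b/regress/putty-ciphers.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: putty-ciphers.sh,v 1.5 2016/11/25 03:02:01 dtucker Exp $
+# $OpenBSD: putty-ciphers.sh,v 1.6 2017/05/08 01:52:49 djm Exp $
 # Placed in the Public Domain.
 
 tid="putty ciphers"
@@ -8,7 +8,7 @@ if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
 exit 0
 fi
 
-for c in aes blowfish 3des arcfour aes128-ctr aes192-ctr aes256-ctr ; do
+for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do
 verbose "$tid: cipher $c"
 cp ${OBJ}/.putty/sessions/localhost_proxy \
 ${OBJ}/.putty/sessions/cipher_$c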
diff --git a/regress/putty-transfer.sh b/regress/putty-transfer.sh index 8eb6ae0c0..32c79f9ea 100644 --- a/regress/putty-transfer.sh +++ b/regress/putty-transfer.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: putty-transfer.sh,v 1.4 2016/11/25 03:02:01 dtucker Exp $ | 1 | # $OpenBSD: putty-transfer.sh,v 1.5 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="putty transfer data" | 4 | tid="putty transfer data" |
@@ -8,33 +8,30 @@ if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then | |||
8 | exit 0 | 8 | exit 0 |
9 | fi | 9 | fi |
10 | 10 | ||
11 | # XXX support protocol 1 too | 11 | for c in 0 1 ; do |
12 | for p in 2; do | 12 | verbose "$tid: compression $c" |
13 | for c in 0 1 ; do | 13 | rm -f ${COPY} |
14 | verbose "$tid: proto $p compression $c" | 14 | cp ${OBJ}/.putty/sessions/localhost_proxy \ |
15 | ${OBJ}/.putty/sessions/compression_$c | ||
16 | echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k | ||
17 | env HOME=$PWD ${PLINK} -load compression_$c -batch \ | ||
18 | -i putty.rsa cat ${DATA} > ${COPY} | ||
19 | if [ $? -ne 0 ]; then | ||
20 | fail "ssh cat $DATA failed" | ||
21 | fi | ||
22 | cmp ${DATA} ${COPY} || fail "corrupted copy" | ||
23 | |||
24 | for s in 10 100 1k 32k 64k 128k 256k; do | ||
25 | trace "compression $c dd-size ${s}" | ||
15 | rm -f ${COPY} | 26 | rm -f ${COPY} |
16 | cp ${OBJ}/.putty/sessions/localhost_proxy \ | 27 | dd if=$DATA obs=${s} 2> /dev/null | \ |
17 | ${OBJ}/.putty/sessions/compression_$c | 28 | env HOME=$PWD ${PLINK} -load compression_$c \ |
18 | echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k | 29 | -batch -i putty.rsa \ |
19 | env HOME=$PWD ${PLINK} -load compression_$c -batch \ | 30 | "cat > ${COPY}" |
20 | -i putty.rsa$p cat ${DATA} > ${COPY} | ||
21 | if [ $? -ne 0 ]; then | 31 | if [ $? -ne 0 ]; then |
22 | fail "ssh cat $DATA failed" | 32 | fail "ssh cat $DATA failed" |
23 | fi | 33 | fi |
24 | cmp ${DATA} ${COPY} || fail "corrupted copy" | 34 | cmp $DATA ${COPY} || fail "corrupted copy" |
25 | |||
26 | for s in 10 100 1k 32k 64k 128k 256k; do | ||
27 | trace "proto $p compression $c dd-size ${s}" | ||
28 | rm -f ${COPY} | ||
29 | dd if=$DATA obs=${s} 2> /dev/null | \ | ||
30 | env HOME=$PWD ${PLINK} -load compression_$c \ | ||
31 | -batch -i putty.rsa$p \ | ||
32 | "cat > ${COPY}" | ||
33 | if [ $? -ne 0 ]; then | ||
34 | fail "ssh cat $DATA failed" | ||
35 | fi | ||
36 | cmp $DATA ${COPY} || fail "corrupted copy" | ||
37 | done | ||
38 | done | 35 | done |
39 | done | 36 | done |
40 | rm -f ${COPY} | 37 | rm -f ${COPY} |
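Review bot: The re-indented line `echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k` still appends to a `kex_$k` session file, while the session that `${PLINK} -load compression_$c` actually loads is the copy made on the two lines above it. `$k` is not assigned anywhere in the visible hunks, so the `Compression=` setting presumably never reaches the session under test and both loop iterations run with the same configuration. The append should target the copied session: `echo "Compression=$c" >> ${OBJ}/.putty/sessions/compression_$c`. Lines 5-7 of the script are outside the hunks shown, so confirm `$k` is not set there.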
diff --git a/regress/reconfigure.sh b/regress/reconfigure.sh index eecddd3c7..dd15eddb2 100644 --- a/regress/reconfigure.sh +++ b/regress/reconfigure.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: reconfigure.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: reconfigure.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="simple connect after reconfigure" | 4 | tid="simple connect after reconfigure" |
@@ -18,12 +18,10 @@ fi | |||
18 | start_sshd | 18 | start_sshd |
19 | 19 | ||
20 | trace "connect before restart" | 20 | trace "connect before restart" |
21 | for p in ${SSH_PROTOCOLS} ; do | 21 | ${SSH} -F $OBJ/ssh_config somehost true |
22 | ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true | 22 | if [ $? -ne 0 ]; then |
23 | if [ $? -ne 0 ]; then | 23 | fail "ssh connect with failed before reconfigure" |
24 | fail "ssh connect with protocol $p failed before reconfigure" | 24 | fi |
25 | fi | ||
26 | done | ||
27 | 25 | ||
28 | PID=`$SUDO cat $PIDFILE` | 26 | PID=`$SUDO cat $PIDFILE` |
29 | rm -f $PIDFILE | 27 | rm -f $PIDFILE |
@@ -39,9 +37,7 @@ done | |||
39 | test -f $PIDFILE || fatal "sshd did not restart" | 37 | test -f $PIDFILE || fatal "sshd did not restart" |
40 | 38 | ||
41 | trace "connect after restart" | 39 | trace "connect after restart" |
42 | for p in ${SSH_PROTOCOLS} ; do | 40 | ${SSH} -F $OBJ/ssh_config somehost true |
43 | ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true | 41 | if [ $? -ne 0 ]; then |
44 | if [ $? -ne 0 ]; then | 42 | fail "ssh connect with failed after reconfigure" |
45 | fail "ssh connect with protocol $p failed after reconfigure" | 43 | fi |
46 | fi | ||
47 | done | ||
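Review bot: Both new failure messages keep a dangling "with" left over from dropping `protocol $p`: `fail "ssh connect with failed before reconfigure"` and the matching `after reconfigure` line in the second hunk. Suggested wording is `fail "ssh connect failed before reconfigure"` and `fail "ssh connect failed after reconfigure"`, so a failing run leaves a log line that reads cleanly and is easy to grep.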
diff --git a/regress/reexec.sh b/regress/reexec.sh index 72957d4cd..2192456cd 100644 --- a/regress/reexec.sh +++ b/regress/reexec.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: reexec.sh,v 1.10 2016/12/16 01:06:27 dtucker Exp $ | 1 | # $OpenBSD: reexec.sh,v 1.12 2017/08/07 03:52:55 dtucker Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="reexec tests" | 4 | tid="reexec tests" |
@@ -19,16 +19,13 @@ start_sshd_copy () | |||
19 | copy_tests () | 19 | copy_tests () |
20 | { | 20 | { |
21 | rm -f ${COPY} | 21 | rm -f ${COPY} |
22 | for p in ${SSH_PROTOCOLS} ; do | 22 | ${SSH} -nq -F $OBJ/ssh_config somehost \ |
23 | verbose "$tid: proto $p" | 23 | cat ${DATA} > ${COPY} |
24 | ${SSH} -nqo "Protocol=$p" -F $OBJ/ssh_config somehost \ | 24 | if [ $? -ne 0 ]; then |
25 | cat ${DATA} > ${COPY} | 25 | fail "ssh cat $DATA failed" |
26 | if [ $? -ne 0 ]; then | 26 | fi |
27 | fail "ssh cat $DATA failed" | 27 | cmp ${DATA} ${COPY} || fail "corrupted copy" |
28 | fi | 28 | rm -f ${COPY} |
29 | cmp ${DATA} ${COPY} || fail "corrupted copy" | ||
30 | rm -f ${COPY} | ||
31 | done | ||
32 | } | 29 | } |
33 | 30 | ||
34 | verbose "test config passing" | 31 | verbose "test config passing" |
@@ -54,17 +51,4 @@ rm -f $SSHD_COPY | |||
54 | copy_tests | 51 | copy_tests |
55 | 52 | ||
56 | stop_sshd | 53 | stop_sshd |
57 | |||
58 | verbose "test reexec fallback without privsep" | ||
59 | |||
60 | cp $OBJ/sshd_config.orig $OBJ/sshd_config | ||
61 | echo "UsePrivilegeSeparation=no" >> $OBJ/sshd_config | ||
62 | |||
63 | start_sshd_copy | ||
64 | rm -f $SSHD_COPY | ||
65 | |||
66 | copy_tests | ||
67 | |||
68 | stop_sshd | ||
69 | |||
70 | fi | 54 | fi |
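--- a/regress/ssh-com.sh
+++ b/regress/ssh-com.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: ssh-com.sh,v 1.9 2015/05/08 07:29:00 djm Exp $
+# $OpenBSD: ssh-com.sh,v 1.10 2017/05/08 01:52:49 djm Exp $
 # Placed in the Public Domain.
 
 tid="connect to ssh.com server"
@@ -87,7 +87,7 @@ for v in ${VERSIONS}; do
 fail "ssh connect to sshd2 ${v} failed"
 fi
 
-ciphers="3des-cbc blowfish-cbc arcfour"
+ciphers="3des-cbc"
 macs="hmac-md5"
 case $v in
 2.4.*)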
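--- a/regress/stderr-after-eof.sh
+++ b/regress/stderr-after-eof.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: stderr-after-eof.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $
+# $OpenBSD: stderr-after-eof.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="stderr data after eof"
@@ -10,7 +10,7 @@ for i in 1 2 3 4 5 6; do
 (date;echo $i) | md5 >> ${DATA}
 done
 
-${SSH} -2 -F $OBJ/ssh_proxy otherhost \
+${SSH} -F $OBJ/ssh_proxy otherhost \
 exec sh -c \'"exec > /dev/null; sleep 2; cat ${DATA} 1>&2 $s"\' \
 2> ${COPY}
 r=$?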
diff --git a/regress/stderr-data.sh b/regress/stderr-data.sh index 8c8149a73..0ceb72b3a 100644 --- a/regress/stderr-data.sh +++ b/regress/stderr-data.sh | |||
@@ -1,13 +1,12 @@ | |||
1 | # $OpenBSD: stderr-data.sh,v 1.4 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: stderr-data.sh,v 1.5 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="stderr data transfer" | 4 | tid="stderr data transfer" |
5 | 5 | ||
6 | for n in '' -n; do | 6 | for n in '' -n; do |
7 | for p in ${SSH_PROTOCOLS}; do | 7 | verbose "test $tid: ($n)" |
8 | verbose "test $tid: proto $p ($n)" | 8 | ${SSH} $n -F $OBJ/ssh_proxy otherhost exec \ |
9 | ${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \ | 9 | sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ |
10 | exec sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ | ||
11 | 2> ${COPY} | 10 | 2> ${COPY} |
12 | r=$? | 11 | r=$? |
13 | if [ $r -ne 0 ]; then | 12 | if [ $r -ne 0 ]; then |
@@ -16,8 +15,8 @@ for p in ${SSH_PROTOCOLS}; do | |||
16 | cmp ${DATA} ${COPY} || fail "stderr corrupt" | 15 | cmp ${DATA} ${COPY} || fail "stderr corrupt" |
17 | rm -f ${COPY} | 16 | rm -f ${COPY} |
18 | 17 | ||
19 | ${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \ | 18 | ${SSH} $n -F $OBJ/ssh_proxy otherhost exec \ |
20 | exec sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ | 19 | sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ |
21 | > /dev/null 2> ${COPY} | 20 | > /dev/null 2> ${COPY} |
22 | r=$? | 21 | r=$? |
23 | if [ $r -ne 0 ]; then | 22 | if [ $r -ne 0 ]; then |
@@ -26,4 +25,3 @@ for p in ${SSH_PROTOCOLS}; do | |||
26 | cmp ${DATA} ${COPY} || fail "stderr corrupt" | 25 | cmp ${DATA} ${COPY} || fail "stderr corrupt" |
27 | rm -f ${COPY} | 26 | rm -f ${COPY} |
28 | done | 27 | done |
29 | done | ||
diff --git a/regress/test-exec.sh b/regress/test-exec.sh index dc033cd96..68f010b70 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: test-exec.sh,v 1.59 2017/02/07 23:03:11 dtucker Exp $ | 1 | # $OpenBSD: test-exec.sh,v 1.61 2017/07/28 10:32:08 dtucker Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | #SUDO=sudo | 4 | #SUDO=sudo |
@@ -130,12 +130,6 @@ if [ "x$TEST_SSH_CONCH" != "x" ]; then | |||
130 | esac | 130 | esac |
131 | fi | 131 | fi |
132 | 132 | ||
133 | SSH_PROTOCOLS=2 | ||
134 | #SSH_PROTOCOLS=`$SSH -Q protocol-version` | ||
135 | if [ "x$TEST_SSH_PROTOCOLS" != "x" ]; then | ||
136 | SSH_PROTOCOLS="${TEST_SSH_PROTOCOLS}" | ||
137 | fi | ||
138 | |||
139 | # Path to sshd must be absolute for rexec | 133 | # Path to sshd must be absolute for rexec |
140 | case "$SSHD" in | 134 | case "$SSHD" in |
141 | /*) ;; | 135 | /*) ;; |
@@ -310,8 +304,15 @@ stop_sshd () | |||
310 | i=`expr $i + 1` | 304 | i=`expr $i + 1` |
311 | sleep $i | 305 | sleep $i |
312 | done | 306 | done |
313 | test -f $PIDFILE && \ | 307 | if test -f $PIDFILE; then |
314 | fatal "sshd didn't exit port $PORT pid $pid" | 308 | if $SUDO kill -0 $pid; then |
309 | echo "sshd didn't exit " \ | ||
310 | "port $PORT pid $pid" | ||
311 | else | ||
312 | echo "sshd died without cleanup" | ||
313 | fi | ||
314 | exit 1 | ||
315 | fi | ||
315 | fi | 316 | fi |
316 | fi | 317 | fi |
317 | fi | 318 | fi |
@@ -386,22 +387,11 @@ fatal () | |||
386 | exit $RESULT | 387 | exit $RESULT |
387 | } | 388 | } |
388 | 389 | ||
389 | ssh_version () | ||
390 | { | ||
391 | echo ${SSH_PROTOCOLS} | grep "$1" >/dev/null | ||
392 | } | ||
393 | |||
394 | RESULT=0 | 390 | RESULT=0 |
395 | PIDFILE=$OBJ/pidfile | 391 | PIDFILE=$OBJ/pidfile |
396 | 392 | ||
397 | trap fatal 3 2 | 393 | trap fatal 3 2 |
398 | 394 | ||
399 | if ssh_version 1; then | ||
400 | PROTO="2,1" | ||
401 | else | ||
402 | PROTO="2" | ||
403 | fi | ||
404 | |||
405 | # create server config | 395 | # create server config |
406 | cat << EOF > $OBJ/sshd_config | 396 | cat << EOF > $OBJ/sshd_config |
407 | StrictModes no | 397 | StrictModes no |
@@ -460,11 +450,8 @@ fi | |||
460 | 450 | ||
461 | rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER | 451 | rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER |
462 | 452 | ||
463 | if ssh_version 1; then | 453 | SSH_KEYTYPES="rsa ed25519" |
464 | SSH_KEYTYPES="rsa rsa1" | 454 | |
465 | else | ||
466 | SSH_KEYTYPES="rsa ed25519" | ||
467 | fi | ||
468 | trace "generate keys" | 455 | trace "generate keys" |
469 | for t in ${SSH_KEYTYPES}; do | 456 | for t in ${SSH_KEYTYPES}; do |
470 | # generate user key | 457 | # generate user key |
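Review bot: In the `stop_sshd` hunk the new branch reports a surviving or orphaned sshd with a bare `echo` followed by `exit 1`, where the old code called `fatal`, and nothing on the page says why. The message now goes to stdout only, and whatever `fatal` does before its visible `exit $RESULT` is skipped; its body starts outside the hunk. If the bypass is deliberate, a one-line comment above the `if test -f $PIDFILE; then` block stating the reason would keep a later cleanup from switching it back. Separately, `$SUDO kill -0 $pid` writes its own error when the process is already gone, so `$SUDO kill -0 $pid 2>/dev/null` would keep the "sshd died without cleanup" line readable.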
diff --git a/regress/transfer.sh b/regress/transfer.sh index 36c14634a..cf174a006 100644 --- a/regress/transfer.sh +++ b/regress/transfer.sh | |||
@@ -1,26 +1,23 @@ | |||
1 | # $OpenBSD: transfer.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ | 1 | # $OpenBSD: transfer.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="transfer data" | 4 | tid="transfer data" |
5 | 5 | ||
6 | for p in ${SSH_PROTOCOLS}; do | 6 | rm -f ${COPY} |
7 | verbose "$tid: proto $p" | 7 | ${SSH} -n -q -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY} |
8 | if [ $? -ne 0 ]; then | ||
9 | fail "ssh cat $DATA failed" | ||
10 | fi | ||
11 | cmp ${DATA} ${COPY} || fail "corrupted copy" | ||
12 | |||
13 | for s in 10 100 1k 32k 64k 128k 256k; do | ||
14 | trace "dd-size ${s}" | ||
8 | rm -f ${COPY} | 15 | rm -f ${COPY} |
9 | ${SSH} -n -q -$p -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY} | 16 | dd if=$DATA obs=${s} 2> /dev/null | \ |
17 | ${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}" | ||
10 | if [ $? -ne 0 ]; then | 18 | if [ $? -ne 0 ]; then |
11 | fail "ssh cat $DATA failed" | 19 | fail "ssh cat $DATA failed" |
12 | fi | 20 | fi |
13 | cmp ${DATA} ${COPY} || fail "corrupted copy" | 21 | cmp $DATA ${COPY} || fail "corrupted copy" |
14 | |||
15 | for s in 10 100 1k 32k 64k 128k 256k; do | ||
16 | trace "proto $p dd-size ${s}" | ||
17 | rm -f ${COPY} | ||
18 | dd if=$DATA obs=${s} 2> /dev/null | \ | ||
19 | ${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}" | ||
20 | if [ $? -ne 0 ]; then | ||
21 | fail "ssh cat $DATA failed" | ||
22 | fi | ||
23 | cmp $DATA ${COPY} || fail "corrupted copy" | ||
24 | done | ||
25 | done | 22 | done |
26 | rm -f ${COPY} | 23 | rm -f ${COPY} |
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index 889a735d2..e04268ba3 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: try-ciphers.sh,v 1.25 2015/03/24 20:22:17 markus Exp $ | 1 | # $OpenBSD: try-ciphers.sh,v 1.26 2017/04/30 23:34:55 djm Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="try ciphers" | 4 | tid="try ciphers" |
@@ -8,14 +8,14 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | |||
8 | for c in `${SSH} -Q cipher`; do | 8 | for c in `${SSH} -Q cipher`; do |
9 | n=0 | 9 | n=0 |
10 | for m in `${SSH} -Q mac`; do | 10 | for m in `${SSH} -Q mac`; do |
11 | trace "proto 2 cipher $c mac $m" | 11 | trace "cipher $c mac $m" |
12 | verbose "test $tid: proto 2 cipher $c mac $m" | 12 | verbose "test $tid: cipher $c mac $m" |
13 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy | 13 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy |
14 | echo "Ciphers=$c" >> $OBJ/sshd_proxy | 14 | echo "Ciphers=$c" >> $OBJ/sshd_proxy |
15 | echo "MACs=$m" >> $OBJ/sshd_proxy | 15 | echo "MACs=$m" >> $OBJ/sshd_proxy |
16 | ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true | 16 | ${SSH} -F $OBJ/ssh_proxy -m $m -c $c somehost true |
17 | if [ $? -ne 0 ]; then | 17 | if [ $? -ne 0 ]; then |
18 | fail "ssh -2 failed with mac $m cipher $c" | 18 | fail "ssh failed with mac $m cipher $c" |
19 | fi | 19 | fi |
20 | # No point trying all MACs for AEAD ciphers since they | 20 | # No point trying all MACs for AEAD ciphers since they |
21 | # are ignored. | 21 | # are ignored. |
@@ -26,17 +26,3 @@ for c in `${SSH} -Q cipher`; do | |||
26 | done | 26 | done |
27 | done | 27 | done |
28 | 28 | ||
29 | if ssh_version 1; then | ||
30 | ciphers="3des blowfish" | ||
31 | else | ||
32 | ciphers="" | ||
33 | fi | ||
34 | for c in $ciphers; do | ||
35 | trace "proto 1 cipher $c" | ||
36 | verbose "test $tid: proto 1 cipher $c" | ||
37 | ${SSH} -F $OBJ/ssh_proxy -1 -c $c somehost true | ||
38 | if [ $? -ne 0 ]; then | ||
39 | fail "ssh -1 failed with cipher $c" | ||
40 | fi | ||
41 | done | ||
42 | |||
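--- a/regress/unittests/Makefile.inc
+++ b/regress/unittests/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.9 2016/11/01 13:43:27 tb Exp $
+# $OpenBSD: Makefile.inc,v 1.11 2017/04/30 23:33:48 djm Exp $
 
 .include <bsd.own.mk>
 .include <bsd.obj.mk>
@@ -30,7 +30,7 @@ CDIAGFLAGS+= -Wswitch
 CDIAGFLAGS+= -Wtrigraphs
 CDIAGFLAGS+= -Wuninitialized
 CDIAGFLAGS+= -Wunused
-.if ${COMPILER_VERSION} == "gcc4"
+.if ${COMPILER_VERSION:L} != "gcc3"
 CDIAGFLAGS+= -Wpointer-sign
 CDIAGFLAGS+= -Wold-style-definition
 .endif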
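Review bot: The new condition `.if ${COMPILER_VERSION:L} != "gcc3"` relies on `:L` being OpenBSD make's lowercase modifier, and the file does not say so. In bmake `:L` yields the variable's name rather than its lowercased value (lowercase there is `:tl`), so the comparison would always be true. A comment above the test would record this, for example `# :L lowercases (OpenBSD make); enabled for every compiler except gcc3`. It would also make explicit that switching from `== "gcc4"` to a negated test turns on `-Wpointer-sign` and `-Wold-style-definition` for any other `COMPILER_VERSION` value, not just gcc4.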
diff --git a/regress/unittests/hostkeys/mktestdata.sh b/regress/unittests/hostkeys/mktestdata.sh index 36890ba11..5a46de990 100644 --- a/regress/unittests/hostkeys/mktestdata.sh +++ b/regress/unittests/hostkeys/mktestdata.sh | |||
@@ -1,11 +1,11 @@ | |||
1 | #!/bin/sh | 1 | #!/bin/sh |
2 | # $OpenBSD: mktestdata.sh,v 1.1 2015/02/16 22:18:34 djm Exp $ | 2 | # $OpenBSD: mktestdata.sh,v 1.2 2017/04/30 23:33:48 djm Exp $ |
3 | 3 | ||
4 | set -ex | 4 | set -ex |
5 | 5 | ||
6 | cd testdata | 6 | cd testdata |
7 | 7 | ||
8 | rm -f rsa1* rsa* dsa* ecdsa* ed25519* | 8 | rm -f rsa* dsa* ecdsa* ed25519* |
9 | rm -f known_hosts* | 9 | rm -f known_hosts* |
10 | 10 | ||
11 | gen_all() { | 11 | gen_all() { |
@@ -13,13 +13,12 @@ gen_all() { | |||
13 | _ecdsa_bits=256 | 13 | _ecdsa_bits=256 |
14 | test "x$_n" = "x1" && _ecdsa_bits=384 | 14 | test "x$_n" = "x1" && _ecdsa_bits=384 |
15 | test "x$_n" = "x2" && _ecdsa_bits=521 | 15 | test "x$_n" = "x2" && _ecdsa_bits=521 |
16 | ssh-keygen -qt rsa1 -b 1024 -C "RSA1 #$_n" -N "" -f rsa1_$_n | ||
17 | ssh-keygen -qt rsa -b 1024 -C "RSA #$_n" -N "" -f rsa_$_n | 16 | ssh-keygen -qt rsa -b 1024 -C "RSA #$_n" -N "" -f rsa_$_n |
18 | ssh-keygen -qt dsa -b 1024 -C "DSA #$_n" -N "" -f dsa_$_n | 17 | ssh-keygen -qt dsa -b 1024 -C "DSA #$_n" -N "" -f dsa_$_n |
19 | ssh-keygen -qt ecdsa -b $_ecdsa_bits -C "ECDSA #$_n" -N "" -f ecdsa_$_n | 18 | ssh-keygen -qt ecdsa -b $_ecdsa_bits -C "ECDSA #$_n" -N "" -f ecdsa_$_n |
20 | ssh-keygen -qt ed25519 -C "ED25519 #$_n" -N "" -f ed25519_$_n | 19 | ssh-keygen -qt ed25519 -C "ED25519 #$_n" -N "" -f ed25519_$_n |
21 | # Don't need private keys | 20 | # Don't need private keys |
22 | rm -f rsa1_$_n rsa_$_n dsa_$_n ecdsa_$_n ed25519_$_n | 21 | rm -f rsa_$_n dsa_$_n ecdsa_$_n ed25519_$_n |
23 | } | 22 | } |
24 | 23 | ||
25 | hentries() { | 24 | hentries() { |
@@ -64,7 +63,6 @@ rm -f known_hosts_hash_frag.old | |||
64 | echo | 63 | echo |
65 | 64 | ||
66 | echo "# Revoked and CA keys" | 65 | echo "# Revoked and CA keys" |
67 | printf "@revoked sisyphus.example.com " ; cat rsa1_4.pub | ||
68 | printf "@revoked sisyphus.example.com " ; cat ed25519_4.pub | 66 | printf "@revoked sisyphus.example.com " ; cat ed25519_4.pub |
69 | printf "@cert-authority prometheus.example.com " ; cat ecdsa_4.pub | 67 | printf "@cert-authority prometheus.example.com " ; cat ecdsa_4.pub |
70 | printf "@cert-authority *.example.com " ; cat dsa_4.pub | 68 | printf "@cert-authority *.example.com " ; cat dsa_4.pub |
@@ -72,19 +70,13 @@ rm -f known_hosts_hash_frag.old | |||
72 | printf "\n" | 70 | printf "\n" |
73 | echo "# Some invalid lines" | 71 | echo "# Some invalid lines" |
74 | # Invalid marker | 72 | # Invalid marker |
75 | printf "@what sisyphus.example.com " ; cat rsa1_1.pub | 73 | printf "@what sisyphus.example.com " ; cat dsa_1.pub |
76 | # Key missing | 74 | # Key missing |
77 | echo "sisyphus.example.com " | 75 | echo "sisyphus.example.com " |
78 | # Key blob missing | 76 | # Key blob missing |
79 | echo "prometheus.example.com ssh-ed25519 " | 77 | echo "prometheus.example.com ssh-ed25519 " |
80 | # Key blob truncated | 78 | # Key blob truncated |
81 | echo "sisyphus.example.com ssh-dsa AAAATgAAAAdz" | 79 | echo "sisyphus.example.com ssh-dsa AAAATgAAAAdz" |
82 | # RSA1 key truncated after key bits | ||
83 | echo "prometheus.example.com 1024 " | ||
84 | # RSA1 key truncated after exponent | ||
85 | echo "sisyphus.example.com 1024 65535 " | ||
86 | # RSA1 key incorrect key bits | ||
87 | printf "prometheus.example.com 1025 " ; cut -d' ' -f2- < rsa1_1.pub | ||
88 | # Invalid type | 80 | # Invalid type |
89 | echo "sisyphus.example.com ssh-XXX AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg==" | 81 | echo "sisyphus.example.com ssh-XXX AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg==" |
90 | # Type mismatch with blob | 82 | # Type mismatch with blob |
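--- a/regress/unittests/hostkeys/test_iterate.c
+++ b/regress/unittests/hostkeys/test_iterate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_iterate.c,v 1.4 2015/03/31 22:59:01 djm Exp $ */
+/* $OpenBSD: test_iterate.c,v 1.5 2017/04/30 23:33:48 djm Exp $ */
 /*
 * Regress test for hostfile.h hostkeys_foreach()
 *
@@ -90,14 +90,6 @@ check(struct hostkey_foreach_line *l, void *_ctx)
 expected_keytype = (parse_key || expected->no_parse_keytype < 0) ?
 expected->l.keytype : expected->no_parse_keytype;
 
-#ifndef WITH_SSH1
-if (parse_key && (expected->l.keytype == KEY_RSA1 ||
-expected->no_parse_keytype == KEY_RSA1)) {
-expected_status = HKF_STATUS_INVALID;
-expected_keytype = KEY_UNSPEC;
-parse_key = 0;
-}
-#endif
 #ifndef OPENSSL_HAS_ECC
 if (expected->l.keytype == KEY_ECDSA ||
 expected->no_parse_keytype == KEY_ECDSA) {
@@ -150,10 +142,6 @@ prepare_expected(struct expected *expected, size_t n)
 for (i = 0; i < n; i++) {
 if (expected[i].key_file == NULL)
 continue;
-#ifndef WITH_SSH1
-if (expected[i].l.keytype == KEY_RSA1)
-continue;
-#endif
 #ifndef OPENSSL_HAS_ECC
 if (expected[i].l.keytype == KEY_ECDSA)
 continue;
@@ -217,22 +205,9 @@ struct expected expected_full[] = {
 NULL, /* filled at runtime */
 "ED25519 #1",
 } },
-{ "rsa1_1.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, {
-NULL,
-5,
-HKF_STATUS_OK,
-0,
-NULL,
-MRK_NONE,
-"sisyphus.example.com",
-NULL,
-KEY_RSA1,
-NULL, /* filled at runtime */
-"RSA1 #1",
-} },
 { "rsa_1.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, {
 NULL,
-6,
+5,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -245,7 +220,7 @@ struct expected expected_full[] = {
 } },
 { NULL, -1, -1, 0, 0, 0, 0, -1, {
 NULL,
-7,
+6,
 HKF_STATUS_COMMENT,
 0,
 "",
@@ -258,7 +233,7 @@ struct expected expected_full[] = {
 } },
 { NULL, -1, -1, 0, 0, 0, 0, -1, {
 NULL,
-8,
+7,
 HKF_STATUS_COMMENT,
 0,
 "# Plain host keys, hostnames + addresses",
@@ -271,7 +246,7 @@ struct expected expected_full[] = {
 } },
 { "dsa_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
 NULL,
-9,
+8,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -284,7 +259,7 @@ struct expected expected_full[] = {
 } },
 { "ecdsa_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
 NULL,
-10,
+9,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -297,7 +272,7 @@ struct expected expected_full[] = {
 } },
 { "ed25519_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
 NULL,
-11,
+10,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -308,22 +283,9 @@ struct expected expected_full[] = {
 NULL, /* filled at runtime */
 "ED25519 #2",
 } },
-{ "rsa1_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
-NULL,
-12,
-HKF_STATUS_OK,
-0,
-NULL,
-MRK_NONE,
-"prometheus.example.com,192.0.2.1,2001:db8::1",
-NULL,
-KEY_RSA1,
-NULL, /* filled at runtime */
-"RSA1 #2",
-} },
 { "rsa_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
 NULL,
-13,
+11,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -336,7 +298,7 @@ struct expected expected_full[] = {
 } },
 { NULL, -1, -1, 0, 0, 0, 0, -1, {
 NULL,
-14,
+12,
 HKF_STATUS_COMMENT,
 0,
 "",
@@ -349,7 +311,7 @@ struct expected expected_full[] = {
 } },
 { NULL, -1, -1, 0, 0, 0, 0, -1, {
 NULL,
-15,
+13,
 HKF_STATUS_COMMENT,
 0,
 "# Some hosts with wildcard names / IPs",
@@ -362,7 +324,7 @@ struct expected expected_full[] = {
 } },
 { "dsa_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
 NULL,
-16,
+14,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -375,7 +337,7 @@ struct expected expected_full[] = {
 } },
 { "ecdsa_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
 NULL,
-17,
+15,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -388,7 +350,7 @@ struct expected expected_full[] = {
 } },
 { "ed25519_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
 NULL,
-18,
+16,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -399,22 +361,9 @@ struct expected expected_full[] = {
 NULL, /* filled at runtime */
 "ED25519 #3",
 } },
-{ "rsa1_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
-NULL,
-19,
-HKF_STATUS_OK,
-0,
-NULL,
-MRK_NONE,
-"*.example.com,192.0.2.*,2001:*",
-NULL,
-KEY_RSA1,
-NULL, /* filled at runtime */
-"RSA1 #3",
-} },
 { "rsa_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
 NULL,
-20,
+17,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -427,7 +376,7 @@ struct expected expected_full[] = {
 } },
 { NULL, -1, -1, 0, 0, 0, 0, -1, {
 NULL,
-21,
+18,
 HKF_STATUS_COMMENT,
 0,
 "",
@@ -440,7 +389,7 @@ struct expected expected_full[] = {
 } },
 { NULL, -1, -1, 0, 0, 0, 0, -1, {
 NULL,
-22,
+19,
 HKF_STATUS_COMMENT,
 0,
 "# Hashed hostname and address entries",
@@ -453,7 +402,7 @@ struct expected expected_full[] = {
 } },
 { "dsa_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, {
 NULL,
-23,
+20,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -466,7 +415,7 @@ struct expected expected_full[] = {
 } },
 { "ecdsa_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, {
 NULL,
-24,
+21,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -479,7 +428,7 @@ struct expected expected_full[] = {
 } },
 { "ed25519_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, {
 NULL,
-25,
+22,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -490,22 +439,9 @@ struct expected expected_full[] = {
 NULL, /* filled at runtime */
 "ED25519 #5",
 } },
-{ "rsa1_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, {
-NULL,
-26,
-HKF_STATUS_OK,
-0,
-NULL,
-MRK_NONE,
-NULL,
-NULL,
-KEY_RSA1,
-NULL, /* filled at runtime */
-"RSA1 #5",
-} },
 { "rsa_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, {
 NULL,
-27,
+23,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -518,7 +454,7 @@ struct expected expected_full[] = {
 } },
 { NULL, -1, -1, 0, 0, 0, 0, -1, {
 NULL,
-28,
+24,
 HKF_STATUS_COMMENT,
 0,
 "",
@@ -536,7 +472,7 @@ struct expected expected_full[] = {
 */
 { "dsa_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, {
 NULL,
-29,
+25,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -549,7 +485,7 @@ struct expected expected_full[] = {
 } },
 { "dsa_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, {
 NULL,
-30,
+26,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -562,7 +498,7 @@ struct expected expected_full[] = {
 } },
 { "dsa_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, {
 NULL,
-31,
+27,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -575,7 +511,7 @@ struct expected expected_full[] = {
 } },
 { "ecdsa_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, {
 NULL,
-32,
+28,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -588,7 +524,7 @@ struct expected expected_full[] = {
 } },
 { "ecdsa_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, {
 NULL,
-33,
+29,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -601,7 +537,7 @@ struct expected expected_full[] = {
 } },
 { "ecdsa_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, {
 NULL,
-34,
+30,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -614,7 +550,7 @@ struct expected expected_full[] = {
 } },
 { "ed25519_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, {
 NULL,
-35,
+31,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -627,7 +563,7 @@ struct expected expected_full[] = {
 } },
 { "ed25519_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, {
 NULL,
-36,
+32,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -640,7 +576,7 @@ struct expected expected_full[] = {
 } },
 { "ed25519_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, {
 NULL,
-37,
+33,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -651,48 +587,9 @@ struct expected expected_full[] = {
 NULL, /* filled at runtime */
 "ED25519 #6",
 } },
-{ "rsa1_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, {
-NULL,
-38,
-HKF_STATUS_OK,
-0,
-NULL,
-MRK_NONE,
-NULL,
-NULL,
-KEY_RSA1,
-NULL, /* filled at runtime */
-"RSA1 #6",
-} },
-{ "rsa1_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, {
-NULL,
-39,
-HKF_STATUS_OK,
-0,
-NULL,
-MRK_NONE,
-NULL,
-NULL,
-KEY_RSA1,
-NULL, /* filled at runtime */
-"RSA1 #6",
-} },
-{ "rsa1_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, {
-NULL,
-40,
-HKF_STATUS_OK,
-0,
-NULL,
-MRK_NONE,
-NULL,
-NULL,
-KEY_RSA1,
-NULL, /* filled at runtime */
-"RSA1 #6",
-} },
 { "rsa_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, {
 NULL,
-41,
+34,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -705,7 +602,7 @@ struct expected expected_full[] = {
 } },
 { "rsa_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, {
 NULL,
-42,
+35,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -718,7 +615,7 @@ struct expected expected_full[] = {
 } },
 { "rsa_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, {
 NULL,
-43,
+36,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -731,7 +628,7 @@ struct expected expected_full[] = {
 } },
 { NULL, -1, -1, 0, 0, 0, 0, -1, {
 NULL,
-44,
+37,
 HKF_STATUS_COMMENT,
 0,
 "",
@@ -744,7 +641,7 @@ struct expected expected_full[] = {
 } },
 { NULL, -1, -1, 0, 0, 0, 0, -1, {
 NULL,
-45,
+38,
 HKF_STATUS_COMMENT,
 0,
 "",
@@ -757,7 +654,7 @@ struct expected expected_full[] = {
 } },
 { NULL, -1, -1, 0, 0, 0, 0, -1, {
 NULL,
-46,
+39,
 HKF_STATUS_COMMENT,
 0,
 "# Revoked and CA keys",
@@ -768,22 +665,9 @@ struct expected expected_full[] = {
 NULL,
 NULL,
 } },
-{ "rsa1_4.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, {
-NULL,
-47,
-HKF_STATUS_OK,
-0,
-NULL,
-MRK_REVOKE,
-"sisyphus.example.com",
-NULL,
-KEY_RSA1,
-NULL, /* filled at runtime */
-"RSA1 #4",
-} },
 { "ed25519_4.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, {
 NULL,
-48,
+40,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -796,7 +680,7 @@ struct expected expected_full[] = {
 } },
 { "ecdsa_4.pub" , -1, -1, HKF_MATCH_HOST, 0, 0, 0, -1, {
 NULL,
-49,
+41,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -809,7 +693,7 @@ struct expected expected_full[] = {
 } },
 { "dsa_4.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, 0, 0, -1, {
 NULL,
-50,
+42,
 HKF_STATUS_OK,
 0,
 NULL,
@@ -822,7 +706,7 @@ struct expected expected_full[] = {
 } },
 { NULL, -1, -1, 0, 0, 0, 0, -1, {
 NULL,
-51,
+43,
 HKF_STATUS_COMMENT,
 0,
 "",
@@ -835,7 +719,7 @@ struct expected expected_full[] = {
 } },
 { NULL, -1, -1, 0, 0, 0, 0, -1, {
 NULL,
-52,
+44,
 HKF_STATUS_COMMENT,
 0,
 "# Some invalid lines",
@@ -848,7 +732,7 @@ struct expected expected_full[] = {
 } },
 { NULL, -1, -1, 0, 0, 0, 0, -1, {
 NULL,
-53,
+45,
 HKF_STATUS_INVALID,
 0,
 NULL,
@@ -861,7 +745,7 @@ struct expected expected_full[] = {
 } },
 { NULL, -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, {
 NULL,
-54,
+46,
 HKF_STATUS_INVALID,
 0,
 NULL,
@@ -874,7 +758,7 @@ struct expected expected_full[] = {
 } },
 { NULL, -1, -1, HKF_MATCH_HOST, 0, 0, 0, -1, {
 NULL,
-55,
+47,
 HKF_STATUS_INVALID,
 0,
 NULL,
@@ -887,33 +771,7 @@ struct expected expected_full[] = {
 } },
 { NULL, -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, {
 NULL,
-56,
+48,
-HKF_STATUS_INVALID, /* Would be ok if key not parsed */
-0,
-NULL,
-MRK_NONE,
-"sisyphus.example.com",
-NULL,
-KEY_UNSPEC,
-NULL,
-NULL,
-} },
-{ NULL, -1, -1, HKF_MATCH_HOST, 0, 0, 0, -1, {
-NULL,
-57,
-HKF_STATUS_INVALID, /* Would be ok if key not parsed */
-0,
-NULL,
-MRK_NONE,
-"prometheus.example.com",
-NULL,
-KEY_UNSPEC,
-NULL,
-NULL,
-} },
-{ NULL, HKF_STATUS_OK, KEY_RSA1, 0, HKF_MATCH_HOST, 0, 0, -1, {
-NULL,
-58,
 HKF_STATUS_INVALID, /* Would be ok if key not parsed */
 0,
 NULL,
@@ -924,22 +782,9 @@ struct expected expected_full[] = {
 NULL,
 NULL,
 } },
-{ NULL, HKF_STATUS_OK, KEY_RSA1, HKF_MATCH_HOST, 0, 0, 0, -1, {
-NULL,
-59,
-HKF_STATUS_INVALID, /* Would be ok if key not parsed */
-0,
-NULL,
-MRK_NONE,
-"prometheus.example.com",
-NULL,
-KEY_UNSPEC,
-NULL, /* filled at runtime */
-NULL,
-} },
 { NULL, -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, {
 NULL,
-60,
+49,
 HKF_STATUS_INVALID,
 0,
 NULL,
@@ -952,7 +797,7 @@ struct expected expected_full[] = {
 } },
 { NULL, HKF_STATUS_OK, KEY_RSA, HKF_MATCH_HOST, 0, 0, 0, -1, {
 NULL,
-61,
+50,
 HKF_STATUS_INVALID, /* Would be ok if key not parsed */
 0,
 NULL,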
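Review bot: After this change `expected_full[]` no longer has any entry for a known_hosts line in the legacy SSH1 layout (`host bits exponent modulus`), so nothing pins how `hostkeys_foreach()` reports such a line now that `KEY_RSA1` is gone. The removed `#ifndef WITH_SSH1` block in `check()` used to assert `HKF_STATUS_INVALID` with `KEY_UNSPEC` for exactly that case, and existing user known_hosts files may still carry these lines after an upgrade. I would keep one of them in the "Some invalid lines" block of the generator, for example `echo "sisyphus.example.com 1024 65535 "`, and add a matching `NULL`-key_file entry here expecting `HKF_STATUS_INVALID` and `KEY_UNSPEC`. The expected values with key parsing disabled depend on hostfile.c, which is not part of this section, so they should be confirmed against the parser before being written down. Each hunk here shows only a slice of `expected_full[]`, so the right position and line number for the new entry follow from the regenerated testdata file.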
diff --git a/regress/unittests/hostkeys/testdata/known_hosts b/regress/unittests/hostkeys/testdata/known_hosts index 3740f674b..4446f45df 100644 --- a/regress/unittests/hostkeys/testdata/known_hosts +++ b/regress/unittests/hostkeys/testdata/known_hosts | |||
@@ -2,60 +2,49 @@ | |||
2 | sisyphus.example.com ssh-dss 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 DSA #1 | 2 | sisyphus.example.com ssh-dss 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 DSA #1 |
3 | sisyphus.example.com ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF6yQEtD9yBw9gmDRf477WBBzvWhAa0ioBI3nbA4emKykj0RbuQd5C4XdQAEOZGzE7v//FcCjwB2wi+JH5eKkxCtN6CjohDASZ1huoIV2UVyYIicZJEEOg1IWjjphvaxtw== ECDSA #1 | 3 | sisyphus.example.com ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF6yQEtD9yBw9gmDRf477WBBzvWhAa0ioBI3nbA4emKykj0RbuQd5C4XdQAEOZGzE7v//FcCjwB2wi+JH5eKkxCtN6CjohDASZ1huoIV2UVyYIicZJEEOg1IWjjphvaxtw== ECDSA #1 |
4 | sisyphus.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK9ks7jkua5YWIwByRnnnc6UPJQWI75O0e/UJdPYU1JI ED25519 #1 | 4 | sisyphus.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK9ks7jkua5YWIwByRnnnc6UPJQWI75O0e/UJdPYU1JI ED25519 #1 |
5 | sisyphus.example.com 1024 65537 153895431603677073925890314548566704948446776958334195280085080329934839226701954473292358821568047724356487621573742372399387931887004184139835510820577359977148363519970774657801798872789118894962853659233045778161859413980935372685480527355016624825696983269800574755126132814333241868538220824608980319407 RSA1 #1 | ||
6 | sisyphus.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDg4hB4vAZHJ0PVRiJajOv/GlytFWNpv5/9xgB9+5BIbvp8LOrFZ5D9K0Gsmwpd4G4rfaAz8j896DhMArg0vtkilIPPGt/6VzWMERgvaIQPJ/IE99X3+fjcAG56oAWwy29JX10lQMzBPU6XJIaN/zqpkb6qUBiAHBdLpxrFBBU0/w== RSA #1 | 5 | sisyphus.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDg4hB4vAZHJ0PVRiJajOv/GlytFWNpv5/9xgB9+5BIbvp8LOrFZ5D9K0Gsmwpd4G4rfaAz8j896DhMArg0vtkilIPPGt/6VzWMERgvaIQPJ/IE99X3+fjcAG56oAWwy29JX10lQMzBPU6XJIaN/zqpkb6qUBiAHBdLpxrFBBU0/w== RSA #1 |
7 | 6 | ||
8 | # Plain host keys, hostnames + addresses | 7 | # Plain host keys, hostnames + addresses |
9 | prometheus.example.com,192.0.2.1,2001:db8::1 ssh-dss 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 DSA #2 | 8 | prometheus.example.com,192.0.2.1,2001:db8::1 ssh-dss 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 DSA #2 |
10 | prometheus.example.com,192.0.2.1,2001:db8::1 ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAB8qVcXwgBM92NCmReQlPrZAoui4Bz/mW0VUBFOpHXXW1n+15b/Y7Pc6UBd/ITTZmaBciXY+PWaSBGdwc5GdqGdLgFyJ/QAGrFMPNpVutm/82gNQzlxpNwjbMcKyiZEXzSgnjS6DzMQ0WuSMdzIBXq8OW/Kafxg4ZkU6YqALUXxlQMZuQ== ECDSA #2 | 9 | prometheus.example.com,192.0.2.1,2001:db8::1 ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAB8qVcXwgBM92NCmReQlPrZAoui4Bz/mW0VUBFOpHXXW1n+15b/Y7Pc6UBd/ITTZmaBciXY+PWaSBGdwc5GdqGdLgFyJ/QAGrFMPNpVutm/82gNQzlxpNwjbMcKyiZEXzSgnjS6DzMQ0WuSMdzIBXq8OW/Kafxg4ZkU6YqALUXxlQMZuQ== ECDSA #2 |
11 | prometheus.example.com,192.0.2.1,2001:db8::1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBp6PVW0z2o9C4Ukv/JOgmK7QMFe1pD1s3ADFF7IQob ED25519 #2 | 10 | prometheus.example.com,192.0.2.1,2001:db8::1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBp6PVW0z2o9C4Ukv/JOgmK7QMFe1pD1s3ADFF7IQob ED25519 #2 |
12 | prometheus.example.com,192.0.2.1,2001:db8::1 1024 65537 135970715082947442639683969597180728933388298633245835186618852623800675939308729462220235058285909679252157995530180587329132927339620517781785310829060832352381015614725360278571924286986474946772141568893116432268565829418506866604294073334978275702221949783314402806080929601995102334442541344606109853641 RSA1 #2 | ||
13 | prometheus.example.com,192.0.2.1,2001:db8::1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDmbUhNabB5AmBDX6GNHZ3lbn7pRxqfpW+f53QqNGlK0sLV+0gkMIrOfUp1kdE2ZLE6tfzdicatj/RlH6/wuo4yyYb+Pyx3G0vxdmAIiA4aANq38XweDucBC0TZkRWVHK+Gs5V/uV0z7N0axJvkkJujMLvST3CRiiWwlficBc6yVQ== RSA #2 | 11 | prometheus.example.com,192.0.2.1,2001:db8::1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDmbUhNabB5AmBDX6GNHZ3lbn7pRxqfpW+f53QqNGlK0sLV+0gkMIrOfUp1kdE2ZLE6tfzdicatj/RlH6/wuo4yyYb+Pyx3G0vxdmAIiA4aANq38XweDucBC0TZkRWVHK+Gs5V/uV0z7N0axJvkkJujMLvST3CRiiWwlficBc6yVQ== RSA #2 |
14 | 12 | ||
15 | # Some hosts with wildcard names / IPs | 13 | # Some hosts with wildcard names / IPs |
16 | *.example.com,192.0.2.*,2001:* ssh-dss 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 DSA #3 | 14 | *.example.com,192.0.2.*,2001:* ssh-dss AAAAB3NzaC1kc3MAAACBAI6lz2Ip9bzE7TGuDD4SjO9S4Ac90gq0h6ai1O06eI8t/Ot2uJ5Jk2QyVr2jvIZHDl/5bwBx7+5oyjlwRoUrAPPD814wf5tU2tSnmdu1Wbf0cBswif5q0r4tevzmopp/AtgH11QHo3u0/pfyJd10qBDLV2FaYSKMmZvyPfZJ0s9pAAAAFQD5Eqjl6Rx2qVePodD9OwAPT0bU6wAAAIAfnDm6csZF0sFaJR3NIJvaYgSGr8s7cqlsk2gLltB/1wOOO2yX+NeEC+B0H93hlMfaUsPa08bwgmYxnavSMqEBpmtPceefJiEd68zwYqXd38f88wyWZ9Z5iwaI/6OVZPHzCbDxOa4ewVTevRNYUKP1xUTZNT8/gSMfZLYPk4T2AQAAAIAUKroozRMyV+3V/rxt0gFnNxRXBKk+9cl3vgsQ7ktkI9cYg7V1T2K0XF21AVMK9gODszy6PBJjV6ruXBV6TRiqIbQauivp3bHHKYsG6wiJNqwdbVwIjfvv8nn1qFoZQLXG3sdONr9NwN8KzrX89OV0BlR2dVM5qqp+YxOXymP9yg== DSA #3 |
17 | *.example.com,192.0.2.*,2001:* ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIb3BhJZk+vUQPg5TQc1koIzuGqloCq7wjr9LjlhG24IBeiFHLsdWw74HDlH4DrOmlxToVYk2lTdnjARleRByjk= ECDSA #3 | 15 | *.example.com,192.0.2.*,2001:* ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIb3BhJZk+vUQPg5TQc1koIzuGqloCq7wjr9LjlhG24IBeiFHLsdWw74HDlH4DrOmlxToVYk2lTdnjARleRByjk= ECDSA #3 |
18 | *.example.com,192.0.2.*,2001:* ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlYfExtYZAPqYvYdrlpGlSWhh/XNHcH3v3c2JzsVNbB ED25519 #3 | 16 | *.example.com,192.0.2.*,2001:* ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlYfExtYZAPqYvYdrlpGlSWhh/XNHcH3v3c2JzsVNbB ED25519 #3 |
19 | *.example.com,192.0.2.*,2001:* 1024 65537 125895605498029643697051635076028105429632810811904702876152645261610759866299221305725069141163240694267669117205342283569102183636228981857946763978553664895308762890072813014496700601576921921752482059207749978374872713540759920335553799711267170948655579130584031555334229966603000896364091459595522912269 RSA1 #3 | ||
20 | *.example.com,192.0.2.*,2001:* ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDX8F93W3SH4ZSus4XUQ2cw9dqcuyUETTlKEeGv3zlknV3YCoe2Mp04naDhiuwj8sOsytrZSESzLY1ZEyzrjxE6ZFVv8NKgck/AbRjcwlRFOcx9oKUxOrXRa0IoXlTq0kyjKCJfaHBKnGitZThknCPTbVmpATkm5xx6J0WEDozfoQ== RSA #3 | 17 | *.example.com,192.0.2.*,2001:* ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDX8F93W3SH4ZSus4XUQ2cw9dqcuyUETTlKEeGv3zlknV3YCoe2Mp04naDhiuwj8sOsytrZSESzLY1ZEyzrjxE6ZFVv8NKgck/AbRjcwlRFOcx9oKUxOrXRa0IoXlTq0kyjKCJfaHBKnGitZThknCPTbVmpATkm5xx6J0WEDozfoQ== RSA #3 |
21 | 18 | ||
22 | # Hashed hostname and address entries | 19 | # Hashed hostname and address entries |
23 | |1|6FWxoqTCAfm8sZ7T/q73OmxCFGM=|S4eQmusok4cbyDzzGEFGIAthDbw= ssh-dss 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 DSA #5 | 20 | |1|z3xOIdT5ue3Vuf3MzT67kaioqjw=|GZhhe5uwDOBQrC9N4cCjpbLpSn4= ssh-dss AAAAB3NzaC1kc3MAAACBALrFy7w5ihlaOG+qR+6fj+vm5EQaO3qwxgACLcgH+VfShuOG4mkx8qFJmf+OZ3fh5iKngjNZfKtfcqI7zHWdk6378TQfQC52/kbZukjNXOLCpyNkogahcjA00onIoTK1RUDuMW28edAHwPFbpttXDTaqis+8JPMY8hZwsZGENCzTAAAAFQD6+It5vozwGgaN9ROYPMlByhi6jwAAAIBz2mcAC694vNzz9b6614gkX9d9E99PzJYfU1MPkXDziKg7MrjBw7Opd5y1jL09S3iL6lSTlHkKwVKvQ3pOwWRwXXRrKVus4I0STveoApm526jmp6mY0YEtqR98vMJ0v97h1ydt8FikKlihefCsnXVicb8887PXs2Y8C6GuFT3tfQAAAIBbmHtV5tPcrMRDkULhaQ/Whap2VKvT2DUhIHA7lx6oy/KpkltOpxDZOIGUHKqffGbiR7Jh01/y090AY5L2eCf0S2Ytx93+eADwVVpJbFJo6zSwfeey2Gm6L2oA+rCz9zTdmtZoekpD3/RAOQjnJIAPwbs7mXwabZTw4xRtiYIRrw== DSA #5 |
24 | |1|hTrfD0CuuB9ZbOa1CHFYvIk/gKE=|tPmW50t7flncm1UyM+DR97ubDNU= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIudcagzq4QPtP1jkpje34+0POLB0jwT64hqrbCqhTH2T800KDZ0h2vwlJYa3OP3Oqru9AB5pnuHsKw7mAhUGY= ECDSA #5 | 21 | |1|B7t/AYabn8zgwU47Cb4A/Nqt3eI=|arQPZyRphkzisr7w6wwikvhaOyE= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIudcagzq4QPtP1jkpje34+0POLB0jwT64hqrbCqhTH2T800KDZ0h2vwlJYa3OP3Oqru9AB5pnuHsKw7mAhUGY= ECDSA #5 |
25 | |1|fOGqe75X5ZpTz4c7DitP4E8/y30=|Lmcch2fh54bUYoV//S2VqDFVeiY= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINf63qSV8rD57N+digID8t28WVhd3Yf2K2UhaoG8TsWQ ED25519 #5 | 22 | |1|JR81WxEocTP5d7goIRkl8fHBbno=|l6sj6FOsoXxgEZMzn/BnOfPKN68= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINf63qSV8rD57N+digID8t28WVhd3Yf2K2UhaoG8TsWQ ED25519 #5 |
26 | |1|0RVzLjY3lwE3MRweguaAXaCCWk8=|DbcIgJQcRZJMYI6NYDOM6oJycPk= 1024 65537 127931411493401587586867047972295564331543694182352197506125410692673654572057908999642645524647232712160516076508316152810117209181150078352725299319149726341058893406440426414316276977768958023952319602422835879783057966985348561111880658922724668687074412548487722084792283453716871417610020757212399252171 RSA1 #5 | 23 | |1|W7x4zY6KtTZJgsopyOusJqvVPag=|QauLt7hKezBZFZi2i4Xopho7Nsk= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC/C15Q4sfnk7BZff1er8bscay+5s51oD4eWArlHWMK/ZfYeeTAccTy+7B7Jv+MS4nKCpflrvJI2RQz4kS8vF0ATdBbi4jeWefStlHNg0HLhnCY7NAfDIlRdaN9lm3Pqm2vmr+CkqwcJaSpycDg8nPN9yNAuD6pv7NDuUnECezojQ== RSA #5 |
27 | |1|4q79XnHpKBNQhyMLAqbPPDN+JKo=|k1Wvjjb52zDdrXWM801+wX5oH8U= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC/C15Q4sfnk7BZff1er8bscay+5s51oD4eWArlHWMK/ZfYeeTAccTy+7B7Jv+MS4nKCpflrvJI2RQz4kS8vF0ATdBbi4jeWefStlHNg0HLhnCY7NAfDIlRdaN9lm3Pqm2vmr+CkqwcJaSpycDg8nPN9yNAuD6pv7NDuUnECezojQ== RSA #5 | ||
28 | 24 | ||
29 | |1|0M6PIx6THA3ipIOvTl3fcgn2z+A=|bwEJAOwJz+Sm7orFdgj170mD/zY= ssh-dss AAAAB3NzaC1kc3MAAACBAIutigAse65TCW6hHDOEGXenE9L4L0talHbs65hj3UUNtWflKdQeXLofqXgW8AwaDKmnuRPrxRoxVNXj84n45wtBEdt4ztmdAZteAbXSnHqpcxME3jDxh3EtxzGPXLs+RUmKPVguraSgo7W2oN7KFx6VM+AcAtxANSTlvDid3s47AAAAFQCd9Q3kkHSLWe77sW0eRaayI45ovwAAAIAw6srGF6xvFasI44Y3r9JJ2K+3ezozl3ldL3p2+p2HG3iWafC4SdV8pB6ZIxKlYAywiiFb3LzH/JweGFq1jtoFDRM3MlYORBevydU4zPz7b5QLDVB0sY4evYtWmg2BFJvoWRfhLnlZVW7h5N8v4fNIwdVmVsw4Ljes7iF2HRGhHgAAAIBDFT3fww2Oby1xUA6G9pDAcVikrQFqp1sJRylNTUyeyQ37SNAGzYxwHJFgQr8gZLdRQ1UW+idYpqVbVNcYFMOiw/zSqK2OfVwPZ9U+TTKdc992ChSup6vJEKM/ZVIyDWDbJr7igQ4ahy7jo9mFvm8ljN926EnspQzCvs0Dxk6tHA== DSA #6 | 25 | |1|mxnU8luzqWLvfVi5qBm5xVIyCRM=|9Epopft7LBd80Bf6RmWPIpwa8yU= ssh-dss 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 DSA #6 |
30 | |1|a6WGHcL+9gX3e96tMlgDSDJwtSg=|5Dqlb/yqNEf7jgfllrp/ygLmRV8= ssh-dss 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 DSA #6 | 26 | |1|klvLmvh2vCpkNMDEjVvrE8SJWTg=|e/dqEEBLnbgqmwEesl4cDRu/7TM= ssh-dss AAAAB3NzaC1kc3MAAACBAIutigAse65TCW6hHDOEGXenE9L4L0talHbs65hj3UUNtWflKdQeXLofqXgW8AwaDKmnuRPrxRoxVNXj84n45wtBEdt4ztmdAZteAbXSnHqpcxME3jDxh3EtxzGPXLs+RUmKPVguraSgo7W2oN7KFx6VM+AcAtxANSTlvDid3s47AAAAFQCd9Q3kkHSLWe77sW0eRaayI45ovwAAAIAw6srGF6xvFasI44Y3r9JJ2K+3ezozl3ldL3p2+p2HG3iWafC4SdV8pB6ZIxKlYAywiiFb3LzH/JweGFq1jtoFDRM3MlYORBevydU4zPz7b5QLDVB0sY4evYtWmg2BFJvoWRfhLnlZVW7h5N8v4fNIwdVmVsw4Ljes7iF2HRGhHgAAAIBDFT3fww2Oby1xUA6G9pDAcVikrQFqp1sJRylNTUyeyQ37SNAGzYxwHJFgQr8gZLdRQ1UW+idYpqVbVNcYFMOiw/zSqK2OfVwPZ9U+TTKdc992ChSup6vJEKM/ZVIyDWDbJr7igQ4ahy7jo9mFvm8ljN926EnspQzCvs0Dxk6tHA== DSA #6 |
31 | |1|OeCpi7Pn5Q6c8la4fPf9G8YctT8=|sC6D7lDXTafIpokZJ1+1xWg2R6Q= ssh-dss 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 DSA #6 | 27 | |1|wsk3ddB3UjuxEsoeNCeZjZ6NvZs=|O3O/q2Z/u7DrxoTiIq6kzCevQT0= ssh-dss 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 DSA #6 |
32 | |1|BHESVyiJ7G2NN0lxrw7vT109jmk=|TKof+015J77bXqibsh0N1Lp0MKk= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 | 28 | |1|B8epmkLSni+vGZDijr/EwxeR2k4=|7ct8yzNOVJhKm3ZD2w0XIT7df8E= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 |
33 | |1|wY53mZNASDJ5/P3JYCJ4FUNa6WQ=|v8p0MfV5lqlZB2J0yLxl/gsWVQo= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 | 29 | |1|JojD885UhYhbCu571rgyM/5PpYU=|BJaU2aE1FebQZy3B5tzTDRWFRG0= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 |
34 | |1|horeoyFPwfKhyFN+zJZ5LCfOo/I=|2ofvp0tNwCbKsV8FuiFA4gQG2Z8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 | 30 | |1|5t7UDHDybVrDZVQPCpwdnr6nk4k=|EqJ73W/veIL3H2x+YWHcJxI5ETA= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 |
35 | |1|Aw4fXumZfx6jEIJuDGIyeEMd81A=|5FdLtdm2JeKNsS8IQeQlGYIadOE= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 | 31 | |1|OCcBfGc/b9+ip+W6Gp+3ftdluO4=|VbrKUdzOOtIBOOmEE+jlK4SD3Xc= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 |
36 | |1|+dGUNpv6GblrDd5fgHLlOWpSbEo=|He/pQ1yJjtiCyTNWpGwjBD4sZFI= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 | 32 | |1|9fLN0YdP+BJ25lKuKvYuOdUo93w=|vZyr0rOiX01hv5XbghhHMW+Zb3U= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 |
37 | |1|E/PACGl8m1T7QnPedOoooozstP0=|w6DQAFT8yZgj0Hlkz5R1TppYHCA= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 | 33 | |1|nc9RoaaQ0s5jdPxwlUmluGHU3uk=|un6OsJajokKQ3MgyS9mfDNeyP6U= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 |
38 | |1|SaoyMStgxpYfwedSXBAghi8Zo0s=|Gz78k69GaE6iViV3OOvbStKqyTA= 1024 65537 140883028436203600354693376066567741282115117509696517282419557936340193768851493584179972504103033755515036493433917203732876685813283050574208967197963391667532902202382549275760997891673884333346000558018002659506756213191532156293935482587878596032743105911487673274674568768638010598205190227631909167257 RSA1 #6 | 34 | |1|rsHB6juT9q6GOY91qOeOwL6TSJE=|ps/vXF9Izuues5PbOn887Gw/2Dg= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6 |
39 | |1|8qfGeiT5WTCzWYbXPQ+lsLg7km4=|1sIBwiSUr8IGkvrUGm3/9QYurmA= 1024 65537 140883028436203600354693376066567741282115117509696517282419557936340193768851493584179972504103033755515036493433917203732876685813283050574208967197963391667532902202382549275760997891673884333346000558018002659506756213191532156293935482587878596032743105911487673274674568768638010598205190227631909167257 RSA1 #6 | 35 | |1|BsckdLH2aRyWQooRmv+Yo3t4dKg=|Lf3tJc5Iyx0KxNwAG89FsImsfEE= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6 |
40 | |1|87M1OtyHg1BZiDY3rT6lYsZFnAU=|eddAQVcMNbn2OB87XWXFQnYo6R4= 1024 65537 140883028436203600354693376066567741282115117509696517282419557936340193768851493584179972504103033755515036493433917203732876685813283050574208967197963391667532902202382549275760997891673884333346000558018002659506756213191532156293935482587878596032743105911487673274674568768638010598205190227631909167257 RSA1 #6 | 36 | |1|plqkBA4hq7UATyd5+/Xl+zL7ghw=|stacofaUed46666mfqxp9gJFjt4= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6 |
41 | |1|60w3wFfC0XWI+rRmRlxIRhh8lwE=|yMhsGrzBJKiesAdSQ/PVgkCrDKk= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6 | ||
42 | |1|5gdEMmLUJC7grqWhRJPy2OTaSyE=|/XTfmLMa/B8npcVCGFRdaHl+d/0= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6 | ||
43 | |1|6FGCWUr42GHdMB/eifnHNCuwgdk=|ONJvYZ/ANmi59R5HrOhLPmvYENM= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6 | ||
44 | 37 | ||
45 | 38 | ||
46 | # Revoked and CA keys | 39 | # Revoked and CA keys |
47 | @revoked sisyphus.example.com 1024 65537 174143366122697048196335388217056770310345753698079464367148030836533360510864881734142526411160017107552815906024399248049666856133771656680462456979369587903909343046704480897527203474513676654933090991684252819423129896444427656841613263783484827101210734799449281639493127615902427443211183258155381810593 RSA1 #4 | ||
48 | @revoked sisyphus.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFP8L9REfN/iYy1KIRtFqSCn3V2+vOCpoZYENFGLdOF ED25519 #4 | 40 | @revoked sisyphus.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFP8L9REfN/iYy1KIRtFqSCn3V2+vOCpoZYENFGLdOF ED25519 #4 |
49 | @cert-authority prometheus.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHZd0OXHIWwK3xnjAdMZ1tojxWycdu38pORO/UX5cqsKMgGCKQVBWWO3TFk1ePkGIE9VMWT1hCGqWRRwYlH+dSE= ECDSA #4 | 41 | @cert-authority prometheus.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHZd0OXHIWwK3xnjAdMZ1tojxWycdu38pORO/UX5cqsKMgGCKQVBWWO3TFk1ePkGIE9VMWT1hCGqWRRwYlH+dSE= ECDSA #4 |
50 | @cert-authority *.example.com ssh-dss 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 DSA #4 | 42 | @cert-authority *.example.com ssh-dss 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 DSA #4 |
51 | 43 | ||
52 | # Some invalid lines | 44 | # Some invalid lines |
53 | @what sisyphus.example.com 1024 65537 153895431603677073925890314548566704948446776958334195280085080329934839226701954473292358821568047724356487621573742372399387931887004184139835510820577359977148363519970774657801798872789118894962853659233045778161859413980935372685480527355016624825696983269800574755126132814333241868538220824608980319407 RSA1 #1 | 45 | @what sisyphus.example.com ssh-dss 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 DSA #1 |
54 | sisyphus.example.com | 46 | sisyphus.example.com |
55 | prometheus.example.com ssh-ed25519 | 47 | prometheus.example.com ssh-ed25519 |
56 | sisyphus.example.com ssh-dsa AAAATgAAAAdz | 48 | sisyphus.example.com ssh-dsa AAAATgAAAAdz |
57 | prometheus.example.com 1024 | ||
58 | sisyphus.example.com 1024 65535 | ||
59 | prometheus.example.com 1025 65537 153895431603677073925890314548566704948446776958334195280085080329934839226701954473292358821568047724356487621573742372399387931887004184139835510820577359977148363519970774657801798872789118894962853659233045778161859413980935372685480527355016624825696983269800574755126132814333241868538220824608980319407 RSA1 #1 | ||
60 | sisyphus.example.com ssh-XXX AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg== | 49 | sisyphus.example.com ssh-XXX AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg== |
61 | prometheus.example.com ssh-rsa AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg== | 50 | prometheus.example.com ssh-rsa AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg== |
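--- a/regress/unittests/sshkey/mktestdata.sh
+++ b/regress/unittests/sshkey/mktestdata.sh
@@ -1,25 +1,8 @@
 #!/bin/sh
-# $OpenBSD: mktestdata.sh,v 1.5 2015/07/07 14:53:30 markus Exp $
+# $OpenBSD: mktestdata.sh,v 1.6 2017/04/30 23:33:48 djm Exp $
 
 PW=mekmitasdigoat
 
-rsa1_params() {
-_in="$1"
-_outbase="$2"
-set -e
-ssh-keygen -f $_in -e -m pkcs8 | \
-openssl rsa -noout -text -pubin | \
-awk '/^Modulus:$/,/^Exponent:/' | \
-grep -v '^[a-zA-Z]' | tr -d ' \n:' > ${_outbase}.n
-# XXX need conversion support in ssh-keygen for the other params
-for x in n ; do
-echo "" >> ${_outbase}.$x
-echo ============ ${_outbase}.$x
-cat ${_outbase}.$x
-echo ============
-done
-}
-
 rsa_params() {
 _in="$1"
 _outbase="$2"
@@ -87,20 +70,18 @@ set -ex
 
 cd testdata
 
-rm -f rsa1_1 rsa_1 dsa_1 ecdsa_1 ed25519_1
-rm -f rsa1_2 rsa_2 dsa_2 ecdsa_2 ed25519_2
+rm -f rsa_1 dsa_1 ecdsa_1 ed25519_1
+rm -f rsa_2 dsa_2 ecdsa_2 ed25519_2
 rm -f rsa_n dsa_n ecdsa_n # new-format keys
-rm -f rsa1_1_pw rsa_1_pw dsa_1_pw ecdsa_1_pw ed25519_1_pw
+rm -f rsa_1_pw dsa_1_pw ecdsa_1_pw ed25519_1_pw
 rm -f rsa_n_pw dsa_n_pw ecdsa_n_pw
 rm -f pw *.pub *.bn.* *.param.* *.fp *.fp.bb
 
-ssh-keygen -t rsa1 -b 1024 -C "RSA1 test key #1" -N "" -f rsa1_1
 ssh-keygen -t rsa -b 1024 -C "RSA test key #1" -N "" -f rsa_1
 ssh-keygen -t dsa -b 1024 -C "DSA test key #1" -N "" -f dsa_1
 ssh-keygen -t ecdsa -b 256 -C "ECDSA test key #1" -N "" -f ecdsa_1
 ssh-keygen -t ed25519 -C "ED25519 test key #1" -N "" -f ed25519_1
 
-ssh-keygen -t rsa1 -b 2048 -C "RSA1 test key #2" -N "" -f rsa1_2
 ssh-keygen -t rsa -b 2048 -C "RSA test key #2" -N "" -f rsa_2
 ssh-keygen -t dsa -b 1024 -C "DSA test key #2" -N "" -f dsa_2
 ssh-keygen -t ecdsa -b 521 -C "ECDSA test key #2" -N "" -f ecdsa_2
@@ -110,7 +91,6 @@ cp rsa_1 rsa_n
 cp dsa_1 dsa_n
 cp ecdsa_1 ecdsa_n
 
-cp rsa1_1 rsa1_1_pw
 cp rsa_1 rsa_1_pw
 cp dsa_1 dsa_1_pw
 cp ecdsa_1 ecdsa_1_pw
@@ -119,7 +99,6 @@ cp rsa_1 rsa_n_pw
 cp dsa_1 dsa_n_pw
 cp ecdsa_1 ecdsa_n_pw
 
-ssh-keygen -pf rsa1_1_pw -N "$PW"
 ssh-keygen -pf rsa_1_pw -N "$PW"
 ssh-keygen -pf dsa_1_pw -N "$PW"
 ssh-keygen -pf ecdsa_1_pw -N "$PW"
@@ -128,8 +107,6 @@ ssh-keygen -opf rsa_n_pw -N "$PW"
 ssh-keygen -opf dsa_n_pw -N "$PW"
 ssh-keygen -opf ecdsa_n_pw -N "$PW"
 
-rsa1_params rsa1_1 rsa1_1.param
-rsa1_params rsa1_2 rsa1_2.param
 rsa_params rsa_1 rsa_1.param
 rsa_params rsa_2 rsa_2.param
 dsa_params dsa_1 dsa_1.param
@@ -160,12 +137,10 @@ ssh-keygen -s ecdsa_1 -I julius -n host1,host2 -h \
 ssh-keygen -s ed25519_1 -I julius -n host1,host2 -h \
 -V 19990101:20110101 -z 8 ed25519_1.pub
 
-ssh-keygen -lf rsa1_1 | awk '{print $2}' > rsa1_1.fp
 ssh-keygen -lf rsa_1 | awk '{print $2}' > rsa_1.fp
 ssh-keygen -lf dsa_1 | awk '{print $2}' > dsa_1.fp
 ssh-keygen -lf ecdsa_1 | awk '{print $2}' > ecdsa_1.fp
 ssh-keygen -lf ed25519_1 | awk '{print $2}' > ed25519_1.fp
-ssh-keygen -lf rsa1_2 | awk '{print $2}' > rsa1_2.fp
 ssh-keygen -lf rsa_2 | awk '{print $2}' > rsa_2.fp
 ssh-keygen -lf dsa_2 | awk '{print $2}' > dsa_2.fp
 ssh-keygen -lf ecdsa_2 | awk '{print $2}' > ecdsa_2.fp
@@ -176,12 +151,10 @@ ssh-keygen -lf ecdsa_1-cert.pub | awk '{print $2}' > ecdsa_1-cert.fp
 ssh-keygen -lf ed25519_1-cert.pub | awk '{print $2}' > ed25519_1-cert.fp
 ssh-keygen -lf rsa_1-cert.pub | awk '{print $2}' > rsa_1-cert.fp
 
-ssh-keygen -Bf rsa1_1 | awk '{print $2}' > rsa1_1.fp.bb
 ssh-keygen -Bf rsa_1 | awk '{print $2}' > rsa_1.fp.bb
 ssh-keygen -Bf dsa_1 | awk '{print $2}' > dsa_1.fp.bb
 ssh-keygen -Bf ecdsa_1 | awk '{print $2}' > ecdsa_1.fp.bb
 ssh-keygen -Bf ed25519_1 | awk '{print $2}' > ed25519_1.fp.bb
-ssh-keygen -Bf rsa1_2 | awk '{print $2}' > rsa1_2.fp.bb
 ssh-keygen -Bf rsa_2 | awk '{print $2}' > rsa_2.fp.bb
 ssh-keygen -Bf dsa_2 | awk '{print $2}' > dsa_2.fp.bb
 ssh-keygen -Bf ecdsa_2 | awk '{print $2}' > ecdsa_2.fp.bb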
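Review bot: The cleanup lines at the top of the second hunk (`rm -f rsa_1 dsa_1 ecdsa_1 ed25519_1` and the two edited lines below it) no longer name `rsa1_1`, `rsa1_2` or `rsa1_1_pw`, and the remaining globs (`*.pub *.bn.* *.param.* *.fp *.fp.bb`) do not match those three files. A `testdata` directory that was populated by the older script would therefore keep the old SSH1 private-key files after a regeneration, unless the commit also deletes them from the tree, which is not visible in this section. Keeping one transitional line such as `rm -f rsa1_1 rsa1_2 rsa1_1_pw # stale SSH1 test keys from older runs` would make a regenerated directory match what the script now produces.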
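--- a/regress/unittests/sshkey/test_file.c
+++ b/regress/unittests/sshkey/test_file.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_file.c,v 1.5 2015/10/06 01:20:59 djm Exp $ */
+/* $OpenBSD: test_file.c,v 1.6 2017/04/30 23:33:48 djm Exp $ */
 /*
 * Regress test for sshkey.h key management API
 *
@@ -51,55 +51,6 @@ sshkey_file_tests(void)
 pw = load_text_file("pw");
 TEST_DONE();
 
-#ifdef WITH_SSH1
-TEST_START("parse RSA1 from private");
-buf = load_file("rsa1_1");
-ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
-sshbuf_free(buf);
-ASSERT_PTR_NE(k1, NULL);
-a = load_bignum("rsa1_1.param.n");
-ASSERT_BIGNUM_EQ(k1->rsa->n, a);
-BN_free(a);
-TEST_DONE();
-
-TEST_START("parse RSA1 from private w/ passphrase");
-buf = load_file("rsa1_1_pw");
-ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
-(const char *)sshbuf_ptr(pw), &k2, NULL), 0);
-sshbuf_free(buf);
-ASSERT_PTR_NE(k2, NULL);
-ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
-sshkey_free(k2);
-TEST_DONE();
-
-TEST_START("load RSA1 from public");
-ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa1_1.pub"), &k2,
-NULL), 0);
-ASSERT_PTR_NE(k2, NULL);
-ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
-sshkey_free(k2);
-TEST_DONE();
-
-TEST_START("RSA1 key hex fingerprint");
-buf = load_text_file("rsa1_1.fp");
-cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA256, SSH_FP_BASE64);
-ASSERT_PTR_NE(cp, NULL);
-ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
-sshbuf_free(buf);
-free(cp);
-TEST_DONE();
-
-TEST_START("RSA1 key bubblebabble fingerprint");
-buf = load_text_file("rsa1_1.fp.bb");
-cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
-ASSERT_PTR_NE(cp, NULL);
-ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
-sshbuf_free(buf);
-free(cp);
-TEST_DONE();
-
-sshkey_free(k1);
-#endif
 
 TEST_START("parse RSA from private");
 buf = load_file("rsa_1");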
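--- a/regress/unittests/sshkey/test_fuzz.c
+++ b/regress/unittests/sshkey/test_fuzz.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_fuzz.c,v 1.6 2015/12/07 02:20:46 djm Exp $ */
+/* $OpenBSD: test_fuzz.c,v 1.7 2017/04/30 23:33:48 djm Exp $ */
 /*
 * Fuzz tests for key parsing
 *
@@ -104,49 +104,6 @@ sshkey_fuzz_tests(void)
 struct fuzz *fuzz;
 int r;
 
-#ifdef WITH_SSH1
-TEST_START("fuzz RSA1 private");
-buf = load_file("rsa1_1");
-fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP |
-FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
-sshbuf_mutable_ptr(buf), sshbuf_len(buf));
-ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
-sshkey_free(k1);
-sshbuf_free(buf);
-ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
-TEST_ONERROR(onerror, fuzz);
-for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
-r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
-ASSERT_INT_EQ(r, 0);
-if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
-sshkey_free(k1);
-sshbuf_reset(fuzzed);
-}
-sshbuf_free(fuzzed);
-fuzz_cleanup(fuzz);
-TEST_DONE();
-
-TEST_START("fuzz RSA1 public");
-buf = load_file("rsa1_1_pw");
-fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP |
-FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
-sshbuf_mutable_ptr(buf), sshbuf_len(buf));
-ASSERT_INT_EQ(sshkey_parse_public_rsa1_fileblob(buf, &k1, NULL), 0);
-sshkey_free(k1);
-sshbuf_free(buf);
-ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
-TEST_ONERROR(onerror, fuzz);
-for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
-r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
-ASSERT_INT_EQ(r, 0);
-if (sshkey_parse_public_rsa1_fileblob(fuzzed, &k1, NULL) == 0)
-sshkey_free(k1);
-sshbuf_reset(fuzzed);
-}
-sshbuf_free(fuzzed);
-fuzz_cleanup(fuzz);
-TEST_DONE();
-#endif
 
 TEST_START("fuzz RSA private");
 buf = load_file("rsa_1");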
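--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_sshkey.c,v 1.10 2016/05/02 09:52:00 djm Exp $ */
+/* $OpenBSD: test_sshkey.c,v 1.12 2017/05/08 06:08:42 djm Exp $ */
 /*
 * Regress test for sshkey.h key management API
 *
@@ -193,16 +193,6 @@ sshkey_tests(void)
 sshkey_free(k1);
 TEST_DONE();
 
-TEST_START("new/free KEY_RSA1");
-k1 = sshkey_new(KEY_RSA1);
-ASSERT_PTR_NE(k1, NULL);
-ASSERT_PTR_NE(k1->rsa, NULL);
-ASSERT_PTR_NE(k1->rsa->n, NULL);
-ASSERT_PTR_NE(k1->rsa->e, NULL);
-ASSERT_PTR_EQ(k1->rsa->p, NULL);
-sshkey_free(k1);
-TEST_DONE();
-
 TEST_START("new/free KEY_RSA");
 k1 = sshkey_new(KEY_RSA);
 ASSERT_PTR_NE(k1, NULL);
@@ -263,19 +253,19 @@ sshkey_tests(void)
 
 TEST_START("generate KEY_RSA too small modulus");
 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 128, &k1),
-SSH_ERR_INVALID_ARGUMENT);
+SSH_ERR_KEY_LENGTH);
 ASSERT_PTR_EQ(k1, NULL);
 TEST_DONE();
 
 TEST_START("generate KEY_RSA too large modulus");
 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1 << 20, &k1),
-SSH_ERR_INVALID_ARGUMENT);
+SSH_ERR_KEY_LENGTH);
 ASSERT_PTR_EQ(k1, NULL);
 TEST_DONE();
 
 TEST_START("generate KEY_DSA wrong bits");
 ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 2048, &k1),
-SSH_ERR_INVALID_ARGUMENT);
+SSH_ERR_KEY_LENGTH);
 ASSERT_PTR_EQ(k1, NULL);
 sshkey_free(k1);
 TEST_DONE();
@@ -283,7 +273,7 @@ sshkey_tests(void)
 #ifdef OPENSSL_HAS_ECC
 TEST_START("generate KEY_ECDSA wrong bits");
 ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 42, &k1),
-SSH_ERR_INVALID_ARGUMENT);
+SSH_ERR_KEY_LENGTH);
 ASSERT_PTR_EQ(k1, NULL);
 sshkey_free(k1);
 TEST_DONE();
@@ -291,7 +281,7 @@ sshkey_tests(void)
 
 TEST_START("generate KEY_RSA");
 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 767, &kr),
-SSH_ERR_INVALID_ARGUMENT);
+SSH_ERR_KEY_LENGTH);
 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1024, &kr), 0);
 ASSERT_PTR_NE(kr, NULL);
 ASSERT_PTR_NE(kr->rsa, NULL);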
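Review bot: The `767` in the "generate KEY_RSA" test (new line 283) is a bare number that presumably stands for one bit below the minimum accepted RSA modulus size, and nothing in the test says so. If that minimum is raised later, the assertion still passes but no longer probes the boundary, so an off-by-one in the lower-bound check would go unnoticed. Consider deriving the value from the policy constant, e.g. `sshkey_generate(KEY_RSA, SSH_RSA_MINIMUM_MODULUS_SIZE - 1, &kr)` if that macro is visible to the test, or at least adding `/* one below the minimum accepted RSA modulus */`. `sshkey_tests()` starts and ends outside these hunks.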
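--- a/regress/yes-head.sh
+++ b/regress/yes-head.sh
@@ -3,13 +3,11 @@
 
 tid="yes pipe head"
 
-for p in ${SSH_PROTOCOLS}; do
-lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
-if [ $? -ne 0 ]; then
-fail "yes|head test failed"
-lines = 0;
-fi
-if [ $lines -ne 2000 ]; then
-fail "yes|head returns $lines lines instead of 2000"
-fi
-done
+lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
+if [ $? -ne 0 ]; then
+fail "yes|head test failed"
+lines = 0;
+fi
+if [ $lines -ne 2000 ]; then
+fail "yes|head returns $lines lines instead of 2000"
+fi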
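Review bot: `lines = 0;` on new line 9 is not an assignment in sh; with spaces around `=` the shell tries to run a command named `lines`, so the fallback value is never set and the line should read `lines=0`. The `$?` tested on new line 7 is the status of the last pipeline stage, the `(sleep 3 ; wc -l)` subshell, not of `${SSH}`, so a failed connection is caught only indirectly by the line-count comparison. Quoting the operand, `[ "$lines" -ne 2000 ]`, would also keep that test well-formed if `lines` ends up empty. These lines are carried over from the old loop body with only the `-$p` protocol selection dropped.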