Diffstat (limited to 'regress')
-rw-r--r--regress/Makefile12
-rw-r--r--regress/README.regress2
-rw-r--r--regress/cfgparse.sh75
-rw-r--r--regress/cipher-speed.sh4
-rw-r--r--regress/hostkey-rotate.sh8
-rw-r--r--regress/integrity.sh4
-rw-r--r--regress/kextype.sh4
-rw-r--r--regress/keys-command.sh59
-rw-r--r--regress/netcat.c8
-rw-r--r--regress/principals-command.sh141
-rw-r--r--regress/ssh-com.sh6
-rwxr-xr-xregress/ssh2putty.sh6
-rw-r--r--regress/test-exec.sh2
-rw-r--r--regress/try-ciphers.sh4
-rw-r--r--regress/unittests/hostkeys/test_iterate.c6
-rw-r--r--regress/unittests/sshkey/test_sshkey.c4
16 files changed, 303 insertions, 42 deletions
diff --git a/regress/Makefile b/regress/Makefile
index 99a7d60f5..cba83f4d6 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.78 2015/01/26 06:12:18 djm Exp $ 1# $OpenBSD: Makefile,v 1.81 2015/05/21 06:44:25 djm Exp $
2 2
3REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec 3REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
4tests: prep $(REGRESS_TARGETS) 4tests: prep $(REGRESS_TARGETS)
@@ -54,6 +54,7 @@ LTESTS= connect \
54 multiplex \ 54 multiplex \
55 reexec \ 55 reexec \
56 brokenkeys \ 56 brokenkeys \
57 cfgparse \
57 cfgmatch \ 58 cfgmatch \
58 addrmatch \ 59 addrmatch \
59 localcommand \ 60 localcommand \
@@ -72,7 +73,8 @@ LTESTS= connect \
72 limit-keytype \ 73 limit-keytype \
73 hostkey-agent \ 74 hostkey-agent \
74 keygen-knownhosts \ 75 keygen-knownhosts \
75 hostkey-rotate 76 hostkey-rotate \
77 principals-command
76 78
77 79
78# dhgex \ 80# dhgex \
@@ -180,10 +182,10 @@ t11:
180 ${TEST_SSH_SSHKEYGEN} -E sha256 -lf ${.CURDIR}/rsa_openssh.pub |\ 182 ${TEST_SSH_SSHKEYGEN} -E sha256 -lf ${.CURDIR}/rsa_openssh.pub |\
181 awk '{print $$2}' | diff - ${.CURDIR}/t11.ok 183 awk '{print $$2}' | diff - ${.CURDIR}/t11.ok
182 184
183t12.out: 185$(OBJ)/t12.out:
184 ${TEST_SSH_SSHKEYGEN} -q -t ed25519 -N '' -C 'test-comment-1234' -f $(OBJ)/$@ 186 ${TEST_SSH_SSHKEYGEN} -q -t ed25519 -N '' -C 'test-comment-1234' -f $@
185 187
186t12: t12.out 188t12: $(OBJ)/t12.out
187 ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t12.out.pub | grep test-comment-1234 >/dev/null 189 ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t12.out.pub | grep test-comment-1234 >/dev/null
188 190
189t-exec: ${LTESTS:=.sh} 191t-exec: ${LTESTS:=.sh}
diff --git a/regress/README.regress b/regress/README.regress
index 82e4cc751..9b99bdacb 100644
--- a/regress/README.regress
+++ b/regress/README.regress
@@ -31,7 +31,7 @@ TEST_SHELL: shell used for running the test scripts.
31TEST_SSH_PORT: TCP port to be used for the listening tests. 31TEST_SSH_PORT: TCP port to be used for the listening tests.
32TEST_SSH_SSH_CONFOPTS: Configuration directives to be added to ssh_config 32TEST_SSH_SSH_CONFOPTS: Configuration directives to be added to ssh_config
33 before running each test. 33 before running each test.
34TEST_SSH_SSHD_CONFOTPS: Configuration directives to be added to sshd_config 34TEST_SSH_SSHD_CONFOPTS: Configuration directives to be added to sshd_config
35 before running each test. 35 before running each test.
36 36
37 37
diff --git a/regress/cfgparse.sh b/regress/cfgparse.sh
new file mode 100644
index 000000000..736f38976
--- /dev/null
+++ b/regress/cfgparse.sh
@@ -0,0 +1,75 @@
1# $OpenBSD: cfgparse.sh,v 1.5 2015/05/29 03:05:13 djm Exp $
2# Placed in the Public Domain.
3
4tid="config parse"
5
6# This is a reasonable proxy for IPv6 support.
7if ! config_defined HAVE_STRUCT_IN6_ADDR ; then
8 SKIP_IPV6=yes
9fi
10
11# We need to use the keys generated for the regression test because sshd -T
12# will fail if we're not running with SUDO (no permissions for real keys) or
13# if we are # running tests on a system that has never had sshd installed
14# (keys won't exist).
15
16grep "HostKey " $OBJ/sshd_config > $OBJ/sshd_config_minimal
17SSHD_KEYS="`cat $OBJ/sshd_config_minimal`"
18
19verbose "reparse minimal config"
20($SUDO ${SSHD} -T -f $OBJ/sshd_config_minimal >$OBJ/sshd_config.1 &&
21 $SUDO ${SSHD} -T -f $OBJ/sshd_config.1 >$OBJ/sshd_config.2 &&
22 diff $OBJ/sshd_config.1 $OBJ/sshd_config.2) || fail "reparse minimal config"
23
24verbose "reparse regress config"
25($SUDO ${SSHD} -T -f $OBJ/sshd_config >$OBJ/sshd_config.1 &&
26 $SUDO ${SSHD} -T -f $OBJ/sshd_config.1 >$OBJ/sshd_config.2 &&
27 diff $OBJ/sshd_config.1 $OBJ/sshd_config.2) || fail "reparse regress config"
28
29verbose "listenaddress order"
30# expected output
31cat > $OBJ/sshd_config.0 <<EOD
32listenaddress 1.2.3.4:1234
33listenaddress 1.2.3.4:5678
34EOD
35[ X${SKIP_IPV6} = Xyes ] || cat >> $OBJ/sshd_config.0 <<EOD
36listenaddress [::1]:1234
37listenaddress [::1]:5678
38EOD
39
40# test input sets. should all result in the output above.
41# test 1: addressfamily and port first
42cat > $OBJ/sshd_config.1 <<EOD
43${SSHD_KEYS}
44addressfamily any
45port 1234
46port 5678
47listenaddress 1.2.3.4
48EOD
49[ X${SKIP_IPV6} = Xyes ] || cat >> $OBJ/sshd_config.1 <<EOD
50listenaddress ::1
51EOD
52
53($SUDO ${SSHD} -T -f $OBJ/sshd_config.1 | \
54 grep 'listenaddress ' >$OBJ/sshd_config.2 &&
55 diff $OBJ/sshd_config.0 $OBJ/sshd_config.2) || \
56 fail "listenaddress order 1"
57# test 2: listenaddress first
58cat > $OBJ/sshd_config.1 <<EOD
59${SSHD_KEYS}
60listenaddress 1.2.3.4
61port 1234
62port 5678
63addressfamily any
64EOD
65[ X${SKIP_IPV6} = Xyes ] || cat >> $OBJ/sshd_config.1 <<EOD
66listenaddress ::1
67EOD
68
69($SUDO ${SSHD} -T -f $OBJ/sshd_config.1 | \
70 grep 'listenaddress ' >$OBJ/sshd_config.2 &&
71 diff $OBJ/sshd_config.0 $OBJ/sshd_config.2) || \
72 fail "listenaddress order 2"
73
74# cleanup
75rm -f $OBJ/sshd_config.[012]
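Review bot: The cleanup at line 75 removes `$OBJ/sshd_config.[012]` but leaves `$OBJ/sshd_config_minimal`, which line 16 creates in the same directory; the test should remove everything it generated, e.g. `rm -f $OBJ/sshd_config.[012] $OBJ/sshd_config_minimal`. The comment at lines 11-14 also has a stray `#` in "if we are # running tests" and should read `# if we are running tests on a system that has never had sshd installed`. Both reparse checks rely on `diff` exiting non-zero only on a mismatch, which is fine, but a failed `sshd -T` on the first command leaves a stale `sshd_config.2` from a previous run in place; that is harmless only because `fail` is called regardless.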
diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh
index ad2f9b90b..575dc2341 100644
--- a/regress/cipher-speed.sh
+++ b/regress/cipher-speed.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cipher-speed.sh,v 1.12 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: cipher-speed.sh,v 1.13 2015/03/24 20:22:17 markus Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="cipher speed" 4tid="cipher speed"
@@ -25,7 +25,7 @@ for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do
25 fi 25 fi
26 done 26 done
27 # No point trying all MACs for AEAD ciphers since they are ignored. 27 # No point trying all MACs for AEAD ciphers since they are ignored.
28 if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then 28 if ${SSH} -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then
29 break 29 break
30 fi 30 fi
31 n=`expr $n + 1` 31 n=`expr $n + 1`
diff --git a/regress/hostkey-rotate.sh b/regress/hostkey-rotate.sh
index b5d542d12..cde6008f4 100644
--- a/regress/hostkey-rotate.sh
+++ b/regress/hostkey-rotate.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: hostkey-rotate.sh,v 1.2 2015/03/03 17:53:40 djm Exp $ 1# $OpenBSD: hostkey-rotate.sh,v 1.3 2015/03/24 20:22:17 markus Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="hostkey rotate" 4tid="hostkey rotate"
@@ -15,7 +15,7 @@ rm $OBJ/known_hosts
15trace "prepare hostkeys" 15trace "prepare hostkeys"
16nkeys=0 16nkeys=0
17all_algs="" 17all_algs=""
18for k in `ssh -Q key-plain` ; do 18for k in `${SSH} -Q key-plain` ; do
19 ${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k" 19 ${SSHKEYGEN} -qt $k -f $OBJ/hkr.$k -N '' || fatal "ssh-keygen $k"
20 echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig 20 echo "Hostkey $OBJ/hkr.${k}" >> $OBJ/sshd_proxy.orig
21 nkeys=`expr $nkeys + 1` 21 nkeys=`expr $nkeys + 1`
@@ -62,7 +62,7 @@ expect_nkeys $nkeys "learn hostkeys"
62check_key_present ssh-rsa || fail "didn't learn keys" 62check_key_present ssh-rsa || fail "didn't learn keys"
63 63
64# Check each key type 64# Check each key type
65for k in `ssh -Q key-plain` ; do 65for k in `${SSH} -Q key-plain` ; do
66 verbose "learn additional hostkeys, type=$k" 66 verbose "learn additional hostkeys, type=$k"
67 dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs 67 dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$k,$all_algs
68 expect_nkeys $nkeys "learn hostkeys $k" 68 expect_nkeys $nkeys "learn hostkeys $k"
@@ -109,7 +109,7 @@ dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa
109expect_nkeys 1 "learn hostkeys" 109expect_nkeys 1 "learn hostkeys"
110check_key_present ssh-rsa || fail "didn't learn changed key" 110check_key_present ssh-rsa || fail "didn't learn changed key"
111 111
112# $OpenBSD: hostkey-rotate.sh,v 1.2 2015/03/03 17:53:40 djm Exp $ 112# $OpenBSD: hostkey-rotate.sh,v 1.3 2015/03/24 20:22:17 markus Exp $
113# Placed in the Public Domain. 113# Placed in the Public Domain.
114 114
115tid="hostkey rotate" 115tid="hostkey rotate"
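Review bot: The last hunk's context (lines 112-115) shows a second `$OpenBSD` ident, "Placed in the Public Domain" line and `tid="hostkey rotate"` assignment at line 112 onward, which strongly suggests the script body is duplicated in this file and the ident was updated in both copies. If that is the case the whole second copy from line 112 should be dropped rather than kept in sync, since re-running the key generation and hostkey checks a second time doubles the test's runtime and masks any failure in the first pass. The `ssh` to `${SSH}` replacements at lines 18 and 65 are correct as far as they go, but they will need to be applied to both copies until the duplication is removed.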
diff --git a/regress/integrity.sh b/regress/integrity.sh
index 2ff8b3f17..1d4976771 100644
--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: integrity.sh,v 1.15 2015/01/19 20:42:31 markus Exp $ 1# $OpenBSD: integrity.sh,v 1.16 2015/03/24 20:22:17 markus Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="integrity" 4tid="integrity"
@@ -38,7 +38,7 @@ for m in $macs; do
38 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy 38 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
39 # modify output from sshd at offset $off 39 # modify output from sshd at offset $off
40 pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1" 40 pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1"
41 if ssh -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then 41 if ${SSH} -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then
42 echo "Ciphers=$m" >> $OBJ/sshd_proxy 42 echo "Ciphers=$m" >> $OBJ/sshd_proxy
43 macopt="-c $m" 43 macopt="-c $m"
44 else 44 else
diff --git a/regress/kextype.sh b/regress/kextype.sh
index 6f952f4e4..e27189904 100644
--- a/regress/kextype.sh
+++ b/regress/kextype.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: kextype.sh,v 1.5 2014/04/21 22:15:37 djm Exp $ 1# $OpenBSD: kextype.sh,v 1.6 2015/03/24 20:19:15 markus Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="login with different key exchange algorithms" 4tid="login with different key exchange algorithms"
@@ -8,7 +8,7 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak 8cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
9 9
10# Make server accept all key exchanges. 10# Make server accept all key exchanges.
11ALLKEX=`ssh -Q kex` 11ALLKEX=`${SSH} -Q kex`
12KEXOPT=`echo $ALLKEX | tr ' ' ,` 12KEXOPT=`echo $ALLKEX | tr ' ' ,`
13echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy 13echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy
14 14
diff --git a/regress/keys-command.sh b/regress/keys-command.sh
index b595a434f..700273b66 100644
--- a/regress/keys-command.sh
+++ b/regress/keys-command.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: keys-command.sh,v 1.2 2012/12/06 06:06:54 dtucker Exp $ 1# $OpenBSD: keys-command.sh,v 1.3 2015/05/21 06:40:02 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="authorized keys from command" 4tid="authorized keys from command"
@@ -9,26 +9,63 @@ if test -z "$SUDO" ; then
9 exit 0 9 exit 0
10fi 10fi
11 11
12rm -f $OBJ/keys-command-args
13
14touch $OBJ/keys-command-args
15chmod a+rw $OBJ/keys-command-args
16
17expected_key_text=`awk '{ print $2 }' < $OBJ/rsa.pub`
18expected_key_fp=`$SSHKEYGEN -lf $OBJ/rsa.pub | awk '{ print $2 }'`
19
12# Establish a AuthorizedKeysCommand in /var/run where it will have 20# Establish a AuthorizedKeysCommand in /var/run where it will have
13# acceptable directory permissions. 21# acceptable directory permissions.
14KEY_COMMAND="/var/run/keycommand_${LOGNAME}" 22KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
15cat << _EOF | $SUDO sh -c "cat > '$KEY_COMMAND'" 23cat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'"
16#!/bin/sh 24#!/bin/sh
25echo args: "\$@" >> $OBJ/keys-command-args
26echo "$PATH" | grep -q mekmitasdigoat && exit 7
17test "x\$1" != "x${LOGNAME}" && exit 1 27test "x\$1" != "x${LOGNAME}" && exit 1
28if test $# -eq 6 ; then
29 test "x\$2" != "xblah" && exit 2
30 test "x\$3" != "x${expected_key_text}" && exit 3
31 test "x\$4" != "xssh-rsa" && exit 4
32 test "x\$5" != "x${expected_key_fp}" && exit 5
33 test "x\$6" != "xblah" && exit 6
34fi
18exec cat "$OBJ/authorized_keys_${LOGNAME}" 35exec cat "$OBJ/authorized_keys_${LOGNAME}"
19_EOF 36_EOF
20$SUDO chmod 0755 "$KEY_COMMAND" 37$SUDO chmod 0755 "$KEY_COMMAND"
21 38
22cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
23(
24 grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
25 echo AuthorizedKeysFile none
26 echo AuthorizedKeysCommand $KEY_COMMAND
27 echo AuthorizedKeysCommandUser ${LOGNAME}
28) > $OBJ/sshd_proxy
29
30if [ -x $KEY_COMMAND ]; then 39if [ -x $KEY_COMMAND ]; then
31 ${SSH} -F $OBJ/ssh_proxy somehost true 40 cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
41
42 verbose "AuthorizedKeysCommand with arguments"
43 (
44 grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
45 echo AuthorizedKeysFile none
46 echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah
47 echo AuthorizedKeysCommandUser ${LOGNAME}
48 ) > $OBJ/sshd_proxy
49
50 # Ensure that $PATH is sanitised in sshd
51 env PATH=$PATH:/sbin/mekmitasdigoat \
52 ${SSH} -F $OBJ/ssh_proxy somehost true
53 if [ $? -ne 0 ]; then
54 fail "connect failed"
55 fi
56
57 verbose "AuthorizedKeysCommand without arguments"
58 # Check legacy behavior of no-args resulting in username being passed.
59 (
60 grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
61 echo AuthorizedKeysFile none
62 echo AuthorizedKeysCommand $KEY_COMMAND
63 echo AuthorizedKeysCommandUser ${LOGNAME}
64 ) > $OBJ/sshd_proxy
65
66 # Ensure that $PATH is sanitised in sshd
67 env PATH=$PATH:/sbin/mekmitasdigoat \
68 ${SSH} -F $OBJ/ssh_proxy somehost true
32 if [ $? -ne 0 ]; then 69 if [ $? -ne 0 ]; then
33 fail "connect failed" 70 fail "connect failed"
34 fi 71 fi
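Review bot: Lines 26 and 28 of the generated key command are expanded by the harness, not by the command: the here-document is unquoted (`cat << _EOF`), so `"$PATH"` at line 26 and `$#` at line 28 are substituted when the file is written, unlike the escaped `\$1`, `\$2` and `\$@` on the neighbouring lines. As written, line 26 greps the harness's PATH at creation time (which does not contain `mekmitasdigoat`, so the `exit 7` path can never fire and the PATH-sanitisation check at lines 50-52 and 66-68 verifies nothing) and line 28 compares a constant (the test script's own argument count) against 6, so the per-argument checks at lines 29-33 are dead code. The two lines should be `echo "\$PATH" | grep -q mekmitasdigoat && exit 7` and `if test \$# -eq 6 ; then`. The `$OBJ/keys-command-args` log written at line 25 is created world-writable at line 15 but does not appear to be inspected anywhere in this hunk, so it is presumably a debugging aid; a comment saying so would help.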
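--- a/regress/netcat.c
+++ b/regress/netcat.c
@@ -42,7 +42,6 @@
 #include <netinet/in.h>
 #include <netinet/tcp.h>
 #include <netinet/ip.h>
-#include <arpa/telnet.h>
 
 #include <errno.h>
 #include <netdb.h>
@@ -63,6 +62,13 @@
 # endif
 #endif
 
+/* Telnet options from arpa/telnet.h */
+#define IAC 255
+#define DONT 254
+#define DO 253
+#define WONT 252
+#define WILL 251
+
 #ifndef SUN_LEN
 #define SUN_LEN(su) \
 	(sizeof(*(su)) - sizeof((su)->sun_path) + strlen((su)->sun_path))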
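Review bot: The five telnet option macros added at lines 65-70 are defined unconditionally; on a platform where some other included header already provides `IAC`, `DO`, `DONT`, `WILL` or `WONT` (they are the `<arpa/telnet.h>` values the first hunk stops including) the compiler will warn about macro redefinition, and with `-Werror` the build fails. Wrapping the block in `#ifndef IAC` / `#endif`, in the same style as the `SUN_LEN` fallback immediately below, keeps the portability fix without the redefinition hazard. A short comment noting that only the option-negotiation constants are needed here would also explain why the full header was dropped rather than guarded.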
diff --git a/regress/principals-command.sh b/regress/principals-command.sh
new file mode 100644
index 000000000..90064373d
--- /dev/null
+++ b/regress/principals-command.sh
@@ -0,0 +1,141 @@
1# $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $
2# Placed in the Public Domain.
3
4tid="authorized principals command"
5
6rm -f $OBJ/user_ca_key* $OBJ/cert_user_key*
7cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8
9if test -z "$SUDO" ; then
10 echo "skipped (SUDO not set)"
11 echo "need SUDO to create file in /var/run, test won't work without"
12 exit 0
13fi
14
15# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
16# acceptable directory permissions.
17PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
18cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
19#!/bin/sh
20test "x\$1" != "x${LOGNAME}" && exit 1
21test -f "$OBJ/authorized_principals_${LOGNAME}" &&
22 exec cat "$OBJ/authorized_principals_${LOGNAME}"
23_EOF
24test $? -eq 0 || fatal "couldn't prepare principals command"
25$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
26
27# Create a CA key and a user certificate.
28${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
29 fatal "ssh-keygen of user_ca_key failed"
30${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \
31 fatal "ssh-keygen of cert_user_key failed"
32${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
33 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
34 fatal "couldn't sign cert_user_key"
35
36# Test explicitly-specified principals
37for privsep in yes no ; do
38 _prefix="privsep $privsep"
39
40 # Setup for AuthorizedPrincipalsCommand
41 rm -f $OBJ/authorized_keys_$USER
42 (
43 cat $OBJ/sshd_proxy_bak
44 echo "UsePrivilegeSeparation $privsep"
45 echo "AuthorizedKeysFile none"
46 echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
47 echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
48 echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
49 ) > $OBJ/sshd_proxy
50
51 # XXX test missing command
52 # XXX test failing command
53
54 # Empty authorized_principals
55 verbose "$tid: ${_prefix} empty authorized_principals"
56 echo > $OBJ/authorized_principals_$USER
57 ${SSH} -2i $OBJ/cert_user_key \
58 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
59 if [ $? -eq 0 ]; then
60 fail "ssh cert connect succeeded unexpectedly"
61 fi
62
63 # Wrong authorized_principals
64 verbose "$tid: ${_prefix} wrong authorized_principals"
65 echo gregorsamsa > $OBJ/authorized_principals_$USER
66 ${SSH} -2i $OBJ/cert_user_key \
67 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
68 if [ $? -eq 0 ]; then
69 fail "ssh cert connect succeeded unexpectedly"
70 fi
71
72 # Correct authorized_principals
73 verbose "$tid: ${_prefix} correct authorized_principals"
74 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
75 ${SSH} -2i $OBJ/cert_user_key \
76 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
77 if [ $? -ne 0 ]; then
78 fail "ssh cert connect failed"
79 fi
80
81 # authorized_principals with bad key option
82 verbose "$tid: ${_prefix} authorized_principals bad key opt"
83 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
84 ${SSH} -2i $OBJ/cert_user_key \
85 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
86 if [ $? -eq 0 ]; then
87 fail "ssh cert connect succeeded unexpectedly"
88 fi
89
90 # authorized_principals with command=false
91 verbose "$tid: ${_prefix} authorized_principals command=false"
92 echo 'command="false" mekmitasdigoat' > \
93 $OBJ/authorized_principals_$USER
94 ${SSH} -2i $OBJ/cert_user_key \
95 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
96 if [ $? -eq 0 ]; then
97 fail "ssh cert connect succeeded unexpectedly"
98 fi
99
100
101 # authorized_principals with command=true
102 verbose "$tid: ${_prefix} authorized_principals command=true"
103 echo 'command="true" mekmitasdigoat' > \
104 $OBJ/authorized_principals_$USER
105 ${SSH} -2i $OBJ/cert_user_key \
106 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
107 if [ $? -ne 0 ]; then
108 fail "ssh cert connect failed"
109 fi
110
111 # Setup for principals= key option
112 rm -f $OBJ/authorized_principals_$USER
113 (
114 cat $OBJ/sshd_proxy_bak
115 echo "UsePrivilegeSeparation $privsep"
116 ) > $OBJ/sshd_proxy
117
118 # Wrong principals list
119 verbose "$tid: ${_prefix} wrong principals key option"
120 (
121 printf 'cert-authority,principals="gregorsamsa" '
122 cat $OBJ/user_ca_key.pub
123 ) > $OBJ/authorized_keys_$USER
124 ${SSH} -2i $OBJ/cert_user_key \
125 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
126 if [ $? -eq 0 ]; then
127 fail "ssh cert connect succeeded unexpectedly"
128 fi
129
130 # Correct principals list
131 verbose "$tid: ${_prefix} correct principals key option"
132 (
133 printf 'cert-authority,principals="mekmitasdigoat" '
134 cat $OBJ/user_ca_key.pub
135 ) > $OBJ/authorized_keys_$USER
136 ${SSH} -2i $OBJ/cert_user_key \
137 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
138 if [ $? -ne 0 ]; then
139 fail "ssh cert connect failed"
140 fi
141done
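Review bot: The script mixes `${LOGNAME}` and `$USER` for the same identity: the principals command written at lines 18-23 checks `\$1` against `${LOGNAME}` and reads `authorized_principals_${LOGNAME}`, while the test body writes `authorized_principals_$USER` (lines 56, 65, 74, 83, 93, 104, 112), `authorized_keys_$USER` (lines 41, 123, 135) and signs the certificate for `${USER}` at line 33. If the two variables ever differ in the harness environment, the file the command reads is never the one the test writes and every "correct" case fails while the "wrong" cases pass for the wrong reason; picking one variable throughout (keys-command.sh uses `${LOGNAME}` consistently) removes the ambiguity. The `# XXX test missing command` and `# XXX test failing command` placeholders at lines 51-52 would be worth expanding into real cases, since a missing or non-zero-exiting AuthorizedPrincipalsCommand must deny access rather than fall through to other authorization paths.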
diff --git a/regress/ssh-com.sh b/regress/ssh-com.sh
index 6c5cfe888..4371d5279 100644
--- a/regress/ssh-com.sh
+++ b/regress/ssh-com.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: ssh-com.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $ 1# $OpenBSD: ssh-com.sh,v 1.9 2015/05/08 07:29:00 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="connect to ssh.com server" 4tid="connect to ssh.com server"
@@ -44,14 +44,14 @@ cat << EOF > $OBJ/sshd2_config
44 HostKeyFile ${SRC}/dsa_ssh2.prv 44 HostKeyFile ${SRC}/dsa_ssh2.prv
45 PublicHostKeyFile ${SRC}/dsa_ssh2.pub 45 PublicHostKeyFile ${SRC}/dsa_ssh2.pub
46 RandomSeedFile ${OBJ}/random_seed 46 RandomSeedFile ${OBJ}/random_seed
47 MaxConnections 0 47 MaxConnections 0
48 PermitRootLogin yes 48 PermitRootLogin yes
49 VerboseMode no 49 VerboseMode no
50 CheckMail no 50 CheckMail no
51 Ssh1Compatibility no 51 Ssh1Compatibility no
52EOF 52EOF
53 53
54# create client config 54# create client config
55sed "s/HostKeyAlias.*/HostKeyAlias ssh2-localhost-with-alias/" \ 55sed "s/HostKeyAlias.*/HostKeyAlias ssh2-localhost-with-alias/" \
56 < $OBJ/ssh_config > $OBJ/ssh_config_com 56 < $OBJ/ssh_config > $OBJ/ssh_config_com
57 57
diff --git a/regress/ssh2putty.sh b/regress/ssh2putty.sh
index 691db1690..bcf83afe9 100755
--- a/regress/ssh2putty.sh
+++ b/regress/ssh2putty.sh
@@ -1,5 +1,5 @@
1#!/bin/sh 1#!/bin/sh
2# $OpenBSD: ssh2putty.sh,v 1.2 2009/10/06 23:51:49 dtucker Exp $ 2# $OpenBSD: ssh2putty.sh,v 1.3 2015/05/08 07:26:13 djm Exp $
3 3
4if test "x$1" = "x" -o "x$2" = "x" -o "x$3" = "x" ; then 4if test "x$1" = "x" -o "x$2" = "x" -o "x$3" = "x" ; then
5 echo "Usage: ssh2putty hostname port ssh-private-key" 5 echo "Usage: ssh2putty hostname port ssh-private-key"
@@ -19,13 +19,13 @@ else
19fi 19fi
20 20
21public_exponent=` 21public_exponent=`
22 openssl rsa -noout -text -in $KEYFILE | grep ^publicExponent | 22 openssl rsa -noout -text -in $KEYFILE | grep ^publicExponent |
23 sed 's/.*(//;s/).*//' 23 sed 's/.*(//;s/).*//'
24` 24`
25test $? -ne 0 && exit 1 25test $? -ne 0 && exit 1
26 26
27modulus=` 27modulus=`
28 openssl rsa -noout -modulus -in $KEYFILE | grep ^Modulus= | 28 openssl rsa -noout -modulus -in $KEYFILE | grep ^Modulus= |
29 sed 's/^Modulus=/0x/' | tr A-Z a-z 29 sed 's/^Modulus=/0x/' | tr A-Z a-z
30` 30`
31test $? -ne 0 && exit 1 31test $? -ne 0 && exit 1
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 0f766620d..114e129f2 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -444,7 +444,7 @@ Host *
444EOF 444EOF
445 445
446if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then 446if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then
447 trace "adding ssh_config option $TEST_SSH_SSHD_CONFOPTS" 447 trace "adding ssh_config option $TEST_SSH_SSH_CONFOPTS"
448 echo "$TEST_SSH_SSH_CONFOPTS" >> $OBJ/ssh_config 448 echo "$TEST_SSH_SSH_CONFOPTS" >> $OBJ/ssh_config
449fi 449fi
450 450
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh
index 4165c7b88..889a735d2 100644
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: try-ciphers.sh,v 1.24 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: try-ciphers.sh,v 1.25 2015/03/24 20:22:17 markus Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="try ciphers" 4tid="try ciphers"
@@ -19,7 +19,7 @@ for c in `${SSH} -Q cipher`; do
19 fi 19 fi
20 # No point trying all MACs for AEAD ciphers since they 20 # No point trying all MACs for AEAD ciphers since they
21 # are ignored. 21 # are ignored.
22 if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then 22 if ${SSH} -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then
23 break 23 break
24 fi 24 fi
25 n=`expr $n + 1` 25 n=`expr $n + 1`
diff --git a/regress/unittests/hostkeys/test_iterate.c b/regress/unittests/hostkeys/test_iterate.c
index d81291b68..2eaaf063a 100644
--- a/regress/unittests/hostkeys/test_iterate.c
+++ b/regress/unittests/hostkeys/test_iterate.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_iterate.c,v 1.3 2015/03/07 04:41:48 djm Exp $ */ 1/* $OpenBSD: test_iterate.c,v 1.4 2015/03/31 22:59:01 djm Exp $ */
2/* 2/*
3 * Regress test for hostfile.h hostkeys_foreach() 3 * Regress test for hostfile.h hostkeys_foreach()
4 * 4 *
@@ -91,8 +91,8 @@ check(struct hostkey_foreach_line *l, void *_ctx)
91 expected->l.keytype : expected->no_parse_keytype; 91 expected->l.keytype : expected->no_parse_keytype;
92 92
93#ifndef WITH_SSH1 93#ifndef WITH_SSH1
94 if (expected->l.keytype == KEY_RSA1 || 94 if (parse_key && (expected->l.keytype == KEY_RSA1 ||
95 expected->no_parse_keytype == KEY_RSA1) { 95 expected->no_parse_keytype == KEY_RSA1)) {
96 expected_status = HKF_STATUS_INVALID; 96 expected_status = HKF_STATUS_INVALID;
97 expected_keytype = KEY_UNSPEC; 97 expected_keytype = KEY_UNSPEC;
98 parse_key = 0; 98 parse_key = 0;
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
index ad10c9be2..4453a8599 100644
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_sshkey.c,v 1.3 2015/01/26 06:11:28 djm Exp $ */ 1/* $OpenBSD: test_sshkey.c,v 1.4 2015/04/22 01:38:36 djm Exp $ */
2/* 2/*
3 * Regress test for sshkey.h key management API 3 * Regress test for sshkey.h key management API
4 * 4 *
@@ -505,7 +505,7 @@ sshkey_tests(void)
505 ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1"), &k1), 0); 505 ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1"), &k1), 0);
506 ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2, 506 ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2,
507 NULL), 0); 507 NULL), 0);
508 k3 = get_private("ed25519_2"); 508 k3 = get_private("rsa_1");
509 build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1); 509 build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1);
510 ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(b), sshbuf_len(b), &k4), 510 ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(b), sshbuf_len(b), &k4),
511 SSH_ERR_KEY_CERT_INVALID_SIGN_KEY); 511 SSH_ERR_KEY_CERT_INVALID_SIGN_KEY);
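Review bot: The reason for switching the signing key at line 508 from `ed25519_2` to `rsa_1` is not recorded, and the expected `SSH_ERR_KEY_CERT_INVALID_SIGN_KEY` at line 511 no longer reads as obviously self-explanatory. It appears the intent is to certify `rsa_1.pub` (k2) with the private half of the same key (k3), so that the CA key equals the certified key and the loader must reject it; a one-line comment such as `/* CA key == certified key: must be rejected as an invalid signing key */` above the `get_private("rsa_1")` line would preserve that intent, but please confirm that is the case being exercised. The enclosing `sshkey_tests` function continues outside the hunk.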