summaryrefslogtreecommitdiff
path: root/regress
diff options
context:
space:
mode:
Diffstat (limited to 'regress')
-rw-r--r--regress/Makefile38
-rw-r--r--regress/agent-getpeereid.sh2
-rw-r--r--regress/agent-pkcs11.sh4
-rw-r--r--regress/agent.sh38
-rw-r--r--regress/authinfo.sh17
-rw-r--r--regress/banner.sh8
-rw-r--r--regress/broken-pipe.sh17
-rw-r--r--regress/brokenkeys.sh6
-rw-r--r--regress/cert-file.sh131
-rw-r--r--regress/cert-hostkey.sh14
-rw-r--r--regress/cert-userkey.sh36
-rw-r--r--regress/cfgmatch.sh76
-rw-r--r--regress/cipher-speed.sh27
-rw-r--r--regress/connect-privsep.sh30
-rw-r--r--regress/connect.sh12
-rw-r--r--regress/dhgex.sh3
-rw-r--r--regress/dynamic-forward.sh20
-rw-r--r--regress/exit-status.sh34
-rw-r--r--regress/forcecommand.sh23
-rw-r--r--regress/forward-control.sh109
-rw-r--r--regress/forwarding.sh174
-rw-r--r--regress/host-expand.sh9
-rw-r--r--regress/hostkey-agent.sh4
-rw-r--r--regress/integrity.sh10
-rw-r--r--regress/key-options.sh52
-rw-r--r--regress/keygen-change.sh5
-rw-r--r--regress/keyscan.sh6
-rw-r--r--regress/keytype.sh15
-rw-r--r--regress/localcommand.sh14
-rw-r--r--regress/login-timeout.sh20
-rw-r--r--regress/misc/fuzz-harness/Makefile22
-rw-r--r--regress/misc/fuzz-harness/README1
-rw-r--r--regress/misc/fuzz-harness/pubkey_fuzz.cc18
-rw-r--r--regress/misc/fuzz-harness/sig_fuzz.cc50
-rw-r--r--regress/misc/kexfuzz/Makefile4
-rw-r--r--regress/misc/kexfuzz/kexfuzz.c4
-rw-r--r--regress/multiplex.sh6
-rw-r--r--regress/principals-command.sh18
-rw-r--r--regress/proto-mismatch.sh12
-rw-r--r--regress/proto-version.sh16
-rw-r--r--regress/proxy-connect.sh41
-rw-r--r--regress/putty-ciphers.sh4
-rw-r--r--regress/putty-transfer.sh45
-rw-r--r--regress/reconfigure.sh22
-rw-r--r--regress/reexec.sh32
-rw-r--r--regress/ssh-com.sh4
-rw-r--r--regress/stderr-after-eof.sh4
-rw-r--r--regress/stderr-data.sh14
-rw-r--r--regress/test-exec.sh37
-rw-r--r--regress/transfer.sh29
-rw-r--r--regress/try-ciphers.sh24
-rw-r--r--regress/unittests/Makefile.inc4
-rw-r--r--regress/unittests/hostkeys/mktestdata.sh16
-rw-r--r--regress/unittests/hostkeys/test_iterate.c249
-rw-r--r--regress/unittests/hostkeys/testdata/known_hosts45
-rwxr-xr-xregress/unittests/sshkey/mktestdata.sh35
-rw-r--r--regress/unittests/sshkey/test_file.c51
-rw-r--r--regress/unittests/sshkey/test_fuzz.c45
-rw-r--r--regress/unittests/sshkey/test_sshkey.c22
-rw-r--r--regress/yes-head.sh18
60 files changed, 733 insertions, 1113 deletions
diff --git a/regress/Makefile b/regress/Makefile
index b23496b98..7d50f9cfa 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.94 2016/12/16 03:51:19 dtucker Exp $ 1# $OpenBSD: Makefile,v 1.95 2017/06/24 06:35:24 djm Exp $
2 2
3REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec 3REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
4tests: prep $(REGRESS_TARGETS) 4tests: prep $(REGRESS_TARGETS)
@@ -79,7 +79,8 @@ LTESTS= connect \
79 principals-command \ 79 principals-command \
80 cert-file \ 80 cert-file \
81 cfginclude \ 81 cfginclude \
82 allow-deny-users 82 allow-deny-users \
83 authinfo
83 84
84 85
85# dhgex \ 86# dhgex \
@@ -89,30 +90,33 @@ INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
89 90
90#LTESTS= cipher-speed 91#LTESTS= cipher-speed
91 92
92USERNAME!= id -un 93USERNAME= ${LOGNAME}
93CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ 94CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
94 authorized_keys_${USERNAME}.* \ 95 authorized_keys_${USERNAME}.* \
95 authorized_principals_${USERNAME} \ 96 authorized_principals_${USERNAME} \
96 banner.in banner.out cert_host_key* cert_user_key* \ 97 banner.in banner.out cert_host_key* cert_user_key* \
97 copy.1 copy.2 data ed25519-agent ed25519-agent* \ 98 copy.1 copy.2 data ed25519-agent ed25519-agent* \
98 ed25519-agent.pub empty.in expect failed-regress.log \ 99 ed25519-agent.pub ed25519 ed25519.pub empty.in \
99 failed-ssh.log failed-sshd.log hkr.* host.rsa host.rsa1 \ 100 expect failed-regress.log failed-ssh.log failed-sshd.log \
100 host_* host_ca_key* host_krl_* host_revoked_* key.* \ 101 hkr.* host.ed25519 host.rsa host.rsa1 host_* \
101 key.dsa-* key.ecdsa-* key.ed25519-512 key.ed25519-512.pub \ 102 host_ca_key* host_krl_* host_revoked_* key.* \
102 key.rsa-* keys-command-args kh.* known_hosts \ 103 key.dsa-* key.ecdsa-* key.ed25519-512 \
103 known_hosts-cert known_hosts.* krl-* ls.copy modpipe \ 104 key.ed25519-512.pub key.rsa-* keys-command-args kh.* \
104 netcat pidfile putty.rsa2 ready regress.log remote_pid \ 105 known_hosts known_hosts-cert known_hosts.* krl-* ls.copy \
105 revoked-* rsa rsa-agent rsa-agent.pub rsa.pub rsa1 \ 106 modpipe netcat no_identity_config \
106 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \ 107 pidfile putty.rsa2 ready regress.log \
108 remote_pid revoked-* rsa rsa-agent rsa-agent.pub rsa.pub \
109 rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \
107 rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \ 110 rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
108 scp-ssh-wrapper.scp setuid-allowed sftp-server.log \ 111 scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
109 sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \ 112 sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
110 ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \ 113 ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
111 ssh_proxy_envpass sshd.log sshd_config sshd_config.orig \ 114 ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \
112 sshd_proxy sshd_proxy.* sshd_proxy_bak sshd_proxy_orig \ 115 sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \
113 t10.out t10.out.pub t12.out t12.out.pub t2.out t3.out \ 116 sshd_proxy_orig t10.out t10.out.pub t12.out t12.out.pub \
114 t6.out1 t6.out2 t7.out t7.out.pub t8.out t8.out.pub \ 117 t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub \
115 t9.out t9.out.pub testdata user_*key* user_ca* user_key* 118 t8.out t8.out.pub t9.out t9.out.pub testdata \
119 user_*key* user_ca* user_key*
116 120
117SUDO_CLEAN+= /var/run/testdata_${USERNAME} /var/run/keycommand_${USERNAME} 121SUDO_CLEAN+= /var/run/testdata_${USERNAME} /var/run/keycommand_${USERNAME}
118 122
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh
index 34bced154..037a50914 100644
--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent-getpeereid.sh,v 1.8 2017/01/06 02:51:16 djm Exp $ 1# $OpenBSD: agent-getpeereid.sh,v 1.9 2017/09/13 14:58:26 bluhm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="disallow agent attach from other uid" 4tid="disallow agent attach from other uid"
diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh
index 3aa20c8b1..db3018b88 100644
--- a/regress/agent-pkcs11.sh
+++ b/regress/agent-pkcs11.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent-pkcs11.sh,v 1.2 2015/01/12 11:46:32 djm Exp $ 1# $OpenBSD: agent-pkcs11.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="pkcs11 agent test" 4tid="pkcs11 agent test"
@@ -53,7 +53,7 @@ else
53 fi 53 fi
54 54
55 trace "pkcs11 connect via agent" 55 trace "pkcs11 connect via agent"
56 ${SSH} -2 -F $OBJ/ssh_proxy somehost exit 5 56 ${SSH} -F $OBJ/ssh_proxy somehost exit 5
57 r=$? 57 r=$?
58 if [ $r -ne 5 ]; then 58 if [ $r -ne 5 ]; then
59 fail "ssh connect failed (exit code $r)" 59 fail "ssh connect failed (exit code $r)"
diff --git a/regress/agent.sh b/regress/agent.sh
index c5e2794b7..0baf0c74a 100644
--- a/regress/agent.sh
+++ b/regress/agent.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent.sh,v 1.11 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: agent.sh,v 1.12 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="simple agent test" 4tid="simple agent test"
@@ -46,28 +46,24 @@ else
46 fi 46 fi
47 47
48 trace "simple connect via agent" 48 trace "simple connect via agent"
49 for p in ${SSH_PROTOCOLS}; do 49 ${SSH} -F $OBJ/ssh_proxy somehost exit 52
50 ${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p 50 r=$?
51 r=$? 51 if [ $r -ne 52 ]; then
52 if [ $r -ne 5$p ]; then 52 fail "ssh connect with failed (exit code $r)"
53 fail "ssh connect with protocol $p failed (exit code $r)" 53 fi
54 fi
55 done
56 54
57 trace "agent forwarding" 55 trace "agent forwarding"
58 for p in ${SSH_PROTOCOLS}; do 56 ${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
59 ${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 57 r=$?
60 r=$? 58 if [ $r -ne 0 ]; then
61 if [ $r -ne 0 ]; then 59 fail "ssh-add -l via agent fwd failed (exit code $r)"
62 fail "ssh-add -l via agent fwd proto $p failed (exit code $r)" 60 fi
63 fi 61 ${SSH} -A -F $OBJ/ssh_proxy somehost \
64 ${SSH} -A -$p -F $OBJ/ssh_proxy somehost \ 62 "${SSH} -F $OBJ/ssh_proxy somehost exit 52"
65 "${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p" 63 r=$?
66 r=$? 64 if [ $r -ne 52 ]; then
67 if [ $r -ne 5$p ]; then 65 fail "agent fwd failed (exit code $r)"
68 fail "agent fwd proto $p failed (exit code $r)" 66 fi
69 fi
70 done
71 67
72 trace "delete all agent keys" 68 trace "delete all agent keys"
73 ${SSHADD} -D > /dev/null 2>&1 69 ${SSHADD} -D > /dev/null 2>&1
diff --git a/regress/authinfo.sh b/regress/authinfo.sh
new file mode 100644
index 000000000..e725296c9
--- /dev/null
+++ b/regress/authinfo.sh
@@ -0,0 +1,17 @@
1# $OpenBSD: authinfo.sh,v 1.1 2017/06/24 06:35:24 djm Exp $
2# Placed in the Public Domain.
3
4tid="authinfo"
5
6# Ensure the environment variable doesn't leak when ExposeAuthInfo=no.
7verbose "ExposeAuthInfo=no"
8env SSH_USER_AUTH=blah ${SSH} -F $OBJ/ssh_proxy x \
9 'test -z "$SSH_USER_AUTH"' || fail "SSH_USER_AUTH present"
10
11verbose "ExposeAuthInfo=yes"
12echo ExposeAuthInfo=yes >> $OBJ/sshd_proxy
13${SSH} -F $OBJ/ssh_proxy x \
14 'grep ^publickey "$SSH_USER_AUTH" /dev/null >/dev/null' ||
15 fail "ssh with ExposeAuthInfo failed"
16
17# XXX test multiple auth and key contents
diff --git a/regress/banner.sh b/regress/banner.sh
index 0b9c95007..0d9654fe2 100644
--- a/regress/banner.sh
+++ b/regress/banner.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: banner.sh,v 1.2 2003/10/11 11:49:49 dtucker Exp $ 1# $OpenBSD: banner.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="banner" 4tid="banner"
@@ -9,7 +9,7 @@ touch $OBJ/empty.in
9 9
10trace "test missing banner file" 10trace "test missing banner file"
11verbose "test $tid: missing banner file" 11verbose "test $tid: missing banner file"
12( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ 12( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
13 cmp $OBJ/empty.in $OBJ/banner.out ) || \ 13 cmp $OBJ/empty.in $OBJ/banner.out ) || \
14 fail "missing banner file" 14 fail "missing banner file"
15 15
@@ -30,14 +30,14 @@ for s in 0 10 100 1000 10000 100000 ; do
30 30
31 trace "test banner size $s" 31 trace "test banner size $s"
32 verbose "test $tid: size $s" 32 verbose "test $tid: size $s"
33 ( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ 33 ( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
34 cmp $OBJ/banner.in $OBJ/banner.out ) || \ 34 cmp $OBJ/banner.in $OBJ/banner.out ) || \
35 fail "banner size $s mismatch" 35 fail "banner size $s mismatch"
36done 36done
37 37
38trace "test suppress banner (-q)" 38trace "test suppress banner (-q)"
39verbose "test $tid: suppress banner (-q)" 39verbose "test $tid: suppress banner (-q)"
40( ${SSH} -q -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ 40( ${SSH} -q -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
41 cmp $OBJ/empty.in $OBJ/banner.out ) || \ 41 cmp $OBJ/empty.in $OBJ/banner.out ) || \
42 fail "suppress banner (-q)" 42 fail "suppress banner (-q)"
43 43
diff --git a/regress/broken-pipe.sh b/regress/broken-pipe.sh
index a416f7a3b..c69276e27 100644
--- a/regress/broken-pipe.sh
+++ b/regress/broken-pipe.sh
@@ -1,15 +1,12 @@
1# $OpenBSD: broken-pipe.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: broken-pipe.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="broken pipe test" 4tid="broken pipe test"
5 5
6for p in ${SSH_PROTOCOLS}; do 6for i in 1 2 3 4; do
7 trace "protocol $p" 7 ${SSH} -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true
8 for i in 1 2 3 4; do 8 r=$?
9 ${SSH} -$p -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true 9 if [ $r -ne 0 ]; then
10 r=$? 10 fail "broken pipe returns $r"
11 if [ $r -ne 0 ]; then 11 fi
12 fail "broken pipe returns $r for protocol $p"
13 fi
14 done
15done 12done
diff --git a/regress/brokenkeys.sh b/regress/brokenkeys.sh
index 3e70c348a..9d5a54fa9 100644
--- a/regress/brokenkeys.sh
+++ b/regress/brokenkeys.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: brokenkeys.sh,v 1.1 2004/10/29 23:59:22 djm Exp $ 1# $OpenBSD: brokenkeys.sh,v 1.2 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="broken keys" 4tid="broken keys"
@@ -14,9 +14,9 @@ echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEABTM= bad key" > $KEYS
14cat ${KEYS}.bak >> ${KEYS} 14cat ${KEYS}.bak >> ${KEYS}
15cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER 15cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
16 16
17${SSH} -2 -F $OBJ/ssh_config somehost true 17${SSH} -F $OBJ/ssh_config somehost true
18if [ $? -ne 0 ]; then 18if [ $? -ne 0 ]; then
19 fail "ssh connect with protocol $p failed" 19 fail "ssh connect with failed"
20fi 20fi
21 21
22mv ${KEYS}.bak ${KEYS} 22mv ${KEYS}.bak ${KEYS}
diff --git a/regress/cert-file.sh b/regress/cert-file.sh
index 43b8e0201..8fd62c773 100644
--- a/regress/cert-file.sh
+++ b/regress/cert-file.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-file.sh,v 1.5 2017/03/11 23:44:16 djm Exp $ 1# $OpenBSD: cert-file.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="ssh with certificates" 4tid="ssh with certificates"
@@ -54,66 +54,64 @@ cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config
54# XXX: verify that certificate used was what we expect. Needs exposure of 54# XXX: verify that certificate used was what we expect. Needs exposure of
55# keys via enviornment variable or similar. 55# keys via enviornment variable or similar.
56 56
57for p in ${SSH_PROTOCOLS}; do
58 # Key with no .pub should work - finding the equivalent *-cert.pub. 57 # Key with no .pub should work - finding the equivalent *-cert.pub.
59 verbose "protocol $p: identity cert with no plain public file" 58verbose "identity cert with no plain public file"
60 ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ 59${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
61 -i $OBJ/user_key3 somehost exit 5$p 60 -i $OBJ/user_key3 somehost exit 52
62 [ $? -ne 5$p ] && fail "ssh failed" 61[ $? -ne 52 ] && fail "ssh failed"
63 62
64 # CertificateFile matching private key with no .pub file should work. 63# CertificateFile matching private key with no .pub file should work.
65 verbose "protocol $p: CertificateFile with no plain public file" 64verbose "CertificateFile with no plain public file"
66 ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ 65${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
67 -oCertificateFile=$OBJ/user_key3-cert.pub \ 66 -oCertificateFile=$OBJ/user_key3-cert.pub \
68 -i $OBJ/user_key3 somehost exit 5$p 67 -i $OBJ/user_key3 somehost exit 52
69 [ $? -ne 5$p ] && fail "ssh failed" 68[ $? -ne 52 ] && fail "ssh failed"
70 69
71 # Just keys should fail 70# Just keys should fail
72 verbose "protocol $p: plain keys" 71verbose "plain keys"
73 ${SSH} $opts2 somehost exit 5$p 72${SSH} $opts2 somehost exit 52
74 r=$? 73r=$?
75 if [ $r -eq 5$p ]; then 74if [ $r -eq 52 ]; then
76 fail "ssh succeeded with no certs in protocol $p" 75 fail "ssh succeeded with no certs"
77 fi 76fi
78 77
79 # Keys with untrusted cert should fail. 78# Keys with untrusted cert should fail.
80 verbose "protocol $p: untrusted cert" 79verbose "untrusted cert"
81 opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" 80opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
82 ${SSH} $opts3 somehost exit 5$p 81${SSH} $opts3 somehost exit 52
83 r=$? 82r=$?
84 if [ $r -eq 5$p ]; then 83if [ $r -eq 52 ]; then
85 fail "ssh succeeded with bad cert in protocol $p" 84 fail "ssh succeeded with bad cert"
86 fi 85fi
87 86
88 # Good cert with bad key should fail. 87# Good cert with bad key should fail.
89 verbose "protocol $p: good cert, bad key" 88verbose "good cert, bad key"
90 opts3="$opts -i $OBJ/user_key2" 89opts3="$opts -i $OBJ/user_key2"
91 opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" 90opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
92 ${SSH} $opts3 somehost exit 5$p 91${SSH} $opts3 somehost exit 52
93 r=$? 92r=$?
94 if [ $r -eq 5$p ]; then 93if [ $r -eq 52 ]; then
95 fail "ssh succeeded with no matching key in protocol $p" 94 fail "ssh succeeded with no matching key"
96 fi 95fi
97 96
98 # Keys with one trusted cert, should succeed. 97# Keys with one trusted cert, should succeed.
99 verbose "protocol $p: single trusted" 98verbose "single trusted"
100 opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" 99opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
101 ${SSH} $opts3 somehost exit 5$p 100${SSH} $opts3 somehost exit 52
102 r=$? 101r=$?
103 if [ $r -ne 5$p ]; then 102if [ $r -ne 52 ]; then
104 fail "ssh failed with trusted cert and key in protocol $p" 103 fail "ssh failed with trusted cert and key"
105 fi 104fi
106 105
107 # Multiple certs and keys, with one trusted cert, should succeed. 106# Multiple certs and keys, with one trusted cert, should succeed.
108 verbose "protocol $p: multiple trusted" 107verbose "multiple trusted"
109 opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" 108opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
110 opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" 109opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
111 ${SSH} $opts3 somehost exit 5$p 110${SSH} $opts3 somehost exit 52
112 r=$? 111r=$?
113 if [ $r -ne 5$p ]; then 112if [ $r -ne 52 ]; then
114 fail "ssh failed with multiple certs in protocol $p" 113 fail "ssh failed with multiple certs"
115 fi 114fi
116done
117 115
118#next, using an agent in combination with the keys 116#next, using an agent in combination with the keys
119SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1 117SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
@@ -139,26 +137,25 @@ if [ $? -ne 0 ]; then
139fi 137fi
140 138
141# try ssh with the agent and certificates 139# try ssh with the agent and certificates
142# note: ssh agent only uses certificates in protocol 2
143opts="-F $OBJ/ssh_proxy" 140opts="-F $OBJ/ssh_proxy"
144# with no certificates, shoud fail 141# with no certificates, shoud fail
145${SSH} -2 $opts somehost exit 52 142${SSH} $opts somehost exit 52
146if [ $? -eq 52 ]; then 143if [ $? -eq 52 ]; then
147 fail "ssh connect with agent in protocol 2 succeeded with no cert" 144 fail "ssh connect with agent in succeeded with no cert"
148fi 145fi
149 146
150#with an untrusted certificate, should fail 147#with an untrusted certificate, should fail
151opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub" 148opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub"
152${SSH} -2 $opts somehost exit 52 149${SSH} $opts somehost exit 52
153if [ $? -eq 52 ]; then 150if [ $? -eq 52 ]; then
154 fail "ssh connect with agent in protocol 2 succeeded with bad cert" 151 fail "ssh connect with agent in succeeded with bad cert"
155fi 152fi
156 153
157#with an additional trusted certificate, should succeed 154#with an additional trusted certificate, should succeed
158opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub" 155opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub"
159${SSH} -2 $opts somehost exit 52 156${SSH} $opts somehost exit 52
160if [ $? -ne 52 ]; then 157if [ $? -ne 52 ]; then
161 fail "ssh connect with agent in protocol 2 failed with good cert" 158 fail "ssh connect with agent in failed with good cert"
162fi 159fi
163 160
164trace "kill agent" 161trace "kill agent"
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 62261cf8b..3d5732a5d 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-hostkey.sh,v 1.14 2016/05/02 09:52:00 djm Exp $ 1# $OpenBSD: cert-hostkey.sh,v 1.15 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified host keys" 4tid="certified host keys"
@@ -104,7 +104,7 @@ attempt_connect() {
104 shift; shift 104 shift; shift
105 verbose "$tid: $_ident expect success $_expect_success" 105 verbose "$tid: $_ident expect success $_expect_success"
106 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 106 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
107 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 107 ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
108 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 108 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
109 "$@" -F $OBJ/ssh_proxy somehost true 109 "$@" -F $OBJ/ssh_proxy somehost true
110 _r=$? 110 _r=$?
@@ -169,7 +169,7 @@ for privsep in yes no ; do
169 ) > $OBJ/sshd_proxy 169 ) > $OBJ/sshd_proxy
170 170
171 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 171 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
172 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 172 ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
173 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 173 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
174 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 174 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
175 if [ $? -eq 0 ]; then 175 if [ $? -eq 0 ]; then
@@ -190,7 +190,7 @@ for ktype in $PLAIN_TYPES ; do
190 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 190 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
191 ) > $OBJ/sshd_proxy 191 ) > $OBJ/sshd_proxy
192 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 192 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
193 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 193 ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
194 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 194 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
195 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 195 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
196 if [ $? -eq 0 ]; then 196 if [ $? -eq 0 ]; then
@@ -222,7 +222,7 @@ test_one() {
222 ) > $OBJ/sshd_proxy 222 ) > $OBJ/sshd_proxy
223 223
224 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 224 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
225 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 225 ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
226 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 226 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
227 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 227 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
228 rc=$? 228 rc=$?
@@ -271,7 +271,7 @@ for ktype in $PLAIN_TYPES ; do
271 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub 271 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
272 ) > $OBJ/sshd_proxy 272 ) > $OBJ/sshd_proxy
273 273
274 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 274 ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
275 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 275 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
276 -F $OBJ/ssh_proxy somehost true 276 -F $OBJ/ssh_proxy somehost true
277 if [ $? -ne 0 ]; then 277 if [ $? -ne 0 ]; then
@@ -303,7 +303,7 @@ for kt in $PLAIN_TYPES ; do
303 ) > $OBJ/sshd_proxy 303 ) > $OBJ/sshd_proxy
304 304
305 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert 305 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
306 ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \ 306 ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
307 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \ 307 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
308 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1 308 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
309 if [ $? -eq 0 ]; then 309 if [ $? -eq 0 ]; then
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 7005fd55e..6a23fe300 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cert-userkey.sh,v 1.17 2016/11/30 03:01:33 djm Exp $ 1# $OpenBSD: cert-userkey.sh,v 1.18 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="certified user keys" 4tid="certified user keys"
@@ -67,7 +67,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
67 # Missing authorized_principals 67 # Missing authorized_principals
68 verbose "$tid: ${_prefix} missing authorized_principals" 68 verbose "$tid: ${_prefix} missing authorized_principals"
69 rm -f $OBJ/authorized_principals_$USER 69 rm -f $OBJ/authorized_principals_$USER
70 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 70 ${SSH} -i $OBJ/cert_user_key_${ktype} \
71 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 71 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
72 if [ $? -eq 0 ]; then 72 if [ $? -eq 0 ]; then
73 fail "ssh cert connect succeeded unexpectedly" 73 fail "ssh cert connect succeeded unexpectedly"
@@ -76,7 +76,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
76 # Empty authorized_principals 76 # Empty authorized_principals
77 verbose "$tid: ${_prefix} empty authorized_principals" 77 verbose "$tid: ${_prefix} empty authorized_principals"
78 echo > $OBJ/authorized_principals_$USER 78 echo > $OBJ/authorized_principals_$USER
79 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 79 ${SSH} -i $OBJ/cert_user_key_${ktype} \
80 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 80 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
81 if [ $? -eq 0 ]; then 81 if [ $? -eq 0 ]; then
82 fail "ssh cert connect succeeded unexpectedly" 82 fail "ssh cert connect succeeded unexpectedly"
@@ -85,7 +85,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
85 # Wrong authorized_principals 85 # Wrong authorized_principals
86 verbose "$tid: ${_prefix} wrong authorized_principals" 86 verbose "$tid: ${_prefix} wrong authorized_principals"
87 echo gregorsamsa > $OBJ/authorized_principals_$USER 87 echo gregorsamsa > $OBJ/authorized_principals_$USER
88 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 88 ${SSH} -i $OBJ/cert_user_key_${ktype} \
89 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 89 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
90 if [ $? -eq 0 ]; then 90 if [ $? -eq 0 ]; then
91 fail "ssh cert connect succeeded unexpectedly" 91 fail "ssh cert connect succeeded unexpectedly"
@@ -94,7 +94,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
94 # Correct authorized_principals 94 # Correct authorized_principals
95 verbose "$tid: ${_prefix} correct authorized_principals" 95 verbose "$tid: ${_prefix} correct authorized_principals"
96 echo mekmitasdigoat > $OBJ/authorized_principals_$USER 96 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
97 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 97 ${SSH} -i $OBJ/cert_user_key_${ktype} \
98 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 98 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
99 if [ $? -ne 0 ]; then 99 if [ $? -ne 0 ]; then
100 fail "ssh cert connect failed" 100 fail "ssh cert connect failed"
@@ -103,7 +103,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
103 # authorized_principals with bad key option 103 # authorized_principals with bad key option
104 verbose "$tid: ${_prefix} authorized_principals bad key opt" 104 verbose "$tid: ${_prefix} authorized_principals bad key opt"
105 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER 105 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
106 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 106 ${SSH} -i $OBJ/cert_user_key_${ktype} \
107 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 107 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
108 if [ $? -eq 0 ]; then 108 if [ $? -eq 0 ]; then
109 fail "ssh cert connect succeeded unexpectedly" 109 fail "ssh cert connect succeeded unexpectedly"
@@ -113,7 +113,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
113 verbose "$tid: ${_prefix} authorized_principals command=false" 113 verbose "$tid: ${_prefix} authorized_principals command=false"
114 echo 'command="false" mekmitasdigoat' > \ 114 echo 'command="false" mekmitasdigoat' > \
115 $OBJ/authorized_principals_$USER 115 $OBJ/authorized_principals_$USER
116 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 116 ${SSH} -i $OBJ/cert_user_key_${ktype} \
117 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 117 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
118 if [ $? -eq 0 ]; then 118 if [ $? -eq 0 ]; then
119 fail "ssh cert connect succeeded unexpectedly" 119 fail "ssh cert connect succeeded unexpectedly"
@@ -124,7 +124,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
124 verbose "$tid: ${_prefix} authorized_principals command=true" 124 verbose "$tid: ${_prefix} authorized_principals command=true"
125 echo 'command="true" mekmitasdigoat' > \ 125 echo 'command="true" mekmitasdigoat' > \
126 $OBJ/authorized_principals_$USER 126 $OBJ/authorized_principals_$USER
127 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 127 ${SSH} -i $OBJ/cert_user_key_${ktype} \
128 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 128 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
129 if [ $? -ne 0 ]; then 129 if [ $? -ne 0 ]; then
130 fail "ssh cert connect failed" 130 fail "ssh cert connect failed"
@@ -148,7 +148,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
148 printf 'cert-authority,principals="gregorsamsa" ' 148 printf 'cert-authority,principals="gregorsamsa" '
149 cat $OBJ/user_ca_key.pub 149 cat $OBJ/user_ca_key.pub
150 ) > $OBJ/authorized_keys_$USER 150 ) > $OBJ/authorized_keys_$USER
151 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 151 ${SSH} -i $OBJ/cert_user_key_${ktype} \
152 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 152 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
153 if [ $? -eq 0 ]; then 153 if [ $? -eq 0 ]; then
154 fail "ssh cert connect succeeded unexpectedly" 154 fail "ssh cert connect succeeded unexpectedly"
@@ -160,7 +160,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
160 printf 'cert-authority,principals="mekmitasdigoat" ' 160 printf 'cert-authority,principals="mekmitasdigoat" '
161 cat $OBJ/user_ca_key.pub 161 cat $OBJ/user_ca_key.pub
162 ) > $OBJ/authorized_keys_$USER 162 ) > $OBJ/authorized_keys_$USER
163 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 163 ${SSH} -i $OBJ/cert_user_key_${ktype} \
164 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 164 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
165 if [ $? -ne 0 ]; then 165 if [ $? -ne 0 ]; then
166 fail "ssh cert connect failed" 166 fail "ssh cert connect failed"
@@ -198,7 +198,7 @@ basic_tests() {
198 echo "PubkeyAcceptedKeyTypes ${t}" 198 echo "PubkeyAcceptedKeyTypes ${t}"
199 ) > $OBJ/ssh_proxy 199 ) > $OBJ/ssh_proxy
200 200
201 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 201 ${SSH} -i $OBJ/cert_user_key_${ktype} \
202 -F $OBJ/ssh_proxy somehost true 202 -F $OBJ/ssh_proxy somehost true
203 if [ $? -ne 0 ]; then 203 if [ $? -ne 0 ]; then
204 fail "ssh cert connect failed" 204 fail "ssh cert connect failed"
@@ -215,7 +215,7 @@ basic_tests() {
215 ) > $OBJ/sshd_proxy 215 ) > $OBJ/sshd_proxy
216 cp $OBJ/cert_user_key_${ktype}.pub \ 216 cp $OBJ/cert_user_key_${ktype}.pub \
217 $OBJ/cert_user_key_revoked 217 $OBJ/cert_user_key_revoked
218 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 218 ${SSH} -i $OBJ/cert_user_key_${ktype} \
219 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 219 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
220 if [ $? -eq 0 ]; then 220 if [ $? -eq 0 ]; then
221 fail "ssh cert connect succeeded unexpecedly" 221 fail "ssh cert connect succeeded unexpecedly"
@@ -224,14 +224,14 @@ basic_tests() {
224 rm $OBJ/cert_user_key_revoked 224 rm $OBJ/cert_user_key_revoked
225 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \ 225 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
226 $OBJ/cert_user_key_${ktype}.pub 226 $OBJ/cert_user_key_${ktype}.pub
227 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 227 ${SSH} -i $OBJ/cert_user_key_${ktype} \
228 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 228 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
229 if [ $? -eq 0 ]; then 229 if [ $? -eq 0 ]; then
230 fail "ssh cert connect succeeded unexpecedly" 230 fail "ssh cert connect succeeded unexpecedly"
231 fi 231 fi
232 verbose "$tid: ${_prefix} empty KRL" 232 verbose "$tid: ${_prefix} empty KRL"
233 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked 233 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
234 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 234 ${SSH} -i $OBJ/cert_user_key_${ktype} \
235 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 235 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
236 if [ $? -ne 0 ]; then 236 if [ $? -ne 0 ]; then
237 fail "ssh cert connect failed" 237 fail "ssh cert connect failed"
@@ -246,7 +246,7 @@ basic_tests() {
246 echo "PubkeyAcceptedKeyTypes ${t}" 246 echo "PubkeyAcceptedKeyTypes ${t}"
247 echo "$extra_sshd" 247 echo "$extra_sshd"
248 ) > $OBJ/sshd_proxy 248 ) > $OBJ/sshd_proxy
249 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ 249 ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
250 somehost true >/dev/null 2>&1 250 somehost true >/dev/null 2>&1
251 if [ $? -eq 0 ]; then 251 if [ $? -eq 0 ]; then
252 fail "ssh cert connect succeeded unexpecedly" 252 fail "ssh cert connect succeeded unexpecedly"
@@ -260,7 +260,7 @@ basic_tests() {
260 echo "$extra_sshd" 260 echo "$extra_sshd"
261 ) > $OBJ/sshd_proxy 261 ) > $OBJ/sshd_proxy
262 verbose "$tid: ensure CA key does not authenticate user" 262 verbose "$tid: ensure CA key does not authenticate user"
263 ${SSH} -2i $OBJ/user_ca_key \ 263 ${SSH} -i $OBJ/user_ca_key \
264 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 264 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
265 if [ $? -eq 0 ]; then 265 if [ $? -eq 0 ]; then
266 fail "ssh cert connect with CA key succeeded unexpectedly" 266 fail "ssh cert connect with CA key succeeded unexpectedly"
@@ -307,7 +307,7 @@ test_one() {
307 $sign_opts $OBJ/cert_user_key_${ktype} || 307 $sign_opts $OBJ/cert_user_key_${ktype} ||
308 fail "couldn't sign cert_user_key_${ktype}" 308 fail "couldn't sign cert_user_key_${ktype}"
309 309
310 ${SSH} -2i $OBJ/cert_user_key_${ktype} \ 310 ${SSH} -i $OBJ/cert_user_key_${ktype} \
311 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 311 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
312 rc=$? 312 rc=$?
313 if [ "x$result" = "xsuccess" ] ; then 313 if [ "x$result" = "xsuccess" ] ; then
@@ -378,7 +378,7 @@ for ktype in $PLAIN_TYPES ; do
378 -n $USER $OBJ/cert_user_key_${ktype} || 378 -n $USER $OBJ/cert_user_key_${ktype} ||
379 fatal "couldn't sign cert_user_key_${ktype}" 379 fatal "couldn't sign cert_user_key_${ktype}"
380 verbose "$tid: user ${ktype} connect wrong cert" 380 verbose "$tid: user ${ktype} connect wrong cert"
381 ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ 381 ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
382 somehost true >/dev/null 2>&1 382 somehost true >/dev/null 2>&1
383 if [ $? -eq 0 ]; then 383 if [ $? -eq 0 ]; then
384 fail "ssh cert connect $ident succeeded unexpectedly" 384 fail "ssh cert connect $ident succeeded unexpectedly"
diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
index 056296398..2504d04f4 100644
--- a/regress/cfgmatch.sh
+++ b/regress/cfgmatch.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cfgmatch.sh,v 1.9 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: cfgmatch.sh,v 1.10 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="sshd_config match" 4tid="sshd_config match"
@@ -13,7 +13,7 @@ echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
13start_client() 13start_client()
14{ 14{
15 rm -f $pidfile 15 rm -f $pidfile
16 ${SSH} -q -$p $fwd "$@" somehost \ 16 ${SSH} -q $fwd "$@" somehost \
17 exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \ 17 exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
18 >>$TEST_REGRESS_LOGFILE 2>&1 & 18 >>$TEST_REGRESS_LOGFILE 2>&1 &
19 client_pid=$! 19 client_pid=$!
@@ -56,22 +56,18 @@ start_sshd
56#set -x 56#set -x
57 57
58# Test Match + PermitOpen in sshd_config. This should be permitted 58# Test Match + PermitOpen in sshd_config. This should be permitted
59for p in ${SSH_PROTOCOLS}; do 59trace "match permitopen localhost"
60 trace "match permitopen localhost proto $p" 60start_client -F $OBJ/ssh_config
61 start_client -F $OBJ/ssh_config 61${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
62 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ 62 fail "match permitopen permit"
63 fail "match permitopen permit proto $p" 63stop_client
64 stop_client
65done
66 64
67# Same but from different source. This should not be permitted 65# Same but from different source. This should not be permitted
68for p in ${SSH_PROTOCOLS}; do 66trace "match permitopen proxy"
69 trace "match permitopen proxy proto $p" 67start_client -F $OBJ/ssh_proxy
70 start_client -F $OBJ/ssh_proxy 68${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
71 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ 69 fail "match permitopen deny"
72 fail "match permitopen deny proto $p" 70stop_client
73 stop_client
74done
75 71
76# Retry previous with key option, should also be denied. 72# Retry previous with key option, should also be denied.
77cp /dev/null $OBJ/authorized_keys_$USER 73cp /dev/null $OBJ/authorized_keys_$USER
@@ -79,23 +75,19 @@ for t in ${SSH_KEYTYPES}; do
79 printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER 75 printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER
80 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER 76 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
81done 77done
82for p in ${SSH_PROTOCOLS}; do 78trace "match permitopen proxy w/key opts"
83 trace "match permitopen proxy w/key opts proto $p" 79start_client -F $OBJ/ssh_proxy
84 start_client -F $OBJ/ssh_proxy 80${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
85 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ 81 fail "match permitopen deny w/key opt"
86 fail "match permitopen deny w/key opt proto $p" 82stop_client
87 stop_client
88done
89 83
90# Test both sshd_config and key options permitting the same dst/port pair. 84# Test both sshd_config and key options permitting the same dst/port pair.
91# Should be permitted. 85# Should be permitted.
92for p in ${SSH_PROTOCOLS}; do 86trace "match permitopen localhost"
93 trace "match permitopen localhost proto $p" 87start_client -F $OBJ/ssh_config
94 start_client -F $OBJ/ssh_config 88${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
95 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ 89 fail "match permitopen permit"
96 fail "match permitopen permit proto $p" 90stop_client
97 stop_client
98done
99 91
100cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy 92cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
101echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy 93echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
@@ -103,13 +95,11 @@ echo "Match User $USER" >>$OBJ/sshd_proxy
103echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy 95echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
104 96
105# Test that a Match overrides a PermitOpen in the global section 97# Test that a Match overrides a PermitOpen in the global section
106for p in ${SSH_PROTOCOLS}; do 98trace "match permitopen proxy w/key opts"
107 trace "match permitopen proxy w/key opts proto $p" 99start_client -F $OBJ/ssh_proxy
108 start_client -F $OBJ/ssh_proxy 100${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
109 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ 101 fail "match override permitopen"
110 fail "match override permitopen proto $p" 102stop_client
111 stop_client
112done
113 103
114cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy 104cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
115echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy 105echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
@@ -118,10 +108,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
118 108
119# Test that a rule that doesn't match doesn't override, plus test a 109# Test that a rule that doesn't match doesn't override, plus test a
120# PermitOpen entry that's not at the start of the list 110# PermitOpen entry that's not at the start of the list
121for p in ${SSH_PROTOCOLS}; do 111trace "nomatch permitopen proxy w/key opts"
122 trace "nomatch permitopen proxy w/key opts proto $p" 112start_client -F $OBJ/ssh_proxy
123 start_client -F $OBJ/ssh_proxy 113${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
124 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ 114 fail "nomatch override permitopen"
125 fail "nomatch override permitopen proto $p" 115stop_client
126 stop_client
127done
diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh
index 575dc2341..5da95b3a9 100644
--- a/regress/cipher-speed.sh
+++ b/regress/cipher-speed.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cipher-speed.sh,v 1.13 2015/03/24 20:22:17 markus Exp $ 1# $OpenBSD: cipher-speed.sh,v 1.14 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="cipher speed" 4tid="cipher speed"
@@ -12,16 +12,16 @@ getbytes ()
12tries="1 2" 12tries="1 2"
13 13
14for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do 14for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do
15 trace "proto 2 cipher $c mac $m" 15 trace "cipher $c mac $m"
16 for x in $tries; do 16 for x in $tries; do
17 printf "%-60s" "$c/$m:" 17 printf "%-60s" "$c/$m:"
18 ( ${SSH} -o 'compression no' \ 18 ( ${SSH} -o 'compression no' \
19 -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \ 19 -F $OBJ/ssh_proxy -m $m -c $c somehost \
20 exec sh -c \'"dd of=/dev/null obs=32k"\' \ 20 exec sh -c \'"dd of=/dev/null obs=32k"\' \
21 < ${DATA} ) 2>&1 | getbytes 21 < ${DATA} ) 2>&1 | getbytes
22 22
23 if [ $? -ne 0 ]; then 23 if [ $? -ne 0 ]; then
24 fail "ssh -2 failed with mac $m cipher $c" 24 fail "ssh failed with mac $m cipher $c"
25 fi 25 fi
26 done 26 done
27 # No point trying all MACs for AEAD ciphers since they are ignored. 27 # No point trying all MACs for AEAD ciphers since they are ignored.
@@ -30,22 +30,3 @@ for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do
30 fi 30 fi
31 n=`expr $n + 1` 31 n=`expr $n + 1`
32done; done 32done; done
33
34if ssh_version 1; then
35 ciphers="3des blowfish"
36else
37 ciphers=""
38fi
39for c in $ciphers; do
40 trace "proto 1 cipher $c"
41 for x in $tries; do
42 printf "%-60s" "$c:"
43 ( ${SSH} -o 'compression no' \
44 -F $OBJ/ssh_proxy -1 -c $c somehost \
45 exec sh -c \'"dd of=/dev/null obs=32k"\' \
46 < ${DATA} ) 2>&1 | getbytes
47 if [ $? -ne 0 ]; then
48 fail "ssh -1 failed with cipher $c"
49 fi
50 done
51done
diff --git a/regress/connect-privsep.sh b/regress/connect-privsep.sh
index 81cedc7e5..b6abb65e3 100644
--- a/regress/connect-privsep.sh
+++ b/regress/connect-privsep.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: connect-privsep.sh,v 1.8 2016/11/01 13:43:27 tb Exp $ 1# $OpenBSD: connect-privsep.sh,v 1.9 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="proxy connect with privsep" 4tid="proxy connect with privsep"
@@ -6,23 +6,19 @@ tid="proxy connect with privsep"
6cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig 6cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
7echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy 7echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy
8 8
9for p in ${SSH_PROTOCOLS}; do 9${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
10 ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true 10if [ $? -ne 0 ]; then
11 if [ $? -ne 0 ]; then 11 fail "ssh privsep+proxyconnect failed"
12 fail "ssh privsep+proxyconnect protocol $p failed" 12fi
13 fi
14done
15 13
16cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy 14cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
17echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy 15echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy
18 16
19for p in ${SSH_PROTOCOLS}; do 17${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
20 ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true 18if [ $? -ne 0 ]; then
21 if [ $? -ne 0 ]; then 19 # XXX replace this with fail once sandbox has stabilised
22 # XXX replace this with fail once sandbox has stabilised 20 warn "ssh privsep/sandbox+proxyconnect failed"
23 warn "ssh privsep/sandbox+proxyconnect protocol $p failed" 21fi
24 fi
25done
26 22
27# Because sandbox is sensitive to changes in libc, especially malloc, retest 23# Because sandbox is sensitive to changes in libc, especially malloc, retest
28# with every malloc.conf option (and none). 24# with every malloc.conf option (and none).
@@ -32,10 +28,8 @@ else
32 mopts=`echo $TEST_MALLOC_OPTIONS | sed 's/./& /g'` 28 mopts=`echo $TEST_MALLOC_OPTIONS | sed 's/./& /g'`
33fi 29fi
34for m in '' $mopts ; do 30for m in '' $mopts ; do
35 for p in ${SSH_PROTOCOLS}; do 31 env MALLOC_OPTIONS="$m" ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
36 env MALLOC_OPTIONS="$m" ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
37 if [ $? -ne 0 ]; then 32 if [ $? -ne 0 ]; then
38 fail "ssh privsep/sandbox+proxyconnect protocol $p mopt '$m' failed" 33 fail "ssh privsep/sandbox+proxyconnect mopt '$m' failed"
39 fi 34 fi
40 done
41done 35done
diff --git a/regress/connect.sh b/regress/connect.sh
index f0d55d343..1b344b603 100644
--- a/regress/connect.sh
+++ b/regress/connect.sh
@@ -1,13 +1,11 @@
1# $OpenBSD: connect.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: connect.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="simple connect" 4tid="simple connect"
5 5
6start_sshd 6start_sshd
7 7
8for p in ${SSH_PROTOCOLS}; do 8${SSH} -F $OBJ/ssh_config somehost true
9 ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true 9if [ $? -ne 0 ]; then
10 if [ $? -ne 0 ]; then 10 fail "ssh connect with failed"
11 fail "ssh connect with protocol $p failed" 11fi
12 fi
13done
diff --git a/regress/dhgex.sh b/regress/dhgex.sh
index e7c573397..61fc178e8 100644
--- a/regress/dhgex.sh
+++ b/regress/dhgex.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: dhgex.sh,v 1.3 2015/10/23 02:22:01 dtucker Exp $ 1# $OpenBSD: dhgex.sh,v 1.4 2017/05/08 01:52:49 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="dhgex" 4tid="dhgex"
@@ -54,7 +54,6 @@ check()
54 54
55#check 2048 3des-cbc 55#check 2048 3des-cbc
56check 3072 `${SSH} -Q cipher | grep 128` 56check 3072 `${SSH} -Q cipher | grep 128`
57check 3072 arcfour blowfish-cbc
58check 7680 `${SSH} -Q cipher | grep 192` 57check 7680 `${SSH} -Q cipher | grep 192`
59check 8192 `${SSH} -Q cipher | grep 256` 58check 8192 `${SSH} -Q cipher | grep 256`
60check 8192 rijndael-cbc@lysator.liu.se chacha20-poly1305@openssh.com 59check 8192 rijndael-cbc@lysator.liu.se chacha20-poly1305@openssh.com
diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh
index dd67c9639..84f8ee192 100644
--- a/regress/dynamic-forward.sh
+++ b/regress/dynamic-forward.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: dynamic-forward.sh,v 1.11 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: dynamic-forward.sh,v 1.13 2017/09/21 19:18:12 markus Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="dynamic forwarding" 4tid="dynamic forwarding"
@@ -17,33 +17,34 @@ trace "will use ProxyCommand $proxycmd"
17 17
18start_sshd 18start_sshd
19 19
20for p in ${SSH_PROTOCOLS}; do 20for d in D R; do
21 n=0 21 n=0
22 error="1" 22 error="1"
23 trace "start dynamic forwarding, fork to background" 23 trace "start dynamic forwarding, fork to background"
24
24 while [ "$error" -ne 0 -a "$n" -lt 3 ]; do 25 while [ "$error" -ne 0 -a "$n" -lt 3 ]; do
25 n=`expr $n + 1` 26 n=`expr $n + 1`
26 ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \ 27 ${SSH} -F $OBJ/ssh_config -f -$d $FWDPORT -q \
27 -oExitOnForwardFailure=yes somehost exec sh -c \ 28 -oExitOnForwardFailure=yes somehost exec sh -c \
28 \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' 29 \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
29 error=$? 30 error=$?
30 if [ "$error" -ne 0 ]; then 31 if [ "$error" -ne 0 ]; then
31 trace "forward failed proto $p attempt $n err $error" 32 trace "forward failed attempt $n err $error"
32 sleep $n 33 sleep $n
33 fi 34 fi
34 done 35 done
35 if [ "$error" -ne 0 ]; then 36 if [ "$error" -ne 0 ]; then
36 fatal "failed to start dynamic forwarding proto $p" 37 fatal "failed to start dynamic forwarding"
37 fi 38 fi
38 39
39 for s in 4 5; do 40 for s in 4 5; do
40 for h in 127.0.0.1 localhost; do 41 for h in 127.0.0.1 localhost; do
41 trace "testing ssh protocol $p socks version $s host $h" 42 trace "testing ssh socks version $s host $h (-$d)"
42 ${SSH} -F $OBJ/ssh_config \ 43 ${SSH} -F $OBJ/ssh_config \
43 -o "ProxyCommand ${proxycmd}${s} $h $PORT" \ 44 -o "ProxyCommand ${proxycmd}${s} $h $PORT" \
44 somehost cat $DATA > $OBJ/ls.copy 45 somehost cat ${DATA} > ${COPY}
45 test -f $OBJ/ls.copy || fail "failed copy $DATA" 46 test -f ${COPY} || fail "failed copy ${DATA}"
46 cmp $DATA $OBJ/ls.copy || fail "corrupted copy of $DATA" 47 cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
47 done 48 done
48 done 49 done
49 50
@@ -56,4 +57,5 @@ for p in ${SSH_PROTOCOLS}; do
56 else 57 else
57 fail "no pid file: $OBJ/remote_pid" 58 fail "no pid file: $OBJ/remote_pid"
58 fi 59 fi
60
59done 61done
diff --git a/regress/exit-status.sh b/regress/exit-status.sh
index 397d8d732..aadf99fb3 100644
--- a/regress/exit-status.sh
+++ b/regress/exit-status.sh
@@ -1,24 +1,22 @@
1# $OpenBSD: exit-status.sh,v 1.7 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: exit-status.sh,v 1.8 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="remote exit status" 4tid="remote exit status"
5 5
6for p in ${SSH_PROTOCOLS}; do 6for s in 0 1 4 5 44; do
7 for s in 0 1 4 5 44; do 7 trace "status $s"
8 trace "proto $p status $s" 8 verbose "test $tid: status $s"
9 verbose "test $tid: proto $p status $s" 9 ${SSH} -F $OBJ/ssh_proxy otherhost exit $s
10 ${SSH} -$p -F $OBJ/ssh_proxy otherhost exit $s 10 r=$?
11 r=$? 11 if [ $r -ne $s ]; then
12 if [ $r -ne $s ]; then 12 fail "exit code mismatch for: $r != $s"
13 fail "exit code mismatch for protocol $p: $r != $s" 13 fi
14 fi
15 14
16 # same with early close of stdout/err 15 # same with early close of stdout/err
17 ${SSH} -$p -F $OBJ/ssh_proxy -n otherhost \ 16 ${SSH} -F $OBJ/ssh_proxy -n otherhost exec \
18 exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\' 17 sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
19 r=$? 18 r=$?
20 if [ $r -ne $s ]; then 19 if [ $r -ne $s ]; then
21 fail "exit code (with sleep) mismatch for protocol $p: $r != $s" 20 fail "exit code (with sleep) mismatch for: $r != $s"
22 fi 21 fi
23 done
24done 22done
diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh
index 8a9b090ea..e059f1fdb 100644
--- a/regress/forcecommand.sh
+++ b/regress/forcecommand.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: forcecommand.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: forcecommand.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="forced command" 4tid="forced command"
@@ -11,11 +11,8 @@ for t in ${SSH_KEYTYPES}; do
11 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER 11 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
12done 12done
13 13
14for p in ${SSH_PROTOCOLS}; do 14trace "forced command in key option"
15 trace "forced command in key option proto $p" 15${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key"
16 ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
17 fail "forced command in key proto $p"
18done
19 16
20cp /dev/null $OBJ/authorized_keys_$USER 17cp /dev/null $OBJ/authorized_keys_$USER
21for t in ${SSH_KEYTYPES}; do 18for t in ${SSH_KEYTYPES}; do
@@ -26,19 +23,13 @@ done
26cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy 23cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
27echo "ForceCommand true" >> $OBJ/sshd_proxy 24echo "ForceCommand true" >> $OBJ/sshd_proxy
28 25
29for p in ${SSH_PROTOCOLS}; do 26trace "forced command in sshd_config overrides key option"
30 trace "forced command in sshd_config overrides key option proto $p" 27${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key"
31 ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
32 fail "forced command in key proto $p"
33done
34 28
35cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy 29cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
36echo "ForceCommand false" >> $OBJ/sshd_proxy 30echo "ForceCommand false" >> $OBJ/sshd_proxy
37echo "Match User $USER" >> $OBJ/sshd_proxy 31echo "Match User $USER" >> $OBJ/sshd_proxy
38echo " ForceCommand true" >> $OBJ/sshd_proxy 32echo " ForceCommand true" >> $OBJ/sshd_proxy
39 33
40for p in ${SSH_PROTOCOLS}; do 34trace "forced command with match"
41 trace "forced command with match proto $p" 35${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key"
42 ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
43 fail "forced command in key proto $p"
44done
diff --git a/regress/forward-control.sh b/regress/forward-control.sh
index 91957098f..2e9dbb53a 100644
--- a/regress/forward-control.sh
+++ b/regress/forward-control.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: forward-control.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: forward-control.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="sshd control of local and remote forwarding" 4tid="sshd control of local and remote forwarding"
@@ -32,13 +32,12 @@ wait_for_process_to_exit() {
32 return 0 32 return 0
33} 33}
34 34
35# usage: check_lfwd protocol Y|N message 35# usage: check_lfwd Y|N message
36check_lfwd() { 36check_lfwd() {
37 _proto=$1 37 _expected=$1
38 _expected=$2 38 _message=$2
39 _message=$3
40 rm -f $READY 39 rm -f $READY
41 ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \ 40 ${SSH} -F $OBJ/ssh_proxy \
42 -L$LFWD_PORT:127.0.0.1:$PORT \ 41 -L$LFWD_PORT:127.0.0.1:$PORT \
43 -o ExitOnForwardFailure=yes \ 42 -o ExitOnForwardFailure=yes \
44 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ 43 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
@@ -62,13 +61,12 @@ check_lfwd() {
62 fi 61 fi
63} 62}
64 63
65# usage: check_rfwd protocol Y|N message 64# usage: check_rfwd Y|N message
66check_rfwd() { 65check_rfwd() {
67 _proto=$1 66 _expected=$1
68 _expected=$2 67 _message=$2
69 _message=$3
70 rm -f $READY 68 rm -f $READY
71 ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \ 69 ${SSH} -F $OBJ/ssh_proxy \
72 -R$RFWD_PORT:127.0.0.1:$PORT \ 70 -R$RFWD_PORT:127.0.0.1:$PORT \
73 -o ExitOnForwardFailure=yes \ 71 -o ExitOnForwardFailure=yes \
74 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ 72 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
@@ -99,10 +97,8 @@ cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
99cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak 97cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
100 98
101# Sanity check: ensure the default config allows forwarding 99# Sanity check: ensure the default config allows forwarding
102for p in ${SSH_PROTOCOLS} ; do 100check_lfwd Y "default configuration"
103 check_lfwd $p Y "proto $p, default configuration" 101check_rfwd Y "default configuration"
104 check_rfwd $p Y "proto $p, default configuration"
105done
106 102
107# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N 103# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
108all_tests() { 104all_tests() {
@@ -115,49 +111,46 @@ all_tests() {
115 _permit_rfwd=$7 111 _permit_rfwd=$7
116 _badfwd=127.0.0.1:22 112 _badfwd=127.0.0.1:22
117 _goodfwd=127.0.0.1:${PORT} 113 _goodfwd=127.0.0.1:${PORT}
118 for _proto in ${SSH_PROTOCOLS} ; do 114 cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
119 cp ${OBJ}/authorized_keys_${USER}.bak \ 115 _prefix="AllowTcpForwarding=$_tcpfwd"
120 ${OBJ}/authorized_keys_${USER} 116 # No PermitOpen
121 _prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd" 117 ( cat ${OBJ}/sshd_proxy.bak ;
122 # No PermitOpen 118 echo "AllowTcpForwarding $_tcpfwd" ) \
123 ( cat ${OBJ}/sshd_proxy.bak ; 119 > ${OBJ}/sshd_proxy
124 echo "AllowTcpForwarding $_tcpfwd" ) \ 120 check_lfwd $_plain_lfwd "$_prefix"
125 > ${OBJ}/sshd_proxy 121 check_rfwd $_plain_rfwd "$_prefix"
126 check_lfwd $_proto $_plain_lfwd "$_prefix" 122 # PermitOpen via sshd_config that doesn't match
127 check_rfwd $_proto $_plain_rfwd "$_prefix" 123 ( cat ${OBJ}/sshd_proxy.bak ;
128 # PermitOpen via sshd_config that doesn't match 124 echo "AllowTcpForwarding $_tcpfwd" ;
129 ( cat ${OBJ}/sshd_proxy.bak ; 125 echo "PermitOpen $_badfwd" ) \
130 echo "AllowTcpForwarding $_tcpfwd" ; 126 > ${OBJ}/sshd_proxy
131 echo "PermitOpen $_badfwd" ) \ 127 check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen"
132 > ${OBJ}/sshd_proxy 128 check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen"
133 check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen" 129 # PermitOpen via sshd_config that does match
134 check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen" 130 ( cat ${OBJ}/sshd_proxy.bak ;
135 # PermitOpen via sshd_config that does match 131 echo "AllowTcpForwarding $_tcpfwd" ;
136 ( cat ${OBJ}/sshd_proxy.bak ; 132 echo "PermitOpen $_badfwd $_goodfwd" ) \
137 echo "AllowTcpForwarding $_tcpfwd" ; 133 > ${OBJ}/sshd_proxy
138 echo "PermitOpen $_badfwd $_goodfwd" ) \ 134 # NB. permitopen via authorized_keys should have same
139 > ${OBJ}/sshd_proxy 135 # success/fail as via sshd_config
140 # NB. permitopen via authorized_keys should have same 136 # permitopen via authorized_keys that doesn't match
141 # success/fail as via sshd_config 137 sed "s/^/permitopen=\"$_badfwd\" /" \
142 # permitopen via authorized_keys that doesn't match 138 < ${OBJ}/authorized_keys_${USER}.bak \
143 sed "s/^/permitopen=\"$_badfwd\" /" \ 139 > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
144 < ${OBJ}/authorized_keys_${USER}.bak \ 140 ( cat ${OBJ}/sshd_proxy.bak ;
145 > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" 141 echo "AllowTcpForwarding $_tcpfwd" ) \
146 ( cat ${OBJ}/sshd_proxy.bak ; 142 > ${OBJ}/sshd_proxy
147 echo "AllowTcpForwarding $_tcpfwd" ) \ 143 check_lfwd $_nopermit_lfwd "$_prefix, !permitopen"
148 > ${OBJ}/sshd_proxy 144 check_rfwd $_nopermit_rfwd "$_prefix, !permitopen"
149 check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen" 145 # permitopen via authorized_keys that does match
150 check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen" 146 sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
151 # permitopen via authorized_keys that does match 147 < ${OBJ}/authorized_keys_${USER}.bak \
152 sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \ 148 > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
153 < ${OBJ}/authorized_keys_${USER}.bak \ 149 ( cat ${OBJ}/sshd_proxy.bak ;
154 > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" 150 echo "AllowTcpForwarding $_tcpfwd" ) \
155 ( cat ${OBJ}/sshd_proxy.bak ; 151 > ${OBJ}/sshd_proxy
156 echo "AllowTcpForwarding $_tcpfwd" ) \ 152 check_lfwd $_permit_lfwd "$_prefix, permitopen"
157 > ${OBJ}/sshd_proxy 153 check_rfwd $_permit_rfwd "$_prefix, permitopen"
158 check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen"
159 check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen"
160 done
161} 154}
162 155
163# no-permitopen mismatch-permitopen match-permitopen 156# no-permitopen mismatch-permitopen match-permitopen
diff --git a/regress/forwarding.sh b/regress/forwarding.sh
index 45c596d7d..39fccba73 100644
--- a/regress/forwarding.sh
+++ b/regress/forwarding.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: forwarding.sh,v 1.19 2017/01/30 05:22:14 djm Exp $ 1# $OpenBSD: forwarding.sh,v 1.20 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="local and remote forwarding" 4tid="local and remote forwarding"
@@ -22,30 +22,24 @@ for j in 0 1 2; do
22 last=$a 22 last=$a
23 done 23 done
24done 24done
25for p in ${SSH_PROTOCOLS}; do
26 q=`expr 3 - $p`
27 if ! ssh_version $q; then
28 q=$p
29 fi
30 trace "start forwarding, fork to background"
31 rm -f $CTL
32 ${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10
33 25
34 trace "transfer over forwarded channels and check result" 26trace "start forwarding, fork to background"
35 ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \ 27rm -f $CTL
36 somehost cat ${DATA} > ${COPY} 28${SSH} -S $CTL -M -F $OBJ/ssh_config -f $fwd somehost sleep 10
37 test -s ${COPY} || fail "failed copy of ${DATA}"
38 cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
39 29
40 ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost 30trace "transfer over forwarded channels and check result"
41done 31${SSH} -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
32 somehost cat ${DATA} > ${COPY}
33test -s ${COPY} || fail "failed copy of ${DATA}"
34cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
35
36${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
42 37
43for p in ${SSH_PROTOCOLS}; do
44for d in L R; do 38for d in L R; do
45 trace "exit on -$d forward failure, proto $p" 39 trace "exit on -$d forward failure"
46 40
47 # this one should succeed 41 # this one should succeed
48 ${SSH} -$p -F $OBJ/ssh_config \ 42 ${SSH} -F $OBJ/ssh_config \
49 -$d ${base}01:127.0.0.1:$PORT \ 43 -$d ${base}01:127.0.0.1:$PORT \
50 -$d ${base}02:127.0.0.1:$PORT \ 44 -$d ${base}02:127.0.0.1:$PORT \
51 -$d ${base}03:127.0.0.1:$PORT \ 45 -$d ${base}03:127.0.0.1:$PORT \
@@ -55,7 +49,7 @@ for d in L R; do
55 fatal "connection failed, should not" 49 fatal "connection failed, should not"
56 else 50 else
57 # this one should fail 51 # this one should fail
58 ${SSH} -q -$p -F $OBJ/ssh_config \ 52 ${SSH} -q -F $OBJ/ssh_config \
59 -$d ${base}01:127.0.0.1:$PORT \ 53 -$d ${base}01:127.0.0.1:$PORT \
60 -$d ${base}02:127.0.0.1:$PORT \ 54 -$d ${base}02:127.0.0.1:$PORT \
61 -$d ${base}03:127.0.0.1:$PORT \ 55 -$d ${base}03:127.0.0.1:$PORT \
@@ -68,82 +62,74 @@ for d in L R; do
68 fi 62 fi
69 fi 63 fi
70done 64done
71done
72 65
73for p in ${SSH_PROTOCOLS}; do 66trace "simple clear forwarding"
74 trace "simple clear forwarding proto $p" 67${SSH} -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
75 ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true 68
76 69trace "clear local forward"
77 trace "clear local forward proto $p" 70rm -f $CTL
78 rm -f $CTL 71${SSH} -S $CTL -M -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
79 ${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \ 72 -oClearAllForwardings=yes somehost sleep 10
80 -oClearAllForwardings=yes somehost sleep 10 73if [ $? != 0 ]; then
81 if [ $? != 0 ]; then 74 fail "connection failed with cleared local forwarding"
82 fail "connection failed with cleared local forwarding" 75else
83 else 76 # this one should fail
84 # this one should fail 77 ${SSH} -F $OBJ/ssh_config -p ${base}01 somehost true \
85 ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 somehost true \ 78 >>$TEST_REGRESS_LOGFILE 2>&1 && \
86 >>$TEST_REGRESS_LOGFILE 2>&1 && \ 79 fail "local forwarding not cleared"
87 fail "local forwarding not cleared" 80fi
88 fi 81${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
89 ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost 82
90 83trace "clear remote forward"
91 trace "clear remote forward proto $p" 84rm -f $CTL
92 rm -f $CTL 85${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
93 ${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \ 86 -oClearAllForwardings=yes somehost sleep 10
94 -oClearAllForwardings=yes somehost sleep 10 87if [ $? != 0 ]; then
95 if [ $? != 0 ]; then 88 fail "connection failed with cleared remote forwarding"
96 fail "connection failed with cleared remote forwarding" 89else
97 else 90 # this one should fail
98 # this one should fail 91 ${SSH} -F $OBJ/ssh_config -p ${base}01 somehost true \
99 ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 somehost true \ 92 >>$TEST_REGRESS_LOGFILE 2>&1 && \
100 >>$TEST_REGRESS_LOGFILE 2>&1 && \ 93 fail "remote forwarding not cleared"
101 fail "remote forwarding not cleared" 94fi
102 fi 95${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
103 ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost 96
104done 97trace "stdio forwarding"
105 98cmd="${SSH} -F $OBJ/ssh_config"
106for p in 2; do 99$cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" somehost true
107 trace "stdio forwarding proto $p" 100if [ $? != 0 ]; then
108 cmd="${SSH} -$p -F $OBJ/ssh_config" 101 fail "stdio forwarding"
109 $cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" \ 102fi
110 somehost true
111 if [ $? != 0 ]; then
112 fail "stdio forwarding proto $p"
113 fi
114done
115 103
116echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config 104echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config
117echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config 105echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config
118for p in ${SSH_PROTOCOLS}; do
119 trace "config file: start forwarding, fork to background"
120 rm -f $CTL
121 ${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f somehost sleep 10
122
123 trace "config file: transfer over forwarded channels and check result"
124 ${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \
125 somehost cat ${DATA} > ${COPY}
126 test -s ${COPY} || fail "failed copy of ${DATA}"
127 cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
128
129 ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
130done
131 106
132for p in 2; do 107trace "config file: start forwarding, fork to background"
133 trace "transfer over chained unix domain socket forwards and check result" 108rm -f $CTL
134 rm -f $OBJ/unix-[123].fwd 109${SSH} -S $CTL -M -F $OBJ/ssh_config -f somehost sleep 10
135 rm -f $CTL $CTL.[123] 110
136 ${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10 111trace "config file: transfer over forwarded channels and check result"
137 ${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10 112${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \
138 ${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10 113 somehost cat ${DATA} > ${COPY}
139 ${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10 114test -s ${COPY} || fail "failed copy of ${DATA}"
140 ${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \ 115cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
141 somehost cat ${DATA} > ${COPY} 116
142 test -s ${COPY} || fail "failed copy ${DATA}" 117${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
143 cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" 118
144 119trace "transfer over chained unix domain socket forwards and check result"
145 ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost 120rm -f $OBJ/unix-[123].fwd
146 ${SSH} -F $OBJ/ssh_config -S $CTL.1 -O exit somehost 121rm -f $CTL $CTL.[123]
147 ${SSH} -F $OBJ/ssh_config -S $CTL.2 -O exit somehost 122${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10
148 ${SSH} -F $OBJ/ssh_config -S $CTL.3 -O exit somehost 123${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10
149done 124${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10
125${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10
126${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \
127 somehost cat ${DATA} > ${COPY}
128test -s ${COPY} || fail "failed copy ${DATA}"
129cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
130
131${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
132${SSH} -F $OBJ/ssh_config -S $CTL.1 -O exit somehost
133${SSH} -F $OBJ/ssh_config -S $CTL.2 -O exit somehost
134${SSH} -F $OBJ/ssh_config -S $CTL.3 -O exit somehost
135
diff --git a/regress/host-expand.sh b/regress/host-expand.sh
index 2a95bfe1b..9444f7fb6 100644
--- a/regress/host-expand.sh
+++ b/regress/host-expand.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: host-expand.sh,v 1.4 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: host-expand.sh,v 1.5 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="expand %h and %n" 4tid="expand %h and %n"
@@ -11,9 +11,6 @@ somehost
11127.0.0.1 11127.0.0.1
12EOE 12EOE
13 13
14for p in ${SSH_PROTOCOLS}; do 14${SSH} -F $OBJ/ssh_proxy somehost true >$OBJ/actual
15 verbose "test $tid: proto $p" 15diff $OBJ/expect $OBJ/actual || fail "$tid"
16 ${SSH} -F $OBJ/ssh_proxy -$p somehost true >$OBJ/actual
17 diff $OBJ/expect $OBJ/actual || fail "$tid proto $p"
18done
19 16
diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh
index 094700da6..811b6b9ab 100644
--- a/regress/hostkey-agent.sh
+++ b/regress/hostkey-agent.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: hostkey-agent.sh,v 1.6 2015/07/10 06:23:25 markus Exp $ 1# $OpenBSD: hostkey-agent.sh,v 1.7 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="hostkey agent" 4tid="hostkey agent"
@@ -40,7 +40,7 @@ for ps in no yes; do
40 cp $OBJ/known_hosts.orig $OBJ/known_hosts 40 cp $OBJ/known_hosts.orig $OBJ/known_hosts
41 SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'` 41 SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
42 if [ $? -ne 0 ]; then 42 if [ $? -ne 0 ]; then
43 fail "protocol $p privsep=$ps failed" 43 fail "privsep=$ps failed"
44 fi 44 fi
45 if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then 45 if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
46 fail "bad SSH_CONNECTION key type $k privsep=$ps" 46 fail "bad SSH_CONNECTION key type $k privsep=$ps"
diff --git a/regress/integrity.sh b/regress/integrity.sh
index 1df2924f5..3eda40f0a 100644
--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: integrity.sh,v 1.20 2017/01/06 02:26:10 dtucker Exp $ 1# $OpenBSD: integrity.sh,v 1.23 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="integrity" 4tid="integrity"
@@ -46,7 +46,7 @@ for m in $macs; do
46 macopt="-m $m -c aes128-ctr" 46 macopt="-m $m -c aes128-ctr"
47 fi 47 fi
48 verbose "test $tid: $m @$off" 48 verbose "test $tid: $m @$off"
49 ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ 49 ${SSH} $macopt -F $OBJ/ssh_proxy -o "$pxy" \
50 -oServerAliveInterval=1 -oServerAliveCountMax=30 \ 50 -oServerAliveInterval=1 -oServerAliveCountMax=30 \
51 999.999.999.999 'printf "%4096s" " "' >/dev/null 51 999.999.999.999 'printf "%4096s" " "' >/dev/null
52 if [ $? -eq 0 ]; then 52 if [ $? -eq 0 ]; then
@@ -60,14 +60,16 @@ for m in $macs; do
60 Corrupted?MAC* | *message?authentication?code?incorrect*) 60 Corrupted?MAC* | *message?authentication?code?incorrect*)
61 emac=`expr $emac + 1`; skip=0;; 61 emac=`expr $emac + 1`; skip=0;;
62 padding*) epad=`expr $epad + 1`; skip=0;; 62 padding*) epad=`expr $epad + 1`; skip=0;;
63 *Timeout,?server*)
64 etmo=`expr $etmo + 1`; skip=0;;
63 *) fail "unexpected error mac $m at $off: $out";; 65 *) fail "unexpected error mac $m at $off: $out";;
64 esac 66 esac
65 done 67 done
66 verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen" 68 verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen timeout $etmo"
67 if [ $emac -eq 0 ]; then 69 if [ $emac -eq 0 ]; then
68 fail "$m: no mac errors" 70 fail "$m: no mac errors"
69 fi 71 fi
70 expect=`expr $ecnt - $epad - $elen` 72 expect=`expr $ecnt - $epad - $elen - $etmo`
71 if [ $emac -ne $expect ]; then 73 if [ $emac -ne $expect ]; then
72 fail "$m: expected $expect mac errors, got $emac" 74 fail "$m: expected $expect mac errors, got $emac"
73 fi 75 fi
diff --git a/regress/key-options.sh b/regress/key-options.sh
index 7a68ad358..2adee6833 100644
--- a/regress/key-options.sh
+++ b/regress/key-options.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: key-options.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: key-options.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="key options" 4tid="key options"
@@ -8,64 +8,56 @@ authkeys="$OBJ/authorized_keys_${USER}"
8cp $authkeys $origkeys 8cp $authkeys $origkeys
9 9
10# Test command= forced command 10# Test command= forced command
11for p in ${SSH_PROTOCOLS}; do 11for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
12 for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
13 sed "s/.*/$c &/" $origkeys >$authkeys 12 sed "s/.*/$c &/" $origkeys >$authkeys
14 verbose "key option proto $p $c" 13 verbose "key option $c"
15 r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost echo foo` 14 r=`${SSH} -q -F $OBJ/ssh_proxy somehost echo foo`
16 if [ "$r" = "foo" ]; then 15 if [ "$r" = "foo" ]; then
17 fail "key option forced command not restricted" 16 fail "key option forced command not restricted"
18 fi 17 fi
19 if [ "$r" != "bar" ]; then 18 if [ "$r" != "bar" ]; then
20 fail "key option forced command not executed" 19 fail "key option forced command not executed"
21 fi 20 fi
22 done
23done 21done
24 22
25# Test no-pty 23# Test no-pty
26sed 's/.*/no-pty &/' $origkeys >$authkeys 24sed 's/.*/no-pty &/' $origkeys >$authkeys
27for p in ${SSH_PROTOCOLS}; do 25verbose "key option proto no-pty"
28 verbose "key option proto $p no-pty" 26r=`${SSH} -q -F $OBJ/ssh_proxy somehost tty`
29 r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost tty` 27if [ -f "$r" ]; then
30 if [ -f "$r" ]; then 28 fail "key option failed no-pty (pty $r)"
31 fail "key option failed proto $p no-pty (pty $r)" 29fi
32 fi
33done
34 30
35# Test environment= 31# Test environment=
36echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy 32echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
37sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys 33sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys
38for p in ${SSH_PROTOCOLS}; do 34verbose "key option environment"
39 verbose "key option proto $p environment" 35r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo $FOO'`
40 r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo $FOO'` 36if [ "$r" != "bar" ]; then
41 if [ "$r" != "bar" ]; then 37 fail "key option environment not set"
42 fail "key option environment not set" 38fi
43 fi
44done
45 39
46# Test from= restriction 40# Test from= restriction
47start_sshd 41start_sshd
48for p in ${SSH_PROTOCOLS}; do 42for f in 127.0.0.1 '127.0.0.0\/8'; do
49 for f in 127.0.0.1 '127.0.0.0\/8'; do
50 cat $origkeys >$authkeys 43 cat $origkeys >$authkeys
51 ${SSH} -$p -q -F $OBJ/ssh_proxy somehost true 44 ${SSH} -q -F $OBJ/ssh_proxy somehost true
52 if [ $? -ne 0 ]; then 45 if [ $? -ne 0 ]; then
53 fail "key option proto $p failed without restriction" 46 fail "key option failed without restriction"
54 fi 47 fi
55 48
56 sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys 49 sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
57 from=`head -1 $authkeys | cut -f1 -d ' '` 50 from=`head -1 $authkeys | cut -f1 -d ' '`
58 verbose "key option proto $p $from" 51 verbose "key option $from"
59 r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'` 52 r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
60 if [ "$r" = "true" ]; then 53 if [ "$r" = "true" ]; then
61 fail "key option proto $p $from not restricted" 54 fail "key option $from not restricted"
62 fi 55 fi
63 56
64 r=`${SSH} -$p -q -F $OBJ/ssh_config somehost 'echo true'` 57 r=`${SSH} -q -F $OBJ/ssh_config somehost 'echo true'`
65 if [ "$r" != "true" ]; then 58 if [ "$r" != "true" ]; then
66 fail "key option proto $p $from not allowed but should be" 59 fail "key option $from not allowed but should be"
67 fi 60 fi
68 done
69done 61done
70 62
71rm -f "$origkeys" 63rm -f "$origkeys"
diff --git a/regress/keygen-change.sh b/regress/keygen-change.sh
index e56185050..8b8acd52f 100644
--- a/regress/keygen-change.sh
+++ b/regress/keygen-change.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: keygen-change.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: keygen-change.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="change passphrase for key" 4tid="change passphrase for key"
@@ -7,9 +7,6 @@ S1="secret1"
7S2="2secret" 7S2="2secret"
8 8
9KEYTYPES=`${SSH} -Q key-plain` 9KEYTYPES=`${SSH} -Q key-plain`
10if ssh_version 1; then
11 KEYTYPES="${KEYTYPES} rsa1"
12fi
13 10
14for t in $KEYTYPES; do 11for t in $KEYTYPES; do
15 # generate user key for agent 12 # generate user key for agent
diff --git a/regress/keyscan.sh b/regress/keyscan.sh
index f97364b76..3bde1219a 100644
--- a/regress/keyscan.sh
+++ b/regress/keyscan.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: keyscan.sh,v 1.5 2015/09/11 03:44:21 djm Exp $ 1# $OpenBSD: keyscan.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="keyscan" 4tid="keyscan"
@@ -9,10 +9,6 @@ rm -f ${OBJ}/host.dsa
9start_sshd 9start_sshd
10 10
11KEYTYPES=`${SSH} -Q key-plain` 11KEYTYPES=`${SSH} -Q key-plain`
12if ssh_version 1; then
13 KEYTYPES="${KEYTYPES} rsa1"
14fi
15
16for t in $KEYTYPES; do 12for t in $KEYTYPES; do
17 trace "keyscan type $t" 13 trace "keyscan type $t"
18 ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \ 14 ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \
diff --git a/regress/keytype.sh b/regress/keytype.sh
index 8f697788f..88b022de4 100644
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@@ -1,13 +1,8 @@
1# $OpenBSD: keytype.sh,v 1.4 2015/07/10 06:23:25 markus Exp $ 1# $OpenBSD: keytype.sh,v 1.5 2017/03/20 22:08:06 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="login with different key types" 4tid="login with different key types"
5 5
6TIME=`which time 2>/dev/null`
7if test ! -x "$TIME"; then
8 TIME=""
9fi
10
11cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 6cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
12cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak 7cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
13 8
@@ -26,8 +21,8 @@ for kt in $ktypes; do
26 rm -f $OBJ/key.$kt 21 rm -f $OBJ/key.$kt
27 bits=`echo ${kt} | awk -F- '{print $2}'` 22 bits=`echo ${kt} | awk -F- '{print $2}'`
28 type=`echo ${kt} | awk -F- '{print $1}'` 23 type=`echo ${kt} | awk -F- '{print $1}'`
29 printf "keygen $type, $bits bits:\t" 24 verbose "keygen $type, $bits bits"
30 ${TIME} ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\ 25 ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\
31 fail "ssh-keygen for type $type, $bits bits failed" 26 fail "ssh-keygen for type $type, $bits bits failed"
32done 27done
33 28
@@ -63,8 +58,8 @@ for ut in $ktypes; do
63 ) > $OBJ/known_hosts 58 ) > $OBJ/known_hosts
64 cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER 59 cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER
65 for i in $tries; do 60 for i in $tries; do
66 printf "userkey $ut, hostkey ${ht}:\t" 61 verbose "userkey $ut, hostkey ${ht}"
67 ${TIME} ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true 62 ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
68 if [ $? -ne 0 ]; then 63 if [ $? -ne 0 ]; then
69 fail "ssh userkey $ut, hostkey $ht failed" 64 fail "ssh userkey $ut, hostkey $ht failed"
70 fi 65 fi
diff --git a/regress/localcommand.sh b/regress/localcommand.sh
index 220f19a4d..5224a16b2 100644
--- a/regress/localcommand.sh
+++ b/regress/localcommand.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: localcommand.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: localcommand.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="localcommand" 4tid="localcommand"
@@ -6,10 +6,8 @@ tid="localcommand"
6echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy 6echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy
7echo 'LocalCommand echo foo' >> $OBJ/ssh_proxy 7echo 'LocalCommand echo foo' >> $OBJ/ssh_proxy
8 8
9for p in ${SSH_PROTOCOLS}; do 9verbose "test $tid: proto $p localcommand"
10 verbose "test $tid: proto $p localcommand" 10a=`${SSH} -F $OBJ/ssh_proxy somehost true`
11 a=`${SSH} -F $OBJ/ssh_proxy -$p somehost true` 11if [ "$a" != "foo" ] ; then
12 if [ "$a" != "foo" ] ; then 12 fail "$tid proto $p"
13 fail "$tid proto $p" 13fi
14 fi
15done
diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh
index 12207fd99..4c2d07dc2 100644
--- a/regress/login-timeout.sh
+++ b/regress/login-timeout.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: login-timeout.sh,v 1.8 2016/12/16 01:06:27 dtucker Exp $ 1# $OpenBSD: login-timeout.sh,v 1.9 2017/08/07 00:53:51 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="connect after login grace timeout" 4tid="connect after login grace timeout"
@@ -10,23 +10,9 @@ echo "LoginGraceTime 10s" >> $OBJ/sshd_config
10echo "MaxStartups 1" >> $OBJ/sshd_config 10echo "MaxStartups 1" >> $OBJ/sshd_config
11start_sshd 11start_sshd
12 12
13(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & 13(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 &
14sleep 15 14sleep 15
15${SSH} -F $OBJ/ssh_config somehost true 15${SSH} -F $OBJ/ssh_config somehost true
16if [ $? -ne 0 ]; then 16if [ $? -ne 0 ]; then
17 fail "ssh connect after login grace timeout failed with privsep" 17 fail "ssh connect after login grace timeout failed"
18fi
19
20stop_sshd
21
22trace "test login grace without privsep"
23echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config
24start_sshd
25sleep 1
26
27(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 &
28sleep 15
29${SSH} -F $OBJ/ssh_config somehost true
30if [ $? -ne 0 ]; then
31 fail "ssh connect after login grace timeout failed without privsep"
32fi 18fi
diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile
new file mode 100644
index 000000000..8fbfc20c6
--- /dev/null
+++ b/regress/misc/fuzz-harness/Makefile
@@ -0,0 +1,22 @@
1# NB. libssh and libopenbsd-compat should be built with the same sanitizer opts.
2CXX=clang++-3.9
3FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge
4FUZZ_LIBS=-lFuzzer
5
6CXXFLAGS=-O2 -g -Wall -Wextra -I ../../.. $(FUZZ_FLAGS)
7LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS)
8LIBS=-lssh -lopenbsd-compat -lcrypto $(FUZZ_LIBS)
9
10all: pubkey_fuzz sig_fuzz
11
12.cc.o:
13 $(CXX) $(CXXFLAGS) -c $< -o $@
14
15pubkey_fuzz: pubkey_fuzz.o
16 $(CXX) -o $@ pubkey_fuzz.o $(LDFLAGS) $(LIBS)
17
18sig_fuzz: sig_fuzz.o
19 $(CXX) -o $@ sig_fuzz.o $(LDFLAGS) $(LIBS)
20
21clean:
22 -rm -f *.o pubkey_fuzz sig_fuzz
diff --git a/regress/misc/fuzz-harness/README b/regress/misc/fuzz-harness/README
new file mode 100644
index 000000000..ae6fbe75d
--- /dev/null
+++ b/regress/misc/fuzz-harness/README
@@ -0,0 +1 @@
This directory contains fuzzing harnesses for use with clang's libfuzzer.
diff --git a/regress/misc/fuzz-harness/pubkey_fuzz.cc b/regress/misc/fuzz-harness/pubkey_fuzz.cc
new file mode 100644
index 000000000..8bbc11093
--- /dev/null
+++ b/regress/misc/fuzz-harness/pubkey_fuzz.cc
@@ -0,0 +1,18 @@
1#include <stddef.h>
2#include <stdio.h>
3#include <stdint.h>
4
5extern "C" {
6
7#include "sshkey.h"
8
9int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
10{
11 struct sshkey *k = NULL;
12 int r = sshkey_from_blob(data, size, &k);
13 if (r == 0) sshkey_free(k);
14 return 0;
15}
16
17} // extern
18
diff --git a/regress/misc/fuzz-harness/sig_fuzz.cc b/regress/misc/fuzz-harness/sig_fuzz.cc
new file mode 100644
index 000000000..0e535b49a
--- /dev/null
+++ b/regress/misc/fuzz-harness/sig_fuzz.cc
@@ -0,0 +1,50 @@
1// cc_fuzz_target test for public key parsing.
2
3#include <stddef.h>
4#include <stdio.h>
5#include <stdint.h>
6#include <stdlib.h>
7#include <string.h>
8
9extern "C" {
10
11#include "includes.h"
12#include "sshkey.h"
13#include "ssherr.h"
14
15static struct sshkey *generate_or_die(int type, unsigned bits) {
16 int r;
17 struct sshkey *ret;
18 if ((r = sshkey_generate(type, bits, &ret)) != 0) {
19 fprintf(stderr, "generate(%d, %u): %s", type, bits, ssh_err(r));
20 abort();
21 }
22 return ret;
23}
24
25int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
26{
27#ifdef WITH_OPENSSL
28 static struct sshkey *rsa = generate_or_die(KEY_RSA, 2048);
29 static struct sshkey *dsa = generate_or_die(KEY_DSA, 1024);
30 static struct sshkey *ecdsa256 = generate_or_die(KEY_ECDSA, 256);
31 static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384);
32 static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521);
33#endif
34 static struct sshkey *ed25519 = generate_or_die(KEY_ED25519, 0);
35 static const char *data = "If everyone started announcing his nose had "
36 "run away, I don’t know how it would all end";
37 static const size_t dlen = strlen(data);
38
39#ifdef WITH_OPENSSL
40 sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, 0);
41 sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, 0);
42 sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, 0);
43 sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, 0);
44 sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, 0);
45#endif
46 sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, 0);
47 return 0;
48}
49
50} // extern
diff --git a/regress/misc/kexfuzz/Makefile b/regress/misc/kexfuzz/Makefile
index 3018b632f..d0aca8dfe 100644
--- a/regress/misc/kexfuzz/Makefile
+++ b/regress/misc/kexfuzz/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.1 2016/03/04 02:30:37 djm Exp $ 1# $OpenBSD: Makefile,v 1.2 2017/04/17 11:02:31 jsg Exp $
2 2
3.include <bsd.own.mk> 3.include <bsd.own.mk>
4.include <bsd.obj.mk> 4.include <bsd.obj.mk>
@@ -49,7 +49,7 @@ CDIAGFLAGS+= -Wswitch
49CDIAGFLAGS+= -Wtrigraphs 49CDIAGFLAGS+= -Wtrigraphs
50CDIAGFLAGS+= -Wuninitialized 50CDIAGFLAGS+= -Wuninitialized
51CDIAGFLAGS+= -Wunused 51CDIAGFLAGS+= -Wunused
52.if ${COMPILER_VERSION} == "gcc4" 52.if ${COMPILER_VERSION:L} != "gcc3"
53CDIAGFLAGS+= -Wpointer-sign 53CDIAGFLAGS+= -Wpointer-sign
54CDIAGFLAGS+= -Wold-style-definition 54CDIAGFLAGS+= -Wold-style-definition
55.endif 55.endif
diff --git a/regress/misc/kexfuzz/kexfuzz.c b/regress/misc/kexfuzz/kexfuzz.c
index 67058027f..3e2c48160 100644
--- a/regress/misc/kexfuzz/kexfuzz.c
+++ b/regress/misc/kexfuzz/kexfuzz.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: kexfuzz.c,v 1.3 2016/10/11 21:49:54 djm Exp $ */ 1/* $OpenBSD: kexfuzz.c,v 1.4 2017/04/30 23:34:55 djm Exp $ */
2/* 2/*
3 * Fuzz harness for KEX code 3 * Fuzz harness for KEX code
4 * 4 *
@@ -418,7 +418,7 @@ main(int argc, char **argv)
418 close(fd); 418 close(fd);
419 /* XXX check that it is a private key */ 419 /* XXX check that it is a private key */
420 /* XXX support certificates */ 420 /* XXX support certificates */
421 if (key == NULL || key->type == KEY_UNSPEC || key->type == KEY_RSA1) 421 if (key == NULL || key->type == KEY_UNSPEC)
422 badusage("Invalid key file (-k flag)"); 422 badusage("Invalid key file (-k flag)");
423 423
424 /* Replace (fuzz) mode */ 424 /* Replace (fuzz) mode */
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index acb9234d9..078a53a88 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: multiplex.sh,v 1.27 2014/12/22 06:14:29 djm Exp $ 1# $OpenBSD: multiplex.sh,v 1.28 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4CTL=/tmp/openssh.regress.ctl-sock.$$ 4CTL=/tmp/openssh.regress.ctl-sock.$$
@@ -101,7 +101,7 @@ for s in 0 1 4 5 44; do
101 ${SSH} -F $OBJ/ssh_config -S $CTL otherhost exit $s 101 ${SSH} -F $OBJ/ssh_config -S $CTL otherhost exit $s
102 r=$? 102 r=$?
103 if [ $r -ne $s ]; then 103 if [ $r -ne $s ]; then
104 fail "exit code mismatch for protocol $p: $r != $s" 104 fail "exit code mismatch: $r != $s"
105 fi 105 fi
106 106
107 # same with early close of stdout/err 107 # same with early close of stdout/err
@@ -110,7 +110,7 @@ for s in 0 1 4 5 44; do
110 exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\' 110 exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
111 r=$? 111 r=$?
112 if [ $r -ne $s ]; then 112 if [ $r -ne $s ]; then
113 fail "exit code (with sleep) mismatch for protocol $p: $r != $s" 113 fail "exit code (with sleep) mismatch: $r != $s"
114 fi 114 fi
115done 115done
116 116
diff --git a/regress/principals-command.sh b/regress/principals-command.sh
index 9b38eb105..bcc68e80b 100644
--- a/regress/principals-command.sh
+++ b/regress/principals-command.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: principals-command.sh,v 1.3 2016/09/26 21:34:38 bluhm Exp $ 1# $OpenBSD: principals-command.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="authorized principals command" 4tid="authorized principals command"
@@ -78,7 +78,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
78 # Empty authorized_principals 78 # Empty authorized_principals
79 verbose "$tid: ${_prefix} empty authorized_principals" 79 verbose "$tid: ${_prefix} empty authorized_principals"
80 echo > $OBJ/authorized_principals_$USER 80 echo > $OBJ/authorized_principals_$USER
81 ${SSH} -2i $OBJ/cert_user_key \ 81 ${SSH} -i $OBJ/cert_user_key \
82 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 82 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
83 if [ $? -eq 0 ]; then 83 if [ $? -eq 0 ]; then
84 fail "ssh cert connect succeeded unexpectedly" 84 fail "ssh cert connect succeeded unexpectedly"
@@ -87,7 +87,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
87 # Wrong authorized_principals 87 # Wrong authorized_principals
88 verbose "$tid: ${_prefix} wrong authorized_principals" 88 verbose "$tid: ${_prefix} wrong authorized_principals"
89 echo gregorsamsa > $OBJ/authorized_principals_$USER 89 echo gregorsamsa > $OBJ/authorized_principals_$USER
90 ${SSH} -2i $OBJ/cert_user_key \ 90 ${SSH} -i $OBJ/cert_user_key \
91 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 91 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
92 if [ $? -eq 0 ]; then 92 if [ $? -eq 0 ]; then
93 fail "ssh cert connect succeeded unexpectedly" 93 fail "ssh cert connect succeeded unexpectedly"
@@ -96,7 +96,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
96 # Correct authorized_principals 96 # Correct authorized_principals
97 verbose "$tid: ${_prefix} correct authorized_principals" 97 verbose "$tid: ${_prefix} correct authorized_principals"
98 echo mekmitasdigoat > $OBJ/authorized_principals_$USER 98 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
99 ${SSH} -2i $OBJ/cert_user_key \ 99 ${SSH} -i $OBJ/cert_user_key \
100 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 100 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
101 if [ $? -ne 0 ]; then 101 if [ $? -ne 0 ]; then
102 fail "ssh cert connect failed" 102 fail "ssh cert connect failed"
@@ -105,7 +105,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
105 # authorized_principals with bad key option 105 # authorized_principals with bad key option
106 verbose "$tid: ${_prefix} authorized_principals bad key opt" 106 verbose "$tid: ${_prefix} authorized_principals bad key opt"
107 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER 107 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
108 ${SSH} -2i $OBJ/cert_user_key \ 108 ${SSH} -i $OBJ/cert_user_key \
109 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 109 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
110 if [ $? -eq 0 ]; then 110 if [ $? -eq 0 ]; then
111 fail "ssh cert connect succeeded unexpectedly" 111 fail "ssh cert connect succeeded unexpectedly"
@@ -115,7 +115,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
115 verbose "$tid: ${_prefix} authorized_principals command=false" 115 verbose "$tid: ${_prefix} authorized_principals command=false"
116 echo 'command="false" mekmitasdigoat' > \ 116 echo 'command="false" mekmitasdigoat' > \
117 $OBJ/authorized_principals_$USER 117 $OBJ/authorized_principals_$USER
118 ${SSH} -2i $OBJ/cert_user_key \ 118 ${SSH} -i $OBJ/cert_user_key \
119 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 119 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
120 if [ $? -eq 0 ]; then 120 if [ $? -eq 0 ]; then
121 fail "ssh cert connect succeeded unexpectedly" 121 fail "ssh cert connect succeeded unexpectedly"
@@ -125,7 +125,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
125 verbose "$tid: ${_prefix} authorized_principals command=true" 125 verbose "$tid: ${_prefix} authorized_principals command=true"
126 echo 'command="true" mekmitasdigoat' > \ 126 echo 'command="true" mekmitasdigoat' > \
127 $OBJ/authorized_principals_$USER 127 $OBJ/authorized_principals_$USER
128 ${SSH} -2i $OBJ/cert_user_key \ 128 ${SSH} -i $OBJ/cert_user_key \
129 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 129 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
130 if [ $? -ne 0 ]; then 130 if [ $? -ne 0 ]; then
131 fail "ssh cert connect failed" 131 fail "ssh cert connect failed"
@@ -144,7 +144,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
144 printf 'cert-authority,principals="gregorsamsa" ' 144 printf 'cert-authority,principals="gregorsamsa" '
145 cat $OBJ/user_ca_key.pub 145 cat $OBJ/user_ca_key.pub
146 ) > $OBJ/authorized_keys_$USER 146 ) > $OBJ/authorized_keys_$USER
147 ${SSH} -2i $OBJ/cert_user_key \ 147 ${SSH} -i $OBJ/cert_user_key \
148 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 148 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
149 if [ $? -eq 0 ]; then 149 if [ $? -eq 0 ]; then
150 fail "ssh cert connect succeeded unexpectedly" 150 fail "ssh cert connect succeeded unexpectedly"
@@ -156,7 +156,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
156 printf 'cert-authority,principals="mekmitasdigoat" ' 156 printf 'cert-authority,principals="mekmitasdigoat" '
157 cat $OBJ/user_ca_key.pub 157 cat $OBJ/user_ca_key.pub
158 ) > $OBJ/authorized_keys_$USER 158 ) > $OBJ/authorized_keys_$USER
159 ${SSH} -2i $OBJ/cert_user_key \ 159 ${SSH} -i $OBJ/cert_user_key \
160 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 160 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
161 if [ $? -ne 0 ]; then 161 if [ $? -ne 0 ]; then
162 fail "ssh cert connect failed" 162 fail "ssh cert connect failed"
diff --git a/regress/proto-mismatch.sh b/regress/proto-mismatch.sh
index 9e8024beb..6ab28c9a7 100644
--- a/regress/proto-mismatch.sh
+++ b/regress/proto-mismatch.sh
@@ -1,21 +1,17 @@
1# $OpenBSD: proto-mismatch.sh,v 1.4 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: proto-mismatch.sh,v 1.5 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="protocol version mismatch" 4tid="protocol version mismatch"
5 5
6mismatch () 6mismatch ()
7{ 7{
8 server=$1
9 client=$2 8 client=$2
10 banner=`echo ${client} | ${SSHD} -o "Protocol=${server}" -i -f ${OBJ}/sshd_proxy` 9 banner=`echo ${client} | ${SSHD} -i -f ${OBJ}/sshd_proxy`
11 r=$? 10 r=$?
12 trace "sshd prints ${banner}" 11 trace "sshd prints ${banner}"
13 if [ $r -ne 255 ]; then 12 if [ $r -ne 255 ]; then
14 fail "sshd prints ${banner} and accepts connect with version ${client}" 13 fail "sshd prints ${banner} but accepts version ${client}"
15 fi 14 fi
16} 15}
17 16
18mismatch 2 SSH-1.5-HALLO 17mismatch SSH-1.5-HALLO
19if ssh_version 1; then
20 mismatch 1 SSH-2.0-HALLO
21fi
diff --git a/regress/proto-version.sh b/regress/proto-version.sh
index cf4946115..1f33b1f00 100644
--- a/regress/proto-version.sh
+++ b/regress/proto-version.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: proto-version.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: proto-version.sh,v 1.7 2017/06/07 01:48:15 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="sshd version with different protocol combinations" 4tid="sshd version with different protocol combinations"
@@ -6,9 +6,8 @@ tid="sshd version with different protocol combinations"
6# we just start sshd in inetd mode and check the banner 6# we just start sshd in inetd mode and check the banner
7check_version () 7check_version ()
8{ 8{
9 version=$1 9 expect=$1
10 expect=$2 10 banner=`printf '' | ${SSHD} -i -f ${OBJ}/sshd_proxy`
11 banner=`printf '' | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy`
12 case ${banner} in 11 case ${banner} in
13 SSH-1.99-*) 12 SSH-1.99-*)
14 proto=199 13 proto=199
@@ -24,13 +23,8 @@ check_version ()
24 ;; 23 ;;
25 esac 24 esac
26 if [ ${expect} -ne ${proto} ]; then 25 if [ ${expect} -ne ${proto} ]; then
27 fail "wrong protocol version ${banner} for ${version}" 26 fail "wrong protocol version ${banner}"
28 fi 27 fi
29} 28}
30 29
31check_version 2 20 30check_version 20
32if ssh_version 1; then
33 check_version 2,1 199
34 check_version 1,2 199
35 check_version 1 15
36fi
diff --git a/regress/proxy-connect.sh b/regress/proxy-connect.sh
index b7a43fabe..f1b9d9f76 100644
--- a/regress/proxy-connect.sh
+++ b/regress/proxy-connect.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: proxy-connect.sh,v 1.9 2016/02/17 02:24:17 djm Exp $ 1# $OpenBSD: proxy-connect.sh,v 1.10 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="proxy connect" 4tid="proxy connect"
@@ -6,27 +6,22 @@ tid="proxy connect"
6mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig 6mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
7 7
8for ps in no yes; do 8for ps in no yes; do
9 cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy 9 cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
10 echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy 10 echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
11 11 for c in no yes; do
12 for p in ${SSH_PROTOCOLS}; do 12 verbose "plain username privsep=$ps comp=$c"
13 for c in no yes; do 13 opts="-oCompression=$c -F $OBJ/ssh_proxy"
14 verbose "plain username protocol $p privsep=$ps comp=$c" 14 SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'`
15 opts="-$p -oCompression=$c -F $OBJ/ssh_proxy" 15 if [ $? -ne 0 ]; then
16 SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'` 16 fail "ssh proxyconnect privsep=$ps comp=$c failed"
17 if [ $? -ne 0 ]; then 17 fi
18 fail "ssh proxyconnect protocol $p privsep=$ps comp=$c failed" 18 if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
19 fi 19 fail "bad SSH_CONNECTION privsep=$ps comp=$c: " \
20 if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then 20 "$SSH_CONNECTION"
21 fail "bad SSH_CONNECTION protocol $p privsep=$ps comp=$c: " \ 21 fi
22 "$SSH_CONNECTION" 22 done
23 fi
24 done
25 done
26done 23done
27 24
28for p in ${SSH_PROTOCOLS}; do 25verbose "username with style"
29 verbose "username with style protocol $p" 26${SSH} -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \
30 ${SSH} -$p -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \ 27 fail "ssh proxyconnect failed"
31 fail "ssh proxyconnect protocol $p failed"
32done
diff --git a/regress/putty-ciphers.sh b/regress/putty-ciphers.sh
index 9adba674e..419daabba 100644
--- a/regress/putty-ciphers.sh
+++ b/regress/putty-ciphers.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: putty-ciphers.sh,v 1.5 2016/11/25 03:02:01 dtucker Exp $ 1# $OpenBSD: putty-ciphers.sh,v 1.6 2017/05/08 01:52:49 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="putty ciphers" 4tid="putty ciphers"
@@ -8,7 +8,7 @@ if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
8 exit 0 8 exit 0
9fi 9fi
10 10
11for c in aes blowfish 3des arcfour aes128-ctr aes192-ctr aes256-ctr ; do 11for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do
12 verbose "$tid: cipher $c" 12 verbose "$tid: cipher $c"
13 cp ${OBJ}/.putty/sessions/localhost_proxy \ 13 cp ${OBJ}/.putty/sessions/localhost_proxy \
14 ${OBJ}/.putty/sessions/cipher_$c 14 ${OBJ}/.putty/sessions/cipher_$c
diff --git a/regress/putty-transfer.sh b/regress/putty-transfer.sh
index 8eb6ae0c0..32c79f9ea 100644
--- a/regress/putty-transfer.sh
+++ b/regress/putty-transfer.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: putty-transfer.sh,v 1.4 2016/11/25 03:02:01 dtucker Exp $ 1# $OpenBSD: putty-transfer.sh,v 1.5 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="putty transfer data" 4tid="putty transfer data"
@@ -8,33 +8,30 @@ if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
8 exit 0 8 exit 0
9fi 9fi
10 10
11# XXX support protocol 1 too 11for c in 0 1 ; do
12for p in 2; do 12 verbose "$tid: compression $c"
13 for c in 0 1 ; do 13 rm -f ${COPY}
14 verbose "$tid: proto $p compression $c" 14 cp ${OBJ}/.putty/sessions/localhost_proxy \
15 ${OBJ}/.putty/sessions/compression_$c
16 echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
17 env HOME=$PWD ${PLINK} -load compression_$c -batch \
18 -i putty.rsa cat ${DATA} > ${COPY}
19 if [ $? -ne 0 ]; then
20 fail "ssh cat $DATA failed"
21 fi
22 cmp ${DATA} ${COPY} || fail "corrupted copy"
23
24 for s in 10 100 1k 32k 64k 128k 256k; do
25 trace "compression $c dd-size ${s}"
15 rm -f ${COPY} 26 rm -f ${COPY}
16 cp ${OBJ}/.putty/sessions/localhost_proxy \ 27 dd if=$DATA obs=${s} 2> /dev/null | \
17 ${OBJ}/.putty/sessions/compression_$c 28 env HOME=$PWD ${PLINK} -load compression_$c \
18 echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k 29 -batch -i putty.rsa \
19 env HOME=$PWD ${PLINK} -load compression_$c -batch \ 30 "cat > ${COPY}"
20 -i putty.rsa$p cat ${DATA} > ${COPY}
21 if [ $? -ne 0 ]; then 31 if [ $? -ne 0 ]; then
22 fail "ssh cat $DATA failed" 32 fail "ssh cat $DATA failed"
23 fi 33 fi
24 cmp ${DATA} ${COPY} || fail "corrupted copy" 34 cmp $DATA ${COPY} || fail "corrupted copy"
25
26 for s in 10 100 1k 32k 64k 128k 256k; do
27 trace "proto $p compression $c dd-size ${s}"
28 rm -f ${COPY}
29 dd if=$DATA obs=${s} 2> /dev/null | \
30 env HOME=$PWD ${PLINK} -load compression_$c \
31 -batch -i putty.rsa$p \
32 "cat > ${COPY}"
33 if [ $? -ne 0 ]; then
34 fail "ssh cat $DATA failed"
35 fi
36 cmp $DATA ${COPY} || fail "corrupted copy"
37 done
38 done 35 done
39done 36done
40rm -f ${COPY} 37rm -f ${COPY}
diff --git a/regress/reconfigure.sh b/regress/reconfigure.sh
index eecddd3c7..dd15eddb2 100644
--- a/regress/reconfigure.sh
+++ b/regress/reconfigure.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: reconfigure.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: reconfigure.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="simple connect after reconfigure" 4tid="simple connect after reconfigure"
@@ -18,12 +18,10 @@ fi
18start_sshd 18start_sshd
19 19
20trace "connect before restart" 20trace "connect before restart"
21for p in ${SSH_PROTOCOLS} ; do 21${SSH} -F $OBJ/ssh_config somehost true
22 ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true 22if [ $? -ne 0 ]; then
23 if [ $? -ne 0 ]; then 23 fail "ssh connect with failed before reconfigure"
24 fail "ssh connect with protocol $p failed before reconfigure" 24fi
25 fi
26done
27 25
28PID=`$SUDO cat $PIDFILE` 26PID=`$SUDO cat $PIDFILE`
29rm -f $PIDFILE 27rm -f $PIDFILE
@@ -39,9 +37,7 @@ done
39test -f $PIDFILE || fatal "sshd did not restart" 37test -f $PIDFILE || fatal "sshd did not restart"
40 38
41trace "connect after restart" 39trace "connect after restart"
42for p in ${SSH_PROTOCOLS} ; do 40${SSH} -F $OBJ/ssh_config somehost true
43 ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true 41if [ $? -ne 0 ]; then
44 if [ $? -ne 0 ]; then 42 fail "ssh connect with failed after reconfigure"
45 fail "ssh connect with protocol $p failed after reconfigure" 43fi
46 fi
47done
diff --git a/regress/reexec.sh b/regress/reexec.sh
index 72957d4cd..2192456cd 100644
--- a/regress/reexec.sh
+++ b/regress/reexec.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: reexec.sh,v 1.10 2016/12/16 01:06:27 dtucker Exp $ 1# $OpenBSD: reexec.sh,v 1.12 2017/08/07 03:52:55 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="reexec tests" 4tid="reexec tests"
@@ -19,16 +19,13 @@ start_sshd_copy ()
19copy_tests () 19copy_tests ()
20{ 20{
21 rm -f ${COPY} 21 rm -f ${COPY}
22 for p in ${SSH_PROTOCOLS} ; do 22 ${SSH} -nq -F $OBJ/ssh_config somehost \
23 verbose "$tid: proto $p" 23 cat ${DATA} > ${COPY}
24 ${SSH} -nqo "Protocol=$p" -F $OBJ/ssh_config somehost \ 24 if [ $? -ne 0 ]; then
25 cat ${DATA} > ${COPY} 25 fail "ssh cat $DATA failed"
26 if [ $? -ne 0 ]; then 26 fi
27 fail "ssh cat $DATA failed" 27 cmp ${DATA} ${COPY} || fail "corrupted copy"
28 fi 28 rm -f ${COPY}
29 cmp ${DATA} ${COPY} || fail "corrupted copy"
30 rm -f ${COPY}
31 done
32} 29}
33 30
34verbose "test config passing" 31verbose "test config passing"
@@ -54,17 +51,4 @@ rm -f $SSHD_COPY
54copy_tests 51copy_tests
55 52
56stop_sshd 53stop_sshd
57
58verbose "test reexec fallback without privsep"
59
60cp $OBJ/sshd_config.orig $OBJ/sshd_config
61echo "UsePrivilegeSeparation=no" >> $OBJ/sshd_config
62
63start_sshd_copy
64rm -f $SSHD_COPY
65
66copy_tests
67
68stop_sshd
69
70fi 54fi
diff --git a/regress/ssh-com.sh b/regress/ssh-com.sh
index 4371d5279..b1a2505d1 100644
--- a/regress/ssh-com.sh
+++ b/regress/ssh-com.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: ssh-com.sh,v 1.9 2015/05/08 07:29:00 djm Exp $ 1# $OpenBSD: ssh-com.sh,v 1.10 2017/05/08 01:52:49 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="connect to ssh.com server" 4tid="connect to ssh.com server"
@@ -87,7 +87,7 @@ for v in ${VERSIONS}; do
87 fail "ssh connect to sshd2 ${v} failed" 87 fail "ssh connect to sshd2 ${v} failed"
88 fi 88 fi
89 89
90 ciphers="3des-cbc blowfish-cbc arcfour" 90 ciphers="3des-cbc"
91 macs="hmac-md5" 91 macs="hmac-md5"
92 case $v in 92 case $v in
93 2.4.*) 93 2.4.*)
diff --git a/regress/stderr-after-eof.sh b/regress/stderr-after-eof.sh
index 218ac6b68..9065245e8 100644
--- a/regress/stderr-after-eof.sh
+++ b/regress/stderr-after-eof.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: stderr-after-eof.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $ 1# $OpenBSD: stderr-after-eof.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="stderr data after eof" 4tid="stderr data after eof"
@@ -10,7 +10,7 @@ for i in 1 2 3 4 5 6; do
10 (date;echo $i) | md5 >> ${DATA} 10 (date;echo $i) | md5 >> ${DATA}
11done 11done
12 12
13${SSH} -2 -F $OBJ/ssh_proxy otherhost \ 13${SSH} -F $OBJ/ssh_proxy otherhost \
14 exec sh -c \'"exec > /dev/null; sleep 2; cat ${DATA} 1>&2 $s"\' \ 14 exec sh -c \'"exec > /dev/null; sleep 2; cat ${DATA} 1>&2 $s"\' \
15 2> ${COPY} 15 2> ${COPY}
16r=$? 16r=$?
diff --git a/regress/stderr-data.sh b/regress/stderr-data.sh
index 8c8149a73..0ceb72b3a 100644
--- a/regress/stderr-data.sh
+++ b/regress/stderr-data.sh
@@ -1,13 +1,12 @@
1# $OpenBSD: stderr-data.sh,v 1.4 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: stderr-data.sh,v 1.5 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="stderr data transfer" 4tid="stderr data transfer"
5 5
6for n in '' -n; do 6for n in '' -n; do
7for p in ${SSH_PROTOCOLS}; do 7 verbose "test $tid: ($n)"
8 verbose "test $tid: proto $p ($n)" 8 ${SSH} $n -F $OBJ/ssh_proxy otherhost exec \
9 ${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \ 9 sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
10 exec sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
11 2> ${COPY} 10 2> ${COPY}
12 r=$? 11 r=$?
13 if [ $r -ne 0 ]; then 12 if [ $r -ne 0 ]; then
@@ -16,8 +15,8 @@ for p in ${SSH_PROTOCOLS}; do
16 cmp ${DATA} ${COPY} || fail "stderr corrupt" 15 cmp ${DATA} ${COPY} || fail "stderr corrupt"
17 rm -f ${COPY} 16 rm -f ${COPY}
18 17
19 ${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \ 18 ${SSH} $n -F $OBJ/ssh_proxy otherhost exec \
20 exec sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ 19 sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
21 > /dev/null 2> ${COPY} 20 > /dev/null 2> ${COPY}
22 r=$? 21 r=$?
23 if [ $r -ne 0 ]; then 22 if [ $r -ne 0 ]; then
@@ -26,4 +25,3 @@ for p in ${SSH_PROTOCOLS}; do
26 cmp ${DATA} ${COPY} || fail "stderr corrupt" 25 cmp ${DATA} ${COPY} || fail "stderr corrupt"
27 rm -f ${COPY} 26 rm -f ${COPY}
28done 27done
29done
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index dc033cd96..68f010b70 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: test-exec.sh,v 1.59 2017/02/07 23:03:11 dtucker Exp $ 1# $OpenBSD: test-exec.sh,v 1.61 2017/07/28 10:32:08 dtucker Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4#SUDO=sudo 4#SUDO=sudo
@@ -130,12 +130,6 @@ if [ "x$TEST_SSH_CONCH" != "x" ]; then
130 esac 130 esac
131fi 131fi
132 132
133SSH_PROTOCOLS=2
134#SSH_PROTOCOLS=`$SSH -Q protocol-version`
135if [ "x$TEST_SSH_PROTOCOLS" != "x" ]; then
136 SSH_PROTOCOLS="${TEST_SSH_PROTOCOLS}"
137fi
138
139# Path to sshd must be absolute for rexec 133# Path to sshd must be absolute for rexec
140case "$SSHD" in 134case "$SSHD" in
141/*) ;; 135/*) ;;
@@ -310,8 +304,15 @@ stop_sshd ()
310 i=`expr $i + 1` 304 i=`expr $i + 1`
311 sleep $i 305 sleep $i
312 done 306 done
313 test -f $PIDFILE && \ 307 if test -f $PIDFILE; then
314 fatal "sshd didn't exit port $PORT pid $pid" 308 if $SUDO kill -0 $pid; then
309 echo "sshd didn't exit " \
310 "port $PORT pid $pid"
311 else
312 echo "sshd died without cleanup"
313 fi
314 exit 1
315 fi
315 fi 316 fi
316 fi 317 fi
317 fi 318 fi
@@ -386,22 +387,11 @@ fatal ()
386 exit $RESULT 387 exit $RESULT
387} 388}
388 389
389ssh_version ()
390{
391 echo ${SSH_PROTOCOLS} | grep "$1" >/dev/null
392}
393
394RESULT=0 390RESULT=0
395PIDFILE=$OBJ/pidfile 391PIDFILE=$OBJ/pidfile
396 392
397trap fatal 3 2 393trap fatal 3 2
398 394
399if ssh_version 1; then
400 PROTO="2,1"
401else
402 PROTO="2"
403fi
404
405# create server config 395# create server config
406cat << EOF > $OBJ/sshd_config 396cat << EOF > $OBJ/sshd_config
407 StrictModes no 397 StrictModes no
@@ -460,11 +450,8 @@ fi
460 450
461rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER 451rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER
462 452
463if ssh_version 1; then 453SSH_KEYTYPES="rsa ed25519"
464 SSH_KEYTYPES="rsa rsa1" 454
465else
466 SSH_KEYTYPES="rsa ed25519"
467fi
468trace "generate keys" 455trace "generate keys"
469for t in ${SSH_KEYTYPES}; do 456for t in ${SSH_KEYTYPES}; do
470 # generate user key 457 # generate user key
diff --git a/regress/transfer.sh b/regress/transfer.sh
index 36c14634a..cf174a006 100644
--- a/regress/transfer.sh
+++ b/regress/transfer.sh
@@ -1,26 +1,23 @@
1# $OpenBSD: transfer.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: transfer.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="transfer data" 4tid="transfer data"
5 5
6for p in ${SSH_PROTOCOLS}; do 6rm -f ${COPY}
7 verbose "$tid: proto $p" 7${SSH} -n -q -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY}
8if [ $? -ne 0 ]; then
9 fail "ssh cat $DATA failed"
10fi
11cmp ${DATA} ${COPY} || fail "corrupted copy"
12
13for s in 10 100 1k 32k 64k 128k 256k; do
14 trace "dd-size ${s}"
8 rm -f ${COPY} 15 rm -f ${COPY}
9 ${SSH} -n -q -$p -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY} 16 dd if=$DATA obs=${s} 2> /dev/null | \
17 ${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
10 if [ $? -ne 0 ]; then 18 if [ $? -ne 0 ]; then
11 fail "ssh cat $DATA failed" 19 fail "ssh cat $DATA failed"
12 fi 20 fi
13 cmp ${DATA} ${COPY} || fail "corrupted copy" 21 cmp $DATA ${COPY} || fail "corrupted copy"
14
15 for s in 10 100 1k 32k 64k 128k 256k; do
16 trace "proto $p dd-size ${s}"
17 rm -f ${COPY}
18 dd if=$DATA obs=${s} 2> /dev/null | \
19 ${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
20 if [ $? -ne 0 ]; then
21 fail "ssh cat $DATA failed"
22 fi
23 cmp $DATA ${COPY} || fail "corrupted copy"
24 done
25done 22done
26rm -f ${COPY} 23rm -f ${COPY}
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh
index 889a735d2..e04268ba3 100644
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: try-ciphers.sh,v 1.25 2015/03/24 20:22:17 markus Exp $ 1# $OpenBSD: try-ciphers.sh,v 1.26 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="try ciphers" 4tid="try ciphers"
@@ -8,14 +8,14 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
8for c in `${SSH} -Q cipher`; do 8for c in `${SSH} -Q cipher`; do
9 n=0 9 n=0
10 for m in `${SSH} -Q mac`; do 10 for m in `${SSH} -Q mac`; do
11 trace "proto 2 cipher $c mac $m" 11 trace "cipher $c mac $m"
12 verbose "test $tid: proto 2 cipher $c mac $m" 12 verbose "test $tid: cipher $c mac $m"
13 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy 13 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
14 echo "Ciphers=$c" >> $OBJ/sshd_proxy 14 echo "Ciphers=$c" >> $OBJ/sshd_proxy
15 echo "MACs=$m" >> $OBJ/sshd_proxy 15 echo "MACs=$m" >> $OBJ/sshd_proxy
16 ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true 16 ${SSH} -F $OBJ/ssh_proxy -m $m -c $c somehost true
17 if [ $? -ne 0 ]; then 17 if [ $? -ne 0 ]; then
18 fail "ssh -2 failed with mac $m cipher $c" 18 fail "ssh failed with mac $m cipher $c"
19 fi 19 fi
20 # No point trying all MACs for AEAD ciphers since they 20 # No point trying all MACs for AEAD ciphers since they
21 # are ignored. 21 # are ignored.
@@ -26,17 +26,3 @@ for c in `${SSH} -Q cipher`; do
26 done 26 done
27done 27done
28 28
29if ssh_version 1; then
30 ciphers="3des blowfish"
31else
32 ciphers=""
33fi
34for c in $ciphers; do
35 trace "proto 1 cipher $c"
36 verbose "test $tid: proto 1 cipher $c"
37 ${SSH} -F $OBJ/ssh_proxy -1 -c $c somehost true
38 if [ $? -ne 0 ]; then
39 fail "ssh -1 failed with cipher $c"
40 fi
41done
42
diff --git a/regress/unittests/Makefile.inc b/regress/unittests/Makefile.inc
index 3d9eaba5c..36d1ff42c 100644
--- a/regress/unittests/Makefile.inc
+++ b/regress/unittests/Makefile.inc
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile.inc,v 1.9 2016/11/01 13:43:27 tb Exp $ 1# $OpenBSD: Makefile.inc,v 1.11 2017/04/30 23:33:48 djm Exp $
2 2
3.include <bsd.own.mk> 3.include <bsd.own.mk>
4.include <bsd.obj.mk> 4.include <bsd.obj.mk>
@@ -30,7 +30,7 @@ CDIAGFLAGS+= -Wswitch
30CDIAGFLAGS+= -Wtrigraphs 30CDIAGFLAGS+= -Wtrigraphs
31CDIAGFLAGS+= -Wuninitialized 31CDIAGFLAGS+= -Wuninitialized
32CDIAGFLAGS+= -Wunused 32CDIAGFLAGS+= -Wunused
33.if ${COMPILER_VERSION} == "gcc4" 33.if ${COMPILER_VERSION:L} != "gcc3"
34CDIAGFLAGS+= -Wpointer-sign 34CDIAGFLAGS+= -Wpointer-sign
35CDIAGFLAGS+= -Wold-style-definition 35CDIAGFLAGS+= -Wold-style-definition
36.endif 36.endif
diff --git a/regress/unittests/hostkeys/mktestdata.sh b/regress/unittests/hostkeys/mktestdata.sh
index 36890ba11..5a46de990 100644
--- a/regress/unittests/hostkeys/mktestdata.sh
+++ b/regress/unittests/hostkeys/mktestdata.sh
@@ -1,11 +1,11 @@
1#!/bin/sh 1#!/bin/sh
2# $OpenBSD: mktestdata.sh,v 1.1 2015/02/16 22:18:34 djm Exp $ 2# $OpenBSD: mktestdata.sh,v 1.2 2017/04/30 23:33:48 djm Exp $
3 3
4set -ex 4set -ex
5 5
6cd testdata 6cd testdata
7 7
8rm -f rsa1* rsa* dsa* ecdsa* ed25519* 8rm -f rsa* dsa* ecdsa* ed25519*
9rm -f known_hosts* 9rm -f known_hosts*
10 10
11gen_all() { 11gen_all() {
@@ -13,13 +13,12 @@ gen_all() {
13 _ecdsa_bits=256 13 _ecdsa_bits=256
14 test "x$_n" = "x1" && _ecdsa_bits=384 14 test "x$_n" = "x1" && _ecdsa_bits=384
15 test "x$_n" = "x2" && _ecdsa_bits=521 15 test "x$_n" = "x2" && _ecdsa_bits=521
16 ssh-keygen -qt rsa1 -b 1024 -C "RSA1 #$_n" -N "" -f rsa1_$_n
17 ssh-keygen -qt rsa -b 1024 -C "RSA #$_n" -N "" -f rsa_$_n 16 ssh-keygen -qt rsa -b 1024 -C "RSA #$_n" -N "" -f rsa_$_n
18 ssh-keygen -qt dsa -b 1024 -C "DSA #$_n" -N "" -f dsa_$_n 17 ssh-keygen -qt dsa -b 1024 -C "DSA #$_n" -N "" -f dsa_$_n
19 ssh-keygen -qt ecdsa -b $_ecdsa_bits -C "ECDSA #$_n" -N "" -f ecdsa_$_n 18 ssh-keygen -qt ecdsa -b $_ecdsa_bits -C "ECDSA #$_n" -N "" -f ecdsa_$_n
20 ssh-keygen -qt ed25519 -C "ED25519 #$_n" -N "" -f ed25519_$_n 19 ssh-keygen -qt ed25519 -C "ED25519 #$_n" -N "" -f ed25519_$_n
21 # Don't need private keys 20 # Don't need private keys
22 rm -f rsa1_$_n rsa_$_n dsa_$_n ecdsa_$_n ed25519_$_n 21 rm -f rsa_$_n dsa_$_n ecdsa_$_n ed25519_$_n
23} 22}
24 23
25hentries() { 24hentries() {
@@ -64,7 +63,6 @@ rm -f known_hosts_hash_frag.old
64 echo 63 echo
65 64
66 echo "# Revoked and CA keys" 65 echo "# Revoked and CA keys"
67 printf "@revoked sisyphus.example.com " ; cat rsa1_4.pub
68 printf "@revoked sisyphus.example.com " ; cat ed25519_4.pub 66 printf "@revoked sisyphus.example.com " ; cat ed25519_4.pub
69 printf "@cert-authority prometheus.example.com " ; cat ecdsa_4.pub 67 printf "@cert-authority prometheus.example.com " ; cat ecdsa_4.pub
70 printf "@cert-authority *.example.com " ; cat dsa_4.pub 68 printf "@cert-authority *.example.com " ; cat dsa_4.pub
@@ -72,19 +70,13 @@ rm -f known_hosts_hash_frag.old
72 printf "\n" 70 printf "\n"
73 echo "# Some invalid lines" 71 echo "# Some invalid lines"
74 # Invalid marker 72 # Invalid marker
75 printf "@what sisyphus.example.com " ; cat rsa1_1.pub 73 printf "@what sisyphus.example.com " ; cat dsa_1.pub
76 # Key missing 74 # Key missing
77 echo "sisyphus.example.com " 75 echo "sisyphus.example.com "
78 # Key blob missing 76 # Key blob missing
79 echo "prometheus.example.com ssh-ed25519 " 77 echo "prometheus.example.com ssh-ed25519 "
80 # Key blob truncated 78 # Key blob truncated
81 echo "sisyphus.example.com ssh-dsa AAAATgAAAAdz" 79 echo "sisyphus.example.com ssh-dsa AAAATgAAAAdz"
82 # RSA1 key truncated after key bits
83 echo "prometheus.example.com 1024 "
84 # RSA1 key truncated after exponent
85 echo "sisyphus.example.com 1024 65535 "
86 # RSA1 key incorrect key bits
87 printf "prometheus.example.com 1025 " ; cut -d' ' -f2- < rsa1_1.pub
88 # Invalid type 80 # Invalid type
89 echo "sisyphus.example.com ssh-XXX AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg==" 81 echo "sisyphus.example.com ssh-XXX AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg=="
90 # Type mismatch with blob 82 # Type mismatch with blob
diff --git a/regress/unittests/hostkeys/test_iterate.c b/regress/unittests/hostkeys/test_iterate.c
index 2eaaf063a..751825dda 100644
--- a/regress/unittests/hostkeys/test_iterate.c
+++ b/regress/unittests/hostkeys/test_iterate.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_iterate.c,v 1.4 2015/03/31 22:59:01 djm Exp $ */ 1/* $OpenBSD: test_iterate.c,v 1.5 2017/04/30 23:33:48 djm Exp $ */
2/* 2/*
3 * Regress test for hostfile.h hostkeys_foreach() 3 * Regress test for hostfile.h hostkeys_foreach()
4 * 4 *
@@ -90,14 +90,6 @@ check(struct hostkey_foreach_line *l, void *_ctx)
90 expected_keytype = (parse_key || expected->no_parse_keytype < 0) ? 90 expected_keytype = (parse_key || expected->no_parse_keytype < 0) ?
91 expected->l.keytype : expected->no_parse_keytype; 91 expected->l.keytype : expected->no_parse_keytype;
92 92
93#ifndef WITH_SSH1
94 if (parse_key && (expected->l.keytype == KEY_RSA1 ||
95 expected->no_parse_keytype == KEY_RSA1)) {
96 expected_status = HKF_STATUS_INVALID;
97 expected_keytype = KEY_UNSPEC;
98 parse_key = 0;
99 }
100#endif
101#ifndef OPENSSL_HAS_ECC 93#ifndef OPENSSL_HAS_ECC
102 if (expected->l.keytype == KEY_ECDSA || 94 if (expected->l.keytype == KEY_ECDSA ||
103 expected->no_parse_keytype == KEY_ECDSA) { 95 expected->no_parse_keytype == KEY_ECDSA) {
@@ -150,10 +142,6 @@ prepare_expected(struct expected *expected, size_t n)
150 for (i = 0; i < n; i++) { 142 for (i = 0; i < n; i++) {
151 if (expected[i].key_file == NULL) 143 if (expected[i].key_file == NULL)
152 continue; 144 continue;
153#ifndef WITH_SSH1
154 if (expected[i].l.keytype == KEY_RSA1)
155 continue;
156#endif
157#ifndef OPENSSL_HAS_ECC 145#ifndef OPENSSL_HAS_ECC
158 if (expected[i].l.keytype == KEY_ECDSA) 146 if (expected[i].l.keytype == KEY_ECDSA)
159 continue; 147 continue;
@@ -217,22 +205,9 @@ struct expected expected_full[] = {
217 NULL, /* filled at runtime */ 205 NULL, /* filled at runtime */
218 "ED25519 #1", 206 "ED25519 #1",
219 } }, 207 } },
220 { "rsa1_1.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, {
221 NULL,
222 5,
223 HKF_STATUS_OK,
224 0,
225 NULL,
226 MRK_NONE,
227 "sisyphus.example.com",
228 NULL,
229 KEY_RSA1,
230 NULL, /* filled at runtime */
231 "RSA1 #1",
232 } },
233 { "rsa_1.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { 208 { "rsa_1.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, {
234 NULL, 209 NULL,
235 6, 210 5,
236 HKF_STATUS_OK, 211 HKF_STATUS_OK,
237 0, 212 0,
238 NULL, 213 NULL,
@@ -245,7 +220,7 @@ struct expected expected_full[] = {
245 } }, 220 } },
246 { NULL, -1, -1, 0, 0, 0, 0, -1, { 221 { NULL, -1, -1, 0, 0, 0, 0, -1, {
247 NULL, 222 NULL,
248 7, 223 6,
249 HKF_STATUS_COMMENT, 224 HKF_STATUS_COMMENT,
250 0, 225 0,
251 "", 226 "",
@@ -258,7 +233,7 @@ struct expected expected_full[] = {
258 } }, 233 } },
259 { NULL, -1, -1, 0, 0, 0, 0, -1, { 234 { NULL, -1, -1, 0, 0, 0, 0, -1, {
260 NULL, 235 NULL,
261 8, 236 7,
262 HKF_STATUS_COMMENT, 237 HKF_STATUS_COMMENT,
263 0, 238 0,
264 "# Plain host keys, hostnames + addresses", 239 "# Plain host keys, hostnames + addresses",
@@ -271,7 +246,7 @@ struct expected expected_full[] = {
271 } }, 246 } },
272 { "dsa_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, { 247 { "dsa_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
273 NULL, 248 NULL,
274 9, 249 8,
275 HKF_STATUS_OK, 250 HKF_STATUS_OK,
276 0, 251 0,
277 NULL, 252 NULL,
@@ -284,7 +259,7 @@ struct expected expected_full[] = {
284 } }, 259 } },
285 { "ecdsa_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, { 260 { "ecdsa_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
286 NULL, 261 NULL,
287 10, 262 9,
288 HKF_STATUS_OK, 263 HKF_STATUS_OK,
289 0, 264 0,
290 NULL, 265 NULL,
@@ -297,7 +272,7 @@ struct expected expected_full[] = {
297 } }, 272 } },
298 { "ed25519_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, { 273 { "ed25519_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
299 NULL, 274 NULL,
300 11, 275 10,
301 HKF_STATUS_OK, 276 HKF_STATUS_OK,
302 0, 277 0,
303 NULL, 278 NULL,
@@ -308,22 +283,9 @@ struct expected expected_full[] = {
308 NULL, /* filled at runtime */ 283 NULL, /* filled at runtime */
309 "ED25519 #2", 284 "ED25519 #2",
310 } }, 285 } },
311 { "rsa1_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
312 NULL,
313 12,
314 HKF_STATUS_OK,
315 0,
316 NULL,
317 MRK_NONE,
318 "prometheus.example.com,192.0.2.1,2001:db8::1",
319 NULL,
320 KEY_RSA1,
321 NULL, /* filled at runtime */
322 "RSA1 #2",
323 } },
324 { "rsa_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, { 286 { "rsa_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
325 NULL, 287 NULL,
326 13, 288 11,
327 HKF_STATUS_OK, 289 HKF_STATUS_OK,
328 0, 290 0,
329 NULL, 291 NULL,
@@ -336,7 +298,7 @@ struct expected expected_full[] = {
336 } }, 298 } },
337 { NULL, -1, -1, 0, 0, 0, 0, -1, { 299 { NULL, -1, -1, 0, 0, 0, 0, -1, {
338 NULL, 300 NULL,
339 14, 301 12,
340 HKF_STATUS_COMMENT, 302 HKF_STATUS_COMMENT,
341 0, 303 0,
342 "", 304 "",
@@ -349,7 +311,7 @@ struct expected expected_full[] = {
349 } }, 311 } },
350 { NULL, -1, -1, 0, 0, 0, 0, -1, { 312 { NULL, -1, -1, 0, 0, 0, 0, -1, {
351 NULL, 313 NULL,
352 15, 314 13,
353 HKF_STATUS_COMMENT, 315 HKF_STATUS_COMMENT,
354 0, 316 0,
355 "# Some hosts with wildcard names / IPs", 317 "# Some hosts with wildcard names / IPs",
@@ -362,7 +324,7 @@ struct expected expected_full[] = {
362 } }, 324 } },
363 { "dsa_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, { 325 { "dsa_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
364 NULL, 326 NULL,
365 16, 327 14,
366 HKF_STATUS_OK, 328 HKF_STATUS_OK,
367 0, 329 0,
368 NULL, 330 NULL,
@@ -375,7 +337,7 @@ struct expected expected_full[] = {
375 } }, 337 } },
376 { "ecdsa_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, { 338 { "ecdsa_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
377 NULL, 339 NULL,
378 17, 340 15,
379 HKF_STATUS_OK, 341 HKF_STATUS_OK,
380 0, 342 0,
381 NULL, 343 NULL,
@@ -388,7 +350,7 @@ struct expected expected_full[] = {
388 } }, 350 } },
389 { "ed25519_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, { 351 { "ed25519_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
390 NULL, 352 NULL,
391 18, 353 16,
392 HKF_STATUS_OK, 354 HKF_STATUS_OK,
393 0, 355 0,
394 NULL, 356 NULL,
@@ -399,22 +361,9 @@ struct expected expected_full[] = {
399 NULL, /* filled at runtime */ 361 NULL, /* filled at runtime */
400 "ED25519 #3", 362 "ED25519 #3",
401 } }, 363 } },
402 { "rsa1_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
403 NULL,
404 19,
405 HKF_STATUS_OK,
406 0,
407 NULL,
408 MRK_NONE,
409 "*.example.com,192.0.2.*,2001:*",
410 NULL,
411 KEY_RSA1,
412 NULL, /* filled at runtime */
413 "RSA1 #3",
414 } },
415 { "rsa_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, { 364 { "rsa_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, {
416 NULL, 365 NULL,
417 20, 366 17,
418 HKF_STATUS_OK, 367 HKF_STATUS_OK,
419 0, 368 0,
420 NULL, 369 NULL,
@@ -427,7 +376,7 @@ struct expected expected_full[] = {
427 } }, 376 } },
428 { NULL, -1, -1, 0, 0, 0, 0, -1, { 377 { NULL, -1, -1, 0, 0, 0, 0, -1, {
429 NULL, 378 NULL,
430 21, 379 18,
431 HKF_STATUS_COMMENT, 380 HKF_STATUS_COMMENT,
432 0, 381 0,
433 "", 382 "",
@@ -440,7 +389,7 @@ struct expected expected_full[] = {
440 } }, 389 } },
441 { NULL, -1, -1, 0, 0, 0, 0, -1, { 390 { NULL, -1, -1, 0, 0, 0, 0, -1, {
442 NULL, 391 NULL,
443 22, 392 19,
444 HKF_STATUS_COMMENT, 393 HKF_STATUS_COMMENT,
445 0, 394 0,
446 "# Hashed hostname and address entries", 395 "# Hashed hostname and address entries",
@@ -453,7 +402,7 @@ struct expected expected_full[] = {
453 } }, 402 } },
454 { "dsa_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, { 403 { "dsa_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, {
455 NULL, 404 NULL,
456 23, 405 20,
457 HKF_STATUS_OK, 406 HKF_STATUS_OK,
458 0, 407 0,
459 NULL, 408 NULL,
@@ -466,7 +415,7 @@ struct expected expected_full[] = {
466 } }, 415 } },
467 { "ecdsa_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, { 416 { "ecdsa_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, {
468 NULL, 417 NULL,
469 24, 418 21,
470 HKF_STATUS_OK, 419 HKF_STATUS_OK,
471 0, 420 0,
472 NULL, 421 NULL,
@@ -479,7 +428,7 @@ struct expected expected_full[] = {
479 } }, 428 } },
480 { "ed25519_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, { 429 { "ed25519_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, {
481 NULL, 430 NULL,
482 25, 431 22,
483 HKF_STATUS_OK, 432 HKF_STATUS_OK,
484 0, 433 0,
485 NULL, 434 NULL,
@@ -490,22 +439,9 @@ struct expected expected_full[] = {
490 NULL, /* filled at runtime */ 439 NULL, /* filled at runtime */
491 "ED25519 #5", 440 "ED25519 #5",
492 } }, 441 } },
493 { "rsa1_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, {
494 NULL,
495 26,
496 HKF_STATUS_OK,
497 0,
498 NULL,
499 MRK_NONE,
500 NULL,
501 NULL,
502 KEY_RSA1,
503 NULL, /* filled at runtime */
504 "RSA1 #5",
505 } },
506 { "rsa_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, { 442 { "rsa_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, {
507 NULL, 443 NULL,
508 27, 444 23,
509 HKF_STATUS_OK, 445 HKF_STATUS_OK,
510 0, 446 0,
511 NULL, 447 NULL,
@@ -518,7 +454,7 @@ struct expected expected_full[] = {
518 } }, 454 } },
519 { NULL, -1, -1, 0, 0, 0, 0, -1, { 455 { NULL, -1, -1, 0, 0, 0, 0, -1, {
520 NULL, 456 NULL,
521 28, 457 24,
522 HKF_STATUS_COMMENT, 458 HKF_STATUS_COMMENT,
523 0, 459 0,
524 "", 460 "",
@@ -536,7 +472,7 @@ struct expected expected_full[] = {
536 */ 472 */
537 { "dsa_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, { 473 { "dsa_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, {
538 NULL, 474 NULL,
539 29, 475 25,
540 HKF_STATUS_OK, 476 HKF_STATUS_OK,
541 0, 477 0,
542 NULL, 478 NULL,
@@ -549,7 +485,7 @@ struct expected expected_full[] = {
549 } }, 485 } },
550 { "dsa_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, { 486 { "dsa_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, {
551 NULL, 487 NULL,
552 30, 488 26,
553 HKF_STATUS_OK, 489 HKF_STATUS_OK,
554 0, 490 0,
555 NULL, 491 NULL,
@@ -562,7 +498,7 @@ struct expected expected_full[] = {
562 } }, 498 } },
563 { "dsa_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, { 499 { "dsa_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, {
564 NULL, 500 NULL,
565 31, 501 27,
566 HKF_STATUS_OK, 502 HKF_STATUS_OK,
567 0, 503 0,
568 NULL, 504 NULL,
@@ -575,7 +511,7 @@ struct expected expected_full[] = {
575 } }, 511 } },
576 { "ecdsa_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, { 512 { "ecdsa_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, {
577 NULL, 513 NULL,
578 32, 514 28,
579 HKF_STATUS_OK, 515 HKF_STATUS_OK,
580 0, 516 0,
581 NULL, 517 NULL,
@@ -588,7 +524,7 @@ struct expected expected_full[] = {
588 } }, 524 } },
589 { "ecdsa_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, { 525 { "ecdsa_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, {
590 NULL, 526 NULL,
591 33, 527 29,
592 HKF_STATUS_OK, 528 HKF_STATUS_OK,
593 0, 529 0,
594 NULL, 530 NULL,
@@ -601,7 +537,7 @@ struct expected expected_full[] = {
601 } }, 537 } },
602 { "ecdsa_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, { 538 { "ecdsa_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, {
603 NULL, 539 NULL,
604 34, 540 30,
605 HKF_STATUS_OK, 541 HKF_STATUS_OK,
606 0, 542 0,
607 NULL, 543 NULL,
@@ -614,7 +550,7 @@ struct expected expected_full[] = {
614 } }, 550 } },
615 { "ed25519_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, { 551 { "ed25519_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, {
616 NULL, 552 NULL,
617 35, 553 31,
618 HKF_STATUS_OK, 554 HKF_STATUS_OK,
619 0, 555 0,
620 NULL, 556 NULL,
@@ -627,7 +563,7 @@ struct expected expected_full[] = {
627 } }, 563 } },
628 { "ed25519_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, { 564 { "ed25519_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, {
629 NULL, 565 NULL,
630 36, 566 32,
631 HKF_STATUS_OK, 567 HKF_STATUS_OK,
632 0, 568 0,
633 NULL, 569 NULL,
@@ -640,7 +576,7 @@ struct expected expected_full[] = {
640 } }, 576 } },
641 { "ed25519_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, { 577 { "ed25519_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, {
642 NULL, 578 NULL,
643 37, 579 33,
644 HKF_STATUS_OK, 580 HKF_STATUS_OK,
645 0, 581 0,
646 NULL, 582 NULL,
@@ -651,48 +587,9 @@ struct expected expected_full[] = {
651 NULL, /* filled at runtime */ 587 NULL, /* filled at runtime */
652 "ED25519 #6", 588 "ED25519 #6",
653 } }, 589 } },
654 { "rsa1_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, {
655 NULL,
656 38,
657 HKF_STATUS_OK,
658 0,
659 NULL,
660 MRK_NONE,
661 NULL,
662 NULL,
663 KEY_RSA1,
664 NULL, /* filled at runtime */
665 "RSA1 #6",
666 } },
667 { "rsa1_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, {
668 NULL,
669 39,
670 HKF_STATUS_OK,
671 0,
672 NULL,
673 MRK_NONE,
674 NULL,
675 NULL,
676 KEY_RSA1,
677 NULL, /* filled at runtime */
678 "RSA1 #6",
679 } },
680 { "rsa1_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, {
681 NULL,
682 40,
683 HKF_STATUS_OK,
684 0,
685 NULL,
686 MRK_NONE,
687 NULL,
688 NULL,
689 KEY_RSA1,
690 NULL, /* filled at runtime */
691 "RSA1 #6",
692 } },
693 { "rsa_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, { 590 { "rsa_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, {
694 NULL, 591 NULL,
695 41, 592 34,
696 HKF_STATUS_OK, 593 HKF_STATUS_OK,
697 0, 594 0,
698 NULL, 595 NULL,
@@ -705,7 +602,7 @@ struct expected expected_full[] = {
705 } }, 602 } },
706 { "rsa_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, { 603 { "rsa_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, {
707 NULL, 604 NULL,
708 42, 605 35,
709 HKF_STATUS_OK, 606 HKF_STATUS_OK,
710 0, 607 0,
711 NULL, 608 NULL,
@@ -718,7 +615,7 @@ struct expected expected_full[] = {
718 } }, 615 } },
719 { "rsa_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, { 616 { "rsa_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, {
720 NULL, 617 NULL,
721 43, 618 36,
722 HKF_STATUS_OK, 619 HKF_STATUS_OK,
723 0, 620 0,
724 NULL, 621 NULL,
@@ -731,7 +628,7 @@ struct expected expected_full[] = {
731 } }, 628 } },
732 { NULL, -1, -1, 0, 0, 0, 0, -1, { 629 { NULL, -1, -1, 0, 0, 0, 0, -1, {
733 NULL, 630 NULL,
734 44, 631 37,
735 HKF_STATUS_COMMENT, 632 HKF_STATUS_COMMENT,
736 0, 633 0,
737 "", 634 "",
@@ -744,7 +641,7 @@ struct expected expected_full[] = {
744 } }, 641 } },
745 { NULL, -1, -1, 0, 0, 0, 0, -1, { 642 { NULL, -1, -1, 0, 0, 0, 0, -1, {
746 NULL, 643 NULL,
747 45, 644 38,
748 HKF_STATUS_COMMENT, 645 HKF_STATUS_COMMENT,
749 0, 646 0,
750 "", 647 "",
@@ -757,7 +654,7 @@ struct expected expected_full[] = {
757 } }, 654 } },
758 { NULL, -1, -1, 0, 0, 0, 0, -1, { 655 { NULL, -1, -1, 0, 0, 0, 0, -1, {
759 NULL, 656 NULL,
760 46, 657 39,
761 HKF_STATUS_COMMENT, 658 HKF_STATUS_COMMENT,
762 0, 659 0,
763 "# Revoked and CA keys", 660 "# Revoked and CA keys",
@@ -768,22 +665,9 @@ struct expected expected_full[] = {
768 NULL, 665 NULL,
769 NULL, 666 NULL,
770 } }, 667 } },
771 { "rsa1_4.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, {
772 NULL,
773 47,
774 HKF_STATUS_OK,
775 0,
776 NULL,
777 MRK_REVOKE,
778 "sisyphus.example.com",
779 NULL,
780 KEY_RSA1,
781 NULL, /* filled at runtime */
782 "RSA1 #4",
783 } },
784 { "ed25519_4.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { 668 { "ed25519_4.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, {
785 NULL, 669 NULL,
786 48, 670 40,
787 HKF_STATUS_OK, 671 HKF_STATUS_OK,
788 0, 672 0,
789 NULL, 673 NULL,
@@ -796,7 +680,7 @@ struct expected expected_full[] = {
796 } }, 680 } },
797 { "ecdsa_4.pub" , -1, -1, HKF_MATCH_HOST, 0, 0, 0, -1, { 681 { "ecdsa_4.pub" , -1, -1, HKF_MATCH_HOST, 0, 0, 0, -1, {
798 NULL, 682 NULL,
799 49, 683 41,
800 HKF_STATUS_OK, 684 HKF_STATUS_OK,
801 0, 685 0,
802 NULL, 686 NULL,
@@ -809,7 +693,7 @@ struct expected expected_full[] = {
809 } }, 693 } },
810 { "dsa_4.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, 0, 0, -1, { 694 { "dsa_4.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, 0, 0, -1, {
811 NULL, 695 NULL,
812 50, 696 42,
813 HKF_STATUS_OK, 697 HKF_STATUS_OK,
814 0, 698 0,
815 NULL, 699 NULL,
@@ -822,7 +706,7 @@ struct expected expected_full[] = {
822 } }, 706 } },
823 { NULL, -1, -1, 0, 0, 0, 0, -1, { 707 { NULL, -1, -1, 0, 0, 0, 0, -1, {
824 NULL, 708 NULL,
825 51, 709 43,
826 HKF_STATUS_COMMENT, 710 HKF_STATUS_COMMENT,
827 0, 711 0,
828 "", 712 "",
@@ -835,7 +719,7 @@ struct expected expected_full[] = {
835 } }, 719 } },
836 { NULL, -1, -1, 0, 0, 0, 0, -1, { 720 { NULL, -1, -1, 0, 0, 0, 0, -1, {
837 NULL, 721 NULL,
838 52, 722 44,
839 HKF_STATUS_COMMENT, 723 HKF_STATUS_COMMENT,
840 0, 724 0,
841 "# Some invalid lines", 725 "# Some invalid lines",
@@ -848,7 +732,7 @@ struct expected expected_full[] = {
848 } }, 732 } },
849 { NULL, -1, -1, 0, 0, 0, 0, -1, { 733 { NULL, -1, -1, 0, 0, 0, 0, -1, {
850 NULL, 734 NULL,
851 53, 735 45,
852 HKF_STATUS_INVALID, 736 HKF_STATUS_INVALID,
853 0, 737 0,
854 NULL, 738 NULL,
@@ -861,7 +745,7 @@ struct expected expected_full[] = {
861 } }, 745 } },
862 { NULL, -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { 746 { NULL, -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, {
863 NULL, 747 NULL,
864 54, 748 46,
865 HKF_STATUS_INVALID, 749 HKF_STATUS_INVALID,
866 0, 750 0,
867 NULL, 751 NULL,
@@ -874,7 +758,7 @@ struct expected expected_full[] = {
874 } }, 758 } },
875 { NULL, -1, -1, HKF_MATCH_HOST, 0, 0, 0, -1, { 759 { NULL, -1, -1, HKF_MATCH_HOST, 0, 0, 0, -1, {
876 NULL, 760 NULL,
877 55, 761 47,
878 HKF_STATUS_INVALID, 762 HKF_STATUS_INVALID,
879 0, 763 0,
880 NULL, 764 NULL,
@@ -887,33 +771,7 @@ struct expected expected_full[] = {
887 } }, 771 } },
888 { NULL, -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { 772 { NULL, -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, {
889 NULL, 773 NULL,
890 56, 774 48,
891 HKF_STATUS_INVALID, /* Would be ok if key not parsed */
892 0,
893 NULL,
894 MRK_NONE,
895 "sisyphus.example.com",
896 NULL,
897 KEY_UNSPEC,
898 NULL,
899 NULL,
900 } },
901 { NULL, -1, -1, HKF_MATCH_HOST, 0, 0, 0, -1, {
902 NULL,
903 57,
904 HKF_STATUS_INVALID, /* Would be ok if key not parsed */
905 0,
906 NULL,
907 MRK_NONE,
908 "prometheus.example.com",
909 NULL,
910 KEY_UNSPEC,
911 NULL,
912 NULL,
913 } },
914 { NULL, HKF_STATUS_OK, KEY_RSA1, 0, HKF_MATCH_HOST, 0, 0, -1, {
915 NULL,
916 58,
917 HKF_STATUS_INVALID, /* Would be ok if key not parsed */ 775 HKF_STATUS_INVALID, /* Would be ok if key not parsed */
918 0, 776 0,
919 NULL, 777 NULL,
@@ -924,22 +782,9 @@ struct expected expected_full[] = {
924 NULL, 782 NULL,
925 NULL, 783 NULL,
926 } }, 784 } },
927 { NULL, HKF_STATUS_OK, KEY_RSA1, HKF_MATCH_HOST, 0, 0, 0, -1, {
928 NULL,
929 59,
930 HKF_STATUS_INVALID, /* Would be ok if key not parsed */
931 0,
932 NULL,
933 MRK_NONE,
934 "prometheus.example.com",
935 NULL,
936 KEY_UNSPEC,
937 NULL, /* filled at runtime */
938 NULL,
939 } },
940 { NULL, -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { 785 { NULL, -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, {
941 NULL, 786 NULL,
942 60, 787 49,
943 HKF_STATUS_INVALID, 788 HKF_STATUS_INVALID,
944 0, 789 0,
945 NULL, 790 NULL,
@@ -952,7 +797,7 @@ struct expected expected_full[] = {
952 } }, 797 } },
953 { NULL, HKF_STATUS_OK, KEY_RSA, HKF_MATCH_HOST, 0, 0, 0, -1, { 798 { NULL, HKF_STATUS_OK, KEY_RSA, HKF_MATCH_HOST, 0, 0, 0, -1, {
954 NULL, 799 NULL,
955 61, 800 50,
956 HKF_STATUS_INVALID, /* Would be ok if key not parsed */ 801 HKF_STATUS_INVALID, /* Would be ok if key not parsed */
957 0, 802 0,
958 NULL, 803 NULL,
diff --git a/regress/unittests/hostkeys/testdata/known_hosts b/regress/unittests/hostkeys/testdata/known_hosts
index 3740f674b..4446f45df 100644
--- a/regress/unittests/hostkeys/testdata/known_hosts
+++ b/regress/unittests/hostkeys/testdata/known_hosts
@@ -2,60 +2,49 @@
2sisyphus.example.com ssh-dss AAAAB3NzaC1kc3MAAACBAOqffHxEW4c+Z9q/r3l4sYK8F7qrBsU8XF9upGsW62T9InROFFq9IO0x3pQ6mDA0Wtw0sqcDmkPCHPyP4Ok/fU3/drLaZusHoVYu8pBBrWsIDrKgkeX9TEodBsSrYdl4Sqtqq9EZv9+DttV6LStZrgYyUTOKwOF95wGantpLynX5AAAAFQDdt+zjRNlETDsgmxcSYFgREirJrQAAAIBQlrPaiPhR24FhnMLcHH4016vL7AqDDID6Qw7PhbXGa4/XlxWMIigjBKrIPKvnZ6p712LSnCKtcbfdx0MtmJlNa01CYqPaRhgRaf+uGdvTkTUcdaq8R5lLJL+JMNwUhcC8ijm3NqEjXjffuebGe1EzIeiITbA7Nndcd+GytwRDegAAAIEAkRYPjSVcUxfUHhHdpP6V8CuY1+CYSs9EPJ7iiWTDuXWVIBTU32oJLAnrmAcOwtIzEfPvm+rff5FI/Yhon2pB3VTXhPPEBjYzE5qANanAT4e6tzAVc5f3DUhHaDknwRYfDz86GFvuLtDjeE/UZ9t6OofYoEsCBpYozLAprBvNIQY= DSA #1 2sisyphus.example.com ssh-dss AAAAB3NzaC1kc3MAAACBAOqffHxEW4c+Z9q/r3l4sYK8F7qrBsU8XF9upGsW62T9InROFFq9IO0x3pQ6mDA0Wtw0sqcDmkPCHPyP4Ok/fU3/drLaZusHoVYu8pBBrWsIDrKgkeX9TEodBsSrYdl4Sqtqq9EZv9+DttV6LStZrgYyUTOKwOF95wGantpLynX5AAAAFQDdt+zjRNlETDsgmxcSYFgREirJrQAAAIBQlrPaiPhR24FhnMLcHH4016vL7AqDDID6Qw7PhbXGa4/XlxWMIigjBKrIPKvnZ6p712LSnCKtcbfdx0MtmJlNa01CYqPaRhgRaf+uGdvTkTUcdaq8R5lLJL+JMNwUhcC8ijm3NqEjXjffuebGe1EzIeiITbA7Nndcd+GytwRDegAAAIEAkRYPjSVcUxfUHhHdpP6V8CuY1+CYSs9EPJ7iiWTDuXWVIBTU32oJLAnrmAcOwtIzEfPvm+rff5FI/Yhon2pB3VTXhPPEBjYzE5qANanAT4e6tzAVc5f3DUhHaDknwRYfDz86GFvuLtDjeE/UZ9t6OofYoEsCBpYozLAprBvNIQY= DSA #1
3sisyphus.example.com ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF6yQEtD9yBw9gmDRf477WBBzvWhAa0ioBI3nbA4emKykj0RbuQd5C4XdQAEOZGzE7v//FcCjwB2wi+JH5eKkxCtN6CjohDASZ1huoIV2UVyYIicZJEEOg1IWjjphvaxtw== ECDSA #1 3sisyphus.example.com ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF6yQEtD9yBw9gmDRf477WBBzvWhAa0ioBI3nbA4emKykj0RbuQd5C4XdQAEOZGzE7v//FcCjwB2wi+JH5eKkxCtN6CjohDASZ1huoIV2UVyYIicZJEEOg1IWjjphvaxtw== ECDSA #1
4sisyphus.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK9ks7jkua5YWIwByRnnnc6UPJQWI75O0e/UJdPYU1JI ED25519 #1 4sisyphus.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK9ks7jkua5YWIwByRnnnc6UPJQWI75O0e/UJdPYU1JI ED25519 #1
5sisyphus.example.com 1024 65537 153895431603677073925890314548566704948446776958334195280085080329934839226701954473292358821568047724356487621573742372399387931887004184139835510820577359977148363519970774657801798872789118894962853659233045778161859413980935372685480527355016624825696983269800574755126132814333241868538220824608980319407 RSA1 #1
6sisyphus.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDg4hB4vAZHJ0PVRiJajOv/GlytFWNpv5/9xgB9+5BIbvp8LOrFZ5D9K0Gsmwpd4G4rfaAz8j896DhMArg0vtkilIPPGt/6VzWMERgvaIQPJ/IE99X3+fjcAG56oAWwy29JX10lQMzBPU6XJIaN/zqpkb6qUBiAHBdLpxrFBBU0/w== RSA #1 5sisyphus.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDg4hB4vAZHJ0PVRiJajOv/GlytFWNpv5/9xgB9+5BIbvp8LOrFZ5D9K0Gsmwpd4G4rfaAz8j896DhMArg0vtkilIPPGt/6VzWMERgvaIQPJ/IE99X3+fjcAG56oAWwy29JX10lQMzBPU6XJIaN/zqpkb6qUBiAHBdLpxrFBBU0/w== RSA #1
7 6
8# Plain host keys, hostnames + addresses 7# Plain host keys, hostnames + addresses
9prometheus.example.com,192.0.2.1,2001:db8::1 ssh-dss AAAAB3NzaC1kc3MAAACBAI38Hy/61/O5Bp6yUG8J5XQCeNjRS0xvjlCdzKLyXCueMa+L+X2L/u9PWUsy5SVbTjGgpB8sF6UkCNsV+va7S8zCCHas2MZ7GPlxP6GZBkRPTIFR0N/Pu7wfBzDQz0t0iL4VmxBfTBQv/SxkGWZg+yHihIQP9fwdSAwD/7aVh6ItAAAAFQDSyihIUlINlswM0PJ8wXSti3yIMwAAAIB+oqzaB6ozqs8YxpN5oQOBa/9HEBQEsp8RSIlQmVubXRNgktp42n+Ii1waU9UUk8DX5ahhIeR6B7ojWkqmDAji4SKpoHf4kmr6HvYo85ZSTSx0W4YK/gJHSpDJwhlT52tAfb1JCbWSObjl09B4STv7KedCHcR5oXQvvrV+XoKOSAAAAIAue/EXrs2INw1RfaKNHC0oqOMxmRitv0BFMuNVPo1VDj39CE5kA7AHjwvS1TNeaHtK5Hhgeb6vsmLmNPTOc8xCob0ilyQbt9O0GbONeF2Ge7D2UJyULA/hxql+tCYFIC6yUrmo35fF9XiNisXLoaflk9fjp7ROWWVwnki/jstaQw== DSA #2 8prometheus.example.com,192.0.2.1,2001:db8::1 ssh-dss AAAAB3NzaC1kc3MAAACBAI38Hy/61/O5Bp6yUG8J5XQCeNjRS0xvjlCdzKLyXCueMa+L+X2L/u9PWUsy5SVbTjGgpB8sF6UkCNsV+va7S8zCCHas2MZ7GPlxP6GZBkRPTIFR0N/Pu7wfBzDQz0t0iL4VmxBfTBQv/SxkGWZg+yHihIQP9fwdSAwD/7aVh6ItAAAAFQDSyihIUlINlswM0PJ8wXSti3yIMwAAAIB+oqzaB6ozqs8YxpN5oQOBa/9HEBQEsp8RSIlQmVubXRNgktp42n+Ii1waU9UUk8DX5ahhIeR6B7ojWkqmDAji4SKpoHf4kmr6HvYo85ZSTSx0W4YK/gJHSpDJwhlT52tAfb1JCbWSObjl09B4STv7KedCHcR5oXQvvrV+XoKOSAAAAIAue/EXrs2INw1RfaKNHC0oqOMxmRitv0BFMuNVPo1VDj39CE5kA7AHjwvS1TNeaHtK5Hhgeb6vsmLmNPTOc8xCob0ilyQbt9O0GbONeF2Ge7D2UJyULA/hxql+tCYFIC6yUrmo35fF9XiNisXLoaflk9fjp7ROWWVwnki/jstaQw== DSA #2
10prometheus.example.com,192.0.2.1,2001:db8::1 ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAB8qVcXwgBM92NCmReQlPrZAoui4Bz/mW0VUBFOpHXXW1n+15b/Y7Pc6UBd/ITTZmaBciXY+PWaSBGdwc5GdqGdLgFyJ/QAGrFMPNpVutm/82gNQzlxpNwjbMcKyiZEXzSgnjS6DzMQ0WuSMdzIBXq8OW/Kafxg4ZkU6YqALUXxlQMZuQ== ECDSA #2 9prometheus.example.com,192.0.2.1,2001:db8::1 ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAB8qVcXwgBM92NCmReQlPrZAoui4Bz/mW0VUBFOpHXXW1n+15b/Y7Pc6UBd/ITTZmaBciXY+PWaSBGdwc5GdqGdLgFyJ/QAGrFMPNpVutm/82gNQzlxpNwjbMcKyiZEXzSgnjS6DzMQ0WuSMdzIBXq8OW/Kafxg4ZkU6YqALUXxlQMZuQ== ECDSA #2
11prometheus.example.com,192.0.2.1,2001:db8::1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBp6PVW0z2o9C4Ukv/JOgmK7QMFe1pD1s3ADFF7IQob ED25519 #2 10prometheus.example.com,192.0.2.1,2001:db8::1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBp6PVW0z2o9C4Ukv/JOgmK7QMFe1pD1s3ADFF7IQob ED25519 #2
12prometheus.example.com,192.0.2.1,2001:db8::1 1024 65537 135970715082947442639683969597180728933388298633245835186618852623800675939308729462220235058285909679252157995530180587329132927339620517781785310829060832352381015614725360278571924286986474946772141568893116432268565829418506866604294073334978275702221949783314402806080929601995102334442541344606109853641 RSA1 #2
13prometheus.example.com,192.0.2.1,2001:db8::1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDmbUhNabB5AmBDX6GNHZ3lbn7pRxqfpW+f53QqNGlK0sLV+0gkMIrOfUp1kdE2ZLE6tfzdicatj/RlH6/wuo4yyYb+Pyx3G0vxdmAIiA4aANq38XweDucBC0TZkRWVHK+Gs5V/uV0z7N0axJvkkJujMLvST3CRiiWwlficBc6yVQ== RSA #2 11prometheus.example.com,192.0.2.1,2001:db8::1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDmbUhNabB5AmBDX6GNHZ3lbn7pRxqfpW+f53QqNGlK0sLV+0gkMIrOfUp1kdE2ZLE6tfzdicatj/RlH6/wuo4yyYb+Pyx3G0vxdmAIiA4aANq38XweDucBC0TZkRWVHK+Gs5V/uV0z7N0axJvkkJujMLvST3CRiiWwlficBc6yVQ== RSA #2
14 12
15# Some hosts with wildcard names / IPs 13# Some hosts with wildcard names / IPs
16*.example.com,192.0.2.*,2001:* ssh-dss AAAAB3NzaC1kc3MAAACBAI6lz2Ip9bzE7TGuDD4SjO9S4Ac90gq0h6ai1O06eI8t/Ot2uJ5Jk2QyVr2jvIZHDl/5bwBx7+5oyjlwRoUrAPPD814wf5tU2tSnmdu1Wbf0cBswif5q0r4tevzmopp/AtgH11QHo3u0/pfyJd10qBDLV2FaYSKMmZvyPfZJ0s9pAAAAFQD5Eqjl6Rx2qVePodD9OwAPT0bU6wAAAIAfnDm6csZF0sFaJR3NIJvaYgSGr8s7cqlsk2gLltB/1wOOO2yX+NeEC+B0H93hlMfaUsPa08bwgmYxnavSMqEBpmtPceefJiEd68zwYqXd38f88wyWZ9Z5iwaI/6OVZPHzCbDxOa4ewVTevRNYUKP1xUTZNT8/gSMfZLYPk4T2AQAAAIAUKroozRMyV+3V/rxt0gFnNxRXBKk+9cl3vgsQ7ktkI9cYg7V1T2K0XF21AVMK9gODszy6PBJjV6ruXBV6TRiqIbQauivp3bHHKYsG6wiJNqwdbVwIjfvv8nn1qFoZQLXG3sdONr9NwN8KzrX89OV0BlR2dVM5qqp+YxOXymP9yg== DSA #3 14*.example.com,192.0.2.*,2001:* ssh-dss AAAAB3NzaC1kc3MAAACBAI6lz2Ip9bzE7TGuDD4SjO9S4Ac90gq0h6ai1O06eI8t/Ot2uJ5Jk2QyVr2jvIZHDl/5bwBx7+5oyjlwRoUrAPPD814wf5tU2tSnmdu1Wbf0cBswif5q0r4tevzmopp/AtgH11QHo3u0/pfyJd10qBDLV2FaYSKMmZvyPfZJ0s9pAAAAFQD5Eqjl6Rx2qVePodD9OwAPT0bU6wAAAIAfnDm6csZF0sFaJR3NIJvaYgSGr8s7cqlsk2gLltB/1wOOO2yX+NeEC+B0H93hlMfaUsPa08bwgmYxnavSMqEBpmtPceefJiEd68zwYqXd38f88wyWZ9Z5iwaI/6OVZPHzCbDxOa4ewVTevRNYUKP1xUTZNT8/gSMfZLYPk4T2AQAAAIAUKroozRMyV+3V/rxt0gFnNxRXBKk+9cl3vgsQ7ktkI9cYg7V1T2K0XF21AVMK9gODszy6PBJjV6ruXBV6TRiqIbQauivp3bHHKYsG6wiJNqwdbVwIjfvv8nn1qFoZQLXG3sdONr9NwN8KzrX89OV0BlR2dVM5qqp+YxOXymP9yg== DSA #3
17*.example.com,192.0.2.*,2001:* ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIb3BhJZk+vUQPg5TQc1koIzuGqloCq7wjr9LjlhG24IBeiFHLsdWw74HDlH4DrOmlxToVYk2lTdnjARleRByjk= ECDSA #3 15*.example.com,192.0.2.*,2001:* ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIb3BhJZk+vUQPg5TQc1koIzuGqloCq7wjr9LjlhG24IBeiFHLsdWw74HDlH4DrOmlxToVYk2lTdnjARleRByjk= ECDSA #3
18*.example.com,192.0.2.*,2001:* ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlYfExtYZAPqYvYdrlpGlSWhh/XNHcH3v3c2JzsVNbB ED25519 #3 16*.example.com,192.0.2.*,2001:* ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlYfExtYZAPqYvYdrlpGlSWhh/XNHcH3v3c2JzsVNbB ED25519 #3
19*.example.com,192.0.2.*,2001:* 1024 65537 125895605498029643697051635076028105429632810811904702876152645261610759866299221305725069141163240694267669117205342283569102183636228981857946763978553664895308762890072813014496700601576921921752482059207749978374872713540759920335553799711267170948655579130584031555334229966603000896364091459595522912269 RSA1 #3
20*.example.com,192.0.2.*,2001:* ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDX8F93W3SH4ZSus4XUQ2cw9dqcuyUETTlKEeGv3zlknV3YCoe2Mp04naDhiuwj8sOsytrZSESzLY1ZEyzrjxE6ZFVv8NKgck/AbRjcwlRFOcx9oKUxOrXRa0IoXlTq0kyjKCJfaHBKnGitZThknCPTbVmpATkm5xx6J0WEDozfoQ== RSA #3 17*.example.com,192.0.2.*,2001:* ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDX8F93W3SH4ZSus4XUQ2cw9dqcuyUETTlKEeGv3zlknV3YCoe2Mp04naDhiuwj8sOsytrZSESzLY1ZEyzrjxE6ZFVv8NKgck/AbRjcwlRFOcx9oKUxOrXRa0IoXlTq0kyjKCJfaHBKnGitZThknCPTbVmpATkm5xx6J0WEDozfoQ== RSA #3
21 18
22# Hashed hostname and address entries 19# Hashed hostname and address entries
23|1|6FWxoqTCAfm8sZ7T/q73OmxCFGM=|S4eQmusok4cbyDzzGEFGIAthDbw= ssh-dss AAAAB3NzaC1kc3MAAACBALrFy7w5ihlaOG+qR+6fj+vm5EQaO3qwxgACLcgH+VfShuOG4mkx8qFJmf+OZ3fh5iKngjNZfKtfcqI7zHWdk6378TQfQC52/kbZukjNXOLCpyNkogahcjA00onIoTK1RUDuMW28edAHwPFbpttXDTaqis+8JPMY8hZwsZGENCzTAAAAFQD6+It5vozwGgaN9ROYPMlByhi6jwAAAIBz2mcAC694vNzz9b6614gkX9d9E99PzJYfU1MPkXDziKg7MrjBw7Opd5y1jL09S3iL6lSTlHkKwVKvQ3pOwWRwXXRrKVus4I0STveoApm526jmp6mY0YEtqR98vMJ0v97h1ydt8FikKlihefCsnXVicb8887PXs2Y8C6GuFT3tfQAAAIBbmHtV5tPcrMRDkULhaQ/Whap2VKvT2DUhIHA7lx6oy/KpkltOpxDZOIGUHKqffGbiR7Jh01/y090AY5L2eCf0S2Ytx93+eADwVVpJbFJo6zSwfeey2Gm6L2oA+rCz9zTdmtZoekpD3/RAOQjnJIAPwbs7mXwabZTw4xRtiYIRrw== DSA #5 20|1|z3xOIdT5ue3Vuf3MzT67kaioqjw=|GZhhe5uwDOBQrC9N4cCjpbLpSn4= ssh-dss AAAAB3NzaC1kc3MAAACBALrFy7w5ihlaOG+qR+6fj+vm5EQaO3qwxgACLcgH+VfShuOG4mkx8qFJmf+OZ3fh5iKngjNZfKtfcqI7zHWdk6378TQfQC52/kbZukjNXOLCpyNkogahcjA00onIoTK1RUDuMW28edAHwPFbpttXDTaqis+8JPMY8hZwsZGENCzTAAAAFQD6+It5vozwGgaN9ROYPMlByhi6jwAAAIBz2mcAC694vNzz9b6614gkX9d9E99PzJYfU1MPkXDziKg7MrjBw7Opd5y1jL09S3iL6lSTlHkKwVKvQ3pOwWRwXXRrKVus4I0STveoApm526jmp6mY0YEtqR98vMJ0v97h1ydt8FikKlihefCsnXVicb8887PXs2Y8C6GuFT3tfQAAAIBbmHtV5tPcrMRDkULhaQ/Whap2VKvT2DUhIHA7lx6oy/KpkltOpxDZOIGUHKqffGbiR7Jh01/y090AY5L2eCf0S2Ytx93+eADwVVpJbFJo6zSwfeey2Gm6L2oA+rCz9zTdmtZoekpD3/RAOQjnJIAPwbs7mXwabZTw4xRtiYIRrw== DSA #5
24|1|hTrfD0CuuB9ZbOa1CHFYvIk/gKE=|tPmW50t7flncm1UyM+DR97ubDNU= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIudcagzq4QPtP1jkpje34+0POLB0jwT64hqrbCqhTH2T800KDZ0h2vwlJYa3OP3Oqru9AB5pnuHsKw7mAhUGY= ECDSA #5 21|1|B7t/AYabn8zgwU47Cb4A/Nqt3eI=|arQPZyRphkzisr7w6wwikvhaOyE= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIudcagzq4QPtP1jkpje34+0POLB0jwT64hqrbCqhTH2T800KDZ0h2vwlJYa3OP3Oqru9AB5pnuHsKw7mAhUGY= ECDSA #5
25|1|fOGqe75X5ZpTz4c7DitP4E8/y30=|Lmcch2fh54bUYoV//S2VqDFVeiY= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINf63qSV8rD57N+digID8t28WVhd3Yf2K2UhaoG8TsWQ ED25519 #5 22|1|JR81WxEocTP5d7goIRkl8fHBbno=|l6sj6FOsoXxgEZMzn/BnOfPKN68= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINf63qSV8rD57N+digID8t28WVhd3Yf2K2UhaoG8TsWQ ED25519 #5
26|1|0RVzLjY3lwE3MRweguaAXaCCWk8=|DbcIgJQcRZJMYI6NYDOM6oJycPk= 1024 65537 127931411493401587586867047972295564331543694182352197506125410692673654572057908999642645524647232712160516076508316152810117209181150078352725299319149726341058893406440426414316276977768958023952319602422835879783057966985348561111880658922724668687074412548487722084792283453716871417610020757212399252171 RSA1 #5 23|1|W7x4zY6KtTZJgsopyOusJqvVPag=|QauLt7hKezBZFZi2i4Xopho7Nsk= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC/C15Q4sfnk7BZff1er8bscay+5s51oD4eWArlHWMK/ZfYeeTAccTy+7B7Jv+MS4nKCpflrvJI2RQz4kS8vF0ATdBbi4jeWefStlHNg0HLhnCY7NAfDIlRdaN9lm3Pqm2vmr+CkqwcJaSpycDg8nPN9yNAuD6pv7NDuUnECezojQ== RSA #5
27|1|4q79XnHpKBNQhyMLAqbPPDN+JKo=|k1Wvjjb52zDdrXWM801+wX5oH8U= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC/C15Q4sfnk7BZff1er8bscay+5s51oD4eWArlHWMK/ZfYeeTAccTy+7B7Jv+MS4nKCpflrvJI2RQz4kS8vF0ATdBbi4jeWefStlHNg0HLhnCY7NAfDIlRdaN9lm3Pqm2vmr+CkqwcJaSpycDg8nPN9yNAuD6pv7NDuUnECezojQ== RSA #5
28 24
29|1|0M6PIx6THA3ipIOvTl3fcgn2z+A=|bwEJAOwJz+Sm7orFdgj170mD/zY= ssh-dss AAAAB3NzaC1kc3MAAACBAIutigAse65TCW6hHDOEGXenE9L4L0talHbs65hj3UUNtWflKdQeXLofqXgW8AwaDKmnuRPrxRoxVNXj84n45wtBEdt4ztmdAZteAbXSnHqpcxME3jDxh3EtxzGPXLs+RUmKPVguraSgo7W2oN7KFx6VM+AcAtxANSTlvDid3s47AAAAFQCd9Q3kkHSLWe77sW0eRaayI45ovwAAAIAw6srGF6xvFasI44Y3r9JJ2K+3ezozl3ldL3p2+p2HG3iWafC4SdV8pB6ZIxKlYAywiiFb3LzH/JweGFq1jtoFDRM3MlYORBevydU4zPz7b5QLDVB0sY4evYtWmg2BFJvoWRfhLnlZVW7h5N8v4fNIwdVmVsw4Ljes7iF2HRGhHgAAAIBDFT3fww2Oby1xUA6G9pDAcVikrQFqp1sJRylNTUyeyQ37SNAGzYxwHJFgQr8gZLdRQ1UW+idYpqVbVNcYFMOiw/zSqK2OfVwPZ9U+TTKdc992ChSup6vJEKM/ZVIyDWDbJr7igQ4ahy7jo9mFvm8ljN926EnspQzCvs0Dxk6tHA== DSA #6 25|1|mxnU8luzqWLvfVi5qBm5xVIyCRM=|9Epopft7LBd80Bf6RmWPIpwa8yU= ssh-dss AAAAB3NzaC1kc3MAAACBAIutigAse65TCW6hHDOEGXenE9L4L0talHbs65hj3UUNtWflKdQeXLofqXgW8AwaDKmnuRPrxRoxVNXj84n45wtBEdt4ztmdAZteAbXSnHqpcxME3jDxh3EtxzGPXLs+RUmKPVguraSgo7W2oN7KFx6VM+AcAtxANSTlvDid3s47AAAAFQCd9Q3kkHSLWe77sW0eRaayI45ovwAAAIAw6srGF6xvFasI44Y3r9JJ2K+3ezozl3ldL3p2+p2HG3iWafC4SdV8pB6ZIxKlYAywiiFb3LzH/JweGFq1jtoFDRM3MlYORBevydU4zPz7b5QLDVB0sY4evYtWmg2BFJvoWRfhLnlZVW7h5N8v4fNIwdVmVsw4Ljes7iF2HRGhHgAAAIBDFT3fww2Oby1xUA6G9pDAcVikrQFqp1sJRylNTUyeyQ37SNAGzYxwHJFgQr8gZLdRQ1UW+idYpqVbVNcYFMOiw/zSqK2OfVwPZ9U+TTKdc992ChSup6vJEKM/ZVIyDWDbJr7igQ4ahy7jo9mFvm8ljN926EnspQzCvs0Dxk6tHA== DSA #6
30|1|a6WGHcL+9gX3e96tMlgDSDJwtSg=|5Dqlb/yqNEf7jgfllrp/ygLmRV8= ssh-dss AAAAB3NzaC1kc3MAAACBAIutigAse65TCW6hHDOEGXenE9L4L0talHbs65hj3UUNtWflKdQeXLofqXgW8AwaDKmnuRPrxRoxVNXj84n45wtBEdt4ztmdAZteAbXSnHqpcxME3jDxh3EtxzGPXLs+RUmKPVguraSgo7W2oN7KFx6VM+AcAtxANSTlvDid3s47AAAAFQCd9Q3kkHSLWe77sW0eRaayI45ovwAAAIAw6srGF6xvFasI44Y3r9JJ2K+3ezozl3ldL3p2+p2HG3iWafC4SdV8pB6ZIxKlYAywiiFb3LzH/JweGFq1jtoFDRM3MlYORBevydU4zPz7b5QLDVB0sY4evYtWmg2BFJvoWRfhLnlZVW7h5N8v4fNIwdVmVsw4Ljes7iF2HRGhHgAAAIBDFT3fww2Oby1xUA6G9pDAcVikrQFqp1sJRylNTUyeyQ37SNAGzYxwHJFgQr8gZLdRQ1UW+idYpqVbVNcYFMOiw/zSqK2OfVwPZ9U+TTKdc992ChSup6vJEKM/ZVIyDWDbJr7igQ4ahy7jo9mFvm8ljN926EnspQzCvs0Dxk6tHA== DSA #6 26|1|klvLmvh2vCpkNMDEjVvrE8SJWTg=|e/dqEEBLnbgqmwEesl4cDRu/7TM= ssh-dss AAAAB3NzaC1kc3MAAACBAIutigAse65TCW6hHDOEGXenE9L4L0talHbs65hj3UUNtWflKdQeXLofqXgW8AwaDKmnuRPrxRoxVNXj84n45wtBEdt4ztmdAZteAbXSnHqpcxME3jDxh3EtxzGPXLs+RUmKPVguraSgo7W2oN7KFx6VM+AcAtxANSTlvDid3s47AAAAFQCd9Q3kkHSLWe77sW0eRaayI45ovwAAAIAw6srGF6xvFasI44Y3r9JJ2K+3ezozl3ldL3p2+p2HG3iWafC4SdV8pB6ZIxKlYAywiiFb3LzH/JweGFq1jtoFDRM3MlYORBevydU4zPz7b5QLDVB0sY4evYtWmg2BFJvoWRfhLnlZVW7h5N8v4fNIwdVmVsw4Ljes7iF2HRGhHgAAAIBDFT3fww2Oby1xUA6G9pDAcVikrQFqp1sJRylNTUyeyQ37SNAGzYxwHJFgQr8gZLdRQ1UW+idYpqVbVNcYFMOiw/zSqK2OfVwPZ9U+TTKdc992ChSup6vJEKM/ZVIyDWDbJr7igQ4ahy7jo9mFvm8ljN926EnspQzCvs0Dxk6tHA== DSA #6
31|1|OeCpi7Pn5Q6c8la4fPf9G8YctT8=|sC6D7lDXTafIpokZJ1+1xWg2R6Q= ssh-dss AAAAB3NzaC1kc3MAAACBAIutigAse65TCW6hHDOEGXenE9L4L0talHbs65hj3UUNtWflKdQeXLofqXgW8AwaDKmnuRPrxRoxVNXj84n45wtBEdt4ztmdAZteAbXSnHqpcxME3jDxh3EtxzGPXLs+RUmKPVguraSgo7W2oN7KFx6VM+AcAtxANSTlvDid3s47AAAAFQCd9Q3kkHSLWe77sW0eRaayI45ovwAAAIAw6srGF6xvFasI44Y3r9JJ2K+3ezozl3ldL3p2+p2HG3iWafC4SdV8pB6ZIxKlYAywiiFb3LzH/JweGFq1jtoFDRM3MlYORBevydU4zPz7b5QLDVB0sY4evYtWmg2BFJvoWRfhLnlZVW7h5N8v4fNIwdVmVsw4Ljes7iF2HRGhHgAAAIBDFT3fww2Oby1xUA6G9pDAcVikrQFqp1sJRylNTUyeyQ37SNAGzYxwHJFgQr8gZLdRQ1UW+idYpqVbVNcYFMOiw/zSqK2OfVwPZ9U+TTKdc992ChSup6vJEKM/ZVIyDWDbJr7igQ4ahy7jo9mFvm8ljN926EnspQzCvs0Dxk6tHA== DSA #6 27|1|wsk3ddB3UjuxEsoeNCeZjZ6NvZs=|O3O/q2Z/u7DrxoTiIq6kzCevQT0= ssh-dss AAAAB3NzaC1kc3MAAACBAIutigAse65TCW6hHDOEGXenE9L4L0talHbs65hj3UUNtWflKdQeXLofqXgW8AwaDKmnuRPrxRoxVNXj84n45wtBEdt4ztmdAZteAbXSnHqpcxME3jDxh3EtxzGPXLs+RUmKPVguraSgo7W2oN7KFx6VM+AcAtxANSTlvDid3s47AAAAFQCd9Q3kkHSLWe77sW0eRaayI45ovwAAAIAw6srGF6xvFasI44Y3r9JJ2K+3ezozl3ldL3p2+p2HG3iWafC4SdV8pB6ZIxKlYAywiiFb3LzH/JweGFq1jtoFDRM3MlYORBevydU4zPz7b5QLDVB0sY4evYtWmg2BFJvoWRfhLnlZVW7h5N8v4fNIwdVmVsw4Ljes7iF2HRGhHgAAAIBDFT3fww2Oby1xUA6G9pDAcVikrQFqp1sJRylNTUyeyQ37SNAGzYxwHJFgQr8gZLdRQ1UW+idYpqVbVNcYFMOiw/zSqK2OfVwPZ9U+TTKdc992ChSup6vJEKM/ZVIyDWDbJr7igQ4ahy7jo9mFvm8ljN926EnspQzCvs0Dxk6tHA== DSA #6
32|1|BHESVyiJ7G2NN0lxrw7vT109jmk=|TKof+015J77bXqibsh0N1Lp0MKk= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 28|1|B8epmkLSni+vGZDijr/EwxeR2k4=|7ct8yzNOVJhKm3ZD2w0XIT7df8E= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6
33|1|wY53mZNASDJ5/P3JYCJ4FUNa6WQ=|v8p0MfV5lqlZB2J0yLxl/gsWVQo= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 29|1|JojD885UhYhbCu571rgyM/5PpYU=|BJaU2aE1FebQZy3B5tzTDRWFRG0= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6
34|1|horeoyFPwfKhyFN+zJZ5LCfOo/I=|2ofvp0tNwCbKsV8FuiFA4gQG2Z8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 30|1|5t7UDHDybVrDZVQPCpwdnr6nk4k=|EqJ73W/veIL3H2x+YWHcJxI5ETA= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6
35|1|Aw4fXumZfx6jEIJuDGIyeEMd81A=|5FdLtdm2JeKNsS8IQeQlGYIadOE= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 31|1|OCcBfGc/b9+ip+W6Gp+3ftdluO4=|VbrKUdzOOtIBOOmEE+jlK4SD3Xc= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6
36|1|+dGUNpv6GblrDd5fgHLlOWpSbEo=|He/pQ1yJjtiCyTNWpGwjBD4sZFI= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 32|1|9fLN0YdP+BJ25lKuKvYuOdUo93w=|vZyr0rOiX01hv5XbghhHMW+Zb3U= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6
37|1|E/PACGl8m1T7QnPedOoooozstP0=|w6DQAFT8yZgj0Hlkz5R1TppYHCA= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 33|1|nc9RoaaQ0s5jdPxwlUmluGHU3uk=|un6OsJajokKQ3MgyS9mfDNeyP6U= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6
38|1|SaoyMStgxpYfwedSXBAghi8Zo0s=|Gz78k69GaE6iViV3OOvbStKqyTA= 1024 65537 140883028436203600354693376066567741282115117509696517282419557936340193768851493584179972504103033755515036493433917203732876685813283050574208967197963391667532902202382549275760997891673884333346000558018002659506756213191532156293935482587878596032743105911487673274674568768638010598205190227631909167257 RSA1 #6 34|1|rsHB6juT9q6GOY91qOeOwL6TSJE=|ps/vXF9Izuues5PbOn887Gw/2Dg= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6
39|1|8qfGeiT5WTCzWYbXPQ+lsLg7km4=|1sIBwiSUr8IGkvrUGm3/9QYurmA= 1024 65537 140883028436203600354693376066567741282115117509696517282419557936340193768851493584179972504103033755515036493433917203732876685813283050574208967197963391667532902202382549275760997891673884333346000558018002659506756213191532156293935482587878596032743105911487673274674568768638010598205190227631909167257 RSA1 #6 35|1|BsckdLH2aRyWQooRmv+Yo3t4dKg=|Lf3tJc5Iyx0KxNwAG89FsImsfEE= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6
40|1|87M1OtyHg1BZiDY3rT6lYsZFnAU=|eddAQVcMNbn2OB87XWXFQnYo6R4= 1024 65537 140883028436203600354693376066567741282115117509696517282419557936340193768851493584179972504103033755515036493433917203732876685813283050574208967197963391667532902202382549275760997891673884333346000558018002659506756213191532156293935482587878596032743105911487673274674568768638010598205190227631909167257 RSA1 #6 36|1|plqkBA4hq7UATyd5+/Xl+zL7ghw=|stacofaUed46666mfqxp9gJFjt4= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6
41|1|60w3wFfC0XWI+rRmRlxIRhh8lwE=|yMhsGrzBJKiesAdSQ/PVgkCrDKk= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6
42|1|5gdEMmLUJC7grqWhRJPy2OTaSyE=|/XTfmLMa/B8npcVCGFRdaHl+d/0= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6
43|1|6FGCWUr42GHdMB/eifnHNCuwgdk=|ONJvYZ/ANmi59R5HrOhLPmvYENM= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6
44 37
45 38
46# Revoked and CA keys 39# Revoked and CA keys
47@revoked sisyphus.example.com 1024 65537 174143366122697048196335388217056770310345753698079464367148030836533360510864881734142526411160017107552815906024399248049666856133771656680462456979369587903909343046704480897527203474513676654933090991684252819423129896444427656841613263783484827101210734799449281639493127615902427443211183258155381810593 RSA1 #4
48@revoked sisyphus.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFP8L9REfN/iYy1KIRtFqSCn3V2+vOCpoZYENFGLdOF ED25519 #4 40@revoked sisyphus.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFP8L9REfN/iYy1KIRtFqSCn3V2+vOCpoZYENFGLdOF ED25519 #4
49@cert-authority prometheus.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHZd0OXHIWwK3xnjAdMZ1tojxWycdu38pORO/UX5cqsKMgGCKQVBWWO3TFk1ePkGIE9VMWT1hCGqWRRwYlH+dSE= ECDSA #4 41@cert-authority prometheus.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHZd0OXHIWwK3xnjAdMZ1tojxWycdu38pORO/UX5cqsKMgGCKQVBWWO3TFk1ePkGIE9VMWT1hCGqWRRwYlH+dSE= ECDSA #4
50@cert-authority *.example.com ssh-dss AAAAB3NzaC1kc3MAAACBAKvjnFHm0VvMr5h2Zu3nURsxQKGoxm+DCzYDxRYcilK07Cm5c4XTrFbA2X86+9sGs++W7QRMcTJUYIg0a+UtIMtAjwORd6ZPXM2K5dBW+gh1oHyvKi767tWX7I2c+1ZPJDY95mUUfZQUEfdy9eGDSBmw/pSsveQ1ur6XNUh/MtP/AAAAFQDHnXk/9jBJAdce1pHtLWnbdPSGdQAAAIEAm2OLy8tZBfiEO3c3X1yyB/GTcDwrQCqRMDkhnsmrliec3dWkOfNTzu+MrdvF8ymTWLEqPpbMheYtvNyZ3TF0HO5W7aVBpdGZbOdOAIfB+6skqGbI8A5Up1d7dak/bSsqL2r5NjwbDOdq+1hBzzvbl/qjh+sQarV2zHrpKoQaV28AAACANtkBVedBbqIAdphCrN/LbUi9WlyuF9UZz+tlpVLYrj8GJVwnplV2tvOmUw6yP5/pzCimTsao8dpL5PWxm7fKxLWVxA+lEsA4WeC885CiZn8xhdaJOCN+NyJ2bqkz+4VPI7oDGBm0aFwUqJn+M1PiSgvI50XdF2dBsFRTRNY0wzA= DSA #4 42@cert-authority *.example.com ssh-dss AAAAB3NzaC1kc3MAAACBAKvjnFHm0VvMr5h2Zu3nURsxQKGoxm+DCzYDxRYcilK07Cm5c4XTrFbA2X86+9sGs++W7QRMcTJUYIg0a+UtIMtAjwORd6ZPXM2K5dBW+gh1oHyvKi767tWX7I2c+1ZPJDY95mUUfZQUEfdy9eGDSBmw/pSsveQ1ur6XNUh/MtP/AAAAFQDHnXk/9jBJAdce1pHtLWnbdPSGdQAAAIEAm2OLy8tZBfiEO3c3X1yyB/GTcDwrQCqRMDkhnsmrliec3dWkOfNTzu+MrdvF8ymTWLEqPpbMheYtvNyZ3TF0HO5W7aVBpdGZbOdOAIfB+6skqGbI8A5Up1d7dak/bSsqL2r5NjwbDOdq+1hBzzvbl/qjh+sQarV2zHrpKoQaV28AAACANtkBVedBbqIAdphCrN/LbUi9WlyuF9UZz+tlpVLYrj8GJVwnplV2tvOmUw6yP5/pzCimTsao8dpL5PWxm7fKxLWVxA+lEsA4WeC885CiZn8xhdaJOCN+NyJ2bqkz+4VPI7oDGBm0aFwUqJn+M1PiSgvI50XdF2dBsFRTRNY0wzA= DSA #4
51 43
52# Some invalid lines 44# Some invalid lines
53@what sisyphus.example.com 1024 65537 153895431603677073925890314548566704948446776958334195280085080329934839226701954473292358821568047724356487621573742372399387931887004184139835510820577359977148363519970774657801798872789118894962853659233045778161859413980935372685480527355016624825696983269800574755126132814333241868538220824608980319407 RSA1 #1 45@what sisyphus.example.com ssh-dss AAAAB3NzaC1kc3MAAACBAOqffHxEW4c+Z9q/r3l4sYK8F7qrBsU8XF9upGsW62T9InROFFq9IO0x3pQ6mDA0Wtw0sqcDmkPCHPyP4Ok/fU3/drLaZusHoVYu8pBBrWsIDrKgkeX9TEodBsSrYdl4Sqtqq9EZv9+DttV6LStZrgYyUTOKwOF95wGantpLynX5AAAAFQDdt+zjRNlETDsgmxcSYFgREirJrQAAAIBQlrPaiPhR24FhnMLcHH4016vL7AqDDID6Qw7PhbXGa4/XlxWMIigjBKrIPKvnZ6p712LSnCKtcbfdx0MtmJlNa01CYqPaRhgRaf+uGdvTkTUcdaq8R5lLJL+JMNwUhcC8ijm3NqEjXjffuebGe1EzIeiITbA7Nndcd+GytwRDegAAAIEAkRYPjSVcUxfUHhHdpP6V8CuY1+CYSs9EPJ7iiWTDuXWVIBTU32oJLAnrmAcOwtIzEfPvm+rff5FI/Yhon2pB3VTXhPPEBjYzE5qANanAT4e6tzAVc5f3DUhHaDknwRYfDz86GFvuLtDjeE/UZ9t6OofYoEsCBpYozLAprBvNIQY= DSA #1
54sisyphus.example.com 46sisyphus.example.com
55prometheus.example.com ssh-ed25519 47prometheus.example.com ssh-ed25519
56sisyphus.example.com ssh-dsa AAAATgAAAAdz 48sisyphus.example.com ssh-dsa AAAATgAAAAdz
57prometheus.example.com 1024
58sisyphus.example.com 1024 65535
59prometheus.example.com 1025 65537 153895431603677073925890314548566704948446776958334195280085080329934839226701954473292358821568047724356487621573742372399387931887004184139835510820577359977148363519970774657801798872789118894962853659233045778161859413980935372685480527355016624825696983269800574755126132814333241868538220824608980319407 RSA1 #1
60sisyphus.example.com ssh-XXX AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg== 49sisyphus.example.com ssh-XXX AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg==
61prometheus.example.com ssh-rsa AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg== 50prometheus.example.com ssh-rsa AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg==
diff --git a/regress/unittests/sshkey/mktestdata.sh b/regress/unittests/sshkey/mktestdata.sh
index e11100145..8047bc62f 100755
--- a/regress/unittests/sshkey/mktestdata.sh
+++ b/regress/unittests/sshkey/mktestdata.sh
@@ -1,25 +1,8 @@
1#!/bin/sh 1#!/bin/sh
2# $OpenBSD: mktestdata.sh,v 1.5 2015/07/07 14:53:30 markus Exp $ 2# $OpenBSD: mktestdata.sh,v 1.6 2017/04/30 23:33:48 djm Exp $
3 3
4PW=mekmitasdigoat 4PW=mekmitasdigoat
5 5
6rsa1_params() {
7 _in="$1"
8 _outbase="$2"
9 set -e
10 ssh-keygen -f $_in -e -m pkcs8 | \
11 openssl rsa -noout -text -pubin | \
12 awk '/^Modulus:$/,/^Exponent:/' | \
13 grep -v '^[a-zA-Z]' | tr -d ' \n:' > ${_outbase}.n
14 # XXX need conversion support in ssh-keygen for the other params
15 for x in n ; do
16 echo "" >> ${_outbase}.$x
17 echo ============ ${_outbase}.$x
18 cat ${_outbase}.$x
19 echo ============
20 done
21}
22
23rsa_params() { 6rsa_params() {
24 _in="$1" 7 _in="$1"
25 _outbase="$2" 8 _outbase="$2"
@@ -87,20 +70,18 @@ set -ex
87 70
88cd testdata 71cd testdata
89 72
90rm -f rsa1_1 rsa_1 dsa_1 ecdsa_1 ed25519_1 73rm -f rsa_1 dsa_1 ecdsa_1 ed25519_1
91rm -f rsa1_2 rsa_2 dsa_2 ecdsa_2 ed25519_2 74rm -f rsa_2 dsa_2 ecdsa_2 ed25519_2
92rm -f rsa_n dsa_n ecdsa_n # new-format keys 75rm -f rsa_n dsa_n ecdsa_n # new-format keys
93rm -f rsa1_1_pw rsa_1_pw dsa_1_pw ecdsa_1_pw ed25519_1_pw 76rm -f rsa_1_pw dsa_1_pw ecdsa_1_pw ed25519_1_pw
94rm -f rsa_n_pw dsa_n_pw ecdsa_n_pw 77rm -f rsa_n_pw dsa_n_pw ecdsa_n_pw
95rm -f pw *.pub *.bn.* *.param.* *.fp *.fp.bb 78rm -f pw *.pub *.bn.* *.param.* *.fp *.fp.bb
96 79
97ssh-keygen -t rsa1 -b 1024 -C "RSA1 test key #1" -N "" -f rsa1_1
98ssh-keygen -t rsa -b 1024 -C "RSA test key #1" -N "" -f rsa_1 80ssh-keygen -t rsa -b 1024 -C "RSA test key #1" -N "" -f rsa_1
99ssh-keygen -t dsa -b 1024 -C "DSA test key #1" -N "" -f dsa_1 81ssh-keygen -t dsa -b 1024 -C "DSA test key #1" -N "" -f dsa_1
100ssh-keygen -t ecdsa -b 256 -C "ECDSA test key #1" -N "" -f ecdsa_1 82ssh-keygen -t ecdsa -b 256 -C "ECDSA test key #1" -N "" -f ecdsa_1
101ssh-keygen -t ed25519 -C "ED25519 test key #1" -N "" -f ed25519_1 83ssh-keygen -t ed25519 -C "ED25519 test key #1" -N "" -f ed25519_1
102 84
103ssh-keygen -t rsa1 -b 2048 -C "RSA1 test key #2" -N "" -f rsa1_2
104ssh-keygen -t rsa -b 2048 -C "RSA test key #2" -N "" -f rsa_2 85ssh-keygen -t rsa -b 2048 -C "RSA test key #2" -N "" -f rsa_2
105ssh-keygen -t dsa -b 1024 -C "DSA test key #2" -N "" -f dsa_2 86ssh-keygen -t dsa -b 1024 -C "DSA test key #2" -N "" -f dsa_2
106ssh-keygen -t ecdsa -b 521 -C "ECDSA test key #2" -N "" -f ecdsa_2 87ssh-keygen -t ecdsa -b 521 -C "ECDSA test key #2" -N "" -f ecdsa_2
@@ -110,7 +91,6 @@ cp rsa_1 rsa_n
110cp dsa_1 dsa_n 91cp dsa_1 dsa_n
111cp ecdsa_1 ecdsa_n 92cp ecdsa_1 ecdsa_n
112 93
113cp rsa1_1 rsa1_1_pw
114cp rsa_1 rsa_1_pw 94cp rsa_1 rsa_1_pw
115cp dsa_1 dsa_1_pw 95cp dsa_1 dsa_1_pw
116cp ecdsa_1 ecdsa_1_pw 96cp ecdsa_1 ecdsa_1_pw
@@ -119,7 +99,6 @@ cp rsa_1 rsa_n_pw
119cp dsa_1 dsa_n_pw 99cp dsa_1 dsa_n_pw
120cp ecdsa_1 ecdsa_n_pw 100cp ecdsa_1 ecdsa_n_pw
121 101
122ssh-keygen -pf rsa1_1_pw -N "$PW"
123ssh-keygen -pf rsa_1_pw -N "$PW" 102ssh-keygen -pf rsa_1_pw -N "$PW"
124ssh-keygen -pf dsa_1_pw -N "$PW" 103ssh-keygen -pf dsa_1_pw -N "$PW"
125ssh-keygen -pf ecdsa_1_pw -N "$PW" 104ssh-keygen -pf ecdsa_1_pw -N "$PW"
@@ -128,8 +107,6 @@ ssh-keygen -opf rsa_n_pw -N "$PW"
128ssh-keygen -opf dsa_n_pw -N "$PW" 107ssh-keygen -opf dsa_n_pw -N "$PW"
129ssh-keygen -opf ecdsa_n_pw -N "$PW" 108ssh-keygen -opf ecdsa_n_pw -N "$PW"
130 109
131rsa1_params rsa1_1 rsa1_1.param
132rsa1_params rsa1_2 rsa1_2.param
133rsa_params rsa_1 rsa_1.param 110rsa_params rsa_1 rsa_1.param
134rsa_params rsa_2 rsa_2.param 111rsa_params rsa_2 rsa_2.param
135dsa_params dsa_1 dsa_1.param 112dsa_params dsa_1 dsa_1.param
@@ -160,12 +137,10 @@ ssh-keygen -s ecdsa_1 -I julius -n host1,host2 -h \
160ssh-keygen -s ed25519_1 -I julius -n host1,host2 -h \ 137ssh-keygen -s ed25519_1 -I julius -n host1,host2 -h \
161 -V 19990101:20110101 -z 8 ed25519_1.pub 138 -V 19990101:20110101 -z 8 ed25519_1.pub
162 139
163ssh-keygen -lf rsa1_1 | awk '{print $2}' > rsa1_1.fp
164ssh-keygen -lf rsa_1 | awk '{print $2}' > rsa_1.fp 140ssh-keygen -lf rsa_1 | awk '{print $2}' > rsa_1.fp
165ssh-keygen -lf dsa_1 | awk '{print $2}' > dsa_1.fp 141ssh-keygen -lf dsa_1 | awk '{print $2}' > dsa_1.fp
166ssh-keygen -lf ecdsa_1 | awk '{print $2}' > ecdsa_1.fp 142ssh-keygen -lf ecdsa_1 | awk '{print $2}' > ecdsa_1.fp
167ssh-keygen -lf ed25519_1 | awk '{print $2}' > ed25519_1.fp 143ssh-keygen -lf ed25519_1 | awk '{print $2}' > ed25519_1.fp
168ssh-keygen -lf rsa1_2 | awk '{print $2}' > rsa1_2.fp
169ssh-keygen -lf rsa_2 | awk '{print $2}' > rsa_2.fp 144ssh-keygen -lf rsa_2 | awk '{print $2}' > rsa_2.fp
170ssh-keygen -lf dsa_2 | awk '{print $2}' > dsa_2.fp 145ssh-keygen -lf dsa_2 | awk '{print $2}' > dsa_2.fp
171ssh-keygen -lf ecdsa_2 | awk '{print $2}' > ecdsa_2.fp 146ssh-keygen -lf ecdsa_2 | awk '{print $2}' > ecdsa_2.fp
@@ -176,12 +151,10 @@ ssh-keygen -lf ecdsa_1-cert.pub | awk '{print $2}' > ecdsa_1-cert.fp
176ssh-keygen -lf ed25519_1-cert.pub | awk '{print $2}' > ed25519_1-cert.fp 151ssh-keygen -lf ed25519_1-cert.pub | awk '{print $2}' > ed25519_1-cert.fp
177ssh-keygen -lf rsa_1-cert.pub | awk '{print $2}' > rsa_1-cert.fp 152ssh-keygen -lf rsa_1-cert.pub | awk '{print $2}' > rsa_1-cert.fp
178 153
179ssh-keygen -Bf rsa1_1 | awk '{print $2}' > rsa1_1.fp.bb
180ssh-keygen -Bf rsa_1 | awk '{print $2}' > rsa_1.fp.bb 154ssh-keygen -Bf rsa_1 | awk '{print $2}' > rsa_1.fp.bb
181ssh-keygen -Bf dsa_1 | awk '{print $2}' > dsa_1.fp.bb 155ssh-keygen -Bf dsa_1 | awk '{print $2}' > dsa_1.fp.bb
182ssh-keygen -Bf ecdsa_1 | awk '{print $2}' > ecdsa_1.fp.bb 156ssh-keygen -Bf ecdsa_1 | awk '{print $2}' > ecdsa_1.fp.bb
183ssh-keygen -Bf ed25519_1 | awk '{print $2}' > ed25519_1.fp.bb 157ssh-keygen -Bf ed25519_1 | awk '{print $2}' > ed25519_1.fp.bb
184ssh-keygen -Bf rsa1_2 | awk '{print $2}' > rsa1_2.fp.bb
185ssh-keygen -Bf rsa_2 | awk '{print $2}' > rsa_2.fp.bb 158ssh-keygen -Bf rsa_2 | awk '{print $2}' > rsa_2.fp.bb
186ssh-keygen -Bf dsa_2 | awk '{print $2}' > dsa_2.fp.bb 159ssh-keygen -Bf dsa_2 | awk '{print $2}' > dsa_2.fp.bb
187ssh-keygen -Bf ecdsa_2 | awk '{print $2}' > ecdsa_2.fp.bb 160ssh-keygen -Bf ecdsa_2 | awk '{print $2}' > ecdsa_2.fp.bb
diff --git a/regress/unittests/sshkey/test_file.c b/regress/unittests/sshkey/test_file.c
index 906491f2b..99b7e21c0 100644
--- a/regress/unittests/sshkey/test_file.c
+++ b/regress/unittests/sshkey/test_file.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_file.c,v 1.5 2015/10/06 01:20:59 djm Exp $ */ 1/* $OpenBSD: test_file.c,v 1.6 2017/04/30 23:33:48 djm Exp $ */
2/* 2/*
3 * Regress test for sshkey.h key management API 3 * Regress test for sshkey.h key management API
4 * 4 *
@@ -51,55 +51,6 @@ sshkey_file_tests(void)
51 pw = load_text_file("pw"); 51 pw = load_text_file("pw");
52 TEST_DONE(); 52 TEST_DONE();
53 53
54#ifdef WITH_SSH1
55 TEST_START("parse RSA1 from private");
56 buf = load_file("rsa1_1");
57 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
58 sshbuf_free(buf);
59 ASSERT_PTR_NE(k1, NULL);
60 a = load_bignum("rsa1_1.param.n");
61 ASSERT_BIGNUM_EQ(k1->rsa->n, a);
62 BN_free(a);
63 TEST_DONE();
64
65 TEST_START("parse RSA1 from private w/ passphrase");
66 buf = load_file("rsa1_1_pw");
67 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
68 (const char *)sshbuf_ptr(pw), &k2, NULL), 0);
69 sshbuf_free(buf);
70 ASSERT_PTR_NE(k2, NULL);
71 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
72 sshkey_free(k2);
73 TEST_DONE();
74
75 TEST_START("load RSA1 from public");
76 ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa1_1.pub"), &k2,
77 NULL), 0);
78 ASSERT_PTR_NE(k2, NULL);
79 ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
80 sshkey_free(k2);
81 TEST_DONE();
82
83 TEST_START("RSA1 key hex fingerprint");
84 buf = load_text_file("rsa1_1.fp");
85 cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA256, SSH_FP_BASE64);
86 ASSERT_PTR_NE(cp, NULL);
87 ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
88 sshbuf_free(buf);
89 free(cp);
90 TEST_DONE();
91
92 TEST_START("RSA1 key bubblebabble fingerprint");
93 buf = load_text_file("rsa1_1.fp.bb");
94 cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
95 ASSERT_PTR_NE(cp, NULL);
96 ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
97 sshbuf_free(buf);
98 free(cp);
99 TEST_DONE();
100
101 sshkey_free(k1);
102#endif
103 54
104 TEST_START("parse RSA from private"); 55 TEST_START("parse RSA from private");
105 buf = load_file("rsa_1"); 56 buf = load_file("rsa_1");
diff --git a/regress/unittests/sshkey/test_fuzz.c b/regress/unittests/sshkey/test_fuzz.c
index 1f414e0ac..6706045d5 100644
--- a/regress/unittests/sshkey/test_fuzz.c
+++ b/regress/unittests/sshkey/test_fuzz.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_fuzz.c,v 1.6 2015/12/07 02:20:46 djm Exp $ */ 1/* $OpenBSD: test_fuzz.c,v 1.7 2017/04/30 23:33:48 djm Exp $ */
2/* 2/*
3 * Fuzz tests for key parsing 3 * Fuzz tests for key parsing
4 * 4 *
@@ -104,49 +104,6 @@ sshkey_fuzz_tests(void)
104 struct fuzz *fuzz; 104 struct fuzz *fuzz;
105 int r; 105 int r;
106 106
107#ifdef WITH_SSH1
108 TEST_START("fuzz RSA1 private");
109 buf = load_file("rsa1_1");
110 fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP |
111 FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
112 sshbuf_mutable_ptr(buf), sshbuf_len(buf));
113 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
114 sshkey_free(k1);
115 sshbuf_free(buf);
116 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
117 TEST_ONERROR(onerror, fuzz);
118 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
119 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
120 ASSERT_INT_EQ(r, 0);
121 if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
122 sshkey_free(k1);
123 sshbuf_reset(fuzzed);
124 }
125 sshbuf_free(fuzzed);
126 fuzz_cleanup(fuzz);
127 TEST_DONE();
128
129 TEST_START("fuzz RSA1 public");
130 buf = load_file("rsa1_1_pw");
131 fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP |
132 FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
133 sshbuf_mutable_ptr(buf), sshbuf_len(buf));
134 ASSERT_INT_EQ(sshkey_parse_public_rsa1_fileblob(buf, &k1, NULL), 0);
135 sshkey_free(k1);
136 sshbuf_free(buf);
137 ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
138 TEST_ONERROR(onerror, fuzz);
139 for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
140 r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
141 ASSERT_INT_EQ(r, 0);
142 if (sshkey_parse_public_rsa1_fileblob(fuzzed, &k1, NULL) == 0)
143 sshkey_free(k1);
144 sshbuf_reset(fuzzed);
145 }
146 sshbuf_free(fuzzed);
147 fuzz_cleanup(fuzz);
148 TEST_DONE();
149#endif
150 107
151 TEST_START("fuzz RSA private"); 108 TEST_START("fuzz RSA private");
152 buf = load_file("rsa_1"); 109 buf = load_file("rsa_1");
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
index 1476dc2e3..0a73322a3 100644
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: test_sshkey.c,v 1.10 2016/05/02 09:52:00 djm Exp $ */ 1/* $OpenBSD: test_sshkey.c,v 1.12 2017/05/08 06:08:42 djm Exp $ */
2/* 2/*
3 * Regress test for sshkey.h key management API 3 * Regress test for sshkey.h key management API
4 * 4 *
@@ -193,16 +193,6 @@ sshkey_tests(void)
193 sshkey_free(k1); 193 sshkey_free(k1);
194 TEST_DONE(); 194 TEST_DONE();
195 195
196 TEST_START("new/free KEY_RSA1");
197 k1 = sshkey_new(KEY_RSA1);
198 ASSERT_PTR_NE(k1, NULL);
199 ASSERT_PTR_NE(k1->rsa, NULL);
200 ASSERT_PTR_NE(k1->rsa->n, NULL);
201 ASSERT_PTR_NE(k1->rsa->e, NULL);
202 ASSERT_PTR_EQ(k1->rsa->p, NULL);
203 sshkey_free(k1);
204 TEST_DONE();
205
206 TEST_START("new/free KEY_RSA"); 196 TEST_START("new/free KEY_RSA");
207 k1 = sshkey_new(KEY_RSA); 197 k1 = sshkey_new(KEY_RSA);
208 ASSERT_PTR_NE(k1, NULL); 198 ASSERT_PTR_NE(k1, NULL);
@@ -263,19 +253,19 @@ sshkey_tests(void)
263 253
264 TEST_START("generate KEY_RSA too small modulus"); 254 TEST_START("generate KEY_RSA too small modulus");
265 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 128, &k1), 255 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 128, &k1),
266 SSH_ERR_INVALID_ARGUMENT); 256 SSH_ERR_KEY_LENGTH);
267 ASSERT_PTR_EQ(k1, NULL); 257 ASSERT_PTR_EQ(k1, NULL);
268 TEST_DONE(); 258 TEST_DONE();
269 259
270 TEST_START("generate KEY_RSA too large modulus"); 260 TEST_START("generate KEY_RSA too large modulus");
271 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1 << 20, &k1), 261 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1 << 20, &k1),
272 SSH_ERR_INVALID_ARGUMENT); 262 SSH_ERR_KEY_LENGTH);
273 ASSERT_PTR_EQ(k1, NULL); 263 ASSERT_PTR_EQ(k1, NULL);
274 TEST_DONE(); 264 TEST_DONE();
275 265
276 TEST_START("generate KEY_DSA wrong bits"); 266 TEST_START("generate KEY_DSA wrong bits");
277 ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 2048, &k1), 267 ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 2048, &k1),
278 SSH_ERR_INVALID_ARGUMENT); 268 SSH_ERR_KEY_LENGTH);
279 ASSERT_PTR_EQ(k1, NULL); 269 ASSERT_PTR_EQ(k1, NULL);
280 sshkey_free(k1); 270 sshkey_free(k1);
281 TEST_DONE(); 271 TEST_DONE();
@@ -283,7 +273,7 @@ sshkey_tests(void)
283#ifdef OPENSSL_HAS_ECC 273#ifdef OPENSSL_HAS_ECC
284 TEST_START("generate KEY_ECDSA wrong bits"); 274 TEST_START("generate KEY_ECDSA wrong bits");
285 ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 42, &k1), 275 ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 42, &k1),
286 SSH_ERR_INVALID_ARGUMENT); 276 SSH_ERR_KEY_LENGTH);
287 ASSERT_PTR_EQ(k1, NULL); 277 ASSERT_PTR_EQ(k1, NULL);
288 sshkey_free(k1); 278 sshkey_free(k1);
289 TEST_DONE(); 279 TEST_DONE();
@@ -291,7 +281,7 @@ sshkey_tests(void)
291 281
292 TEST_START("generate KEY_RSA"); 282 TEST_START("generate KEY_RSA");
293 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 767, &kr), 283 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 767, &kr),
294 SSH_ERR_INVALID_ARGUMENT); 284 SSH_ERR_KEY_LENGTH);
295 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1024, &kr), 0); 285 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1024, &kr), 0);
296 ASSERT_PTR_NE(kr, NULL); 286 ASSERT_PTR_NE(kr, NULL);
297 ASSERT_PTR_NE(kr->rsa, NULL); 287 ASSERT_PTR_NE(kr->rsa, NULL);
diff --git a/regress/yes-head.sh b/regress/yes-head.sh
index 1fc754211..fce2f6580 100644
--- a/regress/yes-head.sh
+++ b/regress/yes-head.sh
@@ -3,13 +3,11 @@
3 3
4tid="yes pipe head" 4tid="yes pipe head"
5 5
6for p in ${SSH_PROTOCOLS}; do 6lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
7 lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)` 7if [ $? -ne 0 ]; then
8 if [ $? -ne 0 ]; then 8 fail "yes|head test failed"
9 fail "yes|head test failed" 9 lines = 0;
10 lines = 0; 10fi
11 fi 11if [ $lines -ne 2000 ]; then
12 if [ $lines -ne 2000 ]; then 12 fail "yes|head returns $lines lines instead of 2000"
13 fail "yes|head returns $lines lines instead of 2000" 13fi
14 fi
15done