9 files changed, 83 insertions, 51 deletions
diff --git a/regress/README.regress b/regress/README.regress
index da9bb6a99..82e4cc751 100644
--- a/regress/README.regress
+++ b/regress/README.regress
@@ -93,10 +93,6 @@ Failed tests can be difficult to diagnose. Suggestions:
 Known Issues.
- If your build requires ssh-rand-helper regress tests will fail
-  unless ssh-rand-helper is in pre-installed (the path to
-  ssh-rand-helper is hard coded).
 - Similarly, if you do not have "scp" in your system's $PATH then the
  multiplex scp tests will fail (since the system's shell startup scripts
  will determine where the shell started by sshd will look for scp).
@@ -105,4 +101,4 @@ Known Issues.
  test to fail.  The old behaviour can be restored by setting (and
  exporting) _POSIX2_VERSION=199209 before running the tests.
-$Id: README.regress,v 1.11 2010/08/16 21:04:29 djm Exp $
+$Id: README.regress,v 1.12 2011/05/05 03:48:42 djm Exp $
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 3b147b9f7..6216abd87 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-hostkey.sh,v 1.5 2010/08/31 12:24:09 djm Exp $
+#       $OpenBSD: cert-hostkey.sh,v 1.6 2011/05/20 02:43:36 djm Exp $
 #       Placed in the Public Domain.
 tid="certified host keys"
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index fcca3708b..6700db274 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-userkey.sh,v 1.7 2010/08/31 12:24:09 djm Exp $
+#       $OpenBSD: cert-userkey.sh,v 1.8 2011/05/17 07:13:31 djm Exp $
 #       Placed in the Public Domain.
 tid="certified user keys"
@@ -27,7 +27,7 @@ for ktype in rsa dsa $ecdsa ; do
            -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
                fail "couldn't sign cert_user_key_${ktype}"
        # v00 ecdsa certs do not exist
-        test "{ktype}" = "ecdsa" && continue
+        test "${ktype}" = "ecdsa" && continue
        cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
        cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
        ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
index 96badd51b..0603fab64 100644
--- a/regress/cfgmatch.sh
+++ b/regress/cfgmatch.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cfgmatch.sh,v 1.4 2006/12/13 08:36:36 dtucker Exp $
+#       $OpenBSD: cfgmatch.sh,v 1.6 2011/06/03 05:35:10 dtucker Exp $
 #       Placed in the Public Domain.
 tid="sshd_config match"
@@ -7,6 +7,28 @@ pidfile=$OBJ/remote_pid
 fwdport=3301
 fwd="-L $fwdport:127.0.0.1:$PORT"
+echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config
+echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
+start_client()
+{
+        rm -f $pidfile
+        ${SSH} -q -$p $fwd "$@" somehost \
+            exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
+            >>$TEST_SSH_LOGFILE 2>&1 &
+        client_pid=$!
+        # Wait for remote end
+        n=0
+        while test ! -f $pidfile ; do
+                sleep 1
+                n=`expr $n + 1`
+                if test $n -gt 60; then
+                        kill $client_pid
+                        fatal "timeout waiting for background ssh"
+                fi
+        done    
+}
 stop_client()
 {
        pid=`cat $pidfile`
@@ -14,11 +36,15 @@ stop_client()
                kill $pid
                sleep 1
        fi
+        wait
 }
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
+echo "Match user $USER" >>$OBJ/sshd_proxy
+echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
 echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
 echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
@@ -32,12 +58,8 @@ start_sshd
 # Test Match + PermitOpen in sshd_config.  This should be permitted
 for p in 1 2; do
-        rm -f $pidfile
        trace "match permitopen localhost proto $p"
-        ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
+        start_client -F $OBJ/ssh_config
-            exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\
-            fail "match permitopen proto $p sshd failed"
-        sleep 1;
        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
            fail "match permitopen permit proto $p"
        stop_client
@@ -45,12 +67,8 @@ done
 # Same but from different source.  This should not be permitted
 for p in 1 2; do
-        rm -f $pidfile
        trace "match permitopen proxy proto $p"
-        ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+        start_client -F $OBJ/ssh_proxy
-            exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\
-            fail "match permitopen proxy proto $p sshd failed"
-        sleep 1;
        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
            fail "match permitopen deny proto $p"
        stop_client
@@ -62,12 +80,8 @@ cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
 echon 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
 cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
 for p in 1 2; do
-        rm -f $pidfile
        trace "match permitopen proxy w/key opts proto $p"
-        ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+        start_client -F $OBJ/ssh_proxy
-            exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\
-            fail "match permitopen w/key opt proto $p sshd failed"
-        sleep 1;
        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
            fail "match permitopen deny w/key opt proto $p"
        stop_client
@@ -76,12 +90,8 @@ done
 # Test both sshd_config and key options permitting the same dst/port pair.
 # Should be permitted.
 for p in 1 2; do
-        rm -f $pidfile
        trace "match permitopen localhost proto $p"
-        ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
+        start_client -F $OBJ/ssh_config
-            exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\
-            fail "match permitopen proto $p sshd failed"
-        sleep 1;
        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
            fail "match permitopen permit proto $p"
        stop_client
@@ -94,12 +104,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
 # Test that a Match overrides a PermitOpen in the global section
 for p in 1 2; do
-        rm -f $pidfile
        trace "match permitopen proxy w/key opts proto $p"
-        ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+        start_client -F $OBJ/ssh_proxy
-            exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\
-            fail "match override permitopen proto $p sshd failed"
-        sleep 1;
        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
            fail "match override permitopen proto $p"
        stop_client
@@ -113,12 +119,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
 # Test that a rule that doesn't match doesn't override, plus test a
 # PermitOpen entry that's not at the start of the list
 for p in 1 2; do
-        rm -f $pidfile
        trace "nomatch permitopen proxy w/key opts proto $p"
-        ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+        start_client -F $OBJ/ssh_proxy
-            exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\
-            fail "nomatch override permitopen proto $p sshd failed"
-        sleep 1;
        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
            fail "nomatch override permitopen proto $p"
        stop_client
diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh
index 85de6d585..257afd179 100644
--- a/regress/cipher-speed.sh
+++ b/regress/cipher-speed.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cipher-speed.sh,v 1.3 2007/06/07 19:41:46 pvalchev Exp $
+#       $OpenBSD: cipher-speed.sh,v 1.4 2011/08/02 01:23:41 djm Exp $
 #       Placed in the Public Domain.
 tid="cipher speed"
@@ -12,9 +12,13 @@ tries="1 2"
 DATA=/bin/ls
 DATA=/bsd
-macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96"
 ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc 
-        arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc aes128-ctr"
+        arcfour128 arcfour256 arcfour 
+        aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
+        aes128-ctr aes192-ctr aes256-ctr"
+macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96"
+config_defined HAVE_EVP_SHA256 &&
+    macs="$macs hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96"
 for c in $ciphers; do for m in $macs; do
        trace "proto 2 cipher $c mac $m"
diff --git a/regress/connect-privsep.sh b/regress/connect-privsep.sh
index d23cadba5..11fb9aef9 100644
--- a/regress/connect-privsep.sh
+++ b/regress/connect-privsep.sh
@@ -1,8 +1,9 @@
-#       $OpenBSD: connect-privsep.sh,v 1.1 2002/03/21 21:45:07 markus Exp $
+#       $OpenBSD: connect-privsep.sh,v 1.2 2011/06/30 22:44:43 markus Exp $
 #       Placed in the Public Domain.
 tid="proxy connect with privsep"
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
 echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy
 for p in 1 2; do
@@ -11,3 +12,14 @@ for p in 1 2; do
                fail "ssh privsep+proxyconnect protocol $p failed"
        fi
 done
+cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
+echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy
+for p in 1 2; do
+        ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
+        if [ $? -ne 0 ]; then
+                # XXX replace this with fail once sandbox has stabilised
+                warn "ssh privsep/sandbox+proxyconnect protocol $p failed"
+        fi
+done
diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh
index 4674a7baf..d1ab8059b 100644
--- a/regress/dynamic-forward.sh
+++ b/regress/dynamic-forward.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: dynamic-forward.sh,v 1.4 2004/06/22 22:55:56 dtucker Exp $
+#       $OpenBSD: dynamic-forward.sh,v 1.9 2011/06/03 00:29:52 dtucker Exp $
 #       Placed in the Public Domain.
 tid="dynamic forwarding"
@@ -20,9 +20,23 @@ trace "will use ProxyCommand $proxycmd"
 start_sshd
 for p in 1 2; do
+        n=0
+        error="1"
        trace "start dynamic forwarding, fork to background"
-        ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q somehost \
+        while [ "$error" -ne 0 -a "$n" -lt 3 ]; do
-                exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
+                n=`expr $n + 1`
+                ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \
+                    -oExitOnForwardFailure=yes somehost exec sh -c \
+                        \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
+                error=$?
+                if [ "$error" -ne 0 ]; then
+                        trace "forward failed proto $p attempt $n err $error"
+                        sleep $n
+                fi
+        done
+        if [ "$error" -ne 0 ]; then
+                fatal "failed to start dynamic forwarding proto $p"
+        fi
        for s in 4 5; do
            for h in 127.0.0.1 localhost; do
@@ -44,7 +58,4 @@ for p in 1 2; do
        else
                fail "no pid file: $OBJ/remote_pid"
        fi
-        # Must allow time for connection tear-down
-        sleep 2
 done
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 5c56aefff..092cfed5b 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -204,6 +204,11 @@ verbose ()
        fi
 }
+warn ()
+{
+        echo "WARNING: $@" >>$TEST_SSH_LOGFILE
+        echo "WARNING: $@"
+}
 fail ()
 {
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh
index ef776d2ee..0918d2245 100644
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: try-ciphers.sh,v 1.11 2007/06/07 19:41:46 pvalchev Exp $
+#       $OpenBSD: try-ciphers.sh,v 1.12 2011/08/02 01:23:41 djm Exp $
 #       Placed in the Public Domain.
 tid="try ciphers"
@@ -8,6 +8,8 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
        aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
        aes128-ctr aes192-ctr aes256-ctr"
 macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96"
+config_defined HAVE_EVP_SHA256 &&
+    macs="$macs hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96"
 for c in $ciphers; do
        for m in $macs; do

diff --git a/regress/README.regress b/regress/README.regress index da9bb6a99..82e4cc751 100644 --- a/regress/README.regress +++ b/regress/README.regress
@@ -93,10 +93,6 @@ Failed tests can be difficult to diagnose. Suggestions:
93		93
94	Known Issues.	94	Known Issues.
95		95
96	- If your build requires ssh-rand-helper regress tests will fail
97	unless ssh-rand-helper is in pre-installed (the path to
98	ssh-rand-helper is hard coded).
99
100	- Similarly, if you do not have "scp" in your system's $PATH then the	96	- Similarly, if you do not have "scp" in your system's $PATH then the
101	multiplex scp tests will fail (since the system's shell startup scripts	97	multiplex scp tests will fail (since the system's shell startup scripts
102	will determine where the shell started by sshd will look for scp).	98	will determine where the shell started by sshd will look for scp).
@@ -105,4 +101,4 @@ Known Issues.
105	test to fail. The old behaviour can be restored by setting (and	101	test to fail. The old behaviour can be restored by setting (and
106	exporting) _POSIX2_VERSION=199209 before running the tests.	102	exporting) _POSIX2_VERSION=199209 before running the tests.
107		103
108	$Id: README.regress,v 1.11 2010/08/16 21:04:29 djm Exp $	104	$Id: README.regress,v 1.12 2011/05/05 03:48:42 djm Exp $


diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 3b147b9f7..6216abd87 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-hostkey.sh,v 1.5 2010/08/31 12:24:09 djm Exp $	1	# $OpenBSD: cert-hostkey.sh,v 1.6 2011/05/20 02:43:36 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified host keys"	4	tid="certified host keys"


diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index fcca3708b..6700db274 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cert-userkey.sh,v 1.7 2010/08/31 12:24:09 djm Exp $	1	# $OpenBSD: cert-userkey.sh,v 1.8 2011/05/17 07:13:31 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="certified user keys"	4	tid="certified user keys"
@@ -27,7 +27,7 @@ for ktype in rsa dsa $ecdsa ; do
27	-n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} \|\|	27	-n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} \|\|
28	fail "couldn't sign cert_user_key_${ktype}"	28	fail "couldn't sign cert_user_key_${ktype}"
29	# v00 ecdsa certs do not exist	29	# v00 ecdsa certs do not exist
30	test "{ktype}" = "ecdsa" && continue	30	test "${ktype}" = "ecdsa" && continue
31	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00	31	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
32	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub	32	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
33	${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \	33	${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \


diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh index 96badd51b..0603fab64 100644 --- a/regress/cfgmatch.sh +++ b/regress/cfgmatch.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cfgmatch.sh,v 1.4 2006/12/13 08:36:36 dtucker Exp $	1	# $OpenBSD: cfgmatch.sh,v 1.6 2011/06/03 05:35:10 dtucker Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="sshd_config match"	4	tid="sshd_config match"
@@ -7,6 +7,28 @@ pidfile=$OBJ/remote_pid
7	fwdport=3301	7	fwdport=3301
8	fwd="-L $fwdport:127.0.0.1:$PORT"	8	fwd="-L $fwdport:127.0.0.1:$PORT"
9		9
		10	echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config
		11	echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
		12
		13	start_client()
		14	{
		15	rm -f $pidfile
		16	${SSH} -q -$p $fwd "$@" somehost \
		17	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
		18	>>$TEST_SSH_LOGFILE 2>&1 &
		19	client_pid=$!
		20	# Wait for remote end
		21	n=0
		22	while test ! -f $pidfile ; do
		23	sleep 1
		24	n=`expr $n + 1`
		25	if test $n -gt 60; then
		26	kill $client_pid
		27	fatal "timeout waiting for background ssh"
		28	fi
		29	done
		30	}
		31
10	stop_client()	32	stop_client()
11	{	33	{
12	pid=`cat $pidfile`	34	pid=`cat $pidfile`
@@ -14,11 +36,15 @@ stop_client()
14	kill $pid	36	kill $pid
15	sleep 1	37	sleep 1
16	fi	38	fi
		39	wait
17	}	40	}
18		41
19	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak	42	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
20		43	grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
		44	echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
21	echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config	45	echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
		46	echo "Match user $USER" >>$OBJ/sshd_proxy
		47	echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
22	echo "Match Address 127.0.0.1" >>$OBJ/sshd_config	48	echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
23	echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config	49	echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
24		50
@@ -32,12 +58,8 @@ start_sshd
32		58
33	# Test Match + PermitOpen in sshd_config. This should be permitted	59	# Test Match + PermitOpen in sshd_config. This should be permitted
34	for p in 1 2; do	60	for p in 1 2; do
35	rm -f $pidfile
36	trace "match permitopen localhost proto $p"	61	trace "match permitopen localhost proto $p"
37	${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \	62	start_client -F $OBJ/ssh_config
38	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 \|\|\
39	fail "match permitopen proto $p sshd failed"
40	sleep 1;
41	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \	63	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
42	fail "match permitopen permit proto $p"	64	fail "match permitopen permit proto $p"
43	stop_client	65	stop_client
@@ -45,12 +67,8 @@ done
45		67
46	# Same but from different source. This should not be permitted	68	# Same but from different source. This should not be permitted
47	for p in 1 2; do	69	for p in 1 2; do
48	rm -f $pidfile
49	trace "match permitopen proxy proto $p"	70	trace "match permitopen proxy proto $p"
50	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \	71	start_client -F $OBJ/ssh_proxy
51	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 \|\|\
52	fail "match permitopen proxy proto $p sshd failed"
53	sleep 1;
54	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \	72	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
55	fail "match permitopen deny proto $p"	73	fail "match permitopen deny proto $p"
56	stop_client	74	stop_client
@@ -62,12 +80,8 @@ cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
62	echon 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER	80	echon 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
63	cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER	81	cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
64	for p in 1 2; do	82	for p in 1 2; do
65	rm -f $pidfile
66	trace "match permitopen proxy w/key opts proto $p"	83	trace "match permitopen proxy w/key opts proto $p"
67	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \	84	start_client -F $OBJ/ssh_proxy
68	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 \|\|\
69	fail "match permitopen w/key opt proto $p sshd failed"
70	sleep 1;
71	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \	85	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
72	fail "match permitopen deny w/key opt proto $p"	86	fail "match permitopen deny w/key opt proto $p"
73	stop_client	87	stop_client
@@ -76,12 +90,8 @@ done
76	# Test both sshd_config and key options permitting the same dst/port pair.	90	# Test both sshd_config and key options permitting the same dst/port pair.
77	# Should be permitted.	91	# Should be permitted.
78	for p in 1 2; do	92	for p in 1 2; do
79	rm -f $pidfile
80	trace "match permitopen localhost proto $p"	93	trace "match permitopen localhost proto $p"
81	${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \	94	start_client -F $OBJ/ssh_config
82	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 \|\|\
83	fail "match permitopen proto $p sshd failed"
84	sleep 1;
85	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \	95	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
86	fail "match permitopen permit proto $p"	96	fail "match permitopen permit proto $p"
87	stop_client	97	stop_client
@@ -94,12 +104,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
94		104
95	# Test that a Match overrides a PermitOpen in the global section	105	# Test that a Match overrides a PermitOpen in the global section
96	for p in 1 2; do	106	for p in 1 2; do
97	rm -f $pidfile
98	trace "match permitopen proxy w/key opts proto $p"	107	trace "match permitopen proxy w/key opts proto $p"
99	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \	108	start_client -F $OBJ/ssh_proxy
100	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 \|\|\
101	fail "match override permitopen proto $p sshd failed"
102	sleep 1;
103	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \	109	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
104	fail "match override permitopen proto $p"	110	fail "match override permitopen proto $p"
105	stop_client	111	stop_client
@@ -113,12 +119,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
113	# Test that a rule that doesn't match doesn't override, plus test a	119	# Test that a rule that doesn't match doesn't override, plus test a
114	# PermitOpen entry that's not at the start of the list	120	# PermitOpen entry that's not at the start of the list
115	for p in 1 2; do	121	for p in 1 2; do
116	rm -f $pidfile
117	trace "nomatch permitopen proxy w/key opts proto $p"	122	trace "nomatch permitopen proxy w/key opts proto $p"
118	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \	123	start_client -F $OBJ/ssh_proxy
119	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 \|\|\
120	fail "nomatch override permitopen proto $p sshd failed"
121	sleep 1;
122	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \	124	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
123	fail "nomatch override permitopen proto $p"	125	fail "nomatch override permitopen proto $p"
124	stop_client	126	stop_client


diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 85de6d585..257afd179 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cipher-speed.sh,v 1.3 2007/06/07 19:41:46 pvalchev Exp $	1	# $OpenBSD: cipher-speed.sh,v 1.4 2011/08/02 01:23:41 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="cipher speed"	4	tid="cipher speed"
@@ -12,9 +12,13 @@ tries="1 2"
12	DATA=/bin/ls	12	DATA=/bin/ls
13	DATA=/bsd	13	DATA=/bsd
14		14
15	macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96"
16	ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc	15	ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
17	arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc aes128-ctr"	16	arcfour128 arcfour256 arcfour
		17	aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
		18	aes128-ctr aes192-ctr aes256-ctr"
		19	macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96"
		20	config_defined HAVE_EVP_SHA256 &&
		21	macs="$macs hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96"
18		22
19	for c in $ciphers; do for m in $macs; do	23	for c in $ciphers; do for m in $macs; do
20	trace "proto 2 cipher $c mac $m"	24	trace "proto 2 cipher $c mac $m"


diff --git a/regress/connect-privsep.sh b/regress/connect-privsep.sh index d23cadba5..11fb9aef9 100644 --- a/regress/connect-privsep.sh +++ b/regress/connect-privsep.sh
@@ -1,8 +1,9 @@
1	# $OpenBSD: connect-privsep.sh,v 1.1 2002/03/21 21:45:07 markus Exp $	1	# $OpenBSD: connect-privsep.sh,v 1.2 2011/06/30 22:44:43 markus Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="proxy connect with privsep"	4	tid="proxy connect with privsep"
5		5
		6	cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
6	echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy	7	echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy
7		8
8	for p in 1 2; do	9	for p in 1 2; do
@@ -11,3 +12,14 @@ for p in 1 2; do
11	fail "ssh privsep+proxyconnect protocol $p failed"	12	fail "ssh privsep+proxyconnect protocol $p failed"
12	fi	13	fi
13	done	14	done
		15
		16	cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
		17	echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy
		18
		19	for p in 1 2; do
		20	${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
		21	if [ $? -ne 0 ]; then
		22	# XXX replace this with fail once sandbox has stabilised
		23	warn "ssh privsep/sandbox+proxyconnect protocol $p failed"
		24	fi
		25	done


diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh index 4674a7baf..d1ab8059b 100644 --- a/regress/dynamic-forward.sh +++ b/regress/dynamic-forward.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: dynamic-forward.sh,v 1.4 2004/06/22 22:55:56 dtucker Exp $	1	# $OpenBSD: dynamic-forward.sh,v 1.9 2011/06/03 00:29:52 dtucker Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="dynamic forwarding"	4	tid="dynamic forwarding"
@@ -20,9 +20,23 @@ trace "will use ProxyCommand $proxycmd"
20	start_sshd	20	start_sshd
21		21
22	for p in 1 2; do	22	for p in 1 2; do
		23	n=0
		24	error="1"
23	trace "start dynamic forwarding, fork to background"	25	trace "start dynamic forwarding, fork to background"
24	${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q somehost \	26	while [ "$error" -ne 0 -a "$n" -lt 3 ]; do
25	exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'	27	n=`expr $n + 1`
		28	${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \
		29	-oExitOnForwardFailure=yes somehost exec sh -c \
		30	\'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
		31	error=$?
		32	if [ "$error" -ne 0 ]; then
		33	trace "forward failed proto $p attempt $n err $error"
		34	sleep $n
		35	fi
		36	done
		37	if [ "$error" -ne 0 ]; then
		38	fatal "failed to start dynamic forwarding proto $p"
		39	fi
26		40
27	for s in 4 5; do	41	for s in 4 5; do
28	for h in 127.0.0.1 localhost; do	42	for h in 127.0.0.1 localhost; do
@@ -44,7 +58,4 @@ for p in 1 2; do
44	else	58	else
45	fail "no pid file: $OBJ/remote_pid"	59	fail "no pid file: $OBJ/remote_pid"
46	fi	60	fi
47
48	# Must allow time for connection tear-down
49	sleep 2
50	done	61	done


diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 5c56aefff..092cfed5b 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh
@@ -204,6 +204,11 @@ verbose ()
204	fi	204	fi
205	}	205	}
206		206
		207	warn ()
		208	{
		209	echo "WARNING: $@" >>$TEST_SSH_LOGFILE
		210	echo "WARNING: $@"
		211	}
207		212
208	fail ()	213	fail ()
209	{	214	{


diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index ef776d2ee..0918d2245 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: try-ciphers.sh,v 1.11 2007/06/07 19:41:46 pvalchev Exp $	1	# $OpenBSD: try-ciphers.sh,v 1.12 2011/08/02 01:23:41 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="try ciphers"	4	tid="try ciphers"
@@ -8,6 +8,8 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
8	aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se	8	aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
9	aes128-ctr aes192-ctr aes256-ctr"	9	aes128-ctr aes192-ctr aes256-ctr"
10	macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96"	10	macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96"
		11	config_defined HAVE_EVP_SHA256 &&
		12	macs="$macs hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96"
11		13
12	for c in $ciphers; do	14	for c in $ciphers; do
13	for m in $macs; do	15	for m in $macs; do