Diffstat (limited to 'regress')
-rw-r--r--regress/Makefile5
-rw-r--r--regress/README.regress2
-rw-r--r--regress/agent-getpeereid.sh3
-rw-r--r--regress/agent-ptrace.sh2
-rw-r--r--regress/agent.sh144
-rw-r--r--regress/allow-deny-users.sh1
-rw-r--r--regress/authinfo.sh4
-rw-r--r--regress/cert-userkey.sh5
-rw-r--r--regress/cfgmatch.sh6
-rw-r--r--regress/connect-uri.sh29
-rw-r--r--regress/forward-control.sh29
-rw-r--r--regress/key-options.sh68
-rw-r--r--regress/keys-command.sh2
-rw-r--r--regress/keytype.sh14
-rw-r--r--regress/limit-keytype.sh9
-rw-r--r--regress/misc/fuzz-harness/sig_fuzz.cc12
-rw-r--r--regress/misc/kexfuzz/Makefile32
-rw-r--r--regress/misc/kexfuzz/README2
-rw-r--r--[-rwxr-xr-x]regress/modpipe.c0
-rw-r--r--regress/netcat.c7
-rw-r--r--regress/proxy-connect.sh30
-rw-r--r--regress/putty-ciphers.sh2
-rw-r--r--regress/putty-kex.sh2
-rw-r--r--regress/putty-transfer.sh6
-rw-r--r--regress/scp-uri.sh70
-rw-r--r--regress/sftp-chroot.sh7
-rw-r--r--regress/sftp-uri.sh63
-rw-r--r--regress/sftp.sh6
-rw-r--r--regress/sshd-log-wrapper.sh2
-rw-r--r--regress/test-exec.sh6
-rw-r--r--regress/unittests/Makefile3
-rw-r--r--regress/unittests/Makefile.inc16
-rw-r--r--regress/unittests/authopt/testdata/all_permit.cert1
-rw-r--r--regress/unittests/authopt/testdata/bad_sourceaddr.cert1
-rw-r--r--regress/unittests/authopt/testdata/force_command.cert1
-rw-r--r--regress/unittests/authopt/testdata/host.cert1
-rw-r--r--regress/unittests/authopt/testdata/mktestdata.sh48
-rw-r--r--regress/unittests/authopt/testdata/no_agentfwd.cert1
-rw-r--r--regress/unittests/authopt/testdata/no_permit.cert1
-rw-r--r--regress/unittests/authopt/testdata/no_portfwd.cert1
-rw-r--r--regress/unittests/authopt/testdata/no_pty.cert1
-rw-r--r--regress/unittests/authopt/testdata/no_user_rc.cert1
-rw-r--r--regress/unittests/authopt/testdata/no_x11fwd.cert1
-rw-r--r--regress/unittests/authopt/testdata/only_agentfwd.cert1
-rw-r--r--regress/unittests/authopt/testdata/only_portfwd.cert1
-rw-r--r--regress/unittests/authopt/testdata/only_pty.cert1
-rw-r--r--regress/unittests/authopt/testdata/only_user_rc.cert1
-rw-r--r--regress/unittests/authopt/testdata/only_x11fwd.cert1
-rw-r--r--regress/unittests/authopt/testdata/sourceaddr.cert1
-rw-r--r--regress/unittests/authopt/testdata/unknown_critical.cert1
-rw-r--r--regress/unittests/authopt/tests.c573
-rw-r--r--regress/unittests/bitmap/Makefile6
-rw-r--r--regress/unittests/conversion/Makefile7
-rw-r--r--regress/unittests/hostkeys/Makefile15
-rw-r--r--regress/unittests/kex/Makefile19
-rw-r--r--regress/unittests/match/Makefile8
-rw-r--r--regress/unittests/sshbuf/Makefile12
-rw-r--r--regress/unittests/sshkey/Makefile15
-rw-r--r--regress/unittests/sshkey/test_fuzz.c6
-rw-r--r--regress/unittests/sshkey/test_sshkey.c8
-rw-r--r--regress/unittests/test_helper/test_helper.c14
-rw-r--r--regress/unittests/test_helper/test_helper.h4
-rw-r--r--regress/unittests/utf8/Makefile6
-rw-r--r--regress/yes-head.sh2
64 files changed, 1182 insertions, 167 deletions
diff --git a/regress/Makefile b/regress/Makefile
index 7d50f9cfa..d15898ad0 100644
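--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.95 2017/06/24 06:35:24 djm Exp $
+# $OpenBSD: Makefile,v 1.96 2017/10/24 19:33:32 millert Exp $
 
 REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
 tests: prep $(REGRESS_TARGETS)
@@ -19,6 +19,7 @@ distclean: clean
 LTESTS= connect \
  proxy-connect \
  connect-privsep \
+ connect-uri \
  proto-version \
  proto-mismatch \
  exit-status \
@@ -42,6 +43,7 @@ LTESTS= connect \
  keygen-moduli \
  key-options \
  scp \
+ scp-uri \
  sftp \
  sftp-chroot \
  sftp-cmds \
@@ -49,6 +51,7 @@ LTESTS= connect \
  sftp-batch \
  sftp-glob \
  sftp-perm \
+ sftp-uri \
  reconfigure \
  dynamic-forward \
  forwarding \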
diff --git a/regress/README.regress b/regress/README.regress
index 9b99bdacb..867855017 100644
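--- a/regress/README.regress
+++ b/regress/README.regress
@@ -100,5 +100,3 @@ Known Issues.
 - Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head
  test to fail. The old behaviour can be restored by setting (and
  exporting) _POSIX2_VERSION=199209 before running the tests.
-
-$Id: README.regress,v 1.12 2011/05/05 03:48:42 djm Exp $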
diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh
index 037a50914..769c29e8d 100644
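--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent-getpeereid.sh,v 1.9 2017/09/13 14:58:26 bluhm Exp $
+# $OpenBSD: agent-getpeereid.sh,v 1.10 2018/02/09 03:40:22 dtucker Exp $
 # Placed in the Public Domain.
 
 tid="disallow agent attach from other uid"
@@ -18,6 +18,7 @@ case "x$SUDO" in
  xdoas) ;;
  x)
  echo "need SUDO to switch to uid $UNPRIV"
+ echo SKIPPED
  exit 0 ;;
  *)
  echo "unsupported $SUDO - "doas" and "sudo" are allowed"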
diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh
index bb676d631..2d795ee32 100644
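--- a/regress/agent-ptrace.sh
+++ b/regress/agent-ptrace.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent-ptrace.sh,v 1.2 2014/02/27 21:21:25 djm Exp $
+# $OpenBSD: agent-ptrace.sh,v 1.3 2015/09/11 04:55:01 djm Exp $
 # Placed in the Public Domain.
 
 tid="disallow agent ptrace attach"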
diff --git a/regress/agent.sh b/regress/agent.sh
index 0baf0c74a..7111056c9 100644
--- a/regress/agent.sh
+++ b/regress/agent.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: agent.sh,v 1.12 2017/04/30 23:34:55 djm Exp $ 1# $OpenBSD: agent.sh,v 1.13 2017/12/19 00:49:30 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="simple agent test" 4tid="simple agent test"
@@ -12,66 +12,106 @@ trace "start agent"
12eval `${SSHAGENT} -s` > /dev/null 12eval `${SSHAGENT} -s` > /dev/null
13r=$? 13r=$?
14if [ $r -ne 0 ]; then 14if [ $r -ne 0 ]; then
15 fail "could not start ssh-agent: exit code $r" 15 fatal "could not start ssh-agent: exit code $r"
16else 16fi
17 ${SSHADD} -l > /dev/null 2>&1 17
18 if [ $? -ne 1 ]; then 18${SSHADD} -l > /dev/null 2>&1
19 fail "ssh-add -l did not fail with exit code 1" 19if [ $? -ne 1 ]; then
20 fi 20 fail "ssh-add -l did not fail with exit code 1"
21 trace "overwrite authorized keys" 21fi
22 printf '' > $OBJ/authorized_keys_$USER 22
23 for t in ${SSH_KEYTYPES}; do 23rm -f $OBJ/user_ca_key $OBJ/user_ca_key.pub
24 # generate user key for agent 24${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key \
25 rm -f $OBJ/$t-agent 25 || fatal "ssh-keygen failed"
26 ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\ 26
27 fail "ssh-keygen for $t-agent failed" 27trace "overwrite authorized keys"
28 # add to authorized keys 28printf '' > $OBJ/authorized_keys_$USER
29 cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER 29
30 # add privat key to agent 30for t in ${SSH_KEYTYPES}; do
31 ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1 31 # generate user key for agent
32 if [ $? -ne 0 ]; then 32 rm -f $OBJ/$t-agent $OBJ/$t-agent.pub*
33 fail "ssh-add did succeed exit code 0" 33 ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
34 fi 34 fatal "ssh-keygen for $t-agent failed"
35 done 35 # Make a certificate for each too.
36 ${SSHADD} -l > /dev/null 2>&1 36 ${SSHKEYGEN} -qs $OBJ/user_ca_key -I "$t cert" \
37 r=$? 37 -n estragon $OBJ/$t-agent.pub || fatal "ca sign failed"
38 if [ $r -ne 0 ]; then 38
39 fail "ssh-add -l failed: exit code $r" 39 # add to authorized keys
40 fi 40 cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
41 # the same for full pubkey output 41 # add privat key to agent
42 ${SSHADD} -L > /dev/null 2>&1 42 ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
43 r=$? 43 if [ $? -ne 0 ]; then
44 if [ $r -ne 0 ]; then 44 fail "ssh-add did succeed exit code 0"
45 fail "ssh-add -L failed: exit code $r"
46 fi 45 fi
46 # Remove private key to ensure that we aren't accidentally using it.
47 rm -f $OBJ/$t-agent
48done
49
50# Remove explicit identity directives from ssh_proxy
51mv $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
52grep -vi identityfile $OBJ/ssh_proxy_bak > $OBJ/ssh_proxy
53
54${SSHADD} -l > /dev/null 2>&1
55r=$?
56if [ $r -ne 0 ]; then
57 fail "ssh-add -l failed: exit code $r"
58fi
59# the same for full pubkey output
60${SSHADD} -L > /dev/null 2>&1
61r=$?
62if [ $r -ne 0 ]; then
63 fail "ssh-add -L failed: exit code $r"
64fi
47 65
48 trace "simple connect via agent" 66trace "simple connect via agent"
49 ${SSH} -F $OBJ/ssh_proxy somehost exit 52 67${SSH} -F $OBJ/ssh_proxy somehost exit 52
68r=$?
69if [ $r -ne 52 ]; then
70 fail "ssh connect with failed (exit code $r)"
71fi
72
73for t in ${SSH_KEYTYPES}; do
74 trace "connect via agent using $t key"
75 ${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub -oIdentitiesOnly=yes \
76 somehost exit 52
50 r=$? 77 r=$?
51 if [ $r -ne 52 ]; then 78 if [ $r -ne 52 ]; then
52 fail "ssh connect with failed (exit code $r)" 79 fail "ssh connect with failed (exit code $r)"
53 fi 80 fi
81done
54 82
55 trace "agent forwarding" 83trace "agent forwarding"
56 ${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 84${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
57 r=$? 85r=$?
58 if [ $r -ne 0 ]; then 86if [ $r -ne 0 ]; then
59 fail "ssh-add -l via agent fwd failed (exit code $r)" 87 fail "ssh-add -l via agent fwd failed (exit code $r)"
60 fi 88fi
61 ${SSH} -A -F $OBJ/ssh_proxy somehost \ 89${SSH} -A -F $OBJ/ssh_proxy somehost \
62 "${SSH} -F $OBJ/ssh_proxy somehost exit 52" 90 "${SSH} -F $OBJ/ssh_proxy somehost exit 52"
63 r=$? 91r=$?
64 if [ $r -ne 52 ]; then 92if [ $r -ne 52 ]; then
65 fail "agent fwd failed (exit code $r)" 93 fail "agent fwd failed (exit code $r)"
66 fi 94fi
67 95
68 trace "delete all agent keys" 96(printf 'cert-authority,principals="estragon" '; cat $OBJ/user_ca_key.pub) \
69 ${SSHADD} -D > /dev/null 2>&1 97 > $OBJ/authorized_keys_$USER
98for t in ${SSH_KEYTYPES}; do
99 trace "connect via agent using $t key"
100 ${SSH} -F $OBJ/ssh_proxy -i $OBJ/$t-agent.pub \
101 -oCertificateFile=$OBJ/$t-agent-cert.pub \
102 -oIdentitiesOnly=yes somehost exit 52
70 r=$? 103 r=$?
71 if [ $r -ne 0 ]; then 104 if [ $r -ne 52 ]; then
72 fail "ssh-add -D failed: exit code $r" 105 fail "ssh connect with failed (exit code $r)"
73 fi 106 fi
107done
74 108
75 trace "kill agent" 109trace "delete all agent keys"
76 ${SSHAGENT} -k > /dev/null 110${SSHADD} -D > /dev/null 2>&1
111r=$?
112if [ $r -ne 0 ]; then
113 fail "ssh-add -D failed: exit code $r"
77fi 114fi
115
116trace "kill agent"
117${SSHAGENT} -k > /dev/null
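Review bot: Both new per-key-type loops (new lines 73-81 and 98-107) fail with the same text as the earlier all-keys check, `fail "ssh connect with failed (exit code $r)"`, and the certificate loop reuses the trace `connect via agent using $t key`, so a failure in the log cannot be attributed to a key type or to the plain-key versus certificate path. Including the type would fix that, e.g. `fail "ssh connect with $t key failed (exit code $r)"` in the first loop, `fail "ssh connect with $t cert failed (exit code $r)"` in the second, and `trace "connect via agent using $t cert"` for the second trace. Separately, several of the new `fatal` calls run after the agent has been started; whether `fatal` reaches the `${SSHAGENT} -k` cleanup is not visible in this section, so it is worth confirming that no agent holding test keys is left running on that path.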
diff --git a/regress/allow-deny-users.sh b/regress/allow-deny-users.sh
index 86805e193..4165111e0 100644
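--- a/regress/allow-deny-users.sh
+++ b/regress/allow-deny-users.sh
@@ -1,5 +1,6 @@
 # Public Domain
 # Zev Weiss, 2016
+# $OpenBSD: allow-deny-users.sh,v 1.4 2017/10/20 02:13:41 djm Exp $
 
 tid="AllowUsers/DenyUsers"
 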
diff --git a/regress/authinfo.sh b/regress/authinfo.sh
index e725296c9..3caf89478 100644
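--- a/regress/authinfo.sh
+++ b/regress/authinfo.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: authinfo.sh,v 1.1 2017/06/24 06:35:24 djm Exp $
+# $OpenBSD: authinfo.sh,v 1.2 2017/10/25 20:08:36 millert Exp $
 # Placed in the Public Domain.
 
 tid="authinfo"
@@ -6,7 +6,7 @@ tid="authinfo"
 # Ensure the environment variable doesn't leak when ExposeAuthInfo=no.
 verbose "ExposeAuthInfo=no"
 env SSH_USER_AUTH=blah ${SSH} -F $OBJ/ssh_proxy x \
- 'test -z "$SSH_USER_AUTH"' || fail "SSH_USER_AUTH present"
+ 'env | grep SSH_USER_AUTH >/dev/null' && fail "SSH_USER_AUTH present"
 
 verbose "ExposeAuthInfo=yes"
 echo ExposeAuthInfo=yes >> $OBJ/sshd_proxy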
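Review bot: With the switch from `|| fail` to `&& fail` on new line 9, the ExposeAuthInfo=no check passes whenever the ssh command exits non-zero for any reason, so a failed connection looks the same as "variable absent" and a leak of SSH_USER_AUTH would go untested in that run. Making the remote command succeed only when grep finds nothing restores a positive assertion: `'env | grep SSH_USER_AUTH >/dev/null; test $? -eq 1' || fail "SSH_USER_AUTH present"`. With that form a connection failure, a grep error and a real match all reach `fail`.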
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 6a23fe300..30c2c156d 100644
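--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-userkey.sh,v 1.18 2017/04/30 23:34:55 djm Exp $
+# $OpenBSD: cert-userkey.sh,v 1.19 2018/03/12 00:54:04 djm Exp $
 # Placed in the Public Domain.
 
 tid="certified user keys"
@@ -8,6 +8,7 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
 
 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
+EXTRA_TYPES=""
 
 if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
  PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
@@ -15,7 +16,7 @@ fi
 
 kname() {
  case $ktype in
- rsa-sha2-*) ;;
+ rsa-sha2-*) n="$ktype" ;;
  # subshell because some seds will add a newline
  *) n=$(echo $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/') ;;
  esac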
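Review bot: The new `rsa-sha2-*) n="$ktype" ;;` branch in kname() takes its value from the global `$ktype`, while the fallback branch derives `n` from the argument `$1`, so the result depends on a variable the caller must have set in addition to what it passes. If every caller passes `$ktype` as the argument (not visible here), switching on and assigning from the argument removes that coupling: `case $1 in` and `rsa-sha2-*) n="$1" ;;`. The `case $ktype in` line is existing context and kname() ends outside the hunk. `EXTRA_TYPES=""` on new line 11 is not read by anything in the visible hunks, so a one-line comment on what it is for would help.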
diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
index 2504d04f4..dd11e404d 100644
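--- a/regress/cfgmatch.sh
+++ b/regress/cfgmatch.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cfgmatch.sh,v 1.10 2017/04/30 23:34:55 djm Exp $
+# $OpenBSD: cfgmatch.sh,v 1.11 2017/10/04 18:50:23 djm Exp $
 # Placed in the Public Domain.
 
 tid="sshd_config match"
@@ -41,7 +41,7 @@ stop_client()
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
 echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
-echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
+echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_config
 
 grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
 echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
@@ -49,7 +49,7 @@ echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
 echo "Match user $USER" >>$OBJ/sshd_proxy
 echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
 echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
-echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
 
 start_sshd
 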
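Review bot: The two `PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT` lines (new lines 44 and 52) carry no comment saying why ports 2 and 3 were added, and a later reader could take them for leftovers and trim the list back to one entry. A one-line comment before each, such as `# Several PermitOpen entries: the permitted port must match when it is not first in the list`, would record the intent, assuming that is what the change is meant to exercise.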
diff --git a/regress/connect-uri.sh b/regress/connect-uri.sh
new file mode 100644
index 000000000..f13f15e66
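--- /dev/null
+++ b/regress/connect-uri.sh
@@ -0,0 +1,29 @@
+# $OpenBSD: connect-uri.sh,v 1.1 2017/10/24 19:33:32 millert Exp $
+# Placed in the Public Domain.
+
+tid="uri connect"
+
+# Remove Port and User from ssh_config, we want to rely on the URI
+cp $OBJ/ssh_config $OBJ/ssh_config.orig
+egrep -v '^ +(Port|User) +.*$' $OBJ/ssh_config.orig > $OBJ/ssh_config
+
+start_sshd
+
+verbose "$tid: no trailing slash"
+${SSH} -F $OBJ/ssh_config "ssh://${USER}@somehost:${PORT}" true
+if [ $? -ne 0 ]; then
+ fail "ssh connection failed"
+fi
+
+verbose "$tid: trailing slash"
+${SSH} -F $OBJ/ssh_config "ssh://${USER}@somehost:${PORT}/" true
+if [ $? -ne 0 ]; then
+ fail "ssh connection failed"
+fi
+
+verbose "$tid: with path name"
+${SSH} -F $OBJ/ssh_config "ssh://${USER}@somehost:${PORT}/${DATA}" true \
+ > /dev/null 2>&1
+if [ $? -eq 0 ]; then
+ fail "ssh connection succeeded, expected failure"
+fi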
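Review bot: The "with path name" case (lines 24-29) accepts any non-zero exit as the expected failure and sends both stdout and stderr to /dev/null, so a run where ssh fails for an unrelated reason passes and leaves nothing in the log to tell the two apart. Dropping the `> /dev/null 2>&1` redirection, or sending the output to a file under `$OBJ` that the test then inspects, would let the log show that it was the URI path that got rejected. Also, `$OBJ/ssh_config` is rewritten on line 8 and the `.orig` copy is never put back in this file; whether later tests rely on the original config is not determinable from here.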
diff --git a/regress/forward-control.sh b/regress/forward-control.sh
index 2e9dbb53a..93d05cf63 100644
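--- a/regress/forward-control.sh
+++ b/regress/forward-control.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: forward-control.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
+# $OpenBSD: forward-control.sh,v 1.5 2018/03/02 02:51:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="sshd control of local and remote forwarding"
@@ -151,6 +151,33 @@ all_tests() {
  > ${OBJ}/sshd_proxy
  check_lfwd $_permit_lfwd "$_prefix, permitopen"
  check_rfwd $_permit_rfwd "$_prefix, permitopen"
+ # Check port-forwarding flags in authorized_keys.
+ # These two should refuse all.
+ sed "s/^/no-port-forwarding /" \
+ < ${OBJ}/authorized_keys_${USER}.bak \
+ > ${OBJ}/authorized_keys_${USER} || fatal "sed 3 fail"
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd N "$_prefix, no-port-forwarding"
+ check_rfwd N "$_prefix, no-port-forwarding"
+ sed "s/^/restrict /" \
+ < ${OBJ}/authorized_keys_${USER}.bak \
+ > ${OBJ}/authorized_keys_${USER} || fatal "sed 4 fail"
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd N "$_prefix, restrict"
+ check_rfwd N "$_prefix, restrict"
+ # This should pass the same cases as _nopermit*
+ sed "s/^/restrict,port-forwarding /" \
+ < ${OBJ}/authorized_keys_${USER}.bak \
+ > ${OBJ}/authorized_keys_${USER} || fatal "sed 5 fail"
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_plain_lfwd "$_prefix, restrict,port-forwarding"
+ check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding"
 }
 
 # no-permitopen mismatch-permitopen match-permitopen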
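Review bot: The comment on new line 172, `# This should pass the same cases as _nopermit*`, does not match the checks that follow it, which use `$_plain_lfwd` and `$_plain_rfwd`; one of the two is stale, and if the code is right the comment should read `# This should pass the same cases as _plain*`. The three new stanzas also repeat the same sequence (prefix the authorized_keys lines with sed, rewrite sshd_proxy, run both checks) with only the key option changing, which a small helper taking the option string would make easier to extend. all_tests() begins outside this hunk.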
diff --git a/regress/key-options.sh b/regress/key-options.sh
index 2adee6833..d680737c1 100644
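--- a/regress/key-options.sh
+++ b/regress/key-options.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: key-options.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
+# $OpenBSD: key-options.sh,v 1.8 2018/03/14 05:35:40 djm Exp $
 # Placed in the Public Domain.
 
 tid="key options"
@@ -21,12 +21,46 @@ for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
 done
 
 # Test no-pty
-sed 's/.*/no-pty &/' $origkeys >$authkeys
-verbose "key option proto no-pty"
-r=`${SSH} -q -F $OBJ/ssh_proxy somehost tty`
-if [ -f "$r" ]; then
- fail "key option failed no-pty (pty $r)"
-fi
+expect_pty_succeed() {
+ which=$1
+ opts=$2
+ rm -f $OBJ/data
+ sed "s/.*/$opts &/" $origkeys >$authkeys
+ verbose "key option pty $which"
+ ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0"
+ if [ $? -ne 0 ] ; then
+ fail "key option failed $which"
+ else
+ r=`cat $OBJ/data`
+ case "$r" in
+ /dev/*) ;;
+ *) fail "key option failed $which (pty $r)" ;;
+ esac
+ fi
+}
+expect_pty_fail() {
+ which=$1
+ opts=$2
+ rm -f $OBJ/data
+ sed "s/.*/$opts &/" $origkeys >$authkeys
+ verbose "key option pty $which"
+ ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0"
+ if [ $? -eq 0 ]; then
+ r=`cat $OBJ/data`
+ if [ -e "$r" ]; then
+ fail "key option failed $which (pty $r)"
+ fi
+ case "$r" in
+ /dev/*) fail "key option failed $which (pty $r)" ;;
+ *) ;;
+ esac
+ fi
+}
+# First ensure that we can allocate a pty by default.
+expect_pty_succeed "default" ""
+expect_pty_fail "no-pty" "no-pty"
+expect_pty_fail "restrict" "restrict"
+expect_pty_succeed "restrict,pty" "restrict,pty"
 
 # Test environment=
 echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
@@ -60,4 +94,22 @@ for f in 127.0.0.1 '127.0.0.0\/8'; do
  fi
 done
 
-rm -f "$origkeys"
+check_valid_before() {
+ which=$1
+ opts=$2
+ expect=$3
+ sed "s/.*/$opts &/" $origkeys >$authkeys
+ verbose "key option expiry-time $which"
+ ${SSH} -q -F $OBJ/ssh_proxy somehost true
+ r=$?
+ case "$expect" in
+ fail) test $r -eq 0 && fail "key option succeeded $which" ;;
+ pass) test $r -ne 0 && fail "key option failed $which" ;;
+ *) fatal "unknown expectation $expect" ;;
+ esac
+}
+check_valid_before "default" "" "pass"
+check_valid_before "invalid" 'expiry-time="INVALID"' "fail"
+check_valid_before "expired" 'expiry-time="19990101"' "fail"
+check_valid_before "valid" 'expiry-time="20380101"' "pass"
+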
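Review bot: expect_pty_fail() inspects its result only when ssh exits 0 and has no else branch, so a connection or authentication failure lets the `no-pty` and `restrict` cases pass without testing anything. Unless a non-zero exit is legitimately expected there (not visible in the hunk), an `else` branch calling `fail "key option failed $which"` would close that gap. The `fail` expectations in check_valid_before() have the same shape, since any non-zero exit counts as the key being rejected. The `valid` case also uses the fixed date `expiry-time="20380101"`, so the test will start failing once that date passes, and a comment should say so. The last hunk drops `rm -f "$origkeys"` without a replacement, which leaves the copied key file behind.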
diff --git a/regress/keys-command.sh b/regress/keys-command.sh
index 9c9ada7c7..4029e2c78 100644
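--- a/regress/keys-command.sh
+++ b/regress/keys-command.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: keys-command.sh,v 1.3 2015/05/21 06:40:02 djm Exp $
+# $OpenBSD: keys-command.sh,v 1.4 2016/09/26 21:34:38 bluhm Exp $
 # Placed in the Public Domain.
 
 tid="authorized keys from command"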
diff --git a/regress/keytype.sh b/regress/keytype.sh
index 88b022de4..f78a2c171 100644
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: keytype.sh,v 1.5 2017/03/20 22:08:06 djm Exp $ 1# $OpenBSD: keytype.sh,v 1.7 2018/03/12 00:54:04 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="login with different key types" 4tid="login with different key types"
@@ -17,7 +17,7 @@ for i in `$SSH -Q key`; do
17 esac 17 esac
18done 18done
19 19
20for kt in $ktypes; do 20for kt in $ktypes; do
21 rm -f $OBJ/key.$kt 21 rm -f $OBJ/key.$kt
22 bits=`echo ${kt} | awk -F- '{print $2}'` 22 bits=`echo ${kt} | awk -F- '{print $2}'`
23 type=`echo ${kt} | awk -F- '{print $1}'` 23 type=`echo ${kt} | awk -F- '{print $1}'`
@@ -27,28 +27,28 @@ for kt in $ktypes; do
27done 27done
28 28
29tries="1 2 3" 29tries="1 2 3"
30for ut in $ktypes; do 30for ut in $ktypes; do
31 htypes=$ut 31 htypes=$ut
32 #htypes=$ktypes 32 #htypes=$ktypes
33 for ht in $htypes; do 33 for ht in $htypes; do
34 case $ht in 34 case $ht in
35 dsa-1024) t=ssh-dss;; 35 dsa-1024) t=ssh-dss;;
36 ecdsa-256) t=ecdsa-sha2-nistp256;; 36 ecdsa-256) t=ecdsa-sha2-nistp256;;
37 ecdsa-384) t=ecdsa-sha2-nistp384;; 37 ecdsa-384) t=ecdsa-sha2-nistp384;;
38 ecdsa-521) t=ecdsa-sha2-nistp521;; 38 ecdsa-521) t=ecdsa-sha2-nistp521;;
39 ed25519-512) t=ssh-ed25519;; 39 ed25519-512) t=ssh-ed25519;;
40 rsa-*) t=ssh-rsa;; 40 rsa-*) t=rsa-sha2-512,rsa-sha2-256,ssh-rsa;;
41 esac 41 esac
42 trace "ssh connect, userkey $ut, hostkey $ht" 42 trace "ssh connect, userkey $ut, hostkey $ht"
43 ( 43 (
44 grep -v HostKey $OBJ/sshd_proxy_bak 44 grep -v HostKey $OBJ/sshd_proxy_bak
45 echo HostKey $OBJ/key.$ht 45 echo HostKey $OBJ/key.$ht
46 echo PubkeyAcceptedKeyTypes $t 46 echo PubkeyAcceptedKeyTypes $t
47 echo HostKeyAlgorithms $t 47 echo HostKeyAlgorithms $t
48 ) > $OBJ/sshd_proxy 48 ) > $OBJ/sshd_proxy
49 ( 49 (
50 grep -v IdentityFile $OBJ/ssh_proxy_bak 50 grep -v IdentityFile $OBJ/ssh_proxy_bak
51 echo IdentityFile $OBJ/key.$ut 51 echo IdentityFile $OBJ/key.$ut
52 echo PubkeyAcceptedKeyTypes $t 52 echo PubkeyAcceptedKeyTypes $t
53 echo HostKeyAlgorithms $t 53 echo HostKeyAlgorithms $t
54 ) > $OBJ/ssh_proxy 54 ) > $OBJ/ssh_proxy
diff --git a/regress/limit-keytype.sh b/regress/limit-keytype.sh
index c0cf2fed6..04f11977e 100644
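--- a/regress/limit-keytype.sh
+++ b/regress/limit-keytype.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: limit-keytype.sh,v 1.4 2015/10/29 08:05:17 djm Exp $
+# $OpenBSD: limit-keytype.sh,v 1.5 2018/03/12 00:52:57 djm Exp $
 # Placed in the Public Domain.
 
 tid="restrict pubkey type"
@@ -60,7 +60,8 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
 
 # Allow plain Ed25519 and RSA. The certificate should fail.
 verbose "allow rsa,ed25519"
-prepare_config "PubkeyAcceptedKeyTypes ssh-rsa,ssh-ed25519"
+prepare_config \
+ "PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-ed25519"
 ${SSH} $certopts proxy true && fatal "cert succeeded"
 ${SSH} $opts -i $OBJ/user_key1 proxy true || fatal "key1 failed"
 ${SSH} $opts -i $OBJ/user_key2 proxy true || fatal "key2 failed"
@@ -74,14 +75,14 @@ ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
 
 # Allow all certs. Plain keys should fail.
 verbose "allow cert only"
-prepare_config "PubkeyAcceptedKeyTypes ssh-*-cert-v01@openssh.com"
+prepare_config "PubkeyAcceptedKeyTypes *-cert-v01@openssh.com"
 ${SSH} $certopts proxy true || fatal "cert failed"
 ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"
 ${SSH} $opts -i $OBJ/user_key2 proxy true && fatal "key2 succeeded"
 
 # Allow RSA in main config, Ed25519 for non-existent user.
 verbose "match w/ no match"
-prepare_config "PubkeyAcceptedKeyTypes ssh-rsa" \
+prepare_config "PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ssh-rsa" \
  "Match user x$USER" "PubkeyAcceptedKeyTypes +ssh-ed25519"
 ${SSH} $certopts proxy true && fatal "cert succeeded"
 ${SSH} $opts -i $OBJ/user_key1 proxy true && fatal "key1 succeeded"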
diff --git a/regress/misc/fuzz-harness/sig_fuzz.cc b/regress/misc/fuzz-harness/sig_fuzz.cc
index 0e535b49a..dd1fda091 100644
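--- a/regress/misc/fuzz-harness/sig_fuzz.cc
+++ b/regress/misc/fuzz-harness/sig_fuzz.cc
@@ -37,13 +37,13 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
  static const size_t dlen = strlen(data);
 
 #ifdef WITH_OPENSSL
- sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, 0);
- sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, 0);
- sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, 0);
- sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, 0);
- sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, 0);
+ sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, NULL, 0);
+ sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, NULL, 0);
+ sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, NULL, 0);
+ sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, NULL, 0);
+ sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, NULL, 0);
 #endif
- sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, 0);
+ sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0);
  return 0;
 }
 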
diff --git a/regress/misc/kexfuzz/Makefile b/regress/misc/kexfuzz/Makefile
index d0aca8dfe..a7bb6b70d 100644
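--- a/regress/misc/kexfuzz/Makefile
+++ b/regress/misc/kexfuzz/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.2 2017/04/17 11:02:31 jsg Exp $
+# $OpenBSD: Makefile,v 1.3 2017/12/21 05:46:35 djm Exp $
 
 .include <bsd.own.mk>
 .include <bsd.obj.mk>
@@ -9,6 +9,25 @@ OPENSSL?= yes
 
 PROG= kexfuzz
 SRCS= kexfuzz.c
+
+SSHREL=../../../../../usr.bin/ssh
+.PATH: ${.CURDIR}/${SSHREL}
+# From usr.bin/ssh
+SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c
+SRCS+=atomicio.c sshkey.c authfile.c cipher.c log.c ssh-rsa.c ssh-dss.c
+SRCS+=ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c
+SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c
+SRCS+=addrmatch.c bitmap.c packet.c dispatch.c canohost.c ssh_api.c
+SRCS+=kex.c kexc25519.c kexc25519c.c kexc25519s.c kexdh.c kexdhc.c kexdhs.c
+SRCS+=kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c kexgexs.c
+SRCS+=dh.c compat.c
+SRCS+=ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c
+SRCS+=cipher-chachapoly.c chacha.c poly1305.c
+SRCS+=smult_curve25519_ref.c
+
+SRCS+=digest-openssl.c
+#SRCS+=digest-libc.c
+
 NOMAN= 1
 
 .if (${OPENSSL:L} == "yes")
@@ -49,23 +68,14 @@ CDIAGFLAGS+= -Wswitch
 CDIAGFLAGS+= -Wtrigraphs
 CDIAGFLAGS+= -Wuninitialized
 CDIAGFLAGS+= -Wunused
+CDIAGFLAGS+= -Wno-unused-parameter
 .if ${COMPILER_VERSION:L} != "gcc3"
-CDIAGFLAGS+= -Wpointer-sign
 CDIAGFLAGS+= -Wold-style-definition
 .endif
 
-SSHREL=../../../../../usr.bin/ssh
 
 CFLAGS+=-I${.CURDIR}/${SSHREL}
 
-.if exists(${.CURDIR}/${SSHREL}/lib/${__objdir})
-LDADD+=-L${.CURDIR}/${SSHREL}/lib/${__objdir} -lssh
-DPADD+=${.CURDIR}/${SSHREL}/lib/${__objdir}/libssh.a
-.else
-LDADD+=-L${.CURDIR}/${SSHREL}/lib -lssh
-DPADD+=${.CURDIR}/${SSHREL}/lib/libssh.a
-.endif
-
 LDADD+= -lutil -lz
 DPADD+= ${LIBUTIL} ${LIBZ}
 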
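Review bot: `SRCS+=digest-openssl.c` on new line 28 is added unconditionally, ahead of the `.if (${OPENSSL:L} == "yes")` test on new line 33, with the libc alternative left as the commented-out `#SRCS+=digest-libc.c`; a build with OPENSSL set to anything but yes would still compile the OpenSSL digest backend. Moving the choice into the existing conditional, with `SRCS+=digest-openssl.c` under the `.if` and `SRCS+=digest-libc.c` under an `.else`, would keep the two in step; whether that conditional already has an `.else` is outside the hunk. The second hunk also drops `-Wpointer-sign` and adds `-Wno-unused-parameter` now that the ssh sources are compiled into the harness directly, and a comment recording why the fuzz build needs weaker diagnostics would help the next reader.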
diff --git a/regress/misc/kexfuzz/README b/regress/misc/kexfuzz/README
index abd7b50ee..504c26f3b 100644
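--- a/regress/misc/kexfuzz/README
+++ b/regress/misc/kexfuzz/README
@@ -30,3 +30,5 @@ Limitations: kexfuzz can't change the ordering of packets at
 present. It is limited to replacing individual packets with
 fuzzed variants with the same type. It really should allow
 insertion, deletion on replacement of packets too.
+
+$OpenBSD: README,v 1.3 2017/10/20 02:13:41 djm Exp $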
diff --git a/regress/modpipe.c b/regress/modpipe.c
index 5f4824b51..5f4824b51 100755..100644
--- a/regress/modpipe.c
+++ b/regress/modpipe.c
diff --git a/regress/netcat.c b/regress/netcat.c
index 98a08b1ec..56bd09de5 100644
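--- a/regress/netcat.c
+++ b/regress/netcat.c
@@ -738,7 +738,12 @@ local_listen(char *host, char *port, struct addrinfo hints)
 #ifdef SO_REUSEPORT
  ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x));
  if (ret == -1)
- err(1, "setsockopt");
+ err(1, "setsockopt SO_REUSEPORT");
+#endif
+#ifdef SO_REUSEADDR
+ ret = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
+ if (ret == -1)
+ err(1, "setsockopt SO_REUSEADDR");
 #endif
  set_common_sockopts(s);
 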
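Review bot: Nothing in the hunk says why the listener now needs SO_REUSEADDR on top of SO_REUSEPORT, and the new block makes a failed call fatal through `err(1, "setsockopt SO_REUSEADDR")`. Since SO_REUSEPORT already lets another socket bind the same address and port, a one-line comment above the pair would help the next reader judge whether that sharing is wanted in this helper, for example `/* allow the test port to be rebound quickly between runs */` if that is the intent. local_listen() starts and ends outside the hunk, so how `x` is initialised cannot be checked from here.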
diff --git a/regress/proxy-connect.sh b/regress/proxy-connect.sh
index f1b9d9f76..39bbd3c96 100644
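--- a/regress/proxy-connect.sh
+++ b/regress/proxy-connect.sh
@@ -1,25 +1,19 @@
-# $OpenBSD: proxy-connect.sh,v 1.10 2017/04/30 23:34:55 djm Exp $
+# $OpenBSD: proxy-connect.sh,v 1.11 2017/09/26 22:39:25 dtucker Exp $
 # Placed in the Public Domain.
 
 tid="proxy connect"
 
-mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
-
-for ps in no yes; do
- cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
- echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
- for c in no yes; do
- verbose "plain username privsep=$ps comp=$c"
- opts="-oCompression=$c -F $OBJ/ssh_proxy"
- SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'`
- if [ $? -ne 0 ]; then
- fail "ssh proxyconnect privsep=$ps comp=$c failed"
- fi
- if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
- fail "bad SSH_CONNECTION privsep=$ps comp=$c: " \
- "$SSH_CONNECTION"
- fi
- done
+for c in no yes; do
+ verbose "plain username comp=$c"
+ opts="-oCompression=$c -F $OBJ/ssh_proxy"
+ SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'`
+ if [ $? -ne 0 ]; then
+ fail "ssh proxyconnect comp=$c failed"
+ fi
+ if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
+ fail "bad SSH_CONNECTION comp=$c: " \
+ "$SSH_CONNECTION"
+ fi
 done
 
 verbose "username with style"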
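Review bot: The loop stores the command output in a shell variable named `SSH_CONNECTION`, which is also the environment variable set for an ssh login session. If the regress suite is started from such a session the variable is already exported, so the assignment changes what every later child process of the test inherits. A private name avoids that, e.g. `conn=$(${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION')` with the two following references changed to `$conn`. The pattern predates this commit and was carried over when the privsep loop was removed.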
diff --git a/regress/putty-ciphers.sh b/regress/putty-ciphers.sh
index 419daabba..191a2bda8 100644
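--- a/regress/putty-ciphers.sh
+++ b/regress/putty-ciphers.sh
@@ -15,7 +15,7 @@ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do
  echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
 
  rm -f ${COPY}
- env HOME=$PWD ${PLINK} -load cipher_$c -batch -i putty.rsa2 \
+ env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
  cat ${DATA} > ${COPY}
  if [ $? -ne 0 ]; then
  fail "ssh cat $DATA failed"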
diff --git a/regress/putty-kex.sh b/regress/putty-kex.sh
index 9d3c6a9f0..71c09701b 100644
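--- a/regress/putty-kex.sh
+++ b/regress/putty-kex.sh
@@ -14,7 +14,7 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do
  ${OBJ}/.putty/sessions/kex_$k
  echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
 
- env HOME=$PWD ${PLINK} -load kex_$k -batch -i putty.rsa2 true
+ env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
  if [ $? -ne 0 ]; then
  fail "KEX $k failed"
  fi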
diff --git a/regress/putty-transfer.sh b/regress/putty-transfer.sh
index 32c79f9ea..4928d4533 100644
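--- a/regress/putty-transfer.sh
+++ b/regress/putty-transfer.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: putty-transfer.sh,v 1.5 2017/04/30 23:34:55 djm Exp $
+# $OpenBSD: putty-transfer.sh,v 1.6 2018/02/23 03:03:00 djm Exp $
 # Placed in the Public Domain.
 
 tid="putty transfer data"
@@ -15,7 +15,7 @@ for c in 0 1 ; do
  ${OBJ}/.putty/sessions/compression_$c
  echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
  env HOME=$PWD ${PLINK} -load compression_$c -batch \
- -i putty.rsa cat ${DATA} > ${COPY}
+ -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY}
  if [ $? -ne 0 ]; then
  fail "ssh cat $DATA failed"
  fi
@@ -26,7 +26,7 @@ for c in 0 1 ; do
  rm -f ${COPY}
  dd if=$DATA obs=${s} 2> /dev/null | \
  env HOME=$PWD ${PLINK} -load compression_$c \
- -batch -i putty.rsa \
+ -batch -i ${OBJ}/putty.rsa2 \
  "cat > ${COPY}"
  if [ $? -ne 0 ]; then
  fail "ssh cat $DATA failed"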
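Review bot: In the second hunk the context line `echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k` appends the setting to a `kex_$k` session file, while the plink commands on the changed lines load `compression_$c`. `$k` is not assigned anywhere in the visible lines of this script, so the Compression value probably never reaches the session under test and both loop iterations may run with the same setting. The line should target the file that was just copied: `echo "Compression=$c" >> ${OBJ}/.putty/sessions/compression_$c`. The loop body starts and ends outside the hunks.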
diff --git a/regress/scp-uri.sh b/regress/scp-uri.sh
new file mode 100644
index 000000000..c03d8bbe0
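--- /dev/null
+++ b/regress/scp-uri.sh
@@ -0,0 +1,70 @@
+# $OpenBSD: scp-uri.sh,v 1.2 2017/12/11 11:41:56 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="scp-uri"
+
+#set -x
+
+COPY2=${OBJ}/copy2
+DIR=${COPY}.dd
+DIR2=${COPY}.dd2
+
+SRC=`dirname ${SCRIPT}`
+cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp
+chmod 755 ${OBJ}/scp-ssh-wrapper.scp
+scpopts="-q -S ${OBJ}/scp-ssh-wrapper.scp"
+export SCP # used in scp-ssh-wrapper.scp
+
+scpclean() {
+ rm -rf ${COPY} ${COPY2} ${DIR} ${DIR2}
+ mkdir ${DIR} ${DIR2}
+}
+
+# Remove Port and User from ssh_config, we want to rely on the URI
+cp $OBJ/ssh_config $OBJ/ssh_config.orig
+egrep -v '^ +(Port|User) +.*$' $OBJ/ssh_config.orig > $OBJ/ssh_config
+
+verbose "$tid: simple copy local file to remote file"
+scpclean
+$SCP $scpopts ${DATA} "scp://${USER}@somehost:${PORT}/${COPY}" || fail "copy failed"
+cmp ${DATA} ${COPY} || fail "corrupted copy"
+
+verbose "$tid: simple copy remote file to local file"
+scpclean
+$SCP $scpopts "scp://${USER}@somehost:${PORT}/${DATA}" ${COPY} || fail "copy failed"
+cmp ${DATA} ${COPY} || fail "corrupted copy"
+
+verbose "$tid: simple copy local file to remote dir"
+scpclean
+cp ${DATA} ${COPY}
+$SCP $scpopts ${COPY} "scp://${USER}@somehost:${PORT}/${DIR}" || fail "copy failed"
+cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
+
+verbose "$tid: simple copy remote file to local dir"
+scpclean
+cp ${DATA} ${COPY}
+$SCP $scpopts "scp://${USER}@somehost:${PORT}/${COPY}" ${DIR} || fail "copy failed"
+cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
+
+verbose "$tid: recursive local dir to remote dir"
+scpclean
+rm -rf ${DIR2}
+cp ${DATA} ${DIR}/copy
+$SCP $scpopts -r ${DIR} "scp://${USER}@somehost:${PORT}/${DIR2}" || fail "copy failed"
+for i in $(cd ${DIR} && echo *); do
+ cmp ${DIR}/$i ${DIR2}/$i || fail "corrupted copy"
+done
+
+verbose "$tid: recursive remote dir to local dir"
+scpclean
+rm -rf ${DIR2}
+cp ${DATA} ${DIR}/copy
+$SCP $scpopts -r "scp://${USER}@somehost:${PORT}/${DIR}" ${DIR2} || fail "copy failed"
+for i in $(cd ${DIR} && echo *); do
+ cmp ${DIR}/$i ${DIR2}/$i || fail "corrupted copy"
+done
+
+# TODO: scp -3
+
+scpclean
+rm -f ${OBJ}/scp-ssh-wrapper.exe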
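Review bot: The final cleanup `rm -f ${OBJ}/scp-ssh-wrapper.exe` removes a file this script never creates. The wrapper copied at the top is `${OBJ}/scp-ssh-wrapper.scp`, so an executable helper is left behind in the object directory after every run; the last line should read `rm -f ${OBJ}/scp-ssh-wrapper.scp`. The script also rewrites `$OBJ/ssh_config` without restoring it from `ssh_config.orig`, which may be fine if the harness regenerates that file for each test, something not visible here.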
diff --git a/regress/sftp-chroot.sh b/regress/sftp-chroot.sh
index 4ea2fce85..ba5bd1efb 100644
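--- a/regress/sftp-chroot.sh
+++ b/regress/sftp-chroot.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: sftp-chroot.sh,v 1.5 2016/09/26 21:34:38 bluhm Exp $
+# $OpenBSD: sftp-chroot.sh,v 1.6 2018/02/09 03:42:57 dtucker Exp $
 # Placed in the Public Domain.
 
 tid="sftp in chroot"
@@ -8,8 +8,9 @@ FILENAME=testdata_${USER}
 PRIVDATA=${CHROOT}/${FILENAME}
 
 if [ -z "$SUDO" -a ! -w /var/run ]; then
- echo "skipped: need SUDO to create file in /var/run, test won't work without"
- exit 0
+ echo "need SUDO to create file in /var/run, test won't work without"
+ echo SKIPPED
+ exit 0
 fi
 
 if ! $OBJ/check-perm -m chroot "$CHROOT" ; then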
diff --git a/regress/sftp-uri.sh b/regress/sftp-uri.sh
new file mode 100644
index 000000000..7be104dfb
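--- /dev/null
+++ b/regress/sftp-uri.sh
@@ -0,0 +1,63 @@
+# $OpenBSD: sftp-uri.sh,v 1.1 2017/10/24 19:33:32 millert Exp $
+# Placed in the Public Domain.
+
+tid="sftp-uri"
+
+#set -x
+
+COPY2=${OBJ}/copy2
+DIR=${COPY}.dd
+DIR2=${COPY}.dd2
+SRC=`dirname ${SCRIPT}`
+
+sftpclean() {
+ rm -rf ${COPY} ${COPY2} ${DIR} ${DIR2}
+ mkdir ${DIR} ${DIR2}
+}
+
+start_sshd -oForceCommand="internal-sftp -d /"
+
+# Remove Port and User from ssh_config, we want to rely on the URI
+cp $OBJ/ssh_config $OBJ/ssh_config.orig
+egrep -v '^ +(Port|User) +.*$' $OBJ/ssh_config.orig > $OBJ/ssh_config
+
+verbose "$tid: non-interactive fetch to local file"
+sftpclean
+${SFTP} -q -S "$SSH" -F $OBJ/ssh_config "sftp://${USER}@somehost:${PORT}/${DATA}" ${COPY} || fail "copy failed"
+cmp ${DATA} ${COPY} || fail "corrupted copy"
+
+verbose "$tid: non-interactive fetch to local dir"
+sftpclean
+cp ${DATA} ${COPY}
+${SFTP} -q -S "$SSH" -F $OBJ/ssh_config "sftp://${USER}@somehost:${PORT}/${COPY}" ${DIR} || fail "copy failed"
+cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
+
+verbose "$tid: put to remote directory (trailing slash)"
+sftpclean
+${SFTP} -q -S "$SSH" -F $OBJ/ssh_config -b - \
+ "sftp://${USER}@somehost:${PORT}/${DIR}/" > /dev/null 2>&1 << EOF
+ version
+ put ${DATA} copy
+EOF
+r=$?
+if [ $r -ne 0 ]; then
+ fail "sftp failed with $r"
+else
+ cmp ${DATA} ${DIR}/copy || fail "corrupted copy"
+fi
+
+verbose "$tid: put to remote directory (no slash)"
+sftpclean
+${SFTP} -q -S "$SSH" -F $OBJ/ssh_config -b - \
+ "sftp://${USER}@somehost:${PORT}/${DIR}" > /dev/null 2>&1 << EOF
+ version
+ put ${DATA} copy
+EOF
+r=$?
+if [ $r -ne 0 ]; then
+ fail "sftp failed with $r"
+else
+ cmp ${DATA} ${DIR}/copy || fail "corrupted copy"
+fi
+
+sftpclean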
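Review bot: Both put cases send sftp's stderr to /dev/null along with stdout (`> /dev/null 2>&1`), so when a batch fails the only record is `sftp failed with $r` and the client's own error text is lost. Redirecting stdout alone keeps the runs quiet on success and still shows why a URI was rejected, e.g. `"sftp://${USER}@somehost:${PORT}/${DIR}/" > /dev/null << EOF` on lines 38 and 52. Separately, `SRC` is assigned on line 11 but not used in the visible script and could be dropped.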
diff --git a/regress/sftp.sh b/regress/sftp.sh
index b8e9f7527..a5c88f584 100644
--- a/regress/sftp.sh
+++ b/regress/sftp.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: sftp.sh,v 1.5 2013/05/17 10:28:11 dtucker Exp $ 1# $OpenBSD: sftp.sh,v 1.6 2017/10/30 21:59:43 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="basic sftp put/get" 4tid="basic sftp put/get"
@@ -22,11 +22,11 @@ for B in ${BUFFERSIZE}; do
22 r=$? 22 r=$?
23 if [ $r -ne 0 ]; then 23 if [ $r -ne 0 ]; then
24 fail "sftp failed with $r" 24 fail "sftp failed with $r"
25 else 25 else
26 cmp $DATA ${COPY}.1 || fail "corrupted copy after get" 26 cmp $DATA ${COPY}.1 || fail "corrupted copy after get"
27 cmp $DATA ${COPY}.2 || fail "corrupted copy after put" 27 cmp $DATA ${COPY}.2 || fail "corrupted copy after put"
28 fi 28 fi
29 done 29 done
30done 30done
31rm -f ${COPY}.1 ${COPY}.2 31rm -f ${COPY}.1 ${COPY}.2
32rm -f $SFTPCMDFILE 32rm -f $SFTPCMDFILE
diff --git a/regress/sshd-log-wrapper.sh b/regress/sshd-log-wrapper.sh
index c00934c78..29dc44aa0 100644
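--- a/regress/sshd-log-wrapper.sh
+++ b/regress/sshd-log-wrapper.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-# $OpenBSD: sshd-log-wrapper.sh,v 1.3 2013/04/07 02:16:03 dtucker Exp $
+# $OpenBSD: sshd-log-wrapper.sh,v 1.4 2016/11/25 02:56:49 dtucker Exp $
 # Placed in the Public Domain.
 #
 # simple wrapper for sshd proxy mode to catch stderr output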
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 68f010b70..b6169f157 100644
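--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.61 2017/07/28 10:32:08 dtucker Exp $
+# $OpenBSD: test-exec.sh,v 1.62 2018/03/16 09:06:31 dtucker Exp $
 # Placed in the Public Domain.
 
 #SUDO=sudo
@@ -503,6 +503,7 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
  # Add a PuTTY key to authorized_keys
  rm -f ${OBJ}/putty.rsa2
  if ! puttygen -t rsa -o ${OBJ}/putty.rsa2 \
+ --random-device=/dev/urandom \
  --new-passphrase /dev/null < /dev/null > /dev/null; then
  echo "Your installed version of PuTTY is too old to support --new-passphrase; trying without (may require manual interaction) ..." >&2
  puttygen -t rsa -o ${OBJ}/putty.rsa2 < /dev/null > /dev/null
@@ -526,6 +527,9 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
  echo "ProxyTelnetCommand=sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy
  echo "ProxyLocalhost=1" >> ${OBJ}/.putty/sessions/localhost_proxy
 
+ PUTTYDIR=${OBJ}/.putty
+ export PUTTYDIR
+
  REGRESS_INTEROP_PUTTY=yes
 fi
 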
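Review bot: With `--random-device=/dev/urandom` added to the first puttygen call, that call can now fail for a second reason, yet the message on the fallback path still blames `--new-passphrase` alone. A puttygen that rejects the new option would send the user looking in the wrong place, so the text should name both, e.g. `echo "puttygen rejected --random-device or --new-passphrase; trying without (may require manual interaction) ..." >&2`. The fallback call `puttygen -t rsa -o ${OBJ}/putty.rsa2 < /dev/null > /dev/null` also runs without the option, so it keeps puttygen's default random source. The enclosing `if` block starts and ends outside the hunk.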
diff --git a/regress/unittests/Makefile b/regress/unittests/Makefile
index e975f6ca4..e464b085a 100644
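--- a/regress/unittests/Makefile
+++ b/regress/unittests/Makefile
@@ -1,6 +1,7 @@
-# $OpenBSD: Makefile,v 1.9 2017/03/14 01:20:29 dtucker Exp $
+# $OpenBSD: Makefile,v 1.10 2018/03/03 03:16:17 djm Exp $
 
 REGRESS_FAIL_EARLY?= yes
 SUBDIR= test_helper sshbuf sshkey bitmap kex hostkeys utf8 match conversion
+SUBDIR+=authopt
 
 .include <bsd.subdir.mk>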
diff --git a/regress/unittests/Makefile.inc b/regress/unittests/Makefile.inc
index 36d1ff42c..b509f4452 100644
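--- a/regress/unittests/Makefile.inc
+++ b/regress/unittests/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.11 2017/04/30 23:33:48 djm Exp $
+# $OpenBSD: Makefile.inc,v 1.12 2017/12/21 00:41:22 djm Exp $
 
 .include <bsd.own.mk>
 .include <bsd.obj.mk>
@@ -30,8 +30,8 @@ CDIAGFLAGS+= -Wswitch
 CDIAGFLAGS+= -Wtrigraphs
 CDIAGFLAGS+= -Wuninitialized
 CDIAGFLAGS+= -Wunused
+CDIAGFLAGS+= -Wno-unused-parameter
 .if ${COMPILER_VERSION:L} != "gcc3"
-CDIAGFLAGS+= -Wpointer-sign
 CDIAGFLAGS+= -Wold-style-definition
 .endif
 
@@ -47,17 +47,7 @@ LDADD+=-L${.CURDIR}/../test_helper -ltest_helper
 DPADD+=${.CURDIR}/../test_helper/libtest_helper.a
 .endif
 
-.if exists(${.CURDIR}/${SSHREL}/lib/${__objdir})
-LDADD+=-L${.CURDIR}/${SSHREL}/lib/${__objdir} -lssh
-LIBSSH=${.CURDIR}/${SSHREL}/lib/${__objdir}/libssh.a
-.else
-LDADD+=-L${.CURDIR}/${SSHREL}/lib -lssh
-LIBSSH=${.CURDIR}/${SSHREL}/lib/libssh.a
-.endif
-DPADD+=${LIBSSH}
-${PROG}: ${LIBSSH}
-${LIBSSH}:
- cd ${.CURDIR}/${SSHREL} && ${MAKE} lib
+.PATH: ${.CURDIR}/${SSHREL}
 
 LDADD+= -lcrypto
 DPADD+= ${LIBCRYPTO}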
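Review bot: The second hunk drops `CDIAGFLAGS+= -Wpointer-sign` from the unit-test build while adding `-Wno-unused-parameter`, and nothing visible on the page explains losing that diagnostic. It flags pointer assignments whose targets differ only in signedness, a useful check in code that passes data between `char *` and `u_char *` buffers. If a particular compiler needs the removal, a comment beside the `.if ${COMPILER_VERSION:L} != "gcc3"` block saying so would keep it from looking accidental; otherwise the line should stay. The kexfuzz Makefile earlier on the page carries the same removal.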
diff --git a/regress/unittests/authopt/testdata/all_permit.cert b/regress/unittests/authopt/testdata/all_permit.cert
new file mode 100644
index 000000000..38ac57318
--- /dev/null
+++ b/regress/unittests/authopt/testdata/all_permit.cert
@@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIOv/h7mJS1WkRHukSvqPwKDiNVrcib/VqBLpbHW6xjWCAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgKFWCzCzQTh9UkoHphbgwaa86Q16Kern0UjqOr7Q+Jk8AAABTAAAAC3NzaC1lZDI1NTE5AAAAQNe1XDN+J4Eb82TH5J5sYypcabocufjTFRfpU57K+csRP41Yo1FCSEWx95ilUuNvK9Iv3yFDOeVPzdqRqzWoHwE= user key
diff --git a/regress/unittests/authopt/testdata/bad_sourceaddr.cert b/regress/unittests/authopt/testdata/bad_sourceaddr.cert
new file mode 100644
index 000000000..9732745ac
--- /dev/null
+++ b/regress/unittests/authopt/testdata/bad_sourceaddr.cert
@@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com 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 user key
diff --git a/regress/unittests/authopt/testdata/force_command.cert b/regress/unittests/authopt/testdata/force_command.cert
new file mode 100644
index 000000000..f7af27e43
--- /dev/null
+++ b/regress/unittests/authopt/testdata/force_command.cert
@@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com 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 user key
diff --git a/regress/unittests/authopt/testdata/host.cert b/regress/unittests/authopt/testdata/host.cert
new file mode 100644
index 000000000..6326d0453
--- /dev/null
+++ b/regress/unittests/authopt/testdata/host.cert
@@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIFWMw3ftP29RSefnxQwdvK1KiE2G9Y7rPRrJ7ZsrDiOeAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAACAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAoVYLMLNBOH1SSgemFuDBprzpDXop6ufRSOo6vtD4mTwAAAFMAAAALc3NoLWVkMjU1MTkAAABAKTMqwPkaBg23RS7/aj347dc2kY4bWt/sHwzREYSrKRqZ5RNBnSvZOQ8m5euMCEuf92bZ8VJEdF653jRiW6VoBA== user key
diff --git a/regress/unittests/authopt/testdata/mktestdata.sh b/regress/unittests/authopt/testdata/mktestdata.sh
new file mode 100644
index 000000000..06a24e390
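--- /dev/null
+++ b/regress/unittests/authopt/testdata/mktestdata.sh
@@ -0,0 +1,48 @@
+#/bin/sh
+
+set -xe
+
+rm -f ca_key ca_key.pub
+rm -f user_key user_key.pub
+rm -f *.cert
+
+ssh-keygen -q -f ca_key -t ed25519 -C CA -N ''
+ssh-keygen -q -f user_key -t ed25519 -C "user key" -N ''
+
+sign() {
+ output=$1
+ shift
+ set -xe
+ ssh-keygen -q -s ca_key -I user -n user \
+ -V 19990101:19991231 -z 1 "$@" user_key.pub
+ mv user_key-cert.pub "$output"
+}
+
+sign all_permit.cert -Opermit-agent-forwarding -Opermit-port-forwarding \
+ -Opermit-pty -Opermit-user-rc -Opermit-X11-forwarding
+sign no_permit.cert -Oclear
+
+sign no_agentfwd.cert -Ono-agent-forwarding
+sign no_portfwd.cert -Ono-port-forwarding
+sign no_pty.cert -Ono-pty
+sign no_user_rc.cert -Ono-user-rc
+sign no_x11fwd.cert -Ono-X11-forwarding
+
+sign only_agentfwd.cert -Oclear -Opermit-agent-forwarding
+sign only_portfwd.cert -Oclear -Opermit-port-forwarding
+sign only_pty.cert -Oclear -Opermit-pty
+sign only_user_rc.cert -Oclear -Opermit-user-rc
+sign only_x11fwd.cert -Oclear -Opermit-X11-forwarding
+
+sign force_command.cert -Oforce-command="foo"
+sign sourceaddr.cert -Osource-address="127.0.0.1/32,::1/128"
+
+# ssh-keygen won't permit generation of certs with invalid source-address
+# values, so we do it as a custom extension.
+sign bad_sourceaddr.cert -Ocritical:source-address=xxxxx
+
+sign unknown_critical.cert -Ocritical:blah=foo
+
+sign host.cert -h
+
+rm -f user_key ca_key user_key.pub ca_key.pub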
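Review bot: Line 1 reads `#/bin/sh`, which is an ordinary comment rather than an interpreter line, so the script runs under whatever shell happens to invoke it; it should be `#!/bin/sh`. The script then deletes `*.cert` and the key files by relative name, so running it from the wrong directory removes unrelated files. A `cd "$(dirname "$0")"` ahead of the first `rm` would pin it to the testdata directory.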
diff --git a/regress/unittests/authopt/testdata/no_agentfwd.cert b/regress/unittests/authopt/testdata/no_agentfwd.cert
new file mode 100644
index 000000000..bfa5c2e65
--- /dev/null
+++ b/regress/unittests/authopt/testdata/no_agentfwd.cert
@@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com 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 user key
diff --git a/regress/unittests/authopt/testdata/no_permit.cert b/regress/unittests/authopt/testdata/no_permit.cert
new file mode 100644
index 000000000..351e138ae
--- /dev/null
+++ b/regress/unittests/authopt/testdata/no_permit.cert
@@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIGVQtVgp9sD4sc8esIhVWbZaM8d0NxpX3UbEVzTHm9feAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAoVYLMLNBOH1SSgemFuDBprzpDXop6ufRSOo6vtD4mTwAAAFMAAAALc3NoLWVkMjU1MTkAAABAIKlI0TqqraKjYTjIuKhwoxAV/XnzWRJHq8lNs4aj5yDb84un2xXDF/0vXoLjPgVcLgEbksBKKn0i4whp+xn9Ag== user key
diff --git a/regress/unittests/authopt/testdata/no_portfwd.cert b/regress/unittests/authopt/testdata/no_portfwd.cert
new file mode 100644
index 000000000..9457dc34e
--- /dev/null
+++ b/regress/unittests/authopt/testdata/no_portfwd.cert
@@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com 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 user key
diff --git a/regress/unittests/authopt/testdata/no_pty.cert b/regress/unittests/authopt/testdata/no_pty.cert
new file mode 100644
index 000000000..e8154ec7f
--- /dev/null
+++ b/regress/unittests/authopt/testdata/no_pty.cert
@@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIFFjhISpSDR3blDejuCf2T9Fe4aHW53jG7KOH2PV/E7jAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAAHAAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgKFWCzCzQTh9UkoHphbgwaa86Q16Kern0UjqOr7Q+Jk8AAABTAAAAC3NzaC1lZDI1NTE5AAAAQF5c4BdxVYgqbMGAep414IGFK4deCFBCeNUTOLpKodrfb1M0gS4d2qoeMxZvMv5yMf/viKl/gallHzEmcrEcIQY= user key
diff --git a/regress/unittests/authopt/testdata/no_user_rc.cert b/regress/unittests/authopt/testdata/no_user_rc.cert
new file mode 100644
index 000000000..6676a0cbd
--- /dev/null
+++ b/regress/unittests/authopt/testdata/no_user_rc.cert
@@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com 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 user key
diff --git a/regress/unittests/authopt/testdata/no_x11fwd.cert b/regress/unittests/authopt/testdata/no_x11fwd.cert
new file mode 100644
index 000000000..0aff9e6cf
--- /dev/null
+++ b/regress/unittests/authopt/testdata/no_x11fwd.cert
@@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com 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 user key
diff --git a/regress/unittests/authopt/testdata/only_agentfwd.cert b/regress/unittests/authopt/testdata/only_agentfwd.cert
new file mode 100644
index 000000000..3cf64b05c
--- /dev/null
+++ b/regress/unittests/authopt/testdata/only_agentfwd.cert
@@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIOvJ28yW5uvA7yxE3ySuyFvPjcRYKAr03CYr4okGTNIFAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAAB8AAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgKFWCzCzQTh9UkoHphbgwaa86Q16Kern0UjqOr7Q+Jk8AAABTAAAAC3NzaC1lZDI1NTE5AAAAQEG2uTgmOSk9dJ0s/Ol1EIERXFP9PF6AauF9t5jBMSthNyvSANSrC/1EIaf4TV5kMYfhZxJXoS0XHQjGndcq2AE= user key
diff --git a/regress/unittests/authopt/testdata/only_portfwd.cert b/regress/unittests/authopt/testdata/only_portfwd.cert
new file mode 100644
index 000000000..bb09c3a63
--- /dev/null
+++ b/regress/unittests/authopt/testdata/only_portfwd.cert
@@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIGPoYoExiSyHMyDEvOFgoNZXk5z91u7xq/7357X23TotAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAAB4AAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAoVYLMLNBOH1SSgemFuDBprzpDXop6ufRSOo6vtD4mTwAAAFMAAAALc3NoLWVkMjU1MTkAAABAHN3YnwipcbDKVn+PObGSoaT9rwlau+yrPYZ50oetvCKng3RMjGaV+roqlv0vjjLcxE9J4Y0ti+9MXtQ0D7beBA== user key
diff --git a/regress/unittests/authopt/testdata/only_pty.cert b/regress/unittests/authopt/testdata/only_pty.cert
new file mode 100644
index 000000000..520c89f3b
--- /dev/null
+++ b/regress/unittests/authopt/testdata/only_pty.cert
@@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAILvocWYto5Lg7P46YLbe7U4/b2h9Lr5rWqMZ4Cj4ra7RAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAABIAAAAKcGVybWl0LXB0eQAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACAoVYLMLNBOH1SSgemFuDBprzpDXop6ufRSOo6vtD4mTwAAAFMAAAALc3NoLWVkMjU1MTkAAABASv2xQvp+Y6E8dCf5pzg3MZaan5bl1ToYXNcmQ3ysGrk9Djkcu8m3TytDpF471KmUejxy/iF4xjs9CDpk7h+SBQ== user key
diff --git a/regress/unittests/authopt/testdata/only_user_rc.cert b/regress/unittests/authopt/testdata/only_user_rc.cert
new file mode 100644
index 000000000..fb49c35f3
--- /dev/null
+++ b/regress/unittests/authopt/testdata/only_user_rc.cert
@@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIJwsRZQ7kx4A8AQ0q/G/3i6sHM48kr4TxJtTcyy3lZAPAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAABYAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAgKFWCzCzQTh9UkoHphbgwaa86Q16Kern0UjqOr7Q+Jk8AAABTAAAAC3NzaC1lZDI1NTE5AAAAQDhgEXsvoHr21XrxmiZq/sIjWeYapp11XvEVkkTBPVhBnPwtrrUeJbPmGs3gmJkQdv8BYajYpT7TXEX8GvEeLwU= user key
diff --git a/regress/unittests/authopt/testdata/only_x11fwd.cert b/regress/unittests/authopt/testdata/only_x11fwd.cert
new file mode 100644
index 000000000..6715585a0
--- /dev/null
+++ b/regress/unittests/authopt/testdata/only_x11fwd.cert
@@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIDAhZFZBl3eu8Qa8I5BaHCz/mpH8xCjaPusBwo1eJ9OGAAAAICeF4LbtRqwIRhewXifa5PKpbSU9P/K8CzeVYj8J/iBoAAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANouDYAAAAAA4a2VgAAAAAAAAAB0AAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIChVgsws0E4fVJKB6YW4MGmvOkNeinq59FI6jq+0PiZPAAAAUwAAAAtzc2gtZWQyNTUxOQAAAEDysfgbhniX/zdA8576rrDJpaO2D7QtQse2KWIM9XmREPkLKeP6FKiXKKFcPQiMyV28rptfvK8bBXAiOvITSUgL user key
diff --git a/regress/unittests/authopt/testdata/sourceaddr.cert b/regress/unittests/authopt/testdata/sourceaddr.cert
new file mode 100644
index 000000000..0fcf7b182
--- /dev/null
+++ b/regress/unittests/authopt/testdata/sourceaddr.cert
@@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com 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 user key
diff --git a/regress/unittests/authopt/testdata/unknown_critical.cert b/regress/unittests/authopt/testdata/unknown_critical.cert
new file mode 100644
index 000000000..216960ab3
--- /dev/null
+++ b/regress/unittests/authopt/testdata/unknown_critical.cert
@@ -0,0 +1 @@
ssh-ed25519-cert-v01@openssh.com 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 user key
diff --git a/regress/unittests/authopt/tests.c b/regress/unittests/authopt/tests.c
new file mode 100644
index 000000000..0e8aacb91
--- /dev/null
+++ b/regress/unittests/authopt/tests.c
@@ -0,0 +1,573 @@
1/* $OpenBSD: tests.c,v 1.1 2018/03/03 03:16:17 djm Exp $ */
2
3/*
4 * Regress test for keys options functions.
5 *
6 * Placed in the public domain
7 */
8
9#include <sys/types.h>
10#include <sys/param.h>
11#include <stdio.h>
12#include <stdint.h>
13#include <stdlib.h>
14#include <string.h>
15
16#include "test_helper.h"
17
18#include "sshkey.h"
19#include "authfile.h"
20#include "auth-options.h"
21#include "misc.h"
22#include "log.h"
23
24static struct sshkey *
25load_key(const char *name)
26{
27 struct sshkey *ret;
28 int r;
29
30 r = sshkey_load_public(test_data_file(name), &ret, NULL);
31 ASSERT_INT_EQ(r, 0);
32 ASSERT_PTR_NE(ret, NULL);
33 return ret;
34}
35
36static struct sshauthopt *
37default_authkey_opts(void)
38{
39 struct sshauthopt *ret = sshauthopt_new();
40
41 ASSERT_PTR_NE(ret, NULL);
42 ret->permit_port_forwarding_flag = 1;
43 ret->permit_agent_forwarding_flag = 1;
44 ret->permit_x11_forwarding_flag = 1;
45 ret->permit_pty_flag = 1;
46 ret->permit_user_rc = 1;
47 return ret;
48}
49
50static struct sshauthopt *
51default_authkey_restrict_opts(void)
52{
53 struct sshauthopt *ret = sshauthopt_new();
54
55 ASSERT_PTR_NE(ret, NULL);
56 ret->permit_port_forwarding_flag = 0;
57 ret->permit_agent_forwarding_flag = 0;
58 ret->permit_x11_forwarding_flag = 0;
59 ret->permit_pty_flag = 0;
60 ret->permit_user_rc = 0;
61 ret->restricted = 1;
62 return ret;
63}
64
65static char **
66commasplit(const char *s, size_t *np)
67{
68 char *ocp, *cp, *cp2, **ret = NULL;
69 size_t n;
70
71 ocp = cp = strdup(s);
72 ASSERT_PTR_NE(cp, NULL);
73 for (n = 0; (cp2 = strsep(&cp, ",")) != NULL;) {
74 ret = recallocarray(ret, n, n + 1, sizeof(*ret));
75 ASSERT_PTR_NE(ret, NULL);
76 cp2 = strdup(cp2);
77 ASSERT_PTR_NE(cp2, NULL);
78 ret[n++] = cp2;
79 }
80 free(ocp);
81 *np = n;
82 return ret;
83}
84
85static void
86compare_opts(const struct sshauthopt *opts,
87 const struct sshauthopt *expected)
88{
89 size_t i;
90
91 ASSERT_PTR_NE(opts, NULL);
92 ASSERT_PTR_NE(expected, NULL);
93 ASSERT_PTR_NE(expected, opts); /* bozo :) */
94
95#define FLAG_EQ(x) ASSERT_INT_EQ(opts->x, expected->x)
96 FLAG_EQ(permit_port_forwarding_flag);
97 FLAG_EQ(permit_agent_forwarding_flag);
98 FLAG_EQ(permit_x11_forwarding_flag);
99 FLAG_EQ(permit_pty_flag);
100 FLAG_EQ(permit_user_rc);
101 FLAG_EQ(restricted);
102 FLAG_EQ(cert_authority);
103#undef FLAG_EQ
104
105#define STR_EQ(x) \
106 do { \
107 if (expected->x == NULL) \
108 ASSERT_PTR_EQ(opts->x, expected->x); \
109 else \
110 ASSERT_STRING_EQ(opts->x, expected->x); \
111 } while (0)
112 STR_EQ(cert_principals);
113 STR_EQ(force_command);
114 STR_EQ(required_from_host_cert);
115 STR_EQ(required_from_host_keys);
116#undef STR_EQ
117
118#define ARRAY_EQ(nx, x) \
119 do { \
120 ASSERT_SIZE_T_EQ(opts->nx, expected->nx); \
121 if (expected->nx == 0) \
122 break; \
123 for (i = 0; i < expected->nx; i++) \
124 ASSERT_STRING_EQ(opts->x[i], expected->x[i]); \
125 } while (0)
126 ARRAY_EQ(nenv, env);
127 ARRAY_EQ(npermitopen, permitopen);
128#undef ARRAY_EQ
129}
130
131static void
132test_authkeys_parse(void)
133{
134 struct sshauthopt *opts, *expected;
135 const char *errstr;
136
137#define FAIL_TEST(label, keywords) \
138 do { \
139 TEST_START("sshauthopt_parse invalid " label); \
140 opts = sshauthopt_parse(keywords, &errstr); \
141 ASSERT_PTR_EQ(opts, NULL); \
142 ASSERT_PTR_NE(errstr, NULL); \
143 TEST_DONE(); \
144 } while (0)
145#define CHECK_SUCCESS_AND_CLEANUP() \
146 do { \
147 if (errstr != NULL) \
148 ASSERT_STRING_EQ(errstr, ""); \
149 compare_opts(opts, expected); \
150 sshauthopt_free(expected); \
151 sshauthopt_free(opts); \
152 } while (0)
153
154 /* Basic tests */
155 TEST_START("sshauthopt_parse empty");
156 expected = default_authkey_opts();
157 opts = sshauthopt_parse("", &errstr);
158 CHECK_SUCCESS_AND_CLEANUP();
159 TEST_DONE();
160
161 TEST_START("sshauthopt_parse trailing whitespace");
162 expected = default_authkey_opts();
163 opts = sshauthopt_parse(" ", &errstr);
164 CHECK_SUCCESS_AND_CLEANUP();
165 TEST_DONE();
166
167 TEST_START("sshauthopt_parse restrict");
168 expected = default_authkey_restrict_opts();
169 opts = sshauthopt_parse("restrict", &errstr);
170 CHECK_SUCCESS_AND_CLEANUP();
171 TEST_DONE();
172
173 /* Invalid syntax */
174 FAIL_TEST("trailing comma", "restrict,");
175 FAIL_TEST("bare comma", ",");
176 FAIL_TEST("unknown option", "BLAH");
177 FAIL_TEST("unknown option with trailing comma", "BLAH,");
178 FAIL_TEST("unknown option with trailing whitespace", "BLAH ");
179
180 /* force_tun_device */
181 TEST_START("sshauthopt_parse tunnel explicit");
182 expected = default_authkey_opts();
183 expected->force_tun_device = 1;
184 opts = sshauthopt_parse("tunnel=\"1\"", &errstr);
185 CHECK_SUCCESS_AND_CLEANUP();
186 TEST_DONE();
187
188 TEST_START("sshauthopt_parse tunnel any");
189 expected = default_authkey_opts();
190 expected->force_tun_device = SSH_TUNID_ANY;
191 opts = sshauthopt_parse("tunnel=\"any\"", &errstr);
192 CHECK_SUCCESS_AND_CLEANUP();
193 TEST_DONE();
194
195 FAIL_TEST("tunnel", "tunnel=\"blah\"");
196
197 /* Flag options */
198#define FLAG_TEST(keyword, var, val) \
199 do { \
200 TEST_START("sshauthopt_parse " keyword); \
201 expected = default_authkey_opts(); \
202 expected->var = val; \
203 opts = sshauthopt_parse(keyword, &errstr); \
204 CHECK_SUCCESS_AND_CLEANUP(); \
205 expected = default_authkey_restrict_opts(); \
206 expected->var = val; \
207 opts = sshauthopt_parse("restrict,"keyword, &errstr); \
208 CHECK_SUCCESS_AND_CLEANUP(); \
209 TEST_DONE(); \
210 } while (0)
211 /* Positive flags */
212 FLAG_TEST("cert-authority", cert_authority, 1);
213 FLAG_TEST("port-forwarding", permit_port_forwarding_flag, 1);
214 FLAG_TEST("agent-forwarding", permit_agent_forwarding_flag, 1);
215 FLAG_TEST("x11-forwarding", permit_x11_forwarding_flag, 1);
216 FLAG_TEST("pty", permit_pty_flag, 1);
217 FLAG_TEST("user-rc", permit_user_rc, 1);
218 /* Negative flags */
219 FLAG_TEST("no-port-forwarding", permit_port_forwarding_flag, 0);
220 FLAG_TEST("no-agent-forwarding", permit_agent_forwarding_flag, 0);
221 FLAG_TEST("no-x11-forwarding", permit_x11_forwarding_flag, 0);
222 FLAG_TEST("no-pty", permit_pty_flag, 0);
223 FLAG_TEST("no-user-rc", permit_user_rc, 0);
224#undef FLAG_TEST
225 FAIL_TEST("no-cert-authority", "no-cert-authority");
226
227 /* String options */
228#define STRING_TEST(keyword, var, val) \
229 do { \
230 TEST_START("sshauthopt_parse " keyword); \
231 expected = default_authkey_opts(); \
232 expected->var = strdup(val); \
233 ASSERT_PTR_NE(expected->var, NULL); \
234 opts = sshauthopt_parse(keyword "=" #val, &errstr); \
235 CHECK_SUCCESS_AND_CLEANUP(); \
236 expected = default_authkey_restrict_opts(); \
237 expected->var = strdup(val); \
238 ASSERT_PTR_NE(expected->var, NULL); \
239 opts = sshauthopt_parse( \
240 "restrict," keyword "=" #val ",restrict", &errstr); \
241 CHECK_SUCCESS_AND_CLEANUP(); \
242 TEST_DONE(); \
243 } while (0)
244 STRING_TEST("command", force_command, "/bin/true");
245 STRING_TEST("principals", cert_principals, "gregor,josef,K");
246 STRING_TEST("from", required_from_host_keys, "127.0.0.0/8");
247#undef STRING_TEST
248 FAIL_TEST("unquoted command", "command=oops");
249 FAIL_TEST("unquoted principals", "principals=estragon");
250 FAIL_TEST("unquoted from", "from=127.0.0.1");
251
252 /* String array option tests */
253#define ARRAY_TEST(label, keywords, var, nvar, val) \
254 do { \
255 TEST_START("sshauthopt_parse " label); \
256 expected = default_authkey_opts(); \
257 expected->var = commasplit(val, &expected->nvar); \
258 ASSERT_PTR_NE(expected->var, NULL); \
259 opts = sshauthopt_parse(keywords, &errstr); \
260 CHECK_SUCCESS_AND_CLEANUP(); \
261 expected = default_authkey_restrict_opts(); \
262 expected->var = commasplit(val, &expected->nvar); \
263 ASSERT_PTR_NE(expected->var, NULL); \
264 opts = sshauthopt_parse( \
265 "restrict," keywords ",restrict", &errstr); \
266 CHECK_SUCCESS_AND_CLEANUP(); \
267 TEST_DONE(); \
268 } while (0)
269 ARRAY_TEST("environment", "environment=\"foo=1\",environment=\"bar=2\"",
270 env, nenv, "foo=1,bar=2");
271 ARRAY_TEST("permitopen", "permitopen=\"foo:123\",permitopen=\"bar:*\"",
272 permitopen, npermitopen, "foo:123,bar:*");
273#undef ARRAY_TEST
274 FAIL_TEST("environment", "environment=\",=bah\"");
275 FAIL_TEST("permitopen port", "foo:bar");
276 FAIL_TEST("permitopen missing port", "foo:");
277 FAIL_TEST("permitopen missing port specification", "foo");
278 FAIL_TEST("permitopen invalid host", "[:");
279
280#undef CHECK_SUCCESS_AND_CLEANUP
281#undef FAIL_TEST
282}
283
284static void
285test_cert_parse(void)
286{
287 struct sshkey *cert;
288 struct sshauthopt *opts, *expected;
289
290#define CHECK_SUCCESS_AND_CLEANUP() \
291 do { \
292 compare_opts(opts, expected); \
293 sshauthopt_free(expected); \
294 sshauthopt_free(opts); \
295 sshkey_free(cert); \
296 } while (0)
297#define FLAG_TEST(keybase, var) \
298 do { \
299 TEST_START("sshauthopt_from_cert no_" keybase); \
300 cert = load_key("no_" keybase ".cert"); \
301 expected = default_authkey_opts(); \
302 expected->var = 0; \
303 opts = sshauthopt_from_cert(cert); \
304 CHECK_SUCCESS_AND_CLEANUP(); \
305 TEST_DONE(); \
306 TEST_START("sshauthopt_from_cert only_" keybase); \
307 cert = load_key("only_" keybase ".cert"); \
308 expected = sshauthopt_new(); \
309 ASSERT_PTR_NE(expected, NULL); \
310 expected->var = 1; \
311 opts = sshauthopt_from_cert(cert); \
312 CHECK_SUCCESS_AND_CLEANUP(); \
313 TEST_DONE(); \
314 } while (0)
315 FLAG_TEST("agentfwd", permit_agent_forwarding_flag);
316 FLAG_TEST("portfwd", permit_port_forwarding_flag);
317 FLAG_TEST("pty", permit_pty_flag);
318 FLAG_TEST("user_rc", permit_user_rc);
319 FLAG_TEST("x11fwd", permit_x11_forwarding_flag);
320#undef FLAG_TEST
321
322 TEST_START("sshauthopt_from_cert all permitted");
323 cert = load_key("all_permit.cert");
324 expected = default_authkey_opts();
325 opts = sshauthopt_from_cert(cert);
326 CHECK_SUCCESS_AND_CLEANUP();
327 TEST_DONE();
328
329 TEST_START("sshauthopt_from_cert nothing permitted");
330 cert = load_key("no_permit.cert");
331 expected = sshauthopt_new();
332 ASSERT_PTR_NE(expected, NULL);
333 opts = sshauthopt_from_cert(cert);
334 CHECK_SUCCESS_AND_CLEANUP();
335 TEST_DONE();
336
337 TEST_START("sshauthopt_from_cert force-command");
338 cert = load_key("force_command.cert");
339 expected = default_authkey_opts();
340 expected->force_command = strdup("foo");
341 ASSERT_PTR_NE(expected->force_command, NULL);
342 opts = sshauthopt_from_cert(cert);
343 CHECK_SUCCESS_AND_CLEANUP();
344 TEST_DONE();
345
346 TEST_START("sshauthopt_from_cert source-address");
347 cert = load_key("sourceaddr.cert");
348 expected = default_authkey_opts();
349 expected->required_from_host_cert = strdup("127.0.0.1/32,::1/128");
350 ASSERT_PTR_NE(expected->required_from_host_cert, NULL);
351 opts = sshauthopt_from_cert(cert);
352 CHECK_SUCCESS_AND_CLEANUP();
353 TEST_DONE();
354#undef CHECK_SUCCESS_AND_CLEANUP
355
356#define FAIL_TEST(keybase) \
357 do { \
358 TEST_START("sshauthopt_from_cert " keybase); \
359 cert = load_key(keybase ".cert"); \
360 opts = sshauthopt_from_cert(cert); \
361 ASSERT_PTR_EQ(opts, NULL); \
362 sshkey_free(cert); \
363 TEST_DONE(); \
364 } while (0)
365 FAIL_TEST("host");
366 FAIL_TEST("bad_sourceaddr");
367 FAIL_TEST("unknown_critical");
368#undef FAIL_TEST
369}
370
371static void
372test_merge(void)
373{
374 struct sshkey *cert;
375 struct sshauthopt *key_opts, *cert_opts, *merge_opts, *expected;
376 const char *errstr;
377
378 /*
379 * Prepare for a test by making some key and cert options and
380 * attempting to merge them.
381 */
382#define PREPARE(label, keyname, keywords) \
383 do { \
384 expected = NULL; \
385 TEST_START("sshauthopt_merge " label); \
386 cert = load_key(keyname ".cert"); \
387 cert_opts = sshauthopt_from_cert(cert); \
388 ASSERT_PTR_NE(cert_opts, NULL); \
389 key_opts = sshauthopt_parse(keywords, &errstr); \
390 if (errstr != NULL) \
391 ASSERT_STRING_EQ(errstr, ""); \
392 ASSERT_PTR_NE(key_opts, NULL); \
393 merge_opts = sshauthopt_merge(key_opts, \
394 cert_opts, &errstr); \
395 } while (0)
396
397 /* Cleanup stuff allocated by PREPARE() */
398#define CLEANUP() \
399 do { \
400 sshauthopt_free(expected); \
401 sshauthopt_free(merge_opts); \
402 sshauthopt_free(key_opts); \
403 sshauthopt_free(cert_opts); \
404 sshkey_free(cert); \
405 } while (0)
406
407 /* Check the results of PREPARE() against expectation; calls CLEANUP */
408#define CHECK_SUCCESS_AND_CLEANUP() \
409 do { \
410 if (errstr != NULL) \
411 ASSERT_STRING_EQ(errstr, ""); \
412 compare_opts(merge_opts, expected); \
413 CLEANUP(); \
414 } while (0)
415
416 /* Check a single case of merging of flag options */
417#define FLAG_CASE(keybase, label, keyname, keywords, mostly_off, var, val) \
418 do { \
419 PREPARE(keybase " " label, keyname, keywords); \
420 expected = mostly_off ? \
421 sshauthopt_new() : default_authkey_opts(); \
422 expected->var = val; \
423 ASSERT_PTR_NE(expected, NULL); \
424 CHECK_SUCCESS_AND_CLEANUP(); \
425 TEST_DONE(); \
426 } while (0)
427
428 /*
429 * Fairly exhaustive exercise of a flag option. Tests
430 * option both set and clear in certificate, set and clear in
431 * authorized_keys and set and cleared via restrict keyword.
432 */
433#define FLAG_TEST(keybase, keyword, var) \
434 do { \
435 FLAG_CASE(keybase, "keys:default,yes cert:default,no", \
436 "no_" keybase, keyword, 0, var, 0); \
437 FLAG_CASE(keybase,"keys:-*,yes cert:default,no", \
438 "no_" keybase, "restrict," keyword, 1, var, 0); \
439 FLAG_CASE(keybase, "keys:default,no cert:default,no", \
440 "no_" keybase, "no-" keyword, 0, var, 0); \
441 FLAG_CASE(keybase, "keys:-*,no cert:default,no", \
442 "no_" keybase, "restrict,no-" keyword, 1, var, 0); \
443 \
444 FLAG_CASE(keybase, "keys:default,yes cert:-*,yes", \
445 "only_" keybase, keyword, 1, var, 1); \
446 FLAG_CASE(keybase,"keys:-*,yes cert:-*,yes", \
447 "only_" keybase, "restrict," keyword, 1, var, 1); \
448 FLAG_CASE(keybase, "keys:default,no cert:-*,yes", \
449 "only_" keybase, "no-" keyword, 1, var, 0); \
450 FLAG_CASE(keybase, "keys:-*,no cert:-*,yes", \
451 "only_" keybase, "restrict,no-" keyword, 1, var, 0); \
452 \
453 FLAG_CASE(keybase, "keys:default,yes cert:-*", \
454 "no_permit", keyword, 1, var, 0); \
455 FLAG_CASE(keybase,"keys:-*,yes cert:-*", \
456 "no_permit", "restrict," keyword, 1, var, 0); \
457 FLAG_CASE(keybase, "keys:default,no cert:-*", \
458 "no_permit", "no-" keyword, 1, var, 0); \
459 FLAG_CASE(keybase, "keys:-*,no cert:-*", \
460 "no_permit", "restrict,no-" keyword, 1, var, 0); \
461 \
462 FLAG_CASE(keybase, "keys:default,yes cert:*", \
463 "all_permit", keyword, 0, var, 1); \
464 FLAG_CASE(keybase,"keys:-*,yes cert:*", \
465 "all_permit", "restrict," keyword, 1, var, 1); \
466 FLAG_CASE(keybase, "keys:default,no cert:*", \
467 "all_permit", "no-" keyword, 0, var, 0); \
468 FLAG_CASE(keybase, "keys:-*,no cert:*", \
469 "all_permit", "restrict,no-" keyword, 1, var, 0); \
470 \
471 } while (0)
472 FLAG_TEST("portfwd", "port-forwarding", permit_port_forwarding_flag);
473 FLAG_TEST("agentfwd", "agent-forwarding", permit_agent_forwarding_flag);
474 FLAG_TEST("pty", "pty", permit_pty_flag);
475 FLAG_TEST("user_rc", "user-rc", permit_user_rc);
476 FLAG_TEST("x11fwd", "x11-forwarding", permit_x11_forwarding_flag);
477#undef FLAG_TEST
478
479 PREPARE("source-address both", "sourceaddr", "from=\"127.0.0.1\"");
480 expected = default_authkey_opts();
481 expected->required_from_host_cert = strdup("127.0.0.1/32,::1/128");
482 ASSERT_PTR_NE(expected->required_from_host_cert, NULL);
483 expected->required_from_host_keys = strdup("127.0.0.1");
484 ASSERT_PTR_NE(expected->required_from_host_keys, NULL);
485 CHECK_SUCCESS_AND_CLEANUP();
486 TEST_DONE();
487
488 PREPARE("source-address none", "all_permit", "");
489 expected = default_authkey_opts();
490 CHECK_SUCCESS_AND_CLEANUP();
491 TEST_DONE();
492
493 PREPARE("source-address keys", "all_permit", "from=\"127.0.0.1\"");
494 expected = default_authkey_opts();
495 expected->required_from_host_keys = strdup("127.0.0.1");
496 ASSERT_PTR_NE(expected->required_from_host_keys, NULL);
497 CHECK_SUCCESS_AND_CLEANUP();
498 TEST_DONE();
499
500 PREPARE("source-address cert", "sourceaddr", "");
501 expected = default_authkey_opts();
502 expected->required_from_host_cert = strdup("127.0.0.1/32,::1/128");
503 ASSERT_PTR_NE(expected->required_from_host_cert, NULL);
504 CHECK_SUCCESS_AND_CLEANUP();
505 TEST_DONE();
506
507 PREPARE("force-command both", "force_command", "command=\"foo\"");
508 expected = default_authkey_opts();
509 expected->force_command = strdup("foo");
510 ASSERT_PTR_NE(expected->force_command, NULL);
511 CHECK_SUCCESS_AND_CLEANUP();
512 TEST_DONE();
513
514 PREPARE("force-command none", "all_permit", "");
515 expected = default_authkey_opts();
516 CHECK_SUCCESS_AND_CLEANUP();
517 TEST_DONE();
518
519 PREPARE("force-command keys", "all_permit", "command=\"bar\"");
520 expected = default_authkey_opts();
521 expected->force_command = strdup("bar");
522 ASSERT_PTR_NE(expected->force_command, NULL);
523 CHECK_SUCCESS_AND_CLEANUP();
524 TEST_DONE();
525
526 PREPARE("force-command cert", "force_command", "");
527 expected = default_authkey_opts();
528 expected->force_command = strdup("foo");
529 ASSERT_PTR_NE(expected->force_command, NULL);
530 CHECK_SUCCESS_AND_CLEANUP();
531 TEST_DONE();
532
533 PREPARE("force-command mismatch", "force_command", "command=\"bar\"");
534 ASSERT_PTR_EQ(merge_opts, NULL);
535 CLEANUP();
536 TEST_DONE();
537
538 PREPARE("tunnel", "all_permit", "tunnel=\"6\"");
539 expected = default_authkey_opts();
540 expected->force_tun_device = 6;
541 CHECK_SUCCESS_AND_CLEANUP();
542 TEST_DONE();
543
544 PREPARE("permitopen", "all_permit",
545 "permitopen=\"127.0.0.1:*\",permitopen=\"127.0.0.1:123\"");
546 expected = default_authkey_opts();
547 expected->permitopen = commasplit("127.0.0.1:*,127.0.0.1:123",
548 &expected->npermitopen);
549 CHECK_SUCCESS_AND_CLEANUP();
550 TEST_DONE();
551
552 PREPARE("environment", "all_permit",
553 "environment=\"foo=a\",environment=\"bar=b\"");
554 expected = default_authkey_opts();
555 expected->env = commasplit("foo=a,bar=b", &expected->nenv);
556 CHECK_SUCCESS_AND_CLEANUP();
557 TEST_DONE();
558}
559
560void
561tests(void)
562{
563 extern char *__progname;
564 LogLevel ll = test_is_verbose() ?
565 SYSLOG_LEVEL_DEBUG3 : SYSLOG_LEVEL_QUIET;
566
567 /* test_cert_parse() are a bit spammy to error() by default... */
568 log_init(__progname, ll, SYSLOG_FACILITY_USER, 1);
569
570 test_authkeys_parse();
571 test_cert_parse();
572 test_merge();
573}
diff --git a/regress/unittests/bitmap/Makefile b/regress/unittests/bitmap/Makefile
index bd21949f8..fe30acc77 100644
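--- a/regress/unittests/bitmap/Makefile
+++ b/regress/unittests/bitmap/Makefile
@@ -1,7 +1,11 @@
-# $OpenBSD: Makefile,v 1.3 2016/11/01 13:43:27 tb Exp $
+# $OpenBSD: Makefile,v 1.4 2017/12/21 00:41:22 djm Exp $
 
 PROG=test_bitmap
 SRCS=tests.c
+
+# From usr.sbin/ssh
+SRCS+=bitmap.c atomicio.c
+
 REGRESS_TARGETS=run-regress-${PROG}
 
 run-regress-${PROG}: ${PROG}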
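Review bot: The added comment `# From usr.sbin/ssh` (new line 6) looks like a typo for `usr.bin/ssh`. Every other Makefile that gains this block in the commit (conversion, hostkeys, kex, match, sshbuf, sshkey, utf8) uses `# From usr.bin/ssh`. I would change it to match, so that a search for the source directory finds all of the lists.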
diff --git a/regress/unittests/conversion/Makefile b/regress/unittests/conversion/Makefile
index cde97dc28..8b2a09cc3 100644
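--- a/regress/unittests/conversion/Makefile
+++ b/regress/unittests/conversion/Makefile
@@ -1,7 +1,12 @@
-# $OpenBSD: Makefile,v 1.1 2017/03/14 01:20:29 dtucker Exp $
+# $OpenBSD: Makefile,v 1.2 2017/12/21 00:41:22 djm Exp $
 
 PROG=test_conversion
 SRCS=tests.c
+
+# From usr.bin/ssh
+SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c
+SRCS+=atomicio.c misc.c xmalloc.c log.c uidswap.c cleanup.c fatal.c ssherr.c
+
 REGRESS_TARGETS=run-regress-${PROG}
 
 run-regress-${PROG}: ${PROG}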
diff --git a/regress/unittests/hostkeys/Makefile b/regress/unittests/hostkeys/Makefile
index ae3c342bd..336885122 100644
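--- a/regress/unittests/hostkeys/Makefile
+++ b/regress/unittests/hostkeys/Makefile
@@ -1,7 +1,20 @@
-# $OpenBSD: Makefile,v 1.3 2016/11/01 13:43:27 tb Exp $
+# $OpenBSD: Makefile,v 1.4 2017/12/21 00:41:22 djm Exp $
 
 PROG=test_hostkeys
 SRCS=tests.c test_iterate.c
+
+# From usr.bin/ssh
+SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c
+SRCS+=atomicio.c sshkey.c authfile.c cipher.c log.c ssh-rsa.c ssh-dss.c
+SRCS+=ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c
+SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c
+SRCS+=addrmatch.c bitmap.c hostfile.c
+SRCS+=ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c
+SRCS+=cipher-chachapoly.c chacha.c poly1305.c
+
+SRCS+=digest-openssl.c
+#SRCS+=digest-libc.c
+
 REGRESS_TARGETS=run-regress-${PROG}
 
 run-regress-${PROG}: ${PROG}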
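Review bot: `SRCS+=digest-openssl.c` is hard-wired and `#SRCS+=digest-libc.c` is left commented out, with nothing saying when a builder should swap them. The same pair is added to the kex and sshkey Makefiles in this commit. Judging by the file names, this selects the digest backend, so a one-line comment above the pair would help, for example `# Digest backend: use digest-libc.c instead when not linking OpenSSL` (wording to be confirmed against the build). The long `SRCS+=` list is also repeated almost verbatim in those three Makefiles, so keeping the copies in sync is now manual.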
diff --git a/regress/unittests/kex/Makefile b/regress/unittests/kex/Makefile
index 7ed312675..5c61307a3 100644
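--- a/regress/unittests/kex/Makefile
+++ b/regress/unittests/kex/Makefile
@@ -1,7 +1,24 @@
-# $OpenBSD: Makefile,v 1.4 2016/11/01 13:43:27 tb Exp $
+# $OpenBSD: Makefile,v 1.5 2017/12/21 00:41:22 djm Exp $
 
 PROG=test_kex
 SRCS=tests.c test_kex.c
+
+# From usr.bin/ssh
+SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c
+SRCS+=atomicio.c sshkey.c authfile.c cipher.c log.c ssh-rsa.c ssh-dss.c
+SRCS+=ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c
+SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c
+SRCS+=addrmatch.c bitmap.c packet.c dispatch.c canohost.c ssh_api.c
+SRCS+=kex.c kexc25519.c kexc25519c.c kexc25519s.c kexdh.c kexdhc.c kexdhs.c
+SRCS+=kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c kexgexs.c
+SRCS+=dh.c compat.c
+SRCS+=ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c
+SRCS+=cipher-chachapoly.c chacha.c poly1305.c
+SRCS+=smult_curve25519_ref.c
+
+SRCS+=digest-openssl.c
+#SRCS+=digest-libc.c
+
 REGRESS_TARGETS=run-regress-${PROG}
 
 run-regress-${PROG}: ${PROG}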
diff --git a/regress/unittests/match/Makefile b/regress/unittests/match/Makefile
index bd4aed844..87e75826a 100644
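--- a/regress/unittests/match/Makefile
+++ b/regress/unittests/match/Makefile
@@ -1,7 +1,13 @@
-# $OpenBSD: Makefile,v 1.3 2016/11/01 13:43:27 tb Exp $
+# $OpenBSD: Makefile,v 1.4 2017/12/21 03:01:49 djm Exp $
 
 PROG=test_match
 SRCS=tests.c
+
+# From usr.bin/ssh
+SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c
+SRCS+=match.c misc.c log.c uidswap.c fatal.c ssherr.c addrmatch.c xmalloc.c
+SRCS+=cleanup.c atomicio.c
+
 REGRESS_TARGETS=run-regress-${PROG}
 
 run-regress-${PROG}: ${PROG}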
diff --git a/regress/unittests/sshbuf/Makefile b/regress/unittests/sshbuf/Makefile
index 69b27566b..81d4f27a6 100644
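--- a/regress/unittests/sshbuf/Makefile
+++ b/regress/unittests/sshbuf/Makefile
@@ -1,4 +1,6 @@
-# $OpenBSD: Makefile,v 1.5 2016/11/01 13:43:27 tb Exp $
+# $OpenBSD: Makefile,v 1.6 2017/12/21 00:41:22 djm Exp $
+
+.include <bsd.regress.mk>
 
 PROG=test_sshbuf
 SRCS=tests.c
@@ -10,5 +12,11 @@ SRCS+=test_sshbuf_fuzz.c
 SRCS+=test_sshbuf_getput_fuzz.c
 SRCS+=test_sshbuf_fixed.c
 
-.include <bsd.regress.mk>
+# From usr.bin/ssh
+SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c
+SRCS+=atomicio.c
+
+run-regress-${PROG}: ${PROG}
+ env ${TEST_ENV} ./${PROG}
+
 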
diff --git a/regress/unittests/sshkey/Makefile b/regress/unittests/sshkey/Makefile
index cfbfcf8f1..1c940bec6 100644
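--- a/regress/unittests/sshkey/Makefile
+++ b/regress/unittests/sshkey/Makefile
@@ -1,7 +1,20 @@
-# $OpenBSD: Makefile,v 1.4 2016/11/01 13:43:27 tb Exp $
+# $OpenBSD: Makefile,v 1.5 2017/12/21 00:41:22 djm Exp $
 
 PROG=test_sshkey
 SRCS=tests.c test_sshkey.c test_file.c test_fuzz.c common.c
+
+# From usr.bin/ssh
+SRCS+=sshbuf-getput-basic.c sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c
+SRCS+=atomicio.c sshkey.c authfile.c cipher.c log.c ssh-rsa.c ssh-dss.c
+SRCS+=ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c
+SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c
+SRCS+=addrmatch.c bitmap.c
+SRCS+=ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c
+SRCS+=cipher-chachapoly.c chacha.c poly1305.c
+
+SRCS+=digest-openssl.c
+#SRCS+=digest-libc.c
+
 REGRESS_TARGETS=run-regress-${PROG}
 
 run-regress-${PROG}: ${PROG}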
diff --git a/regress/unittests/sshkey/test_fuzz.c b/regress/unittests/sshkey/test_fuzz.c
index 6706045d5..d3b0c92b4 100644
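--- a/regress/unittests/sshkey/test_fuzz.c
+++ b/regress/unittests/sshkey/test_fuzz.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_fuzz.c,v 1.7 2017/04/30 23:33:48 djm Exp $ */
+/* $OpenBSD: test_fuzz.c,v 1.8 2017/12/21 00:41:22 djm Exp $ */
 /*
  * Fuzz tests for key parsing
  *
@@ -83,7 +83,7 @@ sig_fuzz(struct sshkey *k, const char *sig_alg)
  fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | /* too slow FUZZ_2_BIT_FLIP | */
  FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP |
  FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END, sig, l);
- ASSERT_INT_EQ(sshkey_verify(k, sig, l, c, sizeof(c), 0), 0);
+ ASSERT_INT_EQ(sshkey_verify(k, sig, l, c, sizeof(c), NULL, 0), 0);
  free(sig);
  TEST_ONERROR(onerror, fuzz);
  for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
@@ -91,7 +91,7 @@ sig_fuzz(struct sshkey *k, const char *sig_alg)
  if (fuzz_matches_original(fuzz))
  continue;
  ASSERT_INT_NE(sshkey_verify(k, fuzz_ptr(fuzz), fuzz_len(fuzz),
- c, sizeof(c), 0), 0);
+ c, sizeof(c), NULL, 0), 0);
  }
  fuzz_cleanup(fuzz);
 }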
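Review bot: Both updated `sshkey_verify()` calls pass `NULL` for the newly added argument, so neither this file nor the three calls changed in test_sshkey.c's `signature_test` exercises whatever check that parameter enables. The page does not show the new prototype, but if the argument is the expected signature algorithm, the verifier's enforcement of it is a security-relevant path that currently has no regression coverage. Both functions already receive `sig_alg`, so the success path could pass it, e.g. `ASSERT_INT_EQ(sshkey_verify(k, sig, l, c, sizeof(c), sig_alg, 0), 0);`, alongside a case with a deliberately different algorithm name that must return non-zero. `sig_fuzz` begins before this hunk, so how `sig` is produced is not visible here.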
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
index 0a73322a3..1aa608f92 100644
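--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_sshkey.c,v 1.12 2017/05/08 06:08:42 djm Exp $ */
+/* $OpenBSD: test_sshkey.c,v 1.13 2017/12/21 00:41:22 djm Exp $ */
 /*
  * Regress test for sshkey.h key management API
  *
@@ -121,11 +121,11 @@ signature_test(struct sshkey *k, struct sshkey *bad, const char *sig_alg,
  ASSERT_INT_EQ(sshkey_sign(k, &sig, &len, d, l, sig_alg, 0), 0);
  ASSERT_SIZE_T_GT(len, 8);
  ASSERT_PTR_NE(sig, NULL);
- ASSERT_INT_EQ(sshkey_verify(k, sig, len, d, l, 0), 0);
- ASSERT_INT_NE(sshkey_verify(bad, sig, len, d, l, 0), 0);
+ ASSERT_INT_EQ(sshkey_verify(k, sig, len, d, l, NULL, 0), 0);
+ ASSERT_INT_NE(sshkey_verify(bad, sig, len, d, l, NULL, 0), 0);
  /* Fuzz test is more comprehensive, this is just a smoke test */
  sig[len - 5] ^= 0x10;
- ASSERT_INT_NE(sshkey_verify(k, sig, len, d, l, 0), 0);
+ ASSERT_INT_NE(sshkey_verify(k, sig, len, d, l, NULL, 0), 0);
  free(sig);
 }
 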
diff --git a/regress/unittests/test_helper/test_helper.c b/regress/unittests/test_helper/test_helper.c
index f855137fb..866f3495d 100644
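--- a/regress/unittests/test_helper/test_helper.c
+++ b/regress/unittests/test_helper/test_helper.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_helper.c,v 1.7 2017/03/14 01:10:07 dtucker Exp $ */
+/* $OpenBSD: test_helper.c,v 1.8 2018/02/08 08:46:20 djm Exp $ */
 /*
  * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
  *
@@ -166,6 +166,18 @@ main(int argc, char **argv)
  return 0;
 }
 
+int
+test_is_verbose()
+{
+ return verbose_mode;
+}
+
+int
+test_is_quiet()
+{
+ return quiet_mode;
+}
+
 const char *
 test_data_file(const char *name)
 {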
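Review bot: `test_is_verbose()` and `test_is_quiet()` are defined with empty parentheses, while the prototypes this commit adds to test_helper.h declare them as `(void)`. Before C23 an empty list in a definition is an old-style declarator that does not itself provide a prototype. Writing `test_is_verbose(void)` and `test_is_quiet(void)` keeps definition and declaration identical and stays clean under `-Wstrict-prototypes`. A short comment above each would also help, something like `/* Returns the verbose_mode flag; non-zero presumably means verbose output was requested */`, since where `verbose_mode` and `quiet_mode` are set is outside this hunk.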
diff --git a/regress/unittests/test_helper/test_helper.h b/regress/unittests/test_helper/test_helper.h
index 615b7832b..6da0066e9 100644
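--- a/regress/unittests/test_helper/test_helper.h
+++ b/regress/unittests/test_helper/test_helper.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_helper.h,v 1.7 2017/03/14 01:10:07 dtucker Exp $ */
+/* $OpenBSD: test_helper.h,v 1.8 2018/02/08 08:46:20 djm Exp $ */
 /*
  * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
  *
@@ -43,6 +43,8 @@ void test_start(const char *n);
 void test_info(char *s, size_t len);
 void set_onerror_func(test_onerror_func_t *f, void *ctx);
 void test_done(void);
+int test_is_verbose(void);
+int test_is_quiet(void);
 void test_subtest_info(const char *fmt, ...)
  __attribute__((format(printf, 1, 2)));
 void ssl_err_check(const char *file, int line);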
diff --git a/regress/unittests/utf8/Makefile b/regress/unittests/utf8/Makefile
index a975264fc..f8eec0484 100644
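--- a/regress/unittests/utf8/Makefile
+++ b/regress/unittests/utf8/Makefile
@@ -1,7 +1,11 @@
-# $OpenBSD: Makefile,v 1.4 2016/11/01 13:43:27 tb Exp $
+# $OpenBSD: Makefile,v 1.5 2017/12/21 00:41:22 djm Exp $
 
 PROG=test_utf8
 SRCS=tests.c
+
+# From usr.bin/ssh
+SRCS+=utf8.c atomicio.c
+
 REGRESS_TARGETS=run-regress-${PROG}
 
 run-regress-${PROG}: ${PROG}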
diff --git a/regress/yes-head.sh b/regress/yes-head.sh
index fce2f6580..2759eb8ce 100644
--- a/regress/yes-head.sh
+++ b/regress/yes-head.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: yes-head.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: yes-head.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="yes pipe head" 4tid="yes pipe head"