summaryrefslogtreecommitdiff
path: root/regress/integrity.sh
AgeCommit message (Collapse)Author
2017-03-29Make integrity tests more robust against timeoutsColin Watson
If the first test in a series for a given MAC happens to modify the low bytes of a packet length, then ssh will time out and this will be interpreted as a test failure. Handle this failure mode. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2658 Patch-Name: regress-integrity-robust.patch Last-Update: 2017-01-01
2017-01-30upstream commitdtucker@openbsd.org
Account for timeouts in the integrity tests as failures. If the first test in a series for a given MAC happens to modify the low bytes of a packet length, then ssh will time out and this will be interpreted as a test failure. Patch from cjwatson at debian.org via bz#2658. Upstream-Regress-ID: e7467613b0badedaa300bc6fc7495ec2f44e2fb9
2016-11-29upstream commitdtucker@openbsd.org
Reverse args to sshd-log-wrapper. Matches change in portable, where it allows sshd do be optionally run under Valgrind. Upstream-Regress-ID: b438d1c6726dc5caa2a45153e6103a0393faa906
2016-03-04upstream commitdtucker@openbsd.org
Filter debug messages out of log before picking the last two lines. Should prevent problems if any more debug output is added late in the connection. Upstream-Regress-ID: 345d0a9589c381e7d640a4ead06cfaadf4db1363
2016-03-04upstream commitdtucker@openbsd.org
Look back 3 lines for possible error messages. Changes to the code mean that "Bad packet length" errors are 3 lines back instead of the previous two, which meant we didn't skip some offsets that we intended to. Upstream-Regress-ID: 24f36912740a634d509a3144ebc8eb7c09b9c684
2015-04-01upstream commitmarkus@openbsd.org
use ${SSH} for -Q instead of installed ssh
2015-02-26valgrind supportDamien Miller
2015-01-20upstream commitmarkus@openbsd.org
adapt to new error message (SSH_ERR_MAC_INVALID)
2014-07-02 - djm@cvs.openbsd.org 2014/05/21 07:04:21Damien Miller
[regress/integrity.sh] when failing because of unexpected output, show the offending output
2014-05-15 - djm@cvs.openbsd.org 2014/04/21 22:15:37Damien Miller
[dhgex.sh integrity.sh kextype.sh rekey.sh try-ciphers.sh] repair regress tests broken by server-side default cipher/kex/mac changes by ensuring that the option under test is included in the server's algorithm list
2013-11-21 - djm@cvs.openbsd.org 2013/11/21 03:18:51Damien Miller
[regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh] [regress/try-ciphers.sh] use new "ssh -Q cipher-auth" query to obtain lists of authenticated encryption ciphers instead of specifying them manually; ensures that the new chacha20poly1305@openssh.com mode is tested; ok markus@ and naddy@ as part of the diff to add chacha20poly1305@openssh.com
2013-11-07 - dtucker@cvs.openbsd.org 2013/11/07 02:48:38Darren Tucker
[regress/integrity.sh regress/cipher-speed.sh regress/try-ciphers.sh] Use ssh -Q instead of hardcoding lists of ciphers or MACs.
2013-05-17 - (dtucker) [regress/integrity.sh regress/krl.sh regress/test-exec.sh]Darren Tucker
Move the jot helper function to portable-specific part of test-exec.sh.
2013-05-17 - dtucker@cvs.openbsd.org 2013/05/17 01:32:11Darren Tucker
[regress/integrity.sh] don't print output from ssh before getting it (it's available in ssh.log)
2013-05-17 - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchangeDarren Tucker
methods. When the openssl version doesn't support ECDH then next one on the list is DH group exchange, but that causes a bit more traffic which can mean that the tests flip bits in the initial exchange rather than the MACed traffic and we get different errors to what the tests look for.
2013-05-17 - dtucker@cvs.openbsd.org 2013/04/07 02:16:03Darren Tucker
[regress/Makefile regress/rekey.sh regress/integrity.sh regress/sshd-log-wrapper.sh regress/forwarding.sh regress/test-exec.sh] use -E option for ssh and sshd to write debuging logs to ssh{,d}.log and save the output from any failing tests. If a test fails the debug output from ssh and sshd for the failing tests (and only the failing tests) should be available in failed-ssh{,d}.log.
2013-05-17 - dtucker@cvs.openbsd.org 2013/04/06 06:00:22Darren Tucker
[regress/rekey.sh regress/test-exec.sh regress/integrity.sh regress/multiplex.sh Makefile regress/cfgmatch.sh] Split the regress log into 3 parts: the debug output from ssh, the debug log from sshd and the output from the client command (ssh, scp or sftp). Somewhat functional now, will become more useful when ssh/sshd -E is added.
2013-02-26 - (tim) [regress/integrity.sh] keep old solaris awk from hanging.Tim Rice
2013-02-26 - (tim) [regress/integrity.sh] shell portability fix.Tim Rice
2013-02-26 - (djm) [regress/integrity.sh] Run sshd via $SUDO; fixes tinderbox breakageDamien Miller
for UsePAM=yes configuration
2013-02-26 - djm@cvs.openbsd.org 2013/02/20 08:27:50Damien Miller
[integrity.sh] Add an option to modpipe that warns if the modification offset it not reached in it's stream and turn it on for t-integrity. This should catch cases where the session is not fuzzed for being too short (cf. my last "oops" commit)
2013-02-19 - (djm) [regress/integrity.sh] Skip SHA2-based MACs on configurations thatDamien Miller
lack support for SHA2.
2013-02-19 - djm@cvs.openbsd.org 2013/02/19 02:14:09Damien Miller
[integrity.sh] oops, forgot to increase the output of the ssh command to ensure that we actually reach $offset
2013-02-19 - djm@cvs.openbsd.org 2013/02/18 22:26:47Damien Miller
[integrity.sh] crank the offset yet again; it was still fuzzing KEX one of Darren's portable test hosts at 2800
2013-02-18 - djm@cvs.openbsd.org 2013/02/17 23:16:55Damien Miller
[integrity.sh] make the ssh command generates some output to ensure that there are at least offset+tries bytes in the stream.
2013-02-16 - djm@cvs.openbsd.org 2013/02/16 06:08:45Damien Miller
[integrity.sh] make sure the fuzz offset is actually past the end of KEX for all KEX types. diffie-hellman-group-exchange-sha256 requires an offset around 2700. Noticed via test failures in portable OpenSSH on platforms that lack ECC and this the more byte-frugal ECDH KEX algorithms.
2013-02-14- (djm) [regress/integrity.sh] Start fuzzing from offset 2500 (insteadDamien Miller
of 2300) to avoid clobbering the end of (non-MAC'd) KEX. Verified by Iain Morgan
2013-01-17 - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]Damien Miller
check for GCM support before testing GCM ciphers.
2013-01-12 - (djm) [regress/integrity.sh] repair botched mergeDamien Miller
2013-01-12 - djm@cvs.openbsd.org 2013/01/12 11:23:53Damien Miller
[regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh] test AES-GCM modes; feedback markus@
2012-12-12- (djm) [regress/integrity.sh] Fix awk quoting, packet length skipDamien Miller
2012-12-12 - (djm) [regress/Makefile regress/integrity.sh] Make the integrity.sh testDamien Miller
work on platforms without 'jot'
2012-12-12 - markus@cvs.openbsd.org 2012/12/11 22:42:11Damien Miller
[regress/Makefile regress/modpipe.c regress/integrity.sh] test the integrity of the packets; with djm@