From 75129025a2d504b630d1718fef0da002f5662f63 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 09:19:10 +1000 Subject: - dtucker@cvs.openbsd.org 2013/04/06 06:00:22 [regress/rekey.sh regress/test-exec.sh regress/integrity.sh regress/multiplex.sh Makefile regress/cfgmatch.sh] Split the regress log into 3 parts: the debug output from ssh, the debug log from sshd and the output from the client command (ssh, scp or sftp). Somewhat functional now, will become more useful when ssh/sshd -E is added. --- regress/integrity.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'regress/integrity.sh') diff --git a/regress/integrity.sh b/regress/integrity.sh index 4d46926d5..1bd330a18 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.7 2013/02/20 08:27:50 djm Exp $ +# $OpenBSD: integrity.sh,v 1.8 2013/04/06 06:00:22 dtucker Exp $ # Placed in the Public Domain. tid="integrity" @@ -22,7 +22,7 @@ config_defined OPENSSL_HAVE_EVPGCM && \ macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com" # sshd-command for proxy (see test-exec.sh) -cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" +cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy" jot() { awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }" -- cgit v1.2.3 From dfea3bcdd7c980c2335402464b7dd8d8721e426d Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 09:31:39 +1000 Subject: - dtucker@cvs.openbsd.org 2013/04/07 02:16:03 [regress/Makefile regress/rekey.sh regress/integrity.sh regress/sshd-log-wrapper.sh regress/forwarding.sh regress/test-exec.sh] use -E option for ssh and sshd to write debuging logs to ssh{,d}.log and save the output from any failing tests. If a test fails the debug output from ssh and sshd for the failing tests (and only the failing tests) should be available in failed-ssh{,d}.log. --- ChangeLog | 7 +++++++ regress/Makefile | 5 +++-- regress/forwarding.sh | 6 +++--- regress/integrity.sh | 11 ++++++----- regress/rekey.sh | 5 ++--- regress/sshd-log-wrapper.sh | 4 ++-- regress/test-exec.sh | 44 ++++++++++++++++++++++++++++++++++++-------- 7 files changed, 59 insertions(+), 23 deletions(-) (limited to 'regress/integrity.sh') diff --git a/ChangeLog b/ChangeLog index 14450ac65..bb6787cf4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,13 @@ Split the regress log into 3 parts: the debug output from ssh, the debug log from sshd and the output from the client command (ssh, scp or sftp). Somewhat functional now, will become more useful when ssh/sshd -E is added. + - dtucker@cvs.openbsd.org 2013/04/07 02:16:03 + [regress/Makefile regress/rekey.sh regress/integrity.sh + regress/sshd-log-wrapper.sh regress/forwarding.sh regress/test-exec.sh] + use -E option for ssh and sshd to write debuging logs to ssh{,d}.log and + save the output from any failing tests. If a test fails the debug output + from ssh and sshd for the failing tests (and only the failing tests) should + be available in failed-ssh{,d}.log. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/Makefile b/regress/Makefile index b99bd3e83..4ac5b4d42 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.63 2013/04/06 06:00:22 dtucker Exp $ +# $OpenBSD: Makefile,v 1.64 2013/04/07 02:16:03 dtucker Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec tests: $(REGRESS_TARGETS) @@ -83,7 +83,8 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ key.rsa-* key.dsa-* key.ecdsa-* \ authorized_principals_${USER} expect actual ready \ sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \ - ssh.log sshd.log regress.log + ssh.log failed-ssh.log sshd.log failed-sshd.log \ + regress.log failed-regress.log ssh-log-wrapper.sh # Enable all malloc(3) randomisations and checks TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" diff --git a/regress/forwarding.sh b/regress/forwarding.sh index f9c367beb..6a7003070 100644 --- a/regress/forwarding.sh +++ b/regress/forwarding.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forwarding.sh,v 1.8 2012/06/01 00:47:35 djm Exp $ +# $OpenBSD: forwarding.sh,v 1.9 2013/04/07 02:16:03 dtucker Exp $ # Placed in the Public Domain. tid="local and remote forwarding" @@ -75,7 +75,7 @@ for p in 1 2; do else # this one should fail ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \ - 2>>$TEST_SSH_LOGFILE && \ + >>$TEST_REGRESS_LOGFILE 2>&1 && \ fail "local forwarding not cleared" fi sleep 10 @@ -88,7 +88,7 @@ for p in 1 2; do else # this one should fail ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \ - 2>>$TEST_SSH_LOGFILE && \ + >>$TEST_REGRESS_LOGFILE 2>&1 && \ fail "remote forwarding not cleared" fi sleep 10 diff --git a/regress/integrity.sh b/regress/integrity.sh index 1bd330a18..3950b7d1f 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.8 2013/04/06 06:00:22 dtucker Exp $ +# $OpenBSD: integrity.sh,v 1.9 2013/04/07 02:16:03 dtucker Exp $ # Placed in the Public Domain. tid="integrity" @@ -47,14 +47,15 @@ for m in $macs; do aes*gcm*) macopt="-c $m";; *) macopt="-m $m";; esac - output=`${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ - 999.999.999.999 'printf "%4096s" " "' 2>&1` + verbose "test $tid: $m @$off $output" + ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ + 999.999.999.999 'printf "%4096s" " "' >/dev/null if [ $? -eq 0 ]; then fail "ssh -m $m succeeds with bit-flip at $off" fi ecnt=`expr $ecnt + 1` - output=`echo $output | tr -s '\r\n' '.'` - verbose "test $tid: $m @$off $output" + output=$(tail -2 $TEST_SSH_LOGFILE | egrep -v "^debug" | \ + tr -s '\r\n' '.') case "$output" in Bad?packet*) elen=`expr $elen + 1`; skip=3;; Corrupted?MAC* | Decryption?integrity?check?failed*) diff --git a/regress/rekey.sh b/regress/rekey.sh index b23cfca70..d2542ecd4 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.2 2013/04/06 06:00:22 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.3 2013/04/07 02:16:03 dtucker Exp $ # Placed in the Public Domain. tid="rekey during transfer data" @@ -16,8 +16,7 @@ for s in 16 1k 128k 256k; do rm -f ${COPY} cat $DATA | \ ${SSH} -oCompression=no -oRekeyLimit=$s \ - -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" \ - 2> ${LOG} + -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" if [ $? -ne 0 ]; then fail "ssh failed" fi diff --git a/regress/sshd-log-wrapper.sh b/regress/sshd-log-wrapper.sh index c7a5ef3a6..a9386be4d 100644 --- a/regress/sshd-log-wrapper.sh +++ b/regress/sshd-log-wrapper.sh @@ -1,5 +1,5 @@ #!/bin/sh -# $OpenBSD: sshd-log-wrapper.sh,v 1.2 2005/02/27 11:40:30 dtucker Exp $ +# $OpenBSD: sshd-log-wrapper.sh,v 1.3 2013/04/07 02:16:03 dtucker Exp $ # Placed in the Public Domain. # # simple wrapper for sshd proxy mode to catch stderr output @@ -10,4 +10,4 @@ log=$2 shift shift -exec $sshd $@ -e 2>>$log +exec $sshd -E$log $@ diff --git a/regress/test-exec.sh b/regress/test-exec.sh index b02172c03..f797ab68d 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.39 2013/04/06 06:00:22 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.40 2013/04/07 02:16:03 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -159,6 +159,15 @@ fi DATA=$OBJ/testdata cat $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} $SSHD${EXEEXT} >$DATA +# Create wrapper ssh with logging. We can't just specify "SSH=ssh -E..." +# because sftp and scp don't handle spaces in arguments. +SSHLOGWRAP=$OBJ/ssh-log-wrapper.sh +echo "#!/bin/sh" > $SSHLOGWRAP +echo "exec ${SSH} -E${TEST_SSH_LOGFILE} "'"$@"' >>$SSHLOGWRAP + +chmod a+rx $OBJ/ssh-log-wrapper.sh +SSH="$SSHLOGWRAP" + # these should be used in tests export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP @@ -214,9 +223,26 @@ cleanup () fi } +start_debug_log () +{ + echo "trace: $@" >$TEST_REGRESS_LOGFILE + echo "trace: $@" >$TEST_SSH_LOGFILE + echo "trace: $@" >$TEST_SSHD_LOGFILE +} + +save_debug_log () +{ + echo $@ >>$TEST_REGRESS_LOGFILE + echo $@ >>$TEST_SSH_LOGFILE + echo $@ >>$TEST_SSHD_LOGFILE + (cat $TEST_REGRESS_LOGFILE; echo) >>$OBJ/failed-regress.log + (cat $TEST_SSH_LOGFILE; echo) >>$OBJ/failed-ssh.log + (cat $TEST_SSHD_LOGFILE; echo) >>$OBJ/failed-sshd.log +} + trace () { - echo "trace: $@" >>$TEST_REGRESS_LOGFILE + start_debug_log $@ if [ "X$TEST_SSH_TRACE" = "Xyes" ]; then echo "$@" fi @@ -224,7 +250,7 @@ trace () verbose () { - echo "verbose: $@" >>$TEST_REGRESS_LOGFILE + start_debug_log $@ if [ "X$TEST_SSH_QUIET" != "Xyes" ]; then echo "$@" fi @@ -238,15 +264,16 @@ warn () fail () { - echo "FAIL: $@" >>$TEST_REGRESS_LOGFILE + save_debug_log "FAIL: $@" RESULT=1 echo "$@" + } fatal () { - echo "FATAL: $@" >>$TEST_REGRESS_LOGFILE - echon "FATAL: " + save_debug_log "FATAL: $@" + echo -n "FATAL: " fail "$@" cleanup exit $RESULT @@ -278,7 +305,7 @@ cat << EOF > $OBJ/sshd_config #ListenAddress ::1 PidFile $PIDFILE AuthorizedKeysFile $OBJ/authorized_keys_%u - LogLevel VERBOSE + LogLevel DEBUG3 AcceptEnv _XXX_TEST_* AcceptEnv _XXX_TEST Subsystem sftp $SFTPSERVER @@ -312,6 +339,7 @@ Host * PasswordAuthentication no BatchMode yes StrictHostKeyChecking yes + LogLevel DEBUG3 EOF if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then @@ -405,7 +433,7 @@ start_sshd () { # start sshd $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken" - $SUDO ${SSHD} -f $OBJ/sshd_config -e "$@" >>$TEST_SSHD_LOGFILE 2>&1 + $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -E$TEST_SSHD_LOGFILE trace "wait for sshd" i=0; -- cgit v1.2.3 From 91af05c5167fe0aa5bd41d2e4a83757d9f627c18 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 13:16:59 +1000 Subject: - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange methods. When the openssl version doesn't support ECDH then next one on the list is DH group exchange, but that causes a bit more traffic which can mean that the tests flip bits in the initial exchange rather than the MACed traffic and we get different errors to what the tests look for. --- ChangeLog | 5 +++++ regress/integrity.sh | 5 +++++ 2 files changed, 10 insertions(+) (limited to 'regress/integrity.sh') diff --git a/ChangeLog b/ChangeLog index 61601f6ba..2f6572779 100644 --- a/ChangeLog +++ b/ChangeLog @@ -44,6 +44,11 @@ add tests for RekeyLimit parsing - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. + - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange + methods. When the openssl version doesn't support ECDH then next one on + the list is DH group exchange, but that causes a bit more traffic which can + mean that the tests flip bits in the initial exchange rather than the MACed + traffic and we get different errors to what the tests look for. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/integrity.sh b/regress/integrity.sh index 3950b7d1f..2621a0025 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -21,6 +21,11 @@ config_defined HAVE_EVP_SHA256 && config_defined OPENSSL_HAVE_EVPGCM && \ macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com" +# avoid DH group exchange as the extra traffic makes it harder to get the +# offset into the stream right. +echo "KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" \ + >> $OBJ/ssh_proxy + # sshd-command for proxy (see test-exec.sh) cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy" -- cgit v1.2.3 From 34035be27b7ddd84706fe95c39d37cba7d5c9572 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 14:47:51 +1000 Subject: - dtucker@cvs.openbsd.org 2013/05/17 01:32:11 [regress/integrity.sh] don't print output from ssh before getting it (it's available in ssh.log) --- ChangeLog | 3 +++ regress/integrity.sh | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'regress/integrity.sh') diff --git a/ChangeLog b/ChangeLog index db23b2e2a..a12bf335c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -55,6 +55,9 @@ - TIMEOUT is a read-only variable in some shells - not all greps have -q so redirect to /dev/null instead. (ID sync only) + - dtucker@cvs.openbsd.org 2013/05/17 01:32:11 + [regress/integrity.sh] + don't print output from ssh before getting it (it's available in ssh.log) - (dtucker) [regress/bsd.regress.mk] Remove unused file. We've never used it in portable and it's long gone in openbsd. - (dtucker) [regress/integrity.sh]. Force fixed Diffie-Hellman key exchange diff --git a/regress/integrity.sh b/regress/integrity.sh index 2621a0025..982eced21 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.9 2013/04/07 02:16:03 dtucker Exp $ +# $OpenBSD: integrity.sh,v 1.10 2013/05/17 01:32:11 dtucker Exp $ # Placed in the Public Domain. tid="integrity" @@ -52,7 +52,7 @@ for m in $macs; do aes*gcm*) macopt="-c $m";; *) macopt="-m $m";; esac - verbose "test $tid: $m @$off $output" + verbose "test $tid: $m @$off" ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ 999.999.999.999 'printf "%4096s" " "' >/dev/null if [ $? -eq 0 ]; then -- cgit v1.2.3 From 5f1a89a3b67264f4aa83e057cd4f74fd60b9ffa4 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 May 2013 19:17:58 +1000 Subject: - (dtucker) [regress/integrity.sh regress/krl.sh regress/test-exec.sh] Move the jot helper function to portable-specific part of test-exec.sh. --- ChangeLog | 2 ++ regress/integrity.sh | 4 ---- regress/krl.sh | 4 ---- regress/test-exec.sh | 6 ++++++ 4 files changed, 8 insertions(+), 8 deletions(-) (limited to 'regress/integrity.sh') diff --git a/ChangeLog b/ChangeLog index b02acb2d9..620a635f6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -78,6 +78,8 @@ - (dtucker) [openbsd-compat/getopt.h] Remove unneeded bits. - (dtucker) [regress/cfgmatch.sh] Resync config file setup with openbsd. - (dtucker) [regress/agent-getpeereid.sh] Resync spaces with openbsd. + - (dtucker) [regress/integrity.sh regress/krl.sh regress/test-exec.sh] + Move the jot helper function to portable-specific part of test-exec.sh. 20130516 - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be diff --git a/regress/integrity.sh b/regress/integrity.sh index 982eced21..1d17fe10a 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -29,10 +29,6 @@ echo "KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" \ # sshd-command for proxy (see test-exec.sh) cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy" -jot() { - awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }" -} - for m in $macs; do trace "test $tid: mac $m" elen=0 diff --git a/regress/krl.sh b/regress/krl.sh index 62a239c38..de9cc8764 100644 --- a/regress/krl.sh +++ b/regress/krl.sh @@ -39,10 +39,6 @@ serial: 799 serial: 599-701 EOF -jot() { - awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }" -} - # A specification that revokes some certificated by key ID. touch $OBJ/revoked-keyid for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 599b8d9ba..910ed4f70 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -177,6 +177,7 @@ rm -f ${COPY} export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP +# Portable specific functions have_prog() { saved_IFS="$IFS" @@ -192,6 +193,11 @@ have_prog() return 1 } +jot() { + awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }" +} +# End of portable specific functions + cleanup () { if [ -f $PIDFILE ]; then -- cgit v1.2.3