From a176e1823013dd8533a20235b3a5131f0626f46b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 18 Oct 2013 09:05:41 +1100 Subject: - djm@cvs.openbsd.org 2013/10/09 23:44:14 [regress/Makefile regress/sftp-perm.sh] regression test for sftp request white/blacklisting and readonly mode. --- regress/Makefile | 4 +- regress/sftp-perm.sh | 269 +++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 272 insertions(+), 1 deletion(-) create mode 100644 regress/sftp-perm.sh (limited to 'regress') diff --git a/regress/Makefile b/regress/Makefile index ab2a6ae7b..4c64b576f 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -44,6 +44,7 @@ LTESTS= connect \ sftp-badcmds \ sftp-batch \ sftp-glob \ + sftp-perm \ reconfigure \ dynamic-forward \ forwarding \ @@ -86,7 +87,8 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ authorized_principals_${USER} expect actual ready \ sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \ ssh.log failed-ssh.log sshd.log failed-sshd.log \ - regress.log failed-regress.log ssh-log-wrapper.sh + regress.log failed-regress.log ssh-log-wrapper.sh \ + sftp-server.sh sftp-server.log sftp.log SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER} diff --git a/regress/sftp-perm.sh b/regress/sftp-perm.sh new file mode 100644 index 000000000..3448740bc --- /dev/null +++ b/regress/sftp-perm.sh 
@@ -0,0 +1,269 @@
+# $OpenBSD: sftp-perm.sh,v 1.2 2013/10/17 22:00:18 djm Exp $
+# Placed in the Public Domain.
+
+tid="sftp permissions"
+
+SERVER_LOG=${OBJ}/sftp-server.log
+CLIENT_LOG=${OBJ}/sftp.log
+TEST_SFTP_SERVER=${OBJ}/sftp-server.sh
+
+prepare_server() {
+ printf "#!/bin/sh\nexec $SFTPSERVER -el debug3 $* 2>$SERVER_LOG\n" \
+ > $TEST_SFTP_SERVER
+ chmod a+x $TEST_SFTP_SERVER
+}
+
+run_client() {
+ echo "$@" | ${SFTP} -D ${TEST_SFTP_SERVER} -vvvb - >$CLIENT_LOG 2>&1
+}
+
+prepare_files() {
+ _prep="$1"
+ rm -f ${COPY} ${COPY}.1
+ test -d ${COPY}.dd && { rmdir ${COPY}.dd || fatal "rmdir ${COPY}.dd"; }
+ test -z "$_prep" && return
+ sh -c "$_prep" || fail "preparation failed: \"$_prep\""
+}
+
+postcondition() {
+ _title="$1"
+ _check="$2"
+ test -z "$_check" && return
+ sh -c "$_check" || fail "postcondition check failed: $_title"
+}
+
+ro_test() {
+ _desc=$1
+ _cmd="$2"
+ _prep="$3"
+ _expect_success_post="$4"
+ _expect_fail_post="$5"
+ verbose "$tid: read-only $_desc"
+ # Plain (no options, mostly to test that _cmd is good)
+ prepare_files "$_prep"
+ prepare_server
+ run_client "$_cmd" || fail "plain $_desc failed"
+ postcondition "$_desc no-readonly" "$_expect_success_post"
+ # Read-only enabled
+ prepare_files "$_prep"
+ prepare_server -R
+ run_client "$_cmd" && fail "read-only $_desc succeeded"
+ postcondition "$_desc readonly" "$_expect_fail_post"
+}
+
+perm_test() {
+ _op=$1
+ _whitelist_ops=$2
+ _cmd="$3"
+ _prep="$4"
+ _expect_success_post="$5"
+ _expect_fail_post="$6"
+ verbose "$tid: explicit $_op"
+ # Plain (no options, mostly to test that _cmd is good)
+ prepare_files "$_prep"
+ prepare_server
+ run_client "$_cmd" || fail "plain $_op failed"
+ postcondition "$_op no white/blacklists" "$_expect_success_post"
+ # Whitelist
+ prepare_files "$_prep"
+ prepare_server -p $_op,$_whitelist_ops
+ run_client "$_cmd" || fail "whitelisted $_op failed"
+ postcondition "$_op whitelisted" "$_expect_success_post"
+ # Blacklist
+ prepare_files "$_prep"
+ prepare_server -P $_op
+ run_client "$_cmd" && fail "blacklisted $_op succeeded"
+ postcondition "$_op blacklisted" "$_expect_fail_post"
+ # Whitelist with op missing.
+ prepare_files "$_prep"
+ prepare_server -p $_whitelist_ops
+ run_client "$_cmd" && fail "no whitelist $_op succeeded"
+ postcondition "$_op not in whitelist" "$_expect_fail_post"
+}
+
+ro_test \
+ "upload" \
+ "put $DATA $COPY" \
+ "" \
+ "cmp $DATA $COPY" \
+ "test ! -f $COPY"
+
+ro_test \
+ "setstat" \
+ "chmod 0700 $COPY" \
+ "touch $COPY; chmod 0400 $COPY" \
+ "test -x $COPY" \
+ "test ! -x $COPY"
+
+ro_test \
+ "rm" \
+ "rm $COPY" \
+ "touch $COPY" \
+ "test ! -f $COPY" \
+ "test -f $COPY"
+
+ro_test \
+ "mkdir" \
+ "mkdir ${COPY}.dd" \
+ "" \
+ "test -d ${COPY}.dd" \
+ "test ! -d ${COPY}.dd"
+
+ro_test \
+ "rmdir" \
+ "rmdir ${COPY}.dd" \
+ "mkdir ${COPY}.dd" \
+ "test ! -d ${COPY}.dd" \
+ "test -d ${COPY}.dd"
+
+ro_test \
+ "posix-rename" \
+ "rename $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -f ${COPY}.1 -a ! -f $COPY" \
+ "test -f $COPY -a ! -f ${COPY}.1"
+
+ro_test \
+ "oldrename" \
+ "rename -l $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -f ${COPY}.1 -a ! -f $COPY" \
+ "test -f $COPY -a ! -f ${COPY}.1"
+
+ro_test \
+ "symlink" \
+ "ln -s $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -h ${COPY}.1" \
+ "test ! -h ${COPY}.1"
+
+ro_test \
+ "hardlink" \
+ "ln $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -f ${COPY}.1" \
+ "test ! -f ${COPY}.1"
+
+# Test explicit permissions
+
+perm_test \
+ "open" \
+ "realpath,stat,lstat,read,close" \
+ "get $DATA $COPY" \
+ "" \
+ "cmp $DATA $COPY" \
+ "! cmp $DATA $COPY 2>/dev/null"
+
+perm_test \
+ "read" \
+ "realpath,stat,lstat,open,close" \
+ "get $DATA $COPY" \
+ "" \
+ "cmp $DATA $COPY" \
+ "! cmp $DATA $COPY 2>/dev/null"
+
+perm_test \
+ "write" \
+ "realpath,stat,lstat,open,close" \
+ "put $DATA $COPY" \
+ "" \
+ "cmp $DATA $COPY" \
+ "! cmp $DATA $COPY 2>/dev/null"
+
+perm_test \
+ "lstat" \
+ "realpath,stat,open,read,close" \
+ "get $DATA $COPY" \
+ "" \
+ "cmp $DATA $COPY" \
+ "! cmp $DATA $COPY 2>/dev/null"
+
+perm_test \
+ "opendir" \
+ "realpath,readdir,stat,lstat" \
+ "ls -ln $OBJ"
+
+perm_test \
+ "readdir" \
+ "realpath,opendir,stat,lstat" \
+ "ls -ln $OBJ"
+
+perm_test \
+ "setstat" \
+ "realpath,stat,lstat" \
+ "chmod 0700 $COPY" \
+ "touch $COPY; chmod 0400 $COPY" \
+ "test -x $COPY" \
+ "test ! -x $COPY"
+
+perm_test \
+ "remove" \
+ "realpath,stat,lstat" \
+ "rm $COPY" \
+ "touch $COPY" \
+ "test ! -f $COPY" \
+ "test -f $COPY"
+
+perm_test \
+ "mkdir" \
+ "realpath,stat,lstat" \
+ "mkdir ${COPY}.dd" \
+ "" \
+ "test -d ${COPY}.dd" \
+ "test ! -d ${COPY}.dd"
+
+perm_test \
+ "rmdir" \
+ "realpath,stat,lstat" \
+ "rmdir ${COPY}.dd" \
+ "mkdir ${COPY}.dd" \
+ "test ! -d ${COPY}.dd" \
+ "test -d ${COPY}.dd"
+
+perm_test \
+ "posix-rename" \
+ "realpath,stat,lstat" \
+ "rename $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -f ${COPY}.1 -a ! -f $COPY" \
+ "test -f $COPY -a ! -f ${COPY}.1"
+
+perm_test \
+ "rename" \
+ "realpath,stat,lstat" \
+ "rename -l $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -f ${COPY}.1 -a ! -f $COPY" \
+ "test -f $COPY -a ! -f ${COPY}.1"
+
+perm_test \
+ "symlink" \
+ "realpath,stat,lstat" \
+ "ln -s $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -h ${COPY}.1" \
+ "test ! -h ${COPY}.1"
+
+perm_test \
+ "hardlink" \
+ "realpath,stat,lstat" \
+ "ln $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -f ${COPY}.1" \
+ "test ! -f ${COPY}.1"
+
+perm_test \
+ "statvfs" \
+ "realpath,stat,lstat" \
+ "df /"
+
+# XXX need good tests for:
+# fstat
+# fsetstat
+# realpath
+# stat
+# readlink
+# fstatvfs
+
+rm -rf ${COPY} ${COPY}.1 ${COPY}.dd
+
-- cgit v1.2.3
From bd43e8872325e9bbb3319c89da593614709f317c Mon Sep 17 00:00:00 2001
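Review bot: The denial steps in `ro_test` and `perm_test` (`run_client "$_cmd" && fail ...`) accept any non-zero exit from sftp as a correct refusal, so a server that fails to start under `-R`, `-P` or `-p` would make them pass as well. For `opendir`, `readdir` and `statvfs` no postcondition is supplied, so the client's exit status is the only evidence in those cases. Since `prepare_server` already captures debug3 output in `$SERVER_LOG`, each denial step could also assert that a refusal was logged, for example `grep Refusing $SERVER_LOG >/dev/null || fail "$_op: no refusal in server log"`; the exact log wording is assumed here and should be checked against sftp-server.c. Separately, `prepare_server` places `$SFTPSERVER`, `$*` and `$SERVER_LOG` inside the printf format string and writes them unquoted into the wrapper, so a path containing `%` or whitespace would yield a broken script.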
From: Tim Rice Date: Thu, 24 Oct 2013 12:22:49 -0700 Subject: - (tim) [regress/sftp-perm.sh] We need a shell that understands "! somecmd" --- ChangeLog | 1 + regress/sftp-perm.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index b4bbea167..e396e470e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,7 @@ fix bug introduced in hostname canonicalisation commit: don't try to resolve hostnames when a ProxyCommand is set unless the user has forced canonicalisation; spotted by Iain Morgan + - (tim) [regress/sftp-perm.sh] We need a shell that understands "! somecmd" 20131023 - (djm) OpenBSD CVS Sync diff --git a/regress/sftp-perm.sh b/regress/sftp-perm.sh index 3448740bc..304ca0ac5 100644 --- a/regress/sftp-perm.sh +++ b/regress/sftp-perm.sh @@ -29,7 +29,7 @@ postcondition() { _title="$1" _check="$2" test -z "$_check" && return - sh -c "$_check" || fail "postcondition check failed: $_title" + ${TEST_SHELL} -c "$_check" || fail "postcondition check failed: $_title" } ro_test() { -- cgit v1.2.3 From c98319750b0bbdd0d1794420ec97d65dd9244613 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 7 Nov 2013 12:00:23 +1100 Subject: - (djm) [Makefile.in monitor.c] Missed chunks of curve25519 KEX diff --- ChangeLog | 1 + Makefile.in | 7 ++++--- monitor.c | 1 + regress/modpipe.c | 4 ++-- regress/rekey.sh | 2 ++ 5 files changed, 10 insertions(+), 5 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 44c47527c..0f6412fb3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ 20131107 - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5) that got lost in recent merge. + - (djm) [Makefile.in monitor.c] Missed chunks of curve25519 KEX diff 20131104 - (djm) OpenBSD CVS Sync diff --git a/Makefile.in b/Makefile.in index 797aa3e0c..58ea78a72 100644 --- a/Makefile.in +++ b/Makefile.in 
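Review bot: In `postcondition`, `${TEST_SHELL} -c "$_check"` collapses to `-c ...` when TEST_SHELL is unset or empty, and the resulting "command not found" is then reported as a failed postcondition rather than as a harness problem. Whether the harness always sets TEST_SHELL is not visible in this hunk; if it can be unset, `${TEST_SHELL:-sh} -c "$_check" || fail "postcondition check failed: $_title"` keeps the old behaviour as a fallback. `prepare_files` in the same file still runs its preparation string with plain `sh -c` (per the commit that created the file, earlier on this page), so the two helpers now use different shells; switching both would be more consistent.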
@@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.341 2013/11/03 21:26:53 djm Exp $ +# $Id: Makefile.in,v 1.342 2013/11/07 01:00:24 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -73,7 +73,8 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ - jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o + jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \ + kexc25519.o kexc25519c.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ @@ -87,7 +88,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ - auth-krb5.o \ + kexc25519s.o auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ sftp-server.o sftp-common.o \ diff --git a/monitor.c b/monitor.c index 44dff98c9..328a605d9 100644 --- a/monitor.c +++ b/monitor.c @@ -1855,6 +1855,7 @@ mm_get_kex(Buffer *m) kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; kex->kex[KEX_ECDH_SHA2] = kexecdh_server; + kex->kex[KEX_C25519_SHA256] = kexc25519_server; kex->server = 1; kex->hostkey_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m); diff --git a/regress/modpipe.c b/regress/modpipe.c index 85747cf7d..183a58695 100755 --- a/regress/modpipe.c +++ b/regress/modpipe.c @@ -68,7 +68,7 @@ usage(void) #define MAX_MODIFICATIONS 256 struct modification { enum { MOD_XOR, MOD_AND_OR } what; - u_int64_t offset; + unsigned long long offset; u_int8_t m1, m2; }; 
@@ -79,7 +79,7 @@ parse_modification(const char *s, struct modification *m) int n, m1, m2; bzero(m, sizeof(*m)); - if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%i%*[:]%i", + if ((n = sscanf(s, "%16[^:]%*[:]%llu%*[:]%i%*[:]%i", what, &m->offset, &m1, &m2)) < 3) errx(1, "Invalid modification spec \"%s\"", s); if (strcasecmp(what, "xor") == 0) { diff --git a/regress/rekey.sh b/regress/rekey.sh index 8eb7efaf9..cf3dce99f 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,6 +1,8 @@ # $OpenBSD: rekey.sh,v 1.8 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. +set -x + tid="rekey" LOG=${TEST_SSH_LOGFILE} -- cgit v1.2.3 From a6fd1d3c38a562709374a70fa76423859160aa90 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 7 Nov 2013 12:03:26 +1100 Subject: - (djm) [regress/modpipe.c regress/rekey.sh] Never intended to commit these --- ChangeLog | 1 + regress/modpipe.c | 4 ++-- regress/rekey.sh | 2 -- 3 files changed, 3 insertions(+), 4 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 0f6412fb3..2864e1623 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,7 @@ - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5) that got lost in recent merge. - (djm) [Makefile.in monitor.c] Missed chunks of curve25519 KEX diff + - (djm) [regress/modpipe.c regress/rekey.sh] Never intended to commit these 20131104 - (djm) OpenBSD CVS Sync diff --git a/regress/modpipe.c b/regress/modpipe.c index 183a58695..85747cf7d 100755 --- a/regress/modpipe.c +++ b/regress/modpipe.c @@ -68,7 +68,7 @@ usage(void) #define MAX_MODIFICATIONS 256 struct modification { enum { MOD_XOR, MOD_AND_OR } what; - unsigned long long offset; + u_int64_t offset; u_int8_t m1, m2; }; 
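Review bot: The `set -x` added at the top of regress/rekey.sh turns on command tracing for the entire test and is not covered by the commit subject, which names only Makefile.in and monitor.c. With tracing on, every expanded command line goes to the test output, which buries real failures and makes the logs harder to review. It reads like a debugging leftover, as do the `offset` type and `%llu` changes to regress/modpipe.c in the same commit; the proposal is to drop the `set -x` line from this commit and keep tracing behind an opt-in switch if it is needed.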
@@ -79,7 +79,7 @@ parse_modification(const char *s, struct modification *m) int n, m1, m2; bzero(m, sizeof(*m)); - if ((n = sscanf(s, "%16[^:]%*[:]%llu%*[:]%i%*[:]%i", + if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%i%*[:]%i", what, &m->offset, &m1, &m2)) < 3) errx(1, "Invalid modification spec \"%s\"", s); if (strcasecmp(what, "xor") == 0) { diff --git a/regress/rekey.sh b/regress/rekey.sh index cf3dce99f..8eb7efaf9 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,8 +1,6 @@ # $OpenBSD: rekey.sh,v 1.8 2013/05/17 04:29:14 dtucker Exp $ # Placed in the Public Domain. -set -x - tid="rekey" LOG=${TEST_SSH_LOGFILE} -- cgit v1.2.3 From aa19548a98c0f89283ebd7354abd746ca6bc4fdf Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 7 Nov 2013 14:50:09 +1100 Subject: - djm@cvs.openbsd.org 2013/10/09 23:44:14 [regress/Makefile] (ID sync only) regression test for sftp request white/blacklisting and readonly mode. --- ChangeLog | 4 ++++ regress/Makefile | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index b8ca4d4bf..4933ade91 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,10 @@ [ssh-pkcs11.c] from portable: s/true/true_val/ to avoid name collisions on dump platforms RCSID sync only + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2013/10/09 23:44:14 + [regress/Makefile] (ID sync only) + regression test for sftp request white/blacklisting and readonly mode. 20131104 - (djm) OpenBSD CVS Sync diff --git a/regress/Makefile b/regress/Makefile index 4c64b576f..eca634a60 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.65 2013/04/18 02:46:12 djm Exp $ +# $OpenBSD: Makefile,v 1.66 2013/10/09 23:44:14 djm Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec tests: $(REGRESS_TARGETS) -- cgit v1.2.3 From bbfb9b0f386aab0c3e19d11f136199ef1b9ad0ef Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Thu, 7 Nov 2013 14:56:43 +1100 Subject: - markus@cvs.openbsd.org 2013/11/02 22:39:53 [regress/kextype.sh] add curve25519-sha256@libssh.org --- ChangeLog | 3 +++ regress/kextype.sh | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 4933ade91..7e5eeb2fa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,9 @@ - djm@cvs.openbsd.org 2013/10/09 23:44:14 [regress/Makefile] (ID sync only) regression test for sftp request white/blacklisting and readonly mode. + - markus@cvs.openbsd.org 2013/11/02 22:39:53 + [regress/kextype.sh] + add curve25519-sha256@libssh.org 20131104 - (djm) OpenBSD CVS Sync diff --git a/regress/kextype.sh b/regress/kextype.sh index 79c0817bb..1cca12637 100644 --- a/regress/kextype.sh +++ b/regress/kextype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: kextype.sh,v 1.1 2010/09/22 12:26:05 djm Exp $ +# $OpenBSD: kextype.sh,v 1.2 2013/11/02 22:39:53 markus Exp $ # Placed in the Public Domain. tid="login with different key exchange algorithms" @@ -16,6 +16,7 @@ fi kextypes="$kextypes diffie-hellman-group-exchange-sha1" kextypes="$kextypes diffie-hellman-group14-sha1" kextypes="$kextypes diffie-hellman-group1-sha1" +kextypes="$kextypes curve25519-sha256@libssh.org" tries="1 2 3 4" for k in $kextypes; do -- cgit v1.2.3 From 234557762ba1096a867ca6ebdec07efebddb5153 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 7 Nov 2013 15:00:51 +1100 Subject: - dtucker@cvs.openbsd.org 2013/11/04 12:27:42 [regress/rekey.sh] Test rekeying with all KexAlgorithms. --- ChangeLog | 3 +++ regress/rekey.sh | 13 ++++++++++--- 2 files changed, 13 insertions(+), 3 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 7e5eeb2fa..930975a95 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -24,6 +24,9 @@ - markus@cvs.openbsd.org 2013/11/02 22:39:53 [regress/kextype.sh] add curve25519-sha256@libssh.org + - dtucker@cvs.openbsd.org 2013/11/04 12:27:42 + [regress/rekey.sh] + Test rekeying with all KexAlgorithms. 20131104 - (djm) OpenBSD CVS Sync diff --git a/regress/rekey.sh b/regress/rekey.sh index 8eb7efaf9..5f32961c8 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.8 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.9 2013/11/04 12:27:42 dtucker Exp $ # Placed in the Public Domain. tid="rekey" @@ -7,11 +7,17 @@ LOG=${TEST_SSH_LOGFILE} rm -f ${LOG} +kexalgs="curve25519-sha256@libssh.org ecdh-sha2-nistp256 \ +ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 \ +diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1 \ +diffie-hellman-group1-sha1" + for s in 16 1k 128k 256k; do - verbose "client rekeylimit ${s}" + for a in $kexalgs; do + verbose "client rekeylimit ${s} ${a}" rm -f ${COPY} ${LOG} cat $DATA | \ - ${SSH} -oCompression=no -oRekeyLimit=$s \ + ${SSH} -oCompression=no -oRekeyLimit=$s -oKexAlgorithms=$a \ -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" if [ $? -ne 0 ]; then fail "ssh failed" @@ -23,6 +29,7 @@ for s in 16 1k 128k 256k; do if [ $n -lt 1 ]; then fail "no rekeying occured" fi + done done for s in 5 10; do -- cgit v1.2.3 From 651dc8b2592202dac6b16ee3b82ce5b331be7da3 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 7 Nov 2013 15:04:44 +1100 Subject: - dtucker@cvs.openbsd.org 2013/11/07 00:12:05 [regress/rekey.sh] Test rekeying for every Cipher, MAC and KEX, plus test every KEX with the GCM ciphers. --- ChangeLog | 4 ++++ regress/rekey.sh | 64 ++++++++++++++++++++++++++++++++++++++++++++++++-------- 2 files changed, 59 insertions(+), 9 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 930975a95..3aa955def 100644 --- a/ChangeLog +++ b/ChangeLog 
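Review bot: The new `kexalgs` list in regress/rekey.sh names the `ecdh-sha2-nistp*` and `diffie-hellman-group-exchange-sha256` exchanges unconditionally, whereas regress/kextype.sh (context lines shown earlier on this page) only adds them when `TEST_SSH_ECC` or `TEST_SSH_SHA256` is `yes`. On a build without those algorithms the loop would presumably report `ssh failed` for what is a configuration difference, not a rekeying regression. Gating the list the same way, e.g. `test "$TEST_SSH_ECC" = "yes" && kexalgs="$kexalgs ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521"`, would keep the two tests consistent. `$s` and `$a` are also passed unquoted in `-oRekeyLimit=$s -oKexAlgorithms=$a`, which is harmless with these literals but cheap to quote.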
@@ -27,6 +27,10 @@ - dtucker@cvs.openbsd.org 2013/11/04 12:27:42 [regress/rekey.sh] Test rekeying with all KexAlgorithms. + - dtucker@cvs.openbsd.org 2013/11/07 00:12:05 + [regress/rekey.sh] + Test rekeying for every Cipher, MAC and KEX, plus test every KEX with + the GCM ciphers. 20131104 - (djm) OpenBSD CVS Sync diff --git a/regress/rekey.sh b/regress/rekey.sh index 5f32961c8..156179b38 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.9 2013/11/04 12:27:42 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.10 2013/11/07 00:12:05 dtucker Exp $ # Placed in the Public Domain. tid="rekey" 
@@ -7,17 +7,44 @@ LOG=${TEST_SSH_LOGFILE} rm -f ${LOG} -kexalgs="curve25519-sha256@libssh.org ecdh-sha2-nistp256 \ -ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 \ -diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1 \ -diffie-hellman-group1-sha1" +opts="" +for i in `${SSH} -Q kex`; do + opts="$opts KexAlgorithms=$i" +done +for i in `${SSH} -Q cipher`; do + opts="$opts Ciphers=$i" +done +for i in `${SSH} -Q mac`; do + opts="$opts MACs=$i" +done -for s in 16 1k 128k 256k; do - for a in $kexalgs; do - verbose "client rekeylimit ${s} ${a}" +for opt in $opts; do + verbose "client rekey $opt" + rm -f ${COPY} ${LOG} + cat $DATA | \ + ${SSH} -oCompression=no -oRekeyLimit=16 -o$opt \ + -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" + if [ $? -ne 0 ]; then + fail "ssh failed" + fi + cmp $DATA ${COPY} || fail "corrupted copy" + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occured" + fi +done + +# GCM is magical so test with all KexAlgorithms +if ${SSH} -Q cipher | grep gcm@openssh.com >/dev/null ; then + for c in `${SSH} -Q cipher | grep gcm@openssh.com`; do + for kex in `${SSH} -Q kex`; do + verbose "client rekey $c $kex" rm -f ${COPY} ${LOG} cat $DATA | \ - ${SSH} -oCompression=no -oRekeyLimit=$s -oKexAlgorithms=$a \ + ${SSH} -oCompression=no -oRekeyLimit=16 \ + -oCiphers=$c -oKexAlgorithms=$kex \ -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" if [ $? -ne 0 ]; then fail "ssh failed" 
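Review bot: The loops over `${SSH} -Q kex`, `${SSH} -Q cipher` and `${SSH} -Q mac` take the algorithm list from the binary under test, so if `ssh -Q` fails or prints nothing, `opts` stays empty and the test passes without exercising a single rekey. For the same reason an algorithm that silently drops out of the build is no longer noticed by this test. A guard after the three loops, such as `test -n "$opts" || fatal "ssh -Q returned no algorithms"`, closes the empty case, and comparing against a small expected minimum set would cover the second. The same pattern is introduced by later commits on this page in cipher-speed.sh, integrity.sh, try-ciphers.sh and kextype.sh.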
@@ -30,6 +57,25 @@ for s in 16 1k 128k 256k; do fail "no rekeying occured" fi done + done +fi + +for s in 16 1k 128k 256k; do + verbose "client rekeylimit ${s}" + rm -f ${COPY} ${LOG} + cat $DATA | \ + ${SSH} -oCompression=no -oRekeyLimit=$s \ + -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" + if [ $? -ne 0 ]; then + fail "ssh failed" + fi + cmp $DATA ${COPY} || fail "corrupted copy" + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occured" + fi done for s in 5 10; do -- cgit v1.2.3 From 06595d639577577bc15d359e037a31eb83563269 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 7 Nov 2013 15:08:02 +1100 Subject: - dtucker@cvs.openbsd.org 2013/11/07 01:12:51 [regress/rekey.sh] Factor out the data transfer rekey tests --- ChangeLog | 3 +++ regress/rekey.sh | 74 ++++++++++++++++++++------------------------------------ 2 files changed, 29 insertions(+), 48 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 3aa955def..24f7f4591 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,9 @@ [regress/rekey.sh] Test rekeying for every Cipher, MAC and KEX, plus test every KEX with the GCM ciphers. + - dtucker@cvs.openbsd.org 2013/11/07 01:12:51 + [regress/rekey.sh] + Factor out the data transfer rekey tests 20131104 - (djm) OpenBSD CVS Sync diff --git a/regress/rekey.sh b/regress/rekey.sh index 156179b38..7131a6f0a 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.10 2013/11/07 00:12:05 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.11 2013/11/07 01:12:51 dtucker Exp $ # Placed in the Public Domain. tid="rekey" 
@@ -7,6 +7,25 @@ LOG=${TEST_SSH_LOGFILE} rm -f ${LOG} +# Test rekeying based on data volume only. +# Arguments will be passed to ssh. +ssh_data_rekeying() +{ + rm -f ${COPY} ${LOG} + ${SSH} <${DATA} -oCompression=no $@ -v -F $OBJ/ssh_proxy somehost \ + "cat > ${COPY}" + if [ $? -ne 0 ]; then + fail "ssh failed ($@)" + fi + cmp ${DATA} ${COPY} || fail "corrupted copy ($@)" + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occured ($@)" + fi +} + opts="" for i in `${SSH} -Q kex`; do opts="$opts KexAlgorithms=$i" @@ -20,20 +39,7 @@ done for opt in $opts; do verbose "client rekey $opt" - rm -f ${COPY} ${LOG} - cat $DATA | \ - ${SSH} -oCompression=no -oRekeyLimit=16 -o$opt \ - -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" - if [ $? -ne 0 ]; then - fail "ssh failed" - fi - cmp $DATA ${COPY} || fail "corrupted copy" - n=`grep 'NEWKEYS sent' ${LOG} | wc -l` - n=`expr $n - 1` - trace "$n rekeying(s)" - if [ $n -lt 1 ]; then - fail "no rekeying occured" - fi + ssh_data_rekeying -oRekeyLimit=16 -o$opt done # GCM is magical so test with all KexAlgorithms 
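Review bot: In `ssh_data_rekeying`, the caller's options are forwarded as unquoted `$@` on the ssh command line and as `"... ($@)"` inside the three `fail` messages. Unquoted `$@` re-splits every argument, and `"ssh failed ($@)"` expands to several words once more than one option is passed, so `fail` receives multiple arguments instead of one message. Using `"$@"` on the command line and `$*` in the messages, e.g. `fail "ssh failed ($*)"`, keeps both well-formed. The `for s in 16 1k 128k 256k` caller later in this file also passes `-oCompression=no`, which the function already sets itself.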
@@ -41,53 +47,25 @@ if ${SSH} -Q cipher | grep gcm@openssh.com >/dev/null ; then for c in `${SSH} -Q cipher | grep gcm@openssh.com`; do for kex in `${SSH} -Q kex`; do verbose "client rekey $c $kex" - rm -f ${COPY} ${LOG} - cat $DATA | \ - ${SSH} -oCompression=no -oRekeyLimit=16 \ - -oCiphers=$c -oKexAlgorithms=$kex \ - -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" - if [ $? -ne 0 ]; then - fail "ssh failed" - fi - cmp $DATA ${COPY} || fail "corrupted copy" - n=`grep 'NEWKEYS sent' ${LOG} | wc -l` - n=`expr $n - 1` - trace "$n rekeying(s)" - if [ $n -lt 1 ]; then - fail "no rekeying occured" - fi + ssh_data_rekeying -oRekeyLimit=16 -oCiphers=$c -oKexAlgorithms=$kex done done fi for s in 16 1k 128k 256k; do verbose "client rekeylimit ${s}" - rm -f ${COPY} ${LOG} - cat $DATA | \ - ${SSH} -oCompression=no -oRekeyLimit=$s \ - -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" - if [ $? -ne 0 ]; then - fail "ssh failed" - fi - cmp $DATA ${COPY} || fail "corrupted copy" - n=`grep 'NEWKEYS sent' ${LOG} | wc -l` - n=`expr $n - 1` - trace "$n rekeying(s)" - if [ $n -lt 1 ]; then - fail "no rekeying occured" - fi + ssh_data_rekeying -oCompression=no -oRekeyLimit=$s done for s in 5 10; do verbose "client rekeylimit default ${s}" rm -f ${COPY} ${LOG} - cat $DATA | \ - ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \ - $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3" + ${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \ + $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3" if [ $? -ne 0 ]; then fail "ssh failed" fi - cmp $DATA ${COPY} || fail "corrupted copy" + cmp ${DATA} ${COPY} || fail "corrupted copy" n=`grep 'NEWKEYS sent' ${LOG} | wc -l` n=`expr $n - 1` trace "$n rekeying(s)" -- cgit v1.2.3 From a955041c930e63405159ff7d25ef14272f36eab3 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Thu, 7 Nov 2013 15:21:19 +1100 Subject: - dtucker@cvs.openbsd.org 2013/11/07 02:48:38 [regress/integrity.sh regress/cipher-speed.sh regress/try-ciphers.sh] Use ssh -Q instead of hardcoding lists of ciphers or MACs. --- ChangeLog | 3 +++ regress/cipher-speed.sh | 15 ++------------- regress/integrity.sh | 14 +++----------- regress/try-ciphers.sh | 22 +++------------------- 4 files changed, 11 insertions(+), 43 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 24f7f4591..e07776512 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,9 @@ - dtucker@cvs.openbsd.org 2013/11/07 01:12:51 [regress/rekey.sh] Factor out the data transfer rekey tests + - dtucker@cvs.openbsd.org 2013/11/07 02:48:38 + [regress/integrity.sh regress/cipher-speed.sh regress/try-ciphers.sh] + Use ssh -Q instead of hardcoding lists of ciphers or MACs. 20131104 - (djm) OpenBSD CVS Sync diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 489d9f5fa..8ff9b3220 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cipher-speed.sh,v 1.9 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: cipher-speed.sh,v 1.10 2013/11/07 02:48:38 dtucker Exp $ # Placed in the Public Domain. tid="cipher speed" @@ -11,18 +11,7 @@ getbytes () tries="1 2" -ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc - arcfour128 arcfour256 arcfour - aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se - aes128-ctr aes192-ctr aes256-ctr" -config_defined OPENSSL_HAVE_EVPGCM && \ - ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com" -macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com - hmac-sha1-96 hmac-md5-96" -config_defined HAVE_EVP_SHA256 && \ - macs="$macs hmac-sha2-256 hmac-sha2-512" - -for c in $ciphers; do n=0; for m in $macs; do +for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do trace "proto 2 cipher $c mac $m" for x in $tries; do printf "%-60s" "$c/$m:" 
diff --git a/regress/integrity.sh b/regress/integrity.sh index 1d17fe10a..de2b8d05a 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.10 2013/05/17 01:32:11 dtucker Exp $ +# $OpenBSD: integrity.sh,v 1.11 2013/11/07 02:48:38 dtucker Exp $ # Placed in the Public Domain. tid="integrity" @@ -8,18 +8,10 @@ tid="integrity" # XXX and ssh tries to read... tries=10 startoffset=2900 -macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com - hmac-sha1-96 hmac-md5-96 - hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com - umac-64-etm@openssh.com umac-128-etm@openssh.com - hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com" -config_defined HAVE_EVP_SHA256 && - macs="$macs hmac-sha2-256 hmac-sha2-512 - hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" +macs=`${SSH} -Q mac` # The following are not MACs, but ciphers with integrated integrity. They are # handled specially below. -config_defined OPENSSL_HAVE_EVPGCM && \ - macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com" +macs="$macs `${SSH} -Q cipher | grep gcm@openssh.com`" # avoid DH group exchange as the extra traffic makes it harder to get the # offset into the stream right. diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index e17c9f5e9..485843299 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh 
@@ -1,27 +1,11 @@ -# $OpenBSD: try-ciphers.sh,v 1.20 2013/05/17 10:16:26 dtucker Exp $ +# $OpenBSD: try-ciphers.sh,v 1.21 2013/11/07 02:48:38 dtucker Exp $ # Placed in the Public Domain. tid="try ciphers" -ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc - arcfour128 arcfour256 arcfour - aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se - aes128-ctr aes192-ctr aes256-ctr" -config_defined OPENSSL_HAVE_EVPGCM && \ - ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com" -macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com - hmac-sha1-96 hmac-md5-96 - hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com - umac-64-etm@openssh.com umac-128-etm@openssh.com - hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com - hmac-ripemd160-etm@openssh.com" -config_defined HAVE_EVP_SHA256 && - macs="$macs hmac-sha2-256 hmac-sha2-512 - hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" - -for c in $ciphers; do +for c in `${SSH} -Q cipher`; do n=0 - for m in $macs; do + for m in `${SSH} -Q mac`; do trace "proto 2 cipher $c mac $m" verbose "test $tid: proto 2 cipher $c mac $m" ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true -- cgit v1.2.3 From 74cbc22529f3e5de756e1b7677b7624efb28f62c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 7 Nov 2013 15:26:12 +1100 Subject: - dtucker@cvs.openbsd.org 2013/11/07 03:55:41 [regress/kextype.sh] Use ssh -Q to get kex types instead of a static list. --- ChangeLog | 3 +++ regress/kextype.sh | 15 ++------------- 2 files changed, 5 insertions(+), 13 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index e07776512..3a6e7b512 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -37,6 +37,9 @@ - dtucker@cvs.openbsd.org 2013/11/07 02:48:38 [regress/integrity.sh regress/cipher-speed.sh regress/try-ciphers.sh] Use ssh -Q instead of hardcoding lists of ciphers or MACs. + - dtucker@cvs.openbsd.org 2013/11/07 03:55:41 + [regress/kextype.sh] + Use ssh -Q to get kex types instead of a static list. 20131104 - (djm) OpenBSD CVS Sync diff --git a/regress/kextype.sh b/regress/kextype.sh index 1cca12637..278c73e58 100644 --- a/regress/kextype.sh +++ b/regress/kextype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: kextype.sh,v 1.2 2013/11/02 22:39:53 markus Exp $ +# $OpenBSD: kextype.sh,v 1.3 2013/11/07 03:55:41 dtucker Exp $ # Placed in the Public Domain. tid="login with different key exchange algorithms" @@ -7,19 +7,8 @@ TIME=/usr/bin/time cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak -if test "$TEST_SSH_ECC" = "yes"; then - kextypes="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521" -fi -if test "$TEST_SSH_SHA256" = "yes"; then - kextypes="$kextypes diffie-hellman-group-exchange-sha256" -fi -kextypes="$kextypes diffie-hellman-group-exchange-sha1" -kextypes="$kextypes diffie-hellman-group14-sha1" -kextypes="$kextypes diffie-hellman-group1-sha1" -kextypes="$kextypes curve25519-sha256@libssh.org" - tries="1 2 3 4" -for k in $kextypes; do +for k in `${SSH} -Q kex`; do verbose "kex $k" for i in $tries; do ${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true -- cgit v1.2.3 From 6e9d6f411288374d1dee4b7debbfa90bc7e73035 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 7 Nov 2013 15:32:37 +1100 Subject: - dtucker@cvs.openbsd.org 2013/11/07 04:26:56 [regress/kextype.sh] trailing space --- ChangeLog | 3 +++ regress/kextype.sh | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 3a6e7b512..4a98668ea 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -40,6 +40,9 @@ - dtucker@cvs.openbsd.org 2013/11/07 03:55:41 [regress/kextype.sh] Use ssh -Q to get kex types instead of a static list. + - dtucker@cvs.openbsd.org 2013/11/07 04:26:56 + [regress/kextype.sh] + trailing space 20131104 - (djm) OpenBSD CVS Sync diff --git a/regress/kextype.sh b/regress/kextype.sh index 278c73e58..8c2ac09d6 100644 --- a/regress/kextype.sh +++ b/regress/kextype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: kextype.sh,v 1.3 2013/11/07 03:55:41 dtucker Exp $ +# $OpenBSD: kextype.sh,v 1.4 2013/11/07 04:26:56 dtucker Exp $ # Placed in the Public Domain. tid="login with different key exchange algorithms" @@ -8,7 +8,7 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak tries="1 2 3 4" -for k in `${SSH} -Q kex`; do +for k in `${SSH} -Q kex`; do verbose "kex $k" for i in $tries; do ${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true -- cgit v1.2.3 From 08998c5fb9c7c1d248caa73b76e02ca0482e6d85 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 8 Nov 2013 12:11:46 +1100 Subject: - dtucker@cvs.openbsd.org 2013/11/08 01:06:14 [regress/rekey.sh] Rekey less frequently during tests to speed them up --- ChangeLog | 6 ++++++ regress/rekey.sh | 6 +++--- 2 files changed, 9 insertions(+), 3 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 339577202..ca7cb03e0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20131108 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/11/08 01:06:14 + [regress/rekey.sh] + Rekey less frequently during tests to speed them up + 20131107 - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5) that got lost in recent merge. diff --git a/regress/rekey.sh b/regress/rekey.sh index 7131a6f0a..6095da8d5 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.11 2013/11/07 01:12:51 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.12 2013/11/08 01:06:14 dtucker Exp $ # Placed in the Public Domain. tid="rekey" 
@@ -39,7 +39,7 @@ done for opt in $opts; do verbose "client rekey $opt" - ssh_data_rekeying -oRekeyLimit=16 -o$opt + ssh_data_rekeying -oRekeyLimit=256k -o$opt done # GCM is magical so test with all KexAlgorithms @@ -47,7 +47,7 @@ if ${SSH} -Q cipher | grep gcm@openssh.com >/dev/null ; then for c in `${SSH} -Q cipher | grep gcm@openssh.com`; do for kex in `${SSH} -Q kex`; do verbose "client rekey $c $kex" - ssh_data_rekeying -oRekeyLimit=16 -oCiphers=$c -oKexAlgorithms=$kex + ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex done done fi -- cgit v1.2.3 From 6e2fe81f926d995bae4be4a6b5b3c88c1c525187 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 9 Nov 2013 16:55:03 +1100 Subject: - dtucker@cvs.openbsd.org 2013/11/09 05:41:34 [regress/test-exec.sh regress/rekey.sh] Use smaller test data files to speed up tests. Grow test datafiles where necessary for a specific test. --- ChangeLog | 12 ++++++++++++ regress/rekey.sh | 4 +++- regress/test-exec.sh | 21 +++++++++++++++++---- 3 files changed, 32 insertions(+), 5 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 7372ad237..a6360197b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20131109 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/11/09 05:41:34 + [regress/test-exec.sh regress/rekey.sh] + Use smaller test data files to speed up tests. Grow test datafiles + where necessary for a specific test. + 20131108 - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2013/11/08 01:06:14 
@@ -32,6 +39,11 @@ - (dtucker) [contrib/cygwin/ssh-host-config] Simplify host key generation: rather than testing and generating each key, call ssh-keygen -A. Patch from vinschen at redhat.com. + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2013/11/09 05:41:34 + [regress/test-exec.sh regress/rekey.sh] + Use smaller test data files to speed up tests. Grow test datafiles + where necessary for a specific test. 20131107 - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5) diff --git a/regress/rekey.sh b/regress/rekey.sh index 6095da8d5..fe81f0c33 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.12 2013/11/08 01:06:14 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.13 2013/11/09 05:41:34 dtucker Exp $ # Placed in the Public Domain. tid="rekey" @@ -26,6 +26,8 @@ ssh_data_rekeying() fi } +increase_datafile_size 300 + opts="" for i in `${SSH} -Q kex`; do opts="$opts KexAlgorithms=$i" diff --git a/regress/test-exec.sh b/regress/test-exec.sh index eee446264..aac8aa5c2 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.46 2013/06/21 02:26:26 djm Exp $ +# $OpenBSD: test-exec.sh,v 1.47 2013/11/09 05:41:34 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -133,7 +133,12 @@ fi # Path to sshd must be absolute for rexec case "$SSHD" in /*) ;; -*) SSHD=`which sshd` ;; +*) SSHD=`which $SSHD` ;; +esac + +case "$SSHAGENT" in +/*) ;; +*) SSHAGENT=`which $SSHAGENT` ;; esac # Logfiles. 
@@ -166,14 +171,22 @@ SSH="$SSHLOGWRAP" # Some test data. We make a copy because some tests will overwrite it. # The tests may assume that $DATA exists and is writable and $COPY does -# not exist. +# not exist. Tests requiring larger data files can call increase_datafile_size +# [kbytes] to ensure the file is at least that large. DATANAME=data DATA=$OBJ/${DATANAME} -cat $SSHD $SSHD $SSHD $SSHD >${DATA} +cat ${SSHAGENT} >${DATA} chmod u+w ${DATA} COPY=$OBJ/copy rm -f ${COPY} +increase_datafile_size() +{ + while [ `du -k ${DATA} | cut -f1` -lt $1 ]; do + cat ${SSHAGENT} >>${DATA} + done +} + # these should be used in tests export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP -- cgit v1.2.3 From b6a75b0b93b8faa6f79c3a395ab6c71f3f880b80 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 10 Nov 2013 20:25:22 +1100 Subject: - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by querying the ones that are compiled in. --- ChangeLog | 4 ++++ regress/keytype.sh | 10 +++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index e22ac3cd4..3fd51a6bc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20131110 + - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by + querying the ones that are compiled in. + 20131109 - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2013/11/09 05:41:34 diff --git a/regress/keytype.sh b/regress/keytype.sh index 59586bf0d..65436b2c0 100644 --- a/regress/keytype.sh +++ b/regress/keytype.sh 
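Review bot: `increase_datafile_size` in test-exec.sh has no exit path when `cat ${SSHAGENT} >>${DATA}` adds nothing. `${SSHAGENT}` is resolved with `which` in the previous hunk without checking the result, so it can be empty; the unquoted `cat` then reads stdin, and the `while` condition never becomes false. `du -k` also reports allocated blocks rather than byte length, so the loop count depends on the filesystem. Check the source before the first `cat`, e.g. `test -s "${SSHAGENT}" || { echo "cannot read SSHAGENT binary"; exit 2; }`, and compare against `wc -c <${DATA}` instead of `du -k`.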
@@ -12,9 +12,13 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak ktypes="dsa-1024 rsa-2048 rsa-3072" -if test "$TEST_SSH_ECC" = "yes"; then - ktypes="$ktypes ecdsa-256 ecdsa-384 ecdsa-521" -fi +for i in `$SSH -Q key`; do + case "$i" in + ecdsa-sha2-nistp256) ktype="$ktype ecdsa-256" ;; + ecdsa-sha2-nistp384) ktype="$ktype ecdsa-384" ;; + ecdsa-sha2-nistp521) ktype="$ktype ecdsa-521" ;; + esac +done for kt in $ktypes; do rm -f $OBJ/key.$kt -- cgit v1.2.3 From fa7a20bc289f09b334808d988746bc260a2f60c9 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 21 Nov 2013 14:24:08 +1100 Subject: - naddy@cvs.openbsd.org 2013/11/18 05:09:32 [regress/forward-control.sh] bump timeout to 10 seconds to allow slow machines (e.g. Alpha PC164) to successfully run this; ok djm@ (ID sync only; our timeouts are already longer) --- ChangeLog | 4 ++++ regress/forward-control.sh | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 28186e89f..1f39b76e3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -36,6 +36,10 @@ Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC ok markus@ naddy@ + - naddy@cvs.openbsd.org 2013/11/18 05:09:32 + [regress/forward-control.sh] + bump timeout to 10 seconds to allow slow machines (e.g. Alpha PC164) + to successfully run this; ok djm@ 20131110 - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by diff --git a/regress/forward-control.sh b/regress/forward-control.sh index 80ddb4167..7f7d105e8 100644 --- a/regress/forward-control.sh +++ b/regress/forward-control.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forward-control.sh,v 1.1 2012/12/02 20:47:48 djm Exp $ +# $OpenBSD: forward-control.sh,v 1.2 2013/11/18 05:09:32 naddy Exp $ # Placed in the Public Domain. tid="sshd control of local and remote forwarding" -- cgit v1.2.3 From 36aba25b0409d2db6afc84d54bc47a2532d38424 Mon Sep 17 00:00:00 2001 
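Review bot: The added `case` arms in keytype.sh append to `ktype`, but the list is initialised as `ktypes` and the loop at the end of the hunk iterates `$ktypes`, so the ECDSA types are never generated or tested. Each arm should assign the plural name, e.g. `ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;;`. Because the same hunk removes the `TEST_SSH_ECC` block, ECDSA login coverage is dropped silently rather than made dynamic, and the test still reports success.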
From: Damien Miller Date: Thu, 21 Nov 2013 14:24:42 +1100 Subject: - djm@cvs.openbsd.org 2013/11/21 03:15:46 [regress/krl.sh] add some reminders for additional tests that I'd like to implement --- ChangeLog | 3 +++ regress/krl.sh | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 1f39b76e3..29ba4273b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -40,6 +40,9 @@ [regress/forward-control.sh] bump timeout to 10 seconds to allow slow machines (e.g. Alpha PC164) to successfully run this; ok djm@ + - djm@cvs.openbsd.org 2013/11/21 03:15:46 + [regress/krl.sh] + add some reminders for additional tests that I'd like to implement 20131110 - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by diff --git a/regress/krl.sh b/regress/krl.sh index de9cc8764..09246371c 100644 --- a/regress/krl.sh +++ b/regress/krl.sh @@ -1,4 +1,4 @@ -# $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $ +# $OpenBSD: krl.sh,v 1.2 2013/11/21 03:15:46 djm Exp $ # Placed in the Public Domain. tid="key revocation lists" @@ -101,6 +101,9 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \ >/dev/null || fatal "$SSHKEYGEN KRL failed" } +## XXX dump with trace and grep for set cert serials +## XXX test ranges near (u64)-1, etc. + verbose "$tid: generating KRLs" genkrls -- cgit v1.2.3 From ea61b2179f63d48968dd2c9617621002bb658bfe Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 21 Nov 2013 14:25:15 +1100 Subject: - djm@cvs.openbsd.org 2013/11/21 03:16:47 [regress/modpipe.c] use unsigned long long instead of u_int64_t here to avoid warnings on some systems portable OpenSSH is built on. --- ChangeLog | 4 ++++ regress/modpipe.c | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 29ba4273b..377d35994 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -43,6 +43,10 @@ - djm@cvs.openbsd.org 2013/11/21 03:15:46 [regress/krl.sh] add some reminders for additional tests that I'd like to implement + - djm@cvs.openbsd.org 2013/11/21 03:16:47 + [regress/modpipe.c] + use unsigned long long instead of u_int64_t here to avoid warnings + on some systems portable OpenSSH is built on. 20131110 - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by diff --git a/regress/modpipe.c b/regress/modpipe.c index 85747cf7d..e854f9e07 100755 --- a/regress/modpipe.c +++ b/regress/modpipe.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: modpipe.c,v 1.5 2013/05/10 03:46:14 djm Exp $ */ +/* $OpenBSD: modpipe.c,v 1.6 2013/11/21 03:16:47 djm Exp $ */ #include "includes.h" @@ -68,7 +68,7 @@ usage(void) #define MAX_MODIFICATIONS 256 struct modification { enum { MOD_XOR, MOD_AND_OR } what; - u_int64_t offset; + unsigned long long offset; u_int8_t m1, m2; }; @@ -79,7 +79,7 @@ parse_modification(const char *s, struct modification *m) int n, m1, m2; bzero(m, sizeof(*m)); - if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%i%*[:]%i", + if ((n = sscanf(s, "%16[^:]%*[:]%llu%*[:]%i%*[:]%i", what, &m->offset, &m1, &m2)) < 3) errx(1, "Invalid modification spec \"%s\"", s); if (strcasecmp(what, "xor") == 0) { -- cgit v1.2.3 From 8a073cf57940aabf85e49799f89f5d5e9b072c1b Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Thu, 21 Nov 2013 14:26:18 +1100 Subject: - djm@cvs.openbsd.org 2013/11/21 03:18:51 [regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh] [regress/try-ciphers.sh] use new "ssh -Q cipher-auth" query to obtain lists of authenticated encryption ciphers instead of specifying them manually; ensures that the new chacha20poly1305@openssh.com mode is tested; ok markus@ and naddy@ as part of the diff to add chacha20poly1305@openssh.com --- ChangeLog | 9 +++++++++ regress/cipher-speed.sh | 10 +++++----- regress/integrity.sh | 14 ++++++++------ regress/rekey.sh | 12 ++++++------ regress/try-ciphers.sh | 11 ++++++----- 5 files changed, 34 insertions(+), 22 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 377d35994..8cf8a20ac 100644 --- a/ChangeLog +++ b/ChangeLog @@ -47,6 +47,15 @@ [regress/modpipe.c] use unsigned long long instead of u_int64_t here to avoid warnings on some systems portable OpenSSH is built on. + - djm@cvs.openbsd.org 2013/11/21 03:18:51 + [regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh] + [regress/try-ciphers.sh] + use new "ssh -Q cipher-auth" query to obtain lists of authenticated + encryption ciphers instead of specifying them manually; ensures that + the new chacha20poly1305@openssh.com mode is tested; + + ok markus@ and naddy@ as part of the diff to add + chacha20poly1305@openssh.com 20131110 - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 8ff9b3220..a6d53a78d 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cipher-speed.sh,v 1.10 2013/11/07 02:48:38 dtucker Exp $ +# $OpenBSD: cipher-speed.sh,v 1.11 2013/11/21 03:18:51 djm Exp $ # Placed in the Public Domain. tid="cipher speed" 
@@ -24,10 +24,10 @@ for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do fail "ssh -2 failed with mac $m cipher $c" fi done - # No point trying all MACs for GCM since they are ignored. - case $c in - aes*-gcm@openssh.com) test $n -gt 0 && break;; - esac + # No point trying all MACs for AEAD ciphers since they are ignored. + if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then + break + fi n=`expr $n + 1` done; done diff --git a/regress/integrity.sh b/regress/integrity.sh index de2b8d05a..852d82690 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.11 2013/11/07 02:48:38 dtucker Exp $ +# $OpenBSD: integrity.sh,v 1.12 2013/11/21 03:18:51 djm Exp $ # Placed in the Public Domain. tid="integrity" @@ -11,7 +11,7 @@ startoffset=2900 macs=`${SSH} -Q mac` # The following are not MACs, but ciphers with integrated integrity. They are # handled specially below. -macs="$macs `${SSH} -Q cipher | grep gcm@openssh.com`" +macs="$macs `${SSH} -Q cipher-auth`" # avoid DH group exchange as the extra traffic makes it harder to get the # offset into the stream right. @@ -36,12 +36,14 @@ for m in $macs; do fi # modify output from sshd at offset $off pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1" - case $m in - aes*gcm*) macopt="-c $m";; - *) macopt="-m $m";; - esac + if ssh -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then + macopt="-c $m" + else + macopt="-m $m -c aes128-ctr" + fi verbose "test $tid: $m @$off" ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ + -oServerAliveInterval=1 -oServerAliveCountMax=30 \ 999.999.999.999 'printf "%4096s" " "' >/dev/null if [ $? -eq 0 ]; then fail "ssh -m $m succeeds with bit-flip at $off" diff --git a/regress/rekey.sh b/regress/rekey.sh index fe81f0c33..cf9401ea0 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh 
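Review bot: The AEAD checks added in cipher-speed.sh and integrity.sh (and again in try-ciphers.sh later in this commit) call bare `ssh -Q cipher-auth`, while every other query in these scripts goes through `${SSH}`. The answer therefore comes from whichever `ssh` is first on PATH, not the binary under test. With output and errors sent to /dev/null, an installed client that lacks `cipher-auth` sends the script down the non-AEAD branch; in integrity.sh that would pass an AEAD cipher name to `-m $m -c aes128-ctr`. Use `${SSH} -Q cipher-auth`, and match the name literally with `grep -Fx -- "$c"`, since the names contain `.`, which `grep "^${c}\$"` treats as a wildcard.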
@@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.13 2013/11/09 05:41:34 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.14 2013/11/21 03:18:51 djm Exp $ # Placed in the Public Domain. tid="rekey" @@ -44,9 +44,9 @@ for opt in $opts; do ssh_data_rekeying -oRekeyLimit=256k -o$opt done -# GCM is magical so test with all KexAlgorithms -if ${SSH} -Q cipher | grep gcm@openssh.com >/dev/null ; then - for c in `${SSH} -Q cipher | grep gcm@openssh.com`; do +# AEAD ciphers are magical so test with all KexAlgorithms +if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then + for c in `${SSH} -Q cipher-auth`; do for kex in `${SSH} -Q kex`; do verbose "client rekey $c $kex" ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex @@ -131,10 +131,10 @@ for size in 16 1k 1K 1m 1M 1g 1G; do awk '/rekeylimit/{print $3}'` if [ "$bytes" != "$b" ]; then - fatal "rekeylimit size: expected $bytes got $b" + fatal "rekeylimit size: expected $bytes bytes got $b" fi if [ "$seconds" != "$s" ]; then - fatal "rekeylimit time: expected $time got $s" + fatal "rekeylimit time: expected $time seconds got $s" fi done done diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index 485843299..ac34cedbf 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh @@ -1,4 +1,4 @@ -# $OpenBSD: try-ciphers.sh,v 1.21 2013/11/07 02:48:38 dtucker Exp $ +# $OpenBSD: try-ciphers.sh,v 1.22 2013/11/21 03:18:51 djm Exp $ # Placed in the Public Domain. tid="try ciphers" @@ -12,10 +12,11 @@ for c in `${SSH} -Q cipher`; do if [ $? -ne 0 ]; then fail "ssh -2 failed with mac $m cipher $c" fi - # No point trying all MACs for GCM since they are ignored. - case $c in - aes*-gcm@openssh.com) test $n -gt 0 && break;; - esac + # No point trying all MACs for AEAD ciphers since they + # are ignored. + if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then + break + fi n=`expr $n + 1` done done -- cgit v1.2.3 From f54542af3ad07532188b10136ae302314ec69ed6 Mon Sep 17 00:00:00 2001 
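Review bot: In the last rekey.sh hunk the message now reads `expected $time seconds got $s`, but the comparison directly above it is on `$seconds`. If `$time` holds the unconverted spec, as `$size` does for the byte limit in the loop header, a failure prints the raw spec labelled as seconds instead of the number that was compared. Printing the compared value keeps the diagnostic accurate: `fatal "rekeylimit time: expected $seconds seconds got $s"`. The loops that set these variables start outside the hunk.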
From: Damien Miller Date: Sat, 7 Dec 2013 16:32:44 +1100 Subject: - markus@cvs.openbsd.org 2013/12/06 13:52:46 [regress/Makefile regress/agent.sh regress/cert-hostkey.sh] [regress/cert-userkey.sh regress/keytype.sh] test ed25519 support; from djm@ --- ChangeLog | 4 ++++ regress/Makefile | 12 ++++++++++-- regress/agent.sh | 4 ++-- regress/cert-hostkey.sh | 48 ++++++++++++++++++++++++++++-------------------- regress/cert-userkey.sh | 31 +++++++++++++++++-------------- regress/keytype.sh | 4 ++-- 6 files changed, 63 insertions(+), 40 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index cf5e0d504..5edeb82b2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,10 @@ - djm@cvs.openbsd.org 2013/12/07 00:19:15 [key.c] set k->cert = NULL after freeing it + - markus@cvs.openbsd.org 2013/12/06 13:52:46 + [regress/Makefile regress/agent.sh regress/cert-hostkey.sh] + [regress/cert-userkey.sh regress/keytype.sh] + test ed25519 support; from djm@ - (djm) [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h] [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents - (djm) [Makefile.in] Add ed25519 sources diff --git a/regress/Makefile b/regress/Makefile index eca634a60..098f2014b 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,6 +1,6 @@ -# $OpenBSD: Makefile,v 1.66 2013/10/09 23:44:14 djm Exp $ +# $OpenBSD: Makefile,v 1.67 2013/12/06 13:52:46 markus Exp $ -REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec +REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec tests: $(REGRESS_TARGETS) # Interop tests are not run by default 
@@ -153,6 +153,14 @@ t9: $(OBJ)/t9.out test "${TEST_SSH_ECC}" != yes || \ ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t9.out > /dev/null + +$(OBJ)/t10.out: + ${TEST_SSH_SSHKEYGEN} -q -t ed25519 -N '' -f $@ + +t10: $(OBJ)/t10.out + ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t10.out > /dev/null + ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t10.out > /dev/null + t-exec: ${LTESTS:=.sh} @if [ "x$?" = "x" ]; then exit 0; fi; \ for TEST in ""$?; do \ diff --git a/regress/agent.sh b/regress/agent.sh index be7d91334..90bad15d4 100644 --- a/regress/agent.sh +++ b/regress/agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $ +# $OpenBSD: agent.sh,v 1.9 2013/12/06 13:52:46 markus Exp $ # Placed in the Public Domain. tid="simple agent test" @@ -20,7 +20,7 @@ else fi trace "overwrite authorized keys" printf '' > $OBJ/authorized_keys_$USER - for t in rsa rsa1; do + for t in ed25519 rsa rsa1; do # generate user key for agent rm -f $OBJ/$t-agent ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\ diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 35cd39293..da2cec87d 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh @@ -1,14 +1,8 @@ -# $OpenBSD: cert-hostkey.sh,v 1.7 2013/05/17 00:37:40 dtucker Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.8 2013/12/06 13:52:46 markus Exp $ # Placed in the Public Domain. tid="certified host keys" -# used to disable ECC based tests on platforms without ECC -ecdsa="" -if test "x$TEST_SSH_ECC" = "xyes"; then - ecdsa=ecdsa -fi - rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key* cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 
@@ -23,8 +17,17 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert +PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` + +type_has_legacy() { + case $1 in + ed25519*|ecdsa*) return 1 ;; + esac + return 0 +} + # Generate and sign host keys -for ktype in rsa dsa $ecdsa ; do +for ktype in $PLAIN_TYPES ; do verbose "$tid: sign host ${ktype} cert" # Generate and sign a host key ${SSHKEYGEN} -q -N '' -t ${ktype} \ @@ -34,10 +37,10 @@ for ktype in rsa dsa $ecdsa ; do -I "regress host key for $USER" \ -n $HOSTS $OBJ/cert_host_key_${ktype} || fail "couldn't sign cert_host_key_${ktype}" - # v00 ecdsa certs do not exist - test "${ktype}" = "ecdsa" && continue + type_has_legacy $ktype || continue cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub + verbose "$tid: sign host ${ktype}_v00 cert" ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ -I "regress host key for $USER" \ -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 || @@ -46,7 +49,7 @@ done # Basic connect tests for privsep in yes no ; do - for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do + for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do verbose "$tid: host ${ktype} cert connect privsep $privsep" ( cat $OBJ/sshd_proxy_bak @@ -73,9 +76,16 @@ done printf "* " cat $OBJ/cert_host_key_rsa.pub if test "x$TEST_SSH_ECC" = "xyes"; then + cat $OBJ/cert_host_key_ecdsa-sha2-nistp256.pub + printf '@revoked ' + printf "* " + cat $OBJ/cert_host_key_ecdsa-sha2-nistp384.pub + printf '@revoked ' + printf "* " + cat $OBJ/cert_host_key_ecdsa-sha2-nistp521.pub printf '@revoked ' printf "* " - cat $OBJ/cert_host_key_ecdsa.pub + cat $OBJ/cert_host_key_ed25519.pub fi printf '@revoked ' printf "* " 
@@ -88,7 +98,7 @@ done cat $OBJ/cert_host_key_dsa_v00.pub ) > $OBJ/known_hosts-cert for privsep in yes no ; do - for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do + for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do verbose "$tid: host ${ktype} revoked cert privsep $privsep" ( cat $OBJ/sshd_proxy_bak @@ -115,7 +125,7 @@ done printf "* " cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert -for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do +for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do verbose "$tid: host ${ktype} revoked cert" ( cat $OBJ/sshd_proxy_bak @@ -186,9 +196,8 @@ test_one "cert has constraints" failure "-h -Oforce-command=false" # Check downgrade of cert to raw key when no CA found for v in v01 v00 ; do - for ktype in rsa dsa $ecdsa ; do - # v00 ecdsa certs do not exist. - test "${v}${ktype}" = "v00ecdsa" && continue + for ktype in $PLAIN_TYPES ; do + type_has_legacy $ktype || continue rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" # Generate and sign a host key @@ -225,9 +234,8 @@ done cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert for v in v01 v00 ; do - for kt in rsa dsa $ecdsa ; do - # v00 ecdsa certs do not exist. - test "${v}${ktype}" = "v00ecdsa" && continue + for kt in $PLAIN_TYPES ; do + type_has_legacy $kt || continue rm -f $OBJ/cert_host_key* # Self-sign key ${SSHKEYGEN} -q -N '' -t ${kt} \ diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 6018b38f4..b093a9196 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh 
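Review bot: In both `for v in v01 v00` loops of cert-hostkey.sh (the downgrade-to-raw-key test and the self-signed test) the replacement guard skips more than the one it replaces. The old line skipped only the `v00` plus `ecdsa` combination, whereas `type_has_legacy $ktype || continue` skips ECDSA and Ed25519 for `v01` too, so those certificate types are no longer exercised by either test. Make the skip conditional on the version: `if test "$v" = "v00"; then type_has_legacy $ktype || continue; fi` (with `$kt` in the second loop).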
@@ -1,23 +1,26 @@ -# $OpenBSD: cert-userkey.sh,v 1.11 2013/05/17 00:37:40 dtucker Exp $ +# $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $ # Placed in the Public Domain. tid="certified user keys" -# used to disable ECC based tests on platforms without ECC -ecdsa="" -if test "x$TEST_SSH_ECC" = "xyes"; then - ecdsa=ecdsa -fi - rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak +PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` + +type_has_legacy() { + case $1 in + ed25519*|ecdsa*) return 1 ;; + esac + return 0 +} + # Create a CA key ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ fail "ssh-keygen of user_ca_key failed" # Generate and sign user keys -for ktype in rsa dsa $ecdsa ; do +for ktype in $PLAIN_TYPES ; do verbose "$tid: sign user ${ktype} cert" ${SSHKEYGEN} -q -N '' -t ${ktype} \ -f $OBJ/cert_user_key_${ktype} || \ @@ -25,18 +28,18 @@ for ktype in rsa dsa $ecdsa ; do ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" - # v00 ecdsa certs do not exist - test "${ktype}" = "ecdsa" && continue + type_has_legacy $ktype || continue cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub + verbose "$tid: sign host ${ktype}_v00 cert" ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ "regress user key for $USER" \ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || - fail "couldn't sign cert_user_key_${ktype}_v00" + fatal "couldn't sign cert_user_key_${ktype}_v00" done # Test explicitly-specified principals -for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do +for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do for privsep in yes no ; do _prefix="${ktype} privsep $privsep" 
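Review bot: The trace line added to the user-key signing loop in cert-userkey.sh says `sign host ${ktype}_v00 cert`, which looks copied from cert-hostkey.sh; the key being signed here is a user key, so the log is misleading when a failure is triaged. Suggest `verbose "$tid: sign user ${ktype}_v00 cert"`. `PLAIN_TYPES` and `type_has_legacy` are now duplicated in both scripts (the `sed` expressions differ by a stray `g` flag) and would benefit from a comment such as `# returns 0 only for key types that also have a v00 certificate format`.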
@@ -162,7 +165,7 @@ basic_tests() { extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" fi - for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do + for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do for privsep in yes no ; do _prefix="${ktype} privsep $privsep $auth" # Simple connect @@ -332,7 +335,7 @@ test_one "principals key option no principals" failure "" \ # Wrong certificate cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy -for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do +for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do case $ktype in *_v00) args="-t v00" ;; *) args="" ;; diff --git a/regress/keytype.sh b/regress/keytype.sh index 65436b2c0..2c57ec6b1 100644 --- a/regress/keytype.sh +++ b/regress/keytype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keytype.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $ +# $OpenBSD: keytype.sh,v 1.3 2013/12/06 13:52:46 markus Exp $ # Placed in the Public Domain. tid="login with different key types" @@ -11,7 +11,7 @@ fi cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak -ktypes="dsa-1024 rsa-2048 rsa-3072" +ktypes="dsa-1024 rsa-2048 rsa-3072 ed25519-512" for i in `$SSH -Q key`; do case "$i" in ecdsa-sha2-nistp256) ktype="$ktype ecdsa-256" ;; -- cgit v1.2.3 From eb401585bb8336cbf81fe4fc58eb9f7cac3ab874 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 7 Dec 2013 17:07:15 +1100 Subject: - (djm) [regress/cert-hostkey.sh] Fix merge botch --- ChangeLog | 1 + regress/cert-hostkey.sh | 8 +++++--- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 5edeb82b2..317dd2c46 100644 --- a/ChangeLog +++ b/ChangeLog @@ -48,6 +48,7 @@ - (djm) [ed25519.c ssh-ed25519.c openbsd-compat/Makefile.in] [openbsd-compat/bcrypt_pbkdf.c] Make ed25519/new key format compile on Linux + - (djm) [regress/cert-hostkey.sh] Fix merge botch 20131205 - (djm) OpenBSD CVS Sync diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index da2cec87d..1ed5af501 100644 --- a/regress/cert-hostkey.sh 
+++ b/regress/cert-hostkey.sh @@ -76,6 +76,8 @@ done printf "* " cat $OBJ/cert_host_key_rsa.pub if test "x$TEST_SSH_ECC" = "xyes"; then + printf '@revoked ' + printf "* " cat $OBJ/cert_host_key_ecdsa-sha2-nistp256.pub printf '@revoked ' printf "* " @@ -83,12 +85,12 @@ done printf '@revoked ' printf "* " cat $OBJ/cert_host_key_ecdsa-sha2-nistp521.pub - printf '@revoked ' - printf "* " - cat $OBJ/cert_host_key_ed25519.pub fi printf '@revoked ' printf "* " + cat $OBJ/cert_host_key_ed25519.pub + printf '@revoked ' + printf "* " cat $OBJ/cert_host_key_dsa.pub printf '@revoked ' printf "* " -- cgit v1.2.3 From 6d6fcd14e23a9053198342bb379815b15e504084 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 8 Dec 2013 15:53:28 +1100 Subject: - (djm) [Makefile.in regress/Makefile regress/agent-ptrace.sh] [regress/setuid-allowed.c] Check that ssh-agent is not on a no-setuid filesystem before running agent-ptrace.sh; ok dtucker --- ChangeLog | 3 +++ Makefile.in | 9 +++++++- regress/Makefile | 2 +- regress/agent-ptrace.sh | 7 ++++++ regress/setuid-allowed.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 75 insertions(+), 2 deletions(-) create mode 100644 regress/setuid-allowed.c (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 3434d6d27..c56f59785 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,9 @@ 20131208 - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna Vinschen + - (djm) [Makefile.in regress/Makefile regress/agent-ptrace.sh] + [regress/setuid-allowed.c] Check that ssh-agent is not on a no-setuid + filesystem before running agent-ptrace.sh; ok dtucker 20131207 - (djm) OpenBSD CVS Sync diff --git a/Makefile.in b/Makefile.in index f45c88098..e789b476a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.347 2013/12/07 10:43:47 djm Exp $ +# $Id: Makefile.in,v 1.348 2013/12/08 04:53:28 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -401,6 +401,13 @@ regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \ $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) +regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c + [ -d `pwd`/regress ] || mkdir -p `pwd`/regress + [ -f `pwd`/regress/Makefile ] || \ + ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile + $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \ + $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) BUILDDIR=`pwd`; \ TEST_SHELL="@TEST_SHELL@"; \ diff --git a/regress/Makefile b/regress/Makefile index 098f2014b..ba8504837 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -88,7 +88,7 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \ ssh.log failed-ssh.log sshd.log failed-sshd.log \ regress.log failed-regress.log ssh-log-wrapper.sh \ - sftp-server.sh sftp-server.log sftp.log + sftp-server.sh sftp-server.log sftp.log setuid-allowed SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER} diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh index 9f29464c5..6824b8141 100644 --- a/regress/agent-ptrace.sh +++ b/regress/agent-ptrace.sh @@ -19,6 +19,13 @@ else exit 0 fi +if $OBJ/setuid-allowed ${SSHAGENT} ; then + : ok +else + echo "skipped (${SSHAGENT} is mounted on a no-setuid filesystem)" + exit 0 +fi + if test -z "$SUDO" ; then echo "skipped (SUDO not set)" exit 0 diff --git a/regress/setuid-allowed.c b/regress/setuid-allowed.c new file mode 100644 index 000000000..37b7dc8ad --- /dev/null +++ b/regress/setuid-allowed.c 
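Review bot: The check added to agent-ptrace.sh treats every non-zero exit of `$OBJ/setuid-allowed` as a no-setuid filesystem and then exits 0, so a helper that is missing or not executable silently skips the ssh-agent ptrace-protection test with a misleading message. The `tests interop-tests:` prerequisite line shown as context in the Makefile.in hunk lists only `regress/modpipe$(EXEEXT)`, so unless the helper is built some other way this is the path taken. Guard for the helper's presence first, e.g. `test -x $OBJ/setuid-allowed || fatal "setuid-allowed helper not built"` (assuming `fatal` is available to this script), and add `regress/setuid-allowed$(EXEEXT)` to the `tests` prerequisites.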
@@ -0,0 +1,56 @@ +/* + * Copyright (c) 2013 Damien Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* $OpenBSD$ */ + +#include "includes.h" + +#include +#ifdef HAVE_SYS_STATVFS_H +# include +#endif +#include +#include + +void +usage(void) +{ + fprintf(stderr, "check-setuid [path]\n"); + exit(1); +} + +int +main(int argc, char **argv) +{ + const char *path = "."; + struct statvfs sb; + + if (argc > 2) + usage(); + else if (argc == 2) + path = argv[1]; + + if (statvfs(path, &sb) != 0) { + /* Don't return an error if the host doesn't support statvfs */ + if (errno == ENOSYS) + return 0; + fprintf(stderr, "statvfs for \"%s\" failed: %s\n", + path, strerror(errno)); + } + return (sb.f_flag & ST_NOSUID) ? 1 : 0; +} + + -- cgit v1.2.3 From 77244afe3b6d013b485e0952eaab89b9db83380f Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 21 Dec 2013 17:02:39 +1100 Subject: 20131221 - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. --- ChangeLog | 3 +++ regress/keytype.sh | 8 +++++--- 2 files changed, 8 insertions(+), 3 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 3b64040c0..017c05a73 100644 --- a/ChangeLog +++ b/ChangeLog 
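Review bot: In `main` of setuid-allowed.c, a `statvfs()` failure with any errno other than `ENOSYS` prints the error and then falls through to `return (sb.f_flag & ST_NOSUID) ? 1 : 0;`, which reads an uninitialised `sb` and makes the exit status arbitrary. Add an explicit `exit(1);` after the `fprintf` so that a failed lookup is never reported as "setuid allowed". `struct statvfs sb` is also declared unconditionally although the header include is guarded by `HAVE_SYS_STATVFS_H`, and `usage()` prints `check-setuid` rather than the name the program is built under.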
@@ -1,3 +1,6 @@ +20131221 + - (dtucker) [regress/keytype.sh] Actually test ecdsa key types. + 20131219 - (dtucker) [configure.ac] bz#2178: Don't try to use BSM on Solaris versions greater than 11 either rather than just 11. Patch from Tomas Kuthan. diff --git a/regress/keytype.sh b/regress/keytype.sh index 2c57ec6b1..9752acb0a 100644 --- a/regress/keytype.sh +++ b/regress/keytype.sh @@ -11,12 +11,14 @@ fi cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak +# Traditional and builtin key types. ktypes="dsa-1024 rsa-2048 rsa-3072 ed25519-512" +# Types not present in all OpenSSL versions. for i in `$SSH -Q key`; do case "$i" in - ecdsa-sha2-nistp256) ktype="$ktype ecdsa-256" ;; - ecdsa-sha2-nistp384) ktype="$ktype ecdsa-384" ;; - ecdsa-sha2-nistp521) ktype="$ktype ecdsa-521" ;; + ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;; + ecdsa-sha2-nistp384) ktypes="$ktypes ecdsa-384" ;; + ecdsa-sha2-nistp521) ktypes="$ktypes ecdsa-521" ;; esac done -- cgit v1.2.3 From 9f4c8e797ea002a883307ca906f1f1f815010e78 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 29 Dec 2013 17:57:46 +1100 Subject: - (djm) [regress/Makefile] Add some generated files for cleaning --- ChangeLog | 1 + regress/Makefile | 6 ++++-- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 02d8050a2..d33de38a7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ 20131229 - (djm) [loginrec.c] Check for username truncation when looking up lastlog entries + - (djm) [regress/Makefile] Add some generated files for cleaning - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/12/19 00:10:30 [ssh-add.c] diff --git a/regress/Makefile b/regress/Makefile index ba8504837..0c66b1774 100644 --- a/regress/Makefile +++ b/regress/Makefile 
@@ -73,7 +73,7 @@ INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers USER!= id -un CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ - t8.out t8.out.pub t9.out t9.out.pub \ + t8.out t8.out.pub t9.out t9.out.pub t10.out t10.out.pub \ authorized_keys_${USER} known_hosts pidfile testdata \ ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \ rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \ @@ -88,7 +88,9 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \ ssh.log failed-ssh.log sshd.log failed-sshd.log \ regress.log failed-regress.log ssh-log-wrapper.sh \ - sftp-server.sh sftp-server.log sftp.log setuid-allowed + sftp-server.sh sftp-server.log sftp.log setuid-allowed \ + data ed25519-agent ed25519-agent.pub key.ed25519-512 \ + key.ed25519-512.pub SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER} -- cgit v1.2.3 From a9c1e500ef609795cbc662848edb1a1dca279c81 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 8 Jan 2014 16:13:12 +1100 Subject: - (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@ --- ChangeLog | 3 +++ regress/.cvsignore | 30 +++++++++++++++++++++++++++++- 2 files changed, 32 insertions(+), 1 deletion(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 7b5123412..c429c3b8a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20140108 + - (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@ + 20131231 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2013/12/30 23:52:28 diff --git a/regress/.cvsignore b/regress/.cvsignore index f3c7a7c5d..99add9cc3 100644 --- a/regress/.cvsignore +++ b/regress/.cvsignore 
@@ -1 +1,29 @@ -Makefile +*-agent +*.copy +*.log +*.prv +*.pub +actual +authorized_keys_* +data +expect +host.rsa* +key.* +known_hosts +krl-* +modpipe +remote_pid +revoked-* +revoked-ca +revoked-keyid +revoked-serials +rsa +rsa1 +sftp-server.sh +ssh-log-wrapper.sh +ssh_config +ssh_proxy* +sshd_config +sshd_proxy* +t*.out +t*.out[0-9] -- cgit v1.2.3 From f9df7f6f477792254eab33cdef71a6d66488cb88 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 20 Jan 2014 20:07:15 +1100 Subject: - (djm) [regress/cert-hostkey.sh] Fix regress failure on platforms that skip one or more key types (e.g. RHEL/CentOS 6.5); ok dtucker@ --- ChangeLog | 2 ++ regress/cert-hostkey.sh | 30 ++++-------------------------- 2 files changed, 6 insertions(+), 26 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 6073abbb8..66c3b6248 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,8 @@ - (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the Kerberos implementation does not have krb5_cc_new_unique, similar to what we do in auth-krb5.c. + - (djm) [regress/cert-hostkey.sh] Fix regress failure on platforms that + skip one or more key types (e.g. RHEL/CentOS 6.5); ok dtucker@ - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2014/01/20 00:08:48 [digest.c] diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 1ed5af501..a1318cd53 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh 
@@ -72,32 +72,10 @@ done printf '@cert-authority ' printf "$HOSTS " cat $OBJ/host_ca_key.pub - printf '@revoked ' - printf "* " - cat $OBJ/cert_host_key_rsa.pub - if test "x$TEST_SSH_ECC" = "xyes"; then - printf '@revoked ' - printf "* " - cat $OBJ/cert_host_key_ecdsa-sha2-nistp256.pub - printf '@revoked ' - printf "* " - cat $OBJ/cert_host_key_ecdsa-sha2-nistp384.pub - printf '@revoked ' - printf "* " - cat $OBJ/cert_host_key_ecdsa-sha2-nistp521.pub - fi - printf '@revoked ' - printf "* " - cat $OBJ/cert_host_key_ed25519.pub - printf '@revoked ' - printf "* " - cat $OBJ/cert_host_key_dsa.pub - printf '@revoked ' - printf "* " - cat $OBJ/cert_host_key_rsa_v00.pub - printf '@revoked ' - printf "* " - cat $OBJ/cert_host_key_dsa_v00.pub + for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do + test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey" + printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n" + done ) > $OBJ/known_hosts-cert for privsep in yes no ; do for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do -- cgit v1.2.3 From b0e0f760b861676a3fe5c40133b270713d5321a9 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 24 Jan 2014 14:27:04 +1100 Subject: - (djm) [Makefile.in regress/scp-ssh-wrapper.sh regress/scp.sh] Make the scp regress test actually test the built scp rather than the one in $PATH. ok dtucker@ --- ChangeLog | 5 +++++ Makefile.in | 4 +++- regress/scp-ssh-wrapper.sh | 6 ++++-- regress/scp.sh | 1 + 4 files changed, 13 insertions(+), 3 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index e352892c5..d92847996 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20130124 + - (djm) [Makefile.in regress/scp-ssh-wrapper.sh regress/scp.sh] Make + the scp regress test actually test the built scp rather than the one + in $PATH. ok dtucker@ + 20130123 - (tim) [session.c] Improve error reporting on set_id(). - (dtucker) [configure.ac] NetBSD's (and FreeBSD's) strnvis is gratuitously 
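Review bot: The new `printf "@revoked * …\n"` line in regress/cert-hostkey.sh embeds the output of `cat` on the public-key file in the printf format string, so a `%` or backslash in a key comment would be interpreted instead of copied into `known_hosts-cert`. Keep the data out of the format, as the removed lines did: `printf '@revoked * '; cat "$OBJ/cert_host_key_${ktype}.pub"`. The `fatal "no pubkey"` message should name the key, e.g. `fatal "no pubkey for $ktype"`. The loop sits inside the `( … ) > $OBJ/known_hosts-cert` group, whose opening is outside the hunk, so confirm that `fatal` aborts the whole test and not only the subshell; otherwise the run would continue with an incomplete revocation list.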
diff --git a/Makefile.in b/Makefile.in index f5dd3b834..e3dfab2fa 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.350 2014/01/17 05:47:04 djm Exp $ +# $Id: Makefile.in,v 1.351 2014/01/24 03:27:04 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -411,6 +411,7 @@ regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) BUILDDIR=`pwd`; \ TEST_SHELL="@TEST_SHELL@"; \ + TEST_SSH_SCP="$${BUILDDIR}/scp"; \ TEST_SSH_SSH="$${BUILDDIR}/ssh"; \ TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \ TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent"; \ @@ -434,6 +435,7 @@ tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT) PATH="$${BUILDDIR}:$${PATH}" \ TEST_ENV=MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \ TEST_SHELL="$${TEST_SHELL}" \ + TEST_SSH_SCP="$${TEST_SSH_SCP}" \ TEST_SSH_SSH="$${TEST_SSH_SSH}" \ TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \ TEST_SSH_SSHAGENT="$${TEST_SSH_SSHAGENT}" \ diff --git a/regress/scp-ssh-wrapper.sh b/regress/scp-ssh-wrapper.sh index d1005a995..c63bc2bc1 100644 --- a/regress/scp-ssh-wrapper.sh +++ b/regress/scp-ssh-wrapper.sh @@ -17,7 +17,7 @@ printname () { } # Discard all but last argument. We use arg later. -while test "$1" != ""; do +while test "x$1" != "x"; do arg="$1" shift done @@ -52,6 +52,8 @@ badserver_4) echo "X" ;; *) - exec $arg + set -- $arg + shift + exec $SCP "$@" ;; esac diff --git a/regress/scp.sh b/regress/scp.sh index 29c5b35d4..c2da2a862 100644 --- a/regress/scp.sh +++ b/regress/scp.sh @@ -20,6 +20,7 @@ SRC=`dirname ${SCRIPT}` cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp chmod 755 ${OBJ}/scp-ssh-wrapper.scp scpopts="-q -S ${OBJ}/scp-ssh-wrapper.scp" +export SCP # used in scp-ssh-wrapper.scp scpclean() { rm -rf ${COPY} ${COPY2} ${DIR} ${DIR2} -- cgit v1.2.3 From 6f917ad376481995ab7d29fb53b08ec8d507eb9e Mon Sep 17 00:00:00 2001 
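Review bot: In the `*)` branch of regress/scp-ssh-wrapper.sh, the new `set -- $arg`, `shift`, `exec $SCP "$@"` sequence discards the first word of the requested command without looking at it. It then runs whatever `$SCP` expands to, including nothing at all if the variable did not reach the wrapper's environment. Failing early with a clear message is safer than executing an unintended command line: `exec "${SCP:?SCP not set}" "$@"`, and, if the first word is always expected to be `scp`, `test "x$1" = "xscp" || exit 1` before the `shift`. The unquoted `$arg` is also word-split and glob-expanded by `set --`, so a comment noting that the tests rely on paths without spaces or wildcard characters would document that limit. The `case` statement starts outside the hunk.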
From: Tim Rice Date: Tue, 28 Jan 2014 10:26:25 -0800 Subject: - (tim) [regress/agent.sh regress/agent-ptrace.sh] Assign $? to a variable when used as an error message inside an if statement so we display the correct into. agent.sh patch from Petr Lautrbach. --- ChangeLog | 3 +++ regress/agent-ptrace.sh | 5 +++-- regress/agent.sh | 30 ++++++++++++++++++------------ 3 files changed, 24 insertions(+), 14 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 549db120b..74390565e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,9 @@ - (djm) [sshd.c] Use kill(0, ...) instead of killpg(0, ...); the latter being specified to have undefined behaviour in SUSv3; ok dtucker + - (tim) [regress/agent.sh regress/agent-ptrace.sh] Assign $? to a variable + when used as an error message inside an if statement so we display the + correct into. agent.sh patch from Petr Lautrbach. 20140127 - (dtucker) [Makefile.in] Remove trailing backslash which some make diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh index 6824b8141..ae150641f 100644 --- a/regress/agent-ptrace.sh +++ b/regress/agent-ptrace.sh @@ -45,8 +45,9 @@ else gdb ${SSHAGENT} ${SSH_AGENT_PID} > ${OBJ}/gdb.out 2>&1 << EOF quit EOF - if [ $? -ne 0 ]; then - fail "gdb failed: exit code $?" + r=$? + if [ $r -ne 0 ]; then + fail "gdb failed: exit code $r" fi egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable to access task ' >/dev/null ${OBJ}/gdb.out r=$? diff --git a/regress/agent.sh b/regress/agent.sh index 90bad15d4..cf1a45fe0 100644 --- a/regress/agent.sh +++ b/regress/agent.sh 
@@ -34,40 +34,46 @@ else fi done ${SSHADD} -l > /dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh-add -l failed: exit code $?" + r=$? + if [ $r -ne 0 ]; then + fail "ssh-add -l failed: exit code $r" fi # the same for full pubkey output ${SSHADD} -L > /dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh-add -L failed: exit code $?" + r=$? + if [ $r -ne 0 ]; then + fail "ssh-add -L failed: exit code $r" fi trace "simple connect via agent" for p in 1 2; do ${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p - if [ $? -ne 5$p ]; then - fail "ssh connect with protocol $p failed (exit code $?)" + r=$? + if [ $r -ne 5$p ]; then + fail "ssh connect with protocol $p failed (exit code $r)" fi done trace "agent forwarding" for p in 1 2; do ${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh-add -l via agent fwd proto $p failed (exit code $?)" + r=$? + if [ $r -ne 0 ]; then + fail "ssh-add -l via agent fwd proto $p failed (exit code $r)" fi ${SSH} -A -$p -F $OBJ/ssh_proxy somehost \ "${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p" - if [ $? -ne 5$p ]; then - fail "agent fwd proto $p failed (exit code $?)" + r=$? + if [ $r -ne 5$p ]; then + fail "agent fwd proto $p failed (exit code $r)" fi done trace "delete all agent keys" ${SSHADD} -D > /dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh-add -D failed: exit code $?" + r=$? + if [ $r -ne 0 ]; then + fail "ssh-add -D failed: exit code $r" fi trace "kill agent" -- cgit v1.2.3
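Review bot: The four zero-status checks in this regress/agent.sh hunk (`ssh-add -l`, `ssh-add -L`, the forwarded `ssh-add -l`, and `ssh-add -D`) can report the status without the `r` temporary, because `$?` still holds the failed command's status on the right-hand side of `||`: `${SSHADD} -l > /dev/null 2>&1 || fail "ssh-add -l failed: exit code $?"`. The two `-ne 5$p` comparisons do need the saved value, and quoting it there (`[ "$r" -ne 5$p ]`) keeps the test well-formed if the variable is ever empty. `r` is a script-global name, so a short comment at its first use saying it holds the last command's exit status would help readers. The enclosing `else` block starts before the hunk.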