From 114efe2bc0dd2842d997940a833f115e6fc04854 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 19 Aug 2016 06:44:13 +0000 Subject: upstream commit add tests for matching functions Upstream-Regress-ID: 0869d4f5c5d627c583c6a929d69c17d5dd65882c --- regress/unittests/Makefile | 4 +- regress/unittests/match/Makefile | 12 ++++++ regress/unittests/match/tests.c | 84 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 98 insertions(+), 2 deletions(-) create mode 100644 regress/unittests/match/Makefile create mode 100644 regress/unittests/match/tests.c (limited to 'regress') diff --git a/regress/unittests/Makefile b/regress/unittests/Makefile index 0a95d4b20..e70b16644 100644 --- a/regress/unittests/Makefile +++ b/regress/unittests/Makefile @@ -1,5 +1,5 @@ -# $OpenBSD: Makefile,v 1.6 2016/05/26 19:14:25 schwarze Exp $ +# $OpenBSD: Makefile,v 1.7 2016/08/19 06:44:13 djm Exp $ REGRESS_FAIL_EARLY= yes -SUBDIR= test_helper sshbuf sshkey bitmap kex hostkeys utf8 +SUBDIR= test_helper sshbuf sshkey bitmap kex hostkeys utf8 match .include diff --git a/regress/unittests/match/Makefile b/regress/unittests/match/Makefile new file mode 100644 index 000000000..dc802f58d --- /dev/null +++ b/regress/unittests/match/Makefile @@ -0,0 +1,12 @@ +# $OpenBSD: Makefile,v 1.1 2016/08/19 06:44:13 djm Exp $ + +TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" + +PROG=test_match +SRCS=tests.c +REGRESS_TARGETS=run-regress-${PROG} + +run-regress-${PROG}: ${PROG} + env ${TEST_ENV} ./${PROG} + +.include diff --git a/regress/unittests/match/tests.c b/regress/unittests/match/tests.c new file mode 100644 index 000000000..aaca546bf --- /dev/null +++ b/regress/unittests/match/tests.c 
@@ -0,0 +1,84 @@ +/* $OpenBSD: tests.c,v 1.1 2016/08/19 06:44:13 djm Exp $ */ +/* + * Regress test for matching functions + * + * Placed in the public domain + */ + +#include +#include +#include +#include +#include +#include + +#include "test_helper.h" + +#include "match.h" + +void +tests(void) +{ + TEST_START("match_pattern"); + ASSERT_INT_EQ(match_pattern("", ""), 1); + ASSERT_INT_EQ(match_pattern("", "aaa"), 0); + ASSERT_INT_EQ(match_pattern("aaa", ""), 0); + ASSERT_INT_EQ(match_pattern("aaa", "aaaa"), 0); + ASSERT_INT_EQ(match_pattern("aaaa", "aaa"), 0); + TEST_DONE(); + + TEST_START("match_pattern wildcard"); + ASSERT_INT_EQ(match_pattern("", "*"), 1); + ASSERT_INT_EQ(match_pattern("a", "?"), 1); + ASSERT_INT_EQ(match_pattern("aa", "a?"), 1); + ASSERT_INT_EQ(match_pattern("a", "*"), 1); + ASSERT_INT_EQ(match_pattern("aa", "a*"), 1); + ASSERT_INT_EQ(match_pattern("aa", "?*"), 1); + ASSERT_INT_EQ(match_pattern("aa", "**"), 1); + ASSERT_INT_EQ(match_pattern("aa", "?a"), 1); + ASSERT_INT_EQ(match_pattern("aa", "*a"), 1); + ASSERT_INT_EQ(match_pattern("ba", "a?"), 0); + ASSERT_INT_EQ(match_pattern("ba", "a*"), 0); + ASSERT_INT_EQ(match_pattern("ab", "?a"), 0); + ASSERT_INT_EQ(match_pattern("ab", "*a"), 0); + TEST_DONE(); + + TEST_START("match_pattern_list"); + ASSERT_INT_EQ(match_pattern_list("", "", 0), 0); /* no patterns */ + ASSERT_INT_EQ(match_pattern_list("", "*", 0), 1); + ASSERT_INT_EQ(match_pattern_list("", "!*", 0), -1); + ASSERT_INT_EQ(match_pattern_list("", "!a,*", 0), 1); + ASSERT_INT_EQ(match_pattern_list("", "*,!a", 0), 1); + ASSERT_INT_EQ(match_pattern_list("", "a,!*", 0), -1); + ASSERT_INT_EQ(match_pattern_list("", "!*,a", 0), -1); + ASSERT_INT_EQ(match_pattern_list("a", "", 0), 0); + ASSERT_INT_EQ(match_pattern_list("a", "*", 0), 1); + ASSERT_INT_EQ(match_pattern_list("a", "!*", 0), -1); + ASSERT_INT_EQ(match_pattern_list("a", "!a,*", 0), -1); + ASSERT_INT_EQ(match_pattern_list("b", "!a,*", 0), 1); + ASSERT_INT_EQ(match_pattern_list("a", "*,!a", 
0), -1); + ASSERT_INT_EQ(match_pattern_list("b", "*,!a", 0), 1); + ASSERT_INT_EQ(match_pattern_list("a", "a,!*", 0), -1); + ASSERT_INT_EQ(match_pattern_list("b", "a,!*", 0), -1); + ASSERT_INT_EQ(match_pattern_list("a", "!*,a", 0), -1); + ASSERT_INT_EQ(match_pattern_list("b", "!*,a", 0), -1); + TEST_DONE(); + + TEST_START("match_pattern_list lowercase"); + ASSERT_INT_EQ(match_pattern_list("abc", "ABC", 0), 0); + ASSERT_INT_EQ(match_pattern_list("ABC", "abc", 0), 0); + ASSERT_INT_EQ(match_pattern_list("abc", "ABC", 1), 1); + ASSERT_INT_EQ(match_pattern_list("ABC", "abc", 1), 0); + TEST_DONE(); + +/* + * XXX TODO + * int match_host_and_ip(const char *, const char *, const char *); + * int match_user(const char *, const char *, const char *, const char *); + * char *match_list(const char *, const char *, u_int *); + * int addr_match_list(const char *, const char *); + * int addr_match_cidr_list(const char *, const char *); + */ + +} + -- cgit v1.2.3 From 6ee4f1c01ee31e65245881d49d4bccf014956066 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Aug 2016 16:33:48 +1000 Subject: hook match and utf8 unittests up to Makefile --- Makefile.in | 34 ++++++++++++++++++++++++++++++++++ regress/Makefile | 2 ++ regress/unittests/match/tests.c | 4 +++- regress/unittests/utf8/tests.c | 4 +++- 4 files changed, 42 insertions(+), 2 deletions(-) (limited to 'regress') diff --git a/Makefile.in b/Makefile.in index 62fdb09f6..d6df2ff3c 100644 --- a/Makefile.in +++ b/Makefile.in @@ -240,6 +240,10 @@ clean: regressclean rm -f regress/unittests/hostkeys/test_hostkeys rm -f regress/unittests/kex/*.o rm -f regress/unittests/kex/test_kex + rm -f regress/unittests/match/*.o + rm -f regress/unittests/match/test_match + rm -f regress/unittests/utf8/*.o + rm -f regress/unittests/utf8/test_utf8 rm -f regress/misc/kexfuzz/*.o rm -f regress/misc/kexfuzz/kexfuzz (cd openbsd-compat && $(MAKE) clean) 
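Review bot: The `match_pattern_list lowercase` group in regress/unittests/match/tests.c pins an asymmetric result without saying why: `match_pattern_list("abc", "ABC", 1)` is expected to return 1, while `match_pattern_list("ABC", "abc", 1)` is expected to return 0. From these asserts the third argument appears to lowercase only the pattern, not the string under test, so a caller expecting a case-insensitive comparison gets no match for an upper-case string. I would add a comment above the group such as `/* dolower folds the pattern only; the string must already be lower-case */`, with the parameter name confirmed against match.h.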
@@ -262,6 +266,10 @@ distclean: regressclean rm -f regress/unittests/hostkeys/test_hostkeys rm -f regress/unittests/kex/*.o rm -f regress/unittests/kex/test_kex + rm -f regress/unittests/match/*.o + rm -f regress/unittests/match/test_match + rm -f regress/unittests/utf8/*.o + rm -f regress/unittests/utf8/test_utf8 rm -f regress/unittests/misc/kexfuzz (cd openbsd-compat && $(MAKE) distclean) if test -d pkg ; then \ @@ -422,6 +430,10 @@ regress-prep: mkdir -p `pwd`/regress/unittests/hostkeys [ -d `pwd`/regress/unittests/kex ] || \ mkdir -p `pwd`/regress/unittests/kex + [ -d `pwd`/regress/unittests/match ] || \ + mkdir -p `pwd`/regress/unittests/match + [ -d `pwd`/regress/unittests/utf8 ] || \ + mkdir -p `pwd`/regress/unittests/utf8 [ -d `pwd`/regress/misc/kexfuzz ] || \ mkdir -p `pwd`/regress/misc/kexfuzz [ -f `pwd`/regress/Makefile ] || \ @@ -512,6 +524,26 @@ regress/unittests/hostkeys/test_hostkeys$(EXEEXT): \ regress/unittests/test_helper/libtest_helper.a \ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) +UNITTESTS_TEST_MATCH_OBJS=\ + regress/unittests/match/tests.o + +regress/unittests/match/test_match$(EXEEXT): \ + ${UNITTESTS_TEST_MATCH_OBJS} \ + regress/unittests/test_helper/libtest_helper.a libssh.a + $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_MATCH_OBJS) \ + regress/unittests/test_helper/libtest_helper.a \ + -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + +UNITTESTS_TEST_UTF8_OBJS=\ + regress/unittests/utf8/tests.o + +regress/unittests/utf8/test_utf8$(EXEEXT): \ + ${UNITTESTS_TEST_UTF8_OBJS} \ + regress/unittests/test_helper/libtest_helper.a libssh.a + $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_UTF8_OBJS) \ + regress/unittests/test_helper/libtest_helper.a \ + -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + MISC_KEX_FUZZ_OBJS=\ regress/misc/kexfuzz/kexfuzz.o 
@@ -528,6 +560,8 @@ regress-binaries: regress/modpipe$(EXEEXT) \ regress/unittests/bitmap/test_bitmap$(EXEEXT) \ regress/unittests/hostkeys/test_hostkeys$(EXEEXT) \ regress/unittests/kex/test_kex$(EXEEXT) \ + regress/unittests/match/test_match$(EXEEXT) \ + regress/unittests/utf8/test_utf8$(EXEEXT) \ regress/misc/kexfuzz/kexfuzz$(EXEEXT) tests interop-tests t-exec: regress-prep regress-binaries $(TARGETS) diff --git a/regress/Makefile b/regress/Makefile index 08fd82dbf..2910f13ab 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -222,4 +222,6 @@ unit: $$V ${.OBJDIR}/unittests/kex/test_kex ; \ $$V ${.OBJDIR}/unittests/hostkeys/test_hostkeys \ -d ${.CURDIR}/unittests/hostkeys/testdata ; \ + $$V ${.OBJDIR}/unittests/match/test_match ; \ + $$V ${.OBJDIR}/unittests/utf8/test_utf8 ; \ fi diff --git a/regress/unittests/match/tests.c b/regress/unittests/match/tests.c index aaca546bf..44b89a586 100644 --- a/regress/unittests/match/tests.c +++ b/regress/unittests/match/tests.c @@ -5,6 +5,8 @@ * Placed in the public domain */ +#include "includes.h" + #include #include #include @@ -12,7 +14,7 @@ #include #include -#include "test_helper.h" +#include "../test_helper/test_helper.h" #include "match.h" diff --git a/regress/unittests/utf8/tests.c b/regress/unittests/utf8/tests.c index fad2ec279..6d06fa182 100644 --- a/regress/unittests/utf8/tests.c +++ b/regress/unittests/utf8/tests.c @@ -6,10 +6,12 @@ * and placed in the public domain. */ +#include "includes.h" + #include #include -#include "test_helper.h" +#include "../test_helper/test_helper.h" #include "utf8.h" -- cgit v1.2.3 From a39627134f6d90e7009eeb14e9582ecbc7a99192 Mon Sep 17 00:00:00 2001 
From: "djm@openbsd.org" Date: Tue, 23 Aug 2016 06:36:23 +0000 Subject: upstream commit remove Protocol directive from client/server configs that causes spammy deprecation warnings hardcode SSH_PROTOCOLS=2, since that's all we support on the server now (the client still may support both, so it could get confused) Upstream-Regress-ID: c16662c631af51633f9fd06aca552a70535de181 --- regress/test-exec.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'regress') diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 1b6526d0b..7a456bbee 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.53 2016/04/15 02:57:10 djm Exp $ +# $OpenBSD: test-exec.sh,v 1.54 2016/08/23 06:36:23 djm Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -130,7 +130,8 @@ if [ "x$TEST_SSH_CONCH" != "x" ]; then esac fi -SSH_PROTOCOLS=`$SSH -Q protocol-version` +SSH_PROTOCOLS=2 +#SSH_PROTOCOLS=`$SSH -Q protocol-version` if [ "x$TEST_SSH_PROTOCOLS" != "x" ]; then SSH_PROTOCOLS="${TEST_SSH_PROTOCOLS}" fi @@ -400,7 +401,6 @@ fi cat << EOF > $OBJ/sshd_config StrictModes no Port $PORT - Protocol $PROTO AddressFamily inet ListenAddress 127.0.0.1 #ListenAddress ::1 @@ -433,7 +433,6 @@ echo 'StrictModes no' >> $OBJ/sshd_proxy # create client config cat << EOF > $OBJ/ssh_config Host * - Protocol $PROTO Hostname 127.0.0.1 HostKeyAlias localhost-with-alias Port $PORT -- cgit v1.2.3 From 44e5f756d286bc3a1a5272ea484ee276ba3ac5c2 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 23 Aug 2016 08:17:04 +0000 Subject: upstream commit add tests for addr_match_list() Upstream-Regress-ID: fae2d1fef84687ece584738a924c7bf969616c8e --- regress/unittests/match/tests.c | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) (limited to 'regress') diff --git a/regress/unittests/match/tests.c b/regress/unittests/match/tests.c index 44b89a586..e6eb4af26 100644 --- a/regress/unittests/match/tests.c 
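Review bot: In the `@@ -130,7 +130,8 @@` hunk of regress/test-exec.sh the old probe is left as a commented-out line next to `SSH_PROTOCOLS=2`, with no comment saying why it is disabled. `TEST_SSH_PROTOCOLS` still overrides the hard-coded value in the context lines just below. A run can therefore still request protocol 1, even though the two later hunks drop `Protocol $PROTO` from both generated configs; how the per-protocol tests behave in that case depends on code outside these hunks. I would replace the dead line with a comment such as `# sshd is protocol 2 only; "$SSH -Q protocol-version" may still list 1 for the client`.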
+++ b/regress/unittests/match/tests.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tests.c,v 1.1 2016/08/19 06:44:13 djm Exp $ */
+/* $OpenBSD: tests.c,v 1.2 2016/08/23 08:17:04 djm Exp $ */
 /*
 * Regress test for matching functions
 *
@@ -56,12 +56,16 @@ tests(void)
 ASSERT_INT_EQ(match_pattern_list("a", "", 0), 0);
 ASSERT_INT_EQ(match_pattern_list("a", "*", 0), 1);
 ASSERT_INT_EQ(match_pattern_list("a", "!*", 0), -1);
+ ASSERT_INT_EQ(match_pattern_list("a", "!a", 0), -1);
+ ASSERT_INT_EQ(match_pattern_list("a", "!b", 0), 1);
 ASSERT_INT_EQ(match_pattern_list("a", "!a,*", 0), -1);
 ASSERT_INT_EQ(match_pattern_list("b", "!a,*", 0), 1);
 ASSERT_INT_EQ(match_pattern_list("a", "*,!a", 0), -1);
 ASSERT_INT_EQ(match_pattern_list("b", "*,!a", 0), 1);
 ASSERT_INT_EQ(match_pattern_list("a", "a,!*", 0), -1);
 ASSERT_INT_EQ(match_pattern_list("b", "a,!*", 0), -1);
+ ASSERT_INT_EQ(match_pattern_list("a", "a,!a", 0), -1);
+ ASSERT_INT_EQ(match_pattern_list("b", "a,!a", 0), 1);
 ASSERT_INT_EQ(match_pattern_list("a", "!*,a", 0), -1);
 ASSERT_INT_EQ(match_pattern_list("b", "!*,a", 0), -1);
 TEST_DONE();
@@ -73,14 +77,35 @@ tests(void) ASSERT_INT_EQ(match_pattern_list("ABC", "abc", 1), 0); TEST_DONE(); + TEST_START("addr_match_list"); + ASSERT_INT_EQ(addr_match_list("127.0.0.1", "127.0.0.1/44"), -2); + ASSERT_INT_EQ(addr_match_list(NULL, "127.0.0.1/44"), -2); + ASSERT_INT_EQ(addr_match_list("a", "*"), 0); + ASSERT_INT_EQ(addr_match_list("127.0.0.1", "*"), 1); + ASSERT_INT_EQ(addr_match_list(NULL, "*"), 0); + ASSERT_INT_EQ(addr_match_list("127.0.0.1", "127.0.0.1"), 1); + ASSERT_INT_EQ(addr_match_list("127.0.0.1", "127.0.0.2"), 0); + ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.0.1"), -1); + ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.0.2"), 1); + ASSERT_INT_EQ(addr_match_list("127.0.0.255", "127.0.0.0/24"), 1); + ASSERT_INT_EQ(addr_match_list("127.0.1.1", "127.0.0.0/24"), 0); + ASSERT_INT_EQ(addr_match_list("127.0.0.1", "127.0.0.0/24"), 1); + ASSERT_INT_EQ(addr_match_list("127.0.0.1", "127.0.1.0/24"), 0); + ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.0.0/24"), -1); + ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.1.0/24"), 1); + ASSERT_INT_EQ(addr_match_list("127.0.0.1", "10.0.0.1,!127.0.0.1"), -1); + ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.0.1,10.0.0.1"), -1); + ASSERT_INT_EQ(addr_match_list("127.0.0.1", "10.0.0.1,127.0.0.2"), 0); + ASSERT_INT_EQ(addr_match_list("127.0.0.1", "127.0.0.2,10.0.0.1"), 0); + ASSERT_INT_EQ(addr_match_list("127.0.0.1", "10.0.0.1,!127.0.0.2"), 1); + ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.0.2,10.0.0.1"), 1); + TEST_DONE(); + /* * XXX TODO * int match_host_and_ip(const char *, const char *, const char *); * int match_user(const char *, const char *, const char *, const char *); * char *match_list(const char *, const char *, u_int *); - * int addr_match_list(const char *, const char *); * int addr_match_cidr_list(const char *, const char *); */ - } - -- cgit v1.2.3 From 44d82fc83be6c5ccd70881c2dac1a73e5050398b Mon Sep 17 00:00:00 2001 
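Review bot: The new `addr_match_list` group exercises only IPv4 addresses with a `/24` prefix plus one invalid prefix length (`/44`); it has no IPv6 address, no `/0` or `/32` boundary, and no list that combines a CIDR entry with a negated entry. Prefix-boundary and address-family handling are where an address matcher is most likely to be wrong, so those cases are worth pinning alongside the ones here. I would add lines such as `ASSERT_INT_EQ(addr_match_list("127.0.0.1", "127.0.0.1/32"), 1);` and an IPv6 counterpart, with the expected values confirmed against addr_match_list itself. The enclosing tests() starts outside the hunk.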
From: "dtucker@openbsd.org" Date: Mon, 12 Sep 2016 02:25:46 +0000 Subject: upstream commit Add testcase for ssh-keygen -j, -J and -K options for moduli screening. Does not currently test generation as that is extremely slow. Upstream-Regress-ID: 9de6ce801377ed3ce0a63a1413f1cd5fd3c2d062 --- regress/Makefile | 3 ++- regress/keygen-moduli.sh | 15 +++++++++++++++ regress/moduli.in | 3 +++ 3 files changed, 20 insertions(+), 1 deletion(-) create mode 100644 regress/keygen-moduli.sh create mode 100644 regress/moduli.in (limited to 'regress') diff --git a/regress/Makefile b/regress/Makefile index 2910f13ab..e9121f5f6 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.88 2016/06/03 04:10:41 dtucker Exp $ +# $OpenBSD: Makefile,v 1.89 2016/09/12 02:25:46 dtucker Exp $ REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec tests: prep $(REGRESS_TARGETS) @@ -39,6 +39,7 @@ LTESTS= connect \ keyscan \ keygen-change \ keygen-convert \ + keygen-moduli \ key-options \ scp \ sftp \ diff --git a/regress/keygen-moduli.sh b/regress/keygen-moduli.sh new file mode 100644 index 000000000..4be7b4d63 --- /dev/null +++ b/regress/keygen-moduli.sh @@ -0,0 +1,15 @@ +# $OpenBSD: keygen-moduli.sh,v 1.1 2016/09/12 02:25:46 dtucker Exp $ +# Placed in the Public Domain. + +tid="keygen moduli" + +for i in 0 1 2; do + rm -f $OBJ/moduli.out $OBJ/moduli.ckpt + ${SSHKEYGEN} -T $OBJ/moduli.out -f ${SRC}/moduli.in -j$i -J1 \ + -K $OBJ/moduli.ckpt 2>/dev/null || \ + fail "keygen screen failed line $i" + lines=`wc -l <$OBJ/moduli.out` + test "$lines" -eq "1" || fail "expected 1 line, got $lines" +done + +rm -f $OBJ/moduli.out $OBJ/moduli.ckpt diff --git a/regress/moduli.in b/regress/moduli.in new file mode 100644 index 000000000..e69c902a2 --- /dev/null +++ b/regress/moduli.in 
@@ -0,0 +1,3 @@ +20160301052556 2 6 100 2047 5 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 +20160301052601 2 6 100 2047 2 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 +20160301052612 2 6 100 2047 5 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 -- cgit v1.2.3 From 2b939c272a81c4d0c47badeedbcb2ba7c128ccda Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Wed, 14 Sep 2016 00:45:31 +0000 Subject: upstream commit Improve test coverage of ssh-keygen -T a bit. Upstream-Regress-ID: 8851668c721bcc2b400600cfc5a87644cc024e72 --- regress/keygen-moduli.sh | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'regress') diff --git a/regress/keygen-moduli.sh b/regress/keygen-moduli.sh index 4be7b4d63..d4e771383 100644 --- a/regress/keygen-moduli.sh +++ b/regress/keygen-moduli.sh @@ -1,13 +1,16 @@ -# $OpenBSD: keygen-moduli.sh,v 1.1 2016/09/12 02:25:46 dtucker Exp $ +# $OpenBSD: keygen-moduli.sh,v 1.2 2016/09/14 00:45:31 dtucker Exp $ # Placed in the Public Domain. tid="keygen moduli" -for i in 0 1 2; do +# Try "start at the beginning and stop after 1", "skip 1 then stop after 1" +# and "skip 2 and run to the end with checkpointing". Since our test data +# file has 3 lines, these should always result in 1 line of output. +for i in "-J1" "-j1 -J1" "-j2 -K $OBJ/moduli.ckpt"; do + trace "keygen $i" rm -f $OBJ/moduli.out $OBJ/moduli.ckpt - ${SSHKEYGEN} -T $OBJ/moduli.out -f ${SRC}/moduli.in -j$i -J1 \ - -K $OBJ/moduli.ckpt 2>/dev/null || \ - fail "keygen screen failed line $i" + ${SSHKEYGEN} -T $OBJ/moduli.out -f ${SRC}/moduli.in $i 2>/dev/null || \ + fail "keygen screen failed $i" lines=`wc -l <$OBJ/moduli.out` test "$lines" -eq "1" || fail "expected 1 line, got $lines" done -- cgit v1.2.3 From 0445ff184080b196e12321998b4ce80b0f33f8d1 Mon Sep 17 00:00:00 2001 
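Review bot: The rewritten loop in regress/keygen-moduli.sh passes its options through an unquoted `$i`, and the third list item embeds `$OBJ/moduli.ckpt`, so the test relies on word splitting and breaks if `$OBJ` contains whitespace. The screening run also keeps `2>/dev/null`, so a failure reports only `keygen screen failed $i` without ssh-keygen's own diagnostic. The only assertion is the output line count, not which modulus survived screening. I would keep the diagnostic by redirecting with `2>$OBJ/moduli.err || \` and printing that file in the `fail` path, and extend the comment to say `# only the line count is checked, not the screened value`.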
From: "djm@openbsd.org" Date: Fri, 16 Sep 2016 01:01:41 +0000 Subject: upstream commit fix for newer modp DH groups (diffie-hellman-group14-sha256 etc) Upstream-Regress-ID: fe942c669959462b507516ae1634fde0725f1c68 --- regress/misc/kexfuzz/kexfuzz.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'regress') diff --git a/regress/misc/kexfuzz/kexfuzz.c b/regress/misc/kexfuzz/kexfuzz.c index 2894d3a1e..8535980b0 100644 --- a/regress/misc/kexfuzz/kexfuzz.c +++ b/regress/misc/kexfuzz/kexfuzz.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexfuzz.c,v 1.1 2016/03/04 02:30:37 djm Exp $ */ +/* $OpenBSD: kexfuzz.c,v 1.2 2016/09/16 01:01:41 djm Exp $ */ /* * Fuzz harness for KEX code * @@ -231,12 +231,17 @@ do_kex_with_key(const char *kex, struct sshkey *prvkey, int *c2s, int *s2c, sshbuf_free(state); ASSERT_PTR_NE(server2->kex, NULL); /* XXX we need to set the callbacks */ +#ifdef WITH_OPENSSL server2->kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; server2->kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server; + server2->kex->kex[KEX_DH_GRP14_SHA256] = kexdh_server; + server2->kex->kex[KEX_DH_GRP16_SHA512] = kexdh_server; + server2->kex->kex[KEX_DH_GRP18_SHA512] = kexdh_server; server2->kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; server2->kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; -#ifdef OPENSSL_HAS_ECC +# ifdef OPENSSL_HAS_ECC server2->kex->kex[KEX_ECDH_SHA2] = kexecdh_server; +# endif #endif server2->kex->kex[KEX_C25519_SHA256] = kexc25519_server; server2->kex->load_host_public_key = server->kex->load_host_public_key; -- cgit v1.2.3 From 920585b826af1c639e4ed78b2eba01fd2337b127 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 16 Sep 2016 06:09:31 +0000 Subject: upstream commit add a note on kexfuzz' limitations Upstream-Regress-ID: 03804d4a0dbc5163e1a285a4c8cc0a76a4e864ec --- regress/misc/kexfuzz/README | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'regress') 
diff --git a/regress/misc/kexfuzz/README b/regress/misc/kexfuzz/README index 8b215b5bf..abd7b50ee 100644 --- a/regress/misc/kexfuzz/README +++ b/regress/misc/kexfuzz/README @@ -26,3 +26,7 @@ A comprehensive KEX fuzz run would fuzz every packet in both directions for each key exchange type and every hostkey type. This will take some time. +Limitations: kexfuzz can't change the ordering of packets at +present. It is limited to replacing individual packets with +fuzzed variants with the same type. It really should allow +insertion, deletion on replacement of packets too. -- cgit v1.2.3 From 119b7a2ca0ef2bf3f81897ae10301b8ca8cba844 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 21 Sep 2016 01:35:12 +0000 Subject: upstream commit test all the AuthorizedPrincipalsCommand % expansions Upstream-Regress-ID: 0a79a84dfaa59f958e46b474c3db780b454d30e3 --- regress/principals-command.sh | 38 +++++++++++++++++++++++++++----------- 1 file changed, 27 insertions(+), 11 deletions(-) (limited to 'regress') diff --git a/regress/principals-command.sh b/regress/principals-command.sh index c0be7e747..19d7d6c96 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh @@ -1,4 +1,4 @@ -# $OpenBSD: principals-command.sh,v 1.1 2015/05/21 06:44:25 djm Exp $ +# $OpenBSD: principals-command.sh,v 1.2 2016/09/21 01:35:12 djm Exp $ # Placed in the Public Domain. tid="authorized principals command" 
@@ -12,12 +12,36 @@ if test -z "$SUDO" ; then exit 0 fi +SERIAL=$$ + +# Create a CA key and a user certificate. +${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ + fatal "ssh-keygen of user_ca_key failed" +${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/cert_user_key || \ + fatal "ssh-keygen of cert_user_key failed" +${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "Joanne User" \ + -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ + fatal "couldn't sign cert_user_key" + +CERT_BODY=`cat $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'` +CA_BODY=`cat $OBJ/user_ca_key.pub | awk '{ print $2 }'` +CERT_FP=`${SSHKEYGEN} -lf $OBJ/cert_user_key-cert.pub | awk '{ print $2 }'` +CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'` + # Establish a AuthorizedPrincipalsCommand in /var/run where it will have # acceptable directory permissions. PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}" cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'" #!/bin/sh test "x\$1" != "x${LOGNAME}" && exit 1 +test "x\$2" != "xssh-rsa-cert-v01@openssh.com" && exit 1 +test "x\$3" != "xssh-ed25519" && exit 1 +test "x\$4" != "xJoanne User" && exit 1 +test "x\$5" != "x${SERIAL}" && exit 1 +test "x\$6" != "x${CA_FP}" && exit 1 +test "x\$7" != "x${CERT_FP}" && exit 1 +test "x\$8" != "x${CERT_BODY}" && exit 1 +test "x\$9" != "x${CA_BODY}" && exit 1 test -f "$OBJ/authorized_principals_${LOGNAME}" && exec cat "$OBJ/authorized_principals_${LOGNAME}" _EOF 
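Review bot: The generated helper compares `$1` through `$9` against fixed values, but nothing in the hunk says which `%` token each position carries. Every mismatch also exits 1 without a message, so one failing expansion cannot be told apart from another. A comment line inside the heredoc, after the `#!/bin/sh` line, such as `# args: %u %t %T %i %s %F %f %k %K` would tie the checks to the directive written later in the file. `SERIAL=$$` is assigned at the top of the hunk, yet the signing command still passes `-z $$`; using `-z $SERIAL` there keeps the certificate serial and the `$5` check tied to one value.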
@@ -31,15 +55,6 @@ if ! $OBJ/check-perm -m keys-command $PRINCIPALS_CMD ; then exit 0 fi -# Create a CA key and a user certificate. -${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ - fatal "ssh-keygen of user_ca_key failed" -${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/cert_user_key || \ - fatal "ssh-keygen of cert_user_key failed" -${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ - -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ - fatal "couldn't sign cert_user_key" - if [ -x $PRINCIPALS_CMD ]; then # Test explicitly-specified principals for privsep in yes no ; do @@ -51,7 +66,8 @@ if [ -x $PRINCIPALS_CMD ]; then cat $OBJ/sshd_proxy_bak echo "UsePrivilegeSeparation $privsep" echo "AuthorizedKeysFile none" - echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u" + echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \ + "%u %t %T %i %s %F %f %k %K" echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" ) > $OBJ/sshd_proxy -- cgit v1.2.3 From 5f63ab474f58834feca4f35c498be03b7dd38a16 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 21 Sep 2016 17:03:54 +0000 Subject: upstream commit disable tests for affirmative negated match after backout of match change Upstream-Regress-ID: acebb8e5042f03d66d86a50405c46c4de0badcfd --- regress/unittests/match/tests.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'regress') diff --git a/regress/unittests/match/tests.c b/regress/unittests/match/tests.c index e6eb4af26..bcba7667c 100644 --- a/regress/unittests/match/tests.c +++ b/regress/unittests/match/tests.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tests.c,v 1.2 2016/08/23 08:17:04 djm Exp $ */ +/* $OpenBSD: tests.c,v 1.3 2016/09/21 17:03:54 djm Exp $ */ /* * Regress test for matching functions * 
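Review bot: The new `echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND" \` line in the `@@ -51,7 +66,8 @@` hunk expands a variable that is not assigned anywhere on this page. The helper path is stored in `PRINCIPALS_CMD`, which the removed line used and which the earlier hunk of this file sets. With the name unset, the generated directive would begin at `%u`, so sshd would not be pointed at the helper and the nine argument checks would not run as intended. The line should read `echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD" \`.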
@@ -57,7 +57,7 @@ tests(void)
 ASSERT_INT_EQ(match_pattern_list("a", "*", 0), 1);
 ASSERT_INT_EQ(match_pattern_list("a", "!*", 0), -1);
 ASSERT_INT_EQ(match_pattern_list("a", "!a", 0), -1);
- ASSERT_INT_EQ(match_pattern_list("a", "!b", 0), 1);
+ /* XXX negated ASSERT_INT_EQ(match_pattern_list("a", "!b", 0), 1); */
 ASSERT_INT_EQ(match_pattern_list("a", "!a,*", 0), -1);
 ASSERT_INT_EQ(match_pattern_list("b", "!a,*", 0), 1);
 ASSERT_INT_EQ(match_pattern_list("a", "*,!a", 0), -1);
@@ -65,7 +65,7 @@ tests(void)
 ASSERT_INT_EQ(match_pattern_list("a", "a,!*", 0), -1);
 ASSERT_INT_EQ(match_pattern_list("b", "a,!*", 0), -1);
 ASSERT_INT_EQ(match_pattern_list("a", "a,!a", 0), -1);
- ASSERT_INT_EQ(match_pattern_list("b", "a,!a", 0), 1);
+ /* XXX negated ASSERT_INT_EQ(match_pattern_list("b", "a,!a", 0), 1); */
 ASSERT_INT_EQ(match_pattern_list("a", "!*,a", 0), -1);
 ASSERT_INT_EQ(match_pattern_list("b", "!*,a", 0), -1);
 TEST_DONE();
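Review bot: Wrapping the asserts in `/* XXX negated ... */` leaves the post-backout result unasserted for lists where the only negated entry does not match. That applies to `("a", "!b")` and `("b", "a,!a")` in these two hunks, and to the four `addr_match_list` cases in the `@@ -86,19 +86,19 @@` hunk that follows. Pattern and address lists like these typically feed allow/deny decisions, so the value returned in that situation is worth pinning rather than leaving open. If the backed-out code returns 0 for these inputs (to be confirmed against match.c), I would keep the asserts live with the restored expectation, e.g. `ASSERT_INT_EQ(match_pattern_list("a", "!b", 0), 0);`, and keep the `XXX` note as a comment beside each one.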
@@ -86,19 +86,19 @@ tests(void) ASSERT_INT_EQ(addr_match_list("127.0.0.1", "127.0.0.1"), 1); ASSERT_INT_EQ(addr_match_list("127.0.0.1", "127.0.0.2"), 0); ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.0.1"), -1); - ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.0.2"), 1); + /* XXX negated ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.0.2"), 1); */ ASSERT_INT_EQ(addr_match_list("127.0.0.255", "127.0.0.0/24"), 1); ASSERT_INT_EQ(addr_match_list("127.0.1.1", "127.0.0.0/24"), 0); ASSERT_INT_EQ(addr_match_list("127.0.0.1", "127.0.0.0/24"), 1); ASSERT_INT_EQ(addr_match_list("127.0.0.1", "127.0.1.0/24"), 0); ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.0.0/24"), -1); - ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.1.0/24"), 1); + /* XXX negated ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.1.0/24"), 1); */ ASSERT_INT_EQ(addr_match_list("127.0.0.1", "10.0.0.1,!127.0.0.1"), -1); ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.0.1,10.0.0.1"), -1); ASSERT_INT_EQ(addr_match_list("127.0.0.1", "10.0.0.1,127.0.0.2"), 0); ASSERT_INT_EQ(addr_match_list("127.0.0.1", "127.0.0.2,10.0.0.1"), 0); - ASSERT_INT_EQ(addr_match_list("127.0.0.1", "10.0.0.1,!127.0.0.2"), 1); - ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.0.2,10.0.0.1"), 1); + /* XXX negated ASSERT_INT_EQ(addr_match_list("127.0.0.1", "10.0.0.1,!127.0.0.2"), 1); */ + /* XXX negated ASSERT_INT_EQ(addr_match_list("127.0.0.1", "!127.0.0.2,10.0.0.1"), 1); */ TEST_DONE(); /* -- cgit v1.2.3 From ce44c970f913d2a047903dba8670554ac42fc479 Mon Sep 17 00:00:00 2001 
From: "bluhm@openbsd.org" Date: Mon, 26 Sep 2016 21:34:38 +0000 Subject: upstream commit Allow to run ssh regression tests as root. If the user is already root, the test should not expect that SUDO is set. If ssh needs another user, use sudo or doas to switch from root if necessary. OK dtucker@ Upstream-Regress-ID: b464e55185ac4303529e3e6927db41683aaeace2 --- regress/agent-getpeereid.sh | 2 +- regress/keys-command.sh | 2 +- regress/principals-command.sh | 4 ++-- regress/sftp-chroot.sh | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) (limited to 'regress') diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh index 24b71f458..91621a59c 100644 --- a/regress/agent-getpeereid.sh +++ b/regress/agent-getpeereid.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent-getpeereid.sh,v 1.6 2016/05/03 14:41:04 djm Exp $ +# $OpenBSD: agent-getpeereid.sh,v 1.7 2016/09/26 21:34:38 bluhm Exp $ # Placed in the Public Domain. tid="disallow agent attach from other uid" diff --git a/regress/keys-command.sh b/regress/keys-command.sh index af68cf15c..9c9ada7c7 100644 --- a/regress/keys-command.sh +++ b/regress/keys-command.sh @@ -3,7 +3,7 @@ tid="authorized keys from command" -if test -z "$SUDO" ; then +if [ -z "$SUDO" -a ! -w /var/run ]; then echo "skipped (SUDO not set)" echo "need SUDO to create file in /var/run, test won't work without" exit 0 diff --git a/regress/principals-command.sh b/regress/principals-command.sh index 19d7d6c96..680bd957f 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh @@ -1,4 +1,4 @@ -# $OpenBSD: principals-command.sh,v 1.2 2016/09/21 01:35:12 djm Exp $ +# $OpenBSD: principals-command.sh,v 1.3 2016/09/26 21:34:38 bluhm Exp $ # Placed in the Public Domain. tid="authorized principals command" 
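Review bot: The new guard `if [ -z "$SUDO" -a ! -w /var/run ]; then` in regress/keys-command.sh still prints `skipped (SUDO not set)`, which no longer describes the condition. The test is now skipped only when SUDO is empty and /var/run is not writable. The same guard, with a similarly stale message, appears in the principals-command.sh and sftp-chroot.sh hunks of this commit. `-a` inside `[ ]` is marked obsolescent by POSIX and can parse ambiguously with some operands; the portable form is `if [ -z "$SUDO" ] && [ ! -w /var/run ]; then`, with the message changed to something like `skipped (SUDO not set and /var/run not writable)`.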
@@ -6,7 +6,7 @@ tid="authorized principals command" rm -f $OBJ/user_ca_key* $OBJ/cert_user_key* cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak -if test -z "$SUDO" ; then +if [ -z "$SUDO" -a ! -w /var/run ]; then echo "skipped (SUDO not set)" echo "need SUDO to create file in /var/run, test won't work without" exit 0 diff --git a/regress/sftp-chroot.sh b/regress/sftp-chroot.sh index 9c26eb680..4ea2fce85 100644 --- a/regress/sftp-chroot.sh +++ b/regress/sftp-chroot.sh @@ -1,4 +1,4 @@ -# $OpenBSD: sftp-chroot.sh,v 1.4 2014/01/20 00:00:30 dtucker Exp $ +# $OpenBSD: sftp-chroot.sh,v 1.5 2016/09/26 21:34:38 bluhm Exp $ # Placed in the Public Domain. tid="sftp in chroot" @@ -7,7 +7,7 @@ CHROOT=/var/run FILENAME=testdata_${USER} PRIVDATA=${CHROOT}/${FILENAME} -if [ -z "$SUDO" ]; then +if [ -z "$SUDO" -a ! -w /var/run ]; then echo "skipped: need SUDO to create file in /var/run, test won't work without" exit 0 fi -- cgit v1.2.3 From ca71c36645fc26fcd739a8cfdc702cec85607761 Mon Sep 17 00:00:00 2001 From: "bluhm@openbsd.org" Date: Wed, 28 Sep 2016 20:09:52 +0000 Subject: upstream commit Add a makefile rule to create the ssh library when regress needs it. This allows to run the ssh regression tests without doing a "make build" before. Discussed with dtucker@ and djm@; OK djm@ Upstream-Regress-ID: ce489bd53afcd471225a125b4b94565d4717c025 --- regress/unittests/Makefile.inc | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'regress') diff --git a/regress/unittests/Makefile.inc b/regress/unittests/Makefile.inc index 7385e2ba3..20d32a7bf 100644 --- a/regress/unittests/Makefile.inc +++ b/regress/unittests/Makefile.inc @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile.inc,v 1.6 2015/07/01 23:11:18 djm Exp $ +# $OpenBSD: Makefile.inc,v 1.7 2016/09/28 20:09:52 bluhm Exp $ .include .include 
@@ -49,11 +49,15 @@ DPADD+=${.CURDIR}/../test_helper/libtest_helper.a .if exists(${.CURDIR}/${SSHREL}/lib/${__objdir}) LDADD+=-L${.CURDIR}/${SSHREL}/lib/${__objdir} -lssh -DPADD+=${.CURDIR}/${SSHREL}/lib/${__objdir}/libssh.a +LIBSSH=${.CURDIR}/${SSHREL}/lib/${__objdir}/libssh.a .else LDADD+=-L${.CURDIR}/${SSHREL}/lib -lssh -DPADD+=${.CURDIR}/${SSHREL}/lib/libssh.a +LIBSSH=${.CURDIR}/${SSHREL}/lib/libssh.a .endif +DPADD+=${LIBSSH} +${PROG}: ${LIBSSH} +${LIBSSH}: + cd ${.CURDIR}/${SSHREL} && ${MAKE} lib LDADD+= -lcrypto DPADD+= ${LIBCRYPTO} -- cgit v1.2.3 From 09f997893f109799cddbfce6d7e67f787045cbb2 Mon Sep 17 00:00:00 2001 From: "natano@openbsd.org" Date: Thu, 6 Oct 2016 09:31:38 +0000 Subject: upstream commit Move USER out of the way to unbreak the BUILDUSER mechanism. ok tb Upstream-Regress-ID: 74ab9687417dd071d62316eaadd20ddad1d5af3c --- regress/Makefile | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'regress') diff --git a/regress/Makefile b/regress/Makefile index e9121f5f6..c7708ecc3 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.89 2016/09/12 02:25:46 dtucker Exp $ +# $OpenBSD: Makefile,v 1.91 2016/10/06 09:31:38 natano Exp $ REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec tests: prep $(REGRESS_TARGETS) @@ -88,9 +88,10 @@ INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers #LTESTS= cipher-speed -USER!= id -un -CLEANFILES= *.core actual agent-key.* authorized_keys_${USER} \ - authorized_keys_${USER}.* authorized_principals_${USER} \ +USERNAME!= id -un +CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ + authorized_keys_${USERNAME}.* \ + authorized_principals_${USERNAME} \ banner.in banner.out cert_host_key* cert_user_key* \ copy.1 copy.2 data ed25519-agent ed25519-agent* \ ed25519-agent.pub empty.in expect failed-regress.log \ 
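Review bot: The added `${LIBSSH}:` rule in regress/unittests/Makefile.inc has no prerequisites, so as written it appears to run `${MAKE} lib` only when libssh.a is missing. An existing but out-of-date library would then be linked into the unit tests unchanged, and a regress run could pass against library code older than the tree under test. If that is the intent, a comment above the rule such as `# builds libssh.a only when absent; run "make build" to refresh a stale one` would make the limit explicit. Otherwise the rule needs a way to always recurse into `${SSHREL}`.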
@@ -112,7 +113,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USER} \ t6.out1 t6.out2 t7.out t7.out.pub t8.out t8.out.pub \ t9.out t9.out.pub testdata user_*key* user_ca* user_key* -SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER} +SUDO_CLEAN+= /var/run/testdata_${USERNAME} /var/run/keycommand_${USERNAME} # Enable all malloc(3) randomisations and checks TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" -- cgit v1.2.3 From 1723ec92eb485ce06b4cbf49712d21975d873909 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 11 Oct 2016 21:49:54 +0000 Subject: upstream commit fix the KEX fuzzer - the previous method of obtaining the packet contents was broken. This now uses the new per-packet input hook, so it sees exact post-decrypt packets and doesn't have to pass packet integrity checks. ok markus@ Upstream-Regress-ID: 402fb6ffabd97de590e8e57b25788949dce8d2fd --- regress/misc/kexfuzz/kexfuzz.c | 162 ++++++++++++++++++++++++++--------------- 1 file changed, 103 insertions(+), 59 deletions(-) (limited to 'regress') diff --git a/regress/misc/kexfuzz/kexfuzz.c b/regress/misc/kexfuzz/kexfuzz.c index 8535980b0..67058027f 100644 --- a/regress/misc/kexfuzz/kexfuzz.c +++ b/regress/misc/kexfuzz/kexfuzz.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexfuzz.c,v 1.2 2016/09/16 01:01:41 djm Exp $ */ +/* $OpenBSD: kexfuzz.c,v 1.3 2016/10/11 21:49:54 djm Exp $ */ /* * Fuzz harness for KEX code * @@ -27,6 +27,7 @@ #include "packet.h" #include "myproposal.h" #include "authfile.h" +#include "log.h" struct ssh *active_state = NULL; /* XXX - needed for linking */ 
@@ -35,61 +36,93 @@ static int do_debug = 0; enum direction { S2C, C2S }; +struct hook_ctx { + struct ssh *client, *server, *server2; + int *c2s, *s2c; + int trigger_direction, packet_index; + const char *dump_path; + struct sshbuf *replace_data; +}; + static int -do_send_and_receive(struct ssh *from, struct ssh *to, int mydirection, - int *packet_count, int trigger_direction, int packet_index, - const char *dump_path, struct sshbuf *replace_data) +packet_hook(struct ssh *ssh, struct sshbuf *packet, u_char *typep, void *_ctx) +{ + struct hook_ctx *ctx = (struct hook_ctx *)_ctx; + int mydirection = ssh == ctx->client ? S2C : C2S; + int *packet_count = mydirection == S2C ? ctx->s2c : ctx->c2s; + FILE *dumpfile; + int r; + + if (do_debug) { + printf("%s packet %d type %u:\n", + mydirection == S2C ? "s2c" : "c2s", + *packet_count, *typep); + sshbuf_dump(packet, stdout); + } + if (mydirection == ctx->trigger_direction && + ctx->packet_index == *packet_count) { + if (ctx->replace_data != NULL) { + sshbuf_reset(packet); + /* Type is first byte of packet */ + if ((r = sshbuf_get_u8(ctx->replace_data, + typep)) != 0 || + (r = sshbuf_putb(packet, ctx->replace_data)) != 0) + return r; + if (do_debug) { + printf("***** replaced packet type %u\n", + *typep); + sshbuf_dump(packet, stdout); + } + } else if (ctx->dump_path != NULL) { + if ((dumpfile = fopen(ctx->dump_path, "w+")) == NULL) + err(1, "fopen %s", ctx->dump_path); + /* Write { type, packet } */ + if (fwrite(typep, 1, 1, dumpfile) != 1) + err(1, "fwrite type %s", ctx->dump_path); + if (sshbuf_len(packet) != 0 && + fwrite(sshbuf_ptr(packet), sshbuf_len(packet), + 1, dumpfile) != 1) + err(1, "fwrite body %s", ctx->dump_path); + if (do_debug) { + printf("***** dumped packet type %u len %zu\n", + *typep, sshbuf_len(packet)); + } + fclose(dumpfile); + /* No point in continuing */ + exit(0); + } + } + (*packet_count)++; + return 0; +} + +static int +do_send_and_receive(struct ssh *from, struct ssh *to) { u_char type; - size_t 
len, olen; + size_t len; const u_char *buf; int r; - FILE *dumpfile; for (;;) { if ((r = ssh_packet_next(from, &type)) != 0) { fprintf(stderr, "ssh_packet_next: %s\n", ssh_err(r)); return r; } + if (type != 0) return 0; buf = ssh_output_ptr(from, &len); - olen = len; - if (do_debug) { - printf("%s packet %d type %u len %zu:\n", - mydirection == S2C ? "s2c" : "c2s", - *packet_count, type, len); - sshbuf_dump_data(buf, len, stdout); - } - if (mydirection == trigger_direction && - packet_index == *packet_count) { - if (replace_data != NULL) { - buf = sshbuf_ptr(replace_data); - len = sshbuf_len(replace_data); - if (do_debug) { - printf("***** replaced packet " - "len %zu\n", len); - sshbuf_dump_data(buf, len, stdout); - } - } else if (dump_path != NULL) { - if ((dumpfile = fopen(dump_path, "w+")) == NULL) - err(1, "fopen %s", dump_path); - if (len != 0 && - fwrite(buf, len, 1, dumpfile) != 1) - err(1, "fwrite %s", dump_path); - if (do_debug) - printf("***** dumped packet " - "len %zu\n", len); - fclose(dumpfile); - exit(0); - } - } - (*packet_count)++; if (len == 0) return 0; - if ((r = ssh_input_append(to, buf, len)) != 0 || - (r = ssh_output_consume(from, olen)) != 0) + if ((r = ssh_input_append(to, buf, len)) != 0) { + debug("ssh_input_append: %s", ssh_err(r)); + return r; + } + if ((r = ssh_output_consume(from, len)) != 0) { + debug("ssh_output_consume: %s", ssh_err(r)); return r; + } } } 
@@ -141,19 +174,19 @@ const char *in_test = NULL; static void -run_kex(struct ssh *client, struct ssh *server, int *s2c, int *c2s, - int direction, int packet_index, - const char *dump_path, struct sshbuf *replace_data) +run_kex(struct ssh *client, struct ssh *server) { int r = 0; while (!server->kex->done || !client->kex->done) { - if ((r = do_send_and_receive(server, client, S2C, s2c, - direction, packet_index, dump_path, replace_data))) + if ((r = do_send_and_receive(server, client)) != 0) { + debug("do_send_and_receive S2C: %s", ssh_err(r)); break; - if ((r = do_send_and_receive(client, server, C2S, c2s, - direction, packet_index, dump_path, replace_data))) + } + if ((r = do_send_and_receive(client, server)) != 0) { + debug("do_send_and_receive C2S: %s", ssh_err(r)); break; + } } if (do_debug) printf("done: %s\n", ssh_err(r)); @@ -173,6 +206,7 @@ do_kex_with_key(const char *kex, struct sshkey *prvkey, int *c2s, int *s2c, struct kex_params kex_params; char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; char *keyname = NULL; + struct hook_ctx hook_ctx; TEST_START("sshkey_from_private"); ASSERT_INT_EQ(sshkey_from_private(prvkey, &pubkey), 0); 
@@ -187,30 +221,42 @@ do_kex_with_key(const char *kex, struct sshkey *prvkey, int *c2s, int *s2c, kex_params.proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = keyname; ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0); ASSERT_INT_EQ(ssh_init(&server, 1, &kex_params), 0); + ASSERT_INT_EQ(ssh_init(&server2, 1, NULL), 0); ASSERT_PTR_NE(client, NULL); ASSERT_PTR_NE(server, NULL); + ASSERT_PTR_NE(server2, NULL); TEST_DONE(); + hook_ctx.c2s = c2s; + hook_ctx.s2c = s2c; + hook_ctx.trigger_direction = direction; + hook_ctx.packet_index = packet_index; + hook_ctx.dump_path = dump_path; + hook_ctx.replace_data = replace_data; + hook_ctx.client = client; + hook_ctx.server = server; + hook_ctx.server2 = server2; + ssh_packet_set_input_hook(client, packet_hook, &hook_ctx); + ssh_packet_set_input_hook(server, packet_hook, &hook_ctx); + ssh_packet_set_input_hook(server2, packet_hook, &hook_ctx); + TEST_START("ssh_add_hostkey"); ASSERT_INT_EQ(ssh_add_hostkey(server, prvkey), 0); ASSERT_INT_EQ(ssh_add_hostkey(client, pubkey), 0); TEST_DONE(); TEST_START("kex"); - run_kex(client, server, s2c, c2s, direction, packet_index, - dump_path, replace_data); + run_kex(client, server); TEST_DONE(); TEST_START("rekeying client"); ASSERT_INT_EQ(kex_send_kexinit(client), 0); - run_kex(client, server, s2c, c2s, direction, packet_index, - dump_path, replace_data); + run_kex(client, server); TEST_DONE(); TEST_START("rekeying server"); ASSERT_INT_EQ(kex_send_kexinit(server), 0); - run_kex(client, server, s2c, c2s, direction, packet_index, - dump_path, replace_data); + run_kex(client, server); TEST_DONE(); TEST_START("ssh_packet_get_state"); 
@@ -221,9 +267,6 @@ do_kex_with_key(const char *kex, struct sshkey *prvkey, int *c2s, int *s2c, TEST_DONE(); TEST_START("ssh_packet_set_state"); - server2 = NULL; - ASSERT_INT_EQ(ssh_init(&server2, 1, NULL), 0); - ASSERT_PTR_NE(server2, NULL); ASSERT_INT_EQ(ssh_add_hostkey(server2, prvkey), 0); kex_free(server2->kex); /* XXX or should ssh_packet_set_state()? */ ASSERT_INT_EQ(ssh_packet_set_state(server2, state), 0); @@ -251,11 +294,9 @@ do_kex_with_key(const char *kex, struct sshkey *prvkey, int *c2s, int *s2c, TEST_START("rekeying server2"); ASSERT_INT_EQ(kex_send_kexinit(server2), 0); - run_kex(client, server2, s2c, c2s, direction, packet_index, - dump_path, replace_data); + run_kex(client, server2); ASSERT_INT_EQ(kex_send_kexinit(client), 0); - run_kex(client, server2, s2c, c2s, direction, packet_index, - dump_path, replace_data); + run_kex(client, server2); TEST_DONE(); TEST_START("cleanup"); @@ -357,6 +398,9 @@ main(int argc, char **argv) argc -= optind; argv += optind; + log_init(argv[0], do_debug ? SYSLOG_LEVEL_DEBUG3 : SYSLOG_LEVEL_INFO, + SYSLOG_FACILITY_USER, 1); + /* Must select a single mode */ if ((count_flag + dump_flag + replace_flag) != 1) badusage("Must select one mode: -c, -d or -r"); -- cgit v1.2.3 From ca04de83f210959ad2ed870a30ba1732c3ae00e3 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 13 Oct 2016 18:53:43 +1100 Subject: unbreak principals-command test Undo inconsistetly updated variable name. --- regress/principals-command.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'regress') diff --git a/regress/principals-command.sh b/regress/principals-command.sh index 680bd957f..9b38eb105 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh 
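Review bot: The added `log_init(argv[0], ...)` call in the `@@ -357,6 +398,9 @@` hunk sits after `argc -= optind; argv += optind;`, so `argv[0]` is no longer the program name: it is the first remaining operand, or NULL when none is left. Passing that to log_init labels the log output incorrectly at best. Move the call above the two adjustment lines, or save the name before option parsing with `const char *progname = argv[0];` and call `log_init(progname, ...)` here. main starts and ends outside this hunk, so whether a saved program name already exists is not visible.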
@@ -30,8 +30,8 @@ CA_FP=`${SSHKEYGEN} -lf $OBJ/user_ca_key.pub | awk '{ print $2 }'` # Establish a AuthorizedPrincipalsCommand in /var/run where it will have # acceptable directory permissions. -PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}" -cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'" +PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}" +cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" #!/bin/sh test "x\$1" != "x${LOGNAME}" && exit 1 test "x\$2" != "xssh-rsa-cert-v01@openssh.com" && exit 1 @@ -46,16 +46,16 @@ test -f "$OBJ/authorized_principals_${LOGNAME}" && exec cat "$OBJ/authorized_principals_${LOGNAME}" _EOF test $? -eq 0 || fatal "couldn't prepare principals command" -$SUDO chmod 0755 "$PRINCIPALS_CMD" +$SUDO chmod 0755 "$PRINCIPALS_COMMAND" -if ! $OBJ/check-perm -m keys-command $PRINCIPALS_CMD ; then - echo "skipping: $PRINCIPALS_CMD is unsuitable as " \ +if ! $OBJ/check-perm -m keys-command $PRINCIPALS_COMMAND ; then + echo "skipping: $PRINCIPALS_COMMAND is unsuitable as " \ "AuthorizedPrincipalsCommand" - $SUDO rm -f $PRINCIPALS_CMD + $SUDO rm -f $PRINCIPALS_COMMAND exit 0 fi -if [ -x $PRINCIPALS_CMD ]; then +if [ -x $PRINCIPALS_COMMAND ]; then # Test explicitly-specified principals for privsep in yes no ; do _prefix="privsep $privsep" -- cgit v1.2.3 From 09e6a7d8354224933febc08ddcbc2010f542284e Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 24 Oct 2016 09:06:18 +1100 Subject: Wrap stdint.h include in ifdef. --- regress/unittests/match/tests.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'regress') diff --git a/regress/unittests/match/tests.c b/regress/unittests/match/tests.c index bcba7667c..7ff319c16 100644 --- a/regress/unittests/match/tests.c +++ b/regress/unittests/match/tests.c @@ -10,7 +10,9 @@ #include #include #include +#ifdef HAVE_STDINT_H #include +#endif #include #include -- cgit v1.2.3 From 36f58e68221bced35e06d1cca8d97c48807a8b71 Mon Sep 17 00:00:00 2001 
From: "tb@openbsd.org" Date: Mon, 31 Oct 2016 23:45:08 +0000 Subject: upstream commit Remove the obsolete A and P flags from MALLOC_OPTIONS. ok dtucker Upstream-Regress-ID: 6cc25024c8174a87e5734a0dc830194be216dd59 --- regress/Makefile | 4 ++-- regress/connect-privsep.sh | 4 ++-- regress/unittests/bitmap/Makefile | 4 ++-- regress/unittests/hostkeys/Makefile | 4 ++-- regress/unittests/kex/Makefile | 4 ++-- regress/unittests/match/Makefile | 4 ++-- regress/unittests/sshkey/Makefile | 4 ++-- regress/unittests/utf8/Makefile | 4 ++-- 8 files changed, 16 insertions(+), 16 deletions(-) (limited to 'regress') diff --git a/regress/Makefile b/regress/Makefile index c7708ecc3..bc1555717 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.91 2016/10/06 09:31:38 natano Exp $ +# $OpenBSD: Makefile,v 1.92 2016/10/31 23:45:08 tb Exp $ REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec tests: prep $(REGRESS_TARGETS) @@ -116,7 +116,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ SUDO_CLEAN+= /var/run/testdata_${USERNAME} /var/run/keycommand_${USERNAME} # Enable all malloc(3) randomisations and checks -TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" +TEST_ENV= "MALLOC_OPTIONS=FGJRX" TEST_SSH_SSHKEYGEN?=ssh-keygen diff --git a/regress/connect-privsep.sh b/regress/connect-privsep.sh index ea739f614..edfdbf0bf 100644 --- a/regress/connect-privsep.sh +++ b/regress/connect-privsep.sh @@ -1,4 +1,4 @@ -# $OpenBSD: connect-privsep.sh,v 1.6 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: connect-privsep.sh,v 1.7 2016/10/31 23:45:08 tb Exp $ # Placed in the Public Domain. tid="proxy connect with privsep" @@ -27,7 +27,7 @@ done # Because sandbox is sensitive to changes in libc, especially malloc, retest # with every malloc.conf option (and none). if [ -z "TEST_MALLOC_OPTIONS" ]; then - mopts="A F G H J P R S X < >" + mopts="F G H J R S X < >" else mopts=`echo $TEST_MALLOC_OPTIONS | sed 's/./& /g'` fi 
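Review bot: The changed default `mopts="F G H J R S X < >"` in regress/connect-privsep.sh is in a branch that can never run, because the context line above it tests a literal string, `[ -z "TEST_MALLOC_OPTIONS" ]`, rather than the variable. The else branch is always taken, and when TEST_MALLOC_OPTIONS is unset it yields an empty list, so the sandbox would apparently not be retested under any malloc option (the loop that consumes mopts is outside the hunk). The condition should be `if [ -z "$TEST_MALLOC_OPTIONS" ]; then`. The same hunk in the following commit (7da751d8b007) changes the default again and has the same problem.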
diff --git a/regress/unittests/bitmap/Makefile b/regress/unittests/bitmap/Makefile index b704d22d6..b3b7d12c7 100644 --- a/regress/unittests/bitmap/Makefile +++ b/regress/unittests/bitmap/Makefile @@ -1,6 +1,6 @@ -# $OpenBSD: Makefile,v 1.1 2015/01/15 07:36:28 djm Exp $ +# $OpenBSD: Makefile,v 1.2 2016/10/31 23:45:08 tb Exp $ -TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" +TEST_ENV= "MALLOC_OPTIONS=FGJRX" PROG=test_bitmap SRCS=tests.c diff --git a/regress/unittests/hostkeys/Makefile b/regress/unittests/hostkeys/Makefile index f52a85fb1..43968c701 100644 --- a/regress/unittests/hostkeys/Makefile +++ b/regress/unittests/hostkeys/Makefile @@ -1,6 +1,6 @@ -# $OpenBSD: Makefile,v 1.1 2015/02/16 22:18:34 djm Exp $ +# $OpenBSD: Makefile,v 1.2 2016/10/31 23:45:08 tb Exp $ -TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" +TEST_ENV= "MALLOC_OPTIONS=FGJRX" PROG=test_hostkeys SRCS=tests.c test_iterate.c diff --git a/regress/unittests/kex/Makefile b/regress/unittests/kex/Makefile index 6532cb00a..e268daad2 100644 --- a/regress/unittests/kex/Makefile +++ b/regress/unittests/kex/Makefile @@ -1,6 +1,6 @@ -# $OpenBSD: Makefile,v 1.2 2015/01/24 10:39:21 miod Exp $ +# $OpenBSD: Makefile,v 1.3 2016/10/31 23:45:09 tb Exp $ -TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" +TEST_ENV= "MALLOC_OPTIONS=FGJRX" PROG=test_kex SRCS=tests.c test_kex.c diff --git a/regress/unittests/match/Makefile b/regress/unittests/match/Makefile index dc802f58d..3197ece99 100644 --- a/regress/unittests/match/Makefile +++ b/regress/unittests/match/Makefile @@ -1,6 +1,6 @@ -# $OpenBSD: Makefile,v 1.1 2016/08/19 06:44:13 djm Exp $ +# $OpenBSD: Makefile,v 1.2 2016/10/31 23:45:09 tb Exp $ -TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" +TEST_ENV= "MALLOC_OPTIONS=FGJRX" PROG=test_match SRCS=tests.c diff --git a/regress/unittests/sshkey/Makefile b/regress/unittests/sshkey/Makefile index 1bcd26676..8cfa3aa54 100644 --- a/regress/unittests/sshkey/Makefile +++ b/regress/unittests/sshkey/Makefile 
@@ -1,6 +1,6 @@ -# $OpenBSD: Makefile,v 1.1 2014/06/24 01:14:18 djm Exp $ +# $OpenBSD: Makefile,v 1.3 2016/10/31 23:45:09 tb Exp $ -TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" +TEST_ENV= "MALLOC_OPTIONS=FGJRX" PROG=test_sshkey SRCS=tests.c test_sshkey.c test_file.c test_fuzz.c common.c diff --git a/regress/unittests/utf8/Makefile b/regress/unittests/utf8/Makefile index 150ea2f2e..85cf7b81f 100644 --- a/regress/unittests/utf8/Makefile +++ b/regress/unittests/utf8/Makefile @@ -1,6 +1,6 @@ -# $OpenBSD: Makefile,v 1.2 2016/05/30 12:14:08 schwarze Exp $ +# $OpenBSD: Makefile,v 1.3 2016/10/31 23:45:09 tb Exp $ -TEST_ENV= "MALLOC_OPTIONS=CFGJPRSUX" +TEST_ENV= "MALLOC_OPTIONS=CFGJRSUX" PROG=test_utf8 SRCS=tests.c -- cgit v1.2.3 From 7da751d8b007c7f3e814fd5737c2351440d78b4c Mon Sep 17 00:00:00 2001 From: "tb@openbsd.org" Date: Tue, 1 Nov 2016 13:43:27 +0000 Subject: upstream commit Clean up MALLOC_OPTIONS. For the unittests, move MALLOC_OPTIONS and TEST_ENV to unittets/Makefile.inc. ok otto Upstream-Regress-ID: 890d497e0a38eeddfebb11cc429098d76cf29f12 --- regress/Makefile | 4 ++-- regress/connect-privsep.sh | 4 ++-- regress/unittests/Makefile.inc | 2 +- regress/unittests/bitmap/Makefile | 4 +--- regress/unittests/hostkeys/Makefile | 4 +--- regress/unittests/kex/Makefile | 4 +--- regress/unittests/match/Makefile | 4 +--- regress/unittests/sshbuf/Makefile | 2 +- regress/unittests/sshkey/Makefile | 4 +--- regress/unittests/utf8/Makefile | 4 +--- 10 files changed, 12 insertions(+), 24 deletions(-) (limited to 'regress') diff --git a/regress/Makefile b/regress/Makefile index bc1555717..1f71761fa 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.92 2016/10/31 23:45:08 tb Exp $ +# $OpenBSD: Makefile,v 1.93 2016/11/01 13:43:27 tb Exp $ REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec tests: prep $(REGRESS_TARGETS) 
@@ -116,7 +116,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ SUDO_CLEAN+= /var/run/testdata_${USERNAME} /var/run/keycommand_${USERNAME} # Enable all malloc(3) randomisations and checks -TEST_ENV= "MALLOC_OPTIONS=FGJRX" +TEST_ENV= "MALLOC_OPTIONS=CFGJRSUX" TEST_SSH_SSHKEYGEN?=ssh-keygen diff --git a/regress/connect-privsep.sh b/regress/connect-privsep.sh index edfdbf0bf..81cedc7e5 100644 --- a/regress/connect-privsep.sh +++ b/regress/connect-privsep.sh @@ -1,4 +1,4 @@ -# $OpenBSD: connect-privsep.sh,v 1.7 2016/10/31 23:45:08 tb Exp $ +# $OpenBSD: connect-privsep.sh,v 1.8 2016/11/01 13:43:27 tb Exp $ # Placed in the Public Domain. tid="proxy connect with privsep" @@ -27,7 +27,7 @@ done # Because sandbox is sensitive to changes in libc, especially malloc, retest # with every malloc.conf option (and none). if [ -z "TEST_MALLOC_OPTIONS" ]; then - mopts="F G H J R S X < >" + mopts="C F G J R S U X < >" else mopts=`echo $TEST_MALLOC_OPTIONS | sed 's/./& /g'` fi diff --git a/regress/unittests/Makefile.inc b/regress/unittests/Makefile.inc index 20d32a7bf..3d9eaba5c 100644 --- a/regress/unittests/Makefile.inc +++ b/regress/unittests/Makefile.inc @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile.inc,v 1.7 2016/09/28 20:09:52 bluhm Exp $ +# $OpenBSD: Makefile.inc,v 1.9 2016/11/01 13:43:27 tb Exp $ .include .include diff --git a/regress/unittests/bitmap/Makefile b/regress/unittests/bitmap/Makefile index b3b7d12c7..bd21949f8 100644 --- a/regress/unittests/bitmap/Makefile +++ b/regress/unittests/bitmap/Makefile @@ -1,6 +1,4 @@ -# $OpenBSD: Makefile,v 1.2 2016/10/31 23:45:08 tb Exp $ - -TEST_ENV= "MALLOC_OPTIONS=FGJRX" +# $OpenBSD: Makefile,v 1.3 2016/11/01 13:43:27 tb Exp $ PROG=test_bitmap SRCS=tests.c diff --git a/regress/unittests/hostkeys/Makefile b/regress/unittests/hostkeys/Makefile index 43968c701..ae3c342bd 100644 --- a/regress/unittests/hostkeys/Makefile +++ b/regress/unittests/hostkeys/Makefile 
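Review bot: This commit deletes `TEST_ENV= "MALLOC_OPTIONS=FGJRX"` from the per-directory unit test Makefiles (bitmap here; hostkeys, kex, match, sshkey and utf8 in the hunks that follow), but the only change shown for regress/unittests/Makefile.inc is the $OpenBSD$ tag. Unless Makefile.inc already defines TEST_ENV outside the visible lines, the unit tests would run without the malloc(3) checks that the description says were moved there. It is worth confirming that the definition is present in Makefile.inc, or adding it in this change, for example the same `TEST_ENV= "MALLOC_OPTIONS=CFGJRSUX"` line this commit sets in regress/Makefile.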
@@ -1,6 +1,4 @@ -# $OpenBSD: Makefile,v 1.2 2016/10/31 23:45:08 tb Exp $ - -TEST_ENV= "MALLOC_OPTIONS=FGJRX" +# $OpenBSD: Makefile,v 1.3 2016/11/01 13:43:27 tb Exp $ PROG=test_hostkeys SRCS=tests.c test_iterate.c diff --git a/regress/unittests/kex/Makefile b/regress/unittests/kex/Makefile index e268daad2..7ed312675 100644 --- a/regress/unittests/kex/Makefile +++ b/regress/unittests/kex/Makefile @@ -1,6 +1,4 @@ -# $OpenBSD: Makefile,v 1.3 2016/10/31 23:45:09 tb Exp $ - -TEST_ENV= "MALLOC_OPTIONS=FGJRX" +# $OpenBSD: Makefile,v 1.4 2016/11/01 13:43:27 tb Exp $ PROG=test_kex SRCS=tests.c test_kex.c diff --git a/regress/unittests/match/Makefile b/regress/unittests/match/Makefile index 3197ece99..bd4aed844 100644 --- a/regress/unittests/match/Makefile +++ b/regress/unittests/match/Makefile @@ -1,6 +1,4 @@ -# $OpenBSD: Makefile,v 1.2 2016/10/31 23:45:09 tb Exp $ - -TEST_ENV= "MALLOC_OPTIONS=FGJRX" +# $OpenBSD: Makefile,v 1.3 2016/11/01 13:43:27 tb Exp $ PROG=test_match SRCS=tests.c diff --git a/regress/unittests/sshbuf/Makefile b/regress/unittests/sshbuf/Makefile index 85f99ac38..69b27566b 100644 --- a/regress/unittests/sshbuf/Makefile +++ b/regress/unittests/sshbuf/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.1 2014/04/30 05:32:00 djm Exp $ +# $OpenBSD: Makefile,v 1.5 2016/11/01 13:43:27 tb Exp $ PROG=test_sshbuf SRCS=tests.c diff --git a/regress/unittests/sshkey/Makefile b/regress/unittests/sshkey/Makefile index 8cfa3aa54..cfbfcf8f1 100644 --- a/regress/unittests/sshkey/Makefile +++ b/regress/unittests/sshkey/Makefile @@ -1,6 +1,4 @@ -# $OpenBSD: Makefile,v 1.3 2016/10/31 23:45:09 tb Exp $ - -TEST_ENV= "MALLOC_OPTIONS=FGJRX" +# $OpenBSD: Makefile,v 1.4 2016/11/01 13:43:27 tb Exp $ PROG=test_sshkey SRCS=tests.c test_sshkey.c test_file.c test_fuzz.c common.c diff --git a/regress/unittests/utf8/Makefile b/regress/unittests/utf8/Makefile index 85cf7b81f..a975264fc 100644 --- a/regress/unittests/utf8/Makefile +++ b/regress/unittests/utf8/Makefile 
@@ -1,6 +1,4 @@ -# $OpenBSD: Makefile,v 1.3 2016/10/31 23:45:09 tb Exp $ - -TEST_ENV= "MALLOC_OPTIONS=CFGJRSUX" +# $OpenBSD: Makefile,v 1.4 2016/11/01 13:43:27 tb Exp $ PROG=test_utf8 SRCS=tests.c -- cgit v1.2.3 From bd13017736ec2f8f9ca498fe109fb0035f322733 Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Fri, 25 Nov 2016 02:49:18 +0000 Subject: upstream commit Fix typo in trace message; from portable. Upstream-Regress-ID: 4c4a2ba0d37faf5fd230a91b4c7edb5699fbd73a --- regress/test-exec.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'regress') diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 7a456bbee..f9dbc1c5f 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.54 2016/08/23 06:36:23 djm Exp $ +# $OpenBSD: test-exec.sh,v 1.55 2016/11/25 02:49:18 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo -- cgit v1.2.3 From 504c3a9a1bf090f6b27260fc3e8ea7d984d163dc Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Fri, 25 Nov 2016 02:56:49 +0000 Subject: upstream commit Reverse args to sshd-log-wrapper. Matches change in portable, where it allows sshd do be optionally run under Valgrind. Upstream-Regress-ID: b438d1c6726dc5caa2a45153e6103a0393faa906 --- regress/integrity.sh | 2 +- regress/test-exec.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'regress') diff --git a/regress/integrity.sh b/regress/integrity.sh index bfadc6b48..39d310deb 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.18 2016/03/04 02:48:06 dtucker Exp $ +# $OpenBSD: integrity.sh,v 1.19 2016/11/25 02:56:49 dtucker Exp $ # Placed in the Public Domain. tid="integrity" diff --git a/regress/test-exec.sh b/regress/test-exec.sh index f9dbc1c5f..622bbc2d3 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh 
@@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.55 2016/11/25 02:49:18 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.56 2016/11/25 02:56:49 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo -- cgit v1.2.3 From 79e4829ec81dead1b30999e1626eca589319a47f Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Fri, 25 Nov 2016 03:02:01 +0000 Subject: upstream commit Allow PuTTY interop tests to run unattended. bz#2639, patch from cjwatson at debian.org. Upstream-Regress-ID: 4345253558ac23b2082aebabccd48377433b6fe0 --- regress/putty-ciphers.sh | 4 ++-- regress/putty-kex.sh | 5 ++--- regress/putty-transfer.sh | 6 +++--- regress/test-exec.sh | 12 +++++++++--- 4 files changed, 16 insertions(+), 11 deletions(-) (limited to 'regress') diff --git a/regress/putty-ciphers.sh b/regress/putty-ciphers.sh index 724a98cc1..9adba674e 100644 --- a/regress/putty-ciphers.sh +++ b/regress/putty-ciphers.sh @@ -1,4 +1,4 @@ -# $OpenBSD: putty-ciphers.sh,v 1.4 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: putty-ciphers.sh,v 1.5 2016/11/25 03:02:01 dtucker Exp $ # Placed in the Public Domain. tid="putty ciphers" @@ -16,7 +16,7 @@ for c in aes blowfish 3des arcfour aes128-ctr aes192-ctr aes256-ctr ; do rm -f ${COPY} env HOME=$PWD ${PLINK} -load cipher_$c -batch -i putty.rsa2 \ - 127.0.0.1 cat ${DATA} > ${COPY} + cat ${DATA} > ${COPY} if [ $? -ne 0 ]; then fail "ssh cat $DATA failed" fi diff --git a/regress/putty-kex.sh b/regress/putty-kex.sh index 1844d6599..9d3c6a9f0 100644 --- a/regress/putty-kex.sh +++ b/regress/putty-kex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: putty-kex.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: putty-kex.sh,v 1.4 2016/11/25 03:02:01 dtucker Exp $ # Placed in the Public Domain. tid="putty KEX" 
@@ -14,8 +14,7 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do ${OBJ}/.putty/sessions/kex_$k echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k - env HOME=$PWD ${PLINK} -load kex_$k -batch -i putty.rsa2 \ - 127.0.0.1 true + env HOME=$PWD ${PLINK} -load kex_$k -batch -i putty.rsa2 true if [ $? -ne 0 ]; then fail "KEX $k failed" fi diff --git a/regress/putty-transfer.sh b/regress/putty-transfer.sh index aec0e04ee..8eb6ae0c0 100644 --- a/regress/putty-transfer.sh +++ b/regress/putty-transfer.sh @@ -1,4 +1,4 @@ -# $OpenBSD: putty-transfer.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: putty-transfer.sh,v 1.4 2016/11/25 03:02:01 dtucker Exp $ # Placed in the Public Domain. tid="putty transfer data" @@ -17,7 +17,7 @@ for p in 2; do ${OBJ}/.putty/sessions/compression_$c echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k env HOME=$PWD ${PLINK} -load compression_$c -batch \ - -i putty.rsa$p 127.0.0.1 cat ${DATA} > ${COPY} + -i putty.rsa$p cat ${DATA} > ${COPY} if [ $? -ne 0 ]; then fail "ssh cat $DATA failed" fi @@ -28,7 +28,7 @@ for p in 2; do rm -f ${COPY} dd if=$DATA obs=${s} 2> /dev/null | \ env HOME=$PWD ${PLINK} -load compression_$c \ - -batch -i putty.rsa$p 127.0.0.1 \ + -batch -i putty.rsa$p \ "cat > ${COPY}" if [ $? -ne 0 ]; then fail "ssh cat $DATA failed" diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 622bbc2d3..5d48706d4 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.56 2016/11/25 02:56:49 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.57 2016/11/25 03:02:01 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo 
@@ -512,7 +512,11 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then # Add a PuTTY key to authorized_keys rm -f ${OBJ}/putty.rsa2 - puttygen -t rsa -o ${OBJ}/putty.rsa2 < /dev/null > /dev/null + if ! puttygen -t rsa -o ${OBJ}/putty.rsa2 \ + --new-passphrase /dev/null < /dev/null > /dev/null; then + echo "Your installed version of PuTTY is too old to support --new-passphrase; trying without (may require manual interaction) ..." >&2 + puttygen -t rsa -o ${OBJ}/putty.rsa2 < /dev/null > /dev/null + fi puttygen -O public-openssh ${OBJ}/putty.rsa2 \ >> $OBJ/authorized_keys_$USER @@ -525,10 +529,12 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then # Setup proxied session mkdir -p ${OBJ}/.putty/sessions rm -f ${OBJ}/.putty/sessions/localhost_proxy - echo "Hostname=127.0.0.1" >> ${OBJ}/.putty/sessions/localhost_proxy + echo "Protocol=ssh" >> ${OBJ}/.putty/sessions/localhost_proxy + echo "HostName=127.0.0.1" >> ${OBJ}/.putty/sessions/localhost_proxy echo "PortNumber=$PORT" >> ${OBJ}/.putty/sessions/localhost_proxy echo "ProxyMethod=5" >> ${OBJ}/.putty/sessions/localhost_proxy echo "ProxyTelnetCommand=sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy + echo "ProxyLocalhost=1" >> ${OBJ}/.putty/sessions/localhost_proxy REGRESS_INTEROP_PUTTY=yes fi -- cgit v1.2.3 From 85aa2efeba51a96bf6834f9accf2935d96150296 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 30 Nov 2016 03:01:33 +0000 Subject: upstream commit test new behaviour of cert force-command restriction vs. authorized_key/ principals Upstream-Regress-ID: 399efa7469d40c404c0b0a295064ce75d495387c --- regress/cert-userkey.sh | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'regress') diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index 319746395..7005fd55e 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh 
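Review bot: The new `if ! puttygen ... --new-passphrase /dev/null ...; then` branch reports every failure as "too old to support --new-passphrase", and the fallback puttygen call that follows has its exit status ignored. A failure with another cause (an unwritable ${OBJ}, a missing binary) is then mislabelled, and the script continues to `puttygen -O public-openssh` with no key file. Checking the fallback would stop the run at the real failure: `puttygen -t rsa -o ${OBJ}/putty.rsa2 < /dev/null > /dev/null || fatal "puttygen failed"`. The enclosing `if test "$REGRESS_INTEROP_PUTTY" = "yes"` block starts outside this hunk.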
@@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.16 2016/05/03 12:15:49 dtucker Exp $ +# $OpenBSD: cert-userkey.sh,v 1.17 2016/11/30 03:01:33 djm Exp $ # Placed in the Public Domain. tid="certified user keys" @@ -354,6 +354,20 @@ test_one "principals key option principals" success "-n mekmitasdigoat" \ test_one "principals key option no principals" failure "" \ authorized_keys ',principals="mekmitasdigoat"' +# command= options vs. force-command in key +test_one "force-command match true" success \ + "-n ${USER} -Oforce-command=true" \ + authorized_keys ',command="true"' +test_one "force-command match true" failure \ + "-n ${USER} -Oforce-command=false" \ + authorized_keys ',command="false"' +test_one "force-command mismatch 1" failure \ + "-n ${USER} -Oforce-command=false" \ + authorized_keys ',command="true"' +test_one "force-command mismatch 2" failure \ + "-n ${USER} -Oforce-command=true" \ + authorized_keys ',command="false"' + # Wrong certificate cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy for ktype in $PLAIN_TYPES ; do -- cgit v1.2.3 From 47b8c99ab3221188ad3926108dd9d36da3b528ec Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 8 Dec 2016 15:48:34 +1100 Subject: Check for utf8 local support before testing it. Check for utf8 local support and if not found, do not attempt to run the utf8 tests. Suggested by djm@ --- Makefile.in | 2 ++ configure.ac | 18 ++++++++++++++++++ regress/Makefile | 4 +++- 3 files changed, 23 insertions(+), 1 deletion(-) (limited to 'regress') diff --git a/Makefile.in b/Makefile.in index 3990f5525..e10f3742a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -580,6 +580,7 @@ tests interop-tests t-exec: regress-prep regress-binaries $(TARGETS) TEST_SSH_PUTTYGEN="puttygen"; \ TEST_SSH_CONCH="conch"; \ TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \ + TEST_SSH_UTF8="@TEST_SSH_UTF8@" ; \ TEST_SSH_ECC="@TEST_SSH_ECC@" ; \ cd $(srcdir)/regress || exit $$?; \ $(MAKE) \ 
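Review bot: Two of the four new test_one cases in the `@@ -354,6 +354,20 @@` hunk carry the same label, "force-command match true", and the second one actually uses `-Oforce-command=false` with `command="false"` and expects failure. A failure report for either case cannot be told apart by name. Rename the second to `test_one "force-command match false" failure \`. A short comment saying that this expected failure comes from the forced command's exit status rather than from a rejected login would also help, if that is the intent.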
@@ -604,6 +605,7 @@ tests interop-tests t-exec: regress-prep regress-binaries $(TARGETS) TEST_SSH_PUTTYGEN="$${TEST_SSH_PUTTYGEN}" \ TEST_SSH_CONCH="$${TEST_SSH_CONCH}" \ TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \ + TEST_SSH_UTF8="$${TEST_SSH_UTF8}" \ TEST_SSH_ECC="$${TEST_SSH_ECC}" \ TEST_SHELL="${TEST_SHELL}" \ EXEEXT="$(EXEEXT)" \ diff --git a/configure.ac b/configure.ac index 4d9382ca7..9c8d1173b 100644 --- a/configure.ac +++ b/configure.ac @@ -1776,6 +1776,23 @@ CFLAGS="$CFLAGS -D_XOPEN_SOURCE" AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth]) CFLAGS="$saved_CFLAGS" +TEST_SSH_UTF8=yes +AC_MSG_CHECKING([for utf8 locale support]) +AC_RUN_IFELSE( + [AC_LANG_PROGRAM([[ +#include + ]], [[ + char *loc = setlocale(LC_CTYPE, "en_US.UTF-8"); + if (loc != NULL) + exit(0); + exit(1); + ]])], + AC_MSG_RESULT(yes), + [AC_MSG_RESULT(no) + TEST_SSH_UTF8=no], + AC_MSG_WARN([cross compiling: assuming yes]) +) + AC_LINK_IFELSE( [AC_LANG_PROGRAM( [[ #include ]], @@ -5009,6 +5026,7 @@ else fi AC_CHECK_DECL([BROKEN_GETADDRINFO], [TEST_SSH_IPV6=no]) AC_SUBST([TEST_SSH_IPV6], [$TEST_SSH_IPV6]) +AC_SUBST([TEST_SSH_UTF8], [$TEST_SSH_UTF8]) AC_SUBST([TEST_MALLOC_OPTIONS], [$TEST_MALLOC_OPTIONS]) AC_SUBST([UNSUPPORTED_ALGORITHMS], [$unsupported_algorithms]) diff --git a/regress/Makefile b/regress/Makefile index 1f71761fa..bb8806818 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -225,5 +225,7 @@ unit: $$V ${.OBJDIR}/unittests/hostkeys/test_hostkeys \ -d ${.CURDIR}/unittests/hostkeys/testdata ; \ $$V ${.OBJDIR}/unittests/match/test_match ; \ - $$V ${.OBJDIR}/unittests/utf8/test_utf8 ; \ + if test "x${TEST_SSH_UTF8}" = "xyes" ; then \ + $$V ${.OBJDIR}/unittests/utf8/test_utf8 ; \ + fi \ fi -- cgit v1.2.3 From 9a70ec085faf6e55db311cd1a329f1a35ad2a500 Mon Sep 17 00:00:00 2001 
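Review bot: The new guard `if test "x${TEST_SSH_UTF8}" = "xyes"` in the `unit` target of regress/Makefile skips `test_utf8` whenever the variable is unset, not only when configure set it to `no`. A run of `make` inside `regress/` that does not receive `TEST_SSH_UTF8` from the top-level Makefile would lose the test without any message. Testing the negative, `if test "x${TEST_SSH_UTF8}" != "xno" ; then \`, or printing a "skipped" line in an else branch, keeps the coverage loss visible. The `unit` target starts outside the hunk.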
From: "dtucker@openbsd.org" Date: Thu, 15 Dec 2016 23:50:37 +0000 Subject: upstream commit Use $SUDO to read pidfile in case root's umask is restricted. From portable. Upstream-Regress-ID: f6b1c7ffbc5a0dfb7d430adb2883344899174a98 --- regress/reexec.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'regress') diff --git a/regress/reexec.sh b/regress/reexec.sh index 5c0a7b46f..6ac648fd3 100644 --- a/regress/reexec.sh +++ b/regress/reexec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: reexec.sh,v 1.8 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: reexec.sh,v 1.9 2016/12/15 23:50:37 dtucker Exp $ # Placed in the Public Domain. tid="reexec tests" -- cgit v1.2.3 From e15e7152331e3976b35475fd4e9c72897ad0f074 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 16 Dec 2016 01:01:07 +0000 Subject: upstream commit regression test for certificates along with private key with no public half. bz#2617, mostly from Adam Eijdenberg Upstream-Regress-ID: 2e74dc2c726f4dc839609b3ce045466b69f01115 --- regress/cert-file.sh | 53 +++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 42 insertions(+), 11 deletions(-) (limited to 'regress') diff --git a/regress/cert-file.sh b/regress/cert-file.sh index bad923ad0..36f7d33f5 100644 --- a/regress/cert-file.sh +++ b/regress/cert-file.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-file.sh,v 1.2 2015/09/24 07:15:39 djm Exp $ +# $OpenBSD: cert-file.sh,v 1.3 2016/12/16 01:01:07 djm Exp $ # Placed in the Public Domain. tid="ssh with certificates" 
@@ -17,24 +17,59 @@ ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \ fatal "ssh-keygen failed" ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \ fatal "ssh-keygen failed" +${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key3 || \ + fatal "ssh-keygen failed" +${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key4 || \ + fatal "ssh-keygen failed" +${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key5 || \ + fatal "ssh-keygen failed" + # Move the certificate to a different address to better control # when it is offered. ${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ -z $$ -n ${USER} $OBJ/user_key1 || - fail "couldn't sign user_key1 with user_ca_key1" + fatal "couldn't sign user_key1 with user_ca_key1" mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_1.pub ${SSHKEYGEN} -q -s $OBJ/user_ca_key2 -I "regress user key for $USER" \ -z $$ -n ${USER} $OBJ/user_key1 || - fail "couldn't sign user_key1 with user_ca_key2" + fatal "couldn't sign user_key1 with user_ca_key2" mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub +${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ + -z $$ -n ${USER} $OBJ/user_key3 || + fatal "couldn't sign user_key3 with user_ca_key1" +rm $OBJ/user_key3.pub # to test use of private key w/o public half. +${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ + -z $$ -n ${USER} $OBJ/user_key4 || + fatal "couldn't sign user_key4 with user_ca_key1" +rm $OBJ/user_key4 $OBJ/user_key4.pub # to test no matching pub/private key case. trace 'try with identity files' opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes" opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2" echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER +# Make a clean config that doesn't have any pre-added identities. +cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config + +# XXX: verify that certificate used was what we expect. Needs exposure of +# keys via enviornment variable or similar. 
+ for p in ${SSH_PROTOCOLS}; do + # Key with no .pub should work - finding the equivalent *-cert.pub. + verbose "protocol $p: identity cert with no plain public file" + ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ + -i $OBJ/user_key3 somehost exit 5$p + [ $? -ne 5$p ] && fail "ssh failed" + + # CertificateFile matching private key with no .pub file should work. + verbose "protocol $p: CertificateFile with no plain public file" + ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ + -oCertificateFile=$OBJ/user_key3-cert.pub \ + -i $OBJ/user_key3 somehost exit 5$p + [ $? -ne 5$p ] && fail "ssh failed" + # Just keys should fail + verbose "protocol $p: plain keys" ${SSH} $opts2 somehost exit 5$p r=$? if [ $r -eq 5$p ]; then @@ -42,6 +77,7 @@ for p in ${SSH_PROTOCOLS}; do fi # Keys with untrusted cert should fail. + verbose "protocol $p: untrusted cert" opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" ${SSH} $opts3 somehost exit 5$p r=$? @@ -50,6 +86,7 @@ for p in ${SSH_PROTOCOLS}; do fi # Good cert with bad key should fail. + verbose "protocol $p: good cert, bad key" opts3="$opts -i $OBJ/user_key2" opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" ${SSH} $opts3 somehost exit 5$p @@ -59,6 +96,7 @@ for p in ${SSH_PROTOCOLS}; do fi # Keys with one trusted cert, should succeed. + verbose "protocol $p: single trusted" opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" ${SSH} $opts3 somehost exit 5$p r=$? @@ -67,6 +105,7 @@ for p in ${SSH_PROTOCOLS}; do fi # Multiple certs and keys, with one trusted cert, should succeed. + verbose "protocol $p: multiple trusted" opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" ${SSH} $opts3 somehost exit 5$p 
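Review bot: `user_key4` and `user_key5` are generated in the setup added here, and `user_key4`'s key files are removed "to test no matching pub/private key case", but no test in the visible hunks of this file uses either of them. The negative case, a certificate with no usable private key failing to authenticate, is the one that matters for access control, so it should be exercised or the unused setup dropped. The two new `user_key3` checks also share the message `fail "ssh failed"`; a distinct message per check, such as `fail "ssh failed with no plain public file in protocol $p"`, would match the other cases in the loop.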
@@ -74,14 +113,6 @@ for p in ${SSH_PROTOCOLS}; do if [ $r -ne 5$p ]; then fail "ssh failed with multiple certs in protocol $p" fi - - #Keys with trusted certificate specified in config options, should succeed. - opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" - ${SSH} $opts3 somehost exit 5$p - r=$? - if [ $r -ne 5$p ]; then - fail "ssh failed with trusted cert in config in protocol $p" - fi done #next, using an agent in combination with the keys -- cgit v1.2.3 From 2f2ffa4fbe4b671bbffa0611f15ba44cff64d58e Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Fri, 16 Dec 2016 01:06:27 +0000 Subject: upstream commit Move the "stop sshd" code into its own helper function. Patch from Zev Weiss , ok djm@ Upstream-Regress-ID: a113dea77df5bd97fb4633ea31f3d72dbe356329 --- regress/login-timeout.sh | 4 ++-- regress/reexec.sh | 11 ++++------- regress/test-exec.sh | 25 +++++++++++++++---------- 3 files changed, 21 insertions(+), 19 deletions(-) (limited to 'regress') diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh index eb76f554b..12207fd99 100644 --- a/regress/login-timeout.sh +++ b/regress/login-timeout.sh @@ -1,4 +1,4 @@ -# $OpenBSD: login-timeout.sh,v 1.7 2014/03/13 20:44:49 djm Exp $ +# $OpenBSD: login-timeout.sh,v 1.8 2016/12/16 01:06:27 dtucker Exp $ # Placed in the Public Domain. tid="connect after login grace timeout" @@ -17,7 +17,7 @@ if [ $? -ne 0 ]; then fail "ssh connect after login grace timeout failed with privsep" fi -$SUDO kill `$SUDO cat $PIDFILE` +stop_sshd trace "test login grace without privsep" echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config diff --git a/regress/reexec.sh b/regress/reexec.sh index 6ac648fd3..72957d4cd 100644 --- a/regress/reexec.sh +++ b/regress/reexec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: reexec.sh,v 1.9 2016/12/15 23:50:37 dtucker Exp $ +# $OpenBSD: reexec.sh,v 1.10 2016/12/16 01:06:27 dtucker Exp $ # Placed in the Public Domain. tid="reexec tests" 
@@ -39,8 +39,7 @@ echo "InvalidXXX=no" >> $OBJ/sshd_config copy_tests -$SUDO kill `$SUDO cat $PIDFILE` -rm -f $PIDFILE +stop_sshd cp $OBJ/sshd_config.orig $OBJ/sshd_config @@ -54,8 +53,7 @@ rm -f $SSHD_COPY copy_tests -$SUDO kill `$SUDO cat $PIDFILE` -rm -f $PIDFILE +stop_sshd verbose "test reexec fallback without privsep" @@ -67,7 +65,6 @@ rm -f $SSHD_COPY copy_tests -$SUDO kill `$SUDO cat $PIDFILE` -rm -f $PIDFILE +stop_sshd fi diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 5d48706d4..bfa48803b 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.57 2016/11/25 03:02:01 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.58 2016/12/16 01:06:27 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -293,16 +293,8 @@ md5 () { } # End of portable specific functions -# helper -cleanup () +stop_sshd () { - if [ "x$SSH_PID" != "x" ]; then - if [ $SSH_PID -lt 2 ]; then - echo bad pid for ssh: $SSH_PID - else - kill $SSH_PID - fi - fi if [ -f $PIDFILE ]; then pid=`$SUDO cat $PIDFILE` if [ "X$pid" = "X" ]; then @@ -325,6 +317,19 @@ cleanup () fi } +# helper +cleanup () +{ + if [ "x$SSH_PID" != "x" ]; then + if [ $SSH_PID -lt 2 ]; then + echo bad pid for ssh: $SSH_PID + else + kill $SSH_PID + fi + fi + stop_sshd +} + start_debug_log () { echo "trace: $@" >$TEST_REGRESS_LOGFILE -- cgit v1.2.3 From 410681f9015d76cc7b137dd90dac897f673244a0 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 16 Dec 2016 02:48:55 +0000 Subject: upstream commit revert to rev1.2; the new bits in this test depend on changes to ssh that aren't yet committed Upstream-Regress-ID: 828ffc2c7afcf65d50ff2cf3dfc47a073ad39123 --- regress/cert-file.sh | 53 +++++++++++----------------------------------------- 1 file changed, 11 insertions(+), 42 deletions(-) (limited to 'regress') diff --git a/regress/cert-file.sh b/regress/cert-file.sh index 36f7d33f5..b184e7fea 100644 --- a/regress/cert-file.sh +++ b/regress/cert-file.sh 
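Review bot: The three call sites in reexec.sh replace the kill command plus `rm -f $PIDFILE` with a bare `stop_sshd`, so they now depend on the helper to remove the pidfile and to wait for sshd to exit; the part of `stop_sshd` that would do this lies between the two test-exec.sh hunks and is not shown. If it does neither, a later sshd start in the same script could find a stale pidfile. The new function also has no header comment, since the `# helper` line moved down to `cleanup`; a line such as `# Stop the sshd whose pid is recorded in $PIDFILE` above `stop_sshd ()` would state the contract.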
@@ -1,4 +1,4 @@ -# $OpenBSD: cert-file.sh,v 1.3 2016/12/16 01:01:07 djm Exp $ +# $OpenBSD: cert-file.sh,v 1.4 2016/12/16 02:48:55 djm Exp $ # Placed in the Public Domain. tid="ssh with certificates" 
@@ -17,59 +17,24 @@ ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key1 || \ fatal "ssh-keygen failed" ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key2 || \ fatal "ssh-keygen failed" -${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key3 || \ - fatal "ssh-keygen failed" -${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key4 || \ - fatal "ssh-keygen failed" -${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_key5 || \ - fatal "ssh-keygen failed" - # Move the certificate to a different address to better control # when it is offered. ${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ -z $$ -n ${USER} $OBJ/user_key1 || - fatal "couldn't sign user_key1 with user_ca_key1" + fail "couldn't sign user_key1 with user_ca_key1" mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_1.pub ${SSHKEYGEN} -q -s $OBJ/user_ca_key2 -I "regress user key for $USER" \ -z $$ -n ${USER} $OBJ/user_key1 || - fatal "couldn't sign user_key1 with user_ca_key2" + fail "couldn't sign user_key1 with user_ca_key2" mv $OBJ/user_key1-cert.pub $OBJ/cert_user_key1_2.pub -${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ - -z $$ -n ${USER} $OBJ/user_key3 || - fatal "couldn't sign user_key3 with user_ca_key1" -rm $OBJ/user_key3.pub # to test use of private key w/o public half. -${SSHKEYGEN} -q -s $OBJ/user_ca_key1 -I "regress user key for $USER" \ - -z $$ -n ${USER} $OBJ/user_key4 || - fatal "couldn't sign user_key4 with user_ca_key1" -rm $OBJ/user_key4 $OBJ/user_key4.pub # to test no matching pub/private key case. trace 'try with identity files' opts="-F $OBJ/ssh_proxy -oIdentitiesOnly=yes" opts2="$opts -i $OBJ/user_key1 -i $OBJ/user_key2" echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER -# Make a clean config that doesn't have any pre-added identities. -cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config - -# XXX: verify that certificate used was what we expect. Needs exposure of -# keys via enviornment variable or similar. 
- for p in ${SSH_PROTOCOLS}; do - # Key with no .pub should work - finding the equivalent *-cert.pub. - verbose "protocol $p: identity cert with no plain public file" - ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ - -i $OBJ/user_key3 somehost exit 5$p - [ $? -ne 5$p ] && fail "ssh failed" - - # CertificateFile matching private key with no .pub file should work. - verbose "protocol $p: CertificateFile with no plain public file" - ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \ - -oCertificateFile=$OBJ/user_key3-cert.pub \ - -i $OBJ/user_key3 somehost exit 5$p - [ $? -ne 5$p ] && fail "ssh failed" - # Just keys should fail - verbose "protocol $p: plain keys" ${SSH} $opts2 somehost exit 5$p r=$? if [ $r -eq 5$p ]; then @@ -77,7 +42,6 @@ for p in ${SSH_PROTOCOLS}; do fi # Keys with untrusted cert should fail. - verbose "protocol $p: untrusted cert" opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" ${SSH} $opts3 somehost exit 5$p r=$? @@ -86,7 +50,6 @@ for p in ${SSH_PROTOCOLS}; do fi # Good cert with bad key should fail. - verbose "protocol $p: good cert, bad key" opts3="$opts -i $OBJ/user_key2" opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" ${SSH} $opts3 somehost exit 5$p @@ -96,7 +59,6 @@ for p in ${SSH_PROTOCOLS}; do fi # Keys with one trusted cert, should succeed. - verbose "protocol $p: single trusted" opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" ${SSH} $opts3 somehost exit 5$p r=$? @@ -105,7 +67,6 @@ for p in ${SSH_PROTOCOLS}; do fi # Multiple certs and keys, with one trusted cert, should succeed. - verbose "protocol $p: multiple trusted" opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub" opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub" ${SSH} $opts3 somehost exit 5$p 
@@ -113,6 +74,14 @@ for p in ${SSH_PROTOCOLS}; do if [ $r -ne 5$p ]; then fail "ssh failed with multiple certs in protocol $p" fi + + #Keys with trusted certificate specified in config options, should succeed. + opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub" + ${SSH} $opts3 somehost exit 5$p + r=$? + if [ $r -ne 5$p ]; then + fail "ssh failed with trusted cert in config in protocol $p" + fi done #next, using an agent in combination with the keys -- cgit v1.2.3 From 0d2f88428487518eea60602bd593989013831dcf Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Fri, 16 Dec 2016 03:51:19 +0000 Subject: upstream commit Add regression test for AllowUsers and DenyUsers. Patch from Zev Weiss Upstream-Regress-ID: 8f1aac24d52728398871dac14ad26ea38b533fb9 --- regress/Makefile | 5 +++-- regress/allow-deny-users.sh | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+), 2 deletions(-) create mode 100644 regress/allow-deny-users.sh (limited to 'regress') diff --git a/regress/Makefile b/regress/Makefile index bb8806818..c2dba4fdf 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.93 2016/11/01 13:43:27 tb Exp $ +# $OpenBSD: Makefile,v 1.94 2016/12/16 03:51:19 dtucker Exp $ REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec tests: prep $(REGRESS_TARGETS) @@ -78,7 +78,8 @@ LTESTS= connect \ hostkey-rotate \ principals-command \ cert-file \ - cfginclude + cfginclude \ + allow-deny-users # dhgex \ diff --git a/regress/allow-deny-users.sh b/regress/allow-deny-users.sh new file mode 100644 index 000000000..217b15940 --- /dev/null +++ b/regress/allow-deny-users.sh 
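Review bot: The block re-added at the end of the loop, commented "Keys with trusted certificate specified in config options", builds `opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"`, which is the same command line as the earlier "Keys with one trusted cert" case. It therefore repeats that case and does not cover `CertificateFile` read from a configuration file. Either drop it or write the option into the config file passed with `-F`, so the configuration path is actually tested. The `for p in ${SSH_PROTOCOLS}` loop starts outside this hunk.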
@@ -0,0 +1,37 @@ +# Public Domain +# Zev Weiss, 2016 + +tid="AllowUsers/DenyUsers" + +me=`whoami` +other="nobody" + +test_auth() +{ + deny="$1" + allow="$2" + should_succeed="$3" + failmsg="$4" + + start_sshd -oDenyUsers="$deny" -oAllowUsers="$allow" + + ${SSH} -F $OBJ/ssh_config "$me@somehost" true + status=$? + + if (test $status -eq 0 && ! $should_succeed) \ + || (test $status -ne 0 && $should_succeed); then + fail "$failmsg" + fi + + stop_sshd +} + +# DenyUsers AllowUsers should_succeed failure_message +test_auth "" "" true "user in neither DenyUsers nor AllowUsers denied" +test_auth "$other $me" "" false "user in DenyUsers allowed" +test_auth "$me $other" "" false "user in DenyUsers allowed" +test_auth "" "$other" false "user not in AllowUsers allowed" +test_auth "" "$other $me" true "user in AllowUsers denied" +test_auth "" "$me $other" true "user in AllowUsers denied" +test_auth "$me $other" "$me $other" false "user in both DenyUsers and AllowUsers allowed" +test_auth "$other $me" "$other $me" false "user in both DenyUsers and AllowUsers allowed" -- cgit v1.2.3 From eae735a82d759054f6ec7b4e887fb7a5692c66d7 Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Mon, 19 Dec 2016 03:32:57 +0000 Subject: upstream commit Use LOGNAME to get current user and fall back to whoami if not set. Mainly to benefit -portable since some platforms don't have whoami. Upstream-Regress-ID: e3a16b7836a3ae24dc8f8a4e43fdf8127a60bdfa --- regress/allow-deny-users.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'regress') diff --git a/regress/allow-deny-users.sh b/regress/allow-deny-users.sh index 217b15940..32a269afa 100644 --- a/regress/allow-deny-users.sh +++ b/regress/allow-deny-users.sh @@ -3,7 +3,10 @@ tid="AllowUsers/DenyUsers" -me=`whoami` +me="$LOGNAME" +if [ "x$me" == "x" ]; then + me=`whoami` +fi other="nobody" test_auth() -- cgit v1.2.3 From 3a8213ea0ed843523e34e55ab9c852332bab4c7b Mon Sep 17 00:00:00 2001 
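Review bot: `test_auth` treats any non-zero exit of `${SSH} -F $OBJ/ssh_config "$me@somehost" true` as "denied", so every row with `false` also passes when sshd failed to start or the connection broke for an unrelated reason. For an access-control test the deny rows should confirm that the refusal came from the AllowUsers/DenyUsers check, for example by verifying that `start_sshd` succeeded before connecting or by looking for the refusal in the sshd log. The table also uses only literal user names; the pattern and `USER@HOST` forms these options accept are not covered.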
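Review bot: `if [ "x$me" == "x" ]; then` in the LOGNAME hunk uses `==`, which POSIX `test` does not define. Shells such as dash reject it with an error, so the `whoami` fallback this commit adds for portability would not run there and `me` could stay empty. `if [ "x$me" = "x" ]; then` is the portable spelling.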
From: "djm@openbsd.org" Date: Mon, 19 Dec 2016 04:55:18 +0000 Subject: upstream commit remove testcase that depends on exact output and behaviour of snprintf(..., "%s", NULL) Upstream-Regress-ID: cab4288531766bd9593cb556613b91a2eeefb56f --- regress/unittests/utf8/tests.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'regress') diff --git a/regress/unittests/utf8/tests.c b/regress/unittests/utf8/tests.c index 6d06fa182..31f9fe9c3 100644 --- a/regress/unittests/utf8/tests.c +++ b/regress/unittests/utf8/tests.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tests.c,v 1.2 2016/05/30 12:05:56 schwarze Exp $ */ +/* $OpenBSD: tests.c,v 1.3 2016/12/19 04:55:18 djm Exp $ */ /* * Regress test for the utf8.h *mprintf() API * @@ -65,7 +65,6 @@ tests(void) TEST_DONE(); badarg(); - one("null", NULL, 8, 6, 6, "(null)"); one("empty", "", 2, 0, 0, ""); one("ascii", "x", -2, -2, -2, "x"); one("newline", "a\nb", -2, -2, -2, "a\nb"); -- cgit v1.2.3