From f22019bdbfb986daf24428a9d37f9fe9bb3ff7ad Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 5 May 2011 13:48:37 +1000 Subject: - (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac] [entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c] [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c] [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh] [regress/README.regress] Remove ssh-rand-helper and all its tentacles. PRNGd seeding has been rolled into entropy.c directly. Thanks to tim@ for testing on affected platforms. --- regress/README.regress | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'regress') diff --git a/regress/README.regress b/regress/README.regress index da9bb6a99..82e4cc751 100644 --- a/regress/README.regress +++ b/regress/README.regress @@ -93,10 +93,6 @@ Failed tests can be difficult to diagnose. Suggestions: Known Issues. -- If your build requires ssh-rand-helper regress tests will fail - unless ssh-rand-helper is in pre-installed (the path to - ssh-rand-helper is hard coded). - - Similarly, if you do not have "scp" in your system's $PATH then the multiplex scp tests will fail (since the system's shell startup scripts will determine where the shell started by sshd will look for scp). @@ -105,4 +101,4 @@ Known Issues. test to fail. The old behaviour can be restored by setting (and exporting) _POSIX2_VERSION=199209 before running the tests. -$Id: README.regress,v 1.11 2010/08/16 21:04:29 djm Exp $ +$Id: README.regress,v 1.12 2011/05/05 03:48:42 djm Exp $ -- cgit v1.2.3 From f67188fe13d3ac96493c9cd67e87f64fd07f20e5 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Fri, 20 May 2011 19:06:48 +1000 Subject: - djm@cvs.openbsd.org 2011/05/17 07:13:31 [regress/cert-userkey.sh] fatal() if asked to generate a legacy ECDSA cert (these don't exist) and fix the regress test that was trying to generate them :) --- ChangeLog | 4 ++++ regress/cert-userkey.sh | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 2cb2dce0c..80947351e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,10 @@ code locations in perfect sync and ordering "this is at once beautiful and horrible" + ok dtucker@ + - djm@cvs.openbsd.org 2011/05/17 07:13:31 + [regress/cert-userkey.sh] + fatal() if asked to generate a legacy ECDSA cert (these don't exist) + and fix the regress test that was trying to generate them :) 20110515 - (djm) OpenBSD CVS Sync diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh index fcca3708b..6700db274 100644 --- a/regress/cert-userkey.sh +++ b/regress/cert-userkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.7 2010/08/31 12:24:09 djm Exp $ +# $OpenBSD: cert-userkey.sh,v 1.8 2011/05/17 07:13:31 djm Exp $ # Placed in the Public Domain. tid="certified user keys" @@ -27,7 +27,7 @@ for ktype in rsa dsa $ecdsa ; do -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" # v00 ecdsa certs do not exist - test "{ktype}" = "ecdsa" && continue + test "${ktype}" = "ecdsa" && continue cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ -- cgit v1.2.3 From 3045b45a030f04af7daf9037939a8aca5a54a574 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Fri, 20 May 2011 19:07:45 +1000 Subject: - djm@cvs.openbsd.org 2011/05/20 02:43:36 [cert-hostkey.sh] another attempt to generate a v00 ECDSA key that broke the test ID sync only - portable already had this somehow --- ChangeLog | 4 ++++ regress/cert-hostkey.sh | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 80947351e..e6723e687 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,10 @@ [regress/cert-userkey.sh] fatal() if asked to generate a legacy ECDSA cert (these don't exist) and fix the regress test that was trying to generate them :) + - djm@cvs.openbsd.org 2011/05/20 02:43:36 + [cert-hostkey.sh] + another attempt to generate a v00 ECDSA key that broke the test + ID sync only - portable already had this somehow 20110515 - (djm) OpenBSD CVS Sync diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh index 3b147b9f7..6216abd87 100644 --- a/regress/cert-hostkey.sh +++ b/regress/cert-hostkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-hostkey.sh,v 1.5 2010/08/31 12:24:09 djm Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.6 2011/05/20 02:43:36 djm Exp $ # Placed in the Public Domain. tid="certified host keys" -- cgit v1.2.3 From 7b9451f382156bdc20945a63c1507a466959fab1 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 20 May 2011 19:08:11 +1000 Subject: - dtucker@cvs.openbsd.org 2011/05/20 05:19:50 [dynamic-forward.sh] Prevent races in dynamic forwarding test; ok djm --- ChangeLog | 3 +++ regress/dynamic-forward.sh | 23 ++++++++++++++++++++--- 2 files changed, 23 insertions(+), 3 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index e6723e687..d5d5df3fa 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -38,6 +38,9 @@ [cert-hostkey.sh] another attempt to generate a v00 ECDSA key that broke the test ID sync only - portable already had this somehow + - dtucker@cvs.openbsd.org 2011/05/20 05:19:50 + [dynamic-forward.sh] + Prevent races in dynamic forwarding test; ok djm 20110515 - (djm) OpenBSD CVS Sync diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh index 4674a7baf..12ddef3a5 100644 --- a/regress/dynamic-forward.sh +++ b/regress/dynamic-forward.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dynamic-forward.sh,v 1.4 2004/06/22 22:55:56 dtucker Exp $ +# $OpenBSD: dynamic-forward.sh,v 1.5 2011/05/20 05:19:50 dtucker Exp $ # Placed in the Public Domain. tid="dynamic forwarding" @@ -21,8 +21,21 @@ start_sshd for p in 1 2; do trace "start dynamic forwarding, fork to background" - ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q somehost \ - exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' + rm -f $OBJ/remote_pid + ${SSH} -$p -F $OBJ/ssh_config -D $FWDPORT -q somehost \ + exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' & + client_pid=$! + + # Wait for ssh to start + n=0 + while test ! -f $OBJ/remote_pid; do + sleep 1 + n=`expr $n + 1` + if test $n > 60; then + kill $client_pid + fail "Timed out waiting for client to connect" + fi + done for s in 4 5; do for h in 127.0.0.1 localhost; do @@ -41,10 +54,14 @@ for p in 1 2; do if [ $remote -gt 1 ]; then kill -HUP $remote fi + rm -f $OBJ/remote_pid else fail "no pid file: $OBJ/remote_pid" fi + # Wait for listening ssh to terminate + wait + # Must allow time for connection tear-down sleep 2 done -- cgit v1.2.3 From acacced70b3fd520ee3f12d3f477f9fd7c2f687a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 20 May 2011 19:08:40 +1000 Subject: - dtucker@cvs.openbsd.org 2011/05/20 06:32:30 [dynamic-forward.sh] fix dumb error in dynamic-forward test --- ChangeLog | 3 +++ regress/dynamic-forward.sh | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'regress') 
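Review bot: In the wait loop added to regress/dynamic-forward.sh (hunk `@@ -21,8 +21,21 @@`), `if test $n > 60; then` is a redirection rather than a comparison: the shell runs `test $n` with its output sent to a file named `60`, which succeeds for any non-empty `$n`, so the client is killed on the first pass after one second. The numeric form is `if test $n -gt 60; then`, which the following commit on this page applies. The timeout branch also calls `fail`, while the equivalent loop added to regress/cfgmatch.sh later on this page calls `fatal`. The body of `fail` is not visible here, but if it returns rather than exits, the `while test ! -f $OBJ/remote_pid` loop never ends once the client has been killed, so `fatal` looks like the safer call in this hunk and in the `@@ -31,7 +31,7 @@` hunk of the follow-up commit. The enclosing `for p in 1 2` loop closes outside this hunk.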
diff --git a/ChangeLog b/ChangeLog index d5d5df3fa..1aac69cbc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -41,6 +41,9 @@ - dtucker@cvs.openbsd.org 2011/05/20 05:19:50 [dynamic-forward.sh] Prevent races in dynamic forwarding test; ok djm + - dtucker@cvs.openbsd.org 2011/05/20 06:32:30 + [dynamic-forward.sh] + fix dumb error in dynamic-forward test 20110515 - (djm) OpenBSD CVS Sync diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh index 12ddef3a5..d6df4491a 100644 --- a/regress/dynamic-forward.sh +++ b/regress/dynamic-forward.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dynamic-forward.sh,v 1.5 2011/05/20 05:19:50 dtucker Exp $ +# $OpenBSD: dynamic-forward.sh,v 1.6 2011/05/20 06:32:30 dtucker Exp $ # Placed in the Public Domain. tid="dynamic forwarding" @@ -31,7 +31,7 @@ for p in 1 2; do while test ! -f $OBJ/remote_pid; do sleep 1 n=`expr $n + 1` - if test $n > 60; then + if test $n -gt 60; then kill $client_pid fail "Timed out waiting for client to connect" fi -- cgit v1.2.3 From 8cb3587336d3fe8e67db1d75da5f4c11456d3f1a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 29 May 2011 21:59:10 +1000 Subject: - djm@cvs.openbsd.org 2011/05/23 03:31:31 [regress/cfgmatch.sh] include testing of multiple/overridden AuthorizedKeysFiles refactor to simply daemon start/stop and get rid of racy constructs --- ChangeLog | 4 ++++ regress/cfgmatch.sh | 66 +++++++++++++++++++++++++++-------------------------- 2 files changed, 38 insertions(+), 32 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index c7db4a5df..82aedc3a9 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -30,6 +30,10 @@ GlobalKnownHostsFile2 by making UserKnownHostsFile/GlobalKnownHostsFile accept multiple paths per line and making their defaults include known_hosts2; ok markus + - djm@cvs.openbsd.org 2011/05/23 03:31:31 + [regress/cfgmatch.sh] + include testing of multiple/overridden AuthorizedKeysFiles + refactor to simply daemon start/stop and get rid of racy constructs 20110520 - (djm) [session.c] call setexeccon() before executing passwd for pw diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh index 96badd51b..29234e566 100644 --- a/regress/cfgmatch.sh +++ b/regress/cfgmatch.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cfgmatch.sh,v 1.4 2006/12/13 08:36:36 dtucker Exp $ +# $OpenBSD: cfgmatch.sh,v 1.5 2011/05/23 03:31:31 djm Exp $ # Placed in the Public Domain. tid="sshd_config match" @@ -7,6 +7,28 @@ pidfile=$OBJ/remote_pid fwdport=3301 fwd="-L $fwdport:127.0.0.1:$PORT" +echo "ExitOnForwardFailure=yes" >> ssh_config +echo "ExitOnForwardFailure=yes" >> ssh_proxy + +start_client() +{ + rm -f $pidfile + ${SSH} -q -$p $fwd "$@" somehost \ + exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \ + >>$TEST_SSH_LOGFILE 2>&1 & + client_pid=$! + # Wait for remote end + n=0 + while test ! -f $pidfile ; do + sleep 1 + n=`expr $n + 1` + if test $n -gt 60; then + kill $client_pid + fatal "timeout waiting for background ssh" + fi + done +} + stop_client() { pid=`cat $pidfile` @@ -14,11 +36,15 @@ stop_client() kill $pid sleep 1 fi + wait } cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak - +grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy +echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config +echo "Match user $USER" >>$OBJ/sshd_proxy +echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy echo "Match Address 127.0.0.1" >>$OBJ/sshd_config echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config 
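Review bot: The two lines `echo "ExitOnForwardFailure=yes" >> ssh_config` and `>> ssh_proxy` at the top of the `@@ -7,6 +7,28 @@` hunk in regress/cfgmatch.sh append to files in the current directory, while the clients are started with `-F $OBJ/ssh_config` or `-F $OBJ/ssh_proxy`. When the current directory is not `$OBJ`, the option never reaches the configs under test; the targets should be `>> $OBJ/ssh_config` and `>> $OBJ/ssh_proxy` (a later commit on this page makes that change). `start_client` also takes the protocol version from the caller's loop variable `$p` instead of from its arguments, which deserves a header comment such as `# Uses $p (protocol) set by the caller; "$@" is passed to ssh ahead of the hostname`.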
@@ -32,12 +58,8 @@ start_sshd # Test Match + PermitOpen in sshd_config. This should be permitted for p in 1 2; do - rm -f $pidfile trace "match permitopen localhost proto $p" - ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \ - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\ - fail "match permitopen proto $p sshd failed" - sleep 1; + start_client -F $OBJ/ssh_config ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ fail "match permitopen permit proto $p" stop_client @@ -45,12 +67,8 @@ done # Same but from different source. This should not be permitted for p in 1 2; do - rm -f $pidfile trace "match permitopen proxy proto $p" - ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \ - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\ - fail "match permitopen proxy proto $p sshd failed" - sleep 1; + start_client -F $OBJ/ssh_proxy ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ fail "match permitopen deny proto $p" stop_client @@ -62,12 +80,8 @@ cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER echon 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER for p in 1 2; do - rm -f $pidfile trace "match permitopen proxy w/key opts proto $p" - ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \ - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\ - fail "match permitopen w/key opt proto $p sshd failed" - sleep 1; + start_client -F $OBJ/ssh_proxy ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ fail "match permitopen deny w/key opt proto $p" stop_client 
@@ -76,12 +90,8 @@ done # Test both sshd_config and key options permitting the same dst/port pair. # Should be permitted. for p in 1 2; do - rm -f $pidfile trace "match permitopen localhost proto $p" - ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \ - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\ - fail "match permitopen proto $p sshd failed" - sleep 1; + start_client -F $OBJ/ssh_config ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ fail "match permitopen permit proto $p" stop_client @@ -94,12 +104,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy # Test that a Match overrides a PermitOpen in the global section for p in 1 2; do - rm -f $pidfile trace "match permitopen proxy w/key opts proto $p" - ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \ - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\ - fail "match override permitopen proto $p sshd failed" - sleep 1; + start_client -F $OBJ/ssh_proxy ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ fail "match override permitopen proto $p" stop_client @@ -113,12 +119,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy # Test that a rule that doesn't match doesn't override, plus test a # PermitOpen entry that's not at the start of the list for p in 1 2; do - rm -f $pidfile trace "nomatch permitopen proxy w/key opts proto $p" - ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \ - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\ - fail "nomatch override permitopen proto $p sshd failed" - sleep 1; + start_client -F $OBJ/ssh_proxy ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ fail "nomatch override permitopen proto $p" stop_client -- cgit v1.2.3 From 260c8fbc4d8c5865fc312ed56a48b36817507b30 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Fri, 3 Jun 2011 14:17:27 +1000 Subject: - dtucker@cvs.openbsd.org 2011/05/31 02:01:58 [regress/dynamic-forward.sh] back out revs 1.6 and 1.5 since it's not reliable --- ChangeLog | 3 +++ regress/dynamic-forward.sh | 26 +++----------------------- 2 files changed, 6 insertions(+), 23 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 2831c374f..3b5aa258f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,9 @@ has exited, rather than attempting to send a zero signal, since the latter won't work if the parent has changed privs. bz#1905, patch from Daniel Kahn Gillmor, ok djm@ + - dtucker@cvs.openbsd.org 2011/05/31 02:01:58 + [regress/dynamic-forward.sh] + back out revs 1.6 and 1.5 since it's not reliable 20110529 - (djm) OpenBSD CVS Sync diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh index d6df4491a..0a862b504 100644 --- a/regress/dynamic-forward.sh +++ b/regress/dynamic-forward.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dynamic-forward.sh,v 1.6 2011/05/20 06:32:30 dtucker Exp $ +# $OpenBSD: dynamic-forward.sh,v 1.7 2011/05/31 02:01:58 dtucker Exp $ # Placed in the Public Domain. tid="dynamic forwarding" @@ -21,21 +21,8 @@ start_sshd for p in 1 2; do trace "start dynamic forwarding, fork to background" - rm -f $OBJ/remote_pid - ${SSH} -$p -F $OBJ/ssh_config -D $FWDPORT -q somehost \ - exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' & - client_pid=$! - - # Wait for ssh to start - n=0 - while test ! -f $OBJ/remote_pid; do - sleep 1 - n=`expr $n + 1` - if test $n -gt 60; then - kill $client_pid - fail "Timed out waiting for client to connect" - fi - done + ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q somehost \ + exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' for s in 4 5; do for h in 127.0.0.1 localhost; do 
@@ -54,14 +41,7 @@ for p in 1 2; do if [ $remote -gt 1 ]; then kill -HUP $remote fi - rm -f $OBJ/remote_pid else fail "no pid file: $OBJ/remote_pid" fi - - # Wait for listening ssh to terminate - wait - - # Must allow time for connection tear-down - sleep 2 done -- cgit v1.2.3 From 75e035c34e323cccb19aab5d58cb9c706ce8fcee Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 3 Jun 2011 14:18:17 +1000 Subject: - dtucker@cvs.openbsd.org 2011/05/31 02:03:34 [regress/dynamic-forward.sh] work around startup and teardown races; caught by deraadt --- ChangeLog | 3 +++ regress/dynamic-forward.sh | 6 ++++-- 2 files changed, 7 insertions(+), 2 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 3b5aa258f..af92ed3f9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,9 @@ - dtucker@cvs.openbsd.org 2011/05/31 02:01:58 [regress/dynamic-forward.sh] back out revs 1.6 and 1.5 since it's not reliable + - dtucker@cvs.openbsd.org 2011/05/31 02:03:34 + [regress/dynamic-forward.sh] + work around startup and teardown races; caught by deraadt 20110529 - (djm) OpenBSD CVS Sync diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh index 0a862b504..39b58c817 100644 --- a/regress/dynamic-forward.sh +++ b/regress/dynamic-forward.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dynamic-forward.sh,v 1.7 2011/05/31 02:01:58 dtucker Exp $ +# $OpenBSD: dynamic-forward.sh,v 1.8 2011/05/31 02:03:34 dtucker Exp $ # Placed in the Public Domain. tid="dynamic forwarding" @@ -21,7 +21,8 @@ start_sshd for p in 1 2; do trace "start dynamic forwarding, fork to background" - ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q somehost \ + ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \ + -oExitOnForwardFailure=yes somehost \ exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' for s in 4 5; do @@ -41,6 +42,7 @@ for p in 1 2; do if [ $remote -gt 1 ]; then kill -HUP $remote fi + sleep 1 else fail "no pid file: $OBJ/remote_pid" fi -- cgit v1.2.3 
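Review bot: After this back-out nothing visible in regress/dynamic-forward.sh removes `$OBJ/remote_pid`: the `@@ -54,14 +41,7 @@` hunk drops the `rm -f` that followed `kill -HUP $remote`, and the preceding hunk drops the one that ran before the client started. In the second `for p in 1 2` pass the `no pid file` check can therefore be satisfied by the file left over from the first pass, and `kill -HUP $remote` would then be sent to a PID that no longer belongs to the test's `sleep` and may have been reused by an unrelated process. Keeping `rm -f $OBJ/remote_pid` ahead of the `${SSH} ... -f -D $FWDPORT` call closes that window without bringing back the background-and-wait logic. The code that reads the file into `$remote` lies outside these hunks, so this assumes it is a plain read of `$OBJ/remote_pid`.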
From bf4d05a37ca67a2b2c69ef072652b6be3b24fd76 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 3 Jun 2011 14:19:02 +1000 Subject: - dtucker@cvs.openbsd.org 2011/06/03 00:29:52 [regress/dynamic-forward.sh] Retry establishing the port forwarding after a small delay, should make the tests less flaky when the previous test is slow to shut down and free up the port. --- ChangeLog | 5 +++++ regress/dynamic-forward.sh | 22 +++++++++++++++++----- 2 files changed, 22 insertions(+), 5 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index af92ed3f9..c4ced5da6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,11 @@ - dtucker@cvs.openbsd.org 2011/05/31 02:03:34 [regress/dynamic-forward.sh] work around startup and teardown races; caught by deraadt + - dtucker@cvs.openbsd.org 2011/06/03 00:29:52 + [regress/dynamic-forward.sh] + Retry establishing the port forwarding after a small delay, should make + the tests less flaky when the previous test is slow to shut down and free + up the port. 20110529 - (djm) OpenBSD CVS Sync diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh index 39b58c817..d1ab8059b 100644 --- a/regress/dynamic-forward.sh +++ b/regress/dynamic-forward.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dynamic-forward.sh,v 1.8 2011/05/31 02:03:34 dtucker Exp $ +# $OpenBSD: dynamic-forward.sh,v 1.9 2011/06/03 00:29:52 dtucker Exp $ # Placed in the Public Domain. tid="dynamic forwarding" 
@@ -20,10 +20,23 @@ trace "will use ProxyCommand $proxycmd" start_sshd for p in 1 2; do + n=0 + error="1" trace "start dynamic forwarding, fork to background" - ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \ - -oExitOnForwardFailure=yes somehost \ - exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' + while [ "$error" -ne 0 -a "$n" -lt 3 ]; do + n=`expr $n + 1` + ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \ + -oExitOnForwardFailure=yes somehost exec sh -c \ + \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' + error=$? + if [ "$error" -ne 0 ]; then + trace "forward failed proto $p attempt $n err $error" + sleep $n + fi + done + if [ "$error" -ne 0 ]; then + fatal "failed to start dynamic forwarding proto $p" + fi for s in 4 5; do for h in 127.0.0.1 localhost; do @@ -42,7 +55,6 @@ for p in 1 2; do if [ $remote -gt 1 ]; then kill -HUP $remote fi - sleep 1 else fail "no pid file: $OBJ/remote_pid" fi -- cgit v1.2.3 From bc481570d14b6061fe4cb286cec56d555351c28d Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 2 Jun 2011 22:26:19 -0700 Subject: - (tim) [regress/cfgmatch.sh] Build/test out of tree fix. --- ChangeLog | 1 + regress/cfgmatch.sh | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index c4ced5da6..32a383603 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,7 @@ Retry establishing the port forwarding after a small delay, should make the tests less flaky when the previous test is slow to shut down and free up the port. + - (tim) [regress/cfgmatch.sh] Build/test out of tree fix. 20110529 - (djm) OpenBSD CVS Sync diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh index 29234e566..a16a5c13a 100644 --- a/regress/cfgmatch.sh +++ b/regress/cfgmatch.sh 
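Review bot: The retry condition `while [ "$error" -ne 0 -a "$n" -lt 3 ]; do` in the `@@ -20,10 +20,23 @@` hunk relies on the `-a` operator of `[`, which POSIX marks obsolescent because such expressions can parse ambiguously; `while [ "$error" -ne 0 ] && [ "$n" -lt 3 ]; do` is the portable spelling. A one-line comment above the loop, for example `# retry up to 3 times: the previous test may still hold $FWDPORT`, would also record why the delay grows with `sleep $n`. The enclosing `for p in 1 2` loop ends outside the hunk.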
@@ -7,8 +7,8 @@ pidfile=$OBJ/remote_pid fwdport=3301 fwd="-L $fwdport:127.0.0.1:$PORT" -echo "ExitOnForwardFailure=yes" >> ssh_config -echo "ExitOnForwardFailure=yes" >> ssh_proxy +echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config +echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy start_client() { -- cgit v1.2.3 From 9231c8bde4169895243a9f3e2dff09ae795c0d21 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Aug 2011 12:08:15 +1000 Subject: - dtucker@cvs.openbsd.org 2011/06/03 05:35:10 [regress/cfgmatch.sh] use OBJ to find test configs, patch from Tim Rice --- ChangeLog | 4 ++++ regress/cfgmatch.sh | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index ab430749d..1ffc4b5f5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,10 @@ an explicitly requested sandbox type - (djm) [contrib/ssh-copy-id] Missing backlslash; spotted by bisson AT archlinux.org + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2011/06/03 05:35:10 + [regress/cfgmatch.sh] + use OBJ to find test configs, patch from Tim Rice 20110812 - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh index a16a5c13a..0603fab64 100644 --- a/regress/cfgmatch.sh +++ b/regress/cfgmatch.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cfgmatch.sh,v 1.5 2011/05/23 03:31:31 djm Exp $ +# $OpenBSD: cfgmatch.sh,v 1.6 2011/06/03 05:35:10 dtucker Exp $ # Placed in the Public Domain. tid="sshd_config match" -- cgit v1.2.3 From faf4d80420af1eb5074a1ae2ce9fc3e1bf9850c0 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Aug 2011 12:09:19 +1000 Subject: - markus@cvs.openbsd.org 2011/06/30 22:44:43 [connect-privsep.sh] test with sandbox enabled; ok djm@ --- ChangeLog | 3 +++ regress/connect-privsep.sh | 13 ++++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 1ffc4b5f5..85dbe0f33 100644 --- a/ChangeLog 
+++ b/ChangeLog @@ -11,6 +11,9 @@ - dtucker@cvs.openbsd.org 2011/06/03 05:35:10 [regress/cfgmatch.sh] use OBJ to find test configs, patch from Tim Rice + - markus@cvs.openbsd.org 2011/06/30 22:44:43 + [regress/connect-privsep.sh] + test with sandbox enabled; ok djm@ 20110812 - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context diff --git a/regress/connect-privsep.sh b/regress/connect-privsep.sh index d23cadba5..e7f938981 100644 --- a/regress/connect-privsep.sh +++ b/regress/connect-privsep.sh @@ -1,8 +1,9 @@ -# $OpenBSD: connect-privsep.sh,v 1.1 2002/03/21 21:45:07 markus Exp $ +# $OpenBSD: connect-privsep.sh,v 1.2 2011/06/30 22:44:43 markus Exp $ # Placed in the Public Domain. tid="proxy connect with privsep" +cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy for p in 1 2; do @@ -11,3 +12,13 @@ for p in 1 2; do fail "ssh privsep+proxyconnect protocol $p failed" fi done + +cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy +echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy + +for p in 1 2; do + ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true + if [ $? -ne 0 ]; then + fail "ssh privsep/sandbox+proxyconnect protocol $p failed" + fi +done -- cgit v1.2.3 From 062fa30532fdce4c2837e9d4e265595aa1cbca14 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Aug 2011 12:10:02 +1000 Subject: - djm@cvs.openbsd.org 2011/08/02 01:23:41 [regress/cipher-speed.sh regress/try-ciphers.sh] add SHA256/SHA512 based HMAC modes --- ChangeLog | 3 +++ regress/cipher-speed.sh | 9 ++++++--- regress/try-ciphers.sh | 5 +++-- 3 files changed, 12 insertions(+), 5 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 85dbe0f33..441f1c312 100644 --- a/ChangeLog +++ b/ChangeLog 
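Review bot: The sandbox loop added at the end of regress/connect-privsep.sh (`@@ -11,3 +12,13 @@`) asserts only that `${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true` exits 0, so it passes just as well if sshd accepts `UsePrivilegeSeparation sandbox` without a sandbox actually being in force; nothing visible in the hunk checks that. If sshd logs which sandbox it applied (not shown here), a check of the server log after the connection would make this a test of the sandbox rather than of the config keyword. The two loops differ only in the option value and the failure message, so a single body under `for ps in yes sandbox` would avoid the copy. `$OBJ/sshd_proxy` is also left with the sandbox line appended; restoring it from `$OBJ/sshd_proxy.orig` at the end would keep later tests independent, unless the harness regenerates the file per test.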
@@ -14,6 +14,9 @@ - markus@cvs.openbsd.org 2011/06/30 22:44:43 [regress/connect-privsep.sh] test with sandbox enabled; ok djm@ + - djm@cvs.openbsd.org 2011/08/02 01:23:41 + [regress/cipher-speed.sh regress/try-ciphers.sh] + add SHA256/SHA512 based HMAC modes 20110812 - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 85de6d585..0cdafc092 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cipher-speed.sh,v 1.3 2007/06/07 19:41:46 pvalchev Exp $ +# $OpenBSD: cipher-speed.sh,v 1.4 2011/08/02 01:23:41 djm Exp $ # Placed in the Public Domain. tid="cipher speed" @@ -12,9 +12,12 @@ tries="1 2" DATA=/bin/ls DATA=/bsd -macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96" ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc - arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc aes128-ctr" + arcfour128 arcfour256 arcfour + aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se + aes128-ctr aes192-ctr aes256-ctr" +macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96 + hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96" for c in $ciphers; do for m in $macs; do trace "proto 2 cipher $c mac $m" diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index ef776d2ee..5affb3943 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh @@ -1,4 +1,4 @@ -# $OpenBSD: try-ciphers.sh,v 1.11 2007/06/07 19:41:46 pvalchev Exp $ +# $OpenBSD: try-ciphers.sh,v 1.12 2011/08/02 01:23:41 djm Exp $ # Placed in the Public Domain. tid="try ciphers" 
@@ -7,7 +7,8 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr" -macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96" +macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96 + hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96" for c in $ciphers; do for m in $macs; do -- cgit v1.2.3 From 2df1bec086db1cf53db6620c18d88ae9cb27bb89 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Aug 2011 12:25:46 +1000 Subject: - (djm) [regress/cipher-speed.sh regress/try-ciphers.sh] disable HMAC-SHA2 MAC tests for platforms that hack EVP_SHA2 support --- ChangeLog | 2 ++ regress/cipher-speed.sh | 5 +++-- regress/try-ciphers.sh | 5 +++-- 3 files changed, 8 insertions(+), 4 deletions(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 441f1c312..c36d2c5eb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,8 @@ - djm@cvs.openbsd.org 2011/08/02 01:23:41 [regress/cipher-speed.sh regress/try-ciphers.sh] add SHA256/SHA512 based HMAC modes + - (djm) [regress/cipher-speed.sh regress/try-ciphers.sh] disable HMAC-SHA2 + MAC tests for platforms that hack EVP_SHA2 support 20110812 - (dtucker) [openbsd-compat/port-linux.c] Bug 1924: Improve selinux context diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 0cdafc092..257afd179 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh 
@@ -16,8 +16,9 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr" -macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96 - hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96" +macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96" +config_defined HAVE_EVP_SHA256 && + macs="$macs hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96" for c in $ciphers; do for m in $macs; do trace "proto 2 cipher $c mac $m" diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index 5affb3943..0918d2245 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh @@ -7,8 +7,9 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr" -macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96 - hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96" +macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96" +config_defined HAVE_EVP_SHA256 && + macs="$macs hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96" for c in $ciphers; do for m in $macs; do -- cgit v1.2.3 From 6efd94f32e7ddf3cfdb94f0a3f91310304f8f6b5 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 4 Sep 2011 19:04:16 +1000 Subject: - (djm) [regress/connect-privsep.sh regress/test-exec.sh] demote fatal regress errors for the sandbox to warnings. ok tim dtucker --- ChangeLog | 4 ++++ regress/connect-privsep.sh | 3 ++- regress/test-exec.sh | 5 +++++ 3 files changed, 11 insertions(+), 1 deletion(-) (limited to 'regress') diff --git a/ChangeLog b/ChangeLog index 9bf90758c..0436c32f6 100644 --- a/ChangeLog +++ b/ChangeLog 
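Review bot: The guard `config_defined HAVE_EVP_SHA256 &&` enables all four SHA-2 MACs, including `hmac-sha2-512` and `hmac-sha2-512-96`, on the SHA-256 symbol alone, and neither regress/cipher-speed.sh nor regress/try-ciphers.sh says why. A comment above the guard in both files, such as `# SHA-2 MACs are only built when libcrypto provides EVP_sha256 (assumed to imply SHA-512 as well)`, would record that assumption so a platform with one digest but not the other is diagnosed quickly. The identical `macs=` block now exists in both scripts, so any future change to the list has to be made twice.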
@@ -1,3 +1,7 @@ +20110904 + - (djm) [regress/connect-privsep.sh regress/test-exec.sh] demote fatal + regress errors for the sandbox to warnings. ok tim dtucker + 20110829 - (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting to switch SELinux context away from unconfined_t, based on patch from diff --git a/regress/connect-privsep.sh b/regress/connect-privsep.sh index e7f938981..11fb9aef9 100644 --- a/regress/connect-privsep.sh +++ b/regress/connect-privsep.sh @@ -19,6 +19,7 @@ echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy for p in 1 2; do ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true if [ $? -ne 0 ]; then - fail "ssh privsep/sandbox+proxyconnect protocol $p failed" + # XXX replace this with fail once sandbox has stabilised + warn "ssh privsep/sandbox+proxyconnect protocol $p failed" fi done diff --git a/regress/test-exec.sh b/regress/test-exec.sh index 5c56aefff..092cfed5b 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -204,6 +204,11 @@ verbose () fi } +warn () +{ + echo "WARNING: $@" >>$TEST_SSH_LOGFILE + echo "WARNING: $@" +} fail () { -- cgit v1.2.3
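Review bot: Replacing `fail` with `warn` in the sandbox loop of regress/connect-privsep.sh means that a sandbox which stops working no longer changes the outcome of the suite, because the `warn` helper added in regress/test-exec.sh only echoes a line to the log and to stdout. For a privilege-separation control that is a quiet loss of coverage. The `# XXX replace this with fail once sandbox has stabilised` comment should name the platforms or the failure that prompted the demotion, so that there is a concrete condition for turning it back into `fail`. How the harness derives its exit status is outside these hunks, so whether warnings can be counted and reported at the end of a run would need checking there.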
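Review bot: In the new `warn ()` helper in regress/test-exec.sh, `echo "WARNING: $@"` embeds `$@` inside a longer quoted string, which expands to one word per argument with the prefix attached only to the first; `$*` is the form that joins the arguments into a single message, `echo "WARNING: $*" >>$TEST_SSH_LOGFILE` and `echo "WARNING: $*"`. The function also lacks the blank line that separates the neighbouring helpers from each other, and a short comment such as `# Log a problem without marking the test as failed` would make the difference from `fail` explicit. `fail ()` begins immediately after and its body is outside the hunk.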