From 9e7e4ab6617fef1d1681fc2d3e02554264ccc954 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sat, 27 Apr 2024 13:13:18 +0200
Subject: Adding upstream version 1:8.4p1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 regress/forward-control.sh | 235 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 235 insertions(+)
 create mode 100644 regress/forward-control.sh

(limited to 'regress/forward-control.sh')

diff --git a/regress/forward-control.sh b/regress/forward-control.sh
new file mode 100644
index 0000000..3b1f69a
--- /dev/null
+++ b/regress/forward-control.sh
@@ -0,0 +1,235 @@
+#	$OpenBSD: forward-control.sh,v 1.7 2018/06/07 14:29:43 djm Exp $
+#	Placed in the Public Domain.
+
+tid="sshd control of local and remote forwarding"
+
+LFWD_PORT=3320
+RFWD_PORT=3321
+CTL=$OBJ/ctl-sock
+READY=$OBJ/ready
+
+wait_for_file_to_appear() {
+	_path=$1
+	_n=0
+	while test ! -f $_path ; do
+		test $_n -eq 1 && trace "waiting for $_path to appear"
+		_n=`expr $_n + 1`
+		test $_n -ge 20 && return 1
+		sleep 1
+	done
+	return 0
+}
+
+wait_for_process_to_exit() {
+	_pid=$1
+	_n=0
+	while kill -0 $_pid 2>/dev/null ; do
+		test $_n -eq 1 && trace "waiting for $_pid to exit"
+		_n=`expr $_n + 1`
+		test $_n -ge 20 && return 1
+		sleep 1
+	done
+	return 0
+}
+
+# usage: check_lfwd Y|N message
+check_lfwd() {
+	_expected=$1
+	_message=$2
+	rm -f $READY
+	${SSH} -F $OBJ/ssh_proxy \
+	    -L$LFWD_PORT:127.0.0.1:$PORT \
+	    -o ExitOnForwardFailure=yes \
+	    -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
+	    >/dev/null 2>&1 &
+	_sshpid=$!
+	wait_for_file_to_appear $READY || \
+		fatal "check_lfwd ssh fail: $_message"
+	${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \
+	    -oConnectionAttempts=4 host true >/dev/null 2>&1
+	_result=$?
+	kill $_sshpid `cat $READY` 2>/dev/null
+	wait_for_process_to_exit $_sshpid
+	if test "x$_expected" = "xY" -a $_result -ne 0 ; then
+		fail "check_lfwd failed (expecting success): $_message"
+	elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
+		fail "check_lfwd succeeded (expecting failure): $_message"
+	elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
+		fatal "check_lfwd invalid argument \"$_expected\""
+	else
+		verbose "check_lfwd done (expecting $_expected): $_message"
+	fi
+}
+
+# usage: check_rfwd Y|N message
+check_rfwd() {
+	_expected=$1
+	_message=$2
+	rm -f $READY
+	${SSH} -F $OBJ/ssh_proxy \
+	    -R127.0.0.1:$RFWD_PORT:127.0.0.1:$PORT \
+	    -o ExitOnForwardFailure=yes \
+	    -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
+	    >/dev/null 2>&1 &
+	_sshpid=$!
+	wait_for_file_to_appear $READY
+	_result=$?
+	if test $_result -eq 0 ; then
+		${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \
+		    -oConnectionAttempts=4 host true >/dev/null 2>&1
+		_result=$?
+		kill $_sshpid `cat $READY` 2>/dev/null
+		wait_for_process_to_exit $_sshpid
+	fi
+	if test "x$_expected" = "xY" -a $_result -ne 0 ; then
+		fail "check_rfwd failed (expecting success): $_message"
+	elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
+		fail "check_rfwd succeeded (expecting failure): $_message"
+	elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
+		fatal "check_rfwd invalid argument \"$_expected\""
+	else
+		verbose "check_rfwd done (expecting $_expected): $_message"
+	fi
+}
+
+start_sshd
+cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
+cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
+
+# Sanity check: ensure the default config allows forwarding
+check_lfwd Y "default configuration"
+check_rfwd Y "default configuration"
+
+# Usage: lperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+lperm_tests() {
+	_tcpfwd=$1
+	_plain_lfwd=$2
+	_plain_rfwd=$3
+	_nopermit_lfwd=$4
+	_nopermit_rfwd=$5
+	_permit_lfwd=$6
+	_permit_rfwd=$7
+	_badfwd1=127.0.0.1:22
+	_badfwd2=127.0.0.2:22
+	_goodfwd=127.0.0.1:${PORT}
+	cp ${OBJ}/authorized_keys_${USER}.bak  ${OBJ}/authorized_keys_${USER}
+	_prefix="AllowTcpForwarding=$_tcpfwd"
+
+	# No PermitOpen
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd $_plain_lfwd "$_prefix"
+	check_rfwd $_plain_rfwd "$_prefix"
+
+	# PermitOpen via sshd_config that doesn't match
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ;
+	  echo "PermitOpen $_badfwd1 $_badfwd2" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen"
+	check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen"
+	# PermitOpen via sshd_config that does match
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ;
+	  echo "PermitOpen $_badfwd1 $_goodfwd $_badfwd2" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd $_plain_lfwd "$_prefix, PermitOpen"
+	check_rfwd $_plain_rfwd "$_prefix, PermitOpen"
+
+	# permitopen keys option.
+	# NB. permitopen via authorized_keys should have same
+	# success/fail as via sshd_config
+	# permitopen via authorized_keys that doesn't match
+	sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_badfwd2\" /" \
+	    < ${OBJ}/authorized_keys_${USER}.bak \
+	    > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd $_nopermit_lfwd "$_prefix, !permitopen"
+	check_rfwd $_nopermit_rfwd "$_prefix, !permitopen"
+	# permitopen via authorized_keys that does match
+	sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_goodfwd\" /" \
+	    < ${OBJ}/authorized_keys_${USER}.bak \
+	    > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd $_permit_lfwd "$_prefix, permitopen"
+	check_rfwd $_permit_rfwd "$_prefix, permitopen"
+
+	# Check port-forwarding flags in authorized_keys.
+	# These two should refuse all.
+	sed "s/^/no-port-forwarding /" \
+	    < ${OBJ}/authorized_keys_${USER}.bak \
+	    > ${OBJ}/authorized_keys_${USER} || fatal "sed 3 fail"
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd N "$_prefix, no-port-forwarding"
+	check_rfwd N "$_prefix, no-port-forwarding"
+	sed "s/^/restrict /" \
+	    < ${OBJ}/authorized_keys_${USER}.bak \
+	    > ${OBJ}/authorized_keys_${USER} || fatal "sed 4 fail"
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd N "$_prefix, restrict"
+	check_rfwd N "$_prefix, restrict"
+	# This should pass the same cases as _nopermit*
+	sed "s/^/restrict,port-forwarding /" \
+	    < ${OBJ}/authorized_keys_${USER}.bak \
+	    > ${OBJ}/authorized_keys_${USER} || fatal "sed 5 fail"
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd $_plain_lfwd "$_prefix, restrict,port-forwarding"
+	check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding"
+}
+
+#          permit-open      none          mismatch         match
+#   AllowTcpForwarding  local remote    local remote    local remote
+lperm_tests     yes     Y     Y         N     Y         Y     Y
+lperm_tests   local     Y     N         N     N         Y     N
+lperm_tests  remote     N     Y         N     Y         N     Y
+lperm_tests      no     N     N         N     N         N     N
+
+# Usage: rperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+rperm_tests() {
+	_tcpfwd=$1
+	_plain_lfwd=$2
+	_plain_rfwd=$3
+	_nopermit_lfwd=$4
+	_nopermit_rfwd=$5
+	_permit_lfwd=$6
+	_permit_rfwd=$7
+	_badfwd1=127.0.0.1:22
+	_badfwd2=127.0.0.2:${RFWD_PORT}
+	_goodfwd=127.0.0.1:${RFWD_PORT}
+	cp ${OBJ}/authorized_keys_${USER}.bak  ${OBJ}/authorized_keys_${USER}
+	_prefix="AllowTcpForwarding=$_tcpfwd"
+
+	# PermitListen via sshd_config that doesn't match
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ;
+	  echo "PermitListen $_badfwd1 $_badfwd2" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd $_nopermit_lfwd "$_prefix, !PermitListen"
+	check_rfwd $_nopermit_rfwd "$_prefix, !PermitListen"
+	# PermitListen via sshd_config that does match
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ;
+	  echo "PermitListen $_badfwd1 $_goodfwd $_badfwd2" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd $_plain_lfwd "$_prefix, PermitListen"
+	check_rfwd $_plain_rfwd "$_prefix, PermitListen"
+}
+
+#   permit-remote-open      none          mismatch         match
+#   AllowTcpForwarding  local remote    local remote    local remote
+rperm_tests     yes     Y     Y         Y     N         Y     Y
+rperm_tests   local     Y     N         Y     N         Y     N
+rperm_tests  remote     N     Y         N     N         N     Y
+rperm_tests      no     N     N         N     N         N     N
+
-- 
cgit v1.2.3