Diffstat (limited to '')
-rw-r--r-- | regress/Makefile | 6 | ||||
-rw-r--r-- | regress/cfgmatchlisten.sh | 2 | ||||
-rw-r--r-- | regress/dropbear-ciphers.sh | 15 | ||||
-rw-r--r-- | regress/dropbear-kex.sh | 14 | ||||
-rw-r--r-- | regress/key-options.sh | 2 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/agent_fuzz_helper.c | 1 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/kex_fuzz.cc | 8 | ||||
-rw-r--r-- | regress/misc/fuzz-harness/sig_fuzz.cc | 8 | ||||
-rw-r--r-- | regress/penalty-expire.sh | 35 | ||||
-rw-r--r-- | regress/penalty.sh | 52 | ||||
-rw-r--r-- | regress/percent.sh | 5 | ||||
-rw-r--r-- | regress/rekey.sh | 4 | ||||
-rw-r--r-- | regress/sftp-cmds.sh | 29 | ||||
-rw-r--r-- | regress/test-exec.sh | 96 | ||||
-rw-r--r-- | regress/unittests/kex/Makefile | 3 | ||||
-rw-r--r-- | regress/unittests/kex/test_kex.c | 6 | ||||
-rw-r--r-- | regress/yes-head.sh | 2 |
17 files changed, 199 insertions, 89 deletions
diff --git a/regress/Makefile b/regress/Makefile index c9a495f..7f73497 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.133 2024/01/11 04:50:28 djm Exp $ +# $OpenBSD: Makefile,v 1.135 2024/06/14 04:43:11 djm Exp $ tests: prep file-tests t-exec unit @@ -109,7 +109,9 @@ LTESTS= connect \ connection-timeout \ match-subsystem \ agent-pkcs11-restrict \ - agent-pkcs11-cert + agent-pkcs11-cert \ + penalty \ + penalty-expire INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers INTEROP_TESTS+= dropbear-ciphers dropbear-kex diff --git a/regress/cfgmatchlisten.sh b/regress/cfgmatchlisten.sh index a4fd66b..2308db1 100644 --- a/regress/cfgmatchlisten.sh +++ b/regress/cfgmatchlisten.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cfgmatchlisten.sh,v 1.3 2018/07/02 14:13:30 dtucker Exp $ +# $OpenBSD: cfgmatchlisten.sh,v 1.4 2024/03/25 01:40:47 dtucker Exp $ # Placed in the Public Domain. tid="sshd_config matchlisten" diff --git a/regress/dropbear-ciphers.sh b/regress/dropbear-ciphers.sh index 2e0f9a1..1500fa0 100644 --- a/regress/dropbear-ciphers.sh +++ b/regress/dropbear-ciphers.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dropbear-ciphers.sh,v 1.1 2023/10/20 06:56:45 dtucker Exp $ +# $OpenBSD: dropbear-ciphers.sh,v 1.3 2024/06/20 08:23:18 dtucker Exp $ # Placed in the Public Domain. tid="dropbear ciphers" 
@@ -7,13 +7,18 @@ if test "x$REGRESS_INTEROP_DROPBEAR" != "xyes" ; then skip "dropbear interop tests not enabled" fi +# Enable all support algorithms +algs=`$SSH -Q key-sig | tr '\n' ,` cat >>$OBJ/sshd_proxy <<EOD -PubkeyAcceptedAlgorithms +ssh-rsa,ssh-dss -HostkeyAlgorithms +ssh-rsa,ssh-dss +PubkeyAcceptedAlgorithms $algs +HostkeyAlgorithms $algs EOD -ciphers=`$DBCLIENT -c help 2>&1 | awk '/ ciphers: /{print $4}' | tr ',' ' '` -macs=`$DBCLIENT -m help 2>&1 | awk '/ MACs: /{print $4}' | tr ',' ' '` +ciphers=`$DBCLIENT -c help hst 2>&1 | awk '/ ciphers: /{print $4}' | tr ',' ' '` +macs=`$DBCLIENT -m help hst 2>&1 | awk '/ MACs: /{print $4}' | tr ',' ' '` +if [ -z "$macs" ] || [ -z "$ciphers" ]; then + skip "dbclient query ciphers '$ciphers' or macs '$macs' failed" +fi keytype=`(cd $OBJ/.dropbear && ls id_*)` for c in $ciphers ; do diff --git a/regress/dropbear-kex.sh b/regress/dropbear-kex.sh index a25de3e..d9f1b32 100644 --- a/regress/dropbear-kex.sh +++ b/regress/dropbear-kex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dropbear-kex.sh,v 1.1 2023/10/20 06:56:45 dtucker Exp $ +# $OpenBSD: dropbear-kex.sh,v 1.3 2024/06/19 10:10:46 dtucker Exp $ # Placed in the Public Domain. tid="dropbear kex" 
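Review bot: `algs` ends in a trailing comma, because `tr '\n' ,` also converts the final newline, so both `PubkeyAcceptedAlgorithms $algs` and `HostkeyAlgorithms $algs` are written with a dangling `,`; whether sshd's list parser tolerates an empty trailing element should be confirmed, and if it does not the test will fail at startup rather than skip. Stripping it is a one-liner: `algs=\`$SSH -Q key-sig | tr '\n' , | sed 's/,$//'\``. The new comment also has a typo; suggest `# Enable all supported algorithms`. Enabling every signature algorithm the build knows (including legacy ones) is appropriate only because this is the interop proxy config, which is worth stating in that comment.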
@@ -7,21 +7,19 @@ if test "x$REGRESS_INTEROP_DROPBEAR" != "xyes" ; then skip "dropbear interop tests not enabled" fi -cat >>$OBJ/sshd_proxy <<EOD -PubkeyAcceptedAlgorithms +ssh-rsa,ssh-dss -HostkeyAlgorithms +ssh-rsa,ssh-dss -EOD cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak -kex="curve25519-sha256 curve25519-sha256@libssh.org - diffie-hellman-group14-sha256 diffie-hellman-group14-sha1" +kex="curve25519-sha256 curve25519-sha256@libssh.org" +if $SSH -Q kex | grep 'diffie-hellman-group14-sha1'; then + kex="$kex diffie-hellman-group14-sha256 diffie-hellman-group14-sha1" +fi for k in $kex; do verbose "$tid: kex $k" rm -f ${COPY} # dbclient doesn't have switch for kex, so force in server (cat $OBJ/sshd_proxy.bak; echo "KexAlgorithms $k") >$OBJ/sshd_proxy - env HOME=$OBJ dbclient -y -i $OBJ/.dropbear/id_rsa 2>$OBJ/dbclient.log \ + env HOME=$OBJ dbclient -y -i $OBJ/.dropbear/id_ed25519 2>$OBJ/dbclient.log \ -J "$OBJ/ssh_proxy.sh" somehost cat ${DATA} > ${COPY} if [ $? -ne 0 ]; then fail "ssh cat $DATA failed" diff --git a/regress/key-options.sh b/regress/key-options.sh index 2f3d66e..623128c 100644 --- a/regress/key-options.sh +++ b/regress/key-options.sh @@ -1,4 +1,4 @@ -# $OpenBSD: key-options.sh,v 1.9 2018/07/03 13:53:26 djm Exp $ +# $OpenBSD: key-options.sh,v 1.10 2024/03/25 02:07:08 dtucker Exp $ # Placed in the Public Domain. tid="key options" diff --git a/regress/misc/fuzz-harness/agent_fuzz_helper.c b/regress/misc/fuzz-harness/agent_fuzz_helper.c index c3051c7..321343b 100644 --- a/regress/misc/fuzz-harness/agent_fuzz_helper.c +++ b/regress/misc/fuzz-harness/agent_fuzz_helper.c @@ -112,7 +112,6 @@ reset_idtab(void) idtab_init(); // Load keys. add_key(PRIV_RSA, CERT_RSA); - add_key(PRIV_DSA, CERT_DSA); add_key(PRIV_ECDSA, CERT_ECDSA); add_key(PRIV_ED25519, CERT_ED25519); add_key(PRIV_ECDSA_SK, CERT_ECDSA_SK); diff --git a/regress/misc/fuzz-harness/kex_fuzz.cc b/regress/misc/fuzz-harness/kex_fuzz.cc index d38ca85..f126d93 100644 --- a/regress/misc/fuzz-harness/kex_fuzz.cc 
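Review bot: The new `if $SSH -Q kex | grep ...` gate adds `diffie-hellman-group14-sha256` only when `diffie-hellman-group14-sha1` is present, so a build that dropped sha1 but still offers group14-sha256 never exercises that kex against dropbear; unless the two are expected to be enabled together, move the sha256 entry into the unconditional list: `kex="curve25519-sha256 curve25519-sha256@libssh.org diffie-hellman-group14-sha256"` and `kex="$kex diffie-hellman-group14-sha1"` inside the `if`. The `grep` output is also not discarded, so the matched line lands in the test output; `grep 'diffie-hellman-group14-sha1' >/dev/null` keeps the log clean. The `for k in $kex` loop continues past the hunk.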
+++ b/regress/misc/fuzz-harness/kex_fuzz.cc @@ -144,7 +144,6 @@ static int prepare_keys(struct shared_state *st) { if (prepare_key(st, KEY_RSA, 2048) != 0 || - prepare_key(st, KEY_DSA, 1024) != 0 || prepare_key(st, KEY_ECDSA, 256) != 0 || prepare_key(st, KEY_ED25519, 256) != 0) { error_f("key prepare failed"); @@ -264,10 +263,6 @@ prepare_key(struct shared_state *st, int kt, int bits) pubstr = PUB_RSA; privstr = PRIV_RSA; break; - case KEY_DSA: - pubstr = PUB_DSA; - privstr = PRIV_DSA; - break; case KEY_ECDSA: pubstr = PUB_ECDSA; privstr = PRIV_ECDSA; @@ -325,7 +320,7 @@ int main(void) { static struct shared_state *st; struct test_state *ts; - const int keytypes[] = { KEY_RSA, KEY_DSA, KEY_ECDSA, KEY_ED25519, -1 }; + const int keytypes[] = { KEY_RSA, KEY_ECDSA, KEY_ED25519, -1 }; static const char * const kextypes[] = { "sntrup761x25519-sha512@openssh.com", "curve25519-sha256@libssh.org", @@ -399,7 +394,6 @@ static void do_kex(struct shared_state *st, struct test_state *ts, const char *kex) { do_kex_with_key(st, ts, kex, KEY_RSA); - do_kex_with_key(st, ts, kex, KEY_DSA); do_kex_with_key(st, ts, kex, KEY_ECDSA); do_kex_with_key(st, ts, kex, KEY_ED25519); } diff --git a/regress/misc/fuzz-harness/sig_fuzz.cc b/regress/misc/fuzz-harness/sig_fuzz.cc index b32502b..639e4d2 100644 --- a/regress/misc/fuzz-harness/sig_fuzz.cc +++ b/regress/misc/fuzz-harness/sig_fuzz.cc @@ -26,7 +26,6 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen) { #ifdef WITH_OPENSSL static struct sshkey *rsa = generate_or_die(KEY_RSA, 2048); - static struct sshkey *dsa = generate_or_die(KEY_DSA, 1024); static struct sshkey *ecdsa256 = generate_or_die(KEY_ECDSA, 256); static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384); static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521); 
@@ -41,19 +40,20 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen) sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); sshkey_sig_details_free(details); details = NULL; - sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); - sshkey_sig_details_free(details); - details = NULL; + sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); sshkey_sig_details_free(details); details = NULL; + sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); sshkey_sig_details_free(details); details = NULL; + sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); sshkey_sig_details_free(details); details = NULL; #endif + sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0, &details); sshkey_sig_details_free(details); return 0; diff --git a/regress/penalty-expire.sh b/regress/penalty-expire.sh new file mode 100644 index 0000000..4f0bbe6 --- /dev/null +++ b/regress/penalty-expire.sh 
@@ -0,0 +1,35 @@ +# $OpenBSD +# Placed in the Public Domain. + +tid="penalties" + +grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak +cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak + +conf() { + test -z "$PIDFILE" || stop_sshd + (cat $OBJ/sshd_config.bak ; + echo "PerSourcePenalties $@") > $OBJ/sshd_config + cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER} + start_sshd +} + +conf "noauth:10s authfail:10s max:20s min:1s" + +verbose "test connect" +${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed" + +verbose "penalty expiry" + +# Incur a penalty +cat /dev/null > $OBJ/authorized_keys_${USER} +${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail connect succeeded" +sleep 2 + +# Check denied +cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER} +${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail not rejected" + +# Let it expire and try again. +sleep 11 +${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired" diff --git a/regress/penalty.sh b/regress/penalty.sh new file mode 100644 index 0000000..8b83532 --- /dev/null +++ b/regress/penalty.sh 
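Review bot: The "Check denied" step only asserts that `${SSH} ... somehost true` fails, so a refusal for any unrelated reason (sshd gone, proxy error) also satisfies it and the test cannot tell a penalty rejection from a broken setup; since the sshd log is now linked at `$TEST_SSHD_LOGFILE` by `start_sshd`, grepping it for the penalty refusal after that step would pin the cause (the exact message is not visible here, so confirm it against sshd). In `conf()`, `echo "PerSourcePenalties $@"` relies on `$@` being joined inside double quotes; `"$*"` is the form that means "join all arguments" and avoids a shell-dependent subtlety: `echo "PerSourcePenalties $*") > $OBJ/sshd_config`. Both new scripts use `tid="penalties"`, so failures from this file and penalty.sh are indistinguishable in the output; `tid="penalty expiry"` here would separate them.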
@@ -0,0 +1,52 @@ +# $OpenBSD +# Placed in the Public Domain. + +tid="penalties" + +grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak +cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak + +conf() { + test -z "$PIDFILE" || stop_sshd + (cat $OBJ/sshd_config.bak ; + echo "PerSourcePenalties $@") > $OBJ/sshd_config + cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER} + start_sshd +} + +conf "authfail:300s min:350s max:900s" + +verbose "test connect" +${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed" + +verbose "penalty for authentication failure" + +# Fail authentication once +cat /dev/null > $OBJ/authorized_keys_${USER} +${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded" +cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER} +sleep 2 + +# Should be below penalty threshold +${SSH} -F $OBJ/ssh_config somehost true || fatal "authfail not expired" +sleep 2 + +# Fail authentication again; penalty should activate +cat /dev/null > $OBJ/authorized_keys_${USER} +${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded" +cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER} +sleep 2 + +# These should be refused by the active penalty +${SSH} -F $OBJ/ssh_config somehost true && fail "authfail not rejected" +${SSH} -F $OBJ/ssh_config somehost true && fail "repeat authfail not rejected" + +conf "noauth:100s" +${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed" +verbose "penalty for no authentication" +${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null || fatal "keyscan failed" +sleep 2 + +# Repeat attempt should be penalised +${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null 2>&1 && fail "keyscan not rejected" + diff --git a/regress/percent.sh b/regress/percent.sh index 44561d4..354854f 100644 --- a/regress/percent.sh +++ b/regress/percent.sh 
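Review bot: The two `fatal` messages in the "penalty for authentication failure" section say `"noauth connect succeeded"` although those steps test the authfail penalty (the noauth case only starts at `conf "noauth:100s"`), so a failure there would point the reader at the wrong penalty type; suggest `${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail connect succeeded"` for both lines. The authfail check on the first of them is also a `fatal` while the later refusal checks are `fail`, which looks unintentional given the same shape. If the first `fatal` fires, `$OBJ/authorized_keys_${USER}` is left emptied because the `cp` restore comes after it; restoring before the check (the file was already truncated before the connect, so the order does not affect the test) avoids leaving the fixture broken for anything that runs afterwards.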
@@ -3,11 +3,6 @@ tid="percent expansions" -if [ -x "/usr/xpg4/bin/id" ]; then - PATH=/usr/xpg4/bin:$PATH - export PATH -fi - USER=`id -u -n` USERID=`id -u` HOST=`hostname | cut -f1 -d.` diff --git a/regress/rekey.sh b/regress/rekey.sh index 61723cd..8005a86 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: rekey.sh,v 1.19 2021/07/19 05:08:54 dtucker Exp $ +# $OpenBSD: rekey.sh,v 1.20 2024/05/22 04:20:00 djm Exp $ # Placed in the Public Domain. tid="rekey" @@ -14,7 +14,7 @@ ssh_data_rekeying() { _kexopt=$1 ; shift _opts="$@" - if ! test -z "$_kexopts" ; then + if ! test -z "$_kexopt" ; then cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy echo "$_kexopt" >> $OBJ/sshd_proxy _opts="$_opts -o$_kexopt" diff --git a/regress/sftp-cmds.sh b/regress/sftp-cmds.sh index 85f0e97..5640471 100644 --- a/regress/sftp-cmds.sh +++ b/regress/sftp-cmds.sh @@ -1,4 +1,4 @@ -# $OpenBSD: sftp-cmds.sh,v 1.15 2022/03/31 03:07:33 djm Exp $ +# $OpenBSD: sftp-cmds.sh,v 1.20 2024/07/01 03:10:19 djm Exp $ # Placed in the Public Domain. # XXX - TODO: @@ -28,12 +28,12 @@ rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2 mkdir ${COPY}.dd verbose "$tid: lls" -(echo "lcd ${OBJ}" ; echo "lls") | ${SFTP} -D ${SFTPSERVER} 2>&1 | \ - grep copy.dd >/dev/null 2>&1 || fail "lls failed" +printf "lcd ${OBJ}\nlls\n" | ${SFTP} -D ${SFTPSERVER} 2>&1 | \ + grep copy.dd >/dev/null || fail "lls failed" verbose "$tid: lls w/path" echo "lls ${OBJ}" | ${SFTP} -D ${SFTPSERVER} 2>&1 | \ - grep copy.dd >/dev/null 2>&1 || fail "lls w/path failed" + grep copy.dd >/dev/null || fail "lls w/path failed" verbose "$tid: ls" echo "ls ${OBJ}" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ 
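Review bot: In the sftp-cmds.sh hunk, `printf "lcd ${OBJ}\nlls\n"` places an expanded path inside the printf format string, so an `${OBJ}` containing `%` or `\` is interpreted as a conversion or escape rather than passed through; the same pattern appears in the later hunks of this file (`printf "lcd ${COPY}.dd\nget $DATA\n"`, `printf "cd ${COPY}.dd\nput $DATA\n"` and the glob variants). Keep the format literal and pass the values as arguments: `printf 'lcd %s\nlls\n' "${OBJ}" | ${SFTP} -D ${SFTPSERVER} 2>&1 | \`. The `rekey.sh` hunk on this line correctly fixes the `_kexopts` typo; nothing further there.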
@@ -41,9 +41,8 @@ echo "ls ${OBJ}" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ # XXX always successful verbose "$tid: shell" -echo "!echo hi there" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ - || fail "shell failed" -# XXX always successful +echo "!echo hi there" | ${SFTP} -D ${SFTPSERVER} 2>&1 | \ + egrep '^hi there$' >/dev/null || fail "shell failed" verbose "$tid: pwd" echo "pwd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ @@ -104,7 +103,7 @@ rm -f ${COPY}.dd/* verbose "$tid: get to directory" echo "get $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ || fail "get failed" -cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after get" +cmp $DATA ${COPY}.dd/${DATANAME} || fail "corrupted copy after get" rm -f ${COPY}.dd/* verbose "$tid: glob get to directory" @@ -116,13 +115,13 @@ done rm -f ${COPY}.dd/* verbose "$tid: get to local dir" -(echo "lcd ${COPY}.dd"; echo "get $DATA" ) | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ +printf "lcd ${COPY}.dd\nget $DATA\n" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ || fail "get failed" -cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after get" +cmp $DATA ${COPY}.dd/${DATANAME} || fail "corrupted copy after get" rm -f ${COPY}.dd/* verbose "$tid: glob get to local dir" -(echo "lcd ${COPY}.dd"; echo "get /bin/l*") | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ +printf "lcd ${COPY}.dd\nget /bin/l*\n" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ || fail "get failed" for x in $GLOBFILES; do cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after get" @@ -150,7 +149,7 @@ rm -f ${COPY}.dd/* verbose "$tid: put to directory" echo "put $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ || fail "put failed" -cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after put" +cmp $DATA ${COPY}.dd/${DATANAME} || fail "corrupted copy after put" rm -f ${COPY}.dd/* verbose "$tid: glob put to directory" 
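Review bot: The rewritten "shell" check uses `egrep`, which is the deprecated alias that recent GNU grep releases warn about on stderr; `grep -E '^hi there$' >/dev/null || fail "shell failed"` is the portable spelling and matches the plain `grep` used by the neighbouring checks. Otherwise this hunk is an improvement: the old form was marked "XXX always successful" and the new one actually asserts the `!echo` output reached the client.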
@@ -162,13 +161,13 @@ done rm -f ${COPY}.dd/* verbose "$tid: put to local dir" -(echo "cd ${COPY}.dd"; echo "put $DATA") | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ +printf "cd ${COPY}.dd\nput $DATA\n" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ || fail "put failed" -cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after put" +cmp $DATA ${COPY}.dd/${DATANAME} || fail "corrupted copy after put" rm -f ${COPY}.dd/* verbose "$tid: glob put to local dir" -(echo "cd ${COPY}.dd"; echo "put /bin/l?") | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ +printf "cd ${COPY}.dd\nput /bin/l*\n" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \ || fail "put failed" for x in $GLOBFILES; do cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after put" diff --git a/regress/test-exec.sh b/regress/test-exec.sh index ad62794..7afc280 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.108 2024/03/08 11:34:10 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.119 2024/06/20 08:18:34 dtucker Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -90,6 +90,7 @@ SSHKEYGEN=ssh-keygen SSHKEYSCAN=ssh-keyscan SFTP=sftp SFTPSERVER=/usr/libexec/openssh/sftp-server +SSHD_SESSION=/usr/libexec/sshd-session SCP=scp # Set by make_tmpdir() on demand (below). @@ -115,6 +116,9 @@ NC=$OBJ/netcat if [ "x$TEST_SSH_SSH" != "x" ]; then SSH="${TEST_SSH_SSH}" fi +if [ "x$TEST_SSH_SSHD_SESSION" != "x" ]; then + SSHD_SESSION="${TEST_SSH_SSHD_SESSION}" +fi if [ "x$TEST_SSH_SSHD" != "x" ]; then SSHD="${TEST_SSH_SSHD}" fi @@ -348,7 +352,7 @@ ssh_logfile () # [kbytes] to ensure the file is at least that large. DATANAME=data DATA=$OBJ/${DATANAME} -cat ${SSHAGENT_BIN} >${DATA} +cat ${SSH_BIN} >${DATA} chmod u+w ${DATA} COPY=$OBJ/copy rm -f ${COPY} @@ -356,7 +360,7 @@ rm -f ${COPY} increase_datafile_size() { while [ `du -k ${DATA} | cut -f1` -lt $1 ]; do - cat ${SSHAGENT_BIN} >>${DATA} + cat ${SSH_BIN} >>${DATA} done } 
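Review bot: In the test-exec.sh hunk, the new default `SSHD_SESSION=/usr/libexec/sshd-session` sits next to `SFTPSERVER=/usr/libexec/openssh/sftp-server`, so the two defaults assume different install layouts for binaries from the same package; if the `openssh/` subdirectory is the intended layout for this tree, `SSHD_SESSION=/usr/libexec/openssh/sshd-session` would be consistent, and if the default is only a placeholder overridden by `TEST_SSH_SSHD_SESSION`, a comment saying so (e.g. `# normally overridden via TEST_SSH_SSHD_SESSION by the Makefile`) would stop the next reader from "fixing" it. `cat ${SSH_BIN} >${DATA}` refers to a variable not set in any visible hunk; presumably it is defined earlier in the file, but worth confirming since the data file is the basis for the copy tests.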
@@ -392,6 +396,7 @@ have_prog() jot() { awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }" } + if [ ! -x "`which rev`" ]; then rev() { @@ -399,6 +404,13 @@ rev() } fi +if [ -x "/usr/xpg4/bin/id" ]; then +id() +{ + /usr/xpg4/bin/id $@ +} +fi + # Check whether preprocessor symbols are defined in config.h. config_defined () { @@ -444,33 +456,32 @@ make_tmpdir () stop_sshd () { - if [ -f $PIDFILE ]; then - pid=`$SUDO cat $PIDFILE` - if [ "X$pid" = "X" ]; then - echo no sshd running + [ -z $PIDFILE ] && return + [ -f $PIDFILE ] || return + pid=`$SUDO cat $PIDFILE` + if [ "X$pid" = "X" ]; then + echo "no sshd running" 1>&2 + return + elif [ $pid -lt 2 ]; then + echo "bad pid for sshd: $pid" 1>&2 + return + fi + $SUDO kill $pid + trace "wait for sshd to exit" + i=0; + while [ -f $PIDFILE -a $i -lt 5 ]; do + i=`expr $i + 1` + sleep $i + done + if test -f $PIDFILE; then + if $SUDO kill -0 $pid; then + echo "sshd didn't exit port $PORT pid $pid" 1>&2 else - if [ $pid -lt 2 ]; then - echo bad pid for sshd: $pid - else - $SUDO kill $pid - trace "wait for sshd to exit" - i=0; - while [ -f $PIDFILE -a $i -lt 5 ]; do - i=`expr $i + 1` - sleep $i - done - if test -f $PIDFILE; then - if $SUDO kill -0 $pid; then - echo "sshd didn't exit " \ - "port $PORT pid $pid" - else - echo "sshd died without cleanup" - fi - exit 1 - fi - fi + echo "sshd died without cleanup" 1>&2 fi + exit 1 fi + PIDFILE="" } # helper @@ -609,6 +620,8 @@ cat << EOF > $OBJ/sshd_config AcceptEnv _XXX_TEST_* AcceptEnv _XXX_TEST Subsystem sftp $SFTPSERVER + SshdSessionPath $SSHD_SESSION + PerSourcePenalties no EOF # This may be necessary if /usr/src and/or /usr/obj are group-writable, 
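Review bot: The new `id()` wrapper passes `$@` unquoted, so any argument containing whitespace would be re-split before reaching `/usr/xpg4/bin/id`; use `/usr/xpg4/bin/id "$@"`. In the rewritten `stop_sshd`, `[ -z $PIDFILE ] && return` only works when `PIDFILE` is empty because a one-argument `[ -z ]` happens to test the non-empty string `-z`, and `[ -f $PIDFILE ] || return` would misbehave on a path with spaces; `[ -z "$PIDFILE" ] && return` and `[ -f "$PIDFILE" ] || return` make the intent explicit. The new `PerSourcePenalties no` line in the generated sshd_config presumably exists because every regress client connects from the same source address and penalties would otherwise leak between tests; a `#` comment to that effect inside the heredoc would save the next maintainer from removing it (confirm that is the reason).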
@@ -802,17 +815,18 @@ puttysetup() { echo "ProxyLocalhost=1" >> ${OBJ}/.putty/sessions/localhost_proxy PUTTYVER="`${PLINK} --version | awk '/plink: Release/{print $3}'`" + PUTTYMAJORVER="`echo ${PUTTYVER} | cut -f1 -d.`" PUTTYMINORVER="`echo ${PUTTYVER} | cut -f2 -d.`" - verbose "plink version ${PUTTYVER} minor ${PUTTYMINORVER}" + verbose "plink version ${PUTTYVER} major ${PUTTYMAJORVER} minor ${PUTTYMINORVER}" # Re-enable ssh-rsa on older PuTTY versions since they don't do newer # key types. - if [ "$PUTTYMINORVER" -lt "76" ]; then + if [ "$PUTTYMAJORVER" -eq "0" ] && [ "$PUTTYMINORVER" -lt "76" ]; then echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy fi - if [ "$PUTTYMINORVER" -le "64" ]; then + if [ "$PUTTYMAJORVER" -eq "0" ] && [ "$PUTTYMINORVER" -le "64" ]; then echo "KexAlgorithms +diffie-hellman-group14-sha1" \ >>${OBJ}/sshd_proxy fi @@ -832,15 +846,25 @@ esac if test "$REGRESS_INTEROP_DROPBEAR" = "yes" ; then trace Create dropbear keys and add to authorized_keys mkdir -p $OBJ/.dropbear - for i in rsa ecdsa ed25519 dss; do + kt="ed25519" + for i in dss rsa ecdsa; do + if $SSH -Q key-plain | grep "$i" >/dev/null; then + kt="$kt $i" + else + rm -f "$OBJ/.dropbear/id_$i" + fi + done + for i in $kt; do if [ ! -f "$OBJ/.dropbear/id_$i" ]; then - ($DROPBEARKEY -t $i -f $OBJ/.dropbear/id_$i - $DROPBEARCONVERT dropbear openssh \ - $OBJ/.dropbear/id_$i $OBJ/.dropbear/ossh.id_$i - ) > /dev/null 2>&1 + verbose Create dropbear key type $i + $DROPBEARKEY -t $i -f $OBJ/.dropbear/id_$i \ + >/dev/null 2>&1 fi + $DROPBEARCONVERT dropbear openssh $OBJ/.dropbear/id_$i \ + $OBJ/.dropbear/ossh.id_$i >/dev/null 2>&1 $SSHKEYGEN -y -f $OBJ/.dropbear/ossh.id_$i \ >>$OBJ/authorized_keys_$USER + rm -f $OBJ/.dropbear/id_$i.pub $OBJ/.dropbear/ossh.id_$i done fi 
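Review bot: `[ "$PUTTYMAJORVER" -eq "0" ]` will make `[` error out with an empty operand when `plink --version` produces nothing parseable, and the same was already true of the `PUTTYMINORVER` comparison; since `PUTTYVER` is derived right above, guard it once with `[ -n "$PUTTYVER" ] || fatal "cannot determine plink version"` before the comparisons. In the dropbear key hunk, `$SSH -Q key-plain | grep "$i"` is an unanchored substring match, which is fine for `dss`/`rsa`/`ecdsa` today but would silently match unrelated names for a new type; `grep -q -- "$i"` also drops the `>/dev/null`. The rest of `puttysetup()` continues outside the hunk.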
@@ -861,6 +885,7 @@ chmod a+x $OBJ/ssh_proxy.sh start_sshd () { + PIDFILE=$OBJ/pidfile # start sshd logfile="${TEST_SSH_LOGDIR}/sshd.`$OBJ/timestamp`.$$.log" $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken" @@ -873,6 +898,7 @@ start_sshd () i=`expr $i + 1` sleep $i done + ln -f -s ${logfile} $TEST_SSHD_LOGFILE test -f $PIDFILE || fatal "no sshd running on port $PORT" } diff --git a/regress/unittests/kex/Makefile b/regress/unittests/kex/Makefile index 981affe..3c89840 100644 --- a/regress/unittests/kex/Makefile +++ b/regress/unittests/kex/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.14 2023/02/02 12:12:52 djm Exp $ +# $OpenBSD: Makefile,v 1.15 2024/05/19 19:10:01 anton Exp $ PROG=test_kex SRCS=tests.c test_kex.c test_proposal.c @@ -14,6 +14,7 @@ SRCS+=cipher-chachapoly.c chacha.c poly1305.c ssh-ecdsa-sk.c ssh-sk.c SRCS+=ssh-ed25519-sk.c sk-usbhid.c SRCS+= kex.c +SRCS+= kex-names.c SRCS+= dh.c SRCS+= kexdh.c SRCS+= kexecdh.c diff --git a/regress/unittests/kex/test_kex.c b/regress/unittests/kex/test_kex.c index dc1014e..b1161ea 100644 --- a/regress/unittests/kex/test_kex.c +++ b/regress/unittests/kex/test_kex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: test_kex.c,v 1.7 2024/01/11 01:45:58 djm Exp $ */ +/* $OpenBSD: test_kex.c,v 1.8 2024/03/25 19:28:09 djm Exp $ */ /* * Regress test KEX * @@ -22,6 +22,7 @@ #include "sshbuf.h" #include "packet.h" #include "myproposal.h" +#include "log.h" void kex_tests(void); static int do_debug = 0; @@ -177,6 +178,9 @@ do_kex_with_key(char *kex, int keytype, int bits) static void do_kex(char *kex) { +#if 0 + log_init("test_kex", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 1); +#endif #ifdef WITH_OPENSSL do_kex_with_key(kex, KEY_RSA, 2048); #ifdef WITH_DSA diff --git a/regress/yes-head.sh b/regress/yes-head.sh index 1bde504..9885501 100644 --- a/regress/yes-head.sh +++ b/regress/yes-head.sh 
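Review bot: The `#if 0 ... #endif` block around `log_init()` in `do_kex()` commits dead code that someone must edit to enable, and preprocessor-disabled code is exactly what a reviewer asks to have removed; the earlier hunk's context shows `static int do_debug = 0;` already in the file, so gate it on that instead: `if (do_debug) log_init("test_kex", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 1);`. That keeps the newly added `#include "log.h"` justified and makes the toggle a single variable flip. `do_kex()` continues outside the hunk.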
@@ -6,7 +6,7 @@ tid="yes pipe head" lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)` if [ $? -ne 0 ]; then fail "yes|head test failed" -+ lines=0 + lines=0 fi if [ $lines -ne 2000 ]; then fail "yes|head returns $lines lines instead of 2000" |