summaryrefslogtreecommitdiffstats
path: root/regress
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--regress/Makefile6
-rw-r--r--regress/cfgmatchlisten.sh2
-rw-r--r--regress/dropbear-ciphers.sh15
-rw-r--r--regress/dropbear-kex.sh14
-rw-r--r--regress/key-options.sh2
-rw-r--r--regress/misc/fuzz-harness/agent_fuzz_helper.c1
-rw-r--r--regress/misc/fuzz-harness/kex_fuzz.cc8
-rw-r--r--regress/misc/fuzz-harness/sig_fuzz.cc8
-rw-r--r--regress/penalty-expire.sh35
-rw-r--r--regress/penalty.sh52
-rw-r--r--regress/percent.sh5
-rw-r--r--regress/rekey.sh4
-rw-r--r--regress/sftp-cmds.sh29
-rw-r--r--regress/test-exec.sh96
-rw-r--r--regress/unittests/kex/Makefile3
-rw-r--r--regress/unittests/kex/test_kex.c6
-rw-r--r--regress/yes-head.sh2
17 files changed, 199 insertions, 89 deletions
diff --git a/regress/Makefile b/regress/Makefile
index c9a495f..7f73497 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.133 2024/01/11 04:50:28 djm Exp $
+# $OpenBSD: Makefile,v 1.135 2024/06/14 04:43:11 djm Exp $
tests: prep file-tests t-exec unit
@@ -109,7 +109,9 @@ LTESTS= connect \
connection-timeout \
match-subsystem \
agent-pkcs11-restrict \
- agent-pkcs11-cert
+ agent-pkcs11-cert \
+ penalty \
+ penalty-expire
INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
INTEROP_TESTS+= dropbear-ciphers dropbear-kex
diff --git a/regress/cfgmatchlisten.sh b/regress/cfgmatchlisten.sh
index a4fd66b..2308db1 100644
--- a/regress/cfgmatchlisten.sh
+++ b/regress/cfgmatchlisten.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cfgmatchlisten.sh,v 1.3 2018/07/02 14:13:30 dtucker Exp $
+# $OpenBSD: cfgmatchlisten.sh,v 1.4 2024/03/25 01:40:47 dtucker Exp $
# Placed in the Public Domain.
tid="sshd_config matchlisten"
diff --git a/regress/dropbear-ciphers.sh b/regress/dropbear-ciphers.sh
index 2e0f9a1..1500fa0 100644
--- a/regress/dropbear-ciphers.sh
+++ b/regress/dropbear-ciphers.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: dropbear-ciphers.sh,v 1.1 2023/10/20 06:56:45 dtucker Exp $
+# $OpenBSD: dropbear-ciphers.sh,v 1.3 2024/06/20 08:23:18 dtucker Exp $
# Placed in the Public Domain.
tid="dropbear ciphers"
@@ -7,13 +7,18 @@ if test "x$REGRESS_INTEROP_DROPBEAR" != "xyes" ; then
skip "dropbear interop tests not enabled"
fi
+# Enable all support algorithms
+algs=`$SSH -Q key-sig | tr '\n' ,`
cat >>$OBJ/sshd_proxy <<EOD
-PubkeyAcceptedAlgorithms +ssh-rsa,ssh-dss
-HostkeyAlgorithms +ssh-rsa,ssh-dss
+PubkeyAcceptedAlgorithms $algs
+HostkeyAlgorithms $algs
EOD
-ciphers=`$DBCLIENT -c help 2>&1 | awk '/ ciphers: /{print $4}' | tr ',' ' '`
-macs=`$DBCLIENT -m help 2>&1 | awk '/ MACs: /{print $4}' | tr ',' ' '`
+ciphers=`$DBCLIENT -c help hst 2>&1 | awk '/ ciphers: /{print $4}' | tr ',' ' '`
+macs=`$DBCLIENT -m help hst 2>&1 | awk '/ MACs: /{print $4}' | tr ',' ' '`
+if [ -z "$macs" ] || [ -z "$ciphers" ]; then
+ skip "dbclient query ciphers '$ciphers' or macs '$macs' failed"
+fi
keytype=`(cd $OBJ/.dropbear && ls id_*)`
for c in $ciphers ; do
diff --git a/regress/dropbear-kex.sh b/regress/dropbear-kex.sh
index a25de3e..d9f1b32 100644
--- a/regress/dropbear-kex.sh
+++ b/regress/dropbear-kex.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: dropbear-kex.sh,v 1.1 2023/10/20 06:56:45 dtucker Exp $
+# $OpenBSD: dropbear-kex.sh,v 1.3 2024/06/19 10:10:46 dtucker Exp $
# Placed in the Public Domain.
tid="dropbear kex"
@@ -7,21 +7,19 @@ if test "x$REGRESS_INTEROP_DROPBEAR" != "xyes" ; then
skip "dropbear interop tests not enabled"
fi
-cat >>$OBJ/sshd_proxy <<EOD
-PubkeyAcceptedAlgorithms +ssh-rsa,ssh-dss
-HostkeyAlgorithms +ssh-rsa,ssh-dss
-EOD
cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
-kex="curve25519-sha256 curve25519-sha256@libssh.org
- diffie-hellman-group14-sha256 diffie-hellman-group14-sha1"
+kex="curve25519-sha256 curve25519-sha256@libssh.org"
+if $SSH -Q kex | grep 'diffie-hellman-group14-sha1'; then
+ kex="$kex diffie-hellman-group14-sha256 diffie-hellman-group14-sha1"
+fi
for k in $kex; do
verbose "$tid: kex $k"
rm -f ${COPY}
# dbclient doesn't have switch for kex, so force in server
(cat $OBJ/sshd_proxy.bak; echo "KexAlgorithms $k") >$OBJ/sshd_proxy
- env HOME=$OBJ dbclient -y -i $OBJ/.dropbear/id_rsa 2>$OBJ/dbclient.log \
+ env HOME=$OBJ dbclient -y -i $OBJ/.dropbear/id_ed25519 2>$OBJ/dbclient.log \
-J "$OBJ/ssh_proxy.sh" somehost cat ${DATA} > ${COPY}
if [ $? -ne 0 ]; then
fail "ssh cat $DATA failed"
diff --git a/regress/key-options.sh b/regress/key-options.sh
index 2f3d66e..623128c 100644
--- a/regress/key-options.sh
+++ b/regress/key-options.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: key-options.sh,v 1.9 2018/07/03 13:53:26 djm Exp $
+# $OpenBSD: key-options.sh,v 1.10 2024/03/25 02:07:08 dtucker Exp $
# Placed in the Public Domain.
tid="key options"
diff --git a/regress/misc/fuzz-harness/agent_fuzz_helper.c b/regress/misc/fuzz-harness/agent_fuzz_helper.c
index c3051c7..321343b 100644
--- a/regress/misc/fuzz-harness/agent_fuzz_helper.c
+++ b/regress/misc/fuzz-harness/agent_fuzz_helper.c
@@ -112,7 +112,6 @@ reset_idtab(void)
idtab_init();
// Load keys.
add_key(PRIV_RSA, CERT_RSA);
- add_key(PRIV_DSA, CERT_DSA);
add_key(PRIV_ECDSA, CERT_ECDSA);
add_key(PRIV_ED25519, CERT_ED25519);
add_key(PRIV_ECDSA_SK, CERT_ECDSA_SK);
diff --git a/regress/misc/fuzz-harness/kex_fuzz.cc b/regress/misc/fuzz-harness/kex_fuzz.cc
index d38ca85..f126d93 100644
--- a/regress/misc/fuzz-harness/kex_fuzz.cc
+++ b/regress/misc/fuzz-harness/kex_fuzz.cc
@@ -144,7 +144,6 @@ static int
prepare_keys(struct shared_state *st)
{
if (prepare_key(st, KEY_RSA, 2048) != 0 ||
- prepare_key(st, KEY_DSA, 1024) != 0 ||
prepare_key(st, KEY_ECDSA, 256) != 0 ||
prepare_key(st, KEY_ED25519, 256) != 0) {
error_f("key prepare failed");
@@ -264,10 +263,6 @@ prepare_key(struct shared_state *st, int kt, int bits)
pubstr = PUB_RSA;
privstr = PRIV_RSA;
break;
- case KEY_DSA:
- pubstr = PUB_DSA;
- privstr = PRIV_DSA;
- break;
case KEY_ECDSA:
pubstr = PUB_ECDSA;
privstr = PRIV_ECDSA;
@@ -325,7 +320,7 @@ int main(void)
{
static struct shared_state *st;
struct test_state *ts;
- const int keytypes[] = { KEY_RSA, KEY_DSA, KEY_ECDSA, KEY_ED25519, -1 };
+ const int keytypes[] = { KEY_RSA, KEY_ECDSA, KEY_ED25519, -1 };
static const char * const kextypes[] = {
"sntrup761x25519-sha512@openssh.com",
"curve25519-sha256@libssh.org",
@@ -399,7 +394,6 @@ static void
do_kex(struct shared_state *st, struct test_state *ts, const char *kex)
{
do_kex_with_key(st, ts, kex, KEY_RSA);
- do_kex_with_key(st, ts, kex, KEY_DSA);
do_kex_with_key(st, ts, kex, KEY_ECDSA);
do_kex_with_key(st, ts, kex, KEY_ED25519);
}
diff --git a/regress/misc/fuzz-harness/sig_fuzz.cc b/regress/misc/fuzz-harness/sig_fuzz.cc
index b32502b..639e4d2 100644
--- a/regress/misc/fuzz-harness/sig_fuzz.cc
+++ b/regress/misc/fuzz-harness/sig_fuzz.cc
@@ -26,7 +26,6 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
{
#ifdef WITH_OPENSSL
static struct sshkey *rsa = generate_or_die(KEY_RSA, 2048);
- static struct sshkey *dsa = generate_or_die(KEY_DSA, 1024);
static struct sshkey *ecdsa256 = generate_or_die(KEY_ECDSA, 256);
static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384);
static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521);
@@ -41,19 +40,20 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
sshkey_sig_details_free(details);
details = NULL;
- sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
- sshkey_sig_details_free(details);
- details = NULL;
+
sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
sshkey_sig_details_free(details);
details = NULL;
+
sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
sshkey_sig_details_free(details);
details = NULL;
+
sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
sshkey_sig_details_free(details);
details = NULL;
#endif
+
sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
sshkey_sig_details_free(details);
return 0;
diff --git a/regress/penalty-expire.sh b/regress/penalty-expire.sh
new file mode 100644
index 0000000..4f0bbe6
--- /dev/null
+++ b/regress/penalty-expire.sh
@@ -0,0 +1,35 @@
+# $OpenBSD
+# Placed in the Public Domain.
+
+tid="penalties"
+
+grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak
+cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak
+
+conf() {
+ test -z "$PIDFILE" || stop_sshd
+ (cat $OBJ/sshd_config.bak ;
+ echo "PerSourcePenalties $@") > $OBJ/sshd_config
+ cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+ start_sshd
+}
+
+conf "noauth:10s authfail:10s max:20s min:1s"
+
+verbose "test connect"
+${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
+
+verbose "penalty expiry"
+
+# Incur a penalty
+cat /dev/null > $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail connect succeeded"
+sleep 2
+
+# Check denied
+cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail not rejected"
+
+# Let it expire and try again.
+sleep 11
+${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired"
diff --git a/regress/penalty.sh b/regress/penalty.sh
new file mode 100644
index 0000000..8b83532
--- /dev/null
+++ b/regress/penalty.sh
@@ -0,0 +1,52 @@
+# $OpenBSD
+# Placed in the Public Domain.
+
+tid="penalties"
+
+grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak
+cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak
+
+conf() {
+ test -z "$PIDFILE" || stop_sshd
+ (cat $OBJ/sshd_config.bak ;
+ echo "PerSourcePenalties $@") > $OBJ/sshd_config
+ cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+ start_sshd
+}
+
+conf "authfail:300s min:350s max:900s"
+
+verbose "test connect"
+${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
+
+verbose "penalty for authentication failure"
+
+# Fail authentication once
+cat /dev/null > $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded"
+cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+sleep 2
+
+# Should be below penalty threshold
+${SSH} -F $OBJ/ssh_config somehost true || fatal "authfail not expired"
+sleep 2
+
+# Fail authentication again; penalty should activate
+cat /dev/null > $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded"
+cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+sleep 2
+
+# These should be refused by the active penalty
+${SSH} -F $OBJ/ssh_config somehost true && fail "authfail not rejected"
+${SSH} -F $OBJ/ssh_config somehost true && fail "repeat authfail not rejected"
+
+conf "noauth:100s"
+${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
+verbose "penalty for no authentication"
+${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null || fatal "keyscan failed"
+sleep 2
+
+# Repeat attempt should be penalised
+${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null 2>&1 && fail "keyscan not rejected"
+
diff --git a/regress/percent.sh b/regress/percent.sh
index 44561d4..354854f 100644
--- a/regress/percent.sh
+++ b/regress/percent.sh
@@ -3,11 +3,6 @@
tid="percent expansions"
-if [ -x "/usr/xpg4/bin/id" ]; then
- PATH=/usr/xpg4/bin:$PATH
- export PATH
-fi
-
USER=`id -u -n`
USERID=`id -u`
HOST=`hostname | cut -f1 -d.`
diff --git a/regress/rekey.sh b/regress/rekey.sh
index 61723cd..8005a86 100644
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: rekey.sh,v 1.19 2021/07/19 05:08:54 dtucker Exp $
+# $OpenBSD: rekey.sh,v 1.20 2024/05/22 04:20:00 djm Exp $
# Placed in the Public Domain.
tid="rekey"
@@ -14,7 +14,7 @@ ssh_data_rekeying()
{
_kexopt=$1 ; shift
_opts="$@"
- if ! test -z "$_kexopts" ; then
+ if ! test -z "$_kexopt" ; then
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "$_kexopt" >> $OBJ/sshd_proxy
_opts="$_opts -o$_kexopt"
diff --git a/regress/sftp-cmds.sh b/regress/sftp-cmds.sh
index 85f0e97..5640471 100644
--- a/regress/sftp-cmds.sh
+++ b/regress/sftp-cmds.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: sftp-cmds.sh,v 1.15 2022/03/31 03:07:33 djm Exp $
+# $OpenBSD: sftp-cmds.sh,v 1.20 2024/07/01 03:10:19 djm Exp $
# Placed in the Public Domain.
# XXX - TODO:
@@ -28,12 +28,12 @@ rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2
mkdir ${COPY}.dd
verbose "$tid: lls"
-(echo "lcd ${OBJ}" ; echo "lls") | ${SFTP} -D ${SFTPSERVER} 2>&1 | \
- grep copy.dd >/dev/null 2>&1 || fail "lls failed"
+printf "lcd ${OBJ}\nlls\n" | ${SFTP} -D ${SFTPSERVER} 2>&1 | \
+ grep copy.dd >/dev/null || fail "lls failed"
verbose "$tid: lls w/path"
echo "lls ${OBJ}" | ${SFTP} -D ${SFTPSERVER} 2>&1 | \
- grep copy.dd >/dev/null 2>&1 || fail "lls w/path failed"
+ grep copy.dd >/dev/null || fail "lls w/path failed"
verbose "$tid: ls"
echo "ls ${OBJ}" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
@@ -41,9 +41,8 @@ echo "ls ${OBJ}" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
# XXX always successful
verbose "$tid: shell"
-echo "!echo hi there" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
- || fail "shell failed"
-# XXX always successful
+echo "!echo hi there" | ${SFTP} -D ${SFTPSERVER} 2>&1 | \
+ egrep '^hi there$' >/dev/null || fail "shell failed"
verbose "$tid: pwd"
echo "pwd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
@@ -104,7 +103,7 @@ rm -f ${COPY}.dd/*
verbose "$tid: get to directory"
echo "get $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
|| fail "get failed"
-cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after get"
+cmp $DATA ${COPY}.dd/${DATANAME} || fail "corrupted copy after get"
rm -f ${COPY}.dd/*
verbose "$tid: glob get to directory"
@@ -116,13 +115,13 @@ done
rm -f ${COPY}.dd/*
verbose "$tid: get to local dir"
-(echo "lcd ${COPY}.dd"; echo "get $DATA" ) | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+printf "lcd ${COPY}.dd\nget $DATA\n" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
|| fail "get failed"
-cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after get"
+cmp $DATA ${COPY}.dd/${DATANAME} || fail "corrupted copy after get"
rm -f ${COPY}.dd/*
verbose "$tid: glob get to local dir"
-(echo "lcd ${COPY}.dd"; echo "get /bin/l*") | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+printf "lcd ${COPY}.dd\nget /bin/l*\n" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
|| fail "get failed"
for x in $GLOBFILES; do
cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after get"
@@ -150,7 +149,7 @@ rm -f ${COPY}.dd/*
verbose "$tid: put to directory"
echo "put $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
|| fail "put failed"
-cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after put"
+cmp $DATA ${COPY}.dd/${DATANAME} || fail "corrupted copy after put"
rm -f ${COPY}.dd/*
verbose "$tid: glob put to directory"
@@ -162,13 +161,13 @@ done
rm -f ${COPY}.dd/*
verbose "$tid: put to local dir"
-(echo "cd ${COPY}.dd"; echo "put $DATA") | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+printf "cd ${COPY}.dd\nput $DATA\n" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
|| fail "put failed"
-cmp $DATA ${COPY}.dd/$DATANAME || fail "corrupted copy after put"
+cmp $DATA ${COPY}.dd/${DATANAME} || fail "corrupted copy after put"
rm -f ${COPY}.dd/*
verbose "$tid: glob put to local dir"
-(echo "cd ${COPY}.dd"; echo "put /bin/l?") | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+printf "cd ${COPY}.dd\nput /bin/l*\n" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
|| fail "put failed"
for x in $GLOBFILES; do
cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after put"
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index ad62794..7afc280 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.108 2024/03/08 11:34:10 dtucker Exp $
+# $OpenBSD: test-exec.sh,v 1.119 2024/06/20 08:18:34 dtucker Exp $
# Placed in the Public Domain.
#SUDO=sudo
@@ -90,6 +90,7 @@ SSHKEYGEN=ssh-keygen
SSHKEYSCAN=ssh-keyscan
SFTP=sftp
SFTPSERVER=/usr/libexec/openssh/sftp-server
+SSHD_SESSION=/usr/libexec/sshd-session
SCP=scp
# Set by make_tmpdir() on demand (below).
@@ -115,6 +116,9 @@ NC=$OBJ/netcat
if [ "x$TEST_SSH_SSH" != "x" ]; then
SSH="${TEST_SSH_SSH}"
fi
+if [ "x$TEST_SSH_SSHD_SESSION" != "x" ]; then
+ SSHD_SESSION="${TEST_SSH_SSHD_SESSION}"
+fi
if [ "x$TEST_SSH_SSHD" != "x" ]; then
SSHD="${TEST_SSH_SSHD}"
fi
@@ -348,7 +352,7 @@ ssh_logfile ()
# [kbytes] to ensure the file is at least that large.
DATANAME=data
DATA=$OBJ/${DATANAME}
-cat ${SSHAGENT_BIN} >${DATA}
+cat ${SSH_BIN} >${DATA}
chmod u+w ${DATA}
COPY=$OBJ/copy
rm -f ${COPY}
@@ -356,7 +360,7 @@ rm -f ${COPY}
increase_datafile_size()
{
while [ `du -k ${DATA} | cut -f1` -lt $1 ]; do
- cat ${SSHAGENT_BIN} >>${DATA}
+ cat ${SSH_BIN} >>${DATA}
done
}
@@ -392,6 +396,7 @@ have_prog()
jot() {
awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
}
+
if [ ! -x "`which rev`" ]; then
rev()
{
@@ -399,6 +404,13 @@ rev()
}
fi
+if [ -x "/usr/xpg4/bin/id" ]; then
+id()
+{
+ /usr/xpg4/bin/id $@
+}
+fi
+
# Check whether preprocessor symbols are defined in config.h.
config_defined ()
{
@@ -444,33 +456,32 @@ make_tmpdir ()
stop_sshd ()
{
- if [ -f $PIDFILE ]; then
- pid=`$SUDO cat $PIDFILE`
- if [ "X$pid" = "X" ]; then
- echo no sshd running
+ [ -z $PIDFILE ] && return
+ [ -f $PIDFILE ] || return
+ pid=`$SUDO cat $PIDFILE`
+ if [ "X$pid" = "X" ]; then
+ echo "no sshd running" 1>&2
+ return
+ elif [ $pid -lt 2 ]; then
+ echo "bad pid for sshd: $pid" 1>&2
+ return
+ fi
+ $SUDO kill $pid
+ trace "wait for sshd to exit"
+ i=0;
+ while [ -f $PIDFILE -a $i -lt 5 ]; do
+ i=`expr $i + 1`
+ sleep $i
+ done
+ if test -f $PIDFILE; then
+ if $SUDO kill -0 $pid; then
+ echo "sshd didn't exit port $PORT pid $pid" 1>&2
else
- if [ $pid -lt 2 ]; then
- echo bad pid for sshd: $pid
- else
- $SUDO kill $pid
- trace "wait for sshd to exit"
- i=0;
- while [ -f $PIDFILE -a $i -lt 5 ]; do
- i=`expr $i + 1`
- sleep $i
- done
- if test -f $PIDFILE; then
- if $SUDO kill -0 $pid; then
- echo "sshd didn't exit " \
- "port $PORT pid $pid"
- else
- echo "sshd died without cleanup"
- fi
- exit 1
- fi
- fi
+ echo "sshd died without cleanup" 1>&2
fi
+ exit 1
fi
+ PIDFILE=""
}
# helper
@@ -609,6 +620,8 @@ cat << EOF > $OBJ/sshd_config
AcceptEnv _XXX_TEST_*
AcceptEnv _XXX_TEST
Subsystem sftp $SFTPSERVER
+ SshdSessionPath $SSHD_SESSION
+ PerSourcePenalties no
EOF
# This may be necessary if /usr/src and/or /usr/obj are group-writable,
@@ -802,17 +815,18 @@ puttysetup() {
echo "ProxyLocalhost=1" >> ${OBJ}/.putty/sessions/localhost_proxy
PUTTYVER="`${PLINK} --version | awk '/plink: Release/{print $3}'`"
+ PUTTYMAJORVER="`echo ${PUTTYVER} | cut -f1 -d.`"
PUTTYMINORVER="`echo ${PUTTYVER} | cut -f2 -d.`"
- verbose "plink version ${PUTTYVER} minor ${PUTTYMINORVER}"
+ verbose "plink version ${PUTTYVER} major ${PUTTYMAJORVER} minor ${PUTTYMINORVER}"
# Re-enable ssh-rsa on older PuTTY versions since they don't do newer
# key types.
- if [ "$PUTTYMINORVER" -lt "76" ]; then
+ if [ "$PUTTYMAJORVER" -eq "0" ] && [ "$PUTTYMINORVER" -lt "76" ]; then
echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
fi
- if [ "$PUTTYMINORVER" -le "64" ]; then
+ if [ "$PUTTYMAJORVER" -eq "0" ] && [ "$PUTTYMINORVER" -le "64" ]; then
echo "KexAlgorithms +diffie-hellman-group14-sha1" \
>>${OBJ}/sshd_proxy
fi
@@ -832,15 +846,25 @@ esac
if test "$REGRESS_INTEROP_DROPBEAR" = "yes" ; then
trace Create dropbear keys and add to authorized_keys
mkdir -p $OBJ/.dropbear
- for i in rsa ecdsa ed25519 dss; do
+ kt="ed25519"
+ for i in dss rsa ecdsa; do
+ if $SSH -Q key-plain | grep "$i" >/dev/null; then
+ kt="$kt $i"
+ else
+ rm -f "$OBJ/.dropbear/id_$i"
+ fi
+ done
+ for i in $kt; do
if [ ! -f "$OBJ/.dropbear/id_$i" ]; then
- ($DROPBEARKEY -t $i -f $OBJ/.dropbear/id_$i
- $DROPBEARCONVERT dropbear openssh \
- $OBJ/.dropbear/id_$i $OBJ/.dropbear/ossh.id_$i
- ) > /dev/null 2>&1
+ verbose Create dropbear key type $i
+ $DROPBEARKEY -t $i -f $OBJ/.dropbear/id_$i \
+ >/dev/null 2>&1
fi
+ $DROPBEARCONVERT dropbear openssh $OBJ/.dropbear/id_$i \
+ $OBJ/.dropbear/ossh.id_$i >/dev/null 2>&1
$SSHKEYGEN -y -f $OBJ/.dropbear/ossh.id_$i \
>>$OBJ/authorized_keys_$USER
+ rm -f $OBJ/.dropbear/id_$i.pub $OBJ/.dropbear/ossh.id_$i
done
fi
@@ -861,6 +885,7 @@ chmod a+x $OBJ/ssh_proxy.sh
start_sshd ()
{
+ PIDFILE=$OBJ/pidfile
# start sshd
logfile="${TEST_SSH_LOGDIR}/sshd.`$OBJ/timestamp`.$$.log"
$SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken"
@@ -873,6 +898,7 @@ start_sshd ()
i=`expr $i + 1`
sleep $i
done
+ ln -f -s ${logfile} $TEST_SSHD_LOGFILE
test -f $PIDFILE || fatal "no sshd running on port $PORT"
}
diff --git a/regress/unittests/kex/Makefile b/regress/unittests/kex/Makefile
index 981affe..3c89840 100644
--- a/regress/unittests/kex/Makefile
+++ b/regress/unittests/kex/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.14 2023/02/02 12:12:52 djm Exp $
+# $OpenBSD: Makefile,v 1.15 2024/05/19 19:10:01 anton Exp $
PROG=test_kex
SRCS=tests.c test_kex.c test_proposal.c
@@ -14,6 +14,7 @@ SRCS+=cipher-chachapoly.c chacha.c poly1305.c ssh-ecdsa-sk.c ssh-sk.c
SRCS+=ssh-ed25519-sk.c sk-usbhid.c
SRCS+= kex.c
+SRCS+= kex-names.c
SRCS+= dh.c
SRCS+= kexdh.c
SRCS+= kexecdh.c
diff --git a/regress/unittests/kex/test_kex.c b/regress/unittests/kex/test_kex.c
index dc1014e..b1161ea 100644
--- a/regress/unittests/kex/test_kex.c
+++ b/regress/unittests/kex/test_kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_kex.c,v 1.7 2024/01/11 01:45:58 djm Exp $ */
+/* $OpenBSD: test_kex.c,v 1.8 2024/03/25 19:28:09 djm Exp $ */
/*
* Regress test KEX
*
@@ -22,6 +22,7 @@
#include "sshbuf.h"
#include "packet.h"
#include "myproposal.h"
+#include "log.h"
void kex_tests(void);
static int do_debug = 0;
@@ -177,6 +178,9 @@ do_kex_with_key(char *kex, int keytype, int bits)
static void
do_kex(char *kex)
{
+#if 0
+ log_init("test_kex", SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 1);
+#endif
#ifdef WITH_OPENSSL
do_kex_with_key(kex, KEY_RSA, 2048);
#ifdef WITH_DSA
diff --git a/regress/yes-head.sh b/regress/yes-head.sh
index 1bde504..9885501 100644
--- a/regress/yes-head.sh
+++ b/regress/yes-head.sh
@@ -6,7 +6,7 @@ tid="yes pipe head"
lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
if [ $? -ne 0 ]; then
fail "yes|head test failed"
-+ lines=0
+ lines=0
fi
if [ $lines -ne 2000 ]; then
fail "yes|head returns $lines lines instead of 2000"