Diffstat (limited to 'regress')
-rw-r--r--regress/Makefile3
-rw-r--r--regress/allow-deny-users.sh12
-rw-r--r--regress/authinfo.sh2
-rwxr-xr-xregress/cert-file.sh6
-rwxr-xr-xregress/cert-hostkey.sh9
-rw-r--r--regress/cfgmatchlisten.sh202
-rwxr-xr-xregress/cfgparse.sh6
-rwxr-xr-xregress/forward-control.sh77
-rw-r--r--regress/forwarding.sh3
-rwxr-xr-xregress/key-options.sh5
-rwxr-xr-xregress/keygen-knownhosts.sh35
-rw-r--r--regress/mkdtemp.c61
-rw-r--r--regress/multiplex.sh3
-rw-r--r--regress/rekey.sh12
-rw-r--r--regress/setuid-allowed.c1
-rw-r--r--regress/sshcfgparse.sh62
-rw-r--r--regress/test-exec.sh32
-rw-r--r--regress/unittests/hostkeys/test_iterate.c37
-rw-r--r--regress/unittests/match/tests.c4
-rw-r--r--regress/unittests/sshkey/test_sshkey.c5
-rwxr-xr-xregress/valgrind-unit.sh6
21 files changed, 526 insertions, 57 deletions
diff --git a/regress/Makefile b/regress/Makefile
index d15898ad0ba15..647b4a049be3a 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.96 2017/10/24 19:33:32 millert Exp $
+# $OpenBSD: Makefile,v 1.97 2018/06/07 04:46:34 djm Exp $
REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
tests: prep $(REGRESS_TARGETS)
@@ -61,6 +61,7 @@ LTESTS= connect \
sshcfgparse \
cfgparse \
cfgmatch \
+ cfgmatchlisten \
addrmatch \
localcommand \
forcecommand \
diff --git a/regress/allow-deny-users.sh b/regress/allow-deny-users.sh
index 4165111e0da15..5c389512247c9 100644
--- a/regress/allow-deny-users.sh
+++ b/regress/allow-deny-users.sh
@@ -1,6 +1,6 @@
# Public Domain
# Zev Weiss, 2016
-# $OpenBSD: allow-deny-users.sh,v 1.4 2017/10/20 02:13:41 djm Exp $
+# $OpenBSD: allow-deny-users.sh,v 1.5 2018/07/13 02:13:50 djm Exp $
tid="AllowUsers/DenyUsers"
@@ -10,6 +10,8 @@ if [ "x$me" = "x" ]; then
fi
other="nobody"
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
+
test_auth()
{
deny="$1"
@@ -17,17 +19,19 @@ test_auth()
should_succeed="$3"
failmsg="$4"
+ cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
+ echo DenyUsers="$deny" >> $OBJ/sshd_proxy
+ echo AllowUsers="$allow" >> $OBJ/sshd_proxy
+
start_sshd -oDenyUsers="$deny" -oAllowUsers="$allow"
- ${SSH} -F $OBJ/ssh_config "$me@somehost" true
+ ${SSH} -F $OBJ/ssh_proxy "$me@somehost" true
status=$?
if (test $status -eq 0 && ! $should_succeed) \
|| (test $status -ne 0 && $should_succeed); then
fail "$failmsg"
fi
-
- stop_sshd
}
# DenyUsers AllowUsers should_succeed failure_message
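Review bot: With `stop_sshd` removed from the end of test_auth, the `start_sshd -oDenyUsers="$deny" -oAllowUsers="$allow"` line the hunk keeps now runs once per test_auth call with no matching stop, so each invocation launches another listening daemon and the pid recorded for cleanup is overwritten (assuming start_sshd is the test-exec.sh helper that starts sshd on $PORT). Since the client was switched to `-F $OBJ/ssh_proxy` and the Deny/AllowUsers directives are now appended to that file, the listening daemon does not appear to be used by this test any more; drop the `start_sshd` line, or restore `stop_sshd` at the end of the function if something else still depends on it. test_auth's header is in the previous hunk.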
diff --git a/regress/authinfo.sh b/regress/authinfo.sh
index 3caf89478c1bb..693424afafa7e 100644
--- a/regress/authinfo.sh
+++ b/regress/authinfo.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: authinfo.sh,v 1.2 2017/10/25 20:08:36 millert Exp $
+# $OpenBSD: authinfo.sh,v 1.3 2018/04/10 00:13:27 djm Exp $
# Placed in the Public Domain.
tid="authinfo"
diff --git a/regress/cert-file.sh b/regress/cert-file.sh
index 8fd62c7730d97..1157a3582e5f0 100755
--- a/regress/cert-file.sh
+++ b/regress/cert-file.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-file.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
+# $OpenBSD: cert-file.sh,v 1.7 2018/04/10 00:14:10 djm Exp $
# Placed in the Public Domain.
tid="ssh with certificates"
@@ -52,7 +52,7 @@ echo "cert-authority $(cat $OBJ/user_ca_key1.pub)" > $OBJ/authorized_keys_$USER
cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config
# XXX: verify that certificate used was what we expect. Needs exposure of
-# keys via enviornment variable or similar.
+# keys via environment variable or similar.
# Key with no .pub should work - finding the equivalent *-cert.pub.
verbose "identity cert with no plain public file"
@@ -138,7 +138,7 @@ fi
# try ssh with the agent and certificates
opts="-F $OBJ/ssh_proxy"
-# with no certificates, shoud fail
+# with no certificates, should fail
${SSH} $opts somehost exit 52
if [ $? -eq 52 ]; then
fail "ssh connect with agent in succeeded with no cert"
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 3d5732a5d4faf..d2ecd318beae7 100755
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-hostkey.sh,v 1.15 2017/04/30 23:34:55 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.16 2018/07/03 11:43:49 djm Exp $
# Placed in the Public Domain.
tid="certified host keys"
@@ -14,6 +14,13 @@ for i in `$SSH -Q key`; do
continue
fi
case "$i" in
+ # Special treatment for RSA keys.
+ *rsa*cert*)
+ types="rsa-sha2-256-cert-v01@openssh.com,$i,$types"
+ types="rsa-sha2-512-cert-v01@openssh.com,$types";;
+ *rsa*)
+ types="$types,rsa-sha2-512,rsa-sha2-256,$i";;
+ # Prefer certificate to plain keys.
*cert*) types="$i,$types";;
*) types="$types,$i";;
esac
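Review bot: The two new RSA arms assume each pass of the enclosing `for i in `$SSH -Q key`` loop sees one RSA certificate type and one plain RSA type: `*rsa*cert*)` prepends the fixed `rsa-sha2-256-cert-v01@openssh.com`/`rsa-sha2-512-cert-v01@openssh.com` names on every match and `*rsa*)` appends `rsa-sha2-512,rsa-sha2-256` on every match, so if the query ever listed the rsa-sha2-* names themselves `types` would contain duplicates and the first pattern would capture them as well. That assumption belongs in the comment, e.g. `# Assumes -Q key reports only the ssh-rsa types; the rsa-sha2-* names are added here by hand.` The for loop starts outside the hunk.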
diff --git a/regress/cfgmatchlisten.sh b/regress/cfgmatchlisten.sh
new file mode 100644
index 0000000000000..a4fd66b3224c6
--- /dev/null
+++ b/regress/cfgmatchlisten.sh
@@ -0,0 +1,202 @@
+# $OpenBSD: cfgmatchlisten.sh,v 1.3 2018/07/02 14:13:30 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="sshd_config matchlisten"
+
+pidfile=$OBJ/remote_pid
+fwdport=3301
+fwdspec="localhost:${fwdport}"
+fwd="-R $fwdport:127.0.0.1:$PORT"
+
+echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config
+echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
+
+start_client()
+{
+ rm -f $pidfile
+ ${SSH} -vvv $fwd "$@" somehost true >>$TEST_REGRESS_LOGFILE 2>&1
+ r=$?
+ if [ $r -ne 0 ]; then
+ return $r
+ fi
+ ${SSH} -vvv $fwd "$@" somehost \
+ exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
+ >>$TEST_REGRESS_LOGFILE 2>&1 &
+ client_pid=$!
+ # Wait for remote end
+ n=0
+ while test ! -f $pidfile ; do
+ sleep 1
+ n=`expr $n + 1`
+ if test $n -gt 60; then
+ kill $client_pid
+ fatal "timeout waiting for background ssh"
+ fi
+ done
+ return $r
+}
+
+expect_client_ok()
+{
+ start_client "$@" ||
+ fail "client did not start"
+}
+
+expect_client_fail()
+{
+ local failmsg="$1"
+ shift
+ start_client "$@" &&
+ fail $failmsg
+}
+
+stop_client()
+{
+ pid=`cat $pidfile`
+ if [ ! -z "$pid" ]; then
+ kill $pid
+ fi
+ wait
+}
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+echo "PermitListen 127.0.0.1:1" >>$OBJ/sshd_config
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
+echo "PermitListen 127.0.0.1:2 127.0.0.1:3 $fwdspec" >>$OBJ/sshd_config
+
+grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:1" >>$OBJ/sshd_proxy
+echo "Match user $USER" >>$OBJ/sshd_proxy
+echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:2 127.0.0.1:3 $fwdspec" >>$OBJ/sshd_proxy
+
+start_sshd
+
+#set -x
+
+# Test Match + PermitListen in sshd_config. This should be permitted
+trace "match permitlisten localhost"
+expect_client_ok -F $OBJ/ssh_config
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+ fail "match permitlisten permit"
+stop_client
+
+# Same but from different source. This should not be permitted
+trace "match permitlisten proxy"
+expect_client_fail "match permitlisten deny" \
+ -F $OBJ/ssh_proxy
+
+# Retry previous with key option, should also be denied.
+cp /dev/null $OBJ/authorized_keys_$USER
+for t in ${SSH_KEYTYPES}; do
+ printf 'permitlisten="'$fwdspec'" ' >> $OBJ/authorized_keys_$USER
+ cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+done
+trace "match permitlisten proxy w/key opts"
+expect_client_fail "match permitlisten deny w/key opt"\
+ -F $OBJ/ssh_proxy
+
+# Test both sshd_config and key options permitting the same dst/port pair.
+# Should be permitted.
+trace "match permitlisten localhost"
+expect_client_ok -F $OBJ/ssh_config
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+ fail "match permitlisten permit"
+stop_client
+
+# Test that a bare port number is accepted in PermitListen
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:1 $fwdport 127.0.0.2:2" >>$OBJ/sshd_proxy
+trace "match permitlisten bare"
+expect_client_ok -F $OBJ/ssh_config
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+ fail "match permitlisten bare"
+stop_client
+
+# Test that an incorrect bare port number is denied as expected
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitListen 1 2 99" >>$OBJ/sshd_proxy
+trace "match permitlisten bare"
+expect_client_fail -F $OBJ/ssh_config
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:1 $fwdspec 127.0.0.2:2" >>$OBJ/sshd_proxy
+echo "Match User $USER" >>$OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
+
+# Test that a Match overrides a PermitListen in the global section
+trace "match permitlisten proxy w/key opts"
+expect_client_fail "match override permitlisten" \
+ -F $OBJ/ssh_proxy
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:1 $fwdspec 127.0.0.2:2" >>$OBJ/sshd_proxy
+echo "Match User NoSuchUser" >>$OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
+
+# Test that a rule that doesn't match doesn't override, plus test a
+# PermitListen entry that's not at the start of the list
+trace "nomatch permitlisten proxy w/key opts"
+expect_client_ok -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+ fail "nomatch override permitlisten"
+stop_client
+
+# bind to 127.0.0.1 instead of default localhost
+fwdspec2="127.0.0.1:${fwdport}"
+fwd="-R ${fwdspec2}:127.0.0.1:$PORT"
+
+# first try w/ old fwdspec both in server config and key opts
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:1 $fwdspec 127.0.0.2:2" >>$OBJ/sshd_proxy
+cp /dev/null $OBJ/authorized_keys_$USER
+for t in ${SSH_KEYTYPES}; do
+ printf 'permitlisten="'$fwdspec'" ' >> $OBJ/authorized_keys_$USER
+ cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+done
+trace "nomatch permitlisten 127.0.0.1 server config and userkey"
+expect_client_fail "nomatch 127.0.0.1 server config and userkey" \
+ -F $OBJ/ssh_config
+
+# correct server config, denied by key opts
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:1 ${fwdspec2} 127.0.0.2:2" >>$OBJ/sshd_proxy
+trace "nomatch permitlisten 127.0.0.1 w/key opts"
+expect_client_fail "nomatch 127.0.0.1 w/key opts" \
+ -F $OBJ/ssh_config
+
+# fix key opts
+cp /dev/null $OBJ/authorized_keys_$USER
+for t in ${SSH_KEYTYPES}; do
+ printf 'permitlisten="'$fwdspec2'" ' >> $OBJ/authorized_keys_$USER
+ cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+done
+trace "match permitlisten 127.0.0.1 server config w/key opts"
+expect_client_ok -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+ fail "match 127.0.0.1 server config w/key opts"
+stop_client
+
+# key opts with bare port number
+cp /dev/null $OBJ/authorized_keys_$USER
+for t in ${SSH_KEYTYPES}; do
+ printf 'permitlisten="'$fwdport'" ' >> $OBJ/authorized_keys_$USER
+ cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+done
+trace "match permitlisten 127.0.0.1 server config w/key opts (bare)"
+expect_client_ok -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+ fail "match 127.0.0.1 server config w/key opts (bare)"
+stop_client
+
+# key opts with incorrect bare port number
+cp /dev/null $OBJ/authorized_keys_$USER
+for t in ${SSH_KEYTYPES}; do
+ printf 'permitlisten="99" ' >> $OBJ/authorized_keys_$USER
+ cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+done
+trace "match permitlisten 127.0.0.1 server config w/key opts (wrong bare)"
+expect_client_fail "nomatch 127.0.0.1 w/key opts (wrong bare)" \
+ -F $OBJ/ssh_config
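Review bot: The call under `# Test that an incorrect bare port number is denied as expected`, `expect_client_fail -F $OBJ/ssh_config`, omits the failure-message argument, so expect_client_fail shifts `-F` off as its message and runs `start_client $OBJ/ssh_config`; that ssh invocation then carries the config path as an extra positional argument and most likely fails for an unrelated reason, which makes the check pass without ever exercising `PermitListen 1 2 99`. It should read `expect_client_fail "match permitlisten wrong bare" -F $OBJ/ssh_config`, and the preceding `trace "match permitlisten bare"` repeats the label of the previous test, so the log cannot tell the two apart. Separately, `fail $failmsg` in expect_client_fail is unquoted, so a message is word-split and glob-expanded before reaching fail; `fail "$failmsg"` is safer.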
diff --git a/regress/cfgparse.sh b/regress/cfgparse.sh
index ccf511f6b861e..a9e5c6b09ee2d 100755
--- a/regress/cfgparse.sh
+++ b/regress/cfgparse.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cfgparse.sh,v 1.6 2016/06/03 03:47:59 dtucker Exp $
+# $OpenBSD: cfgparse.sh,v 1.7 2018/05/11 03:51:06 dtucker Exp $
# Placed in the Public Domain.
tid="sshd config parse"
@@ -10,8 +10,8 @@ fi
# We need to use the keys generated for the regression test because sshd -T
# will fail if we're not running with SUDO (no permissions for real keys) or
-# if we are # running tests on a system that has never had sshd installed
-# (keys won't exist).
+# if we are running tests on a system that has never had sshd installed
+# because the keys won't exist.
grep "HostKey " $OBJ/sshd_config > $OBJ/sshd_config_minimal
SSHD_KEYS="`cat $OBJ/sshd_config_minimal`"
diff --git a/regress/forward-control.sh b/regress/forward-control.sh
index 93d05cf6393b3..3b1f69a71e560 100755
--- a/regress/forward-control.sh
+++ b/regress/forward-control.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: forward-control.sh,v 1.5 2018/03/02 02:51:55 djm Exp $
+# $OpenBSD: forward-control.sh,v 1.7 2018/06/07 14:29:43 djm Exp $
# Placed in the Public Domain.
tid="sshd control of local and remote forwarding"
@@ -67,7 +67,7 @@ check_rfwd() {
_message=$2
rm -f $READY
${SSH} -F $OBJ/ssh_proxy \
- -R$RFWD_PORT:127.0.0.1:$PORT \
+ -R127.0.0.1:$RFWD_PORT:127.0.0.1:$PORT \
-o ExitOnForwardFailure=yes \
-n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
>/dev/null 2>&1 &
@@ -100,8 +100,8 @@ cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
check_lfwd Y "default configuration"
check_rfwd Y "default configuration"
-# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
-all_tests() {
+# Usage: lperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+lperm_tests() {
_tcpfwd=$1
_plain_lfwd=$2
_plain_rfwd=$3
@@ -109,32 +109,39 @@ all_tests() {
_nopermit_rfwd=$5
_permit_lfwd=$6
_permit_rfwd=$7
- _badfwd=127.0.0.1:22
+ _badfwd1=127.0.0.1:22
+ _badfwd2=127.0.0.2:22
_goodfwd=127.0.0.1:${PORT}
cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
_prefix="AllowTcpForwarding=$_tcpfwd"
+
# No PermitOpen
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_plain_lfwd "$_prefix"
check_rfwd $_plain_rfwd "$_prefix"
+
# PermitOpen via sshd_config that doesn't match
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ;
- echo "PermitOpen $_badfwd" ) \
+ echo "PermitOpen $_badfwd1 $_badfwd2" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen"
check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen"
# PermitOpen via sshd_config that does match
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ;
- echo "PermitOpen $_badfwd $_goodfwd" ) \
+ echo "PermitOpen $_badfwd1 $_goodfwd $_badfwd2" ) \
> ${OBJ}/sshd_proxy
+ check_lfwd $_plain_lfwd "$_prefix, PermitOpen"
+ check_rfwd $_plain_rfwd "$_prefix, PermitOpen"
+
+ # permitopen keys option.
# NB. permitopen via authorized_keys should have same
# success/fail as via sshd_config
# permitopen via authorized_keys that doesn't match
- sed "s/^/permitopen=\"$_badfwd\" /" \
+ sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_badfwd2\" /" \
< ${OBJ}/authorized_keys_${USER}.bak \
> ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
( cat ${OBJ}/sshd_proxy.bak ;
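Review bot: The new sshd_config PermitOpen "does match" checks, `check_lfwd $_plain_lfwd "$_prefix, PermitOpen"` and `check_rfwd $_plain_rfwd "$_prefix, PermitOpen"`, read the plain columns of the table even though lperm_tests has dedicated `_permit_lfwd`/`_permit_rfwd` columns, which the authorized_keys permitopen match case below does use; the comment `NB. permitopen via authorized_keys should have same success/fail as via sshd_config` argues for `$_permit_lfwd`/`$_permit_rfwd` here as well. The same pattern recurs in rperm_tests in the last hunk of this file, where `_permit_lfwd` and `_permit_rfwd` are assigned but never referenced and the table header promises a `none` (no PermitListen) case that the function does not run. The plain and match columns are currently identical in every row so nothing fails today, but the two will silently diverge as soon as a row is edited. lperm_tests begins in an earlier hunk.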
@@ -143,7 +150,7 @@ all_tests() {
check_lfwd $_nopermit_lfwd "$_prefix, !permitopen"
check_rfwd $_nopermit_rfwd "$_prefix, !permitopen"
# permitopen via authorized_keys that does match
- sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
+ sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_goodfwd\" /" \
< ${OBJ}/authorized_keys_${USER}.bak \
> ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
( cat ${OBJ}/sshd_proxy.bak ;
@@ -151,6 +158,7 @@ all_tests() {
> ${OBJ}/sshd_proxy
check_lfwd $_permit_lfwd "$_prefix, permitopen"
check_rfwd $_permit_rfwd "$_prefix, permitopen"
+
# Check port-forwarding flags in authorized_keys.
# These two should refuse all.
sed "s/^/no-port-forwarding /" \
@@ -180,9 +188,48 @@ all_tests() {
check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding"
}
-# no-permitopen mismatch-permitopen match-permitopen
-# AllowTcpForwarding local remote local remote local remote
-all_tests yes Y Y N Y Y Y
-all_tests local Y N N N Y N
-all_tests remote N Y N Y N Y
-all_tests no N N N N N N
+# permit-open none mismatch match
+# AllowTcpForwarding local remote local remote local remote
+lperm_tests yes Y Y N Y Y Y
+lperm_tests local Y N N N Y N
+lperm_tests remote N Y N Y N Y
+lperm_tests no N N N N N N
+
+# Usage: rperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+rperm_tests() {
+ _tcpfwd=$1
+ _plain_lfwd=$2
+ _plain_rfwd=$3
+ _nopermit_lfwd=$4
+ _nopermit_rfwd=$5
+ _permit_lfwd=$6
+ _permit_rfwd=$7
+ _badfwd1=127.0.0.1:22
+ _badfwd2=127.0.0.2:${RFWD_PORT}
+ _goodfwd=127.0.0.1:${RFWD_PORT}
+ cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
+ _prefix="AllowTcpForwarding=$_tcpfwd"
+
+ # PermitListen via sshd_config that doesn't match
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ;
+ echo "PermitListen $_badfwd1 $_badfwd2" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_nopermit_lfwd "$_prefix, !PermitListen"
+ check_rfwd $_nopermit_rfwd "$_prefix, !PermitListen"
+ # PermitListen via sshd_config that does match
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ;
+ echo "PermitListen $_badfwd1 $_goodfwd $_badfwd2" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_plain_lfwd "$_prefix, PermitListen"
+ check_rfwd $_plain_rfwd "$_prefix, PermitListen"
+}
+
+# permit-remote-open none mismatch match
+# AllowTcpForwarding local remote local remote local remote
+rperm_tests yes Y Y Y N Y Y
+rperm_tests local Y N Y N Y N
+rperm_tests remote N Y N N N Y
+rperm_tests no N N N N N N
+
diff --git a/regress/forwarding.sh b/regress/forwarding.sh
index 39fccba7385a6..7d0fae1146976 100644
--- a/regress/forwarding.sh
+++ b/regress/forwarding.sh
@@ -10,7 +10,8 @@ start_sshd
base=33
last=$PORT
fwd=""
-CTL=/tmp/openssh.regress.ctl-sock.$$
+make_tmpdir
+CTL=${SSH_REGRESS_TMP}/ctl-sock
for j in 0 1 2; do
for i in 0 1 2; do
diff --git a/regress/key-options.sh b/regress/key-options.sh
index d680737c168b3..112c9bd8ec5cf 100755
--- a/regress/key-options.sh
+++ b/regress/key-options.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: key-options.sh,v 1.8 2018/03/14 05:35:40 djm Exp $
+# $OpenBSD: key-options.sh,v 1.9 2018/07/03 13:53:26 djm Exp $
# Placed in the Public Domain.
tid="key options"
@@ -27,6 +27,7 @@ expect_pty_succeed() {
rm -f $OBJ/data
sed "s/.*/$opts &/" $origkeys >$authkeys
verbose "key option pty $which"
+ config_defined HAVE_OPENPTY || verbose "skipped for no openpty(3)"
${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0"
if [ $? -ne 0 ] ; then
fail "key option failed $which"
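Review bot: The added `config_defined HAVE_OPENPTY || verbose "skipped for no openpty(3)"` announces a skip but does not perform one: `verbose` only logs, so the `${SSH} -ttq ...` invocation on the next line still runs and, on a build without openpty(3), reports `key option failed $which` right after a "skipped" message. If a skip is intended, leave the function in that branch, `config_defined HAVE_OPENPTY || { verbose "skipped for no openpty(3)"; return 0; }`; if only a log annotation is intended, reword the message so it does not claim a skip. The same line is added to expect_pty_fail in the next hunk. Both function bodies start outside their hunks.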
@@ -44,6 +45,7 @@ expect_pty_fail() {
rm -f $OBJ/data
sed "s/.*/$opts &/" $origkeys >$authkeys
verbose "key option pty $which"
+ config_defined HAVE_OPENPTY || verbose "skipped for no openpty(3)"
${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0"
if [ $? -eq 0 ]; then
r=`cat $OBJ/data`
@@ -63,6 +65,7 @@ expect_pty_fail "restrict" "restrict"
expect_pty_succeed "restrict,pty" "restrict,pty"
# Test environment=
+# XXX this can fail if ~/.ssh/environment exists for the user running the test
echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys
verbose "key option environment"
diff --git a/regress/keygen-knownhosts.sh b/regress/keygen-knownhosts.sh
index 693cd0e754359..37af34769ecb3 100755
--- a/regress/keygen-knownhosts.sh
+++ b/regress/keygen-knownhosts.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: keygen-knownhosts.sh,v 1.3 2015/07/17 03:34:27 djm Exp $
+# $OpenBSD: keygen-knownhosts.sh,v 1.4 2018/06/01 03:52:37 djm Exp $
# Placed in the Public Domain.
tid="ssh-keygen known_hosts"
@@ -55,13 +55,24 @@ expect_key() {
check_find() {
_host=$1
_name=$2
- _keygenopt=$3
- ${SSHKEYGEN} $_keygenopt -f $OBJ/kh.invalid -F $_host > $OBJ/kh.result
+ shift; shift
+ ${SSHKEYGEN} "$@" -f $OBJ/kh.invalid -F $_host > $OBJ/kh.result
if ! diff -w $OBJ/kh.expect $OBJ/kh.result ; then
fail "didn't find $_name"
fi
}
+check_find_exit_code() {
+ _host=$1
+ _name=$2
+ _keygenopt=$3
+ _exp_exit_code=$4
+ ${SSHKEYGEN} $_keygenopt -f $OBJ/kh.invalid -F $_host > /dev/null
+ if [ "$?" != "$_exp_exit_code" ] ; then
+ fail "Unexpected exit code $_name"
+ fi
+}
+
# Find key
rm -f $OBJ/kh.expect
expect_key host-a host-a host-a 2
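Review bot: The new check_find_exit_code keeps the `_keygenopt=$3` plus unquoted `${SSHKEYGEN} $_keygenopt` convention that this same hunk removes from check_find in favour of `shift; shift` and `"$@"`, so its options arrive as one string (`"-q -H"` in the callers of the next hunk) and depend on word splitting. For consistency, take the expected status as the third argument and pass the remainder through: `_exp_exit_code=$3; shift 3` followed by `${SSHKEYGEN} "$@" -f $OBJ/kh.invalid -F $_host > /dev/null`, with callers written as `check_find_exit_code host-a "known host" 0 -q -H`.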
@@ -88,6 +99,18 @@ rm -f $OBJ/kh.expect
expect_key host-h "host-f,host-g,host-h " host-f 17
check_find host-h "find multiple hosts"
+# Check exit code, known host
+check_find_exit_code host-a "known host" "-q" "0"
+
+# Check exit code, unknown host
+check_find_exit_code host-aa "unknown host" "-q" "1"
+
+# Check exit code, the hash mode, known host
+check_find_exit_code host-a "known host" "-q -H" "0"
+
+# Check exit code, the hash mode, unknown host
+check_find_exit_code host-aa "unknown host" "-q -H" "1"
+
check_hashed_find() {
_host=$1
_name=$2
@@ -110,19 +133,19 @@ check_hashed_find host-a "find simple and hash"
rm -f $OBJ/kh.expect
expect_key host-c host-c host-c "" CA
# CA key output is not hashed.
-check_find host-c "find simple and hash" -H
+check_find host-c "find simple and hash" -Hq
# Find revoked key and hash
rm -f $OBJ/kh.expect
expect_key host-d host-d host-d "" REVOKED
# Revoked key output is not hashed.
-check_find host-d "find simple and hash" -H
+check_find host-d "find simple and hash" -Hq
# find key with wildcard and hash
rm -f $OBJ/kh.expect
expect_key host-e "host-e*" host-e ""
# Key with wildcard hostname should not be hashed.
-check_find host-e "find wildcard key" -H
+check_find host-e "find wildcard key" -Hq
# find key among multiple hosts
rm -f $OBJ/kh.expect
diff --git a/regress/mkdtemp.c b/regress/mkdtemp.c
new file mode 100644
index 0000000000000..a7be1bdab4b05
--- /dev/null
+++ b/regress/mkdtemp.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2017 Colin Watson <cjwatson@debian.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* Roughly equivalent to "mktemp -d -t TEMPLATE", but portable. */
+
+#include "includes.h"
+
+#include <limits.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "log.h"
+
+static void
+usage(void)
+{
+ fprintf(stderr, "mkdtemp template\n");
+ exit(1);
+}
+
+int
+main(int argc, char **argv)
+{
+ const char *base;
+ const char *tmpdir;
+ char template[PATH_MAX];
+ int r;
+ char *dir;
+
+ if (argc != 2)
+ usage();
+ base = argv[1];
+
+ if ((tmpdir = getenv("TMPDIR")) == NULL)
+ tmpdir = "/tmp";
+ r = snprintf(template, sizeof(template), "%s/%s", tmpdir, base);
+ if (r < 0 || (size_t)r >= sizeof(template))
+ fatal("template string too long");
+ dir = mkdtemp(template);
+ if (dir == NULL) {
+ perror("mkdtemp");
+ exit(1);
+ }
+ puts(dir);
+ return 0;
+}
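Review bot: `getenv("TMPDIR")` is only compared against NULL, so an empty `TMPDIR=` in the environment yields the template `"/" + base` and the directory is attempted directly under `/` rather than under the intended `/tmp` fallback; treating empty like unset, `if ((tmpdir = getenv("TMPDIR")) == NULL || *tmpdir == '\0')`, fixes that. `argv[1]` is also used unchecked, so a base containing `/` or lacking the trailing `X`s reaches mkdtemp and is reported only as an errno string by the existing `perror`; a comment on main stating that the argument is expected to be a bare `NAME-XXXXXX` template would document the contract. The snprintf length check is correct as written.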
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index 078a53a889e51..a6fad8eb820cc 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,7 +1,8 @@
# $OpenBSD: multiplex.sh,v 1.28 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
-CTL=/tmp/openssh.regress.ctl-sock.$$
+make_tmpdir
+CTL=${SSH_REGRESS_TMP}/ctl-sock
tid="connection multiplexing"
diff --git a/regress/rekey.sh b/regress/rekey.sh
index ae145bc8b92ea..fd6a02cc7a625 100644
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: rekey.sh,v 1.17 2016/01/29 05:18:15 dtucker Exp $
+# $OpenBSD: rekey.sh,v 1.18 2018/04/10 00:14:10 djm Exp $
# Placed in the Public Domain.
tid="rekey"
@@ -30,7 +30,7 @@ ssh_data_rekeying()
n=`expr $n - 1`
trace "$n rekeying(s)"
if [ $n -lt 1 ]; then
- fail "no rekeying occured ($@)"
+ fail "no rekeying occurred ($@)"
fi
}
@@ -80,7 +80,7 @@ for s in 5 10; do
n=`expr $n - 1`
trace "$n rekeying(s)"
if [ $n -lt 1 ]; then
- fail "no rekeying occured"
+ fail "no rekeying occurred"
fi
done
@@ -96,7 +96,7 @@ for s in 5 10; do
n=`expr $n - 1`
trace "$n rekeying(s)"
if [ $n -lt 1 ]; then
- fail "no rekeying occured"
+ fail "no rekeying occurred"
fi
done
@@ -115,7 +115,7 @@ for s in 16 1k 128k 256k; do
n=`expr $n - 1`
trace "$n rekeying(s)"
if [ $n -lt 1 ]; then
- fail "no rekeying occured"
+ fail "no rekeying occurred"
fi
done
@@ -132,7 +132,7 @@ for s in 5 10; do
n=`expr $n - 1`
trace "$n rekeying(s)"
if [ $n -lt 1 ]; then
- fail "no rekeying occured"
+ fail "no rekeying occurred"
fi
done
diff --git a/regress/setuid-allowed.c b/regress/setuid-allowed.c
index 7a0527fd064c2..d91d9f194d11e 100644
--- a/regress/setuid-allowed.c
+++ b/regress/setuid-allowed.c
@@ -22,6 +22,7 @@
#ifdef HAVE_SYS_STATVFS_H
# include <sys/statvfs.h>
#endif
+#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
diff --git a/regress/sshcfgparse.sh b/regress/sshcfgparse.sh
index 010e028656ce5..e0ce568d71c40 100644
--- a/regress/sshcfgparse.sh
+++ b/regress/sshcfgparse.sh
@@ -1,8 +1,27 @@
-# $OpenBSD: sshcfgparse.sh,v 1.2 2016/07/14 01:24:21 dtucker Exp $
+# $OpenBSD: sshcfgparse.sh,v 1.4 2018/07/04 13:51:12 djm Exp $
# Placed in the Public Domain.
tid="ssh config parse"
+expect_result_present() {
+ _str="$1" ; shift
+ for _expect in "$@" ; do
+ echo "$f" | tr ',' '\n' | grep "^$_expect\$" >/dev/null
+ if test $? -ne 0 ; then
+ fail "missing expected \"$_expect\" from \"$_str\""
+ fi
+ done
+}
+expect_result_absent() {
+ _str="$1" ; shift
+ for _expect in "$@" ; do
+ echo "$f" | tr ',' '\n' | grep "^$_expect\$" >/dev/null
+ if test $? -eq 0 ; then
+ fail "unexpected \"$_expect\" present in \"$_str\""
+ fi
+ done
+}
+
verbose "reparse minimal config"
(${SSH} -G -F $OBJ/ssh_config somehost >$OBJ/ssh_config.1 &&
${SSH} -G -F $OBJ/ssh_config.1 somehost >$OBJ/ssh_config.2 &&
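Review bot: Both new helpers save their first argument as `_str` but then pipe the global `$f` (`echo "$f" | tr ',' '\n' | ...`) instead of `"$_str"`, so the value tested is whatever the caller last assigned to `f`, while the failure messages report `$_str`. Change both pipelines to `echo "$_str" | tr ',' '\n' | grep "^$_expect\$" >/dev/null`. The callers in the next hunk all happen to pass `"$f"`, which is why this goes unnoticed; `$_expect` is deliberately a regex (`ssh-ed25519-cert-v01.*`), which deserves a one-line comment above the loop.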
@@ -25,5 +44,46 @@ f=`${SSH} -GF $OBJ/ssh_config -W a:1 -o clearallforwardings=no h | \
awk '/clearallforwardings/{print $2}'`
test "$f" = "no" || fail "clearallforwardings override"
+verbose "user first match"
+user=`awk '$1=="User" {print $2}' $OBJ/ssh_config`
+f=`${SSH} -GF $OBJ/ssh_config host | awk '/^user /{print $2}'`
+test "$f" = "$user" || fail "user from config, expected '$user' got '$f'"
+f=`${SSH} -GF $OBJ/ssh_config -o user=foo -l bar baz@host | awk '/^user /{print $2}'`
+test "$f" = "foo" || fail "user first match -oUser, expected 'foo' got '$f' "
+f=`${SSH} -GF $OBJ/ssh_config -lbar baz@host user=foo baz@host | awk '/^user /{print $2}'`
+test "$f" = "bar" || fail "user first match -l, expected 'bar' got '$f'"
+f=`${SSH} -GF $OBJ/ssh_config baz@host -o user=foo -l bar baz@host | awk '/^user /{print $2}'`
+test "$f" = "baz" || fail "user first match user@host, expected 'baz' got '$f'"
+
+verbose "pubkeyacceptedkeytypes"
+# Default set
+f=`${SSH} -GF none host | awk '/^pubkeyacceptedkeytypes /{print $2}'`
+expect_result_present "$f" "ssh-ed25519" "ssh-ed25519-cert-v01.*"
+expect_result_absent "$f" "ssh-dss"
+# Explicit override
+f=`${SSH} -GF none -opubkeyacceptedkeytypes=ssh-ed25519 host | \
+ awk '/^pubkeyacceptedkeytypes /{print $2}'`
+expect_result_present "$f" "ssh-ed25519"
+expect_result_absent "$f" "ssh-ed25519-cert-v01.*" "ssh-dss"
+# Removal from default set
+f=`${SSH} -GF none -opubkeyacceptedkeytypes=-ssh-ed25519-cert* host | \
+ awk '/^pubkeyacceptedkeytypes /{print $2}'`
+expect_result_present "$f" "ssh-ed25519"
+expect_result_absent "$f" "ssh-ed25519-cert-v01.*" "ssh-dss"
+f=`${SSH} -GF none -opubkeyacceptedkeytypes=-ssh-ed25519 host | \
+ awk '/^pubkeyacceptedkeytypes /{print $2}'`
+expect_result_present "$f" "ssh-ed25519-cert-v01.*"
+expect_result_absent "$f" "ssh-ed25519" "ssh-dss"
+# Append to default set.
+# XXX this will break for !WITH_OPENSSL
+f=`${SSH} -GF none -opubkeyacceptedkeytypes=+ssh-dss-cert* host | \
+ awk '/^pubkeyacceptedkeytypes /{print $2}'`
+expect_result_present "$f" "ssh-ed25519" "ssh-dss-cert-v01.*"
+expect_result_absent "$f" "ssh-dss"
+f=`${SSH} -GF none -opubkeyacceptedkeytypes=+ssh-dss host | \
+ awk '/^pubkeyacceptedkeytypes /{print $2}'`
+expect_result_present "$f" "ssh-ed25519" "ssh-ed25519-cert-v01.*" "ssh-dss"
+expect_result_absent "$f" "ssh-dss-cert-v01.*"
+
# cleanup
rm -f $OBJ/ssh_config.[012]
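Review bot: In `${SSH} -GF $OBJ/ssh_config -lbar baz@host user=foo baz@host`, everything after the first `baz@host` is the remote command rather than configuration, so `user=foo` never competes with `-l bar` and this line only checks `-l` against `user@host`; the neighbouring lines spell the override as `-o user=foo`, and if the same was intended here the line should be `${SSH} -GF $OBJ/ssh_config -lbar -o user=foo baz@host | awk '/^user /{print $2}'`, which still expects `bar`. The message on the `-oUser` line also ends in a stray space inside the quotes (`got '$f' "`).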
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index b6169f15703ab..40d46e3cd4caf 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.62 2018/03/16 09:06:31 dtucker Exp $
+# $OpenBSD: test-exec.sh,v 1.64 2018/08/10 01:35:49 dtucker Exp $
# Placed in the Public Domain.
#SUDO=sudo
@@ -76,6 +76,9 @@ SFTP=sftp
SFTPSERVER=/usr/libexec/openssh/sftp-server
SCP=scp
+# Set by make_tmpdir() on demand (below).
+SSH_REGRESS_TMP=
+
# Interop testing
PLINK=plink
PUTTYGEN=puttygen
@@ -163,9 +166,13 @@ if [ "x$USE_VALGRIND" != "x" ]; then
esac
if [ x"$VG_SKIP" = "x" ]; then
+ VG_LEAK="--leak-check=no"
+ if [ x"$VALGRIND_CHECK_LEAKS" != "x" ]; then
+ VG_LEAK="--leak-check=full"
+ fi
VG_IGNORE="/bin/*,/sbin/*,/usr/*,/var/*"
VG_LOG="$OBJ/valgrind-out/${VG_TEST}."
- VG_OPTS="--track-origins=yes --leak-check=full"
+ VG_OPTS="--track-origins=yes $VG_LEAK"
VG_OPTS="$VG_OPTS --trace-children=yes"
VG_OPTS="$VG_OPTS --trace-children-skip=${VG_IGNORE}"
VG_PATH="valgrind"
@@ -318,6 +325,12 @@ stop_sshd ()
fi
}
+make_tmpdir ()
+{
+ SSH_REGRESS_TMP="$($OBJ/mkdtemp openssh-XXXXXXXX)" || \
+ fatal "failed to create temporary directory"
+}
+
# helper
cleanup ()
{
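Review bot: make_tmpdir overwrites `SSH_REGRESS_TMP` on every call, and the cleanup hunk further down removes only the directory currently named by it, so a script that calls the helper twice (or a sourced helper calling it after the test already did) would leave the earlier directory behind; making it idempotent with `[ -z "$SSH_REGRESS_TMP" ] || return 0` as the first line avoids that. `$OBJ/mkdtemp` is also expanded unquoted in command position; `"$OBJ/mkdtemp"` is safer if OBJ can contain spaces and matches the quoting already applied to the result.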
@@ -328,6 +341,9 @@ cleanup ()
kill $SSH_PID
fi
fi
+ if [ "x$SSH_REGRESS_TMP" != "x" ]; then
+ rm -rf "$SSH_REGRESS_TMP"
+ fi
stop_sshd
}
@@ -375,7 +391,10 @@ fail ()
save_debug_log "FAIL: $@"
RESULT=1
echo "$@"
-
+ if test "x$TEST_SSH_FAIL_FATAL" != "x" ; then
+ cleanup
+ exit $RESULT
+ fi
}
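Review bot: The new `TEST_SSH_FAIL_FATAL` branch calls `exit $RESULT` from inside fail, which only terminates the shell that invoked fail; if fail is reached inside a `( ... )` group or a pipeline stage, the exit ends that subshell and the test carries on, so the option is best effort rather than a guarantee. A comment such as `# Best effort: a fail raised inside a subshell cannot stop the whole test.` would set expectations. Minor: `test "x$TEST_SSH_FAIL_FATAL" != "x"` departs from the `[ "x$VAR" != "x" ]` form used elsewhere in this file.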
fatal ()
@@ -512,10 +531,13 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
>> $OBJ/authorized_keys_$USER
# Convert rsa2 host key to PuTTY format
- ${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/rsa > \
+ cp $OBJ/rsa $OBJ/rsa_oldfmt
+ ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/rsa_oldfmt >/dev/null
+ ${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/rsa_oldfmt > \
${OBJ}/.putty/sshhostkeys
- ${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/rsa >> \
+ ${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/rsa_oldfmt >> \
${OBJ}/.putty/sshhostkeys
+ rm -f $OBJ/rsa_oldfmt
# Setup proxied session
mkdir -p ${OBJ}/.putty/sessions
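Review bot: `${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/rsa_oldfmt >/dev/null` rewrites the copied host key in place but its exit status is ignored; if the conversion fails, ssh2putty.sh is fed the unconverted key and the PuTTY interop tests fail later with a less obvious symptom. Append `|| fatal "convert rsa host key to PEM format"`. Removing `$OBJ/rsa_oldfmt` afterwards is good, since the copy holds private key material.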
diff --git a/regress/unittests/hostkeys/test_iterate.c b/regress/unittests/hostkeys/test_iterate.c
index 751825ddae9e1..d6963bd2a30f1 100644
--- a/regress/unittests/hostkeys/test_iterate.c
+++ b/regress/unittests/hostkeys/test_iterate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_iterate.c,v 1.5 2017/04/30 23:33:48 djm Exp $ */
+/* $OpenBSD: test_iterate.c,v 1.6 2018/07/16 03:09:59 djm Exp $ */
/*
* Regress test for hostfile.h hostkeys_foreach()
*
@@ -152,6 +152,17 @@ prepare_expected(struct expected *expected, size_t n)
}
}
+static void
+cleanup_expected(struct expected *expected, size_t n)
+{
+ size_t i;
+
+ for (i = 0; i < n; i++) {
+ sshkey_free(expected[i].l.key);
+ expected[i].l.key = NULL;
+ }
+}
+
struct expected expected_full[] = {
{ NULL, -1, -1, 0, 0, 0, 0, -1, {
NULL, /* path, don't care */
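Review bot: cleanup_expected carries no comment saying what it pairs with; every call site in the following hunks places it right after the hostkeys_foreach() assertion that follows prepare_expected(), so a header such as `/* Release the keys prepare_expected() stored in expected[].l.key so the shared expected_full table can be reused by the next TEST_START without leaking. */` would make the pairing explicit (prepare_expected's body is outside this hunk, so the allocation side is inferred). Resetting `expected[i].l.key = NULL` after the free is the right call given the table is reused across tests.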
@@ -825,6 +836,7 @@ test_iterate(void)
prepare_expected(expected_full, ctx.nexpected);
ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
check, &ctx, NULL, NULL, ctx.flags), 0);
+ cleanup_expected(expected_full, ctx.nexpected);
TEST_DONE();
TEST_START("hostkeys_iterate all without key parse");
@@ -835,6 +847,7 @@ test_iterate(void)
prepare_expected(expected_full, ctx.nexpected);
ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
check, &ctx, NULL, NULL, ctx.flags), 0);
+ cleanup_expected(expected_full, ctx.nexpected);
TEST_DONE();
TEST_START("hostkeys_iterate specify host 1");
@@ -846,6 +859,7 @@ test_iterate(void)
prepare_expected(expected_full, ctx.nexpected);
ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
check, &ctx, "prometheus.example.com", NULL, ctx.flags), 0);
+ cleanup_expected(expected_full, ctx.nexpected);
TEST_DONE();
TEST_START("hostkeys_iterate specify host 2");
@@ -857,6 +871,7 @@ test_iterate(void)
prepare_expected(expected_full, ctx.nexpected);
ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
check, &ctx, "sisyphus.example.com", NULL, ctx.flags), 0);
+ cleanup_expected(expected_full, ctx.nexpected);
TEST_DONE();
TEST_START("hostkeys_iterate match host 1");
@@ -868,6 +883,7 @@ test_iterate(void)
prepare_expected(expected_full, ctx.nexpected);
ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
check, &ctx, "prometheus.example.com", NULL, ctx.flags), 0);
+ cleanup_expected(expected_full, ctx.nexpected);
TEST_DONE();
TEST_START("hostkeys_iterate match host 2");
@@ -879,6 +895,7 @@ test_iterate(void)
prepare_expected(expected_full, ctx.nexpected);
ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
check, &ctx, "sisyphus.example.com", NULL, ctx.flags), 0);
+ cleanup_expected(expected_full, ctx.nexpected);
TEST_DONE();
TEST_START("hostkeys_iterate specify host missing");
@@ -889,6 +906,7 @@ test_iterate(void)
prepare_expected(expected_full, ctx.nexpected);
ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
check, &ctx, "actaeon.example.org", NULL, ctx.flags), 0);
+ cleanup_expected(expected_full, ctx.nexpected);
TEST_DONE();
TEST_START("hostkeys_iterate match host missing");
@@ -899,6 +917,7 @@ test_iterate(void)
prepare_expected(expected_full, ctx.nexpected);
ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
check, &ctx, "actaeon.example.org", NULL, ctx.flags), 0);
+ cleanup_expected(expected_full, ctx.nexpected);
TEST_DONE();
TEST_START("hostkeys_iterate specify IPv4");
@@ -910,6 +929,7 @@ test_iterate(void)
prepare_expected(expected_full, ctx.nexpected);
ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
check, &ctx, "tiresias.example.org", "192.0.2.1", ctx.flags), 0);
+ cleanup_expected(expected_full, ctx.nexpected);
TEST_DONE();
TEST_START("hostkeys_iterate specify IPv6");
@@ -921,6 +941,7 @@ test_iterate(void)
prepare_expected(expected_full, ctx.nexpected);
ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
check, &ctx, "tiresias.example.org", "2001:db8::1", ctx.flags), 0);
+ cleanup_expected(expected_full, ctx.nexpected);
TEST_DONE();
TEST_START("hostkeys_iterate match IPv4");
@@ -932,6 +953,7 @@ test_iterate(void)
prepare_expected(expected_full, ctx.nexpected);
ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
check, &ctx, "tiresias.example.org", "192.0.2.1", ctx.flags), 0);
+ cleanup_expected(expected_full, ctx.nexpected);
TEST_DONE();
TEST_START("hostkeys_iterate match IPv6");
@@ -943,6 +965,7 @@ test_iterate(void)
prepare_expected(expected_full, ctx.nexpected);
ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
check, &ctx, "tiresias.example.org", "2001:db8::1", ctx.flags), 0);
+ cleanup_expected(expected_full, ctx.nexpected);
TEST_DONE();
TEST_START("hostkeys_iterate specify addr missing");
@@ -953,6 +976,7 @@ test_iterate(void)
prepare_expected(expected_full, ctx.nexpected);
ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
check, &ctx, "tiresias.example.org", "192.168.0.1", ctx.flags), 0);
+ cleanup_expected(expected_full, ctx.nexpected);
TEST_DONE();
TEST_START("hostkeys_iterate match addr missing");
@@ -963,6 +987,7 @@ test_iterate(void)
prepare_expected(expected_full, ctx.nexpected);
ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
check, &ctx, "tiresias.example.org", "::1", ctx.flags), 0);
+ cleanup_expected(expected_full, ctx.nexpected);
TEST_DONE();
TEST_START("hostkeys_iterate specify host 2 and IPv4");
@@ -975,6 +1000,7 @@ test_iterate(void)
prepare_expected(expected_full, ctx.nexpected);
ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
check, &ctx, "sisyphus.example.com", "192.0.2.1", ctx.flags), 0);
+ cleanup_expected(expected_full, ctx.nexpected);
TEST_DONE();
TEST_START("hostkeys_iterate match host 1 and IPv6");
@@ -986,7 +1012,9 @@ test_iterate(void)
ctx.match_ipv6 = 1;
prepare_expected(expected_full, ctx.nexpected);
ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
- check, &ctx, "prometheus.example.com", "2001:db8::1", ctx.flags), 0);
+ check, &ctx, "prometheus.example.com",
+ "2001:db8::1", ctx.flags), 0);
+ cleanup_expected(expected_full, ctx.nexpected);
TEST_DONE();
TEST_START("hostkeys_iterate specify host 2 and IPv4 w/ key parse");
@@ -999,6 +1027,7 @@ test_iterate(void)
prepare_expected(expected_full, ctx.nexpected);
ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
check, &ctx, "sisyphus.example.com", "192.0.2.1", ctx.flags), 0);
+ cleanup_expected(expected_full, ctx.nexpected);
TEST_DONE();
TEST_START("hostkeys_iterate match host 1 and IPv6 w/ key parse");
@@ -1010,7 +1039,9 @@ test_iterate(void)
ctx.match_ipv6 = 1;
prepare_expected(expected_full, ctx.nexpected);
ASSERT_INT_EQ(hostkeys_foreach(test_data_file("known_hosts"),
- check, &ctx, "prometheus.example.com", "2001:db8::1", ctx.flags), 0);
+ check, &ctx, "prometheus.example.com",
+ "2001:db8::1", ctx.flags), 0);
+ cleanup_expected(expected_full, ctx.nexpected);
TEST_DONE();
}
diff --git a/regress/unittests/match/tests.c b/regress/unittests/match/tests.c
index e1593367bf3ba..3d9af55f2849f 100644
--- a/regress/unittests/match/tests.c
+++ b/regress/unittests/match/tests.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tests.c,v 1.4 2017/02/03 23:01:42 djm Exp $ */
+/* $OpenBSD: tests.c,v 1.5 2018/07/04 13:51:45 djm Exp $ */
/*
* Regress test for matching functions
*
@@ -105,7 +105,7 @@ tests(void)
#define CHECK_FILTER(string,filter,expected) \
do { \
- char *result = match_filter_list((string), (filter)); \
+ char *result = match_filter_blacklist((string), (filter)); \
ASSERT_STRING_EQ(result, expected); \
free(result); \
} while (0)
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
index 1aa608f92b03c..72367bde77c2b 100644
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_sshkey.c,v 1.13 2017/12/21 00:41:22 djm Exp $ */
+/* $OpenBSD: test_sshkey.c,v 1.14 2018/07/13 02:13:19 djm Exp $ */
/*
* Regress test for sshkey.h key management API
*
@@ -434,10 +434,13 @@ sshkey_tests(void)
ASSERT_PTR_NE(k1->cert->principals[1], NULL);
ASSERT_PTR_NE(k1->cert->principals[2], NULL);
ASSERT_PTR_NE(k1->cert->principals[3], NULL);
+ k1->cert->nprincipals = 4;
k1->cert->valid_after = 0;
k1->cert->valid_before = (u_int64_t)-1;
+ sshbuf_free(k1->cert->critical);
k1->cert->critical = sshbuf_new();
ASSERT_PTR_NE(k1->cert->critical, NULL);
+ sshbuf_free(k1->cert->extensions);
k1->cert->extensions = sshbuf_new();
ASSERT_PTR_NE(k1->cert->extensions, NULL);
put_opt(k1->cert->critical, "force-command", "/usr/bin/true");
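Review bot: The new `k1->cert->nprincipals = 4;` hard-codes a count that must agree with the four `principals[0..3]` pointers asserted directly above it, and nothing in the hunk ties the two together, so adding a principal later would silently desynchronise them. A comment such as `/* must match the number of principals[] entries populated above */` on that line, or deriving the value from the assignments, would make the coupling visible. sshkey_tests() continues outside the hunk.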
diff --git a/regress/valgrind-unit.sh b/regress/valgrind-unit.sh
index 433cb069a75a3..4143ead4b62ea 100755
--- a/regress/valgrind-unit.sh
+++ b/regress/valgrind-unit.sh
@@ -7,10 +7,12 @@ UNIT_ARGS="$@"
test "x$OBJ" = "x" && OBJ=$PWD
# This mostly replicates the logic in test-exec.sh for running the
-# regress tests under valgrind.
+# regress tests under valgrind, except that we unconditionally enable
+# leak checking because the unit tests should be clean.
+VG_LEAK="--leak-check=full"
VG_TEST=`basename $UNIT_BINARY`
VG_LOG="$OBJ/valgrind-out/${VG_TEST}.%p"
-VG_OPTS="--track-origins=yes --leak-check=full --log-file=${VG_LOG}"
+VG_OPTS="--track-origins=yes $VG_LEAK --log-file=${VG_LOG}"
VG_OPTS="$VG_OPTS --trace-children=yes"
VG_PATH="valgrind"
if [ "x$VALGRIND_PATH" != "x" ]; then