aboutsummaryrefslogtreecommitdiff
path: root/regress
diff options
context:
space:
mode:
authorEd Maste <emaste@FreeBSD.org>2024-03-17 17:47:10 +0000
committerEd Maste <emaste@FreeBSD.org>2024-03-17 17:47:10 +0000
commit9200ce3210fdc00706904d2eb2d8a481ed84eef3 (patch)
tree44c20fef4e888723daa2d0c91e8e91f1e6dc8a08 /regress
parent38f55691cb1b1029d9daac42fc5b6b1850eb19c3 (diff)
downloadsrc-9200ce3210fdc00706904d2eb2d8a481ed84eef3.tar.gz
src-9200ce3210fdc00706904d2eb2d8a481ed84eef3.zip
Diffstat (limited to 'regress')
-rw-r--r--regress/Makefile77
-rw-r--r--regress/channel-timeout.sh74
-rw-r--r--regress/dynamic-forward.sh9
-rw-r--r--regress/misc/fuzz-harness/Makefile8
-rw-r--r--regress/misc/fuzz-harness/agent_fuzz_helper.c7
-rw-r--r--regress/multiplex.sh3
-rw-r--r--regress/putty-ciphers.sh51
-rw-r--r--regress/putty-kex.sh40
-rw-r--r--regress/putty-transfer.sh13
-rw-r--r--regress/test-exec.sh28
-rw-r--r--regress/unittests/Makefile.inc7
-rw-r--r--regress/unittests/hostkeys/test_iterate.c11
-rw-r--r--regress/unittests/kex/test_kex.c4
-rw-r--r--regress/unittests/sshkey/test_file.c4
-rw-r--r--regress/unittests/sshkey/test_fuzz.c8
-rw-r--r--regress/unittests/sshkey/test_sshkey.c23
-rw-r--r--regress/unittests/sshsig/tests.c4
17 files changed, 273 insertions, 98 deletions
diff --git a/regress/Makefile b/regress/Makefile
index f5cb9bd4779d..c9a495f6f4cc 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.131 2023/12/18 14:50:08 djm Exp $
+# $OpenBSD: Makefile,v 1.133 2024/01/11 04:50:28 djm Exp $
tests: prep file-tests t-exec unit
@@ -156,48 +156,67 @@ TEST_SSH_SSHKEYGEN?=ssh-keygen
CPPFLAGS=-I..
t1:
- ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv
- tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv
- ${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_cr.prv | diff - ${.CURDIR}/rsa_openssh.prv
- awk '{print $$0 "\r"}' ${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_crnl.prv
- ${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_crnl.prv | diff - ${.CURDIR}/rsa_openssh.prv
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \
+ ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv ; \
+ tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv ; \
+ ${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_cr.prv | diff - ${.CURDIR}/rsa_openssh.prv ; \
+ awk '{print $$0 "\r"}' ${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_crnl.prv ; \
+ ${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_crnl.prv | diff - ${.CURDIR}/rsa_openssh.prv ; \
+ fi
t2:
- cat ${.CURDIR}/rsa_openssh.prv > $(OBJ)/t2.out
- chmod 600 $(OBJ)/t2.out
- ${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t2.out | diff - ${.CURDIR}/rsa_openssh.pub
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \
+ cat ${.CURDIR}/rsa_openssh.prv > $(OBJ)/t2.out ; \
+ chmod 600 $(OBJ)/t2.out ; \
+ ${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t2.out | diff - ${.CURDIR}/rsa_openssh.pub ; \
+ fi
t3:
- ${TEST_SSH_SSHKEYGEN} -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/t3.out
- ${TEST_SSH_SSHKEYGEN} -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \
+ ${TEST_SSH_SSHKEYGEN} -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/t3.out ; \
+ ${TEST_SSH_SSHKEYGEN} -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub ; \
+ fi
t4:
- ${TEST_SSH_SSHKEYGEN} -E md5 -lf ${.CURDIR}/rsa_openssh.pub |\
- awk '{print $$2}' | diff - ${.CURDIR}/t4.ok
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \
+ ${TEST_SSH_SSHKEYGEN} -E md5 -lf ${.CURDIR}/rsa_openssh.pub |\
+ awk '{print $$2}' | diff - ${.CURDIR}/t4.ok ; \
+ fi
t5:
- ${TEST_SSH_SSHKEYGEN} -Bf ${.CURDIR}/rsa_openssh.pub |\
- awk '{print $$2}' | diff - ${.CURDIR}/t5.ok
-
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-rsa" ; then \
+ ${TEST_SSH_SSHKEYGEN} -Bf ${.CURDIR}/rsa_openssh.pub |\
+ awk '{print $$2}' | diff - ${.CURDIR}/t5.ok ; \
+ fi
t6:
- ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1
- ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.pub > $(OBJ)/t6.out2
- chmod 600 $(OBJ)/t6.out1
- ${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t6.out1 | diff - $(OBJ)/t6.out2
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-dss" ; then \
+ ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1 ; \
+ ${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.pub > $(OBJ)/t6.out2 ; \
+ chmod 600 $(OBJ)/t6.out1 ; \
+ ${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t6.out1 | diff - $(OBJ)/t6.out2 ; \
+ fi
$(OBJ)/t7.out:
- ${TEST_SSH_SSHKEYGEN} -q -t rsa -N '' -f $@
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-dss" ; then \
+ ${TEST_SSH_SSHKEYGEN} -q -t rsa -N '' -f $@ ; \
+ fi
t7: $(OBJ)/t7.out
- ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t7.out > /dev/null
- ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t7.out > /dev/null
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-dss" ; then \
+ ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t7.out > /dev/null ; \
+ ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t7.out > /dev/null ; \
+ fi
$(OBJ)/t8.out:
- ${TEST_SSH_SSHKEYGEN} -q -t dsa -N '' -f $@
+ set -xe ; if ssh -Q key | grep -q "^ssh-dss" ; then \
+ ${TEST_SSH_SSHKEYGEN} -q -t dsa -N '' -f $@ ; \
+ fi
t8: $(OBJ)/t8.out
- ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t8.out > /dev/null
- ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t8.out > /dev/null
+ set -xe ; if ssh -Q key | grep -q "^ssh-dss" ; then \
+ ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t8.out > /dev/null ; \
+ ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t8.out > /dev/null ; \
+ fi
$(OBJ)/t9.out:
! ${TEST_SSH_SSH} -Q key-plain | grep ecdsa >/dev/null || \
@@ -218,8 +237,10 @@ t10: $(OBJ)/t10.out
${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t10.out > /dev/null
t11:
- ${TEST_SSH_SSHKEYGEN} -E sha256 -lf ${.CURDIR}/rsa_openssh.pub |\
- awk '{print $$2}' | diff - ${.CURDIR}/t11.ok
+ set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q "^ssh-dss" ; then \
+ ${TEST_SSH_SSHKEYGEN} -E sha256 -lf ${.CURDIR}/rsa_openssh.pub |\
+ awk '{print $$2}' | diff - ${.CURDIR}/t11.ok ; \
+ fi
$(OBJ)/t12.out:
${TEST_SSH_SSHKEYGEN} -q -t ed25519 -N '' -C 'test-comment-1234' -f $@
diff --git a/regress/channel-timeout.sh b/regress/channel-timeout.sh
index 1c42e832ae2c..97708f2a2c9b 100644
--- a/regress/channel-timeout.sh
+++ b/regress/channel-timeout.sh
@@ -1,10 +1,33 @@
-# $OpenBSD: channel-timeout.sh,v 1.1 2023/01/06 08:07:39 djm Exp $
+# $OpenBSD: channel-timeout.sh,v 1.2 2024/01/09 22:19:36 djm Exp $
# Placed in the Public Domain.
tid="channel timeout"
# XXX not comprehensive. Still need -R -L agent X11 forwarding + interactive
+rm -f $OBJ/finished.* $OBJ/mux.*
+
+MUXPATH=$OBJ/mux.$$
+open_mux() {
+ ${SSH} -nNfM -oControlPath=$MUXPATH -F $OBJ/ssh_proxy "$@" somehost ||
+ fatal "open mux failed"
+ test -e $MUXPATH || fatal "mux socket $MUXPATH not established"
+}
+
+close_mux() {
+ test -e $MUXPATH || fatal "mux socket $MUXPATH missing"
+ ${SSH} -qF $OBJ/ssh_proxy -oControlPath=$MUXPATH -O exit somehost ||
+ fatal "could not terminate mux process"
+ for x in 1 2 3 4 5 6 7 8 9 10 ; do
+ test -e $OBJ/mux && break
+ sleep 1
+ done
+ test -e $MUXPATH && fatal "mux did not clean up"
+}
+mux_client() {
+ ${SSH} -F $OBJ/ssh_proxy -oControlPath=$MUXPATH somehost "$@"
+}
+
rm -f $OBJ/sshd_proxy.orig
cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
@@ -24,6 +47,15 @@ if [ $r -ne 255 ]; then
fail "ssh returned unexpected error code $r"
fi
+verbose "command long timeout"
+(cat $OBJ/sshd_proxy.orig ; echo "ChannelTimeout session:command=60") \
+ > $OBJ/sshd_proxy
+${SSH} -F $OBJ/ssh_proxy somehost "exit 23"
+r=$?
+if [ $r -ne 23 ]; then
+ fail "ssh returned unexpected error code $r"
+fi
+
verbose "command wildcard timeout"
(cat $OBJ/sshd_proxy.orig ; echo "ChannelTimeout session:*=1") \
> $OBJ/sshd_proxy
@@ -42,6 +74,45 @@ if [ $r -ne 23 ]; then
fail "ssh failed"
fi
+if config_defined DISABLE_FD_PASSING ; then
+ verbose "skipping multiplexing tests"
+else
+ verbose "multiplexed command timeout"
+ (cat $OBJ/sshd_proxy.orig ; echo "ChannelTimeout session:command=1") \
+ > $OBJ/sshd_proxy
+ open_mux
+ mux_client "sleep 5 ; exit 23"
+ r=$?
+ if [ $r -ne 255 ]; then
+ fail "ssh returned unexpected error code $r"
+ fi
+ close_mux
+
+ verbose "irrelevant multiplexed command timeout"
+ (cat $OBJ/sshd_proxy.orig ; echo "ChannelTimeout session:shell=1") \
+ > $OBJ/sshd_proxy
+ open_mux
+ mux_client "sleep 5 ; exit 23"
+ r=$?
+ if [ $r -ne 23 ]; then
+ fail "ssh returned unexpected error code $r"
+ fi
+ close_mux
+
+ verbose "global command timeout"
+ (cat $OBJ/sshd_proxy.orig ; echo "ChannelTimeout global=10") \
+ > $OBJ/sshd_proxy
+ open_mux
+ mux_client "sleep 1 ; echo ok ; sleep 1; echo ok; sleep 60; touch $OBJ/finished.1" >/dev/null &
+ mux_client "sleep 60 ; touch $OBJ/finished.2" >/dev/null &
+ mux_client "sleep 2 ; touch $OBJ/finished.3" >/dev/null &
+ wait
+ test -f $OBJ/finished.1 && fail "first mux process completed"
+ test -f $OBJ/finished.2 && fail "second mux process completed"
+ test -f $OBJ/finished.3 || fail "third mux process did not complete"
+ close_mux
+fi
+
# Set up a "slow sftp server" that sleeps before executing the real one.
cat > $OBJ/slow-sftp-server.sh << _EOF
#!/bin/sh
@@ -88,4 +159,3 @@ if [ $r -ne 0 ]; then
fail "sftp failed"
fi
cmp $DATA $COPY || fail "corrupted copy"
-
diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh
index 5a4aa6d8e9f7..85901eaa6340 100644
--- a/regress/dynamic-forward.sh
+++ b/regress/dynamic-forward.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: dynamic-forward.sh,v 1.15 2023/01/06 08:50:33 dtucker Exp $
+# $OpenBSD: dynamic-forward.sh,v 1.17 2024/03/08 11:34:10 dtucker Exp $
# Placed in the Public Domain.
tid="dynamic forwarding"
@@ -20,6 +20,7 @@ start_ssh() {
arg="$2"
n=0
error="1"
+ # Use a multiplexed ssh so we can control its lifecycle.
trace "start dynamic -$direction forwarding, fork to background"
(cat $OBJ/ssh_config.orig ; echo "$arg") > $OBJ/ssh_config
${REAL_SSH} -vvvnNfF $OBJ/ssh_config -E$TEST_SSH_LOGFILE \
@@ -56,9 +57,9 @@ check_socks() {
for s in 4 5; do
for h in 127.0.0.1 localhost; do
trace "testing ssh socks version $s host $h (-$direction)"
- ${REAL_SSH} -q -F $OBJ/ssh_config \
- -o "ProxyCommand ${proxycmd}${s} $h $PORT 2>/dev/null" \
- somehost cat ${DATA} > ${COPY}
+ ${REAL_SSH} -q -F $OBJ/ssh_config -o \
+ "ProxyCommand ${TEST_SHELL} -c '${proxycmd}${s} $h $PORT 2>/dev/null'" \
+ somehost cat ${DATA} > ${COPY}
r=$?
if [ "x$expect_success" = "xY" ] ; then
if [ $r -ne 0 ] ; then
diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile
index 0b4238fd39a4..107213029e0c 100644
--- a/regress/misc/fuzz-harness/Makefile
+++ b/regress/misc/fuzz-harness/Makefile
@@ -1,10 +1,10 @@
# NB. libssh and libopenbsd-compat should be built with the same sanitizer opts.
-CC=clang-11
-CXX=clang++-11
+CC=clang-16
+CXX=clang++-16
FUZZ_FLAGS=-fsanitize=address,fuzzer -fno-omit-frame-pointer
-FUZZ_LIBS=-lFuzzer
+FUZZ_LIBS=-L/usr/lib/llvm-16/lib -lFuzzer
-CXXFLAGS=-O2 -g -Wall -Wextra -Wno-unused-parameter -I ../../.. $(FUZZ_FLAGS)
+CXXFLAGS=-O2 -g -Wall -Wextra -Wno-unused-parameter -Wno-exceptions -I ../../.. $(FUZZ_FLAGS)
CFLAGS=$(CXXFLAGS)
LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS)
LIBS=-lssh -lopenbsd-compat -lmd -lcrypto -lfido2 -lcbor $(FUZZ_LIBS)
diff --git a/regress/misc/fuzz-harness/agent_fuzz_helper.c b/regress/misc/fuzz-harness/agent_fuzz_helper.c
index 1d419820cc5d..c3051c72b8db 100644
--- a/regress/misc/fuzz-harness/agent_fuzz_helper.c
+++ b/regress/misc/fuzz-harness/agent_fuzz_helper.c
@@ -175,3 +175,10 @@ test_one(const uint8_t* s, size_t slen)
cleanup_idtab();
cleanup_sockettab();
}
+
+int
+pkcs11_make_cert(const struct sshkey *priv,
+ const struct sshkey *certpub, struct sshkey **certprivp)
+{
+ return -1; /* XXX */
+}
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index 8282d0d940f5..b992cd412149 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -8,8 +8,7 @@ tid="connection multiplexing"
trace "will use ProxyCommand $proxycmd"
if config_defined DISABLE_FD_PASSING ; then
- echo "skipped (not supported on this platform)"
- exit 0
+ skip "not supported on this platform (FD passing disabled)"
fi
P=3301 # test port
diff --git a/regress/putty-ciphers.sh b/regress/putty-ciphers.sh
index 5b8e25a27199..30f6461cc318 100644
--- a/regress/putty-ciphers.sh
+++ b/regress/putty-ciphers.sh
@@ -1,24 +1,47 @@
-# $OpenBSD: putty-ciphers.sh,v 1.11 2021/09/01 03:16:06 dtucker Exp $
+# $OpenBSD: putty-ciphers.sh,v 1.13 2024/02/09 08:56:59 dtucker Exp $
# Placed in the Public Domain.
tid="putty ciphers"
-if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
- skip "putty interop tests not enabled"
-fi
+puttysetup
-# Re-enable ssh-rsa on older PuTTY versions.
-oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"
-if [ "x$oldver" = "xyes" ]; then
- echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
- echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
-fi
+cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy_bak
-for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
- verbose "$tid: cipher $c"
+# Since there doesn't seem to be a way to set MACs on the PuTTY client side,
+# we force each in turn on the server side, omitting the ones PuTTY doesn't
+# support. Grepping the binary is pretty janky, but AFAIK there's no way to
+# query for supported algos.
+macs=""
+for m in `${SSH} -Q MACs`; do
+ if strings "${PLINK}" | grep -E "^${m}$" >/dev/null; then
+ macs="${macs} ${m}"
+ else
+ trace "omitting unsupported MAC ${m}"
+ fi
+done
+
+ciphers=""
+for c in `${SSH} -Q Ciphers`; do
+ if strings "${PLINK}" | grep -E "^${c}$" >/dev/null; then
+ ciphers="${ciphers} ${c}"
+ else
+ trace "omitting unsupported cipher ${c}"
+ fi
+done
+
+for c in default $ciphers; do
+ for m in default ${macs}; do
+ verbose "$tid: cipher $c mac $m"
cp ${OBJ}/.putty/sessions/localhost_proxy \
${OBJ}/.putty/sessions/cipher_$c
- echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
+ if [ "${c}" != "default" ]; then
+ echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
+ fi
+
+ cp ${OBJ}/sshd_proxy_bak ${OBJ}/sshd_proxy
+ if [ "${m}" != "default" ]; then
+ echo "MACs $m" >> ${OBJ}/sshd_proxy
+ fi
rm -f ${COPY}
env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
@@ -27,6 +50,6 @@ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
fail "ssh cat $DATA failed"
fi
cmp ${DATA} ${COPY} || fail "corrupted copy"
+ done
done
rm -f ${COPY}
-
diff --git a/regress/putty-kex.sh b/regress/putty-kex.sh
index c75802a06103..22f8bd7060f6 100644
--- a/regress/putty-kex.sh
+++ b/regress/putty-kex.sh
@@ -1,28 +1,36 @@
-# $OpenBSD: putty-kex.sh,v 1.9 2021/09/01 03:16:06 dtucker Exp $
+# $OpenBSD: putty-kex.sh,v 1.11 2024/02/09 08:56:59 dtucker Exp $
# Placed in the Public Domain.
tid="putty KEX"
-if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
- skip "putty interop tests not enabled"
-fi
+puttysetup
-# Re-enable ssh-rsa on older PuTTY versions.
-oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"
-if [ "x$oldver" = "xyes" ]; then
- echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
- echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
-fi
+cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy_bak
-for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
+# Enable group1, which PuTTY now disables by default
+echo "KEX=dh-group1-sha1" >>${OBJ}/.putty/sessions/localhost_proxy
+
+# Grepping algos out of the binary is pretty janky, but AFAIK there's no way
+# to query supported algos.
+kex=""
+for k in `$SSH -Q kex`; do
+ if strings "${PLINK}" | grep -E "^${k}$" >/dev/null; then
+ kex="${kex} ${k}"
+ else
+ trace "omitting unsupported KEX ${k}"
+ fi
+done
+
+for k in ${kex}; do
verbose "$tid: kex $k"
- cp ${OBJ}/.putty/sessions/localhost_proxy \
- ${OBJ}/.putty/sessions/kex_$k
- echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
+ cp ${OBJ}/sshd_proxy_bak ${OBJ}/sshd_proxy
+ echo "KexAlgorithms ${k}" >>${OBJ}/sshd_proxy
- env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
+ env HOME=$PWD ${PLINK} -v -load localhost_proxy -batch -i ${OBJ}/putty.rsa2 true \
+ 2>${OBJ}/log/putty-kex-$k.log
if [ $? -ne 0 ]; then
fail "KEX $k failed"
fi
+ kexmsg=`grep -E '^Doing.* key exchange' ${OBJ}/log/putty-kex-$k.log`
+ trace putty: ${kexmsg}
done
-
diff --git a/regress/putty-transfer.sh b/regress/putty-transfer.sh
index a6864f9515a7..1920f49ac8d3 100644
--- a/regress/putty-transfer.sh
+++ b/regress/putty-transfer.sh
@@ -1,18 +1,9 @@
-# $OpenBSD: putty-transfer.sh,v 1.11 2021/09/01 03:16:06 dtucker Exp $
+# $OpenBSD: putty-transfer.sh,v 1.12 2024/02/09 08:47:42 dtucker Exp $
# Placed in the Public Domain.
tid="putty transfer data"
-if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
- skip "putty interop tests not enabled"
-fi
-
-# Re-enable ssh-rsa on older PuTTY versions.
-oldver="`${PLINK} --version | awk '/plink: Release/{if ($3<0.76)print "yes"}'`"
-if [ "x$oldver" = "xyes" ]; then
- echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
- echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
-fi
+puttysetup
if [ "`${SSH} -Q compression`" = "none" ]; then
comp="0"
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 089ef73c4ebb..ad627941f4d2 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.105 2023/10/31 04:15:40 dtucker Exp $
+# $OpenBSD: test-exec.sh,v 1.108 2024/03/08 11:34:10 dtucker Exp $
# Placed in the Public Domain.
#SUDO=sudo
@@ -104,6 +104,9 @@ DBCLIENT=/usr/local/bin/dbclient
DROPBEARKEY=/usr/local/bin/dropbearkey
DROPBEARCONVERT=/usr/local/bin/dropbearconvert
+# So we can override this in Portable.
+TEST_SHELL="${TEST_SHELL:-/bin/sh}"
+
# Tools used by multiple tests
NC=$OBJ/netcat
# Always use the one configure tells us to, even if that's empty.
@@ -761,7 +764,11 @@ case "$SCRIPT" in
*) REGRESS_INTEROP_PUTTY=no ;;
esac
-if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
+puttysetup() {
+ if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
+ skip "putty interop tests not enabled"
+ fi
+
mkdir -p ${OBJ}/.putty
# Add a PuTTY key to authorized_keys
@@ -794,9 +801,24 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
echo "ProxyTelnetCommand=${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy
echo "ProxyLocalhost=1" >> ${OBJ}/.putty/sessions/localhost_proxy
+ PUTTYVER="`${PLINK} --version | awk '/plink: Release/{print $3}'`"
+ PUTTYMINORVER="`echo ${PUTTYVER} | cut -f2 -d.`"
+ verbose "plink version ${PUTTYVER} minor ${PUTTYMINORVER}"
+
+ # Re-enable ssh-rsa on older PuTTY versions since they don't do newer
+ # key types.
+ if [ "$PUTTYMINORVER" -lt "76" ]; then
+ echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
+ echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
+ fi
+
+ if [ "$PUTTYMINORVER" -le "64" ]; then
+ echo "KexAlgorithms +diffie-hellman-group14-sha1" \
+ >>${OBJ}/sshd_proxy
+ fi
PUTTYDIR=${OBJ}/.putty
export PUTTYDIR
-fi
+}
REGRESS_INTEROP_DROPBEAR=no
if test -x "$DROPBEARKEY" -a -x "$DBCLIENT" -a -x "$DROPBEARCONVERT"; then
diff --git a/regress/unittests/Makefile.inc b/regress/unittests/Makefile.inc
index 623896ffa152..98e280486ab1 100644
--- a/regress/unittests/Makefile.inc
+++ b/regress/unittests/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.15 2023/09/24 08:14:13 claudio Exp $
+# $OpenBSD: Makefile.inc,v 1.16 2024/01/11 01:45:58 djm Exp $
.include <bsd.own.mk>
.include <bsd.obj.mk>
@@ -13,6 +13,11 @@ TEST_ENV?= MALLOC_OPTIONS=${MALLOC_OPTIONS}
# XXX detect from ssh binary?
OPENSSL?= yes
+DSAKEY?= yes
+
+.if (${DSAKEY:L} == "yes")
+CFLAGS+= -DWITH_DSA
+.endif
.if (${OPENSSL:L} == "yes")
CFLAGS+= -DWITH_OPENSSL
diff --git a/regress/unittests/hostkeys/test_iterate.c b/regress/unittests/hostkeys/test_iterate.c
index 84f26b5c72f5..7efb8e1b9cc6 100644
--- a/regress/unittests/hostkeys/test_iterate.c
+++ b/regress/unittests/hostkeys/test_iterate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_iterate.c,v 1.8 2021/12/14 21:25:27 deraadt Exp $ */
+/* $OpenBSD: test_iterate.c,v 1.9 2024/01/11 01:45:58 djm Exp $ */
/*
* Regress test for hostfile.h hostkeys_foreach()
*
@@ -94,6 +94,11 @@ check(struct hostkey_foreach_line *l, void *_ctx)
expected->no_parse_keytype == KEY_ECDSA)
skip = 1;
#endif /* OPENSSL_HAS_ECC */
+#ifndef WITH_DSA
+ if (expected->l.keytype == KEY_DSA ||
+ expected->no_parse_keytype == KEY_DSA)
+ skip = 1;
+#endif
#ifndef WITH_OPENSSL
if (expected->l.keytype == KEY_DSA ||
expected->no_parse_keytype == KEY_DSA ||
@@ -155,6 +160,10 @@ prepare_expected(struct expected *expected, size_t n)
if (expected[i].l.keytype == KEY_ECDSA)
continue;
#endif /* OPENSSL_HAS_ECC */
+#ifndef WITH_DSA
+ if (expected[i].l.keytype == KEY_DSA)
+ continue;
+#endif
#ifndef WITH_OPENSSL
switch (expected[i].l.keytype) {
case KEY_RSA:
diff --git a/regress/unittests/kex/test_kex.c b/regress/unittests/kex/test_kex.c
index c26761ee7c48..dc1014ea4492 100644
--- a/regress/unittests/kex/test_kex.c
+++ b/regress/unittests/kex/test_kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_kex.c,v 1.6 2021/12/14 21:25:27 deraadt Exp $ */
+/* $OpenBSD: test_kex.c,v 1.7 2024/01/11 01:45:58 djm Exp $ */
/*
* Regress test KEX
*
@@ -179,7 +179,9 @@ do_kex(char *kex)
{
#ifdef WITH_OPENSSL
do_kex_with_key(kex, KEY_RSA, 2048);
+#ifdef WITH_DSA
do_kex_with_key(kex, KEY_DSA, 1024);
+#endif
#ifdef OPENSSL_HAS_ECC
do_kex_with_key(kex, KEY_ECDSA, 256);
#endif /* OPENSSL_HAS_ECC */
diff --git a/regress/unittests/sshkey/test_file.c b/regress/unittests/sshkey/test_file.c
index 488944c3b76b..45284059657b 100644
--- a/regress/unittests/sshkey/test_file.c
+++ b/regress/unittests/sshkey/test_file.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_file.c,v 1.10 2021/12/14 21:25:27 deraadt Exp $ */
+/* $OpenBSD: test_file.c,v 1.11 2024/01/11 01:45:58 djm Exp $ */
/*
* Regress test for sshkey.h key management API
*
@@ -165,6 +165,7 @@ sshkey_file_tests(void)
sshkey_free(k1);
+#ifdef WITH_DSA
TEST_START("parse DSA from private");
buf = load_file("dsa_1");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
@@ -255,6 +256,7 @@ sshkey_file_tests(void)
TEST_DONE();
sshkey_free(k1);
+#endif
#ifdef OPENSSL_HAS_ECC
TEST_START("parse ECDSA from private");
diff --git a/regress/unittests/sshkey/test_fuzz.c b/regress/unittests/sshkey/test_fuzz.c
index 2fae19dcfe08..0aff7c9bf4e4 100644
--- a/regress/unittests/sshkey/test_fuzz.c
+++ b/regress/unittests/sshkey/test_fuzz.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_fuzz.c,v 1.13 2021/12/14 21:25:27 deraadt Exp $ */
+/* $OpenBSD: test_fuzz.c,v 1.14 2024/01/11 01:45:58 djm Exp $ */
/*
* Fuzz tests for key parsing
*
@@ -160,6 +160,7 @@ sshkey_fuzz_tests(void)
fuzz_cleanup(fuzz);
TEST_DONE();
+#ifdef WITH_DSA
TEST_START("fuzz DSA private");
buf = load_file("dsa_1");
fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
@@ -203,6 +204,7 @@ sshkey_fuzz_tests(void)
sshbuf_free(fuzzed);
fuzz_cleanup(fuzz);
TEST_DONE();
+#endif
#ifdef OPENSSL_HAS_ECC
TEST_START("fuzz ECDSA private");
@@ -288,6 +290,7 @@ sshkey_fuzz_tests(void)
sshkey_free(k1);
TEST_DONE();
+#ifdef WITH_DSA
TEST_START("fuzz DSA public");
buf = load_file("dsa_1");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
@@ -301,6 +304,7 @@ sshkey_fuzz_tests(void)
public_fuzz(k1);
sshkey_free(k1);
TEST_DONE();
+#endif
#ifdef OPENSSL_HAS_ECC
TEST_START("fuzz ECDSA public");
@@ -358,6 +362,7 @@ sshkey_fuzz_tests(void)
sshkey_free(k1);
TEST_DONE();
+#ifdef WITH_DSA
TEST_START("fuzz DSA sig");
buf = load_file("dsa_1");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
@@ -365,6 +370,7 @@ sshkey_fuzz_tests(void)
sig_fuzz(k1, NULL);
sshkey_free(k1);
TEST_DONE();
+#endif
#ifdef OPENSSL_HAS_ECC
TEST_START("fuzz ECDSA sig");
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
index cc359aea5063..c1cbb1128238 100644
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_sshkey.c,v 1.23 2023/01/04 22:48:57 tb Exp $ */
+/* $OpenBSD: test_sshkey.c,v 1.24 2024/01/11 01:45:58 djm Exp $ */
/*
* Regress test for sshkey.h key management API
*
@@ -180,14 +180,14 @@ get_private(const char *n)
void
sshkey_tests(void)
{
- struct sshkey *k1, *k2, *k3, *kf;
+ struct sshkey *k1 = NULL, *k2 = NULL, *k3 = NULL, *kf = NULL;
#ifdef WITH_OPENSSL
- struct sshkey *k4, *kr, *kd;
+ struct sshkey *k4 = NULL, *kr = NULL, *kd = NULL;
#ifdef OPENSSL_HAS_ECC
- struct sshkey *ke;
+ struct sshkey *ke = NULL;
#endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
- struct sshbuf *b;
+ struct sshbuf *b = NULL;
TEST_START("new invalid");
k1 = sshkey_new(-42);
@@ -208,12 +208,14 @@ sshkey_tests(void)
sshkey_free(k1);
TEST_DONE();
+#ifdef WITH_DSA
TEST_START("new/free KEY_DSA");
k1 = sshkey_new(KEY_DSA);
ASSERT_PTR_NE(k1, NULL);
ASSERT_PTR_NE(k1->dsa, NULL);
sshkey_free(k1);
TEST_DONE();
+#endif
#ifdef OPENSSL_HAS_ECC
TEST_START("new/free KEY_ECDSA");
@@ -245,12 +247,14 @@ sshkey_tests(void)
ASSERT_PTR_EQ(k1, NULL);
TEST_DONE();
+#ifdef WITH_DSA
TEST_START("generate KEY_DSA wrong bits");
ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 2048, &k1),
SSH_ERR_KEY_LENGTH);
ASSERT_PTR_EQ(k1, NULL);
sshkey_free(k1);
TEST_DONE();
+#endif
#ifdef OPENSSL_HAS_ECC
TEST_START("generate KEY_ECDSA wrong bits");
@@ -273,6 +277,7 @@ sshkey_tests(void)
ASSERT_INT_EQ(BN_num_bits(rsa_n(kr)), 1024);
TEST_DONE();
+#ifdef WITH_DSA
TEST_START("generate KEY_DSA");
ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 1024, &kd), 0);
ASSERT_PTR_NE(kd, NULL);
@@ -280,6 +285,7 @@ sshkey_tests(void)
ASSERT_PTR_NE(dsa_g(kd), NULL);
ASSERT_PTR_NE(dsa_priv_key(kd), NULL);
TEST_DONE();
+#endif
#ifdef OPENSSL_HAS_ECC
TEST_START("generate KEY_ECDSA");
@@ -317,6 +323,7 @@ sshkey_tests(void)
sshkey_free(k1);
TEST_DONE();
+#ifdef WITH_DSA
TEST_START("demote KEY_DSA");
ASSERT_INT_EQ(sshkey_from_private(kd, &k1), 0);
ASSERT_PTR_NE(k1, NULL);
@@ -331,6 +338,7 @@ sshkey_tests(void)
ASSERT_INT_EQ(sshkey_equal(kd, k1), 1);
sshkey_free(k1);
TEST_DONE();
+#endif
#ifdef OPENSSL_HAS_ECC
TEST_START("demote KEY_ECDSA");
@@ -382,9 +390,6 @@ sshkey_tests(void)
ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1024, &k1), 0);
ASSERT_INT_EQ(sshkey_equal(kr, k1), 0);
sshkey_free(k1);
- ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 1024, &k1), 0);
- ASSERT_INT_EQ(sshkey_equal(kd, k1), 0);
- sshkey_free(k1);
#ifdef OPENSSL_HAS_ECC
ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 256, &k1), 0);
ASSERT_INT_EQ(sshkey_equal(ke, k1), 0);
@@ -479,6 +484,7 @@ sshkey_tests(void)
sshkey_free(k2);
TEST_DONE();
+#ifdef WITH_DSA
TEST_START("sign and verify DSA");
k1 = get_private("dsa_1");
ASSERT_INT_EQ(sshkey_load_public(test_data_file("dsa_2.pub"), &k2,
@@ -487,6 +493,7 @@ sshkey_tests(void)
sshkey_free(k1);
sshkey_free(k2);
TEST_DONE();
+#endif
#ifdef OPENSSL_HAS_ECC
TEST_START("sign and verify ECDSA");
diff --git a/regress/unittests/sshsig/tests.c b/regress/unittests/sshsig/tests.c
index 13cfcfde210d..80966bdd2c27 100644
--- a/regress/unittests/sshsig/tests.c
+++ b/regress/unittests/sshsig/tests.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tests.c,v 1.3 2021/12/14 21:25:27 deraadt Exp $ */
+/* $OpenBSD: tests.c,v 1.4 2024/01/11 01:45:59 djm Exp $ */
/*
* Regress test for sshbuf.h buffer API
*
@@ -103,9 +103,11 @@ tests(void)
check_sig("rsa.pub", "rsa.sig", msg, namespace);
TEST_DONE();
+#ifdef WITH_DSA
TEST_START("check DSA signature");
check_sig("dsa.pub", "dsa.sig", msg, namespace);
TEST_DONE();
+#endif
#ifdef OPENSSL_HAS_ECC
TEST_START("check ECDSA signature");