summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authormarkus@openbsd.org <markus@openbsd.org>2015-07-10 06:23:25 +0000
committerDamien Miller <djm@mindrot.org>2015-07-15 16:04:27 +1000
commit5bf0933184cb622ca3f96d224bf3299fd2285acc (patch)
tree18ad0591b04a1ff98bb69265e04bc7c5b961533e
parent7a6e3fd7b41dbd3756b6bf9acd67954c0b1564cc (diff)
upstream commit
Adapt tests, now that DSA if off by default; use PubkeyAcceptedKeyTypes and PubkeyAcceptedKeyTypes to test DSA. Upstream-Regress-ID: 0ff2a3ff5ac1ce5f92321d27aa07b98656efcc5c
-rw-r--r--regress/cert-hostkey.sh23
-rw-r--r--regress/cert-userkey.sh31
-rw-r--r--regress/hostkey-agent.sh7
-rw-r--r--regress/hostkey-rotate.sh8
-rw-r--r--regress/keytype.sh14
-rw-r--r--regress/unittests/kex/test_kex.c7
6 files changed, 79 insertions, 11 deletions
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index c99c2b1c..3f53922c 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,11 +1,32 @@
-# $OpenBSD: cert-hostkey.sh,v 1.12 2015/07/03 04:39:23 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.13 2015/07/10 06:23:25 markus Exp $
# Placed in the Public Domain.
tid="certified host keys"
rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_*
rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
+
+# Allow all hostkey/pubkey types, prefer certs for the client
+types=""
+for i in `$SSH -Q key`; do
+ if [ -z "$types" ]; then
+ types="$i"
+ continue
+ fi
+ case "$i" in
+ *cert*) types="$i,$types";;
+ *) types="$types,$i";;
+ esac
+done
+(
+ echo "HostKeyAlgorithms ${types}"
+ echo "PubkeyAcceptedKeyTypes *"
+) >> $OBJ/ssh_proxy
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+(
+ echo "HostKeyAlgorithms *"
+ echo "PubkeyAcceptedKeyTypes *"
+) >> $OBJ/sshd_proxy_bak
HOSTS='localhost-with-alias,127.0.0.1,::1'
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index d461b9e3..739a036e 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,13 +1,19 @@
-# $OpenBSD: cert-userkey.sh,v 1.13 2015/07/03 04:39:23 djm Exp $
+# $OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $
# Placed in the Public Domain.
tid="certified user keys"
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
+kname() {
+ echo -n $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'
+ echo "*,ssh-rsa*,ssh-ed25519*"
+}
+
# Create a CA key
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
fail "ssh-keygen of user_ca_key failed"
@@ -25,6 +31,7 @@ done
# Test explicitly-specified principals
for ktype in $PLAIN_TYPES ; do
+ t=$(kname $ktype)
for privsep in yes no ; do
_prefix="${ktype} privsep $privsep"
@@ -36,7 +43,12 @@ for ktype in $PLAIN_TYPES ; do
echo "AuthorizedPrincipalsFile " \
"$OBJ/authorized_principals_%u"
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+ echo "PubkeyAcceptedKeyTypes ${t}"
) > $OBJ/sshd_proxy
+ (
+ cat $OBJ/ssh_proxy_bak
+ echo "PubkeyAcceptedKeyTypes ${t}"
+ ) > $OBJ/ssh_proxy
# Missing authorized_principals
verbose "$tid: ${_prefix} missing authorized_principals"
@@ -109,7 +121,12 @@ for ktype in $PLAIN_TYPES ; do
(
cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep"
+ echo "PubkeyAcceptedKeyTypes ${t}"
) > $OBJ/sshd_proxy
+ (
+ cat $OBJ/ssh_proxy_bak
+ echo "PubkeyAcceptedKeyTypes ${t}"
+ ) > $OBJ/ssh_proxy
# Wrong principals list
verbose "$tid: ${_prefix} wrong principals key option"
@@ -151,6 +168,7 @@ basic_tests() {
fi
for ktype in $PLAIN_TYPES ; do
+ t=$(kname $ktype)
for privsep in yes no ; do
_prefix="${ktype} privsep $privsep $auth"
# Simple connect
@@ -158,8 +176,13 @@ basic_tests() {
(
cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep"
+ echo "PubkeyAcceptedKeyTypes ${t}"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
+ (
+ cat $OBJ/ssh_proxy_bak
+ echo "PubkeyAcceptedKeyTypes ${t}"
+ ) > $OBJ/ssh_proxy
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true
@@ -173,6 +196,7 @@ basic_tests() {
cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep"
echo "RevokedKeys $OBJ/cert_user_key_revoked"
+ echo "PubkeyAcceptedKeyTypes ${t}"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
cp $OBJ/cert_user_key_${ktype}.pub \
@@ -205,6 +229,7 @@ basic_tests() {
(
cat $OBJ/sshd_proxy_bak
echo "RevokedKeys $OBJ/user_ca_key.pub"
+ echo "PubkeyAcceptedKeyTypes ${t}"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
@@ -217,6 +242,7 @@ basic_tests() {
verbose "$tid: $auth CA does not authenticate"
(
cat $OBJ/sshd_proxy_bak
+ echo "PubkeyAcceptedKeyTypes ${t}"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
verbose "$tid: ensure CA key does not authenticate user"
@@ -254,6 +280,8 @@ test_one() {
echo > $OBJ/authorized_keys_$USER
echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
>> $OBJ/sshd_proxy
+ echo "PubkeyAcceptedKeyTypes ${t}*" \
+ >> $OBJ/sshd_proxy
if test "x$auth_opt" != "x" ; then
echo $auth_opt >> $OBJ/sshd_proxy
fi
@@ -315,6 +343,7 @@ test_one "principals key option no principals" failure "" \
# Wrong certificate
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
for ktype in $PLAIN_TYPES ; do
+ t=$(kname $ktype)
# Self-sign
${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
"regress user key for $USER" \
diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh
index a011ec83..094700da 100644
--- a/regress/hostkey-agent.sh
+++ b/regress/hostkey-agent.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: hostkey-agent.sh,v 1.5 2015/02/21 20:51:02 djm Exp $
+# $OpenBSD: hostkey-agent.sh,v 1.6 2015/07/10 06:23:25 markus Exp $
# Placed in the Public Domain.
tid="hostkey agent"
@@ -31,10 +31,11 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts
unset SSH_AUTH_SOCK
for ps in no yes; do
- cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
- echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
for k in `${SSH} -Q key-plain` ; do
verbose "key type $k privsep=$ps"
+ cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
+ echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
+ echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy
opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy"
cp $OBJ/known_hosts.orig $OBJ/known_hosts
SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
diff --git a/regress/hostkey-rotate.sh b/regress/hostkey-rotate.sh
index cde6008f..3aa8c40c 100644
--- a/regress/hostkey-rotate.sh
+++ b/regress/hostkey-rotate.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: hostkey-rotate.sh,v 1.3 2015/03/24 20:22:17 markus Exp $
+# $OpenBSD: hostkey-rotate.sh,v 1.4 2015/07/10 06:23:25 markus Exp $
# Placed in the Public Domain.
tid="hostkey rotate"
@@ -56,7 +56,7 @@ check_key_present ssh-ed25519 || fail "unstrict didn't learn key"
# Connect to sshd as usual
verbose "learn additional hostkeys"
-dossh -oStrictHostKeyChecking=yes
+dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs
# Check that other keys learned
expect_nkeys $nkeys "learn hostkeys"
check_key_present ssh-rsa || fail "didn't learn keys"
@@ -74,7 +74,7 @@ verbose "learn changed non-primary hostkey"
mv $OBJ/hkr.ssh-rsa.pub $OBJ/hkr.ssh-rsa.pub.old
rm -f $OBJ/hkr.ssh-rsa
${SSHKEYGEN} -qt ssh-rsa -f $OBJ/hkr.ssh-rsa -N '' || fatal "ssh-keygen $k"
-dossh -oStrictHostKeyChecking=yes
+dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs
# Check that the key was replaced
expect_nkeys $nkeys "learn hostkeys"
check_key_present ssh-rsa $OBJ/hkr.ssh-rsa.pub.old && fail "old key present"
@@ -109,7 +109,7 @@ dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa
expect_nkeys 1 "learn hostkeys"
check_key_present ssh-rsa || fail "didn't learn changed key"
-# $OpenBSD: hostkey-rotate.sh,v 1.3 2015/03/24 20:22:17 markus Exp $
+# $OpenBSD: hostkey-rotate.sh,v 1.4 2015/07/10 06:23:25 markus Exp $
# Placed in the Public Domain.
tid="hostkey rotate"
diff --git a/regress/keytype.sh b/regress/keytype.sh
index 9752acb0..8f697788 100644
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: keytype.sh,v 1.3 2013/12/06 13:52:46 markus Exp $
+# $OpenBSD: keytype.sh,v 1.4 2015/07/10 06:23:25 markus Exp $
# Placed in the Public Domain.
tid="login with different key types"
@@ -36,14 +36,26 @@ for ut in $ktypes; do
htypes=$ut
#htypes=$ktypes
for ht in $htypes; do
+ case $ht in
+ dsa-1024) t=ssh-dss;;
+ ecdsa-256) t=ecdsa-sha2-nistp256;;
+ ecdsa-384) t=ecdsa-sha2-nistp384;;
+ ecdsa-521) t=ecdsa-sha2-nistp521;;
+ ed25519-512) t=ssh-ed25519;;
+ rsa-*) t=ssh-rsa;;
+ esac
trace "ssh connect, userkey $ut, hostkey $ht"
(
grep -v HostKey $OBJ/sshd_proxy_bak
echo HostKey $OBJ/key.$ht
+ echo PubkeyAcceptedKeyTypes $t
+ echo HostKeyAlgorithms $t
) > $OBJ/sshd_proxy
(
grep -v IdentityFile $OBJ/ssh_proxy_bak
echo IdentityFile $OBJ/key.$ut
+ echo PubkeyAcceptedKeyTypes $t
+ echo HostKeyAlgorithms $t
) > $OBJ/ssh_proxy
(
printf 'localhost-with-alias,127.0.0.1,::1 '
diff --git a/regress/unittests/kex/test_kex.c b/regress/unittests/kex/test_kex.c
index c61e2bdb..6e5999bb 100644
--- a/regress/unittests/kex/test_kex.c
+++ b/regress/unittests/kex/test_kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_kex.c,v 1.1 2015/01/15 23:41:29 markus Exp $ */
+/* $OpenBSD: test_kex.c,v 1.2 2015/07/10 06:23:25 markus Exp $ */
/*
* Regress test KEX
*
@@ -85,6 +85,7 @@ do_kex_with_key(char *kex, int keytype, int bits)
struct sshbuf *state;
struct kex_params kex_params;
char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
+ char *keyname = NULL;
TEST_START("sshkey_generate");
ASSERT_INT_EQ(sshkey_generate(keytype, bits, &private), 0);
@@ -98,6 +99,9 @@ do_kex_with_key(char *kex, int keytype, int bits)
memcpy(kex_params.proposal, myproposal, sizeof(myproposal));
if (kex != NULL)
kex_params.proposal[PROPOSAL_KEX_ALGS] = kex;
+ keyname = strdup(sshkey_ssh_name(private));
+ ASSERT_PTR_NE(keyname, NULL);
+ kex_params.proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = keyname;
ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0);
ASSERT_INT_EQ(ssh_init(&server, 1, &kex_params), 0);
ASSERT_PTR_NE(client, NULL);
@@ -167,6 +171,7 @@ do_kex_with_key(char *kex, int keytype, int bits)
ssh_free(client);
ssh_free(server);
ssh_free(server2);
+ free(keyname);
TEST_DONE();
}