diff options
| author | Markus Friedl <markus@cvs.openbsd.org> | 2013-12-06 13:52:47 +0000 |
|---|---|---|
| committer | Markus Friedl <markus@cvs.openbsd.org> | 2013-12-06 13:52:47 +0000 |
| commit | c5c85fd4a33e981251bdb3d13ecec7267a50febf (patch) | |
| tree | 5c462410ca433aa35d96baaf13a51d343dda4ff1 | |
| parent | a290ddcba332424443fa2507428cf4bdfd415bac (diff) | |
test ed25519 support; from djm@
| -rw-r--r-- | regress/usr.bin/ssh/Makefile | 9 | ||||
| -rw-r--r-- | regress/usr.bin/ssh/agent.sh | 4 | ||||
| -rw-r--r-- | regress/usr.bin/ssh/cert-hostkey.sh | 44 | ||||
| -rw-r--r-- | regress/usr.bin/ssh/cert-userkey.sh | 25 | ||||
| -rw-r--r-- | regress/usr.bin/ssh/keytype.sh | 4 |
5 files changed, 59 insertions, 27 deletions
diff --git a/regress/usr.bin/ssh/Makefile b/regress/usr.bin/ssh/Makefile index 777c7e84d98..dc96a419f1b 100644 --- a/regress/usr.bin/ssh/Makefile +++ b/regress/usr.bin/ssh/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.66 2013/10/09 23:44:14 djm Exp $ +# $OpenBSD: Makefile,v 1.67 2013/12/06 13:52:46 markus Exp $ REGRESS_FAIL_EARLY= yes REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 @@ -136,6 +136,13 @@ t9: t9.out ssh-keygen -lf t9.out > /dev/null ssh-keygen -Bf t9.out > /dev/null +t10.out: + ssh-keygen -q -t ed25519 -N '' -f $@ + +t10: t10.out + ssh-keygen -lf t10.out > /dev/null + ssh-keygen -Bf t10.out > /dev/null + modpipe: modpipe.c t-integrity: modpipe diff --git a/regress/usr.bin/ssh/agent.sh b/regress/usr.bin/ssh/agent.sh index be7d91334d6..90bad15d433 100644 --- a/regress/usr.bin/ssh/agent.sh +++ b/regress/usr.bin/ssh/agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $ +# $OpenBSD: agent.sh,v 1.9 2013/12/06 13:52:46 markus Exp $ # Placed in the Public Domain. tid="simple agent test" @@ -20,7 +20,7 @@ else fi trace "overwrite authorized keys" printf '' > $OBJ/authorized_keys_$USER - for t in rsa rsa1; do + for t in ed25519 rsa rsa1; do # generate user key for agent rm -f $OBJ/$t-agent ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\ diff --git a/regress/usr.bin/ssh/cert-hostkey.sh b/regress/usr.bin/ssh/cert-hostkey.sh index f4302852caf..6face87231a 100644 --- a/regress/usr.bin/ssh/cert-hostkey.sh +++ b/regress/usr.bin/ssh/cert-hostkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-hostkey.sh,v 1.7 2013/05/17 00:37:40 dtucker Exp $ +# $OpenBSD: cert-hostkey.sh,v 1.8 2013/12/06 13:52:46 markus Exp $ # Placed in the Public Domain. tid="certified host keys" @@ -17,8 +17,17 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert +PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` + +type_has_legacy() { + case $1 in + ed25519*|ecdsa*) return 1 ;; + esac + return 0 +} + # Generate and sign host keys -for ktype in rsa dsa ecdsa ; do +for ktype in $PLAIN_TYPES ; do verbose "$tid: sign host ${ktype} cert" # Generate and sign a host key ${SSHKEYGEN} -q -N '' -t ${ktype} \ @@ -28,10 +37,10 @@ for ktype in rsa dsa ecdsa ; do -I "regress host key for $USER" \ -n $HOSTS $OBJ/cert_host_key_${ktype} || fail "couldn't sign cert_host_key_${ktype}" - # v00 ecdsa certs do not exist - test "${ktype}" = "ecdsa" && continue + type_has_legacy $ktype || continue cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00 cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub + verbose "$tid: sign host ${ktype}_v00 cert" ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \ -I "regress host key for $USER" \ -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 || @@ -40,7 +49,7 @@ done # Basic connect tests for privsep in yes no ; do - for ktype in rsa dsa ecdsa rsa_v00 dsa_v00; do + for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do verbose "$tid: host ${ktype} cert connect privsep $privsep" ( cat $OBJ/sshd_proxy_bak @@ -68,7 +77,16 @@ done cat $OBJ/cert_host_key_rsa.pub printf '@revoked ' printf "* " - cat $OBJ/cert_host_key_ecdsa.pub + cat $OBJ/cert_host_key_ecdsa-sha2-nistp256.pub + printf '@revoked ' + printf "* " + cat $OBJ/cert_host_key_ecdsa-sha2-nistp384.pub + printf '@revoked ' + printf "* " + cat $OBJ/cert_host_key_ecdsa-sha2-nistp521.pub + printf '@revoked ' + printf "* " + cat $OBJ/cert_host_key_ed25519.pub printf '@revoked ' printf "* " cat $OBJ/cert_host_key_dsa.pub @@ -80,7 +98,7 @@ done cat $OBJ/cert_host_key_dsa_v00.pub ) > $OBJ/known_hosts-cert for privsep in yes no ; do - for ktype in rsa dsa ecdsa rsa_v00 dsa_v00; do + for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do verbose "$tid: host ${ktype} revoked cert privsep $privsep" ( cat $OBJ/sshd_proxy_bak @@ -107,7 +125,7 @@ done printf "* " cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert -for ktype in rsa dsa ecdsa rsa_v00 dsa_v00 ; do +for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do verbose "$tid: host ${ktype} revoked cert" ( cat $OBJ/sshd_proxy_bak @@ -178,9 +196,8 @@ test_one "cert has constraints" failure "-h -Oforce-command=false" # Check downgrade of cert to raw key when no CA found for v in v01 v00 ; do - for ktype in rsa dsa ecdsa ; do - # v00 ecdsa certs do not exist. - test "${v}${ktype}" = "v00ecdsa" && continue + for ktype in $PLAIN_TYPES ; do + type_has_legacy $ktype || continue rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key* verbose "$tid: host ${ktype} ${v} cert downgrade to raw key" # Generate and sign a host key @@ -217,9 +234,8 @@ done cat $OBJ/host_ca_key.pub ) > $OBJ/known_hosts-cert for v in v01 v00 ; do - for kt in rsa dsa ecdsa ; do - # v00 ecdsa certs do not exist. - test "${v}${ktype}" = "v00ecdsa" && continue + for kt in $PLAIN_TYPES ; do + type_has_legacy $kt || continue rm -f $OBJ/cert_host_key* # Self-sign key ${SSHKEYGEN} -q -N '' -t ${kt} \ diff --git a/regress/usr.bin/ssh/cert-userkey.sh b/regress/usr.bin/ssh/cert-userkey.sh index 45398748010..b093a919614 100644 --- a/regress/usr.bin/ssh/cert-userkey.sh +++ b/regress/usr.bin/ssh/cert-userkey.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cert-userkey.sh,v 1.11 2013/05/17 00:37:40 dtucker Exp $ +# $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $ # Placed in the Public Domain. tid="certified user keys" @@ -6,12 +6,21 @@ tid="certified user keys" rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak +PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` + +type_has_legacy() { + case $1 in + ed25519*|ecdsa*) return 1 ;; + esac + return 0 +} + # Create a CA key ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\ fail "ssh-keygen of user_ca_key failed" # Generate and sign user keys -for ktype in rsa dsa ecdsa ; do +for ktype in $PLAIN_TYPES ; do verbose "$tid: sign user ${ktype} cert" ${SSHKEYGEN} -q -N '' -t ${ktype} \ -f $OBJ/cert_user_key_${ktype} || \ @@ -19,18 +28,18 @@ for ktype in rsa dsa ecdsa ; do ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" - # v00 ecdsa certs do not exist - test "${ktype}" = "ecdsa" && continue + type_has_legacy $ktype || continue cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00 cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub + verbose "$tid: sign host ${ktype}_v00 cert" ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \ "regress user key for $USER" \ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 || - fail "couldn't sign cert_user_key_${ktype}_v00" + fatal "couldn't sign cert_user_key_${ktype}_v00" done # Test explicitly-specified principals -for ktype in rsa dsa ecdsa rsa_v00 dsa_v00 ; do +for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do for privsep in yes no ; do _prefix="${ktype} privsep $privsep" @@ -156,7 +165,7 @@ basic_tests() { extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub" fi - for ktype in rsa dsa ecdsa rsa_v00 dsa_v00 ; do + for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do for privsep in yes no ; do _prefix="${ktype} privsep $privsep $auth" # Simple connect @@ -326,7 +335,7 @@ test_one "principals key option no principals" failure "" \ # Wrong certificate cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy -for ktype in rsa dsa ecdsa rsa_v00 dsa_v00 ; do +for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do case $ktype in *_v00) args="-t v00" ;; *) args="" ;; diff --git a/regress/usr.bin/ssh/keytype.sh b/regress/usr.bin/ssh/keytype.sh index 1df2ad8577e..48c66ff7cf6 100644 --- a/regress/usr.bin/ssh/keytype.sh +++ b/regress/usr.bin/ssh/keytype.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keytype.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $ +# $OpenBSD: keytype.sh,v 1.3 2013/12/06 13:52:46 markus Exp $ # Placed in the Public Domain. tid="login with different key types" @@ -7,7 +7,7 @@ TIME=/usr/bin/time cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak -ktypes="dsa-1024 rsa-2048 ecdsa-256 rsa-3072 ecdsa-384 ecdsa-521" +ktypes="dsa-1024 rsa-2048 ecdsa-256 rsa-3072 ecdsa-384 ecdsa-521 ed25519-512" for kt in $ktypes; do rm -f $OBJ/key.$kt |