Adapt tests, now that DSA if off by default; use PubkeyAcceptedKeyTypes

and PubkeyAcceptedKeyTypes to test DSA.

6 files changed, 79 insertions, 11 deletions

diff --git a/regress/usr.bin/ssh/cert-hostkey.sh b/regress/usr.bin/ssh/cert-hostkey.sh
index c99c2b1c36d..3f53922c89e 100644
--- a/regress/usr.bin/ssh/cert-hostkey.sh
+++ b/regress/usr.bin/ssh/cert-hostkey.sh
@@ -1,11 +1,32 @@
-#	$OpenBSD: cert-hostkey.sh,v 1.12 2015/07/03 04:39:23 djm Exp $
+#	$OpenBSD: cert-hostkey.sh,v 1.13 2015/07/10 06:23:25 markus Exp $
 #	Placed in the Public Domain.
 
 tid="certified host keys"
 
 rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/host_revoked_*
 rm -f $OBJ/cert_host_key* $OBJ/host_krl_*
+
+# Allow all hostkey/pubkey types, prefer certs for the client
+types=""
+for i in `$SSH -Q key`; do
+	if [ -z "$types" ]; then
+		types="$i"
+		continue
+	fi
+	case "$i" in
+	*cert*)	types="$i,$types";;
+	*)	types="$types,$i";;
+	esac
+done
+(
+	echo "HostKeyAlgorithms ${types}"
+	echo "PubkeyAcceptedKeyTypes *"
+) >> $OBJ/ssh_proxy
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+(
+	echo "HostKeyAlgorithms *"
+	echo "PubkeyAcceptedKeyTypes *"
+) >> $OBJ/sshd_proxy_bak
 
 HOSTS='localhost-with-alias,127.0.0.1,::1'
 
diff --git a/regress/usr.bin/ssh/cert-userkey.sh b/regress/usr.bin/ssh/cert-userkey.sh
index d461b9e34ca..739a036e2f6 100644
--- a/regress/usr.bin/ssh/cert-userkey.sh
+++ b/regress/usr.bin/ssh/cert-userkey.sh
@@ -1,13 +1,19 @@
-#	$OpenBSD: cert-userkey.sh,v 1.13 2015/07/03 04:39:23 djm Exp $
+#	$OpenBSD: cert-userkey.sh,v 1.14 2015/07/10 06:23:25 markus Exp $
 #	Placed in the Public Domain.
 
 tid="certified user keys"
 
 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
 
 PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
 
+kname() {
+	echo -n $1 | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'
+	echo "*,ssh-rsa*,ssh-ed25519*"
+}
+
 # Create a CA key
 ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
 	fail "ssh-keygen of user_ca_key failed"
@@ -25,6 +31,7 @@ done
 
 # Test explicitly-specified principals
 for ktype in $PLAIN_TYPES ; do 
+	t=$(kname $ktype)
 	for privsep in yes no ; do
 		_prefix="${ktype} privsep $privsep"
 
@@ -36,7 +43,12 @@ for ktype in $PLAIN_TYPES ; do
 			echo "AuthorizedPrincipalsFile " \
 			    "$OBJ/authorized_principals_%u"
 			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+			echo "PubkeyAcceptedKeyTypes ${t}"
 		) > $OBJ/sshd_proxy
+		(
+			cat $OBJ/ssh_proxy_bak
+			echo "PubkeyAcceptedKeyTypes ${t}"
+		) > $OBJ/ssh_proxy
 
 		# Missing authorized_principals
 		verbose "$tid: ${_prefix} missing authorized_principals"
@@ -109,7 +121,12 @@ for ktype in $PLAIN_TYPES ; do
 		(
 			cat $OBJ/sshd_proxy_bak
 			echo "UsePrivilegeSeparation $privsep"
+			echo "PubkeyAcceptedKeyTypes ${t}"
 		) > $OBJ/sshd_proxy
+		(
+			cat $OBJ/ssh_proxy_bak
+			echo "PubkeyAcceptedKeyTypes ${t}"
+		) > $OBJ/ssh_proxy
 
 		# Wrong principals list
 		verbose "$tid: ${_prefix} wrong principals key option"
@@ -151,6 +168,7 @@ basic_tests() {
 	fi
 	
 	for ktype in $PLAIN_TYPES ; do 
+		t=$(kname $ktype)
 		for privsep in yes no ; do
 			_prefix="${ktype} privsep $privsep $auth"
 			# Simple connect
@@ -158,8 +176,13 @@ basic_tests() {
 			(
 				cat $OBJ/sshd_proxy_bak
 				echo "UsePrivilegeSeparation $privsep"
+				echo "PubkeyAcceptedKeyTypes ${t}"
 				echo "$extra_sshd"
 			) > $OBJ/sshd_proxy
+			(
+				cat $OBJ/ssh_proxy_bak
+				echo "PubkeyAcceptedKeyTypes ${t}"
+			) > $OBJ/ssh_proxy
 	
 			${SSH} -2i $OBJ/cert_user_key_${ktype} \
 			    -F $OBJ/ssh_proxy somehost true
@@ -173,6 +196,7 @@ basic_tests() {
 				cat $OBJ/sshd_proxy_bak
 				echo "UsePrivilegeSeparation $privsep"
 				echo "RevokedKeys $OBJ/cert_user_key_revoked"
+				echo "PubkeyAcceptedKeyTypes ${t}"
 				echo "$extra_sshd"
 			) > $OBJ/sshd_proxy
 			cp $OBJ/cert_user_key_${ktype}.pub \
@@ -205,6 +229,7 @@ basic_tests() {
 		(
 			cat $OBJ/sshd_proxy_bak
 			echo "RevokedKeys $OBJ/user_ca_key.pub"
+			echo "PubkeyAcceptedKeyTypes ${t}"
 			echo "$extra_sshd"
 		) > $OBJ/sshd_proxy
 		${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
@@ -217,6 +242,7 @@ basic_tests() {
 	verbose "$tid: $auth CA does not authenticate"
 	(
 		cat $OBJ/sshd_proxy_bak
+		echo "PubkeyAcceptedKeyTypes ${t}"
 		echo "$extra_sshd"
 	) > $OBJ/sshd_proxy
 	verbose "$tid: ensure CA key does not authenticate user"
@@ -254,6 +280,8 @@ test_one() {
 				echo > $OBJ/authorized_keys_$USER
 				echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
 				    >> $OBJ/sshd_proxy
+				echo "PubkeyAcceptedKeyTypes ${t}*" \
+				    >> $OBJ/sshd_proxy
 				if test "x$auth_opt" != "x" ; then
 					echo $auth_opt >> $OBJ/sshd_proxy
 				fi
@@ -315,6 +343,7 @@ test_one "principals key option no principals" failure "" \
 # Wrong certificate
 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
 for ktype in $PLAIN_TYPES ; do 
+	t=$(kname $ktype)
 	# Self-sign
 	${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
 	    "regress user key for $USER" \
diff --git a/regress/usr.bin/ssh/hostkey-agent.sh b/regress/usr.bin/ssh/hostkey-agent.sh
index a011ec83107..094700da62f 100644
--- a/regress/usr.bin/ssh/hostkey-agent.sh
+++ b/regress/usr.bin/ssh/hostkey-agent.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: hostkey-agent.sh,v 1.5 2015/02/21 20:51:02 djm Exp $
+#	$OpenBSD: hostkey-agent.sh,v 1.6 2015/07/10 06:23:25 markus Exp $
 #	Placed in the Public Domain.
 
 tid="hostkey agent"
@@ -31,10 +31,11 @@ cp $OBJ/known_hosts.orig $OBJ/known_hosts
 unset SSH_AUTH_SOCK
 
 for ps in no yes; do
-	cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
-	echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
 	for k in `${SSH} -Q key-plain` ; do
 		verbose "key type $k privsep=$ps"
+		cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
+		echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
+		echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy
 		opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy"
 		cp $OBJ/known_hosts.orig $OBJ/known_hosts
 		SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
diff --git a/regress/usr.bin/ssh/hostkey-rotate.sh b/regress/usr.bin/ssh/hostkey-rotate.sh
index cde6008f462..3aa8c40c0ad 100644
--- a/regress/usr.bin/ssh/hostkey-rotate.sh
+++ b/regress/usr.bin/ssh/hostkey-rotate.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: hostkey-rotate.sh,v 1.3 2015/03/24 20:22:17 markus Exp $
+#	$OpenBSD: hostkey-rotate.sh,v 1.4 2015/07/10 06:23:25 markus Exp $
 #	Placed in the Public Domain.
 
 tid="hostkey rotate"
@@ -56,7 +56,7 @@ check_key_present ssh-ed25519 || fail "unstrict didn't learn key"
 
 # Connect to sshd as usual
 verbose "learn additional hostkeys"
-dossh -oStrictHostKeyChecking=yes
+dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs
 # Check that other keys learned
 expect_nkeys $nkeys "learn hostkeys"
 check_key_present ssh-rsa || fail "didn't learn keys"
@@ -74,7 +74,7 @@ verbose "learn changed non-primary hostkey"
 mv $OBJ/hkr.ssh-rsa.pub $OBJ/hkr.ssh-rsa.pub.old
 rm -f $OBJ/hkr.ssh-rsa
 ${SSHKEYGEN} -qt ssh-rsa -f $OBJ/hkr.ssh-rsa -N '' || fatal "ssh-keygen $k"
-dossh -oStrictHostKeyChecking=yes
+dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=$all_algs
 # Check that the key was replaced
 expect_nkeys $nkeys "learn hostkeys"
 check_key_present ssh-rsa $OBJ/hkr.ssh-rsa.pub.old && fail "old key present"
@@ -109,7 +109,7 @@ dossh -oStrictHostKeyChecking=yes -oHostKeyAlgorithms=ssh-rsa
 expect_nkeys 1 "learn hostkeys"
 check_key_present ssh-rsa || fail "didn't learn changed key"
 
-#	$OpenBSD: hostkey-rotate.sh,v 1.3 2015/03/24 20:22:17 markus Exp $
+#	$OpenBSD: hostkey-rotate.sh,v 1.4 2015/07/10 06:23:25 markus Exp $
 #	Placed in the Public Domain.
 
 tid="hostkey rotate"
diff --git a/regress/usr.bin/ssh/keytype.sh b/regress/usr.bin/ssh/keytype.sh
index 48c66ff7cf6..cb8cb734260 100644
--- a/regress/usr.bin/ssh/keytype.sh
+++ b/regress/usr.bin/ssh/keytype.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: keytype.sh,v 1.3 2013/12/06 13:52:46 markus Exp $
+#	$OpenBSD: keytype.sh,v 1.4 2015/07/10 06:23:25 markus Exp $
 #	Placed in the Public Domain.
 
 tid="login with different key types"
@@ -23,14 +23,26 @@ for ut in $ktypes; do
 	htypes=$ut
 	#htypes=$ktypes
 	for ht in $htypes; do 
+		case $ht in
+		dsa-1024)	t=ssh-dss;;
+		ecdsa-256)	t=ecdsa-sha2-nistp256;;
+		ecdsa-384)	t=ecdsa-sha2-nistp384;;
+		ecdsa-521)	t=ecdsa-sha2-nistp521;;
+		ed25519-512)	t=ssh-ed25519;;
+		rsa-*)		t=ssh-rsa;;
+		esac
 		trace "ssh connect, userkey $ut, hostkey $ht"
 		(
 			grep -v HostKey $OBJ/sshd_proxy_bak
 			echo HostKey $OBJ/key.$ht 
+			echo PubkeyAcceptedKeyTypes $t
+			echo HostKeyAlgorithms $t
 		) > $OBJ/sshd_proxy
 		(
 			grep -v IdentityFile $OBJ/ssh_proxy_bak
 			echo IdentityFile $OBJ/key.$ut 
+			echo PubkeyAcceptedKeyTypes $t
+			echo HostKeyAlgorithms $t
 		) > $OBJ/ssh_proxy
 		(
 			printf 'localhost-with-alias,127.0.0.1,::1 '
diff --git a/regress/usr.bin/ssh/unittests/kex/test_kex.c b/regress/usr.bin/ssh/unittests/kex/test_kex.c
index e906477639d..65bd97ebf9f 100644
--- a/regress/usr.bin/ssh/unittests/kex/test_kex.c
+++ b/regress/usr.bin/ssh/unittests/kex/test_kex.c
@@ -1,4 +1,4 @@
-/* 	$OpenBSD: test_kex.c,v 1.1 2015/01/15 23:41:29 markus Exp $ */
+/* 	$OpenBSD: test_kex.c,v 1.2 2015/07/10 06:23:25 markus Exp $ */
 /*
  * Regress test KEX
  *
@@ -79,6 +79,7 @@ do_kex_with_key(char *kex, int keytype, int bits)
 	struct sshbuf *state;
 	struct kex_params kex_params;
 	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
+	char *keyname = NULL;
 
 	TEST_START("sshkey_generate");
 	ASSERT_INT_EQ(sshkey_generate(keytype, bits, &private), 0);
@@ -92,6 +93,9 @@ do_kex_with_key(char *kex, int keytype, int bits)
 	memcpy(kex_params.proposal, myproposal, sizeof(myproposal));
 	if (kex != NULL)
 		kex_params.proposal[PROPOSAL_KEX_ALGS] = kex;
+	keyname = strdup(sshkey_ssh_name(private));
+	ASSERT_PTR_NE(keyname, NULL);
+	kex_params.proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = keyname;
 	ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0);
 	ASSERT_INT_EQ(ssh_init(&server, 1, &kex_params), 0);
 	ASSERT_PTR_NE(client, NULL);
@@ -159,6 +163,7 @@ do_kex_with_key(char *kex, int keytype, int bits)
 	ssh_free(client);
 	ssh_free(server);
 	ssh_free(server2);
+	free(keyname);
 	TEST_DONE();
 }