summaryrefslogtreecommitdiff
path: root/regress/usr.bin/ssh
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2013-01-18 00:45:30 +0000
committerDamien Miller <djm@cvs.openbsd.org>2013-01-18 00:45:30 +0000
commitdd01a00603c325ddcd7b14978bdb6a915ca6fed8 (patch)
treeacae15d4f0fd2c550ebc05ca6ed622fe4b6b685c /regress/usr.bin/ssh
parentaa95d22c55450b1ab98e42b730ac6cab71cac76c (diff)
Tests for Key Revocation Lists (KRLs)
Diffstat (limited to 'regress/usr.bin/ssh')
-rw-r--r--regress/usr.bin/ssh/Makefile9
-rw-r--r--regress/usr.bin/ssh/cert-userkey.sh22
-rw-r--r--regress/usr.bin/ssh/krl.sh151
3 files changed, 176 insertions, 6 deletions
diff --git a/regress/usr.bin/ssh/Makefile b/regress/usr.bin/ssh/Makefile
index a502cd3d3bd..e1c4c2bd239 100644
--- a/regress/usr.bin/ssh/Makefile
+++ b/regress/usr.bin/ssh/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.61 2012/12/11 22:42:11 markus Exp $
+# $OpenBSD: Makefile,v 1.62 2013/01/18 00:45:29 djm Exp $
REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9
@@ -53,7 +53,8 @@ LTESTS= connect \
host-expand \
keys-command \
forward-control \
- integrity
+ integrity \
+ krl
INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
@@ -68,9 +69,9 @@ CLEANFILES+= authorized_keys_${USER} known_hosts pidfile \
ls.copy banner.in banner.out empty.in \
scp-ssh-wrapper.exe ssh_proxy_envpass remote_pid \
sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
- known_hosts-cert host_ca_key* cert_host_key* \
+ known_hosts-cert host_ca_key* cert_user_key* cert_host_key* \
authorized_principals_${USER} expect actual ready \
- sshd_proxy.* authorized_keys_${USER}.*
+ sshd_proxy.* authorized_keys_${USER}.* revoked-* krl-*
# Enable all malloc(3) randomisations and checks
TEST_ENV= "MALLOC_OPTIONS=AFGJPRX"
diff --git a/regress/usr.bin/ssh/cert-userkey.sh b/regress/usr.bin/ssh/cert-userkey.sh
index 85e13b1c3b2..8dc9a691ac8 100644
--- a/regress/usr.bin/ssh/cert-userkey.sh
+++ b/regress/usr.bin/ssh/cert-userkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-userkey.sh,v 1.9 2012/10/19 05:10:42 djm Exp $
+# $OpenBSD: cert-userkey.sh,v 1.10 2013/01/18 00:45:29 djm Exp $
# Placed in the Public Domain.
tid="certified user keys"
@@ -178,14 +178,32 @@ basic_tests() {
(
cat $OBJ/sshd_proxy_bak
echo "UsePrivilegeSeparation $privsep"
- echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
+ echo "RevokedKeys $OBJ/cert_user_key_revoked"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
+ cp $OBJ/cert_user_key_${ktype}.pub \
+ $OBJ/cert_user_key_revoked
${SSH} -2i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpecedly"
fi
+ verbose "$tid: ${_prefix} revoked via KRL"
+ rm $OBJ/cert_user_key_revoked
+ ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
+ $OBJ/cert_user_key_${ktype}.pub
+ ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect succeeded unexpecedly"
+ fi
+ verbose "$tid: ${_prefix} empty KRL"
+ ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
+ ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
done
# Revoked CA
diff --git a/regress/usr.bin/ssh/krl.sh b/regress/usr.bin/ssh/krl.sh
new file mode 100644
index 00000000000..3ee5a906086
--- /dev/null
+++ b/regress/usr.bin/ssh/krl.sh
@@ -0,0 +1,151 @@
+# $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $
+# Placed in the Public Domain.
+
+tid="key revocation lists"
+
+# Do most testing with ssh-keygen; it uses the same verification code as sshd.
+
+# Old keys will interfere with ssh-keygen.
+rm -f $OBJ/revoked-* $OBJ/krl-*
+
+# Generate a CA key
+$SSHKEYGEN -t ecdsa -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
+ fatal "$SSHKEYGEN CA failed"
+
+# A specification that revokes some certificates by serial numbers
+# The serial pattern is chosen to ensure the KRL includes list, range and
+# bitmap sections.
+cat << EOF >> $OBJ/revoked-serials
+serial: 1-4
+serial: 10
+serial: 15
+serial: 30
+serial: 50
+serial: 999
+# The following sum to 500-799
+serial: 500
+serial: 501
+serial: 502
+serial: 503-600
+serial: 700-797
+serial: 798
+serial: 799
+serial: 599-701
+EOF
+
+# A specification that revokes some certificated by key ID.
+touch $OBJ/revoked-keyid
+for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
+ # Fill in by-ID revocation spec.
+ echo "id: revoked $n" >> $OBJ/revoked-keyid
+done
+
+keygen() {
+ N=$1
+ f=$OBJ/revoked-`printf "%04d" $N`
+ # Vary the keytype. We use mostly ECDSA since this is fastest by far.
+ keytype=ecdsa
+ case $N in
+ 2 | 10 | 510 | 1001) keytype=rsa;;
+ 4 | 30 | 520 | 1002) keytype=dsa;;
+ esac
+ $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
+ || fatal "$SSHKEYGEN failed"
+ # Sign cert
+ $SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
+ || fatal "$SSHKEYGEN sign failed"
+ echo $f
+}
+
+# Generate some keys.
+verbose "$tid: generating test keys"
+REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
+for n in $REVOKED_SERIALS ; do
+ f=`keygen $n`
+ REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
+ REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
+done
+NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
+NOTREVOKED=""
+for n in $NOTREVOKED_SERIALS ; do
+ NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
+ NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
+done
+
+genkrls() {
+ OPTS=$1
+$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+# KRLs from serial/key-id spec need the CA specified.
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
+ >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
+ >/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
+ >/dev/null || fatal "$SSHKEYGEN KRL failed"
+}
+
+verbose "$tid: generating KRLs"
+genkrls
+
+check_krl() {
+ KEY=$1
+ KRL=$2
+ EXPECT_REVOKED=$3
+ TAG=$4
+ $SSHKEYGEN -Qf $KRL $KEY >/dev/null
+ result=$?
+ if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
+ fatal "key $KEY not revoked by KRL $KRL: $TAG"
+ elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
+ fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
+ fi
+}
+test_all() {
+ FILES=$1
+ TAG=$2
+ KEYS_RESULT=$3
+ ALL_RESULT=$4
+ SERIAL_RESULT=$5
+ KEYID_RESULT=$6
+ CERTS_RESULT=$7
+ CA_RESULT=$8
+ verbose "$tid: checking revocations for $TAG"
+ for f in $FILES ; do
+ check_krl $f $OBJ/krl-empty no "$TAG"
+ check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
+ check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
+ check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
+ check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
+ check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
+ check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
+ done
+}
+# keys all serial keyid certs CA
+test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
+test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
+test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
+test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
+
+# Check update. Results should be identical.
+verbose "$tid: testing KRL update"
+for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
+ $OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
+ cp -f $OBJ/krl-empty $f
+ genkrls -u
+done
+# keys all serial keyid certs CA
+test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
+test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
+test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
+test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes