From d336fc07bb398fb3bba704020f25a9c46aec8b89 Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Fri, 9 Feb 2024 08:57:00 +0000
Subject: Expand the set of ciphers, MACs and KEX methods in the PuTTY interop tests.
---
 regress/usr.bin/ssh/putty-ciphers.sh | 42 +++++++++++++++++++++++++++++++-----
 regress/usr.bin/ssh/putty-kex.sh | 31 ++++++++++++++++++++------
 2 files changed, 61 insertions(+), 12 deletions(-)
(limited to 'regress/usr.bin')
diff --git a/regress/usr.bin/ssh/putty-ciphers.sh b/regress/usr.bin/ssh/putty-ciphers.sh
index 6b832733cd2..30f6461cc31 100644
--- a/regress/usr.bin/ssh/putty-ciphers.sh
+++ b/regress/usr.bin/ssh/putty-ciphers.sh
@@ -1,15 +1,47 @@
-# $OpenBSD: putty-ciphers.sh,v 1.12 2024/02/09 08:47:42 dtucker Exp $
+# $OpenBSD: putty-ciphers.sh,v 1.13 2024/02/09 08:56:59 dtucker Exp $
 # Placed in the Public Domain.
 tid="putty ciphers"
 puttysetup
-for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
- verbose "$tid: cipher $c"
+cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy_bak
+
+# Since there doesn't seem to be a way to set MACs on the PuTTY client side,
+# we force each in turn on the server side, omitting the ones PuTTY doesn't
+# support. Grepping the binary is pretty janky, but AFAIK there's no way to
+# query for supported algos.
+macs=""
+for m in `${SSH} -Q MACs`; do
+ if strings "${PLINK}" | grep -E "^${m}$" >/dev/null; then
+ macs="${macs} ${m}"
+ else
+ trace "omitting unsupported MAC ${m}"
+ fi
+done
+
+ciphers=""
+for c in `${SSH} -Q Ciphers`; do
+ if strings "${PLINK}" | grep -E "^${c}$" >/dev/null; then
+ ciphers="${ciphers} ${c}"
+ else
+ trace "omitting unsupported cipher ${c}"
+ fi
+done
+
+for c in default $ciphers; do
+ for m in default ${macs}; do
+ verbose "$tid: cipher $c mac $m"
 cp ${OBJ}/.putty/sessions/localhost_proxy \
 ${OBJ}/.putty/sessions/cipher_$c
- echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
+ if [ "${c}" != "default" ]; then
+ echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
+ fi
+
+ cp ${OBJ}/sshd_proxy_bak ${OBJ}/sshd_proxy
+ if [ "${m}" != "default" ]; then
+ echo "MACs $m" >> ${OBJ}/sshd_proxy
+ fi
 rm -f ${COPY}
 env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
@@ -18,6 +50,6 @@ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
 fail "ssh cat $DATA failed"
 fi
 cmp ${DATA} ${COPY} || fail "corrupted copy"
+ done
 done
 rm -f ${COPY}
-
diff --git a/regress/usr.bin/ssh/putty-kex.sh b/regress/usr.bin/ssh/putty-kex.sh
index 9df15be5890..22f8bd7060f 100644
--- a/regress/usr.bin/ssh/putty-kex.sh
+++ b/regress/usr.bin/ssh/putty-kex.sh
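Review bot: If the `${SSH} -Q MACs` or `${SSH} -Q Ciphers` probe produces no name that `strings "${PLINK}"` matches (or `strings`/`${PLINK}` is unavailable), `macs` and `ciphers` stay empty and the nested loop quietly shrinks to the single `default`/`default` pair, so the test passes without exercising any specific algorithm; the same applies to `kex` in putty-kex.sh, where the loop then runs zero times. A guard after each probe, e.g. `[ -n "${ciphers}" ] || fail "no ciphers from ${PLINK}"`, turns a broken probe into a failure instead of a vacuous pass. Separately, `grep -E "^${m}$"` treats the algorithm name as a regex, so the `.` in `@openssh.com` names matches any character; `grep -Fx -- "${m}"` (likewise for the cipher and kex probes) gives the exact whole-line match the comment describes. The `for c`/`for m` loops continue past this hunk into the next one.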
@@ -1,19 +1,36 @@
-# $OpenBSD: putty-kex.sh,v 1.10 2024/02/09 08:47:42 dtucker Exp $
+# $OpenBSD: putty-kex.sh,v 1.11 2024/02/09 08:56:59 dtucker Exp $
 # Placed in the Public Domain.
 tid="putty KEX"
 puttysetup
-for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
+cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy_bak
+
+# Enable group1, which PuTTY now disables by default
+echo "KEX=dh-group1-sha1" >>${OBJ}/.putty/sessions/localhost_proxy
+
+# Grepping algos out of the binary is pretty janky, but AFAIK there's no way
+# to query supported algos.
+kex=""
+for k in `$SSH -Q kex`; do
+ if strings "${PLINK}" | grep -E "^${k}$" >/dev/null; then
+ kex="${kex} ${k}"
+ else
+ trace "omitting unsupported KEX ${k}"
+ fi
+done
+
+for k in ${kex}; do
 verbose "$tid: kex $k"
- cp ${OBJ}/.putty/sessions/localhost_proxy \
- ${OBJ}/.putty/sessions/kex_$k
- echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
+ cp ${OBJ}/sshd_proxy_bak ${OBJ}/sshd_proxy
+ echo "KexAlgorithms ${k}" >>${OBJ}/sshd_proxy
- env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
+ env HOME=$PWD ${PLINK} -v -load localhost_proxy -batch -i ${OBJ}/putty.rsa2 true \
+ 2>${OBJ}/log/putty-kex-$k.log
 if [ $? -ne 0 ]; then
 fail "KEX $k failed"
 fi
+ kexmsg=`grep -E '^Doing.* key exchange' ${OBJ}/log/putty-kex-$k.log`
+ trace putty: ${kexmsg}
 done
-
-- 
cgit v1.2.3
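Review bot: The `KEX=dh-group1-sha1` line is appended to the shared `localhost_proxy` session file itself, whereas the removed `kex_$k` lines wrote to a per-KEX copy, so the weakened preference now persists in `${OBJ}/.putty/sessions` for anything that loads that session later unless `puttysetup` rewrites it, which this hunk does not show. It is also not evident here that a one-entry `KEX=` list still leaves PuTTY offering the other methods each `KexAlgorithms ${k}` restriction relies on. A comment beside the echo would settle both for the next reader, e.g. `# assumes puttysetup regenerates localhost_proxy and PuTTY still offers its other KEX methods after a one-entry KEX= line`. Minor style point: this probe writes `$SSH` while the matching probes in putty-ciphers.sh write `${SSH}`.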