upstream commit

author djm@openbsd.org <djm@openbsd.org>

Fri, 3 Jul 2015 04:39:23 +0000 (04:39 +0000)

committer Damien Miller <djm@mindrot.org>

Wed, 15 Jul 2015 06:04:02 +0000 (16:04 +1000)
author djm@openbsd.org <djm@openbsd.org>
Fri, 3 Jul 2015 04:39:23 +0000 (04:39 +0000)
committer Damien Miller <djm@mindrot.org>
Wed, 15 Jul 2015 06:04:02 +0000 (16:04 +1000)
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh

index 51685dc2b54b07b40bf550c15ce86608cb64a825..c99c2b1c36de0ac83db42306540123da5ff40b94 100644 (file)
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#      $OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $
+#      $OpenBSD: cert-hostkey.sh,v 1.12 2015/07/03 04:39:23 djm Exp $
  #      Placed in the Public Domain.
  
  tid="certified host keys"
@@ -27,13 +27,6 @@ cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
  
  PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
  
-type_has_legacy() {
-       case $1 in
-               ed25519*|ecdsa*) return 1 ;;
-       esac
-       return 0
-}
-
  # Prepare certificate, plain key and CA KRLs
  ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
  ${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
@@ -61,18 +54,6 @@ for ktype in $PLAIN_TYPES ; do
                 fatal "KRL update failed"
         cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert
         serial=`expr $serial + 1`
-       type_has_legacy $ktype || continue
-       cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
-       cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
-       verbose "$tid: sign host ${ktype}_v00 cert"
-       ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
-           -I "regress host key for $USER" \
-           -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
-               fatal "couldn't sign cert_host_key_${ktype}_v00"
-       ${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
-           $OBJ/cert_host_key_${ktype}_v00-cert.pub || \
-               fatal "KRL update failed"
-       cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert
  done
  
  attempt_connect() {
@@ -98,7 +79,7 @@ attempt_connect() {
  
  # Basic connect and revocation tests.
  for privsep in yes no ; do
-       for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 
+       for ktype in $PLAIN_TYPES ; do 
                 verbose "$tid: host ${ktype} cert connect privsep $privsep"
                 (
                         cat $OBJ/sshd_proxy_bak
@@ -133,14 +114,14 @@ done
         printf '@cert-authority '
         printf "$HOSTS "
         cat $OBJ/host_ca_key.pub
-       for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
+       for ktype in $PLAIN_TYPES ; do
                 test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
                 printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
         done
  ) > $OBJ/known_hosts-cert.orig
  cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
  for privsep in yes no ; do
-       for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 
+       for ktype in $PLAIN_TYPES ; do 
                 verbose "$tid: host ${ktype} revoked cert privsep $privsep"
                 (
                         cat $OBJ/sshd_proxy_bak
@@ -169,7 +150,7 @@ done
         cat $OBJ/host_ca_key.pub
  ) > $OBJ/known_hosts-cert.orig
  cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
+for ktype in $PLAIN_TYPES ; do 
         verbose "$tid: host ${ktype} revoked cert"
         (
                 cat $OBJ/sshd_proxy_bak
@@ -198,17 +179,10 @@ test_one() {
         result=$2
         sign_opts=$3
  
-       for kt in rsa rsa_v00 ; do
-               case $kt in
-               *_v00) args="-t v00" ;;
-               *) args="" ;;
-               esac
-
-               verbose "$tid: host cert connect $ident $kt expect $result"
+       for kt in rsa ed25519 ; do
                 ${SSHKEYGEN} -q -s $OBJ/host_ca_key \
                     -I "regress host key for $USER" \
-                   $sign_opts $args \
-                   $OBJ/cert_host_key_${kt} ||
+                   $sign_opts $OBJ/cert_host_key_${kt} ||
                         fail "couldn't sign cert_host_key_${kt}"
                 (
                         cat $OBJ/sshd_proxy_bak
@@ -242,36 +216,33 @@ test_one "cert valid interval"    success "-h -V-1w:+2w"
  test_one "cert has constraints"        failure "-h -Oforce-command=false"
  
  # Check downgrade of cert to raw key when no CA found
-for v in v01 v00 ;  do 
-       for ktype in $PLAIN_TYPES ; do 
-               type_has_legacy $ktype || continue
-               rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
-               verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
-               # Generate and sign a host key
-               ${SSHKEYGEN} -q -N '' -t ${ktype} \
-                   -f $OBJ/cert_host_key_${ktype} || \
-                       fail "ssh-keygen of cert_host_key_${ktype} failed"
-               ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
-                   -I "regress host key for $USER" \
-                   -n $HOSTS $OBJ/cert_host_key_${ktype} ||
-                       fail "couldn't sign cert_host_key_${ktype}"
-               (
-                       printf "$HOSTS "
-                       cat $OBJ/cert_host_key_${ktype}.pub
-               ) > $OBJ/known_hosts-cert
-               (
-                       cat $OBJ/sshd_proxy_bak
-                       echo HostKey $OBJ/cert_host_key_${ktype}
-                       echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
-               ) > $OBJ/sshd_proxy
-               
-               ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-                   -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-                       -F $OBJ/ssh_proxy somehost true
-               if [ $? -ne 0 ]; then
-                       fail "ssh cert connect failed"
-               fi
-       done
+for ktype in $PLAIN_TYPES ; do 
+       rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
+       verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
+       # Generate and sign a host key
+       ${SSHKEYGEN} -q -N '' -t ${ktype} \
+           -f $OBJ/cert_host_key_${ktype} || \
+               fail "ssh-keygen of cert_host_key_${ktype} failed"
+       ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
+           -I "regress host key for $USER" \
+           -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+               fail "couldn't sign cert_host_key_${ktype}"
+       (
+               printf "$HOSTS "
+               cat $OBJ/cert_host_key_${ktype}.pub
+       ) > $OBJ/known_hosts-cert
+       (
+               cat $OBJ/sshd_proxy_bak
+               echo HostKey $OBJ/cert_host_key_${ktype}
+               echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+       ) > $OBJ/sshd_proxy
+       
+       ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+           -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+               -F $OBJ/ssh_proxy somehost true
+       if [ $? -ne 0 ]; then
+               fail "ssh cert connect failed"
+       fi
  done
  
  # Wrong certificate
@@ -281,33 +252,30 @@ done
         cat $OBJ/host_ca_key.pub
  ) > $OBJ/known_hosts-cert.orig
  cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for v in v01 v00 ;  do 
-       for kt in $PLAIN_TYPES ; do 
-               type_has_legacy $kt || continue
-               rm -f $OBJ/cert_host_key*
-               # Self-sign key
-               ${SSHKEYGEN} -q -N '' -t ${kt} \
-                   -f $OBJ/cert_host_key_${kt} || \
-                       fail "ssh-keygen of cert_host_key_${kt} failed"
-               ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
-                   -I "regress host key for $USER" \
-                   -n $HOSTS $OBJ/cert_host_key_${kt} ||
-                       fail "couldn't sign cert_host_key_${kt}"
-               verbose "$tid: host ${kt} connect wrong cert"
-               (
-                       cat $OBJ/sshd_proxy_bak
-                       echo HostKey $OBJ/cert_host_key_${kt}
-                       echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
-               ) > $OBJ/sshd_proxy
-       
-               cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-               ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-                   -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-                       -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
-               if [ $? -eq 0 ]; then
-                       fail "ssh cert connect $ident succeeded unexpectedly"
-               fi
-       done
+for kt in $PLAIN_TYPES ; do 
+       rm -f $OBJ/cert_host_key*
+       # Self-sign key
+       ${SSHKEYGEN} -q -N '' -t ${kt} \
+           -f $OBJ/cert_host_key_${kt} || \
+               fail "ssh-keygen of cert_host_key_${kt} failed"
+       ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
+           -I "regress host key for $USER" \
+           -n $HOSTS $OBJ/cert_host_key_${kt} ||
+               fail "couldn't sign cert_host_key_${kt}"
+       verbose "$tid: host ${kt} connect wrong cert"
+       (
+               cat $OBJ/sshd_proxy_bak
+               echo HostKey $OBJ/cert_host_key_${kt}
+               echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
+       ) > $OBJ/sshd_proxy
+
+       cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
+       ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+           -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+               -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+       if [ $? -eq 0 ]; then
+               fail "ssh cert connect $ident succeeded unexpectedly"
+       fi
  done
  
  rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh

index b093a919614723770d28a8463528dd52b09f9841..d461b9e34ca5b65a7d2258a73ee385af931d99d4 100644 (file)
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-#      $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $
+#      $OpenBSD: cert-userkey.sh,v 1.13 2015/07/03 04:39:23 djm Exp $
  #      Placed in the Public Domain.
  
  tid="certified user keys"
@@ -8,13 +8,6 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
  
  PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
  
-type_has_legacy() {
-       case $1 in
-               ed25519*|ecdsa*) return 1 ;;
-       esac
-       return 0
-}
-
  # Create a CA key
  ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
         fail "ssh-keygen of user_ca_key failed"
@@ -28,18 +21,10 @@ for ktype in $PLAIN_TYPES ; do
         ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
             -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
                 fail "couldn't sign cert_user_key_${ktype}"
-       type_has_legacy $ktype || continue
-       cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
-       cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
-       verbose "$tid: sign host ${ktype}_v00 cert"
-       ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
-           "regress user key for $USER" \
-           -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
-               fatal "couldn't sign cert_user_key_${ktype}_v00"
  done
  
  # Test explicitly-specified principals
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
+for ktype in $PLAIN_TYPES ; do 
         for privsep in yes no ; do
                 _prefix="${ktype} privsep $privsep"
  
@@ -165,7 +150,7 @@ basic_tests() {
                 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
         fi
         
-       for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
+       for ktype in $PLAIN_TYPES ; do 
                 for privsep in yes no ; do
                         _prefix="${ktype} privsep $privsep $auth"
                         # Simple connect
@@ -257,12 +242,7 @@ test_one() {
         fi
  
         for auth in $auth_choice ; do
-               for ktype in rsa rsa_v00 ; do
-                       case $ktype in
-                       *_v00) keyv="-t v00" ;;
-                       *) keyv="" ;;
-                       esac
-
+               for ktype in rsa ed25519 ; do
                         cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
                         if test "x$auth" = "xauthorized_keys" ; then
                                 # Add CA to authorized_keys
@@ -282,8 +262,7 @@ test_one() {
                         verbose "$tid: $ident auth $auth expect $result $ktype"
                         ${SSHKEYGEN} -q -s $OBJ/user_ca_key \
                             -I "regress user key for $USER" \
-                           $sign_opts $keyv \
-                           $OBJ/cert_user_key_${ktype} ||
+                           $sign_opts $OBJ/cert_user_key_${ktype} ||
                                 fail "couldn't sign cert_user_key_${ktype}"
  
                         ${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -335,13 +314,9 @@ test_one "principals key option no principals" failure "" \
  
  # Wrong certificate
  cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
-       case $ktype in
-       *_v00) args="-t v00" ;;
-       *) args="" ;;
-       esac
+for ktype in $PLAIN_TYPES ; do 
         # Self-sign
-       ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
+       ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
             "regress user key for $USER" \
             -n $USER $OBJ/cert_user_key_${ktype} ||
                 fail "couldn't sign cert_user_key_${ktype}"
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c

index 4453a8599e0d1f48ff2f65a7799cae7dda77d7f2..9e780701a33ca525d41074c5881a1fe50f80dcae 100644 (file)
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: test_sshkey.c,v 1.4 2015/04/22 01:38:36 djm Exp $ */
+/*     $OpenBSD: test_sshkey.c,v 1.5 2015/07/03 04:39:23 djm Exp $ */
  /*
   * Regress test for sshkey.h key management API
   *
@@ -424,7 +424,7 @@ sshkey_tests(void)
         ASSERT_INT_EQ(sshkey_load_public(test_data_file("ed25519_1.pub"),
             &k1, NULL), 0);
         k2 = get_private("ed25519_2");
-       ASSERT_INT_EQ(sshkey_to_certified(k1, 0), 0);
+       ASSERT_INT_EQ(sshkey_to_certified(k1), 0);
         ASSERT_PTR_NE(k1->cert, NULL);
         k1->cert->type = SSH2_CERT_TYPE_USER;
         k1->cert->serial = 1234;
author	djm@openbsd.org <djm@openbsd.org>
	Fri, 3 Jul 2015 04:39:23 +0000 (04:39 +0000)
committer	Damien Miller <djm@mindrot.org>
	Wed, 15 Jul 2015 06:04:02 +0000 (16:04 +1000)
regress/cert-hostkey.sh		patch \| blob \| blame \| history
regress/cert-userkey.sh		patch \| blob \| blame \| history
regress/unittests/sshkey/test_sshkey.c		patch \| blob \| blame \| history