upstream: regress test for PKCS#11 directly in ssh (not via ssh-agent)
authordjm@openbsd.org <djm@openbsd.org>
Thu, 16 Oct 2025 00:01:54 +0000 (00:01 +0000)
committerDamien Miller <djm@mindrot.org>
Thu, 16 Oct 2025 00:14:49 +0000 (11:14 +1100)
would have caught bz3879

OpenBSD-Regress-ID: ceafb1e9a6c07185cc0cb0589f3170489a516123

regress/Makefile
regress/ssh-pkcs11.sh [new file with mode: 0644]
regress/test-exec.sh

index ece093a2ba87532ee4727a05e0bbc9730a11fb5a..0bb90bcb4fb2d7f45ba6c6f9356e784d6bcb55ff 100644 (file)
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile,v 1.140 2025/07/04 07:52:17 djm Exp $
+#      $OpenBSD: Makefile,v 1.141 2025/10/16 00:01:54 djm Exp $
 
 tests:         prep file-tests t-exec unit
 
@@ -114,7 +114,8 @@ LTESTS=     connect \
                agent-pkcs11-cert \
                penalty \
                penalty-expire \
-               connect-bigconf
+               connect-bigconf \
+               ssh-pkcs11
 
 INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
 INTEROP_TESTS+=        dropbear-ciphers dropbear-kex dropbear-server
@@ -151,7 +152,8 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
                sshd_proxy_orig t10.out t10.out.pub t12.out t12.out.pub \
                t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub \
                t8.out t8.out.pub t9.out t9.out.pub \
-               timestamp testdata user_*key* user_ca* user_key*
+               timestamp testdata user_*key* user_ca* user_key* \
+               pin.sh nopin.sh wrongpin.sh key.pub
 
 # Enable all malloc(3) randomisations and checks
 TEST_ENV=      "MALLOC_OPTIONS=CFGJRSUX"
diff --git a/regress/ssh-pkcs11.sh b/regress/ssh-pkcs11.sh
new file mode 100644 (file)
index 0000000..96680fc
--- /dev/null
@@ -0,0 +1,40 @@
+#      $OpenBSD: ssh-pkcs11.sh,v 1.1 2025/10/16 00:01:54 djm Exp $
+#      Placed in the Public Domain.
+
+tid="pkcs11 ssh test"
+
+p11_setup || skip "No PKCS#11 library found"
+
+grep -iv IdentityFile $OBJ/ssh_proxy |
+       grep -vi BatchMode > $OBJ/ssh_proxy.orig
+#echo "IdentitiesOnly=yes" >> $OBJ/ssh_proxy.orig
+echo "PKCS11Provider=${TEST_SSH_PKCS11}" >> $OBJ/ssh_proxy.orig
+
+check_all() {
+       tag="$1"
+       expect_success=$2
+       pinsh="$3"
+       for k in $ED25519 $RSA $EC; do
+               kshort=`basename "$k"`
+               verbose "$tag: $kshort"
+               pub="$k.pub"
+               cp $pub $OBJ/key.pub
+               chmod 0600 $OBJ/key.pub
+               cat $OBJ/key.pub > $OBJ/authorized_keys_$USER
+               cp $OBJ/ssh_proxy.orig $OBJ/ssh_proxy
+               env SSH_ASKPASS="$pinsh" SSH_ASKPASS_REQUIRE=force \
+                       ${SSH} -F $OBJ/ssh_proxy somehost exit 5 >/dev/null 2>&1
+               r=$?
+               if [ "x$expect_success" = "xy" ]; then
+                       if [ $r -ne 5 ]; then
+                               fail "ssh connect failed (exit code $r)"
+                       fi
+               elif [ $r -eq 5 ]; then
+                       fail "ssh connect succeeded unexpectedly (exit code $r)"
+               fi
+       done
+}
+
+check_all "correct pin" y $PIN_SH
+check_all "wrong pin" n $WRONGPIN_SH
+check_all "nopin" n `which true`
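Review bot: In `check_all`, the expected-failure branch (`elif [ $r -eq 5 ]`) accepts every exit status other than 5, so an ssh that crashes on the wrong-PIN or no-PIN path (a signal status above 128) is recorded as a pass just like a clean authentication refusal. ssh reports its own errors with status 255, so the branch could be tightened to `elif [ $r -ne 255 ]; then fail "ssh did not fail cleanly (exit code $r)"`, assuming the `${SSH}` wrapper passes the status through unchanged. Separately, the last line finds its askpass program through the `which true` substitution; `which` is not a POSIX utility, and if it prints nothing `SSH_ASKPASS` ends up empty, so `command -v true` or a small `nopin.sh` (the Makefile hunk already lists that name in CLEANFILES) would be sturdier.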
index 34fb58fda0f8802110db344b0258cfad3ecdb443..f13750eaeaebcfc76e40305f74e10ef497723838 100644 (file)
@@ -1,4 +1,4 @@
-#      $OpenBSD: test-exec.sh,v 1.131 2025/07/26 01:53:31 djm Exp $
+#      $OpenBSD: test-exec.sh,v 1.132 2025/10/16 00:01:54 djm Exp $
 #      Placed in the Public Domain.
 
 #SUDO=sudo
@@ -991,13 +991,19 @@ EOF
                fatal "softhsm import ed25519 fail"
        chmod 600 $ED25519
        ${SSHKEYGEN} -y -f $ED25519 > ${ED25519}.pub
-       # Prepare askpass script to load PIN.
+       # Prepare some askpass scripts to load PINs.
        PIN_SH=$SSH_SOFTHSM_DIR/pin.sh
        cat > $PIN_SH << EOF
 #!/bin/sh
 echo "${TEST_SSH_PIN}"
 EOF
        chmod 0700 "$PIN_SH"
+       WRONGPIN_SH=$SSH_SOFTHSM_DIR/wrongpin.sh
+       cat > $WRONGPIN_SH << EOF
+#!/bin/sh
+echo "0000"
+EOF
+       chmod 0700 "$WRONGPIN_SH"
        PKCS11_OK=yes
        if env SSH_ASKPASS="$PIN_SH" SSH_ASKPASS_REQUIRE=force \
            ${SSHKEYGEN} -D ${TEST_SSH_PKCS11} >/dev/null 2>&1 ; then
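Review bot: The wrong-PIN askpass script's `echo "0000"` is a fixed literal that is not tied to `${TEST_SSH_PIN}`, so the "wrong pin" case only exercises a rejection while the configured PIN differs from it. The PIN's definition is outside this hunk, as are the start and end of the enclosing function. Deriving the value from the real PIN, for example `echo "${TEST_SSH_PIN}-wrong"` in the unquoted heredoc, keeps the two guaranteed distinct. A short comment above `WRONGPIN_SH` such as `# Deliberately incorrect PIN, used by the ssh-pkcs11.sh negative tests.` would also explain why the script exists.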