From: djm@openbsd.org
Date: Thu, 16 Oct 2025 00:01:54 +0000 (+0000)
Subject: upstream: regress test for PKCS#11 directly in ssh (not via ssh-agent)
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=946574b97ceae126e0f0af2db43abb454937defe;p=thirdparty%2Fopenssh-portable.git
upstream: regress test for PKCS#11 directly in ssh (not via ssh-agent)
would have caught bz3879
OpenBSD-Regress-ID: ceafb1e9a6c07185cc0cb0589f3170489a516123
---
diff --git a/regress/Makefile b/regress/Makefile
index ece093a2b..0bb90bcb4 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.140 2025/07/04 07:52:17 djm Exp $
+# $OpenBSD: Makefile,v 1.141 2025/10/16 00:01:54 djm Exp $
 tests: prep file-tests t-exec unit
@@ -114,7 +114,8 @@ LTESTS= connect \
 agent-pkcs11-cert \
 penalty \
 penalty-expire \
- connect-bigconf
+ connect-bigconf \
+ ssh-pkcs11
 INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
 INTEROP_TESTS+= dropbear-ciphers dropbear-kex dropbear-server
@@ -151,7 +152,8 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
 sshd_proxy_orig t10.out t10.out.pub t12.out t12.out.pub \
 t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub \
 t8.out t8.out.pub t9.out t9.out.pub \
- timestamp testdata user_*key* user_ca* user_key*
+ timestamp testdata user_*key* user_ca* user_key* \
+ pin.sh nopin.sh wrongpin.sh key.pub
 # Enable all malloc(3) randomisations and checks
 TEST_ENV= "MALLOC_OPTIONS=CFGJRSUX"
diff --git a/regress/ssh-pkcs11.sh b/regress/ssh-pkcs11.sh
new file mode 100644
index 000000000..96680fca9
--- /dev/null
+++ b/regress/ssh-pkcs11.sh
@@ -0,0 +1,40 @@
+# $OpenBSD: ssh-pkcs11.sh,v 1.1 2025/10/16 00:01:54 djm Exp $
+# Placed in the Public Domain.
+
+tid="pkcs11 ssh test"
+
+p11_setup || skip "No PKCS#11 library found"
+
+grep -iv IdentityFile $OBJ/ssh_proxy |
+ grep -vi BatchMode > $OBJ/ssh_proxy.orig
+#echo "IdentitiesOnly=yes" >> $OBJ/ssh_proxy.orig
+echo "PKCS11Provider=${TEST_SSH_PKCS11}" >> $OBJ/ssh_proxy.orig
+
+check_all() {
+ tag="$1"
+ expect_success=$2
+ pinsh="$3"
+ for k in $ED25519 $RSA $EC; do
+ kshort=`basename "$k"`
+ verbose "$tag: $kshort"
+ pub="$k.pub"
+ cp $pub $OBJ/key.pub
+ chmod 0600 $OBJ/key.pub
+ cat $OBJ/key.pub > $OBJ/authorized_keys_$USER
+ cp $OBJ/ssh_proxy.orig $OBJ/ssh_proxy
+ env SSH_ASKPASS="$pinsh" SSH_ASKPASS_REQUIRE=force \
+ ${SSH} -F $OBJ/ssh_proxy somehost exit 5 >/dev/null 2>&1
+ r=$?
+ if [ "x$expect_success" = "xy" ]; then
+ if [ $r -ne 5 ]; then
+ fail "ssh connect failed (exit code $r)"
+ fi
+ elif [ $r -eq 5 ]; then
+ fail "ssh connect succeeded unexpectedly (exit code $r)"
+ fi
+ done
+}
+
+check_all "correct pin" y $PIN_SH
+check_all "wrong pin" n $WRONGPIN_SH
+check_all "nopin" n `which true`
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 34fb58fda..f13750eae 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.131 2025/07/26 01:53:31 djm Exp $
+# $OpenBSD: test-exec.sh,v 1.132 2025/10/16 00:01:54 djm Exp $
 # Placed in the Public Domain.
 #SUDO=sudo
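Review bot: The negative cases in check_all only prove that ssh did not exit 5, and because BatchMode is stripped from ssh_proxy.orig while SSH_ASKPASS_REQUIRE=force is set, the askpass script answers every prompt ssh raises, not just the PKCS#11 PIN; if sshd_proxy (not visible here) offers any other interactive method, the "wrong pin" and "nopin" runs exercise that method with the same script rather than the PKCS#11 path. Adding `echo "PreferredAuthentications=publickey" >> $OBJ/ssh_proxy.orig` next to the PKCS11Provider line pins the test to the path it is meant to cover. The commented-out `#echo "IdentitiesOnly=yes"` line is a leftover and should either go or carry a one-line comment explaining why IdentitiesOnly must stay unset for provider keys to be offered. The Makefile hunk adds nopin.sh to CLEANFILES but nothing in this commit creates that file; the no-PIN case runs the `true` binary located via `which` instead, so either drop the CLEANFILES entry or generate a nopin.sh alongside pin.sh for consistency.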
@@ -991,13 +991,19 @@ EOF
 fatal "softhsm import ed25519 fail"
 chmod 600 $ED25519
 ${SSHKEYGEN} -y -f $ED25519 > ${ED25519}.pub
- # Prepare askpass script to load PIN.
+ # Prepare some askpass scripts to load PINs.
 PIN_SH=$SSH_SOFTHSM_DIR/pin.sh
 cat > $PIN_SH << EOF
 #!/bin/sh
 echo "${TEST_SSH_PIN}"
 EOF
 chmod 0700 "$PIN_SH"
+ WRONGPIN_SH=$SSH_SOFTHSM_DIR/wrongpin.sh
+ cat > $WRONGPIN_SH << EOF
+#!/bin/sh
+echo "0000"
+EOF
+ chmod 0700 "$WRONGPIN_SH"
 PKCS11_OK=yes
 if env SSH_ASKPASS="$PIN_SH" SSH_ASKPASS_REQUIRE=force \
 ${SSHKEYGEN} -D ${TEST_SSH_PKCS11} >/dev/null 2>&1 ; then
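Review bot: wrongpin.sh hardcodes `"0000"`, which is only wrong as long as TEST_SSH_PIN never equals it; the generating heredoc already expands variables, so `echo "${TEST_SSH_PIN}0"` (any value derived from the real PIN) makes the mismatch structural instead of a coincidence that would silently turn the wrong-pin assertion into a false pass. The setup function around this hunk starts and ends outside it, so whether TEST_SSH_PIN is fixed or operator-configurable cannot be seen here. A comment above the script is also worth adding: presenting a deliberately bad PIN is harmless for SoftHSM, but a loop that feeds wrong PINs can consume retry counters on hardware tokens, so `# Deliberately wrong PIN; only ever used against the SoftHSM test token` documents the constraint for anyone reusing the helper.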