[openssh-commits] [openssh] 03/06: upstream commit
git+noreply at mindrot.org
git+noreply at mindrot.org
Wed Jul 15 16:04:38 AEST 2015
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit 6a977a4b68747ade189e43d302f33403fd4a47ac
Author: djm at openbsd.org <djm at openbsd.org>
Date: Fri Jul 3 04:39:23 2015 +0000
upstream commit
legacy v00 certificates are gone; adapt and don't try to
test them; "sure" markus@ dtucker@
Upstream-Regress-ID: c57321e69b3cd4a3b3396dfcc43f0803d047da12
---
regress/cert-hostkey.sh | 148 +++++++++++++--------------------
regress/cert-userkey.sh | 39 ++-------
regress/unittests/sshkey/test_sshkey.c | 4 +-
3 files changed, 67 insertions(+), 124 deletions(-)
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 51685dc..c99c2b1 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-hostkey.sh,v 1.11 2015/01/19 06:01:32 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.12 2015/07/03 04:39:23 djm Exp $
# Placed in the Public Domain.
tid="certified host keys"
@@ -27,13 +27,6 @@ cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
-type_has_legacy() {
- case $1 in
- ed25519*|ecdsa*) return 1 ;;
- esac
- return 0
-}
-
# Prepare certificate, plain key and CA KRLs
${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
${SSHKEYGEN} -kf $OBJ/host_krl_plain || fatal "KRL init failed"
@@ -61,18 +54,6 @@ for ktype in $PLAIN_TYPES ; do
fatal "KRL update failed"
cat $OBJ/cert_host_key_${ktype}-cert.pub >> $OBJ/host_revoked_cert
serial=`expr $serial + 1`
- type_has_legacy $ktype || continue
- cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
- cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
- verbose "$tid: sign host ${ktype}_v00 cert"
- ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
- -I "regress host key for $USER" \
- -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
- fatal "couldn't sign cert_host_key_${ktype}_v00"
- ${SSHKEYGEN} -ukf $OBJ/host_krl_cert \
- $OBJ/cert_host_key_${ktype}_v00-cert.pub || \
- fatal "KRL update failed"
- cat $OBJ/cert_host_key_${ktype}_v00-cert.pub >> $OBJ/host_revoked_cert
done
attempt_connect() {
@@ -98,7 +79,7 @@ attempt_connect() {
# Basic connect and revocation tests.
for privsep in yes no ; do
- for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
+ for ktype in $PLAIN_TYPES ; do
verbose "$tid: host ${ktype} cert connect privsep $privsep"
(
cat $OBJ/sshd_proxy_bak
@@ -133,14 +114,14 @@ done
printf '@cert-authority '
printf "$HOSTS "
cat $OBJ/host_ca_key.pub
- for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
+ for ktype in $PLAIN_TYPES ; do
test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
done
) > $OBJ/known_hosts-cert.orig
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
for privsep in yes no ; do
- for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
+ for ktype in $PLAIN_TYPES ; do
verbose "$tid: host ${ktype} revoked cert privsep $privsep"
(
cat $OBJ/sshd_proxy_bak
@@ -169,7 +150,7 @@ done
cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert.orig
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
+for ktype in $PLAIN_TYPES ; do
verbose "$tid: host ${ktype} revoked cert"
(
cat $OBJ/sshd_proxy_bak
@@ -198,17 +179,10 @@ test_one() {
result=$2
sign_opts=$3
- for kt in rsa rsa_v00 ; do
- case $kt in
- *_v00) args="-t v00" ;;
- *) args="" ;;
- esac
-
- verbose "$tid: host cert connect $ident $kt expect $result"
+ for kt in rsa ed25519 ; do
${SSHKEYGEN} -q -s $OBJ/host_ca_key \
-I "regress host key for $USER" \
- $sign_opts $args \
- $OBJ/cert_host_key_${kt} ||
+ $sign_opts $OBJ/cert_host_key_${kt} ||
fail "couldn't sign cert_host_key_${kt}"
(
cat $OBJ/sshd_proxy_bak
@@ -242,36 +216,33 @@ test_one "cert valid interval" success "-h -V-1w:+2w"
test_one "cert has constraints" failure "-h -Oforce-command=false"
# Check downgrade of cert to raw key when no CA found
-for v in v01 v00 ; do
- for ktype in $PLAIN_TYPES ; do
- type_has_legacy $ktype || continue
- rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
- verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
- # Generate and sign a host key
- ${SSHKEYGEN} -q -N '' -t ${ktype} \
- -f $OBJ/cert_host_key_${ktype} || \
- fail "ssh-keygen of cert_host_key_${ktype} failed"
- ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
- -I "regress host key for $USER" \
- -n $HOSTS $OBJ/cert_host_key_${ktype} ||
- fail "couldn't sign cert_host_key_${ktype}"
- (
- printf "$HOSTS "
- cat $OBJ/cert_host_key_${ktype}.pub
- ) > $OBJ/known_hosts-cert
- (
- cat $OBJ/sshd_proxy_bak
- echo HostKey $OBJ/cert_host_key_${ktype}
- echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
- ) > $OBJ/sshd_proxy
-
- ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
- -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
- -F $OBJ/ssh_proxy somehost true
- if [ $? -ne 0 ]; then
- fail "ssh cert connect failed"
- fi
- done
+for ktype in $PLAIN_TYPES ; do
+ rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
+ verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
+ # Generate and sign a host key
+ ${SSHKEYGEN} -q -N '' -t ${ktype} \
+ -f $OBJ/cert_host_key_${ktype} || \
+ fail "ssh-keygen of cert_host_key_${ktype} failed"
+ ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
+ -I "regress host key for $USER" \
+ -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+ fail "couldn't sign cert_host_key_${ktype}"
+ (
+ printf "$HOSTS "
+ cat $OBJ/cert_host_key_${ktype}.pub
+ ) > $OBJ/known_hosts-cert
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo HostKey $OBJ/cert_host_key_${ktype}
+ echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+ ) > $OBJ/sshd_proxy
+
+ ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+ -F $OBJ/ssh_proxy somehost true
+ if [ $? -ne 0 ]; then
+ fail "ssh cert connect failed"
+ fi
done
# Wrong certificate
@@ -281,33 +252,30 @@ done
cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert.orig
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
-for v in v01 v00 ; do
- for kt in $PLAIN_TYPES ; do
- type_has_legacy $kt || continue
- rm -f $OBJ/cert_host_key*
- # Self-sign key
- ${SSHKEYGEN} -q -N '' -t ${kt} \
- -f $OBJ/cert_host_key_${kt} || \
- fail "ssh-keygen of cert_host_key_${kt} failed"
- ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
- -I "regress host key for $USER" \
- -n $HOSTS $OBJ/cert_host_key_${kt} ||
- fail "couldn't sign cert_host_key_${kt}"
- verbose "$tid: host ${kt} connect wrong cert"
- (
- cat $OBJ/sshd_proxy_bak
- echo HostKey $OBJ/cert_host_key_${kt}
- echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
- ) > $OBJ/sshd_proxy
-
- cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
- ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
- -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
- -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- fail "ssh cert connect $ident succeeded unexpectedly"
- fi
- done
+for kt in $PLAIN_TYPES ; do
+ rm -f $OBJ/cert_host_key*
+ # Self-sign key
+ ${SSHKEYGEN} -q -N '' -t ${kt} \
+ -f $OBJ/cert_host_key_${kt} || \
+ fail "ssh-keygen of cert_host_key_${kt} failed"
+ ${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
+ -I "regress host key for $USER" \
+ -n $HOSTS $OBJ/cert_host_key_${kt} ||
+ fail "couldn't sign cert_host_key_${kt}"
+ verbose "$tid: host ${kt} connect wrong cert"
+ (
+ cat $OBJ/sshd_proxy_bak
+ echo HostKey $OBJ/cert_host_key_${kt}
+ echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
+ ) > $OBJ/sshd_proxy
+
+ cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
+ ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+ -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ fail "ssh cert connect $ident succeeded unexpectedly"
+ fi
done
rm -f $OBJ/known_hosts-cert* $OBJ/host_ca_key* $OBJ/cert_host_key*
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index b093a91..d461b9e 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $
+# $OpenBSD: cert-userkey.sh,v 1.13 2015/07/03 04:39:23 djm Exp $
# Placed in the Public Domain.
tid="certified user keys"
@@ -8,13 +8,6 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
-type_has_legacy() {
- case $1 in
- ed25519*|ecdsa*) return 1 ;;
- esac
- return 0
-}
-
# Create a CA key
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
fail "ssh-keygen of user_ca_key failed"
@@ -28,18 +21,10 @@ for ktype in $PLAIN_TYPES ; do
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}"
- type_has_legacy $ktype || continue
- cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
- cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
- verbose "$tid: sign host ${ktype}_v00 cert"
- ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
- "regress user key for $USER" \
- -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
- fatal "couldn't sign cert_user_key_${ktype}_v00"
done
# Test explicitly-specified principals
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
+for ktype in $PLAIN_TYPES ; do
for privsep in yes no ; do
_prefix="${ktype} privsep $privsep"
@@ -165,7 +150,7 @@ basic_tests() {
extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
fi
- for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
+ for ktype in $PLAIN_TYPES ; do
for privsep in yes no ; do
_prefix="${ktype} privsep $privsep $auth"
# Simple connect
@@ -257,12 +242,7 @@ test_one() {
fi
for auth in $auth_choice ; do
- for ktype in rsa rsa_v00 ; do
- case $ktype in
- *_v00) keyv="-t v00" ;;
- *) keyv="" ;;
- esac
-
+ for ktype in rsa ed25519 ; do
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
if test "x$auth" = "xauthorized_keys" ; then
# Add CA to authorized_keys
@@ -282,8 +262,7 @@ test_one() {
verbose "$tid: $ident auth $auth expect $result $ktype"
${SSHKEYGEN} -q -s $OBJ/user_ca_key \
-I "regress user key for $USER" \
- $sign_opts $keyv \
- $OBJ/cert_user_key_${ktype} ||
+ $sign_opts $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}"
${SSH} -2i $OBJ/cert_user_key_${ktype} \
@@ -335,13 +314,9 @@ test_one "principals key option no principals" failure "" \
# Wrong certificate
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
- case $ktype in
- *_v00) args="-t v00" ;;
- *) args="" ;;
- esac
+for ktype in $PLAIN_TYPES ; do
# Self-sign
- ${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
+ ${SSHKEYGEN} -q -s $OBJ/cert_user_key_${ktype} -I \
"regress user key for $USER" \
-n $USER $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}"
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
index 4453a85..9e78070 100644
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_sshkey.c,v 1.4 2015/04/22 01:38:36 djm Exp $ */
+/* $OpenBSD: test_sshkey.c,v 1.5 2015/07/03 04:39:23 djm Exp $ */
/*
* Regress test for sshkey.h key management API
*
@@ -424,7 +424,7 @@ sshkey_tests(void)
ASSERT_INT_EQ(sshkey_load_public(test_data_file("ed25519_1.pub"),
&k1, NULL), 0);
k2 = get_private("ed25519_2");
- ASSERT_INT_EQ(sshkey_to_certified(k1, 0), 0);
+ ASSERT_INT_EQ(sshkey_to_certified(k1), 0);
ASSERT_PTR_NE(k1->cert, NULL);
k1->cert->type = SSH2_CERT_TYPE_USER;
k1->cert->serial = 1234;
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list