[openssh-commits] [openssh] 04/04: upstream: regress test both sshsig message hash algorithms, possible

git+noreply at mindrot.org git+noreply at mindrot.org
Wed Jan 5 16:06:18 AEDT 2022 

This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 2ea1108c30e3edb6f872dfc1e6da10b041ddf2c0
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Jan 5 04:56:15 2022 +0000

    upstream: regress test both sshsig message hash algorithms, possible
    
    now because the algorithm is controllable via the CLI
    
    OpenBSD-Regress-ID: 0196fa87acc3544b2b4fd98de844a571cb09a39f
---
 regress/sshsig.sh | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/regress/sshsig.sh b/regress/sshsig.sh
index 40aa0c38..f8d85c2f 100644
--- a/regress/sshsig.sh
+++ b/regress/sshsig.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: sshsig.sh,v 1.12 2022/01/05 04:10:39 djm Exp $
+#	$OpenBSD: sshsig.sh,v 1.13 2022/01/05 04:56:15 djm Exp $
 #	Placed in the Public Domain.
 
 tid="sshsig"
@@ -52,13 +52,23 @@ for t in $SIGNKEYS; do
 	sigfile_cert=${OBJ}/sshsig-${keybase}-cert.sig
 
 	${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
-		< $DATA > $sigfile 2>/dev/null || fail "sign using $t failed"
+	    -Ohashalg=sha1 < $DATA > $sigfile 2>/dev/null && \
+		fail "sign using $t with bad hash algorithm succeeded"
 
-	(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
-	${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
-		-I $sig_principal -f $OBJ/allowed_signers \
-		< $DATA >/dev/null 2>&1 || \
-		fail "failed signature for $t key"
+	for h in default sha256 sha512 ; do
+		case "$h" in
+		default) hashalg_arg="" ;;
+		*) hashalg_arg="-Ohashalg=$h" ;;
+		esac
+		${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
+		    $hashalg_arg < $DATA > $sigfile 2>/dev/null || \
+			fail "sign using $t / $h failed"
+		(printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
+		${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+		    -I $sig_principal -f $OBJ/allowed_signers \
+		    < $DATA >/dev/null 2>&1 || \
+			fail "failed signature for $t / $h key"
+	done
 
 	(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
 	 cat $pubkey) > $OBJ/allowed_signers

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

More information about the openssh-commits mailing list