Expand the set of ciphers, MACs and KEX methods in the PuTTY interop tests.

diff --git a/regress/usr.bin/ssh/putty-ciphers.sh b/regress/usr.bin/ssh/putty-ciphers.sh
index 6b83273..30f6461 100644 (file)
--- a/regress/usr.bin/ssh/putty-ciphers.sh
+++ b/regress/usr.bin/ssh/putty-ciphers.sh
@@ -1,15 +1,47 @@
-#      $OpenBSD: putty-ciphers.sh,v 1.12 2024/02/09 08:47:42 dtucker Exp $
+#      $OpenBSD: putty-ciphers.sh,v 1.13 2024/02/09 08:56:59 dtucker Exp $
 #      Placed in the Public Domain.
 
 tid="putty ciphers"
 
 puttysetup
 
-for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
-       verbose "$tid: cipher $c"
+cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy_bak
+
+# Since there doesn't seem to be a way to set MACs on the PuTTY client side,
+# we force each in turn on the server side, omitting the ones PuTTY doesn't
+# support.  Grepping the binary is pretty janky, but AFAIK there's no way to
+# query for supported algos.
+macs=""
+for m in `${SSH} -Q MACs`; do
+       if strings "${PLINK}" | grep -E "^${m}$" >/dev/null; then
+               macs="${macs} ${m}"
+       else
+               trace "omitting unsupported MAC ${m}"
+       fi
+done
+
+ciphers=""
+for c in `${SSH} -Q Ciphers`; do
+       if strings "${PLINK}" | grep -E "^${c}$" >/dev/null; then
+               ciphers="${ciphers} ${c}"
+       else
+               trace "omitting unsupported cipher ${c}"
+       fi
+done
+
+for c in default $ciphers; do
+    for m in default ${macs}; do
+       verbose "$tid: cipher $c mac $m"
        cp ${OBJ}/.putty/sessions/localhost_proxy \
            ${OBJ}/.putty/sessions/cipher_$c
-       echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
+       if [ "${c}" != "default" ]; then
+               echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
+       fi
+
+       cp ${OBJ}/sshd_proxy_bak ${OBJ}/sshd_proxy
+       if [ "${m}" != "default" ]; then
+               echo "MACs $m" >> ${OBJ}/sshd_proxy
+       fi
 
        rm -f ${COPY}
        env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
@@ -18,6 +50,6 @@ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
                fail "ssh cat $DATA failed"
        fi
        cmp ${DATA} ${COPY}             || fail "corrupted copy"
+    done
 done
 rm -f ${COPY}
-

diff --git a/regress/usr.bin/ssh/putty-kex.sh b/regress/usr.bin/ssh/putty-kex.sh
index 9df15be..22f8bd7 100644 (file)
--- a/regress/usr.bin/ssh/putty-kex.sh
+++ b/regress/usr.bin/ssh/putty-kex.sh
@@ -1,19 +1,36 @@
-#      $OpenBSD: putty-kex.sh,v 1.10 2024/02/09 08:47:42 dtucker Exp $
+#      $OpenBSD: putty-kex.sh,v 1.11 2024/02/09 08:56:59 dtucker Exp $
 #      Placed in the Public Domain.
 
 tid="putty KEX"
 
 puttysetup
 
-for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
+cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy_bak
+
+# Enable group1, which PuTTY now disables by default
+echo "KEX=dh-group1-sha1" >>${OBJ}/.putty/sessions/localhost_proxy
+
+# Grepping algos out of the binary is pretty janky, but AFAIK there's no way
+# to query supported algos.
+kex=""
+for k in `$SSH -Q kex`; do
+       if strings "${PLINK}" | grep -E "^${k}$" >/dev/null; then
+               kex="${kex} ${k}"
+       else
+               trace "omitting unsupported KEX ${k}"
+       fi
+done
+
+for k in ${kex}; do
        verbose "$tid: kex $k"
-       cp ${OBJ}/.putty/sessions/localhost_proxy \
-           ${OBJ}/.putty/sessions/kex_$k
-       echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
+       cp ${OBJ}/sshd_proxy_bak ${OBJ}/sshd_proxy
+       echo "KexAlgorithms ${k}" >>${OBJ}/sshd_proxy
 
-       env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
+       env HOME=$PWD ${PLINK} -v -load localhost_proxy -batch -i ${OBJ}/putty.rsa2 true \
+           2>${OBJ}/log/putty-kex-$k.log
        if [ $? -ne 0 ]; then
                fail "KEX $k failed"
        fi
+       kexmsg=`grep -E '^Doing.* key exchange' ${OBJ}/log/putty-kex-$k.log`
+       trace putty: ${kexmsg}
 done
-