From 33ada5827e27260bfc1e486f1788d2885ea92e11 Mon Sep 17 00:00:00 2001
From: djm
Date: Thu, 11 Jan 2024 01:45:58 +0000
Subject: [PATCH] make DSA testing optional, defaulting to on ok markus
---
 regress/usr.bin/ssh/Makefile | 26 ++++++++++++-------
 regress/usr.bin/ssh/unittests/Makefile.inc | 7 ++++-
 .../ssh/unittests/hostkeys/test_iterate.c | 19 ++++++++++++--
 regress/usr.bin/ssh/unittests/kex/test_kex.c | 4 ++-
 .../usr.bin/ssh/unittests/sshkey/test_file.c | 4 ++-
 .../usr.bin/ssh/unittests/sshkey/test_fuzz.c | 8 +++++-
 .../ssh/unittests/sshkey/test_sshkey.c | 20 +++++++++-----
 regress/usr.bin/ssh/unittests/sshsig/tests.c | 4 ++-
 8 files changed, 70 insertions(+), 22 deletions(-)
diff --git a/regress/usr.bin/ssh/Makefile b/regress/usr.bin/ssh/Makefile
index b8da40afc9d..ba1de9f0cf7 100644
--- a/regress/usr.bin/ssh/Makefile
+++ b/regress/usr.bin/ssh/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.131 2023/12/18 14:50:08 djm Exp $
+# $OpenBSD: Makefile,v 1.132 2024/01/11 01:45:58 djm Exp $
 OPENSSL?= yes
@@ -168,24 +168,32 @@ t5:
 awk '{print $$2}' | diff - ${.CURDIR}/t5.ok
 t6:
- ssh-keygen -if ${.CURDIR}/dsa_ssh2.prv > t6.out1
- ssh-keygen -if ${.CURDIR}/dsa_ssh2.pub > t6.out2
- chmod 600 t6.out1
- ssh-keygen -yf t6.out1 | diff - t6.out2
+ set -xe ; if ssh -Q key | grep -q ^ssh-dss ; then \
+ ssh-keygen -if ${.CURDIR}/dsa_ssh2.prv > t6.out1 ; \
+ ssh-keygen -if ${.CURDIR}/dsa_ssh2.pub > t6.out2 ; \
+ chmod 600 t6.out1 ; \
+ ssh-keygen -yf t6.out1 | diff - t6.out2 ; \
+ fi
 t7.out:
- ssh-keygen -q -t rsa -N '' -f $@
+ set -xe ; if ssh -Q key | grep -q ^ssh-dss ; then \
+ ssh-keygen -q -t rsa -N '' -f $@ ; \
+ fi
 t7: t7.out
 ssh-keygen -lf t7.out > /dev/null
 ssh-keygen -Bf t7.out > /dev/null
 t8.out:
- ssh-keygen -q -t dsa -N '' -f $@
+ set -xe ; if ssh -Q key | grep -q ^ssh-dss ; then \
+ ssh-keygen -q -t dsa -N '' -f $@ ; \
+ fi
 t8: t8.out
- ssh-keygen -lf t8.out > /dev/null
- ssh-keygen -Bf t8.out > /dev/null
+ set -xe ; if ssh -Q key | grep -q ^ssh-dss ; then \
+ ssh-keygen -lf t8.out > /dev/null ; \
+ ssh-keygen -Bf t8.out > /dev/null ; \
+ fi
 t9.out:
 ssh-keygen -q -t ecdsa -N '' -f $@
diff --git a/regress/usr.bin/ssh/unittests/Makefile.inc b/regress/usr.bin/ssh/unittests/Makefile.inc
index 623896ffa15..98e280486ab 100644
--- a/regress/usr.bin/ssh/unittests/Makefile.inc
+++ b/regress/usr.bin/ssh/unittests/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.15 2023/09/24 08:14:13 claudio Exp $
+# $OpenBSD: Makefile.inc,v 1.16 2024/01/11 01:45:58 djm Exp $
 .include
 .include
@@ -13,6 +13,11 @@ TEST_ENV?= MALLOC_OPTIONS=${MALLOC_OPTIONS}
 # XXX detect from ssh binary?
 OPENSSL?= yes
+DSAKEY?= yes
+
+.if (${DSAKEY:L} == "yes")
+CFLAGS+= -DWITH_DSA
+.endif
 .if (${OPENSSL:L} == "yes")
 CFLAGS+= -DWITH_OPENSSL
diff --git a/regress/usr.bin/ssh/unittests/hostkeys/test_iterate.c b/regress/usr.bin/ssh/unittests/hostkeys/test_iterate.c
index 71f523bfe08..e19b86f6f82 100644
--- a/regress/usr.bin/ssh/unittests/hostkeys/test_iterate.c
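Review bot: The `t7.out` rule now creates its RSA key only when `ssh -Q key` lists `ssh-dss`, which looks like the DSA guard copied onto a target that has nothing to do with DSA. The `t7` rule is left unguarded in this hunk and still runs `ssh-keygen -lf t7.out`, so on a build without DSA the file is never generated and the RSA fingerprint test fails instead of running. The rule should stay unconditional, `ssh-keygen -q -t rsa -N '' -f $@`. Separately, when the guard is false the `t8.out` rule succeeds without creating its target, so make will re-run it on every invocation; that is harmless here but worth a one-line comment.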
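Review bot: `DSAKEY?= yes` is a static build knob, whereas the top-level regress Makefile in this same commit probes the binary at run time with `ssh -Q key | grep -q ^ssh-dss`, so the two can disagree. If the tree under test was built without DSA and DSAKEY is left at its default, the unit tests would presumably still compile the `WITH_DSA` cases and fail rather than skip. The existing `# XXX detect from ssh binary?` remark sits above `OPENSSL?=` only; I would add `# DSAKEY must be set to "no" when the ssh under test lacks DSA support` next to the new variable so the mismatch is documented.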
+++ b/regress/usr.bin/ssh/unittests/hostkeys/test_iterate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_iterate.c,v 1.8 2021/12/14 21:25:27 deraadt Exp $ */
+/* $OpenBSD: test_iterate.c,v 1.9 2024/01/11 01:45:58 djm Exp $ */
 /*
 * Regress test for hostfile.h hostkeys_foreach()
 *
@@ -52,7 +52,7 @@ check(struct hostkey_foreach_line *l, void *_ctx)
 int parse_key = (ctx->flags & HKF_WANT_PARSE_KEY) != 0;
 const int matching = (ctx->flags & HKF_WANT_MATCH) != 0;
 u_int expected_status, expected_match;
- int expected_keytype;
+ int expected_keytype, skip = 0;
 test_subtest_info("entry %zu/%zu, file line %ld", ctx->i + 1, ctx->nexpected, l->linenum);
@@ -85,6 +85,17 @@ check(struct hostkey_foreach_line *l, void *_ctx)
 expected_keytype = (parse_key || expected->no_parse_keytype < 0) ? expected->l.keytype : expected->no_parse_keytype;
+#ifndef WITH_DSA
+ if (expected->l.keytype == KEY_DSA ||
+ expected->no_parse_keytype == KEY_DSA)
+ skip = 1;
+#endif
+
+ if (skip) {
+ expected_status = HKF_STATUS_INVALID;
+ expected_keytype = KEY_UNSPEC;
+ parse_key = 0;
+ }
 UPDATE_MATCH_STATUS(match_host_p);
 UPDATE_MATCH_STATUS(match_host_s);
 UPDATE_MATCH_STATUS(match_ipv4);
@@ -128,6 +139,10 @@ prepare_expected(struct expected *expected, size_t n)
 for (i = 0; i < n; i++) {
 if (expected[i].key_file == NULL)
 continue;
+#ifndef WITH_DSA
+ if (expected[i].l.keytype == KEY_DSA)
+ continue;
+#endif
 ASSERT_INT_EQ(sshkey_load_public( test_data_file(expected[i].key_file), &expected[i].l.key, NULL), 0);
diff --git a/regress/usr.bin/ssh/unittests/kex/test_kex.c b/regress/usr.bin/ssh/unittests/kex/test_kex.c
index 1cb5b239715..3cb30a7b07f 100644
--- a/regress/usr.bin/ssh/unittests/kex/test_kex.c
+++ b/regress/usr.bin/ssh/unittests/kex/test_kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_kex.c,v 1.6 2021/12/14 21:25:27 deraadt Exp $ */
+/* $OpenBSD: test_kex.c,v 1.7 2024/01/11 01:45:58 djm Exp $ */
 /*
 * Regress test KEX
 *
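Review bot: The `if (skip)` block added to check() at @@ -85,6 overrides `expected_status`, `expected_keytype` and `parse_key` without saying why those three values are the right expectation for a DSA line in a build without DSA. A short comment would help, for example `/* no DSA support: DSA lines are expected to be reported as invalid with no key type */`; that wording is inferred from the assigned values and should be confirmed against hostkeys_foreach(). Note also that check() tests both `expected->l.keytype` and `expected->no_parse_keytype`, while the guard added to prepare_expected() at @@ -128,6 tests only `l.keytype`; if the asymmetry is intentional it deserves a word as well. Both functions extend beyond the hunks shown.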
@@ -170,7 +170,9 @@ static void
 do_kex(char *kex)
 {
 do_kex_with_key(kex, KEY_RSA, 2048);
+#ifdef WITH_DSA
 do_kex_with_key(kex, KEY_DSA, 1024);
+#endif
 do_kex_with_key(kex, KEY_ECDSA, 256);
 do_kex_with_key(kex, KEY_ED25519, 256);
 }
diff --git a/regress/usr.bin/ssh/unittests/sshkey/test_file.c b/regress/usr.bin/ssh/unittests/sshkey/test_file.c
index 6a0fdbad0a2..6c22548d5dc 100644
--- a/regress/usr.bin/ssh/unittests/sshkey/test_file.c
+++ b/regress/usr.bin/ssh/unittests/sshkey/test_file.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_file.c,v 1.10 2021/12/14 21:25:27 deraadt Exp $ */
+/* $OpenBSD: test_file.c,v 1.11 2024/01/11 01:45:58 djm Exp $ */
 /*
 * Regress test for sshkey.h key management API
 *
@@ -154,6 +154,7 @@ sshkey_file_tests(void)
 sshkey_free(k1);
+#ifdef WITH_DSA
 TEST_START("parse DSA from private");
 buf = load_file("dsa_1");
 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
@@ -244,6 +245,7 @@ sshkey_file_tests(void)
 TEST_DONE();
 sshkey_free(k1);
+#endif
 TEST_START("parse ECDSA from private");
 buf = load_file("ecdsa_1");
diff --git a/regress/usr.bin/ssh/unittests/sshkey/test_fuzz.c b/regress/usr.bin/ssh/unittests/sshkey/test_fuzz.c
index 2c3ffc720d2..c839700ac5a 100644
--- a/regress/usr.bin/ssh/unittests/sshkey/test_fuzz.c
+++ b/regress/usr.bin/ssh/unittests/sshkey/test_fuzz.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_fuzz.c,v 1.13 2021/12/14 21:25:27 deraadt Exp $ */
+/* $OpenBSD: test_fuzz.c,v 1.14 2024/01/11 01:45:58 djm Exp $ */
 /*
 * Fuzz tests for key parsing
 *
@@ -152,6 +152,7 @@ sshkey_fuzz_tests(void)
 fuzz_cleanup(fuzz);
 TEST_DONE();
+#ifdef WITH_DSA
 TEST_START("fuzz DSA private");
 buf = load_file("dsa_1");
 fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
@@ -195,6 +196,7 @@ sshkey_fuzz_tests(void)
 sshbuf_free(fuzzed);
 fuzz_cleanup(fuzz);
 TEST_DONE();
+#endif
 TEST_START("fuzz ECDSA private");
 buf = load_file("ecdsa_1");
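Review bot: The `#ifdef WITH_DSA` opened in test_file.c at @@ -154,6 is closed by a bare `#endif` in a separate hunk at @@ -244,6, about ninety lines later judging by the hunk offsets, and nothing at the closing line says which condition it ends. Writing it as `#endif /* WITH_DSA */` makes the guarded region obvious to whoever next edits the DSA tests and reduces the chance of a test landing on the wrong side of the guard. The same applies to the `#endif` lines this commit adds in test_fuzz.c, test_sshkey.c and sshsig/tests.c. sshkey_file_tests() continues outside both hunks.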
@@ -276,6 +278,7 @@ sshkey_fuzz_tests(void)
 sshkey_free(k1);
 TEST_DONE();
+#ifdef WITH_DSA
 TEST_START("fuzz DSA public");
 buf = load_file("dsa_1");
 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
@@ -289,6 +292,7 @@ sshkey_fuzz_tests(void)
 public_fuzz(k1);
 sshkey_free(k1);
 TEST_DONE();
+#endif
 TEST_START("fuzz ECDSA public");
 buf = load_file("ecdsa_1");
@@ -342,6 +346,7 @@ sshkey_fuzz_tests(void)
 sshkey_free(k1);
 TEST_DONE();
+#ifdef WITH_DSA
 TEST_START("fuzz DSA sig");
 buf = load_file("dsa_1");
 ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
@@ -349,6 +354,7 @@ sshkey_fuzz_tests(void)
 sig_fuzz(k1, NULL);
 sshkey_free(k1);
 TEST_DONE();
+#endif
 TEST_START("fuzz ECDSA sig");
 buf = load_file("ecdsa_1");
diff --git a/regress/usr.bin/ssh/unittests/sshkey/test_sshkey.c b/regress/usr.bin/ssh/unittests/sshkey/test_sshkey.c
index 84019a16588..fe331d259b6 100644
--- a/regress/usr.bin/ssh/unittests/sshkey/test_sshkey.c
+++ b/regress/usr.bin/ssh/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_sshkey.c,v 1.23 2023/01/04 22:48:57 tb Exp $ */
+/* $OpenBSD: test_sshkey.c,v 1.24 2024/01/11 01:45:58 djm Exp $ */
 /*
 * Regress test for sshkey.h key management API
 *
@@ -170,8 +170,9 @@ get_private(const char *n)
 void
 sshkey_tests(void)
 {
- struct sshkey *k1, *k2, *k3, *k4, *kr, *kd, *ke, *kf;
- struct sshbuf *b;
+ struct sshkey *k1 = NULL, *k2 = NULL, *k3 = NULL, *k4 = NULL;
+ struct sshkey *kr = NULL, *kd = NULL, *ke = NULL, *kf = NULL;
+ struct sshbuf *b = NULL;
 TEST_START("new invalid");
 k1 = sshkey_new(-42);
@@ -191,12 +192,14 @@ sshkey_tests(void)
 sshkey_free(k1);
 TEST_DONE();
+#ifdef WiTH_DSA
 TEST_START("new/free KEY_DSA");
 k1 = sshkey_new(KEY_DSA);
 ASSERT_PTR_NE(k1, NULL);
 ASSERT_PTR_NE(k1->dsa, NULL);
 sshkey_free(k1);
 TEST_DONE();
+#endif
 TEST_START("new/free KEY_ECDSA");
 k1 = sshkey_new(KEY_ECDSA);
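Review bot: The guard added around the "new/free KEY_DSA" test in test_sshkey.c at @@ -191,12 is spelled `#ifdef WiTH_DSA` with a lower-case `i`, while Makefile.inc defines `-DWITH_DSA`, so this test is compiled out even when DSA is enabled and the suite still reports success. It should read `#ifdef WITH_DSA`. A related loss of coverage is in the @@ -349,9 hunk, which deletes the `sshkey_equal(kd, k1)` DSA check outright instead of wrapping it in `#ifdef WITH_DSA`, so DSA-enabled builds no longer verify that two distinct DSA keys compare unequal. sshkey_tests() extends beyond these hunks.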
@@ -226,12 +229,14 @@ sshkey_tests(void)
 ASSERT_PTR_EQ(k1, NULL);
 TEST_DONE();
+#ifdef WITH_DSA
 TEST_START("generate KEY_DSA wrong bits");
 ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 2048, &k1), SSH_ERR_KEY_LENGTH);
 ASSERT_PTR_EQ(k1, NULL);
 sshkey_free(k1);
 TEST_DONE();
+#endif
 TEST_START("generate KEY_ECDSA wrong bits");
 ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 42, &k1),
@@ -252,6 +257,7 @@ sshkey_tests(void)
 ASSERT_INT_EQ(BN_num_bits(rsa_n(kr)), 1024);
 TEST_DONE();
+#ifdef WITH_DSA
 TEST_START("generate KEY_DSA");
 ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 1024, &kd), 0);
 ASSERT_PTR_NE(kd, NULL);
@@ -259,6 +265,7 @@ sshkey_tests(void)
 ASSERT_PTR_NE(dsa_g(kd), NULL);
 ASSERT_PTR_NE(dsa_priv_key(kd), NULL);
 TEST_DONE();
+#endif
 TEST_START("generate KEY_ECDSA");
 ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 256, &ke), 0);
@@ -292,6 +299,7 @@ sshkey_tests(void)
 sshkey_free(k1);
 TEST_DONE();
+#ifdef WITH_DSA
 TEST_START("demote KEY_DSA");
 ASSERT_INT_EQ(sshkey_from_private(kd, &k1), 0);
 ASSERT_PTR_NE(k1, NULL);
@@ -306,6 +314,7 @@ sshkey_tests(void)
 ASSERT_INT_EQ(sshkey_equal(kd, k1), 1);
 sshkey_free(k1);
 TEST_DONE();
+#endif
 TEST_START("demote KEY_ECDSA");
 ASSERT_INT_EQ(sshkey_from_private(ke, &k1), 0);
@@ -349,9 +358,6 @@ sshkey_tests(void)
 ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1024, &k1), 0);
 ASSERT_INT_EQ(sshkey_equal(kr, k1), 0);
 sshkey_free(k1);
- ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 1024, &k1), 0);
- ASSERT_INT_EQ(sshkey_equal(kd, k1), 0);
- sshkey_free(k1);
 ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 256, &k1), 0);
 ASSERT_INT_EQ(sshkey_equal(ke, k1), 0);
 sshkey_free(k1);
@@ -438,6 +444,7 @@ sshkey_tests(void)
 sshkey_free(k2);
 TEST_DONE();
+#ifdef WITH_DSA
 TEST_START("sign and verify DSA");
 k1 = get_private("dsa_1");
 ASSERT_INT_EQ(sshkey_load_public(test_data_file("dsa_2.pub"), &k2,
@@ -446,6 +453,7 @@ sshkey_tests(void)
 sshkey_free(k1);
 sshkey_free(k2);
 TEST_DONE();
+#endif
 TEST_START("sign and verify ECDSA");
 k1 = get_private("ecdsa_1");
diff --git a/regress/usr.bin/ssh/unittests/sshsig/tests.c b/regress/usr.bin/ssh/unittests/sshsig/tests.c
index f1d7addae91..4e17ccd20af 100644
--- a/regress/usr.bin/ssh/unittests/sshsig/tests.c
+++ b/regress/usr.bin/ssh/unittests/sshsig/tests.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tests.c,v 1.3 2021/12/14 21:25:27 deraadt Exp $ */
+/* $OpenBSD: tests.c,v 1.4 2024/01/11 01:45:59 djm Exp $ */
 /*
 * Regress test for sshbuf.h buffer API
 *
@@ -94,9 +94,11 @@ tests(void)
 check_sig("rsa.pub", "rsa.sig", msg, namespace);
 TEST_DONE();
+#ifdef WITH_DSA
 TEST_START("check DSA signature");
 check_sig("dsa.pub", "dsa.sig", msg, namespace);
 TEST_DONE();
+#endif
 TEST_START("check ECDSA signature");
 check_sig("ecdsa.pub", "ecdsa.sig", msg, namespace);
--
2.20.1