From b5faf0e69814e8c1113ed95f6f1174b999496793 Mon Sep 17 00:00:00 2001
From: djm <djm@openbsd.org>
Date: Fri, 14 Jun 2024 04:43:11 +0000
Subject: [PATCH] split the PerSourcePenalties test in two: one tests penalty
 enforcement but not penalty expiry, the other tests penalty expiry.

This lets us disable the expiry testing in certain CI test environments.
---
 regress/usr.bin/ssh/Makefile          |  5 ++--
 regress/usr.bin/ssh/penalty-expire.sh | 34 +++++++++++++++++++++++++++
 regress/usr.bin/ssh/penalty.sh        |  9 +++----
 3 files changed, 40 insertions(+), 8 deletions(-)
 create mode 100644 regress/usr.bin/ssh/penalty-expire.sh

diff --git a/regress/usr.bin/ssh/Makefile b/regress/usr.bin/ssh/Makefile
index 27737c38a76..820ac68e497 100644
--- a/regress/usr.bin/ssh/Makefile
+++ b/regress/usr.bin/ssh/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.134 2024/06/06 19:49:25 djm Exp $
+#	$OpenBSD: Makefile,v 1.135 2024/06/14 04:43:11 djm Exp $
 
 OPENSSL?=	yes
 
@@ -103,7 +103,8 @@ LTESTS= 	connect \
 		match-subsystem \
 		agent-pkcs11-restrict \
 		agent-pkcs11-cert \
-		penalty
+		penalty \
+		penalty-expire
 
 INTEROP_TESTS=	putty-transfer putty-ciphers putty-kex conch-ciphers
 INTEROP_TESTS+=	dropbear-ciphers dropbear-kex
diff --git a/regress/usr.bin/ssh/penalty-expire.sh b/regress/usr.bin/ssh/penalty-expire.sh
new file mode 100644
index 00000000000..30b7bd45db1
--- /dev/null
+++ b/regress/usr.bin/ssh/penalty-expire.sh
@@ -0,0 +1,34 @@
+#	$OpenBSD
+#	Placed in the Public Domain.
+
+tid="penalties"
+
+grep -vi PerSourcePenalties $OBJ/sshd_config > $OBJ/sshd_config.bak
+cp $OBJ/authorized_keys_${USER} $OBJ/authorized_keys_${USER}.bak
+
+conf() {
+	test -z "$PIDFILE" || stop_sshd
+	(cat $OBJ/sshd_config.bak ;
+	 echo "PerSourcePenalties $@") > $OBJ/sshd_config
+	cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+	start_sshd
+}
+
+conf "noauth:10s authfail:10s max:20s min:1s"
+
+verbose "test connect"
+${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
+
+verbose "penalty expiry"
+
+# Incur a penalty
+cat /dev/null > $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail connect succeeded"
+
+# Check denied
+cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail not rejected"
+
+# Let it expire and try again.
+sleep 11
+${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired"
diff --git a/regress/usr.bin/ssh/penalty.sh b/regress/usr.bin/ssh/penalty.sh
index 0285f003696..4308e0b82a2 100644
--- a/regress/usr.bin/ssh/penalty.sh
+++ b/regress/usr.bin/ssh/penalty.sh
@@ -14,7 +14,7 @@ conf() {
 	start_sshd
 }
 
-conf "noauth:10s authfail:6s grace-exceeded:10s min:8s max:20s"
+conf "authfail:30s min:50s max:200s"
 
 verbose "test connect"
 ${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
@@ -36,13 +36,10 @@ cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
 
 # These should be refused by the active penalty
 ${SSH} -F $OBJ/ssh_config somehost true && fail "authfail not rejected"
-sleep 5
 ${SSH} -F $OBJ/ssh_config somehost true && fail "repeat authfail not rejected"
 
-# Penalty should have expired, this should succeed.
-sleep 8
-${SSH} -F $OBJ/ssh_config somehost true || fail "authfail not expired"
-
+conf "noauth:100s"
+${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
 verbose "penalty for no authentication"
 ${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null || fatal "keyscan failed"
 
-- 
2.20.1