- dtucker@cvs.openbsd.org 2008/06/10 05:23:32

[addrmatch.sh Makefile] Regress test for Match CIDR rules. ok djm@
2008-06-10 23:16:46 +10:00 · 2008-06-10 23:16:46 +10:00 · 10f9242b86
parent d788b7cb35
commit 10f9242b86
3 changed files with 46 additions and 1 deletions
--- a/5
+++ b/5
@ -29,6 +29,9 @@
   - dtucker@cvs.openbsd.org 2008/06/09 18:06:32
     [regress/test-exec.sh]
     Don't generate putty keys if we're not going to use them.  ok djm
+   - dtucker@cvs.openbsd.org 2008/06/10 05:23:32
+     [regress/addrmatch.sh regress/Makefile]
+     Regress test for Match CIDR rules.  ok djm@

 20080609
 - (dtucker) OpenBSD CVS Sync
@ -4115,4 +4118,4 @@
   OpenServer 6 and add osr5bigcrypt support so when someone migrates
   passwords between UnixWare and OpenServer they will still work. OK dtucker@

-$Id: ChangeLog,v 1.4954 2008/06/10 13:15:54 dtucker Exp $
+$Id: ChangeLog,v 1.4955 2008/06/10 13:16:46 dtucker Exp $
--- a/regress/Makefile
+++ b/regress/Makefile
@ -47,6 +47,7 @@ LTESTS= 	connect \
 		reexec \
 		brokenkeys \
 		cfgmatch \
+		addrmatch \
 		localcommand \
 		forcecommand

--- a/regress/addrmatch.sh
+++ b/regress/addrmatch.sh
@ -0,0 +1,41 @@
+#	$OpenBSD: addrmatch.sh,v 1.0 2008/06/10 05:23:32 dtucker Exp $
+#	Placed in the Public Domain.
+
+tid="address match"
+
+mv $OBJ/sshd_proxy $OBJ/sshd_proxy_orig
+
+run_trial()
+{
+	user="$1"; addr="$2"; host="$3"; expected="$4"; descr="$5"
+
+	verbose "test $descr for $user $addr $host"
+	result=`${SSHD} -f $OBJ/sshd_proxy -T \
+	    -C user=${user},addr=${addr},host=${host} | \
+	    awk '/passwordauthentication/ {print $2}'`
+	if [ "$result" != "$expected" ]; then
+		fail "failed for $user $addr $host: expected $expected, got $result"
+	fi
+}
+
+cp $OBJ/sshd_proxy_orig $OBJ/sshd_proxy
+cat >>$OBJ/sshd_proxy <<EOD
+PasswordAuthentication no
+Match Address 192.168.0.0/16,!192.168.30.0/24,10.0.0.0/8,host.example.com
+	PasswordAuthentication yes
+Match Address 1.1.1.1,::1,!::3,2000::/16
+	PasswordAuthentication yes
+EOD
+
+run_trial user 192.168.0.1 somehost yes		"permit, first entry"
+run_trial user 192.168.30.1 somehost no		"deny, negative match"
+run_trial user 19.0.0.1 somehost no		"deny, no match"
+run_trial user 10.255.255.254 somehost yes	"permit, list middle"
+run_trial user 192.168.30.1 192.168.0.1 no	"deny, faked IP in hostname"
+run_trial user 1.1.1.1 somehost.example.com yes	"permit, bare IP4 address"
+run_trial user ::1 somehost.example.com	 yes	"permit, bare IP6 address"
+run_trial user ::2 somehost.exaple.com no	"deny IPv6"
+run_trial user ::3 somehost no			"deny IP6 negated"
+run_trial user ::4 somehost no			"deny, IP6 no match"
+run_trial user 2000::1 somehost yes		"permit, IP6 network"
+run_trial user 2001::1 somehost no		"deny, IP6 network"