- djm@cvs.openbsd.org 2014/04/21 22:15:37

[dhgex.sh integrity.sh kextype.sh rekey.sh try-ciphers.sh] repair regress tests broken by server-side default cipher/kex/mac changes by ensuring that the option under test is included in the server's algorithm list
2024-12-22 01:50:16 +00:00 · 2014-05-15 15:07:53 +10:00 · 2014-05-15 15:07:53 +10:00 · edb1af5044
commit edb1af5044
parent 54343e95c7
6 changed files with 42 additions and 10 deletions
--- a/5
+++ b/5
@ -97,6 +97,11 @@
     this test is a sorry mess of race conditions; add another sleep
     to avoid a failure on slow machines (at least until I find a
     better way)
+   - djm@cvs.openbsd.org 2014/04/21 22:15:37
+     [dhgex.sh integrity.sh kextype.sh rekey.sh try-ciphers.sh]
+     repair regress tests broken by server-side default cipher/kex/mac changes
+     by ensuring that the option under test is included in the server's
+     algorithm list

 20140430
 - (dtucker) [defines.h] Define __GNUC_PREREQ__ macro if we don't already
--- a/regress/dhgex.sh
+++ b/regress/dhgex.sh
@ -1,10 +1,11 @@
-#	$OpenBSD: dhgex.sh,v 1.1 2014/01/25 04:35:32 dtucker Exp $
+#	$OpenBSD: dhgex.sh,v 1.2 2014/04/21 22:15:37 djm Exp $
 #	Placed in the Public Domain.

 tid="dhgex"

 LOG=${TEST_SSH_LOGFILE}
 rm -f ${LOG}
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

 kexs=`${SSH} -Q kex | grep diffie-hellman-group-exchange`

@ -14,6 +15,9 @@ ssh_test_dhgex()
 	cipher="$1"; shift
 	kex="$1"; shift

+	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+	echo "KexAlgorithms=$kex" >> $OBJ/sshd_proxy
+	echo "Ciphers=$cipher" >> $OBJ/sshd_proxy
 	rm -f ${LOG}
 	opts="-oKexAlgorithms=$kex -oCiphers=$cipher"
 	groupsz="1024<$bits<8192"
--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@ -1,7 +1,8 @@
-#	$OpenBSD: integrity.sh,v 1.12 2013/11/21 03:18:51 djm Exp $
+#	$OpenBSD: integrity.sh,v 1.13 2014/04/21 22:15:37 djm Exp $
 #	Placed in the Public Domain.

 tid="integrity"
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

 # start at byte 2900 (i.e. after kex) and corrupt at different offsets
 # XXX the test hangs if we modify the low bytes of the packet length
@ -34,11 +35,15 @@ for m in $macs; do
 			# avoid modifying the high bytes of the length
 			continue
 		fi
+		cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 		# modify output from sshd at offset $off
 		pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1"
 		if ssh -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then
+			echo "Ciphers=$m" >> $OBJ/sshd_proxy
 			macopt="-c $m"
 		else
+			echo "Ciphers=aes128-ctr" >> $OBJ/sshd_proxy
+			echo "MACs=$m" >> $OBJ/sshd_proxy
 			macopt="-m $m -c aes128-ctr"
 		fi
 		verbose "test $tid: $m @$off"
--- a/regress/kextype.sh
+++ b/regress/kextype.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: kextype.sh,v 1.4 2013/11/07 04:26:56 dtucker Exp $
+#	$OpenBSD: kextype.sh,v 1.5 2014/04/21 22:15:37 djm Exp $
 #	Placed in the Public Domain.

 tid="login with different key exchange algorithms"
@ -7,6 +7,11 @@ TIME=/usr/bin/time
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak

+# Make server accept all key exchanges.
+ALLKEX=`ssh -Q kex`
+KEXOPT=`echo $ALLKEX | tr ' ' ,`
+echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy
+
 tries="1 2 3 4"
 for k in `${SSH} -Q kex`; do
 	verbose "kex $k"
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: rekey.sh,v 1.14 2013/11/21 03:18:51 djm Exp $
+#	$OpenBSD: rekey.sh,v 1.15 2014/04/21 22:15:37 djm Exp $
 #	Placed in the Public Domain.

 tid="rekey"
@ -6,14 +6,22 @@ tid="rekey"
 LOG=${TEST_SSH_LOGFILE}

 rm -f ${LOG}
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

 # Test rekeying based on data volume only.
 # Arguments will be passed to ssh.
 ssh_data_rekeying()
 {
+	_kexopt=$1 ; shift
+	_opts="$@"
+	if ! test -z "$_kexopts" ; then
+		cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+		echo "$_kexopt" >> $OBJ/sshd_proxy
+		_opts="$_opts -o$_kexopt"
+	fi
 	rm -f ${COPY} ${LOG}
-	${SSH} <${DATA} -oCompression=no $@ -v -F $OBJ/ssh_proxy somehost \
-		"cat > ${COPY}"
+	_opts="$_opts -oCompression=no"
+	${SSH} <${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
 	if [ $? -ne 0 ]; then
 		fail "ssh failed ($@)"
 	fi
@ -41,7 +49,7 @@ done

 for opt in $opts; do
 	verbose "client rekey $opt"
-	ssh_data_rekeying -oRekeyLimit=256k -o$opt
+	ssh_data_rekeying "$opt" -oRekeyLimit=256k
 done

 # AEAD ciphers are magical so test with all KexAlgorithms
@ -49,14 +57,14 @@ if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
  for c in `${SSH} -Q cipher-auth`; do
    for kex in `${SSH} -Q kex`; do
 	verbose "client rekey $c $kex"
-	ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex
+	ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
    done
  done
 fi

 for s in 16 1k 128k 256k; do
 	verbose "client rekeylimit ${s}"
-	ssh_data_rekeying -oCompression=no -oRekeyLimit=$s
+	ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$s
 done

 for s in 5 10; do
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@ -1,13 +1,18 @@
-#	$OpenBSD: try-ciphers.sh,v 1.22 2013/11/21 03:18:51 djm Exp $
+#	$OpenBSD: try-ciphers.sh,v 1.23 2014/04/21 22:15:37 djm Exp $
 #	Placed in the Public Domain.

 tid="try ciphers"

+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
 for c in `${SSH} -Q cipher`; do
 	n=0
 	for m in `${SSH} -Q mac`; do
 		trace "proto 2 cipher $c mac $m"
 		verbose "test $tid: proto 2 cipher $c mac $m"
+		cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+		echo "Ciphers=$c" >> $OBJ/sshd_proxy
+		echo "MACs=$m" >> $OBJ/sshd_proxy
 		${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true
 		if [ $? -ne 0 ]; then
 			fail "ssh -2 failed with mac $m cipher $c"