mirror of
git://anongit.mindrot.org/openssh.git
synced 2025-01-03 16:22:05 +00:00
a6f4ac8a2b
Previously we would log to ssh.log and sshd.log, but that is insufficient for tests that have more than one concurent ssh/sshd. Instead, we'll log to separate datestamped files in a $OBJ/log/ and leave a symlink at the previous location pointing at the most recent instance with an entry in regress.log showing which files were created at each point. This should be sufficient to reconstruct what happened even for tests that use multiple instances of each program. If the test fails, tar up all of the logs for later analysis. This will let us also capture the output from some of the other tools which was previously sent to /dev/null although most of those will be in future commits. OpenBSD-Regress-ID: f802aa9e7fa51d1a01225c05fb0412d015c33e24
77 lines
2.3 KiB
Bash
77 lines
2.3 KiB
Bash
# $OpenBSD: integrity.sh,v 1.25 2023/03/01 09:29:32 dtucker Exp $
|
|
# Placed in the Public Domain.
|
|
|
|
tid="integrity"
|
|
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
|
|
|
# start at byte 2900 (i.e. after kex) and corrupt at different offsets
|
|
tries=10
|
|
startoffset=2900
|
|
macs=`${SSH} -Q mac`
|
|
# The following are not MACs, but ciphers with integrated integrity. They are
|
|
# handled specially below.
|
|
macs="$macs `${SSH} -Q cipher-auth`"
|
|
|
|
# avoid DH group exchange as the extra traffic makes it harder to get the
|
|
# offset into the stream right.
|
|
#echo "KexAlgorithms -diffie-hellman-group*" \
|
|
# >> $OBJ/ssh_proxy
|
|
|
|
# sshd-command for proxy (see test-exec.sh)
|
|
cmd="$SUDO env SSH_SK_HELPER="$SSH_SK_HELPER" sh ${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy"
|
|
|
|
for m in $macs; do
|
|
trace "test $tid: mac $m"
|
|
elen=0
|
|
epad=0
|
|
emac=0
|
|
etmo=0
|
|
ecnt=0
|
|
skip=0
|
|
for off in `jot $tries $startoffset`; do
|
|
skip=`expr $skip - 1`
|
|
if [ $skip -gt 0 ]; then
|
|
# avoid modifying the high bytes of the length
|
|
continue
|
|
fi
|
|
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
|
|
# modify output from sshd at offset $off
|
|
pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1"
|
|
if ${SSH} -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then
|
|
echo "Ciphers=$m" >> $OBJ/sshd_proxy
|
|
macopt="-c $m"
|
|
else
|
|
echo "Ciphers=aes128-ctr" >> $OBJ/sshd_proxy
|
|
echo "MACs=$m" >> $OBJ/sshd_proxy
|
|
macopt="-m $m -c aes128-ctr"
|
|
fi
|
|
verbose "test $tid: $m @$off"
|
|
${SSH} $macopt -F $OBJ/ssh_proxy -o "$pxy" \
|
|
-oServerAliveInterval=1 -oServerAliveCountMax=30 \
|
|
999.999.999.999 'printf "%4096s" " "' >/dev/null
|
|
if [ $? -eq 0 ]; then
|
|
fail "ssh -m $m succeeds with bit-flip at $off"
|
|
fi
|
|
ecnt=`expr $ecnt + 1`
|
|
out=$(egrep -v "^debug" $TEST_SSH_LOGFILE | tail -2 | \
|
|
tr -s '\r\n' '.')
|
|
case "$out" in
|
|
Bad?packet*) elen=`expr $elen + 1`; skip=3;;
|
|
Corrupted?MAC* | *message?authentication?code?incorrect*)
|
|
emac=`expr $emac + 1`; skip=0;;
|
|
padding*) epad=`expr $epad + 1`; skip=0;;
|
|
*Timeout,?server*)
|
|
etmo=`expr $etmo + 1`; skip=0;;
|
|
*) fail "unexpected error mac $m at $off: $out";;
|
|
esac
|
|
done
|
|
verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen timeout $etmo"
|
|
if [ $emac -eq 0 ]; then
|
|
fail "$m: no mac errors"
|
|
fi
|
|
expect=`expr $ecnt - $epad - $elen - $etmo`
|
|
if [ $emac -ne $expect ]; then
|
|
fail "$m: expected $expect mac errors, got $emac"
|
|
fi
|
|
done
|