xref: /openbsd/regress/usr.bin/ssh/test-exec.sh (revision f6b91270) 
1#	$OpenBSD: test-exec.sh,v 1.122 2024/12/06 07:05:54 dtucker Exp $
2#	Placed in the Public Domain.
3
4#SUDO=sudo
5
6if [ ! -z "$TEST_SSH_ELAPSED_TIMES" ]; then
7	STARTTIME=`date '+%s'`
8fi
9
10if [ ! -z "$TEST_SSH_PORT" ]; then
11	PORT="$TEST_SSH_PORT"
12else
13	PORT=4242
14fi
15
16OBJ=$1
17if [ "x$OBJ" = "x" ]; then
18	echo '$OBJ not defined'
19	exit 2
20fi
21if [ ! -d $OBJ ]; then
22	echo "not a directory: $OBJ"
23	exit 2
24fi
25SCRIPT=$2
26if [ "x$SCRIPT" = "x" ]; then
27	echo '$SCRIPT not defined'
28	exit 2
29fi
30if [ ! -f $SCRIPT ]; then
31	echo "not a file: $SCRIPT"
32	exit 2
33fi
34if sh -n $SCRIPT; then
35	true
36else
37	echo "syntax error in $SCRIPT"
38	exit 2
39fi
40unset SSH_AUTH_SOCK
41
42USER=`id -un`
43
44SRC=`dirname ${SCRIPT}`
45
46# defaults
47SSH=ssh
48SSHD=sshd
49SSHAGENT=ssh-agent
50SSHADD=ssh-add
51SSHKEYGEN=ssh-keygen
52SSHKEYSCAN=ssh-keyscan
53SFTP=sftp
54SFTPSERVER=/usr/libexec/sftp-server
55SSHD_SESSION=/usr/libexec/sshd-session
56SSHD_AUTH=/usr/libexec/sshd-auth
57SCP=scp
58
59# Interop testing
60PLINK=/usr/local/bin/plink
61PUTTYGEN=/usr/local/bin/puttygen
62CONCH=/usr/local/bin/conch
63DROPBEAR=/usr/local/bin/dropbear
64DBCLIENT=/usr/local/bin/dbclient
65DROPBEARKEY=/usr/local/bin/dropbearkey
66DROPBEARCONVERT=/usr/local/bin/dropbearconvert
67
68# So we can override this in Portable.
69TEST_SHELL="${TEST_SHELL:-/bin/sh}"
70
71# Tools used by multiple tests
72NC=nc
73OPENSSL_BIN="${OPENSSL_BIN:-openssl}"
74
75if [ "x$TEST_SSH_SSH" != "x" ]; then
76	SSH="${TEST_SSH_SSH}"
77fi
78if [ "x$TEST_SSH_SSHD_SESSION" != "x" ]; then
79	SSHD_SESSION="${TEST_SSH_SSHD_SESSION}"
80fi
81if [ "x$TEST_SSH_SSHD_AUTH" != "x" ]; then
82	SSHD_AUTH="${TEST_SSH_SSHD_AUTH}"
83fi
84if [ "x$TEST_SSH_SSHD" != "x" ]; then
85	SSHD="${TEST_SSH_SSHD}"
86fi
87if [ "x$TEST_SSH_SSHAGENT" != "x" ]; then
88	SSHAGENT="${TEST_SSH_SSHAGENT}"
89fi
90if [ "x$TEST_SSH_SSHADD" != "x" ]; then
91	SSHADD="${TEST_SSH_SSHADD}"
92fi
93if [ "x$TEST_SSH_SSHKEYGEN" != "x" ]; then
94	SSHKEYGEN="${TEST_SSH_SSHKEYGEN}"
95fi
96if [ "x$TEST_SSH_SSHKEYSCAN" != "x" ]; then
97	SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}"
98fi
99if [ "x$TEST_SSH_SFTP" != "x" ]; then
100	SFTP="${TEST_SSH_SFTP}"
101fi
102if [ "x$TEST_SSH_SFTPSERVER" != "x" ]; then
103	SFTPSERVER="${TEST_SSH_SFTPSERVER}"
104fi
105if [ "x$TEST_SSH_SCP" != "x" ]; then
106	SCP="${TEST_SSH_SCP}"
107fi
108if [ "x$TEST_SSH_PLINK" != "x" ]; then
109	PLINK="${TEST_SSH_PLINK}"
110fi
111if [ "x$TEST_SSH_PUTTYGEN" != "x" ]; then
112	PUTTYGEN="${TEST_SSH_PUTTYGEN}"
113fi
114if [ "x$TEST_SSH_CONCH" != "x" ]; then
115	CONCH="${TEST_SSH_CONCH}"
116fi
117if [ "x$TEST_SSH_DROPBEAR" != "x" ]; then
118	DROPBEAR="${TEST_SSH_DROPBEAR}"
119fi
120if [ "x$TEST_SSH_DBCLIENT" != "x" ]; then
121	DBCLIENT="${TEST_SSH_DBCLIENT}"
122fi
123if [ "x$TEST_SSH_DROPBEARKEY" != "x" ]; then
124	DROPBEARKEY="${TEST_SSH_DROPBEARKEY}"
125fi
126if [ "x$TEST_SSH_DROPBEARCONVERT" != "x" ]; then
127	DROPBEARCONVERT="${TEST_SSH_DROPBEARCONVERT}"
128fi
129if [ "x$TEST_SSH_PKCS11_HELPER" != "x" ]; then
130	SSH_PKCS11_HELPER="${TEST_SSH_PKCS11_HELPER}"
131fi
132if [ "x$TEST_SSH_SK_HELPER" != "x" ]; then
133	SSH_SK_HELPER="${TEST_SSH_SK_HELPER}"
134fi
135if [ "x$TEST_SSH_OPENSSL" != "x" ]; then
136	OPENSSL_BIN="${TEST_SSH_OPENSSL}"
137fi
138
139# Path to sshd must be absolute for rexec
140case "$SSHD" in
141/*) ;;
142*) SSHD=`which $SSHD` ;;
143esac
144
145case "$SSH" in
146/*) ;;
147*) SSH=`which $SSH` ;;
148esac
149
150case "$SSHAGENT" in
151/*) ;;
152*) SSHAGENT=`which $SSHAGENT` ;;
153esac
154
155# Logfiles.
156# SSH_LOGFILE should be the debug output of ssh(1) only
157# SSHD_LOGFILE should be the debug output of sshd(8) only
158# REGRESS_LOGFILE is the log of progress of the regress test itself.
159# TEST_SSH_LOGDIR will contain datestamped logs of all binaries run in
160# chronological order.
161if [ "x$TEST_SSH_LOGDIR" = "x" ]; then
162	TEST_SSH_LOGDIR=$OBJ/log
163	mkdir -p $TEST_SSH_LOGDIR
164fi
165if [ "x$TEST_SSH_LOGFILE" = "x" ]; then
166	TEST_SSH_LOGFILE=$OBJ/ssh.log
167fi
168if [ "x$TEST_SSHD_LOGFILE" = "x" ]; then
169	TEST_SSHD_LOGFILE=$OBJ/sshd.log
170fi
171if [ "x$TEST_REGRESS_LOGFILE" = "x" ]; then
172	TEST_REGRESS_LOGFILE=$OBJ/regress.log
173fi
174
175# If set, keep track of successful tests and skip them them if we've
176# previously completed that test.
177if [ "x$TEST_REGRESS_CACHE_DIR" != "x" ]; then
178	if [ ! -d "$TEST_REGRESS_CACHE_DIR" ]; then
179		mkdir -p "$TEST_REGRESS_CACHE_DIR"
180	fi
181	TEST="`basename $SCRIPT .sh`"
182	CACHE="${TEST_REGRESS_CACHE_DIR}/${TEST}.cache"
183	for i in ${SSH} ${SSHD} ${SSHAGENT} ${SSHADD} ${SSHKEYGEN} ${SCP} \
184	    ${SFTP} ${SFTPSERVER} ${SSHKEYSCAN}; do
185		case $i in
186		/*)	bin="$i" ;;
187		*)	bin="`which $i`" ;;
188		esac
189		if [ "$bin" -nt "$CACHE" ]; then
190			rm -f "$CACHE"
191		fi
192	done
193	if [ -f "$CACHE" ]; then
194		echo ok cached $CACHE
195		exit 0
196	fi
197fi
198
199# truncate logfiles
200>$TEST_REGRESS_LOGFILE
201
202# Create ssh and sshd wrappers with logging.  These create a datestamped
203# unique file for every invocation so that we can retain all logs from a
204# given test no matter how many times it's invoked.  It also leaves a
205# symlink with the original name for tests (and people) who look for that.
206
207# For ssh, e can't just specify "SSH=ssh -E..." because sftp and scp don't
208# handle spaces in arguments.  scp and sftp like to use -q so we remove those
209# to preserve our debug logging.  In the rare instance where -q is desirable
210# -qq is equivalent and is not removed.
211SSHLOGWRAP=$OBJ/ssh-log-wrapper.sh
212rm -f ${SSHLOGWRAP}
213cat >$SSHLOGWRAP <<EOD
214#!/bin/sh
215timestamp="\`$OBJ/timestamp\`"
216logfile="${TEST_SSH_LOGDIR}/\${timestamp}.ssh.\$\$.log"
217echo "Executing: ${SSH} \$@" log \${logfile} >>$TEST_REGRESS_LOGFILE
218echo "Executing: ${SSH} \$@" >>\${logfile}
219for i in "\$@";do shift;case "\$i" in -q):;; *) set -- "\$@" "\$i";;esac;done
220rm -f $TEST_SSH_LOGFILE
221ln -f -s \${logfile} $TEST_SSH_LOGFILE
222exec ${SSH} -E\${logfile} "\$@"
223EOD
224
225chmod a+rx $OBJ/ssh-log-wrapper.sh
226REAL_SSH="$SSH"
227REAL_SSHD="$SSHD"
228SSH="$SSHLOGWRAP"
229
230SSHDLOGWRAP=$OBJ/sshd-log-wrapper.sh
231rm -f ${SSHDLOGWRAP}
232cat >$SSHDLOGWRAP <<EOD
233#!/bin/sh
234timestamp="\`$OBJ/timestamp\`"
235logfile="${TEST_SSH_LOGDIR}/\${timestamp}.sshd.\$\$.log"
236rm -f $TEST_SSHD_LOGFILE
237touch \$logfile
238test -z "$SUDO" || chown $USER \$logfile
239ln -f -s \${logfile} $TEST_SSHD_LOGFILE
240echo "Executing: ${SSHD} \$@" log \${logfile} >>$TEST_REGRESS_LOGFILE
241echo "Executing: ${SSHD} \$@" >>\${logfile}
242exec ${SSHD} -E\${logfile} "\$@"
243EOD
244chmod a+rx $OBJ/sshd-log-wrapper.sh
245
246ssh_logfile ()
247{
248	tool="$1"
249	timestamp="`$OBJ/timestamp`"
250	logfile="${TEST_SSH_LOGDIR}/${timestamp}.$tool.$$.log"
251	echo "Logging $tool to log \${logfile}" >>$TEST_REGRESS_LOGFILE
252	echo $logfile
253}
254
255# Some test data.  We make a copy because some tests will overwrite it.
256# The tests may assume that $DATA exists and is writable and $COPY does
257# not exist.  Tests requiring larger data files can call increase_datafile_size
258# [kbytes] to ensure the file is at least that large.
259DATANAME=data
260DATA=$OBJ/${DATANAME}
261cat ${SSH} >${DATA}
262COPY=$OBJ/copy
263rm -f ${COPY}
264
265increase_datafile_size()
266{
267	while [ `du -k ${DATA} | cut -f1` -lt $1 ]; do
268		cat ${SSH} >>${DATA}
269	done
270}
271
272# these should be used in tests
273export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
274export SSH_PKCS11_HELPER SSH_SK_HELPER
275#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP
276
277stop_sshd ()
278{
279	[ -z $PIDFILE ] && return
280	[ -f $PIDFILE ] || return
281	pid=`$SUDO cat $PIDFILE`
282	if [ "X$pid" = "X" ]; then
283		echo "no sshd running" 1>&2
284		return
285	elif [ $pid -lt 2 ]; then
286		echo "bad pid for sshd: $pid" 1>&2
287		return
288	fi
289	$SUDO kill $pid
290	trace "wait for sshd to exit"
291	i=0;
292	while [ -f $PIDFILE -a $i -lt 5 ]; do
293		i=`expr $i + 1`
294		sleep $i
295	done
296	if test -f $PIDFILE; then
297		if $SUDO kill -0 $pid; then
298			echo "sshd didn't exit port $PORT pid $pid" 1>&2
299		else
300			echo "sshd died without cleanup" 1>&2
301		fi
302		exit 1
303	fi
304	PIDFILE=""
305}
306
307# helper
308cleanup ()
309{
310	if [ "x$SSH_PID" != "x" ]; then
311		if [ $SSH_PID -lt 2 ]; then
312			echo bad pid for ssh: $SSH_PID
313		else
314			kill $SSH_PID
315		fi
316	fi
317	stop_sshd
318	if [ ! -z "$TEST_SSH_ELAPSED_TIMES" ]; then
319		now=`date '+%s'`
320		elapsed=$(($now - $STARTTIME))
321		echo elapsed $elapsed `basename $SCRIPT .sh`
322	fi
323}
324
325start_debug_log ()
326{
327	echo "trace: $@" >>$TEST_REGRESS_LOGFILE
328	if [ -d "$TEST_SSH_LOGDIR" ]; then
329		rm -f $TEST_SSH_LOGDIR/*
330	fi
331}
332
333save_debug_log ()
334{
335	testname=`echo $tid | tr ' ' _`
336	tarname="$OBJ/failed-$testname-logs.tar"
337
338	for logfile in $TEST_SSH_LOGDIR $TEST_REGRESS_LOGFILE \
339	    $TEST_SSH_LOGFILE $TEST_SSHD_LOGFILE; do
340		if [ ! -z "$SUDO" ] && [ -f "$logfile" ]; then
341			$SUDO chown -R $USER $logfile
342		fi
343	done
344	echo $@ >>$TEST_REGRESS_LOGFILE
345	echo $@ >>$TEST_SSH_LOGFILE
346	echo $@ >>$TEST_SSHD_LOGFILE
347	echo "Saving debug logs to $tarname" >>$TEST_REGRESS_LOGFILE
348	(cat $TEST_REGRESS_LOGFILE; echo) >>$OBJ/failed-regress.log
349	(cat $TEST_SSH_LOGFILE; echo) >>$OBJ/failed-ssh.log
350	(cat $TEST_SSHD_LOGFILE; echo) >>$OBJ/failed-sshd.log
351
352	# Save all logfiles in a tarball.
353	(cd $OBJ &&
354	  logfiles=""
355	  for i in $TEST_REGRESS_LOGFILE $TEST_SSH_LOGFILE $TEST_SSHD_LOGFILE \
356	    $TEST_SSH_LOGDIR; do
357		if [ -e "`basename $i`" ]; then
358			logfiles="$logfiles `basename $i`"
359		else
360			logfiles="$logfiles $i"
361		fi
362	  done
363	  tar cf "$tarname" $logfiles)
364}
365
366trace ()
367{
368	start_debug_log $@
369	if [ "X$TEST_SSH_TRACE" = "Xyes" ]; then
370		echo "$@"
371	fi
372}
373
374verbose ()
375{
376	start_debug_log $@
377	if [ "X$TEST_SSH_QUIET" != "Xyes" ]; then
378		echo "$@"
379	fi
380}
381
382fail ()
383{
384	save_debug_log "FAIL: $@"
385	RESULT=1
386	echo "$@"
387	if test "x$TEST_SSH_FAIL_FATAL" != "x" ; then
388		cleanup
389		exit $RESULT
390	fi
391}
392
393fatal ()
394{
395	save_debug_log "FATAL: $@"
396	printf "FATAL: "
397	fail "$@"
398	cleanup
399	exit $RESULT
400}
401
402# Skip remaining tests in script.
403skip ()
404{
405	echo "SKIPPED: $@"
406	cleanup
407	exit $RESULT
408}
409
410maybe_add_scp_path_to_sshd ()
411{
412	# If we're testing a non-installed scp, add its directory to sshd's
413	# PATH so we can test it.  We don't do this for all tests as it
414	# breaks the SetEnv tests.
415	case "$SCP" in
416	/*)	PATH_WITH_SCP="`dirname $SCP`:$PATH"
417		echo "	SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_config
418		echo "	SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_proxy ;;
419	esac
420}
421
422RESULT=0
423PIDFILE=$OBJ/pidfile
424
425trap fatal 3 2
426
427# create server config
428cat << EOF > $OBJ/sshd_config
429	Port			$PORT
430	AddressFamily		inet
431	ListenAddress		127.0.0.1
432	#ListenAddress		::1
433	PidFile			$PIDFILE
434	AuthorizedKeysFile	$OBJ/authorized_keys_%u
435	LogLevel		DEBUG3
436	AcceptEnv		_XXX_TEST_*
437	AcceptEnv		_XXX_TEST
438	Subsystem	sftp	$SFTPSERVER
439	SshdSessionPath		$SSHD_SESSION
440	SshdAuthPath		$SSHD_AUTH
441	PerSourcePenalties	no
442EOF
443
444# This may be necessary if /usr/src and/or /usr/obj are group-writable,
445# but if you aren't careful with permissions then the unit tests could
446# be abused to locally escalate privileges.
447if [ ! -z "$TEST_SSH_UNSAFE_PERMISSIONS" ]; then
448	echo "	StrictModes no" >> $OBJ/sshd_config
449else
450	# check and warn if excessive permissions are likely to cause failures.
451	unsafe=""
452	dir="${OBJ}"
453	while test ${dir} != "/"; do
454		if test -d "${dir}" && ! test -h "${dir}"; then
455			perms=`ls -ld ${dir}`
456			case "${perms}" in
457			?????w????*|????????w?*) unsafe="${unsafe} ${dir}" ;;
458			esac
459		fi
460		dir=`dirname ${dir}`
461	done
462	if ! test  -z "${unsafe}"; then
463		cat <<EOD
464
465WARNING: Unsafe (group or world writable) directory permissions found:
466${unsafe}
467
468These could be abused to locally escalate privileges.  If you are
469sure that this is not a risk (eg there are no other users), you can
470bypass this check by setting TEST_SSH_UNSAFE_PERMISSIONS=1
471
472EOD
473	fi
474fi
475
476if [ ! -z "$TEST_SSH_MODULI_FILE" ]; then
477	trace "adding modulifile='$TEST_SSH_MODULI_FILE' to sshd_config"
478	echo "	ModuliFile '$TEST_SSH_MODULI_FILE'" >> $OBJ/sshd_config
479fi
480
481if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then
482	trace "adding sshd_config option $TEST_SSH_SSHD_CONFOPTS"
483	echo "$TEST_SSH_SSHD_CONFOPTS" >> $OBJ/sshd_config
484fi
485
486# server config for proxy connects
487cp $OBJ/sshd_config $OBJ/sshd_proxy
488
489# allow group-writable directories in proxy-mode
490echo 'StrictModes no' >> $OBJ/sshd_proxy
491
492# create client config
493cat << EOF > $OBJ/ssh_config
494Host *
495	Hostname		127.0.0.1
496	HostKeyAlias		localhost-with-alias
497	Port			$PORT
498	User			$USER
499	GlobalKnownHostsFile	$OBJ/known_hosts
500	UserKnownHostsFile	$OBJ/known_hosts
501	PubkeyAuthentication	yes
502	ChallengeResponseAuthentication	no
503	PasswordAuthentication	no
504	BatchMode		yes
505	StrictHostKeyChecking	yes
506	LogLevel		DEBUG3
507EOF
508
509if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then
510	trace "adding ssh_config option $TEST_SSH_SSH_CONFOPTS"
511	echo "$TEST_SSH_SSH_CONFOPTS" >> $OBJ/ssh_config
512fi
513
514rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER
515
516SSH_SK_PROVIDER=
517if [ -f "${SRC}/misc/sk-dummy/obj/sk-dummy.so" ] ; then
518	SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/obj/sk-dummy.so"
519elif [ -f "${SRC}/misc/sk-dummy/sk-dummy.so" ] ; then
520	SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/sk-dummy.so"
521fi
522export SSH_SK_PROVIDER
523
524if ! test -z "$SSH_SK_PROVIDER"; then
525	EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)...
526	echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config
527	echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_config
528	echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_proxy
529fi
530export EXTRA_AGENT_ARGS
531
532maybe_filter_sk() {
533	if test -z "$SSH_SK_PROVIDER" ; then
534		grep -v ^sk
535	else
536		cat
537	fi
538}
539
540SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk`
541SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk`
542
543for t in ${SSH_KEYTYPES}; do
544	# generate user key
545	if [ ! -f $OBJ/$t ] || [ ${SSHKEYGEN} -nt $OBJ/$t ]; then
546		trace "generating key type $t"
547		rm -f $OBJ/$t
548		${SSHKEYGEN} -q -N '' -t $t  -f $OBJ/$t ||\
549			fail "ssh-keygen for $t failed"
550	else
551		trace "using cached key type $t"
552	fi
553
554	# setup authorized keys
555	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
556	echo IdentityFile $OBJ/$t >> $OBJ/ssh_config
557done
558
559for t in ${SSH_HOSTKEY_TYPES}; do
560	# known hosts file for client
561	(
562		printf 'localhost-with-alias,127.0.0.1,::1 '
563		cat $OBJ/$t.pub
564	) >> $OBJ/known_hosts
565
566	# use key as host key, too
567	(umask 077; $SUDO cp $OBJ/$t $OBJ/host.$t)
568	echo HostKey $OBJ/host.$t >> $OBJ/sshd_config
569
570	# don't use SUDO for proxy connect
571	echo HostKey $OBJ/$t >> $OBJ/sshd_proxy
572done
573chmod 644 $OBJ/authorized_keys_$USER
574
575# Activate Twisted Conch tests if the binary is present
576REGRESS_INTEROP_CONCH=no
577if test -x "$CONCH" ; then
578	REGRESS_INTEROP_CONCH=yes
579fi
580
581# If PuTTY is present, new enough and we are running a PuTTY test, prepare
582# keys and configuration.
583REGRESS_INTEROP_PUTTY=no
584if test -x "$PUTTYGEN" -a -x "$PLINK" &&
585    "$PUTTYGEN" --help 2>&1 | grep -- --new-passphrase >/dev/null; then
586	REGRESS_INTEROP_PUTTY=yes
587fi
588case "$SCRIPT" in
589*putty*)	;;
590*)		REGRESS_INTEROP_PUTTY=no ;;
591esac
592
593puttysetup() {
594	if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
595		skip "putty interop tests not enabled"
596	fi
597
598	mkdir -p ${OBJ}/.putty
599
600	# Add a PuTTY key to authorized_keys
601	rm -f ${OBJ}/putty.rsa2
602	if ! "$PUTTYGEN" -t rsa -o ${OBJ}/putty.rsa2 \
603	    --random-device=/dev/urandom \
604	    --new-passphrase /dev/null < /dev/null > /dev/null; then
605		echo "Your installed version of PuTTY is too old to support --new-passphrase, skipping test" >&2
606		exit 1
607	fi
608	"$PUTTYGEN" -O public-openssh ${OBJ}/putty.rsa2 \
609	    >> $OBJ/authorized_keys_$USER
610
611	# Convert rsa2 host key to PuTTY format
612	cp $OBJ/ssh-rsa $OBJ/ssh-rsa_oldfmt
613	${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/ssh-rsa_oldfmt >/dev/null
614	${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/ssh-rsa_oldfmt > \
615	    ${OBJ}/.putty/sshhostkeys
616	${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/ssh-rsa_oldfmt >> \
617	    ${OBJ}/.putty/sshhostkeys
618	rm -f $OBJ/ssh-rsa_oldfmt
619
620	# Setup proxied session
621	mkdir -p ${OBJ}/.putty/sessions
622	rm -f ${OBJ}/.putty/sessions/localhost_proxy
623	echo "Protocol=ssh" >> ${OBJ}/.putty/sessions/localhost_proxy
624	echo "HostName=127.0.0.1" >> ${OBJ}/.putty/sessions/localhost_proxy
625	echo "PortNumber=$PORT" >> ${OBJ}/.putty/sessions/localhost_proxy
626	echo "ProxyMethod=5" >> ${OBJ}/.putty/sessions/localhost_proxy
627	echo "ProxyTelnetCommand=${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy
628	echo "ProxyLocalhost=1" >> ${OBJ}/.putty/sessions/localhost_proxy
629
630	PUTTYVER="`${PLINK} --version | awk '/plink: Release/{print $3}'`"
631	PUTTYMAJORVER="`echo ${PUTTYVER} | cut -f1 -d.`"
632	PUTTYMINORVER="`echo ${PUTTYVER} | cut -f2 -d.`"
633	verbose "plink version ${PUTTYVER} major ${PUTTYMAJORVER} minor ${PUTTYMINORVER}"
634
635	# Re-enable ssh-rsa on older PuTTY versions since they don't do newer
636	# key types.
637	if [ "$PUTTYMAJORVER" -eq "0" ] && [ "$PUTTYMINORVER" -lt "76" ]; then
638		echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
639		echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
640	fi
641
642	if [ "$PUTTYMAJORVER" -eq "0" ] && [ "$PUTTYMINORVER" -le "64" ]; then
643		echo "KexAlgorithms +diffie-hellman-group14-sha1" \
644		    >>${OBJ}/sshd_proxy
645	fi
646	PUTTYDIR=${OBJ}/.putty
647	export PUTTYDIR
648}
649
650REGRESS_INTEROP_DROPBEAR=no
651if test -x "$DROPBEARKEY" -a -x "$DBCLIENT" -a -x "$DROPBEARCONVERT"; then
652	REGRESS_INTEROP_DROPBEAR=yes
653fi
654case "$SCRIPT" in
655*dropbear*)	;;
656*)		REGRESS_INTEROP_DROPBEAR=no ;;
657esac
658
659if test "$REGRESS_INTEROP_DROPBEAR" = "yes" ; then
660	trace Create dropbear keys and add to authorized_keys
661	mkdir -p $OBJ/.dropbear
662	kt="ed25519"
663	for i in dss rsa ecdsa; do
664		if $SSH -Q key-plain | grep "$i" >/dev/null; then
665			kt="$kt $i"
666		else
667			rm -f "$OBJ/.dropbear/id_$i"
668		fi
669	done
670	for i in $kt; do
671		if [ ! -f "$OBJ/.dropbear/id_$i" ]; then
672			verbose Create dropbear key type $i
673			$DROPBEARKEY -t $i -f $OBJ/.dropbear/id_$i \
674			    >/dev/null 2>&1
675		fi
676		$DROPBEARCONVERT dropbear openssh $OBJ/.dropbear/id_$i \
677		    $OBJ/.dropbear/ossh.id_$i >/dev/null 2>&1
678		$SSHKEYGEN -y -f $OBJ/.dropbear/ossh.id_$i \
679		   >>$OBJ/authorized_keys_$USER
680		rm -f $OBJ/.dropbear/id_$i.pub $OBJ/.dropbear/ossh.id_$i
681	done
682fi
683
684# create a proxy version of the client config
685(
686	cat $OBJ/ssh_config
687	echo proxycommand ${SUDO} env SSH_SK_HELPER=\"$SSH_SK_HELPER\" ${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy
688) > $OBJ/ssh_proxy
689
690# check proxy config
691${SSHD} -t -f $OBJ/sshd_proxy	|| fatal "sshd_proxy broken"
692
693# extract proxycommand into separate shell script for use by Dropbear.
694echo '#!/bin/sh' >$OBJ/ssh_proxy.sh
695awk '/^proxycommand/' $OBJ/ssh_proxy | sed 's/^proxycommand//' \
696   >>$OBJ/ssh_proxy.sh
697chmod a+x $OBJ/ssh_proxy.sh
698
699start_sshd ()
700{
701	PIDFILE=$OBJ/pidfile
702	# start sshd
703	logfile="${TEST_SSH_LOGDIR}/sshd.`$OBJ/timestamp`.$$.log"
704	$SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken"
705	$SUDO env SSH_SK_HELPER="$SSH_SK_HELPER" \
706	    ${SSHD} -f $OBJ/sshd_config "$@" -E$logfile
707	echo "trace: Started sshd as daemon, logfile $logfile" >>$TEST_REGRESS_LOGFILE
708
709	trace "wait for sshd"
710	i=0;
711	while [ ! -f $PIDFILE -a $i -lt 10 ]; do
712		i=`expr $i + 1`
713		sleep $i
714	done
715	rm -f ${TEST_SSHD_LOGFILE}
716	ln -f -s ${logfile} $TEST_SSHD_LOGFILE
717
718	test -f $PIDFILE || fatal "no sshd running on port $PORT"
719}
720
721# Find a PKCS#11 library.
722p11_find_lib() {
723	TEST_SSH_PKCS11=""
724	for _lib in "$@" ; do
725		if test -f "$_lib" ; then
726			TEST_SSH_PKCS11="$_lib"
727			return
728		fi
729	done
730}
731
732# Perform PKCS#11 setup: prepares a softhsm2 token configuration, generated
733# keys and loads them into the virtual token.
734PKCS11_OK=
735export PKCS11_OK
736p11_setup() {
737	p11_find_lib \
738		/usr/local/lib/softhsm/libsofthsm2.so
739	test -z "$TEST_SSH_PKCS11" && return 1
740	verbose "using token library $TEST_SSH_PKCS11"
741	TEST_SSH_PIN=1234
742	TEST_SSH_SOPIN=12345678
743	if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
744		SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
745		export SSH_PKCS11_HELPER
746	fi
747
748	# setup environment for softhsm2 token
749	SSH_SOFTHSM_DIR=$OBJ/SOFTHSM
750	export SSH_SOFTHSM_DIR
751	rm -rf $SSH_SOFTHSM_DIR
752	TOKEN=$SSH_SOFTHSM_DIR/tokendir
753	mkdir -p $TOKEN
754	SOFTHSM2_CONF=$SSH_SOFTHSM_DIR/softhsm2.conf
755	export SOFTHSM2_CONF
756	cat > $SOFTHSM2_CONF << EOF
757# SoftHSM v2 configuration file
758directories.tokendir = ${TOKEN}
759objectstore.backend = file
760# ERROR, WARNING, INFO, DEBUG
761log.level = DEBUG
762# If CKF_REMOVABLE_DEVICE flag should be set
763slots.removable = false
764EOF
765	out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
766	slot=$(echo -- $out | sed 's/.* //')
767	trace "generating keys"
768	# RSA key
769	RSA=${SSH_SOFTHSM_DIR}/RSA
770	RSAP8=${SSH_SOFTHSM_DIR}/RSAP8
771	$OPENSSL_BIN genpkey -algorithm rsa > $RSA 2>/dev/null || \
772	    fatal "genpkey RSA fail"
773	$OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 || fatal "pkcs8 RSA fail"
774	softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" \
775	    --import $RSAP8 >/dev/null || fatal "softhsm import RSA fail"
776	chmod 600 $RSA
777	ssh-keygen -y -f $RSA > ${RSA}.pub
778	# ECDSA key
779	ECPARAM=${SSH_SOFTHSM_DIR}/ECPARAM
780	EC=${SSH_SOFTHSM_DIR}/EC
781	ECP8=${SSH_SOFTHSM_DIR}/ECP8
782	$OPENSSL_BIN genpkey -genparam -algorithm ec \
783	    -pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM || \
784	    fatal "param EC fail"
785	$OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC || \
786	    fatal "genpkey EC fail"
787	$OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 || fatal "pkcs8 EC fail"
788	softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" \
789	    --import $ECP8 >/dev/null || fatal "softhsm import EC fail"
790	chmod 600 $EC
791	ssh-keygen -y -f $EC > ${EC}.pub
792	# Prepare askpass script to load PIN.
793	PIN_SH=$SSH_SOFTHSM_DIR/pin.sh
794	cat > $PIN_SH << EOF
795#!/bin/sh
796echo "${TEST_SSH_PIN}"
797EOF
798	chmod 0700 "$PIN_SH"
799	PKCS11_OK=yes
800	return 0
801}
802
803# Peforms ssh-add with the right token PIN.
804p11_ssh_add() {
805	env SSH_ASKPASS="$PIN_SH" SSH_ASKPASS_REQUIRE=force ${SSHADD} "$@"
806}
807
808# source test body
809. $SCRIPT
810
811# kill sshd
812cleanup
813if [ $RESULT -eq 0 ]; then
814	verbose ok $tid
815	if [ "x$CACHE" != "x" ]; then
816		touch "$CACHE"
817	fi
818else
819	echo failed $tid
820fi
821exit $RESULT
822