upstream commit

eliminate explicit specification of protocol in tests and
loops over protocol. We only support SSHv2 now.

Upstream-Regress-ID: 0082838a9b8a382b7ee9cbf0c1b9db727784fadd

1 files changed, 64 insertions, 67 deletions

diff --git a/regress/cert-file.sh b/regress/cert-file.sh
index 43b8e020..8fd62c77 100644
--- a/regress/cert-file.sh
+++ b/regress/cert-file.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cert-file.sh,v 1.5 2017/03/11 23:44:16 djm Exp $
+#	$OpenBSD: cert-file.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
 #	Placed in the Public Domain.
 
 tid="ssh with certificates"
@@ -54,66 +54,64 @@ cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config
 # XXX: verify that certificate used was what we expect. Needs exposure of
 # keys via enviornment variable or similar.
 
-for p in ${SSH_PROTOCOLS}; do
 	# Key with no .pub should work - finding the equivalent *-cert.pub.
-	verbose "protocol $p: identity cert with no plain public file"
-	${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
-	    -i $OBJ/user_key3 somehost exit 5$p
-	[ $? -ne 5$p ] && fail "ssh failed"
-
-	# CertificateFile matching private key with no .pub file should work.
-	verbose "protocol $p: CertificateFile with no plain public file"
-	${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
-	    -oCertificateFile=$OBJ/user_key3-cert.pub \
-	    -i $OBJ/user_key3 somehost exit 5$p
-	[ $? -ne 5$p ] && fail "ssh failed"
-
-	# Just keys should fail
-	verbose "protocol $p: plain keys"
-	${SSH} $opts2 somehost exit 5$p
-	r=$?
-	if [ $r -eq 5$p ]; then
-		fail "ssh succeeded with no certs in protocol $p"
-	fi
-
-	# Keys with untrusted cert should fail.
-	verbose "protocol $p: untrusted cert"
-	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
-	${SSH} $opts3 somehost exit 5$p
-	r=$?
-	if [ $r -eq 5$p ]; then
-		fail "ssh succeeded with bad cert in protocol $p"
-	fi
-
-	# Good cert with bad key should fail.
-	verbose "protocol $p: good cert, bad key"
-	opts3="$opts -i $OBJ/user_key2"
-	opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
-	${SSH} $opts3 somehost exit 5$p
-	r=$?
-	if [ $r -eq 5$p ]; then
-		fail "ssh succeeded with no matching key in protocol $p"
-	fi
-
-	# Keys with one trusted cert, should succeed.
-	verbose "protocol $p: single trusted"
-	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
-	${SSH} $opts3 somehost exit 5$p
-	r=$?
-	if [ $r -ne 5$p ]; then
-		fail "ssh failed with trusted cert and key in protocol $p"
-	fi
-
-	# Multiple certs and keys, with one trusted cert, should succeed.
-	verbose "protocol $p: multiple trusted"
-	opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
-	opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
-	${SSH} $opts3 somehost exit 5$p
-	r=$?
-	if [ $r -ne 5$p ]; then
-		fail "ssh failed with multiple certs in protocol $p"
-	fi
-done
+verbose "identity cert with no plain public file"
+${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
+    -i $OBJ/user_key3 somehost exit 52
+[ $? -ne 52 ] && fail "ssh failed"
+
+# CertificateFile matching private key with no .pub file should work.
+verbose "CertificateFile with no plain public file"
+${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
+    -oCertificateFile=$OBJ/user_key3-cert.pub \
+    -i $OBJ/user_key3 somehost exit 52
+[ $? -ne 52 ] && fail "ssh failed"
+
+# Just keys should fail
+verbose "plain keys"
+${SSH} $opts2 somehost exit 52
+r=$?
+if [ $r -eq 52 ]; then
+	fail "ssh succeeded with no certs"
+fi
+
+# Keys with untrusted cert should fail.
+verbose "untrusted cert"
+opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
+${SSH} $opts3 somehost exit 52
+r=$?
+if [ $r -eq 52 ]; then
+	fail "ssh succeeded with bad cert"
+fi
+
+# Good cert with bad key should fail.
+verbose "good cert, bad key"
+opts3="$opts -i $OBJ/user_key2"
+opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+${SSH} $opts3 somehost exit 52
+r=$?
+if [ $r -eq 52 ]; then
+	fail "ssh succeeded with no matching key"
+fi
+
+# Keys with one trusted cert, should succeed.
+verbose "single trusted"
+opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+${SSH} $opts3 somehost exit 52
+r=$?
+if [ $r -ne 52 ]; then
+	fail "ssh failed with trusted cert and key"
+fi
+
+# Multiple certs and keys, with one trusted cert, should succeed.
+verbose "multiple trusted"
+opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
+opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+${SSH} $opts3 somehost exit 52
+r=$?
+if [ $r -ne 52 ]; then
+	fail "ssh failed with multiple certs"
+fi
 
 #next, using an agent in combination with the keys
 SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
@@ -139,26 +137,25 @@ if [ $? -ne 0 ]; then
 fi
 
 # try ssh with the agent and certificates
-# note: ssh agent only uses certificates in protocol 2
 opts="-F $OBJ/ssh_proxy"
 # with no certificates, shoud fail
-${SSH} -2 $opts somehost exit 52
+${SSH} $opts somehost exit 52
 if [ $? -eq 52 ]; then
-	fail "ssh connect with agent in protocol 2 succeeded with no cert"
+	fail "ssh connect with agent in succeeded with no cert"
 fi
 
 #with an untrusted certificate, should fail
 opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub"
-${SSH} -2 $opts somehost exit 52
+${SSH} $opts somehost exit 52
 if [ $? -eq 52 ]; then
-	fail "ssh connect with agent in protocol 2 succeeded with bad cert"
+	fail "ssh connect with agent in succeeded with bad cert"
 fi
 
 #with an additional trusted certificate, should succeed
 opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub"
-${SSH} -2 $opts somehost exit 52
+${SSH} $opts somehost exit 52
 if [ $? -ne 52 ]; then
-	fail "ssh connect with agent in protocol 2 failed with good cert"
+	fail "ssh connect with agent in failed with good cert"
 fi
 
 trace "kill agent"