authordjm@openbsd.org <djm@openbsd.org>2022-01-05 04:56:15 +0000
committerDamien Miller <djm@mindrot.org>2022-01-05 16:06:09 +1100
commit2ea1108c30e3edb6f872dfc1e6da10b041ddf2c0 (patch)
tree302c28ee383ff782851ddcf2d36ec3079129e86c /regress/sshsig.sh
parent2327c306b5d4a2b7e71178e5a4d139af9902c2b0 (diff)
upstream: regress test both sshsig message hash algorithms, possible
now because the algorithm is controllable via the CLI

OpenBSD-Regress-ID: 0196fa87acc3544b2b4fd98de844a571cb09a39f
Diffstat (limited to 'regress/sshsig.sh')
-rw-r--r--regress/sshsig.sh26
1 files changed, 18 insertions, 8 deletions
diff --git a/regress/sshsig.sh b/regress/sshsig.sh
index 40aa0c38..f8d85c2f 100644
--- a/regress/sshsig.sh
+++ b/regress/sshsig.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: sshsig.sh,v 1.12 2022/01/05 04:10:39 djm Exp $
+# $OpenBSD: sshsig.sh,v 1.13 2022/01/05 04:56:15 djm Exp $
# Placed in the Public Domain.
tid="sshsig"
@@ -52,13 +52,23 @@ for t in $SIGNKEYS; do
sigfile_cert=${OBJ}/sshsig-${keybase}-cert.sig
${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
- < $DATA > $sigfile 2>/dev/null || fail "sign using $t failed"
-
- (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
- ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
- -I $sig_principal -f $OBJ/allowed_signers \
- < $DATA >/dev/null 2>&1 || \
- fail "failed signature for $t key"
+ -Ohashalg=sha1 < $DATA > $sigfile 2>/dev/null && \
+ fail "sign using $t with bad hash algorithm succeeded"
+
+ for h in default sha256 sha512 ; do
+ case "$h" in
+ default) hashalg_arg="" ;;
+ *) hashalg_arg="-Ohashalg=$h" ;;
+ esac
+ ${SSHKEYGEN} -vvv -Y sign -f ${OBJ}/$t -n $sig_namespace \
+ $hashalg_arg < $DATA > $sigfile 2>/dev/null || \
+ fail "sign using $t / $h failed"
+ (printf "$sig_principal " ; cat $pubkey) > $OBJ/allowed_signers
+ ${SSHKEYGEN} -vvv -Y verify -s $sigfile -n $sig_namespace \
+ -I $sig_principal -f $OBJ/allowed_signers \
+ < $DATA >/dev/null 2>&1 || \
+ fail "failed signature for $t / $h key"
+ done
(printf "$sig_principal namespaces=\"$sig_namespace,whatever\" ";
cat $pubkey) > $OBJ/allowed_signers
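Review bot: The new `for h in default sha256 sha512` loop only shows that a sign/verify round trip succeeds for each setting; nothing checks that the signature was produced with the requested hash, so the test would still pass if `-Ohashalg=$h` were silently ignored and the default used every time. Consider checking the hash algorithm name carried in `$sigfile` for the non-default cases, or at least stating the limit in a comment above the loop, such as `# NB: a passing verify does not prove -Ohashalg was honoured; the hash name in the signature is not inspected.` Similarly, the `-Ohashalg=sha1` check above the loop accepts any non-zero exit with stderr discarded, so it cannot tell a rejected algorithm from an unrelated signing failure; the positive iterations that follow are the only control. The enclosing `for t in $SIGNKEYS` loop starts and ends outside the hunk.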