xref: /freebsd/crypto/openssh/regress/test-exec.sh (revision 2574974648c68c738aec3ff96644d888d7913a37)

#	$OpenBSD: test-exec.sh,v 1.139 2025/12/22 01:31:07 djm Exp $
#	Placed in the Public Domain.

#SUDO=sudo

if [ ! -z "$TEST_SSH_ELAPSED_TIMES" ]; then
	STARTTIME=`date '+%s'`
fi

if [ ! -z "$TEST_SSH_PORT" ]; then
	PORT="$TEST_SSH_PORT"
else
	PORT=4242
fi

OBJ=$1
if [ "x$OBJ" = "x" ]; then
	echo '$OBJ not defined'
	exit 2
fi
if [ ! -d $OBJ ]; then
	echo "not a directory: $OBJ"
	exit 2
fi
SCRIPT=$2
if [ "x$SCRIPT" = "x" ]; then
	echo '$SCRIPT not defined'
	exit 2
fi
if [ ! -f $SCRIPT ]; then
	echo "not a file: $SCRIPT"
	exit 2
fi
if $TEST_SHELL -n $SCRIPT; then
	true
else
	echo "syntax error in $SCRIPT"
	exit 2
fi
unset SSH_AUTH_SOCK

# Portable-specific settings.

if [ -x /usr/ucb/whoami ]; then
	USER=`/usr/ucb/whoami`
elif whoami >/dev/null 2>&1; then
	USER=`whoami`
elif logname >/dev/null 2>&1; then
	USER=`logname`
else
	USER=`id -un`
fi
if test -z "$LOGNAME"; then
	LOGNAME="${USER}"
	export LOGNAME
fi

# Unbreak GNU head(1)
_POSIX2_VERSION=199209
export _POSIX2_VERSION

case `uname -s 2>/dev/null` in
OSF1*)
	BIN_SH=xpg4
	export BIN_SH
	;;
CYGWIN*)
	os=cygwin
	;;
esac

# If configure tells us to use a different egrep, create a wrapper function
# to call it.  This means we don't need to change all the tests that depend
# on a good implementation.
if test "x${EGREP}" != "x"; then
	egrep ()
{
	 ${EGREP} "$@"
}
fi

SRC=`dirname ${SCRIPT}`

# defaults
SSH=ssh
SSHD=sshd
SSHAGENT=ssh-agent
SSHADD=ssh-add
SSHKEYGEN=ssh-keygen
SSHKEYSCAN=ssh-keyscan
SFTP=sftp
SFTPSERVER=/usr/libexec/openssh/sftp-server
SSHD_SESSION=/usr/libexec/sshd-session
SSHD_AUTH=/usr/libexec/sshd-auth
SCP=scp

# Set by make_tmpdir() on demand (below).
SSH_REGRESS_TMP=

# Interop testing
PLINK=/usr/local/bin/plink
PUTTYGEN=/usr/local/bin/puttygen
CONCH=/usr/local/bin/conch
DROPBEAR=/usr/local/sbin/dropbear
DBCLIENT=/usr/local/bin/dbclient
DROPBEARKEY=/usr/local/bin/dropbearkey
DROPBEARCONVERT=/usr/local/bin/dropbearconvert

# So we can override this in Portable.
TEST_SHELL="${TEST_SHELL:-/bin/sh}"

# Tools used by multiple tests
NC=$OBJ/netcat
# Always use the one configure tells us to, even if that's empty.
#OPENSSL_BIN="${OPENSSL_BIN:-openssl}"

if [ "x$TEST_SSH_SSH" != "x" ]; then
	SSH="${TEST_SSH_SSH}"
fi
if [ "x$TEST_SSH_SSHD_SESSION" != "x" ]; then
	SSHD_SESSION="${TEST_SSH_SSHD_SESSION}"
fi
if [ "x$TEST_SSH_SSHD_AUTH" != "x" ]; then
	SSHD_AUTH="${TEST_SSH_SSHD_AUTH}"
fi
if [ "x$TEST_SSH_SSHD" != "x" ]; then
	SSHD="${TEST_SSH_SSHD}"
fi
if [ "x$TEST_SSH_SSHAGENT" != "x" ]; then
	SSHAGENT="${TEST_SSH_SSHAGENT}"
fi
if [ "x$TEST_SSH_SSHADD" != "x" ]; then
	SSHADD="${TEST_SSH_SSHADD}"
fi
if [ "x$TEST_SSH_SSHKEYGEN" != "x" ]; then
	SSHKEYGEN="${TEST_SSH_SSHKEYGEN}"
fi
if [ "x$TEST_SSH_SSHKEYSCAN" != "x" ]; then
	SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}"
fi
if [ "x$TEST_SSH_SFTP" != "x" ]; then
	SFTP="${TEST_SSH_SFTP}"
fi
if [ "x$TEST_SSH_SFTPSERVER" != "x" ]; then
	SFTPSERVER="${TEST_SSH_SFTPSERVER}"
fi
if [ "x$TEST_SSH_SCP" != "x" ]; then
	SCP="${TEST_SSH_SCP}"
fi
if [ "x$TEST_SSH_PLINK" != "x" ]; then
	PLINK="${TEST_SSH_PLINK}"
fi
if [ "x$TEST_SSH_PUTTYGEN" != "x" ]; then
	PUTTYGEN="${TEST_SSH_PUTTYGEN}"
fi
if [ "x$TEST_SSH_CONCH" != "x" ]; then
	CONCH="${TEST_SSH_CONCH}"
fi
if [ "x$TEST_SSH_DROPBEAR" != "x" ]; then
	DROPBEAR="${TEST_SSH_DROPBEAR}"
fi
if [ "x$TEST_SSH_DBCLIENT" != "x" ]; then
	DBCLIENT="${TEST_SSH_DBCLIENT}"
fi
if [ "x$TEST_SSH_DROPBEARKEY" != "x" ]; then
	DROPBEARKEY="${TEST_SSH_DROPBEARKEY}"
fi
if [ "x$TEST_SSH_DROPBEARCONVERT" != "x" ]; then
	DROPBEARCONVERT="${TEST_SSH_DROPBEARCONVERT}"
fi
if [ "x$TEST_SSH_TMUX" != "x" ]; then
	TMUX="${TEST_SSH_TMUX}"
fi
if [ "x$TEST_SSH_PKCS11_HELPER" != "x" ]; then
	SSH_PKCS11_HELPER="${TEST_SSH_PKCS11_HELPER}"
fi
if [ "x$TEST_SSH_SK_HELPER" != "x" ]; then
	SSH_SK_HELPER="${TEST_SSH_SK_HELPER}"
fi
if [ "x$TEST_SSH_OPENSSL" != "x" ]; then
	OPENSSL_BIN="${TEST_SSH_OPENSSL}"
fi

# Path to sshd must be absolute for rexec
case "$SSHD" in
/*) ;;
*) SSHD=`which $SSHD` ;;
esac

case "$SSH" in
/*) ;;
*) SSH=`which $SSH` ;;
esac

case "$SSHAGENT" in
/*) ;;
*) SSHAGENT=`which $SSHAGENT` ;;
esac

# Record the actual binaries used.
SSH_BIN=${SSH}
SSHD_BIN=${SSHD}
SSHAGENT_BIN=${SSHAGENT}
SSHADD_BIN=${SSHADD}
SSHKEYGEN_BIN=${SSHKEYGEN}
SSHKEYSCAN_BIN=${SSHKEYSCAN}
SFTP_BIN=${SFTP}
SFTPSERVER_BIN=${SFTPSERVER}
SCP_BIN=${SCP}

if [ "x$USE_VALGRIND" != "x" ]; then
	rm -rf $OBJ/valgrind-out $OBJ/valgrind-vgdb
	mkdir -p $OBJ/valgrind-out $OBJ/valgrind-vgdb
	# When using sudo ensure low-priv tests can write pipes and logs.
	if [ "x$SUDO" != "x" ]; then
		chmod 777 $OBJ/valgrind-out $OBJ/valgrind-vgdb
	fi
	VG_TEST=`basename $SCRIPT .sh`

	# Some tests are difficult to fix.
	case "$VG_TEST" in
	reexec)
		VG_SKIP=1 ;;
	sftp-chroot)
		if [ "x${SUDO}" != "x" ]; then
			VG_SKIP=1
		fi ;;
	esac

	if [ x"$VG_SKIP" = "x" ]; then
		VG_LEAK="--leak-check=no"
		if [ x"$VALGRIND_CHECK_LEAKS" != "x" ]; then
			VG_LEAK="--leak-check=full"
		fi
		VG_IGNORE="/bin/*,/sbin/*,/usr/*,/var/*"
		VG_LOG="$OBJ/valgrind-out/${VG_TEST}."
		VG_OPTS="--track-origins=yes $VG_LEAK"
		VG_OPTS="$VG_OPTS --trace-children=yes"
		VG_OPTS="$VG_OPTS --trace-children-skip=${VG_IGNORE}"
		VG_OPTS="$VG_OPTS --vgdb-prefix=$OBJ/valgrind-vgdb/"
		VG_PATH="valgrind"
		if [ "x$VALGRIND_PATH" != "x" ]; then
			VG_PATH="$VALGRIND_PATH"
		fi
		VG="$VG_PATH $VG_OPTS"
		SSH="$VG --log-file=${VG_LOG}ssh.%p $SSH"
		SSHD="$VG --log-file=${VG_LOG}sshd.%p $SSHD"
		SSHAGENT="$VG --log-file=${VG_LOG}ssh-agent.%p $SSHAGENT"
		SSHADD="$VG --log-file=${VG_LOG}ssh-add.%p $SSHADD"
		SSHKEYGEN="$VG --log-file=${VG_LOG}ssh-keygen.%p $SSHKEYGEN"
		SSHKEYSCAN="$VG --log-file=${VG_LOG}ssh-keyscan.%p $SSHKEYSCAN"
		SFTP="$VG --log-file=${VG_LOG}sftp.%p ${SFTP}"
		SCP="$VG --log-file=${VG_LOG}scp.%p $SCP"
		cat > $OBJ/valgrind-sftp-server.sh << EOF
#!/bin/sh
exec $VG --log-file=${VG_LOG}sftp-server.%p $SFTPSERVER "\$@"
EOF
		chmod a+rx $OBJ/valgrind-sftp-server.sh
		SFTPSERVER="$OBJ/valgrind-sftp-server.sh"
	fi
fi

# Logfiles.
# SSH_LOGFILE should be the debug output of ssh(1) only
# SSHD_LOGFILE should be the debug output of sshd(8) only
# REGRESS_LOGFILE is the log of progress of the regress test itself.
# TEST_SSH_LOGDIR will contain datestamped logs of all binaries run in
# chronological order.
if [ "x$TEST_SSH_LOGDIR" = "x" ]; then
	TEST_SSH_LOGDIR=$OBJ/log
	mkdir -p $TEST_SSH_LOGDIR
fi
if [ "x$TEST_SSH_LOGFILE" = "x" ]; then
	TEST_SSH_LOGFILE=$OBJ/ssh.log
fi
if [ "x$TEST_SSHD_LOGFILE" = "x" ]; then
	TEST_SSHD_LOGFILE=$OBJ/sshd.log
fi
if [ "x$TEST_REGRESS_LOGFILE" = "x" ]; then
	TEST_REGRESS_LOGFILE=$OBJ/regress.log
fi

# If set, keep track of successful tests and skip them them if we've
# previously completed that test.
if [ "x$TEST_REGRESS_CACHE_DIR" != "x" ]; then
	if [ ! -d "$TEST_REGRESS_CACHE_DIR" ]; then
		mkdir -p "$TEST_REGRESS_CACHE_DIR"
	fi
	TEST="`basename $SCRIPT .sh`"
	CACHE="${TEST_REGRESS_CACHE_DIR}/${TEST}.cache"
	for i in ${SSH} ${SSHD} ${SSHAGENT} ${SSHADD} ${SSHKEYGEN} ${SCP} \
	    ${SFTP} ${SFTPSERVER} ${SSHKEYSCAN}; do
		case $i in
		/*)	bin="$i" ;;
		*)	bin="`which $i`" ;;
		esac
		if [ "$bin" -nt "$CACHE" ]; then
			rm -f "$CACHE"
		fi
	done
	if [ -f "$CACHE" ]; then
		echo ok cached $CACHE
		exit 0
	fi
fi

# truncate logfiles
>$TEST_REGRESS_LOGFILE

# Create ssh and sshd wrappers with logging.  These create a datestamped
# unique file for every invocation so that we can retain all logs from a
# given test no matter how many times it's invoked.  It also leaves a
# symlink with the original name for tests (and people) who look for that.

# For ssh, e can't just specify "SSH=ssh -E..." because sftp and scp don't
# handle spaces in arguments.  scp and sftp like to use -q so we remove those
# to preserve our debug logging.  In the rare instance where -q is desirable
# -qq is equivalent and is not removed.
SSHLOGWRAP=$OBJ/ssh-log-wrapper.sh
rm -f ${SSHLOGWRAP}
cat >$SSHLOGWRAP <<EOD
#!/bin/sh
timestamp="\`$OBJ/timestamp\`"
logfile="${TEST_SSH_LOGDIR}/\${timestamp}.ssh.\$\$.log"
echo "Executing: ${SSH} \$@" log \${logfile} >>$TEST_REGRESS_LOGFILE
echo "Executing: ${SSH} \$@" >>\${logfile}
for i in "\$@";do shift;case "\$i" in -q):;; *) set -- "\$@" "\$i";;esac;done
rm -f $TEST_SSH_LOGFILE
ln -f -s \${logfile} $TEST_SSH_LOGFILE
exec ${SSH} -E\${logfile} "\$@"
EOD

chmod a+rx $OBJ/ssh-log-wrapper.sh
REAL_SSH="$SSH"
REAL_SSHD="$SSHD"
SSH="$SSHLOGWRAP"

SSHDLOGWRAP=$OBJ/sshd-log-wrapper.sh
rm -f ${SSHDLOGWRAP}
cat >$SSHDLOGWRAP <<EOD
#!/bin/sh
timestamp="\`$OBJ/timestamp\`"
logfile="${TEST_SSH_LOGDIR}/\${timestamp}.sshd.\$\$.log"
rm -f $TEST_SSHD_LOGFILE
touch \$logfile
test -z "$SUDO" || chown $USER \$logfile
ln -f -s \${logfile} $TEST_SSHD_LOGFILE
echo "Executing: ${SSHD} \$@" log \${logfile} >>$TEST_REGRESS_LOGFILE
echo "Executing: ${SSHD} \$@" >>\${logfile}
exec ${SSHD} -E\${logfile} "\$@"
EOD
chmod a+rx $OBJ/sshd-log-wrapper.sh

ssh_logfile ()
{
	tool="$1"
	timestamp="`$OBJ/timestamp`"
	logfile="${TEST_SSH_LOGDIR}/${timestamp}.$tool.$$.log"
	echo "Logging $tool to log \${logfile}" >>$TEST_REGRESS_LOGFILE
	echo $logfile
}

# Some test data.  We make a copy because some tests will overwrite it.
# The tests may assume that $DATA exists and is writable and $COPY does
# not exist.  Tests requiring larger data files can call increase_datafile_size
# [kbytes] to ensure the file is at least that large.
DATANAME=data
DATA=$OBJ/${DATANAME}
cat ${SSH_BIN} >${DATA}
chmod u+w ${DATA}
COPY=$OBJ/copy
rm -f ${COPY}

increase_datafile_size()
{
	while [ `du -k ${DATA} | cut -f1` -lt $1 ]; do
		cat ${SSH_BIN} >>${DATA}
	done
}

# these should be used in tests
export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
export SSH_PKCS11_HELPER SSH_SK_HELPER
#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP

# Portable specific functions
which()
{
	saved_IFS="$IFS"
	IFS=":"
	for i in $PATH
	do
		if [ -x $i/$1 ]; then
			IFS="$saved_IFS"
			echo "$i/$1"
			return 0
		fi
	done
	IFS="$saved_IFS"
	echo "$i/$1"
	return 1
}

have_prog()
{
	which "$1" >/dev/null 2>&1
	return $?
}

jot() {
	awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }"
}

if [ ! -x "`which rev`" ]; then
rev()
{
	awk '{for (i=length; i>0; i--) printf "%s", substr($0, i, 1); print ""}'
}
fi

if [ -x "/usr/xpg4/bin/id" ]; then
id()
{
	/usr/xpg4/bin/id $@
}
fi

# Check whether preprocessor symbols are defined in config.h.
config_defined ()
{
	str=$1
	while test "x$2" != "x" ; do
		str="$str|$2"
		shift
	done
	egrep "^#define.*($str)" ${BUILDDIR}/config.h >/dev/null 2>&1
}

md5 () {
	if have_prog md5sum; then
		md5sum
	elif have_prog openssl; then
		openssl md5
	elif have_prog cksum; then
		cksum
	elif have_prog sum; then
		sum
	elif [ -x ${OPENSSL_BIN} ]; then
		${OPENSSL_BIN} md5
	else
		wc -c
	fi
}

# Some platforms don't have hostname at all, but on others uname -n doesn't
# provide the fully qualified name we need, so in the former case we create
# our own hostname function.
if ! have_prog hostname; then
	hostname() {
		uname -n
	}
fi

make_tmpdir ()
{
	SSH_REGRESS_TMP="$($OBJ/mkdtemp openssh-XXXXXXXX)" || \
	    fatal "failed to create temporary directory"
}
# End of portable specific functions

stop_sshd ()
{
	[ -z $PIDFILE ] && return
	[ -f $PIDFILE ] || return
	pid=`$SUDO cat $PIDFILE`
	if [ "X$pid" = "X" ]; then
		echo "no sshd running" 1>&2
		return
	elif [ $pid -lt 2 ]; then
		echo "bad pid for sshd: $pid" 1>&2
		return
	fi
	$SUDO kill $pid
	trace "wait for sshd to exit"
	i=0;
	while [ -f $PIDFILE -a $i -lt 5 ]; do
		i=`expr $i + 1`
		sleep $i
	done
	if test -f $PIDFILE; then
		if $SUDO kill -0 $pid; then
			echo "sshd didn't exit port $PORT pid $pid" 1>&2
		else
			echo "sshd died without cleanup" 1>&2
		fi
		exit 1
	fi
	PIDFILE=""
}

# helper
cleanup ()
{
	if [ "x$SSH_PID" != "x" ]; then
		if [ $SSH_PID -lt 2 ]; then
			echo bad pid for ssh: $SSH_PID
		else
			kill $SSH_PID
		fi
	fi
	if [ "x$SSH_REGRESS_TMP" != "x" ]; then
		rm -rf "$SSH_REGRESS_TMP"
	fi
	stop_sshd
	if [ ! -z "$TEST_SSH_ELAPSED_TIMES" ]; then
		now=`date '+%s'`
		elapsed=$(($now - $STARTTIME))
		echo elapsed $elapsed `basename $SCRIPT .sh`
	fi
}

start_debug_log ()
{
	echo "trace: $@" >>$TEST_REGRESS_LOGFILE
	if [ -d "$TEST_SSH_LOGDIR" ]; then
		rm -f $TEST_SSH_LOGDIR/*
	fi
}

save_debug_log ()
{
	testname=`echo $tid | tr ' ' _`
	tarname="$OBJ/failed-$testname-logs.tar"

	for logfile in $TEST_SSH_LOGDIR $TEST_REGRESS_LOGFILE \
	    $TEST_SSH_LOGFILE $TEST_SSHD_LOGFILE; do
		if [ ! -z "$SUDO" ]; then
			touch $logfile
			$SUDO chown -R $USER $logfile
			$SUDO chmod ug+rw $logfile
		fi
	done
	echo $@ >>$TEST_REGRESS_LOGFILE
	echo $@ >>$TEST_SSH_LOGFILE
	echo $@ >>$TEST_SSHD_LOGFILE
	echo "Saving debug logs to $tarname" >>$TEST_REGRESS_LOGFILE
	(cat $TEST_REGRESS_LOGFILE; echo) >>$OBJ/failed-regress.log
	(cat $TEST_SSH_LOGFILE; echo) >>$OBJ/failed-ssh.log
	(cat $TEST_SSHD_LOGFILE; echo) >>$OBJ/failed-sshd.log
}

trace ()
{
	start_debug_log $@
	if [ "X$TEST_SSH_TRACE" = "Xyes" ]; then
		echo "$@"
	fi
}

verbose ()
{
	start_debug_log $@
	if [ "X$TEST_SSH_QUIET" != "Xyes" ]; then
		echo "$@"
	fi
}

fail ()
{
	save_debug_log "FAIL: $@"
	RESULT=1
	echo "$@"
	if test "x$TEST_SSH_FAIL_FATAL" != "x" ; then
		cleanup
		exit $RESULT
	fi
}

fatal ()
{
	save_debug_log "FATAL: $@"
	printf "FATAL: "
	fail "$@"
	cleanup
	exit $RESULT
}

# Skip remaining tests in script.
skip ()
{
	echo "SKIPPED: $@"
	cleanup
	exit $RESULT
}

maybe_add_scp_path_to_sshd ()
{
	# If we're testing a non-installed scp, add its directory to sshd's
	# PATH so we can test it.  We don't do this for all tests as it
	# breaks the SetEnv tests.
	case "$SCP" in
	/*)	PATH_WITH_SCP="`dirname $SCP`:$PATH"
		echo "	SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_config
		echo "	SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_proxy ;;
	esac
}

RESULT=0
PIDFILE=$OBJ/pidfile

trap fatal 3 2

# create server config
cat << EOF > $OBJ/sshd_config
	StrictModes		no
	Port			$PORT
	AddressFamily		inet
	ListenAddress		127.0.0.1
	#ListenAddress		::1
	PidFile			$PIDFILE
	AuthorizedKeysFile	$OBJ/authorized_keys_%u
	LogLevel		DEBUG3
	AcceptEnv		_XXX_TEST_*
	AcceptEnv		_XXX_TEST
	Subsystem	sftp	$SFTPSERVER
	SshdSessionPath		$SSHD_SESSION
	SshdAuthPath		$SSHD_AUTH
	PerSourcePenalties	no
EOF

# This may be necessary if /usr/src and/or /usr/obj are group-writable,
# but if you aren't careful with permissions then the unit tests could
# be abused to locally escalate privileges.
if [ ! -z "$TEST_SSH_UNSAFE_PERMISSIONS" ]; then
	echo "	StrictModes no" >> $OBJ/sshd_config
else
	# check and warn if excessive permissions are likely to cause failures.
	unsafe=""
	dir="${OBJ}"
	while test ${dir} != "/"; do
		if test -d "${dir}" && ! test -h "${dir}"; then
			perms=`ls -ld ${dir}`
			case "${perms}" in
			?????w????*|????????w?*) unsafe="${unsafe} ${dir}" ;;
			esac
		fi
		dir=`dirname ${dir}`
	done
	if ! test  -z "${unsafe}"; then
		cat <<EOD

WARNING: Unsafe (group or world writable) directory permissions found:
${unsafe}

These could be abused to locally escalate privileges.  If you are
sure that this is not a risk (eg there are no other users), you can
bypass this check by setting TEST_SSH_UNSAFE_PERMISSIONS=1

EOD
	fi
fi

if [ ! -z "$TEST_SSH_MODULI_FILE" ]; then
	trace "adding modulifile='$TEST_SSH_MODULI_FILE' to sshd_config"
	echo "	ModuliFile '$TEST_SSH_MODULI_FILE'" >> $OBJ/sshd_config
fi

if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then
	trace "adding sshd_config option $TEST_SSH_SSHD_CONFOPTS"
	echo "$TEST_SSH_SSHD_CONFOPTS" >> $OBJ/sshd_config
fi

# server config for proxy connects
cp $OBJ/sshd_config $OBJ/sshd_proxy

# allow group-writable directories in proxy-mode
echo 'StrictModes no' >> $OBJ/sshd_proxy

# create client config
cat << EOF > $OBJ/ssh_config
Host *
	Hostname		127.0.0.1
	HostKeyAlias		localhost-with-alias
	Port			$PORT
	User			$USER
	GlobalKnownHostsFile	$OBJ/known_hosts
	UserKnownHostsFile	$OBJ/known_hosts
	PubkeyAuthentication	yes
	ChallengeResponseAuthentication	no
	PasswordAuthentication	no
	BatchMode		yes
	StrictHostKeyChecking	yes
	LogLevel		DEBUG3
EOF

if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then
	trace "adding ssh_config option $TEST_SSH_SSH_CONFOPTS"
	echo "$TEST_SSH_SSH_CONFOPTS" >> $OBJ/ssh_config
fi

rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER

SSH_SK_PROVIDER=
if ! config_defined ENABLE_SK; then
	trace skipping sk-dummy
elif [ -f "${SRC}/misc/sk-dummy/obj/sk-dummy.so" ] ; then
	SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/obj/sk-dummy.so"
elif [ -f "${OBJ}/misc/sk-dummy/sk-dummy.so" ] ; then
	SSH_SK_PROVIDER="${OBJ}/misc/sk-dummy/sk-dummy.so"
elif [ -f "${SRC}/misc/sk-dummy/sk-dummy.so" ] ; then
	SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/sk-dummy.so"
fi
export SSH_SK_PROVIDER

if ! test -z "$SSH_SK_PROVIDER"; then
	EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)...
	echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config
	echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_config
	echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_proxy
fi
export EXTRA_AGENT_ARGS

maybe_filter_sk() {
	if test -z "$SSH_SK_PROVIDER" ; then
		grep -v ^sk | grep -v ^webauthn
	else
		grep -v ^webauthn
	fi
}

SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk`
SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk`

for t in ${SSH_KEYTYPES}; do
	# generate user key
	if [ ! -f $OBJ/$t ] || [ ${SSHKEYGEN_BIN} -nt $OBJ/$t ]; then
		trace "generating key type $t"
		rm -f $OBJ/$t
		${SSHKEYGEN} -q -N '' -t $t  -f $OBJ/$t ||\
			fail "ssh-keygen for $t failed"
	else
		trace "using cached key type $t"
	fi

	# setup authorized keys
	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
	echo IdentityFile $OBJ/$t >> $OBJ/ssh_config
done

for t in ${SSH_HOSTKEY_TYPES}; do
	# known hosts file for client
	(
		printf 'localhost-with-alias,127.0.0.1,::1 '
		cat $OBJ/$t.pub
	) >> $OBJ/known_hosts

	# use key as host key, too
	(umask 077; $SUDO cp $OBJ/$t $OBJ/host.$t)
	echo HostKey $OBJ/host.$t >> $OBJ/sshd_config

	# don't use SUDO for proxy connect
	echo HostKey $OBJ/$t >> $OBJ/sshd_proxy
done
chmod 644 $OBJ/authorized_keys_$USER

# Activate Twisted Conch tests if the binary is present
REGRESS_INTEROP_CONCH=no
if test -x "$CONCH" ; then
	REGRESS_INTEROP_CONCH=yes
fi

# If PuTTY is present, new enough and we are running a PuTTY test, prepare
# keys and configuration.
REGRESS_INTEROP_PUTTY=no
if test -x "$PUTTYGEN" -a -x "$PLINK" &&
    "$PUTTYGEN" --help 2>&1 | grep -- --new-passphrase >/dev/null; then
	REGRESS_INTEROP_PUTTY=yes
fi
case "$SCRIPT" in
*putty*)	;;
*)		REGRESS_INTEROP_PUTTY=no ;;
esac

puttysetup() {
	if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
		skip "putty interop tests not enabled"
	fi

	mkdir -p ${OBJ}/.putty

	# Add a PuTTY key to authorized_keys
	rm -f ${OBJ}/putty.rsa2
	if ! "$PUTTYGEN" -t rsa -o ${OBJ}/putty.rsa2 \
	    --random-device=/dev/urandom \
	    --new-passphrase /dev/null < /dev/null > /dev/null; then
		echo "Your installed version of PuTTY is too old to support --new-passphrase, skipping test" >&2
		exit 1
	fi
	"$PUTTYGEN" -O public-openssh ${OBJ}/putty.rsa2 \
	    >> $OBJ/authorized_keys_$USER

	# Convert rsa2 host key to PuTTY format
	cp $OBJ/ssh-rsa $OBJ/ssh-rsa_oldfmt
	${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/ssh-rsa_oldfmt >/dev/null
	${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/ssh-rsa_oldfmt > \
	    ${OBJ}/.putty/sshhostkeys
	${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/ssh-rsa_oldfmt >> \
	    ${OBJ}/.putty/sshhostkeys
	rm -f $OBJ/ssh-rsa_oldfmt

	# Setup proxied session
	mkdir -p ${OBJ}/.putty/sessions
	rm -f ${OBJ}/.putty/sessions/localhost_proxy
	echo "Protocol=ssh" >> ${OBJ}/.putty/sessions/localhost_proxy
	echo "HostName=127.0.0.1" >> ${OBJ}/.putty/sessions/localhost_proxy
	echo "PortNumber=$PORT" >> ${OBJ}/.putty/sessions/localhost_proxy
	echo "ProxyMethod=5" >> ${OBJ}/.putty/sessions/localhost_proxy
	echo "ProxyTelnetCommand=${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy
	echo "ProxyLocalhost=1" >> ${OBJ}/.putty/sessions/localhost_proxy

	PUTTYVER="`${PLINK} --version | awk '/plink: Release/{print $3}'`"
	PUTTYMAJORVER="`echo ${PUTTYVER} | cut -f1 -d.`"
	PUTTYMINORVER="`echo ${PUTTYVER} | cut -f2 -d.`"
	verbose "plink version ${PUTTYVER} major ${PUTTYMAJORVER} minor ${PUTTYMINORVER}"

	# Re-enable ssh-rsa on older PuTTY versions since they don't do newer
	# key types.
	if [ "$PUTTYMAJORVER" -eq "0" ] && [ "$PUTTYMINORVER" -lt "76" ]; then
		echo "HostKeyAlgorithms +ssh-rsa" >> ${OBJ}/sshd_proxy
		echo "PubkeyAcceptedKeyTypes +ssh-rsa" >> ${OBJ}/sshd_proxy
	fi

	if [ "$PUTTYMAJORVER" -eq "0" ] && [ "$PUTTYMINORVER" -le "64" ]; then
		echo "KexAlgorithms +diffie-hellman-group14-sha1" \
		    >>${OBJ}/sshd_proxy
	fi
	PUTTYDIR=${OBJ}/.putty
	export PUTTYDIR
}

REGRESS_INTEROP_DROPBEAR=no
if test -x "$DROPBEARKEY" -a -x "$DBCLIENT" -a -x "$DROPBEARCONVERT"; then
	REGRESS_INTEROP_DROPBEAR=yes
fi
case "$SCRIPT" in
*dropbear*)	;;
*)		REGRESS_INTEROP_DROPBEAR=no ;;
esac

if test "$REGRESS_INTEROP_DROPBEAR" = "yes" ; then
	trace Create dropbear keys and add to authorized_keys
	mkdir -p $OBJ/.dropbear $OBJ/.ssh
	awk '{print "somehost "$2" "$3}' $OBJ/known_hosts >$OBJ/.ssh/known_hosts
	kt="ed25519"
	for i in dss rsa ecdsa; do
		if $SSH -Q key-plain | grep "$i" >/dev/null; then
			kt="$kt $i"
		else
			rm -f "$OBJ/.dropbear/id_$i"
		fi
	done
	for i in $kt; do
		if [ ! -f "$OBJ/.dropbear/id_$i" ]; then
			verbose Create dropbear key type $i
			$DROPBEARKEY -t $i -f $OBJ/.dropbear/id_$i \
			    >/dev/null 2>&1
		fi
		$DROPBEARCONVERT dropbear openssh $OBJ/.dropbear/id_$i \
		    $OBJ/.dropbear/ossh.id_$i >/dev/null 2>&1
		$SSHKEYGEN -y -f $OBJ/.dropbear/ossh.id_$i \
		   >>$OBJ/authorized_keys_$USER
		rm -f $OBJ/.dropbear/id_$i.pub $OBJ/.dropbear/ossh.id_$i
	done
fi

# create a proxy version of the client config
(
	cat $OBJ/ssh_config
	echo proxycommand ${SUDO} env SSH_SK_HELPER=\"$SSH_SK_HELPER\" ${TEST_SSH_SSHD_ENV} ${OBJ}/sshd-log-wrapper.sh -i -f $OBJ/sshd_proxy
) > $OBJ/ssh_proxy

# check proxy config
${SSHD} -t -f $OBJ/sshd_proxy	|| fatal "sshd_proxy broken"

# extract proxycommand into separate shell script for use by Dropbear.
echo '#!/bin/sh' >$OBJ/ssh_proxy.sh
awk '/^proxycommand/' $OBJ/ssh_proxy | sed 's/^proxycommand//' \
   >>$OBJ/ssh_proxy.sh
chmod a+x $OBJ/ssh_proxy.sh

start_sshd ()
{
	PIDFILE=$OBJ/pidfile
	# start sshd
	logfile="${TEST_SSH_LOGDIR}/sshd.`$OBJ/timestamp`.$$.log"
	$SUDO env SSH_SK_HELPER="$SSH_SK_HELPER" ${TEST_SSH_SSHD_ENV} \
	    ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken"
	$SUDO env SSH_SK_HELPER="$SSH_SK_HELPER" ${TEST_SSH_SSHD_ENV} \
	    ${SSHD} -f $OBJ/sshd_config "$@" -E$TEST_SSHD_LOGFILE

	trace "wait for sshd"
	i=0;
	while [ ! -f $PIDFILE -a $i -lt 10 ]; do
		i=`expr $i + 1`
		sleep $i
	done
	rm -f ${TEST_SSHD_LOGFILE}
	ln -f -s ${logfile} $TEST_SSHD_LOGFILE

	test -f $PIDFILE || fatal "no sshd running on port $PORT"
}

enable_all_kexes_in_sshd ()
{
	kexs=`$SSH -Q KexAlgorithms | (tr '\n' ,; echo) | sed 's/,$//'`
	echo KexAlgorithms $kexs >>$OBJ/sshd_config
}

# Find a PKCS#11 library.
p11_find_lib() {
	TEST_SSH_PKCS11=""
	for _lib in "$@" ; do
		if test -f "$_lib" ; then
			TEST_SSH_PKCS11="$_lib"
			return
		fi
	done
}

# Perform PKCS#11 setup: prepares a softhsm2 token configuration, generated
# keys and loads them into the virtual token.
PKCS11_OK=
export PKCS11_OK
p11_setup() {
	# XXX we could potentially test ed25519 only in the absence of
	# RSA and ECDSA support.
	$SSH -Q key | grep ssh-rsa >/dev/null || return 1
	p11_find_lib \
		/usr/local/lib/softhsm/libsofthsm2.so \
		/usr/lib64/pkcs11/libsofthsm2.so \
		/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
	test -z "$TEST_SSH_PKCS11" && return 1
	trace "using token library $TEST_SSH_PKCS11"
	TEST_SSH_PIN=1234
	TEST_SSH_SOPIN=12345678
	if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then
		SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"
		export SSH_PKCS11_HELPER
	fi

	# setup environment for softhsm2 token
	SSH_SOFTHSM_DIR=$OBJ/SOFTHSM
	export SSH_SOFTHSM_DIR
	rm -rf $SSH_SOFTHSM_DIR
	TOKEN=$SSH_SOFTHSM_DIR/tokendir
	mkdir -p $TOKEN
	SOFTHSM2_CONF=$SSH_SOFTHSM_DIR/softhsm2.conf
	export SOFTHSM2_CONF
	cat > $SOFTHSM2_CONF << EOF
# SoftHSM v2 configuration file
directories.tokendir = ${TOKEN}
objectstore.backend = file
# ERROR, WARNING, INFO, DEBUG
log.level = DEBUG
# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
EOF
	out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")
	slot=$(echo -- $out | sed 's/.* //')
	trace "generating keys"
	# RSA key
	RSA=${SSH_SOFTHSM_DIR}/RSA
	RSAP8=${SSH_SOFTHSM_DIR}/RSAP8
	$OPENSSL_BIN genpkey -algorithm rsa > $RSA 2>/dev/null || \
	    fatal "genpkey RSA fail"
	$OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 || fatal "pkcs8 RSA fail"
	softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" \
	    --import $RSAP8 >/dev/null || fatal "softhsm import RSA fail"
	chmod 600 $RSA
	${SSHKEYGEN} -y -f $RSA > ${RSA}.pub
	# ECDSA key
	ECPARAM=${SSH_SOFTHSM_DIR}/ECPARAM
	EC=${SSH_SOFTHSM_DIR}/EC
	ECP8=${SSH_SOFTHSM_DIR}/ECP8
	$OPENSSL_BIN genpkey -genparam -algorithm ec \
	    -pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM || \
	    fatal "param EC fail"
	$OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC || \
	    fatal "genpkey EC fail"
	$OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 || fatal "pkcs8 EC fail"
	softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" \
	    --import $ECP8 >/dev/null || fatal "softhsm import EC fail"
	chmod 600 $EC
	${SSHKEYGEN} -y -f $EC > ${EC}.pub
	# Ed25519 key
	ED25519=${SSH_SOFTHSM_DIR}/ED25519
	ED25519P8=${SSH_SOFTHSM_DIR}/ED25519P8
	$OPENSSL_BIN genpkey -algorithm ed25519 > $ED25519 || \
	    fatal "genpkey Ed25519 fail"
	$OPENSSL_BIN pkcs8 -nocrypt -in $ED25519 > $ED25519P8 || \
		fatal "pkcs8 Ed25519 fail"
	softhsm2-util --slot "$slot" --label 03 --id 03 --pin "$TEST_SSH_PIN" \
	    --import $ED25519P8 >/dev/null || \
		fatal "softhsm import ed25519 fail"
	chmod 600 $ED25519
	${SSHKEYGEN} -y -f $ED25519 > ${ED25519}.pub
	# Prepare some askpass scripts to load PINs.
	PIN_SH=$SSH_SOFTHSM_DIR/pin.sh
	cat > $PIN_SH << EOF
#!/bin/sh
echo "${TEST_SSH_PIN}"
EOF
	chmod 0700 "$PIN_SH"
	WRONGPIN_SH=$SSH_SOFTHSM_DIR/wrongpin.sh
	cat > $WRONGPIN_SH << EOF
#!/bin/sh
echo "0000"
EOF
	chmod 0700 "$WRONGPIN_SH"
	PKCS11_OK=yes
	if env SSH_ASKPASS="$PIN_SH" SSH_ASKPASS_REQUIRE=force \
	    ${SSHKEYGEN} -D ${TEST_SSH_PKCS11} >/dev/null 2>&1 ; then
		return 0
	fi
	return 1
}

# Peforms ssh-add with the right token PIN.
p11_ssh_add() {
	env SSH_ASKPASS="$PIN_SH" SSH_ASKPASS_REQUIRE=force ${SSHADD} "$@"
}

start_ssh_agent() {
	EXTRA_AGENT_ARGS="$1"
	if [ "$PKCS11_OK" = "yes" ]; then
		EXTRA_AGENT_ARGS="${EXTRA_AGENT_ARGS} -P${TEST_SSH_PKCS11}"
	fi
	SSH_AUTH_SOCK="$OBJ/agent.sock"
	export SSH_AUTH_SOCK
	rm -f $SSH_AUTH_SOCK $OBJ/agent.log
	trace "start agent"
	${SSHAGENT} ${EXTRA_AGENT_ARGS} -d -a $SSH_AUTH_SOCK \
	    > $OBJ/agent.log 2>&1 &
	AGENT_PID=$!
	trap "kill $AGENT_PID" EXIT
	for x in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 ; do
		# Give it a chance to start
		${SSHADD} -l > /dev/null 2>&1
		r=$?
		test $r -eq 1 && break
		sleep 1
	done
	if [ $r -ne 1 ]; then
		fatal "ssh-add -l did not fail with exit code 1 (got $r)"
	fi
}

# source test body
. $SCRIPT

# kill sshd
cleanup

if [ "x$USE_VALGRIND" != "x" ]; then
	# If there is an EXIT trap handler, invoke it now.
	# Some tests set these to clean up processes such as ssh-agent.  We
	# need to wait for all valgrind processes to complete so we can check
	# their logs, but since the EXIT traps are not invoked until
	# test-exec.sh exits, waiting here will deadlock.
	# This is not very portable but then neither is valgrind itself.
	# As a bonus, dash (as used on the runners) has a "trap" that doesn't
	# work in a pipeline (hence the temp file) or a subshell.
	exithandler=""
	trap >/tmp/trap.$$ && exithandler=$(cat /tmp/trap.$$ | \
	    awk -F "'" '/EXIT$/{print $2}')
	rm -f /tmp/trap.$$
	if [ "x${exithandler}" != "x" ]; then
		verbose invoking EXIT trap handler early: ${exithandler}
		eval "${exithandler}"
		trap '' EXIT
	fi

	# wait for any running process to complete
	wait; sleep 1
	VG_RESULTS=$(find $OBJ/valgrind-out -type f -print)
	VG_RESULT_COUNT=0
	VG_FAIL_COUNT=0
	for i in $VG_RESULTS; do
		if grep "ERROR SUMMARY" $i >/dev/null; then
			VG_RESULT_COUNT=$(($VG_RESULT_COUNT + 1))
			if ! grep "ERROR SUMMARY: 0 errors" $i >/dev/null; then
				VG_FAIL_COUNT=$(($VG_FAIL_COUNT + 1))
				RESULT=1
				verbose valgrind failure $i
				cat $i
			fi
		fi
	done
	if [ x"$VG_SKIP" != "x" ]; then
		verbose valgrind skipped
	else
		verbose valgrind results $VG_RESULT_COUNT failures $VG_FAIL_COUNT
	fi
fi

if [ $RESULT -eq 0 ]; then
	verbose ok $tid
	if [ "x$CACHE" != "x" ]; then
		touch "$CACHE"
	fi
else
	echo failed $tid
fi
exit $RESULT