1# $OpenBSD: test-exec.sh,v 1.62 2018/03/16 09:06:31 dtucker Exp $ 2# Placed in the Public Domain. 3 4#SUDO=sudo 5 6# Unbreak GNU head(1) 7_POSIX2_VERSION=199209 8export _POSIX2_VERSION 9 10case `uname -s 2>/dev/null` in 11OSF1*) 12 BIN_SH=xpg4 13 export BIN_SH 14 ;; 15CYGWIN_NT-5.0) 16 os=cygwin 17 TEST_SSH_IPV6=no 18 ;; 19CYGWIN*) 20 os=cygwin 21 ;; 22esac 23 24if [ ! -z "$TEST_SSH_PORT" ]; then 25 PORT="$TEST_SSH_PORT" 26else 27 PORT=4242 28fi 29 30if [ -x /usr/ucb/whoami ]; then 31 USER=`/usr/ucb/whoami` 32elif whoami >/dev/null 2>&1; then 33 USER=`whoami` 34elif logname >/dev/null 2>&1; then 35 USER=`logname` 36else 37 USER=`id -un` 38fi 39 40OBJ=$1 41if [ "x$OBJ" = "x" ]; then 42 echo '$OBJ not defined' 43 exit 2 44fi 45if [ ! -d $OBJ ]; then 46 echo "not a directory: $OBJ" 47 exit 2 48fi 49SCRIPT=$2 50if [ "x$SCRIPT" = "x" ]; then 51 echo '$SCRIPT not defined' 52 exit 2 53fi 54if [ ! -f $SCRIPT ]; then 55 echo "not a file: $SCRIPT" 56 exit 2 57fi 58if $TEST_SHELL -n $SCRIPT; then 59 true 60else 61 echo "syntax error in $SCRIPT" 62 exit 2 63fi 64unset SSH_AUTH_SOCK 65 66SRC=`dirname ${SCRIPT}` 67 68# defaults 69SSH=ssh 70SSHD=sshd 71SSHAGENT=ssh-agent 72SSHADD=ssh-add 73SSHKEYGEN=ssh-keygen 74SSHKEYSCAN=ssh-keyscan 75SFTP=sftp 76SFTPSERVER=/usr/libexec/openssh/sftp-server 77SCP=scp 78 79# Interop testing 80PLINK=plink 81PUTTYGEN=puttygen 82CONCH=conch 83 84if [ "x$TEST_SSH_SSH" != "x" ]; then 85 SSH="${TEST_SSH_SSH}" 86fi 87if [ "x$TEST_SSH_SSHD" != "x" ]; then 88 SSHD="${TEST_SSH_SSHD}" 89fi 90if [ "x$TEST_SSH_SSHAGENT" != "x" ]; then 91 SSHAGENT="${TEST_SSH_SSHAGENT}" 92fi 93if [ "x$TEST_SSH_SSHADD" != "x" ]; then 94 SSHADD="${TEST_SSH_SSHADD}" 95fi 96if [ "x$TEST_SSH_SSHKEYGEN" != "x" ]; then 97 SSHKEYGEN="${TEST_SSH_SSHKEYGEN}" 98fi 99if [ "x$TEST_SSH_SSHKEYSCAN" != "x" ]; then 100 SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}" 101fi 102if [ "x$TEST_SSH_SFTP" != "x" ]; then 103 SFTP="${TEST_SSH_SFTP}" 104fi 105if [ "x$TEST_SSH_SFTPSERVER" != "x" ]; then 106 SFTPSERVER="${TEST_SSH_SFTPSERVER}" 107fi 108if [ "x$TEST_SSH_SCP" != "x" ]; then 109 SCP="${TEST_SSH_SCP}" 110fi 111if [ "x$TEST_SSH_PLINK" != "x" ]; then 112 # Find real binary, if it exists 113 case "${TEST_SSH_PLINK}" in 114 /*) PLINK="${TEST_SSH_PLINK}" ;; 115 *) PLINK=`which ${TEST_SSH_PLINK} 2>/dev/null` ;; 116 esac 117fi 118if [ "x$TEST_SSH_PUTTYGEN" != "x" ]; then 119 # Find real binary, if it exists 120 case "${TEST_SSH_PUTTYGEN}" in 121 /*) PUTTYGEN="${TEST_SSH_PUTTYGEN}" ;; 122 *) PUTTYGEN=`which ${TEST_SSH_PUTTYGEN} 2>/dev/null` ;; 123 esac 124fi 125if [ "x$TEST_SSH_CONCH" != "x" ]; then 126 # Find real binary, if it exists 127 case "${TEST_SSH_CONCH}" in 128 /*) CONCH="${TEST_SSH_CONCH}" ;; 129 *) CONCH=`which ${TEST_SSH_CONCH} 2>/dev/null` ;; 130 esac 131fi 132 133# Path to sshd must be absolute for rexec 134case "$SSHD" in 135/*) ;; 136*) SSHD=`which $SSHD` ;; 137esac 138 139case "$SSHAGENT" in 140/*) ;; 141*) SSHAGENT=`which $SSHAGENT` ;; 142esac 143 144# Record the actual binaries used. 145SSH_BIN=${SSH} 146SSHD_BIN=${SSHD} 147SSHAGENT_BIN=${SSHAGENT} 148SSHADD_BIN=${SSHADD} 149SSHKEYGEN_BIN=${SSHKEYGEN} 150SSHKEYSCAN_BIN=${SSHKEYSCAN} 151SFTP_BIN=${SFTP} 152SFTPSERVER_BIN=${SFTPSERVER} 153SCP_BIN=${SCP} 154 155if [ "x$USE_VALGRIND" != "x" ]; then 156 mkdir -p $OBJ/valgrind-out 157 VG_TEST=`basename $SCRIPT .sh` 158 159 # Some tests are difficult to fix. 160 case "$VG_TEST" in 161 connect-privsep|reexec) 162 VG_SKIP=1 ;; 163 esac 164 165 if [ x"$VG_SKIP" = "x" ]; then 166 VG_IGNORE="/bin/*,/sbin/*,/usr/*,/var/*" 167 VG_LOG="$OBJ/valgrind-out/${VG_TEST}." 168 VG_OPTS="--track-origins=yes --leak-check=full" 169 VG_OPTS="$VG_OPTS --trace-children=yes" 170 VG_OPTS="$VG_OPTS --trace-children-skip=${VG_IGNORE}" 171 VG_PATH="valgrind" 172 if [ "x$VALGRIND_PATH" != "x" ]; then 173 VG_PATH="$VALGRIND_PATH" 174 fi 175 VG="$VG_PATH $VG_OPTS" 176 SSH="$VG --log-file=${VG_LOG}ssh.%p $SSH" 177 SSHD="$VG --log-file=${VG_LOG}sshd.%p $SSHD" 178 SSHAGENT="$VG --log-file=${VG_LOG}ssh-agent.%p $SSHAGENT" 179 SSHADD="$VG --log-file=${VG_LOG}ssh-add.%p $SSHADD" 180 SSHKEYGEN="$VG --log-file=${VG_LOG}ssh-keygen.%p $SSHKEYGEN" 181 SSHKEYSCAN="$VG --log-file=${VG_LOG}ssh-keyscan.%p $SSHKEYSCAN" 182 SFTP="$VG --log-file=${VG_LOG}sftp.%p ${SFTP}" 183 SCP="$VG --log-file=${VG_LOG}scp.%p $SCP" 184 cat > $OBJ/valgrind-sftp-server.sh << EOF 185#!/bin/sh 186exec $VG --log-file=${VG_LOG}sftp-server.%p $SFTPSERVER "\$@" 187EOF 188 chmod a+rx $OBJ/valgrind-sftp-server.sh 189 SFTPSERVER="$OBJ/valgrind-sftp-server.sh" 190 fi 191fi 192 193# Logfiles. 194# SSH_LOGFILE should be the debug output of ssh(1) only 195# SSHD_LOGFILE should be the debug output of sshd(8) only 196# REGRESS_LOGFILE is the output of the test itself stdout and stderr 197if [ "x$TEST_SSH_LOGFILE" = "x" ]; then 198 TEST_SSH_LOGFILE=$OBJ/ssh.log 199fi 200if [ "x$TEST_SSHD_LOGFILE" = "x" ]; then 201 TEST_SSHD_LOGFILE=$OBJ/sshd.log 202fi 203if [ "x$TEST_REGRESS_LOGFILE" = "x" ]; then 204 TEST_REGRESS_LOGFILE=$OBJ/regress.log 205fi 206 207# truncate logfiles 208>$TEST_SSH_LOGFILE 209>$TEST_SSHD_LOGFILE 210>$TEST_REGRESS_LOGFILE 211 212# Create wrapper ssh with logging. We can't just specify "SSH=ssh -E..." 213# because sftp and scp don't handle spaces in arguments. 214SSHLOGWRAP=$OBJ/ssh-log-wrapper.sh 215echo "#!/bin/sh" > $SSHLOGWRAP 216echo "exec ${SSH} -E${TEST_SSH_LOGFILE} "'"$@"' >>$SSHLOGWRAP 217 218chmod a+rx $OBJ/ssh-log-wrapper.sh 219REAL_SSH="$SSH" 220SSH="$SSHLOGWRAP" 221 222# Some test data. We make a copy because some tests will overwrite it. 223# The tests may assume that $DATA exists and is writable and $COPY does 224# not exist. Tests requiring larger data files can call increase_datafile_size 225# [kbytes] to ensure the file is at least that large. 226DATANAME=data 227DATA=$OBJ/${DATANAME} 228cat ${SSHAGENT_BIN} >${DATA} 229chmod u+w ${DATA} 230COPY=$OBJ/copy 231rm -f ${COPY} 232 233increase_datafile_size() 234{ 235 while [ `du -k ${DATA} | cut -f1` -lt $1 ]; do 236 cat ${SSHAGENT_BIN} >>${DATA} 237 done 238} 239 240# these should be used in tests 241export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP 242#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP 243 244# Portable specific functions 245have_prog() 246{ 247 saved_IFS="$IFS" 248 IFS=":" 249 for i in $PATH 250 do 251 if [ -x $i/$1 ]; then 252 IFS="$saved_IFS" 253 return 0 254 fi 255 done 256 IFS="$saved_IFS" 257 return 1 258} 259 260jot() { 261 awk "BEGIN { for (i = $2; i < $2 + $1; i++) { printf \"%d\n\", i } exit }" 262} 263 264# Check whether preprocessor symbols are defined in config.h. 265config_defined () 266{ 267 str=$1 268 while test "x$2" != "x" ; do 269 str="$str|$2" 270 shift 271 done 272 egrep "^#define.*($str)" ${BUILDDIR}/config.h >/dev/null 2>&1 273} 274 275md5 () { 276 if have_prog md5sum; then 277 md5sum 278 elif have_prog openssl; then 279 openssl md5 280 elif have_prog cksum; then 281 cksum 282 elif have_prog sum; then 283 sum 284 else 285 wc -c 286 fi 287} 288# End of portable specific functions 289 290stop_sshd () 291{ 292 if [ -f $PIDFILE ]; then 293 pid=`$SUDO cat $PIDFILE` 294 if [ "X$pid" = "X" ]; then 295 echo no sshd running 296 else 297 if [ $pid -lt 2 ]; then 298 echo bad pid for sshd: $pid 299 else 300 $SUDO kill $pid 301 trace "wait for sshd to exit" 302 i=0; 303 while [ -f $PIDFILE -a $i -lt 5 ]; do 304 i=`expr $i + 1` 305 sleep $i 306 done 307 if test -f $PIDFILE; then 308 if $SUDO kill -0 $pid; then 309 echo "sshd didn't exit " \ 310 "port $PORT pid $pid" 311 else 312 echo "sshd died without cleanup" 313 fi 314 exit 1 315 fi 316 fi 317 fi 318 fi 319} 320 321# helper 322cleanup () 323{ 324 if [ "x$SSH_PID" != "x" ]; then 325 if [ $SSH_PID -lt 2 ]; then 326 echo bad pid for ssh: $SSH_PID 327 else 328 kill $SSH_PID 329 fi 330 fi 331 stop_sshd 332} 333 334start_debug_log () 335{ 336 echo "trace: $@" >$TEST_REGRESS_LOGFILE 337 echo "trace: $@" >$TEST_SSH_LOGFILE 338 echo "trace: $@" >$TEST_SSHD_LOGFILE 339} 340 341save_debug_log () 342{ 343 echo $@ >>$TEST_REGRESS_LOGFILE 344 echo $@ >>$TEST_SSH_LOGFILE 345 echo $@ >>$TEST_SSHD_LOGFILE 346 (cat $TEST_REGRESS_LOGFILE; echo) >>$OBJ/failed-regress.log 347 (cat $TEST_SSH_LOGFILE; echo) >>$OBJ/failed-ssh.log 348 (cat $TEST_SSHD_LOGFILE; echo) >>$OBJ/failed-sshd.log 349} 350 351trace () 352{ 353 start_debug_log $@ 354 if [ "X$TEST_SSH_TRACE" = "Xyes" ]; then 355 echo "$@" 356 fi 357} 358 359verbose () 360{ 361 start_debug_log $@ 362 if [ "X$TEST_SSH_QUIET" != "Xyes" ]; then 363 echo "$@" 364 fi 365} 366 367warn () 368{ 369 echo "WARNING: $@" >>$TEST_SSH_LOGFILE 370 echo "WARNING: $@" 371} 372 373fail () 374{ 375 save_debug_log "FAIL: $@" 376 RESULT=1 377 echo "$@" 378 379} 380 381fatal () 382{ 383 save_debug_log "FATAL: $@" 384 printf "FATAL: " 385 fail "$@" 386 cleanup 387 exit $RESULT 388} 389 390RESULT=0 391PIDFILE=$OBJ/pidfile 392 393trap fatal 3 2 394 395# create server config 396cat << EOF > $OBJ/sshd_config 397 StrictModes no 398 Port $PORT 399 AddressFamily inet 400 ListenAddress 127.0.0.1 401 #ListenAddress ::1 402 PidFile $PIDFILE 403 AuthorizedKeysFile $OBJ/authorized_keys_%u 404 LogLevel DEBUG3 405 AcceptEnv _XXX_TEST_* 406 AcceptEnv _XXX_TEST 407 Subsystem sftp $SFTPSERVER 408EOF 409 410# This may be necessary if /usr/src and/or /usr/obj are group-writable, 411# but if you aren't careful with permissions then the unit tests could 412# be abused to locally escalate privileges. 413if [ ! -z "$TEST_SSH_UNSAFE_PERMISSIONS" ]; then 414 echo "StrictModes no" >> $OBJ/sshd_config 415fi 416 417if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then 418 trace "adding sshd_config option $TEST_SSH_SSHD_CONFOPTS" 419 echo "$TEST_SSH_SSHD_CONFOPTS" >> $OBJ/sshd_config 420fi 421 422# server config for proxy connects 423cp $OBJ/sshd_config $OBJ/sshd_proxy 424 425# allow group-writable directories in proxy-mode 426echo 'StrictModes no' >> $OBJ/sshd_proxy 427 428# create client config 429cat << EOF > $OBJ/ssh_config 430Host * 431 Hostname 127.0.0.1 432 HostKeyAlias localhost-with-alias 433 Port $PORT 434 User $USER 435 GlobalKnownHostsFile $OBJ/known_hosts 436 UserKnownHostsFile $OBJ/known_hosts 437 PubkeyAuthentication yes 438 ChallengeResponseAuthentication no 439 HostbasedAuthentication no 440 PasswordAuthentication no 441 BatchMode yes 442 StrictHostKeyChecking yes 443 LogLevel DEBUG3 444EOF 445 446if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then 447 trace "adding ssh_config option $TEST_SSH_SSH_CONFOPTS" 448 echo "$TEST_SSH_SSH_CONFOPTS" >> $OBJ/ssh_config 449fi 450 451rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER 452 453SSH_KEYTYPES="rsa ed25519" 454 455trace "generate keys" 456for t in ${SSH_KEYTYPES}; do 457 # generate user key 458 if [ ! -f $OBJ/$t ] || [ ${SSHKEYGEN_BIN} -nt $OBJ/$t ]; then 459 rm -f $OBJ/$t 460 ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t ||\ 461 fail "ssh-keygen for $t failed" 462 fi 463 464 # known hosts file for client 465 ( 466 printf 'localhost-with-alias,127.0.0.1,::1 ' 467 cat $OBJ/$t.pub 468 ) >> $OBJ/known_hosts 469 470 # setup authorized keys 471 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER 472 echo IdentityFile $OBJ/$t >> $OBJ/ssh_config 473 474 # use key as host key, too 475 $SUDO cp $OBJ/$t $OBJ/host.$t 476 echo HostKey $OBJ/host.$t >> $OBJ/sshd_config 477 478 # don't use SUDO for proxy connect 479 echo HostKey $OBJ/$t >> $OBJ/sshd_proxy 480done 481chmod 644 $OBJ/authorized_keys_$USER 482 483# Activate Twisted Conch tests if the binary is present 484REGRESS_INTEROP_CONCH=no 485if test -x "$CONCH" ; then 486 REGRESS_INTEROP_CONCH=yes 487fi 488 489# If PuTTY is present and we are running a PuTTY test, prepare keys and 490# configuration 491REGRESS_INTEROP_PUTTY=no 492if test -x "$PUTTYGEN" -a -x "$PLINK" ; then 493 REGRESS_INTEROP_PUTTY=yes 494fi 495case "$SCRIPT" in 496*putty*) ;; 497*) REGRESS_INTEROP_PUTTY=no ;; 498esac 499 500if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then 501 mkdir -p ${OBJ}/.putty 502 503 # Add a PuTTY key to authorized_keys 504 rm -f ${OBJ}/putty.rsa2 505 if ! puttygen -t rsa -o ${OBJ}/putty.rsa2 \ 506 --random-device=/dev/urandom \ 507 --new-passphrase /dev/null < /dev/null > /dev/null; then 508 echo "Your installed version of PuTTY is too old to support --new-passphrase; trying without (may require manual interaction) ..." >&2 509 puttygen -t rsa -o ${OBJ}/putty.rsa2 < /dev/null > /dev/null 510 fi 511 puttygen -O public-openssh ${OBJ}/putty.rsa2 \ 512 >> $OBJ/authorized_keys_$USER 513 514 # Convert rsa2 host key to PuTTY format 515 ${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/rsa > \ 516 ${OBJ}/.putty/sshhostkeys 517 ${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/rsa >> \ 518 ${OBJ}/.putty/sshhostkeys 519 520 # Setup proxied session 521 mkdir -p ${OBJ}/.putty/sessions 522 rm -f ${OBJ}/.putty/sessions/localhost_proxy 523 echo "Protocol=ssh" >> ${OBJ}/.putty/sessions/localhost_proxy 524 echo "HostName=127.0.0.1" >> ${OBJ}/.putty/sessions/localhost_proxy 525 echo "PortNumber=$PORT" >> ${OBJ}/.putty/sessions/localhost_proxy 526 echo "ProxyMethod=5" >> ${OBJ}/.putty/sessions/localhost_proxy 527 echo "ProxyTelnetCommand=sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy 528 echo "ProxyLocalhost=1" >> ${OBJ}/.putty/sessions/localhost_proxy 529 530 PUTTYDIR=${OBJ}/.putty 531 export PUTTYDIR 532 533 REGRESS_INTEROP_PUTTY=yes 534fi 535 536# create a proxy version of the client config 537( 538 cat $OBJ/ssh_config 539 echo proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy 540) > $OBJ/ssh_proxy 541 542# check proxy config 543${SSHD} -t -f $OBJ/sshd_proxy || fatal "sshd_proxy broken" 544 545start_sshd () 546{ 547 # start sshd 548 $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken" 549 $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -E$TEST_SSHD_LOGFILE 550 551 trace "wait for sshd" 552 i=0; 553 while [ ! -f $PIDFILE -a $i -lt 10 ]; do 554 i=`expr $i + 1` 555 sleep $i 556 done 557 558 test -f $PIDFILE || fatal "no sshd running on port $PORT" 559} 560 561# source test body 562. $SCRIPT 563 564# kill sshd 565cleanup 566if [ $RESULT -eq 0 ]; then 567 verbose ok $tid 568else 569 echo failed $tid 570fi 571exit $RESULT 572