#	$OpenBSD: keygen-knownhosts.sh,v 1.3 2015/07/17 03:34:27 djm Exp $
#	Placed in the Public Domain.

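tid="ssh-keygen known_hosts"

# Start from a clean slate: every fixture this test writes lives under
# $OBJ/kh.* (keys, hosts files, expected and actual output). The glob part
# stays unquoted so it expands; only $OBJ is quoted.
rm -f -- "$OBJ"/kh.*

# Generate some keys for testing (just ed25519 for speed) and make a hosts
# file. Each entry exercises a different known_hosts line shape:
#   host-a, host-b   plain hostnames (host-a2/host-b2 add a second key each)
#   host-c           @cert-authority marker
#   host-d           @revoked marker
#   host-e           wildcard pattern "host-e*"
#   host-f           comma-separated host list "host-f,host-g,host-h"
# ${SSHKEYGEN} is left unquoted as in the rest of this script.
for x in host-a host-b host-c host-d host-e host-f host-a2 host-b2; do
	# -N "" creates the key without a passphrase.
	${SSHKEYGEN} -qt ed25519 -f "$OBJ/kh.$x" -C "$x" -N "" || \
		fatal "ssh-keygen failed"
	# Add a comment that we expect should be preserved.
	echo "# $x" >> "$OBJ/kh.hosts"
	(
		# Host field first. The host text is passed as a printf
		# argument, never as the format string.
		case "$x" in
		host-a|host-b)	printf '%s ' "$x" ;;
		host-c)		printf '@cert-authority %s ' "$x" ;;
		host-d)		printf '@revoked %s ' "$x" ;;
		host-e)		printf '%s ' "host-e*" ;;
		host-f)		printf '%s ' "host-f,host-g,host-h" ;;
		host-a2)	printf '%s ' "host-a" ;;
		host-b2)	printf '%s ' "host-b" ;;
		esac
		cat "$OBJ/kh.${x}.pub"
		# Blank line should be preserved. The subshell's stdout is
		# already the hosts file, so no separate redirect is needed.
		echo ""
	) >> "$OBJ/kh.hosts"
done

# Generate a variant with an invalid line (a host field with no key). We'll
# use this for most tests, because keygen should be able to cope and it
# should be preserved in any output file.
cat "$OBJ/kh.hosts" >> "$OBJ/kh.invalid"
echo "host-i " >> "$OBJ/kh.invalid"

# Pristine copies; later tests restore from these before each mutation.
cp "$OBJ/kh.invalid" "$OBJ/kh.invalid.orig"
cp "$OBJ/kh.hosts" "$OBJ/kh.hosts.orig"
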
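#######################################
# Append one expected "ssh-keygen -F" result to $OBJ/kh.expect.
# Arguments:
#   $1 - host that was looked up (only used in the "found" header line)
#   $2 - host field as it should appear in the output line
#   $3 - key name; the key is read from $OBJ/kh.$3.pub
#   $4 - line number for the "# Host ... found: line N" header;
#        empty to omit the header (callers omit it for hashed lookups)
#   $5 - "CA" or "REVOKED" to prefix the matching marker; empty otherwise
# Outputs: appends to $OBJ/kh.expect
# Returns: 0, or calls fatal if the .pub file is missing
#######################################
expect_key() {
	_host=$1
	_hosts=$2
	_key=$3
	_line=$4
	_mark=$5
	_marker=""
	case "$_mark" in
	CA)		_marker="@cert-authority " ;;
	REVOKED)	_marker="@revoked " ;;
	esac
	test "x$_line" != "x" &&
	    echo "# Host $_host found: line $_line $_mark" >> "$OBJ/kh.expect"
	# Marker and host field are printf arguments, not the format string,
	# so a '%' or backslash in a host pattern cannot alter the output.
	printf '%s%s ' "$_marker" "$_hosts" >> "$OBJ/kh.expect"
	cat "$OBJ/kh.${_key}.pub" >> "$OBJ/kh.expect" ||
	    fatal "${_key}.pub missing"
}
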
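#######################################
# Run "ssh-keygen -F" against the file with the invalid line and compare
# its output with $OBJ/kh.expect, ignoring whitespace differences.
# Arguments:
#   $1 - host to look up
#   $2 - test name, used in the failure message
#   $3 - extra ssh-keygen option (e.g. -H); may be empty
# Outputs: writes ssh-keygen's stdout to $OBJ/kh.result
# Returns: 0 on match; calls fail on mismatch
#######################################
check_find() {
	_host=$1
	_name=$2
	_keygenopt=$3
	# $_keygenopt is deliberately unquoted: when empty it must vanish
	# rather than be passed as an empty argument.
	${SSHKEYGEN} $_keygenopt -f "$OBJ/kh.invalid" -F "$_host" > "$OBJ/kh.result"
	if ! diff -w "$OBJ/kh.expect" "$OBJ/kh.result" ; then
		fail "didn't find $_name"
	fi
}
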
     65 # Find key
     66 rm -f $OBJ/kh.expect
     67 expect_key host-a host-a host-a 2
     68 expect_key host-a host-a host-a2 20
     69 check_find host-a "simple find"
     70 
     71 # find CA key
     72 rm -f $OBJ/kh.expect
     73 expect_key host-c host-c host-c 8 CA
     74 check_find host-c "find CA key"
     75 
     76 # find revoked key
     77 rm -f $OBJ/kh.expect
     78 expect_key host-d host-d host-d 11 REVOKED
     79 check_find host-d "find revoked key"
     80 
     81 # find key with wildcard
     82 rm -f $OBJ/kh.expect
     83 expect_key host-e.somedomain "host-e*" host-e 14
     84 check_find host-e.somedomain "find wildcard key"
     85 
     86 # find key among multiple hosts
     87 rm -f $OBJ/kh.expect
     88 expect_key host-h "host-f,host-g,host-h " host-f 17
     89 check_find host-h "find multiple hosts"
     90 
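#######################################
# Run "ssh-keygen -HF" (hashed lookup) and compare with $OBJ/kh.expect.
# Only hashed output lines (those containing "|1|") are kept, and the
# leading hashed host field is replaced by the queried host so the result
# can be diffed against a plaintext expectation.
# Arguments:
#   $1 - host to look up
#   $2 - test name, used in the failure message
#   $3 - known_hosts file; defaults to $OBJ/kh.invalid when empty
# Outputs: writes the filtered result to $OBJ/kh.result
# Returns: 0 on match; calls fail on mismatch
#######################################
check_hashed_find() {
	_host=$1
	_name=$2
	_file=${3:-$OBJ/kh.invalid}
	# $_host is spliced into the sed replacement; it is a test-controlled
	# literal here and must not contain '/', '&' or a backslash.
	${SSHKEYGEN} -f "$_file" -HF "$_host" | grep '|1|' | \
	    sed "s/^[^ ]*/$_host/" > "$OBJ/kh.result"
	if ! diff -w "$OBJ/kh.expect" "$OBJ/kh.result" ; then
		fail "didn't find $_name"
	fi
}
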
    103 # Find key and hash
    104 rm -f $OBJ/kh.expect
    105 expect_key host-a host-a host-a
    106 expect_key host-a host-a host-a2
    107 check_hashed_find host-a "find simple and hash"
    108 
    109 # Find CA key and hash
    110 rm -f $OBJ/kh.expect
    111 expect_key host-c host-c host-c "" CA
    112 # CA key output is not hashed.
    113 check_find host-c "find simple and hash" -H
    114 
    115 # Find revoked key and hash
    116 rm -f $OBJ/kh.expect
    117 expect_key host-d host-d host-d "" REVOKED
    118 # Revoked key output is not hashed.
    119 check_find host-d "find simple and hash" -H
    120 
    121 # find key with wildcard and hash
    122 rm -f $OBJ/kh.expect
    123 expect_key host-e "host-e*" host-e ""
    124 # Key with wildcard hostname should not be hashed.
    125 check_find host-e "find wildcard key" -H
    126 
    127 # find key among multiple hosts
    128 rm -f $OBJ/kh.expect
    129 # Comma-separated hostnames should be expanded and hashed.
    130 expect_key host-f "host-h " host-f
    131 expect_key host-g "host-h " host-f
    132 expect_key host-h "host-h " host-f
    133 check_hashed_find host-h "find multiple hosts"
    134 
    135 # Attempt remove key on invalid file.
    136 cp $OBJ/kh.invalid.orig $OBJ/kh.invalid
    137 ${SSHKEYGEN} -qf $OBJ/kh.invalid -R host-a 2>/dev/null
    138 diff $OBJ/kh.invalid $OBJ/kh.invalid.orig || fail "remove on invalid succeeded"
    139 
    140 # Remove key
    141 cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
    142 ${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-a 2>/dev/null
    143 grep -v "^host-a " $OBJ/kh.hosts.orig > $OBJ/kh.expect
    144 diff $OBJ/kh.hosts $OBJ/kh.expect || fail "remove simple"
    145 
    146 # Remove CA key
    147 cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
    148 ${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-c 2>/dev/null
    149 # CA key should not be removed.
    150 diff $OBJ/kh.hosts $OBJ/kh.hosts.orig || fail "remove CA"
    151 
    152 # Remove revoked key
    153 cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
    154 ${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-d 2>/dev/null
    155 # revoked key should not be removed.
    156 diff $OBJ/kh.hosts $OBJ/kh.hosts.orig || fail "remove revoked"
    157 
    158 # Remove wildcard
    159 cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
    160 ${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-e.blahblah 2>/dev/null
    161 grep -v "^host-e[*] " $OBJ/kh.hosts.orig > $OBJ/kh.expect
    162 diff $OBJ/kh.hosts $OBJ/kh.expect || fail "remove wildcard"
    163 
    164 # Remove multiple
    165 cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
    166 ${SSHKEYGEN} -qf $OBJ/kh.hosts -R host-h 2>/dev/null
    167 grep -v "^host-f," $OBJ/kh.hosts.orig > $OBJ/kh.expect
    168 diff $OBJ/kh.hosts $OBJ/kh.expect || fail "remove wildcard"
    169 
    170 # Attempt hash on invalid file
    171 cp $OBJ/kh.invalid.orig $OBJ/kh.invalid
    172 ${SSHKEYGEN} -qf $OBJ/kh.invalid -H 2>/dev/null && fail "hash invalid succeeded"
    173 diff $OBJ/kh.invalid $OBJ/kh.invalid.orig || fail "invalid file modified"
    174 
    175 # Hash valid file
    176 cp $OBJ/kh.hosts.orig $OBJ/kh.hosts
    177 ${SSHKEYGEN} -qf $OBJ/kh.hosts -H 2>/dev/null || fail "hash failed"
    178 diff $OBJ/kh.hosts.old $OBJ/kh.hosts.orig || fail "backup differs"
    179 grep "^host-[abfgh]" $OBJ/kh.hosts && fail "original hostnames persist"
    180 
    181 cp $OBJ/kh.hosts $OBJ/kh.hashed.orig
    182 
    183 # Test lookup
    184 rm -f $OBJ/kh.expect
    185 expect_key host-a host-a host-a
    186 expect_key host-a host-a host-a2
    187 check_hashed_find host-a "find simple in hashed" $OBJ/kh.hosts
    188 
    189 # Test multiple expanded
    190 rm -f $OBJ/kh.expect
    191 expect_key host-h host-h host-f
    192 check_hashed_find host-h "find simple in hashed" $OBJ/kh.hosts
    193 
    194 # Test remove
    195 cp $OBJ/kh.hashed.orig $OBJ/kh.hashed
    196 ${SSHKEYGEN} -qf $OBJ/kh.hashed -R host-a 2>/dev/null
    197 ${SSHKEYGEN} -qf $OBJ/kh.hashed -F host-a && fail "found key after hashed remove"
    198