authordes <des@FreeBSD.org>2014-01-31 13:12:02 +0000
committerdes <des@FreeBSD.org>2014-01-31 13:12:02 +0000
commit7573e91b127f1c198210fd345d3ca198b598cfc6 (patch)
treed32fb61cec38c52314210c3459fd436685dacdba /crypto/openssh/regress
parentc692973c992c321bb10e631f572fab1500ae5b0e (diff)
parent45d0197dd79eceffb5bbc29f75199eb09af5a5f9 (diff)
Upgrade to OpenSSH 6.5p1.
Diffstat (limited to 'crypto/openssh/regress')
-rw-r--r--crypto/openssh/regress/Makefile20
-rw-r--r--crypto/openssh/regress/agent-ptrace.sh12
-rw-r--r--crypto/openssh/regress/agent.sh34
-rwxr-xr-xcrypto/openssh/regress/cert-hostkey.sh60
-rwxr-xr-xcrypto/openssh/regress/cert-userkey.sh31
-rw-r--r--crypto/openssh/regress/cipher-speed.sh23
-rwxr-xr-xcrypto/openssh/regress/forward-control.sh2
-rwxr-xr-xcrypto/openssh/regress/integrity.sh24
-rwxr-xr-xcrypto/openssh/regress/kextype.sh14
-rwxr-xr-xcrypto/openssh/regress/keytype.sh16
-rwxr-xr-xcrypto/openssh/regress/krl.sh5
-rwxr-xr-xcrypto/openssh/regress/modpipe.c6
-rw-r--r--crypto/openssh/regress/rekey.sh63
-rw-r--r--crypto/openssh/regress/scp-ssh-wrapper.sh6
-rw-r--r--crypto/openssh/regress/scp.sh1
-rw-r--r--crypto/openssh/regress/setuid-allowed.c56
-rw-r--r--crypto/openssh/regress/sftp-perm.sh269
-rw-r--r--crypto/openssh/regress/test-exec.sh21
-rw-r--r--crypto/openssh/regress/try-ciphers.sh31
19 files changed, 526 insertions, 168 deletions
diff --git a/crypto/openssh/regress/Makefile b/crypto/openssh/regress/Makefile
index ab2a6ae..0c66b17 100644
--- a/crypto/openssh/regress/Makefile
+++ b/crypto/openssh/regress/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.65 2013/04/18 02:46:12 djm Exp $
+# $OpenBSD: Makefile,v 1.67 2013/12/06 13:52:46 markus Exp $
-REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec
+REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec
tests: $(REGRESS_TARGETS)
# Interop tests are not run by default
@@ -44,6 +44,7 @@ LTESTS= connect \
sftp-badcmds \
sftp-batch \
sftp-glob \
+ sftp-perm \
reconfigure \
dynamic-forward \
forwarding \
@@ -72,7 +73,7 @@ INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
USER!= id -un
CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
- t8.out t8.out.pub t9.out t9.out.pub \
+ t8.out t8.out.pub t9.out t9.out.pub t10.out t10.out.pub \
authorized_keys_${USER} known_hosts pidfile testdata \
ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \
rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
@@ -86,7 +87,10 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
authorized_principals_${USER} expect actual ready \
sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \
ssh.log failed-ssh.log sshd.log failed-sshd.log \
- regress.log failed-regress.log ssh-log-wrapper.sh
+ regress.log failed-regress.log ssh-log-wrapper.sh \
+ sftp-server.sh sftp-server.log sftp.log setuid-allowed \
+ data ed25519-agent ed25519-agent.pub key.ed25519-512 \
+ key.ed25519-512.pub
SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER}
@@ -151,6 +155,14 @@ t9: $(OBJ)/t9.out
test "${TEST_SSH_ECC}" != yes || \
${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t9.out > /dev/null
+
+$(OBJ)/t10.out:
+ ${TEST_SSH_SSHKEYGEN} -q -t ed25519 -N '' -f $@
+
+t10: $(OBJ)/t10.out
+ ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t10.out > /dev/null
+ ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t10.out > /dev/null
+
t-exec: ${LTESTS:=.sh}
@if [ "x$?" = "x" ]; then exit 0; fi; \
for TEST in ""$?; do \
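Review bot: The `$(OBJ)/t10.out` recipe also creates `$(OBJ)/t10.out.pub` (both are added to CLEANFILES), but the `.pub` file is not the target of any rule, so make cannot track it and a deleted `.pub` on its own will never trigger regeneration; this presumably mirrors the existing t9 rule, whose definition is outside the hunk. If that pattern is kept for consistency, a comment on the new rule, `# ssh-keygen also writes $(OBJ)/t10.out.pub; both are listed in CLEANFILES`, would make the hidden output visible to the next reader. The t-exec recipe continues past the end of this hunk.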
diff --git a/crypto/openssh/regress/agent-ptrace.sh b/crypto/openssh/regress/agent-ptrace.sh
index 9f29464..ae15064 100644
--- a/crypto/openssh/regress/agent-ptrace.sh
+++ b/crypto/openssh/regress/agent-ptrace.sh
@@ -19,6 +19,13 @@ else
exit 0
fi
+if $OBJ/setuid-allowed ${SSHAGENT} ; then
+ : ok
+else
+ echo "skipped (${SSHAGENT} is mounted on a no-setuid filesystem)"
+ exit 0
+fi
+
if test -z "$SUDO" ; then
echo "skipped (SUDO not set)"
exit 0
@@ -38,8 +45,9 @@ else
gdb ${SSHAGENT} ${SSH_AGENT_PID} > ${OBJ}/gdb.out 2>&1 << EOF
quit
EOF
- if [ $? -ne 0 ]; then
- fail "gdb failed: exit code $?"
+ r=$?
+ if [ $r -ne 0 ]; then
+ fail "gdb failed: exit code $r"
fi
egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable to access task ' >/dev/null ${OBJ}/gdb.out
r=$?
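Review bot: The new guard `if $OBJ/setuid-allowed ${SSHAGENT}` treats any non-zero status as "mounted on a no-setuid filesystem", so if the helper was not built or is not executable (exit 127) the ptrace-protection test is skipped with a misleading message instead of failing. A `test -x $OBJ/setuid-allowed || fatal "setuid-allowed helper missing"` before the guard keeps a build problem from being reported as an expected skip. Whether `fatal` is already available at this point depends on test-exec.sh, which is outside this hunk.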
diff --git a/crypto/openssh/regress/agent.sh b/crypto/openssh/regress/agent.sh
index be7d913..cf1a45f 100644
--- a/crypto/openssh/regress/agent.sh
+++ b/crypto/openssh/regress/agent.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
+# $OpenBSD: agent.sh,v 1.9 2013/12/06 13:52:46 markus Exp $
# Placed in the Public Domain.
tid="simple agent test"
@@ -20,7 +20,7 @@ else
fi
trace "overwrite authorized keys"
printf '' > $OBJ/authorized_keys_$USER
- for t in rsa rsa1; do
+ for t in ed25519 rsa rsa1; do
# generate user key for agent
rm -f $OBJ/$t-agent
${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
@@ -34,40 +34,46 @@ else
fi
done
${SSHADD} -l > /dev/null 2>&1
- if [ $? -ne 0 ]; then
- fail "ssh-add -l failed: exit code $?"
+ r=$?
+ if [ $r -ne 0 ]; then
+ fail "ssh-add -l failed: exit code $r"
fi
# the same for full pubkey output
${SSHADD} -L > /dev/null 2>&1
- if [ $? -ne 0 ]; then
- fail "ssh-add -L failed: exit code $?"
+ r=$?
+ if [ $r -ne 0 ]; then
+ fail "ssh-add -L failed: exit code $r"
fi
trace "simple connect via agent"
for p in 1 2; do
${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p
- if [ $? -ne 5$p ]; then
- fail "ssh connect with protocol $p failed (exit code $?)"
+ r=$?
+ if [ $r -ne 5$p ]; then
+ fail "ssh connect with protocol $p failed (exit code $r)"
fi
done
trace "agent forwarding"
for p in 1 2; do
${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
- if [ $? -ne 0 ]; then
- fail "ssh-add -l via agent fwd proto $p failed (exit code $?)"
+ r=$?
+ if [ $r -ne 0 ]; then
+ fail "ssh-add -l via agent fwd proto $p failed (exit code $r)"
fi
${SSH} -A -$p -F $OBJ/ssh_proxy somehost \
"${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p"
- if [ $? -ne 5$p ]; then
- fail "agent fwd proto $p failed (exit code $?)"
+ r=$?
+ if [ $r -ne 5$p ]; then
+ fail "agent fwd proto $p failed (exit code $r)"
fi
done
trace "delete all agent keys"
${SSHADD} -D > /dev/null 2>&1
- if [ $? -ne 0 ]; then
- fail "ssh-add -D failed: exit code $?"
+ r=$?
+ if [ $r -ne 0 ]; then
+ fail "ssh-add -D failed: exit code $r"
fi
trace "kill agent"
diff --git a/crypto/openssh/regress/cert-hostkey.sh b/crypto/openssh/regress/cert-hostkey.sh
index 35cd392..a1318cd 100755
--- a/crypto/openssh/regress/cert-hostkey.sh
+++ b/crypto/openssh/regress/cert-hostkey.sh
@@ -1,14 +1,8 @@
-# $OpenBSD: cert-hostkey.sh,v 1.7 2013/05/17 00:37:40 dtucker Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.8 2013/12/06 13:52:46 markus Exp $
# Placed in the Public Domain.
tid="certified host keys"
-# used to disable ECC based tests on platforms without ECC
-ecdsa=""
-if test "x$TEST_SSH_ECC" = "xyes"; then
- ecdsa=ecdsa
-fi
-
rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
@@ -23,8 +17,17 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\
cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert
+PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
+
+type_has_legacy() {
+ case $1 in
+ ed25519*|ecdsa*) return 1 ;;
+ esac
+ return 0
+}
+
# Generate and sign host keys
-for ktype in rsa dsa $ecdsa ; do
+for ktype in $PLAIN_TYPES ; do
verbose "$tid: sign host ${ktype} cert"
# Generate and sign a host key
${SSHKEYGEN} -q -N '' -t ${ktype} \
@@ -34,10 +37,10 @@ for ktype in rsa dsa $ecdsa ; do
-I "regress host key for $USER" \
-n $HOSTS $OBJ/cert_host_key_${ktype} ||
fail "couldn't sign cert_host_key_${ktype}"
- # v00 ecdsa certs do not exist
- test "${ktype}" = "ecdsa" && continue
+ type_has_legacy $ktype || continue
cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
+ verbose "$tid: sign host ${ktype}_v00 cert"
${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
-I "regress host key for $USER" \
-n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
@@ -46,7 +49,7 @@ done
# Basic connect tests
for privsep in yes no ; do
- for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
+ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
verbose "$tid: host ${ktype} cert connect privsep $privsep"
(
cat $OBJ/sshd_proxy_bak
@@ -69,26 +72,13 @@ done
printf '@cert-authority '
printf "$HOSTS "
cat $OBJ/host_ca_key.pub
- printf '@revoked '
- printf "* "
- cat $OBJ/cert_host_key_rsa.pub
- if test "x$TEST_SSH_ECC" = "xyes"; then
- printf '@revoked '
- printf "* "
- cat $OBJ/cert_host_key_ecdsa.pub
- fi
- printf '@revoked '
- printf "* "
- cat $OBJ/cert_host_key_dsa.pub
- printf '@revoked '
- printf "* "
- cat $OBJ/cert_host_key_rsa_v00.pub
- printf '@revoked '
- printf "* "
- cat $OBJ/cert_host_key_dsa_v00.pub
+ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
+ test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
+ printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
+ done
) > $OBJ/known_hosts-cert
for privsep in yes no ; do
- for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
+ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
verbose "$tid: host ${ktype} revoked cert privsep $privsep"
(
cat $OBJ/sshd_proxy_bak
@@ -115,7 +105,7 @@ done
printf "* "
cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert
-for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
+for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
verbose "$tid: host ${ktype} revoked cert"
(
cat $OBJ/sshd_proxy_bak
@@ -186,9 +176,8 @@ test_one "cert has constraints" failure "-h -Oforce-command=false"
# Check downgrade of cert to raw key when no CA found
for v in v01 v00 ; do
- for ktype in rsa dsa $ecdsa ; do
- # v00 ecdsa certs do not exist.
- test "${v}${ktype}" = "v00ecdsa" && continue
+ for ktype in $PLAIN_TYPES ; do
+ type_has_legacy $ktype || continue
rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
# Generate and sign a host key
@@ -225,9 +214,8 @@ done
cat $OBJ/host_ca_key.pub
) > $OBJ/known_hosts-cert
for v in v01 v00 ; do
- for kt in rsa dsa $ecdsa ; do
- # v00 ecdsa certs do not exist.
- test "${v}${ktype}" = "v00ecdsa" && continue
+ for kt in $PLAIN_TYPES ; do
+ type_has_legacy $kt || continue
rm -f $OBJ/cert_host_key*
# Self-sign key
${SSHKEYGEN} -q -N '' -t ${kt} \
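Review bot: In the revoked-keys hunk, `printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"` places the public-key text inside the printf format string, so a `%` or backslash in the key's comment field (ssh-keygen fills it with user@host by default) would be interpreted rather than written verbatim. `printf '@revoked * %s\n' "`cat $OBJ/cert_host_key_${ktype}.pub`"` writes the key as data instead. A smaller inconsistency: the sed building `PLAIN_TYPES` uses a `g` flag here but not in cert-userkey.sh; with the `^` anchor it makes no difference, but the two scripts could be kept identical.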
diff --git a/crypto/openssh/regress/cert-userkey.sh b/crypto/openssh/regress/cert-userkey.sh
index 6018b38..b093a91 100755
--- a/crypto/openssh/regress/cert-userkey.sh
+++ b/crypto/openssh/regress/cert-userkey.sh
@@ -1,23 +1,26 @@
-# $OpenBSD: cert-userkey.sh,v 1.11 2013/05/17 00:37:40 dtucker Exp $
+# $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $
# Placed in the Public Domain.
tid="certified user keys"
-# used to disable ECC based tests on platforms without ECC
-ecdsa=""
-if test "x$TEST_SSH_ECC" = "xyes"; then
- ecdsa=ecdsa
-fi
-
rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
+
+type_has_legacy() {
+ case $1 in
+ ed25519*|ecdsa*) return 1 ;;
+ esac
+ return 0
+}
+
# Create a CA key
${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
fail "ssh-keygen of user_ca_key failed"
# Generate and sign user keys
-for ktype in rsa dsa $ecdsa ; do
+for ktype in $PLAIN_TYPES ; do
verbose "$tid: sign user ${ktype} cert"
${SSHKEYGEN} -q -N '' -t ${ktype} \
-f $OBJ/cert_user_key_${ktype} || \
@@ -25,18 +28,18 @@ for ktype in rsa dsa $ecdsa ; do
${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}"
- # v00 ecdsa certs do not exist
- test "${ktype}" = "ecdsa" && continue
+ type_has_legacy $ktype || continue
cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
+ verbose "$tid: sign host ${ktype}_v00 cert"
${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
"regress user key for $USER" \
-n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
- fail "couldn't sign cert_user_key_${ktype}_v00"
+ fatal "couldn't sign cert_user_key_${ktype}_v00"
done
# Test explicitly-specified principals
-for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
+for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
for privsep in yes no ; do
_prefix="${ktype} privsep $privsep"
@@ -162,7 +165,7 @@ basic_tests() {
extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
fi
- for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
+ for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
for privsep in yes no ; do
_prefix="${ktype} privsep $privsep $auth"
# Simple connect
@@ -332,7 +335,7 @@ test_one "principals key option no principals" failure "" \
# Wrong certificate
cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
+for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do
case $ktype in
*_v00) args="-t v00" ;;
*) args="" ;;
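Review bot: The added progress line `verbose "$tid: sign host ${ktype}_v00 cert"` in the v00 signing loop says "host" in a script that signs user keys; it looks copied from cert-hostkey.sh and should read `verbose "$tid: sign user ${ktype}_v00 cert"` to match the `sign user ${ktype} cert` line earlier in the same loop. The same hunk upgrades the v00 signing failure from `fail` to `fatal`, which fits, since every later test iterates over `rsa_v00 dsa_v00` and depends on those keys existing.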
diff --git a/crypto/openssh/regress/cipher-speed.sh b/crypto/openssh/regress/cipher-speed.sh
index 489d9f5..a6d53a7 100644
--- a/crypto/openssh/regress/cipher-speed.sh
+++ b/crypto/openssh/regress/cipher-speed.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cipher-speed.sh,v 1.9 2013/05/17 04:29:14 dtucker Exp $
+# $OpenBSD: cipher-speed.sh,v 1.11 2013/11/21 03:18:51 djm Exp $
# Placed in the Public Domain.
tid="cipher speed"
@@ -11,18 +11,7 @@ getbytes ()
tries="1 2"
-ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
- arcfour128 arcfour256 arcfour
- aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
- aes128-ctr aes192-ctr aes256-ctr"
-config_defined OPENSSL_HAVE_EVPGCM && \
- ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com"
-macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
- hmac-sha1-96 hmac-md5-96"
-config_defined HAVE_EVP_SHA256 && \
- macs="$macs hmac-sha2-256 hmac-sha2-512"
-
-for c in $ciphers; do n=0; for m in $macs; do
+for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do
trace "proto 2 cipher $c mac $m"
for x in $tries; do
printf "%-60s" "$c/$m:"
@@ -35,10 +24,10 @@ for c in $ciphers; do n=0; for m in $macs; do
fail "ssh -2 failed with mac $m cipher $c"
fi
done
- # No point trying all MACs for GCM since they are ignored.
- case $c in
- aes*-gcm@openssh.com) test $n -gt 0 && break;;
- esac
+ # No point trying all MACs for AEAD ciphers since they are ignored.
+ if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then
+ break
+ fi
n=`expr $n + 1`
done; done
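Review bot: `if ssh -Q cipher-auth | grep "^${c}\$"` runs whatever `ssh` is first on PATH rather than the binary under test, while every other invocation in the script goes through `${SSH}` (and rekey.sh in this same commit uses `${SSH} -Q cipher-auth`). If the system ssh lacks `-Q` its stdout is empty, the grep never matches and the AEAD shortcut silently never fires; if it is a different version its cipher-auth list need not match the tested build's. Change it to `${SSH} -Q cipher-auth`; the same bare `ssh` appears in the corresponding hunks of integrity.sh and try-ciphers.sh. Separately, the `-Q`-driven loops here and in kextype.sh, integrity.sh and try-ciphers.sh run zero iterations and report success if the query produces no output, so a guard such as `test -n "`${SSH} -Q cipher`" || fatal "ssh -Q cipher returned nothing"`, in the spirit of rekey.sh's `grep '^.*$'` check on cipher-auth, would prevent a vacuous pass.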
diff --git a/crypto/openssh/regress/forward-control.sh b/crypto/openssh/regress/forward-control.sh
index 80ddb41..7f7d105 100755
--- a/crypto/openssh/regress/forward-control.sh
+++ b/crypto/openssh/regress/forward-control.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: forward-control.sh,v 1.1 2012/12/02 20:47:48 djm Exp $
+# $OpenBSD: forward-control.sh,v 1.2 2013/11/18 05:09:32 naddy Exp $
# Placed in the Public Domain.
tid="sshd control of local and remote forwarding"
diff --git a/crypto/openssh/regress/integrity.sh b/crypto/openssh/regress/integrity.sh
index 1d17fe1..852d826 100755
--- a/crypto/openssh/regress/integrity.sh
+++ b/crypto/openssh/regress/integrity.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: integrity.sh,v 1.10 2013/05/17 01:32:11 dtucker Exp $
+# $OpenBSD: integrity.sh,v 1.12 2013/11/21 03:18:51 djm Exp $
# Placed in the Public Domain.
tid="integrity"
@@ -8,18 +8,10 @@ tid="integrity"
# XXX and ssh tries to read...
tries=10
startoffset=2900
-macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
- hmac-sha1-96 hmac-md5-96
- hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com
- umac-64-etm@openssh.com umac-128-etm@openssh.com
- hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com"
-config_defined HAVE_EVP_SHA256 &&
- macs="$macs hmac-sha2-256 hmac-sha2-512
- hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
+macs=`${SSH} -Q mac`
# The following are not MACs, but ciphers with integrated integrity. They are
# handled specially below.
-config_defined OPENSSL_HAVE_EVPGCM && \
- macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com"
+macs="$macs `${SSH} -Q cipher-auth`"
# avoid DH group exchange as the extra traffic makes it harder to get the
# offset into the stream right.
@@ -44,12 +36,14 @@ for m in $macs; do
fi
# modify output from sshd at offset $off
pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1"
- case $m in
- aes*gcm*) macopt="-c $m";;
- *) macopt="-m $m";;
- esac
+ if ssh -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then
+ macopt="-c $m"
+ else
+ macopt="-m $m -c aes128-ctr"
+ fi
verbose "test $tid: $m @$off"
${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
+ -oServerAliveInterval=1 -oServerAliveCountMax=30 \
999.999.999.999 'printf "%4096s" " "' >/dev/null
if [ $? -eq 0 ]; then
fail "ssh -m $m succeeds with bit-flip at $off"
diff --git a/crypto/openssh/regress/kextype.sh b/crypto/openssh/regress/kextype.sh
index 79c0817..8c2ac09 100755
--- a/crypto/openssh/regress/kextype.sh
+++ b/crypto/openssh/regress/kextype.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: kextype.sh,v 1.1 2010/09/22 12:26:05 djm Exp $
+# $OpenBSD: kextype.sh,v 1.4 2013/11/07 04:26:56 dtucker Exp $
# Placed in the Public Domain.
tid="login with different key exchange algorithms"
@@ -7,18 +7,8 @@ TIME=/usr/bin/time
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
-if test "$TEST_SSH_ECC" = "yes"; then
- kextypes="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521"
-fi
-if test "$TEST_SSH_SHA256" = "yes"; then
- kextypes="$kextypes diffie-hellman-group-exchange-sha256"
-fi
-kextypes="$kextypes diffie-hellman-group-exchange-sha1"
-kextypes="$kextypes diffie-hellman-group14-sha1"
-kextypes="$kextypes diffie-hellman-group1-sha1"
-
tries="1 2 3 4"
-for k in $kextypes; do
+for k in `${SSH} -Q kex`; do
verbose "kex $k"
for i in $tries; do
${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
diff --git a/crypto/openssh/regress/keytype.sh b/crypto/openssh/regress/keytype.sh
index 59586bf..9752acb 100755
--- a/crypto/openssh/regress/keytype.sh
+++ b/crypto/openssh/regress/keytype.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: keytype.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $
+# $OpenBSD: keytype.sh,v 1.3 2013/12/06 13:52:46 markus Exp $
# Placed in the Public Domain.
tid="login with different key types"
@@ -11,10 +11,16 @@ fi
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
-ktypes="dsa-1024 rsa-2048 rsa-3072"
-if test "$TEST_SSH_ECC" = "yes"; then
- ktypes="$ktypes ecdsa-256 ecdsa-384 ecdsa-521"
-fi
+# Traditional and builtin key types.
+ktypes="dsa-1024 rsa-2048 rsa-3072 ed25519-512"
+# Types not present in all OpenSSL versions.
+for i in `$SSH -Q key`; do
+ case "$i" in
+ ecdsa-sha2-nistp256) ktypes="$ktypes ecdsa-256" ;;
+ ecdsa-sha2-nistp384) ktypes="$ktypes ecdsa-384" ;;
+ ecdsa-sha2-nistp521) ktypes="$ktypes ecdsa-521" ;;
+ esac
+done
for kt in $ktypes; do
rm -f $OBJ/key.$kt
diff --git a/crypto/openssh/regress/krl.sh b/crypto/openssh/regress/krl.sh
index de9cc87..0924637 100755
--- a/crypto/openssh/regress/krl.sh
+++ b/crypto/openssh/regress/krl.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $
+# $OpenBSD: krl.sh,v 1.2 2013/11/21 03:15:46 djm Exp $
# Placed in the Public Domain.
tid="key revocation lists"
@@ -101,6 +101,9 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
>/dev/null || fatal "$SSHKEYGEN KRL failed"
}
+## XXX dump with trace and grep for set cert serials
+## XXX test ranges near (u64)-1, etc.
+
verbose "$tid: generating KRLs"
genkrls
diff --git a/crypto/openssh/regress/modpipe.c b/crypto/openssh/regress/modpipe.c
index 85747cf..e854f9e 100755
--- a/crypto/openssh/regress/modpipe.c
+++ b/crypto/openssh/regress/modpipe.c
@@ -14,7 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $OpenBSD: modpipe.c,v 1.5 2013/05/10 03:46:14 djm Exp $ */
+/* $OpenBSD: modpipe.c,v 1.6 2013/11/21 03:16:47 djm Exp $ */
#include "includes.h"
@@ -68,7 +68,7 @@ usage(void)
#define MAX_MODIFICATIONS 256
struct modification {
enum { MOD_XOR, MOD_AND_OR } what;
- u_int64_t offset;
+ unsigned long long offset;
u_int8_t m1, m2;
};
@@ -79,7 +79,7 @@ parse_modification(const char *s, struct modification *m)
int n, m1, m2;
bzero(m, sizeof(*m));
- if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%i%*[:]%i",
+ if ((n = sscanf(s, "%16[^:]%*[:]%llu%*[:]%i%*[:]%i",
what, &m->offset, &m1, &m2)) < 3)
errx(1, "Invalid modification spec \"%s\"", s);
if (strcasecmp(what, "xor") == 0) {
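Review bot: Switching the conversion to `%llu` does not reject a negative offset: the C standard's `u` conversion matches an optionally signed decimal integer and converts it as `strtoull` would, so a spec like `xor:-1:1` still parses and yields a huge wrapped offset instead of tripping the `n < 3` check. If negative offsets are meant to be invalid, parse the offset field separately (or inspect the character after the first `:` before calling sscanf) and reject a leading `-` with the same `errx(1, "Invalid modification spec ...")` path; otherwise a short comment on the sscanf line noting that a sign is accepted and wraps would save the next reader the surprise. parse_modification continues outside the hunk, and `what` is declared before it.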
diff --git a/crypto/openssh/regress/rekey.sh b/crypto/openssh/regress/rekey.sh
index 8eb7efa..cf9401e 100644
--- a/crypto/openssh/regress/rekey.sh
+++ b/crypto/openssh/regress/rekey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: rekey.sh,v 1.8 2013/05/17 04:29:14 dtucker Exp $
+# $OpenBSD: rekey.sh,v 1.14 2013/11/21 03:18:51 djm Exp $
# Placed in the Public Domain.
tid="rekey"
@@ -7,34 +7,67 @@ LOG=${TEST_SSH_LOGFILE}
rm -f ${LOG}
-for s in 16 1k 128k 256k; do
- verbose "client rekeylimit ${s}"
+# Test rekeying based on data volume only.
+# Arguments will be passed to ssh.
+ssh_data_rekeying()
+{
rm -f ${COPY} ${LOG}
- cat $DATA | \
- ${SSH} -oCompression=no -oRekeyLimit=$s \
- -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
+ ${SSH} <${DATA} -oCompression=no $@ -v -F $OBJ/ssh_proxy somehost \
+ "cat > ${COPY}"
if [ $? -ne 0 ]; then
- fail "ssh failed"
+ fail "ssh failed ($@)"
fi
- cmp $DATA ${COPY} || fail "corrupted copy"
+ cmp ${DATA} ${COPY} || fail "corrupted copy ($@)"
n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
n=`expr $n - 1`
trace "$n rekeying(s)"
if [ $n -lt 1 ]; then
- fail "no rekeying occured"
+ fail "no rekeying occured ($@)"
fi
+}
+
+increase_datafile_size 300
+
+opts=""
+for i in `${SSH} -Q kex`; do
+ opts="$opts KexAlgorithms=$i"
+done
+for i in `${SSH} -Q cipher`; do
+ opts="$opts Ciphers=$i"
+done
+for i in `${SSH} -Q mac`; do
+ opts="$opts MACs=$i"
+done
+
+for opt in $opts; do
+ verbose "client rekey $opt"
+ ssh_data_rekeying -oRekeyLimit=256k -o$opt
+done
+
+# AEAD ciphers are magical so test with all KexAlgorithms
+if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
+ for c in `${SSH} -Q cipher-auth`; do
+ for kex in `${SSH} -Q kex`; do
+ verbose "client rekey $c $kex"
+ ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex
+ done
+ done
+fi
+
+for s in 16 1k 128k 256k; do
+ verbose "client rekeylimit ${s}"
+ ssh_data_rekeying -oCompression=no -oRekeyLimit=$s
done
for s in 5 10; do
verbose "client rekeylimit default ${s}"
rm -f ${COPY} ${LOG}
- cat $DATA | \
- ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
- $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
+ ${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \
+ $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
if [ $? -ne 0 ]; then
fail "ssh failed"
fi
- cmp $DATA ${COPY} || fail "corrupted copy"
+ cmp ${DATA} ${COPY} || fail "corrupted copy"
n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
n=`expr $n - 1`
trace "$n rekeying(s)"
@@ -98,10 +131,10 @@ for size in 16 1k 1K 1m 1M 1g 1G; do
awk '/rekeylimit/{print $3}'`
if [ "$bytes" != "$b" ]; then
- fatal "rekeylimit size: expected $bytes got $b"
+ fatal "rekeylimit size: expected $bytes bytes got $b"
fi
if [ "$seconds" != "$s" ]; then
- fatal "rekeylimit time: expected $time got $s"
+ fatal "rekeylimit time: expected $time seconds got $s"
fi
done
done
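Review bot: Inside `ssh_data_rekeying` the argument list is expanded as bare `$@` on the ssh command line, so an option containing whitespace, such as the `-oRekeyLimit="default $s"` form used later in the same file (which is deliberately not routed through the helper), would be word-split if anyone reused the helper for it. Quoting it as `"$@"` on the ssh line keeps the helper safe for such options; inside the `fail "... ($@)"` strings `$*` is the right form. Also, the call `ssh_data_rekeying -oCompression=no -oRekeyLimit=$s` passes `-oCompression=no` a second time, since the helper already adds it.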
diff --git a/crypto/openssh/regress/scp-ssh-wrapper.sh b/crypto/openssh/regress/scp-ssh-wrapper.sh
index d1005a9..c63bc2b 100644
--- a/crypto/openssh/regress/scp-ssh-wrapper.sh
+++ b/crypto/openssh/regress/scp-ssh-wrapper.sh
@@ -17,7 +17,7 @@ printname () {
}
# Discard all but last argument. We use arg later.
-while test "$1" != ""; do
+while test "x$1" != "x"; do
arg="$1"
shift
done
@@ -52,6 +52,8 @@ badserver_4)
echo "X"
;;
*)
- exec $arg
+ set -- $arg
+ shift
+ exec $SCP "$@"
;;
esac
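Review bot: `exec $SCP "$@"` depends on `SCP` being present in the wrapper's environment (scp.sh adds `export SCP` in this commit); if it is empty, `exec` runs the first remote argument, typically an option such as `-t`, as the command, and the resulting failure looks like a bad-server case rather than a harness problem. A guard `: "${SCP:?SCP not exported to scp-ssh-wrapper}"` before the `set --` makes the dependency explicit and fails with a clear message. The `set -- $arg` word-splitting of the remote command line is intentional here, so a one-line comment stating that the remote `scp` is being replaced by the build under test would help.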
diff --git a/crypto/openssh/regress/scp.sh b/crypto/openssh/regress/scp.sh
index 29c5b35..c2da2a8 100644
--- a/crypto/openssh/regress/scp.sh
+++ b/crypto/openssh/regress/scp.sh
@@ -20,6 +20,7 @@ SRC=`dirname ${SCRIPT}`
cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp
chmod 755 ${OBJ}/scp-ssh-wrapper.scp
scpopts="-q -S ${OBJ}/scp-ssh-wrapper.scp"
+export SCP # used in scp-ssh-wrapper.scp
scpclean() {
rm -rf ${COPY} ${COPY2} ${DIR} ${DIR2}
diff --git a/crypto/openssh/regress/setuid-allowed.c b/crypto/openssh/regress/setuid-allowed.c
new file mode 100644
index 0000000..37b7dc8
--- /dev/null
+++ b/crypto/openssh/regress/setuid-allowed.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $OpenBSD$ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#ifdef HAVE_SYS_STATVFS_H
+# include <sys/statvfs.h>
+#endif
+#include <stdio.h>
+#include <errno.h>
+
+void
+usage(void)
+{
+ fprintf(stderr, "check-setuid [path]\n");
+ exit(1);
+}
+
+int
+main(int argc, char **argv)
+{
+ const char *path = ".";
+ struct statvfs sb;
+
+ if (argc > 2)
+ usage();
+ else if (argc == 2)
+ path = argv[1];
+
+ if (statvfs(path, &sb) != 0) {
+ /* Don't return an error if the host doesn't support statvfs */
+ if (errno == ENOSYS)
+ return 0;
+ fprintf(stderr, "statvfs for \"%s\" failed: %s\n",
+ path, strerror(errno));
+ }
+ return (sb.f_flag & ST_NOSUID) ? 1 : 0;
+}
+
+
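Review bot: When `statvfs()` fails with anything other than ENOSYS, `main` prints the error and then falls through to `return (sb.f_flag & ST_NOSUID) ? 1 : 0;`, reading a `struct statvfs` that was never filled in, so the exit status that agent-ptrace.sh uses to decide whether to run the ptrace test is undefined. Add `return 0;` after the `fprintf` (matching the ENOSYS branch, so an undeterminable mount still lets the test run while the diagnostic stays visible), or a distinct non-zero code if callers should treat it as a skip. Two smaller points: the usage text says `check-setuid` while the program is built and invoked as `setuid-allowed`, and `exit()`/`strerror()` rely on `includes.h` pulling in `<stdlib.h>` and `<string.h>` rather than including them here.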
diff --git a/crypto/openssh/regress/sftp-perm.sh b/crypto/openssh/regress/sftp-perm.sh
new file mode 100644
index 0000000..304ca0a
--- /dev/null
+++ b/crypto/openssh/regress/sftp-perm.sh
@@ -0,0 +1,269 @@
+# $OpenBSD: sftp-perm.sh,v 1.2 2013/10/17 22:00:18 djm Exp $
+# Placed in the Public Domain.
+
+tid="sftp permissions"
+
+SERVER_LOG=${OBJ}/sftp-server.log
+CLIENT_LOG=${OBJ}/sftp.log
+TEST_SFTP_SERVER=${OBJ}/sftp-server.sh
+
+prepare_server() {
+ printf "#!/bin/sh\nexec $SFTPSERVER -el debug3 $* 2>$SERVER_LOG\n" \
+ > $TEST_SFTP_SERVER
+ chmod a+x $TEST_SFTP_SERVER
+}
+
+run_client() {
+ echo "$@" | ${SFTP} -D ${TEST_SFTP_SERVER} -vvvb - >$CLIENT_LOG 2>&1
+}
+
+prepare_files() {
+ _prep="$1"
+ rm -f ${COPY} ${COPY}.1
+ test -d ${COPY}.dd && { rmdir ${COPY}.dd || fatal "rmdir ${COPY}.dd"; }
+ test -z "$_prep" && return
+ sh -c "$_prep" || fail "preparation failed: \"$_prep\""
+}
+
+postcondition() {
+ _title="$1"
+ _check="$2"
+ test -z "$_check" && return
+ ${TEST_SHELL} -c "$_check" || fail "postcondition check failed: $_title"
+}
+
+ro_test() {
+ _desc=$1
+ _cmd="$2"
+ _prep="$3"
+ _expect_success_post="$4"
+ _expect_fail_post="$5"
+ verbose "$tid: read-only $_desc"
+ # Plain (no options, mostly to test that _cmd is good)
+ prepare_files "$_prep"
+ prepare_server
+ run_client "$_cmd" || fail "plain $_desc failed"
+ postcondition "$_desc no-readonly" "$_expect_success_post"
+ # Read-only enabled
+ prepare_files "$_prep"
+ prepare_server -R
+ run_client "$_cmd" && fail "read-only $_desc succeeded"
+ postcondition "$_desc readonly" "$_expect_fail_post"
+}
+
+perm_test() {
+ _op=$1
+ _whitelist_ops=$2
+ _cmd="$3"
+ _prep="$4"
+ _expect_success_post="$5"
+ _expect_fail_post="$6"
+ verbose "$tid: explicit $_op"
+ # Plain (no options, mostly to test that _cmd is good)
+ prepare_files "$_prep"
+ prepare_server
+ run_client "$_cmd" || fail "plain $_op failed"
+ postcondition "$_op no white/blacklists" "$_expect_success_post"
+ # Whitelist
+ prepare_files "$_prep"
+ prepare_server -p $_op,$_whitelist_ops
+ run_client "$_cmd" || fail "whitelisted $_op failed"
+ postcondition "$_op whitelisted" "$_expect_success_post"
+ # Blacklist
+ prepare_files "$_prep"
+ prepare_server -P $_op
+ run_client "$_cmd" && fail "blacklisted $_op succeeded"
+ postcondition "$_op blacklisted" "$_expect_fail_post"
+ # Whitelist with op missing.
+ prepare_files "$_prep"
+ prepare_server -p $_whitelist_ops
+ run_client "$_cmd" && fail "no whitelist $_op succeeded"
+ postcondition "$_op not in whitelist" "$_expect_fail_post"
+}
+
+ro_test \
+ "upload" \
+ "put $DATA $COPY" \
+ "" \
+ "cmp $DATA $COPY" \
+ "test ! -f $COPY"
+
+ro_test \
+ "setstat" \
+ "chmod 0700 $COPY" \
+ "touch $COPY; chmod 0400 $COPY" \
+ "test -x $COPY" \
+ "test ! -x $COPY"
+
+ro_test \
+ "rm" \
+ "rm $COPY" \
+ "touch $COPY" \
+ "test ! -f $COPY" \
+ "test -f $COPY"
+
+ro_test \
+ "mkdir" \
+ "mkdir ${COPY}.dd" \
+ "" \
+ "test -d ${COPY}.dd" \
+ "test ! -d ${COPY}.dd"
+
+ro_test \
+ "rmdir" \
+ "rmdir ${COPY}.dd" \
+ "mkdir ${COPY}.dd" \
+ "test ! -d ${COPY}.dd" \
+ "test -d ${COPY}.dd"
+
+ro_test \
+ "posix-rename" \
+ "rename $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -f ${COPY}.1 -a ! -f $COPY" \
+ "test -f $COPY -a ! -f ${COPY}.1"
+
+ro_test \
+ "oldrename" \
+ "rename -l $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -f ${COPY}.1 -a ! -f $COPY" \
+ "test -f $COPY -a ! -f ${COPY}.1"
+
+ro_test \
+ "symlink" \
+ "ln -s $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -h ${COPY}.1" \
+ "test ! -h ${COPY}.1"
+
+ro_test \
+ "hardlink" \
+ "ln $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -f ${COPY}.1" \
+ "test ! -f ${COPY}.1"
+
+# Test explicit permissions
+
+perm_test \
+ "open" \
+ "realpath,stat,lstat,read,close" \
+ "get $DATA $COPY" \
+ "" \
+ "cmp $DATA $COPY" \
+ "! cmp $DATA $COPY 2>/dev/null"
+
+perm_test \
+ "read" \
+ "realpath,stat,lstat,open,close" \
+ "get $DATA $COPY" \
+ "" \
+ "cmp $DATA $COPY" \
+ "! cmp $DATA $COPY 2>/dev/null"
+
+perm_test \
+ "write" \
+ "realpath,stat,lstat,open,close" \
+ "put $DATA $COPY" \
+ "" \
+ "cmp $DATA $COPY" \
+ "! cmp $DATA $COPY 2>/dev/null"
+
+perm_test \
+ "lstat" \
+ "realpath,stat,open,read,close" \
+ "get $DATA $COPY" \
+ "" \
+ "cmp $DATA $COPY" \
+ "! cmp $DATA $COPY 2>/dev/null"
+
+perm_test \
+ "opendir" \
+ "realpath,readdir,stat,lstat" \
+ "ls -ln $OBJ"
+
+perm_test \
+ "readdir" \
+ "realpath,opendir,stat,lstat" \
+ "ls -ln $OBJ"
+
+perm_test \
+ "setstat" \
+ "realpath,stat,lstat" \
+ "chmod 0700 $COPY" \
+ "touch $COPY; chmod 0400 $COPY" \
+ "test -x $COPY" \
+ "test ! -x $COPY"
+
+perm_test \
+ "remove" \
+ "realpath,stat,lstat" \
+ "rm $COPY" \
+ "touch $COPY" \
+ "test ! -f $COPY" \
+ "test -f $COPY"
+
+perm_test \
+ "mkdir" \
+ "realpath,stat,lstat" \
+ "mkdir ${COPY}.dd" \
+ "" \
+ "test -d ${COPY}.dd" \
+ "test ! -d ${COPY}.dd"
+
+perm_test \
+ "rmdir" \
+ "realpath,stat,lstat" \
+ "rmdir ${COPY}.dd" \
+ "mkdir ${COPY}.dd" \
+ "test ! -d ${COPY}.dd" \
+ "test -d ${COPY}.dd"
+
+perm_test \
+ "posix-rename" \
+ "realpath,stat,lstat" \
+ "rename $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -f ${COPY}.1 -a ! -f $COPY" \
+ "test -f $COPY -a ! -f ${COPY}.1"
+
+perm_test \
+ "rename" \
+ "realpath,stat,lstat" \
+ "rename -l $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -f ${COPY}.1 -a ! -f $COPY" \
+ "test -f $COPY -a ! -f ${COPY}.1"
+
+perm_test \
+ "symlink" \
+ "realpath,stat,lstat" \
+ "ln -s $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -h ${COPY}.1" \
+ "test ! -h ${COPY}.1"
+
+perm_test \
+ "hardlink" \
+ "realpath,stat,lstat" \
+ "ln $COPY ${COPY}.1" \
+ "touch $COPY" \
+ "test -f ${COPY}.1" \
+ "test ! -f ${COPY}.1"
+
+perm_test \
+ "statvfs" \
+ "realpath,stat,lstat" \
+ "df /"
+
+# XXX need good tests for:
+# fstat
+# fsetstat
+# realpath
+# stat
+# readlink
+# fstatvfs
+
+rm -rf ${COPY} ${COPY}.1 ${COPY}.dd
+
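Review bot: `prepare_files` runs the preparation command with `sh -c "$_prep"` while `postcondition` runs its check with `${TEST_SHELL} -c "$_check"`; the setup and the assertion for one test case (for example `chmod 0400 $COPY` and the later `test -x $COPY`) are thus evaluated by different interpreters. Using `${TEST_SHELL} -c "$_prep"` in `prepare_files` keeps them aligned; TEST_SHELL is presumably set by test-exec.sh, which is outside this diff, and if it can be unset the empty expansion would make `-c` the command name. A one-line comment above `prepare_server` saying that it regenerates the `$TEST_SFTP_SERVER` wrapper with the given sftp-server options on every call would also help, since each test case rewrites it several times.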
diff --git a/crypto/openssh/regress/test-exec.sh b/crypto/openssh/regress/test-exec.sh
index eee4462..aac8aa5 100644
--- a/crypto/openssh/regress/test-exec.sh
+++ b/crypto/openssh/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.46 2013/06/21 02:26:26 djm Exp $
+# $OpenBSD: test-exec.sh,v 1.47 2013/11/09 05:41:34 dtucker Exp $
# Placed in the Public Domain.
#SUDO=sudo
@@ -133,7 +133,12 @@ fi
# Path to sshd must be absolute for rexec
case "$SSHD" in
/*) ;;
-*) SSHD=`which sshd` ;;
+*) SSHD=`which $SSHD` ;;
+esac
+
+case "$SSHAGENT" in
+/*) ;;
+*) SSHAGENT=`which $SSHAGENT` ;;
esac
# Logfiles.
@@ -166,14 +171,22 @@ SSH="$SSHLOGWRAP"
# Some test data. We make a copy because some tests will overwrite it.
# The tests may assume that $DATA exists and is writable and $COPY does
-# not exist.
+# not exist. Tests requiring larger data files can call increase_datafile_size
+# [kbytes] to ensure the file is at least that large.
DATANAME=data
DATA=$OBJ/${DATANAME}
-cat $SSHD $SSHD $SSHD $SSHD >${DATA}
+cat ${SSHAGENT} >${DATA}
chmod u+w ${DATA}
COPY=$OBJ/copy
rm -f ${COPY}
+increase_datafile_size()
+{
+ while [ `du -k ${DATA} | cut -f1` -lt $1 ]; do
+ cat ${SSHAGENT} >>${DATA}
+ done
+}
+
# these should be used in tests
export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP
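Review bot: `SSHAGENT=`which $SSHAGENT`` leaves `SSHAGENT` empty when `which` finds nothing, and the later `cat ${SSHAGENT} >${DATA}` then runs `cat` with no file argument, reading standard input, so a missing ssh-agent becomes a hang or an empty data file rather than a clear failure; the `increase_datafile_size` loop has the same exposure and, with an empty file that never grows, would not terminate. A check after the `case`, `test -x "$SSHAGENT" || { echo "ssh-agent not found: $SSHAGENT" >&2; exit 1; }`, fails fast (use `fatal` instead if it is defined before this point in test-exec.sh, which is outside the hunk). The comment on `DATA` could also note why a single ssh-agent binary replaced the four-times-concatenated sshd as the seed file, since that is what makes `increase_datafile_size` necessary.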
diff --git a/crypto/openssh/regress/try-ciphers.sh b/crypto/openssh/regress/try-ciphers.sh
index e17c9f5..ac34ced 100644
--- a/crypto/openssh/regress/try-ciphers.sh
+++ b/crypto/openssh/regress/try-ciphers.sh
@@ -1,37 +1,22 @@
-# $OpenBSD: try-ciphers.sh,v 1.20 2013/05/17 10:16:26 dtucker Exp $
+# $OpenBSD: try-ciphers.sh,v 1.22 2013/11/21 03:18:51 djm Exp $
# Placed in the Public Domain.
tid="try ciphers"
-ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
- arcfour128 arcfour256 arcfour
- aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
- aes128-ctr aes192-ctr aes256-ctr"
-config_defined OPENSSL_HAVE_EVPGCM && \
- ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com"
-macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
- hmac-sha1-96 hmac-md5-96
- hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com
- umac-64-etm@openssh.com umac-128-etm@openssh.com
- hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com
- hmac-ripemd160-etm@openssh.com"
-config_defined HAVE_EVP_SHA256 &&
- macs="$macs hmac-sha2-256 hmac-sha2-512
- hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
-
-for c in $ciphers; do
+for c in `${SSH} -Q cipher`; do
n=0
- for m in $macs; do
+ for m in `${SSH} -Q mac`; do
trace "proto 2 cipher $c mac $m"
verbose "test $tid: proto 2 cipher $c mac $m"
${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true
if [ $? -ne 0 ]; then
fail "ssh -2 failed with mac $m cipher $c"
fi
- # No point trying all MACs for GCM since they are ignored.
- case $c in
- aes*-gcm@openssh.com) test $n -gt 0 && break;;
- esac
+ # No point trying all MACs for AEAD ciphers since they
+ # are ignored.
+ if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then
+ break
+ fi
n=`expr $n + 1`
done
done