import openssh-regress as of 2012/01/05

regress/CVS/Entries

@@ -0,0 +1,69 @@
+/Makefile/1.58/Thu Jan  6 22:46:21 2011//
+/addrmatch.sh/1.3/Tue Feb  9 04:57:36 2010//
+/agent-getpeereid.sh/1.4/Sun Nov 25 15:35:09 2007//
+/agent-pkcs11.sh/1.1/Mon Feb  8 10:52:47 2010//
+/agent-ptrace.sh/1.1/Mon Dec  9 15:38:30 2002//
+/agent-timeout.sh/1.1/Thu Jun  6 00:38:40 2002//
+/agent.sh/1.7/Sun Nov 25 15:35:09 2007//
+/banner.sh/1.2/Sat Oct 11 11:49:49 2003//
+/broken-pipe.sh/1.4/Fri Mar 15 13:08:56 2002//
+/brokenkeys.sh/1.1/Fri Oct 29 23:59:22 2004//
+/cert-hostkey.sh/1.6/Fri May 20 02:43:36 2011//
+/cert-userkey.sh/1.8/Tue May 17 07:13:31 2011//
+/cfgmatch.sh/1.6/Fri Jun  3 05:35:10 2011//
+/cipher-speed.sh/1.4/Tue Aug  2 01:23:41 2011//
+/conch-ciphers.sh/1.2/Mon Jun 30 10:43:03 2008//
+/connect-privsep.sh/1.2/Thu Jun 30 22:44:43 2011//
+/connect.sh/1.4/Fri Mar 15 13:08:56 2002//
+/dsa_ssh2.prv/1.1/Thu Jan 17 13:21:28 2002//
+/dsa_ssh2.pub/1.1/Thu Jan 17 13:21:28 2002//
+/dynamic-forward.sh/1.9/Fri Jun  3 00:29:52 2011//
+/envpass.sh/1.4/Fri Mar  4 08:48:46 2005//
+/exit-status.sh/1.6/Fri Mar 15 13:08:56 2002//
+/forcecommand.sh/1.1/Wed Jul 19 13:09:28 2006//
+/forwarding.sh/1.7/Mon Jan 11 02:53:44 2010//
+/host-expand.sh/1.1/Thu Jan  6 22:46:21 2011//
+/kextype.sh/1.1/Wed Sep 22 12:26:05 2010//
+/key-options.sh/1.2/Mon Jun 30 08:07:34 2008//
+/keygen-change.sh/1.2/Tue Jul 16 09:15:55 2002//
+/keygen-convert.sh/1.1/Mon Nov  9 04:20:04 2009//
+/keyscan.sh/1.3/Fri Mar 15 13:08:56 2002//
+/keytype.sh/1.1/Thu Sep  2 16:12:55 2010//
+/localcommand.sh/1.1/Mon Oct 29 06:57:13 2007//
+/login-timeout.sh/1.4/Sun Feb 27 23:13:36 2005//
+/multiplex.sh/1.12/Tue May  5 07:51:36 2009//
+/portnum.sh/1.1/Thu Aug 13 00:57:17 2009//
+/proto-mismatch.sh/1.3/Fri Mar 15 13:08:56 2002//
+/proto-version.sh/1.3/Fri Mar 15 13:08:56 2002//
+/proxy-connect.sh/1.5/Mon Dec  9 15:28:46 2002//
+/putty-ciphers.sh/1.3/Mon Nov 10 02:06:35 2008//
+/putty-kex.sh/1.2/Mon Jun 30 10:31:11 2008//
+/putty-transfer.sh/1.2/Mon Jun 30 10:31:11 2008//
+/reconfigure.sh/1.2/Sat Jun 21 09:14:05 2003//
+/reexec.sh/1.5/Fri Oct  8 02:01:50 2004//
+/rekey.sh/1.1/Fri Mar 28 13:58:28 2003//
+/rsa_openssh.prv/1.1/Thu Jan 17 13:21:28 2002//
+/rsa_openssh.pub/1.1/Thu Jan 17 13:21:28 2002//
+/rsa_ssh2.prv/1.1/Thu Jan 17 13:21:28 2002//
+/scp-ssh-wrapper.sh/1.2/Wed Dec 14 04:36:39 2005//
+/scp.sh/1.7/Tue Jan 31 10:36:33 2006//
+/sftp-badcmds.sh/1.4/Thu Aug 13 01:11:55 2009//
+/sftp-batch.sh/1.4/Thu Aug 13 01:11:55 2009//
+/sftp-cmds.sh/1.11/Sat Dec  4 00:21:19 2010//
+/sftp-glob.sh/1.4/Thu Aug 13 01:11:55 2009//
+/sftp.sh/1.3/Thu Aug 13 01:11:55 2009//
+/ssh-com-client.sh/1.6/Tue Feb 24 17:06:52 2004//
+/ssh-com-keygen.sh/1.4/Tue Feb 24 17:06:52 2004//
+/ssh-com-sftp.sh/1.6/Thu Aug 20 18:43:07 2009//
+/ssh-com.sh/1.7/Tue Feb 24 17:06:52 2004//
+/ssh2putty.sh/1.2/Tue Oct  6 23:51:49 2009//
+/sshd-log-wrapper.sh/1.2/Sun Feb 27 11:40:30 2005//
+/stderr-after-eof.sh/1.1/Sat Mar 23 16:38:09 2002//
+/stderr-data.sh/1.2/Wed Mar 27 22:39:52 2002//
+/t4.ok/1.1/Thu Jan 17 13:21:28 2002//
+/t5.ok/1.1/Thu Jan 17 13:21:28 2002//
+/test-exec.sh/1.37/Wed Feb 24 06:21:56 2010//
+/transfer.sh/1.1/Wed Mar 27 00:03:37 2002//
+/try-ciphers.sh/1.12/Tue Aug  2 01:23:41 2011//
+/yes-head.sh/1.4/Fri Mar 15 13:08:56 2002//
+D

regress/CVS/Repository

@@ -0,0 +1 @@
+src/regress/usr.bin/ssh

regress/CVS/Root

@@ -0,0 +1 @@
+/cvs

regress/Makefile

@@ -0,0 +1,147 @@
+#	$OpenBSD: Makefile,v 1.58 2011/01/06 22:46:21 djm Exp $
+
+REGRESS_TARGETS=	t1 t2 t3 t4 t5 t6 t7 t8 t9
+
+CLEANFILES+=	t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
+		t8.out t8.out.pub t9.out t9.out.pub
+
+LTESTS= 	connect \
+		proxy-connect \
+		connect-privsep \
+		proto-version \
+		proto-mismatch \
+		exit-status \
+		envpass \
+		transfer \
+		banner \
+		rekey \
+		stderr-data \
+		stderr-after-eof \
+		broken-pipe \
+		try-ciphers \
+		yes-head \
+		login-timeout \
+		agent \
+		agent-getpeereid \
+		agent-timeout \
+		agent-ptrace \
+		keyscan \
+		keygen-change \
+		keygen-convert \
+		key-options \
+		scp \
+		sftp \
+		sftp-cmds \
+		sftp-badcmds \
+		sftp-batch \
+		sftp-glob \
+		reconfigure \
+		dynamic-forward \
+		forwarding \
+		multiplex \
+		reexec \
+		brokenkeys \
+		cfgmatch \
+		addrmatch \
+		localcommand \
+		forcecommand \
+		portnum \
+		keytype \
+		kextype \
+		cert-hostkey \
+		cert-userkey \
+		host-expand
+
+INTEROP_TESTS=	putty-transfer putty-ciphers putty-kex conch-ciphers
+#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
+
+#LTESTS= 	cipher-speed
+
+USER!=		id -un
+CLEANFILES+=	authorized_keys_${USER} known_hosts pidfile \
+		ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \
+		rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
+		rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \
+		ls.copy banner.in banner.out empty.in \
+		scp-ssh-wrapper.exe ssh_proxy_envpass remote_pid \
+		sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
+		known_hosts-cert host_ca_key* cert_host_key* \
+		authorized_principals_${USER} expect actual
+
+# Enable all malloc(3) randomisations and checks
+TEST_ENV=      "MALLOC_OPTIONS=AFGJPRX"
+
+t1:
+	ssh-keygen -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv
+	tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv
+	ssh-keygen -if ${.OBJDIR}/rsa_ssh2_cr.prv | diff - ${.CURDIR}/rsa_openssh.prv
+	awk '{print $$0 "\r"}' ${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_crnl.prv
+	ssh-keygen -if ${.OBJDIR}/rsa_ssh2_crnl.prv | diff - ${.CURDIR}/rsa_openssh.prv
+
+t2:
+	cat ${.CURDIR}/rsa_openssh.prv > t2.out
+	chmod 600 t2.out
+	ssh-keygen -yf t2.out | diff - ${.CURDIR}/rsa_openssh.pub
+
+t3:
+	ssh-keygen -ef ${.CURDIR}/rsa_openssh.pub |\
+		ssh-keygen -if /dev/stdin |\
+		diff - ${.CURDIR}/rsa_openssh.pub
+
+t4:
+	ssh-keygen -lf ${.CURDIR}/rsa_openssh.pub |\
+		awk '{print $$2}' | diff - ${.CURDIR}/t4.ok
+
+t5:
+	ssh-keygen -Bf ${.CURDIR}/rsa_openssh.pub |\
+		awk '{print $$2}' | diff - ${.CURDIR}/t5.ok
+
+t6:
+	ssh-keygen -if ${.CURDIR}/dsa_ssh2.prv > t6.out1
+	ssh-keygen -if ${.CURDIR}/dsa_ssh2.pub > t6.out2
+	chmod 600 t6.out1
+	ssh-keygen -yf t6.out1 | diff - t6.out2
+
+t7.out:
+	ssh-keygen -q -t rsa -N '' -f $@
+
+t7: t7.out
+	ssh-keygen -lf t7.out > /dev/null
+	ssh-keygen -Bf t7.out > /dev/null
+
+t8.out:
+	ssh-keygen -q -t dsa -N '' -f $@
+
+t8: t8.out
+	ssh-keygen -lf t8.out > /dev/null
+	ssh-keygen -Bf t8.out > /dev/null
+
+t9.out:
+	ssh-keygen -q -t ecdsa -N '' -f $@
+
+t9: t9.out
+	ssh-keygen -lf t9.out > /dev/null
+	ssh-keygen -Bf t9.out > /dev/null
+
+.for t in ${LTESTS} ${INTEROP_TESTS}
+t-${t}:
+	env SUDO="${SUDO}" ${TEST_ENV} \
+	    sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/${t}.sh
+.endfor
+
+.for t in ${LTESTS}
+REGRESS_TARGETS+=t-${t}
+.endfor
+
+.for t in ${INTEROP_TESTS}
+INTEROP_TARGETS+=t-${t}
+.endfor
+
+# Not run by default
+interop: ${INTEROP_TARGETS}
+
+clean:
+	rm -f ${CLEANFILES}
+	rm -rf .putty
+
+.include <bsd.regress.mk>

regress/addrmatch.sh

@@ -0,0 +1,44 @@
+#	$OpenBSD: addrmatch.sh,v 1.3 2010/02/09 04:57:36 djm Exp $
+#	Placed in the Public Domain.
+
+tid="address match"
+
+mv $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+run_trial()
+{
+	user="$1"; addr="$2"; host="$3"; expected="$4"; descr="$5"
+
+	verbose "test $descr for $user $addr $host"
+	result=`${SSHD} -f $OBJ/sshd_proxy -T \
+	    -C user=${user},addr=${addr},host=${host} | \
+	    awk '/^passwordauthentication/ {print $2}'`
+	if [ "$result" != "$expected" ]; then
+		fail "failed for $user $addr $host: expected $expected, got $result"
+	fi
+}
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+cat >>$OBJ/sshd_proxy <<EOD
+PasswordAuthentication no
+Match Address 192.168.0.0/16,!192.168.30.0/24,10.0.0.0/8,host.example.com
+	PasswordAuthentication yes
+Match Address 1.1.1.1,::1,!::3,2000::/16
+	PasswordAuthentication yes
+EOD
+
+run_trial user 192.168.0.1 somehost yes		"permit, first entry"
+run_trial user 192.168.30.1 somehost no		"deny, negative match"
+run_trial user 19.0.0.1 somehost no		"deny, no match"
+run_trial user 10.255.255.254 somehost yes	"permit, list middle"
+run_trial user 192.168.30.1 192.168.0.1 no	"deny, faked IP in hostname"
+run_trial user 1.1.1.1 somehost.example.com yes	"permit, bare IP4 address"
+run_trial user ::1 somehost.example.com	 yes	"permit, bare IP6 address"
+run_trial user ::2 somehost.exaple.com no	"deny IPv6"
+run_trial user ::3 somehost no			"deny IP6 negated"
+run_trial user ::4 somehost no			"deny, IP6 no match"
+run_trial user 2000::1 somehost yes		"permit, IP6 network"
+run_trial user 2001::1 somehost no		"deny, IP6 network"
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+rm $OBJ/sshd_proxy_bak

regress/agent-getpeereid.sh

@@ -0,0 +1,38 @@
+#	$OpenBSD: agent-getpeereid.sh,v 1.4 2007/11/25 15:35:09 jmc Exp $
+#	Placed in the Public Domain.
+
+tid="disallow agent attach from other uid"
+
+UNPRIV=nobody
+ASOCK=${OBJ}/agent
+SSH_AUTH_SOCK=/nonexistent
+
+if [ -z "$SUDO" ]; then
+	fatal "need SUDO to switch to uid $UNPRIV, test won't work without"
+fi
+
+trace "start agent"
+eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+	fail "could not start ssh-agent: exit code $r"
+else
+	chmod 644 ${SSH_AUTH_SOCK}
+
+	ssh-add -l > /dev/null 2>&1
+	r=$?
+	if [ $r -ne 1 ]; then
+		fail "ssh-add failed with $r != 1"
+	fi
+
+	< /dev/null ${SUDO} -S -u ${UNPRIV} ssh-add -l > /dev/null 2>&1
+	r=$?
+	if [ $r -lt 2 ]; then
+		fail "ssh-add did not fail for ${UNPRIV}: $r < 2"
+	fi
+
+	trace "kill agent"
+	${SSHAGENT} -k > /dev/null
+fi
+
+rm -f ${OBJ}/agent

regress/agent-pkcs11.sh

@@ -0,0 +1,69 @@
+#	$OpenBSD: agent-pkcs11.sh,v 1.1 2010/02/08 10:52:47 markus Exp $
+#	Placed in the Public Domain.
+
+tid="pkcs11 agent test"
+
+TEST_SSH_PIN=""
+TEST_SSH_PKCS11=/usr/local/lib/soft-pkcs11.so.0.0
+
+# setup environment for soft-pkcs11 token
+SOFTPKCS11RC=$OBJ/pkcs11.info
+export SOFTPKCS11RC
+# prevent ssh-agent from calling ssh-askpass
+SSH_ASKPASS=/usr/bin/true
+export SSH_ASKPASS
+unset DISPLAY
+
+# start command w/o tty, so ssh-add accepts pin from stdin
+notty() {
+	perl -e 'use POSIX; POSIX::setsid(); 
+	    if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
+}
+
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+	fail "could not start ssh-agent: exit code $r"
+else
+	trace "generating key/cert"
+	rm -f $OBJ/pkcs11.key $OBJ/pkcs11.crt
+	openssl genrsa -out $OBJ/pkcs11.key 2048 > /dev/null 2>&1
+	chmod 600 $OBJ/pkcs11.key 
+	openssl req -key $OBJ/pkcs11.key -new -x509 \
+	    -out $OBJ/pkcs11.crt -text -subj '/CN=pkcs11 test' > /dev/null
+	printf "a\ta\t$OBJ/pkcs11.crt\t$OBJ/pkcs11.key" > $SOFTPKCS11RC
+	# add to authorized keys
+	${SSHKEYGEN} -y -f $OBJ/pkcs11.key > $OBJ/authorized_keys_$USER
+
+	trace "add pkcs11 key to agent"
+	echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
+	r=$?
+	if [ $r -ne 0 ]; then
+		fail "ssh-add -s failed: exit code $r"
+	fi
+
+	trace "pkcs11 list via agent"
+	${SSHADD} -l > /dev/null 2>&1
+	r=$?
+	if [ $r -ne 0 ]; then
+		fail "ssh-add -l failed: exit code $r"
+	fi
+
+	trace "pkcs11 connect via agent"
+	${SSH} -2 -F $OBJ/ssh_proxy somehost exit 5
+	r=$?
+	if [ $r -ne 5 ]; then
+		fail "ssh connect failed (exit code $r)"
+	fi
+
+	trace "remove pkcs11 keys"
+	echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
+	r=$?
+	if [ $r -ne 0 ]; then
+		fail "ssh-add -e failed: exit code $r"
+	fi
+
+	trace "kill agent"
+	${SSHAGENT} -k > /dev/null
+fi

regress/agent-ptrace.sh

@@ -0,0 +1,28 @@
+#	$OpenBSD: agent-ptrace.sh,v 1.1 2002/12/09 15:38:30 markus Exp $
+#	Placed in the Public Domain.
+
+tid="disallow agent ptrace attach"
+
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+	fail "could not start ssh-agent: exit code $r"
+else
+	# ls -l ${SSH_AUTH_SOCK}
+	gdb ${SSHAGENT} ${SSH_AGENT_PID} > ${OBJ}/gdb.out 2>&1 << EOF
+		quit
+EOF
+	if [ $? -ne 0 ]; then
+		fail "gdb failed: exit code $?"
+	fi
+	grep -q 'ptrace: Operation not permitted.' ${OBJ}/gdb.out
+	r=$?
+	rm -f ${OBJ}/gdb.out
+	if [ $r -ne 0 ]; then
+		fail "ptrace succeeded?: exit code $r"
+	fi
+
+	trace "kill agent"
+	${SSHAGENT} -k > /dev/null
+fi

regress/agent-timeout.sh

@@ -0,0 +1,36 @@
+#	$OpenBSD: agent-timeout.sh,v 1.1 2002/06/06 00:38:40 markus Exp $
+#	Placed in the Public Domain.
+
+tid="agent timeout test"
+
+TIMEOUT=5
+
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+	fail "could not start ssh-agent: exit code $r"
+else
+	trace "add keys with timeout"
+	for t in rsa rsa1; do
+		${SSHADD} -t ${TIMEOUT} $OBJ/$t > /dev/null 2>&1
+		if [ $? -ne 0 ]; then
+			fail "ssh-add did succeed exit code 0"
+		fi
+	done
+	n=`${SSHADD} -l 2> /dev/null | wc -l`
+	trace "agent has $n keys"
+	if [ $n -ne 2 ]; then
+		fail "ssh-add -l did not return 2 keys: $n"
+	fi
+	trace "sleeping 2*${TIMEOUT} seconds"
+	sleep ${TIMEOUT}
+	sleep ${TIMEOUT}
+	${SSHADD} -l 2> /dev/null | grep -q 'The agent has no identities.'
+	if [ $? -ne 0 ]; then
+		fail "ssh-add -l still returns keys after timeout"
+	fi
+
+	trace "kill agent"
+	${SSHAGENT} -k > /dev/null
+fi

regress/agent.sh

@@ -0,0 +1,75 @@
+#	$OpenBSD: agent.sh,v 1.7 2007/11/25 15:35:09 jmc Exp $
+#	Placed in the Public Domain.
+
+tid="simple agent test"
+
+SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
+if [ $? -ne 2 ]; then
+	fail "ssh-add -l did not fail with exit code 2"
+fi
+
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+	fail "could not start ssh-agent: exit code $r"
+else
+	${SSHADD} -l > /dev/null 2>&1
+	if [ $? -ne 1 ]; then
+		fail "ssh-add -l did not fail with exit code 1"
+	fi
+	trace "overwrite authorized keys"
+	echo -n > $OBJ/authorized_keys_$USER
+	for t in rsa rsa1; do
+		# generate user key for agent
+		rm -f $OBJ/$t-agent
+		${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
+			 fail "ssh-keygen for $t-agent failed"
+		# add to authorized keys
+		cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
+		# add privat key to agent
+		${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
+		if [ $? -ne 0 ]; then
+			fail "ssh-add did succeed exit code 0"
+		fi
+	done
+	${SSHADD} -l > /dev/null 2>&1
+	if [ $? -ne 0 ]; then
+		fail "ssh-add -l failed: exit code $?"
+	fi
+	# the same for full pubkey output
+	${SSHADD} -L > /dev/null 2>&1
+	if [ $? -ne 0 ]; then
+		fail "ssh-add -L failed: exit code $?"
+	fi
+
+	trace "simple connect via agent"
+	for p in 1 2; do
+		${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p
+		if [ $? -ne 5$p ]; then
+			fail "ssh connect with protocol $p failed (exit code $?)"
+		fi
+	done
+
+	trace "agent forwarding"
+	for p in 1 2; do
+		${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
+		if [ $? -ne 0 ]; then
+			fail "ssh-add -l via agent fwd proto $p failed (exit code $?)"
+		fi
+		${SSH} -A -$p -F $OBJ/ssh_proxy somehost \
+			"${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p"
+		if [ $? -ne 5$p ]; then
+			fail "agent fwd proto $p failed (exit code $?)"
+		fi
+	done
+
+	trace "delete all agent keys"
+	${SSHADD} -D > /dev/null 2>&1
+	if [ $? -ne 0 ]; then
+		fail "ssh-add -D failed: exit code $?"
+	fi
+
+	trace "kill agent"
+	${SSHAGENT} -k > /dev/null
+fi

regress/banner.sh

@@ -0,0 +1,44 @@
+#	$OpenBSD: banner.sh,v 1.2 2003/10/11 11:49:49 dtucker Exp $
+#	Placed in the Public Domain.
+
+tid="banner"
+echo "Banner $OBJ/banner.in" >> $OBJ/sshd_proxy
+
+rm -f $OBJ/banner.out $OBJ/banner.in $OBJ/empty.in
+touch $OBJ/empty.in
+
+trace "test missing banner file"
+verbose "test $tid: missing banner file"
+( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+	cmp $OBJ/empty.in $OBJ/banner.out ) || \
+	fail "missing banner file"
+
+for s in 0 10 100 1000 10000 100000 ; do
+	if [ "$s" = "0" ]; then
+		# create empty banner
+		touch $OBJ/banner.in
+	elif [ "$s" = "10" ]; then
+		# create 10-byte banner file
+		echo "abcdefghi" >$OBJ/banner.in
+	else
+		# increase size 10x
+		cp $OBJ/banner.in $OBJ/banner.out
+		for i in 0 1 2 3 4 5 6 7 8 ; do
+			cat $OBJ/banner.out >> $OBJ/banner.in
+		done
+	fi
+
+	trace "test banner size $s"
+	verbose "test $tid: size $s"
+	( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+		cmp $OBJ/banner.in $OBJ/banner.out ) || \
+		fail "banner size $s mismatch"
+done
+
+trace "test suppress banner (-q)"
+verbose "test $tid: suppress banner (-q)"
+( ${SSH} -q -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+	cmp $OBJ/empty.in $OBJ/banner.out ) || \
+	fail "suppress banner (-q)"
+
+rm -f $OBJ/banner.out $OBJ/banner.in $OBJ/empty.in

regress/broken-pipe.sh

@@ -0,0 +1,15 @@
+#	$OpenBSD: broken-pipe.sh,v 1.4 2002/03/15 13:08:56 markus Exp $
+#	Placed in the Public Domain.
+
+tid="broken pipe test"
+
+for p in 1 2; do
+	trace "protocol $p"
+	for i in 1 2 3 4; do
+		${SSH} -$p -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true
+		r=$?
+		if [ $r -ne 0 ]; then
+			fail "broken pipe returns $r for protocol $p"
+		fi
+	done
+done

regress/brokenkeys.sh

@@ -0,0 +1,23 @@
+#	$OpenBSD: brokenkeys.sh,v 1.1 2004/10/29 23:59:22 djm Exp $
+#	Placed in the Public Domain.
+
+tid="broken keys"
+
+KEYS="$OBJ/authorized_keys_${USER}"
+
+start_sshd
+
+mv ${KEYS} ${KEYS}.bak
+
+# Truncated key
+echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEABTM= bad key" > $KEYS
+cat ${KEYS}.bak >> ${KEYS}
+cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+
+${SSH} -2 -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+	fail "ssh connect with protocol $p failed"
+fi
+
+mv ${KEYS}.bak ${KEYS}
+

regress/cert-hostkey.sh

@@ -0,0 +1,248 @@
+#	$OpenBSD: cert-hostkey.sh,v 1.6 2011/05/20 02:43:36 djm Exp $
+#	Placed in the Public Domain.
+
+tid="certified host keys"
+
+rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+HOSTS='localhost-with-alias,127.0.0.1,::1'
+
+# Create a CA key and add it to known hosts
+${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/host_ca_key ||\
+	fail "ssh-keygen of host_ca_key failed"
+(
+	echo -n '@cert-authority '
+	echo -n "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+
+# Generate and sign host keys
+for ktype in rsa dsa ecdsa ; do 
+	verbose "$tid: sign host ${ktype} cert"
+	# Generate and sign a host key
+	${SSHKEYGEN} -q -N '' -t ${ktype} \
+	    -f $OBJ/cert_host_key_${ktype} || \
+		fail "ssh-keygen of cert_host_key_${ktype} failed"
+	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \
+	    -I "regress host key for $USER" \
+	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+		fail "couldn't sign cert_host_key_${ktype}"
+	# v00 ecdsa certs do not exist
+	test "${ktype}" = "ecdsa" && continue
+	cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
+	cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
+	${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
+	    -I "regress host key for $USER" \
+	    -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
+		fail "couldn't sign cert_host_key_${ktype}_v00"
+done
+
+# Basic connect tests
+for privsep in yes no ; do
+	for ktype in rsa dsa ecdsa rsa_v00 dsa_v00; do 
+		verbose "$tid: host ${ktype} cert connect privsep $privsep"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo HostKey $OBJ/cert_host_key_${ktype}
+			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+			echo UsePrivilegeSeparation $privsep
+		) > $OBJ/sshd_proxy
+
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+			-F $OBJ/ssh_proxy somehost true
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
+	done
+done
+
+# Revoked certificates with key present
+(
+	echo -n '@cert-authority '
+	echo -n "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+	echo -n '@revoked '
+	echo -n "* "
+	cat $OBJ/cert_host_key_rsa.pub
+	echo -n '@revoked '
+	echo -n "* "
+	cat $OBJ/cert_host_key_ecdsa.pub
+	echo -n '@revoked '
+	echo -n "* "
+	cat $OBJ/cert_host_key_dsa.pub
+	echo -n '@revoked '
+	echo -n "* "
+	cat $OBJ/cert_host_key_rsa_v00.pub
+	echo -n '@revoked '
+	echo -n "* "
+	cat $OBJ/cert_host_key_dsa_v00.pub
+) > $OBJ/known_hosts-cert
+for privsep in yes no ; do
+	for ktype in rsa dsa ecdsa rsa_v00 dsa_v00; do 
+		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo HostKey $OBJ/cert_host_key_${ktype}
+			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+			echo UsePrivilegeSeparation $privsep
+		) > $OBJ/sshd_proxy
+
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+			-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+	done
+done
+
+# Revoked CA
+(
+	echo -n '@cert-authority '
+	echo -n "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+	echo -n '@revoked '
+	echo -n "* "
+	cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+for ktype in rsa dsa ecdsa rsa_v00 dsa_v00 ; do 
+	verbose "$tid: host ${ktype} revoked cert"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo HostKey $OBJ/cert_host_key_${ktype}
+		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+	) > $OBJ/sshd_proxy
+	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi
+done
+
+# Create a CA key and add it to known hosts
+(
+	echo -n '@cert-authority '
+	echo -n "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+
+test_one() {
+	ident=$1
+	result=$2
+	sign_opts=$3
+
+	for kt in rsa rsa_v00 ; do
+		case $kt in
+		*_v00) args="-t v00" ;;
+		*) args="" ;;
+		esac
+
+		verbose "$tid: host cert connect $ident $kt expect $result"
+		${SSHKEYGEN} -q -s $OBJ/host_ca_key \
+		    -I "regress host key for $USER" \
+		    $sign_opts $args \
+		    $OBJ/cert_host_key_${kt} ||
+			fail "couldn't sign cert_host_key_${kt}"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo HostKey $OBJ/cert_host_key_${kt}
+			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
+		) > $OBJ/sshd_proxy
+	
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		rc=$?
+		if [ "x$result" = "xsuccess" ] ; then
+			if [ $rc -ne 0 ]; then
+				fail "ssh cert connect $ident failed unexpectedly"
+			fi
+		else
+			if [ $rc -eq 0 ]; then
+				fail "ssh cert connect $ident succeeded unexpectedly"
+			fi
+		fi
+	done
+}
+
+test_one "user-certificate"	failure "-n $HOSTS"
+test_one "empty principals"	success "-h"
+test_one "wrong principals"	failure "-h -n foo"
+test_one "cert not yet valid"	failure "-h -V20200101:20300101"
+test_one "cert expired"		failure "-h -V19800101:19900101"
+test_one "cert valid interval"	success "-h -V-1w:+2w"
+test_one "cert has constraints"	failure "-h -Oforce-command=false"
+
+# Check downgrade of cert to raw key when no CA found
+for v in v01 v00 ;  do 
+	for ktype in rsa dsa ecdsa ; do 
+		# v00 ecdsa certs do not exist.
+		test "${v}${ktype}" = "v00ecdsa" && continue
+		rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
+		verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
+		# Generate and sign a host key
+		${SSHKEYGEN} -q -N '' -t ${ktype} \
+		    -f $OBJ/cert_host_key_${ktype} || \
+			fail "ssh-keygen of cert_host_key_${ktype} failed"
+		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
+		    -I "regress host key for $USER" \
+		    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+			fail "couldn't sign cert_host_key_${ktype}"
+		(
+			echo -n "$HOSTS "
+			cat $OBJ/cert_host_key_${ktype}.pub
+		) > $OBJ/known_hosts-cert
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo HostKey $OBJ/cert_host_key_${ktype}
+			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+		) > $OBJ/sshd_proxy
+		
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+			-F $OBJ/ssh_proxy somehost true
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
+	done
+done
+
+# Wrong certificate
+(
+	echo -n '@cert-authority '
+	echo -n "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+for v in v01 v00 ;  do 
+	for kt in rsa dsa ecdsa ; do 
+		# v00 ecdsa certs do not exist.
+		test "${v}${ktype}" = "v00ecdsa" && continue
+		rm -f $OBJ/cert_host_key*
+		# Self-sign key
+		${SSHKEYGEN} -q -N '' -t ${kt} \
+		    -f $OBJ/cert_host_key_${kt} || \
+			fail "ssh-keygen of cert_host_key_${kt} failed"
+		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
+		    -I "regress host key for $USER" \
+		    -n $HOSTS $OBJ/cert_host_key_${kt} ||
+			fail "couldn't sign cert_host_key_${kt}"
+		verbose "$tid: host ${kt} connect wrong cert"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo HostKey $OBJ/cert_host_key_${kt}
+			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
+		) > $OBJ/sshd_proxy
+	
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+			-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect $ident succeeded unexpectedly"
+		fi
+	done
+done
+
+rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*

regress/cert-userkey.sh

@@ -0,0 +1,332 @@
+#	$OpenBSD: cert-userkey.sh,v 1.8 2011/05/17 07:13:31 djm Exp $
+#	Placed in the Public Domain.
+
+tid="certified user keys"
+
+rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+# Create a CA key
+${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
+	fail "ssh-keygen of user_ca_key failed"
+
+# Generate and sign user keys
+for ktype in rsa dsa ecdsa ; do 
+	verbose "$tid: sign user ${ktype} cert"
+	${SSHKEYGEN} -q -N '' -t ${ktype} \
+	    -f $OBJ/cert_user_key_${ktype} || \
+		fail "ssh-keygen of cert_user_key_${ktype} failed"
+	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I \
+	    "regress user key for $USER" \
+	    -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
+		fail "couldn't sign cert_user_key_${ktype}"
+	# v00 ecdsa certs do not exist
+	test "${ktype}" = "ecdsa" && continue
+	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
+	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
+	${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
+	    "regress user key for $USER" \
+	    -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
+		fail "couldn't sign cert_user_key_${ktype}_v00"
+done
+
+# Test explicitly-specified principals
+for ktype in rsa dsa ecdsa rsa_v00 dsa_v00 ; do 
+	for privsep in yes no ; do
+		_prefix="${ktype} privsep $privsep"
+
+		# Setup for AuthorizedPrincipalsFile
+		rm -f $OBJ/authorized_keys_$USER
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo "UsePrivilegeSeparation $privsep"
+			echo "AuthorizedPrincipalsFile " \
+			    "$OBJ/authorized_principals_%u"
+			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+		) > $OBJ/sshd_proxy
+
+		# Missing authorized_principals
+		verbose "$tid: ${_prefix} missing authorized_principals"
+		rm -f $OBJ/authorized_principals_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+
+		# Empty authorized_principals
+		verbose "$tid: ${_prefix} empty authorized_principals"
+		echo > $OBJ/authorized_principals_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+	
+		# Wrong authorized_principals
+		verbose "$tid: ${_prefix} wrong authorized_principals"
+		echo gregorsamsa > $OBJ/authorized_principals_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+
+		# Correct authorized_principals
+		verbose "$tid: ${_prefix} correct authorized_principals"
+		echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
+
+		# authorized_principals with bad key option
+		verbose "$tid: ${_prefix} authorized_principals bad key opt"
+		echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+
+		# authorized_principals with command=false
+		verbose "$tid: ${_prefix} authorized_principals command=false"
+		echo 'command="false" mekmitasdigoat' > \
+		    $OBJ/authorized_principals_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+
+
+		# authorized_principals with command=true
+		verbose "$tid: ${_prefix} authorized_principals command=true"
+		echo 'command="true" mekmitasdigoat' > \
+		    $OBJ/authorized_principals_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
+
+		# Setup for principals= key option
+		rm -f $OBJ/authorized_principals_$USER
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo "UsePrivilegeSeparation $privsep"
+		) > $OBJ/sshd_proxy
+
+		# Wrong principals list
+		verbose "$tid: ${_prefix} wrong principals key option"
+		(
+			echo -n 'cert-authority,principals="gregorsamsa" '
+			cat $OBJ/user_ca_key.pub
+		) > $OBJ/authorized_keys_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+
+		# Correct principals list
+		verbose "$tid: ${_prefix} correct principals key option"
+		(
+			echo -n 'cert-authority,principals="mekmitasdigoat" '
+			cat $OBJ/user_ca_key.pub
+		) > $OBJ/authorized_keys_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
+	done
+done
+
+basic_tests() {
+	auth=$1
+	if test "x$auth" = "xauthorized_keys" ; then
+		# Add CA to authorized_keys
+		(
+			echo -n 'cert-authority '
+			cat $OBJ/user_ca_key.pub
+		) > $OBJ/authorized_keys_$USER
+	else
+		echo > $OBJ/authorized_keys_$USER
+		extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
+	fi
+	
+	for ktype in rsa dsa ecdsa rsa_v00 dsa_v00 ; do 
+		for privsep in yes no ; do
+			_prefix="${ktype} privsep $privsep $auth"
+			# Simple connect
+			verbose "$tid: ${_prefix} connect"
+			(
+				cat $OBJ/sshd_proxy_bak
+				echo "UsePrivilegeSeparation $privsep"
+				echo "$extra_sshd"
+			) > $OBJ/sshd_proxy
+	
+			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			    -F $OBJ/ssh_proxy somehost true
+			if [ $? -ne 0 ]; then
+				fail "ssh cert connect failed"
+			fi
+
+			# Revoked keys
+			verbose "$tid: ${_prefix} revoked key"
+			(
+				cat $OBJ/sshd_proxy_bak
+				echo "UsePrivilegeSeparation $privsep"
+				echo "RevokedKeys $OBJ/cert_user_key_${ktype}.pub"
+				echo "$extra_sshd"
+			) > $OBJ/sshd_proxy
+			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+			if [ $? -eq 0 ]; then
+				fail "ssh cert connect succeeded unexpecedly"
+			fi
+		done
+	
+		# Revoked CA
+		verbose "$tid: ${ktype} $auth revoked CA key"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo "RevokedKeys $OBJ/user_ca_key.pub"
+			echo "$extra_sshd"
+		) > $OBJ/sshd_proxy
+		${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+		    somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpecedly"
+		fi
+	done
+	
+	verbose "$tid: $auth CA does not authenticate"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo "$extra_sshd"
+	) > $OBJ/sshd_proxy
+	verbose "$tid: ensure CA key does not authenticate user"
+	${SSH} -2i $OBJ/user_ca_key \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect with CA key succeeded unexpectedly"
+	fi
+}
+
+basic_tests authorized_keys
+basic_tests TrustedUserCAKeys
+
+test_one() {
+	ident=$1
+	result=$2
+	sign_opts=$3
+	auth_choice=$4
+	auth_opt=$5
+
+	if test "x$auth_choice" = "x" ; then
+		auth_choice="authorized_keys TrustedUserCAKeys"
+	fi
+
+	for auth in $auth_choice ; do
+		for ktype in rsa rsa_v00 ; do
+			case $ktype in
+			*_v00) keyv="-t v00" ;;
+			*) keyv="" ;;
+			esac
+
+			cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+			if test "x$auth" = "xauthorized_keys" ; then
+				# Add CA to authorized_keys
+				(
+					echo -n "cert-authority${auth_opt} "
+					cat $OBJ/user_ca_key.pub
+				) > $OBJ/authorized_keys_$USER
+			else
+				echo > $OBJ/authorized_keys_$USER
+				echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
+				    >> $OBJ/sshd_proxy
+				if test "x$auth_opt" != "x" ; then
+					echo $auth_opt >> $OBJ/sshd_proxy
+				fi
+			fi
+			
+			verbose "$tid: $ident auth $auth expect $result $ktype"
+			${SSHKEYGEN} -q -s $OBJ/user_ca_key \
+			    -I "regress user key for $USER" \
+			    $sign_opts $keyv \
+			    $OBJ/cert_user_key_${ktype} ||
+				fail "couldn't sign cert_user_key_${ktype}"
+
+			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+			rc=$?
+			if [ "x$result" = "xsuccess" ] ; then
+				if [ $rc -ne 0 ]; then
+					fail "$ident failed unexpectedly"
+				fi
+			else
+				if [ $rc -eq 0 ]; then
+					fail "$ident succeeded unexpectedly"
+				fi
+			fi
+		done
+	done
+}
+
+test_one "correct principal"	success "-n ${USER}"
+test_one "host-certificate"	failure "-n ${USER} -h"
+test_one "wrong principals"	failure "-n foo"
+test_one "cert not yet valid"	failure "-n ${USER} -V20200101:20300101"
+test_one "cert expired"		failure "-n ${USER} -V19800101:19900101"
+test_one "cert valid interval"	success "-n ${USER} -V-1w:+2w"
+test_one "wrong source-address"	failure "-n ${USER} -Osource-address=10.0.0.0/8"
+test_one "force-command"	failure "-n ${USER} -Oforce-command=false"
+
+# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
+test_one "empty principals"	success "" authorized_keys
+test_one "empty principals"	failure "" TrustedUserCAKeys
+
+# Check explicitly-specified principals: an empty principals list in the cert
+# should always be refused.
+
+# AuthorizedPrincipalsFile
+rm -f $OBJ/authorized_keys_$USER
+echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
+    TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
+test_one "AuthorizedPrincipalsFile no principals" failure "" \
+    TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
+
+# principals= key option
+rm -f $OBJ/authorized_principals_$USER
+test_one "principals key option principals" success "-n mekmitasdigoat" \
+    authorized_keys ',principals="mekmitasdigoat"'
+test_one "principals key option no principals" failure "" \
+    authorized_keys ',principals="mekmitasdigoat"'
+
+# Wrong certificate
+cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+for ktype in rsa dsa ecdsa rsa_v00 dsa_v00 ; do 
+	case $ktype in
+	*_v00) args="-t v00" ;;
+	*) args="" ;;
+	esac
+	# Self-sign
+	${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
+	    "regress user key for $USER" \
+	    -n $USER $OBJ/cert_user_key_${ktype} ||
+		fail "couldn't sign cert_user_key_${ktype}"
+	verbose "$tid: user ${ktype} connect wrong cert"
+	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+	    somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect $ident succeeded unexpectedly"
+	fi
+done
+
+rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
+rm -f $OBJ/authorized_principals_$USER
+

regress/cfgmatch.sh

@@ -0,0 +1,126 @@
+#	$OpenBSD: cfgmatch.sh,v 1.6 2011/06/03 05:35:10 dtucker Exp $
+#	Placed in the Public Domain.
+
+tid="sshd_config match"
+
+pidfile=$OBJ/remote_pid
+fwdport=3301
+fwd="-L $fwdport:127.0.0.1:$PORT"
+
+echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config
+echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
+
+start_client()
+{
+	rm -f $pidfile
+	${SSH} -q -$p $fwd "$@" somehost \
+	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
+	    >>$TEST_SSH_LOGFILE 2>&1 &
+	client_pid=$!
+	# Wait for remote end
+	n=0
+	while test ! -f $pidfile ; do
+		sleep 1
+		n=`expr $n + 1`
+		if test $n -gt 60; then
+			kill $client_pid
+			fatal "timeout waiting for background ssh"
+		fi
+	done	
+}
+
+stop_client()
+{
+	pid=`cat $pidfile`
+	if [ ! -z "$pid" ]; then
+		kill $pid
+	fi
+	wait
+}
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
+echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
+
+grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
+echo "Match user $USER" >>$OBJ/sshd_proxy
+echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
+
+start_sshd
+
+#set -x
+
+# Test Match + PermitOpen in sshd_config.  This should be permitted
+for p in 1 2; do
+	trace "match permitopen localhost proto $p"
+	start_client -F $OBJ/ssh_config
+	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+	    fail "match permitopen permit proto $p"
+	stop_client
+done
+
+# Same but from different source.  This should not be permitted
+for p in 1 2; do
+	trace "match permitopen proxy proto $p"
+	start_client -F $OBJ/ssh_proxy
+	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+	    fail "match permitopen deny proto $p"
+	stop_client
+done
+
+# Retry previous with key option, should also be denied.
+echo -n 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echo -n 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+for p in 1 2; do
+	trace "match permitopen proxy w/key opts proto $p"
+	start_client -F $OBJ/ssh_proxy
+	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+	    fail "match permitopen deny w/key opt proto $p"
+	stop_client
+done
+
+# Test both sshd_config and key options permitting the same dst/port pair.
+# Should be permitted.
+for p in 1 2; do
+	trace "match permitopen localhost proto $p"
+	start_client -F $OBJ/ssh_config
+	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+	    fail "match permitopen permit proto $p"
+	stop_client
+done
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
+echo "Match User $USER" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
+
+# Test that a Match overrides a PermitOpen in the global section
+for p in 1 2; do
+	trace "match permitopen proxy w/key opts proto $p"
+	start_client -F $OBJ/ssh_proxy
+	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+	    fail "match override permitopen proto $p"
+	stop_client
+done
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
+echo "Match User NoSuchUser" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
+
+# Test that a rule that doesn't match doesn't override, plus test a
+# PermitOpen entry that's not at the start of the list
+for p in 1 2; do
+	trace "nomatch permitopen proxy w/key opts proto $p"
+	start_client -F $OBJ/ssh_proxy
+	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+	    fail "nomatch override permitopen proto $p"
+	stop_client
+done

regress/cipher-speed.sh

@@ -0,0 +1,50 @@
+#	$OpenBSD: cipher-speed.sh,v 1.4 2011/08/02 01:23:41 djm Exp $
+#	Placed in the Public Domain.
+
+tid="cipher speed"
+
+getbytes ()
+{
+	sed -n '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p'
+}
+
+tries="1 2"
+DATA=/bin/ls
+DATA=/bsd
+
+ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc 
+	arcfour128 arcfour256 arcfour 
+	aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
+	aes128-ctr aes192-ctr aes256-ctr"
+macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96
+	hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96"
+
+for c in $ciphers; do for m in $macs; do
+	trace "proto 2 cipher $c mac $m"
+	for x in $tries; do
+		echo -n "$c/$m:\t"
+		( ${SSH} -o 'compression no' \
+			-F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
+			exec sh -c \'"dd of=/dev/null obs=32k"\' \
+		< ${DATA} ) 2>&1 | getbytes
+
+		if [ $? -ne 0 ]; then
+			fail "ssh -2 failed with mac $m cipher $c"
+		fi
+	done
+done; done
+
+ciphers="3des blowfish"
+for c in $ciphers; do
+	trace "proto 1 cipher $c"
+	for x in $tries; do
+		echo -n "$c:\t"
+		( ${SSH} -o 'compression no' \
+			-F $OBJ/ssh_proxy -1 -c $c somehost \
+			exec sh -c \'"dd of=/dev/null obs=32k"\' \
+		< ${DATA} ) 2>&1 | getbytes
+		if [ $? -ne 0 ]; then
+			fail "ssh -1 failed with cipher $c"
+		fi
+	done
+done

regress/conch-ciphers.sh

@@ -0,0 +1,30 @@
+#	$OpenBSD: conch-ciphers.sh,v 1.2 2008/06/30 10:43:03 djm Exp $
+#	Placed in the Public Domain.
+
+tid="conch ciphers"
+
+DATA=/bin/ls
+COPY=${OBJ}/copy
+
+if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
+	fatal "conch interop tests not enabled"
+fi
+
+start_sshd
+
+for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
+         cast128-cbc blowfish 3des-cbc ; do
+	verbose "$tid: cipher $c"
+	rm -f ${COPY}
+	# XXX the 2nd "cat" seems to be needed because of buggy FD handling
+	# in conch
+	${CONCH} --identity $OBJ/rsa --port $PORT --user $USER  -e none \
+	    --known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
+	    127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
+	if [ $? -ne 0 ]; then
+		fail "ssh cat $DATA failed"
+	fi
+	cmp ${DATA} ${COPY}		|| fail "corrupted copy"
+done
+rm -f ${COPY}
+

regress/connect-privsep.sh

@@ -0,0 +1,24 @@
+#	$OpenBSD: connect-privsep.sh,v 1.2 2011/06/30 22:44:43 markus Exp $
+#	Placed in the Public Domain.
+
+tid="proxy connect with privsep"
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
+echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+	${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
+	if [ $? -ne 0 ]; then
+		fail "ssh privsep+proxyconnect protocol $p failed"
+	fi
+done
+
+cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
+echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+	${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
+	if [ $? -ne 0 ]; then
+		fail "ssh privsep/sandbox+proxyconnect protocol $p failed"
+	fi
+done

regress/connect.sh

@@ -0,0 +1,13 @@
+#	$OpenBSD: connect.sh,v 1.4 2002/03/15 13:08:56 markus Exp $
+#	Placed in the Public Domain.
+
+tid="simple connect"
+
+start_sshd
+
+for p in 1 2; do
+	${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
+	if [ $? -ne 0 ]; then
+		fail "ssh connect with protocol $p failed"
+	fi
+done

regress/dsa_ssh2.prv

@@ -0,0 +1,14 @@
+---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
+Subject: ssh-keygen test
+Comment: "1024-bit dsa, Tue Jan 08 2002 22:00:23 +0100"
+P2/56wAAAgIAAAAmZGwtbW9kcHtzaWdue2RzYS1uaXN0LXNoYTF9LGRoe3BsYWlufX0AAA
+AEbm9uZQAAAcQAAAHAAAAAAAAABACwUfm3AxZTut3icBmwCcD48nY64HzuELlQ+vEqjIcR
+Lo49es/DQTeLNQ+kdKRCfouosGNv0WqxRtF0tUsWdXxS37oHGa4QPugBdHRd7YlZGZv8kg
+x7FsoepY7v7E683/97dv2zxL3AGagTEzWr7fl0yPexAaZoDvtQrrjX44BLmwAABACWQkvv
+MxnD8eFkS1konFfMJ1CkuRfTN34CBZ6dY7VTSGemy4QwtFdMKmoufD0eKgy3p5WOeWCYKt
+F4FhjHKZk/aaxFjjIbtkrnlvXg64QI11dSZyBN6/ViQkHPSkUDF+A6AAEhrNbQbAFSvao1
+kTvNtPCtL0AkUIduEMzGQfLCTAAAAKDeC043YVo9Zo0zAEeIA4uZh4LBCQAAA/9aj7Y5ik
+ehygJ4qTDSlVypsPuV+n59tMS0e2pfrSG87yf5r94AKBmJeho5OO6wYaXCxsVB7AFbSUD6
+75AK8mHF4v1/+7SWKk5f8xlMCMSPZ9K0+j/W1d/q2qkhnnDZolOHDomLA+U00i5ya/jnTV
+zyDPWLFpWK8u3xGBPAYX324gAAAKDHFvooRnaXdZbeWGTTqmgHB1GU9A==
+---- END SSH2 ENCRYPTED PRIVATE KEY ----

regress/dsa_ssh2.pub

@@ -0,0 +1,13 @@
+---- BEGIN SSH2 PUBLIC KEY ----
+Subject: ssh-keygen test
+Comment: "1024-bit dsa, Tue Jan 08 2002 22:00:23 +0100"
+AAAAB3NzaC1kc3MAAACBALBR+bcDFlO63eJwGbAJwPjydjrgfO4QuVD68SqMhxEujj16z8
+NBN4s1D6R0pEJ+i6iwY2/RarFG0XS1SxZ1fFLfugcZrhA+6AF0dF3tiVkZm/ySDHsWyh6l
+ju/sTrzf/3t2/bPEvcAZqBMTNavt+XTI97EBpmgO+1CuuNfjgEubAAAAFQDeC043YVo9Zo
+0zAEeIA4uZh4LBCQAAAIEAlkJL7zMZw/HhZEtZKJxXzCdQpLkX0zd+AgWenWO1U0hnpsuE
+MLRXTCpqLnw9HioMt6eVjnlgmCrReBYYxymZP2msRY4yG7ZK55b14OuECNdXUmcgTev1Yk
+JBz0pFAxfgOgABIazW0GwBUr2qNZE7zbTwrS9AJFCHbhDMxkHywkwAAACAWo+2OYpHocoC
+eKkw0pVcqbD7lfp+fbTEtHtqX60hvO8n+a/eACgZiXoaOTjusGGlwsbFQewBW0lA+u+QCv
+JhxeL9f/u0lipOX/MZTAjEj2fStPo/1tXf6tqpIZ5w2aJThw6JiwPlNNIucmv4501c8gz1
+ixaVivLt8RgTwGF99uI=
+---- END SSH2 PUBLIC KEY ----

regress/dynamic-forward.sh

@@ -0,0 +1,59 @@
+#	$OpenBSD: dynamic-forward.sh,v 1.9 2011/06/03 00:29:52 dtucker Exp $
+#	Placed in the Public Domain.
+
+tid="dynamic forwarding"
+
+FWDPORT=`expr $PORT + 1`
+
+if [ -x "`which nc`" ] && nc -h 2>&1 | grep "proxy address" >/dev/null; then
+	proxycmd="nc -x 127.0.0.1:$FWDPORT -X"
+elif [ -x "`which connect`" ]; then
+	proxycmd="connect -S 127.0.0.1:$FWDPORT -"
+else
+	echo "skipped (no suitable ProxyCommand found)"
+	exit 0
+fi
+trace "will use ProxyCommand $proxycmd"
+
+start_sshd
+
+for p in 1 2; do
+	n=0
+	error="1"
+	trace "start dynamic forwarding, fork to background"
+	while [ "$error" -ne 0 -a "$n" -lt 3 ]; do
+		n=`expr $n + 1`
+		${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \
+		    -oExitOnForwardFailure=yes somehost exec sh -c \
+			\'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
+		error=$?
+		if [ "$error" -ne 0 ]; then
+			trace "forward failed proto $p attempt $n err $error"
+			sleep $n
+		fi
+	done
+	if [ "$error" -ne 0 ]; then
+		fatal "failed to start dynamic forwarding proto $p"
+	fi
+
+	for s in 4 5; do
+	    for h in 127.0.0.1 localhost; do
+		trace "testing ssh protocol $p socks version $s host $h"
+		${SSH} -F $OBJ/ssh_config \
+			-o "ProxyCommand ${proxycmd}${s} $h $PORT" \
+			somehost cat /bin/ls > $OBJ/ls.copy
+		test -f $OBJ/ls.copy	 || fail "failed copy /bin/ls"
+		cmp /bin/ls $OBJ/ls.copy || fail "corrupted copy of /bin/ls"
+	    done
+	done
+
+	if [ -f $OBJ/remote_pid ]; then
+		remote=`cat $OBJ/remote_pid`
+		trace "terminate remote shell, pid $remote"
+		if [ $remote -gt 1 ]; then
+			kill -HUP $remote
+		fi
+	else
+		fail "no pid file: $OBJ/remote_pid"
+	fi
+done

regress/envpass.sh

@@ -0,0 +1,60 @@
+#	$OpenBSD: envpass.sh,v 1.4 2005/03/04 08:48:46 djm Exp $
+#	Placed in the Public Domain.
+
+tid="environment passing"
+
+# NB accepted env vars are in test-exec.sh (_XXX_TEST_* and _XXX_TEST)
+
+# Prepare a custom config to test for a configuration parsing bug fixed in 4.0
+cat << EOF > $OBJ/ssh_proxy_envpass
+Host test-sendenv-confparse-bug
+	SendEnv *
+EOF
+cat $OBJ/ssh_proxy >> $OBJ/ssh_proxy_envpass
+
+trace "pass env, don't accept"
+verbose "test $tid: pass env, don't accept"
+_TEST_ENV=blah ${SSH} -oSendEnv="*" -F $OBJ/ssh_proxy_envpass otherhost \
+	sh << 'EOF'
+	test -z "$_TEST_ENV"
+EOF
+r=$?
+if [ $r -ne 0 ]; then
+	fail "environment found"
+fi
+
+trace "don't pass env, accept"
+verbose "test $tid: don't pass env, accept"
+_XXX_TEST_A=1 _XXX_TEST_B=2 ${SSH} -F $OBJ/ssh_proxy_envpass otherhost \
+	sh << 'EOF'
+	test -z "$_XXX_TEST_A" && test -z "$_XXX_TEST_B"
+EOF
+r=$?
+if [ $r -ne 0 ]; then
+	fail "environment found"
+fi
+
+trace "pass single env, accept single env"
+verbose "test $tid: pass single env, accept single env"
+_XXX_TEST=blah ${SSH} -oSendEnv="_XXX_TEST" -F $OBJ/ssh_proxy_envpass \
+    otherhost sh << 'EOF'
+	test X"$_XXX_TEST" = X"blah"
+EOF
+r=$?
+if [ $r -ne 0 ]; then
+	fail "environment not found"
+fi
+
+trace "pass multiple env, accept multiple env"
+verbose "test $tid: pass multiple env, accept multiple env"
+_XXX_TEST_A=1 _XXX_TEST_B=2 ${SSH} -oSendEnv="_XXX_TEST_*" \
+    -F $OBJ/ssh_proxy_envpass otherhost \
+	sh << 'EOF'
+	test X"$_XXX_TEST_A" = X"1" -a X"$_XXX_TEST_B" = X"2"
+EOF
+r=$?
+if [ $r -ne 0 ]; then
+	fail "environment not found"
+fi
+
+rm -f $OBJ/ssh_proxy_envpass

regress/exit-status.sh

@@ -0,0 +1,24 @@
+#	$OpenBSD: exit-status.sh,v 1.6 2002/03/15 13:08:56 markus Exp $
+#	Placed in the Public Domain.
+
+tid="remote exit status"
+
+for p in 1 2; do
+	for s in 0 1 4 5 44; do
+		trace "proto $p status $s"
+		verbose "test $tid: proto $p status $s"
+		${SSH} -$p -F $OBJ/ssh_proxy otherhost exit $s
+		r=$?
+		if [ $r -ne $s ]; then
+			fail "exit code mismatch for protocol $p: $r != $s"
+		fi
+
+		# same with early close of stdout/err
+		${SSH} -$p -F $OBJ/ssh_proxy -n otherhost \
+                	exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
+		r=$?
+		if [ $r -ne $s ]; then
+			fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
+		fi
+	done
+done

regress/forcecommand.sh

@@ -0,0 +1,42 @@
+#	$OpenBSD: forcecommand.sh,v 1.1 2006/07/19 13:09:28 dtucker Exp $
+#	Placed in the Public Domain.
+
+tid="forced command"
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+echo -n 'command="true" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echo -n 'command="true" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+
+for p in 1 2; do
+	trace "forced command in key option proto $p"
+	${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+	    fail "forced command in key proto $p"
+done
+
+echo -n 'command="false" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echo -n 'command="false" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "ForceCommand true" >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+	trace "forced command in sshd_config overrides key option proto $p"
+	${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+	    fail "forced command in key proto $p"
+done
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "ForceCommand false" >> $OBJ/sshd_proxy
+echo "Match User $USER" >> $OBJ/sshd_proxy
+echo "    ForceCommand true" >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+	trace "forced command with match proto $p"
+	${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+	    fail "forced command in key proto $p"
+done

regress/forwarding.sh

@@ -0,0 +1,104 @@
+#	$OpenBSD: forwarding.sh,v 1.7 2010/01/11 02:53:44 dtucker Exp $
+#	Placed in the Public Domain.
+
+tid="local and remote forwarding"
+
+start_sshd
+
+base=33
+last=$PORT
+fwd=""
+for j in 0 1 2; do
+	for i in 0 1 2; do
+		a=$base$j$i
+		b=`expr $a + 50`
+		c=$last
+		# fwd chain: $a -> $b -> $c
+		fwd="$fwd -L$a:127.0.0.1:$b -R$b:127.0.0.1:$c"
+		last=$a
+	done
+done
+for p in 1 2; do
+	q=`expr 3 - $p`
+	trace "start forwarding, fork to background"
+	${SSH} -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10
+
+	trace "transfer over forwarded channels and check result"
+	${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
+		somehost cat /bin/ls > $OBJ/ls.copy
+	test -f $OBJ/ls.copy			|| fail "failed copy /bin/ls"
+	cmp /bin/ls $OBJ/ls.copy		|| fail "corrupted copy of /bin/ls"
+
+	sleep 10
+done
+
+for p in 1 2; do
+for d in L R; do
+	trace "exit on -$d forward failure, proto $p"
+
+	# this one should succeed
+	${SSH} -$p -F $OBJ/ssh_config \
+	    -$d ${base}01:127.0.0.1:$PORT \
+	    -$d ${base}02:127.0.0.1:$PORT \
+	    -$d ${base}03:127.0.0.1:$PORT \
+	    -$d ${base}04:127.0.0.1:$PORT \
+	    -oExitOnForwardFailure=yes somehost true
+	if [ $? != 0 ]; then
+		fail "connection failed, should not"
+	else
+		# this one should fail
+		${SSH} -q -$p -F $OBJ/ssh_config \
+		    -$d ${base}01:127.0.0.1:$PORT \
+		    -$d ${base}02:127.0.0.1:$PORT \
+		    -$d ${base}03:127.0.0.1:$PORT \
+		    -$d ${base}01:127.0.0.1:$PORT \
+		    -$d ${base}04:127.0.0.1:$PORT \
+		    -oExitOnForwardFailure=yes somehost true
+		r=$?
+		if [ $r != 255 ]; then
+			fail "connection not termintated, but should ($r)"
+		fi
+	fi
+done
+done
+
+for p in 1 2; do
+	trace "simple clear forwarding proto $p"
+	${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
+
+	trace "clear local forward proto $p"
+	${SSH} -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
+	    -oClearAllForwardings=yes somehost sleep 10
+	if [ $? != 0 ]; then
+		fail "connection failed with cleared local forwarding"
+	else
+		# this one should fail
+		${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
+		     2>${TEST_SSH_LOGFILE} && \
+			fail "local forwarding not cleared"
+	fi
+	sleep 10
+	
+	trace "clear remote forward proto $p"
+	${SSH} -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
+	    -oClearAllForwardings=yes somehost sleep 10
+	if [ $? != 0 ]; then
+		fail "connection failed with cleared remote forwarding"
+	else
+		# this one should fail
+		${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
+		     2>${TEST_SSH_LOGFILE} && \
+			fail "remote forwarding not cleared"
+	fi
+	sleep 10
+done
+
+for p in 2; do
+	trace "stdio forwarding proto $p"
+	cmd="${SSH} -$p -F $OBJ/ssh_config"
+	$cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" \
+		somehost true
+	if [ $? != 0 ]; then
+		fail "stdio forwarding proto $p"
+	fi
+done

regress/host-expand.sh

@@ -0,0 +1,18 @@
+#	Placed in the Public Domain.
+
+tid="expand %h and %n"
+
+echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy
+printf 'LocalCommand printf "%%%%s\\n" "%%n" "%%h"\n' >> $OBJ/ssh_proxy
+
+cat >expect <<EOE
+somehost
+127.0.0.1
+EOE
+
+for p in 1 2; do
+	verbose "test $tid: proto $p"
+	${SSH} -F $OBJ/ssh_proxy -$p somehost true >actual
+	diff expect actual || fail "$tid proto $p"
+done
+

regress/kextype.sh

@@ -0,0 +1,26 @@
+#	$OpenBSD: kextype.sh,v 1.1 2010/09/22 12:26:05 djm Exp $
+#	Placed in the Public Domain.
+
+tid="login with different key exchange algorithms"
+
+TIME=/usr/bin/time
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
+
+kextypes="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521"
+kextypes="$kextypes diffie-hellman-group-exchange-sha256"
+kextypes="$kextypes diffie-hellman-group-exchange-sha1"
+kextypes="$kextypes diffie-hellman-group14-sha1"
+kextypes="$kextypes diffie-hellman-group1-sha1"
+
+tries="1 2 3 4"
+for k in $kextypes; do 
+	verbose "kex $k"
+	for i in $tries; do
+		${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
+		if [ $? -ne 0 ]; then
+			fail "ssh kex $k"
+		fi
+	done
+done
+

regress/key-options.sh

@@ -0,0 +1,71 @@
+#	$OpenBSD: key-options.sh,v 1.2 2008/06/30 08:07:34 djm Exp $
+#	Placed in the Public Domain.
+
+tid="key options"
+
+origkeys="$OBJ/authkeys_orig"
+authkeys="$OBJ/authorized_keys_${USER}"
+cp $authkeys $origkeys
+
+# Test command= forced command
+for p in 1 2; do
+    for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
+	sed "s/.*/$c &/" $origkeys >$authkeys
+	verbose "key option proto $p $c"
+	r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost echo foo`
+	if [ "$r" = "foo" ]; then
+		fail "key option forced command not restricted"
+	fi
+	if [ "$r" != "bar" ]; then
+		fail "key option forced command not executed"
+	fi
+    done
+done
+
+# Test no-pty
+sed 's/.*/no-pty &/' $origkeys >$authkeys
+for p in 1 2; do
+	verbose "key option proto $p no-pty"
+	r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost tty`
+	if [ -f "$r" ]; then
+		fail "key option failed proto $p no-pty (pty $r)"
+	fi
+done
+
+# Test environment=
+echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
+sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys
+for p in 1 2; do
+	verbose "key option proto $p environment"
+	r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo $FOO'`
+	if [ "$r" != "bar" ]; then
+		fail "key option environment not set"
+	fi
+done
+
+# Test from= restriction
+start_sshd
+for p in 1 2; do
+    for f in 127.0.0.1 '127.0.0.0\/8'; do
+	cat  $origkeys >$authkeys
+	${SSH} -$p -q -F $OBJ/ssh_proxy somehost true
+	if [ $? -ne 0 ]; then
+		fail "key option proto $p failed without restriction"
+	fi
+
+	sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
+	from=`head -1 $authkeys | cut -f1 -d ' '`
+	verbose "key option proto $p $from"
+	r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'`
+	if [ "$r" = "true" ]; then
+		fail "key option proto $p $from not restricted"
+	fi
+
+	r=`${SSH} -$p -q -F $OBJ/ssh_config somehost 'echo true'`
+	if [ "$r" != "true" ]; then
+		fail "key option proto $p $from not allowed but should be"
+	fi
+    done
+done
+
+rm -f "$origkeys"

regress/keygen-change.sh

@@ -0,0 +1,23 @@
+#	$OpenBSD: keygen-change.sh,v 1.2 2002/07/16 09:15:55 markus Exp $
+#	Placed in the Public Domain.
+
+tid="change passphrase for key"
+
+S1="secret1"
+S2="2secret"
+
+for t in rsa dsa rsa1; do
+	# generate user key for agent
+	trace "generating $t key"
+	rm -f $OBJ/$t-key
+	${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key
+	if [ $? -eq 0 ]; then
+		${SSHKEYGEN} -p -P ${S1} -N ${S2} -f $OBJ/$t-key > /dev/null
+		if [ $? -ne 0 ]; then
+			fail "ssh-keygen -p failed for $t-key"
+		fi
+	else
+		fail "ssh-keygen for $t-key failed"
+	fi
+	rm -f $OBJ/$t-key $OBJ/$t-key.pub
+done

regress/keygen-convert.sh

@@ -0,0 +1,33 @@
+#	$OpenBSD: keygen-convert.sh,v 1.1 2009/11/09 04:20:04 dtucker Exp $
+#	Placed in the Public Domain.
+
+tid="convert keys"
+
+for t in rsa dsa; do
+	# generate user key for agent
+	trace "generating $t key"
+	rm -f $OBJ/$t-key
+	${SSHKEYGEN} -q -N "" -t $t -f $OBJ/$t-key
+
+	trace "export $t private to rfc4716 public"
+	${SSHKEYGEN} -q -e -f $OBJ/$t-key >$OBJ/$t-key-rfc || \
+	    fail "export $t private to rfc4716 public"
+
+	trace "export $t public to rfc4716 public"
+	${SSHKEYGEN} -q -e -f $OBJ/$t-key.pub >$OBJ/$t-key-rfc.pub || \
+	    fail "$t public to rfc4716 public"
+
+	cmp $OBJ/$t-key-rfc $OBJ/$t-key-rfc.pub || \
+	    fail "$t rfc4716 exports differ between public and private"
+
+	trace "import $t rfc4716 public"
+	${SSHKEYGEN} -q -i -f $OBJ/$t-key-rfc >$OBJ/$t-rfc-imported || \
+	    fail "$t import rfc4716 public"
+
+	cut -f1,2 -d " " $OBJ/$t-key.pub >$OBJ/$t-key-nocomment.pub
+	cmp $OBJ/$t-key-nocomment.pub $OBJ/$t-rfc-imported || \
+	    fail "$t imported differs from original"
+
+	rm -f $OBJ/$t-key $OBJ/$t-key.pub $OBJ/$t-key-rfc $OBJ/$t-key-rfc.pub \
+	    $OBJ/$t-rfc-imported $OBJ/$t-key-nocomment.pub
+done

regress/keyscan.sh

@@ -0,0 +1,19 @@
+#	$OpenBSD: keyscan.sh,v 1.3 2002/03/15 13:08:56 markus Exp $
+#	Placed in the Public Domain.
+
+tid="keyscan"
+
+# remove DSA hostkey
+rm -f ${OBJ}/host.dsa
+
+start_sshd
+
+for t in rsa1 rsa dsa; do
+	trace "keyscan type $t"
+	${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \
+		> /dev/null 2>&1
+	r=$?
+	if [ $r -ne 0 ]; then
+		fail "ssh-keyscan -t $t failed with: $r"
+	fi
+done

regress/keytype.sh

@@ -0,0 +1,48 @@
+#	$OpenBSD: keytype.sh,v 1.1 2010/09/02 16:12:55 markus Exp $
+#	Placed in the Public Domain.
+
+tid="login with different key types"
+
+TIME=/usr/bin/time
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
+
+ktypes="dsa-1024 rsa-2048 ecdsa-256 rsa-3072 ecdsa-384 ecdsa-521"
+
+for kt in $ktypes; do 
+	rm -f $OBJ/key.$kt
+	bits=${kt#*-}
+	type=${kt%-*} 
+	printf "keygen $type, $bits bits:\t"
+	${TIME} ${SSHKEYGEN} -b $bits -q -N '' -t $type  -f $OBJ/key.$kt ||\
+		fail "ssh-keygen for type $type, $bits bits failed"
+done
+
+tries="1 2 3"
+for ut in $ktypes; do 
+	htypes=$ut
+	#htypes=$ktypes
+	for ht in $htypes; do 
+		trace "ssh connect, userkey $ut, hostkey $ht"
+		(
+			grep -v HostKey $OBJ/sshd_proxy_bak
+			echo HostKey $OBJ/key.$ht 
+		) > $OBJ/sshd_proxy
+		(
+			grep -v IdentityFile $OBJ/ssh_proxy_bak
+			echo IdentityFile $OBJ/key.$ut 
+		) > $OBJ/ssh_proxy
+		(
+			echo -n 'localhost-with-alias,127.0.0.1,::1 '
+			cat $OBJ/key.$ht.pub
+		) > $OBJ/known_hosts
+		cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER
+		for i in $tries; do
+			printf "userkey $ut, hostkey ${ht}:\t"
+			${TIME} ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
+			if [ $? -ne 0 ]; then
+				fail "ssh userkey $ut, hostkey $ht failed"
+			fi
+		done
+	done
+done

regress/localcommand.sh

@@ -0,0 +1,15 @@
+#	$OpenBSD: localcommand.sh,v 1.1 2007/10/29 06:57:13 dtucker Exp $
+#	Placed in the Public Domain.
+
+tid="localcommand"
+
+echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy
+echo 'LocalCommand echo foo' >> $OBJ/ssh_proxy
+
+for p in 1 2; do
+	verbose "test $tid: proto $p localcommand"
+	a=$(${SSH} -F $OBJ/ssh_proxy -$p somehost true)
+	if [ "$a" != "foo" ] ; then
+		fail "$tid proto $p"
+	fi
+done

regress/login-timeout.sh

@@ -0,0 +1,29 @@
+#	$OpenBSD: login-timeout.sh,v 1.4 2005/02/27 23:13:36 djm Exp $
+#	Placed in the Public Domain.
+
+tid="connect after login grace timeout"
+
+trace "test login grace with privsep"
+echo "LoginGraceTime 10s" >> $OBJ/sshd_config
+echo "MaxStartups 1" >> $OBJ/sshd_config
+start_sshd
+
+(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & 
+sleep 15
+${SSH} -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+	fail "ssh connect after login grace timeout failed with privsep"
+fi
+
+$SUDO kill `cat $PIDFILE`
+
+trace "test login grace without privsep"
+echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config
+start_sshd
+
+(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & 
+sleep 15
+${SSH} -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+	fail "ssh connect after login grace timeout failed without privsep"
+fi

regress/multiplex.sh

@@ -0,0 +1,86 @@
+#	$OpenBSD: multiplex.sh,v 1.12 2009/05/05 07:51:36 dtucker Exp $
+#	Placed in the Public Domain.
+
+CTL=$OBJ/ctl-sock
+
+tid="connection multiplexing"
+
+DATA=/bin/ls
+COPY=$OBJ/ls.copy
+LOG=$TEST_SSH_LOGFILE
+
+start_sshd
+
+trace "start master, fork to background"
+${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost &
+MASTER_PID=$!
+
+# Wait for master to start and authenticate
+sleep 5
+
+verbose "test $tid: envpass"
+trace "env passing over multiplexed connection"
+_XXX_TEST=blah ${SSH} -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" -S$CTL otherhost sh << 'EOF'
+	test X"$_XXX_TEST" = X"blah"
+EOF
+if [ $? -ne 0 ]; then
+	fail "environment not found"
+fi
+
+verbose "test $tid: transfer"
+rm -f ${COPY}
+trace "ssh transfer over multiplexed connection and check result"
+${SSH} -F $OBJ/ssh_config -S$CTL otherhost cat ${DATA} > ${COPY}
+test -f ${COPY}			|| fail "ssh -Sctl: failed copy ${DATA}" 
+cmp ${DATA} ${COPY}		|| fail "ssh -Sctl: corrupted copy of ${DATA}"
+
+rm -f ${COPY}
+trace "ssh transfer over multiplexed connection and check result"
+${SSH} -F $OBJ/ssh_config -S $CTL otherhost cat ${DATA} > ${COPY}
+test -f ${COPY}			|| fail "ssh -S ctl: failed copy ${DATA}" 
+cmp ${DATA} ${COPY}		|| fail "ssh -S ctl: corrupted copy of ${DATA}"
+
+rm -f ${COPY}
+trace "sftp transfer over multiplexed connection and check result"
+echo "get ${DATA} ${COPY}" | \
+	${SFTP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost >$LOG 2>&1
+test -f ${COPY}			|| fail "sftp: failed copy ${DATA}" 
+cmp ${DATA} ${COPY}		|| fail "sftp: corrupted copy of ${DATA}"
+
+rm -f ${COPY}
+trace "scp transfer over multiplexed connection and check result"
+${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >$LOG 2>&1
+test -f ${COPY}			|| fail "scp: failed copy ${DATA}" 
+cmp ${DATA} ${COPY}		|| fail "scp: corrupted copy of ${DATA}"
+
+rm -f ${COPY}
+
+for s in 0 1 4 5 44; do
+	trace "exit status $s over multiplexed connection"
+	verbose "test $tid: status $s"
+	${SSH} -F $OBJ/ssh_config -S $CTL otherhost exit $s
+	r=$?
+	if [ $r -ne $s ]; then
+		fail "exit code mismatch for protocol $p: $r != $s"
+	fi
+
+	# same with early close of stdout/err
+	trace "exit status $s with early close over multiplexed connection"
+	${SSH} -F $OBJ/ssh_config -S $CTL -n otherhost \
+                exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
+	r=$?
+	if [ $r -ne $s ]; then
+		fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
+	fi
+done
+
+trace "test check command"
+${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost || fail "check command failed" 
+
+trace "test exit command"
+${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost || fail "send exit command failed" 
+
+# Wait for master to exit
+sleep 2
+
+ps -p $MASTER_PID >/dev/null && fail "exit command failed" 

regress/portnum.sh

@@ -0,0 +1,32 @@
+#	$OpenBSD: portnum.sh,v 1.1 2009/08/13 00:57:17 djm Exp $
+#	Placed in the Public Domain.
+
+tid="port number parsing"
+
+badport() {
+	port=$1
+	verbose "$tid: invalid port $port"
+	if ${SSH} -F $OBJ/ssh_proxy -p $port somehost true 2>/dev/null ; then
+		fail "$tid accepted invalid port $port"
+	fi
+}
+goodport() {
+	port=$1
+	verbose "$tid: valid port $port"
+	if ! ${SSH} -F $OBJ/ssh_proxy -p $port somehost true 2>/dev/null ; then
+		fail "$tid rejected valid port $port"
+	fi
+}
+
+badport 0
+badport 65536
+badport 131073
+badport 2000blah
+badport blah2000
+
+goodport 1
+goodport 22
+goodport 2222
+goodport 22222
+goodport 65535
+

regress/proto-mismatch.sh

@@ -0,0 +1,19 @@
+#	$OpenBSD: proto-mismatch.sh,v 1.3 2002/03/15 13:08:56 markus Exp $
+#	Placed in the Public Domain.
+
+tid="protocol version mismatch"
+
+mismatch ()
+{
+	server=$1
+	client=$2
+	banner=`echo ${client} | ${SSHD} -o "Protocol=${server}" -i -f ${OBJ}/sshd_proxy`
+	r=$?
+	trace "sshd prints ${banner}"
+	if [ $r -ne 255 ]; then
+		fail "sshd prints ${banner} and accepts connect with version ${client}"
+	fi
+}
+
+mismatch	2	SSH-1.5-HALLO
+mismatch	1	SSH-2.0-HALLO

regress/proto-version.sh

@@ -0,0 +1,34 @@
+#	$OpenBSD: proto-version.sh,v 1.3 2002/03/15 13:08:56 markus Exp $
+#	Placed in the Public Domain.
+
+tid="sshd version with different protocol combinations"
+
+# we just start sshd in inetd mode and check the banner
+check_version ()
+{
+	version=$1
+	expect=$2
+	banner=`echo -n | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy`
+	case ${banner} in
+	SSH-1.99-*)
+		proto=199
+		;;
+	SSH-2.0-*)
+		proto=20
+		;;
+	SSH-1.5-*)
+		proto=15
+		;;
+	*)
+		proto=0
+		;;
+	esac
+	if [ ${expect} -ne ${proto} ]; then
+		fail "wrong protocol version ${banner} for ${version}"
+	fi
+}
+
+check_version	2,1	199
+check_version	1,2	199
+check_version	2	20
+check_version	1	15

regress/proxy-connect.sh

@@ -0,0 +1,18 @@
+#	$OpenBSD: proxy-connect.sh,v 1.5 2002/12/09 15:28:46 markus Exp $
+#	Placed in the Public Domain.
+
+tid="proxy connect"
+
+for p in 1 2; do
+	${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
+	if [ $? -ne 0 ]; then
+		fail "ssh proxyconnect protocol $p failed"
+	fi
+	SSH_CONNECTION=`${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 'echo $SSH_CONNECTION'`
+	if [ $? -ne 0 ]; then
+		fail "ssh proxyconnect protocol $p failed"
+	fi
+	if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
+		fail "bad SSH_CONNECTION"
+	fi
+done

regress/putty-ciphers.sh

@@ -0,0 +1,28 @@
+#	$OpenBSD: putty-ciphers.sh,v 1.3 2008/11/10 02:06:35 djm Exp $
+#	Placed in the Public Domain.
+
+tid="putty ciphers"
+
+DATA=/bin/ls
+COPY=${OBJ}/copy
+
+if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
+	fatal "putty interop tests not enabled"
+fi
+
+for c in aes blowfish 3des arcfour aes128-ctr aes192-ctr aes256-ctr ; do
+	verbose "$tid: cipher $c"
+	cp ${OBJ}/.putty/sessions/localhost_proxy \
+	    ${OBJ}/.putty/sessions/cipher_$c
+	echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
+
+	rm -f ${COPY}
+	env HOME=$PWD ${PLINK} -load cipher_$c -batch -i putty.rsa2 \
+	    127.0.0.1 cat ${DATA} > ${COPY}
+	if [ $? -ne 0 ]; then
+		fail "ssh cat $DATA failed"
+	fi
+	cmp ${DATA} ${COPY}		|| fail "corrupted copy"
+done
+rm -f ${COPY}
+

regress/putty-kex.sh

@@ -0,0 +1,25 @@
+#	$OpenBSD: putty-kex.sh,v 1.2 2008/06/30 10:31:11 djm Exp $
+#	Placed in the Public Domain.
+
+tid="putty KEX"
+
+DATA=/bin/ls
+COPY=${OBJ}/copy
+
+if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
+	fatal "putty interop tests not enabled"
+fi
+
+for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do
+	verbose "$tid: kex $k"
+	cp ${OBJ}/.putty/sessions/localhost_proxy \
+	    ${OBJ}/.putty/sessions/kex_$k
+	echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
+
+	env HOME=$PWD ${PLINK} -load kex_$k -batch -i putty.rsa2 \
+	    127.0.0.1 true
+	if [ $? -ne 0 ]; then
+		fail "KEX $k failed"
+	fi
+done
+

regress/putty-transfer.sh

@@ -0,0 +1,43 @@
+#	$OpenBSD: putty-transfer.sh,v 1.2 2008/06/30 10:31:11 djm Exp $
+#	Placed in the Public Domain.
+
+tid="putty transfer data"
+
+DATA=/bin/ls
+COPY=${OBJ}/copy
+
+if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
+	fatal "putty interop tests not enabled"
+fi
+
+# XXX support protocol 1 too
+for p in 2; do
+	for c in 0 1 ; do 
+	verbose "$tid: proto $p compression $c"
+		rm -f ${COPY}
+		cp ${OBJ}/.putty/sessions/localhost_proxy \
+		    ${OBJ}/.putty/sessions/compression_$c
+		echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
+		env HOME=$PWD ${PLINK} -load compression_$c -batch \
+		    -i putty.rsa$p 127.0.0.1 cat ${DATA} > ${COPY}
+		if [ $? -ne 0 ]; then
+			fail "ssh cat $DATA failed"
+		fi
+		cmp ${DATA} ${COPY}		|| fail "corrupted copy"
+	
+		for s in 10 100 1k 32k 64k 128k 256k; do
+			trace "proto $p compression $c dd-size ${s}"
+			rm -f ${COPY}
+			dd if=$DATA obs=${s} 2> /dev/null | \
+				env HOME=$PWD ${PLINK} -load compression_$c \
+				    -batch -i putty.rsa$p 127.0.0.1 \
+				    "cat > ${COPY}"
+			if [ $? -ne 0 ]; then
+				fail "ssh cat $DATA failed"
+			fi
+			cmp $DATA ${COPY}	|| fail "corrupted copy"
+		done
+	done
+done
+rm -f ${COPY}
+

regress/reconfigure.sh

@@ -0,0 +1,28 @@
+#	$OpenBSD: reconfigure.sh,v 1.2 2003/06/21 09:14:05 markus Exp $
+#	Placed in the Public Domain.
+
+tid="simple connect after reconfigure"
+
+# we need the full path to sshd for -HUP
+SSHD=/usr/sbin/sshd
+
+start_sshd
+
+$SUDO kill -HUP `cat $PIDFILE`
+sleep 1
+
+trace "wait for sshd to restart"
+i=0;
+while [ ! -f $PIDFILE -a $i -lt 10 ]; do
+	i=`expr $i + 1`
+	sleep $i
+done
+
+test -f $PIDFILE || fatal "sshd did not restart"
+
+for p in 1 2; do
+	${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
+	if [ $? -ne 0 ]; then
+		fail "ssh connect with protocol $p failed after reconfigure"
+	fi
+done

regress/reexec.sh

@@ -0,0 +1,72 @@
+#	$OpenBSD: reexec.sh,v 1.5 2004/10/08 02:01:50 djm Exp $
+#	Placed in the Public Domain.
+
+tid="reexec tests"
+
+DATA=/bin/ls
+COPY=${OBJ}/copy
+SSHD_ORIG=$SSHD
+SSHD_COPY=$OBJ/sshd
+
+# Start a sshd and then delete it
+start_sshd_copy ()
+{
+	cp $SSHD_ORIG $SSHD_COPY
+	SSHD=$SSHD_COPY
+	start_sshd
+	SSHD=$SSHD_ORIG
+}
+
+# Do basic copy tests
+copy_tests ()
+{
+	rm -f ${COPY}
+	for p in 1 2; do
+		verbose "$tid: proto $p"
+		${SSH} -nqo "Protocol=$p" -F $OBJ/ssh_config somehost \
+		    cat ${DATA} > ${COPY}
+		if [ $? -ne 0 ]; then
+			fail "ssh cat $DATA failed"
+		fi
+		cmp ${DATA} ${COPY}		|| fail "corrupted copy"
+		rm -f ${COPY}
+	done
+}
+
+verbose "test config passing"
+
+cp $OBJ/sshd_config $OBJ/sshd_config.orig
+start_sshd
+echo "InvalidXXX=no" >> $OBJ/sshd_config
+
+copy_tests
+
+$SUDO kill `cat $PIDFILE`
+rm -f $PIDFILE
+
+cp $OBJ/sshd_config.orig $OBJ/sshd_config
+
+verbose "test reexec fallback"
+
+start_sshd_copy
+rm -f $SSHD_COPY
+
+copy_tests
+
+$SUDO kill `cat $PIDFILE`
+rm -f $PIDFILE
+
+verbose "test reexec fallback without privsep"
+
+cp $OBJ/sshd_config.orig $OBJ/sshd_config
+echo "UsePrivilegeSeparation=no" >> $OBJ/sshd_config
+
+start_sshd_copy
+rm -f $SSHD_COPY
+
+copy_tests
+
+$SUDO kill `cat $PIDFILE`
+rm -f $PIDFILE
+
+

regress/rekey.sh

@@ -0,0 +1,31 @@
+#	$OpenBSD: rekey.sh,v 1.1 2003/03/28 13:58:28 markus Exp $
+#	Placed in the Public Domain.
+
+tid="rekey during transfer data"
+
+DATA=${OBJ}/data
+COPY=${OBJ}/copy
+LOG=${OBJ}/log
+
+rm -f ${COPY} ${LOG} ${DATA}
+dd if=/dev/zero of=${DATA} bs=1k count=512 > /dev/null 2>&1
+
+for s in 16 1k 128k 256k; do
+	trace "rekeylimit ${s}"
+	rm -f ${COPY}
+	cat $DATA | \
+		${SSH} -oCompression=no -oRekeyLimit=$s \
+			-v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" \
+		2> ${LOG}
+	if [ $? -ne 0 ]; then
+		fail "ssh failed"
+	fi
+	cmp $DATA ${COPY}		|| fail "corrupted copy"
+	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
+	n=`expr $n - 1`
+	trace "$n rekeying(s)"
+	if [ $n -lt 1 ]; then
+		fail "no rekeying occured"
+	fi
+done
+rm -f ${COPY} ${LOG} ${DATA}

regress/rsa_openssh.prv

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWgIBAAKBgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttrazGu0OhBU3Uko
++dFD1Ip0CxdXmN25JQWxOYF7h/Ocu8P3jzv3RTX87xKR0YzlXTLX+SLtF/ySebS3
+xWPrlfRUDhh03hR5V+8xxvvy9widPYKw/oItwGSueOsEq1LTczCDv2dAjQIDAQAB
+An8nH5VzvHkMbSqJ6eOYDsVwomRvYbH5IEaYl1x6VATITNvAu9kUdQ4NsSpuMc+7
+Jj9gKZvmO1y2YCKc0P/iO+i/eV0L+yQh1Rw18jQZll+12T+LZrKRav03YNvMx0gN
+wqWY48Kt6hv2/N/ebQzKRe79+D0t2cTh92hT7xENFLIBAkEBGnoGKFjAUkJCwO1V
+mzpUqMHpRZVOrqP9hUmPjzNJ5oBPFGe4+h1hoSRFOAzaNuZt8ssbqaLCkzB8bfzj
+qhZqAQJBANZekuUpp8iBLeLSagw5FkcPwPzq6zfExbhvsZXb8Bo/4SflNs4JHXwI
+7SD9Z8aJLvM4uQ/5M70lblDMQ40i3o0CQQDIJvBYBFL5tlOgakq/O7yi+wt0L5BZ
+9H79w5rCSAA0IHRoK/qI1urHiHC3f3vbbLk5UStfrqEaND/mm0shyNIBAkBLsYdC
+/ctt5Bc0wUGK4Vl5bBmj9LtrrMJ4FpBpLwj/69BwCuKoK9XKZ0h73p6XHveCEGRg
+PIlFX4MtaoLrwgU9AkBV2k4dgIws+X8YX65EsyyFjnlDqX4x0nSOjQB1msIKfHBr
+dh5XLDBTTCxnKhMJ0Yx/opgOvf09XHBFwaQntR5i
+-----END RSA PRIVATE KEY-----

regress/rsa_openssh.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttrazGu0OhBU3Uko+dFD1Ip0CxdXmN25JQWxOYF7h/Ocu8P3jzv3RTX87xKR0YzlXTLX+SLtF/ySebS3xWPrlfRUDhh03hR5V+8xxvvy9widPYKw/oItwGSueOsEq1LTczCDv2dAjQ==

regress/rsa_ssh2.prv

@@ -0,0 +1,16 @@
+---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
+Subject: ssh-keygen test
+Comment: "1024-bit rsa, Sat Jun 23 2001 12:21:26 -0400"
+P2/56wAAAi4AAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
+1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAB3wAAAdsAAAARAQABAAAD9icflXO8eQxtKonp
+45gOxXCiZG9hsfkgRpiXXHpUBMhM28C72RR1Dg2xKm4xz7smP2Apm+Y7XLZgIpzQ/+I76L
+95XQv7JCHVHDXyNBmWX7XZP4tmspFq/Tdg28zHSA3CpZjjwq3qG/b8395tDMpF7v34PS3Z
+xOH3aFPvEQ0UsgEAAAQA7IpcCnGijesEjDXdVoEPfh0akBJA9JAk1bba2sxrtDoQVN1JKP
+nRQ9SKdAsXV5jduSUFsTmBe4fznLvD948790U1/O8SkdGM5V0y1/ki7Rf8knm0t8Vj65X0
+VA4YdN4UeVfvMcb78vcInT2CsP6CLcBkrnjrBKtS03Mwg79nQI0AAAH/VdpOHYCMLPl/GF
++uRLMshY55Q6l+MdJ0jo0AdZrCCnxwa3YeVywwU0wsZyoTCdGMf6KYDr39PVxwRcGkJ7Ue
+YgAAAgDWXpLlKafIgS3i0moMORZHD8D86us3xMW4b7GV2/AaP+En5TbOCR18CO0g/WfGiS
+7zOLkP+TO9JW5QzEONIt6NAAACAQEaegYoWMBSQkLA7VWbOlSowelFlU6uo/2FSY+PM0nm
+gE8UZ7j6HWGhJEU4DNo25m3yyxuposKTMHxt/OOqFmoB
+---- END SSH2 ENCRYPTED PRIVATE KEY ----
+---

regress/scp-ssh-wrapper.sh

@@ -0,0 +1,57 @@
+#!/bin/sh
+#       $OpenBSD: scp-ssh-wrapper.sh,v 1.2 2005/12/14 04:36:39 dtucker Exp $
+#       Placed in the Public Domain.
+
+printname () {
+	NAME=$1
+	save_IFS=$IFS
+	IFS=/
+	set -- `echo "$NAME"`
+	IFS="$save_IFS"
+	while [ $# -ge 1 ] ; do
+		if [ "x$1" != "x" ]; then
+			echo "D0755 0 $1"
+		fi
+		shift;
+	done
+}
+
+# Discard all but last argument.  We use arg later.
+while test "$1" != ""; do
+	arg="$1"
+	shift
+done
+
+BAD="../../../../../../../../../../../../../${DIR}/dotpathdir"
+
+case "$SCPTESTMODE" in
+badserver_0)
+	echo "D0755 0 /${DIR}/rootpathdir"
+	echo "C755 2 rootpathfile"
+	echo "X"
+	;;
+badserver_1)
+	echo "D0755 0 $BAD"
+	echo "C755 2 file"
+	echo "X"
+	;;
+badserver_2)
+	echo "D0755 0 $BAD"
+	echo "C755 2 file"
+	echo "X"
+	;;
+badserver_3)
+	printname $BAD
+	echo "C755 2 file"
+	echo "X"
+	;;
+badserver_4)
+	printname $BAD
+	echo "D0755 0 .."
+	echo "C755 2 file"
+	echo "X"
+	;;
+*)
+	exec $arg
+	;;
+esac

regress/scp.sh

@@ -0,0 +1,120 @@
+#	$OpenBSD: scp.sh,v 1.7 2006/01/31 10:36:33 djm Exp $
+#	Placed in the Public Domain.
+
+tid="scp"
+
+#set -x
+
+DATA=/bin/ls
+COPY=${OBJ}/copy
+COPY2=${OBJ}/copy2
+DIR=${COPY}.dd
+DIR2=${COPY}.dd2
+
+SRC=`dirname ${SCRIPT}`
+cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.exe
+chmod 755 ${OBJ}/scp-ssh-wrapper.exe
+scpopts="-q -S ${OBJ}/scp-ssh-wrapper.exe"
+
+scpclean() {
+	rm -rf ${COPY} ${COPY2} ${DIR} ${DIR2}
+	mkdir ${DIR} ${DIR2}
+}
+
+verbose "$tid: simple copy local file to local file"
+scpclean
+$SCP $scpopts ${DATA} ${COPY} || fail "copy failed"
+cmp ${DATA} ${COPY} || fail "corrupted copy"
+
+verbose "$tid: simple copy local file to remote file"
+scpclean
+$SCP $scpopts ${DATA} somehost:${COPY} || fail "copy failed"
+cmp ${DATA} ${COPY} || fail "corrupted copy"
+
+verbose "$tid: simple copy remote file to local file"
+scpclean
+$SCP $scpopts somehost:${DATA} ${COPY} || fail "copy failed"
+cmp ${DATA} ${COPY} || fail "corrupted copy"
+
+verbose "$tid: simple copy local file to remote dir"
+scpclean
+cp ${DATA} ${COPY}
+$SCP $scpopts ${COPY} somehost:${DIR} || fail "copy failed"
+cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
+
+verbose "$tid: simple copy local file to local dir"
+scpclean
+cp ${DATA} ${COPY}
+$SCP $scpopts ${COPY} ${DIR} || fail "copy failed"
+cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
+
+verbose "$tid: simple copy remote file to local dir"
+scpclean
+cp ${DATA} ${COPY}
+$SCP $scpopts somehost:${COPY} ${DIR} || fail "copy failed"
+cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
+
+verbose "$tid: recursive local dir to remote dir"
+scpclean
+rm -rf ${DIR2}
+cp ${DATA} ${DIR}/copy
+$SCP $scpopts -r ${DIR} somehost:${DIR2} || fail "copy failed"
+diff -rN ${DIR} ${DIR2} || fail "corrupted copy"
+
+verbose "$tid: recursive local dir to local dir"
+scpclean
+rm -rf ${DIR2}
+cp ${DATA} ${DIR}/copy
+$SCP $scpopts -r ${DIR} ${DIR2} || fail "copy failed"
+diff -rN ${DIR} ${DIR2} || fail "corrupted copy"
+
+verbose "$tid: recursive remote dir to local dir"
+scpclean
+rm -rf ${DIR2}
+cp ${DATA} ${DIR}/copy
+$SCP $scpopts -r somehost:${DIR} ${DIR2} || fail "copy failed"
+diff -rN ${DIR} ${DIR2} || fail "corrupted copy"
+
+verbose "$tid: shell metacharacters"
+scpclean
+(cd ${DIR} && \
+ touch '`touch metachartest`' && \
+ $SCP $scpopts *metachar* ${DIR2} 2>/dev/null; \
+ [ ! -f metachartest ] ) || fail "shell metacharacters"
+
+if [ ! -z "$SUDO" ]; then
+	verbose "$tid: skipped file after scp -p with failed chown+utimes"
+	scpclean
+	cp -p ${DATA} ${DIR}/copy
+	cp -p ${DATA} ${DIR}/copy2
+	cp ${DATA} ${DIR2}/copy
+	chmod 660 ${DIR2}/copy
+	$SUDO chown root ${DIR2}/copy
+	$SCP -p $scpopts somehost:${DIR}/\* ${DIR2} >/dev/null 2>&1
+	$SUDO diff -rN ${DIR} ${DIR2} || fail "corrupted copy"
+	$SUDO rm ${DIR2}/copy
+fi
+
+for i in 0 1 2 3 4; do
+	verbose "$tid: disallow bad server #$i"
+	SCPTESTMODE=badserver_$i
+	export DIR SCPTESTMODE
+	scpclean
+	$SCP $scpopts somehost:${DATA} ${DIR} >/dev/null 2>/dev/null
+	[ -d {$DIR}/rootpathdir ] && fail "allows dir relative to root dir"
+	[ -d ${DIR}/dotpathdir ] && fail "allows dir creation in non-recursive mode"
+
+	scpclean
+	$SCP -r $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null
+	[ -d ${DIR}/dotpathdir ] && fail "allows dir creation outside of subdir"
+done
+
+verbose "$tid: detect non-directory target"
+scpclean
+echo a > ${COPY}
+echo b > ${COPY2}
+$SCP $scpopts ${DATA} ${COPY} ${COPY2}
+cmp ${COPY} ${COPY2} >/dev/null && fail "corrupt target"
+
+scpclean
+rm -f ${OBJ}/scp-ssh-wrapper.exe

regress/sftp-badcmds.sh

@@ -0,0 +1,67 @@
+#	$OpenBSD: sftp-badcmds.sh,v 1.4 2009/08/13 01:11:55 djm Exp $
+#	Placed in the Public Domain.
+
+tid="sftp invalid commands"
+
+DATA=/bin/ls
+DATA2=/bin/cat
+NONEXIST=/NONEXIST.$$
+COPY=${OBJ}/copy
+GLOBFILES=`(cd /bin;echo l*)`
+
+rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.*
+
+rm -f ${COPY}
+verbose "$tid: get nonexistent"
+echo "get $NONEXIST $COPY" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "get nonexistent failed"
+test -f ${COPY} && fail "existing copy after get nonexistent"
+
+rm -f ${COPY}.dd/*
+verbose "$tid: glob get to nonexistent directory"
+echo "get /bin/l* $NONEXIST" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "get nonexistent failed"
+for x in $GLOBFILES; do
+        test -f ${COPY}.dd/$x && fail "existing copy after get nonexistent"
+done
+
+rm -f ${COPY}
+verbose "$tid: put nonexistent"
+echo "put $NONEXIST $COPY" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "put nonexistent failed"
+test -f ${COPY} && fail "existing copy after put nonexistent"
+
+rm -f ${COPY}.dd/*
+verbose "$tid: glob put to nonexistent directory"
+echo "put /bin/l* ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "put nonexistent failed"
+for x in $GLOBFILES; do
+        test -f ${COPY}.dd/$x && fail "existing copy after nonexistent"
+done
+
+rm -f ${COPY}
+verbose "$tid: rename nonexistent"
+echo "rename $NONEXIST ${COPY}.1" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "rename nonexist failed"
+test -f ${COPY}.1 && fail "file exists after rename nonexistent"
+
+rm -rf ${COPY} ${COPY}.dd
+cp $DATA $COPY
+mkdir ${COPY}.dd
+verbose "$tid: rename target exists (directory)"
+echo "rename $COPY ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "rename target exists (directory) failed"
+test -f ${COPY} || fail "oldname missing after rename target exists (directory)"
+test -d ${COPY}.dd || fail "newname missing after rename target exists (directory)"
+cmp $DATA ${COPY} >/dev/null 2>&1 || fail "corrupted oldname after rename target exists (directory)"
+
+rm -f ${COPY}.dd/*
+rm -rf ${COPY}
+cp ${DATA2} ${COPY}
+verbose "$tid: glob put files to local file"
+echo "put /bin/l* $COPY" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 
+cmp ${DATA2} ${COPY} || fail "put successed when it should have failed"
+
+rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.*
+
+

regress/sftp-batch.sh

@@ -0,0 +1,57 @@
+#	$OpenBSD: sftp-batch.sh,v 1.4 2009/08/13 01:11:55 djm Exp $
+#	Placed in the Public Domain.
+
+tid="sftp batchfile"
+
+DATA=/bin/ls
+COPY=${OBJ}/copy
+BATCH=${OBJ}/sftp.bb
+
+rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.*
+
+cat << EOF > ${BATCH}.pass.1
+	get $DATA $COPY
+	put ${COPY} ${COPY}.1
+	rm ${COPY}
+	-put ${COPY} ${COPY}.2
+EOF
+
+cat << EOF > ${BATCH}.pass.2
+	# This is a comment
+
+	# That was a blank line
+	ls
+EOF
+
+cat << EOF > ${BATCH}.fail.1
+	get $DATA $COPY
+	put ${COPY} ${COPY}.3
+	rm ${COPY}.*
+	# The next command should fail
+	put ${COPY}.3 ${COPY}.4
+EOF
+
+cat << EOF > ${BATCH}.fail.2
+	# The next command should fail
+	jajajajaja
+EOF
+
+verbose "$tid: good commands"
+${SFTP} -b ${BATCH}.pass.1 -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "good commands failed"
+
+verbose "$tid: bad commands"
+${SFTP} -b ${BATCH}.fail.1 -D ${SFTPSERVER} >/dev/null 2>&1 \
+	&& fail "bad commands succeeded"
+
+verbose "$tid: comments and blanks"
+${SFTP} -b ${BATCH}.pass.2 -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "comments & blanks failed"
+
+verbose "$tid: junk command"
+${SFTP} -b ${BATCH}.fail.2 -D ${SFTPSERVER} >/dev/null 2>&1 \
+	&& fail "junk command succeeded"
+
+rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.*
+
+

regress/sftp-cmds.sh

@@ -0,0 +1,224 @@
+#	$OpenBSD: sftp-cmds.sh,v 1.11 2010/12/04 00:21:19 djm Exp $
+#	Placed in the Public Domain.
+
+# XXX - TODO: 
+# - chmod / chown / chgrp
+# - -p flag for get & put
+
+tid="sftp commands"
+
+DATA=/bin/ls
+COPY=${OBJ}/copy
+GLOBFILES=`(cd /bin;echo l*)`
+
+# Path with embedded quote
+QUOTECOPY=${COPY}".\"blah\""
+QUOTECOPY_ARG=${COPY}'.\"blah\"'
+# File with spaces
+SPACECOPY="${COPY} this has spaces.txt"
+SPACECOPY_ARG="${COPY}\ this\ has\ spaces.txt"
+# File with glob metacharacters
+GLOBMETACOPY="${COPY} [metachar].txt"
+
+rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2 ${BATCH}.*
+mkdir ${COPY}.dd
+
+verbose "$tid: lls"
+echo "cd ${OBJ}\nlls" | ${SFTP} -D ${SFTPSERVER} 2>&1 | \
+	grep -q copy.dd || fail "lls failed"
+
+verbose "$tid: lls w/path"
+echo "lls ${OBJ}" | ${SFTP} -D ${SFTPSERVER} 2>&1 | \
+	grep -q copy.dd || fail "lls w/path failed"
+
+verbose "$tid: ls"
+echo "ls ${OBJ}" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "ls failed"
+# XXX always successful
+
+verbose "$tid: shell"
+echo "!echo hi there" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "shell failed"
+# XXX always successful
+
+verbose "$tid: pwd"
+echo "pwd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "pwd failed"
+# XXX always successful
+
+verbose "$tid: lpwd"
+echo "lpwd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "lpwd failed"
+# XXX always successful
+
+verbose "$tid: quit"
+echo "quit" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "quit failed"
+# XXX always successful
+
+verbose "$tid: help"
+echo "help" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "help failed"
+# XXX always successful
+
+rm -f ${COPY}
+verbose "$tid: get"
+echo "get $DATA $COPY" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "get failed"
+cmp $DATA ${COPY} || fail "corrupted copy after get"
+
+rm -f ${COPY}
+verbose "$tid: get quoted"
+echo "get \"$DATA\" $COPY" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "get failed"
+cmp $DATA ${COPY} || fail "corrupted copy after get"
+
+rm -f ${QUOTECOPY}
+cp $DATA ${QUOTECOPY}
+verbose "$tid: get filename with quotes"
+echo "get \"$QUOTECOPY_ARG\" ${COPY}" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "get failed"
+cmp ${COPY} ${QUOTECOPY} || fail "corrupted copy after get with quotes"
+rm -f ${QUOTECOPY} ${COPY}
+
+rm -f "$SPACECOPY" ${COPY}
+cp $DATA "$SPACECOPY"
+verbose "$tid: get filename with spaces"
+echo "get ${SPACECOPY_ARG} ${COPY}" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "get failed"
+cmp ${COPY} "$SPACECOPY" || fail "corrupted copy after get with spaces"
+
+rm -f "$GLOBMETACOPY" ${COPY}
+cp $DATA "$GLOBMETACOPY"
+verbose "$tid: get filename with glob metacharacters"
+echo "get \"${GLOBMETACOPY}\" ${COPY}" | \
+	${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 || fail "get failed"
+cmp ${COPY} "$GLOBMETACOPY" || \
+	fail "corrupted copy after get with glob metacharacters"
+
+rm -f ${COPY}.dd/*
+verbose "$tid: get to directory"
+echo "get $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "get failed"
+cmp $DATA ${COPY}.dd/ls || fail "corrupted copy after get"
+
+rm -f ${COPY}.dd/*
+verbose "$tid: glob get to directory"
+echo "get /bin/l* ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "get failed"
+for x in $GLOBFILES; do
+        cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after get"
+done
+
+rm -f ${COPY}.dd/*
+verbose "$tid: get to local dir"
+echo "lcd ${COPY}.dd\nget $DATA" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "get failed"
+cmp $DATA ${COPY}.dd/ls || fail "corrupted copy after get"
+
+rm -f ${COPY}.dd/*
+verbose "$tid: glob get to local dir"
+echo "lcd ${COPY}.dd\nget /bin/l*" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+        || fail "get failed"
+for x in $GLOBFILES; do
+        cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after get"
+done
+
+rm -f ${COPY}
+verbose "$tid: put"
+echo "put $DATA $COPY" | \
+	${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 || fail "put failed"
+cmp $DATA ${COPY} || fail "corrupted copy after put"
+
+rm -f ${QUOTECOPY}
+verbose "$tid: put filename with quotes"
+echo "put $DATA \"$QUOTECOPY_ARG\"" | \
+	${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 || fail "put failed"
+cmp $DATA ${QUOTECOPY} || fail "corrupted copy after put with quotes"
+
+rm -f "$SPACECOPY"
+verbose "$tid: put filename with spaces"
+echo "put $DATA ${SPACECOPY_ARG}" | \
+	${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 || fail "put failed"
+cmp $DATA "$SPACECOPY" || fail "corrupted copy after put with spaces"
+
+rm -f ${COPY}.dd/*
+verbose "$tid: put to directory"
+echo "put $DATA ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "put failed"
+cmp $DATA ${COPY}.dd/ls || fail "corrupted copy after put"
+
+rm -f ${COPY}.dd/*
+verbose "$tid: glob put to directory"
+echo "put /bin/l* ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "put failed"
+for x in $GLOBFILES; do
+	cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after put"
+done
+
+rm -f ${COPY}.dd/*
+verbose "$tid: put to local dir"
+echo "cd ${COPY}.dd\nput $DATA" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "put failed"
+cmp $DATA ${COPY}.dd/ls || fail "corrupted copy after put"
+
+rm -f ${COPY}.dd/*
+verbose "$tid: glob put to local dir"
+echo "cd ${COPY}.dd\nput /bin/l*" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "put failed"
+for x in $GLOBFILES; do
+        cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after put"
+done
+
+verbose "$tid: rename"
+echo "rename $COPY ${COPY}.1" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "rename failed"
+test -f ${COPY}.1 || fail "missing file after rename"
+cmp $DATA ${COPY}.1 >/dev/null 2>&1 || fail "corrupted copy after rename"
+
+verbose "$tid: rename directory"
+echo "rename ${COPY}.dd ${COPY}.dd2" | \
+	${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 || \
+	fail "rename directory failed"
+test -d ${COPY}.dd && fail "oldname exists after rename directory"
+test -d ${COPY}.dd2 || fail "missing newname after rename directory"
+
+verbose "$tid: ln"
+echo "ln ${COPY}.1 ${COPY}.2" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 || fail "ln failed"
+test -f ${COPY}.2 || fail "missing file after ln"
+cmp ${COPY}.1 ${COPY}.2 || fail "created file is not equal after ln"
+
+verbose "$tid: ln -s"
+rm -f ${COPY}.2
+echo "ln -s ${COPY}.1 ${COPY}.2" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 || fail "ln -s failed"
+test -L ${COPY}.2 || fail "missing file after ln -s"
+
+verbose "$tid: mkdir"
+echo "mkdir ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "mkdir failed"
+test -d ${COPY}.dd || fail "missing directory after mkdir"
+
+# XXX do more here
+verbose "$tid: chdir"
+echo "chdir ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "chdir failed"
+
+verbose "$tid: rmdir"
+echo "rmdir ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "rmdir failed"
+test -d ${COPY}.1 && fail "present directory after rmdir"
+
+verbose "$tid: lmkdir"
+echo "lmkdir ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "lmkdir failed"
+test -d ${COPY}.dd || fail "missing directory after lmkdir"
+
+# XXX do more here
+verbose "$tid: lchdir"
+echo "lchdir ${COPY}.dd" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 \
+	|| fail "lchdir failed"
+
+rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2 ${BATCH}.*
+rm -rf ${QUOTECOPY} "$SPACECOPY" "$GLOBMETACOPY"
+
+

regress/sftp-glob.sh

@@ -0,0 +1,65 @@
+#	$OpenBSD: sftp-glob.sh,v 1.4 2009/08/13 01:11:55 djm Exp $
+#	Placed in the Public Domain.
+
+tid="sftp glob"
+
+sftp_ls() {
+	target=$1
+	errtag=$2
+	expected=$3
+	unexpected=$4
+	verbose "$tid: $errtag"
+	printf "ls -l %s" "${target}" | \
+		${SFTP} -b - -D ${SFTPSERVER} 2>/dev/null | \
+		grep -v "^sftp>" > ${RESULTS}
+	if [ $? -ne 0 ]; then
+		fail "$errtag failed"
+	fi
+	if test "x$expected" != "x" && \
+	   ! fgrep "$expected" ${RESULTS} >/dev/null 2>&1 ; then
+		fail "$expected missing from $errtag results"
+	fi
+	if test "x$unexpected" != "x" && \
+	   fgrep "$unexpected" ${RESULTS} >/dev/null 2>&1 ; then
+		fail "$unexpected present in $errtag results"
+	fi
+	rm -f ${RESULTS}
+}
+
+BASE=${OBJ}/glob
+RESULTS=${OBJ}/results
+DIR=${BASE}/dir
+DATA=${DIR}/file
+
+GLOB1="${DIR}/g-wild*"
+GLOB2="${DIR}/g-wildx"
+QUOTE="${DIR}/g-quote\""
+SLASH="${DIR}/g-sl\\ash"
+ESLASH="${DIR}/g-slash\\"
+QSLASH="${DIR}/g-qs\\\""
+SPACE="${DIR}/g-q space"
+
+rm -rf ${BASE}
+mkdir -p ${DIR}
+touch "${DATA}" "${GLOB1}" "${GLOB2}" "${QUOTE}"
+touch "${QSLASH}" "${ESLASH}" "${SLASH}" "${SPACE}"
+
+#       target                   message                expected     unexpected
+sftp_ls "${DIR}/fil*"            "file glob"            "${DATA}"    ""
+sftp_ls "${BASE}/d*"             "dir glob"             "`basename ${DATA}`" ""
+sftp_ls "${DIR}/g-wild\"*\""     "quoted glob"          "g-wild*"    "g-wildx"
+sftp_ls "${DIR}/g-wild\*"        "escaped glob"         "g-wild*"    "g-wildx"
+sftp_ls "${DIR}/g-quote\\\""     "escaped quote"        "g-quote\""  ""
+sftp_ls "\"${DIR}/g-quote\\\"\"" "quoted quote"         "g-quote\""  ""
+sftp_ls "'${DIR}/g-quote\"'"     "single-quoted quote"  "g-quote\""  ""
+sftp_ls "${DIR}/g-sl\\\\ash"     "escaped slash"        "g-sl\\ash"  ""
+sftp_ls "'${DIR}/g-sl\\\\ash'"   "quoted slash"         "g-sl\\ash"  ""
+sftp_ls "${DIR}/g-slash\\\\"     "escaped slash at EOL" "g-slash\\"  ""
+sftp_ls "'${DIR}/g-slash\\\\'"   "quoted slash at EOL"  "g-slash\\"  ""
+sftp_ls "${DIR}/g-qs\\\\\\\""    "escaped slash+quote"  "g-qs\\\""   ""
+sftp_ls "'${DIR}/g-qs\\\\\"'"    "quoted slash+quote"   "g-qs\\\""   ""
+sftp_ls "${DIR}/g-q\\ space"     "escaped space"        "g-q space"  ""
+sftp_ls "'${DIR}/g-q space'"     "quoted space"         "g-q space"  ""
+
+rm -rf ${BASE}
+

regress/sftp.sh

@@ -0,0 +1,29 @@
+#	$OpenBSD: sftp.sh,v 1.3 2009/08/13 01:11:55 djm Exp $
+#	Placed in the Public Domain.
+
+tid="basic sftp put/get"
+
+DATA=/bin/ls
+COPY=${OBJ}/copy
+
+BUFFERSIZE="5 1000 32000 64000"
+REQUESTS="1 2 10"
+
+for B in ${BUFFERSIZE}; do
+	for R in ${REQUESTS}; do
+                verbose "test $tid: buffer_size $B num_requests $R"
+		rm -f ${COPY}.1 ${COPY}.2
+		${SFTP} -D ${SFTPSERVER} -B $B -R $R -b /dev/stdin \
+		> /dev/null 2>&1 << EOF
+		version
+		get $DATA ${COPY}.1
+		put $DATA ${COPY}.2
+EOF
+		r=$?
+		if [ $r -ne 0 ]; then
+			fail "sftp failed with $r"
+		fi
+		cmp $DATA ${COPY}.1 || fail "corrupted copy after get"
+		cmp $DATA ${COPY}.2 || fail "corrupted copy after put"
+	done
+done

regress/ssh-com-client.sh

@@ -0,0 +1,134 @@
+#	$OpenBSD: ssh-com-client.sh,v 1.6 2004/02/24 17:06:52 markus Exp $
+#	Placed in the Public Domain.
+
+tid="connect with ssh.com client"
+
+#TEST_COMBASE=/path/to/ssh/com/binaries
+if [ "X${TEST_COMBASE}" = "X" ]; then
+	fatal '$TEST_COMBASE is not set'
+fi
+
+VERSIONS="
+	2.1.0
+	2.2.0
+	2.3.0
+	2.3.1
+	2.4.0
+	3.0.0
+	3.1.0
+	3.2.0
+	3.2.2
+	3.2.3
+	3.2.5
+	3.2.9
+	3.2.9.1
+	3.3.0"
+
+# 2.0.10 2.0.12 2.0.13 don't like the test setup
+
+# setup authorized keys
+SRC=`dirname ${SCRIPT}`
+cp ${SRC}/dsa_ssh2.prv ${OBJ}/id.com
+chmod 600 ${OBJ}/id.com
+${SSHKEYGEN} -i -f ${OBJ}/id.com	> $OBJ/id.openssh
+chmod 600 ${OBJ}/id.openssh
+${SSHKEYGEN} -y -f ${OBJ}/id.openssh	> $OBJ/authorized_keys_$USER
+${SSHKEYGEN} -e -f ${OBJ}/id.openssh	> $OBJ/id.com.pub
+echo IdKey ${OBJ}/id.com > ${OBJ}/id.list
+
+# we need a DSA host key
+t=dsa
+rm -f                             ${OBJ}/$t ${OBJ}/$t.pub
+${SSHKEYGEN} -q -N '' -t $t -f	  ${OBJ}/$t
+$SUDO cp $OBJ/$t $OBJ/host.$t
+echo HostKey $OBJ/host.$t >> $OBJ/sshd_config
+
+# add hostkeys to known hosts
+mkdir -p ${OBJ}/${USER}/hostkeys
+HK=${OBJ}/${USER}/hostkeys/key_${PORT}_127.0.0.1
+${SSHKEYGEN} -e -f ${OBJ}/rsa.pub > ${HK}.ssh-rsa.pub
+${SSHKEYGEN} -e -f ${OBJ}/dsa.pub > ${HK}.ssh-dss.pub
+
+cat > ${OBJ}/ssh2_config << EOF
+*:
+	QuietMode			yes
+	StrictHostKeyChecking		yes
+	Port				${PORT}
+	User				${USER}
+	Host				127.0.0.1
+	IdentityFile			${OBJ}/id.list
+	RandomSeedFile			${OBJ}/random_seed
+        UserConfigDirectory             ${OBJ}/%U
+	AuthenticationSuccessMsg	no
+	BatchMode			yes
+	ForwardX11			no
+EOF
+
+# we need a real server (no ProxyConnect option)
+start_sshd
+
+DATA=/bin/ls
+COPY=${OBJ}/copy
+rm -f ${COPY}
+
+# go for it
+for v in ${VERSIONS}; do
+	ssh2=${TEST_COMBASE}/${v}/ssh2
+	if [ ! -x ${ssh2} ]; then
+		continue
+	fi
+	verbose "ssh2 ${v}"
+	key=ssh-dss
+	skipcat=0
+        case $v in
+        2.1.*|2.3.0)
+                skipcat=1
+                ;;
+        3.0.*)
+                key=ssh-rsa
+                ;;
+        esac
+	cp ${HK}.$key.pub ${HK}.pub
+
+	# check exit status
+	${ssh2} -q -F ${OBJ}/ssh2_config somehost exit 42
+	r=$?
+        if [ $r -ne 42 ]; then
+                fail "ssh2 ${v} exit code test failed (got $r, expected 42)"
+        fi
+
+	# data transfer
+	rm -f ${COPY}
+	${ssh2} -F ${OBJ}/ssh2_config somehost cat ${DATA} > ${COPY}
+        if [ $? -ne 0 ]; then
+                fail "ssh2 ${v} cat test (receive) failed"
+        fi
+	cmp ${DATA} ${COPY}	|| fail "ssh2 ${v} cat test (receive) data mismatch"
+
+	# data transfer, again
+	if [ $skipcat -eq 0 ]; then
+		rm -f ${COPY}
+		cat ${DATA} | \
+			${ssh2} -F ${OBJ}/ssh2_config host "cat > ${COPY}"
+		if [ $? -ne 0 ]; then
+			fail "ssh2 ${v} cat test (send) failed"
+		fi
+		cmp ${DATA} ${COPY}	|| \
+			fail "ssh2 ${v} cat test (send) data mismatch"
+	fi
+
+	# no stderr after eof
+	rm -f ${COPY}
+	${ssh2} -F ${OBJ}/ssh2_config somehost \
+		exec sh -c \'"exec > /dev/null; sleep 1; echo bla 1>&2; exit 0"\' \
+		2> /dev/null
+        if [ $? -ne 0 ]; then
+                fail "ssh2 ${v} stderr test failed"
+        fi
+done
+
+rm -rf ${OBJ}/${USER}
+for i in ssh2_config random_seed dsa.pub dsa host.dsa \
+    id.list id.com id.com.pub id.openssh; do
+	rm -f ${OBJ}/$i
+done

regress/ssh-com-keygen.sh

@@ -0,0 +1,74 @@
+#	$OpenBSD: ssh-com-keygen.sh,v 1.4 2004/02/24 17:06:52 markus Exp $
+#	Placed in the Public Domain.
+
+tid="ssh.com key import"
+
+#TEST_COMBASE=/path/to/ssh/com/binaries
+if [ "X${TEST_COMBASE}" = "X" ]; then
+	fatal '$TEST_COMBASE is not set'
+fi
+
+VERSIONS="
+	2.0.10
+	2.0.12
+	2.0.13
+	2.1.0
+	2.2.0
+	2.3.0
+	2.3.1
+	2.4.0
+	3.0.0
+	3.1.0
+	3.2.0
+	3.2.2
+	3.2.3
+	3.2.5
+	3.2.9
+	3.2.9.1
+	3.3.0"
+
+COMPRV=${OBJ}/comkey
+COMPUB=${COMPRV}.pub
+OPENSSHPRV=${OBJ}/opensshkey
+OPENSSHPUB=${OPENSSHPRV}.pub
+
+# go for it
+for v in ${VERSIONS}; do
+	keygen=${TEST_COMBASE}/${v}/ssh-keygen2
+	if [ ! -x ${keygen} ]; then
+		continue
+	fi
+	types="dss"
+        case $v in
+        2.3.1|3.*)
+                types="$types rsa"
+                ;;
+        esac
+	for t in $types; do
+		verbose "ssh-keygen $v/$t"
+		rm -f $COMPRV $COMPUB $OPENSSHPRV $OPENSSHPUB
+		${keygen} -q -P -t $t ${COMPRV} > /dev/null 2>&1
+		if [ $? -ne 0 ]; then
+			fail "${keygen} -t $t failed"
+			continue
+		fi
+		${SSHKEYGEN} -if ${COMPUB} > ${OPENSSHPUB}
+		if [ $? -ne 0 ]; then
+			fail "import public key ($v/$t) failed"
+			continue
+		fi
+		${SSHKEYGEN} -if ${COMPRV} > ${OPENSSHPRV}
+		if [ $? -ne 0 ]; then
+			fail "import private key ($v/$t) failed"
+			continue
+		fi
+		chmod 600 ${OPENSSHPRV}
+		${SSHKEYGEN} -yf ${OPENSSHPRV} |\
+			diff - ${OPENSSHPUB}
+		if [ $? -ne 0 ]; then
+			fail "public keys ($v/$t) differ"
+		fi
+	done
+done
+
+rm -f $COMPRV $COMPUB $OPENSSHPRV $OPENSSHPUB

regress/ssh-com-sftp.sh

@@ -0,0 +1,61 @@
+#	$OpenBSD: ssh-com-sftp.sh,v 1.6 2009/08/20 18:43:07 djm Exp $
+#	Placed in the Public Domain.
+
+tid="basic sftp put/get with ssh.com server"
+
+DATA=/bin/ls
+COPY=${OBJ}/copy
+
+BUFFERSIZE="5 1000 32000 64000"
+REQUESTS="1 2 10"
+
+#TEST_COMBASE=/path/to/ssh/com/binaries
+if [ "X${TEST_COMBASE}" = "X" ]; then
+	fatal '$TEST_COMBASE is not set'
+fi
+
+VERSIONS="
+	2.0.10
+	2.0.12
+	2.0.13
+	2.1.0
+	2.2.0
+	2.3.0
+	2.3.1
+	2.4.0
+	3.0.0
+	3.1.0
+	3.2.0
+	3.2.2
+	3.2.3
+	3.2.5
+	3.2.9
+	3.2.9.1
+	3.3.0"
+
+# go for it
+for v in ${VERSIONS}; do
+	server=${TEST_COMBASE}/${v}/sftp-server2
+	if [ ! -x ${server} ]; then
+		continue
+	fi
+	verbose "sftp-server $v"
+	for B in ${BUFFERSIZE}; do
+		for R in ${REQUESTS}; do
+			verbose "test $tid: buffer_size $B num_requests $R"
+			rm -f ${COPY}.1 ${COPY}.2
+			${SFTP} -D ${server} -B $B -R $R -b /dev/stdin \
+			> /dev/null 2>&1 << EOF
+			version
+			get $DATA ${COPY}.1
+			put $DATA ${COPY}.2
+EOF
+			r=$?
+			if [ $r -ne 0 ]; then
+				fail "sftp failed with $r"
+			fi
+			cmp $DATA ${COPY}.1 || fail "corrupted copy after get"
+			cmp $DATA ${COPY}.2 || fail "corrupted copy after put"
+		done
+	done
+done

regress/ssh-com.sh

@@ -0,0 +1,119 @@
+#	$OpenBSD: ssh-com.sh,v 1.7 2004/02/24 17:06:52 markus Exp $
+#	Placed in the Public Domain.
+
+tid="connect to ssh.com server"
+
+#TEST_COMBASE=/path/to/ssh/com/binaries
+if [ "X${TEST_COMBASE}" = "X" ]; then
+	fatal '$TEST_COMBASE is not set'
+fi
+
+VERSIONS="
+	2.0.12
+	2.0.13
+	2.1.0
+	2.2.0
+	2.3.0
+	2.4.0
+	3.0.0
+	3.1.0
+	3.2.0
+	3.2.2
+	3.2.3
+	3.2.5
+	3.2.9
+	3.2.9.1
+	3.3.0"
+# 2.0.10 does not support UserConfigDirectory
+# 2.3.1 requires a config in $HOME/.ssh2
+
+SRC=`dirname ${SCRIPT}`
+
+# ssh.com
+cat << EOF > $OBJ/sshd2_config
+#*:
+	# Port and ListenAddress are not used.
+	QuietMode			yes
+	Port				4343
+	ListenAddress			127.0.0.1
+	UserConfigDirectory		${OBJ}/%U
+	Ciphers				AnyCipher
+	PubKeyAuthentication		yes
+	#AllowedAuthentications		publickey
+	AuthorizationFile		authorization
+	HostKeyFile			${SRC}/dsa_ssh2.prv
+	PublicHostKeyFile		${SRC}/dsa_ssh2.pub
+	RandomSeedFile			${OBJ}/random_seed
+	MaxConnections			0 
+	PermitRootLogin			yes
+	VerboseMode			no
+	CheckMail			no
+	Ssh1Compatibility		no
+EOF
+
+# create client config 
+sed "s/HostKeyAlias.*/HostKeyAlias ssh2-localhost-with-alias/" \
+	< $OBJ/ssh_config > $OBJ/ssh_config_com
+
+# we need a DSA key for
+rm -f                             ${OBJ}/dsa ${OBJ}/dsa.pub
+${SSHKEYGEN} -q -N '' -t dsa -f	  ${OBJ}/dsa
+
+# setup userdir, try rsa first
+mkdir -p ${OBJ}/${USER}
+cp /dev/null ${OBJ}/${USER}/authorization
+for t in rsa dsa; do
+	${SSHKEYGEN} -e -f ${OBJ}/$t.pub	>  ${OBJ}/${USER}/$t.com
+	echo Key $t.com			>> ${OBJ}/${USER}/authorization
+	echo IdentityFile ${OBJ}/$t	>> ${OBJ}/ssh_config_com
+done
+
+# convert and append DSA hostkey
+(
+	echo -n 'ssh2-localhost-with-alias,127.0.0.1,::1 '
+	${SSHKEYGEN} -if ${SRC}/dsa_ssh2.pub
+) >> $OBJ/known_hosts
+
+# go for it
+for v in ${VERSIONS}; do
+	sshd2=${TEST_COMBASE}/${v}/sshd2
+	if [ ! -x ${sshd2} ]; then
+		continue
+	fi
+	trace "sshd2 ${v}"
+	PROXY="proxycommand ${sshd2} -qif ${OBJ}/sshd2_config 2> /dev/null"
+	${SSH} -qF ${OBJ}/ssh_config_com -o "${PROXY}" dummy exit 0
+        if [ $? -ne 0 ]; then
+                fail "ssh connect to sshd2 ${v} failed"
+        fi
+
+	ciphers="3des-cbc blowfish-cbc arcfour"
+	macs="hmac-md5"
+	case $v in
+	2.4.*)
+		ciphers="$ciphers cast128-cbc"
+		macs="$macs hmac-sha1 hmac-sha1-96 hmac-md5-96"
+		;;
+	3.*)
+		ciphers="$ciphers aes128-cbc cast128-cbc"
+		macs="$macs hmac-sha1 hmac-sha1-96 hmac-md5-96"
+		;;
+	esac
+	#ciphers="3des-cbc"
+	for m in $macs; do
+	for c in $ciphers; do
+		trace "sshd2 ${v} cipher $c mac $m"
+		verbose "test ${tid}: sshd2 ${v} cipher $c mac $m"
+		${SSH} -c $c -m $m -qF ${OBJ}/ssh_config_com -o "${PROXY}" dummy exit 0
+		if [ $? -ne 0 ]; then
+			fail "ssh connect to sshd2 ${v} with $c/$m failed"
+		fi
+	done
+	done
+done
+
+rm -rf ${OBJ}/${USER}
+for i in sshd_config_proxy ssh_config_proxy random_seed \
+	sshd2_config dsa.pub dsa ssh_config_com; do
+	rm -f ${OBJ}/$i
+done

regress/ssh2putty.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+#	$OpenBSD: ssh2putty.sh,v 1.2 2009/10/06 23:51:49 dtucker Exp $
+
+if test "x$1" = "x" -o "x$2" = "x" -o "x$3" = "x" ; then
+	echo "Usage: ssh2putty hostname port ssh-private-key"
+	exit 1
+fi
+
+HOST=$1
+PORT=$2
+KEYFILE=$3
+
+# XXX - support DSA keys too
+if ! grep -q "BEGIN RSA PRIVATE KEY" $KEYFILE ; then
+	echo "Unsupported private key format"
+	exit 1
+fi
+
+public_exponent=`
+	openssl rsa -noout -text -in $KEYFILE | grep ^publicExponent | 
+	sed 's/.*(//;s/).*//'
+`
+test $? -ne 0 && exit 1
+
+modulus=`
+	openssl rsa -noout -modulus -in $KEYFILE | grep ^Modulus= | 
+	sed 's/^Modulus=/0x/' | tr A-Z a-z
+`
+test $? -ne 0 && exit 1
+
+echo "rsa2@$PORT:$HOST $public_exponent,$modulus"
+

regress/sshd-log-wrapper.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+#       $OpenBSD: sshd-log-wrapper.sh,v 1.2 2005/02/27 11:40:30 dtucker Exp $
+#       Placed in the Public Domain.
+#
+# simple wrapper for sshd proxy mode to catch stderr output
+# sh sshd-log-wrapper.sh /path/to/sshd /path/to/logfile
+
+sshd=$1
+log=$2
+shift
+shift
+
+exec $sshd $@ -e 2>>$log

regress/stderr-after-eof.sh

@@ -0,0 +1,28 @@
+#	$OpenBSD: stderr-after-eof.sh,v 1.1 2002/03/23 16:38:09 markus Exp $
+#	Placed in the Public Domain.
+
+tid="stderr data after eof"
+
+DATA=/etc/motd
+DATA=${OBJ}/data
+COPY=${OBJ}/copy
+
+# setup data
+rm -f ${DATA} ${COPY}
+cp /dev/null ${DATA}
+for i in 1 2 3 4 5 6; do
+	(date;echo $i) | md5 >> ${DATA}
+done
+
+${SSH} -2 -F $OBJ/ssh_proxy otherhost \
+	exec sh -c \'"exec > /dev/null; sleep 2; cat ${DATA} 1>&2 $s"\' \
+	2> ${COPY}
+r=$?
+if [ $r -ne 0 ]; then
+	fail "ssh failed with exit code $r"
+fi
+egrep 'Disconnecting: Received extended_data after EOF' ${COPY} &&
+	fail "ext data received after eof"
+cmp ${DATA} ${COPY}	|| fail "stderr corrupt"
+
+rm -f ${DATA} ${COPY}

regress/stderr-data.sh

@@ -0,0 +1,33 @@
+#	$OpenBSD: stderr-data.sh,v 1.2 2002/03/27 22:39:52 markus Exp $
+#	Placed in the Public Domain.
+
+tid="stderr data transfer"
+
+DATA=/bin/ls
+COPY=${OBJ}/copy
+rm -f ${COPY}
+
+for n in '' -n; do
+for p in 1 2; do
+	verbose "test $tid: proto $p ($n)"
+	${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \
+		exec sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
+		2> ${COPY}
+	r=$?
+	if [ $r -ne 0 ]; then
+		fail "ssh failed with exit code $r"
+	fi
+	cmp ${DATA} ${COPY}	|| fail "stderr corrupt"
+	rm -f ${COPY}
+
+	${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \
+		exec sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
+		> /dev/null 2> ${COPY}
+	r=$?
+	if [ $r -ne 0 ]; then
+		fail "ssh failed with exit code $r"
+	fi
+	cmp ${DATA} ${COPY}	|| fail "stderr corrupt"
+	rm -f ${COPY}
+done
+done

regress/t4.ok

@@ -0,0 +1 @@
+3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36

regress/t5.ok

@@ -0,0 +1 @@
+xokes-lylis-byleh-zebib-kalus-bihas-tevah-haroz-suhar-foved-noxex

regress/test-exec.sh

@@ -0,0 +1,327 @@
+#	$OpenBSD: test-exec.sh,v 1.37 2010/02/24 06:21:56 djm Exp $
+#	Placed in the Public Domain.
+
+USER=`id -un`
+#SUDO=sudo
+
+if [ ! -z "$TEST_SSH_PORT" ]; then
+	PORT="$TEST_SSH_PORT"
+else
+	PORT=4242
+fi
+
+OBJ=$1
+if [ "x$OBJ" = "x" ]; then
+	echo '$OBJ not defined'
+	exit 2
+fi
+if [ ! -d $OBJ ]; then
+	echo "not a directory: $OBJ"
+	exit 2
+fi
+SCRIPT=$2
+if [ "x$SCRIPT" = "x" ]; then
+	echo '$SCRIPT not defined'
+	exit 2
+fi
+if [ ! -f $SCRIPT ]; then
+	echo "not a file: $SCRIPT"
+	exit 2
+fi
+if sh -n $SCRIPT; then
+	true
+else
+	echo "syntax error in $SCRIPT"
+	exit 2
+fi
+unset SSH_AUTH_SOCK
+
+SRC=`dirname ${SCRIPT}`
+
+# defaults
+SSH=ssh
+SSHD=sshd
+SSHAGENT=ssh-agent
+SSHADD=ssh-add
+SSHKEYGEN=ssh-keygen
+SSHKEYSCAN=ssh-keyscan
+SFTP=sftp
+SFTPSERVER=/usr/libexec/sftp-server
+SCP=scp
+
+# Interop testing
+PLINK=/usr/local/bin/plink
+PUTTYGEN=/usr/local/bin/puttygen
+CONCH=/usr/local/bin/conch
+
+if [ "x$TEST_SSH_SSH" != "x" ]; then
+	SSH="${TEST_SSH_SSH}"
+fi
+if [ "x$TEST_SSH_SSHD" != "x" ]; then
+	SSHD="${TEST_SSH_SSHD}"
+fi
+if [ "x$TEST_SSH_SSHAGENT" != "x" ]; then
+	SSHAGENT="${TEST_SSH_SSHAGENT}"
+fi
+if [ "x$TEST_SSH_SSHADD" != "x" ]; then
+	SSHADD="${TEST_SSH_SSHADD}"
+fi
+if [ "x$TEST_SSH_SSHKEYGEN" != "x" ]; then
+	SSHKEYGEN="${TEST_SSH_SSHKEYGEN}"
+fi
+if [ "x$TEST_SSH_SSHKEYSCAN" != "x" ]; then
+	SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}"
+fi
+if [ "x$TEST_SSH_SFTP" != "x" ]; then
+	SFTP="${TEST_SSH_SFTP}"
+fi
+if [ "x$TEST_SSH_SFTPSERVER" != "x" ]; then
+	SFTPSERVER="${TEST_SSH_SFTPSERVER}"
+fi
+if [ "x$TEST_SSH_SCP" != "x" ]; then
+	SCP="${TEST_SSH_SCP}"
+fi
+if [ "x$TEST_SSH_PLINK" != "x" ]; then
+	PLINK="${TEST_SSH_PLINK}"
+fi
+if [ "x$TEST_SSH_PUTTYGEN" != "x" ]; then
+	PUTTYGEN="${TEST_SSH_PUTTYGEN}"
+fi
+if [ "x$TEST_SSH_CONCH" != "x" ]; then
+	CONCH="${TEST_SSH_CONCH}"
+fi
+
+# Path to sshd must be absolute for rexec
+if [ ! -x /$SSHD ]; then
+	SSHD=`which sshd`
+fi
+
+if [ "x$TEST_SSH_LOGFILE" = "x" ]; then
+	TEST_SSH_LOGFILE=/dev/null
+fi
+
+# these should be used in tests
+export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
+#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP
+
+# helper
+cleanup ()
+{
+	if [ -f $PIDFILE ]; then
+		pid=`cat $PIDFILE`
+		if [ "X$pid" = "X" ]; then
+			echo no sshd running
+		else
+			if [ $pid -lt 2 ]; then
+				echo bad pid for ssh: $pid
+			else
+				$SUDO kill $pid
+				trace "wait for sshd to exit"
+				i=0;
+				while [ -f $PIDFILE -a $i -lt 5 ]; do
+					i=`expr $i + 1`
+					sleep $i
+				done
+				test -f $PIDFILE && \
+				    fatal "sshd didn't exit port $PORT pid $pid"
+			fi
+		fi
+	fi
+}
+
+trace ()
+{
+	echo "trace: $@" >>$TEST_SSH_LOGFILE
+	if [ "X$TEST_SSH_TRACE" = "Xyes" ]; then
+		echo "$@"
+	fi
+}
+
+verbose ()
+{
+	echo "verbose: $@" >>$TEST_SSH_LOGFILE
+	if [ "X$TEST_SSH_QUIET" != "Xyes" ]; then
+		echo "$@"
+	fi
+}
+
+
+fail ()
+{
+	echo "FAIL: $@" >>$TEST_SSH_LOGFILE
+	RESULT=1
+	echo "$@"
+}
+
+fatal ()
+{
+	echo "FATAL: $@" >>$TEST_SSH_LOGFILE
+	echo -n "FATAL: "
+	fail "$@"
+	cleanup
+	exit $RESULT
+}
+
+RESULT=0
+PIDFILE=$OBJ/pidfile
+
+trap fatal 3 2
+
+# create server config
+cat << EOF > $OBJ/sshd_config
+	Port			$PORT
+	Protocol		2,1
+	AddressFamily		inet
+	ListenAddress		127.0.0.1
+	#ListenAddress		::1
+	PidFile			$PIDFILE
+	AuthorizedKeysFile	$OBJ/authorized_keys_%u
+	LogLevel		DEBUG
+	AcceptEnv		_XXX_TEST_*
+	AcceptEnv		_XXX_TEST
+	Subsystem	sftp	$SFTPSERVER
+EOF
+
+if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then
+	trace "adding sshd_config option $TEST_SSH_SSHD_CONFOPTS"
+	echo "$TEST_SSH_SSHD_CONFOPTS" >> $OBJ/sshd_config
+fi
+
+# server config for proxy connects
+cp $OBJ/sshd_config $OBJ/sshd_proxy
+
+# allow group-writable directories in proxy-mode
+echo 'StrictModes no' >> $OBJ/sshd_proxy
+
+# create client config
+cat << EOF > $OBJ/ssh_config
+Host *
+	Protocol		2,1
+	Hostname		127.0.0.1
+	HostKeyAlias		localhost-with-alias
+	Port			$PORT
+	User			$USER
+	GlobalKnownHostsFile	$OBJ/known_hosts
+	UserKnownHostsFile	$OBJ/known_hosts
+	RSAAuthentication	yes
+	PubkeyAuthentication	yes
+	ChallengeResponseAuthentication	no
+	HostbasedAuthentication	no
+	PasswordAuthentication	no
+	RhostsRSAAuthentication	no
+	BatchMode		yes
+	StrictHostKeyChecking	yes
+EOF
+
+if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then
+	trace "adding ssh_config option $TEST_SSH_SSHD_CONFOPTS"
+	echo "$TEST_SSH_SSH_CONFOPTS" >> $OBJ/ssh_config
+fi
+
+rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER
+
+trace "generate keys"
+for t in rsa rsa1; do
+	# generate user key
+	rm -f $OBJ/$t
+	${SSHKEYGEN} -q -N '' -t $t  -f $OBJ/$t ||\
+		fail "ssh-keygen for $t failed"
+
+	# known hosts file for client
+	(
+		echo -n 'localhost-with-alias,127.0.0.1,::1 '
+		cat $OBJ/$t.pub
+	) >> $OBJ/known_hosts
+
+	# setup authorized keys
+	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+	echo IdentityFile $OBJ/$t >> $OBJ/ssh_config
+
+	# use key as host key, too
+	$SUDO cp $OBJ/$t $OBJ/host.$t
+	echo HostKey $OBJ/host.$t >> $OBJ/sshd_config
+
+	# don't use SUDO for proxy connect
+	echo HostKey $OBJ/$t >> $OBJ/sshd_proxy
+done
+chmod 644 $OBJ/authorized_keys_$USER
+
+# Activate Twisted Conch tests if the binary is present
+REGRESS_INTEROP_CONCH=no
+if test -x "$CONCH" ; then
+	REGRESS_INTEROP_CONCH=yes
+fi
+
+# If PuTTY is present and we are running a PuTTY test, prepare keys and
+# configuration
+REGRESS_INTEROP_PUTTY=no
+if test -x "$PUTTYGEN" -a -x "$PLINK" ; then
+	REGRESS_INTEROP_PUTTY=yes
+fi
+case "$SCRIPT" in
+*putty*)	;;
+*)		REGRESS_INTEROP_PUTTY=no ;;
+esac
+
+if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
+	mkdir -p ${OBJ}/.putty
+
+	# Add a PuTTY key to authorized_keys
+	rm -f ${OBJ}/putty.rsa2
+	puttygen -t rsa -o ${OBJ}/putty.rsa2 < /dev/null > /dev/null
+	puttygen -O public-openssh ${OBJ}/putty.rsa2 \
+	    >> $OBJ/authorized_keys_$USER
+
+	# Convert rsa2 host key to PuTTY format
+	${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/rsa > \
+	    ${OBJ}/.putty/sshhostkeys
+	${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/rsa >> \
+	    ${OBJ}/.putty/sshhostkeys
+
+	# Setup proxied session
+	mkdir -p ${OBJ}/.putty/sessions
+	rm -f ${OBJ}/.putty/sessions/localhost_proxy
+	echo "Hostname=127.0.0.1" >> ${OBJ}/.putty/sessions/localhost_proxy
+	echo "PortNumber=$PORT" >> ${OBJ}/.putty/sessions/localhost_proxy
+	echo "ProxyMethod=5" >> ${OBJ}/.putty/sessions/localhost_proxy
+	echo "ProxyTelnetCommand=sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" >> ${OBJ}/.putty/sessions/localhost_proxy 
+
+	REGRESS_INTEROP_PUTTY=yes
+fi
+
+# create a proxy version of the client config
+(
+	cat $OBJ/ssh_config
+	echo proxycommand sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy
+) > $OBJ/ssh_proxy
+
+# check proxy config
+${SSHD} -t -f $OBJ/sshd_proxy	|| fatal "sshd_proxy broken"
+
+start_sshd ()
+{
+	# start sshd
+	$SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken"
+	$SUDO ${SSHD} -f $OBJ/sshd_config -e "$@" >>$TEST_SSH_LOGFILE 2>&1
+
+	trace "wait for sshd"
+	i=0;
+	while [ ! -f $PIDFILE -a $i -lt 5 ]; do
+		i=`expr $i + 1`
+		sleep $i
+	done
+
+	test -f $PIDFILE || fatal "no sshd running on port $PORT"
+}
+
+# source test body
+. $SCRIPT
+
+# kill sshd
+cleanup
+if [ $RESULT -eq 0 ]; then
+	verbose ok $tid
+else
+	echo failed $tid
+fi
+exit $RESULT

regress/transfer.sh

@@ -0,0 +1,29 @@
+#	$OpenBSD: transfer.sh,v 1.1 2002/03/27 00:03:37 markus Exp $
+#	Placed in the Public Domain.
+
+tid="transfer data"
+
+DATA=/bin/ls
+COPY=${OBJ}/copy
+
+for p in 1 2; do
+	verbose "$tid: proto $p"
+	rm -f ${COPY}
+	${SSH} -n -q -$p -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY}
+	if [ $? -ne 0 ]; then
+		fail "ssh cat $DATA failed"
+	fi
+	cmp ${DATA} ${COPY}		|| fail "corrupted copy"
+
+	for s in 10 100 1k 32k 64k 128k 256k; do
+		trace "proto $p dd-size ${s}"
+		rm -f ${COPY}
+		dd if=$DATA obs=${s} 2> /dev/null | \
+			${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
+		if [ $? -ne 0 ]; then
+			fail "ssh cat $DATA failed"
+		fi
+		cmp $DATA ${COPY}		|| fail "corrupted copy"
+	done
+done
+rm -f ${COPY}

regress/try-ciphers.sh

@@ -0,0 +1,43 @@
+#	$OpenBSD: try-ciphers.sh,v 1.12 2011/08/02 01:23:41 djm Exp $
+#	Placed in the Public Domain.
+
+tid="try ciphers"
+
+ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc 
+	arcfour128 arcfour256 arcfour 
+	aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
+	aes128-ctr aes192-ctr aes256-ctr"
+macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96
+	hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96"
+
+for c in $ciphers; do
+	for m in $macs; do
+		trace "proto 2 cipher $c mac $m"
+		verbose "test $tid: proto 2 cipher $c mac $m"
+		${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true
+		if [ $? -ne 0 ]; then
+			fail "ssh -2 failed with mac $m cipher $c"
+		fi
+	done
+done
+
+ciphers="3des blowfish"
+for c in $ciphers; do
+	trace "proto 1 cipher $c"
+	verbose "test $tid: proto 1 cipher $c"
+	${SSH} -F $OBJ/ssh_proxy -1 -c $c somehost true
+	if [ $? -ne 0 ]; then
+		fail "ssh -1 failed with cipher $c"
+	fi
+done
+
+echo "Ciphers acss@openssh.org" >> $OBJ/sshd_proxy
+c=acss@openssh.org
+for m in $macs; do
+	trace "proto 2 $c mac $m"
+	verbose "test $tid: proto 2 cipher $c mac $m"
+	${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true
+	if [ $? -ne 0 ]; then
+		fail "ssh -2 failed with mac $m cipher $c"
+	fi
+done

regress/yes-head.sh

@@ -0,0 +1,15 @@
+#	$OpenBSD: yes-head.sh,v 1.4 2002/03/15 13:08:56 markus Exp $
+#	Placed in the Public Domain.
+
+tid="yes pipe head"
+
+for p in 1 2; do
+	lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'yes | head -2000' | (sleep 3 ; wc -l)`
+	if [ $? -ne 0 ]; then
+		fail "yes|head test failed"
+		lines = 0;
+	fi
+	if [ $lines -ne 2000 ]; then
+		fail "yes|head returns $lines lines instead of 2000"
+	fi
+done