Re: [PATCH 4/3] Add test for -Z option

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On 25/04/2020 at 02:58, Loïc wrote :
> Add private key protection information extraction to shh-keygen using -v
> option on top of -y option which is already parsing the private key.
>
> Technically, the passphrase isn't necessary to do this, but it is the
> most logical thing to do for me.
>
> Adding this to -l option is not appropriate because fingerprinting is
> using the .pub file when available.
>
> An other idea is to add a new option, I can do it if you prefer.
>
> Also, I'm laking information for information extraction from PEM and
> PKCS8 file format, I'm OK to have a pointer to implement this correctly.
>
> This patch is also adding a regression test for the functionnality.
>
> ---
>
>  authfile.c                            |  16 ++--
>  authfile.h                            |   7 +-
>  regress/Makefile                      |   3 +-
>  regress/keygen-private-information.sh |  81 +++++++++++++++++++++
>  ssh-keygen.c                          |  44 +++++++----
>  ssh-keysign.c                         |   2 +-
>  sshconnect2.c                         |   2 +-
>  sshd.c                                |   2 +-
>  sshkey.c                              | 101 +++++++++++++++++++++++---
>  sshkey.h                              |  14 +++-
>  10 files changed, 234 insertions(+), 38 deletions(-)
>  create mode 100644 regress/keygen-private-information.sh
>
In since I discovered the -Z option, I'm adding here a regression test
for this option, the patch below applies on top on the upper one I'm
replying to.

Hope it is useful.

---
 regress/keygen-private-information.sh | 82 ++++++++++++++++-----------
 1 file changed, 50 insertions(+), 32 deletions(-)

diff --git a/regress/keygen-private-information.sh
b/regress/keygen-private-information.sh
index a9959e919fd1..ddf74eb95c3c 100644
--- a/regress/keygen-private-information.sh
+++ b/regress/keygen-private-information.sh
@@ -7,7 +7,8 @@ check_private_key () {
     format="$2"
     comment="$3"
     secret="$4"
-    rounds="$5"
+    cipher="$5"
+    rounds="$6"
 
     # construct expected output in $exp file
     exp=$OBJ/$t-expected
@@ -25,7 +26,7 @@ EOF
         echo "no passphrase" >> $exp
     else
         cat >> $exp << EOF
-cipher: aes256-ctr
+cipher: $cipher
 kdf: bcrypt
 rounds: $rounds
 EOF
@@ -44,37 +45,54 @@ EOF
     rm -f $OBJ/$t-pub $OBJ/$t-tmp $exp
 }
 
-for fmt in '' PKCS8 PEM ; do
+for fmt in '' RFC4716 PKCS8 PEM ; do
     for secret in '' 'secret1'; do
-        rounds_list="0"
-        test -n "$secret" -a -z "$fmt" && rounds_list="2 16"
-        for rounds in $rounds_list; do
-            for t in $SSH_KEYTYPES; do
-                trace "generating $t key in '$fmt' format with
'$secret' passphrase and '$rounds' rounds"
-                rm -f $OBJ/$t-key*
-                oldfmt=""
-                case "$fmt" in
-                PKCS8|PEM) oldfmt=1 ;;
-                esac
-                # Some key types like ssh-ed25519 and *@openssh.com are
never
-                # stored in old formats.
-                case "$t" in
-                ssh-ed25519|*openssh.com) test -z "$oldfmt" || continue ;;
-                esac
-                comment="foo bar"
-                fmtarg=""
-                test -z "$fmt" || fmtarg="-m $fmt"
-                test "$rounds" = "0" || roundarg="-a $rounds"
-                ${SSHKEYGEN} $fmtarg $roundarg -N "${secret}" -C
"${comment}" \
-                    -t $t -f $OBJ/$t-key >/dev/null 2>&1 || \
-                    fatal "keygen of $t in format $fmt failed"
-                rm -f $OBJ/$t-key.pub # .pub file not used, remove it
to be sure it is not used
-                if [ ! -z "$oldfmt" ] ; then
-                    # Comment cannot be recovered from old format keys.
-                    comment=""
-                fi
-                check_private_key $OBJ/$t-key "${fmt}" "${comment}"
"${secret}" "${rounds}"
-                rm -f $OBJ/$t-key*
+        cipher_list="default"
+        test -n "$secret" -a -z "$fmt" && cipher_list=`${SSH} -Q cipher`
+        for cipher in $cipher_list; do
+            rounds_list="default"
+            test -n "$secret" -a -z "$fmt" && rounds_list="2 16"
+            for rounds in $rounds_list; do
+                for t in $SSH_KEYTYPES; do
+                    trace "generating $t key in '$fmt' format with
'$secret' passphrase, '$cipher' cipher and '$rounds' rounds"
+                    rm -f $OBJ/$t-key*
+                    oldfmt=""
+                    case "$fmt" in
+                    PKCS8|PEM) oldfmt=1 ;;
+                    esac
+                    # Some key types like ssh-ed25519 and *@openssh.com
are never
+                    # stored in old formats.
+                    case "$t" in
+                    ssh-ed25519|*openssh.com) test -z "$oldfmt" ||
continue ;;
+                    esac
+                    comment="foo bar"
+                    fmtarg=""
+                    test -z "$fmt" || fmtarg="-m $fmt"
+                    if test "$rounds" = "default" ; then
+                        rounds=16;
+                        roundarg=""
+                    else
+                        roundarg="-a $rounds";
+                    fi
+                    if test "$cipher" = "default" ; then
+                        cipher="aes256-ctr" ;
+                        cipherarg=""
+                    else
+                        cipherarg="-Z $cipher";
+                    fi
+                    ${SSHKEYGEN} $fmtarg $cipherarg $roundarg \
+                        -N "${secret}" -C "${comment}" \
+                        -t $t -f $OBJ/$t-key >/dev/null 2>&1 || \
+                        fatal "keygen of $t in format $fmt failed"
+                    rm -f $OBJ/$t-key.pub # .pub file not used, remove
it to be sure it is not used
+                    if [ ! -z "$oldfmt" ] ; then
+                        # Comment cannot be recovered from old format keys.
+                        comment=""
+                    fi
+                    check_private_key $OBJ/$t-key "${fmt}" "${comment}" \
+                        "${secret}" "${cipher}" "${rounds}"
+                    rm -f $OBJ/$t-key*
+                done
             done
         done
     done
-- 
2.17.1


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux