tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-28 08:14:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

upstream: Only use supported key types during KRL test, preferring

Browse Source 
ed25519 since it's supported by both OpenSSL and non-OpenSSL builds.

OpenBSD-Regress-ID: 9f2bb3eadd50fcc8245b1bd8fd6f0e53602f71aa
This commit is contained in:
dtucker@openbsd.org 2019-07-25 09:17:35 +00:00 committed by Darren Tucker
parent 47f8ff1fa5
commit 061407efc1
1 changed files with 19 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
regress/krl.sh
View File

@ -1,13 +1,18 @@
# $OpenBSD: krl.sh,v 1.7 2018/09/12 01:23:48 djm Exp $ # $OpenBSD: krl.sh,v 1.8 2019/07/25 09:17:35 dtucker Exp $
# Placed in the Public Domain. # Placed in the Public Domain.
tid="key revocation lists" tid="key revocation lists"
# If we don't support ecdsa keys then this tell will be much slower. # Use ed25519 by default since it's fast and it's supported when building
ECDSA=ecdsa # w/out OpenSSL. Populate ktype[2-4] with the other types if supported.
if test "x$TEST_SSH_ECC" != "xyes"; then ktype1=ed25519; ktype2=ed25519; ktype3=ed25519; ktype4=ed25519
ECDSA=rsa for t in `${SSH} -Q key-plain`; do
fi case "$t" in
ecdsa*) ktype2=ecdsa ;;
ssh-rsa) ktype3=rsa ;;
ssh-dss) ktype4=dsa ;;
esac
done
# Do most testing with ssh-keygen; it uses the same verification code as sshd. # Do most testing with ssh-keygen; it uses the same verification code as sshd.
@ -15,9 +20,9 @@ fi
rm -f $OBJ/revoked-* $OBJ/krl-* rm -f $OBJ/revoked-* $OBJ/krl-*
# Generate a CA key # Generate a CA key
$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null || $SSHKEYGEN -t $ktype1 -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
fatal "$SSHKEYGEN CA failed" fatal "$SSHKEYGEN CA failed"
$SSHKEYGEN -t ed25519 -f $OBJ/revoked-ca2 -C "" -N "" > /dev/null || $SSHKEYGEN -t $ktype2 -f $OBJ/revoked-ca2 -C "" -N "" > /dev/null ||
fatal "$SSHKEYGEN CA2 failed" fatal "$SSHKEYGEN CA2 failed"
# A specification that revokes some certificates by serial numbers # A specification that revokes some certificates by serial numbers
@ -55,11 +60,13 @@ done
keygen() { keygen() {
N=$1 N=$1
f=$OBJ/revoked-`printf "%04d" $N` f=$OBJ/revoked-`printf "%04d" $N`
# Vary the keytype. We use mostly ECDSA since this is fastest by far. # Vary the keytype. We use mostly ed25519 since this is fast and well
keytype=$ECDSA # supported.
keytype=$ktype1
case $N in case $N in
2 | 10 | 510 | 1001) keytype=rsa;; 2 | 10 | 510 | 1001) keytype=$ktype2 ;;
4 | 30 | 520 | 1002) keytype=ed25519;; 4 | 30 | 520 | 1002) keytype=$ktype3 ;;
8 | 50 | 530 | 1003) keytype=$ktype4 ;;
esac esac
$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \ $SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
|| fatal "$SSHKEYGEN failed" || fatal "$SSHKEYGEN failed"