From fbaa707d455a61d0aef8ae65e02a25bac5351e5c Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Fri, 20 Oct 2023 06:56:45 +0000
Subject: [PATCH] upstream: Add interop test with Dropbear.

Right now this is only dbclient not the Dropbear server since it won't
currently run as a ProxyCommand.

OpenBSD-Regress-ID: 8cb898c414fcdb252ca6328896b0687acdaee496
---
 regress/Makefile            |  4 +++-
 regress/dropbear-ciphers.sh | 33 +++++++++++++++++++++++++++++++++
 regress/dropbear-kex.sh     | 31 +++++++++++++++++++++++++++++++
 regress/test-exec.sh        | 36 +++++++++++++++++++++++++++++++++++-
 4 files changed, 102 insertions(+), 2 deletions(-)
 create mode 100644 regress/dropbear-ciphers.sh
 create mode 100644 regress/dropbear-kex.sh

diff --git a/regress/Makefile b/regress/Makefile
index a3a35c25f..d1e52b375 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.126 2023/09/06 23:36:09 djm Exp $
+#	$OpenBSD: Makefile,v 1.128 2023/10/20 06:56:45 dtucker Exp $
 
 tests:		prep file-tests t-exec unit
 
@@ -18,6 +18,7 @@ prep:
 clean:
 	for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done
 	rm -rf $(OBJ).putty
+	rm -rf $(OBJ).dropbear
 
 distclean:	clean
 
@@ -109,6 +110,7 @@ LTESTS= 	connect \
 		match-subsystem
 
 INTEROP_TESTS=	putty-transfer putty-ciphers putty-kex conch-ciphers
+INTEROP_TESTS+=	dropbear-ciphers dropbear-kex
 #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
 
 EXTRA_TESTS=	agent-pkcs11
diff --git a/regress/dropbear-ciphers.sh b/regress/dropbear-ciphers.sh
new file mode 100644
index 000000000..2e0f9a1d3
--- /dev/null
+++ b/regress/dropbear-ciphers.sh
@@ -0,0 +1,33 @@
+#	$OpenBSD: dropbear-ciphers.sh,v 1.1 2023/10/20 06:56:45 dtucker Exp $
+#	Placed in the Public Domain.
+
+tid="dropbear ciphers"
+
+if test "x$REGRESS_INTEROP_DROPBEAR" != "xyes" ; then
+	skip "dropbear interop tests not enabled"
+fi
+
+cat >>$OBJ/sshd_proxy <<EOD
+PubkeyAcceptedAlgorithms +ssh-rsa,ssh-dss
+HostkeyAlgorithms +ssh-rsa,ssh-dss
+EOD
+
+ciphers=`$DBCLIENT -c help 2>&1 | awk '/ ciphers: /{print $4}' | tr ',' ' '`
+macs=`$DBCLIENT -m help 2>&1 | awk '/ MACs: /{print $4}' | tr ',' ' '`
+keytype=`(cd $OBJ/.dropbear && ls id_*)`
+
+for c in $ciphers ; do
+  for m in $macs; do
+    for kt in $keytype; do
+	verbose "$tid: cipher $c mac $m kt $kt"
+	rm -f ${COPY}
+	env HOME=$OBJ dbclient -y -i $OBJ/.dropbear/$kt 2>$OBJ/dbclient.log \
+	    -c $c -m $m -J "$OBJ/ssh_proxy.sh" somehost cat ${DATA} > ${COPY}
+	if [ $? -ne 0 ]; then
+		fail "ssh cat $DATA failed"
+	fi
+	cmp ${DATA} ${COPY}		|| fail "corrupted copy"
+    done
+  done
+done
+rm -f ${COPY}
diff --git a/regress/dropbear-kex.sh b/regress/dropbear-kex.sh
new file mode 100644
index 000000000..a25de3edd
--- /dev/null
+++ b/regress/dropbear-kex.sh
@@ -0,0 +1,31 @@
+#	$OpenBSD: dropbear-kex.sh,v 1.1 2023/10/20 06:56:45 dtucker Exp $
+#	Placed in the Public Domain.
+
+tid="dropbear kex"
+
+if test "x$REGRESS_INTEROP_DROPBEAR" != "xyes" ; then
+	skip "dropbear interop tests not enabled"
+fi
+
+cat >>$OBJ/sshd_proxy <<EOD
+PubkeyAcceptedAlgorithms +ssh-rsa,ssh-dss
+HostkeyAlgorithms +ssh-rsa,ssh-dss
+EOD
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
+
+kex="curve25519-sha256 curve25519-sha256@libssh.org
+    diffie-hellman-group14-sha256 diffie-hellman-group14-sha1"
+
+for k in $kex; do
+	verbose "$tid: kex $k"
+	rm -f ${COPY}
+	# dbclient doesn't have switch for kex, so force in server
+	(cat $OBJ/sshd_proxy.bak; echo "KexAlgorithms $k") >$OBJ/sshd_proxy
+	env HOME=$OBJ dbclient -y -i $OBJ/.dropbear/id_rsa 2>$OBJ/dbclient.log \
+	    -J "$OBJ/ssh_proxy.sh" somehost cat ${DATA} > ${COPY}
+	if [ $? -ne 0 ]; then
+		fail "ssh cat $DATA failed"
+	fi
+	cmp ${DATA} ${COPY}		|| fail "corrupted copy"
+done
+rm -f ${COPY}
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index d060b79dc..995b48904 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: test-exec.sh,v 1.99 2023/10/12 03:48:53 djm Exp $
+#	$OpenBSD: test-exec.sh,v 1.100 2023/10/20 06:56:45 dtucker Exp $
 #	Placed in the Public Domain.
 
 #SUDO=sudo
@@ -99,6 +99,10 @@ SSH_REGRESS_TMP=
 PLINK=plink
 PUTTYGEN=puttygen
 CONCH=conch
+DROPBEAR=dropbear
+DBCLIENT=dbclient
+DROPBEARKEY=dropbearkey
+DROPBEARCONVERT=dropbearconvert
 
 # Tools used by multiple tests
 NC=$OBJ/netcat
@@ -790,6 +794,30 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
 	export PUTTYDIR
 fi
 
+REGRESS_INTEROP_DROPBEAR=no
+if test -x "$DROPBEARKEY" -a -x "$DBCLIENT" -a -x "$DROPBEARCONVERT"; then
+	REGRESS_INTEROP_DROPBEAR=yes
+fi
+case "$SCRIPT" in
+*dropbear*)	;;
+*)		REGRESS_INTEROP_DROPBEAR=no ;;
+esac
+
+if test "$REGRESS_INTEROP_DROPBEAR" = "yes" ; then
+	trace Create dropbear keys and add to authorized_keys
+	mkdir -p $OBJ/.dropbear
+	for i in rsa ecdsa ed25519 dss; do
+		if [ ! -f "$OBJ/.dropbear/id_$i" ]; then
+			($DROPBEARKEY -t $i -f $OBJ/.dropbear/id_$i
+			$DROPBEARCONVERT dropbear openssh \
+			    $OBJ/.dropbear/id_$i $OBJ/.dropbear/ossh.id_$i
+			) > /dev/null 2>&1
+		fi
+		$SSHKEYGEN -y -f $OBJ/.dropbear/ossh.id_$i \
+		   >>$OBJ/authorized_keys_$USER
+	done
+fi
+
 # create a proxy version of the client config
 (
 	cat $OBJ/ssh_config
@@ -799,6 +827,12 @@ fi
 # check proxy config
 ${SSHD} -t -f $OBJ/sshd_proxy	|| fatal "sshd_proxy broken"
 
+# extract proxycommand into separate shell script for use by Dropbear.
+echo '#!/bin/sh' >$OBJ/ssh_proxy.sh
+awk '/^proxycommand/' $OBJ/ssh_proxy | sed 's/^proxycommand//' \
+   >>$OBJ/ssh_proxy.sh
+chmod a+x $OBJ/ssh_proxy.sh
+
 start_sshd ()
 {
 	# start sshd