| Test Execution Status | Statistics | 
|---|---|
| Passed | 0.000% (0/10) | 
| Incident | 0.000% (0/10) | 
| Skipped | 0.000% (0/10) | 
| Failed | 0.000% (0/10) | 
| Requires Manual Checking | 0.000% (0/10) | 
| Unknown | 0.000% (0/10) | 
| All | 0.000% (0/10) | 
| Category | Removed Lines | Inserted Lines | Total | 
|---|---|---|---|
| Modified lines executed: | 0.000% (0/10) | 0.000% (0/42) | 0.000% (0/52) | 
| Modified lines not executed: | 40.000% (4/10) | 42.857% (18/42) | 42.308% (22/52) | 
| Source code lines not instrumented: | 60.000% (6/10) | 57.143% (24/42) | 57.692% (30/52) | 
| Execution Name | State | 
|---|
| Line | Tests | Difference Output | 
|---|---|---|
| diff --git a/readconf.c b/readconf.c | ||
| index db5f2d54..057726d0 100644 | ||
| --- a/readconf.c | ||
| +++ b/readconf.c | ||
| @@ -1,4 +1,4 @@ | ||
| 1 | - No equivalent source code line in the reference code can be identified. | -/* $OpenBSD: readconf.c,v 1.297 2018/08/12 20:19:13 djm Exp $ */ | 
| 1 | - | +/* $OpenBSD: readconf.c,v 1.298 2018/09/20 03:30:44 djm Exp $ */ | 
| 2 | /* | |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
| @@ -172,7 +172,7 @@ typedef enum { | ||
| 172 | oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, | |
| 173 | oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, | |
| 174 | oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, | |
| 175 | - No equivalent source code line in the reference code can be identified. | - oPubkeyAcceptedKeyTypes, oProxyJump, | 
| 175 | - | + oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump, | 
| 176 | oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported | |
| 177 | } OpCodes; | |
| 178 | ||
| @@ -266,6 +266,7 @@ static struct { | ||
| 266 | { "dynamicforward", oDynamicForward }, | |
| 267 | { "preferredauthentications", oPreferredAuthentications }, | |
| 268 | { "hostkeyalgorithms", oHostKeyAlgorithms }, | |
| 269 | - | + { "casignaturealgorithms", oCASignatureAlgorithms }, | 
| 269 ➡ 270 | { "bindaddress", oBindAddress }, | |
| 270 ➡ 271 | { "bindinterface", oBindInterface }, | |
| 271 ➡ 272 | { "clearallforwardings", oClearAllForwardings }, | |
| @@ -1221,6 +1222,10 @@ parse_keytypes: | ||
| 1221 ➡ 1222 | *charptr = xstrdup(arg); | |
| 1222 ➡ 1223 | break; | |
| 1223 ➡ 1224 | ||
| 1225 | 0 | + case oCASignatureAlgorithms: | 
| 1226 | 0 | + charptr = &options->ca_sign_algorithms; | 
| 1227 | 0 | + goto parse_keytypes; | 
| 1228 | - | + | 
| 1224 ➡ 1229 | case oLogLevel: | |
| 1225 ➡ 1230 | log_level_ptr = &options->log_level; | |
| 1226 ➡ 1231 | arg = strdelim(&s); | |
| @@ -1836,6 +1841,7 @@ initialize_options(Options * options) | ||
| 1836 ➡ 1841 | options->macs = NULL; | |
| 1837 ➡ 1842 | options->kex_algorithms = NULL; | |
| 1838 ➡ 1843 | options->hostkeyalgorithms = NULL; | |
| 1844 | 0 | + options->ca_sign_algorithms = NULL; | 
| 1839 ➡ 1845 | options->num_identity_files = 0; | |
| 1840 ➡ 1846 | options->num_certificate_files = 0; | |
| 1841 ➡ 1847 | options->hostname = NULL; | |
| @@ -1924,7 +1930,7 @@ fill_default_options_for_canonicalization(Options *options) | ||
| 1924 ➡ 1930 | void | |
| 1925 ➡ 1931 | fill_default_options(Options * options) | |
| 1926 ➡ 1932 | { | |
| 1927 | 0 | - char *all_cipher, *all_mac, *all_kex, *all_key; | 
| 1933 | 0 | + char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig; | 
| 1928 ➡ 1934 | int r; | |
| 1929 ➡ 1935 | ||
| 1930 ➡ 1936 | if (options->forward_agent == -1) | |
| @@ -2077,6 +2083,7 @@ fill_default_options(Options * options) | ||
| 2077 ➡ 2083 | all_mac = mac_alg_list(','); | |
| 2078 ➡ 2084 | all_kex = kex_alg_list(','); | |
| 2079 ➡ 2085 | all_key = sshkey_alg_list(0, 0, 1, ','); | |
| 2086 | 0 | + all_sig = sshkey_alg_list(0, 1, 1, ','); | 
| 2080 ➡ 2087 | #define ASSEMBLE(what, defaults, all) \ | |
| 2081 ➡ 2088 | do { \ | |
| 2082 ➡ 2089 | if ((r = kex_assemble_names(&options->what, \ | |
| @@ -2088,11 +2095,13 @@ fill_default_options(Options * options) | ||
| 2088 ➡ 2095 | ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex); | |
| 2089 ➡ 2096 | ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); | |
| 2090 ➡ 2097 | ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key); | |
| 2098 | 0 | + ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); | 
| 2091 ➡ 2099 | #undef ASSEMBLE | |
| 2092 ➡ 2100 | free(all_cipher); | |
| 2093 ➡ 2101 | free(all_mac); | |
| 2094 ➡ 2102 | free(all_kex); | |
| 2095 ➡ 2103 | free(all_key); | |
| 2104 | 0 | + free(all_sig); | 
| 2096 ➡ 2105 | ||
| 2097 ➡ 2106 | #define CLEAR_ON_NONE(v) \ | |
| 2098 ➡ 2107 | do { \ | |
| @@ -2614,6 +2623,7 @@ dump_client_config(Options *o, const char *host) | ||
| 2614 ➡ 2623 | dump_cfg_string(oIgnoreUnknown, o->ignored_unknown); | |
| 2615 ➡ 2624 | dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices); | |
| 2616 ➡ 2625 | dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX); | |
| 2626 | 0 | + dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms ? o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS); | 
| 2617 ➡ 2627 | dump_cfg_string(oLocalCommand, o->local_command); | |
| 2618 ➡ 2628 | dump_cfg_string(oRemoteCommand, o->remote_command); | |
| 2619 ➡ 2629 | dump_cfg_string(oLogLevel, log_level_name(o->log_level)); | 
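Review bot: The new `case oCASignatureAlgorithms:` jumps to `parse_keytypes`, so a list of CA signature algorithms is validated and reported by a path that appears, from its name, to have been written for key types. The body of that label lies outside this hunk, so confirm that it accepts signature-only names such as `rsa-sha2-512` and that its diagnostic does not describe a bad value as a key type. A short comment on the case, for example `/* shares list validation with the key-type options */`, would record why the jump is intended. The coverage column shows the three parse lines and `ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig)` executed by 0 tests, so nothing here checks that a malformed value is refused at parse time. The default printed in the ssh_config.5 section of this commit reads `ecdsa-sha2-nistp256.ecdsa-sha2-nistp384`, with a period where a comma is expected, and should be compared against `SSH_ALLOWED_CA_SIGALGS`, which this file uses as the fallback.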
| Line | Tests | Difference Output | 
|---|---|---|
| diff --git a/readconf.h b/readconf.h | ||
| index c5688781..fc7e3825 100644 | ||
| --- a/readconf.h | ||
| +++ b/readconf.h | ||
| @@ -1,4 +1,4 @@ | ||
| 1 | - No equivalent source code line in the reference code can be identified. | -/* $OpenBSD: readconf.h,v 1.127 2018/07/19 10:28:47 dtucker Exp $ */ | 
| 1 | - | +/* $OpenBSD: readconf.h,v 1.128 2018/09/20 03:30:44 djm Exp $ */ | 
| 2 | ||
| 3 | /* | |
| 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | |
| @@ -67,6 +67,7 @@ typedef struct { | ||
| 67 | char *macs; /* SSH2 macs in order of preference. */ | |
| 68 | char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */ | |
| 69 | char *kex_algorithms; /* SSH2 kex methods in order of preference. */ | |
| 70 | - | + char *ca_sign_algorithms; /* Allowed CA signature algorithms */ | 
| 70 ➡ 71 | char *hostname; /* Real host to connect. */ | |
| 71 ➡ 72 | char *host_key_alias; /* hostname alias for .ssh/known_hosts */ | |
| 72 ➡ 73 | char *proxy_command; /* Proxy command for connecting the host. */ | 
| Line | Tests | Difference Output | 
|---|---|---|
| diff --git a/ssh_config.5 b/ssh_config.5 | ||
| index f499396a..a9b44cc4 100644 | ||
| --- a/ssh_config.5 | ||
| +++ b/ssh_config.5 | ||
| @@ -33,8 +33,8 @@ | ||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
| 35 | .\" | |
| 36 | - No equivalent source code line in the reference code can be identified. | -.\" $OpenBSD: ssh_config.5,v 1.281 2018/07/23 19:02:49 kn Exp $ | 
| 37 | - No equivalent source code line in the reference code can be identified. | -.Dd $Mdocdate: July 23 2018 $ | 
| 36 | - | +.\" $OpenBSD: ssh_config.5,v 1.282 2018/09/20 03:30:44 djm Exp $ | 
| 37 | - | +.Dd $Mdocdate: September 20 2018 $ | 
| 38 | .Dt SSH_CONFIG 5 | |
| 39 | .Os | |
| 40 | .Sh NAME | |
| @@ -261,6 +261,18 @@ Only useful on systems with more than one address. | ||
| 261 | .It Cm BindInterface | |
| 262 | Use the address of the specified interface on the local machine as the | |
| 263 | source address of the connection. | |
| 264 | - | +.It Cm CASignatureAlgorithms | 
| 265 | - | +Specifies which algorithms are allowed for signing of certificates | 
| 266 | - | +by certificate authorities (CAs). | 
| 267 | - | +The default is: | 
| 268 | - | +.Bd -literal -offset indent | 
| 269 | - | +ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, | 
| 270 | - | +ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | 
| 271 | - | +.Ed | 
| 272 | - | +.Pp | 
| 273 | - | +.Xr ssh 1 | 
| 274 | - | +will not accept host certificates signed using algorithms other than those | 
| 275 | - | +specified. | 
| 264 ➡ 276 | .It Cm CanonicalDomains | |
| 265 ➡ 277 | When | |
| 266 ➡ 278 | .Cm CanonicalizeHostname | 
| Line | Tests | Difference Output | 
|---|---|---|
| diff --git a/sshconnect.c b/sshconnect.c | ||
| index 78813c16..6d819279 100644 | ||
| --- a/sshconnect.c | ||
| +++ b/sshconnect.c | ||
| @@ -1,4 +1,4 @@ | ||
| 1 | - No equivalent source code line in the reference code can be identified. | -/* $OpenBSD: sshconnect.c,v 1.304 2018/07/27 05:34:42 dtucker Exp $ */ | 
| 1 | - | +/* $OpenBSD: sshconnect.c,v 1.305 2018/09/20 03:30:44 djm Exp $ */ | 
| 2 | /* | |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
| @@ -734,19 +734,28 @@ confirm(const char *prompt) | ||
| 734 | } | |
| 735 | ||
| 736 | static int | |
| 737 | 0 | -check_host_cert(const char *host, const struct sshkey *host_key) | 
| 737 | - | +check_host_cert(const char *host, const struct sshkey *key) | 
| 738 | { | |
| 739 | const char *reason; | |
| 740 | 0 | + int r; | 
| 740 ➡ 741 | ||
| 741 | 0 | - if (sshkey_cert_check_authority(host_key, 1, 0, host, &reason) != 0) { | 
| 742 | 0 | + if (sshkey_cert_check_authority(key, 1, 0, host, &reason) != 0) { | 
| 742 ➡ 743 | error("%s", reason); | |
| 743 ➡ 744 | return 0; | |
| 744 ➡ 745 | } | |
| 745 | 0 | - if (sshbuf_len(host_key->cert->critical) != 0) { | 
| 746 | 0 | + if (sshbuf_len(key->cert->critical) != 0) { | 
| 746 ➡ 747 | error("Certificate for %s contains unsupported " | |
| 747 ➡ 748 | "critical options(s)", host); | |
| 748 ➡ 749 | return 0; | |
| 749 ➡ 750 | } | |
| 751 | 0 | + if ((r = sshkey_check_cert_sigtype(key, | 
| 752 | 0 | + options.ca_sign_algorithms)) != 0) { | 
| 753 | 0 | + logit("%s: certificate signature algorithm %s: %s", __func__, | 
| 754 | 0 | + (key->cert == NULL || key->cert->signature_type == NULL) ? | 
| 755 | 0 | + "(null)" : key->cert->signature_type, ssh_err(r)); | 
| 756 | 0 | + return 0; | 
| 757 | - | + } | 
| 758 | - | + | 
| 750 ➡ 759 | return 1; | |
| 751 ➡ 760 | } | |
| 752 ➡ 761 |
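Review bot: In `check_host_cert`, the new `logit` call tests `key->cert == NULL`, but `key->cert->critical` is already dereferenced unconditionally in the check just above it. Either the guard is dead or the earlier dereference is unsafe, so decide which contract holds and enforce it once at the top of the function, which lies entirely inside this hunk. The refusal is also reported with `logit` and without the host name, while the two other rejection paths use `error` and the critical-options message names the host. Something like `error("Certificate for %s: signature algorithm %s: %s", host, sigtype, ssh_err(r));`, with `sigtype` being the existing `"(null)"` fallback expression, would keep a refused CA signature algorithm as visible in logs as the other failures. The coverage column shows every line of the new check executed by 0 tests, so a regression case is worth adding in which a host certificate signed with an algorithm absent from `CASignatureAlgorithms` is refused.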