Test Execution Status | Statistics |
---|---|
Passed | 0.000% (0/10) |
Incident | 0.000% (0/10) |
Skipped | 0.000% (0/10) |
Failed | 0.000% (0/10) |
Requires Manual Checking | 0.000% (0/10) |
Unknown | 0.000% (0/10) |
All | 0.000% (0/10) |
Category | Removed Lines | Inserted Lines | Total |
---|---|---|---|
Modified lines executed: | 0.000% (0/10) | 0.000% (0/42) | 0.000% (0/52) |
Modified lines not executed: | 40.000% (4/10) | 42.857% (18/42) | 42.308% (22/52) |
Source code lines not instrumented: | 60.000% (6/10) | 57.143% (24/42) | 57.692% (30/52) |
Execution Name | State |
---|
Line | Tests | Difference Output |
---|---|---|
diff --git a/readconf.c b/readconf.c | ||
index db5f2d54..057726d0 100644 | ||
--- a/readconf.c | ||
+++ b/readconf.c | ||
@@ -1,4 +1,4 @@ | ||
1 | - No equivalent source code line in the reference code can be identified. | -/* $OpenBSD: readconf.c,v 1.297 2018/08/12 20:19:13 djm Exp $ */ |
1 | - | +/* $OpenBSD: readconf.c,v 1.298 2018/09/20 03:30:44 djm Exp $ */ |
2 | /* | |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
@@ -172,7 +172,7 @@ typedef enum { | ||
172 | oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, | |
173 | oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, | |
174 | oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, | |
175 | - No equivalent source code line in the reference code can be identified. | - oPubkeyAcceptedKeyTypes, oProxyJump, |
175 | - | + oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump, |
176 | oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported | |
177 | } OpCodes; | |
178 | ||
@@ -266,6 +266,7 @@ static struct { | ||
266 | { "dynamicforward", oDynamicForward }, | |
267 | { "preferredauthentications", oPreferredAuthentications }, | |
268 | { "hostkeyalgorithms", oHostKeyAlgorithms }, | |
269 | - | + { "casignaturealgorithms", oCASignatureAlgorithms }, |
269 ➡ 270 | { "bindaddress", oBindAddress }, | |
270 ➡ 271 | { "bindinterface", oBindInterface }, | |
271 ➡ 272 | { "clearallforwardings", oClearAllForwardings }, | |
@@ -1221,6 +1222,10 @@ parse_keytypes: | ||
1221 ➡ 1222 | *charptr = xstrdup(arg); | |
1222 ➡ 1223 | break; | |
1223 ➡ 1224 | ||
1225 | 0 | + case oCASignatureAlgorithms: |
1226 | 0 | + charptr = &options->ca_sign_algorithms; |
1227 | 0 | + goto parse_keytypes; |
1228 | - | + |
1224 ➡ 1229 | case oLogLevel: | |
1225 ➡ 1230 | log_level_ptr = &options->log_level; | |
1226 ➡ 1231 | arg = strdelim(&s); | |
@@ -1836,6 +1841,7 @@ initialize_options(Options * options) | ||
1836 ➡ 1841 | options->macs = NULL; | |
1837 ➡ 1842 | options->kex_algorithms = NULL; | |
1838 ➡ 1843 | options->hostkeyalgorithms = NULL; | |
1844 | 0 | + options->ca_sign_algorithms = NULL; |
1839 ➡ 1845 | options->num_identity_files = 0; | |
1840 ➡ 1846 | options->num_certificate_files = 0; | |
1841 ➡ 1847 | options->hostname = NULL; | |
@@ -1924,7 +1930,7 @@ fill_default_options_for_canonicalization(Options *options) | ||
1924 ➡ 1930 | void | |
1925 ➡ 1931 | fill_default_options(Options * options) | |
1926 ➡ 1932 | { | |
1927 | 0 | - char *all_cipher, *all_mac, *all_kex, *all_key; |
1933 | 0 | + char *all_cipher, *all_mac, *all_kex, *all_key, *all_sig; |
1928 ➡ 1934 | int r; | |
1929 ➡ 1935 | ||
1930 ➡ 1936 | if (options->forward_agent == -1) | |
@@ -2077,6 +2083,7 @@ fill_default_options(Options * options) | ||
2077 ➡ 2083 | all_mac = mac_alg_list(','); | |
2078 ➡ 2084 | all_kex = kex_alg_list(','); | |
2079 ➡ 2085 | all_key = sshkey_alg_list(0, 0, 1, ','); | |
2086 | 0 | + all_sig = sshkey_alg_list(0, 1, 1, ','); |
2080 ➡ 2087 | #define ASSEMBLE(what, defaults, all) \ | |
2081 ➡ 2088 | do { \ | |
2082 ➡ 2089 | if ((r = kex_assemble_names(&options->what, \ | |
@@ -2088,11 +2095,13 @@ fill_default_options(Options * options) | ||
2088 ➡ 2095 | ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex); | |
2089 ➡ 2096 | ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key); | |
2090 ➡ 2097 | ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key); | |
2098 | 0 | + ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig); |
2091 ➡ 2099 | #undef ASSEMBLE | |
2092 ➡ 2100 | free(all_cipher); | |
2093 ➡ 2101 | free(all_mac); | |
2094 ➡ 2102 | free(all_kex); | |
2095 ➡ 2103 | free(all_key); | |
2104 | 0 | + free(all_sig); |
2096 ➡ 2105 | ||
2097 ➡ 2106 | #define CLEAR_ON_NONE(v) \ | |
2098 ➡ 2107 | do { \ | |
@@ -2614,6 +2623,7 @@ dump_client_config(Options *o, const char *host) | ||
2614 ➡ 2623 | dump_cfg_string(oIgnoreUnknown, o->ignored_unknown); | |
2615 ➡ 2624 | dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices); | |
2616 ➡ 2625 | dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX); | |
2626 | 0 | + dump_cfg_string(oCASignatureAlgorithms, o->ca_sign_algorithms ? o->ca_sign_algorithms : SSH_ALLOWED_CA_SIGALGS); |
2617 ➡ 2627 | dump_cfg_string(oLocalCommand, o->local_command); | |
2618 ➡ 2628 | dump_cfg_string(oRemoteCommand, o->remote_command); | |
2619 ➡ 2629 | dump_cfg_string(oLogLevel, log_level_name(o->log_level)); |
Line | Tests | Difference Output |
---|---|---|
diff --git a/readconf.h b/readconf.h | ||
index c5688781..fc7e3825 100644 | ||
--- a/readconf.h | ||
+++ b/readconf.h | ||
@@ -1,4 +1,4 @@ | ||
1 | - No equivalent source code line in the reference code can be identified. | -/* $OpenBSD: readconf.h,v 1.127 2018/07/19 10:28:47 dtucker Exp $ */ |
1 | - | +/* $OpenBSD: readconf.h,v 1.128 2018/09/20 03:30:44 djm Exp $ */ |
2 | ||
3 | /* | |
4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | |
@@ -67,6 +67,7 @@ typedef struct { | ||
67 | char *macs; /* SSH2 macs in order of preference. */ | |
68 | char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */ | |
69 | char *kex_algorithms; /* SSH2 kex methods in order of preference. */ | |
70 | - | + char *ca_sign_algorithms; /* Allowed CA signature algorithms */ |
70 ➡ 71 | char *hostname; /* Real host to connect. */ | |
71 ➡ 72 | char *host_key_alias; /* hostname alias for .ssh/known_hosts */ | |
72 ➡ 73 | char *proxy_command; /* Proxy command for connecting the host. */ |
Line | Tests | Difference Output |
---|---|---|
diff --git a/ssh_config.5 b/ssh_config.5 | ||
index f499396a..a9b44cc4 100644 | ||
--- a/ssh_config.5 | ||
+++ b/ssh_config.5 | ||
@@ -33,8 +33,8 @@ | ||
33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | |
34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
35 | .\" | |
36 | - No equivalent source code line in the reference code can be identified. | -.\" $OpenBSD: ssh_config.5,v 1.281 2018/07/23 19:02:49 kn Exp $ |
37 | - No equivalent source code line in the reference code can be identified. | -.Dd $Mdocdate: July 23 2018 $ |
36 | - | +.\" $OpenBSD: ssh_config.5,v 1.282 2018/09/20 03:30:44 djm Exp $ |
37 | - | +.Dd $Mdocdate: September 20 2018 $ |
38 | .Dt SSH_CONFIG 5 | |
39 | .Os | |
40 | .Sh NAME | |
@@ -261,6 +261,18 @@ Only useful on systems with more than one address. | ||
261 | .It Cm BindInterface | |
262 | Use the address of the specified interface on the local machine as the | |
263 | source address of the connection. | |
264 | - | +.It Cm CASignatureAlgorithms |
265 | - | +Specifies which algorithms are allowed for signing of certificates |
266 | - | +by certificate authorities (CAs). |
267 | - | +The default is: |
268 | - | +.Bd -literal -offset indent |
269 | - | +ecdsa-sha2-nistp256.ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, |
270 | - | +ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa |
271 | - | +.Ed |
272 | - | +.Pp |
273 | - | +.Xr ssh 1 |
274 | - | +will not accept host certificates signed using algorithms other than those |
275 | - | +specified. |
264 ➡ 276 | .It Cm CanonicalDomains | |
265 ➡ 277 | When | |
266 ➡ 278 | .Cm CanonicalizeHostname |
Line | Tests | Difference Output |
---|---|---|
diff --git a/sshconnect.c b/sshconnect.c | ||
index 78813c16..6d819279 100644 | ||
--- a/sshconnect.c | ||
+++ b/sshconnect.c | ||
@@ -1,4 +1,4 @@ | ||
1 | - No equivalent source code line in the reference code can be identified. | -/* $OpenBSD: sshconnect.c,v 1.304 2018/07/27 05:34:42 dtucker Exp $ */ |
1 | - | +/* $OpenBSD: sshconnect.c,v 1.305 2018/09/20 03:30:44 djm Exp $ */ |
2 | /* | |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
@@ -734,19 +734,28 @@ confirm(const char *prompt) | ||
734 | } | |
735 | ||
736 | static int | |
737 | 0 | -check_host_cert(const char *host, const struct sshkey *host_key) |
737 | - | +check_host_cert(const char *host, const struct sshkey *key) |
738 | { | |
739 | const char *reason; | |
740 | 0 | + int r; |
740 ➡ 741 | ||
741 | 0 | - if (sshkey_cert_check_authority(host_key, 1, 0, host, &reason) != 0) { |
742 | 0 | + if (sshkey_cert_check_authority(key, 1, 0, host, &reason) != 0) { |
742 ➡ 743 | error("%s", reason); | |
743 ➡ 744 | return 0; | |
744 ➡ 745 | } | |
745 | 0 | - if (sshbuf_len(host_key->cert->critical) != 0) { |
746 | 0 | + if (sshbuf_len(key->cert->critical) != 0) { |
746 ➡ 747 | error("Certificate for %s contains unsupported " | |
747 ➡ 748 | "critical options(s)", host); | |
748 ➡ 749 | return 0; | |
749 ➡ 750 | } | |
751 | 0 | + if ((r = sshkey_check_cert_sigtype(key, |
752 | 0 | + options.ca_sign_algorithms)) != 0) { |
753 | 0 | + logit("%s: certificate signature algorithm %s: %s", __func__, |
754 | 0 | + (key->cert == NULL || key->cert->signature_type == NULL) ? |
755 | 0 | + "(null)" : key->cert->signature_type, ssh_err(r)); |
756 | 0 | + return 0; |
757 | - | + } |
758 | - | + |
750 ➡ 759 | return 1; | |
751 ➡ 760 | } | |
752 ➡ 761 |