2019-08-22 22:04:46 +02:00
#!/bin/bash
#
# This script will set up a docker image with multiple versions of OpenSSH, then
# use it to run tests.
#
2023-03-21 16:28:52 +01:00
# Optional arguments:
# --accept: accepts test failures and overwrites expected results with actual results (useful for updating the tests themselves).
# --create: attempts to create a new docker image.
#
#
2019-08-22 22:04:46 +02:00
# For debugging purposes, here is a cheat sheet for manually running the docker image:
#
# docker run -p 2222:22 -it ssh-audit-test:X /bin/bash
# docker run -p 2222:22 --security-opt seccomp:unconfined -it ssh-audit-test /debug.sh
# docker run -d -p 2222:22 ssh-audit-test:X /openssh/sshd-5.6p1 -D -f /etc/ssh/sshd_config-5.6p1_test1
# docker run -d -p 2222:22 ssh-audit-test:X /openssh/sshd-8.0p1 -D -f /etc/ssh/sshd_config-8.0p1_test1
#
# This is the docker tag for the image. If this tag doesn't exist, then we assume the
# image is out of date, and generate a new one with this tag.
2019-08-28 04:28:24 +02:00
IMAGE_VERSION = 3
2019-08-22 22:04:46 +02:00
# This is the name of our docker image.
2020-10-02 01:42:48 +02:00
IMAGE_NAME = positronsecurity/ssh-audit-test-framework
2019-08-22 22:04:46 +02:00
# Terminal colors.
CLR = "\033[0m"
2023-09-05 19:14:21 +02:00
#RED="\033[0;31m"
#YELLOW="\033[0;33m"
2019-08-22 22:04:46 +02:00
GREEN = "\033[0;32m"
2023-03-21 16:28:52 +01:00
REDB = "\033[1;31m" # Red + bold
YELLOWB = "\033[1;33m" # Yellow + bold
GREENB = "\033[1;32m" # Green + bold
2019-08-22 22:04:46 +02:00
2020-07-07 21:56:37 +02:00
# Program return values.
PROGRAM_RETVAL_FAILURE = 3
PROGRAM_RETVAL_WARNING = 2
2023-09-05 19:14:21 +02:00
#PROGRAM_RETVAL_CONNECTION_ERROR=1
2020-07-07 21:56:37 +02:00
PROGRAM_RETVAL_GOOD = 0
2019-08-22 22:04:46 +02:00
2020-10-21 03:26:06 +02:00
# Counts the number of test failures.
num_failures = 0
2023-03-21 16:28:52 +01:00
# When set, if a failure is encountered, overwrite the expected output with the actual value (i.e.: the user validated the failures already and wants to update the tests themselves).
accept = 0
2020-10-21 03:26:06 +02:00
2019-08-22 22:04:46 +02:00
# Returns 0 if current docker image exists.
2021-08-27 17:19:18 +02:00
check_if_docker_image_exists( ) {
images = $( docker image ls | grep -E " $IMAGE_NAME [[:space:]]+ $IMAGE_VERSION " )
2019-08-22 22:04:46 +02:00
}
2019-08-26 20:45:31 +02:00
# Uncompresses and compiles the specified version of Dropbear.
2021-08-27 17:19:18 +02:00
compile_dropbear( ) {
2019-08-26 20:45:31 +02:00
version = $1
2023-09-05 19:14:21 +02:00
compile "Dropbear" " $version "
2019-08-26 20:45:31 +02:00
}
2019-08-22 22:04:46 +02:00
# Uncompresses and compiles the specified version of OpenSSH.
2021-08-27 17:19:18 +02:00
compile_openssh( ) {
2019-08-26 20:45:31 +02:00
version = $1
2023-09-05 19:14:21 +02:00
compile "OpenSSH" " $version "
2019-08-26 20:45:31 +02:00
}
2019-08-28 04:28:24 +02:00
# Uncompresses and compiles the specified version of TinySSH.
2021-08-27 17:19:18 +02:00
compile_tinyssh( ) {
2019-08-28 04:28:24 +02:00
version = $1
2023-09-05 19:14:21 +02:00
compile "TinySSH" " $version "
2019-08-28 04:28:24 +02:00
}
2021-08-27 17:19:18 +02:00
compile( ) {
2019-08-26 20:45:31 +02:00
project = $1
version = $2
tarball =
uncompress_options =
source_dir =
server_executable =
2023-09-05 19:14:21 +02:00
if [ [ $project = = "OpenSSH" ] ] ; then
2021-08-27 17:19:18 +02:00
tarball = " openssh- ${ version } .tar.gz "
uncompress_options = "xzf"
source_dir = " openssh- ${ version } "
server_executable = sshd
2023-09-05 19:14:21 +02:00
elif [ [ $project = = "Dropbear" ] ] ; then
2021-08-27 17:19:18 +02:00
tarball = " dropbear- ${ version } .tar.bz2 "
uncompress_options = "xjf"
source_dir = " dropbear- ${ version } "
server_executable = dropbear
2023-09-05 19:14:21 +02:00
elif [ [ $project = = "TinySSH" ] ] ; then
2021-08-27 17:19:18 +02:00
tarball = " ${ version } .tar.gz "
uncompress_options = "xzf"
source_dir = " tinyssh- ${ version } "
2023-09-05 19:14:21 +02:00
server_executable = "build/bin/tinysshd"
2019-08-26 20:45:31 +02:00
fi
echo " Uncompressing ${ project } ${ version } ... "
2021-08-27 17:19:18 +02:00
tar $uncompress_options " $tarball "
2019-08-22 22:04:46 +02:00
2019-08-26 20:45:31 +02:00
echo " Compiling ${ project } ${ version } ... "
2023-09-05 19:14:21 +02:00
pushd " $source_dir " || exit > /dev/null
2019-08-28 04:28:24 +02:00
# TinySSH has no configure script... only a Makefile.
2023-09-05 19:14:21 +02:00
if [ [ $project = = "TinySSH" ] ] ; then
2021-08-27 17:19:18 +02:00
make -j 10
2019-08-28 04:28:24 +02:00
else
2021-08-27 17:19:18 +02:00
./configure && make -j 10
2019-08-28 04:28:24 +02:00
fi
2019-08-22 22:04:46 +02:00
2019-08-26 20:45:31 +02:00
if [ [ ! -f $server_executable ] ] ; then
2021-08-27 17:19:18 +02:00
echo -e " ${ REDB } Error: ${ server_executable } not built! ${ CLR } "
exit 1
2019-08-22 22:04:46 +02:00
fi
2019-08-26 20:45:31 +02:00
echo -e " \n ${ GREEN } Successfully built ${ project } ${ version } ${ CLR } \n "
2023-09-05 19:14:21 +02:00
popd || exit > /dev/null
2019-08-22 22:04:46 +02:00
}
# Creates a new docker image.
2021-08-27 17:19:18 +02:00
create_docker_image( ) {
2019-08-22 22:04:46 +02:00
# Create a new temporary directory.
2021-08-27 17:19:18 +02:00
TMP_DIR = $( mktemp -d /tmp/sshaudit-docker-XXXXXXXXXX)
2019-08-22 22:04:46 +02:00
2019-08-28 04:28:24 +02:00
# Copy the Dockerfile and all files in the test/docker/ dir to our new temp directory.
2023-09-05 19:14:21 +02:00
find test/docker/ -maxdepth 1 -type f -exec cp -t " $TMP_DIR " "{}" +
2019-08-22 22:04:46 +02:00
# Make the temp directory our working directory for the duration of the build
# process.
2023-09-05 19:14:21 +02:00
pushd " $TMP_DIR " || exit > /dev/null
2019-08-22 22:04:46 +02:00
2019-08-28 04:28:24 +02:00
# Get the release keys.
2019-08-26 20:45:31 +02:00
get_dropbear_release_key
2019-08-28 04:28:24 +02:00
get_openssh_release_key
get_tinyssh_release_key
2019-08-22 22:04:46 +02:00
# Aside from checking the GPG signatures, we also compare against this known-good
# SHA-256 hash just in case.
2023-09-05 19:14:21 +02:00
get_openssh "4.0p1" "5adb9b2c2002650e15216bf94ed9db9541d9a17c96fcd876784861a8890bc92b"
get_openssh "5.6p1" "538af53b2b8162c21a293bb004ae2bdb141abd250f61b4cea55244749f3c6c2b"
get_openssh "8.0p1" "bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0b437320c3481fd68"
get_dropbear "2019.78" "525965971272270995364a0eb01f35180d793182e63dd0b0c3eb0292291644a4"
get_tinyssh "20190101" "554a9a94e53b370f0cd0c5fbbd322c34d1f695cbcea6a6a32dcb8c9f595b3fea"
2019-08-22 22:04:46 +02:00
# Compile the versions of OpenSSH.
2023-09-05 19:14:21 +02:00
compile_openssh "4.0p1"
compile_openssh "5.6p1"
compile_openssh "8.0p1"
2019-08-22 22:04:46 +02:00
2019-08-26 20:45:31 +02:00
# Compile the versions of Dropbear.
2023-09-05 19:14:21 +02:00
compile_dropbear "2019.78"
2019-08-26 20:45:31 +02:00
2019-08-28 04:28:24 +02:00
# Compile the versions of TinySSH.
2023-09-05 19:14:21 +02:00
compile_tinyssh "20190101"
2019-08-28 04:28:24 +02:00
2019-08-26 20:45:31 +02:00
2019-08-22 22:04:46 +02:00
# Rename the default config files so we know they are our originals.
2019-08-22 22:48:23 +02:00
mv openssh-4.0p1/sshd_config sshd_config-4.0p1_orig
2019-08-22 22:04:46 +02:00
mv openssh-5.6p1/sshd_config sshd_config-5.6p1_orig
mv openssh-8.0p1/sshd_config sshd_config-8.0p1_orig
# Create the configurations for each test.
2019-08-22 22:48:23 +02:00
#
# OpenSSH v4.0p1
#
# Test 1: Basic test.
2023-09-05 19:14:21 +02:00
create_openssh_config "4.0p1" "test1" "HostKey /etc/ssh/ssh1_host_key\nHostKey /etc/ssh/ssh_host_rsa_key_1024\nHostKey /etc/ssh/ssh_host_dsa_key"
2019-08-22 22:48:23 +02:00
2019-08-22 22:04:46 +02:00
#
# OpenSSH v5.6p1
#
# Test 1: Basic test.
2023-09-05 19:14:21 +02:00
create_openssh_config "5.6p1" "test1" "HostKey /etc/ssh/ssh_host_rsa_key_1024\nHostKey /etc/ssh/ssh_host_dsa_key"
2019-08-22 22:04:46 +02:00
# Test 2: RSA 1024 host key with RSA 1024 certificate.
2023-09-05 19:14:21 +02:00
create_openssh_config "5.6p1" "test2" "HostKey /etc/ssh/ssh_host_rsa_key_1024\nHostCertificate /etc/ssh/ssh_host_rsa_key_1024-cert_1024.pub"
2021-08-27 17:19:18 +02:00
2019-08-22 22:04:46 +02:00
# Test 3: RSA 1024 host key with RSA 3072 certificate.
2023-09-05 19:14:21 +02:00
create_openssh_config "5.6p1" "test3" "HostKey /etc/ssh/ssh_host_rsa_key_1024\nHostCertificate /etc/ssh/ssh_host_rsa_key_1024-cert_3072.pub"
2019-08-22 22:04:46 +02:00
# Test 4: RSA 3072 host key with RSA 1024 certificate.
2023-09-05 19:14:21 +02:00
create_openssh_config "5.6p1" "test4" "HostKey /etc/ssh/ssh_host_rsa_key_3072\nHostCertificate /etc/ssh/ssh_host_rsa_key_3072-cert_1024.pub"
2019-08-22 22:04:46 +02:00
# Test 5: RSA 3072 host key with RSA 3072 certificate.
2023-09-05 19:14:21 +02:00
create_openssh_config "5.6p1" "test5" "HostKey /etc/ssh/ssh_host_rsa_key_3072\nHostCertificate /etc/ssh/ssh_host_rsa_key_3072-cert_3072.pub"
2019-08-22 22:04:46 +02:00
#
# OpenSSH v8.0p1
#
# Test 1: Basic test.
2023-09-05 19:14:21 +02:00
create_openssh_config "8.0p" "test1" "HostKey /etc/ssh/ssh_host_rsa_key_3072\nHostKey /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key"
2019-08-22 22:04:46 +02:00
# Test 2: ED25519 certificate test.
2023-09-05 19:14:21 +02:00
create_openssh_config "8.0p1" "test2" "HostKey /etc/ssh/ssh_host_ed25519_key\nHostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"
2019-08-22 22:04:46 +02:00
# Test 3: Hardened installation test.
2023-09-05 19:14:21 +02:00
create_openssh_config "8.0p1" "test3" "HostKey /etc/ssh/ssh_host_ed25519_key\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com"
2019-08-22 22:04:46 +02:00
# Now build the docker image!
2021-08-27 17:19:18 +02:00
docker build --tag " $IMAGE_NAME : $IMAGE_VERSION " .
2019-08-22 22:04:46 +02:00
2023-09-05 19:14:21 +02:00
popd || exit > /dev/null
2021-08-27 17:19:18 +02:00
rm -rf -- " $TMP_DIR "
2019-08-22 22:04:46 +02:00
}
# Creates an OpenSSH configuration file for a specific test.
2021-08-27 17:19:18 +02:00
create_openssh_config( ) {
2019-08-22 22:04:46 +02:00
openssh_version = $1
test_number = $2
config_text = $3
2021-08-27 17:19:18 +02:00
cp " sshd_config- ${ openssh_version } _orig " " sshd_config- ${ openssh_version } _ ${ test_number } "
echo -e " ${ config_text } " >> " sshd_config- ${ openssh_version } _ ${ test_number } "
2019-08-22 22:04:46 +02:00
}
2019-08-26 20:45:31 +02:00
# Downloads the Dropbear release key and adds it to the local keyring.
2021-08-27 17:19:18 +02:00
get_dropbear_release_key( ) {
2023-09-05 19:14:21 +02:00
get_release_key "Dropbear" "https://matt.ucc.asn.au/dropbear/releases/dropbear-key-2015.asc" "F29C6773" "F734 7EF2 EE2E 07A2 6762 8CA9 4493 1494 F29C 6773"
2019-08-26 20:45:31 +02:00
}
2019-08-22 22:04:46 +02:00
# Downloads the OpenSSH release key and adds it to the local keyring.
2021-08-27 17:19:18 +02:00
get_openssh_release_key( ) {
2023-09-05 19:14:21 +02:00
get_release_key "OpenSSH" "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc" "6D920D30" "59C2 118E D206 D927 E667 EBE3 D3E5 F56B 6D92 0D30"
2019-08-26 20:45:31 +02:00
}
2019-08-28 04:28:24 +02:00
# Downloads the TinySSH release key and adds it to the local keyring.
2021-08-27 17:19:18 +02:00
get_tinyssh_release_key( ) {
2023-09-05 19:14:21 +02:00
get_release_key "TinySSH" "" "96939FF9" "AADF 2EDF 5529 F170 2772 C8A2 DEC4 D246 931E F49B"
2019-08-28 04:28:24 +02:00
}
2021-08-27 17:19:18 +02:00
get_release_key( ) {
2019-08-26 20:45:31 +02:00
project = $1
key_url = $2
key_id = $3
release_key_fingerprint_expected = $4
2019-08-22 22:04:46 +02:00
2019-08-28 04:28:24 +02:00
# The TinySSH release key isn't on any website, apparently.
2023-09-05 19:14:21 +02:00
if [ [ $project = = "TinySSH" ] ] ; then
2021-08-27 17:19:18 +02:00
gpg --keyserver keys.gnupg.net --recv-key " $key_id "
2019-08-28 04:28:24 +02:00
else
2021-08-27 17:19:18 +02:00
echo -e " \nGetting ${ project } release key...\n "
wget -O key.asc " $2 "
2019-08-22 22:04:46 +02:00
2021-08-27 17:19:18 +02:00
echo -e " \nImporting ${ project } release key...\n "
gpg --import key.asc
2019-08-22 22:04:46 +02:00
2021-08-27 17:19:18 +02:00
rm key.asc
2019-08-28 04:28:24 +02:00
fi
2019-08-26 20:45:31 +02:00
2023-09-05 19:14:21 +02:00
local release_key_fingerprint_actual
release_key_fingerprint_actual = $( gpg --fingerprint " $key_id " )
2019-08-22 22:04:46 +02:00
if [ [ $release_key_fingerprint_actual != *" $release_key_fingerprint_expected " * ] ] ; then
2019-08-26 20:45:31 +02:00
echo -e " \n ${ REDB } Error: ${ project } release key fingerprint does not match expected value!\n\tExpected: $release_key_fingerprint_expected \n\tActual: $release_key_fingerprint_actual \n\nTerminating. ${ CLR } "
2021-08-27 17:19:18 +02:00
exit 1
2019-08-22 22:04:46 +02:00
fi
2019-08-26 20:45:31 +02:00
echo -e " \n\n ${ GREEN } ${ project } release key matches expected value. ${ CLR } \n "
}
# Downloads the specified version of Dropbear.
2021-08-27 17:19:18 +02:00
get_dropbear( ) {
2019-08-26 20:45:31 +02:00
version = $1
tarball_checksum_expected = $2
2023-09-05 19:14:21 +02:00
get_source "Dropbear" " $version " " $tarball_checksum_expected "
2019-08-22 22:04:46 +02:00
}
# Downloads the specified version of OpenSSH.
2021-08-27 17:19:18 +02:00
get_openssh( ) {
2019-08-26 20:45:31 +02:00
version = $1
tarball_checksum_expected = $2
2023-09-05 19:14:21 +02:00
get_source "OpenSSH" " $version " " $tarball_checksum_expected "
2019-08-26 20:45:31 +02:00
}
2019-08-22 22:04:46 +02:00
2019-08-22 22:48:23 +02:00
2019-08-28 04:28:24 +02:00
# Downloads the specified version of TinySSH.
2021-08-27 17:19:18 +02:00
get_tinyssh( ) {
2019-08-28 04:28:24 +02:00
version = $1
tarball_checksum_expected = $2
2023-09-05 19:14:21 +02:00
get_source "TinySSH" " $version " " $tarball_checksum_expected "
2019-08-28 04:28:24 +02:00
}
2021-08-27 17:19:18 +02:00
get_source( ) {
2019-08-26 20:45:31 +02:00
project = $1
version = $2
tarball_checksum_expected = $3
2019-08-28 04:28:24 +02:00
base_url_source =
base_url_sig =
2019-08-26 20:45:31 +02:00
tarball =
sig =
signer =
2023-09-05 19:14:21 +02:00
if [ [ $project = = "OpenSSH" ] ] ; then
base_url_source = "https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/"
2021-08-27 17:19:18 +02:00
base_url_sig = $base_url_source
tarball = " openssh- ${ version } .tar.gz "
sig = " ${ tarball } .asc "
signer = "Damien Miller "
2023-09-05 19:14:21 +02:00
elif [ [ $project = = "Dropbear" ] ] ; then
base_url_source = "https://matt.ucc.asn.au/dropbear/releases/"
2021-08-27 17:19:18 +02:00
base_url_sig = $base_url_source
tarball = " dropbear- ${ version } .tar.bz2 "
sig = " ${ tarball } .asc "
signer = "Dropbear SSH Release Signing <matt@ucc.asn.au>"
2023-09-05 19:14:21 +02:00
elif [ [ $project = = "TinySSH" ] ] ; then
base_url_source = "https://github.com/janmojzis/tinyssh/archive/"
2021-08-27 17:19:18 +02:00
base_url_sig = " https://github.com/janmojzis/tinyssh/releases/download/ ${ version } / "
tarball = " ${ version } .tar.gz "
sig = " ${ tarball } .asc "
signer = "Jan Mojžíš <jan.mojzis@gmail.com>"
2019-08-22 22:48:23 +02:00
fi
2019-08-22 22:04:46 +02:00
2019-08-26 20:45:31 +02:00
echo -e " \nGetting ${ project } ${ version } sources...\n "
2019-08-28 04:28:24 +02:00
wget " ${ base_url_source } ${ tarball } "
2019-08-26 20:45:31 +02:00
echo -e " \nGetting ${ project } ${ version } signature...\n "
2019-08-28 04:28:24 +02:00
wget " ${ base_url_sig } ${ sig } "
2019-08-26 20:45:31 +02:00
# Older OpenSSH releases were .sigs.
2023-09-05 19:14:21 +02:00
if [ [ ( $project = = "OpenSSH" ) && ( ! -f $sig ) ] ] ; then
2021-08-27 17:19:18 +02:00
wget " ${ base_url_sig } openssh- ${ version } .tar.gz.sig "
sig = openssh-${ version } .tar.gz.sig
2019-08-26 20:45:31 +02:00
fi
2023-09-05 19:14:21 +02:00
local gpg_verify
gpg_verify = $( gpg --verify " ${ sig } " " ${ tarball } " 2>& 1)
retval = $?
2019-08-26 20:45:31 +02:00
if [ [ $gpg_verify != *" Good signature from \" ${ signer } " * ] ] ; then
echo -e " \n\n ${ REDB } Error: ${ project } signature invalid!\n $gpg_verify \n\nTerminating. ${ CLR } "
2021-08-27 17:19:18 +02:00
exit 1
2019-08-22 22:04:46 +02:00
fi
# Check GPG's return value. 0 denotes a valid signature, and 1 is returned
# on invalid signatures.
2023-09-05 19:14:21 +02:00
if [ [ ${ retval } != 0 ] ] ; then
2019-08-26 20:45:31 +02:00
echo -e " \n\n ${ REDB } Error: ${ project } signature invalid! Verification returned code: $? \n\nTerminating. ${ CLR } "
2021-08-27 17:19:18 +02:00
exit 1
2019-08-22 22:04:46 +02:00
fi
2019-08-26 20:45:31 +02:00
echo -e " ${ GREEN } Signature on ${ project } sources verified. ${ CLR } \n "
2019-08-22 22:04:46 +02:00
2023-09-05 19:14:21 +02:00
local checksum_actual
checksum_actual = $( sha256sum " ${ tarball } " | cut -f1 -d" " )
2021-08-27 17:19:18 +02:00
if [ [ $checksum_actual != " $tarball_checksum_expected " ] ] ; then
2019-08-26 20:45:31 +02:00
echo -e " ${ REDB } Error: ${ project } checksum is invalid!\n Expected: ${ tarball_checksum_expected } \n Actual: ${ checksum_actual } \n\n Terminating. ${ CLR } "
2021-08-27 17:19:18 +02:00
exit 1
2019-08-22 22:04:46 +02:00
fi
2019-08-26 20:45:31 +02:00
}
2020-10-02 01:42:48 +02:00
# Pulls the defined image from Dockerhub.
2021-08-27 17:19:18 +02:00
pull_docker_image( ) {
2023-09-05 19:14:21 +02:00
docker pull " ${ IMAGE_NAME } : ${ IMAGE_VERSION } "
retval = $?
if [ [ ${ retval } = = 0 ] ] ; then
echo -e " ${ GREEN } Successfully downloaded image ${ IMAGE_NAME } : ${ IMAGE_VERSION } from Dockerhub. ${ CLR } \n "
2020-10-02 01:42:48 +02:00
else
2023-09-05 19:14:21 +02:00
echo -e " ${ REDB } Failed to pull image ${ IMAGE_NAME } : ${ IMAGE_VERSION } from Dockerhub! Error code: ${ retval } ${ CLR } \n "
2021-08-27 17:19:18 +02:00
exit 1
2020-10-02 01:42:48 +02:00
fi
}
2019-08-26 20:45:31 +02:00
# Runs a Dropbear test. Upon failure, a diff between the expected and actual results
# is shown, then the script immediately terminates.
2021-08-27 17:19:18 +02:00
run_dropbear_test( ) {
2019-08-26 20:45:31 +02:00
dropbear_version = $1
test_number = $2
options = $3
2020-07-07 21:56:37 +02:00
expected_retval = $4
2019-08-22 22:04:46 +02:00
2023-09-05 19:14:21 +02:00
run_test "Dropbear" " ${ dropbear_version } " " ${ test_number } " " ${ options } " " ${ expected_retval } "
2019-08-22 22:04:46 +02:00
}
# Runs an OpenSSH test. Upon failure, a diff between the expected and actual results
# is shown, then the script immediately terminates.
2021-08-27 17:19:18 +02:00
run_openssh_test( ) {
2019-08-22 22:04:46 +02:00
openssh_version = $1
test_number = $2
2020-07-07 21:56:37 +02:00
expected_retval = $3
2019-08-22 22:04:46 +02:00
2023-09-05 19:14:21 +02:00
run_test "OpenSSH" " ${ openssh_version } " " ${ test_number } " "" " ${ expected_retval } "
2019-08-26 20:45:31 +02:00
}
2019-08-28 04:28:24 +02:00
# Runs a TinySSH test. Upon failure, a diff between the expected and actual results
# is shown, then the script immediately terminates.
2021-08-27 17:19:18 +02:00
run_tinyssh_test( ) {
2019-08-28 04:28:24 +02:00
tinyssh_version = $1
test_number = $2
2020-07-07 21:56:37 +02:00
expected_retval = $3
2019-08-28 04:28:24 +02:00
2023-09-05 19:14:21 +02:00
run_test "TinySSH" " ${ tinyssh_version } " " ${ test_number } " "" " ${ expected_retval } "
2019-08-28 04:28:24 +02:00
}
2021-08-27 17:19:18 +02:00
run_test( ) {
2019-08-26 20:45:31 +02:00
server_type = $1
version = $2
test_number = $3
options = $4
2020-07-07 21:56:37 +02:00
expected_retval = $5
2019-08-26 20:45:31 +02:00
2020-10-21 03:26:06 +02:00
failed = 0 # Set to 1 if this test fails.
2019-08-26 20:45:31 +02:00
server_exec =
2019-11-09 00:40:32 +01:00
test_result_stdout =
test_result_json =
expected_result_stdout =
expected_result_json =
2019-08-26 20:45:31 +02:00
test_name =
2023-09-05 19:14:21 +02:00
if [ [ $server_type = = "OpenSSH" ] ] ; then
2021-08-27 17:19:18 +02:00
server_exec = " /openssh/sshd- ${ version } -D -f /etc/ssh/sshd_config- ${ version } _ ${ test_number } "
test_result_stdout = " ${ TEST_RESULT_DIR } /openssh_ ${ version } _ ${ test_number } .txt "
test_result_json = " ${ TEST_RESULT_DIR } /openssh_ ${ version } _ ${ test_number } .json "
expected_result_stdout = " test/docker/expected_results/openssh_ ${ version } _ ${ test_number } .txt "
expected_result_json = " test/docker/expected_results/openssh_ ${ version } _ ${ test_number } .json "
test_name = " OpenSSH ${ version } ${ test_number } "
options =
2023-09-05 19:14:21 +02:00
elif [ [ $server_type = = "Dropbear" ] ] ; then
2021-08-27 17:19:18 +02:00
server_exec = " /dropbear/dropbear- ${ version } -F ${ options } "
test_result_stdout = " ${ TEST_RESULT_DIR } /dropbear_ ${ version } _ ${ test_number } .txt "
test_result_json = " ${ TEST_RESULT_DIR } /dropbear_ ${ version } _ ${ test_number } .json "
expected_result_stdout = " test/docker/expected_results/dropbear_ ${ version } _ ${ test_number } .txt "
expected_result_json = " test/docker/expected_results/dropbear_ ${ version } _ ${ test_number } .json "
test_name = " Dropbear ${ version } ${ test_number } "
2023-09-05 19:14:21 +02:00
elif [ [ $server_type = = "TinySSH" ] ] ; then
2021-08-27 17:19:18 +02:00
server_exec = "/usr/bin/tcpserver -HRDl0 0.0.0.0 22 /tinysshd/tinyssh-20190101 -v /etc/tinyssh/"
test_result_stdout = " ${ TEST_RESULT_DIR } /tinyssh_ ${ version } _ ${ test_number } .txt "
test_result_json = " ${ TEST_RESULT_DIR } /tinyssh_ ${ version } _ ${ test_number } .json "
expected_result_stdout = " test/docker/expected_results/tinyssh_ ${ version } _ ${ test_number } .txt "
expected_result_json = " test/docker/expected_results/tinyssh_ ${ version } _ ${ test_number } .json "
test_name = " TinySSH ${ version } ${ test_number } "
2019-08-26 20:45:31 +02:00
fi
2023-09-12 14:38:07 +02:00
#echo "Running: docker run --rm -d -p 2222:22 $IMAGE_NAME:$IMAGE_VERSION ${server_exec}"
cid = $( docker run --rm -d -p 2222:22 " ${ IMAGE_NAME } : ${ IMAGE_VERSION } " ${ server_exec } )
2023-09-05 19:14:21 +02:00
retval = $?
if [ [ ${ retval } != 0 ] ] ; then
echo -e " ${ REDB } Failed to run docker image! (exit code: ${ retval } ) ${ CLR } "
2021-08-27 17:19:18 +02:00
exit 1
2019-08-22 22:04:46 +02:00
fi
2021-08-27 17:19:18 +02:00
./ssh-audit.py localhost:2222 > " $test_result_stdout "
2020-07-07 21:56:37 +02:00
actual_retval = $?
2021-08-27 17:19:18 +02:00
if [ [ $actual_retval != " $expected_retval " ] ] ; then
echo -e " ${ REDB } Unexpected return value. Expected: ${ expected_retval } ; Actual: ${ actual_retval } ${ CLR } "
2023-03-21 16:28:52 +01:00
if [ [ $accept = = 1 ] ] ; then
echo -e " \n ${ REDB } This failure cannot be automatically fixed; this script must be manually updated with the new expected return value. ${ CLR } "
fi
2023-09-05 19:14:21 +02:00
cat " ${ test_result_stdout } "
docker container stop -t 0 " ${ cid } " > /dev/null
2021-08-27 17:19:18 +02:00
exit 1
2019-11-09 00:40:32 +01:00
fi
2023-03-24 23:48:36 +01:00
./ssh-audit.py -jj localhost:2222 > " $test_result_json "
2020-07-07 21:56:37 +02:00
actual_retval = $?
2021-08-27 17:19:18 +02:00
if [ [ $actual_retval != " $expected_retval " ] ] ; then
echo -e " ${ REDB } Unexpected return value. Expected: ${ expected_retval } ; Actual: ${ actual_retval } ${ CLR } "
2023-03-21 16:28:52 +01:00
if [ [ $accept = = 1 ] ] ; then
echo -e " \n ${ REDB } This failure cannot be automatically fixed; this script must be manually updated with the new expected return value. ${ CLR } "
fi
2023-09-05 19:14:21 +02:00
cat " ${ test_result_json } "
docker container stop -t 0 " ${ cid } " > /dev/null
2021-08-27 17:19:18 +02:00
exit 1
2019-08-22 22:04:46 +02:00
fi
2023-09-05 19:14:21 +02:00
docker container stop -t 0 " ${ cid } " > /dev/null
retval = $?
if [ [ ${ retval } != 0 ] ] ; then
echo -e " ${ REDB } Failed to stop docker container ${ cid } ! (exit code: ${ retval } ) ${ CLR } "
2019-08-22 22:04:46 +02:00
exit 1
fi
2019-08-28 04:28:24 +02:00
# TinySSH outputs a random string in each banner, which breaks our test. So
# we need to filter out the banner part of the output so we get stable, repeatable
# results.
2023-09-05 19:14:21 +02:00
if [ [ $server_type = = "TinySSH" ] ] ; then
2021-08-27 17:19:18 +02:00
grep -v "(gen) banner: " " ${ test_result_stdout } " > " ${ test_result_stdout } .tmp "
mv " ${ test_result_stdout } .tmp " " ${ test_result_stdout } "
cat " ${ test_result_json } " | perl -pe 's/"comments": ".*?"/"comments": ""/' | perl -pe 's/"raw": ".+?"/"raw": ""/' > " ${ test_result_json } .tmp "
mv " ${ test_result_json } .tmp " " ${ test_result_json } "
2019-08-28 04:28:24 +02:00
fi
2021-08-27 17:19:18 +02:00
diff = $( diff -u " ${ expected_result_stdout } " " ${ test_result_stdout } " )
2023-09-05 19:14:21 +02:00
retval = $?
if [ [ ${ retval } != 0 ] ] ; then
2023-03-21 16:28:52 +01:00
# If the user wants to update the tests, then overwrite the expected results with the actual results.
if [ [ $accept = = 1 ] ] ; then
cp " ${ test_result_stdout } " " ${ expected_result_stdout } "
echo -e " ${ test_name } ${ YELLOWB } UPDATED ${ CLR } \n "
else
echo -e " ${ test_name } ${ REDB } FAILED ${ CLR } .\n\n ${ diff } \n "
failed = 1
num_failures = $(( num_failures+1))
fi
2019-08-22 22:04:46 +02:00
fi
2021-08-27 17:19:18 +02:00
diff = $( diff -u " ${ expected_result_json } " " ${ test_result_json } " )
2023-09-05 19:14:21 +02:00
retval = $?
if [ [ ${ retval } != 0 ] ] ; then
2023-03-21 16:28:52 +01:00
# If the user wants to update the tests, then overwrite the expected results with the actual results.
if [ [ $accept = = 1 ] ] ; then
cp " ${ test_result_json } " " ${ expected_result_json } "
echo -e " ${ test_name } ${ YELLOWB } UPDATED ${ CLR } \n "
else
echo -e " ${ test_name } ${ REDB } FAILED ${ CLR } .\n\n ${ diff } \n "
failed = 1
num_failures = $(( num_failures+1))
fi
2020-10-21 03:26:06 +02:00
fi
if [ [ $failed = = 0 ] ] ; then
2021-08-27 17:19:18 +02:00
echo -e " ${ test_name } ${ GREEN } passed ${ CLR } . "
2019-11-09 00:40:32 +01:00
fi
}
2019-08-22 22:04:46 +02:00
2021-08-27 17:19:18 +02:00
run_builtin_policy_test( ) {
2020-10-19 23:27:37 +02:00
policy_name = $1 # The built-in policy name to use.
version = $2 # Version of OpenSSH to test with.
test_number = $3 # The test number to run.
server_options = $4 # The options to start the server with (i.e.: "-o option1,options2,...")
expected_exit_code = $5 # The expected exit code of ssh-audit.py.
server_exec = " /openssh/sshd- ${ version } -D -f /etc/ssh/sshd_config-8.0p1_test1 ${ server_options } "
test_result_stdout = " ${ TEST_RESULT_DIR } /openssh_ ${ version } _builtin_policy_ ${ test_number } .txt "
test_result_json = " ${ TEST_RESULT_DIR } /openssh_ ${ version } _builtin_policy_ ${ test_number } .json "
expected_result_stdout = " test/docker/expected_results/openssh_ ${ version } _builtin_policy_ ${ test_number } .txt "
expected_result_json = " test/docker/expected_results/openssh_ ${ version } _builtin_policy_ ${ test_number } .json "
test_name = " OpenSSH ${ version } built-in policy ${ test_number } "
run_policy_test " ${ test_name } " " ${ server_exec } " " ${ policy_name } " " ${ test_result_stdout } " " ${ test_result_json } " " ${ expected_exit_code } "
}
2019-08-26 20:45:31 +02:00
2020-10-19 23:27:37 +02:00
2021-08-27 17:19:18 +02:00
run_custom_policy_test( ) {
2020-06-30 21:53:50 +02:00
config_number = $1 # The configuration number to use.
test_number = $2 # The policy test number to run.
expected_exit_code = $3 # The expected exit code of ssh-audit.py.
version =
config =
2023-09-05 19:14:21 +02:00
if [ [ ${ config_number } = = "config1" ] ] ; then
version = "5.6p1"
config = "sshd_config-5.6p1_test1"
elif [ [ ${ config_number } = = "config2" ] ] ; then
version = "8.0p1"
config = "sshd_config-8.0p1_test1"
elif [ [ ${ config_number } = = "config3" ] ] ; then
version = "5.6p1"
config = "sshd_config-5.6p1_test4"
2020-06-30 21:53:50 +02:00
fi
server_exec = " /openssh/sshd- ${ version } -D -f /etc/ssh/ ${ config } "
policy_path = " test/docker/policies/policy_ ${ test_number } .txt "
2020-10-19 23:27:37 +02:00
test_result_stdout = " ${ TEST_RESULT_DIR } /openssh_ ${ version } _custom_policy_ ${ test_number } .txt "
test_result_json = " ${ TEST_RESULT_DIR } /openssh_ ${ version } _custom_policy_ ${ test_number } .json "
expected_result_stdout = " test/docker/expected_results/openssh_ ${ version } _custom_policy_ ${ test_number } .txt "
expected_result_json = " test/docker/expected_results/openssh_ ${ version } _custom_policy_ ${ test_number } .json "
test_name = " OpenSSH ${ version } custom policy ${ test_number } "
run_policy_test " ${ test_name } " " ${ server_exec } " " ${ policy_path } " " ${ test_result_stdout } " " ${ test_result_json } " " ${ expected_exit_code } "
}
2021-08-27 17:19:18 +02:00
run_policy_test( ) {
2020-10-19 23:27:37 +02:00
test_name = $1
server_exec = $2
policy_path = $3
test_result_stdout = $4
test_result_json = $5
expected_exit_code = $6
2020-06-30 21:53:50 +02:00
2023-09-12 14:38:07 +02:00
#echo "Running: docker run --rm -d -p 2222:22 $IMAGE_NAME:$IMAGE_VERSION ${server_exec}"
cid = $( docker run --rm -d -p 2222:22 " ${ IMAGE_NAME } : ${ IMAGE_VERSION } " ${ server_exec } )
2023-09-05 19:14:21 +02:00
retval = $?
if [ [ ${ retval } != 0 ] ] ; then
echo -e " ${ REDB } Failed to run docker image! (exit code: ${ retval } ) ${ CLR } "
2021-08-27 17:19:18 +02:00
exit 1
2020-06-30 21:53:50 +02:00
fi
2020-10-19 23:27:37 +02:00
#echo "Running: ./ssh-audit.py -P \"${policy_path}\" localhost:2222 > ${test_result_stdout}"
2021-08-27 17:19:18 +02:00
./ssh-audit.py -P " ${ policy_path } " localhost:2222 > " ${ test_result_stdout } "
2020-06-30 21:53:50 +02:00
actual_exit_code = $?
2021-08-27 17:19:18 +02:00
if [ [ ${ actual_exit_code } != " ${ expected_exit_code } " ] ] ; then
echo -e " ${ test_name } ${ REDB } FAILED ${ CLR } (expected exit code: ${ expected_exit_code } ; actual exit code: ${ actual_exit_code } \n "
2023-03-21 16:28:52 +01:00
if [ [ $accept = = 1 ] ] ; then
echo -e " \n ${ REDB } This failure cannot be automatically fixed; this script must be manually updated with the new expected return value. ${ CLR } "
fi
2021-08-27 17:19:18 +02:00
cat " ${ test_result_stdout } "
2023-09-05 19:14:21 +02:00
docker container stop -t 0 " ${ cid } " > /dev/null
2021-08-27 17:19:18 +02:00
exit 1
2020-06-30 21:53:50 +02:00
fi
2023-04-25 15:17:32 +02:00
#echo "Running: ./ssh-audit.py -P \"${policy_path}\" -jj localhost:2222 > ${test_result_json} 2> /dev/null"
./ssh-audit.py -P " ${ policy_path } " -jj localhost:2222 > " ${ test_result_json } " 2> /dev/null
2020-06-30 21:53:50 +02:00
actual_exit_code = $?
2021-08-27 17:19:18 +02:00
if [ [ ${ actual_exit_code } != " ${ expected_exit_code } " ] ] ; then
echo -e " ${ test_name } ${ REDB } FAILED ${ CLR } (expected exit code: ${ expected_exit_code } ; actual exit code: ${ actual_exit_code } \n "
2023-03-21 16:28:52 +01:00
if [ [ $accept = = 1 ] ] ; then
echo -e " \n ${ REDB } This failure cannot be automatically fixed; this script must be manually updated with the new expected return value. ${ CLR } "
fi
2021-08-27 17:19:18 +02:00
cat " ${ test_result_json } "
2023-09-05 19:14:21 +02:00
docker container stop -t 0 " ${ cid } " > /dev/null
2021-08-27 17:19:18 +02:00
exit 1
2020-06-30 21:53:50 +02:00
fi
2023-09-05 19:14:21 +02:00
docker container stop -t 0 " ${ cid } " > /dev/null
retval = $?
if [ [ ${ retval } != 0 ] ] ; then
echo -e " ${ REDB } Failed to stop docker container ${ cid } ! (exit code: ${ retval } ) ${ CLR } "
2020-06-30 21:53:50 +02:00
exit 1
fi
2021-08-27 17:19:18 +02:00
diff = $( diff -u " ${ expected_result_stdout } " " ${ test_result_stdout } " )
2023-09-05 19:14:21 +02:00
retval = $?
if [ [ ${ retval } != 0 ] ] ; then
2023-03-21 16:28:52 +01:00
# If the user wants to update the tests, then overwrite the expected results with the actual results.
if [ [ $accept = = 1 ] ] ; then
cp " ${ test_result_stdout } " " ${ expected_result_stdout } "
echo -e " ${ test_name } ${ YELLOWB } UPDATED ${ CLR } \n "
else
echo -e " ${ test_name } ${ REDB } FAILED ${ CLR } .\n\n ${ diff } \n "
exit 1
fi
2020-06-30 21:53:50 +02:00
fi
2021-08-27 17:19:18 +02:00
diff = $( diff -u " ${ expected_result_json } " " ${ test_result_json } " )
2023-09-05 19:14:21 +02:00
retval = $?
if [ [ ${ retval } != 0 ] ] ; then
2023-03-21 16:28:52 +01:00
# If the user wants to update the tests, then overwrite the expected results with the actual results.
if [ [ $accept = = 1 ] ] ; then
cp " ${ test_result_json } " " ${ expected_result_json } "
echo -e " ${ test_name } ${ YELLOWB } UPDATED ${ CLR } \n "
else
echo -e " ${ test_name } ${ REDB } FAILED ${ CLR } .\n\n ${ diff } \n "
exit 1
fi
2020-06-30 21:53:50 +02:00
fi
echo -e " ${ test_name } ${ GREEN } passed ${ CLR } . "
}
2019-08-22 22:04:46 +02:00
# First check if docker is functional.
docker version > /dev/null
2023-09-05 19:14:21 +02:00
retval = $?
if [ [ ${ retval } != 0 ] ] ; then
echo -e " ${ REDB } Error: 'docker version' command failed (error code: ${ retval } ). Is docker installed and functioning? ${ CLR } "
2019-08-22 22:04:46 +02:00
exit 1
fi
2020-10-02 01:42:48 +02:00
# Check if the docker image is the most up-to-date version.
docker_image_exists = 0
2019-08-22 22:04:46 +02:00
check_if_docker_image_exists
2023-09-05 19:14:21 +02:00
retval = $?
if [ [ ${ retval } = = 0 ] ] ; then
2020-10-02 01:42:48 +02:00
docker_image_exists = 1
2019-08-22 22:04:46 +02:00
fi
2020-10-02 01:42:48 +02:00
# Check if the user specified --create to build a new image.
if [ [ ( $# = = 1) && ( $1 = = "--create" ) ] ] ; then
# Ensure that the image name doesn't already exist before building.
2023-09-05 19:14:21 +02:00
if [ [ ${ docker_image_exists } = = 1 ] ] ; then
echo -e " ${ REDB } Error: --create specified, but ${ IMAGE_NAME } : ${ IMAGE_VERSION } already exists! ${ CLR } "
2020-10-02 01:42:48 +02:00
exit 1
else
2023-09-05 19:14:21 +02:00
echo -e " \nCreating docker image ${ IMAGE_NAME } : ${ IMAGE_VERSION } ... "
2020-10-02 01:42:48 +02:00
create_docker_image
echo -e " \n ${ GREEN } Done creating docker image! ${ CLR } "
exit 0
fi
fi
2023-03-21 16:28:52 +01:00
# If the user passes --accept, then the actual results will replace the expected results (meaning the user wants to update the tests themselves due to new functionality).
if [ [ ( $# = = 1) && ( $1 = = "--accept" ) ] ] ; then
accept = 1
echo -e " \n ${ YELLOWB } Expected test results will be replaced with actual results. ${ CLR } "
fi
2020-10-02 01:42:48 +02:00
# If we weren't explicitly told to create a new image, and it doesn't exist, then pull it from Dockerhub.
2023-09-05 19:14:21 +02:00
if [ [ ${ docker_image_exists } = = 0 ] ] ; then
echo -e " \nPulling docker image ${ IMAGE_NAME } : ${ IMAGE_VERSION } ... "
2020-10-02 01:42:48 +02:00
pull_docker_image
fi
echo -e " \n ${ GREEN } Starting tests... ${ CLR } "
2019-08-22 22:04:46 +02:00
# Create a temporary directory to write test results to.
2021-08-27 17:19:18 +02:00
TEST_RESULT_DIR = $( mktemp -d /tmp/ssh-audit_test-results_XXXXXXXXXX)
2019-08-22 22:04:46 +02:00
# Now run all the tests.
echo -e "\nRunning tests..."
2023-09-05 19:14:21 +02:00
run_openssh_test "4.0p1" "test1" " ${ PROGRAM_RETVAL_FAILURE } "
2019-08-22 22:48:23 +02:00
echo
2023-09-05 19:14:21 +02:00
run_openssh_test "5.6p1" "test1" " ${ PROGRAM_RETVAL_FAILURE } "
run_openssh_test "5.6p1" "test2" " ${ PROGRAM_RETVAL_FAILURE } "
run_openssh_test "5.6p1" "test3" " ${ PROGRAM_RETVAL_FAILURE } "
run_openssh_test "5.6p1" "test4" " ${ PROGRAM_RETVAL_FAILURE } "
run_openssh_test "5.6p1" "test5" " ${ PROGRAM_RETVAL_FAILURE } "
2019-08-22 22:48:23 +02:00
echo
2023-09-05 19:14:21 +02:00
run_openssh_test "8.0p1" "test1" " ${ PROGRAM_RETVAL_FAILURE } "
run_openssh_test "8.0p1" "test2" " ${ PROGRAM_RETVAL_FAILURE } "
2023-12-19 20:03:28 +01:00
run_openssh_test "8.0p1" "test3" " ${ PROGRAM_RETVAL_WARNING } "
2019-08-26 20:45:31 +02:00
echo
2023-09-05 19:14:21 +02:00
run_dropbear_test "2019.78" "test1" "-r /etc/dropbear/dropbear_rsa_host_key_1024 -r /etc/dropbear/dropbear_dss_host_key -r /etc/dropbear/dropbear_ecdsa_host_key" 3
2019-08-28 04:28:24 +02:00
echo
2023-09-05 19:14:21 +02:00
run_tinyssh_test "20190101" "test1" " ${ PROGRAM_RETVAL_WARNING } "
2020-06-30 21:53:50 +02:00
echo
echo
2023-09-05 19:14:21 +02:00
run_custom_policy_test "config1" "test1" " ${ PROGRAM_RETVAL_GOOD } "
run_custom_policy_test "config1" "test2" " ${ PROGRAM_RETVAL_FAILURE } "
run_custom_policy_test "config1" "test3" " ${ PROGRAM_RETVAL_FAILURE } "
run_custom_policy_test "config1" "test4" " ${ PROGRAM_RETVAL_FAILURE } "
run_custom_policy_test "config1" "test5" " ${ PROGRAM_RETVAL_FAILURE } "
run_custom_policy_test "config2" "test6" " ${ PROGRAM_RETVAL_GOOD } "
2020-06-30 21:53:50 +02:00
# Passing test with host key certificate and CA key certificates.
2023-09-05 19:14:21 +02:00
run_custom_policy_test "config3" "test7" " ${ PROGRAM_RETVAL_GOOD } "
2020-06-30 21:53:50 +02:00
# Failing test with host key certificate and non-compliant CA key length.
2023-09-05 19:14:21 +02:00
run_custom_policy_test "config3" "test8" " ${ PROGRAM_RETVAL_FAILURE } "
2020-06-30 21:53:50 +02:00
# Failing test with non-compliant host key certificate and CA key certificate.
2023-09-05 19:14:21 +02:00
run_custom_policy_test "config3" "test9" " ${ PROGRAM_RETVAL_FAILURE } "
2020-06-30 21:53:50 +02:00
# Failing test with non-compliant host key certificate and non-compliant CA key certificate.
2023-09-05 19:14:21 +02:00
run_custom_policy_test "config3" "test10" " ${ PROGRAM_RETVAL_FAILURE } "
2020-06-30 21:53:50 +02:00
# Passing test with host key size check.
2023-09-05 19:14:21 +02:00
run_custom_policy_test "config2" "test11" " ${ PROGRAM_RETVAL_GOOD } "
2020-06-30 21:53:50 +02:00
# Failing test with non-compliant host key size check.
2023-09-05 19:14:21 +02:00
run_custom_policy_test "config2" "test12" " ${ PROGRAM_RETVAL_FAILURE } "
2020-06-30 21:53:50 +02:00
# Passing test with DH modulus test.
2023-09-05 19:14:21 +02:00
run_custom_policy_test "config2" "test13" " ${ PROGRAM_RETVAL_GOOD } "
2020-06-30 21:53:50 +02:00
# Failing test with DH modulus test.
2023-09-05 19:14:21 +02:00
run_custom_policy_test "config2" "test14" " ${ PROGRAM_RETVAL_FAILURE } "
2020-10-19 23:27:37 +02:00
2024-03-18 22:48:50 +01:00
# Passing test with algorithm subset matching.
run_custom_policy_test "config2" "test15" " ${ PROGRAM_RETVAL_GOOD } "
# Failing test with algorithm subset matching.
run_custom_policy_test "config2" "test16" " ${ PROGRAM_RETVAL_FAILURE } "
2024-03-19 19:45:19 +01:00
# Passing test with larger key matching.
run_custom_policy_test "config2" "test17" " ${ PROGRAM_RETVAL_GOOD } "
2023-04-26 21:47:58 +02:00
# Failing test for built-in OpenSSH 8.0p1 server policy (RSA host key size is 3072 instead of 4096).
2023-12-19 20:03:28 +01:00
run_builtin_policy_test "Hardened OpenSSH Server v8.0 (version 4)" "8.0p1" "test1" "-o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256,ssh-ed25519 -o KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 -o Ciphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -o MACs=hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com" " ${ PROGRAM_RETVAL_FAILURE } "
2020-10-19 23:27:37 +02:00
# Failing test for built-in OpenSSH 8.0p1 server policy (MACs not hardened).
2023-12-19 20:03:28 +01:00
run_builtin_policy_test "Hardened OpenSSH Server v8.0 (version 4)" "8.0p1" "test2" "-o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256,ssh-ed25519 -o KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 -o Ciphers=chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" " ${ PROGRAM_RETVAL_FAILURE } "
2020-06-30 21:53:50 +02:00
2019-08-22 22:04:46 +02:00
2020-10-21 03:26:06 +02:00
if [ [ $num_failures = = 0 ] ] ; then
echo -e " \n ${ GREENB } ALL TESTS PASS! ${ CLR } \n "
2023-09-05 19:14:21 +02:00
rm -rf -- " ${ TEST_RESULT_DIR } "
2020-10-21 03:26:06 +02:00
else
echo -e " \n ${ REDB } ${ num_failures } TESTS FAILED! ${ CLR } \n "
fi
2019-08-22 22:04:46 +02:00
exit 0