upstream: regress test for PKCS#11 directly in ssh (not via ssh-agent)

would have caught bz3879 OpenBSD-Regress-ID: ceafb1e9a6c07185cc0cb0589f3170489a516123
2026-06-24 08:48:18 +00:00 · 2025-10-16 00:01:54 +00:00
parent e3fdb82fb0
commit 946574b97c
3 changed files with 53 additions and 5 deletions
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.140 2025/07/04 07:52:17 djm Exp $
+#	$OpenBSD: Makefile,v 1.141 2025/10/16 00:01:54 djm Exp $

 tests:		prep file-tests t-exec unit

@@ -114,7 +114,8 @@ LTESTS= 	connect \
 		agent-pkcs11-cert \
 		penalty \
 		penalty-expire \
-		connect-bigconf
+		connect-bigconf \
+		ssh-pkcs11

 INTEROP_TESTS=	putty-transfer putty-ciphers putty-kex conch-ciphers
 INTEROP_TESTS+=	dropbear-ciphers dropbear-kex dropbear-server
@@ -151,7 +152,8 @@ CLEANFILES=	*.core actual agent-key.* authorized_keys_${USERNAME} \
 		sshd_proxy_orig t10.out t10.out.pub t12.out t12.out.pub \
 		t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub \
 		t8.out t8.out.pub t9.out t9.out.pub \
-		timestamp testdata user_*key* user_ca* user_key*
+		timestamp testdata user_*key* user_ca* user_key* \
+		pin.sh nopin.sh wrongpin.sh key.pub

 # Enable all malloc(3) randomisations and checks
 TEST_ENV=      "MALLOC_OPTIONS=CFGJRSUX"
--- a/regress/ssh-pkcs11.sh
+++ b/regress/ssh-pkcs11.sh
@@ -0,0 +1,40 @@
+#	$OpenBSD: ssh-pkcs11.sh,v 1.1 2025/10/16 00:01:54 djm Exp $
+#	Placed in the Public Domain.
+
+tid="pkcs11 ssh test"
+
+p11_setup || skip "No PKCS#11 library found"
+
+grep -iv IdentityFile $OBJ/ssh_proxy |
+	grep -vi BatchMode > $OBJ/ssh_proxy.orig
+#echo "IdentitiesOnly=yes" >> $OBJ/ssh_proxy.orig
+echo "PKCS11Provider=${TEST_SSH_PKCS11}" >> $OBJ/ssh_proxy.orig
+
+check_all() {
+	tag="$1"
+	expect_success=$2
+	pinsh="$3"
+	for k in $ED25519 $RSA $EC; do
+		kshort=`basename "$k"`
+		verbose "$tag: $kshort"
+		pub="$k.pub"
+		cp $pub $OBJ/key.pub
+		chmod 0600 $OBJ/key.pub
+		cat $OBJ/key.pub > $OBJ/authorized_keys_$USER
+		cp $OBJ/ssh_proxy.orig $OBJ/ssh_proxy
+		env SSH_ASKPASS="$pinsh" SSH_ASKPASS_REQUIRE=force \
+			${SSH} -F $OBJ/ssh_proxy somehost exit 5 >/dev/null 2>&1
+		r=$?
+		if [ "x$expect_success" = "xy" ]; then
+			if [ $r -ne 5 ]; then
+				fail "ssh connect failed (exit code $r)"
+			fi
+		elif [ $r -eq 5 ]; then
+			fail "ssh connect succeeded unexpectedly (exit code $r)"
+		fi
+	done
+}
+
+check_all "correct pin" y $PIN_SH
+check_all "wrong pin" n $WRONGPIN_SH
+check_all "nopin" n `which true`
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: test-exec.sh,v 1.131 2025/07/26 01:53:31 djm Exp $
+#	$OpenBSD: test-exec.sh,v 1.132 2025/10/16 00:01:54 djm Exp $
 #	Placed in the Public Domain.

 #SUDO=sudo
@@ -991,13 +991,19 @@ EOF
 		fatal "softhsm import ed25519 fail"
 	chmod 600 $ED25519
 	${SSHKEYGEN} -y -f $ED25519 > ${ED25519}.pub
-	# Prepare askpass script to load PIN.
+	# Prepare some askpass scripts to load PINs.
 	PIN_SH=$SSH_SOFTHSM_DIR/pin.sh
 	cat > $PIN_SH << EOF
 #!/bin/sh
 echo "${TEST_SSH_PIN}"
 EOF
 	chmod 0700 "$PIN_SH"
+	WRONGPIN_SH=$SSH_SOFTHSM_DIR/wrongpin.sh
+	cat > $WRONGPIN_SH << EOF
+#!/bin/sh
+echo "0000"
+EOF
+	chmod 0700 "$WRONGPIN_SH"
 	PKCS11_OK=yes
 	if env SSH_ASKPASS="$PIN_SH" SSH_ASKPASS_REQUIRE=force \
 	    ${SSHKEYGEN} -D ${TEST_SSH_PKCS11} >/dev/null 2>&1 ; then