upstream: make DSA testing optional, defaulting to on

ok markus

OpenBSD-Regress-ID: dfc27b5574e3f19dc4043395594cea5f90b8572a

regress/Makefile

@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.131 2023/12/18 14:50:08 djm Exp $
+#	$OpenBSD: Makefile,v 1.132 2024/01/11 01:45:58 djm Exp $
 
 tests:		prep file-tests t-exec unit
 
@@ -180,10 +180,12 @@ t5:
 		awk '{print $$2}' | diff - ${.CURDIR}/t5.ok
 
 t6:
-	${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1
-	${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.pub > $(OBJ)/t6.out2
-	chmod 600 $(OBJ)/t6.out1
-	${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t6.out1 | diff - $(OBJ)/t6.out2
+	set -xe ; if ${TEST_SSH_SSH} -Q key | grep -q ^ssh-dss ; then \
+		${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1 ; \
+		${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.pub > $(OBJ)/t6.out2 ; \
+		chmod 600 $(OBJ)/t6.out1 ; \
+		${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t6.out1 | diff - $(OBJ)/t6.out2 ; \
+	fi
 
 $(OBJ)/t7.out:
 	${TEST_SSH_SSHKEYGEN} -q -t rsa -N '' -f $@
@@ -193,11 +195,15 @@ t7: $(OBJ)/t7.out
 	${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t7.out > /dev/null
 
 $(OBJ)/t8.out:
-	${TEST_SSH_SSHKEYGEN} -q -t dsa -N '' -f $@
+	set -xe ; if ssh -Q key | grep -q ^ssh-dss ; then \
+		${TEST_SSH_SSHKEYGEN} -q -t dsa -N '' -f $@ ; \
+	fi
 
 t8: $(OBJ)/t8.out
-	${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t8.out > /dev/null
-	${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t8.out > /dev/null
+	set -xe ; if ssh -Q key | grep -q ^ssh-dss ; then \
+		${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t8.out > /dev/null ; \
+		${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t8.out > /dev/null ; \
+	fi
 
 $(OBJ)/t9.out:
 	! ${TEST_SSH_SSH} -Q key-plain | grep ecdsa >/dev/null || \

regress/unittests/Makefile.inc

@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile.inc,v 1.15 2023/09/24 08:14:13 claudio Exp $
+#	$OpenBSD: Makefile.inc,v 1.16 2024/01/11 01:45:58 djm Exp $
 
 .include <bsd.own.mk>
 .include <bsd.obj.mk>
@@ -13,6 +13,11 @@ TEST_ENV?=		MALLOC_OPTIONS=${MALLOC_OPTIONS}
 
 # XXX detect from ssh binary?
 OPENSSL?=	yes
+DSAKEY?=	yes
+
+.if (${DSAKEY:L} == "yes")
+CFLAGS+=	-DWITH_DSA
+.endif
 
 .if (${OPENSSL:L} == "yes")
 CFLAGS+=	-DWITH_OPENSSL

regress/unittests/hostkeys/test_iterate.c

@@ -1,4 +1,4 @@
-/* 	$OpenBSD: test_iterate.c,v 1.8 2021/12/14 21:25:27 deraadt Exp $ */
+/* 	$OpenBSD: test_iterate.c,v 1.9 2024/01/11 01:45:58 djm Exp $ */
 /*
  * Regress test for hostfile.h hostkeys_foreach()
  *
@@ -94,6 +94,11 @@ check(struct hostkey_foreach_line *l, void *_ctx)
 	    expected->no_parse_keytype == KEY_ECDSA)
 		skip = 1;
 #endif /* OPENSSL_HAS_ECC */
+#ifndef WITH_DSA
+	if (expected->l.keytype == KEY_DSA ||
+	    expected->no_parse_keytype == KEY_DSA)
+		skip = 1;
+#endif
 #ifndef WITH_OPENSSL
 	if (expected->l.keytype == KEY_DSA ||
 	    expected->no_parse_keytype == KEY_DSA ||
@@ -155,6 +160,10 @@ prepare_expected(struct expected *expected, size_t n)
 		if (expected[i].l.keytype == KEY_ECDSA)
 			continue;
 #endif /* OPENSSL_HAS_ECC */
+#ifndef WITH_DSA
+		if (expected[i].l.keytype == KEY_DSA)
+			continue;
+#endif
 #ifndef WITH_OPENSSL
 		switch (expected[i].l.keytype) {
 		case KEY_RSA:

regress/unittests/kex/test_kex.c

@@ -1,4 +1,4 @@
-/* 	$OpenBSD: test_kex.c,v 1.6 2021/12/14 21:25:27 deraadt Exp $ */
+/* 	$OpenBSD: test_kex.c,v 1.7 2024/01/11 01:45:58 djm Exp $ */
 /*
  * Regress test KEX
  *
@@ -179,7 +179,9 @@ do_kex(char *kex)
 {
 #ifdef WITH_OPENSSL
 	do_kex_with_key(kex, KEY_RSA, 2048);
+#ifdef WITH_DSA
 	do_kex_with_key(kex, KEY_DSA, 1024);
+#endif
 #ifdef OPENSSL_HAS_ECC
 	do_kex_with_key(kex, KEY_ECDSA, 256);
 #endif /* OPENSSL_HAS_ECC */

regress/unittests/sshkey/test_file.c

@@ -1,4 +1,4 @@
-/* 	$OpenBSD: test_file.c,v 1.10 2021/12/14 21:25:27 deraadt Exp $ */
+/* 	$OpenBSD: test_file.c,v 1.11 2024/01/11 01:45:58 djm Exp $ */
 /*
  * Regress test for sshkey.h key management API
  *
@@ -165,6 +165,7 @@ sshkey_file_tests(void)
 
 	sshkey_free(k1);
 
+#ifdef WITH_DSA
 	TEST_START("parse DSA from private");
 	buf = load_file("dsa_1");
 	ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
@@ -255,6 +256,7 @@ sshkey_file_tests(void)
 	TEST_DONE();
 
 	sshkey_free(k1);
+#endif
 
 #ifdef OPENSSL_HAS_ECC
 	TEST_START("parse ECDSA from private");

regress/unittests/sshkey/test_fuzz.c

@@ -1,4 +1,4 @@
-/* 	$OpenBSD: test_fuzz.c,v 1.13 2021/12/14 21:25:27 deraadt Exp $ */
+/* 	$OpenBSD: test_fuzz.c,v 1.14 2024/01/11 01:45:58 djm Exp $ */
 /*
  * Fuzz tests for key parsing
  *
@@ -160,6 +160,7 @@ sshkey_fuzz_tests(void)
 	fuzz_cleanup(fuzz);
 	TEST_DONE();
 
+#ifdef WITH_DSA
 	TEST_START("fuzz DSA private");
 	buf = load_file("dsa_1");
 	fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
@@ -203,6 +204,7 @@ sshkey_fuzz_tests(void)
 	sshbuf_free(fuzzed);
 	fuzz_cleanup(fuzz);
 	TEST_DONE();
+#endif
 
 #ifdef OPENSSL_HAS_ECC
 	TEST_START("fuzz ECDSA private");
@@ -288,6 +290,7 @@ sshkey_fuzz_tests(void)
 	sshkey_free(k1);
 	TEST_DONE();
 
+#ifdef WITH_DSA
 	TEST_START("fuzz DSA public");
 	buf = load_file("dsa_1");
 	ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
@@ -301,6 +304,7 @@ sshkey_fuzz_tests(void)
 	public_fuzz(k1);
 	sshkey_free(k1);
 	TEST_DONE();
+#endif
 
 #ifdef OPENSSL_HAS_ECC
 	TEST_START("fuzz ECDSA public");
@@ -358,13 +362,15 @@ sshkey_fuzz_tests(void)
 	sshkey_free(k1);
 	TEST_DONE();
 
+#ifdef WITH_DSA
 	TEST_START("fuzz DSA sig");
 	buf = load_file("dsa_1");
 	ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
 	sshbuf_free(buf);
 	sig_fuzz(k1, NULL);
 	sshkey_free(k1);
 	TEST_DONE();
+#endif
 
 #ifdef OPENSSL_HAS_ECC
 	TEST_START("fuzz ECDSA sig");

regress/unittests/sshkey/test_sshkey.c

@@ -1,4 +1,4 @@
-/* 	$OpenBSD: test_sshkey.c,v 1.23 2023/01/04 22:48:57 tb Exp $ */
+/* 	$OpenBSD: test_sshkey.c,v 1.24 2024/01/11 01:45:58 djm Exp $ */
 /*
  * Regress test for sshkey.h key management API
  *
@@ -180,14 +180,14 @@ get_private(const char *n)
 void
 sshkey_tests(void)
 {
-	struct sshkey *k1, *k2, *k3, *kf;
+	struct sshkey *k1 = NULL, *k2 = NULL, *k3 = NULL, *kf = NULL;
 #ifdef WITH_OPENSSL
-	struct sshkey *k4, *kr, *kd;
+	struct sshkey *k4 = NULL, *kr = NULL, *kd = NULL;
 #ifdef OPENSSL_HAS_ECC
-	struct sshkey *ke;
+	struct sshkey *ke = NULL;
 #endif /* OPENSSL_HAS_ECC */
 #endif /* WITH_OPENSSL */
-	struct sshbuf *b;
+	struct sshbuf *b = NULL;
 
 	TEST_START("new invalid");
 	k1 = sshkey_new(-42);
@@ -208,12 +208,14 @@ sshkey_tests(void)
 	sshkey_free(k1);
 	TEST_DONE();
 
+#ifdef WITH_DSA
 	TEST_START("new/free KEY_DSA");
 	k1 = sshkey_new(KEY_DSA);
 	ASSERT_PTR_NE(k1, NULL);
 	ASSERT_PTR_NE(k1->dsa, NULL);
 	sshkey_free(k1);
 	TEST_DONE();
+#endif
 
 #ifdef OPENSSL_HAS_ECC
 	TEST_START("new/free KEY_ECDSA");
@@ -245,12 +247,14 @@ sshkey_tests(void)
 	ASSERT_PTR_EQ(k1, NULL);
 	TEST_DONE();
 
+#ifdef WITH_DSA
 	TEST_START("generate KEY_DSA wrong bits");
 	ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 2048, &k1),
 	    SSH_ERR_KEY_LENGTH);
 	ASSERT_PTR_EQ(k1, NULL);
 	sshkey_free(k1);
 	TEST_DONE();
+#endif
 
 #ifdef OPENSSL_HAS_ECC
 	TEST_START("generate KEY_ECDSA wrong bits");
@@ -273,13 +277,15 @@ sshkey_tests(void)
 	ASSERT_INT_EQ(BN_num_bits(rsa_n(kr)), 1024);
 	TEST_DONE();
 
+#ifdef WITH_DSA
 	TEST_START("generate KEY_DSA");
 	ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 1024, &kd), 0);
 	ASSERT_PTR_NE(kd, NULL);
 	ASSERT_PTR_NE(kd->dsa, NULL);
 	ASSERT_PTR_NE(dsa_g(kd), NULL);
 	ASSERT_PTR_NE(dsa_priv_key(kd), NULL);
 	TEST_DONE();
+#endif
 
 #ifdef OPENSSL_HAS_ECC
 	TEST_START("generate KEY_ECDSA");
@@ -317,6 +323,7 @@ sshkey_tests(void)
 	sshkey_free(k1);
 	TEST_DONE();
 
+#ifdef WITH_DSA
 	TEST_START("demote KEY_DSA");
 	ASSERT_INT_EQ(sshkey_from_private(kd, &k1), 0);
 	ASSERT_PTR_NE(k1, NULL);
@@ -331,6 +338,7 @@ sshkey_tests(void)
 	ASSERT_INT_EQ(sshkey_equal(kd, k1), 1);
 	sshkey_free(k1);
 	TEST_DONE();
+#endif
 
 #ifdef OPENSSL_HAS_ECC
 	TEST_START("demote KEY_ECDSA");
@@ -382,9 +390,6 @@ sshkey_tests(void)
 	ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1024, &k1), 0);
 	ASSERT_INT_EQ(sshkey_equal(kr, k1), 0);
 	sshkey_free(k1);
-	ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 1024, &k1), 0);
-	ASSERT_INT_EQ(sshkey_equal(kd, k1), 0);
-	sshkey_free(k1);
 #ifdef OPENSSL_HAS_ECC
 	ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 256, &k1), 0);
 	ASSERT_INT_EQ(sshkey_equal(ke, k1), 0);
@@ -479,6 +484,7 @@ sshkey_tests(void)
 	sshkey_free(k2);
 	TEST_DONE();
 
+#ifdef WITH_DSA
 	TEST_START("sign and verify DSA");
 	k1 = get_private("dsa_1");
 	ASSERT_INT_EQ(sshkey_load_public(test_data_file("dsa_2.pub"), &k2,
@@ -487,6 +493,7 @@ sshkey_tests(void)
 	sshkey_free(k1);
 	sshkey_free(k2);
 	TEST_DONE();
+#endif
 
 #ifdef OPENSSL_HAS_ECC
 	TEST_START("sign and verify ECDSA");

regress/unittests/sshsig/tests.c

@@ -1,4 +1,4 @@
-/* 	$OpenBSD: tests.c,v 1.3 2021/12/14 21:25:27 deraadt Exp $ */
+/* 	$OpenBSD: tests.c,v 1.4 2024/01/11 01:45:59 djm Exp $ */
 /*
  * Regress test for sshbuf.h buffer API
  *
@@ -103,9 +103,11 @@ tests(void)
 	check_sig("rsa.pub", "rsa.sig", msg, namespace);
 	TEST_DONE();
 
+#ifdef WITH_DSA
 	TEST_START("check DSA signature");
 	check_sig("dsa.pub", "dsa.sig", msg, namespace);
 	TEST_DONE();
+#endif
 
 #ifdef OPENSSL_HAS_ECC
 	TEST_START("check ECDSA signature");