upstream: regress test for ssh-add -d; ok dtucker@

OpenBSD-Regress-ID: 3a2e044be616afc7dd4f56c100179e83b33d8abf

1 files changed, 68 insertions, 5 deletions

diff --git a/regress/agent.sh b/regress/agent.sh
index 39403653c..66973de2b 100644
--- a/regress/agent.sh
+++ b/regress/agent.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: agent.sh,v 1.17 2019/12/21 02:33:07 djm Exp $
+#	$OpenBSD: agent.sh,v 1.18 2020/06/26 05:12:21 djm Exp $
 #	Placed in the Public Domain.
 
 tid="simple agent test"
@@ -45,17 +45,20 @@ for t in ${SSH_KEYTYPES}; do
 	# add to authorized keys
 	cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
 	# add private key to agent
-	${SSHADD} $OBJ/$t-agent #> /dev/null 2>&1
+	${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
 	if [ $? -ne 0 ]; then
 		fail "ssh-add failed exit code $?"
 	fi
 	# add private key to second agent
-	SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} $OBJ/$t-agent #> /dev/null 2>&1
+	SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
 	if [ $? -ne 0 ]; then
 		fail "ssh-add failed exit code $?"
 	fi
-	# Remove private key to ensure that we aren't accidentally using it.
-	rm -f $OBJ/$t-agent
+	# Move private key to ensure that we aren't accidentally using it.
+	# Keep the corresponding public keys/certs around for later use.
+	mv -f $OBJ/$t-agent $OBJ/$t-agent-private
+	cp -f $OBJ/$t-agent.pub $OBJ/$t-agent-private.pub
+	cp -f $OBJ/$t-agent-cert.pub $OBJ/$t-agent-private-cert.pub
 done
 
 # Remove explicit identity directives from ssh_proxy
@@ -152,12 +155,72 @@ for t in ${SSH_KEYTYPES}; do
     fi
 done
 
+## Deletion tests.
+
 trace "delete all agent keys"
 ${SSHADD} -D > /dev/null 2>&1
 r=$?
 if [ $r -ne 0 ]; then
 	fail "ssh-add -D failed: exit code $r"
 fi
+# make sure they're gone
+${SSHADD} -l > /dev/null 2>&1
+r=$?
+if [ $r -ne 1 ]; then
+	fail "ssh-add -l returned unexpected exit code: $r"
+fi
+trace "readd keys"
+# re-add keys/certs to agent
+for t in ${SSH_KEYTYPES}; do
+	${SSHADD} $OBJ/$t-agent-private >/dev/null 2>&1 || \
+		fail "ssh-add failed exit code $?"
+done
+# make sure they are there
+${SSHADD} -l > /dev/null 2>&1
+r=$?
+if [ $r -ne 0 ]; then
+	fail "ssh-add -l failed: exit code $r"
+fi
+
+check_key_absent() {
+	${SSHADD} -L | grep "^$1 " >/dev/null
+	if [ $? -eq 0 ]; then
+		fail "$1 key unexpectedly present"
+	fi
+}
+check_key_present() {
+	${SSHADD} -L | grep "^$1 " >/dev/null
+	if [ $? -ne 0 ]; then
+		fail "$1 key missing from agent"
+	fi
+}
+
+# delete the ed25519 key
+trace "delete single key by file"
+${SSHADD} -qdk ssh-ed25519-agent || fail "ssh-add -d ed25519 failed"
+check_key_absent ssh-ed25519
+check_key_present ssh-ed25519-cert-v01@openssh.com
+# Put key/cert back.
+${SSHADD} $OBJ/ssh-ed25519-agent-private >/dev/null 2>&1 || \
+	fail "ssh-add failed exit code $?"
+check_key_present ssh-ed25519
+# Delete both key and certificate.
+trace "delete key/cert by file"
+${SSHADD} -qd ssh-ed25519-agent || fail "ssh-add -d ed25519 failed"
+check_key_absent ssh-ed25519
+check_key_absent ssh-ed25519-cert-v01@openssh.com
+# Put key/cert back.
+${SSHADD} $OBJ/ssh-ed25519-agent-private >/dev/null 2>&1 || \
+	fail "ssh-add failed exit code $?"
+check_key_present ssh-ed25519
+# Delete certificate via stdin
+${SSHADD} -qd - < ssh-ed25519-agent-cert.pub || fail "ssh-add -d - failed"
+check_key_present ssh-ed25519
+check_key_absent ssh-ed25519-cert-v01@openssh.com
+# Delete key via stdin
+${SSHADD} -qd - < ssh-ed25519-agent.pub || fail "ssh-add -d - failed"
+check_key_absent ssh-ed25519
+check_key_absent ssh-ed25519-cert-v01@openssh.com
 
 trace "kill agent"
 ${SSHAGENT} -k > /dev/null