1 /* 	$OpenBSD: tests.c,v 1.1 2018/03/03 03:16:17 djm Exp $ */
2 
3 /*
4  * Regress test for keys options functions.
5  *
6  * Placed in the public domain
7  */
8 
9 #include "includes.h"
10 
11 #include <sys/types.h>
12 #include <sys/param.h>
13 #include <stdio.h>
14 #include <stdint.h>
15 #include <stdlib.h>
16 #include <string.h>
17 
18 #include "../test_helper/test_helper.h"
19 
20 #include "sshkey.h"
21 #include "authfile.h"
22 #include "auth-options.h"
23 #include "misc.h"
24 #include "log.h"
25 
26 static struct sshkey *
load_key(const char * name)27 load_key(const char *name)
28 {
29 	struct sshkey *ret;
30 	int r;
31 
32 	r = sshkey_load_public(test_data_file(name), &ret, NULL);
33 	ASSERT_INT_EQ(r, 0);
34 	ASSERT_PTR_NE(ret, NULL);
35 	return ret;
36 }
37 
38 static struct sshauthopt *
default_authkey_opts(void)39 default_authkey_opts(void)
40 {
41 	struct sshauthopt *ret = sshauthopt_new();
42 
43 	ASSERT_PTR_NE(ret, NULL);
44 	ret->permit_port_forwarding_flag = 1;
45 	ret->permit_agent_forwarding_flag = 1;
46 	ret->permit_x11_forwarding_flag = 1;
47 	ret->permit_pty_flag = 1;
48 	ret->permit_user_rc = 1;
49 	return ret;
50 }
51 
52 static struct sshauthopt *
default_authkey_restrict_opts(void)53 default_authkey_restrict_opts(void)
54 {
55 	struct sshauthopt *ret = sshauthopt_new();
56 
57 	ASSERT_PTR_NE(ret, NULL);
58 	ret->permit_port_forwarding_flag = 0;
59 	ret->permit_agent_forwarding_flag = 0;
60 	ret->permit_x11_forwarding_flag = 0;
61 	ret->permit_pty_flag = 0;
62 	ret->permit_user_rc = 0;
63 	ret->restricted = 1;
64 	return ret;
65 }
66 
67 static char **
commasplit(const char * s,size_t * np)68 commasplit(const char *s, size_t *np)
69 {
70 	char *ocp, *cp, *cp2, **ret = NULL;
71 	size_t n;
72 
73 	ocp = cp = strdup(s);
74 	ASSERT_PTR_NE(cp, NULL);
75 	for (n = 0; (cp2 = strsep(&cp, ",")) != NULL;) {
76 		ret = recallocarray(ret, n, n + 1, sizeof(*ret));
77 		ASSERT_PTR_NE(ret, NULL);
78 		cp2 = strdup(cp2);
79 		ASSERT_PTR_NE(cp2, NULL);
80 		ret[n++] = cp2;
81 	}
82 	free(ocp);
83 	*np = n;
84 	return ret;
85 }
86 
87 static void
compare_opts(const struct sshauthopt * opts,const struct sshauthopt * expected)88 compare_opts(const struct sshauthopt *opts,
89     const struct sshauthopt *expected)
90 {
91 	size_t i;
92 
93 	ASSERT_PTR_NE(opts, NULL);
94 	ASSERT_PTR_NE(expected, NULL);
95 	ASSERT_PTR_NE(expected, opts); /* bozo :) */
96 
97 #define FLAG_EQ(x) ASSERT_INT_EQ(opts->x, expected->x)
98 	FLAG_EQ(permit_port_forwarding_flag);
99 	FLAG_EQ(permit_agent_forwarding_flag);
100 	FLAG_EQ(permit_x11_forwarding_flag);
101 	FLAG_EQ(permit_pty_flag);
102 	FLAG_EQ(permit_user_rc);
103 	FLAG_EQ(restricted);
104 	FLAG_EQ(cert_authority);
105 #undef FLAG_EQ
106 
107 #define STR_EQ(x) \
108 	do { \
109 		if (expected->x == NULL) \
110 			ASSERT_PTR_EQ(opts->x, expected->x); \
111 		else \
112 			ASSERT_STRING_EQ(opts->x, expected->x); \
113 	} while (0)
114 	STR_EQ(cert_principals);
115 	STR_EQ(force_command);
116 	STR_EQ(required_from_host_cert);
117 	STR_EQ(required_from_host_keys);
118 #undef STR_EQ
119 
120 #define ARRAY_EQ(nx, x) \
121 	do { \
122 		ASSERT_SIZE_T_EQ(opts->nx, expected->nx); \
123 		if (expected->nx == 0) \
124 			break; \
125 		for (i = 0; i < expected->nx; i++) \
126 			ASSERT_STRING_EQ(opts->x[i], expected->x[i]); \
127 	} while (0)
128 	ARRAY_EQ(nenv, env);
129 	ARRAY_EQ(npermitopen, permitopen);
130 #undef ARRAY_EQ
131 }
132 
133 static void
test_authkeys_parse(void)134 test_authkeys_parse(void)
135 {
136 	struct sshauthopt *opts, *expected;
137 	const char *errstr;
138 
139 #define FAIL_TEST(label, keywords) \
140 	do { \
141 		TEST_START("sshauthopt_parse invalid " label); \
142 		opts = sshauthopt_parse(keywords, &errstr); \
143 		ASSERT_PTR_EQ(opts, NULL); \
144 		ASSERT_PTR_NE(errstr, NULL); \
145 		TEST_DONE(); \
146 	} while (0)
147 #define CHECK_SUCCESS_AND_CLEANUP() \
148 	do { \
149 		if (errstr != NULL) \
150 			ASSERT_STRING_EQ(errstr, ""); \
151 		compare_opts(opts, expected); \
152 		sshauthopt_free(expected); \
153 		sshauthopt_free(opts); \
154 	} while (0)
155 
156 	/* Basic tests */
157 	TEST_START("sshauthopt_parse empty");
158 	expected = default_authkey_opts();
159 	opts = sshauthopt_parse("", &errstr);
160 	CHECK_SUCCESS_AND_CLEANUP();
161 	TEST_DONE();
162 
163 	TEST_START("sshauthopt_parse trailing whitespace");
164 	expected = default_authkey_opts();
165 	opts = sshauthopt_parse(" ", &errstr);
166 	CHECK_SUCCESS_AND_CLEANUP();
167 	TEST_DONE();
168 
169 	TEST_START("sshauthopt_parse restrict");
170 	expected = default_authkey_restrict_opts();
171 	opts = sshauthopt_parse("restrict", &errstr);
172 	CHECK_SUCCESS_AND_CLEANUP();
173 	TEST_DONE();
174 
175 	/* Invalid syntax */
176 	FAIL_TEST("trailing comma", "restrict,");
177 	FAIL_TEST("bare comma", ",");
178 	FAIL_TEST("unknown option", "BLAH");
179 	FAIL_TEST("unknown option with trailing comma", "BLAH,");
180 	FAIL_TEST("unknown option with trailing whitespace", "BLAH ");
181 
182 	/* force_tun_device */
183 	TEST_START("sshauthopt_parse tunnel explicit");
184 	expected = default_authkey_opts();
185 	expected->force_tun_device = 1;
186 	opts = sshauthopt_parse("tunnel=\"1\"", &errstr);
187 	CHECK_SUCCESS_AND_CLEANUP();
188 	TEST_DONE();
189 
190 	TEST_START("sshauthopt_parse tunnel any");
191 	expected = default_authkey_opts();
192 	expected->force_tun_device = SSH_TUNID_ANY;
193 	opts = sshauthopt_parse("tunnel=\"any\"", &errstr);
194 	CHECK_SUCCESS_AND_CLEANUP();
195 	TEST_DONE();
196 
197 	FAIL_TEST("tunnel", "tunnel=\"blah\"");
198 
199 	/* Flag options */
200 #define FLAG_TEST(keyword, var, val) \
201 	do { \
202 		TEST_START("sshauthopt_parse " keyword); \
203 		expected = default_authkey_opts(); \
204 		expected->var = val; \
205 		opts = sshauthopt_parse(keyword, &errstr); \
206 		CHECK_SUCCESS_AND_CLEANUP(); \
207 		expected = default_authkey_restrict_opts(); \
208 		expected->var = val; \
209 		opts = sshauthopt_parse("restrict,"keyword, &errstr); \
210 		CHECK_SUCCESS_AND_CLEANUP(); \
211 		TEST_DONE(); \
212 	} while (0)
213 	/* Positive flags */
214 	FLAG_TEST("cert-authority", cert_authority, 1);
215 	FLAG_TEST("port-forwarding", permit_port_forwarding_flag, 1);
216 	FLAG_TEST("agent-forwarding", permit_agent_forwarding_flag, 1);
217 	FLAG_TEST("x11-forwarding", permit_x11_forwarding_flag, 1);
218 	FLAG_TEST("pty", permit_pty_flag, 1);
219 	FLAG_TEST("user-rc", permit_user_rc, 1);
220 	/* Negative flags */
221 	FLAG_TEST("no-port-forwarding", permit_port_forwarding_flag, 0);
222 	FLAG_TEST("no-agent-forwarding", permit_agent_forwarding_flag, 0);
223 	FLAG_TEST("no-x11-forwarding", permit_x11_forwarding_flag, 0);
224 	FLAG_TEST("no-pty", permit_pty_flag, 0);
225 	FLAG_TEST("no-user-rc", permit_user_rc, 0);
226 #undef FLAG_TEST
227 	FAIL_TEST("no-cert-authority", "no-cert-authority");
228 
229 	/* String options */
230 #define STRING_TEST(keyword, var, val) \
231 	do { \
232 		TEST_START("sshauthopt_parse " keyword); \
233 		expected = default_authkey_opts(); \
234 		expected->var = strdup(val); \
235 		ASSERT_PTR_NE(expected->var, NULL); \
236 		opts = sshauthopt_parse(keyword "=" #val, &errstr); \
237 		CHECK_SUCCESS_AND_CLEANUP(); \
238 		expected = default_authkey_restrict_opts(); \
239 		expected->var = strdup(val); \
240 		ASSERT_PTR_NE(expected->var, NULL); \
241 		opts = sshauthopt_parse( \
242 		    "restrict," keyword "=" #val ",restrict", &errstr); \
243 		CHECK_SUCCESS_AND_CLEANUP(); \
244 		TEST_DONE(); \
245 	} while (0)
246 	STRING_TEST("command", force_command, "/bin/true");
247 	STRING_TEST("principals", cert_principals, "gregor,josef,K");
248 	STRING_TEST("from", required_from_host_keys, "127.0.0.0/8");
249 #undef STRING_TEST
250 	FAIL_TEST("unquoted command", "command=oops");
251 	FAIL_TEST("unquoted principals", "principals=estragon");
252 	FAIL_TEST("unquoted from", "from=127.0.0.1");
253 
254 	/* String array option tests */
255 #define ARRAY_TEST(label, keywords, var, nvar, val) \
256 	do { \
257 		TEST_START("sshauthopt_parse " label); \
258 		expected = default_authkey_opts(); \
259 		expected->var = commasplit(val, &expected->nvar); \
260 		ASSERT_PTR_NE(expected->var, NULL); \
261 		opts = sshauthopt_parse(keywords, &errstr); \
262 		CHECK_SUCCESS_AND_CLEANUP(); \
263 		expected = default_authkey_restrict_opts(); \
264 		expected->var = commasplit(val, &expected->nvar); \
265 		ASSERT_PTR_NE(expected->var, NULL); \
266 		opts = sshauthopt_parse( \
267 		    "restrict," keywords ",restrict", &errstr); \
268 		CHECK_SUCCESS_AND_CLEANUP(); \
269 		TEST_DONE(); \
270 	} while (0)
271 	ARRAY_TEST("environment", "environment=\"foo=1\",environment=\"bar=2\"",
272 	    env, nenv, "foo=1,bar=2");
273 	ARRAY_TEST("permitopen", "permitopen=\"foo:123\",permitopen=\"bar:*\"",
274 	    permitopen, npermitopen, "foo:123,bar:*");
275 #undef ARRAY_TEST
276 	FAIL_TEST("environment", "environment=\",=bah\"");
277 	FAIL_TEST("permitopen port", "foo:bar");
278 	FAIL_TEST("permitopen missing port", "foo:");
279 	FAIL_TEST("permitopen missing port specification", "foo");
280 	FAIL_TEST("permitopen invalid host", "[:");
281 
282 #undef CHECK_SUCCESS_AND_CLEANUP
283 #undef FAIL_TEST
284 }
285 
286 static void
test_cert_parse(void)287 test_cert_parse(void)
288 {
289 	struct sshkey *cert;
290 	struct sshauthopt *opts, *expected;
291 
292 #define CHECK_SUCCESS_AND_CLEANUP() \
293 	do { \
294 		compare_opts(opts, expected); \
295 		sshauthopt_free(expected); \
296 		sshauthopt_free(opts); \
297 		sshkey_free(cert); \
298 	} while (0)
299 #define FLAG_TEST(keybase, var) \
300 	do { \
301 		TEST_START("sshauthopt_from_cert no_" keybase); \
302 		cert = load_key("no_" keybase ".cert"); \
303 		expected = default_authkey_opts(); \
304 		expected->var = 0; \
305 		opts = sshauthopt_from_cert(cert); \
306 		CHECK_SUCCESS_AND_CLEANUP(); \
307 		TEST_DONE(); \
308 		TEST_START("sshauthopt_from_cert only_" keybase); \
309 		cert = load_key("only_" keybase ".cert"); \
310 		expected = sshauthopt_new(); \
311 		ASSERT_PTR_NE(expected, NULL); \
312 		expected->var = 1; \
313 		opts = sshauthopt_from_cert(cert); \
314 		CHECK_SUCCESS_AND_CLEANUP(); \
315 		TEST_DONE(); \
316 	} while (0)
317 	FLAG_TEST("agentfwd", permit_agent_forwarding_flag);
318 	FLAG_TEST("portfwd", permit_port_forwarding_flag);
319 	FLAG_TEST("pty", permit_pty_flag);
320 	FLAG_TEST("user_rc", permit_user_rc);
321 	FLAG_TEST("x11fwd", permit_x11_forwarding_flag);
322 #undef FLAG_TEST
323 
324 	TEST_START("sshauthopt_from_cert all permitted");
325 	cert = load_key("all_permit.cert");
326 	expected = default_authkey_opts();
327 	opts = sshauthopt_from_cert(cert);
328 	CHECK_SUCCESS_AND_CLEANUP();
329 	TEST_DONE();
330 
331 	TEST_START("sshauthopt_from_cert nothing permitted");
332 	cert = load_key("no_permit.cert");
333 	expected = sshauthopt_new();
334 	ASSERT_PTR_NE(expected, NULL);
335 	opts = sshauthopt_from_cert(cert);
336 	CHECK_SUCCESS_AND_CLEANUP();
337 	TEST_DONE();
338 
339 	TEST_START("sshauthopt_from_cert force-command");
340 	cert = load_key("force_command.cert");
341 	expected = default_authkey_opts();
342 	expected->force_command = strdup("foo");
343 	ASSERT_PTR_NE(expected->force_command, NULL);
344 	opts = sshauthopt_from_cert(cert);
345 	CHECK_SUCCESS_AND_CLEANUP();
346 	TEST_DONE();
347 
348 	TEST_START("sshauthopt_from_cert source-address");
349 	cert = load_key("sourceaddr.cert");
350 	expected = default_authkey_opts();
351 	expected->required_from_host_cert = strdup("127.0.0.1/32,::1/128");
352 	ASSERT_PTR_NE(expected->required_from_host_cert, NULL);
353 	opts = sshauthopt_from_cert(cert);
354 	CHECK_SUCCESS_AND_CLEANUP();
355 	TEST_DONE();
356 #undef CHECK_SUCCESS_AND_CLEANUP
357 
358 #define FAIL_TEST(keybase) \
359 	do { \
360 		TEST_START("sshauthopt_from_cert " keybase); \
361 		cert = load_key(keybase ".cert"); \
362 		opts = sshauthopt_from_cert(cert); \
363 		ASSERT_PTR_EQ(opts, NULL); \
364 		sshkey_free(cert); \
365 		TEST_DONE(); \
366 	} while (0)
367 	FAIL_TEST("host");
368 	FAIL_TEST("bad_sourceaddr");
369 	FAIL_TEST("unknown_critical");
370 #undef FAIL_TEST
371 }
372 
373 static void
test_merge(void)374 test_merge(void)
375 {
376 	struct sshkey *cert;
377 	struct sshauthopt *key_opts, *cert_opts, *merge_opts, *expected;
378 	const char *errstr;
379 
380 	/*
381 	 * Prepare for a test by making some key and cert options and
382 	 * attempting to merge them.
383 	 */
384 #define PREPARE(label, keyname, keywords) \
385 	do { \
386 		expected = NULL; \
387 		TEST_START("sshauthopt_merge " label); \
388 		cert = load_key(keyname ".cert"); \
389 		cert_opts = sshauthopt_from_cert(cert); \
390 		ASSERT_PTR_NE(cert_opts, NULL); \
391 		key_opts = sshauthopt_parse(keywords, &errstr); \
392 		if (errstr != NULL) \
393 			ASSERT_STRING_EQ(errstr, ""); \
394 		ASSERT_PTR_NE(key_opts, NULL); \
395 		merge_opts = sshauthopt_merge(key_opts, \
396 		    cert_opts, &errstr); \
397 	} while (0)
398 
399 	/* Cleanup stuff allocated by PREPARE() */
400 #define CLEANUP() \
401 	do { \
402 		sshauthopt_free(expected); \
403 		sshauthopt_free(merge_opts); \
404 		sshauthopt_free(key_opts); \
405 		sshauthopt_free(cert_opts); \
406 		sshkey_free(cert); \
407 	} while (0)
408 
409 	/* Check the results of PREPARE() against expectation; calls CLEANUP */
410 #define CHECK_SUCCESS_AND_CLEANUP() \
411 	do { \
412 		if (errstr != NULL) \
413 			ASSERT_STRING_EQ(errstr, ""); \
414 		compare_opts(merge_opts, expected); \
415 		CLEANUP(); \
416 	} while (0)
417 
418 	/* Check a single case of merging of flag options */
419 #define FLAG_CASE(keybase, label, keyname, keywords, mostly_off, var, val) \
420 	do { \
421 		PREPARE(keybase " " label, keyname, keywords); \
422 		expected = mostly_off ? \
423 		    sshauthopt_new() : default_authkey_opts(); \
424 		expected->var = val; \
425 		ASSERT_PTR_NE(expected, NULL); \
426 		CHECK_SUCCESS_AND_CLEANUP(); \
427 		TEST_DONE(); \
428 	} while (0)
429 
430 	/*
431 	 * Fairly exhaustive exercise of a flag option. Tests
432 	 * option both set and clear in certificate, set and clear in
433 	 * authorized_keys and set and cleared via restrict keyword.
434 	 */
435 #define FLAG_TEST(keybase, keyword, var) \
436 	do { \
437 		FLAG_CASE(keybase, "keys:default,yes cert:default,no", \
438 		    "no_" keybase, keyword, 0, var, 0); \
439 		FLAG_CASE(keybase,"keys:-*,yes cert:default,no", \
440 		    "no_" keybase, "restrict," keyword, 1, var, 0); \
441 		FLAG_CASE(keybase, "keys:default,no cert:default,no", \
442 		    "no_" keybase, "no-" keyword, 0, var, 0); \
443 		FLAG_CASE(keybase, "keys:-*,no cert:default,no", \
444 		    "no_" keybase, "restrict,no-" keyword, 1, var, 0); \
445 		\
446 		FLAG_CASE(keybase, "keys:default,yes cert:-*,yes", \
447 		    "only_" keybase, keyword, 1, var, 1); \
448 		FLAG_CASE(keybase,"keys:-*,yes cert:-*,yes", \
449 		    "only_" keybase, "restrict," keyword, 1, var, 1); \
450 		FLAG_CASE(keybase, "keys:default,no cert:-*,yes", \
451 		    "only_" keybase, "no-" keyword, 1, var, 0); \
452 		FLAG_CASE(keybase, "keys:-*,no cert:-*,yes", \
453 		    "only_" keybase, "restrict,no-" keyword, 1, var, 0); \
454 		\
455 		FLAG_CASE(keybase, "keys:default,yes cert:-*", \
456 		    "no_permit", keyword, 1, var, 0); \
457 		FLAG_CASE(keybase,"keys:-*,yes cert:-*", \
458 		    "no_permit", "restrict," keyword, 1, var, 0); \
459 		FLAG_CASE(keybase, "keys:default,no cert:-*", \
460 		    "no_permit", "no-" keyword, 1, var, 0); \
461 		FLAG_CASE(keybase, "keys:-*,no cert:-*", \
462 		    "no_permit", "restrict,no-" keyword, 1, var, 0); \
463 		\
464 		FLAG_CASE(keybase, "keys:default,yes cert:*", \
465 		    "all_permit", keyword, 0, var, 1); \
466 		FLAG_CASE(keybase,"keys:-*,yes cert:*", \
467 		    "all_permit", "restrict," keyword, 1, var, 1); \
468 		FLAG_CASE(keybase, "keys:default,no cert:*", \
469 		    "all_permit", "no-" keyword, 0, var, 0); \
470 		FLAG_CASE(keybase, "keys:-*,no cert:*", \
471 		    "all_permit", "restrict,no-" keyword, 1, var, 0); \
472 		\
473 	} while (0)
474 	FLAG_TEST("portfwd", "port-forwarding", permit_port_forwarding_flag);
475 	FLAG_TEST("agentfwd", "agent-forwarding", permit_agent_forwarding_flag);
476 	FLAG_TEST("pty", "pty", permit_pty_flag);
477 	FLAG_TEST("user_rc", "user-rc", permit_user_rc);
478 	FLAG_TEST("x11fwd", "x11-forwarding", permit_x11_forwarding_flag);
479 #undef FLAG_TEST
480 
481 	PREPARE("source-address both", "sourceaddr", "from=\"127.0.0.1\"");
482 	expected = default_authkey_opts();
483 	expected->required_from_host_cert = strdup("127.0.0.1/32,::1/128");
484 	ASSERT_PTR_NE(expected->required_from_host_cert, NULL);
485 	expected->required_from_host_keys = strdup("127.0.0.1");
486 	ASSERT_PTR_NE(expected->required_from_host_keys, NULL);
487 	CHECK_SUCCESS_AND_CLEANUP();
488 	TEST_DONE();
489 
490 	PREPARE("source-address none", "all_permit", "");
491 	expected = default_authkey_opts();
492 	CHECK_SUCCESS_AND_CLEANUP();
493 	TEST_DONE();
494 
495 	PREPARE("source-address keys", "all_permit", "from=\"127.0.0.1\"");
496 	expected = default_authkey_opts();
497 	expected->required_from_host_keys = strdup("127.0.0.1");
498 	ASSERT_PTR_NE(expected->required_from_host_keys, NULL);
499 	CHECK_SUCCESS_AND_CLEANUP();
500 	TEST_DONE();
501 
502 	PREPARE("source-address cert", "sourceaddr", "");
503 	expected = default_authkey_opts();
504 	expected->required_from_host_cert = strdup("127.0.0.1/32,::1/128");
505 	ASSERT_PTR_NE(expected->required_from_host_cert, NULL);
506 	CHECK_SUCCESS_AND_CLEANUP();
507 	TEST_DONE();
508 
509 	PREPARE("force-command both", "force_command", "command=\"foo\"");
510 	expected = default_authkey_opts();
511 	expected->force_command = strdup("foo");
512 	ASSERT_PTR_NE(expected->force_command, NULL);
513 	CHECK_SUCCESS_AND_CLEANUP();
514 	TEST_DONE();
515 
516 	PREPARE("force-command none", "all_permit", "");
517 	expected = default_authkey_opts();
518 	CHECK_SUCCESS_AND_CLEANUP();
519 	TEST_DONE();
520 
521 	PREPARE("force-command keys", "all_permit", "command=\"bar\"");
522 	expected = default_authkey_opts();
523 	expected->force_command = strdup("bar");
524 	ASSERT_PTR_NE(expected->force_command, NULL);
525 	CHECK_SUCCESS_AND_CLEANUP();
526 	TEST_DONE();
527 
528 	PREPARE("force-command cert", "force_command", "");
529 	expected = default_authkey_opts();
530 	expected->force_command = strdup("foo");
531 	ASSERT_PTR_NE(expected->force_command, NULL);
532 	CHECK_SUCCESS_AND_CLEANUP();
533 	TEST_DONE();
534 
535 	PREPARE("force-command mismatch", "force_command", "command=\"bar\"");
536 	ASSERT_PTR_EQ(merge_opts, NULL);
537 	CLEANUP();
538 	TEST_DONE();
539 
540 	PREPARE("tunnel", "all_permit", "tunnel=\"6\"");
541 	expected = default_authkey_opts();
542 	expected->force_tun_device = 6;
543 	CHECK_SUCCESS_AND_CLEANUP();
544 	TEST_DONE();
545 
546 	PREPARE("permitopen", "all_permit",
547 	    "permitopen=\"127.0.0.1:*\",permitopen=\"127.0.0.1:123\"");
548 	expected = default_authkey_opts();
549 	expected->permitopen = commasplit("127.0.0.1:*,127.0.0.1:123",
550 	    &expected->npermitopen);
551 	CHECK_SUCCESS_AND_CLEANUP();
552 	TEST_DONE();
553 
554 	PREPARE("environment", "all_permit",
555 	    "environment=\"foo=a\",environment=\"bar=b\"");
556 	expected = default_authkey_opts();
557 	expected->env = commasplit("foo=a,bar=b", &expected->nenv);
558 	CHECK_SUCCESS_AND_CLEANUP();
559 	TEST_DONE();
560 }
561 
562 void
tests(void)563 tests(void)
564 {
565 	extern char *__progname;
566 	LogLevel ll = test_is_verbose() ?
567 	    SYSLOG_LEVEL_DEBUG3 : SYSLOG_LEVEL_QUIET;
568 
569 	/* test_cert_parse() are a bit spammy to error() by default... */
570 	log_init(__progname, ll, SYSLOG_FACILITY_USER, 1);
571 
572 	test_authkeys_parse();
573 	test_cert_parse();
574 	test_merge();
575 }
576