diff options
author | Jakub Jelen <jjelen@redhat.com> | 2018-08-07 11:34:30 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2018-08-31 14:18:34 +0200 |
commit | 594c62d718ced4706a545c2ff21add5e3e1b652f (patch) | |
tree | 19be799cf20f64abebde570ac8e463b6851667ea | |
parent | 4169be45eb5262a1a4aba775740b65206906e772 (diff) | |
download | libssh-594c62d718ced4706a545c2ff21add5e3e1b652f.tar.gz libssh-594c62d718ced4706a545c2ff21add5e3e1b652f.tar.xz libssh-594c62d718ced4706a545c2ff21add5e3e1b652f.zip |
tests: PUBLICKEY_ACCEPTED_TYPES are effective
Verify the PUBLICKEY_ACCEPTED_TYPES option is handled correctly
and affects the signature algorithm selection based on the
extensions and can be used to limit list of offered mechanisms
to the server.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r-- | include/libssh/pki_priv.h | 2 | ||||
-rw-r--r-- | src/pki.c | 2 | ||||
-rw-r--r-- | tests/unittests/torture_options.c | 50 |
3 files changed, 53 insertions, 1 deletions
diff --git a/include/libssh/pki_priv.h b/include/libssh/pki_priv.h index 38c7aa4b..623ca5a1 100644 --- a/include/libssh/pki_priv.h +++ b/include/libssh/pki_priv.h @@ -47,6 +47,8 @@ int pki_key_ecdsa_nid_from_name(const char *name); const char *pki_key_ecdsa_nid_to_name(int nid); const char *ssh_key_signature_to_char(enum ssh_keytypes_e type, enum ssh_digest_e hash_type); +enum ssh_digest_e ssh_key_type_to_hash(ssh_session session, + enum ssh_keytypes_e type); /* SSH Key Functions */ ssh_key pki_key_dup(const ssh_key key, int demote); @@ -303,7 +303,7 @@ int ssh_key_algorithm_allowed(ssh_session session, const char *type) * * @return A hash type to be used. */ -static enum ssh_digest_e ssh_key_type_to_hash(ssh_session session, +enum ssh_digest_e ssh_key_type_to_hash(ssh_session session, enum ssh_keytypes_e type) { switch (type) { diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c index 412df102..b531b542 100644 --- a/tests/unittests/torture_options.c +++ b/tests/unittests/torture_options.c @@ -11,6 +11,7 @@ #include "torture_key.h" #include <libssh/session.h> #include <libssh/misc.h> +#include <libssh/pki_priv.h> static int setup(void **state) { @@ -115,6 +116,54 @@ static void torture_options_set_hostkey(void **state) { assert_false(rc == 0); } +static void torture_options_set_pubkey_accepted_types(void **state) { + ssh_session session = *state; + int rc; + enum ssh_digest_e type; + + /* Test known public key algorithms */ + rc = ssh_options_set(session, + SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, + "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa"); + assert_true(rc == 0); + assert_string_equal(session->opts.pubkey_accepted_types, + "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa"); + + /* Test one unknown public key algorithms */ + rc = ssh_options_set(session, + SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, + "ssh-ed25519,unknown-crap@example.com,ssh-rsa"); + assert_true(rc == 0); + assert_string_equal(session->opts.pubkey_accepted_types, + "ssh-ed25519,ssh-rsa"); + + /* Test all unknown public key algorithms */ + rc = ssh_options_set(session, + SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, + "unknown-crap@example.com,more-crap@example.com"); + assert_false(rc == 0); + + /* Test that the option affects the algorithm selection for RSA keys */ + /* simulate the SHA2 extension was negotiated */ + session->extensions = SSH_EXT_SIG_RSA_SHA256; + + /* previous configuration did not list the SHA2 extension algoritms, so + * it should not be used */ + type = ssh_key_type_to_hash(session, SSH_KEYTYPE_RSA); + assert_int_equal(type, SSH_DIGEST_SHA1); + + /* now, lets allow the signature from SHA2 extension and expect + * it to be used */ + rc = ssh_options_set(session, + SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, + "rsa-sha2-256,ssh-rsa"); + assert_true(rc == 0); + assert_string_equal(session->opts.pubkey_accepted_types, + "rsa-sha2-256,ssh-rsa"); + type = ssh_key_type_to_hash(session, SSH_KEYTYPE_RSA); + assert_int_equal(type, SSH_DIGEST_SHA256); +} + static void torture_options_set_macs(void **state) { ssh_session session = *state; int rc; @@ -401,6 +450,7 @@ int torture_run_tests(void) { cmocka_unit_test_setup_teardown(torture_options_set_ciphers, setup, teardown), cmocka_unit_test_setup_teardown(torture_options_set_key_exchange, setup, teardown), cmocka_unit_test_setup_teardown(torture_options_set_hostkey, setup, teardown), + cmocka_unit_test_setup_teardown(torture_options_set_pubkey_accepted_types, setup, teardown), cmocka_unit_test_setup_teardown(torture_options_set_macs, setup, teardown), cmocka_unit_test_setup_teardown(torture_options_config_host, setup, teardown) }; |