authorJakub Jelen <jjelen@redhat.com>2018-08-07 11:34:30 +0200
committerAndreas Schneider <asn@cryptomilk.org>2018-08-31 14:18:34 +0200
commit594c62d718ced4706a545c2ff21add5e3e1b652f (patch)
tree19be799cf20f64abebde570ac8e463b6851667ea
parent4169be45eb5262a1a4aba775740b65206906e772 (diff)
tests: PUBLICKEY_ACCEPTED_TYPES are effective
Verify that the PUBLICKEY_ACCEPTED_TYPES option is handled correctly, affects the signature algorithm selection based on the extensions, and can be used to limit the list of mechanisms offered to the server. Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r--include/libssh/pki_priv.h2
-rw-r--r--src/pki.c2
-rw-r--r--tests/unittests/torture_options.c50
3 files changed, 53 insertions, 1 deletions
diff --git a/include/libssh/pki_priv.h b/include/libssh/pki_priv.h
index 38c7aa4b..623ca5a1 100644
--- a/include/libssh/pki_priv.h
+++ b/include/libssh/pki_priv.h
@@ -47,6 +47,8 @@ int pki_key_ecdsa_nid_from_name(const char *name);
const char *pki_key_ecdsa_nid_to_name(int nid);
const char *ssh_key_signature_to_char(enum ssh_keytypes_e type,
enum ssh_digest_e hash_type);
+enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
+ enum ssh_keytypes_e type);
/* SSH Key Functions */
ssh_key pki_key_dup(const ssh_key key, int demote);
diff --git a/src/pki.c b/src/pki.c
index 69d76c27..9e1bfc43 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -303,7 +303,7 @@ int ssh_key_algorithm_allowed(ssh_session session, const char *type)
*
* @return A hash type to be used.
*/
-static enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
+enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
enum ssh_keytypes_e type)
{
switch (type) {
diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
index 412df102..b531b542 100644
--- a/tests/unittests/torture_options.c
+++ b/tests/unittests/torture_options.c
@@ -11,6 +11,7 @@
#include "torture_key.h"
#include <libssh/session.h>
#include <libssh/misc.h>
+#include <libssh/pki_priv.h>
static int setup(void **state)
{
@@ -115,6 +116,54 @@ static void torture_options_set_hostkey(void **state) {
assert_false(rc == 0);
}
+static void torture_options_set_pubkey_accepted_types(void **state) {
+ ssh_session session = *state;
+ int rc;
+ enum ssh_digest_e type;
+
+ /* Test known public key algorithms */
+ rc = ssh_options_set(session,
+ SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+ "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
+ assert_true(rc == 0);
+ assert_string_equal(session->opts.pubkey_accepted_types,
+ "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
+
+ /* Test one unknown public key algorithms */
+ rc = ssh_options_set(session,
+ SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+ "ssh-ed25519,unknown-crap@example.com,ssh-rsa");
+ assert_true(rc == 0);
+ assert_string_equal(session->opts.pubkey_accepted_types,
+ "ssh-ed25519,ssh-rsa");
+
+ /* Test all unknown public key algorithms */
+ rc = ssh_options_set(session,
+ SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+ "unknown-crap@example.com,more-crap@example.com");
+ assert_false(rc == 0);
+
+ /* Test that the option affects the algorithm selection for RSA keys */
+ /* simulate the SHA2 extension was negotiated */
+ session->extensions = SSH_EXT_SIG_RSA_SHA256;
+
+ /* previous configuration did not list the SHA2 extension algoritms, so
+ * it should not be used */
+ type = ssh_key_type_to_hash(session, SSH_KEYTYPE_RSA);
+ assert_int_equal(type, SSH_DIGEST_SHA1);
+
+ /* now, lets allow the signature from SHA2 extension and expect
+ * it to be used */
+ rc = ssh_options_set(session,
+ SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+ "rsa-sha2-256,ssh-rsa");
+ assert_true(rc == 0);
+ assert_string_equal(session->opts.pubkey_accepted_types,
+ "rsa-sha2-256,ssh-rsa");
+ type = ssh_key_type_to_hash(session, SSH_KEYTYPE_RSA);
+ assert_int_equal(type, SSH_DIGEST_SHA256);
+}
+
static void torture_options_set_macs(void **state) {
ssh_session session = *state;
int rc;
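Review bot: The rejected-list case in `torture_options_set_pubkey_accepted_types` (`"unknown-crap@example.com,more-crap@example.com"`) checks only the return code, yet the `SSH_DIGEST_SHA1` assertion further down depends on `pubkey_accepted_types` still holding `"ssh-ed25519,ssh-rsa"` after that failed call. Adding `assert_string_equal(session->opts.pubkey_accepted_types, "ssh-ed25519,ssh-rsa");` right after `assert_false(rc == 0);` would make the test fail if a rejected list ever cleared or widened the accepted set. The converse direction is also untested: with `"rsa-sha2-256,ssh-rsa"` configured but `session->extensions = 0`, `ssh_key_type_to_hash(session, SSH_KEYTYPE_RSA)` should presumably still return `SSH_DIGEST_SHA1`. That final check would confirm SHA2 signatures are not chosen when the server never advertised the extension.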
@@ -401,6 +450,7 @@ int torture_run_tests(void) {
cmocka_unit_test_setup_teardown(torture_options_set_ciphers, setup, teardown),
cmocka_unit_test_setup_teardown(torture_options_set_key_exchange, setup, teardown),
cmocka_unit_test_setup_teardown(torture_options_set_hostkey, setup, teardown),
+ cmocka_unit_test_setup_teardown(torture_options_set_pubkey_accepted_types, setup, teardown),
cmocka_unit_test_setup_teardown(torture_options_set_macs, setup, teardown),
cmocka_unit_test_setup_teardown(torture_options_config_host, setup, teardown)
};