author | Jakub Jelen <jjelen@redhat.com> | 2018-09-17 15:20:46 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2018-09-17 16:39:38 +0200 |
commit | 6efbf7a30e8dfa6e4bbceb4a11f0508504b1e701 (patch) | |
tree | 8943e455d13204e60e3247042b6076fe555a5019 | |
parent | e5170107c9e38f49adb7865a019e6931ad9803d2 (diff) | |
tests: Verify the pubkey authentication works with ECDSA keys
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-rw-r--r-- | tests/CMakeLists.txt | 5 | ||||
-rw-r--r-- | tests/client/torture_auth.c | 98 | ||||
-rw-r--r-- | tests/keys/id_ecdsa | 5 | ||||
-rw-r--r-- | tests/keys/id_ecdsa.pub | 1 |
4 files changed, 107 insertions, 2 deletions
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 001f9760..3fb68738 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -111,9 +111,14 @@ if (CLIENT_TESTING)
 # Give bob some keys
 file(COPY keys/id_rsa DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/home/bob/.ssh/ FILE_PERMISSIONS OWNER_READ OWNER_WRITE)
 file(COPY keys/id_rsa.pub DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/home/bob/.ssh/ FILE_PERMISSIONS OWNER_READ OWNER_WRITE)
+ file(COPY keys/id_ecdsa DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/home/bob/.ssh/ FILE_PERMISSIONS OWNER_READ OWNER_WRITE)
+ file(COPY keys/id_ecdsa.pub DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/home/bob/.ssh/ FILE_PERMISSIONS OWNER_READ OWNER_WRITE)
 
 # Allow to auth with bob his public keys on alice account
 configure_file(keys/id_rsa.pub ${CMAKE_CURRENT_BINARY_DIR}/home/alice/.ssh/authorized_keys @ONLY)
+ # append ECDSA public key
+ file(READ keys/id_ecdsa.pub CONTENTS)
+ file(APPEND ${CMAKE_CURRENT_BINARY_DIR}/home/alice/.ssh/authorized_keys "${CONTENTS}")
 
 # Copy the signed key to an alternative directory in bob's homedir.
 file(COPY keys/certauth/id_rsa DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/home/bob/.ssh_cert/ FILE_PERMISSIONS OWNER_READ OWNER_WRITE)
diff --git a/tests/client/torture_auth.c b/tests/client/torture_auth.c
index eed29a00..df7f2714 100644
--- a/tests/client/torture_auth.c
+++ b/tests/client/torture_auth.c
@@ -547,7 +547,8 @@ static void torture_auth_agent_cert_nonblocking(void **state) {
 torture_auth_agent_nonblocking(state);
 }
 
-static void torture_auth_pubkey_types(void **state) {
+static void torture_auth_pubkey_types(void **state)
+{
 struct torture_state *s = *state;
 ssh_session session = s->ssh.session;
 int rc;
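Review bot: The `file(APPEND ...)` that adds the ECDSA key to alice's authorized_keys relies on the `configure_file`-generated copy of id_rsa.pub ending with a newline; if it does not, the RSA and ECDSA entries are merged into one line the server cannot parse, and the new ECDSA tests then fail with an SSH_AUTH_DENIED that looks like a key-type filtering bug rather than a fixture problem. Appending with an explicit separator, `file(APPEND ${CMAKE_CURRENT_BINARY_DIR}/home/alice/.ssh/authorized_keys "\n${CONTENTS}")`, removes that dependency (sshd skips blank lines in authorized_keys, so a stray empty line is harmless). The same concern applies to any further key appended after this one, so a short comment such as `# each appended key must start on its own line` next to the APPEND would help the next person extending the fixture.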
@@ -583,7 +584,46 @@ static void torture_auth_pubkey_types(void **state) {
 assert_int_equal(rc, SSH_AUTH_SUCCESS);
 }
 
-static void torture_auth_pubkey_types_nonblocking(void **state) {
+static void torture_auth_pubkey_types_ecdsa(void **state)
+{
+ struct torture_state *s = *state;
+ ssh_session session = s->ssh.session;
+ int rc;
+
+ rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
+ assert_ssh_return_code(session, rc);
+
+ rc = ssh_connect(session);
+ assert_ssh_return_code(session, rc);
+
+ rc = ssh_userauth_none(session,NULL);
+ /* This request should return a SSH_REQUEST_DENIED error */
+ if (rc == SSH_ERROR) {
+ assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
+ }
+ rc = ssh_userauth_list(session, NULL);
+ assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
+
+ /* We have only the 256b key -- whitelisting only larger should fail */
+ rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+ "ecdsa-sha2-nistp384");
+ assert_ssh_return_code(session, rc);
+
+ rc = ssh_userauth_publickey_auto(session, NULL, NULL);
+ assert_int_equal(rc, SSH_AUTH_DENIED);
+
+ /* Verify we can use also ECDSA keys with their various names */
+ rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+ "ecdsa-sha2-nistp256");
+ assert_ssh_return_code(session, rc);
+
+ rc = ssh_userauth_publickey_auto(session, NULL, NULL);
+ assert_int_equal(rc, SSH_AUTH_SUCCESS);
+
+}
+
+static void torture_auth_pubkey_types_nonblocking(void **state)
+{
 struct torture_state *s = *state;
 ssh_session session = s->ssh.session;
 int rc;
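Review bot: In torture_auth_pubkey_types_ecdsa the `none` probe only asserts when `ssh_userauth_none` returns SSH_ERROR; any other result, including an unexpected SSH_AUTH_SUCCESS, falls through silently, and the later `assert_int_equal(rc, SSH_AUTH_DENIED)` — the check that a nistp384-only whitelist really stops the client from offering its nistp256 key — would then be exercised on an already-authenticated session, where the outcome no longer says anything about key-type filtering. Pinning the expected outcome, `} else { assert_int_equal(rc, SSH_AUTH_DENIED); }`, keeps the whitelist assertion self-contained. For consistency with the nonblocking variant in the same commit, and for a readable failure message, prefer `assert_int_equal(ssh_get_error_code(session), SSH_REQUEST_DENIED);` over `assert_true(... == ...)`. Minor style: `ssh_userauth_none(session,NULL)` lacks the space after the comma used everywhere else in the hunk, and the blank line before the closing brace can go.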
@@ -626,6 +666,54 @@ static void torture_auth_pubkey_types_nonblocking(void **state) {
 rc = ssh_userauth_publickey_auto(session, NULL, NULL);
 } while (rc == SSH_AUTH_AGAIN);
 assert_int_equal(rc, SSH_AUTH_SUCCESS);
+
+}
+
+static void torture_auth_pubkey_types_ecdsa_nonblocking(void **state)
+{
+ struct torture_state *s = *state;
+ ssh_session session = s->ssh.session;
+ int rc;
+
+ rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
+ assert_ssh_return_code(session, rc);
+
+ rc = ssh_connect(session);
+ assert_ssh_return_code(session, rc);
+
+ ssh_set_blocking(session,0);
+ do {
+ rc = ssh_userauth_none(session, NULL);
+ } while (rc == SSH_AUTH_AGAIN);
+
+ /* This request should return a SSH_REQUEST_DENIED error */
+ if (rc == SSH_ERROR) {
+ assert_int_equal(ssh_get_error_code(session), SSH_REQUEST_DENIED);
+ }
+
+ rc = ssh_userauth_list(session, NULL);
+ assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
+
+ /* We have only the 256b key -- whitelisting only larger should fail */
+ rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+ "ecdsa-sha2-nistp384");
+ assert_ssh_return_code(session, rc);
+
+ do {
+ rc = ssh_userauth_publickey_auto(session, NULL, NULL);
+ } while (rc == SSH_AUTH_AGAIN);
+ assert_int_equal(rc, SSH_AUTH_DENIED);
+
+ /* Verify we can use also ECDSA keys with their various names */
+ rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+ "ecdsa-sha2-nistp256");
+ assert_ssh_return_code(session, rc);
+
+ do {
+ rc = ssh_userauth_publickey_auto(session, NULL, NULL);
+ } while (rc == SSH_AUTH_AGAIN);
+ assert_int_equal(rc, SSH_AUTH_SUCCESS);
+
 }
@@ -677,6 +765,12 @@ int torture_run_tests(void) {
 cmocka_unit_test_setup_teardown(torture_auth_pubkey_types_nonblocking,
 pubkey_setup,
 session_teardown),
+ cmocka_unit_test_setup_teardown(torture_auth_pubkey_types_ecdsa,
+ pubkey_setup,
+ session_teardown),
+ cmocka_unit_test_setup_teardown(torture_auth_pubkey_types_ecdsa_nonblocking,
+ pubkey_setup,
+ session_teardown),
 };
 
 ssh_init();
diff --git a/tests/keys/id_ecdsa b/tests/keys/id_ecdsa
new file mode 100644
index 00000000..7a1827c6
--- /dev/null
+++ b/tests/keys/id_ecdsa
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHbL0nzpzLS3ImIlhEffbDzPlIw/tn5QcfB64PbSiBl6oAoGCCqGSM49
+AwEHoUQDQgAERzA8X8OP7C3W/e1UNLh+21xIZVBiQ7i4Qb4xoOebRWuwzitEZon/
+8Dz+VpE29krJgCagqSt5RLllOx8eS2i8fw==
+-----END EC PRIVATE KEY-----
diff --git a/tests/keys/id_ecdsa.pub b/tests/keys/id_ecdsa.pub
new file mode 100644
index 00000000..43b613bd
--- /dev/null
+++ b/tests/keys/id_ecdsa.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEcwPF/Dj+wt1v3tVDS4fttcSGVQYkO4uEG+MaDnm0VrsM4rRGaJ//A8/laRNvZKyYAmoKkreUS5ZTsfHktovH8= comment
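Review bot: The two ECDSA tests are registered unconditionally in torture_run_tests, yet they can only pass when the crypto backend libssh was built against provides ECDSA (the tree appears to guard its ECDSA code with HAVE_ECC elsewhere — verify); in a build without it, `ssh_userauth_publickey_auto` cannot load the nistp256 key and the final `assert_int_equal(rc, SSH_AUTH_SUCCESS)` fails on an otherwise correct build. Either wrap the two `cmocka_unit_test_setup_teardown` entries in `#ifdef HAVE_ECC` or have the tests call `skip()` when ECC is unavailable, matching how other backend-dependent tests in this file are handled. The fixture tests/keys/id_ecdsa is an unencrypted private key committed to the repository, which is normal for a test key, but replacing the placeholder `comment` in id_ecdsa.pub with something like `libssh-test-only` makes its purpose obvious if it ever turns up in an authorized_keys file outside the test tree.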