authorJakub Jelen <jjelen@redhat.com>2018-09-17 15:20:46 +0200
committerAndreas Schneider <asn@cryptomilk.org>2018-09-17 16:39:38 +0200
commit6efbf7a30e8dfa6e4bbceb4a11f0508504b1e701 (patch)
tree8943e455d13204e60e3247042b6076fe555a5019
parente5170107c9e38f49adb7865a019e6931ad9803d2 (diff)
tests: Verify the pubkey authentication works with ECDSA keys
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-rw-r--r--tests/CMakeLists.txt5
-rw-r--r--tests/client/torture_auth.c98
-rw-r--r--tests/keys/id_ecdsa5
-rw-r--r--tests/keys/id_ecdsa.pub1
4 files changed, 107 insertions, 2 deletions
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 001f9760..3fb68738 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -111,9 +111,14 @@ if (CLIENT_TESTING)
# Give bob some keys
file(COPY keys/id_rsa DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/home/bob/.ssh/ FILE_PERMISSIONS OWNER_READ OWNER_WRITE)
file(COPY keys/id_rsa.pub DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/home/bob/.ssh/ FILE_PERMISSIONS OWNER_READ OWNER_WRITE)
+ file(COPY keys/id_ecdsa DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/home/bob/.ssh/ FILE_PERMISSIONS OWNER_READ OWNER_WRITE)
+ file(COPY keys/id_ecdsa.pub DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/home/bob/.ssh/ FILE_PERMISSIONS OWNER_READ OWNER_WRITE)
# Allow to auth with bob his public keys on alice account
configure_file(keys/id_rsa.pub ${CMAKE_CURRENT_BINARY_DIR}/home/alice/.ssh/authorized_keys @ONLY)
+ # append ECDSA public key
+ file(READ keys/id_ecdsa.pub CONTENTS)
+ file(APPEND ${CMAKE_CURRENT_BINARY_DIR}/home/alice/.ssh/authorized_keys "${CONTENTS}")
# Copy the signed key to an alternative directory in bob's homedir.
file(COPY keys/certauth/id_rsa DESTINATION ${CMAKE_CURRENT_BINARY_DIR}/home/bob/.ssh_cert/ FILE_PERMISSIONS OWNER_READ OWNER_WRITE)
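Review bot: The `file(APPEND ...)` of the ECDSA key writes `"${CONTENTS}"` directly after whatever `configure_file()` produced from `keys/id_rsa.pub`, so if that file does not end in a newline (not visible here) both keys end up on one `authorized_keys` line and the ECDSA entry is never matched. Appending with a leading separator, `file(APPEND ${CMAKE_CURRENT_BINARY_DIR}/home/alice/.ssh/authorized_keys "\n${CONTENTS}")`, removes that dependency; a blank line in `authorized_keys` should be ignored by the server. The enclosing `if (CLIENT_TESTING)` block starts and ends outside this hunk.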
diff --git a/tests/client/torture_auth.c b/tests/client/torture_auth.c
index eed29a00..df7f2714 100644
--- a/tests/client/torture_auth.c
+++ b/tests/client/torture_auth.c
@@ -547,7 +547,8 @@ static void torture_auth_agent_cert_nonblocking(void **state) {
torture_auth_agent_nonblocking(state);
}
-static void torture_auth_pubkey_types(void **state) {
+static void torture_auth_pubkey_types(void **state)
+{
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
int rc;
@@ -583,7 +584,46 @@ static void torture_auth_pubkey_types(void **state) {
assert_int_equal(rc, SSH_AUTH_SUCCESS);
}
-static void torture_auth_pubkey_types_nonblocking(void **state) {
+static void torture_auth_pubkey_types_ecdsa(void **state)
+{
+ struct torture_state *s = *state;
+ ssh_session session = s->ssh.session;
+ int rc;
+
+ rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
+ assert_ssh_return_code(session, rc);
+
+ rc = ssh_connect(session);
+ assert_ssh_return_code(session, rc);
+
+ rc = ssh_userauth_none(session,NULL);
+ /* This request should return a SSH_REQUEST_DENIED error */
+ if (rc == SSH_ERROR) {
+ assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
+ }
+ rc = ssh_userauth_list(session, NULL);
+ assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
+
+ /* We have only the 256b key -- whitelisting only larger should fail */
+ rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+ "ecdsa-sha2-nistp384");
+ assert_ssh_return_code(session, rc);
+
+ rc = ssh_userauth_publickey_auto(session, NULL, NULL);
+ assert_int_equal(rc, SSH_AUTH_DENIED);
+
+ /* Verify we can use also ECDSA keys with their various names */
+ rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+ "ecdsa-sha2-nistp256");
+ assert_ssh_return_code(session, rc);
+
+ rc = ssh_userauth_publickey_auto(session, NULL, NULL);
+ assert_int_equal(rc, SSH_AUTH_SUCCESS);
+
+}
+
+static void torture_auth_pubkey_types_nonblocking(void **state)
+{
struct torture_state *s = *state;
ssh_session session = s->ssh.session;
int rc;
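Review bot: The result of `ssh_userauth_none()` in `torture_auth_pubkey_types_ecdsa` is inspected only when it equals `SSH_ERROR`, so an unexpected `SSH_AUTH_SUCCESS` would go unnoticed at that step and the accepted-types checks that follow would run on a session whose state the test never pinned down. I would assert the outcome directly with `assert_int_not_equal(rc, SSH_AUTH_SUCCESS);` before the `SSH_ERROR` branch, and use `assert_int_equal(ssh_get_error_code(session), SSH_REQUEST_DENIED);` inside it, as the non-blocking variant does, so a failure prints both values. The same gap is in `torture_auth_pubkey_types_ecdsa_nonblocking` in the next hunk. The tail of this hunk is the start of `torture_auth_pubkey_types_nonblocking`, whose body continues outside it.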
@@ -626,6 +666,54 @@ static void torture_auth_pubkey_types_nonblocking(void **state) {
rc = ssh_userauth_publickey_auto(session, NULL, NULL);
} while (rc == SSH_AUTH_AGAIN);
assert_int_equal(rc, SSH_AUTH_SUCCESS);
+
+}
+
+static void torture_auth_pubkey_types_ecdsa_nonblocking(void **state)
+{
+ struct torture_state *s = *state;
+ ssh_session session = s->ssh.session;
+ int rc;
+
+ rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
+ assert_ssh_return_code(session, rc);
+
+ rc = ssh_connect(session);
+ assert_ssh_return_code(session, rc);
+
+ ssh_set_blocking(session,0);
+ do {
+ rc = ssh_userauth_none(session, NULL);
+ } while (rc == SSH_AUTH_AGAIN);
+
+ /* This request should return a SSH_REQUEST_DENIED error */
+ if (rc == SSH_ERROR) {
+ assert_int_equal(ssh_get_error_code(session), SSH_REQUEST_DENIED);
+ }
+
+ rc = ssh_userauth_list(session, NULL);
+ assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
+
+ /* We have only the 256b key -- whitelisting only larger should fail */
+ rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+ "ecdsa-sha2-nistp384");
+ assert_ssh_return_code(session, rc);
+
+ do {
+ rc = ssh_userauth_publickey_auto(session, NULL, NULL);
+ } while (rc == SSH_AUTH_AGAIN);
+ assert_int_equal(rc, SSH_AUTH_DENIED);
+
+ /* Verify we can use also ECDSA keys with their various names */
+ rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+ "ecdsa-sha2-nistp256");
+ assert_ssh_return_code(session, rc);
+
+ do {
+ rc = ssh_userauth_publickey_auto(session, NULL, NULL);
+ } while (rc == SSH_AUTH_AGAIN);
+ assert_int_equal(rc, SSH_AUTH_SUCCESS);
+
}
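Review bot: The comment `/* Verify we can use also ECDSA keys with their various names */` does not match the code below it, which allows exactly one name, `"ecdsa-sha2-nistp256"`; it looks carried over from the RSA test. Something like `/* The 256b key matches the allowed type, so authentication should succeed */` would describe the step, and the same comment appears in `torture_auth_pubkey_types_ecdsa` in the previous hunk. Separately, the `SSH_AUTH_DENIED` assertion after restricting to `"ecdsa-sha2-nistp384"` would also pass if the key were rejected for an unrelated reason, so only the later success with nistp256 shows the key itself is usable; the comment on the negative step could say that. This hunk opens inside `torture_auth_pubkey_types_nonblocking`, which starts outside it.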
@@ -677,6 +765,12 @@ int torture_run_tests(void) {
cmocka_unit_test_setup_teardown(torture_auth_pubkey_types_nonblocking,
pubkey_setup,
session_teardown),
+ cmocka_unit_test_setup_teardown(torture_auth_pubkey_types_ecdsa,
+ pubkey_setup,
+ session_teardown),
+ cmocka_unit_test_setup_teardown(torture_auth_pubkey_types_ecdsa_nonblocking,
+ pubkey_setup,
+ session_teardown),
};
ssh_init();
diff --git a/tests/keys/id_ecdsa b/tests/keys/id_ecdsa
new file mode 100644
index 00000000..7a1827c6
--- /dev/null
+++ b/tests/keys/id_ecdsa
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHbL0nzpzLS3ImIlhEffbDzPlIw/tn5QcfB64PbSiBl6oAoGCCqGSM49
+AwEHoUQDQgAERzA8X8OP7C3W/e1UNLh+21xIZVBiQ7i4Qb4xoOebRWuwzitEZon/
+8Dz+VpE29krJgCagqSt5RLllOx8eS2i8fw==
+-----END EC PRIVATE KEY-----
diff --git a/tests/keys/id_ecdsa.pub b/tests/keys/id_ecdsa.pub
new file mode 100644
index 00000000..43b613bd
--- /dev/null
+++ b/tests/keys/id_ecdsa.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEcwPF/Dj+wt1v3tVDS4fttcSGVQYkO4uEG+MaDnm0VrsM4rRGaJ//A8/laRNvZKyYAmoKkreUS5ZTsfHktovH8= comment