authorAxel Eppe <aeppe@google.com>2016-03-04 00:11:24 +0000
committerAndreas Schneider <asn@cryptomilk.org>2016-03-15 08:38:13 +0100
commit252cd6eae92e19ac909a4354c42fca0f8c8b40a1 (patch)
tree0d6a1827a61ae7b9943e7ac6a04eedb5b18cd325 /tests/client
parent8fe8dbb378d1d9d7cde54dfd3aa7ff9acca77733 (diff)
downloadlibssh-252cd6eae92e19ac909a4354c42fca0f8c8b40a1.tar.gz
libssh-252cd6eae92e19ac909a4354c42fca0f8c8b40a1.tar.xz
libssh-252cd6eae92e19ac909a4354c42fca0f8c8b40a1.zip
torture_auth: Add tests for client side certificate authentication
- enables the TrustedUserCAKeys option in torture.c - adds a new set of (signed) keys for bob in a separate dir. The private key used to generate the certs is included, but not required. Signed-off-by: Axel Eppe <aeppe@google.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'tests/client')
-rw-r--r--tests/client/torture_auth.c98
1 files changed, 98 insertions, 0 deletions
diff --git a/tests/client/torture_auth.c b/tests/client/torture_auth.c
index 77a3c555..8a23454e 100644
--- a/tests/client/torture_auth.c
+++ b/tests/client/torture_auth.c
@@ -147,6 +147,32 @@ static int agent_setup(void **state)
return 0;
}
+static int agent_cert_setup(void **state)
+{
+ char bob_alt_ssh_key[1024];
+ struct passwd *pwd;
+ int rc;
+
+ rc = agent_setup(state);
+ if (rc != 0) {
+ return rc;
+ }
+
+ pwd = getpwnam("bob");
+ assert_non_null(pwd);
+
+ /* remove all keys, load alternative key + cert */
+ snprintf(bob_alt_ssh_key,
+ sizeof(bob_alt_ssh_key),
+ "ssh-add -D && ssh-add %s/.ssh_cert/id_rsa",
+ pwd->pw_dir);
+
+ rc = system(bob_alt_ssh_key);
+ assert_return_code(rc, errno);
+
+ return 0;
+}
+
static int agent_teardown(void **state)
{
const char *ssh_agent_pidfile;
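Review bot: The `rc = system(bob_alt_ssh_key);` check in agent_cert_setup only catches a failure to spawn the shell, because `system()` returns a wait status and `assert_return_code(rc, errno)` rejects negative values only; an `ssh-add` that exits non-zero (missing `.ssh_cert/id_rsa`, wrong file mode, agent not reachable) comes back as a positive status and the setup proceeds with whatever keys the agent happens to hold, so the cert tests that depend on it would fail later with a misleading auth error or, worse, pass against a leftover key. Replacing the assertion with `assert_true(WIFEXITED(rc) && WEXITSTATUS(rc) == 0);` pins the intended contract. The `snprintf` into the 1024-byte `bob_alt_ssh_key` is also unchecked; `pw_dir` would have to be unusually long to truncate, but `assert_true(rc < (int)sizeof(bob_alt_ssh_key))` on the `snprintf` result is a one-line guard that keeps a truncated path from ever reaching the shell. The called `agent_setup` is outside this hunk and may share the same pattern.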
@@ -464,6 +490,69 @@ static void torture_auth_agent_nonblocking(void **state) {
assert_int_equal(rc, SSH_AUTH_SUCCESS);
}
+static void torture_auth_cert(void **state) {
+ struct torture_state *s = *state;
+ ssh_session session = s->ssh.session;
+ ssh_key privkey = NULL;
+ ssh_key cert = NULL;
+ char bob_ssh_key[1024];
+ char bob_ssh_cert[1024];
+ struct passwd *pwd;
+ int rc;
+
+ privkey = ssh_key_new();
+ assert_true(privkey != NULL);
+
+ cert = ssh_key_new();
+ assert_true(cert != NULL);
+
+ pwd = getpwnam("bob");
+ assert_non_null(pwd);
+
+ snprintf(bob_ssh_key,
+ sizeof(bob_ssh_key),
+ "%s/.ssh_cert/id_rsa",
+ pwd->pw_dir);
+ snprintf(bob_ssh_cert,
+ sizeof(bob_ssh_cert),
+ "%s-cert.pub",
+ bob_ssh_key);
+
+ /* cert has been signed for login as alice */
+ rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
+ assert_int_equal(rc, SSH_OK);
+
+ rc = ssh_connect(session);
+ assert_int_equal(rc, SSH_OK);
+
+ rc = ssh_pki_import_privkey_file(bob_ssh_key, NULL, NULL, NULL, &privkey);
+ assert_int_equal(rc, SSH_OK);
+
+ rc = ssh_pki_import_cert_file(bob_ssh_cert, &cert);
+ assert_int_equal(rc, SSH_OK);
+
+ rc = ssh_pki_copy_cert_to_privkey(cert, privkey);
+ assert_int_equal(rc, SSH_OK);
+
+ rc = ssh_userauth_try_publickey(session, NULL, cert);
+ assert_int_equal(rc, SSH_AUTH_SUCCESS);
+
+ rc = ssh_userauth_publickey(session, NULL, privkey);
+ assert_int_equal(rc, SSH_AUTH_SUCCESS);
+
+ ssh_key_free(privkey);
+ ssh_key_free(cert);
+}
+
+static void torture_auth_agent_cert(void **state) {
+ /* Setup loads a different key, tests are exactly the same. */
+ torture_auth_agent(state);
+}
+
+static void torture_auth_agent_cert_nonblocking(void **state) {
+ torture_auth_agent_nonblocking(state);
+}
+
int torture_run_tests(void) {
int rc;
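Review bot: The `privkey = ssh_key_new();` and `cert = ssh_key_new();` calls at the top of torture_auth_cert look redundant and leak: `ssh_pki_import_privkey_file()` and `ssh_pki_import_cert_file()` take `&privkey` / `&cert` as out-parameters and, as far as I recall the libssh implementation, store a freshly allocated key there, so the two pre-allocated objects are overwritten and never released (they are not visible in this hunk, so worth confirming). Since both variables are already initialised to `NULL` in their declarations, dropping the two `ssh_key_new()` / `assert_true(... != NULL)` pairs is enough. Separately, the new test only exercises the accepting path: the cert is signed for alice and the session user is set to alice, so nothing here pins that a cert presented for a principal it was not issued to is rejected; a companion case that keeps the same key/cert but leaves the user as bob and asserts `SSH_AUTH_DENIED` would actually test the TrustedUserCAKeys enforcement the commit enables rather than the key-loading plumbing. torture_run_tests starts at the end of this hunk and continues past it.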
@@ -498,6 +587,15 @@ int torture_run_tests(void) {
cmocka_unit_test_setup_teardown(torture_auth_agent_nonblocking,
agent_setup,
agent_teardown),
+ cmocka_unit_test_setup_teardown(torture_auth_cert,
+ pubkey_setup,
+ session_teardown),
+ cmocka_unit_test_setup_teardown(torture_auth_agent_cert,
+ agent_cert_setup,
+ agent_teardown),
+ cmocka_unit_test_setup_teardown(torture_auth_agent_cert_nonblocking,
+ agent_cert_setup,
+ agent_teardown),
};
ssh_init();