author | Axel Eppe <aeppe@google.com> | 2016-03-04 00:11:24 +0000 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2016-03-15 08:38:13 +0100 |
commit | 252cd6eae92e19ac909a4354c42fca0f8c8b40a1 (patch) | |
tree | 0d6a1827a61ae7b9943e7ac6a04eedb5b18cd325 /tests/client | |
parent | 8fe8dbb378d1d9d7cde54dfd3aa7ff9acca77733 (diff) | |
torture_auth: Add tests for client side certificate authentication
- enabled TrustedUserCAKeys option in torture.c
- adds a new set of (signed) keys for bob in a separate dir
The private key used to generate the certs is included, but not required.
Signed-off-by: Axel Eppe <aeppe@google.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'tests/client')
-rw-r--r-- | tests/client/torture_auth.c | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/tests/client/torture_auth.c b/tests/client/torture_auth.c
index 77a3c555..8a23454e 100644
--- a/tests/client/torture_auth.c
+++ b/tests/client/torture_auth.c
@@ -147,6 +147,32 @@ static int agent_setup(void **state)
     return 0;
 }
 
+static int agent_cert_setup(void **state)
+{
+    char bob_alt_ssh_key[1024];
+    struct passwd *pwd;
+    int rc;
+
+    rc = agent_setup(state);
+    if (rc != 0) {
+        return rc;
+    }
+
+    pwd = getpwnam("bob");
+    assert_non_null(pwd);
+
+    /* remove all keys, load alternative key + cert */
+    snprintf(bob_alt_ssh_key,
+             sizeof(bob_alt_ssh_key),
+             "ssh-add -D && ssh-add %s/.ssh_cert/id_rsa",
+             pwd->pw_dir);
+
+    rc = system(bob_alt_ssh_key);
+    assert_return_code(rc, errno);
+
+    return 0;
+}
+
 static int agent_teardown(void **state)
 {
     const char *ssh_agent_pidfile;
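Review bot: `assert_return_code(rc, errno)` after `system()` in agent_cert_setup only rejects a negative return, i.e. a fork/exec failure of the shell; `system()` otherwise returns the wait status, so an `ssh-add` that exits non-zero (no agent, unreadable key or cert) yields a positive status and the setup still reports success, leaving torture_auth_agent_cert to fail later on the authentication step with a misleading message. Check the command's exit status as well, e.g. `assert_return_code(rc, errno);` followed by `assert_int_equal(WEXITSTATUS(rc), 0);`. The `snprintf` return value is also unchecked, so an overlong `pw_dir` would silently truncate the command; an `assert_true(rc < (int)sizeof(bob_alt_ssh_key))`-style check on its result keeps the failure local. The same pattern may exist in agent_setup, whose body lies outside this hunk.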
@@ -464,6 +490,69 @@ static void torture_auth_agent_nonblocking(void **state) {
     assert_int_equal(rc, SSH_AUTH_SUCCESS);
 }
 
+static void torture_auth_cert(void **state) {
+    struct torture_state *s = *state;
+    ssh_session session = s->ssh.session;
+    ssh_key privkey = NULL;
+    ssh_key cert = NULL;
+    char bob_ssh_key[1024];
+    char bob_ssh_cert[1024];
+    struct passwd *pwd;
+    int rc;
+
+    privkey = ssh_key_new();
+    assert_true(privkey != NULL);
+
+    cert = ssh_key_new();
+    assert_true(cert != NULL);
+
+    pwd = getpwnam("bob");
+    assert_non_null(pwd);
+
+    snprintf(bob_ssh_key,
+             sizeof(bob_ssh_key),
+             "%s/.ssh_cert/id_rsa",
+             pwd->pw_dir);
+    snprintf(bob_ssh_cert,
+             sizeof(bob_ssh_cert),
+             "%s-cert.pub",
+             bob_ssh_key);
+
+    /* cert has been signed for login as alice */
+    rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
+    assert_int_equal(rc, SSH_OK);
+
+    rc = ssh_connect(session);
+    assert_int_equal(rc, SSH_OK);
+
+    rc = ssh_pki_import_privkey_file(bob_ssh_key, NULL, NULL, NULL, &privkey);
+    assert_int_equal(rc, SSH_OK);
+
+    rc = ssh_pki_import_cert_file(bob_ssh_cert, &cert);
+    assert_int_equal(rc, SSH_OK);
+
+    rc = ssh_pki_copy_cert_to_privkey(cert, privkey);
+    assert_int_equal(rc, SSH_OK);
+
+    rc = ssh_userauth_try_publickey(session, NULL, cert);
+    assert_int_equal(rc, SSH_AUTH_SUCCESS);
+
+    rc = ssh_userauth_publickey(session, NULL, privkey);
+    assert_int_equal(rc, SSH_AUTH_SUCCESS);
+
+    ssh_key_free(privkey);
+    ssh_key_free(cert);
+}
+
+static void torture_auth_agent_cert(void **state) {
+    /* Setup loads a different key, tests are exactly the same. */
+    torture_auth_agent(state);
+}
+
+static void torture_auth_agent_cert_nonblocking(void **state) {
+    torture_auth_agent_nonblocking(state);
+}
+
 int torture_run_tests(void) {
     int rc;
 
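Review bot: In torture_auth_cert the keys returned by the two `ssh_key_new()` calls are never used: `ssh_pki_import_privkey_file(..., &privkey)` and `ssh_pki_import_cert_file(bob_ssh_cert, &cert)` store a freshly allocated key through the out-pointer, as the other pki import functions do, so the pre-allocated objects are overwritten and leaked. Since both locals are already initialised to NULL, drop the four lines `privkey = ssh_key_new(); assert_true(privkey != NULL); cert = ssh_key_new(); assert_true(cert != NULL);`. The test also covers only the accept path for a certificate whose principal matches `TORTURE_SSH_USER_ALICE`; a companion case that connects as a different user with the same cert and asserts `SSH_AUTH_DENIED` would confirm that the server actually enforces the certificate's principals rather than merely trusting the CA key.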
@@ -498,6 +587,15 @@ int torture_run_tests(void) {
         cmocka_unit_test_setup_teardown(torture_auth_agent_nonblocking,
                                         agent_setup,
                                         agent_teardown),
+        cmocka_unit_test_setup_teardown(torture_auth_cert,
+                                        pubkey_setup,
+                                        session_teardown),
+        cmocka_unit_test_setup_teardown(torture_auth_agent_cert,
+                                        agent_cert_setup,
+                                        agent_teardown),
+        cmocka_unit_test_setup_teardown(torture_auth_agent_cert_nonblocking,
+                                        agent_cert_setup,
+                                        agent_teardown),
     };
 
     ssh_init();