From c2077ab7752c9d1fa149d7b5337d9e4aaeb96188 Mon Sep 17 00:00:00 2001 From: Jon Simons Date: Mon, 4 Feb 2019 17:39:36 -0500 Subject: tests/pkd: repro rsa-sha2-{256,512} negotiation bug Add four passes to the pkd tests to exercise codepaths where an OpenSSH client requests these HostKeyAlgorithms combinations: * rsa-sha2-256 * rsa-sha2-512 * rsa-sha2-256,rsa-sha2-512 * rsa-sha2-512,rsa-sha2-256 The tests demonstrate that the third combination currently fails: libssh ends up choosing `rsa-sha2-512` instead of `rsa-sha2-256`, and the initial exchange fails on the client side citing a signature failure. Signed-off-by: Jon Simons Reviewed-by: Jakub Jelen Reviewed-by: Andreas Schneider --- tests/pkd/pkd_client.h | 15 +++++++++------ tests/pkd/pkd_hello.c | 8 ++++++++ 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/tests/pkd/pkd_client.h b/tests/pkd/pkd_client.h index 4d01a607..783d4886 100644 --- a/tests/pkd/pkd_client.h +++ b/tests/pkd/pkd_client.h @@ -46,12 +46,12 @@ OPENSSH_PKACCEPTED_ECDSA \ OPENSSH_PKACCEPTED_DSA -#define OPENSSH_CMD_START \ +#define OPENSSH_CMD_START(hostkey_algos) \ OPENSSH_BINARY " " \ "-o UserKnownHostsFile=/dev/null " \ "-o StrictHostKeyChecking=no " \ "-F /dev/null " \ - OPENSSH_HOSTKEY_ALGOS " " \ + hostkey_algos " " \ OPENSSH_PKACCEPTED_TYPES " " \ "-i " CLIENT_ID_FILE " " \ "1> %s.out " \ @@ -61,16 +61,19 @@ #define OPENSSH_CMD_END "-p 1234 localhost ls" #define OPENSSH_CMD \ - OPENSSH_CMD_START OPENSSH_CMD_END + OPENSSH_CMD_START(OPENSSH_HOSTKEY_ALGOS) OPENSSH_CMD_END #define OPENSSH_KEX_CMD(kexalgo) \ - OPENSSH_CMD_START "-o KexAlgorithms=" kexalgo " " OPENSSH_CMD_END + OPENSSH_CMD_START(OPENSSH_HOSTKEY_ALGOS) "-o KexAlgorithms=" kexalgo " " OPENSSH_CMD_END #define OPENSSH_CIPHER_CMD(ciphers) \ - OPENSSH_CMD_START "-c " ciphers " " OPENSSH_CMD_END + OPENSSH_CMD_START(OPENSSH_HOSTKEY_ALGOS) "-c " ciphers " " OPENSSH_CMD_END #define OPENSSH_MAC_CMD(macs) \ - OPENSSH_CMD_START "-o MACs=" macs " " OPENSSH_CMD_END + OPENSSH_CMD_START(OPENSSH_HOSTKEY_ALGOS) "-o MACs=" macs " " OPENSSH_CMD_END + +#define OPENSSH_HOSTKEY_CMD(hostkeyalgo) \ + OPENSSH_CMD_START("-o HostKeyAlgorithms=" hostkeyalgo " ") OPENSSH_CMD_END /* Dropbear */ diff --git a/tests/pkd/pkd_hello.c b/tests/pkd/pkd_hello.c index 9c739701..c68c4dcd 100644 --- a/tests/pkd/pkd_hello.c +++ b/tests/pkd/pkd_hello.c @@ -516,6 +516,12 @@ static int torture_pkd_setup_ecdsa_521(void **state) { f(client, ecdsa_521_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ecdsa_521, teardown) #endif +#define PKDTESTS_HOSTKEY_OPENSSHONLY(f, client, hkcmd) \ + f(client, rsa_sha2_256, hkcmd("rsa-sha2-256"), setup_rsa, teardown) \ + f(client, rsa_sha2_512, hkcmd("rsa-sha2-512"), setup_rsa, teardown) \ + f(client, rsa_sha2_256_512, hkcmd("rsa-sha2-256,rsa-sha2-512"), setup_rsa, teardown) \ + f(client, rsa_sha2_512_256, hkcmd("rsa-sha2-512,rsa-sha2-256"), setup_rsa, teardown) + static void torture_pkd_client_noop(void **state) { struct pkd_state *pstate = (struct pkd_state *) (*state); (void) pstate; @@ -583,6 +589,7 @@ PKDTESTS_CIPHER(emit_keytest, openssh_rsa, OPENSSH_CIPHER_CMD) PKDTESTS_CIPHER_OPENSSHONLY(emit_keytest, openssh_rsa, OPENSSH_CIPHER_CMD) PKDTESTS_MAC(emit_keytest, openssh_rsa, OPENSSH_MAC_CMD) PKDTESTS_MAC_OPENSSHONLY(emit_keytest, openssh_rsa, OPENSSH_MAC_CMD) +PKDTESTS_HOSTKEY_OPENSSHONLY(emit_keytest, openssh_rsa, OPENSSH_HOSTKEY_CMD) #undef CLIENT_ID_FILE #define CLIENT_ID_FILE OPENSSH_ECDSA256_TESTKEY @@ -659,6 +666,7 @@ struct { PKDTESTS_CIPHER_OPENSSHONLY(emit_testmap, openssh_rsa, OPENSSH_CIPHER_CMD) PKDTESTS_MAC(emit_testmap, openssh_rsa, OPENSSH_MAC_CMD) PKDTESTS_MAC_OPENSSHONLY(emit_testmap, openssh_rsa, OPENSSH_MAC_CMD) + PKDTESTS_HOSTKEY_OPENSSHONLY(emit_testmap, openssh_rsa, OPENSSH_HOSTKEY_CMD) PKDTESTS_DEFAULT(emit_testmap, openssh_e256, OPENSSH_CMD) PKDTESTS_DEFAULT_OPENSSHONLY(emit_testmap, openssh_e256, OPENSSH_CMD) -- cgit v1.2.3