1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
|
#include "config.h"
#define LIBSSH_STATIC
#include <pwd.h>
#include <errno.h>
#include "torture.h"
#include "libssh/session.h"
#include "libssh/misc.h"
#define LIBSSH_SSH_CONFIG "libssh_config"
#define TORTURE_CONFIG_USER "test-user"
#define CIPHERS "aes256-gcm@openssh.com,chacha20-poly1305@openssh.com"
#define CIPHERS2 "aes256-cbc,aes128-ctr"
static int sshd_setup(void **state)
{
torture_setup_sshd_server(state, false);
return 0;
}
static int sshd_teardown(void **state) {
torture_teardown_sshd_server(state);
return 0;
}
static int setup_config_files(void **state)
{
struct torture_state *s = *state;
int verbosity;
struct passwd *pwd;
char *filename = NULL;
int rc;
/* Work under the bob's UID to be able to load his configuration file */
pwd = getpwnam("bob");
assert_non_null(pwd);
rc = setuid(pwd->pw_uid);
assert_return_code(rc, errno);
s->ssh.session = ssh_new();
assert_non_null(s->ssh.session);
filename = ssh_path_expand_tilde("~/.ssh/config");
torture_write_file(filename, "Ciphers "CIPHERS"\nTestBogus1\nUser "TORTURE_CONFIG_USER);
free(filename);
torture_write_file(LIBSSH_SSH_CONFIG, "Ciphers "CIPHERS2"\nTestBogus2\n");
verbosity = torture_libssh_verbosity();
ssh_options_set(s->ssh.session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
ssh_options_set(s->ssh.session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER);
return 0;
}
static int teardown(void **state)
{
struct torture_state *s = *state;
char *filename;
filename = ssh_path_expand_tilde("~/.ssh/config");
if (filename != NULL) {
if (strlen(filename) > 0) {
unlink(filename);
}
SAFE_FREE(filename);
}
unlink(LIBSSH_SSH_CONFIG);
ssh_disconnect(s->ssh.session);
ssh_free(s->ssh.session);
return 0;
}
/* This tests makes sure that parsing both system-wide and per-user
* configuration files retains OpenSSH semantics (the per-user overrides
* the system-wide values).
* This function ssh_options_parse_config() has hardcoded path to the
* system-wide configuration file so this might not test anything at all
* if this system-wide file does not overwrite this option.
*/
static void torture_client_config_system(void **state)
{
struct torture_state *s = *state;
int ret = 0;
char *fips_ciphers = NULL;
if (ssh_fips_mode()) {
fips_ciphers = ssh_keep_fips_algos(SSH_CRYPT_C_S, CIPHERS);
assert_non_null(fips_ciphers);
}
/* The first tests assumes there is system-wide configuration file
* setting Ciphers to some non-default value. We do not have any control
* of that in this test case.
*/
ret = ssh_options_parse_config(s->ssh.session, NULL);
assert_ssh_return_code(s->ssh.session, ret);
assert_non_null(s->ssh.session->opts.wanted_methods[SSH_CRYPT_C_S]);
assert_non_null(s->ssh.session->opts.wanted_methods[SSH_CRYPT_S_C]);
if (ssh_fips_mode()) {
assert_string_equal(s->ssh.session->opts.wanted_methods[SSH_CRYPT_C_S],
fips_ciphers);
assert_string_equal(s->ssh.session->opts.wanted_methods[SSH_CRYPT_S_C],
fips_ciphers);
} else {
assert_string_equal(s->ssh.session->opts.wanted_methods[SSH_CRYPT_C_S],
CIPHERS);
assert_string_equal(s->ssh.session->opts.wanted_methods[SSH_CRYPT_S_C],
CIPHERS);
}
/* Make sure the configuration was processed and user modified */
assert_string_equal(s->ssh.session->opts.username, TORTURE_CONFIG_USER);
SAFE_FREE(fips_ciphers);
}
/* This tests makes sure that parsing both system-wide and per-user
* configuration files retains OpenSSH semantics (the per-user overrides
* the system-wide values).
* The function ssh_options_parse_config() has hardcoded path to the
* system-wide configuration file so we try to emulate the behavior by parsing
* the files separately in the same order.
*/
static void torture_client_config_emulate(void **state)
{
struct torture_state *s = *state;
char *filename = NULL;
int ret = 0;
char *fips_ciphers = NULL;
if (ssh_fips_mode()) {
fips_ciphers = ssh_keep_fips_algos(SSH_CRYPT_C_S, CIPHERS);
assert_non_null(fips_ciphers);
}
/* The first tests assumes there is system-wide configuration file
* setting Ciphers to some non-default value. We do not have any control
* of that in this test case
*/
filename = ssh_path_expand_tilde("~/.ssh/config");
ret = ssh_options_parse_config(s->ssh.session, filename);
free(filename);
assert_ssh_return_code(s->ssh.session, ret);
ret = ssh_options_parse_config(s->ssh.session, LIBSSH_SSH_CONFIG);
assert_ssh_return_code(s->ssh.session, ret);
assert_non_null(s->ssh.session->opts.wanted_methods[SSH_CRYPT_C_S]);
assert_non_null(s->ssh.session->opts.wanted_methods[SSH_CRYPT_S_C]);
if (ssh_fips_mode()) {
assert_string_equal(s->ssh.session->opts.wanted_methods[SSH_CRYPT_C_S],
fips_ciphers);
assert_string_equal(s->ssh.session->opts.wanted_methods[SSH_CRYPT_S_C],
fips_ciphers);
} else {
assert_string_equal(s->ssh.session->opts.wanted_methods[SSH_CRYPT_C_S],
CIPHERS);
assert_string_equal(s->ssh.session->opts.wanted_methods[SSH_CRYPT_S_C],
CIPHERS);
}
/* Make sure the configuration was processed and user modified */
assert_string_equal(s->ssh.session->opts.username, TORTURE_CONFIG_USER);
SAFE_FREE(fips_ciphers);
}
/* This verifies that configuration files are parsed by default.
*/
static void torture_client_config_autoparse(void **state)
{
struct torture_state *s = *state;
int ret = 0;
ret = ssh_connect(s->ssh.session);
assert_ssh_return_code(s->ssh.session, ret);
/* Make sure the configuration was processed and user modified */
assert_string_equal(s->ssh.session->opts.username, TORTURE_CONFIG_USER);
}
/* This verifies that we are able to suppress parsing of the configuration files
* on connect using an option.
*/
static void torture_client_config_suppress(void **state)
{
struct torture_state *s = *state;
bool b = false;
int ret = 0;
ret = ssh_options_set(s->ssh.session, SSH_OPTIONS_PROCESS_CONFIG, &b);
assert_ssh_return_code(s->ssh.session, ret);
ret = ssh_connect(s->ssh.session);
assert_ssh_return_code(s->ssh.session, ret);
/* Make sure the configuration was not processed and user modified */
assert_string_equal(s->ssh.session->opts.username, "bob");
}
int torture_run_tests(void) {
int rc;
struct CMUnitTest tests[] = {
cmocka_unit_test_setup_teardown(torture_client_config_system,
setup_config_files,
teardown),
cmocka_unit_test_setup_teardown(torture_client_config_emulate,
setup_config_files,
teardown),
cmocka_unit_test_setup_teardown(torture_client_config_autoparse,
setup_config_files,
teardown),
cmocka_unit_test_setup_teardown(torture_client_config_suppress,
setup_config_files,
teardown),
};
ssh_init();
torture_filter_tests(tests);
rc = cmocka_run_group_tests(tests, sshd_setup, sshd_teardown);
ssh_finalize();
return rc;
}
|
