diff options
author | Jon Simons <jon@jonsimons.org> | 2019-02-04 17:39:36 -0500 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2019-02-07 14:22:58 +0100 |
commit | fa6aa125a260cbd9eddbbde27d8dfadc6be9f9bc (patch) | |
tree | 976a2ba6628057adff133204b2aa687ec9b83d31 | |
parent | a4948f62127859d2395b13c58cc3ada2699d00ff (diff) | |
download | libssh-fa6aa125a260cbd9eddbbde27d8dfadc6be9f9bc.tar.gz libssh-fa6aa125a260cbd9eddbbde27d8dfadc6be9f9bc.tar.xz libssh-fa6aa125a260cbd9eddbbde27d8dfadc6be9f9bc.zip |
tests/pkd: repro rsa-sha2-{256,512} negotiation bug
Add four passes to the pkd tests to exercise codepaths where an
OpenSSH client requests these HostKeyAlgorithms combinations:
* rsa-sha2-256
* rsa-sha2-512
* rsa-sha2-256,rsa-sha2-512
* rsa-sha2-512,rsa-sha2-256
The tests demonstrate that the third combination currently fails:
libssh ends up choosing `rsa-sha2-512` instead of `rsa-sha2-256`,
and the initial exchange fails on the client side citing a signature
failure.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit c2077ab7752c9d1fa149d7b5337d9e4aaeb96188)
-rw-r--r-- | tests/pkd/pkd_client.h | 15 | ||||
-rw-r--r-- | tests/pkd/pkd_hello.c | 8 |
2 files changed, 17 insertions, 6 deletions
diff --git a/tests/pkd/pkd_client.h b/tests/pkd/pkd_client.h index 4d01a607..783d4886 100644 --- a/tests/pkd/pkd_client.h +++ b/tests/pkd/pkd_client.h @@ -46,12 +46,12 @@ OPENSSH_PKACCEPTED_ECDSA \ OPENSSH_PKACCEPTED_DSA -#define OPENSSH_CMD_START \ +#define OPENSSH_CMD_START(hostkey_algos) \ OPENSSH_BINARY " " \ "-o UserKnownHostsFile=/dev/null " \ "-o StrictHostKeyChecking=no " \ "-F /dev/null " \ - OPENSSH_HOSTKEY_ALGOS " " \ + hostkey_algos " " \ OPENSSH_PKACCEPTED_TYPES " " \ "-i " CLIENT_ID_FILE " " \ "1> %s.out " \ @@ -61,16 +61,19 @@ #define OPENSSH_CMD_END "-p 1234 localhost ls" #define OPENSSH_CMD \ - OPENSSH_CMD_START OPENSSH_CMD_END + OPENSSH_CMD_START(OPENSSH_HOSTKEY_ALGOS) OPENSSH_CMD_END #define OPENSSH_KEX_CMD(kexalgo) \ - OPENSSH_CMD_START "-o KexAlgorithms=" kexalgo " " OPENSSH_CMD_END + OPENSSH_CMD_START(OPENSSH_HOSTKEY_ALGOS) "-o KexAlgorithms=" kexalgo " " OPENSSH_CMD_END #define OPENSSH_CIPHER_CMD(ciphers) \ - OPENSSH_CMD_START "-c " ciphers " " OPENSSH_CMD_END + OPENSSH_CMD_START(OPENSSH_HOSTKEY_ALGOS) "-c " ciphers " " OPENSSH_CMD_END #define OPENSSH_MAC_CMD(macs) \ - OPENSSH_CMD_START "-o MACs=" macs " " OPENSSH_CMD_END + OPENSSH_CMD_START(OPENSSH_HOSTKEY_ALGOS) "-o MACs=" macs " " OPENSSH_CMD_END + +#define OPENSSH_HOSTKEY_CMD(hostkeyalgo) \ + OPENSSH_CMD_START("-o HostKeyAlgorithms=" hostkeyalgo " ") OPENSSH_CMD_END /* Dropbear */ diff --git a/tests/pkd/pkd_hello.c b/tests/pkd/pkd_hello.c index 3435a64f..e9a7f2ce 100644 --- a/tests/pkd/pkd_hello.c +++ b/tests/pkd/pkd_hello.c @@ -478,6 +478,12 @@ static int torture_pkd_setup_ecdsa_521(void **state) { f(client, ecdsa_521_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ecdsa_521, teardown) #endif +#define PKDTESTS_HOSTKEY_OPENSSHONLY(f, client, hkcmd) \ + f(client, rsa_sha2_256, hkcmd("rsa-sha2-256"), setup_rsa, teardown) \ + f(client, rsa_sha2_512, hkcmd("rsa-sha2-512"), setup_rsa, teardown) \ + f(client, rsa_sha2_256_512, hkcmd("rsa-sha2-256,rsa-sha2-512"), setup_rsa, teardown) \ + f(client, rsa_sha2_512_256, hkcmd("rsa-sha2-512,rsa-sha2-256"), setup_rsa, teardown) + static void torture_pkd_client_noop(void **state) { struct pkd_state *pstate = (struct pkd_state *) (*state); (void) pstate; @@ -545,6 +551,7 @@ PKDTESTS_CIPHER(emit_keytest, openssh_rsa, OPENSSH_CIPHER_CMD) PKDTESTS_CIPHER_OPENSSHONLY(emit_keytest, openssh_rsa, OPENSSH_CIPHER_CMD) PKDTESTS_MAC(emit_keytest, openssh_rsa, OPENSSH_MAC_CMD) PKDTESTS_MAC_OPENSSHONLY(emit_keytest, openssh_rsa, OPENSSH_MAC_CMD) +PKDTESTS_HOSTKEY_OPENSSHONLY(emit_keytest, openssh_rsa, OPENSSH_HOSTKEY_CMD) #undef CLIENT_ID_FILE #define CLIENT_ID_FILE OPENSSH_ECDSA256_TESTKEY @@ -621,6 +628,7 @@ struct { PKDTESTS_CIPHER_OPENSSHONLY(emit_testmap, openssh_rsa, OPENSSH_CIPHER_CMD) PKDTESTS_MAC(emit_testmap, openssh_rsa, OPENSSH_MAC_CMD) PKDTESTS_MAC_OPENSSHONLY(emit_testmap, openssh_rsa, OPENSSH_MAC_CMD) + PKDTESTS_HOSTKEY_OPENSSHONLY(emit_testmap, openssh_rsa, OPENSSH_HOSTKEY_CMD) PKDTESTS_DEFAULT(emit_testmap, openssh_e256, OPENSSH_CMD) PKDTESTS_DEFAULT_OPENSSHONLY(emit_testmap, openssh_e256, OPENSSH_CMD) |