lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-08-08 19:02:06 +03:00
Code Activity

tests: PUBLICKEY_ACCEPTED_TYPES are effective

Browse Source 
Verify the PUBLICKEY_ACCEPTED_TYPES option is handled correctly
and affects the signature algorithm selection based on the
extensions and can be used to limit list of offered mechanisms
to the server.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Jakub Jelen
2018-08-07 11:34:30 +02:00
committed by Andreas Schneider
parent 4169be45eb
commit 594c62d718
3 changed files with 53 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
include/libssh/pki_priv.h
View File

@@ -47,6 +47,8 @@ int pki_key_ecdsa_nid_from_name(const char *name);
const char *pki_key_ecdsa_nid_to_name(int nid); const char *pki_key_ecdsa_nid_to_name(int nid);
const char *ssh_key_signature_to_char(enum ssh_keytypes_e type, const char *ssh_key_signature_to_char(enum ssh_keytypes_e type,
enum ssh_digest_e hash_type); enum ssh_digest_e hash_type);
enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
enum ssh_keytypes_e type);
/* SSH Key Functions */ /* SSH Key Functions */
ssh_key pki_key_dup(const ssh_key key, int demote); ssh_key pki_key_dup(const ssh_key key, int demote);

2
src/pki.c
View File

@@ -303,7 +303,7 @@ int ssh_key_algorithm_allowed(ssh_session session, const char *type)
* *
* @return A hash type to be used. * @return A hash type to be used.
*/ */
static enum ssh_digest_e ssh_key_type_to_hash(ssh_session session, enum ssh_digest_e ssh_key_type_to_hash(ssh_session session,
enum ssh_keytypes_e type) enum ssh_keytypes_e type)
{ {
switch (type) { switch (type) {

50
tests/unittests/torture_options.c
View File

@@ -11,6 +11,7 @@
#include "torture_key.h" #include "torture_key.h"
#include <libssh/session.h> #include <libssh/session.h>
#include <libssh/misc.h> #include <libssh/misc.h>
#include <libssh/pki_priv.h>
static int setup(void **state) static int setup(void **state)
{ {
@@ -115,6 +116,54 @@ static void torture_options_set_hostkey(void **state) {
assert_false(rc == 0); assert_false(rc == 0);
} }
static void torture_options_set_pubkey_accepted_types(void **state) {
ssh_session session = *state;
int rc;
enum ssh_digest_e type;
/* Test known public key algorithms */
rc = ssh_options_set(session,
SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
assert_true(rc == 0);
assert_string_equal(session->opts.pubkey_accepted_types,
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
/* Test one unknown public key algorithms */
rc = ssh_options_set(session,
SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
"ssh-ed25519,unknown-crap@example.com,ssh-rsa");
assert_true(rc == 0);
assert_string_equal(session->opts.pubkey_accepted_types,
"ssh-ed25519,ssh-rsa");
/* Test all unknown public key algorithms */
rc = ssh_options_set(session,
SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
"unknown-crap@example.com,more-crap@example.com");
assert_false(rc == 0);
/* Test that the option affects the algorithm selection for RSA keys */
/* simulate the SHA2 extension was negotiated */
session->extensions = SSH_EXT_SIG_RSA_SHA256;
/* previous configuration did not list the SHA2 extension algoritms, so
* it should not be used */
type = ssh_key_type_to_hash(session, SSH_KEYTYPE_RSA);
assert_int_equal(type, SSH_DIGEST_SHA1);
/* now, lets allow the signature from SHA2 extension and expect
* it to be used */
rc = ssh_options_set(session,
SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
"rsa-sha2-256,ssh-rsa");
assert_true(rc == 0);
assert_string_equal(session->opts.pubkey_accepted_types,
"rsa-sha2-256,ssh-rsa");
type = ssh_key_type_to_hash(session, SSH_KEYTYPE_RSA);
assert_int_equal(type, SSH_DIGEST_SHA256);
}
static void torture_options_set_macs(void **state) { static void torture_options_set_macs(void **state) {
ssh_session session = *state; ssh_session session = *state;
int rc; int rc;
@@ -401,6 +450,7 @@ int torture_run_tests(void) {
cmocka_unit_test_setup_teardown(torture_options_set_ciphers, setup, teardown), cmocka_unit_test_setup_teardown(torture_options_set_ciphers, setup, teardown),
cmocka_unit_test_setup_teardown(torture_options_set_key_exchange, setup, teardown), cmocka_unit_test_setup_teardown(torture_options_set_key_exchange, setup, teardown),
cmocka_unit_test_setup_teardown(torture_options_set_hostkey, setup, teardown), cmocka_unit_test_setup_teardown(torture_options_set_hostkey, setup, teardown),
cmocka_unit_test_setup_teardown(torture_options_set_pubkey_accepted_types, setup, teardown),
cmocka_unit_test_setup_teardown(torture_options_set_macs, setup, teardown), cmocka_unit_test_setup_teardown(torture_options_set_macs, setup, teardown),
cmocka_unit_test_setup_teardown(torture_options_config_host, setup, teardown) cmocka_unit_test_setup_teardown(torture_options_config_host, setup, teardown)
}; };