From 5fe81e89fb0ce68cef0846a265900d3331396ae6 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Mon, 2 Jul 2018 16:49:04 +0200
Subject: [PATCH] tests: Verify the public key algorithms can be limited by configuration option

SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES configuration option can limit what keys can or can not be used for public key authentication. This is useful for disabling obsolete algorithms while not completely removing the support for them or allows to configure what public key algorithms will be used with the SHA2 RSA extension.

Signed-off-by: Jakub Jelen
Reviewed-by: Andreas Schneider
---
 tests/client/torture_auth.c | 87 +++++++++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)

diff --git a/tests/client/torture_auth.c b/tests/client/torture_auth.c
index 7c436711..eed29a00 100644
--- a/tests/client/torture_auth.c
+++ b/tests/client/torture_auth.c
@@ -547,6 +547,87 @@ static void torture_auth_agent_cert_nonblocking(void **state) {
     torture_auth_agent_nonblocking(state);
 }
 
+static void torture_auth_pubkey_types(void **state) {
+    struct torture_state *s = *state;
+    ssh_session session = s->ssh.session;
+    int rc;
+
+    rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
+    assert_ssh_return_code(session, rc);
+
+    rc = ssh_connect(session);
+    assert_ssh_return_code(session, rc);
+
+    rc = ssh_userauth_none(session,NULL);
+    /* This request should return a SSH_REQUEST_DENIED error */
+    if (rc == SSH_ERROR) {
+        assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
+    }
+    rc = ssh_userauth_list(session, NULL);
+    assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
+
+    /* Disable RSA key types for authentication */
+    rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+                         "ssh-dss");
+    assert_ssh_return_code(session, rc);
+
+    rc = ssh_userauth_publickey_auto(session, NULL, NULL);
+    assert_int_equal(rc, SSH_AUTH_DENIED);
+
+    /* Now enable it and retry */
+    rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+                         "rsa-sha2-512,ssh-rsa");
+    assert_ssh_return_code(session, rc);
+
+    rc = ssh_userauth_publickey_auto(session, NULL, NULL);
+    assert_int_equal(rc, SSH_AUTH_SUCCESS);
+}
+
+static void torture_auth_pubkey_types_nonblocking(void **state) {
+    struct torture_state *s = *state;
+    ssh_session session = s->ssh.session;
+    int rc;
+
+    rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
+    assert_ssh_return_code(session, rc);
+
+    rc = ssh_connect(session);
+    assert_ssh_return_code(session, rc);
+
+    ssh_set_blocking(session,0);
+    do {
+        rc = ssh_userauth_none(session, NULL);
+    } while (rc == SSH_AUTH_AGAIN);
+
+    /* This request should return a SSH_REQUEST_DENIED error */
+    if (rc == SSH_ERROR) {
+        assert_int_equal(ssh_get_error_code(session), SSH_REQUEST_DENIED);
+    }
+
+    rc = ssh_userauth_list(session, NULL);
+    assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
+
+    /* Disable RSA key types for authentication */
+    rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+                         "ssh-dss");
+    assert_ssh_return_code(session, rc);
+
+    do {
+        rc = ssh_userauth_publickey_auto(session, NULL, NULL);
+    } while (rc == SSH_AUTH_AGAIN);
+    assert_int_equal(rc, SSH_AUTH_DENIED);
+
+    /* Now enable it and retry */
+    rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+                         "rsa-sha2-512,ssh-rsa");
+    assert_ssh_return_code(session, rc);
+
+    do {
+        rc = ssh_userauth_publickey_auto(session, NULL, NULL);
+    } while (rc == SSH_AUTH_AGAIN);
+    assert_int_equal(rc, SSH_AUTH_SUCCESS);
+}
+
 int torture_run_tests(void) {
     int rc;
 
@@ -590,6 +671,12 @@ int torture_run_tests(void) {
         cmocka_unit_test_setup_teardown(torture_auth_agent_cert_nonblocking,
                                         agent_cert_setup,
                                         agent_teardown),
+        cmocka_unit_test_setup_teardown(torture_auth_pubkey_types,
+                                        pubkey_setup,
+                                        session_teardown),
+        cmocka_unit_test_setup_teardown(torture_auth_pubkey_types_nonblocking,
+                                        pubkey_setup,
+                                        session_teardown),
     };
 
     ssh_init();
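Review bot: The positive case that sets `"rsa-sha2-512,ssh-rsa"` in torture_auth_pubkey_types only asserts SSH_AUTH_SUCCESS, so it cannot tell whether the rsa-sha2-512 path or the legacy SHA-1 ssh-rsa path produced the accepted signature, even though the commit message says the option is meant to select the algorithm used with the SHA2 RSA extension. If the test server accepts rsa-sha2-512 (not visible here; pubkey_setup is outside the hunk), restricting the positive case to `"rsa-sha2-512");` would prove the SHA2 signing path, and a further step with `"ssh-rsa");` alone would cover the legacy fallback explicitly. The same applies to torture_auth_pubkey_types_nonblocking later in the hunk. Separately, the blocking variant's `assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);` would give a more useful failure message as `assert_int_equal(ssh_get_error_code(session), SSH_REQUEST_DENIED);`, matching the form the nonblocking variant already uses.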