The previous timeout of 500 ms was not enough on slower machines or
while running the tests under valgrind. On much faster machines the
sleep() was bringing unnecessary overhead.
This method opens simple connection to the server verifying it is ready
to accept the connection from the test for 5 seconds. It the server
does not start until then, it fails the tests during initialization,
rather than leaving the cases to run against missing server.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
These frees are unnecessary because the negative tests should not
allocate the keys, but the static analyser reports memory leak errors.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This is no longer needed since libssh can read the private keys
in new OpenSSH format.
This reverts commit 100c9c98ce.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This runs the same test that are ran on the legacy PEM files
also with the new OpenSSH key files.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This extends the torture API to provide a way to request
keys in different formats. This extends the keys with
private keys in the new OpenSSH format (default since
OpenSSH 7.8).
This also needs modifications to the ed25519 tests, which
do not support PEM format and expected the new format out of the
box.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Additionally, we can already work around the privilege separation.
http://www.openssh.com/txt/release-7.5
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
OpenSSH's sshd does not work well under valgrind so lets avoid tracing it.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Since the verbosity is now set from the setup phase, we do not
need to reset the verbosity, especially not to any arbirary value
such as WARNING.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This allows adjusting the log level of config and options tests using
environment variable LIBSSH_VERBOSITY as it works in most of the other
tests.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
The match_hostname() expects comma separated list, while the Host
config keyword in openssh uses spaces separated list by default.
Therefore any subseqent match or negated match in space separated
list will overwrite the previous matches.
This also adjusts the tests to make sure both of the versions work.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This was already done in the torture_threads_pki.
Without the explicit initialization, we can observe random
failures tests (at least of the torture_threads_crypto) from
various threads.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This involves mostly creation of host keys proofs but needs
to follow the same procedure as the client authentication
signatures.
At the same time, the SHA2 extension is enabled in the pkd
so we are able to atomicaly provide correct signatures and
pass tests.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES configuration option can limit
what keys can or can not be used for public key authentication.
This is useful for disabling obsolete algorithms while not completely
removing the support for them or allows to configure what public key
algorithms will be used with the SHA2 RSA extension.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Verify the PUBLICKEY_ACCEPTED_TYPES option is handled correctly
and affects the signature algorithm selection based on the
extensions and can be used to limit list of offered mechanisms
to the server.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This introduces a new test case for RSA unit tests, verifying that
libraries are able to provide and verify the RSA signatures with
SHA2 hash algorithms.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This changes the private API by adding one more argument to function
pki_signature_from_blob()
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This is required to work against OpenSSH 7.8, which is now
writing keys in new openssh format by default
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
tests/pkd/pkd_hello.c:743:12: error: assuming signed overflow does not
occur when simplifying conditional to constant [-Werror=strict-overflow]
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Since the call is made automatically when the library is loaded, these
calls are no longer required (if the library is not linked statically).
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
When pthreads is available, run the threads tests on Windows
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Run the tests from torture_pki_rsa.c on threads. Tests requiring files
to be removed are not tested, since they would require the access to
the files to be synchronized.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
The test run crypto test on multiple threads.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
The test run buffer tests on multiple threads.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
The test runs ssh_init()/ssh_finalize() on multiple threads.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This makes unnecessary to call ssh_init() when the library is
dynamically loaded. Also removes the threads shared library. The used
threads implementation is chosen in configuration time, changing the
ssh_threads_get_default() depending on the available threads library.
Internally, it is expected a threads implementation providing:
- void ssh_mutex_lock(void **mutex);
- void ssh_mutex_unlock(void **mutex);
- struct ssh_threads_callbacks_struct *ssh_threads_get_default(void);
and a crypto implementation providing:
- int crypto_thread_init(struct ssh_threads_callbacks_struct *user_callbacks);
- void crypto_thread_finalize(void);
This adds internal threads implementation for pthreads and noop.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This adds support for the ed25519 keys in the pkd framework and adds
openssh-only tests utilizing these host keys (dropbear does not support
them yet).
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This verifies that all the supported host keys can be used and
verified by the client, including the SHA2 extension in RFC 8332.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Make the `test_data` larger so that tests do not read beyond
its length. Observed in testing with an `-fsanitize=address`
build locally.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Dropbear does not currently implement the 'chacha20-poly1305@openssh.com'
cipher, so move it into the OPENSSHONLY suite.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
That code is really ugly, but it wasn't meant to be modular at all in the
first place.
Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
If you want modelines use my vim plugin:
https://github.com/cryptomilk/git-modeline.vim
git config --add vim.modeline "ts=4 sw=4 et"
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
The `-v` is only recognized by `dbclient` when dropbear is built
in its DEBUG_TRACE mode. Omit that flag by default to avoid a
warning log emitted to stderr.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Support for the `blowfish-cbc` cipher has been removed from OpenSSH
as of version 7.6. Remove this cipher from the pkd tests so that
the tests will pass together with a modern OpenSSH client.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Emit a friendly error message for OpenSSH clients older than
7.0. Some of the recent pkd changes now require a modern
client to support some newer config options.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
As of OpenSSH 6.9, support for `ssh-dss` user keys is disabled by default
at runtime. Specify an explicit `-o PubkeyAcceptedKeyTYpes` in the pkd
tests to explicitly enable each user key type being tested, including
`ssh-dss`.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
As of OpenSSH 6.9, support for `ssh-dss` host keys is disabled by default
at runtime. Specify an explicit `-o HostKeyAlgorithms` in the pkd tests
to explicitly enable each host key type being tested, including `ssh-dss`.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Use the socket_wrapper preload shim when running the `pkd_hello`
test with `make test`. The end goal here is to get this test
running alongside normal tests in regular CI. Changes to do
this:
* Configure PKD_ENVIRONMENT for the `pkd_hello_i1` test in the
CMakeLists.txt file.
* Add a `--socket-wrapper-dir|-w` flag that is used to opt-in to
initializing a SOCKET_WRAPPER_DIR as expected by the socket_wrapper
library.
A runtime flag is used here to make it easy to run `pkd_hello`
with the socket_wrapper library while avoiding a hard dependency.
Testing done: observed socker_wrapper in effect with `strace`;
running `make test` uses the wrapper correctly on my local
machine.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Add an entry for a `pkd_hello_i1` test which runs one iteration
through each of the pkd algorithm combinations.
Testing done: now `make test` will run `pkd_hello -i1` which
completes in ~25 seconds on my local machine.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Ensure to include config.h so that the `HAVE_DSA` value is properly set
when building the pkd tests.
Introduced with 778652460f,
Testing done: with this change, the `pkd_hello` test is passing on an
OpenSSL 1.1.0 build for me. Previously it would fail pubkey exchange
early on for DSA- and ECDSA-type host keys.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Wrap some function definitions with `HAVE_LIBCRYPTO` ifdefs to
match their usages in `torture_run_tests`.
Fixes this warning I observe when building locally:
torture_pki_ecdsa.c:341:13: warning:
‘torture_pki_ecdsa_write_privkey’ defined but not used
[-Wunused-function]
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This allows operating under environments where the username variables
are not present.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Fix OSX build error about embedding a directive within macro arguments.
Apparently, snprintf is implemented as a macro on that platform.
Signed-off-by: Alberto Aguirre <albaguirre@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
torture_rand and torture_server_x11 call ssh_init without checking
the return value. If mbedTLS is built without threading support
ssh_init fails but the tests continue and then segfault since threading
wasn't correctly initialised.
Add a section that documents requirements for mbedTLS usage in a
multi threaded environment to README.mbedtls.
Signed-off-by: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
We need to specify a cipher when we generate a key with a password.
OpenSSH uses aes_128_cbc, so we should use the same.
Thanks to Julian Lunz for the report.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Summary:
This patch adds support for mbedTLS as a crypto backend for libssh.
mbedTLS is an SSL/TLS library that has been designed to mainly be used
in embedded systems. It is loosely coupled and has a low memory
footprint. mbedTLS also provides a cryptography library (libmbedcrypto)
that can be used without the TLS modules.
The patch is unfortunately quite big, since several new files had to
be added.
DSA is disabled at compile time, since mbedTLS doesn't support DSA
Patch review and feedback would be appreciated, and if any issues or
suggestions appear, I'm willing to work on them.
Signed-off-by: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>
Test Plan:
* The patch has been tested with a Debug and MinSizeRel build, with
libssh unit tests, client tests and the pkd tests.
* All the tests have been run with valgrind's memcheck, drd and helgrind
tools.
* The examples/samplessh client works when built with the patch.
Reviewers: asn, aris
Subscribers: simonsj
Differential Revision: https://bugs.libssh.org/D1
Pair-Programmed-With: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
pcap file is generated by the processes writing to the sockets,
which is not allowed for privilege-separated process in new
OpenSSH servers (confined by seccomp filter).
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
There's a race window between the accept loop's call to
accept(2) and it checking `ctx.keep_going`. Forcefully
close the server socket such that any raced `accept` ends
up failing.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Sometimes, but not always, the pkd tests will fail because they
close the socket at hand a bit too early for the client. The
client in turn may exit non-zero when that happens.
Split up the final close loop so that pkd waits to receive a
channel close from the client, and then socket close, before
finally returning.
With this change I observe that tests are now passing in
environments that would previously tickle the above race
and fail.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Fix a memory leak in the path where parsing returns early due
to seeing a repeated opcode. A testcase is added which
demonstrates the leak and fix with valgrind.
Resolves CID 1374267.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Summary:
Based on Dirkjan's original patch series here:
* https://www.libssh.org/archive/libssh/2015-08/0000029.html
Here the changes are adapted for the current master
branch, and expanded to include libgcrypt support.
Co-Authored-By: Dirkjan Bussink <d.bussink@gmail.com>
Signed-off-by: Jon Simons <jon@jonsimons.org>
Test Plan:
* Ran pkd tests for libcrypto and libgcrypt builds.
* Ran client torture_algorithms.c tests for libcrypto and libgcrypt builds.
* Tested across multiple libgcrypts ("1.6.3" and "1.7.6-beta").
Reviewers: aris, asn
Reviewed By: asn
Tags: #libssh
Differential Revision: https://bugs.libssh.org/D7
Summary:
Based on Dirkjan's original patch series here:
* https://www.libssh.org/archive/libssh/2015-08/0000029.html
Here the changes are adapted for the current master
branch, and expanded to include libgcrypt support.
Co-Authored-By: Dirkjan Bussink <d.bussink@gmail.com>
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Test Plan:
* Ran pkd tests for libcrypto and libgcrypt builds.
* Ran client torture_algorithms.c tests for libcrypto and libgcrypt builds.
* Tested across multiple libgcrypts ("1.6.3" and "1.7.6-beta").
Reviewers: aris, asn
Tags: #libssh
Differential Revision: https://bugs.libssh.org/D7
Summary:
Hello, this is a resend for a quick memory leak fix for one of the unit
tests, originally sent to the mailing list here:
* https://www.libssh.org/archive/libssh/2017-07/0000017.html
Test Plan:
* Before the fix and running the test with valgrind:
```
[simonsj@simonsj-lx5 : unittests] valgrind --leak-check=full ./torture_options >/dev/null
==93134== Memcheck, a memory error detector
==93134== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==93134== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==93134== Command: ./torture_options
==93134==
[ PASSED ] 10 test(s).
[ PASSED ] 1 test(s).
==93134==
==93134== HEAP SUMMARY:
==93134== in use at exit: 80 bytes in 1 blocks
==93134== total heap usage: 977 allocs, 976 frees, 75,029 bytes allocated
==93134==
==93134== 80 bytes in 1 blocks are definitely lost in loss record 1 of 1
==93134== at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==93134== by 0x41BAB0: ssh_key_new (pki.c:107)
==93134== by 0x40DF90: torture_bind_options_import_key (torture_options.c:222)
==93134== by 0x4E3AA3A: cmocka_run_one_test_or_fixture (cmocka.c:2304)
==93134== by 0x4E3ACEA: cmocka_run_one_tests (cmocka.c:2412)
==93134== by 0x4E3B036: _cmocka_run_group_tests (cmocka.c:2517)
==93134== by 0x40E9E3: torture_run_tests (torture_options.c:276)
==93134== by 0x40DE68: main (torture.c:1100)
==93134==
==93134== LEAK SUMMARY:
==93134== definitely lost: 80 bytes in 1 blocks
==93134== indirectly lost: 0 bytes in 0 blocks
==93134== possibly lost: 0 bytes in 0 blocks
==93134== still reachable: 0 bytes in 0 blocks
==93134== suppressed: 0 bytes in 0 blocks
==93134==
==93134== For counts of detected and suppressed errors, rerun with: -v
==93134== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```
* And after:
```
[simonsj@simonsj-lx5 : unittests] valgrind --leak-check=full ./torture_options >/dev/null
==93294== Memcheck, a memory error detector
==93294== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==93294== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==93294== Command: ./torture_options
==93294==
[ PASSED ] 10 test(s).
[ PASSED ] 1 test(s).
==93294==
==93294== HEAP SUMMARY:
==93294== in use at exit: 0 bytes in 0 blocks
==93294== total heap usage: 977 allocs, 977 frees, 75,029 bytes allocated
==93294==
==93294== All heap blocks were freed -- no leaks are possible
==93294==
==93294== For counts of detected and suppressed errors, rerun with: -v
==93294== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
```
Reviewers: asn
Reviewed By: asn
Differential Revision: https://bugs.libssh.org/D3
Summary:
Hello, resending this patch series for the `pkd` tests, originally
sent to the mailing list here:
* https://www.libssh.org/archive/libssh/2017-07/0000011.html
Here are a few improvements and fixups for the `pkd` tests, including
a new flag `-m` that can be used to run only certain subsets of the
test passes.
Jon Simons (5):
pkd: rename AES192 cipher suite -> OPENSSHONLY
pkd_daemon.c: mark `pkd_ready` field as volatile
pkd: fixups for updated CMocka CMUnitTest struct
pkd: refactor -t testname lookup-by-name
pkd: support -m to match multiple tests
tests/pkd/pkd_daemon.c | 2 +-
tests/pkd/pkd_daemon.h | 1 +
tests/pkd/pkd_hello.c | 84 +++++++++++++++++++++++++++++++++-----------------
3 files changed, 58 insertions(+), 29 deletions(-)
--
Test Plan:
* I've been using the new `-m` mode locally for a long time to run
only certain groups of tests.
* The CMocka struct fixes can be seen in the pkd output before and
after: after, there are no more extraneous test output strings.
* The fix for the `pkd_ready` field can be observed when building
the libssh tests with `-Os` on a Debian system (before the fix,
pkd would hang, after the fix, it runs as intended).
Reviewers: asn
Reviewed By: asn
Tags: #libssh
Differential Revision: https://bugs.libssh.org/D2
Relax the cases where `ssh_analyze_banner` fails to extract a
major and minor version from banners which appear like OpenSSH
banners.
Update the tests to demonstrate that now a banner as might be
sent by `ssh-keyscan(1)` ("SSH-2.0-OpenSSH-keyscan") no longer
returns failure.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Fix error-checking for `strtoul` in `ssh_analyze_banner`, and
enable some tests which demonstrate the fix before-and-after.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This sets the bind private key directly from an ssh_key struct instead
of reading a file.
Signed-off-by: Alfredo Mazzinghi <am2419@cl.cam.ac.uk>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
* tests/torture.c (torture_setup_create_sshd_config): Rework how the
location of the sftp server is discovered, and add the Debian-specific
location.
Signed-off-by: Justus Winter <justus@g10code.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
- enabled TrustedUserCAKeys option in torture.c
- adds a new set of (signed) keys for bob in a separate dir
The private key used to generate the certs is included, but not required.
Signed-off-by: Axel Eppe <aeppe@google.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
ssh-agent needs to be executed as the local user and not a fake user or
we will not be able to add identies.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
As ssh_buffer_get_len() actually calls ssh_buffer_get_rest_len(), let's
just use the first one. This is a preparatory step for removing
ssh_buffer_get_rest_len().
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
/home/ffidenci/src/upstream/libssh/tests/benchmarks/bench_scp.c: In
function ‘benchmarks_scp_down’:
/home/ffidenci/src/upstream/libssh/tests/benchmarks/bench_scp.c:112:14:
warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has
type ‘size_t {aka long unsigned int}’ [-Wformat=]
printf("Only %d bytes available (on %lu requested).\n",size,bytes);
^
/home/ffidenci/src/upstream/libssh/tests/benchmarks/bench_scp.c:116:14:
warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has
type ‘size_t {aka long unsigned int}’ [-Wformat=]
printf("File is %d bytes (on %lu requested). Will cut the end\n"
,size,bytes);
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Having "ssh_" prefix in the functions' name will avoid possible clashes
when compiling libssh statically.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Having "ssh_" prefix in the functions' name will avoid possible clashes
when compiling libssh statically.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Option can be used to filter out irrelevant tests
usage: ./torture_pki '*ed25519'
Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
torture_server_x11 tests whether a libssh server can correctly parse an
X11 request.
Signed-off-by: Alan Dunn <amdunn@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Add the ability to generate a keypair (RSA, but tests that focus on
what occurs over a connection may well not care) and an ssh_bind
easily.
Signed-off-by: Alan Dunn <amdunn@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Fix a build breakage when '-DWITH_SERVER=OFF' is set: skip building the
pkd test for that case. Add some missing includes for the OpenIndiana
and FreeBSD builds.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Introduce a sample public-key testing daemon to the 'pkd' test directory,
and add support code for cycling through various combinations of different
key exchange, cipher, and MAC algorithms.
The goal of the 'pkd_hello' test is to make it easy to test interactions
between non-libssh clients and a libssh-server, and to provide a starting
point for testing new implementations for key types, ciphers, MACs, and
so on. The thinking is that testing a new algorithm should be as simple
as adding a new line for it in the PKDTESTS_* lists.
Macros are used to generate the tests and helper functions for a couple of
clients -- here, OpenSSH and dropbear are included for the first cut. If
binaries are found for these clients, their test lists will be enabled;
when binaries are not found for a given client, those tests are skipped.
Tests are run in one large batch by default, but can also be run individually
to help with tracking down things like signature bugs that may take many
iterations to reproduce.
Each test logs its stdout and stderr to its own file, which is cleaned up
when a test succeeds. For failures, those logs can be combined with verbose
libssh output from pkd itself to start debugging things.
Some example usages:
pkd_hello
Run all tests with default number of iterations.
pkd_hello --list
List available individual test names.
pkd_hello -i 1000 -t torture_pkd_openssh_ecdsa_256_ecdh_sha2_nistp256
Run only the torture_pkd_openssh_ecdsa_256_ecdh_sha2_nistp256
testcase 1000 times.
pkd_hello -v -v -v -v -e -o
Run all tests with maximum libssh and pkd logging.
Included in the tests are passes for all existing kex, cipher, and MAC
algorithms.
BUG: https://red.libssh.org/issues/144
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
ssh-keygen makes the tests very slow because new keys are generated
at the start of every test.
ssh-keygen on OSX doesn't support ecdsa keys, even if libcrypto does.
Reviewed-by: Andreas Schneider <asn@samba.org>
Enable retrieving the "ecdsa-sha2-nistpNNN" name of ECDSA keys with a
new 'ssh_pki_key_ecdsa_name' API. This gives more information than the
'ssh_key_type_to_char' API, which yields "ssh-ecdsa" for ECDSA keys.
The motivation is that this info is useful to have in a server context.
The torture_pki unit test is updated to include the new API, and a few
more passes are added to additionally test 384 and 521-bit keys.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
