![Jakub Jelen](/assets/img/avatar_default.png)
SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES configuration option can limit what keys can or can not be used for public key authentication. This is useful for disabling obsolete algorithms while not completely removing the support for them or allows to configure what public key algorithms will be used with the SHA2 RSA extension. Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
689 строки
20 KiB
C
689 строки
20 KiB
C
/*
|
|
* This file is part of the SSH Library
|
|
*
|
|
* Copyright (c) 2010 by Aris Adamantiadis
|
|
*
|
|
* The SSH Library is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU Lesser General Public License as published by
|
|
* the Free Software Foundation; either version 2.1 of the License, or (at your
|
|
* option) any later version.
|
|
*
|
|
* The SSH Library is distributed in the hope that it will be useful, but
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
|
|
* License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public License
|
|
* along with the SSH Library; see the file COPYING. If not, write to
|
|
* the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
|
|
* MA 02111-1307, USA.
|
|
*/
|
|
|
|
#include "config.h"
|
|
|
|
#define LIBSSH_STATIC
|
|
|
|
#include "torture.h"
|
|
#include "libssh/libssh.h"
|
|
#include "libssh/priv.h"
|
|
#include "libssh/session.h"
|
|
|
|
#include <errno.h>
|
|
#include <sys/types.h>
|
|
#include <pwd.h>
|
|
|
|
/* agent_is_running */
|
|
#include "agent.c"
|
|
|
|
static int sshd_setup(void **state)
|
|
{
|
|
torture_setup_sshd_server(state);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int sshd_teardown(void **state) {
|
|
torture_teardown_sshd_server(state);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int session_setup(void **state)
|
|
{
|
|
struct torture_state *s = *state;
|
|
int verbosity = torture_libssh_verbosity();
|
|
|
|
s->ssh.session = ssh_new();
|
|
assert_non_null(s->ssh.session);
|
|
|
|
ssh_options_set(s->ssh.session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
|
|
ssh_options_set(s->ssh.session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int session_teardown(void **state)
|
|
{
|
|
struct torture_state *s = *state;
|
|
|
|
ssh_disconnect(s->ssh.session);
|
|
ssh_free(s->ssh.session);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int pubkey_setup(void **state)
|
|
{
|
|
int rc;
|
|
struct passwd *pwd;
|
|
|
|
rc = session_setup(state);
|
|
if (rc != 0) {
|
|
return rc;
|
|
}
|
|
|
|
pwd = getpwnam("bob");
|
|
assert_non_null(pwd);
|
|
|
|
rc = setuid(pwd->pw_uid);
|
|
assert_return_code(rc, errno);
|
|
|
|
/* Make sure we do not interfere with another ssh-agent */
|
|
unsetenv("SSH_AUTH_SOCK");
|
|
unsetenv("SSH_AGENT_PID");
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int agent_setup(void **state)
|
|
{
|
|
struct torture_state *s = *state;
|
|
char ssh_agent_cmd[4096];
|
|
char ssh_agent_sock[1024];
|
|
char ssh_agent_pidfile[1024];
|
|
char bob_ssh_key[1024];
|
|
struct passwd *pwd;
|
|
int rc;
|
|
|
|
rc = pubkey_setup(state);
|
|
if (rc != 0) {
|
|
return rc;
|
|
}
|
|
|
|
pwd = getpwnam("bob");
|
|
assert_non_null(pwd);
|
|
|
|
snprintf(ssh_agent_sock,
|
|
sizeof(ssh_agent_sock),
|
|
"%s/agent.sock",
|
|
s->socket_dir);
|
|
|
|
snprintf(ssh_agent_pidfile,
|
|
sizeof(ssh_agent_pidfile),
|
|
"%s/agent.pid",
|
|
s->socket_dir);
|
|
|
|
/* Production ready code!!! */
|
|
snprintf(ssh_agent_cmd,
|
|
sizeof(ssh_agent_cmd),
|
|
"eval `ssh-agent -a %s`; echo $SSH_AGENT_PID > %s",
|
|
ssh_agent_sock, ssh_agent_pidfile);
|
|
|
|
/* run ssh-agent and ssh-add as the normal user */
|
|
unsetenv("UID_WRAPPER_ROOT");
|
|
|
|
rc = system(ssh_agent_cmd);
|
|
assert_return_code(rc, errno);
|
|
|
|
setenv("SSH_AUTH_SOCK", ssh_agent_sock, 1);
|
|
setenv("TORTURE_SSH_AGENT_PIDFILE", ssh_agent_pidfile, 1);
|
|
|
|
snprintf(bob_ssh_key,
|
|
sizeof(bob_ssh_key),
|
|
"ssh-add %s/.ssh/id_rsa",
|
|
pwd->pw_dir);
|
|
|
|
rc = system(bob_ssh_key);
|
|
assert_return_code(rc, errno);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int agent_cert_setup(void **state)
|
|
{
|
|
char bob_alt_ssh_key[1024];
|
|
struct passwd *pwd;
|
|
int rc;
|
|
|
|
rc = agent_setup(state);
|
|
if (rc != 0) {
|
|
return rc;
|
|
}
|
|
|
|
pwd = getpwnam("bob");
|
|
assert_non_null(pwd);
|
|
|
|
/* remove all keys, load alternative key + cert */
|
|
snprintf(bob_alt_ssh_key,
|
|
sizeof(bob_alt_ssh_key),
|
|
"ssh-add -D && ssh-add %s/.ssh_cert/id_rsa",
|
|
pwd->pw_dir);
|
|
|
|
rc = system(bob_alt_ssh_key);
|
|
assert_return_code(rc, errno);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int agent_teardown(void **state)
|
|
{
|
|
const char *ssh_agent_pidfile;
|
|
int rc;
|
|
|
|
rc = session_teardown(state);
|
|
if (rc != 0) {
|
|
return rc;
|
|
}
|
|
|
|
ssh_agent_pidfile = getenv("TORTURE_SSH_AGENT_PIDFILE");
|
|
assert_non_null(ssh_agent_pidfile);
|
|
|
|
/* kill agent pid */
|
|
torture_terminate_process(ssh_agent_pidfile);
|
|
|
|
unlink(ssh_agent_pidfile);
|
|
|
|
unsetenv("TORTURE_SSH_AGENT_PIDFILE");
|
|
unsetenv("SSH_AUTH_SOCK");
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void torture_auth_none(void **state) {
|
|
struct torture_state *s = *state;
|
|
ssh_session session = s->ssh.session;
|
|
int rc;
|
|
|
|
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_BOB);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_connect(session);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_userauth_none(session,NULL);
|
|
assert_int_equal(rc, SSH_AUTH_DENIED);
|
|
|
|
/* This request should return a SSH_REQUEST_DENIED error */
|
|
if (rc == SSH_ERROR) {
|
|
assert_int_equal(ssh_get_error_code(session), SSH_REQUEST_DENIED);
|
|
}
|
|
}
|
|
|
|
static void torture_auth_none_nonblocking(void **state) {
|
|
struct torture_state *s = *state;
|
|
ssh_session session = s->ssh.session;
|
|
int rc;
|
|
|
|
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_connect(session);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
/* This request should return a SSH_REQUEST_DENIED error */
|
|
if (rc == SSH_ERROR) {
|
|
assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
|
|
}
|
|
|
|
ssh_set_blocking(session,0);
|
|
|
|
do {
|
|
rc = ssh_userauth_none(session,NULL);
|
|
} while (rc == SSH_AUTH_AGAIN);
|
|
assert_int_equal(rc, SSH_AUTH_DENIED);
|
|
assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
|
|
|
|
}
|
|
|
|
static void torture_auth_autopubkey(void **state) {
|
|
struct torture_state *s = *state;
|
|
ssh_session session = s->ssh.session;
|
|
int rc;
|
|
|
|
/* Authenticate as alice with bob his pubkey */
|
|
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_connect(session);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_userauth_none(session,NULL);
|
|
/* This request should return a SSH_REQUEST_DENIED error */
|
|
if (rc == SSH_ERROR) {
|
|
assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
|
|
}
|
|
rc = ssh_userauth_list(session, NULL);
|
|
assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
|
|
|
|
rc = ssh_userauth_publickey_auto(session, NULL, NULL);
|
|
assert_int_equal(rc, SSH_AUTH_SUCCESS);
|
|
}
|
|
|
|
static void torture_auth_autopubkey_nonblocking(void **state) {
|
|
struct torture_state *s = *state;
|
|
ssh_session session = s->ssh.session;
|
|
int rc;
|
|
|
|
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_connect(session);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
ssh_set_blocking(session,0);
|
|
do {
|
|
rc = ssh_userauth_none(session, NULL);
|
|
} while (rc == SSH_AUTH_AGAIN);
|
|
|
|
/* This request should return a SSH_REQUEST_DENIED error */
|
|
if (rc == SSH_ERROR) {
|
|
assert_int_equal(ssh_get_error_code(session), SSH_REQUEST_DENIED);
|
|
}
|
|
|
|
rc = ssh_userauth_list(session, NULL);
|
|
assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
|
|
|
|
do {
|
|
rc = ssh_userauth_publickey_auto(session, NULL, NULL);
|
|
} while (rc == SSH_AUTH_AGAIN);
|
|
assert_int_equal(rc, SSH_AUTH_SUCCESS);
|
|
}
|
|
|
|
static void torture_auth_kbdint(void **state) {
|
|
struct torture_state *s = *state;
|
|
ssh_session session = s->ssh.session;
|
|
int rc;
|
|
|
|
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_BOB);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_connect(session);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_userauth_none(session,NULL);
|
|
/* This request should return a SSH_REQUEST_DENIED error */
|
|
if (rc == SSH_ERROR) {
|
|
assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
|
|
}
|
|
rc = ssh_userauth_list(session, NULL);
|
|
assert_true(rc & SSH_AUTH_METHOD_INTERACTIVE);
|
|
|
|
rc = ssh_userauth_kbdint(session, NULL, NULL);
|
|
assert_int_equal(rc, SSH_AUTH_INFO);
|
|
assert_int_equal(ssh_userauth_kbdint_getnprompts(session), 1);
|
|
|
|
rc = ssh_userauth_kbdint_setanswer(session, 0, TORTURE_SSH_USER_BOB_PASSWORD);
|
|
assert_false(rc < 0);
|
|
|
|
rc = ssh_userauth_kbdint(session, NULL, NULL);
|
|
/* Sometimes, SSH server send an empty query at the end of exchange */
|
|
if(rc == SSH_AUTH_INFO) {
|
|
assert_int_equal(ssh_userauth_kbdint_getnprompts(session), 0);
|
|
rc = ssh_userauth_kbdint(session, NULL, NULL);
|
|
}
|
|
assert_int_equal(rc, SSH_AUTH_SUCCESS);
|
|
}
|
|
|
|
static void torture_auth_kbdint_nonblocking(void **state) {
|
|
struct torture_state *s = *state;
|
|
ssh_session session = s->ssh.session;
|
|
int rc;
|
|
|
|
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_BOB);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_connect(session);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
ssh_set_blocking(session,0);
|
|
do {
|
|
rc = ssh_userauth_none(session, NULL);
|
|
} while (rc == SSH_AUTH_AGAIN);
|
|
|
|
/* This request should return a SSH_REQUEST_DENIED error */
|
|
if (rc == SSH_ERROR) {
|
|
assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
|
|
}
|
|
rc = ssh_userauth_list(session, NULL);
|
|
assert_true(rc & SSH_AUTH_METHOD_INTERACTIVE);
|
|
|
|
do {
|
|
rc = ssh_userauth_kbdint(session, NULL, NULL);
|
|
} while (rc == SSH_AUTH_AGAIN);
|
|
assert_int_equal(rc, SSH_AUTH_INFO);
|
|
assert_int_equal(ssh_userauth_kbdint_getnprompts(session), 1);
|
|
rc = ssh_userauth_kbdint_setanswer(session, 0, TORTURE_SSH_USER_BOB_PASSWORD);
|
|
assert_false(rc < 0);
|
|
|
|
do {
|
|
rc = ssh_userauth_kbdint(session, NULL, NULL);
|
|
} while (rc == SSH_AUTH_AGAIN);
|
|
/* Sometimes, SSH server send an empty query at the end of exchange */
|
|
if(rc == SSH_AUTH_INFO) {
|
|
assert_int_equal(ssh_userauth_kbdint_getnprompts(session), 0);
|
|
do {
|
|
rc = ssh_userauth_kbdint(session, NULL, NULL);
|
|
} while (rc == SSH_AUTH_AGAIN);
|
|
}
|
|
assert_int_equal(rc, SSH_AUTH_SUCCESS);
|
|
}
|
|
|
|
static void torture_auth_password(void **state) {
|
|
struct torture_state *s = *state;
|
|
ssh_session session = s->ssh.session;
|
|
int rc;
|
|
|
|
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_BOB);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_connect(session);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_userauth_none(session, NULL);
|
|
/* This request should return a SSH_REQUEST_DENIED error */
|
|
if (rc == SSH_AUTH_ERROR) {
|
|
assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
|
|
}
|
|
rc = ssh_userauth_list(session, NULL);
|
|
assert_true(rc & SSH_AUTH_METHOD_PASSWORD);
|
|
|
|
rc = ssh_userauth_password(session, NULL, TORTURE_SSH_USER_BOB_PASSWORD);
|
|
assert_int_equal(rc, SSH_AUTH_SUCCESS);
|
|
}
|
|
|
|
static void torture_auth_password_nonblocking(void **state) {
|
|
struct torture_state *s = *state;
|
|
ssh_session session = s->ssh.session;
|
|
int rc;
|
|
|
|
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_BOB);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_connect(session);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
ssh_set_blocking(session,0);
|
|
do {
|
|
rc = ssh_userauth_none(session, NULL);
|
|
} while (rc == SSH_AUTH_AGAIN);
|
|
|
|
/* This request should return a SSH_REQUEST_DENIED error */
|
|
if (rc == SSH_AUTH_ERROR) {
|
|
assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
|
|
}
|
|
|
|
rc = ssh_userauth_list(session, NULL);
|
|
assert_true(rc & SSH_AUTH_METHOD_PASSWORD);
|
|
|
|
do {
|
|
rc = ssh_userauth_password(session, NULL, TORTURE_SSH_USER_BOB_PASSWORD);
|
|
} while(rc==SSH_AUTH_AGAIN);
|
|
|
|
assert_int_equal(rc, SSH_AUTH_SUCCESS);
|
|
}
|
|
|
|
static void torture_auth_agent(void **state) {
|
|
struct torture_state *s = *state;
|
|
ssh_session session = s->ssh.session;
|
|
int rc;
|
|
|
|
if (!ssh_agent_is_running(session)){
|
|
print_message("*** Agent not running. Test ignored\n");
|
|
return;
|
|
}
|
|
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_connect(session);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_userauth_none(session,NULL);
|
|
/* This request should return a SSH_REQUEST_DENIED error */
|
|
if (rc == SSH_ERROR) {
|
|
assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
|
|
}
|
|
rc = ssh_userauth_list(session, NULL);
|
|
assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
|
|
|
|
rc = ssh_userauth_agent(session, NULL);
|
|
assert_int_equal(rc, SSH_AUTH_SUCCESS);
|
|
}
|
|
|
|
static void torture_auth_agent_nonblocking(void **state) {
|
|
struct torture_state *s = *state;
|
|
ssh_session session = s->ssh.session;
|
|
int rc;
|
|
|
|
if (!ssh_agent_is_running(session)){
|
|
print_message("*** Agent not running. Test ignored\n");
|
|
return;
|
|
}
|
|
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_connect(session);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_userauth_none(session,NULL);
|
|
/* This request should return a SSH_REQUEST_DENIED error */
|
|
if (rc == SSH_ERROR) {
|
|
assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
|
|
}
|
|
rc = ssh_userauth_list(session, NULL);
|
|
assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
|
|
|
|
ssh_set_blocking(session,0);
|
|
|
|
do {
|
|
rc = ssh_userauth_agent(session, NULL);
|
|
} while (rc == SSH_AUTH_AGAIN);
|
|
assert_int_equal(rc, SSH_AUTH_SUCCESS);
|
|
}
|
|
|
|
static void torture_auth_cert(void **state) {
|
|
struct torture_state *s = *state;
|
|
ssh_session session = s->ssh.session;
|
|
ssh_key privkey = NULL;
|
|
ssh_key cert = NULL;
|
|
char bob_ssh_key[1024];
|
|
char bob_ssh_cert[2048];
|
|
struct passwd *pwd;
|
|
int rc;
|
|
|
|
pwd = getpwnam("bob");
|
|
assert_non_null(pwd);
|
|
|
|
snprintf(bob_ssh_key,
|
|
sizeof(bob_ssh_key),
|
|
"%s/.ssh_cert/id_rsa",
|
|
pwd->pw_dir);
|
|
snprintf(bob_ssh_cert,
|
|
sizeof(bob_ssh_cert),
|
|
"%s-cert.pub",
|
|
bob_ssh_key);
|
|
|
|
/* cert has been signed for login as alice */
|
|
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_connect(session);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_pki_import_privkey_file(bob_ssh_key, NULL, NULL, NULL, &privkey);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_pki_import_cert_file(bob_ssh_cert, &cert);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_pki_copy_cert_to_privkey(cert, privkey);
|
|
assert_int_equal(rc, SSH_OK);
|
|
|
|
rc = ssh_userauth_try_publickey(session, NULL, cert);
|
|
assert_int_equal(rc, SSH_AUTH_SUCCESS);
|
|
|
|
rc = ssh_userauth_publickey(session, NULL, privkey);
|
|
assert_int_equal(rc, SSH_AUTH_SUCCESS);
|
|
|
|
ssh_key_free(privkey);
|
|
ssh_key_free(cert);
|
|
}
|
|
|
|
static void torture_auth_agent_cert(void **state) {
|
|
/* Setup loads a different key, tests are exactly the same. */
|
|
torture_auth_agent(state);
|
|
}
|
|
|
|
static void torture_auth_agent_cert_nonblocking(void **state) {
|
|
torture_auth_agent_nonblocking(state);
|
|
}
|
|
|
|
static void torture_auth_pubkey_types(void **state) {
|
|
struct torture_state *s = *state;
|
|
ssh_session session = s->ssh.session;
|
|
int rc;
|
|
|
|
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
|
|
assert_ssh_return_code(session, rc);
|
|
|
|
rc = ssh_connect(session);
|
|
assert_ssh_return_code(session, rc);
|
|
|
|
rc = ssh_userauth_none(session,NULL);
|
|
/* This request should return a SSH_REQUEST_DENIED error */
|
|
if (rc == SSH_ERROR) {
|
|
assert_true(ssh_get_error_code(session) == SSH_REQUEST_DENIED);
|
|
}
|
|
rc = ssh_userauth_list(session, NULL);
|
|
assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
|
|
|
|
/* Disable RSA key types for authentication */
|
|
rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
|
|
"ssh-dss");
|
|
assert_ssh_return_code(session, rc);
|
|
|
|
rc = ssh_userauth_publickey_auto(session, NULL, NULL);
|
|
assert_int_equal(rc, SSH_AUTH_DENIED);
|
|
|
|
/* Now enable it and retry */
|
|
rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
|
|
"rsa-sha2-512,ssh-rsa");
|
|
assert_ssh_return_code(session, rc);
|
|
|
|
rc = ssh_userauth_publickey_auto(session, NULL, NULL);
|
|
assert_int_equal(rc, SSH_AUTH_SUCCESS);
|
|
}
|
|
|
|
static void torture_auth_pubkey_types_nonblocking(void **state) {
|
|
struct torture_state *s = *state;
|
|
ssh_session session = s->ssh.session;
|
|
int rc;
|
|
|
|
rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
|
|
assert_ssh_return_code(session, rc);
|
|
|
|
rc = ssh_connect(session);
|
|
assert_ssh_return_code(session, rc);
|
|
|
|
ssh_set_blocking(session,0);
|
|
do {
|
|
rc = ssh_userauth_none(session, NULL);
|
|
} while (rc == SSH_AUTH_AGAIN);
|
|
|
|
/* This request should return a SSH_REQUEST_DENIED error */
|
|
if (rc == SSH_ERROR) {
|
|
assert_int_equal(ssh_get_error_code(session), SSH_REQUEST_DENIED);
|
|
}
|
|
|
|
rc = ssh_userauth_list(session, NULL);
|
|
assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
|
|
|
|
/* Disable RSA key types for authentication */
|
|
rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
|
|
"ssh-dss");
|
|
assert_ssh_return_code(session, rc);
|
|
|
|
do {
|
|
rc = ssh_userauth_publickey_auto(session, NULL, NULL);
|
|
} while (rc == SSH_AUTH_AGAIN);
|
|
assert_int_equal(rc, SSH_AUTH_DENIED);
|
|
|
|
/* Now enable it and retry */
|
|
rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
|
|
"rsa-sha2-512,ssh-rsa");
|
|
assert_ssh_return_code(session, rc);
|
|
|
|
do {
|
|
rc = ssh_userauth_publickey_auto(session, NULL, NULL);
|
|
} while (rc == SSH_AUTH_AGAIN);
|
|
assert_int_equal(rc, SSH_AUTH_SUCCESS);
|
|
}
|
|
|
|
|
|
int torture_run_tests(void) {
|
|
int rc;
|
|
struct CMUnitTest tests[] = {
|
|
cmocka_unit_test_setup_teardown(torture_auth_none,
|
|
session_setup,
|
|
session_teardown),
|
|
cmocka_unit_test_setup_teardown(torture_auth_none_nonblocking,
|
|
session_setup,
|
|
session_teardown),
|
|
cmocka_unit_test_setup_teardown(torture_auth_password,
|
|
session_setup,
|
|
session_teardown),
|
|
cmocka_unit_test_setup_teardown(torture_auth_password_nonblocking,
|
|
session_setup,
|
|
session_teardown),
|
|
cmocka_unit_test_setup_teardown(torture_auth_kbdint,
|
|
session_setup,
|
|
session_teardown),
|
|
cmocka_unit_test_setup_teardown(torture_auth_kbdint_nonblocking,
|
|
session_setup,
|
|
session_teardown),
|
|
cmocka_unit_test_setup_teardown(torture_auth_autopubkey,
|
|
pubkey_setup,
|
|
session_teardown),
|
|
cmocka_unit_test_setup_teardown(torture_auth_autopubkey_nonblocking,
|
|
pubkey_setup,
|
|
session_teardown),
|
|
cmocka_unit_test_setup_teardown(torture_auth_agent,
|
|
agent_setup,
|
|
agent_teardown),
|
|
cmocka_unit_test_setup_teardown(torture_auth_agent_nonblocking,
|
|
agent_setup,
|
|
agent_teardown),
|
|
cmocka_unit_test_setup_teardown(torture_auth_cert,
|
|
pubkey_setup,
|
|
session_teardown),
|
|
cmocka_unit_test_setup_teardown(torture_auth_agent_cert,
|
|
agent_cert_setup,
|
|
agent_teardown),
|
|
cmocka_unit_test_setup_teardown(torture_auth_agent_cert_nonblocking,
|
|
agent_cert_setup,
|
|
agent_teardown),
|
|
cmocka_unit_test_setup_teardown(torture_auth_pubkey_types,
|
|
pubkey_setup,
|
|
session_teardown),
|
|
cmocka_unit_test_setup_teardown(torture_auth_pubkey_types_nonblocking,
|
|
pubkey_setup,
|
|
session_teardown),
|
|
};
|
|
|
|
ssh_init();
|
|
torture_filter_tests(tests);
|
|
rc = cmocka_run_group_tests(tests, sshd_setup, sshd_teardown);
|
|
ssh_finalize();
|
|
|
|
return rc;
|
|
}
|