[PATCH v2 1/2] tests/pkd: repro rsa-sha2-{256,512} negotiation bug
- Subject: [PATCH v2 1/2] tests/pkd: repro rsa-sha2-{256,512} negotiation bug
- From: Jon Simons <jon@xxxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Wed, 6 Feb 2019 12:39:19 -0500
- To: libssh@xxxxxxxxxx
- Cc: jjelen@xxxxxxxxxx, Jon Simons <jon@xxxxxxxxxxxxx>
Add four passes to the pkd tests to exercise codepaths where an
OpenSSH client requests these HostKeyAlgorithms combinations:
* rsa-sha2-256
* rsa-sha2-512
* rsa-sha2-256,rsa-sha2-512
* rsa-sha2-512,rsa-sha2-256
The tests demonstrate that the third combination currently fails:
libssh ends up choosing `rsa-sha2-512` instead of `rsa-sha2-256`,
and the initial exchange fails on the client side citing a signature
failure.
Signed-off-by: Jon Simons <jon@xxxxxxxxxxxxx>
---
tests/pkd/pkd_client.h | 15 +++++++++------
tests/pkd/pkd_hello.c | 8 ++++++++
2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/tests/pkd/pkd_client.h b/tests/pkd/pkd_client.h
index 4d01a607..783d4886 100644
--- a/tests/pkd/pkd_client.h
+++ b/tests/pkd/pkd_client.h
@@ -46,12 +46,12 @@
OPENSSH_PKACCEPTED_ECDSA \
OPENSSH_PKACCEPTED_DSA
-#define OPENSSH_CMD_START \
+#define OPENSSH_CMD_START(hostkey_algos) \
OPENSSH_BINARY " " \
"-o UserKnownHostsFile=/dev/null " \
"-o StrictHostKeyChecking=no " \
"-F /dev/null " \
- OPENSSH_HOSTKEY_ALGOS " " \
+ hostkey_algos " " \
OPENSSH_PKACCEPTED_TYPES " " \
"-i " CLIENT_ID_FILE " " \
"1> %s.out " \
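Review bot: The new `hostkey_algos` parameter of `OPENSSH_CMD_START` has an undocumented contract: it is joined by string-literal concatenation, so every caller must pass a string literal (or a macro expanding to one) that holds the complete option, not just an algorithm name. The `1> %s.out` redirection suggests the result is run as a shell command line, so the argument should remain a compile-time constant free of shell metacharacters; nothing in the macro quotes it. A comment above the define would record this, for example `/* hostkey_algos: string literal with the full "-o HostKeyAlgorithms=..." option; spliced unquoted into the command line */`. The macro body continues past the end of this hunk.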
@@ -61,16 +61,19 @@
#define OPENSSH_CMD_END "-p 1234 localhost ls"
#define OPENSSH_CMD \
- OPENSSH_CMD_START OPENSSH_CMD_END
+ OPENSSH_CMD_START(OPENSSH_HOSTKEY_ALGOS) OPENSSH_CMD_END
#define OPENSSH_KEX_CMD(kexalgo) \
- OPENSSH_CMD_START "-o KexAlgorithms=" kexalgo " " OPENSSH_CMD_END
+ OPENSSH_CMD_START(OPENSSH_HOSTKEY_ALGOS) "-o KexAlgorithms=" kexalgo " " OPENSSH_CMD_END
#define OPENSSH_CIPHER_CMD(ciphers) \
- OPENSSH_CMD_START "-c " ciphers " " OPENSSH_CMD_END
+ OPENSSH_CMD_START(OPENSSH_HOSTKEY_ALGOS) "-c " ciphers " " OPENSSH_CMD_END
#define OPENSSH_MAC_CMD(macs) \
- OPENSSH_CMD_START "-o MACs=" macs " " OPENSSH_CMD_END
+ OPENSSH_CMD_START(OPENSSH_HOSTKEY_ALGOS) "-o MACs=" macs " " OPENSSH_CMD_END
+
+#define OPENSSH_HOSTKEY_CMD(hostkeyalgo) \
+ OPENSSH_CMD_START("-o HostKeyAlgorithms=" hostkeyalgo " ") OPENSSH_CMD_END
/* Dropbear */
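Review bot: `OPENSSH_HOSTKEY_CMD` puts a trailing `" "` inside its argument even though `OPENSSH_CMD_START` already appends `" "` after `hostkey_algos`, so the generated command has a doubled space before the next option. This is harmless when the string is parsed as a command line, but it is inconsistent with the other wrappers in this hunk; the body can read `OPENSSH_CMD_START("-o HostKeyAlgorithms=" hostkeyalgo) OPENSSH_CMD_END`. A one-line comment that this wrapper replaces the default `OPENSSH_HOSTKEY_ALGOS` list rather than adding to it would also help readers of the test matrix.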
diff --git a/tests/pkd/pkd_hello.c b/tests/pkd/pkd_hello.c
index 4c16267b..6ec3d048 100644
--- a/tests/pkd/pkd_hello.c
+++ b/tests/pkd/pkd_hello.c
@@ -526,6 +526,12 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
f(client, ecdsa_521_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ecdsa_521, teardown)
#endif
+#define PKDTESTS_HOSTKEY_OPENSSHONLY(f, client, hkcmd) \
+ f(client, rsa_sha2_256, hkcmd("rsa-sha2-256"), setup_rsa, teardown) \
+ f(client, rsa_sha2_512, hkcmd("rsa-sha2-512"), setup_rsa, teardown) \
+ f(client, rsa_sha2_256_512, hkcmd("rsa-sha2-256,rsa-sha2-512"), setup_rsa, teardown) \
+ f(client, rsa_sha2_512_256, hkcmd("rsa-sha2-512,rsa-sha2-256"), setup_rsa, teardown)
+
static void torture_pkd_client_noop(void **state) {
struct pkd_state *pstate = (struct pkd_state *) (*state);
(void) pstate;
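Review bot: The `rsa_sha2_256_512` pass added in `PKDTESTS_HOSTKEY_OPENSSHONLY` is expected to fail at this commit, because the description says libssh picks `rsa-sha2-512` for that list and the client then reports a signature failure. The pkd suite therefore stays red until the fix lands, presumably in patch 2/2, which makes bisecting across this commit harder. Either order the fix first or state in the commit message that the failure is intended until the follow-up. The macro also lacks a comment on what it covers, e.g. `/* RSA host key under each HostKeyAlgorithms ordering of rsa-sha2-256 and rsa-sha2-512; the server should sign with the first client-listed algorithm it supports */`. The `#endif` just above suggests sibling lists are conditionally compiled, so if OpenSSH clients without rsa-sha2 support are still in the test matrix these passes may need a similar guard, which cannot be confirmed from this hunk.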
@@ -593,6 +599,7 @@ PKDTESTS_CIPHER(emit_keytest, openssh_rsa, OPENSSH_CIPHER_CMD)
PKDTESTS_CIPHER_OPENSSHONLY(emit_keytest, openssh_rsa, OPENSSH_CIPHER_CMD)
PKDTESTS_MAC(emit_keytest, openssh_rsa, OPENSSH_MAC_CMD)
PKDTESTS_MAC_OPENSSHONLY(emit_keytest, openssh_rsa, OPENSSH_MAC_CMD)
+PKDTESTS_HOSTKEY_OPENSSHONLY(emit_keytest, openssh_rsa, OPENSSH_HOSTKEY_CMD)
#undef CLIENT_ID_FILE
#define CLIENT_ID_FILE OPENSSH_ECDSA256_TESTKEY
@@ -669,6 +676,7 @@ struct {
PKDTESTS_CIPHER_OPENSSHONLY(emit_testmap, openssh_rsa, OPENSSH_CIPHER_CMD)
PKDTESTS_MAC(emit_testmap, openssh_rsa, OPENSSH_MAC_CMD)
PKDTESTS_MAC_OPENSSHONLY(emit_testmap, openssh_rsa, OPENSSH_MAC_CMD)
+ PKDTESTS_HOSTKEY_OPENSSHONLY(emit_testmap, openssh_rsa, OPENSSH_HOSTKEY_CMD)
PKDTESTS_DEFAULT(emit_testmap, openssh_e256, OPENSSH_CMD)
PKDTESTS_DEFAULT_OPENSSHONLY(emit_testmap, openssh_e256, OPENSSH_CMD)
--
2.19.1.593.gc670b1f
| [PATCH v2 0/2] kex: fix RFC8332 RSA extension selection bug | Jon Simons <jon@xxxxxxxxxxxxx> |