source-git / libssh

Clone
Source Code
GIT

Blame tests/client/torture_rekey.c

c8 c8s master
  1.   a2e944b9df4f0164936d3babbb910a2479718f52
  2.   tests
  3.   client
  4.   torture_rekey.c
Blob History Raw
Packit Service 31306d 
/*
Packit Service 31306d 
 * This file is part of the SSH Library
Packit Service 31306d 
 *
Packit Service 31306d 
 * Copyright (c) 2018 by Red Hat, Inc.
Packit Service 31306d 
 *
Packit Service 31306d 
 * Authors: Jakub Jelen <jjelen@redhat.com>
Packit Service 31306d 
 *
Packit Service 31306d 
 * The SSH Library is free software; you can redistribute it and/or modify
Packit Service 31306d 
 * it under the terms of the GNU Lesser General Public License as published by
Packit Service 31306d 
 * the Free Software Foundation; either version 2.1 of the License, or (at your
Packit Service 31306d 
 * option) any later version.
Packit Service 31306d 
 *
Packit Service 31306d 
 * The SSH Library is distributed in the hope that it will be useful, but
Packit Service 31306d 
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
Packit Service 31306d 
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
Packit Service 31306d 
 * License for more details.
Packit Service 31306d 
 *
Packit Service 31306d 
 * You should have received a copy of the GNU Lesser General Public License
Packit Service 31306d 
 * along with the SSH Library; see the file COPYING.  If not, write to
Packit Service 31306d 
 * the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
Packit Service 31306d 
 * MA 02111-1307, USA.
Packit Service 31306d 
 */
Packit Service 31306d
Packit Service 31306d 
#include "config.h"
Packit Service 31306d
Packit Service 31306d 
#define LIBSSH_STATIC
Packit Service 31306d
Packit Service 31306d 
#include "torture.h"
Packit Service 31306d 
#include "libssh/sftp.h"
Packit Service 31306d 
#include "libssh/libssh.h"
Packit Service 31306d 
#include "libssh/priv.h"
Packit Service 31306d 
#include "libssh/session.h"
Packit Service 31306d 
#include "libssh/crypto.h"
Packit Service 31306d
Packit Service 31306d 
#include <errno.h>
Packit Service 31306d 
#include <sys/types.h>
Packit Service 31306d 
#include <sys/stat.h>
Packit Service 31306d 
#include <fcntl.h>
Packit Service 31306d 
#include <pwd.h>
Packit Service 31306d
Packit Service 31306d 
static int sshd_setup(void **state)
Packit Service 31306d 
{
Packit Service 31306d 
    torture_setup_sshd_server(state, false);
Packit Service 31306d
Packit Service 31306d 
    return 0;
Packit Service 31306d 
}
Packit Service 31306d
Packit Service 31306d 
static int sshd_teardown(void **state)
Packit Service 31306d 
{
Packit Service 31306d 
    torture_teardown_sshd_server(state);
Packit Service 31306d
Packit Service 31306d 
    return 0;
Packit Service 31306d 
}
Packit Service 31306d
Packit Service 31306d 
static int session_setup(void **state)
Packit Service 31306d 
{
Packit Service 31306d 
    struct torture_state *s = *state;
Packit Service 31306d 
    int verbosity = torture_libssh_verbosity();
Packit Service 31306d 
    struct passwd *pwd;
Packit Service 31306d 
    bool b = false;
Packit Service 31306d 
    int rc;
Packit Service 31306d
Packit Service 31306d 
    pwd = getpwnam("bob");
Packit Service 31306d 
    assert_non_null(pwd);
Packit Service 31306d
Packit Service 31306d 
    rc = setuid(pwd->pw_uid);
Packit Service 31306d 
    assert_return_code(rc, errno);
Packit Service 31306d
Packit Service 31306d 
    s->ssh.session = ssh_new();
Packit Service 31306d 
    assert_non_null(s->ssh.session);
Packit Service 31306d
Packit Service 31306d 
    ssh_options_set(s->ssh.session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
Packit Service 31306d 
    ssh_options_set(s->ssh.session, SSH_OPTIONS_HOST, TORTURE_SSH_SERVER);
Packit Service 31306d
Packit Service 31306d 
    /* Authenticate as alice with bob's pubkey */
Packit Service 31306d 
    rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
Packit Service 31306d 
    assert_int_equal(rc, SSH_OK);
Packit Service 31306d
Packit Service 31306d 
    /* Make sure no other configuration options from system will get used */
Packit Service 31306d 
    rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_PROCESS_CONFIG, &b);
Packit Service 31306d 
    assert_ssh_return_code(s->ssh.session, rc);
Packit Service 31306d
Packit Service 31306d 
    /* Make sure we do not interfere with another ssh-agent */
Packit Service 31306d 
    unsetenv("SSH_AUTH_SOCK");
Packit Service 31306d 
    unsetenv("SSH_AGENT_PID");
Packit Service 31306d
Packit Service 31306d 
    return 0;
Packit Service 31306d 
}
Packit Service 31306d
Packit Service 31306d 
static int session_teardown(void **state)
Packit Service 31306d 
{
Packit Service 31306d 
    struct torture_state *s = *state;
Packit Service 31306d
Packit Service 31306d 
    ssh_free(s->ssh.session);
Packit Service 31306d
Packit Service 31306d 
    return 0;
Packit Service 31306d 
}
Packit Service 31306d
Packit Service 31306d 
/* Check that the default limits for rekeying are enforced.
Packit Service 31306d 
 * the limits are too high for testsuite to verify so
Packit Service 31306d 
 * we should be fine with checking the values in internal
Packit Service 31306d 
 * structures
Packit Service 31306d 
 */
Packit Service 31306d 
static void torture_rekey_default(void **state)
Packit Service 31306d 
{
Packit Service 31306d 
    struct torture_state *s = *state;
Packit Service 31306d 
    int rc;
Packit Service 31306d 
    struct ssh_crypto_struct *c = NULL;
Packit Service 31306d
Packit Service 31306d 
    /* Define preferred ciphers: */
Packit Service 31306d 
    if (ssh_fips_mode()) {
Packit Service 31306d 
        /* We do not have any FIPS allowed cipher with different block size */
Packit Service 31306d 
        rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_CIPHERS_C_S,
Packit Service 31306d 
                             "aes128-gcm@openssh.com");
Packit Service 31306d 
    } else {
Packit Service 31306d 
        /* (out) C->S has 8B block */
Packit Service 31306d 
        rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_CIPHERS_C_S,
Packit Service 31306d 
                             "chacha20-poly1305@openssh.com");
Packit Service 31306d 
    }
Packit Service 31306d 
    assert_ssh_return_code(s->ssh.session, rc);
Packit Service 31306d 
    /* (in) S->C has 16B block */
Packit Service 31306d 
    rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_CIPHERS_S_C,
Packit Service 31306d 
                         "aes128-cbc");
Packit Service 31306d 
    assert_ssh_return_code(s->ssh.session, rc);
Packit Service 31306d
Packit Service 31306d 
    rc = ssh_connect(s->ssh.session);
Packit Service 31306d 
    assert_ssh_return_code(s->ssh.session, rc);
Packit Service 31306d
Packit Service 31306d 
    c = s->ssh.session->current_crypto;
Packit Service 31306d 
    /* The blocks limit is set correctly */
Packit Service 31306d 
    /* For S->C (in) we have 16B block => 2**(L/4) blocks */
Packit Service 31306d 
    assert_int_equal(c->in_cipher->max_blocks,
Packit Service 31306d 
                     (uint64_t)1 << (2 * c->in_cipher->blocksize));
Packit Service 31306d 
    if (ssh_fips_mode()) {
Packit Service 31306d 
        /* We do not have any FIPS allowed cipher with different block size */
Packit Service 31306d 
        assert_int_equal(c->in_cipher->max_blocks,
Packit Service 31306d 
                         (uint64_t)1 << (2 * c->in_cipher->blocksize));
Packit Service 31306d 
    } else {
Packit Service 31306d 
        /* The C->S (out) we have 8B block => 1 GB limit */
Packit Service 31306d 
        assert_int_equal(c->out_cipher->max_blocks,
Packit Service 31306d 
                         ((uint64_t)1 << 30) / c->out_cipher->blocksize);
Packit Service 31306d 
    }
Packit Service 31306d
Packit Service 31306d 
    ssh_disconnect(s->ssh.session);
Packit Service 31306d 
}
Packit Service 31306d
Packit Service 31306d 
/* We lower the rekey limits manually and check that the rekey
Packit Service 31306d 
 * really happens when sending data
Packit Service 31306d 
 */
Packit Service 31306d 
static void torture_rekey_send(void **state)
Packit Service 31306d 
{
Packit Service 31306d 
    struct torture_state *s = *state;
Packit Service 31306d 
    int rc;
Packit Service 31306d 
    char data[256];
Packit Service 31306d 
    unsigned int i;
Packit Service 31306d 
    uint64_t bytes = 2048; /* 2KB (more than the authentication phase) */
Packit Service 31306d 
    struct ssh_crypto_struct *c = NULL;
Packit Service 31306d 
    unsigned char *secret_hash = NULL;
Packit Service 31306d
Packit Service 31306d 
    rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_REKEY_DATA, &bytes);
Packit Service 31306d 
    assert_ssh_return_code(s->ssh.session, rc);
Packit Service 31306d
Packit Service 31306d 
    rc = ssh_connect(s->ssh.session);
Packit Service 31306d 
    assert_ssh_return_code(s->ssh.session, rc);
Packit Service 31306d
Packit Service 31306d 
    /* The blocks limit is set correctly */
Packit Service 31306d 
    c = s->ssh.session->current_crypto;
Packit Service 31306d 
    assert_int_equal(c->in_cipher->max_blocks,
Packit Service 31306d 
                     bytes / c->in_cipher->blocksize);
Packit Service 31306d 
    assert_int_equal(c->out_cipher->max_blocks,
Packit Service 31306d 
                     bytes / c->out_cipher->blocksize);
Packit Service 31306d 
    /* We should have less encrypted packets than transfered (first are not encrypted) */
Packit Service 31306d 
    assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
Packit Service 31306d 
    assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
Packit Service 31306d 
    /* Copy the initial secret hash = session_id so we know we changed keys later */
Packit Service 31306d 
    secret_hash = malloc(c->digest_len);
Packit Service 31306d 
    assert_non_null(secret_hash);
Packit Service 31306d 
    memcpy(secret_hash, c->secret_hash, c->digest_len);
Packit Service 31306d
Packit Service 31306d 
    /* OpenSSH can not rekey before authentication so authenticate here */
Packit Service 31306d 
    rc = ssh_userauth_none(s->ssh.session, NULL);
Packit Service 31306d 
    /* This request should return a SSH_REQUEST_DENIED error */
Packit Service 31306d 
    if (rc == SSH_ERROR) {
Packit Service 31306d 
        assert_int_equal(ssh_get_error_code(s->ssh.session), SSH_REQUEST_DENIED);
Packit Service 31306d 
    }
Packit Service 31306d 
    rc = ssh_userauth_list(s->ssh.session, NULL);
Packit Service 31306d 
    assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
Packit Service 31306d
Packit Service 31306d 
    rc = ssh_userauth_publickey_auto(s->ssh.session, NULL, NULL);
Packit Service 31306d 
    assert_int_equal(rc, SSH_AUTH_SUCCESS);
Packit Service 31306d
Packit Service 31306d 
    /* send ignore packets of up to 1KB to trigger rekey */
Packit Service 31306d 
    memset(data, 0, sizeof(data));
Packit Service 31306d 
    memset(data, 'A', 128);
Packit Service 31306d 
    for (i = 0; i < 16; i++) {
Packit Service 31306d 
        ssh_send_ignore(s->ssh.session, data);
Packit Service 31306d 
        ssh_handle_packets(s->ssh.session, 50);
Packit Service 31306d 
    }
Packit Service 31306d
Packit Service 31306d 
    /* The rekey limit was restored in the new crypto to the same value */
Packit Service 31306d 
    c = s->ssh.session->current_crypto;
Packit Service 31306d 
    assert_int_equal(c->in_cipher->max_blocks, bytes / c->in_cipher->blocksize);
Packit Service 31306d 
    assert_int_equal(c->out_cipher->max_blocks, bytes / c->out_cipher->blocksize);
Packit Service 31306d 
    /* Check that the secret hash is different than initially */
Packit Service 31306d 
    assert_memory_not_equal(secret_hash, c->secret_hash, c->digest_len);
Packit Service 31306d 
    free(secret_hash);
Packit Service 31306d
Packit Service 31306d 
    ssh_disconnect(s->ssh.session);
Packit Service 31306d 
}
Packit Service 31306d
Packit Service 31306d 
#ifdef WITH_SFTP
Packit Service 31306d 
static void session_setup_sftp(void **state)
Packit Service 31306d 
{
Packit Service 31306d 
    struct torture_state *s = *state;
Packit Service 31306d 
    int rc;
Packit Service 31306d
Packit Service 31306d 
    rc = ssh_connect(s->ssh.session);
Packit Service 31306d 
    assert_ssh_return_code(s->ssh.session, rc);
Packit Service 31306d
Packit Service 31306d 
    /* OpenSSH can not rekey before authentication so authenticate here */
Packit Service 31306d 
    rc = ssh_userauth_none(s->ssh.session, NULL);
Packit Service 31306d 
    /* This request should return a SSH_REQUEST_DENIED error */
Packit Service 31306d 
    if (rc == SSH_ERROR) {
Packit Service 31306d 
        assert_int_equal(ssh_get_error_code(s->ssh.session), SSH_REQUEST_DENIED);
Packit Service 31306d 
    }
Packit Service 31306d 
    rc = ssh_userauth_list(s->ssh.session, NULL);
Packit Service 31306d 
    assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
Packit Service 31306d
Packit Service 31306d 
    rc = ssh_userauth_publickey_auto(s->ssh.session, NULL, NULL);
Packit Service 31306d 
    assert_int_equal(rc, SSH_AUTH_SUCCESS);
Packit Service 31306d
Packit Service 31306d 
    /* Initialize SFTP session */
Packit Service 31306d 
    s->ssh.tsftp = torture_sftp_session(s->ssh.session);
Packit Service 31306d 
    assert_non_null(s->ssh.tsftp);
Packit Service 31306d 
}
Packit Service 31306d
Packit Service 31306d 
uint64_t bytes = 2048; /* 2KB */
Packit Service 31306d
Packit Service 31306d 
static int session_setup_sftp_client(void **state)
Packit Service 31306d 
{
Packit Service 31306d 
    struct torture_state *s = *state;
Packit Service 31306d 
    int rc;
Packit Service 31306d
Packit Service 31306d 
    session_setup(state);
Packit Service 31306d
Packit Service 31306d 
    rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_REKEY_DATA, &bytes);
Packit Service 31306d 
    assert_ssh_return_code(s->ssh.session, rc);
Packit Service 31306d
Packit Service 31306d 
    session_setup_sftp(state);
Packit Service 31306d
Packit Service 31306d 
    return 0;
Packit Service 31306d 
}
Packit Service 31306d
Packit Service 31306d 
#define MAX_XFER_BUF_SIZE 16384
Packit Service 31306d
Packit Service 31306d 
/* To trigger rekey by receiving data, the easiest thing is probably to
Packit Service 31306d 
 * use sftp
Packit Service 31306d 
 */
Packit Service 31306d 
static void torture_rekey_recv(void **state)
Packit Service 31306d 
{
Packit Service 31306d 
    struct torture_state *s = *state;
Packit Service 31306d 
    struct ssh_crypto_struct *c = NULL;
Packit Service 31306d 
    unsigned char *secret_hash = NULL;
Packit Service 31306d
Packit Service 31306d 
    char libssh_tmp_file[] = "/tmp/libssh_sftp_test_XXXXXX";
Packit Service 31306d 
    char buf[MAX_XFER_BUF_SIZE];
Packit Service 31306d 
    ssize_t bytesread;
Packit Service 31306d 
    ssize_t byteswritten;
Packit Service 31306d 
    int fd;
Packit Service 31306d 
    sftp_file file;
Packit Service 31306d 
    mode_t mask;
Packit Service 31306d
Packit Service 31306d 
    /* The blocks limit is set correctly */
Packit Service 31306d 
    c = s->ssh.session->current_crypto;
Packit Service 31306d 
    assert_int_equal(c->in_cipher->max_blocks, bytes / c->in_cipher->blocksize);
Packit Service 31306d 
    assert_int_equal(c->out_cipher->max_blocks, bytes / c->out_cipher->blocksize);
Packit Service 31306d 
    /* We should have less encrypted packets than transfered (first are not encrypted) */
Packit Service 31306d 
    assert_true(c->out_cipher->packets < s->ssh.session->send_seq);
Packit Service 31306d 
    assert_true(c->in_cipher->packets < s->ssh.session->recv_seq);
Packit Service 31306d 
    /* Copy the initial secret hash = session_id so we know we changed keys later */
Packit Service 31306d 
    secret_hash = malloc(c->digest_len);
Packit Service 31306d 
    assert_non_null(secret_hash);
Packit Service 31306d 
    memcpy(secret_hash, c->secret_hash, c->digest_len);
Packit Service 31306d
Packit Service 31306d 
    /* Download a file */
Packit Service 31306d 
    file = sftp_open(s->ssh.tsftp->sftp, "/usr/bin/ssh", O_RDONLY, 0);
Packit Service 31306d 
    assert_non_null(file);
Packit Service 31306d
Packit Service 31306d 
    mask = umask(S_IRWXO | S_IRWXG);
Packit Service 31306d 
    fd = mkstemp(libssh_tmp_file);
Packit Service 31306d 
    umask(mask);
Packit Service 31306d 
    unlink(libssh_tmp_file);
Packit Service 31306d
Packit Service 31306d 
    for (;;) {
Packit Service 31306d 
        bytesread = sftp_read(file, buf, MAX_XFER_BUF_SIZE);
Packit Service 31306d 
        if (bytesread == 0) {
Packit Service 31306d 
                break; /* EOF */
Packit Service 31306d 
        }
Packit Service 31306d 
        assert_false(bytesread < 0);
Packit Service 31306d
Packit Service 31306d 
        byteswritten = write(fd, buf, bytesread);
Packit Service 31306d 
        assert_int_equal(byteswritten, bytesread);
Packit Service 31306d 
    }
Packit Service 31306d
Packit Service 31306d 
    close(fd);
Packit Service 31306d
Packit Service 31306d 
    /* The rekey limit was restored in the new crypto to the same value */
Packit Service 31306d 
    c = s->ssh.session->current_crypto;
Packit Service 31306d 
    assert_int_equal(c->in_cipher->max_blocks, bytes / c->in_cipher->blocksize);
Packit Service 31306d 
    assert_int_equal(c->out_cipher->max_blocks, bytes / c->out_cipher->blocksize);
Packit Service 31306d 
    /* Check that the secret hash is different than initially */
Packit Service 31306d 
    assert_memory_not_equal(secret_hash, c->secret_hash, c->digest_len);
Packit Service 31306d 
    free(secret_hash);
Packit Service 31306d
Packit Service 31306d 
    torture_sftp_close(s->ssh.tsftp);
Packit Service 31306d 
    ssh_disconnect(s->ssh.session);
Packit Service 31306d 
}
Packit Service 31306d 
#endif /* WITH_SFTP */
Packit Service 31306d
Packit Service 31306d 
/* Rekey time requires rekey after specified time and is off by default.
Packit Service 31306d 
 * Setting the time to small enough value and waiting, we should trigger
Packit Service 31306d 
 * rekey on the first sent packet afterward.
Packit Service 31306d 
 */
Packit Service 31306d 
static void torture_rekey_time(void **state)
Packit Service 31306d 
{
Packit Service 31306d 
    struct torture_state *s = *state;
Packit Service 31306d 
    int rc;
Packit Service 31306d 
    char data[256];
Packit Service 31306d 
    unsigned int i;
Packit Service 31306d 
    uint32_t time = 3; /* 3 seconds */
Packit Service 31306d 
    struct ssh_crypto_struct *c = NULL;
Packit Service 31306d 
    unsigned char *secret_hash = NULL;
Packit Service 31306d
Packit Service 31306d 
    rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_REKEY_TIME, &time);
Packit Service 31306d 
    assert_ssh_return_code(s->ssh.session, rc);
Packit Service 31306d 
    /* The time is internally stored in microseconds */
Packit Service 31306d 
    assert_int_equal(time * 1000, s->ssh.session->opts.rekey_time);
Packit Service 31306d
Packit Service 31306d 
    rc = ssh_connect(s->ssh.session);
Packit Service 31306d 
    assert_ssh_return_code(s->ssh.session, rc);
Packit Service 31306d
Packit Service 31306d 
    /* Copy the initial secret hash = session_id so we know we changed keys later */
Packit Service 31306d 
    c = s->ssh.session->current_crypto;
Packit Service 31306d 
    secret_hash = malloc(c->digest_len);
Packit Service 31306d 
    assert_non_null(secret_hash);
Packit Service 31306d 
    memcpy(secret_hash, c->secret_hash, c->digest_len);
Packit Service 31306d
Packit Service 31306d 
    /* OpenSSH can not rekey before authentication so authenticate here */
Packit Service 31306d 
    rc = ssh_userauth_none(s->ssh.session, NULL);
Packit Service 31306d 
    /* This request should return a SSH_REQUEST_DENIED error */
Packit Service 31306d 
    if (rc == SSH_ERROR) {
Packit Service 31306d 
        assert_int_equal(ssh_get_error_code(s->ssh.session), SSH_REQUEST_DENIED);
Packit Service 31306d 
    }
Packit Service 31306d 
    rc = ssh_userauth_list(s->ssh.session, NULL);
Packit Service 31306d 
    assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
Packit Service 31306d
Packit Service 31306d 
    rc = ssh_userauth_publickey_auto(s->ssh.session, NULL, NULL);
Packit Service 31306d 
    assert_int_equal(rc, SSH_AUTH_SUCCESS);
Packit Service 31306d
Packit Service 31306d 
    /* Send some data. This should not trigger rekey yet */
Packit Service 31306d 
    memset(data, 0, sizeof(data));
Packit Service 31306d 
    memset(data, 'A', 8);
Packit Service 31306d 
    for (i = 0; i < 3; i++) {
Packit Service 31306d 
        ssh_send_ignore(s->ssh.session, data);
Packit Service 31306d 
        ssh_handle_packets(s->ssh.session, 50);
Packit Service 31306d 
    }
Packit Service 31306d
Packit Service 31306d 
    /* Check that the secret hash is the same */
Packit Service 31306d 
    c = s->ssh.session->current_crypto;
Packit Service 31306d 
    assert_memory_equal(secret_hash, c->secret_hash, c->digest_len);
Packit Service 31306d
Packit Service 31306d 
    /* Wait some more time */
Packit Service 31306d 
    sleep(3);
Packit Service 31306d
Packit Service 31306d 
    /* send some more data to trigger rekey and handle the
Packit Service 31306d 
     * key exchange "in background" */
Packit Service 31306d 
    for (i = 0; i < 8; i++) {
Packit Service 31306d 
        ssh_send_ignore(s->ssh.session, data);
Packit Service 31306d 
        ssh_handle_packets(s->ssh.session, 50);
Packit Service 31306d 
    }
Packit Service 31306d
Packit Service 31306d 
    /* Check that the secret hash is different than initially */
Packit Service 31306d 
    c = s->ssh.session->current_crypto;
Packit Service 31306d 
    assert_memory_not_equal(secret_hash, c->secret_hash, c->digest_len);
Packit Service 31306d 
    free(secret_hash);
Packit Service 31306d
Packit Service 31306d 
    ssh_disconnect(s->ssh.session);
Packit Service 31306d 
}
Packit Service 31306d
Packit Service 31306d 
/* We lower the rekey limits manually and check that the rekey
Packit Service 31306d 
 * really happens when sending data
Packit Service 31306d 
 */
Packit Service 31306d 
static void torture_rekey_server_send(void **state)
Packit Service 31306d 
{
Packit Service 31306d 
    struct torture_state *s = *state;
Packit Service 31306d 
    int rc;
Packit Service 31306d 
    char data[256];
Packit Service 31306d 
    unsigned int i;
Packit Service 31306d 
    struct ssh_crypto_struct *c = NULL;
Packit Service 31306d 
    unsigned char *secret_hash = NULL;
Packit Service 31306d 
    const char *sshd_config = "RekeyLimit 2K none";
Packit Service 31306d
Packit Service 31306d 
    torture_update_sshd_config(state, sshd_config);
Packit Service 31306d
Packit Service 31306d 
    rc = ssh_connect(s->ssh.session);
Packit Service 31306d 
    assert_ssh_return_code(s->ssh.session, rc);
Packit Service 31306d
Packit Service 31306d 
    /* Copy the initial secret hash = session_id so we know we changed keys later */
Packit Service 31306d 
    c = s->ssh.session->current_crypto;
Packit Service 31306d 
    secret_hash = malloc(c->digest_len);
Packit Service 31306d 
    assert_non_null(secret_hash);
Packit Service 31306d 
    memcpy(secret_hash, c->secret_hash, c->digest_len);
Packit Service 31306d
Packit Service 31306d 
    /* OpenSSH can not rekey before authentication so authenticate here */
Packit Service 31306d 
    rc = ssh_userauth_none(s->ssh.session, NULL);
Packit Service 31306d 
    /* This request should return a SSH_REQUEST_DENIED error */
Packit Service 31306d 
    if (rc == SSH_ERROR) {
Packit Service 31306d 
        assert_int_equal(ssh_get_error_code(s->ssh.session), SSH_REQUEST_DENIED);
Packit Service 31306d 
    }
Packit Service 31306d 
    rc = ssh_userauth_list(s->ssh.session, NULL);
Packit Service 31306d 
    assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
Packit Service 31306d
Packit Service 31306d 
    rc = ssh_userauth_publickey_auto(s->ssh.session, NULL, NULL);
Packit Service 31306d 
    assert_int_equal(rc, SSH_AUTH_SUCCESS);
Packit Service 31306d
Packit Service 31306d 
    /* send ignore packets of up to 1KB to trigger rekey */
Packit Service 31306d 
    memset(data, 0, sizeof(data));
Packit Service 31306d 
    memset(data, 'A', 128);
Packit Service 31306d 
    for (i = 0; i < 20; i++) {
Packit Service 31306d 
        ssh_send_ignore(s->ssh.session, data);
Packit Service 31306d 
        ssh_handle_packets(s->ssh.session, 50);
Packit Service 31306d 
    }
Packit Service 31306d
Packit Service 31306d 
    /* Check that the secret hash is different than initially */
Packit Service 31306d 
    c = s->ssh.session->current_crypto;
Packit Service 31306d 
    assert_memory_not_equal(secret_hash, c->secret_hash, c->digest_len);
Packit Service 31306d 
    free(secret_hash);
Packit Service 31306d
Packit Service 31306d 
    ssh_disconnect(s->ssh.session);
Packit Service 31306d 
}
Packit Service 31306d
Packit Service 31306d 
#ifdef WITH_SFTP
Packit Service 31306d 
static int session_setup_sftp_server(void **state)
Packit Service 31306d 
{
Packit Service 31306d 
    const char *sshd_config = "RekeyLimit 2K none";
Packit Service 31306d
Packit Service 31306d 
    session_setup(state);
Packit Service 31306d
Packit Service 31306d 
    torture_update_sshd_config(state, sshd_config);
Packit Service 31306d
Packit Service 31306d 
    session_setup_sftp(state);
Packit Service 31306d
Packit Service 31306d 
    return 0;
Packit Service 31306d 
}
Packit Service 31306d
Packit Service 31306d 
static void torture_rekey_server_recv(void **state)
Packit Service 31306d 
{
Packit Service 31306d 
    struct torture_state *s = *state;
Packit Service 31306d 
    struct ssh_crypto_struct *c = NULL;
Packit Service 31306d 
    unsigned char *secret_hash = NULL;
Packit Service 31306d 
    char libssh_tmp_file[] = "/tmp/libssh_sftp_test_XXXXXX";
Packit Service 31306d 
    char buf[MAX_XFER_BUF_SIZE];
Packit Service 31306d 
    ssize_t bytesread;
Packit Service 31306d 
    ssize_t byteswritten;
Packit Service 31306d 
    int fd;
Packit Service 31306d 
    sftp_file file;
Packit Service 31306d 
    mode_t mask;
Packit Service 31306d
Packit Service 31306d 
    /* Copy the initial secret hash = session_id so we know we changed keys later */
Packit Service 31306d 
    c = s->ssh.session->current_crypto;
Packit Service 31306d 
    secret_hash = malloc(c->digest_len);
Packit Service 31306d 
    assert_non_null(secret_hash);
Packit Service 31306d 
    memcpy(secret_hash, c->secret_hash, c->digest_len);
Packit Service 31306d
Packit Service 31306d 
    /* Download a file */
Packit Service 31306d 
    file = sftp_open(s->ssh.tsftp->sftp, "/usr/bin/ssh", O_RDONLY, 0);
Packit Service 31306d 
    assert_non_null(file);
Packit Service 31306d
Packit Service 31306d 
    mask = umask(S_IRWXO | S_IRWXG);
Packit Service 31306d 
    fd = mkstemp(libssh_tmp_file);
Packit Service 31306d 
    umask(mask);
Packit Service 31306d 
    unlink(libssh_tmp_file);
Packit Service 31306d
Packit Service 31306d 
    for (;;) {
Packit Service 31306d 
        bytesread = sftp_read(file, buf, MAX_XFER_BUF_SIZE);
Packit Service 31306d 
        if (bytesread == 0) {
Packit Service 31306d 
                break; /* EOF */
Packit Service 31306d 
        }
Packit Service 31306d 
        assert_false(bytesread < 0);
Packit Service 31306d
Packit Service 31306d 
        byteswritten = write(fd, buf, bytesread);
Packit Service 31306d 
        assert_int_equal(byteswritten, bytesread);
Packit Service 31306d 
    }
Packit Service 31306d
Packit Service 31306d 
    close(fd);
Packit Service 31306d
Packit Service 31306d 
    /* Check that the secret hash is different than initially */
Packit Service 31306d 
    c = s->ssh.session->current_crypto;
Packit Service 31306d 
    assert_memory_not_equal(secret_hash, c->secret_hash, c->digest_len);
Packit Service 31306d 
    free(secret_hash);
Packit Service 31306d
Packit Service 31306d 
    torture_sftp_close(s->ssh.tsftp);
Packit Service 31306d 
    ssh_disconnect(s->ssh.session);
Packit Service 31306d 
}
Packit Service 31306d 
#endif /* WITH_SFTP */
Packit Service 31306d
Packit Service 31306d
Packit Service 31306d 
int torture_run_tests(void) {
Packit Service 31306d 
    int rc;
Packit Service 31306d 
    struct CMUnitTest tests[] = {
Packit Service 31306d 
        cmocka_unit_test_setup_teardown(torture_rekey_default,
Packit Service 31306d 
                                        session_setup,
Packit Service 31306d 
                                        session_teardown),
Packit Service 31306d 
        cmocka_unit_test_setup_teardown(torture_rekey_time,
Packit Service 31306d 
                                        session_setup,
Packit Service 31306d 
                                        session_teardown),
Packit Service 31306d 
#ifdef WITH_SFTP
Packit Service 31306d 
        cmocka_unit_test_setup_teardown(torture_rekey_recv,
Packit Service 31306d 
                                        session_setup_sftp_client,
Packit Service 31306d 
                                        session_teardown),
Packit Service 31306d 
#endif /* WITH_SFTP */
Packit Service 31306d 
        cmocka_unit_test_setup_teardown(torture_rekey_send,
Packit Service 31306d 
                                        session_setup,
Packit Service 31306d 
                                        session_teardown),
Packit Service 31306d 
        /* Note, that this modifies the sshd_config */
Packit Service 31306d 
        cmocka_unit_test_setup_teardown(torture_rekey_server_send,
Packit Service 31306d 
                                        session_setup,
Packit Service 31306d 
                                        session_teardown),
Packit Service 31306d 
#ifdef WITH_SFTP
Packit Service 31306d 
        cmocka_unit_test_setup_teardown(torture_rekey_server_recv,
Packit Service 31306d 
                                        session_setup_sftp_server,
Packit Service 31306d 
                                        session_teardown),
Packit Service 31306d 
#endif /* WITH_SFTP */
Packit Service 31306d 
        /* TODO verify the two rekey are possible and the states are not broken after rekey */
Packit Service 31306d 
    };
Packit Service 31306d
Packit Service 31306d 
    ssh_init();
Packit Service 31306d
Packit Service 31306d 
    torture_filter_tests(tests);
Packit Service 31306d 
    rc = cmocka_run_group_tests(tests, sshd_setup, sshd_teardown);
Packit Service 31306d
Packit Service 31306d 
    ssh_finalize();
Packit Service 31306d
Packit Service 31306d 
    return rc;
Packit Service 31306d 
}

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation