1
0
mirror of https://github.com/golang/go synced 2024-11-25 07:17:56 -07:00

exp/ssh: cleanup client auth tests

This CL cleans up the client auth tests, making the
individual test body more manageable.

Also, adds tests for rsa and dsa key negotiation.

Finally, remove the package level use of the variable
strings, which avoids conflicting with the strings pkg.

R=gustav.paul, agl, n13m3y3r, rsc
CC=golang-dev
https://golang.org/cl/5447049
This commit is contained in:
Dave Cheney 2011-12-06 18:13:20 -05:00 committed by Adam Langley
parent 2c7a84a95b
commit bf59f081c1
2 changed files with 138 additions and 129 deletions

View File

@ -7,17 +7,20 @@ package ssh
import ( import (
"bytes" "bytes"
"crypto" "crypto"
"crypto/rand" "crypto/dsa"
"crypto/rsa" "crypto/rsa"
_ "crypto/sha1"
"crypto/x509" "crypto/x509"
"encoding/pem" "encoding/pem"
"errors" "errors"
"io" "io"
"io/ioutil" "io/ioutil"
"math/big"
"testing" "testing"
) )
const _pem = `-----BEGIN RSA PRIVATE KEY----- // private key for mock server
const testServerPrivateKey = `-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA19lGVsTqIT5iiNYRgnoY1CwkbETW5cq+Rzk5v/kTlf31XpSU MIIEpAIBAAKCAQEA19lGVsTqIT5iiNYRgnoY1CwkbETW5cq+Rzk5v/kTlf31XpSU
70HVWkbTERECjaYdXM2gGcbb+sxpq6GtXf1M3kVomycqhxwhPv4Cr6Xp4WT/jkFx 70HVWkbTERECjaYdXM2gGcbb+sxpq6GtXf1M3kVomycqhxwhPv4Cr6Xp4WT/jkFx
9z+FFzpeodGJWjOH6L2H5uX1Cvr9EDdQp9t9/J32/qBFntY8GwoUI/y/1MSTmMiF 9z+FFzpeodGJWjOH6L2H5uX1Cvr9EDdQp9t9/J32/qBFntY8GwoUI/y/1MSTmMiF
@ -45,25 +48,32 @@ gqnBycHj6AhEycjda75cs+0zybZvN4x65KZHOGW/O/7OAWEcZP5TPb3zf9ned3Hl
NsZoFj52ponUM6+99A2CmezFCN16c4mbA//luWF+k3VVqR6BpkrhKw== NsZoFj52ponUM6+99A2CmezFCN16c4mbA//luWF+k3VVqR6BpkrhKw==
-----END RSA PRIVATE KEY-----` -----END RSA PRIVATE KEY-----`
// reused internally by tests const testClientPrivateKey = `-----BEGIN RSA PRIVATE KEY-----
var serverConfig = new(ServerConfig) MIIBOwIBAAJBALdGZxkXDAjsYk10ihwU6Id2KeILz1TAJuoq4tOgDWxEEGeTrcld
r/ZwVaFzjWzxaf6zQIJbfaSEAhqD5yo72+sCAwEAAQJBAK8PEVU23Wj8mV0QjwcJ
func init() { tZ4GcTUYQL7cF4+ezTCE9a1NrGnCP2RuQkHEKxuTVrxXt+6OF15/1/fuXnxKjmJC
if err := serverConfig.SetRSAPrivateKey([]byte(_pem)); err != nil { nxkCIQDaXvPPBi0c7vAxGwNY9726x01/dNbHCE0CBtcotobxpwIhANbbQbh3JHVW
panic("unable to set private key: " + err.Error()) 2haQh4fAG5mhesZKAGcxTyv4mQ7uMSQdAiAj+4dzMpJWdSzQ+qGHlHMIBvVHLkqB
} y2VdEyF7DPCZewIhAI7GOI/6LDIFOvtPo6Bj2nNmyQ1HU6k/LRtNIXi4c9NJAiAr
} rrxx26itVhJmcvoUhOjwuzSlP2bE5VHAvkGB352YBg==
-----END RSA PRIVATE KEY-----`
// keychain implements the ClientPublickey interface // keychain implements the ClientPublickey interface
type keychain struct { type keychain struct {
keys []*rsa.PrivateKey keys []interface{}
} }
func (k *keychain) Key(i int) (interface{}, error) { func (k *keychain) Key(i int) (interface{}, error) {
if i < 0 || i >= len(k.keys) { if i < 0 || i >= len(k.keys) {
return nil, nil return nil, nil
} }
return k.keys[i].PublicKey, nil switch key := k.keys[i].(type) {
case *rsa.PrivateKey:
return key.PublicKey, nil
case *dsa.PrivateKey:
return key.PublicKey, nil
}
panic("unknown key type")
} }
func (k *keychain) Sign(i int, rand io.Reader, data []byte) (sig []byte, err error) { func (k *keychain) Sign(i int, rand io.Reader, data []byte) (sig []byte, err error) {
@ -71,7 +81,11 @@ func (k *keychain) Sign(i int, rand io.Reader, data []byte) (sig []byte, err err
h := hashFunc.New() h := hashFunc.New()
h.Write(data) h.Write(data)
digest := h.Sum(nil) digest := h.Sum(nil)
return rsa.SignPKCS1v15(rand, k.keys[i], hashFunc, digest) switch key := k.keys[i].(type) {
case *rsa.PrivateKey:
return rsa.SignPKCS1v15(rand, key, hashFunc, digest)
}
return nil, errors.New("unknown key type")
} }
func (k *keychain) loadPEM(file string) error { func (k *keychain) loadPEM(file string) error {
@ -91,61 +105,6 @@ func (k *keychain) loadPEM(file string) error {
return nil return nil
} }
var pkey *rsa.PrivateKey
func init() {
var err error
pkey, err = rsa.GenerateKey(rand.Reader, 512)
if err != nil {
panic("unable to generate public key")
}
}
func TestClientAuthPublickey(t *testing.T) {
k := new(keychain)
k.keys = append(k.keys, pkey)
serverConfig.PubKeyCallback = func(user, algo string, pubkey []byte) bool {
expected := []byte(serializePublickey(k.keys[0].PublicKey))
algoname := algoName(k.keys[0].PublicKey)
return user == "testuser" && algo == algoname && bytes.Equal(pubkey, expected)
}
serverConfig.PasswordCallback = nil
l, err := Listen("tcp", "127.0.0.1:0", serverConfig)
if err != nil {
t.Fatalf("unable to listen: %s", err)
}
defer l.Close()
done := make(chan bool, 1)
go func() {
c, err := l.Accept()
if err != nil {
t.Fatal(err)
}
defer c.Close()
if err := c.Handshake(); err != nil {
t.Error(err)
}
done <- true
}()
config := &ClientConfig{
User: "testuser",
Auth: []ClientAuth{
ClientAuthPublickey(k),
},
}
c, err := Dial("tcp", l.Addr().String(), config)
if err != nil {
t.Fatalf("unable to dial remote side: %s", err)
}
defer c.Close()
<-done
}
// password implements the ClientPassword interface // password implements the ClientPassword interface
type password string type password string
@ -153,96 +112,146 @@ func (p password) Password(user string) (string, error) {
return string(p), nil return string(p), nil
} }
func TestClientAuthPassword(t *testing.T) { // reused internally by tests
pw := password("tiger") var (
rsakey *rsa.PrivateKey
serverConfig.PasswordCallback = func(user, pass string) bool { dsakey *dsa.PrivateKey
return user == "testuser" && pass == string(pw) clientKeychain = new(keychain)
clientPassword = password("tiger")
serverConfig = &ServerConfig{
PasswordCallback: func(user, pass string) bool {
return user == "testuser" && pass == string(clientPassword)
},
PubKeyCallback: func(user, algo string, pubkey []byte) bool {
key := clientKeychain.keys[0].(*rsa.PrivateKey).PublicKey
expected := []byte(serializePublickey(key))
algoname := algoName(key)
return user == "testuser" && algo == algoname && bytes.Equal(pubkey, expected)
},
} }
serverConfig.PubKeyCallback = nil )
func init() {
if err := serverConfig.SetRSAPrivateKey([]byte(testServerPrivateKey)); err != nil {
panic("unable to set private key: " + err.Error())
}
block, _ := pem.Decode([]byte(testClientPrivateKey))
rsakey, _ = x509.ParsePKCS1PrivateKey(block.Bytes)
clientKeychain.keys = append(clientKeychain.keys, rsakey)
dsakey = new(dsa.PrivateKey)
// taken from crypto/dsa/dsa_test.go
dsakey.P, _ = new(big.Int).SetString("A9B5B793FB4785793D246BAE77E8FF63CA52F442DA763C440259919FE1BC1D6065A9350637A04F75A2F039401D49F08E066C4D275A5A65DA5684BC563C14289D7AB8A67163BFBF79D85972619AD2CFF55AB0EE77A9002B0EF96293BDD0F42685EBB2C66C327079F6C98000FBCB79AACDE1BC6F9D5C7B1A97E3D9D54ED7951FEF", 16)
dsakey.Q, _ = new(big.Int).SetString("E1D3391245933D68A0714ED34BBCB7A1F422B9C1", 16)
dsakey.G, _ = new(big.Int).SetString("634364FC25248933D01D1993ECABD0657CC0CB2CEED7ED2E3E8AECDFCDC4A25C3B15E9E3B163ACA2984B5539181F3EFF1A5E8903D71D5B95DA4F27202B77D2C44B430BB53741A8D59A8F86887525C9F2A6A5980A195EAA7F2FF910064301DEF89D3AA213E1FAC7768D89365318E370AF54A112EFBA9246D9158386BA1B4EEFDA", 16)
dsakey.Y, _ = new(big.Int).SetString("32969E5780CFE1C849A1C276D7AEB4F38A23B591739AA2FE197349AEEBD31366AEE5EB7E6C6DDB7C57D02432B30DB5AA66D9884299FAA72568944E4EEDC92EA3FBC6F39F53412FBCC563208F7C15B737AC8910DBC2D9C9B8C001E72FDC40EB694AB1F06A5A2DBD18D9E36C66F31F566742F11EC0A52E9F7B89355C02FB5D32D2", 16)
dsakey.X, _ = new(big.Int).SetString("5078D4D29795CBE76D3AACFE48C9AF0BCDBEE91A", 16)
}
// newMockAuthServer creates a new Server bound to
// the loopback interface. The server exits after
// processing one handshake.
func newMockAuthServer(t *testing.T) string {
l, err := Listen("tcp", "127.0.0.1:0", serverConfig) l, err := Listen("tcp", "127.0.0.1:0", serverConfig)
if err != nil { if err != nil {
t.Fatalf("unable to listen: %s", err) t.Fatalf("unable to newMockAuthServer: %s", err)
} }
defer l.Close()
done := make(chan bool)
go func() { go func() {
defer l.Close()
c, err := l.Accept() c, err := l.Accept()
defer c.Close()
if err != nil { if err != nil {
t.Fatal(err) t.Errorf("Unable to accept incoming connection: %v", err)
return
} }
if err := c.Handshake(); err != nil { if err := c.Handshake(); err != nil {
t.Error(err) // not Errorf because this is expected to
// fail for some tests.
t.Logf("Handshaking error: %v", err)
return
} }
defer c.Close()
done <- true
}() }()
return l.Addr().String()
}
func TestClientAuthPublickey(t *testing.T) {
config := &ClientConfig{ config := &ClientConfig{
User: "testuser", User: "testuser",
Auth: []ClientAuth{ Auth: []ClientAuth{
ClientAuthPassword(pw), ClientAuthPublickey(clientKeychain),
}, },
} }
c, err := Dial("tcp", newMockAuthServer(t), config)
c, err := Dial("tcp", l.Addr().String(), config)
if err != nil { if err != nil {
t.Fatalf("unable to dial remote side: %s", err) t.Fatalf("unable to dial remote side: %s", err)
} }
defer c.Close() c.Close()
<-done
} }
func TestClientAuthPasswordAndPublickey(t *testing.T) { func TestClientAuthPassword(t *testing.T) {
pw := password("tiger") config := &ClientConfig{
User: "testuser",
serverConfig.PasswordCallback = func(user, pass string) bool { Auth: []ClientAuth{
return user == "testuser" && pass == string(pw) ClientAuthPassword(clientPassword),
},
} }
k := new(keychain) c, err := Dial("tcp", newMockAuthServer(t), config)
k.keys = append(k.keys, pkey)
serverConfig.PubKeyCallback = func(user, algo string, pubkey []byte) bool {
expected := []byte(serializePublickey(k.keys[0].PublicKey))
algoname := algoName(k.keys[0].PublicKey)
return user == "testuser" && algo == algoname && bytes.Equal(pubkey, expected)
}
l, err := Listen("tcp", "127.0.0.1:0", serverConfig)
if err != nil { if err != nil {
t.Fatalf("unable to listen: %s", err) t.Fatalf("unable to dial remote side: %s", err)
}
c.Close()
} }
defer l.Close()
done := make(chan bool)
go func() {
c, err := l.Accept()
if err != nil {
t.Fatal(err)
}
if err := c.Handshake(); err != nil {
t.Error(err)
}
defer c.Close()
done <- true
}()
func TestClientAuthWrongPassword(t *testing.T) {
wrongPw := password("wrong") wrongPw := password("wrong")
config := &ClientConfig{ config := &ClientConfig{
User: "testuser", User: "testuser",
Auth: []ClientAuth{ Auth: []ClientAuth{
ClientAuthPassword(wrongPw), ClientAuthPassword(wrongPw),
ClientAuthPublickey(k), ClientAuthPublickey(clientKeychain),
}, },
} }
c, err := Dial("tcp", l.Addr().String(), config) c, err := Dial("tcp", newMockAuthServer(t), config)
if err != nil { if err != nil {
t.Fatalf("unable to dial remote side: %s", err) t.Fatalf("unable to dial remote side: %s", err)
} }
defer c.Close() c.Close()
<-done }
// the mock server will only authenticate ssh-rsa keys
func TestClientAuthInvalidPublickey(t *testing.T) {
kc := new(keychain)
kc.keys = append(kc.keys, dsakey)
config := &ClientConfig{
User: "testuser",
Auth: []ClientAuth{
ClientAuthPublickey(kc),
},
}
c, err := Dial("tcp", newMockAuthServer(t), config)
if err == nil {
c.Close()
t.Fatalf("dsa private key should not have authenticated with rsa public key")
}
}
// the client should authenticate with the second key
func TestClientAuthRSAandDSA(t *testing.T) {
kc := new(keychain)
kc.keys = append(kc.keys, dsakey, rsakey)
config := &ClientConfig{
User: "testuser",
Auth: []ClientAuth{
ClientAuthPublickey(kc),
},
}
c, err := Dial("tcp", newMockAuthServer(t), config)
if err != nil {
t.Fatalf("client could not authenticate with rsa key: %v", err)
}
c.Close()
} }

View File

@ -8,7 +8,8 @@ import (
"testing" "testing"
) )
var strings = map[string]string{ func TestSafeString(t *testing.T) {
strings := map[string]string{
"\x20\x0d\x0a": "\x20\x0d\x0a", "\x20\x0d\x0a": "\x20\x0d\x0a",
"flibble": "flibble", "flibble": "flibble",
"new\x20line": "new\x20line", "new\x20line": "new\x20line",
@ -16,7 +17,6 @@ var strings = map[string]string{
"\t\t\x10\r\n": "\t\t \r\n", "\t\t\x10\r\n": "\t\t \r\n",
} }
func TestSafeString(t *testing.T) {
for s, expected := range strings { for s, expected := range strings {
actual := safeString(s) actual := safeString(s)
if expected != actual { if expected != actual {