1 /* $OpenBSD: tests.c,v 1.1 2018/03/03 03:16:17 djm Exp $ */
4 * Regress test for keys options functions.
6 * Placed in the public domain
10 #include <sys/param.h>
16 #include "test_helper.h"
20 #include "auth-options.h"
24 static struct sshkey *
25 load_key(const char *name)
30 r = sshkey_load_public(test_data_file(name), &ret, NULL);
32 ASSERT_PTR_NE(ret, NULL);
36 static struct sshauthopt *
37 default_authkey_opts(void)
39 struct sshauthopt *ret = sshauthopt_new();
41 ASSERT_PTR_NE(ret, NULL);
42 ret->permit_port_forwarding_flag = 1;
43 ret->permit_agent_forwarding_flag = 1;
44 ret->permit_x11_forwarding_flag = 1;
45 ret->permit_pty_flag = 1;
46 ret->permit_user_rc = 1;
50 static struct sshauthopt *
51 default_authkey_restrict_opts(void)
53 struct sshauthopt *ret = sshauthopt_new();
55 ASSERT_PTR_NE(ret, NULL);
56 ret->permit_port_forwarding_flag = 0;
57 ret->permit_agent_forwarding_flag = 0;
58 ret->permit_x11_forwarding_flag = 0;
59 ret->permit_pty_flag = 0;
60 ret->permit_user_rc = 0;
66 commasplit(const char *s, size_t *np)
68 char *ocp, *cp, *cp2, **ret = NULL;
72 ASSERT_PTR_NE(cp, NULL);
73 for (n = 0; (cp2 = strsep(&cp, ",")) != NULL;) {
74 ret = recallocarray(ret, n, n + 1, sizeof(*ret));
75 ASSERT_PTR_NE(ret, NULL);
77 ASSERT_PTR_NE(cp2, NULL);
86 compare_opts(const struct sshauthopt *opts,
87 const struct sshauthopt *expected)
91 ASSERT_PTR_NE(opts, NULL);
92 ASSERT_PTR_NE(expected, NULL);
93 ASSERT_PTR_NE(expected, opts); /* bozo :) */
95 #define FLAG_EQ(x) ASSERT_INT_EQ(opts->x, expected->x)
96 FLAG_EQ(permit_port_forwarding_flag);
97 FLAG_EQ(permit_agent_forwarding_flag);
98 FLAG_EQ(permit_x11_forwarding_flag);
99 FLAG_EQ(permit_pty_flag);
100 FLAG_EQ(permit_user_rc);
102 FLAG_EQ(cert_authority);
107 if (expected->x == NULL) \
108 ASSERT_PTR_EQ(opts->x, expected->x); \
110 ASSERT_STRING_EQ(opts->x, expected->x); \
112 STR_EQ(cert_principals);
113 STR_EQ(force_command);
114 STR_EQ(required_from_host_cert);
115 STR_EQ(required_from_host_keys);
118 #define ARRAY_EQ(nx, x) \
120 ASSERT_SIZE_T_EQ(opts->nx, expected->nx); \
121 if (expected->nx == 0) \
123 for (i = 0; i < expected->nx; i++) \
124 ASSERT_STRING_EQ(opts->x[i], expected->x[i]); \
127 ARRAY_EQ(npermitopen, permitopen);
132 test_authkeys_parse(void)
134 struct sshauthopt *opts, *expected;
137 #define FAIL_TEST(label, keywords) \
139 TEST_START("sshauthopt_parse invalid " label); \
140 opts = sshauthopt_parse(keywords, &errstr); \
141 ASSERT_PTR_EQ(opts, NULL); \
142 ASSERT_PTR_NE(errstr, NULL); \
145 #define CHECK_SUCCESS_AND_CLEANUP() \
147 if (errstr != NULL) \
148 ASSERT_STRING_EQ(errstr, ""); \
149 compare_opts(opts, expected); \
150 sshauthopt_free(expected); \
151 sshauthopt_free(opts); \
155 TEST_START("sshauthopt_parse empty");
156 expected = default_authkey_opts();
157 opts = sshauthopt_parse("", &errstr);
158 CHECK_SUCCESS_AND_CLEANUP();
161 TEST_START("sshauthopt_parse trailing whitespace");
162 expected = default_authkey_opts();
163 opts = sshauthopt_parse(" ", &errstr);
164 CHECK_SUCCESS_AND_CLEANUP();
167 TEST_START("sshauthopt_parse restrict");
168 expected = default_authkey_restrict_opts();
169 opts = sshauthopt_parse("restrict", &errstr);
170 CHECK_SUCCESS_AND_CLEANUP();
174 FAIL_TEST("trailing comma", "restrict,");
175 FAIL_TEST("bare comma", ",");
176 FAIL_TEST("unknown option", "BLAH");
177 FAIL_TEST("unknown option with trailing comma", "BLAH,");
178 FAIL_TEST("unknown option with trailing whitespace", "BLAH ");
180 /* force_tun_device */
181 TEST_START("sshauthopt_parse tunnel explicit");
182 expected = default_authkey_opts();
183 expected->force_tun_device = 1;
184 opts = sshauthopt_parse("tunnel=\"1\"", &errstr);
185 CHECK_SUCCESS_AND_CLEANUP();
188 TEST_START("sshauthopt_parse tunnel any");
189 expected = default_authkey_opts();
190 expected->force_tun_device = SSH_TUNID_ANY;
191 opts = sshauthopt_parse("tunnel=\"any\"", &errstr);
192 CHECK_SUCCESS_AND_CLEANUP();
195 FAIL_TEST("tunnel", "tunnel=\"blah\"");
198 #define FLAG_TEST(keyword, var, val) \
200 TEST_START("sshauthopt_parse " keyword); \
201 expected = default_authkey_opts(); \
202 expected->var = val; \
203 opts = sshauthopt_parse(keyword, &errstr); \
204 CHECK_SUCCESS_AND_CLEANUP(); \
205 expected = default_authkey_restrict_opts(); \
206 expected->var = val; \
207 opts = sshauthopt_parse("restrict,"keyword, &errstr); \
208 CHECK_SUCCESS_AND_CLEANUP(); \
212 FLAG_TEST("cert-authority", cert_authority, 1);
213 FLAG_TEST("port-forwarding", permit_port_forwarding_flag, 1);
214 FLAG_TEST("agent-forwarding", permit_agent_forwarding_flag, 1);
215 FLAG_TEST("x11-forwarding", permit_x11_forwarding_flag, 1);
216 FLAG_TEST("pty", permit_pty_flag, 1);
217 FLAG_TEST("user-rc", permit_user_rc, 1);
219 FLAG_TEST("no-port-forwarding", permit_port_forwarding_flag, 0);
220 FLAG_TEST("no-agent-forwarding", permit_agent_forwarding_flag, 0);
221 FLAG_TEST("no-x11-forwarding", permit_x11_forwarding_flag, 0);
222 FLAG_TEST("no-pty", permit_pty_flag, 0);
223 FLAG_TEST("no-user-rc", permit_user_rc, 0);
225 FAIL_TEST("no-cert-authority", "no-cert-authority");
228 #define STRING_TEST(keyword, var, val) \
230 TEST_START("sshauthopt_parse " keyword); \
231 expected = default_authkey_opts(); \
232 expected->var = strdup(val); \
233 ASSERT_PTR_NE(expected->var, NULL); \
234 opts = sshauthopt_parse(keyword "=" #val, &errstr); \
235 CHECK_SUCCESS_AND_CLEANUP(); \
236 expected = default_authkey_restrict_opts(); \
237 expected->var = strdup(val); \
238 ASSERT_PTR_NE(expected->var, NULL); \
239 opts = sshauthopt_parse( \
240 "restrict," keyword "=" #val ",restrict", &errstr); \
241 CHECK_SUCCESS_AND_CLEANUP(); \
244 STRING_TEST("command", force_command, "/bin/true");
245 STRING_TEST("principals", cert_principals, "gregor,josef,K");
246 STRING_TEST("from", required_from_host_keys, "127.0.0.0/8");
248 FAIL_TEST("unquoted command", "command=oops");
249 FAIL_TEST("unquoted principals", "principals=estragon");
250 FAIL_TEST("unquoted from", "from=127.0.0.1");
252 /* String array option tests */
253 #define ARRAY_TEST(label, keywords, var, nvar, val) \
255 TEST_START("sshauthopt_parse " label); \
256 expected = default_authkey_opts(); \
257 expected->var = commasplit(val, &expected->nvar); \
258 ASSERT_PTR_NE(expected->var, NULL); \
259 opts = sshauthopt_parse(keywords, &errstr); \
260 CHECK_SUCCESS_AND_CLEANUP(); \
261 expected = default_authkey_restrict_opts(); \
262 expected->var = commasplit(val, &expected->nvar); \
263 ASSERT_PTR_NE(expected->var, NULL); \
264 opts = sshauthopt_parse( \
265 "restrict," keywords ",restrict", &errstr); \
266 CHECK_SUCCESS_AND_CLEANUP(); \
269 ARRAY_TEST("environment", "environment=\"foo=1\",environment=\"bar=2\"",
270 env, nenv, "foo=1,bar=2");
271 ARRAY_TEST("permitopen", "permitopen=\"foo:123\",permitopen=\"bar:*\"",
272 permitopen, npermitopen, "foo:123,bar:*");
274 FAIL_TEST("environment", "environment=\",=bah\"");
275 FAIL_TEST("permitopen port", "foo:bar");
276 FAIL_TEST("permitopen missing port", "foo:");
277 FAIL_TEST("permitopen missing port specification", "foo");
278 FAIL_TEST("permitopen invalid host", "[:");
280 #undef CHECK_SUCCESS_AND_CLEANUP
285 test_cert_parse(void)
288 struct sshauthopt *opts, *expected;
290 #define CHECK_SUCCESS_AND_CLEANUP() \
292 compare_opts(opts, expected); \
293 sshauthopt_free(expected); \
294 sshauthopt_free(opts); \
297 #define FLAG_TEST(keybase, var) \
299 TEST_START("sshauthopt_from_cert no_" keybase); \
300 cert = load_key("no_" keybase ".cert"); \
301 expected = default_authkey_opts(); \
303 opts = sshauthopt_from_cert(cert); \
304 CHECK_SUCCESS_AND_CLEANUP(); \
306 TEST_START("sshauthopt_from_cert only_" keybase); \
307 cert = load_key("only_" keybase ".cert"); \
308 expected = sshauthopt_new(); \
309 ASSERT_PTR_NE(expected, NULL); \
311 opts = sshauthopt_from_cert(cert); \
312 CHECK_SUCCESS_AND_CLEANUP(); \
315 FLAG_TEST("agentfwd", permit_agent_forwarding_flag);
316 FLAG_TEST("portfwd", permit_port_forwarding_flag);
317 FLAG_TEST("pty", permit_pty_flag);
318 FLAG_TEST("user_rc", permit_user_rc);
319 FLAG_TEST("x11fwd", permit_x11_forwarding_flag);
322 TEST_START("sshauthopt_from_cert all permitted");
323 cert = load_key("all_permit.cert");
324 expected = default_authkey_opts();
325 opts = sshauthopt_from_cert(cert);
326 CHECK_SUCCESS_AND_CLEANUP();
329 TEST_START("sshauthopt_from_cert nothing permitted");
330 cert = load_key("no_permit.cert");
331 expected = sshauthopt_new();
332 ASSERT_PTR_NE(expected, NULL);
333 opts = sshauthopt_from_cert(cert);
334 CHECK_SUCCESS_AND_CLEANUP();
337 TEST_START("sshauthopt_from_cert force-command");
338 cert = load_key("force_command.cert");
339 expected = default_authkey_opts();
340 expected->force_command = strdup("foo");
341 ASSERT_PTR_NE(expected->force_command, NULL);
342 opts = sshauthopt_from_cert(cert);
343 CHECK_SUCCESS_AND_CLEANUP();
346 TEST_START("sshauthopt_from_cert source-address");
347 cert = load_key("sourceaddr.cert");
348 expected = default_authkey_opts();
349 expected->required_from_host_cert = strdup("127.0.0.1/32,::1/128");
350 ASSERT_PTR_NE(expected->required_from_host_cert, NULL);
351 opts = sshauthopt_from_cert(cert);
352 CHECK_SUCCESS_AND_CLEANUP();
354 #undef CHECK_SUCCESS_AND_CLEANUP
356 #define FAIL_TEST(keybase) \
358 TEST_START("sshauthopt_from_cert " keybase); \
359 cert = load_key(keybase ".cert"); \
360 opts = sshauthopt_from_cert(cert); \
361 ASSERT_PTR_EQ(opts, NULL); \
366 FAIL_TEST("bad_sourceaddr");
367 FAIL_TEST("unknown_critical");
375 struct sshauthopt *key_opts, *cert_opts, *merge_opts, *expected;
379 * Prepare for a test by making some key and cert options and
380 * attempting to merge them.
382 #define PREPARE(label, keyname, keywords) \
385 TEST_START("sshauthopt_merge " label); \
386 cert = load_key(keyname ".cert"); \
387 cert_opts = sshauthopt_from_cert(cert); \
388 ASSERT_PTR_NE(cert_opts, NULL); \
389 key_opts = sshauthopt_parse(keywords, &errstr); \
390 if (errstr != NULL) \
391 ASSERT_STRING_EQ(errstr, ""); \
392 ASSERT_PTR_NE(key_opts, NULL); \
393 merge_opts = sshauthopt_merge(key_opts, \
394 cert_opts, &errstr); \
397 /* Cleanup stuff allocated by PREPARE() */
400 sshauthopt_free(expected); \
401 sshauthopt_free(merge_opts); \
402 sshauthopt_free(key_opts); \
403 sshauthopt_free(cert_opts); \
407 /* Check the results of PREPARE() against expectation; calls CLEANUP */
408 #define CHECK_SUCCESS_AND_CLEANUP() \
410 if (errstr != NULL) \
411 ASSERT_STRING_EQ(errstr, ""); \
412 compare_opts(merge_opts, expected); \
416 /* Check a single case of merging of flag options */
417 #define FLAG_CASE(keybase, label, keyname, keywords, mostly_off, var, val) \
419 PREPARE(keybase " " label, keyname, keywords); \
420 expected = mostly_off ? \
421 sshauthopt_new() : default_authkey_opts(); \
422 expected->var = val; \
423 ASSERT_PTR_NE(expected, NULL); \
424 CHECK_SUCCESS_AND_CLEANUP(); \
429 * Fairly exhaustive exercise of a flag option. Tests
430 * option both set and clear in certificate, set and clear in
431 * authorized_keys and set and cleared via restrict keyword.
433 #define FLAG_TEST(keybase, keyword, var) \
435 FLAG_CASE(keybase, "keys:default,yes cert:default,no", \
436 "no_" keybase, keyword, 0, var, 0); \
437 FLAG_CASE(keybase,"keys:-*,yes cert:default,no", \
438 "no_" keybase, "restrict," keyword, 1, var, 0); \
439 FLAG_CASE(keybase, "keys:default,no cert:default,no", \
440 "no_" keybase, "no-" keyword, 0, var, 0); \
441 FLAG_CASE(keybase, "keys:-*,no cert:default,no", \
442 "no_" keybase, "restrict,no-" keyword, 1, var, 0); \
444 FLAG_CASE(keybase, "keys:default,yes cert:-*,yes", \
445 "only_" keybase, keyword, 1, var, 1); \
446 FLAG_CASE(keybase,"keys:-*,yes cert:-*,yes", \
447 "only_" keybase, "restrict," keyword, 1, var, 1); \
448 FLAG_CASE(keybase, "keys:default,no cert:-*,yes", \
449 "only_" keybase, "no-" keyword, 1, var, 0); \
450 FLAG_CASE(keybase, "keys:-*,no cert:-*,yes", \
451 "only_" keybase, "restrict,no-" keyword, 1, var, 0); \
453 FLAG_CASE(keybase, "keys:default,yes cert:-*", \
454 "no_permit", keyword, 1, var, 0); \
455 FLAG_CASE(keybase,"keys:-*,yes cert:-*", \
456 "no_permit", "restrict," keyword, 1, var, 0); \
457 FLAG_CASE(keybase, "keys:default,no cert:-*", \
458 "no_permit", "no-" keyword, 1, var, 0); \
459 FLAG_CASE(keybase, "keys:-*,no cert:-*", \
460 "no_permit", "restrict,no-" keyword, 1, var, 0); \
462 FLAG_CASE(keybase, "keys:default,yes cert:*", \
463 "all_permit", keyword, 0, var, 1); \
464 FLAG_CASE(keybase,"keys:-*,yes cert:*", \
465 "all_permit", "restrict," keyword, 1, var, 1); \
466 FLAG_CASE(keybase, "keys:default,no cert:*", \
467 "all_permit", "no-" keyword, 0, var, 0); \
468 FLAG_CASE(keybase, "keys:-*,no cert:*", \
469 "all_permit", "restrict,no-" keyword, 1, var, 0); \
472 FLAG_TEST("portfwd", "port-forwarding", permit_port_forwarding_flag);
473 FLAG_TEST("agentfwd", "agent-forwarding", permit_agent_forwarding_flag);
474 FLAG_TEST("pty", "pty", permit_pty_flag);
475 FLAG_TEST("user_rc", "user-rc", permit_user_rc);
476 FLAG_TEST("x11fwd", "x11-forwarding", permit_x11_forwarding_flag);
479 PREPARE("source-address both", "sourceaddr", "from=\"127.0.0.1\"");
480 expected = default_authkey_opts();
481 expected->required_from_host_cert = strdup("127.0.0.1/32,::1/128");
482 ASSERT_PTR_NE(expected->required_from_host_cert, NULL);
483 expected->required_from_host_keys = strdup("127.0.0.1");
484 ASSERT_PTR_NE(expected->required_from_host_keys, NULL);
485 CHECK_SUCCESS_AND_CLEANUP();
488 PREPARE("source-address none", "all_permit", "");
489 expected = default_authkey_opts();
490 CHECK_SUCCESS_AND_CLEANUP();
493 PREPARE("source-address keys", "all_permit", "from=\"127.0.0.1\"");
494 expected = default_authkey_opts();
495 expected->required_from_host_keys = strdup("127.0.0.1");
496 ASSERT_PTR_NE(expected->required_from_host_keys, NULL);
497 CHECK_SUCCESS_AND_CLEANUP();
500 PREPARE("source-address cert", "sourceaddr", "");
501 expected = default_authkey_opts();
502 expected->required_from_host_cert = strdup("127.0.0.1/32,::1/128");
503 ASSERT_PTR_NE(expected->required_from_host_cert, NULL);
504 CHECK_SUCCESS_AND_CLEANUP();
507 PREPARE("force-command both", "force_command", "command=\"foo\"");
508 expected = default_authkey_opts();
509 expected->force_command = strdup("foo");
510 ASSERT_PTR_NE(expected->force_command, NULL);
511 CHECK_SUCCESS_AND_CLEANUP();
514 PREPARE("force-command none", "all_permit", "");
515 expected = default_authkey_opts();
516 CHECK_SUCCESS_AND_CLEANUP();
519 PREPARE("force-command keys", "all_permit", "command=\"bar\"");
520 expected = default_authkey_opts();
521 expected->force_command = strdup("bar");
522 ASSERT_PTR_NE(expected->force_command, NULL);
523 CHECK_SUCCESS_AND_CLEANUP();
526 PREPARE("force-command cert", "force_command", "");
527 expected = default_authkey_opts();
528 expected->force_command = strdup("foo");
529 ASSERT_PTR_NE(expected->force_command, NULL);
530 CHECK_SUCCESS_AND_CLEANUP();
533 PREPARE("force-command mismatch", "force_command", "command=\"bar\"");
534 ASSERT_PTR_EQ(merge_opts, NULL);
538 PREPARE("tunnel", "all_permit", "tunnel=\"6\"");
539 expected = default_authkey_opts();
540 expected->force_tun_device = 6;
541 CHECK_SUCCESS_AND_CLEANUP();
544 PREPARE("permitopen", "all_permit",
545 "permitopen=\"127.0.0.1:*\",permitopen=\"127.0.0.1:123\"");
546 expected = default_authkey_opts();
547 expected->permitopen = commasplit("127.0.0.1:*,127.0.0.1:123",
548 &expected->npermitopen);
549 CHECK_SUCCESS_AND_CLEANUP();
552 PREPARE("environment", "all_permit",
553 "environment=\"foo=a\",environment=\"bar=b\"");
554 expected = default_authkey_opts();
555 expected->env = commasplit("foo=a,bar=b", &expected->nenv);
556 CHECK_SUCCESS_AND_CLEANUP();
563 extern char *__progname;
564 LogLevel ll = test_is_verbose() ?
565 SYSLOG_LEVEL_DEBUG3 : SYSLOG_LEVEL_QUIET;
567 /* test_cert_parse() are a bit spammy to error() by default... */
568 log_init(__progname, ll, SYSLOG_FACILITY_USER, 1);
570 test_authkeys_parse();
projects / FreeBSD / FreeBSD.git / blob