ssh/server_test.go - crypto - Git at Google

 // Copyright 2023 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 package ssh

 import (
 	"testing"
 )

 func TestClientAuthRestrictedPublicKeyAlgos(t *testing.T) {
 	for _, tt := range []struct {
 		name      string
 		key       Signer
 		wantError bool
 	}{
 		{"rsa", testSigners["rsa"], false},
 		{"dsa", testSigners["dsa"], true},
 		{"ed25519", testSigners["ed25519"], true},
 	} {
 		c1, c2, err := netPipe()
 		if err != nil {
 			t.Fatalf("netPipe: %v", err)
 		}
 		defer c1.Close()
 		defer c2.Close()
 		serverConf := &ServerConfig{
 			PublicKeyAuthAlgorithms: []string{KeyAlgoRSASHA256, KeyAlgoRSASHA512},
 			PublicKeyCallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
 				return nil, nil
 			},
 		}
 		serverConf.AddHostKey(testSigners["ecdsap256"])

 		done := make(chan struct{})
 		go func() {
 			defer close(done)
 			NewServerConn(c1, serverConf)
 		}()

 		clientConf := ClientConfig{
 			User: "user",
 			Auth: []AuthMethod{
 				PublicKeys(tt.key),
 			},
 			HostKeyCallback: InsecureIgnoreHostKey(),
 		}

 		_, _, _, err = NewClientConn(c2, "", &clientConf)
 		if err != nil {
 			if !tt.wantError {
 				t.Errorf("%s: got unexpected error %q", tt.name, err.Error())
 			}
 		} else if tt.wantError {
 			t.Errorf("%s: succeeded, but want error", tt.name)
 		}
 		<-done
 	}
 }

 func TestNewServerConnValidationErrors(t *testing.T) {
 	c1, c2, err := netPipe()
 	if err != nil {
 		t.Fatalf("netPipe: %v", err)
 	}
 	defer c1.Close()
 	defer c2.Close()

 	serverConf := &ServerConfig{
 		PublicKeyAuthAlgorithms: []string{CertAlgoRSAv01},
 	}
 	_, _, _, err = NewServerConn(c1, serverConf)
 	if err == nil {
 		t.Fatal("NewServerConn with invalid public key auth algorithms succeeded")
 	}
 	serverConf = &ServerConfig{
 		Config: Config{
 			KeyExchanges: []string{kexAlgoDHGEXSHA256},
 		},
 	}
 	_, _, _, err = NewServerConn(c1, serverConf)
 	if err == nil {
 		t.Fatal("NewServerConn with unsupported key exchange succeeded")
 	}
 }
	// Copyright 2023 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	package ssh

	import (
	"testing"
	)

	func TestClientAuthRestrictedPublicKeyAlgos(t *testing.T) {
	for _, tt := range []struct {
	name string
	key Signer
	wantError bool
	}{
	{"rsa", testSigners["rsa"], false},
	{"dsa", testSigners["dsa"], true},
	{"ed25519", testSigners["ed25519"], true},
	} {
	c1, c2, err := netPipe()
	if err != nil {
	t.Fatalf("netPipe: %v", err)
	}
	defer c1.Close()
	defer c2.Close()
	serverConf := &ServerConfig{
	PublicKeyAuthAlgorithms: []string{KeyAlgoRSASHA256, KeyAlgoRSASHA512},
	PublicKeyCallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
	return nil, nil
	},
	}
	serverConf.AddHostKey(testSigners["ecdsap256"])

	done := make(chan struct{})
	go func() {
	defer close(done)
	NewServerConn(c1, serverConf)
	}()

	clientConf := ClientConfig{
	User: "user",
	Auth: []AuthMethod{
	PublicKeys(tt.key),
	},
	HostKeyCallback: InsecureIgnoreHostKey(),
	}

	_, _, _, err = NewClientConn(c2, "", &clientConf)
	if err != nil {
	if !tt.wantError {
	t.Errorf("%s: got unexpected error %q", tt.name, err.Error())
	}
	} else if tt.wantError {
	t.Errorf("%s: succeeded, but want error", tt.name)
	}
	<-done
	}
	}

	func TestNewServerConnValidationErrors(t *testing.T) {
	c1, c2, err := netPipe()
	if err != nil {
	t.Fatalf("netPipe: %v", err)
	}
	defer c1.Close()
	defer c2.Close()

	serverConf := &ServerConfig{
	PublicKeyAuthAlgorithms: []string{CertAlgoRSAv01},
	}
	_, _, _, err = NewServerConn(c1, serverConf)
	if err == nil {
	t.Fatal("NewServerConn with invalid public key auth algorithms succeeded")
	}
	serverConf = &ServerConfig{
	Config: Config{
	KeyExchanges: []string{kexAlgoDHGEXSHA256},
	},
	}
	_, _, _, err = NewServerConn(c1, serverConf)
	if err == nil {
	t.Fatal("NewServerConn with unsupported key exchange succeeded")
	}
	}