From c50a9a6562a14f3a9fbd2071e3b19eed8c9c9b4b Mon Sep 17 00:00:00 2001 From: Hans Nilsson Date: Wed, 21 Oct 2015 17:25:42 +0200 Subject: ssh, public_key: random selection of diffie-hellman moduli Also tool (public_key:gen_moduli_hrl) to convert an openssh moduli file to erlang format. --- lib/ssh/test/ssh_algorithms_SUITE.erl | 74 ++++++++++++++++++++++++++--------- lib/ssh/test/ssh_protocol_SUITE.erl | 28 +++---------- 2 files changed, 61 insertions(+), 41 deletions(-) (limited to 'lib/ssh/test') diff --git a/lib/ssh/test/ssh_algorithms_SUITE.erl b/lib/ssh/test/ssh_algorithms_SUITE.erl index 2ab83d84e1..85415a17de 100644 --- a/lib/ssh/test/ssh_algorithms_SUITE.erl +++ b/lib/ssh/test/ssh_algorithms_SUITE.erl @@ -83,7 +83,7 @@ init_per_suite(Config) -> ssh_test_lib:default_algorithms(sshc), ssh_test_lib:default_algorithms(sshd), {?DEFAULT_DH_GROUP_MIN,?DEFAULT_DH_GROUP_NBITS,?DEFAULT_DH_GROUP_MAX}, - [KeyLen || {KeyLen,_} <- ?dh_default_groups], + public_key:dh_gex_group_sizes(), ?MAX_NUM_ALGORITHMS ]), ct:log("all() ->~n ~p.~n~ngroups()->~n ~p.~n",[all(),groups()]), @@ -171,20 +171,51 @@ simple_exec(Config) -> {Host,Port} = ?config(srvr_addr, Config), ssh_test_lib:std_simple_exec(Host, Port, Config). +%%-------------------------------------------------------------------- +%% Testing if no group matches +simple_exec_groups_no_match_too_small(Config) -> + try simple_exec_group({400,500,600}, Config) + of + _ -> ct:fail("Exec though no group available") + catch + error:{badmatch,{error,"No possible diffie-hellman-group-exchange group found"}} -> + ok + end. + +simple_exec_groups_no_match_too_large(Config) -> + try simple_exec_group({9200,9500,9700}, Config) + of + _ -> ct:fail("Exec though no group available") + catch + error:{badmatch,{error,"No possible diffie-hellman-group-exchange group found"}} -> + ok + end. + %%-------------------------------------------------------------------- %% Testing all default groups -simple_exec_group14(Config) -> simple_exec_group(2048, Config). -simple_exec_group15(Config) -> simple_exec_group(3072, Config). -simple_exec_group16(Config) -> simple_exec_group(4096, Config). -simple_exec_group17(Config) -> simple_exec_group(6144, Config). -simple_exec_group18(Config) -> simple_exec_group(8192, Config). - -simple_exec_group(I, Config) -> - Min = I-100, - Max = I+100, - {Host,Port} = ?config(srvr_addr, Config), - ssh_test_lib:std_simple_exec(Host, Port, Config, - [{dh_gex_limits,{Min,I,Max}}]). +simple_exec_groups(Config) -> + Sizes = interpolate( public_key:dh_gex_group_sizes() ), + lists:foreach( + fun(Sz) -> + ct:log("Try size ~p",[Sz]), + ct:comment(Sz), + case simple_exec_group(Sz, Config) of + expected -> ct:log("Size ~p ok",[Sz]); + _ -> ct:log("Size ~p not ok",[Sz]) + end + end, Sizes), + ct:comment("~p",[lists:map(fun({_,I,_}) -> I; + (I) -> I + end,Sizes)]). + + +interpolate([I1,I2|Is]) -> + OneThird = (I2-I1) div 3, + [I1, + {I1, I1 + OneThird, I2}, + {I1, I1 + 2*OneThird, I2} | interpolate([I2|Is])]; +interpolate(Is) -> + Is. %%-------------------------------------------------------------------- %% Use the ssh client of the OS to connect @@ -283,11 +314,10 @@ specific_test_cases(Tag, Alg, SshcAlgos, SshdAlgos) -> case {Tag,Alg} of {kex,_} when Alg == 'diffie-hellman-group-exchange-sha1' ; Alg == 'diffie-hellman-group-exchange-sha256' -> - [simple_exec_group14, - simple_exec_group15, - simple_exec_group16, - simple_exec_group17, - simple_exec_group18]; + [simple_exec_groups, + simple_exec_groups_no_match_too_large, + simple_exec_groups_no_match_too_small + ]; _ -> [] end. @@ -331,3 +361,11 @@ setup_pubkey(Config) -> ssh_test_lib:setup_dsa_known_host(DataDir, UserDir), Config. + +simple_exec_group(I, Config) when is_integer(I) -> + simple_exec_group({I,I,I}, Config); +simple_exec_group({Min,I,Max}, Config) -> + {Host,Port} = ?config(srvr_addr, Config), + ssh_test_lib:std_simple_exec(Host, Port, Config, + [{dh_gex_limits,{Min,I,Max}}]). + diff --git a/lib/ssh/test/ssh_protocol_SUITE.erl b/lib/ssh/test/ssh_protocol_SUITE.erl index b84ccac885..9d54f14ff6 100644 --- a/lib/ssh/test/ssh_protocol_SUITE.erl +++ b/lib/ssh/test/ssh_protocol_SUITE.erl @@ -66,8 +66,6 @@ groups() -> {kex, [], [no_common_alg_server_disconnects, no_common_alg_client_disconnects, - gex_client_init_default_noexact, - gex_client_init_default_exact, gex_client_init_option_groups, gex_client_init_option_groups_file ]}, @@ -91,9 +89,7 @@ end_per_suite(Config) -> init_per_testcase(no_common_alg_server_disconnects, Config) -> start_std_daemon(Config, [{preferred_algorithms,[{public_key,['ssh-rsa']}]}]); -init_per_testcase(TC, Config) when TC == gex_client_init_default_noexact ; - TC == gex_client_init_default_exact ; - TC == gex_client_init_option_groups ; +init_per_testcase(TC, Config) when TC == gex_client_init_option_groups ; TC == gex_client_init_option_groups_file -> Opts = case TC of gex_client_init_option_groups -> @@ -113,9 +109,7 @@ init_per_testcase(_TestCase, Config) -> end_per_testcase(no_common_alg_server_disconnects, Config) -> stop_std_daemon(Config); -end_per_testcase(TC, Config) when TC == gex_client_init_default_noexact ; - TC == gex_client_init_default_exact ; - TC == gex_client_init_option_groups ; +end_per_testcase(TC, Config) when TC == gex_client_init_option_groups ; TC == gex_client_init_option_groups_file -> stop_std_daemon(Config); end_per_testcase(_TestCase, Config) -> @@ -332,28 +326,16 @@ no_common_alg_client_disconnects(Config) -> end. %%%-------------------------------------------------------------------- -gex_client_init_default_noexact(Config) -> - do_gex_client_init(Config, {2000, 3000, 4000}, - %% Warning, app knowledege: - ?dh_group15). - - -gex_client_init_default_exact(Config) -> - do_gex_client_init(Config, {2000, 2048, 4000}, - %% Warning, app knowledege: - ?dh_group14). - - gex_client_init_option_groups(Config) -> do_gex_client_init(Config, {2000, 2048, 4000}, - {'n/a',{3,41}}). + {3,41}). gex_client_init_option_groups_file(Config) -> do_gex_client_init(Config, {2000, 2048, 4000}, - {'n/a',{5,61}}). + {5,61}). -do_gex_client_init(Config, {Min,N,Max}, {_,{G,P}}) -> +do_gex_client_init(Config, {Min,N,Max}, {G,P}) -> {ok,_} = ssh_trpt_test_lib:exec( [{set_options, [print_ops, print_seqnums, print_messages]}, -- cgit v1.2.3 From 961bb51d1b73c6ff2ad5f08e0a4c13fbfc2fbb98 Mon Sep 17 00:00:00 2001 From: Hans Nilsson Date: Fri, 23 Oct 2015 18:33:05 +0200 Subject: ssh: option dh_gex_groups with tag ssh_moduli_file Makes this existing option also accept a file in openssh format OTP-13052 --- lib/ssh/test/ssh_protocol_SUITE.erl | 11 +++++++++++ lib/ssh/test/ssh_protocol_SUITE_data/dh_group_test.moduli | 3 +++ 2 files changed, 14 insertions(+) create mode 100644 lib/ssh/test/ssh_protocol_SUITE_data/dh_group_test.moduli (limited to 'lib/ssh/test') diff --git a/lib/ssh/test/ssh_protocol_SUITE.erl b/lib/ssh/test/ssh_protocol_SUITE.erl index 9d54f14ff6..0292c8d149 100644 --- a/lib/ssh/test/ssh_protocol_SUITE.erl +++ b/lib/ssh/test/ssh_protocol_SUITE.erl @@ -67,6 +67,7 @@ groups() -> {kex, [], [no_common_alg_server_disconnects, no_common_alg_client_disconnects, gex_client_init_option_groups, + gex_client_init_option_groups_moduli_file, gex_client_init_option_groups_file ]}, {service_requests, [], [bad_service_name, @@ -90,6 +91,7 @@ init_per_testcase(no_common_alg_server_disconnects, Config) -> start_std_daemon(Config, [{preferred_algorithms,[{public_key,['ssh-rsa']}]}]); init_per_testcase(TC, Config) when TC == gex_client_init_option_groups ; + TC == gex_client_init_option_groups_moduli_file ; TC == gex_client_init_option_groups_file -> Opts = case TC of gex_client_init_option_groups -> @@ -98,6 +100,10 @@ init_per_testcase(TC, Config) when TC == gex_client_init_option_groups ; DataDir = ?config(data_dir, Config), F = filename:join(DataDir, "dh_group_test"), [{dh_gex_groups, {file,F}}]; + gex_client_init_option_groups_moduli_file -> + DataDir = ?config(data_dir, Config), + F = filename:join(DataDir, "dh_group_test.moduli"), + [{dh_gex_groups, {ssh_moduli_file,F}}]; _ -> [] end, @@ -110,6 +116,7 @@ init_per_testcase(_TestCase, Config) -> end_per_testcase(no_common_alg_server_disconnects, Config) -> stop_std_daemon(Config); end_per_testcase(TC, Config) when TC == gex_client_init_option_groups ; + TC == gex_client_init_option_groups_moduli_file ; TC == gex_client_init_option_groups_file -> stop_std_daemon(Config); end_per_testcase(_TestCase, Config) -> @@ -335,6 +342,10 @@ gex_client_init_option_groups_file(Config) -> do_gex_client_init(Config, {2000, 2048, 4000}, {5,61}). +gex_client_init_option_groups_moduli_file(Config) -> + do_gex_client_init(Config, {2000, 2048, 4000}, + {5,16#B7}). + do_gex_client_init(Config, {Min,N,Max}, {G,P}) -> {ok,_} = ssh_trpt_test_lib:exec( diff --git a/lib/ssh/test/ssh_protocol_SUITE_data/dh_group_test.moduli b/lib/ssh/test/ssh_protocol_SUITE_data/dh_group_test.moduli new file mode 100644 index 0000000000..f6995ba4c9 --- /dev/null +++ b/lib/ssh/test/ssh_protocol_SUITE_data/dh_group_test.moduli @@ -0,0 +1,3 @@ +20151021104105 2 6 100 2222 5 B7 +20151021104106 2 6 100 1111 5 4F + -- cgit v1.2.3 From 18b9fc4c61f487007c8bff3bbb52f9466f3454ce Mon Sep 17 00:00:00 2001 From: Hans Nilsson Date: Mon, 26 Oct 2015 15:56:13 +0100 Subject: ssh: extend 'dh_gex_limits' to server side OTP-13066 --- lib/ssh/test/ssh_protocol_SUITE.erl | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) (limited to 'lib/ssh/test') diff --git a/lib/ssh/test/ssh_protocol_SUITE.erl b/lib/ssh/test/ssh_protocol_SUITE.erl index 0292c8d149..3a7f47c2dd 100644 --- a/lib/ssh/test/ssh_protocol_SUITE.erl +++ b/lib/ssh/test/ssh_protocol_SUITE.erl @@ -67,6 +67,7 @@ groups() -> {kex, [], [no_common_alg_server_disconnects, no_common_alg_client_disconnects, gex_client_init_option_groups, + gex_server_gex_limit, gex_client_init_option_groups_moduli_file, gex_client_init_option_groups_file ]}, @@ -92,7 +93,8 @@ init_per_testcase(no_common_alg_server_disconnects, Config) -> init_per_testcase(TC, Config) when TC == gex_client_init_option_groups ; TC == gex_client_init_option_groups_moduli_file ; - TC == gex_client_init_option_groups_file -> + TC == gex_client_init_option_groups_file ; + TC == gex_server_gex_limit -> Opts = case TC of gex_client_init_option_groups -> [{dh_gex_groups, [{2345, 3, 41}]}]; @@ -104,6 +106,12 @@ init_per_testcase(TC, Config) when TC == gex_client_init_option_groups ; DataDir = ?config(data_dir, Config), F = filename:join(DataDir, "dh_group_test.moduli"), [{dh_gex_groups, {ssh_moduli_file,F}}]; + gex_server_gex_limit -> + [{dh_gex_groups, [{ 500, 3, 18}, + {1000, 7, 91}, + {3000, 5, 61}]}, + {dh_gex_limits,{500,1500}} + ]; _ -> [] end, @@ -117,7 +125,8 @@ end_per_testcase(no_common_alg_server_disconnects, Config) -> stop_std_daemon(Config); end_per_testcase(TC, Config) when TC == gex_client_init_option_groups ; TC == gex_client_init_option_groups_moduli_file ; - TC == gex_client_init_option_groups_file -> + TC == gex_client_init_option_groups_file ; + TC == gex_server_gex_limit -> stop_std_daemon(Config); end_per_testcase(_TestCase, Config) -> check_std_daemon_works(Config, ?LINE). @@ -337,7 +346,6 @@ gex_client_init_option_groups(Config) -> do_gex_client_init(Config, {2000, 2048, 4000}, {3,41}). - gex_client_init_option_groups_file(Config) -> do_gex_client_init(Config, {2000, 2048, 4000}, {5,61}). @@ -346,6 +354,11 @@ gex_client_init_option_groups_moduli_file(Config) -> do_gex_client_init(Config, {2000, 2048, 4000}, {5,16#B7}). +gex_server_gex_limit(Config) -> + do_gex_client_init(Config, {1000, 3000, 4000}, + {7,91}). + + do_gex_client_init(Config, {Min,N,Max}, {G,P}) -> {ok,_} = ssh_trpt_test_lib:exec( -- cgit v1.2.3