ssh: add test for host key

Test that the certificate check callback gets the right fingerprint from the host we're connecting to.
2025-06-02 21:55:59 +00:00 · 2014-09-15 21:51:42 +02:00 · 2014-09-15 21:51:42 +02:00 · bf8756d6a2
commit bf8756d6a2
parent 41698f22f6
2 changed files with 36 additions and 1 deletions
--- a/script/cibuild.sh
+++ b/script/cibuild.sh
@ -33,6 +33,9 @@ ssh-keygen -t rsa -f ~/.ssh/id_rsa -N "" -q
 cat ~/.ssh/id_rsa.pub >>~/.ssh/authorized_keys
 ssh-keyscan -t rsa localhost >>~/.ssh/known_hosts

+# Get the fingerprint for localhost and remove the colons so we can parse it as a hex number
+export GITTEST_REMOTE_SSH_FINGERPRINT=$(ssh-keygen -F localhost -l | tail -n 1 | cut -d ' ' -f 2 | tr -d ':')
+
 export GITTEST_REMOTE_URL="ssh://localhost/$HOME/_temp/test.git"
 export GITTEST_REMOTE_USER=$USER
 export GITTEST_REMOTE_SSH_KEY="$HOME/.ssh/id_rsa"
@ -40,7 +43,7 @@ export GITTEST_REMOTE_SSH_PUBKEY="$HOME/.ssh/id_rsa.pub"
 export GITTEST_REMOTE_SSH_PASSPHRASE=""

 if [ -e ./libgit2_clar ]; then
-    ./libgit2_clar -sonline::push -sonline::clone::cred_callback &&
+    ./libgit2_clar -sonline::push -sonline::clone::cred_callback -sonline::clone::ssh_cert &&
    rm -rf $HOME/_temp/test.git &&
    git init --bare $HOME/_temp/test.git && # create an empty one
    ./libgit2_clar -sonline::clone::ssh_with_paths
--- a/tests/online/clone.c
+++ b/tests/online/clone.c
@ -464,6 +464,38 @@ void test_online_clone__ssh_cannot_change_username(void)
 	cl_git_fail(git_clone(&g_repo, "ssh://git@github.com/libgit2/TestGitRepository", "./foo", &g_options));
 }

+int ssh_certificate_check(git_cert_t type, void *data, size_t len, int valid, void *payload)
+{
+	git_cert_hostkey *key;
+	git_oid expected = {{0}}, actual = {{0}};
+	const char *expected_str;
+
+	GIT_UNUSED(len);
+	GIT_UNUSED(valid);
+	GIT_UNUSED(payload);
+
+	expected_str = cl_getenv("GITTEST_REMOTE_SSH_FINGERPRINT");
+	if (!expected_str)
+		cl_skip();
+
+	cl_git_pass(git_oid_fromstr(&expected, expected_str));
+	cl_assert_equal_i(GIT_CERT_HOSTKEY_LIBSSH2, type);
+
+	key = (git_cert_hostkey *) data;
+	git_oid_fromraw(&actual, key->hash);
+
+	cl_assert(git_oid_equal(&expected, &actual));
+
+	return GIT_EUSER;
+}
+
+void test_online_clone__ssh_cert(void)
+{
+	g_options.remote_callbacks.certificate_check = ssh_certificate_check;
+
+	cl_git_fail_with(GIT_EUSER, git_clone(&g_repo, "ssh://localhost/foo", "./foo", &g_options));
+}
+
 void test_online_clone__url_with_no_path_returns_EINVALIDSPEC(void)
 {
 	cl_git_fail_with(git_clone(&g_repo, "http://github.com", "./foo", &g_options),