ssh: add test for host key Test that the certificate check callback gets the right fingerprint from the host we're connecting to.
diff --git a/script/cibuild.sh b/script/cibuild.sh
index 981f95b..c7c341c 100755
--- a/script/cibuild.sh
+++ b/script/cibuild.sh
@@ -33,6 +33,9 @@ ssh-keygen -t rsa -f ~/.ssh/id_rsa -N "" -q
cat ~/.ssh/id_rsa.pub >>~/.ssh/authorized_keys
ssh-keyscan -t rsa localhost >>~/.ssh/known_hosts
+# Get the fingerprint for localhost and remove the colons so we can parse it as a hex number
+export GITTEST_REMOTE_SSH_FINGERPRINT=$(ssh-keygen -F localhost -l | tail -n 1 | cut -d ' ' -f 2 | tr -d ':')
+
export GITTEST_REMOTE_URL="ssh://localhost/$HOME/_temp/test.git"
export GITTEST_REMOTE_USER=$USER
export GITTEST_REMOTE_SSH_KEY="$HOME/.ssh/id_rsa"
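Review bot: The value exported on the added `GITTEST_REMOTE_SSH_FINGERPRINT` line is never validated, and it depends on the exact text that `ssh-keygen -F localhost -l` prints. Newer OpenSSH releases print a SHA256 base64 fingerprint by default, so `tr -d ':'` would leave a non-hex string and the failure would only surface later, inside the C test's hex parse. A guard right after the export, such as `echo "$GITTEST_REMOTE_SSH_FINGERPRINT" | grep -Eq '^[0-9a-f]+$' || exit 1`, would make the script stop with an obvious cause. The comment could also say that the expected value comes from the `known_hosts` entry written by `ssh-keyscan` just above, so the test checks that the callback sees the same key rather than proving the key is authentic.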
@@ -40,7 +43,7 @@ export GITTEST_REMOTE_SSH_PUBKEY="$HOME/.ssh/id_rsa.pub"
export GITTEST_REMOTE_SSH_PASSPHRASE=""
if [ -e ./libgit2_clar ]; then
- ./libgit2_clar -sonline::push -sonline::clone::cred_callback &&
+ ./libgit2_clar -sonline::push -sonline::clone::cred_callback -sonline::clone::ssh_cert &&
rm -rf $HOME/_temp/test.git &&
git init --bare $HOME/_temp/test.git && # create an empty one
./libgit2_clar -sonline::clone::ssh_with_paths
diff --git a/tests/online/clone.c b/tests/online/clone.c
index cebe3b2..2e51364 100644
--- a/tests/online/clone.c
+++ b/tests/online/clone.c
@@ -464,6 +464,38 @@ void test_online_clone__ssh_cannot_change_username(void)
cl_git_fail(git_clone(&g_repo, "ssh://git@github.com/libgit2/TestGitRepository", "./foo", &g_options));
}
+int ssh_certificate_check(git_cert_t type, void *data, size_t len, int valid, void *payload)
+{
+ git_cert_hostkey *key;
+ git_oid expected = {{0}}, actual = {{0}};
+ const char *expected_str;
+
+ GIT_UNUSED(len);
+ GIT_UNUSED(valid);
+ GIT_UNUSED(payload);
+
+ expected_str = cl_getenv("GITTEST_REMOTE_SSH_FINGERPRINT");
+ if (!expected_str)
+ cl_skip();
+
+ cl_git_pass(git_oid_fromstr(&expected, expected_str));
+ cl_assert_equal_i(GIT_CERT_HOSTKEY_LIBSSH2, type);
+
+ key = (git_cert_hostkey *) data;
+ git_oid_fromraw(&actual, key->hash);
+
+ cl_assert(git_oid_equal(&expected, &actual));
+
+ return GIT_EUSER;
+}
+
+void test_online_clone__ssh_cert(void)
+{
+ g_options.remote_callbacks.certificate_check = ssh_certificate_check;
+
+ cl_git_fail_with(GIT_EUSER, git_clone(&g_repo, "ssh://localhost/foo", "./foo", &g_options));
+}
+
void test_online_clone__url_with_no_path_returns_EINVALIDSPEC(void)
{
cl_git_fail_with(git_clone(&g_repo, "http://github.com", "./foo", &g_options),
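Review bot: In `ssh_certificate_check`, both conversions treat the host key hash as if it were as long as a `git_oid`: `git_oid_fromstr(&expected, expected_str)` expects a full-length hex object id, and `git_oid_fromraw(&actual, key->hash)` copies an oid-sized run of bytes out of `key->hash`. The fingerprint exported by cibuild.sh is the colon-stripped hex from `ssh-keygen -l`, which for an MD5 fingerprint is 32 hex digits (16 bytes). If `hash` is a 16-byte field, the parse can fail and the copy reads past the end of the array; the definition of `git_cert_hostkey` is not visible in this diff, so its size needs confirming. Parsing with `git_oid_fromstrp(&expected, expected_str)` and comparing only the hash bytes, `cl_assert(!memcmp(expected.id, key->hash, sizeof(key->hash)));`, would avoid both problems, assuming `hash` is declared as an array. A short comment on `return GIT_EUSER;` saying that the clone is aborted on purpose once the fingerprint has been checked would also help the next reader.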