exp/ssh: cleanup client auth tests

This CL cleans up the client auth tests, making the
individual test body more manageable.

Also, adds tests for rsa and dsa key negotiation.

Finally, remove the package level use of the variable
strings, which avoids conflicting with the strings pkg.

R=gustav.paul, agl, n13m3y3r, rsc
CC=golang-dev
https://golang.org/cl/5447049

2 files changed, 129 insertions, 120 deletions

diff --git a/src/pkg/exp/ssh/client_auth_test.go b/src/pkg/exp/ssh/client_auth_test.go
index 4ef9213a9c..2b89e9728c 100644
--- a/src/pkg/exp/ssh/client_auth_test.go
+++ b/src/pkg/exp/ssh/client_auth_test.go
@@ -7,17 +7,20 @@ package ssh
 import (
 	"bytes"
 	"crypto"
-	"crypto/rand"
+	"crypto/dsa"
 	"crypto/rsa"
+	_ "crypto/sha1"
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
 	"io"
 	"io/ioutil"
+	"math/big"
 	"testing"
 )
 
-const _pem = `-----BEGIN RSA PRIVATE KEY-----
+// private key for mock server
+const testServerPrivateKey = `-----BEGIN RSA PRIVATE KEY-----
 MIIEpAIBAAKCAQEA19lGVsTqIT5iiNYRgnoY1CwkbETW5cq+Rzk5v/kTlf31XpSU
 70HVWkbTERECjaYdXM2gGcbb+sxpq6GtXf1M3kVomycqhxwhPv4Cr6Xp4WT/jkFx
 9z+FFzpeodGJWjOH6L2H5uX1Cvr9EDdQp9t9/J32/qBFntY8GwoUI/y/1MSTmMiF
@@ -45,25 +48,32 @@ gqnBycHj6AhEycjda75cs+0zybZvN4x65KZHOGW/O/7OAWEcZP5TPb3zf9ned3Hl
 NsZoFj52ponUM6+99A2CmezFCN16c4mbA//luWF+k3VVqR6BpkrhKw==
 -----END RSA PRIVATE KEY-----`
 
-// reused internally by tests
-var serverConfig = new(ServerConfig)
-
-func init() {
-	if err := serverConfig.SetRSAPrivateKey([]byte(_pem)); err != nil {
-		panic("unable to set private key: " + err.Error())
-	}
-}
+const testClientPrivateKey = `-----BEGIN RSA PRIVATE KEY-----
+MIIBOwIBAAJBALdGZxkXDAjsYk10ihwU6Id2KeILz1TAJuoq4tOgDWxEEGeTrcld
+r/ZwVaFzjWzxaf6zQIJbfaSEAhqD5yo72+sCAwEAAQJBAK8PEVU23Wj8mV0QjwcJ
+tZ4GcTUYQL7cF4+ezTCE9a1NrGnCP2RuQkHEKxuTVrxXt+6OF15/1/fuXnxKjmJC
+nxkCIQDaXvPPBi0c7vAxGwNY9726x01/dNbHCE0CBtcotobxpwIhANbbQbh3JHVW
+2haQh4fAG5mhesZKAGcxTyv4mQ7uMSQdAiAj+4dzMpJWdSzQ+qGHlHMIBvVHLkqB
+y2VdEyF7DPCZewIhAI7GOI/6LDIFOvtPo6Bj2nNmyQ1HU6k/LRtNIXi4c9NJAiAr
+rrxx26itVhJmcvoUhOjwuzSlP2bE5VHAvkGB352YBg==
+-----END RSA PRIVATE KEY-----`
 
 // keychain implements the ClientPublickey interface
 type keychain struct {
-	keys []*rsa.PrivateKey
+	keys []interface{}
 }
 
 func (k *keychain) Key(i int) (interface{}, error) {
 	if i < 0 || i >= len(k.keys) {
 		return nil, nil
 	}
-	return k.keys[i].PublicKey, nil
+	switch key := k.keys[i].(type) {
+	case *rsa.PrivateKey:
+		return key.PublicKey, nil
+	case *dsa.PrivateKey:
+		return key.PublicKey, nil
+	}
+	panic("unknown key type")
 }
 
 func (k *keychain) Sign(i int, rand io.Reader, data []byte) (sig []byte, err error) {
@@ -71,7 +81,11 @@ func (k *keychain) Sign(i int, rand io.Reader, data []byte) (sig []byte, err err
 	h := hashFunc.New()
 	h.Write(data)
 	digest := h.Sum(nil)
-	return rsa.SignPKCS1v15(rand, k.keys[i], hashFunc, digest)
+	switch key := k.keys[i].(type) {
+	case *rsa.PrivateKey:
+		return rsa.SignPKCS1v15(rand, key, hashFunc, digest)
+	}
+	return nil, errors.New("unknown key type")
 }
 
 func (k *keychain) loadPEM(file string) error {
@@ -91,158 +105,153 @@ func (k *keychain) loadPEM(file string) error {
 	return nil
 }
 
-var pkey *rsa.PrivateKey
+// password implements the ClientPassword interface
+type password string
 
-func init() {
-	var err error
-	pkey, err = rsa.GenerateKey(rand.Reader, 512)
-	if err != nil {
-		panic("unable to generate public key")
-	}
+func (p password) Password(user string) (string, error) {
+	return string(p), nil
 }
 
-func TestClientAuthPublickey(t *testing.T) {
-	k := new(keychain)
-	k.keys = append(k.keys, pkey)
+// reused internally by tests
+var (
+	rsakey         *rsa.PrivateKey
+	dsakey         *dsa.PrivateKey
+	clientKeychain = new(keychain)
+	clientPassword = password("tiger")
+	serverConfig   = &ServerConfig{
+		PasswordCallback: func(user, pass string) bool {
+			return user == "testuser" && pass == string(clientPassword)
+		},
+		PubKeyCallback: func(user, algo string, pubkey []byte) bool {
+			key := clientKeychain.keys[0].(*rsa.PrivateKey).PublicKey
+			expected := []byte(serializePublickey(key))
+			algoname := algoName(key)
+			return user == "testuser" && algo == algoname && bytes.Equal(pubkey, expected)
+		},
+	}
+)
 
-	serverConfig.PubKeyCallback = func(user, algo string, pubkey []byte) bool {
-		expected := []byte(serializePublickey(k.keys[0].PublicKey))
-		algoname := algoName(k.keys[0].PublicKey)
-		return user == "testuser" && algo == algoname && bytes.Equal(pubkey, expected)
+func init() {
+	if err := serverConfig.SetRSAPrivateKey([]byte(testServerPrivateKey)); err != nil {
+		panic("unable to set private key: " + err.Error())
 	}
-	serverConfig.PasswordCallback = nil
 
+	block, _ := pem.Decode([]byte(testClientPrivateKey))
+	rsakey, _ = x509.ParsePKCS1PrivateKey(block.Bytes)
+
+	clientKeychain.keys = append(clientKeychain.keys, rsakey)
+	dsakey = new(dsa.PrivateKey)
+	// taken from crypto/dsa/dsa_test.go
+	dsakey.P, _ = new(big.Int).SetString("A9B5B793FB4785793D246BAE77E8FF63CA52F442DA763C440259919FE1BC1D6065A9350637A04F75A2F039401D49F08E066C4D275A5A65DA5684BC563C14289D7AB8A67163BFBF79D85972619AD2CFF55AB0EE77A9002B0EF96293BDD0F42685EBB2C66C327079F6C98000FBCB79AACDE1BC6F9D5C7B1A97E3D9D54ED7951FEF", 16)
+	dsakey.Q, _ = new(big.Int).SetString("E1D3391245933D68A0714ED34BBCB7A1F422B9C1", 16)
+	dsakey.G, _ = new(big.Int).SetString("634364FC25248933D01D1993ECABD0657CC0CB2CEED7ED2E3E8AECDFCDC4A25C3B15E9E3B163ACA2984B5539181F3EFF1A5E8903D71D5B95DA4F27202B77D2C44B430BB53741A8D59A8F86887525C9F2A6A5980A195EAA7F2FF910064301DEF89D3AA213E1FAC7768D89365318E370AF54A112EFBA9246D9158386BA1B4EEFDA", 16)
+	dsakey.Y, _ = new(big.Int).SetString("32969E5780CFE1C849A1C276D7AEB4F38A23B591739AA2FE197349AEEBD31366AEE5EB7E6C6DDB7C57D02432B30DB5AA66D9884299FAA72568944E4EEDC92EA3FBC6F39F53412FBCC563208F7C15B737AC8910DBC2D9C9B8C001E72FDC40EB694AB1F06A5A2DBD18D9E36C66F31F566742F11EC0A52E9F7B89355C02FB5D32D2", 16)
+	dsakey.X, _ = new(big.Int).SetString("5078D4D29795CBE76D3AACFE48C9AF0BCDBEE91A", 16)
+}
+
+// newMockAuthServer creates a new Server bound to 
+// the loopback interface. The server exits after 
+// processing one handshake.
+func newMockAuthServer(t *testing.T) string {
 	l, err := Listen("tcp", "127.0.0.1:0", serverConfig)
 	if err != nil {
-		t.Fatalf("unable to listen: %s", err)
+		t.Fatalf("unable to newMockAuthServer: %s", err)
 	}
-	defer l.Close()
-
-	done := make(chan bool, 1)
 	go func() {
+		defer l.Close()
 		c, err := l.Accept()
+		defer c.Close()
 		if err != nil {
-			t.Fatal(err)
+			t.Errorf("Unable to accept incoming connection: %v", err)
+			return
 		}
-		defer c.Close()
 		if err := c.Handshake(); err != nil {
-			t.Error(err)
+			// not Errorf because this is expected to
+			// fail for some tests.
+			t.Logf("Handshaking error: %v", err)
+			return
 		}
-		done <- true
 	}()
+	return l.Addr().String()
+}
 
+func TestClientAuthPublickey(t *testing.T) {
 	config := &ClientConfig{
 		User: "testuser",
 		Auth: []ClientAuth{
-			ClientAuthPublickey(k),
+			ClientAuthPublickey(clientKeychain),
 		},
 	}
-
-	c, err := Dial("tcp", l.Addr().String(), config)
+	c, err := Dial("tcp", newMockAuthServer(t), config)
 	if err != nil {
 		t.Fatalf("unable to dial remote side: %s", err)
 	}
-	defer c.Close()
-	<-done
-}
-
-// password implements the ClientPassword interface
-type password string
-
-func (p password) Password(user string) (string, error) {
-	return string(p), nil
+	c.Close()
 }
 
 func TestClientAuthPassword(t *testing.T) {
-	pw := password("tiger")
-
-	serverConfig.PasswordCallback = func(user, pass string) bool {
-		return user == "testuser" && pass == string(pw)
+	config := &ClientConfig{
+		User: "testuser",
+		Auth: []ClientAuth{
+			ClientAuthPassword(clientPassword),
+		},
 	}
-	serverConfig.PubKeyCallback = nil
 
-	l, err := Listen("tcp", "127.0.0.1:0", serverConfig)
+	c, err := Dial("tcp", newMockAuthServer(t), config)
 	if err != nil {
-		t.Fatalf("unable to listen: %s", err)
+		t.Fatalf("unable to dial remote side: %s", err)
 	}
-	defer l.Close()
-
-	done := make(chan bool)
-	go func() {
-		c, err := l.Accept()
-		if err != nil {
-			t.Fatal(err)
-		}
-		if err := c.Handshake(); err != nil {
-			t.Error(err)
-		}
-		defer c.Close()
-		done <- true
-	}()
+	c.Close()
+}
 
+func TestClientAuthWrongPassword(t *testing.T) {
+	wrongPw := password("wrong")
 	config := &ClientConfig{
 		User: "testuser",
 		Auth: []ClientAuth{
-			ClientAuthPassword(pw),
+			ClientAuthPassword(wrongPw),
+			ClientAuthPublickey(clientKeychain),
 		},
 	}
 
-	c, err := Dial("tcp", l.Addr().String(), config)
+	c, err := Dial("tcp", newMockAuthServer(t), config)
 	if err != nil {
 		t.Fatalf("unable to dial remote side: %s", err)
 	}
-	defer c.Close()
-	<-done
+	c.Close()
 }
 
-func TestClientAuthPasswordAndPublickey(t *testing.T) {
-	pw := password("tiger")
-
-	serverConfig.PasswordCallback = func(user, pass string) bool {
-		return user == "testuser" && pass == string(pw)
-	}
-
-	k := new(keychain)
-	k.keys = append(k.keys, pkey)
-
-	serverConfig.PubKeyCallback = func(user, algo string, pubkey []byte) bool {
-		expected := []byte(serializePublickey(k.keys[0].PublicKey))
-		algoname := algoName(k.keys[0].PublicKey)
-		return user == "testuser" && algo == algoname && bytes.Equal(pubkey, expected)
+// the mock server will only authenticate ssh-rsa keys
+func TestClientAuthInvalidPublickey(t *testing.T) {
+	kc := new(keychain)
+	kc.keys = append(kc.keys, dsakey)
+	config := &ClientConfig{
+		User: "testuser",
+		Auth: []ClientAuth{
+			ClientAuthPublickey(kc),
+		},
 	}
 
-	l, err := Listen("tcp", "127.0.0.1:0", serverConfig)
-	if err != nil {
-		t.Fatalf("unable to listen: %s", err)
+	c, err := Dial("tcp", newMockAuthServer(t), config)
+	if err == nil {
+		c.Close()
+		t.Fatalf("dsa private key should not have authenticated with rsa public key")
 	}
-	defer l.Close()
-
-	done := make(chan bool)
-	go func() {
-		c, err := l.Accept()
-		if err != nil {
-			t.Fatal(err)
-		}
-		if err := c.Handshake(); err != nil {
-			t.Error(err)
-		}
-		defer c.Close()
-		done <- true
-	}()
+}
 
-	wrongPw := password("wrong")
+// the client should authenticate with the second key
+func TestClientAuthRSAandDSA(t *testing.T) {
+	kc := new(keychain)
+	kc.keys = append(kc.keys, dsakey, rsakey)
 	config := &ClientConfig{
 		User: "testuser",
 		Auth: []ClientAuth{
-			ClientAuthPassword(wrongPw),
-			ClientAuthPublickey(k),
+			ClientAuthPublickey(kc),
 		},
 	}
-
-	c, err := Dial("tcp", l.Addr().String(), config)
+	c, err := Dial("tcp", newMockAuthServer(t), config)
 	if err != nil {
-		t.Fatalf("unable to dial remote side: %s", err)
+		t.Fatalf("client could not authenticate with rsa key: %v", err)
 	}
-	defer c.Close()
-	<-done
+	c.Close()
 }
diff --git a/src/pkg/exp/ssh/common_test.go b/src/pkg/exp/ssh/common_test.go
index 2f4448a1bd..058fb04fe1 100644
--- a/src/pkg/exp/ssh/common_test.go
+++ b/src/pkg/exp/ssh/common_test.go
@@ -8,15 +8,15 @@ import (
 	"testing"
 )
 
-var strings = map[string]string{
-	"\x20\x0d\x0a":  "\x20\x0d\x0a",
-	"flibble":       "flibble",
-	"new\x20line":   "new\x20line",
-	"123456\x07789": "123456 789",
-	"\t\t\x10\r\n":  "\t\t \r\n",
-}
-
 func TestSafeString(t *testing.T) {
+	strings := map[string]string{
+		"\x20\x0d\x0a":  "\x20\x0d\x0a",
+		"flibble":       "flibble",
+		"new\x20line":   "new\x20line",
+		"123456\x07789": "123456 789",
+		"\t\t\x10\r\n":  "\t\t \r\n",
+	}
+
 	for s, expected := range strings {
 		actual := safeString(s)
 		if expected != actual {