From 9c1aa6af88df97634a66726b66bb12e56d1ef6c6 Mon Sep 17 00:00:00 2001 From: Nicola Murino Date: Sat, 12 Apr 2025 17:38:29 +0200 Subject: ssh/test: reset the random source before capturing a recording If a recording file exists but is invalid for any reason, the random source may have already been used, resulting in a recording that cannot be replayed. Change-Id: Ib81aaf163f5783fede2c14a0ac10a8d2af6019c6 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/664917 LUCI-TryBot-Result: Go LUCI Reviewed-by: Michael Pratt Reviewed-by: Dmitri Shuralyov Reviewed-by: Filippo Valsorda Auto-Submit: Nicola Murino --- ssh/test/recording_client_test.go | 4 ++-- ssh/test/recording_server_test.go | 6 ++---- ssh/test/recording_test.go | 10 ++++++++++ 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/ssh/test/recording_client_test.go b/ssh/test/recording_client_test.go index 167dba9..a312003 100644 --- a/ssh/test/recording_client_test.go +++ b/ssh/test/recording_client_test.go @@ -21,7 +21,6 @@ import ( "time" "golang.org/x/crypto/internal/testenv" - "golang.org/x/crypto/sha3" "golang.org/x/crypto/ssh" "golang.org/x/crypto/ssh/testdata" ) @@ -169,6 +168,8 @@ func (test *clientTest) run(t *testing.T, write bool) { var clientConn net.Conn var recordingConn *recordingConn + setDeterministicRandomSource(&test.config.Config) + if write { // We store the username used when we record the connection so we can // reuse the same username when running tests. @@ -238,7 +239,6 @@ func recordingsClientConfig() *ssh.ClientConfig { if config.KeyExchanges[0] == "mlkem768x25519-sha256" { config.KeyExchanges = config.KeyExchanges[1:] } - config.Rand = sha3.NewShake128() config.Auth = []ssh.AuthMethod{ ssh.PublicKeys(testSigners["rsa"]), } diff --git a/ssh/test/recording_server_test.go b/ssh/test/recording_server_test.go index b5f9d91..6a17040 100644 --- a/ssh/test/recording_server_test.go +++ b/ssh/test/recording_server_test.go @@ -18,7 +18,6 @@ import ( "time" "golang.org/x/crypto/internal/testenv" - "golang.org/x/crypto/sha3" "golang.org/x/crypto/ssh" "golang.org/x/crypto/ssh/testdata" ) @@ -132,6 +131,8 @@ func (test *serverTest) run(t *testing.T, write bool) { var serverConn net.Conn var recordingConn *recordingConn + setDeterministicRandomSource(&test.config.Config) + if write { var err error recordingConn, err = test.connFromCommand(t) @@ -211,9 +212,6 @@ func (test *serverTest) run(t *testing.T, write bool) { func recordingsServerConfig() *ssh.ServerConfig { config := &ssh.ServerConfig{ - Config: ssh.Config{ - Rand: sha3.NewShake128(), - }, PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) { return nil, nil }, diff --git a/ssh/test/recording_test.go b/ssh/test/recording_test.go index 25590a2..4f8bb2a 100644 --- a/ssh/test/recording_test.go +++ b/ssh/test/recording_test.go @@ -23,6 +23,7 @@ import ( "text/template" "time" + "golang.org/x/crypto/sha3" "golang.org/x/crypto/ssh" ) @@ -412,6 +413,15 @@ func writeFile(path string, contents []byte) { } } +// setDeterministicRandomSource sets a deterministic random source for the +// provided ssh.Config. It is intended solely for use in test cases, as +// deterministic randomness is insecure and should never be used in production +// environments. A deterministic random source is required to enable consistent +// testing against recorded session files. +func setDeterministicRandomSource(config *ssh.Config) { + config.Rand = sha3.NewShake128() +} + func TestMain(m *testing.M) { flag.Usage = func() { fmt.Fprintf(flag.CommandLine.Output(), "Usage of %s:\n", os.Args) -- cgit v1.3