1 files changed, 35 insertions, 6 deletions

diff --git a/vendor/golang.org/x/crypto/ssh/test/cert_test.go b/vendor/golang.org/x/crypto/ssh/test/cert_test.go
index bc83e4f5d..b231dd80c 100644
--- a/vendor/golang.org/x/crypto/ssh/test/cert_test.go
+++ b/vendor/golang.org/x/crypto/ssh/test/cert_test.go
@@ -7,12 +7,14 @@
 package test
 
 import (
+	"bytes"
 	"crypto/rand"
 	"testing"
 
 	"golang.org/x/crypto/ssh"
 )
 
+// Test both logging in with a cert, and also that the certificate presented by an OpenSSH host can be validated correctly
 func TestCertLogin(t *testing.T) {
 	s := newServer(t)
 	defer s.Shutdown()
@@ -36,13 +38,40 @@ func TestCertLogin(t *testing.T) {
 	}
 
 	conf := &ssh.ClientConfig{
-		User:            username(),
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+		User: username(),
+		HostKeyCallback: (&ssh.CertChecker{
+			IsHostAuthority: func(pk ssh.PublicKey, addr string) bool {
+				return bytes.Equal(pk.Marshal(), testPublicKeys["ca"].Marshal())
+			},
+		}).CheckHostKey,
 	}
 	conf.Auth = append(conf.Auth, ssh.PublicKeys(certSigner))
-	client, err := s.TryDial(conf)
-	if err != nil {
-		t.Fatalf("TryDial: %v", err)
+
+	for _, test := range []struct {
+		addr    string
+		succeed bool
+	}{
+		{addr: "host.example.com:22", succeed: true},
+		{addr: "host.example.com:10000", succeed: true}, // non-standard port must be OK
+		{addr: "host.example.com", succeed: false},      // port must be specified
+		{addr: "host.ex4mple.com:22", succeed: false},   // wrong host
+	} {
+		client, err := s.TryDialWithAddr(conf, test.addr)
+
+		// Always close client if opened successfully
+		if err == nil {
+			client.Close()
+		}
+
+		// Now evaluate whether the test failed or passed
+		if test.succeed {
+			if err != nil {
+				t.Fatalf("TryDialWithAddr: %v", err)
+			}
+		} else {
+			if err == nil {
+				t.Fatalf("TryDialWithAddr, unexpected success")
+			}
+		}
 	}
-	client.Close()
 }