author | Anderson Toshiyuki Sasaki <ansasaki@redhat.com> | 2019-06-05 15:19:22 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2019-06-13 16:29:30 +0200 |
commit | ce888fd4c0c3f8e36efac4712ecf37c0313f0fc9 (patch) | |
tree | 64ac01ff076d11746c64e119a21d80194fb4f005 | |
parent | af031d8df64d529da2488d08b82a33f2fa2032d2 (diff) | |
tests/torture_config: Use only allowed algorithms in FIPS mode
Use only allowed algorithms if running in FIPS mode.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r-- | tests/unittests/torture_config.c | 57 |
1 files changed, 47 insertions, 10 deletions
diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c
index baf90428..95f135e7 100644
--- a/tests/unittests/torture_config.c
+++ b/tests/unittests/torture_config.c
@@ -34,6 +34,8 @@ extern LIBSSH_THREAD int ssh_log_level;
 #define GLOBAL_KNOWN_HOSTS "/etc/ssh/my_ssh_known_hosts"
 #define BIND_ADDRESS "::1"
+
+
 static int setup_config_files(void **state) {
 ssh_session session;
@@ -222,7 +224,8 @@ static int teardown(void **state)
 static void torture_config_from_file(void **state) {
 ssh_session session = *state;
 int ret;
- char *v;
+ char *v = NULL;
+ char *fips_algos = NULL;
 ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG1);
 assert_true(ret == 0);
@@ -250,14 +253,39 @@ static void torture_config_from_file(void **state) {
 assert_string_equal(v, USERNAME);
 SSH_STRING_FREE_CHAR(v);
- assert_string_equal(session->opts.wanted_methods[SSH_KEX], KEXALGORITHMS);
-
- assert_string_equal(session->opts.wanted_methods[SSH_HOSTKEYS], HOSTKEYALGORITHMS);
-
- assert_string_equal(session->opts.pubkey_accepted_types, PUBKEYACCEPTEDTYPES);
-
- assert_string_equal(session->opts.wanted_methods[SSH_MAC_C_S], MACS);
- assert_string_equal(session->opts.wanted_methods[SSH_MAC_S_C], MACS);
+ if (ssh_fips_mode()) {
+ fips_algos = ssh_keep_fips_algos(SSH_KEX, KEXALGORITHMS);
+ assert_non_null(fips_algos);
+ assert_string_equal(session->opts.wanted_methods[SSH_KEX], fips_algos);
+ SAFE_FREE(fips_algos);
+ fips_algos = ssh_keep_fips_algos(SSH_HOSTKEYS, HOSTKEYALGORITHMS);
+ assert_non_null(fips_algos);
+ assert_string_equal(session->opts.wanted_methods[SSH_HOSTKEYS], fips_algos);
+ SAFE_FREE(fips_algos);
+ fips_algos = ssh_keep_fips_algos(SSH_HOSTKEYS, PUBKEYACCEPTEDTYPES);
+ assert_non_null(fips_algos);
+ assert_string_equal(session->opts.pubkey_accepted_types, fips_algos);
+ SAFE_FREE(fips_algos);
+ fips_algos = ssh_keep_fips_algos(SSH_MAC_C_S, MACS);
+ assert_non_null(fips_algos);
+ assert_string_equal(session->opts.wanted_methods[SSH_MAC_C_S], fips_algos);
+ SAFE_FREE(fips_algos);
+ fips_algos = ssh_keep_fips_algos(SSH_MAC_S_C, MACS);
+ assert_non_null(fips_algos);
+ assert_string_equal(session->opts.wanted_methods[SSH_MAC_S_C], fips_algos);
+ SAFE_FREE(fips_algos);
+ } else {
+ assert_non_null(session->opts.wanted_methods[SSH_KEX]);
+ assert_string_equal(session->opts.wanted_methods[SSH_KEX], KEXALGORITHMS);
+ assert_non_null(session->opts.wanted_methods[SSH_HOSTKEYS]);
+ assert_string_equal(session->opts.wanted_methods[SSH_HOSTKEYS], HOSTKEYALGORITHMS);
+ assert_non_null(session->opts.pubkey_accepted_types);
+ assert_string_equal(session->opts.pubkey_accepted_types, PUBKEYACCEPTEDTYPES);
+ assert_non_null(session->opts.wanted_methods[SSH_MAC_S_C]);
+ assert_string_equal(session->opts.wanted_methods[SSH_MAC_C_S], MACS);
+ assert_non_null(session->opts.wanted_methods[SSH_MAC_S_C]);
+ assert_string_equal(session->opts.wanted_methods[SSH_MAC_S_C], MACS);
+ }
 }
 /**
@@ -849,10 +877,19 @@ static void torture_config_pubkeyacceptedkeytypes(void **state)
 {
 ssh_session session = *state;
 int rc;
+ char *fips_algos;
 rc = ssh_config_parse_file(session, LIBSSH_TEST_PUBKEYACCEPTEDKEYTYPES);
 assert_int_equal(rc, SSH_OK);
- assert_string_equal(session->opts.pubkey_accepted_types, PUBKEYACCEPTEDTYPES);
+
+ if (ssh_fips_mode()) {
+ fips_algos = ssh_keep_fips_algos(SSH_HOSTKEYS, PUBKEYACCEPTEDTYPES);
+ assert_non_null(fips_algos);
+ assert_string_equal(session->opts.pubkey_accepted_types, fips_algos);
+ SAFE_FREE(fips_algos);
+ } else {
+ assert_string_equal(session->opts.pubkey_accepted_types, PUBKEYACCEPTEDTYPES);
+ }
 }
 int torture_run_tests(void) { |
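Review bot: In the non-FIPS branch of `torture_config_from_file`, the guard in front of the `SSH_MAC_C_S` comparison checks the wrong slot: `assert_non_null(session->opts.wanted_methods[SSH_MAC_S_C]);` appears twice and `SSH_MAC_C_S` is never null-checked, so the first one should read `assert_non_null(session->opts.wanted_methods[SSH_MAC_C_S]);`. The FIPS branch only null-checks `fips_algos`, not the session fields it compares against, so an unset option would reach `assert_string_equal` as NULL there. Separately, the FIPS expectations are produced by `ssh_keep_fips_algos()`, which is presumably the same filter the config parser applies, so these assertions would still pass if that filter let a non-approved algorithm through; comparing against literal expected FIPS lists would pin the policy itself. The same applies to the FIPS branch added in `torture_config_pubkeyacceptedkeytypes`.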
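Review bot: `char *fips_algos;` is declared without an initializer in `torture_config_pubkeyacceptedkeytypes`, while the same variable in `torture_config_from_file` is initialized; `char *fips_algos = NULL;` would keep the two tests consistent and avoid an indeterminate pointer if a later edit frees it on another path. The non-FIPS branch here also compares `session->opts.pubkey_accepted_types` without the `assert_non_null` guard that the other test adds before the same comparison. Passing `SSH_HOSTKEYS` as the type for `PUBKEYACCEPTEDTYPES` may well be intended, but it is not obvious from the call; a short comment such as `/* pubkey types are filtered against the host key algorithm list */` would help, if that is indeed the reason.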