authorAnderson Toshiyuki Sasaki <ansasaki@redhat.com>2019-06-06 15:01:42 +0200
committerAndreas Schneider <asn@cryptomilk.org>2019-06-13 11:00:56 +0200
commit0cfe4c7ab8030d5517357118102f1dc5c144a4c9 (patch)
tree918c94028ca9b3547015b787104dd2c93491f85b /tests/client
parent01f404021823a067e3681eb2bccaaa5b72a67e01 (diff)
tests/torture_auth: Workaround OpenSSH agent bug
OpenSSH agent has a bug which makes it not use SHA2 in signatures when using certificates. It always uses SHA1. See https://gitlab.com/libssh/libssh-mirror/merge_requests/34 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'tests/client')
-rw-r--r--tests/client/torture_auth.c52
1 files changed, 47 insertions, 5 deletions
diff --git a/tests/client/torture_auth.c b/tests/client/torture_auth.c
index ac12bb00..de1b5984 100644
--- a/tests/client/torture_auth.c
+++ b/tests/client/torture_auth.c
@@ -543,13 +543,55 @@ static void torture_auth_cert(void **state) {
SSH_KEY_FREE(cert);
}
-static void torture_auth_agent_cert(void **state) {
- /* Setup loads a different key, tests are exactly the same. */
- torture_auth_agent(state);
+static void torture_auth_agent_cert(void **state)
+{
+ struct torture_state *s = *state;
+ ssh_session session = s->ssh.session;
+ int rc;
+
+ /* Skip this test if in FIPS mode.
+ *
+ * OpenSSH agent has a bug which makes it to not use SHA2 in signatures when
+ * using certificates. It always uses SHA1.
+ *
+ * This should be removed as soon as OpenSSH agent bug is fixed.
+ * (see https://gitlab.com/libssh/libssh-mirror/merge_requests/34) */
+ if (ssh_fips_mode()) {
+ skip();
+ } else {
+ /* After the bug is solved, this also should be removed */
+ rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+ "ssh-rsa-cert-v01@openssh.com");
+ assert_int_equal(rc, SSH_OK);
+ }
+
+ /* Setup loads a different key, tests are exactly the same. */
+ torture_auth_agent(state);
}
-static void torture_auth_agent_cert_nonblocking(void **state) {
- torture_auth_agent_nonblocking(state);
+static void torture_auth_agent_cert_nonblocking(void **state)
+{
+ struct torture_state *s = *state;
+ ssh_session session = s->ssh.session;
+ int rc;
+
+ /* Skip this test if in FIPS mode.
+ *
+ * OpenSSH agent has a bug which makes it to not use SHA2 in signatures when
+ * using certificates. It always uses SHA1.
+ *
+ * This should be removed as soon as OpenSSH agent bug is fixed.
+ * (see https://gitlab.com/libssh/libssh-mirror/merge_requests/34) */
+ if (ssh_fips_mode()) {
+ skip();
+ } else {
+ /* After the bug is solved, this also should be removed */
+ rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+ "ssh-rsa-cert-v01@openssh.com");
+ assert_int_equal(rc, SSH_OK);
+ }
+
+ torture_auth_agent_nonblocking(state);
}
static void torture_auth_pubkey_types(void **state)
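Review bot: The FIPS skip and the `SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES` pin are copied verbatim into both `torture_auth_agent_cert` and `torture_auth_agent_cert_nonblocking`, so removing the workaround later means finding and deleting two identical blocks. One static helper called from both tests would keep it in a single place. While the pin is set, these two tests only exercise the SHA1 certificate type `ssh-rsa-cert-v01@openssh.com` through the agent, so SHA2 certificate signatures get no agent coverage here, and in FIPS mode the agent certificate path is not tested at all. A comment at the pin stating that gap would make it visible to whoever revisits the workaround. The helper name below is only a suggestion.

```c
/* Workaround: OpenSSH agent always signs with SHA1 when using certificates.
 * Remove once the agent bug is fixed
 * (see https://gitlab.com/libssh/libssh-mirror/merge_requests/34). */
static void torture_agent_cert_sha1_workaround(ssh_session session)
{
    int rc;

    if (ssh_fips_mode()) {
        /* SHA1 signatures are the only ones the agent produces here */
        skip();
    } else {
        /* Pins the session to the SHA1 certificate type; SHA2 certificate
         * signatures are not exercised through the agent while this is set. */
        rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
                             "ssh-rsa-cert-v01@openssh.com");
        assert_int_equal(rc, SSH_OK);
    }
}

static void torture_auth_agent_cert(void **state)
{
    struct torture_state *s = *state;

    torture_agent_cert_sha1_workaround(s->ssh.session);
    /* … unchanged: torture_auth_agent(state) call … */
}

/* … torture_auth_agent_cert_nonblocking: same helper call, then the unchanged
 *   torture_auth_agent_nonblocking(state) call … */
```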