authorAnderson Toshiyuki Sasaki <ansasaki@redhat.com>2019-06-05 15:06:13 +0200
committerAndreas Schneider <asn@cryptomilk.org>2019-06-13 16:28:25 +0200
commit41834f228bc4a5a89bfe8c71c13c051fc6f2993a (patch)
treeb3d9a53fb3b4a9a10f5963bb8a515947e037d175 /tests
parent03ca994cc048ac5af7c2722e9f4e4b27d8a95784 (diff)
tests: Use different config if in FIPS mode
When running in FIPS mode, use a different OpenSSH server configuration that contains only FIPS-allowed algorithms. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'tests')
-rw-r--r--tests/torture.c102
1 files changed, 76 insertions, 26 deletions
diff --git a/tests/torture.c b/tests/torture.c
index 6d37e7a2..772942c2 100644
--- a/tests/torture.c
+++ b/tests/torture.c
@@ -598,12 +598,12 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
const char config_string[]=
"Port 22\n"
"ListenAddress 127.0.0.10\n"
- "HostKey %s\n"
+ "%s %s\n"
#ifdef HAVE_DSA
- "HostKey %s\n"
+ "%s %s\n"
#endif /* HAVE_DSA */
- "HostKey %s\n"
- "HostKey %s\n"
+ "%s %s\n"
+ "%s %s\n"
"\n"
"TrustedUserCAKeys %s\n"
"\n"
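Review bot: The four rewritten `"%s %s\n"` lines in config_string no longer say which sshd option they expand to, while the FIPS string added by the same commit marks each with `/* HostKey */`; add the same trailing comment here (`"%s %s\n" /* HostKey */`) so the format can be read without cross-referencing the snprintf argument list. The reason for passing the `HostKey` keyword through a `%s` instead of keeping it literal is stated neither in the hunk nor in the commit message, so a one-line comment above the literal explaining that choice would help the next reader. Both torture_setup_create_sshd_config and the config_string literal continue outside this hunk.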
@@ -651,6 +651,54 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
"\n"
"PidFile %s\n"
"%s\n"; /* The space for test-specific options */
+ /* FIPS config */
+ const char fips_config_string[]=
+ "Port 22\n"
+ "ListenAddress 127.0.0.10\n"
+ "%s %s\n" /* HostKey */
+ "%s %s\n" /* HostKey */
+ "\n"
+ "TrustedUserCAKeys %s\n" /* Trusted CA */
+ "\n"
+ "LogLevel DEBUG3\n"
+ "Subsystem sftp %s -l DEBUG2\n" /* SFTP server */
+ "\n"
+ "PasswordAuthentication yes\n"
+ "PubkeyAuthentication yes\n"
+ "\n"
+ "StrictModes no\n"
+ "\n"
+ "%s" /* UsePam */
+ "\n"
+ "Ciphers "
+ "aes256-gcm@openssh.com,aes256-ctr,aes256-cbc,"
+ "aes128-gcm@openssh.com,aes128-ctr,aes128-cbc"
+ "\n"
+ "MACs "
+ "hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,"
+ "hmac-sha2-512-etm@openssh.com,hmac-sha2-256,"
+ "hmac-sha1,hmac-sha2-512"
+ "\n"
+ "GSSAPIKeyExchange no\n"
+ "KexAlgorithms "
+ "ecdh-sha2-nistp256,ecdh-sha2-nistp384,"
+ "ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
+ "diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,"
+ "diffie-hellman-group18-sha512"
+ "\n"
+ "PubkeyAcceptedKeyTypes "
+ "rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,"
+ "ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,"
+ "ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,"
+ "rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,"
+ "ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com"
+ "\n"
+ "AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES\n"
+ "AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT\n"
+ "AcceptEnv LC_IDENTIFICATION LC_ALL LC_LIBSSH\n"
+ "\n"
+ "PidFile %s\n" /* PID file */
+ "%s\n"; /* The space for test-specific options */
const char usepam_yes[] =
"UsePAM yes\n"
"KbdInteractiveAuthentication yes\n";
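Review bot: The Ciphers and MACs lists keep `aes256-cbc`/`aes128-cbc` and `hmac-sha1`/`hmac-sha1-etm@openssh.com`, which FIPS permits but which are the weakest entries in the set, and nothing says the lists are intentionally exhaustive rather than a hardening recommendation. Add a comment above `"Ciphers "`, e.g. `/* Every algorithm FIPS mode permits, not a hardened set: CBC ciphers and SHA-1 MACs stay so the FIPS client code paths get exercised */`, so nobody copies the list into a production sshd_config or prunes it and silently drops test coverage. The option names are also tied to a particular OpenSSH generation (`diffie-hellman-group14-sha256` and `rsa-sha2-*` presumably need a fairly recent sshd), so a note on the minimum sshd expected would help when sshd refuses to start on an older host. Declaring the literal `static const char fips_config_string[] =` would avoid copying the roughly 1 KiB array onto the stack on every call; the same applies to config_string.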
@@ -742,30 +790,32 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
additional_config = (s->srv_additional_config != NULL ?
s->srv_additional_config : "");
+
+ if (ssh_fips_mode()) {
+ snprintf(sshd_config, sizeof(sshd_config),
+ fips_config_string,
+ "HostKey", rsa_hostkey,
+ "HostKey", ecdsa_hostkey,
+ trusted_ca_pubkey,
+ sftp_server,
+ usepam,
+ s->srv_pidfile,
+ additional_config);
+ } else {
+ snprintf(sshd_config, sizeof(sshd_config),
+ config_string,
+ "HostKey", ed25519_hostkey,
#ifdef HAVE_DSA
- snprintf(sshd_config, sizeof(sshd_config),
- config_string,
- ed25519_hostkey,
- dsa_hostkey,
- rsa_hostkey,
- ecdsa_hostkey,
- trusted_ca_pubkey,
- sftp_server,
- usepam,
- s->srv_pidfile,
- additional_config);
-#else /* HAVE_DSA */
- snprintf(sshd_config, sizeof(sshd_config),
- config_string,
- ed25519_hostkey,
- rsa_hostkey,
- ecdsa_hostkey,
- trusted_ca_pubkey,
- sftp_server,
- usepam,
- s->srv_pidfile,
- additional_config);
+ "HostKey", dsa_hostkey,
#endif /* HAVE_DSA */
+ "HostKey", rsa_hostkey,
+ "HostKey", ecdsa_hostkey,
+ trusted_ca_pubkey,
+ sftp_server,
+ usepam,
+ s->srv_pidfile,
+ additional_config);
+ }
torture_write_file(s->srv_config, sshd_config);
}
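Review bot: Neither `snprintf` call's return value is checked, so if the formatted configuration exceeds `sizeof(sshd_config)` (the FIPS string is long and `additional_config` is caller-supplied with no visible bound) the file written by `torture_write_file` is silently truncated and tests would run against an sshd whose trailing options, including the test-specific ones, are missing or mangled. Capture the result in both branches, `rc = snprintf(sshd_config, sizeof(sshd_config), ...)`, and fail before writing with `assert_true(rc > 0 && (size_t)rc < sizeof(sshd_config));` or whatever assertion macro this file already uses, since none is visible in the hunk. The two branches repeat the five trailing arguments and differ only in the format string and host-key pairs, which is acceptable, but the `ssh_fips_mode()` branch deserves a comment such as `/* ed25519 and DSA host keys are left out here, presumably because they are not FIPS-approved */` since the hunk shows the omission but not the reason.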