author | Anderson Toshiyuki Sasaki <ansasaki@redhat.com> | 2019-06-05 18:44:00 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2019-06-13 16:29:32 +0200 |
commit | bb36cc30eee94b682baa328b6fe4b9159327b1c2 (patch) | |
tree | 8141582c799f21bce787942bb4587338d1193367 /tests | |
parent | b6aef1fdd5fd2b7e90eb33ff73b61c6d76dc7138 (diff) | |
tests/torture_pki_rsa: Avoid using SHA1 in FIPS mode
Do not use SHA1 in signatures in FIPS mode.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/unittests/torture_pki_rsa.c | 28 |
1 files changed, 16 insertions, 12 deletions
diff --git a/tests/unittests/torture_pki_rsa.c b/tests/unittests/torture_pki_rsa.c
index b4a12396..24094302 100644
--- a/tests/unittests/torture_pki_rsa.c
+++ b/tests/unittests/torture_pki_rsa.c
@@ -543,14 +543,16 @@ static void torture_pki_rsa_sha2(void **state)
 assert_int_equal(rc, SSH_OK);
 assert_non_null(pubkey);
- /* Sign using old SHA1 digest */
- sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1);
- assert_non_null(sign);
- rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT));
- assert_ssh_return_code(session, rc);
- rc = pki_signature_verify(session, sign, cert, INPUT, sizeof(INPUT));
- assert_ssh_return_code(session, rc);
- ssh_signature_free(sign);
+ if (!ssh_fips_mode()) {
+ /* Sign using old SHA1 digest */
+ sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1);
+ assert_non_null(sign);
+ rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT));
+ assert_ssh_return_code(session, rc);
+ rc = pki_signature_verify(session, sign, cert, INPUT, sizeof(INPUT));
+ assert_ssh_return_code(session, rc);
+ ssh_signature_free(sign);
+ }
 /* Sign using new SHA256 digest */
 sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA256);
@@ -625,9 +627,11 @@ static void torture_pki_sign_data_rsa(void **state)
 assert_int_equal(rc, SSH_OK);
 assert_non_null(key);
- /* Test using SHA1 */
- rc = test_sign_verify_data(key, SSH_DIGEST_SHA1, INPUT, sizeof(INPUT));
- assert_int_equal(rc, SSH_OK);
+ if (!ssh_fips_mode()) {
+ /* Test using SHA1 */
+ rc = test_sign_verify_data(key, SSH_DIGEST_SHA1, INPUT, sizeof(INPUT));
+ assert_int_equal(rc, SSH_OK);
+ }
 /* Test using SHA256 */
 rc = test_sign_verify_data(key, SSH_DIGEST_SHA256, INPUT, sizeof(INPUT));
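Review bot: Both `if (!ssh_fips_mode())` guards (in torture_pki_rsa_sha2 and in torture_pki_sign_data_rsa) skip the SHA1 path in FIPS mode, but nothing asserts what the library does when SHA1 is requested there. A regression that lets SHA1 signatures through under FIPS would therefore pass these tests unnoticed. If the library is expected to refuse SHA1 in that mode, an `else` branch such as `sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1); assert_null(sign);` would pin that behaviour. Whether the call returns NULL or fails some other way is not visible on this page and needs checking first. Both functions start and end outside the hunks.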
@@ -661,7 +665,7 @@ static void torture_pki_fail_sign_with_incompatible_hash(void **state)
 assert_non_null(pubkey);
 /* Sign the buffer */
- sig = pki_sign_data(key, SSH_DIGEST_SHA1, INPUT, sizeof(INPUT));
+ sig = pki_sign_data(key, SSH_DIGEST_SHA256, INPUT, sizeof(INPUT));
 assert_non_null(sig);
 /* Verify signature */ |
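Review bot: The signing digest in torture_pki_fail_sign_with_incompatible_hash is now SHA256, but the step that makes the hash incompatible lies below the hunk and is not shown. It is worth confirming that the digest forced there still differs from SHA256; otherwise this negative test would no longer exercise a mismatch. A short comment on the changed line would record the reason for the choice, e.g. `/* Sign with SHA256 so the test also runs in FIPS mode */`. The function body starts and ends outside the hunk.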