path: root/tests
Age | Commit message | Author | Files | Lines
2019-06-13 | tests: Fix the glob test on musl libc | Andreas Schneider | 1 | -4/+4
Fixes #150 Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests/pkd: Fix OpenSSH version check | Anderson Toshiyuki Sasaki | 1 | -5/+9
When running in FIPS mode, the OpenSSH version is not the first string printed by "ssh -V". This makes the parser find the first occurrence of the version ignoring anything printed before it. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests/pkd: Check OpenSSH version only once | Anderson Toshiyuki Sasaki | 1 | -1/+5
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests/torture_server_config: Use only allowed algorithms | Anderson Toshiyuki Sasaki | 1 | -58/+63
Use ssh_kex_get_fips_methods() instead of ssh_get_default_methods() if in FIPS mode. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests/pkd: Add tests using certificates with SHA2 in signatures | Anderson Toshiyuki Sasaki | 3 | -1/+17
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests/pkd: Accept certificates with SHA2 in signatures | Anderson Toshiyuki Sasaki | 1 | -1/+1
Previously the server in pkd tests would not accept certificates using SHA2 in signatures. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests/pkd: Use only allowed algorithms if in FIPS mode | Anderson Toshiyuki Sasaki | 3 | -185/+218
Use only allowed algorithms in FIPS mode. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests/torture_pki_rsa: Avoid using SHA1 in FIPS mode | Anderson Toshiyuki Sasaki | 1 | -12/+16
Do not use SHA1 in signatures in FIPS mode. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests: Update negative test cases to use EC instead of ED keys | Jakub Jelen | 2 | -38/+38
Also systematically use assert_ssh_return_code() instead of various checks for return codes. Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests: There is no 8B block cipher in FIPS Mode | Jakub Jelen | 1 | -6/+20
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests: Use more widely supported RSA key as a hostkey | Jakub Jelen | 1 | -10/+10
Initially introduced for the FIPS support Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests: Avoid mixing stderr with stdout | Jakub Jelen | 1 | -2/+2
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests: Use consistent checking for ssh return code | Jakub Jelen | 1 | -2/+2
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests: Adjust for FIPS and simplify initialization | Jakub Jelen | 1 | -85/+84
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests/torture_pki_dsa: Skip completely if in FIPS mode | Anderson Toshiyuki Sasaki | 1 | -2/+14
DSA is not allowed in FIPS mode. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests/torture_pki: Skip some tests if in FIPS mode | Anderson Toshiyuki Sasaki | 1 | -0/+19
Skip tests requiring algorithms not allowed in FIPS mode. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests/torture_options: Use only allowed algorithms if in FIPS mode | Anderson Toshiyuki Sasaki | 1 | -70/+170
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests/torture_config: Use only allowed algorithms in FIPS mode | Anderson Toshiyuki Sasaki | 1 | -10/+47
Use only allowed algorithms if running in FIPS mode. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests/torture_bind_config: Use allowed algorithms in FIPS mode | Anderson Toshiyuki Sasaki | 1 | -54/+196
Use only allowed algorithms if in FIPS mode. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests/torture_hostkey: Skip some tests in FIPS mode | Anderson Toshiyuki Sasaki | 1 | -0/+12
Skip tests using non allowed algorithms. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests/torture_client_config: Adjust lists in FIPS mode | Anderson Toshiyuki Sasaki | 1 | -5/+42
Use only allowed algorithms if in FIPS mode. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests/torture_algorithms: Skip some tests in FIPS mode | Anderson Toshiyuki Sasaki | 1 | -0/+120
When running in FIPS mode, skip the tests using algorithms not allowed. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests: Use different config if in FIPS mode | Anderson Toshiyuki Sasaki | 1 | -26/+76
Use a different OpenSSH configuration if running in FIPS mode, which contains only allowed algorithms. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests: Use the SHA2 extension by default to avoid issues in FIPS mode | Jakub Jelen | 1 | -2/+2
2019-06-13 | tests: Use ed25519 keys explicitly | Jakub Jelen | 1 | -4/+35
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests: The DSA is not available in mbedtls | Jakub Jelen | 1 | -4/+4
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests/client/torture_auth: Skip some tests if in FIPS mode | Anderson Toshiyuki Sasaki | 1 | -2/+10
If in FIPS mode, skip tests which require algorithms not allowed. Also use allowed algorithms when possible to avoid skipping the test. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests: Do not free pcap context while it is in use by the server session | Jakub Jelen | 1 | -1/+5
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests: Cover comparison of public keys, which was missing | Jakub Jelen | 3 | -13/+25
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests: Add PKCS#8 PEM encrypted private keys | Anderson Toshiyuki Sasaki | 1 | -7/+109
Copies of the DSA, RSA, and ECDSA keys were added encoded in PKCS#8 format. For now, these keys are only used when testing with OpenSSL. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-13 | tests/torture_auth: Workaround OpenSSH agent bug | Anderson Toshiyuki Sasaki | 1 | -5/+47
OpenSSH agent has a bug which makes it not use SHA2 in signatures when using certificates. It always uses SHA1. See https://gitlab.com/libssh/libssh-mirror/merge_requests/34 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-12 | tests: Verify duplicate items are removed from knownhosts entries list | Jakub Jelen | 1 | -0/+74
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-12 | tests: Verify duplicate items are removed from knownhosts algorithms | Jakub Jelen | 1 | -0/+54
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-12 | torture_hashes: Skip the MD5 tests in FIPS mode | Jakub Jelen | 1 | -0/+4
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-12 | session: Do not use MD5 in FIPS mode | Anderson Toshiyuki Sasaki | 1 | -8/+13
Do not use MD5 when generating fingerprints in FIPS mode. The call will fail in such case. The test suite was updated with a negative test for this case. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-12 | tests: Make sure unknown options are ignored in server config | Anderson Toshiyuki Sasaki | 1 | -0/+24
Added a test to make sure unknown options in the configuration file are ignored and don't make ssh_bind_options_parse_config() fail. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-06-12 | server: Use default methods instead of all | Anderson Toshiyuki Sasaki | 1 | -0/+16
Previously, when no methods were set, the server would enable all supported methods. This changes this behaviour by setting only the default methods. The server in pkd_daemon.c was changed to set explicitly all the supported methods to keep the previous behaviour. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-06-12 | tests: Added tests for server config file | Anderson Toshiyuki Sasaki | 2 | -0/+828
The added tests run the server with different combinations of algorithms and try to connect using a client. Note that few combinations are tested. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-06-12 | tests: Allow setting configuration file for test server | Anderson Toshiyuki Sasaki | 4 | -0/+68
This allows testing the server with a configuration file. This also adds an option for the stand-alone test server to skip parsing the system-wide configuration file. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-06-12 | bind_config: Add support for HostKeyAlgorithms | Anderson Toshiyuki Sasaki | 1 | -0/+65
Add support for setting the allowed HostKey algorithms through configuration file. Note that this does NOT add support for adding or removing values using '+' or '-'. Only replacing the whole list is supported. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-06-12 | options: Added an option to set server HostKey algorithms | Anderson Toshiyuki Sasaki | 1 | -0/+57
The added option SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS allows restricting the signature algorithms to offer to the client for host authentication. The list set is used as a filter of allowed algorithms. First a list of possible signature algorithms to offer is created from the keys set and then such list is filtered against the allowed algorithms. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-06-12 | bind_config: Add support for PubkeyAcceptedKeyTypes | Anderson Toshiyuki Sasaki | 1 | -0/+64
Add support for setting the accepted public key types through configuration file. Note that this does NOT add support for adding or removing values using '+' or '-'. Only replacing the whole list is supported. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-06-12 | options: Add option to set server accepted pubkey types | Anderson Toshiyuki Sasaki | 1 | -1/+57
The added option SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES allows restricting the allowed public key types accepted by the server for authentication. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-06-12 | token, kex: Add functions to handle tokens lists | Anderson Toshiyuki Sasaki | 2 | -0/+164
The added functions allow splitting chains of tokens separated by a given character (usually ','), and extracting matching parts between two chains of tokens. The previously existing functions in kex.c were replaced by the introduced ones. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-06-12 | pki: Check if the key is allowed against right list | Anderson Toshiyuki Sasaki | 1 | -0/+2
Previously when generating the signature in server side the key was checked against the wrong list, potentially making the server select the wrong algorithm to sign (e.g. rsa-sha2-512 instead of rsa-sha2-256). Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-05-28 | tests: Fix null termination in torture_read_one_line() | Andreas Schneider | 1 | -15/+16
CID 1393902 Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2019-05-28 | tests: Fix assert_return_code in server test | Andreas Schneider | 1 | -5/+5
CID 1398983 CID 1398982 Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2019-05-14 | config: Add support for PubkeyAcceptedKeyTypes | Anderson Toshiyuki Sasaki | 1 | -0/+20
The added option is an alias for the previously existing option PubkeyAcceptedTypes. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-05-14 | tests: Update knownhost tests with reproducer from T110 | Jakub Jelen | 2 | -0/+117
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-05-14 | cmake,options: Allow to set global client config file | Anderson Toshiyuki Sasaki | 1 | -0/+2
This allows the global client (ssh_session) configuration file path to be set in configuration time by defining GLOBAL_CLIENT_CONFIG when calling cmake. If it is not defined, the default path is set as "/etc/ssh/ssh_config". usage example: $ cmake -DGLOBAL_CLIENT_CONFIG=/etc/my/custom/path .. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>