feat: Add interoperability tests for PuTTY

Signed-off-by: Nikhil V <nikhilgreyshines@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2026-02-04 12:20:42 +09:00 · 2025-12-24 07:27:48 +05:30
parent c36bd2304a
commit 06186279a8
8 changed files with 372 additions and 212 deletions
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -229,6 +229,31 @@ else()
    set(DROPBEAR_EXECUTABLE "/bin/false")
 endif()

+find_program(PUTTY_EXECUTABLE 
+             NAMES 
+                plink 
+                plink.exe 
+                putty   # Fallback for systems where plink isn't separate
+             DOC "Path to PuTTY plink executable for automated tests")
+
+if (PUTTY_EXECUTABLE)
+    message(STATUS "Found PuTTY client: ${PUTTY_EXECUTABLE}")
+else()
+    set(PUTTY_EXECUTABLE "/bin/putty-not-found")
+endif()
+
+find_program(PUTTYGEN_EXECUTABLE 
+             NAMES 
+                puttygen 
+                puttygen.exe 
+             DOC "Path to PuTTYgen executable for key conversion")
+
+if (PUTTYGEN_EXECUTABLE)
+    message(STATUS "Found PuTTY keygen: ${PUTTYGEN_EXECUTABLE}")
+else()
+    set(PUTTYGEN_EXECUTABLE "/bin/puttygen-not-found")
+endif()
+
 find_program(SSHD_EXECUTABLE
             NAME
                sshd
--- a/tests/pkd/pkd_client.h
+++ b/tests/pkd/pkd_client.h
@@ -31,11 +31,13 @@
 #define SECURITY_KEY_PROVIDER ""
 #endif

+/* GlobalKnownHostsFile is just a place holder and won't actually set the hostkey */
 #define OPENSSH_CMD_START(hostkey_algos) \
    OPENSSH_BINARY " "                  \
    "-o UserKnownHostsFile=/dev/null "  \
    "-o StrictHostKeyChecking=no "      \
    SECURITY_KEY_PROVIDER               \
+    "-o GlobalKnownHostsFile=%s "       \
    "-F /dev/null "                     \
    hostkey_algos " "                   \
    OPENSSH_PKACCEPTED_TYPES " "        \
@@ -72,9 +74,11 @@
 #define DROPBEAR_BINARY DROPBEAR_EXECUTABLE
 #define DROPBEAR_KEYGEN "dropbearkey"

+/* HostKeyAlias is just a place holder and won't actually set the hostkey */
 #define DROPBEAR_CMD_START \
    DROPBEAR_BINARY " "      \
    "-y -y "                 \
+    "-o HostKeyAlias=%s "    \
    "-i " CLIENT_ID_FILE " " \
    "1> %s.out "             \
    "2> %s.err "
@@ -95,4 +99,22 @@
 #define DROPBEAR_MAC_CMD(macs) \
    DROPBEAR_CMD_START "-m " macs " " DROPBEAR_CMD_END

+/* PuTTY */
+
+#define PUTTY_BINARY PUTTY_EXECUTABLE
+#define PUTTY_KEYGEN PUTTYGEN_EXECUTABLE
+
+#define PUTTY_CMD_START                                    \
+    PUTTY_BINARY " "                                       \
+    "-batch -ssh -P 1234 "                                 \
+    "-i " CLIENT_ID_FILE " "                               \
+    "-hostkey $(" OPENSSH_KEYGEN                           \
+    " -l -f %s.pub -E md5 | awk '{print $2}' | cut -d: -f2-) " \
+    "1> %s.out 2> %s.err "
+
+#define PUTTY_CMD_END " localhost ls"
+
+#define PUTTY_CMD \
+    PUTTY_CMD_START PUTTY_CMD_END
+
 #endif /* __PKD_CLIENT_H__ */
--- a/tests/pkd/pkd_hello.c
+++ b/tests/pkd/pkd_hello.c
@@ -215,81 +215,81 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
 */

 #define PKDTESTS_DEFAULT_FIPS(f, client, cmd) \
-    f(client, rsa_default,        cmd,  setup_rsa,        teardown) \
-    f(client, ecdsa_256_default,  cmd,  setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_384_default,  cmd,  setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_521_default,  cmd,  setup_ecdsa_521,  teardown)
+    f(client, rsa_default,        cmd,  setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, ecdsa_256_default,  cmd,  setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_default,  cmd,  setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_default,  cmd,  setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY)

 #define PKDTESTS_DEFAULT(f, client, cmd) \
    /* Default passes by server key type. */ \
    PKDTESTS_DEFAULT_FIPS(f, client, cmd) \
-    f(client, ed25519_default,    cmd,  setup_ed25519,    teardown)
+    f(client, ed25519_default,    cmd,  setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY)

 #define GEX_SHA256 "diffie-hellman-group-exchange-sha256"
 #define GEX_SHA1   "diffie-hellman-group-exchange-sha1"

 #if defined(WITH_GEX)
 #define PKDTESTS_KEX_FIPS(f, client, kexcmd) \
-    f(client, rsa_ecdh_sha2_nistp256,                 kexcmd("ecdh-sha2-nistp256"),            setup_rsa,        teardown) \
-    f(client, rsa_ecdh_sha2_nistp384,                 kexcmd("ecdh-sha2-nistp384"),            setup_rsa,        teardown) \
-    f(client, rsa_ecdh_sha2_nistp521,                 kexcmd("ecdh-sha2-nistp521"),            setup_rsa,        teardown) \
-    f(client, rsa_diffie_hellman_group16_sha512,      kexcmd("diffie-hellman-group16-sha512"), setup_rsa,        teardown) \
-    f(client, rsa_diffie_hellman_group18_sha512,      kexcmd("diffie-hellman-group18-sha512"), setup_rsa,        teardown) \
-    f(client, ecdsa_256_ecdh_sha2_nistp256,           kexcmd("ecdh-sha2-nistp256"),            setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_ecdh_sha2_nistp384,           kexcmd("ecdh-sha2-nistp384"),            setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_ecdh_sha2_nistp521,           kexcmd("ecdh-sha2-nistp521"),            setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_384_ecdh_sha2_nistp256,           kexcmd("ecdh-sha2-nistp256"),            setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_ecdh_sha2_nistp384,           kexcmd("ecdh-sha2-nistp384"),            setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_ecdh_sha2_nistp521,           kexcmd("ecdh-sha2-nistp521"),            setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_521_ecdh_sha2_nistp256,           kexcmd("ecdh-sha2-nistp256"),            setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_ecdh_sha2_nistp384,           kexcmd("ecdh-sha2-nistp384"),            setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_ecdh_sha2_nistp521,           kexcmd("ecdh-sha2-nistp521"),            setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_521,  teardown) \
-    f(client, rsa_diffie_hellman_group_exchange_sha256,       kexcmd(GEX_SHA256),              setup_rsa,        teardown) \
-    f(client, ecdsa_256_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256),              setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_384_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256),              setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_521_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256),              setup_ecdsa_521,  teardown)
+    f(client, rsa_ecdh_sha2_nistp256,                 kexcmd("ecdh-sha2-nistp256"),            setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_ecdh_sha2_nistp384,                 kexcmd("ecdh-sha2-nistp384"),            setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_ecdh_sha2_nistp521,                 kexcmd("ecdh-sha2-nistp521"),            setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_diffie_hellman_group16_sha512,      kexcmd("diffie-hellman-group16-sha512"), setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_diffie_hellman_group18_sha512,      kexcmd("diffie-hellman-group18-sha512"), setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, ecdsa_256_ecdh_sha2_nistp256,           kexcmd("ecdh-sha2-nistp256"),            setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_ecdh_sha2_nistp384,           kexcmd("ecdh-sha2-nistp384"),            setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_ecdh_sha2_nistp521,           kexcmd("ecdh-sha2-nistp521"),            setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_ecdh_sha2_nistp256,           kexcmd("ecdh-sha2-nistp256"),            setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_ecdh_sha2_nistp384,           kexcmd("ecdh-sha2-nistp384"),            setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_ecdh_sha2_nistp521,           kexcmd("ecdh-sha2-nistp521"),            setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_ecdh_sha2_nistp256,           kexcmd("ecdh-sha2-nistp256"),            setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_ecdh_sha2_nistp384,           kexcmd("ecdh-sha2-nistp384"),            setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_ecdh_sha2_nistp521,           kexcmd("ecdh-sha2-nistp521"),            setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, rsa_diffie_hellman_group_exchange_sha256,       kexcmd(GEX_SHA256),              setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, ecdsa_256_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256),              setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256),              setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256),              setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY)
 #else /* !defined(WITH_GEX) */
 #define PKDTESTS_KEX_FIPS(f, client, kexcmd) \
-    f(client, rsa_ecdh_sha2_nistp256,                 kexcmd("ecdh-sha2-nistp256"),            setup_rsa,        teardown) \
-    f(client, rsa_ecdh_sha2_nistp384,                 kexcmd("ecdh-sha2-nistp384"),            setup_rsa,        teardown) \
-    f(client, rsa_ecdh_sha2_nistp521,                 kexcmd("ecdh-sha2-nistp521"),            setup_rsa,        teardown) \
-    f(client, rsa_diffie_hellman_group14_sha256,      kexcmd("diffie-hellman-group14-sha256"), setup_rsa,        teardown) \
-    f(client, rsa_diffie_hellman_group16_sha512,      kexcmd("diffie-hellman-group16-sha512"), setup_rsa,        teardown) \
-    f(client, rsa_diffie_hellman_group18_sha512,      kexcmd("diffie-hellman-group18-sha512"), setup_rsa,        teardown) \
-    f(client, ecdsa_256_ecdh_sha2_nistp256,           kexcmd("ecdh-sha2-nistp256"),            setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_ecdh_sha2_nistp384,           kexcmd("ecdh-sha2-nistp384"),            setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_ecdh_sha2_nistp521,           kexcmd("ecdh-sha2-nistp521"),            setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_diffie_hellman_group14_sha256,kexcmd("diffie-hellman-group14-sha256"), setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_384_ecdh_sha2_nistp256,           kexcmd("ecdh-sha2-nistp256"),            setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_ecdh_sha2_nistp384,           kexcmd("ecdh-sha2-nistp384"),            setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_ecdh_sha2_nistp521,           kexcmd("ecdh-sha2-nistp521"),            setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_diffie_hellman_group14_sha256,kexcmd("diffie-hellman-group14-sha256"), setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_521_ecdh_sha2_nistp256,           kexcmd("ecdh-sha2-nistp256"),            setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_ecdh_sha2_nistp384,           kexcmd("ecdh-sha2-nistp384"),            setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_ecdh_sha2_nistp521,           kexcmd("ecdh-sha2-nistp521"),            setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_diffie_hellman_group14_sha256,kexcmd("diffie-hellman-group14-sha256"), setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_521,  teardown)
+    f(client, rsa_ecdh_sha2_nistp256,                 kexcmd("ecdh-sha2-nistp256"),            setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_ecdh_sha2_nistp384,                 kexcmd("ecdh-sha2-nistp384"),            setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_ecdh_sha2_nistp521,                 kexcmd("ecdh-sha2-nistp521"),            setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_diffie_hellman_group14_sha256,      kexcmd("diffie-hellman-group14-sha256"), setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_diffie_hellman_group16_sha512,      kexcmd("diffie-hellman-group16-sha512"), setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_diffie_hellman_group18_sha512,      kexcmd("diffie-hellman-group18-sha512"), setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, ecdsa_256_ecdh_sha2_nistp256,           kexcmd("ecdh-sha2-nistp256"),            setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_ecdh_sha2_nistp384,           kexcmd("ecdh-sha2-nistp384"),            setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_ecdh_sha2_nistp521,           kexcmd("ecdh-sha2-nistp521"),            setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_diffie_hellman_group14_sha256,kexcmd("diffie-hellman-group14-sha256"), setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_ecdh_sha2_nistp256,           kexcmd("ecdh-sha2-nistp256"),            setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_ecdh_sha2_nistp384,           kexcmd("ecdh-sha2-nistp384"),            setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_ecdh_sha2_nistp521,           kexcmd("ecdh-sha2-nistp521"),            setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_diffie_hellman_group14_sha256,kexcmd("diffie-hellman-group14-sha256"), setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_ecdh_sha2_nistp256,           kexcmd("ecdh-sha2-nistp256"),            setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_ecdh_sha2_nistp384,           kexcmd("ecdh-sha2-nistp384"),            setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_ecdh_sha2_nistp521,           kexcmd("ecdh-sha2-nistp521"),            setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_diffie_hellman_group14_sha256,kexcmd("diffie-hellman-group14-sha256"), setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY)
 #endif

 #ifdef OPENSSH_SNTRUP761X25519_SHA512_OPENSSH_COM
 #define SNTRUP_OPENSSH_NAME "sntrup761x25519-sha512@openssh.com"
 #define PKDTESTS_KEX_SNTRUP761_OPENSSH(f, client, kexcmd) \
-    f(client, rsa_sntrup761x25519_sha512_openssh_com,       kexcmd(SNTRUP_OPENSSH_NAME), setup_rsa,       teardown) \
-    f(client, ecdsa_256_sntrup761x25519_sha512_openssh_com, kexcmd(SNTRUP_OPENSSH_NAME), setup_ecdsa_256, teardown) \
-    f(client, ecdsa_384_sntrup761x25519_sha512_openssh_com, kexcmd(SNTRUP_OPENSSH_NAME), setup_ecdsa_384, teardown) \
-    f(client, ecdsa_521_sntrup761x25519_sha512_openssh_com, kexcmd(SNTRUP_OPENSSH_NAME), setup_ecdsa_521, teardown) \
-    f(client, ed25519_sntrup761x25519_sha512_openssh_com,   kexcmd(SNTRUP_OPENSSH_NAME), setup_ed25519,   teardown)
+    f(client, rsa_sntrup761x25519_sha512_openssh_com,       kexcmd(SNTRUP_OPENSSH_NAME), setup_rsa,       teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, ecdsa_256_sntrup761x25519_sha512_openssh_com, kexcmd(SNTRUP_OPENSSH_NAME), setup_ecdsa_256, teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_sntrup761x25519_sha512_openssh_com, kexcmd(SNTRUP_OPENSSH_NAME), setup_ecdsa_384, teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_sntrup761x25519_sha512_openssh_com, kexcmd(SNTRUP_OPENSSH_NAME), setup_ecdsa_521, teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ed25519_sntrup761x25519_sha512_openssh_com,   kexcmd(SNTRUP_OPENSSH_NAME), setup_ed25519,   teardown, LIBSSH_ED25519_TESTKEY)
 #else
 #define PKDTESTS_KEX_SNTRUP761_OPENSSH(f, client, kexcmd)
 #endif
@@ -297,44 +297,44 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
 #ifdef OPENSSH_SNTRUP761X25519_SHA512
 #define SNTRUP_NAME         "sntrup761x25519-sha512"
 #define PKDTESTS_KEX_SNTRUP761(f, client, kexcmd) \
-    f(client, rsa_sntrup761x25519_sha512,                   kexcmd(SNTRUP_NAME),         setup_rsa,       teardown) \
-    f(client, ecdsa_256_sntrup761x25519_sha512,             kexcmd(SNTRUP_NAME),         setup_ecdsa_256, teardown) \
-    f(client, ecdsa_384_sntrup761x25519_sha512,             kexcmd(SNTRUP_NAME),         setup_ecdsa_384, teardown) \
-    f(client, ecdsa_521_sntrup761x25519_sha512,             kexcmd(SNTRUP_NAME),         setup_ecdsa_521, teardown) \
-    f(client, ed25519_sntrup761x25519_sha512,               kexcmd(SNTRUP_NAME),         setup_ed25519,   teardown)
+    f(client, rsa_sntrup761x25519_sha512,                   kexcmd(SNTRUP_NAME),         setup_rsa,       teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, ecdsa_256_sntrup761x25519_sha512,             kexcmd(SNTRUP_NAME),         setup_ecdsa_256, teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_sntrup761x25519_sha512,             kexcmd(SNTRUP_NAME),         setup_ecdsa_384, teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_sntrup761x25519_sha512,             kexcmd(SNTRUP_NAME),         setup_ecdsa_521, teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ed25519_sntrup761x25519_sha512,               kexcmd(SNTRUP_NAME),         setup_ed25519,   teardown, LIBSSH_ED25519_TESTKEY)
 #else
 #define PKDTESTS_KEX_SNTRUP761(f, client, kexcmd)
 #endif

 #if defined(HAVE_MLKEM) && defined(OPENSSH_MLKEM768X25519_SHA256)
 #define PKDTESTS_KEX_MLKEM768X25519(f, client, kexcmd) \
-    f(client, rsa_mlkem768x25519_sha256,       kexcmd("mlkem768x25519-sha256"), setup_rsa,       teardown) \
-    f(client, ecdsa_256_mlkem768x25519_sha256, kexcmd("mlkem768x25519-sha256"), setup_ecdsa_256, teardown) \
-    f(client, ecdsa_384_mlkem768x25519_sha256, kexcmd("mlkem768x25519-sha256"), setup_ecdsa_384, teardown) \
-    f(client, ecdsa_521_mlkem768x25519_sha256, kexcmd("mlkem768x25519-sha256"), setup_ecdsa_521, teardown) \
-    f(client, ed25519_mlkem768x25519_sha256,   kexcmd("mlkem768x25519-sha256"), setup_ed25519,   teardown)
+    f(client, rsa_mlkem768x25519_sha256,       kexcmd("mlkem768x25519-sha256"), setup_rsa,       teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, ecdsa_256_mlkem768x25519_sha256, kexcmd("mlkem768x25519-sha256"), setup_ecdsa_256, teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_mlkem768x25519_sha256, kexcmd("mlkem768x25519-sha256"), setup_ecdsa_384, teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_mlkem768x25519_sha256, kexcmd("mlkem768x25519-sha256"), setup_ecdsa_521, teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ed25519_mlkem768x25519_sha256,   kexcmd("mlkem768x25519-sha256"), setup_ed25519,   teardown, LIBSSH_ED25519_TESTKEY)
 #else
 #define PKDTESTS_KEX_MLKEM768X25519(f, client, kexcmd)
 #endif

 #if defined(HAVE_MLKEM) && defined(OPENSSH_MLKEM768NISTP256_SHA256)
 #define PKDTESTS_KEX_MLKEM768NISTP256(f, client, kexcmd) \
-    f(client, rsa_mlkem768nistp256_sha256,       kexcmd("mlkem768nistp256-sha256"), setup_rsa,       teardown) \
-    f(client, ecdsa_256_mlkem768nistp256_sha256, kexcmd("mlkem768nistp256-sha256"), setup_ecdsa_256, teardown) \
-    f(client, ecdsa_384_mlkem768nistp256_sha256, kexcmd("mlkem768nistp256-sha256"), setup_ecdsa_384, teardown) \
-    f(client, ecdsa_521_mlkem768nistp256_sha256, kexcmd("mlkem768nistp256-sha256"), setup_ecdsa_521, teardown) \
-    f(client, ed25519_mlkem768nistp256_sha256,   kexcmd("mlkem768nistp256-sha256"), setup_ed25519,   teardown)
+    f(client, rsa_mlkem768nistp256_sha256,       kexcmd("mlkem768nistp256-sha256"), setup_rsa,       teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, ecdsa_256_mlkem768nistp256_sha256, kexcmd("mlkem768nistp256-sha256"), setup_ecdsa_256, teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_mlkem768nistp256_sha256, kexcmd("mlkem768nistp256-sha256"), setup_ecdsa_384, teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_mlkem768nistp256_sha256, kexcmd("mlkem768nistp256-sha256"), setup_ecdsa_521, teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ed25519_mlkem768nistp256_sha256,   kexcmd("mlkem768nistp256-sha256"), setup_ed25519,   teardown, LIBSSH_ED25519_TESTKEY)
 #else
 #define PKDTESTS_KEX_MLKEM768NISTP256(f, client, kexcmd)
 #endif

 #if defined(HAVE_MLKEM) && defined(OPENSSH_MLKEM1024NISTP384_SHA384)
 #define PKDTESTS_KEX_MLKEM1024NISTP384(f, client, kexcmd) \
-    f(client, rsa_mlkem1024nistp384_sha384,       kexcmd("mlkem1024nistp384-sha384"), setup_rsa,       teardown) \
-    f(client, ecdsa_256_mlkem1024nistp384_sha384, kexcmd("mlkem1024nistp384-sha384"), setup_ecdsa_256, teardown) \
-    f(client, ecdsa_384_mlkem1024nistp384_sha384, kexcmd("mlkem1024nistp384-sha384"), setup_ecdsa_384, teardown) \
-    f(client, ecdsa_521_mlkem1024nistp384_sha384, kexcmd("mlkem1024nistp384-sha384"), setup_ecdsa_521, teardown) \
-    f(client, ed25519_mlkem1024nistp384_sha384,   kexcmd("mlkem1024nistp384-sha384"), setup_ed25519,   teardown)
+    f(client, rsa_mlkem1024nistp384_sha384,       kexcmd("mlkem1024nistp384-sha384"), setup_rsa,       teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, ecdsa_256_mlkem1024nistp384_sha384, kexcmd("mlkem1024nistp384-sha384"), setup_ecdsa_256, teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_mlkem1024nistp384_sha384, kexcmd("mlkem1024nistp384-sha384"), setup_ecdsa_384, teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_mlkem1024nistp384_sha384, kexcmd("mlkem1024nistp384-sha384"), setup_ecdsa_521, teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ed25519_mlkem1024nistp384_sha384,   kexcmd("mlkem1024nistp384-sha384"), setup_ed25519,   teardown, LIBSSH_ED25519_TESTKEY)
 #else
 #define PKDTESTS_KEX_MLKEM1024NISTP384(f, client, kexcmd)
 #endif
@@ -346,146 +346,146 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
    PKDTESTS_KEX_MLKEM768X25519(f, client, kexcmd) \
    PKDTESTS_KEX_MLKEM768NISTP256(f, client, kexcmd) \
    PKDTESTS_KEX_MLKEM1024NISTP384(f, client, kexcmd) \
-    f(client, rsa_curve25519_sha256,                  kexcmd("curve25519-sha256"),             setup_rsa,        teardown) \
-    f(client, rsa_curve25519_sha256_libssh_org,       kexcmd("curve25519-sha256@libssh.org"),  setup_rsa,        teardown) \
-    f(client, rsa_diffie_hellman_group14_sha1,        kexcmd("diffie-hellman-group14-sha1"),   setup_rsa,        teardown) \
-    f(client, rsa_diffie_hellman_group1_sha1,         kexcmd("diffie-hellman-group1-sha1"),    setup_rsa,        teardown) \
-    f(client, ecdsa_256_curve25519_sha256,            kexcmd("curve25519-sha256"),             setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"),  setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_diffie_hellman_group14_sha1,  kexcmd("diffie-hellman-group14-sha1"),   setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_diffie_hellman_group1_sha1,   kexcmd("diffie-hellman-group1-sha1"),    setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_384_curve25519_sha256,            kexcmd("curve25519-sha256"),             setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"),  setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_diffie_hellman_group14_sha1,  kexcmd("diffie-hellman-group14-sha1"),   setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_diffie_hellman_group1_sha1,   kexcmd("diffie-hellman-group1-sha1"),    setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_521_curve25519_sha256,            kexcmd("curve25519-sha256"),             setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"),  setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_diffie_hellman_group14_sha1,  kexcmd("diffie-hellman-group14-sha1"),   setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_diffie_hellman_group1_sha1,   kexcmd("diffie-hellman-group1-sha1"),    setup_ecdsa_521,  teardown)
+    f(client, rsa_curve25519_sha256,                  kexcmd("curve25519-sha256"),             setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_curve25519_sha256_libssh_org,       kexcmd("curve25519-sha256@libssh.org"),  setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_diffie_hellman_group14_sha1,        kexcmd("diffie-hellman-group14-sha1"),   setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_diffie_hellman_group1_sha1,         kexcmd("diffie-hellman-group1-sha1"),    setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, ecdsa_256_curve25519_sha256,            kexcmd("curve25519-sha256"),             setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"),  setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_diffie_hellman_group14_sha1,  kexcmd("diffie-hellman-group14-sha1"),   setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_diffie_hellman_group1_sha1,   kexcmd("diffie-hellman-group1-sha1"),    setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_curve25519_sha256,            kexcmd("curve25519-sha256"),             setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"),  setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_diffie_hellman_group14_sha1,  kexcmd("diffie-hellman-group14-sha1"),   setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_diffie_hellman_group1_sha1,   kexcmd("diffie-hellman-group1-sha1"),    setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_curve25519_sha256,            kexcmd("curve25519-sha256"),             setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"),  setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_diffie_hellman_group14_sha1,  kexcmd("diffie-hellman-group14-sha1"),   setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_diffie_hellman_group1_sha1,   kexcmd("diffie-hellman-group1-sha1"),    setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY)

 #if defined(WITH_GEX)
    /* GEX_SHA256 is included in PKDTESTS_KEX_FIPS if available */
 #define PKDTESTS_KEX(f, client, kexcmd) \
    /* Kex algorithms. */ \
    PKDTESTS_KEX_COMMON(f, client, kexcmd) \
-    f(client, rsa_diffie_hellman_group_exchange_sha1,         kexcmd(GEX_SHA1),                setup_rsa,        teardown) \
-    f(client, ecdsa_256_diffie_hellman_group_exchange_sha1,   kexcmd(GEX_SHA1),                setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_384_diffie_hellman_group_exchange_sha1,   kexcmd(GEX_SHA1),                setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_521_diffie_hellman_group_exchange_sha1,   kexcmd(GEX_SHA1),                setup_ecdsa_521,  teardown)
+    f(client, rsa_diffie_hellman_group_exchange_sha1,         kexcmd(GEX_SHA1),                setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, ecdsa_256_diffie_hellman_group_exchange_sha1,   kexcmd(GEX_SHA1),                setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_diffie_hellman_group_exchange_sha1,   kexcmd(GEX_SHA1),                setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_diffie_hellman_group_exchange_sha1,   kexcmd(GEX_SHA1),                setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY)
 #else
 #define PKDTESTS_KEX(f, client, kexcmd) \
    /* Kex algorithms. */ \
-    f(client, ed25519_curve25519_sha256,              kexcmd("curve25519-sha256"),             setup_ed25519,    teardown) \
-    f(client, ed25519_curve25519_sha256_libssh_org,   kexcmd("curve25519-sha256@libssh.org"),  setup_ed25519,    teardown) \
-    f(client, ed25519_ecdh_sha2_nistp256,             kexcmd("ecdh-sha2-nistp256"),            setup_ed25519,    teardown) \
-    f(client, ed25519_ecdh_sha2_nistp384,             kexcmd("ecdh-sha2-nistp384"),            setup_ed25519,    teardown) \
-    f(client, ed25519_ecdh_sha2_nistp521,             kexcmd("ecdh-sha2-nistp521"),            setup_ed25519,    teardown) \
-    f(client, ed25519_diffie_hellman_group14_sha256,  kexcmd("diffie-hellman-group14-sha256"), setup_ed25519,    teardown) \
-    f(client, ed25519_diffie_hellman_group16_sha512,  kexcmd("diffie-hellman-group16-sha512"), setup_ed25519,    teardown) \
-    f(client, ed25519_diffie_hellman_group18_sha512,  kexcmd("diffie-hellman-group18-sha512"), setup_ed25519,    teardown) \
-    f(client, ed25519_diffie_hellman_group1_sha1,     kexcmd("diffie-hellman-group1-sha1"),    setup_ed25519,    teardown) \
-    f(client, ed25519_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256),                setup_ed25519,    teardown) \
-    f(client, ed25519_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1),                    setup_ed25519,    teardown)
+    f(client, ed25519_curve25519_sha256,              kexcmd("curve25519-sha256"),             setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_curve25519_sha256_libssh_org,   kexcmd("curve25519-sha256@libssh.org"),  setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_ecdh_sha2_nistp256,             kexcmd("ecdh-sha2-nistp256"),            setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_ecdh_sha2_nistp384,             kexcmd("ecdh-sha2-nistp384"),            setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_ecdh_sha2_nistp521,             kexcmd("ecdh-sha2-nistp521"),            setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_diffie_hellman_group14_sha256,  kexcmd("diffie-hellman-group14-sha256"), setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_diffie_hellman_group16_sha512,  kexcmd("diffie-hellman-group16-sha512"), setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_diffie_hellman_group18_sha512,  kexcmd("diffie-hellman-group18-sha512"), setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_diffie_hellman_group1_sha1,     kexcmd("diffie-hellman-group1-sha1"),    setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256),                setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1),                    setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY)
 #endif

 #define PKDTESTS_CIPHER_COMMON(f, client, ciphercmd) \
-    f(client, rsa_aes128_ctr,          ciphercmd("aes128-ctr"),    setup_rsa,        teardown) \
-    f(client, rsa_aes256_ctr,          ciphercmd("aes256-ctr"),    setup_rsa,        teardown) \
-    f(client, ecdsa_256_aes128_ctr,    ciphercmd("aes128-ctr"),    setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_aes256_ctr,    ciphercmd("aes256-ctr"),    setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_384_aes128_ctr,    ciphercmd("aes128-ctr"),    setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_aes256_ctr,    ciphercmd("aes256-ctr"),    setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_521_aes128_ctr,    ciphercmd("aes128-ctr"),    setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_aes256_ctr,    ciphercmd("aes256-ctr"),    setup_ecdsa_521,  teardown)
+    f(client, rsa_aes128_ctr,          ciphercmd("aes128-ctr"),    setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_aes256_ctr,          ciphercmd("aes256-ctr"),    setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, ecdsa_256_aes128_ctr,    ciphercmd("aes128-ctr"),    setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_aes256_ctr,    ciphercmd("aes256-ctr"),    setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_aes128_ctr,    ciphercmd("aes128-ctr"),    setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_aes256_ctr,    ciphercmd("aes256-ctr"),    setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_aes128_ctr,    ciphercmd("aes128-ctr"),    setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_aes256_ctr,    ciphercmd("aes256-ctr"),    setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY)

 #define PKDTESTS_CIPHER_FIPS(f, client, ciphercmd) \
    PKDTESTS_CIPHER_COMMON(f, client, ciphercmd) \
-    f(client, rsa_aes128_cbc,          ciphercmd("aes128-cbc"),    setup_rsa,        teardown) \
-    f(client, rsa_aes256_cbc,          ciphercmd("aes256-cbc"),    setup_rsa,        teardown) \
-    f(client, ecdsa_256_aes128_cbc,    ciphercmd("aes128-cbc"),    setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_aes256_cbc,    ciphercmd("aes256-cbc"),    setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_384_aes128_cbc,    ciphercmd("aes128-cbc"),    setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_aes256_cbc,    ciphercmd("aes256-cbc"),    setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_521_aes128_cbc,    ciphercmd("aes128-cbc"),    setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_aes256_cbc,    ciphercmd("aes256-cbc"),    setup_ecdsa_521,  teardown)
+    f(client, rsa_aes128_cbc,          ciphercmd("aes128-cbc"),    setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_aes256_cbc,          ciphercmd("aes256-cbc"),    setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, ecdsa_256_aes128_cbc,    ciphercmd("aes128-cbc"),    setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_aes256_cbc,    ciphercmd("aes256-cbc"),    setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_aes128_cbc,    ciphercmd("aes128-cbc"),    setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_aes256_cbc,    ciphercmd("aes256-cbc"),    setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_aes128_cbc,    ciphercmd("aes128-cbc"),    setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_aes256_cbc,    ciphercmd("aes256-cbc"),    setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY)

 #define CHACHA20 "chacha20-poly1305@openssh.com"
 #define PKDTESTS_CIPHER_CHACHA(f, client, ciphercmd) \
-    f(client, rsa_chacha20,            ciphercmd(CHACHA20),        setup_rsa,        teardown) \
-    f(client, ed25519_chacha20,        ciphercmd(CHACHA20),        setup_ed25519,    teardown) \
-    f(client, ecdsa_256_chacha20,      ciphercmd(CHACHA20),        setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_384_chacha20,      ciphercmd(CHACHA20),        setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_521_chacha20,      ciphercmd(CHACHA20),        setup_ecdsa_521,  teardown)
+    f(client, rsa_chacha20,            ciphercmd(CHACHA20),        setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, ed25519_chacha20,        ciphercmd(CHACHA20),        setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ecdsa_256_chacha20,      ciphercmd(CHACHA20),        setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_chacha20,      ciphercmd(CHACHA20),        setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_chacha20,      ciphercmd(CHACHA20),        setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY)

 #define PKDTESTS_CIPHER(f, client, ciphercmd) \
    /* Ciphers. */ \
    PKDTESTS_CIPHER_COMMON(f, client, ciphercmd) \
    PKDTESTS_CIPHER_CHACHA(f, client, ciphercmd) \
-    f(client, ed25519_aes128_ctr,      ciphercmd("aes128-ctr"),    setup_ed25519,    teardown) \
-    f(client, ed25519_aes256_ctr,      ciphercmd("aes256-ctr"),    setup_ed25519,    teardown)
+    f(client, ed25519_aes128_ctr,      ciphercmd("aes128-ctr"),    setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_aes256_ctr,      ciphercmd("aes256-ctr"),    setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY)

 #define AES128_GCM "aes128-gcm@openssh.com"
 #define AES256_GCM "aes256-gcm@openssh.com"

 #define PKDTESTS_CIPHER_OPENSSHONLY_FIPS(f, client, ciphercmd) \
-    f(client, rsa_aes128_gcm,          ciphercmd(AES128_GCM),      setup_rsa,        teardown) \
-    f(client, rsa_aes256_gcm,          ciphercmd(AES256_GCM),      setup_rsa,        teardown) \
-    f(client, ecdsa_256_aes128_gcm,    ciphercmd(AES128_GCM),      setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_aes256_gcm,    ciphercmd(AES256_GCM),      setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_384_aes128_gcm,    ciphercmd(AES128_GCM),      setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_aes256_gcm,    ciphercmd(AES256_GCM),      setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_521_aes128_gcm,    ciphercmd(AES128_GCM),      setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_aes256_gcm,    ciphercmd(AES256_GCM),      setup_ecdsa_521,  teardown)
+    f(client, rsa_aes128_gcm,          ciphercmd(AES128_GCM),      setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_aes256_gcm,          ciphercmd(AES256_GCM),      setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, ecdsa_256_aes128_gcm,    ciphercmd(AES128_GCM),      setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_aes256_gcm,    ciphercmd(AES256_GCM),      setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_aes128_gcm,    ciphercmd(AES128_GCM),      setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_aes256_gcm,    ciphercmd(AES256_GCM),      setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_aes128_gcm,    ciphercmd(AES128_GCM),      setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_aes256_gcm,    ciphercmd(AES256_GCM),      setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY)

 #define PKDTESTS_CIPHER_OPENSSHONLY(f, client, ciphercmd) \
    /* Ciphers. */ \
    PKDTESTS_CIPHER_OPENSSHONLY_FIPS(f, client, ciphercmd) \
-    f(client, rsa_3des_cbc,            ciphercmd("3des-cbc"),      setup_rsa,        teardown) \
-    f(client, rsa_aes128_cbc,          ciphercmd("aes128-cbc"),    setup_rsa,        teardown) \
-    f(client, rsa_aes192_cbc,          ciphercmd("aes192-cbc"),    setup_rsa,        teardown) \
-    f(client, rsa_aes256_cbc,          ciphercmd("aes256-cbc"),    setup_rsa,        teardown) \
-    f(client, rsa_aes192_ctr,          ciphercmd("aes192-ctr"),    setup_rsa,        teardown) \
-    f(client, ed25519_3des_cbc,        ciphercmd("3des-cbc"),      setup_ed25519,    teardown) \
-    f(client, ed25519_aes128_cbc,      ciphercmd("aes128-cbc"),    setup_ed25519,    teardown) \
-    f(client, ed25519_aes256_cbc,      ciphercmd("aes256-cbc"),    setup_ed25519,    teardown) \
-    f(client, ed25519_aes192_cbc,      ciphercmd("aes192-cbc"),    setup_ed25519,    teardown) \
-    f(client, ed25519_aes192_ctr,      ciphercmd("aes192-ctr"),    setup_ed25519,    teardown) \
-    f(client, ed25519_aes128_gcm,      ciphercmd(AES128_GCM),      setup_ed25519,    teardown) \
-    f(client, ed25519_aes256_gcm,      ciphercmd(AES256_GCM),      setup_ed25519,    teardown) \
-    f(client, ecdsa_256_3des_cbc,      ciphercmd("3des-cbc"),      setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_aes128_cbc,    ciphercmd("aes128-cbc"),    setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_aes192_cbc,    ciphercmd("aes192-cbc"),    setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_aes256_cbc,    ciphercmd("aes256-cbc"),    setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_aes192_ctr,    ciphercmd("aes192-ctr"),    setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_384_3des_cbc,      ciphercmd("3des-cbc"),      setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_aes128_cbc,    ciphercmd("aes128-cbc"),    setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_aes192_cbc,    ciphercmd("aes192-cbc"),    setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_aes256_cbc,    ciphercmd("aes256-cbc"),    setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_aes192_ctr,    ciphercmd("aes192-ctr"),    setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_521_3des_cbc,      ciphercmd("3des-cbc"),      setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_aes128_cbc,    ciphercmd("aes128-cbc"),    setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_aes192_cbc,    ciphercmd("aes192-cbc"),    setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_aes256_cbc,    ciphercmd("aes256-cbc"),    setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_aes192_ctr,    ciphercmd("aes192-ctr"),    setup_ecdsa_521,  teardown)
+    f(client, rsa_3des_cbc,            ciphercmd("3des-cbc"),      setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_aes128_cbc,          ciphercmd("aes128-cbc"),    setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_aes192_cbc,          ciphercmd("aes192-cbc"),    setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_aes256_cbc,          ciphercmd("aes256-cbc"),    setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_aes192_ctr,          ciphercmd("aes192-ctr"),    setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, ed25519_3des_cbc,        ciphercmd("3des-cbc"),      setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_aes128_cbc,      ciphercmd("aes128-cbc"),    setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_aes256_cbc,      ciphercmd("aes256-cbc"),    setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_aes192_cbc,      ciphercmd("aes192-cbc"),    setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_aes192_ctr,      ciphercmd("aes192-ctr"),    setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_aes128_gcm,      ciphercmd(AES128_GCM),      setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_aes256_gcm,      ciphercmd(AES256_GCM),      setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ecdsa_256_3des_cbc,      ciphercmd("3des-cbc"),      setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_aes128_cbc,    ciphercmd("aes128-cbc"),    setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_aes192_cbc,    ciphercmd("aes192-cbc"),    setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_aes256_cbc,    ciphercmd("aes256-cbc"),    setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_aes192_ctr,    ciphercmd("aes192-ctr"),    setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_3des_cbc,      ciphercmd("3des-cbc"),      setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_aes128_cbc,    ciphercmd("aes128-cbc"),    setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_aes192_cbc,    ciphercmd("aes192-cbc"),    setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_aes256_cbc,    ciphercmd("aes256-cbc"),    setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_aes192_ctr,    ciphercmd("aes192-ctr"),    setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_3des_cbc,      ciphercmd("3des-cbc"),      setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_aes128_cbc,    ciphercmd("aes128-cbc"),    setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_aes192_cbc,    ciphercmd("aes192-cbc"),    setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_aes256_cbc,    ciphercmd("aes256-cbc"),    setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_aes192_ctr,    ciphercmd("aes192-ctr"),    setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY)


 #define PKDTESTS_MAC_FIPS_BASE(f, client, maccmd) \
-    f(client, ecdsa_256_hmac_sha2_256,      maccmd("hmac-sha2-256"),                  setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_384_hmac_sha2_256,      maccmd("hmac-sha2-256"),                  setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_521_hmac_sha2_256,      maccmd("hmac-sha2-256"),                  setup_ecdsa_521,  teardown) \
-    f(client, rsa_hmac_sha2_256,            maccmd("hmac-sha2-256"),                  setup_rsa,        teardown)
+    f(client, ecdsa_256_hmac_sha2_256,      maccmd("hmac-sha2-256"),                  setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_hmac_sha2_256,      maccmd("hmac-sha2-256"),                  setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_hmac_sha2_256,      maccmd("hmac-sha2-256"),                  setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, rsa_hmac_sha2_256,            maccmd("hmac-sha2-256"),                  setup_rsa,        teardown, LIBSSH_RSA_TESTKEY)

 #define PKDTESTS_MAC_FIPS_SHA1(f, client, maccmd) \
-    f(client, ecdsa_256_hmac_sha1,          maccmd("hmac-sha1"),                      setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_384_hmac_sha1,          maccmd("hmac-sha1"),                      setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_521_hmac_sha1,          maccmd("hmac-sha1"),                      setup_ecdsa_521,  teardown) \
-    f(client, rsa_hmac_sha1,                maccmd("hmac-sha1"),                      setup_rsa,        teardown)
+    f(client, ecdsa_256_hmac_sha1,          maccmd("hmac-sha1"),                      setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_hmac_sha1,          maccmd("hmac-sha1"),                      setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_hmac_sha1,          maccmd("hmac-sha1"),                      setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, rsa_hmac_sha1,                maccmd("hmac-sha1"),                      setup_rsa,        teardown, LIBSSH_RSA_TESTKEY)

 #ifdef DROPBEAR_SUPPORTS_HMAC_SHA1
 #define PKDTESTS_MAC_FIPS(f, client, maccmd)  \
    PKDTESTS_MAC_FIPS_BASE(f, client, maccmd) \
    PKDTESTS_MAC_FIPS_SHA1(f, client, maccmd) \
-    f(client, ed25519_hmac_sha1,            maccmd("hmac-sha1"),                      setup_ed25519,    teardown)
+    f(client, ed25519_hmac_sha1,            maccmd("hmac-sha1"),                      setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY)
 #define PKDTESTS_MAC_OPENSSHONLY_FIPS_SHA1(f, client, maccmd)
 #else
 #define PKDTESTS_MAC_FIPS(f, client, maccmd) \
@@ -496,41 +496,41 @@ static int torture_pkd_setup_ecdsa_521(void **state) {

 #define PKDTESTS_MAC_OPENSSHONLY_FIPS(f, client, maccmd) \
    PKDTESTS_MAC_OPENSSHONLY_FIPS_SHA1(f, client, maccmd) \
-    f(client, ecdsa_256_hmac_sha1_etm,      maccmd("hmac-sha1-etm@openssh.com"),      setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_hmac_sha2_256_etm,  maccmd("hmac-sha2-256-etm@openssh.com"),  setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_hmac_sha2_512,      maccmd("hmac-sha2-512"),                  setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_256_hmac_sha2_512_etm,  maccmd("hmac-sha2-512-etm@openssh.com"),  setup_ecdsa_256,  teardown) \
-    f(client, ecdsa_384_hmac_sha1_etm,      maccmd("hmac-sha1-etm@openssh.com"),      setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_hmac_sha2_256_etm,  maccmd("hmac-sha2-256-etm@openssh.com"),  setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_hmac_sha2_512,      maccmd("hmac-sha2-512"),                  setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_384_hmac_sha2_512_etm,  maccmd("hmac-sha2-512-etm@openssh.com"),  setup_ecdsa_384,  teardown) \
-    f(client, ecdsa_521_hmac_sha1_etm,      maccmd("hmac-sha1-etm@openssh.com"),      setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_hmac_sha2_256_etm,  maccmd("hmac-sha2-256-etm@openssh.com"),  setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_hmac_sha2_512,      maccmd("hmac-sha2-512"),                  setup_ecdsa_521,  teardown) \
-    f(client, ecdsa_521_hmac_sha2_512_etm,  maccmd("hmac-sha2-512-etm@openssh.com"),  setup_ecdsa_521,  teardown) \
-    f(client, rsa_hmac_sha1_etm,            maccmd("hmac-sha1-etm@openssh.com"),      setup_rsa,        teardown) \
-    f(client, rsa_hmac_sha2_256_etm,        maccmd("hmac-sha2-256-etm@openssh.com"),  setup_rsa,        teardown) \
-    f(client, rsa_hmac_sha2_512,            maccmd("hmac-sha2-512"),                  setup_rsa,        teardown) \
-    f(client, rsa_hmac_sha2_512_etm,        maccmd("hmac-sha2-512-etm@openssh.com"),  setup_rsa,        teardown)
+    f(client, ecdsa_256_hmac_sha1_etm,      maccmd("hmac-sha1-etm@openssh.com"),      setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_hmac_sha2_256_etm,  maccmd("hmac-sha2-256-etm@openssh.com"),  setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_hmac_sha2_512,      maccmd("hmac-sha2-512"),                  setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_256_hmac_sha2_512_etm,  maccmd("hmac-sha2-512-etm@openssh.com"),  setup_ecdsa_256,  teardown, LIBSSH_ECDSA_256_TESTKEY) \
+    f(client, ecdsa_384_hmac_sha1_etm,      maccmd("hmac-sha1-etm@openssh.com"),      setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_hmac_sha2_256_etm,  maccmd("hmac-sha2-256-etm@openssh.com"),  setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_hmac_sha2_512,      maccmd("hmac-sha2-512"),                  setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_384_hmac_sha2_512_etm,  maccmd("hmac-sha2-512-etm@openssh.com"),  setup_ecdsa_384,  teardown, LIBSSH_ECDSA_384_TESTKEY) \
+    f(client, ecdsa_521_hmac_sha1_etm,      maccmd("hmac-sha1-etm@openssh.com"),      setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_hmac_sha2_256_etm,  maccmd("hmac-sha2-256-etm@openssh.com"),  setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_hmac_sha2_512,      maccmd("hmac-sha2-512"),                  setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, ecdsa_521_hmac_sha2_512_etm,  maccmd("hmac-sha2-512-etm@openssh.com"),  setup_ecdsa_521,  teardown, LIBSSH_ECDSA_521_TESTKEY) \
+    f(client, rsa_hmac_sha1_etm,            maccmd("hmac-sha1-etm@openssh.com"),      setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_hmac_sha2_256_etm,        maccmd("hmac-sha2-256-etm@openssh.com"),  setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_hmac_sha2_512,            maccmd("hmac-sha2-512"),                  setup_rsa,        teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_hmac_sha2_512_etm,        maccmd("hmac-sha2-512-etm@openssh.com"),  setup_rsa,        teardown, LIBSSH_RSA_TESTKEY)

 #define PKDTESTS_MAC(f, client, maccmd) \
    /* MACs. */ \
    PKDTESTS_MAC_FIPS(f, client, maccmd) \
-    f(client, ed25519_hmac_sha2_256,        maccmd("hmac-sha2-256"),                  setup_ed25519,    teardown)
+    f(client, ed25519_hmac_sha2_256,        maccmd("hmac-sha2-256"),                  setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY)

 #define PKDTESTS_MAC_OPENSSHONLY(f, client, maccmd) \
    PKDTESTS_MAC_OPENSSHONLY_FIPS(f, client, maccmd) \
-    f(client, ed25519_hmac_sha1_etm,        maccmd("hmac-sha1-etm@openssh.com"),      setup_ed25519,    teardown) \
-    f(client, ed25519_hmac_sha2_256_etm,    maccmd("hmac-sha2-256-etm@openssh.com"),  setup_ed25519,    teardown) \
-    f(client, ed25519_hmac_sha2_512,        maccmd("hmac-sha2-512"),                  setup_ed25519,    teardown) \
-    f(client, ed25519_hmac_sha2_512_etm,    maccmd("hmac-sha2-512-etm@openssh.com"),  setup_ed25519,    teardown)
+    f(client, ed25519_hmac_sha1_etm,        maccmd("hmac-sha1-etm@openssh.com"),      setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_hmac_sha2_256_etm,    maccmd("hmac-sha2-256-etm@openssh.com"),  setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_hmac_sha2_512,        maccmd("hmac-sha2-512"),                  setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY) \
+    f(client, ed25519_hmac_sha2_512_etm,    maccmd("hmac-sha2-512-etm@openssh.com"),  setup_ed25519,    teardown, LIBSSH_ED25519_TESTKEY)


 #define PKDTESTS_HOSTKEY_OPENSSHONLY_FIPS(f, client, hkcmd) \
-    f(client, rsa_sha2_256,     hkcmd("rsa-sha2-256"),               setup_rsa,    teardown) \
-    f(client, rsa_sha2_512,     hkcmd("rsa-sha2-512"),               setup_rsa,    teardown) \
-    f(client, rsa_sha2_256_512, hkcmd("rsa-sha2-256,rsa-sha2-512"),  setup_rsa,    teardown) \
-    f(client, rsa_sha2_512_256, hkcmd("rsa-sha2-512,rsa-sha2-256"),  setup_rsa,    teardown)
+    f(client, rsa_sha2_256,     hkcmd("rsa-sha2-256"),               setup_rsa,    teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_sha2_512,     hkcmd("rsa-sha2-512"),               setup_rsa,    teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_sha2_256_512, hkcmd("rsa-sha2-256,rsa-sha2-512"),  setup_rsa,    teardown, LIBSSH_RSA_TESTKEY) \
+    f(client, rsa_sha2_512_256, hkcmd("rsa-sha2-512,rsa-sha2-256"),  setup_rsa,    teardown, LIBSSH_RSA_TESTKEY)

 #define PKDTESTS_HOSTKEY_OPENSSHONLY(f, client, hkcmd) \
    PKDTESTS_HOSTKEY_OPENSSHONLY_FIPS(f, client, hkcmd)
@@ -567,12 +567,12 @@ static void torture_pkd_runtest(const char *testname,
 * defined here to result in distinct output when running the tests.
 */

-#define emit_keytest(client, testname, sshcmd, setup, teardown) \
+#define emit_keytest(client, testname, sshcmd, setup, teardown, hostkey) \
    static void torture_pkd_## client ## _ ## testname(void **state) { \
        const char *tname = "torture_pkd_" #client "_" #testname;      \
        char testcmd[2048] = { 0 };                                    \
        (void) state;                                                  \
-        snprintf(&testcmd[0], sizeof(testcmd), sshcmd, tname, tname);  \
+        snprintf(&testcmd[0], sizeof(testcmd), sshcmd, hostkey, tname, tname);  \
        torture_pkd_runtest(tname, testcmd);                           \
    }

@@ -655,23 +655,35 @@ PKDTESTS_CIPHER(emit_keytest, dropbear_ed, DROPBEAR_CIPHER_CMD)
 PKDTESTS_MAC(emit_keytest, dropbear_ed, DROPBEAR_MAC_CMD)
 #undef CLIENT_ID_FILE

+#define CLIENT_ID_FILE PUTTY_RSA_PPK_TESTKEY
+PKDTESTS_DEFAULT(emit_keytest, putty_rsa, PUTTY_CMD)
+#undef CLIENT_ID_FILE
+
+#define CLIENT_ID_FILE PUTTY_ED25519_PPK_TESTKEY
+PKDTESTS_DEFAULT(emit_keytest, putty_ed, PUTTY_CMD)
+#undef CLIENT_ID_FILE
+
+#define CLIENT_ID_FILE PUTTY_ECDSA256_PPK_TESTKEY
+PKDTESTS_DEFAULT(emit_keytest, putty_e256, PUTTY_CMD)
+#undef CLIENT_ID_FILE
+
 /*
 * Define an array of testname strings mapped to their associated
 * test function.  Enables running tests individually by name from
 * the command line.
 */

-#define emit_testmap(client, testname, sshcmd, setup, teardown) \
+#define emit_testmap(client, testname, sshcmd, setup, teardown, ...) \
    { "torture_pkd_" #client "_" #testname,                     \
-      emit_unit_test(client, testname, sshcmd, setup, teardown) },
+      emit_unit_test(client, testname, sshcmd, setup, teardown, ##__VA_ARGS__) },

-#define emit_unit_test(client, testname, sshcmd, setup, teardown) \
+#define emit_unit_test(client, testname, sshcmd, setup, teardown, ...) \
    cmocka_unit_test_setup_teardown(torture_pkd_ ## client ## _ ## testname, \
                                    torture_pkd_ ## setup, \
                                    torture_pkd_ ## teardown)

-#define emit_unit_test_comma(client, testname, sshcmd, setup, teardown) \
-    emit_unit_test(client, testname, sshcmd, setup, teardown),
+#define emit_unit_test_comma(client, testname, sshcmd, setup, teardown, ...) \
+    emit_unit_test(client, testname, sshcmd, setup, teardown, ##__VA_ARGS__),

 struct {
    const char *testname;
@@ -718,8 +730,15 @@ struct {
    PKDTESTS_CIPHER(emit_testmap, dropbear_ed, DROPBEAR_CIPHER_CMD)
    PKDTESTS_MAC(emit_testmap, dropbear_ed, DROPBEAR_MAC_CMD)

+    /* PuTTY */
+    PKDTESTS_DEFAULT(emit_testmap, putty_rsa, PUTTY_CMD)
+
+    PKDTESTS_DEFAULT(emit_testmap, putty_e256, PUTTY_CMD)
+
+    PKDTESTS_DEFAULT(emit_testmap, putty_ed, PUTTY_CMD)
+
    /* Noop */
-    emit_testmap(client, noop, "", setup_noop, teardown)
+    emit_testmap(client, noop, "", setup_noop, teardown, NULL)

    /* NULL tail entry */
    { .testname = NULL,
@@ -798,6 +817,14 @@ static int pkd_run_tests(void) {
        PKDTESTS_MAC(emit_unit_test_comma, dropbear_ed, DROPBEAR_MAC_CMD)
    };

+    const struct CMUnitTest putty_tests[] = {
+        PKDTESTS_DEFAULT(emit_unit_test_comma, putty_rsa, PUTTY_CMD)
+
+        PKDTESTS_DEFAULT(emit_unit_test_comma, putty_e256, PUTTY_CMD)
+
+        PKDTESTS_DEFAULT(emit_unit_test_comma, putty_ed, PUTTY_CMD)
+    };
+
    const struct CMUnitTest openssh_fips_tests[] = {
        PKDTESTS_DEFAULT_FIPS(emit_unit_test_comma, openssh_rsa, OPENSSH_CMD)
        PKDTESTS_DEFAULT_FIPS(emit_unit_test_comma, openssh_sha256_cert_rsa,
@@ -818,12 +845,13 @@ static int pkd_run_tests(void) {
    };

    const struct CMUnitTest noop_tests[] = {
-        emit_unit_test(client, noop, "", setup_noop, teardown)
+        emit_unit_test(client, noop, "", setup_noop, teardown, NULL)
    };

    /* Test list is populated depending on which clients are enabled. */
    struct CMUnitTest all_tests[(sizeof(openssh_tests) / sizeof(openssh_tests[0])) +
                                (sizeof(dropbear_tests) / sizeof(dropbear_tests[0])) +
+                                (sizeof(putty_tests) / sizeof(putty_tests[0])) +
                                (sizeof(noop_tests) / sizeof(noop_tests[0]))];
    memset(&all_tests[0], 0x0, sizeof(all_tests));

@@ -847,6 +875,14 @@ static int pkd_run_tests(void) {
        }
    }

+    if (is_putty_client_enabled()) {
+        setup_putty_client_keys();
+        if (!ssh_fips_mode()) {
+            memcpy(&all_tests[tindex], &putty_tests[0], sizeof(putty_tests));
+            tindex += (sizeof(putty_tests) / sizeof(putty_tests[0]));
+        }
+    }
+
    memcpy(&all_tests[tindex], &noop_tests[0], sizeof(noop_tests));
    tindex += (sizeof(noop_tests) / sizeof(noop_tests[0]));

@@ -899,6 +935,10 @@ static int pkd_run_tests(void) {
        cleanup_openssh_client_keys();
    }

+    if (is_putty_client_enabled()) {
+        cleanup_putty_client_keys();
+    }
+
    /* Clean up any server keys that were generated. */
    cleanup_rsa_key();
    cleanup_ecdsa_keys();
@@ -1118,4 +1158,4 @@ out_finalize:
 #endif
 out:
    return exit_code;
-}
+}
--- a/tests/pkd/pkd_keyutil.c
+++ b/tests/pkd/pkd_keyutil.c
@@ -214,3 +214,56 @@ void cleanup_dropbear_client_keys(void)
    cleanup_key(DROPBEAR_ECDSA256_TESTKEY);
    cleanup_key(DROPBEAR_ED25519_TESTKEY);
 }
+
+void setup_putty_client_keys(void)
+{
+    int rc = 0;
+
+    /* RSA Keys */
+    if (access(PUTTY_RSA_TESTKEY, F_OK) != 0 ||
+        access(PUTTY_RSA_PPK_TESTKEY, F_OK) != 0) {
+        rc = system_checked(OPENSSH_KEYGEN " -t rsa -q -N \"\" -f "
+                            PUTTY_RSA_TESTKEY);
+        assert_int_equal(rc, 0);
+
+        rc = system_checked(PUTTY_KEYGEN " " PUTTY_RSA_TESTKEY
+                            " -O private -o " PUTTY_RSA_PPK_TESTKEY);
+        assert_int_equal(rc, 0);
+    }
+
+    /* ECDSA 256 Keys */
+    if (access(PUTTY_ECDSA256_TESTKEY, F_OK) != 0 ||
+        access(PUTTY_ECDSA256_PPK_TESTKEY, F_OK) != 0) {
+        rc = system_checked(OPENSSH_KEYGEN " -t ecdsa -b 256 -q -N \"\" -f "
+                            PUTTY_ECDSA256_TESTKEY);
+        assert_int_equal(rc, 0);
+
+        rc = system_checked(PUTTY_KEYGEN " " PUTTY_ECDSA256_TESTKEY
+                            " -O private -o " PUTTY_ECDSA256_PPK_TESTKEY);
+        assert_int_equal(rc, 0);
+    }
+
+    /* ED25519 Keys */
+    if (access(PUTTY_ED25519_TESTKEY, F_OK) != 0 ||
+        access(PUTTY_ED25519_PPK_TESTKEY, F_OK) != 0) {
+        rc = system_checked(OPENSSH_KEYGEN " -t ed25519 -q -N \"\" -f "
+                            PUTTY_ED25519_TESTKEY);
+        assert_int_equal(rc, 0);
+
+        rc = system_checked(PUTTY_KEYGEN " " PUTTY_ED25519_TESTKEY
+                            " -O private -o " PUTTY_ED25519_PPK_TESTKEY);
+        assert_int_equal(rc, 0);
+    }
+}
+
+void cleanup_putty_client_keys(void)
+{
+    cleanup_key(PUTTY_RSA_TESTKEY);
+    cleanup_file(PUTTY_RSA_PPK_TESTKEY);
+
+    cleanup_key(PUTTY_ECDSA256_TESTKEY);
+    cleanup_file(PUTTY_ECDSA256_PPK_TESTKEY);
+    
+    cleanup_key(PUTTY_ED25519_TESTKEY);
+    cleanup_file(PUTTY_ED25519_PPK_TESTKEY);
+}
--- a/tests/pkd/pkd_keyutil.h
+++ b/tests/pkd/pkd_keyutil.h
@@ -37,12 +37,22 @@ void cleanup_ecdsa_keys(void);
 #define DROPBEAR_ECDSA256_TESTKEY "dropbear_testkey.id_ecdsa256"
 #define DROPBEAR_ED25519_TESTKEY  "dropbear_testkey.id_ed25519"

+#define PUTTY_RSA_TESTKEY          "putty_testkey.id_rsa"
+#define PUTTY_RSA_PPK_TESTKEY      "putty_testkey.id_rsa.ppk"
+#define PUTTY_ECDSA256_TESTKEY     "putty_testkey.id_ecdsa256"
+#define PUTTY_ECDSA256_PPK_TESTKEY "putty_testkey.id_ecdsa256.ppk"
+#define PUTTY_ED25519_TESTKEY      "putty_testkey.id_ed25519"
+#define PUTTY_ED25519_PPK_TESTKEY  "putty_testkey.id_ed25519.ppk"
+
 void setup_openssh_client_keys(void);
 void cleanup_openssh_client_keys(void);

 void setup_dropbear_client_keys(void);
 void cleanup_dropbear_client_keys(void);

+void setup_putty_client_keys(void);
+void cleanup_putty_client_keys(void);
+
 #define cleanup_file(name) do {\
    if (access((name), F_OK) != -1) {\
        unlink((name));\
--- a/tests/pkd/pkd_util.c
+++ b/tests/pkd/pkd_util.c
@@ -112,3 +112,10 @@ int is_openssh_client_enabled(void) {
 int is_dropbear_client_enabled(void) {
    return (bin_exists(DROPBEAR_BINARY) && bin_exists(DROPBEAR_KEYGEN));
 }
+
+int is_putty_client_enabled(void)
+{
+    return (bin_exists(PUTTY_BINARY) &&
+            bin_exists(PUTTY_KEYGEN) &&
+            bin_exists(OPENSSH_KEYGEN));
+}
--- a/tests/pkd/pkd_util.h
+++ b/tests/pkd/pkd_util.h
@@ -12,5 +12,6 @@ int system_checked(const char *cmd);
 /* Is client 'X' enabled? */
 int is_openssh_client_enabled(void);
 int is_dropbear_client_enabled(void);
+int is_putty_client_enabled(void);

-#endif /* __PKD_UTIL_H__ */
+#endif /* __PKD_UTIL_H__ */
--- a/tests/tests_config.h.cmake
+++ b/tests/tests_config.h.cmake
@@ -78,6 +78,8 @@
 #cmakedefine SSH_EXECUTABLE_SIZE "${SSH_EXECUTABLE_SIZE}"
 #cmakedefine SSH_KEYGEN_EXECUTABLE "${SSH_KEYGEN_EXECUTABLE}"
 #cmakedefine DROPBEAR_EXECUTABLE "${DROPBEAR_EXECUTABLE}"
+#cmakedefine PUTTY_EXECUTABLE "${PUTTY_EXECUTABLE}"
+#cmakedefine PUTTYGEN_EXECUTABLE "${PUTTYGEN_EXECUTABLE}"
 #cmakedefine WITH_TIMEOUT ${WITH_TIMEOUT}
 #cmakedefine TIMEOUT_EXECUTABLE "${TIMEOUT_EXECUTABLE}"
 #cmakedefine SOFTHSM2_LIBRARY "${SOFTHSM2_LIBRARY}"