From 0cfe4c7ab8030d5517357118102f1dc5c144a4c9 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki
Date: Thu, 6 Jun 2019 15:01:42 +0200
Subject: [PATCH] tests/torture_auth: Workaround OpenSSH agent bug

OpenSSH agent has a bug which makes it to not use SHA2 in signatures when using certificates. It always uses SHA1. See https://gitlab.com/libssh/libssh-mirror/merge_requests/34

Signed-off-by: Anderson Toshiyuki Sasaki
Reviewed-by: Andreas Schneider
---
 tests/client/torture_auth.c | 52 +++++++++++++++++++++++++++++++++----
 1 file changed, 47 insertions(+), 5 deletions(-)

diff --git a/tests/client/torture_auth.c b/tests/client/torture_auth.c
index ac12bb00..de1b5984 100644
--- a/tests/client/torture_auth.c
+++ b/tests/client/torture_auth.c
@@ -543,13 +543,55 @@ static void torture_auth_cert(void **state) {
     SSH_KEY_FREE(cert);
 }
 
-static void torture_auth_agent_cert(void **state) {
-    /* Setup loads a different key, tests are exactly the same. */
-    torture_auth_agent(state);
+static void torture_auth_agent_cert(void **state)
+{
+    struct torture_state *s = *state;
+    ssh_session session = s->ssh.session;
+    int rc;
+
+    /* Skip this test if in FIPS mode.
+     *
+     * OpenSSH agent has a bug which makes it to not use SHA2 in signatures when
+     * using certificates. It always uses SHA1.
+     *
+     * This should be removed as soon as OpenSSH agent bug is fixed.
+     * (see https://gitlab.com/libssh/libssh-mirror/merge_requests/34) */
+    if (ssh_fips_mode()) {
+        skip();
+    } else {
+        /* After the bug is solved, this also should be removed */
+        rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+                             "ssh-rsa-cert-v01@openssh.com");
+        assert_int_equal(rc, SSH_OK);
+    }
+
+    /* Setup loads a different key, tests are exactly the same. */
+    torture_auth_agent(state);
 }
 
-static void torture_auth_agent_cert_nonblocking(void **state) {
-    torture_auth_agent_nonblocking(state);
+static void torture_auth_agent_cert_nonblocking(void **state)
+{
+    struct torture_state *s = *state;
+    ssh_session session = s->ssh.session;
+    int rc;
+
+    /* Skip this test if in FIPS mode.
+     *
+     * OpenSSH agent has a bug which makes it to not use SHA2 in signatures when
+     * using certificates. It always uses SHA1.
+     *
+     * This should be removed as soon as OpenSSH agent bug is fixed.
+     * (see https://gitlab.com/libssh/libssh-mirror/merge_requests/34) */
+    if (ssh_fips_mode()) {
+        skip();
+    } else {
+        /* After the bug is solved, this also should be removed */
+        rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
+                             "ssh-rsa-cert-v01@openssh.com");
+        assert_int_equal(rc, SSH_OK);
+    }
+
+    torture_auth_agent_nonblocking(state);
 }
 
 static void torture_auth_pubkey_types(void **state)
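Review bot: The FIPS skip and the `SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES` pin are copied verbatim into both torture_auth_agent_cert and torture_auth_agent_cert_nonblocking, including the seven-line explanatory comment, so the "remove when the agent is fixed" cleanup has to be done in two places and the two copies can drift. Factoring the workaround into one static helper keeps a single removal point and one comment; the call into torture_auth_agent/torture_auth_agent_nonblocking stays as it is in each test. Since the pin deliberately restricts the accepted algorithm to the SHA-1 RSA certificate type, it is worth stating in the helper's comment that this narrowing applies only to this test session and is not a recommended client configuration, so a reader does not copy it elsewhere. Whether `skip()` returns to the caller cannot be seen from this hunk, so the if/else shape is kept.
```c
/* Workaround for the OpenSSH agent bug that signs with SHA-1 when a
 * certificate is used: skip under FIPS, otherwise accept only the
 * SHA-1 RSA certificate type for this test session. Test-only
 * narrowing, not a recommended client setting. Remove once the agent
 * is fixed (see https://gitlab.com/libssh/libssh-mirror/merge_requests/34). */
static void torture_auth_agent_cert_workaround(void **state)
{
    struct torture_state *s = *state;
    ssh_session session = s->ssh.session;
    int rc;

    if (ssh_fips_mode()) {
        skip();
    } else {
        rc = ssh_options_set(session, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
                             "ssh-rsa-cert-v01@openssh.com");
        assert_int_equal(rc, SSH_OK);
    }
}

static void torture_auth_agent_cert(void **state)
{
    torture_auth_agent_cert_workaround(state);

    /* Setup loads a different key, tests are exactly the same. */
    torture_auth_agent(state);
}

/* … unchanged: torture_auth_agent_cert_nonblocking, same helper call … */
```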