From 9735f074bac1606fc275a9f36b7f5a31bb5e054e Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Mon, 23 Dec 2024 21:11:11 +0100
Subject: [PATCH] tests: Skip Ed25519 keys in FIPS mode
Signed-off-by: Jakub Jelen
Reviewed-by: Sahana Prasad
---
 tests/torture.c | 50 +++++++++++++++++++--------
 tests/unittests/torture_options.c | 32 +++++++++++++----
 tests/unittests/torture_pki_ed25519.c | 50 +++++++++++++++++++++++++++
 3 files changed, 111 insertions(+), 21 deletions(-)
diff --git a/tests/torture.c b/tests/torture.c
index 5fae5af7..9a28c33e 100644
--- a/tests/torture.c
+++ b/tests/torture.c
@@ -650,14 +650,21 @@ void torture_setup_create_libssh_config(void **state)
 char sshd_path[1024];
 const char *additional_config = NULL;
 struct stat sb;
- const char config_string[]=
- "LogLevel DEBUG3\n"
- "Port 22\n"
- "ListenAddress 127.0.0.10\n"
- "%s %s\n"
- "%s %s\n"
- "%s %s\n"
- "%s\n"; /* The space for test-specific options */
+ const char config_string[] =
+ "LogLevel DEBUG3\n"
+ "Port 22\n"
+ "ListenAddress 127.0.0.10\n"
+ "%s %s\n"
+ "%s %s\n"
+ "%s %s\n"
+ "%s\n"; /* The space for test-specific options */
+ const char fips_config_string[] =
+ "LogLevel DEBUG3\n"
+ "Port 22\n"
+ "ListenAddress 127.0.0.10\n"
+ "%s %s\n"
+ "%s %s\n"
+ "%s\n"; /* The space for test-specific options */
 bool written = false;
 int rc;
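Review bot: `fips_config_string` is a second copy of `config_string` that differs only by one missing `%s %s\n` pair, so the two templates and the two snprintf() argument lists in the later hunk of this function have to be kept in step by hand. Passing fewer arguments than a template has conversions is undefined behaviour, and a slip in the FIPS variant would only show on a FIPS-enabled host. A comment on the new array would make the contract explicit, e.g. `/* config_string without the Ed25519 HostKey line: two HostKey pairs, then the test-specific options */`. The function body starts and ends outside this hunk.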
@@ -705,12 +712,27 @@ void torture_setup_create_libssh_config(void **state)
 additional_config = (s->srv_additional_config != NULL ? s->srv_additional_config : "");
- snprintf(sshd_config, sizeof(sshd_config),
- config_string,
- "HostKey", ed25519_hostkey,
- "HostKey", rsa_hostkey,
- "HostKey", ecdsa_hostkey,
- additional_config);
+ if (ssh_fips_mode()) {
+ snprintf(sshd_config,
+ sizeof(sshd_config),
+ fips_config_string,
+ "HostKey",
+ rsa_hostkey,
+ "HostKey",
+ ecdsa_hostkey,
+ additional_config);
+ } else {
+ snprintf(sshd_config,
+ sizeof(sshd_config),
+ config_string,
+ "HostKey",
+ ed25519_hostkey,
+ "HostKey",
+ rsa_hostkey,
+ "HostKey",
+ ecdsa_hostkey,
+ additional_config);
+ }
 torture_write_file(s->srv_config, sshd_config);
 }
diff --git a/tests/unittests/torture_options.c b/tests/unittests/torture_options.c
index 7c08c705..3beaedbb 100644
--- a/tests/unittests/torture_options.c
+++ b/tests/unittests/torture_options.c
@@ -2155,11 +2155,20 @@ torture_bind_options_import_key(void **state)
 /* set ed25519 key */
 base64_key = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0);
 rc = ssh_pki_import_privkey_base64(base64_key, NULL, NULL, NULL, &key);
- assert_int_equal(rc, SSH_OK);
- assert_non_null(key);
+ if (ssh_fips_mode()) {
+ assert_int_equal(rc, SSH_ERROR);
+ assert_null(key);
+ } else {
+ assert_int_equal(rc, SSH_OK);
+ assert_non_null(key);
+ }
 rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_IMPORT_KEY, key);
- assert_int_equal(rc, 0);
+ if (ssh_fips_mode()) {
+ assert_int_equal(rc, SSH_ERROR);
+ } else {
+ assert_int_equal(rc, 0);
+ }
 /* set rsa key */
 base64_key = torture_get_testkey(SSH_KEYTYPE_RSA, 0);
@@ -2208,7 +2217,11 @@ torture_bind_options_import_key_str(void **state)
 rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_IMPORT_KEY_STR, base64_key);
- assert_int_equal(rc, 0);
+ if (ssh_fips_mode()) {
+ assert_int_equal(rc, SSH_ERROR);
+ } else {
+ assert_int_equal(rc, 0);
+ }
 /* set rsa key */
 base64_key = torture_get_testkey(SSH_KEYTYPE_RSA, 0);
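Review bot: Both new snprintf() calls in the `@@ -705` hunk discard the return value, so a configuration that does not fit in `sshd_config` is truncated silently and then written out by torture_write_file(); `additional_config` is supplied by the individual test and nothing in the hunk bounds its length. The test server would then start with a different configuration than the test assumes. Capturing the result, `rc = snprintf(sshd_config, sizeof(sshd_config), ...);`, and checking it with `assert_true(rc > 0 && (size_t)rc < sizeof(sshd_config));` would catch that; `rc` is declared in this function per the earlier hunk, while the size of `sshd_config` is not visible here. The function starts outside the hunk.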
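Review bot: In FIPS mode the second check in the `@@ -2155` hunk does not exercise Ed25519 policy at all: the import above has failed, `key` is NULL, and `ssh_bind_options_set(bind, SSH_BIND_OPTIONS_IMPORT_KEY, key)` is asserted to return `SSH_ERROR` for a NULL value. The assertion is reasonable, but it would still pass if the bind option accepted Ed25519 keys under FIPS. A comment should say so, e.g. `/* key is NULL in FIPS mode: this checks NULL rejection, not key-type policy */`. The test function starts and continues outside this hunk.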
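Review bot: The two branches in the `@@ -2208` hunk spell the expected result differently, `SSH_ERROR` in the FIPS branch and the literal `0` in the other. Writing `assert_int_equal(rc, SSH_OK);` in the else branch would match the first check of torture_bind_options_import_key, which already uses `SSH_OK`. The same applies to the else branch of the second check in that function and to the else branch in the torture_bind_options_hostkey hunk.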
@@ -2250,9 +2263,14 @@ static void torture_bind_options_hostkey(void **state)
 rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY, LIBSSH_ED25519_TESTKEY);
- assert_int_equal(rc, 0);
- assert_non_null(bind->ed25519key);
- assert_string_equal(bind->ed25519key, LIBSSH_ED25519_TESTKEY);
+ if (ssh_fips_mode()) {
+ assert_int_equal(rc, SSH_ERROR);
+ assert_null(bind->ed25519key);
+ } else {
+ assert_int_equal(rc, 0);
+ assert_non_null(bind->ed25519key);
+ assert_string_equal(bind->ed25519key, LIBSSH_ED25519_TESTKEY);
+ }
 #ifdef HAVE_ECC
 /* Test ECDSA key */
diff --git a/tests/unittests/torture_pki_ed25519.c b/tests/unittests/torture_pki_ed25519.c
index 097abcb9..b00c421e 100644
--- a/tests/unittests/torture_pki_ed25519.c
+++ b/tests/unittests/torture_pki_ed25519.c
@@ -128,6 +128,11 @@ static void torture_pki_ed25519_import_privkey_base64(void **state)
 (void) state; /* unused */
+ /* Skip test if in FIPS mode */
+ if (ssh_fips_mode()) {
+ skip();
+ }
+
 key_str = torture_pki_read_file(LIBSSH_ED25519_TESTKEY);
 assert_non_null(key_str);
@@ -160,6 +165,11 @@ static void torture_pki_ed25519_import_privkey_base64_comment(void **state)
 (void) state; /* unused */
+ /* Skip test if in FIPS mode */
+ if (ssh_fips_mode()) {
+ skip();
+ }
+
 key_str = torture_pki_read_file(LIBSSH_ED25519_TESTKEY);
 assert_non_null(key_str);
@@ -199,6 +209,11 @@ static void torture_pki_ed25519_import_privkey_base64_whitespace(void **state)
 (void) state; /* unused */
+ /* Skip test if in FIPS mode */
+ if (ssh_fips_mode()) {
+ skip();
+ }
+
 key_str = torture_pki_read_file(LIBSSH_ED25519_TESTKEY);
 assert_non_null(key_str);
@@ -237,6 +252,11 @@ static void torture_pki_ed25519_import_export_privkey_base64(void **state)
 (void) state; /* unused */
+ /* Skip test if in FIPS mode */
+ if (ssh_fips_mode()) {
+ skip();
+ }
+
 rc = ssh_pki_import_privkey_base64(torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, false), passphrase,
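Review bot: Calling `skip()` at the top of torture_pki_ed25519_import_privkey_base64 (hunk `@@ -128`) drops the one check this file could still make in FIPS mode, namely that an Ed25519 key is refused; a regression that lets such keys load under FIPS would pass unnoticed here. torture_bind_options_import_key in this same commit asserts `SSH_ERROR` and a NULL key for that case, and this first import test could do the same after its ssh_pki_import_privkey_base64() call, which lies outside the hunk, before returning early. The added comment also gives no reason; if the reason is that Ed25519 is refused under FIPS, `/* Ed25519 keys are rejected in FIPS mode, nothing further to test */` would say it. The same five added lines recur in the nine following hunks of this file, `@@ -160` through `@@ -984`.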
@@ -289,6 +309,11 @@ static void torture_pki_ed25519_publickey_from_privatekey(void **state)
 (void) state; /* unused */
+ /* Skip test if in FIPS mode */
+ if (ssh_fips_mode()) {
+ skip();
+ }
+
 keystring = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0);
 rc = ssh_pki_import_privkey_base64(keystring, passphrase,
@@ -345,6 +370,11 @@ static void torture_pki_ed25519_publickey_base64(void **state)
 (void) state; /* unused */
+ /* Skip test if in FIPS mode */
+ if (ssh_fips_mode()) {
+ skip();
+ }
+
 key_buf = strdup(torture_get_testkey_pub(SSH_KEYTYPE_ED25519));
 assert_non_null(key_buf);
@@ -388,6 +418,11 @@ static void torture_pki_ed25519_generate_pubkey_from_privkey(void **state)
 (void)state; /* unused */
+ /* Skip test if in FIPS mode */
+ if (ssh_fips_mode()) {
+ skip();
+ }
+
 /* remove the public key, generate it from the private key and write it. */
 unlink(LIBSSH_ED25519_TESTKEY ".pub");
@@ -919,6 +954,11 @@ static void torture_pki_ed25519_import_privkey_base64_passphrase(void **state)
 (void) state; /* unused */
+ /* Skip test if in FIPS mode */
+ if (ssh_fips_mode()) {
+ skip();
+ }
+
 /* same for ED25519 */
 testkey = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 1);
 rc = ssh_pki_import_privkey_base64(testkey,
@@ -954,6 +994,11 @@ static void torture_pki_ed25519_privkey_dup(void **state)
 (void) state; /* unused */
+ /* Skip test if in FIPS mode */
+ if (ssh_fips_mode()) {
+ skip();
+ }
+
 testkey = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 1);
 rc = ssh_pki_import_privkey_base64(testkey, passphrase,
@@ -984,6 +1029,11 @@ static void torture_pki_ed25519_pubkey_dup(void **state)
 (void) state; /* unused */
+ /* Skip test if in FIPS mode */
+ if (ssh_fips_mode()) {
+ skip();
+ }
+
 pub_str = strdup(p + 1);
 assert_non_null(pub_str);