tests: Skip Ed25519 keys in FIPS mode

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>

tests/torture.c

@@ -650,14 +650,21 @@ void torture_setup_create_libssh_config(void **state)
     char sshd_path[1024];
     const char *additional_config = NULL;
     struct stat sb;
-    const char config_string[]=
+    const char config_string[] =
-             "LogLevel DEBUG3\n"
+        "LogLevel DEBUG3\n"
-             "Port 22\n"
+        "Port 22\n"
-             "ListenAddress 127.0.0.10\n"
+        "ListenAddress 127.0.0.10\n"
-             "%s %s\n"
+        "%s %s\n"
-             "%s %s\n"
+        "%s %s\n"
-             "%s %s\n"
+        "%s %s\n"
-             "%s\n"; /* The space for test-specific options */
+        "%s\n"; /* The space for test-specific options */
+    const char fips_config_string[] =
+        "LogLevel DEBUG3\n"
+        "Port 22\n"
+        "ListenAddress 127.0.0.10\n"
+        "%s %s\n"
+        "%s %s\n"
+        "%s\n"; /* The space for test-specific options */
     bool written = false;
     int rc;
 
@@ -705,12 +712,27 @@ void torture_setup_create_libssh_config(void **state)
     additional_config = (s->srv_additional_config != NULL ?
                          s->srv_additional_config : "");
 
-    snprintf(sshd_config, sizeof(sshd_config),
+    if (ssh_fips_mode()) {
-            config_string,
+        snprintf(sshd_config,
-            "HostKey", ed25519_hostkey,
+                 sizeof(sshd_config),
-            "HostKey", rsa_hostkey,
+                 fips_config_string,
-            "HostKey", ecdsa_hostkey,
+                 "HostKey",
-            additional_config);
+                 rsa_hostkey,
+                 "HostKey",
+                 ecdsa_hostkey,
+                 additional_config);
+    } else {
+        snprintf(sshd_config,
+                 sizeof(sshd_config),
+                 config_string,
+                 "HostKey",
+                 ed25519_hostkey,
+                 "HostKey",
+                 rsa_hostkey,
+                 "HostKey",
+                 ecdsa_hostkey,
+                 additional_config);
+    }
 
     torture_write_file(s->srv_config, sshd_config);
 }

tests/unittests/torture_options.c

@@ -2155,11 +2155,20 @@ torture_bind_options_import_key(void **state)
     /* set ed25519 key */
     base64_key = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0);
     rc = ssh_pki_import_privkey_base64(base64_key, NULL, NULL, NULL, &key);
-    assert_int_equal(rc, SSH_OK);
+    if (ssh_fips_mode()) {
-    assert_non_null(key);
+        assert_int_equal(rc, SSH_ERROR);
+        assert_null(key);
+    } else {
+        assert_int_equal(rc, SSH_OK);
+        assert_non_null(key);
+    }
 
     rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_IMPORT_KEY, key);
-    assert_int_equal(rc, 0);
+    if (ssh_fips_mode()) {
+        assert_int_equal(rc, SSH_ERROR);
+    } else {
+        assert_int_equal(rc, 0);
+    }
 
     /* set rsa key */
     base64_key = torture_get_testkey(SSH_KEYTYPE_RSA, 0);
@@ -2208,7 +2217,11 @@ torture_bind_options_import_key_str(void **state)
 
     rc =
         ssh_bind_options_set(bind, SSH_BIND_OPTIONS_IMPORT_KEY_STR, base64_key);
-    assert_int_equal(rc, 0);
+    if (ssh_fips_mode()) {
+        assert_int_equal(rc, SSH_ERROR);
+    } else {
+        assert_int_equal(rc, 0);
+    }
 
     /* set rsa key */
     base64_key = torture_get_testkey(SSH_KEYTYPE_RSA, 0);
@@ -2250,9 +2263,14 @@ static void torture_bind_options_hostkey(void **state)
     rc = ssh_bind_options_set(bind,
                               SSH_BIND_OPTIONS_HOSTKEY,
                               LIBSSH_ED25519_TESTKEY);
-    assert_int_equal(rc, 0);
+    if (ssh_fips_mode()) {
-    assert_non_null(bind->ed25519key);
+        assert_int_equal(rc, SSH_ERROR);
-    assert_string_equal(bind->ed25519key, LIBSSH_ED25519_TESTKEY);
+        assert_null(bind->ed25519key);
+    } else {
+        assert_int_equal(rc, 0);
+        assert_non_null(bind->ed25519key);
+        assert_string_equal(bind->ed25519key, LIBSSH_ED25519_TESTKEY);
+    }
 
 #ifdef HAVE_ECC
     /* Test ECDSA key */

tests/unittests/torture_pki_ed25519.c

@@ -128,6 +128,11 @@ static void torture_pki_ed25519_import_privkey_base64(void **state)
 
     (void) state; /* unused */
 
+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
     key_str = torture_pki_read_file(LIBSSH_ED25519_TESTKEY);
     assert_non_null(key_str);
 
@@ -160,6 +165,11 @@ static void torture_pki_ed25519_import_privkey_base64_comment(void **state)
 
     (void) state; /* unused */
 
+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
     key_str = torture_pki_read_file(LIBSSH_ED25519_TESTKEY);
     assert_non_null(key_str);
 
@@ -199,6 +209,11 @@ static void torture_pki_ed25519_import_privkey_base64_whitespace(void **state)
 
     (void) state; /* unused */
 
+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
     key_str = torture_pki_read_file(LIBSSH_ED25519_TESTKEY);
     assert_non_null(key_str);
 
@@ -237,6 +252,11 @@ static void torture_pki_ed25519_import_export_privkey_base64(void **state)
 
     (void) state; /* unused */
 
+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
     rc = ssh_pki_import_privkey_base64(torture_get_openssh_testkey(SSH_KEYTYPE_ED25519,
                                                                    false),
                                        passphrase,
@@ -289,6 +309,11 @@ static void torture_pki_ed25519_publickey_from_privatekey(void **state)
 
     (void) state; /* unused */
 
+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
     keystring = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0);
     rc = ssh_pki_import_privkey_base64(keystring,
                                        passphrase,
@@ -345,6 +370,11 @@ static void torture_pki_ed25519_publickey_base64(void **state)
 
     (void) state; /* unused */
 
+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
     key_buf = strdup(torture_get_testkey_pub(SSH_KEYTYPE_ED25519));
     assert_non_null(key_buf);
 
@@ -388,6 +418,11 @@ static void torture_pki_ed25519_generate_pubkey_from_privkey(void **state)
 
     (void)state; /* unused */
 
+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
     /* remove the public key, generate it from the private key and write it. */
     unlink(LIBSSH_ED25519_TESTKEY ".pub");
 
@@ -919,6 +954,11 @@ static void torture_pki_ed25519_import_privkey_base64_passphrase(void **state)
 
     (void) state; /* unused */
 
+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
     /* same for ED25519 */
     testkey = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 1);
     rc = ssh_pki_import_privkey_base64(testkey,
@@ -954,6 +994,11 @@ static void torture_pki_ed25519_privkey_dup(void **state)
 
     (void) state; /* unused */
 
+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
     testkey = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 1);
     rc = ssh_pki_import_privkey_base64(testkey,
                                        passphrase,
@@ -984,6 +1029,11 @@ static void torture_pki_ed25519_pubkey_dup(void **state)
 
     (void) state; /* unused */
 
+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
     pub_str = strdup(p + 1);
     assert_non_null(pub_str);