gssapi: enable gssapi-keyex in FIPS mode

All gssapi-keyex tests have to be disabled in Centos Stream 8
because the KEX is not allowed in FIPS. In Centos Stream 9,
only tests against OpenSSH have to be disabled, because
OpenSSH enables gssapi-keyex only from Centos Stream 10 onward.

Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Pavol Žáčik
2025-12-02 10:31:01 +01:00
committed by Jakub Jelen
parent d3e80d9a19
commit 9b4ee9c6d4
10 changed files with 32 additions and 107 deletions


@@ -78,11 +78,6 @@ static void torture_gssapi_key_exchange(void **state)
int rc;
bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
/* Valid */
torture_setup_kdc_server(
state,
@@ -108,11 +103,6 @@ static void torture_gssapi_key_exchange_no_tgt(void **state)
int rc;
bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
/* Don't run kinit */
torture_setup_kdc_server(
state,
@@ -144,11 +134,6 @@ static void torture_gssapi_key_exchange_alg(void **state,
int rc;
bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
/* Valid */
torture_setup_kdc_server(
state,
@@ -213,11 +198,6 @@ static void torture_gssapi_key_exchange_auth(void **state)
int rc;
bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
/* Valid */
torture_setup_kdc_server(
state,
@@ -247,11 +227,6 @@ static void torture_gssapi_key_exchange_no_auth(void **state)
int rc;
bool f = false;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
/* Valid */
torture_setup_kdc_server(
state,


@@ -18,23 +18,21 @@ static int sshd_setup(void **state)
s = *state;
s->disable_hostkeys = true;
if (!ssh_fips_mode()) {
/* Temporary kerberos server */
torture_setup_kdc_server(
state,
"kadmin.local addprinc -randkey host/server.libssh.site \n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n"
"kadmin.local addprinc -pw bar alice \n"
"kadmin.local list_principals",
torture_setup_kdc_server(
state,
"kadmin.local addprinc -randkey host/server.libssh.site \n"
"kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n"
"kadmin.local addprinc -pw bar alice \n"
"kadmin.local list_principals",
"echo bar | kinit alice");
"echo bar | kinit alice");
torture_update_sshd_config(state,
"GSSAPIAuthentication yes\n"
"GSSAPIKeyExchange yes\n");
torture_update_sshd_config(state,
"GSSAPIAuthentication yes\n"
"GSSAPIKeyExchange yes\n");
torture_teardown_kdc_server(state);
torture_teardown_kdc_server(state);
}
return 0;
}
@@ -95,11 +93,6 @@ static void torture_gssapi_key_exchange_null(void **state)
int rc;
bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
/* Valid */
torture_setup_kdc_server(
state,
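Review bot: sshd_setup now skips the KDC and the `GSSAPIAuthentication`/`GSSAPIKeyExchange` sshd options under FIPS, while torture_gssapi_key_exchange_null in the second hunk of this section drops its own FIPS skip, so under FIPS that test would run against an sshd with no KDC and no GSSAPI key exchange enabled and fail at connection or KEX time instead of skipping. The commit message says the OpenSSH tests are excluded on Centos Stream 9 at a higher level, which is presumably what makes this safe, but that dependency is not visible anywhere in the code. Consider stating it where the condition lives, e.g. `/* OpenSSH enables gssapi-keyex in FIPS only from Centos Stream 10; on older streams these tests are excluded by CI, so no KDC/GSSAPI setup is needed under FIPS */` above `if (!ssh_fips_mode()) {`. sshd_setup begins before the first hunk, and the test body continues past the second.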


@@ -281,11 +281,6 @@ static void torture_gssapi_server_key_exchange(void **state)
int rc;
bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
assert_non_null(tss);
s = tss->state;
@@ -321,10 +316,6 @@ static void torture_gssapi_server_key_exchange_no_tgt(void **state)
int rc;
bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
assert_non_null(tss);
@@ -366,11 +357,6 @@ static void torture_gssapi_server_key_exchange_alg(void **state,
int rc;
bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
assert_non_null(tss);
s = tss->state;
@@ -444,11 +430,6 @@ static void torture_gssapi_server_key_exchange_auth(void **state)
int rc;
bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
assert_non_null(tss);
s = tss->state;
@@ -487,11 +468,6 @@ static void torture_gssapi_server_key_exchange_no_auth(void **state)
int rc;
bool f = false;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
assert_non_null(tss);
s = tss->state;


@@ -278,11 +278,6 @@ static void torture_gssapi_server_key_exchange_fallback(void **state)
int rc;
bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
assert_non_null(tss);
s = tss->state;


@@ -250,11 +250,6 @@ static void torture_gssapi_server_key_exchange_null(void **state)
int rc;
bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
assert_non_null(tss);
s = tss->state;
@@ -293,10 +288,6 @@ static void torture_gssapi_server_key_exchange_no_tgt(void **state)
int rc;
bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
assert_non_null(tss);


@@ -999,10 +999,8 @@ torture_setup_create_sshd_config(void **state, bool pam, bool second_sshd)
fips_config_string,
second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4,
second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6,
"HostKey",
rsa_hostkey,
"HostKey",
ecdsa_hostkey,
s->disable_hostkeys ? "" : "HostKey", s->disable_hostkeys ? "" : rsa_hostkey,
s->disable_hostkeys ? "" : "HostKey", s->disable_hostkeys ? "" : ecdsa_hostkey,
trusted_ca_pubkey,
sftp_server,
usepam,
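Review bot: With `s->disable_hostkeys` set the generated config merely omits the HostKey directives, and sshd normally falls back to its compiled-in default host key paths when none are configured, so on a host that has system host keys the server may still offer a host key and a test meant to exercise the no-host-key (gssapi-keyex only) case could pass for the wrong reason. If the intent is to force gssapi-keyex, the tests using this path should assert the negotiated KEX, or this function should document that the default keys are expected to be absent in the test environment. A short comment would help either way, e.g. `/* no HostKey lines: sshd falls back to its default keys if they exist */` above the two ternary lines. Repeating the condition four times is also harder to read than two locals, `const char *hk_kw = s->disable_hostkeys ? "" : "HostKey";` reused for both pairs. torture_setup_create_sshd_config starts before and ends after this hunk.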