gssapi: enable gssapi-keyex in FIPS mode

All gssapi-keyex tests have to be disabled in Centos Stream 8
because the KEX is not allowed in FIPS. In Centos Stream 9,
only tests against OpenSSH have to be disabled because
OpenSSH only enables gssapi-keyex since Centos Stream 10.

Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>

tests/client/torture_gssapi_key_exchange.c

@@ -78,11 +78,6 @@ static void torture_gssapi_key_exchange(void **state)
     int rc;
     bool t = true;
 
-    /* Skip test if in FIPS mode */
-    if (ssh_fips_mode()) {
-        skip();
-    }
-
     /* Valid */
     torture_setup_kdc_server(
         state,
@@ -108,11 +103,6 @@ static void torture_gssapi_key_exchange_no_tgt(void **state)
     int rc;
     bool t = true;
 
-    /* Skip test if in FIPS mode */
-    if (ssh_fips_mode()) {
-        skip();
-    }
-
     /* Don't run kinit */
     torture_setup_kdc_server(
         state,
@@ -144,11 +134,6 @@ static void torture_gssapi_key_exchange_alg(void **state,
     int rc;
     bool t = true;
 
-    /* Skip test if in FIPS mode */
-    if (ssh_fips_mode()) {
-        skip();
-    }
-
     /* Valid */
     torture_setup_kdc_server(
         state,
@@ -213,11 +198,6 @@ static void torture_gssapi_key_exchange_auth(void **state)
     int rc;
     bool t = true;
 
-    /* Skip test if in FIPS mode */
-    if (ssh_fips_mode()) {
-        skip();
-    }
-
     /* Valid */
     torture_setup_kdc_server(
         state,
@@ -247,11 +227,6 @@ static void torture_gssapi_key_exchange_no_auth(void **state)
     int rc;
     bool f = false;
 
-    /* Skip test if in FIPS mode */
-    if (ssh_fips_mode()) {
-        skip();
-    }
-
     /* Valid */
     torture_setup_kdc_server(
         state,

tests/client/torture_gssapi_key_exchange_null.c

@@ -18,23 +18,21 @@ static int sshd_setup(void **state)
     s = *state;
     s->disable_hostkeys = true;
 
-    if (!ssh_fips_mode()) {
-        /* Temporary kerberos server */
-        torture_setup_kdc_server(
-            state,
-            "kadmin.local addprinc -randkey host/server.libssh.site \n"
-            "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n"
-            "kadmin.local addprinc -pw bar alice \n"
-            "kadmin.local list_principals",
+    torture_setup_kdc_server(
+        state,
+        "kadmin.local addprinc -randkey host/server.libssh.site \n"
+        "kadmin.local ktadd -k $(dirname $0)/d/ssh.keytab host/server.libssh.site \n"
+        "kadmin.local addprinc -pw bar alice \n"
+        "kadmin.local list_principals",
 
-            "echo bar | kinit alice");
+        "echo bar | kinit alice");
 
-        torture_update_sshd_config(state,
-                                   "GSSAPIAuthentication yes\n"
-                                   "GSSAPIKeyExchange yes\n");
+    torture_update_sshd_config(state,
+                               "GSSAPIAuthentication yes\n"
+                               "GSSAPIKeyExchange yes\n");
+
+    torture_teardown_kdc_server(state);
 
-        torture_teardown_kdc_server(state);
-    }
     return 0;
 }
 
@@ -95,11 +93,6 @@ static void torture_gssapi_key_exchange_null(void **state)
     int rc;
     bool t = true;
 
-    /* Skip test if in FIPS mode */
-    if (ssh_fips_mode()) {
-        skip();
-    }
-
     /* Valid */
     torture_setup_kdc_server(
         state,