gssapi: enable gssapi-keyex in FIPS mode

All gssapi-keyex tests have to be disabled in CentOS Stream 8
because the KEX is not allowed in FIPS mode there. In CentOS Stream 9,
only the tests against OpenSSH have to be disabled, because
OpenSSH enables gssapi-keyex in FIPS mode only starting with CentOS Stream 10.

Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Pavol Žáčik
2025-12-02 10:31:01 +01:00
committed by Jakub Jelen
parent d3e80d9a19
commit 9b4ee9c6d4
10 changed files with 32 additions and 107 deletions


@@ -201,9 +201,11 @@ centos9s/openssl_3.5.x/x86_64/fips:
variables: variables:
OPENSSL_ENABLE_SHA1_SIGNATURES: 1 OPENSSL_ENABLE_SHA1_SIGNATURES: 1
script: script:
# torture_gssapi_key_exchange_* tests are excluded because gssapi-keyex is disabled
# by OpenSSH in FIPS mode in RHEL 9
- cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. && - cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
make -j$(nproc) && make -j$(nproc) &&
OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure -E "^torture_gssapi_key_exchange.*"
centos8s/openssl_1.1.1/x86_64: centos8s/openssl_1.1.1/x86_64:
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS8_BUILD image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS8_BUILD
@@ -219,9 +221,11 @@ centos8s/openssl_1.1.1/x86_64/fips:
extends: .fips extends: .fips
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS8_BUILD image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS8_BUILD
script: script:
# torture_gssapi_key_exchange_* and torture_gssapi_server_key_exchange_* tests are excluded
# because gssapi-keyex is not allowed in FIPS mode in RHEL 8
- cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. && - cmake $CMAKE_OPTIONS $CMAKE_ADDITIONAL_OPTIONS .. &&
make -j$(nproc) && make -j$(nproc) &&
OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure OPENSSL_FORCE_FIPS_MODE=1 ctest --output-on-failure -E "^torture_gssapi.*key_exchange.*"
############################################################################### ###############################################################################
# Fedora builds # # Fedora builds #
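Review bot: The two new comments give different reasons for the same exclusion — the centos9s job says gssapi-keyex is "disabled by OpenSSH in FIPS mode in RHEL 9" while the commit message says OpenSSH enables it only from CentOS Stream 10 — so align the centos9s comment with the condition under which the exclusion is meant to disappear, e.g. `# torture_gssapi_key_exchange_* tests are excluded until the CI image ships an OpenSSH that enables gssapi-keyex in FIPS mode (RHEL 10+); libssh itself supports it`. The trailing `.*` in both `-E` patterns is redundant, since ctest's `-E` performs an unanchored regex search: `-E "^torture_gssapi_key_exchange"` and `-E "^torture_gssapi.*key_exchange"` select exactly the same tests. The broader centos8s pattern deserves a check that it does not also swallow any test whose name merely contains `gssapi` and `key_exchange` for reasons unrelated to the FIPS restriction, because a test excluded by regex fails silently rather than via `skip()`.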


@@ -672,7 +672,6 @@ fail:
*/ */
char *ssh_gssapi_oid_hash(ssh_string oid) char *ssh_gssapi_oid_hash(ssh_string oid)
{ {
MD5CTX ctx = NULL;
unsigned char *h = NULL; unsigned char *h = NULL;
int rc; int rc;
char *base64 = NULL; char *base64 = NULL;
@@ -682,19 +681,7 @@ char *ssh_gssapi_oid_hash(ssh_string oid)
return NULL; return NULL;
} }
ctx = md5_init(); rc = md5(ssh_string_data(oid), ssh_string_len(oid), h);
if (ctx == NULL) {
SAFE_FREE(h);
return NULL;
}
rc = md5_update(ctx, ssh_string_data(oid), ssh_string_len(oid));
if (rc != SSH_OK) {
SAFE_FREE(h);
md5_ctx_free(ctx);
return NULL;
}
rc = md5_final(h, ctx);
if (rc != SSH_OK) { if (rc != SSH_OK) {
SAFE_FREE(h); SAFE_FREE(h);
return NULL; return NULL;
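Review bot: The one-shot `md5()` call now also runs under FIPS mode, because this commit stops gating gssapi-keyex on `!ssh_fips_mode()`, and MD5 is not a FIPS-approved digest; whether the call succeeds depends on how the `md5()` wrapper fetches the algorithm, which is not visible here. The digest is used only to build the RFC 4462 method-name suffix (base64 of MD5 over the mechanism OID), so it deserves a comment above the call, e.g. `/* RFC 4462 2.1: the KEX name suffix is base64(MD5(DER(OID))). MD5 is a naming convention here, not a security primitive, and must keep working in FIPS mode. */`, so that a later cleanup does not "fix" it to SHA-2 and break interoperability. The failure branch returns NULL without distinguishing a digest refused by the provider from an allocation failure, so if `md5()` is unavailable in FIPS mode the only symptom will be an empty gssapi algorithm list; a warning log before `return NULL` would make that debuggable. ssh_gssapi_oid_hash continues past the end of the hunk.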


@@ -811,7 +811,7 @@ int ssh_set_client_kex(ssh_session session)
return SSH_ERROR; return SSH_ERROR;
} }
#ifdef WITH_GSSAPI #ifdef WITH_GSSAPI
if (session->opts.gssapi_key_exchange && !ssh_fips_mode()) { if (session->opts.gssapi_key_exchange) {
char *gssapi_algs = NULL; char *gssapi_algs = NULL;
ok = ssh_gssapi_init(session); ok = ssh_gssapi_init(session);
@@ -831,9 +831,15 @@ int ssh_set_client_kex(ssh_session session)
} }
/* Prefix the default algorithms with gsskex algs */ /* Prefix the default algorithms with gsskex algs */
if (ssh_fips_mode()) {
session->opts.wanted_methods[SSH_KEX] =
ssh_prefix_without_duplicates(fips_methods[SSH_KEX],
gssapi_algs);
} else {
session->opts.wanted_methods[SSH_KEX] = session->opts.wanted_methods[SSH_KEX] =
ssh_prefix_without_duplicates(default_methods[SSH_KEX], ssh_prefix_without_duplicates(default_methods[SSH_KEX],
gssapi_algs); gssapi_algs);
}
gssapi_null_alg = true; gssapi_null_alg = true;
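Review bot: In FIPS mode the new branch prefixes `fips_methods[SSH_KEX]` with `gssapi_algs`, but nothing in this hunk filters `gssapi_algs` itself; unless the code that fills it (between the two hunks, not shown) already drops the SHA-1 variants (`gss-group1-sha1-*`, `gss-group14-sha1-*`, `gss-gex-sha1-*`) when `ssh_fips_mode()` is true, those names would now be offered ahead of the FIPS-allowed list. The two branches differ only in the base list, so the duplication can collapse to `const char *base = ssh_fips_mode() ? fips_methods[SSH_KEX] : default_methods[SSH_KEX];` followed by a single `session->opts.wanted_methods[SSH_KEX] = ssh_prefix_without_duplicates(base, gssapi_algs);`. Neither branch checks the return of `ssh_prefix_without_duplicates` for NULL, while the `ssh_gssapi_init` failure a few lines up is checked; if the helper allocates, the same treatment would be consistent. ssh_set_client_kex starts before and continues after this hunk.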


@@ -172,7 +172,7 @@ int server_set_kex(ssh_session session)
} }
} }
#ifdef WITH_GSSAPI #ifdef WITH_GSSAPI
if (session->opts.gssapi_key_exchange && !ssh_fips_mode()) { if (session->opts.gssapi_key_exchange) {
ok = ssh_gssapi_init(session); ok = ssh_gssapi_init(session);
if (ok != SSH_OK) { if (ok != SSH_OK) {
ssh_set_error_oom(session); ssh_set_error_oom(session);
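Review bot: The server side only drops the `!ssh_fips_mode()` guard, whereas the client counterpart in kex.c additionally picks `fips_methods[SSH_KEX]` as the base list when FIPS mode is on; the remainder of server_set_kex is outside this hunk, so confirm that the server's gssapi prefix is likewise applied to the FIPS method list, otherwise the server would advertise gss-* names on top of the non-FIPS defaults. If the gssapi algorithm list is not filtered for SHA-1 variants under FIPS, that concern applies here as well. A one-line comment at the condition, e.g. `/* gssapi-keyex is allowed in FIPS mode; the gss-* list is restricted below */`, would record why the guard was removed.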


@@ -78,11 +78,6 @@ static void torture_gssapi_key_exchange(void **state)
int rc; int rc;
bool t = true; bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
/* Valid */ /* Valid */
torture_setup_kdc_server( torture_setup_kdc_server(
state, state,
@@ -108,11 +103,6 @@ static void torture_gssapi_key_exchange_no_tgt(void **state)
int rc; int rc;
bool t = true; bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
/* Don't run kinit */ /* Don't run kinit */
torture_setup_kdc_server( torture_setup_kdc_server(
state, state,
@@ -144,11 +134,6 @@ static void torture_gssapi_key_exchange_alg(void **state,
int rc; int rc;
bool t = true; bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
/* Valid */ /* Valid */
torture_setup_kdc_server( torture_setup_kdc_server(
state, state,
@@ -213,11 +198,6 @@ static void torture_gssapi_key_exchange_auth(void **state)
int rc; int rc;
bool t = true; bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
/* Valid */ /* Valid */
torture_setup_kdc_server( torture_setup_kdc_server(
state, state,
@@ -247,11 +227,6 @@ static void torture_gssapi_key_exchange_no_auth(void **state)
int rc; int rc;
bool f = false; bool f = false;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
/* Valid */ /* Valid */
torture_setup_kdc_server( torture_setup_kdc_server(
state, state,


@@ -18,8 +18,6 @@ static int sshd_setup(void **state)
s = *state; s = *state;
s->disable_hostkeys = true; s->disable_hostkeys = true;
if (!ssh_fips_mode()) {
/* Temporary kerberos server */
torture_setup_kdc_server( torture_setup_kdc_server(
state, state,
"kadmin.local addprinc -randkey host/server.libssh.site \n" "kadmin.local addprinc -randkey host/server.libssh.site \n"
@@ -34,7 +32,7 @@ static int sshd_setup(void **state)
"GSSAPIKeyExchange yes\n"); "GSSAPIKeyExchange yes\n");
torture_teardown_kdc_server(state); torture_teardown_kdc_server(state);
}
return 0; return 0;
} }
@@ -95,11 +93,6 @@ static void torture_gssapi_key_exchange_null(void **state)
int rc; int rc;
bool t = true; bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
/* Valid */ /* Valid */
torture_setup_kdc_server( torture_setup_kdc_server(
state, state,


@@ -281,11 +281,6 @@ static void torture_gssapi_server_key_exchange(void **state)
int rc; int rc;
bool t = true; bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
assert_non_null(tss); assert_non_null(tss);
s = tss->state; s = tss->state;
@@ -321,10 +316,6 @@ static void torture_gssapi_server_key_exchange_no_tgt(void **state)
int rc; int rc;
bool t = true; bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
assert_non_null(tss); assert_non_null(tss);
@@ -366,11 +357,6 @@ static void torture_gssapi_server_key_exchange_alg(void **state,
int rc; int rc;
bool t = true; bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
assert_non_null(tss); assert_non_null(tss);
s = tss->state; s = tss->state;
@@ -444,11 +430,6 @@ static void torture_gssapi_server_key_exchange_auth(void **state)
int rc; int rc;
bool t = true; bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
assert_non_null(tss); assert_non_null(tss);
s = tss->state; s = tss->state;
@@ -487,11 +468,6 @@ static void torture_gssapi_server_key_exchange_no_auth(void **state)
int rc; int rc;
bool f = false; bool f = false;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
assert_non_null(tss); assert_non_null(tss);
s = tss->state; s = tss->state;


@@ -278,11 +278,6 @@ static void torture_gssapi_server_key_exchange_fallback(void **state)
int rc; int rc;
bool t = true; bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
assert_non_null(tss); assert_non_null(tss);
s = tss->state; s = tss->state;


@@ -250,11 +250,6 @@ static void torture_gssapi_server_key_exchange_null(void **state)
int rc; int rc;
bool t = true; bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
assert_non_null(tss); assert_non_null(tss);
s = tss->state; s = tss->state;
@@ -293,10 +288,6 @@ static void torture_gssapi_server_key_exchange_no_tgt(void **state)
int rc; int rc;
bool t = true; bool t = true;
/* Skip test if in FIPS mode */
if (ssh_fips_mode()) {
skip();
}
assert_non_null(tss); assert_non_null(tss);


@@ -999,10 +999,8 @@ torture_setup_create_sshd_config(void **state, bool pam, bool second_sshd)
fips_config_string, fips_config_string,
second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4, second_sshd ? TORTURE_SSHD_SRV1_IPV4 : TORTURE_SSHD_SRV_IPV4,
second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6, second_sshd ? TORTURE_SSHD_SRV1_IPV6 : TORTURE_SSHD_SRV_IPV6,
"HostKey", s->disable_hostkeys ? "" : "HostKey", s->disable_hostkeys ? "" : rsa_hostkey,
rsa_hostkey, s->disable_hostkeys ? "" : "HostKey", s->disable_hostkeys ? "" : ecdsa_hostkey,
"HostKey",
ecdsa_hostkey,
trusted_ca_pubkey, trusted_ca_pubkey,
sftp_server, sftp_server,
usepam, usepam,
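Review bot: The `s->disable_hostkeys ? "" : ...` ternary is now repeated four times across two argument lines, and the format string it feeds is outside the hunk; hoist the keyword once, e.g. `const char *hostkey_kw = s->disable_hostkeys ? "" : "HostKey";` and pass `hostkey_kw, s->disable_hostkeys ? "" : rsa_hostkey,` and `hostkey_kw, s->disable_hostkeys ? "" : ecdsa_hostkey,`. Presumably the keyword is blanked so sshd never sees a `HostKey` directive with an empty path when the test runs gssapi-keyex with the null host key algorithm; that intent belongs in a comment next to `disable_hostkeys`, since the resulting whitespace-only config lines only work because sshd ignores blank lines. torture_setup_create_sshd_config starts before and ends after the hunk.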