From bb36cc30eee94b682baa328b6fe4b9159327b1c2 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki
Date: Wed, 5 Jun 2019 18:44:00 +0200
Subject: [PATCH] tests/torture_pki_rsa: Avoid using SHA1 in FIPS mode
Do not use SHA1 in signatures in FIPS mode.
Signed-off-by: Anderson Toshiyuki Sasaki
Reviewed-by: Andreas Schneider
---
tests/unittests/torture_pki_rsa.c | 28 ++++++++++++++++------------
1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/tests/unittests/torture_pki_rsa.c b/tests/unittests/torture_pki_rsa.c
index b4a12396..24094302 100644
--- a/tests/unittests/torture_pki_rsa.c
+++ b/tests/unittests/torture_pki_rsa.c
@@ -543,14 +543,16 @@ static void torture_pki_rsa_sha2(void **state)
 assert_int_equal(rc, SSH_OK);
 assert_non_null(pubkey);
- /* Sign using old SHA1 digest */
- sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1);
- assert_non_null(sign);
- rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT));
- assert_ssh_return_code(session, rc);
- rc = pki_signature_verify(session, sign, cert, INPUT, sizeof(INPUT));
- assert_ssh_return_code(session, rc);
- ssh_signature_free(sign);
+ if (!ssh_fips_mode()) {
+ /* Sign using old SHA1 digest */
+ sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1);
+ assert_non_null(sign);
+ rc = pki_signature_verify(session, sign, pubkey, INPUT, sizeof(INPUT));
+ assert_ssh_return_code(session, rc);
+ rc = pki_signature_verify(session, sign, cert, INPUT, sizeof(INPUT));
+ assert_ssh_return_code(session, rc);
+ ssh_signature_free(sign);
+ }
 /* Sign using new SHA256 digest */
 sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA256);
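Review bot: The new `if (!ssh_fips_mode())` guard in torture_pki_rsa_sha2 skips the SHA1 sign/verify block silently, so in FIPS mode nothing checks that a SHA1 signature is actually refused. If pki_do_sign() is expected to fail for SSH_DIGEST_SHA1 under FIPS (its behaviour is not visible in this hunk), an else branch such as `sign = pki_do_sign(key, INPUT, sizeof(INPUT), SSH_DIGEST_SHA1);` followed by `assert_null(sign);` would turn the skip into a check of the policy. The same applies to the guarded test_sign_verify_data() call in torture_pki_sign_data_rsa. Both function bodies start and end outside their hunks.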
@@ -625,9 +627,11 @@ static void torture_pki_sign_data_rsa(void **state)
 assert_int_equal(rc, SSH_OK);
 assert_non_null(key);
- /* Test using SHA1 */
- rc = test_sign_verify_data(key, SSH_DIGEST_SHA1, INPUT, sizeof(INPUT));
- assert_int_equal(rc, SSH_OK);
+ if (!ssh_fips_mode()) {
+ /* Test using SHA1 */
+ rc = test_sign_verify_data(key, SSH_DIGEST_SHA1, INPUT, sizeof(INPUT));
+ assert_int_equal(rc, SSH_OK);
+ }
 /* Test using SHA256 */
 rc = test_sign_verify_data(key, SSH_DIGEST_SHA256, INPUT, sizeof(INPUT));
@@ -661,7 +665,7 @@ static void torture_pki_fail_sign_with_incompatible_hash(void **state)
 assert_non_null(pubkey);
 /* Sign the buffer */
- sig = pki_sign_data(key, SSH_DIGEST_SHA1, INPUT, sizeof(INPUT));
+ sig = pki_sign_data(key, SSH_DIGEST_SHA256, INPUT, sizeof(INPUT));
 assert_non_null(sig);
 /* Verify signature */
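Review bot: The digest in torture_pki_fail_sign_with_incompatible_hash is switched to SSH_DIGEST_SHA256 unconditionally, unlike the other two tests, which gate SHA1 on `ssh_fips_mode()`, and the `/* Sign the buffer */` comment does not say why. A comment such as `/* Sign the buffer; SHA256 is used because SHA1 is not allowed in FIPS mode */` would keep a later edit from reverting it to SHA1. The rest of the function is outside the hunk, so it is worth confirming that the incompatible-hash checks that follow do not depend on the initial signature being SHA1.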