By default, the list of already stored known host types is preferred,
but this selection so far ignored the SHA2 extension and excluded these
keys in the KEXINIT list leading to not using this extension if not
explicitly enabled from configuration.
This commit extends the default list with the SHA2 signatures algoritms
and compares only base types so they can be listed in the KEXINIT list.
This adjust the tests to expect the full list of algorithms to pass.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 531b80a60b)
When the server requests rekey, it can send the SSH2_MSG_EXT_INFO. This
message was being filtered out by the packet filtering. This includes a
test to enforce the filtering rules for this packet type.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit fe309ba43f)
Previously, not all of the host keys algorithms were used for algorithm
negotiation. This verifies the algorithms list is sane and ordered
with the key types from known hosts in the first place.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit bdb3bb9ccd)
Previously, the file contained the known_hosts strings separated
by NULL bytes which somehow magically worked.
The test was also expecting all the keys from the file will have
the same key type, which was not indeed true.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 32e502a79d)
Created the test torture_packet_filter.c which tests if packets are
being correctly filtered.
Fixes T101
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
The added frees are unnecessary, but the static analyser does not know.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 6eef4b4a3c)
These frees are unnecessary because the negative tests should not
allocate the keys, but the static analyser reports memory leak errors.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 31f24ed23e)
This runs the same test that are ran on the legacy PEM files
also with the new OpenSSH key files.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit eaaa4131de)
This extends the torture API to provide a way to request
keys in different formats. This extends the keys with
private keys in the new OpenSSH format (default since
OpenSSH 7.8).
This also needs modifications to the ed25519 tests, which
do not support PEM format and expected the new format out of the
box.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit e365aed6d2)
Since the verbosity is now set from the setup phase, we do not
need to reset the verbosity, especially not to any arbirary value
such as WARNING.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit fcb203cb2d)
This allows adjusting the log level of config and options tests using
environment variable LIBSSH_VERBOSITY as it works in most of the other
tests.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 6dbcc21921)
The match_hostname() expects comma separated list, while the Host
config keyword in openssh uses spaces separated list by default.
Therefore any subseqent match or negated match in space separated
list will overwrite the previous matches.
This also adjusts the tests to make sure both of the versions work.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 9f5f10552b)
This was already done in the torture_threads_pki.
Without the explicit initialization, we can observe random
failures tests (at least of the torture_threads_crypto) from
various threads.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 6b10bbea2f)
Verify the PUBLICKEY_ACCEPTED_TYPES option is handled correctly
and affects the signature algorithm selection based on the
extensions and can be used to limit list of offered mechanisms
to the server.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 594c62d718)
This introduces a new test case for RSA unit tests, verifying that
libraries are able to provide and verify the RSA signatures with
SHA2 hash algorithms.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit 945469c9e0)
This changes the private API by adding one more argument to function
pki_signature_from_blob()
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
(cherry picked from commit fa60827840)
