	tests/torture_options: Use only allowed algorithms if in FIPS mode
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
					committed by
					
						
						Andreas Schneider
					
				
			
			
				
	
			
			
			
						parent
						
							ce888fd4c0
						
					
				
				
					commit
					39c69893c7
				
			@@ -56,11 +56,14 @@ static void torture_options_set_host(void **state) {
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
    rc = ssh_options_set(session, SSH_OPTIONS_HOST, "localhost");
 | 
					    rc = ssh_options_set(session, SSH_OPTIONS_HOST, "localhost");
 | 
				
			||||||
    assert_true(rc == 0);
 | 
					    assert_true(rc == 0);
 | 
				
			||||||
 | 
					    assert_non_null(session->opts.host);
 | 
				
			||||||
    assert_string_equal(session->opts.host, "localhost");
 | 
					    assert_string_equal(session->opts.host, "localhost");
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    rc = ssh_options_set(session, SSH_OPTIONS_HOST, "guru@meditation");
 | 
					    rc = ssh_options_set(session, SSH_OPTIONS_HOST, "guru@meditation");
 | 
				
			||||||
    assert_true(rc == 0);
 | 
					    assert_true(rc == 0);
 | 
				
			||||||
 | 
					    assert_non_null(session->opts.host);
 | 
				
			||||||
    assert_string_equal(session->opts.host, "meditation");
 | 
					    assert_string_equal(session->opts.host, "meditation");
 | 
				
			||||||
 | 
					    assert_non_null(session->opts.username);
 | 
				
			||||||
    assert_string_equal(session->opts.username, "guru");
 | 
					    assert_string_equal(session->opts.username, "guru");
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@@ -69,17 +72,29 @@ static void torture_options_set_ciphers(void **state) {
 | 
				
			|||||||
    int rc;
 | 
					    int rc;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* Test known ciphers */
 | 
					    /* Test known ciphers */
 | 
				
			||||||
    rc = ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S, "aes128-ctr,aes192-ctr,aes256-ctr");
 | 
					    rc = ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S,
 | 
				
			||||||
 | 
					                         "aes128-ctr,aes192-ctr,aes256-ctr");
 | 
				
			||||||
    assert_true(rc == 0);
 | 
					    assert_true(rc == 0);
 | 
				
			||||||
    assert_string_equal(session->opts.wanted_methods[SSH_CRYPT_C_S], "aes128-ctr,aes192-ctr,aes256-ctr");
 | 
					    assert_non_null(session->opts.wanted_methods[SSH_CRYPT_C_S]);
 | 
				
			||||||
 | 
					    if (ssh_fips_mode()) {
 | 
				
			||||||
 | 
					        assert_string_equal(session->opts.wanted_methods[SSH_CRYPT_C_S],
 | 
				
			||||||
 | 
					                            "aes128-ctr,aes256-ctr");
 | 
				
			||||||
 | 
					    } else {
 | 
				
			||||||
 | 
					        assert_string_equal(session->opts.wanted_methods[SSH_CRYPT_C_S],
 | 
				
			||||||
 | 
					                            "aes128-ctr,aes192-ctr,aes256-ctr");
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* Test one unknown cipher */
 | 
					    /* Test one unknown cipher */
 | 
				
			||||||
    rc = ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S, "aes128-ctr,unknown-crap@example.com,aes192-ctr,aes256-ctr");
 | 
					    rc = ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S,
 | 
				
			||||||
 | 
					                         "aes128-ctr,unknown-crap@example.com,aes256-ctr");
 | 
				
			||||||
    assert_true(rc == 0);
 | 
					    assert_true(rc == 0);
 | 
				
			||||||
    assert_string_equal(session->opts.wanted_methods[SSH_CRYPT_C_S], "aes128-ctr,aes192-ctr,aes256-ctr");
 | 
					    assert_non_null(session->opts.wanted_methods[SSH_CRYPT_C_S]);
 | 
				
			||||||
 | 
					    assert_string_equal(session->opts.wanted_methods[SSH_CRYPT_C_S],
 | 
				
			||||||
 | 
					                        "aes128-ctr,aes256-ctr");
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* Test all unknown ciphers */
 | 
					    /* Test all unknown ciphers */
 | 
				
			||||||
    rc = ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S, "unknown-crap@example.com,more-crap@example.com");
 | 
					    rc = ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S,
 | 
				
			||||||
 | 
					                         "unknown-crap@example.com,more-crap@example.com");
 | 
				
			||||||
    assert_false(rc == 0);
 | 
					    assert_false(rc == 0);
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@@ -91,18 +106,35 @@ static void torture_options_set_key_exchange(void **state)
 | 
				
			|||||||
    /* Test known kexes */
 | 
					    /* Test known kexes */
 | 
				
			||||||
    rc = ssh_options_set(session,
 | 
					    rc = ssh_options_set(session,
 | 
				
			||||||
                         SSH_OPTIONS_KEY_EXCHANGE,
 | 
					                         SSH_OPTIONS_KEY_EXCHANGE,
 | 
				
			||||||
                         "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1");
 | 
					                         "curve25519-sha256,curve25519-sha256@libssh.org,"
 | 
				
			||||||
 | 
					                         "ecdh-sha2-nistp256,diffie-hellman-group16-sha512,"
 | 
				
			||||||
 | 
					                         "diffie-hellman-group18-sha512,"
 | 
				
			||||||
 | 
					                         "diffie-hellman-group14-sha1");
 | 
				
			||||||
    assert_true(rc == 0);
 | 
					    assert_true(rc == 0);
 | 
				
			||||||
 | 
					    assert_non_null(session->opts.wanted_methods[SSH_KEX]);
 | 
				
			||||||
 | 
					    if (ssh_fips_mode()) {
 | 
				
			||||||
        assert_string_equal(session->opts.wanted_methods[SSH_KEX],
 | 
					        assert_string_equal(session->opts.wanted_methods[SSH_KEX],
 | 
				
			||||||
                        "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1");
 | 
					                            "ecdh-sha2-nistp256,diffie-hellman-group16-sha512,"
 | 
				
			||||||
 | 
					                            "diffie-hellman-group18-sha512");
 | 
				
			||||||
 | 
					    } else {
 | 
				
			||||||
 | 
					        assert_string_equal(session->opts.wanted_methods[SSH_KEX],
 | 
				
			||||||
 | 
					                            "curve25519-sha256,curve25519-sha256@libssh.org,"
 | 
				
			||||||
 | 
					                            "ecdh-sha2-nistp256,diffie-hellman-group16-sha512,"
 | 
				
			||||||
 | 
					                            "diffie-hellman-group18-sha512,"
 | 
				
			||||||
 | 
					                            "diffie-hellman-group14-sha1");
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* Test one unknown kex */
 | 
					    /* Test one unknown kex */
 | 
				
			||||||
    rc = ssh_options_set(session,
 | 
					    rc = ssh_options_set(session,
 | 
				
			||||||
                         SSH_OPTIONS_KEY_EXCHANGE,
 | 
					                         SSH_OPTIONS_KEY_EXCHANGE,
 | 
				
			||||||
                         "curve25519-sha256,curve25519-sha256@libssh.org,unknown-crap@example.com,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1");
 | 
					                         "diffie-hellman-group16-sha512,"
 | 
				
			||||||
 | 
					                         "unknown-crap@example.com,"
 | 
				
			||||||
 | 
					                         "diffie-hellman-group18-sha512");
 | 
				
			||||||
    assert_true(rc == 0);
 | 
					    assert_true(rc == 0);
 | 
				
			||||||
 | 
					    assert_non_null(session->opts.wanted_methods[SSH_KEX]);
 | 
				
			||||||
    assert_string_equal(session->opts.wanted_methods[SSH_KEX],
 | 
					    assert_string_equal(session->opts.wanted_methods[SSH_KEX],
 | 
				
			||||||
                        "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1");
 | 
					                        "diffie-hellman-group16-sha512,"
 | 
				
			||||||
 | 
					                        "diffie-hellman-group18-sha512");
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* Test all unknown kexes */
 | 
					    /* Test all unknown kexes */
 | 
				
			||||||
    rc = ssh_options_set(session,
 | 
					    rc = ssh_options_set(session,
 | 
				
			||||||
@@ -120,16 +152,26 @@ static void torture_options_set_hostkey(void **state) {
 | 
				
			|||||||
                         SSH_OPTIONS_HOSTKEYS,
 | 
					                         SSH_OPTIONS_HOSTKEYS,
 | 
				
			||||||
                         "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
 | 
					                         "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
 | 
				
			||||||
    assert_true(rc == 0);
 | 
					    assert_true(rc == 0);
 | 
				
			||||||
 | 
					    assert_non_null(session->opts.wanted_methods[SSH_HOSTKEYS]);
 | 
				
			||||||
 | 
					    if (ssh_fips_mode()) {
 | 
				
			||||||
 | 
					        assert_string_equal(session->opts.wanted_methods[SSH_HOSTKEYS],
 | 
				
			||||||
 | 
					                "ecdsa-sha2-nistp384");
 | 
				
			||||||
 | 
					    } else {
 | 
				
			||||||
        assert_string_equal(session->opts.wanted_methods[SSH_HOSTKEYS],
 | 
					        assert_string_equal(session->opts.wanted_methods[SSH_HOSTKEYS],
 | 
				
			||||||
                "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
 | 
					                "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* Test one unknown host key */
 | 
					    /* Test one unknown host key */
 | 
				
			||||||
    rc = ssh_options_set(session,
 | 
					    rc = ssh_options_set(session,
 | 
				
			||||||
                         SSH_OPTIONS_HOSTKEYS,
 | 
					                         SSH_OPTIONS_HOSTKEYS,
 | 
				
			||||||
                         "ssh-ed25519,unknown-crap@example.com,ssh-rsa");
 | 
					                         "ecdsa-sha2-nistp521,"
 | 
				
			||||||
 | 
					                         "unknown-crap@example.com,"
 | 
				
			||||||
 | 
					                         "rsa-sha2-256");
 | 
				
			||||||
    assert_true(rc == 0);
 | 
					    assert_true(rc == 0);
 | 
				
			||||||
 | 
					    assert_non_null(session->opts.wanted_methods[SSH_HOSTKEYS]);
 | 
				
			||||||
    assert_string_equal(session->opts.wanted_methods[SSH_HOSTKEYS],
 | 
					    assert_string_equal(session->opts.wanted_methods[SSH_HOSTKEYS],
 | 
				
			||||||
                        "ssh-ed25519,ssh-rsa");
 | 
					                        "ecdsa-sha2-nistp521,"
 | 
				
			||||||
 | 
					                        "rsa-sha2-256");
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* Test all unknown host keys */
 | 
					    /* Test all unknown host keys */
 | 
				
			||||||
    rc = ssh_options_set(session,
 | 
					    rc = ssh_options_set(session,
 | 
				
			||||||
@@ -148,14 +190,22 @@ static void torture_options_set_pubkey_accepted_types(void **state) {
 | 
				
			|||||||
                         SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
 | 
					                         SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
 | 
				
			||||||
                         "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
 | 
					                         "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
 | 
				
			||||||
    assert_true(rc == 0);
 | 
					    assert_true(rc == 0);
 | 
				
			||||||
 | 
					    assert_non_null(session->opts.pubkey_accepted_types);
 | 
				
			||||||
 | 
					    if (ssh_fips_mode()) {
 | 
				
			||||||
 | 
					        assert_string_equal(session->opts.pubkey_accepted_types,
 | 
				
			||||||
 | 
					                            "ecdsa-sha2-nistp384");
 | 
				
			||||||
 | 
					    } else {
 | 
				
			||||||
        assert_string_equal(session->opts.pubkey_accepted_types,
 | 
					        assert_string_equal(session->opts.pubkey_accepted_types,
 | 
				
			||||||
                            "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
 | 
					                            "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    if (!ssh_fips_mode()) {
 | 
				
			||||||
        /* Test one unknown public key algorithms */
 | 
					        /* Test one unknown public key algorithms */
 | 
				
			||||||
        rc = ssh_options_set(session,
 | 
					        rc = ssh_options_set(session,
 | 
				
			||||||
                             SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
 | 
					                             SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
 | 
				
			||||||
                             "ssh-ed25519,unknown-crap@example.com,ssh-rsa");
 | 
					                             "ssh-ed25519,unknown-crap@example.com,ssh-rsa");
 | 
				
			||||||
        assert_true(rc == 0);
 | 
					        assert_true(rc == 0);
 | 
				
			||||||
 | 
					        assert_non_null(session->opts.pubkey_accepted_types);
 | 
				
			||||||
        assert_string_equal(session->opts.pubkey_accepted_types,
 | 
					        assert_string_equal(session->opts.pubkey_accepted_types,
 | 
				
			||||||
                            "ssh-ed25519,ssh-rsa");
 | 
					                            "ssh-ed25519,ssh-rsa");
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@@ -173,6 +223,7 @@ static void torture_options_set_pubkey_accepted_types(void **state) {
 | 
				
			|||||||
         * it should not be used */
 | 
					         * it should not be used */
 | 
				
			||||||
        type = ssh_key_type_to_hash(session, SSH_KEYTYPE_RSA);
 | 
					        type = ssh_key_type_to_hash(session, SSH_KEYTYPE_RSA);
 | 
				
			||||||
        assert_int_equal(type, SSH_DIGEST_SHA1);
 | 
					        assert_int_equal(type, SSH_DIGEST_SHA1);
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* now, lets allow the signature from SHA2 extension and expect
 | 
					    /* now, lets allow the signature from SHA2 extension and expect
 | 
				
			||||||
     * it to be used */
 | 
					     * it to be used */
 | 
				
			||||||
@@ -180,8 +231,19 @@ static void torture_options_set_pubkey_accepted_types(void **state) {
 | 
				
			|||||||
                         SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
 | 
					                         SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
 | 
				
			||||||
                         "rsa-sha2-256,ssh-rsa");
 | 
					                         "rsa-sha2-256,ssh-rsa");
 | 
				
			||||||
    assert_true(rc == 0);
 | 
					    assert_true(rc == 0);
 | 
				
			||||||
 | 
					    assert_non_null(session->opts.pubkey_accepted_types);
 | 
				
			||||||
 | 
					    if (ssh_fips_mode()) {
 | 
				
			||||||
 | 
					        assert_string_equal(session->opts.pubkey_accepted_types,
 | 
				
			||||||
 | 
					                "rsa-sha2-256");
 | 
				
			||||||
 | 
					    } else {
 | 
				
			||||||
        assert_string_equal(session->opts.pubkey_accepted_types,
 | 
					        assert_string_equal(session->opts.pubkey_accepted_types,
 | 
				
			||||||
                "rsa-sha2-256,ssh-rsa");
 | 
					                "rsa-sha2-256,ssh-rsa");
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    /* Test that the option affects the algorithm selection for RSA keys */
 | 
				
			||||||
 | 
					    /* simulate the SHA2 extension was negotiated */
 | 
				
			||||||
 | 
					    session->extensions = SSH_EXT_SIG_RSA_SHA256;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    type = ssh_key_type_to_hash(session, SSH_KEYTYPE_RSA);
 | 
					    type = ssh_key_type_to_hash(session, SSH_KEYTYPE_RSA);
 | 
				
			||||||
    assert_int_equal(type, SSH_DIGEST_SHA256);
 | 
					    assert_int_equal(type, SSH_DIGEST_SHA256);
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
@@ -193,6 +255,7 @@ static void torture_options_set_macs(void **state) {
 | 
				
			|||||||
    /* Test known MACs */
 | 
					    /* Test known MACs */
 | 
				
			||||||
    rc = ssh_options_set(session, SSH_OPTIONS_HMAC_S_C, "hmac-sha1");
 | 
					    rc = ssh_options_set(session, SSH_OPTIONS_HMAC_S_C, "hmac-sha1");
 | 
				
			||||||
    assert_true(rc == 0);
 | 
					    assert_true(rc == 0);
 | 
				
			||||||
 | 
					    assert_non_null(session->opts.wanted_methods[SSH_MAC_S_C]);
 | 
				
			||||||
    assert_string_equal(session->opts.wanted_methods[SSH_MAC_S_C], "hmac-sha1");
 | 
					    assert_string_equal(session->opts.wanted_methods[SSH_MAC_S_C], "hmac-sha1");
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* Test multiple known MACs */
 | 
					    /* Test multiple known MACs */
 | 
				
			||||||
@@ -200,12 +263,14 @@ static void torture_options_set_macs(void **state) {
 | 
				
			|||||||
                         SSH_OPTIONS_HMAC_S_C,
 | 
					                         SSH_OPTIONS_HMAC_S_C,
 | 
				
			||||||
                         "hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1,hmac-sha2-256");
 | 
					                         "hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1,hmac-sha2-256");
 | 
				
			||||||
    assert_true(rc == 0);
 | 
					    assert_true(rc == 0);
 | 
				
			||||||
 | 
					    assert_non_null(session->opts.wanted_methods[SSH_MAC_S_C]);
 | 
				
			||||||
    assert_string_equal(session->opts.wanted_methods[SSH_MAC_S_C],
 | 
					    assert_string_equal(session->opts.wanted_methods[SSH_MAC_S_C],
 | 
				
			||||||
                        "hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1,hmac-sha2-256");
 | 
					                        "hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1,hmac-sha2-256");
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* Test unknown MACs */
 | 
					    /* Test unknown MACs */
 | 
				
			||||||
    rc = ssh_options_set(session, SSH_OPTIONS_HMAC_S_C, "unknown-crap@example.com,hmac-sha1-etm@openssh.com,unknown@example.com");
 | 
					    rc = ssh_options_set(session, SSH_OPTIONS_HMAC_S_C, "unknown-crap@example.com,hmac-sha1-etm@openssh.com,unknown@example.com");
 | 
				
			||||||
    assert_true(rc == 0);
 | 
					    assert_true(rc == 0);
 | 
				
			||||||
 | 
					    assert_non_null(session->opts.wanted_methods[SSH_MAC_S_C]);
 | 
				
			||||||
    assert_string_equal(session->opts.wanted_methods[SSH_MAC_S_C], "hmac-sha1-etm@openssh.com");
 | 
					    assert_string_equal(session->opts.wanted_methods[SSH_MAC_S_C], "hmac-sha1-etm@openssh.com");
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* Test all unknown MACs */
 | 
					    /* Test all unknown MACs */
 | 
				
			||||||
@@ -664,12 +729,12 @@ static void torture_options_copy(void **state)
 | 
				
			|||||||
          "BindAddress 127.0.0.2\n"
 | 
					          "BindAddress 127.0.0.2\n"
 | 
				
			||||||
          "GlobalKnownHostsFile /etc/ssh/known_hosts2\n"
 | 
					          "GlobalKnownHostsFile /etc/ssh/known_hosts2\n"
 | 
				
			||||||
          "UserKnownHostsFile ~/.ssh/known_hosts2\n"
 | 
					          "UserKnownHostsFile ~/.ssh/known_hosts2\n"
 | 
				
			||||||
          "KexAlgorithms curve25519-sha256\n"
 | 
					          "KexAlgorithms curve25519-sha256,ecdh-sha2-nistp521\n"
 | 
				
			||||||
          "Ciphers aes256-ctr\n"
 | 
					          "Ciphers aes256-ctr\n"
 | 
				
			||||||
          "MACs hmac-sha2-256\n"
 | 
					          "MACs hmac-sha2-256\n"
 | 
				
			||||||
          "HostKeyAlgorithms ssh-ed25519\n"
 | 
					          "HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp521\n"
 | 
				
			||||||
          "Compression yes\n"
 | 
					          "Compression yes\n"
 | 
				
			||||||
          "PubkeyAcceptedTypes ssh-ed25519\n"
 | 
					          "PubkeyAcceptedTypes ssh-ed25519,ecdsa-sha2-nistp521\n"
 | 
				
			||||||
          "ProxyCommand nc 127.0.0.10 22\n"
 | 
					          "ProxyCommand nc 127.0.0.10 22\n"
 | 
				
			||||||
          /* ops.custombanner */
 | 
					          /* ops.custombanner */
 | 
				
			||||||
          "ConnectTimeout 42\n"
 | 
					          "ConnectTimeout 42\n"
 | 
				
			||||||
@@ -1155,16 +1220,21 @@ static void torture_bind_options_set_ciphers(void **state)
 | 
				
			|||||||
                              "aes128-ctr,aes192-ctr,aes256-ctr");
 | 
					                              "aes128-ctr,aes192-ctr,aes256-ctr");
 | 
				
			||||||
    assert_int_equal(rc, 0);
 | 
					    assert_int_equal(rc, 0);
 | 
				
			||||||
    assert_non_null(bind->wanted_methods[SSH_CRYPT_C_S]);
 | 
					    assert_non_null(bind->wanted_methods[SSH_CRYPT_C_S]);
 | 
				
			||||||
 | 
					    if (ssh_fips_mode()) {
 | 
				
			||||||
 | 
					        assert_string_equal(bind->wanted_methods[SSH_CRYPT_C_S],
 | 
				
			||||||
 | 
					                            "aes128-ctr,aes256-ctr");
 | 
				
			||||||
 | 
					    } else {
 | 
				
			||||||
        assert_string_equal(bind->wanted_methods[SSH_CRYPT_C_S],
 | 
					        assert_string_equal(bind->wanted_methods[SSH_CRYPT_C_S],
 | 
				
			||||||
                            "aes128-ctr,aes192-ctr,aes256-ctr");
 | 
					                            "aes128-ctr,aes192-ctr,aes256-ctr");
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* Test one unknown cipher */
 | 
					    /* Test one unknown cipher */
 | 
				
			||||||
    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_CIPHERS_C_S,
 | 
					    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_CIPHERS_C_S,
 | 
				
			||||||
                         "aes128-ctr,unknown-crap@example.com,aes192-ctr,aes256-ctr");
 | 
					                         "aes128-ctr,unknown-crap@example.com,aes256-ctr");
 | 
				
			||||||
    assert_int_equal(rc, 0);
 | 
					    assert_int_equal(rc, 0);
 | 
				
			||||||
    assert_non_null(bind->wanted_methods[SSH_CRYPT_C_S]);
 | 
					    assert_non_null(bind->wanted_methods[SSH_CRYPT_C_S]);
 | 
				
			||||||
    assert_string_equal(bind->wanted_methods[SSH_CRYPT_C_S],
 | 
					    assert_string_equal(bind->wanted_methods[SSH_CRYPT_C_S],
 | 
				
			||||||
                        "aes128-ctr,aes192-ctr,aes256-ctr");
 | 
					                        "aes128-ctr,aes256-ctr");
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* Test all unknown ciphers */
 | 
					    /* Test all unknown ciphers */
 | 
				
			||||||
    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_CIPHERS_C_S,
 | 
					    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_CIPHERS_C_S,
 | 
				
			||||||
@@ -1176,16 +1246,21 @@ static void torture_bind_options_set_ciphers(void **state)
 | 
				
			|||||||
                              "aes128-ctr,aes192-ctr,aes256-ctr");
 | 
					                              "aes128-ctr,aes192-ctr,aes256-ctr");
 | 
				
			||||||
    assert_int_equal(rc, 0);
 | 
					    assert_int_equal(rc, 0);
 | 
				
			||||||
    assert_non_null(bind->wanted_methods[SSH_CRYPT_S_C]);
 | 
					    assert_non_null(bind->wanted_methods[SSH_CRYPT_S_C]);
 | 
				
			||||||
 | 
					    if (ssh_fips_mode()) {
 | 
				
			||||||
 | 
					        assert_string_equal(bind->wanted_methods[SSH_CRYPT_S_C],
 | 
				
			||||||
 | 
					                            "aes128-ctr,aes256-ctr");
 | 
				
			||||||
 | 
					    } else {
 | 
				
			||||||
        assert_string_equal(bind->wanted_methods[SSH_CRYPT_S_C],
 | 
					        assert_string_equal(bind->wanted_methods[SSH_CRYPT_S_C],
 | 
				
			||||||
                            "aes128-ctr,aes192-ctr,aes256-ctr");
 | 
					                            "aes128-ctr,aes192-ctr,aes256-ctr");
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* Test one unknown cipher */
 | 
					    /* Test one unknown cipher */
 | 
				
			||||||
    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_CIPHERS_S_C,
 | 
					    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_CIPHERS_S_C,
 | 
				
			||||||
                         "aes128-ctr,unknown-crap@example.com,aes192-ctr,aes256-ctr");
 | 
					                         "aes128-ctr,unknown-crap@example.com,aes256-ctr");
 | 
				
			||||||
    assert_int_equal(rc, 0);
 | 
					    assert_int_equal(rc, 0);
 | 
				
			||||||
    assert_non_null(bind->wanted_methods[SSH_CRYPT_S_C]);
 | 
					    assert_non_null(bind->wanted_methods[SSH_CRYPT_S_C]);
 | 
				
			||||||
    assert_string_equal(bind->wanted_methods[SSH_CRYPT_S_C],
 | 
					    assert_string_equal(bind->wanted_methods[SSH_CRYPT_S_C],
 | 
				
			||||||
                        "aes128-ctr,aes192-ctr,aes256-ctr");
 | 
					                        "aes128-ctr,aes256-ctr");
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* Test all unknown ciphers */
 | 
					    /* Test all unknown ciphers */
 | 
				
			||||||
    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_CIPHERS_S_C,
 | 
					    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_CIPHERS_S_C,
 | 
				
			||||||
@@ -1209,20 +1284,35 @@ static void torture_bind_options_set_key_exchange(void **state)
 | 
				
			|||||||
    /* Test known kexes */
 | 
					    /* Test known kexes */
 | 
				
			||||||
    rc = ssh_bind_options_set(bind,
 | 
					    rc = ssh_bind_options_set(bind,
 | 
				
			||||||
                              SSH_BIND_OPTIONS_KEY_EXCHANGE,
 | 
					                              SSH_BIND_OPTIONS_KEY_EXCHANGE,
 | 
				
			||||||
                              "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1");
 | 
					                              "curve25519-sha256,curve25519-sha256@libssh.org,"
 | 
				
			||||||
 | 
					                              "ecdh-sha2-nistp256,diffie-hellman-group16-sha512,"
 | 
				
			||||||
 | 
					                              "diffie-hellman-group18-sha512,"
 | 
				
			||||||
 | 
					                              "diffie-hellman-group14-sha1");
 | 
				
			||||||
    assert_int_equal(rc, 0);
 | 
					    assert_int_equal(rc, 0);
 | 
				
			||||||
    assert_non_null(bind->wanted_methods[SSH_KEX]);
 | 
					    assert_non_null(bind->wanted_methods[SSH_KEX]);
 | 
				
			||||||
 | 
					    if (ssh_fips_mode()) {
 | 
				
			||||||
        assert_string_equal(bind->wanted_methods[SSH_KEX],
 | 
					        assert_string_equal(bind->wanted_methods[SSH_KEX],
 | 
				
			||||||
                        "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1");
 | 
					                            "ecdh-sha2-nistp256,diffie-hellman-group16-sha512,"
 | 
				
			||||||
 | 
					                            "diffie-hellman-group18-sha512");
 | 
				
			||||||
 | 
					    } else {
 | 
				
			||||||
 | 
					        assert_string_equal(bind->wanted_methods[SSH_KEX],
 | 
				
			||||||
 | 
					                            "curve25519-sha256,curve25519-sha256@libssh.org,"
 | 
				
			||||||
 | 
					                            "ecdh-sha2-nistp256,diffie-hellman-group16-sha512,"
 | 
				
			||||||
 | 
					                            "diffie-hellman-group18-sha512,"
 | 
				
			||||||
 | 
					                            "diffie-hellman-group14-sha1");
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* Test one unknown kex */
 | 
					    /* Test one unknown kex */
 | 
				
			||||||
    rc = ssh_bind_options_set(bind,
 | 
					    rc = ssh_bind_options_set(bind,
 | 
				
			||||||
                              SSH_BIND_OPTIONS_KEY_EXCHANGE,
 | 
					                              SSH_BIND_OPTIONS_KEY_EXCHANGE,
 | 
				
			||||||
                              "curve25519-sha256,curve25519-sha256@libssh.org,unknown-crap@example.com,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1");
 | 
					                         "diffie-hellman-group16-sha512,"
 | 
				
			||||||
 | 
					                         "unknown-crap@example.com,"
 | 
				
			||||||
 | 
					                         "diffie-hellman-group18-sha512");
 | 
				
			||||||
    assert_int_equal(rc, 0);
 | 
					    assert_int_equal(rc, 0);
 | 
				
			||||||
    assert_non_null(bind->wanted_methods[SSH_KEX]);
 | 
					    assert_non_null(bind->wanted_methods[SSH_KEX]);
 | 
				
			||||||
    assert_string_equal(bind->wanted_methods[SSH_KEX],
 | 
					    assert_string_equal(bind->wanted_methods[SSH_KEX],
 | 
				
			||||||
                        "curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1");
 | 
					                        "diffie-hellman-group16-sha512,"
 | 
				
			||||||
 | 
					                        "diffie-hellman-group18-sha512");
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* Test all unknown kexes */
 | 
					    /* Test all unknown kexes */
 | 
				
			||||||
    rc = ssh_bind_options_set(bind,
 | 
					    rc = ssh_bind_options_set(bind,
 | 
				
			||||||
@@ -1375,18 +1465,23 @@ static void torture_bind_options_set_pubkey_accepted_key_types(void **state)
 | 
				
			|||||||
        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
 | 
					        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
 | 
				
			||||||
    assert_int_equal(rc, 0);
 | 
					    assert_int_equal(rc, 0);
 | 
				
			||||||
    assert_non_null(bind->pubkey_accepted_key_types);
 | 
					    assert_non_null(bind->pubkey_accepted_key_types);
 | 
				
			||||||
 | 
					    if (ssh_fips_mode()) {
 | 
				
			||||||
 | 
					        assert_string_equal(bind->pubkey_accepted_key_types,
 | 
				
			||||||
 | 
					                            "ecdsa-sha2-nistp384");
 | 
				
			||||||
 | 
					    } else {
 | 
				
			||||||
        assert_string_equal(bind->pubkey_accepted_key_types,
 | 
					        assert_string_equal(bind->pubkey_accepted_key_types,
 | 
				
			||||||
                            "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
 | 
					                            "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    SAFE_FREE(bind->pubkey_accepted_key_types);
 | 
					    SAFE_FREE(bind->pubkey_accepted_key_types);
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /* Test with some unknown type */
 | 
					    /* Test with some unknown type */
 | 
				
			||||||
    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES,
 | 
					    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES,
 | 
				
			||||||
        "ssh-ed25519,ecdsa-sha2-nistp384,unknown-type,ssh-rsa");
 | 
					        "ecdsa-sha2-nistp384,unknown-type,rsa-sha2-256");
 | 
				
			||||||
    assert_int_equal(rc, 0);
 | 
					    assert_int_equal(rc, 0);
 | 
				
			||||||
    assert_non_null(bind->pubkey_accepted_key_types);
 | 
					    assert_non_null(bind->pubkey_accepted_key_types);
 | 
				
			||||||
    assert_string_equal(bind->pubkey_accepted_key_types,
 | 
					    assert_string_equal(bind->pubkey_accepted_key_types,
 | 
				
			||||||
        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
 | 
					        "ecdsa-sha2-nistp384,rsa-sha2-256");
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    SAFE_FREE(bind->pubkey_accepted_key_types);
 | 
					    SAFE_FREE(bind->pubkey_accepted_key_types);
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@@ -1398,11 +1493,11 @@ static void torture_bind_options_set_pubkey_accepted_key_types(void **state)
    /* Test with something set and then try unknown type */
					    /* Test with something set and then try unknown type */
    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES,
					    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES,
        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
					        "ecdsa-sha2-nistp384");
    assert_int_equal(rc, 0);
					    assert_int_equal(rc, 0);
    assert_non_null(bind->pubkey_accepted_key_types);
					    assert_non_null(bind->pubkey_accepted_key_types);
    assert_string_equal(bind->pubkey_accepted_key_types,
					    assert_string_equal(bind->pubkey_accepted_key_types,
        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
					        "ecdsa-sha2-nistp384");
    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES,
					    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES,
        "unknown-type");
					        "unknown-type");
    assert_int_equal(rc, -1);
					    assert_int_equal(rc, -1);
@@ -1410,7 +1505,7 @@ static void torture_bind_options_set_pubkey_accepted_key_types(void **state)
    /* Check that nothing changed */
					    /* Check that nothing changed */
    assert_non_null(bind->pubkey_accepted_key_types);
					    assert_non_null(bind->pubkey_accepted_key_types);
    assert_string_equal(bind->pubkey_accepted_key_types,
					    assert_string_equal(bind->pubkey_accepted_key_types,
        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
					        "ecdsa-sha2-nistp384");
}
					}
static void torture_bind_options_set_hostkey_algorithms(void **state)
					static void torture_bind_options_set_hostkey_algorithms(void **state)
@@ -1430,18 +1525,23 @@ static void torture_bind_options_set_hostkey_algorithms(void **state)
                              "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
					                              "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
    assert_int_equal(rc, 0);
					    assert_int_equal(rc, 0);
    assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
					    assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
					    if (ssh_fips_mode()) {
					        assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS],
					                "ecdsa-sha2-nistp384");
					    } else {
        assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS],
					        assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS],
                "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
					                "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
					    }
    SAFE_FREE(bind->wanted_methods[SSH_HOSTKEYS]);
					    SAFE_FREE(bind->wanted_methods[SSH_HOSTKEYS]);
    /* Test with some unknown type */
					    /* Test with some unknown type */
    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS,
					    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS,
        "ssh-ed25519,ecdsa-sha2-nistp384,unknown-type,ssh-rsa");
					        "ecdsa-sha2-nistp384,unknown-type");
    assert_int_equal(rc, 0);
					    assert_int_equal(rc, 0);
    assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
					    assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
    assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS],
					    assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS],
        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
					        "ecdsa-sha2-nistp384");
    SAFE_FREE(bind->wanted_methods[SSH_HOSTKEYS]);
					    SAFE_FREE(bind->wanted_methods[SSH_HOSTKEYS]);
@@ -1453,11 +1553,11 @@ static void torture_bind_options_set_hostkey_algorithms(void **state)
    /* Test with something set and then try unknown type */
					    /* Test with something set and then try unknown type */
    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS,
					    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS,
        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
					        "ecdsa-sha2-nistp384");
    assert_int_equal(rc, 0);
					    assert_int_equal(rc, 0);
    assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
					    assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
    assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS],
					    assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS],
        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
					        "ecdsa-sha2-nistp384");
    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS,
					    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS,
        "unknown-type");
					        "unknown-type");
    assert_int_equal(rc, -1);
					    assert_int_equal(rc, -1);
@@ -1465,7 +1565,7 @@ static void torture_bind_options_set_hostkey_algorithms(void **state)
    /* Check that nothing changed */
					    /* Check that nothing changed */
    assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
					    assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
    assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS],
					    assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS],
        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
					        "ecdsa-sha2-nistp384");
}
					}
#endif /* WITH_SERVER */
					#endif /* WITH_SERVER */