
tests/torture_options: Use only allowed algorithms if in FIPS mode

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Anderson Toshiyuki Sasaki
2019-06-05 15:28:03 +02:00
committed by Andreas Schneider
parent ce888fd4c0
commit 39c69893c7


@ -56,11 +56,14 @@ static void torture_options_set_host(void **state) {
rc = ssh_options_set(session, SSH_OPTIONS_HOST, "localhost"); rc = ssh_options_set(session, SSH_OPTIONS_HOST, "localhost");
assert_true(rc == 0); assert_true(rc == 0);
assert_non_null(session->opts.host);
assert_string_equal(session->opts.host, "localhost"); assert_string_equal(session->opts.host, "localhost");
rc = ssh_options_set(session, SSH_OPTIONS_HOST, "guru@meditation"); rc = ssh_options_set(session, SSH_OPTIONS_HOST, "guru@meditation");
assert_true(rc == 0); assert_true(rc == 0);
assert_non_null(session->opts.host);
assert_string_equal(session->opts.host, "meditation"); assert_string_equal(session->opts.host, "meditation");
assert_non_null(session->opts.username);
assert_string_equal(session->opts.username, "guru"); assert_string_equal(session->opts.username, "guru");
} }
@ -69,17 +72,29 @@ static void torture_options_set_ciphers(void **state) {
int rc; int rc;
/* Test known ciphers */ /* Test known ciphers */
rc = ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S, "aes128-ctr,aes192-ctr,aes256-ctr"); rc = ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S,
"aes128-ctr,aes192-ctr,aes256-ctr");
assert_true(rc == 0); assert_true(rc == 0);
assert_string_equal(session->opts.wanted_methods[SSH_CRYPT_C_S], "aes128-ctr,aes192-ctr,aes256-ctr"); assert_non_null(session->opts.wanted_methods[SSH_CRYPT_C_S]);
if (ssh_fips_mode()) {
assert_string_equal(session->opts.wanted_methods[SSH_CRYPT_C_S],
"aes128-ctr,aes256-ctr");
} else {
assert_string_equal(session->opts.wanted_methods[SSH_CRYPT_C_S],
"aes128-ctr,aes192-ctr,aes256-ctr");
}
/* Test one unknown cipher */ /* Test one unknown cipher */
rc = ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S, "aes128-ctr,unknown-crap@example.com,aes192-ctr,aes256-ctr"); rc = ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S,
"aes128-ctr,unknown-crap@example.com,aes256-ctr");
assert_true(rc == 0); assert_true(rc == 0);
assert_string_equal(session->opts.wanted_methods[SSH_CRYPT_C_S], "aes128-ctr,aes192-ctr,aes256-ctr"); assert_non_null(session->opts.wanted_methods[SSH_CRYPT_C_S]);
assert_string_equal(session->opts.wanted_methods[SSH_CRYPT_C_S],
"aes128-ctr,aes256-ctr");
/* Test all unknown ciphers */ /* Test all unknown ciphers */
rc = ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S, "unknown-crap@example.com,more-crap@example.com"); rc = ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S,
"unknown-crap@example.com,more-crap@example.com");
assert_false(rc == 0); assert_false(rc == 0);
} }
@ -91,18 +106,35 @@ static void torture_options_set_key_exchange(void **state)
/* Test known kexes */ /* Test known kexes */
rc = ssh_options_set(session, rc = ssh_options_set(session,
SSH_OPTIONS_KEY_EXCHANGE, SSH_OPTIONS_KEY_EXCHANGE,
"curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1"); "curve25519-sha256,curve25519-sha256@libssh.org,"
"ecdh-sha2-nistp256,diffie-hellman-group16-sha512,"
"diffie-hellman-group18-sha512,"
"diffie-hellman-group14-sha1");
assert_true(rc == 0); assert_true(rc == 0);
assert_string_equal(session->opts.wanted_methods[SSH_KEX], assert_non_null(session->opts.wanted_methods[SSH_KEX]);
"curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1"); if (ssh_fips_mode()) {
assert_string_equal(session->opts.wanted_methods[SSH_KEX],
"ecdh-sha2-nistp256,diffie-hellman-group16-sha512,"
"diffie-hellman-group18-sha512");
} else {
assert_string_equal(session->opts.wanted_methods[SSH_KEX],
"curve25519-sha256,curve25519-sha256@libssh.org,"
"ecdh-sha2-nistp256,diffie-hellman-group16-sha512,"
"diffie-hellman-group18-sha512,"
"diffie-hellman-group14-sha1");
}
/* Test one unknown kex */ /* Test one unknown kex */
rc = ssh_options_set(session, rc = ssh_options_set(session,
SSH_OPTIONS_KEY_EXCHANGE, SSH_OPTIONS_KEY_EXCHANGE,
"curve25519-sha256,curve25519-sha256@libssh.org,unknown-crap@example.com,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1"); "diffie-hellman-group16-sha512,"
"unknown-crap@example.com,"
"diffie-hellman-group18-sha512");
assert_true(rc == 0); assert_true(rc == 0);
assert_non_null(session->opts.wanted_methods[SSH_KEX]);
assert_string_equal(session->opts.wanted_methods[SSH_KEX], assert_string_equal(session->opts.wanted_methods[SSH_KEX],
"curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1"); "diffie-hellman-group16-sha512,"
"diffie-hellman-group18-sha512");
/* Test all unknown kexes */ /* Test all unknown kexes */
rc = ssh_options_set(session, rc = ssh_options_set(session,
@ -120,16 +152,26 @@ static void torture_options_set_hostkey(void **state) {
SSH_OPTIONS_HOSTKEYS, SSH_OPTIONS_HOSTKEYS,
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa"); "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
assert_true(rc == 0); assert_true(rc == 0);
assert_string_equal(session->opts.wanted_methods[SSH_HOSTKEYS], assert_non_null(session->opts.wanted_methods[SSH_HOSTKEYS]);
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa"); if (ssh_fips_mode()) {
assert_string_equal(session->opts.wanted_methods[SSH_HOSTKEYS],
"ecdsa-sha2-nistp384");
} else {
assert_string_equal(session->opts.wanted_methods[SSH_HOSTKEYS],
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
}
/* Test one unknown host key */ /* Test one unknown host key */
rc = ssh_options_set(session, rc = ssh_options_set(session,
SSH_OPTIONS_HOSTKEYS, SSH_OPTIONS_HOSTKEYS,
"ssh-ed25519,unknown-crap@example.com,ssh-rsa"); "ecdsa-sha2-nistp521,"
"unknown-crap@example.com,"
"rsa-sha2-256");
assert_true(rc == 0); assert_true(rc == 0);
assert_non_null(session->opts.wanted_methods[SSH_HOSTKEYS]);
assert_string_equal(session->opts.wanted_methods[SSH_HOSTKEYS], assert_string_equal(session->opts.wanted_methods[SSH_HOSTKEYS],
"ssh-ed25519,ssh-rsa"); "ecdsa-sha2-nistp521,"
"rsa-sha2-256");
/* Test all unknown host keys */ /* Test all unknown host keys */
rc = ssh_options_set(session, rc = ssh_options_set(session,
@ -148,31 +190,40 @@ static void torture_options_set_pubkey_accepted_types(void **state) {
SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa"); "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
assert_true(rc == 0); assert_true(rc == 0);
assert_string_equal(session->opts.pubkey_accepted_types, assert_non_null(session->opts.pubkey_accepted_types);
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa"); if (ssh_fips_mode()) {
assert_string_equal(session->opts.pubkey_accepted_types,
"ecdsa-sha2-nistp384");
} else {
assert_string_equal(session->opts.pubkey_accepted_types,
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
}
/* Test one unknown public key algorithms */ if (!ssh_fips_mode()) {
rc = ssh_options_set(session, /* Test one unknown public key algorithms */
SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, rc = ssh_options_set(session,
"ssh-ed25519,unknown-crap@example.com,ssh-rsa"); SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
assert_true(rc == 0); "ssh-ed25519,unknown-crap@example.com,ssh-rsa");
assert_string_equal(session->opts.pubkey_accepted_types, assert_true(rc == 0);
"ssh-ed25519,ssh-rsa"); assert_non_null(session->opts.pubkey_accepted_types);
assert_string_equal(session->opts.pubkey_accepted_types,
"ssh-ed25519,ssh-rsa");
/* Test all unknown public key algorithms */ /* Test all unknown public key algorithms */
rc = ssh_options_set(session, rc = ssh_options_set(session,
SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
"unknown-crap@example.com,more-crap@example.com"); "unknown-crap@example.com,more-crap@example.com");
assert_false(rc == 0); assert_false(rc == 0);
/* Test that the option affects the algorithm selection for RSA keys */ /* Test that the option affects the algorithm selection for RSA keys */
/* simulate the SHA2 extension was negotiated */ /* simulate the SHA2 extension was negotiated */
session->extensions = SSH_EXT_SIG_RSA_SHA256; session->extensions = SSH_EXT_SIG_RSA_SHA256;
/* previous configuration did not list the SHA2 extension algoritms, so /* previous configuration did not list the SHA2 extension algoritms, so
* it should not be used */ * it should not be used */
type = ssh_key_type_to_hash(session, SSH_KEYTYPE_RSA); type = ssh_key_type_to_hash(session, SSH_KEYTYPE_RSA);
assert_int_equal(type, SSH_DIGEST_SHA1); assert_int_equal(type, SSH_DIGEST_SHA1);
}
/* now, lets allow the signature from SHA2 extension and expect /* now, lets allow the signature from SHA2 extension and expect
* it to be used */ * it to be used */
@ -180,8 +231,19 @@ static void torture_options_set_pubkey_accepted_types(void **state) {
SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES, SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES,
"rsa-sha2-256,ssh-rsa"); "rsa-sha2-256,ssh-rsa");
assert_true(rc == 0); assert_true(rc == 0);
assert_string_equal(session->opts.pubkey_accepted_types, assert_non_null(session->opts.pubkey_accepted_types);
"rsa-sha2-256,ssh-rsa"); if (ssh_fips_mode()) {
assert_string_equal(session->opts.pubkey_accepted_types,
"rsa-sha2-256");
} else {
assert_string_equal(session->opts.pubkey_accepted_types,
"rsa-sha2-256,ssh-rsa");
}
/* Test that the option affects the algorithm selection for RSA keys */
/* simulate the SHA2 extension was negotiated */
session->extensions = SSH_EXT_SIG_RSA_SHA256;
type = ssh_key_type_to_hash(session, SSH_KEYTYPE_RSA); type = ssh_key_type_to_hash(session, SSH_KEYTYPE_RSA);
assert_int_equal(type, SSH_DIGEST_SHA256); assert_int_equal(type, SSH_DIGEST_SHA256);
} }
@ -193,6 +255,7 @@ static void torture_options_set_macs(void **state) {
/* Test known MACs */ /* Test known MACs */
rc = ssh_options_set(session, SSH_OPTIONS_HMAC_S_C, "hmac-sha1"); rc = ssh_options_set(session, SSH_OPTIONS_HMAC_S_C, "hmac-sha1");
assert_true(rc == 0); assert_true(rc == 0);
assert_non_null(session->opts.wanted_methods[SSH_MAC_S_C]);
assert_string_equal(session->opts.wanted_methods[SSH_MAC_S_C], "hmac-sha1"); assert_string_equal(session->opts.wanted_methods[SSH_MAC_S_C], "hmac-sha1");
/* Test multiple known MACs */ /* Test multiple known MACs */
@ -200,12 +263,14 @@ static void torture_options_set_macs(void **state) {
SSH_OPTIONS_HMAC_S_C, SSH_OPTIONS_HMAC_S_C,
"hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1,hmac-sha2-256"); "hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1,hmac-sha2-256");
assert_true(rc == 0); assert_true(rc == 0);
assert_non_null(session->opts.wanted_methods[SSH_MAC_S_C]);
assert_string_equal(session->opts.wanted_methods[SSH_MAC_S_C], assert_string_equal(session->opts.wanted_methods[SSH_MAC_S_C],
"hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1,hmac-sha2-256"); "hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1,hmac-sha2-256");
/* Test unknown MACs */ /* Test unknown MACs */
rc = ssh_options_set(session, SSH_OPTIONS_HMAC_S_C, "unknown-crap@example.com,hmac-sha1-etm@openssh.com,unknown@example.com"); rc = ssh_options_set(session, SSH_OPTIONS_HMAC_S_C, "unknown-crap@example.com,hmac-sha1-etm@openssh.com,unknown@example.com");
assert_true(rc == 0); assert_true(rc == 0);
assert_non_null(session->opts.wanted_methods[SSH_MAC_S_C]);
assert_string_equal(session->opts.wanted_methods[SSH_MAC_S_C], "hmac-sha1-etm@openssh.com"); assert_string_equal(session->opts.wanted_methods[SSH_MAC_S_C], "hmac-sha1-etm@openssh.com");
/* Test all unknown MACs */ /* Test all unknown MACs */
@ -664,12 +729,12 @@ static void torture_options_copy(void **state)
"BindAddress 127.0.0.2\n" "BindAddress 127.0.0.2\n"
"GlobalKnownHostsFile /etc/ssh/known_hosts2\n" "GlobalKnownHostsFile /etc/ssh/known_hosts2\n"
"UserKnownHostsFile ~/.ssh/known_hosts2\n" "UserKnownHostsFile ~/.ssh/known_hosts2\n"
"KexAlgorithms curve25519-sha256\n" "KexAlgorithms curve25519-sha256,ecdh-sha2-nistp521\n"
"Ciphers aes256-ctr\n" "Ciphers aes256-ctr\n"
"MACs hmac-sha2-256\n" "MACs hmac-sha2-256\n"
"HostKeyAlgorithms ssh-ed25519\n" "HostKeyAlgorithms ssh-ed25519,ecdsa-sha2-nistp521\n"
"Compression yes\n" "Compression yes\n"
"PubkeyAcceptedTypes ssh-ed25519\n" "PubkeyAcceptedTypes ssh-ed25519,ecdsa-sha2-nistp521\n"
"ProxyCommand nc 127.0.0.10 22\n" "ProxyCommand nc 127.0.0.10 22\n"
/* ops.custombanner */ /* ops.custombanner */
"ConnectTimeout 42\n" "ConnectTimeout 42\n"
@ -1155,16 +1220,21 @@ static void torture_bind_options_set_ciphers(void **state)
"aes128-ctr,aes192-ctr,aes256-ctr"); "aes128-ctr,aes192-ctr,aes256-ctr");
assert_int_equal(rc, 0); assert_int_equal(rc, 0);
assert_non_null(bind->wanted_methods[SSH_CRYPT_C_S]); assert_non_null(bind->wanted_methods[SSH_CRYPT_C_S]);
assert_string_equal(bind->wanted_methods[SSH_CRYPT_C_S], if (ssh_fips_mode()) {
"aes128-ctr,aes192-ctr,aes256-ctr"); assert_string_equal(bind->wanted_methods[SSH_CRYPT_C_S],
"aes128-ctr,aes256-ctr");
} else {
assert_string_equal(bind->wanted_methods[SSH_CRYPT_C_S],
"aes128-ctr,aes192-ctr,aes256-ctr");
}
/* Test one unknown cipher */ /* Test one unknown cipher */
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_CIPHERS_C_S, rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_CIPHERS_C_S,
"aes128-ctr,unknown-crap@example.com,aes192-ctr,aes256-ctr"); "aes128-ctr,unknown-crap@example.com,aes256-ctr");
assert_int_equal(rc, 0); assert_int_equal(rc, 0);
assert_non_null(bind->wanted_methods[SSH_CRYPT_C_S]); assert_non_null(bind->wanted_methods[SSH_CRYPT_C_S]);
assert_string_equal(bind->wanted_methods[SSH_CRYPT_C_S], assert_string_equal(bind->wanted_methods[SSH_CRYPT_C_S],
"aes128-ctr,aes192-ctr,aes256-ctr"); "aes128-ctr,aes256-ctr");
/* Test all unknown ciphers */ /* Test all unknown ciphers */
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_CIPHERS_C_S, rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_CIPHERS_C_S,
@ -1176,16 +1246,21 @@ static void torture_bind_options_set_ciphers(void **state)
"aes128-ctr,aes192-ctr,aes256-ctr"); "aes128-ctr,aes192-ctr,aes256-ctr");
assert_int_equal(rc, 0); assert_int_equal(rc, 0);
assert_non_null(bind->wanted_methods[SSH_CRYPT_S_C]); assert_non_null(bind->wanted_methods[SSH_CRYPT_S_C]);
assert_string_equal(bind->wanted_methods[SSH_CRYPT_S_C], if (ssh_fips_mode()) {
"aes128-ctr,aes192-ctr,aes256-ctr"); assert_string_equal(bind->wanted_methods[SSH_CRYPT_S_C],
"aes128-ctr,aes256-ctr");
} else {
assert_string_equal(bind->wanted_methods[SSH_CRYPT_S_C],
"aes128-ctr,aes192-ctr,aes256-ctr");
}
/* Test one unknown cipher */ /* Test one unknown cipher */
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_CIPHERS_S_C, rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_CIPHERS_S_C,
"aes128-ctr,unknown-crap@example.com,aes192-ctr,aes256-ctr"); "aes128-ctr,unknown-crap@example.com,aes256-ctr");
assert_int_equal(rc, 0); assert_int_equal(rc, 0);
assert_non_null(bind->wanted_methods[SSH_CRYPT_S_C]); assert_non_null(bind->wanted_methods[SSH_CRYPT_S_C]);
assert_string_equal(bind->wanted_methods[SSH_CRYPT_S_C], assert_string_equal(bind->wanted_methods[SSH_CRYPT_S_C],
"aes128-ctr,aes192-ctr,aes256-ctr"); "aes128-ctr,aes256-ctr");
/* Test all unknown ciphers */ /* Test all unknown ciphers */
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_CIPHERS_S_C, rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_CIPHERS_S_C,
@ -1209,20 +1284,35 @@ static void torture_bind_options_set_key_exchange(void **state)
/* Test known kexes */ /* Test known kexes */
rc = ssh_bind_options_set(bind, rc = ssh_bind_options_set(bind,
SSH_BIND_OPTIONS_KEY_EXCHANGE, SSH_BIND_OPTIONS_KEY_EXCHANGE,
"curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1"); "curve25519-sha256,curve25519-sha256@libssh.org,"
"ecdh-sha2-nistp256,diffie-hellman-group16-sha512,"
"diffie-hellman-group18-sha512,"
"diffie-hellman-group14-sha1");
assert_int_equal(rc, 0); assert_int_equal(rc, 0);
assert_non_null(bind->wanted_methods[SSH_KEX]); assert_non_null(bind->wanted_methods[SSH_KEX]);
assert_string_equal(bind->wanted_methods[SSH_KEX], if (ssh_fips_mode()) {
"curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1"); assert_string_equal(bind->wanted_methods[SSH_KEX],
"ecdh-sha2-nistp256,diffie-hellman-group16-sha512,"
"diffie-hellman-group18-sha512");
} else {
assert_string_equal(bind->wanted_methods[SSH_KEX],
"curve25519-sha256,curve25519-sha256@libssh.org,"
"ecdh-sha2-nistp256,diffie-hellman-group16-sha512,"
"diffie-hellman-group18-sha512,"
"diffie-hellman-group14-sha1");
}
/* Test one unknown kex */ /* Test one unknown kex */
rc = ssh_bind_options_set(bind, rc = ssh_bind_options_set(bind,
SSH_BIND_OPTIONS_KEY_EXCHANGE, SSH_BIND_OPTIONS_KEY_EXCHANGE,
"curve25519-sha256,curve25519-sha256@libssh.org,unknown-crap@example.com,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1"); "diffie-hellman-group16-sha512,"
"unknown-crap@example.com,"
"diffie-hellman-group18-sha512");
assert_int_equal(rc, 0); assert_int_equal(rc, 0);
assert_non_null(bind->wanted_methods[SSH_KEX]); assert_non_null(bind->wanted_methods[SSH_KEX]);
assert_string_equal(bind->wanted_methods[SSH_KEX], assert_string_equal(bind->wanted_methods[SSH_KEX],
"curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1"); "diffie-hellman-group16-sha512,"
"diffie-hellman-group18-sha512");
/* Test all unknown kexes */ /* Test all unknown kexes */
rc = ssh_bind_options_set(bind, rc = ssh_bind_options_set(bind,
@ -1375,18 +1465,23 @@ static void torture_bind_options_set_pubkey_accepted_key_types(void **state)
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa"); "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
assert_int_equal(rc, 0); assert_int_equal(rc, 0);
assert_non_null(bind->pubkey_accepted_key_types); assert_non_null(bind->pubkey_accepted_key_types);
assert_string_equal(bind->pubkey_accepted_key_types, if (ssh_fips_mode()) {
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa"); assert_string_equal(bind->pubkey_accepted_key_types,
"ecdsa-sha2-nistp384");
} else {
assert_string_equal(bind->pubkey_accepted_key_types,
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
}
SAFE_FREE(bind->pubkey_accepted_key_types); SAFE_FREE(bind->pubkey_accepted_key_types);
/* Test with some unknown type */ /* Test with some unknown type */
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES, rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES,
"ssh-ed25519,ecdsa-sha2-nistp384,unknown-type,ssh-rsa"); "ecdsa-sha2-nistp384,unknown-type,rsa-sha2-256");
assert_int_equal(rc, 0); assert_int_equal(rc, 0);
assert_non_null(bind->pubkey_accepted_key_types); assert_non_null(bind->pubkey_accepted_key_types);
assert_string_equal(bind->pubkey_accepted_key_types, assert_string_equal(bind->pubkey_accepted_key_types,
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa"); "ecdsa-sha2-nistp384,rsa-sha2-256");
SAFE_FREE(bind->pubkey_accepted_key_types); SAFE_FREE(bind->pubkey_accepted_key_types);
@ -1398,11 +1493,11 @@ static void torture_bind_options_set_pubkey_accepted_key_types(void **state)
/* Test with something set and then try unknown type */ /* Test with something set and then try unknown type */
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES, rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES,
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa"); "ecdsa-sha2-nistp384");
assert_int_equal(rc, 0); assert_int_equal(rc, 0);
assert_non_null(bind->pubkey_accepted_key_types); assert_non_null(bind->pubkey_accepted_key_types);
assert_string_equal(bind->pubkey_accepted_key_types, assert_string_equal(bind->pubkey_accepted_key_types,
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa"); "ecdsa-sha2-nistp384");
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES, rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES,
"unknown-type"); "unknown-type");
assert_int_equal(rc, -1); assert_int_equal(rc, -1);
@ -1410,7 +1505,7 @@ static void torture_bind_options_set_pubkey_accepted_key_types(void **state)
/* Check that nothing changed */ /* Check that nothing changed */
assert_non_null(bind->pubkey_accepted_key_types); assert_non_null(bind->pubkey_accepted_key_types);
assert_string_equal(bind->pubkey_accepted_key_types, assert_string_equal(bind->pubkey_accepted_key_types,
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa"); "ecdsa-sha2-nistp384");
} }
static void torture_bind_options_set_hostkey_algorithms(void **state) static void torture_bind_options_set_hostkey_algorithms(void **state)
@ -1427,21 +1522,26 @@ static void torture_bind_options_set_hostkey_algorithms(void **state)
/* Test known Pubkey Types */ /* Test known Pubkey Types */
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS, rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS,
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa"); "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
assert_int_equal(rc, 0); assert_int_equal(rc, 0);
assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]); assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], if (ssh_fips_mode()) {
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa"); assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS],
"ecdsa-sha2-nistp384");
} else {
assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS],
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
}
SAFE_FREE(bind->wanted_methods[SSH_HOSTKEYS]); SAFE_FREE(bind->wanted_methods[SSH_HOSTKEYS]);
/* Test with some unknown type */ /* Test with some unknown type */
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS, rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS,
"ssh-ed25519,ecdsa-sha2-nistp384,unknown-type,ssh-rsa"); "ecdsa-sha2-nistp384,unknown-type");
assert_int_equal(rc, 0); assert_int_equal(rc, 0);
assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]); assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS],
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa"); "ecdsa-sha2-nistp384");
SAFE_FREE(bind->wanted_methods[SSH_HOSTKEYS]); SAFE_FREE(bind->wanted_methods[SSH_HOSTKEYS]);
@ -1453,11 +1553,11 @@ static void torture_bind_options_set_hostkey_algorithms(void **state)
/* Test with something set and then try unknown type */ /* Test with something set and then try unknown type */
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS, rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS,
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa"); "ecdsa-sha2-nistp384");
assert_int_equal(rc, 0); assert_int_equal(rc, 0);
assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]); assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS],
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa"); "ecdsa-sha2-nistp384");
rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS, rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS,
"unknown-type"); "unknown-type");
assert_int_equal(rc, -1); assert_int_equal(rc, -1);
@ -1465,7 +1565,7 @@ static void torture_bind_options_set_hostkey_algorithms(void **state)
/* Check that nothing changed */ /* Check that nothing changed */
assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]); assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS],
"ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa"); "ecdsa-sha2-nistp384");
} }
#endif /* WITH_SERVER */ #endif /* WITH_SERVER */
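Review bot: Gating the unknown-algorithm cases of torture_options_set_pubkey_accepted_types behind `if (!ssh_fips_mode())` loses coverage that the hostkey hunk in the same commit kept: under FIPS, neither the filtering of one unknown entry nor the rejection of an all-unknown list for SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES is ever exercised, although neither behaviour depends on the mode. The hostkey test already shows the mode-independent pattern — input `"ecdsa-sha2-nistp521,unknown-crap@example.com,rsa-sha2-256"` expecting `"ecdsa-sha2-nistp521,rsa-sha2-256"` — so the same inputs could replace `"ssh-ed25519,unknown-crap@example.com,ssh-rsa"` and the expected `"ssh-ed25519,ssh-rsa"`, and the `assert_false(rc == 0)` for the all-unknown list could then run unconditionally. Only the trailing SHA1-fallback check (`assert_int_equal(type, SSH_DIGEST_SHA1)`) appears to need the gate, and only if that result is unavailable in FIPS mode, which the hunk itself does not show. The function begins before and continues past this hunk.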