tests: Skip Ed25519 keys in FIPS mode

Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Sahana Prasad <sahana@redhat.com>
2025-12-24 19:37:48 +03:00 · 2024-12-23 21:11:11 +01:00
parent b2b56151c0
commit 9735f074ba
3 changed files with 111 additions and 21 deletions
--- a/tests/torture.c
+++ b/tests/torture.c
@@ -650,14 +650,21 @@ void torture_setup_create_libssh_config(void **state)
    char sshd_path[1024];
    const char *additional_config = NULL;
    struct stat sb;
-    const char config_string[]=
-             "LogLevel DEBUG3\n"
-             "Port 22\n"
-             "ListenAddress 127.0.0.10\n"
-             "%s %s\n"
-             "%s %s\n"
-             "%s %s\n"
-             "%s\n"; /* The space for test-specific options */
+    const char config_string[] =
+        "LogLevel DEBUG3\n"
+        "Port 22\n"
+        "ListenAddress 127.0.0.10\n"
+        "%s %s\n"
+        "%s %s\n"
+        "%s %s\n"
+        "%s\n"; /* The space for test-specific options */
+    const char fips_config_string[] =
+        "LogLevel DEBUG3\n"
+        "Port 22\n"
+        "ListenAddress 127.0.0.10\n"
+        "%s %s\n"
+        "%s %s\n"
+        "%s\n"; /* The space for test-specific options */
    bool written = false;
    int rc;

@@ -705,12 +712,27 @@ void torture_setup_create_libssh_config(void **state)
    additional_config = (s->srv_additional_config != NULL ?
                         s->srv_additional_config : "");

-    snprintf(sshd_config, sizeof(sshd_config),
-            config_string,
-            "HostKey", ed25519_hostkey,
-            "HostKey", rsa_hostkey,
-            "HostKey", ecdsa_hostkey,
-            additional_config);
+    if (ssh_fips_mode()) {
+        snprintf(sshd_config,
+                 sizeof(sshd_config),
+                 fips_config_string,
+                 "HostKey",
+                 rsa_hostkey,
+                 "HostKey",
+                 ecdsa_hostkey,
+                 additional_config);
+    } else {
+        snprintf(sshd_config,
+                 sizeof(sshd_config),
+                 config_string,
+                 "HostKey",
+                 ed25519_hostkey,
+                 "HostKey",
+                 rsa_hostkey,
+                 "HostKey",
+                 ecdsa_hostkey,
+                 additional_config);
+    }

    torture_write_file(s->srv_config, sshd_config);
 }
--- a/tests/unittests/torture_options.c
+++ b/tests/unittests/torture_options.c
@@ -2155,11 +2155,20 @@ torture_bind_options_import_key(void **state)
    /* set ed25519 key */
    base64_key = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0);
    rc = ssh_pki_import_privkey_base64(base64_key, NULL, NULL, NULL, &key);
-    assert_int_equal(rc, SSH_OK);
-    assert_non_null(key);
+    if (ssh_fips_mode()) {
+        assert_int_equal(rc, SSH_ERROR);
+        assert_null(key);
+    } else {
+        assert_int_equal(rc, SSH_OK);
+        assert_non_null(key);
+    }

    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_IMPORT_KEY, key);
-    assert_int_equal(rc, 0);
+    if (ssh_fips_mode()) {
+        assert_int_equal(rc, SSH_ERROR);
+    } else {
+        assert_int_equal(rc, 0);
+    }

    /* set rsa key */
    base64_key = torture_get_testkey(SSH_KEYTYPE_RSA, 0);
@@ -2208,7 +2217,11 @@ torture_bind_options_import_key_str(void **state)

    rc =
        ssh_bind_options_set(bind, SSH_BIND_OPTIONS_IMPORT_KEY_STR, base64_key);
-    assert_int_equal(rc, 0);
+    if (ssh_fips_mode()) {
+        assert_int_equal(rc, SSH_ERROR);
+    } else {
+        assert_int_equal(rc, 0);
+    }

    /* set rsa key */
    base64_key = torture_get_testkey(SSH_KEYTYPE_RSA, 0);
@@ -2250,9 +2263,14 @@ static void torture_bind_options_hostkey(void **state)
    rc = ssh_bind_options_set(bind,
                              SSH_BIND_OPTIONS_HOSTKEY,
                              LIBSSH_ED25519_TESTKEY);
-    assert_int_equal(rc, 0);
-    assert_non_null(bind->ed25519key);
-    assert_string_equal(bind->ed25519key, LIBSSH_ED25519_TESTKEY);
+    if (ssh_fips_mode()) {
+        assert_int_equal(rc, SSH_ERROR);
+        assert_null(bind->ed25519key);
+    } else {
+        assert_int_equal(rc, 0);
+        assert_non_null(bind->ed25519key);
+        assert_string_equal(bind->ed25519key, LIBSSH_ED25519_TESTKEY);
+    }

 #ifdef HAVE_ECC
    /* Test ECDSA key */
--- a/tests/unittests/torture_pki_ed25519.c
+++ b/tests/unittests/torture_pki_ed25519.c
@@ -128,6 +128,11 @@ static void torture_pki_ed25519_import_privkey_base64(void **state)

    (void) state; /* unused */

+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
    key_str = torture_pki_read_file(LIBSSH_ED25519_TESTKEY);
    assert_non_null(key_str);

@@ -160,6 +165,11 @@ static void torture_pki_ed25519_import_privkey_base64_comment(void **state)

    (void) state; /* unused */

+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
    key_str = torture_pki_read_file(LIBSSH_ED25519_TESTKEY);
    assert_non_null(key_str);

@@ -199,6 +209,11 @@ static void torture_pki_ed25519_import_privkey_base64_whitespace(void **state)

    (void) state; /* unused */

+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
    key_str = torture_pki_read_file(LIBSSH_ED25519_TESTKEY);
    assert_non_null(key_str);

@@ -237,6 +252,11 @@ static void torture_pki_ed25519_import_export_privkey_base64(void **state)

    (void) state; /* unused */

+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
    rc = ssh_pki_import_privkey_base64(torture_get_openssh_testkey(SSH_KEYTYPE_ED25519,
                                                                   false),
                                       passphrase,
@@ -289,6 +309,11 @@ static void torture_pki_ed25519_publickey_from_privatekey(void **state)

    (void) state; /* unused */

+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
    keystring = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 0);
    rc = ssh_pki_import_privkey_base64(keystring,
                                       passphrase,
@@ -345,6 +370,11 @@ static void torture_pki_ed25519_publickey_base64(void **state)

    (void) state; /* unused */

+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
    key_buf = strdup(torture_get_testkey_pub(SSH_KEYTYPE_ED25519));
    assert_non_null(key_buf);

@@ -388,6 +418,11 @@ static void torture_pki_ed25519_generate_pubkey_from_privkey(void **state)

    (void)state; /* unused */

+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
    /* remove the public key, generate it from the private key and write it. */
    unlink(LIBSSH_ED25519_TESTKEY ".pub");

@@ -919,6 +954,11 @@ static void torture_pki_ed25519_import_privkey_base64_passphrase(void **state)

    (void) state; /* unused */

+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
    /* same for ED25519 */
    testkey = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 1);
    rc = ssh_pki_import_privkey_base64(testkey,
@@ -954,6 +994,11 @@ static void torture_pki_ed25519_privkey_dup(void **state)

    (void) state; /* unused */

+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
    testkey = torture_get_openssh_testkey(SSH_KEYTYPE_ED25519, 1);
    rc = ssh_pki_import_privkey_base64(testkey,
                                       passphrase,
@@ -984,6 +1029,11 @@ static void torture_pki_ed25519_pubkey_dup(void **state)

    (void) state; /* unused */

+    /* Skip test if in FIPS mode */
+    if (ssh_fips_mode()) {
+        skip();
+    }
+
    pub_str = strdup(p + 1);
    assert_non_null(pub_str);