tests: detect OpenSSH supported ciphers

Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-10-11 17:07:32 +02:00 · 2019-10-11 17:07:32 +02:00 · 3063a57fc8
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@ -43,6 +43,66 @@ set(TEST_TARGET_LIBRARIES

 add_subdirectory(unittests)

+# OpenSSH Capabilities are required for all unit tests
+find_program(SSH_EXECUTABLE NAMES ssh)
+if (SSH_EXECUTABLE)
+    execute_process(COMMAND ${SSH_EXECUTABLE} -V ERROR_VARIABLE OPENSSH_VERSION_STR)
+    string(REGEX REPLACE "^.*OpenSSH_([0-9]).[0-9].*$" "\\1" OPENSSH_VERSION_MAJOR "${OPENSSH_VERSION_STR}")
+    string(REGEX REPLACE "^.*OpenSSH_[0-9].([0-9]).*$" "\\1" OPENSSH_VERSION_MINOR "${OPENSSH_VERSION_STR}")
+    set(OPENSSH_VERSION "${OPENSSH_VERSION_MAJOR}.${OPENSSH_VERSION_MINOR}")
+    if("${OPENSSH_VERSION}" VERSION_LESS "6.3")
+        # ssh - Q was introduced in 6.3
+        message("Version less than 6.3, hardcoding cipher list")
+        set(OPENSSH_CIPHERS "aes128-ctr\naes192-ctr\naes256-ctr\narcfour256\narcfour128\naes128-gcm@openssh.com\naes256-gcm@openssh.com\naes128-cbc\n3des-cbc\nblowfish-cbc\ncast128-cbc\naes192-cbc\naes256-cbc\narcfour\nrijndael-cbc@lysator.liu.se\n")
+        set(OPENSSH_MACS "hmac-md5-etm@openssh.com\nhmac-sha1-etm@openssh.com\numac-64-etm@openssh.com\numac-128-etm@openssh.com\nhmac-sha2-256-etm@openssh.com\nhmac-sha2-512-etm@openssh.com\nhmac-ripemd160-etm@openssh.com\nhmac-sha1-96-etm@openssh.com\nhmac-md5-96-etm@openssh.com\nhmac-md5\nhmac-sha1\numac-64@openssh.com\numac-128@openssh.com\nhmac-sha2-256\nhmac-sha2-512\nhmac-ripemd160\nhmac-ripemd160@openssh.com\nhmac-sha1-96\nhmac-md5-96\n")
+        set(OPENSSH_KEX "ecdh-sha2-nistp256\necdh-sha2-nistp384\necdh-sha2-nistp521\ndiffie-hellman-group-exchange-sha256\ndiffie-hellman-group-exchange-sha1\ndiffie-hellman-group14-sha1\ndiffie-hellman-group1-sha1\n")
+        set(OPENSSH_KEYS "ssh-rsa\nssh-dss\necdsa-sha2-nistp256\n")
+    else()
+        execute_process(COMMAND ${SSH_EXECUTABLE} -Q cipher OUTPUT_VARIABLE OPENSSH_CIPHERS)
+        execute_process(COMMAND ${SSH_EXECUTABLE} -Q mac OUTPUT_VARIABLE OPENSSH_MACS)
+        execute_process(COMMAND ${SSH_EXECUTABLE} -Q kex OUTPUT_VARIABLE OPENSSH_KEX)
+        execute_process(COMMAND ${SSH_EXECUTABLE} -Q key OUTPUT_VARIABLE OPENSSH_KEYS)
+        execute_process(COMMAND ${SSH_EXECUTABLE} -Q sig OUTPUT_VARIABLE OPENSSH_SIGS ERROR_QUIET)
+        set(OPENSSH_KEYS "${OPENSSH_KEYS}${OPENSSH_SIGS}")
+    endif()
+
+    set(SSH_ALGORITHMS
+        3des-cbc aes128-cbc aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr
+        aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com
+        hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 hmac-md5 hmac-md5-96 umac-64@openssh.com
+        umac-128@openssh.com hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com
+        hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-md5-etm@openssh.com
+        hmac-md5-96-etm@openssh.com umac-64-etm@openssh.com umac-128-etm@openssh.com
+        diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group14-sha256
+        diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1
+        diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
+        curve25519-sha256 curve25519-sha256@libssh.org
+        ssh-ed25519 ssh-ed25519-cert-v01@openssh.com ssh-rsa ssh-dss
+        ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521
+        ssh-rsa-cert-v01@openssh.com ssh-dss-cert-v01@openssh.com
+        ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com
+        ecdsa-sha2-nistp521-cert-v01@openssh.com
+        )
+    foreach(ALGORITHM ${SSH_ALGORITHMS})
+        string(TOUPPER ${ALGORITHM} VARNAME)
+        string(REGEX REPLACE "[-@.]" "_" VARNAME "OPENSSH_${VARNAME}")
+
+        # Match the current algorithm into the complete list of OpenSSH supported algorithms.
+        # If matching, create an OPENSSH_CIPHER_NAME variable.
+        string(REGEX MATCH ".*${ALGORITHM}\n" "${VARNAME}" "${OPENSSH_CIPHERS}${OPENSSH_MACS}${OPENSSH_KEX}${OPENSSH_KEYS}")
+    endforeach(ALGORITHM)
+
+    string(STRIP "${OPENSSH_CIPHERS}" OPENSSH_CIPHERS)
+    string(STRIP "${OPENSSH_MACS}" OPENSSH_MACS)
+    string(STRIP "${OPENSSH_KEX}" OPENSSH_KEX)
+    string(STRIP "${OPENSSH_KEYS}" OPENSSH_KEYS)
+    string(REPLACE "\n" "," OPENSSH_CIPHERS "${OPENSSH_CIPHERS}")
+    string(REPLACE "\n" "," OPENSSH_MACS "${OPENSSH_MACS}")
+    string(REPLACE "\n" "," OPENSSH_KEX "${OPENSSH_KEX}")
+    string(REPLACE "\n" "," OPENSSH_KEYS "${OPENSSH_KEYS}")
+
+endif()
+
 if (CLIENT_TESTING OR SERVER_TESTING)
    find_package(socket_wrapper 1.1.5 REQUIRED)
    find_package(nss_wrapper 1.1.2 REQUIRED)
@ -60,6 +120,14 @@ if (CLIENT_TESTING OR SERVER_TESTING)
        message(SEND_ERROR "Could not find sshd which is required for client testing")
    endif()

+    find_program(NC_EXECUTABLE
+                 NAME
+                    nc
+                 PATHS
+                    /bin
+                    /usr/bin
+                    /usr/local/bin)
+
    if (WITH_PKCS11_URI)
        find_package(softhsm)
        if (NOT SOFTHSM_FOUND)
@ -161,6 +229,8 @@ if (CLIENT_TESTING OR SERVER_TESTING)
    message(STATUS "TORTURE_ENVIRONMENT=${TORTURE_ENVIRONMENT}")
 endif ()

+configure_file(tests_config.h.cmake ${CMAKE_CURRENT_BINARY_DIR}/tests_config.h)
+
 if (WITH_BENCHMARKS)
    add_subdirectory(benchmarks)
 endif ()
--- a/tests/tests_config.h.cmake
+++ b/tests/tests_config.h.cmake
@ -0,0 +1,63 @@
+/* OpenSSH capabilities */
+
+#cmakedefine OPENSSH_VERSION_MAJOR ${OPENSSH_VERSION_MAJOR}
+#cmakedefine OPENSSH_VERSION_MINOR ${OPENSSH_VERSION_MINOR}
+
+#cmakedefine OPENSSH_CIPHERS "${OPENSSH_CIPHERS}"
+#cmakedefine OPENSSH_MACS "${OPENSSH_MACS}"
+#cmakedefine OPENSSH_KEX "${OPENSSH_KEX}"
+#cmakedefine OPENSSH_KEYS "${OPENSSH_KEYS}"
+
+
+#cmakedefine OPENSSH_3DES_CBC 1
+#cmakedefine OPENSSH_AES128_CBC 1
+#cmakedefine OPENSSH_AES192_CBC 1
+#cmakedefine OPENSSH_AES256_CBC 1
+#cmakedefine OPENSSH_RIJNDAEL_CBC_LYSATOR_LIU_SE 1
+#cmakedefine OPENSSH_AES128_CTR 1
+#cmakedefine OPENSSH_AES192_CTR 1
+#cmakedefine OPENSSH_AES256_CTR 1
+#cmakedefine OPENSSH_AES128_GCM_OPENSSH_COM 1
+#cmakedefine OPENSSH_AES256_GCM_OPENSSH_COM 1
+#cmakedefine OPENSSH_CHACHA20_POLY1305_OPENSSH_COM 1
+#cmakedefine OPENSSH_BLOWFISH_CBC 1
+#cmakedefine OPENSSH_HMAC_SHA1 1
+#cmakedefine OPENSSH_HMAC_SHA1_96 1
+#cmakedefine OPENSSH_HMAC_SHA2_256 1
+#cmakedefine OPENSSH_HMAC_SHA2_512 1
+#cmakedefine OPENSSH_HMAC_MD5 1
+#cmakedefine OPENSSH_HMAC_MD5_96 1
+#cmakedefine OPENSSH_UMAC_64_OPENSSH_COM 1
+#cmakedefine OPENSSH_UMAC_128_OPENSSH_COM 1
+#cmakedefine OPENSSH_HMAC_SHA1_ETM_OPENSSH_COM 1
+#cmakedefine OPENSSH_HMAC_SHA1_96_ETM_OPENSSH_COM 1
+#cmakedefine OPENSSH_HMAC_SHA2_256_ETM_OPENSSH_COM 1
+#cmakedefine OPENSSH_HMAC_SHA2_512_ETM_OPENSSH_COM 1
+#cmakedefine OPENSSH_HMAC_MD5_ETM_OPENSSH_COM 1
+#cmakedefine OPENSSH_HMAC_MD5_96_ETM_OPENSSH_COM 1
+#cmakedefine OPENSSH_UMAC_64_ETM_OPENSSH_COM 1
+#cmakedefine OPENSSH_UMAC_128_ETM_OPENSSH_COM 1
+#cmakedefine OPENSSH_DIFFIE_HELLMAN_GROUP1_SHA1 1
+#cmakedefine OPENSSH_DIFFIE_HELLMAN_GROUP14_SHA1 1
+#cmakedefine OPENSSH_DIFFIE_HELLMAN_GROUP14_SHA256 1
+#cmakedefine OPENSSH_DIFFIE_HELLMAN_GROUP16_SHA512 1
+#cmakedefine OPENSSH_DIFFIE_HELLMAN_GROUP18_SHA512 1
+#cmakedefine OPENSSH_DIFFIE_HELLMAN_GROUP_EXCHANGE_SHA1 1
+#cmakedefine OPENSSH_DIFFIE_HELLMAN_GROUP_EXCHANGE_SHA256 1
+#cmakedefine OPENSSH_ECDH_SHA2_NISTP256 1
+#cmakedefine OPENSSH_ECDH_SHA2_NISTP384 1
+#cmakedefine OPENSSH_ECDH_SHA2_NISTP521 1
+#cmakedefine OPENSSH_CURVE25519_SHA256 1
+#cmakedefine OPENSSH_CURVE25519_SHA256_LIBSSH_ORG 1
+#cmakedefine OPENSSH_SSH_ED25519 1
+#cmakedefine OPENSSH_SSH_ED25519_CERT_V01_OPENSSH_COM 1
+#cmakedefine OPENSSH_SSH_RSA 1
+#cmakedefine OPENSSH_SSH_DSS 1
+#cmakedefine OPENSSH_ECDSA_SHA2_NISTP256 1
+#cmakedefine OPENSSH_ECDSA_SHA2_NISTP384 1
+#cmakedefine OPENSSH_ECDSA_SHA2_NISTP521 1
+#cmakedefine OPENSSH_SSH_RSA_CERT_V01_OPENSSH_COM 1
+#cmakedefine OPENSSH_SSH_DSS_CERT_V01_OPENSSH_COM 1
+#cmakedefine OPENSSH_ECDSA_SHA2_NISTP256_CERT_V01_OPENSSH_COM 1
+#cmakedefine OPENSSH_ECDSA_SHA2_NISTP384_CERT_V01_OPENSSH_COM 1
+#cmakedefine OPENSSH_ECDSA_SHA2_NISTP521_CERT_V01_OPENSSH_COM 1
--- a/tests/torture.c
+++ b/tests/torture.c
@ -22,7 +22,7 @@
 */

 #include "config.h"
-
+#include "tests_config.h"
 #include <stdio.h>
 #include <stdlib.h>
 #include <sys/types.h>
@ -605,6 +605,7 @@ static void torture_setup_create_sshd_config(void **state, bool pam)
        "/usr/lib/openssh/sftp-server",     /* Debian */
    };
 #ifndef OPENSSH_VERSION_MAJOR
+#warning "OPENSSH_VERSION_MAJOR undefined, using default"
 #define OPENSSH_VERSION_MAJOR 7U
 #define OPENSSH_VERSION_MINOR 0U
 #endif /* OPENSSH_VERSION_MAJOR */