tests/pkd: Use only allowed algorithms if in FIPS mode
Use only allowed algorithms in FIPS mode. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Этот коммит содержится в:
Anderson Toshiyuki Sasaki
Andreas Schneider
родитель
bb36cc30ee
Коммит
bd32fb020b
@ -24,6 +24,7 @@
|
||||
#include <libssh/server.h>
|
||||
#include <libssh/kex.h>
|
||||
|
||||
#include "torture.h" // for ssh_fips_mode()
|
||||
#include "pkd_daemon.h"
|
||||
|
||||
#include <setjmp.h> // for cmocka
|
||||
@ -290,6 +291,7 @@ static int pkd_exec_hello(int fd, struct pkd_daemon_args *args)
|
||||
goto outclose;
|
||||
}
|
||||
|
||||
if (!ssh_fips_mode()) {
|
||||
/* Add methods not enabled by default */
|
||||
#define GEX_SHA1 "diffie-hellman-group-exchange-sha1"
|
||||
default_kex = ssh_kex_get_default_methods(SSH_KEX);
|
||||
@ -321,6 +323,7 @@ static int pkd_exec_hello(int fd, struct pkd_daemon_args *args)
|
||||
pkderr("ssh_bind_options_set Ciphers S-C: %s\n", ssh_get_error(b));
|
||||
goto outclose;
|
||||
}
|
||||
}
|
||||
|
||||
s = ssh_new();
|
||||
if (s == NULL) {
|
||||
|
||||
@ -13,6 +13,7 @@
|
||||
#include <cmocka.h>
|
||||
|
||||
#include "libssh/priv.h"
|
||||
#include "torture.h" // for ssh_fips_mode()
|
||||
|
||||
#include "pkd_client.h"
|
||||
#include "pkd_daemon.h"
|
||||
@ -210,21 +211,21 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
|
||||
* Test matrices: f(clientname, testname, ssh-command, setup-function, teardown-function).
|
||||
*/
|
||||
|
||||
#define PKDTESTS_DEFAULT_FIPS(f, client, cmd) \
|
||||
f(client, rsa_default, cmd, setup_rsa, teardown) \
|
||||
f(client, ecdsa_256_default, cmd, setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_default, cmd, setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_default, cmd, setup_ecdsa_521, teardown)
|
||||
|
||||
#ifdef HAVE_DSA
|
||||
#define PKDTESTS_DEFAULT(f, client, cmd) \
|
||||
/* Default passes by server key type. */ \
|
||||
f(client, rsa_default, cmd, setup_rsa, teardown) \
|
||||
f(client, dsa_default, cmd, setup_dsa, teardown) \
|
||||
f(client, ecdsa_256_default, cmd, setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_default, cmd, setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_default, cmd, setup_ecdsa_521, teardown)
|
||||
PKDTESTS_DEFAULT_FIPS(f, client, cmd) \
|
||||
f(client, dsa_default, cmd, setup_dsa, teardown)
|
||||
#else
|
||||
#define PKDTESTS_DEFAULT(f, client, cmd) \
|
||||
/* Default passes by server key type. */ \
|
||||
f(client, rsa_default, cmd, setup_rsa, teardown) \
|
||||
f(client, ecdsa_256_default, cmd, setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_default, cmd, setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_default, cmd, setup_ecdsa_521, teardown)
|
||||
PKDTESTS_DEFAULT_FIPS(f, client, cmd)
|
||||
#endif
|
||||
|
||||
#define PKDTESTS_DEFAULT_OPENSSHONLY(f, client, cmd) \
|
||||
@ -234,49 +235,80 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
|
||||
#define GEX_SHA256 "diffie-hellman-group-exchange-sha256"
|
||||
#define GEX_SHA1 "diffie-hellman-group-exchange-sha1"
|
||||
|
||||
#define PKDTESTS_KEX_COMMON(f, client, kexcmd) \
|
||||
f(client, rsa_curve25519_sha256, kexcmd("curve25519-sha256"), setup_rsa, teardown) \
|
||||
f(client, rsa_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"), setup_rsa, teardown) \
|
||||
#if defined(WITH_GEX)
|
||||
#define PKDTESTS_KEX_FIPS(f, client, kexcmd) \
|
||||
f(client, rsa_ecdh_sha2_nistp256, kexcmd("ecdh-sha2-nistp256"), setup_rsa, teardown) \
|
||||
f(client, rsa_ecdh_sha2_nistp384, kexcmd("ecdh-sha2-nistp384"), setup_rsa, teardown) \
|
||||
f(client, rsa_ecdh_sha2_nistp521, kexcmd("ecdh-sha2-nistp521"), setup_rsa, teardown) \
|
||||
f(client, rsa_diffie_hellman_group16_sha512, kexcmd("diffie-hellman-group16-sha512"), setup_rsa, teardown) \
|
||||
f(client, rsa_diffie_hellman_group18_sha512, kexcmd("diffie-hellman-group18-sha512"), setup_rsa, teardown) \
|
||||
f(client, rsa_diffie_hellman_group14_sha1, kexcmd("diffie-hellman-group14-sha1"), setup_rsa, teardown) \
|
||||
f(client, rsa_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_rsa, teardown) \
|
||||
f(client, ecdsa_256_curve25519_sha256, kexcmd("curve25519-sha256"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_ecdh_sha2_nistp256, kexcmd("ecdh-sha2-nistp256"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_ecdh_sha2_nistp384, kexcmd("ecdh-sha2-nistp384"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_ecdh_sha2_nistp521, kexcmd("ecdh-sha2-nistp521"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_diffie_hellman_group14_sha1, kexcmd("diffie-hellman-group14-sha1"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_curve25519_sha256, kexcmd("curve25519-sha256"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_ecdh_sha2_nistp256, kexcmd("ecdh-sha2-nistp256"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_ecdh_sha2_nistp384, kexcmd("ecdh-sha2-nistp384"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_ecdh_sha2_nistp521, kexcmd("ecdh-sha2-nistp521"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_diffie_hellman_group14_sha1, kexcmd("diffie-hellman-group14-sha1"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_curve25519_sha256, kexcmd("curve25519-sha256"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_ecdh_sha2_nistp256, kexcmd("ecdh-sha2-nistp256"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_ecdh_sha2_nistp384, kexcmd("ecdh-sha2-nistp384"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_ecdh_sha2_nistp521, kexcmd("ecdh-sha2-nistp521"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_521, teardown) \
|
||||
f(client, rsa_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256), setup_rsa, teardown) \
|
||||
f(client, ecdsa_256_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256), setup_ecdsa_521, teardown)
|
||||
#elif /* !defined(WITH_GEX) */
|
||||
#define PKDTESTS_KEX_FIPS(f, client, kexcmd) \
|
||||
f(client, rsa_ecdh_sha2_nistp256, kexcmd("ecdh-sha2-nistp256"), setup_rsa, teardown) \
|
||||
f(client, rsa_ecdh_sha2_nistp384, kexcmd("ecdh-sha2-nistp384"), setup_rsa, teardown) \
|
||||
f(client, rsa_ecdh_sha2_nistp521, kexcmd("ecdh-sha2-nistp521"), setup_rsa, teardown) \
|
||||
f(client, rsa_diffie_hellman_group16_sha512, kexcmd("diffie-hellman-group16-sha512"), setup_rsa, teardown) \
|
||||
f(client, rsa_diffie_hellman_group18_sha512, kexcmd("diffie-hellman-group18-sha512"), setup_rsa, teardown) \
|
||||
f(client, ecdsa_256_ecdh_sha2_nistp256, kexcmd("ecdh-sha2-nistp256"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_ecdh_sha2_nistp384, kexcmd("ecdh-sha2-nistp384"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_ecdh_sha2_nistp521, kexcmd("ecdh-sha2-nistp521"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_ecdh_sha2_nistp256, kexcmd("ecdh-sha2-nistp256"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_ecdh_sha2_nistp384, kexcmd("ecdh-sha2-nistp384"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_ecdh_sha2_nistp521, kexcmd("ecdh-sha2-nistp521"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_ecdh_sha2_nistp256, kexcmd("ecdh-sha2-nistp256"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_ecdh_sha2_nistp384, kexcmd("ecdh-sha2-nistp384"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_ecdh_sha2_nistp521, kexcmd("ecdh-sha2-nistp521"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_diffie_hellman_group16_sha512,kexcmd("diffie-hellman-group16-sha512"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_diffie_hellman_group18_sha512,kexcmd("diffie-hellman-group18-sha512"), setup_ecdsa_521, teardown)
|
||||
#endif
|
||||
|
||||
#define PKDTESTS_KEX_COMMON(f, client, kexcmd) \
|
||||
PKDTESTS_KEX_FIPS(f, client, kexcmd) \
|
||||
f(client, rsa_curve25519_sha256, kexcmd("curve25519-sha256"), setup_rsa, teardown) \
|
||||
f(client, rsa_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"), setup_rsa, teardown) \
|
||||
f(client, rsa_diffie_hellman_group14_sha1, kexcmd("diffie-hellman-group14-sha1"), setup_rsa, teardown) \
|
||||
f(client, rsa_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_rsa, teardown) \
|
||||
f(client, ecdsa_256_curve25519_sha256, kexcmd("curve25519-sha256"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_diffie_hellman_group14_sha1, kexcmd("diffie-hellman-group14-sha1"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_curve25519_sha256, kexcmd("curve25519-sha256"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_diffie_hellman_group14_sha1, kexcmd("diffie-hellman-group14-sha1"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_curve25519_sha256, kexcmd("curve25519-sha256"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_diffie_hellman_group14_sha1, kexcmd("diffie-hellman-group14-sha1"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_ecdsa_521, teardown)
|
||||
|
||||
#if defined(HAVE_DSA) && defined(WITH_GEX)
|
||||
/* GEX_SHA256 with RSA and ECDSA is included in PKDTESTS_KEX_FIPS if available */
|
||||
#define PKDTESTS_KEX(f, client, kexcmd) \
|
||||
/* Kex algorithms. */ \
|
||||
PKDTESTS_KEX_COMMON(f, client, kexcmd) \
|
||||
f(client, rsa_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256), setup_rsa, teardown) \
|
||||
f(client, rsa_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_rsa, teardown) \
|
||||
f(client, dsa_curve25519_sha256, kexcmd("curve25519-sha256"), setup_dsa, teardown) \
|
||||
f(client, dsa_curve25519_sha256_libssh_org, kexcmd("curve25519-sha256@libssh.org"), setup_dsa, teardown) \
|
||||
@ -289,11 +321,8 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
|
||||
f(client, dsa_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_dsa, teardown) \
|
||||
f(client, dsa_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256), setup_dsa, teardown) \
|
||||
f(client, dsa_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_dsa, teardown) \
|
||||
f(client, ecdsa_256_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_ecdsa_521, teardown)
|
||||
|
||||
#elif defined(HAVE_DSA) /* && !defined(WITH_GEX) */
|
||||
@ -308,28 +337,23 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
|
||||
f(client, dsa_diffie_hellman_group16_sha512, kexcmd("diffie-hellman-group16-sha512"), setup_dsa, teardown) \
|
||||
f(client, dsa_diffie_hellman_group18_sha512, kexcmd("diffie-hellman-group18-sha512"), setup_dsa, teardown) \
|
||||
f(client, dsa_diffie_hellman_group14_sha1, kexcmd("diffie-hellman-group14-sha1"), setup_dsa, teardown) \
|
||||
f(client, dsa_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_dsa, teardown) \
|
||||
f(client, dsa_diffie_hellman_group1_sha1, kexcmd("diffie-hellman-group1-sha1"), setup_dsa, teardown)
|
||||
|
||||
#elif defined(WITH_GEX) /* && !defined(HAVE_DSA) */
|
||||
/* GEX_SHA256 is included in PKDTESTS_KEX_FIPS if available */
|
||||
#define PKDTESTS_KEX(f, client, kexcmd) \
|
||||
/* Kex algorithms. */ \
|
||||
PKDTESTS_KEX_COMMON(f, client, kexcmd) \
|
||||
f(client, rsa_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256), setup_rsa, teardown) \
|
||||
f(client, rsa_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_rsa, teardown) \
|
||||
f(client, ecdsa_256_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_diffie_hellman_group_exchange_sha256, kexcmd(GEX_SHA256), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_ecdsa_521, teardown)
|
||||
|
||||
#else
|
||||
#define PKDTESTS_KEX(f, client, kexcmd) \
|
||||
/* Kex algorithms. */ \
|
||||
PKDTESTS_KEX_COMMON(f, client, kexcmd)
|
||||
#endif
|
||||
|
||||
|
||||
#ifdef HAVE_DSA
|
||||
#define PKDTESTS_KEX_OPENSSHONLY(f, client, kexcmd) \
|
||||
/* Kex algorithms. */ \
|
||||
@ -359,71 +383,69 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
|
||||
f(client, ed25519_diffie_hellman_group_exchange_sha1, kexcmd(GEX_SHA1), setup_ed25519, teardown)
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_DSA
|
||||
#define PKDTESTS_CIPHER(f, client, ciphercmd) \
|
||||
/* Ciphers. */ \
|
||||
f(client, rsa_3des_cbc, ciphercmd("3des-cbc"), setup_rsa, teardown) \
|
||||
|
||||
#define PKDTESTS_CIPHER_FIPS(f, client, ciphercmd) \
|
||||
f(client, rsa_aes128_cbc, ciphercmd("aes128-cbc"), setup_rsa, teardown) \
|
||||
f(client, rsa_aes128_ctr, ciphercmd("aes128-ctr"), setup_rsa, teardown) \
|
||||
f(client, rsa_aes256_cbc, ciphercmd("aes256-cbc"), setup_rsa, teardown) \
|
||||
f(client, rsa_aes256_ctr, ciphercmd("aes256-ctr"), setup_rsa, teardown) \
|
||||
f(client, ecdsa_256_aes128_cbc, ciphercmd("aes128-cbc"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_aes128_ctr, ciphercmd("aes128-ctr"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_aes256_cbc, ciphercmd("aes256-cbc"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_aes256_ctr, ciphercmd("aes256-ctr"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_aes128_cbc, ciphercmd("aes128-cbc"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_aes128_ctr, ciphercmd("aes128-ctr"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_aes256_cbc, ciphercmd("aes256-cbc"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_aes256_ctr, ciphercmd("aes256-ctr"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_aes128_cbc, ciphercmd("aes128-cbc"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_aes128_ctr, ciphercmd("aes128-ctr"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_aes256_cbc, ciphercmd("aes256-cbc"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_aes256_ctr, ciphercmd("aes256-ctr"), setup_ecdsa_521, teardown)
|
||||
|
||||
#ifdef HAVE_DSA
|
||||
#define PKDTESTS_CIPHER(f, client, ciphercmd) \
|
||||
/* Ciphers. */ \
|
||||
PKDTESTS_CIPHER_FIPS(f, client, ciphercmd) \
|
||||
f(client, rsa_3des_cbc, ciphercmd("3des-cbc"), setup_rsa, teardown) \
|
||||
f(client, dsa_3des_cbc, ciphercmd("3des-cbc"), setup_dsa, teardown) \
|
||||
f(client, dsa_aes128_cbc, ciphercmd("aes128-cbc"), setup_dsa, teardown) \
|
||||
f(client, dsa_aes128_ctr, ciphercmd("aes128-ctr"), setup_dsa, teardown) \
|
||||
f(client, dsa_aes256_cbc, ciphercmd("aes256-cbc"), setup_dsa, teardown) \
|
||||
f(client, dsa_aes256_ctr, ciphercmd("aes256-ctr"), setup_dsa, teardown) \
|
||||
f(client, ecdsa_256_3des_cbc, ciphercmd("3des-cbc"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_aes128_cbc, ciphercmd("aes128-cbc"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_aes128_ctr, ciphercmd("aes128-ctr"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_aes256_cbc, ciphercmd("aes256-cbc"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_aes256_ctr, ciphercmd("aes256-ctr"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_3des_cbc, ciphercmd("3des-cbc"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_aes128_cbc, ciphercmd("aes128-cbc"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_aes128_ctr, ciphercmd("aes128-ctr"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_aes256_cbc, ciphercmd("aes256-cbc"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_aes256_ctr, ciphercmd("aes256-ctr"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_3des_cbc, ciphercmd("3des-cbc"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_aes128_cbc, ciphercmd("aes128-cbc"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_aes128_ctr, ciphercmd("aes128-ctr"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_aes256_cbc, ciphercmd("aes256-cbc"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_aes256_ctr, ciphercmd("aes256-ctr"), setup_ecdsa_521, teardown)
|
||||
f(client, ecdsa_521_3des_cbc, ciphercmd("3des-cbc"), setup_ecdsa_521, teardown)
|
||||
#else
|
||||
#define PKDTESTS_CIPHER(f, client, ciphercmd) \
|
||||
/* Ciphers. */ \
|
||||
PKDTESTS_CIPHER_FIPS(f, client, ciphercmd) \
|
||||
f(client, rsa_3des_cbc, ciphercmd("3des-cbc"), setup_rsa, teardown) \
|
||||
f(client, rsa_aes128_cbc, ciphercmd("aes128-cbc"), setup_rsa, teardown) \
|
||||
f(client, rsa_aes128_ctr, ciphercmd("aes128-ctr"), setup_rsa, teardown) \
|
||||
f(client, rsa_aes256_cbc, ciphercmd("aes256-cbc"), setup_rsa, teardown) \
|
||||
f(client, rsa_aes256_ctr, ciphercmd("aes256-ctr"), setup_rsa, teardown) \
|
||||
f(client, ecdsa_256_3des_cbc, ciphercmd("3des-cbc"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_aes128_cbc, ciphercmd("aes128-cbc"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_aes128_ctr, ciphercmd("aes128-ctr"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_aes256_cbc, ciphercmd("aes256-cbc"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_aes256_ctr, ciphercmd("aes256-ctr"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_3des_cbc, ciphercmd("3des-cbc"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_aes128_cbc, ciphercmd("aes128-cbc"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_aes128_ctr, ciphercmd("aes128-ctr"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_aes256_cbc, ciphercmd("aes256-cbc"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_aes256_ctr, ciphercmd("aes256-ctr"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_3des_cbc, ciphercmd("3des-cbc"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_aes128_cbc, ciphercmd("aes128-cbc"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_aes128_ctr, ciphercmd("aes128-ctr"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_aes256_cbc, ciphercmd("aes256-cbc"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_aes256_ctr, ciphercmd("aes256-ctr"), setup_ecdsa_521, teardown)
|
||||
f(client, ecdsa_521_3des_cbc, ciphercmd("3des-cbc"), setup_ecdsa_521, teardown)
|
||||
#endif
|
||||
|
||||
#define CHACHA20 "chacha20-poly1305@openssh.com"
|
||||
#define AES128_GCM "aes128-gcm@openssh.com"
|
||||
#define AES256_GCM "aes256-gcm@openssh.com"
|
||||
|
||||
#define PKDTESTS_CIPHER_OPENSSHONLY_FIPS(f, client, ciphercmd) \
|
||||
f(client, rsa_aes128_gcm, ciphercmd(AES128_GCM), setup_rsa, teardown) \
|
||||
f(client, rsa_aes256_gcm, ciphercmd(AES256_GCM), setup_rsa, teardown) \
|
||||
f(client, ecdsa_256_aes128_gcm, ciphercmd(AES128_GCM), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_aes256_gcm, ciphercmd(AES256_GCM), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_aes128_gcm, ciphercmd(AES128_GCM), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_aes256_gcm, ciphercmd(AES256_GCM), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_aes128_gcm, ciphercmd(AES128_GCM), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_aes256_gcm, ciphercmd(AES256_GCM), setup_ecdsa_521, teardown)
|
||||
|
||||
#ifdef HAVE_DSA
|
||||
#define PKDTESTS_CIPHER_OPENSSHONLY(f, client, ciphercmd) \
|
||||
/* Ciphers. */ \
|
||||
PKDTESTS_CIPHER_OPENSSHONLY_FIPS(f, client, ciphercmd) \
|
||||
f(client, rsa_aes192_cbc, ciphercmd("aes192-cbc"), setup_rsa, teardown) \
|
||||
f(client, rsa_aes192_ctr, ciphercmd("aes192-ctr"), setup_rsa, teardown) \
|
||||
f(client, rsa_chacha20, ciphercmd(CHACHA20), setup_rsa, teardown) \
|
||||
f(client, rsa_aes128_gcm, ciphercmd(AES128_GCM), setup_rsa, teardown) \
|
||||
f(client, rsa_aes256_gcm, ciphercmd(AES256_GCM), setup_rsa, teardown) \
|
||||
f(client, dsa_aes192_cbc, ciphercmd("aes192-cbc"), setup_dsa, teardown) \
|
||||
f(client, dsa_aes192_ctr, ciphercmd("aes192-ctr"), setup_dsa, teardown) \
|
||||
f(client, dsa_chacha20, ciphercmd(CHACHA20), setup_dsa, teardown) \
|
||||
@ -442,26 +464,19 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
|
||||
f(client, ecdsa_256_aes192_cbc, ciphercmd("aes192-cbc"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_aes192_ctr, ciphercmd("aes192-ctr"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_chacha20, ciphercmd(CHACHA20), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_aes128_gcm, ciphercmd(AES128_GCM), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_aes256_gcm, ciphercmd(AES256_GCM), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_aes192_cbc, ciphercmd("aes192-cbc"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_aes192_ctr, ciphercmd("aes192-ctr"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_chacha20, ciphercmd(CHACHA20), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_aes128_gcm, ciphercmd(AES128_GCM), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_aes256_gcm, ciphercmd(AES256_GCM), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_aes192_cbc, ciphercmd("aes192-cbc"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_aes192_ctr, ciphercmd("aes192-ctr"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_chacha20, ciphercmd(CHACHA20), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_aes128_gcm, ciphercmd(AES128_GCM), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_aes256_gcm, ciphercmd(AES256_GCM), setup_ecdsa_521, teardown)
|
||||
f(client, ecdsa_521_chacha20, ciphercmd(CHACHA20), setup_ecdsa_521, teardown)
|
||||
#else
|
||||
#define PKDTESTS_CIPHER_OPENSSHONLY(f, client, ciphercmd) \
|
||||
/* Ciphers. */ \
|
||||
PKDTESTS_CIPHER_OPENSSHONLY_FIPS(f, client, ciphercmd) \
|
||||
f(client, rsa_aes192_cbc, ciphercmd("aes192-cbc"), setup_rsa, teardown) \
|
||||
f(client, rsa_aes192_ctr, ciphercmd("aes192-ctr"), setup_rsa, teardown) \
|
||||
f(client, rsa_chacha20, ciphercmd(CHACHA20), setup_rsa, teardown) \
|
||||
f(client, rsa_aes128_gcm, ciphercmd(AES128_GCM), setup_rsa, teardown) \
|
||||
f(client, rsa_aes256_gcm, ciphercmd(AES256_GCM), setup_rsa, teardown) \
|
||||
f(client, ed25519_3des_cbc, ciphercmd("3des-cbc"), setup_ed25519, teardown) \
|
||||
f(client, ed25519_aes128_cbc, ciphercmd("aes128-cbc"), setup_ed25519, teardown) \
|
||||
f(client, ed25519_aes128_ctr, ciphercmd("aes128-ctr"), setup_ed25519, teardown) \
|
||||
@ -470,108 +485,88 @@ static int torture_pkd_setup_ecdsa_521(void **state) {
|
||||
f(client, ed25519_aes192_cbc, ciphercmd("aes192-cbc"), setup_ed25519, teardown) \
|
||||
f(client, ed25519_aes192_ctr, ciphercmd("aes192-ctr"), setup_ed25519, teardown) \
|
||||
f(client, ed25519_chacha20, ciphercmd(CHACHA20), setup_ed25519, teardown) \
|
||||
f(client, ed25519_aes128_gcm, ciphercmd(AES128_GCM), setup_ed25519, teardown) \
|
||||
f(client, ed25519_aes256_gcm, ciphercmd(AES256_GCM), setup_ed25519, teardown) \
|
||||
f(client, ecdsa_256_aes192_cbc, ciphercmd("aes192-cbc"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_aes192_ctr, ciphercmd("aes192-ctr"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_chacha20, ciphercmd(CHACHA20), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_aes128_gcm, ciphercmd(AES128_GCM), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_aes256_gcm, ciphercmd(AES256_GCM), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_aes192_cbc, ciphercmd("aes192-cbc"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_aes192_ctr, ciphercmd("aes192-ctr"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_chacha20, ciphercmd(CHACHA20), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_aes128_gcm, ciphercmd(AES128_GCM), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_aes256_gcm, ciphercmd(AES256_GCM), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_aes192_cbc, ciphercmd("aes192-cbc"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_aes192_ctr, ciphercmd("aes192-ctr"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_chacha20, ciphercmd(CHACHA20), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_aes128_gcm, ciphercmd(AES128_GCM), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_aes256_gcm, ciphercmd(AES256_GCM), setup_ecdsa_521, teardown)
|
||||
f(client, ecdsa_521_chacha20, ciphercmd(CHACHA20), setup_ecdsa_521, teardown)
|
||||
#endif
|
||||
|
||||
|
||||
#define PKDTESTS_MAC_FIPS(f, client, maccmd) \
|
||||
f(client, ecdsa_256_hmac_sha1, maccmd("hmac-sha1"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_hmac_sha1, maccmd("hmac-sha1"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_hmac_sha1, maccmd("hmac-sha1"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_ecdsa_521, teardown) \
|
||||
f(client, rsa_hmac_sha1, maccmd("hmac-sha1"), setup_rsa, teardown) \
|
||||
f(client, rsa_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_rsa, teardown)
|
||||
|
||||
#define PKDTESTS_MAC_OPENSSHONLY_FIPS(f, client, maccmd) \
|
||||
f(client, ecdsa_256_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_ecdsa_521, teardown) \
|
||||
f(client, rsa_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_rsa, teardown) \
|
||||
f(client, rsa_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_rsa, teardown) \
|
||||
f(client, rsa_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_rsa, teardown) \
|
||||
f(client, rsa_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_rsa, teardown)
|
||||
|
||||
#ifdef HAVE_DSA
|
||||
#define PKDTESTS_MAC(f, client, maccmd) \
|
||||
/* MACs. */ \
|
||||
PKDTESTS_MAC_FIPS(f, client, maccmd) \
|
||||
f(client, dsa_hmac_sha1, maccmd("hmac-sha1"), setup_dsa, teardown) \
|
||||
f(client, dsa_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_dsa, teardown) \
|
||||
f(client, ecdsa_256_hmac_sha1, maccmd("hmac-sha1"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_hmac_sha1, maccmd("hmac-sha1"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_hmac_sha1, maccmd("hmac-sha1"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_ecdsa_521, teardown) \
|
||||
f(client, rsa_hmac_sha1, maccmd("hmac-sha1"), setup_rsa, teardown) \
|
||||
f(client, rsa_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_rsa, teardown)
|
||||
f(client, dsa_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_dsa, teardown)
|
||||
#define PKDTESTS_MAC_OPENSSHONLY(f, client, maccmd) \
|
||||
PKDTESTS_MAC_OPENSSHONLY_FIPS(f, client, maccmd) \
|
||||
f(client, dsa_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_dsa, teardown) \
|
||||
f(client, dsa_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_dsa, teardown) \
|
||||
f(client, dsa_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_dsa, teardown) \
|
||||
f(client, dsa_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_dsa, teardown) \
|
||||
f(client, ecdsa_256_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_ecdsa_521, teardown) \
|
||||
f(client, ed25519_hmac_sha1, maccmd("hmac-sha1"), setup_ed25519, teardown) \
|
||||
f(client, ed25519_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_ed25519, teardown) \
|
||||
f(client, ed25519_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_ed25519, teardown) \
|
||||
f(client, ed25519_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_ed25519, teardown) \
|
||||
f(client, ed25519_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ed25519, teardown) \
|
||||
f(client, ed25519_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_ed25519, teardown) \
|
||||
f(client, rsa_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_rsa, teardown) \
|
||||
f(client, rsa_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_rsa, teardown) \
|
||||
f(client, rsa_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_rsa, teardown) \
|
||||
f(client, rsa_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_rsa, teardown)
|
||||
f(client, ed25519_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_ed25519, teardown)
|
||||
#else
|
||||
#define PKDTESTS_MAC(f, client, maccmd) \
|
||||
/* MACs. */ \
|
||||
f(client, ecdsa_256_hmac_sha1, maccmd("hmac-sha1"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_hmac_sha1, maccmd("hmac-sha1"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_hmac_sha1, maccmd("hmac-sha1"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_ecdsa_521, teardown) \
|
||||
f(client, rsa_hmac_sha1, maccmd("hmac-sha1"), setup_rsa, teardown) \
|
||||
f(client, rsa_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_rsa, teardown)
|
||||
PKDTESTS_MAC_FIPS(f, client, maccmd)
|
||||
#define PKDTESTS_MAC_OPENSSHONLY(f, client, maccmd) \
|
||||
f(client, ecdsa_256_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_256_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_ecdsa_256, teardown) \
|
||||
f(client, ecdsa_384_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_384_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_ecdsa_384, teardown) \
|
||||
f(client, ecdsa_521_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ecdsa_521, teardown) \
|
||||
f(client, ecdsa_521_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_ecdsa_521, teardown) \
|
||||
PKDTESTS_MAC_OPENSSHONLY_FIPS(f, client, maccmd) \
|
||||
f(client, ed25519_hmac_sha1, maccmd("hmac-sha1"), setup_ed25519, teardown) \
|
||||
f(client, ed25519_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_ed25519, teardown) \
|
||||
f(client, ed25519_hmac_sha2_256, maccmd("hmac-sha2-256"), setup_ed25519, teardown) \
|
||||
f(client, ed25519_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_ed25519, teardown) \
|
||||
f(client, ed25519_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_ed25519, teardown) \
|
||||
f(client, ed25519_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_ed25519, teardown) \
|
||||
f(client, rsa_hmac_sha1_etm, maccmd("hmac-sha1-etm@openssh.com"), setup_rsa, teardown) \
|
||||
f(client, rsa_hmac_sha2_256_etm, maccmd("hmac-sha2-256-etm@openssh.com"), setup_rsa, teardown) \
|
||||
f(client, rsa_hmac_sha2_512, maccmd("hmac-sha2-512"), setup_rsa, teardown) \
|
||||
f(client, rsa_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_rsa, teardown)
|
||||
f(client, ed25519_hmac_sha2_512_etm, maccmd("hmac-sha2-512-etm@openssh.com"), setup_ed25519, teardown)
|
||||
#endif
|
||||
|
||||
#define PKDTESTS_HOSTKEY_OPENSSHONLY(f, client, hkcmd) \
|
||||
|
||||
#define PKDTESTS_HOSTKEY_OPENSSHONLY_FIPS(f, client, hkcmd) \
|
||||
f(client, rsa_sha2_256, hkcmd("rsa-sha2-256"), setup_rsa, teardown) \
|
||||
f(client, rsa_sha2_512, hkcmd("rsa-sha2-512"), setup_rsa, teardown) \
|
||||
f(client, rsa_sha2_256_512, hkcmd("rsa-sha2-256,rsa-sha2-512"), setup_rsa, teardown) \
|
||||
f(client, rsa_sha2_512_256, hkcmd("rsa-sha2-512,rsa-sha2-256"), setup_rsa, teardown)
|
||||
|
||||
#define PKDTESTS_HOSTKEY_OPENSSHONLY(f, client, hkcmd) \
|
||||
PKDTESTS_HOSTKEY_OPENSSHONLY_FIPS(f, client, hkcmd)
|
||||
|
||||
static void torture_pkd_client_noop(void **state) {
|
||||
struct pkd_state *pstate = (struct pkd_state *) (*state);
|
||||
(void) pstate;
|
||||
@ -810,6 +805,24 @@ static int pkd_run_tests(void) {
|
||||
PKDTESTS_MAC(emit_unit_test_comma, dropbear, DROPBEAR_MAC_CMD)
|
||||
};
|
||||
|
||||
const struct CMUnitTest openssh_fips_tests[] = {
|
||||
PKDTESTS_DEFAULT_FIPS(emit_unit_test_comma, openssh_rsa, OPENSSH_CMD)
|
||||
PKDTESTS_DEFAULT_FIPS(emit_unit_test_comma, openssh_cert_rsa, OPENSSH_CERT_CMD)
|
||||
PKDTESTS_KEX_FIPS(emit_unit_test_comma, openssh_rsa, OPENSSH_KEX_CMD)
|
||||
PKDTESTS_CIPHER_FIPS(emit_unit_test_comma, openssh_rsa, OPENSSH_CIPHER_CMD)
|
||||
PKDTESTS_CIPHER_OPENSSHONLY_FIPS(emit_unit_test_comma, openssh_rsa, OPENSSH_CIPHER_CMD)
|
||||
PKDTESTS_MAC_FIPS(emit_unit_test_comma, openssh_rsa, OPENSSH_MAC_CMD)
|
||||
PKDTESTS_MAC_OPENSSHONLY_FIPS(emit_unit_test_comma, openssh_rsa, OPENSSH_MAC_CMD)
|
||||
|
||||
PKDTESTS_DEFAULT_FIPS(emit_unit_test_comma, openssh_e256, OPENSSH_CMD)
|
||||
PKDTESTS_DEFAULT_FIPS(emit_unit_test_comma, openssh_cert_e256, OPENSSH_CERT_CMD)
|
||||
PKDTESTS_KEX_FIPS(emit_unit_test_comma, openssh_e256, OPENSSH_KEX_CMD)
|
||||
PKDTESTS_CIPHER_FIPS(emit_unit_test_comma, openssh_e256, OPENSSH_CIPHER_CMD)
|
||||
PKDTESTS_CIPHER_OPENSSHONLY_FIPS(emit_unit_test_comma, openssh_e256, OPENSSH_CIPHER_CMD)
|
||||
PKDTESTS_MAC_FIPS(emit_unit_test_comma, openssh_e256, OPENSSH_MAC_CMD)
|
||||
PKDTESTS_MAC_OPENSSHONLY_FIPS(emit_unit_test_comma, openssh_e256, OPENSSH_MAC_CMD)
|
||||
};
|
||||
|
||||
const struct CMUnitTest noop_tests[] = {
|
||||
emit_unit_test(client, noop, "", setup_noop, teardown)
|
||||
};
|
||||
@ -823,15 +836,22 @@ static int pkd_run_tests(void) {
|
||||
/* Generate client keys and populate test list for each enabled client. */
|
||||
if (is_openssh_client_enabled()) {
|
||||
setup_openssh_client_keys();
|
||||
if (ssh_fips_mode()) {
|
||||
memcpy(&all_tests[tindex], &openssh_fips_tests[0], sizeof(openssh_fips_tests));
|
||||
tindex += (sizeof(openssh_fips_tests) / sizeof(openssh_fips_tests[0]));
|
||||
} else {
|
||||
memcpy(&all_tests[tindex], &openssh_tests[0], sizeof(openssh_tests));
|
||||
tindex += (sizeof(openssh_tests) / sizeof(openssh_tests[0]));
|
||||
}
|
||||
}
|
||||
|
||||
if (is_dropbear_client_enabled()) {
|
||||
setup_dropbear_client_rsa_key();
|
||||
if (!ssh_fips_mode()) {
|
||||
memcpy(&all_tests[tindex], &dropbear_tests[0], sizeof(dropbear_tests));
|
||||
tindex += (sizeof(dropbear_tests) / sizeof(dropbear_tests[0]));
|
||||
}
|
||||
}
|
||||
|
||||
memcpy(&all_tests[tindex], &noop_tests[0], sizeof(noop_tests));
|
||||
tindex += (sizeof(noop_tests) / sizeof(noop_tests[0]));
|
||||
@ -887,11 +907,13 @@ static int pkd_run_tests(void) {
|
||||
|
||||
/* Clean up any server keys that were generated. */
|
||||
cleanup_rsa_key();
|
||||
cleanup_ecdsa_keys();
|
||||
if (!ssh_fips_mode()) {
|
||||
cleanup_ed25519_key();
|
||||
#ifdef HAVE_DSA
|
||||
cleanup_dsa_key();
|
||||
#endif
|
||||
cleanup_ecdsa_keys();
|
||||
}
|
||||
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -4,6 +4,8 @@
|
||||
* (c) 2014 Jon Simons
|
||||
*/
|
||||
|
||||
#include "config.h"
|
||||
|
||||
#include <setjmp.h> // for cmocka
|
||||
#include <stdarg.h> // for cmocka
|
||||
#include <unistd.h> // for cmocka
|
||||
@ -14,6 +16,8 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "torture.h" // for ssh_fips_mode()
|
||||
|
||||
#include "pkd_client.h"
|
||||
#include "pkd_keyutil.h"
|
||||
#include "pkd_util.h"
|
||||
@ -96,20 +100,6 @@ void setup_openssh_client_keys() {
|
||||
}
|
||||
assert_int_equal(rc, 0);
|
||||
|
||||
#ifdef HAVE_DSA
|
||||
if (access(OPENSSH_DSA_TESTKEY, F_OK) != 0) {
|
||||
rc = system_checked(OPENSSH_KEYGEN " -t dsa -q -N \"\" -f "
|
||||
OPENSSH_DSA_TESTKEY);
|
||||
}
|
||||
assert_int_equal(rc, 0);
|
||||
|
||||
if (access(OPENSSH_DSA_TESTKEY "-cert.pub", F_OK) != 0) {
|
||||
rc = system_checked(OPENSSH_KEYGEN " -I ident -s " OPENSSH_CA_TESTKEY
|
||||
" " OPENSSH_DSA_TESTKEY ".pub 2>/dev/null");
|
||||
}
|
||||
assert_int_equal(rc, 0);
|
||||
#endif
|
||||
|
||||
if (access(OPENSSH_RSA_TESTKEY, F_OK) != 0) {
|
||||
rc = system_checked(OPENSSH_KEYGEN " -t rsa -q -N \"\" -f "
|
||||
OPENSSH_RSA_TESTKEY);
|
||||
@ -158,6 +148,21 @@ void setup_openssh_client_keys() {
|
||||
}
|
||||
assert_int_equal(rc, 0);
|
||||
|
||||
if (!ssh_fips_mode()) {
|
||||
#ifdef HAVE_DSA
|
||||
if (access(OPENSSH_DSA_TESTKEY, F_OK) != 0) {
|
||||
rc = system_checked(OPENSSH_KEYGEN " -t dsa -q -N \"\" -f "
|
||||
OPENSSH_DSA_TESTKEY);
|
||||
}
|
||||
assert_int_equal(rc, 0);
|
||||
|
||||
if (access(OPENSSH_DSA_TESTKEY "-cert.pub", F_OK) != 0) {
|
||||
rc = system_checked(OPENSSH_KEYGEN " -I ident -s " OPENSSH_CA_TESTKEY
|
||||
" " OPENSSH_DSA_TESTKEY ".pub 2>/dev/null");
|
||||
}
|
||||
assert_int_equal(rc, 0);
|
||||
#endif
|
||||
|
||||
if (access(OPENSSH_ED25519_TESTKEY, F_OK) != 0) {
|
||||
rc = system_checked(OPENSSH_KEYGEN " -t ed25519 -q -N \"\" -f "
|
||||
OPENSSH_ED25519_TESTKEY);
|
||||
@ -170,17 +175,20 @@ void setup_openssh_client_keys() {
|
||||
}
|
||||
assert_int_equal(rc, 0);
|
||||
}
|
||||
}
|
||||
|
||||
void cleanup_openssh_client_keys() {
|
||||
cleanup_key(OPENSSH_CA_TESTKEY);
|
||||
#ifdef HAVE_DSA
|
||||
cleanup_key(OPENSSH_DSA_TESTKEY);
|
||||
#endif
|
||||
cleanup_key(OPENSSH_RSA_TESTKEY);
|
||||
cleanup_key(OPENSSH_ECDSA256_TESTKEY);
|
||||
cleanup_key(OPENSSH_ECDSA384_TESTKEY);
|
||||
cleanup_key(OPENSSH_ECDSA521_TESTKEY);
|
||||
if (!ssh_fips_mode()) {
|
||||
cleanup_key(OPENSSH_ED25519_TESTKEY);
|
||||
#ifdef HAVE_DSA
|
||||
cleanup_key(OPENSSH_DSA_TESTKEY);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
void setup_dropbear_client_rsa_key() {
|
||||
|
||||
Загрузка…
Ссылка в новой задаче
Block a user