The OpenSSH in RHEL 8 in FIPS Mode outputs information about this on start
and it needs to be skipped for the version detection (and build) to pass:
$ ssh -V
FIPS mode initialized
OpenSSH_8.0p1, OpenSSL 1.1.1c FIPS 28 May 2019
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Tests were failing to build on macOS with OpenSS installed using homebrew.
Signed-off-by: Ben Toews <mastahyeti@gmail.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
The server can be configured through command line options or by
providing a state structure with the desired values set.
Currently supports only password based authentication.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
This was failing when I tried to run the testsuite without
gcrypt devel libraries installed.
Signed-off-by: Jakub Jelen <jakuje@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
The previous timeout of 500 ms was not enough on slower machines or
while running the tests under valgrind. On much faster machines the
sleep() was bringing unnecessary overhead.
This method opens simple connection to the server verifying it is ready
to accept the connection from the test for 5 seconds. It the server
does not start until then, it fails the tests during initialization,
rather than leaving the cases to run against missing server.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This makes unnecessary to call ssh_init() when the library is
dynamically loaded. Also removes the threads shared library. The used
threads implementation is chosen in configuration time, changing the
ssh_threads_get_default() depending on the available threads library.
Internally, it is expected a threads implementation providing:
- void ssh_mutex_lock(void **mutex);
- void ssh_mutex_unlock(void **mutex);
- struct ssh_threads_callbacks_struct *ssh_threads_get_default(void);
and a crypto implementation providing:
- int crypto_thread_init(struct ssh_threads_callbacks_struct *user_callbacks);
- void crypto_thread_finalize(void);
This adds internal threads implementation for pthreads and noop.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
- enabled TrustedUserCAKeys option in torture.c
- adds a new set of (signed) keys for bob in a separate dir
The private key used to generate the certs is included, but not required.
Signed-off-by: Axel Eppe <aeppe@google.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
ssh-agent needs to be executed as the local user and not a fake user or
we will not be able to add identies.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Fix a build breakage when '-DWITH_SERVER=OFF' is set: skip building the
pkd test for that case. Add some missing includes for the OpenIndiana
and FreeBSD builds.
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Introduce a sample public-key testing daemon to the 'pkd' test directory,
and add support code for cycling through various combinations of different
key exchange, cipher, and MAC algorithms.
The goal of the 'pkd_hello' test is to make it easy to test interactions
between non-libssh clients and a libssh-server, and to provide a starting
point for testing new implementations for key types, ciphers, MACs, and
so on. The thinking is that testing a new algorithm should be as simple
as adding a new line for it in the PKDTESTS_* lists.
Macros are used to generate the tests and helper functions for a couple of
clients -- here, OpenSSH and dropbear are included for the first cut. If
binaries are found for these clients, their test lists will be enabled;
when binaries are not found for a given client, those tests are skipped.
Tests are run in one large batch by default, but can also be run individually
to help with tracking down things like signature bugs that may take many
iterations to reproduce.
Each test logs its stdout and stderr to its own file, which is cleaned up
when a test succeeds. For failures, those logs can be combined with verbose
libssh output from pkd itself to start debugging things.
Some example usages:
pkd_hello
Run all tests with default number of iterations.
pkd_hello --list
List available individual test names.
pkd_hello -i 1000 -t torture_pkd_openssh_ecdsa_256_ecdh_sha2_nistp256
Run only the torture_pkd_openssh_ecdsa_256_ecdh_sha2_nistp256
testcase 1000 times.
pkd_hello -v -v -v -v -e -o
Run all tests with maximum libssh and pkd logging.
Included in the tests are passes for all existing kex, cipher, and MAC
algorithms.
BUG: https://red.libssh.org/issues/144
Signed-off-by: Jon Simons <jon@jonsimons.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
