authorHans Nilsson <hans@erlang.org>2019-11-19 12:38:39 +0100
committerHans Nilsson <hans@erlang.org>2019-11-19 12:38:39 +0100
commit73a799c2794c2313304badc354b473a607ccfa36 (patch)
tree3b34e75ab801158d5f383de3526a272583d4143d
parent55f365f6db99077e8eec3d6faa40c6eb2d0bbde0 (diff)
parent64269aa48b9425eb038da3ac3970bd040ed4053f (diff)
downloaderlang-73a799c2794c2313304badc354b473a607ccfa36.tar.gz
Merge branch 'hans/ssh/cuddle_tests' into maint
* hans/ssh/cuddle_tests: ssh/test: Handle FIPS disabled algorithms correctly for pass phrases ssh/test: Skip old ssh finger print check (=md5) if FIPS mode ssh/test: Start crypto in init_suite in ssh_property_test_SUITE ssh/test: Extend crypto start to enable FIPS if possible ssh/test: Don't propagate Config between test suites ssh/test: Fix misspeling
-rw-r--r--lib/ssh/test/ssh_basic_SUITE.erl20
-rw-r--r--lib/ssh/test/ssh_compat_SUITE.erl4
-rw-r--r--lib/ssh/test/ssh_connection_SUITE.erl4
-rw-r--r--lib/ssh/test/ssh_options_SUITE.erl5
-rw-r--r--lib/ssh/test/ssh_property_test_SUITE.erl10
-rw-r--r--lib/ssh/test/ssh_test_lib.erl94
-rw-r--r--lib/ssh/test/ssh_test_lib.hrl14
7 files changed, 111 insertions, 40 deletions
diff --git a/lib/ssh/test/ssh_basic_SUITE.erl b/lib/ssh/test/ssh_basic_SUITE.erl
index af4a3584bf..30d03f842f 100644
--- a/lib/ssh/test/ssh_basic_SUITE.erl
+++ b/lib/ssh/test/ssh_basic_SUITE.erl
@@ -255,23 +255,27 @@ init_per_group(ed448_key, Config) ->
{skip, unsupported_pub_key}
end;
init_per_group(rsa_pass_key, Config) ->
+ DataDir = proplists:get_value(data_dir, Config),
+ PrivDir = proplists:get_value(priv_dir, Config),
case lists:member('ssh-rsa',
- ssh_transport:default_algorithms(public_key)) of
+ ssh_transport:default_algorithms(public_key))
+ andalso
+ ssh_test_lib:setup_rsa_pass_phrase(DataDir, PrivDir, "Password")
+ of
true ->
- DataDir = proplists:get_value(data_dir, Config),
- PrivDir = proplists:get_value(priv_dir, Config),
- ssh_test_lib:setup_rsa_pass_pharse(DataDir, PrivDir, "Password"),
[{pass_phrase, {rsa_pass_phrase, "Password"}}| Config];
false ->
{skip, unsupported_pub_key}
end;
init_per_group(dsa_pass_key, Config) ->
+ DataDir = proplists:get_value(data_dir, Config),
+ PrivDir = proplists:get_value(priv_dir, Config),
case lists:member('ssh-dss',
- ssh_transport:default_algorithms(public_key)) of
+ ssh_transport:default_algorithms(public_key))
+ andalso
+ ssh_test_lib:setup_dsa_pass_phrase(DataDir, PrivDir, "Password")
+ of
true ->
- DataDir = proplists:get_value(data_dir, Config),
- PrivDir = proplists:get_value(priv_dir, Config),
- ssh_test_lib:setup_dsa_pass_pharse(DataDir, PrivDir, "Password"),
[{pass_phrase, {dsa_pass_phrase, "Password"}}| Config];
false ->
{skip, unsupported_pub_key}
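Review bot: Folding `ssh_test_lib:setup_rsa_pass_phrase/3` into the `andalso` at L35-L37 makes any `false` from that helper surface as `{skip, unsupported_pub_key}`, but the helper returns `false` on every exception it catches, so an I/O or key-encoding failure in the data dir is now skipped under a reason that says the algorithm is unsupported; the dsa clause at L52-L54 has the same shape. I would keep the algorithm check and the setup step as two separate cases so the skip reason says which one failed. `init_per_group/2` has further clauses above and below this hunk.
```erlang
init_per_group(rsa_pass_key, Config) ->
    DataDir = proplists:get_value(data_dir, Config),
    PrivDir = proplists:get_value(priv_dir, Config),
    case lists:member('ssh-rsa', ssh_transport:default_algorithms(public_key)) of
        true ->
            %% setup_rsa_pass_phrase/3 returns false when the pass-phrase
            %% protected key could not be prepared (presumably an algorithm
            %% disabled in FIPS mode, per the commit message) -- report that
            %% distinctly from an unsupported public-key algorithm.
            case ssh_test_lib:setup_rsa_pass_phrase(DataDir, PrivDir, "Password") of
                true  -> [{pass_phrase, {rsa_pass_phrase, "Password"}} | Config];
                false -> {skip, rsa_pass_phrase_setup_failed}
            end;
        false ->
            {skip, unsupported_pub_key}
    end;
%% ... unchanged: dsa_pass_key clause gets the same two-level shape ...
```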
diff --git a/lib/ssh/test/ssh_compat_SUITE.erl b/lib/ssh/test/ssh_compat_SUITE.erl
index c42140cee7..93593c82b5 100644
--- a/lib/ssh/test/ssh_compat_SUITE.erl
+++ b/lib/ssh/test/ssh_compat_SUITE.erl
@@ -86,13 +86,13 @@ init_per_suite(Config) ->
Config
end).
-end_per_suite(Config) ->
+end_per_suite(_Config) ->
%% Remove all containers that are not running:
%%% os:cmd("docker rm $(docker ps -aq -f status=exited)"),
%% Remove dangling images:
%%% os:cmd("docker rmi $(docker images -f dangling=true -q)"),
catch ssh:stop(),
- Config.
+ ok.
init_per_group(otp_server, Config) ->
diff --git a/lib/ssh/test/ssh_connection_SUITE.erl b/lib/ssh/test/ssh_connection_SUITE.erl
index dfc513fc12..c187a5e4b5 100644
--- a/lib/ssh/test/ssh_connection_SUITE.erl
+++ b/lib/ssh/test/ssh_connection_SUITE.erl
@@ -97,9 +97,9 @@ sock() ->
init_per_suite(Config) ->
?CHECK_CRYPTO(Config).
-end_per_suite(Config) ->
+end_per_suite(_Config) ->
catch ssh:stop(),
- Config.
+ ok.
%%--------------------------------------------------------------------
init_per_group(openssh, Config) ->
diff --git a/lib/ssh/test/ssh_options_SUITE.erl b/lib/ssh/test/ssh_options_SUITE.erl
index bf90f74324..b244c1bbd4 100644
--- a/lib/ssh/test/ssh_options_SUITE.erl
+++ b/lib/ssh/test/ssh_options_SUITE.erl
@@ -805,11 +805,14 @@ do_hostkey_fingerprint_check(Config, HashAlg) ->
case supported_hash(HashAlg) of
true ->
really_do_hostkey_fingerprint_check(Config, HashAlg);
+ false when HashAlg == old ->
+ {skip,{unsupported_hash,md5}};% Happen to know that public_key:ssh_hostkey_fingerprint/1 uses md5...
false ->
{skip,{unsupported_hash,HashAlg}}
end.
-supported_hash(old) -> true;
+supported_hash(old) ->
+ supported_hash(md5); % Happen to know that public_key:ssh_hostkey_fingerprint/1 uses md5...
supported_hash(HashAlg) ->
Hs = if is_atom(HashAlg) -> [HashAlg];
is_list(HashAlg) -> HashAlg
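Review bot: The fact that `old` means md5 is now encoded twice, once in the guard clause at L102-L103 and once in `supported_hash(old)` at L108-L109, each with its own copy of the "Happen to know" comment; if `public_key:ssh_hostkey_fingerprint/1` ever changes its digest, both have to be found. I would keep the knowledge in one place, e.g. a tiny `fingerprint_hash(old) -> md5; fingerprint_hash(H) -> H.` that both the skip reason and `supported_hash/1` go through. Independently, the guard compares against an atom, so `false when HashAlg =:= old ->` is the exact comparison Erlang reviewers expect. `do_hostkey_fingerprint_check/2` starts before this hunk and `supported_hash/1` continues after it.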
diff --git a/lib/ssh/test/ssh_property_test_SUITE.erl b/lib/ssh/test/ssh_property_test_SUITE.erl
index 9aaac898a0..4290ec1487 100644
--- a/lib/ssh/test/ssh_property_test_SUITE.erl
+++ b/lib/ssh/test/ssh_property_test_SUITE.erl
@@ -36,6 +36,8 @@
-compile(export_all).
-include_lib("common_test/include/ct.hrl").
+-include("ssh_test_lib.hrl").
+
all() -> [{group, messages},
client_sends_info_timing,
@@ -54,10 +56,12 @@ groups() ->
%%% First prepare Config and compile the property tests for the found tool:
init_per_suite(Config) ->
- ct_property_test:init_per_suite(Config).
+ ?CHECK_CRYPTO(
+ ct_property_test:init_per_suite(Config)
+ ).
-end_per_suite(Config) ->
- Config.
+end_per_suite(_Config) ->
+ ok.
%%% One group in this suite happens to support only QuickCheck, so skip it
%%% if we run proper.
diff --git a/lib/ssh/test/ssh_test_lib.erl b/lib/ssh/test/ssh_test_lib.erl
index 8bd00397d5..036820fa8d 100644
--- a/lib/ssh/test/ssh_test_lib.erl
+++ b/lib/ssh/test/ssh_test_lib.erl
@@ -451,25 +451,37 @@ clean_rsa(UserDir) ->
file:delete(filename:join(UserDir,"known_hosts")),
file:delete(filename:join(UserDir,"authorized_keys")).
-setup_dsa_pass_pharse(DataDir, UserDir, Phrase) ->
- {ok, KeyBin} = file:read_file(filename:join(DataDir, "id_dsa")),
- setup_pass_pharse(KeyBin, filename:join(UserDir, "id_dsa"), Phrase),
- System = filename:join(UserDir, "system"),
- file:make_dir(System),
- file:copy(filename:join(DataDir, "ssh_host_dsa_key"), filename:join(System, "ssh_host_dsa_key")),
- file:copy(filename:join(DataDir, "ssh_host_dsa_key.pub"), filename:join(System, "ssh_host_dsa_key.pub")),
- setup_dsa_known_host(DataDir, UserDir),
- setup_dsa_auth_keys(DataDir, UserDir).
+setup_dsa_pass_phrase(DataDir, UserDir, Phrase) ->
+ try
+ {ok, KeyBin} = file:read_file(filename:join(DataDir, "id_dsa")),
+ setup_pass_phrase(KeyBin, filename:join(UserDir, "id_dsa"), Phrase),
+ System = filename:join(UserDir, "system"),
+ file:make_dir(System),
+ file:copy(filename:join(DataDir, "ssh_host_dsa_key"), filename:join(System, "ssh_host_dsa_key")),
+ file:copy(filename:join(DataDir, "ssh_host_dsa_key.pub"), filename:join(System, "ssh_host_dsa_key.pub")),
+ setup_dsa_known_host(DataDir, UserDir),
+ setup_dsa_auth_keys(DataDir, UserDir)
+ of
+ _ -> true
+ catch
+ _:_ -> false
+ end.
-setup_rsa_pass_pharse(DataDir, UserDir, Phrase) ->
- {ok, KeyBin} = file:read_file(filename:join(DataDir, "id_rsa")),
- setup_pass_pharse(KeyBin, filename:join(UserDir, "id_rsa"), Phrase),
- System = filename:join(UserDir, "system"),
- file:make_dir(System),
- file:copy(filename:join(DataDir, "ssh_host_rsa_key"), filename:join(System, "ssh_host_rsa_key")),
- file:copy(filename:join(DataDir, "ssh_host_rsa_key.pub"), filename:join(System, "ssh_host_rsa_key.pub")),
- setup_rsa_known_host(DataDir, UserDir),
- setup_rsa_auth_keys(DataDir, UserDir).
+setup_rsa_pass_phrase(DataDir, UserDir, Phrase) ->
+ try
+ {ok, KeyBin} = file:read_file(filename:join(DataDir, "id_rsa")),
+ setup_pass_phrase(KeyBin, filename:join(UserDir, "id_rsa"), Phrase),
+ System = filename:join(UserDir, "system"),
+ file:make_dir(System),
+ file:copy(filename:join(DataDir, "ssh_host_rsa_key"), filename:join(System, "ssh_host_rsa_key")),
+ file:copy(filename:join(DataDir, "ssh_host_rsa_key.pub"), filename:join(System, "ssh_host_rsa_key.pub")),
+ setup_rsa_known_host(DataDir, UserDir),
+ setup_rsa_auth_keys(DataDir, UserDir)
+ of
+ _ -> true
+ catch
+ _:_ -> false
+ end.
setup_ecdsa_pass_phrase(Size, DataDir, UserDir, Phrase) ->
try
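Review bot: `catch _:_ -> false` at L166 and L190 discards the exception class, reason and stacktrace, so when setup fails for a reason other than the FIPS case the commit is targeting (for example a missing `id_dsa` in DataDir makes the `{ok, KeyBin} =` match at L155 raise `badmatch`) nothing is logged and the caller only sees `false`. Logging before returning keeps the boolean contract but leaves a trace in the CT log: `catch C:R:St -> ct:log("setup_dsa_pass_phrase failed: ~p:~p~n~p", [C, R, St]), false` at L166, and the rsa equivalent at L190. The `file:make_dir/1` and `file:copy/2` results inside the `try` body were already ignored before this change, so a copy failure is still only noticed later, if at all.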
@@ -481,7 +493,7 @@ setup_ecdsa_pass_phrase(Size, DataDir, UserDir, Phrase) ->
Other ->
Other
end,
- setup_pass_pharse(KeyBin, filename:join(UserDir, "id_ecdsa"), Phrase),
+ setup_pass_phrase(KeyBin, filename:join(UserDir, "id_ecdsa"), Phrase),
System = filename:join(UserDir, "system"),
file:make_dir(System),
file:copy(filename:join(DataDir, "ssh_host_ecdsa_key"++Size), filename:join(System, "ssh_host_ecdsa_key")),
@@ -494,7 +506,7 @@ setup_ecdsa_pass_phrase(Size, DataDir, UserDir, Phrase) ->
_:_ -> false
end.
-setup_pass_pharse(KeyBin, OutFile, Phrase) ->
+setup_pass_phrase(KeyBin, OutFile, Phrase) ->
[{KeyType, _,_} = Entry0] = public_key:pem_decode(KeyBin),
Key = public_key:pem_entry_decode(Entry0),
Salt = crypto:strong_rand_bytes(8),
@@ -1070,3 +1082,45 @@ ntoa(A) ->
_:_ when is_list(A) -> A
end.
+%%%----------------------------------------------------------------
+try_enable_fips_mode() ->
+ case crypto:info_fips() of
+ enabled ->
+ report("FIPS mode already enabled", ?LINE),
+ ok;
+ not_enabled ->
+ %% Erlang/crypto configured with --enable-fips
+ case crypto:enable_fips_mode(true) of
+ true ->
+ %% and also the cryptolib is fips enabled
+ report("FIPS mode enabled", ?LINE),
+ enabled = crypto:info_fips(),
+ ok;
+ false ->
+ case is_cryptolib_fips_capable() of
+ false ->
+ report("No FIPS mode in cryptolib", ?LINE),
+ {skip, "FIPS mode not supported in cryptolib"};
+ true ->
+ ct:fail("Failed to enable FIPS mode", [])
+ end
+ end;
+ not_supported ->
+ report("FIPS mode not supported by Erlang/OTP", ?LINE),
+ {skip, "FIPS mode not supported"}
+ end.
+
+is_cryptolib_fips_capable() ->
+ [{_,_,Inf}] = crypto:info_lib(),
+ nomatch =/= re:run(Inf, "(F|f)(I|i)(P|p)(S|s)").
+
+report(Comment, Line) ->
+ ct:comment(Comment),
+ ct:log("~p:~p try_enable_fips_mode~n"
+ "crypto:info_lib() = ~p~n"
+ "crypto:info_fips() = ~p~n"
+ "crypto:supports() =~n~p~n",
+ [?MODULE, Line,
+ crypto:info_lib(),
+ crypto:info_fips(),
+ crypto:supports()]).
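Review bot: `ct:fail("Failed to enable FIPS mode", [])` at L234 raises an exit, and the only caller visible on this page is the `?CHECK_CRYPTO` macro in lib/ssh/test/ssh_test_lib.hrl, whose `catch _:_` turns that exit into `{skip, "Can't start crypto"}`; a cryptolib that looks FIPS-capable but cannot be switched on is therefore reported as a skip with an unrelated reason instead of a failure. Since the macro already passes any other value through (`Other -> Other`), returning `{fail, "Failed to enable FIPS mode"}` at L234 keeps this function a plain value-returning helper and lets init_per_suite fail the suite with the real reason. Two smaller points in the same hunk: the capability probe at L244 reads more simply as `nomatch =/= re:run(Inf, "fips", [caseless])`, and the `[{_,_,Inf}] = crypto:info_lib()` match at L243 will raise `badmatch` rather than answer `false` if `info_lib/0` ever returns more than one entry, which I cannot rule out from this page.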
diff --git a/lib/ssh/test/ssh_test_lib.hrl b/lib/ssh/test/ssh_test_lib.hrl
index 4b6579bd71..b9af2ecb5d 100644
--- a/lib/ssh/test/ssh_test_lib.hrl
+++ b/lib/ssh/test/ssh_test_lib.hrl
@@ -6,10 +6,16 @@
%%-------------------------------------------------------------------------
%% Check for usable crypt
%%-------------------------------------------------------------------------
--define(CHECK_CRYPTO(Available),
- try crypto:start()
- of _ -> Available
- catch _:_ -> {skip, "Can't start crypto"}
+-define(CHECK_CRYPTO(UsersInitCode),
+ try
+ crypto:start(),
+ ssh_test_lib:try_enable_fips_mode()
+ of
+ ok -> UsersInitCode;
+ {skip,_} -> UsersInitCode;
+ Other -> Other
+ catch
+ _:_ -> {skip, "Can't start crypto"}
end
).
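Review bot: The header comment `%% Check for usable crypt` at L262 no longer describes the macro, which now also tries to enable FIPS mode and, via `{skip,_} -> UsersInitCode` at L274, deliberately continues without FIPS when `try_enable_fips_mode/0` cannot enable it, so a suite silently runs in non-FIPS mode with no skip recorded. That decision should be stated where the macro is defined: `%% Start crypto and try to enable FIPS mode. A {skip,_} from ssh_test_lib:try_enable_fips_mode/0 is deliberately ignored and UsersInitCode runs without FIPS; any other non-ok value is returned as the init result.` The `Other -> Other` branch at L275 is only reachable for values the helper does not return today, so the comment is also the only documentation of what that branch is for.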