author | Hans Nilsson <hans@erlang.org> | 2019-11-19 12:38:39 +0100 |
committer | Hans Nilsson <hans@erlang.org> | 2019-11-19 12:38:39 +0100 |
commit | 73a799c2794c2313304badc354b473a607ccfa36 (patch) | |
tree | 3b34e75ab801158d5f383de3526a272583d4143d | |
parent | 55f365f6db99077e8eec3d6faa40c6eb2d0bbde0 (diff) | |
parent | 64269aa48b9425eb038da3ac3970bd040ed4053f (diff) | |
download | erlang-73a799c2794c2313304badc354b473a607ccfa36.tar.gz |
Merge branch 'hans/ssh/cuddle_tests' into maint
* hans/ssh/cuddle_tests:
ssh/test: Handle FIPS disabled algorithms correctly for pass phrases
ssh/test: Skip old ssh finger print check (=md5) if FIPS mode
ssh/test: Start crypto in init_suite in ssh_property_test_SUITE
ssh/test: Extend crypto start to enable FIPS if possible
ssh/test: Don't propagate Config between test suites
ssh/test: Fix misspeling
-rw-r--r-- | lib/ssh/test/ssh_basic_SUITE.erl | 20 | ||||
-rw-r--r-- | lib/ssh/test/ssh_compat_SUITE.erl | 4 | ||||
-rw-r--r-- | lib/ssh/test/ssh_connection_SUITE.erl | 4 | ||||
-rw-r--r-- | lib/ssh/test/ssh_options_SUITE.erl | 5 | ||||
-rw-r--r-- | lib/ssh/test/ssh_property_test_SUITE.erl | 10 | ||||
-rw-r--r-- | lib/ssh/test/ssh_test_lib.erl | 94 | ||||
-rw-r--r-- | lib/ssh/test/ssh_test_lib.hrl | 14 |
7 files changed, 111 insertions, 40 deletions
diff --git a/lib/ssh/test/ssh_basic_SUITE.erl b/lib/ssh/test/ssh_basic_SUITE.erl
index af4a3584bf..30d03f842f 100644
--- a/lib/ssh/test/ssh_basic_SUITE.erl
+++ b/lib/ssh/test/ssh_basic_SUITE.erl
@@ -255,23 +255,27 @@ init_per_group(ed448_key, Config) ->
 {skip, unsupported_pub_key}
 end;
 init_per_group(rsa_pass_key, Config) ->
+ DataDir = proplists:get_value(data_dir, Config),
+ PrivDir = proplists:get_value(priv_dir, Config),
 case lists:member('ssh-rsa',
- ssh_transport:default_algorithms(public_key)) of
+ ssh_transport:default_algorithms(public_key))
+ andalso
+ ssh_test_lib:setup_rsa_pass_phrase(DataDir, PrivDir, "Password")
+ of
 true ->
- DataDir = proplists:get_value(data_dir, Config),
- PrivDir = proplists:get_value(priv_dir, Config),
- ssh_test_lib:setup_rsa_pass_pharse(DataDir, PrivDir, "Password"),
 [{pass_phrase, {rsa_pass_phrase, "Password"}}| Config];
 false ->
 {skip, unsupported_pub_key}
 end;
 init_per_group(dsa_pass_key, Config) ->
+ DataDir = proplists:get_value(data_dir, Config),
+ PrivDir = proplists:get_value(priv_dir, Config),
 case lists:member('ssh-dss',
- ssh_transport:default_algorithms(public_key)) of
+ ssh_transport:default_algorithms(public_key))
+ andalso
+ ssh_test_lib:setup_dsa_pass_phrase(DataDir, PrivDir, "Password")
+ of
 true ->
- DataDir = proplists:get_value(data_dir, Config),
- PrivDir = proplists:get_value(priv_dir, Config),
- ssh_test_lib:setup_dsa_pass_pharse(DataDir, PrivDir, "Password"),
 [{pass_phrase, {dsa_pass_phrase, "Password"}}| Config];
 false ->
 {skip, unsupported_pub_key}
diff --git a/lib/ssh/test/ssh_compat_SUITE.erl b/lib/ssh/test/ssh_compat_SUITE.erl
index c42140cee7..93593c82b5 100644
--- a/lib/ssh/test/ssh_compat_SUITE.erl
+++ b/lib/ssh/test/ssh_compat_SUITE.erl
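Review bot: Folding `ssh_test_lib:setup_rsa_pass_phrase(DataDir, PrivDir, "Password")` into the `case` condition makes every failure of the pass-phrase setup surface as `{skip, unsupported_pub_key}`, which misstates the cause: the helper returns false on any exception (the `{ok, KeyBin} =` read of a missing data file, an unwritable PrivDir, or — presumably the case this commit targets — a pass-phrase cipher disabled under FIPS), none of which is an unsupported public-key algorithm. A nested case on the helper result with its own reason, such as `pass_phrase_setup_failed`, keeps the two causes apart in the test log; the `dsa_pass_key` clause later in this hunk has the same shape. The enclosing `init_per_group/2` continues outside the hunk.
```erlang
init_per_group(rsa_pass_key, Config) ->
    DataDir = proplists:get_value(data_dir, Config),
    PrivDir = proplists:get_value(priv_dir, Config),
    case lists:member('ssh-rsa',
                      ssh_transport:default_algorithms(public_key)) of
        true ->
            %% Kept separate from the algorithm check so that a setup
            %% failure gets its own skip reason instead of being reported
            %% as an unsupported public-key algorithm.
            case ssh_test_lib:setup_rsa_pass_phrase(DataDir, PrivDir, "Password") of
                true -> [{pass_phrase, {rsa_pass_phrase, "Password"}}| Config];
                false -> {skip, pass_phrase_setup_failed}
            end;
        false ->
            {skip, unsupported_pub_key}
    end;
%% … unchanged apart from the same restructuring: dsa_pass_key clause …
```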
@@ -86,13 +86,13 @@ init_per_suite(Config) ->
 Config
 end).
-end_per_suite(Config) ->
+end_per_suite(_Config) ->
 %% Remove all containers that are not running:
 %%% os:cmd("docker rm $(docker ps -aq -f status=exited)"),
 %% Remove dangling images:
 %%% os:cmd("docker rmi $(docker images -f dangling=true -q)"),
 catch ssh:stop(),
- Config.
+ ok.
 init_per_group(otp_server, Config) ->
diff --git a/lib/ssh/test/ssh_connection_SUITE.erl b/lib/ssh/test/ssh_connection_SUITE.erl
index dfc513fc12..c187a5e4b5 100644
--- a/lib/ssh/test/ssh_connection_SUITE.erl
+++ b/lib/ssh/test/ssh_connection_SUITE.erl
@@ -97,9 +97,9 @@ sock() ->
 init_per_suite(Config) ->
 ?CHECK_CRYPTO(Config).
-end_per_suite(Config) ->
+end_per_suite(_Config) ->
 catch ssh:stop(),
- Config.
+ ok.
 %%--------------------------------------------------------------------
 init_per_group(openssh, Config) ->
diff --git a/lib/ssh/test/ssh_options_SUITE.erl b/lib/ssh/test/ssh_options_SUITE.erl
index bf90f74324..b244c1bbd4 100644
--- a/lib/ssh/test/ssh_options_SUITE.erl
+++ b/lib/ssh/test/ssh_options_SUITE.erl
@@ -805,11 +805,14 @@ do_hostkey_fingerprint_check(Config, HashAlg) ->
 case supported_hash(HashAlg) of
 true ->
 really_do_hostkey_fingerprint_check(Config, HashAlg);
+ false when HashAlg == old ->
+ {skip,{unsupported_hash,md5}};% Happen to know that public_key:ssh_hostkey_fingerprint/1 uses md5...
 false ->
 {skip,{unsupported_hash,HashAlg}}
 end.
-supported_hash(old) -> true;
+supported_hash(old) ->
+ supported_hash(md5); % Happen to know that public_key:ssh_hostkey_fingerprint/1 uses md5...
 supported_hash(HashAlg) ->
 Hs = if is_atom(HashAlg) -> [HashAlg];
 is_list(HashAlg) -> HashAlg
diff --git a/lib/ssh/test/ssh_property_test_SUITE.erl b/lib/ssh/test/ssh_property_test_SUITE.erl
index 9aaac898a0..4290ec1487 100644
--- a/lib/ssh/test/ssh_property_test_SUITE.erl
+++ b/lib/ssh/test/ssh_property_test_SUITE.erl
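Review bot: The `old` → md5 mapping in the ssh_options_SUITE hunk is now encoded twice with the same "Happen to know" comment, once in the new `false when HashAlg == old` clause and once in `supported_hash(old)`; a one-place helper, `fingerprint_hash(old) -> md5; fingerprint_hash(H) -> H.`, lets the skip read `false -> {skip,{unsupported_hash,fingerprint_hash(HashAlg)}}` with no guard and carries the comment once. If the guard stays, `=:=` is the right comparison for atoms, since `==` only adds numeric coercion. `supported_hash/1` continues outside the hunk.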
@@ -36,6 +36,8 @@
 -compile(export_all).
 -include_lib("common_test/include/ct.hrl").
+-include("ssh_test_lib.hrl").
+
 all() -> [{group, messages},
 client_sends_info_timing,
@@ -54,10 +56,12 @@ groups() ->
 %%% First prepare Config and compile the property tests for the found tool:
 init_per_suite(Config) ->
- ct_property_test:init_per_suite(Config).
+ ?CHECK_CRYPTO(
+ ct_property_test:init_per_suite(Config)
+ ).
-end_per_suite(Config) ->
+end_per_suite(_Config) ->
- Config.
+ ok.
 %%% One group in this suite happens to support only QuickCheck, so skip it
 %%% if we run proper.
diff --git a/lib/ssh/test/ssh_test_lib.erl b/lib/ssh/test/ssh_test_lib.erl
index 8bd00397d5..036820fa8d 100644
--- a/lib/ssh/test/ssh_test_lib.erl
+++ b/lib/ssh/test/ssh_test_lib.erl
@@ -451,25 +451,37 @@ clean_rsa(UserDir) ->
 file:delete(filename:join(UserDir,"known_hosts")),
 file:delete(filename:join(UserDir,"authorized_keys")).
-setup_dsa_pass_pharse(DataDir, UserDir, Phrase) ->
- {ok, KeyBin} = file:read_file(filename:join(DataDir, "id_dsa")),
- setup_pass_pharse(KeyBin, filename:join(UserDir, "id_dsa"), Phrase),
- System = filename:join(UserDir, "system"),
- file:make_dir(System),
- file:copy(filename:join(DataDir, "ssh_host_dsa_key"), filename:join(System, "ssh_host_dsa_key")),
- file:copy(filename:join(DataDir, "ssh_host_dsa_key.pub"), filename:join(System, "ssh_host_dsa_key.pub")),
- setup_dsa_known_host(DataDir, UserDir),
- setup_dsa_auth_keys(DataDir, UserDir).
+setup_dsa_pass_phrase(DataDir, UserDir, Phrase) ->
+ try
+ {ok, KeyBin} = file:read_file(filename:join(DataDir, "id_dsa")),
+ setup_pass_phrase(KeyBin, filename:join(UserDir, "id_dsa"), Phrase),
+ System = filename:join(UserDir, "system"),
+ file:make_dir(System),
+ file:copy(filename:join(DataDir, "ssh_host_dsa_key"), filename:join(System, "ssh_host_dsa_key")),
+ file:copy(filename:join(DataDir, "ssh_host_dsa_key.pub"), filename:join(System, "ssh_host_dsa_key.pub")),
+ setup_dsa_known_host(DataDir, UserDir),
+ setup_dsa_auth_keys(DataDir, UserDir)
+ of
+ _ -> true
+ catch
+ _:_ -> false
+ end.
-setup_rsa_pass_pharse(DataDir, UserDir, Phrase) ->
- {ok, KeyBin} = file:read_file(filename:join(DataDir, "id_rsa")),
- setup_pass_pharse(KeyBin, filename:join(UserDir, "id_rsa"), Phrase),
- System = filename:join(UserDir, "system"),
- file:make_dir(System),
- file:copy(filename:join(DataDir, "ssh_host_rsa_key"), filename:join(System, "ssh_host_rsa_key")),
- file:copy(filename:join(DataDir, "ssh_host_rsa_key.pub"), filename:join(System, "ssh_host_rsa_key.pub")),
- setup_rsa_known_host(DataDir, UserDir),
- setup_rsa_auth_keys(DataDir, UserDir).
+setup_rsa_pass_phrase(DataDir, UserDir, Phrase) ->
+ try
+ {ok, KeyBin} = file:read_file(filename:join(DataDir, "id_rsa")),
+ setup_pass_phrase(KeyBin, filename:join(UserDir, "id_rsa"), Phrase),
+ System = filename:join(UserDir, "system"),
+ file:make_dir(System),
+ file:copy(filename:join(DataDir, "ssh_host_rsa_key"), filename:join(System, "ssh_host_rsa_key")),
+ file:copy(filename:join(DataDir, "ssh_host_rsa_key.pub"), filename:join(System, "ssh_host_rsa_key.pub")),
+ setup_rsa_known_host(DataDir, UserDir),
+ setup_rsa_auth_keys(DataDir, UserDir)
+ of
+ _ -> true
+ catch
+ _:_ -> false
+ end.
 setup_ecdsa_pass_phrase(Size, DataDir, UserDir, Phrase) ->
 try
@@ -481,7 +493,7 @@ setup_ecdsa_pass_phrase(Size, DataDir, UserDir, Phrase) ->
 Other -> Other
 end,
- setup_pass_pharse(KeyBin, filename:join(UserDir, "id_ecdsa"), Phrase),
+ setup_pass_phrase(KeyBin, filename:join(UserDir, "id_ecdsa"), Phrase),
 System = filename:join(UserDir, "system"),
 file:make_dir(System),
 file:copy(filename:join(DataDir, "ssh_host_ecdsa_key"++Size), filename:join(System, "ssh_host_ecdsa_key")),
@@ -494,7 +506,7 @@ setup_ecdsa_pass_phrase(Size, DataDir, UserDir, Phrase) ->
 _:_ -> false
 end.
-setup_pass_pharse(KeyBin, OutFile, Phrase) ->
+setup_pass_phrase(KeyBin, OutFile, Phrase) ->
 [{KeyType, _,_} = Entry0] = public_key:pem_decode(KeyBin),
 Key = public_key:pem_entry_decode(Entry0),
 Salt = crypto:strong_rand_bytes(8),
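Review bot: `catch _:_ -> false` in both `setup_dsa_pass_phrase/3` and `setup_rsa_pass_phrase/3` discards the exception class and reason, so the caller (which turns false into a group skip) cannot tell a cipher rejected in FIPS mode from a missing `id_dsa`/`id_rsa` data file, an unwritable UserDir, or a plain bug in `setup_pass_phrase/3`; the `{ok, KeyBin} =` badmatch on a wrong DataDir becomes a silent skip instead of a failure. Logging what was caught before returning keeps the boolean contract the new callers rely on: `catch C:R -> ct:log("~p: setup failed: ~p:~p", [?FUNCTION_NAME, C, R]), false`. The pre-existing `setup_ecdsa_pass_phrase/4`, which continues outside this hunk, has the same shape and would benefit from the same change.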
@@ -1070,3 +1082,45 @@ ntoa(A) ->
 _:_ when is_list(A) -> A
 end.
+%%%----------------------------------------------------------------
+try_enable_fips_mode() ->
+ case crypto:info_fips() of
+ enabled ->
+ report("FIPS mode already enabled", ?LINE),
+ ok;
+ not_enabled ->
+ %% Erlang/crypto configured with --enable-fips
+ case crypto:enable_fips_mode(true) of
+ true ->
+ %% and also the cryptolib is fips enabled
+ report("FIPS mode enabled", ?LINE),
+ enabled = crypto:info_fips(),
+ ok;
+ false ->
+ case is_cryptolib_fips_capable() of
+ false ->
+ report("No FIPS mode in cryptolib", ?LINE),
+ {skip, "FIPS mode not supported in cryptolib"};
+ true ->
+ ct:fail("Failed to enable FIPS mode", [])
+ end
+ end;
+ not_supported ->
+ report("FIPS mode not supported by Erlang/OTP", ?LINE),
+ {skip, "FIPS mode not supported"}
+ end.
+
+is_cryptolib_fips_capable() ->
+ [{_,_,Inf}] = crypto:info_lib(),
+ nomatch =/= re:run(Inf, "(F|f)(I|i)(P|p)(S|s)").
+
+report(Comment, Line) ->
+ ct:comment(Comment),
+ ct:log("~p:~p try_enable_fips_mode~n"
+ "crypto:info_lib() = ~p~n"
+ "crypto:info_fips() = ~p~n"
+ "crypto:supports() =~n~p~n",
+ [?MODULE, Line,
+ crypto:info_lib(),
+ crypto:info_fips(),
+ crypto:supports()]).
diff --git a/lib/ssh/test/ssh_test_lib.hrl b/lib/ssh/test/ssh_test_lib.hrl
index 4b6579bd71..b9af2ecb5d 100644
--- a/lib/ssh/test/ssh_test_lib.hrl
+++ b/lib/ssh/test/ssh_test_lib.hrl
@@ -6,10 +6,16 @@
 %%-------------------------------------------------------------------------
 %% Check for usable crypt
 %%-------------------------------------------------------------------------
--define(CHECK_CRYPTO(Available),
- try crypto:start()
- of _ -> Available
- catch _:_ -> {skip, "Can't start crypto"}
+-define(CHECK_CRYPTO(UsersInitCode),
+ try
+ crypto:start(),
+ ssh_test_lib:try_enable_fips_mode()
+ of
+ ok -> UsersInitCode;
+ {skip,_} -> UsersInitCode;
+ Other -> Other
+ catch
+ _:_ -> {skip, "Can't start crypto"}
 end
 ).
|
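Review bot: `is_cryptolib_fips_capable/0` decides between a skip and a hard `ct:fail` by running a regex over the `crypto:info_lib()` version string, which is a heuristic that deserves a comment on the function, e.g. `%% Heuristic: a "fips" substring in the cryptolib version string is taken to mean FIPS-capable, so a failing enable_fips_mode(true) is then a test failure rather than a skip`. The regex `"(F|f)(I|i)(P|p)(S|s)"` reads more plainly as `re:run(Inf, "fips", [caseless])`. The `[{_,_,Inf}] = crypto:info_lib()` match also assumes exactly one library entry; that may hold today, but a badmatch there is not a readable failure for a suite author.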
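Review bot: In the new `?CHECK_CRYPTO` body, `ssh_test_lib:try_enable_fips_mode()` runs inside the protected part of the `try`, so the `ct:fail("Failed to enable FIPS mode", [])` it raises for a FIPS-capable cryptolib that refuses to enable FIPS (and the `enabled = crypto:info_fips()` assertion) is swallowed by `catch _:_` and reported as `{skip, "Can't start crypto"}`; the one case the helper classifies as a failure can therefore never fail a suite. Keeping only `crypto:start()` under the `try` and calling the helper from the `of` branch, which is not protected, lets its exceptions propagate while a crypto start failure still skips. The `Other -> Other` clause then goes away; with `ok` and `{skip,_}` as the helper's only non-raising returns it was unreachable. The `{skip,_} -> UsersInitCode` clause would also benefit from a comment, since it deliberately runs the suite without FIPS rather than skipping it.
```erlang
-define(CHECK_CRYPTO(UsersInitCode),
        try crypto:start()
        of _ ->
                %% Not protected by the try: a ct:fail/2 from the helper
                %% propagates as a test failure instead of becoming a skip.
                case ssh_test_lib:try_enable_fips_mode() of
                    ok -> UsersInitCode;
                    %% FIPS unavailable is not a reason to skip; the suite
                    %% then runs in non-FIPS mode.
                    {skip,_} -> UsersInitCode
                end
        catch _:_ -> {skip, "Can't start crypto"}
        end
       ).
```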