From 31761c85c053d0573e80856d893ff2c966b75c61 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Sat, 26 Aug 2023 21:56:23 +0000 Subject: [PATCH] md5: allow disabling old-style encrypted private keys at build-time Before this patch, this happened at runtime when using an old (pre-3.0), FIPS-enabled OpenSSL backend. This patch makes it possible to disable this via the build-time option `LIBSSH2_NO_MD5_PEM`. Also: - make sure to exclude all MD5 internal APIs when both the above and `LIBSSH2_NO_MD5` are enabled. - fix tests to support build with`LIBSSH2_NO_MD5`, `LIBSSH2_NO_MD5_PEM` and `LIBSSH2_NO_3DES`. - add FIXME to apply this change to `os400qc3.*`. Old-style encrypted private keys require MD5 and they look like this: ``` -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC, -----END RSA PRIVATE KEY----- ``` E.g.: `tests/key_rsa_encrypted` Ref: https://github.com/libssh2/www/issues/20 Closes #1181 --- .github/workflows/ci.yml | 2 +- src/Makefile.inc | 1 + src/crypto.h | 65 ------------------- src/crypto_config.h | 76 +++++++++++++++++++++++ src/libgcrypt.h | 8 +++ src/mbedtls.h | 9 ++- src/openssl.c | 2 + src/openssl.h | 4 ++ src/os400qc3.h | 4 ++ src/pem.c | 11 ++-- src/wincng.c | 10 +++ src/wincng.h | 8 +++ tests/session_fixture.c | 35 +++++++++-- tests/test_auth_pubkey_ok_rsa_encrypted.c | 2 +- tests/test_hostkey_hash.c | 12 ++++ 15 files changed, 170 insertions(+), 79 deletions(-) create mode 100644 src/crypto_config.h diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e2442fb3fd..8e8065a22f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -322,7 +322,7 @@ jobs: - name: 'make build' if: ${{ matrix.build == 'make' }} env: - CPPFLAGS: -DLIBSSH2_NO_MD5 -DLIBSSH2_NO_HMAC_RIPEMD -DLIBSSH2_NO_DSA -DLIBSSH2_NO_AES_CBC -DLIBSSH2_NO_AES_CTR -DLIBSSH2_NO_BLOWFISH -DLIBSSH2_NO_RC4 -DLIBSSH2_NO_CAST -DLIBSSH2_NO_3DES + CPPFLAGS: -DLIBSSH2_NO_MD5 -DLIBSSH2_NO_MD5_PEM -DLIBSSH2_NO_HMAC_RIPEMD -DLIBSSH2_NO_DSA -DLIBSSH2_NO_AES_CBC -DLIBSSH2_NO_AES_CTR -DLIBSSH2_NO_BLOWFISH -DLIBSSH2_NO_RC4 -DLIBSSH2_NO_CAST -DLIBSSH2_NO_3DES LIBSSH2_CPPFLAGS_LIB: -DLIBSSH2_EXPORTS ZLIB_PATH: /${{ matrix.sys }} OPENSSL_PATH: /${{ matrix.sys }} diff --git a/src/Makefile.inc b/src/Makefile.inc index a1876daceb..9133819a62 100644 --- a/src/Makefile.inc +++ b/src/Makefile.inc @@ -29,6 +29,7 @@ HHEADERS = \ channel.h \ comp.h \ crypto.h \ + crypto_config.h \ libgcrypt.h \ libssh2_priv.h \ libssh2_setup.h \ diff --git a/src/crypto.h b/src/crypto.h index 561cd96e2b..c30d613a9d 100644 --- a/src/crypto.h +++ b/src/crypto.h @@ -55,71 +55,6 @@ #error "no cryptography backend selected" #endif -#ifdef LIBSSH2_NO_MD5 -#undef LIBSSH2_MD5 -#define LIBSSH2_MD5 0 -#endif - -#ifdef LIBSSH2_NO_HMAC_RIPEMD -#undef LIBSSH2_HMAC_RIPEMD -#define LIBSSH2_HMAC_RIPEMD 0 -#endif - -#ifdef LIBSSH2_NO_DSA -#undef LIBSSH2_DSA -#define LIBSSH2_DSA 0 -#endif - -#ifdef LIBSSH2_NO_RSA -#undef LIBSSH2_RSA -#define LIBSSH2_RSA 0 -#endif - -#ifdef LIBSSH2_NO_RSA_SHA1 -#undef LIBSSH2_RSA_SHA1 -#define LIBSSH2_RSA_SHA1 0 -#endif - -#ifdef LIBSSH2_NO_ECDSA -#undef LIBSSH2_ECDSA -#define LIBSSH2_ECDSA 0 -#endif - -#ifdef LIBSSH2_NO_ED25519 -#undef LIBSSH2_ED25519 -#define LIBSSH2_ED25519 0 -#endif - -#ifdef LIBSSH2_NO_AES_CTR -#undef LIBSSH2_AES_CTR -#define LIBSSH2_AES_CTR 0 -#endif - -#ifdef LIBSSH2_NO_AES_CBC -#undef LIBSSH2_AES_CBC -#define LIBSSH2_AES_CBC 0 -#endif - -#ifdef LIBSSH2_NO_BLOWFISH -#undef LIBSSH2_BLOWFISH -#define LIBSSH2_BLOWFISH 0 -#endif - -#ifdef LIBSSH2_NO_RC4 -#undef LIBSSH2_RC4 -#define LIBSSH2_RC4 0 -#endif - -#ifdef LIBSSH2_NO_CAST -#undef LIBSSH2_CAST -#define LIBSSH2_CAST 0 -#endif - -#ifdef LIBSSH2_NO_3DES -#undef LIBSSH2_3DES -#define LIBSSH2_3DES 0 -#endif - #define LIBSSH2_ED25519_KEY_LEN 32 #define LIBSSH2_ED25519_PRIVATE_KEY_LEN 64 #define LIBSSH2_ED25519_SIG_LEN 64 diff --git a/src/crypto_config.h b/src/crypto_config.h new file mode 100644 index 0000000000..5934e140b6 --- /dev/null +++ b/src/crypto_config.h @@ -0,0 +1,76 @@ +/* Copyright (C) Viktor Szakats + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#define LIBSSH2_MD5_PEM LIBSSH2_MD5 + +#ifdef LIBSSH2_NO_MD5 +#undef LIBSSH2_MD5 +#define LIBSSH2_MD5 0 +#endif + +#ifdef LIBSSH2_NO_MD5_PEM +#undef LIBSSH2_MD5_PEM +#define LIBSSH2_MD5_PEM 0 +#endif + +#ifdef LIBSSH2_NO_HMAC_RIPEMD +#undef LIBSSH2_HMAC_RIPEMD +#define LIBSSH2_HMAC_RIPEMD 0 +#endif + +#ifdef LIBSSH2_NO_DSA +#undef LIBSSH2_DSA +#define LIBSSH2_DSA 0 +#endif + +#ifdef LIBSSH2_NO_RSA +#undef LIBSSH2_RSA +#define LIBSSH2_RSA 0 +#endif + +#ifdef LIBSSH2_NO_RSA_SHA1 +#undef LIBSSH2_RSA_SHA1 +#define LIBSSH2_RSA_SHA1 0 +#endif + +#ifdef LIBSSH2_NO_ECDSA +#undef LIBSSH2_ECDSA +#define LIBSSH2_ECDSA 0 +#endif + +#ifdef LIBSSH2_NO_ED25519 +#undef LIBSSH2_ED25519 +#define LIBSSH2_ED25519 0 +#endif + +#ifdef LIBSSH2_NO_AES_CTR +#undef LIBSSH2_AES_CTR +#define LIBSSH2_AES_CTR 0 +#endif + +#ifdef LIBSSH2_NO_AES_CBC +#undef LIBSSH2_AES_CBC +#define LIBSSH2_AES_CBC 0 +#endif + +#ifdef LIBSSH2_NO_BLOWFISH +#undef LIBSSH2_BLOWFISH +#define LIBSSH2_BLOWFISH 0 +#endif + +#ifdef LIBSSH2_NO_RC4 +#undef LIBSSH2_RC4 +#define LIBSSH2_RC4 0 +#endif + +#ifdef LIBSSH2_NO_CAST +#undef LIBSSH2_CAST +#define LIBSSH2_CAST 0 +#endif + +#ifdef LIBSSH2_NO_3DES +#undef LIBSSH2_3DES +#define LIBSSH2_3DES 0 +#endif diff --git a/src/libgcrypt.h b/src/libgcrypt.h index 10e36fc7ed..dbd820d253 100644 --- a/src/libgcrypt.h +++ b/src/libgcrypt.h @@ -66,7 +66,11 @@ #define LIBSSH2_ECDSA 0 #define LIBSSH2_ED25519 0 +#include "crypto_config.h" + +#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM #define MD5_DIGEST_LENGTH 16 +#endif #define SHA_DIGEST_LENGTH 20 #define SHA256_DIGEST_LENGTH 32 #define SHA384_DIGEST_LENGTH 48 @@ -124,6 +128,7 @@ #define libssh2_sha512(message, len, out) \ gcry_md_hash_buffer(GCRY_MD_SHA512, out, message, len) +#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM #define libssh2_md5_ctx gcry_md_hd_t /* returns 0 in case of failure */ @@ -136,15 +141,18 @@ memcpy(out, gcry_md_read(ctx, 0), MD5_DIGEST_LENGTH), gcry_md_close(ctx) #define libssh2_md5(message, len, out) \ gcry_md_hash_buffer(GCRY_MD_MD5, out, message, len) +#endif #define libssh2_hmac_ctx gcry_md_hd_t #define libssh2_hmac_ctx_init(ctx) #define libssh2_hmac_sha1_init(ctx, key, keylen) \ gcry_md_open(ctx, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC), \ gcry_md_setkey(*ctx, key, keylen) +#if LIBSSH2_MD5 #define libssh2_hmac_md5_init(ctx, key, keylen) \ gcry_md_open(ctx, GCRY_MD_MD5, GCRY_MD_FLAG_HMAC), \ gcry_md_setkey(*ctx, key, keylen) +#endif #define libssh2_hmac_ripemd160_init(ctx, key, keylen) \ gcry_md_open(ctx, GCRY_MD_RMD160, GCRY_MD_FLAG_HMAC), \ gcry_md_setkey(*ctx, key, keylen) diff --git a/src/mbedtls.h b/src/mbedtls.h index 6091f2ec86..7061ba4bf8 100644 --- a/src/mbedtls.h +++ b/src/mbedtls.h @@ -92,7 +92,11 @@ #endif #define LIBSSH2_ED25519 0 +#include "crypto_config.h" + +#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM #define MD5_DIGEST_LENGTH 16 +#endif #define SHA_DIGEST_LENGTH 20 #define SHA256_DIGEST_LENGTH 32 #define SHA384_DIGEST_LENGTH 48 @@ -134,8 +138,10 @@ #define libssh2_hmac_sha1_init(pctx, key, keylen) \ _libssh2_mbedtls_hash_init(pctx, MBEDTLS_MD_SHA1, key, keylen) +#if LIBSSH2_MD5 #define libssh2_hmac_md5_init(pctx, key, keylen) \ _libssh2_mbedtls_hash_init(pctx, MBEDTLS_MD_MD5, key, keylen) +#endif #define libssh2_hmac_ripemd160_init(pctx, key, keylen) \ _libssh2_mbedtls_hash_init(pctx, MBEDTLS_MD_RIPEMD160, key, keylen) #define libssh2_hmac_sha256_init(pctx, key, keylen) \ @@ -219,6 +225,7 @@ * mbedTLS backend: MD5 functions */ +#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM #define libssh2_md5_ctx mbedtls_md_context_t #define libssh2_md5_init(pctx) \ @@ -229,7 +236,7 @@ _libssh2_mbedtls_hash_final(&ctx, hash) #define libssh2_md5(data, datalen, hash) \ _libssh2_mbedtls_hash(data, datalen, MBEDTLS_MD_MD5, hash) - +#endif /*******************************************************************/ /* diff --git a/src/openssl.c b/src/openssl.c index 0f06d40935..13b389c8dc 100644 --- a/src/openssl.c +++ b/src/openssl.c @@ -2495,6 +2495,7 @@ _libssh2_sha512(const unsigned char *message, size_t len, return 1; /* error */ } +#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM int _libssh2_md5_init(libssh2_md5_ctx *ctx) { @@ -2530,6 +2531,7 @@ _libssh2_md5_init(libssh2_md5_ctx *ctx) return EVP_DigestInit(ctx, EVP_get_digestbyname("md5")); #endif } +#endif #if LIBSSH2_ECDSA diff --git a/src/openssl.h b/src/openssl.h index 4a2b63195e..a663c6fb13 100644 --- a/src/openssl.h +++ b/src/openssl.h @@ -194,6 +194,8 @@ # define LIBSSH2_3DES 1 #endif +#include "crypto_config.h" + #define EC_MAX_POINT_LEN ((528 * 2 / 8) + 1) #define _libssh2_random(buf, len) \ @@ -296,6 +298,7 @@ int _libssh2_sha512(const unsigned char *message, size_t len, unsigned char *out); #define libssh2_sha512(x,y,z) _libssh2_sha512(x,y,z) +#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM #ifdef HAVE_OPAQUE_STRUCTS #define libssh2_md5_ctx EVP_MD_CTX * #else @@ -315,6 +318,7 @@ int _libssh2_md5_init(libssh2_md5_ctx *ctx); #define libssh2_md5_update(ctx, data, len) EVP_DigestUpdate(&(ctx), data, len) #define libssh2_md5_final(ctx, out) EVP_DigestFinal(&(ctx), out, NULL) #endif +#endif #ifdef HAVE_OPAQUE_STRUCTS #define libssh2_hmac_ctx HMAC_CTX * diff --git a/src/os400qc3.h b/src/os400qc3.h index 8280d9ce77..29a34a3286 100644 --- a/src/os400qc3.h +++ b/src/os400qc3.h @@ -164,6 +164,8 @@ #undef Qc3_MK_Pending #define Qc3_MK_Pending '\xF3' /* '3' */ +/* FIXME: Disable MD5 macros/constants and functions when + LIBSSH2_MD5 and LIBSSH_MD5_PEM have the value 0. */ /* Define which features are supported. */ #define LIBSSH2_MD5 1 @@ -186,6 +188,8 @@ #define LIBSSH2_ECDSA 0 #define LIBSSH2_ED25519 0 +#include "crypto_config.h" + #define MD5_DIGEST_LENGTH 16 #define SHA_DIGEST_LENGTH 20 #define SHA256_DIGEST_LENGTH 32 diff --git a/src/pem.c b/src/pem.c index 17096cb57b..41ebf439e4 100644 --- a/src/pem.c +++ b/src/pem.c @@ -106,12 +106,6 @@ static unsigned char hex_decode(char digit) ((digit >= 'A') ? (0xA + (digit - 'A')) : (digit - '0')); } -/* Hack to fix builds with crypto backends with MD5 support disabled. - FIXME: Honor our LIBSSH2_MD5 macro for MD5-dependent logic. */ -#ifdef OPENSSL_NO_MD5 -#define MD5_DIGEST_LENGTH 16 -#endif - int _libssh2_pem_parse(LIBSSH2_SESSION * session, const char *headerbegin, @@ -215,6 +209,7 @@ _libssh2_pem_parse(LIBSSH2_SESSION * session, } if(method) { +#if LIBSSH2_MD5_PEM /* Set up decryption */ int free_iv = 0, free_secret = 0, len_decrypted = 0, padding = 0; int blocksize = method->blocksize; @@ -292,6 +287,10 @@ _libssh2_pem_parse(LIBSSH2_SESSION * session, /* Clean up */ _libssh2_explicit_zero((char *)secret, sizeof(secret)); method->dtor(session, &abstract); +#else + ret = -1; + goto out; +#endif } ret = 0; diff --git a/src/wincng.c b/src/wincng.c index 69afd4c978..c7e20fc200 100644 --- a/src/wincng.c +++ b/src/wincng.c @@ -94,9 +94,11 @@ #define BCRYPT_RNG_ALGORITHM L"RNG" #endif +#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM #ifndef BCRYPT_MD5_ALGORITHM #define BCRYPT_MD5_ALGORITHM L"MD5" #endif +#endif #ifndef BCRYPT_SHA1_ALGORITHM #define BCRYPT_SHA1_ALGORITHM L"SHA1" @@ -254,11 +256,13 @@ _libssh2_wincng_init(void) _libssh2_wincng.hAlgRNG = NULL; } +#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM ret = BCryptOpenAlgorithmProvider(&_libssh2_wincng.hAlgHashMD5, BCRYPT_MD5_ALGORITHM, NULL, 0); if(!BCRYPT_SUCCESS(ret)) { _libssh2_wincng.hAlgHashMD5 = NULL; } +#endif ret = BCryptOpenAlgorithmProvider(&_libssh2_wincng.hAlgHashSHA1, BCRYPT_SHA1_ALGORITHM, NULL, 0); if(!BCRYPT_SUCCESS(ret)) { @@ -280,12 +284,14 @@ _libssh2_wincng_init(void) _libssh2_wincng.hAlgHashSHA512 = NULL; } +#if LIBSSH2_MD5 ret = BCryptOpenAlgorithmProvider(&_libssh2_wincng.hAlgHmacMD5, BCRYPT_MD5_ALGORITHM, NULL, BCRYPT_ALG_HANDLE_HMAC_FLAG); if(!BCRYPT_SUCCESS(ret)) { _libssh2_wincng.hAlgHmacMD5 = NULL; } +#endif ret = BCryptOpenAlgorithmProvider(&_libssh2_wincng.hAlgHmacSHA1, BCRYPT_SHA1_ALGORITHM, NULL, BCRYPT_ALG_HANDLE_HMAC_FLAG); @@ -395,8 +401,10 @@ _libssh2_wincng_free(void) { if(_libssh2_wincng.hAlgRNG) (void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgRNG, 0); +#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM if(_libssh2_wincng.hAlgHashMD5) (void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgHashMD5, 0); +#endif if(_libssh2_wincng.hAlgHashSHA1) (void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgHashSHA1, 0); if(_libssh2_wincng.hAlgHashSHA256) @@ -405,8 +413,10 @@ _libssh2_wincng_free(void) (void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgHashSHA384, 0); if(_libssh2_wincng.hAlgHashSHA512) (void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgHashSHA512, 0); +#if LIBSSH2_MD5 if(_libssh2_wincng.hAlgHmacMD5) (void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgHmacMD5, 0); +#endif if(_libssh2_wincng.hAlgHmacSHA1) (void)BCryptCloseAlgorithmProvider(_libssh2_wincng.hAlgHmacSHA1, 0); if(_libssh2_wincng.hAlgHmacSHA256) diff --git a/src/wincng.h b/src/wincng.h index a65f90e151..7f6c78b49e 100644 --- a/src/wincng.h +++ b/src/wincng.h @@ -74,7 +74,11 @@ #define LIBSSH2_ECDSA 0 #define LIBSSH2_ED25519 0 +#include "crypto_config.h" + +#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM #define MD5_DIGEST_LENGTH 16 +#endif #define SHA_DIGEST_LENGTH 20 #define SHA256_DIGEST_LENGTH 32 #define SHA384_DIGEST_LENGTH 48 @@ -204,6 +208,7 @@ typedef struct __libssh2_wincng_hash_ctx { _libssh2_wincng_hash(data, datalen, _libssh2_wincng.hAlgHashSHA512, \ hash, SHA512_DIGEST_LENGTH) +#if LIBSSH2_MD5 || LIBSSH2_MD5_PEM #define libssh2_md5_ctx _libssh2_wincng_hash_ctx #define libssh2_md5_init(ctx) \ (_libssh2_wincng_hash_init(ctx, _libssh2_wincng.hAlgHashMD5, \ @@ -216,6 +221,7 @@ typedef struct __libssh2_wincng_hash_ctx { #define libssh2_md5(data, datalen, hash) \ _libssh2_wincng_hash(data, datalen, _libssh2_wincng.hAlgHashMD5, \ hash, MD5_DIGEST_LENGTH) +#endif /* * Windows CNG backend: HMAC functions @@ -226,9 +232,11 @@ typedef struct __libssh2_wincng_hash_ctx { #define libssh2_hmac_sha1_init(ctx, key, keylen) \ _libssh2_wincng_hash_init(ctx, _libssh2_wincng.hAlgHmacSHA1, \ SHA_DIGEST_LENGTH, key, (ULONG) keylen) +#if LIBSSH2_MD5 #define libssh2_hmac_md5_init(ctx, key, keylen) \ _libssh2_wincng_hash_init(ctx, _libssh2_wincng.hAlgHmacMD5, \ MD5_DIGEST_LENGTH, key, (ULONG) keylen) +#endif #define libssh2_hmac_ripemd160_init(ctx, key, keylen) /* not implemented */ #define libssh2_hmac_sha256_init(ctx, key, keylen) \ diff --git a/tests/session_fixture.c b/tests/session_fixture.c index 752615d74b..6ee54989fd 100644 --- a/tests/session_fixture.c +++ b/tests/session_fixture.c @@ -91,6 +91,10 @@ static char const *skip_crypt[] = { "rijndael-cbc@lysator.liu.se", #endif +#if !LIBSSH2_3DES + "3des-cbc", +#endif + #if defined(LIBSSH2_LIBGCRYPT) || defined(LIBSSH2_OS400QC3) || \ defined(LIBSSH2_WINCNG) /* Support for AES-GCM hasn't been added to these back-ends yet */ @@ -101,6 +105,15 @@ static char const *skip_crypt[] = { NULL }; +/* List of MAC protocols for which tests are skipped */ +static char const *skip_mac[] = { +#if !LIBSSH2_MD5 + "hmac-md5", + "hmac-md5-96", +#endif + NULL +}; + LIBSSH2_SESSION *start_session_fixture(int *skipped, int *err) { int rc; @@ -112,11 +125,23 @@ LIBSSH2_SESSION *start_session_fixture(int *skipped, int *err) *err = LIBSSH2_ERROR_NONE; if(crypt) { - char const * const *cr; - for(cr = skip_crypt; *cr; ++cr) { - if(strcmp(*cr, crypt) == 0) { - fprintf(stderr, "crypt algorithm (%s) skipped " - "for this crypto backend.\n", crypt); + char const * const *sk; + for(sk = skip_crypt; *sk; ++sk) { + if(strcmp(*sk, crypt) == 0) { + fprintf(stderr, "unsupported crypt algorithm (%s) skipped.\n", + crypt); + *skipped = 1; + return NULL; + } + } + } + + if(mac) { + char const * const *sk; + for(sk = skip_mac; *sk; ++sk) { + if(strcmp(*sk, mac) == 0) { + fprintf(stderr, "unsupported MAC algorithm (%s) skipped.\n", + mac); *skipped = 1; return NULL; } diff --git a/tests/test_auth_pubkey_ok_rsa_encrypted.c b/tests/test_auth_pubkey_ok_rsa_encrypted.c index d9d9243e1b..86ca84299a 100644 --- a/tests/test_auth_pubkey_ok_rsa_encrypted.c +++ b/tests/test_auth_pubkey_ok_rsa_encrypted.c @@ -7,7 +7,7 @@ int test(LIBSSH2_SESSION *session) { -#if LIBSSH2_RSA_SHA1 +#if LIBSSH2_RSA_SHA1 && LIBSSH2_MD5_PEM /* set in Dockerfile */ return test_auth_pubkey(session, 0, "libssh2", diff --git a/tests/test_hostkey_hash.c b/tests/test_hostkey_hash.c index 578c024d26..9fa35957dc 100644 --- a/tests/test_hostkey_hash.c +++ b/tests/test_hostkey_hash.c @@ -20,8 +20,10 @@ static const char *EXPECTED_ECDSA_HOSTKEY = static const char *EXPECTED_ED25519_HOSTKEY = "AAAAC3NzaC1lZDI1NTE5AAAAIIxtdyg2ZRXE70UwyPVUH3UyfDBV8GX5cPF636P6hjom"; +#if LIBSSH2_MD5 static const char *EXPECTED_RSA_MD5_HASH_DIGEST = "0C0ED1A5BB10275F76924CE187CE5C5E"; +#endif static const char *EXPECTED_RSA_SHA1_HASH_DIGEST = "F3CD59E2913F4422B80F7B0A82B2B89EAE449387"; @@ -29,8 +31,10 @@ static const char *EXPECTED_RSA_SHA1_HASH_DIGEST = static const char *EXPECTED_RSA_SHA256_HASH_DIGEST = "92E3DA49DF3C7F99A828F505ED8239397A5D1F62914459760F878F7510F563A3"; +#if LIBSSH2_MD5 static const char *EXPECTED_ECDSA_MD5_HASH_DIGEST = "0402E4D897580BBC911379CBD88BCD3D"; +#endif static const char *EXPECTED_ECDSA_SHA1_HASH_DIGEST = "12FDAD1E3B31B10BABB00F2A8D1B9A62C326BD2F"; @@ -41,7 +45,9 @@ static const char *EXPECTED_ECDSA_SHA256_HASH_DIGEST = static const char *EXPECTED_ED25519_SHA256_HASH_DIGEST = "2638B020F6121FA750A7F4754B718419F621814C6E779D68ADF26AA68814ADDF"; +#if LIBSSH2_MD5 static const int MD5_HASH_SIZE = 16; +#endif static const int SHA1_HASH_SIZE = 20; static const int SHA256_HASH_SIZE = 32; @@ -62,7 +68,9 @@ int test(LIBSSH2_SESSION *session) char buf[BUFSIZ]; const char *hostkey; +#if LIBSSH2_MD5 const char *md5_hash; +#endif const char *sha1_hash; const char *sha256_hash; int type; @@ -100,6 +108,7 @@ int test(LIBSSH2_SESSION *session) } else if(type == LIBSSH2_HOSTKEY_TYPE_ECDSA_256) { +#if LIBSSH2_MD5 md5_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_MD5); if(!md5_hash) { print_last_session_error( @@ -115,6 +124,7 @@ int test(LIBSSH2_SESSION *session) buf, EXPECTED_ECDSA_MD5_HASH_DIGEST); return 1; } +#endif sha1_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); if(!sha1_hash) { @@ -151,6 +161,7 @@ int test(LIBSSH2_SESSION *session) } else if(type == LIBSSH2_HOSTKEY_TYPE_RSA) { +#if LIBSSH2_MD5 md5_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_MD5); if(!md5_hash) { print_last_session_error( @@ -166,6 +177,7 @@ int test(LIBSSH2_SESSION *session) buf, EXPECTED_RSA_MD5_HASH_DIGEST); return 1; } +#endif sha1_hash = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA1); if(!sha1_hash) {