options: Added an option to set server HostKey algorithms

The added option SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS allows restricting the signature algorithms to offer to the client for host authentication. The list set is used as a filter of allowed algorithms. First a list of possible signature algorithms to offer is created from the keys set and then such list is filtered against the allowed algorithms. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2026-02-07 10:40:28 +09:00 · 2019-05-17 11:38:43 +02:00
parent 8f6e6f774e
commit 250a0be0f9
4 changed files with 161 additions and 64 deletions
--- a/tests/unittests/torture_options.c
+++ b/tests/unittests/torture_options.c
@@ -1413,6 +1413,61 @@ static void torture_bind_options_set_pubkey_accepted_key_types(void **state)
        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
 }

+static void torture_bind_options_set_hostkey_algorithms(void **state)
+{
+    struct bind_st *test_state;
+    ssh_bind bind;
+    int rc;
+
+    assert_non_null(state);
+    test_state = *((struct bind_st **)state);
+    assert_non_null(test_state);
+    assert_non_null(test_state->bind);
+    bind = test_state->bind;
+
+    /* Test known Pubkey Types */
+    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS,
+        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
+    assert_int_equal(rc, 0);
+    assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
+    assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS],
+        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
+
+    SAFE_FREE(bind->wanted_methods[SSH_HOSTKEYS]);
+
+    /* Test with some unknown type */
+    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS,
+        "ssh-ed25519,ecdsa-sha2-nistp384,unknown-type,ssh-rsa");
+    assert_int_equal(rc, 0);
+    assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
+    assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS],
+        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
+
+    SAFE_FREE(bind->wanted_methods[SSH_HOSTKEYS]);
+
+    /* Test with only unknown type */
+    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS,
+        "unknown-type");
+    assert_int_equal(rc, -1);
+    assert_null(bind->wanted_methods[SSH_HOSTKEYS]);
+
+    /* Test with something set and then try unknown type */
+    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS,
+        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
+    assert_int_equal(rc, 0);
+    assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
+    assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS],
+        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
+    rc = ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS,
+        "unknown-type");
+    assert_int_equal(rc, -1);
+
+    /* Check that nothing changed */
+    assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
+    assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS],
+        "ssh-ed25519,ecdsa-sha2-nistp384,ssh-rsa");
+}
+
 #endif /* WITH_SERVER */


@@ -1484,6 +1539,8 @@ int torture_run_tests(void) {
                sshbind_setup, sshbind_teardown),
        cmocka_unit_test_setup_teardown(torture_bind_options_set_pubkey_accepted_key_types,
                                        sshbind_setup, sshbind_teardown),
+        cmocka_unit_test_setup_teardown(torture_bind_options_set_hostkey_algorithms,
+                                        sshbind_setup, sshbind_teardown),
    };
 #endif /* WITH_SERVER */