author | Anderson Toshiyuki Sasaki <ansasaki@redhat.com> | 2019-05-17 13:05:46 +0200 |
committer | Andreas Schneider <asn@cryptomilk.org> | 2019-06-12 10:17:54 +0200 |
commit | 07faf95a105721422212c1a3216aba218cb94cd9 (patch) | |
tree | 4340eee6f621c70cc3847ecc9d34a3c15592119b | |
parent | 250a0be0f9fa371b3dda5db594729fae862ee26d (diff) | |
bind_config: Add support for HostKeyAlgorithms
Add support for setting the allowed HostKey algorithms through the
configuration file.
Note that this does NOT add support for adding or removing values using
'+' or '-'. Only replacing the whole list is supported.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
-rw-r--r-- | include/libssh/bind_config.h | 1 | ||||
-rw-r--r-- | src/bind_config.c | 12 | ||||
-rw-r--r-- | tests/unittests/torture_bind_config.c | 65 |
3 files changed, 78 insertions, 0 deletions
diff --git a/include/libssh/bind_config.h b/include/libssh/bind_config.h
index 080c1bc9..cb68da89 100644
--- a/include/libssh/bind_config.h
+++ b/include/libssh/bind_config.h
@@ -47,6 +47,7 @@ enum ssh_bind_config_opcode_e {
     BIND_CFG_KEXALGORITHMS,
     BIND_CFG_MATCH,
     BIND_CFG_PUBKEY_ACCEPTED_KEY_TYPES,
+    BIND_CFG_HOSTKEY_ALGORITHMS,
     BIND_CFG_MAX /* Keep this one last in the list */
 };
 
diff --git a/src/bind_config.c b/src/bind_config.c
index ba70e8b2..30412213 100644
--- a/src/bind_config.c
+++ b/src/bind_config.c
@@ -98,6 +98,11 @@ ssh_bind_config_keyword_table[] = {
         .allowed_in_match = true
     },
     {
+        .name = "hostkeyalgorithms",
+        .opcode = BIND_CFG_HOSTKEY_ALGORITHMS,
+        .allowed_in_match = true
+    },
+    {
         .opcode = BIND_CFG_UNKNOWN,
     }
 };
@@ -501,6 +506,13 @@ ssh_bind_config_parse_line(ssh_bind bind,
                                  SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES, p);
         }
         break;
+    case BIND_CFG_HOSTKEY_ALGORITHMS:
+        p = ssh_config_get_str_tok(&s, NULL);
+        if (p && (*parser_flags & PARSING)) {
+            ssh_bind_options_set(bind,
+                                 SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS, p);
+        }
+        break;
     case BIND_CFG_NOT_ALLOWED_IN_MATCH:
         SSH_LOG(SSH_LOG_WARN, "Option not allowed in Match block: %s, line: %d",
                 keyword, count);
diff --git a/tests/unittests/torture_bind_config.c b/tests/unittests/torture_bind_config.c
index d9e67068..01d45811 100644
--- a/tests/unittests/torture_bind_config.c
+++ b/tests/unittests/torture_bind_config.c
@@ -46,6 +46,7 @@ extern LIBSSH_THREAD int ssh_log_level;
 #define CIPHERS "aes128-ctr,aes192-ctr,aes256-ctr"
 #define CIPHERS2 "aes256-ctr"
 #define HOSTKEYALGORITHMS "ssh-ed25519,ecdsa-sha2-nistp521,ssh-rsa"
+#define HOSTKEYALGORITHMS_UNKNOWN "ssh-ed25519,ecdsa-sha2-nistp521,unknown,ssh-rsa"
 #define HOSTKEYALGORITHMS2 "ssh-rsa"
 #define PUBKEYACCEPTEDTYPES "rsa-sha2-512,ssh-rsa,ecdsa-sha2-nistp521"
 #define PUBKEYACCEPTEDTYPES_UNKNOWN "rsa-sha2-512,ssh-rsa,unknown,ecdsa-sha2-nistp521"
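Review bot: In the new `BIND_CFG_HOSTKEY_ALGORITHMS` case of src/bind_config.c the return value of `ssh_bind_options_set()` is discarded, so a HostKeyAlgorithms line that the setter rejects (for example a list naming only algorithms this build does not support, if the setter fails on such input) leaves the previous host key algorithm list in force with no diagnostic. For a directive whose purpose is to restrict what the server offers, that is a fail-open condition: the administrator believes the set was narrowed while the defaults remain. The neighbouring PubkeyAcceptedKeyTypes case has the same shape, so this follows existing style, but logging a warning with the line number, as the `BIND_CFG_NOT_ALLOWED_IN_MATCH` branch already does, would make the failure visible; a test with an all-unknown list in tests/unittests/torture_bind_config.c would pin that behaviour, since the added test only covers one unknown entry among known ones. ssh_bind_config_parse_line begins and ends outside this hunk, so whether a result variable is already declared there cannot be seen here; the sketch below checks the call inline.
```c
    case BIND_CFG_HOSTKEY_ALGORITHMS:
        p = ssh_config_get_str_tok(&s, NULL);
        if (p && (*parser_flags & PARSING)) {
            if (ssh_bind_options_set(bind,
                                     SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS, p) < 0) {
                SSH_LOG(SSH_LOG_WARN,
                        "Failed to apply HostKeyAlgorithms: %s, line: %d",
                        p, count);
            }
        }
        break;
```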
@@ -110,6 +111,12 @@ extern LIBSSH_THREAD int ssh_log_level;
 #define LIBSSH_TEST_BIND_CONFIG_PUBKEY_ACCEPTED_TWICE_REC "libssh_test_bind_config_pubkey_twice_rec"
 #define LIBSSH_TEST_BIND_CONFIG_PUBKEY_ACCEPTED_UNKNOWN "libssh_test_bind_config_pubkey_unknown"
 
+#define LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS "libssh_test_bind_config_hostkey_alg"
+#define LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS2 "libssh_test_bind_config_hostkey_alg2"
+#define LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_TWICE "libssh_test_bind_config_hostkey_alg_twice"
+#define LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_TWICE_REC "libssh_test_bind_config_hostkey_alg_twice_rec"
+#define LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_UNKNOWN "libssh_test_bind_config_hostkey_alg_unknown"
+
 const char template[] = "temp_dir_XXXXXX";
 
 struct bind_st {
@@ -338,6 +345,19 @@ static int setup_config_files(void **state)
                        "Include "LIBSSH_TEST_BIND_CONFIG_KEXALGORITHMS"\n");
     torture_write_file(LIBSSH_TEST_BIND_CONFIG_PUBKEY_ACCEPTED_UNKNOWN,
                        "PubkeyAcceptedKeyTypes "PUBKEYACCEPTEDTYPES_UNKNOWN"\n");
+
+    torture_write_file(LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS,
+                       "HostKeyAlgorithms "HOSTKEYALGORITHMS"\n");
+    torture_write_file(LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS2,
+                       "HostKeyAlgorithms "HOSTKEYALGORITHMS2"\n");
+    torture_write_file(LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_TWICE,
+                       "HostKeyAlgorithms "HOSTKEYALGORITHMS"\n"
+                       "HostKeyAlgorithms "HOSTKEYALGORITHMS2"\n");
+    torture_write_file(LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_TWICE_REC,
+                       "HostKeyAlgorithms "HOSTKEYALGORITHMS2"\n"
+                       "Include "LIBSSH_TEST_BIND_CONFIG_KEXALGORITHMS"\n");
+    torture_write_file(LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_UNKNOWN,
+                       "HostKeyAlgorithms "HOSTKEYALGORITHMS_UNKNOWN"\n");
 
     return 0;
 }
@@ -754,6 +774,49 @@ static void torture_bind_config_pubkey_accepted(void **state)
     assert_string_equal(bind->pubkey_accepted_key_types, PUBKEYACCEPTEDTYPES);
 }
 
+static void torture_bind_config_hostkey_algorithms(void **state)
+{
+    struct bind_st *test_state;
+    ssh_bind bind;
+    int rc;
+
+    assert_non_null(state);
+    test_state = *((struct bind_st **)state);
+    assert_non_null(test_state);
+    assert_non_null(test_state->bind);
+    bind = test_state->bind;
+
+    rc = ssh_bind_config_parse_file(bind,
+                                    LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS);
+    assert_int_equal(rc, 0);
+    assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
+    assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], HOSTKEYALGORITHMS);
+
+    rc = ssh_bind_config_parse_file(bind,
+                                    LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS2);
+    assert_int_equal(rc, 0);
+    assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
+    assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], HOSTKEYALGORITHMS2);
+
+    rc = ssh_bind_config_parse_file(bind,
+                                    LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_TWICE);
+    assert_int_equal(rc, 0);
+    assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
+    assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], HOSTKEYALGORITHMS);
+
+    rc = ssh_bind_config_parse_file(bind,
+                                    LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_TWICE_REC);
+    assert_int_equal(rc, 0);
+    assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
+    assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], HOSTKEYALGORITHMS2);
+
+    rc = ssh_bind_config_parse_file(bind,
+                                    LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_UNKNOWN);
+    assert_int_equal(rc, 0);
+    assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
+    assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], HOSTKEYALGORITHMS);
+}
+
 static int assert_full_bind_config(void **state)
 {
     struct bind_st *test_state;
@@ -1098,6 +1161,8 @@ int torture_run_tests(void)
                                         sshbind_setup, sshbind_teardown),
         cmocka_unit_test_setup_teardown(torture_bind_config_pubkey_accepted,
                                         sshbind_setup, sshbind_teardown),
+        cmocka_unit_test_setup_teardown(torture_bind_config_hostkey_algorithms,
+                                        sshbind_setup, sshbind_teardown),
     };
 
     ssh_init(); |