authorAnderson Toshiyuki Sasaki <ansasaki@redhat.com>2019-05-17 13:05:46 +0200
committerAndreas Schneider <asn@cryptomilk.org>2019-06-12 10:17:54 +0200
commit07faf95a105721422212c1a3216aba218cb94cd9 (patch)
tree4340eee6f621c70cc3847ecc9d34a3c15592119b
parent250a0be0f9fa371b3dda5db594729fae862ee26d (diff)
bind_config: Add support for HostKeyAlgorithms
Add support for setting the allowed HostKey algorithms through configuration file. Note that this does NOT add support for adding or removing values using '+' or '-'. Only replacing the whole list is supported. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
-rw-r--r--include/libssh/bind_config.h1
-rw-r--r--src/bind_config.c12
-rw-r--r--tests/unittests/torture_bind_config.c65
3 files changed, 78 insertions, 0 deletions
diff --git a/include/libssh/bind_config.h b/include/libssh/bind_config.h
index 080c1bc9..cb68da89 100644
--- a/include/libssh/bind_config.h
+++ b/include/libssh/bind_config.h
@@ -47,6 +47,7 @@ enum ssh_bind_config_opcode_e {
BIND_CFG_KEXALGORITHMS,
BIND_CFG_MATCH,
BIND_CFG_PUBKEY_ACCEPTED_KEY_TYPES,
+ BIND_CFG_HOSTKEY_ALGORITHMS,
BIND_CFG_MAX /* Keep this one last in the list */
};
diff --git a/src/bind_config.c b/src/bind_config.c
index ba70e8b2..30412213 100644
--- a/src/bind_config.c
+++ b/src/bind_config.c
@@ -98,6 +98,11 @@ ssh_bind_config_keyword_table[] = {
.allowed_in_match = true
},
{
+ .name = "hostkeyalgorithms",
+ .opcode = BIND_CFG_HOSTKEY_ALGORITHMS,
+ .allowed_in_match = true
+ },
+ {
.opcode = BIND_CFG_UNKNOWN,
}
};
@@ -501,6 +506,13 @@ ssh_bind_config_parse_line(ssh_bind bind,
SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES, p);
}
break;
+ case BIND_CFG_HOSTKEY_ALGORITHMS:
+ p = ssh_config_get_str_tok(&s, NULL);
+ if (p && (*parser_flags & PARSING)) {
+ ssh_bind_options_set(bind,
+ SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS, p);
+ }
+ break;
case BIND_CFG_NOT_ALLOWED_IN_MATCH:
SSH_LOG(SSH_LOG_WARN, "Option not allowed in Match block: %s, line: %d",
keyword, count);
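Review bot: The return value of ssh_bind_options_set() in the new `case BIND_CFG_HOSTKEY_ALGORITHMS:` branch is discarded, so a HostKeyAlgorithms line the library rejects leaves the server on whatever host-key list it had before while ssh_bind_config_parse_file still reports success. The unit test added by this commit shows that an unknown name inside the list is silently dropped, and the commit message says the OpenSSH '+'/'-' prefix is not supported, so a line such as `HostKeyAlgorithms +ssh-rsa` is presumably treated as an unknown name too, again without any signal to the operator that their configuration was weakened or ignored. The same pattern exists in the PubkeyAcceptedKeyTypes case just above, so the fix arguably belongs to both, but at minimum this branch should log a failure the way BIND_CFG_NOT_ALLOWED_IN_MATCH does: `if (ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS, p) != 0) { SSH_LOG(SSH_LOG_WARN, "Failed to set HostKeyAlgorithms, line: %d", count); }`. The enclosing ssh_bind_config_parse_line starts before and continues past this hunk.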
diff --git a/tests/unittests/torture_bind_config.c b/tests/unittests/torture_bind_config.c
index d9e67068..01d45811 100644
--- a/tests/unittests/torture_bind_config.c
+++ b/tests/unittests/torture_bind_config.c
@@ -46,6 +46,7 @@ extern LIBSSH_THREAD int ssh_log_level;
#define CIPHERS "aes128-ctr,aes192-ctr,aes256-ctr"
#define CIPHERS2 "aes256-ctr"
#define HOSTKEYALGORITHMS "ssh-ed25519,ecdsa-sha2-nistp521,ssh-rsa"
+#define HOSTKEYALGORITHMS_UNKNOWN "ssh-ed25519,ecdsa-sha2-nistp521,unknown,ssh-rsa"
#define HOSTKEYALGORITHMS2 "ssh-rsa"
#define PUBKEYACCEPTEDTYPES "rsa-sha2-512,ssh-rsa,ecdsa-sha2-nistp521"
#define PUBKEYACCEPTEDTYPES_UNKNOWN "rsa-sha2-512,ssh-rsa,unknown,ecdsa-sha2-nistp521"
@@ -110,6 +111,12 @@ extern LIBSSH_THREAD int ssh_log_level;
#define LIBSSH_TEST_BIND_CONFIG_PUBKEY_ACCEPTED_TWICE_REC "libssh_test_bind_config_pubkey_twice_rec"
#define LIBSSH_TEST_BIND_CONFIG_PUBKEY_ACCEPTED_UNKNOWN "libssh_test_bind_config_pubkey_unknown"
+#define LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS "libssh_test_bind_config_hostkey_alg"
+#define LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS2 "libssh_test_bind_config_hostkey_alg2"
+#define LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_TWICE "libssh_test_bind_config_hostkey_alg_twice"
+#define LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_TWICE_REC "libssh_test_bind_config_hostkey_alg_twice_rec"
+#define LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_UNKNOWN "libssh_test_bind_config_hostkey_alg_unknown"
+
const char template[] = "temp_dir_XXXXXX";
struct bind_st {
@@ -338,6 +345,19 @@ static int setup_config_files(void **state)
"Include "LIBSSH_TEST_BIND_CONFIG_KEXALGORITHMS"\n");
torture_write_file(LIBSSH_TEST_BIND_CONFIG_PUBKEY_ACCEPTED_UNKNOWN,
"PubkeyAcceptedKeyTypes "PUBKEYACCEPTEDTYPES_UNKNOWN"\n");
+
+ torture_write_file(LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS,
+ "HostKeyAlgorithms "HOSTKEYALGORITHMS"\n");
+ torture_write_file(LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS2,
+ "HostKeyAlgorithms "HOSTKEYALGORITHMS2"\n");
+ torture_write_file(LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_TWICE,
+ "HostKeyAlgorithms "HOSTKEYALGORITHMS"\n"
+ "HostKeyAlgorithms "HOSTKEYALGORITHMS2"\n");
+ torture_write_file(LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_TWICE_REC,
+ "HostKeyAlgorithms "HOSTKEYALGORITHMS2"\n"
+ "Include "LIBSSH_TEST_BIND_CONFIG_KEXALGORITHMS"\n");
+ torture_write_file(LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_UNKNOWN,
+ "HostKeyAlgorithms "HOSTKEYALGORITHMS_UNKNOWN"\n");
return 0;
}
@@ -754,6 +774,49 @@ static void torture_bind_config_pubkey_accepted(void **state)
assert_string_equal(bind->pubkey_accepted_key_types, PUBKEYACCEPTEDTYPES);
}
+static void torture_bind_config_hostkey_algorithms(void **state)
+{
+ struct bind_st *test_state;
+ ssh_bind bind;
+ int rc;
+
+ assert_non_null(state);
+ test_state = *((struct bind_st **)state);
+ assert_non_null(test_state);
+ assert_non_null(test_state->bind);
+ bind = test_state->bind;
+
+ rc = ssh_bind_config_parse_file(bind,
+ LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS);
+ assert_int_equal(rc, 0);
+ assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
+ assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], HOSTKEYALGORITHMS);
+
+ rc = ssh_bind_config_parse_file(bind,
+ LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS2);
+ assert_int_equal(rc, 0);
+ assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
+ assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], HOSTKEYALGORITHMS2);
+
+ rc = ssh_bind_config_parse_file(bind,
+ LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_TWICE);
+ assert_int_equal(rc, 0);
+ assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
+ assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], HOSTKEYALGORITHMS);
+
+ rc = ssh_bind_config_parse_file(bind,
+ LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_TWICE_REC);
+ assert_int_equal(rc, 0);
+ assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
+ assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], HOSTKEYALGORITHMS2);
+
+ rc = ssh_bind_config_parse_file(bind,
+ LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_UNKNOWN);
+ assert_int_equal(rc, 0);
+ assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
+ assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], HOSTKEYALGORITHMS);
+}
+
static int assert_full_bind_config(void **state)
{
struct bind_st *test_state;
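Review bot: torture_bind_config_hostkey_algorithms only checks that a single unknown name inside an otherwise valid list is dropped (the final parse of LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_UNKNOWN); it never pins what happens when the entire list is unusable or when the '+'/'-' prefix the commit message declares unsupported is used, which are exactly the lines an operator is likely to write from OpenSSH habit. Because the same bind object is reused across all five parses, a rejected line would leave wanted_methods[SSH_HOSTKEYS] holding the previous fixture's value and none of the assertions would notice. Add a fixture such as `"HostKeyAlgorithms +ssh-rsa\n"` and one containing only unknown names, and assert the resulting list explicitly, whether that is the prior value left unchanged or a non-zero return from ssh_bind_config_parse_file, whichever the library is meant to guarantee. assert_full_bind_config at the end of this hunk continues past it.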
@@ -1098,6 +1161,8 @@ int torture_run_tests(void)
sshbind_setup, sshbind_teardown),
cmocka_unit_test_setup_teardown(torture_bind_config_pubkey_accepted,
sshbind_setup, sshbind_teardown),
+ cmocka_unit_test_setup_teardown(torture_bind_config_hostkey_algorithms,
+ sshbind_setup, sshbind_teardown),
};
ssh_init();