
bind_config: Add support for HostKeyAlgorithms

Add support for setting the allowed HostKey algorithms through
configuration file.

Note that this does NOT add support for adding or removing values using
'+' or '-'. Only replacing the whole list is supported.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Anderson Toshiyuki Sasaki
2019-05-17 13:05:46 +02:00
committed by Andreas Schneider
parent 250a0be0f9
commit 07faf95a10
3 changed files with 78 additions and 0 deletions


@@ -47,6 +47,7 @@ enum ssh_bind_config_opcode_e {
BIND_CFG_KEXALGORITHMS, BIND_CFG_KEXALGORITHMS,
BIND_CFG_MATCH, BIND_CFG_MATCH,
BIND_CFG_PUBKEY_ACCEPTED_KEY_TYPES, BIND_CFG_PUBKEY_ACCEPTED_KEY_TYPES,
BIND_CFG_HOSTKEY_ALGORITHMS,
BIND_CFG_MAX /* Keep this one last in the list */ BIND_CFG_MAX /* Keep this one last in the list */
}; };


@@ -97,6 +97,11 @@ ssh_bind_config_keyword_table[] = {
.opcode = BIND_CFG_PUBKEY_ACCEPTED_KEY_TYPES, .opcode = BIND_CFG_PUBKEY_ACCEPTED_KEY_TYPES,
.allowed_in_match = true .allowed_in_match = true
}, },
{
.name = "hostkeyalgorithms",
.opcode = BIND_CFG_HOSTKEY_ALGORITHMS,
.allowed_in_match = true
},
{ {
.opcode = BIND_CFG_UNKNOWN, .opcode = BIND_CFG_UNKNOWN,
} }
@@ -501,6 +506,13 @@ ssh_bind_config_parse_line(ssh_bind bind,
SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES, p); SSH_BIND_OPTIONS_PUBKEY_ACCEPTED_KEY_TYPES, p);
} }
break; break;
case BIND_CFG_HOSTKEY_ALGORITHMS:
p = ssh_config_get_str_tok(&s, NULL);
if (p && (*parser_flags & PARSING)) {
ssh_bind_options_set(bind,
SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS, p);
}
break;
case BIND_CFG_NOT_ALLOWED_IN_MATCH: case BIND_CFG_NOT_ALLOWED_IN_MATCH:
SSH_LOG(SSH_LOG_WARN, "Option not allowed in Match block: %s, line: %d", SSH_LOG(SSH_LOG_WARN, "Option not allowed in Match block: %s, line: %d",
keyword, count); keyword, count);
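Review bot: The return value of ssh_bind_options_set() in the new `case BIND_CFG_HOSTKEY_ALGORITHMS` branch is discarded, so a HostKeyAlgorithms value the setter rejects outright (for instance a list with no recognised algorithm, or one carrying the '+'/'-' prefix the commit message says is unsupported) is presumably ignored while parsing still reports success, leaving the previous host-key algorithm list in force with nothing in the log. The neighbouring PubkeyAcceptedKeyTypes case shows the same pattern, so this may be deliberate, but for a setting that restricts which host keys the server offers a warning is cheap and the function already has `keyword` and `count` in scope: `if (ssh_bind_options_set(bind, SSH_BIND_OPTIONS_HOSTKEY_ALGORITHMS, p) != 0) { SSH_LOG(SSH_LOG_WARN, "Invalid HostKeyAlgorithms value: %s, line: %d", p, count); }` (wrapped to the file's line width). A one-line comment above the case, `/* '+'/'-' list prefixes are not handled; the value replaces the whole list */`, would record the limitation where a reader would look for it. ssh_bind_config_parse_line() begins and ends outside this hunk.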


@@ -46,6 +46,7 @@ extern LIBSSH_THREAD int ssh_log_level;
#define CIPHERS "aes128-ctr,aes192-ctr,aes256-ctr" #define CIPHERS "aes128-ctr,aes192-ctr,aes256-ctr"
#define CIPHERS2 "aes256-ctr" #define CIPHERS2 "aes256-ctr"
#define HOSTKEYALGORITHMS "ssh-ed25519,ecdsa-sha2-nistp521,ssh-rsa" #define HOSTKEYALGORITHMS "ssh-ed25519,ecdsa-sha2-nistp521,ssh-rsa"
#define HOSTKEYALGORITHMS_UNKNOWN "ssh-ed25519,ecdsa-sha2-nistp521,unknown,ssh-rsa"
#define HOSTKEYALGORITHMS2 "ssh-rsa" #define HOSTKEYALGORITHMS2 "ssh-rsa"
#define PUBKEYACCEPTEDTYPES "rsa-sha2-512,ssh-rsa,ecdsa-sha2-nistp521" #define PUBKEYACCEPTEDTYPES "rsa-sha2-512,ssh-rsa,ecdsa-sha2-nistp521"
#define PUBKEYACCEPTEDTYPES_UNKNOWN "rsa-sha2-512,ssh-rsa,unknown,ecdsa-sha2-nistp521" #define PUBKEYACCEPTEDTYPES_UNKNOWN "rsa-sha2-512,ssh-rsa,unknown,ecdsa-sha2-nistp521"
@@ -110,6 +111,12 @@ extern LIBSSH_THREAD int ssh_log_level;
#define LIBSSH_TEST_BIND_CONFIG_PUBKEY_ACCEPTED_TWICE_REC "libssh_test_bind_config_pubkey_twice_rec" #define LIBSSH_TEST_BIND_CONFIG_PUBKEY_ACCEPTED_TWICE_REC "libssh_test_bind_config_pubkey_twice_rec"
#define LIBSSH_TEST_BIND_CONFIG_PUBKEY_ACCEPTED_UNKNOWN "libssh_test_bind_config_pubkey_unknown" #define LIBSSH_TEST_BIND_CONFIG_PUBKEY_ACCEPTED_UNKNOWN "libssh_test_bind_config_pubkey_unknown"
#define LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS "libssh_test_bind_config_hostkey_alg"
#define LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS2 "libssh_test_bind_config_hostkey_alg2"
#define LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_TWICE "libssh_test_bind_config_hostkey_alg_twice"
#define LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_TWICE_REC "libssh_test_bind_config_hostkey_alg_twice_rec"
#define LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_UNKNOWN "libssh_test_bind_config_hostkey_alg_unknown"
const char template[] = "temp_dir_XXXXXX"; const char template[] = "temp_dir_XXXXXX";
struct bind_st { struct bind_st {
@@ -338,6 +345,19 @@ static int setup_config_files(void **state)
"Include "LIBSSH_TEST_BIND_CONFIG_KEXALGORITHMS"\n"); "Include "LIBSSH_TEST_BIND_CONFIG_KEXALGORITHMS"\n");
torture_write_file(LIBSSH_TEST_BIND_CONFIG_PUBKEY_ACCEPTED_UNKNOWN, torture_write_file(LIBSSH_TEST_BIND_CONFIG_PUBKEY_ACCEPTED_UNKNOWN,
"PubkeyAcceptedKeyTypes "PUBKEYACCEPTEDTYPES_UNKNOWN"\n"); "PubkeyAcceptedKeyTypes "PUBKEYACCEPTEDTYPES_UNKNOWN"\n");
torture_write_file(LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS,
"HostKeyAlgorithms "HOSTKEYALGORITHMS"\n");
torture_write_file(LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS2,
"HostKeyAlgorithms "HOSTKEYALGORITHMS2"\n");
torture_write_file(LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_TWICE,
"HostKeyAlgorithms "HOSTKEYALGORITHMS"\n"
"HostKeyAlgorithms "HOSTKEYALGORITHMS2"\n");
torture_write_file(LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_TWICE_REC,
"HostKeyAlgorithms "HOSTKEYALGORITHMS2"\n"
"Include "LIBSSH_TEST_BIND_CONFIG_KEXALGORITHMS"\n");
torture_write_file(LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_UNKNOWN,
"HostKeyAlgorithms "HOSTKEYALGORITHMS_UNKNOWN"\n");
return 0; return 0;
} }
@@ -754,6 +774,49 @@ static void torture_bind_config_pubkey_accepted(void **state)
assert_string_equal(bind->pubkey_accepted_key_types, PUBKEYACCEPTEDTYPES); assert_string_equal(bind->pubkey_accepted_key_types, PUBKEYACCEPTEDTYPES);
} }
static void torture_bind_config_hostkey_algorithms(void **state)
{
struct bind_st *test_state;
ssh_bind bind;
int rc;
assert_non_null(state);
test_state = *((struct bind_st **)state);
assert_non_null(test_state);
assert_non_null(test_state->bind);
bind = test_state->bind;
rc = ssh_bind_config_parse_file(bind,
LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS);
assert_int_equal(rc, 0);
assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], HOSTKEYALGORITHMS);
rc = ssh_bind_config_parse_file(bind,
LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS2);
assert_int_equal(rc, 0);
assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], HOSTKEYALGORITHMS2);
rc = ssh_bind_config_parse_file(bind,
LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_TWICE);
assert_int_equal(rc, 0);
assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], HOSTKEYALGORITHMS);
rc = ssh_bind_config_parse_file(bind,
LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_TWICE_REC);
assert_int_equal(rc, 0);
assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], HOSTKEYALGORITHMS2);
rc = ssh_bind_config_parse_file(bind,
LIBSSH_TEST_BIND_CONFIG_HOSTKEY_ALGORITHMS_UNKNOWN);
assert_int_equal(rc, 0);
assert_non_null(bind->wanted_methods[SSH_HOSTKEYS]);
assert_string_equal(bind->wanted_methods[SSH_HOSTKEYS], HOSTKEYALGORITHMS);
}
static int assert_full_bind_config(void **state) static int assert_full_bind_config(void **state)
{ {
struct bind_st *test_state; struct bind_st *test_state;
@@ -1098,6 +1161,8 @@ int torture_run_tests(void)
sshbind_setup, sshbind_teardown), sshbind_setup, sshbind_teardown),
cmocka_unit_test_setup_teardown(torture_bind_config_pubkey_accepted, cmocka_unit_test_setup_teardown(torture_bind_config_pubkey_accepted,
sshbind_setup, sshbind_teardown), sshbind_setup, sshbind_teardown),
cmocka_unit_test_setup_teardown(torture_bind_config_hostkey_algorithms,
sshbind_setup, sshbind_teardown),
}; };
ssh_init(); ssh_init();
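Review bot: torture_bind_config_hostkey_algorithms() asserts that a list containing an unknown name parses with rc == 0 and leaves HOSTKEYALGORITHMS in wanted_methods[SSH_HOSTKEYS], but nothing states that dropping unknown entries silently is the intended contract; a comment above that last block, `/* Unknown algorithm names are expected to be dropped silently; parsing still succeeds */`, would keep a later change in either direction from being misread. The commit message also says '+'/'-' list prefixes are not supported, yet no fixture written by setup_config_files() exercises one, so whatever the parser does with such a value today is unpinned; a constructed file such as `"HostKeyAlgorithms +"HOSTKEYALGORITHMS2"\n"` with an assertion on the resulting wanted_methods[SSH_HOSTKEYS] would document it. setup_config_files() and torture_run_tests() begin outside their hunks.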