From bdb3bb9ccd81dc3e4c7a6b90868fd4e6e4fc428c Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Thu, 18 Oct 2018 16:18:22 +0200
Subject: [PATCH] tests: Verify the hostkey ordering for negotiation is correct

Previously, not all of the host keys algorithms were used for algorithm negotiation. This verifies the algorithms list is sane and ordered with the key types from known hosts in the first place.

Signed-off-by: Jakub Jelen
Reviewed-by: Andreas Schneider
---
 include/libssh/kex.h | 1 +
 src/kex.c | 2 +-
 tests/unittests/torture_knownhosts_parsing.c | 30 ++++++++++++++++++++
 3 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/include/libssh/kex.h b/include/libssh/kex.h
index 58a9c555..a626d105 100644
--- a/include/libssh/kex.h
+++ b/include/libssh/kex.h
@@ -45,5 +45,6 @@ char *ssh_find_matching(const char *in_d, const char *what_d);
 const char *ssh_kex_get_supported_method(uint32_t algo);
 const char *ssh_kex_get_default_methods(uint32_t algo);
 const char *ssh_kex_get_description(uint32_t algo);
+char *ssh_client_select_hostkeys(ssh_session session);
 
 #endif /* KEX_H_ */
diff --git a/src/kex.c b/src/kex.c
index bb014baf..8bb19db0 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -606,7 +606,7 @@ void ssh_list_kex(struct ssh_kex_struct *kex) {
 * @returns a cstring containing a comma-separated list of hostkey methods.
 * NULL if no method matches
 */
-static char *ssh_client_select_hostkeys(ssh_session session)
+char *ssh_client_select_hostkeys(ssh_session session)
 {
 char methods_buffer[128]={0};
 char tail_buffer[128]={0};
diff --git a/tests/unittests/torture_knownhosts_parsing.c b/tests/unittests/torture_knownhosts_parsing.c
index a4ed14d8..b17a3355 100644
--- a/tests/unittests/torture_knownhosts_parsing.c
+++ b/tests/unittests/torture_knownhosts_parsing.c
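Review bot: The new declaration of `ssh_client_select_hostkeys` in the kex.h hunk carries no contract, and the kex.c hunk only widens linkage, so a reader of the header cannot tell that the returned string is heap-allocated and owned by the caller (the new test releases it with `free(algo_list)`). Add above the declaration: `/* Internal; exposed for unit tests. Returns a caller-freed, comma-separated hostkey list, or NULL if no method matches. */`. Now that the function is reachable from the unit tests, it is also worth pinning its capacity: `methods_buffer[128]` and `tail_buffer[128]` hold the negotiated list, and the list the new test expects is already 87 bytes with DSA (79 without), so a further key type leaves limited headroom; how writes into these buffers are bounded is not visible in this hunk, and a test with a known_hosts file covering every supported type would surface any silent truncation of the offered list. The body of `ssh_client_select_hostkeys` continues past the end of the kex.c hunk.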
@@ -277,6 +277,33 @@ static void torture_knownhosts_host_exists(void **state)
 ssh_free(session);
 }
 
+static void
+torture_knownhosts_algorithms(void **state)
+{
+ const char *knownhosts_file = *state;
+ char *algo_list = NULL;
+ ssh_session session;
+ const char *expect = "ssh-ed25519,ssh-rsa,ecdsa-sha2-nistp521," "ecdsa-sha2-nistp384,ecdsa-sha2-nistp256"
+#ifdef HAVE_DSA
+ ",ssh-dss"
+#endif
+ ;
+
+ session = ssh_new();
+ assert_non_null(session);
+
+ ssh_options_set(session, SSH_OPTIONS_HOST, "localhost");
+ ssh_options_set(session, SSH_OPTIONS_KNOWNHOSTS, knownhosts_file);
+
+ algo_list = ssh_client_select_hostkeys(session);
+ assert_non_null(algo_list);
+ assert_string_equal(algo_list, expect);
+ free(algo_list);
+
+ ssh_free(session);
+}
+
 int torture_run_tests(void) {
 int rc;
 struct CMUnitTest tests[] = {
@@ -292,6 +319,9 @@ int torture_run_tests(void) {
 cmocka_unit_test_setup_teardown(torture_knownhosts_host_exists,
 setup_knownhosts_file,
 teardown_knownhosts_file),
+ cmocka_unit_test_setup_teardown(torture_knownhosts_algorithms,
+ setup_knownhosts_file,
+ teardown_knownhosts_file),
 };
 
 ssh_init();
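Review bot: The two `ssh_options_set` calls in `torture_knownhosts_algorithms` discard their return values, so if `SSH_OPTIONS_KNOWNHOSTS` is not applied the selection runs against whatever known_hosts the environment provides and the string comparison passes or fails for the wrong reason. Declare `int rc;` with the other locals and check each call, e.g. `rc = ssh_options_set(session, SSH_OPTIONS_KNOWNHOSTS, knownhosts_file);` followed by `assert_int_equal(rc, SSH_OK);`, and the same for the `SSH_OPTIONS_HOST` call. The `expect` string also encodes an ordering whose rationale depends on the fixture written by `setup_knownhosts_file`, which is not visible here; a comment above it such as `/* Key types present in the known_hosts fixture come first, the remaining defaults follow in default order. */` would tell the next maintainer why the list is ordered this way and when it must change.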