From c433ac02bdfb5ec8d9a16074794be587cced59c1 Mon Sep 17 00:00:00 2001 From: Aris Adamantiadis Date: Sat, 1 Feb 2014 16:35:13 +0100 Subject: [PATCH] known_hosts: add ssh_knownhosts_algorithms() Goal of that function is to test the preferred key exchange methods based on what's available in the known_hosts file --- include/libssh/libssh.h | 1 + src/known_hosts.c | 77 +++++++++++++++++++++++++++++++ tests/client/torture_knownhosts.c | 37 +++++++++++++-- 3 files changed, 110 insertions(+), 5 deletions(-) diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h index a34e9ee4..b85960ff 100644 --- a/include/libssh/libssh.h +++ b/include/libssh/libssh.h @@ -517,6 +517,7 @@ LIBSSH_API int ssh_key_cmp(const ssh_key k1, const ssh_key k2, enum ssh_keycmp_e what); +LIBSSH_API int ssh_knownhosts_algorithms(ssh_session session); LIBSSH_API int ssh_pki_generate(enum ssh_keytypes_e type, int parameter, ssh_key *pkey); LIBSSH_API int ssh_pki_import_privkey_base64(const char *b64_key, diff --git a/src/known_hosts.c b/src/known_hosts.c index ded36a90..2d90a41d 100644 --- a/src/known_hosts.c +++ b/src/known_hosts.c @@ -647,6 +647,83 @@ int ssh_write_knownhost(ssh_session session) { return 0; } +/** + * @brief Check which kind of host keys should be preferred for connection + * by reading the known_hosts file. + * + * @param[in] session The SSH session to use. + * + * @returns Bitfield of supported SSH hostkey algorithms + * SSH_ERROR on error + */ +int ssh_knownhosts_algorithms(ssh_session session) { + FILE *file = NULL; + char **tokens; + char *host; + char *hostport; + const char *type; + int match; + int ret = 0; + + if (session->opts.knownhosts == NULL) { + if (ssh_options_apply(session) < 0) { + ssh_set_error(session, SSH_REQUEST_DENIED, + "Can't find a known_hosts file"); + return SSH_ERROR; + } + } + + if (session->opts.host == NULL) { + return 0; + } + + host = ssh_lowercase(session->opts.host); + hostport = ssh_hostport(host, session->opts.port); + if (host == NULL || hostport == NULL) { + ssh_set_error_oom(session); + SAFE_FREE(host); + SAFE_FREE(hostport); + + return SSH_ERROR; + } + + do { + tokens = ssh_get_knownhost_line(&file, + session->opts.knownhosts, &type); + + /* End of file, return the current state */ + if (tokens == NULL) { + break; + } + match = match_hashed_host(host, tokens[0]); + if (match == 0){ + match = match_hostname(hostport, tokens[0], strlen(tokens[0])); + } + if (match == 0) { + match = match_hostname(host, tokens[0], strlen(tokens[0])); + } + if (match == 0) { + match = match_hashed_host(hostport, tokens[0]); + } + if (match) { + /* We got a match. Now check the key type */ + SSH_LOG(SSH_LOG_DEBUG, "server %s:%d has %s in known_hosts", + host, session->opts.port, type); + ret |= 1 << ssh_key_type_from_name(type); + } + tokens_free(tokens); + } while (1); + + SAFE_FREE(host); + SAFE_FREE(hostport); + if (file != NULL) { + fclose(file); + } + + /* Return the current state at end of file */ + return ret; +} + /** @} */ /* vim: set ts=4 sw=4 et cindent: */ diff --git a/tests/client/torture_knownhosts.c b/tests/client/torture_knownhosts.c index ad8c8114..69f0d7dc 100644 --- a/tests/client/torture_knownhosts.c +++ b/tests/client/torture_knownhosts.c @@ -134,7 +134,6 @@ static void torture_knownhosts_fail(void **state) { rc = ssh_is_server_known(session); assert_true(rc == SSH_SERVER_KNOWN_CHANGED); - } static void torture_knownhosts_other(void **state) { @@ -161,7 +160,6 @@ static void torture_knownhosts_other(void **state) { rc = ssh_is_server_known(session); assert_true(rc == SSH_SERVER_FOUND_OTHER); - } static void torture_knownhosts_conflict(void **state) { @@ -209,16 +207,45 @@ static void torture_knownhosts_conflict(void **state) { rc = ssh_is_server_known(session); assert_true(rc == SSH_SERVER_KNOWN_OK); - - } + +static void torture_knownhosts_precheck(void **state) { + ssh_session session = *state; + FILE *file; + int rc; + int dsa; + int rsa; + + rc = ssh_options_set(session, SSH_OPTIONS_HOST, "localhost"); + assert_true(rc == SSH_OK); + + rc = ssh_options_set(session, SSH_OPTIONS_KNOWNHOSTS, KNOWNHOSTFILES); + assert_true(rc == SSH_OK); + + file = fopen(KNOWNHOSTFILES, "w"); + assert_true(file != NULL); + fprintf(file, "localhost ssh-rsa %s\n", BADRSA); + fprintf(file, "localhost ssh-dss %s\n", BADDSA); + fclose(file); + + rc = ssh_knownhosts_algorithms(session); + assert_true(rc != SSH_ERROR); + dsa = 1 << SSH_KEYTYPE_DSS; + rsa = 1 << SSH_KEYTYPE_RSA; + assert_true(rc & dsa); + assert_true(rc & rsa); + /* nothing else than dsa and rsa */ + assert_true((rc & (dsa | rsa)) == rc); +} + int torture_run_tests(void) { int rc; const UnitTest tests[] = { unit_test_setup_teardown(torture_knownhosts_port, setup, teardown), unit_test_setup_teardown(torture_knownhosts_fail, setup, teardown), unit_test_setup_teardown(torture_knownhosts_other, setup, teardown), - unit_test_setup_teardown(torture_knownhosts_conflict, setup, teardown) + unit_test_setup_teardown(torture_knownhosts_conflict, setup, teardown), + unit_test_setup_teardown(torture_knownhosts_precheck, setup, teardown) }; ssh_init();