libguile-ssh/session-func: Handle SSH_OPTIONS_RSA_MIN_SIZE

artyom-poptsov · artyom-poptsov · commit 40b0e8aa7177 · 2024-05-01T09:46:03.000+03:00
* libguile-ssh/session-func.c (set_option): Handle SSH_OPTIONS_RSA_MIN_SIZE.
* doc/api-sessions.texi: Update.
* tests/session.scm ("session-set!, rsa-min-size"): New test.
* NEWS: Update.
diff --git a/NEWS b/NEWS
@@ -17,6 +17,10 @@ This patch fixes this error.
 
 Reported by graywolf in
 <https://github.com/artyom-poptsov/guile-ssh/issues/38>
+** =session-set!= now allows to set =rsa-min-size=
+Only available if Guile-SSH is compiled with libssh 0.10.
+** Add new tests.
+** Update the documentation.
 
 * Changes in version 0.16.4 (2023-12-17)
 ** =private-key-from-file= now allows to read encrypted keys
diff --git a/doc/api-sessions.texi b/doc/api-sessions.texi
@@ -176,8 +176,11 @@ replaced by the user home directory.
 
 Expected type of @var{value}: string.
 @item identity
-Set the identity file name.  By default identity, @file{id_dsa} and
-@file{id_rsa} are checked.
+Set the identity file name.  In libssh prior version 0.10 @file{id_dsa} and
+@file{id_rsa} are checked by default.
+
+In libssh 0.10 or newer versions @file{id_rsa}, @file{id_ecdsa} and
+@file{id_ed25519} are checked by default.
 
 The identity file used authenticate with public key.  It may include
 @code{%s} which will be replaced by the user home directory.
@@ -245,6 +248,15 @@ Expected type of @var{value}: string.
 Set the command to be executed in order to connect to server.
 
 Expected type of @var{value}: string.
+@item rsa-min-size
+Set the minimum RSA key size in bits to be accepted by the client for both
+authentication and hostkey verification.  The values under 768 bits are not
+accepted even with this configuration option as they are considered completely
+broken. Setting 0 will revert the value to defaults.  Default is 1024 bits or
+2048 bits in FIPS mode.
+
+Expected type of @var{value}: number.
+
 @item stricthostkeycheck
 Set the parameter @code{StrictHostKeyChecking} to avoid asking about a
 fingerprint.
diff --git a/libguile-ssh/session-func.c b/libguile-ssh/session-func.c
@@ -1,6 +1,6 @@
 /* session-func.c -- Functions for working with SSH session.
  *
- * Copyright (C) 2013-2023 Artyom V. Poptsov <poptsov.artyom@gmail.com>
+ * Copyright (C) 2013-2024 Artyom V. Poptsov <poptsov.artyom@gmail.com>
  *
  * This file is part of Guile-SSH.
  *
@@ -81,6 +81,10 @@ static gssh_symbol_t session_options[] = {
   { "public-key-accepted-types", SSH_OPTIONS_PUBLICKEY_ACCEPTED_TYPES },
 #endif
 
+#if HAVE_LIBSSH_0_10
+  {"rsa-min-size",        SSH_OPTIONS_RSA_MIN_SIZE       },
+#endif
+
   { "callbacks",          GSSH_OPTIONS_CALLBACKS         },
   { NULL,                 -1 }
 };
@@ -399,6 +403,12 @@ set_option (SCM scm_session, gssh_session_t* sd, int type, SCM value)
         break;
 #endif
 
+#if HAVE_LIBSSH_0_10
+    case SSH_OPTIONS_RSA_MIN_SIZE:
+        return set_int32_opt (session, type, value);
+        break;
+#endif
+
     default:
       guile_ssh_error1 ("session-set!",
                         "Operation is not supported yet: %a~%",
diff --git a/tests/session.scm b/tests/session.scm
@@ -116,6 +116,12 @@
      options)
     res))
 
+(unless (>= %libssh-minor-version 10)
+  (test-skip "session-set!, rsa-min-size"))
+(test-assert "session-set!, rsa-min-size"
+  (let ((session (%make-session)))
+    (session-set! session 'rsa-min-size 1024)))
+
 (test-assert "session-set!, invalid values"
   (let ((session (%make-session))
         (options '((host              12345 #t)
