3 files changed, 108 insertions, 3 deletions

diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h
index a34e9ee4..b85960ff 100644
--- a/include/libssh/libssh.h
+++ b/include/libssh/libssh.h
@@ -517,6 +517,7 @@ LIBSSH_API int ssh_key_cmp(const ssh_key k1,
                            const ssh_key k2,
                            enum ssh_keycmp_e what);
 
+LIBSSH_API int ssh_knownhosts_algorithms(ssh_session session);
 LIBSSH_API int ssh_pki_generate(enum ssh_keytypes_e type, int parameter,
         ssh_key *pkey);
 LIBSSH_API int ssh_pki_import_privkey_base64(const char *b64_key,
diff --git a/src/known_hosts.c b/src/known_hosts.c
index ded36a90..2d90a41d 100644
--- a/src/known_hosts.c
+++ b/src/known_hosts.c
@@ -647,6 +647,83 @@ int ssh_write_knownhost(ssh_session session) {
     return 0;
 }
 
+/**
+ * @brief Check which kind of host keys should be preferred for connection
+ *        by reading the known_hosts file.
+ *
+ * @param[in]  session  The SSH session to use.
+ *
+ * @returns Bitfield of supported SSH hostkey algorithms
+ *					SSH_ERROR on error
+ */
+int ssh_knownhosts_algorithms(ssh_session session) {
+  FILE *file = NULL;
+  char **tokens;
+  char *host;
+  char *hostport;
+  const char *type;
+  int match;
+  int ret = 0;
+
+  if (session->opts.knownhosts == NULL) {
+    if (ssh_options_apply(session) < 0) {
+      ssh_set_error(session, SSH_REQUEST_DENIED,
+          "Can't find a known_hosts file");
+      return SSH_ERROR;
+    }
+  }
+
+  if (session->opts.host == NULL) {
+    return 0;
+  }
+
+  host = ssh_lowercase(session->opts.host);
+  hostport = ssh_hostport(host, session->opts.port);
+  if (host == NULL || hostport == NULL) {
+    ssh_set_error_oom(session);
+    SAFE_FREE(host);
+    SAFE_FREE(hostport);
+
+    return SSH_ERROR;
+  }
+
+  do {
+    tokens = ssh_get_knownhost_line(&file,
+    		session->opts.knownhosts, &type);
+
+    /* End of file, return the current state */
+    if (tokens == NULL) {
+      break;
+    }
+    match = match_hashed_host(host, tokens[0]);
+    if (match == 0){
+    	match = match_hostname(hostport, tokens[0], strlen(tokens[0]));
+    }
+    if (match == 0) {
+      match = match_hostname(host, tokens[0], strlen(tokens[0]));
+    }
+    if (match == 0) {
+      match = match_hashed_host(hostport, tokens[0]);
+    }
+    if (match) {
+      /* We got a match. Now check the key type */
+    	SSH_LOG(SSH_LOG_DEBUG, "server %s:%d has %s in known_hosts",
+    							host, session->opts.port, type);
+    	ret |= 1 << ssh_key_type_from_name(type);
+    }
+    tokens_free(tokens);
+  } while (1);
+
+  SAFE_FREE(host);
+  SAFE_FREE(hostport);
+  if (file != NULL) {
+    fclose(file);
+  }
+
+  /* Return the current state at end of file */
+  return ret;
+}
+
 /** @} */
 
 /* vim: set ts=4 sw=4 et cindent: */
diff --git a/tests/client/torture_knownhosts.c b/tests/client/torture_knownhosts.c
index ad8c8114..69f0d7dc 100644
--- a/tests/client/torture_knownhosts.c
+++ b/tests/client/torture_knownhosts.c
@@ -134,7 +134,6 @@ static void torture_knownhosts_fail(void **state) {
 
     rc = ssh_is_server_known(session);
     assert_true(rc == SSH_SERVER_KNOWN_CHANGED);
-
 }
 
 static void torture_knownhosts_other(void **state) {
@@ -161,7 +160,6 @@ static void torture_knownhosts_other(void **state) {
 
     rc = ssh_is_server_known(session);
     assert_true(rc == SSH_SERVER_FOUND_OTHER);
-
 }
 
 static void torture_knownhosts_conflict(void **state) {
@@ -209,16 +207,45 @@ static void torture_knownhosts_conflict(void **state) {
 
     rc = ssh_is_server_known(session);
     assert_true(rc == SSH_SERVER_KNOWN_OK);
+}
+
+static void torture_knownhosts_precheck(void **state) {
+    ssh_session session = *state;
+    FILE *file;
+    int rc;
+    int dsa;
+    int rsa;
 
+    rc = ssh_options_set(session, SSH_OPTIONS_HOST, "localhost");
+    assert_true(rc == SSH_OK);
 
+    rc = ssh_options_set(session, SSH_OPTIONS_KNOWNHOSTS, KNOWNHOSTFILES);
+    assert_true(rc == SSH_OK);
+
+    file = fopen(KNOWNHOSTFILES, "w");
+    assert_true(file != NULL);
+    fprintf(file, "localhost ssh-rsa %s\n", BADRSA);
+    fprintf(file, "localhost ssh-dss %s\n", BADDSA);
+    fclose(file);
+
+    rc = ssh_knownhosts_algorithms(session);
+    assert_true(rc != SSH_ERROR);
+    dsa = 1 << SSH_KEYTYPE_DSS;
+    rsa = 1 << SSH_KEYTYPE_RSA;
+    assert_true(rc & dsa);
+    assert_true(rc & rsa);
+    /* nothing else than dsa and rsa */
+    assert_true((rc & (dsa | rsa)) == rc);
 }
+
 int torture_run_tests(void) {
     int rc;
     const UnitTest tests[] = {
         unit_test_setup_teardown(torture_knownhosts_port, setup, teardown),
         unit_test_setup_teardown(torture_knownhosts_fail, setup, teardown),
         unit_test_setup_teardown(torture_knownhosts_other, setup, teardown),
-        unit_test_setup_teardown(torture_knownhosts_conflict, setup, teardown)
+        unit_test_setup_teardown(torture_knownhosts_conflict, setup, teardown),
+        unit_test_setup_teardown(torture_knownhosts_precheck, setup, teardown)
     };
 
     ssh_init();