Added policy option to allow host key subsets and/or reorderings.

test/docker/expected_results/openssh_8.0p1_custom_policy_test18.json

@@ -0,0 +1,8 @@
+{
+    "errors": [],
+    "host": "localhost",
+    "passed": true,
+    "policy": "Docker policy: test18 (version 1)",
+    "port": 2222,
+    "warnings": []
+}

test/docker/expected_results/openssh_8.0p1_custom_policy_test18.txt

@@ -0,0 +1,3 @@
+Host:   localhost:2222
+Policy: Docker policy: test18 (version 1)
+Result: ✔ Passed

test/docker/policies/policy_test18.txt

@@ -0,0 +1,17 @@
+#
+# Docker policy: test18
+#
+
+name = "Docker policy: test18"
+version = 1
+allow_algorithm_subset_and_reordering = false
+allow_hostkey_subset_and_reordering = true
+allow_larger_keys = false
+banner = "SSH-2.0-OpenSSH_8.0"
+compressions = none, zlib@openssh.com
+host keys = ssh-rsa, rsa-sha2-256, rsa-sha2-512, ecdsa-sha2-nistp256, ssh-ed25519, x
+key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1
+ciphers = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
+macs = umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, umac-64@openssh.com, umac-128@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1
+host_key_sizes = {"ssh-rsa": {"hostkey_size": 3072}, "rsa-sha2-256": {"hostkey_size": 3072}, "rsa-sha2-512": {"hostkey_size": 3072}, "ssh-ed25519": {"hostkey_size": 256}}
+dh_modulus_sizes = {"diffie-hellman-group-exchange-sha256": 4096}

test/test_policy.py

@@ -60,9 +60,6 @@ class TestPolicy:
             except ValueError:
                 assert False, "version field of %s policy is not parseable as an integer." % policy_name
 
-            # Ensure no extra fields are present.
-            assert len(required_fields) == len(BUILTIN_POLICIES[policy_name])
-
             # Ensure that the changelog field is a string and non-empty.
             assert type(BUILTIN_POLICIES[policy_name]['changelog']) is str
             assert len(BUILTIN_POLICIES[policy_name]['changelog']) > 0
@@ -158,7 +155,7 @@ ciphers = cipher_alg1, cipher_alg2, cipher_alg3
 macs = mac_alg1, mac_alg2, mac_alg3'''
 
         policy = self.Policy(policy_data=policy_data)
-        assert str(policy) == "Name: [Test Policy]\nVersion: [1]\nAllow Algorithm Subset and/or Reordering: False\nBanner: {undefined}\nCompressions: comp_alg1\nHost Keys: key_alg1\nOptional Host Keys: {undefined}\nKey Exchanges: kex_alg1, kex_alg2\nCiphers: cipher_alg1, cipher_alg2, cipher_alg3\nMACs: mac_alg1, mac_alg2, mac_alg3\nHost Key Sizes: {undefined}\nDH Modulus Sizes: {undefined}\nServer Policy: True"
+        assert str(policy) == "Name: [Test Policy]\nVersion: [1]\nAllow Algorithm Subset and/or Reordering: False\nAllow Host Key Subset and/or Reordering: False\nBanner: {undefined}\nCompressions: comp_alg1\nHost Keys: key_alg1\nOptional Host Keys: {undefined}\nKey Exchanges: kex_alg1, kex_alg2\nCiphers: cipher_alg1, cipher_alg2, cipher_alg3\nMACs: mac_alg1, mac_alg2, mac_alg3\nHost Key Sizes: {undefined}\nDH Modulus Sizes: {undefined}\nServer Policy: True"
 
 
     def test_policy_invalid_1(self):
@@ -305,7 +302,7 @@ macs = mac_alg1, mac_alg2, mac_alg3'''
         pol_data = pol_data.replace(date.today().strftime('%Y/%m/%d'), '[todays date]')
 
         # Instead of writing out the entire expected policy--line by line--just check that it has the expected hash.
-        assert hashlib.sha256(pol_data.encode('ascii')).hexdigest() == 'fb84bce442cff2bce9bf653d6373a8a938e3bfcfbd1e876f51a08c1842df3cff'
+        assert hashlib.sha256(pol_data.encode('ascii')).hexdigest() == '3862e56ea60c1ecba6dffbf724216c4391b6fe00a790b0075617477d4addf761'
 
 
     def test_policy_evaluate_passing_1(self):