Module algorithms

Algorithm-override surface for SSH negotiation (PRD §5.8.6, M17).

This module exposes the four moving pieces a downstream CLI needs to honour KexAlgorithms, Ciphers, MACs, and HostKeyAlgorithms from ~/.ssh/config (FR-76) plus the matching CLI overrides (--kex, --ciphers, --macs, --host-key-algorithms — FR-77):

  1. apply_overrides parses an OpenSSH-format override string — algo,algo (replace), +algo (append), -algo (remove), ^algo (front-load) — against a base list and returns the resulting algorithm preference.
  2. DENYLIST + apply_denylist enforce FR-78’s permanent block on broken algorithms (DSA, 3DES, Arcfour, SHA-1 HMAC < 96 bits, SSH-1) regardless of override.
  3. anvil_default_kex / anvil_default_ciphers / anvil_default_macs / anvil_default_host_keys return the curated default that’s used as the base for +/-/^ overrides.
  4. all_supported returns the Catalogue surfaced by gitway list-algorithms (FR-79) — every name russh accepts, tagged with is_default and denylisted flags.

§Trust model

Russh 0.59 silently drops unknown algorithm names at negotiation time — there is no error, no log. This module validates user input before it reaches russh: an unknown algorithm in an override surfaces an AnvilError::invalid_config with a tips-thinking hint pointing at gitway list-algorithms.

The denylist is enforced after every override transformation so a user-supplied +ssh-dss cannot bypass FR-78 by smuggling a banned algorithm through an ^ move.
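The override grammar and the validate-first, denylist-last ordering described above, as an added sketch that is not this crate's code: `SUPPORTED`, `DENY`, `is_denied` and `resolve` are hypothetical stand-ins for the catalogue, `DENYLIST`, `is_denylisted` and `apply_overrides` + `apply_denylist`. It assumes banned names are filtered out silently rather than rejected, and that unknown names are matched case-sensitively.

```rust
// Illustrative sketch only: SUPPORTED, DENY and resolve() are hypothetical
// stand-ins, not the crate's DENYLIST / apply_overrides / apply_denylist.
const SUPPORTED: &[&str] = &["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256", "ssh-dss"];
const DENY: &[&str] = &["ssh-dss"]; // constructed subset of the banned set

fn is_denied(alg: &str) -> bool {
    DENY.iter().any(|d| d.eq_ignore_ascii_case(alg))
}

/// Apply an OpenSSH-style override to `base`, then filter the denylist.
fn resolve(base: &[&str], spec: &str) -> Result<Vec<String>, String> {
    let (op, body) = match spec.chars().next() {
        Some(c @ ('+' | '-' | '^')) => (c, &spec[1..]),
        _ => ('=', spec), // no prefix: the list replaces the base
    };
    let mut names: Vec<String> = Vec::new();
    for n in body.split(',').map(str::trim).filter(|n| !n.is_empty()) {
        // Reject unknown names up front instead of letting them vanish silently.
        if !SUPPORTED.contains(&n) {
            return Err(format!("unknown algorithm: {n}"));
        }
        if !names.iter().any(|x| x == n) { names.push(n.to_string()); }
    }
    let base: Vec<String> = base.iter().map(|s| s.to_string()).collect();
    let merged: Vec<String> = match op {
        '=' => names,
        '-' => base.into_iter().filter(|b| !names.contains(b)).collect(),
        '+' => {
            let extra: Vec<String> = names.into_iter().filter(|n| !base.contains(n)).collect();
            base.into_iter().chain(extra).collect()
        }
        _ => { // '^': named algorithms move to the front, the rest keep base order
            let rest: Vec<String> = base.into_iter().filter(|b| !names.contains(b)).collect();
            names.into_iter().chain(rest).collect()
        }
    };
    // The denylist runs last, whatever the operator was.
    Ok(merged.into_iter().filter(|a| !is_denied(a)).collect())
}

fn main() {
    // Constructed base list, not Anvil's real default.
    let base = ["ssh-ed25519", "rsa-sha2-512"];
    println!("{:?}", resolve(&base, "^ssh-dss,rsa-sha2-256"));
}
```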

Structs§

AlgEntry
One entry in the Catalogue returned by all_supported.
Catalogue
Full catalogue of every algorithm Gitway can negotiate, grouped by AlgCategory. Returned by all_supported and consumed by gitway list-algorithms.

Enums§

AlgCategory
Algorithm category — the four ssh_config(5) directive families Gitway plumbs through to russh. Matches the four CLI flags --kex / --ciphers / --macs / --host-key-algorithms.

Constants§

DENYLIST
Permanent denylist — algorithms refused regardless of any override.

Functions§

all_supported
Returns the full Catalogue of algorithms russh advertises plus the flags gitway list-algorithms needs to render the operator-facing view.
anvil_default_ciphers
Returns Anvil’s curated default cipher preference.
anvil_default_host_keys
Returns Anvil’s curated default host-key algorithm preference.
anvil_default_kex
Returns Anvil’s curated default key-exchange algorithm preference. Used as the base when an override carries a +/-/^ prefix.
anvil_default_macs
Returns Anvil’s curated default MAC preference.
apply_denylist
Filters a list of algorithm names through is_denylisted, preserving the order of the surviving entries.
apply_overrides
Applies an OpenSSH-format KexAlgorithms/etc. override string to base, returning the resulting algorithm list.
is_denylisted
Returns true iff alg is on the permanent denylist (DENYLIST). Comparison is case-insensitive ASCII.