server: Correctly handle extensions

If the server had an RSA host key, it provided unconditionally SHA2 signatures without consulting the client proposed list of supported host keys. This commit implements more fine-grained detection of the extension to provide the client with valid signatures according to RFC 8332 Section 3.1. Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org> (cherry picked from commit 27fe60954c)
2026-02-07 02:39:48 +09:00 · 2019-01-07 18:49:58 +01:00
parent d028b2495d
commit 0acfd81f85
3 changed files with 25 additions and 8 deletions
--- a/src/kex.c
+++ b/src/kex.c
@@ -526,13 +526,29 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
        ok = ssh_match_group(session->next_crypto->client_kex.methods[SSH_KEX],
                             KEX_EXTENSION_CLIENT);
        if (ok) {
+            const char *hostkeys = NULL;
+
+            /* The client supports extension negotiation */
+            session->extensions |= SSH_EXT_NEGOTIATION;
            /*
-             * Enable all the supported extensions and when the time comes
-             * (after NEWKEYS) send them to the client.
+             * RFC 8332 Section 3.1: Use for Server Authentication
+             * Check what algorithms were provided in the SSH_HOSTKEYS list
+             * by the client and enable the respective extensions to provide
+             * correct signature in the next packet if RSA is negotiated
             */
+            hostkeys = session->next_crypto->client_kex.methods[SSH_HOSTKEYS];
+            ok = ssh_match_group(hostkeys, "rsa-sha2-512");
+            if (ok) {
+                session->extensions |= SSH_EXT_SIG_RSA_SHA512;
+            }
+            ok = ssh_match_group(hostkeys, "rsa-sha2-256");
+            if (ok) {
+                session->extensions |= SSH_EXT_SIG_RSA_SHA256;
+            }
            SSH_LOG(SSH_LOG_DEBUG, "The client supports extension "
-                    "negotiation: enabling all extensions");
-            session->extensions = SSH_EXT_ALL;
+                    "negotiation. Enabled signature algorithms: %s%s",
+                    session->extensions & SSH_EXT_SIG_RSA_SHA256 ? "SHA256" : "",
+                    session->extensions & SSH_EXT_SIG_RSA_SHA512 ? " SHA512" : "");
        }

        /*
--- a/src/server.c
+++ b/src/server.c
@@ -523,7 +523,7 @@ static void ssh_server_connection_callback(ssh_session session){
                 * our supported extensions now. This is the first message after
                 * sending NEWKEYS message and after turning on crypto.
                 */
-                if (session->extensions &&
+                if (session->extensions & SSH_EXT_NEGOTIATION &&
                    session->session_state != SSH_SESSION_STATE_AUTHENTICATED) {
                    ssh_server_send_extensions(session);
                }