server: Correctly handle extensions

If the server had an RSA host key, it provided unconditionally SHA2
signatures without consulting the client proposed list of supported host
keys.

This commit implements more fine-grained detection of the extension
to provide the client with valid signatures according to RFC 8332
Section 3.1.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>

include/libssh/session.h

@@ -91,10 +91,11 @@ enum ssh_pending_call_e {
 #define SSH_OPT_FLAG_GSSAPI_AUTH 0x8
 
 /* extensions flags */
+/* negotiation enabled */
+#define SSH_EXT_NEGOTIATION     0x01
 /* server-sig-algs extension */
-#define SSH_EXT_SIG_RSA_SHA256  0x01
+#define SSH_EXT_SIG_RSA_SHA256  0x02
-#define SSH_EXT_SIG_RSA_SHA512  0x02
+#define SSH_EXT_SIG_RSA_SHA512  0x04
-#define SSH_EXT_ALL             SSH_EXT_SIG_RSA_SHA256 | SSH_EXT_SIG_RSA_SHA512
 
 /* members that are common to ssh_session and ssh_bind */
 struct ssh_common_struct {

src/kex.c

@@ -541,13 +541,29 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
         ok = ssh_match_group(session->next_crypto->client_kex.methods[SSH_KEX],
                              KEX_EXTENSION_CLIENT);
         if (ok) {
+            const char *hostkeys = NULL;
+
+            /* The client supports extension negotiation */
+            session->extensions |= SSH_EXT_NEGOTIATION;
             /*
-             * Enable all the supported extensions and when the time comes
+             * RFC 8332 Section 3.1: Use for Server Authentication
-             * (after NEWKEYS) send them to the client.
+             * Check what algorithms were provided in the SSH_HOSTKEYS list
+             * by the client and enable the respective extensions to provide
+             * correct signature in the next packet if RSA is negotiated
              */
+            hostkeys = session->next_crypto->client_kex.methods[SSH_HOSTKEYS];
+            ok = ssh_match_group(hostkeys, "rsa-sha2-512");
+            if (ok) {
+                session->extensions |= SSH_EXT_SIG_RSA_SHA512;
+            }
+            ok = ssh_match_group(hostkeys, "rsa-sha2-256");
+            if (ok) {
+                session->extensions |= SSH_EXT_SIG_RSA_SHA256;
+            }
             SSH_LOG(SSH_LOG_DEBUG, "The client supports extension "
-                    "negotiation: enabling all extensions");
+                    "negotiation. Enabled signature algorithms: %s%s",
-            session->extensions = SSH_EXT_ALL;
+                    session->extensions & SSH_EXT_SIG_RSA_SHA256 ? "SHA256" : "",
+                    session->extensions & SSH_EXT_SIG_RSA_SHA512 ? " SHA512" : "");
         }
 
         /*

src/server.c

@@ -496,7 +496,7 @@ static void ssh_server_connection_callback(ssh_session session){
                  * our supported extensions now. This is the first message after
                  * sending NEWKEYS message and after turning on crypto.
                  */
-                if (session->extensions &&
+                if (session->extensions & SSH_EXT_NEGOTIATION &&
                     session->session_state != SSH_SESSION_STATE_AUTHENTICATED) {
                     ssh_server_send_extensions(session);
                 }