kex: Only advertise allowed signature types

Previously, if the client supported rsa-sha2-256 or rsa-sha2-512, the server would advertise the extensions as supported without checking its own list of allowed algorithms. Now the server will only advertise allowed signature algorithms. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-06-12 18:00:34 +02:00 · 2019-06-12 18:00:34 +02:00 · 53ae2502f4
--- a/src/kex.c
+++ b/src/kex.c
@ -454,12 +454,30 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
            hostkeys = session->next_crypto->client_kex.methods[SSH_HOSTKEYS];
            ok = ssh_match_group(hostkeys, "rsa-sha2-512");
            if (ok) {
+                /* Check if rsa-sha2-512 is allowed by config */
+                if (session->opts.wanted_methods[SSH_HOSTKEYS] != NULL) {
+                    char *is_allowed =
+                        ssh_find_matching(session->opts.wanted_methods[SSH_HOSTKEYS],
+                                          "rsa-sha2-512");
+                    if (is_allowed != NULL) {
                        session->extensions |= SSH_EXT_SIG_RSA_SHA512;
                    }
+                    SAFE_FREE(is_allowed);
+                }
+            }
            ok = ssh_match_group(hostkeys, "rsa-sha2-256");
            if (ok) {
+                /* Check if rsa-sha2-256 is allowed by config */
+                if (session->opts.wanted_methods[SSH_HOSTKEYS] != NULL) {
+                    char *is_allowed =
+                        ssh_find_matching(session->opts.wanted_methods[SSH_HOSTKEYS],
+                                          "rsa-sha2-256");
+                    if (is_allowed != NULL) {
                        session->extensions |= SSH_EXT_SIG_RSA_SHA256;
                    }
+                    SAFE_FREE(is_allowed);
+                }
+            }

            /*
             * Ensure that the client preference is honored for the case