author | Anderson Toshiyuki Sasaki <ansasaki@redhat.com> | 2019-06-12 18:00:34 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2019-06-13 16:28:23 +0200 |
commit | 53ae2502f44f8fb8a34b620a7c6cbb53d80ed150 (patch) | |
tree | 0a1330e7722c84d2eed77bbd061f1e19baa176a8 /src/kex.c | |
parent | 1b7146e28f6816055d5b05861376eda39aa205c4 (diff) | |
kex: Only advertise allowed signature types
Previously, if the client supported rsa-sha2-256 or rsa-sha2-512, the
server would advertise the extensions as supported without checking its
own list of allowed algorithms. Now the server will only advertise
allowed signature algorithms.
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Diffstat (limited to 'src/kex.c')
-rw-r--r-- | src/kex.c | 22 |
1 files changed, 20 insertions, 2 deletions
@@ -454,11 +454,29 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
 hostkeys = session->next_crypto->client_kex.methods[SSH_HOSTKEYS];
 ok = ssh_match_group(hostkeys, "rsa-sha2-512");
 if (ok) {
- session->extensions |= SSH_EXT_SIG_RSA_SHA512;
+ /* Check if rsa-sha2-512 is allowed by config */
+ if (session->opts.wanted_methods[SSH_HOSTKEYS] != NULL) {
+ char *is_allowed =
+ ssh_find_matching(session->opts.wanted_methods[SSH_HOSTKEYS],
+ "rsa-sha2-512");
+ if (is_allowed != NULL) {
+ session->extensions |= SSH_EXT_SIG_RSA_SHA512;
+ }
+ SAFE_FREE(is_allowed);
+ }
 }
 ok = ssh_match_group(hostkeys, "rsa-sha2-256");
 if (ok) {
- session->extensions |= SSH_EXT_SIG_RSA_SHA256;
+ /* Check if rsa-sha2-256 is allowed by config */
+ if (session->opts.wanted_methods[SSH_HOSTKEYS] != NULL) {
+ char *is_allowed =
+ ssh_find_matching(session->opts.wanted_methods[SSH_HOSTKEYS],
+ "rsa-sha2-256");
+ if (is_allowed != NULL) {
+ session->extensions |= SSH_EXT_SIG_RSA_SHA256;
+ }
+ SAFE_FREE(is_allowed);
+ }
 }
 /* |
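Review bot: When `session->opts.wanted_methods[SSH_HOSTKEYS]` is NULL, both new blocks leave `SSH_EXT_SIG_RSA_SHA512` and `SSH_EXT_SIG_RSA_SHA256` unset, whereas the old code set them whenever the client offered the algorithm. If a NULL list can reach this callback and means "use the defaults" rather than "nothing is allowed", the server would presumably fall back to a plain ssh-rsa signature even though both sides support SHA-2; the hunk does not show where the list is populated, so this needs confirming. If the list is guaranteed to be set by this point, say so next to the check, e.g. `/* wanted_methods[SSH_HOSTKEYS] is always populated on the server before KEXINIT is handled */`; otherwise handle NULL explicitly by testing against the default host key list. The two blocks also differ only in the algorithm name and the flag, so a small static helper would keep the allow-list rule in one place. The callback body starts and ends outside the hunk.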