-rw-r--r--include/libssh/session.h7
-rw-r--r--src/kex.c24
-rw-r--r--src/server.c2
3 files changed, 25 insertions, 8 deletions
diff --git a/include/libssh/session.h b/include/libssh/session.h
index 86540bbf..5761fa2d 100644
--- a/include/libssh/session.h
+++ b/include/libssh/session.h
@@ -91,10 +91,11 @@ enum ssh_pending_call_e {
#define SSH_OPT_FLAG_GSSAPI_AUTH 0x8
/* extensions flags */
+/* negotiation enabled */
+#define SSH_EXT_NEGOTIATION 0x01
/* server-sig-algs extension */
-#define SSH_EXT_SIG_RSA_SHA256 0x01
-#define SSH_EXT_SIG_RSA_SHA512 0x02
-#define SSH_EXT_ALL SSH_EXT_SIG_RSA_SHA256 | SSH_EXT_SIG_RSA_SHA512
+#define SSH_EXT_SIG_RSA_SHA256 0x02
+#define SSH_EXT_SIG_RSA_SHA512 0x04
/* members that are common to ssh_session and ssh_bind */
struct ssh_common_struct {
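Review bot: The comment `/* negotiation enabled */` above SSH_EXT_NEGOTIATION does not say who sets the flag or what it records; a reader of the header has to find ssh_packet_kexinit to learn that it means the client's KEXINIT matched KEX_EXTENSION_CLIENT. Suggest `/* client advertised extension negotiation in KEXINIT (set in ssh_packet_kexinit); gates ssh_server_send_extensions() */`. Since all three values are bit flags OR'd into session->extensions, a one-line note that they are bitmask values would also help now that the removed SSH_EXT_ALL no longer documents that grouping.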
diff --git a/src/kex.c b/src/kex.c
index c2e02ff6..58c52642 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -541,13 +541,29 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit)
ok = ssh_match_group(session->next_crypto->client_kex.methods[SSH_KEX],
KEX_EXTENSION_CLIENT);
if (ok) {
+ const char *hostkeys = NULL;
+
+ /* The client supports extension negotiation */
+ session->extensions |= SSH_EXT_NEGOTIATION;
/*
- * Enable all the supported extensions and when the time comes
- * (after NEWKEYS) send them to the client.
+ * RFC 8332 Section 3.1: Use for Server Authentication
+ * Check what algorithms were provided in the SSH_HOSTKEYS list
+ * by the client and enable the respective extensions to provide
+ * correct signature in the next packet if RSA is negotiated
*/
+ hostkeys = session->next_crypto->client_kex.methods[SSH_HOSTKEYS];
+ ok = ssh_match_group(hostkeys, "rsa-sha2-512");
+ if (ok) {
+ session->extensions |= SSH_EXT_SIG_RSA_SHA512;
+ }
+ ok = ssh_match_group(hostkeys, "rsa-sha2-256");
+ if (ok) {
+ session->extensions |= SSH_EXT_SIG_RSA_SHA256;
+ }
SSH_LOG(SSH_LOG_DEBUG, "The client supports extension "
- "negotiation: enabling all extensions");
- session->extensions = SSH_EXT_ALL;
+ "negotiation. Enabled signature algorithms: %s%s",
+ session->extensions & SSH_EXT_SIG_RSA_SHA256 ? "SHA256" : "",
+ session->extensions & SSH_EXT_SIG_RSA_SHA512 ? " SHA512" : "");
}
/*
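Review bot: The two `|=` assignments at the SSH_EXT_SIG_RSA_SHA512 and SSH_EXT_SIG_RSA_SHA256 lines accumulate across key exchanges: this callback also runs for a re-key, and bits set from an earlier KEXINIT are never cleared, so a client that drops rsa-sha2-* from its host-key list on re-key would still be reported (and treated) as supporting them. Clearing both bits before re-evaluating, `session->extensions &= ~(SSH_EXT_SIG_RSA_SHA256 | SSH_EXT_SIG_RSA_SHA512);` right after the SSH_EXT_NEGOTIATION line, keeps the flags tied to the current negotiation. Separately, these bits are now derived from the client's host-key algorithm list (server authentication), but if ssh_server_send_extensions derives server-sig-algs from the same bits, a client that only accepts non-RSA host keys would not be told that RSA SHA-2 user-authentication signatures are accepted — worth a comment here or a distinct flag. The log format also yields a leading double space when only SHA512 is enabled and an empty list when neither is; a fallback such as `"none"` would make the debug output unambiguous. ssh_packet_kexinit continues outside the hunk.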
diff --git a/src/server.c b/src/server.c
index c3e92ba6..a586964f 100644
--- a/src/server.c
+++ b/src/server.c
@@ -496,7 +496,7 @@ static void ssh_server_connection_callback(ssh_session session){
* our supported extensions now. This is the first message after
* sending NEWKEYS message and after turning on crypto.
*/
- if (session->extensions &&
+ if (session->extensions & SSH_EXT_NEGOTIATION &&
session->session_state != SSH_SESSION_STATE_AUTHENTICATED) {
ssh_server_send_extensions(session);
}
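Review bot: `session->extensions & SSH_EXT_NEGOTIATION && ...` on the changed line relies on `&` binding tighter than `&&`; that is correct, but mixing a bitwise test into a logical condition without parentheses is easy to misread and some compilers warn about it. Suggest `if ((session->extensions & SSH_EXT_NEGOTIATION) &&` so the intent is explicit. The enclosing ssh_server_connection_callback starts and ends outside the hunk.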