fix(security): enforce negotiated algorithm in host key signature verification

A server could send a signature blob claiming algorithm "ssh-rsa" (SHA-1)
even when the client negotiated "rsa-sha2-256" or "rsa-sha2-512", causing
the client to verify with the weaker SHA-1 hash. Per RFC 8332 §3.2, the
algorithm identifier in the signature blob must match what was negotiated.

SignatureVerifier.verify() now requires the expected algorithm and rejects
mismatches. Agent session binding uses a separate verifyWithKeyType() path
that validates the sig algorithm is compatible with the host key type,
guarding against cross-type forgery in that context.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: kruton

sshlib/src/main/kotlin/org/connectbot/sshlib/client/AgentProtocolHandler.kt

@@ -1,6 +1,6 @@
 /*
  * ConnectBot SSH Library
- * Copyright 2025 Kenny Root
+ * Copyright 2025-2026 Kenny Root
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -135,7 +135,7 @@ internal class AgentProtocolHandler(
     private val provider: AgentProvider,
     private val sessionInfo: AgentSessionInfo,
     private val bindVerifier: SessionBindVerifier = SessionBindVerifier { hk, sig, data ->
-        SignatureVerifier.verify(hk, sig, data)
+        SignatureVerifier.verifyWithKeyType(hk, sig, data)
     },
 ) {
     companion object {

sshlib/src/main/kotlin/org/connectbot/sshlib/client/SshConnection.kt

@@ -1329,7 +1329,9 @@ class SshConnection(
         }
         serverHostKeyBlob = serverHostKey
 
-        if (!SignatureVerifier.verify(serverHostKey, signature, hash)) {
+        val negotiatedAlg = negotiatedHostKeyAlgorithm
+            ?: throw SshException("No host key algorithm negotiated")
+        if (!SignatureVerifier.verify(serverHostKey, signature, hash, negotiatedAlg)) {
             logger.error("Server signature verification failed")
             throw SshException("Server signature verification failed")
         }

sshlib/src/main/kotlin/org/connectbot/sshlib/crypto/SignatureVerifier.kt

@@ -1,6 +1,6 @@
 /*
  * ConnectBot SSH Library
- * Copyright 2025 Kenny Root
+ * Copyright 2025-2026 Kenny Root
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,10 +23,22 @@ import org.connectbot.sshlib.protocol.SshSignature
 
 internal object SignatureVerifier {
 
-    fun verify(serverHostKey: ByteArray, signatureData: ByteArray, exchangeHash: ByteArray): Boolean {
+    /**
+     * Verifies the server's host key signature during KEX.
+     *
+     * Enforces that the algorithm name in the signature blob matches [expectedAlgorithm]
+     * (the negotiated host key algorithm), per RFC 8332 §3.2.
+     */
+    fun verify(serverHostKey: ByteArray, signatureData: ByteArray, exchangeHash: ByteArray, expectedAlgorithm: String): Boolean {
         val sig = SshSignature(ByteBufferKaitaiStream(signatureData))
         sig._read()
 
+        // RFC 8332 §3.2: reject if the algorithm in the signature blob doesn't match
+        // what was negotiated. Prevents a server from downgrading e.g. rsa-sha2-256 → ssh-rsa.
+        if (sig.algorithmName() != expectedAlgorithm) {
+            return false
+        }
+
         val pubKey = SshPublicKey(ByteBufferKaitaiStream(serverHostKey))
         pubKey._read()
 
@@ -35,4 +47,33 @@ internal object SignatureVerifier {
 
         return algorithm.verify(pubKey, sig, exchangeHash)
     }
+
+    /**
+     * Verifies a signature where the algorithm is self-described in the signature blob
+     * (e.g., agent session binding). The algorithm must be compatible with the key type
+     * of [hostKey].
+     */
+    fun verifyWithKeyType(hostKey: ByteArray, signatureData: ByteArray, data: ByteArray): Boolean {
+        val sig = SshSignature(ByteBufferKaitaiStream(signatureData))
+        sig._read()
+
+        val pubKey = SshPublicKey(ByteBufferKaitaiStream(hostKey))
+        pubKey._read()
+
+        val sigAlgorithm = sig.algorithmName()
+        val keyType = pubKey.algorithmName()
+
+        // Ensure the sig algorithm is compatible with the key type to prevent cross-type forgery.
+        if (!isAlgorithmCompatibleWithKeyType(sigAlgorithm, keyType)) {
+            return false
+        }
+
+        val algorithm = SignatureEntry.fromSshName(sigAlgorithm)?.algorithm ?: return false
+        return algorithm.verify(pubKey, sig, data)
+    }
+
+    private fun isAlgorithmCompatibleWithKeyType(sigAlgorithm: String, keyType: String): Boolean = when (keyType) {
+        "ssh-rsa" -> sigAlgorithm in setOf("ssh-rsa", "rsa-sha2-256", "rsa-sha2-512")
+        else -> sigAlgorithm == keyType
+    }
 }

sshlib/src/test/kotlin/org/connectbot/sshlib/crypto/SignatureVerifierTest.kt

@@ -0,0 +1,135 @@
+/*
+ * ConnectBot SSH Library
+ * Copyright 2025-2026 Kenny Root
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.connectbot.sshlib.crypto
+
+import org.junit.jupiter.api.Test
+import java.io.ByteArrayOutputStream
+import java.io.DataOutputStream
+import java.math.BigInteger
+import java.security.KeyPairGenerator
+import java.security.Signature
+import java.security.interfaces.RSAPublicKey
+import kotlin.test.assertFalse
+import kotlin.test.assertTrue
+
+class SignatureVerifierTest {
+
+    private fun encodeString(out: DataOutputStream, value: ByteArray) {
+        out.writeInt(value.size)
+        out.write(value)
+    }
+
+    private fun encodeString(out: DataOutputStream, value: String) = encodeString(out, value.toByteArray(Charsets.US_ASCII))
+
+    private fun encodeMpint(out: DataOutputStream, value: BigInteger) {
+        val bytes = value.toByteArray()
+        out.writeInt(bytes.size)
+        out.write(bytes)
+    }
+
+    private fun buildRsaHostKey(pub: RSAPublicKey): ByteArray {
+        val buf = ByteArrayOutputStream()
+        val out = DataOutputStream(buf)
+        encodeString(out, "ssh-rsa")
+        encodeMpint(out, pub.publicExponent)
+        encodeMpint(out, pub.modulus)
+        return buf.toByteArray()
+    }
+
+    private fun buildSignatureBlob(algorithmName: String, sigBytes: ByteArray): ByteArray {
+        val buf = ByteArrayOutputStream()
+        val out = DataOutputStream(buf)
+        encodeString(out, algorithmName)
+        encodeString(out, sigBytes)
+        return buf.toByteArray()
+    }
+
+    private fun signData(data: ByteArray, jcaAlgorithm: String, kp: java.security.KeyPair): ByteArray {
+        val sig = Signature.getInstance(jcaAlgorithm)
+        sig.initSign(kp.private)
+        sig.update(data)
+        return sig.sign()
+    }
+
+    @Test
+    fun `accepts rsa-sha2-256 signature when rsa-sha2-256 was negotiated`() {
+        val kp = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }.generateKeyPair()
+        val data = "exchange hash".toByteArray()
+        val sigBytes = signData(data, "SHA256withRSA", kp)
+        val hostKey = buildRsaHostKey(kp.public as RSAPublicKey)
+        val sigBlob = buildSignatureBlob("rsa-sha2-256", sigBytes)
+
+        assertTrue(SignatureVerifier.verify(hostKey, sigBlob, data, "rsa-sha2-256"))
+    }
+
+    @Test
+    fun `accepts rsa-sha2-512 signature when rsa-sha2-512 was negotiated`() {
+        val kp = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }.generateKeyPair()
+        val data = "exchange hash".toByteArray()
+        val sigBytes = signData(data, "SHA512withRSA", kp)
+        val hostKey = buildRsaHostKey(kp.public as RSAPublicKey)
+        val sigBlob = buildSignatureBlob("rsa-sha2-512", sigBytes)
+
+        assertTrue(SignatureVerifier.verify(hostKey, sigBlob, data, "rsa-sha2-512"))
+    }
+
+    @Test
+    fun `rejects ssh-rsa signature blob when rsa-sha2-256 was negotiated`() {
+        val kp = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }.generateKeyPair()
+        val data = "exchange hash".toByteArray()
+        // Server signs correctly with SHA-1, but client negotiated SHA-256
+        val sigBytes = signData(data, "SHA1withRSA", kp)
+        val hostKey = buildRsaHostKey(kp.public as RSAPublicKey)
+        val sigBlob = buildSignatureBlob("ssh-rsa", sigBytes)
+
+        assertFalse(SignatureVerifier.verify(hostKey, sigBlob, data, "rsa-sha2-256"))
+    }
+
+    @Test
+    fun `rejects rsa-sha2-256 signature blob when rsa-sha2-512 was negotiated`() {
+        val kp = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }.generateKeyPair()
+        val data = "exchange hash".toByteArray()
+        val sigBytes = signData(data, "SHA256withRSA", kp)
+        val hostKey = buildRsaHostKey(kp.public as RSAPublicKey)
+        val sigBlob = buildSignatureBlob("rsa-sha2-256", sigBytes)
+
+        assertFalse(SignatureVerifier.verify(hostKey, sigBlob, data, "rsa-sha2-512"))
+    }
+
+    @Test
+    fun `rejects rsa-sha2-512 signature blob when rsa-sha2-256 was negotiated`() {
+        val kp = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }.generateKeyPair()
+        val data = "exchange hash".toByteArray()
+        val sigBytes = signData(data, "SHA512withRSA", kp)
+        val hostKey = buildRsaHostKey(kp.public as RSAPublicKey)
+        val sigBlob = buildSignatureBlob("rsa-sha2-512", sigBytes)
+
+        assertFalse(SignatureVerifier.verify(hostKey, sigBlob, data, "rsa-sha2-256"))
+    }
+
+    @Test
+    fun `rejects completely wrong algorithm name in signature blob`() {
+        val kp = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }.generateKeyPair()
+        val data = "exchange hash".toByteArray()
+        val sigBytes = signData(data, "SHA256withRSA", kp)
+        val hostKey = buildRsaHostKey(kp.public as RSAPublicKey)
+        val sigBlob = buildSignatureBlob("unknown-algo", sigBytes)
+
+        assertFalse(SignatureVerifier.verify(hostKey, sigBlob, data, "rsa-sha2-256"))
+    }
+}