Validate the host key signature algorithm name in DoKexDhReply().

The client-side KEXDH_REPLY path was parsing the signature blob name and
skipping over it without checking that it matched the negotiated host key
algorithm. That allowed an RSA server to negotiate rsa-sha2-256 or
rsa-sha2-512 but send a signature blob labeled ssh-rsa instead.

Fix this by comparing the signature blob name against the expected
signature type derived from handshake->pubKeyId before verifying the
signature bytes.

Add regress coverage that drives an in-memory client/server handshake,
rewrites the server's first KEXDH_REPLY on the wire, and verifies the
client rejects rsa-sha2-256 and rsa-sha2-512 replies whose signature blob
name is downgraded to ssh-rsa.

F-2077

Author: LinuxJedi

src/internal.c

@@ -5761,6 +5761,9 @@ static int KeyAgree_client(WOLFSSH* ssh, byte hashId, const byte* f, word32 fSz)
 }
 
 
+static INLINE byte SigTypeForId(byte id);
+
+
 static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
 {
     struct wolfSSH_sigKeyBlock *sigKeyBlock_ptr = NULL;
@@ -6010,9 +6013,10 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
 #ifndef WOLFSSH_NO_RSA
         int tmpIdx = begin - sigSz;
 #endif
-            /* Skip past the sig name. Check it, though. Other SSH
-             * implementations do the verify based on the name, despite what
-             * was agreed upon. XXX*/
+            const char* expectedSigName =
+                    IdToName(SigTypeForId(ssh->handshake->pubKeyId));
+            word32 expectedSigNameSz = (word32)WSTRLEN(expectedSigName);
+
             begin = 0;
             ret = GetUint32(&scratch, sig, sigSz, &begin);
             if (ret == WS_SUCCESS) {
@@ -6023,6 +6027,15 @@ static int DoKexDhReply(WOLFSSH* ssh, byte* buf, word32 len, word32* idx)
                     ret = WS_PARSE_E;
                 }
             }
+            if (ret == WS_SUCCESS) {
+                if (scratch != expectedSigNameSz ||
+                        WMEMCMP(sig + begin, expectedSigName, scratch) != 0) {
+                    WLOG(WS_LOG_DEBUG,
+                            "signature name %.*s did not match negotiated %s",
+                            (int)scratch, sig + begin, expectedSigName);
+                    ret = WS_PARSE_E;
+                }
+            }
             if (ret == WS_SUCCESS) {
                 begin += scratch;
                 ret = GetUint32(&scratch, sig, sigSz, &begin);
@@ -10569,7 +10582,6 @@ static int PreparePacket(WOLFSSH* ssh, word32 payloadSz)
     return ret;
 }
 
-
 static int BundlePacket(WOLFSSH* ssh)
 {
     byte* output = NULL;