[Bug 3351] RSA SHA256 certificates no longer work

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Oct 8 23:45:17 AEDT 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3351

--- Comment #7 from denisenkom at gmail.com ---
Adding my findings about difference between 7.4 and 8.8

On 7.4 when this condition is executed:
        if (ssh == NULL || ssh->kex->server_sig_algs == NULL ||
            (key->type != KEY_RSA && key->type != KEY_RSA_CERT) ||
            (key->type == KEY_RSA_CERT && (ssh->compat &
SSH_BUG_SIGTYPE))) {
                /* Filter base key signature alg against our
configuration */
                return match_list(sshkey_ssh_name(key),
                    options.pubkey_accepted_algos, NULL);
        }

the ssh->compat is equal 0x4000006, which is causing "ssh->compat &
SSH_BUG_SIGTYPE" to be true, and therefore execution enters that if and
then match_list returns false, causing rejection.


On 8.8 the ssh->compat is equal 0x4000000, therefore if is bypassed.
Then this section:
        oallowed = allowed = xstrdup(options.pubkey_accepted_algos);
        while ((cp = strsep(&allowed, ",")) != NULL) {
                if (sshkey_type_from_name(cp) != key->type)
                        continue;
                tmp = match_list(sshkey_sigalg_by_name(cp),
                    server_sig_algs, NULL);
                if (tmp != NULL)
                        alg = xstrdup(cp);
                free(tmp);
                if (alg != NULL)
                        break;
        }
Which passes.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list