[Bug 3351] RSA SHA256 certificates no longer work
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Fri Oct 8 23:45:17 AEDT 2021
https://bugzilla.mindrot.org/show_bug.cgi?id=3351
--- Comment #7 from denisenkom at gmail.com ---
Adding my findings about difference between 7.4 and 8.8
On 7.4 when this condition is executed:
if (ssh == NULL || ssh->kex->server_sig_algs == NULL ||
(key->type != KEY_RSA && key->type != KEY_RSA_CERT) ||
(key->type == KEY_RSA_CERT && (ssh->compat &
SSH_BUG_SIGTYPE))) {
/* Filter base key signature alg against our
configuration */
return match_list(sshkey_ssh_name(key),
options.pubkey_accepted_algos, NULL);
}
the ssh->compat is equal 0x4000006, which is causing "ssh->compat &
SSH_BUG_SIGTYPE" to be true, and therefore execution enters that if and
then match_list returns false, causing rejection.
On 8.8 the ssh->compat is equal 0x4000000, therefore if is bypassed.
Then this section:
oallowed = allowed = xstrdup(options.pubkey_accepted_algos);
while ((cp = strsep(&allowed, ",")) != NULL) {
if (sshkey_type_from_name(cp) != key->type)
continue;
tmp = match_list(sshkey_sigalg_by_name(cp),
server_sig_algs, NULL);
if (tmp != NULL)
alg = xstrdup(cp);
free(tmp);
if (alg != NULL)
break;
}
Which passes.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list