openssh bugs - Mar 2016 - [Bug 2547] New: ssh-ext-info: missing server signature algorithms

https://bugzilla.mindrot.org/show_bug.cgi?id=2547

            Bug ID: 2547
           Summary: ssh-ext-info: missing server signature algorithms
           Product: Portable OpenSSH
           Version: 7.2p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mb at smartftp.com

In the "server-sig-algs" extension the server sends to the client,
sshd
only includes the rsa signature algorithms [1]:
    (r = sshpkt_put_cstring(ssh, "rsa-sha2-256,rsa-sha2-512")) != 0 ||

However, it should include all signature algorithms (including
ecdsa-sha2-*, ssh-ed25519, etc) it supports.

This is what the RFC [2] says:
    string      "server-sig-algs"

  This extension is sent by the server only, and contains a list of
  signature algorithms that the server is able to process as part of a
  "publickey" request.

You may have incorrectly assumed that there is only 1 signature
algorithm for the omitted public key algorithms. For example for ECDSA
private keys there are at least two known signature algorithms:
ecdsa-sha2-nistp256
x509v3-ecdsa-sha2-nistp256 (from rfc6187)

References:
[1] https://github.com/openssh/openssh-portable/blob/master/kex.c#L344
[2] https://tools.ietf.org/html/draft-ssh-ext-info-05#section-3.1

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2547

Mat <mb at smartftp.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mb at smartftp.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2547

--- Comment #1 from Mat <mb at smartftp.com> ---
Correction:
The following example is incorrect:
"You may have incorrectly assumed that there is only 1 signature
algorithm for the omitted public key algorithms. For example for ECDSA
private keys there are at least two known signature algorithms:
ecdsa-sha2-nistp256
x509v3-ecdsa-sha2-nistp256 (from rfc6187)"

Both public key formats use the same signature algorithm.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2547

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
             Blocks|                            |2594

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Thanks - I've committed a fix for this.


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2594
[Bug 2594] Tracking bug for OpenSSH 7.4 release
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2547

Nuno Goncalves <nunojpg at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nunojpg at gmail.com
         Resolution|FIXED                       |---
             Status|RESOLVED                    |REOPENED

--- Comment #3 from Nuno Goncalves <nunojpg at gmail.com> ---
I believe the commit to fix this have created a regression:

OpenSSH 7.3p1:
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>

OpenSSH 7.4p1:
debug1: kex_input_ext_info:
server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>

This former two algs, which worked, are now no longer list as supported
and the client ends up using ssh-rsa.

I've tried to hardcode at least rsa-sha2-256 back again and it works on
the client.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2547

Nuno Goncalves <nunojpg at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |MOVED

--- Comment #4 from Nuno Goncalves <nunojpg at gmail.com> ---
Filled as new bug under #2680.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2547

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after release of OpenSSH 7.7.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.