bugzilla-daemon at mindrot.org
2023-Aug-29 22:59 UTC
[Bug 3356] sshconnect2: SSH_MSG_EXT_INFO implementation seems broken based on RFC 8308
https://bugzilla.mindrot.org/show_bug.cgi?id=3356
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 3725
--> https://bugzilla.mindrot.org/attachment.cgi?id=3725&action=edit
relax reception of 2nd EXT_INFO message
Yes, this is a bug :(
Unfortunately, the 2nd KEX_INFO message is fairly useless anyway
because it happens too late to affect userauth. E.g. it's not possible
to use EXT_INFO to vary server-sig-algs per user which is the one thing
we'd want to be able to do with it currently.
It would be usable for the other options in RFC8308, but IMO they are
either irrelevant to OpenSSH ("elevation"), already implemented
differently in OpenSSH ("zlib@openssh.com") or just useless:
"no-flow-control" (a peer could just advertise arbitrarily large
channel windows).
The attached patch relaxes reception of the 2nd EXT_INFO message to
allow it at any time during userauth. This makes us bug-compatible with
OpenSSH <9.5, compatible with the spec and potentially usable for
advertising server-sig-algs during userauth (though doing so would be a
separate violation of RFC8308).
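
A model of the placement rule discussed in the comment above, as an added example (not OpenSSH code and not the attached patch): RFC 8308 lets a server send SSH_MSG_EXT_INFO right after its first SSH_MSG_NEWKEYS and again immediately before SSH_MSG_USERAUTH_SUCCESS, while the relaxed policy accepts the second one anywhere during userauth. The policy names, the trace arrays and the limit of one EXT_INFO during userauth are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>

/* SSH message numbers from RFC 4250, RFC 4252 and RFC 8308. */
enum { MSG_SERVICE_ACCEPT = 6, MSG_EXT_INFO = 7, MSG_NEWKEYS = 21,
       MSG_USERAUTH_FAILURE = 51, MSG_USERAUTH_SUCCESS = 52 };

enum policy { STRICT_RFC8308, RELAXED_USERAUTH };  /* hypothetical names */

/* Constructed server-to-client traces (message type bytes only). */
const unsigned char T_SPEC[]  = { 21, 7, 6, 51, 7, 52 };  /* just before SUCCESS */
const unsigned char T_EARLY[] = { 21, 7, 6, 7, 51, 52 };  /* earlier in userauth */
const unsigned char T_LATE[]  = { 21, 7, 6, 52, 7 };      /* after SUCCESS */
const unsigned char T_REKEY[] = { 21, 7, 6, 52, 21, 7 };  /* after a rekey */

/*
 * Return the index of the first misplaced SSH_MSG_EXT_INFO in a trace of
 * messages received by the client, or -1 if all are acceptable.
 * Assumptions: SERVICE_ACCEPT is for "ssh-userauth"; at most one EXT_INFO is
 * accepted during userauth; a trace that ends on EXT_INFO fails STRICT.
 */
int first_bad_ext_info(const unsigned char *m, size_t n, enum policy p)
{
    int newkeys = 0, in_userauth = 0, authed = 0, second_seen = 0;

    for (size_t i = 0; i < n; i++) {
        switch (m[i]) {
        case MSG_NEWKEYS:          newkeys++; break;
        case MSG_SERVICE_ACCEPT:   in_userauth = !authed; break;
        case MSG_USERAUTH_SUCCESS: in_userauth = 0; authed = 1; break;
        case MSG_EXT_INFO:
            if (i > 0 && m[i - 1] == MSG_NEWKEYS && newkeys == 1)
                break;              /* first slot: right after first NEWKEYS */
            if (!in_userauth || second_seen)
                return (int)i;      /* outside userauth, or a repeat */
            if (p == STRICT_RFC8308 &&
                (i + 1 >= n || m[i + 1] != MSG_USERAUTH_SUCCESS))
                return (int)i;      /* spec: immediately before SUCCESS */
            second_seen = 1;
            break;
        }
    }
    return -1;
}

int main(void)
{
    printf("early, strict:  %d\n", first_bad_ext_info(T_EARLY, sizeof T_EARLY, STRICT_RFC8308));
    printf("early, relaxed: %d\n", first_bad_ext_info(T_EARLY, sizeof T_EARLY, RELAXED_USERAUTH));
    return 0;
}
```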
