[Bug 2680] Regression in server-sig-algs offer in 7.4p1 (Deprecation of SHA1 is not being enforced)
bugzilla-daemon at bugzilla.mindrot.org
Thu Jul 20 23:08:56 AEST 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2680
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|FIXED |---
Status|RESOLVED |REOPENED
--- Comment #6 from Jakub Jelen <jjelen at redhat.com> ---
Although the patch looks reasonable and I considered it a resolved
issue, it is not, as the current master (openssh 7.5) still reports:
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,null>
The problem is in the order of the checks in the condition
"!include_sigonly && kt->sigonly". With the following patch I can see
the correct list offered by the server again:
diff --git a/sshkey.c b/sshkey.c
--- a/sshkey.c
+++ b/sshkey.c
@@ -203,7 +203,7 @@ sshkey_alg_list(int certs_only, int plain_only, int
include_sigonly, char sep)
for (kt = keytypes; kt->type != -1; kt++) {
if (kt->name == NULL)
continue;
- if (!include_sigonly && kt->sigonly)
+ if (include_sigonly && !kt->sigonly)
continue;
if ((certs_only && !kt->cert) || (plain_only &&
kt->cert))
continue;
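Review bot: The replacement condition on the `+` line, `if (include_sigonly && !kt->sigonly)`, inverts the filter rather than reordering it: with include_sigonly set it skips every entry that is not signature-only, and with include_sigonly clear it no longer skips signature-only entries at all. The first effect shows in the resulting list, which drops ssh-ed25519 and the ecdsa-sha2-* names together with ssh-rsa and ssh-dss. The second means any caller passing include_sigonly as 0 would start receiving the names that the removed line filtered out. If the intent is a list restricted to signature-only algorithms, keep `if (!include_sigonly && kt->sigonly)` and add a separately named parameter for the new filter, so the flag name still matches its behaviour and existing callers are unaffected.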
The correct list:
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>