[Bug 2680] Regression in server-sig-algs offer in 7.4p1 (Deprecation of SHA1 is not being enforced)

[bugzilla-daemon at bugzilla.mindrot.org]

https://bugzilla.mindrot.org/show_bug.cgi?id=2680

Jakub Jelen <jjelen at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |---
             Status|RESOLVED                    |REOPENED

--- Comment #6 from Jakub Jelen <jjelen at redhat.com> ---
Although the patch looks reasonable and I considered it as a resolved
issue, it is not as the current master (openssh 7.5) still reports:

debug1: kex_input_ext_info:
server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,null>

The problem is in the order of the checks in the condition
"!include_sigonly && kt->sigonly". With the following patch I can see
the correct list offered by the server again:

diff --git a/sshkey.c b/sshkey.c
--- a/sshkey.c
+++ b/sshkey.c
@@ -203,7 +203,7 @@ sshkey_alg_list(int certs_only, int plain_only, int
include_sigonly, char sep)
        for (kt = keytypes; kt->type != -1; kt++) {
                if (kt->name == NULL)
                        continue;
-               if (!include_sigonly && kt->sigonly)
+               if (include_sigonly && !kt->sigonly)
                        continue;
                if ((certs_only && !kt->cert) || (plain_only &&
kt->cert))
                        continue;

The correct list:

debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.