openwrt/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
Konstantin Demin f230d00e64 dropbear: bump to 2024.85
- update dropbear to latest stable 2024.85;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- drop cherry-picked patches (merged in release 2024.84)
- refresh remaining patches

Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-05-09 19:35:20 +02:00

45 lines
1.5 KiB
Diff

From 667d9b75df86ec9ee1205f9101beb8dbbe4a00ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
Date: Wed, 1 Jul 2020 11:38:33 +0200
Subject: [PATCH] signkey: fix use of rsa-sha2-256 pubkeys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit 972d723484d8 ("split signkey_type and signature_type for RSA sha1
vs sha256") has added strict checking of pubkey algorithms which made
keys with SHA-256 hashing algorithm unusable as they still reuse the
`ssh-rsa` public key format. So fix this by disabling the check for
rsa-sha2-256 pubkeys.
Ref: https://tools.ietf.org/html/rfc8332#section-3
Fixes: 972d723484d8 ("split signkey_type and signature_type for RSA sha1 vs sha256")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
---
signkey.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/src/signkey.c
+++ b/src/signkey.c
@@ -652,10 +652,18 @@ int buf_verify(buffer * buf, sign_key *k
sigtype = signature_type_from_name(type_name, type_name_len);
m_free(type_name);
- if (expect_sigtype != sigtype) {
- dropbear_exit("Non-matching signing type");
+ if (sigtype == DROPBEAR_SIGNATURE_NONE) {
+ dropbear_exit("No signature type");
}
+#if DROPBEAR_RSA
+#if DROPBEAR_RSA_SHA256
+ if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
+ dropbear_exit("Non-matching signing type");
+ }
+#endif
+#endif
+
keytype = signkey_type_from_signature(sigtype);
#if DROPBEAR_DSS
if (keytype == DROPBEAR_SIGNKEY_DSS) {