mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-14 00:40:12 +00:00
b5cde26048
critical fixes: - libtommath: possible integer overflow (CVE-2023-36328) - implement Strict KEX mode (CVE-2023-48795) various fixes: - fix DROPBEAR_DSS and DROPBEAR_RSA config options - y2038 issues - remove SO_LINGER socket option - make banner reading failure non-fatal - fix "noremotetcp" behavior - don't try to shutdown a pty - fix test for multiuser kernels adds new features: - option to bind to interface - allow inetd with non-syslog - ignore unsupported command line options with dropbearkey Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
95 lines
2.8 KiB
Diff
95 lines
2.8 KiB
Diff
From a113381c12a2da3c9b7bd594f47a1b2657bdfdf2 Mon Sep 17 00:00:00 2001
|
|
From: Matt Johnston <matt@ucc.asn.au>
|
|
Date: Sun, 12 Feb 2023 22:44:32 +0800
|
|
Subject: Disable rsa signatures when no rsa hostkey
|
|
|
|
Otherwise Dropbear will offer RSA as a hostkey signature option, but the
|
|
session will exit with an assertion or NULL pointer dereference once
|
|
that algorithm is negotiated.
|
|
|
|
This likely regressed in 2020.79 when signature vs key type enums were
|
|
split, for rsa-sha256.
|
|
|
|
Fixes #219 on github
|
|
---
|
|
svr-runopts.c | 21 +++++++++++----------
|
|
1 file changed, 11 insertions(+), 10 deletions(-)
|
|
|
|
--- a/svr-runopts.c
|
|
+++ b/svr-runopts.c
|
|
@@ -505,11 +505,11 @@ static void addportandaddress(const char
|
|
svr_opts.portcount++;
|
|
}
|
|
|
|
-static void disablekey(int type) {
|
|
+static void disablekey(enum signature_type type) {
|
|
int i;
|
|
TRACE(("Disabling key type %d", type))
|
|
for (i = 0; sigalgs[i].name != NULL; i++) {
|
|
- if (sigalgs[i].val == type) {
|
|
+ if ((int)sigalgs[i].val == (int)type) {
|
|
sigalgs[i].usable = 0;
|
|
break;
|
|
}
|
|
@@ -624,7 +624,8 @@ void load_all_hostkeys() {
|
|
|
|
#if DROPBEAR_RSA
|
|
if (!svr_opts.delay_hostkey && !svr_opts.hostkey->rsakey) {
|
|
- disablekey(DROPBEAR_SIGNKEY_RSA);
|
|
+ disablekey(DROPBEAR_SIGNATURE_RSA_SHA256);
|
|
+ disablekey(DROPBEAR_SIGNATURE_RSA_SHA1);
|
|
} else {
|
|
any_keys = 1;
|
|
}
|
|
@@ -632,7 +633,7 @@ void load_all_hostkeys() {
|
|
|
|
#if DROPBEAR_DSS
|
|
if (!svr_opts.delay_hostkey && !svr_opts.hostkey->dsskey) {
|
|
- disablekey(DROPBEAR_SIGNKEY_DSS);
|
|
+ disablekey(DROPBEAR_SIGNATURE_DSS);
|
|
} else {
|
|
any_keys = 1;
|
|
}
|
|
@@ -666,35 +667,35 @@ void load_all_hostkeys() {
|
|
#if DROPBEAR_ECC_256
|
|
if (!svr_opts.hostkey->ecckey256
|
|
&& (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 256 )) {
|
|
- disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP256);
|
|
+ disablekey(DROPBEAR_SIGNATURE_ECDSA_NISTP256);
|
|
}
|
|
#endif
|
|
#if DROPBEAR_ECC_384
|
|
if (!svr_opts.hostkey->ecckey384
|
|
&& (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 384 )) {
|
|
- disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP384);
|
|
+ disablekey(DROPBEAR_SIGNATURE_ECDSA_NISTP384);
|
|
}
|
|
#endif
|
|
#if DROPBEAR_ECC_521
|
|
if (!svr_opts.hostkey->ecckey521
|
|
&& (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 521 )) {
|
|
- disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP521);
|
|
+ disablekey(DROPBEAR_SIGNATURE_ECDSA_NISTP521);
|
|
}
|
|
#endif
|
|
#endif /* DROPBEAR_ECDSA */
|
|
|
|
#if DROPBEAR_ED25519
|
|
if (!svr_opts.delay_hostkey && !svr_opts.hostkey->ed25519key) {
|
|
- disablekey(DROPBEAR_SIGNKEY_ED25519);
|
|
+ disablekey(DROPBEAR_SIGNATURE_ED25519);
|
|
} else {
|
|
any_keys = 1;
|
|
}
|
|
#endif
|
|
#if DROPBEAR_SK_ECDSA
|
|
- disablekey(DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256);
|
|
+ disablekey(DROPBEAR_SIGNATURE_SK_ECDSA_NISTP256);
|
|
#endif
|
|
#if DROPBEAR_SK_ED25519
|
|
- disablekey(DROPBEAR_SIGNKEY_SK_ED25519);
|
|
+ disablekey(DROPBEAR_SIGNATURE_SK_ED25519);
|
|
#endif
|
|
|
|
if (!any_keys) {
|