mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-24 07:46:48 +00:00
65256aee23
- update dropbear to latest stable 2022.82; for the changes see https://matt.ucc.asn.au/dropbear/CHANGES - use $(AUTORELEASE) in PKG_RELEASE - use https for all uris - refresh all patches - rewrite patches: - 100-pubkey_path.patch - 130-ssh_ignore_x_args.patch binary/pkg size changes: - ath79/generic, mips: - binary: 215112 -> 219228 (+4116) - pkg: 111914 -> 113404 (+1490) - ath79/tiny, mips: - binary: 172501 -> 172485 (-16) - pkg: 89871 -> 90904 (+1033) Tested-by: Stijn Segers <foss@volatilesystems.org> Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
39 lines
1.4 KiB
Diff
39 lines
1.4 KiB
Diff
From 667d9b75df86ec9ee1205f9101beb8dbbe4a00ae Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
|
|
Date: Wed, 1 Jul 2020 11:38:33 +0200
|
|
Subject: [PATCH] signkey: fix use of rsa-sha2-256 pubkeys
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Commit 972d723484d8 ("split signkey_type and signature_type for RSA sha1
|
|
vs sha256") has added strict checking of pubkey algorithms which made
|
|
keys with SHA-256 hashing algorithm unusable as they still reuse the
|
|
`ssh-rsa` public key format. So fix this by disabling the check for
|
|
rsa-sha2-256 pubkeys.
|
|
|
|
Ref: https://tools.ietf.org/html/rfc8332#section-3
|
|
Fixes: 972d723484d8 ("split signkey_type and signature_type for RSA sha1 vs sha256")
|
|
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
|
---
|
|
signkey.c | 8 ++++++--
|
|
1 file changed, 6 insertions(+), 2 deletions(-)
|
|
|
|
--- a/signkey.c
|
|
+++ b/signkey.c
|
|
@@ -646,8 +646,12 @@ int buf_verify(buffer * buf, sign_key *k
|
|
sigtype = signature_type_from_name(type_name, type_name_len);
|
|
m_free(type_name);
|
|
|
|
- if (expect_sigtype != sigtype) {
|
|
- dropbear_exit("Non-matching signing type");
|
|
+ if (sigtype == DROPBEAR_SIGNATURE_NONE) {
|
|
+ dropbear_exit("No signature type");
|
|
+ }
|
|
+
|
|
+ if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
|
|
+ dropbear_exit("Non-matching signing type");
|
|
}
|
|
|
|
keytype = signkey_type_from_signature(sigtype);
|