|
|
@@ -0,0 +1,40 @@
|
|
|
+From 667d9b75df86ec9ee1205f9101beb8dbbe4a00ae Mon Sep 17 00:00:00 2001
|
|
|
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <[email protected]>
|
|
|
+Date: Wed, 1 Jul 2020 11:38:33 +0200
|
|
|
+Subject: [PATCH] signkey: fix use of rsa-sha2-256 pubkeys
|
|
|
+MIME-Version: 1.0
|
|
|
+Content-Type: text/plain; charset=UTF-8
|
|
|
+Content-Transfer-Encoding: 8bit
|
|
|
+
|
|
|
+Commit 972d723484d8 ("split signkey_type and signature_type for RSA sha1
|
|
|
+vs sha256") has added strict checking of pubkey algorithms which made
|
|
|
+keys with SHA-256 hashing algorithm unusable as they still reuse the
|
|
|
+`ssh-rsa` public key format. So fix this by disabling the check for
|
|
|
+rsa-sha2-256 pubkeys.
|
|
|
+
|
|
|
+Ref: https://tools.ietf.org/html/rfc8332#section-3
|
|
|
+Fixes: 972d723484d8 ("split signkey_type and signature_type for RSA sha1 vs sha256")
|
|
|
+Signed-off-by: Petr Štetiar <[email protected]>
|
|
|
+---
|
|
|
+ signkey.c | 8 ++++++--
|
|
|
+ 1 file changed, 6 insertions(+), 2 deletions(-)
|
|
|
+
|
|
|
+diff --git a/signkey.c b/signkey.c
|
|
|
+index 92fe6a242cd0..d16ab174d83a 100644
|
|
|
+--- a/signkey.c
|
|
|
++++ b/signkey.c
|
|
|
+@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *key, enum signature_type expect_sigtype,
|
|
|
+ sigtype = signature_type_from_name(type_name, type_name_len);
|
|
|
+ m_free(type_name);
|
|
|
+
|
|
|
+- if (expect_sigtype != sigtype) {
|
|
|
+- dropbear_exit("Non-matching signing type");
|
|
|
++ if (sigtype == DROPBEAR_SIGNATURE_NONE) {
|
|
|
++ dropbear_exit("No signature type");
|
|
|
++ }
|
|
|
++
|
|
|
++ if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
|
|
|
++ dropbear_exit("Non-matching signing type");
|
|
|
+ }
|
|
|
+
|
|
|
+ keytype = signkey_type_from_signature(sigtype);
|
Petr Štetiar