[openwrt/openwrt.git] / package / network / services / dropbear / patches / 910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
1 From 667d9b75df86ec9ee1205f9101beb8dbbe4a00ae Mon Sep 17 00:00:00 2001
2 From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
3 Date: Wed, 1 Jul 2020 11:38:33 +0200
4 Subject: [PATCH] signkey: fix use of rsa-sha2-256 pubkeys
5 MIME-Version: 1.0
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
8
9 Commit 972d723484d8 ("split signkey_type and signature_type for RSA sha1
10 vs sha256") has added strict checking of pubkey algorithms which made
11 keys with SHA-256 hashing algorithm unusable as they still reuse the
12 `ssh-rsa` public key format. So fix this by disabling the check for
13 rsa-sha2-256 pubkeys.
14
15 Ref: https://tools.ietf.org/html/rfc8332#section-3
16 Fixes: 972d723484d8 ("split signkey_type and signature_type for RSA sha1 vs sha256")
17 Signed-off-by: Petr Štetiar <ynezz@true.cz>
18 ---
19 signkey.c | 8 ++++++--
20 1 file changed, 6 insertions(+), 2 deletions(-)
21
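--- a/signkey.c
+++ b/signkey.c
@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *key, enum signature_type expect_sigtype,
 sigtype = signature_type_from_name(type_name, type_name_len);
 m_free(type_name);
 
- if (expect_sigtype != sigtype) {
- dropbear_exit("Non-matching signing type");
+ if (sigtype == DROPBEAR_SIGNATURE_NONE) {
+ dropbear_exit("No signature type");
+ }
+
+ if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
+ dropbear_exit("Non-matching signing type");
 }
 
 keytype = signkey_type_from_signature(sigtype);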
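Review bot: The second check in buf_verify is skipped entirely whenever `expect_sigtype` is `DROPBEAR_SIGNATURE_RSA_SHA256`, so any signature type other than NONE is accepted where a SHA-256 RSA signature was expected, including a SHA-1 `ssh-rsa` signature or a non-RSA type. That is wider than the commit message's stated goal (keys that reuse the `ssh-rsa` public key format) and loosens the algorithm binding the original comparison enforced. If the only mismatch that has to be tolerated is the RSA SHA-1 name, the exemption could be limited to that pair, e.g. `if (expect_sigtype != sigtype && !(expect_sigtype == DROPBEAR_SIGNATURE_RSA_SHA256 && sigtype == DROPBEAR_SIGNATURE_RSA_SHA1)) {`, with a comment citing RFC 8332 section 3 for the reason. On the last line `keytype` is derived from the peer-supplied `sigtype`; whether it is then compared against `key` cannot be seen here, since buf_verify's body starts and ends outside the hunk.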