author | Matt Johnston <matt@ucc.asn.au> | 2023-02-12 22:44:32 +0800 |
---|---|---|
committer | Matt Johnston <matt@ucc.asn.au> | 2023-02-12 22:44:32 +0800 |
commit | a113381c12a2da3c9b7bd594f47a1b2657bdfdf2 (patch) | |
tree | c605f7f92ec78ea7e9f72655ced341930d648d28 | |
parent | 9defeb477aebf0eb575885eb1fd4a4330ce52531 (diff) | |
download | dropbear-a113381c12a2da3c9b7bd594f47a1b2657bdfdf2.tar.gz |
Disable rsa signatures when no rsa hostkey
Otherwise Dropbear will offer RSA as a hostkey signature option, but the
session will exit with an assertion or NULL pointer dereference once
that algorithm is negotiated.
This likely regressed in 2020.79, when the signature-type and key-type enums were split to support rsa-sha256.
Fixes #219 on github
-rw-r--r-- | svr-runopts.c | 21 |
1 files changed, 11 insertions, 10 deletions
diff --git a/svr-runopts.c b/svr-runopts.c
index cb92595..48d6cbf 100644
--- a/svr-runopts.c
+++ b/svr-runopts.c
@@ -505,11 +505,11 @@ static void addportandaddress(const char* spec) {
 svr_opts.portcount++;
 }
-static void disablekey(int type) {
+static void disablekey(enum signature_type type) {
 int i;
 TRACE(("Disabling key type %d", type))
 for (i = 0; sigalgs[i].name != NULL; i++) {
- if (sigalgs[i].val == type) {
+ if ((int)sigalgs[i].val == (int)type) {
 sigalgs[i].usable = 0;
 break;
 }
@@ -624,7 +624,8 @@ void load_all_hostkeys() {
 #if DROPBEAR_RSA
 if (!svr_opts.delay_hostkey && !svr_opts.hostkey->rsakey) {
- disablekey(DROPBEAR_SIGNKEY_RSA);
+ disablekey(DROPBEAR_SIGNATURE_RSA_SHA256);
+ disablekey(DROPBEAR_SIGNATURE_RSA_SHA1);
 } else {
 any_keys = 1;
 }
@@ -632,7 +633,7 @@ void load_all_hostkeys() {
 #if DROPBEAR_DSS
 if (!svr_opts.delay_hostkey && !svr_opts.hostkey->dsskey) {
- disablekey(DROPBEAR_SIGNKEY_DSS);
+ disablekey(DROPBEAR_SIGNATURE_DSS);
 } else {
 any_keys = 1;
 }
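Review bot: disablekey() still returns silently when `type` matches no entry in sigalgs[], which is exactly the failure mode this commit is fixing — a signature algorithm that never gets marked unusable is later offered and negotiated with no hostkey behind it. A not-found case is legitimate when an algorithm is compiled out, so an abort would be wrong, but the trace should say what happened; add a `found` flag and after the loop emit `TRACE(("disablekey: no sigalg entry for %d", type))` so a future enum split is visible in a trace run. The new `(int)` casts on the comparison also deserve a one-line comment stating why the two sides are different enum types, since a reader will otherwise take the cast for a bug. The function body continues past the end of this hunk.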
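Review bot: The RSA branch now depends on every RSA signature flavour being enumerated by hand; the original bug was a single stale constant, and the same class of regression returns the moment another `DROPBEAR_SIGNATURE_RSA_*` value is added (or one of the two listed is compiled out and the other is not). If sigalgs[] carries the key type of each entry, disabling by key type here would be the robust fix; failing that, add a comment at the two calls: `/* every RSA signature type must be disabled here, otherwise it is offered without a hostkey (see #219) */`. The DSS branch in the second hunk is fine as is because it has a single signature type. load_all_hostkeys() starts before and continues after these hunks.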
@@ -666,35 +667,35 @@ void load_all_hostkeys() {
 #if DROPBEAR_ECC_256
 if (!svr_opts.hostkey->ecckey256 && (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 256 )) {
- disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP256);
+ disablekey(DROPBEAR_SIGNATURE_ECDSA_NISTP256);
 }
 #endif
 #if DROPBEAR_ECC_384
 if (!svr_opts.hostkey->ecckey384 && (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 384 )) {
- disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP384);
+ disablekey(DROPBEAR_SIGNATURE_ECDSA_NISTP384);
 }
 #endif
 #if DROPBEAR_ECC_521
 if (!svr_opts.hostkey->ecckey521 && (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 521 )) {
- disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP521);
+ disablekey(DROPBEAR_SIGNATURE_ECDSA_NISTP521);
 }
 #endif
 #endif /* DROPBEAR_ECDSA */
 #if DROPBEAR_ED25519
 if (!svr_opts.delay_hostkey && !svr_opts.hostkey->ed25519key) {
- disablekey(DROPBEAR_SIGNKEY_ED25519);
+ disablekey(DROPBEAR_SIGNATURE_ED25519);
 } else {
 any_keys = 1;
 }
 #endif
 #if DROPBEAR_SK_ECDSA
- disablekey(DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256);
+ disablekey(DROPBEAR_SIGNATURE_SK_ECDSA_NISTP256);
 #endif
 #if DROPBEAR_SK_ED25519
- disablekey(DROPBEAR_SIGNKEY_SK_ED25519);
+ disablekey(DROPBEAR_SIGNATURE_SK_ED25519);
 #endif
 if (!any_keys) { |