[openwrt/openwrt] dropbear: make rsa-sha2-256 pubkeys usable again

[LEDE Commits]

ynezz pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/4e57fd5adaf0c937da1e947f32dfa9ae513637a5

commit 4e57fd5adaf0c937da1e947f32dfa9ae513637a5
Author: Petr Štetiar <ynezz at true.cz>
AuthorDate: Wed Jul 1 12:29:44 2020 +0200

    dropbear: make rsa-sha2-256 pubkeys usable again
    
    Upstream in commit 972d723484d8 ("split signkey_type and signature_type
    for RSA sha1 vs sha256") has added strict checking of pubkey algorithms
    which made keys with SHA-256 hashing algorithm unusable as they still
    reuse the `ssh-rsa` public key format. So fix this by disabling the
    check for `rsa-sha2-256` pubkeys.
    
    Ref: https://tools.ietf.org/html/rfc8332#section-3
    Fixes: d4c80f5b172e ("dropbear: bump to 2020.80")
    Tested-by: Russell Senior <russell at personaltelco.net>
    Signed-off-by: Petr Štetiar <ynezz at true.cz>
---
 ...0-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch | 40 ++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
new file mode 100644
index 0000000000..afa0ebb310
--- /dev/null
+++ b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
@@ -0,0 +1,40 @@
+From 667d9b75df86ec9ee1205f9101beb8dbbe4a00ae Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz at true.cz>
+Date: Wed, 1 Jul 2020 11:38:33 +0200
+Subject: [PATCH] signkey: fix use of rsa-sha2-256 pubkeys
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit 972d723484d8 ("split signkey_type and signature_type for RSA sha1
+vs sha256") has added strict checking of pubkey algorithms which made
+keys with SHA-256 hashing algorithm unusable as they still reuse the
+`ssh-rsa` public key format. So fix this by disabling the check for
+rsa-sha2-256 pubkeys.
+
+Ref: https://tools.ietf.org/html/rfc8332#section-3
+Fixes: 972d723484d8 ("split signkey_type and signature_type for RSA sha1 vs sha256")
+Signed-off-by: Petr Štetiar <ynezz at true.cz>
+---
+ signkey.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/signkey.c b/signkey.c
+index 92fe6a242cd0..d16ab174d83a 100644
+--- a/signkey.c
++++ b/signkey.c
+@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *key, enum signature_type expect_sigtype,
+ 	sigtype = signature_type_from_name(type_name, type_name_len);
+ 	m_free(type_name);
+ 
+-	if (expect_sigtype != sigtype) {
+-			dropbear_exit("Non-matching signing type");
++	if (sigtype == DROPBEAR_SIGNATURE_NONE) {
++		dropbear_exit("No signature type");
++	}
++
++	if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
++		dropbear_exit("Non-matching signing type");
+ 	}
+ 
+ 	keytype = signkey_type_from_signature(sigtype);