diff options
author | Matt Johnston <matt@ucc.asn.au> | 2022-03-24 13:42:08 +0800 |
---|---|---|
committer | Matt Johnston <matt@ucc.asn.au> | 2022-03-24 13:42:08 +0800 |
commit | 5af2b90518cc0a7014467e29da6f3f9efbc7dfe1 (patch) | |
tree | 64209b762bd6ef10ba84abda3c02f6f230023adf | |
parent | 683c0dc0e1c1ff656fc42f4d9c8ab25fe839d476 (diff) | |
download | dropbear-5af2b90518cc0a7014467e29da6f3f9efbc7dfe1.tar.gz |
Revert "Don't include sk keys at all in KEX list"
This reverts git commit f972813ecdc7bb981d25b5a63638bd158f1c8e72.
The sk algorithms need to remain in the sigalgs list so that they
are included in the server-sig-algs ext-info message sent by
the server. RFC8308 for server-sig-algs requires that all algorithms are
listed (though OpenSSH client 8.4p1 tested doesn't require that)
-rw-r--r-- | common-algo.c | 6 | ||||
-rw-r--r-- | svr-runopts.c | 6 |
2 files changed, 12 insertions, 0 deletions
diff --git a/common-algo.c b/common-algo.c index 275969e..b9ad4ae 100644 --- a/common-algo.c +++ b/common-algo.c @@ -239,6 +239,9 @@ algo_type ssh_nocompress[] = { algo_type sigalgs[] = { #if DROPBEAR_ED25519 {"ssh-ed25519", DROPBEAR_SIGNATURE_ED25519, NULL, 1, NULL}, +#if DROPBEAR_SK_ED25519 + {"sk-ssh-ed25519@openssh.com", DROPBEAR_SIGNATURE_SK_ED25519, NULL, 1, NULL}, +#endif #endif #if DROPBEAR_ECDSA #if DROPBEAR_ECC_256 @@ -250,6 +253,9 @@ algo_type sigalgs[] = { #if DROPBEAR_ECC_521 {"ecdsa-sha2-nistp521", DROPBEAR_SIGNATURE_ECDSA_NISTP521, NULL, 1, NULL}, #endif +#if DROPBEAR_SK_ECDSA + {"sk-ecdsa-sha2-nistp256@openssh.com", DROPBEAR_SIGNATURE_SK_ECDSA_NISTP256, NULL, 1, NULL}, +#endif #endif #if DROPBEAR_RSA #if DROPBEAR_RSA_SHA256 diff --git a/svr-runopts.c b/svr-runopts.c index ada2e08..ac43db1 100644 --- a/svr-runopts.c +++ b/svr-runopts.c @@ -687,6 +687,12 @@ void load_all_hostkeys() { any_keys = 1; } #endif +#if DROPBEAR_SK_ECDSA + disablekey(DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256); +#endif +#if DROPBEAR_SK_ED25519 + disablekey(DROPBEAR_SIGNKEY_SK_ED25519); +#endif if (!any_keys) { dropbear_exit("No hostkeys available. 'dropbear -R' may be useful or run dropbearkey."); |