From 58296a95f1c8d987a4b6834aa5998a2ba1d3f1c5 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Wed, 8 Aug 2007 15:57:50 +0000 Subject: [PATCH] Make dropbearkey only generate 1024 bit keys --HG-- extra : convert_revision : 8a7db1e2fdc5636abb338adb636babc32f465739 --- CHANGES | 4 ++++ dropbearkey.c | 8 ++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 7239fbd..27aa5cf 100644 --- a/CHANGES +++ b/CHANGES @@ -21,6 +21,10 @@ - Add -K argument, ensuring that data is transmitted over the connection at least every N seconds. +- dropbearkey will no longer generate DSS keys of sizes other than 1024 + bits, as required by the DSS specification. (Other sizes are still + accepted for use to provide backwards compatibility). + 0.49 - Fri 23 February 2007 - Security: dbclient previously would prompt to confirm a diff --git a/dropbearkey.c b/dropbearkey.c index 2433381..aff809f 100644 --- a/dropbearkey.c +++ b/dropbearkey.c @@ -75,6 +75,7 @@ static void printhelp(char * progname) { #endif "-f filename Use filename for the secret key\n" "-s bits Key size in bits, should be a multiple of 8 (optional)\n" + " (DSS has a fixed size of 1024 bits)\n" "-y Just print the publickey and fingerprint for the\n private key in .\n" #ifdef DEBUG_TRACE "-v verbose\n" @@ -187,8 +188,11 @@ int main(int argc, char ** argv) { fprintf(stderr, "Bits must be an integer\n"); exit(EXIT_FAILURE); } - - if (bits < 512 || bits > 4096 || (bits % 8 != 0)) { + + if (keytype == DROPBEAR_SIGNKEY_DSS && bits != 1024) { + fprintf(stderr, "DSS keys have a fixed size of 1024 bits\n"); + exit(EXIT_FAILURE); + } else if (bits < 512 || bits > 4096 || (bits % 8 != 0)) { fprintf(stderr, "Bits must satisfy 512 <= bits <= 4096, and be a" " multiple of 8\n"); exit(EXIT_FAILURE);