From 58296a95f1c8d987a4b6834aa5998a2ba1d3f1c5 Mon Sep 17 00:00:00 2001
From: Matt Johnston <matt@ucc.asn.au>
Date: Wed, 8 Aug 2007 15:57:50 +0000
Subject: [PATCH] Make dropbearkey only generate 1024 bit keys

--HG--
extra : convert_revision : 8a7db1e2fdc5636abb338adb636babc32f465739
---
 CHANGES       | 4 ++++
 dropbearkey.c | 8 ++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 7239fbde..27aa5cf0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -21,6 +21,10 @@
 - Add -K <keepalive_time> argument, ensuring that data is transmitted
   over the connection at least every N seconds.
 
+- dropbearkey will no longer generate DSS keys of sizes other than 1024
+  bits, as required by the DSS specification. (Other sizes are still
+  accepted for use to provide backwards compatibility).
+
 0.49 - Fri 23 February 2007
 
 - Security: dbclient previously would prompt to confirm a 
diff --git a/dropbearkey.c b/dropbearkey.c
index 24333818..aff809f3 100644
--- a/dropbearkey.c
+++ b/dropbearkey.c
@@ -75,6 +75,7 @@ static void printhelp(char * progname) {
 #endif
 					"-f filename	Use filename for the secret key\n"
 					"-s bits	Key size in bits, should be a multiple of 8 (optional)\n"
+					"           (DSS has a fixed size of 1024 bits)\n"
 					"-y		Just print the publickey and fingerprint for the\n		private key in <filename>.\n"
 #ifdef DEBUG_TRACE
 					"-v		verbose\n"
@@ -187,8 +188,11 @@ int main(int argc, char ** argv) {
 			fprintf(stderr, "Bits must be an integer\n");
 			exit(EXIT_FAILURE);
 		}
-	
-		if (bits < 512 || bits > 4096 || (bits % 8 != 0)) {
+		
+		if (keytype == DROPBEAR_SIGNKEY_DSS && bits != 1024) {
+			fprintf(stderr, "DSS keys have a fixed size of 1024 bits\n");
+			exit(EXIT_FAILURE);			
+		} else if (bits < 512 || bits > 4096 || (bits % 8 != 0)) {
 			fprintf(stderr, "Bits must satisfy 512 <= bits <= 4096, and be a"
 					" multiple of 8\n");
 			exit(EXIT_FAILURE);
-- 
GitLab