diff mbox series

[v3,1/3] dropbear: create a submenu for public key algorithms

Message ID 20201115195523.29448-2-rsalvaterra@gmail.com
State New
Headers show
Series dropbear: overhaul the crypto algorithm selection | expand

Commit Message

Rui Salvaterra Nov. 15, 2020, 7:55 p.m. UTC
This allows the user to select only the public key algorithms (s)he requires
(e.g., disabling RSA and keeping only Ed25519). The default selection maintains
the current functionality.

Additionally, make sure at least one public key algorithm is selected, lest the
build would fail.

Dropbear executable sizes (ath79, -O2):

	RSA + Ed25519:	210101 bytes
	RSA only:	197765 bytes
	Ed25519 only:	189637 bytes

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
---
 package/network/services/dropbear/Config.in   | 27 ++++++++++++++-----
 package/network/services/dropbear/Makefile    | 23 +++++++++++-----
 .../dropbear/files/dropbear.failsafe.ecc      |  8 ++++++
 .../dropbear/files/dropbear.failsafe.ed25519  |  8 ++++++
 ...ropbear.failsafe => dropbear.failsafe.rsa} |  0
 ...nkey-fix-use-of-rsa-sha2-256-pubkeys.patch | 12 ++++++---
 6 files changed, 63 insertions(+), 15 deletions(-)
 create mode 100644 package/network/services/dropbear/files/dropbear.failsafe.ecc
 create mode 100644 package/network/services/dropbear/files/dropbear.failsafe.ed25519
 rename package/network/services/dropbear/files/{dropbear.failsafe => dropbear.failsafe.rsa} (100%)
 mode change 100755 => 100644
diff mbox series

Patch

diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
index 6aa5a7e4e1..d2771eca93 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -1,14 +1,13 @@ 
 menu "Configuration"
 	depends on PACKAGE_dropbear
 
-config DROPBEAR_CURVE25519
-	bool "Curve25519 support"
+menu "Public key algorithm selection"
+
+config DROPBEAR_RSA
+	bool "RSA support"
 	default y
 	help
-		This enables the following key exchange algorithm:
-		  curve25519-sha256@libssh.org
-
-		Increases binary size by about 4 kB (MIPS).
+		Enable support for the RSA public key algorithm.
 
 config DROPBEAR_ECC
 	bool "Elliptic curve cryptography (ECC)"
@@ -58,6 +57,13 @@  config DROPBEAR_ED25519
 
 		Increases binary size by about 12 kB (MIPS).
 
+config DROPBEAR_AUTOSEL_PK
+	def_bool y
+	depends on !(DROPBEAR_ECC || DROPBEAR_ED25519)
+	select DROPBEAR_RSA
+
+endmenu
+
 config DROPBEAR_CHACHA20POLY1305
 	bool "Chacha20-Poly1305 support"
 	default y
@@ -67,6 +73,15 @@  config DROPBEAR_CHACHA20POLY1305
 
 		Increases binary size by about 4 kB (MIPS).
 
+config DROPBEAR_CURVE25519
+	bool "Curve25519 support"
+	default y
+	help
+		This enables the following key exchange algorithm:
+		  curve25519-sha256@libssh.org
+
+		Increases binary size by about 4 kB (MIPS).
+
 config DROPBEAR_ZLIB
 	bool "Enable compression"
 	default n
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 8520426382..7087d96b87 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -29,7 +29,7 @@  PKG_FLAGS:=nonshared
 
 PKG_CONFIG_DEPENDS:= \
 	CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \
-	CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
+	CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
 	CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \
 	CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
 	CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP
@@ -67,9 +67,9 @@  define Package/dropbear/description
 endef
 
 define Package/dropbear/conffiles
+$(if $(CONFIG_DROPBEAR_RSA),/etc/dropbear/dropbear_rsa_host_key)
 $(if $(CONFIG_DROPBEAR_ED25519),/etc/dropbear/dropbear_ed25519_host_key)
 $(if $(CONFIG_DROPBEAR_ECC),/etc/dropbear/dropbear_ecdsa_host_key)
-/etc/dropbear/dropbear_rsa_host_key
 /etc/config/dropbear
 endef
 
@@ -107,6 +107,9 @@  define Build/Configure
 	echo '#define DEFAULT_PATH "$(TARGET_INIT_PATH)"' >> \
 		$(PKG_BUILD_DIR)/localoptions.h
 
+	echo '#define DROPBEAR_RSA $(if $(CONFIG_DROPBEAR_RSA),1,0)' >> \
+		$(PKG_BUILD_DIR)/localoptions.h
+
 	echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \
 		$(PKG_BUILD_DIR)/localoptions.h
 
@@ -169,10 +172,18 @@  define Package/dropbear/install
 	$(INSTALL_DIR) $(1)/usr/lib/opkg/info
 	$(INSTALL_DIR) $(1)/etc/dropbear
 	$(INSTALL_DIR) $(1)/lib/preinit
-	$(INSTALL_DATA) ./files/dropbear.failsafe $(1)/lib/preinit/99_10_failsafe_dropbear
-	$(if $(CONFIG_DROPBEAR_ED25519),touch $(1)/etc/dropbear/dropbear_ed25519_host_key)
-	$(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key)
-	touch $(1)/etc/dropbear/dropbear_rsa_host_key
+
+ifdef CONFIG_DROPBEAR_ED25519
+	$(INSTALL_DATA) ./files/dropbear.failsafe.ed25519 $(1)/lib/preinit/99_10_failsafe_dropbear
+else ifdef CONFIG_DROPBEAR_ECC
+	$(INSTALL_DATA) ./files/dropbear.failsafe.ecc $(1)/lib/preinit/99_10_failsafe_dropbear
+else ifdef CONFIG_DROPBEAR_RSA
+	$(INSTALL_DATA) ./files/dropbear.failsafe.rsa $(1)/lib/preinit/99_10_failsafe_dropbear
+endif
+
+	$(if $(CONFIG_DROPBEAR_ED25519),touch $(1)/etc/dropbear/dropbear_ed25519_host_key,)
+	$(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key,)
+	$(if $(CONFIG_DROPBEAR_RSA),touch $(1)/etc/dropbear/dropbear_rsa_host_key,)
 endef
 
 define Package/dropbearconvert/install
diff --git a/package/network/services/dropbear/files/dropbear.failsafe.ecc b/package/network/services/dropbear/files/dropbear.failsafe.ecc
new file mode 100644
index 0000000000..924938bd55
--- /dev/null
+++ b/package/network/services/dropbear/files/dropbear.failsafe.ecc
@@ -0,0 +1,8 @@ 
+#!/bin/sh
+
+failsafe_dropbear () {
+	dropbearkey -t ecdsa -s 256 -f /tmp/dropbear_failsafe_host_key
+	dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
+}
+
+boot_hook_add failsafe failsafe_dropbear
diff --git a/package/network/services/dropbear/files/dropbear.failsafe.ed25519 b/package/network/services/dropbear/files/dropbear.failsafe.ed25519
new file mode 100644
index 0000000000..46b4918014
--- /dev/null
+++ b/package/network/services/dropbear/files/dropbear.failsafe.ed25519
@@ -0,0 +1,8 @@ 
+#!/bin/sh
+
+failsafe_dropbear () {
+	dropbearkey -t ed25519 -f /tmp/dropbear_failsafe_host_key
+	dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
+}
+
+boot_hook_add failsafe failsafe_dropbear
diff --git a/package/network/services/dropbear/files/dropbear.failsafe b/package/network/services/dropbear/files/dropbear.failsafe.rsa
old mode 100755
new mode 100644
similarity index 100%
rename from package/network/services/dropbear/files/dropbear.failsafe
rename to package/network/services/dropbear/files/dropbear.failsafe.rsa
diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
index b774a38b1a..b2846ea87b 100644
--- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
+++ b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
@@ -21,18 +21,24 @@  Signed-off-by: Petr Štetiar <ynezz@true.cz>
 
 --- a/signkey.c
 +++ b/signkey.c
-@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *k
+@@ -657,9 +657,19 @@ int buf_verify(buffer * buf, sign_key *k
  	sigtype = signature_type_from_name(type_name, type_name_len);
  	m_free(type_name);
  
--	if (expect_sigtype != sigtype) {
--			dropbear_exit("Non-matching signing type");
++#if DROPBEAR_RSA
 +	if (sigtype == DROPBEAR_SIGNATURE_NONE) {
 +		dropbear_exit("No signature type");
 +	}
 +
 +	if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
++		dropbear_exit("Non-matching signing type");
++	}
++#else
+ 	if (expect_sigtype != sigtype) {
+-			dropbear_exit("Non-matching signing type");
 +		dropbear_exit("Non-matching signing type");
  	}
++#endif
  
  	keytype = signkey_type_from_signature(sigtype);
+ #if DROPBEAR_DSS