From patchwork Tue Oct 13 12:54:10 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Rui Salvaterra X-Patchwork-Id: 1381573 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=tJ7NBOZ0; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=s7Fi+uhg; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4C9bD14w76z9sRR for ; Tue, 13 Oct 2020 23:57:05 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=ResOw5V8EWL3egGkIsb3ctzmcj1f8pN/TTHVOvZ8vkY=; b=tJ7NBOZ0GXK3gP/c992/5cFfb csLZiBcs+56AYSstGkcJwBjV8K9YsWLJW8SJy37GL1hWw8xUHXkvcu1O4Mk6Nr3dH9KMq/UJCrJTL MlnM91aq2JpX8K8RLpvwmJroJ//4mxA6297xnVmimCFIljGkeK9L98k+tSCYFZkwoNkWO2+Bzcehc e1dcrUCKGJSBgE5ILRpMm6HiAn4zHQFK/jrgLP4Xs0GIsE65XziskV2PdzcZEOsHt+lQX0u14Bszh /TNxjcD6f3rTI1TU7P4moFBbK4ReymYHkJlhPFEUZ69mX18Ob+M7JBkG5SicSI5GfowF+IoyRF1tL UE+BQjYcQ==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kSJq0-0000SN-VK; Tue, 13 Oct 2020 12:55:33 +0000 Received: from mail-ed1-x542.google.com ([2a00:1450:4864:20::542]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kSJpw-0000Qe-F9 for openwrt-devel@lists.openwrt.org; Tue, 13 Oct 2020 12:55:29 +0000 Received: by mail-ed1-x542.google.com with SMTP id x1so20804124eds.1 for ; Tue, 13 Oct 2020 05:55:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=bztFpz8vIfwwpgFXoZpMW6edJCkkyIL9gwugakVrJQ4=; b=s7Fi+uhg9nu3YDpGXEsMfM3oeOzhWHH8V94KDp9jHWo8K8wXW+27jnY81Bgtpg/job Kxveyn8GYeY7NVb5HKYRIvkfTTQfaag3LBLhjzuAKOPcDymiB+UnSaQLlZyPZ3RANJD7 aqHBuPCJhfROFOcgk34MLDnificIAdm6mntnm+7R0/arKasuLfTRJmgJaktHUWXtSf/A 4o2c84PAzBu8S9/f90taUv7A/j7z5h6PJ3jwHasg5HdZuhjRgYlUKRBejoWAr/Bno6Uo OQ2Lc6RWYqv+/H5FuJtaSWoKm7AYW/yFNuPjXFk9tCvk5Kt73MlkSl3BUDnK7qoZ1pM7 jOng== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=bztFpz8vIfwwpgFXoZpMW6edJCkkyIL9gwugakVrJQ4=; b=cNOfCJ2b+IPQ/7kvQ7Q7TJ8M8QlZ0e5j9ubtl3Xvy2jvxQZCyPlG5DyypqzyWakZ09 wEIeDde01BZ07BU3NfdRx1N7WcouiTPXILtepuV5ewu/p4kLyZzzOEJXrn4UYduPMvEj e+x+OaECNZSjWzQ+E26//826Oh3xn+rRFLiv24ovBz8CldiyO2bftko6IFL7m3JPCJqs WWAO//SqBHWEX2+cq4OkbqRjN38ExonB9BUWSMrsD652IRkctQ5AL8M8g/7EHNvHW9PL BU57PfUMSFIwkVqVdnLldVsS/msRc7Ab2zPqfu6JOdpvd4ckCF5ZCUOhLDfOZ0gRfSlq mwZA== X-Gm-Message-State: AOAM530o9woFWzyo0fmAQkiXEKbWLXCfOBeBaQXaDh3vt77n11Bk04OR U0WXwL0UoC+LWDZvTpueUd1vbOAJ/g== X-Google-Smtp-Source: ABdhPJxpmfmTk1G79l44TtKayIfirKpQnVi65u398/42kVRaf+opfufBIFEG8nHNnXRmSoCNoZufNA== X-Received: by 2002:a50:d517:: with SMTP id u23mr20033221edi.338.1602593726591; Tue, 13 Oct 2020 05:55:26 -0700 (PDT) Received: from presler.lan (a95-93-122-112.cpe.netcabo.pt. [95.93.122.112]) by smtp.gmail.com with ESMTPSA id o13sm12199666ejr.120.2020.10.13.05.55.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 13 Oct 2020 05:55:26 -0700 (PDT) From: Rui Salvaterra To: openwrt-devel@lists.openwrt.org Subject: [PATCH 1/3] dropbear: create a submenu for public key algorithms Date: Tue, 13 Oct 2020 13:54:10 +0100 Message-Id: <20201013125411.114995-2-rsalvaterra@gmail.com> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20201013125411.114995-1-rsalvaterra@gmail.com> References: <20201013125411.114995-1-rsalvaterra@gmail.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201013_085528_527031_F6313BCE X-CRM114-Status: GOOD ( 18.39 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:542 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [rsalvaterra[at]gmail.com] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Rui Salvaterra Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org This allows the user to select only the public key algorithms (s)he requires (e.g., disabling RSA and keeping only Ed25519). The default selection maintains the current functionality. Additionally, make sure at least one public key algorithm is selected, lest the build would fail. Dropbear executable sizes (ath79, -O2): RSA + Ed25519: 210101 bytes RSA only: 197765 bytes Ed25519 only: 189637 bytes Signed-off-by: Rui Salvaterra --- package/network/services/dropbear/Config.in | 27 ++++++++++++++----- package/network/services/dropbear/Makefile | 23 +++++++++++----- .../dropbear/files/dropbear.failsafe.ecc | 8 ++++++ .../dropbear/files/dropbear.failsafe.ed25519 | 8 ++++++ ...ropbear.failsafe => dropbear.failsafe.rsa} | 0 ...nkey-fix-use-of-rsa-sha2-256-pubkeys.patch | 14 ++++++---- 6 files changed, 63 insertions(+), 17 deletions(-) create mode 100755 package/network/services/dropbear/files/dropbear.failsafe.ecc create mode 100755 package/network/services/dropbear/files/dropbear.failsafe.ed25519 rename package/network/services/dropbear/files/{dropbear.failsafe => dropbear.failsafe.rsa} (100%) diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index 6aa5a7e4e1..d2771eca93 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -1,14 +1,13 @@ menu "Configuration" depends on PACKAGE_dropbear -config DROPBEAR_CURVE25519 - bool "Curve25519 support" +menu "Public key algorithm selection" + +config DROPBEAR_RSA + bool "RSA support" default y help - This enables the following key exchange algorithm: - curve25519-sha256@libssh.org - - Increases binary size by about 4 kB (MIPS). + Enable support for the RSA public key algorithm. config DROPBEAR_ECC bool "Elliptic curve cryptography (ECC)" @@ -58,6 +57,13 @@ config DROPBEAR_ED25519 Increases binary size by about 12 kB (MIPS). +config DROPBEAR_AUTOSEL_PK + def_bool y + depends on !(DROPBEAR_ECC || DROPBEAR_ED25519) + select DROPBEAR_RSA + +endmenu + config DROPBEAR_CHACHA20POLY1305 bool "Chacha20-Poly1305 support" default y @@ -67,6 +73,15 @@ config DROPBEAR_CHACHA20POLY1305 Increases binary size by about 4 kB (MIPS). +config DROPBEAR_CURVE25519 + bool "Curve25519 support" + default y + help + This enables the following key exchange algorithm: + curve25519-sha256@libssh.org + + Increases binary size by about 4 kB (MIPS). + config DROPBEAR_ZLIB bool "Enable compression" default n diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 6c97d3e77b..2ab2cd396d 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -29,7 +29,7 @@ PKG_FLAGS:=nonshared PKG_CONFIG_DEPENDS:= \ CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \ - CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ + CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \ CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \ CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP @@ -67,9 +67,9 @@ define Package/dropbear/description endef define Package/dropbear/conffiles +$(if $(CONFIG_DROPBEAR_RSA),/etc/dropbear/dropbear_rsa_host_key) $(if $(CONFIG_DROPBEAR_ED25519),/etc/dropbear/dropbear_ed25519_host_key) $(if $(CONFIG_DROPBEAR_ECC),/etc/dropbear/dropbear_ecdsa_host_key) -/etc/dropbear/dropbear_rsa_host_key /etc/config/dropbear endef @@ -107,6 +107,9 @@ define Build/Configure echo '#define DEFAULT_PATH "$(TARGET_INIT_PATH)"' >> \ $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_RSA $(if $(CONFIG_DROPBEAR_RSA),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h @@ -169,10 +172,18 @@ define Package/dropbear/install $(INSTALL_DIR) $(1)/usr/lib/opkg/info $(INSTALL_DIR) $(1)/etc/dropbear $(INSTALL_DIR) $(1)/lib/preinit - $(INSTALL_DATA) ./files/dropbear.failsafe $(1)/lib/preinit/99_10_failsafe_dropbear - $(if $(CONFIG_DROPBEAR_ED25519),touch $(1)/etc/dropbear/dropbear_ed25519_host_key) - $(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key) - touch $(1)/etc/dropbear/dropbear_rsa_host_key + +ifdef CONFIG_DROPBEAR_ED25519 + $(INSTALL_DATA) ./files/dropbear.failsafe.ed25519 $(1)/lib/preinit/99_10_failsafe_dropbear +else ifdef CONFIG_DROPBEAR_ECC + $(INSTALL_DATA) ./files/dropbear.failsafe.ecc $(1)/lib/preinit/99_10_failsafe_dropbear +else ifdef CONFIG_DROPBEAR_RSA + $(INSTALL_DATA) ./files/dropbear.failsafe.rsa $(1)/lib/preinit/99_10_failsafe_dropbear +endif + + $(if $(CONFIG_DROPBEAR_ED25519),touch $(1)/etc/dropbear/dropbear_ed25519_host_key,) + $(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key,) + $(if $(CONFIG_DROPBEAR_RSA),touch $(1)/etc/dropbear/dropbear_rsa_host_key,) endef define Package/dropbearconvert/install diff --git a/package/network/services/dropbear/files/dropbear.failsafe.ecc b/package/network/services/dropbear/files/dropbear.failsafe.ecc new file mode 100755 index 0000000000..924938bd55 --- /dev/null +++ b/package/network/services/dropbear/files/dropbear.failsafe.ecc @@ -0,0 +1,8 @@ +#!/bin/sh + +failsafe_dropbear () { + dropbearkey -t ecdsa -s 256 -f /tmp/dropbear_failsafe_host_key + dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1 +} + +boot_hook_add failsafe failsafe_dropbear diff --git a/package/network/services/dropbear/files/dropbear.failsafe.ed25519 b/package/network/services/dropbear/files/dropbear.failsafe.ed25519 new file mode 100755 index 0000000000..46b4918014 --- /dev/null +++ b/package/network/services/dropbear/files/dropbear.failsafe.ed25519 @@ -0,0 +1,8 @@ +#!/bin/sh + +failsafe_dropbear () { + dropbearkey -t ed25519 -f /tmp/dropbear_failsafe_host_key + dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1 +} + +boot_hook_add failsafe failsafe_dropbear diff --git a/package/network/services/dropbear/files/dropbear.failsafe b/package/network/services/dropbear/files/dropbear.failsafe.rsa similarity index 100% rename from package/network/services/dropbear/files/dropbear.failsafe rename to package/network/services/dropbear/files/dropbear.failsafe.rsa diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch index afa0ebb310..b2846ea87b 100644 --- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch +++ b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch @@ -19,22 +19,26 @@ Signed-off-by: Petr Štetiar signkey.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) -diff --git a/signkey.c b/signkey.c -index 92fe6a242cd0..d16ab174d83a 100644 --- a/signkey.c +++ b/signkey.c -@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *key, enum signature_type expect_sigtype, +@@ -657,9 +657,19 @@ int buf_verify(buffer * buf, sign_key *k sigtype = signature_type_from_name(type_name, type_name_len); m_free(type_name); -- if (expect_sigtype != sigtype) { -- dropbear_exit("Non-matching signing type"); ++#if DROPBEAR_RSA + if (sigtype == DROPBEAR_SIGNATURE_NONE) { + dropbear_exit("No signature type"); + } + + if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) { ++ dropbear_exit("Non-matching signing type"); ++ } ++#else + if (expect_sigtype != sigtype) { +- dropbear_exit("Non-matching signing type"); + dropbear_exit("Non-matching signing type"); } ++#endif keytype = signkey_type_from_signature(sigtype); + #if DROPBEAR_DSS From patchwork Tue Oct 13 12:54:11 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Rui Salvaterra X-Patchwork-Id: 1381572 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=ConrjQwS; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=kxBpHmYg; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4C9bCz64LVz9sRR for ; Tue, 13 Oct 2020 23:57:03 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=C/ZI5JHL+3DczeHduqB7FICxGsuNTJy0abUM+FAFxUM=; b=ConrjQwSNjH7d/PJIEjiAffzb BHWIjvBeJSXlJjCY6qRu7ySRtI9FZNOyFaOWxbumkl5PBuONGcFsbXmeIjacUgTxFHDg5cWwVQjA+ ips9BRNJyJeZRRblqhZI4sxMgU4fXnaUgEUMKWs95XkdO8c0FngsKSzBK2eq4WkPNn15DpXP73Vig qDeQRqz1xRJFNnZ2epZUSMZbOug8vKfnA84SaAXhAKTz69U3aqFtHg7Wo1uX4yeidzb5Y7SigzF2I 6CJGGX5dEtRrbDL+MleJsuKdyOYnsJFs9WAOPVZKi41xH1AdWmcLIJSzc7/mRtXuTy99JKmorFTA1 QwpWLiqsQ==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kSJq4-0000TC-B3; Tue, 13 Oct 2020 12:55:36 +0000 Received: from mail-ej1-x642.google.com ([2a00:1450:4864:20::642]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kSJpx-0000Qn-4o for openwrt-devel@lists.openwrt.org; Tue, 13 Oct 2020 12:55:31 +0000 Received: by mail-ej1-x642.google.com with SMTP id u21so28123824eja.2 for ; Tue, 13 Oct 2020 05:55:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=/YeV8Jr+VUwDxy/Sc30lHrvIbXB47x38AqOczmttfvc=; b=kxBpHmYgxcVRac1R5pXj7KGup86FrbG2w7+eL7neXtE2QxdiM5JEfCQVut1C8ZuAGl rQetBJyyaB28TUwF/WYtKM7W1xqgq19SgPBWeZzl72VryBfsDQn+UzzKUwP+nigRtmJV mu6QUL+Rl8ThELKpkmGyGyVBz0fH2lsNPPuaO33L9VnmEeE2SjDWQ3Zu47GpB6Y+UIPY 4lEbYhv/MJtBE06dQkoi7wv3rT3KRF3yJjG8rBp9e4fQh/M0ntPVp2tppnaM4lr00ykn homJ1caC12HtYG/o2AnXFodYbAH+4V/EPXgeoWMG94gKUwhBGJX8gmjwiq45XX7qr2cr psKw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=/YeV8Jr+VUwDxy/Sc30lHrvIbXB47x38AqOczmttfvc=; b=E7kYLQhvVTTJWT2UV3Tb0K4tEGn0fCiECrydWa3mf8fXfHNJdmRk9Mp2aprdzdDR3H cFzZrwbg1Q/GJRfni0LrC5Wx4zscEkVCsX1YQN3aPhIlkBcqI5FOR0ByTckCHTysl+nX 30NBtH2HZOe39oHJA2UzQCp++2t7fIWvrPDXGOnKHtmFajmeuhtowmqPZquDeODN4qEK p7KHrEZFyr17tU9JBuIFlJrynhA0G7G+LSJHvtccqj6oPToK6Smx79qKjoeX8xi/LCIo 3UQbhIccj8/RSmBaCWqGdC+4BV3xvyfvV7RbT3v7FxFcERUVhTmT9V3KMKYzHSwuUpj3 dXGg== X-Gm-Message-State: AOAM531IplAToTJIpXGZY88TniTpA7VL4vw6YpX3DKK34dqFR7B3T1p/ vQPUFrTAA3eu6DEVziSW9kkyy+Lprw== X-Google-Smtp-Source: ABdhPJwiNCj+4RIVydKcN0eQPmN9T5/Dg3dWzH73o6Ds2M2YHJj4bTJGEzlXJIntCnYcnZ/y1FVbPQ== X-Received: by 2002:a17:906:3455:: with SMTP id d21mr35276912ejb.89.1602593727642; Tue, 13 Oct 2020 05:55:27 -0700 (PDT) Received: from presler.lan (a95-93-122-112.cpe.netcabo.pt. [95.93.122.112]) by smtp.gmail.com with ESMTPSA id o13sm12199666ejr.120.2020.10.13.05.55.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 13 Oct 2020 05:55:27 -0700 (PDT) From: Rui Salvaterra To: openwrt-devel@lists.openwrt.org Subject: [PATCH 2/3] dropbear: create a submenu for encryption algorithms Date: Tue, 13 Oct 2020 13:54:11 +0100 Message-Id: <20201013125411.114995-3-rsalvaterra@gmail.com> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20201013125411.114995-2-rsalvaterra@gmail.com> References: <20201013125411.114995-1-rsalvaterra@gmail.com> <20201013125411.114995-2-rsalvaterra@gmail.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201013_085529_211099_F6B40C6A X-CRM114-Status: GOOD ( 12.61 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:642 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [rsalvaterra[at]gmail.com] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Rui Salvaterra Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org This allows the user to select only the encryption algorithms (s)he requires (e.g., disabling AES and keeping only ChaCha20-Poly1305). The default selection maintains the current functionality. Additionally, make sure at least one encryption algorithm is selected, lest the build would fail. Signed-off-by: Rui Salvaterra --- package/network/services/dropbear/Config.in | 21 +++++++++++++++++++++ package/network/services/dropbear/Makefile | 12 +++++++++--- 2 files changed, 30 insertions(+), 3 deletions(-) diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index d2771eca93..9cea6242a6 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -64,6 +64,20 @@ config DROPBEAR_AUTOSEL_PK endmenu +menu "Encryption algorithm selection" + +config DROPBEAR_AES128 + bool "AES-128 support" + default y + help + This enables support for the 128-bit AES cipher + +config DROPBEAR_AES256 + bool "AES-256 support" + default y + help + This enables support for the 256-bit AES cipher + config DROPBEAR_CHACHA20POLY1305 bool "Chacha20-Poly1305 support" default y @@ -73,6 +87,13 @@ config DROPBEAR_CHACHA20POLY1305 Increases binary size by about 4 kB (MIPS). +config DROPBEAR_AUTOSEL_EA + def_bool y + depends on !(DROPBEAR_AES256 || DROPBEAR_CHACHA20POLY1305) + select DROPBEAR_AES128 + +endmenu + config DROPBEAR_CURVE25519 bool "Curve25519 support" default y diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 2ab2cd396d..768058718c 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -30,9 +30,9 @@ PKG_FLAGS:=nonshared PKG_CONFIG_DEPENDS:= \ CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \ CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ - CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \ - CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \ - CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP + CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 \ + CONFIG_DROPBEAR_CHACHA20POLY1305 CONFIG_DROPBEAR_UTMP \ + CONFIG_DROPBEAR_PUTUTLINE CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP include $(INCLUDE_DIR)/package.mk @@ -121,6 +121,12 @@ define Build/Configure echo '#define DROPBEAR_ED25519 $(if $(CONFIG_DROPBEAR_ED25519),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_AES128 $(if $(CONFIG_DROPBEAR_AES128),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + + echo '#define DROPBEAR_AES256 $(if $(CONFIG_DROPBEAR_AES256),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_CHACHA20POLY1305 $(if $(CONFIG_DROPBEAR_CHACHA20POLY1305),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h From patchwork Tue Oct 13 12:54:12 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Rui Salvaterra X-Patchwork-Id: 1381571 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=j9HUSwX/; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=k27+Z5nK; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4C9bCy2N9bz9sRk for ; Tue, 13 Oct 2020 23:57:02 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=f+fQDQEcys7AJ+ac2BWbgGX9dcqX3fHJ5vza3jj+uQw=; b=j9HUSwX/G+oAXA68auC67j9dW 8gjLG+dYoW1Nqj4q8mczAj/e+Cwqioy4Ub/WlTovO5JZibc9zl0tesgrRZLxkG90XKyXcV8wwBIlq +Fntt6dnf54LiwRvUR+LVHQZOicR+swaq65qnVHlE+Gyw/kgvB6pVZkVDbBG1Ncuxz/QNmLqdeIYA ANSuypirWp35f/RoKViRWiUOs2sbX9/cgwPF+q9hSNCLYbfkH2XHsCWJlaurCMJ7hv1wogCahF/fN cT4ui4e1OCeaJXM6ISWIMrZCqLB7o/bK0vO+EvQ+9tFu6BIWEpb2pFJSug7LYv/iuonwnbvI0UQ7V 7ay/v3HcA==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kSJq6-0000Tq-S8; Tue, 13 Oct 2020 12:55:38 +0000 Received: from mail-ed1-x544.google.com ([2a00:1450:4864:20::544]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kSJpy-0000RB-5H for openwrt-devel@lists.openwrt.org; Tue, 13 Oct 2020 12:55:32 +0000 Received: by mail-ed1-x544.google.com with SMTP id g4so20839411edk.0 for ; Tue, 13 Oct 2020 05:55:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=bkA7ntPUCHhruOUye8YSikGYB/DkypdIiOW1c7aitMs=; b=k27+Z5nKCCivsqkHWMam1t0Nbe7xPHszd3KuZuSkT9BNQn9iMjvvwCQZstvC5kcMgx JOxbmWTyfVPIzqt2+gXKhv0PQpqgyNjmlcdX5o6af9L6GdAjSvDa3E1X72P9CfO0uBXz Ns9iuqXG/anQL4l/15/Q60vBd+DFdnXxdIwpF203N/sa0cp3Qre2qCS2Qn+FhG78rJXU 2pMFMz43HYbgLMARqWNnIG11oVqum9QImvXprmZMc3fVGv/4h+Q+ry15g2N5nbkXqWI3 HJCLvyI6ycsEwk6SRSv4FWGr7ucEQmQIHiftjr3c1GrEobANywyh+Dmt0SyII4vj20tW oszg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=bkA7ntPUCHhruOUye8YSikGYB/DkypdIiOW1c7aitMs=; b=IobvCeiFBYnqoysnCNU6qgsP5A/VVj/oKw6+3GmSbE9TvJTbbbRAsDvTlQlIlRE/GB VvQLm2TbKC6Weiak1tKqjPQ4xlqHD1jSxVKCZQwjbjGrNcVXdFXlJRnc/VGhNTmldlIs LeohS4q6Vy1olsCCj0i9/FBl+juD+Mw5LivkS2F25CVyCfXKqd8VPxgUXiy7PslQH5XH aXTJNswfuRMbLwcpSCNAHWDNA9AsWuoTf6tVX+792RUGkGoMjvu6HLLgRuEgJZfHskc5 2zAbCUyZ0Tqb/AyIMU4dDkRp80kDWRoEXOORK/05XVc6pUAkgckPRbPDWGzbEAXxqUQ6 8vgQ== X-Gm-Message-State: AOAM531vrOUWifBIqeqIC0qtTbBpkYRIbv2fAGWn29Yel4eqP7NmN2bn XSyFvH6u+yfQmvBi2FTpK4zDrYiBZQ== X-Google-Smtp-Source: ABdhPJzrJlZequ4kI33VGjAlJytkBe6nZbBaJLaJdM7a/6yehZFUClBcNKnCmgCrRoFoC+w/H53e9Q== X-Received: by 2002:a05:6402:782:: with SMTP id d2mr3306106edy.131.1602593728497; Tue, 13 Oct 2020 05:55:28 -0700 (PDT) Received: from presler.lan (a95-93-122-112.cpe.netcabo.pt. [95.93.122.112]) by smtp.gmail.com with ESMTPSA id o13sm12199666ejr.120.2020.10.13.05.55.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 13 Oct 2020 05:55:28 -0700 (PDT) From: Rui Salvaterra To: openwrt-devel@lists.openwrt.org Subject: [PATCH 3/3] dropbear: create a submenu for key exchange algorithms Date: Tue, 13 Oct 2020 13:54:12 +0100 Message-Id: <20201013125411.114995-4-rsalvaterra@gmail.com> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20201013125411.114995-3-rsalvaterra@gmail.com> References: <20201013125411.114995-1-rsalvaterra@gmail.com> <20201013125411.114995-2-rsalvaterra@gmail.com> <20201013125411.114995-3-rsalvaterra@gmail.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201013_085530_260395_F0E0BC16 X-CRM114-Status: GOOD ( 11.83 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:544 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [rsalvaterra[at]gmail.com] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Rui Salvaterra Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org This allows the user to select only the key exchange algorithms (s)he requires (e.g., disabling group 14 SHA-{1,256} and keeping only Curve25519). The default selection maintains the current functionality. Additionally, make sure at least one key exchange algorithm is selected, lest the build would fail. Signed-off-by: Rui Salvaterra --- package/network/services/dropbear/Config.in | 12 ++++++++++++ package/network/services/dropbear/Makefile | 13 ++++++++++--- 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index 9cea6242a6..066dab0a9b 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -94,6 +94,16 @@ config DROPBEAR_AUTOSEL_EA endmenu +menu "Key exchange algorithm selection" + +config DROPBEAR_DH_GROUP14_SHA1 + bool "Group 14 SHA-1" + default y + +config DROPBEAR_DH_GROUP14_SHA256 + bool "Group 14 SHA-256" + default y + config DROPBEAR_CURVE25519 bool "Curve25519 support" default y @@ -103,6 +113,8 @@ config DROPBEAR_CURVE25519 Increases binary size by about 4 kB (MIPS). +endmenu + config DROPBEAR_ZLIB bool "Enable compression" default n diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 768058718c..d0b0dbf3dc 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -32,6 +32,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 \ CONFIG_DROPBEAR_CHACHA20POLY1305 CONFIG_DROPBEAR_UTMP \ + CONFIG_DROPBEAR_DH_GROUP14_SHA1 CONFIG_DROPBEAR_DH_GROUP14_SHA256 \ CONFIG_DROPBEAR_PUTUTLINE CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP include $(INCLUDE_DIR)/package.mk @@ -110,9 +111,6 @@ define Build/Configure echo '#define DROPBEAR_RSA $(if $(CONFIG_DROPBEAR_RSA),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h - echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \ - $(PKG_BUILD_DIR)/localoptions.h - for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \ echo "#define $$$$OPTION $(if $(CONFIG_DROPBEAR_ECC),1,0)" >> \ $(PKG_BUILD_DIR)/localoptions.h; \ @@ -130,6 +128,15 @@ define Build/Configure echo '#define DROPBEAR_CHACHA20POLY1305 $(if $(CONFIG_DROPBEAR_CHACHA20POLY1305),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_DH_GROUP14_SHA1 $(if $(CONFIG_DROPBEAR_DH_GROUP14_SHA1),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + + echo '#define DROPBEAR_DH_GROUP14_SHA256 $(if $(CONFIG_DROPBEAR_DH_GROUP14_SHA256),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + + echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + # remove protocol idented software version number $(ESED) 's,^(#define LOCAL_IDENT) .*$$$$,\1 "SSH-2.0-dropbear",g' \ $(PKG_BUILD_DIR)/sysoptions.h