From patchwork Sun Nov 15 19:55:21 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Rui Salvaterra X-Patchwork-Id: 1400545 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=jlitBO8G; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=Z8LBa2t5; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4CZ2zs6wx5z9sSs for ; Mon, 16 Nov 2020 06:57:29 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=/DRuv/DCDBxHN5+lPtQ6qhiW5OhQLbwbU6g1oGVYzdQ=; b=jlitBO8GAI8Jto+TiN7RU1QX6 UZYThMCWoMu2J1mA5yqo5ihtyR6s8ln9whJ0fki+KJ/WYZJ/pJ14mFXzYM9XINHYBmA/VRq9oZ+Pk cvcY2DP0cLTcyNXI7bQDAxiEN0pCDuPFYvSL35DftIMoQl6ZknN7rkx869J2pWMAq+IYsLoy/oQts Ig9mnuuCi6/3lxMxOSH1qK50rqICQlSRyPL2xru2d5KiCUzKNq8NxPUi2EMTkIs62Hc8LQs9O8Dsc kkRyFl4BxJ7cy33YoxasSWxA/j+XqWanmX2Slsxx1PxGOpdM+Yi3Uvv3nliR4paT4y3e4fdO0FmaH uYHMp9qWg==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1keO7i-0003UJ-Vp; Sun, 15 Nov 2020 19:55:43 +0000 Received: from mail-qv1-xf42.google.com ([2607:f8b0:4864:20::f42]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1keO7d-0003Ru-9t for openwrt-devel@lists.openwrt.org; Sun, 15 Nov 2020 19:55:38 +0000 Received: by mail-qv1-xf42.google.com with SMTP id v20so4369788qvx.4 for ; Sun, 15 Nov 2020 11:55:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=4uUcMPdj0s2qEUG25qEka9YznO0i0p9r4Bw+2wrVmgQ=; b=Z8LBa2t5wUiCFraip/ilKsvckjwYfMmzfR8NA1o5/RBFscoivDZRlaokAdaVmdR5Qv PIpF72s+l06V2oUtiEYrfT5+lf5TigWgs3P4Ligi/jDxP2dssPRg6+vqLkIWA89Iv5tY zlOCpi6cZX8EMfYT+hDvw0tAL/NGvTAF2eUntSUTqZa5Brw9RnYiNzPcblfLH3DJMP0e 9LdykdtEcQFKzc2yq9cLO22vNa11YGsvXNYLCQQYx5ACzIJ3KJYQRkRqVLhyNOaq3aQD Y4A4QFW+O69uCzCUWrzZ5m1FsB/pUjmnvM5yEpw6LwpiNK3Hc91JoXrqz7yNZKxJ0Q5A XvQw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=4uUcMPdj0s2qEUG25qEka9YznO0i0p9r4Bw+2wrVmgQ=; b=FZ3fSRJT4yRlzx3ccbqUyTb2/0RJY/50A5ktFSRzmwUib7rfGiXQGcESEcg1bhJuC9 o2HfN+Nf8TFYbvkSppYLaO8WDJLUEKxd43j7l93iPbSNod8AGpgmCjjNxeBnbCVFnEtE CZvWx5AHTs49spsdw1wYlEr36GkisnyNxilEycQezchr7Ic4SG9Oe295u095YGOmebsK 7wy/endBqJN18rr0HNnbYhAUUtnGgRkggGuXHiZ6OfAhBlyNey+pWH7vzoEkgfvbeb0+ PvDeYXpgoeQ0btztGeuS7jW4HTM2mc+F7bl8MKpwASVgQr2kmgR7LWpEEVDVSBYbN1ZF 1OZQ== X-Gm-Message-State: AOAM530E5gO2yh7+kGKOmvhLXeQbTWrgGx36uTz7ihulaXsEss6b1KPK kgZ2hf5IwxHwBC7PTLR7J4clmxocgntk X-Google-Smtp-Source: ABdhPJyNqAGuqpR9bJvxOMjFdSi4nR4W/hBrLwyhxH+so2RE8I9oSqZquf1fvcmckLEoYgiVooa2lA== X-Received: by 2002:a05:6214:54f:: with SMTP id ci15mr12456049qvb.49.1605470133897; Sun, 15 Nov 2020 11:55:33 -0800 (PST) Received: from presler.lan (a95-94-69-32.cpe.netcabo.pt. [95.94.69.32]) by smtp.gmail.com with ESMTPSA id 203sm10861148qkd.25.2020.11.15.11.55.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 15 Nov 2020 11:55:33 -0800 (PST) From: Rui Salvaterra To: openwrt-devel@lists.openwrt.org Subject: [PATCH v3 1/3] dropbear: create a submenu for public key algorithms Date: Sun, 15 Nov 2020 19:55:21 +0000 Message-Id: <20201115195523.29448-2-rsalvaterra@gmail.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201115195523.29448-1-rsalvaterra@gmail.com> References: <20201115195523.29448-1-rsalvaterra@gmail.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201115_145537_400090_3B910501 X-CRM114-Status: GOOD ( 17.73 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2607:f8b0:4864:20:0:0:0:f42 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [rsalvaterra[at]gmail.com] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Rui Salvaterra Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org This allows the user to select only the public key algorithms (s)he requires (e.g., disabling RSA and keeping only Ed25519). The default selection maintains the current functionality. Additionally, make sure at least one public key algorithm is selected, lest the build would fail. Dropbear executable sizes (ath79, -O2): RSA + Ed25519: 210101 bytes RSA only: 197765 bytes Ed25519 only: 189637 bytes Signed-off-by: Rui Salvaterra --- package/network/services/dropbear/Config.in | 27 ++++++++++++++----- package/network/services/dropbear/Makefile | 23 +++++++++++----- .../dropbear/files/dropbear.failsafe.ecc | 8 ++++++ .../dropbear/files/dropbear.failsafe.ed25519 | 8 ++++++ ...ropbear.failsafe => dropbear.failsafe.rsa} | 0 ...nkey-fix-use-of-rsa-sha2-256-pubkeys.patch | 12 ++++++--- 6 files changed, 63 insertions(+), 15 deletions(-) create mode 100644 package/network/services/dropbear/files/dropbear.failsafe.ecc create mode 100644 package/network/services/dropbear/files/dropbear.failsafe.ed25519 rename package/network/services/dropbear/files/{dropbear.failsafe => dropbear.failsafe.rsa} (100%) mode change 100755 => 100644 diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index 6aa5a7e4e1..d2771eca93 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -1,14 +1,13 @@ menu "Configuration" depends on PACKAGE_dropbear -config DROPBEAR_CURVE25519 - bool "Curve25519 support" +menu "Public key algorithm selection" + +config DROPBEAR_RSA + bool "RSA support" default y help - This enables the following key exchange algorithm: - curve25519-sha256@libssh.org - - Increases binary size by about 4 kB (MIPS). + Enable support for the RSA public key algorithm. config DROPBEAR_ECC bool "Elliptic curve cryptography (ECC)" @@ -58,6 +57,13 @@ config DROPBEAR_ED25519 Increases binary size by about 12 kB (MIPS). +config DROPBEAR_AUTOSEL_PK + def_bool y + depends on !(DROPBEAR_ECC || DROPBEAR_ED25519) + select DROPBEAR_RSA + +endmenu + config DROPBEAR_CHACHA20POLY1305 bool "Chacha20-Poly1305 support" default y @@ -67,6 +73,15 @@ config DROPBEAR_CHACHA20POLY1305 Increases binary size by about 4 kB (MIPS). +config DROPBEAR_CURVE25519 + bool "Curve25519 support" + default y + help + This enables the following key exchange algorithm: + curve25519-sha256@libssh.org + + Increases binary size by about 4 kB (MIPS). + config DROPBEAR_ZLIB bool "Enable compression" default n diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 8520426382..7087d96b87 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -29,7 +29,7 @@ PKG_FLAGS:=nonshared PKG_CONFIG_DEPENDS:= \ CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \ - CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ + CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \ CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \ CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP @@ -67,9 +67,9 @@ define Package/dropbear/description endef define Package/dropbear/conffiles +$(if $(CONFIG_DROPBEAR_RSA),/etc/dropbear/dropbear_rsa_host_key) $(if $(CONFIG_DROPBEAR_ED25519),/etc/dropbear/dropbear_ed25519_host_key) $(if $(CONFIG_DROPBEAR_ECC),/etc/dropbear/dropbear_ecdsa_host_key) -/etc/dropbear/dropbear_rsa_host_key /etc/config/dropbear endef @@ -107,6 +107,9 @@ define Build/Configure echo '#define DEFAULT_PATH "$(TARGET_INIT_PATH)"' >> \ $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_RSA $(if $(CONFIG_DROPBEAR_RSA),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h @@ -169,10 +172,18 @@ define Package/dropbear/install $(INSTALL_DIR) $(1)/usr/lib/opkg/info $(INSTALL_DIR) $(1)/etc/dropbear $(INSTALL_DIR) $(1)/lib/preinit - $(INSTALL_DATA) ./files/dropbear.failsafe $(1)/lib/preinit/99_10_failsafe_dropbear - $(if $(CONFIG_DROPBEAR_ED25519),touch $(1)/etc/dropbear/dropbear_ed25519_host_key) - $(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key) - touch $(1)/etc/dropbear/dropbear_rsa_host_key + +ifdef CONFIG_DROPBEAR_ED25519 + $(INSTALL_DATA) ./files/dropbear.failsafe.ed25519 $(1)/lib/preinit/99_10_failsafe_dropbear +else ifdef CONFIG_DROPBEAR_ECC + $(INSTALL_DATA) ./files/dropbear.failsafe.ecc $(1)/lib/preinit/99_10_failsafe_dropbear +else ifdef CONFIG_DROPBEAR_RSA + $(INSTALL_DATA) ./files/dropbear.failsafe.rsa $(1)/lib/preinit/99_10_failsafe_dropbear +endif + + $(if $(CONFIG_DROPBEAR_ED25519),touch $(1)/etc/dropbear/dropbear_ed25519_host_key,) + $(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key,) + $(if $(CONFIG_DROPBEAR_RSA),touch $(1)/etc/dropbear/dropbear_rsa_host_key,) endef define Package/dropbearconvert/install diff --git a/package/network/services/dropbear/files/dropbear.failsafe.ecc b/package/network/services/dropbear/files/dropbear.failsafe.ecc new file mode 100644 index 0000000000..924938bd55 --- /dev/null +++ b/package/network/services/dropbear/files/dropbear.failsafe.ecc @@ -0,0 +1,8 @@ +#!/bin/sh + +failsafe_dropbear () { + dropbearkey -t ecdsa -s 256 -f /tmp/dropbear_failsafe_host_key + dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1 +} + +boot_hook_add failsafe failsafe_dropbear diff --git a/package/network/services/dropbear/files/dropbear.failsafe.ed25519 b/package/network/services/dropbear/files/dropbear.failsafe.ed25519 new file mode 100644 index 0000000000..46b4918014 --- /dev/null +++ b/package/network/services/dropbear/files/dropbear.failsafe.ed25519 @@ -0,0 +1,8 @@ +#!/bin/sh + +failsafe_dropbear () { + dropbearkey -t ed25519 -f /tmp/dropbear_failsafe_host_key + dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1 +} + +boot_hook_add failsafe failsafe_dropbear diff --git a/package/network/services/dropbear/files/dropbear.failsafe b/package/network/services/dropbear/files/dropbear.failsafe.rsa old mode 100755 new mode 100644 similarity index 100% rename from package/network/services/dropbear/files/dropbear.failsafe rename to package/network/services/dropbear/files/dropbear.failsafe.rsa diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch index b774a38b1a..b2846ea87b 100644 --- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch +++ b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch @@ -21,18 +21,24 @@ Signed-off-by: Petr Štetiar --- a/signkey.c +++ b/signkey.c -@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *k +@@ -657,9 +657,19 @@ int buf_verify(buffer * buf, sign_key *k sigtype = signature_type_from_name(type_name, type_name_len); m_free(type_name); -- if (expect_sigtype != sigtype) { -- dropbear_exit("Non-matching signing type"); ++#if DROPBEAR_RSA + if (sigtype == DROPBEAR_SIGNATURE_NONE) { + dropbear_exit("No signature type"); + } + + if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) { ++ dropbear_exit("Non-matching signing type"); ++ } ++#else + if (expect_sigtype != sigtype) { +- dropbear_exit("Non-matching signing type"); + dropbear_exit("Non-matching signing type"); } ++#endif keytype = signkey_type_from_signature(sigtype); + #if DROPBEAR_DSS From patchwork Sun Nov 15 19:55:22 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Rui Salvaterra X-Patchwork-Id: 1400544 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=npbIRgPS; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=X6MFJtQs; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4CZ2zr3TQnz9sSn for ; Mon, 16 Nov 2020 06:57:28 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=93iS18q45fryNPYO0scPl7+AjpRJ2cyu+sLF7Z7al1A=; b=npbIRgPSZs8ohRsY8/ix+4arw uk7oa5oCLHppUIuMtmrjnsGDHA3S4ouDKtYsj6N/IF6ZnJ0SEYsuiqwI7d78wL3ozvd0FLSpKfRr3 LPQ8hT7p+e2o+gQeleWSw8gbwI3KiFkioS9XUFlDDO3uqt8bJ6iTuYrxhbxGiEIH6mu9DeJQEZcBJ OtKXwNx0bScxwPfEDgTvbHHOn0Ze6DayywAuueqUyfU3dcXkWAbUGmlKD3BShYY5H1CdjXFUF4QeG Z2uHagHz0eMasrqHv19v9CX+smPYkRLGF4kcosZ4iWP1cX6BoxrxLN/vVxEPd/W4+OO/XZ6bRDbdq t+MzdPvtw==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1keO7h-0003Tx-92; Sun, 15 Nov 2020 19:55:41 +0000 Received: from mail-qk1-x743.google.com ([2607:f8b0:4864:20::743]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1keO7c-0003S5-RO for openwrt-devel@lists.openwrt.org; Sun, 15 Nov 2020 19:55:37 +0000 Received: by mail-qk1-x743.google.com with SMTP id r7so14721504qkf.3 for ; Sun, 15 Nov 2020 11:55:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=h45j9K8eSk74k7Z7mAhkDRrzAAfR3RAI6FBtfxiXcfc=; b=X6MFJtQsczgOPrewaS/8ymBsBIEqnOHdoR/1eAtM15Q3GV4BYtl/+M69zavkZGFEPQ BtSSCWkhe2FKJV2rgSDzn2Ha9gRhuHwhMcpk61xpMuvZxcutg7YFhW767+eJCuJobTqi 20EN7okS/yVHKRhbbGLKRr3M2B9NV1rXMFHGduj+VTZ4/LWIc9M5qjGLG0tdPzqI1Sp4 YAYN+qn/wn3UEd6RdpKOkegMov9kQfjtUzCEH2R1Xiwh2aUSwrX4GiTuufl9u/ashUbf 6mVbcnmgTEbWd/7yobWvp8HJIl1iCQAaj68Fa7WP/mtdo4Mou7O6RZ5QZbKG71YIH56f Owqw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=h45j9K8eSk74k7Z7mAhkDRrzAAfR3RAI6FBtfxiXcfc=; b=md0xXHPlxQPT8x64DH3RDVcIx+uAPCo2ztC6f5vtVfbjv4aCIzzmfNh9qIfMERcLvf g0qQx3RiOQ5KXAit0mK80HBDOxUQoRLybcJvDyV6mi9u1FL8zNX5oQkkl/0fYazx2A+3 AtL/bDJLYK7XzdZdByjdslhskswwYPzZIItXK+4bXq0ClgW8JpBcnGYE+Y5cua99u3oG AVODPH9yVGKpIUGbUBW5e3FrItyj8PxI7bg9RtppkM7if5eBDZZN4BuTBVmhbNE3iSex CZpFpRygic5Nmei5G4Vrw/60bYNzaV3Mcp4WqCkxVaPHDJmjF4pmafNxykrah6Lp0eFh l0jw== X-Gm-Message-State: AOAM5301xYcxH333qNLxjBUY9GSEi7xKMJdYONaHtLtwuTwjou0eg9dX Ck3X9KyYB/v7L0QfNh8rUu2mcF6o+LlG X-Google-Smtp-Source: ABdhPJzO2DatwGsqRUoCJOd/jwnz6uJEKDqER6GQdb2V4FAzwd72MT/CZTyA1pJrBpsTviuD3FCEHA== X-Received: by 2002:a37:9f08:: with SMTP id i8mr11923811qke.65.1605470134971; Sun, 15 Nov 2020 11:55:34 -0800 (PST) Received: from presler.lan (a95-94-69-32.cpe.netcabo.pt. [95.94.69.32]) by smtp.gmail.com with ESMTPSA id 203sm10861148qkd.25.2020.11.15.11.55.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 15 Nov 2020 11:55:34 -0800 (PST) From: Rui Salvaterra To: openwrt-devel@lists.openwrt.org Subject: [PATCH v3 2/3] dropbear: create a submenu for encryption algorithms Date: Sun, 15 Nov 2020 19:55:22 +0000 Message-Id: <20201115195523.29448-3-rsalvaterra@gmail.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201115195523.29448-1-rsalvaterra@gmail.com> References: <20201115195523.29448-1-rsalvaterra@gmail.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201115_145537_025462_F6207DC7 X-CRM114-Status: GOOD ( 12.80 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2607:f8b0:4864:20:0:0:0:743 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [rsalvaterra[at]gmail.com] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Rui Salvaterra Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org This allows the user to select only the encryption algorithms (s)he requires (e.g., disabling AES and keeping only ChaCha20-Poly1305). The default selection maintains the current functionality. Additionally, make sure at least one encryption algorithm is selected, lest the build would fail. Signed-off-by: Rui Salvaterra --- package/network/services/dropbear/Config.in | 21 +++++++++++++++++++++ package/network/services/dropbear/Makefile | 12 +++++++++--- 2 files changed, 30 insertions(+), 3 deletions(-) diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index d2771eca93..9cea6242a6 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -64,6 +64,20 @@ config DROPBEAR_AUTOSEL_PK endmenu +menu "Encryption algorithm selection" + +config DROPBEAR_AES128 + bool "AES-128 support" + default y + help + This enables support for the 128-bit AES cipher + +config DROPBEAR_AES256 + bool "AES-256 support" + default y + help + This enables support for the 256-bit AES cipher + config DROPBEAR_CHACHA20POLY1305 bool "Chacha20-Poly1305 support" default y @@ -73,6 +87,13 @@ config DROPBEAR_CHACHA20POLY1305 Increases binary size by about 4 kB (MIPS). +config DROPBEAR_AUTOSEL_EA + def_bool y + depends on !(DROPBEAR_AES256 || DROPBEAR_CHACHA20POLY1305) + select DROPBEAR_AES128 + +endmenu + config DROPBEAR_CURVE25519 bool "Curve25519 support" default y diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 7087d96b87..a91c8d93e4 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -30,9 +30,9 @@ PKG_FLAGS:=nonshared PKG_CONFIG_DEPENDS:= \ CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \ CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ - CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \ - CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \ - CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP + CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 \ + CONFIG_DROPBEAR_CHACHA20POLY1305 CONFIG_DROPBEAR_UTMP \ + CONFIG_DROPBEAR_PUTUTLINE CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP include $(INCLUDE_DIR)/package.mk @@ -121,6 +121,12 @@ define Build/Configure echo '#define DROPBEAR_ED25519 $(if $(CONFIG_DROPBEAR_ED25519),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_AES128 $(if $(CONFIG_DROPBEAR_AES128),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + + echo '#define DROPBEAR_AES256 $(if $(CONFIG_DROPBEAR_AES256),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_CHACHA20POLY1305 $(if $(CONFIG_DROPBEAR_CHACHA20POLY1305),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h From patchwork Sun Nov 15 19:55:23 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Rui Salvaterra X-Patchwork-Id: 1400543 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=I6yIJIL1; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=UwJVDNns; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4CZ2zh2rCFz9sSn for ; Mon, 16 Nov 2020 06:57:20 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=LmJUIPvDcdmpyCHzB8NHtKYOEzOJ+dmMIgB0RCP4voU=; b=I6yIJIL1VxhvAYv04vPy2OVx3 dE4mXkWNhJYMBIAwrH2/OmA2XajzZ+5Ruhp2Jc5fht3OCiYqW6XV59J2iDotdHNyzhxYhQANUWMaP 3IRCIubNt6WZpgfGkM/Y66H21sF1DQjpibdgL/HmmIJsLin8v03SYV7gezBMIKxwQkLFWsKs/FzPB H5fSWhAbmzwnu1XQY4MjAg+bubdaA78gxPfFZxBb9BIwVTtwgUZjb1KLSV9zGvr3IyXlXK8yjiq4N clorxKPVWqlolmgCvoAHJeJamG5VbauJMuaYAB027P1A1Tk7Jwuk4698f9FoS/kSjMjOMPd9xNBBm htjGe4ZIg==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1keO7k-0003Ue-BK; Sun, 15 Nov 2020 19:55:44 +0000 Received: from mail-qt1-x843.google.com ([2607:f8b0:4864:20::843]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1keO7e-0003SV-0F for openwrt-devel@lists.openwrt.org; Sun, 15 Nov 2020 19:55:38 +0000 Received: by mail-qt1-x843.google.com with SMTP id g15so11192115qtq.13 for ; Sun, 15 Nov 2020 11:55:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=D1MgNlOpnfdAUxvDhUAOz8fKQD7qWCosIc62uwrFbc0=; b=UwJVDNnsMu/LZ040vFhKTWCfDUzfIyYDRZQpizuqBG9/hMupH/t0sR/C/gkHw3c7Sz XXQ+q/wA5KPR2hFG4i5vjOJk8fJ9c9Ssm+rBnb94VaFm5HWPp0QBv7qJqKfLsablwCgj CdJKV1G5zZ3MHEOgttTuNh5J/EOiqAxVKrGbIbtzzaAvcp92BQqV0Kcr1tT+cbFtiGG0 PkSsa+Rq0Ta3Ftde6UIw8cyFGyWhvdxchYXivHdHvu3JC17R/tK4lhd8fIf6VKXasd/C MhMIyiLx1Zp0DZq0lN3kBq4m2R/2gf4bPWlODZ4YRgd5SoUhJLf7M53IuosPtwHG672Y eINg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=D1MgNlOpnfdAUxvDhUAOz8fKQD7qWCosIc62uwrFbc0=; b=dDNkE0nEift3z5SrX//lQygJzm4YxQAOJ3L73GkdMzQ13upf/3VOFq+0NKXycGRTSD 9nk+rK4JPlN0Qgi0uVkopbohGYGAJ2JsLLspMqn1A9BCA/9Yjc2ysIheapgxIKIOWzxi o8U771SQW5nyWjnKUzcxLkwlOj3qcLmDgfs/fWYgfXUWS4zNFyR7yMnHYlwP2PtnE/SC BOvA0C/RjjRGUTyYt1JhFWSaihCqId1KF8cxLBu35jjfft6ARy2eS2bGAIuUlFi5Zu75 iEQGzhUU/SMqib0dsbAPHS9MbRYiH/4HxevapxmHxcIryl2BSrxC31KzHOrWd4sA/nqi vHEg== X-Gm-Message-State: AOAM530984ZMVWvLOQZhRO5C5avR+xwDoCU6N5qhGAy0fa/dyFnL8VPo rrjrU2XRTpoIUQBaJZ1UHcqGaIiRw/qQ X-Google-Smtp-Source: ABdhPJwbJOHkhHT5Q8J4bUZy7kF9UbAr6cLdPtokRJehN6iEEJiOKyJYJnvwSriyi2BskQsi3pod+g== X-Received: by 2002:ac8:7686:: with SMTP id g6mr11196365qtr.125.1605470136109; Sun, 15 Nov 2020 11:55:36 -0800 (PST) Received: from presler.lan (a95-94-69-32.cpe.netcabo.pt. [95.94.69.32]) by smtp.gmail.com with ESMTPSA id 203sm10861148qkd.25.2020.11.15.11.55.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 15 Nov 2020 11:55:35 -0800 (PST) From: Rui Salvaterra To: openwrt-devel@lists.openwrt.org Subject: [PATCH v3 3/3] dropbear: create a submenu for key exchange algorithms Date: Sun, 15 Nov 2020 19:55:23 +0000 Message-Id: <20201115195523.29448-4-rsalvaterra@gmail.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201115195523.29448-1-rsalvaterra@gmail.com> References: <20201115195523.29448-1-rsalvaterra@gmail.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201115_145538_079641_C60574E4 X-CRM114-Status: GOOD ( 12.24 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2607:f8b0:4864:20:0:0:0:843 listed in] [list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [rsalvaterra[at]gmail.com] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Rui Salvaterra Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org This allows the user to select only the key exchange algorithms (s)he requires (e.g., disabling group 14 SHA-{1,256} and keeping only Curve25519). The default selection maintains the current functionality. Additionally, make sure at least one key exchange algorithm is selected, lest the build would fail. Signed-off-by: Rui Salvaterra --- package/network/services/dropbear/Config.in | 12 ++++++++++++ package/network/services/dropbear/Makefile | 13 ++++++++++--- 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index 9cea6242a6..066dab0a9b 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -94,6 +94,16 @@ config DROPBEAR_AUTOSEL_EA endmenu +menu "Key exchange algorithm selection" + +config DROPBEAR_DH_GROUP14_SHA1 + bool "Group 14 SHA-1" + default y + +config DROPBEAR_DH_GROUP14_SHA256 + bool "Group 14 SHA-256" + default y + config DROPBEAR_CURVE25519 bool "Curve25519 support" default y @@ -103,6 +113,8 @@ config DROPBEAR_CURVE25519 Increases binary size by about 4 kB (MIPS). +endmenu + config DROPBEAR_ZLIB bool "Enable compression" default n diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index a91c8d93e4..b77c96579e 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -32,6 +32,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 \ CONFIG_DROPBEAR_CHACHA20POLY1305 CONFIG_DROPBEAR_UTMP \ + CONFIG_DROPBEAR_DH_GROUP14_SHA1 CONFIG_DROPBEAR_DH_GROUP14_SHA256 \ CONFIG_DROPBEAR_PUTUTLINE CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP include $(INCLUDE_DIR)/package.mk @@ -110,9 +111,6 @@ define Build/Configure echo '#define DROPBEAR_RSA $(if $(CONFIG_DROPBEAR_RSA),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h - echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \ - $(PKG_BUILD_DIR)/localoptions.h - for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \ echo "#define $$$$OPTION $(if $(CONFIG_DROPBEAR_ECC),1,0)" >> \ $(PKG_BUILD_DIR)/localoptions.h; \ @@ -130,6 +128,15 @@ define Build/Configure echo '#define DROPBEAR_CHACHA20POLY1305 $(if $(CONFIG_DROPBEAR_CHACHA20POLY1305),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_DH_GROUP14_SHA1 $(if $(CONFIG_DROPBEAR_DH_GROUP14_SHA1),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + + echo '#define DROPBEAR_DH_GROUP14_SHA256 $(if $(CONFIG_DROPBEAR_DH_GROUP14_SHA256),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + + echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + # remove protocol idented software version number $(ESED) 's,^(#define LOCAL_IDENT) .*$$$$,\1 "SSH-2.0-dropbear",g' \ $(PKG_BUILD_DIR)/sysoptions.h