From patchwork Tue Sep 1 19:13:28 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Paul Spooren X-Patchwork-Id: 1355329 X-Patchwork-Delegate: hauke@hauke-m.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=aparcar.org Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=t5n3U5b6; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Bgxcx2s79z9sTh for ; Wed, 2 Sep 2020 05:16:17 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To:From: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=5jIKO9AAQMPmnuYp/fimxq64BjebEKESIuwzTFM/g/E=; b=t5n3U5b61tYNgWFl7+uEdNdYsm A2mk/D9fU5xkbOXgBJBUTQ8vMEWo5zpaMMsA6wxRCetTvM8QBumznR4D7qdHOQkMnzndrKiMk+kYn hv4y4DD3QOmQITYMQJEXxsmmUA0Bs9ljx/2llBNnHy33g5oC7Ad0VixPqz4WmG6eBW3QX9VOJQ5hd N0ksENQRjlSuRarcjw/4d4aHD189eJzkQX+qdkyZL9MGUAJid1GXT2pdsOHJf0MGOFriw2LNCQvJH F8N20M2Qfam9h+yCH00iM9qGQi79nSzXODcW6Oc5jYHESeP40XQZT2M4Mxek1b42BxXQnHO1TuHDt NUKsOE3A==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kDBjA-0001Ko-Nq; Tue, 01 Sep 2020 19:13:56 +0000 Received: from relay1-d.mail.gandi.net ([217.70.183.193]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kDBj8-0001Io-Fu for openwrt-devel@lists.openwrt.org; Tue, 01 Sep 2020 19:13:55 +0000 X-Originating-IP: 72.234.141.215 Received: from dawn.lan (udp224251uds.hawaiiantel.net [72.234.141.215]) (Authenticated sender: mail@aparcar.org) by relay1-d.mail.gandi.net (Postfix) with ESMTPA id 23DCD240002; Tue, 1 Sep 2020 19:13:46 +0000 (UTC) From: Paul Spooren To: openwrt-devel@lists.openwrt.org Subject: [PATCH v3] dropbear: Enable Ed25519 for normal devices Date: Tue, 1 Sep 2020 09:13:28 -1000 Message-Id: <20200901191327.2361459-1-mail@aparcar.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200901_151354_643780_9F6536F2 X-CRM114-Status: GOOD ( 12.61 ) X-Spam-Score: 0.0 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (0.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3) [217.70.183.193 listed in wl.mailspike.net] -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [217.70.183.193 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Paul Spooren Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org The Ed25519 key pairs are much shorter than RSA pairs and are supported by default in OpenSSH. Looking at websites explaining how to create new SSH keys, many suggest using Ed25519 rather than RSA, however consider the former as not yet widely established. OpenWrt likely has a positive influence on that development. As enabling Ed25519 is a compile time option, it is currently not possible to install the feature via `opkg` nor select that option in an ImageBuilder. Due to the size impact of **12kB** the option should only be enabled for devices with `!SMALL_FLASH`. This approach seems cleaner than splitting `dropbear` into two packages like `dropbear` and `dropbear-ed25519`. Signed-off-by: Paul Spooren --- v3: * Add PKG_FLAGS:=nonshared to avoid trouble with legacy `tiny` targets package/network/services/dropbear/Config.in | 2 +- package/network/services/dropbear/Makefile | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index 108b80376b..6aa5a7e4e1 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -51,7 +51,7 @@ config DROPBEAR_ECC_FULL config DROPBEAR_ED25519 bool "Ed25519 support" - default n + default y if !SMALL_FLASH help This enables the following public key algorithm: ssh-ed25519 diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 1cda98bf7e..6c97d3e77b 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2006-2016 OpenWrt.org +# Copyright (C) 2006-2020 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dropbear PKG_VERSION:=2020.80 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:= \ @@ -25,6 +25,7 @@ PKG_BUILD_PARALLEL:=1 PKG_ASLR_PIE_REGULAR:=1 PKG_USE_MIPS16:=0 PKG_FIXUP:=autoreconf +PKG_FLAGS:=nonshared PKG_CONFIG_DEPENDS:= \ CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \