From patchwork Tue Dec 15 16:59:40 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Rui Salvaterra X-Patchwork-Id: 1416585 X-Patchwork-Delegate: rsalvaterra@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=ApFcOK1F; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=qBQ8mYZ9; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4CwPh009Tqz9s1l for ; Wed, 16 Dec 2020 04:02:24 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=IrRwxGBmRc9CUu+MIn4qtKmCbpNVXLy3jRCdyfzce1A=; b=ApFcOK1F7XfURvf0gCLy8CMe4 5k2CZxjWoFbs3Z2Lc/50G50NbZyUgq6auAp5kT7HJadVR2KQeqsfU7fgpyVgKx7kPn13cev3239CU Mej7AzY7lhYeWXBzdwbFloyAnLRTgbC1KhcBkOG5ftWDv2B7/S5Fmup//0wmnOk9uKzYSM7HZLUTa ODi3p2tIBypnb7O4AIm5cm0f85cb1YAtARRh6BmvzzOJNqfrQZrb0mhZudndu9UBlp5UqXnKGMeu6 W08hKzQnMfqKEWlC2DPvUHJ6kXVWfMNR0AtMXp27amAw7Cuin/Grmf3B3C1t++5LyKc2NrFaGsLVM RjCpnBQfQ==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kpDg5-0001X4-Il; Tue, 15 Dec 2020 16:59:57 +0000 Received: from mail-qv1-xf32.google.com ([2607:f8b0:4864:20::f32]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kpDg1-0001VI-BB for openwrt-devel@lists.openwrt.org; Tue, 15 Dec 2020 16:59:54 +0000 Received: by mail-qv1-xf32.google.com with SMTP id h16so5460257qvu.8 for ; Tue, 15 Dec 2020 08:59:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=cvsljT29UxITeUTI1lIUL0oWIWc8/wwT28hNxHiY5kI=; b=qBQ8mYZ9HPJVFkszlfxPo/ur0TSzYIGALPllpZLPBpwVv/xEeOP4njm1oAYfDA0N+F Vuloj3yJGtWD/K60MtVLzF9E9OaDelgVlxNOtXQ7m38dQbQkQ742o25fUxlyhSajPSAz iibLMa+S+58CyQdUHaXM+uCzya6nzvexIGkX2YVWUMpJl2j6XW0FHYytwj7Yi7j7NoYE P/DM81/u63eHLKS5Nv+83f/3vdnRpei6PhLOXlGZ6Fg4Qr/mqRFkZ5tmbIM0K00gMzbt szO99iC0tO8SBjpqd3fJuZ3HLSvrwSHWEcDK9oH0kFOfYOBHqXw7Pg8IF2TaXDqCXP/j ocKA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=cvsljT29UxITeUTI1lIUL0oWIWc8/wwT28hNxHiY5kI=; b=iCXYNWH5jrdOaJHNWY87ejGAOxyRwNHXfQKfRO7h6vhwQpbZyuQxRABLKr2HMF6Joj krEQD9ObpQkYFYVh8lmysvFsrst6zISs7Gw83azxO5VGloObSN2QwOxjONv6u9m6vIvl 1KZ7DBRQLoRAcHjae/hq3qico36A9JD+qF/ZeM+lzJ4ZPzs85exqIFE/7or+WpuR5SWP txjkuw0n4hn7EUsHPkw2jHGagATwOOLeALaR0xeRu1rbn0bqDgHcDuIzGD02i6TV6o/E XAH29uNWrUIT4K/cNmhw6AFCAKZPjOaFPMOcNGBOXk0Xdu+0nZYLzCqDrfTTd09UU5Vw erEA== X-Gm-Message-State: AOAM533FIndk+xxKVgnFpyJLgetQMnNbDRho6qU+zNKT/i2qtLlU28in PHRmOtvg+tRuwtVN1mJjY+uHvmpACw== X-Google-Smtp-Source: ABdhPJwHuECKwEkEWJvm90PvQUF15adKhiJV8QjOQWGf+5Q+RS6HY5sYLu5CL9E4QxnKJGgApd8msg== X-Received: by 2002:ad4:52c3:: with SMTP id p3mr38960982qvs.52.1608051591361; Tue, 15 Dec 2020 08:59:51 -0800 (PST) Received: from presler.lan (a95-94-74-213.cpe.netcabo.pt. [95.94.74.213]) by smtp.gmail.com with ESMTPSA id n9sm16110388qti.75.2020.12.15.08.59.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Dec 2020 08:59:51 -0800 (PST) From: Rui Salvaterra To: openwrt-devel@lists.openwrt.org Subject: [PATCH v4 1/3] dropbear: create a submenu for public key algorithms Date: Tue, 15 Dec 2020 16:59:40 +0000 Message-Id: <20201215165942.2194-2-rsalvaterra@gmail.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201215165942.2194-1-rsalvaterra@gmail.com> References: <20201215165942.2194-1-rsalvaterra@gmail.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201215_115953_442797_89A895A6 X-CRM114-Status: GOOD ( 17.36 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2607:f8b0:4864:20:0:0:0:f32 listed in] [list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [rsalvaterra[at]gmail.com] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Rui Salvaterra Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org This allows the user to select only the public key algorithms (s)he requires (e.g., disabling RSA and keeping only Ed25519). The default selection maintains the current functionality. Additionally, make sure at least one public key algorithm is selected, lest the build would fail. Dropbear executable sizes (ath79, -O2): RSA + Ed25519: 210101 bytes RSA only: 197765 bytes Ed25519 only: 189637 bytes Signed-off-by: Rui Salvaterra --- package/network/services/dropbear/Config.in | 27 ++++++++++++++----- package/network/services/dropbear/Makefile | 23 +++++++++++----- .../dropbear/files/dropbear.failsafe.ecc | 8 ++++++ .../dropbear/files/dropbear.failsafe.ed25519 | 8 ++++++ ...ropbear.failsafe => dropbear.failsafe.rsa} | 0 ...nkey-fix-use-of-rsa-sha2-256-pubkeys.patch | 12 ++++++--- 6 files changed, 62 insertions(+), 16 deletions(-) create mode 100644 package/network/services/dropbear/files/dropbear.failsafe.ecc create mode 100644 package/network/services/dropbear/files/dropbear.failsafe.ed25519 rename package/network/services/dropbear/files/{dropbear.failsafe => dropbear.failsafe.rsa} (100%) mode change 100755 => 100644 diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index 15000eff53..5b7be04ade 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -1,14 +1,13 @@ menu "Configuration" depends on PACKAGE_dropbear -config DROPBEAR_CURVE25519 - bool "Curve25519 support" +menu "Public key algorithm selection" + +config DROPBEAR_RSA + bool "RSA support" default y help - This enables the following key exchange algorithm: - curve25519-sha256@libssh.org - - Increases binary size by about 4 kB (MIPS). + Enable support for the RSA public key algorithm. config DROPBEAR_ECC bool "Elliptic curve cryptography (ECC)" @@ -58,6 +57,13 @@ config DROPBEAR_ED25519 Increases binary size by about 12 kB (MIPS). +config DROPBEAR_AUTOSEL_PK + def_bool y + depends on !(DROPBEAR_ECC || DROPBEAR_ED25519) + select DROPBEAR_RSA + +endmenu + config DROPBEAR_CHACHA20POLY1305 bool "Chacha20-Poly1305 support" default y @@ -67,6 +73,15 @@ config DROPBEAR_CHACHA20POLY1305 Increases binary size by about 4 kB (MIPS). +config DROPBEAR_CURVE25519 + bool "Curve25519 support" + default y + help + This enables the following key exchange algorithm: + curve25519-sha256@libssh.org + + Increases binary size by about 4 kB (MIPS). + config DROPBEAR_ZLIB bool "Enable compression" default n diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 8bbb26f829..d0b6a4b7ea 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -32,7 +32,8 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \ CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \ - CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS + CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS \ + CONFIG_DROPBEAR_RSA include $(INCLUDE_DIR)/package.mk @@ -67,9 +68,9 @@ define Package/dropbear/description endef define Package/dropbear/conffiles +$(if $(CONFIG_DROPBEAR_RSA),/etc/dropbear/dropbear_rsa_host_key) $(if $(CONFIG_DROPBEAR_ED25519),/etc/dropbear/dropbear_ed25519_host_key) $(if $(CONFIG_DROPBEAR_ECC),/etc/dropbear/dropbear_ecdsa_host_key) -/etc/dropbear/dropbear_rsa_host_key /etc/config/dropbear endef @@ -137,7 +138,7 @@ DB_OPT_CONFIG = \ !!DROPBEAR_ECC_384|CONFIG_DROPBEAR_ECC_FULL|1|0 \ !!DROPBEAR_ECC_521|CONFIG_DROPBEAR_ECC_FULL|1|0 \ DROPBEAR_CLI_ASKPASS_HELPER|CONFIG_DROPBEAR_ASKPASS|1|0 \ - + DROPBEAR_RSA|CONFIG_DROPBEAR_RSA|1|0 \ TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections -flto TARGET_LDFLAGS += -Wl,--gc-sections -flto=jobserver @@ -199,10 +200,18 @@ define Package/dropbear/install $(INSTALL_DIR) $(1)/usr/lib/opkg/info $(INSTALL_DIR) $(1)/etc/dropbear $(INSTALL_DIR) $(1)/lib/preinit - $(INSTALL_DATA) ./files/dropbear.failsafe $(1)/lib/preinit/99_10_failsafe_dropbear - $(if $(CONFIG_DROPBEAR_ED25519),touch $(1)/etc/dropbear/dropbear_ed25519_host_key) - $(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key) - touch $(1)/etc/dropbear/dropbear_rsa_host_key + +ifdef CONFIG_DROPBEAR_ED25519 + $(INSTALL_DATA) ./files/dropbear.failsafe.ed25519 $(1)/lib/preinit/99_10_failsafe_dropbear +else ifdef CONFIG_DROPBEAR_ECC + $(INSTALL_DATA) ./files/dropbear.failsafe.ecc $(1)/lib/preinit/99_10_failsafe_dropbear +else ifdef CONFIG_DROPBEAR_RSA + $(INSTALL_DATA) ./files/dropbear.failsafe.rsa $(1)/lib/preinit/99_10_failsafe_dropbear +endif + + $(if $(CONFIG_DROPBEAR_ED25519),touch $(1)/etc/dropbear/dropbear_ed25519_host_key,) + $(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key,) + $(if $(CONFIG_DROPBEAR_RSA),touch $(1)/etc/dropbear/dropbear_rsa_host_key,) endef define Package/dropbearconvert/install diff --git a/package/network/services/dropbear/files/dropbear.failsafe.ecc b/package/network/services/dropbear/files/dropbear.failsafe.ecc new file mode 100644 index 0000000000..924938bd55 --- /dev/null +++ b/package/network/services/dropbear/files/dropbear.failsafe.ecc @@ -0,0 +1,8 @@ +#!/bin/sh + +failsafe_dropbear () { + dropbearkey -t ecdsa -s 256 -f /tmp/dropbear_failsafe_host_key + dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1 +} + +boot_hook_add failsafe failsafe_dropbear diff --git a/package/network/services/dropbear/files/dropbear.failsafe.ed25519 b/package/network/services/dropbear/files/dropbear.failsafe.ed25519 new file mode 100644 index 0000000000..46b4918014 --- /dev/null +++ b/package/network/services/dropbear/files/dropbear.failsafe.ed25519 @@ -0,0 +1,8 @@ +#!/bin/sh + +failsafe_dropbear () { + dropbearkey -t ed25519 -f /tmp/dropbear_failsafe_host_key + dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1 +} + +boot_hook_add failsafe failsafe_dropbear diff --git a/package/network/services/dropbear/files/dropbear.failsafe b/package/network/services/dropbear/files/dropbear.failsafe.rsa old mode 100755 new mode 100644 similarity index 100% rename from package/network/services/dropbear/files/dropbear.failsafe rename to package/network/services/dropbear/files/dropbear.failsafe.rsa diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch index b774a38b1a..b2846ea87b 100644 --- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch +++ b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch @@ -21,18 +21,24 @@ Signed-off-by: Petr Štetiar --- a/signkey.c +++ b/signkey.c -@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *k +@@ -657,9 +657,19 @@ int buf_verify(buffer * buf, sign_key *k sigtype = signature_type_from_name(type_name, type_name_len); m_free(type_name); -- if (expect_sigtype != sigtype) { -- dropbear_exit("Non-matching signing type"); ++#if DROPBEAR_RSA + if (sigtype == DROPBEAR_SIGNATURE_NONE) { + dropbear_exit("No signature type"); + } + + if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) { ++ dropbear_exit("Non-matching signing type"); ++ } ++#else + if (expect_sigtype != sigtype) { +- dropbear_exit("Non-matching signing type"); + dropbear_exit("Non-matching signing type"); } ++#endif keytype = signkey_type_from_signature(sigtype); + #if DROPBEAR_DSS