From patchwork Fri Jul 17 14:14:35 2020
X-Patchwork-Submitter: Rui Salvaterra
X-Patchwork-Id: 1331173
From: Rui Salvaterra
To: openwrt-devel@lists.openwrt.org
Cc: Rui Salvaterra
Subject: [PATCH] dropbear: allow disabling the RSA public key algorithm
Date: Fri, 17 Jul 2020 15:14:35 +0100
Message-Id: <20200717141435.211714-1-rsalvaterra@gmail.com>
List-Id: OpenWrt Development List

This allows the user to disable the RSA algorithm in Dropbear, if not
required. (RSA is still enabled by default, of course, due to its ubiquity.)

Size comparison of the dropbear executable (cortex-a9+neon)…

RSA + Ed25519: 182804 bytes
Ed25519 only:  166356 bytes

… which amounts to over 16 kiB of savings.

Signed-off-by: Rui Salvaterra --- package/network/services/dropbear/Config.in | 7 +++++++ package/network/services/dropbear/Makefile | 7 +++++-- ...0-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch | 14 +++++++++----- 3 files changed, 21 insertions(+), 7 deletions(-) diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index 3de4189e08..0ac84ee206 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -1,6 +1,13 @@ menu "Configuration" depends on PACKAGE_dropbear +config DROPBEAR_RSA + bool "RSA support" + default y + help + The ubiquitous RSA public key algorithm. + Keep enabled, unless you're 100 % sure you don't need it! + config DROPBEAR_CURVE25519 bool "Curve25519 support" default y diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 0a9b5c0a99..d216eaf299 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -28,7 +28,7 @@ PKG_FIXUP:=autoreconf PKG_CONFIG_DEPENDS:= \ CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \ - CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ + CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \ CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \ CONFIG_DROPBEAR_DBCLIENT @@ -64,9 +64,9 @@ define Package/dropbear/description endef define Package/dropbear/conffiles +$(if $(CONFIG_DROPBEAR_RSA),/etc/dropbear/dropbear_rsa_host_key) $(if $(CONFIG_DROPBEAR_ED25519),/etc/dropbear/dropbear_ed25519_host_key) $(if $(CONFIG_DROPBEAR_ECC),/etc/dropbear/dropbear_ecdsa_host_key) -/etc/dropbear/dropbear_rsa_host_key /etc/config/dropbear endef 
@@ -104,6 +104,9 @@ define Build/Configure echo '#define DEFAULT_PATH "$(TARGET_INIT_PATH)"' >> \ $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_RSA $(if $(CONFIG_DROPBEAR_RSA),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch index afa0ebb310..b2846ea87b 100644 --- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch +++ b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch @@ -19,22 +19,26 @@ Signed-off-by: Petr Štetiar signkey.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) -diff --git a/signkey.c b/signkey.c -index 92fe6a242cd0..d16ab174d83a 100644 --- a/signkey.c +++ b/signkey.c -@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *key, enum signature_type expect_sigtype, +@@ -657,9 +657,19 @@ int buf_verify(buffer * buf, sign_key *k sigtype = signature_type_from_name(type_name, type_name_len); m_free(type_name); -- if (expect_sigtype != sigtype) { -- dropbear_exit("Non-matching signing type"); ++#if DROPBEAR_RSA + if (sigtype == DROPBEAR_SIGNATURE_NONE) { + dropbear_exit("No signature type"); + } + + if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) { ++ dropbear_exit("Non-matching signing type"); ++ } ++#else + if (expect_sigtype != sigtype) { +- dropbear_exit("Non-matching signing type"); + dropbear_exit("Non-matching signing type"); } ++#endif keytype = signkey_type_from_signature(sigtype); + #if DROPBEAR_DSS
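Review bot: In the Config.in hunk, the new DROPBEAR_RSA entry has no `depends on` or `select`, so nothing visible here prevents a configuration with DROPBEAR_RSA, DROPBEAR_ED25519 and DROPBEAR_ECC all disabled, which would leave none of the three host key files from the conffiles list applicable. Either tie the symbol to at least one of the other key types or document the requirement in the help text. The help text would also be more useful if it said what is lost with the option off (the RSA host key and RSA signatures) instead of only "Keep enabled, unless you're 100 % sure you don't need it!".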
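Review bot: In the Package/dropbear/conffiles hunk, /etc/dropbear/dropbear_rsa_host_key becomes conditional, but the diffstat shows only Config.in, the Makefile and the 910 patch being touched, so whatever generates or loads that key at runtime is unchanged by this patch. Please confirm that a build with DROPBEAR_RSA off does not still try to create or use dropbear_rsa_host_key at startup, and note in the commit message what happens to an existing RSA host key that is carried over from an earlier image once it is no longer listed as a conffile.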
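Review bot: In the reworked 910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch hunk, the `sigtype == DROPBEAR_SIGNATURE_NONE` rejection now sits inside `#if DROPBEAR_RSA`, so a build without RSA no longer has an explicit "No signature type" exit and relies solely on `expect_sigtype != sigtype` to reject an unrecognised signature name. That check does not depend on RSA, so keep it unconditional and put only the DROPBEAR_SIGNATURE_RSA_SHA256 comparison under the `#if`; both build variants then fail the same way on an unknown type. The embedded patch header also still reads "signkey.c | 8 ++++++--" and "6 insertions(+), 2 deletions(-)", which no longer matches the new `-657,9 +657,19` hunk, and the `diff --git`/`index` lines were dropped; regenerating the patch would keep its header consistent with its body.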