From patchwork Tue Dec 15 16:59:40 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Rui Salvaterra X-Patchwork-Id: 1416585 X-Patchwork-Delegate: rsalvaterra@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=ApFcOK1F; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=qBQ8mYZ9; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4CwPh009Tqz9s1l for ; Wed, 16 Dec 2020 04:02:24 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=IrRwxGBmRc9CUu+MIn4qtKmCbpNVXLy3jRCdyfzce1A=; b=ApFcOK1F7XfURvf0gCLy8CMe4 5k2CZxjWoFbs3Z2Lc/50G50NbZyUgq6auAp5kT7HJadVR2KQeqsfU7fgpyVgKx7kPn13cev3239CU Mej7AzY7lhYeWXBzdwbFloyAnLRTgbC1KhcBkOG5ftWDv2B7/S5Fmup//0wmnOk9uKzYSM7HZLUTa ODi3p2tIBypnb7O4AIm5cm0f85cb1YAtARRh6BmvzzOJNqfrQZrb0mhZudndu9UBlp5UqXnKGMeu6 W08hKzQnMfqKEWlC2DPvUHJ6kXVWfMNR0AtMXp27amAw7Cuin/Grmf3B3C1t++5LyKc2NrFaGsLVM RjCpnBQfQ==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kpDg5-0001X4-Il; Tue, 15 Dec 2020 16:59:57 +0000 Received: from mail-qv1-xf32.google.com ([2607:f8b0:4864:20::f32]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kpDg1-0001VI-BB for openwrt-devel@lists.openwrt.org; Tue, 15 Dec 2020 16:59:54 +0000 Received: by mail-qv1-xf32.google.com with SMTP id h16so5460257qvu.8 for ; Tue, 15 Dec 2020 08:59:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=cvsljT29UxITeUTI1lIUL0oWIWc8/wwT28hNxHiY5kI=; b=qBQ8mYZ9HPJVFkszlfxPo/ur0TSzYIGALPllpZLPBpwVv/xEeOP4njm1oAYfDA0N+F Vuloj3yJGtWD/K60MtVLzF9E9OaDelgVlxNOtXQ7m38dQbQkQ742o25fUxlyhSajPSAz iibLMa+S+58CyQdUHaXM+uCzya6nzvexIGkX2YVWUMpJl2j6XW0FHYytwj7Yi7j7NoYE P/DM81/u63eHLKS5Nv+83f/3vdnRpei6PhLOXlGZ6Fg4Qr/mqRFkZ5tmbIM0K00gMzbt szO99iC0tO8SBjpqd3fJuZ3HLSvrwSHWEcDK9oH0kFOfYOBHqXw7Pg8IF2TaXDqCXP/j ocKA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=cvsljT29UxITeUTI1lIUL0oWIWc8/wwT28hNxHiY5kI=; b=iCXYNWH5jrdOaJHNWY87ejGAOxyRwNHXfQKfRO7h6vhwQpbZyuQxRABLKr2HMF6Joj krEQD9ObpQkYFYVh8lmysvFsrst6zISs7Gw83azxO5VGloObSN2QwOxjONv6u9m6vIvl 1KZ7DBRQLoRAcHjae/hq3qico36A9JD+qF/ZeM+lzJ4ZPzs85exqIFE/7or+WpuR5SWP txjkuw0n4hn7EUsHPkw2jHGagATwOOLeALaR0xeRu1rbn0bqDgHcDuIzGD02i6TV6o/E XAH29uNWrUIT4K/cNmhw6AFCAKZPjOaFPMOcNGBOXk0Xdu+0nZYLzCqDrfTTd09UU5Vw erEA== X-Gm-Message-State: AOAM533FIndk+xxKVgnFpyJLgetQMnNbDRho6qU+zNKT/i2qtLlU28in PHRmOtvg+tRuwtVN1mJjY+uHvmpACw== X-Google-Smtp-Source: ABdhPJwHuECKwEkEWJvm90PvQUF15adKhiJV8QjOQWGf+5Q+RS6HY5sYLu5CL9E4QxnKJGgApd8msg== X-Received: by 2002:ad4:52c3:: with SMTP id p3mr38960982qvs.52.1608051591361; Tue, 15 Dec 2020 08:59:51 -0800 (PST) Received: from presler.lan (a95-94-74-213.cpe.netcabo.pt. [95.94.74.213]) by smtp.gmail.com with ESMTPSA id n9sm16110388qti.75.2020.12.15.08.59.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Dec 2020 08:59:51 -0800 (PST) From: Rui Salvaterra To: openwrt-devel@lists.openwrt.org Subject: [PATCH v4 1/3] dropbear: create a submenu for public key algorithms Date: Tue, 15 Dec 2020 16:59:40 +0000 Message-Id: <20201215165942.2194-2-rsalvaterra@gmail.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201215165942.2194-1-rsalvaterra@gmail.com> References: <20201215165942.2194-1-rsalvaterra@gmail.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201215_115953_442797_89A895A6 X-CRM114-Status: GOOD ( 17.36 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2607:f8b0:4864:20:0:0:0:f32 listed in] [list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [rsalvaterra[at]gmail.com] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Rui Salvaterra Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org This allows the user to select only the public key algorithms (s)he requires (e.g., disabling RSA and keeping only Ed25519). The default selection maintains the current functionality. Additionally, make sure at least one public key algorithm is selected, lest the build would fail. Dropbear executable sizes (ath79, -O2): RSA + Ed25519: 210101 bytes RSA only: 197765 bytes Ed25519 only: 189637 bytes Signed-off-by: Rui Salvaterra --- package/network/services/dropbear/Config.in | 27 ++++++++++++++----- package/network/services/dropbear/Makefile | 23 +++++++++++----- .../dropbear/files/dropbear.failsafe.ecc | 8 ++++++ .../dropbear/files/dropbear.failsafe.ed25519 | 8 ++++++ ...ropbear.failsafe => dropbear.failsafe.rsa} | 0 ...nkey-fix-use-of-rsa-sha2-256-pubkeys.patch | 12 ++++++--- 6 files changed, 62 insertions(+), 16 deletions(-) create mode 100644 package/network/services/dropbear/files/dropbear.failsafe.ecc create mode 100644 package/network/services/dropbear/files/dropbear.failsafe.ed25519 rename package/network/services/dropbear/files/{dropbear.failsafe => dropbear.failsafe.rsa} (100%) mode change 100755 => 100644 diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index 15000eff53..5b7be04ade 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -1,14 +1,13 @@ menu "Configuration" depends on PACKAGE_dropbear -config DROPBEAR_CURVE25519 - bool "Curve25519 support" +menu "Public key algorithm selection" + +config DROPBEAR_RSA + bool "RSA support" default y help - This enables the following key exchange algorithm: - curve25519-sha256@libssh.org - - Increases binary size by about 4 kB (MIPS). + Enable support for the RSA public key algorithm. config DROPBEAR_ECC bool "Elliptic curve cryptography (ECC)" @@ -58,6 +57,13 @@ config DROPBEAR_ED25519 Increases binary size by about 12 kB (MIPS). +config DROPBEAR_AUTOSEL_PK + def_bool y + depends on !(DROPBEAR_ECC || DROPBEAR_ED25519) + select DROPBEAR_RSA + +endmenu + config DROPBEAR_CHACHA20POLY1305 bool "Chacha20-Poly1305 support" default y @@ -67,6 +73,15 @@ config DROPBEAR_CHACHA20POLY1305 Increases binary size by about 4 kB (MIPS). +config DROPBEAR_CURVE25519 + bool "Curve25519 support" + default y + help + This enables the following key exchange algorithm: + curve25519-sha256@libssh.org + + Increases binary size by about 4 kB (MIPS). + config DROPBEAR_ZLIB bool "Enable compression" default n diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 8bbb26f829..d0b6a4b7ea 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -32,7 +32,8 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \ CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \ - CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS + CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS \ + CONFIG_DROPBEAR_RSA include $(INCLUDE_DIR)/package.mk @@ -67,9 +68,9 @@ define Package/dropbear/description endef define Package/dropbear/conffiles +$(if $(CONFIG_DROPBEAR_RSA),/etc/dropbear/dropbear_rsa_host_key) $(if $(CONFIG_DROPBEAR_ED25519),/etc/dropbear/dropbear_ed25519_host_key) $(if $(CONFIG_DROPBEAR_ECC),/etc/dropbear/dropbear_ecdsa_host_key) -/etc/dropbear/dropbear_rsa_host_key /etc/config/dropbear endef @@ -137,7 +138,7 @@ DB_OPT_CONFIG = \ !!DROPBEAR_ECC_384|CONFIG_DROPBEAR_ECC_FULL|1|0 \ !!DROPBEAR_ECC_521|CONFIG_DROPBEAR_ECC_FULL|1|0 \ DROPBEAR_CLI_ASKPASS_HELPER|CONFIG_DROPBEAR_ASKPASS|1|0 \ - + DROPBEAR_RSA|CONFIG_DROPBEAR_RSA|1|0 \ TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections -flto TARGET_LDFLAGS += -Wl,--gc-sections -flto=jobserver @@ -199,10 +200,18 @@ define Package/dropbear/install $(INSTALL_DIR) $(1)/usr/lib/opkg/info $(INSTALL_DIR) $(1)/etc/dropbear $(INSTALL_DIR) $(1)/lib/preinit - $(INSTALL_DATA) ./files/dropbear.failsafe $(1)/lib/preinit/99_10_failsafe_dropbear - $(if $(CONFIG_DROPBEAR_ED25519),touch $(1)/etc/dropbear/dropbear_ed25519_host_key) - $(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key) - touch $(1)/etc/dropbear/dropbear_rsa_host_key + +ifdef CONFIG_DROPBEAR_ED25519 + $(INSTALL_DATA) ./files/dropbear.failsafe.ed25519 $(1)/lib/preinit/99_10_failsafe_dropbear +else ifdef CONFIG_DROPBEAR_ECC + $(INSTALL_DATA) ./files/dropbear.failsafe.ecc $(1)/lib/preinit/99_10_failsafe_dropbear +else ifdef CONFIG_DROPBEAR_RSA + $(INSTALL_DATA) ./files/dropbear.failsafe.rsa $(1)/lib/preinit/99_10_failsafe_dropbear +endif + + $(if $(CONFIG_DROPBEAR_ED25519),touch $(1)/etc/dropbear/dropbear_ed25519_host_key,) + $(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key,) + $(if $(CONFIG_DROPBEAR_RSA),touch $(1)/etc/dropbear/dropbear_rsa_host_key,) endef define Package/dropbearconvert/install diff --git a/package/network/services/dropbear/files/dropbear.failsafe.ecc b/package/network/services/dropbear/files/dropbear.failsafe.ecc new file mode 100644 index 0000000000..924938bd55 --- /dev/null +++ b/package/network/services/dropbear/files/dropbear.failsafe.ecc @@ -0,0 +1,8 @@ +#!/bin/sh + +failsafe_dropbear () { + dropbearkey -t ecdsa -s 256 -f /tmp/dropbear_failsafe_host_key + dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1 +} + +boot_hook_add failsafe failsafe_dropbear diff --git a/package/network/services/dropbear/files/dropbear.failsafe.ed25519 b/package/network/services/dropbear/files/dropbear.failsafe.ed25519 new file mode 100644 index 0000000000..46b4918014 --- /dev/null +++ b/package/network/services/dropbear/files/dropbear.failsafe.ed25519 @@ -0,0 +1,8 @@ +#!/bin/sh + +failsafe_dropbear () { + dropbearkey -t ed25519 -f /tmp/dropbear_failsafe_host_key + dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1 +} + +boot_hook_add failsafe failsafe_dropbear diff --git a/package/network/services/dropbear/files/dropbear.failsafe b/package/network/services/dropbear/files/dropbear.failsafe.rsa old mode 100755 new mode 100644 similarity index 100% rename from package/network/services/dropbear/files/dropbear.failsafe rename to package/network/services/dropbear/files/dropbear.failsafe.rsa diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch index b774a38b1a..b2846ea87b 100644 --- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch +++ b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch @@ -21,18 +21,24 @@ Signed-off-by: Petr Štetiar --- a/signkey.c +++ b/signkey.c -@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *k +@@ -657,9 +657,19 @@ int buf_verify(buffer * buf, sign_key *k sigtype = signature_type_from_name(type_name, type_name_len); m_free(type_name); -- if (expect_sigtype != sigtype) { -- dropbear_exit("Non-matching signing type"); ++#if DROPBEAR_RSA + if (sigtype == DROPBEAR_SIGNATURE_NONE) { + dropbear_exit("No signature type"); + } + + if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) { ++ dropbear_exit("Non-matching signing type"); ++ } ++#else + if (expect_sigtype != sigtype) { +- dropbear_exit("Non-matching signing type"); + dropbear_exit("Non-matching signing type"); } ++#endif keytype = signkey_type_from_signature(sigtype); + #if DROPBEAR_DSS From patchwork Tue Dec 15 16:59:41 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Rui Salvaterra X-Patchwork-Id: 1416582 X-Patchwork-Delegate: rsalvaterra@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=MAvGBoBA; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=K80H1diS; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4CwPgQ5zRyz9s1l for ; Wed, 16 Dec 2020 04:01:54 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=qXZFdB/O5Fa5orFYcL17wk6oatXrT2S9sRKe872+QrU=; b=MAvGBoBAdhovHT3PvsJs1rjGw 7BiOvU9Bp4qFwY3rOggKQqxvRHOINgN+Tzf7p0yXsGEDqa8JbbM2kpfFGLRqdCgqpUuxSytxBv0vG l/bcev+sBM3r2GFeybAE4N0a70AZfoffjmLL8p0i6yKFwifIzoL0IoT9g0vBLtFrQkxoRTmSiOk0y UwZpbiMCKXzaoV9AIu10y8bq0/EBTGZMHb6riAMHc3CwNeSXB8hhlcHL2LpZEFal4dtUNZuzQLSdC opsDpfWyCTHDXpcFdi8J3AWDmtufk4cSRvEZGwfJmc3ZcX66XLiaNneP1GHf17xfHnAaK8/B3dM9k q4IYo/Iug==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kpDg9-0001Y9-8R; Tue, 15 Dec 2020 17:00:01 +0000 Received: from mail-qk1-x742.google.com ([2607:f8b0:4864:20::742]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kpDg2-0001VQ-DM for openwrt-devel@lists.openwrt.org; Tue, 15 Dec 2020 16:59:55 +0000 Received: by mail-qk1-x742.google.com with SMTP id b64so15782331qkc.12 for ; Tue, 15 Dec 2020 08:59:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=b90bNc1TmYSxvaye5ylqnAoksK9kiiQNHZYsl9hVsz0=; b=K80H1diSDC192DrHAWISmtJtULTmv/EBCRusb0tvczGn8/YHRhRtrt9OsrEKfielhU yp09I+5Q5NPZ6Fw54zcYEoB+b4wUqc93qrjwTdFW0EDvqhvlpkwfIH5pDvhRIZVATF4f m9vSXqUmt5ZX0nsVf8bqP7bHZ94vHXb62g46DH1Z5Vx6akDPRoi6hdqSDpr1uWYlD4M5 vUn7GRSi6q4I9QDkranRQsSFkJ9hGTet3yJDCPOEQy9iIeMqCq/g1enkAs6hK9aJrcdm l7bJWeSEjxm82V9YC/ENFJbdl99rjFzClhvcJSzCNcXCeZSbqf6dVwavP6jFgLGIzwjD 3epw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=b90bNc1TmYSxvaye5ylqnAoksK9kiiQNHZYsl9hVsz0=; b=maofSaJxS9Nh61W7KRPUZeJjNl+zvyn51wiX02gIJ9UxueZgFgvXmF/fuWaLorIMwn viK7xs7KqXHz/JPPV4ZLI1g2YBtm6aPO8iXeXd/7oDDUxXvM4uve6YBt7i0CwWG8prEO IwrkTH4VG9ihnF3Ddc/e5vs60jO+kco4yMx9eUOi/jgcA1BaH5G4POcREU4LDgNnLZ0V rE7ya8Ig1fgVd1egzNmjwWwrqmownMOD31EON4Q7XG2GHFklFBPmTAKCc5kCIogZpNOT uG4nmMkOv15wVt7FdK/kyh4qY1p3XdARLRBLBLz1yjXHr1PUgV6pFRpkD9Ff16TpIRfA ISaw== X-Gm-Message-State: AOAM5329LN2caR2HVCajluf8D+/tLd5lqiLp4K80wppy/ycm0gtzp1fH jx4FOSOytzSJsbTfhS+Tqz/1CHWU+A== X-Google-Smtp-Source: ABdhPJyk7q8TVOiOm3xJBt/kV5D9SMf59mXGaKXYh/38ssTyiwN293d4j7ZSnBMRzlokd5r2W6IZAQ== X-Received: by 2002:a37:8ec7:: with SMTP id q190mr39243198qkd.258.1608051592412; Tue, 15 Dec 2020 08:59:52 -0800 (PST) Received: from presler.lan (a95-94-74-213.cpe.netcabo.pt. [95.94.74.213]) by smtp.gmail.com with ESMTPSA id n9sm16110388qti.75.2020.12.15.08.59.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Dec 2020 08:59:52 -0800 (PST) From: Rui Salvaterra To: openwrt-devel@lists.openwrt.org Subject: [PATCH v4 2/3] dropbear: create a submenu for encryption algorithms Date: Tue, 15 Dec 2020 16:59:41 +0000 Message-Id: <20201215165942.2194-3-rsalvaterra@gmail.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201215165942.2194-1-rsalvaterra@gmail.com> References: <20201215165942.2194-1-rsalvaterra@gmail.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201215_115954_516479_E7CF20D7 X-CRM114-Status: GOOD ( 13.06 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2607:f8b0:4864:20:0:0:0:742 listed in] [list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [rsalvaterra[at]gmail.com] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Rui Salvaterra Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org This allows the user to select only the encryption algorithms (s)he requires (e.g., disabling AES and keeping only ChaCha20-Poly1305). The default selection maintains the current functionality. Additionally, make sure at least one encryption algorithm is selected, lest the build would fail. Signed-off-by: Rui Salvaterra --- package/network/services/dropbear/Config.in | 21 +++++++++++++++++++++ package/network/services/dropbear/Makefile | 4 +++- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index 5b7be04ade..6d2b4cdfae 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -64,6 +64,20 @@ config DROPBEAR_AUTOSEL_PK endmenu +menu "Encryption algorithm selection" + +config DROPBEAR_AES128 + bool "AES-128 support" + default y + help + This enables support for the 128-bit AES cipher + +config DROPBEAR_AES256 + bool "AES-256 support" + default y + help + This enables support for the 256-bit AES cipher + config DROPBEAR_CHACHA20POLY1305 bool "Chacha20-Poly1305 support" default y @@ -73,6 +87,13 @@ config DROPBEAR_CHACHA20POLY1305 Increases binary size by about 4 kB (MIPS). +config DROPBEAR_AUTOSEL_EA + def_bool y + depends on !(DROPBEAR_AES256 || DROPBEAR_CHACHA20POLY1305) + select DROPBEAR_AES128 + +endmenu + config DROPBEAR_CURVE25519 bool "Curve25519 support" default y diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index d0b6a4b7ea..1d131455a2 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -33,7 +33,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \ CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \ CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS \ - CONFIG_DROPBEAR_RSA + CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 include $(INCLUDE_DIR)/package.mk @@ -139,6 +139,8 @@ DB_OPT_CONFIG = \ !!DROPBEAR_ECC_521|CONFIG_DROPBEAR_ECC_FULL|1|0 \ DROPBEAR_CLI_ASKPASS_HELPER|CONFIG_DROPBEAR_ASKPASS|1|0 \ DROPBEAR_RSA|CONFIG_DROPBEAR_RSA|1|0 \ + DROPBEAR_AES128|CONFIG_DROPBEAR_AES128|1|0 \ + DROPBEAR_AES256|CONFIG_DROPBEAR_AES256|1|0 TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections -flto TARGET_LDFLAGS += -Wl,--gc-sections -flto=jobserver From patchwork Tue Dec 15 16:59:42 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Rui Salvaterra X-Patchwork-Id: 1416584 X-Patchwork-Delegate: rsalvaterra@gmail.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=1OTft0IL; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=g9Inwfqp; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4CwPgh1Pxhz9s1l for ; Wed, 16 Dec 2020 04:02:08 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:Message-Id:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=jpVqVIOieYVIMpkXg/B+TIbtkto0KxUPfQ/kjlVukHE=; b=1OTft0ILZdFehG5zEVvsBGUcy A0GbuTKr63KUQs91aFtx8MQVYTlRmUCporLwhZ6Qs8TaP5cWvbpOfL9R9sRiswK1oqugfSxU/L8hP x5cTbK8TfH/v/8qzGa000ISInz50UsExIue+wjK+EjhJhMuRR7/PZfABtUmc9VuGPHXIzO5SPjSvM kD7JnK6oynUOy9mCqABFUIH/G6uZLThCXYEXQttIqTRCIM48GbIUAh+4EoDKmR6Mx/CYoKXPoCRpj suaKyaphwfrleMAPsI5M5rdzqNJqBLOGGNi05Oqis7a7FDYC9SwaQaqjXv9Kqv94xoPMbs/cU822v yr1nOCyRA==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kpDgD-0001Zm-VK; Tue, 15 Dec 2020 17:00:06 +0000 Received: from mail-qv1-xf44.google.com ([2607:f8b0:4864:20::f44]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kpDg3-0001Vx-Ex for openwrt-devel@lists.openwrt.org; Tue, 15 Dec 2020 16:59:56 +0000 Received: by mail-qv1-xf44.google.com with SMTP id u16so9882544qvl.7 for ; Tue, 15 Dec 2020 08:59:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=pwNijvsYtN2tZb8fecS4Q42Zy8uLh8/eYp4iue2hnVk=; b=g9InwfqpOdLvNBaI0BLsSFudmam7/VWG17GLofAK+LqEE5vIIfEScryP0wvj4JBj0N LLYN/Sst++7Mow+EfV/cGyJcWZjcXuVpaxkSYXy0hS86sdssYvQ/7PmMhiRlcbMouEy9 R1I1LKgbh0vy5BvhhuVOEH35H4t0JOgPpAbnGSofnj0nCk2PfAsx4MMgb0FoeVfum9td EKJazUWZkzTBhwZePH7mGVZH5nLxanvSOQl5JXfKPE8mxoCcs9gh8nSLjDFwlRydGUQS wqZL7g8YqBrmmO2w2SFSFPZ6HpmR5H9HNIb6+WXQnhrJax0cCzAKn56JMcM8+DwJQC9E pUhw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=pwNijvsYtN2tZb8fecS4Q42Zy8uLh8/eYp4iue2hnVk=; b=HWHwhSDrWgnzfFr3aYkyBFKPxg52gHsfMtcEzlh01q7ZytNdygDE9AQbwxl3i6mm46 MEs+cP7CohmjGjSWlHUznmu7+DxPI5Q9hQtDpsGVTrWiXNDB6Up7buA+5BYDbPtDI1a/ tK3hbPFMoWtd3FSYVHRiS9xwq/J91bg1Mq8H4s2g6md5IvmCsGnVhz8mTau48q+AHDwY y4FaoWc0EQlh4W/P5N5NSIwyg6IEFCMPmScNxqvV578YaamN53yZFjVYJqaFPHU9t0X7 Sduan1G3FCbWjF+LfeG2mWVwYeeMmQuRnOLzK/qubBAEZdssfTFQb4dNaIe0pKBHn3GU kyIw== X-Gm-Message-State: AOAM530s9mpMuA4s2FhoxJs5FZpV45tsLiBiuMzS/FvzWlz3x2YG8j88 sFOlY44nX8XTNydLe2ZKG8VG0DEN8g== X-Google-Smtp-Source: ABdhPJz6oPPaxID0kKdEglnoixtbpD6FLzGgNO7+E0RkoL65N+L8mS3DWXq4aKJSHs6HCHqKwNgN6Q== X-Received: by 2002:a0c:dc13:: with SMTP id s19mr17113497qvk.26.1608051593610; Tue, 15 Dec 2020 08:59:53 -0800 (PST) Received: from presler.lan (a95-94-74-213.cpe.netcabo.pt. [95.94.74.213]) by smtp.gmail.com with ESMTPSA id n9sm16110388qti.75.2020.12.15.08.59.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 15 Dec 2020 08:59:53 -0800 (PST) From: Rui Salvaterra To: openwrt-devel@lists.openwrt.org Subject: [PATCH v4 3/3] dropbear: create a submenu for key exchange algorithms Date: Tue, 15 Dec 2020 16:59:42 +0000 Message-Id: <20201215165942.2194-4-rsalvaterra@gmail.com> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201215165942.2194-1-rsalvaterra@gmail.com> References: <20201215165942.2194-1-rsalvaterra@gmail.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201215_115955_546762_0807F599 X-CRM114-Status: GOOD ( 12.29 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2607:f8b0:4864:20:0:0:0:f44 listed in] [list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [rsalvaterra[at]gmail.com] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Rui Salvaterra Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org This allows the user to select only the key exchange algorithms (s)he requires (e.g., disabling group 14 SHA-{1,256} and keeping only Curve25519). The default selection maintains the current functionality. Additionally, make sure at least one key exchange algorithm is selected, lest the build would fail. Signed-off-by: Rui Salvaterra --- package/network/services/dropbear/Config.in | 17 +++++++++++++++++ package/network/services/dropbear/Makefile | 7 +++++-- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index 6d2b4cdfae..b0ad21f907 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -94,6 +94,16 @@ config DROPBEAR_AUTOSEL_EA endmenu +menu "Key exchange algorithm selection" + +config DROPBEAR_DH_GROUP14_SHA1 + bool "Group 14 SHA-1" + default y + +config DROPBEAR_DH_GROUP14_SHA256 + bool "Group 14 SHA-256" + default y + config DROPBEAR_CURVE25519 bool "Curve25519 support" default y @@ -103,6 +113,13 @@ config DROPBEAR_CURVE25519 Increases binary size by about 4 kB (MIPS). +config DROPBEAR_AUTOSEL_KEX + def_bool y + depends on !(DROPBEAR_DH_GROUP14_SHA1 || DROPBEAR_CURVE25519) + select DROPBEAR_DH_GROUP14_SHA256 + +endmenu + config DROPBEAR_ZLIB bool "Enable compression" default n diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 1d131455a2..7a6cc96f94 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -33,7 +33,8 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \ CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \ CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS \ - CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 + CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 \ + DROPBEAR_DH_GROUP14_SHA1 DROPBEAR_DH_GROUP14_SHA256 include $(INCLUDE_DIR)/package.mk @@ -140,7 +141,9 @@ DB_OPT_CONFIG = \ DROPBEAR_CLI_ASKPASS_HELPER|CONFIG_DROPBEAR_ASKPASS|1|0 \ DROPBEAR_RSA|CONFIG_DROPBEAR_RSA|1|0 \ DROPBEAR_AES128|CONFIG_DROPBEAR_AES128|1|0 \ - DROPBEAR_AES256|CONFIG_DROPBEAR_AES256|1|0 + DROPBEAR_AES256|CONFIG_DROPBEAR_AES256|1|0 \ + DROPBEAR_DH_GROUP14_SHA1|CONFIG_DROPBEAR_DH_GROUP14_SHA1|1|0 \ + DROPBEAR_DH_GROUP14_SHA256|CONFIG_DROPBEAR_DH_GROUP14_SHA256|1|0 TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections -flto TARGET_LDFLAGS += -Wl,--gc-sections -flto=jobserver