Hello Ian, Am Donnerstag, 30. Juni 2022, 16:19:53 CEST schrieb Ian Abbott: > On 30/06/2022 12:57, Alexander Dahl wrote: > > Hello, > > > > trying to build dropbear as part of a ptxdist based embedded BSP for an > > armv5te target, more precisely I try to upgrade dropbear from 2020.81 to > > 2022.82, the previous version builds fine, the new one fails to build. > > > > Cross toolchain is OSELAS.Toolchain-2016.06.1/arm-v5te-linux-gnueabi/ > > gcc-5.4.0-glibc-2.23-binutils-2.26-kernel-4.6-sanitized > > > > According to config.log … Invocation command line was > > > > $ ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var -- > > > > libdir=/usr/lib --build=x86_64-host-linux-gnu > > --host=arm-v5te-linux-gnueabi -- enable-harden --enable-largefile > > --disable-zlib --disable-pam --enable-openpty --enable-syslog > > --enable-shadow --disable-plugin --disable-fuzz --enable- bundled-libtom > > --disable-lastlog --disable-utmp --disable-utmpx --disable-wtmp > > --disable-wtmpx --disable-loginfunc --disable-pututline > > --disable-pututxline> > > And localoptions.h was set to this: > > /* localoptions.h created by ptxdist */ > > #define DROPBEAR_X11FWD 0 > > #define DROPBEAR_CLI_LOCALTCPFWD 1 > > #define DROPBEAR_CLI_REMOTETCPFWD 1 > > #define DROPBEAR_SVR_LOCALTCPFWD 1 > > #define DROPBEAR_SVR_REMOTETCPFWD 1 > > #define DROPBEAR_SVR_AGENTFWD 0 > > #define DROPBEAR_CLI_AGENTFWD 0 > > #define DROPBEAR_AES128 1 > > #define DROPBEAR_3DES 0 > > #define DROPBEAR_AES256 1 > > #define DROPBEAR_ENABLE_CBC_MODE 0 > > #define DROPBEAR_ENABLE_CTR_MODE 1 > > #define DROPBEAR_SHA1_HMAC 0 > > #define DROPBEAR_DH_GROUP1 0 > > #define DROPBEAR_DH_GROUP14_SHA1 0 > > #define DROPBEAR_SHA1_96_HMAC 0 > > #define DROPBEAR_SHA2_256_HMAC 1 > > #define DROPBEAR_SHA2_512_HMAC 1 > > #define DROPBEAR_DSS 0 > > #define DROPBEAR_RSA 1 > > #define DROPBEAR_ECDSA 0 > > #define DROPBEAR_ECDH 0 > > #define DROPBEAR_CURVE25519 0 > > #define DROPBEAR_SVR_PASSWORD_AUTH 1 > > #define DROPBEAR_CLI_PASSWORD_AUTH 1 > > #define DROPBEAR_SVR_PUBKEY_AUTH 1 > > #define DROPBEAR_CLI_PUBKEY_AUTH 1 > > > > The compile error is like this: > > arm-v5te-linux-gnueabi-gcc -c -Os -W -Wall -Wno-pointer-sign > > -fno-strict- > > > > overflow -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2 > > -I./libtomcrypt/ src/headers/ -DLOCALOPTIONS_H_EXISTS -I. -I. > > -DDROPBEAR_SERVER - > > DDROPBEAR_CLIENT signkey.c -o signkey.o > > > > In file included from signkey.c:31:0: > > sk-ecdsa.h:11:44: error: unknown type name 'ecc_key' > > signkey.c: In function 'buf_get_pub_key': > > signkey.c:318:17: error: 'DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256' > > undeclared > > > > (first use in this function) > > > > signkey.c:318:17: note: each undeclared identifier is reported only > > once for> > > each function it appears in > > > > signkey.c: In function 'buf_verify': > > signkey.c:688:17: error: 'DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256' > > undeclared > > > > (first use in this function) > > > > signkey.c:689:3: error: unknown type name 'ecc_key' > > signkey.c:689:20: error: 'ecc_key' undeclared (first use in this > > function) > > signkey.c:689:29: error: expected expression before ')' token > > > > make[1]: *** [Makefile:154: signkey.o] Error 1 > > > > I looked into the dropbear code, and sk-ecdsa.h includes "includes.h" > > which > > itself includes "tomcrypt.h" and in some file of that 'ecc_key' is > > defined, so I don't know why the compiler complains here. > > > > Did not look into the other errors however. > > > > Any ideas? > > I think the problem occurs when DROPBEAR_SK_ECDSA is 1 and > DROPBEAR_ECDSA is 0. The upstream maintainers can determine whether > this combination should be supported or not.
Exactly. All three other combinations of these two bits build fine though. > The ptxdist rules for dropbear 2020.81 (the current version in ptxdist) > did not configure DROPBEAR_SK_ECDSA in "localoptions.h", so > DROPBEAR_SK_ECDSA gets defined with the default value 1 in > "default_options_guard.h" (generated from "default_options.h"). > > As a temporary measure, you can change ptxdist's "dropbear.make" to > forcibly configure DROPBEAR_SK_ECDSA to 0 by adding these lines in the > appropriate place before the `@$(call touch)` line in the > `$(STATEDIR)/dropbear.prepare` rules: > > @echo "ptxdist: disabling sk_ecdsa" > @echo "#define DROPBEAR_SK_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS) > > You could also add these lines to forcibly configure DROPBEAR_SK_ED25519 > to 0 (not needed to fix the build, but it should reduce the executable > size): > > @echo "ptxdist: disabling sk_ed25519" > @echo "#define DROPBEAR_SK_ED25519 0" >> $(DROPBEAR_LOCALOPTIONS) This is what I prepared in my upcoming patch series. Will send it to ptxdist mailing list next week. > (Ideally, extra configuration options for the new features should be > added to ptxdist's "dropbear.in", and should automatically select > DROPBEAR_ECDSA when DROPBEAR_SK_ECDSA is configured.) (This is a new feature. I think we can postpone this u2f security device support until someone actually needs it.) > Alternatively, you could just select the DROPBEAR_ECSDA option in the > configuration anyway, but that will increase the size of the dropbear > executable. Thanks for your input. I'll Cc you on that patch series then if you don't mind. Have a nice weekend Alex