Re: [ptxdist] build failure with recent dropbear 2022.82 on ptxdist for arm-v5te
Hello Ian, Am Donnerstag, 30. Juni 2022, 16:19:53 CEST schrieb Ian Abbott: > On 30/06/2022 12:57, Alexander Dahl wrote: > > Hello, > > > > trying to build dropbear as part of a ptxdist based embedded BSP for an > > armv5te target, more precisely I try to upgrade dropbear from 2020.81 to > > 2022.82, the previous version builds fine, the new one fails to build. > > > > Cross toolchain is OSELAS.Toolchain-2016.06.1/arm-v5te-linux-gnueabi/ > > gcc-5.4.0-glibc-2.23-binutils-2.26-kernel-4.6-sanitized > > > > According to config.log … Invocation command line was > > > >$ ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var -- > > > > libdir=/usr/lib --build=x86_64-host-linux-gnu > > --host=arm-v5te-linux-gnueabi -- enable-harden --enable-largefile > > --disable-zlib --disable-pam --enable-openpty --enable-syslog > > --enable-shadow --disable-plugin --disable-fuzz --enable- bundled-libtom > > --disable-lastlog --disable-utmp --disable-utmpx --disable-wtmp > > --disable-wtmpx --disable-loginfunc --disable-pututline > > --disable-pututxline> > > And localoptions.h was set to this: > >/* localoptions.h created by ptxdist */ > >#define DROPBEAR_X11FWD 0 > >#define DROPBEAR_CLI_LOCALTCPFWD 1 > >#define DROPBEAR_CLI_REMOTETCPFWD 1 > >#define DROPBEAR_SVR_LOCALTCPFWD 1 > >#define DROPBEAR_SVR_REMOTETCPFWD 1 > >#define DROPBEAR_SVR_AGENTFWD 0 > >#define DROPBEAR_CLI_AGENTFWD 0 > >#define DROPBEAR_AES128 1 > >#define DROPBEAR_3DES 0 > >#define DROPBEAR_AES256 1 > >#define DROPBEAR_ENABLE_CBC_MODE 0 > >#define DROPBEAR_ENABLE_CTR_MODE 1 > >#define DROPBEAR_SHA1_HMAC 0 > >#define DROPBEAR_DH_GROUP1 0 > >#define DROPBEAR_DH_GROUP14_SHA1 0 > >#define DROPBEAR_SHA1_96_HMAC 0 > >#define DROPBEAR_SHA2_256_HMAC 1 > >#define DROPBEAR_SHA2_512_HMAC 1 > >#define DROPBEAR_DSS 0 > >#define DROPBEAR_RSA 1 > >#define DROPBEAR_ECDSA 0 > >#define DROPBEAR_ECDH 0 > >#define DROPBEAR_CURVE25519 0 > >#define DROPBEAR_SVR_PASSWORD_AUTH 1 > >#define DROPBEAR_CLI_PASSWORD_AUTH 1 > >#define DROPBEAR_SVR_PUBKEY_AUTH 1 > >#define DROPBEAR_CLI_PUBKEY_AUTH 1 > > > > The compile error is like this: > >arm-v5te-linux-gnueabi-gcc -c -Os -W -Wall -Wno-pointer-sign > >-fno-strict- > > > > overflow -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2 > > -I./libtomcrypt/ src/headers/ -DLOCALOPTIONS_H_EXISTS -I. -I. > > -DDROPBEAR_SERVER - > > DDROPBEAR_CLIENT signkey.c -o signkey.o > > > >In file included from signkey.c:31:0: > >sk-ecdsa.h:11:44: error: unknown type name 'ecc_key' > >signkey.c: In function 'buf_get_pub_key': > >signkey.c:318:17: error: 'DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256' > >undeclared > > > > (first use in this function) > > > >signkey.c:318:17: note: each undeclared identifier is reported only > >once for> > > each function it appears in > > > >signkey.c: In function 'buf_verify': > >signkey.c:688:17: error: 'DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256' > >undeclared > > > > (first use in this function) > > > >signkey.c:689:3: error: unknown type name 'ecc_key' > >signkey.c:689:20: error: 'ecc_key' undeclared (first use in this > >function) > >signkey.c:689:29: error: expected expression before ')' token > > > > make[1]: *** [Makefile:154: signkey.o] Error 1 > > > > I looked into the dropbear code, and sk-ecdsa.h includes "includes.h" > > which > > itself includes "tomcrypt.h" and in some file of that 'ecc_key' is > > defined, so I don't know why the compiler complains here. > > > > Did not look into the other errors however. > > > > Any ideas? > > I think the problem occurs when DROPBEAR_SK_ECDSA is 1 and > DROPBEAR_ECDSA is 0. The upstream maintainers can determine whether > this combination should be supported or not. Exactly. All three other combinations of these two bits build fine though. > The ptxdist rules for dropbear 2020.81 (the current version in ptxdist) > did not configure DROPBEAR_SK_ECDSA in "localoptions.h", so > DROPBEAR_SK_ECDSA gets defined with the default value 1 in > "default_options_guard.h" (generated from "default_options.h"). > > As a temporary measure, you can change ptxdist's "dropbear.make" to > forcibly configure DROPBEAR_SK_ECDSA to 0 by adding these lines in the > appropriate place before the `@$(call touch)` line in the > `$(STATEDIR)/dropbear.prepare` rules: > > @echo "ptxdist: disabling sk_ecdsa" > @echo "#define DROPBEAR_SK_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS) > > You could also add these lines to forcibly configure DROPBEAR_SK_ED25519 > to 0 (not needed to fix the build, but it should reduce the executable > size): > > @echo "ptxdist: disabling sk_ed25519" > @echo "#define DROPBEAR_SK_ED25519 0" >> $(DROPBEAR_LOCALOPTIONS) This is what I prepared in my upcoming patch series. Will send it to ptxdist mailing list next week. > (Ideally, extra configuration options
build failure with recent dropbear 2022.82 on ptxdist for arm-v5te
Hello, trying to build dropbear as part of a ptxdist based embedded BSP for an armv5te target, more precisely I try to upgrade dropbear from 2020.81 to 2022.82, the previous version builds fine, the new one fails to build. Cross toolchain is OSELAS.Toolchain-2016.06.1/arm-v5te-linux-gnueabi/ gcc-5.4.0-glibc-2.23-binutils-2.26-kernel-4.6-sanitized According to config.log … Invocation command line was $ ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var -- libdir=/usr/lib --build=x86_64-host-linux-gnu --host=arm-v5te-linux-gnueabi -- enable-harden --enable-largefile --disable-zlib --disable-pam --enable-openpty --enable-syslog --enable-shadow --disable-plugin --disable-fuzz --enable- bundled-libtom --disable-lastlog --disable-utmp --disable-utmpx --disable-wtmp --disable-wtmpx --disable-loginfunc --disable-pututline --disable-pututxline And localoptions.h was set to this: /* localoptions.h created by ptxdist */ #define DROPBEAR_X11FWD 0 #define DROPBEAR_CLI_LOCALTCPFWD 1 #define DROPBEAR_CLI_REMOTETCPFWD 1 #define DROPBEAR_SVR_LOCALTCPFWD 1 #define DROPBEAR_SVR_REMOTETCPFWD 1 #define DROPBEAR_SVR_AGENTFWD 0 #define DROPBEAR_CLI_AGENTFWD 0 #define DROPBEAR_AES128 1 #define DROPBEAR_3DES 0 #define DROPBEAR_AES256 1 #define DROPBEAR_ENABLE_CBC_MODE 0 #define DROPBEAR_ENABLE_CTR_MODE 1 #define DROPBEAR_SHA1_HMAC 0 #define DROPBEAR_DH_GROUP1 0 #define DROPBEAR_DH_GROUP14_SHA1 0 #define DROPBEAR_SHA1_96_HMAC 0 #define DROPBEAR_SHA2_256_HMAC 1 #define DROPBEAR_SHA2_512_HMAC 1 #define DROPBEAR_DSS 0 #define DROPBEAR_RSA 1 #define DROPBEAR_ECDSA 0 #define DROPBEAR_ECDH 0 #define DROPBEAR_CURVE25519 0 #define DROPBEAR_SVR_PASSWORD_AUTH 1 #define DROPBEAR_CLI_PASSWORD_AUTH 1 #define DROPBEAR_SVR_PUBKEY_AUTH 1 #define DROPBEAR_CLI_PUBKEY_AUTH 1 The compile error is like this: arm-v5te-linux-gnueabi-gcc -c -Os -W -Wall -Wno-pointer-sign -fno-strict- overflow -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2 -I./libtomcrypt/ src/headers/ -DLOCALOPTIONS_H_EXISTS -I. -I. -DDROPBEAR_SERVER - DDROPBEAR_CLIENT signkey.c -o signkey.o In file included from signkey.c:31:0: sk-ecdsa.h:11:44: error: unknown type name 'ecc_key' signkey.c: In function 'buf_get_pub_key': signkey.c:318:17: error: 'DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256' undeclared (first use in this function) signkey.c:318:17: note: each undeclared identifier is reported only once for each function it appears in signkey.c: In function 'buf_verify': signkey.c:688:17: error: 'DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256' undeclared (first use in this function) signkey.c:689:3: error: unknown type name 'ecc_key' signkey.c:689:20: error: 'ecc_key' undeclared (first use in this function) signkey.c:689:29: error: expected expression before ')' token make[1]: *** [Makefile:154: signkey.o] Error 1 I looked into the dropbear code, and sk-ecdsa.h includes "includes.h" which itself includes "tomcrypt.h" and in some file of that 'ecc_key' is defined, so I don't know why the compiler complains here. Did not look into the other errors however. Any ideas? Greets Alex
Dropbear 2022.82
Hi all, Dropbear 2022.82 is released at last, with various improvements and some relatively minor fixes. Thanks to everyone who provided code, bug reports, suggestions and other help. Releases can be downloaded from https://matt.ucc.asn.au/dropbear/dropbear.html It looks like the Dropbear Mercurial repository (hg.ucc.asn.au) isn't getting used much any more. Perhaps it is finally time to move the canonical source to git/github. If anyone is still using the Mercurial repo please let me know. Cheers, Matt 2022.82 - 1 April 2022 Features and Changes: Note >> for compatibility/configuration changes - Implemented OpenSSH format private key handling for dropbearconvert. Keys can be read in OpenSSH format or the old PEM format. >> Keys are now written in OpenSSH format rather than PEM. ED25519 support is now correct. DSS keys are still PEM format. - Use SHA256 for key fingerprints - >> Reworked -v verbose printing, specifying multiple times will increase verbosity. - is equivalent to the old DEBUG_TRACE -v level, it can be configured at compile time in localoptions.h (see default_options.h) Lower -v options can be used to check connection progress or algorithm negotiation. Thanks to Hans Harder for the implementation localoptions.h DEBUG_TRACE should be set to 4 for the same result as the previous DEBUG_TRACE 1. - Added server support for U2F/FIDO keys (ecdsa-sk and ed25519-sk) in authorized_keys. no-touch-required option isn't allowed yet. Thanks to Egor Duda for the implementation - autoconf output (configure script etc) is now committed to version control. >> It isn't necessary to run "autoconf" any more on a checkout. - sha1 will be omitted from the build if KEX/signing/MAC algorithms don't require it. Instead sha256 is used for random number generation. See sysoptions.h to see which algorithms require which hashes. - Set SSH_PUBKEYINFO environment variable based on the authorized_keys entry used for auth. The first word of the comment after the key is used (must only have characters a-z A-Z 0-9 .,_-+@) Patch from Hans Harder, modified by Matt Johnston - Let dbclient multihop mode be used with '-J'. Patch from Hans Harder - Allow home-directory relative paths ~/path for various settings and command line options. *_PRIV_FILENAME DROPBEAR_PIDFILE SFTPSERVER_PATH MOTD_FILENAME Thanks to Begley Brothers Inc >> The default DROPBEAR_DEFAULT_CLI_AUTHKEY has now changed, it now needs a tilde prefix. - LANG environment variable is carried over from the Dropbear server process From Maxim Kochetkov - Add /usr/sbin and /sbin to $PATH when logging in as root. Patch from Raphaël Hertzog https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403 - Added client option "-o DisableTrivialAuth". This can be used to prevent the server immediately accepting successful authentication (before any auth request) which could cause UI confusion and security issues with agent forwarding - it isn't clear which host is prompting to use a key. Thanks to Manfred Kaiser from Austrian MilCERT - Add -q client option to hide remote banner, from Hans Harder - Add -e option to pass all server environment variables to child processes. This should be used with caution. Patch from Roland Vollgraf (github #118) - >> Use DSCP for QoS traffic classes. Priority (tty) traffic is now set to AF21 "interactive". Previously TOS classes were used, they are not used by modern traffic classifiers. Non-tty traffic is left at default priority. - >> Disable dh-group1 key exchange by default. It has been disabled server side by default since 2018. - >> Removed Twofish cipher - Dropbear now re-executes itself rather than just forking for each connection (only on Linux). This allows ASLR to randomise address space for each connection as a security mitigation. It should not have any visible impact - if there are any performance impacts in the wild please report it. Fixes: - Fix flushing channel data when pty was allocated (github #85) Data wasn't completely transmitted at channel close. Reported and initial patch thanks to Yousong Zhou - Check authorized_keys permissions as the user, fixes NFS squash root. Patch from Chris Dragan (github #107) - A missing home directory is now non-fatal, starting in / instead - Fixed IPv6 [address]:port parsing for dbclient -b Reported by Fabio Molinari - Improve error logging so that they are logged on the server rather than being sent to the client over the connection - Max window size is increased to 10MB, more graceful fallback if it's invalid. - Fix correctness of Dropbear's handling of global requests. Patch from Dirkjan Bussink - Fix some small bugs found by fuzzers, null pointer dereference crash and leaks (post authentication) - $HOME variable is used before /etc/passwd when expanding paths such as ~/.ssh/
