This allows the user to select only the public key algorithms (s)he requires (e.g., disabling RSA and keeping only Ed25519). The default selection maintains the current functionality.
Additionally, make sure at least one public key algorithm is selected, lest the build would fail.

Dropbear executable sizes (ath79, -O2):
RSA + Ed25519: 210101 bytes
RSA only: 197765 bytes
Ed25519 only: 189637 bytes

Signed-off-by: Rui Salvaterra <rsalvate...@gmail.com>
---
 package/network/services/dropbear/Config.in | 27 ++++++++++++++-----
 package/network/services/dropbear/Makefile | 23 +++++++++++-----
 .../dropbear/files/dropbear.failsafe.ecc | 8 ++++++
 .../dropbear/files/dropbear.failsafe.ed25519 | 8 ++++++
 ...ropbear.failsafe => dropbear.failsafe.rsa} | 0
 ...nkey-fix-use-of-rsa-sha2-256-pubkeys.patch | 14 ++++++----
 6 files changed, 63 insertions(+), 17 deletions(-)
 create mode 100755 package/network/services/dropbear/files/dropbear.failsafe.ecc
 create mode 100755 package/network/services/dropbear/files/dropbear.failsafe.ed25519
 rename package/network/services/dropbear/files/{dropbear.failsafe => dropbear.failsafe.rsa} (100%)

diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
index 6aa5a7e4e1..d2771eca93 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -1,14 +1,13 @@
 menu "Configuration"
 depends on PACKAGE_dropbear
 
-config DROPBEAR_CURVE25519
- bool "Curve25519 support"
+menu "Public key algorithm selection"
+
+config DROPBEAR_RSA
+ bool "RSA support"
 default y
 help
- This enables the following key exchange algorithm:
- curve25519-sha...@libssh.org
-
- Increases binary size by about 4 kB (MIPS).
+ Enable support for the RSA public key algorithm.
 
 config DROPBEAR_ECC
 bool "Elliptic curve cryptography (ECC)"
@@ -58,6 +57,13 @@ config DROPBEAR_ED25519
 
 Increases binary size by about 12 kB (MIPS).
 
+config DROPBEAR_AUTOSEL_PK
+ def_bool y
+ depends on !(DROPBEAR_ECC || DROPBEAR_ED25519)
+ select DROPBEAR_RSA
+
+endmenu
+
 config DROPBEAR_CHACHA20POLY1305
 bool "Chacha20-Poly1305 support"
 default y
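Review bot: The new `config DROPBEAR_RSA` help text is the only algorithm entry in the new menu without a size figure, while its neighbours end with a line like `Increases binary size by about 12 kB (MIPS).`; the commit message's own ath79 numbers (210101 vs 189637 bytes) put RSA at roughly 20 kB, so `Increases binary size by about 20 kB (MIPS).` could be appended for consistency. Since the RSA host key was installed unconditionally before this change (see the conffiles and install hunks), one more help sentence noting that disabling RSA also removes /etc/dropbear/dropbear_rsa_host_key from the package's conffiles would let users weigh the option knowingly.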
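Review bot: `config DROPBEAR_AUTOSEL_PK` is a hidden symbol with no help text and no comment, yet it carries the invariant the Makefile's new `ifdef` chain silently depends on (at least one of ECC, Ed25519 or RSA is set); a Kconfig comment above it, `# Force RSA on when neither ECC nor Ed25519 is selected, so at least one public key algorithm is built`, would keep the reason next to where it is enforced. The `select` also re-enables RSA without telling a user who has just unticked all three; a `comment "At least one public key algorithm is required; RSA was selected automatically"` entry with the same `depends on` would surface that in menuconfig.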
@@ -67,6 +73,15 @@ config DROPBEAR_CHACHA20POLY1305
 
 Increases binary size by about 4 kB (MIPS).
 
+config DROPBEAR_CURVE25519
+ bool "Curve25519 support"
+ default y
+ help
+ This enables the following key exchange algorithm:
+ curve25519-sha...@libssh.org
+
+ Increases binary size by about 4 kB (MIPS).
+
 config DROPBEAR_ZLIB
 bool "Enable compression"
 default n
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 6c97d3e77b..2ab2cd396d 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -29,7 +29,7 @@ PKG_FLAGS:=nonshared
 
 PKG_CONFIG_DEPENDS:= \
 CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \
- CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
+ CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
 CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \
 CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
 CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP
@@ -67,9 +67,9 @@ define Package/dropbear/description
 endef
 
 define Package/dropbear/conffiles
+$(if $(CONFIG_DROPBEAR_RSA),/etc/dropbear/dropbear_rsa_host_key)
 $(if $(CONFIG_DROPBEAR_ED25519),/etc/dropbear/dropbear_ed25519_host_key)
 $(if $(CONFIG_DROPBEAR_ECC),/etc/dropbear/dropbear_ecdsa_host_key)
-/etc/dropbear/dropbear_rsa_host_key
 /etc/config/dropbear
 endef
 
@@ -107,6 +107,9 @@ define Build/Configure
 echo '#define DEFAULT_PATH "$(TARGET_INIT_PATH)"' >> \
 $(PKG_BUILD_DIR)/localoptions.h
 
+ echo '#define DROPBEAR_RSA $(if $(CONFIG_DROPBEAR_RSA),1,0)' >> \
+ $(PKG_BUILD_DIR)/localoptions.h
+
 echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \
 $(PKG_BUILD_DIR)/localoptions.h
 
@@ -169,10 +172,18 @@ define Package/dropbear/install
 $(INSTALL_DIR) $(1)/usr/lib/opkg/info
 $(INSTALL_DIR) $(1)/etc/dropbear
 $(INSTALL_DIR) $(1)/lib/preinit
- $(INSTALL_DATA) ./files/dropbear.failsafe $(1)/lib/preinit/99_10_failsafe_dropbear
- $(if $(CONFIG_DROPBEAR_ED25519),touch $(1)/etc/dropbear/dropbear_ed25519_host_key)
- $(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key)
- touch $(1)/etc/dropbear/dropbear_rsa_host_key
+
+ifdef CONFIG_DROPBEAR_ED25519
+ $(INSTALL_DATA) ./files/dropbear.failsafe.ed25519 $(1)/lib/preinit/99_10_failsafe_dropbear
+else ifdef CONFIG_DROPBEAR_ECC
+ $(INSTALL_DATA) ./files/dropbear.failsafe.ecc $(1)/lib/preinit/99_10_failsafe_dropbear
+else ifdef CONFIG_DROPBEAR_RSA
+ $(INSTALL_DATA) ./files/dropbear.failsafe.rsa $(1)/lib/preinit/99_10_failsafe_dropbear
+endif
+
+ $(if $(CONFIG_DROPBEAR_ED25519),touch $(1)/etc/dropbear/dropbear_ed25519_host_key,)
+ $(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key,)
+ $(if $(CONFIG_DROPBEAR_RSA),touch $(1)/etc/dropbear/dropbear_rsa_host_key,)
 endef
 
 define Package/dropbearconvert/install
diff --git a/package/network/services/dropbear/files/dropbear.failsafe.ecc b/package/network/services/dropbear/files/dropbear.failsafe.ecc
new file mode 100755
index 0000000000..924938bd55
--- /dev/null
+++ b/package/network/services/dropbear/files/dropbear.failsafe.ecc
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+failsafe_dropbear () {
+ dropbearkey -t ecdsa -s 256 -f /tmp/dropbear_failsafe_host_key
+ dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
+}
+
+boot_hook_add failsafe failsafe_dropbear
diff --git a/package/network/services/dropbear/files/dropbear.failsafe.ed25519 b/package/network/services/dropbear/files/dropbear.failsafe.ed25519
new file mode 100755
index 0000000000..46b4918014
--- /dev/null
+++ b/package/network/services/dropbear/files/dropbear.failsafe.ed25519
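Review bot: The `ifdef CONFIG_DROPBEAR_ED25519` / `else ifdef` chain installs no failsafe script at all when none of the three symbols is set, and nothing in the recipe says that Config.in's DROPBEAR_AUTOSEL_PK is what rules that case out, nor why Ed25519 is preferred over ECC over RSA; a comment above the chain such as `# Install exactly one failsafe script; Config.in (DROPBEAR_AUTOSEL_PK) guarantees at least one algorithm is enabled` would record the coupling. If the order is meant to pick the key type that is quickest to generate on the target at failsafe boot (my guess from the ordering alone), state that as well. The enclosing Package/dropbear/install define starts outside the hunk.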
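Review bot: dropbear.failsafe.ecc differs from the dropbear.failsafe.ed25519 hunk that follows only in the `dropbearkey -t ecdsa -s 256 -f /tmp/dropbear_failsafe_host_key` line, and the renamed RSA script presumably differs in that same single line, so the same boot hook is now maintained in three copies. One template with the key type substituted at install time (for example a `$(SED) 's/@KEYTYPE@/ecdsa -s 256/'` on a single dropbear.failsafe in Package/dropbear/install) would keep one copy and one place to fix. If three files are the preferred shape, a header comment in each naming its sibling scripts would at least flag that edits need mirroring.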
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+failsafe_dropbear () {
+ dropbearkey -t ed25519 -f /tmp/dropbear_failsafe_host_key
+ dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
+}
+
+boot_hook_add failsafe failsafe_dropbear
diff --git a/package/network/services/dropbear/files/dropbear.failsafe b/package/network/services/dropbear/files/dropbear.failsafe.rsa
similarity index 100%
rename from package/network/services/dropbear/files/dropbear.failsafe
rename to package/network/services/dropbear/files/dropbear.failsafe.rsa
diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
index afa0ebb310..b2846ea87b 100644
--- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
+++ b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
@@ -19,22 +19,26 @@ Signed-off-by: Petr Štetiar <yn...@true.cz>
 signkey.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
 
-diff --git a/signkey.c b/signkey.c
-index 92fe6a242cd0..d16ab174d83a 100644
 --- a/signkey.c
 +++ b/signkey.c
-@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *key, enum signature_type expect_sigtype,
+@@ -657,9 +657,19 @@ int buf_verify(buffer * buf, sign_key *k
 sigtype = signature_type_from_name(type_name, type_name_len);
 m_free(type_name);
 
-- if (expect_sigtype != sigtype) {
-- dropbear_exit("Non-matching signing type");
++#if DROPBEAR_RSA
 + if (sigtype == DROPBEAR_SIGNATURE_NONE) {
 + dropbear_exit("No signature type");
 + }
 +
 + if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
++ dropbear_exit("Non-matching signing type");
++ }
++#else
+ if (expect_sigtype != sigtype) {
+- dropbear_exit("Non-matching signing type");
 + dropbear_exit("Non-matching signing type");
 }
++#endif
 keytype = signkey_type_from_signature(sigtype);
 
+ #if DROPBEAR_DSS
-- 
2.28.0

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
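Review bot: The `#if DROPBEAR_RSA` branch keeps the explicit `sigtype == DROPBEAR_SIGNATURE_NONE` rejection while the `#else` branch relies on `expect_sigtype != sigtype` alone, and the hunk does not say why the two branches differ; a comment inside the `#if`, `/* expect_sigtype == RSA_SHA256 skips the type match below, so an unrecognised signature name (NONE) must be rejected explicitly here */`, would make the asymmetry read as deliberate. The relaxed match for RSA_SHA256 itself is pre-existing 910 behaviour and is only being made conditional here. The patch's own description above this hunk (outside the view) presumably still describes the original fix only and should mention that the changed check is now compiled solely when RSA is enabled.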