[PATCH v3] dropbear: allow disabling the RSA public key algorithm

Rui Salvaterra rsalvaterra at gmail.com
Sat Jul 18 19:56:29 EDT 2020


This allows the user to disable the RSA algorithm in Dropbear, if not required.
(RSA is still enabled by default, of course, due to its ubiquity.)

Size comparison of the dropbear executable (cortex-a9+neon):

RSA + Ed25519:	182804 bytes
RSA only:	170496 bytes
Ed25519 only:	166356 bytes

Signed-off-by: Rui Salvaterra <rsalvaterra at gmail.com>
---
 package/network/services/dropbear/Config.in        |  7 +++++++
 package/network/services/dropbear/Makefile         |  9 ++++++---
 ...0-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch | 14 +++++++++-----
 3 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
index 3de4189e08..0ac84ee206 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -1,6 +1,13 @@
 menu "Configuration"
 	depends on PACKAGE_dropbear
 
+config DROPBEAR_RSA
+	bool "RSA support"
+	default y
+	help
+		The ubiquitous RSA public key algorithm.
+		Keep enabled, unless you're 100 % sure you don't need it!
+
 config DROPBEAR_CURVE25519
 	bool "Curve25519 support"
 	default y
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 0a9b5c0a99..61e8a3bcb0 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -28,7 +28,7 @@ PKG_FIXUP:=autoreconf
 
 PKG_CONFIG_DEPENDS:= \
 	CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \
-	CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
+	CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
 	CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \
 	CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
 	CONFIG_DROPBEAR_DBCLIENT
@@ -64,9 +64,9 @@ define Package/dropbear/description
 endef
 
 define Package/dropbear/conffiles
+$(if $(CONFIG_DROPBEAR_RSA),/etc/dropbear/dropbear_rsa_host_key)
 $(if $(CONFIG_DROPBEAR_ED25519),/etc/dropbear/dropbear_ed25519_host_key)
 $(if $(CONFIG_DROPBEAR_ECC),/etc/dropbear/dropbear_ecdsa_host_key)
-/etc/dropbear/dropbear_rsa_host_key
 /etc/config/dropbear
 endef
 
@@ -104,6 +104,9 @@ define Build/Configure
 	echo '#define DEFAULT_PATH "$(TARGET_INIT_PATH)"' >> \
 		$(PKG_BUILD_DIR)/localoptions.h
 
+	echo '#define DROPBEAR_RSA $(if $(CONFIG_DROPBEAR_RSA),1,0)' >> \
+		$(PKG_BUILD_DIR)/localoptions.h
+
 	echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \
 		$(PKG_BUILD_DIR)/localoptions.h
 
@@ -169,7 +172,7 @@ define Package/dropbear/install
 	$(INSTALL_DATA) ./files/dropbear.failsafe $(1)/lib/preinit/99_10_failsafe_dropbear
 	$(if $(CONFIG_DROPBEAR_ED25519),touch $(1)/etc/dropbear/dropbear_ed25519_host_key)
 	$(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key)
-	touch $(1)/etc/dropbear/dropbear_rsa_host_key
+	$(if $(CONFIG_DROPBEAR_RSA),touch $(1)/etc/dropbear/dropbear_rsa_host_key)
 endef
 
 define Package/dropbearconvert/install
diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
index afa0ebb310..b2846ea87b 100644
--- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
+++ b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
@@ -19,22 +19,26 @@ Signed-off-by: Petr Štetiar <ynezz at true.cz>
  signkey.c | 8 ++++++--
  1 file changed, 6 insertions(+), 2 deletions(-)
 
-diff --git a/signkey.c b/signkey.c
-index 92fe6a242cd0..d16ab174d83a 100644
 --- a/signkey.c
 +++ b/signkey.c
-@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *key, enum signature_type expect_sigtype,
+@@ -657,9 +657,19 @@ int buf_verify(buffer * buf, sign_key *k
  	sigtype = signature_type_from_name(type_name, type_name_len);
  	m_free(type_name);
  
--	if (expect_sigtype != sigtype) {
--			dropbear_exit("Non-matching signing type");
++#if DROPBEAR_RSA
 +	if (sigtype == DROPBEAR_SIGNATURE_NONE) {
 +		dropbear_exit("No signature type");
 +	}
 +
 +	if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
++		dropbear_exit("Non-matching signing type");
++	}
++#else
+ 	if (expect_sigtype != sigtype) {
+-			dropbear_exit("Non-matching signing type");
 +		dropbear_exit("Non-matching signing type");
  	}
++#endif
  
  	keytype = signkey_type_from_signature(sigtype);
+ #if DROPBEAR_DSS
-- 
2.27.0




More information about the openwrt-devel mailing list