Re: [ptxdist] build failure with recent dropbear 2022.82 on ptxdist for arm-v5te

[Alexander Dahl <ada@thorsis.com>]

Hello Ian,

Am Donnerstag, 30. Juni 2022, 16:19:53 CEST schrieb Ian Abbott:
> On 30/06/2022 12:57, Alexander Dahl wrote:
> > Hello,
> > 
> > trying to build dropbear as part of a ptxdist based embedded BSP for an
> > armv5te target, more precisely I try to upgrade dropbear from 2020.81 to
> > 2022.82, the previous version builds fine, the new one fails to build.
> > 
> > Cross toolchain is OSELAS.Toolchain-2016.06.1/arm-v5te-linux-gnueabi/
> > gcc-5.4.0-glibc-2.23-binutils-2.26-kernel-4.6-sanitized
> > 
> > According to config.log … Invocation command line was
> > 
> >    $ ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --
> > 
> > libdir=/usr/lib --build=x86_64-host-linux-gnu
> > --host=arm-v5te-linux-gnueabi -- enable-harden --enable-largefile
> > --disable-zlib --disable-pam --enable-openpty --enable-syslog
> > --enable-shadow --disable-plugin --disable-fuzz --enable- bundled-libtom
> > --disable-lastlog --disable-utmp --disable-utmpx --disable-wtmp
> > --disable-wtmpx --disable-loginfunc --disable-pututline
> > --disable-pututxline> 
> > And localoptions.h was set to this:
> >    /* localoptions.h created by ptxdist */
> >    #define DROPBEAR_X11FWD 0
> >    #define DROPBEAR_CLI_LOCALTCPFWD 1
> >    #define DROPBEAR_CLI_REMOTETCPFWD 1
> >    #define DROPBEAR_SVR_LOCALTCPFWD 1
> >    #define DROPBEAR_SVR_REMOTETCPFWD 1
> >    #define DROPBEAR_SVR_AGENTFWD 0
> >    #define DROPBEAR_CLI_AGENTFWD 0
> >    #define DROPBEAR_AES128 1
> >    #define DROPBEAR_3DES 0
> >    #define DROPBEAR_AES256 1
> >    #define DROPBEAR_ENABLE_CBC_MODE 0
> >    #define DROPBEAR_ENABLE_CTR_MODE 1
> >    #define DROPBEAR_SHA1_HMAC 0
> >    #define DROPBEAR_DH_GROUP1 0
> >    #define DROPBEAR_DH_GROUP14_SHA1 0
> >    #define DROPBEAR_SHA1_96_HMAC 0
> >    #define DROPBEAR_SHA2_256_HMAC 1
> >    #define DROPBEAR_SHA2_512_HMAC 1
> >    #define DROPBEAR_DSS 0
> >    #define DROPBEAR_RSA 1
> >    #define DROPBEAR_ECDSA 0
> >    #define DROPBEAR_ECDH 0
> >    #define DROPBEAR_CURVE25519 0
> >    #define DROPBEAR_SVR_PASSWORD_AUTH 1
> >    #define DROPBEAR_CLI_PASSWORD_AUTH 1
> >    #define DROPBEAR_SVR_PUBKEY_AUTH 1
> >    #define DROPBEAR_CLI_PUBKEY_AUTH 1
> > 
> > The compile error is like this:
> >    arm-v5te-linux-gnueabi-gcc -c -Os -W -Wall -Wno-pointer-sign
> >    -fno-strict-
> > 
> > overflow -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2 
> > -I./libtomcrypt/ src/headers/ -DLOCALOPTIONS_H_EXISTS -I. -I.
> > -DDROPBEAR_SERVER -
> > DDROPBEAR_CLIENT signkey.c -o signkey.o
> > 
> >    In file included from signkey.c:31:0:
> >    sk-ecdsa.h:11:44: error: unknown type name 'ecc_key'
> >    signkey.c: In function 'buf_get_pub_key':
> >    signkey.c:318:17: error: 'DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256'
> >    undeclared
> > 
> > (first use in this function)
> > 
> >    signkey.c:318:17: note: each undeclared identifier is reported only
> >    once for> 
> > each function it appears in
> > 
> >    signkey.c: In function 'buf_verify':
> >    signkey.c:688:17: error: 'DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256'
> >    undeclared
> > 
> > (first use in this function)
> > 
> >    signkey.c:689:3: error: unknown type name 'ecc_key'
> >    signkey.c:689:20: error: 'ecc_key' undeclared (first use in this
> >    function)
> >    signkey.c:689:29: error: expected expression before ')' token
> > 
> > make[1]: *** [Makefile:154: signkey.o] Error 1
> > 
> > I looked into the dropbear code, and sk-ecdsa.h includes "includes.h"
> > which
> > itself includes "tomcrypt.h" and in some file of that 'ecc_key' is
> > defined, so I don't know why the compiler complains here.
> > 
> > Did not look into the other errors however.
> > 
> > Any ideas?
> 
> I think the problem occurs when DROPBEAR_SK_ECDSA is 1 and
> DROPBEAR_ECDSA is 0.  The upstream maintainers can determine whether
> this combination should be supported or not.

Exactly.  All three other combinations of these two bits build fine though.

> The ptxdist rules for dropbear 2020.81 (the current version in ptxdist)
> did not configure DROPBEAR_SK_ECDSA in "localoptions.h", so
> DROPBEAR_SK_ECDSA gets defined with the default value 1 in
> "default_options_guard.h" (generated from "default_options.h").
> 
> As a temporary measure, you can change ptxdist's "dropbear.make" to
> forcibly configure DROPBEAR_SK_ECDSA to 0 by adding these lines in the
> appropriate place before the `@$(call touch)` line in the
> `$(STATEDIR)/dropbear.prepare` rules:
> 
> 	@echo "ptxdist: disabling sk_ecdsa"
> 	@echo "#define DROPBEAR_SK_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS)
> 
> You could also add these lines to forcibly configure DROPBEAR_SK_ED25519
> to 0 (not needed to fix the build, but it should reduce the executable
> size):
> 
> 	@echo "ptxdist: disabling sk_ed25519"
> 	@echo "#define DROPBEAR_SK_ED25519 0" >> $(DROPBEAR_LOCALOPTIONS)

This is what I prepared in my upcoming patch series.  Will send it to ptxdist 
mailing list next week.

> (Ideally, extra configuration options for the new features should be
> added to ptxdist's "dropbear.in", and should automatically select
> DROPBEAR_ECDSA when DROPBEAR_SK_ECDSA is configured.)

(This is a new feature.  I think we can postpone this u2f security device 
support until someone actually needs it.)

> Alternatively, you could just select the DROPBEAR_ECSDA option in the
> configuration anyway, but that will increase the size of the dropbear
> executable.

Thanks for your input.  I'll Cc you on that patch series then if you don't 
mind.

Have a nice weekend
Alex