[ptxdist] build failure with recent dropbear 2022.82 on ptxdist for arm-v5te

[ptxdist] build failure with recent dropbear 2022.82 on ptxdist for arm-v5te

[Alexander Dahl]

Hello,

trying to build dropbear as part of a ptxdist based embedded BSP for an 
armv5te target, more precisely I try to upgrade dropbear from 2020.81 to 
2022.82, the previous version builds fine, the new one fails to build.

Cross toolchain is OSELAS.Toolchain-2016.06.1/arm-v5te-linux-gnueabi/
gcc-5.4.0-glibc-2.23-binutils-2.26-kernel-4.6-sanitized

According to config.log … Invocation command line was

  $ ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --
libdir=/usr/lib --build=x86_64-host-linux-gnu --host=arm-v5te-linux-gnueabi --
enable-harden --enable-largefile --disable-zlib --disable-pam --enable-openpty 
--enable-syslog --enable-shadow --disable-plugin --disable-fuzz --enable-
bundled-libtom --disable-lastlog --disable-utmp --disable-utmpx --disable-wtmp 
--disable-wtmpx --disable-loginfunc --disable-pututline --disable-pututxline

And localoptions.h was set to this:

  /* localoptions.h created by ptxdist */
  #define DROPBEAR_X11FWD 0
  #define DROPBEAR_CLI_LOCALTCPFWD 1
  #define DROPBEAR_CLI_REMOTETCPFWD 1
  #define DROPBEAR_SVR_LOCALTCPFWD 1
  #define DROPBEAR_SVR_REMOTETCPFWD 1
  #define DROPBEAR_SVR_AGENTFWD 0
  #define DROPBEAR_CLI_AGENTFWD 0
  #define DROPBEAR_AES128 1
  #define DROPBEAR_3DES 0
  #define DROPBEAR_AES256 1
  #define DROPBEAR_ENABLE_CBC_MODE 0
  #define DROPBEAR_ENABLE_CTR_MODE 1
  #define DROPBEAR_SHA1_HMAC 0
  #define DROPBEAR_DH_GROUP1 0
  #define DROPBEAR_DH_GROUP14_SHA1 0
  #define DROPBEAR_SHA1_96_HMAC 0
  #define DROPBEAR_SHA2_256_HMAC 1
  #define DROPBEAR_SHA2_512_HMAC 1
  #define DROPBEAR_DSS 0
  #define DROPBEAR_RSA 1
  #define DROPBEAR_ECDSA 0
  #define DROPBEAR_ECDH 0
  #define DROPBEAR_CURVE25519 0
  #define DROPBEAR_SVR_PASSWORD_AUTH 1
  #define DROPBEAR_CLI_PASSWORD_AUTH 1
  #define DROPBEAR_SVR_PUBKEY_AUTH 1
  #define DROPBEAR_CLI_PUBKEY_AUTH 1

The compile error is like this:

  arm-v5te-linux-gnueabi-gcc -c -Os -W -Wall -Wno-pointer-sign -fno-strict-
overflow -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2  -I./libtomcrypt/
src/headers/ -DLOCALOPTIONS_H_EXISTS -I. -I. -DDROPBEAR_SERVER -
DDROPBEAR_CLIENT signkey.c -o signkey.o
  In file included from signkey.c:31:0:
  sk-ecdsa.h:11:44: error: unknown type name 'ecc_key'
  signkey.c: In function 'buf_get_pub_key':
  signkey.c:318:17: error: 'DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256' undeclared   
(first use in this function)
  signkey.c:318:17: note: each undeclared identifier is reported only once for   
each function it appears in
  signkey.c: In function 'buf_verify':
  signkey.c:688:17: error: 'DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256' undeclared   
(first use in this function)
  signkey.c:689:3: error: unknown type name 'ecc_key'
  signkey.c:689:20: error: 'ecc_key' undeclared (first use in this function)
  signkey.c:689:29: error: expected expression before ')' token
make[1]: *** [Makefile:154: signkey.o] Error 1

I looked into the dropbear code, and sk-ecdsa.h includes "includes.h" which 
itself includes "tomcrypt.h" and in some file of that 'ecc_key' is defined, so 
I don't know why the compiler complains here.  

Did not look into the other errors however.

Any ideas?

Greets
Alex

Re: [ptxdist] build failure with recent dropbear 2022.82 on ptxdist for arm-v5te

[Ian Abbott]

On 30/06/2022 12:57, Alexander Dahl wrote:
> Hello,
> 
> trying to build dropbear as part of a ptxdist based embedded BSP for an
> armv5te target, more precisely I try to upgrade dropbear from 2020.81 to
> 2022.82, the previous version builds fine, the new one fails to build.
> 
> Cross toolchain is OSELAS.Toolchain-2016.06.1/arm-v5te-linux-gnueabi/
> gcc-5.4.0-glibc-2.23-binutils-2.26-kernel-4.6-sanitized
> 
> According to config.log … Invocation command line was
> 
>    $ ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --
> libdir=/usr/lib --build=x86_64-host-linux-gnu --host=arm-v5te-linux-gnueabi --
> enable-harden --enable-largefile --disable-zlib --disable-pam --enable-openpty
> --enable-syslog --enable-shadow --disable-plugin --disable-fuzz --enable-
> bundled-libtom --disable-lastlog --disable-utmp --disable-utmpx --disable-wtmp
> --disable-wtmpx --disable-loginfunc --disable-pututline --disable-pututxline
> 
> And localoptions.h was set to this:
> 
>    /* localoptions.h created by ptxdist */
>    #define DROPBEAR_X11FWD 0
>    #define DROPBEAR_CLI_LOCALTCPFWD 1
>    #define DROPBEAR_CLI_REMOTETCPFWD 1
>    #define DROPBEAR_SVR_LOCALTCPFWD 1
>    #define DROPBEAR_SVR_REMOTETCPFWD 1
>    #define DROPBEAR_SVR_AGENTFWD 0
>    #define DROPBEAR_CLI_AGENTFWD 0
>    #define DROPBEAR_AES128 1
>    #define DROPBEAR_3DES 0
>    #define DROPBEAR_AES256 1
>    #define DROPBEAR_ENABLE_CBC_MODE 0
>    #define DROPBEAR_ENABLE_CTR_MODE 1
>    #define DROPBEAR_SHA1_HMAC 0
>    #define DROPBEAR_DH_GROUP1 0
>    #define DROPBEAR_DH_GROUP14_SHA1 0
>    #define DROPBEAR_SHA1_96_HMAC 0
>    #define DROPBEAR_SHA2_256_HMAC 1
>    #define DROPBEAR_SHA2_512_HMAC 1
>    #define DROPBEAR_DSS 0
>    #define DROPBEAR_RSA 1
>    #define DROPBEAR_ECDSA 0
>    #define DROPBEAR_ECDH 0
>    #define DROPBEAR_CURVE25519 0
>    #define DROPBEAR_SVR_PASSWORD_AUTH 1
>    #define DROPBEAR_CLI_PASSWORD_AUTH 1
>    #define DROPBEAR_SVR_PUBKEY_AUTH 1
>    #define DROPBEAR_CLI_PUBKEY_AUTH 1
> 
> The compile error is like this:
> 
>    arm-v5te-linux-gnueabi-gcc -c -Os -W -Wall -Wno-pointer-sign -fno-strict-
> overflow -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2  -I./libtomcrypt/
> src/headers/ -DLOCALOPTIONS_H_EXISTS -I. -I. -DDROPBEAR_SERVER -
> DDROPBEAR_CLIENT signkey.c -o signkey.o
>    In file included from signkey.c:31:0:
>    sk-ecdsa.h:11:44: error: unknown type name 'ecc_key'
>    signkey.c: In function 'buf_get_pub_key':
>    signkey.c:318:17: error: 'DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256' undeclared
> (first use in this function)
>    signkey.c:318:17: note: each undeclared identifier is reported only once for
> each function it appears in
>    signkey.c: In function 'buf_verify':
>    signkey.c:688:17: error: 'DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256' undeclared
> (first use in this function)
>    signkey.c:689:3: error: unknown type name 'ecc_key'
>    signkey.c:689:20: error: 'ecc_key' undeclared (first use in this function)
>    signkey.c:689:29: error: expected expression before ')' token
> make[1]: *** [Makefile:154: signkey.o] Error 1
> 
> I looked into the dropbear code, and sk-ecdsa.h includes "includes.h" which
> itself includes "tomcrypt.h" and in some file of that 'ecc_key' is defined, so
> I don't know why the compiler complains here.
> 
> Did not look into the other errors however.
> 
> Any ideas?

I think the problem occurs when DROPBEAR_SK_ECDSA is 1 and 
DROPBEAR_ECDSA is 0.  The upstream maintainers can determine whether 
this combination should be supported or not.

The ptxdist rules for dropbear 2020.81 (the current version in ptxdist) 
did not configure DROPBEAR_SK_ECDSA in "localoptions.h", so 
DROPBEAR_SK_ECDSA gets defined with the default value 1 in 
"default_options_guard.h" (generated from "default_options.h").

As a temporary measure, you can change ptxdist's "dropbear.make" to 
forcibly configure DROPBEAR_SK_ECDSA to 0 by adding these lines in the 
appropriate place before the `@$(call touch)` line in the 
`$(STATEDIR)/dropbear.prepare` rules:

	@echo "ptxdist: disabling sk_ecdsa"
	@echo "#define DROPBEAR_SK_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS)

You could also add these lines to forcibly configure DROPBEAR_SK_ED25519 
to 0 (not needed to fix the build, but it should reduce the executable 
size):

	@echo "ptxdist: disabling sk_ed25519"
	@echo "#define DROPBEAR_SK_ED25519 0" >> $(DROPBEAR_LOCALOPTIONS)

(Ideally, extra configuration options for the new features should be 
added to ptxdist's "dropbear.in", and should automatically select 
DROPBEAR_ECDSA when DROPBEAR_SK_ECDSA is configured.)

Alternatively, you could just select the DROPBEAR_ECSDA option in the 
configuration anyway, but that will increase the size of the dropbear 
executable.

-- 
-=( Ian Abbott <abbotti@mev.co.uk> || MEV Ltd. is a company  )=-
-=( registered in England & Wales.  Regd. number: 02862268.  )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-

Re: [ptxdist] build failure with recent dropbear 2022.82 on ptxdist for arm-v5te

[Alexander Dahl]

Hello Ian,

Am Donnerstag, 30. Juni 2022, 16:19:53 CEST schrieb Ian Abbott:
> On 30/06/2022 12:57, Alexander Dahl wrote:
> > Hello,
> > 
> > trying to build dropbear as part of a ptxdist based embedded BSP for an
> > armv5te target, more precisely I try to upgrade dropbear from 2020.81 to
> > 2022.82, the previous version builds fine, the new one fails to build.
> > 
> > Cross toolchain is OSELAS.Toolchain-2016.06.1/arm-v5te-linux-gnueabi/
> > gcc-5.4.0-glibc-2.23-binutils-2.26-kernel-4.6-sanitized
> > 
> > According to config.log … Invocation command line was
> > 
> >    $ ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --
> > 
> > libdir=/usr/lib --build=x86_64-host-linux-gnu
> > --host=arm-v5te-linux-gnueabi -- enable-harden --enable-largefile
> > --disable-zlib --disable-pam --enable-openpty --enable-syslog
> > --enable-shadow --disable-plugin --disable-fuzz --enable- bundled-libtom
> > --disable-lastlog --disable-utmp --disable-utmpx --disable-wtmp
> > --disable-wtmpx --disable-loginfunc --disable-pututline
> > --disable-pututxline> 
> > And localoptions.h was set to this:
> >    /* localoptions.h created by ptxdist */
> >    #define DROPBEAR_X11FWD 0
> >    #define DROPBEAR_CLI_LOCALTCPFWD 1
> >    #define DROPBEAR_CLI_REMOTETCPFWD 1
> >    #define DROPBEAR_SVR_LOCALTCPFWD 1
> >    #define DROPBEAR_SVR_REMOTETCPFWD 1
> >    #define DROPBEAR_SVR_AGENTFWD 0
> >    #define DROPBEAR_CLI_AGENTFWD 0
> >    #define DROPBEAR_AES128 1
> >    #define DROPBEAR_3DES 0
> >    #define DROPBEAR_AES256 1
> >    #define DROPBEAR_ENABLE_CBC_MODE 0
> >    #define DROPBEAR_ENABLE_CTR_MODE 1
> >    #define DROPBEAR_SHA1_HMAC 0
> >    #define DROPBEAR_DH_GROUP1 0
> >    #define DROPBEAR_DH_GROUP14_SHA1 0
> >    #define DROPBEAR_SHA1_96_HMAC 0
> >    #define DROPBEAR_SHA2_256_HMAC 1
> >    #define DROPBEAR_SHA2_512_HMAC 1
> >    #define DROPBEAR_DSS 0
> >    #define DROPBEAR_RSA 1
> >    #define DROPBEAR_ECDSA 0
> >    #define DROPBEAR_ECDH 0
> >    #define DROPBEAR_CURVE25519 0
> >    #define DROPBEAR_SVR_PASSWORD_AUTH 1
> >    #define DROPBEAR_CLI_PASSWORD_AUTH 1
> >    #define DROPBEAR_SVR_PUBKEY_AUTH 1
> >    #define DROPBEAR_CLI_PUBKEY_AUTH 1
> > 
> > The compile error is like this:
> >    arm-v5te-linux-gnueabi-gcc -c -Os -W -Wall -Wno-pointer-sign
> >    -fno-strict-
> > 
> > overflow -fPIE -fstack-protector-strong -D_FORTIFY_SOURCE=2 
> > -I./libtomcrypt/ src/headers/ -DLOCALOPTIONS_H_EXISTS -I. -I.
> > -DDROPBEAR_SERVER -
> > DDROPBEAR_CLIENT signkey.c -o signkey.o
> > 
> >    In file included from signkey.c:31:0:
> >    sk-ecdsa.h:11:44: error: unknown type name 'ecc_key'
> >    signkey.c: In function 'buf_get_pub_key':
> >    signkey.c:318:17: error: 'DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256'
> >    undeclared
> > 
> > (first use in this function)
> > 
> >    signkey.c:318:17: note: each undeclared identifier is reported only
> >    once for> 
> > each function it appears in
> > 
> >    signkey.c: In function 'buf_verify':
> >    signkey.c:688:17: error: 'DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256'
> >    undeclared
> > 
> > (first use in this function)
> > 
> >    signkey.c:689:3: error: unknown type name 'ecc_key'
> >    signkey.c:689:20: error: 'ecc_key' undeclared (first use in this
> >    function)
> >    signkey.c:689:29: error: expected expression before ')' token
> > 
> > make[1]: *** [Makefile:154: signkey.o] Error 1
> > 
> > I looked into the dropbear code, and sk-ecdsa.h includes "includes.h"
> > which
> > itself includes "tomcrypt.h" and in some file of that 'ecc_key' is
> > defined, so I don't know why the compiler complains here.
> > 
> > Did not look into the other errors however.
> > 
> > Any ideas?
> 
> I think the problem occurs when DROPBEAR_SK_ECDSA is 1 and
> DROPBEAR_ECDSA is 0.  The upstream maintainers can determine whether
> this combination should be supported or not.

Exactly.  All three other combinations of these two bits build fine though.

> The ptxdist rules for dropbear 2020.81 (the current version in ptxdist)
> did not configure DROPBEAR_SK_ECDSA in "localoptions.h", so
> DROPBEAR_SK_ECDSA gets defined with the default value 1 in
> "default_options_guard.h" (generated from "default_options.h").
> 
> As a temporary measure, you can change ptxdist's "dropbear.make" to
> forcibly configure DROPBEAR_SK_ECDSA to 0 by adding these lines in the
> appropriate place before the `@$(call touch)` line in the
> `$(STATEDIR)/dropbear.prepare` rules:
> 
> 	@echo "ptxdist: disabling sk_ecdsa"
> 	@echo "#define DROPBEAR_SK_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS)
> 
> You could also add these lines to forcibly configure DROPBEAR_SK_ED25519
> to 0 (not needed to fix the build, but it should reduce the executable
> size):
> 
> 	@echo "ptxdist: disabling sk_ed25519"
> 	@echo "#define DROPBEAR_SK_ED25519 0" >> $(DROPBEAR_LOCALOPTIONS)

This is what I prepared in my upcoming patch series.  Will send it to ptxdist 
mailing list next week.

> (Ideally, extra configuration options for the new features should be
> added to ptxdist's "dropbear.in", and should automatically select
> DROPBEAR_ECDSA when DROPBEAR_SK_ECDSA is configured.)

(This is a new feature.  I think we can postpone this u2f security device 
support until someone actually needs it.)

> Alternatively, you could just select the DROPBEAR_ECSDA option in the
> configuration anyway, but that will increase the size of the dropbear
> executable.

Thanks for your input.  I'll Cc you on that patch series then if you don't 
mind.

Have a nice weekend
Alex