From: Alexander Dahl
To: ptxdist@pengutronix.de
Date: Fri, 5 Nov 2021 16:47:27 +0100
Message-Id: <20211105154734.19983-2-ada@thorsis.com>
In-Reply-To: <20211105154734.19983-1-ada@thorsis.com>
References: <20211105154734.19983-1-ada@thorsis.com>
Subject: [ptxdist] [PATCH v3 1/8] dropbear: Remove host/public key DSS support
Cc: Denis Osterland-Heim, Michael Olbrich, Bruno Thomsen, Alexander Stein

The DSS option was already removed from ptxdist; it is not recommended for new keys. In dropbear, however, it was still enabled by default; this is now disabled through localoptions.h.

Fixes: 01ac7cc409b5 ("dropbear: Remove deprecated options")
Signed-off-by: Alexander Dahl
---
Notes:
    v2 -> v3
    --------
    - complete rework
    - still adapts comments in menus
    - completely removes DSS key support

 projectroot/etc/init.d/dropbear    | 6 +-----
 projectroot/etc/rc.once.d/dropbear | 5 -----
 rules/dropbear.in                  | 4 ++--
 rules/dropbear.make                | 3 +++
 4 files changed, 6 insertions(+), 12 deletions(-)

diff --git a/projectroot/etc/init.d/dropbear b/projectroot/etc/init.d/dropbear index 1edda1116..4d6530bdc 100644 --- a/projectroot/etc/init.d/dropbear +++ b/projectroot/etc/init.d/dropbear
@@ -10,21 +10,17 @@ DROPBEAR_EXTRA_ARGS= # test ! -h /var/service/dropbear || exit 0 DROPBEAR_RSAKEY_DEFAULT="@KEYDIR@/dropbear_rsa_host_key" -DROPBEAR_DSSKEY_DEFAULT="@KEYDIR@/dropbear_dss_host_key" test -z "$DROPBEAR_BANNER" || \ DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER" test -n "$DROPBEAR_RSAKEY" || \ DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT -test -n "$DROPBEAR_DSSKEY" || \ - DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT test -n "$DROPBEAR_KEYTYPES" || \ - DROPBEAR_KEYTYPES="rsa dss" + DROPBEAR_KEYTYPES="rsa" dropbear_start() { KEY_ARGS="" - test -f $DROPBEAR_DSSKEY && KEY_ARGS="$KEY_ARGS -d $DROPBEAR_DSSKEY" test -f $DROPBEAR_RSAKEY && KEY_ARGS="$KEY_ARGS -r $DROPBEAR_RSAKEY" echo -n "starting dropbear..." diff --git a/projectroot/etc/rc.once.d/dropbear b/projectroot/etc/rc.once.d/dropbear index a126b26db..451236097 100644 --- a/projectroot/etc/rc.once.d/dropbear +++ b/projectroot/etc/rc.once.d/dropbear @@ -3,12 +3,9 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin DROPBEAR_RSAKEY_DEFAULT="@KEYDIR@/dropbear_rsa_host_key" -DROPBEAR_DSSKEY_DEFAULT="@KEYDIR@/dropbear_dss_host_key" test -n "$DROPBEAR_RSAKEY" || \ DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT -test -n "$DROPBEAR_DSSKEY" || \ - DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT gen_key() { @@ -29,5 +26,3 @@ gen_key() { } [ -e "$DROPBEAR_RSAKEY" ] || gen_key rsa "$DROPBEAR_RSAKEY" -[ -e "$DROPBEAR_DSSKEY" ] || gen_key dss "$DROPBEAR_DSSKEY" - diff --git a/rules/dropbear.in b/rules/dropbear.in index 507ee8e7f..8ae2d788b 100644 --- a/rules/dropbear.in +++ b/rules/dropbear.in @@ -260,7 +260,7 @@ config DROPBEAR_SHA512 SHA-1. SHA-2 consists of a set of four hash functions with digests that are 224, 256, 384 or 512 bits. -comment "Hostkey/public key algorithms, at least one required --- RSA is recommended, DSS is not recommended for new keys" +comment "Hostkey/public key algorithms, at least one required ---" config DROPBEAR_RSA bool 
@@ -277,7 +277,7 @@ config DROPBEAR_ECDSA prompt "ecdsa" help ECDSA stands for Elliptic Curve Digital Signature Algorithm. - ECDSA is significantly faster than RSA or DSS. + ECDSA is significantly faster than RSA. comment "Key exchange algorithm ---" diff --git a/rules/dropbear.make b/rules/dropbear.make index 536c9176a..c4577fed2 100644 --- a/rules/dropbear.make +++ b/rules/dropbear.make @@ -198,6 +198,9 @@ else endif # host key / public key + @echo "ptxdist: disabling dss" + @echo "#define DROPBEAR_DSS 0" >> $(DROPBEAR_LOCALOPTIONS) + ifdef PTXCONF_DROPBEAR_RSA @echo "ptxdist: enabling rsa" @echo "#define DROPBEAR_RSA 1" >> $(DROPBEAR_LOCALOPTIONS) -- 2.30.2 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
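Review bot: in the projectroot/etc/init.d/dropbear hunk, dropping the `test -n "$DROPBEAR_DSSKEY" || DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT` fallback and the `-d $DROPBEAR_DSSKEY` argument means a DROPBEAR_DSSKEY (or a DROPBEAR_KEYTYPES containing "dss") carried over in an existing deployment's configuration is now silently ignored rather than rejected. Consider printing a warning from dropbear_start() when either variable still references dss, or at least stating in the commit message that these settings are no longer honoured, so operators notice the behaviour change on upgrade.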
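Review bot: the projectroot/etc/rc.once.d/dropbear hunk stops generating @KEYDIR@/dropbear_dss_host_key but does nothing about a DSS host key already present from an earlier image, so stale key material stays on upgraded devices even though nothing loads it any more. Consider removing the old file next to the `[ -e "$DROPBEAR_RSAKEY" ] || gen_key rsa "$DROPBEAR_RSAKEY"` line, or documenting that it is deliberately left in place.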
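Review bot: the rules/dropbear.in comment hunk removes the "RSA is recommended" guidance together with the DSS warning, so the menu now reads "Hostkey/public key algorithms, at least one required ---" with no hint which option a user should pick, and the ECDSA help text only compares speed. Consider keeping a recommendation in the comment, e.g. "Hostkey/public key algorithms, at least one required --- RSA is recommended".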
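Review bot: the rules/dropbear.make hunk writes `#define DROPBEAR_DSS 0` into $(DROPBEAR_LOCALOPTIONS) unconditionally, which matches the intent, but as the Subject notes this switch covers public key algorithms as well as host keys, so users still authenticating with DSS user keys will be refused after this change; the commit message only describes the host key side ("it was still enabled by default"). Suggest spelling out the user-key impact in the commit message so the behaviour change is visible to people upgrading.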