netutils/dropbear: initial Dropbear SSH server port for NuttX

fsutils/passwd/passwd_append.c

@@ -69,7 +69,7 @@ int passwd_append(FAR const char *username, FAR const char *password)
     {
       int errcode = errno;
       DEBUGASSERT(errcode > 0);
-      return errcode;
+      return -errcode;
     }
 
   /* The format of the password file is:

netutils/dropbear/.gitignore

@@ -0,0 +1,6 @@
+/dropbear
+/*.zip
+*.o
+.built
+.depend
+Make.dep

netutils/dropbear/CMakeLists.txt

@@ -0,0 +1,212 @@
+# ##############################################################################
+# apps/netutils/dropbear/CMakeLists.txt
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more contributor
+# license agreements.  See the NOTICE file distributed with this work for
+# additional information regarding copyright ownership.  The ASF licenses this
+# file to you under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License.  You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
+# License for the specific language governing permissions and limitations under
+# the License.
+#
+# ##############################################################################
+
+if(CONFIG_NETUTILS_DROPBEAR)
+
+  set(DROPBEAR_COMMIT "${CONFIG_NETUTILS_DROPBEAR_COMMIT}")
+  string(REPLACE "\"" "" DROPBEAR_COMMIT "${DROPBEAR_COMMIT}")
+
+  set(DROPBEAR_ZIP "${DROPBEAR_COMMIT}.zip")
+  set(DROPBEAR_URL "https://github.com/mkj/dropbear/archive")
+  set(DROPBEAR_UNPACKNAME "dropbear")
+
+  if(NOT EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/${DROPBEAR_UNPACKNAME}")
+    if(NOT EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/${DROPBEAR_ZIP}")
+      message(STATUS "Downloading Dropbear: ${DROPBEAR_URL}/${DROPBEAR_ZIP}")
+      file(DOWNLOAD "${DROPBEAR_URL}/${DROPBEAR_ZIP}"
+           "${CMAKE_CURRENT_SOURCE_DIR}/${DROPBEAR_ZIP}")
+    endif()
+    message(STATUS "Unpacking Dropbear: ${DROPBEAR_ZIP}")
+    execute_process(
+      COMMAND unzip -q -o "${DROPBEAR_ZIP}"
+      WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
+      RESULT_VARIABLE result)
+    if(result EQUAL 0)
+      file(RENAME "${CMAKE_CURRENT_SOURCE_DIR}/dropbear-${DROPBEAR_COMMIT}"
+           "${CMAKE_CURRENT_SOURCE_DIR}/${DROPBEAR_UNPACKNAME}")
+      execute_process(
+        COMMAND
+          patch -s -N -l -p1 -d "${DROPBEAR_UNPACKNAME}" -i
+          "${CMAKE_CURRENT_SOURCE_DIR}/patch/0001-use-nuttx-unused-macro.patch"
+        WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}")
+      execute_process(
+        COMMAND
+          patch -s -N -l -p1 -d "${DROPBEAR_UNPACKNAME}" -i
+          "${CMAKE_CURRENT_SOURCE_DIR}/patch/0002-use-nuttx-ecdsa-hostkey-sign.patch"
+        WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}")
+      execute_process(
+        COMMAND
+          patch -s -N -l -p1 -d "${DROPBEAR_UNPACKNAME}" -i
+          "${CMAKE_CURRENT_SOURCE_DIR}/patch/0003-guard-environ-declaration-for-nuttx.patch"
+        WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}")
+      execute_process(
+        COMMAND
+          patch -s -N -l -p1 -d "${DROPBEAR_UNPACKNAME}" -i
+          "${CMAKE_CURRENT_SOURCE_DIR}/patch/0004-fix-nuttx-compile-warnings.patch"
+        WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}")
+      execute_process(
+        COMMAND
+          patch -s -N -l -p1 -d "${DROPBEAR_UNPACKNAME}" -i
+          "${CMAKE_CURRENT_SOURCE_DIR}/patch/0005-use-nuttx-sha256-hmac.patch"
+        WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}")
+      execute_process(
+        COMMAND
+          patch -s -N -l -p1 -d "${DROPBEAR_UNPACKNAME}" -i
+          "${CMAKE_CURRENT_SOURCE_DIR}/patch/0006-use-nuttx-chachapoly-state.patch"
+        WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}")
+      execute_process(
+        COMMAND
+          patch -s -N -l -p1 -d "${DROPBEAR_UNPACKNAME}" -i
+          "${CMAKE_CURRENT_SOURCE_DIR}/patch/0007-use-nuttx-passwd-auth.patch"
+        WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}")
+    endif()
+  endif()
+
+  set(PROGNAME "${CONFIG_NETUTILS_DROPBEAR_PROGNAME}")
+  string(REPLACE "\"" "" PROGNAME "${PROGNAME}")
+
+  set(DROPBEAR_SRCS
+      dropbear_nshsession.c
+      port/nuttx_auth.c
+      port/nuttx_compat.c
+      port/dropbear_chachapoly.c
+      port/dropbear_crypto.c
+      port/dropbear_curve25519.c
+      port/dropbear_ltc_aes.c
+      port/dropbear_ltc_hmac_sha256.c
+      port/dropbear_ltc_sha256.c
+      port/dropbear_utils.c
+      port/nuttx_hostkey.c
+      dropbear/src/dbutil.c
+      dropbear/src/buffer.c
+      dropbear/src/dbhelpers.c
+      dropbear/src/bignum.c
+      dropbear/src/signkey.c
+      dropbear/src/dbrandom.c
+      dropbear/src/queue.c
+      dropbear/src/atomicio.c
+      dropbear/src/compat.c
+      dropbear/src/fake-rfc2553.c
+      dropbear/src/ltc_prng.c
+      dropbear/src/ecc.c
+      dropbear/src/ecdsa.c
+      dropbear/src/crypto_desc.c
+      dropbear/src/dbmalloc.c
+      dropbear/src/gensignkey.c
+      dropbear/src/common-session.c
+      dropbear/src/packet.c
+      dropbear/src/common-algo.c
+      dropbear/src/common-kex.c
+      dropbear/src/common-channel.c
+      dropbear/src/common-chansession.c
+      dropbear/src/termcodes.c
+      dropbear/src/tcp-accept.c
+      dropbear/src/listener.c
+      dropbear/src/process-packet.c
+      dropbear/src/common-runopts.c
+      dropbear/src/circbuffer.c
+      dropbear/src/list.c
+      dropbear/src/netio.c
+      dropbear/src/gcm.c
+      dropbear/src/kex-x25519.c
+      dropbear/src/svr-kex.c
+      dropbear/src/svr-auth.c
+      dropbear/src/svr-authpasswd.c
+      dropbear/src/svr-session.c
+      dropbear/src/svr-service.c
+      dropbear/src/svr-runopts.c
+      dropbear/src/svr-tcpfwd.c
+      dropbear/src/svr-authpam.c)
+
+  file(GLOB LIBTOMMATH_SRCS CONFIGURE_DEPENDS
+       "${CMAKE_CURRENT_SOURCE_DIR}/dropbear/libtommath/*.c")
+  list(APPEND DROPBEAR_SRCS ${LIBTOMMATH_SRCS})
+
+  file(GLOB_RECURSE LIBTOMCRYPT_SRCS CONFIGURE_DEPENDS
+       "${CMAKE_CURRENT_SOURCE_DIR}/dropbear/libtomcrypt/src/*.c")
+  list(FILTER LIBTOMCRYPT_SRCS EXCLUDE REGEX ".*/pk/ecc/ecc_make_key\\.c$")
+  list(FILTER LIBTOMCRYPT_SRCS EXCLUDE REGEX ".*/pk/ecc/ecc_encrypt_key\\.c$")
+  list(FILTER LIBTOMCRYPT_SRCS EXCLUDE REGEX ".*/pk/ecc/ecc_decrypt_key\\.c$")
+  list(FILTER LIBTOMCRYPT_SRCS EXCLUDE REGEX ".*/pk/ecc/ecc_shared_secret\\.c$")
+  list(FILTER LIBTOMCRYPT_SRCS EXCLUDE REGEX ".*/pk/ecc/ecc_sign_hash\\.c$")
+  list(FILTER LIBTOMCRYPT_SRCS EXCLUDE REGEX ".*/pk/ecc/ecc_verify_hash\\.c$")
+  list(FILTER LIBTOMCRYPT_SRCS EXCLUDE REGEX ".*/pk/ecc/ecc_test\\.c$")
+  list(FILTER LIBTOMCRYPT_SRCS EXCLUDE REGEX ".*/ciphers/aes/aes\\.c$")
+  list(FILTER LIBTOMCRYPT_SRCS EXCLUDE REGEX ".*/ciphers/aes/aes_tab\\.c$")
+  list(FILTER LIBTOMCRYPT_SRCS EXCLUDE REGEX ".*/mac/hmac/hmac_done\\.c$")
+  list(FILTER LIBTOMCRYPT_SRCS EXCLUDE REGEX ".*/mac/hmac/hmac_init\\.c$")
+  list(FILTER LIBTOMCRYPT_SRCS EXCLUDE REGEX ".*/mac/hmac/hmac_process\\.c$")
+  list(FILTER LIBTOMCRYPT_SRCS EXCLUDE REGEX ".*/mac/poly1305/.*\\.c$")
+  list(FILTER LIBTOMCRYPT_SRCS EXCLUDE REGEX ".*/encauth/chachapoly/.*\\.c$")
+  list(FILTER LIBTOMCRYPT_SRCS EXCLUDE REGEX ".*/prngs/chacha20\\.c$")
+  list(FILTER LIBTOMCRYPT_SRCS EXCLUDE REGEX ".*/stream/chacha/.*\\.c$")
+  list(FILTER LIBTOMCRYPT_SRCS EXCLUDE REGEX ".*/hashes/sha2/sha256\\.c$")
+  list(APPEND DROPBEAR_SRCS ${LIBTOMCRYPT_SRCS})
+
+  nuttx_add_application(
+    NAME
+    ${PROGNAME}
+    SRCS
+    ${DROPBEAR_SRCS}
+    dropbear_main.c
+    STACKSIZE
+    ${CONFIG_NETUTILS_DROPBEAR_STACKSIZE}
+    PRIORITY
+    ${CONFIG_NETUTILS_DROPBEAR_PRIORITY}
+    DEPENDS
+    ${DROPBEAR_UNPACKNAME})
+
+  target_include_directories(
+    ${PROGNAME}
+    PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}
+            ${CMAKE_CURRENT_SOURCE_DIR}/port
+            ${CMAKE_CURRENT_SOURCE_DIR}/dropbear
+            ${CMAKE_CURRENT_SOURCE_DIR}/dropbear/src
+            ${CMAKE_CURRENT_SOURCE_DIR}/dropbear/libtomcrypt/src/headers
+            ${CMAKE_CURRENT_SOURCE_DIR}/dropbear/libtommath
+            ${CMAKE_CURRENT_SOURCE_DIR}/../../nshlib)
+
+  if(CONFIG_NETUTILS_DROPBEAR_COMPRESSION)
+    target_include_directories(
+      ${PROGNAME} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../system/zlib/zlib)
+  endif()
+
+  target_compile_definitions(
+    ${PROGNAME}
+    PRIVATE LOCALOPTIONS_H_EXISTS=1 DROPBEAR_NUTTX=1
+            DROPBEAR_NUTTX_CHACHAPOLY=1 DROPBEAR_NUTTX_HMAC_SHA256=1
+            DROPBEAR_NUTTX_PASSWD=1 DROPBEAR_NUTTX_SHA256=1)
+
+  set_source_files_properties(
+    dropbear_nshsession.c
+    PROPERTIES COMPILE_DEFINITIONS
+               "Channel=dropbear_channel;ChanType=dropbear_chantype")
+
+  # LTC_SOURCE must be set only for libtomcrypt sources.
+  set_source_files_properties(${LIBTOMCRYPT_SRCS} PROPERTIES COMPILE_DEFINITIONS
+                                                             LTC_SOURCE=1)
+
+  target_compile_options(${PROGNAME} PRIVATE -Wno-pointer-sign -Wno-format)
+
+  target_sources(apps PRIVATE ${DROPBEAR_SRCS})
+
+endif()

netutils/dropbear/Kconfig

@@ -0,0 +1,121 @@
+#
+# For a description of the syntax of this configuration file,
+# see the file kconfig-language.txt in the NuttX tools repository.
+#
+
+menuconfig NETUTILS_DROPBEAR
+	tristate "Dropbear SSH server"
+	default n
+	depends on NET && NET_TCP
+	depends on !DISABLE_PSEUDOFS_OPERATIONS
+	depends on !DISABLE_PTHREAD
+	depends on SCHED_WAITPID
+	depends on NSH_LIBRARY
+	depends on FSUTILS_PASSWD
+	depends on PSEUDOTERM
+	depends on SERIAL
+	depends on ARCH_HAVE_RNG
+	depends on DEV_RANDOM
+	depends on DEV_URANDOM
+	depends on LIBC_NETDB
+	depends on LIBC_GAISTRERROR
+	select CRYPTO
+	select CRYPTO_RANDOM_POOL
+	---help---
+		Enable a minimal Dropbear SSH server port for NuttX.  This initial
+		port is based on the ESP-IDF MCU test port and provides a single
+		foreground SSH server process with SSH sessions backed by NSH.
+
+if NETUTILS_DROPBEAR
+
+config NETUTILS_DROPBEAR_STACKSIZE
+	int "Dropbear main stack size"
+	default 65536
+	---help---
+		Stack size for the Dropbear server built-in.
+		This is architecture-specific, so adjust it according to your setup.
+
+config NETUTILS_DROPBEAR_PRIORITY
+	int "Dropbear main priority"
+	default 100
+
+config NETUTILS_DROPBEAR_SHELL_PRIORITY
+	int "Dropbear NSH session priority"
+	default 100
+
+config NETUTILS_DROPBEAR_PROGNAME
+	string "Dropbear program name"
+	default "dropbear"
+	---help---
+		This is the name of the program that will be used when the NSH ELF
+		program is installed.
+
+config NETUTILS_DROPBEAR_LISTEN_RETRIES
+	int "Dropbear listen retries"
+	default 0
+	---help---
+		Number of times to retry listen setup when no listen socket could
+		be opened.  Zero means to retry forever.
+
+config NETUTILS_DROPBEAR_LISTEN_RETRY_MAX
+	int "Dropbear maximum listen retry interval"
+	default 120
+	range 1 3600
+	---help---
+		Maximum number of seconds to wait between listen setup retries.
+		The retry delay starts at one second and doubles until it reaches
+		this value.
+
+config NETUTILS_DROPBEAR_SHELL_STACKSIZE
+	int "Dropbear NSH session task stack size"
+	default 8192
+
+config NETUTILS_DROPBEAR_PORT
+	int "Dropbear listen port"
+	default 2222
+
+config NETUTILS_DROPBEAR_HOSTKEY_PATH
+	string "Dropbear ECDSA P-256 host key path"
+	default "/etc/dropbear/dropbear_ecdsa_host_key"
+	---help---
+		Path to the persistent ECDSA P-256 host key used by the Dropbear
+		server.  The file stores the private scalar and public point in a
+		NuttX-specific text format:
+		nuttx-ecdsa-p256-v1:d_hex:x_hex:y_hex
+
+config NETUTILS_DROPBEAR_GENERATE_HOSTKEY
+	bool "Generate host key if missing"
+	default y
+	---help---
+		Generate an ECDSA P-256 host key with NuttX crypto on first boot
+		when NETUTILS_DROPBEAR_HOSTKEY_PATH does not exist.  Product builds
+		can disable this and provision the host key externally.
+
+config NETUTILS_DROPBEAR_COMPRESSION
+	bool "Enable SSH compression (zlib)"
+	default n
+	depends on LIB_ZLIB
+	---help---
+		Enable zlib compression for SSH sessions.  Requires the zlib
+		library (LIB_ZLIB).  When disabled, Dropbear is built with
+		DISABLE_ZLIB and negotiates no compression.
+
+		WARNING: each session allocates a zlib deflate state of about
+		256 KiB (DROPBEAR_ZLIB_WINDOW_BITS=15, DROPBEAR_ZLIB_MEM_LEVEL=8),
+		and the state is allocated even for the delayed zlib@openssh.com
+		method, right after key exchange.
+
+config NETUTILS_DROPBEAR_SYSLOG
+	bool "Log via syslog"
+	default n
+	---help---
+		Route Dropbear log messages through syslog().  When disabled,
+		Dropbear is built with DISABLE_SYSLOG.
+
+config NETUTILS_DROPBEAR_COMMIT
+	string "Dropbear upstream commit"
+	default "75f699bfe2c234418056776c4d9f651a07a76de6"
+	---help---
+		Upstream Dropbear revision used by the ESP-IDF validation repo.
+
+endif

netutils/dropbear/Make.defs

@@ -0,0 +1,25 @@
+############################################################################
+# apps/netutils/dropbear/Make.defs
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.  The
+# ASF licenses this file to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance with the
+# License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+############################################################################
+
+ifneq ($(CONFIG_NETUTILS_DROPBEAR),)
+CONFIGURED_APPS += $(APPDIR)/netutils/dropbear
+endif