netutils/dropbear: initial Dropbear SSH server port for NuttX

[FelipeMdeO]

Summary

This PR adds two related changes that together bring up an SSH server
on the ESP32-C3 DevKit board using the Dropbear application:

boards/risc-v/esp32c3/esp32c3-devkit/configs/dropbear

A new dropbear defconfig is introduced for the ESP32-C3 DevKit board.
It wires up the Dropbear SSH server application together with:

• Wi-Fi STA mode with DHCP client (WAPI tooling included for link
  bring-up at boot).
• urandom device for key material.
• SPIFFS on SPI flash (/data mountpoint) to persist the host key and
  the password database.
• FSUTILS_PASSWD pointing to /data/passwd as the credential store,
  replacing a previous Dropbear-specific password-file path.
• ECDSA host key stored at /data/dropbear_ecdsa_host_key.
• NSH autostart of the dropbear task on every boot.
• PTY support and Ctrl-C signal delivery enabled for interactive
  sessions.
• CONFIG_NETUTILS_DROPBEAR_STACKSIZE pinned to 65536 bytes; the
  default 32 KiB overflows during key exchange on this RISC-V target.
• CONFIG_NETUTILS_DROPBEAR_LISTEN_RETRY_MAX=120 so the daemon keeps
  retrying until the Wi-Fi link is fully up.

Wi-Fi credentials (myssid / mypasswd) are placeholders and must be
set via menuconfig before flashing.

crypto: expose ChaCha20 stream helpers

Dropbear uses the chacha20-poly1305@openssh.com cipher, which requires
a stateful, multi-call ChaCha20 stream interface rather than the single-
block interface currently exposed by crypto/chachapoly.c. Three helpers
and a context struct are added:

• struct chacha20_stream_ctx — opaque wrapper around chacha_ctx.
• chacha20_stream_setkey() — initialise the key.
• chacha20_stream_ivctr64() — set IV and 64-bit counter.
• chacha20_stream_crypt() — encrypt/decrypt an arbitrary-length buffer.

All three functions are thin wrappers over the existing chacha_*
primitives; no new algorithm code is introduced.

Impact

• New board configuration: the dropbear defconfig is additive and
  does not affect any existing configuration.
• New public API: three functions and one struct are added to
  include/crypto/chachapoly.h. The change is purely additive; existing
  users of chacha20_setkey / chacha20_crypt are unaffected.
• Build: no impact on boards or configurations that do not select
  CONFIG_NETUTILS_DROPBEAR.
• Security: host keys and credentials live on a SPIFFS partition
  under /data; they are generated at first run and persist across
  reboots. Wi-Fi credentials must be provisioned by the user before
  flashing.

Testing

Host: Linux x86_64, GCC RISC-V toolchain
Board: ESP32-C3 DevKit (rev 0.4)

Build:

./tools/configure.sh esp32c3-devkit:dropbear
make -j$(nproc)
make flash ESPTOOL_PORT=/dev/ttyUSB0

First-time user provisioning (serial console):

The NuttX passwd file lives on SPIFFS (/data/passwd) and is empty on a
fresh flash. Before the first SSH login, create a user from the NSH
serial console:

nsh> useradd root <password>

The ECDSA host key is generated automatically on first boot.

Boot log shows Dropbear listening after Wi-Fi association:

NuttShell (NSH) NuttX-12.6.0
nsh> loaded ECDSA P-256 host key from /data/dropbear_ecdsa_host_key
     using NuttX passwd auth at /data/passwd
     dropbear: listening on port 2222

SSH connection from the host:

$ ssh -p 2222 root@<board-ip>
root@<board-ip>'s password: <password>
NuttShell (NSH) NuttX-12.6.0
nsh>

[acassis]

@FelipeMdeO nice work! Kudos!!!

Some suggestions to improve this PR:

• many of these patches are just to fix the UNUSED()s, moving it from function parameters to inside at the end of the function, please talk with the original author, maybe he accepts to move it to the end of the function;

[acassis]

Why to use it instead of doing like Telnet does: "nsh_session(pstate, NSH_LOGIN_TELNET, argc, argv);" ?

[FelipeMdeO]

Hello Alan, nsh_dropbearstart() mirrors nsh_telnetstart() (nsh_telnetd.c), not nsh_telnetmain(). This is a bit tricky, but let me try to explain.

SSH can't reuse the nsh_session() path: unlike Telnet's line protocol, each SSH connection multiplexes channels and the shell must run on a PTY (for SIGINT/Ctrl-C, window size, raw mode). So the per-session NSH is spawned inside the Dropbear app (dropbear_nshsession.c) over a PTY pair, with no equivalent nsh_session() call at the nshlib layer.

We have this diff "approach" because telnet can hand the socket straight to nsh_session() because it's a plain-text line protocol while SSH transfer data uses encrypted data.

[acassis]

I think these variable could be controlled from Kconfig definitions

[FelipeMdeO]

Hello Alan, good point. Most of that DISABLE_* block isn't really configurable, for example: DISABLE_PAM, DISABLE_LASTLOG, but other configs can be controlled by user, like CONFIG_LIB_ZLIB.
I will move to Kconfig what can be controlled by user.

[acassis]

Some of these definitions cannot be hard-code, i.e.: HAVE_STRUCT_SOCKADDR_IN6, HAVE_STRUCT_SOCKADDR_IN6, could be disabled if IPv6 support on NuttX is not enabled.

[FelipeMdeO]

About HAVE_STRUCT_SOCKADDR_IN6:
The fake-rfc2553.h dropbear file has the source code below:

#ifndef HAVE_STRUCT_IN6_ADDR
struct in6_addr {
	u_int8_t	s6_addr[16];
};
#endif /* !HAVE_STRUCT_IN6_ADDR */

The issue is that the nuttx has the same struct in6_addr, so I need "disable" this code sector to be able compile.

Look NuttX file netinet/in.h, it always define s6_addr:

#define s6_addr               in6_u.u6_addr8
#define s6_addr16             in6_u.u6_addr16
#define s6_addr32             in6_u.u6_addr32

I am using this macro equal 1 because s6_addr always exist in nuttx.

[FelipeMdeO]

I am reviewing your comments and doing improvement in the source code, I will ping you all to review again in the next days. tks.

[FelipeMdeO]

@FelipeMdeO nice work! Kudos!!!

Some suggestions to improve this PR:

* many of these patches are just to fix the UNUSED()s, moving it from function parameters to inside at the end of the function, please talk with the original author, maybe he accepts to move it to the end of the function;

Hello @acassis, @xiaoxiang781216. Could you please confirm whether you would like me to contact the original author? I am concerned about his position regarding Xiaoxiang’s PR: mkj/dropbear#437

[FelipeMdeO]

Guys, I opened the following discussion in the dropbear's repo: mkj/dropbear#440

[mkj]

Good work getting it going! I suspect there are probably a few more cleanup edge cases that need dealing with, upstream Dropbear relies on exit() cleanup a fair bit. At least most of the postauth code should be in your own dropbear_nshsession.c to handle specially there.

I've added a few notes about upstream parts.

I don't think UNUSED() changes make sense to go upstream. It seems like it would be simpler to #undef UNUSED somewhere in an appropriate nuttx-dropbear header file? (Not sure where the NuttX definition comes from)

[mkj]

This can go upstream

[FelipeMdeO]

Thank you for catch that.
I opened a PR : mkj/dropbear#448

[mkj]

session_cleanup() should be OK to clean up the session in the clean exit case (the fuzzer tests for leaks), but memory won't be freed when dropbear_exit() occurs for an error case. Those error cases can readily be triggered by network traffic.

Dropbear's fuzzing harness had the same problem. As a usable hack it sets DROPBEAR_TRACKING_MALLOC and then the harness calls m_malloc_free_epoch().
https://github.com/mkj/dropbear/blob/master/FUZZER-NOTES.md#malloc-wrapper

I don't want to add any more complexity/API like that to upstream Dropbear (it was never intended as a library), but you might be to patch something similar in the NuttX wrapper? If NuttX has arena allocators (or similar) that might be another option.

[FelipeMdeO]

Hello mkj, nice catch.
This type of problem is critical.

NuttX has "tools" to handle memory properly but I will follow your suggestion to use DROPBEAR_TRACKING_MALLOC because it is more simple to apply.

You can check fix in commit sha: 7f37a59d8fef9648fadf8418ea36e76ae047454f

[mkj]

Suggested change

	#define dropbear_main dropbear_multi_entry
	#include "dbutil.h"
	#undef dropbear_main
	#undef dropbear_main
	#include "dbutil.h"

[FelipeMdeO]

Sorry, I can't apply this change.

I tried this change and unfortunately it breaks the build. See Below:

CC:  inode/fs_inoderemove.c <command-line>: error: conflicting types for 'dropbear_main'; have 'int(int,  char **)'
dropbear_main.c:258:5: note: in expansion of macro 'main'
  258 | int main(int argc, FAR char *argv[])
      |     ^~~~
In file included from dropbear_main.c:24:
/Users/felipemouradeoliveira/nuttxspace/apps/netutils/dropbear/dropbear/src/dbutil.h:110:5: note: previous declaration of 'dropbear_main' with type 'int(int,  char **, const char *)'
  110 | int dropbear_main(int argc, char ** argv, const char * multipath);
      |     ^~~~~~~~~~~~~

The NuttX build system injects -Dmain=dropbear_main at compile time, but dbutil.h already declares dropbear_main with a different signature (3 args: argc, argv, multipath). That causes a conflicting types error when int main(int argc, ...) gets expanded.

The #define dropbear_main dropbear_multi_entry before the include is a trick to silently rename that declaration to dropbear_multi_entry during preprocessing, so the 3-arg version stays out of the way.

[acassis]

Good work getting it going! I suspect there are probably a few more cleanup edge cases that need dealing with, upstream Dropbear relies on exit() cleanup a fair bit. At least most of the postauth code should be in your own dropbear_nshsession.c to handle specially there.

I've added a few notes about upstream parts.

I don't think UNUSED() changes make sense to go upstream. It seems like it would be simpler to #undef UNUSED somewhere in an appropriate nuttx-dropbear header file? (Not sure where the NuttX definition comes from)

Hi @mkj thank you very much for your review and suggestions.

I think undefining UNUSED macro and defining it again could work, but could we agree at least in moving the UNUSED from been used in the function prototype and move it to end of the function, like here:

https://github.com/apache/nuttx/blob/master/drivers/syslog/syslog_channel.c#L304

This way works better for old compilers (that don't know about attribute((unused)) ), since NuttX is used for retro-computing as well (not only microcontrollers).

[mkj]

I'm not keen on changing Dropbear's style. On other compilers Dropbear makes it a no-op.

#ifdef UNUSED 
#elif defined(__GNUC__) 
# define UNUSED(x) UNUSED_ ## x __attribute__((unused)) 
#elif defined(__LCLINT__) 
# define UNUSED(x) /*@unused@*/ x 
#else 
# define UNUSED(x) x 
#endif

[xiaoxiang781216]

Guys, I opened the following discussion in the dropbear's repo: mkj/dropbear#440

@FelipeMdeO I try a porting in the last week but doesn't require so many patch/hack to dropbear code base. So could you split the real change require to port dropbear from the pure improvement?

[acassis]

Guys, I opened the following discussion in the dropbear's repo: mkj/dropbear#440

@FelipeMdeO I try a porting in the last week but doesn't require so many patch/hack to dropbear code base. So could you split the real change require to port dropbear from the pure improvement?

Yes, I think we don't need to change the UNUSED() macro neither its position, since it won't be included into NuttX code base, but just compiled as external app.

[FelipeMdeO]

Guys, I opened the following discussion in the dropbear's repo: mkj/dropbear#440

@FelipeMdeO I try a porting in the last week but doesn't require so many patch/hack to dropbear code base. So could you split the real change require to port dropbear from the pure improvement?

Yes, I think we don't need to change the UNUSED() macro neither its position, since it won't be included into NuttX code base, but just compiled as external app.

I tried the #undef UNUSED approach but it doesn't work in our setup. The problem is that dropbear_nshsession.c includes both Dropbear headers and nsh_console.h, which uses UNUSED() in a function body. I cannot find other solution.

[FelipeMdeO]

@FelipeMdeO I try a porting in the last week but doesn't require so many patch/hack to dropbear code base. So could you split the real change require to port dropbear from the pure improvement?

Hello @xiaoxiang781216,

A significant portion of the changes (patches 0003–0005) are dedicated to replacing Dropbear's built-in crypto with NuttX's crypto libraries. Specifically: SHA-256/HMAC uses NuttX's mbedtls digest API, ChaCha20-Poly1305 uses NuttX's libtomcrypt state types directly, and password authentication delegates to NuttX's PAM/shadow stack.

In other words the port will be more simple if we use crypto libs from Dropbear instead NuttX libs, but we decided use NuttX libs.
I am updating the patch descriptions to make each change clearer and easier to review.