Improve dropbear key detection and creation

- If at least one key already exists in /etc/dropbear, use that
  directory without trying to copy OpenSSH keys or generate new ones

- Add (optional) support for ed25519, ignoring failures in case the
  version of dropbear used by the hook does not support that type

dropbear_install

@@ -6,43 +6,61 @@ get_fingerprint() {
 }
 
 display_fingerprints() {
-  local keyfile
+  local keyfile keytype
 
-  for keyfile in "/etc/dropbear/dropbear_rsa_host_key" "/etc/dropbear/dropbear_ecdsa_host_key" ; do
+  for keytype in rsa ecdsa ed25519; do
-      if [ -s "${keyfile}" ] ; then
+    keyfile="/etc/dropbear/dropbear_${keytype}_host_key"
-	  echo "$(basename "${keyfile}") : $(get_fingerprint "${keyfile}")"
+    [ -s "${keyfile}" ] && echo "${keyfile##*/} : $(get_fingerprint "${keyfile}")"
-      fi
   done
 }
 
-copy_openssh_keys() {
+use_dropbear_keys() {
-  local osshrsa="/etc/ssh/ssh_host_rsa_key"
+  local keytype
-  local osshecdsa="/etc/ssh/ssh_host_ecdsa_key"
 
-  local dbpre="/etc/dropbear/dropbear_"
+  for keytype in rsa ecdsa ed25519; do
+    [ -s "/etc/dropbear/dropbear_${keytype}_host_key" ] && return 0
+  done
+
+  return 1
+}
+
+copy_openssh_keys() {
+  local osshkey keytype
+
+  local dbpre="/etc/dropbear/dropbear"
 
   local return_code=1
 
-  if [ -s "$osshrsa" ]; then
+  for keytype in rsa ecdsa ed25519; do
-      dropbearconvert openssh dropbear $osshrsa ${dbpre}rsa_host_key
+    osshkey="/etc/ssh/ssh_host_${keytype}_key"
-      return_code=0
+    [ -s "${osshkey}" ] || continue
+
+    if ! dropbearconvert openssh dropbear "${osshkey}" "${dbpre}_${keytype}_host_key"; then
+      error "failed to convert SSH key ${osshkey}"
+      return 1
     fi
 
-  if [ -s "$osshecdsa" ]; then
-      dropbearconvert openssh dropbear $osshecdsa ${dbpre}ecdsa_host_key
     return_code=0
-  fi
+  done
 
   return $return_code
 }
 
 generate_keys() {
   local keyfile keytype
-  for keytype in rsa ecdsa ; do
+
+  for keytype in rsa ecdsa ed25519; do
     keyfile="/etc/dropbear/dropbear_${keytype}_host_key"
-      if [ ! -s "$keyfile" ]; then
+    [ -s "${keyfile}" ] && continue
-	  echo "Generating ${keytype} host key for dropbear ..."
+
-	  dropbearkey -t "${keytype}" -f "${keyfile}"
+    if dropbearkey -t "${keytype}" -f "${keyfile}"; then
+      echo "Generated ${keytype} host key for dropbear"
+    elif [ "${keytype}" = "ed25519" ]; then
+      # ed25519 key is not supported by all dropbear versions; don't hard fail
+      warning "failed to generate $keytype host key for dropbear"
+    else
+      error "failed to generate ${keytype} host key for dropbear"
+      return 1
     fi
   done
 }
@@ -60,16 +78,14 @@ build ()
   fi
 
   # if TMPDIR is set leave it alone otherwise set
-  [ -z $TMPDIR ] && TMPDIR='/tmp/dropbear_initrd_encrypt'
+  [ -z "$TMPDIR" ] && TMPDIR='/tmp/dropbear_initrd_encrypt'
 
   # check if TMPDIR exsists if not make it
-  [ -d $TMPDIR ] || mkdir -p $TMPDIR
+  [ -d "$TMPDIR" ] || mkdir -p "$TMPDIR"
-
-  umask 0022
 
   [ -d /etc/dropbear ] && mkdir -p /etc/dropbear
 
-  copy_openssh_keys || generate_keys
+  use_dropbear_keys || copy_openssh_keys || generate_keys
   display_fingerprints
 
   add_checked_modules "/drivers/net/"
@@ -99,3 +115,5 @@ will find hooks and shells for remote unlocking a luks root partition,
 among others.
 HELPEOF
 }
+
+# vim: softtabstop=2 shiftwidth=2 expandtab