Upstream changelog:
https://matt.ucc.asn.au/dropbear/CHANGES

This adds elliptic curve cryptography (ECC) support as an option, disabled
by default.

dropbear mips 34kc uClibc binary size:
before: 161,672 bytes
after, without ECC (default): 164,968
after, with ECC: 198,008

Signed-off-by: Catalin Patulea <c...@vv.carleton.ca>
---
 package/network/services/dropbear/Config.in        |   27 ++++++++++++++++++++
 package/network/services/dropbear/Makefile         |   24 +++++++++++++++--
 .../dropbear/patches/100-pubkey_path.patch         |    4 +--
 .../dropbear/patches/110-change_user.patch         |    2 +-
 .../dropbear/patches/120-openwrt_options.patch     |   21 +++++----------
 .../dropbear/patches/140-disable_assert.patch      |    2 +-
 .../patches/150-dbconvert_standalone.patch         |    6 ++---
 .../dropbear/patches/200-lcrypt_bsdfix.patch       |    8 +++---
 .../dropbear/patches/500-set-default-path.patch    |    2 +-
 9 files changed, 67 insertions(+), 29 deletions(-)
 create mode 100644 package/network/services/dropbear/Config.in

diff --git a/package/network/services/dropbear/Config.in 
b/package/network/services/dropbear/Config.in
new file mode 100644
index 0000000..e2a7610
--- /dev/null
+++ b/package/network/services/dropbear/Config.in
@@ -0,0 +1,27 @@
+menu "Configuration"
+       depends on PACKAGE_dropbear
+
+config DROPBEAR_ECC
+       bool "Elliptic curve cryptography (ECC)"
+       default n
+       help
+               Enables elliptic curve cryptography (ECC) support in key 
exchange and public key
+               authentication.
+
+               Key exchange algorithms:
+                 ecdh-sha2-nistp256
+                 ecdh-sha2-nistp384
+                 ecdh-sha2-nistp521
+                 curve25519-sha...@libssh.org
+
+               Public key algorithms:
+                 ecdsa-sha2-nistp256
+                 ecdsa-sha2-nistp384
+                 ecdsa-sha2-nistp521
+
+               Does not generate ECC host keys by default (ECC key exchange 
will not be used,
+               only ECC public key auth).
+
+               Increases binary size by about 36 kB (MIPS).
+
+endmenu
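Review bot: The help text's parenthetical `(ECC key exchange will not be used, only ECC public key auth)` is inaccurate: SSH negotiates the key-exchange method and the host-key algorithm independently, so with this option enabled the ecdh-sha2-* and curve25519 exchanges are offered against an RSA or DSS host key as well, and only ecdsa-* host authentication depends on an ECDSA host key being generated. Suggest `Does not generate an ECDSA host key by default; ECDH/curve25519 key exchange and ECDSA public key authentication work without one.` in its place. Separately, `curve25519-sha...@libssh.org` as rendered here looks like list-archive address masking of `curve25519-sha256@libssh.org`; confirm the committed file carries the full algorithm name. `default n` is already Kconfig's default for a bool and can be dropped.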
diff --git a/package/network/services/dropbear/Makefile 
b/package/network/services/dropbear/Makefile
index 02be761..c7d0a96 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -8,26 +8,32 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2013.59
+PKG_VERSION:=2013.62
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
        http://matt.ucc.asn.au/dropbear/releases/ \
        https://dropbear.nl/mirror/releases/
-PKG_MD5SUM:=6c1e6c2c297f4034488ffc95e8b7e6e9
+PKG_MD5SUM:=ca2c7932a1399cf361f795aaa3843998
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
 
 PKG_BUILD_PARALLEL:=1
 
+PKG_CONFIG_DEPENDS:=CONFIG_DROPBEAR_ECC
+
 include $(INCLUDE_DIR)/package.mk
 
 define Package/dropbear/Default
   URL:=http://matt.ucc.asn.au/dropbear/
 endef
 
+define Package/dropbear/config
+       source "$(SOURCE)/Config.in"
+endef
+
 define Package/dropbear
   $(call Package/dropbear/Default)
   SECTION:=net
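Review bot: The new `PKG_MD5SUM` line is the only integrity check applied to the 2013.62 tarball fetched from the mirrors listed above, and a sum computed from a mirror copy is only as trustworthy as that copy; the field name is fixed by the build system, but the commit message could state that the tarball was checked against upstream's release signature before the hash was recorded, so a later reader knows the value was not simply taken from the download. The rest of the hunk reads fine: `PKG_CONFIG_DEPENDS:=CONFIG_DROPBEAR_ECC` makes a change of the option trigger a rebuild, and `Package/dropbear/config` sourcing `$(SOURCE)/Config.in` is the usual idiom.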
@@ -72,6 +78,20 @@ CONFIGURE_ARGS += \
 TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections
 TARGET_LDFLAGS += -Wl,--gc-sections
 
+define Build/Prepare
+       $(call Build/Prepare/Default)
+       # Enforce that all replacements are made, otherwise options.h has 
changed
+       # format and this logic is broken.
+       for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH DROPBEAR_CURVE25519; do \
+         awk 'BEGIN { rc = 1 } \
+              /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// 
)#define '$$$$OPTION'"; rc = 0 } \
+              { print } \
+              END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \
+              >$(PKG_BUILD_DIR)/options.h.new && \
+         mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h || exit 
1; \
+       done
+endef
+
 define Build/Compile
        +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
                $(TARGET_CONFIGURE_OPTS) \
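Review bot: The awk pattern `/'$$$$OPTION'/` in the new Build/Prepare matches the option name anywhere on a line, so any comment, `#ifdef`, or longer macro name in options.h that contains `DROPBEAR_ECDSA`, `DROPBEAR_ECDH` or `DROPBEAR_CURVE25519` is silently overwritten with a `#define` line, and because `rc` only records that something matched, the `END { exit(rc) }` guard does not catch the format change the comment says it enforces. Anchoring the match to the define line and requiring exactly one hit makes the guard do what the comment claims: `awk 'BEGIN { n = 0 } \`, `/^#define '$$$$OPTION'([[:space:]]|$$$$)/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// )#define '$$$$OPTION'"; n++ } \` and `END { exit(n != 1) }' $(PKG_BUILD_DIR)/options.h \`. A smaller point: the two `#` comment lines sit inside the recipe with a leading tab, so they are echoed and handed to the shell on every prepare; prefixing them with `@#` or moving them above `define Build/Prepare` keeps the build log clean. Build/Prepare is complete within the hunk; the following Build/Compile define continues past it.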
diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch 
b/package/network/services/dropbear/patches/100-pubkey_path.patch
index c1802f5..456874b 100644
--- a/package/network/services/dropbear/patches/100-pubkey_path.patch
+++ b/package/network/services/dropbear/patches/100-pubkey_path.patch
@@ -1,6 +1,6 @@
 --- a/svr-authpubkey.c
 +++ b/svr-authpubkey.c
-@@ -209,17 +209,21 @@ static int checkpubkey(unsigned char* al
+@@ -208,17 +208,21 @@ static int checkpubkey(unsigned char* al
                goto out;
        }
  
@@ -33,7 +33,7 @@
        if (authfile == NULL) {
                goto out;
        }
-@@ -372,26 +376,35 @@ static int checkpubkeyperms() {
+@@ -371,26 +375,35 @@ static int checkpubkeyperms() {
                goto out;
        }
  
diff --git a/package/network/services/dropbear/patches/110-change_user.patch 
b/package/network/services/dropbear/patches/110-change_user.patch
index 48228ea..fa608e7 100644
--- a/package/network/services/dropbear/patches/110-change_user.patch
+++ b/package/network/services/dropbear/patches/110-change_user.patch
@@ -1,6 +1,6 @@
 --- a/svr-chansession.c
 +++ b/svr-chansession.c
-@@ -889,12 +889,12 @@ static void execchild(void *user_data) {
+@@ -890,12 +890,12 @@ static void execchild(void *user_data) {
        /* We can only change uid/gid as root ... */
        if (getuid() == 0) {
  
diff --git 
a/package/network/services/dropbear/patches/120-openwrt_options.patch 
b/package/network/services/dropbear/patches/120-openwrt_options.patch
index 9300a27..1b5c5cb 100644
--- a/package/network/services/dropbear/patches/120-openwrt_options.patch
+++ b/package/network/services/dropbear/patches/120-openwrt_options.patch
@@ -1,6 +1,6 @@
 --- a/options.h
 +++ b/options.h
-@@ -38,7 +38,7 @@
+@@ -41,7 +41,7 @@
   * Both of these flags can be defined at once, don't compile without at least
   * one of them. */
  #define NON_INETD_MODE
@@ -9,16 +9,7 @@
  
  /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
   * perhaps 20% slower for pubkey operations (it is probably worth 
experimenting
-@@ -49,7 +49,7 @@
- several kB in binary size however will make the symmetrical ciphers and hashes
- slower, perhaps by 50%. Recommended for small systems that aren't doing
- much traffic. */
--/*#define DROPBEAR_SMALL_CODE*/
-+#define DROPBEAR_SMALL_CODE
- 
- /* Enable X11 Forwarding - server only */
- #define ENABLE_X11FWD
-@@ -78,7 +78,7 @@ much traffic. */
+@@ -81,7 +81,7 @@ much traffic. */
  
  /* Enable "Netcat mode" option. This will forward standard input/output
   * to a remote TCP-forwarded connection */
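Review bot: Dropping the hunk that turned `/*#define DROPBEAR_SMALL_CODE*/` into `#define DROPBEAR_SMALL_CODE` is a functional change to what the OpenWrt patch enables, and neither the commit message nor the Config.in help mentions it. If the reason is that upstream 2013.62 now defines DROPBEAR_SMALL_CODE by default, a sentence saying so in the commit message would let a reviewer attribute the 161,672 to 164,968 byte growth to the version bump alone; if it is not, the option is now silently off on every target. The rest of this file's hunks are offset refreshes and need no comment.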
@@ -27,7 +18,7 @@
  
  /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
  #define ENABLE_USER_ALGO_LIST
-@@ -92,8 +92,8 @@ much traffic. */
+@@ -95,8 +95,8 @@ much traffic. */
  #define DROPBEAR_AES256
  /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
  /*#define DROPBEAR_BLOWFISH*/
@@ -38,7 +29,7 @@
  
  /* Enable "Counter Mode" for ciphers. This is more secure than normal
   * CBC mode against certain attacks. This adds around 1kB to binary 
-@@ -119,7 +119,7 @@ much traffic. */
+@@ -122,7 +122,7 @@ much traffic. */
   * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
   * which are not the standard form. */
  #define DROPBEAR_SHA1_HMAC
@@ -47,7 +38,7 @@
  /*#define DROPBEAR_SHA2_256_HMAC*/
  /*#define DROPBEAR_SHA2_512_HMAC*/
  #define DROPBEAR_MD5_HMAC
-@@ -157,7 +157,7 @@ much traffic. */
+@@ -175,7 +175,7 @@ much traffic. */
  
  /* Whether to print the message of the day (MOTD). This doesn't add much code
   * size */
@@ -56,7 +47,7 @@
  
  /* The MOTD file path */
  #ifndef MOTD_FILENAME
-@@ -195,7 +195,7 @@ much traffic. */
+@@ -213,7 +213,7 @@ much traffic. */
   * note that it will be provided for all "hidden" client-interactive
   * style prompts - if you want something more sophisticated, use 
   * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
diff --git a/package/network/services/dropbear/patches/140-disable_assert.patch 
b/package/network/services/dropbear/patches/140-disable_assert.patch
index edc7547..0717228 100644
--- a/package/network/services/dropbear/patches/140-disable_assert.patch
+++ b/package/network/services/dropbear/patches/140-disable_assert.patch
@@ -1,6 +1,6 @@
 --- a/dbutil.h
 +++ b/dbutil.h
-@@ -92,7 +92,11 @@ int m_str_to_uint(const char* str, unsig
+@@ -101,7 +101,11 @@ int m_str_to_uint(const char* str, unsig
  #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  
  /* Dropbear assertion */
diff --git 
a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch 
b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
index 3e0b008..367dc2c 100644
--- a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
+++ b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
@@ -9,6 +9,6 @@
 +#define DROPBEAR_CLIENT
 +#endif
 +
- /******************************************************************
-  * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
-  * parts are to allow for commandline -DDROPBEAR_XXX options etc.
+ /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
+  * parts are to allow for commandline -DDROPBEAR_XXX options etc. */
+ 
diff --git a/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch 
b/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch
index a5697e2..940e428 100644
--- a/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch
+++ b/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch
@@ -1,15 +1,15 @@
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -56,7 +56,7 @@ HEADERS=options.h dbutil.h session.h pac
+@@ -58,7 +58,7 @@ HEADERS=options.h dbutil.h session.h pac
                loginrec.h atomicio.h x11fwd.h agentfwd.h tcpfwd.h compat.h \
-               listener.h fake-rfc2553.h
+               listener.h fake-rfc2553.h ecc.h ecdsa.h
  
 -dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) @CRYPTLIB@ 
 +dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS)
  dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS)
  dropbearkeyobjs=$(COMMONOBJS) $(KEYOBJS)
  dropbearconvertobjs=$(COMMONOBJS) $(CONVERTOBJS)
-@@ -78,7 +78,7 @@ STRIP=@STRIP@
+@@ -81,7 +81,7 @@ STRIP=@STRIP@
  INSTALL=@INSTALL@
  CPPFLAGS=@CPPFLAGS@
  CFLAGS+=-I. -I$(srcdir) $(CPPFLAGS) @CFLAGS@
@@ -18,7 +18,7 @@
  LDFLAGS=@LDFLAGS@
  
  EXEEXT=@EXEEXT@
-@@ -168,7 +168,7 @@ scp: $(SCPOBJS)  $(HEADERS) Makefile
+@@ -171,7 +171,7 @@ scp: $(SCPOBJS)  $(HEADERS) Makefile
  # multi-binary compilation.
  MULTIOBJS=
  ifeq ($(MULTI),1)
diff --git 
a/package/network/services/dropbear/patches/500-set-default-path.patch 
b/package/network/services/dropbear/patches/500-set-default-path.patch
index 702ad6c..cf1634a 100644
--- a/package/network/services/dropbear/patches/500-set-default-path.patch
+++ b/package/network/services/dropbear/patches/500-set-default-path.patch
@@ -1,6 +1,6 @@
 --- a/options.h
 +++ b/options.h
-@@ -301,7 +301,7 @@ be overridden at runtime with -I. 0 disa
+@@ -319,7 +319,7 @@ be overridden at runtime with -I. 0 disa
  #define DEFAULT_IDLE_TIMEOUT 0
  
  /* The default path. This will often get replaced by the shell */
-- 
1.7.9.5