Hi folks, dropbear 2014.63 is already out. Can someone please review these patches? Here is an updated patch for 2014.63: https://lists.openwrt.org/pipermail/openwrt-devel/2014-February/024058.html http://patchwork.openwrt.org/patch/4931/
On Wed, Feb 19, 2014 at 1:22 AM, Catalin Patulea <c...@vv.carleton.ca> wrote: > Can I get another round of review on this? > > On Sat, Feb 15, 2014 at 9:08 PM, Catalin Patulea <c...@vv.carleton.ca> wrote: >> Upstream changelog: >> https://matt.ucc.asn.au/dropbear/CHANGES >> >> This adds elliptic curve cryptography (ECC) support as an option, disabled >> by default. >> >> dropbear mips 34kc uClibc binary size: >> before: 161,672 bytes >> after, without ECC (default): 164,968 >> after, with ECC: 198,008 >> >> Signed-off-by: Catalin Patulea <c...@vv.carleton.ca> >> --- >> package/network/services/dropbear/Config.in | 27 >> ++++++++++++++++++++ >> package/network/services/dropbear/Makefile | 24 +++++++++++++++-- >> .../dropbear/patches/100-pubkey_path.patch | 4 +-- >> .../dropbear/patches/110-change_user.patch | 2 +- >> .../dropbear/patches/120-openwrt_options.patch | 21 +++++---------- >> .../dropbear/patches/140-disable_assert.patch | 2 +- >> .../patches/150-dbconvert_standalone.patch | 6 ++--- >> .../dropbear/patches/200-lcrypt_bsdfix.patch | 8 +++--- >> .../dropbear/patches/500-set-default-path.patch | 2 +- >> 9 files changed, 67 insertions(+), 29 deletions(-) >> create mode 100644 package/network/services/dropbear/Config.in >> >> diff --git a/package/network/services/dropbear/Config.in >> b/package/network/services/dropbear/Config.in >> new file mode 100644 >> index 0000000..e2a7610 >> --- /dev/null >> +++ b/package/network/services/dropbear/Config.in 
>> @@ -0,0 +1,27 @@ >> +menu "Configuration" >> + depends on PACKAGE_dropbear >> + >> +config DROPBEAR_ECC >> + bool "Elliptic curve cryptography (ECC)" >> + default n >> + help >> + Enables elliptic curve cryptography (ECC) support in key >> exchange and public key >> + authentication. >> + >> + Key exchange algorithms: >> + ecdh-sha2-nistp256 >> + ecdh-sha2-nistp384 >> + ecdh-sha2-nistp521 >> + curve25519-sha...@libssh.org >> + >> + Public key algorithms: >> + ecdsa-sha2-nistp256 >> + ecdsa-sha2-nistp384 >> + ecdsa-sha2-nistp521 >> + >> + Does not generate ECC host keys by default (ECC key exchange >> will not be used, >> + only ECC public key auth). >> + >> + Increases binary size by about 36 kB (MIPS). >> + >> +endmenu >> diff --git a/package/network/services/dropbear/Makefile >> b/package/network/services/dropbear/Makefile >> index 02be761..c7d0a96 100644 >> --- a/package/network/services/dropbear/Makefile >> +++ b/package/network/services/dropbear/Makefile >> @@ -8,26 +8,32 @@ >> include $(TOPDIR)/rules.mk >> >> PKG_NAME:=dropbear >> -PKG_VERSION:=2013.59 >> +PKG_VERSION:=2013.62 >> PKG_RELEASE:=1 >> >> PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 >> PKG_SOURCE_URL:= \ >> http://matt.ucc.asn.au/dropbear/releases/ \ >> https://dropbear.nl/mirror/releases/ >> -PKG_MD5SUM:=6c1e6c2c297f4034488ffc95e8b7e6e9 >> +PKG_MD5SUM:=ca2c7932a1399cf361f795aaa3843998 >> >> PKG_LICENSE:=MIT >> PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE >> >> PKG_BUILD_PARALLEL:=1 >> >> +PKG_CONFIG_DEPENDS:=CONFIG_DROPBEAR_ECC >> + >> include $(INCLUDE_DIR)/package.mk >> >> define Package/dropbear/Default >> URL:=http://matt.ucc.asn.au/dropbear/ >> endef >> >> +define Package/dropbear/config >> + source "$(SOURCE)/Config.in" >> +endef >> + >> define Package/dropbear >> $(call Package/dropbear/Default) >> SECTION:=net 
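Review bot: The help text's statement that without ECC host keys `ECC key exchange will not be used, only ECC public key auth` appears to have the dependency backwards: the ecdh-sha2-* and curve25519 key exchanges listed just above do not depend on the host key type, which only matters for the ecdsa-sha2-* host-key signature, so with the existing RSA/DSS host keys ECC key exchange can still be negotiated while ECDSA host authentication cannot. Please confirm against the upstream CHANGES and reword along the lines of `Does not generate ECC host keys by default (ECDSA host authentication is not offered; ECDH/curve25519 key exchange and ECDSA client public key auth still are).` It would also help operators to say in the help that enabling the option changes the algorithm lists dropbear offers on the wire, since clients with strict algorithm policies will see that change. Note that the patch as quoted here is mail-wrapped (the `diff --git` headers and several help lines span two quoted lines), so it should be applied from the patchwork link rather than from this message.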
>> @@ -72,6 +78,20 @@ CONFIGURE_ARGS += \ >> TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections >> TARGET_LDFLAGS += -Wl,--gc-sections >> >> +define Build/Prepare >> + $(call Build/Prepare/Default) >> + # Enforce that all replacements are made, otherwise options.h has >> changed >> + # format and this logic is broken. >> + for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH DROPBEAR_CURVE25519; do \ >> + awk 'BEGIN { rc = 1 } \ >> + /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// >> )#define '$$$$OPTION'"; rc = 0 } \ >> + { print } \ >> + END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \ >> + >$(PKG_BUILD_DIR)/options.h.new && \ >> + mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h || >> exit 1; \ >> + done >> +endef >> + >> define Build/Compile >> +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ >> $(TARGET_CONFIGURE_OPTS) \ >> diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch >> b/package/network/services/dropbear/patches/100-pubkey_path.patch >> index c1802f5..456874b 100644 >> --- a/package/network/services/dropbear/patches/100-pubkey_path.patch >> +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch >> @@ -1,6 +1,6 @@ >> --- a/svr-authpubkey.c >> +++ b/svr-authpubkey.c >> -@@ -209,17 +209,21 @@ static int checkpubkey(unsigned char* al >> +@@ -208,17 +208,21 @@ static int checkpubkey(unsigned char* al >> goto out; >> } >> >> @@ -33,7 +33,7 @@ >> if (authfile == NULL) { >> goto out; >> } >> -@@ -372,26 +376,35 @@ static int checkpubkeyperms() { >> +@@ -371,26 +375,35 @@ static int checkpubkeyperms() { >> goto out; >> } >> >> diff --git a/package/network/services/dropbear/patches/110-change_user.patch >> b/package/network/services/dropbear/patches/110-change_user.patch >> index 48228ea..fa608e7 100644 >> --- a/package/network/services/dropbear/patches/110-change_user.patch >> +++ b/package/network/services/dropbear/patches/110-change_user.patch >> @@ -1,6 +1,6 @@ >> --- a/svr-chansession.c 
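Review bot: The awk pattern `/'$$$$OPTION'/` in the new Build/Prepare is an unanchored substring match, so any options.h line that merely mentions the option name — a comment, or a longer macro sharing the prefix — is replaced by the generated `#define` line, and `rc = 0` is set on that match, so the `END { exit(rc) }` guard no longer proves the real definition line was rewritten. Anchoring on the define itself, e.g. `/^(\/\/ *|\/\* *)?#define '$$$$OPTION'([ \t*]|$$$$)/`, limits the rewrite to the definition whether upstream ships it as `#define X`, `// #define X` or `/*#define X*/`; I have not checked the exact form in the 2013.62 options.h, so please verify the pattern against it. Counting matches and exiting non-zero unless exactly one line was rewritten would additionally catch the case where a second mention slips through and leaves two defines. The comment above the loop could then say what the check actually guarantees, e.g. `# Fail the build unless exactly one definition line per option was rewritten, so an upstream options.h reformat is noticed instead of silently leaving ECC enabled or disabled.`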
>> +++ b/svr-chansession.c >> -@@ -889,12 +889,12 @@ static void execchild(void *user_data) { >> +@@ -890,12 +890,12 @@ static void execchild(void *user_data) { >> /* We can only change uid/gid as root ... */ >> if (getuid() == 0) { >> >> diff --git >> a/package/network/services/dropbear/patches/120-openwrt_options.patch >> b/package/network/services/dropbear/patches/120-openwrt_options.patch >> index 9300a27..1b5c5cb 100644 >> --- a/package/network/services/dropbear/patches/120-openwrt_options.patch >> +++ b/package/network/services/dropbear/patches/120-openwrt_options.patch >> @@ -1,6 +1,6 @@ >> --- a/options.h >> +++ b/options.h >> -@@ -38,7 +38,7 @@ >> +@@ -41,7 +41,7 @@ >> * Both of these flags can be defined at once, don't compile without at >> least >> * one of them. */ >> #define NON_INETD_MODE >> @@ -9,16 +9,7 @@ >> >> /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but >> is >> * perhaps 20% slower for pubkey operations (it is probably worth >> experimenting >> -@@ -49,7 +49,7 @@ >> - several kB in binary size however will make the symmetrical ciphers and >> hashes >> - slower, perhaps by 50%. Recommended for small systems that aren't doing >> - much traffic. */ >> --/*#define DROPBEAR_SMALL_CODE*/ >> -+#define DROPBEAR_SMALL_CODE >> - >> - /* Enable X11 Forwarding - server only */ >> - #define ENABLE_X11FWD >> -@@ -78,7 +78,7 @@ much traffic. */ >> +@@ -81,7 +81,7 @@ much traffic. */ >> >> /* Enable "Netcat mode" option. This will forward standard input/output >> * to a remote TCP-forwarded connection */ >> @@ -27,7 +18,7 @@ >> >> /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at >> runtime */ >> #define ENABLE_USER_ALGO_LIST >> -@@ -92,8 +92,8 @@ much traffic. */ >> +@@ -95,8 +95,8 @@ much traffic. */ >> #define DROPBEAR_AES256 >> /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ >> /*#define DROPBEAR_BLOWFISH*/ 
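Review bot: Dropping the hunk that turned `/*#define DROPBEAR_SMALL_CODE*/` into `#define DROPBEAR_SMALL_CODE` in 120-openwrt_options.patch is a behaviour change this refresh does not explain. If upstream 2013.62 now defines DROPBEAR_SMALL_CODE by default the drop is a no-op, but if it does not, OpenWrt builds switch from the small-code to the larger, faster cipher/hash paths, which the before/after size figures in the description (161,672 → 164,968 bytes without ECC) would then partly reflect rather than the ECC plumbing alone. Please state which case applies in the commit message, e.g. `120-openwrt_options.patch: drop the DROPBEAR_SMALL_CODE hunk, upstream now enables it by default`, so the next refresh does not have to rediscover it.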
>> @@ -38,7 +29,7 @@ >> >> /* Enable "Counter Mode" for ciphers. This is more secure than normal >> * CBC mode against certain attacks. This adds around 1kB to binary >> -@@ -119,7 +119,7 @@ much traffic. */ >> +@@ -122,7 +122,7 @@ much traffic. */ >> * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, >> * which are not the standard form. */ >> #define DROPBEAR_SHA1_HMAC >> @@ -47,7 +38,7 @@ >> /*#define DROPBEAR_SHA2_256_HMAC*/ >> /*#define DROPBEAR_SHA2_512_HMAC*/ >> #define DROPBEAR_MD5_HMAC >> -@@ -157,7 +157,7 @@ much traffic. */ >> +@@ -175,7 +175,7 @@ much traffic. */ >> >> /* Whether to print the message of the day (MOTD). This doesn't add much >> code >> * size */ >> @@ -56,7 +47,7 @@ >> >> /* The MOTD file path */ >> #ifndef MOTD_FILENAME >> -@@ -195,7 +195,7 @@ much traffic. */ >> +@@ -213,7 +213,7 @@ much traffic. */ >> * note that it will be provided for all "hidden" client-interactive >> * style prompts - if you want something more sophisticated, use >> * SSH_ASKPASS instead. Comment out this var to remove this >> functionality.*/ >> diff --git >> a/package/network/services/dropbear/patches/140-disable_assert.patch >> b/package/network/services/dropbear/patches/140-disable_assert.patch >> index edc7547..0717228 100644 >> --- a/package/network/services/dropbear/patches/140-disable_assert.patch >> +++ b/package/network/services/dropbear/patches/140-disable_assert.patch >> @@ -1,6 +1,6 @@ >> --- a/dbutil.h >> +++ b/dbutil.h >> -@@ -92,7 +92,11 @@ int m_str_to_uint(const char* str, unsig >> +@@ -101,7 +101,11 @@ int m_str_to_uint(const char* str, unsig >> #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL} >> >> /* Dropbear assertion */ 
>> diff --git >> a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch >> b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch >> index 3e0b008..367dc2c 100644 >> --- >> a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch >> +++ >> b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch >> @@ -9,6 +9,6 @@ >> +#define DROPBEAR_CLIENT >> +#endif >> + >> - /****************************************************************** >> - * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... >> #endif" >> - * parts are to allow for commandline -DDROPBEAR_XXX options etc. >> + /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... >> #endif" >> + * parts are to allow for commandline -DDROPBEAR_XXX options etc. */ >> + >> diff --git >> a/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch >> b/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch >> index a5697e2..940e428 100644 >> --- a/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch >> +++ b/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch >> @@ -1,15 +1,15 @@ >> --- a/Makefile.in >> +++ b/Makefile.in >> -@@ -56,7 +56,7 @@ HEADERS=options.h dbutil.h session.h pac >> +@@ -58,7 +58,7 @@ HEADERS=options.h dbutil.h session.h pac >> loginrec.h atomicio.h x11fwd.h agentfwd.h tcpfwd.h compat.h \ >> - listener.h fake-rfc2553.h >> + listener.h fake-rfc2553.h ecc.h ecdsa.h >> >> -dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) @CRYPTLIB@ >> +dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) >> dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS) >> dropbearkeyobjs=$(COMMONOBJS) $(KEYOBJS) >> dropbearconvertobjs=$(COMMONOBJS) $(CONVERTOBJS) >> -@@ -78,7 +78,7 @@ STRIP=@STRIP@ >> +@@ -81,7 +81,7 @@ STRIP=@STRIP@ >> INSTALL=@INSTALL@ >> CPPFLAGS=@CPPFLAGS@ >> CFLAGS+=-I. -I$(srcdir) $(CPPFLAGS) @CFLAGS@ 
>> @@ -18,7 +18,7 @@ >> LDFLAGS=@LDFLAGS@ >> >> EXEEXT=@EXEEXT@ >> -@@ -168,7 +168,7 @@ scp: $(SCPOBJS) $(HEADERS) Makefile >> +@@ -171,7 +171,7 @@ scp: $(SCPOBJS) $(HEADERS) Makefile >> # multi-binary compilation. >> MULTIOBJS= >> ifeq ($(MULTI),1) >> diff --git >> a/package/network/services/dropbear/patches/500-set-default-path.patch >> b/package/network/services/dropbear/patches/500-set-default-path.patch >> index 702ad6c..cf1634a 100644 >> --- a/package/network/services/dropbear/patches/500-set-default-path.patch >> +++ b/package/network/services/dropbear/patches/500-set-default-path.patch >> @@ -1,6 +1,6 @@ >> --- a/options.h >> +++ b/options.h >> -@@ -301,7 +301,7 @@ be overridden at runtime with -I. 0 disa >> +@@ -319,7 +319,7 @@ be overridden at runtime with -I. 0 disa >> #define DEFAULT_IDLE_TIMEOUT 0 >> >> /* The default path. This will often get replaced by the shell */ >> -- >> 1.7.9.5 >> _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel