mailarchive of the ptxdist mailing list
* [ptxdist] [PATCH 0/3] dropbear: Upgrade plus collected changes
@ 2020-03-11 13:24 Alexander Dahl
  2020-03-11 13:24 ` [ptxdist] [PATCH 1/3] dropbear: Add license information Alexander Dahl
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Alexander Dahl @ 2020-03-11 13:24 UTC (permalink / raw)
  To: ptxdist

Hei hei,

The main incentive of this patch series is the version bump in the second
patch. I pushed that along with me for quite a while, but got time for
it now. I had to patch configure.ac to pin down the 'fuzz' option and
sent that upstream, but got no feedback yet.

The license issue covers the remarks from Michael Olbrich from last
year and the feedback from Roland Hieber from this week, thanks guys.

The third patch, on whether the DSA key should be on by default, is
something we changed in our own BSPs and have carried for quite a while
now; you might like it or just drop it.

Greets
Alex

Alexander Dahl (3):
  dropbear: Add license information
  dropbear: version bump 2017.75 -> 2019.78
  dropbear: Disable default selection of DSS

 .../0001-configure-Fix-disable-fuzz.patch     |  47 +++++++
 patches/dropbear-2019.78/autogen.sh           |   1 +
 patches/dropbear-2019.78/series               |   4 +
 rules/dropbear.in                             |   3 +-
 rules/dropbear.make                           | 133 ++++++++++--------
 5 files changed, 126 insertions(+), 62 deletions(-)
 create mode 100644 patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
 create mode 120000 patches/dropbear-2019.78/autogen.sh
 create mode 100644 patches/dropbear-2019.78/series

-- 
2.20.1


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de


* [ptxdist] [PATCH 1/3] dropbear: Add license information
  2020-03-11 13:24 [ptxdist] [PATCH 0/3] dropbear: Upgrade plus collected changes Alexander Dahl
@ 2020-03-11 13:24 ` Alexander Dahl
  2020-03-27  9:52   ` [ptxdist] [1/3] " Michael Olbrich
  2020-03-11 13:24 ` [ptxdist] [PATCH 2/3] dropbear: version bump 2017.75 -> 2019.78 Alexander Dahl
  2020-03-11 13:24 ` [ptxdist] [PATCH 3/3] dropbear: Disable default selection of DSS Alexander Dahl
  2 siblings, 1 reply; 7+ messages in thread
From: Alexander Dahl @ 2020-03-11 13:24 UTC (permalink / raw)
  To: ptxdist

The parts written for dropbear itself are MIT licensed, as are those
imported from PuTTY. Some parts come from OpenSSH with BSD 2 clause,
some parts are in the public domain. curve25519 parts from Google are
BSD 3 clause licensed. Everything is explained in the file 'LICENSE'.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---

Notes:
    Changes since (implicit) v1:
      - Added SSH-short as identifier for sshpty.[ch] (Roland Hieber)
      - Added loginrec.c which contains the BSD-2-Clause text (Michael Olbrich)

 rules/dropbear.make | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rules/dropbear.make b/rules/dropbear.make
index 9b7173387..a3b867817 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -23,6 +23,10 @@ DROPBEAR_SUFFIX		:= tar.bz2
 DROPBEAR_URL		:= http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
 DROPBEAR_SOURCE		:= $(SRCDIR)/$(DROPBEAR).$(DROPBEAR_SUFFIX)
 DROPBEAR_DIR		:= $(BUILDDIR)/$(DROPBEAR)
+DROPBEAR_LICENSE	:= MIT AND BSD-2-Clause AND BSD-3-Clause AND SSH-short
+DROPBEAR_LICENSE_FILES	:= \
+	file://LICENSE;md5=a5ec40cafba26fc4396d0b550f824e01 \
+	file://loginrec.c;startline=1;endline=26;md5=0d785ee11fab1cead2c7fee9c35574f1
 
 # ----------------------------------------------------------------------------
 # Prepare
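Review bot: DROPBEAR_LICENSE names SSH-short (for sshpty.[ch], per the notes above) and BSD-3-Clause, but DROPBEAR_LICENSE_FILES only pins `file://LICENSE` and lines 1-26 of `loginrec.c`; the notice in sshpty.[ch] that the SSH-short identifier refers to is not md5-pinned, so a change to that text in a later release would not be caught by the license-file check. Suggest either an additional entry of the form `file://sshpty.c;startline=<first>;endline=<last>;md5=<hash>` (range and hash to be taken from the 2019.78 tarball, placeholders here) or a sentence in the commit message saying that LICENSE already reproduces that notice.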
-- 
2.20.1




* [ptxdist] [PATCH 2/3] dropbear: version bump 2017.75 -> 2019.78
  2020-03-11 13:24 [ptxdist] [PATCH 0/3] dropbear: Upgrade plus collected changes Alexander Dahl
  2020-03-11 13:24 ` [ptxdist] [PATCH 1/3] dropbear: Add license information Alexander Dahl
@ 2020-03-11 13:24 ` Alexander Dahl
  2020-03-27  9:52   ` [ptxdist] [2/3] " Michael Olbrich
  2020-03-11 13:24 ` [ptxdist] [PATCH 3/3] dropbear: Disable default selection of DSS Alexander Dahl
  2 siblings, 1 reply; 7+ messages in thread
From: Alexander Dahl @ 2020-03-11 13:24 UTC (permalink / raw)
  To: ptxdist

The major change with 2018.76 was in configuration, moving from editing
'options.h' to adding things to 'localoptions.h'. The latter file must
be created in the extracted sources; a pragmatic approach was used to
add the defines, as seen in the buildroot project.

All options were compared to 'default_options.h' and 'sysoptions.h' from
the dropbear source. Not all options are in default_options, e.g. the
deprecated md5 hmac. A warning for that one was added.

Various things were fixed and improved in dropbear; notable changes:

+ 2019.78 / 2019.77
  - Fix 2018.76 regressions
  - Improve failure delay consistency
  - Change handling of failed authentication to avoid disclosing valid
    usernames, CVE-2018-15599.

+ 2018.76
  - Enable hardening build flags
  - New key exchange options
  - Improved DSS and RSA pubkey validation
  - Fix null pointer crash on malformed keys
  - Update curve25519-donna implementation

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---

Notes:
    Just omitting --disable-fuzz wouldn't require that patch; it just pins down
    what is the default anyway, but for that the patch is needed.

 .../0001-configure-Fix-disable-fuzz.patch     |  47 +++++++
 patches/dropbear-2019.78/autogen.sh           |   1 +
 patches/dropbear-2019.78/series               |   4 +
 rules/dropbear.make                           | 129 ++++++++++--------
 4 files changed, 121 insertions(+), 60 deletions(-)
 create mode 100644 patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
 create mode 120000 patches/dropbear-2019.78/autogen.sh
 create mode 100644 patches/dropbear-2019.78/series

diff --git a/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch b/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
new file mode 100644
index 000000000..03aec183a
--- /dev/null
+++ b/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
@@ -0,0 +1,47 @@
+From: Alexander Dahl <ada@thorsis.com>
+Date: Wed, 11 Mar 2020 10:50:45 +0100
+Subject: [PATCH] configure: Fix --disable-fuzz
+
+When explicitly passing --disable-fuzz to ./configure fuzz was actually
+enabled.
+
+Signed-off-by: Alexander Dahl <ada@thorsis.com>
+---
+
+Notes:
+    Sent upstream: https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2020q1/002202.html
+
+ configure.ac | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 7199d7cb2300..104d60cfaf53 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -326,14 +326,21 @@ AC_ARG_ENABLE(shadow,
+ AC_ARG_ENABLE(fuzz,
+ 	[  --enable-fuzz           Build fuzzing. Not recommended for deployment.],
+ 	[
+-		AC_DEFINE(DROPBEAR_FUZZ, 1, Fuzzing)
+-		AC_MSG_NOTICE(Enabling fuzzing)
+-		DROPBEAR_FUZZ=1
+-		# libfuzzer needs linking with c++ libraries
+-		AC_PROG_CXX
++		if test "x$enableval" = "xyes"; then
++            AC_DEFINE(DROPBEAR_FUZZ, 1, Fuzzing)
++            AC_MSG_NOTICE(Enabling fuzzing)
++            DROPBEAR_FUZZ=1
++            # libfuzzer needs linking with c++ libraries
++            AC_PROG_CXX
++        else
++            AC_DEFINE(DROPBEAR_FUZZ, 0, Fuzzing)
++            AC_MSG_NOTICE(Disabling fuzzing)
++            DROPBEAR_FUZZ=0
++        fi
+ 	],
+ 	[
+ 		AC_DEFINE(DROPBEAR_FUZZ, 0, Fuzzing)
++		AC_MSG_NOTICE(Disabling fuzzing)
+ 		DROPBEAR_FUZZ=0
+ 	]
+ 
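Review bot: the new `if test "x$enableval" = "xyes"` / `else` block is indented with spaces, while the surrounding configure.ac lines it replaces (`+-		AC_DEFINE(DROPBEAR_FUZZ, 1, Fuzzing)`) use tabs; worth normalising, especially since the notes say the same patch was sent upstream. The logic itself is right: before the change any explicit `--enable-fuzz` or `--disable-fuzz` landed in the action-if-given branch, which unconditionally defined DROPBEAR_FUZZ to 1 and pulled in AC_PROG_CXX, so a build that asked for no fuzzing got a fuzzing-enabled binary. The added `AC_MSG_NOTICE(Disabling fuzzing)` in the not-given branch is a small but useful touch, because the configure log now states the fuzz setting in every case and can be checked when auditing what went into an image.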
diff --git a/patches/dropbear-2019.78/autogen.sh b/patches/dropbear-2019.78/autogen.sh
new file mode 120000
index 000000000..9f8a4cb7d
--- /dev/null
+++ b/patches/dropbear-2019.78/autogen.sh
@@ -0,0 +1 @@
+../autogen.sh
\ No newline at end of file
diff --git a/patches/dropbear-2019.78/series b/patches/dropbear-2019.78/series
new file mode 100644
index 000000000..3e5a5247e
--- /dev/null
+++ b/patches/dropbear-2019.78/series
@@ -0,0 +1,4 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-configure-Fix-disable-fuzz.patch
+# c03ca050bdd0c61ac96e5bd22c9d0947  - git-ptx-patches magic
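Review bot: the series file lists only the configure.ac patch, and that patch touches configure.ac rather than the generated configure script, so it only takes effect because the autogen.sh symlink in the previous hunk makes ptxdist regenerate the build system after patching. A one-line comment in the commit message tying the two files together would stop the next version bump from dropping one without the other.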
diff --git a/rules/dropbear.make b/rules/dropbear.make
index a3b867817..8d80ed295 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear
 #
 # Paths and names
 #
-DROPBEAR_VERSION	:= 2017.75
-DROPBEAR_MD5		:= e57e9b9d25705dcb073ba15c416424fd
+DROPBEAR_VERSION	:= 2019.78
+DROPBEAR_MD5		:= a972c85ed678ad0fdcb7844e1294fb54
 DROPBEAR		:= dropbear-$(DROPBEAR_VERSION)
 DROPBEAR_SUFFIX		:= tar.bz2
 DROPBEAR_URL		:= http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
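Review bot: the tarball is still fetched over plain `http://` (context line `DROPBEAR_URL := http://matt.ucc.asn.au/dropbear/releases/...`), so `DROPBEAR_MD5` is the only thing standing between the download and the build; the commit message should say where the new value `a972c85ed678ad0fdcb7844e1294fb54` was verified (an upstream release announcement or signature, for instance), since a hash computed from the downloaded file itself proves nothing about its origin. Switching the URL to https, if upstream serves one, would be a worthwhile follow-up.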
@@ -38,12 +38,14 @@ DROPBEAR_LICENSE_FILES	:= \
 DROPBEAR_CONF_TOOL	:= autoconf
 DROPBEAR_CONF_OPT 	:= \
 	$(CROSS_AUTOCONF_USR) \
+	--enable-harden \
 	$(GLOBAL_LARGE_FILE_OPTION) \
 	--$(call ptx/endis, PTXCONF_DROPBEAR_ZLIB)-zlib \
 	--disable-pam \
 	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_OPENPTY)-openpty \
 	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_SYSLOG)-syslog \
 	--enable-shadow \
+	--disable-fuzz \
 	--enable-bundled-libtom \
 	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_LASTLOG)-lastlog \
 	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_UTMP)-utmp \
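Review bot: `--disable-fuzz` only does what it says because of 0001-configure-Fix-disable-fuzz.patch (the notes above say the flag is the default anyway and the patch is needed for the explicit form); if that patch is dropped on a later version bump without checking that upstream fixed the option, this exact line turns the build into a fuzzing-enabled one. Suggest a comment next to `--disable-fuzz \` naming the patch, so the dependency is visible in the rule. `--enable-harden` matches the 2018.76 "Enable hardening build flags" entry in the commit message and is the right default for a target sshd.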
@@ -54,206 +56,213 @@ DROPBEAR_CONF_OPT 	:= \
 	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_PUTUTLINE)-pututline \
 	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_PUTUTXLINE)-pututxline
 
+DROPBEAR_LOCALOPTIONS	:= $(DROPBEAR_DIR)/localoptions.h
+
 $(STATEDIR)/dropbear.prepare:
 	@$(call targetinfo)
 	@$(call world/prepare, DROPBEAR)
 
+	@echo "/* localoptions.h created by ptxdist */" > $(DROPBEAR_LOCALOPTIONS)
+
 ifdef PTXCONF_DROPBEAR_DIS_X11
 	@echo "ptxdist: disabling x11 forwarding"
-	$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_X11FWD)
+	@echo "#define DROPBEAR_X11FWD 0" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: enabling x11 forwarding"
-	$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_X11FWD)
+	@echo "#define DROPBEAR_X11FWD 1" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 ifdef PTXCONF_DROPBEAR_DIS_TCP
 	@echo "ptxdist: disabling tcp"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_LOCALTCPFWD)
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_REMOTETCPFWD)
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_LOCALTCPFWD)
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_REMOTETCPFWD)
+	@echo "#define DROPBEAR_CLI_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
+	@echo "#define DROPBEAR_CLI_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
+	@echo "#define DROPBEAR_SVR_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
+	@echo "#define DROPBEAR_SVR_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: enabling tcp"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_LOCALTCPFWD)
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_REMOTETCPFWD)
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_LOCALTCPFWD)
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_REMOTETCPFWD)
+	@echo "#define DROPBEAR_CLI_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
+	@echo "#define DROPBEAR_CLI_REMOTETCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
+	@echo "#define DROPBEAR_SVR_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
+	@echo "#define DROPBEAR_SVR_REMOTETCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 ifdef PTXCONF_DROPBEAR_DIS_AGENT
 	@echo "ptxdist: disabling agent"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_AGENTFWD)
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_AGENTFWD)
+	@echo "#define DROPBEAR_SVR_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
+	@echo "#define DROPBEAR_CLI_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: enabling agent"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_AGENTFWD)
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_AGENTFWD)
+	@echo "#define DROPBEAR_SVR_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
+	@echo "#define DROPBEAR_CLI_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 
 ifdef PTXCONF_DROPBEAR_AES128
 	@echo "ptxdist: enabling aes128"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_AES128)
+	@echo "#define DROPBEAR_AES128 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling aes128"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_AES128)
+	@echo "#define DROPBEAR_AES128 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 ifdef PTXCONF_DROPBEAR_3DES
 	@echo "ptxdist: enabling 3des"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_3DES)
+	@echo "#define DROPBEAR_3DES 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling 3des"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_3DES)
+	@echo "#define DROPBEAR_3DES 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 ifdef PTXCONF_DROPBEAR_AES256
 	@echo "ptxdist: enabling aes256"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_AES256)
+	@echo "#define DROPBEAR_AES256 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling aes256"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_AES256)
+	@echo "#define DROPBEAR_AES256 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 ifdef PTXCONF_DROPBEAR_BLOWFISH
 	@echo "ptxdist: enabling blowfish"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_BLOWFISH)
+	@echo "#define DROPBEAR_BLOWFISH 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling blowfish"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_BLOWFISH)
+	@echo "#define DROPBEAR_BLOWFISH 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 ifdef PTXCONF_DROPBEAR_TWOFISH256
 	@echo "ptxdist: enabling twofish256"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH256)
+	@echo "#define DROPBEAR_TWOFISH256 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling twofish256"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH256)
+	@echo "#define DROPBEAR_TWOFISH256 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 ifdef PTXCONF_DROPBEAR_TWOFISH128
 	@echo "ptxdist: enabling twofish128"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH128)
+	@echo "#define DROPBEAR_TWOFISH128 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling twofish128"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH128)
+	@echo "#define DROPBEAR_TWOFISH128 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 ifdef PTXCONF_DROPBEAR_CBC_CIPHERS
 	@echo "ptxdist: enabling cbc ciphers"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CBC_MODE)
+	@echo "#define DROPBEAR_ENABLE_CBC_MODE 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling cbc ciphers"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CBC_MODE)
+	@echo "#define DROPBEAR_ENABLE_CBC_MODE 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
+
 ifdef PTXCONF_DROPBEAR_CTR_CIPHERS
 	@echo "ptxdist: enabling ctr ciphers"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CTR_MODE)
+	@echo "#define DROPBEAR_ENABLE_CTR_MODE 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling ctr ciphers"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CTR_MODE)
+	@echo "#define DROPBEAR_ENABLE_CTR_MODE 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 ifdef PTXCONF_DROPBEAR_SHA1
 	@echo "ptxdist: enabling sha1"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA1_HMAC)
+	@echo "#define DROPBEAR_SHA1_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling sha1"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA1_HMAC)
+	@echo "#define DROPBEAR_SHA1_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 ifdef PTXCONF_DROPBEAR_SHA1_96
 	@echo "ptxdist: enabling sha1-96"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA1_96_HMAC)
+	@echo "#define DROPBEAR_SHA1_96_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling sha1-96"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA1_96_HMAC)
+	@echo "#define DROPBEAR_SHA1_96_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 ifdef PTXCONF_DROPBEAR_SHA256
 	@echo "ptxdist: enabling sha256"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA2_256_HMAC)
+	@echo "#define DROPBEAR_SHA2_256_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling sha256"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA2_256_HMAC)
+	@echo "#define DROPBEAR_SHA2_256_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 ifdef PTXCONF_DROPBEAR_SHA512
 	@echo "ptxdist: enabling sha512"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA2_512_HMAC)
+	@echo "#define DROPBEAR_SHA2_512_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling sha512"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA2_512_HMAC)
+	@echo "#define DROPBEAR_SHA2_512_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 ifdef PTXCONF_DROPBEAR_MD5
 	@echo "ptxdist: enabling md5"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_MD5_HMAC)
+	@echo "WARNING: md5 is considered broken and is deactivated in upstream dropbear by default!"
+	@echo "#define DROPBEAR_MD5_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling md5"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_MD5_HMAC)
+	@echo "#define DROPBEAR_MD5_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 
 ifdef PTXCONF_DROPBEAR_RSA
 	@echo "ptxdist: enabling rsa"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_RSA)
+	@echo "#define DROPBEAR_RSA 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling rsa"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_RSA)
+	@echo "#define DROPBEAR_RSA 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 ifdef PTXCONF_DROPBEAR_DSS
 	@echo "ptxdist: enabling dss"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_DSS)
+	@echo "#define DROPBEAR_DSS 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling dss"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_DSS)
+	@echo "#define DROPBEAR_DSS 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 ifdef PTXCONF_DROPBEAR_ECDSA
 	@echo "ptxdist: enabling ecdsa"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDSA)
+	@echo "#define DROPBEAR_ECDSA 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling ecdsa"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDSA)
+	@echo "#define DROPBEAR_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 ifdef PTXCONF_DROPBEAR_ECDH
 	@echo "ptxdist: enabling ecdh"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDH)
+	@echo "#define DROPBEAR_ECDH 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling ecdh"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDH)
+	@echo "#define DROPBEAR_ECDH 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 ifdef PTXCONF_DROPBEAR_CURVE25519
 	@echo "ptxdist: enabling curve25519"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_CURVE25519)
+	@echo "#define DROPBEAR_CURVE25519 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling curve25519"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_CURVE25519)
+	@echo "#define DROPBEAR_CURVE25519 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
+
 ifdef PTXCONF_DROPBEAR_PASSWD
 	@echo "ptxdist: enabling passwd"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_PASSWORD_AUTH)
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_PASSWORD_AUTH)
+	@echo "#define DROPBEAR_SVR_PASSWORD_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS)
+	@echo "#define DROPBEAR_CLI_PASSWORD_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling passwd"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_PASSWORD_AUTH)
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_PASSWORD_AUTH)
+	@echo "#define DROPBEAR_SVR_PASSWORD_AUTH 0" >> $(DROPBEAR_LOCALOPTIONS)
+	@echo "#define DROPBEAR_CLI_PASSWORD_AUTH 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 ifdef PTXCONF_DROPBEAR_PUBKEY
 	@echo "ptxdist: enabling pubkey"
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_PUBKEY_AUTH)
-	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_PUBKEY_AUTH)
+	@echo "#define DROPBEAR_SVR_PUBKEY_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS)
+	@echo "#define DROPBEAR_CLI_PUBKEY_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS)
 else
 	@echo "ptxdist: disabling pubkey"
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_PUBKEY_AUTH)
-	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_PUBKEY_AUTH)
+	@echo "#define DROPBEAR_SVR_PUBKEY_AUTH 0" >> $(DROPBEAR_LOCALOPTIONS)
+	@echo "#define DROPBEAR_CLI_PUBKEY_AUTH 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
 	@$(call touch)
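Review bot: the md5 branch prints `WARNING: md5 is considered broken and is deactivated in upstream dropbear by default!` and then enables it anyway; since that line only appears in the build log, the warning would reach the person making the choice if it also lived in the help text of DROPBEAR_MD5 in rules/dropbear.in. Two smaller points: pinning every option to 0 or 1 in both branches is good, because the enabled algorithm set no longer depends on upstream defaults, but anything not emitted here (the "New key exchange options" from the commit message, for example) follows the upstream default silently and may change on the next bump, so a short comment listing what is intentionally left to upstream would help; and rewriting the header with `>` on every prepare run keeps the rule idempotent, which is the right choice over appending to an existing file.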
-- 
2.20.1
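The commit message explains that the rule now writes a `localoptions.h` and that every option name was compared against `default_options.h` and `sysoptions.h`. That comparison is the part worth automating: dropbear silently ignores a `#define` in `localoptions.h` whose name it does not know, so a stale pre-2018.76 name such as `ENABLE_X11FWD` leaves the upstream default in force while the build log claims the feature was disabled. The following is an added shell example, not part of the patch or of ptxdist; the header excerpts it writes are constructed stand-ins for dropbear's option headers, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the ptxdist patch): verify that every option a
# generated localoptions.h pins is one the dropbear option headers actually
# define. Unknown names are silently ignored by the build, so a rename like
# ENABLE_X11FWD -> DROPBEAR_X11FWD would otherwise go unnoticed.

# Constructed excerpt standing in for default_options.h / sysoptions.h.
write_known_options() {
    cat > "$1" <<'EOF'
#ifndef DROPBEAR_X11FWD
#define DROPBEAR_X11FWD 1
#endif
#define DROPBEAR_SVR_PASSWORD_AUTH 1
#define DROPBEAR_SVR_PUBKEY_AUTH 1
#define DROPBEAR_DSS 1
#define DROPBEAR_MD5_HMAC 0
EOF
}

# Constructed localoptions.h in the shape rules/dropbear.make now writes,
# with one stale pre-2018.76 macro name smuggled in on purpose.
write_localoptions() {
    cat > "$1" <<'EOF'
/* localoptions.h created by ptxdist */
#define DROPBEAR_X11FWD 0
#define ENABLE_SVR_PASSWORD_AUTH 0
#define DROPBEAR_DSS 0
EOF
}

# Extract the macro names defined by "#define NAME ..." lines of a header.
define_names() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]][[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\).*/\1/p' "$@"
}

# list_unknown_options LOCALOPTIONS KNOWN_HEADER...
# Prints each macro defined in LOCALOPTIONS that no KNOWN_HEADER defines;
# prints nothing when every name is recognised.
list_unknown_options() {
    local_h=$1
    shift
    known=$(define_names "$@" | sort -u)
    define_names "$local_h" | while read -r name; do
        printf '%s\n' "$known" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# check_localoptions LOCALOPTIONS KNOWN_HEADER...
# Returns 0 when all pinned options are known, 1 otherwise (listing them).
check_localoptions() {
    unknown=$(list_unknown_options "$@")
    if [ -n "$unknown" ]; then
        printf 'unknown dropbear option(s) in %s:\n%s\n' "$1" "$unknown" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo on the constructed files; fails because of the stale name.
demo() {
    tmp=$(mktemp -d)
    write_known_options "$tmp/default_options.h"
    write_localoptions "$tmp/localoptions.h"
    check_localoptions "$tmp/localoptions.h" "$tmp/default_options.h"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

[ "${1:-}" = "--demo" ] && demo
```

Run it as `sh check-localoptions.sh --demo` to see the stale `ENABLE_SVR_PASSWORD_AUTH` reported; against a real tree, call `check_localoptions` with the generated `localoptions.h` and the `default_options.h` and `sysoptions.h` from the extracted 2019.78 sources, for instance as an extra step in the prepare stage, so a version bump that renames or drops an option fails the build instead of silently changing what the image enables.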




* [ptxdist] [PATCH 3/3] dropbear: Disable default selection of DSS
  2020-03-11 13:24 [ptxdist] [PATCH 0/3] dropbear: Upgrade plus collected changes Alexander Dahl
  2020-03-11 13:24 ` [ptxdist] [PATCH 1/3] dropbear: Add license information Alexander Dahl
  2020-03-11 13:24 ` [ptxdist] [PATCH 2/3] dropbear: version bump 2017.75 -> 2019.78 Alexander Dahl
@ 2020-03-11 13:24 ` Alexander Dahl
  2020-03-27  9:52   ` [ptxdist] [3/3] " Michael Olbrich
  2 siblings, 1 reply; 7+ messages in thread
From: Alexander Dahl @ 2020-03-11 13:24 UTC (permalink / raw)
  To: ptxdist

While this might not be 100% conforming to the SSH standard (?), it is
common practice. DSA is considered weak [1] and e.g. OpenSSH deprecated
it with the 7.0 release back in 2015 [2].

dropbear states in its source: “DSS may be necessary to connect to some
systems though is not recommended for new keys”.

Furthermore, requiring both RSA _and_ DSS host keys increases the time to
generate keys a lot, making this unfortunate when bootstrapping embedded
targets.

[1] https://security.stackexchange.com/a/112818/43663
[2] https://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---

Notes:
    Consider this patch RFC, or just apply or drop it at will.

 rules/dropbear.in | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rules/dropbear.in b/rules/dropbear.in
index fa6f283f1..107a11caf 100644
--- a/rules/dropbear.in
+++ b/rules/dropbear.in
@@ -284,6 +284,7 @@ comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft
 config DROPBEAR_RSA
 	bool
 	prompt "rsa"
+	default y
 	help
 	  RSA was announced in 1978. The security of the RSA system
 	  is based upon the RSA Problem (RSAP). This problem is
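Review bot: `default y` on DROPBEAR_RSA is only a default, whereas the comment in the hunk header ("at least one required") states a hard constraint; nothing here stops a user from unselecting RSA with DSS now off as well. The `select DROPBEAR_RSA` that remains in the DROPBEAR_DROPBEAR entry (third hunk) covers the server build, so this default mainly matters for client-only or key-tool-only configurations, which is worth a sentence in the commit message.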
@@ -293,7 +294,6 @@ config DROPBEAR_RSA
 config DROPBEAR_DSS
 	bool
 	prompt "dss"
-	default y
 	help
 	  DSS stands for Digital Signature Standard.
 	  DSS employs the ElGamal and Schnorr PK systems to produce
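Review bot: dropping `default y` here (together with the removed `select` in the next hunk) means a fresh ptxconfig no longer builds DSS at all, which is the intent, but a BSP with an existing ptxconfig that already holds PTXCONF_DROPBEAR_DSS=y keeps that value through oldconfig, so the faster key generation and the smaller algorithm set only arrive for new configurations. Say so in the commit message, or point out that existing BSPs need to disable DSS explicitly to benefit.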
@@ -349,7 +349,6 @@ config DROPBEAR_DROPBEAR
 	default y
 	select DROPBEAR_DROPBEAR_KEY
 	select DROPBEAR_RSA
-	select DROPBEAR_DSS
 	select BUSYBOX_START_STOP_DAEMON if BUSYBOX
 	help
 	  Installs the dropbar server in /usr/sbin/dropbear on the target
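Review bot: with `select DROPBEAR_DSS` removed, the "at least one host key algorithm" requirement for the server is carried entirely by the remaining `select DROPBEAR_RSA`, which is fine; a server built from a new config will generate a single RSA host key, matching the bootstrapping argument in the commit message. Unrelated to this change but visible in the context line: the help text reads "dropbar" where "dropbear" is meant, a candidate for a follow-up typo fix.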
-- 
2.20.1




* Re: [ptxdist] [1/3] dropbear: Add license information
  2020-03-11 13:24 ` [ptxdist] [PATCH 1/3] dropbear: Add license information Alexander Dahl
@ 2020-03-27  9:52   ` Michael Olbrich
  0 siblings, 0 replies; 7+ messages in thread
From: Michael Olbrich @ 2020-03-27  9:52 UTC (permalink / raw)
  To: ptxdist; +Cc: Alexander Dahl

Thanks, applied.

Michael

[sent from post-receive hook]

On Fri, 27 Mar 2020 10:52:13 +0100, Alexander Dahl <ada@thorsis.com> wrote:
> The parts written for dropbear itself are MIT licensed, as are those
> imported from PuTTY. Some parts come from OpenSSH with BSD 2 clause,
> some parts are in the public domain. curve25519 parts from Google are
> BSD 3 clause licensed. Everything is explained in the file 'LICENSE'.
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> ---
> 
> Notes:
>     Changes since (implicit) v1:
>       - Added SSH-short as identifier for sshpty.[ch] (Roland Hieber)
>       - Added loginrec.c which contains the BSD-2-Clause text (Michael Olbrich)
> 
>  rules/dropbear.make | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/rules/dropbear.make b/rules/dropbear.make
> index 9b7173387..a3b867817 100644
> --- a/rules/dropbear.make
> +++ b/rules/dropbear.make
> @@ -23,6 +23,10 @@ DROPBEAR_SUFFIX		:= tar.bz2
>  DROPBEAR_URL		:= http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
>  DROPBEAR_SOURCE		:= $(SRCDIR)/$(DROPBEAR).$(DROPBEAR_SUFFIX)
>  DROPBEAR_DIR		:= $(BUILDDIR)/$(DROPBEAR)
> +DROPBEAR_LICENSE	:= MIT AND BSD-2-Clause AND BSD-3-Clause AND SSH-short
> +DROPBEAR_LICENSE_FILES	:= \
> +	file://LICENSE;md5=a5ec40cafba26fc4396d0b550f824e01 \
> +	file://loginrec.c;startline=1;endline=26;md5=0d785ee11fab1cead2c7fee9c35574f1
>  
>  # ----------------------------------------------------------------------------
>  # Prepare
> 



* Re: [ptxdist] [2/3] dropbear: version bump 2017.75 -> 2019.78
  2020-03-11 13:24 ` [ptxdist] [PATCH 2/3] dropbear: version bump 2017.75 -> 2019.78 Alexander Dahl
@ 2020-03-27  9:52   ` Michael Olbrich
  0 siblings, 0 replies; 7+ messages in thread
From: Michael Olbrich @ 2020-03-27  9:52 UTC (permalink / raw)
  To: ptxdist; +Cc: Alexander Dahl

Thanks, applied.

Michael

[sent from post-receive hook]

On Fri, 27 Mar 2020 10:52:14 +0100, Alexander Dahl <ada@thorsis.com> wrote:
> The major change with 2018.76 was in configuration, moving from editing
> 'options.h' to adding things to 'localoptions.h'. The latter file must
> be created in the extracted sources; a pragmatic approach was used to
> add the defines, as seen in the buildroot project.
> 
> All options were compared to 'default_options.h' and 'sysoptions.h' from
> the dropbear source. Not all options are in default_options, e.g. the
> deprecated md5 hmac. A warning for that one was added.
> 
> Various things were fixed and improved in dropbear; notable changes:
> 
> + 2019.78 / 2019.77
>   - Fix 2018.76 regressions
>   - Improve failure delay consistency
>   - Change handling of failed authentication to avoid disclosing valid
>     usernames, CVE-2018-15599.
> 
> + 2018.76
>   - Enable hardening build flags
>   - New key exchange options
>   - Improved DSS and RSA pubkey validation
>   - Fix null pointer crash on malformed keys
>   - Update curve25519-donna implementation
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> ---
> 
> Notes:
>     Just omitting --disable-fuzz wouldn't require that patch; it just pins down
>     what is the default anyway, but for that the patch is needed.
> 
>  .../0001-configure-Fix-disable-fuzz.patch     |  47 +++++++
>  patches/dropbear-2019.78/autogen.sh           |   1 +
>  patches/dropbear-2019.78/series               |   4 +
>  rules/dropbear.make                           | 129 ++++++++++--------
>  4 files changed, 121 insertions(+), 60 deletions(-)
>  create mode 100644 patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
>  create mode 120000 patches/dropbear-2019.78/autogen.sh
>  create mode 100644 patches/dropbear-2019.78/series
> 
> diff --git a/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch b/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
> new file mode 100644
> index 000000000..03aec183a
> --- /dev/null
> +++ b/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
> @@ -0,0 +1,47 @@
> +From: Alexander Dahl <ada@thorsis.com>
> +Date: Wed, 11 Mar 2020 10:50:45 +0100
> +Subject: [PATCH] configure: Fix --disable-fuzz
> +
> +When explicitly passing --disable-fuzz to ./configure fuzz was actually
> +enabled.
> +
> +Signed-off-by: Alexander Dahl <ada@thorsis.com>
> +---
> +
> +Notes:
> +    Sent upstream: https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2020q1/002202.html
> +
> + configure.ac | 17 ++++++++++++-----
> + 1 file changed, 12 insertions(+), 5 deletions(-)
> +
> +diff --git a/configure.ac b/configure.ac
> +index 7199d7cb2300..104d60cfaf53 100644
> +--- a/configure.ac
> ++++ b/configure.ac
> +@@ -326,14 +326,21 @@ AC_ARG_ENABLE(shadow,
> + AC_ARG_ENABLE(fuzz,
> + 	[  --enable-fuzz           Build fuzzing. Not recommended for deployment.],
> + 	[
> +-		AC_DEFINE(DROPBEAR_FUZZ, 1, Fuzzing)
> +-		AC_MSG_NOTICE(Enabling fuzzing)
> +-		DROPBEAR_FUZZ=1
> +-		# libfuzzer needs linking with c++ libraries
> +-		AC_PROG_CXX
> ++		if test "x$enableval" = "xyes"; then
> ++            AC_DEFINE(DROPBEAR_FUZZ, 1, Fuzzing)
> ++            AC_MSG_NOTICE(Enabling fuzzing)
> ++            DROPBEAR_FUZZ=1
> ++            # libfuzzer needs linking with c++ libraries
> ++            AC_PROG_CXX
> ++        else
> ++            AC_DEFINE(DROPBEAR_FUZZ, 0, Fuzzing)
> ++            AC_MSG_NOTICE(Disabling fuzzing)
> ++            DROPBEAR_FUZZ=0
> ++        fi
> + 	],
> + 	[
> + 		AC_DEFINE(DROPBEAR_FUZZ, 0, Fuzzing)
> ++		AC_MSG_NOTICE(Disabling fuzzing)
> + 		DROPBEAR_FUZZ=0
> + 	]
> + 
> diff --git a/patches/dropbear-2019.78/autogen.sh b/patches/dropbear-2019.78/autogen.sh
> new file mode 120000
> index 000000000..9f8a4cb7d
> --- /dev/null
> +++ b/patches/dropbear-2019.78/autogen.sh
> @@ -0,0 +1 @@
> +../autogen.sh
> \ No newline at end of file
> diff --git a/patches/dropbear-2019.78/series b/patches/dropbear-2019.78/series
> new file mode 100644
> index 000000000..3e5a5247e
> --- /dev/null
> +++ b/patches/dropbear-2019.78/series
> @@ -0,0 +1,4 @@
> +# generated by git-ptx-patches
> +#tag:base --start-number 1
> +0001-configure-Fix-disable-fuzz.patch
> +# c03ca050bdd0c61ac96e5bd22c9d0947  - git-ptx-patches magic
> diff --git a/rules/dropbear.make b/rules/dropbear.make
> index a3b867817..8d80ed295 100644
> --- a/rules/dropbear.make
> +++ b/rules/dropbear.make
> @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear
>  #
>  # Paths and names
>  #
> -DROPBEAR_VERSION	:= 2017.75
> -DROPBEAR_MD5		:= e57e9b9d25705dcb073ba15c416424fd
> +DROPBEAR_VERSION	:= 2019.78
> +DROPBEAR_MD5		:= a972c85ed678ad0fdcb7844e1294fb54
>  DROPBEAR		:= dropbear-$(DROPBEAR_VERSION)
>  DROPBEAR_SUFFIX		:= tar.bz2
>  DROPBEAR_URL		:= http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
> @@ -38,12 +38,14 @@ DROPBEAR_LICENSE_FILES	:= \
>  DROPBEAR_CONF_TOOL	:= autoconf
>  DROPBEAR_CONF_OPT 	:= \
>  	$(CROSS_AUTOCONF_USR) \
> +	--enable-harden \
>  	$(GLOBAL_LARGE_FILE_OPTION) \
>  	--$(call ptx/endis, PTXCONF_DROPBEAR_ZLIB)-zlib \
>  	--disable-pam \
>  	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_OPENPTY)-openpty \
>  	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_SYSLOG)-syslog \
>  	--enable-shadow \
> +	--disable-fuzz \
>  	--enable-bundled-libtom \
>  	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_LASTLOG)-lastlog \
>  	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_UTMP)-utmp \
> @@ -54,206 +56,213 @@ DROPBEAR_CONF_OPT 	:= \
>  	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_PUTUTLINE)-pututline \
>  	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_PUTUTXLINE)-pututxline
>  
> +DROPBEAR_LOCALOPTIONS	:= $(DROPBEAR_DIR)/localoptions.h
> +
>  $(STATEDIR)/dropbear.prepare:
>  	@$(call targetinfo)
>  	@$(call world/prepare, DROPBEAR)
>  
> +	@echo "/* localoptions.h created by ptxdist */" > $(DROPBEAR_LOCALOPTIONS)
> +
>  ifdef PTXCONF_DROPBEAR_DIS_X11
>  	@echo "ptxdist: disabling x11 forwarding"
> -	$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_X11FWD)
> +	@echo "#define DROPBEAR_X11FWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: enabling x11 forwarding"
> -	$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_X11FWD)
> +	@echo "#define DROPBEAR_X11FWD 1" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_DIS_TCP
>  	@echo "ptxdist: disabling tcp"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_LOCALTCPFWD)
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_REMOTETCPFWD)
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_LOCALTCPFWD)
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_REMOTETCPFWD)
> +	@echo "#define DROPBEAR_CLI_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
> +	@echo "#define DROPBEAR_CLI_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
> +	@echo "#define DROPBEAR_SVR_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
> +	@echo "#define DROPBEAR_SVR_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: enabling tcp"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_LOCALTCPFWD)
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_REMOTETCPFWD)
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_LOCALTCPFWD)
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_REMOTETCPFWD)
> +	@echo "#define DROPBEAR_CLI_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
> +	@echo "#define DROPBEAR_CLI_REMOTETCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
> +	@echo "#define DROPBEAR_SVR_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
> +	@echo "#define DROPBEAR_SVR_REMOTETCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_DIS_AGENT
>  	@echo "ptxdist: disabling agent"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_AGENTFWD)
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_AGENTFWD)
> +	@echo "#define DROPBEAR_SVR_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
> +	@echo "#define DROPBEAR_CLI_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: enabling agent"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_AGENTFWD)
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_AGENTFWD)
> +	@echo "#define DROPBEAR_SVR_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
> +	@echo "#define DROPBEAR_CLI_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  
>  ifdef PTXCONF_DROPBEAR_AES128
>  	@echo "ptxdist: enabling aes128"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_AES128)
> +	@echo "#define DROPBEAR_AES128 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling aes128"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_AES128)
> +	@echo "#define DROPBEAR_AES128 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_3DES
>  	@echo "ptxdist: enabling 3des"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_3DES)
> +	@echo "#define DROPBEAR_3DES 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling 3des"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_3DES)
> +	@echo "#define DROPBEAR_3DES 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_AES256
>  	@echo "ptxdist: enabling aes256"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_AES256)
> +	@echo "#define DROPBEAR_AES256 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling aes256"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_AES256)
> +	@echo "#define DROPBEAR_AES256 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_BLOWFISH
>  	@echo "ptxdist: enabling blowfish"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_BLOWFISH)
> +	@echo "#define DROPBEAR_BLOWFISH 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling blowfish"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_BLOWFISH)
> +	@echo "#define DROPBEAR_BLOWFISH 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_TWOFISH256
>  	@echo "ptxdist: enabling twofish256"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH256)
> +	@echo "#define DROPBEAR_TWOFISH256 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling twofish256"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH256)
> +	@echo "#define DROPBEAR_TWOFISH256 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_TWOFISH128
>  	@echo "ptxdist: enabling twofish128"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH128)
> +	@echo "#define DROPBEAR_TWOFISH128 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling twofish128"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH128)
> +	@echo "#define DROPBEAR_TWOFISH128 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_CBC_CIPHERS
>  	@echo "ptxdist: enabling cbc ciphers"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CBC_MODE)
> +	@echo "#define DROPBEAR_ENABLE_CBC_MODE 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling cbc ciphers"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CBC_MODE)
> +	@echo "#define DROPBEAR_ENABLE_CBC_MODE 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> +
>  ifdef PTXCONF_DROPBEAR_CTR_CIPHERS
>  	@echo "ptxdist: enabling ctr ciphers"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CTR_MODE)
> +	@echo "#define DROPBEAR_ENABLE_CTR_MODE 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling ctr ciphers"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CTR_MODE)
> +	@echo "#define DROPBEAR_ENABLE_CTR_MODE 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_SHA1
>  	@echo "ptxdist: enabling sha1"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA1_HMAC)
> +	@echo "#define DROPBEAR_SHA1_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling sha1"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA1_HMAC)
> +	@echo "#define DROPBEAR_SHA1_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_SHA1_96
>  	@echo "ptxdist: enabling sha1-96"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA1_96_HMAC)
> +	@echo "#define DROPBEAR_SHA1_96_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling sha1-96"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA1_96_HMAC)
> +	@echo "#define DROPBEAR_SHA1_96_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_SHA256
>  	@echo "ptxdist: enabling sha256"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA2_256_HMAC)
> +	@echo "#define DROPBEAR_SHA2_256_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling sha256"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA2_256_HMAC)
> +	@echo "#define DROPBEAR_SHA2_256_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_SHA512
>  	@echo "ptxdist: enabling sha512"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA2_512_HMAC)
> +	@echo "#define DROPBEAR_SHA2_512_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling sha512"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA2_512_HMAC)
> +	@echo "#define DROPBEAR_SHA2_512_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_MD5
>  	@echo "ptxdist: enabling md5"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_MD5_HMAC)
> +	@echo "WARNING: md5 is considered broken and is deactivated in upstream dropbear by default!"
> +	@echo "#define DROPBEAR_MD5_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling md5"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_MD5_HMAC)
> +	@echo "#define DROPBEAR_MD5_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  
>  ifdef PTXCONF_DROPBEAR_RSA
>  	@echo "ptxdist: enabling rsa"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_RSA)
> +	@echo "#define DROPBEAR_RSA 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling rsa"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_RSA)
> +	@echo "#define DROPBEAR_RSA 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_DSS
>  	@echo "ptxdist: enabling dss"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_DSS)
> +	@echo "#define DROPBEAR_DSS 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling dss"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_DSS)
> +	@echo "#define DROPBEAR_DSS 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_ECDSA
>  	@echo "ptxdist: enabling ecdsa"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDSA)
> +	@echo "#define DROPBEAR_ECDSA 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling ecdsa"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDSA)
> +	@echo "#define DROPBEAR_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_ECDH
>  	@echo "ptxdist: enabling ecdh"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDH)
> +	@echo "#define DROPBEAR_ECDH 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling ecdh"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDH)
> +	@echo "#define DROPBEAR_ECDH 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_CURVE25519
>  	@echo "ptxdist: enabling curve25519"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_CURVE25519)
> +	@echo "#define DROPBEAR_CURVE25519 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling curve25519"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_CURVE25519)
> +	@echo "#define DROPBEAR_CURVE25519 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> +
>  ifdef PTXCONF_DROPBEAR_PASSWD
>  	@echo "ptxdist: enabling passwd"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_PASSWORD_AUTH)
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_PASSWORD_AUTH)
> +	@echo "#define DROPBEAR_SVR_PASSWORD_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS)
> +	@echo "#define DROPBEAR_CLI_PASSWORD_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling passwd"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_PASSWORD_AUTH)
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_PASSWORD_AUTH)
> +	@echo "#define DROPBEAR_SVR_PASSWORD_AUTH 0" >> $(DROPBEAR_LOCALOPTIONS)
> +	@echo "#define DROPBEAR_CLI_PASSWORD_AUTH 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_PUBKEY
>  	@echo "ptxdist: enabling pubkey"
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_PUBKEY_AUTH)
> -	@$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_PUBKEY_AUTH)
> +	@echo "#define DROPBEAR_SVR_PUBKEY_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS)
> +	@echo "#define DROPBEAR_CLI_PUBKEY_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS)
>  else
>  	@echo "ptxdist: disabling pubkey"
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_PUBKEY_AUTH)
> -	@$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_PUBKEY_AUTH)
> +	@echo "#define DROPBEAR_SVR_PUBKEY_AUTH 0" >> $(DROPBEAR_LOCALOPTIONS)
> +	@echo "#define DROPBEAR_CLI_PUBKEY_AUTH 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
>  	@$(call touch)
> 
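Review bot: the list of `#define`s written to localoptions.h is carried over one-to-one from the option names used with 2017.75, so before this lands the ptxdist menu should be reconciled with the default_options.h shipped in 2019.78: if upstream has dropped any of these options since 2017.75, the corresponding `#define` is silently ignored and the menu offers a cipher or MAC that no longer exists, and anything upstream added in between is not reachable from the menu and stays at the upstream default; both cases belong in the commit message. Two smaller points: the hunk adds two more empty lines (before the CTR and PASSWD blocks) on top of the double blank lines already present before the AES128 and RSA blocks, where one blank line between blocks would do; and the md5 branch now prints a WARNING on every build, which is fine, but the same note belongs in the dropbear.in help text where the user actually makes that choice.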


* Re: [ptxdist] [3/3] dropbear: Disable default selection of DSS
  2020-03-11 13:24 ` [ptxdist] [PATCH 3/3] dropbear: Disable default selection of DSS Alexander Dahl
@ 2020-03-27  9:52   ` Michael Olbrich
  0 siblings, 0 replies; 7+ messages in thread
From: Michael Olbrich @ 2020-03-27  9:52 UTC (permalink / raw)
  To: ptxdist; +Cc: Alexander Dahl

Thanks, applied.

Michael

[sent from post-receive hook]

On Fri, 27 Mar 2020 10:52:15 +0100, Alexander Dahl <ada@thorsis.com> wrote:
> While this might not be 100% conforming to the ssh standard (?), it is
> common practice.  DSA is considered weak [1] and e.g. OpenSSH deprecated
> it with the 7.0 release back in 2015 [2].
> 
> dropbear states in its source: “DSS may be necessary to connect to some
> systems though is not recommended for new keys”.
> 
> Furthermore: requiring both RSA _and_ DSS host keys increases the time to
> generate keys a lot, making this unfortunate when bootstrapping embedded
> targets.
> 
> [1] https://security.stackexchange.com/a/112818/43663
> [2] https://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> ---
> 
> Notes:
>     Consider this patch RFC, or just apply or drop it at will.
> 
>  rules/dropbear.in | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/rules/dropbear.in b/rules/dropbear.in
> index fa6f283f1..107a11caf 100644
> --- a/rules/dropbear.in
> +++ b/rules/dropbear.in
> @@ -284,6 +284,7 @@ comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft
>  config DROPBEAR_RSA
>  	bool
>  	prompt "rsa"
> +	default y
>  	help
>  	  RSA was announced in 1978. The security of the RSA system
>  	  is based upon the RSA Problem (RSAP). This problem is
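Review bot: the new `default y` on DROPBEAR_RSA is not mentioned in the commit message, which only talks about DSS; since DROPBEAR_DROPBEAR already `select`s DROPBEAR_RSA (third hunk), this default only changes anything for configurations without the server, e.g. client-only builds, and the message should state that this is intended so that such builds keep at least one host-key algorithm, as the "at least one required" comment this hunk sits under demands.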
> @@ -293,7 +294,6 @@ config DROPBEAR_RSA
>  config DROPBEAR_DSS
>  	bool
>  	prompt "dss"
> -	default y
>  	help
>  	  DSS stands for Digital Signature Standard.
>  	  DSS employs the ElGamal and Schnorr PK systems to produce
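Review bot: with the default dropped, the DSS help text still reads as a neutral description of the algorithm; the upstream wording the commit message quotes ("not recommended for new keys", may be needed to reach some old peers) should go into the help text, so the reason for the changed default is visible in menuconfig and not only in the git history.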
> @@ -349,7 +349,6 @@ config DROPBEAR_DROPBEAR
>  	default y
>  	select DROPBEAR_DROPBEAR_KEY
>  	select DROPBEAR_RSA
> -	select DROPBEAR_DSS
>  	select BUSYBOX_START_STOP_DAEMON if BUSYBOX
>  	help
>  	  Installs the dropbar server in /usr/sbin/dropbear on the target
> 
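Review bot: dropping `select DROPBEAR_DSS` only affects fresh configurations: a ptxconfig that already carries PTXCONF_DROPBEAR_DSS=y keeps it when the config is refreshed, because the symbol still has a prompt and its stored value, so existing BSPs will not see the faster key generation the commit message promises unless they switch DSS off by hand; that is worth a sentence in the commit message. The context lines also show a typo in the help text, "dropbar server", that could be fixed in passing.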

Thread overview: 7+ messages
2020-03-11 13:24 [ptxdist] [PATCH 0/3] dropbear: Upgrade plus collected changes Alexander Dahl
2020-03-11 13:24 ` [ptxdist] [PATCH 1/3] dropbear: Add license information Alexander Dahl
2020-03-27  9:52   ` [ptxdist] [1/3] " Michael Olbrich
2020-03-11 13:24 ` [ptxdist] [PATCH 2/3] dropbear: version bump 2017.75 -> 2019.78 Alexander Dahl
2020-03-27  9:52   ` [ptxdist] [2/3] " Michael Olbrich
2020-03-11 13:24 ` [ptxdist] [PATCH 3/3] dropbear: Disable default selection of DSS Alexander Dahl
2020-03-27  9:52   ` [ptxdist] [3/3] " Michael Olbrich
