* [ptxdist] [PATCH 0/3] dropbear: Upgrade plus collected changes

From: Alexander Dahl
Date: 2020-03-11 13:24 UTC
To: ptxdist

Hei hei,

The main incentive of this patch series is the version bump in the second patch; I have pushed that along with me for quite a while, but got time for it now. I had to patch the configure.ac to pin down the 'fuzz' option and sent that upstream, but got no feedback yet.

The license issue covers the remarks from Michael Olbrich from last year and the feedback from Roland Hieber from this week, thanks guys.

The third patch on whether a DSA key should be on by default is something we changed in our own BSPs and have carried for quite a while now; you might like that or just drop it.

Greets
Alex

Alexander Dahl (3):
  dropbear: Add license information
  dropbear: version bump 2017.75 -> 2019.78
  dropbear: Disable default selection of DSS

 .../0001-configure-Fix-disable-fuzz.patch |  47 +++++++
 patches/dropbear-2019.78/autogen.sh       |   1 +
 patches/dropbear-2019.78/series           |   4 +
 rules/dropbear.in                         |   3 +-
 rules/dropbear.make                       | 133 ++++++++++--------
 5 files changed, 126 insertions(+), 62 deletions(-)
 create mode 100644 patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
 create mode 120000 patches/dropbear-2019.78/autogen.sh
 create mode 100644 patches/dropbear-2019.78/series

-- 
2.20.1

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
* [ptxdist] [PATCH 1/3] dropbear: Add license information 2020-03-11 13:24 [ptxdist] [PATCH 0/3] dropbear: Upgrade plus collected changes Alexander Dahl @ 2020-03-11 13:24 ` Alexander Dahl 2020-03-27 9:52 ` [ptxdist] [1/3] " Michael Olbrich 2020-03-11 13:24 ` [ptxdist] [PATCH 2/3] dropbear: version bump 2017.75 -> 2019.78 Alexander Dahl 2020-03-11 13:24 ` [ptxdist] [PATCH 3/3] dropbear: Disable default selection of DSS Alexander Dahl 2 siblings, 1 reply; 7+ messages in thread From: Alexander Dahl @ 2020-03-11 13:24 UTC (permalink / raw) To: ptxdist The parts written for dropbear itself are MIT licensed, as are those imported from PuTTY. Some parts come from OpenSSH with BSD 2 clause, some parts are in the public domain. curve25519 parts from Google are BSD 3 clause licensed. Everything is explained in the file 'LICENSE'. Signed-off-by: Alexander Dahl <ada@thorsis.com> --- Notes: Changes since (implicit) v1: - Added SSH-short as identifier for sshpty.[ch] (Roland Hieber) - Added loginrec.c which contains the BSD-2-Clause text (Michael Olbrich) rules/dropbear.make | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/dropbear.make b/rules/dropbear.make index 9b7173387..a3b867817 100644 --- a/rules/dropbear.make +++ b/rules/dropbear.make @@ -23,6 +23,10 @@ DROPBEAR_SUFFIX := tar.bz2 DROPBEAR_URL := http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX) DROPBEAR_SOURCE := $(SRCDIR)/$(DROPBEAR).$(DROPBEAR_SUFFIX) DROPBEAR_DIR := $(BUILDDIR)/$(DROPBEAR) +DROPBEAR_LICENSE := MIT AND BSD-2-Clause AND BSD-3-Clause AND SSH-short +DROPBEAR_LICENSE_FILES := \ + file://LICENSE;md5=a5ec40cafba26fc4396d0b550f824e01 \ + file://loginrec.c;startline=1;endline=26;md5=0d785ee11fab1cead2c7fee9c35574f1 # ---------------------------------------------------------------------------- # Prepare -- 2.20.1 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de ^ permalink raw reply [flat|nested] 7+ messages in thread
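Review bot: the new DROPBEAR_LICENSE expression lists MIT, BSD-2-Clause, BSD-3-Clause and SSH-short, but the commit message also says some parts are in the public domain; either add a matching identifier to the expression or say in the message why it is left out. Pinning both `file://LICENSE;md5=...` and the `loginrec.c` header range (`startline=1;endline=26`) by md5 is the right way to notice upstream license changes, but note that these hashes are taken from the 2017.75 tree this rule still builds, and patch 2/3 bumps to 2019.78 without touching DROPBEAR_LICENSE_FILES, so confirm both files are byte-identical in the 2019.78 tarball before the series is applied together.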
* Re: [ptxdist] [1/3] dropbear: Add license information 2020-03-11 13:24 ` [ptxdist] [PATCH 1/3] dropbear: Add license information Alexander Dahl @ 2020-03-27 9:52 ` Michael Olbrich 0 siblings, 0 replies; 7+ messages in thread From: Michael Olbrich @ 2020-03-27 9:52 UTC (permalink / raw) To: ptxdist; +Cc: Alexander Dahl Thanks, applied. Michael [sent from post-receive hook] On Fri, 27 Mar 2020 10:52:13 +0100, Alexander Dahl <ada@thorsis.com> wrote: > The parts written for dropbear itself are MIT licensed, as are those > imported from PuTTY. Some parts come from OpenSSH with BSD 2 clause, > some parts are in the public domain. curve25519 parts from Google are > BSD 3 clause licensed. Everything is explained in the file 'LICENSE'. > > Signed-off-by: Alexander Dahl <ada@thorsis.com> > --- > > Notes: > Changes since (implicit) v1: > - Added SSH-short as identifier for sshpty.[ch] (Roland Hieber) > - Added loginrec.c which contains the BSD-2-Clause text (Michael Olbrich) > > rules/dropbear.make | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/rules/dropbear.make b/rules/dropbear.make > index 9b7173387..a3b867817 100644 > --- a/rules/dropbear.make > +++ b/rules/dropbear.make > @@ -23,6 +23,10 @@ DROPBEAR_SUFFIX := tar.bz2 > DROPBEAR_URL := http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX) > DROPBEAR_SOURCE := $(SRCDIR)/$(DROPBEAR).$(DROPBEAR_SUFFIX) > DROPBEAR_DIR := $(BUILDDIR)/$(DROPBEAR) > +DROPBEAR_LICENSE := MIT AND BSD-2-Clause AND BSD-3-Clause AND SSH-short > +DROPBEAR_LICENSE_FILES := \ > + file://LICENSE;md5=a5ec40cafba26fc4396d0b550f824e01 \ > + file://loginrec.c;startline=1;endline=26;md5=0d785ee11fab1cead2c7fee9c35574f1 > > # ---------------------------------------------------------------------------- > # Prepare > _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de ^ permalink raw reply [flat|nested] 7+ messages in thread
* [ptxdist] [PATCH 2/3] dropbear: version bump 2017.75 -> 2019.78

From: Alexander Dahl
Date: 2020-03-11 13:24 UTC
To: ptxdist

The major change with 2018.76 was in configuration, moving from editing 'options.h' to adding things to 'localoptions.h'. The latter file must be created in the extracted sources; a pragmatic approach was used to add the defines, as seen in the buildroot project.

All options were compared to 'default_options.h' and 'sysoptions.h' from the dropbear source. Not all options are in default_options, e.g. the deprecated md5 hmac. A warning for that one was added.

Various things were fixed and improved in dropbear; notable changes:

+ 2019.78 / 2019.77
  - Fix 2018.76 regressions
  - Improve failure delay consistency
  - Change handling of failed authentication to avoid disclosing valid usernames, CVE-2018-15599.

+ 2018.76
  - Enable hardening build flags
  - New key exchange options
  - Improved DSS and RSA pubkey validation
  - Fix null pointer crash on malformed keys
  - Update curve25519-donna implementation
Signed-off-by: Alexander Dahl <ada@thorsis.com> --- Notes: Just omitting --disable-fuzz wouldn't require that patch, it just pins down what is the default anyway, but for that the patch is needed. .../0001-configure-Fix-disable-fuzz.patch | 47 +++++++ patches/dropbear-2019.78/autogen.sh | 1 + patches/dropbear-2019.78/series | 4 + rules/dropbear.make | 129 ++++++++++-------- 4 files changed, 121 insertions(+), 60 deletions(-) create mode 100644 patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch create mode 120000 patches/dropbear-2019.78/autogen.sh create mode 100644 patches/dropbear-2019.78/series diff --git a/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch b/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch new file mode 100644 index 000000000..03aec183a --- /dev/null +++ b/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch 
@@ -0,0 +1,47 @@ +From: Alexander Dahl <ada@thorsis.com> +Date: Wed, 11 Mar 2020 10:50:45 +0100 +Subject: [PATCH] configure: Fix --disable-fuzz + +When explicitly passing --disable-fuzz to ./configure fuzz was actually +enabled. + +Signed-off-by: Alexander Dahl <ada@thorsis.com> +--- + +Notes: + Sent upstream: https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2020q1/002202.html + + configure.ac | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 7199d7cb2300..104d60cfaf53 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -326,14 +326,21 @@ AC_ARG_ENABLE(shadow, + AC_ARG_ENABLE(fuzz, + [ --enable-fuzz Build fuzzing. Not recommended for deployment.], + [ +- AC_DEFINE(DROPBEAR_FUZZ, 1, Fuzzing) +- AC_MSG_NOTICE(Enabling fuzzing) +- DROPBEAR_FUZZ=1 +- # libfuzzer needs linking with c++ libraries +- AC_PROG_CXX ++ if test "x$enableval" = "xyes"; then ++ AC_DEFINE(DROPBEAR_FUZZ, 1, Fuzzing) ++ AC_MSG_NOTICE(Enabling fuzzing) ++ DROPBEAR_FUZZ=1 ++ # libfuzzer needs linking with c++ libraries ++ AC_PROG_CXX ++ else ++ AC_DEFINE(DROPBEAR_FUZZ, 0, Fuzzing) ++ AC_MSG_NOTICE(Disabling fuzzing) ++ DROPBEAR_FUZZ=0 ++ fi + ], + [ + AC_DEFINE(DROPBEAR_FUZZ, 0, Fuzzing) ++ AC_MSG_NOTICE(Disabling fuzzing) + DROPBEAR_FUZZ=0 + ] + diff --git a/patches/dropbear-2019.78/autogen.sh b/patches/dropbear-2019.78/autogen.sh new file mode 120000 index 000000000..9f8a4cb7d --- /dev/null +++ b/patches/dropbear-2019.78/autogen.sh @@ -0,0 +1 @@ +../autogen.sh \ No newline at end of file diff --git a/patches/dropbear-2019.78/series b/patches/dropbear-2019.78/series new file mode 100644 index 000000000..3e5a5247e --- /dev/null +++ b/patches/dropbear-2019.78/series @@ -0,0 +1,4 @@ +# generated by git-ptx-patches +#tag:base --start-number 1 +0001-configure-Fix-disable-fuzz.patch +# c03ca050bdd0c61ac96e5bd22c9d0947 - git-ptx-patches magic diff --git a/rules/dropbear.make b/rules/dropbear.make index a3b867817..8d80ed295 100644 
--- a/rules/dropbear.make +++ b/rules/dropbear.make @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear # # Paths and names # -DROPBEAR_VERSION := 2017.75 -DROPBEAR_MD5 := e57e9b9d25705dcb073ba15c416424fd +DROPBEAR_VERSION := 2019.78 +DROPBEAR_MD5 := a972c85ed678ad0fdcb7844e1294fb54 DROPBEAR := dropbear-$(DROPBEAR_VERSION) DROPBEAR_SUFFIX := tar.bz2 DROPBEAR_URL := http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX) @@ -38,12 +38,14 @@ DROPBEAR_LICENSE_FILES := \ DROPBEAR_CONF_TOOL := autoconf DROPBEAR_CONF_OPT := \ $(CROSS_AUTOCONF_USR) \ + --enable-harden \ $(GLOBAL_LARGE_FILE_OPTION) \ --$(call ptx/endis, PTXCONF_DROPBEAR_ZLIB)-zlib \ --disable-pam \ --$(call ptx/disen, PTXCONF_DROPBEAR_DIS_OPENPTY)-openpty \ --$(call ptx/disen, PTXCONF_DROPBEAR_DIS_SYSLOG)-syslog \ --enable-shadow \ + --disable-fuzz \ --enable-bundled-libtom \ --$(call ptx/disen, PTXCONF_DROPBEAR_DIS_LASTLOG)-lastlog \ --$(call ptx/disen, PTXCONF_DROPBEAR_DIS_UTMP)-utmp \ 
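Review bot: `--enable-harden` in the DROPBEAR_CONF_OPT hunk is added unconditionally, which matches the 2018.76 changelog entry "Enable hardening build flags" and is the right default for a network-facing daemon, but a sentence in the commit message on what it turns on (and that it does not clash with ptxdist's own CFLAGS) would help whoever bumps the version next. `--disable-fuzz` only has the intended effect together with the bundled configure.ac patch, as the notes under the sign-off say, so the two should be dropped together once upstream merges the fix. For the version hunk on the same line (extraction ran the two hunks together): DROPBEAR_MD5 is updated, yet the DROPBEAR_URL context line still fetches over plain http, so that md5 is the only integrity check on the tarball; if upstream serves the releases over https, switching the URL while bumping is a cheap improvement.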
@@ -54,206 +56,213 @@ DROPBEAR_CONF_OPT := \ --$(call ptx/disen, PTXCONF_DROPBEAR_DIS_PUTUTLINE)-pututline \ --$(call ptx/disen, PTXCONF_DROPBEAR_DIS_PUTUTXLINE)-pututxline +DROPBEAR_LOCALOPTIONS := $(DROPBEAR_DIR)/localoptions.h + $(STATEDIR)/dropbear.prepare: @$(call targetinfo) @$(call world/prepare, DROPBEAR) + @echo "/* localoptions.h created by ptxdist */" > $(DROPBEAR_LOCALOPTIONS) + ifdef PTXCONF_DROPBEAR_DIS_X11 @echo "ptxdist: disabling x11 forwarding" - $(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_X11FWD) + @echo "#define DROPBEAR_X11FWD 0" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: enabling x11 forwarding" - $(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_X11FWD) + @echo "#define DROPBEAR_X11FWD 1" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_DIS_TCP @echo "ptxdist: disabling tcp" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_LOCALTCPFWD) - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_REMOTETCPFWD) - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_LOCALTCPFWD) - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_REMOTETCPFWD) + @echo "#define DROPBEAR_CLI_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) + @echo "#define DROPBEAR_CLI_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) + @echo "#define DROPBEAR_SVR_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) + @echo "#define DROPBEAR_SVR_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: enabling tcp" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_LOCALTCPFWD) - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_REMOTETCPFWD) - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_LOCALTCPFWD) - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_REMOTETCPFWD) + @echo "#define DROPBEAR_CLI_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS) + @echo "#define DROPBEAR_CLI_REMOTETCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS) + @echo "#define DROPBEAR_SVR_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS) + @echo "#define DROPBEAR_SVR_REMOTETCPFWD 1" >> 
$(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_DIS_AGENT @echo "ptxdist: disabling agent" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_AGENTFWD) - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_AGENTFWD) + @echo "#define DROPBEAR_SVR_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS) + @echo "#define DROPBEAR_CLI_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: enabling agent" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_AGENTFWD) - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_AGENTFWD) + @echo "#define DROPBEAR_SVR_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS) + @echo "#define DROPBEAR_CLI_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_AES128 @echo "ptxdist: enabling aes128" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_AES128) + @echo "#define DROPBEAR_AES128 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling aes128" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_AES128) + @echo "#define DROPBEAR_AES128 0" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_3DES @echo "ptxdist: enabling 3des" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_3DES) + @echo "#define DROPBEAR_3DES 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling 3des" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_3DES) + @echo "#define DROPBEAR_3DES 0" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_AES256 @echo "ptxdist: enabling aes256" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_AES256) + @echo "#define DROPBEAR_AES256 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling aes256" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_AES256) + @echo "#define DROPBEAR_AES256 0" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_BLOWFISH @echo "ptxdist: enabling blowfish" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_BLOWFISH) + @echo "#define DROPBEAR_BLOWFISH 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling 
blowfish" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_BLOWFISH) + @echo "#define DROPBEAR_BLOWFISH 0" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_TWOFISH256 @echo "ptxdist: enabling twofish256" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH256) + @echo "#define DROPBEAR_TWOFISH256 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling twofish256" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH256) + @echo "#define DROPBEAR_TWOFISH256 0" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_TWOFISH128 @echo "ptxdist: enabling twofish128" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH128) + @echo "#define DROPBEAR_TWOFISH128 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling twofish128" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH128) + @echo "#define DROPBEAR_TWOFISH128 0" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_CBC_CIPHERS @echo "ptxdist: enabling cbc ciphers" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CBC_MODE) + @echo "#define DROPBEAR_ENABLE_CBC_MODE 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling cbc ciphers" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CBC_MODE) + @echo "#define DROPBEAR_ENABLE_CBC_MODE 0" >> $(DROPBEAR_LOCALOPTIONS) endif + ifdef PTXCONF_DROPBEAR_CTR_CIPHERS @echo "ptxdist: enabling ctr ciphers" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CTR_MODE) + @echo "#define DROPBEAR_ENABLE_CTR_MODE 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling ctr ciphers" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CTR_MODE) + @echo "#define DROPBEAR_ENABLE_CTR_MODE 0" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_SHA1 @echo "ptxdist: enabling sha1" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA1_HMAC) + @echo "#define DROPBEAR_SHA1_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling sha1" - @$(call 
disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA1_HMAC) + @echo "#define DROPBEAR_SHA1_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_SHA1_96 @echo "ptxdist: enabling sha1-96" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA1_96_HMAC) + @echo "#define DROPBEAR_SHA1_96_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling sha1-96" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA1_96_HMAC) + @echo "#define DROPBEAR_SHA1_96_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_SHA256 @echo "ptxdist: enabling sha256" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA2_256_HMAC) + @echo "#define DROPBEAR_SHA2_256_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling sha256" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA2_256_HMAC) + @echo "#define DROPBEAR_SHA2_256_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_SHA512 @echo "ptxdist: enabling sha512" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA2_512_HMAC) + @echo "#define DROPBEAR_SHA2_512_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling sha512" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA2_512_HMAC) + @echo "#define DROPBEAR_SHA2_512_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_MD5 @echo "ptxdist: enabling md5" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_MD5_HMAC) + @echo "WARNING: md5 is considered broken and is deactivated in upstream dropbear by default!" 
+ @echo "#define DROPBEAR_MD5_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling md5" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_MD5_HMAC) + @echo "#define DROPBEAR_MD5_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_RSA @echo "ptxdist: enabling rsa" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_RSA) + @echo "#define DROPBEAR_RSA 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling rsa" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_RSA) + @echo "#define DROPBEAR_RSA 0" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_DSS @echo "ptxdist: enabling dss" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_DSS) + @echo "#define DROPBEAR_DSS 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling dss" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_DSS) + @echo "#define DROPBEAR_DSS 0" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_ECDSA @echo "ptxdist: enabling ecdsa" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDSA) + @echo "#define DROPBEAR_ECDSA 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling ecdsa" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDSA) + @echo "#define DROPBEAR_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_ECDH @echo "ptxdist: enabling ecdh" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDH) + @echo "#define DROPBEAR_ECDH 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling ecdh" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDH) + @echo "#define DROPBEAR_ECDH 0" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_CURVE25519 @echo "ptxdist: enabling curve25519" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_CURVE25519) + @echo "#define DROPBEAR_CURVE25519 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling curve25519" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_CURVE25519) + @echo "#define DROPBEAR_CURVE25519 0" >> 
$(DROPBEAR_LOCALOPTIONS) endif + ifdef PTXCONF_DROPBEAR_PASSWD @echo "ptxdist: enabling passwd" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_PASSWORD_AUTH) - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_PASSWORD_AUTH) + @echo "#define DROPBEAR_SVR_PASSWORD_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS) + @echo "#define DROPBEAR_CLI_PASSWORD_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling passwd" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_PASSWORD_AUTH) - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_PASSWORD_AUTH) + @echo "#define DROPBEAR_SVR_PASSWORD_AUTH 0" >> $(DROPBEAR_LOCALOPTIONS) + @echo "#define DROPBEAR_CLI_PASSWORD_AUTH 0" >> $(DROPBEAR_LOCALOPTIONS) endif ifdef PTXCONF_DROPBEAR_PUBKEY @echo "ptxdist: enabling pubkey" - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_PUBKEY_AUTH) - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_PUBKEY_AUTH) + @echo "#define DROPBEAR_SVR_PUBKEY_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS) + @echo "#define DROPBEAR_CLI_PUBKEY_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS) else @echo "ptxdist: disabling pubkey" - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_PUBKEY_AUTH) - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_PUBKEY_AUTH) + @echo "#define DROPBEAR_SVR_PUBKEY_AUTH 0" >> $(DROPBEAR_LOCALOPTIONS) + @echo "#define DROPBEAR_CLI_PUBKEY_AUTH 0" >> $(DROPBEAR_LOCALOPTIONS) endif @$(call touch) -- 2.20.1 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de ^ permalink raw reply [flat|nested] 7+ messages in thread
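Review bot: in the bundled `0001-configure-Fix-disable-fuzz.patch`, the new `if test "x$enableval" = "xyes"` branch does make `--disable-fuzz` take the disabling path, which is the stated goal, but it now duplicates the three lines of the action-if-not-given branch (`AC_DEFINE(DROPBEAR_FUZZ, 0, Fuzzing)`, `AC_MSG_NOTICE(Disabling fuzzing)`, `DROPBEAR_FUZZ=0`); the usual autoconf idiom is to give AC_ARG_ENABLE a default via `[enable_fuzz=no]` in the not-given action and test `$enable_fuzz` once after the macro, which removes the duplication and is easier to get accepted upstream. Since the upstream thread linked in the notes has no reply yet, carrying the patch under `patches/dropbear-2019.78/` is fine.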
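Review bot: in the localoptions hunk, the first write `@echo "/* localoptions.h created by ptxdist */" > $(DROPBEAR_LOCALOPTIONS)` is what keeps the prepare stage idempotent, since every later line appends with `>>`; a one-line comment in the rule would stop someone from reordering it. The hunk only carries over the options that the old `options.h` handling knew about, while the 2018.76 changelog lists "New key exchange options" that are not set here and therefore silently take their `default_options.h` values; that is acceptable, but since the commit message says all options were compared, listing which new defaults were accepted would make that comparison reviewable. The `ifdef PTXCONF_DROPBEAR_MD5` branch prints a WARNING and still enables `DROPBEAR_MD5_HMAC`; consider repeating that warning in the help text of the option in `rules/dropbear.in`, so it is visible when the BSP is configured and not only in the build log.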
* Re: [ptxdist] [2/3] dropbear: version bump 2017.75 -> 2019.78 2020-03-11 13:24 ` [ptxdist] [PATCH 2/3] dropbear: version bump 2017.75 -> 2019.78 Alexander Dahl @ 2020-03-27 9:52 ` Michael Olbrich 0 siblings, 0 replies; 7+ messages in thread From: Michael Olbrich @ 2020-03-27 9:52 UTC (permalink / raw) To: ptxdist; +Cc: Alexander Dahl Thanks, applied. Michael [sent from post-receive hook] On Fri, 27 Mar 2020 10:52:14 +0100, Alexander Dahl <ada@thorsis.com> wrote: > The major change with 2018.76 was in configuration, moving from editing > 'options.h' to adding things to 'localoptions.h'. The latter file must > be created in the extracted sources, a pragmatic approach was used to > add the defines, as seen in the buildroot project. > > All options were compared to 'default_options.h' and 'sysoptions.h' from > the dropbear source. Not all options are in default_options, e.g. the > deprecated md5 hmac. A warning for that one was added. > > Various things were fixed and improved in dropbear, changes notable: > > + 2019.78 / 2019.77 > - Fix 2018.76 regressions > - Improve failure delay consistency > - Change handling of failed authentication to avoid disclosing valid > usernames, CVE-2018-15599. > > + 2018.76 > - Enable hardening build flags > - New key exchange options > - Improved DSS and RSA pubkey validation > - Fix null pointer crash on malformed keys > - Update curve25519-donna implementation 
> > Signed-off-by: Alexander Dahl <ada@thorsis.com> > --- > > Notes: > Just omitting --disable-fuzz wouldn't require that patch, it just pins down > what is the default anyway, but for that the patch is needed. > > .../0001-configure-Fix-disable-fuzz.patch | 47 +++++++ > patches/dropbear-2019.78/autogen.sh | 1 + > patches/dropbear-2019.78/series | 4 + > rules/dropbear.make | 129 ++++++++++-------- > 4 files changed, 121 insertions(+), 60 deletions(-) > create mode 100644 patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch > create mode 120000 patches/dropbear-2019.78/autogen.sh > create mode 100644 patches/dropbear-2019.78/series > > diff --git a/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch b/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch > new file mode 100644 > index 000000000..03aec183a > --- /dev/null > +++ b/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch 
> @@ -0,0 +1,47 @@ > +From: Alexander Dahl <ada@thorsis.com> > +Date: Wed, 11 Mar 2020 10:50:45 +0100 > +Subject: [PATCH] configure: Fix --disable-fuzz > + > +When explicitly passing --disable-fuzz to ./configure fuzz was actually > +enabled. > + > +Signed-off-by: Alexander Dahl <ada@thorsis.com> > +--- > + > +Notes: > + Sent upstream: https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2020q1/002202.html > + > + configure.ac | 17 ++++++++++++----- > + 1 file changed, 12 insertions(+), 5 deletions(-) > + > +diff --git a/configure.ac b/configure.ac > +index 7199d7cb2300..104d60cfaf53 100644 > +--- a/configure.ac > ++++ b/configure.ac > +@@ -326,14 +326,21 @@ AC_ARG_ENABLE(shadow, > + AC_ARG_ENABLE(fuzz, > + [ --enable-fuzz Build fuzzing. Not recommended for deployment.], > + [ > +- AC_DEFINE(DROPBEAR_FUZZ, 1, Fuzzing) > +- AC_MSG_NOTICE(Enabling fuzzing) > +- DROPBEAR_FUZZ=1 > +- # libfuzzer needs linking with c++ libraries > +- AC_PROG_CXX > ++ if test "x$enableval" = "xyes"; then > ++ AC_DEFINE(DROPBEAR_FUZZ, 1, Fuzzing) > ++ AC_MSG_NOTICE(Enabling fuzzing) > ++ DROPBEAR_FUZZ=1 > ++ # libfuzzer needs linking with c++ libraries > ++ AC_PROG_CXX > ++ else > ++ AC_DEFINE(DROPBEAR_FUZZ, 0, Fuzzing) > ++ AC_MSG_NOTICE(Disabling fuzzing) > ++ DROPBEAR_FUZZ=0 > ++ fi > + ], > + [ > + AC_DEFINE(DROPBEAR_FUZZ, 0, Fuzzing) > ++ AC_MSG_NOTICE(Disabling fuzzing) > + DROPBEAR_FUZZ=0 > + ] > + > diff --git a/patches/dropbear-2019.78/autogen.sh b/patches/dropbear-2019.78/autogen.sh > new file mode 120000 > index 000000000..9f8a4cb7d > --- /dev/null > +++ b/patches/dropbear-2019.78/autogen.sh > @@ -0,0 +1 @@ > +../autogen.sh > \ No newline at end of file > diff --git a/patches/dropbear-2019.78/series b/patches/dropbear-2019.78/series > new file mode 100644 > index 000000000..3e5a5247e > --- /dev/null > +++ b/patches/dropbear-2019.78/series 
> @@ -0,0 +1,4 @@ > +# generated by git-ptx-patches > +#tag:base --start-number 1 > +0001-configure-Fix-disable-fuzz.patch > +# c03ca050bdd0c61ac96e5bd22c9d0947 - git-ptx-patches magic > diff --git a/rules/dropbear.make b/rules/dropbear.make > index a3b867817..8d80ed295 100644 > --- a/rules/dropbear.make > +++ b/rules/dropbear.make > @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear > # > # Paths and names > # > -DROPBEAR_VERSION := 2017.75 > -DROPBEAR_MD5 := e57e9b9d25705dcb073ba15c416424fd > +DROPBEAR_VERSION := 2019.78 > +DROPBEAR_MD5 := a972c85ed678ad0fdcb7844e1294fb54 > DROPBEAR := dropbear-$(DROPBEAR_VERSION) > DROPBEAR_SUFFIX := tar.bz2 > DROPBEAR_URL := http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX) > @@ -38,12 +38,14 @@ DROPBEAR_LICENSE_FILES := \ > DROPBEAR_CONF_TOOL := autoconf > DROPBEAR_CONF_OPT := \ > $(CROSS_AUTOCONF_USR) \ > + --enable-harden \ > $(GLOBAL_LARGE_FILE_OPTION) \ > --$(call ptx/endis, PTXCONF_DROPBEAR_ZLIB)-zlib \ > --disable-pam \ > --$(call ptx/disen, PTXCONF_DROPBEAR_DIS_OPENPTY)-openpty \ > --$(call ptx/disen, PTXCONF_DROPBEAR_DIS_SYSLOG)-syslog \ > --enable-shadow \ > + --disable-fuzz \ > --enable-bundled-libtom \ > --$(call ptx/disen, PTXCONF_DROPBEAR_DIS_LASTLOG)-lastlog \ > --$(call ptx/disen, PTXCONF_DROPBEAR_DIS_UTMP)-utmp \ 
> @@ -54,206 +56,213 @@ DROPBEAR_CONF_OPT := \ > --$(call ptx/disen, PTXCONF_DROPBEAR_DIS_PUTUTLINE)-pututline \ > --$(call ptx/disen, PTXCONF_DROPBEAR_DIS_PUTUTXLINE)-pututxline > > +DROPBEAR_LOCALOPTIONS := $(DROPBEAR_DIR)/localoptions.h > + > $(STATEDIR)/dropbear.prepare: > @$(call targetinfo) > @$(call world/prepare, DROPBEAR) > > + @echo "/* localoptions.h created by ptxdist */" > $(DROPBEAR_LOCALOPTIONS) > + > ifdef PTXCONF_DROPBEAR_DIS_X11 > @echo "ptxdist: disabling x11 forwarding" > - $(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_X11FWD) > + @echo "#define DROPBEAR_X11FWD 0" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: enabling x11 forwarding" > - $(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_X11FWD) > + @echo "#define DROPBEAR_X11FWD 1" >> $(DROPBEAR_LOCALOPTIONS) > endif > > ifdef PTXCONF_DROPBEAR_DIS_TCP > @echo "ptxdist: disabling tcp" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_LOCALTCPFWD) > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_REMOTETCPFWD) > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_LOCALTCPFWD) > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_REMOTETCPFWD) > + @echo "#define DROPBEAR_CLI_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) > + @echo "#define DROPBEAR_CLI_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) > + @echo "#define DROPBEAR_SVR_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) > + @echo "#define DROPBEAR_SVR_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: enabling tcp" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_LOCALTCPFWD) > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_REMOTETCPFWD) > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_LOCALTCPFWD) > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_REMOTETCPFWD) > + @echo "#define DROPBEAR_CLI_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS) > + @echo "#define DROPBEAR_CLI_REMOTETCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS) > + @echo "#define DROPBEAR_SVR_LOCALTCPFWD 
1" >> $(DROPBEAR_LOCALOPTIONS) > + @echo "#define DROPBEAR_SVR_REMOTETCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS) > endif > > ifdef PTXCONF_DROPBEAR_DIS_AGENT > @echo "ptxdist: disabling agent" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_AGENTFWD) > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_AGENTFWD) > + @echo "#define DROPBEAR_SVR_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS) > + @echo "#define DROPBEAR_CLI_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: enabling agent" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_AGENTFWD) > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_AGENTFWD) > + @echo "#define DROPBEAR_SVR_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS) > + @echo "#define DROPBEAR_CLI_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS) > endif > > > ifdef PTXCONF_DROPBEAR_AES128 > @echo "ptxdist: enabling aes128" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_AES128) > + @echo "#define DROPBEAR_AES128 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling aes128" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_AES128) > + @echo "#define DROPBEAR_AES128 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > ifdef PTXCONF_DROPBEAR_3DES > @echo "ptxdist: enabling 3des" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_3DES) > + @echo "#define DROPBEAR_3DES 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling 3des" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_3DES) > + @echo "#define DROPBEAR_3DES 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > ifdef PTXCONF_DROPBEAR_AES256 > @echo "ptxdist: enabling aes256" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_AES256) > + @echo "#define DROPBEAR_AES256 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling aes256" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_AES256) > + @echo "#define DROPBEAR_AES256 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > ifdef PTXCONF_DROPBEAR_BLOWFISH > @echo "ptxdist: 
enabling blowfish" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_BLOWFISH) > + @echo "#define DROPBEAR_BLOWFISH 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling blowfish" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_BLOWFISH) > + @echo "#define DROPBEAR_BLOWFISH 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > ifdef PTXCONF_DROPBEAR_TWOFISH256 > @echo "ptxdist: enabling twofish256" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH256) > + @echo "#define DROPBEAR_TWOFISH256 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling twofish256" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH256) > + @echo "#define DROPBEAR_TWOFISH256 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > ifdef PTXCONF_DROPBEAR_TWOFISH128 > @echo "ptxdist: enabling twofish128" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH128) > + @echo "#define DROPBEAR_TWOFISH128 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling twofish128" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_TWOFISH128) > + @echo "#define DROPBEAR_TWOFISH128 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > ifdef PTXCONF_DROPBEAR_CBC_CIPHERS > @echo "ptxdist: enabling cbc ciphers" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CBC_MODE) > + @echo "#define DROPBEAR_ENABLE_CBC_MODE 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling cbc ciphers" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CBC_MODE) > + @echo "#define DROPBEAR_ENABLE_CBC_MODE 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > + > ifdef PTXCONF_DROPBEAR_CTR_CIPHERS > @echo "ptxdist: enabling ctr ciphers" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CTR_MODE) > + @echo "#define DROPBEAR_ENABLE_CTR_MODE 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling ctr ciphers" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ENABLE_CTR_MODE) > + @echo "#define DROPBEAR_ENABLE_CTR_MODE 
0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > ifdef PTXCONF_DROPBEAR_SHA1 > @echo "ptxdist: enabling sha1" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA1_HMAC) > + @echo "#define DROPBEAR_SHA1_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling sha1" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA1_HMAC) > + @echo "#define DROPBEAR_SHA1_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > ifdef PTXCONF_DROPBEAR_SHA1_96 > @echo "ptxdist: enabling sha1-96" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA1_96_HMAC) > + @echo "#define DROPBEAR_SHA1_96_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling sha1-96" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA1_96_HMAC) > + @echo "#define DROPBEAR_SHA1_96_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > ifdef PTXCONF_DROPBEAR_SHA256 > @echo "ptxdist: enabling sha256" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA2_256_HMAC) > + @echo "#define DROPBEAR_SHA2_256_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling sha256" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA2_256_HMAC) > + @echo "#define DROPBEAR_SHA2_256_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > ifdef PTXCONF_DROPBEAR_SHA512 > @echo "ptxdist: enabling sha512" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA2_512_HMAC) > + @echo "#define DROPBEAR_SHA2_512_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling sha512" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_SHA2_512_HMAC) > + @echo "#define DROPBEAR_SHA2_512_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > ifdef PTXCONF_DROPBEAR_MD5 > @echo "ptxdist: enabling md5" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_MD5_HMAC) > + @echo "WARNING: md5 is considered broken and is deactivated in upstream dropbear by default!" 
> + @echo "#define DROPBEAR_MD5_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling md5" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_MD5_HMAC) > + @echo "#define DROPBEAR_MD5_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > > ifdef PTXCONF_DROPBEAR_RSA > @echo "ptxdist: enabling rsa" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_RSA) > + @echo "#define DROPBEAR_RSA 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling rsa" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_RSA) > + @echo "#define DROPBEAR_RSA 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > ifdef PTXCONF_DROPBEAR_DSS > @echo "ptxdist: enabling dss" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_DSS) > + @echo "#define DROPBEAR_DSS 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling dss" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_DSS) > + @echo "#define DROPBEAR_DSS 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > ifdef PTXCONF_DROPBEAR_ECDSA > @echo "ptxdist: enabling ecdsa" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDSA) > + @echo "#define DROPBEAR_ECDSA 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling ecdsa" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDSA) > + @echo "#define DROPBEAR_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > ifdef PTXCONF_DROPBEAR_ECDH > @echo "ptxdist: enabling ecdh" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDH) > + @echo "#define DROPBEAR_ECDH 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling ecdh" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_ECDH) > + @echo "#define DROPBEAR_ECDH 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > ifdef PTXCONF_DROPBEAR_CURVE25519 > @echo "ptxdist: enabling curve25519" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_CURVE25519) > + @echo "#define DROPBEAR_CURVE25519 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling curve25519" > - @$(call 
disable_c, $(DROPBEAR_DIR)/options.h,DROPBEAR_CURVE25519) > + @echo "#define DROPBEAR_CURVE25519 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > + > ifdef PTXCONF_DROPBEAR_PASSWD > @echo "ptxdist: enabling passwd" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_PASSWORD_AUTH) > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_PASSWORD_AUTH) > + @echo "#define DROPBEAR_SVR_PASSWORD_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS) > + @echo "#define DROPBEAR_CLI_PASSWORD_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling passwd" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_PASSWORD_AUTH) > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_PASSWORD_AUTH) > + @echo "#define DROPBEAR_SVR_PASSWORD_AUTH 0" >> $(DROPBEAR_LOCALOPTIONS) > + @echo "#define DROPBEAR_CLI_PASSWORD_AUTH 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > ifdef PTXCONF_DROPBEAR_PUBKEY > @echo "ptxdist: enabling pubkey" > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_PUBKEY_AUTH) > - @$(call enable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_PUBKEY_AUTH) > + @echo "#define DROPBEAR_SVR_PUBKEY_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS) > + @echo "#define DROPBEAR_CLI_PUBKEY_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS) > else > @echo "ptxdist: disabling pubkey" > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_SVR_PUBKEY_AUTH) > - @$(call disable_c, $(DROPBEAR_DIR)/options.h,ENABLE_CLI_PUBKEY_AUTH) > + @echo "#define DROPBEAR_SVR_PUBKEY_AUTH 0" >> $(DROPBEAR_LOCALOPTIONS) > + @echo "#define DROPBEAR_CLI_PUBKEY_AUTH 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > @$(call touch) > _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de ^ permalink raw reply [flat|nested] 7+ messages in thread
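Review bot: every `#define` is appended to `$(DROPBEAR_LOCALOPTIONS)` with `>>`, and none of the visible lines truncates that file before the first append; if the prepare stage is re-run, or the file survives from an earlier build, the recipe appends a second and possibly contradictory set of defines (for example `#define DROPBEAR_DSS 1` after an earlier `#define DROPBEAR_DSS 0`), and which one takes effect is left to the preprocessor's redefinition handling. Please confirm the stage starts by creating the file fresh (an explicit `rm -f` or `: >` before the first `>>`, or writing all defines with a single `>`), so a stale cipher, MAC or auth setting cannot be carried silently into the build. One more point on the md5 branch: the new WARNING only reaches the build log, while the same information belongs next to the option in `rules/dropbear.in`, where the person enabling it will actually see it.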
* [ptxdist] [PATCH 3/3] dropbear: Disable default selection of DSS
From: Alexander Dahl @ 2020-03-11 13:24 UTC
To: ptxdist

While this might not be 100% conforming to the ssh standard (?), it is common practice. DSA is considered weak [1] and e.g. OpenSSH deprecated it with the 7.0 release back in 2015 [2].

dropbear states in its source: “DSS may be necessary to connect to some systems though is not recommended for new keys”.

Furthermore: requiring both RSA _and_ DSS host keys increases the time to generate keys a lot, making this unfortunate in bootstrapping embedded targets.

[1] https://security.stackexchange.com/a/112818/43663
[2] https://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---

Notes:
    Consider this patch RFC, or just apply or drop it at will.

 rules/dropbear.in | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rules/dropbear.in b/rules/dropbear.in index fa6f283f1..107a11caf 100644 --- a/rules/dropbear.in +++ b/rules/dropbear.in @@ -284,6 +284,7 @@ comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft config DROPBEAR_RSA bool prompt "rsa" + default y help RSA was announced in 1978. The security of the RSA system is based upon the RSA Problem (RSAP). This problem is @@ -293,7 +294,6 @@ config DROPBEAR_RSA config DROPBEAR_DSS bool prompt "dss" - default y help DSS stands for Digital Signature Standard. DSS employs the ElGamal and Schnorr PK systems to produce 
@@ -349,7 +349,6 @@ config DROPBEAR_DROPBEAR default y select DROPBEAR_DROPBEAR_KEY select DROPBEAR_RSA - select DROPBEAR_DSS select BUSYBOX_START_STOP_DAEMON if BUSYBOX help Installs the dropbar server in /usr/sbin/dropbear on the target -- 2.20.1 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de ^ permalink raw reply [flat|nested] 7+ messages in thread
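Review bot: the second hunk drops `select DROPBEAR_DSS` from DROPBEAR_DROPBEAR but keeps `select DROPBEAR_RSA`, so the "at least one required" constraint stated in the comment above the algorithm options still holds for the server build; the `default y` moved from DROPBEAR_DSS to DROPBEAR_RSA in the first hunk is redundant whenever the server is selected and only matters for a client-only configuration, which the commit message could say explicitly. Since DROPBEAR_DROPBEAR still selects DROPBEAR_DROPBEAR_KEY, please check that the host-key generation rule (not part of this diff) derives the key types from DROPBEAR_RSA and DROPBEAR_DSS rather than always generating both, otherwise the key-generation time saving the message cites does not materialise. Minor: the context line "Installs the dropbar server" carries a pre-existing typo (dropbear) worth fixing in a follow-up.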
* Re: [ptxdist] [3/3] dropbear: Disable default selection of DSS 2020-03-11 13:24 ` [ptxdist] [PATCH 3/3] dropbear: Disable default selection of DSS Alexander Dahl @ 2020-03-27 9:52 ` Michael Olbrich 0 siblings, 0 replies; 7+ messages in thread From: Michael Olbrich @ 2020-03-27 9:52 UTC (permalink / raw) To: ptxdist; +Cc: Alexander Dahl Thanks, applied. Michael [sent from post-receive hook] On Fri, 27 Mar 2020 10:52:15 +0100, Alexander Dahl <ada@thorsis.com> wrote: > While this might be not 100% conforming to ssh standard (?), it is > common practice. DSA is considered weak [1] and e.g. OpenSSH deprecated > it with the 7.0 release back in 2015 [2]. > > dropbear states in its source: “DSS may be necessary to connect to some > systems though is not recommended for new keys”. > > Furthermore: requiring both RSA _and_ DSS host keys, increases time to > generate keys a lot, making this unfortunate in bootstrapping embedded > targets. > > [1] https://security.stackexchange.com/a/112818/43663 > [2] https://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html > > Signed-off-by: Alexander Dahl <ada@thorsis.com> > --- > > Notes: > Consider this patch RFC, or just apply or drop it at will. > > rules/dropbear.in | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/rules/dropbear.in b/rules/dropbear.in > index fa6f283f1..107a11caf 100644 > --- a/rules/dropbear.in > +++ b/rules/dropbear.in > @@ -284,6 +284,7 @@ comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft > config DROPBEAR_RSA > bool > prompt "rsa" > + default y > help > RSA was announced in 1978. The security of the RSA system > is based upon the RSA Problem (RSAP). This problem is > @@ -293,7 +294,6 @@ config DROPBEAR_RSA > config DROPBEAR_DSS > bool > prompt "dss" > - default y > help > DSS stands for Digital Signature Standard. > DSS employs the ElGamal and Schnorr PK systems to produce 
> @@ -349,7 +349,6 @@ config DROPBEAR_DROPBEAR > default y > select DROPBEAR_DROPBEAR_KEY > select DROPBEAR_RSA > - select DROPBEAR_DSS > select BUSYBOX_START_STOP_DAEMON if BUSYBOX > help > Installs the dropbar server in /usr/sbin/dropbear on the target > _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de ^ permalink raw reply [flat|nested] 7+ messages in thread