Date: Fri, 6 Nov 2020 00:05:11 +0100
From: Alexander Dahl
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH 3/4] dropbear: version bump 2019.78 -> 2020.79
Message-ID: <20201105230510.cbd2x2oiu2fwllid@falbala.internal.home.lespocky.de>
In-Reply-To: <20201105081302.6770-4-ada@thorsis.com>
References: <20201105081302.6770-1-ada@thorsis.com> <20201105081302.6770-4-ada@thorsis.com>

Hei hei,

On Thu, Nov 05, 2020 at 09:13:01AM +0100, Alexander Dahl wrote:
> Noteworthy changes (not all options accessible through ptxdist menu):
>
> - added support for ed25519 hostkeys and authorized_keys
> - added support for chacha20-poly1305 authenticated cipher
> - added support for rsa-sha2 signatures
> - disabled some options by default (kconfig defaults adapted accordingly)
> - fix idle detection clashing with keepalives
> - scp fix for CVE-2018-20685 where a server could modify name of output
>   files
> - fsync() is called on the parent directory when writing key files to
>   ensure they are flushed
>
> One especially important change:
>
> > Use getrandom() call on Linux to ensure sufficient entropy has been
> > gathered at startup. Dropbear now avoids reading from the random
> > source at startup, instead waiting until the first connection. It is
> > possible that some platforms were running without enough entropy
> > previously, those could potentially block at first boot generating
> > host keys.
> > The dropbear "-R" option is one way to avoid that.
>
> On older toolchains/kernel headers/kernels without getrandom() support,
> dropbear should behave like before.
>
> The curve25519 implementation was replaced with the one by TweetNaCl,
> which induced a change in 'LICENSE' summary. The old implementation was
> licensed BSD-3-Clause and the new is public domain.
>
> The bundled libtommath changed its license from dual license (public
> domain || WTFPL) to 'Unlicense' which is also a public domain license,
> but with a differently worded license text and an actual SPDX
> identifier.
>
> Signed-off-by: Alexander Dahl
> ---
>  rules/dropbear.in   |  2 +-
>  rules/dropbear.make | 11 ++++++-----
>  2 files changed, 7 insertions(+), 6 deletions(-)

When reworking this patch today in the morning I forgot to remove the
2019.78 patch series. The one patch in there had gone upstream with
2020.79 and can be dropped. I'll send a v2 tomorrow.

A

>
> diff --git a/rules/dropbear.in b/rules/dropbear.in
> index d01f2c73e..dbe1a34bc 100644
> --- a/rules/dropbear.in
> +++ b/rules/dropbear.in
> @@ -116,6 +116,7 @@ comment "features"
>  config DROPBEAR_DIS_X11
>  	bool
>  	prompt "disable X11 Forwarding"
> +	default y
>  	help
>  	  X11 forwarding means passing X11 (graphical interface)
>  	  information over the SSH connection.
> @@ -149,7 +150,6 @@ config DROPBEAR_AES128
>  config DROPBEAR_3DES
>  	bool
>  	prompt "3DES"
> -	default y
>  	help
>  	  DES is an IBM algorithm designed during the 1970s.
>  	  In 1976, NIST has officially adopted it as an encryption
> diff --git a/rules/dropbear.make b/rules/dropbear.make
> index 4f55fac48..1907bc0ae 100644
> --- a/rules/dropbear.make
> +++ b/rules/dropbear.make
> @@ -16,19 +16,19 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear
>  #
>  # Paths and names
>  #
> -DROPBEAR_VERSION	:= 2019.78
> -DROPBEAR_MD5		:= a972c85ed678ad0fdcb7844e1294fb54
> +DROPBEAR_VERSION	:= 2020.79
> +DROPBEAR_MD5		:= 830a7bf6349ac52a39c487d061efb352
>  DROPBEAR		:= dropbear-$(DROPBEAR_VERSION)
>  DROPBEAR_SUFFIX		:= tar.bz2
>  DROPBEAR_URL		:= http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
>  DROPBEAR_SOURCE		:= $(SRCDIR)/$(DROPBEAR).$(DROPBEAR_SUFFIX)
>  DROPBEAR_DIR		:= $(BUILDDIR)/$(DROPBEAR)
>  DROPBEAR_LICENSE	:= \
> -	MIT AND BSD-2-Clause AND BSD-3-Clause AND SSH-short AND (public_domain OR WTFPL)
> +	MIT AND BSD-2-Clause AND public_domain AND SSH-short AND (public_domain OR WTFPL) AND Unlicense
>  DROPBEAR_LICENSE_FILES	:= \
> -	file://LICENSE;md5=a5ec40cafba26fc4396d0b550f824e01 \
> +	file://LICENSE;md5=da58928b5d844c6667963cb5a109272d \
>  	file://libtomcrypt/LICENSE;md5=71baacc459522324ef3e2b9e052e8180 \
> -	file://libtommath/LICENSE;md5=f72771f4af5e8c382974750f9f8701ad \
> +	file://libtommath/LICENSE;md5=23e7e0a32e53a2b1d35f5fd9ef053402 \
>  	file://loginrec.c;startline=1;endline=26;md5=0d785ee11fab1cead2c7fee9c35574f1
>  
>  # ----------------------------------------------------------------------------
> @@ -48,6 +48,7 @@ DROPBEAR_CONF_OPT := \
>  	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_OPENPTY)-openpty \
>  	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_SYSLOG)-syslog \
>  	--enable-shadow \
> +	--disable-plugin \
>  	--disable-fuzz \
>  	--enable-bundled-libtom \
>  	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_LASTLOG)-lastlog \
> -- 
> 2.27.0

-- 
/"\ ASCII RIBBON | »With the first link, the chain is forged. The first
\ / CAMPAIGN     | speech censured, the first thought forbidden, the
 X  AGAINST      | first freedom denied, chains us all irrevocably.«
/ \ HTML MAIL    | (Jean-Luc Picard, quoting Judge Aaron Satie)
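Review bot: in the first dropbear.in hunk, adding `default y` to DROPBEAR_DIS_X11 silently changes the outcome for every existing ptxconfig that never set the symbol explicitly (oldconfig will now pick the new default). The commit message's "kconfig defaults adapted accordingly" covers the intent, but the help text under `prompt "disable X11 Forwarding"` is the place to state that forwarding is now off by default and has to be re-enabled deliberately where a target really needs it.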
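Review bot: in the second dropbear.in hunk, removing `default y` from DROPBEAR_3DES leaves a help text that only recounts DES's 1970s history and gives no hint why the cipher is now off by default; add a sentence that 3DES is retained for legacy peers only, and while touching it fix the tense in `In 1976, NIST has officially adopted it` to `In 1976, NIST officially adopted it`.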
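Review bot: in the dropbear.make version hunk, the new DROPBEAR_LICENSE line appends `AND Unlicense` but still carries `(public_domain OR WTFPL)`, although the commit message says libtommath moved from that dual license to Unlicense, so the old term should be replaced rather than kept; with `BSD-3-Clause` already swapped for `public_domain`, the expression also states public_domain twice. Suggest `MIT AND BSD-2-Clause AND public_domain AND SSH-short AND Unlicense`, which then matches the updated `file://libtommath/LICENSE;md5=...` entry below it. Unrelated to this bump, the DROPBEAR_URL context line still fetches an SSH daemon tarball over plain http with only the MD5 as integrity check; if the upstream server offers https, switching in a follow-up patch would be worthwhile.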
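Review bot: in the DROPBEAR_CONF_OPT hunk, `--disable-plugin` is hard-coded between options that are Kconfig-driven via `ptx/disen`, and neither the commit message nor a comment explains the choice; one line saying that plugin loading is intentionally not exposed in the menu and stays disabled (keeping the daemon's runtime surface small) would spare the next person doing a version bump from guessing whether this was an oversight.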