mailarchive of the ptxdist mailing list
* [ptxdist] [PATCH v2 0/4] dropbear: version bump 2019.78 -> 2020.81
@ 2020-11-06  6:58 Alexander Dahl
  2020-11-06  6:58 ` [ptxdist] [PATCH v2 1/4] dropbear: Consider licenses of bundled libs Alexander Dahl
From: Alexander Dahl @ 2020-11-06  6:58 UTC (permalink / raw)
  To: ptxdist

Hei hei,

this is the version bump for the dropbear SSH server, split into four
patches for easier review.

- 1/4 fixes the license information

- 2/4 updates comments in the kconfig and make file; the first is for the
  user, the second for easier maintenance of the ptxdist package (I used
  that when reviewing what changed in dropbear from 2019.78 to 2020.79)

- 3/4 is a version bump with quite a few upstream changes, including the
  fix for CVE-2018-20685.

- 4/4 is a second version bump, combining two more versions with
  regression fixes and other minor fixes, which I put in a second commit
  for easier review. This might also be squashed?

The software itself was briefly tested on armv7a aka sama5d27.

v1 -> v2:
- Removed patch stack with patch 3/4.

Greets
Alex

Alexander Dahl (4):
  dropbear: Consider licenses of bundled libs
  dropbear: Revise comments
  dropbear: version bump 2019.78 -> 2020.79
  dropbear: version bump 2020.79 -> 2020.81

 .../0001-configure-Fix-disable-fuzz.patch     | 47 -------------------
 patches/dropbear-2019.78/autogen.sh           |  1 -
 patches/dropbear-2019.78/series               |  4 --
 rules/dropbear.in                             | 14 +++---
 rules/dropbear.make                           | 30 +++++++-----
 5 files changed, 27 insertions(+), 69 deletions(-)
 delete mode 100644 patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
 delete mode 120000 patches/dropbear-2019.78/autogen.sh
 delete mode 100644 patches/dropbear-2019.78/series


base-commit: 8617870454388edf0f0728a92f3f188edbc14986
-- 
2.27.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


* [ptxdist] [PATCH v2 1/4] dropbear: Consider licenses of bundled libs
  2020-11-06  6:58 [ptxdist] [PATCH v2 0/4] dropbear: version bump 2019.78 -> 2020.81 Alexander Dahl
@ 2020-11-06  6:58 ` Alexander Dahl
  2020-11-06  6:58 ` [ptxdist] [PATCH v2 2/4] dropbear: Revise comments Alexander Dahl
From: Alexander Dahl @ 2020-11-06  6:58 UTC (permalink / raw)
  To: ptxdist

Since 673655b40733 ("dropbear: clean up the rule file and add bugfix")
it is explicitly stated that the bundled libtomcrypt and libtommath are
used in the ptxdist dropbear package.  Before that, the bundled libs were
very likely used as well, because no separate packages exist in ptxdist.
So the dropbear package should consider the licenses of the bundled libs.

As of dropbear 2019.78, dropbear itself states in its 'LICENSE' file
that those libs are public domain, but in fact those libs are dual
licensed public_domain and WTFPL, as their license files state.

Adding hashes for the bundled libs will help detect future changes, as
long as the dropbear package uses the bundled variant of those libs.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
 rules/dropbear.make | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/dropbear.make b/rules/dropbear.make
index d52efa396..acd9ef5f9 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -23,9 +23,12 @@ DROPBEAR_SUFFIX		:= tar.bz2
 DROPBEAR_URL		:= http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
 DROPBEAR_SOURCE		:= $(SRCDIR)/$(DROPBEAR).$(DROPBEAR_SUFFIX)
 DROPBEAR_DIR		:= $(BUILDDIR)/$(DROPBEAR)
-DROPBEAR_LICENSE	:= MIT AND BSD-2-Clause AND BSD-3-Clause AND SSH-short
+DROPBEAR_LICENSE	:= \
+	MIT AND BSD-2-Clause AND BSD-3-Clause AND SSH-short AND (public_domain OR WTFPL)
 DROPBEAR_LICENSE_FILES	:= \
 	file://LICENSE;md5=a5ec40cafba26fc4396d0b550f824e01 \
+	file://libtomcrypt/LICENSE;md5=71baacc459522324ef3e2b9e052e8180 \
+	file://libtommath/LICENSE;md5=f72771f4af5e8c382974750f9f8701ad \
 	file://loginrec.c;startline=1;endline=26;md5=0d785ee11fab1cead2c7fee9c35574f1
 
 # ----------------------------------------------------------------------------
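Review bot: the single `(public_domain OR WTFPL)` term stands for two components (libtomcrypt and libtommath, per the two new DROPBEAR_LICENSE_FILES entries) but appears once, so a reader of the expression cannot tell which file it covers; a short comment above DROPBEAR_LICENSE mapping each term to its component would make that explicit. The two md5 entries are also only valid while the package builds with `--enable-bundled-libtom`; note that coupling in the comment so that switching to system libtom later removes the entries and the license term together.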
-- 
2.27.0



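The hashes added above are what makes a later relicensing of a bundled lib visible (libtommath did exactly that between 2019.78 and 2020.79, as patch 3/4 describes). The following checker is an added example and not part of the patch or of ptxdist: it reads `file://PATH;key=value` entries from a DROPBEAR_LICENSE_FILES fragment, recomputes each md5 in a source tree and reports mismatches. The source tree it builds is constructed for the demo, and treating `startline`/`endline` as an inclusive line range to hash (as Yocto's LIC_FILES_CHKSUM does) is an assumption about ptxdist's semantics, not something the thread states.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One ptxdist license-file entry: file://PATH followed by ;key=value options.
# The ;startline/;endline form is the one used for loginrec.c in the rule file.
ENTRY_RE = re.compile(r"file://(?P<path>[^;\s]+)(?P<opts>(?:;[a-z0-9]+=[^;\s]+)*)")


def parse_entries(make_text):
    """Yield (relative path, options dict) for every file:// entry in make text."""
    for m in ENTRY_RE.finditer(make_text):
        opts = dict(o.split("=", 1) for o in m.group("opts").split(";") if o)
        yield m.group("path"), opts


def md5_of(path, startline=None, endline=None):
    """MD5 of a whole file, or of its inclusive 1-based line range startline..endline.

    Assumption: startline/endline restrict the hash to that line range, as in
    Yocto's LIC_FILES_CHKSUM; the thread does not spell out ptxdist's semantics.
    """
    data = Path(path).read_bytes()
    if startline is not None or endline is not None:
        lines = data.splitlines(keepends=True)
        start = int(startline or 1) - 1
        end = int(endline) if endline else len(lines)
        data = b"".join(lines[start:end])
    return hashlib.md5(data).hexdigest()


def check_license_files(make_text, srcdir):
    """Return [(path, expected_md5, actual_md5)] for entries that no longer match."""
    mismatches = []
    for rel, opts in parse_entries(make_text):
        actual = md5_of(Path(srcdir) / rel, opts.get("startline"), opts.get("endline"))
        if actual != opts["md5"]:
            mismatches.append((rel, opts["md5"], actual))
    return mismatches


def build_fixture(root):
    """Create a constructed mini source tree (not real dropbear files) and return
    a DROPBEAR_LICENSE_FILES fragment whose md5s match it."""
    root = Path(root)
    (root / "libtommath").mkdir(exist_ok=True)
    (root / "LICENSE").write_text("Dropbear sample LICENSE (constructed)\n")
    (root / "libtommath" / "LICENSE").write_text("dual licensed: public domain or WTFPL (constructed)\n")
    (root / "loginrec.c").write_text("/*\n * constructed header, lines 1-3 are the licence block\n */\n")
    entries = [("LICENSE", {}), ("libtommath/LICENSE", {}),
               ("loginrec.c", {"startline": "1", "endline": "3"})]
    lines = ["DROPBEAR_LICENSE_FILES\t:= \\"]
    for rel, opts in entries:
        digest = md5_of(root / rel, opts.get("startline"), opts.get("endline"))
        extra = "".join(f";{k}={v}" for k, v in opts.items())
        lines.append(f"\tfile://{rel}{extra};md5={digest} \\")
    return "\n".join(lines) + "\n"


def demo():
    """Pristine tree passes; editing code below the hashed header still passes;
    a relicensed bundled lib (what libtommath did in 2020.79) is reported."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        fragment = build_fixture(root)
        clean = check_license_files(fragment, root)
        with (root / "loginrec.c").open("a") as f:
            f.write("int main(void) { return 0; }\n")   # outside lines 1-3
        after_code_edit = check_license_files(fragment, root)
        (root / "libtommath" / "LICENSE").write_text("The Unlicense (constructed)\n")
        after_relicense = check_license_files(fragment, root)
        return clean, after_code_edit, [m[0] for m in after_relicense]


if __name__ == "__main__":
    print(demo())
```

Run against a real tree with `check_license_files(open("rules/dropbear.make").read(), "platform-build/build-target/dropbear-2020.81")` (paths are an assumption about your ptxdist layout); an empty list means every recorded hash still matches.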

* [ptxdist] [PATCH v2 2/4] dropbear: Revise comments
  2020-11-06  6:58 [ptxdist] [PATCH v2 0/4] dropbear: version bump 2019.78 -> 2020.81 Alexander Dahl
  2020-11-06  6:58 ` [ptxdist] [PATCH v2 1/4] dropbear: Consider licenses of bundled libs Alexander Dahl
@ 2020-11-06  6:58 ` Alexander Dahl
  2020-11-13  8:32   ` Michael Olbrich
  2020-11-06  6:58 ` [ptxdist] [PATCH v2 3/4] dropbear: version bump 2019.78 -> 2020.79 Alexander Dahl
  2020-11-06  6:58 ` [ptxdist] [PATCH v2 4/4] dropbear: version bump 2020.79 -> 2020.81 Alexander Dahl
From: Alexander Dahl @ 2020-11-06  6:58 UTC (permalink / raw)
  To: ptxdist

Add more section markers and update recommendations based on upstream's
'default_options.h' file.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
 rules/dropbear.in   | 12 +++++++-----
 rules/dropbear.make | 18 +++++++++++-------
 2 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/rules/dropbear.in b/rules/dropbear.in
index 62a4a8427..d01f2c73e 100644
--- a/rules/dropbear.in
+++ b/rules/dropbear.in
@@ -219,7 +219,7 @@ config DROPBEAR_CTR_CIPHERS
 	  CBC mode against certain attacks. This adds around 1kB to binary
 	  size and is recommended for most cases.
 
-comment "Integrity, at least one required --- RFC Draft requires sha1-hmac and recommends sha1-96"
+comment "Integrity, at least one required --- sha2-256 is recommended as a default, sha1 for compatibility"
 
 config DROPBEAR_SHA1
 	bool
@@ -273,13 +273,13 @@ config DROPBEAR_SHA512
 
 config DROPBEAR_MD5
 	bool
-	prompt "md5"
+	prompt "md5 (not recommended!)"
 	help
 	  MD5 was developed by Professor Ronald L. Rivest in 1994.
 	  Its 128 bit (16 byte) message digest makes it a faster
 	  implementation than SHA-1.
 
-comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft requires dss, recommends rsa"
+comment "Hostkey/public key algorithms, at least one required --- RSA is recommended, DSS is not recommended for new keys"
 
 config DROPBEAR_RSA
 	bool
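Review bot: the prompt now flags md5 as not recommended, but the help text kept in the same hunk still sells it ("makes it a faster implementation than SHA-1") and gives no reason to avoid it; say in the help that MD5 is collision-broken and is only kept for legacy peers. The date is also wrong: MD5 was published in 1992 (RFC 1321), not 1994.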
@@ -293,7 +293,7 @@ config DROPBEAR_RSA
 
 config DROPBEAR_DSS
 	bool
-	prompt "dss"
+	prompt "dss (not recommended!)"
 	help
 	  DSS stands for Digital Signature Standard.
 	  DSS employs the ElGamal and Schnorr PK systems to produce
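Review bot: same point for dss: the prompt says not recommended, but the help text that follows only describes the algorithm. ssh-dss in SSH is fixed to 1024-bit DSA keys with SHA-1, which is the reason it should not be used for new keys; one sentence to that effect in the help would let users judge the trade-off instead of only seeing the label.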
@@ -308,6 +308,8 @@ config DROPBEAR_ECDSA
 	  ECDSA stands for Elliptic Curve Digital Signature Algorithm.
 	  ECDSA is significantly faster than RSA or DSS.
 
+comment "Key exchange algorithm ---"
+
 config DROPBEAR_ECDH
 	bool
 	prompt "ecdh"
@@ -377,7 +379,7 @@ config DROPBEAR_SCP
 comment "OpenSSH scp is selected!"
 	depends on OPENSSH_SCP
 
-comment "runtime options   ---"
+comment "runtime options        ---"
 
 config DROPBEAR_STARTSCRIPT
 	bool
diff --git a/rules/dropbear.make b/rules/dropbear.make
index acd9ef5f9..4f55fac48 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -67,6 +67,7 @@ $(STATEDIR)/dropbear.prepare:
 
 	@echo "/* localoptions.h created by ptxdist */" > $(DROPBEAR_LOCALOPTIONS)
 
+# features
 ifdef PTXCONF_DROPBEAR_DIS_X11
 	@echo "ptxdist: disabling x11 forwarding"
 	@echo "#define DROPBEAR_X11FWD 0" >> $(DROPBEAR_LOCALOPTIONS)
@@ -76,13 +77,13 @@ else
 endif
 
 ifdef PTXCONF_DROPBEAR_DIS_TCP
-	@echo "ptxdist: disabling tcp"
+	@echo "ptxdist: disabling tcp forwarding"
 	@echo "#define DROPBEAR_CLI_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
 	@echo "#define DROPBEAR_CLI_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
 	@echo "#define DROPBEAR_SVR_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
 	@echo "#define DROPBEAR_SVR_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
 else
-	@echo "ptxdist: enabling tcp"
+	@echo "ptxdist: enabling tcp forwarding"
 	@echo "#define DROPBEAR_CLI_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
 	@echo "#define DROPBEAR_CLI_REMOTETCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
 	@echo "#define DROPBEAR_SVR_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
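Review bot: `PTXCONF_DROPBEAR_DIS_TCP` still toggles all four defines at once, so a user who wants the client side (`DROPBEAR_CLI_*`) for outgoing `-L`/`-R` but wants to deny remote logins forwarding through the device (`DROPBEAR_SVR_*`) cannot express that; the server-side pair is the one that matters for hardening an embedded host. Consider splitting the option into a server and a client half, or at least say in the kconfig help which side it controls.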
@@ -90,16 +91,16 @@ else
 endif
 
 ifdef PTXCONF_DROPBEAR_DIS_AGENT
-	@echo "ptxdist: disabling agent"
+	@echo "ptxdist: disabling auth agent forwarding"
 	@echo "#define DROPBEAR_SVR_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
 	@echo "#define DROPBEAR_CLI_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
 else
-	@echo "ptxdist: enabling agent"
+	@echo "ptxdist: enabling auth agent forwarding"
 	@echo "#define DROPBEAR_SVR_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
 	@echo "#define DROPBEAR_CLI_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
-
+# encryption
 ifdef PTXCONF_DROPBEAR_AES128
 	@echo "ptxdist: enabling aes128"
 	@echo "#define DROPBEAR_AES128 1" >> $(DROPBEAR_LOCALOPTIONS)
@@ -148,6 +149,7 @@ else
 	@echo "#define DROPBEAR_TWOFISH128 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
+# ciphers
 ifdef PTXCONF_DROPBEAR_CBC_CIPHERS
 	@echo "ptxdist: enabling cbc ciphers"
 	@echo "#define DROPBEAR_ENABLE_CBC_MODE 1" >> $(DROPBEAR_LOCALOPTIONS)
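Review bot: the `# encryption` marker in the previous hunk sits over the cipher algorithm block (AES128, 3DES, Twofish) and `# ciphers` here over the cipher mode block (CBC, CTR), so the two labels are easy to confuse; `# cipher algorithms` and `# cipher modes` would match what the ifdefs under them actually set.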
@@ -165,6 +167,7 @@ else
 	@echo "#define DROPBEAR_ENABLE_CTR_MODE 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
+# integrity
 ifdef PTXCONF_DROPBEAR_SHA1
 	@echo "ptxdist: enabling sha1"
 	@echo "#define DROPBEAR_SHA1_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
@@ -210,7 +213,7 @@ else
 	@echo "#define DROPBEAR_MD5_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
-
+# host key / public key
 ifdef PTXCONF_DROPBEAR_RSA
 	@echo "ptxdist: enabling rsa"
 	@echo "#define DROPBEAR_RSA 1" >> $(DROPBEAR_LOCALOPTIONS)
@@ -235,6 +238,7 @@ else
 	@echo "#define DROPBEAR_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
+# key exchange algorithm
 ifdef PTXCONF_DROPBEAR_ECDH
 	@echo "ptxdist: enabling ecdh"
 	@echo "#define DROPBEAR_ECDH 1" >> $(DROPBEAR_LOCALOPTIONS)
@@ -251,7 +255,7 @@ else
 	@echo "#define DROPBEAR_CURVE25519 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
-
+# authentication types
 ifdef PTXCONF_DROPBEAR_PASSWD
 	@echo "ptxdist: enabling passwd"
 	@echo "#define DROPBEAR_SVR_PASSWORD_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS)
-- 
2.27.0




* [ptxdist] [PATCH v2 3/4] dropbear: version bump 2019.78 -> 2020.79
  2020-11-06  6:58 [ptxdist] [PATCH v2 0/4] dropbear: version bump 2019.78 -> 2020.81 Alexander Dahl
  2020-11-06  6:58 ` [ptxdist] [PATCH v2 1/4] dropbear: Consider licenses of bundled libs Alexander Dahl
  2020-11-06  6:58 ` [ptxdist] [PATCH v2 2/4] dropbear: Revise comments Alexander Dahl
@ 2020-11-06  6:58 ` Alexander Dahl
  2020-11-06  6:58 ` [ptxdist] [PATCH v2 4/4] dropbear: version bump 2020.79 -> 2020.81 Alexander Dahl
From: Alexander Dahl @ 2020-11-06  6:58 UTC (permalink / raw)
  To: ptxdist

Noteworthy changes (not all options accessible through ptxdist menu):

- added support for ed25519 hostkeys and authorized_keys
- added support for chacha20-poly1305 authenticated cipher
- added support for rsa-sha2 signatures
- disabled some options by default (kconfig defaults adapted accordingly)
- fix idle detection clashing with keepalives
- scp fix for CVE-2018-20685 where a server could modify name of output
  files
- fsync() is called on the parent directory when writing key files to
  ensure they are flushed

One especially important change:

> Use getrandom() call on Linux to ensure sufficient entropy has been
> gathered at startup.  Dropbear now avoids reading from the random
> source at startup, instead waiting until the first connection. It is
> possible that some platforms were running without enough entropy
> previously, those could potentially block at first boot generating
> host keys.  The dropbear "-R" option is one way to avoid that.

On older toolchains/kernel headers/kernels without getrandom() support,
dropbear should behave like before.

The curve25519 implementation was replaced with the one by TweetNaCl,
which induced a change in 'LICENSE' summary.  The old implementation was
licensed BSD-3-Clause and the new is public domain.

The bundled libtommath changed its license from dual license (public
domain || WTFPL) to 'Unlicense' which is also a public domain license,
but with a differently worded license text and an actual SPDX
identifier.

The patch stack was dropped; the one patch was integrated upstream.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---

Notes:
    v2:
    - Remove patch stack

 .../0001-configure-Fix-disable-fuzz.patch     | 47 -------------------
 patches/dropbear-2019.78/autogen.sh           |  1 -
 patches/dropbear-2019.78/series               |  4 --
 rules/dropbear.in                             |  2 +-
 rules/dropbear.make                           | 11 +++--
 5 files changed, 7 insertions(+), 58 deletions(-)
 delete mode 100644 patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
 delete mode 120000 patches/dropbear-2019.78/autogen.sh
 delete mode 100644 patches/dropbear-2019.78/series

diff --git a/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch b/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
deleted file mode 100644
index 03aec183a..000000000
--- a/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Alexander Dahl <ada@thorsis.com>
-Date: Wed, 11 Mar 2020 10:50:45 +0100
-Subject: [PATCH] configure: Fix --disable-fuzz
-
-When explicitly passing --disable-fuzz to ./configure fuzz was actually
-enabled.
-
-Signed-off-by: Alexander Dahl <ada@thorsis.com>
----
-
-Notes:
-    Sent upstream: https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2020q1/002202.html
-
- configure.ac | 17 ++++++++++++-----
- 1 file changed, 12 insertions(+), 5 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 7199d7cb2300..104d60cfaf53 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -326,14 +326,21 @@ AC_ARG_ENABLE(shadow,
- AC_ARG_ENABLE(fuzz,
- 	[  --enable-fuzz           Build fuzzing. Not recommended for deployment.],
- 	[
--		AC_DEFINE(DROPBEAR_FUZZ, 1, Fuzzing)
--		AC_MSG_NOTICE(Enabling fuzzing)
--		DROPBEAR_FUZZ=1
--		# libfuzzer needs linking with c++ libraries
--		AC_PROG_CXX
-+		if test "x$enableval" = "xyes"; then
-+            AC_DEFINE(DROPBEAR_FUZZ, 1, Fuzzing)
-+            AC_MSG_NOTICE(Enabling fuzzing)
-+            DROPBEAR_FUZZ=1
-+            # libfuzzer needs linking with c++ libraries
-+            AC_PROG_CXX
-+        else
-+            AC_DEFINE(DROPBEAR_FUZZ, 0, Fuzzing)
-+            AC_MSG_NOTICE(Disabling fuzzing)
-+            DROPBEAR_FUZZ=0
-+        fi
- 	],
- 	[
- 		AC_DEFINE(DROPBEAR_FUZZ, 0, Fuzzing)
-+		AC_MSG_NOTICE(Disabling fuzzing)
- 		DROPBEAR_FUZZ=0
- 	]
- 
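Review bot: dropping this patch is only correct if upstream's configure now handles `enableval` for `--disable-fuzz` the way the patch did; the commit message says "integrated upstream" but names neither the upstream commit nor the release that carries it (the patch's own Notes line only points at the list thread). Add that reference so the next bump can confirm that `--disable-fuzz`, which DROPBEAR_CONF_OPT keeps passing, really ends up as `DROPBEAR_FUZZ 0`.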
diff --git a/patches/dropbear-2019.78/autogen.sh b/patches/dropbear-2019.78/autogen.sh
deleted file mode 120000
index 9f8a4cb7d..000000000
--- a/patches/dropbear-2019.78/autogen.sh
+++ /dev/null
@@ -1 +0,0 @@
-../autogen.sh
\ No newline at end of file
diff --git a/patches/dropbear-2019.78/series b/patches/dropbear-2019.78/series
deleted file mode 100644
index 3e5a5247e..000000000
--- a/patches/dropbear-2019.78/series
+++ /dev/null
@@ -1,4 +0,0 @@
-# generated by git-ptx-patches
-#tag:base --start-number 1
-0001-configure-Fix-disable-fuzz.patch
-# c03ca050bdd0c61ac96e5bd22c9d0947  - git-ptx-patches magic
diff --git a/rules/dropbear.in b/rules/dropbear.in
index d01f2c73e..dbe1a34bc 100644
--- a/rules/dropbear.in
+++ b/rules/dropbear.in
@@ -116,6 +116,7 @@ comment "features"
 config DROPBEAR_DIS_X11
 	bool
 	prompt "disable X11 Forwarding"
+	default y
 	help
 	  X11 forwarding means passing X11 (graphical interface)
 	  information over the SSH connection.
@@ -149,7 +150,6 @@ config DROPBEAR_AES128
 config DROPBEAR_3DES
 	bool
 	prompt "3DES"
-	default y
 	help
 	  DES is an IBM algorithm designed during the 1970s.
 	  In 1976, NIST has officially adopted it as an encryption
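Review bot: removing `default y` from 3DES follows upstream disabling it, but the help text in this hunk still presents DES/3DES neutrally; mark the prompt `(not recommended!)` as patch 2/4 does for md5 and dss, and say why (64-bit block size, so long sessions are exposed to birthday attacks of the Sweet32 kind).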
diff --git a/rules/dropbear.make b/rules/dropbear.make
index 4f55fac48..1907bc0ae 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -16,19 +16,19 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear
 #
 # Paths and names
 #
-DROPBEAR_VERSION	:= 2019.78
-DROPBEAR_MD5		:= a972c85ed678ad0fdcb7844e1294fb54
+DROPBEAR_VERSION	:= 2020.79
+DROPBEAR_MD5		:= 830a7bf6349ac52a39c487d061efb352
 DROPBEAR		:= dropbear-$(DROPBEAR_VERSION)
 DROPBEAR_SUFFIX		:= tar.bz2
 DROPBEAR_URL		:= http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
 DROPBEAR_SOURCE		:= $(SRCDIR)/$(DROPBEAR).$(DROPBEAR_SUFFIX)
 DROPBEAR_DIR		:= $(BUILDDIR)/$(DROPBEAR)
 DROPBEAR_LICENSE	:= \
-	MIT AND BSD-2-Clause AND BSD-3-Clause AND SSH-short AND (public_domain OR WTFPL)
+	MIT AND BSD-2-Clause AND public_domain AND SSH-short AND (public_domain OR WTFPL) AND Unlicense
 DROPBEAR_LICENSE_FILES	:= \
-	file://LICENSE;md5=a5ec40cafba26fc4396d0b550f824e01 \
+	file://LICENSE;md5=da58928b5d844c6667963cb5a109272d \
 	file://libtomcrypt/LICENSE;md5=71baacc459522324ef3e2b9e052e8180 \
-	file://libtommath/LICENSE;md5=f72771f4af5e8c382974750f9f8701ad \
+	file://libtommath/LICENSE;md5=23e7e0a32e53a2b1d35f5fd9ef053402 \
 	file://loginrec.c;startline=1;endline=26;md5=0d785ee11fab1cead2c7fee9c35574f1
 
 # ----------------------------------------------------------------------------
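Review bot: the tarball is fetched over plain http and checked only against an MD5, which is collision-prone and is not a supply-chain control; use the https URL if upstream serves one, and when preparing a bump verify the detached `.asc` signature upstream publishes next to the release (if one is published for this version) and note the signing key fingerprint in the commit message. Separately, the new license expression lists `public_domain` twice (once for the TweetNaCl curve25519 code, once inside the libtom term) while `BSD-3-Clause` disappears; a comment mapping each term to its component would save the next reviewer re-deriving this from the LICENSE diff.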
@@ -48,6 +48,7 @@ DROPBEAR_CONF_OPT 	:= \
 	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_OPENPTY)-openpty \
 	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_SYSLOG)-syslog \
 	--enable-shadow \
+	--disable-plugin \
 	--disable-fuzz \
 	--enable-bundled-libtom \
 	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_LASTLOG)-lastlog \
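Review bot: `--disable-plugin` is new here but the commit message does not mention it; state that this is dropbear's external public-key authentication plugin interface and that keeping it off is deliberate (one authentication path less in the build), otherwise a later bump may flip it without anyone noticing.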
-- 
2.27.0




* [ptxdist] [PATCH v2 4/4] dropbear: version bump 2020.79 -> 2020.81
  2020-11-06  6:58 [ptxdist] [PATCH v2 0/4] dropbear: version bump 2019.78 -> 2020.81 Alexander Dahl
  2020-11-06  6:58 ` [ptxdist] [PATCH v2 3/4] dropbear: version bump 2019.78 -> 2020.79 Alexander Dahl
@ 2020-11-06  6:58 ` Alexander Dahl
  2020-11-13 10:26   ` Michael Olbrich
From: Alexander Dahl @ 2020-11-06  6:58 UTC (permalink / raw)
  To: ptxdist

Changes in LICENSE file:

- updated copyright years
- pointed to licenses of bundled libs, instead of just stating their
  license

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
 rules/dropbear.make | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/dropbear.make b/rules/dropbear.make
index 1907bc0ae..47fed4938 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear
 #
 # Paths and names
 #
-DROPBEAR_VERSION	:= 2020.79
-DROPBEAR_MD5		:= 830a7bf6349ac52a39c487d061efb352
+DROPBEAR_VERSION	:= 2020.81
+DROPBEAR_MD5		:= a07438a6159a24c61f98f1bce2d479c0
 DROPBEAR		:= dropbear-$(DROPBEAR_VERSION)
 DROPBEAR_SUFFIX		:= tar.bz2
 DROPBEAR_URL		:= http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
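Review bot: this bump jumps over 2020.80, and the commit message only covers the LICENSE file while the cover letter says the two releases carry regression fixes; list those fixes and any algorithms removed upstream, since an algorithm dropped from dropbear turns an existing ptxconfig option into a build failure, and the version line here is the only place a reviewer would look for that.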
@@ -26,7 +26,7 @@ DROPBEAR_DIR		:= $(BUILDDIR)/$(DROPBEAR)
 DROPBEAR_LICENSE	:= \
 	MIT AND BSD-2-Clause AND public_domain AND SSH-short AND (public_domain OR WTFPL) AND Unlicense
 DROPBEAR_LICENSE_FILES	:= \
-	file://LICENSE;md5=da58928b5d844c6667963cb5a109272d \
+	file://LICENSE;md5=25cf44512b7bc8966a48b6b1a9b7605f \
 	file://libtomcrypt/LICENSE;md5=71baacc459522324ef3e2b9e052e8180 \
 	file://libtommath/LICENSE;md5=23e7e0a32e53a2b1d35f5fd9ef053402 \
 	file://loginrec.c;startline=1;endline=26;md5=0d785ee11fab1cead2c7fee9c35574f1
-- 
2.27.0




* Re: [ptxdist] [PATCH v2 2/4] dropbear: Revise comments
  2020-11-06  6:58 ` [ptxdist] [PATCH v2 2/4] dropbear: Revise comments Alexander Dahl
@ 2020-11-13  8:32   ` Michael Olbrich
From: Michael Olbrich @ 2020-11-13  8:32 UTC (permalink / raw)
  To: ptxdist

On Fri, Nov 06, 2020 at 07:58:09AM +0100, Alexander Dahl wrote:
> Add more section markers and update recommendations based on upstream's
> 'default_options.h' file.
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> ---
>  rules/dropbear.in   | 12 +++++++-----
>  rules/dropbear.make | 18 +++++++++++-------
>  2 files changed, 18 insertions(+), 12 deletions(-)
> 
> diff --git a/rules/dropbear.in b/rules/dropbear.in
> index 62a4a8427..d01f2c73e 100644
> --- a/rules/dropbear.in
> +++ b/rules/dropbear.in
> @@ -219,7 +219,7 @@ config DROPBEAR_CTR_CIPHERS
>  	  CBC mode against certain attacks. This adds around 1kB to binary
>  	  size and is recommended for most cases.
>  
> -comment "Integrity, at least one required --- RFC Draft requires sha1-hmac and recommends sha1-96"
> +comment "Integrity, at least one required --- sha2-256 is recommended as a default, sha1 for compatibility"
>  
>  config DROPBEAR_SHA1
>  	bool
> @@ -273,13 +273,13 @@ config DROPBEAR_SHA512
>  
>  config DROPBEAR_MD5
>  	bool
> -	prompt "md5"
> +	prompt "md5 (not recommended!)"
>  	help
>  	  MD5 was developed by Professor Ronald L. Rivest in 1994.
>  	  Its 128 bit (16 byte) message digest makes it a faster
>  	  implementation than SHA-1.
>  
> -comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft requires dss, recommends rsa"
> +comment "Hostkey/public key algorithms, at least one required --- RSA is recommended, DSS is not recommended for new keys"
>  
>  config DROPBEAR_RSA
>  	bool
> @@ -293,7 +293,7 @@ config DROPBEAR_RSA
>  
>  config DROPBEAR_DSS
>  	bool
> -	prompt "dss"
> +	prompt "dss (not recommended!)"

Hmm, I'll take the patch as is, unless some other issues pop up. But what
do you think about removing the DES and MD5 options entirely? I mean doing
ssh with either is really pointless.

Michael

>  	help
>  	  DSS stands for Digital Signature Standard.
>  	  DSS employs the ElGamal and Schnorr PK systems to produce
> @@ -308,6 +308,8 @@ config DROPBEAR_ECDSA
>  	  ECDSA stands for Elliptic Curve Digital Signature Algorithm.
>  	  ECDSA is significantly faster than RSA or DSS.
>  
> +comment "Key exchange algorithm ---"
> +
>  config DROPBEAR_ECDH
>  	bool
>  	prompt "ecdh"
> @@ -377,7 +379,7 @@ config DROPBEAR_SCP
>  comment "OpenSSH scp is selected!"
>  	depends on OPENSSH_SCP
>  
> -comment "runtime options   ---"
> +comment "runtime options        ---"
>  
>  config DROPBEAR_STARTSCRIPT
>  	bool
> diff --git a/rules/dropbear.make b/rules/dropbear.make
> index acd9ef5f9..4f55fac48 100644
> --- a/rules/dropbear.make
> +++ b/rules/dropbear.make
> @@ -67,6 +67,7 @@ $(STATEDIR)/dropbear.prepare:
>  
>  	@echo "/* localoptions.h created by ptxdist */" > $(DROPBEAR_LOCALOPTIONS)
>  
> +# features
>  ifdef PTXCONF_DROPBEAR_DIS_X11
>  	@echo "ptxdist: disabling x11 forwarding"
>  	@echo "#define DROPBEAR_X11FWD 0" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -76,13 +77,13 @@ else
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_DIS_TCP
> -	@echo "ptxdist: disabling tcp"
> +	@echo "ptxdist: disabling tcp forwarding"
>  	@echo "#define DROPBEAR_CLI_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_CLI_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_SVR_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_SVR_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  else
> -	@echo "ptxdist: enabling tcp"
> +	@echo "ptxdist: enabling tcp forwarding"
>  	@echo "#define DROPBEAR_CLI_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_CLI_REMOTETCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_SVR_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -90,16 +91,16 @@ else
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_DIS_AGENT
> -	@echo "ptxdist: disabling agent"
> +	@echo "ptxdist: disabling auth agent forwarding"
>  	@echo "#define DROPBEAR_SVR_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_CLI_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  else
> -	@echo "ptxdist: enabling agent"
> +	@echo "ptxdist: enabling auth agent forwarding"
>  	@echo "#define DROPBEAR_SVR_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_CLI_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> -
> +# encryption
>  ifdef PTXCONF_DROPBEAR_AES128
>  	@echo "ptxdist: enabling aes128"
>  	@echo "#define DROPBEAR_AES128 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -148,6 +149,7 @@ else
>  	@echo "#define DROPBEAR_TWOFISH128 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> +# ciphers
>  ifdef PTXCONF_DROPBEAR_CBC_CIPHERS
>  	@echo "ptxdist: enabling cbc ciphers"
>  	@echo "#define DROPBEAR_ENABLE_CBC_MODE 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -165,6 +167,7 @@ else
>  	@echo "#define DROPBEAR_ENABLE_CTR_MODE 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> +# integrity
>  ifdef PTXCONF_DROPBEAR_SHA1
>  	@echo "ptxdist: enabling sha1"
>  	@echo "#define DROPBEAR_SHA1_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -210,7 +213,7 @@ else
>  	@echo "#define DROPBEAR_MD5_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> -
> +# host key / public key
>  ifdef PTXCONF_DROPBEAR_RSA
>  	@echo "ptxdist: enabling rsa"
>  	@echo "#define DROPBEAR_RSA 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -235,6 +238,7 @@ else
>  	@echo "#define DROPBEAR_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> +# key exchange algorithm
>  ifdef PTXCONF_DROPBEAR_ECDH
>  	@echo "ptxdist: enabling ecdh"
>  	@echo "#define DROPBEAR_ECDH 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -251,7 +255,7 @@ else
>  	@echo "#define DROPBEAR_CURVE25519 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> -
> +# authentication types
>  ifdef PTXCONF_DROPBEAR_PASSWD
>  	@echo "ptxdist: enabling passwd"
>  	@echo "#define DROPBEAR_SVR_PASSWORD_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS)
> -- 
> 2.27.0
> 
> 
> 


* Re: [ptxdist] [PATCH v2 4/4] dropbear: version bump 2020.79 -> 2020.81
  2020-11-06  6:58 ` [ptxdist] [PATCH v2 4/4] dropbear: version bump 2020.79 -> 2020.81 Alexander Dahl
@ 2020-11-13 10:26   ` Michael Olbrich
  2020-11-13 13:28     ` Alexander Dahl
From: Michael Olbrich @ 2020-11-13 10:26 UTC (permalink / raw)
  To: ptxdist

On Fri, Nov 06, 2020 at 07:58:11AM +0100, Alexander Dahl wrote:
> Changes in LICENSE file:
> 
> - updated copyright years
> - pointed to licenses of bundled libs, instead of just stating their
>   license
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>

Hmmm, with PTXCONF_DROPBEAR_BLOWFISH=y building fails with:

crypto_desc.c: In function 'crypto_init':
crypto_desc.c:28:4: error: 'blowfish_desc' undeclared (first use in this function); did you mean 'twofish_desc'?
crypto_desc.c:28:4: note: each undeclared identifier is reported only once for each function it appears in

Michael

> ---
>  rules/dropbear.make | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/rules/dropbear.make b/rules/dropbear.make
> index 1907bc0ae..47fed4938 100644
> --- a/rules/dropbear.make
> +++ b/rules/dropbear.make
> @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear
>  #
>  # Paths and names
>  #
> -DROPBEAR_VERSION	:= 2020.79
> -DROPBEAR_MD5		:= 830a7bf6349ac52a39c487d061efb352
> +DROPBEAR_VERSION	:= 2020.81
> +DROPBEAR_MD5		:= a07438a6159a24c61f98f1bce2d479c0
>  DROPBEAR		:= dropbear-$(DROPBEAR_VERSION)
>  DROPBEAR_SUFFIX		:= tar.bz2
>  DROPBEAR_URL		:= http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
> @@ -26,7 +26,7 @@ DROPBEAR_DIR		:= $(BUILDDIR)/$(DROPBEAR)
>  DROPBEAR_LICENSE	:= \
>  	MIT AND BSD-2-Clause AND public_domain AND SSH-short AND (public_domain OR WTFPL) AND Unlicense
>  DROPBEAR_LICENSE_FILES	:= \
> -	file://LICENSE;md5=da58928b5d844c6667963cb5a109272d \
> +	file://LICENSE;md5=25cf44512b7bc8966a48b6b1a9b7605f \
>  	file://libtomcrypt/LICENSE;md5=71baacc459522324ef3e2b9e052e8180 \
>  	file://libtommath/LICENSE;md5=23e7e0a32e53a2b1d35f5fd9ef053402 \
>  	file://loginrec.c;startline=1;endline=26;md5=0d785ee11fab1cead2c7fee9c35574f1
> -- 
> 2.27.0
> 
> 
> 


* Re: [ptxdist] [PATCH v2 4/4] dropbear: version bump 2020.79 -> 2020.81
  2020-11-13 10:26   ` Michael Olbrich
@ 2020-11-13 13:28     ` Alexander Dahl
From: Alexander Dahl @ 2020-11-13 13:28 UTC (permalink / raw)
  To: ptxdist



Hello Michael,

thanks for your review. See below.

On Fri, Nov 13, 2020 at 11:26:01AM +0100, Michael Olbrich wrote:
> On Fri, Nov 06, 2020 at 07:58:11AM +0100, Alexander Dahl wrote:
> > Changes in LICENSE file:
> > 
> > - updated copyright years
> > - pointed to licenses of bundled libs, instead of just stating their
> >   license
> > 
> > Signed-off-by: Alexander Dahl <ada@thorsis.com>
> 
> Hmmm, with PTXCONF_DROPBEAR_BLOWFISH=y building fails with:
> 
> crypto_desc.c: In function 'crypto_init':
> crypto_desc.c:28:4: error: 'blowfish_desc' undeclared (first use in this function); did you mean 'twofish_desc'?
> crypto_desc.c:28:4: note: each undeclared identifier is reported only once for each function it appears in

IIRC dropbear removed blowfish support in one of the last releases. I
have to dig through the changelogs again. This option should be
removed. I'll send a new iteration of the patch series. Maybe I also
remove the DES and MD5 options on the way.

Alex

> 
> Michael
> 
> > ---
> >  rules/dropbear.make | 6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)
> > 
> > diff --git a/rules/dropbear.make b/rules/dropbear.make
> > index 1907bc0ae..47fed4938 100644
> > --- a/rules/dropbear.make
> > +++ b/rules/dropbear.make
> > @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear
> >  #
> >  # Paths and names
> >  #
> > -DROPBEAR_VERSION	:= 2020.79
> > -DROPBEAR_MD5		:= 830a7bf6349ac52a39c487d061efb352
> > +DROPBEAR_VERSION	:= 2020.81
> > +DROPBEAR_MD5		:= a07438a6159a24c61f98f1bce2d479c0
> >  DROPBEAR		:= dropbear-$(DROPBEAR_VERSION)
> >  DROPBEAR_SUFFIX		:= tar.bz2
> >  DROPBEAR_URL		:= http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
> > @@ -26,7 +26,7 @@ DROPBEAR_DIR		:= $(BUILDDIR)/$(DROPBEAR)
> >  DROPBEAR_LICENSE	:= \
> >  	MIT AND BSD-2-Clause AND public_domain AND SSH-short AND (public_domain OR WTFPL) AND Unlicense
> >  DROPBEAR_LICENSE_FILES	:= \
> > -	file://LICENSE;md5=da58928b5d844c6667963cb5a109272d \
> > +	file://LICENSE;md5=25cf44512b7bc8966a48b6b1a9b7605f \
> >  	file://libtomcrypt/LICENSE;md5=71baacc459522324ef3e2b9e052e8180 \
> >  	file://libtommath/LICENSE;md5=23e7e0a32e53a2b1d35f5fd9ef053402 \
> >  	file://loginrec.c;startline=1;endline=26;md5=0d785ee11fab1cead2c7fee9c35574f1
> > -- 
> > 2.27.0
> > 
> > 

-- 
/"\ ASCII RIBBON | »With the first link, the chain is forged. The first
\ / CAMPAIGN     | speech censured, the first thought forbidden, the
 X  AGAINST      | first freedom denied, chains us all irrevocably.«
/ \ HTML MAIL    | (Jean-Luc Picard, quoting Judge Aaron Satie)
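The build failure above is the general case of a ptxconfig still enabling something the new upstream release removed. The following check is an added example, not code from the thread or from ptxdist: it compares the macro names in the localoptions.h that rules/dropbear.make generates against upstream's default_options.h, reports options ptxdist sets that upstream no longer declares (the blowfish case), options ptxdist turns on that upstream ships off, and upstream knobs the menu never exposes (patch 3/4 notes such gaps exist). Both headers below are constructed excerpts in the style of the real files, and the file locations named in the usage note are assumptions about the build layout.

```python
import re

# Strip /* ... */ blocks first so commented-out knobs in default_options.h do not count.
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
# A DROPBEAR_* option with a value; the include guard has no value and is skipped.
DEFINE_RE = re.compile(r"^\s*#\s*define\s+(DROPBEAR_[A-Z0-9_]+)[ \t]+(\S+)", re.M)


def defines(header_text):
    """Map DROPBEAR_* macro name -> value string for every live #define."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(COMMENT_RE.sub("", header_text))}


def stale_options(localoptions, default_options):
    """Macros ptxdist sets that upstream no longer declares (the blowfish case)."""
    return sorted(set(defines(localoptions)) - set(defines(default_options)))


def unexposed_options(localoptions, default_options):
    """Upstream knobs the generated localoptions.h never touches (menu gaps)."""
    return sorted(set(defines(default_options)) - set(defines(localoptions)))


def enabled_against_upstream_default(localoptions, default_options):
    """Macros ptxdist turns on (1) that upstream ships off (0): worth a second look."""
    local, upstream = defines(localoptions), defines(default_options)
    return sorted(n for n, v in local.items() if v == "1" and upstream.get(n) == "0")


# Constructed excerpt in the style of dropbear's default_options.h (not the real file).
DEFAULT_OPTIONS_SAMPLE = """\
#ifndef DROPBEAR_DEFAULT_OPTIONS_H_
#define DROPBEAR_DEFAULT_OPTIONS_H_
/* Encryption - at least one required. */
#define DROPBEAR_AES128 1
#define DROPBEAR_3DES 0
#define DROPBEAR_TWOFISH256 0
#define DROPBEAR_CHACHA20POLY1305 1
/* Integrity */
#define DROPBEAR_SHA1_HMAC 1
#define DROPBEAR_SHA2_256_HMAC 1
#define DROPBEAR_MD5_HMAC 0
/* Hostkey/public key algorithms */
#define DROPBEAR_ED25519 1
/* #define DROPBEAR_OLD_KNOB 1  -- commented out, must not count */
#endif
"""

# Constructed localoptions.h as rules/dropbear.make would emit it for a config
# that still has PTXCONF_DROPBEAR_BLOWFISH=y.
LOCALOPTIONS_SAMPLE = """\
/* localoptions.h created by ptxdist */
#define DROPBEAR_AES128 1
#define DROPBEAR_3DES 0
#define DROPBEAR_BLOWFISH 1
#define DROPBEAR_TWOFISH256 1
#define DROPBEAR_SHA1_HMAC 1
#define DROPBEAR_MD5_HMAC 0
"""


def report(localoptions=LOCALOPTIONS_SAMPLE, default_options=DEFAULT_OPTIONS_SAMPLE):
    """Run all three comparisons and return them keyed by finding type."""
    return {
        "stale": stale_options(localoptions, default_options),
        "unexposed": unexposed_options(localoptions, default_options),
        "enabled_but_upstream_off": enabled_against_upstream_default(localoptions, default_options),
    }


if __name__ == "__main__":
    for key, names in report().items():
        print(f"{key}: {', '.join(names) or '-'}")
```

For a real check, pass the generated header and the unpacked tarball's header, for example `report(open("build-target/dropbear-2020.81/localoptions.h").read(), open("build-target/dropbear-2020.81/default_options.h").read())` (paths assumed); anything under `stale` is an option to delete from rules/dropbear.in before the bump is merged.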

