mailarchive of the ptxdist mailing list
* [ptxdist] [PATCH v3 0/5] dropbear: version bump 2019.78 -> 2020.81
@ 2020-11-16  8:05 Alexander Dahl
From: Alexander Dahl @ 2020-11-16  8:05 UTC (permalink / raw)
  To: ptxdist

Hei hei,

this is the version bump for the dropbear SSH server split into five
patches for easier review.

- 1/5 fixes the license information

- 2/5 removes deprecated, weak, or later removed options

- 3/5 updates comments in the kconfig and make file; the first is for
  users, the second for easier maintenance of the ptxdist package (I
  used that when reviewing what changed in dropbear from 2019.78 to
  2020.79)

- 4/5 is a version bump with quite some upstream changes, including the
  fix for CVE-2018-20685.

- 5/5 is a second version bump, combining two more versions with
  regression fixes and other minor fixes, which I put in a second commit
  for easier review. This might also be squashed?

The software itself was briefly tested on armv7a aka sama5d27.

v2 -> v3:
- Added patch 2/5 to remove blowfish option, which would otherwise break
  build after version bump to 2020.79. (Michael Olbrich)

v1 -> v2:
- Removed patch stack with patch 3/4.

Greets
Alex

Alexander Dahl (5):
  dropbear: Consider licenses of bundled libs
  dropbear: Remove deprecated options
  dropbear: Revise comments
  dropbear: version bump 2019.78 -> 2020.79
  dropbear: version bump 2020.79 -> 2020.81

 .../0001-configure-Fix-disable-fuzz.patch     | 47 ----------------
 patches/dropbear-2019.78/autogen.sh           |  1 -
 patches/dropbear-2019.78/series               |  4 --
 rules/dropbear.in                             | 39 ++-----------
 rules/dropbear.make                           | 55 +++++++------------
 5 files changed, 25 insertions(+), 121 deletions(-)
 delete mode 100644 patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
 delete mode 120000 patches/dropbear-2019.78/autogen.sh
 delete mode 100644 patches/dropbear-2019.78/series


base-commit: 8617870454388edf0f0728a92f3f188edbc14986
-- 
2.27.0


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


* [ptxdist] [PATCH v3 1/5] dropbear: Consider licenses of bundled libs
From: Alexander Dahl @ 2020-11-16  8:05 UTC (permalink / raw)
  To: ptxdist

Since 673655b40733 ("dropbear: clean up the rule file and add bugfix")
it's explicitly stated that the bundled libtomcrypt and libtommath are
used in the ptxdist dropbear package.  Before that, the bundled libs
were very likely used as well, because no separate packages exist in
ptxdist.  So the dropbear package should consider the licenses of the
bundled libs.

As of dropbear 2019.78, dropbear itself states in its 'LICENSE' file
that those libs are public domain, but in fact those libs are dual
licensed public_domain and WTFPL, as their license files state.

Adding hashes for the bundled libs will help detect future changes, as
long as the dropbear package uses the bundled variant of those libs.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
 rules/dropbear.make | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/dropbear.make b/rules/dropbear.make
index d52efa396..acd9ef5f9 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -23,9 +23,12 @@ DROPBEAR_SUFFIX		:= tar.bz2
 DROPBEAR_URL		:= http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
 DROPBEAR_SOURCE		:= $(SRCDIR)/$(DROPBEAR).$(DROPBEAR_SUFFIX)
 DROPBEAR_DIR		:= $(BUILDDIR)/$(DROPBEAR)
-DROPBEAR_LICENSE	:= MIT AND BSD-2-Clause AND BSD-3-Clause AND SSH-short
+DROPBEAR_LICENSE	:= \
+	MIT AND BSD-2-Clause AND BSD-3-Clause AND SSH-short AND (public_domain OR WTFPL)
 DROPBEAR_LICENSE_FILES	:= \
 	file://LICENSE;md5=a5ec40cafba26fc4396d0b550f824e01 \
+	file://libtomcrypt/LICENSE;md5=71baacc459522324ef3e2b9e052e8180 \
+	file://libtommath/LICENSE;md5=f72771f4af5e8c382974750f9f8701ad \
 	file://loginrec.c;startline=1;endline=26;md5=0d785ee11fab1cead2c7fee9c35574f1
 
 # ----------------------------------------------------------------------------
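Review bot: the two new libtom entries in DROPBEAR_LICENSE_FILES only make sense while `--enable-bundled-libtom` is passed to configure, and nothing on these lines says so; a short comment tying the `libtomcrypt/LICENSE` and `libtommath/LICENSE` entries to the bundled build would tell whoever later switches to system libtom packages to drop the hashes instead of chasing a missing-file error. Also, `public_domain` is not an SPDX identifier (the series itself later calls Unlicense the first term with an actual SPDX identifier), so `(public_domain OR WTFPL)` relies on ptxdist's license checker tolerating a non-SPDX term inside a parenthesised OR; worth confirming before this lands.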
-- 
2.27.0
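The `file://<path>;md5=<hex>[;startline=N;endline=M]` entries pinned above are what turns a silent upstream relicensing into a build failure. The following Python script is an added example and not ptxdist's own implementation: it re-implements that check stand-alone, hashing either a whole file or only the given line range (assumed here to mean 1-based, inclusive lines, as `sed -n 'N,Mp'` would select them), and runs it against a constructed source tree in which only `libtommath/LICENSE` is rewritten, mimicking the relicensing the later 2020.79 bump records. All file contents in the demo are made up.

```python
"""Re-implementation of the ptxdist-style license hash check (added example).

Entries look like the DROPBEAR_LICENSE_FILES values in rules/dropbear.make:
    file://LICENSE;md5=<hex>
    file://loginrec.c;startline=1;endline=26;md5=<hex>
Assumption: startline/endline select 1-based, inclusive lines, as
`sed -n 'N,Mp'` would, and the hash covers those lines verbatim.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def parse_license_entry(entry: str) -> Tuple[str, Dict[str, str]]:
    """'file://loginrec.c;startline=1;endline=26;md5=abc' ->
    ('loginrec.c', {'startline': '1', 'endline': '26', 'md5': 'abc'})."""
    if not entry.startswith("file://"):
        raise ValueError(f"unsupported license entry: {entry}")
    path, *params = entry[len("file://"):].split(";")
    opts: Dict[str, str] = {}
    for param in params:
        key, sep, value = param.partition("=")
        if not sep:
            raise ValueError(f"malformed parameter {param!r} in {entry}")
        opts[key] = value
    if "md5" not in opts:
        raise ValueError(f"no md5 recorded for {path}")
    return path, opts


def license_md5(srcdir: str, path: str, opts: Dict[str, str]) -> str:
    """MD5 over the whole file, or over lines startline..endline only."""
    with open(os.path.join(srcdir, path), "rb") as fh:
        data = fh.read()
    if "startline" in opts or "endline" in opts:
        lines = data.splitlines(keepends=True)
        start = int(opts.get("startline", 1))
        end = int(opts.get("endline", len(lines)))
        data = b"".join(lines[start - 1:end])
    return hashlib.md5(data).hexdigest()


def check_license_files(srcdir: str, entries: List[str]) -> List[str]:
    """Return one message per mismatching or missing file; [] means clean."""
    problems = []
    for entry in entries:
        path, opts = parse_license_entry(entry)
        try:
            actual = license_md5(srcdir, path, opts)
        except FileNotFoundError:
            problems.append(f"{path}: file missing")
            continue
        if actual != opts["md5"]:
            problems.append(f"{path}: md5 {actual} != recorded {opts['md5']}")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Constructed tree (not dropbear's real files): a clean run, then a run
    after the bundled libtommath license text was rewritten."""
    with tempfile.TemporaryDirectory() as srcdir:
        files = {
            "LICENSE": "Dropbear summary license text (constructed)\n",
            "libtomcrypt/LICENSE": "LibTomCrypt: public domain or WTFPL (constructed)\n",
            "libtommath/LICENSE": "LibTomMath: public domain or WTFPL (constructed)\n",
            "loginrec.c": "/*\n * constructed copyright header\n */\n#include <stdio.h>\n",
        }
        for rel, text in files.items():
            full = os.path.join(srcdir, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)
        # Pin the hashes the way the rule file does; only the header of
        # loginrec.c is covered, so code edits below it must not trip it.
        entries = [
            "file://LICENSE;md5=" + license_md5(srcdir, "LICENSE", {}),
            "file://libtomcrypt/LICENSE;md5=" + license_md5(srcdir, "libtomcrypt/LICENSE", {}),
            "file://libtommath/LICENSE;md5=" + license_md5(srcdir, "libtommath/LICENSE", {}),
            "file://loginrec.c;startline=1;endline=3;md5="
            + license_md5(srcdir, "loginrec.c", {"startline": "1", "endline": "3"}),
        ]
        clean = check_license_files(srcdir, entries)
        # Simulate an upstream relicensing of one bundled lib only.
        with open(os.path.join(srcdir, "libtommath/LICENSE"), "w") as fh:
            fh.write("Unlicense-style text: released into the public domain (constructed)\n")
        # Code appended below the pinned header must not change the result.
        with open(os.path.join(srcdir, "loginrec.c"), "a") as fh:
            fh.write("int main(void) { return 0; }\n")
        changed = check_license_files(srcdir, entries)
    return clean, changed


if __name__ == "__main__":
    before, after = demo()
    print("clean tree:", before or "all license hashes match")
    print("after relicensing:", after)
```

The line-ranged form is what allows `loginrec.c` to be edited below its copyright header without tripping the check; the demo exercises exactly that by appending code to the file and expecting no finding, while the rewritten `libtommath/LICENSE` is the only entry reported.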



* [ptxdist] [PATCH v3 2/5] dropbear: Remove deprecated options
From: Alexander Dahl @ 2020-11-16  8:05 UTC (permalink / raw)
  To: ptxdist

All those options are cryptographically weak, already broken, or will be
removed in the next version anyway.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
 rules/dropbear.in   | 29 -----------------------------
 rules/dropbear.make | 25 -------------------------
 2 files changed, 54 deletions(-)

diff --git a/rules/dropbear.in b/rules/dropbear.in
index 62a4a8427..d23f9b17f 100644
--- a/rules/dropbear.in
+++ b/rules/dropbear.in
@@ -170,17 +170,6 @@ config DROPBEAR_AES256
 	  (and others) to protect sensitive information.
 
 
-config DROPBEAR_BLOWFISH
-	bool
-	prompt "Blowfish"
-	help
-	  Blowfish, by Bruce Schneier, combines a Feistel network,
-	  key-dependent S-Boxes, with a non-invertible f function.
-	  This block cipher iterates a simple encryption function
-	  16 times.
-	  Blowfish was designed with a variable key length ranging
-	  from 32 bits to 448 bits.
-
 config DROPBEAR_TWOFISH128
 	bool
 	prompt "Twofish128"
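Review bot: dropping DROPBEAR_BLOWFISH here is the right order of operations before the 2020.79 bump that removes blowfish upstream, but a ptxconfig that still carries PTXCONF_DROPBEAR_BLOWFISH=y will simply lose the symbol at the next `ptxdist oldconfig` with no hint why; one sentence in the commit message naming the removed symbols (DROPBEAR_BLOWFISH, DROPBEAR_MD5, DROPBEAR_DSS) gives users something to grep for in their own configs.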
@@ -271,14 +260,6 @@ config DROPBEAR_SHA512
 	  SHA-1. SHA-2 consists of a set of four hash functions with digests
 	  that are 224, 256, 384 or 512 bits.
 
-config DROPBEAR_MD5
-	bool
-	prompt "md5"
-	help
-	  MD5 was developed by Professor Ronald L. Rivest in 1994.
-	  Its 128 bit (16 byte) message digest makes it a faster
-	  implementation than SHA-1.
-
 comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft requires dss, recommends rsa"
 
 config DROPBEAR_RSA
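Review bot: the unchanged context at the end of this hunk still reads `SSH2 RFC Draft requires dss, recommends rsa`, and the next hunk removes the dss option; either reword that comment here or state in the commit message that 3/5 does it, otherwise a bisect that stops on this commit shows a menu recommending an option it no longer offers.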
@@ -291,16 +272,6 @@ config DROPBEAR_RSA
 	  conjectured (but not proven) to be equivalent to the
 	  Integer Factorisation Problem (IFP).
 
-config DROPBEAR_DSS
-	bool
-	prompt "dss"
-	help
-	  DSS stands for Digital Signature Standard.
-	  DSS employs the ElGamal and Schnorr PK systems to produce
-	  a fixed width signature (irrespective of the public/private
-	  key size). In contrast, RSA signature length is a function
-	  of the key length employed.
-
 config DROPBEAR_ECDSA
 	bool
 	prompt "ecdsa"
diff --git a/rules/dropbear.make b/rules/dropbear.make
index acd9ef5f9..9403afd00 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -124,14 +124,6 @@ else
 	@echo "#define DROPBEAR_AES256 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
-ifdef PTXCONF_DROPBEAR_BLOWFISH
-	@echo "ptxdist: enabling blowfish"
-	@echo "#define DROPBEAR_BLOWFISH 1" >> $(DROPBEAR_LOCALOPTIONS)
-else
-	@echo "ptxdist: disabling blowfish"
-	@echo "#define DROPBEAR_BLOWFISH 0" >> $(DROPBEAR_LOCALOPTIONS)
-endif
-
 ifdef PTXCONF_DROPBEAR_TWOFISH256
 	@echo "ptxdist: enabling twofish256"
 	@echo "#define DROPBEAR_TWOFISH256 1" >> $(DROPBEAR_LOCALOPTIONS)
@@ -201,15 +193,6 @@ else
 	@echo "#define DROPBEAR_SHA2_512_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
-ifdef PTXCONF_DROPBEAR_MD5
-	@echo "ptxdist: enabling md5"
-	@echo "WARNING: md5 is considered broken and is deactivated in upstream dropbear by default!"
-	@echo "#define DROPBEAR_MD5_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
-else
-	@echo "ptxdist: disabling md5"
-	@echo "#define DROPBEAR_MD5_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
-endif
-
 
 ifdef PTXCONF_DROPBEAR_RSA
 	@echo "ptxdist: enabling rsa"
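Review bot: the removed md5 block was preceded and followed by blank context lines, so two consecutive blank lines remain before `ifdef PTXCONF_DROPBEAR_RSA`; collapse them to one here unless 3/5 is meant to turn that spot into a section marker. The removed WARNING line documented that upstream already ships hmac-md5 disabled by default, which is the only reason no explicit `#define DROPBEAR_MD5_HMAC 0` is needed now; keeping that sentence in the commit message would preserve the justification.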
@@ -219,14 +202,6 @@ else
 	@echo "#define DROPBEAR_RSA 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
-ifdef PTXCONF_DROPBEAR_DSS
-	@echo "ptxdist: enabling dss"
-	@echo "#define DROPBEAR_DSS 1" >> $(DROPBEAR_LOCALOPTIONS)
-else
-	@echo "ptxdist: disabling dss"
-	@echo "#define DROPBEAR_DSS 0" >> $(DROPBEAR_LOCALOPTIONS)
-endif
-
 ifdef PTXCONF_DROPBEAR_ECDSA
 	@echo "ptxdist: enabling ecdsa"
 	@echo "#define DROPBEAR_ECDSA 1" >> $(DROPBEAR_LOCALOPTIONS)
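Review bot: DSS is now neither enabled nor disabled in localoptions.h, so whether dss host keys and dss pubkey auth get compiled in depends on upstream's default_options.h rather than on this rule file (the same applies to blowfish and hmac-md5 after the hunks above). If the intent is to drop the algorithm rather than to defer to upstream, write `@echo "#define DROPBEAR_DSS 0" >> $(DROPBEAR_LOCALOPTIONS)` unconditionally instead of deleting the define, and say which of the two is meant in the commit message.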
-- 
2.27.0
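What the rule file finally writes into `localoptions.h` is the security-relevant output of this package, and after this patch some options are simply no longer written, which means upstream's `default_options.h` decides them. The following Python check is an added example, not ptxdist or dropbear code: it parses a generated `localoptions.h`, reports weak options that are pinned on as well as weak options left unpinned, and checks the "at least one required" groups from the kconfig comments. The two embedded sample files are constructed to look like what the rule file writes before and after this patch; the set of weak options and the reasons given are this example's own reading of the menu text in the series, and the groups only cover options the ptxdist menu offers, so algorithms that upstream enables on its own (ed25519 after 2020.79, for instance) are not seen by it.

```python
"""Lint a ptxdist-generated dropbear localoptions.h (added example).

Reports weak algorithms that are pinned on, weak algorithms that are not
pinned at all (upstream default_options.h then decides), and the
"at least one required" groups named in the ptxdist menu. The weak list
and its wording are this example's own reading of the patch series.
"""
import re
from typing import Dict, List

DEFINE_RE = re.compile(r"^\s*#define\s+(DROPBEAR_[A-Z0-9_]+)\s+([01])\s*$")

WEAK = {
    "DROPBEAR_DSS": "dss keys, not recommended",
    "DROPBEAR_MD5_HMAC": "hmac-md5 is considered broken",
    "DROPBEAR_BLOWFISH": "blowfish is removed upstream in 2020.79",
    "DROPBEAR_3DES": "3des is no longer a default",
    "DROPBEAR_ENABLE_CBC_MODE": "CBC mode; CTR mode is the recommended replacement",
}

REQUIRED_GROUPS = {
    "cipher": ["DROPBEAR_AES128", "DROPBEAR_AES256", "DROPBEAR_TWOFISH128",
               "DROPBEAR_TWOFISH256", "DROPBEAR_3DES"],
    "integrity": ["DROPBEAR_SHA1_HMAC", "DROPBEAR_SHA2_256_HMAC", "DROPBEAR_SHA2_512_HMAC"],
    "hostkey": ["DROPBEAR_RSA", "DROPBEAR_ECDSA", "DROPBEAR_DSS"],
}


def parse_localoptions(text: str) -> Dict[str, int]:
    """Collect '#define DROPBEAR_X 0|1' lines; a later definition wins, as in C."""
    opts: Dict[str, int] = {}
    for line in text.splitlines():
        match = DEFINE_RE.match(line)
        if match:
            opts[match.group(1)] = int(match.group(2))
    return opts


def lint_localoptions(text: str) -> List[str]:
    """Return findings as 'kind: detail' strings; [] means nothing to report."""
    opts = parse_localoptions(text)
    findings: List[str] = []
    for name, why in WEAK.items():
        if name not in opts:
            findings.append(f"unpinned: {name} ({why}); upstream default decides")
        elif opts[name] == 1:
            findings.append(f"enabled: {name} ({why})")
    for group, members in REQUIRED_GROUPS.items():
        enabled = [m for m in members if opts.get(m) == 1]
        unpinned = [m for m in members if m not in opts]
        if enabled:
            continue
        if unpinned:
            findings.append(f"unclear: no {group} pinned on; "
                            f"{', '.join(unpinned)} left to upstream default")
        else:
            findings.append(f"empty: no {group} algorithm enabled")
    return findings


# Constructed samples shaped like what rules/dropbear.make writes.
SAMPLE_BEFORE = """/* localoptions.h created by ptxdist */
#define DROPBEAR_AES128 1
#define DROPBEAR_AES256 1
#define DROPBEAR_3DES 1
#define DROPBEAR_BLOWFISH 1
#define DROPBEAR_ENABLE_CBC_MODE 1
#define DROPBEAR_ENABLE_CTR_MODE 1
#define DROPBEAR_SHA1_HMAC 1
#define DROPBEAR_SHA2_256_HMAC 1
#define DROPBEAR_MD5_HMAC 1
#define DROPBEAR_RSA 1
#define DROPBEAR_DSS 1
#define DROPBEAR_ECDSA 1
"""

SAMPLE_AFTER = """/* localoptions.h created by ptxdist */
#define DROPBEAR_AES128 1
#define DROPBEAR_AES256 1
#define DROPBEAR_3DES 0
#define DROPBEAR_ENABLE_CBC_MODE 0
#define DROPBEAR_ENABLE_CTR_MODE 1
#define DROPBEAR_SHA1_HMAC 1
#define DROPBEAR_SHA2_256_HMAC 1
#define DROPBEAR_RSA 1
#define DROPBEAR_ECDSA 1
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"{label}:")
        for finding in lint_localoptions(sample) or ["clean"]:
            print("  " + finding)
```

Run against the real file (`platform-*/build-target/dropbear-*/localoptions.h` in a ptxdist workspace, path assumed) the "unpinned" findings are the ones to act on: they are exactly the options that this patch stops writing, and for each of them upstream's `default_options.h` for the packaged version, not the ptxdist menu, now decides.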



* [ptxdist] [PATCH v3 3/5] dropbear: Revise comments
From: Alexander Dahl @ 2020-11-16  8:05 UTC (permalink / raw)
  To: ptxdist

Add more section markers and update recommendations based on upstream's
'default_options.h' file.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---

Notes:
    v3:
    - Adapt to new patch 2/5 removing some options

 rules/dropbear.in   |  8 +++++---
 rules/dropbear.make | 18 +++++++++++-------
 2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/rules/dropbear.in b/rules/dropbear.in
index d23f9b17f..7f777ae64 100644
--- a/rules/dropbear.in
+++ b/rules/dropbear.in
@@ -208,7 +208,7 @@ config DROPBEAR_CTR_CIPHERS
 	  CBC mode against certain attacks. This adds around 1kB to binary
 	  size and is recommended for most cases.
 
-comment "Integrity, at least one required --- RFC Draft requires sha1-hmac and recommends sha1-96"
+comment "Integrity, at least one required --- sha2-256 is recommended as a default, sha1 for compatibility"
 
 config DROPBEAR_SHA1
 	bool
@@ -260,7 +260,7 @@ config DROPBEAR_SHA512
 	  SHA-1. SHA-2 consists of a set of four hash functions with digests
 	  that are 224, 256, 384 or 512 bits.
 
-comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft requires dss, recommends rsa"
+comment "Hostkey/public key algorithms, at least one required --- RSA is recommended, DSS is not recommended for new keys"
 
 config DROPBEAR_RSA
 	bool
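Review bot: `DSS is not recommended for new keys` points at an option that 2/5 just removed from this menu, so the new comment advertises something the user cannot select any more; `RSA or ECDSA recommended` describes the remaining choices.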
@@ -279,6 +279,8 @@ config DROPBEAR_ECDSA
 	  ECDSA stands for Elliptic Curve Digital Signature Algorithm.
 	  ECDSA is significantly faster than RSA or DSS.
 
+comment "Key exchange algorithm ---"
+
 config DROPBEAR_ECDH
 	bool
 	prompt "ecdh"
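Review bot: `Key exchange algorithm ---` is singular but heads both the ecdh and the curve25519 option; `Key exchange algorithms ---` keeps it in line with the plural `Hostkey/public key algorithms` heading above it.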
@@ -348,7 +350,7 @@ config DROPBEAR_SCP
 comment "OpenSSH scp is selected!"
 	depends on OPENSSH_SCP
 
-comment "runtime options   ---"
+comment "runtime options        ---"
 
 config DROPBEAR_STARTSCRIPT
 	bool
diff --git a/rules/dropbear.make b/rules/dropbear.make
index 9403afd00..e422eb4d5 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -67,6 +67,7 @@ $(STATEDIR)/dropbear.prepare:
 
 	@echo "/* localoptions.h created by ptxdist */" > $(DROPBEAR_LOCALOPTIONS)
 
+# features
 ifdef PTXCONF_DROPBEAR_DIS_X11
 	@echo "ptxdist: disabling x11 forwarding"
 	@echo "#define DROPBEAR_X11FWD 0" >> $(DROPBEAR_LOCALOPTIONS)
@@ -76,13 +77,13 @@ else
 endif
 
 ifdef PTXCONF_DROPBEAR_DIS_TCP
-	@echo "ptxdist: disabling tcp"
+	@echo "ptxdist: disabling tcp forwarding"
 	@echo "#define DROPBEAR_CLI_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
 	@echo "#define DROPBEAR_CLI_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
 	@echo "#define DROPBEAR_SVR_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
 	@echo "#define DROPBEAR_SVR_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
 else
-	@echo "ptxdist: enabling tcp"
+	@echo "ptxdist: enabling tcp forwarding"
 	@echo "#define DROPBEAR_CLI_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
 	@echo "#define DROPBEAR_CLI_REMOTETCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
 	@echo "#define DROPBEAR_SVR_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
@@ -90,16 +91,16 @@ else
 endif
 
 ifdef PTXCONF_DROPBEAR_DIS_AGENT
-	@echo "ptxdist: disabling agent"
+	@echo "ptxdist: disabling auth agent forwarding"
 	@echo "#define DROPBEAR_SVR_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
 	@echo "#define DROPBEAR_CLI_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
 else
-	@echo "ptxdist: enabling agent"
+	@echo "ptxdist: enabling auth agent forwarding"
 	@echo "#define DROPBEAR_SVR_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
 	@echo "#define DROPBEAR_CLI_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
-
+# encryption
 ifdef PTXCONF_DROPBEAR_AES128
 	@echo "ptxdist: enabling aes128"
 	@echo "#define DROPBEAR_AES128 1" >> $(DROPBEAR_LOCALOPTIONS)
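Review bot: `# encryption` heads the AES/3DES/Twofish blocks here, while the `# ciphers` marker added two hunks further down heads the CBC/CTR blocks; those are the ciphers and the cipher modes respectively (the kconfig help calls CBC and CTR modes), so `# ciphers` here and `# cipher modes` there would match the menu's own wording.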
@@ -140,6 +141,7 @@ else
 	@echo "#define DROPBEAR_TWOFISH128 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
+# ciphers
 ifdef PTXCONF_DROPBEAR_CBC_CIPHERS
 	@echo "ptxdist: enabling cbc ciphers"
 	@echo "#define DROPBEAR_ENABLE_CBC_MODE 1" >> $(DROPBEAR_LOCALOPTIONS)
@@ -157,6 +159,7 @@ else
 	@echo "#define DROPBEAR_ENABLE_CTR_MODE 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
+# integrity
 ifdef PTXCONF_DROPBEAR_SHA1
 	@echo "ptxdist: enabling sha1"
 	@echo "#define DROPBEAR_SHA1_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
@@ -193,7 +196,7 @@ else
 	@echo "#define DROPBEAR_SHA2_512_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
-
+# host key / public key
 ifdef PTXCONF_DROPBEAR_RSA
 	@echo "ptxdist: enabling rsa"
 	@echo "#define DROPBEAR_RSA 1" >> $(DROPBEAR_LOCALOPTIONS)
@@ -210,6 +213,7 @@ else
 	@echo "#define DROPBEAR_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
+# key exchange algorithm
 ifdef PTXCONF_DROPBEAR_ECDH
 	@echo "ptxdist: enabling ecdh"
 	@echo "#define DROPBEAR_ECDH 1" >> $(DROPBEAR_LOCALOPTIONS)
@@ -226,7 +230,7 @@ else
 	@echo "#define DROPBEAR_CURVE25519 0" >> $(DROPBEAR_LOCALOPTIONS)
 endif
 
-
+# authentication types
 ifdef PTXCONF_DROPBEAR_PASSWD
 	@echo "ptxdist: enabling passwd"
 	@echo "#define DROPBEAR_SVR_PASSWORD_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS)
-- 
2.27.0



* [ptxdist] [PATCH v3 4/5] dropbear: version bump 2019.78 -> 2020.79
From: Alexander Dahl @ 2020-11-16  8:05 UTC (permalink / raw)
  To: ptxdist

Noteworthy changes (not all options accessible through ptxdist menu):

- added support for ed25519 hostkeys and authorized_keys
- added support for chacha20-poly1305 authenticated cipher
- added support for rsa-sha2 signatures
- disabled some options by default (kconfig defaults adapted accordingly)
- blowfish has been removed
- fix idle detection clashing with keepalives
- scp fix for CVE-2018-20685 where a server could modify name of output
  files
- fsync() is called on the parent directory when writing key files to
  ensure they are flushed

One especially important change:

> Use getrandom() call on Linux to ensure sufficient entropy has been
> gathered at startup.  Dropbear now avoids reading from the random
> source at startup, instead waiting until the first connection. It is
> possible that some platforms were running without enough entropy
> previously, those could potentially block at first boot generating
> host keys.  The dropbear "-R" option is one way to avoid that.

On older toolchains/kernel headers/kernels without getrandom() support,
dropbear should behave like before.

The curve25519 implementation was replaced with the one by TweetNaCl,
which induced a change in the 'LICENSE' summary.  The old implementation
was licensed BSD-3-Clause and the new one is public domain.

The bundled libtommath changed its license from dual license (public
domain || WTFPL) to 'Unlicense' which is also a public domain license,
but with a differently worded license text and an actual SPDX
identifier.

The patch stack was dropped; the one patch was integrated upstream.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---

Notes:
    v3:
    - Reworded commit message
    
    v2:
    - Remove patch stack

 .../0001-configure-Fix-disable-fuzz.patch     | 47 -------------------
 patches/dropbear-2019.78/autogen.sh           |  1 -
 patches/dropbear-2019.78/series               |  4 --
 rules/dropbear.in                             |  2 +-
 rules/dropbear.make                           | 11 +++--
 5 files changed, 7 insertions(+), 58 deletions(-)
 delete mode 100644 patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
 delete mode 120000 patches/dropbear-2019.78/autogen.sh
 delete mode 100644 patches/dropbear-2019.78/series

diff --git a/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch b/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
deleted file mode 100644
index 03aec183a..000000000
--- a/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Alexander Dahl <ada@thorsis.com>
-Date: Wed, 11 Mar 2020 10:50:45 +0100
-Subject: [PATCH] configure: Fix --disable-fuzz
-
-When explicitly passing --disable-fuzz to ./configure fuzz was actually
-enabled.
-
-Signed-off-by: Alexander Dahl <ada@thorsis.com>
----
-
-Notes:
-    Sent upstream: https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2020q1/002202.html
-
- configure.ac | 17 ++++++++++++-----
- 1 file changed, 12 insertions(+), 5 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 7199d7cb2300..104d60cfaf53 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -326,14 +326,21 @@ AC_ARG_ENABLE(shadow,
- AC_ARG_ENABLE(fuzz,
- 	[  --enable-fuzz           Build fuzzing. Not recommended for deployment.],
- 	[
--		AC_DEFINE(DROPBEAR_FUZZ, 1, Fuzzing)
--		AC_MSG_NOTICE(Enabling fuzzing)
--		DROPBEAR_FUZZ=1
--		# libfuzzer needs linking with c++ libraries
--		AC_PROG_CXX
-+		if test "x$enableval" = "xyes"; then
-+            AC_DEFINE(DROPBEAR_FUZZ, 1, Fuzzing)
-+            AC_MSG_NOTICE(Enabling fuzzing)
-+            DROPBEAR_FUZZ=1
-+            # libfuzzer needs linking with c++ libraries
-+            AC_PROG_CXX
-+        else
-+            AC_DEFINE(DROPBEAR_FUZZ, 0, Fuzzing)
-+            AC_MSG_NOTICE(Disabling fuzzing)
-+            DROPBEAR_FUZZ=0
-+        fi
- 	],
- 	[
- 		AC_DEFINE(DROPBEAR_FUZZ, 0, Fuzzing)
-+		AC_MSG_NOTICE(Disabling fuzzing)
- 		DROPBEAR_FUZZ=0
- 	]
- 
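Review bot: the commit message says the one patch "was integrated upstream" but gives no reference; the removed file itself records where it was sent (the 2020q1 dropbear list URL in its Notes), so quote that or the upstream commit in the message so the claim can be checked without digging through history.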
diff --git a/patches/dropbear-2019.78/autogen.sh b/patches/dropbear-2019.78/autogen.sh
deleted file mode 120000
index 9f8a4cb7d..000000000
--- a/patches/dropbear-2019.78/autogen.sh
+++ /dev/null
@@ -1 +0,0 @@
-../autogen.sh
\ No newline at end of file
diff --git a/patches/dropbear-2019.78/series b/patches/dropbear-2019.78/series
deleted file mode 100644
index 3e5a5247e..000000000
--- a/patches/dropbear-2019.78/series
+++ /dev/null
@@ -1,4 +0,0 @@
-# generated by git-ptx-patches
-#tag:base --start-number 1
-0001-configure-Fix-disable-fuzz.patch
-# c03ca050bdd0c61ac96e5bd22c9d0947  - git-ptx-patches magic
diff --git a/rules/dropbear.in b/rules/dropbear.in
index 7f777ae64..c0da7e222 100644
--- a/rules/dropbear.in
+++ b/rules/dropbear.in
@@ -116,6 +116,7 @@ comment "features"
 config DROPBEAR_DIS_X11
 	bool
 	prompt "disable X11 Forwarding"
+	default y
 	help
 	  X11 forwarding means passing X11 (graphical interface)
 	  information over the SSH connection.
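Review bot: `default y` only takes effect for ptxconfigs that have never stored a value for DROPBEAR_DIS_X11; existing projects keep whatever they saved, so the "kconfig defaults adapted accordingly" line in the commit message should say that existing configurations are unchanged and that only new ones get X11 forwarding disabled.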
@@ -149,7 +150,6 @@ config DROPBEAR_AES128
 config DROPBEAR_3DES
 	bool
 	prompt "3DES"
-	default y
 	help
 	  DES is an IBM algorithm designed during the 1970s.
 	  In 1976, NIST has officially adopted it as an encryption
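Review bot: the help text below the removed `default y` still presents 3DES only as the NIST-adopted IBM algorithm; since the default is dropped to follow upstream, a sentence saying it is kept for legacy peers only would tell the user why the option is now off.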
diff --git a/rules/dropbear.make b/rules/dropbear.make
index e422eb4d5..a9404592e 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -16,19 +16,19 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear
 #
 # Paths and names
 #
-DROPBEAR_VERSION	:= 2019.78
-DROPBEAR_MD5		:= a972c85ed678ad0fdcb7844e1294fb54
+DROPBEAR_VERSION	:= 2020.79
+DROPBEAR_MD5		:= 830a7bf6349ac52a39c487d061efb352
 DROPBEAR		:= dropbear-$(DROPBEAR_VERSION)
 DROPBEAR_SUFFIX		:= tar.bz2
 DROPBEAR_URL		:= http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
 DROPBEAR_SOURCE		:= $(SRCDIR)/$(DROPBEAR).$(DROPBEAR_SUFFIX)
 DROPBEAR_DIR		:= $(BUILDDIR)/$(DROPBEAR)
 DROPBEAR_LICENSE	:= \
-	MIT AND BSD-2-Clause AND BSD-3-Clause AND SSH-short AND (public_domain OR WTFPL)
+	MIT AND BSD-2-Clause AND public_domain AND SSH-short AND (public_domain OR WTFPL) AND Unlicense
 DROPBEAR_LICENSE_FILES	:= \
-	file://LICENSE;md5=a5ec40cafba26fc4396d0b550f824e01 \
+	file://LICENSE;md5=da58928b5d844c6667963cb5a109272d \
 	file://libtomcrypt/LICENSE;md5=71baacc459522324ef3e2b9e052e8180 \
-	file://libtommath/LICENSE;md5=f72771f4af5e8c382974750f9f8701ad \
+	file://libtommath/LICENSE;md5=23e7e0a32e53a2b1d35f5fd9ef053402 \
 	file://loginrec.c;startline=1;endline=26;md5=0d785ee11fab1cead2c7fee9c35574f1
 
 # ----------------------------------------------------------------------------
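Review bot: DROPBEAR_URL still downloads over plain http, so the digest in DROPBEAR_MD5 is the only thing between the build and a substituted tarball, and the commit message does not say how the new digest was obtained. Switch the URL to https if upstream serves it, and state in the message that the tarball was checked against upstream's release signature before the hash was recorded. Minor: `public_domain` now appears twice in DROPBEAR_LICENSE (once for the TweetNaCl curve25519 code, once inside the libtomcrypt OR); a comment mapping each term to its component would make the next license diff reviewable.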
@@ -48,6 +48,7 @@ DROPBEAR_CONF_OPT 	:= \
 	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_OPENPTY)-openpty \
 	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_SYSLOG)-syslog \
 	--enable-shadow \
+	--disable-plugin \
 	--disable-fuzz \
 	--enable-bundled-libtom \
 	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_LASTLOG)-lastlog \
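Review bot: `--disable-plugin` appears in DROPBEAR_CONF_OPT without a word in the commit message; add a sentence saying what it switches off (upstream's external authentication plugin interface) and why ptxdist keeps it off, so the option does not look like an accidental leftover next to `--disable-fuzz`.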
-- 
2.27.0
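The quoted changelog entry above is the one to test on a board: with 2020.79, dropbear's first connection (or host-key generation, if keys are missing) waits for the kernel's random pool to be initialised, and a freshly flashed device with little entropy can sit there. The following Python probe is an added example, not dropbear code; it uses the same `getrandom()` call in non-blocking mode to tell "ready" from "still seeding" from "no getrandom on this kernel or libc", plus a small poll loop a boot script could use to decide whether to start dropbear with `-R` or to pre-generate host keys. The poll function takes an injectable probe so the waiting logic can be exercised offline; `os.getrandom` exists on Linux with Python 3.6 or newer.

```python
"""Probe the state of the kernel's random pool (added example, not dropbear).

dropbear 2020.79 uses getrandom() and can block until the pool is
initialised; this probe asks the same question without blocking so a
boot script can decide whether starting dropbear (or generating host
keys) would stall. Requires Linux and Python 3.6+ for os.getrandom.
"""
import errno
import os
import time
from typing import Callable


def crng_state(nbytes: int = 32) -> str:
    """'ready' if getrandom() returns without blocking, 'seeding' if the
    pool is not initialised yet, 'unsupported' if the syscall is absent."""
    if not hasattr(os, "getrandom"):
        return "unsupported"           # non-Linux or old Python
    try:
        got = os.getrandom(nbytes, os.GRND_NONBLOCK)
    except BlockingIOError:            # EAGAIN: pool still seeding
        return "seeding"
    except OSError as exc:
        if exc.errno == errno.ENOSYS:  # kernel older than 3.17
            return "unsupported"
        raise
    return "ready" if len(got) == nbytes else "seeding"


def wait_for_crng(timeout_s: float, poll_s: float = 0.5,
                  probe: Callable[[], str] = crng_state) -> str:
    """Poll until the pool is ready or the timeout expires.
    Returns the last observed state: 'ready', 'seeding' or 'unsupported'.
    `probe` is injectable so the loop can be tested without a real kernel."""
    deadline = time.monotonic() + timeout_s
    while True:
        state = probe()
        if state != "seeding":
            return state
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return "seeding"
        time.sleep(min(poll_s, remaining))


if __name__ == "__main__":
    state = wait_for_crng(timeout_s=10.0)
    if state == "ready":
        print("random pool initialised; dropbear will not block on startup")
    elif state == "seeding":
        print("pool still seeding after timeout; consider dropbear -R or pre-generated host keys")
    else:
        print("getrandom() unavailable; dropbear falls back to its previous behaviour")
```

On the sama5d27 class of boards mentioned in the cover letter, running this early in boot answers the question the changelog raises: if it reports "seeding" for more than a few seconds, the device has no hardware RNG feeding the pool, and `-R` (generate host keys on first connection) or keys generated at image build time are the practical choices.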



* [ptxdist] [PATCH v3 5/5] dropbear: version bump 2020.79 -> 2020.81
From: Alexander Dahl @ 2020-11-16  8:05 UTC (permalink / raw)
  To: ptxdist

Changes in LICENSE file:

- updated copyright years
- pointed to licenses of bundled libs, instead of just stating their
  license

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
 rules/dropbear.make | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/dropbear.make b/rules/dropbear.make
index a9404592e..6d6e248a2 100644
--- a/rules/dropbear.make
+++ b/rules/dropbear.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear
 #
 # Paths and names
 #
-DROPBEAR_VERSION	:= 2020.79
-DROPBEAR_MD5		:= 830a7bf6349ac52a39c487d061efb352
+DROPBEAR_VERSION	:= 2020.81
+DROPBEAR_MD5		:= a07438a6159a24c61f98f1bce2d479c0
 DROPBEAR		:= dropbear-$(DROPBEAR_VERSION)
 DROPBEAR_SUFFIX		:= tar.bz2
 DROPBEAR_URL		:= http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
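Review bot: this replaces the 2020.79 hash recorded one commit earlier, so if the maintainer takes the cover letter's offer to squash, the intermediate md5 never gets verified by anyone; either keep the split and state for each commit that the tarball was checked against the upstream release signature, or squash and record only the 2020.81 digest.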
@@ -26,7 +26,7 @@ DROPBEAR_DIR		:= $(BUILDDIR)/$(DROPBEAR)
 DROPBEAR_LICENSE	:= \
 	MIT AND BSD-2-Clause AND public_domain AND SSH-short AND (public_domain OR WTFPL) AND Unlicense
 DROPBEAR_LICENSE_FILES	:= \
-	file://LICENSE;md5=da58928b5d844c6667963cb5a109272d \
+	file://LICENSE;md5=25cf44512b7bc8966a48b6b1a9b7605f \
 	file://libtomcrypt/LICENSE;md5=71baacc459522324ef3e2b9e052e8180 \
 	file://libtommath/LICENSE;md5=23e7e0a32e53a2b1d35f5fd9ef053402 \
 	file://loginrec.c;startline=1;endline=26;md5=0d785ee11fab1cead2c7fee9c35574f1
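Review bot: only the top-level LICENSE hash changes while DROPBEAR_LICENSE and the libtom hashes stay put; that matches the commit message (LICENSE now refers to the bundled libs' own files, the component licenses themselves did not change), and saying so explicitly in the message would pre-empt the question of why the license expression was not touched.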
-- 
2.27.0



* Re: [ptxdist] [APPLIED] dropbear: Consider licenses of bundled libs
From: Michael Olbrich @ 2020-11-20  7:56 UTC (permalink / raw)
  To: ptxdist; +Cc: Alexander Dahl

Thanks, applied as ad7ed6f84920cd90ba058c53b931bfd6202ca9c1.

Michael

[sent from post-receive hook]

On Fri, 20 Nov 2020 08:56:18 +0100, Alexander Dahl <ada@thorsis.com> wrote:
> Since 673655b40733 ("dropbear: clean up the rule file and add bugfix")
> it's explicitly stated that the bundled libtomcrypt and libtommath are
> used in the ptxdist dropbear package.  Before that, the bundled libs
> were very likely used as well, because no separate packages exist in
> ptxdist.  So the dropbear package should consider the licenses of the
> bundled libs.
> 
> As of dropbear 2019.78, dropbear itself states in its 'LICENSE' file
> that those libs are public domain, but in fact those libs are dual
> licensed public_domain and WTFPL, as their license files state.
> 
> Adding hashes for the bundled libs will help detect future changes, as
> long as the dropbear package uses the bundled variant of those libs.
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20201116080552.25031-2-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/dropbear.make b/rules/dropbear.make
> index d52efa3968e2..acd9ef5f97d6 100644
> --- a/rules/dropbear.make
> +++ b/rules/dropbear.make
> @@ -23,9 +23,12 @@ DROPBEAR_SUFFIX		:= tar.bz2
>  DROPBEAR_URL		:= http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
>  DROPBEAR_SOURCE		:= $(SRCDIR)/$(DROPBEAR).$(DROPBEAR_SUFFIX)
>  DROPBEAR_DIR		:= $(BUILDDIR)/$(DROPBEAR)
> -DROPBEAR_LICENSE	:= MIT AND BSD-2-Clause AND BSD-3-Clause AND SSH-short
> +DROPBEAR_LICENSE	:= \
> +	MIT AND BSD-2-Clause AND BSD-3-Clause AND SSH-short AND (public_domain OR WTFPL)
>  DROPBEAR_LICENSE_FILES	:= \
>  	file://LICENSE;md5=a5ec40cafba26fc4396d0b550f824e01 \
> +	file://libtomcrypt/LICENSE;md5=71baacc459522324ef3e2b9e052e8180 \
> +	file://libtommath/LICENSE;md5=f72771f4af5e8c382974750f9f8701ad \
>  	file://loginrec.c;startline=1;endline=26;md5=0d785ee11fab1cead2c7fee9c35574f1
>  
>  # ----------------------------------------------------------------------------


* Re: [ptxdist] [APPLIED] dropbear: Remove deprecated options
From: Michael Olbrich @ 2020-11-20  7:56 UTC (permalink / raw)
  To: ptxdist; +Cc: Alexander Dahl

Thanks, applied as 01ac7cc409b59dfbdcc0e231733d3893c51ee8cc.

Michael

[sent from post-receive hook]

On Fri, 20 Nov 2020 08:56:19 +0100, Alexander Dahl <ada@thorsis.com> wrote:
> All those options are cryptographically weak, already broken, or will be
> removed in the next version anyway.
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20201116080552.25031-3-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/dropbear.in b/rules/dropbear.in
> index 62a4a842703a..d23f9b17f02a 100644
> --- a/rules/dropbear.in
> +++ b/rules/dropbear.in
> @@ -170,17 +170,6 @@ config DROPBEAR_AES256
>  	  (and others) to protect sensitive information.
>  
>  
> -config DROPBEAR_BLOWFISH
> -	bool
> -	prompt "Blowfish"
> -	help
> -	  Blowfish, by Bruce Schneier, combines a Feistel network,
> -	  key-dependent S-Boxes, with a non-invertible f function.
> -	  This block cipher iterates a simple encryption function
> -	  16 times.
> -	  Blowfish was designed with a variable key length ranging
> -	  from 32 bits to 448 bits.
> -
>  config DROPBEAR_TWOFISH128
>  	bool
>  	prompt "Twofish128"
> @@ -271,14 +260,6 @@ config DROPBEAR_SHA512
>  	  SHA-1. SHA-2 consists of a set of four hash functions with digests
>  	  that are 224, 256, 384 or 512 bits.
>  
> -config DROPBEAR_MD5
> -	bool
> -	prompt "md5"
> -	help
> -	  MD5 was developed by Professor Ronald L. Rivest in 1994.
> -	  Its 128 bit (16 byte) message digest makes it a faster
> -	  implementation than SHA-1.
> -
>  comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft requires dss, recommends rsa"
>  
>  config DROPBEAR_RSA
> @@ -291,16 +272,6 @@ config DROPBEAR_RSA
>  	  conjectured (but not proven) to be equivalent to the
>  	  Integer Factorisation Problem (IFP).
>  
> -config DROPBEAR_DSS
> -	bool
> -	prompt "dss"
> -	help
> -	  DSS stands for Digital Signature Standard.
> -	  DSS employs the ElGamal and Schnorr PK systems to produce
> -	  a fixed width signature (irrespective of the public/private
> -	  key size). In contrast, RSA signature length is a function
> -	  of the key length employed.
> -
>  config DROPBEAR_ECDSA
>  	bool
>  	prompt "ecdsa"
> diff --git a/rules/dropbear.make b/rules/dropbear.make
> index acd9ef5f97d6..9403afd006d7 100644
> --- a/rules/dropbear.make
> +++ b/rules/dropbear.make
> @@ -124,14 +124,6 @@ else
>  	@echo "#define DROPBEAR_AES256 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> -ifdef PTXCONF_DROPBEAR_BLOWFISH
> -	@echo "ptxdist: enabling blowfish"
> -	@echo "#define DROPBEAR_BLOWFISH 1" >> $(DROPBEAR_LOCALOPTIONS)
> -else
> -	@echo "ptxdist: disabling blowfish"
> -	@echo "#define DROPBEAR_BLOWFISH 0" >> $(DROPBEAR_LOCALOPTIONS)
> -endif
> -
>  ifdef PTXCONF_DROPBEAR_TWOFISH256
>  	@echo "ptxdist: enabling twofish256"
>  	@echo "#define DROPBEAR_TWOFISH256 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -201,15 +193,6 @@ else
>  	@echo "#define DROPBEAR_SHA2_512_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> -ifdef PTXCONF_DROPBEAR_MD5
> -	@echo "ptxdist: enabling md5"
> -	@echo "WARNING: md5 is considered broken and is deactivated in upstream dropbear by default!"
> -	@echo "#define DROPBEAR_MD5_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
> -else
> -	@echo "ptxdist: disabling md5"
> -	@echo "#define DROPBEAR_MD5_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
> -endif
> -
>  
>  ifdef PTXCONF_DROPBEAR_RSA
>  	@echo "ptxdist: enabling rsa"
> @@ -219,14 +202,6 @@ else
>  	@echo "#define DROPBEAR_RSA 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> -ifdef PTXCONF_DROPBEAR_DSS
> -	@echo "ptxdist: enabling dss"
> -	@echo "#define DROPBEAR_DSS 1" >> $(DROPBEAR_LOCALOPTIONS)
> -else
> -	@echo "ptxdist: disabling dss"
> -	@echo "#define DROPBEAR_DSS 0" >> $(DROPBEAR_LOCALOPTIONS)
> -endif
> -
>  ifdef PTXCONF_DROPBEAR_ECDSA
>  	@echo "ptxdist: enabling ecdsa"
>  	@echo "#define DROPBEAR_ECDSA 1" >> $(DROPBEAR_LOCALOPTIONS)

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


* Re: [ptxdist] [APPLIED] dropbear: Revise comments
  2020-11-16  8:05 ` [ptxdist] [PATCH v3 3/5] dropbear: Revise comments Alexander Dahl
@ 2020-11-20  7:56   ` Michael Olbrich
  0 siblings, 0 replies; 11+ messages in thread
From: Michael Olbrich @ 2020-11-20  7:56 UTC (permalink / raw)
  To: ptxdist; +Cc: Alexander Dahl

Thanks, applied as 55129e58359e94cecae7c158d63cbf9d0a44ea6f.

Michael

[sent from post-receive hook]

On Fri, 20 Nov 2020 08:56:20 +0100, Alexander Dahl <ada@thorsis.com> wrote:
> Add more section markers and update recommendations based on upstream's
> 'default_options.h' file.
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20201116080552.25031-4-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/dropbear.in b/rules/dropbear.in
> index d23f9b17f02a..7f777ae648fd 100644
> --- a/rules/dropbear.in
> +++ b/rules/dropbear.in
> @@ -208,7 +208,7 @@ config DROPBEAR_CTR_CIPHERS
>  	  CBC mode against certain attacks. This adds around 1kB to binary
>  	  size and is recommended for most cases.
>  
> -comment "Integrity, at least one required --- RFC Draft requires sha1-hmac and recommends sha1-96"
> +comment "Integrity, at least one required --- sha2-256 is recommended as a default, sha1 for compatibility"
>  
>  config DROPBEAR_SHA1
>  	bool
> @@ -260,7 +260,7 @@ config DROPBEAR_SHA512
>  	  SHA-1. SHA-2 consists of a set of four hash functions with digests
>  	  that are 224, 256, 384 or 512 bits.
>  
> -comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft requires dss, recommends rsa"
> +comment "Hostkey/public key algorithms, at least one required --- RSA is recommended, DSS is not recommended for new keys"
>  
>  config DROPBEAR_RSA
>  	bool
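Review bot: the new comment text still names DSS (`DSS is not recommended for new keys`), but `config DROPBEAR_DSS` was removed from this file in patch 2/5 of this series, so the menu would warn against an option the user can no longer see; reword to something like `Hostkey/public key algorithms, at least one required --- RSA or ECDSA recommended`, or simply drop the DSS clause.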
> @@ -279,6 +279,8 @@ config DROPBEAR_ECDSA
>  	  ECDSA stands for Elliptic Curve Digital Signature Algorithm.
>  	  ECDSA is significantly faster than RSA or DSS.
>  
> +comment "Key exchange algorithm ---"
> +
>  config DROPBEAR_ECDH
>  	bool
>  	prompt "ecdh"
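Review bot: the unchanged context line `ECDSA is significantly faster than RSA or DSS.` in the DROPBEAR_ECDSA help text is another stale reference to the removed DSS option; since this patch is revising comments anyway, it is the natural place to trim it.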
> @@ -348,7 +350,7 @@ config DROPBEAR_SCP
>  comment "OpenSSH scp is selected!"
>  	depends on OPENSSH_SCP
>  
> -comment "runtime options   ---"
> +comment "runtime options        ---"
>  
>  config DROPBEAR_STARTSCRIPT
>  	bool
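Review bot: the only change in this hunk is extra padding inside `comment "runtime options        ---"`; if the intent is to align the `---` column with the other comment lines in the file, say so in the commit message, otherwise a whitespace-only hunk looks accidental.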
> diff --git a/rules/dropbear.make b/rules/dropbear.make
> index 9403afd006d7..e422eb4d5e1e 100644
> --- a/rules/dropbear.make
> +++ b/rules/dropbear.make
> @@ -67,6 +67,7 @@ $(STATEDIR)/dropbear.prepare:
>  
>  	@echo "/* localoptions.h created by ptxdist */" > $(DROPBEAR_LOCALOPTIONS)
>  
> +# features
>  ifdef PTXCONF_DROPBEAR_DIS_X11
>  	@echo "ptxdist: disabling x11 forwarding"
>  	@echo "#define DROPBEAR_X11FWD 0" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -76,13 +77,13 @@ else
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_DIS_TCP
> -	@echo "ptxdist: disabling tcp"
> +	@echo "ptxdist: disabling tcp forwarding"
>  	@echo "#define DROPBEAR_CLI_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_CLI_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_SVR_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_SVR_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  else
> -	@echo "ptxdist: enabling tcp"
> +	@echo "ptxdist: enabling tcp forwarding"
>  	@echo "#define DROPBEAR_CLI_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_CLI_REMOTETCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_SVR_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -90,16 +91,16 @@ else
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_DIS_AGENT
> -	@echo "ptxdist: disabling agent"
> +	@echo "ptxdist: disabling auth agent forwarding"
>  	@echo "#define DROPBEAR_SVR_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_CLI_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  else
> -	@echo "ptxdist: enabling agent"
> +	@echo "ptxdist: enabling auth agent forwarding"
>  	@echo "#define DROPBEAR_SVR_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_CLI_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> -
> +# encryption
>  ifdef PTXCONF_DROPBEAR_AES128
>  	@echo "ptxdist: enabling aes128"
>  	@echo "#define DROPBEAR_AES128 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -140,6 +141,7 @@ else
>  	@echo "#define DROPBEAR_TWOFISH128 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> +# ciphers
>  ifdef PTXCONF_DROPBEAR_CBC_CIPHERS
>  	@echo "ptxdist: enabling cbc ciphers"
>  	@echo "#define DROPBEAR_ENABLE_CBC_MODE 1" >> $(DROPBEAR_LOCALOPTIONS)
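Review bot: labelling the CBC/CTR switches `# ciphers` while the aes/3des/twofish blocks above are labelled `# encryption` is confusing, since the latter are the ciphers and the former are cipher modes; suggest `# cipher modes` for this block (and, if you want the make file to mirror the kconfig section names, use the same wording in both files).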
> @@ -157,6 +159,7 @@ else
>  	@echo "#define DROPBEAR_ENABLE_CTR_MODE 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> +# integrity
>  ifdef PTXCONF_DROPBEAR_SHA1
>  	@echo "ptxdist: enabling sha1"
>  	@echo "#define DROPBEAR_SHA1_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -193,7 +196,7 @@ else
>  	@echo "#define DROPBEAR_SHA2_512_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> -
> +# host key / public key
>  ifdef PTXCONF_DROPBEAR_RSA
>  	@echo "ptxdist: enabling rsa"
>  	@echo "#define DROPBEAR_RSA 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -210,6 +213,7 @@ else
>  	@echo "#define DROPBEAR_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> +# key exchange algorithm
>  ifdef PTXCONF_DROPBEAR_ECDH
>  	@echo "ptxdist: enabling ecdh"
>  	@echo "#define DROPBEAR_ECDH 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -226,7 +230,7 @@ else
>  	@echo "#define DROPBEAR_CURVE25519 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> -
> +# authentication types
>  ifdef PTXCONF_DROPBEAR_PASSWD
>  	@echo "ptxdist: enabling passwd"
>  	@echo "#define DROPBEAR_SVR_PASSWORD_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS)


* Re: [ptxdist] [APPLIED] dropbear: version bump 2019.78 -> 2020.79
  2020-11-16  8:05 ` [ptxdist] [PATCH v3 4/5] dropbear: version bump 2019.78 -> 2020.79 Alexander Dahl
@ 2020-11-20  7:56   ` Michael Olbrich
  0 siblings, 0 replies; 11+ messages in thread
From: Michael Olbrich @ 2020-11-20  7:56 UTC (permalink / raw)
  To: ptxdist; +Cc: Alexander Dahl

Thanks, applied as 80326bc43e71d1b012b33287d64aa4768a28e00d.

Michael

[sent from post-receive hook]

On Fri, 20 Nov 2020 08:56:21 +0100, Alexander Dahl <ada@thorsis.com> wrote:
> Noteworthy changes (not all options accessible through ptxdist menu):
> 
> - added support for ed25519 hostkeys and authorized_keys
> - added support for chacha20-poly1305 authenticated cipher
> - added support for rsa-sha2 signatures
> - disabled some options by default (kconfig defaults adapted accordingly)
> - blowfish has been removed
> - fix idle detection clashing with keepalives
> - scp fix for CVE-2018-20685 where a server could modify name of output
>   files
> - fsync() is called on the parent directory when writing key files to
>   ensure they are flushed
> 
> One especially important change:
> 
> > Use getrandom() call on Linux to ensure sufficient entropy has been
> > gathered at startup.  Dropbear now avoids reading from the random
> > source at startup, instead waiting until the first connection. It is
> > possible that some platforms were running without enough entropy
> > previously, those could potentially block at first boot generating
> > host keys.  The dropbear "-R" option is one way to avoid that.
> 
> On older toolchains/kernel headers/kernels without getrandom() support,
> dropbear should behave like before.
> 
> The curve25519 implementation was replaced with the one by TweetNaCl,
> which induced a change in 'LICENSE' summary.  The old implementation was
> licensed BSD-3-Clause and the new is public domain.
> 
> The bundled libtommath changed its license from dual license (public
> domain || WTFPL) to 'Unlicense' which is also a public domain license,
> but with a differently worded license text and an actual SPDX
> identifier.
> 
> The patch stack was dropped, the one patch was integrated upstream.
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20201116080552.25031-5-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch b/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
> deleted file mode 100644
> index 03aec183a8c6..000000000000
> --- a/patches/dropbear-2019.78/0001-configure-Fix-disable-fuzz.patch
> +++ /dev/null
> @@ -1,47 +0,0 @@
> -From: Alexander Dahl <ada@thorsis.com>
> -Date: Wed, 11 Mar 2020 10:50:45 +0100
> -Subject: [PATCH] configure: Fix --disable-fuzz
> -
> -When explicitly passing --disable-fuzz to ./configure fuzz was actually
> -enabled.
> -
> -Signed-off-by: Alexander Dahl <ada@thorsis.com>
> ----
> -
> -Notes:
> -    Sent upstream: https://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2020q1/002202.html
> -
> - configure.ac | 17 ++++++++++++-----
> - 1 file changed, 12 insertions(+), 5 deletions(-)
> -
> -diff --git a/configure.ac b/configure.ac
> -index 7199d7cb2300..104d60cfaf53 100644
> ---- a/configure.ac
> -+++ b/configure.ac
> -@@ -326,14 +326,21 @@ AC_ARG_ENABLE(shadow,
> - AC_ARG_ENABLE(fuzz,
> - 	[  --enable-fuzz           Build fuzzing. Not recommended for deployment.],
> - 	[
> --		AC_DEFINE(DROPBEAR_FUZZ, 1, Fuzzing)
> --		AC_MSG_NOTICE(Enabling fuzzing)
> --		DROPBEAR_FUZZ=1
> --		# libfuzzer needs linking with c++ libraries
> --		AC_PROG_CXX
> -+		if test "x$enableval" = "xyes"; then
> -+            AC_DEFINE(DROPBEAR_FUZZ, 1, Fuzzing)
> -+            AC_MSG_NOTICE(Enabling fuzzing)
> -+            DROPBEAR_FUZZ=1
> -+            # libfuzzer needs linking with c++ libraries
> -+            AC_PROG_CXX
> -+        else
> -+            AC_DEFINE(DROPBEAR_FUZZ, 0, Fuzzing)
> -+            AC_MSG_NOTICE(Disabling fuzzing)
> -+            DROPBEAR_FUZZ=0
> -+        fi
> - 	],
> - 	[
> - 		AC_DEFINE(DROPBEAR_FUZZ, 0, Fuzzing)
> -+		AC_MSG_NOTICE(Disabling fuzzing)
> - 		DROPBEAR_FUZZ=0
> - 	]
> - 
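Review bot: the commit message says this patch was integrated upstream, but neither the message nor the deleted file's `Notes:` block (which only records that it was sent to the dropbear list) names the upstream commit or the first release that contains the fix; add that reference so the removal can be verified against the 2020.79 tarball rather than taken on trust.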
> diff --git a/patches/dropbear-2019.78/autogen.sh b/patches/dropbear-2019.78/autogen.sh
> deleted file mode 120000
> index 9f8a4cb7ddcb..000000000000
> --- a/patches/dropbear-2019.78/autogen.sh
> +++ /dev/null
> @@ -1 +0,0 @@
> -../autogen.sh
> \ No newline at end of file
> diff --git a/patches/dropbear-2019.78/series b/patches/dropbear-2019.78/series
> deleted file mode 100644
> index 3e5a5247e50c..000000000000
> --- a/patches/dropbear-2019.78/series
> +++ /dev/null
> @@ -1,4 +0,0 @@
> -# generated by git-ptx-patches
> -#tag:base --start-number 1
> -0001-configure-Fix-disable-fuzz.patch
> -# c03ca050bdd0c61ac96e5bd22c9d0947  - git-ptx-patches magic
> diff --git a/rules/dropbear.in b/rules/dropbear.in
> index 7f777ae648fd..c0da7e222f2d 100644
> --- a/rules/dropbear.in
> +++ b/rules/dropbear.in
> @@ -116,6 +116,7 @@ comment "features"
>  config DROPBEAR_DIS_X11
>  	bool
>  	prompt "disable X11 Forwarding"
> +	default y
>  	help
>  	  X11 forwarding means passing X11 (graphical interface)
>  	  information over the SSH connection.
> @@ -149,7 +150,6 @@ config DROPBEAR_AES128
>  config DROPBEAR_3DES
>  	bool
>  	prompt "3DES"
> -	default y
>  	help
>  	  DES is an IBM algorithm designed during the 1970s.
>  	  In 1976, NIST has officially adopted it as an encryption
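Review bot: dropping `default y` from DROPBEAR_3DES is a sensible default change, but together with the `default y` added to DROPBEAR_DIS_X11 in the hunk above, the commit message's `disabled some options by default` should list which kconfig symbols changed their default; from the diff alone a reader can only see that 3DES is no longer selected by default and cannot tell whether another cipher still is, which matters if a fresh configuration is expected to build a usable server without further menu changes.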
> diff --git a/rules/dropbear.make b/rules/dropbear.make
> index e422eb4d5e1e..a9404592e3af 100644
> --- a/rules/dropbear.make
> +++ b/rules/dropbear.make
> @@ -16,19 +16,19 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear
>  #
>  # Paths and names
>  #
> -DROPBEAR_VERSION	:= 2019.78
> -DROPBEAR_MD5		:= a972c85ed678ad0fdcb7844e1294fb54
> +DROPBEAR_VERSION	:= 2020.79
> +DROPBEAR_MD5		:= 830a7bf6349ac52a39c487d061efb352
>  DROPBEAR		:= dropbear-$(DROPBEAR_VERSION)
>  DROPBEAR_SUFFIX		:= tar.bz2
>  DROPBEAR_URL		:= http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
>  DROPBEAR_SOURCE		:= $(SRCDIR)/$(DROPBEAR).$(DROPBEAR_SUFFIX)
>  DROPBEAR_DIR		:= $(BUILDDIR)/$(DROPBEAR)
>  DROPBEAR_LICENSE	:= \
> -	MIT AND BSD-2-Clause AND BSD-3-Clause AND SSH-short AND (public_domain OR WTFPL)
> +	MIT AND BSD-2-Clause AND public_domain AND SSH-short AND (public_domain OR WTFPL) AND Unlicense
>  DROPBEAR_LICENSE_FILES	:= \
> -	file://LICENSE;md5=a5ec40cafba26fc4396d0b550f824e01 \
> +	file://LICENSE;md5=da58928b5d844c6667963cb5a109272d \
>  	file://libtomcrypt/LICENSE;md5=71baacc459522324ef3e2b9e052e8180 \
> -	file://libtommath/LICENSE;md5=f72771f4af5e8c382974750f9f8701ad \
> +	file://libtommath/LICENSE;md5=23e7e0a32e53a2b1d35f5fd9ef053402 \
>  	file://loginrec.c;startline=1;endline=26;md5=0d785ee11fab1cead2c7fee9c35574f1
>  
>  # ----------------------------------------------------------------------------
> @@ -48,6 +48,7 @@ DROPBEAR_CONF_OPT 	:= \
>  	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_OPENPTY)-openpty \
>  	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_SYSLOG)-syslog \
>  	--enable-shadow \
> +	--disable-plugin \
>  	--disable-fuzz \
>  	--enable-bundled-libtom \
>  	--$(call ptx/disen, PTXCONF_DROPBEAR_DIS_LASTLOG)-lastlog \
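Review bot: `--disable-plugin` is new in DROPBEAR_CONF_OPT but is not mentioned in the commit message; add a line saying why it is pinned off. Keeping the flag explicit is the right call, since an option left unset can flip whenever upstream changes its configure default, as `--disable-fuzz` directly below it shows.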


* Re: [ptxdist] [APPLIED] dropbear: version bump 2020.79 -> 2020.81
  2020-11-16  8:05 ` [ptxdist] [PATCH v3 5/5] dropbear: version bump 2020.79 -> 2020.81 Alexander Dahl
@ 2020-11-20  7:56   ` Michael Olbrich
  0 siblings, 0 replies; 11+ messages in thread
From: Michael Olbrich @ 2020-11-20  7:56 UTC (permalink / raw)
  To: ptxdist; +Cc: Alexander Dahl

Thanks, applied as 7be962ef8bf80145b57df5e4f5a8091e8f292f29.

Michael

[sent from post-receive hook]

On Fri, 20 Nov 2020 08:56:22 +0100, Alexander Dahl <ada@thorsis.com> wrote:
> Changes in LICENSE file:
> 
> - updated copyright years
> - pointed to licenses of bundled libs, instead of just stating their
>   license
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20201116080552.25031-6-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/dropbear.make b/rules/dropbear.make
> index a9404592e3af..6d6e248a2575 100644
> --- a/rules/dropbear.make
> +++ b/rules/dropbear.make
> @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear
>  #
>  # Paths and names
>  #
> -DROPBEAR_VERSION	:= 2020.79
> -DROPBEAR_MD5		:= 830a7bf6349ac52a39c487d061efb352
> +DROPBEAR_VERSION	:= 2020.81
> +DROPBEAR_MD5		:= a07438a6159a24c61f98f1bce2d479c0
>  DROPBEAR		:= dropbear-$(DROPBEAR_VERSION)
>  DROPBEAR_SUFFIX		:= tar.bz2
>  DROPBEAR_URL		:= http://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX)
> @@ -26,7 +26,7 @@ DROPBEAR_DIR		:= $(BUILDDIR)/$(DROPBEAR)
>  DROPBEAR_LICENSE	:= \
>  	MIT AND BSD-2-Clause AND public_domain AND SSH-short AND (public_domain OR WTFPL) AND Unlicense
>  DROPBEAR_LICENSE_FILES	:= \
> -	file://LICENSE;md5=da58928b5d844c6667963cb5a109272d \
> +	file://LICENSE;md5=25cf44512b7bc8966a48b6b1a9b7605f \
>  	file://libtomcrypt/LICENSE;md5=71baacc459522324ef3e2b9e052e8180 \
>  	file://libtommath/LICENSE;md5=23e7e0a32e53a2b1d35f5fd9ef053402 \
>  	file://loginrec.c;startline=1;endline=26;md5=0d785ee11fab1cead2c7fee9c35574f1
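Review bot: the subject covers two upstream releases (2020.79 -> 2020.81) but the message only describes the LICENSE file and checksum changes; add at least a one-line summary of what 2020.80 and 2020.81 changed functionally, as was done for the previous bump, so that the new `DROPBEAR_MD5` value is not the only record of what this update brings in.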

