From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Mon, 04 Jul 2022 14:19:19 +0200 Received: from metis.ext.pengutronix.de ([2001:67c:670:201:290:27ff:fe1d:cc33]) by lore.white.stw.pengutronix.de with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1o8L2q-005XSf-72 for lore@lore.pengutronix.de; Mon, 04 Jul 2022 14:19:19 +0200 Received: from localhost ([127.0.0.1] helo=metis.ext.pengutronix.de) by metis.ext.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1o8L2s-0003Os-UZ; Mon, 04 Jul 2022 14:19:18 +0200 Received: from mail.thorsis.com ([92.198.35.195]) by metis.ext.pengutronix.de with esmtp (Exim 4.92) (envelope-from ) id 1o8L29-0002w0-0L for ptxdist@pengutronix.de; Mon, 04 Jul 2022 14:18:34 +0200 Received: from adahl by ada.ifak-system.com with local (Exim 4.92) (envelope-from ) id 1o8L27-0006CS-67; Mon, 04 Jul 2022 14:18:31 +0200 From: Alexander Dahl To: ptxdist@pengutronix.de Date: Mon, 4 Jul 2022 14:18:24 +0200 Message-Id: <20220704121831.23787-2-ada@thorsis.com> In-Reply-To: <20220704121831.23787-1-ada@thorsis.com> References: <20220704121831.23787-1-ada@thorsis.com> Content-Transfer-Encoding: 8bit X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on metis.ext.pengutronix.de X-Spam-Level: X-Spam-Status: No, score=-2.6 required=4.0 tests=AWL,BAYES_00,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.2 Subject: [ptxdist] [PATCH 1/8] dropbear: version bump 2020.81 -> 2022.82 X-BeenThere: ptxdist@pengutronix.de X-Mailman-Version: 2.1.29 Precedence: list List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Cc: Ian Abbott , Bruno Thomsen Sender: "ptxdist" X-SA-Exim-Connect-IP: 127.0.0.1 X-SA-Exim-Mail-From: ptxdist-bounces@pengutronix.de X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de); SAEximRunCond expanded to false Noteworthy pieces from a longer list of changes and fixes: - New server support for U2F/FIDO keys (explicitly disabled for now) - Removed Twofish cipher - Dropbear now re-executes itself rather than just forking for each connection - A missing home directory is now non-fatal, starting in / instead Link: https://matt.ucc.asn.au/dropbear/CHANGES Signed-off-by: Alexander Dahl --- rules/dropbear.in | 23 ----------------------- rules/dropbear.make | 25 +++++++------------------ 2 files changed, 7 insertions(+), 41 deletions(-) diff --git a/rules/dropbear.in b/rules/dropbear.in index 8ae2d788b..553e0268c 100644 --- a/rules/dropbear.in +++ b/rules/dropbear.in @@ -169,29 +169,6 @@ config DROPBEAR_AES256 algorithm that may be used by U.S. Government organizations (and others) to protect sensitive information. - -config DROPBEAR_TWOFISH128 - bool - prompt "Twofish128" - help - Another great algorithm designed by Bruce Schneier. - This block cipher was designed as a successor to - the 64-bit Blowfish block cipher. - Twofish combines a 16-round Feistel network with a - bijective f function made by four key-dependent - 8x8-bit S-boxes. - -config DROPBEAR_TWOFISH256 - bool - prompt "Twofish256" - help - Another great algorithm designed by Bruce Schneier. - This block cipher was designed as a successor to - the 64-bit Blowfish block cipher. - Twofish combines a 16-round Feistel network with a - bijective f function made by four key-dependent - 8x8-bit S-boxes. - config DROPBEAR_CBC_CIPHERS bool prompt "CBC mode ciphers" diff --git a/rules/dropbear.make b/rules/dropbear.make index cb949d761..3a434e2c8 100644 --- a/rules/dropbear.make +++ b/rules/dropbear.make @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear # # Paths and names # -DROPBEAR_VERSION := 2020.81 -DROPBEAR_MD5 := a07438a6159a24c61f98f1bce2d479c0 +DROPBEAR_VERSION := 2022.82 +DROPBEAR_MD5 := 7a4a5f2c6d23ff2e6627c97d7c1aeceb DROPBEAR := dropbear-$(DROPBEAR_VERSION) DROPBEAR_SUFFIX := tar.bz2 DROPBEAR_URL := https://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX) @@ -42,6 +42,7 @@ DROPBEAR_CONF_TOOL := autoconf DROPBEAR_CONF_OPT := \ $(CROSS_AUTOCONF_USR) \ --enable-harden \ + --disable-werror \ $(GLOBAL_LARGE_FILE_OPTION) \ --$(call ptx/endis, PTXCONF_DROPBEAR_ZLIB)-zlib \ --disable-pam \ @@ -126,22 +127,6 @@ else @echo "#define DROPBEAR_AES256 0" >> $(DROPBEAR_LOCALOPTIONS) endif -ifdef PTXCONF_DROPBEAR_TWOFISH256 - @echo "ptxdist: enabling twofish256" - @echo "#define DROPBEAR_TWOFISH256 1" >> $(DROPBEAR_LOCALOPTIONS) -else - @echo "ptxdist: disabling twofish256" - @echo "#define DROPBEAR_TWOFISH256 0" >> $(DROPBEAR_LOCALOPTIONS) -endif - -ifdef PTXCONF_DROPBEAR_TWOFISH128 - @echo "ptxdist: enabling twofish128" - @echo "#define DROPBEAR_TWOFISH128 1" >> $(DROPBEAR_LOCALOPTIONS) -else - @echo "ptxdist: disabling twofish128" - @echo "#define DROPBEAR_TWOFISH128 0" >> $(DROPBEAR_LOCALOPTIONS) -endif - # ciphers ifdef PTXCONF_DROPBEAR_CBC_CIPHERS @echo "ptxdist: enabling cbc ciphers" @@ -217,6 +202,10 @@ else @echo "#define DROPBEAR_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS) endif + @echo "ptxdist: disabling u2f security key support" + @echo "#define DROPBEAR_SK_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS) + @echo "#define DROPBEAR_SK_ED25519 0" >> $(DROPBEAR_LOCALOPTIONS) + # key exchange algorithm ifdef PTXCONF_DROPBEAR_ECDH @echo "ptxdist: enabling ecdh" -- 2.30.2