From: Michael Olbrich
To: ptxdist@pengutronix.de
Cc: Alexander Dahl
Date: Fri, 29 Jul 2022 08:23:28 +0200
Message-Id: <20220729062328.2391753-1-m.olbrich@pengutronix.de>
In-Reply-To: <20220704121831.23787-2-ada@thorsis.com>
References: <20220704121831.23787-2-ada@thorsis.com>
Subject: Re: [ptxdist] [APPLIED] dropbear: version bump 2020.81 -> 2022.82

Thanks, applied as fe0bcfd2aed916620677d63432defec21e72d523.

Michael

[sent from post-receive hook]

On Fri, 29 Jul 2022 08:23:28 +0200, Alexander Dahl wrote:
> Noteworthy pieces from a longer list of changes and fixes:
>
> - New server support for U2F/FIDO keys (explicitly disabled for now)
> - Removed Twofish cipher
> - Dropbear now re-executes itself rather than just forking for each connection
> - A missing home directory is now non-fatal, starting in / instead
>
> Link: https://matt.ucc.asn.au/dropbear/CHANGES
> Signed-off-by: Alexander Dahl
> Message-Id: <20220704121831.23787-2-ada@thorsis.com>
> [mol: disable broken x11 forwarding]
> Signed-off-by: Michael Olbrich
>
> diff --git a/rules/dropbear.in b/rules/dropbear.in > index 8ae2d788bd27..0e726c70ef35 100644 > --- a/rules/dropbear.in > +++ b/rules/dropbear.in > @@ -115,7 +115,8 @@ comment "features" > > config DROPBEAR_DIS_X11 > bool > - prompt "disable X11 Forwarding" > + # X11 forwarding fails to build > + #prompt "disable X11 Forwarding" > default y > help > X11 forwarding means passing X11 (graphical interface) 
> @@ -169,29 +170,6 @@ config DROPBEAR_AES256 > algorithm that may be used by U.S. Government organizations > (and others) to protect sensitive information. > > - > -config DROPBEAR_TWOFISH128 > - bool > - prompt "Twofish128" > - help > - Another great algorithm designed by Bruce Schneier. > - This block cipher was designed as a successor to > - the 64-bit Blowfish block cipher. > - Twofish combines a 16-round Feistel network with a > - bijective f function made by four key-dependent > - 8x8-bit S-boxes. > - > -config DROPBEAR_TWOFISH256 > - bool > - prompt "Twofish256" > - help > - Another great algorithm designed by Bruce Schneier. > - This block cipher was designed as a successor to > - the 64-bit Blowfish block cipher. > - Twofish combines a 16-round Feistel network with a > - bijective f function made by four key-dependent > - 8x8-bit S-boxes. > - > config DROPBEAR_CBC_CIPHERS > bool > prompt "CBC mode ciphers" > diff --git a/rules/dropbear.make b/rules/dropbear.make > index cb949d761693..3a434e2c8d37 100644 > --- a/rules/dropbear.make > +++ b/rules/dropbear.make > @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_DROPBEAR) += dropbear > # > # Paths and names > # > -DROPBEAR_VERSION := 2020.81 > -DROPBEAR_MD5 := a07438a6159a24c61f98f1bce2d479c0 > +DROPBEAR_VERSION := 2022.82 > +DROPBEAR_MD5 := 7a4a5f2c6d23ff2e6627c97d7c1aeceb > DROPBEAR := dropbear-$(DROPBEAR_VERSION) > DROPBEAR_SUFFIX := tar.bz2 > DROPBEAR_URL := https://matt.ucc.asn.au/dropbear/releases/$(DROPBEAR).$(DROPBEAR_SUFFIX) > @@ -42,6 +42,7 @@ DROPBEAR_CONF_TOOL := autoconf > DROPBEAR_CONF_OPT := \ > $(CROSS_AUTOCONF_USR) \ > --enable-harden \ > + --disable-werror \ > $(GLOBAL_LARGE_FILE_OPTION) \ > --$(call ptx/endis, PTXCONF_DROPBEAR_ZLIB)-zlib \ > --disable-pam \ 
> @@ -126,22 +127,6 @@ else > @echo "#define DROPBEAR_AES256 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > -ifdef PTXCONF_DROPBEAR_TWOFISH256 > - @echo "ptxdist: enabling twofish256" > - @echo "#define DROPBEAR_TWOFISH256 1" >> $(DROPBEAR_LOCALOPTIONS) > -else > - @echo "ptxdist: disabling twofish256" > - @echo "#define DROPBEAR_TWOFISH256 0" >> $(DROPBEAR_LOCALOPTIONS) > -endif > - > -ifdef PTXCONF_DROPBEAR_TWOFISH128 > - @echo "ptxdist: enabling twofish128" > - @echo "#define DROPBEAR_TWOFISH128 1" >> $(DROPBEAR_LOCALOPTIONS) > -else > - @echo "ptxdist: disabling twofish128" > - @echo "#define DROPBEAR_TWOFISH128 0" >> $(DROPBEAR_LOCALOPTIONS) > -endif > - > # ciphers > ifdef PTXCONF_DROPBEAR_CBC_CIPHERS > @echo "ptxdist: enabling cbc ciphers" > @@ -217,6 +202,10 @@ else > @echo "#define DROPBEAR_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > + @echo "ptxdist: disabling u2f security key support" > + @echo "#define DROPBEAR_SK_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS) > + @echo "#define DROPBEAR_SK_ED25519 0" >> $(DROPBEAR_LOCALOPTIONS) > + > # key exchange algorithm > ifdef PTXCONF_DROPBEAR_ECDH > @echo "ptxdist: enabling ecdh"
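
Review bot: In the rules/dropbear.in hunk at @@ -115,7 +115,8 @@, commenting out the prompt leaves DROPBEAR_DIS_X11 as a hidden bool with "default y", so the help text that follows can no longer be reached from the menu and nothing in the file says when the option may come back. The comment "# X11 forwarding fails to build" should name the version it applies to (2022.82 per this commit) and the failing symptom, so the prompt can be restored once the build problem is fixed.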
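
Review bot: DROPBEAR_MD5 in the rules/dropbear.make hunk at @@ -16,8 +16,8 @@ is the only integrity value visible for the tarball fetched from DROPBEAR_URL, and MD5 is not collision resistant, so it guards against a corrupted download more than against a substituted one. Please state in the commit message how the 2022.82 tarball was verified (for example against a checksum or signature published by upstream) before the new hash was recorded.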
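
Review bot: "--disable-werror" is added directly under "--enable-harden" in the rules/dropbear.make hunk at @@ -42,6 +42,7 @@ with no explanation in the commit message or in a comment. Since it turns compiler warnings in an SSH server back into non-fatal output, please note which warning and toolchain made it necessary, so the flag can be dropped again once that warning is gone.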
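
Review bot: The three added echo lines in the rules/dropbear.make hunk at @@ -217,6 +202,10 @@ write "#define DROPBEAR_SK_ECDSA 0" and "#define DROPBEAR_SK_ED25519 0" unconditionally, while every neighbouring feature is wrapped in "ifdef PTXCONF_DROPBEAR_..." and has a matching option in rules/dropbear.in. The commit message only says U2F/FIDO is "explicitly disabled for now"; please add a short comment above the block giving the reason (as the "# ciphers" and "# key exchange algorithm" sections do for their purpose), or add a Kconfig option that defaults to off so the decision is visible in the configuration.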