From ad52658be722f2024dd645a1a7228209e8bf7c23 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Sat, 29 Mar 2014 16:59:26 +0000 Subject: [PATCH] dropbear: update to 2014.63 Upstream changelog: https://matt.ucc.asn.au/dropbear/CHANGES This adds elliptic curve cryptography (ECC) support as an option, disabled by default. dropbear mips 34kc uClibc binary size: before: 161,672 bytes after, without ECC (default): 164,968 after, with ECC: 198,008 Signed-off-by: Catalin Patulea SVN-Revision: 40297 --- package/network/services/dropbear/Config.in | 27 +++++++++++++++++ package/network/services/dropbear/Makefile | 24 +++++++++++++-- .../dropbear/patches/100-pubkey_path.patch | 4 +-- .../patches/120-openwrt_options.patch | 21 ++++---------- .../patches/150-dbconvert_standalone.patch | 6 ++-- .../dropbear/patches/200-lcrypt_bsdfix.patch | 29 ------------------- .../patches/500-set-default-path.patch | 2 +- 7 files changed, 61 insertions(+), 52 deletions(-) create mode 100644 package/network/services/dropbear/Config.in delete mode 100644 package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in new file mode 100644 index 0000000000..e2a761034f --- /dev/null +++ b/package/network/services/dropbear/Config.in @@ -0,0 +1,27 @@ +menu "Configuration" + depends on PACKAGE_dropbear + +config DROPBEAR_ECC + bool "Elliptic curve cryptography (ECC)" + default n + help + Enables elliptic curve cryptography (ECC) support in key exchange and public key + authentication. + + Key exchange algorithms: + ecdh-sha2-nistp256 + ecdh-sha2-nistp384 + ecdh-sha2-nistp521 + curve25519-sha256@libssh.org + + Public key algorithms: + ecdsa-sha2-nistp256 + ecdsa-sha2-nistp384 + ecdsa-sha2-nistp521 + + Does not generate ECC host keys by default (ECC key exchange will not be used, + only ECC public key auth). + + Increases binary size by about 36 kB (MIPS). + +endmenu diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 02be76110f..692199e8aa 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -8,26 +8,32 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dropbear -PKG_VERSION:=2013.59 +PKG_VERSION:=2014.63 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:= \ http://matt.ucc.asn.au/dropbear/releases/ \ https://dropbear.nl/mirror/releases/ -PKG_MD5SUM:=6c1e6c2c297f4034488ffc95e8b7e6e9 +PKG_MD5SUM:=7066bb9a2da708f3ed06314fdc9c47fd PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE PKG_BUILD_PARALLEL:=1 +PKG_CONFIG_DEPENDS:=CONFIG_DROPBEAR_ECC + include $(INCLUDE_DIR)/package.mk define Package/dropbear/Default URL:=http://matt.ucc.asn.au/dropbear/ endef +define Package/dropbear/config + source "$(SOURCE)/Config.in" +endef + define Package/dropbear $(call Package/dropbear/Default) SECTION:=net @@ -72,6 +78,20 @@ CONFIGURE_ARGS += \ TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections TARGET_LDFLAGS += -Wl,--gc-sections +define Build/Prepare + $(call Build/Prepare/Default) + # Enforce that all replacements are made, otherwise options.h has changed + # format and this logic is broken. + for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH DROPBEAR_CURVE25519; do \ + awk 'BEGIN { rc = 1 } \ + /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// )#define '$$$$OPTION'"; rc = 0 } \ + { print } \ + END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \ + >$(PKG_BUILD_DIR)/options.h.new && \ + mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h || exit 1; \ + done +endef + define Build/Compile +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ $(TARGET_CONFIGURE_OPTS) \ diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch index c1802f51e5..456874b730 100644 --- a/package/network/services/dropbear/patches/100-pubkey_path.patch +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch @@ -1,6 +1,6 @@ --- a/svr-authpubkey.c +++ b/svr-authpubkey.c -@@ -209,17 +209,21 @@ static int checkpubkey(unsigned char* al +@@ -208,17 +208,21 @@ static int checkpubkey(unsigned char* al goto out; } @@ -33,7 +33,7 @@ if (authfile == NULL) { goto out; } -@@ -372,26 +376,35 @@ static int checkpubkeyperms() { +@@ -371,26 +375,35 @@ static int checkpubkeyperms() { goto out; } diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch index 9300a27429..1b5c5cb1e8 100644 --- a/package/network/services/dropbear/patches/120-openwrt_options.patch +++ b/package/network/services/dropbear/patches/120-openwrt_options.patch @@ -1,6 +1,6 @@ --- a/options.h +++ b/options.h -@@ -38,7 +38,7 @@ +@@ -41,7 +41,7 @@ * Both of these flags can be defined at once, don't compile without at least * one of them. */ #define NON_INETD_MODE @@ -9,16 +9,7 @@ /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is * perhaps 20% slower for pubkey operations (it is probably worth experimenting -@@ -49,7 +49,7 @@ - several kB in binary size however will make the symmetrical ciphers and hashes - slower, perhaps by 50%. Recommended for small systems that aren't doing - much traffic. */ --/*#define DROPBEAR_SMALL_CODE*/ -+#define DROPBEAR_SMALL_CODE - - /* Enable X11 Forwarding - server only */ - #define ENABLE_X11FWD -@@ -78,7 +78,7 @@ much traffic. */ +@@ -81,7 +81,7 @@ much traffic. */ /* Enable "Netcat mode" option. This will forward standard input/output * to a remote TCP-forwarded connection */ @@ -27,7 +18,7 @@ /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ #define ENABLE_USER_ALGO_LIST -@@ -92,8 +92,8 @@ much traffic. */ +@@ -95,8 +95,8 @@ much traffic. */ #define DROPBEAR_AES256 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ /*#define DROPBEAR_BLOWFISH*/ @@ -38,7 +29,7 @@ /* Enable "Counter Mode" for ciphers. This is more secure than normal * CBC mode against certain attacks. This adds around 1kB to binary -@@ -119,7 +119,7 @@ much traffic. */ +@@ -122,7 +122,7 @@ much traffic. */ * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, * which are not the standard form. */ #define DROPBEAR_SHA1_HMAC @@ -47,7 +38,7 @@ /*#define DROPBEAR_SHA2_256_HMAC*/ /*#define DROPBEAR_SHA2_512_HMAC*/ #define DROPBEAR_MD5_HMAC -@@ -157,7 +157,7 @@ much traffic. */ +@@ -175,7 +175,7 @@ much traffic. */ /* Whether to print the message of the day (MOTD). This doesn't add much code * size */ @@ -56,7 +47,7 @@ /* The MOTD file path */ #ifndef MOTD_FILENAME -@@ -195,7 +195,7 @@ much traffic. */ +@@ -213,7 +213,7 @@ much traffic. */ * note that it will be provided for all "hidden" client-interactive * style prompts - if you want something more sophisticated, use * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/ diff --git a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch index 3e0b008552..367dc2c681 100644 --- a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch +++ b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch @@ -9,6 +9,6 @@ +#define DROPBEAR_CLIENT +#endif + - /****************************************************************** - * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" - * parts are to allow for commandline -DDROPBEAR_XXX options etc. + /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" + * parts are to allow for commandline -DDROPBEAR_XXX options etc. */ + diff --git a/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch b/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch deleted file mode 100644 index a5697e25f7..0000000000 --- a/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch +++ /dev/null @@ -1,29 +0,0 @@ ---- a/Makefile.in -+++ b/Makefile.in -@@ -56,7 +56,7 @@ HEADERS=options.h dbutil.h session.h pac - loginrec.h atomicio.h x11fwd.h agentfwd.h tcpfwd.h compat.h \ - listener.h fake-rfc2553.h - --dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) @CRYPTLIB@ -+dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) - dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS) - dropbearkeyobjs=$(COMMONOBJS) $(KEYOBJS) - dropbearconvertobjs=$(COMMONOBJS) $(CONVERTOBJS) -@@ -78,7 +78,7 @@ STRIP=@STRIP@ - INSTALL=@INSTALL@ - CPPFLAGS=@CPPFLAGS@ - CFLAGS+=-I. -I$(srcdir) $(CPPFLAGS) @CFLAGS@ --LIBS+=@LIBS@ -+LIBS+=@CRYPTLIB@ @LIBS@ - LDFLAGS=@LDFLAGS@ - - EXEEXT=@EXEEXT@ -@@ -168,7 +168,7 @@ scp: $(SCPOBJS) $(HEADERS) Makefile - # multi-binary compilation. - MULTIOBJS= - ifeq ($(MULTI),1) -- MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs))) @CRYPTLIB@ -+ MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs))) - CFLAGS+=$(addprefix -DDBMULTI_, $(PROGRAMS)) -DDROPBEAR_MULTI - endif - diff --git a/package/network/services/dropbear/patches/500-set-default-path.patch b/package/network/services/dropbear/patches/500-set-default-path.patch index 702ad6c398..4eea57d5ce 100644 --- a/package/network/services/dropbear/patches/500-set-default-path.patch +++ b/package/network/services/dropbear/patches/500-set-default-path.patch @@ -1,6 +1,6 @@ --- a/options.h +++ b/options.h -@@ -301,7 +301,7 @@ be overridden at runtime with -I. 0 disa +@@ -318,7 +318,7 @@ be overridden at runtime with -I. 0 disa #define DEFAULT_IDLE_TIMEOUT 0 /* The default path. This will often get replaced by the shell */