ping
On Mon, Feb 24, 2014 at 1:02 AM, Catalin Patulea <c...@vv.carleton.ca> wrote:
> Upstream changelog:
> https://matt.ucc.asn.au/dropbear/CHANGES
>
> This adds elliptic curve cryptography (ECC) support as an option, disabled
> by default.
>
> dropbear mips 34kc uClibc binary size:
> before: 161,672 bytes
> after, without ECC (default): 164,968
> after, with ECC: 198,008
>
> Signed-off-by: Catalin Patulea <c...@vv.carleton.ca>
> ---
> package/network/services/dropbear/Config.in | 27 ++++++++++++++++++
> package/network/services/dropbear/Makefile | 24 ++++++++++++++--
> .../dropbear/patches/100-pubkey_path.patch | 4 +--
> .../dropbear/patches/110-change_user.patch | 2 +-
> .../dropbear/patches/120-openwrt_options.patch | 21 ++++----------
> .../dropbear/patches/140-disable_assert.patch | 2 +-
> .../patches/150-dbconvert_standalone.patch | 6 ++--
> .../dropbear/patches/200-lcrypt_bsdfix.patch | 29
> --------------------
> .../dropbear/patches/500-set-default-path.patch | 2 +-
> 9 files changed, 63 insertions(+), 54 deletions(-)
> create mode 100644 package/network/services/dropbear/Config.in
> delete mode 100644
> package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch
>
> diff --git a/package/network/services/dropbear/Config.in
> b/package/network/services/dropbear/Config.in
> new file mode 100644
> index 0000000..e2a7610
> --- /dev/null
> +++ b/package/network/services/dropbear/Config.in
> @@ -0,0 +1,27 @@
> +menu "Configuration"
> + depends on PACKAGE_dropbear
> +
> +config DROPBEAR_ECC
> + bool "Elliptic curve cryptography (ECC)"
> + default n
> + help
> + Enables elliptic curve cryptography (ECC) support in key
> exchange and public key
> + authentication.
> +
> + Key exchange algorithms:
> + ecdh-sha2-nistp256
> + ecdh-sha2-nistp384
> + ecdh-sha2-nistp521
> + curve25519-sha...@libssh.org
> +
> + Public key algorithms:
> + ecdsa-sha2-nistp256
> + ecdsa-sha2-nistp384
> + ecdsa-sha2-nistp521
> +
> + Does not generate ECC host keys by default (ECC key exchange
> will not be used,
> + only ECC public key auth).
> +
> + Increases binary size by about 36 kB (MIPS).
> +
> +endmenu
> diff --git a/package/network/services/dropbear/Makefile
> b/package/network/services/dropbear/Makefile
> index 02be761..692199e 100644
> --- a/package/network/services/dropbear/Makefile
> +++ b/package/network/services/dropbear/Makefile
> @@ -8,26 +8,32 @@
> include $(TOPDIR)/rules.mk
>
> PKG_NAME:=dropbear
> -PKG_VERSION:=2013.59
> +PKG_VERSION:=2014.63
> PKG_RELEASE:=1
>
> PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
> PKG_SOURCE_URL:= \
> http://matt.ucc.asn.au/dropbear/releases/ \
> https://dropbear.nl/mirror/releases/
> -PKG_MD5SUM:=6c1e6c2c297f4034488ffc95e8b7e6e9
> +PKG_MD5SUM:=7066bb9a2da708f3ed06314fdc9c47fd
>
> PKG_LICENSE:=MIT
> PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
>
> PKG_BUILD_PARALLEL:=1
>
> +PKG_CONFIG_DEPENDS:=CONFIG_DROPBEAR_ECC
> +
> include $(INCLUDE_DIR)/package.mk
>
> define Package/dropbear/Default
> URL:=http://matt.ucc.asn.au/dropbear/
> endef
>
> +define Package/dropbear/config
> + source "$(SOURCE)/Config.in"
> +endef
> +
> define Package/dropbear
> $(call Package/dropbear/Default)
> SECTION:=net
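Review bot: The help text's parenthetical `(ECC key exchange will not be used, only ECC public key auth)` in the new Config.in looks wrong: the SSH kex method and the host key algorithm are negotiated independently, so with ECC compiled in the ecdh/curve25519 kex methods are offered and used with the existing RSA/DSS host key whether or not an ECC host key exists — please confirm against dropbear's kex negotiation before keeping that sentence. What does depend on the generated host key is ecdsa host authentication, so the sentence should say that instead, e.g. `Does not generate an ECC host key by default, so ecdsa host keys are not offered; one can be created with dropbearkey -t ecdsa.` Separately, `curve25519-sha...@libssh.org` reads like the list archive's address masking rather than the committed text; check that the file carries the full `curve25519-sha256@libssh.org` name, since the help text is what users will grep for when a client refuses to negotiate.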
> @@ -72,6 +78,20 @@ CONFIGURE_ARGS += \
> TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections
> TARGET_LDFLAGS += -Wl,--gc-sections
>
> +define Build/Prepare
> + $(call Build/Prepare/Default)
> + # Enforce that all replacements are made, otherwise options.h has
> changed
> + # format and this logic is broken.
> + for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH DROPBEAR_CURVE25519; do \
> + awk 'BEGIN { rc = 1 } \
> + /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,//
> )#define '$$$$OPTION'"; rc = 0 } \
> + { print } \
> + END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \
> + >$(PKG_BUILD_DIR)/options.h.new && \
> + mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h ||
> exit 1; \
> + done
> +endef
> +
> define Build/Compile
> +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
> $(TARGET_CONFIGURE_OPTS) \
> diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch
> b/package/network/services/dropbear/patches/100-pubkey_path.patch
> index c1802f5..456874b 100644
> --- a/package/network/services/dropbear/patches/100-pubkey_path.patch
> +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch
> @@ -1,6 +1,6 @@
> --- a/svr-authpubkey.c
> +++ b/svr-authpubkey.c
> -@@ -209,17 +209,21 @@ static int checkpubkey(unsigned char* al
> +@@ -208,17 +208,21 @@ static int checkpubkey(unsigned char* al
> goto out;
> }
>
> @@ -33,7 +33,7 @@
> if (authfile == NULL) {
> goto out;
> }
> -@@ -372,26 +376,35 @@ static int checkpubkeyperms() {
> +@@ -371,26 +375,35 @@ static int checkpubkeyperms() {
> goto out;
> }
>
> diff --git a/package/network/services/dropbear/patches/110-change_user.patch
> b/package/network/services/dropbear/patches/110-change_user.patch
> index 48228ea..659e257 100644
> --- a/package/network/services/dropbear/patches/110-change_user.patch
> +++ b/package/network/services/dropbear/patches/110-change_user.patch
> @@ -1,6 +1,6 @@
> --- a/svr-chansession.c
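Review bot: The awk pattern `/'$$$$OPTION'/` in the new Build/Prepare matches any options.h line that merely contains the token — a comment mentioning DROPBEAR_ECDH, or a longer identifier sharing the DROPBEAR_ECDSA prefix — and rewrites every such line into a `#define`, while `rc` only records that at least one line matched; such a run exits 0, so a mismatch between CONFIG_DROPBEAR_ECC and the algorithm set actually compiled in would go unnoticed. Anchor the pattern to the define line and require exactly one hit: replace the match line with `/^(\/\*)?#define '$$$$OPTION'(\*\/)?[ \t]*$$$$/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// )#define '$$$$OPTION'"; n++ }`, the END clause with `END { exit(n != 1) }`, and drop `BEGIN { rc = 1 }` (the doubled dollars follow the escaping the hunk already uses for `$$$$0`). Whether options.h in 2014.63 contains such colliding lines I can't tell from here, but the `# Enforce that all replacements are made` comment promises a check the unanchored pattern does not deliver. The mail wrapping splits the awk line after `//`; the real recipe line presumably ends `,,// )#define '$$$$OPTION'"; rc = 0 } \`.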
> +++ b/svr-chansession.c
> -@@ -889,12 +889,12 @@ static void execchild(void *user_data) {
> +@@ -894,12 +894,12 @@ static void execchild(void *user_data) {
> /* We can only change uid/gid as root ... */
> if (getuid() == 0) {
>
> diff --git
> a/package/network/services/dropbear/patches/120-openwrt_options.patch
> b/package/network/services/dropbear/patches/120-openwrt_options.patch
> index 9300a27..1b5c5cb 100644
> --- a/package/network/services/dropbear/patches/120-openwrt_options.patch
> +++ b/package/network/services/dropbear/patches/120-openwrt_options.patch
> @@ -1,6 +1,6 @@
> --- a/options.h
> +++ b/options.h
> -@@ -38,7 +38,7 @@
> +@@ -41,7 +41,7 @@
> * Both of these flags can be defined at once, don't compile without at
> least
> * one of them. */
> #define NON_INETD_MODE
> @@ -9,16 +9,7 @@
>
> /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
> * perhaps 20% slower for pubkey operations (it is probably worth
> experimenting
> -@@ -49,7 +49,7 @@
> - several kB in binary size however will make the symmetrical ciphers and
> hashes
> - slower, perhaps by 50%. Recommended for small systems that aren't doing
> - much traffic. */
> --/*#define DROPBEAR_SMALL_CODE*/
> -+#define DROPBEAR_SMALL_CODE
> -
> - /* Enable X11 Forwarding - server only */
> - #define ENABLE_X11FWD
> -@@ -78,7 +78,7 @@ much traffic. */
> +@@ -81,7 +81,7 @@ much traffic. */
>
> /* Enable "Netcat mode" option. This will forward standard input/output
> * to a remote TCP-forwarded connection */
> @@ -27,7 +18,7 @@
>
> /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime
> */
> #define ENABLE_USER_ALGO_LIST
> -@@ -92,8 +92,8 @@ much traffic. */
> +@@ -95,8 +95,8 @@ much traffic. */
> #define DROPBEAR_AES256
> /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
> /*#define DROPBEAR_BLOWFISH*/
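Review bot: The refreshed 120-openwrt_options.patch drops the hunk that turned `/*#define DROPBEAR_SMALL_CODE*/` into `#define DROPBEAR_SMALL_CODE` (the removed `-@@ -49,7 +49,7 @@` block in the `@@ -9,16 +9,7 @@` hunk), and neither this patch nor the description says why. If upstream 2014.63 now enables DROPBEAR_SMALL_CODE by default, one sentence in the commit message, `Drop the DROPBEAR_SMALL_CODE hunk: upstream now defines it by default.`, lets the size figures in the description be read as comparable; if it does not, the build silently switches to the larger, faster code path and the quoted 164,968/198,008 byte numbers were measured against a different option set than 2013.59. Please confirm which case applies and state it, since the rest of the refreshed patches look like plain offset updates and this is the only semantic change among them.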
> @@ -38,7 +29,7 @@
>
> /* Enable "Counter Mode" for ciphers. This is more secure than normal
> * CBC mode against certain attacks. This adds around 1kB to binary
> -@@ -119,7 +119,7 @@ much traffic. */
> +@@ -122,7 +122,7 @@ much traffic. */
> * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
> * which are not the standard form. */
> #define DROPBEAR_SHA1_HMAC
> @@ -47,7 +38,7 @@
> /*#define DROPBEAR_SHA2_256_HMAC*/
> /*#define DROPBEAR_SHA2_512_HMAC*/
> #define DROPBEAR_MD5_HMAC
> -@@ -157,7 +157,7 @@ much traffic. */
> +@@ -175,7 +175,7 @@ much traffic. */
>
> /* Whether to print the message of the day (MOTD). This doesn't add much
> code
> * size */
> @@ -56,7 +47,7 @@
>
> /* The MOTD file path */
> #ifndef MOTD_FILENAME
> -@@ -195,7 +195,7 @@ much traffic. */
> +@@ -213,7 +213,7 @@ much traffic. */
> * note that it will be provided for all "hidden" client-interactive
> * style prompts - if you want something more sophisticated, use
> * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
> diff --git
> a/package/network/services/dropbear/patches/140-disable_assert.patch
> b/package/network/services/dropbear/patches/140-disable_assert.patch
> index edc7547..0717228 100644
> --- a/package/network/services/dropbear/patches/140-disable_assert.patch
> +++ b/package/network/services/dropbear/patches/140-disable_assert.patch
> @@ -1,6 +1,6 @@
> --- a/dbutil.h
> +++ b/dbutil.h
> -@@ -92,7 +92,11 @@ int m_str_to_uint(const char* str, unsig
> +@@ -101,7 +101,11 @@ int m_str_to_uint(const char* str, unsig
> #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
>
> /* Dropbear assertion */
> diff --git
> a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
> b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
> index 3e0b008..367dc2c 100644
> --- a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
> +++ b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
> @@ -9,6 +9,6 @@
> +#define DROPBEAR_CLIENT
> +#endif
> +
> - /******************************************************************
> - * Define compile-time options below - the "#ifndef DROPBEAR_XXX ....
> #endif"
> - * parts are to allow for commandline -DDROPBEAR_XXX options etc.
> + /* Define compile-time options below - the "#ifndef DROPBEAR_XXX ....
> #endif"
> + * parts are to allow for commandline -DDROPBEAR_XXX options etc. */
> +
> diff --git
> a/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch
> b/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch
> deleted file mode 100644
> index a5697e2..0000000
> --- a/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch
> +++ /dev/null
> @@ -1,29 +0,0 @@
> ---- a/Makefile.in
> -+++ b/Makefile.in
> -@@ -56,7 +56,7 @@ HEADERS=options.h dbutil.h session.h pac
> - loginrec.h atomicio.h x11fwd.h agentfwd.h tcpfwd.h compat.h \
> - listener.h fake-rfc2553.h
> -
> --dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) @CRYPTLIB@
> -+dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS)
> - dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS)
> - dropbearkeyobjs=$(COMMONOBJS) $(KEYOBJS)
> - dropbearconvertobjs=$(COMMONOBJS) $(CONVERTOBJS)
> -@@ -78,7 +78,7 @@ STRIP=@STRIP@
> - INSTALL=@INSTALL@
> - CPPFLAGS=@CPPFLAGS@
> - CFLAGS+=-I. -I$(srcdir) $(CPPFLAGS) @CFLAGS@
> --LIBS+=@LIBS@
> -+LIBS+=@CRYPTLIB@ @LIBS@
> - LDFLAGS=@LDFLAGS@
> -
> - EXEEXT=@EXEEXT@
> -@@ -168,7 +168,7 @@ scp: $(SCPOBJS) $(HEADERS) Makefile
> - # multi-binary compilation.
> - MULTIOBJS=
> - ifeq ($(MULTI),1)
> -- MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS),
> $($(prog)objs))) @CRYPTLIB@
> -+ MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS),
> $($(prog)objs)))
> - CFLAGS+=$(addprefix -DDBMULTI_, $(PROGRAMS)) -DDROPBEAR_MULTI
> - endif
> -
> diff --git
> a/package/network/services/dropbear/patches/500-set-default-path.patch
> b/package/network/services/dropbear/patches/500-set-default-path.patch
> index 702ad6c..4eea57d 100644
> --- a/package/network/services/dropbear/patches/500-set-default-path.patch
> +++ b/package/network/services/dropbear/patches/500-set-default-path.patch
> @@ -1,6 +1,6 @@
> --- a/options.h
> +++ b/options.h
> -@@ -301,7 +301,7 @@ be overridden at runtime with -I. 0 disa
> +@@ -318,7 +318,7 @@ be overridden at runtime with -I. 0 disa
> #define DEFAULT_IDLE_TIMEOUT 0
>
> /* The default path. This will often get replaced by the shell */
> --
> 1.7.9.5
> _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel