dropbear: update to 2014.63

Upstream changelog:
https://matt.ucc.asn.au/dropbear/CHANGES

This adds elliptic curve cryptography (ECC) support as an option, disabled
by default.

dropbear mips 34kc uClibc binary size:
before: 161,672 bytes
after, without ECC (default): 164,968
after, with ECC: 198,008

Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>

SVN-Revision: 40297

package/network/services/dropbear/Config.in

@@ -0,0 +1,27 @@
+menu "Configuration"
+	depends on PACKAGE_dropbear
+
+config DROPBEAR_ECC
+	bool "Elliptic curve cryptography (ECC)"
+	default n
+	help
+		Enables elliptic curve cryptography (ECC) support in key exchange and public key
+		authentication.
+
+		Key exchange algorithms:
+		  ecdh-sha2-nistp256
+		  ecdh-sha2-nistp384
+		  ecdh-sha2-nistp521
+		  curve25519-sha256@libssh.org
+
+		Public key algorithms:
+		  ecdsa-sha2-nistp256
+		  ecdsa-sha2-nistp384
+		  ecdsa-sha2-nistp521
+
+		Does not generate ECC host keys by default (ECC key exchange will not be used,
+		only ECC public key auth).
+
+		Increases binary size by about 36 kB (MIPS).
+
+endmenu

package/network/services/dropbear/Makefile

@@ -8,26 +8,32 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2013.59
+PKG_VERSION:=2014.63
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
 	http://matt.ucc.asn.au/dropbear/releases/ \
 	https://dropbear.nl/mirror/releases/
-PKG_MD5SUM:=6c1e6c2c297f4034488ffc95e8b7e6e9
+PKG_MD5SUM:=7066bb9a2da708f3ed06314fdc9c47fd
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
 
 PKG_BUILD_PARALLEL:=1
 
+PKG_CONFIG_DEPENDS:=CONFIG_DROPBEAR_ECC
+
 include $(INCLUDE_DIR)/package.mk
 
 define Package/dropbear/Default
   URL:=http://matt.ucc.asn.au/dropbear/
 endef
 
+define Package/dropbear/config
+	source "$(SOURCE)/Config.in"
+endef
+
 define Package/dropbear
   $(call Package/dropbear/Default)
   SECTION:=net
@@ -72,6 +78,20 @@ CONFIGURE_ARGS += \
 TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections
 TARGET_LDFLAGS += -Wl,--gc-sections
 
+define Build/Prepare
+	$(call Build/Prepare/Default)
+	# Enforce that all replacements are made, otherwise options.h has changed
+	# format and this logic is broken.
+	for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH DROPBEAR_CURVE25519; do \
+	  awk 'BEGIN { rc = 1 } \
+	       /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// )#define '$$$$OPTION'"; rc = 0 } \
+	       { print } \
+	       END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \
+	       >$(PKG_BUILD_DIR)/options.h.new && \
+	  mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h || exit 1; \
+	done
+endef
+
 define Build/Compile
 	+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
 		$(TARGET_CONFIGURE_OPTS) \

package/network/services/dropbear/patches/100-pubkey_path.patch

@@ -1,6 +1,6 @@
 --- a/svr-authpubkey.c
 +++ b/svr-authpubkey.c
-@@ -209,17 +209,21 @@ static int checkpubkey(unsigned char* al
+@@ -208,17 +208,21 @@ static int checkpubkey(unsigned char* al
  		goto out;
  	}
  
@@ -33,7 +33,7 @@
  	if (authfile == NULL) {
  		goto out;
  	}
-@@ -372,26 +376,35 @@ static int checkpubkeyperms() {
+@@ -371,26 +375,35 @@ static int checkpubkeyperms() {
  		goto out;
  	}
  

package/network/services/dropbear/patches/120-openwrt_options.patch

@@ -1,6 +1,6 @@
 --- a/options.h
 +++ b/options.h
-@@ -38,7 +38,7 @@
+@@ -41,7 +41,7 @@
   * Both of these flags can be defined at once, don't compile without at least
   * one of them. */
  #define NON_INETD_MODE
@@ -9,16 +9,7 @@
  
  /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
   * perhaps 20% slower for pubkey operations (it is probably worth experimenting
-@@ -49,7 +49,7 @@
- several kB in binary size however will make the symmetrical ciphers and hashes
- slower, perhaps by 50%. Recommended for small systems that aren't doing
- much traffic. */
--/*#define DROPBEAR_SMALL_CODE*/
-+#define DROPBEAR_SMALL_CODE
- 
- /* Enable X11 Forwarding - server only */
- #define ENABLE_X11FWD
-@@ -78,7 +78,7 @@ much traffic. */
+@@ -81,7 +81,7 @@ much traffic. */
  
  /* Enable "Netcat mode" option. This will forward standard input/output
   * to a remote TCP-forwarded connection */
@@ -27,7 +18,7 @@
  
  /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
  #define ENABLE_USER_ALGO_LIST
-@@ -92,8 +92,8 @@ much traffic. */
+@@ -95,8 +95,8 @@ much traffic. */
  #define DROPBEAR_AES256
  /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
  /*#define DROPBEAR_BLOWFISH*/
@@ -38,7 +29,7 @@
  
  /* Enable "Counter Mode" for ciphers. This is more secure than normal
   * CBC mode against certain attacks. This adds around 1kB to binary 
-@@ -119,7 +119,7 @@ much traffic. */
+@@ -122,7 +122,7 @@ much traffic. */
   * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
   * which are not the standard form. */
  #define DROPBEAR_SHA1_HMAC
@@ -47,7 +38,7 @@
  /*#define DROPBEAR_SHA2_256_HMAC*/
  /*#define DROPBEAR_SHA2_512_HMAC*/
  #define DROPBEAR_MD5_HMAC
-@@ -157,7 +157,7 @@ much traffic. */
+@@ -175,7 +175,7 @@ much traffic. */
  
  /* Whether to print the message of the day (MOTD). This doesn't add much code
   * size */
@@ -56,7 +47,7 @@
  
  /* The MOTD file path */
  #ifndef MOTD_FILENAME
-@@ -195,7 +195,7 @@ much traffic. */
+@@ -213,7 +213,7 @@ much traffic. */
   * note that it will be provided for all "hidden" client-interactive
   * style prompts - if you want something more sophisticated, use 
   * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/

package/network/services/dropbear/patches/150-dbconvert_standalone.patch

@@ -9,6 +9,6 @@
 +#define DROPBEAR_CLIENT
 +#endif
 +
- /******************************************************************
-  * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
-  * parts are to allow for commandline -DDROPBEAR_XXX options etc.
+ /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
+  * parts are to allow for commandline -DDROPBEAR_XXX options etc. */
+ 

package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch

@@ -1,29 +0,0 @@
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -56,7 +56,7 @@ HEADERS=options.h dbutil.h session.h pac
- 		loginrec.h atomicio.h x11fwd.h agentfwd.h tcpfwd.h compat.h \
- 		listener.h fake-rfc2553.h
- 
--dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) @CRYPTLIB@ 
-+dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS)
- dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS)
- dropbearkeyobjs=$(COMMONOBJS) $(KEYOBJS)
- dropbearconvertobjs=$(COMMONOBJS) $(CONVERTOBJS)
-@@ -78,7 +78,7 @@ STRIP=@STRIP@
- INSTALL=@INSTALL@
- CPPFLAGS=@CPPFLAGS@
- CFLAGS+=-I. -I$(srcdir) $(CPPFLAGS) @CFLAGS@
--LIBS+=@LIBS@
-+LIBS+=@CRYPTLIB@ @LIBS@
- LDFLAGS=@LDFLAGS@
- 
- EXEEXT=@EXEEXT@
-@@ -168,7 +168,7 @@ scp: $(SCPOBJS)  $(HEADERS) Makefile
- # multi-binary compilation.
- MULTIOBJS=
- ifeq ($(MULTI),1)
--	MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs))) @CRYPTLIB@ 
-+	MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs)))
- 	CFLAGS+=$(addprefix -DDBMULTI_, $(PROGRAMS)) -DDROPBEAR_MULTI
- endif
- 

package/network/services/dropbear/patches/500-set-default-path.patch

@@ -1,6 +1,6 @@
 --- a/options.h
 +++ b/options.h
-@@ -301,7 +301,7 @@ be overridden at runtime with -I. 0 disa
+@@ -318,7 +318,7 @@ be overridden at runtime with -I. 0 disa
  #define DEFAULT_IDLE_TIMEOUT 0
  
  /* The default path. This will often get replaced by the shell */