Created attachment 191192 [details] patch Changes: * switch to https, * new options for kex. Because of fixed Spectre variant 2, this needs MFH. Builds fine in Poudriere on 10.4-RELEASE. Changelog of Dropbear itself: https://matt.ucc.asn.au/dropbear/CHANGES
Looks good. http://pkg.awarnach.mathstat.dal.ca/data/latest-per-pkg/dropbear/2018.76/ Are you OK if we do some re-ordering to conform to https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/book.html#porting-order ? https://reviews.freebsd.org/D14829
(In reply to Joseph Mingrone from comment #1) Sure.
A commit references this bug: Author: jrm Date: Tue Mar 27 18:50:25 UTC 2018 New revision: 465733 URL: https://svnweb.freebsd.org/changeset/ports/465733 Log: security/dropbear: Update to version 2018.76 PR: 226339 Submitted by: pkubaj@anongoth.pl (maintainer) Differential Revision: https://reviews.freebsd.org/D14829 Changes: head/security/dropbear/Makefile head/security/dropbear/distinfo head/security/dropbear/files/patch-configure head/security/dropbear/pkg-descr head/security/dropbear/pkg-plist
Committed. Thanks.
(In reply to Joseph Mingrone from comment #4) Unfortunately with either i386 or amb64 FreeBSD11.1Stable r330133M with clang 5.0.1 or gcc7, I get the result (from the i386 attempt). /session.h:78:3: error: unknown type name 'symmetric_CBC'; did you mean 'symmetric_key'? symmetric_CBC cbc; ^~~~~~~~~~~~~ symmetric_key ./libtomcrypt/src/headers/tomcrypt_cipher.h:217:3: note: 'symmetric_key' declared here } symmetric_key; ^ 7 errors generated. These are the same CFLAGS used for 2017.75, as for 2018.76 CFLAGS= -O2 -pipe -Wl,-m,elf_i386_fbsd -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -g0 -ggdb0 -DSTRIP_FBSDID -UDEBUGGING -UEBUGGING -UDEBUG -fno-math-errno -Wl,--hash-style=sysv -fPIE -fPIC -Wl,--strip-debug -Wl,--build-id=md5 -fomit-frame-pointer -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -march=c3-2 -fno-strict-aliasing I appreciate your maintaining twofish along with other 75 settings, as they greatly aid consistency :)
Assign to committer resolving. Re-open pending MFH
(In reply to dewayne from comment #5) Could you post what options you use? It should work fine when you use right options, ie. if you disable everything, it won't work :) Ports are meant to be the way to customize things for those who know what they want, if you're not sure what to change, just use package (or a port with default options).
(In reply to Piotr Kubaj from comment #7) I've reverted to an earlier dropbear (.75). Your options b2# make __MAKE_CONF=/dev/null -C /usr/ports/security/dropbear showconfig | grep =on SMALL_CODE=on: Make binary smaller in exchange for 50% performance hit AES128=on: Enable AES128-based encryption AES256=on: Enable AES256-based encryption TWOFISH256=on: Enable Twofish256-based encryption TWOFISH128=on: Enable Twofish128-based encryption RSA=on: Enable RSA public key support SHA2_256=on: Enable SHA2_256 MAC SHA2_512=on: Enable SHA2_512 MAC CTR=on: Use CTR mode for ciphers (more secure) My options - notable are CBC and ECDSA b2# make -C /usr/ports/security/dropbear -DUSE_CORE2 showconfig | grep =on SMALL_CODE=on: Make binary smaller in exchange for 50% performance hit AES256=on: Enable AES256-based encryption TWOFISH256=on: Enable Twofish256-based encryption ECDSA=on: Enable ECDSA public key support RSA=on: Enable RSA public key support SHA2_256=on: Enable SHA2_256 MAC SHA2_512=on: Enable SHA2_512 MAC CBC=on: Use CBC mode for ciphers (less secure)
(In reply to dewayne from comment #8) It looks like there's a bug in Dropbear. You can work it around by compiling with both CBC and CTR.
(In reply to Piotr Kubaj from comment #9) Thanks Piotr for tracking down the problem, you are correct. I attempted to investigate the source, to no avail. Perhaps we should leave this "open" until the bug is fixed, or that upstream mandate CTR (which doesn't appear to be their mode of operation)?
(In reply to dewayne from comment #10) Sure, no problem for me.
Created attachment 195503 [details] patch to mark CBC option broken Let's just mark the CBC option as broken and close the bug. Look good?
LGTM.
A commit references this bug: Author: swills Date: Fri Jul 27 21:01:50 UTC 2018 New revision: 475463 URL: https://svnweb.freebsd.org/changeset/ports/475463 Log: security/dropbear: mark CBC option broken PR: 226339 Approved by: Piotr Kubaj <pkubaj@anongoth.pl> (maintainer) Changes: head/security/dropbear/Makefile
Committed, thanks!
(In reply to Steve Wills from comment #15) How does this "FIX" the problem. To retain functionality, it would be better to link the CTR as required for the CBC option to be selected; which works.