From d93da0d0169b2ca90b888e4bb782c259e5ddf2fe Mon Sep 17 00:00:00 2001 From: Andrew Cameron Date: Thu, 18 Jun 2020 08:25:43 -0500 Subject: [PATCH 01/11] ath79: add support for TP-Link CPE610 v2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit TP-Link CPE610 v2 is an outdoor wireless CPE for 5 GHz with one Ethernet port based on Atheros AR9344 Specifications: - 560/450/225 MHz (CPU/DDR/AHB) - 1x 10/100 Mbps Ethernet - 64 MB of DDR2 RAM - 8 MB of SPI-NOR Flash - 23dBi high-gain directional 2×2 MIMO antenna and a dedicated metal reflector - Power, LAN, WLAN5G green LEDs - 3x green RSSI LEDs Flashing instructions: Flash factory image through stock firmware WEB UI or through TFTP To get to TFTP recovery just hold reset button while powering on for around 4-5 seconds and release. Rename factory image to recovery.bin Stock TFTP server IP:192.168.0.100 Stock device TFTP adress:192.168.0.254 Signed-off-by: Andrew Cameron --- .../ath79/dts/ar9344_tplink_cpe610-v2.dts | 34 ++++++++++++++++ .../generic/base-files/etc/board.d/01_leds | 3 ++ .../generic/base-files/etc/board.d/02_network | 1 + target/linux/ath79/image/generic-tp-link.mk | 10 +++++ tools/firmware-utils/src/tplink-safeloader.c | 40 +++++++++++++++++++ 5 files changed, 88 insertions(+) create mode 100644 target/linux/ath79/dts/ar9344_tplink_cpe610-v2.dts diff --git a/target/linux/ath79/dts/ar9344_tplink_cpe610-v2.dts b/target/linux/ath79/dts/ar9344_tplink_cpe610-v2.dts new file mode 100644 index 0000000000..c00f21a51e --- /dev/null +++ b/target/linux/ath79/dts/ar9344_tplink_cpe610-v2.dts @@ -0,0 +1,34 @@ +// SPDX-License-Identifier: GPL-2.0-or-later OR MIT +/dts-v1/; + +#include "ar9344_tplink_cpe.dtsi" + +/ { + model = "TP-Link CPE610 v2"; + compatible = "tplink,cpe610-v2", "qca,ar9344"; + + aliases { + led-boot = &led_lan; + led-failsafe = &led_lan; + led-upgrade = &led_lan; + }; + + leds { + compatible = "gpio-leds"; + + led_lan: lan { + label = "tp-link:green:lan"; + gpios = <&gpio 11 GPIO_ACTIVE_LOW>; + }; + + wlan5g { + label = "tp-link:green:wlan5g"; + gpios = <&gpio 13 GPIO_ACTIVE_LOW>; + linux,default-trigger = "phy0tpt"; + }; + }; +}; + +ð1 { + compatible = "syscon", "simple-mfd"; +}; diff --git a/target/linux/ath79/generic/base-files/etc/board.d/01_leds b/target/linux/ath79/generic/base-files/etc/board.d/01_leds index 8029cf7b5e..be0c3b1217 100755 --- a/target/linux/ath79/generic/base-files/etc/board.d/01_leds +++ b/target/linux/ath79/generic/base-files/etc/board.d/01_leds @@ -243,6 +243,9 @@ tplink,cpe510-v3) ucidef_set_led_rssi "rssihigh" "RSSIHIGH" "tp-link:green:link4" "wlan0" "76" "100" "-75" "13" ;; tplink,cpe610-v1|\ +tplink,cpe610-v2) + ucidef_set_led_netdev "lan" "LAN" "tp-link:green:lan" "eth0" + ;; tplink,tl-wr902ac-v1) ucidef_set_led_netdev "lan" "LAN" "tp-link:green:lan" "eth0" ucidef_set_led_netdev "internet" "Internet" "tp-link:green:internet" "eth0" diff --git a/target/linux/ath79/generic/base-files/etc/board.d/02_network b/target/linux/ath79/generic/base-files/etc/board.d/02_network index f2ba49764b..02245031fa 100755 --- a/target/linux/ath79/generic/base-files/etc/board.d/02_network +++ b/target/linux/ath79/generic/base-files/etc/board.d/02_network @@ -39,6 +39,7 @@ ath79_setup_interfaces() tplink,cpe510-v2|\ tplink,cpe510-v3|\ tplink,cpe610-v1|\ + tplink,cpe610-v2|\ tplink,re350k-v1|\ tplink,re355-v1|\ tplink,re450-v1|\ diff --git a/target/linux/ath79/image/generic-tp-link.mk b/target/linux/ath79/image/generic-tp-link.mk index bd7eb3fc76..967eb2a7c3 100644 --- a/target/linux/ath79/image/generic-tp-link.mk +++ b/target/linux/ath79/image/generic-tp-link.mk @@ -352,6 +352,16 @@ define Device/tplink_cpe610-v1 endef TARGET_DEVICES += tplink_cpe610-v1 +define Device/tplink_cpe610-v2 + $(Device/tplink-safeloader-okli) + SOC := ar9344 + IMAGE_SIZE := 7680k + DEVICE_MODEL := CPE610 + DEVICE_VARIANT := v2 + TPLINK_BOARD_ID := CPE610V2 +endef +TARGET_DEVICES += tplink_cpe610-v2 + define Device/tplink_re350k-v1 $(Device/tplink-safeloader) SOC := qca9558 diff --git a/tools/firmware-utils/src/tplink-safeloader.c b/tools/firmware-utils/src/tplink-safeloader.c index f0e777124c..f2e4a7ce9a 100644 --- a/tools/firmware-utils/src/tplink-safeloader.c +++ b/tools/firmware-utils/src/tplink-safeloader.c @@ -474,6 +474,46 @@ static struct device_info boards[] = { .last_sysupgrade_partition = "support-list", }, + /** Firmware layout for the CPE610V2 */ + { + .id = "CPE610V2", + .vendor = "CPE610(TP-LINK|UN|N300-5|00000000):2.0\r\n", + .support_list = + "SupportList:\r\n" + "CPE610(TP-LINK|EU|N300-5|00000000):2.0\r\n" + "CPE610(TP-LINK|EU|N300-5|45550000):2.0\r\n" + "CPE610(TP-LINK|EU|N300-5|55530000):2.0\r\n" + "CPE610(TP-LINK|UN|N300-5|00000000):2.0\r\n" + "CPE610(TP-LINK|UN|N300-5|45550000):2.0\r\n" + "CPE610(TP-LINK|UN|N300-5|55530000):2.0\r\n" + "CPE610(TP-LINK|US|N300-5|55530000):2.0\r\n" + "CPE610(TP-LINK|UN|N300-5):2.0\r\n" + "CPE610(TP-LINK|EU|N300-5):2.0\r\n" + "CPE610(TP-LINK|US|N300-5):2.0\r\n", + .support_trail = '\xff', + .soft_ver = NULL, + + .partitions = { + {"fs-uboot", 0x00000, 0x20000}, + {"partition-table", 0x20000, 0x02000}, + {"default-mac", 0x30000, 0x00020}, + {"product-info", 0x31100, 0x00100}, + {"signature", 0x32000, 0x00400}, + {"os-image", 0x40000, 0x200000}, + {"file-system", 0x240000, 0x570000}, + {"soft-version", 0x7b0000, 0x00100}, + {"support-list", 0x7b1000, 0x00400}, + {"user-config", 0x7c0000, 0x10000}, + {"default-config", 0x7d0000, 0x10000}, + {"log", 0x7e0000, 0x10000}, + {"radio", 0x7f0000, 0x10000}, + {NULL, 0, 0} + }, + + .first_sysupgrade_partition = "os-image", + .last_sysupgrade_partition = "support-list", + }, + { .id = "WBS210", .vendor = "CPE510(TP-LINK|UN|N300-5):1.0\r\n", From 5aae0c786221f3d1cbb33bc08bdc1c9e7957f4ca Mon Sep 17 00:00:00 2001 From: INAGAKI Hiroshi Date: Sat, 16 May 2020 15:14:18 +0900 Subject: [PATCH 02/11] ramips: add label-mac-device for ELECOM WRC-GST devices Update the dtsi for ELECOM WRC-1900GST and WRC-2533GST to add label-mac-device alias. Signed-off-by: INAGAKI Hiroshi [WRC-1900GST] Acked-by: NOGUCHI Hiroshi [split patch, adjust commit title/message] Signed-off-by: Adrian Schmutzler --- target/linux/ramips/dts/mt7621_elecom_wrc-gst.dtsi | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/target/linux/ramips/dts/mt7621_elecom_wrc-gst.dtsi b/target/linux/ramips/dts/mt7621_elecom_wrc-gst.dtsi index 567552d8d5..3bfdbe398c 100644 --- a/target/linux/ramips/dts/mt7621_elecom_wrc-gst.dtsi +++ b/target/linux/ramips/dts/mt7621_elecom_wrc-gst.dtsi @@ -11,6 +11,7 @@ led-failsafe = &led_power_green; led-running = &led_power_green; led-upgrade = &led_power_green; + label-mac-device = &wan; }; chosen { @@ -92,7 +93,7 @@ &switch0 { ports { - port@0 { + wan: port@0 { status = "okay"; label = "wan"; mtd-mac-address = <&factory 0xe006>; From b5ae70d0530d1a733816f921ae0fe4dd58251fbb Mon Sep 17 00:00:00 2001 From: INAGAKI Hiroshi Date: Sat, 16 May 2020 15:14:18 +0900 Subject: [PATCH 03/11] ramips: increase SPI frequency for ELECOM WRC-GST devices Increase the SPI frequency for ELECOM WRC-1900GST and WRC-2533GST to 40 MHz by updating the common DTSI file. Signed-off-by: INAGAKI Hiroshi [WRC-1900GST] Acked-by: NOGUCHI Hiroshi [split patch, adjust commit title/message] Signed-off-by: Adrian Schmutzler --- target/linux/ramips/dts/mt7621_elecom_wrc-gst.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/linux/ramips/dts/mt7621_elecom_wrc-gst.dtsi b/target/linux/ramips/dts/mt7621_elecom_wrc-gst.dtsi index 3bfdbe398c..03fe467578 100644 --- a/target/linux/ramips/dts/mt7621_elecom_wrc-gst.dtsi +++ b/target/linux/ramips/dts/mt7621_elecom_wrc-gst.dtsi @@ -127,7 +127,7 @@ flash@0 { compatible = "jedec,spi-nor"; reg = <0>; - spi-max-frequency = <10000000>; + spi-max-frequency = <40000000>; partitions { compatible = "fixed-partitions"; From 39f2f9b1bf719ff11a4497cbfa6de4e3380e35bc Mon Sep 17 00:00:00 2001 From: INAGAKI Hiroshi Date: Tue, 25 Jun 2019 22:20:44 +0900 Subject: [PATCH 04/11] ramips: add MT7615 wireless support for ELECOM WRC-GST devices ELECOM WRC-1900GST and WRC-2533GST have two MT7615 chips for 2.4/5 GHz wireless. Signed-off-by: INAGAKI Hiroshi [WRC-1900GST] Acked-by: NOGUCHI Hiroshi --- .../ramips/dts/mt7621_elecom_wrc-gst.dtsi | 29 ++++++++++++++++++- target/linux/ramips/image/mt7621.mk | 2 ++ 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/target/linux/ramips/dts/mt7621_elecom_wrc-gst.dtsi b/target/linux/ramips/dts/mt7621_elecom_wrc-gst.dtsi index 03fe467578..43f31cf2b6 100644 --- a/target/linux/ramips/dts/mt7621_elecom_wrc-gst.dtsi +++ b/target/linux/ramips/dts/mt7621_elecom_wrc-gst.dtsi @@ -194,7 +194,34 @@ &pcie { status = "okay"; - /* WRC-xxxxGST has MT7615 for 2.4/5 GHz wifi, but it's not supported */ +}; + +&pcie0 { + wifi@0,0 { + compatible = "mediatek,mt76"; + reg = <0x0000 0 0 0 0>; + mediatek,mtd-eeprom = <&factory 0x0000>; + ieee80211-freq-limit = <2400000 2500000>; + + led { + led-sources = <0>; + led-active-low; + }; + }; +}; + +&pcie1 { + wifi@0,0 { + compatible = "mediatek,mt76"; + reg = <0x0000 0 0 0 0>; + mediatek,mtd-eeprom = <&factory 0x8000>; + ieee80211-freq-limit = <5000000 6000000>; + + led { + led-sources = <0>; + led-active-low; + }; + }; }; &xhci { diff --git a/target/linux/ramips/image/mt7621.mk b/target/linux/ramips/image/mt7621.mk index ff4dca91b8..848a0785fb 100644 --- a/target/linux/ramips/image/mt7621.mk +++ b/target/linux/ramips/image/mt7621.mk @@ -291,6 +291,7 @@ define Device/elecom_wrc-1900gst IMAGES += factory.bin IMAGE/factory.bin := $$(sysupgrade_bin) | check-size | \ elecom-gst-factory WRC-1900GST 0.00 + DEVICE_PACKAGES := kmod-mt7615e kmod-mt7615-firmware wpad-basic endef TARGET_DEVICES += elecom_wrc-1900gst @@ -302,6 +303,7 @@ define Device/elecom_wrc-2533gst IMAGES += factory.bin IMAGE/factory.bin := $$(sysupgrade_bin) | check-size | \ elecom-gst-factory WRC-2533GST 0.00 + DEVICE_PACKAGES := kmod-mt7615e kmod-mt7615-firmware wpad-basic endef TARGET_DEVICES += elecom_wrc-2533gst From 3a8d65010d999275a583c42064b60ab9a3cdce84 Mon Sep 17 00:00:00 2001 From: INAGAKI Hiroshi Date: Sat, 16 May 2020 17:39:26 +0900 Subject: [PATCH 05/11] ramips: add support for ELECOM WRC-2533GST2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ELECOM WRC-2533GST2 is a 2.4/5 GHz band 11ac (Wi-Fi 5) router, based on MT7621A. Specification: - SoC : MediaTek MT7621A - RAM : DDR3 256 MiB - Flash : SPI-NOR 32 MiB - WLAN : 2.4/5 GHz 4T4R (2x MediaTek MT7615) - Ethernet : 10/100/1000 Mbps x5 - Switch : MediaTek MT7530 (SoC) - LED/keys : 4x/6x (2x buttons, 1x slide-switch) - UART : through-hole on PCB - J4: 3.3V, GND, TX, RX from ethernet port side - 57600n8 - Power : 12VDC, 1.5A Flash instruction using factory image: 1. Boot WRC-2533GST2 normally 2. Access to "http://192.168.2.1/" and open firmware update page ("ファームウェア更新") 3. Select the OpenWrt factory image and click apply ("適用") button 4. Wait ~150 seconds to complete flashing Signed-off-by: INAGAKI Hiroshi --- .../ramips/dts/mt7621_elecom_wrc-1900gst.dts | 32 +++++++++++++++ .../ramips/dts/mt7621_elecom_wrc-2533gst.dts | 32 +++++++++++++++ .../ramips/dts/mt7621_elecom_wrc-2533gst2.dts | 41 +++++++++++++++++++ .../ramips/dts/mt7621_elecom_wrc-gst.dtsi | 32 +-------------- target/linux/ramips/image/mt7621.mk | 12 ++++++ 5 files changed, 118 insertions(+), 31 deletions(-) create mode 100644 target/linux/ramips/dts/mt7621_elecom_wrc-2533gst2.dts diff --git a/target/linux/ramips/dts/mt7621_elecom_wrc-1900gst.dts b/target/linux/ramips/dts/mt7621_elecom_wrc-1900gst.dts index 7cbf2cd803..4b99cee31e 100644 --- a/target/linux/ramips/dts/mt7621_elecom_wrc-1900gst.dts +++ b/target/linux/ramips/dts/mt7621_elecom_wrc-1900gst.dts @@ -7,3 +7,35 @@ compatible = "elecom,wrc-1900gst", "mediatek,mt7621-soc"; model = "ELECOM WRC-1900GST"; }; + +&partitions { + partition@50000 { + compatible = "denx,uimage"; + label = "firmware"; + reg = <0x50000 0xb00000>; + }; + + partition@b50000 { + label = "tm_pattern"; + reg = <0xb50000 0x380000>; + read-only; + }; + + partition@ed0000 { + label = "tm_key"; + reg = <0xed0000 0x80000>; + read-only; + }; + + partition@f50000 { + label = "art_block"; + reg = <0xf50000 0x30000>; + read-only; + }; + + partition@f80000 { + label = "user_data"; + reg = <0xf80000 0x80000>; + read-only; + }; +}; diff --git a/target/linux/ramips/dts/mt7621_elecom_wrc-2533gst.dts b/target/linux/ramips/dts/mt7621_elecom_wrc-2533gst.dts index aa15674b43..6158cf196a 100644 --- a/target/linux/ramips/dts/mt7621_elecom_wrc-2533gst.dts +++ b/target/linux/ramips/dts/mt7621_elecom_wrc-2533gst.dts @@ -6,3 +6,35 @@ compatible = "elecom,wrc-2533gst", "mediatek,mt7621-soc"; model = "ELECOM WRC-2533GST"; }; + +&partitions { + partition@50000 { + compatible = "denx,uimage"; + label = "firmware"; + reg = <0x50000 0xb00000>; + }; + + partition@b50000 { + label = "tm_pattern"; + reg = <0xb50000 0x380000>; + read-only; + }; + + partition@ed0000 { + label = "tm_key"; + reg = <0xed0000 0x80000>; + read-only; + }; + + partition@f50000 { + label = "art_block"; + reg = <0xf50000 0x30000>; + read-only; + }; + + partition@f80000 { + label = "user_data"; + reg = <0xf80000 0x80000>; + read-only; + }; +}; diff --git a/target/linux/ramips/dts/mt7621_elecom_wrc-2533gst2.dts b/target/linux/ramips/dts/mt7621_elecom_wrc-2533gst2.dts new file mode 100644 index 0000000000..01f32e9b20 --- /dev/null +++ b/target/linux/ramips/dts/mt7621_elecom_wrc-2533gst2.dts @@ -0,0 +1,41 @@ +// SPDX-License-Identifier: GPL-2.0-or-later OR MIT +/dts-v1/; + +#include "mt7621_elecom_wrc-gst.dtsi" + +/ { + compatible = "elecom,wrc-2533gst2", "mediatek,mt7621-soc"; + model = "ELECOM WRC-2533GST2"; +}; + +&partitions { + partition@50000 { + compatible = "denx,uimage"; + label = "firmware"; + reg = <0x50000 0x1800000>; + }; + + partition@1850000 { + label = "tm_pattern"; + reg = <0x1850000 0x400000>; + read-only; + }; + + partition@1c50000 { + label = "tm_key"; + reg = <0x1c50000 0x100000>; + read-only; + }; + + partition@1d50000 { + label = "nvram"; + reg = <0x1d50000 0xb0000>; + read-only; + }; + + partition@1e00000 { + label = "user_data"; + reg = <0x1e00000 0x200000>; + read-only; + }; +}; diff --git a/target/linux/ramips/dts/mt7621_elecom_wrc-gst.dtsi b/target/linux/ramips/dts/mt7621_elecom_wrc-gst.dtsi index 43f31cf2b6..c28ba7d973 100644 --- a/target/linux/ramips/dts/mt7621_elecom_wrc-gst.dtsi +++ b/target/linux/ramips/dts/mt7621_elecom_wrc-gst.dtsi @@ -129,7 +129,7 @@ reg = <0>; spi-max-frequency = <40000000>; - partitions { + partitions: partitions { compatible = "fixed-partitions"; #address-cells = <1>; #size-cells = <1>; @@ -151,36 +151,6 @@ reg = <0x40000 0x10000>; read-only; }; - - partition@50000 { - compatible = "denx,uimage"; - label = "firmware"; - reg = <0x50000 0xb00000>; - }; - - partition@b50000 { - label = "tm_pattern"; - reg = <0xb50000 0x380000>; - read-only; - }; - - partition@ed0000 { - label = "tm_key"; - reg = <0xed0000 0x80000>; - read-only; - }; - - partition@f50000 { - label = "art_block"; - reg = <0xf50000 0x30000>; - read-only; - }; - - partition@f80000 { - label = "user_data"; - reg = <0xf80000 0x80000>; - read-only; - }; }; }; }; diff --git a/target/linux/ramips/image/mt7621.mk b/target/linux/ramips/image/mt7621.mk index 848a0785fb..d6423f81d9 100644 --- a/target/linux/ramips/image/mt7621.mk +++ b/target/linux/ramips/image/mt7621.mk @@ -307,6 +307,18 @@ define Device/elecom_wrc-2533gst endef TARGET_DEVICES += elecom_wrc-2533gst +define Device/elecom_wrc-2533gst2 + $(Device/uimage-lzma-loader) + IMAGE_SIZE := 24576k + DEVICE_VENDOR := ELECOM + DEVICE_MODEL := WRC-2533GST2 + IMAGES += factory.bin + IMAGE/factory.bin := $$(sysupgrade_bin) | check-size | \ + elecom-gst-factory WRC-2533GST2 0.00 + DEVICE_PACKAGES := kmod-mt7615e kmod-mt7615-firmware wpad-basic +endef +TARGET_DEVICES += elecom_wrc-2533gst2 + define Device/firefly_firewrt IMAGE_SIZE := 16064k DEVICE_VENDOR := Firefly From 708c6772f629a857a7d13a0ca65d6093746da8c3 Mon Sep 17 00:00:00 2001 From: Lech Perczak Date: Sat, 20 Jun 2020 18:16:11 +0200 Subject: [PATCH 06/11] ath79: fix input type for TP-Link TL-WR902AC v1 mode switch Inputs assigned to "mode select" switch on the side of the device were missing linux,input-type property. This would cause them do incorrectly generate EV_KEY events. Fix this by setting the linux,input-type = property on them. Signed-off-by: Lech Perczak --- target/linux/ath79/dts/qca9531_tplink_tl-wr902ac-v1.dts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/target/linux/ath79/dts/qca9531_tplink_tl-wr902ac-v1.dts b/target/linux/ath79/dts/qca9531_tplink_tl-wr902ac-v1.dts index 9eca13d82b..4f5a29cfa0 100644 --- a/target/linux/ath79/dts/qca9531_tplink_tl-wr902ac-v1.dts +++ b/target/linux/ath79/dts/qca9531_tplink_tl-wr902ac-v1.dts @@ -77,12 +77,14 @@ sw1 { label = "Mode switch 1"; + linux,input-type = ; linux,code = ; gpios = <&gpio 17 GPIO_ACTIVE_LOW>; }; sw2 { label = "Mode switch 2"; + linux,input-type = ; linux,code = ; gpios = <&gpio 14 GPIO_ACTIVE_LOW>; }; From 340de1d1545f6da3f21b06a23bb8288da6d992be Mon Sep 17 00:00:00 2001 From: Adrian Schmutzler Date: Thu, 18 Jun 2020 11:48:58 +0200 Subject: [PATCH 07/11] lantiq: fritz7312: set maximum speed to 100 mbit on 5.4 The fritz 7312 does not support 1000 gbit. Advertising it makes it worse. Some NIC will change to 1000 gibt and turn off and on again for ever. The previous patch in 36f628910b8b was only applied to the 4.19 file, so let's just make it consistent with this patch. Cc: Alexander Couzens Signed-off-by: Adrian Schmutzler --- .../files-5.4/arch/mips/boot/dts/lantiq/ar9_avm_fritz7312.dts | 1 + 1 file changed, 1 insertion(+) diff --git a/target/linux/lantiq/files-5.4/arch/mips/boot/dts/lantiq/ar9_avm_fritz7312.dts b/target/linux/lantiq/files-5.4/arch/mips/boot/dts/lantiq/ar9_avm_fritz7312.dts index aa825abd9f..0f635127f8 100644 --- a/target/linux/lantiq/files-5.4/arch/mips/boot/dts/lantiq/ar9_avm_fritz7312.dts +++ b/target/linux/lantiq/files-5.4/arch/mips/boot/dts/lantiq/ar9_avm_fritz7312.dts @@ -108,6 +108,7 @@ phy0: ethernet-phy@0 { reg = <0>; reset-gpios = <&gpio 34 GPIO_ACTIVE_LOW>; + max-speed = <100>; }; }; }; From 29e170dbaac0091d09ae52157cd2f1f26a9c8ca4 Mon Sep 17 00:00:00 2001 From: Konstantin Demin Date: Sun, 21 Jun 2020 15:36:47 +0300 Subject: [PATCH 08/11] dropbear: bump to 2020.79 - drop patches (applied upstream): * 010-backport-change-address-logging.patch * 020-backport-ed25519-support.patch * 021-backport-chacha20-poly1305-support.patch - backport patches: * 010-backport-disable-toom-and-karatsuba.patch: reduce dropbear binary size (about ~8Kb). - refresh patches. - don't bother anymore with following config options because they are disabled in upstream too: * DROPBEAR_3DES * DROPBEAR_ENABLE_CBC_MODE * DROPBEAR_SHA1_96_HMAC - explicitly disable DO_MOTD as it was before commit a1099ed: upstream has (accidentally) switched it to 0 in release 2019.77, but reverted back in release 2020.79. Signed-off-by: Konstantin Demin --- package/network/services/dropbear/Makefile | 9 +- .../010-backport-change-address-logging.patch | 119 - ...-backport-disable-toom-and-karatsuba.patch | 17 + .../020-backport-ed25519-support.patch | 2890 ----------------- ...1-backport-chacha20-poly1305-support.patch | 693 ---- .../dropbear/patches/100-pubkey_path.patch | 4 +- .../dropbear/patches/110-change_user.patch | 2 +- .../dropbear/patches/160-lto-jobserver.patch | 8 +- .../patches/901-bundled-libs-cflags.patch | 16 +- 9 files changed, 36 insertions(+), 3722 deletions(-) delete mode 100644 package/network/services/dropbear/patches/010-backport-change-address-logging.patch create mode 100644 package/network/services/dropbear/patches/010-backport-disable-toom-and-karatsuba.patch delete mode 100644 package/network/services/dropbear/patches/020-backport-ed25519-support.patch delete mode 100644 package/network/services/dropbear/patches/021-backport-chacha20-poly1305-support.patch diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 8de0739d56..8031a0c62a 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dropbear -PKG_VERSION:=2019.78 -PKG_RELEASE:=5 +PKG_VERSION:=2020.79 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:= \ http://matt.ucc.asn.au/dropbear/releases/ \ https://dropbear.nl/mirror/releases/ -PKG_HASH:=525965971272270995364a0eb01f35180d793182e63dd0b0c3eb0292291644a4 +PKG_HASH:=084f00546b1610a3422a0773e2c04cbe1a220d984209e033b548b49f379cc441 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE @@ -124,8 +124,7 @@ define Build/Configure # disable legacy/unsafe methods and unused functionality for OPTION in INETD_MODE DROPBEAR_CLI_NETCAT \ - DROPBEAR_3DES DROPBEAR_DSS DROPBEAR_ENABLE_CBC_MODE \ - DROPBEAR_SHA1_96_HMAC DROPBEAR_USE_PASSWORD_ENV; do \ + DROPBEAR_DSS DROPBEAR_USE_PASSWORD_ENV DO_MOTD ; do \ echo "#define $$$$OPTION 0" >> \ $(PKG_BUILD_DIR)/localoptions.h; \ done diff --git a/package/network/services/dropbear/patches/010-backport-change-address-logging.patch b/package/network/services/dropbear/patches/010-backport-change-address-logging.patch deleted file mode 100644 index 2b99f81ad5..0000000000 --- a/package/network/services/dropbear/patches/010-backport-change-address-logging.patch +++ /dev/null @@ -1,119 +0,0 @@ -From c153b3612b7c9f24a0f5af43618a646545ed6e22 Mon Sep 17 00:00:00 2001 -From: Kevin Darbyshire-Bryant -Date: Mon, 30 Sep 2019 12:42:13 +0100 -Subject: [PATCH] Improve address logging on early exit messages - -Change 'Early exit' and 'Exit before auth' messages to include the IP -address & port as part of the message. - -This allows log scanning utilities such as 'fail2ban' to obtain the -offending IP address as part of the failure event instead of extracting -the PID from the message and then scanning the log again for match -'child connection from' messages - -Signed-off-by: Kevin Darbyshire-Bryant ---- - svr-auth.c | 18 +++++++----------- - svr-session.c | 20 ++++++++++++++------ - 2 files changed, 21 insertions(+), 17 deletions(-) - ---- a/svr-auth.c -+++ b/svr-auth.c -@@ -241,8 +241,7 @@ static int checkusername(const char *use - } - - if (strlen(username) != userlen) { -- dropbear_exit("Attempted username with a null byte from %s", -- svr_ses.addrstring); -+ dropbear_exit("Attempted username with a null byte"); - } - - if (ses.authstate.username == NULL) { -@@ -252,8 +251,7 @@ static int checkusername(const char *use - } else { - /* check username hasn't changed */ - if (strcmp(username, ses.authstate.username) != 0) { -- dropbear_exit("Client trying multiple usernames from %s", -- svr_ses.addrstring); -+ dropbear_exit("Client trying multiple usernames"); - } - } - -@@ -268,8 +266,7 @@ static int checkusername(const char *use - if (!ses.authstate.pw_name) { - TRACE(("leave checkusername: user '%s' doesn't exist", username)) - dropbear_log(LOG_WARNING, -- "Login attempt for nonexistent user from %s", -- svr_ses.addrstring); -+ "Login attempt for nonexistent user"); - ses.authstate.checkusername_failed = 1; - return DROPBEAR_FAILURE; - } -@@ -279,9 +276,8 @@ static int checkusername(const char *use - if (!(DROPBEAR_SVR_MULTIUSER && uid == 0) && uid != ses.authstate.pw_uid) { - TRACE(("running as nonroot, only server uid is allowed")) - dropbear_log(LOG_WARNING, -- "Login attempt with wrong user %s from %s", -- ses.authstate.pw_name, -- svr_ses.addrstring); -+ "Login attempt with wrong user %s", -+ ses.authstate.pw_name); - ses.authstate.checkusername_failed = 1; - return DROPBEAR_FAILURE; - } -@@ -440,8 +436,8 @@ void send_msg_userauth_failure(int parti - } else { - userstr = ses.authstate.pw_name; - } -- dropbear_exit("Max auth tries reached - user '%s' from %s", -- userstr, svr_ses.addrstring); -+ dropbear_exit("Max auth tries reached - user '%s'", -+ userstr); - } - - TRACE(("leave send_msg_userauth_failure")) ---- a/svr-session.c -+++ b/svr-session.c -@@ -149,28 +149,36 @@ void svr_session(int sock, int childpipe - void svr_dropbear_exit(int exitcode, const char* format, va_list param) { - char exitmsg[150]; - char fullmsg[300]; -+ char fromaddr[60]; - int i; - - /* Render the formatted exit message */ - vsnprintf(exitmsg, sizeof(exitmsg), format, param); - -+ /* svr_ses.addrstring may not be set for some early exits, or for -+ the listener process */ -+ fromaddr[0] = '\0'; -+ if (svr_ses.addrstring) { -+ snprintf(fromaddr, sizeof(fromaddr), " from <%s>", svr_ses.addrstring); -+ } -+ - /* Add the prefix depending on session/auth state */ - if (!ses.init_done) { - /* before session init */ -- snprintf(fullmsg, sizeof(fullmsg), "Early exit: %s", exitmsg); -+ snprintf(fullmsg, sizeof(fullmsg), "Early exit%s: %s", fromaddr, exitmsg); - } else if (ses.authstate.authdone) { - /* user has authenticated */ - snprintf(fullmsg, sizeof(fullmsg), -- "Exit (%s): %s", -- ses.authstate.pw_name, exitmsg); -+ "Exit (%s)%s: %s", -+ ses.authstate.pw_name, fromaddr, exitmsg); - } else if (ses.authstate.pw_name) { - /* we have a potential user */ - snprintf(fullmsg, sizeof(fullmsg), -- "Exit before auth (user '%s', %u fails): %s", -- ses.authstate.pw_name, ses.authstate.failcount, exitmsg); -+ "Exit before auth%s: (user '%s', %u fails): %s", -+ fromaddr, ses.authstate.pw_name, ses.authstate.failcount, exitmsg); - } else { - /* before userauth */ -- snprintf(fullmsg, sizeof(fullmsg), "Exit before auth: %s", exitmsg); -+ snprintf(fullmsg, sizeof(fullmsg), "Exit before auth%s: %s", fromaddr, exitmsg); - } - - dropbear_log(LOG_INFO, "%s", fullmsg); diff --git a/package/network/services/dropbear/patches/010-backport-disable-toom-and-karatsuba.patch b/package/network/services/dropbear/patches/010-backport-disable-toom-and-karatsuba.patch new file mode 100644 index 0000000000..9af291eb01 --- /dev/null +++ b/package/network/services/dropbear/patches/010-backport-disable-toom-and-karatsuba.patch @@ -0,0 +1,17 @@ +From: Matt Johnston +Date: Thu, 18 Jun 2020 19:12:07 +0800 +Subject: Disable toom and karatsuba for new libtommath + +--- a/libtommath/tommath_class.h ++++ b/libtommath/tommath_class.h +@@ -1312,6 +1312,10 @@ + #undef BN_MP_KARATSUBA_SQR_C + #undef BN_MP_TOOM_MUL_C + #undef BN_MP_TOOM_SQR_C ++#undef BN_S_MP_KARATSUBA_MUL_C ++#undef BN_S_MP_KARATSUBA_SQR_C ++#undef BN_S_MP_TOOM_MUL_C ++#undef BN_S_MP_TOOM_SQR_C + + #include "dbmalloc.h" + #define MP_MALLOC m_malloc diff --git a/package/network/services/dropbear/patches/020-backport-ed25519-support.patch b/package/network/services/dropbear/patches/020-backport-ed25519-support.patch deleted file mode 100644 index 00a3bbbee1..0000000000 --- a/package/network/services/dropbear/patches/020-backport-ed25519-support.patch +++ /dev/null @@ -1,2890 +0,0 @@ -From 3d12521735e7ef7e48be217af0f27d68e23050a7 Mon Sep 17 00:00:00 2001 -From: Vladislav Grishenko -Date: Wed, 11 Mar 2020 21:09:45 +0500 -Subject: [PATCH] Add Ed25519 support (#91) - -* Add support for Ed25519 as a public key type - -Ed25519 is a elliptic curve signature scheme that offers -better security than ECDSA and DSA and good performance. It may be -used for both user and host keys. - -OpenSSH key import and fuzzer are not supported yet. - -Initially inspired by Peter Szabo. - -* Add curve25519 and ed25519 fuzzers - -* Add import and export of Ed25519 keys ---- - .travis.yml | 1 + - FUZZER-NOTES.md | 3 + - LICENSE | 71 ++-- - Makefile.in | 12 +- - README | 1 + - cli-kex.c | 2 +- - common-algo.c | 3 + - common-kex.c | 14 +- - curve25519-donna.c | 860 ----------------------------------------- - curve25519.c | 502 ++++++++++++++++++++++++ - curve25519.h | 37 ++ - default_options.h | 7 +- - dropbear.8 | 6 +- - dropbearkey.c | 25 ++ - ed25519.c | 184 +++++++++ - ed25519.h | 54 +++ - filelist.txt | 4 + - fuzz-common.c | 8 + - fuzz-hostkeys.c | 10 + - fuzzer-kexcurve25519.c | 72 ++++ - gened25519.c | 47 +++ - gened25519.h | 36 ++ - gensignkey.c | 10 + - keyimport.c | 158 +++++++- - signkey.c | 60 ++- - signkey.h | 7 + - ssh.h | 2 + - svr-kex.c | 8 +- - svr-runopts.c | 24 ++ - sysoptions.h | 7 +- - 30 files changed, 1289 insertions(+), 946 deletions(-) - delete mode 100644 curve25519-donna.c - create mode 100644 curve25519.c - create mode 100644 curve25519.h - create mode 100644 ed25519.c - create mode 100644 ed25519.h - create mode 100644 fuzzer-kexcurve25519.c - create mode 100644 gened25519.c - create mode 100644 gened25519.h - -diff --git a/.travis.yml b/.travis.yml -index 9bcbce4..99499c8 100644 ---- a/.travis.yml -+++ b/.travis.yml -@@ -57,6 +57,7 @@ script: - - ~/inst/bin/dropbearkey -t ecdsa -f testec256 -s 256 - - ~/inst/bin/dropbearkey -t ecdsa -f testec384 -s 384 - - ~/inst/bin/dropbearkey -t ecdsa -f testec521 -s 521 -+ - ~/inst/bin/dropbearkey -t ed25519 -f tested25519 - - test -z $DO_FUZZ || ./fuzzers_test.sh - - branches: -diff --git a/FUZZER-NOTES.md b/FUZZER-NOTES.md -index 7b88238..4967eba 100644 ---- a/FUZZER-NOTES.md -+++ b/FUZZER-NOTES.md -@@ -72,3 +72,6 @@ Current fuzzers are - - - [fuzzer-kexecdh](fuzzer-kexecdh.c) - test Elliptic Curve Diffie-Hellman key exchange like fuzzer-kexdh. - This is testing libtommath ECC routines. -+ -+- [fuzzer-kexcurve25519](fuzzer-kexcurve25519.c) - test Curve25519 Elliptic Curve Diffie-Hellman key exchange -+ like fuzzer-kexecdh. This is testing `dropbear_curve25519_scalarmult()` and other libtommath routines. -diff --git a/LICENSE b/LICENSE -index c400d94..a4849ff 100644 ---- a/LICENSE -+++ b/LICENSE -@@ -90,52 +90,25 @@ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - - ===== - --curve25519-donna: -- --/* Copyright 2008, Google Inc. -- * All rights reserved. -- * -- * Redistribution and use in source and binary forms, with or without -- * modification, are permitted provided that the following conditions are -- * met: -- * -- * * Redistributions of source code must retain the above copyright -- * notice, this list of conditions and the following disclaimer. -- * * Redistributions in binary form must reproduce the above -- * copyright notice, this list of conditions and the following disclaimer -- * in the documentation and/or other materials provided with the -- * distribution. -- * * Neither the name of Google Inc. nor the names of its -- * contributors may be used to endorse or promote products derived from -- * this software without specific prior written permission. -- * -- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -- * -- * curve25519-donna: Curve25519 elliptic curve, public key function -- * -- * http://code.google.com/p/curve25519-donna/ -- * -- * Adam Langley -- * -- * Derived from public domain C code by Daniel J. Bernstein -- * -- * More information about curve25519 can be found here -- * http://cr.yp.to/ecdh.html -- * -- * djb's sample implementation of curve25519 is written in a special assembly -- * language called qhasm and uses the floating point registers. -- * -- * This is, almost, a clean room reimplementation from the curve25519 paper. It -- * uses many of the tricks described therein. Only the crecip function is taken -- * from the sample implementation. -- */ -+crypto25519.c: -+crypto26619.h: -+ -+Modified TweetNaCl version 20140427, a self-contained public-domain C library. -+https://tweetnacl.cr.yp.to/ -+ -+Contributors (alphabetical order) -+Daniel J. Bernstein, University of Illinois at Chicago and Technische -+Universiteit Eindhoven -+Bernard van Gastel, Radboud Universiteit Nijmegen -+Wesley Janssen, Radboud Universiteit Nijmegen -+Tanja Lange, Technische Universiteit Eindhoven -+Peter Schwabe, Radboud Universiteit Nijmegen -+Sjaak Smetsers, Radboud Universiteit Nijmegen -+ -+Acknowledgments -+This work was supported by the U.S. National Science Foundation under grant -+1018836. "Any opinions, findings, and conclusions or recommendations expressed -+in this material are those of the author(s) and do not necessarily reflect the -+views of the National Science Foundation." -+This work was supported by the Netherlands Organisation for Scientific -+Research (NWO) under grant 639.073.005 and Veni 2013 project 13114. -diff --git a/Makefile.in b/Makefile.in -index bc55b7d..aaf7b3b 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -36,8 +36,9 @@ COMMONOBJS=dbutil.o buffer.o dbhelpers.o \ - queue.o \ - atomicio.o compat.o fake-rfc2553.o \ - ltc_prng.o ecc.o ecdsa.o crypto_desc.o \ -+ curve25519.o ed25519.o \ - dbmalloc.o \ -- gensignkey.o gendss.o genrsa.o -+ gensignkey.o gendss.o genrsa.o gened25519.o - - SVROBJS=svr-kex.o svr-auth.o sshpty.o \ - svr-authpasswd.o svr-authpubkey.o svr-authpubkeyoptions.o svr-session.o svr-service.o \ -@@ -52,7 +53,7 @@ CLIOBJS=cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \ - CLISVROBJS=common-session.o packet.o common-algo.o common-kex.o \ - common-channel.o common-chansession.o termcodes.o loginrec.o \ - tcp-accept.o listener.o process-packet.o dh_groups.o \ -- common-runopts.o circbuffer.o curve25519-donna.o list.o netio.o -+ common-runopts.o circbuffer.o list.o netio.o - - KEYOBJS=dropbearkey.o - -@@ -264,7 +265,7 @@ tidy: - ## Fuzzing targets - - # list of fuzz targets --FUZZ_TARGETS=fuzzer-preauth fuzzer-pubkey fuzzer-verify fuzzer-preauth_nomaths fuzzer-kexdh fuzzer-kexecdh -+FUZZ_TARGETS=fuzzer-preauth fuzzer-pubkey fuzzer-verify fuzzer-preauth_nomaths fuzzer-kexdh fuzzer-kexecdh fuzzer-kexcurve25519 - - FUZZER_OPTIONS = $(addsuffix .options, $(FUZZ_TARGETS)) - -@@ -303,6 +304,9 @@ fuzzer-kexdh: fuzzer-kexdh.o fuzz-harness.o - fuzzer-kexecdh: fuzzer-kexecdh.o fuzz-harness.o - $(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(svrfuzzobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@ - -+fuzzer-kexcurve25519: fuzzer-kexcurve25519.o fuzz-harness.o -+ $(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(svrfuzzobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@ -+ - fuzzer-%.options: Makefile - echo "[libfuzzer]" > $@ - echo "max_len = 50000" >> $@ -@@ -313,7 +317,9 @@ fuzz-hostkeys: - dropbearkey -t rsa -f keyr - dropbearkey -t dss -f keyd - dropbearkey -t ecdsa -size 256 -f keye -+ dropbearkey -t ed25519 -f keyed25519 - echo > hostkeys.c - /usr/bin/xxd -i -a keyr >> hostkeys.c - /usr/bin/xxd -i -a keye >> hostkeys.c - /usr/bin/xxd -i -a keyd >> hostkeys.c -+ /usr/bin/xxd -i -a keyed25519 >> hostkeys.c -diff --git a/README b/README -index b8a6fd2..d197ec7 100644 ---- a/README -+++ b/README -@@ -55,6 +55,7 @@ To run the server, you need to generate server keys, this is one-off: - ./dropbearkey -t rsa -f dropbear_rsa_host_key - ./dropbearkey -t dss -f dropbear_dss_host_key - ./dropbearkey -t ecdsa -f dropbear_ecdsa_host_key -+./dropbearkey -t ed25519 -f dropbear_ed25519_host_key - - or alternatively convert OpenSSH keys to Dropbear: - ./dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key dropbear_dss_host_key -diff --git a/cli-kex.c b/cli-kex.c -index b02cfc7..7cefb5f 100644 ---- a/cli-kex.c -+++ b/cli-kex.c -@@ -81,7 +81,7 @@ void send_msg_kexdh_init() { - } - cli_ses.curve25519_param = gen_kexcurve25519_param(); - } -- buf_putstring(ses.writepayload, (const char*)cli_ses.curve25519_param->pub, CURVE25519_LEN); -+ buf_putstring(ses.writepayload, cli_ses.curve25519_param->pub, CURVE25519_LEN); - break; - #endif - } -diff --git a/common-algo.c b/common-algo.c -index 2f896ab..558aad2 100644 ---- a/common-algo.c -+++ b/common-algo.c -@@ -222,6 +222,9 @@ algo_type ssh_nocompress[] = { - }; - - algo_type sshhostkey[] = { -+#if DROPBEAR_ED25519 -+ {"ssh-ed25519", DROPBEAR_SIGNKEY_ED25519, NULL, 1, NULL}, -+#endif - #if DROPBEAR_ECDSA - #if DROPBEAR_ECC_256 - {"ecdsa-sha2-nistp256", DROPBEAR_SIGNKEY_ECDSA_NISTP256, NULL, 1, NULL}, -diff --git a/common-kex.c b/common-kex.c -index d4933dd..16b7e27 100644 ---- a/common-kex.c -+++ b/common-kex.c -@@ -36,6 +36,7 @@ - #include "dbrandom.h" - #include "runopts.h" - #include "ecc.h" -+#include "curve25519.h" - #include "crypto_desc.h" - - static void kexinitialise(void); -@@ -703,23 +704,18 @@ void kexecdh_comb_key(struct kex_ecdh_param *param, buffer *pub_them, - #endif /* DROPBEAR_ECDH */ - - #if DROPBEAR_CURVE25519 --struct kex_curve25519_param *gen_kexcurve25519_param () { -+struct kex_curve25519_param *gen_kexcurve25519_param() { - /* Per http://cr.yp.to/ecdh.html */ - struct kex_curve25519_param *param = m_malloc(sizeof(*param)); - const unsigned char basepoint[32] = {9}; - - genrandom(param->priv, CURVE25519_LEN); -- param->priv[0] &= 248; -- param->priv[31] &= 127; -- param->priv[31] |= 64; -- -- curve25519_donna(param->pub, param->priv, basepoint); -+ dropbear_curve25519_scalarmult(param->pub, param->priv, basepoint); - - return param; - } - --void free_kexcurve25519_param(struct kex_curve25519_param *param) --{ -+void free_kexcurve25519_param(struct kex_curve25519_param *param) { - m_burn(param->priv, CURVE25519_LEN); - m_free(param); - } -@@ -736,7 +732,7 @@ void kexcurve25519_comb_key(const struct kex_curve25519_param *param, const buff - dropbear_exit("Bad curve25519"); - } - -- curve25519_donna(out, param->priv, buf_pub_them->data); -+ dropbear_curve25519_scalarmult(out, param->priv, buf_pub_them->data); - - if (constant_time_memcmp(zeroes, out, CURVE25519_LEN) == 0) { - dropbear_exit("Bad curve25519"); -diff --git a/curve25519-donna.c b/curve25519-donna.c -deleted file mode 100644 -index ef0b6d1..0000000 ---- a/curve25519-donna.c -+++ /dev/null -@@ -1,860 +0,0 @@ --/* Copyright 2008, Google Inc. -- * All rights reserved. -- * -- * Redistribution and use in source and binary forms, with or without -- * modification, are permitted provided that the following conditions are -- * met: -- * -- * * Redistributions of source code must retain the above copyright -- * notice, this list of conditions and the following disclaimer. -- * * Redistributions in binary form must reproduce the above -- * copyright notice, this list of conditions and the following disclaimer -- * in the documentation and/or other materials provided with the -- * distribution. -- * * Neither the name of Google Inc. nor the names of its -- * contributors may be used to endorse or promote products derived from -- * this software without specific prior written permission. -- * -- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -- * -- * curve25519-donna: Curve25519 elliptic curve, public key function -- * -- * http://code.google.com/p/curve25519-donna/ -- * -- * Adam Langley -- * -- * Derived from public domain C code by Daniel J. Bernstein -- * -- * More information about curve25519 can be found here -- * http://cr.yp.to/ecdh.html -- * -- * djb's sample implementation of curve25519 is written in a special assembly -- * language called qhasm and uses the floating point registers. -- * -- * This is, almost, a clean room reimplementation from the curve25519 paper. It -- * uses many of the tricks described therein. Only the crecip function is taken -- * from the sample implementation. */ -- --#include --#include -- --#ifdef _MSC_VER --#define inline __inline --#endif -- --typedef uint8_t u8; --typedef int32_t s32; --typedef int64_t limb; -- --/* Field element representation: -- * -- * Field elements are written as an array of signed, 64-bit limbs, least -- * significant first. The value of the field element is: -- * x[0] + 2^26·x[1] + x^51·x[2] + 2^102·x[3] + ... -- * -- * i.e. the limbs are 26, 25, 26, 25, ... bits wide. */ -- --/* Sum two numbers: output += in */ --static void fsum(limb *output, const limb *in) { -- unsigned i; -- for (i = 0; i < 10; i += 2) { -- output[0+i] = output[0+i] + in[0+i]; -- output[1+i] = output[1+i] + in[1+i]; -- } --} -- --/* Find the difference of two numbers: output = in - output -- * (note the order of the arguments!). */ --static void fdifference(limb *output, const limb *in) { -- unsigned i; -- for (i = 0; i < 10; ++i) { -- output[i] = in[i] - output[i]; -- } --} -- --/* Multiply a number by a scalar: output = in * scalar */ --static void fscalar_product(limb *output, const limb *in, const limb scalar) { -- unsigned i; -- for (i = 0; i < 10; ++i) { -- output[i] = in[i] * scalar; -- } --} -- --/* Multiply two numbers: output = in2 * in -- * -- * output must be distinct to both inputs. The inputs are reduced coefficient -- * form, the output is not. -- * -- * output[x] <= 14 * the largest product of the input limbs. */ --static void fproduct(limb *output, const limb *in2, const limb *in) { -- output[0] = ((limb) ((s32) in2[0])) * ((s32) in[0]); -- output[1] = ((limb) ((s32) in2[0])) * ((s32) in[1]) + -- ((limb) ((s32) in2[1])) * ((s32) in[0]); -- output[2] = 2 * ((limb) ((s32) in2[1])) * ((s32) in[1]) + -- ((limb) ((s32) in2[0])) * ((s32) in[2]) + -- ((limb) ((s32) in2[2])) * ((s32) in[0]); -- output[3] = ((limb) ((s32) in2[1])) * ((s32) in[2]) + -- ((limb) ((s32) in2[2])) * ((s32) in[1]) + -- ((limb) ((s32) in2[0])) * ((s32) in[3]) + -- ((limb) ((s32) in2[3])) * ((s32) in[0]); -- output[4] = ((limb) ((s32) in2[2])) * ((s32) in[2]) + -- 2 * (((limb) ((s32) in2[1])) * ((s32) in[3]) + -- ((limb) ((s32) in2[3])) * ((s32) in[1])) + -- ((limb) ((s32) in2[0])) * ((s32) in[4]) + -- ((limb) ((s32) in2[4])) * ((s32) in[0]); -- output[5] = ((limb) ((s32) in2[2])) * ((s32) in[3]) + -- ((limb) ((s32) in2[3])) * ((s32) in[2]) + -- ((limb) ((s32) in2[1])) * ((s32) in[4]) + -- ((limb) ((s32) in2[4])) * ((s32) in[1]) + -- ((limb) ((s32) in2[0])) * ((s32) in[5]) + -- ((limb) ((s32) in2[5])) * ((s32) in[0]); -- output[6] = 2 * (((limb) ((s32) in2[3])) * ((s32) in[3]) + -- ((limb) ((s32) in2[1])) * ((s32) in[5]) + -- ((limb) ((s32) in2[5])) * ((s32) in[1])) + -- ((limb) ((s32) in2[2])) * ((s32) in[4]) + -- ((limb) ((s32) in2[4])) * ((s32) in[2]) + -- ((limb) ((s32) in2[0])) * ((s32) in[6]) + -- ((limb) ((s32) in2[6])) * ((s32) in[0]); -- output[7] = ((limb) ((s32) in2[3])) * ((s32) in[4]) + -- ((limb) ((s32) in2[4])) * ((s32) in[3]) + -- ((limb) ((s32) in2[2])) * ((s32) in[5]) + -- ((limb) ((s32) in2[5])) * ((s32) in[2]) + -- ((limb) ((s32) in2[1])) * ((s32) in[6]) + -- ((limb) ((s32) in2[6])) * ((s32) in[1]) + -- ((limb) ((s32) in2[0])) * ((s32) in[7]) + -- ((limb) ((s32) in2[7])) * ((s32) in[0]); -- output[8] = ((limb) ((s32) in2[4])) * ((s32) in[4]) + -- 2 * (((limb) ((s32) in2[3])) * ((s32) in[5]) + -- ((limb) ((s32) in2[5])) * ((s32) in[3]) + -- ((limb) ((s32) in2[1])) * ((s32) in[7]) + -- ((limb) ((s32) in2[7])) * ((s32) in[1])) + -- ((limb) ((s32) in2[2])) * ((s32) in[6]) + -- ((limb) ((s32) in2[6])) * ((s32) in[2]) + -- ((limb) ((s32) in2[0])) * ((s32) in[8]) + -- ((limb) ((s32) in2[8])) * ((s32) in[0]); -- output[9] = ((limb) ((s32) in2[4])) * ((s32) in[5]) + -- ((limb) ((s32) in2[5])) * ((s32) in[4]) + -- ((limb) ((s32) in2[3])) * ((s32) in[6]) + -- ((limb) ((s32) in2[6])) * ((s32) in[3]) + -- ((limb) ((s32) in2[2])) * ((s32) in[7]) + -- ((limb) ((s32) in2[7])) * ((s32) in[2]) + -- ((limb) ((s32) in2[1])) * ((s32) in[8]) + -- ((limb) ((s32) in2[8])) * ((s32) in[1]) + -- ((limb) ((s32) in2[0])) * ((s32) in[9]) + -- ((limb) ((s32) in2[9])) * ((s32) in[0]); -- output[10] = 2 * (((limb) ((s32) in2[5])) * ((s32) in[5]) + -- ((limb) ((s32) in2[3])) * ((s32) in[7]) + -- ((limb) ((s32) in2[7])) * ((s32) in[3]) + -- ((limb) ((s32) in2[1])) * ((s32) in[9]) + -- ((limb) ((s32) in2[9])) * ((s32) in[1])) + -- ((limb) ((s32) in2[4])) * ((s32) in[6]) + -- ((limb) ((s32) in2[6])) * ((s32) in[4]) + -- ((limb) ((s32) in2[2])) * ((s32) in[8]) + -- ((limb) ((s32) in2[8])) * ((s32) in[2]); -- output[11] = ((limb) ((s32) in2[5])) * ((s32) in[6]) + -- ((limb) ((s32) in2[6])) * ((s32) in[5]) + -- ((limb) ((s32) in2[4])) * ((s32) in[7]) + -- ((limb) ((s32) in2[7])) * ((s32) in[4]) + -- ((limb) ((s32) in2[3])) * ((s32) in[8]) + -- ((limb) ((s32) in2[8])) * ((s32) in[3]) + -- ((limb) ((s32) in2[2])) * ((s32) in[9]) + -- ((limb) ((s32) in2[9])) * ((s32) in[2]); -- output[12] = ((limb) ((s32) in2[6])) * ((s32) in[6]) + -- 2 * (((limb) ((s32) in2[5])) * ((s32) in[7]) + -- ((limb) ((s32) in2[7])) * ((s32) in[5]) + -- ((limb) ((s32) in2[3])) * ((s32) in[9]) + -- ((limb) ((s32) in2[9])) * ((s32) in[3])) + -- ((limb) ((s32) in2[4])) * ((s32) in[8]) + -- ((limb) ((s32) in2[8])) * ((s32) in[4]); -- output[13] = ((limb) ((s32) in2[6])) * ((s32) in[7]) + -- ((limb) ((s32) in2[7])) * ((s32) in[6]) + -- ((limb) ((s32) in2[5])) * ((s32) in[8]) + -- ((limb) ((s32) in2[8])) * ((s32) in[5]) + -- ((limb) ((s32) in2[4])) * ((s32) in[9]) + -- ((limb) ((s32) in2[9])) * ((s32) in[4]); -- output[14] = 2 * (((limb) ((s32) in2[7])) * ((s32) in[7]) + -- ((limb) ((s32) in2[5])) * ((s32) in[9]) + -- ((limb) ((s32) in2[9])) * ((s32) in[5])) + -- ((limb) ((s32) in2[6])) * ((s32) in[8]) + -- ((limb) ((s32) in2[8])) * ((s32) in[6]); -- output[15] = ((limb) ((s32) in2[7])) * ((s32) in[8]) + -- ((limb) ((s32) in2[8])) * ((s32) in[7]) + -- ((limb) ((s32) in2[6])) * ((s32) in[9]) + -- ((limb) ((s32) in2[9])) * ((s32) in[6]); -- output[16] = ((limb) ((s32) in2[8])) * ((s32) in[8]) + -- 2 * (((limb) ((s32) in2[7])) * ((s32) in[9]) + -- ((limb) ((s32) in2[9])) * ((s32) in[7])); -- output[17] = ((limb) ((s32) in2[8])) * ((s32) in[9]) + -- ((limb) ((s32) in2[9])) * ((s32) in[8]); -- output[18] = 2 * ((limb) ((s32) in2[9])) * ((s32) in[9]); --} -- --/* Reduce a long form to a short form by taking the input mod 2^255 - 19. -- * -- * On entry: |output[i]| < 14*2^54 -- * On exit: |output[0..8]| < 280*2^54 */ --static void freduce_degree(limb *output) { -- /* Each of these shifts and adds ends up multiplying the value by 19. -- * -- * For output[0..8], the absolute entry value is < 14*2^54 and we add, at -- * most, 19*14*2^54 thus, on exit, |output[0..8]| < 280*2^54. */ -- output[8] += output[18] << 4; -- output[8] += output[18] << 1; -- output[8] += output[18]; -- output[7] += output[17] << 4; -- output[7] += output[17] << 1; -- output[7] += output[17]; -- output[6] += output[16] << 4; -- output[6] += output[16] << 1; -- output[6] += output[16]; -- output[5] += output[15] << 4; -- output[5] += output[15] << 1; -- output[5] += output[15]; -- output[4] += output[14] << 4; -- output[4] += output[14] << 1; -- output[4] += output[14]; -- output[3] += output[13] << 4; -- output[3] += output[13] << 1; -- output[3] += output[13]; -- output[2] += output[12] << 4; -- output[2] += output[12] << 1; -- output[2] += output[12]; -- output[1] += output[11] << 4; -- output[1] += output[11] << 1; -- output[1] += output[11]; -- output[0] += output[10] << 4; -- output[0] += output[10] << 1; -- output[0] += output[10]; --} -- --#if (-1 & 3) != 3 --#error "This code only works on a two's complement system" --#endif -- --/* return v / 2^26, using only shifts and adds. -- * -- * On entry: v can take any value. */ --static inline limb --div_by_2_26(const limb v) --{ -- /* High word of v; no shift needed. */ -- const uint32_t highword = (uint32_t) (((uint64_t) v) >> 32); -- /* Set to all 1s if v was negative; else set to 0s. */ -- const int32_t sign = ((int32_t) highword) >> 31; -- /* Set to 0x3ffffff if v was negative; else set to 0. */ -- const int32_t roundoff = ((uint32_t) sign) >> 6; -- /* Should return v / (1<<26) */ -- return (v + roundoff) >> 26; --} -- --/* return v / (2^25), using only shifts and adds. -- * -- * On entry: v can take any value. */ --static inline limb --div_by_2_25(const limb v) --{ -- /* High word of v; no shift needed*/ -- const uint32_t highword = (uint32_t) (((uint64_t) v) >> 32); -- /* Set to all 1s if v was negative; else set to 0s. */ -- const int32_t sign = ((int32_t) highword) >> 31; -- /* Set to 0x1ffffff if v was negative; else set to 0. */ -- const int32_t roundoff = ((uint32_t) sign) >> 7; -- /* Should return v / (1<<25) */ -- return (v + roundoff) >> 25; --} -- --/* Reduce all coefficients of the short form input so that |x| < 2^26. -- * -- * On entry: |output[i]| < 280*2^54 */ --static void freduce_coefficients(limb *output) { -- unsigned i; -- -- output[10] = 0; -- -- for (i = 0; i < 10; i += 2) { -- limb over = div_by_2_26(output[i]); -- /* The entry condition (that |output[i]| < 280*2^54) means that over is, at -- * most, 280*2^28 in the first iteration of this loop. This is added to the -- * next limb and we can approximate the resulting bound of that limb by -- * 281*2^54. */ -- output[i] -= over << 26; -- output[i+1] += over; -- -- /* For the first iteration, |output[i+1]| < 281*2^54, thus |over| < -- * 281*2^29. When this is added to the next limb, the resulting bound can -- * be approximated as 281*2^54. -- * -- * For subsequent iterations of the loop, 281*2^54 remains a conservative -- * bound and no overflow occurs. */ -- over = div_by_2_25(output[i+1]); -- output[i+1] -= over << 25; -- output[i+2] += over; -- } -- /* Now |output[10]| < 281*2^29 and all other coefficients are reduced. */ -- output[0] += output[10] << 4; -- output[0] += output[10] << 1; -- output[0] += output[10]; -- -- output[10] = 0; -- -- /* Now output[1..9] are reduced, and |output[0]| < 2^26 + 19*281*2^29 -- * So |over| will be no more than 2^16. */ -- { -- limb over = div_by_2_26(output[0]); -- output[0] -= over << 26; -- output[1] += over; -- } -- -- /* Now output[0,2..9] are reduced, and |output[1]| < 2^25 + 2^16 < 2^26. The -- * bound on |output[1]| is sufficient to meet our needs. */ --} -- --/* A helpful wrapper around fproduct: output = in * in2. -- * -- * On entry: |in[i]| < 2^27 and |in2[i]| < 2^27. -- * -- * output must be distinct to both inputs. The output is reduced degree -- * (indeed, one need only provide storage for 10 limbs) and |output[i]| < 2^26. */ --static void --fmul(limb *output, const limb *in, const limb *in2) { -- limb t[19]; -- fproduct(t, in, in2); -- /* |t[i]| < 14*2^54 */ -- freduce_degree(t); -- freduce_coefficients(t); -- /* |t[i]| < 2^26 */ -- memcpy(output, t, sizeof(limb) * 10); --} -- --/* Square a number: output = in**2 -- * -- * output must be distinct from the input. The inputs are reduced coefficient -- * form, the output is not. -- * -- * output[x] <= 14 * the largest product of the input limbs. */ --static void fsquare_inner(limb *output, const limb *in) { -- output[0] = ((limb) ((s32) in[0])) * ((s32) in[0]); -- output[1] = 2 * ((limb) ((s32) in[0])) * ((s32) in[1]); -- output[2] = 2 * (((limb) ((s32) in[1])) * ((s32) in[1]) + -- ((limb) ((s32) in[0])) * ((s32) in[2])); -- output[3] = 2 * (((limb) ((s32) in[1])) * ((s32) in[2]) + -- ((limb) ((s32) in[0])) * ((s32) in[3])); -- output[4] = ((limb) ((s32) in[2])) * ((s32) in[2]) + -- 4 * ((limb) ((s32) in[1])) * ((s32) in[3]) + -- 2 * ((limb) ((s32) in[0])) * ((s32) in[4]); -- output[5] = 2 * (((limb) ((s32) in[2])) * ((s32) in[3]) + -- ((limb) ((s32) in[1])) * ((s32) in[4]) + -- ((limb) ((s32) in[0])) * ((s32) in[5])); -- output[6] = 2 * (((limb) ((s32) in[3])) * ((s32) in[3]) + -- ((limb) ((s32) in[2])) * ((s32) in[4]) + -- ((limb) ((s32) in[0])) * ((s32) in[6]) + -- 2 * ((limb) ((s32) in[1])) * ((s32) in[5])); -- output[7] = 2 * (((limb) ((s32) in[3])) * ((s32) in[4]) + -- ((limb) ((s32) in[2])) * ((s32) in[5]) + -- ((limb) ((s32) in[1])) * ((s32) in[6]) + -- ((limb) ((s32) in[0])) * ((s32) in[7])); -- output[8] = ((limb) ((s32) in[4])) * ((s32) in[4]) + -- 2 * (((limb) ((s32) in[2])) * ((s32) in[6]) + -- ((limb) ((s32) in[0])) * ((s32) in[8]) + -- 2 * (((limb) ((s32) in[1])) * ((s32) in[7]) + -- ((limb) ((s32) in[3])) * ((s32) in[5]))); -- output[9] = 2 * (((limb) ((s32) in[4])) * ((s32) in[5]) + -- ((limb) ((s32) in[3])) * ((s32) in[6]) + -- ((limb) ((s32) in[2])) * ((s32) in[7]) + -- ((limb) ((s32) in[1])) * ((s32) in[8]) + -- ((limb) ((s32) in[0])) * ((s32) in[9])); -- output[10] = 2 * (((limb) ((s32) in[5])) * ((s32) in[5]) + -- ((limb) ((s32) in[4])) * ((s32) in[6]) + -- ((limb) ((s32) in[2])) * ((s32) in[8]) + -- 2 * (((limb) ((s32) in[3])) * ((s32) in[7]) + -- ((limb) ((s32) in[1])) * ((s32) in[9]))); -- output[11] = 2 * (((limb) ((s32) in[5])) * ((s32) in[6]) + -- ((limb) ((s32) in[4])) * ((s32) in[7]) + -- ((limb) ((s32) in[3])) * ((s32) in[8]) + -- ((limb) ((s32) in[2])) * ((s32) in[9])); -- output[12] = ((limb) ((s32) in[6])) * ((s32) in[6]) + -- 2 * (((limb) ((s32) in[4])) * ((s32) in[8]) + -- 2 * (((limb) ((s32) in[5])) * ((s32) in[7]) + -- ((limb) ((s32) in[3])) * ((s32) in[9]))); -- output[13] = 2 * (((limb) ((s32) in[6])) * ((s32) in[7]) + -- ((limb) ((s32) in[5])) * ((s32) in[8]) + -- ((limb) ((s32) in[4])) * ((s32) in[9])); -- output[14] = 2 * (((limb) ((s32) in[7])) * ((s32) in[7]) + -- ((limb) ((s32) in[6])) * ((s32) in[8]) + -- 2 * ((limb) ((s32) in[5])) * ((s32) in[9])); -- output[15] = 2 * (((limb) ((s32) in[7])) * ((s32) in[8]) + -- ((limb) ((s32) in[6])) * ((s32) in[9])); -- output[16] = ((limb) ((s32) in[8])) * ((s32) in[8]) + -- 4 * ((limb) ((s32) in[7])) * ((s32) in[9]); -- output[17] = 2 * ((limb) ((s32) in[8])) * ((s32) in[9]); -- output[18] = 2 * ((limb) ((s32) in[9])) * ((s32) in[9]); --} -- --/* fsquare sets output = in^2. -- * -- * On entry: The |in| argument is in reduced coefficients form and |in[i]| < -- * 2^27. -- * -- * On exit: The |output| argument is in reduced coefficients form (indeed, one -- * need only provide storage for 10 limbs) and |out[i]| < 2^26. */ --static void --fsquare(limb *output, const limb *in) { -- limb t[19]; -- fsquare_inner(t, in); -- /* |t[i]| < 14*2^54 because the largest product of two limbs will be < -- * 2^(27+27) and fsquare_inner adds together, at most, 14 of those -- * products. */ -- freduce_degree(t); -- freduce_coefficients(t); -- /* |t[i]| < 2^26 */ -- memcpy(output, t, sizeof(limb) * 10); --} -- --/* Take a little-endian, 32-byte number and expand it into polynomial form */ --static void --fexpand(limb *output, const u8 *input) { --#define F(n,start,shift,mask) \ -- output[n] = ((((limb) input[start + 0]) | \ -- ((limb) input[start + 1]) << 8 | \ -- ((limb) input[start + 2]) << 16 | \ -- ((limb) input[start + 3]) << 24) >> shift) & mask; -- F(0, 0, 0, 0x3ffffff); -- F(1, 3, 2, 0x1ffffff); -- F(2, 6, 3, 0x3ffffff); -- F(3, 9, 5, 0x1ffffff); -- F(4, 12, 6, 0x3ffffff); -- F(5, 16, 0, 0x1ffffff); -- F(6, 19, 1, 0x3ffffff); -- F(7, 22, 3, 0x1ffffff); -- F(8, 25, 4, 0x3ffffff); -- F(9, 28, 6, 0x1ffffff); --#undef F --} -- --#if (-32 >> 1) != -16 --#error "This code only works when >> does sign-extension on negative numbers" --#endif -- --/* s32_eq returns 0xffffffff iff a == b and zero otherwise. */ --static s32 s32_eq(s32 a, s32 b) { -- a = ~(a ^ b); -- a &= a << 16; -- a &= a << 8; -- a &= a << 4; -- a &= a << 2; -- a &= a << 1; -- return a >> 31; --} -- --/* s32_gte returns 0xffffffff if a >= b and zero otherwise, where a and b are -- * both non-negative. */ --static s32 s32_gte(s32 a, s32 b) { -- a -= b; -- /* a >= 0 iff a >= b. */ -- return ~(a >> 31); --} -- --/* Take a fully reduced polynomial form number and contract it into a -- * little-endian, 32-byte array. -- * -- * On entry: |input_limbs[i]| < 2^26 */ --static void --fcontract(u8 *output, limb *input_limbs) { -- int i; -- int j; -- s32 input[10]; -- s32 mask; -- -- /* |input_limbs[i]| < 2^26, so it's valid to convert to an s32. */ -- for (i = 0; i < 10; i++) { -- input[i] = input_limbs[i]; -- } -- -- for (j = 0; j < 2; ++j) { -- for (i = 0; i < 9; ++i) { -- if ((i & 1) == 1) { -- /* This calculation is a time-invariant way to make input[i] -- * non-negative by borrowing from the next-larger limb. */ -- const s32 mask = input[i] >> 31; -- const s32 carry = -((input[i] & mask) >> 25); -- input[i] = input[i] + (carry << 25); -- input[i+1] = input[i+1] - carry; -- } else { -- const s32 mask = input[i] >> 31; -- const s32 carry = -((input[i] & mask) >> 26); -- input[i] = input[i] + (carry << 26); -- input[i+1] = input[i+1] - carry; -- } -- } -- -- /* There's no greater limb for input[9] to borrow from, but we can multiply -- * by 19 and borrow from input[0], which is valid mod 2^255-19. */ -- { -- const s32 mask = input[9] >> 31; -- const s32 carry = -((input[9] & mask) >> 25); -- input[9] = input[9] + (carry << 25); -- input[0] = input[0] - (carry * 19); -- } -- -- /* After the first iteration, input[1..9] are non-negative and fit within -- * 25 or 26 bits, depending on position. However, input[0] may be -- * negative. */ -- } -- -- /* The first borrow-propagation pass above ended with every limb -- except (possibly) input[0] non-negative. -- -- If input[0] was negative after the first pass, then it was because of a -- carry from input[9]. On entry, input[9] < 2^26 so the carry was, at most, -- one, since (2**26-1) >> 25 = 1. Thus input[0] >= -19. -- -- In the second pass, each limb is decreased by at most one. Thus the second -- borrow-propagation pass could only have wrapped around to decrease -- input[0] again if the first pass left input[0] negative *and* input[1] -- through input[9] were all zero. In that case, input[1] is now 2^25 - 1, -- and this last borrow-propagation step will leave input[1] non-negative. */ -- { -- const s32 mask = input[0] >> 31; -- const s32 carry = -((input[0] & mask) >> 26); -- input[0] = input[0] + (carry << 26); -- input[1] = input[1] - carry; -- } -- -- /* All input[i] are now non-negative. However, there might be values between -- * 2^25 and 2^26 in a limb which is, nominally, 25 bits wide. */ -- for (j = 0; j < 2; j++) { -- for (i = 0; i < 9; i++) { -- if ((i & 1) == 1) { -- const s32 carry = input[i] >> 25; -- input[i] &= 0x1ffffff; -- input[i+1] += carry; -- } else { -- const s32 carry = input[i] >> 26; -- input[i] &= 0x3ffffff; -- input[i+1] += carry; -- } -- } -- -- { -- const s32 carry = input[9] >> 25; -- input[9] &= 0x1ffffff; -- input[0] += 19*carry; -- } -- } -- -- /* If the first carry-chain pass, just above, ended up with a carry from -- * input[9], and that caused input[0] to be out-of-bounds, then input[0] was -- * < 2^26 + 2*19, because the carry was, at most, two. -- * -- * If the second pass carried from input[9] again then input[0] is < 2*19 and -- * the input[9] -> input[0] carry didn't push input[0] out of bounds. */ -- -- /* It still remains the case that input might be between 2^255-19 and 2^255. -- * In this case, input[1..9] must take their maximum value and input[0] must -- * be >= (2^255-19) & 0x3ffffff, which is 0x3ffffed. */ -- mask = s32_gte(input[0], 0x3ffffed); -- for (i = 1; i < 10; i++) { -- if ((i & 1) == 1) { -- mask &= s32_eq(input[i], 0x1ffffff); -- } else { -- mask &= s32_eq(input[i], 0x3ffffff); -- } -- } -- -- /* mask is either 0xffffffff (if input >= 2^255-19) and zero otherwise. Thus -- * this conditionally subtracts 2^255-19. */ -- input[0] -= mask & 0x3ffffed; -- -- for (i = 1; i < 10; i++) { -- if ((i & 1) == 1) { -- input[i] -= mask & 0x1ffffff; -- } else { -- input[i] -= mask & 0x3ffffff; -- } -- } -- -- input[1] <<= 2; -- input[2] <<= 3; -- input[3] <<= 5; -- input[4] <<= 6; -- input[6] <<= 1; -- input[7] <<= 3; -- input[8] <<= 4; -- input[9] <<= 6; --#define F(i, s) \ -- output[s+0] |= input[i] & 0xff; \ -- output[s+1] = (input[i] >> 8) & 0xff; \ -- output[s+2] = (input[i] >> 16) & 0xff; \ -- output[s+3] = (input[i] >> 24) & 0xff; -- output[0] = 0; -- output[16] = 0; -- F(0,0); -- F(1,3); -- F(2,6); -- F(3,9); -- F(4,12); -- F(5,16); -- F(6,19); -- F(7,22); -- F(8,25); -- F(9,28); --#undef F --} -- --/* Input: Q, Q', Q-Q' -- * Output: 2Q, Q+Q' -- * -- * x2 z3: long form -- * x3 z3: long form -- * x z: short form, destroyed -- * xprime zprime: short form, destroyed -- * qmqp: short form, preserved -- * -- * On entry and exit, the absolute value of the limbs of all inputs and outputs -- * are < 2^26. */ --static void fmonty(limb *x2, limb *z2, /* output 2Q */ -- limb *x3, limb *z3, /* output Q + Q' */ -- limb *x, limb *z, /* input Q */ -- limb *xprime, limb *zprime, /* input Q' */ -- const limb *qmqp /* input Q - Q' */) { -- limb origx[10], origxprime[10], zzz[19], xx[19], zz[19], xxprime[19], -- zzprime[19], zzzprime[19], xxxprime[19]; -- -- memcpy(origx, x, 10 * sizeof(limb)); -- fsum(x, z); -- /* |x[i]| < 2^27 */ -- fdifference(z, origx); /* does x - z */ -- /* |z[i]| < 2^27 */ -- -- memcpy(origxprime, xprime, sizeof(limb) * 10); -- fsum(xprime, zprime); -- /* |xprime[i]| < 2^27 */ -- fdifference(zprime, origxprime); -- /* |zprime[i]| < 2^27 */ -- fproduct(xxprime, xprime, z); -- /* |xxprime[i]| < 14*2^54: the largest product of two limbs will be < -- * 2^(27+27) and fproduct adds together, at most, 14 of those products. -- * (Approximating that to 2^58 doesn't work out.) */ -- fproduct(zzprime, x, zprime); -- /* |zzprime[i]| < 14*2^54 */ -- freduce_degree(xxprime); -- freduce_coefficients(xxprime); -- /* |xxprime[i]| < 2^26 */ -- freduce_degree(zzprime); -- freduce_coefficients(zzprime); -- /* |zzprime[i]| < 2^26 */ -- memcpy(origxprime, xxprime, sizeof(limb) * 10); -- fsum(xxprime, zzprime); -- /* |xxprime[i]| < 2^27 */ -- fdifference(zzprime, origxprime); -- /* |zzprime[i]| < 2^27 */ -- fsquare(xxxprime, xxprime); -- /* |xxxprime[i]| < 2^26 */ -- fsquare(zzzprime, zzprime); -- /* |zzzprime[i]| < 2^26 */ -- fproduct(zzprime, zzzprime, qmqp); -- /* |zzprime[i]| < 14*2^52 */ -- freduce_degree(zzprime); -- freduce_coefficients(zzprime); -- /* |zzprime[i]| < 2^26 */ -- memcpy(x3, xxxprime, sizeof(limb) * 10); -- memcpy(z3, zzprime, sizeof(limb) * 10); -- -- fsquare(xx, x); -- /* |xx[i]| < 2^26 */ -- fsquare(zz, z); -- /* |zz[i]| < 2^26 */ -- fproduct(x2, xx, zz); -- /* |x2[i]| < 14*2^52 */ -- freduce_degree(x2); -- freduce_coefficients(x2); -- /* |x2[i]| < 2^26 */ -- fdifference(zz, xx); /* does zz = xx - zz */ -- /* |zz[i]| < 2^27 */ -- memset(zzz + 10, 0, sizeof(limb) * 9); -- fscalar_product(zzz, zz, 121665); -- /* |zzz[i]| < 2^(27+17) */ -- /* No need to call freduce_degree here: -- fscalar_product doesn't increase the degree of its input. */ -- freduce_coefficients(zzz); -- /* |zzz[i]| < 2^26 */ -- fsum(zzz, xx); -- /* |zzz[i]| < 2^27 */ -- fproduct(z2, zz, zzz); -- /* |z2[i]| < 14*2^(26+27) */ -- freduce_degree(z2); -- freduce_coefficients(z2); -- /* |z2|i| < 2^26 */ --} -- --/* Conditionally swap two reduced-form limb arrays if 'iswap' is 1, but leave -- * them unchanged if 'iswap' is 0. Runs in data-invariant time to avoid -- * side-channel attacks. -- * -- * NOTE that this function requires that 'iswap' be 1 or 0; other values give -- * wrong results. Also, the two limb arrays must be in reduced-coefficient, -- * reduced-degree form: the values in a[10..19] or b[10..19] aren't swapped, -- * and all all values in a[0..9],b[0..9] must have magnitude less than -- * INT32_MAX. */ --static void --swap_conditional(limb a[19], limb b[19], limb iswap) { -- unsigned i; -- const s32 swap = (s32) -iswap; -- -- for (i = 0; i < 10; ++i) { -- const s32 x = swap & ( ((s32)a[i]) ^ ((s32)b[i]) ); -- a[i] = ((s32)a[i]) ^ x; -- b[i] = ((s32)b[i]) ^ x; -- } --} -- --/* Calculates nQ where Q is the x-coordinate of a point on the curve -- * -- * resultx/resultz: the x coordinate of the resulting curve point (short form) -- * n: a little endian, 32-byte number -- * q: a point of the curve (short form) */ --static void --cmult(limb *resultx, limb *resultz, const u8 *n, const limb *q) { -- limb a[19] = {0}, b[19] = {1}, c[19] = {1}, d[19] = {0}; -- limb *nqpqx = a, *nqpqz = b, *nqx = c, *nqz = d, *t; -- limb e[19] = {0}, f[19] = {1}, g[19] = {0}, h[19] = {1}; -- limb *nqpqx2 = e, *nqpqz2 = f, *nqx2 = g, *nqz2 = h; -- -- unsigned i, j; -- -- memcpy(nqpqx, q, sizeof(limb) * 10); -- -- for (i = 0; i < 32; ++i) { -- u8 byte = n[31 - i]; -- for (j = 0; j < 8; ++j) { -- const limb bit = byte >> 7; -- -- swap_conditional(nqx, nqpqx, bit); -- swap_conditional(nqz, nqpqz, bit); -- fmonty(nqx2, nqz2, -- nqpqx2, nqpqz2, -- nqx, nqz, -- nqpqx, nqpqz, -- q); -- swap_conditional(nqx2, nqpqx2, bit); -- swap_conditional(nqz2, nqpqz2, bit); -- -- t = nqx; -- nqx = nqx2; -- nqx2 = t; -- t = nqz; -- nqz = nqz2; -- nqz2 = t; -- t = nqpqx; -- nqpqx = nqpqx2; -- nqpqx2 = t; -- t = nqpqz; -- nqpqz = nqpqz2; -- nqpqz2 = t; -- -- byte <<= 1; -- } -- } -- -- memcpy(resultx, nqx, sizeof(limb) * 10); -- memcpy(resultz, nqz, sizeof(limb) * 10); --} -- --/* ----------------------------------------------------------------------------- -- * Shamelessly copied from djb's code -- * ----------------------------------------------------------------------------- */ --static void --crecip(limb *out, const limb *z) { -- limb z2[10]; -- limb z9[10]; -- limb z11[10]; -- limb z2_5_0[10]; -- limb z2_10_0[10]; -- limb z2_20_0[10]; -- limb z2_50_0[10]; -- limb z2_100_0[10]; -- limb t0[10]; -- limb t1[10]; -- int i; -- -- /* 2 */ fsquare(z2,z); -- /* 4 */ fsquare(t1,z2); -- /* 8 */ fsquare(t0,t1); -- /* 9 */ fmul(z9,t0,z); -- /* 11 */ fmul(z11,z9,z2); -- /* 22 */ fsquare(t0,z11); -- /* 2^5 - 2^0 = 31 */ fmul(z2_5_0,t0,z9); -- -- /* 2^6 - 2^1 */ fsquare(t0,z2_5_0); -- /* 2^7 - 2^2 */ fsquare(t1,t0); -- /* 2^8 - 2^3 */ fsquare(t0,t1); -- /* 2^9 - 2^4 */ fsquare(t1,t0); -- /* 2^10 - 2^5 */ fsquare(t0,t1); -- /* 2^10 - 2^0 */ fmul(z2_10_0,t0,z2_5_0); -- -- /* 2^11 - 2^1 */ fsquare(t0,z2_10_0); -- /* 2^12 - 2^2 */ fsquare(t1,t0); -- /* 2^20 - 2^10 */ for (i = 2;i < 10;i += 2) { fsquare(t0,t1); fsquare(t1,t0); } -- /* 2^20 - 2^0 */ fmul(z2_20_0,t1,z2_10_0); -- -- /* 2^21 - 2^1 */ fsquare(t0,z2_20_0); -- /* 2^22 - 2^2 */ fsquare(t1,t0); -- /* 2^40 - 2^20 */ for (i = 2;i < 20;i += 2) { fsquare(t0,t1); fsquare(t1,t0); } -- /* 2^40 - 2^0 */ fmul(t0,t1,z2_20_0); -- -- /* 2^41 - 2^1 */ fsquare(t1,t0); -- /* 2^42 - 2^2 */ fsquare(t0,t1); -- /* 2^50 - 2^10 */ for (i = 2;i < 10;i += 2) { fsquare(t1,t0); fsquare(t0,t1); } -- /* 2^50 - 2^0 */ fmul(z2_50_0,t0,z2_10_0); -- -- /* 2^51 - 2^1 */ fsquare(t0,z2_50_0); -- /* 2^52 - 2^2 */ fsquare(t1,t0); -- /* 2^100 - 2^50 */ for (i = 2;i < 50;i += 2) { fsquare(t0,t1); fsquare(t1,t0); } -- /* 2^100 - 2^0 */ fmul(z2_100_0,t1,z2_50_0); -- -- /* 2^101 - 2^1 */ fsquare(t1,z2_100_0); -- /* 2^102 - 2^2 */ fsquare(t0,t1); -- /* 2^200 - 2^100 */ for (i = 2;i < 100;i += 2) { fsquare(t1,t0); fsquare(t0,t1); } -- /* 2^200 - 2^0 */ fmul(t1,t0,z2_100_0); -- -- /* 2^201 - 2^1 */ fsquare(t0,t1); -- /* 2^202 - 2^2 */ fsquare(t1,t0); -- /* 2^250 - 2^50 */ for (i = 2;i < 50;i += 2) { fsquare(t0,t1); fsquare(t1,t0); } -- /* 2^250 - 2^0 */ fmul(t0,t1,z2_50_0); -- -- /* 2^251 - 2^1 */ fsquare(t1,t0); -- /* 2^252 - 2^2 */ fsquare(t0,t1); -- /* 2^253 - 2^3 */ fsquare(t1,t0); -- /* 2^254 - 2^4 */ fsquare(t0,t1); -- /* 2^255 - 2^5 */ fsquare(t1,t0); -- /* 2^255 - 21 */ fmul(out,t1,z11); --} -- --int --curve25519_donna(u8 *mypublic, const u8 *secret, const u8 *basepoint) { -- limb bp[10], x[10], z[11], zmone[10]; -- uint8_t e[32]; -- int i; -- -- for (i = 0; i < 32; ++i) e[i] = secret[i]; -- e[0] &= 248; -- e[31] &= 127; -- e[31] |= 64; -- -- fexpand(bp, basepoint); -- cmult(x, z, e, bp); -- crecip(zmone, z); -- fmul(z, x, zmone); -- fcontract(mypublic, z); -- return 0; --} -diff --git a/curve25519.c b/curve25519.c -new file mode 100644 -index 0000000..4b83776 ---- /dev/null -+++ b/curve25519.c -@@ -0,0 +1,502 @@ -+/* -+ * Dropbear - a SSH2 server -+ * -+ * Copyright (c) 2002,2003 Matt Johnston -+ * All rights reserved. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. */ -+ -+#include "includes.h" -+#include "dbrandom.h" -+#include "curve25519.h" -+ -+#if DROPBEAR_CURVE25519 || DROPBEAR_ED25519 -+ -+/* Modified TweetNaCl version 20140427, a self-contained public-domain C library. -+ * https://tweetnacl.cr.yp.to/ */ -+ -+#define FOR(i,n) for (i = 0;i < n;++i) -+#define sv static void -+ -+typedef unsigned char u8; -+typedef unsigned long u32; -+typedef unsigned long long u64; -+typedef long long i64; -+typedef i64 gf[16]; -+ -+#if DROPBEAR_CURVE25519 -+static const gf -+ _121665 = {0xDB41,1}; -+#endif /* DROPBEAR_CURVE25519 */ -+#if DROPBEAR_ED25519 -+static const gf -+ gf0, -+ gf1 = {1}, -+ D2 = {0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130, 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406}, -+ X = {0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c, 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169}, -+ Y = {0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666}; -+#if DROPBEAR_SIGNKEY_VERIFY -+static const gf -+ D = {0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203}, -+ I = {0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83}; -+#endif /* DROPBEAR_SIGNKEY_VERIFY */ -+#endif /* DROPBEAR_ED25519 */ -+ -+#if DROPBEAR_ED25519 -+#if DROPBEAR_SIGNKEY_VERIFY -+static int vn(const u8 *x,const u8 *y,u32 n) -+{ -+ u32 i,d = 0; -+ FOR(i,n) d |= x[i]^y[i]; -+ return (1 & ((d - 1) >> 8)) - 1; -+} -+ -+static int crypto_verify_32(const u8 *x,const u8 *y) -+{ -+ return vn(x,y,32); -+} -+#endif /* DROPBEAR_SIGNKEY_VERIFY */ -+ -+sv set25519(gf r, const gf a) -+{ -+ int i; -+ FOR(i,16) r[i]=a[i]; -+} -+#endif /* DROPBEAR_ED25519 */ -+ -+sv car25519(gf o) -+{ -+ int i; -+ i64 c; -+ FOR(i,16) { -+ o[i]+=(1LL<<16); -+ c=o[i]>>16; -+ o[(i+1)*(i<15)]+=c-1+37*(c-1)*(i==15); -+ o[i]-=c<<16; -+ } -+} -+ -+sv sel25519(gf p,gf q,int b) -+{ -+ i64 t,i,c=~(b-1); -+ FOR(i,16) { -+ t= c&(p[i]^q[i]); -+ p[i]^=t; -+ q[i]^=t; -+ } -+} -+ -+sv pack25519(u8 *o,const gf n) -+{ -+ int i,j,b; -+ gf m,t; -+ FOR(i,16) t[i]=n[i]; -+ car25519(t); -+ car25519(t); -+ car25519(t); -+ FOR(j,2) { -+ m[0]=t[0]-0xffed; -+ for(i=1;i<15;i++) { -+ m[i]=t[i]-0xffff-((m[i-1]>>16)&1); -+ m[i-1]&=0xffff; -+ } -+ m[15]=t[15]-0x7fff-((m[14]>>16)&1); -+ b=(m[15]>>16)&1; -+ m[14]&=0xffff; -+ sel25519(t,m,1-b); -+ } -+ FOR(i,16) { -+ o[2*i]=t[i]&0xff; -+ o[2*i+1]=t[i]>>8; -+ } -+} -+ -+#if DROPBEAR_ED25519 -+#if DROPBEAR_SIGNKEY_VERIFY -+static int neq25519(const gf a, const gf b) -+{ -+ u8 c[32],d[32]; -+ pack25519(c,a); -+ pack25519(d,b); -+ return crypto_verify_32(c,d); -+} -+#endif /* DROPBEAR_SIGNKEY_VERIFY */ -+ -+static u8 par25519(const gf a) -+{ -+ u8 d[32]; -+ pack25519(d,a); -+ return d[0]&1; -+} -+#endif /* DROPBEAR_ED25519 */ -+ -+sv unpack25519(gf o, const u8 *n) -+{ -+ int i; -+ FOR(i,16) o[i]=n[2*i]+((i64)n[2*i+1]<<8); -+ o[15]&=0x7fff; -+} -+ -+sv A(gf o,const gf a,const gf b) -+{ -+ int i; -+ FOR(i,16) o[i]=a[i]+b[i]; -+} -+ -+sv Z(gf o,const gf a,const gf b) -+{ -+ int i; -+ FOR(i,16) o[i]=a[i]-b[i]; -+} -+ -+sv M(gf o,const gf a,const gf b) -+{ -+ i64 i,j,t[31]; -+ FOR(i,31) t[i]=0; -+ FOR(i,16) FOR(j,16) t[i+j]+=a[i]*b[j]; -+ FOR(i,15) t[i]+=38*t[i+16]; -+ FOR(i,16) o[i]=t[i]; -+ car25519(o); -+ car25519(o); -+} -+ -+sv S(gf o,const gf a) -+{ -+ M(o,a,a); -+} -+ -+sv inv25519(gf o,const gf i) -+{ -+ gf c; -+ int a; -+ FOR(a,16) c[a]=i[a]; -+ for(a=253;a>=0;a--) { -+ S(c,c); -+ if(a!=2&&a!=4) M(c,c,i); -+ } -+ FOR(a,16) o[a]=c[a]; -+} -+ -+#if DROPBEAR_ED25519 && DROPBEAR_SIGNKEY_VERIFY -+sv pow2523(gf o,const gf i) -+{ -+ gf c; -+ int a; -+ FOR(a,16) c[a]=i[a]; -+ for(a=250;a>=0;a--) { -+ S(c,c); -+ if(a!=1) M(c,c,i); -+ } -+ FOR(a,16) o[a]=c[a]; -+} -+#endif /* DROPBEAR_ED25519 && DROPBEAR_SIGNKEY_VERIFY */ -+ -+#if DROPBEAR_CURVE25519 -+int dropbear_curve25519_scalarmult(u8 *q,const u8 *n,const u8 *p) -+{ -+ u8 z[32]; -+ i64 x[80],r,i; -+ gf a,b,c,d,e,f; -+ FOR(i,31) z[i]=n[i]; -+ z[31]=(n[31]&127)|64; -+ z[0]&=248; -+ unpack25519(x,p); -+ FOR(i,16) { -+ b[i]=x[i]; -+ d[i]=a[i]=c[i]=0; -+ } -+ a[0]=d[0]=1; -+ for(i=254;i>=0;--i) { -+ r=(z[i>>3]>>(i&7))&1; -+ sel25519(a,b,r); -+ sel25519(c,d,r); -+ A(e,a,c); -+ Z(a,a,c); -+ A(c,b,d); -+ Z(b,b,d); -+ S(d,e); -+ S(f,a); -+ M(a,c,a); -+ M(c,b,e); -+ A(e,a,c); -+ Z(a,a,c); -+ S(b,a); -+ Z(c,d,f); -+ M(a,c,_121665); -+ A(a,a,d); -+ M(c,c,a); -+ M(a,d,f); -+ M(d,b,x); -+ S(b,e); -+ sel25519(a,b,r); -+ sel25519(c,d,r); -+ } -+ FOR(i,16) { -+ x[i+16]=a[i]; -+ x[i+32]=c[i]; -+ x[i+48]=b[i]; -+ x[i+64]=d[i]; -+ } -+ inv25519(x+32,x+32); -+ M(x+16,x+16,x+32); -+ pack25519(q,x+16); -+ return 0; -+} -+#endif /* DROPBEAR_CURVE25519 */ -+ -+#if DROPBEAR_ED25519 -+static int crypto_hash(u8 *out,const u8 *m,u64 n) -+{ -+ hash_state hs; -+ -+ sha512_init(&hs); -+ sha512_process(&hs, m, n); -+ return sha512_done(&hs, out); -+} -+ -+sv add(gf p[4],gf q[4]) -+{ -+ gf a,b,c,d,t,e,f,g,h; -+ -+ Z(a, p[1], p[0]); -+ Z(t, q[1], q[0]); -+ M(a, a, t); -+ A(b, p[0], p[1]); -+ A(t, q[0], q[1]); -+ M(b, b, t); -+ M(c, p[3], q[3]); -+ M(c, c, D2); -+ M(d, p[2], q[2]); -+ A(d, d, d); -+ Z(e, b, a); -+ Z(f, d, c); -+ A(g, d, c); -+ A(h, b, a); -+ -+ M(p[0], e, f); -+ M(p[1], h, g); -+ M(p[2], g, f); -+ M(p[3], e, h); -+} -+ -+sv cswap(gf p[4],gf q[4],u8 b) -+{ -+ int i; -+ FOR(i,4) -+ sel25519(p[i],q[i],b); -+} -+ -+sv pack(u8 *r,gf p[4]) -+{ -+ gf tx, ty, zi; -+ inv25519(zi, p[2]); -+ M(tx, p[0], zi); -+ M(ty, p[1], zi); -+ pack25519(r, ty); -+ r[31] ^= par25519(tx) << 7; -+} -+ -+sv scalarmult(gf p[4],gf q[4],const u8 *s) -+{ -+ int i; -+ set25519(p[0],gf0); -+ set25519(p[1],gf1); -+ set25519(p[2],gf1); -+ set25519(p[3],gf0); -+ for (i = 255;i >= 0;--i) { -+ u8 b = (s[i/8]>>(i&7))&1; -+ cswap(p,q,b); -+ add(q,p); -+ add(p,p); -+ cswap(p,q,b); -+ } -+} -+ -+sv scalarbase(gf p[4],const u8 *s) -+{ -+ gf q[4]; -+ set25519(q[0],X); -+ set25519(q[1],Y); -+ set25519(q[2],gf1); -+ M(q[3],X,Y); -+ scalarmult(p,q,s); -+} -+ -+int dropbear_ed25519_make_key(u8 *pk,u8 *sk) -+{ -+ u8 d[64]; -+ gf p[4]; -+ -+ genrandom(sk, 32); -+ -+ crypto_hash(d, sk, 32); -+ d[0] &= 248; -+ d[31] &= 127; -+ d[31] |= 64; -+ -+ scalarbase(p,d); -+ pack(pk,p); -+ -+ return 0; -+} -+ -+static const u64 L[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10}; -+ -+sv modL(u8 *r,i64 x[64]) -+{ -+ i64 carry,i,j; -+ for (i = 63;i >= 32;--i) { -+ carry = 0; -+ for (j = i - 32;j < i - 12;++j) { -+ x[j] += carry - 16 * x[i] * L[j - (i - 32)]; -+ carry = (x[j] + 128) >> 8; -+ x[j] -= carry << 8; -+ } -+ x[j] += carry; -+ x[i] = 0; -+ } -+ carry = 0; -+ FOR(j,32) { -+ x[j] += carry - (x[31] >> 4) * L[j]; -+ carry = x[j] >> 8; -+ x[j] &= 255; -+ } -+ FOR(j,32) x[j] -= carry * L[j]; -+ FOR(i,32) { -+ x[i+1] += x[i] >> 8; -+ r[i] = x[i] & 255; -+ } -+} -+ -+sv reduce(u8 *r) -+{ -+ i64 x[64],i; -+ FOR(i,64) x[i] = (u64) r[i]; -+ FOR(i,64) r[i] = 0; -+ modL(r,x); -+} -+ -+int dropbear_ed25519_sign(const u8 *m,u32 mlen,u8 *s,u32 *slen,const u8 *sk, const u8 *pk) -+{ -+ hash_state hs; -+ u8 d[64],h[64],r[64]; -+ i64 x[64]; -+ gf p[4]; -+ u32 i,j; -+ -+ crypto_hash(d, sk, 32); -+ d[0] &= 248; -+ d[31] &= 127; -+ d[31] |= 64; -+ -+ *slen = 64; -+ -+ sha512_init(&hs); -+ sha512_process(&hs,d + 32,32); -+ sha512_process(&hs,m,mlen); -+ sha512_done(&hs,r); -+ reduce(r); -+ scalarbase(p,r); -+ pack(s,p); -+ -+ sha512_init(&hs); -+ sha512_process(&hs,s,32); -+ sha512_process(&hs,pk,32); -+ sha512_process(&hs,m,mlen); -+ sha512_done(&hs,h); -+ reduce(h); -+ -+ FOR(i,64) x[i] = 0; -+ FOR(i,32) x[i] = (u64) r[i]; -+ FOR(i,32) FOR(j,32) x[i+j] += h[i] * (u64) d[j]; -+ modL(s + 32,x); -+ -+ return 0; -+} -+ -+#if DROPBEAR_SIGNKEY_VERIFY -+static int unpackneg(gf r[4],const u8 p[32]) -+{ -+ gf t, chk, num, den, den2, den4, den6; -+ set25519(r[2],gf1); -+ unpack25519(r[1],p); -+ S(num,r[1]); -+ M(den,num,D); -+ Z(num,num,r[2]); -+ A(den,r[2],den); -+ -+ S(den2,den); -+ S(den4,den2); -+ M(den6,den4,den2); -+ M(t,den6,num); -+ M(t,t,den); -+ -+ pow2523(t,t); -+ M(t,t,num); -+ M(t,t,den); -+ M(t,t,den); -+ M(r[0],t,den); -+ -+ S(chk,r[0]); -+ M(chk,chk,den); -+ if (neq25519(chk, num)) M(r[0],r[0],I); -+ -+ S(chk,r[0]); -+ M(chk,chk,den); -+ if (neq25519(chk, num)) return -1; -+ -+ if (par25519(r[0]) == (p[31]>>7)) Z(r[0],gf0,r[0]); -+ -+ M(r[3],r[0],r[1]); -+ return 0; -+} -+ -+int dropbear_ed25519_verify(const u8 *m,u32 mlen,const u8 *s,u32 slen,const u8 *pk) -+{ -+ hash_state hs; -+ u8 t[32],h[64]; -+ gf p[4],q[4]; -+ -+ if (slen < 64) return -1; -+ -+ if (unpackneg(q,pk)) return -1; -+ -+ sha512_init(&hs); -+ sha512_process(&hs,s,32); -+ sha512_process(&hs,pk,32); -+ sha512_process(&hs,m,mlen); -+ sha512_done(&hs,h); -+ -+ reduce(h); -+ scalarmult(p,q,h); -+ -+ scalarbase(q,s + 32); -+ add(p,q); -+ pack(t,p); -+ -+ if (crypto_verify_32(s, t)) -+ return -1; -+ -+ return 0; -+} -+#endif /* DROPBEAR_SIGNKEY_VERIFY */ -+ -+#endif /* DROPBEAR_ED25519 */ -+ -+#endif /* DROPBEAR_CURVE25519 || DROPBEAR_ED25519 */ -diff --git a/curve25519.h b/curve25519.h -new file mode 100644 -index 0000000..7f75aed ---- /dev/null -+++ b/curve25519.h -@@ -0,0 +1,37 @@ -+/* -+ * Dropbear - a SSH2 server -+ * -+ * Copyright (c) 2002,2003 Matt Johnston -+ * All rights reserved. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. */ -+ -+#ifndef DROPBEAR_CURVE25519_H -+#define DROPBEAR_CURVE25519_H -+ -+int dropbear_curve25519_scalarmult(unsigned char *q, const unsigned char *n, const unsigned char *p); -+int dropbear_ed25519_make_key(unsigned char *pk, unsigned char *sk); -+int dropbear_ed25519_sign(const unsigned char *m, unsigned long mlen, -+ unsigned char *s, unsigned long *slen, -+ const unsigned char *sk, const unsigned char *pk); -+int dropbear_ed25519_verify(const unsigned char *m, unsigned long mlen, -+ const unsigned char *s, unsigned long slen, -+ const unsigned char *pk); -+ -+#endif /* DROPBEAR_CURVE25519_H */ -diff --git a/default_options.h b/default_options.h -index 9000fcc..5b232dd 100644 ---- a/default_options.h -+++ b/default_options.h -@@ -22,6 +22,7 @@ IMPORTANT: Some options will require "make clean" after changes */ - #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key" - #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key" - #define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key" -+#define ED25519_PRIV_FILENAME "/etc/dropbear/dropbear_ed25519_host_key" - - /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens - * on chosen ports and keeps accepting connections. This is the default. -@@ -116,11 +117,15 @@ IMPORTANT: Some options will require "make clean" after changes */ - * code (either ECDSA or ECDH) increases binary size - around 30kB - * on x86-64 */ - #define DROPBEAR_ECDSA 1 -+/* Ed25519 is faster than ECDSA. Compiling in Ed25519 code increases -+ binary size - around 7,5kB on x86-64 */ -+#define DROPBEAR_ED25519 1 - - /* RSA must be >=1024 */ - #define DROPBEAR_DEFAULT_RSA_SIZE 2048 - /* DSS is always 1024 */ - /* ECDSA defaults to largest size configured, usually 521 */ -+/* Ed25519 is always 256 */ - - /* Add runtime flag "-R" to generate hostkeys as-needed when the first - connection using that key type occurs. -@@ -143,7 +148,7 @@ IMPORTANT: Some options will require "make clean" after changes */ - * group14 is supported by most implementations. - * group16 provides a greater strength level but is slower and increases binary size - * curve25519 and ecdh algorithms are faster than non-elliptic curve methods -- * curve25519 increases binary size by ~8kB on x86-64 -+ * curve25519 increases binary size by ~2,5kB on x86-64 - * including either ECDH or ECDSA increases binary size by ~30kB on x86-64 - - * Small systems should generally include either curve25519 or ecdh for performance. -diff --git a/dropbear.8 b/dropbear.8 -index 71c955a..345954f 100644 ---- a/dropbear.8 -+++ b/dropbear.8 -@@ -107,7 +107,7 @@ Print the version - Authorized Keys - - ~/.ssh/authorized_keys can be set up to allow remote login with a RSA, --ECDSA, or DSS -+ECDSA, Ed25519 or DSS - key. Each line is of the form - .TP - [restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment] -@@ -146,8 +146,8 @@ key authentication. - Host Key Files - - Host key files are read at startup from a standard location, by default --/etc/dropbear/dropbear_dss_host_key, /etc/dropbear/dropbear_rsa_host_key, and --/etc/dropbear/dropbear_ecdsa_host_key -+/etc/dropbear/dropbear_dss_host_key, /etc/dropbear/dropbear_rsa_host_key, -+/etc/dropbear/dropbear_ecdsa_host_key and /etc/dropbear/dropbear_ed25519_host_key - - If the -r command line option is specified the default files are not loaded. - Host key files are of the form generated by dropbearkey. -diff --git a/dropbearkey.c b/dropbearkey.c -index dd0e697..f881855 100644 ---- a/dropbearkey.c -+++ b/dropbearkey.c -@@ -43,6 +43,10 @@ - * mp_int y - * mp_int x - * -+ * Ed25519: -+ * string "ssh-ed25519" -+ * string k (32 bytes) + A (32 bytes) -+ * - */ - #include "includes.h" - #include "signkey.h" -@@ -51,6 +55,7 @@ - - #include "genrsa.h" - #include "gendss.h" -+#include "gened25519.h" - #include "ecdsa.h" - #include "crypto_desc.h" - #include "dbrandom.h" -@@ -75,6 +80,9 @@ static void printhelp(char * progname) { - #endif - #if DROPBEAR_ECDSA - " ecdsa\n" -+#endif -+#if DROPBEAR_ED25519 -+ " ed25519\n" - #endif - "-f filename Use filename for the secret key.\n" - " ~/.ssh/id_dropbear is recommended for client keys.\n" -@@ -94,6 +102,9 @@ static void printhelp(char * progname) { - "521 " - #endif - "\n" -+#endif -+#if DROPBEAR_ED25519 -+ " Ed25519 has a fixed size of 256 bits\n" - #endif - "-y Just print the publickey and fingerprint for the\n private key in .\n" - #if DEBUG_TRACE -@@ -106,6 +117,14 @@ static void printhelp(char * progname) { - static void check_signkey_bits(enum signkey_type type, int bits) - { - switch (type) { -+#if DROPBEAR_ED25519 -+ case DROPBEAR_SIGNKEY_ED25519: -+ if (bits != 256) { -+ dropbear_exit("Ed25519 keys have a fixed size of 256 bits\n"); -+ exit(EXIT_FAILURE); -+ } -+ break; -+#endif - #if DROPBEAR_RSA - case DROPBEAR_SIGNKEY_RSA: - if (bits < 512 || bits > 4096 || (bits % 8 != 0)) { -@@ -224,6 +243,12 @@ int main(int argc, char ** argv) { - keytype = DROPBEAR_SIGNKEY_ECDSA_KEYGEN; - } - #endif -+#if DROPBEAR_ED25519 -+ if (strcmp(typetext, "ed25519") == 0) -+ { -+ keytype = DROPBEAR_SIGNKEY_ED25519; -+ } -+#endif - - if (keytype == DROPBEAR_SIGNKEY_NONE) { - fprintf(stderr, "Unknown key type '%s'\n", typetext); -diff --git a/ed25519.c b/ed25519.c -new file mode 100644 -index 0000000..3fb544c ---- /dev/null -+++ b/ed25519.c -@@ -0,0 +1,184 @@ -+/* -+ * Dropbear - a SSH2 server -+ * -+ * Copyright (c) 2002,2003 Matt Johnston -+ * All rights reserved. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. */ -+ -+/* Perform Ed25519 operations on data, including reading keys, signing and -+ * verification. */ -+ -+#include "includes.h" -+#include "dbutil.h" -+#include "buffer.h" -+#include "ssh.h" -+#include "curve25519.h" -+#include "ed25519.h" -+ -+#if DROPBEAR_ED25519 -+ -+/* Load a public ed25519 key from a buffer, initialising the values. -+ * The key will have the same format as buf_put_ed25519_key. -+ * These should be freed with ed25519_key_free. -+ * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ -+int buf_get_ed25519_pub_key(buffer *buf, dropbear_ed25519_key *key) { -+ -+ unsigned int len; -+ -+ TRACE(("enter buf_get_ed25519_pub_key")) -+ dropbear_assert(key != NULL); -+ -+ buf_incrpos(buf, 4+SSH_SIGNKEY_ED25519_LEN); /* int + "ssh-ed25519" */ -+ -+ len = buf_getint(buf); -+ if (len != CURVE25519_LEN || buf->len - buf->pos < len) { -+ TRACE(("leave buf_get_ed25519_pub_key: failure")) -+ return DROPBEAR_FAILURE; -+ } -+ -+ m_burn(key->priv, CURVE25519_LEN); -+ memcpy(key->pub, buf_getptr(buf, CURVE25519_LEN), CURVE25519_LEN); -+ buf_incrpos(buf, CURVE25519_LEN); -+ -+ TRACE(("leave buf_get_ed25519_pub_key: success")) -+ return DROPBEAR_SUCCESS; -+} -+ -+/* Same as buf_get_ed25519_pub_key, but reads private key at the end. -+ * Loads a public and private ed25519 key from a buffer -+ * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ -+int buf_get_ed25519_priv_key(buffer *buf, dropbear_ed25519_key *key) { -+ -+ unsigned int len; -+ -+ TRACE(("enter buf_get_ed25519_priv_key")) -+ dropbear_assert(key != NULL); -+ -+ buf_incrpos(buf, 4+SSH_SIGNKEY_ED25519_LEN); /* int + "ssh-ed25519" */ -+ -+ len = buf_getint(buf); -+ if (len != CURVE25519_LEN*2 || buf->len - buf->pos < len) { -+ TRACE(("leave buf_get_ed25519_priv_key: failure")) -+ return DROPBEAR_FAILURE; -+ } -+ -+ memcpy(key->priv, buf_getptr(buf, CURVE25519_LEN), CURVE25519_LEN); -+ buf_incrpos(buf, CURVE25519_LEN); -+ memcpy(key->pub, buf_getptr(buf, CURVE25519_LEN), CURVE25519_LEN); -+ buf_incrpos(buf, CURVE25519_LEN); -+ -+ TRACE(("leave buf_get_ed25519_pub_key: success")) -+ return DROPBEAR_SUCCESS; -+} -+ -+/* Clear and free the memory used by a public or private key */ -+void ed25519_key_free(dropbear_ed25519_key *key) { -+ -+ TRACE2(("enter ed25519_key_free")) -+ -+ if (key == NULL) { -+ TRACE2(("leave ed25519_key_free: key == NULL")) -+ return; -+ } -+ m_burn(key->priv, CURVE25519_LEN); -+ m_free(key); -+ -+ TRACE2(("leave rsa_key_free")) -+} -+ -+/* Put the public ed25519 key into the buffer in the required format */ -+void buf_put_ed25519_pub_key(buffer *buf, const dropbear_ed25519_key *key) { -+ -+ TRACE(("enter buf_put_ed25519_pub_key")) -+ dropbear_assert(key != NULL); -+ -+ buf_putstring(buf, SSH_SIGNKEY_ED25519, SSH_SIGNKEY_ED25519_LEN); -+ buf_putstring(buf, key->pub, CURVE25519_LEN); -+ -+ TRACE(("leave buf_put_ed25519_pub_key")) -+} -+ -+/* Put the public and private ed25519 key into the buffer in the required format */ -+void buf_put_ed25519_priv_key(buffer *buf, const dropbear_ed25519_key *key) { -+ -+ TRACE(("enter buf_put_ed25519_priv_key")) -+ dropbear_assert(key != NULL); -+ -+ buf_putstring(buf, SSH_SIGNKEY_ED25519, SSH_SIGNKEY_ED25519_LEN); -+ buf_putint(buf, CURVE25519_LEN*2); -+ buf_putbytes(buf, key->priv, CURVE25519_LEN); -+ buf_putbytes(buf, key->pub, CURVE25519_LEN); -+ -+ TRACE(("leave buf_put_ed25519_priv_key")) -+} -+ -+/* Sign the data presented with key, writing the signature contents -+ * to the buffer */ -+void buf_put_ed25519_sign(buffer* buf, const dropbear_ed25519_key *key, const buffer *data_buf) { -+ -+ unsigned char s[64]; -+ unsigned long slen = sizeof(s); -+ -+ TRACE(("enter buf_put_ed25519_sign")) -+ dropbear_assert(key != NULL); -+ -+ if (dropbear_ed25519_sign(data_buf->data, data_buf->len, -+ s, &slen, key->priv, key->pub) == 0) { -+ buf_putstring(buf, SSH_SIGNKEY_ED25519, SSH_SIGNKEY_ED25519_LEN); -+ buf_putstring(buf, s, slen); -+ } -+ -+ TRACE(("leave buf_put_ed25519_sign")) -+} -+ -+#if DROPBEAR_SIGNKEY_VERIFY -+/* Verify a signature in buf, made on data by the key given. -+ * Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ -+int buf_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf) { -+ -+ int ret = DROPBEAR_FAILURE; -+ unsigned char *s; -+ unsigned long slen; -+ -+ TRACE(("enter buf_ed25519_verify")) -+ dropbear_assert(key != NULL); -+ -+ slen = buf_getint(buf); -+ if (slen != 64 || buf->len - buf->pos < slen) { -+ TRACE(("bad size")) -+ goto out; -+ } -+ s = buf_getptr(buf, slen); -+ -+ if (dropbear_ed25519_verify(data_buf->data, data_buf->len, -+ s, slen, key->pub) == 0) { -+ /* signature is valid */ -+ TRACE(("success!")) -+ ret = DROPBEAR_SUCCESS; -+ } -+ -+out: -+ TRACE(("leave buf_ed25519_verify: ret %d", ret)) -+ return ret; -+} -+ -+#endif /* DROPBEAR_SIGNKEY_VERIFY */ -+ -+#endif /* DROPBEAR_ED25519 */ -diff --git a/ed25519.h b/ed25519.h -new file mode 100644 -index 0000000..16c0d7b ---- /dev/null -+++ b/ed25519.h -@@ -0,0 +1,54 @@ -+/* -+ * Dropbear - a SSH2 server -+ * -+ * Copyright (c) 2002,2003 Matt Johnston -+ * All rights reserved. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. */ -+ -+#ifndef DROPBEAR_ED25519_H_ -+#define DROPBEAR_ED25519_H_ -+ -+#include "includes.h" -+#include "buffer.h" -+ -+#if DROPBEAR_ED25519 -+ -+#define CURVE25519_LEN 32 -+ -+typedef struct { -+ -+ unsigned char priv[CURVE25519_LEN]; -+ unsigned char pub[CURVE25519_LEN]; -+ -+} dropbear_ed25519_key; -+ -+void buf_put_ed25519_sign(buffer* buf, const dropbear_ed25519_key *key, const buffer *data_buf); -+#if DROPBEAR_SIGNKEY_VERIFY -+int buf_ed25519_verify(buffer * buf, const dropbear_ed25519_key *key, const buffer *data_buf); -+#endif -+int buf_get_ed25519_pub_key(buffer* buf, dropbear_ed25519_key *key); -+int buf_get_ed25519_priv_key(buffer* buf, dropbear_ed25519_key *key); -+void buf_put_ed25519_pub_key(buffer* buf, const dropbear_ed25519_key *key); -+void buf_put_ed25519_priv_key(buffer* buf, const dropbear_ed25519_key *key); -+void ed25519_key_free(dropbear_ed25519_key *key); -+ -+#endif /* DROPBEAR_ED25519 */ -+ -+#endif /* DROPBEAR_ED25519_H_ */ -diff --git a/filelist.txt b/filelist.txt -index 8281c14..3b9bb67 100644 ---- a/filelist.txt -+++ b/filelist.txt -@@ -99,6 +99,10 @@ rsa.c RSA asymmetric crypto routines - - dss.c DSS asymmetric crypto routines - -+ed25519.c Ed25519 asymmetric crypto routines -+ -+gened25519.c Ed25519 key generation -+ - gendss.c DSS key generation - - genrsa.c RSA key generation -diff --git a/fuzz-common.c b/fuzz-common.c -index 5c90c45..b1b00f6 100644 ---- a/fuzz-common.c -+++ b/fuzz-common.c -@@ -112,6 +112,14 @@ static void load_fixed_hostkeys(void) { - dropbear_exit("failed fixed ecdsa hostkey"); - } - -+ buf_setlen(b, 0); -+ buf_putbytes(b, keyed25519, keyed25519_len); -+ buf_setpos(b, 0); -+ type = DROPBEAR_SIGNKEY_ED25519; -+ if (buf_get_priv_key(b, svr_opts.hostkey, &type) == DROPBEAR_FAILURE) { -+ dropbear_exit("failed fixed ed25519 hostkey"); -+ } -+ - buf_free(b); - } - -diff --git a/fuzz-hostkeys.c b/fuzz-hostkeys.c -index dc1615d..3fff5cb 100644 ---- a/fuzz-hostkeys.c -+++ b/fuzz-hostkeys.c -@@ -127,3 +127,13 @@ unsigned char keyd[] = { - 0xf9, 0x39 - }; - unsigned int keyd_len = 458; -+unsigned char keyed25519[] = { -+ 0x00, 0x00, 0x00, 0x0b, 0x73, 0x73, 0x68, 0x2d, 0x65, 0x64, 0x32, 0x35, -+ 0x35, 0x31, 0x39, 0x00, 0x00, 0x00, 0x40, 0x10, 0xb3, 0x79, 0x06, 0xe5, -+ 0x9b, 0xe7, 0xe4, 0x6e, 0xec, 0xfe, 0xa5, 0x39, 0x21, 0x7c, 0xf6, 0x66, -+ 0x8c, 0x0b, 0x6a, 0x01, 0x09, 0x05, 0xc7, 0x4f, 0x64, 0xa8, 0x24, 0xd2, -+ 0x8d, 0xbd, 0xdd, 0xc6, 0x3c, 0x99, 0x1b, 0x2d, 0x3e, 0x33, 0x90, 0x19, -+ 0xa4, 0xd5, 0xe9, 0x23, 0xfe, 0x8e, 0xd6, 0xd4, 0xf9, 0xb1, 0x11, 0x69, -+ 0x7c, 0x57, 0x52, 0x0e, 0x41, 0xdb, 0x1b, 0x12, 0x87, 0xfa, 0xc9 -+}; -+unsigned int keyed25519_len = 83; -diff --git a/fuzzer-kexcurve25519.c b/fuzzer-kexcurve25519.c -new file mode 100644 -index 0000000..f2eab14 ---- /dev/null -+++ b/fuzzer-kexcurve25519.c -@@ -0,0 +1,72 @@ -+#include "fuzz.h" -+#include "session.h" -+#include "fuzz-wrapfd.h" -+#include "debug.h" -+#include "runopts.h" -+#include "algo.h" -+#include "bignum.h" -+ -+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { -+ static int once = 0; -+ static struct key_context* keep_newkeys = NULL; -+ /* number of generated parameters is limited by the timeout for the first run. -+ TODO move this to the libfuzzer initialiser function instead if the timeout -+ doesn't apply there */ -+ #define NUM_PARAMS 20 -+ static struct kex_curve25519_param *curve25519_params[NUM_PARAMS]; -+ -+ if (!once) { -+ fuzz_common_setup(); -+ fuzz_svr_setup(); -+ -+ keep_newkeys = (struct key_context*)m_malloc(sizeof(struct key_context)); -+ keep_newkeys->algo_kex = fuzz_get_algo(sshkex, "curve25519-sha256"); -+ keep_newkeys->algo_hostkey = DROPBEAR_SIGNKEY_ED25519; -+ ses.newkeys = keep_newkeys; -+ -+ /* Pre-generate parameters */ -+ int i; -+ for (i = 0; i < NUM_PARAMS; i++) { -+ curve25519_params[i] = gen_kexcurve25519_param(); -+ } -+ -+ once = 1; -+ } -+ -+ if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) { -+ return 0; -+ } -+ -+ m_malloc_set_epoch(1); -+ -+ if (setjmp(fuzz.jmp) == 0) { -+ /* Based on recv_msg_kexdh_init()/send_msg_kexdh_reply() -+ with DROPBEAR_KEX_CURVE25519 */ -+ ses.newkeys = keep_newkeys; -+ -+ /* Choose from the collection of curve25519 params */ -+ unsigned int e = buf_getint(fuzz.input); -+ struct kex_curve25519_param *curve25519_param = curve25519_params[e % NUM_PARAMS]; -+ -+ buffer * ecdh_qs = buf_getstringbuf(fuzz.input); -+ -+ ses.kexhashbuf = buf_new(KEXHASHBUF_MAX_INTS); -+ kexcurve25519_comb_key(curve25519_param, ecdh_qs, svr_opts.hostkey); -+ -+ mp_clear(ses.dh_K); -+ m_free(ses.dh_K); -+ buf_free(ecdh_qs); -+ -+ buf_free(ses.hash); -+ buf_free(ses.session_id); -+ /* kexhashbuf is freed in kexdh_comb_key */ -+ -+ m_malloc_free_epoch(1, 0); -+ } else { -+ m_malloc_free_epoch(1, 1); -+ TRACE(("dropbear_exit longjmped")) -+ /* dropbear_exit jumped here */ -+ } -+ -+ return 0; -+} -diff --git a/gened25519.c b/gened25519.c -new file mode 100644 -index 0000000..a027914 ---- /dev/null -+++ b/gened25519.c -@@ -0,0 +1,47 @@ -+/* -+ * Dropbear - a SSH2 server -+ * -+ * Copyright (c) 2002,2003 Matt Johnston -+ * All rights reserved. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. */ -+ -+#include "includes.h" -+#include "dbutil.h" -+#include "dbrandom.h" -+#include "curve25519.h" -+#include "gened25519.h" -+ -+#if DROPBEAR_ED25519 -+ -+dropbear_ed25519_key * gen_ed25519_priv_key(unsigned int size) { -+ -+ dropbear_ed25519_key *key; -+ -+ if (size != 256) { -+ dropbear_exit("Ed25519 keys have a fixed size of 256 bits"); -+ } -+ -+ key = m_malloc(sizeof(*key)); -+ dropbear_ed25519_make_key(key->pub, key->priv); -+ -+ return key; -+} -+ -+#endif /* DROPBEAR_ED25519 */ -diff --git a/gened25519.h b/gened25519.h -new file mode 100644 -index 0000000..8058310 ---- /dev/null -+++ b/gened25519.h -@@ -0,0 +1,36 @@ -+/* -+ * Dropbear - a SSH2 server -+ * -+ * Copyright (c) 2002,2003 Matt Johnston -+ * All rights reserved. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. */ -+ -+#ifndef DROPBEAR_GENED25519_H_ -+#define DROPBEAR_GENED25519_H_ -+ -+#include "ed25519.h" -+ -+#if DROPBEAR_ED25519 -+ -+dropbear_ed25519_key * gen_ed25519_priv_key(unsigned int size); -+ -+#endif /* DROPBEAR_ED25519 */ -+ -+#endif /* DROPBEAR_GENED25519_H_ */ -diff --git a/gensignkey.c b/gensignkey.c -index 34b6f5a..674d81f 100644 ---- a/gensignkey.c -+++ b/gensignkey.c -@@ -4,6 +4,7 @@ - #include "ecdsa.h" - #include "genrsa.h" - #include "gendss.h" -+#include "gened25519.h" - #include "signkey.h" - #include "dbrandom.h" - -@@ -68,6 +69,10 @@ static int get_default_bits(enum signkey_type keytype) - return 384; - case DROPBEAR_SIGNKEY_ECDSA_NISTP256: - return 256; -+#endif -+#if DROPBEAR_ED25519 -+ case DROPBEAR_SIGNKEY_ED25519: -+ return 256; - #endif - default: - return 0; -@@ -118,6 +123,11 @@ int signkey_generate(enum signkey_type keytype, int bits, const char* filename, - *signkey_key_ptr(key, keytype) = ecckey; - } - break; -+#endif -+#if DROPBEAR_ED25519 -+ case DROPBEAR_SIGNKEY_ED25519: -+ key->ed25519key = gen_ed25519_priv_key(bits); -+ break; - #endif - default: - dropbear_exit("Internal error"); -diff --git a/keyimport.c b/keyimport.c -index 7304e58..ad0c530 100644 ---- a/keyimport.c -+++ b/keyimport.c -@@ -35,6 +35,15 @@ - #include "buffer.h" - #include "dbutil.h" - #include "ecc.h" -+#include "ssh.h" -+ -+static const unsigned char OSSH_PKEY_BLOB[] = -+ "openssh-key-v1\0" /* AUTH_MAGIC */ -+ "\0\0\0\4none" /* cipher name*/ -+ "\0\0\0\4none" /* kdf name */ -+ "\0\0\0\0" /* kdf */ -+ "\0\0\0\1"; /* key num */ -+#define OSSH_PKEY_BLOBLEN (sizeof(OSSH_PKEY_BLOB) - 1) - - #if DROPBEAR_ECDSA - static const unsigned char OID_SEC256R1_BLOB[] = {0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07}; -@@ -352,7 +361,7 @@ struct mpint_pos { void *start; int bytes; }; - * Code to read and write OpenSSH private keys. - */ - --enum { OSSH_DSA, OSSH_RSA, OSSH_EC }; -+enum { OSSH_DSA, OSSH_RSA, OSSH_EC, OSSH_PKEY }; - struct openssh_key { - int type; - int encrypted; -@@ -364,11 +373,12 @@ struct openssh_key { - static struct openssh_key *load_openssh_key(const char *filename) - { - struct openssh_key *ret; -+ buffer *buf = NULL; - FILE *fp = NULL; - char buffer[256]; - char *errmsg = NULL, *p = NULL; - int headers_done; -- unsigned long len, outlen; -+ unsigned long len; - - ret = (struct openssh_key*)m_malloc(sizeof(struct openssh_key)); - ret->keyblob = NULL; -@@ -397,12 +407,15 @@ static struct openssh_key *load_openssh_key(const char *filename) - ret->type = OSSH_DSA; - else if (!strcmp(buffer, "-----BEGIN EC PRIVATE KEY-----\n")) - ret->type = OSSH_EC; -+ else if (!strcmp(buffer, "-----BEGIN OPENSSH PRIVATE KEY-----\n")) -+ ret->type = OSSH_PKEY; - else { - errmsg = "Unrecognised key type"; - goto error; - } - - headers_done = 0; -+ buf = buf_new(0); - while (1) { - if (!fgets(buffer, sizeof(buffer), fp)) { - errmsg = "Unexpected end of file"; -@@ -448,20 +461,31 @@ static struct openssh_key *load_openssh_key(const char *filename) - } else { - headers_done = 1; - len = strlen(buffer); -- outlen = len*4/3; -- if (ret->keyblob_len + outlen > ret->keyblob_size) { -- ret->keyblob_size = ret->keyblob_len + outlen + 256; -- ret->keyblob = (unsigned char*)m_realloc(ret->keyblob, -- ret->keyblob_size); -- } -- outlen = ret->keyblob_size - ret->keyblob_len; -- if (base64_decode((const unsigned char *)buffer, len, -- ret->keyblob + ret->keyblob_len, &outlen) != CRYPT_OK){ -- errmsg = "Error decoding base64"; -- goto error; -- } -- ret->keyblob_len += outlen; -+ buf = buf_resize(buf, buf->size + len); -+ buf_putbytes(buf, buffer, len); -+ } -+ } -+ -+ if (buf && buf->len) { -+ ret->keyblob_size = ret->keyblob_len + buf->len*4/3 + 256; -+ ret->keyblob = (unsigned char*)m_realloc(ret->keyblob, ret->keyblob_size); -+ len = ret->keyblob_size; -+ if (base64_decode((const unsigned char *)buf->data, buf->len, -+ ret->keyblob, &len) != CRYPT_OK){ -+ errmsg = "Error decoding base64"; -+ goto error; -+ } -+ ret->keyblob_len = len; -+ } -+ -+ if (ret->type == OSSH_PKEY) { -+ if (ret->keyblob_len < OSSH_PKEY_BLOBLEN || -+ memcmp(ret->keyblob, OSSH_PKEY_BLOB, OSSH_PKEY_BLOBLEN)) { -+ errmsg = "Error decoding OpenSSH key"; -+ goto error; - } -+ ret->keyblob_len -= OSSH_PKEY_BLOBLEN; -+ memmove(ret->keyblob, ret->keyblob + OSSH_PKEY_BLOBLEN, ret->keyblob_len); - } - - if (ret->keyblob_len == 0 || !ret->keyblob) { -@@ -474,10 +498,18 @@ static struct openssh_key *load_openssh_key(const char *filename) - goto error; - } - -+ if (buf) { -+ buf_burn(buf); -+ buf_free(buf); -+ } - m_burn(buffer, sizeof(buffer)); - return ret; - - error: -+ if (buf) { -+ buf_burn(buf); -+ buf_free(buf); -+ } - m_burn(buffer, sizeof(buffer)); - if (ret) { - if (ret->keyblob) { -@@ -569,6 +601,57 @@ static sign_key *openssh_read(const char *filename, const char * UNUSED(passphra - #endif - } - -+ /* -+ * Now we have a decrypted key blob, which contains OpenSSH -+ * encoded private key. We must now untangle the OpenSSH format. -+ */ -+ if (key->type == OSSH_PKEY) { -+ blobbuf = buf_new(key->keyblob_len); -+ buf_putbytes(blobbuf, key->keyblob, key->keyblob_len); -+ buf_setpos(blobbuf, 0); -+ -+ /* limit length of private key blob */ -+ len = buf_getint(blobbuf); -+ buf_setlen(blobbuf, blobbuf->pos + len); -+ -+ type = DROPBEAR_SIGNKEY_ANY; -+ if (buf_get_pub_key(blobbuf, retkey, &type) -+ != DROPBEAR_SUCCESS) { -+ errmsg = "Error parsing OpenSSH key"; -+ goto ossh_error; -+ } -+ -+ /* restore full length */ -+ buf_setlen(blobbuf, key->keyblob_len); -+ -+ if (type != DROPBEAR_SIGNKEY_NONE) { -+ retkey->type = type; -+ /* limit length of private key blob */ -+ len = buf_getint(blobbuf); -+ buf_setlen(blobbuf, blobbuf->pos + len); -+#if DROPBEAR_ED25519 -+ if (type == DROPBEAR_SIGNKEY_ED25519) { -+ buf_incrpos(blobbuf, 8); -+ buf_eatstring(blobbuf); -+ buf_eatstring(blobbuf); -+ buf_incrpos(blobbuf, -SSH_SIGNKEY_ED25519_LEN-4); -+ if (buf_get_ed25519_priv_key(blobbuf, retkey->ed25519key) -+ == DROPBEAR_SUCCESS) { -+ errmsg = NULL; -+ retval = retkey; -+ goto error; -+ } -+ } -+#endif -+ } -+ -+ errmsg = "Unsupported OpenSSH key type"; -+ ossh_error: -+ sign_key_free(retkey); -+ retkey = NULL; -+ goto error; -+ } -+ - /* - * Now we have a decrypted key blob, which contains an ASN.1 - * encoded private key. We must now untangle the ASN.1. -@@ -1129,6 +1212,51 @@ static int openssh_write(const char *filename, sign_key *key, - } - #endif - -+#if DROPBEAR_ED25519 -+ if (key->type == DROPBEAR_SIGNKEY_ED25519) { -+ buffer *buf = buf_new(300); -+ keyblob = buf_new(100); -+ extrablob = buf_new(200); -+ -+ /* private key blob w/o header */ -+ buf_put_priv_key(keyblob, key, key->type); -+ buf_setpos(keyblob, 0); -+ buf_incrpos(keyblob, buf_getint(keyblob)); -+ len = buf_getint(keyblob); -+ -+ /* header */ -+ buf_putbytes(buf, OSSH_PKEY_BLOB, OSSH_PKEY_BLOBLEN); -+ -+ /* public key */ -+ buf_put_pub_key(buf, key, key->type); -+ -+ /* private key */ -+ buf_incrwritepos(extrablob, 4); -+ buf_put_pub_key(extrablob, key, key->type); -+ buf_putstring(extrablob, buf_getptr(keyblob, len), len); -+ /* comment */ -+ buf_putstring(extrablob, "", 0); -+ /* padding to cipher block length */ -+ len = (extrablob->len+8) & ~7; -+ for (i = 1; len - extrablob->len > 0; i++) -+ buf_putbyte(extrablob, i); -+ buf_setpos(extrablob, 0); -+ buf_putbytes(extrablob, "\0\0\0\0\0\0\0\0", 8); -+ buf_putbufstring(buf, extrablob); -+ -+ outlen = len = pos = buf->len; -+ outblob = (unsigned char*)m_malloc(outlen); -+ memcpy(outblob, buf->data, buf->len); -+ -+ buf_burn(buf); -+ buf_free(buf); -+ buf = NULL; -+ -+ header = "-----BEGIN OPENSSH PRIVATE KEY-----\n"; -+ footer = "-----END OPENSSH PRIVATE KEY-----\n"; -+ } -+#endif -+ - /* - * Padding on OpenSSH keys is deterministic. The number of - * padding bytes is always more than zero, and always at most -diff --git a/signkey.c b/signkey.c -index 88f06c7..a0af44a 100644 ---- a/signkey.c -+++ b/signkey.c -@@ -39,8 +39,11 @@ static const char * const signkey_names[DROPBEAR_SIGNKEY_NUM_NAMED] = { - #if DROPBEAR_ECDSA - "ecdsa-sha2-nistp256", - "ecdsa-sha2-nistp384", -- "ecdsa-sha2-nistp521" -+ "ecdsa-sha2-nistp521", - #endif /* DROPBEAR_ECDSA */ -+#if DROPBEAR_ED25519 -+ "ssh-ed25519", -+#endif /* DROPBEAR_ED25519 */ - }; - - /* malloc a new sign_key and set the dss and rsa keys to NULL */ -@@ -107,6 +110,10 @@ Be sure to check both (ret != NULL) and (*ret != NULL) */ - void ** - signkey_key_ptr(sign_key *key, enum signkey_type type) { - switch (type) { -+#if DROPBEAR_ED25519 -+ case DROPBEAR_SIGNKEY_ED25519: -+ return (void**)&key->ed25519key; -+#endif - #if DROPBEAR_ECDSA - #if DROPBEAR_ECC_256 - case DROPBEAR_SIGNKEY_ECDSA_NISTP256: -@@ -200,6 +207,17 @@ int buf_get_pub_key(buffer *buf, sign_key *key, enum signkey_type *type) { - } - } - #endif -+#if DROPBEAR_ED25519 -+ if (keytype == DROPBEAR_SIGNKEY_ED25519) { -+ ed25519_key_free(key->ed25519key); -+ key->ed25519key = m_malloc(sizeof(*key->ed25519key)); -+ ret = buf_get_ed25519_pub_key(buf, key->ed25519key); -+ if (ret == DROPBEAR_FAILURE) { -+ m_free(key->ed25519key); -+ key->ed25519key = NULL; -+ } -+ } -+#endif - - TRACE2(("leave buf_get_pub_key")) - -@@ -270,6 +288,17 @@ int buf_get_priv_key(buffer *buf, sign_key *key, enum signkey_type *type) { - } - } - #endif -+#if DROPBEAR_ED25519 -+ if (keytype == DROPBEAR_SIGNKEY_ED25519) { -+ ed25519_key_free(key->ed25519key); -+ key->ed25519key = m_malloc(sizeof(*key->ed25519key)); -+ ret = buf_get_ed25519_priv_key(buf, key->ed25519key); -+ if (ret == DROPBEAR_FAILURE) { -+ m_free(key->ed25519key); -+ key->ed25519key = NULL; -+ } -+ } -+#endif - - TRACE2(("leave buf_get_priv_key")) - -@@ -302,6 +331,11 @@ void buf_put_pub_key(buffer* buf, sign_key *key, enum signkey_type type) { - buf_put_ecdsa_pub_key(pubkeys, *eck); - } - } -+#endif -+#if DROPBEAR_ED25519 -+ if (type == DROPBEAR_SIGNKEY_ED25519) { -+ buf_put_ed25519_pub_key(pubkeys, key->ed25519key); -+ } - #endif - if (pubkeys->len == 0) { - dropbear_exit("Bad key types in buf_put_pub_key"); -@@ -341,6 +375,13 @@ void buf_put_priv_key(buffer* buf, sign_key *key, enum signkey_type type) { - return; - } - } -+#endif -+#if DROPBEAR_ED25519 -+ if (type == DROPBEAR_SIGNKEY_ED25519) { -+ buf_put_ed25519_priv_key(buf, key->ed25519key); -+ TRACE(("leave buf_put_priv_key: ed25519 done")) -+ return; -+ } - #endif - dropbear_exit("Bad key types in put pub key"); - } -@@ -379,6 +420,10 @@ void sign_key_free(sign_key *key) { - key->ecckey521 = NULL; - } - #endif -+#endif -+#if DROPBEAR_ED25519 -+ ed25519_key_free(key->ed25519key); -+ key->ed25519key = NULL; - #endif - - m_free(key->filename); -@@ -503,6 +548,11 @@ void buf_put_sign(buffer* buf, sign_key *key, enum signkey_type type, - buf_put_ecdsa_sign(sigblob, *eck, data_buf); - } - } -+#endif -+#if DROPBEAR_ED25519 -+ if (type == DROPBEAR_SIGNKEY_ED25519) { -+ buf_put_ed25519_sign(sigblob, key->ed25519key, data_buf); -+ } - #endif - if (sigblob->len == 0) { - dropbear_exit("Non-matching signing type"); -@@ -555,6 +605,14 @@ int buf_verify(buffer * buf, sign_key *key, const buffer *data_buf) { - } - } - #endif -+#if DROPBEAR_ED25519 -+ if (type == DROPBEAR_SIGNKEY_ED25519) { -+ if (key->ed25519key == NULL) { -+ dropbear_exit("No Ed25519 key to verify signature"); -+ } -+ return buf_ed25519_verify(buf, key->ed25519key, data_buf); -+ } -+#endif - - dropbear_exit("Non-matching signing type"); - return DROPBEAR_FAILURE; -diff --git a/signkey.h b/signkey.h -index 59df3ee..fa39a02 100644 ---- a/signkey.h -+++ b/signkey.h -@@ -28,6 +28,7 @@ - #include "buffer.h" - #include "dss.h" - #include "rsa.h" -+#include "ed25519.h" - - enum signkey_type { - #if DROPBEAR_RSA -@@ -41,6 +42,9 @@ enum signkey_type { - DROPBEAR_SIGNKEY_ECDSA_NISTP384, - DROPBEAR_SIGNKEY_ECDSA_NISTP521, - #endif /* DROPBEAR_ECDSA */ -+#if DROPBEAR_ED25519 -+ DROPBEAR_SIGNKEY_ED25519, -+#endif - DROPBEAR_SIGNKEY_NUM_NAMED, - DROPBEAR_SIGNKEY_ECDSA_KEYGEN = 70, /* just "ecdsa" for keygen */ - DROPBEAR_SIGNKEY_ANY = 80, -@@ -78,6 +82,9 @@ struct SIGN_key { - ecc_key * ecckey521; - #endif - #endif -+#if DROPBEAR_ED25519 -+ dropbear_ed25519_key * ed25519key; -+#endif - }; - - typedef struct SIGN_key sign_key; -diff --git a/ssh.h b/ssh.h -index f40b65a..db723b8 100644 ---- a/ssh.h -+++ b/ssh.h -@@ -105,6 +105,8 @@ - #define SSH_SIGNKEY_DSS_LEN 7 - #define SSH_SIGNKEY_RSA "ssh-rsa" - #define SSH_SIGNKEY_RSA_LEN 7 -+#define SSH_SIGNKEY_ED25519 "ssh-ed25519" -+#define SSH_SIGNKEY_ED25519_LEN 11 - - /* Agent commands. These aren't part of the spec, and are defined - * only on the openssh implementation. */ -diff --git a/svr-kex.c b/svr-kex.c -index 406ad97..af16d2f 100644 ---- a/svr-kex.c -+++ b/svr-kex.c -@@ -122,6 +122,11 @@ static void svr_ensure_hostkey() { - case DROPBEAR_SIGNKEY_ECDSA_NISTP521: - fn = ECDSA_PRIV_FILENAME; - break; -+#endif -+#if DROPBEAR_ED25519 -+ case DROPBEAR_SIGNKEY_ED25519: -+ fn = ED25519_PRIV_FILENAME; -+ break; - #endif - default: - dropbear_assert(0); -@@ -219,7 +224,8 @@ static void send_msg_kexdh_reply(mp_int *dh_e, buffer *ecdh_qs) { - { - struct kex_curve25519_param *param = gen_kexcurve25519_param(); - kexcurve25519_comb_key(param, ecdh_qs, svr_opts.hostkey); -- buf_putstring(ses.writepayload, (const char*)param->pub, CURVE25519_LEN); -+ -+ buf_putstring(ses.writepayload, param->pub, CURVE25519_LEN); - free_kexcurve25519_param(param); - } - break; -diff --git a/svr-runopts.c b/svr-runopts.c -index d7a0d5a..d430825 100644 ---- a/svr-runopts.c -+++ b/svr-runopts.c -@@ -57,6 +57,9 @@ static void printhelp(const char * progname) { - #if DROPBEAR_ECDSA - " ecdsa %s\n" - #endif -+#if DROPBEAR_ED25519 -+ " ed25519 %s\n" -+#endif - #if DROPBEAR_DELAY_HOSTKEY - "-R Create hostkeys as required\n" - #endif -@@ -116,6 +119,9 @@ static void printhelp(const char * progname) { - #endif - #if DROPBEAR_ECDSA - ECDSA_PRIV_FILENAME, -+#endif -+#if DROPBEAR_ED25519 -+ ED25519_PRIV_FILENAME, - #endif - MAX_AUTH_TRIES, - DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE, -@@ -538,6 +544,13 @@ static void loadhostkey(const char *keyfile, int fatal_duplicate) { - } - #endif - #endif /* DROPBEAR_ECDSA */ -+ -+#if DROPBEAR_ED25519 -+ if (type == DROPBEAR_SIGNKEY_ED25519) { -+ loadhostkey_helper("ed25519", (void**)&read_key->ed25519key, (void**)&svr_opts.hostkey->ed25519key, fatal_duplicate); -+ } -+#endif -+ - sign_key_free(read_key); - TRACE(("leave loadhostkey")) - } -@@ -578,6 +591,9 @@ void load_all_hostkeys() { - - #if DROPBEAR_ECDSA - loadhostkey(ECDSA_PRIV_FILENAME, 0); -+#endif -+#if DROPBEAR_ED25519 -+ loadhostkey(ED25519_PRIV_FILENAME, 0); - #endif - } - -@@ -642,6 +658,14 @@ void load_all_hostkeys() { - #endif - #endif /* DROPBEAR_ECDSA */ - -+#if DROPBEAR_ED25519 -+ if (!svr_opts.delay_hostkey && !svr_opts.hostkey->ed25519key) { -+ disablekey(DROPBEAR_SIGNKEY_ED25519); -+ } else { -+ any_keys = 1; -+ } -+#endif -+ - if (!any_keys) { - dropbear_exit("No hostkeys available. 'dropbear -R' may be useful or run dropbearkey."); - } -diff --git a/sysoptions.h b/sysoptions.h -index cfd5469..2c27caf 100644 ---- a/sysoptions.h -+++ b/sysoptions.h -@@ -145,7 +145,8 @@ If you test it please contact the Dropbear author */ - #define DROPBEAR_SHA384 (DROPBEAR_ECC_384) - /* LTC SHA384 depends on SHA512 */ - #define DROPBEAR_SHA512 ((DROPBEAR_SHA2_512_HMAC) || (DROPBEAR_ECC_521) \ -- || (DROPBEAR_SHA384) || (DROPBEAR_DH_GROUP16)) -+ || (DROPBEAR_SHA384) || (DROPBEAR_DH_GROUP16) \ -+ || (DROPBEAR_ED25519)) - #define DROPBEAR_MD5 (DROPBEAR_MD5_HMAC) - - #define DROPBEAR_DH_GROUP14 ((DROPBEAR_DH_GROUP14_SHA256) || (DROPBEAR_DH_GROUP14_SHA1)) -@@ -186,7 +187,7 @@ If you test it please contact the Dropbear author */ - /* For a 4096 bit DSS key, empirically determined */ - #define MAX_PRIVKEY_SIZE 1700 - --#define MAX_HOSTKEYS 3 -+#define MAX_HOSTKEYS 4 - - /* The maximum size of the bignum portion of the kexhash buffer */ - /* Sect. 8 of the transport rfc 4253, K_S + e + f + K */ -@@ -252,7 +253,7 @@ If you test it please contact the Dropbear author */ - #error "At least one encryption algorithm must be enabled. AES128 is recommended." - #endif - --#if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA) -+#if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA || DROPBEAR_ED25519) - #error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended." - #endif - --- -2.17.1 - diff --git a/package/network/services/dropbear/patches/021-backport-chacha20-poly1305-support.patch b/package/network/services/dropbear/patches/021-backport-chacha20-poly1305-support.patch deleted file mode 100644 index 2120b4593e..0000000000 --- a/package/network/services/dropbear/patches/021-backport-chacha20-poly1305-support.patch +++ /dev/null @@ -1,693 +0,0 @@ -From 3cdf9ec918b37c17e12b33e4c244944d1ee836ca Mon Sep 17 00:00:00 2001 -From: Vladislav Grishenko -Date: Mon, 6 Apr 2020 23:28:09 +0500 -Subject: [PATCH] Add Chacha20-Poly1305 authenticated encryption - -* Add general AEAD approach. -* Add chacha20-poly1305@openssh.com algo using LibTomCrypt chacha and - poly1305 routines. - -Chacha20-Poly1305 is generally faster than AES256 on CPU w/o dedicated -AES instructions, having the same key size. -Compiling in will add ~5,5kB to binary size on x86-64. ---- - Makefile.in | 2 +- - algo.h | 8 ++ - chachapoly.c | 148 ++++++++++++++++++++ - chachapoly.h | 44 ++++++ - common-algo.c | 11 +- - common-kex.c | 44 ++++-- - default_options.h | 6 + - libtomcrypt/src/headers/tomcrypt_dropbear.h | 4 + - packet.c | 145 +++++++++++++------ - session.h | 4 + - sysoptions.h | 8 +- - 11 files changed, 368 insertions(+), 56 deletions(-) - create mode 100644 chachapoly.c - create mode 100644 chachapoly.h - -diff --git a/Makefile.in b/Makefile.in -index aaf7b3b..3437cb2 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -53,7 +53,7 @@ CLIOBJS=cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \ - CLISVROBJS=common-session.o packet.o common-algo.o common-kex.o \ - common-channel.o common-chansession.o termcodes.o loginrec.o \ - tcp-accept.o listener.o process-packet.o dh_groups.o \ -- common-runopts.o circbuffer.o list.o netio.o -+ common-runopts.o circbuffer.o list.o netio.o chachapoly.o - - KEYOBJS=dropbearkey.o - -diff --git a/algo.h b/algo.h -index b12fb94..efd0d73 100644 ---- a/algo.h -+++ b/algo.h -@@ -72,6 +72,14 @@ struct dropbear_cipher_mode { - unsigned long len, void *cipher_state); - int (*decrypt)(const unsigned char *ct, unsigned char *pt, - unsigned long len, void *cipher_state); -+ int (*aead_crypt)(unsigned int seq, -+ const unsigned char *in, unsigned char *out, -+ unsigned long len, unsigned long taglen, -+ void *cipher_state, int direction); -+ int (*aead_getlength)(unsigned int seq, -+ const unsigned char *in, unsigned int *outlen, -+ unsigned long len, void *cipher_state); -+ const struct dropbear_hash *aead_mac; - }; - - struct dropbear_hash { -diff --git a/chachapoly.c b/chachapoly.c -new file mode 100644 -index 0000000..8fb06c5 ---- /dev/null -+++ b/chachapoly.c -@@ -0,0 +1,148 @@ -+/* -+ * Dropbear SSH -+ * -+ * Copyright (c) 2002,2003 Matt Johnston -+ * Copyright (c) 2020 by Vladislav Grishenko -+ * All rights reserved. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. */ -+ -+#include "includes.h" -+#include "algo.h" -+#include "dbutil.h" -+#include "chachapoly.h" -+ -+#if DROPBEAR_CHACHA20POLY1305 -+ -+#define CHACHA20_KEY_LEN 32 -+#define CHACHA20_BLOCKSIZE 8 -+#define POLY1305_KEY_LEN 32 -+#define POLY1305_TAG_LEN 16 -+ -+static const struct ltc_cipher_descriptor dummy = {.name = NULL}; -+ -+static const struct dropbear_hash dropbear_chachapoly_mac = -+ {NULL, POLY1305_KEY_LEN, POLY1305_TAG_LEN}; -+ -+const struct dropbear_cipher dropbear_chachapoly = -+ {&dummy, CHACHA20_KEY_LEN*2, CHACHA20_BLOCKSIZE}; -+ -+static int dropbear_chachapoly_start(int UNUSED(cipher), const unsigned char* UNUSED(IV), -+ const unsigned char *key, int keylen, -+ int UNUSED(num_rounds), dropbear_chachapoly_state *state) { -+ int err; -+ -+ TRACE2(("enter dropbear_chachapoly_start")) -+ -+ if (keylen != CHACHA20_KEY_LEN*2) { -+ return CRYPT_ERROR; -+ } -+ -+ if ((err = chacha_setup(&state->chacha, key, -+ CHACHA20_KEY_LEN, 20)) != CRYPT_OK) { -+ return err; -+ } -+ -+ if ((err = chacha_setup(&state->header, key + CHACHA20_KEY_LEN, -+ CHACHA20_KEY_LEN, 20) != CRYPT_OK)) { -+ return err; -+ } -+ -+ TRACE2(("leave dropbear_chachapoly_start")) -+ return CRYPT_OK; -+} -+ -+static int dropbear_chachapoly_crypt(unsigned int seq, -+ const unsigned char *in, unsigned char *out, -+ unsigned long len, unsigned long taglen, -+ dropbear_chachapoly_state *state, int direction) { -+ poly1305_state poly; -+ unsigned char seqbuf[8], key[POLY1305_KEY_LEN], tag[POLY1305_TAG_LEN]; -+ int err; -+ -+ TRACE2(("enter dropbear_chachapoly_crypt")) -+ -+ if (len < 4 || taglen != POLY1305_TAG_LEN) { -+ return CRYPT_ERROR; -+ } -+ -+ STORE64H((uint64_t)seq, seqbuf); -+ chacha_ivctr64(&state->chacha, seqbuf, sizeof(seqbuf), 0); -+ if ((err = chacha_keystream(&state->chacha, key, sizeof(key))) != CRYPT_OK) { -+ return err; -+ } -+ -+ poly1305_init(&poly, key, sizeof(key)); -+ if (direction == LTC_DECRYPT) { -+ poly1305_process(&poly, in, len); -+ poly1305_done(&poly, tag, &taglen); -+ if (constant_time_memcmp(in + len, tag, taglen) != 0) { -+ return CRYPT_ERROR; -+ } -+ } -+ -+ chacha_ivctr64(&state->header, seqbuf, sizeof(seqbuf), 0); -+ if ((err = chacha_crypt(&state->header, in, 4, out)) != CRYPT_OK) { -+ return err; -+ } -+ -+ chacha_ivctr64(&state->chacha, seqbuf, sizeof(seqbuf), 1); -+ if ((err = chacha_crypt(&state->chacha, in + 4, len - 4, out + 4)) != CRYPT_OK) { -+ return err; -+ } -+ -+ if (direction == LTC_ENCRYPT) { -+ poly1305_process(&poly, out, len); -+ poly1305_done(&poly, out + len, &taglen); -+ } -+ -+ TRACE2(("leave dropbear_chachapoly_crypt")) -+ return CRYPT_OK; -+} -+ -+static int dropbear_chachapoly_getlength(unsigned int seq, -+ const unsigned char *in, unsigned int *outlen, -+ unsigned long len, dropbear_chachapoly_state *state) { -+ unsigned char seqbuf[8], buf[4]; -+ int err; -+ -+ TRACE2(("enter dropbear_chachapoly_getlength")) -+ -+ if (len < sizeof(buf)) { -+ return CRYPT_ERROR; -+ } -+ -+ STORE64H((uint64_t)seq, seqbuf); -+ chacha_ivctr64(&state->header, seqbuf, sizeof(seqbuf), 0); -+ if ((err = chacha_crypt(&state->header, in, sizeof(buf), buf)) != CRYPT_OK) { -+ return err; -+ } -+ -+ LOAD32H(*outlen, buf); -+ -+ TRACE2(("leave dropbear_chachapoly_getlength")) -+ return CRYPT_OK; -+} -+ -+const struct dropbear_cipher_mode dropbear_mode_chachapoly = -+ {(void *)dropbear_chachapoly_start, NULL, NULL, -+ (void *)dropbear_chachapoly_crypt, -+ (void *)dropbear_chachapoly_getlength, &dropbear_chachapoly_mac}; -+ -+#endif /* DROPBEAR_CHACHA20POLY1305 */ -diff --git a/chachapoly.h b/chachapoly.h -new file mode 100644 -index 0000000..5a7c5b2 ---- /dev/null -+++ b/chachapoly.h -@@ -0,0 +1,44 @@ -+/* -+ * Dropbear SSH -+ * -+ * Copyright (c) 2002,2003 Matt Johnston -+ * Copyright (c) 2020 by Vladislav Grishenko -+ * All rights reserved. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. */ -+ -+#ifndef DROPBEAR_DROPBEAR_CHACHAPOLY_H_ -+#define DROPBEAR_DROPBEAR_CHACHAPOLY_H_ -+ -+#include "includes.h" -+#include "algo.h" -+ -+#if DROPBEAR_CHACHA20POLY1305 -+ -+typedef struct { -+ chacha_state chacha; -+ chacha_state header; -+} dropbear_chachapoly_state; -+ -+extern const struct dropbear_cipher dropbear_chachapoly; -+extern const struct dropbear_cipher_mode dropbear_mode_chachapoly; -+ -+#endif /* DROPBEAR_CHACHA20POLY1305 */ -+ -+#endif /* DROPBEAR_DROPBEAR_CHACHAPOLY_H_ */ -diff --git a/common-algo.c b/common-algo.c -index 558aad2..1436456 100644 ---- a/common-algo.c -+++ b/common-algo.c -@@ -30,6 +30,7 @@ - #include "dh_groups.h" - #include "ltc_prng.h" - #include "ecc.h" -+#include "chachapoly.h" - - /* This file (algo.c) organises the ciphers which can be used, and is used to - * decide which ciphers/hashes/compression/signing to use during key exchange*/ -@@ -86,11 +87,11 @@ const struct dropbear_cipher dropbear_nocipher = - * about the symmetric_CBC vs symmetric_CTR cipher_state pointer */ - #if DROPBEAR_ENABLE_CBC_MODE - const struct dropbear_cipher_mode dropbear_mode_cbc = -- {(void*)cbc_start, (void*)cbc_encrypt, (void*)cbc_decrypt}; -+ {(void*)cbc_start, (void*)cbc_encrypt, (void*)cbc_decrypt, NULL, NULL, NULL}; - #endif /* DROPBEAR_ENABLE_CBC_MODE */ - - const struct dropbear_cipher_mode dropbear_mode_none = -- {void_start, void_cipher, void_cipher}; -+ {void_start, void_cipher, void_cipher, NULL, NULL, NULL}; - - #if DROPBEAR_ENABLE_CTR_MODE - /* a wrapper to make ctr_start and cbc_start look the same */ -@@ -101,7 +102,7 @@ static int dropbear_big_endian_ctr_start(int cipher, - return ctr_start(cipher, IV, key, keylen, num_rounds, CTR_COUNTER_BIG_ENDIAN, ctr); - } - const struct dropbear_cipher_mode dropbear_mode_ctr = -- {(void*)dropbear_big_endian_ctr_start, (void*)ctr_encrypt, (void*)ctr_decrypt}; -+ {(void*)dropbear_big_endian_ctr_start, (void*)ctr_encrypt, (void*)ctr_decrypt, NULL, NULL, NULL}; - #endif /* DROPBEAR_ENABLE_CTR_MODE */ - - /* Mapping of ssh hashes to libtomcrypt hashes, including keysize etc. -@@ -137,6 +138,10 @@ const struct dropbear_hash dropbear_nohash = - * that is also supported by the server will get used. */ - - algo_type sshciphers[] = { -+#if DROPBEAR_CHACHA20POLY1305 -+ {"chacha20-poly1305@openssh.com", 0, &dropbear_chachapoly, 1, &dropbear_mode_chachapoly}, -+#endif -+ - #if DROPBEAR_ENABLE_CTR_MODE - #if DROPBEAR_AES128 - {"aes128-ctr", 0, &dropbear_aes128, 1, &dropbear_mode_ctr}, -diff --git a/common-kex.c b/common-kex.c -index 16b7e27..5e2923f 100644 ---- a/common-kex.c -+++ b/common-kex.c -@@ -329,9 +329,12 @@ static void gen_new_keys() { - hashkeys(S2C_key, sizeof(S2C_key), &hs, 'D'); - - if (ses.newkeys->recv.algo_crypt->cipherdesc != NULL) { -- int recv_cipher = find_cipher(ses.newkeys->recv.algo_crypt->cipherdesc->name); -- if (recv_cipher < 0) -- dropbear_exit("Crypto error"); -+ int recv_cipher = -1; -+ if (ses.newkeys->recv.algo_crypt->cipherdesc->name != NULL) { -+ recv_cipher = find_cipher(ses.newkeys->recv.algo_crypt->cipherdesc->name); -+ if (recv_cipher < 0) -+ dropbear_exit("Crypto error"); -+ } - if (ses.newkeys->recv.crypt_mode->start(recv_cipher, - recv_IV, recv_key, - ses.newkeys->recv.algo_crypt->keysize, 0, -@@ -341,9 +344,12 @@ static void gen_new_keys() { - } - - if (ses.newkeys->trans.algo_crypt->cipherdesc != NULL) { -- int trans_cipher = find_cipher(ses.newkeys->trans.algo_crypt->cipherdesc->name); -- if (trans_cipher < 0) -- dropbear_exit("Crypto error"); -+ int trans_cipher = -1; -+ if (ses.newkeys->trans.algo_crypt->cipherdesc->name != NULL) { -+ trans_cipher = find_cipher(ses.newkeys->trans.algo_crypt->cipherdesc->name); -+ if (trans_cipher < 0) -+ dropbear_exit("Crypto error"); -+ } - if (ses.newkeys->trans.crypt_mode->start(trans_cipher, - trans_IV, trans_key, - ses.newkeys->trans.algo_crypt->keysize, 0, -@@ -868,19 +874,29 @@ static void read_kex_algos() { - - /* mac_algorithms_client_to_server */ - c2s_hash_algo = buf_match_algo(ses.payload, sshhashes, NULL, NULL); -+#if DROPBEAR_AEAD_MODE -+ if (((struct dropbear_cipher_mode*)c2s_cipher_algo->mode)->aead_crypt != NULL) { -+ c2s_hash_algo = NULL; -+ } else -+#endif - if (c2s_hash_algo == NULL) { - erralgo = "mac c->s"; - goto error; - } -- TRACE(("hash c2s is %s", c2s_hash_algo->name)) -+ TRACE(("hash c2s is %s", c2s_hash_algo ? c2s_hash_algo->name : "")) - - /* mac_algorithms_server_to_client */ - s2c_hash_algo = buf_match_algo(ses.payload, sshhashes, NULL, NULL); -+#if DROPBEAR_AEAD_MODE -+ if (((struct dropbear_cipher_mode*)s2c_cipher_algo->mode)->aead_crypt != NULL) { -+ s2c_hash_algo = NULL; -+ } else -+#endif - if (s2c_hash_algo == NULL) { - erralgo = "mac s->c"; - goto error; - } -- TRACE(("hash s2c is %s", s2c_hash_algo->name)) -+ TRACE(("hash s2c is %s", s2c_hash_algo ? s2c_hash_algo->name : "")) - - /* compression_algorithms_client_to_server */ - c2s_comp_algo = buf_match_algo(ses.payload, ses.compress_algos, NULL, NULL); -@@ -925,8 +941,14 @@ static void read_kex_algos() { - ses.newkeys->trans.crypt_mode = - (struct dropbear_cipher_mode*)c2s_cipher_algo->mode; - ses.newkeys->recv.algo_mac = -+#if DROPBEAR_AEAD_MODE -+ s2c_hash_algo == NULL ? ses.newkeys->recv.crypt_mode->aead_mac : -+#endif - (struct dropbear_hash*)s2c_hash_algo->data; - ses.newkeys->trans.algo_mac = -+#if DROPBEAR_AEAD_MODE -+ c2s_hash_algo == NULL ? ses.newkeys->trans.crypt_mode->aead_mac : -+#endif - (struct dropbear_hash*)c2s_hash_algo->data; - ses.newkeys->recv.algo_comp = s2c_comp_algo->val; - ses.newkeys->trans.algo_comp = c2s_comp_algo->val; -@@ -941,8 +963,14 @@ static void read_kex_algos() { - ses.newkeys->trans.crypt_mode = - (struct dropbear_cipher_mode*)s2c_cipher_algo->mode; - ses.newkeys->recv.algo_mac = -+#if DROPBEAR_AEAD_MODE -+ c2s_hash_algo == NULL ? ses.newkeys->recv.crypt_mode->aead_mac : -+#endif - (struct dropbear_hash*)c2s_hash_algo->data; - ses.newkeys->trans.algo_mac = -+#if DROPBEAR_AEAD_MODE -+ s2c_hash_algo == NULL ? ses.newkeys->trans.crypt_mode->aead_mac : -+#endif - (struct dropbear_hash*)s2c_hash_algo->data; - ses.newkeys->recv.algo_comp = c2s_comp_algo->val; - ses.newkeys->trans.algo_comp = s2c_comp_algo->val; -diff --git a/default_options.h b/default_options.h -index bafbb07..1a2ab10 100644 ---- a/default_options.h -+++ b/default_options.h -@@ -99,6 +99,12 @@ IMPORTANT: Some options will require "make clean" after changes */ - * and forwards compatibility */ - #define DROPBEAR_ENABLE_CTR_MODE 1 - -+/* Enable Chacha20-Poly1305 authenticated encryption mode. This is -+ * generally faster than AES256 on CPU w/o dedicated AES instructions, -+ * having the same key size. -+ * Compiling in will add ~5,5kB to binary size on x86-64 */ -+#define DROPBEAR_CHACHA20POLY1305 1 -+ - /* Message integrity. sha2-256 is recommended as a default, - sha1 for compatibility */ - #define DROPBEAR_SHA1_HMAC 1 -diff --git a/libtomcrypt/src/headers/tomcrypt_dropbear.h b/libtomcrypt/src/headers/tomcrypt_dropbear.h -index b0ce45b..59960e5 100644 ---- a/libtomcrypt/src/headers/tomcrypt_dropbear.h -+++ b/libtomcrypt/src/headers/tomcrypt_dropbear.h -@@ -35,6 +35,10 @@ - #define LTC_CTR_MODE - #endif - -+#if DROPBEAR_CHACHA20POLY1305 -+#define LTC_CHACHA -+#define LTC_POLY1305 -+#endif - - #if DROPBEAR_SHA512 - #define LTC_SHA512 -diff --git a/packet.c b/packet.c -index 9fda0d6..0454726 100644 ---- a/packet.c -+++ b/packet.c -@@ -215,7 +215,7 @@ static int read_packet_init() { - - unsigned int maxlen; - int slen; -- unsigned int len; -+ unsigned int len, plen; - unsigned int blocksize; - unsigned int macsize; - -@@ -254,21 +254,35 @@ static int read_packet_init() { - /* now we have the first block, need to get packet length, so we decrypt - * the first block (only need first 4 bytes) */ - buf_setpos(ses.readbuf, 0); -- if (ses.keys->recv.crypt_mode->decrypt(buf_getptr(ses.readbuf, blocksize), -- buf_getwriteptr(ses.readbuf, blocksize), -- blocksize, -- &ses.keys->recv.cipher_state) != CRYPT_OK) { -- dropbear_exit("Error decrypting"); -+#if DROPBEAR_AEAD_MODE -+ if (ses.keys->recv.crypt_mode->aead_crypt) { -+ if (ses.keys->recv.crypt_mode->aead_getlength(ses.recvseq, -+ buf_getptr(ses.readbuf, blocksize), &plen, -+ blocksize, -+ &ses.keys->recv.cipher_state) != CRYPT_OK) { -+ dropbear_exit("Error decrypting"); -+ } -+ len = plen + 4 + macsize; -+ } else -+#endif -+ { -+ if (ses.keys->recv.crypt_mode->decrypt(buf_getptr(ses.readbuf, blocksize), -+ buf_getwriteptr(ses.readbuf, blocksize), -+ blocksize, -+ &ses.keys->recv.cipher_state) != CRYPT_OK) { -+ dropbear_exit("Error decrypting"); -+ } -+ plen = buf_getint(ses.readbuf) + 4; -+ len = plen + macsize; - } -- len = buf_getint(ses.readbuf) + 4 + macsize; - - TRACE2(("packet size is %u, block %u mac %u", len, blocksize, macsize)) - - - /* check packet length */ - if ((len > RECV_MAX_PACKET_LEN) || -- (len < MIN_PACKET_LEN + macsize) || -- ((len - macsize) % blocksize != 0)) { -+ (plen < blocksize) || -+ (plen % blocksize != 0)) { - dropbear_exit("Integrity error (bad packet size %u)", len); - } - -@@ -294,23 +308,42 @@ void decrypt_packet() { - - ses.kexstate.datarecv += ses.readbuf->len; - -- /* we've already decrypted the first blocksize in read_packet_init */ -- buf_setpos(ses.readbuf, blocksize); -- -- /* decrypt it in-place */ -- len = ses.readbuf->len - macsize - ses.readbuf->pos; -- if (ses.keys->recv.crypt_mode->decrypt( -- buf_getptr(ses.readbuf, len), -- buf_getwriteptr(ses.readbuf, len), -- len, -- &ses.keys->recv.cipher_state) != CRYPT_OK) { -- dropbear_exit("Error decrypting"); -- } -- buf_incrpos(ses.readbuf, len); -+#if DROPBEAR_AEAD_MODE -+ if (ses.keys->recv.crypt_mode->aead_crypt) { -+ /* first blocksize is not decrypted yet */ -+ buf_setpos(ses.readbuf, 0); -+ -+ /* decrypt it in-place */ -+ len = ses.readbuf->len - macsize - ses.readbuf->pos; -+ if (ses.keys->recv.crypt_mode->aead_crypt(ses.recvseq, -+ buf_getptr(ses.readbuf, len + macsize), -+ buf_getwriteptr(ses.readbuf, len), -+ len, macsize, -+ &ses.keys->recv.cipher_state, LTC_DECRYPT) != CRYPT_OK) { -+ dropbear_exit("Error decrypting"); -+ } -+ buf_incrpos(ses.readbuf, len); -+ } else -+#endif -+ { -+ /* we've already decrypted the first blocksize in read_packet_init */ -+ buf_setpos(ses.readbuf, blocksize); -+ -+ /* decrypt it in-place */ -+ len = ses.readbuf->len - macsize - ses.readbuf->pos; -+ if (ses.keys->recv.crypt_mode->decrypt( -+ buf_getptr(ses.readbuf, len), -+ buf_getwriteptr(ses.readbuf, len), -+ len, -+ &ses.keys->recv.cipher_state) != CRYPT_OK) { -+ dropbear_exit("Error decrypting"); -+ } -+ buf_incrpos(ses.readbuf, len); - -- /* check the hmac */ -- if (checkmac() != DROPBEAR_SUCCESS) { -- dropbear_exit("Integrity error"); -+ /* check the hmac */ -+ if (checkmac() != DROPBEAR_SUCCESS) { -+ dropbear_exit("Integrity error"); -+ } - } - - /* get padding length */ -@@ -557,9 +590,16 @@ void encrypt_packet() { - buf_setpos(ses.writepayload, 0); - buf_setlen(ses.writepayload, 0); - -- /* length of padding - packet length must be a multiple of blocksize, -- * with a minimum of 4 bytes of padding */ -- padlen = blocksize - (writebuf->len) % blocksize; -+ /* length of padding - packet length excluding the packetlength uint32 -+ * field in aead mode must be a multiple of blocksize, with a minimum of -+ * 4 bytes of padding */ -+ len = writebuf->len; -+#if DROPBEAR_AEAD_MODE -+ if (ses.keys->trans.crypt_mode->aead_crypt) { -+ len -= 4; -+ } -+#endif -+ padlen = blocksize - len % blocksize; - if (padlen < 4) { - padlen += blocksize; - } -@@ -579,23 +619,42 @@ void encrypt_packet() { - buf_incrlen(writebuf, padlen); - genrandom(buf_getptr(writebuf, padlen), padlen); - -- make_mac(ses.transseq, &ses.keys->trans, writebuf, writebuf->len, mac_bytes); -+#if DROPBEAR_AEAD_MODE -+ if (ses.keys->trans.crypt_mode->aead_crypt) { -+ /* do the actual encryption, in-place */ -+ buf_setpos(writebuf, 0); -+ /* encrypt it in-place*/ -+ len = writebuf->len; -+ buf_incrlen(writebuf, mac_size); -+ if (ses.keys->trans.crypt_mode->aead_crypt(ses.transseq, -+ buf_getptr(writebuf, len), -+ buf_getwriteptr(writebuf, len + mac_size), -+ len, mac_size, -+ &ses.keys->trans.cipher_state, LTC_ENCRYPT) != CRYPT_OK) { -+ dropbear_exit("Error encrypting"); -+ } -+ buf_incrpos(writebuf, len + mac_size); -+ } else -+#endif -+ { -+ make_mac(ses.transseq, &ses.keys->trans, writebuf, writebuf->len, mac_bytes); -+ -+ /* do the actual encryption, in-place */ -+ buf_setpos(writebuf, 0); -+ /* encrypt it in-place*/ -+ len = writebuf->len; -+ if (ses.keys->trans.crypt_mode->encrypt( -+ buf_getptr(writebuf, len), -+ buf_getwriteptr(writebuf, len), -+ len, -+ &ses.keys->trans.cipher_state) != CRYPT_OK) { -+ dropbear_exit("Error encrypting"); -+ } -+ buf_incrpos(writebuf, len); - -- /* do the actual encryption, in-place */ -- buf_setpos(writebuf, 0); -- /* encrypt it in-place*/ -- len = writebuf->len; -- if (ses.keys->trans.crypt_mode->encrypt( -- buf_getptr(writebuf, len), -- buf_getwriteptr(writebuf, len), -- len, -- &ses.keys->trans.cipher_state) != CRYPT_OK) { -- dropbear_exit("Error encrypting"); -+ /* stick the MAC on it */ -+ buf_putbytes(writebuf, mac_bytes, mac_size); - } -- buf_incrpos(writebuf, len); -- -- /* stick the MAC on it */ -- buf_putbytes(writebuf, mac_bytes, mac_size); - - /* Update counts */ - ses.kexstate.datatrans += writebuf->len; -diff --git a/session.h b/session.h -index e436882..a8f8914 100644 ---- a/session.h -+++ b/session.h -@@ -41,6 +41,7 @@ - #include "chansession.h" - #include "dbutil.h" - #include "netio.h" -+#include "chachapoly.h" - - void common_session_init(int sock_in, int sock_out); - void session_loop(void(*loophandler)(void)) ATTRIB_NORETURN; -@@ -80,6 +81,9 @@ struct key_context_directional { - symmetric_CBC cbc; - #if DROPBEAR_ENABLE_CTR_MODE - symmetric_CTR ctr; -+#endif -+#if DROPBEAR_CHACHA20POLY1305 -+ dropbear_chachapoly_state chachapoly; - #endif - } cipher_state; - unsigned char mackey[MAX_MAC_LEN]; -diff --git a/sysoptions.h b/sysoptions.h -index 2c27caf..2432779 100644 ---- a/sysoptions.h -+++ b/sysoptions.h -@@ -92,7 +92,11 @@ - #define MD5_HASH_SIZE 16 - #define MAX_HASH_SIZE 64 /* sha512 */ - -+#if DROPBEAR_CHACHA20POLY1305 -+#define MAX_KEY_LEN 64 /* 2 x 256 bits for chacha20 */ -+#else - #define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */ -+#endif - #define MAX_IV_LEN 20 /* must be same as max blocksize, */ - - #if DROPBEAR_SHA2_512_HMAC -@@ -207,6 +211,8 @@ If you test it please contact the Dropbear author */ - - #define DROPBEAR_TWOFISH ((DROPBEAR_TWOFISH256) || (DROPBEAR_TWOFISH128)) - -+#define DROPBEAR_AEAD_MODE ((DROPBEAR_CHACHA20POLY1305)) -+ - #define DROPBEAR_CLI_ANYTCPFWD ((DROPBEAR_CLI_REMOTETCPFWD) || (DROPBEAR_CLI_LOCALTCPFWD)) - - #define DROPBEAR_TCP_ACCEPT ((DROPBEAR_CLI_LOCALTCPFWD) || (DROPBEAR_SVR_REMOTETCPFWD)) -@@ -249,7 +255,7 @@ If you test it please contact the Dropbear author */ - #endif - - #if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \ -- || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128) -+ || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128 || DROPBEAR_CHACHA20POLY1305) - #error "At least one encryption algorithm must be enabled. AES128 is recommended." - #endif - --- -2.17.1 - diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch index 732d84078f..af3fbb336b 100644 --- a/package/network/services/dropbear/patches/100-pubkey_path.patch +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch @@ -1,6 +1,6 @@ --- a/svr-authpubkey.c +++ b/svr-authpubkey.c -@@ -338,14 +338,19 @@ static int checkpubkey(const char* algo, +@@ -386,14 +386,19 @@ static int checkpubkey(const char* keyal goto out; } @@ -28,7 +28,7 @@ #if DROPBEAR_SVR_MULTIUSER /* open the file as the authenticating user. */ -@@ -426,27 +431,36 @@ static int checkpubkeyperms() { +@@ -474,27 +479,36 @@ static int checkpubkeyperms() { goto out; } diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch index 27e7fbaf4f..f66b319100 100644 --- a/package/network/services/dropbear/patches/110-change_user.patch +++ b/package/network/services/dropbear/patches/110-change_user.patch @@ -1,6 +1,6 @@ --- a/svr-chansession.c +++ b/svr-chansession.c -@@ -953,12 +953,12 @@ static void execchild(const void *user_d +@@ -950,12 +950,12 @@ static void execchild(const void *user_d /* We can only change uid/gid as root ... */ if (getuid() == 0) { diff --git a/package/network/services/dropbear/patches/160-lto-jobserver.patch b/package/network/services/dropbear/patches/160-lto-jobserver.patch index 02765335d3..dbba613ac3 100644 --- a/package/network/services/dropbear/patches/160-lto-jobserver.patch +++ b/package/network/services/dropbear/patches/160-lto-jobserver.patch @@ -1,11 +1,11 @@ --- a/Makefile.in +++ b/Makefile.in -@@ -189,17 +189,17 @@ dropbearkey: $(dropbearkeyobjs) +@@ -199,17 +199,17 @@ dropbearkey: $(dropbearkeyobjs) dropbearconvert: $(dropbearconvertobjs) dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile -- $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@ -+ +$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@ +- $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@ $(PLUGIN_LIBS) ++ +$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@ $(PLUGIN_LIBS) dbclient: $(HEADERS) $(LIBTOM_DEPS) Makefile - $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @@ -22,7 +22,7 @@ # multi-binary compilation. -@@ -210,7 +210,7 @@ ifeq ($(MULTI),1) +@@ -220,7 +220,7 @@ ifeq ($(MULTI),1) endif dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile diff --git a/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch b/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch index 033aee3a06..2432b4ef72 100644 --- a/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch +++ b/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch @@ -1,6 +1,6 @@ --- a/libtomcrypt/makefile_include.mk +++ b/libtomcrypt/makefile_include.mk -@@ -75,6 +75,13 @@ endif +@@ -94,6 +94,13 @@ endif LTC_CFLAGS += -Wno-type-limits @@ -14,7 +14,7 @@ ifdef LTC_DEBUG $(info Debug build) # compile for DEBUGGING (required for ccmalloc checking!!!) -@@ -102,6 +109,9 @@ endif +@@ -121,6 +128,9 @@ endif endif # COMPILE_SMALL endif # COMPILE_DEBUG @@ -26,8 +26,8 @@ LTC_CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header -Wno-missing-field-initializers --- a/libtommath/makefile_include.mk +++ b/libtommath/makefile_include.mk -@@ -37,6 +37,9 @@ CFLAGS += -Wsystem-headers -Wdeclaration - CFLAGS += -Wstrict-prototypes -Wpointer-arith +@@ -70,6 +70,9 @@ else + LTM_CFLAGS += -Wsystem-headers endif +ifndef OPENWRT_BUILD @@ -35,14 +35,14 @@ + ifdef COMPILE_DEBUG #debug - CFLAGS += -g3 -@@ -58,6 +61,9 @@ endif + LTM_CFLAGS += -g3 +@@ -90,6 +93,9 @@ endif + endif # COMPILE_SIZE - endif # COMPILE_DEBUG + ### ! OPENWRT_BUILD +endif + ifneq ($(findstring clang,$(CC)),) - CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header + LTM_CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header endif From ceeece9ffaa5a3a336505332c39794d76c08b2ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0tetiar?= Date: Wed, 17 Jun 2020 23:48:32 +0200 Subject: [PATCH 09/11] ath79: image: fix initramfs for safeloader devices MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently it's not possible to tftpboot initramfs image on archer-c7-v5 as the image contains tplink-v1-header which leads to: ath> bootm ## Booting image at 81000000 ... Bad Magic Number as U-Boot expects uImage wrapped image. This is caused by following inheritance issue: define Device/Init KERNEL_INITRAMFS = $$(KERNEL) define Device/tplink-v1 KERNEL := kernel-bin | append-dtb | lzma KERNEL_INITRAMFS := kernel-bin | append-dtb | lzma | tplink-v1-header define Device/tplink-safeloader $(Device/tplink-v1) define Device/tplink-safeloader-uimage $(Device/tplink-safeloader) KERNEL := kernel-bin | append-dtb | lzma | uImageArcher lzma define Device/tplink_archer-c7-v5 $(Device/tplink-safeloader-uimage) where tplink-v1 defines KERNEL_INITRAMFS with tplink-v1-header and it's then used by all devices inheriting from tplink-safeloader. Fix this by overriding KERNEL_INITRAMFS to KERNEL variable again. Signed-off-by: Petr Štetiar --- target/linux/ath79/image/common-tp-link.mk | 3 +++ 1 file changed, 3 insertions(+) diff --git a/target/linux/ath79/image/common-tp-link.mk b/target/linux/ath79/image/common-tp-link.mk index 328eaaed30..81a557df48 100644 --- a/target/linux/ath79/image/common-tp-link.mk +++ b/target/linux/ath79/image/common-tp-link.mk @@ -78,6 +78,7 @@ define Device/tplink-safeloader $(Device/tplink-v1) TPLINK_HWREV := 0x0 KERNEL := kernel-bin | append-dtb | lzma | tplink-v1-header -O + KERNEL_INITRAMFS := $$(KERNEL) IMAGE/sysupgrade.bin := append-rootfs | tplink-safeloader sysupgrade | \ append-metadata | check-size IMAGE/factory.bin := append-rootfs | tplink-safeloader factory @@ -86,6 +87,7 @@ endef define Device/tplink-safeloader-uimage $(Device/tplink-safeloader) KERNEL := kernel-bin | append-dtb | lzma | uImageArcher lzma + KERNEL_INITRAMFS := $$(KERNEL) endef define Device/tplink-safeloader-okli @@ -96,4 +98,5 @@ define Device/tplink-safeloader-okli COMPILE/loader-$(1).elf := loader-okli-compile KERNEL := kernel-bin | append-dtb | lzma | uImage lzma -M 0x4f4b4c49 | \ loader-okli $(1) 12288 + KERNEL_INITRAMFS := $$(KERNEL) endef From e44e60b290fb346a4cdd5ca9b141abbcf61e80fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0tetiar?= Date: Tue, 9 Jun 2020 14:18:25 +0200 Subject: [PATCH 10/11] kernel: bump 5.4 to 5.4.48 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Resolved merge conflict in the following patches: layerscape: 701-net-0213-dpaa2-eth-Add-CEETM-qdisc-support.patch ramips: 0013-owrt-hack-fix-mt7688-cache-issue.patch Refreshed patches, removed upstreamed patch: bcm63xx: 020-v5.8-mtd-rawnand-brcmnand-fix-hamming-oob-layout.patch Run tested: qemu-x86-64 Build tested: x86/64 Signed-off-by: Petr Štetiar --- include/kernel-version.mk | 4 +- ...vert-702b94bff3c50542a6e4ab9a4f4cef0.patch | 2 +- ...-0027-mm-Remove-the-PFN-busy-warning.patch | 2 +- ...genet-constrain-max-DMA-burst-length.patch | 2 +- ...Better-coalescing-parameter-defaults.patch | 4 +- ...t-Workaround-2-for-Pi4-Ethernet-fail.patch | 8 ++-- ....dtbo-overlays-to-be-built-piecemeal.patch | 2 +- ...40-drm-v3d-The-third-IRQ-is-optional.patch | 2 +- ...reat-dev-bus_dma_mask-as-a-DMA-limit.patch | 4 +- ...ow-.dtbo-overlays-to-be-built-adjust.patch | 2 +- ...CS_HIGH-if-GPIO-descriptors-are-used.patch | 4 +- ...te-SPI_CS_HIGH-warning-to-KERN_DEBUG.patch | 2 +- ...nand-brcmnand-fix-hamming-oob-layout.patch | 40 ------------------- ...-v5.8-spi-rb4xx-null-pointer-bug-fix.patch | 6 +-- ...pdate-driver-to-be-device-tree-aware.patch | 6 +-- .../generic/hack-5.4/221-module_exports.patch | 2 +- .../generic/hack-5.4/902-debloat_proc.patch | 4 +- ...e_mem_map-with-ARCH_PFN_OFFSET-calcu.patch | 2 +- .../pending-5.4/201-extra_optimization.patch | 2 +- .../203-kallsyms_uncompressed.patch | 2 +- ...ng-with-source-address-failed-policy.patch | 2 +- ...msm-use-sdhci_set_clock-instead-of-s.patch | 2 +- .../0001-MIPS-lantiq-add-pcie-driver.patch | 2 +- ...w-workaround-for-EDO-high-speed-mode.patch | 2 +- ...13-dpaa2-eth-Add-CEETM-qdisc-support.patch | 2 +- ...r-Gateworks-PLX-PEX860x-switch-with-.patch | 2 +- ...013-owrt-hack-fix-mt7688-cache-issue.patch | 11 ++--- .../200-pcengines-apu2-reboot.patch | 2 +- 28 files changed, 42 insertions(+), 85 deletions(-) delete mode 100644 target/linux/bcm63xx/patches-5.4/020-v5.8-mtd-rawnand-brcmnand-fix-hamming-oob-layout.patch diff --git a/include/kernel-version.mk b/include/kernel-version.mk index fa62ccbe2a..3bfb4e6827 100644 --- a/include/kernel-version.mk +++ b/include/kernel-version.mk @@ -8,11 +8,11 @@ endif LINUX_VERSION-4.14 = .180 LINUX_VERSION-4.19 = .123 -LINUX_VERSION-5.4 = .46 +LINUX_VERSION-5.4 = .48 LINUX_KERNEL_HASH-4.14.180 = 444ef973d9b6a6ea174e4a9086f0aea980d8575d13302e431ad688f22e27ed0e LINUX_KERNEL_HASH-4.19.123 = a79914d31a8d8c6b0e2bb0f2b143d615fe8a6c4dd2e0f36e97aa20efd69a993f -LINUX_KERNEL_HASH-5.4.46 = 30074ff2f1a2498da391fad73fc0efaa2256416a08fff8835069b1c59ab31b8e +LINUX_KERNEL_HASH-5.4.48 = bf20ddafcd04c114d34654bb10d1eb74f1864f3d14b676c6f0d42d60bbcf1d53 remove_uri_prefix=$(subst git://,,$(subst http://,,$(subst https://,,$(1)))) sanitize_uri=$(call qstrip,$(subst @,_,$(subst :,_,$(subst .,_,$(subst -,_,$(subst /,_,$(1))))))) diff --git a/target/linux/bcm27xx/patches-5.4/950-0001-arm-partially-revert-702b94bff3c50542a6e4ab9a4f4cef0.patch b/target/linux/bcm27xx/patches-5.4/950-0001-arm-partially-revert-702b94bff3c50542a6e4ab9a4f4cef0.patch index 3989b90fff..ef3c95e1ca 100644 --- a/target/linux/bcm27xx/patches-5.4/950-0001-arm-partially-revert-702b94bff3c50542a6e4ab9a4f4cef0.patch +++ b/target/linux/bcm27xx/patches-5.4/950-0001-arm-partially-revert-702b94bff3c50542a6e4ab9a4f4cef0.patch @@ -76,7 +76,7 @@ Subject: [PATCH] arm: partially revert --- a/arch/arm/mm/proc-macros.S +++ b/arch/arm/mm/proc-macros.S -@@ -335,6 +335,8 @@ ENTRY(\name\()_cache_fns) +@@ -336,6 +336,8 @@ ENTRY(\name\()_cache_fns) .long \name\()_flush_kern_dcache_area .long \name\()_dma_map_area .long \name\()_dma_unmap_area diff --git a/target/linux/bcm27xx/patches-5.4/950-0027-mm-Remove-the-PFN-busy-warning.patch b/target/linux/bcm27xx/patches-5.4/950-0027-mm-Remove-the-PFN-busy-warning.patch index 508527359f..145e72028a 100644 --- a/target/linux/bcm27xx/patches-5.4/950-0027-mm-Remove-the-PFN-busy-warning.patch +++ b/target/linux/bcm27xx/patches-5.4/950-0027-mm-Remove-the-PFN-busy-warning.patch @@ -14,7 +14,7 @@ Signed-off-by: Eric Anholt --- a/mm/page_alloc.c +++ b/mm/page_alloc.c -@@ -8486,8 +8486,6 @@ int alloc_contig_range(unsigned long sta +@@ -8481,8 +8481,6 @@ int alloc_contig_range(unsigned long sta /* Make sure the range is really isolated. */ if (test_pages_isolated(outer_start, end, false)) { diff --git a/target/linux/bcm27xx/patches-5.4/950-0210-bcmgenet-constrain-max-DMA-burst-length.patch b/target/linux/bcm27xx/patches-5.4/950-0210-bcmgenet-constrain-max-DMA-burst-length.patch index 7f065eb630..5f683b506b 100644 --- a/target/linux/bcm27xx/patches-5.4/950-0210-bcmgenet-constrain-max-DMA-burst-length.patch +++ b/target/linux/bcm27xx/patches-5.4/950-0210-bcmgenet-constrain-max-DMA-burst-length.patch @@ -9,7 +9,7 @@ Subject: [PATCH] bcmgenet: constrain max DMA burst length --- a/drivers/net/ethernet/broadcom/genet/bcmgenet.h +++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.h -@@ -28,7 +28,7 @@ +@@ -29,7 +29,7 @@ #define ENET_PAD 8 #define ENET_MAX_MTU_SIZE (ETH_DATA_LEN + ETH_HLEN + VLAN_HLEN + \ ENET_BRCM_TAG_LEN + ETH_FCS_LEN + ENET_PAD) diff --git a/target/linux/bcm27xx/patches-5.4/950-0211-bcmgenet-Better-coalescing-parameter-defaults.patch b/target/linux/bcm27xx/patches-5.4/950-0211-bcmgenet-Better-coalescing-parameter-defaults.patch index 5b88f11070..159506bf96 100644 --- a/target/linux/bcm27xx/patches-5.4/950-0211-bcmgenet-Better-coalescing-parameter-defaults.patch +++ b/target/linux/bcm27xx/patches-5.4/950-0211-bcmgenet-Better-coalescing-parameter-defaults.patch @@ -18,7 +18,7 @@ Signed-off-by: Phil Elwell --- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c +++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c -@@ -2148,7 +2148,7 @@ static void bcmgenet_init_tx_ring(struct +@@ -2151,7 +2151,7 @@ static void bcmgenet_init_tx_ring(struct bcmgenet_tdma_ring_writel(priv, index, 0, TDMA_PROD_INDEX); bcmgenet_tdma_ring_writel(priv, index, 0, TDMA_CONS_INDEX); @@ -27,7 +27,7 @@ Signed-off-by: Phil Elwell /* Disable rate control for now */ bcmgenet_tdma_ring_writel(priv, index, flow_period_val, TDMA_FLOW_PERIOD); -@@ -3571,9 +3571,12 @@ static int bcmgenet_probe(struct platfor +@@ -3575,9 +3575,12 @@ static int bcmgenet_probe(struct platfor netif_set_real_num_rx_queues(priv->dev, priv->hw_params->rx_queues + 1); /* Set default coalescing parameters */ diff --git a/target/linux/bcm27xx/patches-5.4/950-0295-net-bcmgenet-Workaround-2-for-Pi4-Ethernet-fail.patch b/target/linux/bcm27xx/patches-5.4/950-0295-net-bcmgenet-Workaround-2-for-Pi4-Ethernet-fail.patch index 7370cfb44a..562312d279 100644 --- a/target/linux/bcm27xx/patches-5.4/950-0295-net-bcmgenet-Workaround-2-for-Pi4-Ethernet-fail.patch +++ b/target/linux/bcm27xx/patches-5.4/950-0295-net-bcmgenet-Workaround-2-for-Pi4-Ethernet-fail.patch @@ -27,9 +27,9 @@ Signed-off-by: Phil Elwell --- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c +++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c -@@ -69,6 +69,10 @@ - #define GENET_RDMA_REG_OFF (priv->hw_params->rdma_offset + \ - TOTAL_DESC * DMA_DESC_SIZE) +@@ -72,6 +72,10 @@ + /* Forward declarations */ + static void bcmgenet_set_rx_mode(struct net_device *dev); +static bool skip_umac_reset = true; +module_param(skip_umac_reset, bool, 0444); @@ -38,7 +38,7 @@ Signed-off-by: Phil Elwell static inline void bcmgenet_writel(u32 value, void __iomem *offset) { /* MIPS chips strapped for BE will automagically configure the -@@ -1994,6 +1998,11 @@ static void reset_umac(struct bcmgenet_p +@@ -1997,6 +2001,11 @@ static void reset_umac(struct bcmgenet_p bcmgenet_rbuf_ctrl_set(priv, 0); udelay(10); diff --git a/target/linux/bcm27xx/patches-5.4/950-0316-kbuild-Allow-.dtbo-overlays-to-be-built-piecemeal.patch b/target/linux/bcm27xx/patches-5.4/950-0316-kbuild-Allow-.dtbo-overlays-to-be-built-piecemeal.patch index 24b11387e6..bb6dad7091 100644 --- a/target/linux/bcm27xx/patches-5.4/950-0316-kbuild-Allow-.dtbo-overlays-to-be-built-piecemeal.patch +++ b/target/linux/bcm27xx/patches-5.4/950-0316-kbuild-Allow-.dtbo-overlays-to-be-built-piecemeal.patch @@ -24,7 +24,7 @@ Signed-off-by: Phil Elwell --- a/Makefile +++ b/Makefile -@@ -1246,6 +1246,9 @@ ifneq ($(dtstree),) +@@ -1242,6 +1242,9 @@ ifneq ($(dtstree),) %.dtb: include/config/kernel.release scripts_dtc $(Q)$(MAKE) $(build)=$(dtstree) $(dtstree)/$@ diff --git a/target/linux/bcm27xx/patches-5.4/950-0340-drm-v3d-The-third-IRQ-is-optional.patch b/target/linux/bcm27xx/patches-5.4/950-0340-drm-v3d-The-third-IRQ-is-optional.patch index 5dac72f9a2..edb4ede525 100644 --- a/target/linux/bcm27xx/patches-5.4/950-0340-drm-v3d-The-third-IRQ-is-optional.patch +++ b/target/linux/bcm27xx/patches-5.4/950-0340-drm-v3d-The-third-IRQ-is-optional.patch @@ -13,7 +13,7 @@ Signed-off-by: Phil Elwell --- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c +++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c -@@ -3472,7 +3472,7 @@ static int bcmgenet_probe(struct platfor +@@ -3476,7 +3476,7 @@ static int bcmgenet_probe(struct platfor priv = netdev_priv(dev); priv->irq0 = platform_get_irq(pdev, 0); priv->irq1 = platform_get_irq(pdev, 1); diff --git a/target/linux/bcm27xx/patches-5.4/950-0451-dma-mapping-treat-dev-bus_dma_mask-as-a-DMA-limit.patch b/target/linux/bcm27xx/patches-5.4/950-0451-dma-mapping-treat-dev-bus_dma_mask-as-a-DMA-limit.patch index 162a91c530..d968e93153 100644 --- a/target/linux/bcm27xx/patches-5.4/950-0451-dma-mapping-treat-dev-bus_dma_mask-as-a-DMA-limit.patch +++ b/target/linux/bcm27xx/patches-5.4/950-0451-dma-mapping-treat-dev-bus_dma_mask-as-a-DMA-limit.patch @@ -149,7 +149,7 @@ Signed-off-by: Christoph Hellwig --- a/drivers/acpi/arm64/iort.c +++ b/drivers/acpi/arm64/iort.c -@@ -1057,8 +1057,8 @@ static int rc_dma_get_range(struct devic +@@ -1062,8 +1062,8 @@ static int rc_dma_get_range(struct devic */ void iort_dma_setup(struct device *dev, u64 *dma_addr, u64 *dma_size) { @@ -160,7 +160,7 @@ Signed-off-by: Christoph Hellwig /* * If @dev is expected to be DMA-capable then the bus code that created -@@ -1085,19 +1085,13 @@ void iort_dma_setup(struct device *dev, +@@ -1090,19 +1090,13 @@ void iort_dma_setup(struct device *dev, } if (!ret) { diff --git a/target/linux/bcm27xx/patches-5.4/950-0460-Kbuild-Allow-.dtbo-overlays-to-be-built-adjust.patch b/target/linux/bcm27xx/patches-5.4/950-0460-Kbuild-Allow-.dtbo-overlays-to-be-built-adjust.patch index 6f71797a8b..e2e681e033 100644 --- a/target/linux/bcm27xx/patches-5.4/950-0460-Kbuild-Allow-.dtbo-overlays-to-be-built-adjust.patch +++ b/target/linux/bcm27xx/patches-5.4/950-0460-Kbuild-Allow-.dtbo-overlays-to-be-built-adjust.patch @@ -15,7 +15,7 @@ Signed-off-by: Nataliya Korovkina --- a/Makefile +++ b/Makefile -@@ -1246,7 +1246,7 @@ ifneq ($(dtstree),) +@@ -1242,7 +1242,7 @@ ifneq ($(dtstree),) %.dtb: include/config/kernel.release scripts_dtc $(Q)$(MAKE) $(build)=$(dtstree) $(dtstree)/$@ diff --git a/target/linux/bcm27xx/patches-5.4/950-0653-spi-Force-CS_HIGH-if-GPIO-descriptors-are-used.patch b/target/linux/bcm27xx/patches-5.4/950-0653-spi-Force-CS_HIGH-if-GPIO-descriptors-are-used.patch index 43d10486de..9514f90715 100644 --- a/target/linux/bcm27xx/patches-5.4/950-0653-spi-Force-CS_HIGH-if-GPIO-descriptors-are-used.patch +++ b/target/linux/bcm27xx/patches-5.4/950-0653-spi-Force-CS_HIGH-if-GPIO-descriptors-are-used.patch @@ -23,7 +23,7 @@ Signed-off-by: Phil Elwell --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c -@@ -3032,6 +3032,7 @@ static int __spi_validate_bits_per_word( +@@ -3034,6 +3034,7 @@ static int __spi_validate_bits_per_word( */ int spi_setup(struct spi_device *spi) { @@ -31,7 +31,7 @@ Signed-off-by: Phil Elwell unsigned bad_bits, ugly_bits; int status; -@@ -3049,6 +3050,14 @@ int spi_setup(struct spi_device *spi) +@@ -3051,6 +3052,14 @@ int spi_setup(struct spi_device *spi) (SPI_TX_DUAL | SPI_TX_QUAD | SPI_TX_OCTAL | SPI_RX_DUAL | SPI_RX_QUAD | SPI_RX_OCTAL))) return -EINVAL; diff --git a/target/linux/bcm27xx/patches-5.4/950-0697-SQUASH-spi-Demote-SPI_CS_HIGH-warning-to-KERN_DEBUG.patch b/target/linux/bcm27xx/patches-5.4/950-0697-SQUASH-spi-Demote-SPI_CS_HIGH-warning-to-KERN_DEBUG.patch index 2be5524a07..e7958af007 100644 --- a/target/linux/bcm27xx/patches-5.4/950-0697-SQUASH-spi-Demote-SPI_CS_HIGH-warning-to-KERN_DEBUG.patch +++ b/target/linux/bcm27xx/patches-5.4/950-0697-SQUASH-spi-Demote-SPI_CS_HIGH-warning-to-KERN_DEBUG.patch @@ -15,7 +15,7 @@ Signed-off-by: Phil Elwell --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c -@@ -3044,8 +3044,8 @@ int spi_setup(struct spi_device *spi) +@@ -3046,8 +3046,8 @@ int spi_setup(struct spi_device *spi) if (ctlr->use_gpio_descriptors && ctlr->cs_gpiods && ctlr->cs_gpiods[spi->chip_select] && !(spi->mode & SPI_CS_HIGH)) { diff --git a/target/linux/bcm63xx/patches-5.4/020-v5.8-mtd-rawnand-brcmnand-fix-hamming-oob-layout.patch b/target/linux/bcm63xx/patches-5.4/020-v5.8-mtd-rawnand-brcmnand-fix-hamming-oob-layout.patch deleted file mode 100644 index 7e8713ea1d..0000000000 --- a/target/linux/bcm63xx/patches-5.4/020-v5.8-mtd-rawnand-brcmnand-fix-hamming-oob-layout.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 130bbde4809b011faf64f99dddc14b4b01f440c3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?=C3=81lvaro=20Fern=C3=A1ndez=20Rojas?= -Date: Tue, 12 May 2020 09:57:32 +0200 -Subject: [PATCH] mtd: rawnand: brcmnand: fix hamming oob layout -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -First 2 bytes are used in large-page nand. - -Fixes: ef5eeea6e911 ("mtd: nand: brcm: switch to mtd_ooblayout_ops") -Cc: stable@vger.kernel.org -Signed-off-by: Álvaro Fernández Rojas -Signed-off-by: Miquel Raynal -Link: https://lore.kernel.org/linux-mtd/20200512075733.745374-2-noltari@gmail.com ---- - drivers/mtd/nand/raw/brcmnand/brcmnand.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - ---- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c -+++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c -@@ -1019,11 +1019,14 @@ static int brcmnand_hamming_ooblayout_fr - if (!section) { - /* - * Small-page NAND use byte 6 for BBI while large-page -- * NAND use byte 0. -+ * NAND use bytes 0 and 1. - */ -- if (cfg->page_size > 512) -- oobregion->offset++; -- oobregion->length--; -+ if (cfg->page_size > 512) { -+ oobregion->offset += 2; -+ oobregion->length -= 2; -+ } else { -+ oobregion->length--; -+ } - } - } - diff --git a/target/linux/generic/backport-5.4/825-v5.8-spi-rb4xx-null-pointer-bug-fix.patch b/target/linux/generic/backport-5.4/825-v5.8-spi-rb4xx-null-pointer-bug-fix.patch index 5d762c571c..71e26d50da 100644 --- a/target/linux/generic/backport-5.4/825-v5.8-spi-rb4xx-null-pointer-bug-fix.patch +++ b/target/linux/generic/backport-5.4/825-v5.8-spi-rb4xx-null-pointer-bug-fix.patch @@ -20,11 +20,9 @@ Signed-off-by: Christopher Hill drivers/spi/spi-rb4xx.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) -diff --git a/drivers/spi/spi-rb4xx.c b/drivers/spi/spi-rb4xx.c -index 4c9620e0d18c..17e1a77dc132 100644 --- a/drivers/spi/spi-rb4xx.c +++ b/drivers/spi/spi-rb4xx.c -@@ -158,6 +158,11 @@ static int rb4xx_spi_probe(struct platform_device *pdev) +@@ -158,6 +158,11 @@ static int rb4xx_spi_probe(struct platfo master->transfer_one = rb4xx_transfer_one; master->set_cs = rb4xx_set_cs; @@ -36,7 +34,7 @@ index 4c9620e0d18c..17e1a77dc132 100644 err = devm_spi_register_master(&pdev->dev, master); if (err) { dev_err(&pdev->dev, "failed to register SPI master\n"); -@@ -168,11 +173,6 @@ static int rb4xx_spi_probe(struct platform_device *pdev) +@@ -168,11 +173,6 @@ static int rb4xx_spi_probe(struct platfo if (err) return err; diff --git a/target/linux/generic/backport-5.4/826-v5.8-spi-rb4xx-update-driver-to-be-device-tree-aware.patch b/target/linux/generic/backport-5.4/826-v5.8-spi-rb4xx-update-driver-to-be-device-tree-aware.patch index 0340c934d8..0ce4f2bb35 100644 --- a/target/linux/generic/backport-5.4/826-v5.8-spi-rb4xx-update-driver-to-be-device-tree-aware.patch +++ b/target/linux/generic/backport-5.4/826-v5.8-spi-rb4xx-update-driver-to-be-device-tree-aware.patch @@ -21,8 +21,6 @@ Signed-off-by: Christopher Hill drivers/spi/spi-rb4xx.c | 9 +++++++++ 1 file changed, 9 insertions(+) -diff --git a/drivers/spi/spi-rb4xx.c b/drivers/spi/spi-rb4xx.c -index 17e1a77dc132..8aa51beb4ff3 100644 --- a/drivers/spi/spi-rb4xx.c +++ b/drivers/spi/spi-rb4xx.c @@ -14,6 +14,7 @@ @@ -33,7 +31,7 @@ index 17e1a77dc132..8aa51beb4ff3 100644 #include -@@ -150,6 +151,7 @@ static int rb4xx_spi_probe(struct platform_device *pdev) +@@ -150,6 +151,7 @@ static int rb4xx_spi_probe(struct platfo if (IS_ERR(ahb_clk)) return PTR_ERR(ahb_clk); @@ -41,7 +39,7 @@ index 17e1a77dc132..8aa51beb4ff3 100644 master->bus_num = 0; master->num_chipselect = 3; master->mode_bits = SPI_TX_DUAL; -@@ -188,11 +190,18 @@ static int rb4xx_spi_remove(struct platform_device *pdev) +@@ -188,11 +190,18 @@ static int rb4xx_spi_remove(struct platf return 0; } diff --git a/target/linux/generic/hack-5.4/221-module_exports.patch b/target/linux/generic/hack-5.4/221-module_exports.patch index ecddc0fbc1..00802bb401 100644 --- a/target/linux/generic/hack-5.4/221-module_exports.patch +++ b/target/linux/generic/hack-5.4/221-module_exports.patch @@ -56,7 +56,7 @@ Signed-off-by: Felix Fietkau } \ \ /* __*init sections */ \ -@@ -865,6 +875,8 @@ +@@ -881,6 +891,8 @@ EXIT_TEXT \ EXIT_DATA \ EXIT_CALL \ diff --git a/target/linux/generic/hack-5.4/902-debloat_proc.patch b/target/linux/generic/hack-5.4/902-debloat_proc.patch index d2acd40e19..2a1106e2a9 100644 --- a/target/linux/generic/hack-5.4/902-debloat_proc.patch +++ b/target/linux/generic/hack-5.4/902-debloat_proc.patch @@ -341,7 +341,7 @@ Signed-off-by: Felix Fietkau --- a/net/ipv4/fib_trie.c +++ b/net/ipv4/fib_trie.c -@@ -2844,11 +2844,13 @@ static const struct seq_operations fib_r +@@ -2847,11 +2847,13 @@ static const struct seq_operations fib_r int __net_init fib_proc_init(struct net *net) { @@ -357,7 +357,7 @@ Signed-off-by: Felix Fietkau fib_triestat_seq_show, NULL)) goto out2; -@@ -2859,17 +2861,21 @@ int __net_init fib_proc_init(struct net +@@ -2862,17 +2864,21 @@ int __net_init fib_proc_init(struct net return 0; out3: diff --git a/target/linux/generic/pending-5.4/120-Fix-alloc_node_mem_map-with-ARCH_PFN_OFFSET-calcu.patch b/target/linux/generic/pending-5.4/120-Fix-alloc_node_mem_map-with-ARCH_PFN_OFFSET-calcu.patch index e70b660604..c6c19600f3 100644 --- a/target/linux/generic/pending-5.4/120-Fix-alloc_node_mem_map-with-ARCH_PFN_OFFSET-calcu.patch +++ b/target/linux/generic/pending-5.4/120-Fix-alloc_node_mem_map-with-ARCH_PFN_OFFSET-calcu.patch @@ -71,7 +71,7 @@ Signed-off-by: Tobias Wolf --- a/mm/page_alloc.c +++ b/mm/page_alloc.c -@@ -6860,7 +6860,7 @@ static void __ref alloc_node_mem_map(str +@@ -6855,7 +6855,7 @@ static void __ref alloc_node_mem_map(str mem_map = NODE_DATA(0)->node_mem_map; #if defined(CONFIG_HAVE_MEMBLOCK_NODE_MAP) || defined(CONFIG_FLATMEM) if (page_to_pfn(mem_map) != pgdat->node_start_pfn) diff --git a/target/linux/generic/pending-5.4/201-extra_optimization.patch b/target/linux/generic/pending-5.4/201-extra_optimization.patch index 7c6df53ecc..961ba98fb7 100644 --- a/target/linux/generic/pending-5.4/201-extra_optimization.patch +++ b/target/linux/generic/pending-5.4/201-extra_optimization.patch @@ -14,7 +14,7 @@ Signed-off-by: Felix Fietkau --- a/Makefile +++ b/Makefile -@@ -701,11 +701,11 @@ KBUILD_CFLAGS += $(call cc-disable-warni +@@ -697,11 +697,11 @@ KBUILD_CFLAGS += $(call cc-disable-warni KBUILD_CFLAGS += $(call cc-disable-warning, address-of-packed-member) ifdef CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE diff --git a/target/linux/generic/pending-5.4/203-kallsyms_uncompressed.patch b/target/linux/generic/pending-5.4/203-kallsyms_uncompressed.patch index c977b377b7..c4c13b9695 100644 --- a/target/linux/generic/pending-5.4/203-kallsyms_uncompressed.patch +++ b/target/linux/generic/pending-5.4/203-kallsyms_uncompressed.patch @@ -106,7 +106,7 @@ Signed-off-by: Felix Fietkau } --- a/scripts/link-vmlinux.sh +++ b/scripts/link-vmlinux.sh -@@ -164,6 +164,10 @@ kallsyms() +@@ -160,6 +160,10 @@ kallsyms() kallsymopt="${kallsymopt} --base-relative" fi diff --git a/target/linux/generic/pending-5.4/670-ipv6-allow-rejecting-with-source-address-failed-policy.patch b/target/linux/generic/pending-5.4/670-ipv6-allow-rejecting-with-source-address-failed-policy.patch index 4029bb0433..766abc7489 100644 --- a/target/linux/generic/pending-5.4/670-ipv6-allow-rejecting-with-source-address-failed-policy.patch +++ b/target/linux/generic/pending-5.4/670-ipv6-allow-rejecting-with-source-address-failed-policy.patch @@ -66,7 +66,7 @@ Signed-off-by: Jonas Gorski static void rt_fibinfo_free(struct rtable __rcu **rtp) --- a/net/ipv4/fib_trie.c +++ b/net/ipv4/fib_trie.c -@@ -2592,6 +2592,7 @@ static const char *const rtn_type_names[ +@@ -2595,6 +2595,7 @@ static const char *const rtn_type_names[ [RTN_THROW] = "THROW", [RTN_NAT] = "NAT", [RTN_XRESOLVE] = "XRESOLVE", diff --git a/target/linux/ipq40xx/patches-5.4/400-mmc-sdhci-sdhci-msm-use-sdhci_set_clock-instead-of-s.patch b/target/linux/ipq40xx/patches-5.4/400-mmc-sdhci-sdhci-msm-use-sdhci_set_clock-instead-of-s.patch index 72ec2e9b0d..cf5c44e687 100644 --- a/target/linux/ipq40xx/patches-5.4/400-mmc-sdhci-sdhci-msm-use-sdhci_set_clock-instead-of-s.patch +++ b/target/linux/ipq40xx/patches-5.4/400-mmc-sdhci-sdhci-msm-use-sdhci_set_clock-instead-of-s.patch @@ -14,7 +14,7 @@ Signed-off-by: Robert Marko --- a/drivers/mmc/host/sdhci-msm.c +++ b/drivers/mmc/host/sdhci-msm.c -@@ -1724,7 +1724,7 @@ MODULE_DEVICE_TABLE(of, sdhci_msm_dt_mat +@@ -1730,7 +1730,7 @@ MODULE_DEVICE_TABLE(of, sdhci_msm_dt_mat static const struct sdhci_ops sdhci_msm_ops = { .reset = sdhci_reset, diff --git a/target/linux/lantiq/patches-5.4/0001-MIPS-lantiq-add-pcie-driver.patch b/target/linux/lantiq/patches-5.4/0001-MIPS-lantiq-add-pcie-driver.patch index bd02f0a9f4..cb482bc522 100644 --- a/target/linux/lantiq/patches-5.4/0001-MIPS-lantiq-add-pcie-driver.patch +++ b/target/linux/lantiq/patches-5.4/0001-MIPS-lantiq-add-pcie-driver.patch @@ -5491,7 +5491,7 @@ Signed-off-by: John Crispin unsigned long type); --- a/include/linux/pci_ids.h +++ b/include/linux/pci_ids.h -@@ -1072,6 +1072,12 @@ +@@ -1076,6 +1076,12 @@ #define PCI_DEVICE_ID_SGI_IOC3 0x0003 #define PCI_DEVICE_ID_SGI_LITHIUM 0x1002 diff --git a/target/linux/layerscape/patches-5.4/303-core-0005-nand-raw-workaround-for-EDO-high-speed-mode.patch b/target/linux/layerscape/patches-5.4/303-core-0005-nand-raw-workaround-for-EDO-high-speed-mode.patch index aa4b8d32af..b2a845683e 100644 --- a/target/linux/layerscape/patches-5.4/303-core-0005-nand-raw-workaround-for-EDO-high-speed-mode.patch +++ b/target/linux/layerscape/patches-5.4/303-core-0005-nand-raw-workaround-for-EDO-high-speed-mode.patch @@ -13,7 +13,7 @@ Signed-off-by: Han Xu --- a/drivers/mtd/nand/raw/nand_base.c +++ b/drivers/mtd/nand/raw/nand_base.c -@@ -934,7 +934,8 @@ static int nand_init_data_interface(stru +@@ -940,7 +940,8 @@ static int nand_init_data_interface(stru modes = GENMASK(chip->onfi_timing_mode_default, 0); } diff --git a/target/linux/layerscape/patches-5.4/701-net-0213-dpaa2-eth-Add-CEETM-qdisc-support.patch b/target/linux/layerscape/patches-5.4/701-net-0213-dpaa2-eth-Add-CEETM-qdisc-support.patch index 9246e44d7a..cc8cfb1c29 100644 --- a/target/linux/layerscape/patches-5.4/701-net-0213-dpaa2-eth-Add-CEETM-qdisc-support.patch +++ b/target/linux/layerscape/patches-5.4/701-net-0213-dpaa2-eth-Add-CEETM-qdisc-support.patch @@ -1535,7 +1535,7 @@ Signed-off-by: Camelia Groza int i; - if (type != TC_SETUP_QDISC_MQPRIO) -- return -EINVAL; +- return -EOPNOTSUPP; - mqprio->hw = TC_MQPRIO_HW_OFFLOAD_TCS; num_queues = dpaa2_eth_queue_count(priv); diff --git a/target/linux/octeontx/patches-5.4/0004-PCI-add-quirk-for-Gateworks-PLX-PEX860x-switch-with-.patch b/target/linux/octeontx/patches-5.4/0004-PCI-add-quirk-for-Gateworks-PLX-PEX860x-switch-with-.patch index 9784d88546..5308d3b286 100644 --- a/target/linux/octeontx/patches-5.4/0004-PCI-add-quirk-for-Gateworks-PLX-PEX860x-switch-with-.patch +++ b/target/linux/octeontx/patches-5.4/0004-PCI-add-quirk-for-Gateworks-PLX-PEX860x-switch-with-.patch @@ -22,7 +22,7 @@ Signed-off-by: Tim Harvey #include #include #include -@@ -5564,3 +5565,34 @@ static void apex_pci_fixup_class(struct +@@ -5604,3 +5605,34 @@ static void apex_pci_fixup_class(struct } DECLARE_PCI_FIXUP_CLASS_HEADER(0x1ac1, 0x089a, PCI_CLASS_NOT_DEFINED, 8, apex_pci_fixup_class); diff --git a/target/linux/ramips/patches-5.4/0013-owrt-hack-fix-mt7688-cache-issue.patch b/target/linux/ramips/patches-5.4/0013-owrt-hack-fix-mt7688-cache-issue.patch index 75c93c7e50..6b1cc15158 100644 --- a/target/linux/ramips/patches-5.4/0013-owrt-hack-fix-mt7688-cache-issue.patch +++ b/target/linux/ramips/patches-5.4/0013-owrt-hack-fix-mt7688-cache-issue.patch @@ -10,15 +10,16 @@ Signed-off-by: John Crispin --- a/arch/mips/kernel/setup.c +++ b/arch/mips/kernel/setup.c -@@ -652,7 +652,6 @@ static void __init arch_mem_init(char ** +@@ -652,8 +652,6 @@ static void __init arch_mem_init(char ** memblock_reserve(crashk_res.start, crashk_res.end - crashk_res.start + 1); #endif - device_tree_init(); - sparse_init(); - plat_swiotlb_setup(); - -@@ -760,6 +759,7 @@ void __init setup_arch(char **cmdline_p) +- + /* + * In order to reduce the possibility of kernel panic when failed to + * get IO TLB memory under CONFIG_SWIOTLB, it is better to allocate +@@ -770,6 +768,7 @@ void __init setup_arch(char **cmdline_p) cpu_cache_init(); paging_init(); diff --git a/target/linux/x86/patches-5.4/200-pcengines-apu2-reboot.patch b/target/linux/x86/patches-5.4/200-pcengines-apu2-reboot.patch index 1426140183..bc57806c74 100644 --- a/target/linux/x86/patches-5.4/200-pcengines-apu2-reboot.patch +++ b/target/linux/x86/patches-5.4/200-pcengines-apu2-reboot.patch @@ -1,6 +1,6 @@ --- a/arch/x86/kernel/reboot.c +++ b/arch/x86/kernel/reboot.c -@@ -469,6 +469,16 @@ static const struct dmi_system_id reboot +@@ -477,6 +477,16 @@ static const struct dmi_system_id reboot }, }, From 3f27a6e6402ba52032def578f0944287154a490d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Gonz=C3=A1lez=20Cabanelas?= Date: Sat, 20 Jun 2020 17:44:42 +0200 Subject: [PATCH 11/11] bcm63xx: AV4202N: add missing PCI pinmux MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The ADB P.DG AV4202N device has a wifi chipset connected via PCI. But the PCI pinmux is missing and without it the wifi won't work properly. Add the pinctrl_pci to enable the missing PCI pins for this device. Signed-off-by: Daniel González Cabanelas --- target/linux/bcm63xx/dts/bcm6368-adb-av4202n.dts | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/target/linux/bcm63xx/dts/bcm6368-adb-av4202n.dts b/target/linux/bcm63xx/dts/bcm6368-adb-av4202n.dts index 95f98c187d..8e06985fdd 100644 --- a/target/linux/bcm63xx/dts/bcm6368-adb-av4202n.dts +++ b/target/linux/bcm63xx/dts/bcm6368-adb-av4202n.dts @@ -104,6 +104,11 @@ }; }; +&pinctrl { + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_pci>; +}; + &uart0 { status = "okay"; };