FelipeMdeO opened a new pull request, #3636:
URL: https://github.com/apache/nuttx-apps/pull/3636

   ## Summary
   
   This PR replaces Dropbear's bundled libtomcrypt chacha20-poly1305 
implementation with an adapter that drives the NuttX crypto device 
(`/dev/crypto`), so the `[email protected]` cipher runs on the 
kernel crypto framework (which may be hardware accelerated) and the bundled 
implementation is dropped from the build.
   
   The NuttX crypto backend is a hard requirement of the port:
   `NETUTILS_DROPBEAR` now selects `CRYPTO_CRYPTODEV`,
   `CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO` and `CRYPTO_SW_AES` (and depends on
   `ALLOW_BSD_COMPONENTS`, since the kernel crypto framework is BSD licensed).
   The bundled `src/chachapoly.c` is unconditionally removed from the build and
   a small patch (`0005`) switches the cipher state to plain key storage. The
   kernel crypto backend also exports `ecc_make_key`, which collides with
   libtomcrypt's unused plain wrapper at link time; the wrapper is renamed via
   a compile definition.
   
   Uses `CRYPTO_CHACHA20_DJB` introduced by apache/nuttx#19403 (already merged).
   
   ## Impact
   
   - **Users**: enabling `NETUTILS_DROPBEAR` now requires the kernel crypto
     device (selected automatically); the cipher implementation moves to the
     kernel, reducing application code size. On-wire behavior is unchanged.
   - **Build**: Kconfig selects for the crypto backend, Make/CMake source list
     adjustments and a new source patch; no changes to other Dropbear
     functionality.
   
   ## Testing
   
   Host: Ubuntu 24.04 (aarch64), GCC 13.3.0
   Target: NuttX simulator, `sim:dropbear` configuration (apache/nuttx#19405),
   built against current nuttx and nuttx-apps masters (which already include
   apache/nuttx#19403 and apache/nuttx-apps#3631).
   
   ```console
   $ ./nuttx
   dropbear [6:100]
   NuttShell (NSH) NuttX-12.6.0-RC1
   nsh> [6] Jun 01 00:00:00 using NuttX passwd auth at /tmp/passwd
   dropbear: listening on port 2222
   nsh> useradd admin nuttx2026
   nsh> [6] Jun 01 00:00:15 connection from 172.17.0.2:58064
   [6] Jun 01 00:00:15 Password auth succeeded for 'admin' from 172.17.0.2:58064
   [6] Jun 01 00:00:15 NSH exec started: uname -a; ps
   [6] Jun 01 00:00:15 NSH session wait failed: Unknown error 10
   [6] Jun 01 00:00:15 Exit (admin) from <172.17.0.2:58064>: Disconnect received
   ```
   
   (The `session wait failed` line is pre-existing port behavior on this sim
   configuration — `waitpid()` returns ECHILD without `SCHED_CHILD_STATUS` —
   and is unrelated to this change; the remote command output is delivered
   normally.)
   
   Host side, with a real OpenSSH client forcing the cipher:
   
   ```console
   $ ssh -v -p 2222 -c [email protected] [email protected] 'uname -a; 
ps'
   ...
   debug1: kex: server->client cipher: [email protected] MAC: 
<implicit> compression: none
   debug1: kex: client->server cipher: [email protected] MAC: 
<implicit> compression: none
   ...
   NuttX  12.6.0-RC1 f388c2c086 Jul 12 2026 20:38:22 sim sim
     TID   PID  PPID PRI POLICY   TYPE    NPX STATE    EVENT     SIGMASK        
    STACK COMMAND
       0     0     0   0 FIFO     Kthread   - Ready              
0000000000000000 0069584 Idle_Task
       ...
       6     6     5 100 FIFO     Task      - Ready              
0000000000000000 0130984 dropbear
       7     7     6 100 FIFO     Task      - Running            
0000000000000000 0073616 dropbear_exec -c uname
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to