FelipeMdeO opened a new pull request, #3636: URL: https://github.com/apache/nuttx-apps/pull/3636
## Summary This PR replaces Dropbear's bundled libtomcrypt chacha20-poly1305 implementation with an adapter that drives the NuttX crypto device (`/dev/crypto`), so the `[email protected]` cipher runs on the kernel crypto framework (which may be hardware accelerated) and the bundled implementation is dropped from the build. The NuttX crypto backend is a hard requirement of the port: `NETUTILS_DROPBEAR` now selects `CRYPTO_CRYPTODEV`, `CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO` and `CRYPTO_SW_AES` (and depends on `ALLOW_BSD_COMPONENTS`, since the kernel crypto framework is BSD licensed). The bundled `src/chachapoly.c` is unconditionally removed from the build and a small patch (`0005`) switches the cipher state to plain key storage. The kernel crypto backend also exports `ecc_make_key`, which collides with libtomcrypt's unused plain wrapper at link time; the wrapper is renamed via a compile definition. Uses `CRYPTO_CHACHA20_DJB` introduced by apache/nuttx#19403 (already merged). ## Impact - **Users**: enabling `NETUTILS_DROPBEAR` now requires the kernel crypto device (selected automatically); the cipher implementation moves to the kernel, reducing application code size. On-wire behavior is unchanged. - **Build**: Kconfig selects for the crypto backend, Make/CMake source list adjustments and a new source patch; no changes to other Dropbear functionality. ## Testing Host: Ubuntu 24.04 (aarch64), GCC 13.3.0 Target: NuttX simulator, `sim:dropbear` configuration (apache/nuttx#19405), built against current nuttx and nuttx-apps masters (which already include apache/nuttx#19403 and apache/nuttx-apps#3631). ```console $ ./nuttx dropbear [6:100] NuttShell (NSH) NuttX-12.6.0-RC1 nsh> [6] Jun 01 00:00:00 using NuttX passwd auth at /tmp/passwd dropbear: listening on port 2222 nsh> useradd admin nuttx2026 nsh> [6] Jun 01 00:00:15 connection from 172.17.0.2:58064 [6] Jun 01 00:00:15 Password auth succeeded for 'admin' from 172.17.0.2:58064 [6] Jun 01 00:00:15 NSH exec started: uname -a; ps [6] Jun 01 00:00:15 NSH session wait failed: Unknown error 10 [6] Jun 01 00:00:15 Exit (admin) from <172.17.0.2:58064>: Disconnect received ``` (The `session wait failed` line is pre-existing port behavior on this sim configuration — `waitpid()` returns ECHILD without `SCHED_CHILD_STATUS` — and is unrelated to this change; the remote command output is delivered normally.) Host side, with a real OpenSSH client forcing the cipher: ```console $ ssh -v -p 2222 -c [email protected] [email protected] 'uname -a; ps' ... debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none ... NuttX 12.6.0-RC1 f388c2c086 Jul 12 2026 20:38:22 sim sim TID PID PPID PRI POLICY TYPE NPX STATE EVENT SIGMASK STACK COMMAND 0 0 0 0 FIFO Kthread - Ready 0000000000000000 0069584 Idle_Task ... 6 6 5 100 FIFO Task - Ready 0000000000000000 0130984 dropbear 7 7 6 100 FIFO Task - Running 0000000000000000 0073616 dropbear_exec -c uname ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
