FelipeMdeO opened a new pull request, #3640: URL: https://github.com/apache/nuttx-apps/pull/3640
## Summary Replace Dropbear's bundled libtomcrypt HMAC modules with an adapter that computes the `hmac-sha2-256` packet MAC through the NuttX crypto device (`/dev/crypto`) using `CRYPTO_SHA2_256_HMAC` sessions: `hmac_init` opens the session with the MAC key, `hmac_process` feeds data with `COP_FLAG_UPDATE` and `hmac_done` reads the tag and frees the session. This PR is: https://github.com/espressif/esp-hal-3rdparty/pull/13 The upstream Dropbear `hmac_state` is reused as-is, so no source patch is needed: the existing `hash` field keeps the hash index and the `/dev/crypto` session id is stored in the otherwise unused `md` buffer. The bundled `hmac_init.c`/`hmac_process.c`/`hmac_done.c` are dropped from the build and `NETUTILS_DROPBEAR` depends on `CRYPTO_CRYPTODEV` and `CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO`. Only the HMAC is offloaded, not the plain SHA-256 hash: Dropbear's key derivation (`hashkeys()` in `common-kex.c`) `memcpy`-clones a partially-updated `hash_state`, which a kernel crypto session cannot represent, so the SHA-256 descriptor stays on libtomcrypt. Depends on #3636 (chacha20-poly1305 offload); this PR shares the Dropbear Kconfig/Makefile/CMakeLists and will be rebased on top once that merges. Opened as a draft to register the work. ## Impact - **Users**: none unless `NETUTILS_DROPBEAR` is enabled; ## Testing `sim:dropbear` on the NuttX simulator. Dropbear is started by NSH, a user is created, and a host OpenSSH client connects forcing `hmac-sha2-256` as the MAC (with `aes128-ctr`, so the HMAC runs on every packet): console Board side: ``` $ ./nuttx dropbear: listening on port 2222 nsh> useradd admin nuttx2026 nsh> [6] Jun 01 00:00:15 connection from 172.17.0.2:53752 [6] Jun 01 00:00:15 Password auth succeeded for 'admin' from 172.17.0.2:53752 [6] Jun 01 00:00:15 NSH exec started: uname -a; ps ``` console PC side: ``` $ ssh -p 2222 -c aes128-ctr -m hmac-sha2-256 [email protected] 'uname -a' debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none NuttX 12.6.0-RC1 sim sim ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
