FelipeMdeO opened a new pull request, #3640:
URL: https://github.com/apache/nuttx-apps/pull/3640

   ## Summary
   
   Replace Dropbear's bundled libtomcrypt HMAC modules with an adapter that
   computes the `hmac-sha2-256` packet MAC through the NuttX crypto device
   (`/dev/crypto`) using `CRYPTO_SHA2_256_HMAC` sessions: `hmac_init` opens the
   session with the MAC key, `hmac_process` feeds data with `COP_FLAG_UPDATE`
   and `hmac_done` reads the tag and frees the session.
   
   This PR is: https://github.com/espressif/esp-hal-3rdparty/pull/13
   
   The upstream Dropbear `hmac_state` is reused as-is, so no source patch is
   needed: the existing `hash` field keeps the hash index and the `/dev/crypto`
   session id is stored in the otherwise unused `md` buffer. The bundled
   `hmac_init.c`/`hmac_process.c`/`hmac_done.c` are dropped from the build and
   `NETUTILS_DROPBEAR` depends on `CRYPTO_CRYPTODEV` and
   `CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO`.
   
   Only the HMAC is offloaded, not the plain SHA-256 hash: Dropbear's key
   derivation (`hashkeys()` in `common-kex.c`) `memcpy`-clones a
   partially-updated `hash_state`, which a kernel crypto session cannot
   represent, so the SHA-256 descriptor stays on libtomcrypt.
   
   Depends on #3636 (chacha20-poly1305 offload); this PR shares the Dropbear
   Kconfig/Makefile/CMakeLists and will be rebased on top once that merges.
   Opened as a draft to register the work.
   
   ## Impact
   
   - **Users**: none unless `NETUTILS_DROPBEAR` is enabled; 
   
   ## Testing
   
   `sim:dropbear` on the NuttX simulator. Dropbear is started by NSH, a user is
   created, and a host OpenSSH client connects forcing `hmac-sha2-256` as the
   MAC (with `aes128-ctr`, so the HMAC runs on every packet):
   
   
   console Board side:
   
   ```
   $ ./nuttx
   dropbear: listening on port 2222
   nsh> useradd admin nuttx2026
   nsh> [6] Jun 01 00:00:15 connection from 172.17.0.2:53752
   [6] Jun 01 00:00:15 Password auth succeeded for 'admin' from 172.17.0.2:53752
   [6] Jun 01 00:00:15 NSH exec started: uname -a; ps
   
   ```
   console PC side:
   
   ```
   $ ssh -p 2222 -c aes128-ctr -m hmac-sha2-256 [email protected] 'uname -a'
   debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 
compression: none
   debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 
compression: none
   NuttX  12.6.0-RC1 sim sim
   
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to