annotate release.sh @ 1855:35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
* Implement server-side support for sk-ecdsa U2F-backed keys
* Fix out-of-bounds read on normal ecdsa-sha2-[identifier] keys
* Fix one more potential out-of-bounds read
* Check if nistp256 curve is used in sk-ecdsa-sha2- key
It's the only allowed curve per PROTOCOL.u2f specification
* Implement server-side support for sk-ed25519 FIDO2-backed keys
* Keys with type sk-* make no sense as host keys, so they should be
disabled
* fix typo
* Make sk-ecdsa call buf_ecdsa_verify
This reduces code duplication, the SK code just handles the
different message format.
* Reduce sk specific code
The application id can be stored in signkey, then we don't need
to call sk-specific functions from svr-authpubkey
* Remove debugging output, which causes compilation errors with DEBUG_TRACE disabled
* Proper cleanup of sk_app
Co-authored-by: Matt Johnston <[email protected]>
author | egor-duda <egor-duda@users.noreply.github.com> |
---|---|
date | Sat, 22 Jan 2022 16:53:04 +0300 |
parents | 209711833f15 |
children | 6110afb6f581 |
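#!/bin/sh
#
# release.sh - build the dropbear release tarball from the current Mercurial
# checkout.
#
# Reads DROPBEAR_VERSION from sysoptions.h, checks that the first line of
# CHANGES and of debian/changelog names that version, exports the tree with
# "hg archive" into ../dropbear-$VERSION and packs it as
# ../dropbear-$VERSION.tar.bz2 using reproducible-archive tar options.
# Finally prints the archive's SHA-256 and the gpg command used to produce
# the detached signature that is published next to the tarball.
#
# Requires: cpp, hg, GNU tar (as "tar" or "gtar"), openssl.
# Exit status: 1 on a failed precondition, 2 if hg archive or tar fails.

set -e

# Let cpp expand the DROPBEAR_VERSION macro and evaluate the resulting
# "echo <version>" line. printf is used rather than echo because echo's
# treatment of "\n" differs between /bin/sh implementations.
VERSION=$(printf '#include "sysoptions.h"\necho DROPBEAR_VERSION\n' | cpp - | sh)
# Plain sh has no pipefail, so a failing cpp would otherwise yield an empty
# VERSION that matches every changelog line and produces "dropbear-".
if test -z "$VERSION"; then
	echo "could not determine DROPBEAR_VERSION from sysoptions.h" >&2
	exit 1
fi
echo Releasing version "$VERSION" ...

# Match the version as a fixed string: the "." in a version number would
# otherwise act as a regex wildcard and let a wrong version slip through.
if ! head -n1 CHANGES | grep -qF -- "$VERSION"; then
	echo "CHANGES needs updating" >&2
	exit 1
fi

if ! head -n1 debian/changelog | grep -qF -- "$VERSION"; then
	echo "debian/changelog needs updating" >&2
	exit 1
fi

head -n1 CHANGES

# The --sort/--owner/--group/--numeric-owner/--mtime options used below are
# GNU tar options; fall back to "gtar", the name GNU tar typically has on
# systems whose default tar is BSD tar.
if tar --version | grep -q 'GNU tar'; then
	TAR=tar
else
	TAR=gtar
fi

RELDIR=$PWD/../dropbear-$VERSION
ARCHIVE=${RELDIR}.tar.bz2
# Never overwrite an earlier export or tarball; the operator must remove it.
if test -e "$RELDIR"; then
	echo "$RELDIR exists" >&2
	exit 1
fi

if test -e "$ARCHIVE"; then
	echo "$ARCHIVE exists" >&2
	exit 1
fi

hg archive "$RELDIR" || exit 2

# Drop Mercurial bookkeeping files that do not belong in the release.
rm "$RELDIR/.hgtags"
# .hg_archival.txt seems to differ between hg versions, isn't good for reproducibility
rm "$RELDIR/.hg_archival.txt"

# The first CHANGES line is expected to look like "<version> - <date>";
# the date (field 2 when split on "-") becomes the archive's fixed mtime.
RELDATE=$(head -n1 CHANGES | cut -d - -f 2)
# timezone keeps it consistent, choose a plausible release time
RELTIME="22:30:00 +0800"

# from https://reproducible-builds.org/docs/archives/
TAROPTS="--sort=name --owner=0 --group=0 --numeric-owner"
# TAROPTS is deliberately left unquoted so it splits into separate tar
# arguments (POSIX sh has no arrays). Pack from the parent directory so the
# archive contains a single top-level dropbear-$VERSION directory.
# shellcheck disable=SC2086
(cd "$RELDIR/.." && "$TAR" cjf "$ARCHIVE" $TAROPTS --mtime="$RELDATE $RELTIME" "$(basename "$RELDIR")") || exit 2

# Show size and digest so the tarball can be checked against an independent
# rebuild and the digest published alongside the detached signature.
ls -l "$ARCHIVE"
openssl sha256 "$ARCHIVE"
echo Done to
echo "$ARCHIVE"
echo Sign it with
echo gpg2 --detach-sign -a -u F29C6773 "$ARCHIVE"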