include $(TOPDIR)/rules.mk
PKG_NAME:=dropbear
-PKG_VERSION:=0.45
-PKG_RELEASE:=4
-PKG_MD5SUM:=2bcc46e4c239aec982bf36a723dd0b0e
+PKG_VERSION:=0.47
+PKG_RELEASE:=1
+PKG_MD5SUM:=cf634614d52278d44dfd9c224a438bf2
PKG_SOURCE_URL:=http://matt.ucc.asn.au/dropbear/releases/
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
--- /dev/null
+diff -urN dropbear.old/svr-authpubkey.c dropbear.dev/svr-authpubkey.c
+--- dropbear.old/svr-authpubkey.c 2005-12-09 06:42:33.000000000 +0100
++++ dropbear.dev/svr-authpubkey.c 2005-12-12 01:35:32.139358750 +0100
+@@ -155,7 +155,6 @@
+ unsigned char* keyblob, unsigned int keybloblen) {
+
+ FILE * authfile = NULL;
+- char * filename = NULL;
+ int ret = DROPBEAR_FAILURE;
+ buffer * line = NULL;
+ unsigned int len, pos;
+@@ -176,17 +175,8 @@
+ goto out;
+ }
+
+- /* we don't need to check pw and pw_dir for validity, since
+- * its been done in checkpubkeyperms. */
+- len = strlen(ses.authstate.pw->pw_dir);
+- /* allocate max required pathname storage,
+- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+- filename = m_malloc(len + 22);
+- snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
+- ses.authstate.pw->pw_dir);
+-
+ /* open the file */
+- authfile = fopen(filename, "r");
++ authfile = fopen("/etc/dropbear/authorized_keys", "r");
+ if (authfile == NULL) {
+ goto out;
+ }
+@@ -247,7 +237,6 @@
+ if (line) {
+ buf_free(line);
+ }
+- m_free(filename);
+ TRACE(("leave checkpubkey: ret=%d", ret))
+ return ret;
+ }
+@@ -255,12 +244,11 @@
+
+ /* Returns DROPBEAR_SUCCESS if file permissions for pubkeys are ok,
+ * DROPBEAR_FAILURE otherwise.
+- * Checks that the user's homedir, ~/.ssh, and
+- * ~/.ssh/authorized_keys are all owned by either root or the user, and are
++ * Checks that /etc/dropbear and /etc/dropbear/authorized_keys
++ * are all owned by either root or the user, and are
+ * g-w, o-w */
+ static int checkpubkeyperms() {
+
+- char* filename = NULL;
+ int ret = DROPBEAR_FAILURE;
+ unsigned int len;
+
+@@ -274,25 +262,11 @@
+ goto out;
+ }
+
+- /* allocate max required pathname storage,
+- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+- filename = m_malloc(len + 22);
+- strncpy(filename, ses.authstate.pw->pw_dir, len+1);
+-
+- /* check ~ */
+- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+- goto out;
+- }
+-
+- /* check ~/.ssh */
+- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
+- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
+ goto out;
+ }
+
+- /* now check ~/.ssh/authorized_keys */
+- strncat(filename, "/authorized_keys", 16);
+- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++ if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) {
+ goto out;
+ }
+
+@@ -300,7 +274,6 @@
+ ret = DROPBEAR_SUCCESS;
+
+ out:
+- m_free(filename);
+
+ TRACE(("leave checkpubkeyperms"))
+ return ret;
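Review bot: The `fopen("/etc/dropbear/authorized_keys", "r")` that replaces the per-user path in checkpubkey no longer depends on `ses.authstate.pw`, so every key in that one file is accepted for whichever account name the client requests, as long as the ownership test in checkpubkeyperms passes. That is reasonable on a root-only image, but it should be recorded next to the call, for example `/* single system-wide key file: every key listed here can log in to every account */`. In checkpubkeyperms the surviving `len` declaration and the `goto out` context ahead of the new checkfileperm calls suggest the pw_dir NULL/empty test is still in place, so an account without a home directory would presumably still be refused even though pw_dir is no longer read. The earlier version of this patch removed that test. Both function bodies extend beyond the hunks shown.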
--- /dev/null
+diff -urN dropbear.old/svr-chansession.c dropbear.dev/svr-chansession.c
+--- dropbear.old/svr-chansession.c 2005-12-09 06:42:33.000000000 +0100
++++ dropbear.dev/svr-chansession.c 2005-12-12 01:42:38.982034750 +0100
+@@ -860,12 +860,12 @@
+ /* We can only change uid/gid as root ... */
+ if (getuid() == 0) {
+
+- if ((setgid(ses.authstate.pw->pw_gid) < 0) ||
++ if ((ses.authstate.pw->pw_gid != 0) && ((setgid(ses.authstate.pw->pw_gid) < 0) ||
+ (initgroups(ses.authstate.pw->pw_name,
+- ses.authstate.pw->pw_gid) < 0)) {
++ ses.authstate.pw->pw_gid) < 0))) {
+ dropbear_exit("error changing user group");
+ }
+- if (setuid(ses.authstate.pw->pw_uid) < 0) {
++ if ((ses.authstate.pw->pw_uid != 0) && (setuid(ses.authstate.pw->pw_uid) < 0)) {
+ dropbear_exit("error changing user");
+ }
+ } else {
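Review bot: The group-drop guard in the first changed `if` tests `pw_gid != 0`, so an account with a non-zero uid whose primary group is 0 skips both setgid() and initgroups() and would keep the server process's supplementary groups after the later setuid(). The removed version of this patch keyed the drop on `pw_uid != 0`. Keeping that condition for the group step, `if ((ses.authstate.pw->pw_uid != 0) && ((setgid(ses.authstate.pw->pw_gid) < 0) ||`, confines the shortcut to root logins. The enclosing function starts and ends outside the hunk.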
--- /dev/null
+diff -urN dropbear-0.45.old/cli-kex.c dropbear-0.45/cli-kex.c
+--- dropbear-0.45.old/cli-kex.c 2005-03-07 05:27:01.000000000 +0100
++++ dropbear-0.45/cli-kex.c 2005-03-25 11:13:57.000000000 +0100
+@@ -119,7 +119,7 @@
+ char response = 'z';
+
+ fp = sign_key_fingerprint(keyblob, keybloblen);
+- fprintf(stderr, "\nHost '%s' is not in the trusted hosts file.\n(fingerprint %s)\nDo you want to continue connecting? (y/n)\n",
++ fprintf(stderr, "\nHost '%s' is not in the trusted hosts file.\n(fingerprint %s)\nDo you want to continue connecting? (y/n) ",
+ cli_opts.remotehost,
+ fp);
+
--- /dev/null
+diff -urN dropbear-0.45.old/scp.c dropbear-0.45/scp.c
+--- dropbear-0.45.old/scp.c 2005-03-07 05:27:02.000000000 +0100
++++ dropbear-0.45/scp.c 2005-03-25 11:28:22.000000000 +0100
+@@ -249,9 +249,9 @@
+
+ args.list = NULL;
+ addargs(&args, "ssh"); /* overwritten with ssh_program */
+- addargs(&args, "-x");
+- addargs(&args, "-oForwardAgent no");
+- addargs(&args, "-oClearAllForwardings yes");
++// addargs(&args, "-x");
++// addargs(&args, "-oForwardAgent no");
++// addargs(&args, "-oClearAllForwardings yes");
+
+ fflag = tflag = 0;
+ while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246S:o:F:")) != -1)
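Review bot: The three `addargs` calls are disabled with `//` and no explanation, so the ssh child that scp spawns no longer receives `-x`, `-oForwardAgent no` or `-oClearAllForwardings yes`, and its forwarding behaviour depends entirely on the client's defaults. Presumably the Dropbear client does not accept these OpenSSH options. If so, delete the lines rather than commenting them out and record the reason, e.g. `/* dbclient does not accept -x / -o options; forwarding must stay off by default in the client */`. The visible context line uses a `/* */` comment, so the `//` form also breaks the surrounding style. The enclosing function continues outside the hunk.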
--- /dev/null
+diff -urN dropbear-0.45.old/options.h dropbear-0.45/options.h
+--- dropbear-0.45.old/options.h 2005-03-14 17:12:22.000000000 +0100
++++ dropbear-0.45/options.h 2005-03-14 17:13:49.000000000 +0100
+@@ -143,7 +143,7 @@
+ * however significantly reduce the security of your ssh connections
+ * if the PRNG state becomes guessable - make sure you know what you are
+ * doing if you change this. */
+-#define DROPBEAR_RANDOM_DEV "/dev/random"
++#define DROPBEAR_RANDOM_DEV "/dev/urandom"
+
+ /* prngd must be manually set up to produce output */
+ /*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
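Review bot: The switch to `/dev/urandom` sits directly under a comment that warns against changing this setting, and the patch gives no reason for it. On a freshly booted device the kernel pool may not yet be seeded when this device is read, which matters most if host keys are generated on first boot (whether key generation also reads DROPBEAR_RANDOM_DEV is not visible here). Add a comment above the define such as `/* this build: /dev/random blocks on low-entropy hardware; generate host keys only after the pool is seeded */` so the trade-off is recorded where the next maintainer will see it.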
+++ /dev/null
---- dropbear-0.45.old/svr-authpubkey.c 2005-09-27 12:45:20.863639072 +0200
-+++ dropbear-0.45/svr-authpubkey.c 2005-09-27 13:15:09.066790872 +0200
-@@ -176,14 +176,10 @@
- goto out;
- }
-
-- /* we don't need to check pw and pw_dir for validity, since
-- * its been done in checkpubkeyperms. */
-- len = strlen(ses.authstate.pw->pw_dir);
- /* allocate max required pathname storage,
-- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-- filename = m_malloc(len + 22);
-- snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
-- ses.authstate.pw->pw_dir);
-+ * = "/etc/dropbear/authorized_keys" + '\0' = 30 */
-+ filename = m_malloc(30);
-+ strncpy(filename, "/etc/dropbear/authorized_keys", 30);
-
- /* open the file */
- authfile = fopen(filename, "r");
-@@ -255,43 +251,33 @@
-
- /* Returns DROPBEAR_SUCCESS if file permissions for pubkeys are ok,
- * DROPBEAR_FAILURE otherwise.
-- * Checks that the user's homedir, ~/.ssh, and
-- * ~/.ssh/authorized_keys are all owned by either root or the user, and are
-+ * Checks that /etc, /etc/dropbear and /etc/dropbear/authorized_keys
-+ * are all owned by either root or the user, and are
- * g-w, o-w */
- static int checkpubkeyperms() {
-
- char* filename = NULL;
- int ret = DROPBEAR_FAILURE;
-- unsigned int len;
-
- TRACE(("enter checkpubkeyperms"))
-
-- assert(ses.authstate.pw);
-- if (ses.authstate.pw->pw_dir == NULL) {
-- goto out;
-- }
--
-- if ((len = strlen(ses.authstate.pw->pw_dir)) == 0) {
-- goto out;
-- }
--
- /* allocate max required pathname storage,
-- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-- filename = m_malloc(len + 22);
-- strncpy(filename, ses.authstate.pw->pw_dir, len+1);
-+ * = "/etc/dropbear/authorized_keys" + '\0' = 30 */
-+ filename = m_malloc(30);
-+ strncpy(filename, "/etc", 4); /* strlen("/etc") == 4 */
-
-- /* check ~ */
-+ /* check /etc */
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;
- }
-
-- /* check ~/.ssh */
-- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
-+ /* check /etc/dropbear */
-+ strncat(filename, "/dropbear", 9); /* strlen("/dropbear") == 9 */
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;
- }
-
-- /* now check ~/.ssh/authorized_keys */
-+ /* now check /etc/dropbear/authorized_keys */
- strncat(filename, "/authorized_keys", 16);
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;
+++ /dev/null
---- dropbear-0.44.old/svr-chansession.c 2005-02-03 02:29:44.000000000 +0100
-+++ dropbear-0.44/svr-chansession.c 2005-02-03 02:31:05.000000000 +0100
-@@ -860,10 +860,10 @@
- /* We can only change uid/gid as root ... */
- if (getuid() == 0) {
-
-- if ((setgid(ses.authstate.pw->pw_gid) < 0) ||
-+ if ((ses.authstate.pw->pw_uid != 0) && ((setgid(ses.authstate.pw->pw_gid) < 0) ||
- (initgroups(ses.authstate.pw->pw_name,
- ses.authstate.pw->pw_gid) < 0) ||
-- (setuid(ses.authstate.pw->pw_uid) < 0)) {
-+ (setuid(ses.authstate.pw->pw_uid) < 0))) {
- dropbear_exit("error changing user");
- }
- } else {
+++ /dev/null
-diff -urN dropbear-0.45.old/cli-kex.c dropbear-0.45/cli-kex.c
---- dropbear-0.45.old/cli-kex.c 2005-03-07 05:27:01.000000000 +0100
-+++ dropbear-0.45/cli-kex.c 2005-03-25 11:13:57.000000000 +0100
-@@ -119,7 +119,7 @@
- char response = 'z';
-
- fp = sign_key_fingerprint(keyblob, keybloblen);
-- fprintf(stderr, "\nHost '%s' is not in the trusted hosts file.\n(fingerprint %s)\nDo you want to continue connecting? (y/n)\n",
-+ fprintf(stderr, "\nHost '%s' is not in the trusted hosts file.\n(fingerprint %s)\nDo you want to continue connecting? (y/n) ",
- cli_opts.remotehost,
- fp);
-
+++ /dev/null
-diff -urN dropbear-0.45.old/scp.c dropbear-0.45/scp.c
---- dropbear-0.45.old/scp.c 2005-03-07 05:27:02.000000000 +0100
-+++ dropbear-0.45/scp.c 2005-03-25 11:28:22.000000000 +0100
-@@ -249,9 +249,9 @@
-
- args.list = NULL;
- addargs(&args, "ssh"); /* overwritten with ssh_program */
-- addargs(&args, "-x");
-- addargs(&args, "-oForwardAgent no");
-- addargs(&args, "-oClearAllForwardings yes");
-+// addargs(&args, "-x");
-+// addargs(&args, "-oForwardAgent no");
-+// addargs(&args, "-oClearAllForwardings yes");
-
- fflag = tflag = 0;
- while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q1246S:o:F:")) != -1)
+++ /dev/null
-diff -urN dropbear-0.45.old/options.h dropbear-0.45/options.h
---- dropbear-0.45.old/options.h 2005-03-14 17:12:22.000000000 +0100
-+++ dropbear-0.45/options.h 2005-03-14 17:13:49.000000000 +0100
-@@ -143,7 +143,7 @@
- * however significantly reduce the security of your ssh connections
- * if the PRNG state becomes guessable - make sure you know what you are
- * doing if you change this. */
--#define DROPBEAR_RANDOM_DEV "/dev/random"
-+#define DROPBEAR_RANDOM_DEV "/dev/urandom"
-
- /* prngd must be manually set up to produce output */
- /*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/