dropbear: bump to 2022.83
authorKonstantin Demin <rockdrilla@gmail.com>
Tue, 9 Jan 2024 00:40:01 +0000 (03:40 +0300)
committerRui Salvaterra <rsalvaterra@gmail.com>
Fri, 9 Feb 2024 09:13:05 +0000 (09:13 +0000)
- update dropbear to latest stable 2022.83;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- drop patches:
  - 001-fix-MAX_UNAUTH_CLIENTS-regression.patch
- rework patches:
  - 901-bundled-libs-cflags.patch
- refresh remaining patches

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
package/network/services/dropbear/Makefile
package/network/services/dropbear/patches/001-fix-MAX_UNAUTH_CLIENTS-regression.patch [deleted file]
package/network/services/dropbear/patches/100-pubkey_path.patch
package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
package/network/services/dropbear/patches/900-configure-hardening.patch
package/network/services/dropbear/patches/901-bundled-libs-cflags.patch

index e98e995ba7b9a3f310e216eb2305a99d2c7cff07..5339bbd1087eb518265f43fd6378e69aedbd7c37 100644 (file)
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2022.82
-PKG_RELEASE:=5
+PKG_VERSION:=2022.83
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
        https://matt.ucc.asn.au/dropbear/releases/ \
        https://dropbear.nl/mirror/releases/
-PKG_HASH:=3a038d2bbc02bf28bbdd20c012091f741a3ec5cbe460691811d714876aad75d1
+PKG_HASH:=bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
@@ -114,6 +114,7 @@ DB_OPT_COMMON = \
        DEFAULT_PATH|"$(TARGET_INIT_PATH)" \
        !!LOCAL_IDENT|"SSH-2.0-dropbear" \
        DROPBEAR_CLI_NETCAT|0 \
+       !!DROPBEAR_DSS|0 \
        DROPBEAR_DSS|0 \
        DO_MOTD|0 \
 
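Review bot: `!!DROPBEAR_DSS|0` is inserted directly above the existing `DROPBEAR_DSS|0`, so the same option is now listed twice in DB_OPT_COMMON with the same value; if the `!!` form is meant to supersede the plain one (presumably needed because 2022.83 changes how the upstream default for DSS is expressed), the second entry should go: keep `!!DROPBEAR_DSS|0 \` and drop `DROPBEAR_DSS|0 \`. If both are deliberate, a one-line comment above them stating why the option must appear in both forms would save the next maintainer from the same question and from "fixing" it by deleting one. The DB_OPT_COMMON definition starts before this hunk.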
@@ -181,10 +182,12 @@ endef
 define Build/Compile
        +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
                $(TARGET_CONFIGURE_OPTS) \
+               IGNORE_SPEED=1 \
                PROGRAMS="dropbear $(if $(CONFIG_DROPBEAR_DBCLIENT),dbclient,) dropbearkey $(if $(CONFIG_DROPBEAR_SCP),scp,)" \
                MULTI=1 SCPPROGRESS=1
        +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
                $(TARGET_CONFIGURE_OPTS) \
+               IGNORE_SPEED=1 \
                PROGRAMS="dropbearconvert"
 endef
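Review bot: `IGNORE_SPEED=1` is pasted verbatim into both $(MAKE) invocations with nothing saying what it switches off, and since this commit also removes the makefile_include.mk hunks of the 901 patch, a reader cannot tell from the Makefile that the two are related. Suggest hoisting it into a single variable reused by both calls and commenting it, e.g. `# IGNORE_SPEED: keep the bundled libtomcrypt/libtommath makefiles from appending their own -O3/-funroll-loops so TARGET_CFLAGS applies` (confirm the exact semantics against the bundled libtom* makefile_include.mk, which is not visible here). The whole Build/Compile define is inside the hunk.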
 
diff --git a/package/network/services/dropbear/patches/001-fix-MAX_UNAUTH_CLIENTS-regression.patch b/package/network/services/dropbear/patches/001-fix-MAX_UNAUTH_CLIENTS-regression.patch
deleted file mode 100644 (file)
index e0dca54..0000000
+++ /dev/null
@@ -1,134 +0,0 @@
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Wed, 8 Jun 2022 21:26:20 +0800
-Subject: Fix MAX_UNAUTH_CLIENTS regression
-
-Since re-exec change in 2022.82 Dropbear count
-treat authenticated sessions towards the unauthenticated
-session limit. This is fixed by passing the childpipe FD
-through to the re-execed process.
----
- runopts.h     |  5 +++--
- svr-main.c    | 21 +++++++++++----------
- svr-runopts.c | 15 ++++++++++++---
- 3 files changed, 26 insertions(+), 15 deletions(-)
-
---- a/runopts.h
-+++ b/runopts.h
-@@ -79,8 +79,9 @@ typedef struct svr_runopts {
-       char *addresses[DROPBEAR_MAX_PORTS];
-       int inetdmode;
--      /* Hidden "-2" flag indicates it's re-executing itself */
--      int reexec_child;
-+      /* Hidden "-2 childpipe_fd" flag indicates it's re-executing itself,
-+         stores the childpipe preauth file descriptor. Set to -1 otherwise. */
-+      int reexec_childpipe;
-       /* Flags indicating whether to use ipv4 and ipv6 */
-       /* not used yet
---- a/svr-main.c
-+++ b/svr-main.c
-@@ -71,7 +71,7 @@ int main(int argc, char ** argv)
- #endif
- #if DROPBEAR_DO_REEXEC
--      if (svr_opts.reexec_child) {
-+      if (svr_opts.reexec_childpipe >= 0) {
- #ifdef PR_SET_NAME
-               /* Fix the "Name:" in /proc/pid/status, otherwise it's
-               a FD number from fexecve.
-@@ -102,7 +102,7 @@ static void main_inetd() {
-       seedrandom();
--      if (!svr_opts.reexec_child) {
-+      if (svr_opts.reexec_childpipe < 0) {
-               /* In case our inetd was lax in logging source addresses */
-               get_socket_address(0, NULL, NULL, &host, &port, 0);
-                       dropbear_log(LOG_INFO, "Child connection from %s:%s", host, port);
-@@ -115,10 +115,8 @@ static void main_inetd() {
-               setsid();
-       }
--      /* Start service program 
--       * -1 is a dummy childpipe, just something we can close() without 
--       * mattering. */
--      svr_session(0, -1);
-+      /* -1 for childpipe in the inetd case is discarded */
-+      svr_session(0, svr_opts.reexec_childpipe);
-       /* notreached */
- }
-@@ -347,9 +345,10 @@ static void main_noinetd(int argc, char
-                               if (execfd >= 0) {
- #if DROPBEAR_DO_REEXEC
--                                      /* Add "-2" to the args and re-execute ourself. */
--                                      char **new_argv = m_malloc(sizeof(char*) * (argc+3));
--                                      int pos0 = 0, new_argc = argc+1;
-+                                      /* Add "-2 childpipe[1]" to the args and re-execute ourself. */
-+                                      char **new_argv = m_malloc(sizeof(char*) * (argc+4));
-+                                      char buf[10];
-+                                      int pos0 = 0, new_argc = argc+2;
-                                       /* We need to specially handle "dropbearmulti dropbear". */
-                                       if (multipath) {
-@@ -359,7 +358,9 @@ static void main_noinetd(int argc, char
-                                       }
-                                       memcpy(&new_argv[pos0], argv, sizeof(char*) * argc);
--                                      new_argv[new_argc-1] = "-2";
-+                                      new_argv[new_argc-2] = "-2";
-+                                      snprintf(buf, sizeof(buf), "%d", childpipe[1]);
-+                                      new_argv[new_argc-1] = buf;
-                                       new_argv[new_argc] = NULL;
-                                       if ((dup2(childsock, STDIN_FILENO) < 0)) {
---- a/svr-runopts.c
-+++ b/svr-runopts.c
-@@ -138,6 +138,7 @@ void svr_getopts(int argc, char ** argv)
-       char* keepalive_arg = NULL;
-       char* idle_timeout_arg = NULL;
-       char* maxauthtries_arg = NULL;
-+      char* reexec_fd_arg = NULL;
-       char* keyfile = NULL;
-       char c;
- #if DROPBEAR_PLUGIN
-@@ -175,6 +176,7 @@ void svr_getopts(int argc, char ** argv)
-         svr_opts.pubkey_plugin_options = NULL;
- #endif
-       svr_opts.pass_on_env = 0;
-+      svr_opts.reexec_childpipe = -1;
- #ifndef DISABLE_ZLIB
-       opts.compress_mode = DROPBEAR_COMPRESS_DELAYED;
-@@ -250,12 +252,12 @@ void svr_getopts(int argc, char ** argv)
- #if DROPBEAR_DO_REEXEC && NON_INETD_MODE
-                               /* For internal use by re-exec */
-                               case '2':
--                                      svr_opts.reexec_child = 1;
-+                                      next = &reexec_fd_arg;
-                                       break;
- #endif
-                               case 'p':
--                                nextisport = 1;
--                                break;
-+                                      nextisport = 1;
-+                                      break;
-                               case 'P':
-                                       next = &svr_opts.pidfile;
-                                       break;
-@@ -426,6 +428,13 @@ void svr_getopts(int argc, char ** argv)
-               dropbear_log(LOG_INFO, "Forced command set to '%s'", svr_opts.forced_command);
-       }
-+      if (reexec_fd_arg) {
-+              if (m_str_to_uint(reexec_fd_arg, &svr_opts.reexec_childpipe) == DROPBEAR_FAILURE
-+                      || svr_opts.reexec_childpipe < 0) {
-+                      dropbear_exit("Bad -2");
-+              }
-+      }
-+
- #if INETD_MODE
-       if (svr_opts.inetdmode && (
-               opts.usingsyslog == 0
index 0403198062f3162306e59b9ecafca42f00e9ede3..b1075f84642ce7affb9c93db9e30c87ca4357843 100644 (file)
@@ -1,6 +1,6 @@
 --- a/svr-authpubkey.c
 +++ b/svr-authpubkey.c
-@@ -77,6 +77,13 @@ static void send_msg_userauth_pk_ok(cons
+@@ -78,6 +78,13 @@ static void send_msg_userauth_pk_ok(cons
                const unsigned char* keyblob, unsigned int keybloblen);
  static int checkfileperm(char * filename);
  
@@ -14,7 +14,7 @@
  /* process a pubkey auth request, sending success or failure message as
   * appropriate */
  void svr_auth_pubkey(int valid_user) {
-@@ -439,14 +446,21 @@ static int checkpubkey(const char* keyal
+@@ -462,14 +469,21 @@ static int checkpubkey(const char* keyal
        if (checkpubkeyperms() == DROPBEAR_FAILURE) {
                TRACE(("bad authorized_keys permissions, or file doesn't exist"))
        } else {
@@ -44,7 +44,7 @@
  
                authfile = fopen(filename, "r");
                if (!authfile) {
-@@ -520,27 +534,41 @@ static int checkpubkeyperms() {
+@@ -543,27 +557,41 @@ static int checkpubkeyperms() {
                goto out;
        }
  
index d7f589801dce2b3c6856d564e39d48916b9928c8..a26f33dfbcebca126f344df5c87411dad9d81a7a 100644 (file)
@@ -1,8 +1,8 @@
 --- a/cli-runopts.c
 +++ b/cli-runopts.c
-@@ -325,6 +325,10 @@ void cli_getopts(int argc, char ** argv)
-                               case 'b':
-                                       next = &bind_arg;
+@@ -329,6 +329,10 @@ void cli_getopts(int argc, char ** argv)
+                               case 'z':
+                                       opts.disable_ip_tos = 1;
                                        break;
 +                              case 'x':
 +                                      /* compatibility with openssh cli
index 4f806f8b2511f7d157448dcc562a46f31e0b1a9d..5dc84849befdc86f62137261e03192bb7bc20849 100644 (file)
@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -74,53 +74,6 @@ AC_ARG_ENABLE(harden,
+@@ -87,54 +87,6 @@ AC_ARG_ENABLE(harden,
  
  if test "$hardenbuild" -eq 1; then
        AC_MSG_NOTICE(Checking for available hardened build flags:)
 -
 -              OLDLDFLAGS="$LDFLAGS"
 -              TESTFLAGS="-Wl,-pie"
--              LDFLAGS="$LDFLAGS $TESTFLAGS"
--              AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
--                      [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-              LDFLAGS="$TESTFLAGS $LDFLAGS"
+-              AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+-                      [AC_MSG_NOTICE([Setting $TESTFLAGS])],
 -                      [
 -                              LDFLAGS="$OLDLDFLAGS"
 -                              TESTFLAGS="-pie"
--                              LDFLAGS="$LDFLAGS $TESTFLAGS"
--                              AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
--                                      [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-                              LDFLAGS="$TESTFLAGS $LDFLAGS"
+-                              AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+-                                      [AC_MSG_NOTICE([Setting $TESTFLAGS])],
 -                                      [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
 -                                      )
 -                      ]
 -              # readonly elf relocation sections (relro)
 -              OLDLDFLAGS="$LDFLAGS"
 -              TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
--              LDFLAGS="$LDFLAGS $TESTFLAGS"
--              AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
--                      [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-              LDFLAGS="$TESTFLAGS $LDFLAGS"
+-              AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+-                      [AC_MSG_NOTICE([Setting $TESTFLAGS])],
 -                      [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
 -                      )
 -      fi # non-static
 -      # stack protector. -strong is good but only in gcc 4.9 or later
 -      OLDCFLAGS="$CFLAGS"
 -      TESTFLAGS="-fstack-protector-strong"
--      CFLAGS="$CFLAGS $TESTFLAGS"
--      AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
--          [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-      CFLAGS="$TESTFLAGS $CFLAGS"
+-      AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+-          [AC_MSG_NOTICE([Setting $TESTFLAGS])],
 -          [
 -                      CFLAGS="$OLDCFLAGS"
 -                      TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
--                      CFLAGS="$CFLAGS $TESTFLAGS"
--                      AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
--                          [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-                      CFLAGS="$TESTFLAGS $CFLAGS"
+-                      AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+-                          [AC_MSG_NOTICE([Setting $TESTFLAGS])],
 -                          [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
 -                          )
 -          ]
 -          )
 -      # FORTIFY_SOURCE
 -      DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2])
+-
        # Spectre v2 mitigations
        DB_TRYADDCFLAGS([-mfunction-return=thunk])
+       DB_TRYADDCFLAGS([-mindirect-branch=thunk])
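Review bot: The refreshed patch still has no description header, yet what it does is strip upstream's probes for `-Wl,-pie`, `-Wl,-z,now -Wl,-z,relro`, `-fstack-protector-strong` and `-D_FORTIFY_SOURCE=2` from configure.ac, leaving only the Spectre thunks. A two-line header should state that these are intentionally dropped because the OpenWrt toolchain is expected to inject the equivalent PIE/RELRO/SSP/FORTIFY flags globally, so that anyone building with those global options disabled understands dropbear then ships without them rather than falling back to upstream's autodetection. The `if test "$hardenbuild" -eq 1` block this hunk edits continues past the end of the hunk.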
index 2432b4ef72eae73f55575014284bdeae6562f18b..a9a441ce76e69cf37ebedb132b289fd2dbdc46f3 100644 (file)
@@ -1,48 +1,29 @@
---- a/libtomcrypt/makefile_include.mk
-+++ b/libtomcrypt/makefile_include.mk
-@@ -94,6 +94,13 @@ endif
+--- a/configure.ac
++++ b/configure.ac
+@@ -45,11 +45,8 @@ fi
+ # LTM_CFLAGS is given to ./configure by the user, 
+ # DROPBEAR_LTM_CFLAGS is substituted in the LTM Makefile.in
+ DROPBEAR_LTM_CFLAGS="$LTM_CFLAGS"
+-if test -z "$DROPBEAR_LTM_CFLAGS"; then
+-      DROPBEAR_LTM_CFLAGS="-O3 -funroll-loops -fomit-frame-pointer"
+-fi
+-AC_MSG_NOTICE(Setting LTM_CFLAGS to $DROPBEAR_LTM_CFLAGS)
+-AC_ARG_VAR(LTM_CFLAGS, CFLAGS for bundled libtommath. Default -O3 -funroll-loops -fomit-frame-pointer)
++AC_MSG_NOTICE(Setting LTM_CFLAGS to '$DROPBEAR_LTM_CFLAGS')
++AC_ARG_VAR(LTM_CFLAGS, CFLAGS for bundled libtommath. Defaults to empty string)
+ AC_SUBST(DROPBEAR_LTM_CFLAGS)
  
- LTC_CFLAGS += -Wno-type-limits
+ AC_MSG_NOTICE([Checking if compiler '$CC' supports -Wno-pointer-sign])
+--- a/libtomcrypt/src/headers/tomcrypt_dropbear.h
++++ b/libtomcrypt/src/headers/tomcrypt_dropbear.h
+@@ -7,8 +7,10 @@
  
-+ifdef OPENWRT_BUILD
-+  ifeq (-Os,$(filter -Os,$(CFLAGS)))
-+    LTC_CFLAGS += -DLTC_SMALL_CODE
-+  endif
-+else
-+  ### ! OPENWRT_BUILD
-+
- ifdef LTC_DEBUG
- $(info Debug build)
- # compile for DEBUGGING (required for ccmalloc checking!!!)
-@@ -121,6 +128,9 @@ endif
- endif # COMPILE_SMALL
- endif # COMPILE_DEBUG
+ /* Use small code where possible */
+ #if DROPBEAR_SMALL_CODE
++#ifndef LTC_SMALL_CODE
+ #define LTC_SMALL_CODE
+ #endif
++#endif
  
-+  ### ! OPENWRT_BUILD
-+endif
-+
- ifneq ($(findstring clang,$(CC)),)
- LTC_CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header -Wno-missing-field-initializers
---- a/libtommath/makefile_include.mk
-+++ b/libtommath/makefile_include.mk
-@@ -70,6 +70,9 @@ else
- LTM_CFLAGS += -Wsystem-headers
- endif
-+ifndef OPENWRT_BUILD
-+  ### ! OPENWRT_BUILD
-+
- ifdef COMPILE_DEBUG
- #debug
- LTM_CFLAGS += -g3
-@@ -90,6 +93,9 @@ endif
- endif # COMPILE_SIZE
-+  ### ! OPENWRT_BUILD
-+endif
-+
- ifneq ($(findstring clang,$(CC)),)
- LTM_CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header
- endif
+ /* Fewer entries needed */
+ #define TAB_SIZE      5
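Review bot: The new `#ifndef LTC_SMALL_CODE` guard in tomcrypt_dropbear.h only prevents a redefinition when something else already defines LTC_SMALL_CODE, but nothing in this commit shows who does that now that the old makefile_include.mk hook (which added `-DLTC_SMALL_CODE` whenever `-Os` was in CFLAGS) is removed; if DROPBEAR_SMALL_CODE alone is meant to drive it the guard is harmless, but the -Os-based selection has then been dropped without mention. The patch file carries no header explaining either hunk; a short description such as `# Let LTM_CFLAGS default to empty so the target CFLAGS reach bundled libtommath; guard LTC_SMALL_CODE against a -D on the command line` would make the rework reviewable at the next refresh. The AC_ARG_VAR help text `Defaults to empty string` would also be clearer as "defaults to the global CFLAGS", if that is indeed what libtommath's Makefile.in falls back to (not visible here).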