dropbear: bump to 2024.85
authorKonstantin Demin <rockdrilla@gmail.com>
Mon, 6 May 2024 13:20:16 +0000 (16:20 +0300)
committerHauke Mehrtens <hauke@hauke-m.de>
Thu, 9 May 2024 17:35:20 +0000 (19:35 +0200)
- update dropbear to latest stable 2024.85;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- drop cherry-picked patches (merged in release 2024.84)
- refresh remaining patches

Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
32 files changed:
package/network/services/dropbear/Makefile
package/network/services/dropbear/files/dropbear.init
package/network/services/dropbear/patches/001-add-if-DROPBEAR_RSA-guards.patch [deleted file]
package/network/services/dropbear/patches/002-fix-y2038-issues.patch [deleted file]
package/network/services/dropbear/patches/003-fix-DROPBEAR_DSS.patch [deleted file]
package/network/services/dropbear/patches/004-allow-users-s-own-gid-in-pty-permission-check.patch [deleted file]
package/network/services/dropbear/patches/005-const-parameter-mp_int.patch [deleted file]
package/network/services/dropbear/patches/006-dropbearkey-add-missing-break-in-switch.patch [deleted file]
package/network/services/dropbear/patches/007-fix-building-only-client-or-server.patch [deleted file]
package/network/services/dropbear/patches/008-disable-rsa-signatures-when-no-rsa-hostkey.patch [deleted file]
package/network/services/dropbear/patches/009-use-write-rather-than-fprintf-in-segv-handler.patch [deleted file]
package/network/services/dropbear/patches/010-remove-SO_LINGER.patch [deleted file]
package/network/services/dropbear/patches/011-add-option-to-bind-to-interface.patch [deleted file]
package/network/services/dropbear/patches/012-add-ifdef-guards-for-SO_BINDTODEVICE.patch [deleted file]
package/network/services/dropbear/patches/013-make-banner-reading-failure-non-fatal.patch [deleted file]
package/network/services/dropbear/patches/014-dropbearkey-ignore-unsupported-command-line-option.patch [deleted file]
package/network/services/dropbear/patches/015-libtommath-fix-possible-integer-overflow.patch [deleted file]
package/network/services/dropbear/patches/016-src-svr-tcpfwd-Fix-noremotetcp-behavior.patch [deleted file]
package/network/services/dropbear/patches/017-Don-t-try-to-shutdown-a-pty.patch [deleted file]
package/network/services/dropbear/patches/018-dropbearkey-add-alias-to-ssh-keygen.patch [deleted file]
package/network/services/dropbear/patches/019-Allow-inetd-with-non-syslog.patch [deleted file]
package/network/services/dropbear/patches/020-Fix-test-for-multiuser-kernels.patch [deleted file]
package/network/services/dropbear/patches/021-Implement-Strict-KEX-mode.patch [deleted file]
package/network/services/dropbear/patches/100-pubkey_path.patch
package/network/services/dropbear/patches/110-change_user.patch
package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
package/network/services/dropbear/patches/140-disable_assert.patch
package/network/services/dropbear/patches/160-lto-jobserver.patch
package/network/services/dropbear/patches/600-allow-blank-root-password.patch
package/network/services/dropbear/patches/900-configure-hardening.patch
package/network/services/dropbear/patches/901-bundled-libs-cflags.patch
package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch

index abb46157ea4f780e10635ef811d50443d5c079b3..3812602b35a3821da73058a88861b3a0f05b30bb 100644 (file)
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2022.83
-PKG_RELEASE:=2
+PKG_VERSION:=2024.85
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
        https://matt.ucc.asn.au/dropbear/releases/ \
        https://dropbear.nl/mirror/releases/
-PKG_HASH:=bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b
+PKG_HASH:=86b036c433a69d89ce51ebae335d65c47738ccf90d13e5eb0fea832e556da502
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
@@ -103,7 +103,7 @@ CONFIGURE_ARGS += \
 ##############################################################################
 #
 #   option,value - add option to localoptions.h
-# !!option,value - replace option in sysoptions.h
+# !!option,value - replace option in src/sysoptions.h
 #
 ##############################################################################
 
@@ -132,7 +132,7 @@ DB_OPT_COMMON = \
 ##############################################################################
 #
 #   option,config,enabled,disabled = add option to localoptions.h
-# !!option,config,enabled,disabled = replace option in sysoptions.h
+# !!option,config,enabled,disabled = replace option in src/sysoptions.h
 #
 #   option := (config) ? enabled : disabled
 #
@@ -164,7 +164,7 @@ TARGET_CFLAGS += -DARGTYPE=3
 xsedx:=$(shell printf '\027')
 
 db_opt_add     =echo '\#define $(1) $(2)' >> $(PKG_BUILD_DIR)/localoptions.h
-db_opt_replace =$(ESED) '/^\#define $(1) .*$$$$/{h;:a;$$$$!n;/^\#.+$$$$/bb;/^$$$$/bb;H;ba;:b;x;s$(xsedx)^.+$$$$$(xsedx)\#define $(1) $(2)$(xsedx)p;x};p' -n $(PKG_BUILD_DIR)/sysoptions.h
+db_opt_replace =$(ESED) '/^\#define $(1) .*$$$$/{h;:a;$$$$!n;/^\#.+$$$$/bb;/^$$$$/bb;H;ba;:b;x;s$(xsedx)^.+$$$$$(xsedx)\#define $(1) $(2)$(xsedx)p;x};p' -n $(PKG_BUILD_DIR)/src/sysoptions.h
 
 define Build/Configure/dropbear_headers
        $(strip $(foreach s,$(DB_OPT_COMMON), \
index 21570987c439b18cb50026bbbc0101e5a51a4f78..708fabd3269af24636ecc470f4027e42c898a719 100755 (executable)
@@ -261,7 +261,7 @@ dropbear_instance()
                esac
 
                local c=0
-               # sysoptions.h
+               # src/sysoptions.h
                local DROPBEAR_MAX_PORTS=10
 
                local a n if_ipaddrs
@@ -341,7 +341,7 @@ dropbear_instance()
                # ref: validate_section_dropbear()
                # default receive window size is 24576 (DEFAULT_RECV_WINDOW in default_options.h)
 
-               # sysoptions.h
+               # src/sysoptions.h
                local MAX_RECV_WINDOW=10485760
                if [ "${RecvWindowSize}" -gt ${MAX_RECV_WINDOW} ] ; then
                        # separate logging is required because syslog misses dropbear's message
diff --git a/package/network/services/dropbear/patches/001-add-if-DROPBEAR_RSA-guards.patch b/package/network/services/dropbear/patches/001-add-if-DROPBEAR_RSA-guards.patch
deleted file mode 100644 (file)
index ad1a20c..0000000
+++ /dev/null
@@ -1,104 +0,0 @@
-From 36a03132634a17c667c0fac0a8e1519b3d1b71c6 Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Mon, 28 Nov 2022 21:12:23 +0800
-Subject: Add #if DROPBEAR_RSA guards
-
-Fixes building with DROPBEAR_RSA disabled.
-Closes #197
----
- signkey.c    | 8 +++++++-
- signkey.h    | 2 ++
- sysoptions.h | 5 +----
- 3 files changed, 10 insertions(+), 5 deletions(-)
-
---- a/signkey.c
-+++ b/signkey.c
-@@ -120,6 +120,7 @@ enum signkey_type signkey_type_from_name
- /* Special case for rsa-sha2-256. This could be generalised if more 
-    signature names are added that aren't 1-1 with public key names */
- const char* signature_name_from_type(enum signature_type type, unsigned int *namelen) {
-+#if DROPBEAR_RSA
- #if DROPBEAR_RSA_SHA256
-       if (type == DROPBEAR_SIGNATURE_RSA_SHA256) {
-               if (namelen) {
-@@ -136,11 +137,13 @@ const char* signature_name_from_type(enu
-               return SSH_SIGNKEY_RSA;
-       }
- #endif
-+#endif /* DROPBEAR_RSA */
-       return signkey_name_from_type((enum signkey_type)type, namelen);
- }
- /* Returns DROPBEAR_SIGNATURE_NONE if none match */
- enum signature_type signature_type_from_name(const char* name, unsigned int namelen) {
-+#if DROPBEAR_RSA
- #if DROPBEAR_RSA_SHA256
-       if (namelen == strlen(SSH_SIGNATURE_RSA_SHA256) 
-               && memcmp(name, SSH_SIGNATURE_RSA_SHA256, namelen) == 0) {
-@@ -153,10 +156,11 @@ enum signature_type signature_type_from_
-               return DROPBEAR_SIGNATURE_RSA_SHA1;
-       }
- #endif
-+#endif /* DROPBEAR_RSA */
-       return (enum signature_type)signkey_type_from_name(name, namelen);
- }
--/* Returns the signature type from a key type. Must not be called 
-+/* Returns the signature type from a key type. Must not be called
-    with RSA keytype */
- enum signature_type signature_type_from_signkey(enum signkey_type keytype) {
- #if DROPBEAR_RSA
-@@ -167,6 +171,7 @@ enum signature_type signature_type_from_
- }
- enum signkey_type signkey_type_from_signature(enum signature_type sigtype) {
-+#if DROPBEAR_RSA
- #if DROPBEAR_RSA_SHA256
-       if (sigtype == DROPBEAR_SIGNATURE_RSA_SHA256) {
-               return DROPBEAR_SIGNKEY_RSA;
-@@ -177,6 +182,7 @@ enum signkey_type signkey_type_from_sign
-               return DROPBEAR_SIGNKEY_RSA;
-       }
- #endif
-+#endif /* DROPBEAR_RSA */
-       assert((int)sigtype < (int)DROPBEAR_SIGNKEY_NUM_NAMED);
-       return (enum signkey_type)sigtype;
- }
---- a/signkey.h
-+++ b/signkey.h
-@@ -79,12 +79,14 @@ enum signature_type {
-       DROPBEAR_SIGNATURE_SK_ED25519 = DROPBEAR_SIGNKEY_SK_ED25519,
- #endif
- #endif
-+#if DROPBEAR_RSA
- #if DROPBEAR_RSA_SHA1
-       DROPBEAR_SIGNATURE_RSA_SHA1 = 100, /* ssh-rsa signature (sha1) */
- #endif
- #if DROPBEAR_RSA_SHA256
-       DROPBEAR_SIGNATURE_RSA_SHA256 = 101, /* rsa-sha2-256 signature. has a ssh-rsa key */
- #endif
-+#endif /* DROPBEAR_RSA */
-       DROPBEAR_SIGNATURE_NONE = DROPBEAR_SIGNKEY_NONE,
- };
---- a/sysoptions.h
-+++ b/sysoptions.h
-@@ -137,7 +137,7 @@
- /* Debian doesn't define this in system headers */
- #if !defined(LTM_DESC) && (DROPBEAR_ECC)
--#define LTM_DESC 
-+#define LTM_DESC
- #endif
- #define DROPBEAR_ECC_256 (DROPBEAR_ECC)
-@@ -151,9 +151,6 @@
-  * signing operations slightly slower. */
- #define DROPBEAR_RSA_BLINDING 1
--#ifndef DROPBEAR_RSA_SHA1
--#define DROPBEAR_RSA_SHA1 DROPBEAR_RSA
--#endif
- #ifndef DROPBEAR_RSA_SHA256
- #define DROPBEAR_RSA_SHA256 DROPBEAR_RSA
- #endif
diff --git a/package/network/services/dropbear/patches/002-fix-y2038-issues.patch b/package/network/services/dropbear/patches/002-fix-y2038-issues.patch
deleted file mode 100644 (file)
index 0654e3b..0000000
+++ /dev/null
@@ -1,198 +0,0 @@
-From ec2215726cffb976019d08ebf569edd2229e9dba Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Thu, 1 Dec 2022 11:34:43 +0800
-Subject: Fix y2038 issues with time_t conversion
-
-These changes were identified by building with and without
--D_TIME_BITS=64 -D_FILE_OFFSET_BITS=64
-on 32-bit arm, logging warnings to files.
--Wconversion was added to CFLAGS in both builds.
-
-Then a "diff -I Wconversion log1 log2" shows new warnings that appear
-with the 64-bit time_t. There are a few false positives that have been
-fixed for quietness.
-
-struct logininfo and struct wtmp are still problematic, those will
-need to be handled by libc.
----
- common-session.c | 43 +++++++++++++++++++++++++++----------------
- dbutil.c         |  2 +-
- loginrec.c       |  2 ++
- loginrec.h       |  4 ++--
- runopts.h        |  4 ++--
- svr-auth.c       |  2 +-
- 6 files changed, 35 insertions(+), 22 deletions(-)
-
---- a/common-session.c
-+++ b/common-session.c
-@@ -519,15 +519,24 @@ static void send_msg_keepalive() {
-       ses.last_packet_time_idle = old_time_idle;
- }
-+/* Returns the difference in seconds, clamped to LONG_MAX */
-+static long elapsed(time_t now, time_t prev) {
-+      time_t del = now - prev;
-+      if (del > LONG_MAX) {
-+              return LONG_MAX;
-+      }
-+      return (long)del;
-+}
-+
- /* Check all timeouts which are required. Currently these are the time for
-  * user authentication, and the automatic rekeying. */
- static void checktimeouts() {
-       time_t now;
-       now = monotonic_now();
--      
-+
-       if (IS_DROPBEAR_SERVER && ses.connect_time != 0
--              && now - ses.connect_time >= AUTH_TIMEOUT) {
-+              && elapsed(now, ses.connect_time) >= AUTH_TIMEOUT) {
-                       dropbear_close("Timeout before auth");
-       }
-@@ -537,45 +546,47 @@ static void checktimeouts() {
-       }
-       if (!ses.kexstate.sentkexinit
--                      && (now - ses.kexstate.lastkextime >= KEX_REKEY_TIMEOUT
-+                      && (elapsed(now, ses.kexstate.lastkextime) >= KEX_REKEY_TIMEOUT
-                       || ses.kexstate.datarecv+ses.kexstate.datatrans >= KEX_REKEY_DATA)) {
-               TRACE(("rekeying after timeout or max data reached"))
-               send_msg_kexinit();
-       }
--      
-+
-       if (opts.keepalive_secs > 0 && ses.authstate.authdone) {
-               /* Avoid sending keepalives prior to auth - those are
-               not valid pre-auth packet types */
-               /* Send keepalives if we've been idle */
--              if (now - ses.last_packet_time_any_sent >= opts.keepalive_secs) {
-+              if (elapsed(now, ses.last_packet_time_any_sent) >= opts.keepalive_secs) {
-                       send_msg_keepalive();
-               }
-               /* Also send an explicit keepalive message to trigger a response
-               if the remote end hasn't sent us anything */
--              if (now - ses.last_packet_time_keepalive_recv >= opts.keepalive_secs
--                      && now - ses.last_packet_time_keepalive_sent >= opts.keepalive_secs) {
-+              if (elapsed(now, ses.last_packet_time_keepalive_recv) >= opts.keepalive_secs
-+                      && elapsed(now, ses.last_packet_time_keepalive_sent) >= opts.keepalive_secs) {
-                       send_msg_keepalive();
-               }
--              if (now - ses.last_packet_time_keepalive_recv 
-+              if (elapsed(now, ses.last_packet_time_keepalive_recv)
-                       >= opts.keepalive_secs * DEFAULT_KEEPALIVE_LIMIT) {
-                       dropbear_exit("Keepalive timeout");
-               }
-       }
--      if (opts.idle_timeout_secs > 0 
--                      && now - ses.last_packet_time_idle >= opts.idle_timeout_secs) {
-+      if (opts.idle_timeout_secs > 0
-+                      && elapsed(now, ses.last_packet_time_idle) >= opts.idle_timeout_secs) {
-               dropbear_close("Idle timeout");
-       }
- }
--static void update_timeout(long limit, long now, long last_event, long * timeout) {
--      TRACE2(("update_timeout limit %ld, now %ld, last %ld, timeout %ld",
--              limit, now, last_event, *timeout))
-+static void update_timeout(long limit, time_t now, time_t last_event, long * timeout) {
-+      TRACE2(("update_timeout limit %ld, now %llu, last %llu, timeout %ld",
-+              limit,
-+              (unsigned long long)now,
-+              (unsigned long long)last_event, *timeout))
-       if (last_event > 0 && limit > 0) {
--              *timeout = MIN(*timeout, last_event+limit-now);
-+              *timeout = MIN(*timeout, elapsed(now, last_event) + limit);
-               TRACE2(("new timeout %ld", *timeout))
-       }
- }
-@@ -584,7 +595,7 @@ static long select_timeout() {
-       /* determine the minimum timeout that might be required, so
-       as to avoid waking when unneccessary */
-       long timeout = KEX_REKEY_TIMEOUT;
--      long now = monotonic_now();
-+      time_t now = monotonic_now();
-       if (!ses.kexstate.sentkexinit) {
-               update_timeout(KEX_REKEY_TIMEOUT, now, ses.kexstate.lastkextime, &timeout);
-@@ -596,7 +607,7 @@ static long select_timeout() {
-       }
-       if (ses.authstate.authdone) {
--              update_timeout(opts.keepalive_secs, now, 
-+              update_timeout(opts.keepalive_secs, now,
-                       MAX(ses.last_packet_time_keepalive_recv, ses.last_packet_time_keepalive_sent),
-                       &timeout);
-       }
---- a/dbutil.c
-+++ b/dbutil.c
-@@ -724,7 +724,7 @@ void gettime_wrapper(struct timespec *no
-       /* Fallback for everything else - this will sometimes go backwards */
-       gettimeofday(&tv, NULL);
-       now->tv_sec = tv.tv_sec;
--      now->tv_nsec = 1000*tv.tv_usec;
-+      now->tv_nsec = 1000*(long)tv.tv_usec;
- }
- /* second-resolution monotonic timestamp */
---- a/loginrec.c
-+++ b/loginrec.c
-@@ -459,6 +459,7 @@ line_abbrevname(char *dst, const char *s
- void
- set_utmp_time(struct logininfo *li, struct utmp *ut)
- {
-+      /* struct utmp in glibc isn't y2038 safe yet */
- # ifdef HAVE_STRUCT_UTMP_UT_TV
-       ut->ut_tv.tv_sec = li->tv_sec;
-       ut->ut_tv.tv_usec = li->tv_usec;
-@@ -1272,6 +1273,7 @@ lastlog_construct(struct logininfo *li,
-       (void)line_stripname(last->ll_line, li->line, sizeof(last->ll_line));
-       strlcpy(last->ll_host, li->hostname,
-               MIN_SIZEOF(last->ll_host, li->hostname));
-+      /* struct lastlog in glibc isn't y2038 safe yet */
-       last->ll_time = li->tv_sec;
- }
---- a/loginrec.h
-+++ b/loginrec.h
-@@ -139,8 +139,8 @@ struct logininfo {
-       /* struct timeval (sys/time.h) isn't always available, if it isn't we'll
-        * use time_t's value as tv_sec and set tv_usec to 0
-        */
--      unsigned int tv_sec;
--      unsigned int tv_usec;
-+      time_t tv_sec;
-+      suseconds_t tv_usec;
-       union login_netinfo hostaddr;       /* caller's host address(es) */
- }; /* struct logininfo */
---- a/runopts.h
-+++ b/runopts.h
-@@ -39,8 +39,8 @@ typedef struct runopts {
-       int listen_fwd_all;
- #endif
-       unsigned int recv_window;
--      time_t keepalive_secs; /* Time between sending keepalives. 0 is off */
--      time_t idle_timeout_secs; /* Exit if no traffic is sent/received in this time */
-+      long keepalive_secs; /* Time between sending keepalives. 0 is off */
-+      long idle_timeout_secs; /* Exit if no traffic is sent/received in this time */
-       int usingsyslog;
- #ifndef DISABLE_ZLIB
---- a/svr-auth.c
-+++ b/svr-auth.c
-@@ -389,7 +389,7 @@ void send_msg_userauth_failure(int parti
-               Beware of integer overflow if increasing these values */
-               const unsigned int mindelay = 250000000;
-               const unsigned int vardelay = 100000000;
--              unsigned int rand_delay;
-+              suseconds_t rand_delay;
-               struct timespec delay;
-               gettime_wrapper(&delay);
diff --git a/package/network/services/dropbear/patches/003-fix-DROPBEAR_DSS.patch b/package/network/services/dropbear/patches/003-fix-DROPBEAR_DSS.patch
deleted file mode 100644 (file)
index 6789800..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
-From c043efb47c3173072fa636ca0da0d19875d4511f Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Tue, 6 Dec 2022 22:34:11 +0800
-Subject: Fix so DROPBEAR_DSS is only forced for fuzzing
-
-Regression from 787391ea3b5af2acf5e3c83372510f0c79477ad7,
-was missing fuzzing conditional
----
- sysoptions.h | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/sysoptions.h
-+++ b/sysoptions.h
-@@ -380,9 +380,11 @@
- #endif
- /* Fuzzing expects all key types to be enabled */
-+#if DROPBEAR_FUZZ
- #if defined(DROPBEAR_DSS)
- #undef DROPBEAR_DSS
- #endif
- #define DROPBEAR_DSS 1
-+#endif
- /* no include guard for this file */
diff --git a/package/network/services/dropbear/patches/004-allow-users-s-own-gid-in-pty-permission-check.patch b/package/network/services/dropbear/patches/004-allow-users-s-own-gid-in-pty-permission-check.patch
deleted file mode 100644 (file)
index bcb43ae..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
-From 860721558837441ab45019858e710a2625ffa46e Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Wed, 7 Dec 2022 13:04:10 +0800
-Subject: Allow users's own gid in pty permission check
-
-This allows non-root Dropbear to work even without devpts gid=5 mount
-option on Linux.
----
- sshpty.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- a/sshpty.c
-+++ b/sshpty.c
-@@ -380,7 +380,9 @@ pty_setowner(struct passwd *pw, const ch
-                               tty_name, strerror(errno));
-       }
--      if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
-+      /* Allow either "tty" gid or user's own gid. On Linux with openpty()
-+       * this varies depending on the devpts mount options */
-+      if (st.st_uid != pw->pw_uid || !(st.st_gid == gid || st.st_gid == pw->pw_gid)) {
-               if (chown(tty_name, pw->pw_uid, gid) < 0) {
-                       if (errno == EROFS &&
-                           (st.st_uid == pw->pw_uid || st.st_uid == 0)) {
diff --git a/package/network/services/dropbear/patches/005-const-parameter-mp_int.patch b/package/network/services/dropbear/patches/005-const-parameter-mp_int.patch
deleted file mode 100644 (file)
index 0d23c9c..0000000
+++ /dev/null
@@ -1,123 +0,0 @@
-From 01415ef8269e594a647f67ea0729ca8b590679de Mon Sep 17 00:00:00 2001
-From: Francois Perrad <francois.perrad@gadz.org>
-Date: Thu, 22 Dec 2022 10:19:54 +0100
-Subject: const parameter mp_int
-
----
- bignum.c   | 2 +-
- bignum.h   | 2 +-
- buffer.c   | 2 +-
- buffer.h   | 2 +-
- dbrandom.c | 2 +-
- dbrandom.h | 2 +-
- dbutil.c   | 2 +-
- dbutil.h   | 2 +-
- genrsa.c   | 4 ++--
- 9 files changed, 10 insertions(+), 10 deletions(-)
-
---- a/bignum.c
-+++ b/bignum.c
-@@ -93,7 +93,7 @@ void bytes_to_mp(mp_int *mp, const unsig
- /* hash the ssh representation of the mp_int mp */
- void hash_process_mp(const struct ltc_hash_descriptor *hash_desc, 
--                              hash_state *hs, mp_int *mp) {
-+                              hash_state *hs, const mp_int *mp) {
-       buffer * buf;
-       buf = buf_new(512 + 20); /* max buffer is a 4096 bit key, 
---- a/bignum.h
-+++ b/bignum.h
-@@ -33,6 +33,6 @@ void m_mp_alloc_init_multi(mp_int **mp,
- void m_mp_free_multi(mp_int **mp, ...)  ATTRIB_SENTINEL;
- void bytes_to_mp(mp_int *mp, const unsigned char* bytes, unsigned int len);
- void hash_process_mp(const struct ltc_hash_descriptor *hash_desc, 
--                              hash_state *hs, mp_int *mp);
-+                              hash_state *hs, const mp_int *mp);
- #endif /* DROPBEAR_BIGNUM_H_ */
---- a/buffer.c
-+++ b/buffer.c
-@@ -299,7 +299,7 @@ void buf_putbytes(buffer *buf, const uns
- /* for our purposes we only need positive (or 0) numbers, so will
-  * fail if we get negative numbers */
--void buf_putmpint(buffer* buf, mp_int * mp) {
-+void buf_putmpint(buffer* buf, const mp_int * mp) {
-       size_t written;
-       unsigned int len, pad = 0;
-       TRACE2(("enter buf_putmpint"))
---- a/buffer.h
-+++ b/buffer.h
-@@ -65,7 +65,7 @@ void buf_putint(buffer* buf, unsigned in
- void buf_putstring(buffer* buf, const char* str, unsigned int len);
- void buf_putbufstring(buffer *buf, const buffer* buf_str);
- void buf_putbytes(buffer *buf, const unsigned char *bytes, unsigned int len);
--void buf_putmpint(buffer* buf, mp_int * mp);
-+void buf_putmpint(buffer* buf, const mp_int * mp);
- int buf_getmpint(buffer* buf, mp_int* mp);
- unsigned int buf_getint(buffer* buf);
---- a/dbrandom.c
-+++ b/dbrandom.c
-@@ -347,7 +347,7 @@ void genrandom(unsigned char* buf, unsig
-  * rand must be an initialised *mp_int for the result.
-  * the result rand satisfies:  0 < rand < max 
-  * */
--void gen_random_mpint(mp_int *max, mp_int *rand) {
-+void gen_random_mpint(const mp_int *max, mp_int *rand) {
-       unsigned char *randbuf = NULL;
-       unsigned int len = 0;
---- a/dbrandom.h
-+++ b/dbrandom.h
-@@ -30,6 +30,6 @@
- void seedrandom(void);
- void genrandom(unsigned char* buf, unsigned int len);
- void addrandom(const unsigned char * buf, unsigned int len);
--void gen_random_mpint(mp_int *max, mp_int *rand);
-+void gen_random_mpint(const mp_int *max, mp_int *rand);
- #endif /* DROPBEAR_RANDOM_H_ */
---- a/dbutil.c
-+++ b/dbutil.c
-@@ -442,7 +442,7 @@ void printhex(const char * label, const
-       }
- }
--void printmpint(const char *label, mp_int *mp) {
-+void printmpint(const char *label, const mp_int *mp) {
-       buffer *buf = buf_new(1000);
-       buf_putmpint(buf, mp);
-       fprintf(stderr, "%d bits ", mp_count_bits(mp));
---- a/dbutil.h
-+++ b/dbutil.h
-@@ -53,7 +53,7 @@ void dropbear_trace3(const char* format,
- void dropbear_trace4(const char* format, ...) ATTRIB_PRINTF(1,2);
- void dropbear_trace5(const char* format, ...) ATTRIB_PRINTF(1,2);
- void printhex(const char * label, const unsigned char * buf, int len);
--void printmpint(const char *label, mp_int *mp);
-+void printmpint(const char *label, const mp_int *mp);
- void debug_start_net(void);
- extern int debug_trace;
- #endif
---- a/genrsa.c
-+++ b/genrsa.c
-@@ -34,7 +34,7 @@
- #if DROPBEAR_RSA
- static void getrsaprime(mp_int* prime, mp_int *primeminus, 
--              mp_int* rsa_e, unsigned int size_bytes);
-+              const mp_int* rsa_e, unsigned int size_bytes);
- /* mostly taken from libtomcrypt's rsa key generation routine */
- dropbear_rsa_key * gen_rsa_priv_key(unsigned int size) {
-@@ -89,7 +89,7 @@ dropbear_rsa_key * gen_rsa_priv_key(unsi
- /* return a prime suitable for p or q */
- static void getrsaprime(mp_int* prime, mp_int *primeminus, 
--              mp_int* rsa_e, unsigned int size_bytes) {
-+              const mp_int* rsa_e, unsigned int size_bytes) {
-       unsigned char *buf;
-       int trials;
diff --git a/package/network/services/dropbear/patches/006-dropbearkey-add-missing-break-in-switch.patch b/package/network/services/dropbear/patches/006-dropbearkey-add-missing-break-in-switch.patch
deleted file mode 100644 (file)
index c701102..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-From 39d955c49f31fc155e885447ee2be61c869d8c2d Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Tue, 3 Jan 2023 22:05:14 +0800
-Subject: Add missing break in switch
-
-Has no effect on execution, the fallthrough does nothing
-Closes #208
----
- dropbearkey.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/dropbearkey.c
-+++ b/dropbearkey.c
-@@ -139,6 +139,7 @@ static void check_signkey_bits(enum sign
-                               dropbear_exit("DSS keys have a fixed size of 1024 bits\n");
-                               exit(EXIT_FAILURE);
-                       }
-+                      break;
- #endif
-               default:
-                       (void)0; /* quiet, compiler. ecdsa handles checks itself */
diff --git a/package/network/services/dropbear/patches/007-fix-building-only-client-or-server.patch b/package/network/services/dropbear/patches/007-fix-building-only-client-or-server.patch
deleted file mode 100644 (file)
index 5fcfaad..0000000
+++ /dev/null
@@ -1,29 +0,0 @@
-From 7a53c7f0f4b3eb23e002819553cb45558642c01d Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Wed, 4 Jan 2023 20:32:23 +0800
-Subject: Fix building only client or server
-
-Regressed when -Wundef was added
-
-Fixes #210
----
- sysoptions.h | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
---- a/sysoptions.h
-+++ b/sysoptions.h
-@@ -10,6 +10,14 @@
- #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
- #define PROGNAME "dropbear"
-+#ifndef DROPBEAR_CLIENT
-+#define DROPBEAR_CLIENT 0
-+#endif
-+
-+#ifndef DROPBEAR_SERVER
-+#define DROPBEAR_SERVER 0
-+#endif
-+
- /* Spec recommends after one hour or 1 gigabyte of data. One hour
-  * is a bit too verbose, so we try 8 hours */
- #ifndef KEX_REKEY_TIMEOUT
diff --git a/package/network/services/dropbear/patches/008-disable-rsa-signatures-when-no-rsa-hostkey.patch b/package/network/services/dropbear/patches/008-disable-rsa-signatures-when-no-rsa-hostkey.patch
deleted file mode 100644 (file)
index 4f67523..0000000
+++ /dev/null
@@ -1,94 +0,0 @@
-From a113381c12a2da3c9b7bd594f47a1b2657bdfdf2 Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Sun, 12 Feb 2023 22:44:32 +0800
-Subject: Disable rsa signatures when no rsa hostkey
-
-Otherwise Dropbear will offer RSA as a hostkey signature option, but the
-session will exit with an assertion or NULL pointer dereference once
-that algorithm is negotiated.
-
-This likely regressed in 2020.79 when signature vs key type enums were
-split, for rsa-sha256.
-
-Fixes #219 on github
----
- svr-runopts.c | 21 +++++++++++----------
- 1 file changed, 11 insertions(+), 10 deletions(-)
-
---- a/svr-runopts.c
-+++ b/svr-runopts.c
-@@ -505,11 +505,11 @@ static void addportandaddress(const char
-       svr_opts.portcount++;
- }
--static void disablekey(int type) {
-+static void disablekey(enum signature_type type) {
-       int i;
-       TRACE(("Disabling key type %d", type))
-       for (i = 0; sigalgs[i].name != NULL; i++) {
--              if (sigalgs[i].val == type) {
-+              if ((int)sigalgs[i].val == (int)type) {
-                       sigalgs[i].usable = 0;
-                       break;
-               }
-@@ -624,7 +624,8 @@ void load_all_hostkeys() {
- #if DROPBEAR_RSA
-       if (!svr_opts.delay_hostkey && !svr_opts.hostkey->rsakey) {
--              disablekey(DROPBEAR_SIGNKEY_RSA);
-+              disablekey(DROPBEAR_SIGNATURE_RSA_SHA256);
-+              disablekey(DROPBEAR_SIGNATURE_RSA_SHA1);
-       } else {
-               any_keys = 1;
-       }
-@@ -632,7 +633,7 @@ void load_all_hostkeys() {
- #if DROPBEAR_DSS
-       if (!svr_opts.delay_hostkey && !svr_opts.hostkey->dsskey) {
--              disablekey(DROPBEAR_SIGNKEY_DSS);
-+              disablekey(DROPBEAR_SIGNATURE_DSS);
-       } else {
-               any_keys = 1;
-       }
-@@ -666,35 +667,35 @@ void load_all_hostkeys() {
- #if DROPBEAR_ECC_256
-       if (!svr_opts.hostkey->ecckey256
-               && (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 256 )) {
--              disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP256);
-+              disablekey(DROPBEAR_SIGNATURE_ECDSA_NISTP256);
-       }
- #endif
- #if DROPBEAR_ECC_384
-       if (!svr_opts.hostkey->ecckey384
-               && (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 384 )) {
--              disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP384);
-+              disablekey(DROPBEAR_SIGNATURE_ECDSA_NISTP384);
-       }
- #endif
- #if DROPBEAR_ECC_521
-       if (!svr_opts.hostkey->ecckey521
-               && (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 521 )) {
--              disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP521);
-+              disablekey(DROPBEAR_SIGNATURE_ECDSA_NISTP521);
-       }
- #endif
- #endif /* DROPBEAR_ECDSA */
- #if DROPBEAR_ED25519
-       if (!svr_opts.delay_hostkey && !svr_opts.hostkey->ed25519key) {
--              disablekey(DROPBEAR_SIGNKEY_ED25519);
-+              disablekey(DROPBEAR_SIGNATURE_ED25519);
-       } else {
-               any_keys = 1;
-       }
- #endif
- #if DROPBEAR_SK_ECDSA
--      disablekey(DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256);
-+      disablekey(DROPBEAR_SIGNATURE_SK_ECDSA_NISTP256);
- #endif 
- #if DROPBEAR_SK_ED25519
--      disablekey(DROPBEAR_SIGNKEY_SK_ED25519);
-+      disablekey(DROPBEAR_SIGNATURE_SK_ED25519);
- #endif
-       if (!any_keys) {
diff --git a/package/network/services/dropbear/patches/009-use-write-rather-than-fprintf-in-segv-handler.patch b/package/network/services/dropbear/patches/009-use-write-rather-than-fprintf-in-segv-handler.patch
deleted file mode 100644 (file)
index e1538a4..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
-From 3292b8c6f1e5fcc405fa0f7a20e90a60f74037b2 Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Sun, 12 Feb 2023 23:00:00 +0800
-Subject: Use write() rather than fprintf() in segv handler
-
-fprintf isn't guaranteed safe (though hasn't had any problems reported).
----
- svr-main.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
---- a/svr-main.c
-+++ b/svr-main.c
-@@ -420,8 +420,12 @@ static void sigchld_handler(int UNUSED(u
- /* catch any segvs */
- static void sigsegv_handler(int UNUSED(unused)) {
--      fprintf(stderr, "Aiee, segfault! You should probably report "
--                      "this as a bug to the developer\n");
-+      int i;
-+      const char *msg = "Aiee, segfault! You should probably report "
-+                      "this as a bug to the developer\n";
-+      i = write(STDERR_FILENO, msg, strlen(msg));
-+      /* ignore short writes */
-+      (void)i;
-       _exit(EXIT_FAILURE);
- }
diff --git a/package/network/services/dropbear/patches/010-remove-SO_LINGER.patch b/package/network/services/dropbear/patches/010-remove-SO_LINGER.patch
deleted file mode 100644 (file)
index 12b1843..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-From 5040f21cb4ee6ade966e60c6d5a3c270d03de1f1 Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Mon, 1 May 2023 22:05:43 +0800
-Subject: Remove SO_LINGER
-
-It could cause channels to take up to 5 seconds to close(), which would block
-the entire process. On busy TCP forwarding sessions this would result in
-channels seeming stuck and new connections not being accepted.
-
-We don't need to monitor for flushing failures since we can't report errors, so
-SO_LINGER wasn't useful.
-
-Thanks to GektorUA for reporting and testing
-
-Fixes #230
----
- netio.c | 4 ----
- 1 file changed, 4 deletions(-)
-
---- a/netio.c
-+++ b/netio.c
-@@ -472,7 +472,6 @@ int dropbear_listen(const char* address,
-       struct addrinfo hints, *res = NULL, *res0 = NULL;
-       int err;
-       unsigned int nsock;
--      struct linger linger;
-       int val;
-       int sock;
-       uint16_t *allocated_lport_p = NULL;
-@@ -551,9 +550,6 @@ int dropbear_listen(const char* address,
-               val = 1;
-               /* set to reuse, quick timeout */
-               setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void*) &val, sizeof(val));
--              linger.l_onoff = 1;
--              linger.l_linger = 5;
--              setsockopt(sock, SOL_SOCKET, SO_LINGER, (void*)&linger, sizeof(linger));
- #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
-               if (res->ai_family == AF_INET6) {
diff --git a/package/network/services/dropbear/patches/011-add-option-to-bind-to-interface.patch b/package/network/services/dropbear/patches/011-add-option-to-bind-to-interface.patch
deleted file mode 100644 (file)
index d1c1fa4..0000000
+++ /dev/null
@@ -1,147 +0,0 @@
-From fb64db9eac3fdc6434f2dc7b5ea407fe5df76e6f Mon Sep 17 00:00:00 2001
-From: Diederik De Coninck <diederik.deconinck_ext@softathome.com>
-Date: Tue, 11 Apr 2023 15:38:04 +0200
-Subject: Add option to bind to interface
-
----
- netio.c       | 13 +++++++++++--
- netio.h       |  2 +-
- runopts.h     |  1 +
- svr-main.c    |  2 +-
- svr-runopts.c |  9 +++++++++
- svr-tcpfwd.c  |  1 +
- tcp-accept.c  |  2 +-
- tcpfwd.h      |  1 +
- 8 files changed, 26 insertions(+), 5 deletions(-)
-
---- a/netio.c
-+++ b/netio.c
-@@ -467,7 +467,7 @@ int get_sock_port(int sock) {
-  * failure, if errstring wasn't NULL, it'll be a newly malloced error
-  * string.*/
- int dropbear_listen(const char* address, const char* port,
--              int *socks, unsigned int sockcount, char **errstring, int *maxfd) {
-+              int *socks, unsigned int sockcount, char **errstring, int *maxfd, const char* interface) {
-       struct addrinfo hints, *res = NULL, *res0 = NULL;
-       int err;
-@@ -497,7 +497,11 @@ int dropbear_listen(const char* address,
-               TRACE(("dropbear_listen: local loopback"))
-       } else {
-               if (address[0] == '\0') {
--                      TRACE(("dropbear_listen: all interfaces"))
-+                      if (interface) {
-+                              TRACE(("dropbear_listen: %s", interface))
-+                      } else {
-+                              TRACE(("dropbear_listen: all interfaces"))
-+                      }
-                       address = NULL;
-               }
-               hints.ai_flags = AI_PASSIVE;
-@@ -551,6 +555,11 @@ int dropbear_listen(const char* address,
-               /* set to reuse, quick timeout */
-               setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void*) &val, sizeof(val));
-+              if(interface && setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE, interface, strlen(interface)) < 0) {
-+                      dropbear_log(LOG_WARNING, "Couldn't set SO_BINDTODEVICE");
-+                      TRACE(("Failed setsockopt with errno failure, %d %s", errno, strerror(errno)))
-+              }
-+
- #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
-               if (res->ai_family == AF_INET6) {
-                       int on = 1;
---- a/netio.h
-+++ b/netio.h
-@@ -19,7 +19,7 @@ void get_socket_address(int fd, char **l
- void getaddrstring(struct sockaddr_storage* addr, 
-               char **ret_host, char **ret_port, int host_lookup);
- int dropbear_listen(const char* address, const char* port,
--              int *socks, unsigned int sockcount, char **errstring, int *maxfd);
-+              int *socks, unsigned int sockcount, char **errstring, int *maxfd, const char* interface);
- struct dropbear_progress_connection;
---- a/runopts.h
-+++ b/runopts.h
-@@ -128,6 +128,7 @@ typedef struct svr_runopts {
-       char * pidfile;
-       char * forced_command;
-+      char* interface;
- #if DROPBEAR_PLUGIN 
-       /* malloced */
---- a/svr-main.c
-+++ b/svr-main.c
-@@ -488,7 +488,7 @@ static size_t listensockets(int *socks,
-               nsock = dropbear_listen(svr_opts.addresses[i], svr_opts.ports[i], &socks[sockpos], 
-                               sockcount - sockpos,
--                              &errstring, maxfd);
-+                              &errstring, maxfd, svr_opts.interface);
-               if (nsock < 0) {
-                       dropbear_log(LOG_WARNING, "Failed listening on '%s': %s", 
---- a/svr-runopts.c
-+++ b/svr-runopts.c
-@@ -98,6 +98,8 @@ static void printhelp(const char * progn
-                                       "               (default port is %s if none specified)\n"
-                                       "-P PidFile     Create pid file PidFile\n"
-                                       "               (default %s)\n"
-+                                      "-l <interface>\n"
-+                                      "               interface to bind on\n"
- #if INETD_MODE
-                                       "-i             Start for inetd\n"
- #endif
-@@ -265,6 +267,9 @@ void svr_getopts(int argc, char ** argv)
-                               case 'P':
-                                       next = &svr_opts.pidfile;
-                                       break;
-+                              case 'l':
-+                                      next = &svr_opts.interface;
-+                                      break;
- #if DO_MOTD
-                               /* motd is displayed by default, -m turns it off */
-                               case 'm':
-@@ -438,6 +443,10 @@ void svr_getopts(int argc, char ** argv)
-               dropbear_log(LOG_INFO, "Forced command set to '%s'", svr_opts.forced_command);
-       }
-+      if (svr_opts.interface) {
-+              dropbear_log(LOG_INFO, "Binding to interface '%s'", svr_opts.interface);
-+      }
-+
-       if (reexec_fd_arg) {
-               if (m_str_to_uint(reexec_fd_arg, &svr_opts.reexec_childpipe) == DROPBEAR_FAILURE
-                       || svr_opts.reexec_childpipe < 0) {
---- a/svr-tcpfwd.c
-+++ b/svr-tcpfwd.c
-@@ -205,6 +205,7 @@ static int svr_remotetcpreq(int *allocat
-       tcpinfo->listenport = port;
-       tcpinfo->chantype = &svr_chan_tcpremote;
-       tcpinfo->tcp_type = forwarded;
-+      tcpinfo->interface = svr_opts.interface;
-       tcpinfo->request_listenaddr = request_addr;
-       if (!opts.listen_fwd_all || (strcmp(request_addr, "localhost") == 0) ) {
---- a/tcp-accept.c
-+++ b/tcp-accept.c
-@@ -117,7 +117,7 @@ int listen_tcpfwd(struct TCPListener* tc
-       snprintf(portstring, sizeof(portstring), "%u", tcpinfo->listenport);
-       nsocks = dropbear_listen(tcpinfo->listenaddr, portstring, socks, 
--                      DROPBEAR_MAX_SOCKS, &errstring, &ses.maxfd);
-+                      DROPBEAR_MAX_SOCKS, &errstring, &ses.maxfd, tcpinfo->interface);
-       if (nsocks < 0) {
-               dropbear_log(LOG_INFO, "TCP forward failed: %s", errstring);
-               m_free(errstring);
---- a/tcpfwd.h
-+++ b/tcpfwd.h
-@@ -42,6 +42,7 @@ struct TCPListener {
-       unsigned int listenport;
-       /* The address that the remote host asked to listen on */
-       char *request_listenaddr;
-+      char* interface;
-       const struct ChanType *chantype;
-       enum {direct, forwarded} tcp_type;
diff --git a/package/network/services/dropbear/patches/012-add-ifdef-guards-for-SO_BINDTODEVICE.patch b/package/network/services/dropbear/patches/012-add-ifdef-guards-for-SO_BINDTODEVICE.patch
deleted file mode 100644 (file)
index 11f902b..0000000
+++ /dev/null
@@ -1,50 +0,0 @@
-From 031d09b47912b2401f4934667c0b6f857ede61ee Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Tue, 18 Jul 2023 23:20:16 +0800
-Subject: Add ifdef guards for SO_BINDTODEVICE
-
----
- netio.c       | 2 ++
- svr-runopts.c | 4 ++++
- 2 files changed, 6 insertions(+)
-
---- a/netio.c
-+++ b/netio.c
-@@ -555,10 +555,12 @@ int dropbear_listen(const char* address,
-               /* set to reuse, quick timeout */
-               setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void*) &val, sizeof(val));
-+#ifdef SO_BINDTODEVICE
-               if(interface && setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE, interface, strlen(interface)) < 0) {
-                       dropbear_log(LOG_WARNING, "Couldn't set SO_BINDTODEVICE");
-                       TRACE(("Failed setsockopt with errno failure, %d %s", errno, strerror(errno)))
-               }
-+#endif
- #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY)
-               if (res->ai_family == AF_INET6) {
---- a/svr-runopts.c
-+++ b/svr-runopts.c
-@@ -98,8 +98,10 @@ static void printhelp(const char * progn
-                                       "               (default port is %s if none specified)\n"
-                                       "-P PidFile     Create pid file PidFile\n"
-                                       "               (default %s)\n"
-+#ifdef SO_BINDTODEVICE
-                                       "-l <interface>\n"
-                                       "               interface to bind on\n"
-+#endif
- #if INETD_MODE
-                                       "-i             Start for inetd\n"
- #endif
-@@ -267,9 +269,11 @@ void svr_getopts(int argc, char ** argv)
-                               case 'P':
-                                       next = &svr_opts.pidfile;
-                                       break;
-+#ifdef SO_BINDTODEVICE
-                               case 'l':
-                                       next = &svr_opts.interface;
-                                       break;
-+#endif
- #if DO_MOTD
-                               /* motd is displayed by default, -m turns it off */
-                               case 'm':
diff --git a/package/network/services/dropbear/patches/013-make-banner-reading-failure-non-fatal.patch b/package/network/services/dropbear/patches/013-make-banner-reading-failure-non-fatal.patch
deleted file mode 100644 (file)
index 531215c..0000000
+++ /dev/null
@@ -1,74 +0,0 @@
-From 62a06cd95f58060a59359f8769c3f35cd680d4fd Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Sun, 23 Jul 2023 21:01:48 +0800
-Subject: Make banner reading failure non-fatal
-
----
- svr-runopts.c | 45 ++++++++++++++++++++++++++++-----------------
- 1 file changed, 28 insertions(+), 17 deletions(-)
-
---- a/svr-runopts.c
-+++ b/svr-runopts.c
-@@ -38,6 +38,7 @@ static void printhelp(const char * progn
- static void addportandaddress(const char* spec);
- static void loadhostkey(const char *keyfile, int fatal_duplicate);
- static void addhostkey(const char *keyfile);
-+static void load_banner();
- static void printhelp(const char * progname) {
-@@ -382,23 +383,7 @@ void svr_getopts(int argc, char ** argv)
-       }
-       if (svr_opts.bannerfile) {
--              struct stat buf;
--              if (stat(svr_opts.bannerfile, &buf) != 0) {
--                      dropbear_exit("Error opening banner file '%s'",
--                                      svr_opts.bannerfile);
--              }
--              
--              if (buf.st_size > MAX_BANNER_SIZE) {
--                      dropbear_exit("Banner file too large, max is %d bytes",
--                                      MAX_BANNER_SIZE);
--              }
--
--              svr_opts.banner = buf_new(buf.st_size);
--              if (buf_readfile(svr_opts.banner, svr_opts.bannerfile)!=DROPBEAR_SUCCESS) {
--                      dropbear_exit("Error reading banner file '%s'",
--                                      svr_opts.bannerfile);
--              }
--              buf_setpos(svr_opts.banner, 0);
-+              load_banner();
-       }
- #ifdef HAVE_GETGROUPLIST
-@@ -715,3 +700,29 @@ void load_all_hostkeys() {
-               dropbear_exit("No hostkeys available. 'dropbear -R' may be useful or run dropbearkey.");
-       }
- }
-+
-+static void load_banner() {
-+      struct stat buf;
-+      if (stat(svr_opts.bannerfile, &buf) != 0) {
-+              dropbear_log(LOG_WARNING, "Error opening banner file '%s'",
-+                              svr_opts.bannerfile);
-+              return;
-+      }
-+
-+      if (buf.st_size > MAX_BANNER_SIZE) {
-+              dropbear_log(LOG_WARNING, "Banner file too large, max is %d bytes",
-+                              MAX_BANNER_SIZE);
-+              return;
-+      }
-+
-+      svr_opts.banner = buf_new(buf.st_size);
-+      if (buf_readfile(svr_opts.banner, svr_opts.bannerfile) != DROPBEAR_SUCCESS) {
-+              dropbear_log(LOG_WARNING, "Error reading banner file '%s'",
-+                              svr_opts.bannerfile);
-+              buf_free(svr_opts.banner);
-+              svr_opts.banner = NULL;
-+              return;
-+      }
-+      buf_setpos(svr_opts.banner, 0);
-+
-+}
diff --git a/package/network/services/dropbear/patches/014-dropbearkey-ignore-unsupported-command-line-option.patch b/package/network/services/dropbear/patches/014-dropbearkey-ignore-unsupported-command-line-option.patch
deleted file mode 100644 (file)
index ff130f8..0000000
+++ /dev/null
@@ -1,60 +0,0 @@
-From ec26975d442163b66d1646a48e022bc8c2f1607a Mon Sep 17 00:00:00 2001
-From: Sergey Ponomarev <stokito@gmail.com>
-Date: Sun, 27 Aug 2023 00:07:05 +0300
-Subject: dropbearkey.c Ignore unsupported command line options
-
-To generate non interactively a key with OpenSSH the simplest command is:
-
-ssh-keygen -t ed25519 -q -N '' -f ~/.ssh/id_ed25519
-
-The command has two options -q quiet and -N passphrase which aren't supported by the dropbearkey.
-
-To improve interoperability add explicit ignoring of the -q and -N with empty passphrase.
-Also ignore the -v even if the DEBUG_TRACE is not set.
-
-Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
----
- dropbearkey.c | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
---- a/dropbearkey.c
-+++ b/dropbearkey.c
-@@ -159,6 +159,7 @@ int main(int argc, char ** argv) {
-       enum signkey_type keytype = DROPBEAR_SIGNKEY_NONE;
-       char * typetext = NULL;
-       char * sizetext = NULL;
-+      char * passphrase = NULL;
-       unsigned int bits = 0, genbits;
-       int printpub = 0;
-@@ -194,11 +195,16 @@ int main(int argc, char ** argv) {
-                                       printhelp(argv[0]);
-                                       exit(EXIT_SUCCESS);
-                                       break;
--#if DEBUG_TRACE
-                               case 'v':
-+#if DEBUG_TRACE
-                                       debug_trace = DROPBEAR_VERBOSE_LEVEL;
--                                      break;
- #endif
-+                                      break;
-+                              case 'q':
-+                                      break;  /* quiet is default */
-+                              case 'N':
-+                                      next = &passphrase;
-+                                      break;
-                               default:
-                                       fprintf(stderr, "Unknown argument %s\n", argv[i]);
-                                       printhelp(argv[0]);
-@@ -266,6 +272,11 @@ int main(int argc, char ** argv) {
-               check_signkey_bits(keytype, bits);;
-       }
-+      if (passphrase && *passphrase != '\0') {
-+              fprintf(stderr, "Only empty passphrase is supported\n");
-+              exit(EXIT_FAILURE);
-+      }
-+
-       genbits = signkey_generate_get_bits(keytype, bits);
-       fprintf(stderr, "Generating %u bit %s key, this may take a while...\n", genbits, typetext);
-       if (signkey_generate(keytype, bits, filename, 0) == DROPBEAR_FAILURE)
diff --git a/package/network/services/dropbear/patches/015-libtommath-fix-possible-integer-overflow.patch b/package/network/services/dropbear/patches/015-libtommath-fix-possible-integer-overflow.patch
deleted file mode 100644 (file)
index f39417a..0000000
+++ /dev/null
@@ -1,121 +0,0 @@
-From 3b576d95dcf791d7b945e75f639da8f89c1685a2 Mon Sep 17 00:00:00 2001
-From: czurnieden <czurnieden@gmx.de>
-Date: Tue, 9 May 2023 17:17:12 +0200
-Subject: Fix possible integer overflow
-
----
- libtommath/bn_mp_2expt.c                | 4 ++++
- libtommath/bn_mp_grow.c                 | 4 ++++
- libtommath/bn_mp_init_size.c            | 5 +++++
- libtommath/bn_mp_mul_2d.c               | 4 ++++
- libtommath/bn_s_mp_mul_digs.c           | 4 ++++
- libtommath/bn_s_mp_mul_digs_fast.c      | 4 ++++
- libtommath/bn_s_mp_mul_high_digs.c      | 4 ++++
- libtommath/bn_s_mp_mul_high_digs_fast.c | 4 ++++
- 8 files changed, 33 insertions(+)
-
---- a/libtommath/bn_mp_2expt.c
-+++ b/libtommath/bn_mp_2expt.c
-@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b)
- {
-    mp_err    err;
-+   if (b < 0) {
-+      return MP_VAL;
-+   }
-+
-    /* zero a as per default */
-    mp_zero(a);
---- a/libtommath/bn_mp_grow.c
-+++ b/libtommath/bn_mp_grow.c
-@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size)
-    int     i;
-    mp_digit *tmp;
-+   if (size < 0) {
-+      return MP_VAL;
-+   }
-+
-    /* if the alloc size is smaller alloc more ram */
-    if (a->alloc < size) {
-       /* reallocate the array a->dp
---- a/libtommath/bn_mp_init_size.c
-+++ b/libtommath/bn_mp_init_size.c
-@@ -6,6 +6,11 @@
- /* init an mp_init for a given size */
- mp_err mp_init_size(mp_int *a, int size)
- {
-+
-+   if (size < 0) {
-+      return MP_VAL;
-+   }
-+
-    size = MP_MAX(MP_MIN_PREC, size);
-    /* alloc mem */
---- a/libtommath/bn_mp_mul_2d.c
-+++ b/libtommath/bn_mp_mul_2d.c
-@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b,
-    mp_digit d;
-    mp_err   err;
-+   if (b < 0) {
-+      return MP_VAL;
-+   }
-+
-    /* copy */
-    if (a != c) {
-       if ((err = mp_copy(a, c)) != MP_OKAY) {
---- a/libtommath/bn_s_mp_mul_digs.c
-+++ b/libtommath/bn_s_mp_mul_digs.c
-@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, co
-    mp_word r;
-    mp_digit tmpx, *tmpt, *tmpy;
-+   if (digs < 0) {
-+      return MP_VAL;
-+   }
-+
-    /* can we use the fast multiplier? */
-    if ((digs < MP_WARRAY) &&
-        (MP_MIN(a->used, b->used) < MP_MAXFAST)) {
---- a/libtommath/bn_s_mp_mul_digs_fast.c
-+++ b/libtommath/bn_s_mp_mul_digs_fast.c
-@@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int *
-    mp_digit W[MP_WARRAY];
-    mp_word  _W;
-+   if (digs < 0) {
-+      return MP_VAL;
-+   }
-+
-    /* grow the destination as required */
-    if (c->alloc < digs) {
-       if ((err = mp_grow(c, digs)) != MP_OKAY) {
---- a/libtommath/bn_s_mp_mul_high_digs.c
-+++ b/libtommath/bn_s_mp_mul_high_digs.c
-@@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int *
-    mp_word  r;
-    mp_digit tmpx, *tmpt, *tmpy;
-+   if (digs < 0) {
-+      return MP_VAL;
-+   }
-+
-    /* can we use the fast multiplier? */
-    if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST)
-        && ((a->used + b->used + 1) < MP_WARRAY)
---- a/libtommath/bn_s_mp_mul_high_digs_fast.c
-+++ b/libtommath/bn_s_mp_mul_high_digs_fast.c
-@@ -19,6 +19,10 @@ mp_err s_mp_mul_high_digs_fast(const mp_
-    mp_digit W[MP_WARRAY];
-    mp_word  _W;
-+   if (digs < 0) {
-+      return MP_VAL;
-+   }
-+
-    /* grow the destination as required */
-    pa = a->used + b->used;
-    if (c->alloc < pa) {
diff --git a/package/network/services/dropbear/patches/016-src-svr-tcpfwd-Fix-noremotetcp-behavior.patch b/package/network/services/dropbear/patches/016-src-svr-tcpfwd-Fix-noremotetcp-behavior.patch
deleted file mode 100644 (file)
index b693312..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-From 3cf8344769eda55e26eee53c1898b2c66544f188 Mon Sep 17 00:00:00 2001
-From: Justin Chen <justin.chen@broadcom.com>
-Date: Fri, 8 Sep 2023 11:35:18 -0700
-Subject: src: svr-tcpfwd: Fix noremotetcp behavior
-
-If noremotetcp is set, we should still reply with
-send_msg_request_failed. This matches the behavior
-of !DROPBEAR_SVR_REMOTETCPFWD.
-
-We were seeing keepalive packets being ignored when
-the "-k" option was used.
----
- svr-tcpfwd.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
---- a/svr-tcpfwd.c
-+++ b/svr-tcpfwd.c
-@@ -79,14 +79,14 @@ void recv_msg_global_request_remotetcp()
-       TRACE(("enter recv_msg_global_request_remotetcp"))
-+      reqname = buf_getstring(ses.payload, &namelen);
-+      wantreply = buf_getbool(ses.payload);
-+
-       if (svr_opts.noremotetcp || !svr_pubkey_allows_tcpfwd()) {
-               TRACE(("leave recv_msg_global_request_remotetcp: remote tcp forwarding disabled"))
-               goto out;
-       }
--      reqname = buf_getstring(ses.payload, &namelen);
--      wantreply = buf_getbool(ses.payload);
--
-       if (namelen > MAX_NAME_LEN) {
-               TRACE(("name len is wrong: %d", namelen))
-               goto out;
diff --git a/package/network/services/dropbear/patches/017-Don-t-try-to-shutdown-a-pty.patch b/package/network/services/dropbear/patches/017-Don-t-try-to-shutdown-a-pty.patch
deleted file mode 100644 (file)
index 603c61d..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-From e28ba1b9975eab48799aa3ed77d3cd91627d7b27 Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Sat, 9 Dec 2023 23:10:41 +0800
-Subject: Don't try to shutdown() a pty
-
-shutdown() of a pty doesn't work (ENOTSOCK), so we should close
-it instead.
-
-This will ensure that PTY controlling terminals are closed when a
-session exits, including when multiple sessions run over a single SSH
-connection.  In the normal case of a single session, the PTY controlling
-terminal would be closed when the Dropbear server process exits anyway.
-
-This possibly fixes #264 on github
-
-It is possible that there could be subtle changes to PTY flushing
-behaviour, though nothing caught by tests at present.
----
- svr-chansession.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/svr-chansession.c
-+++ b/svr-chansession.c
-@@ -910,7 +910,7 @@ static int ptycommand(struct Channel *ch
-               channel->readfd = chansess->master;
-               /* don't need to set stderr here */
-               ses.maxfd = MAX(ses.maxfd, chansess->master);
--              channel->bidir_fd = 1;
-+              channel->bidir_fd = 0;
-               setnonblocking(chansess->master);
diff --git a/package/network/services/dropbear/patches/018-dropbearkey-add-alias-to-ssh-keygen.patch b/package/network/services/dropbear/patches/018-dropbearkey-add-alias-to-ssh-keygen.patch
deleted file mode 100644 (file)
index 9c70c31..0000000
+++ /dev/null
@@ -1,33 +0,0 @@
-From 806586b585806cbe32013bcd3af3847278972060 Mon Sep 17 00:00:00 2001
-From: Sergey Ponomarev <stokito@gmail.com>
-Date: Sun, 10 Dec 2023 10:31:56 +0200
-Subject: dropbearkey: add alias to ssh-keygen
-
-The dropbearkey is partially compatible with ssh-keygen and can be used as an alias.
-
-Closes: #263
----
- dbmulti.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
---- a/dbmulti.c
-+++ b/dbmulti.c
-@@ -41,7 +41,8 @@ static int runprog(const char *multipath
-               }
- #endif
- #ifdef DBMULTI_dropbearkey
--              if (strcmp(progname, "dropbearkey") == 0) {
-+              if (strcmp(progname, "dropbearkey") == 0
-+                              || strcmp(progname, "ssh-keygen") == 0) {
-                       return dropbearkey_main(argc, argv);
-               }
- #endif
-@@ -88,7 +89,7 @@ int main(int argc, char ** argv) {
-                       "'dbclient' or 'ssh' - the Dropbear client\n"
- #endif
- #ifdef DBMULTI_dropbearkey
--                      "'dropbearkey' - the key generator\n"
-+                      "'dropbearkey' or 'ssh-keygen' - the key generator\n"
- #endif
- #ifdef DBMULTI_dropbearconvert
-                       "'dropbearconvert' - the key converter\n"
diff --git a/package/network/services/dropbear/patches/019-Allow-inetd-with-non-syslog.patch b/package/network/services/dropbear/patches/019-Allow-inetd-with-non-syslog.patch
deleted file mode 100644 (file)
index 3544f21..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-From 383cc8c97a9420aad9cf93d88e77ec636b183a9d Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Mon, 11 Dec 2023 23:18:09 +0800
-Subject: Allow inetd with non-syslog
-
-An inetd-alike should be able to distinguish stdout and stderr, so
-it's a valid configuration.
-
-Fixes #218 on github
----
- svr-runopts.c | 12 ------------
- 1 file changed, 12 deletions(-)
-
---- a/svr-runopts.c
-+++ b/svr-runopts.c
-@@ -443,18 +443,6 @@ void svr_getopts(int argc, char ** argv)
-               }
-       }
--#if INETD_MODE
--      if (svr_opts.inetdmode && (
--              opts.usingsyslog == 0
--#if DEBUG_TRACE
--              || debug_trace
--#endif
--              )) {
--              /* log output goes to stderr which would get sent over the inetd network socket */
--              dropbear_exit("Dropbear inetd mode is incompatible with debug -v or non-syslog");
--      }
--#endif
--
-       if (svr_opts.multiauthmethod && svr_opts.noauthpass) {
-               dropbear_exit("-t and -s are incompatible");
-       }
diff --git a/package/network/services/dropbear/patches/020-Fix-test-for-multiuser-kernels.patch b/package/network/services/dropbear/patches/020-Fix-test-for-multiuser-kernels.patch
deleted file mode 100644 (file)
index 8d016fa..0000000
+++ /dev/null
@@ -1,33 +0,0 @@
-From 9ac650401ffc2fb05c9328d26e76a5e7ae39152a Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Mon, 11 Dec 2023 23:31:22 +0800
-Subject: Fix test for multiuser kernels
-
-getuid() succeeds even on non-multiuser kernels. Instead
-getgroups() is a valid test.
-
-Fixes #214 on github
----
- common-session.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
---- a/common-session.c
-+++ b/common-session.c
-@@ -71,10 +71,13 @@ void common_session_init(int sock_in, in
- #if !DROPBEAR_SVR_MULTIUSER
-       /* A sanity check to prevent an accidental configuration option
-          leaving multiuser systems exposed */
--      errno = 0;
--      getuid();
--      if (errno != ENOSYS) {
--              dropbear_exit("Non-multiuser Dropbear requires a non-multiuser kernel");
-+      {
-+              int ret;
-+              errno = 0;
-+              ret = getgroups(0, NULL);
-+              if (!(ret == -1 && errno == ENOSYS)) {
-+                      dropbear_exit("Non-multiuser Dropbear requires a non-multiuser kernel");
-+              }
-       }
- #endif
diff --git a/package/network/services/dropbear/patches/021-Implement-Strict-KEX-mode.patch b/package/network/services/dropbear/patches/021-Implement-Strict-KEX-mode.patch
deleted file mode 100644 (file)
index d490d95..0000000
+++ /dev/null
@@ -1,216 +0,0 @@
-From 6e43be5c7b99dbee49dc72b6f989f29fdd7e9356 Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Mon, 20 Nov 2023 14:02:47 +0800
-Subject: Implement Strict KEX mode
-
-As specified by OpenSSH with kex-strict-c-v00@openssh.com and
-kex-strict-s-v00@openssh.com.
----
- cli-session.c    | 11 +++++++++++
- common-algo.c    |  6 ++++++
- common-kex.c     | 26 +++++++++++++++++++++++++-
- kex.h            |  3 +++
- process-packet.c | 34 +++++++++++++++++++---------------
- ssh.h            |  4 ++++
- svr-session.c    |  3 +++
- 7 files changed, 71 insertions(+), 16 deletions(-)
-
---- a/cli-session.c
-+++ b/cli-session.c
-@@ -46,6 +46,7 @@ static void cli_finished(void) ATTRIB_NO
- static void recv_msg_service_accept(void);
- static void cli_session_cleanup(void);
- static void recv_msg_global_request_cli(void);
-+static void cli_algos_initialise(void);
- struct clientsession cli_ses; /* GLOBAL */
-@@ -117,6 +118,7 @@ void cli_session(int sock_in, int sock_o
-       }
-       chaninitialise(cli_chantypes);
-+      cli_algos_initialise();
-       /* Set up cli_ses vars */
-       cli_session_init(proxy_cmd_pid);
-@@ -487,3 +489,12 @@ void cli_dropbear_log(int priority, cons
-       fflush(stderr);
- }
-+static void cli_algos_initialise(void) {
-+      algo_type *algo;
-+      for (algo = sshkex; algo->name; algo++) {
-+              if (strcmp(algo->name, SSH_STRICT_KEX_S) == 0) {
-+                      algo->usable = 0;
-+              }
-+      }
-+}
-+
---- a/common-algo.c
-+++ b/common-algo.c
-@@ -308,6 +308,12 @@ algo_type sshkex[] = {
-       {SSH_EXT_INFO_C, 0, NULL, 1, NULL},
- #endif
- #endif
-+#if DROPBEAR_CLIENT
-+      {SSH_STRICT_KEX_C, 0, NULL, 1, NULL},
-+#endif
-+#if DROPBEAR_SERVER
-+      {SSH_STRICT_KEX_S, 0, NULL, 1, NULL},
-+#endif
-       {NULL, 0, NULL, 0, NULL}
- };
---- a/common-kex.c
-+++ b/common-kex.c
-@@ -183,6 +183,10 @@ void send_msg_newkeys() {
-       gen_new_keys();
-       switch_keys();
-+      if (ses.kexstate.strict_kex) {
-+              ses.transseq = 0;
-+      }
-+
-       TRACE(("leave send_msg_newkeys"))
- }
-@@ -193,7 +197,11 @@ void recv_msg_newkeys() {
-       ses.kexstate.recvnewkeys = 1;
-       switch_keys();
--      
-+
-+      if (ses.kexstate.strict_kex) {
-+              ses.recvseq = 0;
-+      }
-+
-       TRACE(("leave recv_msg_newkeys"))
- }
-@@ -550,6 +558,10 @@ void recv_msg_kexinit() {
-       ses.kexstate.recvkexinit = 1;
-+      if (ses.kexstate.strict_kex && !ses.kexstate.donefirstkex && ses.recvseq != 1) {
-+              dropbear_exit("First packet wasn't kexinit");
-+      }
-+
-       TRACE(("leave recv_msg_kexinit"))
- }
-@@ -859,6 +871,18 @@ static void read_kex_algos() {
-       }
- #endif
-+      if (!ses.kexstate.donefirstkex) {
-+              const char* strict_name;
-+              if (IS_DROPBEAR_CLIENT) {
-+                      strict_name = SSH_STRICT_KEX_S;
-+              } else {
-+                      strict_name = SSH_STRICT_KEX_C;
-+              }
-+              if (buf_has_algo(ses.payload, strict_name) == DROPBEAR_SUCCESS) {
-+                      ses.kexstate.strict_kex = 1;
-+              }
-+      }
-+
-       algo = buf_match_algo(ses.payload, sshkex, kexguess2, &goodguess);
-       allgood &= goodguess;
-       if (algo == NULL || algo->data == NULL) {
---- a/kex.h
-+++ b/kex.h
-@@ -83,6 +83,9 @@ struct KEXState {
-       unsigned our_first_follows_matches : 1;
-+      /* Boolean indicating that strict kex mode is in use */
-+      unsigned int strict_kex;
-+
-       time_t lastkextime; /* time of the last kex */
-       unsigned int datatrans; /* data transmitted since last kex */
-       unsigned int datarecv; /* data received since last kex */
---- a/process-packet.c
-+++ b/process-packet.c
-@@ -44,6 +44,7 @@ void process_packet() {
-       unsigned char type;
-       unsigned int i;
-+      unsigned int first_strict_kex = ses.kexstate.strict_kex && !ses.kexstate.donefirstkex;
-       time_t now;
-       TRACE2(("enter process_packet"))
-@@ -54,22 +55,24 @@ void process_packet() {
-       now = monotonic_now();
-       ses.last_packet_time_keepalive_recv = now;
--      /* These packets we can receive at any time */
--      switch(type) {
--              case SSH_MSG_IGNORE:
--                      goto out;
--              case SSH_MSG_DEBUG:
--                      goto out;
--
--              case SSH_MSG_UNIMPLEMENTED:
--                      /* debugging XXX */
--                      TRACE(("SSH_MSG_UNIMPLEMENTED"))
--                      goto out;
--                      
--              case SSH_MSG_DISCONNECT:
--                      /* TODO cleanup? */
--                      dropbear_close("Disconnect received");
-+      if (type == SSH_MSG_DISCONNECT) {
-+              /* Allowed at any time */
-+              dropbear_close("Disconnect received");
-+      }
-+
-+      /* These packets may be received at any time,
-+         except during first kex with strict kex */
-+      if (!first_strict_kex) {
-+              switch(type) {
-+                      case SSH_MSG_IGNORE:
-+                              goto out;
-+                      case SSH_MSG_DEBUG:
-+                              goto out;
-+                      case SSH_MSG_UNIMPLEMENTED:
-+                              TRACE(("SSH_MSG_UNIMPLEMENTED"))
-+                              goto out;
-+              }
-       }
-       /* Ignore these packet types so that keepalives don't interfere with
-@@ -98,7 +101,8 @@ void process_packet() {
-                       if (type >= 1 && type <= 49
-                               && type != SSH_MSG_SERVICE_REQUEST
-                               && type != SSH_MSG_SERVICE_ACCEPT
--                              && type != SSH_MSG_KEXINIT)
-+                              && type != SSH_MSG_KEXINIT
-+                              && !first_strict_kex)
-                       {
-                               TRACE(("unknown allowed packet during kexinit"))
-                               recv_unimplemented();
---- a/ssh.h
-+++ b/ssh.h
-@@ -100,6 +100,10 @@
- #define SSH_EXT_INFO_C "ext-info-c"
- #define SSH_SERVER_SIG_ALGS "server-sig-algs"
-+/* OpenSSH strict KEX feature */
-+#define SSH_STRICT_KEX_S "kex-strict-s-v00@openssh.com"
-+#define SSH_STRICT_KEX_C "kex-strict-c-v00@openssh.com"
-+
- /* service types */
- #define SSH_SERVICE_USERAUTH "ssh-userauth"
- #define SSH_SERVICE_USERAUTH_LEN 12
---- a/svr-session.c
-+++ b/svr-session.c
-@@ -370,6 +370,9 @@ static void svr_algos_initialise(void) {
-                       algo->usable = 0;
-               }
- #endif
-+              if (strcmp(algo->name, SSH_STRICT_KEX_C) == 0) {
-+                      algo->usable = 0;
-+              }
-       }
- }
index b1075f84642ce7affb9c93db9e30c87ca4357843..0ecca900b44ca944cb9ecd5d6c62735a27cfb2a9 100644 (file)
@@ -1,5 +1,5 @@
---- a/svr-authpubkey.c
-+++ b/svr-authpubkey.c
+--- a/src/svr-authpubkey.c
++++ b/src/svr-authpubkey.c
 @@ -78,6 +78,13 @@ static void send_msg_userauth_pk_ok(cons
                const unsigned char* keyblob, unsigned int keybloblen);
  static int checkfileperm(char * filename);
index 04d1df3fdeb2ec3fac02961070617f117eca2cee..9cb073cf940d46779ef99fc98ad891d6b82fbff5 100644 (file)
@@ -1,6 +1,6 @@
---- a/svr-chansession.c
-+++ b/svr-chansession.c
-@@ -985,12 +985,12 @@ static void execchild(const void *user_d
+--- a/src/svr-chansession.c
++++ b/src/svr-chansession.c
+@@ -987,12 +987,12 @@ static void execchild(const void *user_d
        /* We can only change uid/gid as root ... */
        if (getuid() == 0) {
  
index a26f33dfbcebca126f344df5c87411dad9d81a7a..de0e5f2725c637f426e17d6eaff43bab374f3ab8 100644 (file)
@@ -1,6 +1,6 @@
---- a/cli-runopts.c
-+++ b/cli-runopts.c
-@@ -329,6 +329,10 @@ void cli_getopts(int argc, char ** argv)
+--- a/src/cli-runopts.c
++++ b/src/cli-runopts.c
+@@ -340,6 +340,10 @@ void cli_getopts(int argc, char ** argv)
                                case 'z':
                                        opts.disable_ip_tos = 1;
                                        break;
index af01573dee58bff144a0dae5c47a26ff9cb29eaa..eb590a3895485ff234f1b447bd741eccf51c14b4 100644 (file)
@@ -1,5 +1,5 @@
---- a/dbutil.h
-+++ b/dbutil.h
+--- a/src/dbutil.h
++++ b/src/dbutil.h
 @@ -80,7 +80,11 @@ int m_snprintf(char *str, size_t size, c
  #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  
index fd80b986ae2de6154e1c2f6878d75c30876f618d..1f3b298f3527bde3007d620d094952df6510fdbc 100644 (file)
@@ -1,6 +1,6 @@
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -200,17 +200,17 @@ dropbearkey: $(dropbearkeyobjs)
+@@ -220,17 +220,17 @@ dropbearkey: $(dropbearkeyobjs)
  dropbearconvert: $(dropbearconvertobjs)
  
  dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile
@@ -22,7 +22,7 @@
  
  
  # multi-binary compilation.
-@@ -221,7 +221,7 @@ ifeq ($(MULTI),1)
+@@ -241,7 +241,7 @@ ifeq ($(MULTI),1)
  endif
  
  dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile
index 07ae0227631ede181e88542636a3640d668406fa..e72458dd6e346c0e963a3df1d768c8166984f16b 100644 (file)
@@ -1,5 +1,5 @@
---- a/svr-auth.c
-+++ b/svr-auth.c
+--- a/src/svr-auth.c
++++ b/src/svr-auth.c
 @@ -124,7 +124,7 @@ void recv_msg_userauth_request() {
                                AUTH_METHOD_NONE_LEN) == 0) {
                TRACE(("recv_msg_userauth_request: 'none' request"))
index 5dc84849befdc86f62137261e03192bb7bc20849..746694f48dcf635646a74b53e7d46a410a41987c 100644 (file)
@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -87,54 +87,6 @@ AC_ARG_ENABLE(harden,
+@@ -86,54 +86,6 @@ AC_ARG_ENABLE(harden,
  
  if test "$hardenbuild" -eq 1; then
        AC_MSG_NOTICE(Checking for available hardened build flags:)
index a9a441ce76e69cf37ebedb132b289fd2dbdc46f3..4da01c9edb074e0bd1616d59b7eceb8ca22f860a 100644 (file)
@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -45,11 +45,8 @@ fi
+@@ -44,11 +44,8 @@ fi
  # LTM_CFLAGS is given to ./configure by the user, 
  # DROPBEAR_LTM_CFLAGS is substituted in the LTM Makefile.in
  DROPBEAR_LTM_CFLAGS="$LTM_CFLAGS"
index 059177a1c58174d0e7304554f94b6d0f40181f34..43dd1426b1082befeb376b91a2d2709eb906c8f3 100644 (file)
@@ -19,8 +19,8 @@ Signed-off-by: Petr Štetiar <ynezz@true.cz>
  signkey.c | 8 ++++++--
  1 file changed, 6 insertions(+), 2 deletions(-)
 
---- a/signkey.c
-+++ b/signkey.c
+--- a/src/signkey.c
++++ b/src/signkey.c
 @@ -652,10 +652,18 @@ int buf_verify(buffer * buf, sign_key *k
        sigtype = signature_type_from_name(type_name, type_name_len);
        m_free(type_name);