From: Konstantin Demin Date: Mon, 25 Mar 2019 18:40:38 +0000 (+0300) Subject: dropbear: bump to 2019.77 X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=a1099ed;p=openwrt%2Fstaging%2Fthess.git dropbear: bump to 2019.77 - drop patches applied upstream: * 010-runtime-maxauthtries.patch * 020-Wait-to-fail-invalid-usernames.patch * 150-dbconvert_standalone.patch * 610-skip-default-keys-in-custom-runs.patch - refresh patches - move OpenWrt configuration from patch to Build/Configure recipe, thus drop patch 120-openwrt_options.patch Signed-off-by: Konstantin Demin --- diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 0ed7199e68..768cc813fa 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dropbear -PKG_VERSION:=2017.75 -PKG_RELEASE:=9 +PKG_VERSION:=2019.77 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:= \ http://matt.ucc.asn.au/dropbear/releases/ \ https://dropbear.nl/mirror/releases/ -PKG_HASH:=6cbc1dcb1c9709d226dff669e5604172a18cf5dbf9a201474d5618ae4465098c +PKG_HASH:=d91f78ebe633be1d071fd1b7e5535b9693794048b019e9f4bea257e1992b458d PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE @@ -23,6 +23,7 @@ PKG_CPE_ID:=cpe:/a:matt_johnston:dropbear_ssh_server PKG_BUILD_PARALLEL:=1 PKG_USE_MIPS16:=0 +PKG_FIXUP:=autoreconf PKG_CONFIG_DEPENDS:= \ CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \ 
@@ -90,33 +91,33 @@ TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections -flto TARGET_LDFLAGS += -Wl,--gc-sections -flto=jobserver define Build/Configure + : > $(PKG_BUILD_DIR)/localoptions.h + $(Build/Configure/Default) - $(SED) 's,^#define DEFAULT_PATH .*$$$$,#define DEFAULT_PATH "$(TARGET_INIT_PATH)",g' \ - $(PKG_BUILD_DIR)/options.h + echo '#define DEFAULT_PATH "$(TARGET_INIT_PATH)"' >> \ + $(PKG_BUILD_DIR)/localoptions.h - awk 'BEGIN { rc = 1 } \ - /'DROPBEAR_CURVE25519'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_CURVE25519),,// )#define 'DROPBEAR_CURVE25519'"; rc = 0 } \ - { print } \ - END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \ - >$(PKG_BUILD_DIR)/options.h.new && \ - mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h + echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h - # Enforce that all replacements are made, otherwise options.h has changed - # format and this logic is broken. for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \ - awk 'BEGIN { rc = 1 } \ - /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// )#define '$$$$OPTION'"; rc = 0 } \ - { print } \ - END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \ - >$(PKG_BUILD_DIR)/options.h.new && \ - mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h || exit 1; \ + echo "#define $$$$OPTION $(if $(CONFIG_DROPBEAR_ECC),1,0)" >> \ + $(PKG_BUILD_DIR)/localoptions.h; \ done # remove protocol idented software version number - $(SED) 's,^#define LOCAL_IDENT .*$$$$,#define LOCAL_IDENT "SSH-2.0-dropbear",g' \ + $(ESED) 's,^(#define LOCAL_IDENT) .*$$$$,\1 "SSH-2.0-dropbear",g' \ $(PKG_BUILD_DIR)/sysoptions.h + # disable legacy/unsafe methods and unused functionality + for OPTION in INETD_MODE DROPBEAR_CLI_NETCAT \ + DROPBEAR_3DES DROPBEAR_DSS DROPBEAR_ENABLE_CBC_MODE \ + DROPBEAR_SHA1_96_HMAC DROPBEAR_USE_PASSWORD_ENV; do \ + echo "#define $$$$OPTION 0" >> \ + $(PKG_BUILD_DIR)/localoptions.h; \ + done + # Enforce rebuild of 
svr-chansession.c rm -f $(PKG_BUILD_DIR)/svr-chansession.o endef diff --git a/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch b/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch deleted file mode 100644 index 26db3181f2..0000000000 --- a/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch +++ /dev/null 
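Review bot: The new `for OPTION in INETD_MODE DROPBEAR_CLI_NETCAT …` loop and the `$(ESED)` rewrite of `LOCAL_IDENT` in Build/Configure both succeed when nothing matches, so the guard the removed awk code carried ("Enforce that all replacements are made") is lost. If upstream renames an option again (the removed 120-openwrt_options.patch shows `ENABLE_CLI_NETCAT` and `DROPBEAR_PASSWORD_ENV` where the loop now uses `DROPBEAR_CLI_NETCAT` and `DROPBEAR_USE_PASSWORD_ENV`), the `#define … 0` appended to localoptions.h would presumably be ignored, and 3DES, DSS, CBC mode or the password environment variable would be compiled back in without a build error. I would add a recipe line after the sed such as `grep -q '#define LOCAL_IDENT "SSH-2.0-dropbear"' $(PKG_BUILD_DIR)/sysoptions.h`, and make the loop fail the build when an option name is not found in the upstream headers. The removed patch also commented out `DROPBEAR_TWOFISH256`, `DROPBEAR_TWOFISH128`, `DROPBEAR_SHA2_512_HMAC`, `DROPBEAR_MD5_HMAC` and `DO_MOTD`, none of which are in the new list. That is safe only if 2019.77 disables them by default, which this hunk does not show, so either add them to the loop or add a comment such as `# TWOFISH*, MD5_HMAC, SHA2_512_HMAC, DO_MOTD: off by upstream default (verified for 2019.77)`.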
@@ -1,130 +0,0 @@ -From 46b22e57d91e33a591d0fba97da52672af4d6ed2 Mon Sep 17 00:00:00 2001 -From: Kevin Darbyshire-Bryant -Date: Mon, 29 May 2017 10:25:09 +0100 -Subject: [PATCH] dropbear server: support -T max auth tries - -Add support for '-T n' for a run-time specification for maximum number -of authentication attempts where 'n' is between 1 and compile time -option MAX_AUTH_TRIES. - -A default number of tries can be specified at compile time using -'DEFAULT_AUTH_TRIES' which itself defaults to MAX_AUTH_TRIES for -backwards compatibility. - -Signed-off-by: Kevin Darbyshire-Bryant ---- - options.h | 7 +++++++ - runopts.h | 1 + - svr-auth.c | 2 +- - svr-runopts.c | 17 +++++++++++++++++ - 4 files changed, 26 insertions(+), 1 deletion(-) - -diff --git a/options.h b/options.h -index 0c51bb1..4d22704 100644 ---- a/options.h -+++ b/options.h -@@ -284,6 +284,13 @@ Homedir is prepended unless path begins with / */ - #define MAX_AUTH_TRIES 10 - #endif - -+/* Default maximum number of failed authentication tries. -+ * defaults to MAX_AUTH_TRIES */ -+ -+#ifndef DEFAULT_AUTH_TRIES -+#define DEFAULT_AUTH_TRIES MAX_AUTH_TRIES -+#endif -+ - /* The default file to store the daemon's process ID, for shutdown - scripts etc. This can be overridden with the -P flag */ - #ifndef DROPBEAR_PIDFILE -diff --git a/runopts.h b/runopts.h -index f7c869d..2f7da63 100644 ---- a/runopts.h -+++ b/runopts.h -@@ -96,6 +96,7 @@ typedef struct svr_runopts { - int noauthpass; - int norootpass; - int allowblankpass; -+ unsigned int maxauthtries; - - #ifdef ENABLE_SVR_REMOTETCPFWD - int noremotetcp; -diff --git a/svr-auth.c b/svr-auth.c -index 577ea88..6a7ce0b 100644 ---- a/svr-auth.c -+++ b/svr-auth.c -@@ -362,7 +362,7 @@ void send_msg_userauth_failure(int partial, int incrfail) { - ses.authstate.failcount++; - } - -- if (ses.authstate.failcount >= MAX_AUTH_TRIES) { -+ if (ses.authstate.failcount >= svr_opts.maxauthtries) { - char * userstr; - /* XXX - send disconnect ? 
*/ - TRACE(("Max auth tries reached, exiting")) -diff --git a/svr-runopts.c b/svr-runopts.c -index 8f60059..1e7440f 100644 ---- a/svr-runopts.c -+++ b/svr-runopts.c -@@ -73,6 +73,7 @@ static void printhelp(const char * progname) { - "-g Disable password logins for root\n" - "-B Allow blank password logins\n" - #endif -+ "-T <1 to %d> Maximum authentication tries (default %d)\n" - #ifdef ENABLE_SVR_LOCALTCPFWD - "-j Disable local port forwarding\n" - #endif -@@ -106,6 +107,7 @@ static void printhelp(const char * progname) { - #ifdef DROPBEAR_ECDSA - ECDSA_PRIV_FILENAME, - #endif -+ MAX_AUTH_TRIES, DEFAULT_AUTH_TRIES, - DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE, - DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT); - } -@@ -118,6 +120,7 @@ void svr_getopts(int argc, char ** argv) { - char* recv_window_arg = NULL; - char* keepalive_arg = NULL; - char* idle_timeout_arg = NULL; -+ char* maxauthtries_arg = NULL; - char* keyfile = NULL; - char c; - -@@ -130,6 +133,7 @@ void svr_getopts(int argc, char ** argv) { - svr_opts.noauthpass = 0; - svr_opts.norootpass = 0; - svr_opts.allowblankpass = 0; -+ svr_opts.maxauthtries = DEFAULT_AUTH_TRIES; - svr_opts.inetdmode = 0; - svr_opts.portcount = 0; - svr_opts.hostkey = NULL; -@@ -234,6 +238,9 @@ void svr_getopts(int argc, char ** argv) { - case 'I': - next = &idle_timeout_arg; - break; -+ case 'T': -+ next = &maxauthtries_arg; -+ break; - #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH) - case 's': - svr_opts.noauthpass = 1; -@@ -330,6 +337,16 @@ void svr_getopts(int argc, char ** argv) { - dropbear_exit("Bad recv window '%s'", recv_window_arg); - } - } -+ -+ if (maxauthtries_arg) { -+ unsigned int val = 0; -+ if (m_str_to_uint(maxauthtries_arg, &val) == DROPBEAR_FAILURE || -+ val == 0 || val > MAX_AUTH_TRIES) { -+ dropbear_exit("Bad maxauthtries '%s'", maxauthtries_arg); -+ } -+ svr_opts.maxauthtries = val; -+ } -+ - - if (keepalive_arg) { - unsigned int val; --- -2.7.4 - 
diff --git a/package/network/services/dropbear/patches/020-Wait-to-fail-invalid-usernames.patch b/package/network/services/dropbear/patches/020-Wait-to-fail-invalid-usernames.patch deleted file mode 100644 index 593dca930d..0000000000 --- a/package/network/services/dropbear/patches/020-Wait-to-fail-invalid-usernames.patch +++ /dev/null 
@@ -1,221 +0,0 @@ -From 52adbb34c32d3e2e1bcdb941e20a6f81138b8248 Mon Sep 17 00:00:00 2001 -From: Matt Johnston -Date: Thu, 23 Aug 2018 23:43:12 +0800 -Subject: [PATCH 2/2] Wait to fail invalid usernames - ---- - auth.h | 6 +++--- - svr-auth.c | 19 +++++-------------- - svr-authpam.c | 26 ++++++++++++++++++++++---- - svr-authpasswd.c | 27 ++++++++++++++------------- - svr-authpubkey.c | 11 ++++++++++- - 5 files changed, 54 insertions(+), 35 deletions(-) - ---- a/auth.h -+++ b/auth.h -@@ -37,9 +37,9 @@ void recv_msg_userauth_request(void); - void send_msg_userauth_failure(int partial, int incrfail); - void send_msg_userauth_success(void); - void send_msg_userauth_banner(buffer *msg); --void svr_auth_password(void); --void svr_auth_pubkey(void); --void svr_auth_pam(void); -+void svr_auth_password(int valid_user); -+void svr_auth_pubkey(int valid_user); -+void svr_auth_pam(int valid_user); - - #ifdef ENABLE_SVR_PUBKEY_OPTIONS - int svr_pubkey_allows_agentfwd(void); ---- a/svr-auth.c -+++ b/svr-auth.c -@@ -176,10 +176,8 @@ void recv_msg_userauth_request() { - if (methodlen == AUTH_METHOD_PASSWORD_LEN && - strncmp(methodname, AUTH_METHOD_PASSWORD, - AUTH_METHOD_PASSWORD_LEN) == 0) { -- if (valid_user) { -- svr_auth_password(); -- goto out; -- } -+ svr_auth_password(valid_user); -+ goto out; - } - } - #endif -@@ -191,10 +189,8 @@ void recv_msg_userauth_request() { - if (methodlen == AUTH_METHOD_PASSWORD_LEN && - strncmp(methodname, AUTH_METHOD_PASSWORD, - AUTH_METHOD_PASSWORD_LEN) == 0) { -- if (valid_user) { -- svr_auth_pam(); -- goto out; -- } -+ svr_auth_pam(valid_user); -+ goto out; - } - } - #endif -@@ -204,12 +200,7 @@ void recv_msg_userauth_request() { - if (methodlen == AUTH_METHOD_PUBKEY_LEN && - strncmp(methodname, AUTH_METHOD_PUBKEY, - AUTH_METHOD_PUBKEY_LEN) == 0) { -- if (valid_user) { -- svr_auth_pubkey(); -- } else { -- /* pubkey has no failure delay */ -- send_msg_userauth_failure(0, 0); -- } -+ svr_auth_pubkey(valid_user); - goto out; - } - #endif ---- 
a/svr-authpam.c -+++ b/svr-authpam.c -@@ -178,13 +178,14 @@ pamConvFunc(int num_msg, - * Keyboard interactive would be a lot nicer, but since PAM is synchronous, it - * gets very messy trying to send the interactive challenges, and read the - * interactive responses, over the network. */ --void svr_auth_pam() { -+void svr_auth_pam(int valid_user) { - - struct UserDataS userData = {NULL, NULL}; - struct pam_conv pamConv = { - pamConvFunc, - &userData /* submitted to pamvConvFunc as appdata_ptr */ - }; -+ const char* printable_user = NULL; - - pam_handle_t* pamHandlep = NULL; - -@@ -204,12 +205,23 @@ void svr_auth_pam() { - - password = buf_getstring(ses.payload, &passwordlen); - -+ /* We run the PAM conversation regardless of whether the username is valid -+ in case the conversation function has an inherent delay. -+ Use ses.authstate.username rather than ses.authstate.pw_name. -+ After PAM succeeds we then check the valid_user flag too */ -+ - /* used to pass data to the PAM conversation function - don't bother with - * strdup() etc since these are touched only by our own conversation - * function (above) which takes care of it */ -- userData.user = ses.authstate.pw_name; -+ userData.user = ses.authstate.username; - userData.passwd = password; - -+ if (ses.authstate.pw_name) { -+ printable_user = ses.authstate.pw_name; -+ } else { -+ printable_user = ""; -+ } -+ - /* Init pam */ - if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) { - dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s", -@@ -236,7 +248,7 @@ void svr_auth_pam() { - rc, pam_strerror(pamHandlep, rc)); - dropbear_log(LOG_WARNING, - "Bad PAM password attempt for '%s' from %s", -- ses.authstate.pw_name, -+ printable_user, - svr_ses.addrstring); - send_msg_userauth_failure(0, 1); - goto cleanup; -@@ -247,12 +259,18 @@ void svr_auth_pam() { - rc, pam_strerror(pamHandlep, rc)); - dropbear_log(LOG_WARNING, - "Bad PAM password attempt for '%s' from %s", -- ses.authstate.pw_name, 
-+ printable_user, - svr_ses.addrstring); - send_msg_userauth_failure(0, 1); - goto cleanup; - } - -+ if (!valid_user) { -+ /* PAM auth succeeded but the username isn't allowed in for another reason -+ (checkusername() failed) */ -+ send_msg_userauth_failure(0, 1); -+ } -+ - /* successful authentication */ - dropbear_log(LOG_NOTICE, "PAM password auth succeeded for '%s' from %s", - ses.authstate.pw_name, ---- a/svr-authpasswd.c -+++ b/svr-authpasswd.c -@@ -48,22 +48,14 @@ static int constant_time_strcmp(const ch - - /* Process a password auth request, sending success or failure messages as - * appropriate */ --void svr_auth_password() { -+void svr_auth_password(int valid_user) { - - char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */ - char * testcrypt = NULL; /* crypt generated from the user's password sent */ -- char * password; -+ char * password = NULL; - unsigned int passwordlen; -- - unsigned int changepw; - -- passwdcrypt = ses.authstate.pw_passwd; -- --#ifdef DEBUG_HACKCRYPT -- /* debugging crypt for non-root testing with shadows */ -- passwdcrypt = DEBUG_HACKCRYPT; --#endif -- - /* check if client wants to change password */ - changepw = buf_getbool(ses.payload); - if (changepw) { -@@ -73,12 +65,21 @@ void svr_auth_password() { - } - - password = buf_getstring(ses.payload, &passwordlen); -- -- /* the first bytes of passwdcrypt are the salt */ -- testcrypt = crypt(password, passwdcrypt); -+ if (valid_user) { -+ /* the first bytes of passwdcrypt are the salt */ -+ passwdcrypt = ses.authstate.pw_passwd; -+ testcrypt = crypt(password, passwdcrypt); -+ } - m_burn(password, passwordlen); - m_free(password); - -+ /* After we have got the payload contents we can exit if the username -+ is invalid. Invalid users have already been logged. */ -+ if (!valid_user) { -+ send_msg_userauth_failure(0, 1); -+ return; -+ } -+ - if (testcrypt == NULL) { - /* crypt() with an invalid salt like "!!" 
*/ - dropbear_log(LOG_WARNING, "User account '%s' is locked", ---- a/svr-authpubkey.c -+++ b/svr-authpubkey.c -@@ -79,7 +79,7 @@ static int checkfileperm(char * filename - - /* process a pubkey auth request, sending success or failure message as - * appropriate */ --void svr_auth_pubkey() { -+void svr_auth_pubkey(int valid_user) { - - unsigned char testkey; /* whether we're just checking if a key is usable */ - char* algo = NULL; /* pubkey algo */ -@@ -102,6 +102,15 @@ void svr_auth_pubkey() { - keybloblen = buf_getint(ses.payload); - keyblob = buf_getptr(ses.payload, keybloblen); - -+ if (!valid_user) { -+ /* Return failure once we have read the contents of the packet -+ required to validate a public key. -+ Avoids blind user enumeration though it isn't possible to prevent -+ testing for user existence if the public key is known */ -+ send_msg_userauth_failure(0, 0); -+ goto out; -+ } -+ - /* check if the key is valid */ - if (checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE) { - send_msg_userauth_failure(0, 0); diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch index 274d3af46a..732d84078f 100644 --- a/package/network/services/dropbear/patches/100-pubkey_path.patch +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch @@ -1,6 +1,6 @@ --- a/svr-authpubkey.c +++ b/svr-authpubkey.c -@@ -229,14 +229,20 @@ static int checkpubkey(char* algo, unsig +@@ -338,14 +338,19 @@ static int checkpubkey(const char* algo, goto out; } 
@@ -25,34 +25,23 @@ + filename = m_malloc(30); + strncpy(filename, "/etc/dropbear/authorized_keys", 30); + } -+ + #if DROPBEAR_SVR_MULTIUSER /* open the file as the authenticating user. */ - origuid = getuid(); -@@ -405,26 +411,35 @@ static int checkpubkeyperms() { +@@ -426,27 +431,36 @@ static int checkpubkeyperms() { goto out; } - /* allocate max required pathname storage, - * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ -- filename = m_malloc(len + 22); -- strncpy(filename, ses.authstate.pw_dir, len+1); +- len += 22; +- filename = m_malloc(len); +- strlcpy(filename, ses.authstate.pw_dir, len); - - /* check ~ */ - if (checkfileperm(filename) != DROPBEAR_SUCCESS) { - goto out; - } -- -- /* check ~/.ssh */ -- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ -- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -- goto out; -- } -- -- /* now check ~/.ssh/authorized_keys */ -- strncat(filename, "/authorized_keys", 16); -- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -- goto out; + if (ses.authstate.pw_uid == 0) { + if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) { + goto out; 
@@ -63,22 +52,32 @@ + } else { + /* allocate max required pathname storage, + * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ -+ filename = m_malloc(len + 22); -+ strncpy(filename, ses.authstate.pw_dir, len+1); ++ len += 22; ++ filename = m_malloc(len); ++ strlcpy(filename, ses.authstate.pw_dir, len); + + /* check ~ */ + if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + goto out; + } -+ + +- /* check ~/.ssh */ +- strlcat(filename, "/.ssh", len); +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; +- } + /* check ~/.ssh */ -+ strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ ++ strlcat(filename, "/.ssh", len); + if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + goto out; + } -+ + +- /* now check ~/.ssh/authorized_keys */ +- strlcat(filename, "/authorized_keys", len); +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; + /* now check ~/.ssh/authorized_keys */ -+ strncat(filename, "/authorized_keys", 16); ++ strlcat(filename, "/authorized_keys", len); + if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + goto out; + } diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch index 4b5c1cb51b..27e7fbaf4f 100644 --- a/package/network/services/dropbear/patches/110-change_user.patch +++ b/package/network/services/dropbear/patches/110-change_user.patch @@ -1,6 +1,6 @@ --- a/svr-chansession.c +++ b/svr-chansession.c -@@ -922,12 +922,12 @@ static void execchild(void *user_data) { +@@ -953,12 +953,12 @@ static void execchild(const void *user_d /* We can only change uid/gid as root ... */ if (getuid() == 0) { diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch deleted file mode 100644 index 7f47a74304..0000000000 --- a/package/network/services/dropbear/patches/120-openwrt_options.patch +++ /dev/null 
@@ -1,82 +0,0 @@ ---- a/options.h -+++ b/options.h -@@ -41,7 +41,7 @@ - * Both of these flags can be defined at once, don't compile without at least - * one of them. */ - #define NON_INETD_MODE --#define INETD_MODE -+/*#define INETD_MODE*/ - - /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is - * perhaps 20% slower for pubkey operations (it is probably worth experimenting -@@ -81,7 +81,7 @@ much traffic. */ - - /* Enable "Netcat mode" option. This will forward standard input/output - * to a remote TCP-forwarded connection */ --#define ENABLE_CLI_NETCAT -+/*#define ENABLE_CLI_NETCAT*/ - - /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ - #define ENABLE_USER_ALGO_LIST -@@ -91,16 +91,16 @@ much traffic. */ - * Including multiple keysize variants the same cipher - * (eg AES256 as well as AES128) will result in a minimal size increase.*/ - #define DROPBEAR_AES128 --#define DROPBEAR_3DES -+/*#define DROPBEAR_3DES*/ - #define DROPBEAR_AES256 - /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ - /*#define DROPBEAR_BLOWFISH*/ --#define DROPBEAR_TWOFISH256 --#define DROPBEAR_TWOFISH128 -+/*#define DROPBEAR_TWOFISH256*/ -+/*#define DROPBEAR_TWOFISH128*/ - - /* Enable CBC mode for ciphers. This has security issues though - * is the most compatible with older SSH implementations */ --#define DROPBEAR_ENABLE_CBC_MODE -+/*#define DROPBEAR_ENABLE_CBC_MODE*/ - - /* Enable "Counter Mode" for ciphers. This is more secure than normal - * CBC mode against certain attacks. It is recommended for security -@@ -131,10 +131,10 @@ If you test it please contact the Dropbe - * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, - * which are not the standard form. 
*/ - #define DROPBEAR_SHA1_HMAC --#define DROPBEAR_SHA1_96_HMAC -+/*#define DROPBEAR_SHA1_96_HMAC*/ - #define DROPBEAR_SHA2_256_HMAC --#define DROPBEAR_SHA2_512_HMAC --#define DROPBEAR_MD5_HMAC -+/*#define DROPBEAR_SHA2_512_HMAC*/ -+/*#define DROPBEAR_MD5_HMAC*/ - - /* You can also disable integrity. Don't bother disabling this if you're - * still using a cipher, it's relatively cheap. If you disable this it's dead -@@ -146,7 +146,7 @@ If you test it please contact the Dropbe - * Removing either of these won't save very much space. - * SSH2 RFC Draft requires dss, recommends rsa */ - #define DROPBEAR_RSA --#define DROPBEAR_DSS -+/*#define DROPBEAR_DSS*/ - /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC - * code (either ECDSA or ECDH) increases binary size - around 30kB - * on x86-64 */ -@@ -194,7 +194,7 @@ If you test it please contact the Dropbe - - /* Whether to print the message of the day (MOTD). This doesn't add much code - * size */ --#define DO_MOTD -+/*#define DO_MOTD*/ - - /* The MOTD file path */ - #ifndef MOTD_FILENAME -@@ -242,7 +242,7 @@ Homedir is prepended unless path begins - * note that it will be provided for all "hidden" client-interactive - * style prompts - if you want something more sophisticated, use - * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/ --#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD" -+/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/ - - /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of - * a helper program for the ssh client. The helper program should be diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch index ab09c2f3dc..5e736320cc 100644 --- a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch +++ b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch @@ -1,6 +1,6 @@ --- a/cli-runopts.c 
+++ b/cli-runopts.c -@@ -296,6 +296,8 @@ void cli_getopts(int argc, char ** argv) +@@ -299,6 +299,8 @@ void cli_getopts(int argc, char ** argv) debug_trace = 1; break; #endif @@ -8,4 +8,4 @@ + break; case 'F': case 'e': - #ifndef ENABLE_USER_ALGO_LIST + #if !DROPBEAR_USER_ALGO_LIST diff --git a/package/network/services/dropbear/patches/140-disable_assert.patch b/package/network/services/dropbear/patches/140-disable_assert.patch index 78b54acfa0..8c3ae7f119 100644 --- a/package/network/services/dropbear/patches/140-disable_assert.patch +++ b/package/network/services/dropbear/patches/140-disable_assert.patch @@ -1,6 +1,6 @@ --- a/dbutil.h +++ b/dbutil.h -@@ -78,7 +78,11 @@ int m_str_to_uint(const char* str, unsig +@@ -75,7 +75,11 @@ int m_str_to_uint(const char* str, unsig #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL} /* Dropbear assertion */ diff --git a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch deleted file mode 100644 index ccc2cb7925..0000000000 --- a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch +++ /dev/null @@ -1,14 +0,0 @@ ---- a/options.h -+++ b/options.h -@@ -5,6 +5,11 @@ - #ifndef DROPBEAR_OPTIONS_H_ - #define DROPBEAR_OPTIONS_H_ - -+#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER) -+#define DROPBEAR_SERVER -+#define DROPBEAR_CLIENT -+#endif -+ - /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" - * parts are to allow for commandline -DDROPBEAR_XXX options etc. */ - diff --git a/package/network/services/dropbear/patches/160-lto-jobserver.patch b/package/network/services/dropbear/patches/160-lto-jobserver.patch index bb94492833..02765335d3 100644 --- a/package/network/services/dropbear/patches/160-lto-jobserver.patch +++ b/package/network/services/dropbear/patches/160-lto-jobserver.patch @@ -1,6 +1,6 @@ --- a/Makefile.in 
+++ b/Makefile.in -@@ -163,17 +163,17 @@ dropbearkey: $(dropbearkeyobjs) +@@ -189,17 +189,17 @@ dropbearkey: $(dropbearkeyobjs) dropbearconvert: $(dropbearconvertobjs) dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile @@ -12,8 +12,8 @@ + +$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) dropbearkey dropbearconvert: $(HEADERS) $(LIBTOM_DEPS) Makefile -- $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) -+ +$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) +- $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) ++ +$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) # scp doesn't use the libs so is special. scp: $(SCPOBJS) $(HEADERS) Makefile @@ -22,7 +22,7 @@ # multi-binary compilation. -@@ -184,7 +184,7 @@ ifeq ($(MULTI),1) +@@ -210,7 +210,7 @@ ifeq ($(MULTI),1) endif dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch index 7c67b086bb..b138862ca3 100644 --- a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch +++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch @@ -1,6 +1,6 @@ --- a/svr-auth.c +++ b/svr-auth.c -@@ -149,7 +149,7 @@ void recv_msg_userauth_request() { +@@ -125,7 +125,7 @@ void recv_msg_userauth_request() { AUTH_METHOD_NONE_LEN) == 0) { TRACE(("recv_msg_userauth_request: 'none' request")) if (valid_user diff --git a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch deleted file mode 100644 index a555a9e498..0000000000 --- a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch +++ /dev/null 
@@ -1,18 +0,0 @@ ---- a/svr-runopts.c -+++ b/svr-runopts.c -@@ -505,6 +505,7 @@ void load_all_hostkeys() { - m_free(hostkey_file); - } - -+ if (svr_opts.num_hostkey_files <= 0) { - #ifdef DROPBEAR_RSA - loadhostkey(RSA_PRIV_FILENAME, 0); - #endif -@@ -516,6 +517,7 @@ void load_all_hostkeys() { - #ifdef DROPBEAR_ECDSA - loadhostkey(ECDSA_PRIV_FILENAME, 0); - #endif -+ } - - #ifdef DROPBEAR_DELAY_HOSTKEY - if (svr_opts.delay_hostkey) {