From 65256aee23a5104eb0c78411fdc73640c0b757ea Mon Sep 17 00:00:00 2001 From: Konstantin Demin Date: Thu, 7 Apr 2022 11:33:08 +0300 Subject: [PATCH] dropbear: bump to 2022.82 - update dropbear to latest stable 2022.82; for the changes see https://matt.ucc.asn.au/dropbear/CHANGES - use $(AUTORELEASE) in PKG_RELEASE - use https for all uris - refresh all patches - rewrite patches: - 100-pubkey_path.patch - 130-ssh_ignore_x_args.patch binary/pkg size changes: - ath79/generic, mips: - binary: 215112 -> 219228 (+4116) - pkg: 111914 -> 113404 (+1490) - ath79/tiny, mips: - binary: 172501 -> 172485 (-16) - pkg: 89871 -> 90904 (+1033) Tested-by: Stijn Segers Signed-off-by: Konstantin Demin --- package/network/services/dropbear/Makefile | 12 +- .../dropbear/patches/100-pubkey_path.patch | 116 ++++++++++-------- .../dropbear/patches/110-change_user.patch | 2 +- .../patches/130-ssh_ignore_x_args.patch | 14 ++- .../dropbear/patches/140-disable_assert.patch | 2 +- .../dropbear/patches/160-lto-jobserver.patch | 4 +- .../600-allow-blank-root-password.patch | 2 +- .../patches/900-configure-hardening.patch | 2 +- ...nkey-fix-use-of-rsa-sha2-256-pubkeys.patch | 2 +- 9 files changed, 90 insertions(+), 66 deletions(-) diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index d518de3f70..eaf14c5533 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dropbear -PKG_VERSION:=2020.81 -PKG_RELEASE:=2 +PKG_VERSION:=2022.82 +PKG_RELEASE:=$(AUTORELEASE) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:= \ - http://matt.ucc.asn.au/dropbear/releases/ \ + https://matt.ucc.asn.au/dropbear/releases/ \ https://dropbear.nl/mirror/releases/ -PKG_HASH:=48235d10b37775dbda59341ac0c4b239b82ad6318c31568b985730c788aac53b +PKG_HASH:=3a038d2bbc02bf28bbdd20c012091f741a3ec5cbe460691811d714876aad75d1 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE @@ -42,7 +42,7 @@ ifneq ($(DUMP),1) endif define Package/dropbear/Default - URL:=http://matt.ucc.asn.au/dropbear/ + URL:=https://matt.ucc.asn.au/dropbear/ endef define Package/dropbear/config @@ -130,8 +130,10 @@ DB_OPT_COMMON = \ DB_OPT_CONFIG = \ DROPBEAR_CURVE25519|CONFIG_DROPBEAR_CURVE25519|1|0 \ DROPBEAR_ED25519|CONFIG_DROPBEAR_ED25519|1|0 \ + DROPBEAR_SK_ED25519|CONFIG_DROPBEAR_ED25519|1|0 \ DROPBEAR_CHACHA20POLY1305|CONFIG_DROPBEAR_CHACHA20POLY1305|1|0 \ DROPBEAR_ECDSA|CONFIG_DROPBEAR_ECC|1|0 \ + DROPBEAR_SK_ECDSA|CONFIG_DROPBEAR_ECC|1|0 \ DROPBEAR_ECDH|CONFIG_DROPBEAR_ECC|1|0 \ !!DROPBEAR_ECC_384|CONFIG_DROPBEAR_ECC_FULL|1|0 \ !!DROPBEAR_ECC_521|CONFIG_DROPBEAR_ECC_FULL|1|0 \ diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch index af3fbb336b..0403198062 100644 --- a/package/network/services/dropbear/patches/100-pubkey_path.patch +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch @@ -1,34 +1,50 @@ --- a/svr-authpubkey.c +++ b/svr-authpubkey.c -@@ -386,14 +386,19 @@ static int checkpubkey(const char* keyal - goto out; - } +@@ -77,6 +77,13 @@ static void send_msg_userauth_pk_ok(cons + const unsigned char* keyblob, unsigned int keybloblen); + static int checkfileperm(char * filename); -- /* we don't need to check pw and pw_dir for validity, since -- * its been done in checkpubkeyperms. */ -- len = strlen(ses.authstate.pw_dir); -- /* allocate max required pathname storage, -- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ -- filename = m_malloc(len + 22); -- snprintf(filename, len + 22, "%s/.ssh/authorized_keys", -- ses.authstate.pw_dir); -+ if (ses.authstate.pw_uid != 0) { -+ /* we don't need to check pw and pw_dir for validity, since -+ * its been done in checkpubkeyperms. */ -+ len = strlen(ses.authstate.pw_dir); -+ /* allocate max required pathname storage, -+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ -+ filename = m_malloc(len + 22); -+ snprintf(filename, len + 22, "%s/.ssh/authorized_keys", -+ ses.authstate.pw_dir); -+ } else { -+ filename = m_malloc(30); -+ strncpy(filename, "/etc/dropbear/authorized_keys", 30); -+ } ++static const char * const global_authkeys_dir = "/etc/dropbear"; ++static const int n_global_authkeys_dir = 14; /* + 1 extra byte */ ++static const char * const user_authkeys_dir = ".ssh"; ++static const int n_user_authkeys_dir = 5; /* + 1 extra byte */ ++static const char * const authkeys_file = "authorized_keys"; ++static const int n_authkeys_file = 16; /* + 1 extra byte */ ++ + /* process a pubkey auth request, sending success or failure message as + * appropriate */ + void svr_auth_pubkey(int valid_user) { +@@ -439,14 +446,21 @@ static int checkpubkey(const char* keyal + if (checkpubkeyperms() == DROPBEAR_FAILURE) { + TRACE(("bad authorized_keys permissions, or file doesn't exist")) + } else { +- /* we don't need to check pw and pw_dir for validity, since +- * its been done in checkpubkeyperms. */ +- len = strlen(ses.authstate.pw_dir); +- /* allocate max required pathname storage, +- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ +- filename = m_malloc(len + 22); +- snprintf(filename, len + 22, "%s/.ssh/authorized_keys", +- ses.authstate.pw_dir); ++ if (ses.authstate.pw_uid == 0) { ++ len = n_global_authkeys_dir + n_authkeys_file; ++ filename = m_malloc(len); ++ snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file); ++ } else { ++ /* we don't need to check pw and pw_dir for validity, since ++ * its been done in checkpubkeyperms. */ ++ len = strlen(ses.authstate.pw_dir); ++ /* allocate max required pathname storage, ++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ ++ len += n_user_authkeys_dir + n_authkeys_file + 1; ++ filename = m_malloc(len); ++ snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir, ++ user_authkeys_dir, authkeys_file); ++ } - #if DROPBEAR_SVR_MULTIUSER - /* open the file as the authenticating user. */ -@@ -474,27 +479,36 @@ static int checkpubkeyperms() { + authfile = fopen(filename, "r"); + if (!authfile) { +@@ -520,27 +534,41 @@ static int checkpubkeyperms() { goto out; } @@ -37,47 +53,51 @@ - len += 22; - filename = m_malloc(len); - strlcpy(filename, ses.authstate.pw_dir, len); -- ++ if (ses.authstate.pw_uid == 0) { ++ if (checkfileperm(global_authkeys_dir) != DROPBEAR_SUCCESS) { ++ goto out; ++ } + - /* check ~ */ - if (checkfileperm(filename) != DROPBEAR_SUCCESS) { - goto out; - } -+ if (ses.authstate.pw_uid == 0) { -+ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) { -+ goto out; -+ } -+ if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) { -+ goto out; -+ } -+ } else { -+ /* allocate max required pathname storage, -+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ -+ len += 22; ++ len = n_global_authkeys_dir + n_authkeys_file; + filename = m_malloc(len); -+ strlcpy(filename, ses.authstate.pw_dir, len); -+ -+ /* check ~ */ -+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -+ goto out; -+ } - /* check ~/.ssh */ - strlcat(filename, "/.ssh", len); - if (checkfileperm(filename) != DROPBEAR_SUCCESS) { - goto out; - } -+ /* check ~/.ssh */ -+ strlcat(filename, "/.ssh", len); ++ snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file); + if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + goto out; + } ++ } else { ++ /* check ~ */ ++ if (checkfileperm(ses.authstate.pw_dir) != DROPBEAR_SUCCESS) { ++ goto out; ++ } - /* now check ~/.ssh/authorized_keys */ - strlcat(filename, "/authorized_keys", len); - if (checkfileperm(filename) != DROPBEAR_SUCCESS) { - goto out; ++ /* allocate max required pathname storage, ++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ ++ len += n_user_authkeys_dir + n_authkeys_file + 1; ++ filename = m_malloc(len); ++ ++ /* check ~/.ssh */ ++ snprintf(filename, len, "%s/%s", ses.authstate.pw_dir, user_authkeys_dir); ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ + /* now check ~/.ssh/authorized_keys */ -+ strlcat(filename, "/authorized_keys", len); ++ snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir, ++ user_authkeys_dir, authkeys_file); + if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + goto out; + } diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch index 1dd67948af..04d1df3fde 100644 --- a/package/network/services/dropbear/patches/110-change_user.patch +++ b/package/network/services/dropbear/patches/110-change_user.patch @@ -1,6 +1,6 @@ --- a/svr-chansession.c +++ b/svr-chansession.c -@@ -954,12 +954,12 @@ static void execchild(const void *user_d +@@ -985,12 +985,12 @@ static void execchild(const void *user_d /* We can only change uid/gid as root ... */ if (getuid() == 0) { diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch index 5e736320cc..d7f589801d 100644 --- a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch +++ b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch @@ -1,11 +1,13 @@ --- a/cli-runopts.c +++ b/cli-runopts.c -@@ -299,6 +299,8 @@ void cli_getopts(int argc, char ** argv) - debug_trace = 1; +@@ -325,6 +325,10 @@ void cli_getopts(int argc, char ** argv) + case 'b': + next = &bind_arg; break; - #endif + case 'x': ++ /* compatibility with openssh cli ++ * ("-x" disables X11 forwarding) */ + break; - case 'F': - case 'e': - #if !DROPBEAR_USER_ALGO_LIST + default: + fprintf(stderr, + "WARNING: Ignoring unknown option -%c\n", c); diff --git a/package/network/services/dropbear/patches/140-disable_assert.patch b/package/network/services/dropbear/patches/140-disable_assert.patch index 8c3ae7f119..af01573dee 100644 --- a/package/network/services/dropbear/patches/140-disable_assert.patch +++ b/package/network/services/dropbear/patches/140-disable_assert.patch @@ -1,6 +1,6 @@ --- a/dbutil.h +++ b/dbutil.h -@@ -75,7 +75,11 @@ int m_str_to_uint(const char* str, unsig +@@ -80,7 +80,11 @@ int m_snprintf(char *str, size_t size, c #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL} /* Dropbear assertion */ diff --git a/package/network/services/dropbear/patches/160-lto-jobserver.patch b/package/network/services/dropbear/patches/160-lto-jobserver.patch index 1ba7dd6f44..fd80b986ae 100644 --- a/package/network/services/dropbear/patches/160-lto-jobserver.patch +++ b/package/network/services/dropbear/patches/160-lto-jobserver.patch @@ -1,6 +1,6 @@ --- a/Makefile.in +++ b/Makefile.in -@@ -198,17 +198,17 @@ dropbearkey: $(dropbearkeyobjs) +@@ -200,17 +200,17 @@ dropbearkey: $(dropbearkeyobjs) dropbearconvert: $(dropbearconvertobjs) dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile @@ -22,7 +22,7 @@ # multi-binary compilation. -@@ -219,7 +219,7 @@ ifeq ($(MULTI),1) +@@ -221,7 +221,7 @@ ifeq ($(MULTI),1) endif dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch index b138862ca3..07ae022763 100644 --- a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch +++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch @@ -1,6 +1,6 @@ --- a/svr-auth.c +++ b/svr-auth.c -@@ -125,7 +125,7 @@ void recv_msg_userauth_request() { +@@ -124,7 +124,7 @@ void recv_msg_userauth_request() { AUTH_METHOD_NONE_LEN) == 0) { TRACE(("recv_msg_userauth_request: 'none' request")) if (valid_user diff --git a/package/network/services/dropbear/patches/900-configure-hardening.patch b/package/network/services/dropbear/patches/900-configure-hardening.patch index ab1361f6ae..4f806f8b25 100644 --- a/package/network/services/dropbear/patches/900-configure-hardening.patch +++ b/package/network/services/dropbear/patches/900-configure-hardening.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -70,53 +70,6 @@ AC_ARG_ENABLE(harden, +@@ -74,53 +74,6 @@ AC_ARG_ENABLE(harden, if test "$hardenbuild" -eq 1; then AC_MSG_NOTICE(Checking for available hardened build flags:) diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch index b774a38b1a..f078814403 100644 --- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch +++ b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch @@ -21,7 +21,7 @@ Signed-off-by: Petr Å tetiar --- a/signkey.c +++ b/signkey.c -@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *k +@@ -646,8 +646,12 @@ int buf_verify(buffer * buf, sign_key *k sigtype = signature_type_from_name(type_name, type_name_len); m_free(type_name); -- 2.30.2