ExternalVendorCode/openwrt
1
0
Fork 0
mirror of https://github.com/openwrt/openwrt.git synced 2025-03-23 04:25:21 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

dropbear: bump to 2022.82

Browse Source 
- update dropbear to latest stable 2022.82;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- use $(AUTORELEASE) in PKG_RELEASE
- use https for all uris
- refresh all patches
- rewrite patches:
  - 100-pubkey_path.patch
  - 130-ssh_ignore_x_args.patch

binary/pkg size changes:
- ath79/generic, mips:
  - binary: 215112 -> 219228 (+4116)
  - pkg: 111914 -> 113404 (+1490)
- ath79/tiny, mips:
  - binary: 172501 -> 172485 (-16)
  - pkg: 89871 -> 90904 (+1033)

Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
This commit is contained in:
Konstantin Demin 2022-04-07 11:33:08 +03:00 committed by Hauke Mehrtens
parent c3b7389339
commit 65256aee23
9 changed files with 90 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
package/network/services/dropbear/Makefile
View File

@ -8,14 +8,14 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=dropbear PKG_NAME:=dropbear
PKG_VERSION:=2020.81 PKG_VERSION:=2022.82
PKG_RELEASE:=2 PKG_RELEASE:=$(AUTORELEASE)
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:= \ PKG_SOURCE_URL:= \
http://matt.ucc.asn.au/dropbear/releases/ \ https://matt.ucc.asn.au/dropbear/releases/ \
https://dropbear.nl/mirror/releases/ https://dropbear.nl/mirror/releases/
PKG_HASH:=48235d10b37775dbda59341ac0c4b239b82ad6318c31568b985730c788aac53b PKG_HASH:=3a038d2bbc02bf28bbdd20c012091f741a3ec5cbe460691811d714876aad75d1
PKG_LICENSE:=MIT PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
@ -42,7 +42,7 @@ ifneq ($(DUMP),1)
endif endif
define Package/dropbear/Default define Package/dropbear/Default
URL:=http://matt.ucc.asn.au/dropbear/ URL:=https://matt.ucc.asn.au/dropbear/
endef endef
define Package/dropbear/config define Package/dropbear/config
@ -130,8 +130,10 @@ DB_OPT_COMMON = \
DB_OPT_CONFIG = \ DB_OPT_CONFIG = \
DROPBEAR_CURVE25519|CONFIG_DROPBEAR_CURVE25519|1|0 \ DROPBEAR_CURVE25519|CONFIG_DROPBEAR_CURVE25519|1|0 \
DROPBEAR_ED25519|CONFIG_DROPBEAR_ED25519|1|0 \ DROPBEAR_ED25519|CONFIG_DROPBEAR_ED25519|1|0 \
DROPBEAR_SK_ED25519|CONFIG_DROPBEAR_ED25519|1|0 \
DROPBEAR_CHACHA20POLY1305|CONFIG_DROPBEAR_CHACHA20POLY1305|1|0 \ DROPBEAR_CHACHA20POLY1305|CONFIG_DROPBEAR_CHACHA20POLY1305|1|0 \
DROPBEAR_ECDSA|CONFIG_DROPBEAR_ECC|1|0 \ DROPBEAR_ECDSA|CONFIG_DROPBEAR_ECC|1|0 \
DROPBEAR_SK_ECDSA|CONFIG_DROPBEAR_ECC|1|0 \
DROPBEAR_ECDH|CONFIG_DROPBEAR_ECC|1|0 \ DROPBEAR_ECDH|CONFIG_DROPBEAR_ECC|1|0 \
!!DROPBEAR_ECC_384|CONFIG_DROPBEAR_ECC_FULL|1|0 \ !!DROPBEAR_ECC_384|CONFIG_DROPBEAR_ECC_FULL|1|0 \
!!DROPBEAR_ECC_521|CONFIG_DROPBEAR_ECC_FULL|1|0 \ !!DROPBEAR_ECC_521|CONFIG_DROPBEAR_ECC_FULL|1|0 \

116
package/network/services/dropbear/patches/100-pubkey_path.patch
View File

@ -1,34 +1,50 @@
--- a/svr-authpubkey.c --- a/svr-authpubkey.c
+++ b/svr-authpubkey.c +++ b/svr-authpubkey.c
@@ -386,14 +386,19 @@ static int checkpubkey(const char* keyal @@ -77,6 +77,13 @@ static void send_msg_userauth_pk_ok(cons
goto out; const unsigned char* keyblob, unsigned int keybloblen);
} static int checkfileperm(char * filename);
- /* we don't need to check pw and pw_dir for validity, since +static const char * const global_authkeys_dir = "/etc/dropbear";
- * its been done in checkpubkeyperms. */ +static const int n_global_authkeys_dir = 14; /* + 1 extra byte */
- len = strlen(ses.authstate.pw_dir); +static const char * const user_authkeys_dir = ".ssh";
- /* allocate max required pathname storage, +static const int n_user_authkeys_dir = 5; /* + 1 extra byte */
- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ +static const char * const authkeys_file = "authorized_keys";
- filename = m_malloc(len + 22); +static const int n_authkeys_file = 16; /* + 1 extra byte */
- snprintf(filename, len + 22, "%s/.ssh/authorized_keys", +
- ses.authstate.pw_dir); /* process a pubkey auth request, sending success or failure message as
+ if (ses.authstate.pw_uid != 0) { * appropriate */
+ /* we don't need to check pw and pw_dir for validity, since void svr_auth_pubkey(int valid_user) {
+ * its been done in checkpubkeyperms. */ @@ -439,14 +446,21 @@ static int checkpubkey(const char* keyal
+ len = strlen(ses.authstate.pw_dir); if (checkpubkeyperms() == DROPBEAR_FAILURE) {
+ /* allocate max required pathname storage, TRACE(("bad authorized_keys permissions, or file doesn't exist"))
+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ } else {
+ filename = m_malloc(len + 22); - /* we don't need to check pw and pw_dir for validity, since
+ snprintf(filename, len + 22, "%s/.ssh/authorized_keys", - * its been done in checkpubkeyperms. */
+ ses.authstate.pw_dir); - len = strlen(ses.authstate.pw_dir);
+ } else { - /* allocate max required pathname storage,
+ filename = m_malloc(30); - * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+ strncpy(filename, "/etc/dropbear/authorized_keys", 30); - filename = m_malloc(len + 22);
+ } - snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
- ses.authstate.pw_dir);
+ if (ses.authstate.pw_uid == 0) {
+ len = n_global_authkeys_dir + n_authkeys_file;
+ filename = m_malloc(len);
+ snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file);
+ } else {
+ /* we don't need to check pw and pw_dir for validity, since
+ * its been done in checkpubkeyperms. */
+ len = strlen(ses.authstate.pw_dir);
+ /* allocate max required pathname storage,
+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+ len += n_user_authkeys_dir + n_authkeys_file + 1;
+ filename = m_malloc(len);
+ snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir,
+ user_authkeys_dir, authkeys_file);
+ }
#if DROPBEAR_SVR_MULTIUSER authfile = fopen(filename, "r");
/* open the file as the authenticating user. */ if (!authfile) {
@@ -474,27 +479,36 @@ static int checkpubkeyperms() { @@ -520,27 +534,41 @@ static int checkpubkeyperms() {
goto out; goto out;
} }
@ -37,47 +53,51 @@
- len += 22; - len += 22;
- filename = m_malloc(len); - filename = m_malloc(len);
- strlcpy(filename, ses.authstate.pw_dir, len); - strlcpy(filename, ses.authstate.pw_dir, len);
- + if (ses.authstate.pw_uid == 0) {
+ if (checkfileperm(global_authkeys_dir) != DROPBEAR_SUCCESS) {
+ goto out;
+ }
- /* check ~ */ - /* check ~ */
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { - if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out; - goto out;
- } - }
+ if (ses.authstate.pw_uid == 0) { + len = n_global_authkeys_dir + n_authkeys_file;
+ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
+ goto out;
+ }
+ if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) {
+ goto out;
+ }
+ } else {
+ /* allocate max required pathname storage,
+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+ len += 22;
+ filename = m_malloc(len); + filename = m_malloc(len);
+ strlcpy(filename, ses.authstate.pw_dir, len);
+
+ /* check ~ */
+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+ goto out;
+ }
- /* check ~/.ssh */ - /* check ~/.ssh */
- strlcat(filename, "/.ssh", len); - strlcat(filename, "/.ssh", len);
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { - if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out; - goto out;
- } - }
+ /* check ~/.ssh */ + snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file);
+ strlcat(filename, "/.ssh", len);
+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+ goto out; + goto out;
+ } + }
+ } else {
+ /* check ~ */
+ if (checkfileperm(ses.authstate.pw_dir) != DROPBEAR_SUCCESS) {
+ goto out;
+ }
- /* now check ~/.ssh/authorized_keys */ - /* now check ~/.ssh/authorized_keys */
- strlcat(filename, "/authorized_keys", len); - strlcat(filename, "/authorized_keys", len);
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { - if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out; - goto out;
+ /* allocate max required pathname storage,
+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+ len += n_user_authkeys_dir + n_authkeys_file + 1;
+ filename = m_malloc(len);
+
+ /* check ~/.ssh */
+ snprintf(filename, len, "%s/%s", ses.authstate.pw_dir, user_authkeys_dir);
+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+ goto out;
+ }
+
+ /* now check ~/.ssh/authorized_keys */ + /* now check ~/.ssh/authorized_keys */
+ strlcat(filename, "/authorized_keys", len); + snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir,
+ user_authkeys_dir, authkeys_file);
+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+ goto out; + goto out;
+ } + }

2
package/network/services/dropbear/patches/110-change_user.patch
View File

@ -1,6 +1,6 @@
--- a/svr-chansession.c --- a/svr-chansession.c
+++ b/svr-chansession.c +++ b/svr-chansession.c
@@ -954,12 +954,12 @@ static void execchild(const void *user_d @@ -985,12 +985,12 @@ static void execchild(const void *user_d
/* We can only change uid/gid as root ... */ /* We can only change uid/gid as root ... */
if (getuid() == 0) { if (getuid() == 0) {

14
package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
View File

@ -1,11 +1,13 @@
--- a/cli-runopts.c --- a/cli-runopts.c
+++ b/cli-runopts.c +++ b/cli-runopts.c
@@ -299,6 +299,8 @@ void cli_getopts(int argc, char ** argv) @@ -325,6 +325,10 @@ void cli_getopts(int argc, char ** argv)
debug_trace = 1; case 'b':
next = &bind_arg;
break; break;
#endif
+ case 'x': + case 'x':
+ /* compatibility with openssh cli
+ * ("-x" disables X11 forwarding) */
+ break; + break;
case 'F': default:
case 'e': fprintf(stderr,
#if !DROPBEAR_USER_ALGO_LIST "WARNING: Ignoring unknown option -%c\n", c);

2
package/network/services/dropbear/patches/140-disable_assert.patch
View File

@ -1,6 +1,6 @@
--- a/dbutil.h --- a/dbutil.h
+++ b/dbutil.h +++ b/dbutil.h
@@ -75,7 +75,11 @@ int m_str_to_uint(const char* str, unsig @@ -80,7 +80,11 @@ int m_snprintf(char *str, size_t size, c
#define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL} #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
/* Dropbear assertion */ /* Dropbear assertion */

4
package/network/services/dropbear/patches/160-lto-jobserver.patch
View File

@ -1,6 +1,6 @@
--- a/Makefile.in --- a/Makefile.in
+++ b/Makefile.in +++ b/Makefile.in
@@ -198,17 +198,17 @@ dropbearkey: $(dropbearkeyobjs) @@ -200,17 +200,17 @@ dropbearkey: $(dropbearkeyobjs)
dropbearconvert: $(dropbearconvertobjs) dropbearconvert: $(dropbearconvertobjs)
dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile
@ -22,7 +22,7 @@
# multi-binary compilation. # multi-binary compilation.
@@ -219,7 +219,7 @@ ifeq ($(MULTI),1) @@ -221,7 +221,7 @@ ifeq ($(MULTI),1)
endif endif
dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile

2
package/network/services/dropbear/patches/600-allow-blank-root-password.patch
View File

@ -1,6 +1,6 @@
--- a/svr-auth.c --- a/svr-auth.c
+++ b/svr-auth.c +++ b/svr-auth.c
@@ -125,7 +125,7 @@ void recv_msg_userauth_request() { @@ -124,7 +124,7 @@ void recv_msg_userauth_request() {
AUTH_METHOD_NONE_LEN) == 0) { AUTH_METHOD_NONE_LEN) == 0) {
TRACE(("recv_msg_userauth_request: 'none' request")) TRACE(("recv_msg_userauth_request: 'none' request"))
if (valid_user if (valid_user

2
package/network/services/dropbear/patches/900-configure-hardening.patch
View File

@ -1,6 +1,6 @@
--- a/configure.ac --- a/configure.ac
+++ b/configure.ac +++ b/configure.ac
@@ -70,53 +70,6 @@ AC_ARG_ENABLE(harden, @@ -74,53 +74,6 @@ AC_ARG_ENABLE(harden,
if test "$hardenbuild" -eq 1; then if test "$hardenbuild" -eq 1; then
AC_MSG_NOTICE(Checking for available hardened build flags:) AC_MSG_NOTICE(Checking for available hardened build flags:)

2
package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
View File

@ -21,7 +21,7 @@ Signed-off-by: Petr Štetiar <ynezz@true.cz>
--- a/signkey.c --- a/signkey.c
+++ b/signkey.c +++ b/signkey.c
@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *k @@ -646,8 +646,12 @@ int buf_verify(buffer * buf, sign_key *k
sigtype = signature_type_from_name(type_name, type_name_len); sigtype = signature_type_from_name(type_name, type_name_len);
m_free(type_name); m_free(type_name);