Commit Graph

90 Commits

Author SHA1 Message Date
Hans Dedecker
751e6ab8e6 dropbear: fix compilation for uClibc
Backport patches which fix compile issue for uClibc-ng :

dbrandom.c:174:8: warning: implicit declaration of function 'getrandom'; did you mean 'genrandom'? [-Wimplicit-function-declaration]
  ret = getrandom(buf, sizeof(buf), GRND_NONBLOCK);
        ^~~~~~~~~
        genrandom
dbrandom.c:174:36: error: 'GRND_NONBLOCK' undeclared (first use in this function); did you mean 'SOCK_NONBLOCK'?
  ret = getrandom(buf, sizeof(buf), GRND_NONBLOCK);
                                    ^~~~~~~~~~~~~
                                    SOCK_NONBLOCK

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-06-24 22:36:21 +02:00
Konstantin Demin
29e170dbaa dropbear: bump to 2020.79
- drop patches (applied upstream):
  * 010-backport-change-address-logging.patch
  * 020-backport-ed25519-support.patch
  * 021-backport-chacha20-poly1305-support.patch
- backport patches:
  * 010-backport-disable-toom-and-karatsuba.patch:
    reduce dropbear binary size (about ~8Kb).
- refresh patches.
- don't bother anymore with following config options
  because they are disabled in upstream too:
  * DROPBEAR_3DES
  * DROPBEAR_ENABLE_CBC_MODE
  * DROPBEAR_SHA1_96_HMAC
- explicitly disable DO_MOTD as it was before commit a1099ed:
  upstream has (accidentally) switched it to 0 in release 2019.77,
  but reverted back in release 2020.79.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-06-21 21:33:23 +02:00
Vladislav Grishenko
f166cf9ca0 dropbear: add ed25519 and chacha20-poly1305
- add Ed25519 support (backport):
  * DROPBEAR_ED25519 option for ssh-ed25519,
  * disabled by default
- add Chacha20-Poly1305 support (backport):
  * DROPBEAR_CHACHA20POLY1305 for chacha20-poly1305@openssh.com,
  * enabled by default
- update feature costs in binary size

Signed-off-by: Vladislav Grishenko <themiron@mail.ru>
2020-05-30 21:27:10 +02:00
Kevin Darbyshire-Bryant
82df192a01 dropbear: backport add ip address to exit without auth messages
201e359 Handle early exit when addrstring isn't set
fa4c464 Improve address logging on early exit messages (#83)

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-04-05 10:56:52 +01:00
John Crispin
a3dd95ef63 dropbear: fix compile error
Fixes: 0da193ee69 ("dropbear: move failsafe code out of base-files")
Signed-off-by: John Crispin <john@phrozen.org>
2020-01-15 21:31:12 +01:00
Kyle Copperfield
0da193ee69 dropbear: move failsafe code out of base-files
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Failsafe code of dropbear should be in the dropbear package not the
base-files package.

Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2020-01-15 20:04:06 +01:00
Hauke Mehrtens
7ab6613026 dropbear: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 18% uncompressed and 17% compressed
on MIPS BE.

old:
164,261 /usr/sbin/dropbear
 85,648 dropbear_2019.78-2_mips_24kc.ipk

new:
194,492 /usr/sbin/dropbear
100,309 dropbear_2019.78-2_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Matt Merhar
3d7f76383f dropbear: add missing zlib dependency for dropbearconvert
If CONFIG_DROPBEAR_ZLIB is set, building fails at the packaging stage
due to an undeclared dependency on libz.so.1.

As is already done for the main dropbear package, conditionally add a
dependency on zlib.

Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
2020-01-05 19:36:45 +01:00
Yousong Zhou
289d532ddd dropbear: rebuild libs on config change
Required as dependency on dropbear config headers is not tracked in
dropbear build system

Fixes FS#2275

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-11-01 06:59:51 +00:00
Rosy Song
524810ce6d dropbear: allow build without dbclient
This can save ~16KBytes size for the ipk

Signed-off-by: Rosy Song <rosysong@rosinson.com>
2019-04-18 22:34:19 +02:00
Hans Dedecker
80568e5854 dropbear: bump to 2019.78
Fix dbclient regression in 2019.77. After exiting the terminal would be left
in a bad state. Reported by Ryan Woodsmall

drop patch applied upstream:
	010-tty-modes-werent-reset-for-client.patch

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-04-07 20:32:55 +02:00
Konstantin Demin
01964148c6 dropbear: split ECC support to basic and full
- limit ECC support to ec*-sha2-nistp256:
  * DROPBEAR_ECC now provides only basic support for ECC
- provide full ECC support as an option:
  * DROPBEAR_ECC_FULL brings back support for ec{dh,dsa}-sha2-nistp{384,521}
- update feature costs in binary size

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:35 +01:00
Konstantin Demin
5eb7864aad dropbear: rewrite init script startup logic to handle both host key files
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:34 +01:00
Konstantin Demin
6145e59881 dropbear: change type of config option "Port" to scalar type "port"
it was never used anywhere, even LuCI works with "Port" as scalar type.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:34 +01:00
Konstantin Demin
5d27b10c61 dropbear: introduce config option "keyfile" (replacement for "rsakeyfile")
* option "keyfile" is more generic than "rsakeyfile".
* option "rsakeyfile" is considered to be deprecated and should be removed
  in future releases.
* warn user (in syslog) if option "rsakeyfile" is used
* better check options ("rsakeyfile" and "keyfile"): don't append
  "-r keyfile" to command line if file is absent (doesn't exist or empty),
  warn user (in syslog) about such files

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:34 +01:00
Konstantin Demin
efc533cc2f dropbear: add initial support for ECC host key
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:33 +01:00
Konstantin Demin
c40a84cc15 dropbear: fix regression where TTY modes weren't reset for client
cherry-pick upstream commit 7bc6280613f5ab4ee86c14c779739070e5784dfe

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:33 +01:00
Konstantin Demin
ddf1a06326 dropbear: honour CFLAGS while building bundled libtomcrypt/libtommath
Felix Fietkau pointed out that bundled libtomcrypt/libtommath do funny stuff with CFLAGS.
fix this with checking environment variable OPENWRT_BUILD in both libs.
change in dropbear binary size is drastical: 221621 -> 164277.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:33 +01:00
Konstantin Demin
9c3bfd0906 dropbear: fix hardening flags during configure
compiler complains about messed up CFLAGS in build log:
  <command-line>: warning: "_FORTIFY_SOURCE" redefined
  <command-line>: note: this is the location of the previous definition

and then linker fails:
  mips-openwrt-linux-musl-gcc [...] -o dropbearmulti [...]
  collect2: fatal error: ld terminated with signal 11 [Segmentation fault]
  compilation terminated.
  /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: /tmp/cc27zORz.ltrans0.ltrans.o: relocation R_MIPS_HI16 against `cipher_descriptor' can not be used when making a shared object; recompile with -fPIC
  /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: /tmp/cc27zORz.ltrans1.ltrans.o: relocation R_MIPS_HI16 against `ses' can not be used when making a shared object; recompile with -fPIC
  /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: /tmp/cc27zORz.ltrans2.ltrans.o: relocation R_MIPS_HI16 against `cipher_descriptor' can not be used when making a shared object; recompile with -fPIC
  /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: BFD (GNU Binutils) 2.31.1 assertion fail elfxx-mips.c:6550
  [...]
  /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: BFD (GNU Binutils) 2.31.1 assertion fail elfxx-mips.c:6550
  make[3]: *** [Makefile:198: dropbearmulti] Error 1
  make[3]: *** Deleting file 'dropbearmulti'
  make[3]: Leaving directory '/build_dir/target-mips_24kc_musl/dropbear-2018.76'
  make[2]: *** [Makefile:158: /build_dir/target-mips_24kc_musl/dropbear-2018.76/.built] Error 2
  make[2]: Leaving directory '/package/network/services/dropbear'

This FTBFS issue was caused by hardening flags set up by dropbear's configure script.

By default, Dropbear offers hardening via CFLAGS and LDFLAGS,
but this may break or confuse OpenWrt settings.

Remove most Dropbear's hardening settings in favour of precise build,
but preserve Spectre v2 mitigations:
* -mfunction-return=thunk
* -mindirect-branch=thunk

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:33 +01:00
Konstantin Demin
a1099edf32 dropbear: bump to 2019.77
- drop patches applied upstream:
  * 010-runtime-maxauthtries.patch
  * 020-Wait-to-fail-invalid-usernames.patch
  * 150-dbconvert_standalone.patch
  * 610-skip-default-keys-in-custom-runs.patch
- refresh patches
- move OpenWrt configuration from patch to Build/Configure recipe,
  thus drop patch 120-openwrt_options.patch

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:32 +01:00
Jeffery To
d13e86d4c2 procd: Add wrapper for uci_validate_section()
This adds a wrapper (uci_load_validate) for uci_validate_section() that
allows callers (through a callback function) to access the values set by
uci_validate_section(), without having to manually declare a
(potentially long) list of local variables.

The callback function receives two arguments when called, the config
section name and the return value of uci_validate_section().

If no callback function is given, then the wrapper exits with the value
returned by uci_validate_section().

This also updates several init scripts to use the new wrapper function.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-01-22 09:05:59 +01:00
Hans Dedecker
83109450ce dropbear: fix dropbear startup issue
Interface triggers are installed by the dropbear init script in case an
interface is configured for a given dropbear uci section.
As dropbear is started after network the interface trigger event can be
missed during a small window; this is especially the case if lan is
specified as interface.
Fix this by starting dropbear before network so no interface trigger
is missed. As dropbear is started earlier than netifd add a boot function
to avoid the usage of network.sh functions as call to such functions will
fail at boottime.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
2018-12-18 19:43:22 +01:00
Rosen Penev
7651e254d5 dropbear: Install /etc/config as 600
/etc/config/dropbear is used by the init script which only runs as root.

Small whitespace change.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-09-19 09:41:28 +01:00
Hans Dedecker
2211ee0037 dropbear: backport upstream fix for CVE-2018-15599
CVE description :
The recv_msg_userauth_request function in svr-auth.c in Dropbear through
2018.76 is prone to a user enumeration vulnerability because username
validity affects how fields in SSH_MSG_USERAUTH messages are handled,
a similar issue to CVE-2018-15473 in an unrelated codebase.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-24 15:25:26 +02:00
Christian Schoenebeck
1e177844bc dropbear: close all active clients on shutdown
Override the default shutdown action (stop) and close all processes
of dropbear

Since commit 498fe85, the stop action only closes the process
that's listening for new connections, maintaining the ones with
existing clients.
This poses a problem when restarting or shutting-down a device,
because the connections with existing SSH clients, like OpenSSH,
are not properly closed, causing them to hang.

This situation can be avoided by closing all dropbear processes when
shutting-down the system, which closes properly the connections with
current clients.

Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
[Luis: Rework commit message]
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
2018-07-16 08:40:51 +02:00
Felix Fietkau
47b42137ce dropbear: compile with LTO enabled
Reduces size of the .ipk on MIPS from 87k to 84k

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00
Yousong Zhou
c4aadbdaf6 dropbear: let opkg manage symlinks of ssh, scp
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2018-06-25 15:21:24 +08:00
Stijn Tintel
1c308bbbf5 dropbear: add option to set receive window size
The default receive window size in dropbear is hardcoded to 24576 byte
to limit memory usage. This value was chosen for 100Mbps networks, and
limits the throughput of scp on faster networks. It also severely limits
scp throughput on high-latency links.

Add an option to set the receive window size so that people can improve
performance without having to recompile dropbear.

Setting the window size to the highest value supported by dropbear
improves throughput from my build machine to an APU2 on the same LAN
from 7MB/s to 7.9MB/s, and to an APU2 over a link with ~65ms latency
from 320KB/s to 7.5MB/s.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2018-02-18 02:59:57 +01:00
Martin Schiller
65d62b5f4f dropbear: disable MD5 HMAC and switch to sha1 fingerprints
As MD5 is known weak for many years and more and more
penetration test tools complain about enabled MD5 HMAC
I think it's time to drop it.

By disabling the MD5 HMAC support dropbear  will also
automatically use SHA1 for fingerprints.
This shouldn't be a problem too.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2017-12-12 22:24:17 +01:00
Alexander Couzens
c61a239514
add PKG_CPE_ID ids to package and tools
CPE ids helps to tracks CVE in packages.
https://cpe.mitre.org/specification/

Thanks to swalker for CPE to package mapping and
keep tracking CVEs.

Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-11-17 02:24:35 +01:00
Hans Dedecker
834c93e00b dropbear: fix PKG_CONFIG_DEPENDS
Add CONFIG_DROPBEAR_UTMP, CONFIG_DROPBEAR_PUTUTLINE to PKG_CONFIG_DEPENDS

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-06 09:38:00 +02:00
Marcin Jurkowski
a816e1eac7 dropbear: make ssh compression support configurable
Adds config option to enable compression support which is usefull
when using a terminal sessions over a slow link. Impact on binary
size is negligible but additional 60 kB (uncompressed) is needed for
a shared zlib library.

Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
2017-09-28 21:47:16 +02:00
John Crispin
12930fc045 Revert "dropbear: Link ssh and scp command to /bin instead of /usr/bin"
This reverts commit f7528ed0a8.

Signed-off-by: John Crispin <john@phrozen.org>
2017-08-31 21:09:13 +02:00
Rosen Penev
f7528ed0a8 dropbear: Link ssh and scp command to /bin instead of /usr/bin
ssh and scp commands interfere with OpenSSH when installed in /usr/bin .

One use case is when installing dropbear to get root access when only OpenSSH is available (OpenSSH disallows root password logins). Once dropbear installs, it replaces OpenSSH's executables, even when removed with opkg. OpenSSH must be reinstalled to get them back.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2017-08-31 19:14:43 +02:00
Stijn Tintel
6371159b4a dropbear: add option to set max auth tries
Add a uci option to set the new max auth tries paramater in dropbear.
Set the default to 3, as 10 seems excessive.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-06-28 02:18:20 +02:00
Kevin Darbyshire-Bryant
9aaf3d3501 dropbear: server support option '-T' max auth tries
Add support for '-T n' for a run-time specification for maximum number
of authentication attempts where 'n' is between 1 and compile time
option MAX_AUTH_TRIES.

A default number of tries can be specified at compile time using
'DEFAULT_AUTH_TRIES' which itself defaults to MAX_AUTH_TRIES for
backwards compatibility.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-06-28 02:18:20 +02:00
Kevin Darbyshire-Bryant
8f4085e2fd dropbear: fix service trigger syntax error
The classic single '&' when double '&&' conditional was meant.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-06-16 12:05:25 +02:00
Kevin Darbyshire-Bryant
6e10fc74fd dropbear: bump to 2017.75
- Security: Fix double-free in server TCP listener cleanup A double-free
in the server could be triggered by an authenticated user if dropbear is
running with -a (Allow connections to forwarded ports from any host)
This could potentially allow arbitrary code execution as root by an
authenticated user.  Affects versions 2013.56 to 2016.74. Thanks to Mark
Shepard for reporting the crash.
CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c

- Security: Fix information disclosure with ~/.ssh/authorized_keys
symlink.  Dropbear parsed authorized_keys as root, even if it were a
symlink.  The fix is to switch to user permissions when opening
authorized_keys

A user could symlink their ~/.ssh/authorized_keys to a root-owned file
they couldn't normally read. If they managed to get that file to contain
valid authorized_keys with command= options it might be possible to read
other contents of that file.
This information disclosure is to an already authenticated user.
Thanks to Jann Horn of Google Project Zero for reporting this.
CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123

Refresh patches, rework 100-pubkey_path.patch to work with new
authorized_keys validation.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-05-21 23:56:17 +02:00
Hans Dedecker
e5bbead1a8 dropbear: fix procd interface trigger install
Install procd interface triggers only for interfaces which are enabled
so dropbear instances running on (an) enabled interface(s) are not
restarted due to an interface trigger of an interface which is disabled.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-04-26 21:29:16 +02:00
Stijn Tintel
27040dbf89 dropbear: bump PKG_RELEASE
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-02-17 12:18:58 +01:00
Joseph C. Sible
0bf85ef048 dropbear: enable SHA256 HMACs
The only HMACs currently available use MD5 and SHA1, both of which have known
weaknesses. We already compile in the SHA256 code since we use Curve25519
by default, so there's no significant size penalty to enabling this.

Signed-off-by: Joseph C. Sible <josephcsible@users.noreply.github.com>
2017-02-10 11:05:57 +01:00
Felix Fietkau
84bd74057f build: use mkhash to replace various quirky md5sum/openssl calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-05 11:09:12 +01:00
Felix Fietkau
720b99215d treewide: clean up download hashes
Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-16 22:39:22 +01:00
Dario Ernst
866b7bad00 dropbear: clean up default PATH handling in makefile
Harmonise handling of DEFAULT_PATH by removing the patch introducing #ifndef
guards around the path, and only using one means to set the path in the
makefile.

Signed-off-by: Dario Ernst <Dario.Ernst@riverbed.com>
2016-12-14 10:37:01 +01:00
Matthias Schiffer
77f54eae45
config: enable shadow passwords unconditionally
Configurations without shadow passwords have been broken since the removal
of telnet: as the default entry in /etc/passwd is not empty (but rather
unset), there will be no way to log onto such a system by default. As
disabling shadow passwords is not useful anyways, remove this configuration
option.

The config symbol is kept (for a while), as packages from feeds depend on
it.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-26 17:57:56 +02:00
Kevin Darbyshire-Bryant
96f0bbe91d dropbear: hide dropbear version
As security precaution and to limit the attack surface based on
the version reported by tools like nmap mask out the dropbear
version so the version is not visible anymore by snooping on the
wire. Version is still visible by 'dropbear -V'

Based on a patch by Hans Dedecker <dedeckeh@gmail.com>

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [remove trailing _]
2016-09-10 12:17:39 +02:00
Karl Palsson
a4dc9ff934 dropbear: mdns flag is a bool, not integer
Effectively the same for most purposes, but more accurate.

Signed-off-by: Karl Palsson <karlp@etactica.com>
2016-09-05 07:27:16 +02:00
Jo-Philipp Wich
4e8c6f3407 dropbear: security update to 2016.74
- Security: Message printout was vulnerable to format string injection.

  If specific usernames including "%" symbols can be created on a system
  (validated by getpwnam()) then an attacker could run arbitrary code as root
  when connecting to Dropbear server.

  A dbclient user who can control username or host arguments could potentially
  run arbitrary code as the dbclient user. This could be a problem if scripts
  or webpages pass untrusted input to the dbclient program.

- Security: dropbearconvert import of OpenSSH keys could run arbitrary code as
  the local dropbearconvert user when parsing malicious key files

- Security: dbclient could run arbitrary code as the local dbclient user if
  particular -m or -c arguments are provided. This could be an issue where
  dbclient is used in scripts.

- Security: dbclient or dropbear server could expose process memory to the
  running user if compiled with DEBUG_TRACE and running with -v

  The security issues were reported by an anonymous researcher working with
  Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-08-12 11:45:47 +02:00
Felix Fietkau
8299737428 dropbear: remove procd_open_trigger/procd_close_trigger calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 16:41:08 +02:00
Dario Ernst
4d1c75c601 dropbear: Fix incorrect CONFIG_TARGET_INIT_PATH.
Fix a „semantic typo“ introduced in b78aae793e,
where TARGET_INIT_PATH was used instead of CONFIG_TARGET_INIT_PATH.

Signed-off-by: Dario Ernst <Dario.Ernst@riverbed.com>
2016-05-24 16:31:17 +02:00