Commit Graph

89 Commits

Author SHA1 Message Date
Konstantin Demin
f230d00e64 dropbear: bump to 2024.85
- update dropbear to latest stable 2024.85;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- drop cherry-picked patches (merged in release 2024.84)
- refresh remaining patches

Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-05-09 19:35:20 +02:00
Sergey Ponomarev
1d4b88265b
dropbear: use ssh-keygen as an alias for dropbearkey
The DropBear's dropbearkey supports limited set of arguments of
OpenSSH ssh-keygen:  -t, -q -N -Y
After the change you can generate a key with the same command.
Still many features of the original OpenSSH ssh-keygen are absent in
the dropbearkey.
If it's needed then users should install openssh-keygen package that
will replace the /usr/bin/ssh-keygen with the full version.

Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/14174
[ wrap commit description to 80 columns ]
Link: https://github.com/openwrt/openwrt/pull/14174
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-05-06 13:41:43 +02:00
Fabrice Fontaine
289f811abb package/network/services/dropbear: fix PKG_CPE_ID
cpe:/a:dropbear_ssh_project:dropbear_ssh is the correct CPE ID for dropbear:
https://nvd.nist.gov/products/cpe/search/results?keyword=cpe:2.3🅰️dropbear_ssh_project:dropbear_ssh

Fixes: c61a239514 (add PKG_CPE_ID ids to package and tools)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15290
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-04-27 23:43:58 +02:00
Konstantin Demin
05100d8651 dropbear: adjust file permissions
runtime:
- adjust ownership/permissions while starting dropbear
build time:
- correct file permissions for preseed files in $(TOPDIR)/files/etc/dropbear/ (if any)

closes #10849

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
c87a192386 dropbear: split U2F/FIDO support
these options allow one to configure U2F/FIDO support in more granular way

inspired by upstream commit aa6559db

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
bf900e02c7 dropbear: add option to enable modern crypto only
reduces binary/package size and increases overall performance

also:
- adjust 910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
  to build without DROPBEAR_RSA/DROPBEAR_RSA_SHA256

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
88c8053d47 dropbear: adjust allowed shell list
this takes an effect only if getusershell(3) is missing

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
7f6fcaa3bf dropbear: honor CONFIG_TARGET_INIT_PATH
fixes 65256aee

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
2d9a0be307 dropbear: disable two weak kex/mac algorithms
hmac-sha1 and diffie-hellman-group14-sha1 are weak algorithms.
A future deprecation notice of ssh-rsa (2048-bit) has been issued. [1]

It has no place in a potentially internet-facing daemon like dropbear.
Upstream has acknowledged this and offered this solution to disable
these two until this is made to be the default in the next release
of dropbear next year. [2]

1. https://www.openssh.com/txt/release-8.2
2. https://github.com/mkj/dropbear/issues/138

Signed-off-by: John Audia <therealgraysky@proton.me>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
fa849fd411 dropbear: better object cleanup
improves b78aae79

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
f2b2293663 dropbear: allow more complex configuration
- switch DB_OPT_COMMON and DB_OPT_CONFIG to comma-separated lists:
  this allows to have values with "|" in DB_OPT_COMMON and DB_OPT_CONFIG
  which is more likely to be than values with commas;
  use $(comma) variable for values with commas.
- sort DB_OPT_COMMON and DB_OPT_CONFIG to have "overrides" on top of list.
- allow DB_OPT_COMMON to have values with commas.
- allow to replace multiline definitions in sysoptions.h.

improves e1bd9645

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
b5cde26048 dropbear: cherry-pick upstream patches
critical fixes:
- libtommath: possible integer overflow (CVE-2023-36328)
- implement Strict KEX mode (CVE-2023-48795)

various fixes:
- fix DROPBEAR_DSS and DROPBEAR_RSA config options
- y2038 issues
- remove SO_LINGER socket option
- make banner reading failure non-fatal
- fix "noremotetcp" behavior
- don't try to shutdown a pty
- fix test for multiuser kernels

adds new features:
- option to bind to interface
- allow inetd with non-syslog
- ignore unsupported command line options with dropbearkey

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
d4dfb566e2 dropbear: bump to 2022.83
- update dropbear to latest stable 2022.83;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- drop patches:
  - 001-fix-MAX_UNAUTH_CLIENTS-regression.patch
- rework patches:
  - 901-bundled-libs-cflags.patch
- refresh remaining patches

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Tianling Shen
48ed07bc0b treewide: replace AUTORELEASE with real PKG_RELEASE
Based on Paul Fertser <fercerpav@gmail.com>'s guidance:
Change AUTORELEASE in rules.mk to:
```
AUTORELEASE = $(if $(DUMP),0,$(shell sed -i "s/\$$(AUTORELEASE)/$(call commitcount,1)/" $(CURDIR)/Makefile))
```

then update all affected packages by:
```
for i in $(git grep -l PKG_RELEASE:=.*AUTORELEASE | sed 's^.*/\([^/]*\)/Makefile^\1^';);
do
	make package/$i/clean
done
```

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-05-18 11:35:29 +02:00
Andre Heider
07730ff346
treewide: add support for "lto" in PKG_BUILD_FLAGS
This reduces open coding and allows to easily add a knob to enable
it treewide, where chosen packages can still opt-out via "no-lto".

Some packages used LTO, but not the linker plugin. This unifies 'em
all to attempt to produce better code.
Quoting man gcc(1):
"This improves the quality of optimization by exposing more code to the
link-time optimizer."

Also use -flto=auto instead of -flto=jobserver, as it's not guaranteed
that every buildsystem uses +$(MAKE) correctly.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-03-21 18:28:22 +01:00
Andre Heider
da3700988d
treewide: add support for "gc-sections" in PKG_BUILD_FLAGS
This reduces open coding and allows to easily add a knob to
enable it treewide, where chosen packages can still opt-out via
"no-gc-sections".

Note: libnl, mbedtls and opkg only used the CFLAGS part without the
LDFLAGS counterpart. That doesn't help at all if the goal is to produce
smaller binaries. I consider that an accident, and this fixes it.

Note: there are also packages using only the LDFLAGS part. I didn't
touch those, as gc might have been disabled via CFLAGS intentionally.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-03-21 18:28:22 +01:00
Andre Heider
5c545bdb36
treewide: replace PKG_USE_MIPS16:=0 with PKG_BUILD_FLAGS:=no-mips16
Keep backwards compatibility via PKG_USE_MIPS16 for now, as this is
used in all package feeds.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-03-21 18:28:22 +01:00
Konstantin Demin
65256aee23 dropbear: bump to 2022.82
- update dropbear to latest stable 2022.82;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- use $(AUTORELEASE) in PKG_RELEASE
- use https for all uris
- refresh all patches
- rewrite patches:
  - 100-pubkey_path.patch
  - 130-ssh_ignore_x_args.patch

binary/pkg size changes:
- ath79/generic, mips:
  - binary: 215112 -> 219228 (+4116)
  - pkg: 111914 -> 113404 (+1490)
- ath79/tiny, mips:
  - binary: 172501 -> 172485 (-16)
  - pkg: 89871 -> 90904 (+1033)

Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2022-04-09 19:31:31 +02:00
Sven Roederer
5287defa1f dropbear: add config options for agent-forwarding support
* SSH agent forwarding might cause security issues, locally and on the jump
  machine (https://defn.io/2019/04/12/ssh-forwarding/). So allow to
  completely disabling it.
* separate options for client and server
* keep it enabled by default

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
2021-10-30 16:32:54 +02:00
Fritz D. Ansel
65ee14a118 dropbear: allow to use with xinetd
with xinetd allowed+blocked (ipv6) hosts could be set
what is not possible with stock dropbear package

The file size increased 12 Bytes, so this "opimisation" did not really helped.
Within a compressed storage format it is 0..

ipk: 111.171 -> 111.361 = 190 bytes
bin: 215.128 -> 215.140 =  12 bytes

Signed-off-by: Fritz D. Ansel <fdansel@yandex.ru>
2021-08-21 15:59:39 +02:00
Leonardo Mörlein
b993b68b6c build: introduce $(MKHASH)
Before this commit, it was assumed that mkhash is in the PATH. While
this was fine for the normal build workflow, this led to some issues if

    make TOPDIR="$(pwd)" -C "$pkgdir" compile

was called manually. In most of the cases, I just saw warnings like this:

    make: Entering directory '/home/.../package/gluon-status-page'
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    [...]

While these were only warnings and the package still compiled sucessfully,
I also observed that some package even fail to build because of this.

After applying this commit, the variable $(MKHASH) is introduced. This
variable points to $(STAGING_DIR_HOST)/bin/mkhash, which is always the
correct path.

Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
2021-05-13 15:13:15 +02:00
Konstantin Demin
52aa2017d3 dropbear: bump package version
Bump package version after previous changes.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
[added missing commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-12-11 13:48:24 +01:00
Konstantin Demin
228298290e dropbear: add ssh-askpass support in configuration
binary size cost is much less than 1k.

tested on ath79/generic:
  bin: 215128 -> 215132 (+4b)
  ipk: 111183 -> 111494 (+311b)

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-12-11 13:48:24 +01:00
Konstantin Demin
e1bd9645b6 dropbear: roll up recipes into mapping lists
this commit removes manual recipes for options and introduces mapping lists:
- DB_OPT_COMMON holds option mappings which are common for all builds;
- DB_OPT_CONFIG holds option mappings which are depend on config settings.

DB_OPT_COMMON is space-separated list of 'words', each of them is in format:
  'header_option|value'

'header_option' is added with value 'value' to 'localoptions.h'.

if 'header_option' is preceded by two exclamation marks ('!!')
then option is not added to 'localoptions.h' but replaced in 'sysoptions.h'.

in short:
   option|value - add option to localoptions.h
 !!option|value - replace option in sysoptions.h

DB_OPT_CONFIG is space-separated list of 'words', each of them is in format:
  'header_option|config_variable|value_enabled|value_disabled'

'header_option' is handled likewise in DB_OPT_COMMON.

if 'config_variable' is enabled (technically: not disabled)
then 'header_option' is set to 'value_enabled' and 'value_disabled' otherwise.

in short:
   option|config|enabled|disabled = add option to localoptions.h
 !!option|config|enabled|disabled = replace option in sysoptions.h

   option := (config) ? enabled : disabled

If you're not sure that option's value doesn't have '|' within - add your recipe
manually right after '$(Build/Configure/dropbear_headers)' and write some words
about your decision.

PS about two exclamation marks:
early idea was to use one exclamation mark to denote such header options
but then i thought single exclamation mark may be overlooked by mistake.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-12-11 13:48:24 +01:00
Konstantin Demin
79d5c24724 dropbear: rework recipes that configure build
- add two helper functions to avoid mistakes with
  choice of correct header file to work with
- update rules accordingly

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-12-11 13:48:24 +01:00
Konstantin Demin
42eff7c7e6 dropbear: reorder options in Configure recipe
put static options at first place, then place configurable options.
also put DROPBEAR_ECC right before DROPBEAR_ECC_FULL to ease maintainance.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-12-11 13:48:24 +01:00
Konstantin Demin
7e122c353a dropbear: enable back DROPBEAR_USE_PASSWORD_ENV
this option was disabled in 2011 and these long nine years showed us that change was definitely wrong.

binary size cost is much less than 1k.

tested on ath79/generic:
  bin: 215128 -> 215128 (no change)
  ipk: 111108 -> 111183 (+75b)

Fixes: 3c801b3dc0 ("tune some more options by default to decrease size")
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-12-11 13:48:24 +01:00
Hans Dedecker
aaf3443e1a dropbear: update to 2.81
Update dropbear to latest stable 2.81; for the changes see https://matt.ucc.asn.au/dropbear/CHANGES

Refresh patches

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-11-15 18:23:47 +01:00
Florian Eckert
42675aa30c dropbear: use new extra_command wrapper
Use new `extra_command` wrapper to fix the alignement.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2020-11-02 21:32:38 +01:00
Paul Spooren
d0f295837a dropbear: Enable Ed25519 for normal devices
The Ed25519 key pairs are much shorter than RSA pairs and are supported
by default in OpenSSH. Looking at websites explaining how to create new
SSH keys, many suggest using Ed25519 rather than RSA, however consider
the former as not yet widely established. OpenWrt likely has a positive
influence on that development.

As enabling Ed25519 is a compile time option, it is currently not
possible to install the feature via `opkg` nor select that option in an
ImageBuilder.

Due to the size impact of **12kB** the option should only be enabled for
devices with `!SMALL_FLASH`.

This approach seems cleaner than splitting `dropbear` into two packages
like `dropbear` and `dropbear-ed25519`.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-09-06 23:19:20 +02:00
Rui Salvaterra
763ce13b0b dropbear: allow disabling support for scp
If not needed, disabling scp allows for a nice size reduction.

Dropbear executable size comparison:

153621 bytes (baseline)
133077 bytes (without scp)

In other words, we trim a total of 20544 bytes.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-08-15 20:25:08 +02:00
Rui Salvaterra
e5eeb34a8c dropbear: fix ssh alternative when dbclient isn't built
The ssh symlink was still being created even when dbclient was disabled in the
build configuration. Fix this annoyance.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-08-12 21:57:37 +02:00
Hans Dedecker
d4c80f5b17 dropbear: bump to 2020.80
- drop patches (applied upstream)
 * 001-backport_GNU_SOURCE-for-random.patch
 * 002-backport-move-GNU_SOURCE-earlier.patch
 * 010-backport-disable-toom-and-karatsuba.patch

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-06-30 22:13:46 +02:00
Konstantin Demin
29e170dbaa dropbear: bump to 2020.79
- drop patches (applied upstream):
  * 010-backport-change-address-logging.patch
  * 020-backport-ed25519-support.patch
  * 021-backport-chacha20-poly1305-support.patch
- backport patches:
  * 010-backport-disable-toom-and-karatsuba.patch:
    reduce dropbear binary size (about ~8Kb).
- refresh patches.
- don't bother anymore with following config options
  because they are disabled in upstream too:
  * DROPBEAR_3DES
  * DROPBEAR_ENABLE_CBC_MODE
  * DROPBEAR_SHA1_96_HMAC
- explicitly disable DO_MOTD as it was before commit a1099ed:
  upstream has (accidentally) switched it to 0 in release 2019.77,
  but reverted back in release 2020.79.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-06-21 21:33:23 +02:00
Vladislav Grishenko
f166cf9ca0 dropbear: add ed25519 and chacha20-poly1305
- add Ed25519 support (backport):
  * DROPBEAR_ED25519 option for ssh-ed25519,
  * disabled by default
- add Chacha20-Poly1305 support (backport):
  * DROPBEAR_CHACHA20POLY1305 for chacha20-poly1305@openssh.com,
  * enabled by default
- update feature costs in binary size

Signed-off-by: Vladislav Grishenko <themiron@mail.ru>
2020-05-30 21:27:10 +02:00
Kevin Darbyshire-Bryant
82df192a01 dropbear: backport add ip address to exit without auth messages
201e359 Handle early exit when addrstring isn't set
fa4c464 Improve address logging on early exit messages (#83)

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-04-05 10:56:52 +01:00
John Crispin
a3dd95ef63 dropbear: fix compile error
Fixes: 0da193ee69 ("dropbear: move failsafe code out of base-files")
Signed-off-by: John Crispin <john@phrozen.org>
2020-01-15 21:31:12 +01:00
Kyle Copperfield
0da193ee69 dropbear: move failsafe code out of base-files
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Failsafe code of dropbear should be in the dropbear package not the
base-files package.

Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2020-01-15 20:04:06 +01:00
Hauke Mehrtens
7ab6613026 dropbear: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 18% uncompressed and 17% compressed
on MIPS BE.

old:
164,261 /usr/sbin/dropbear
 85,648 dropbear_2019.78-2_mips_24kc.ipk

new:
194,492 /usr/sbin/dropbear
100,309 dropbear_2019.78-2_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Matt Merhar
3d7f76383f dropbear: add missing zlib dependency for dropbearconvert
If CONFIG_DROPBEAR_ZLIB is set, building fails at the packaging stage
due to an undeclared dependency on libz.so.1.

As is already done for the main dropbear package, conditionally add a
dependency on zlib.

Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
2020-01-05 19:36:45 +01:00
Yousong Zhou
289d532ddd dropbear: rebuild libs on config change
Required as dependency on dropbear config headers is not tracked in
dropbear build system

Fixes FS#2275

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-11-01 06:59:51 +00:00
Rosy Song
524810ce6d dropbear: allow build without dbclient
This can save ~16KBytes size for the ipk

Signed-off-by: Rosy Song <rosysong@rosinson.com>
2019-04-18 22:34:19 +02:00
Hans Dedecker
80568e5854 dropbear: bump to 2019.78
Fix dbclient regression in 2019.77. After exiting the terminal would be left
in a bad state. Reported by Ryan Woodsmall

drop patch applied upstream:
	010-tty-modes-werent-reset-for-client.patch

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-04-07 20:32:55 +02:00
Konstantin Demin
01964148c6 dropbear: split ECC support to basic and full
- limit ECC support to ec*-sha2-nistp256:
  * DROPBEAR_ECC now provides only basic support for ECC
- provide full ECC support as an option:
  * DROPBEAR_ECC_FULL brings back support for ec{dh,dsa}-sha2-nistp{384,521}
- update feature costs in binary size

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:35 +01:00
Konstantin Demin
efc533cc2f dropbear: add initial support for ECC host key
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:33 +01:00
Konstantin Demin
a1099edf32 dropbear: bump to 2019.77
- drop patches applied upstream:
  * 010-runtime-maxauthtries.patch
  * 020-Wait-to-fail-invalid-usernames.patch
  * 150-dbconvert_standalone.patch
  * 610-skip-default-keys-in-custom-runs.patch
- refresh patches
- move OpenWrt configuration from patch to Build/Configure recipe,
  thus drop patch 120-openwrt_options.patch

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-03-25 22:25:32 +01:00
Hans Dedecker
83109450ce dropbear: fix dropbear startup issue
Interface triggers are installed by the dropbear init script in case an
interface is configured for a given dropbear uci section.
As dropbear is started after network the interface trigger event can be
missed during a small window; this is especially the case if lan is
specified as interface.
Fix this by starting dropbear before network so no interface trigger
is missed. As dropbear is started earlier than netifd add a boot function
to avoid the usage of network.sh functions as call to such functions will
fail at boottime.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
2018-12-18 19:43:22 +01:00
Rosen Penev
7651e254d5 dropbear: Install /etc/config as 600
/etc/config/dropbear is used by the init script which only runs as root.

Small whitespace change.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-09-19 09:41:28 +01:00
Hans Dedecker
2211ee0037 dropbear: backport upstream fix for CVE-2018-15599
CVE description :
The recv_msg_userauth_request function in svr-auth.c in Dropbear through
2018.76 is prone to a user enumeration vulnerability because username
validity affects how fields in SSH_MSG_USERAUTH messages are handled,
a similar issue to CVE-2018-15473 in an unrelated codebase.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-24 15:25:26 +02:00
Felix Fietkau
47b42137ce dropbear: compile with LTO enabled
Reduces size of the .ipk on MIPS from 87k to 84k

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-13 17:22:53 +02:00