From 1684c010ef9634133ba9a8375408dc9aa338dc6e Mon Sep 17 00:00:00 2001 From: coolsnowwolf Date: Sun, 21 Apr 2019 13:55:01 +0800 Subject: [PATCH] Revert "dropbear: allow build without dbclient" This reverts commit 5446d77b69521f94a618006d6966be005b2e3cd3. --- package/kernel/mt76/Makefile | 32 ++- package/network/services/dropbear/Config.in | 35 +-- package/network/services/dropbear/Makefile | 58 ++--- .../services/dropbear/files/dropbear.init | 132 +++-------- .../patches/010-runtime-maxauthtries.patch | 130 +++++++++++ .../020-Wait-to-fail-invalid-usernames.patch | 221 ++++++++++++++++++ .../dropbear/patches/100-pubkey_path.patch | 45 ++-- .../dropbear/patches/110-change_user.patch | 2 +- .../patches/120-openwrt_options.patch | 82 +++++++ .../patches/130-ssh_ignore_x_args.patch | 4 +- .../dropbear/patches/140-disable_assert.patch | 2 +- .../patches/150-dbconvert_standalone.patch | 14 ++ .../dropbear/patches/160-lto-jobserver.patch | 8 +- .../600-allow-blank-root-password.patch | 2 +- ...610-skip-default-keys-in-custom-runs.patch | 18 ++ .../patches/900-configure-hardening.patch | 56 ----- .../patches/901-bundled-libs-cflags.patch | 48 ---- 17 files changed, 587 insertions(+), 302 deletions(-) create mode 100644 package/network/services/dropbear/patches/010-runtime-maxauthtries.patch create mode 100644 package/network/services/dropbear/patches/020-Wait-to-fail-invalid-usernames.patch create mode 100644 package/network/services/dropbear/patches/120-openwrt_options.patch create mode 100644 package/network/services/dropbear/patches/150-dbconvert_standalone.patch create mode 100644 package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch delete mode 100644 package/network/services/dropbear/patches/900-configure-hardening.patch delete mode 100644 package/network/services/dropbear/patches/901-bundled-libs-cflags.patch diff --git a/package/kernel/mt76/Makefile b/package/kernel/mt76/Makefile index 43a6cb9ed..a7452dc04 100644 
--- a/package/kernel/mt76/Makefile +++ b/package/kernel/mt76/Makefile @@ -6,11 +6,11 @@ PKG_RELEASE=1 PKG_LICENSE:=GPLv2 PKG_LICENSE_FILES:= -PKG_SOURCE_URL:=https://github.com/openwrt/mt76 +PKG_SOURCE_URL:=https://github.com/MeIsReallyBa/mt76 PKG_SOURCE_PROTO:=git -PKG_SOURCE_DATE:=2019-03-27 -PKG_SOURCE_VERSION:=a11b67348aeb2d3175c5995c747e7fc050c7df60 -PKG_MIRROR_HASH:=6ea603308fa568c8ab39eddd86d9c8110a10aa93971348f52ceda0e5bd423ec6 +PKG_SOURCE_DATE:=2019-04-08 +PKG_SOURCE_VERSION:=879ca1466193153b5ee47e2789645a9b6c4404fc +PKG_MIRROR_HASH:= PKG_MAINTAINER:=Felix Fietkau PKG_BUILD_PARALLEL:=1 @@ -23,7 +23,8 @@ PKG_CONFIG_DEPENDS += \ CONFIG_PACKAGE_kmod-mt76x2-common \ CONFIG_PACKAGE_kmod-mt76x2 \ CONFIG_PACKAGE_kmod-mt76x2u \ - CONFIG_PACKAGE_kmod-mt7603 + CONFIG_PACKAGE_kmod-mt7603 \ + CONFIG_PACKAGE_kmod-mt7615 STAMP_CONFIGURED_DEPENDS := $(STAGING_DIR)/usr/include/mac80211-backport/backport/autoconf.h @@ -129,6 +130,15 @@ define KernelPackage/mt76x2 AUTOLOAD:=$(call AutoProbe,mt76x2e) endef +define KernelPackage/mt7615 + $(KernelPackage/mt76-default) + TITLE:=MediaTek MT7615 wireless driver + DEPENDS+=@PCI_SUPPORT +kmod-mt76-core + FILES:=\ + $(PKG_BUILD_DIR)/mt7615/mt7615e.ko + AUTOLOAD:=$(call AutoProbe,mt7615e) +endef + define KernelPackage/mt7603 $(KernelPackage/mt76-default) TITLE:=MediaTek MT7603 wireless driver @@ -178,6 +188,9 @@ endif ifdef CONFIG_PACKAGE_kmod-mt76x2u PKG_MAKE_FLAGS += CONFIG_MT76x2U=m endif +ifdef CONFIG_PACKAGE_kmod-mt7615 + PKG_MAKE_FLAGS += CONFIG_MT7615E=m +endif ifdef CONFIG_PACKAGE_kmod-mt7603 PKG_MAKE_FLAGS += CONFIG_MT7603E=m endif 
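Review bot: `PKG_MIRROR_HASH:=` is left empty in the same hunk that moves `PKG_SOURCE_URL` from openwrt/mt76 to a personal fork, so as far as the visible lines show the 40-character `PKG_SOURCE_VERSION` commit id is the only thing pinning what gets built and nothing checks the fetched source tarball. Either record the real value (`make package/kernel/mt76/check FIXUP=1` fills it in on a tree that has the download) or state in the commit message why it is intentionally blank. The switch to a non-project fork also deserves a sentence in the description, since neither the title nor the body mentions mt76 at all.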
@@ -221,6 +234,12 @@ define KernelPackage/mt76x2u/install ln -sf ../mt7662_rom_patch.bin $(1)/lib/firmware/mediatek/mt7662u_rom_patch.bin endef +define KernelPackage/mt7615/install +$(INSTALL_DIR) $(1)/lib/firmware +cp $(PKG_BUILD_DIR)/firmware/mt7615_rom_patch.bin $(PKG_BUILD_DIR)/firmware/mt7615_n9.bin $(PKG_BUILD_DIR)/firmware/mt7615_cr4.bin \ +$(1)/lib/firmware/ +endef + define KernelPackage/mt7603/install $(INSTALL_DIR) $(1)/lib/firmware cp $(if $(CONFIG_TARGET_ramips_mt76x8), \ @@ -243,5 +262,6 @@ $(eval $(call KernelPackage,mt76x0u)) $(eval $(call KernelPackage,mt76x2-common)) $(eval $(call KernelPackage,mt76x2u)) $(eval $(call KernelPackage,mt76x2)) +$(eval $(call KernelPackage,mt7615)) $(eval $(call KernelPackage,mt7603)) -$(eval $(call KernelPackage,mt76)) +$(eval $(call KernelPackage,mt76)) \ No newline at end of file diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index 61a04ec87..ca0af9d5e 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in 
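Review bot: The last line `$(eval $(call KernelPackage,mt76))` is rewritten only to drop its trailing newline (`\ No newline at end of file`), which is a regression rather than a change; restore the newline so a later append to the file does not fuse onto this `$(eval ...)` line. The `$(eval $(call KernelPackage,mt7615))` addition itself mirrors the sibling entries and is fine.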
@@ -8,46 +8,29 @@ config DROPBEAR_CURVE25519 This enables the following key exchange algorithm: curve25519-sha256@libssh.org - Increases binary size by about 8 kB uncompressed (MIPS). + Increases binary size by about 13 kB uncompressed (MIPS). config DROPBEAR_ECC bool "Elliptic curve cryptography (ECC)" default n help - Enables basic support for elliptic curve cryptography (ECC) - in key exchange and public key authentication. + Enables elliptic curve cryptography (ECC) support in key exchange and public key + authentication. Key exchange algorithms: ecdh-sha2-nistp256 - - Public key algorithms: - ecdsa-sha2-nistp256 - - Increases binary size by about 24 kB (MIPS). - - If full ECC support is required, also select DROPBEAR_ECC_FULL. - -config DROPBEAR_ECC_FULL - bool "Elliptic curve cryptography (ECC), full support" - default n - depends on DROPBEAR_ECC - help - Enables full support for elliptic curve cryptography (ECC) - in key exchange and public key authentication. - - Key exchange algorithms: - ecdh-sha2-nistp256 (*) ecdh-sha2-nistp384 ecdh-sha2-nistp521 Public key algorithms: - ecdsa-sha2-nistp256 (*) + ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 - (*) - basic ECC support; provided by DROPBEAR_ECC. + Does not generate ECC host keys by default (ECC key exchange will not be used, + only ECC public key auth). - Increases binary size by about 4 kB (MIPS). + Increases binary size by about 23 kB (MIPS). config DROPBEAR_ZLIB bool "Enable compression" @@ -73,8 +56,4 @@ config DROPBEAR_PUTUTLINE help Dropbear will use pututline() to write the utmp structure into the utmp file. -config DROPBEAR_DBCLIENT - bool "Build dropbear with dbclient" - default y - endmenu diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 63204042f..0ed7199e6 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile 
@@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dropbear -PKG_VERSION:=2019.78 -PKG_RELEASE:=2 +PKG_VERSION:=2017.75 +PKG_RELEASE:=9 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:= \ http://matt.ucc.asn.au/dropbear/releases/ \ https://dropbear.nl/mirror/releases/ -PKG_HASH:=525965971272270995364a0eb01f35180d793182e63dd0b0c3eb0292291644a4 +PKG_HASH:=6cbc1dcb1c9709d226dff669e5604172a18cf5dbf9a201474d5618ae4465098c PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE @@ -23,13 +23,11 @@ PKG_CPE_ID:=cpe:/a:matt_johnston:dropbear_ssh_server PKG_BUILD_PARALLEL:=1 PKG_USE_MIPS16:=0 -PKG_FIXUP:=autoreconf PKG_CONFIG_DEPENDS:= \ - CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \ + CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \ CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ - CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \ - CONFIG_DROPBEAR_DBCLIENT + CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE include $(INCLUDE_DIR)/package.mk @@ -62,7 +60,6 @@ define Package/dropbear/description endef define Package/dropbear/conffiles -$(if $(CONFIG_DROPBEAR_ECC),/etc/dropbear/dropbear_ecdsa_host_key) /etc/dropbear/dropbear_rsa_host_key /etc/config/dropbear endef 
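Review bot: `PKG_VERSION` goes from 2019.78 back to 2017.75 (with the matching `PKG_HASH`), a two-year downgrade of the SSH daemon, yet the title and description only mention reverting the dbclient build option. Judging from the rest of the diff the fixes from the intervening upstream releases are re-carried as local patches (010-runtime-maxauthtries, 020-Wait-to-fail-invalid-usernames) while 900-configure-hardening and 901-bundled-libs-cflags are deleted, so this looks deliberate and should be stated in the commit message together with what is lost (the DROPBEAR_ECC_FULL split, the `PKG_FIXUP:=autoreconf`). A reader of `git log` will otherwise not learn that the package version changed at all.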
@@ -93,39 +90,33 @@ TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections -flto TARGET_LDFLAGS += -Wl,--gc-sections -flto=jobserver define Build/Configure - : > $(PKG_BUILD_DIR)/localoptions.h - $(Build/Configure/Default) - echo '#define DEFAULT_PATH "$(TARGET_INIT_PATH)"' >> \ - $(PKG_BUILD_DIR)/localoptions.h + $(SED) 's,^#define DEFAULT_PATH .*$$$$,#define DEFAULT_PATH "$(TARGET_INIT_PATH)",g' \ + $(PKG_BUILD_DIR)/options.h - echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \ - $(PKG_BUILD_DIR)/localoptions.h + awk 'BEGIN { rc = 1 } \ + /'DROPBEAR_CURVE25519'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_CURVE25519),,// )#define 'DROPBEAR_CURVE25519'"; rc = 0 } \ + { print } \ + END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \ + >$(PKG_BUILD_DIR)/options.h.new && \ + mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h + # Enforce that all replacements are made, otherwise options.h has changed + # format and this logic is broken. for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \ - echo "#define $$$$OPTION $(if $(CONFIG_DROPBEAR_ECC),1,0)" >> \ - $(PKG_BUILD_DIR)/localoptions.h; \ + awk 'BEGIN { rc = 1 } \ + /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// )#define '$$$$OPTION'"; rc = 0 } \ + { print } \ + END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \ + >$(PKG_BUILD_DIR)/options.h.new && \ + mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h || exit 1; \ done # remove protocol idented software version number - $(ESED) 's,^(#define LOCAL_IDENT) .*$$$$,\1 "SSH-2.0-dropbear",g' \ + $(SED) 's,^#define LOCAL_IDENT .*$$$$,#define LOCAL_IDENT "SSH-2.0-dropbear",g' \ $(PKG_BUILD_DIR)/sysoptions.h - # disable legacy/unsafe methods and unused functionality - for OPTION in INETD_MODE DROPBEAR_CLI_NETCAT \ - DROPBEAR_3DES DROPBEAR_DSS DROPBEAR_ENABLE_CBC_MODE \ - DROPBEAR_SHA1_96_HMAC DROPBEAR_USE_PASSWORD_ENV; do \ - echo "#define $$$$OPTION 0" >> \ - $(PKG_BUILD_DIR)/localoptions.h; \ - done - - # enable nistp384 and 
nistp521 only if full ECC support was requested - for OPTION in DROPBEAR_ECC_384 DROPBEAR_ECC_521; do \ - $(ESED) 's,^(#define '$$$$OPTION') .*$$$$,\1 $(if $(CONFIG_DROPBEAR_ECC_FULL),1,0),g' \ - $(PKG_BUILD_DIR)/sysoptions.h; \ - done - # Enforce rebuild of svr-chansession.c rm -f $(PKG_BUILD_DIR)/svr-chansession.o endef @@ -133,7 +124,7 @@ endef define Build/Compile +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ $(TARGET_CONFIGURE_OPTS) \ - PROGRAMS="dropbear $(if $(CONFIG_DROPBEAR_DBCLIENT),dbclient,) dropbearkey scp" \ + PROGRAMS="dropbear dbclient dropbearkey scp" \ MULTI=1 SCPPROGRESS=1 +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ $(TARGET_CONFIGURE_OPTS) \ @@ -144,7 +135,7 @@ define Package/dropbear/install $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(PKG_BUILD_DIR)/dropbearmulti $(1)/usr/sbin/dropbear $(INSTALL_DIR) $(1)/usr/bin - $(if $(CONFIG_DROPBEAR_DBCLIENT),$(LN) ../sbin/dropbear $(1)/usr/bin/dbclient,) + $(LN) ../sbin/dropbear $(1)/usr/bin/dbclient $(LN) ../sbin/dropbear $(1)/usr/bin/dropbearkey $(INSTALL_DIR) $(1)/etc/config $(INSTALL_CONF) ./files/dropbear.config $(1)/etc/config/dropbear @@ -152,7 +143,6 @@ define Package/dropbear/install $(INSTALL_BIN) ./files/dropbear.init $(1)/etc/init.d/dropbear $(INSTALL_DIR) $(1)/usr/lib/opkg/info $(INSTALL_DIR) $(1)/etc/dropbear - $(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key) touch $(1)/etc/dropbear/dropbear_rsa_host_key endef diff --git a/package/network/services/dropbear/files/dropbear.init b/package/network/services/dropbear/files/dropbear.init index 173ab0928..eef2643c1 100755 --- a/package/network/services/dropbear/files/dropbear.init +++ b/package/network/services/dropbear/files/dropbear.init 
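Review bot: The awk in the new `Build/Configure` matches the option name as an unanchored substring (`/'DROPBEAR_CURVE25519'/`, and `/'$$$$OPTION'/` in the loop), so any other line of options.h that merely mentions DROPBEAR_CURVE25519, DROPBEAR_ECDSA or DROPBEAR_ECDH — a comment or an `#ifdef` — is overwritten with the bare `#define`/`// #define` as well, and because `rc = 0` is set on any match the "enforce that all replacements are made" guard would not notice. Anchoring to the define line, e.g. `/^#define 'DROPBEAR_CURVE25519'/`, makes the guard meaningful (assuming the 2017.75 header spells each option as a bare `#define`, which I cannot confirm from here). The removed `localoptions.h` approach only appended and could not clobber unrelated lines, which is worth keeping in mind if options.h ever changes shape; the comment in the hunk already concedes that dependency.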
@@ -12,91 +12,6 @@ PIDCOUNT=0 EXTRA_COMMANDS="killclients" EXTRA_HELP=" killclients Kill ${NAME} processes except servers and yourself" -_dropbearkey() -{ - /usr/bin/dropbearkey "$@" 0<&- 1>&- 2>&- -} - -# $1 - host key file name -hk_verify() -{ - [ -f "$1" ] || return 1 - [ -s "$1" ] || return 2 - _dropbearkey -y -f "$1" || return 3 - return 0 -} - -# $1 - hk_verify() return code -hk_errmsg() -{ - case "$1" in - 0) ;; - 1) echo "file does not exist" ;; - 2) echo "file has zero length" ;; - 3) echo "file is not valid host key or not supported" ;; - *) echo "unknown error" ;; - esac -} - -# $1 - config option -# $2 - host key file name -hk_config() -{ - local x m - hk_verify "$2"; x=$? - case "$x" in - 0) procd_append_param command -r "$2" - ;; - *) m=$(hk_errmsg "$x") - logger -t "${NAME}" -p daemon.warn \ - "option '$1', value '$2': $m, skipping" - ;; - esac -} - -# $1 - host key file name -hk_config__keyfile() -{ - hk_config 'keyfile' "$1" -} - -hk_generate_as_needed() -{ - local kdir kgen ktype tdir kcount tfile - kdir='/etc/dropbear' - - kgen='' - for ktype in ecdsa rsa; do - hk_verify "${kdir}/dropbear_${ktype}_host_key" && continue - - kgen="${kgen} ${ktype}" - done - - [ -z "${kgen}" ] && return - - tdir=$(mktemp -d); chmod 0700 "${tdir}" - - kcount=0 - for ktype in ${kgen}; do - tfile="${tdir}/dropbear_${ktype}_host_key" - - if ! _dropbearkey -t ${ktype} -f "${tfile}"; then - # unsupported key type - rm -f "${tfile}" - continue - fi - - kcount=$((kcount+1)) - done - - if [ ${kcount} -ne 0 ]; then - mkdir -p "${kdir}"; chmod 0700 "${kdir}"; chown root "${kdir}" - mv -f "${tdir}/"* "${kdir}/" - fi - - rm -rf "${tdir}" -} - append_ports() { local ipaddrs="$1" @@ -114,7 +29,7 @@ append_ports() validate_section_dropbear() { - uci_load_validate dropbear dropbear "$1" "$2" \ + uci_validate_section dropbear dropbear "${1}" \ 'PasswordAuth:bool:1' \ 'enable:bool:1' \ 'Interface:string' \ 
@@ -122,9 +37,8 @@ validate_section_dropbear() 'RootPasswordAuth:bool:1' \ 'RootLogin:bool:1' \ 'rsakeyfile:file' \ - 'keyfile:list(file)' \ 'BannerFile:file' \ - 'Port:port:22' \ + 'Port:list(port):22' \ 'SSHKeepAlive:uinteger:300' \ 'IdleTimeout:uinteger:0' \ 'MaxAuthTries:uinteger:3' \ @@ -134,9 +48,12 @@ validate_section_dropbear() dropbear_instance() { - local ipaddrs + local PasswordAuth enable Interface GatewayPorts \ + RootPasswordAuth RootLogin rsakeyfile \ + BannerFile Port SSHKeepAlive IdleTimeout \ + MaxAuthTries RecvWindowSize mdns ipaddrs - [ "$2" = 0 ] || { + validate_section_dropbear "${1}" || { echo "validation failed" return 1 } @@ -160,13 +77,7 @@ dropbear_instance() [ "${GatewayPorts}" -eq 1 ] && procd_append_param command -a [ "${RootPasswordAuth}" -eq 0 ] && procd_append_param command -g [ "${RootLogin}" -eq 0 ] && procd_append_param command -w - if [ -n "${rsakeyfile}" ]; then - logger -t ${NAME} -p daemon.warn \ - "option 'rsakeyfile' is considered to be deprecated and" \ - "will be removed in future releases, use 'keyfile' instead" - hk_config 'rsakeyfile' "${rsakeyfile}" - fi - config_list_foreach "$1" "keyfile" hk_config__keyfile + [ -n "${rsakeyfile}" ] && procd_append_param command -r "${rsakeyfile}" [ -n "${BannerFile}" ] && procd_append_param command -b "${BannerFile}" append_ports "${ipaddrs}" "${Port}" [ "${IdleTimeout}" -ne 0 ] && procd_append_param command -I "${IdleTimeout}" 
@@ -179,6 +90,29 @@ dropbear_instance() procd_close_instance } +keygen() +{ + for keytype in rsa; do + # check for keys + key=dropbear/dropbear_${keytype}_host_key + [ -f /tmp/$key -o -s /etc/$key ] || { + # generate missing keys + mkdir -p /tmp/dropbear + [ -x /usr/bin/dropbearkey ] && { + /usr/bin/dropbearkey -t $keytype -f /tmp/$key 2>&- >&- && exec /etc/rc.common "$initscript" start + } & + exit 0 + } + done + + lock /tmp/.switch2jffs + mkdir -p /etc/dropbear + mv /tmp/dropbear/dropbear_* /etc/dropbear/ + lock -u /tmp/.switch2jffs + chown root /etc/dropbear + chmod 0700 /etc/dropbear +} + load_interfaces() { config_get interface "$1" Interface @@ -195,13 +129,13 @@ boot() start_service() { - hk_generate_as_needed + [ -s /etc/dropbear/dropbear_rsa_host_key ] || keygen . /lib/functions.sh . /lib/functions/network.sh config_load "${NAME}" - config_foreach validate_section_dropbear dropbear dropbear_instance + config_foreach dropbear_instance dropbear } service_triggers() diff --git a/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch b/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch new file mode 100644 index 000000000..26db3181f --- /dev/null +++ b/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch 
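Review bot: `keygen()` generates the host key into the fixed path `/tmp/dropbear`, created by `mkdir -p` under the default umask, whereas the helper it replaces (`hk_generate_as_needed`, removed in the first hunk of this file) generated into a `mktemp -d` directory that was `chmod 0700` before any key was written; here the 0700 is applied to `/etc/dropbear` only after the `mv`. At minimum tighten the scratch directory before dropbearkey runs, `mkdir -p /tmp/dropbear && chmod 0700 /tmp/dropbear`. The presence test `[ -f /tmp/$key -o -s /etc/$key ]` also accepts an empty or partial `/tmp` file (what an interrupted `dropbearkey` could leave behind) as a key to move into `/etc/dropbear`, so `-s /tmp/$key` is the safer test. Note that the function leaves via `exit 0` and relies on the backgrounded `exec /etc/rc.common "$initscript" start` to actually bring the service up once the key exists.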
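Review bot: `[ -s /etc/dropbear/dropbear_rsa_host_key ] || keygen` only checks that the file is non-empty, whereas the removed `hk_verify` also ran `dropbearkey -y -f` on it, so a truncated or otherwise unparsable key now passes the check and dropbear fails at startup instead of the key being regenerated. If that is acceptable, a comment saying so would help; otherwise `/usr/bin/dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key >/dev/null 2>&1 || keygen` restores the validation, but `keygen`'s own `-s /etc/$key` test in the hunk above would then need the same change or it will skip generation for the corrupt file.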
@@ -0,0 +1,130 @@ +From 46b22e57d91e33a591d0fba97da52672af4d6ed2 Mon Sep 17 00:00:00 2001 +From: Kevin Darbyshire-Bryant +Date: Mon, 29 May 2017 10:25:09 +0100 +Subject: [PATCH] dropbear server: support -T max auth tries + +Add support for '-T n' for a run-time specification for maximum number +of authentication attempts where 'n' is between 1 and compile time +option MAX_AUTH_TRIES. + +A default number of tries can be specified at compile time using +'DEFAULT_AUTH_TRIES' which itself defaults to MAX_AUTH_TRIES for +backwards compatibility. + +Signed-off-by: Kevin Darbyshire-Bryant +--- + options.h | 7 +++++++ + runopts.h | 1 + + svr-auth.c | 2 +- + svr-runopts.c | 17 +++++++++++++++++ + 4 files changed, 26 insertions(+), 1 deletion(-) + +diff --git a/options.h b/options.h +index 0c51bb1..4d22704 100644 +--- a/options.h ++++ b/options.h +@@ -284,6 +284,13 @@ Homedir is prepended unless path begins with / */ + #define MAX_AUTH_TRIES 10 + #endif + ++/* Default maximum number of failed authentication tries. ++ * defaults to MAX_AUTH_TRIES */ ++ ++#ifndef DEFAULT_AUTH_TRIES ++#define DEFAULT_AUTH_TRIES MAX_AUTH_TRIES ++#endif ++ + /* The default file to store the daemon's process ID, for shutdown + scripts etc. This can be overridden with the -P flag */ + #ifndef DROPBEAR_PIDFILE +diff --git a/runopts.h b/runopts.h +index f7c869d..2f7da63 100644 +--- a/runopts.h ++++ b/runopts.h +@@ -96,6 +96,7 @@ typedef struct svr_runopts { + int noauthpass; + int norootpass; + int allowblankpass; ++ unsigned int maxauthtries; + + #ifdef ENABLE_SVR_REMOTETCPFWD + int noremotetcp; +diff --git a/svr-auth.c b/svr-auth.c +index 577ea88..6a7ce0b 100644 +--- a/svr-auth.c ++++ b/svr-auth.c +@@ -362,7 +362,7 @@ void send_msg_userauth_failure(int partial, int incrfail) { + ses.authstate.failcount++; + } + +- if (ses.authstate.failcount >= MAX_AUTH_TRIES) { ++ if (ses.authstate.failcount >= svr_opts.maxauthtries) { + char * userstr; + /* XXX - send disconnect ? 
*/ + TRACE(("Max auth tries reached, exiting")) +diff --git a/svr-runopts.c b/svr-runopts.c +index 8f60059..1e7440f 100644 +--- a/svr-runopts.c ++++ b/svr-runopts.c +@@ -73,6 +73,7 @@ static void printhelp(const char * progname) { + "-g Disable password logins for root\n" + "-B Allow blank password logins\n" + #endif ++ "-T <1 to %d> Maximum authentication tries (default %d)\n" + #ifdef ENABLE_SVR_LOCALTCPFWD + "-j Disable local port forwarding\n" + #endif +@@ -106,6 +107,7 @@ static void printhelp(const char * progname) { + #ifdef DROPBEAR_ECDSA + ECDSA_PRIV_FILENAME, + #endif ++ MAX_AUTH_TRIES, DEFAULT_AUTH_TRIES, + DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE, + DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT); + } +@@ -118,6 +120,7 @@ void svr_getopts(int argc, char ** argv) { + char* recv_window_arg = NULL; + char* keepalive_arg = NULL; + char* idle_timeout_arg = NULL; ++ char* maxauthtries_arg = NULL; + char* keyfile = NULL; + char c; + +@@ -130,6 +133,7 @@ void svr_getopts(int argc, char ** argv) { + svr_opts.noauthpass = 0; + svr_opts.norootpass = 0; + svr_opts.allowblankpass = 0; ++ svr_opts.maxauthtries = DEFAULT_AUTH_TRIES; + svr_opts.inetdmode = 0; + svr_opts.portcount = 0; + svr_opts.hostkey = NULL; +@@ -234,6 +238,9 @@ void svr_getopts(int argc, char ** argv) { + case 'I': + next = &idle_timeout_arg; + break; ++ case 'T': ++ next = &maxauthtries_arg; ++ break; + #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH) + case 's': + svr_opts.noauthpass = 1; +@@ -330,6 +337,16 @@ void svr_getopts(int argc, char ** argv) { + dropbear_exit("Bad recv window '%s'", recv_window_arg); + } + } ++ ++ if (maxauthtries_arg) { ++ unsigned int val = 0; ++ if (m_str_to_uint(maxauthtries_arg, &val) == DROPBEAR_FAILURE || ++ val == 0 || val > MAX_AUTH_TRIES) { ++ dropbear_exit("Bad maxauthtries '%s'", maxauthtries_arg); ++ } ++ svr_opts.maxauthtries = val; ++ } ++ + + if (keepalive_arg) { + unsigned int val; +-- +2.7.4 + 
diff --git a/package/network/services/dropbear/patches/020-Wait-to-fail-invalid-usernames.patch b/package/network/services/dropbear/patches/020-Wait-to-fail-invalid-usernames.patch new file mode 100644 index 000000000..593dca930 --- /dev/null +++ b/package/network/services/dropbear/patches/020-Wait-to-fail-invalid-usernames.patch 
@@ -0,0 +1,221 @@ +From 52adbb34c32d3e2e1bcdb941e20a6f81138b8248 Mon Sep 17 00:00:00 2001 +From: Matt Johnston +Date: Thu, 23 Aug 2018 23:43:12 +0800 +Subject: [PATCH 2/2] Wait to fail invalid usernames + +--- + auth.h | 6 +++--- + svr-auth.c | 19 +++++-------------- + svr-authpam.c | 26 ++++++++++++++++++++++---- + svr-authpasswd.c | 27 ++++++++++++++------------- + svr-authpubkey.c | 11 ++++++++++- + 5 files changed, 54 insertions(+), 35 deletions(-) + +--- a/auth.h ++++ b/auth.h +@@ -37,9 +37,9 @@ void recv_msg_userauth_request(void); + void send_msg_userauth_failure(int partial, int incrfail); + void send_msg_userauth_success(void); + void send_msg_userauth_banner(buffer *msg); +-void svr_auth_password(void); +-void svr_auth_pubkey(void); +-void svr_auth_pam(void); ++void svr_auth_password(int valid_user); ++void svr_auth_pubkey(int valid_user); ++void svr_auth_pam(int valid_user); + + #ifdef ENABLE_SVR_PUBKEY_OPTIONS + int svr_pubkey_allows_agentfwd(void); +--- a/svr-auth.c ++++ b/svr-auth.c +@@ -176,10 +176,8 @@ void recv_msg_userauth_request() { + if (methodlen == AUTH_METHOD_PASSWORD_LEN && + strncmp(methodname, AUTH_METHOD_PASSWORD, + AUTH_METHOD_PASSWORD_LEN) == 0) { +- if (valid_user) { +- svr_auth_password(); +- goto out; +- } ++ svr_auth_password(valid_user); ++ goto out; + } + } + #endif +@@ -191,10 +189,8 @@ void recv_msg_userauth_request() { + if (methodlen == AUTH_METHOD_PASSWORD_LEN && + strncmp(methodname, AUTH_METHOD_PASSWORD, + AUTH_METHOD_PASSWORD_LEN) == 0) { +- if (valid_user) { +- svr_auth_pam(); +- goto out; +- } ++ svr_auth_pam(valid_user); ++ goto out; + } + } + #endif +@@ -204,12 +200,7 @@ void recv_msg_userauth_request() { + if (methodlen == AUTH_METHOD_PUBKEY_LEN && + strncmp(methodname, AUTH_METHOD_PUBKEY, + AUTH_METHOD_PUBKEY_LEN) == 0) { +- if (valid_user) { +- svr_auth_pubkey(); +- } else { +- /* pubkey has no failure delay */ +- send_msg_userauth_failure(0, 0); +- } ++ svr_auth_pubkey(valid_user); + goto out; + } + #endif +--- 
a/svr-authpam.c ++++ b/svr-authpam.c +@@ -178,13 +178,14 @@ pamConvFunc(int num_msg, + * Keyboard interactive would be a lot nicer, but since PAM is synchronous, it + * gets very messy trying to send the interactive challenges, and read the + * interactive responses, over the network. */ +-void svr_auth_pam() { ++void svr_auth_pam(int valid_user) { + + struct UserDataS userData = {NULL, NULL}; + struct pam_conv pamConv = { + pamConvFunc, + &userData /* submitted to pamvConvFunc as appdata_ptr */ + }; ++ const char* printable_user = NULL; + + pam_handle_t* pamHandlep = NULL; + +@@ -204,12 +205,23 @@ void svr_auth_pam() { + + password = buf_getstring(ses.payload, &passwordlen); + ++ /* We run the PAM conversation regardless of whether the username is valid ++ in case the conversation function has an inherent delay. ++ Use ses.authstate.username rather than ses.authstate.pw_name. ++ After PAM succeeds we then check the valid_user flag too */ ++ + /* used to pass data to the PAM conversation function - don't bother with + * strdup() etc since these are touched only by our own conversation + * function (above) which takes care of it */ +- userData.user = ses.authstate.pw_name; ++ userData.user = ses.authstate.username; + userData.passwd = password; + ++ if (ses.authstate.pw_name) { ++ printable_user = ses.authstate.pw_name; ++ } else { ++ printable_user = ""; ++ } ++ + /* Init pam */ + if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) { + dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s", +@@ -236,7 +248,7 @@ void svr_auth_pam() { + rc, pam_strerror(pamHandlep, rc)); + dropbear_log(LOG_WARNING, + "Bad PAM password attempt for '%s' from %s", +- ses.authstate.pw_name, ++ printable_user, + svr_ses.addrstring); + send_msg_userauth_failure(0, 1); + goto cleanup; +@@ -247,12 +259,18 @@ void svr_auth_pam() { + rc, pam_strerror(pamHandlep, rc)); + dropbear_log(LOG_WARNING, + "Bad PAM password attempt for '%s' from %s", +- ses.authstate.pw_name, 
++ printable_user, + svr_ses.addrstring); + send_msg_userauth_failure(0, 1); + goto cleanup; + } + ++ if (!valid_user) { ++ /* PAM auth succeeded but the username isn't allowed in for another reason ++ (checkusername() failed) */ ++ send_msg_userauth_failure(0, 1); ++ } ++ + /* successful authentication */ + dropbear_log(LOG_NOTICE, "PAM password auth succeeded for '%s' from %s", + ses.authstate.pw_name, +--- a/svr-authpasswd.c ++++ b/svr-authpasswd.c +@@ -48,22 +48,14 @@ static int constant_time_strcmp(const ch + + /* Process a password auth request, sending success or failure messages as + * appropriate */ +-void svr_auth_password() { ++void svr_auth_password(int valid_user) { + + char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */ + char * testcrypt = NULL; /* crypt generated from the user's password sent */ +- char * password; ++ char * password = NULL; + unsigned int passwordlen; +- + unsigned int changepw; + +- passwdcrypt = ses.authstate.pw_passwd; +- +-#ifdef DEBUG_HACKCRYPT +- /* debugging crypt for non-root testing with shadows */ +- passwdcrypt = DEBUG_HACKCRYPT; +-#endif +- + /* check if client wants to change password */ + changepw = buf_getbool(ses.payload); + if (changepw) { +@@ -73,12 +65,21 @@ void svr_auth_password() { + } + + password = buf_getstring(ses.payload, &passwordlen); +- +- /* the first bytes of passwdcrypt are the salt */ +- testcrypt = crypt(password, passwdcrypt); ++ if (valid_user) { ++ /* the first bytes of passwdcrypt are the salt */ ++ passwdcrypt = ses.authstate.pw_passwd; ++ testcrypt = crypt(password, passwdcrypt); ++ } + m_burn(password, passwordlen); + m_free(password); + ++ /* After we have got the payload contents we can exit if the username ++ is invalid. Invalid users have already been logged. */ ++ if (!valid_user) { ++ send_msg_userauth_failure(0, 1); ++ return; ++ } ++ + if (testcrypt == NULL) { + /* crypt() with an invalid salt like "!!" 
*/ + dropbear_log(LOG_WARNING, "User account '%s' is locked", +--- a/svr-authpubkey.c ++++ b/svr-authpubkey.c +@@ -79,7 +79,7 @@ static int checkfileperm(char * filename + + /* process a pubkey auth request, sending success or failure message as + * appropriate */ +-void svr_auth_pubkey() { ++void svr_auth_pubkey(int valid_user) { + + unsigned char testkey; /* whether we're just checking if a key is usable */ + char* algo = NULL; /* pubkey algo */ +@@ -102,6 +102,15 @@ void svr_auth_pubkey() { + keybloblen = buf_getint(ses.payload); + keyblob = buf_getptr(ses.payload, keybloblen); + ++ if (!valid_user) { ++ /* Return failure once we have read the contents of the packet ++ required to validate a public key. ++ Avoids blind user enumeration though it isn't possible to prevent ++ testing for user existence if the public key is known */ ++ send_msg_userauth_failure(0, 0); ++ goto out; ++ } ++ + /* check if the key is valid */ + if (checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE) { + send_msg_userauth_failure(0, 0); diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch index 732d84078..274d3af46 100644 --- a/package/network/services/dropbear/patches/100-pubkey_path.patch +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch @@ -1,6 +1,6 @@ --- a/svr-authpubkey.c +++ b/svr-authpubkey.c -@@ -338,14 +338,19 @@ static int checkpubkey(const char* algo, +@@ -229,14 +229,20 @@ static int checkpubkey(char* algo, unsig goto out; } 
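Review bot: In the `svr-authpam.c` part of the added patch, the new `if (!valid_user) { … send_msg_userauth_failure(0, 1); }` block has no `goto cleanup;` after the failure message, so control falls through to the `/* successful authentication */` log line that immediately follows; the lines after that log are outside the hunk, but if they send the success reply as the comment suggests, a PAM-accepted name that failed `checkusername()` would receive both a failure and a success message. Adding `goto cleanup;` inside the block — as the corresponding `!valid_user` paths in `svr-authpasswd.c` (`return;`) and `svr-authpubkey.c` (`goto out;`) in the same patch do — closes that gap. This only matters when the build enables PAM, which I cannot tell from here.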
@@ -25,23 +25,34 @@ + filename = m_malloc(30); + strncpy(filename, "/etc/dropbear/authorized_keys", 30); + } ++ - #if DROPBEAR_SVR_MULTIUSER /* open the file as the authenticating user. */ -@@ -426,27 +431,36 @@ static int checkpubkeyperms() { + origuid = getuid(); +@@ -405,26 +411,35 @@ static int checkpubkeyperms() { goto out; } - /* allocate max required pathname storage, - * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ -- len += 22; -- filename = m_malloc(len); -- strlcpy(filename, ses.authstate.pw_dir, len); +- filename = m_malloc(len + 22); +- strncpy(filename, ses.authstate.pw_dir, len+1); - - /* check ~ */ - if (checkfileperm(filename) != DROPBEAR_SUCCESS) { - goto out; - } +- +- /* check ~/.ssh */ +- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; +- } +- +- /* now check ~/.ssh/authorized_keys */ +- strncat(filename, "/authorized_keys", 16); +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; + if (ses.authstate.pw_uid == 0) { + if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) { + goto out; 
@@ -52,32 +63,22 @@ + } else { + /* allocate max required pathname storage, + * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ -+ len += 22; -+ filename = m_malloc(len); -+ strlcpy(filename, ses.authstate.pw_dir, len); ++ filename = m_malloc(len + 22); ++ strncpy(filename, ses.authstate.pw_dir, len+1); + + /* check ~ */ + if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + goto out; + } - -- /* check ~/.ssh */ -- strlcat(filename, "/.ssh", len); -- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -- goto out; -- } ++ + /* check ~/.ssh */ -+ strlcat(filename, "/.ssh", len); ++ strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ + if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + goto out; + } - -- /* now check ~/.ssh/authorized_keys */ -- strlcat(filename, "/authorized_keys", len); -- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -- goto out; ++ + /* now check ~/.ssh/authorized_keys */ -+ strlcat(filename, "/authorized_keys", len); ++ strncat(filename, "/authorized_keys", 16); + if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + goto out; + } diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch index 27e7fbaf4..4b5c1cb51 100644 --- a/package/network/services/dropbear/patches/110-change_user.patch +++ b/package/network/services/dropbear/patches/110-change_user.patch @@ -1,6 +1,6 @@ --- a/svr-chansession.c +++ b/svr-chansession.c -@@ -953,12 +953,12 @@ static void execchild(const void *user_d +@@ -922,12 +922,12 @@ static void execchild(void *user_data) { /* We can only change uid/gid as root ... */ if (getuid() == 0) { diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch new file mode 100644 index 000000000..7f47a7430 --- /dev/null +++ b/package/network/services/dropbear/patches/120-openwrt_options.patch 
@@ -0,0 +1,82 @@
+--- a/options.h
++++ b/options.h
+@@ -41,7 +41,7 @@
+ * Both of these flags can be defined at once, don't compile without at least
+ * one of them. */
+ #define NON_INETD_MODE
+-#define INETD_MODE
++/*#define INETD_MODE*/
+ 
+ /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
+ * perhaps 20% slower for pubkey operations (it is probably worth experimenting
+@@ -81,7 +81,7 @@ much traffic. */
+ 
+ /* Enable "Netcat mode" option. This will forward standard input/output
+ * to a remote TCP-forwarded connection */
+-#define ENABLE_CLI_NETCAT
++/*#define ENABLE_CLI_NETCAT*/
+ 
+ /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
+ #define ENABLE_USER_ALGO_LIST
+@@ -91,16 +91,16 @@ much traffic. */
+ * Including multiple keysize variants the same cipher
+ * (eg AES256 as well as AES128) will result in a minimal size increase.*/
+ #define DROPBEAR_AES128
+-#define DROPBEAR_3DES
++/*#define DROPBEAR_3DES*/
+ #define DROPBEAR_AES256
+ /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+ /*#define DROPBEAR_BLOWFISH*/
+-#define DROPBEAR_TWOFISH256
+-#define DROPBEAR_TWOFISH128
++/*#define DROPBEAR_TWOFISH256*/
++/*#define DROPBEAR_TWOFISH128*/
+ 
+ /* Enable CBC mode for ciphers. This has security issues though
+ * is the most compatible with older SSH implementations */
+-#define DROPBEAR_ENABLE_CBC_MODE
++/*#define DROPBEAR_ENABLE_CBC_MODE*/
+ 
+ /* Enable "Counter Mode" for ciphers. This is more secure than normal
+ * CBC mode against certain attacks. It is recommended for security
+@@ -131,10 +131,10 @@ If you test it please contact the Dropbe
+ * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
+ * which are not the standard form. 
*/
+ #define DROPBEAR_SHA1_HMAC
+-#define DROPBEAR_SHA1_96_HMAC
++/*#define DROPBEAR_SHA1_96_HMAC*/
+ #define DROPBEAR_SHA2_256_HMAC
+-#define DROPBEAR_SHA2_512_HMAC
+-#define DROPBEAR_MD5_HMAC
++/*#define DROPBEAR_SHA2_512_HMAC*/
++/*#define DROPBEAR_MD5_HMAC*/
+ 
+ /* You can also disable integrity. Don't bother disabling this if you're
+ * still using a cipher, it's relatively cheap. If you disable this it's dead
+@@ -146,7 +146,7 @@ If you test it please contact the Dropbe
+ * Removing either of these won't save very much space.
+ * SSH2 RFC Draft requires dss, recommends rsa */
+ #define DROPBEAR_RSA
+-#define DROPBEAR_DSS
++/*#define DROPBEAR_DSS*/
+ /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
+ * code (either ECDSA or ECDH) increases binary size - around 30kB
+ * on x86-64 */
+@@ -194,7 +194,7 @@ If you test it please contact the Dropbe
+ 
+ /* Whether to print the message of the day (MOTD). This doesn't add much code
+ * size */
+-#define DO_MOTD
++/*#define DO_MOTD*/
+ 
+ /* The MOTD file path */
+ #ifndef MOTD_FILENAME
+@@ -242,7 +242,7 @@ Homedir is prepended unless path begins
+ * note that it will be provided for all "hidden" client-interactive
+ * style prompts - if you want something more sophisticated, use
+ * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
+-#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
++/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/
+ 
+ /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
+ * a helper program for the ssh client. The helper program should be
diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
index 5e736320c..ab09c2f3d 100644
--- a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
+++ b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
@@ -1,6 +1,6 @@
--- a/cli-runopts.c
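Review bot: The reinstated 120-openwrt_options.patch carries no preamble, so nothing records which of its `options.h` changes are security decisions and which are size trims: it comments out `DROPBEAR_ENABLE_CBC_MODE`, `DROPBEAR_3DES`, `DROPBEAR_MD5_HMAC`, `DROPBEAR_SHA1_96_HMAC` and, arguably, `DROPBEAR_PASSWORD_ENV`, alongside `INETD_MODE`, `ENABLE_CLI_NETCAT`, the Twofish ciphers, `DROPBEAR_SHA2_512_HMAC`, `DROPBEAR_DSS` and `DO_MOTD`. A short description above `--- a/options.h` naming the two groups would keep a future rebase from re-enabling the first group for compatibility while trimming the second. It is also worth stating there that leaving `DROPBEAR_SHA1_HMAC` enabled while the SHA-1/96 and MD5 MACs go is deliberate.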
+++ b/cli-runopts.c -@@ -299,6 +299,8 @@ void cli_getopts(int argc, char ** argv) +@@ -296,6 +296,8 @@ void cli_getopts(int argc, char ** argv) debug_trace = 1; break; #endif @@ -8,4 +8,4 @@ + break; case 'F': case 'e': - #if !DROPBEAR_USER_ALGO_LIST + #ifndef ENABLE_USER_ALGO_LIST diff --git a/package/network/services/dropbear/patches/140-disable_assert.patch b/package/network/services/dropbear/patches/140-disable_assert.patch index 8c3ae7f11..78b54acfa 100644 --- a/package/network/services/dropbear/patches/140-disable_assert.patch +++ b/package/network/services/dropbear/patches/140-disable_assert.patch @@ -1,6 +1,6 @@ --- a/dbutil.h +++ b/dbutil.h -@@ -75,7 +75,11 @@ int m_str_to_uint(const char* str, unsig +@@ -78,7 +78,11 @@ int m_str_to_uint(const char* str, unsig #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL} /* Dropbear assertion */ diff --git a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch new file mode 100644 index 000000000..ccc2cb792 --- /dev/null +++ b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch @@ -0,0 +1,14 @@ +--- a/options.h ++++ b/options.h +@@ -5,6 +5,11 @@ + #ifndef DROPBEAR_OPTIONS_H_ + #define DROPBEAR_OPTIONS_H_ + ++#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER) ++#define DROPBEAR_SERVER ++#define DROPBEAR_CLIENT ++#endif ++ + /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" + * parts are to allow for commandline -DDROPBEAR_XXX options etc. */ + diff --git a/package/network/services/dropbear/patches/160-lto-jobserver.patch b/package/network/services/dropbear/patches/160-lto-jobserver.patch index 02765335d..bb9449283 100644 --- a/package/network/services/dropbear/patches/160-lto-jobserver.patch +++ b/package/network/services/dropbear/patches/160-lto-jobserver.patch @@ -1,6 +1,6 @@ --- a/Makefile.in 
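Review bot: The new block in 150-dbconvert_standalone.patch, `#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER)` followed by defining both macros, has no comment, and the hunk does not say which build reaches `options.h` with neither role defined; the file name points at a standalone dropbearconvert build, but that is inferred. A one-line comment above the `#if`, `/* a build with neither role defined (presumably dropbearconvert on its own) needs the full option set -- confirm against the Makefile */`, would record the intent where the next rebase will see it.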
+++ b/Makefile.in -@@ -189,17 +189,17 @@ dropbearkey: $(dropbearkeyobjs) +@@ -163,17 +163,17 @@ dropbearkey: $(dropbearkeyobjs) dropbearconvert: $(dropbearconvertobjs) dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile @@ -12,8 +12,8 @@ + +$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) dropbearkey dropbearconvert: $(HEADERS) $(LIBTOM_DEPS) Makefile -- $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) -+ +$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) +- $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) ++ +$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) # scp doesn't use the libs so is special. scp: $(SCPOBJS) $(HEADERS) Makefile @@ -22,7 +22,7 @@ # multi-binary compilation. -@@ -210,7 +210,7 @@ ifeq ($(MULTI),1) +@@ -184,7 +184,7 @@ ifeq ($(MULTI),1) endif dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch index b138862ca..7c67b086b 100644 --- a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch +++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch @@ -1,6 +1,6 @@ --- a/svr-auth.c +++ b/svr-auth.c -@@ -125,7 +125,7 @@ void recv_msg_userauth_request() { +@@ -149,7 +149,7 @@ void recv_msg_userauth_request() { AUTH_METHOD_NONE_LEN) == 0) { TRACE(("recv_msg_userauth_request: 'none' request")) if (valid_user diff --git a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch new file mode 100644 index 000000000..a555a9e49 --- /dev/null +++ b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch 
@@ -0,0 +1,18 @@
+--- a/svr-runopts.c
++++ b/svr-runopts.c
+@@ -505,6 +505,7 @@ void load_all_hostkeys() {
+ m_free(hostkey_file);
+ }
+ 
++ if (svr_opts.num_hostkey_files <= 0) {
+ #ifdef DROPBEAR_RSA
+ loadhostkey(RSA_PRIV_FILENAME, 0);
+ #endif
+@@ -516,6 +517,7 @@ void load_all_hostkeys() {
+ #ifdef DROPBEAR_ECDSA
+ loadhostkey(ECDSA_PRIV_FILENAME, 0);
+ #endif
++ }
+ 
+ #ifdef DROPBEAR_DELAY_HOSTKEY
+ if (svr_opts.delay_hostkey) {
diff --git a/package/network/services/dropbear/patches/900-configure-hardening.patch b/package/network/services/dropbear/patches/900-configure-hardening.patch
deleted file mode 100644
index ab1361f6a..000000000
--- a/package/network/services/dropbear/patches/900-configure-hardening.patch
+++ /dev/null
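Review bot: The added `if (svr_opts.num_hostkey_files <= 0) {` in 610-skip-default-keys-in-custom-runs.patch makes load_all_hostkeys() skip the compiled-in `*_PRIV_FILENAME` defaults whenever any hostkey file was counted, but it has no comment and its closing `}` sits a hunk away after the `#endif`, so the intent is easy to lose on a rebase. A one-line comment above it, `/* only fall back to the compiled-in default key paths when no hostkey file was given explicitly */`, would record it; whether `num_hostkey_files` counts command-line key arguments is not visible in this hunk. load_all_hostkeys() starts and ends outside the hunk.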
@@ -1,56 +0,0 @@ ---- a/configure.ac -+++ b/configure.ac -@@ -70,53 +70,6 @@ AC_ARG_ENABLE(harden, - - if test "$hardenbuild" -eq 1; then - AC_MSG_NOTICE(Checking for available hardened build flags:) -- # relocation flags don't make sense for static builds -- if test "$STATIC" -ne 1; then -- # pie -- DB_TRYADDCFLAGS([-fPIE]) -- -- OLDLDFLAGS="$LDFLAGS" -- TESTFLAGS="-Wl,-pie" -- LDFLAGS="$LDFLAGS $TESTFLAGS" -- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], -- [AC_MSG_NOTICE([Setting $TESTFLAGS])], -- [ -- LDFLAGS="$OLDLDFLAGS" -- TESTFLAGS="-pie" -- LDFLAGS="$LDFLAGS $TESTFLAGS" -- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], -- [AC_MSG_NOTICE([Setting $TESTFLAGS])], -- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ] -- ) -- ] -- ) -- # readonly elf relocation sections (relro) -- OLDLDFLAGS="$LDFLAGS" -- TESTFLAGS="-Wl,-z,now -Wl,-z,relro" -- LDFLAGS="$LDFLAGS $TESTFLAGS" -- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], -- [AC_MSG_NOTICE([Setting $TESTFLAGS])], -- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ] -- ) -- fi # non-static -- # stack protector. -strong is good but only in gcc 4.9 or later -- OLDCFLAGS="$CFLAGS" -- TESTFLAGS="-fstack-protector-strong" -- CFLAGS="$CFLAGS $TESTFLAGS" -- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], -- [AC_MSG_NOTICE([Setting $TESTFLAGS])], -- [ -- CFLAGS="$OLDCFLAGS" -- TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4" -- CFLAGS="$CFLAGS $TESTFLAGS" -- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], -- [AC_MSG_NOTICE([Setting $TESTFLAGS])], -- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ] -- ) -- ] -- ) -- # FORTIFY_SOURCE -- DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2]) - - # Spectre v2 mitigations - DB_TRYADDCFLAGS([-mfunction-return=thunk]) diff --git a/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch b/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch deleted file mode 100644 index 033aee3a0..000000000 
--- a/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch +++ /dev/null @@ -1,48 +0,0 @@ ---- a/libtomcrypt/makefile_include.mk -+++ b/libtomcrypt/makefile_include.mk -@@ -75,6 +75,13 @@ endif - - LTC_CFLAGS += -Wno-type-limits - -+ifdef OPENWRT_BUILD -+ ifeq (-Os,$(filter -Os,$(CFLAGS))) -+ LTC_CFLAGS += -DLTC_SMALL_CODE -+ endif -+else -+ ### ! OPENWRT_BUILD -+ - ifdef LTC_DEBUG - $(info Debug build) - # compile for DEBUGGING (required for ccmalloc checking!!!) -@@ -102,6 +109,9 @@ endif - endif # COMPILE_SMALL - endif # COMPILE_DEBUG - -+ ### ! OPENWRT_BUILD -+endif -+ - - ifneq ($(findstring clang,$(CC)),) - LTC_CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header -Wno-missing-field-initializers ---- a/libtommath/makefile_include.mk -+++ b/libtommath/makefile_include.mk -@@ -37,6 +37,9 @@ CFLAGS += -Wsystem-headers -Wdeclaration - CFLAGS += -Wstrict-prototypes -Wpointer-arith - endif - -+ifndef OPENWRT_BUILD -+ ### ! OPENWRT_BUILD -+ - ifdef COMPILE_DEBUG - #debug - CFLAGS += -g3 -@@ -58,6 +61,9 @@ endif - endif # COMPILE_SIZE - endif # COMPILE_DEBUG - -+ ### ! OPENWRT_BUILD -+endif -+ - ifneq ($(findstring clang,$(CC)),) - CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header - endif