298977887/lede
1
0
Fork 0
mirror of https://github.com/coolsnowwolf/lede.git synced 2025-04-16 04:13:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

dropbear: bump to 2019.78

Browse Source
This commit is contained in:
lean 2020-03-22 18:35:41 +08:00
parent a6c59c9fb3
commit aadf217f55
20 changed files with 391 additions and 567 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
package/base-files/Makefile
View File

@ -12,7 +12,7 @@ include $(INCLUDE_DIR)/version.mk
include $(INCLUDE_DIR)/feeds.mk include $(INCLUDE_DIR)/feeds.mk
PKG_NAME:=base-files PKG_NAME:=base-files
PKG_RELEASE:=199 PKG_RELEASE:=200
PKG_FLAGS:=nonshared PKG_FLAGS:=nonshared
PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/ PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/

17
package/base-files/files/sbin/sysupgrade
View File

@ -2,6 +2,7 @@
. /lib/functions.sh . /lib/functions.sh
. /lib/functions/system.sh . /lib/functions/system.sh
. /usr/share/libubox/jshn.sh
# initialize defaults # initialize defaults
export MTD_CONFIG_ARGS="" export MTD_CONFIG_ARGS=""
@ -368,9 +369,15 @@ if [ -n "$FAILSAFE" ]; then
printf '%s\x00%s\x00%s' "$RAM_ROOT" "$IMAGE" "$COMMAND" >/tmp/sysupgrade printf '%s\x00%s\x00%s' "$RAM_ROOT" "$IMAGE" "$COMMAND" >/tmp/sysupgrade
lock -u /tmp/.failsafe lock -u /tmp/.failsafe
else else
ubus call system sysupgrade "{ json_init
\"prefix\": $(json_string "$RAM_ROOT"), json_add_string prefix "$RAM_ROOT"
\"path\": $(json_string "$IMAGE"), json_add_string path "$IMAGE"
\"command\": $(json_string "$COMMAND") [ $FORCE -eq 1 ] && json_add_boolean force 1
}" [ $SAVE_CONFIG -eq 1 ] && json_add_string backup "$CONF_TAR"
json_add_string command "$COMMAND"
json_add_object options
json_add_int save_partitions "$SAVE_PARTITIONS"
json_close_object
ubus call system sysupgrade "$(json_dump)"
fi fi

66
package/base-files/files/usr/libexec/validate_firmware_image Executable file
View File

@ -0,0 +1,66 @@
#!/bin/sh
. /lib/functions.sh
. /lib/functions/system.sh
. /usr/share/libubox/jshn.sh
include /lib/upgrade
VALID=1
FORCEABLE=1
ALLOW_BACKUP=1
# Mark image as invalid but still possible to install
notify_firmware_invalid() {
VALID=0
}
# Mark image as broken (impossible to install)
notify_firmware_broken() {
VALID=0
FORCEABLE=0
}
# Mark image as incompatible with preserving a backup
notify_firmware_no_backup() {
ALLOW_BACKUP=0
}
# Add result of validation test
notify_firmware_test_result() {
local old_ns
json_set_namespace validate_firmware_image old_ns
json_add_boolean "$1" "$2"
json_set_namespace $old_ns
}
err_to_bool() {
[ "$1" -ne 0 ] && echo 0 || echo 1
}
fwtool_check_signature "$1" >&2
FWTOOL_SIGNATURE=$?
[ "$FWTOOL_SIGNATURE" -ne 0 ] && notify_firmware_invalid
fwtool_check_image "$1" >&2
FWTOOL_DEVICE_MATCH=$?
[ "$FWTOOL_DEVICE_MATCH" -ne 0 ] && notify_firmware_invalid
json_set_namespace validate_firmware_image old_ns
json_init
json_add_object "tests"
json_add_boolean fwtool_signature "$(err_to_bool $FWTOOL_SIGNATURE)"
json_add_boolean fwtool_device_match "$(err_to_bool $FWTOOL_DEVICE_MATCH)"
# Call platform_check_image() here so it can add its test
# results and still mark image properly.
json_set_namespace $old_ns
platform_check_image "$1" >&2 || notify_firmware_invalid
json_set_namespace validate_firmware_image old_ns
json_close_object
json_add_boolean valid "$VALID"
json_add_boolean forceable "$FORCEABLE"
json_add_boolean allow_backup "$ALLOW_BACKUP"
json_dump -i
json_set_namespace $old_ns

35
package/network/services/dropbear/Config.in
View File

@ -8,29 +8,46 @@ config DROPBEAR_CURVE25519
This enables the following key exchange algorithm: This enables the following key exchange algorithm:
curve25519-sha256@libssh.org curve25519-sha256@libssh.org
Increases binary size by about 13 kB uncompressed (MIPS). Increases binary size by about 8 kB uncompressed (MIPS).
config DROPBEAR_ECC config DROPBEAR_ECC
bool "Elliptic curve cryptography (ECC)" bool "Elliptic curve cryptography (ECC)"
default n default n
help help
Enables elliptic curve cryptography (ECC) support in key exchange and public key Enables basic support for elliptic curve cryptography (ECC)
authentication. in key exchange and public key authentication.
Key exchange algorithms: Key exchange algorithms:
ecdh-sha2-nistp256 ecdh-sha2-nistp256
Public key algorithms:
ecdsa-sha2-nistp256
Increases binary size by about 24 kB (MIPS).
If full ECC support is required, also select DROPBEAR_ECC_FULL.
config DROPBEAR_ECC_FULL
bool "Elliptic curve cryptography (ECC), full support"
default n
depends on DROPBEAR_ECC
help
Enables full support for elliptic curve cryptography (ECC)
in key exchange and public key authentication.
Key exchange algorithms:
ecdh-sha2-nistp256 (*)
ecdh-sha2-nistp384 ecdh-sha2-nistp384
ecdh-sha2-nistp521 ecdh-sha2-nistp521
Public key algorithms: Public key algorithms:
ecdsa-sha2-nistp256 ecdsa-sha2-nistp256 (*)
ecdsa-sha2-nistp384 ecdsa-sha2-nistp384
ecdsa-sha2-nistp521 ecdsa-sha2-nistp521
Does not generate ECC host keys by default (ECC key exchange will not be used, (*) - basic ECC support; provided by DROPBEAR_ECC.
only ECC public key auth).
Increases binary size by about 23 kB (MIPS). Increases binary size by about 4 kB (MIPS).
config DROPBEAR_ZLIB config DROPBEAR_ZLIB
bool "Enable compression" bool "Enable compression"
@ -56,4 +73,8 @@ config DROPBEAR_PUTUTLINE
help help
Dropbear will use pututline() to write the utmp structure into the utmp file. Dropbear will use pututline() to write the utmp structure into the utmp file.
config DROPBEAR_DBCLIENT
bool "Build dropbear with dbclient"
default y
endmenu endmenu

66
package/network/services/dropbear/Makefile
View File

@ -8,26 +8,29 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=dropbear PKG_NAME:=dropbear
PKG_VERSION:=2017.75 PKG_VERSION:=2019.78
PKG_RELEASE:=9 PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:= \ PKG_SOURCE_URL:= \
http://matt.ucc.asn.au/dropbear/releases/ \ http://matt.ucc.asn.au/dropbear/releases/ \
https://dropbear.nl/mirror/releases/ https://dropbear.nl/mirror/releases/
PKG_HASH:=6cbc1dcb1c9709d226dff669e5604172a18cf5dbf9a201474d5618ae4465098c PKG_HASH:=525965971272270995364a0eb01f35180d793182e63dd0b0c3eb0292291644a4
PKG_LICENSE:=MIT PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
PKG_CPE_ID:=cpe:/a:matt_johnston:dropbear_ssh_server PKG_CPE_ID:=cpe:/a:matt_johnston:dropbear_ssh_server
PKG_BUILD_PARALLEL:=1 PKG_BUILD_PARALLEL:=1
PKG_ASLR_PIE_REGULAR:=1
PKG_USE_MIPS16:=0 PKG_USE_MIPS16:=0
PKG_FIXUP:=autoreconf
PKG_CONFIG_DEPENDS:= \ PKG_CONFIG_DEPENDS:= \
CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \ CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \
CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
CONFIG_DROPBEAR_DBCLIENT
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk
@ -60,6 +63,7 @@ define Package/dropbear/description
endef endef
define Package/dropbear/conffiles define Package/dropbear/conffiles
$(if $(CONFIG_DROPBEAR_ECC),/etc/dropbear/dropbear_ecdsa_host_key)
/etc/dropbear/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key
/etc/config/dropbear /etc/config/dropbear
endef endef
@ -69,6 +73,7 @@ define Package/dropbearconvert
SECTION:=utils SECTION:=utils
CATEGORY:=Utilities CATEGORY:=Utilities
TITLE:=Utility for converting SSH keys TITLE:=Utility for converting SSH keys
DEPENDS:= +DROPBEAR_ZLIB:zlib
endef endef
CONFIGURE_ARGS += \ CONFIGURE_ARGS += \
@ -90,41 +95,51 @@ TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections -flto
TARGET_LDFLAGS += -Wl,--gc-sections -flto=jobserver TARGET_LDFLAGS += -Wl,--gc-sections -flto=jobserver
define Build/Configure define Build/Configure
: > $(PKG_BUILD_DIR)/localoptions.h
$(Build/Configure/Default) $(Build/Configure/Default)
$(SED) 's,^#define DEFAULT_PATH .*$$$$,#define DEFAULT_PATH "$(TARGET_INIT_PATH)",g' \ echo '#define DEFAULT_PATH "$(TARGET_INIT_PATH)"' >> \
$(PKG_BUILD_DIR)/options.h $(PKG_BUILD_DIR)/localoptions.h
awk 'BEGIN { rc = 1 } \ echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \
/'DROPBEAR_CURVE25519'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_CURVE25519),,// )#define 'DROPBEAR_CURVE25519'"; rc = 0 } \ $(PKG_BUILD_DIR)/localoptions.h
{ print } \
END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \
>$(PKG_BUILD_DIR)/options.h.new && \
mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h
# Enforce that all replacements are made, otherwise options.h has changed
# format and this logic is broken.
for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \ for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \
awk 'BEGIN { rc = 1 } \ echo "#define $$$$OPTION $(if $(CONFIG_DROPBEAR_ECC),1,0)" >> \
/'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// )#define '$$$$OPTION'"; rc = 0 } \ $(PKG_BUILD_DIR)/localoptions.h; \
{ print } \
END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \
>$(PKG_BUILD_DIR)/options.h.new && \
mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h || exit 1; \
done done
# remove protocol idented software version number # remove protocol idented software version number
$(SED) 's,^#define LOCAL_IDENT .*$$$$,#define LOCAL_IDENT "SSH-2.0-dropbear",g' \ $(ESED) 's,^(#define LOCAL_IDENT) .*$$$$,\1 "SSH-2.0-dropbear",g' \
$(PKG_BUILD_DIR)/sysoptions.h $(PKG_BUILD_DIR)/sysoptions.h
# disable legacy/unsafe methods and unused functionality
for OPTION in INETD_MODE DROPBEAR_CLI_NETCAT \
DROPBEAR_3DES DROPBEAR_DSS DROPBEAR_ENABLE_CBC_MODE \
DROPBEAR_SHA1_96_HMAC DROPBEAR_USE_PASSWORD_ENV; do \
echo "#define $$$$OPTION 0" >> \
$(PKG_BUILD_DIR)/localoptions.h; \
done
# enable nistp384 and nistp521 only if full ECC support was requested
for OPTION in DROPBEAR_ECC_384 DROPBEAR_ECC_521; do \
$(ESED) 's,^(#define '$$$$OPTION') .*$$$$,\1 $(if $(CONFIG_DROPBEAR_ECC_FULL),1,0),g' \
$(PKG_BUILD_DIR)/sysoptions.h; \
done
# Enforce rebuild of svr-chansession.c # Enforce rebuild of svr-chansession.c
rm -f $(PKG_BUILD_DIR)/svr-chansession.o rm -f $(PKG_BUILD_DIR)/svr-chansession.o
# Rebuild them on config change
+$(MAKE) -C $(PKG_BUILD_DIR)/libtomcrypt clean
+$(MAKE) -C $(PKG_BUILD_DIR)/libtommath clean
endef endef
define Build/Compile define Build/Compile
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
$(TARGET_CONFIGURE_OPTS) \ $(TARGET_CONFIGURE_OPTS) \
PROGRAMS="dropbear dbclient dropbearkey scp" \ PROGRAMS="dropbear $(if $(CONFIG_DROPBEAR_DBCLIENT),dbclient,) dropbearkey scp" \
MULTI=1 SCPPROGRESS=1 MULTI=1 SCPPROGRESS=1
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
$(TARGET_CONFIGURE_OPTS) \ $(TARGET_CONFIGURE_OPTS) \
@ -135,7 +150,7 @@ define Package/dropbear/install
$(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/dropbearmulti $(1)/usr/sbin/dropbear $(INSTALL_BIN) $(PKG_BUILD_DIR)/dropbearmulti $(1)/usr/sbin/dropbear
$(INSTALL_DIR) $(1)/usr/bin $(INSTALL_DIR) $(1)/usr/bin
$(LN) ../sbin/dropbear $(1)/usr/bin/dbclient $(if $(CONFIG_DROPBEAR_DBCLIENT),$(LN) ../sbin/dropbear $(1)/usr/bin/dbclient,)
$(LN) ../sbin/dropbear $(1)/usr/bin/dropbearkey $(LN) ../sbin/dropbear $(1)/usr/bin/dropbearkey
$(INSTALL_DIR) $(1)/etc/config $(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/dropbear.config $(1)/etc/config/dropbear $(INSTALL_CONF) ./files/dropbear.config $(1)/etc/config/dropbear
@ -143,6 +158,9 @@ define Package/dropbear/install
$(INSTALL_BIN) ./files/dropbear.init $(1)/etc/init.d/dropbear $(INSTALL_BIN) ./files/dropbear.init $(1)/etc/init.d/dropbear
$(INSTALL_DIR) $(1)/usr/lib/opkg/info $(INSTALL_DIR) $(1)/usr/lib/opkg/info
$(INSTALL_DIR) $(1)/etc/dropbear $(INSTALL_DIR) $(1)/etc/dropbear
$(INSTALL_DIR) $(1)/lib/preinit
$(INSTALL_DATA) ./files/dropbear.failsafe $(1)/lib/preinit/99_10_failsafe_dropbear
$(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key)
touch $(1)/etc/dropbear/dropbear_rsa_host_key touch $(1)/etc/dropbear/dropbear_rsa_host_key
endef endef

8
package/network/services/dropbear/files/dropbear.failsafe Executable file
View File

@ -0,0 +1,8 @@
#!/bin/sh
failsafe_dropbear () {
dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key
dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
}
boot_hook_add failsafe failsafe_dropbear

132
package/network/services/dropbear/files/dropbear.init
View File

@ -12,6 +12,91 @@ PIDCOUNT=0
EXTRA_COMMANDS="killclients" EXTRA_COMMANDS="killclients"
EXTRA_HELP=" killclients Kill ${NAME} processes except servers and yourself" EXTRA_HELP=" killclients Kill ${NAME} processes except servers and yourself"
_dropbearkey()
{
/usr/bin/dropbearkey "$@" 0<&- 1>&- 2>&-
}
# $1 - host key file name
hk_verify()
{
[ -f "$1" ] || return 1
[ -s "$1" ] || return 2
_dropbearkey -y -f "$1" || return 3
return 0
}
# $1 - hk_verify() return code
hk_errmsg()
{
case "$1" in
0) ;;
1) echo "file does not exist" ;;
2) echo "file has zero length" ;;
3) echo "file is not valid host key or not supported" ;;
*) echo "unknown error" ;;
esac
}
# $1 - config option
# $2 - host key file name
hk_config()
{
local x m
hk_verify "$2"; x=$?
case "$x" in
0) procd_append_param command -r "$2"
;;
*) m=$(hk_errmsg "$x")
logger -t "${NAME}" -p daemon.warn \
"option '$1', value '$2': $m, skipping"
;;
esac
}
# $1 - host key file name
hk_config__keyfile()
{
hk_config 'keyfile' "$1"
}
hk_generate_as_needed()
{
local kdir kgen ktype tdir kcount tfile
kdir='/etc/dropbear'
kgen=''
for ktype in ecdsa rsa; do
hk_verify "${kdir}/dropbear_${ktype}_host_key" && continue
kgen="${kgen} ${ktype}"
done
[ -z "${kgen}" ] && return
tdir=$(mktemp -d); chmod 0700 "${tdir}"
kcount=0
for ktype in ${kgen}; do
tfile="${tdir}/dropbear_${ktype}_host_key"
if ! _dropbearkey -t ${ktype} -f "${tfile}"; then
# unsupported key type
rm -f "${tfile}"
continue
fi
kcount=$((kcount+1))
done
if [ ${kcount} -ne 0 ]; then
mkdir -p "${kdir}"; chmod 0700 "${kdir}"; chown root "${kdir}"
mv -f "${tdir}/"* "${kdir}/"
fi
rm -rf "${tdir}"
}
append_ports() append_ports()
{ {
local ipaddrs="$1" local ipaddrs="$1"
@ -29,7 +114,7 @@ append_ports()
validate_section_dropbear() validate_section_dropbear()
{ {
uci_validate_section dropbear dropbear "${1}" \ uci_load_validate dropbear dropbear "$1" "$2" \
'PasswordAuth:bool:1' \ 'PasswordAuth:bool:1' \
'enable:bool:1' \ 'enable:bool:1' \
'Interface:string' \ 'Interface:string' \
@ -37,8 +122,9 @@ validate_section_dropbear()
'RootPasswordAuth:bool:1' \ 'RootPasswordAuth:bool:1' \
'RootLogin:bool:1' \ 'RootLogin:bool:1' \
'rsakeyfile:file' \ 'rsakeyfile:file' \
'keyfile:list(file)' \
'BannerFile:file' \ 'BannerFile:file' \
'Port:list(port):22' \ 'Port:port:22' \
'SSHKeepAlive:uinteger:300' \ 'SSHKeepAlive:uinteger:300' \
'IdleTimeout:uinteger:0' \ 'IdleTimeout:uinteger:0' \
'MaxAuthTries:uinteger:3' \ 'MaxAuthTries:uinteger:3' \
@ -48,12 +134,9 @@ validate_section_dropbear()
dropbear_instance() dropbear_instance()
{ {
local PasswordAuth enable Interface GatewayPorts \ local ipaddrs
RootPasswordAuth RootLogin rsakeyfile \
BannerFile Port SSHKeepAlive IdleTimeout \
MaxAuthTries RecvWindowSize mdns ipaddrs
validate_section_dropbear "${1}" || { [ "$2" = 0 ] || {
echo "validation failed" echo "validation failed"
return 1 return 1
} }
@ -77,7 +160,13 @@ dropbear_instance()
[ "${GatewayPorts}" -eq 1 ] && procd_append_param command -a [ "${GatewayPorts}" -eq 1 ] && procd_append_param command -a
[ "${RootPasswordAuth}" -eq 0 ] && procd_append_param command -g [ "${RootPasswordAuth}" -eq 0 ] && procd_append_param command -g
[ "${RootLogin}" -eq 0 ] && procd_append_param command -w [ "${RootLogin}" -eq 0 ] && procd_append_param command -w
[ -n "${rsakeyfile}" ] && procd_append_param command -r "${rsakeyfile}" if [ -n "${rsakeyfile}" ]; then
logger -t ${NAME} -p daemon.warn \
"option 'rsakeyfile' is considered to be deprecated and" \
"will be removed in future releases, use 'keyfile' instead"
hk_config 'rsakeyfile' "${rsakeyfile}"
fi
config_list_foreach "$1" "keyfile" hk_config__keyfile
[ -n "${BannerFile}" ] && procd_append_param command -b "${BannerFile}" [ -n "${BannerFile}" ] && procd_append_param command -b "${BannerFile}"
append_ports "${ipaddrs}" "${Port}" append_ports "${ipaddrs}" "${Port}"
[ "${IdleTimeout}" -ne 0 ] && procd_append_param command -I "${IdleTimeout}" [ "${IdleTimeout}" -ne 0 ] && procd_append_param command -I "${IdleTimeout}"
@ -90,29 +179,6 @@ dropbear_instance()
procd_close_instance procd_close_instance
} }
keygen()
{
for keytype in rsa; do
# check for keys
key=dropbear/dropbear_${keytype}_host_key
[ -f /tmp/$key -o -s /etc/$key ] || {
# generate missing keys
mkdir -p /tmp/dropbear
[ -x /usr/bin/dropbearkey ] && {
/usr/bin/dropbearkey -t $keytype -f /tmp/$key 2>&- >&- && exec /etc/rc.common "$initscript" start
} &
exit 0
}
done
lock /tmp/.switch2jffs
mkdir -p /etc/dropbear
mv /tmp/dropbear/dropbear_* /etc/dropbear/
lock -u /tmp/.switch2jffs
chown root /etc/dropbear
chmod 0700 /etc/dropbear
}
load_interfaces() load_interfaces()
{ {
config_get interface "$1" Interface config_get interface "$1" Interface
@ -129,13 +195,13 @@ boot()
start_service() start_service()
{ {
[ -s /etc/dropbear/dropbear_rsa_host_key ] || keygen hk_generate_as_needed
. /lib/functions.sh . /lib/functions.sh
. /lib/functions/network.sh . /lib/functions/network.sh
config_load "${NAME}" config_load "${NAME}"
config_foreach dropbear_instance dropbear config_foreach validate_section_dropbear dropbear dropbear_instance
} }
service_triggers() service_triggers()

130
package/network/services/dropbear/patches/010-runtime-maxauthtries.patch
View File

@ -1,130 +0,0 @@
From 46b22e57d91e33a591d0fba97da52672af4d6ed2 Mon Sep 17 00:00:00 2001
From: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Date: Mon, 29 May 2017 10:25:09 +0100
Subject: [PATCH] dropbear server: support -T max auth tries
Add support for '-T n' for a run-time specification for maximum number
of authentication attempts where 'n' is between 1 and compile time
option MAX_AUTH_TRIES.
A default number of tries can be specified at compile time using
'DEFAULT_AUTH_TRIES' which itself defaults to MAX_AUTH_TRIES for
backwards compatibility.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
---
options.h | 7 +++++++
runopts.h | 1 +
svr-auth.c | 2 +-
svr-runopts.c | 17 +++++++++++++++++
4 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/options.h b/options.h
index 0c51bb1..4d22704 100644
--- a/options.h
+++ b/options.h
@@ -284,6 +284,13 @@ Homedir is prepended unless path begins with / */
#define MAX_AUTH_TRIES 10
#endif
+/* Default maximum number of failed authentication tries.
+ * defaults to MAX_AUTH_TRIES */
+
+#ifndef DEFAULT_AUTH_TRIES
+#define DEFAULT_AUTH_TRIES MAX_AUTH_TRIES
+#endif
+
/* The default file to store the daemon's process ID, for shutdown
scripts etc. This can be overridden with the -P flag */
#ifndef DROPBEAR_PIDFILE
diff --git a/runopts.h b/runopts.h
index f7c869d..2f7da63 100644
--- a/runopts.h
+++ b/runopts.h
@@ -96,6 +96,7 @@ typedef struct svr_runopts {
int noauthpass;
int norootpass;
int allowblankpass;
+ unsigned int maxauthtries;
#ifdef ENABLE_SVR_REMOTETCPFWD
int noremotetcp;
diff --git a/svr-auth.c b/svr-auth.c
index 577ea88..6a7ce0b 100644
--- a/svr-auth.c
+++ b/svr-auth.c
@@ -362,7 +362,7 @@ void send_msg_userauth_failure(int partial, int incrfail) {
ses.authstate.failcount++;
}
- if (ses.authstate.failcount >= MAX_AUTH_TRIES) {
+ if (ses.authstate.failcount >= svr_opts.maxauthtries) {
char * userstr;
/* XXX - send disconnect ? */
TRACE(("Max auth tries reached, exiting"))
diff --git a/svr-runopts.c b/svr-runopts.c
index 8f60059..1e7440f 100644
--- a/svr-runopts.c
+++ b/svr-runopts.c
@@ -73,6 +73,7 @@ static void printhelp(const char * progname) {
"-g Disable password logins for root\n"
"-B Allow blank password logins\n"
#endif
+ "-T <1 to %d> Maximum authentication tries (default %d)\n"
#ifdef ENABLE_SVR_LOCALTCPFWD
"-j Disable local port forwarding\n"
#endif
@@ -106,6 +107,7 @@ static void printhelp(const char * progname) {
#ifdef DROPBEAR_ECDSA
ECDSA_PRIV_FILENAME,
#endif
+ MAX_AUTH_TRIES, DEFAULT_AUTH_TRIES,
DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE,
DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT);
}
@@ -118,6 +120,7 @@ void svr_getopts(int argc, char ** argv) {
char* recv_window_arg = NULL;
char* keepalive_arg = NULL;
char* idle_timeout_arg = NULL;
+ char* maxauthtries_arg = NULL;
char* keyfile = NULL;
char c;
@@ -130,6 +133,7 @@ void svr_getopts(int argc, char ** argv) {
svr_opts.noauthpass = 0;
svr_opts.norootpass = 0;
svr_opts.allowblankpass = 0;
+ svr_opts.maxauthtries = DEFAULT_AUTH_TRIES;
svr_opts.inetdmode = 0;
svr_opts.portcount = 0;
svr_opts.hostkey = NULL;
@@ -234,6 +238,9 @@ void svr_getopts(int argc, char ** argv) {
case 'I':
next = &idle_timeout_arg;
break;
+ case 'T':
+ next = &maxauthtries_arg;
+ break;
#if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
case 's':
svr_opts.noauthpass = 1;
@@ -330,6 +337,16 @@ void svr_getopts(int argc, char ** argv) {
dropbear_exit("Bad recv window '%s'", recv_window_arg);
}
}
+
+ if (maxauthtries_arg) {
+ unsigned int val = 0;
+ if (m_str_to_uint(maxauthtries_arg, &val) == DROPBEAR_FAILURE ||
+ val == 0 || val > MAX_AUTH_TRIES) {
+ dropbear_exit("Bad maxauthtries '%s'", maxauthtries_arg);
+ }
+ svr_opts.maxauthtries = val;
+ }
+
if (keepalive_arg) {
unsigned int val;
--
2.7.4

221
package/network/services/dropbear/patches/020-Wait-to-fail-invalid-usernames.patch
View File

@ -1,221 +0,0 @@
From 52adbb34c32d3e2e1bcdb941e20a6f81138b8248 Mon Sep 17 00:00:00 2001
From: Matt Johnston <matt@ucc.asn.au>
Date: Thu, 23 Aug 2018 23:43:12 +0800
Subject: [PATCH 2/2] Wait to fail invalid usernames
---
auth.h | 6 +++---
svr-auth.c | 19 +++++--------------
svr-authpam.c | 26 ++++++++++++++++++++++----
svr-authpasswd.c | 27 ++++++++++++++-------------
svr-authpubkey.c | 11 ++++++++++-
5 files changed, 54 insertions(+), 35 deletions(-)
--- a/auth.h
+++ b/auth.h
@@ -37,9 +37,9 @@ void recv_msg_userauth_request(void);
void send_msg_userauth_failure(int partial, int incrfail);
void send_msg_userauth_success(void);
void send_msg_userauth_banner(buffer *msg);
-void svr_auth_password(void);
-void svr_auth_pubkey(void);
-void svr_auth_pam(void);
+void svr_auth_password(int valid_user);
+void svr_auth_pubkey(int valid_user);
+void svr_auth_pam(int valid_user);
#ifdef ENABLE_SVR_PUBKEY_OPTIONS
int svr_pubkey_allows_agentfwd(void);
--- a/svr-auth.c
+++ b/svr-auth.c
@@ -176,10 +176,8 @@ void recv_msg_userauth_request() {
if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
strncmp(methodname, AUTH_METHOD_PASSWORD,
AUTH_METHOD_PASSWORD_LEN) == 0) {
- if (valid_user) {
- svr_auth_password();
- goto out;
- }
+ svr_auth_password(valid_user);
+ goto out;
}
}
#endif
@@ -191,10 +189,8 @@ void recv_msg_userauth_request() {
if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
strncmp(methodname, AUTH_METHOD_PASSWORD,
AUTH_METHOD_PASSWORD_LEN) == 0) {
- if (valid_user) {
- svr_auth_pam();
- goto out;
- }
+ svr_auth_pam(valid_user);
+ goto out;
}
}
#endif
@@ -204,12 +200,7 @@ void recv_msg_userauth_request() {
if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
strncmp(methodname, AUTH_METHOD_PUBKEY,
AUTH_METHOD_PUBKEY_LEN) == 0) {
- if (valid_user) {
- svr_auth_pubkey();
- } else {
- /* pubkey has no failure delay */
- send_msg_userauth_failure(0, 0);
- }
+ svr_auth_pubkey(valid_user);
goto out;
}
#endif
--- a/svr-authpam.c
+++ b/svr-authpam.c
@@ -178,13 +178,14 @@ pamConvFunc(int num_msg,
* Keyboard interactive would be a lot nicer, but since PAM is synchronous, it
* gets very messy trying to send the interactive challenges, and read the
* interactive responses, over the network. */
-void svr_auth_pam() {
+void svr_auth_pam(int valid_user) {
struct UserDataS userData = {NULL, NULL};
struct pam_conv pamConv = {
pamConvFunc,
&userData /* submitted to pamvConvFunc as appdata_ptr */
};
+ const char* printable_user = NULL;
pam_handle_t* pamHandlep = NULL;
@@ -204,12 +205,23 @@ void svr_auth_pam() {
password = buf_getstring(ses.payload, &passwordlen);
+ /* We run the PAM conversation regardless of whether the username is valid
+ in case the conversation function has an inherent delay.
+ Use ses.authstate.username rather than ses.authstate.pw_name.
+ After PAM succeeds we then check the valid_user flag too */
+
/* used to pass data to the PAM conversation function - don't bother with
* strdup() etc since these are touched only by our own conversation
* function (above) which takes care of it */
- userData.user = ses.authstate.pw_name;
+ userData.user = ses.authstate.username;
userData.passwd = password;
+ if (ses.authstate.pw_name) {
+ printable_user = ses.authstate.pw_name;
+ } else {
+ printable_user = "<invalid username>";
+ }
+
/* Init pam */
if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) {
dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s",
@@ -236,7 +248,7 @@ void svr_auth_pam() {
rc, pam_strerror(pamHandlep, rc));
dropbear_log(LOG_WARNING,
"Bad PAM password attempt for '%s' from %s",
- ses.authstate.pw_name,
+ printable_user,
svr_ses.addrstring);
send_msg_userauth_failure(0, 1);
goto cleanup;
@@ -247,12 +259,18 @@ void svr_auth_pam() {
rc, pam_strerror(pamHandlep, rc));
dropbear_log(LOG_WARNING,
"Bad PAM password attempt for '%s' from %s",
- ses.authstate.pw_name,
+ printable_user,
svr_ses.addrstring);
send_msg_userauth_failure(0, 1);
goto cleanup;
}
+ if (!valid_user) {
+ /* PAM auth succeeded but the username isn't allowed in for another reason
+ (checkusername() failed) */
+ send_msg_userauth_failure(0, 1);
+ }
+
/* successful authentication */
dropbear_log(LOG_NOTICE, "PAM password auth succeeded for '%s' from %s",
ses.authstate.pw_name,
--- a/svr-authpasswd.c
+++ b/svr-authpasswd.c
@@ -48,22 +48,14 @@ static int constant_time_strcmp(const ch
/* Process a password auth request, sending success or failure messages as
* appropriate */
-void svr_auth_password() {
+void svr_auth_password(int valid_user) {
char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */
char * testcrypt = NULL; /* crypt generated from the user's password sent */
- char * password;
+ char * password = NULL;
unsigned int passwordlen;
-
unsigned int changepw;
- passwdcrypt = ses.authstate.pw_passwd;
-
-#ifdef DEBUG_HACKCRYPT
- /* debugging crypt for non-root testing with shadows */
- passwdcrypt = DEBUG_HACKCRYPT;
-#endif
-
/* check if client wants to change password */
changepw = buf_getbool(ses.payload);
if (changepw) {
@@ -73,12 +65,21 @@ void svr_auth_password() {
}
password = buf_getstring(ses.payload, &passwordlen);
-
- /* the first bytes of passwdcrypt are the salt */
- testcrypt = crypt(password, passwdcrypt);
+ if (valid_user) {
+ /* the first bytes of passwdcrypt are the salt */
+ passwdcrypt = ses.authstate.pw_passwd;
+ testcrypt = crypt(password, passwdcrypt);
+ }
m_burn(password, passwordlen);
m_free(password);
+ /* After we have got the payload contents we can exit if the username
+ is invalid. Invalid users have already been logged. */
+ if (!valid_user) {
+ send_msg_userauth_failure(0, 1);
+ return;
+ }
+
if (testcrypt == NULL) {
/* crypt() with an invalid salt like "!!" */
dropbear_log(LOG_WARNING, "User account '%s' is locked",
--- a/svr-authpubkey.c
+++ b/svr-authpubkey.c
@@ -79,7 +79,7 @@ static int checkfileperm(char * filename
/* process a pubkey auth request, sending success or failure message as
* appropriate */
-void svr_auth_pubkey() {
+void svr_auth_pubkey(int valid_user) {
unsigned char testkey; /* whether we're just checking if a key is usable */
char* algo = NULL; /* pubkey algo */
@@ -102,6 +102,15 @@ void svr_auth_pubkey() {
keybloblen = buf_getint(ses.payload);
keyblob = buf_getptr(ses.payload, keybloblen);
+ if (!valid_user) {
+ /* Return failure once we have read the contents of the packet
+ required to validate a public key.
+ Avoids blind user enumeration though it isn't possible to prevent
+ testing for user existence if the public key is known */
+ send_msg_userauth_failure(0, 0);
+ goto out;
+ }
+
/* check if the key is valid */
if (checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE) {
send_msg_userauth_failure(0, 0);

45
package/network/services/dropbear/patches/100-pubkey_path.patch
View File

@ -1,6 +1,6 @@
--- a/svr-authpubkey.c --- a/svr-authpubkey.c
+++ b/svr-authpubkey.c +++ b/svr-authpubkey.c
@@ -229,14 +229,20 @@ static int checkpubkey(char* algo, unsig @@ -338,14 +338,19 @@ static int checkpubkey(const char* algo,
goto out; goto out;
} }
@ -25,34 +25,23 @@
+ filename = m_malloc(30); + filename = m_malloc(30);
+ strncpy(filename, "/etc/dropbear/authorized_keys", 30); + strncpy(filename, "/etc/dropbear/authorized_keys", 30);
+ } + }
+
#if DROPBEAR_SVR_MULTIUSER
/* open the file as the authenticating user. */ /* open the file as the authenticating user. */
origuid = getuid(); @@ -426,27 +431,36 @@ static int checkpubkeyperms() {
@@ -405,26 +411,35 @@ static int checkpubkeyperms() {
goto out; goto out;
} }
- /* allocate max required pathname storage, - /* allocate max required pathname storage,
- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ - * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
- filename = m_malloc(len + 22); - len += 22;
- strncpy(filename, ses.authstate.pw_dir, len+1); - filename = m_malloc(len);
- strlcpy(filename, ses.authstate.pw_dir, len);
- -
- /* check ~ */ - /* check ~ */
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { - if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out; - goto out;
- } - }
-
- /* check ~/.ssh */
- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;
- }
-
- /* now check ~/.ssh/authorized_keys */
- strncat(filename, "/authorized_keys", 16);
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;
+ if (ses.authstate.pw_uid == 0) { + if (ses.authstate.pw_uid == 0) {
+ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) { + if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
+ goto out; + goto out;
@ -63,22 +52,32 @@
+ } else { + } else {
+ /* allocate max required pathname storage, + /* allocate max required pathname storage,
+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ + * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+ filename = m_malloc(len + 22); + len += 22;
+ strncpy(filename, ses.authstate.pw_dir, len+1); + filename = m_malloc(len);
+ strlcpy(filename, ses.authstate.pw_dir, len);
+ +
+ /* check ~ */ + /* check ~ */
+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+ goto out; + goto out;
+ } + }
+
- /* check ~/.ssh */
- strlcat(filename, "/.ssh", len);
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;
- }
+ /* check ~/.ssh */ + /* check ~/.ssh */
+ strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ + strlcat(filename, "/.ssh", len);
+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+ goto out; + goto out;
+ } + }
+
- /* now check ~/.ssh/authorized_keys */
- strlcat(filename, "/authorized_keys", len);
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;
+ /* now check ~/.ssh/authorized_keys */ + /* now check ~/.ssh/authorized_keys */
+ strncat(filename, "/authorized_keys", 16); + strlcat(filename, "/authorized_keys", len);
+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { + if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+ goto out; + goto out;
+ } + }

2
package/network/services/dropbear/patches/110-change_user.patch
View File

@ -1,6 +1,6 @@
--- a/svr-chansession.c --- a/svr-chansession.c
+++ b/svr-chansession.c +++ b/svr-chansession.c
@@ -922,12 +922,12 @@ static void execchild(void *user_data) { @@ -953,12 +953,12 @@ static void execchild(const void *user_d
/* We can only change uid/gid as root ... */ /* We can only change uid/gid as root ... */
if (getuid() == 0) { if (getuid() == 0) {

82
package/network/services/dropbear/patches/120-openwrt_options.patch
View File

@ -1,82 +0,0 @@
--- a/options.h
+++ b/options.h
@@ -41,7 +41,7 @@
* Both of these flags can be defined at once, don't compile without at least
* one of them. */
#define NON_INETD_MODE
-#define INETD_MODE
+/*#define INETD_MODE*/
/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
* perhaps 20% slower for pubkey operations (it is probably worth experimenting
@@ -81,7 +81,7 @@ much traffic. */
/* Enable "Netcat mode" option. This will forward standard input/output
* to a remote TCP-forwarded connection */
-#define ENABLE_CLI_NETCAT
+/*#define ENABLE_CLI_NETCAT*/
/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
#define ENABLE_USER_ALGO_LIST
@@ -91,16 +91,16 @@ much traffic. */
* Including multiple keysize variants the same cipher
* (eg AES256 as well as AES128) will result in a minimal size increase.*/
#define DROPBEAR_AES128
-#define DROPBEAR_3DES
+/*#define DROPBEAR_3DES*/
#define DROPBEAR_AES256
/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
/*#define DROPBEAR_BLOWFISH*/
-#define DROPBEAR_TWOFISH256
-#define DROPBEAR_TWOFISH128
+/*#define DROPBEAR_TWOFISH256*/
+/*#define DROPBEAR_TWOFISH128*/
/* Enable CBC mode for ciphers. This has security issues though
* is the most compatible with older SSH implementations */
-#define DROPBEAR_ENABLE_CBC_MODE
+/*#define DROPBEAR_ENABLE_CBC_MODE*/
/* Enable "Counter Mode" for ciphers. This is more secure than normal
* CBC mode against certain attacks. It is recommended for security
@@ -131,10 +131,10 @@ If you test it please contact the Dropbe
* If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
* which are not the standard form. */
#define DROPBEAR_SHA1_HMAC
-#define DROPBEAR_SHA1_96_HMAC
+/*#define DROPBEAR_SHA1_96_HMAC*/
#define DROPBEAR_SHA2_256_HMAC
-#define DROPBEAR_SHA2_512_HMAC
-#define DROPBEAR_MD5_HMAC
+/*#define DROPBEAR_SHA2_512_HMAC*/
+/*#define DROPBEAR_MD5_HMAC*/
/* You can also disable integrity. Don't bother disabling this if you're
* still using a cipher, it's relatively cheap. If you disable this it's dead
@@ -146,7 +146,7 @@ If you test it please contact the Dropbe
* Removing either of these won't save very much space.
* SSH2 RFC Draft requires dss, recommends rsa */
#define DROPBEAR_RSA
-#define DROPBEAR_DSS
+/*#define DROPBEAR_DSS*/
/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
* code (either ECDSA or ECDH) increases binary size - around 30kB
* on x86-64 */
@@ -194,7 +194,7 @@ If you test it please contact the Dropbe
/* Whether to print the message of the day (MOTD). This doesn't add much code
* size */
-#define DO_MOTD
+/*#define DO_MOTD*/
/* The MOTD file path */
#ifndef MOTD_FILENAME
@@ -242,7 +242,7 @@ Homedir is prepended unless path begins
* note that it will be provided for all "hidden" client-interactive
* style prompts - if you want something more sophisticated, use
* SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
-#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
+/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/
/* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
* a helper program for the ssh client. The helper program should be

4
package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
View File

@ -1,6 +1,6 @@
--- a/cli-runopts.c --- a/cli-runopts.c
+++ b/cli-runopts.c +++ b/cli-runopts.c
@@ -296,6 +296,8 @@ void cli_getopts(int argc, char ** argv) @@ -299,6 +299,8 @@ void cli_getopts(int argc, char ** argv)
debug_trace = 1; debug_trace = 1;
break; break;
#endif #endif
@ -8,4 +8,4 @@
+ break; + break;
case 'F': case 'F':
case 'e': case 'e':
#ifndef ENABLE_USER_ALGO_LIST #if !DROPBEAR_USER_ALGO_LIST

2
package/network/services/dropbear/patches/140-disable_assert.patch
View File

@ -1,6 +1,6 @@
--- a/dbutil.h --- a/dbutil.h
+++ b/dbutil.h +++ b/dbutil.h
@@ -78,7 +78,11 @@ int m_str_to_uint(const char* str, unsig @@ -75,7 +75,11 @@ int m_str_to_uint(const char* str, unsig
#define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL} #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
/* Dropbear assertion */ /* Dropbear assertion */

14
package/network/services/dropbear/patches/150-dbconvert_standalone.patch
View File

@ -1,14 +0,0 @@
--- a/options.h
+++ b/options.h
@@ -5,6 +5,11 @@
#ifndef DROPBEAR_OPTIONS_H_
#define DROPBEAR_OPTIONS_H_
+#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER)
+#define DROPBEAR_SERVER
+#define DROPBEAR_CLIENT
+#endif
+
/* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
* parts are to allow for commandline -DDROPBEAR_XXX options etc. */

8
package/network/services/dropbear/patches/160-lto-jobserver.patch
View File

@ -1,6 +1,6 @@
--- a/Makefile.in --- a/Makefile.in
+++ b/Makefile.in +++ b/Makefile.in
@@ -163,17 +163,17 @@ dropbearkey: $(dropbearkeyobjs) @@ -189,17 +189,17 @@ dropbearkey: $(dropbearkeyobjs)
dropbearconvert: $(dropbearconvertobjs) dropbearconvert: $(dropbearconvertobjs)
dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile
@ -12,8 +12,8 @@
+ +$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) + +$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
dropbearkey dropbearconvert: $(HEADERS) $(LIBTOM_DEPS) Makefile dropbearkey dropbearconvert: $(HEADERS) $(LIBTOM_DEPS) Makefile
- $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) - $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
+ +$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) + +$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
# scp doesn't use the libs so is special. # scp doesn't use the libs so is special.
scp: $(SCPOBJS) $(HEADERS) Makefile scp: $(SCPOBJS) $(HEADERS) Makefile
@ -22,7 +22,7 @@
# multi-binary compilation. # multi-binary compilation.
@@ -184,7 +184,7 @@ ifeq ($(MULTI),1) @@ -210,7 +210,7 @@ ifeq ($(MULTI),1)
endif endif
dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile

2
package/network/services/dropbear/patches/600-allow-blank-root-password.patch
View File

@ -1,6 +1,6 @@
--- a/svr-auth.c --- a/svr-auth.c
+++ b/svr-auth.c +++ b/svr-auth.c
@@ -149,7 +149,7 @@ void recv_msg_userauth_request() { @@ -125,7 +125,7 @@ void recv_msg_userauth_request() {
AUTH_METHOD_NONE_LEN) == 0) { AUTH_METHOD_NONE_LEN) == 0) {
TRACE(("recv_msg_userauth_request: 'none' request")) TRACE(("recv_msg_userauth_request: 'none' request"))
if (valid_user if (valid_user

18
package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
View File

@ -1,18 +0,0 @@
--- a/svr-runopts.c
+++ b/svr-runopts.c
@@ -505,6 +505,7 @@ void load_all_hostkeys() {
m_free(hostkey_file);
}
+ if (svr_opts.num_hostkey_files <= 0) {
#ifdef DROPBEAR_RSA
loadhostkey(RSA_PRIV_FILENAME, 0);
#endif
@@ -516,6 +517,7 @@ void load_all_hostkeys() {
#ifdef DROPBEAR_ECDSA
loadhostkey(ECDSA_PRIV_FILENAME, 0);
#endif
+ }
#ifdef DROPBEAR_DELAY_HOSTKEY
if (svr_opts.delay_hostkey) {

56
package/network/services/dropbear/patches/900-configure-hardening.patch Normal file
View File

@ -0,0 +1,56 @@
--- a/configure.ac
+++ b/configure.ac
@@ -70,53 +70,6 @@ AC_ARG_ENABLE(harden,
if test "$hardenbuild" -eq 1; then
AC_MSG_NOTICE(Checking for available hardened build flags:)
- # relocation flags don't make sense for static builds
- if test "$STATIC" -ne 1; then
- # pie
- DB_TRYADDCFLAGS([-fPIE])
-
- OLDLDFLAGS="$LDFLAGS"
- TESTFLAGS="-Wl,-pie"
- LDFLAGS="$LDFLAGS $TESTFLAGS"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
- [
- LDFLAGS="$OLDLDFLAGS"
- TESTFLAGS="-pie"
- LDFLAGS="$LDFLAGS $TESTFLAGS"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
- )
- ]
- )
- # readonly elf relocation sections (relro)
- OLDLDFLAGS="$LDFLAGS"
- TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
- LDFLAGS="$LDFLAGS $TESTFLAGS"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
- )
- fi # non-static
- # stack protector. -strong is good but only in gcc 4.9 or later
- OLDCFLAGS="$CFLAGS"
- TESTFLAGS="-fstack-protector-strong"
- CFLAGS="$CFLAGS $TESTFLAGS"
- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
- [
- CFLAGS="$OLDCFLAGS"
- TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
- CFLAGS="$CFLAGS $TESTFLAGS"
- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
- )
- ]
- )
- # FORTIFY_SOURCE
- DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2])
# Spectre v2 mitigations
DB_TRYADDCFLAGS([-mfunction-return=thunk])

48
package/network/services/dropbear/patches/901-bundled-libs-cflags.patch Normal file
View File

@ -0,0 +1,48 @@
--- a/libtomcrypt/makefile_include.mk
+++ b/libtomcrypt/makefile_include.mk
@@ -75,6 +75,13 @@ endif
LTC_CFLAGS += -Wno-type-limits
+ifdef OPENWRT_BUILD
+ ifeq (-Os,$(filter -Os,$(CFLAGS)))
+ LTC_CFLAGS += -DLTC_SMALL_CODE
+ endif
+else
+ ### ! OPENWRT_BUILD
+
ifdef LTC_DEBUG
$(info Debug build)
# compile for DEBUGGING (required for ccmalloc checking!!!)
@@ -102,6 +109,9 @@ endif
endif # COMPILE_SMALL
endif # COMPILE_DEBUG
+ ### ! OPENWRT_BUILD
+endif
+
ifneq ($(findstring clang,$(CC)),)
LTC_CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header -Wno-missing-field-initializers
--- a/libtommath/makefile_include.mk
+++ b/libtommath/makefile_include.mk
@@ -37,6 +37,9 @@ CFLAGS += -Wsystem-headers -Wdeclaration
CFLAGS += -Wstrict-prototypes -Wpointer-arith
endif
+ifndef OPENWRT_BUILD
+ ### ! OPENWRT_BUILD
+
ifdef COMPILE_DEBUG
#debug
CFLAGS += -g3
@@ -58,6 +61,9 @@ endif
endif # COMPILE_SIZE
endif # COMPILE_DEBUG
+ ### ! OPENWRT_BUILD
+endif
+
ifneq ($(findstring clang,$(CC)),)
CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header
endif