[openwrt/openwrt] dropbear: bump to 2022.82
LEDE Commits
lede-commits at lists.infradead.org
Sat Apr 9 10:40:38 PDT 2022
hauke pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/65256aee23a5104eb0c78411fdc73640c0b757ea
commit 65256aee23a5104eb0c78411fdc73640c0b757ea
Author: Konstantin Demin <rockdrilla at gmail.com>
AuthorDate: Thu Apr 7 11:33:08 2022 +0300
dropbear: bump to 2022.82
- update dropbear to latest stable 2022.82;
for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- use $(AUTORELEASE) in PKG_RELEASE
- use https for all uris
- refresh all patches
- rewrite patches:
- 100-pubkey_path.patch
- 130-ssh_ignore_x_args.patch
binary/pkg size changes:
- ath79/generic, mips:
- binary: 215112 -> 219228 (+4116)
- pkg: 111914 -> 113404 (+1490)
- ath79/tiny, mips:
- binary: 172501 -> 172485 (-16)
- pkg: 89871 -> 90904 (+1033)
Tested-by: Stijn Segers <foss at volatilesystems.org>
Signed-off-by: Konstantin Demin <rockdrilla at gmail.com>
---
package/network/services/dropbear/Makefile | 12 ++-
.../dropbear/patches/100-pubkey_path.patch | 116 ++++++++++++---------
.../dropbear/patches/110-change_user.patch | 2 +-
.../dropbear/patches/130-ssh_ignore_x_args.patch | 14 +--
.../dropbear/patches/140-disable_assert.patch | 2 +-
.../dropbear/patches/160-lto-jobserver.patch | 4 +-
.../patches/600-allow-blank-root-password.patch | 2 +-
.../dropbear/patches/900-configure-hardening.patch | 2 +-
...0-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch | 2 +-
9 files changed, 90 insertions(+), 66 deletions(-)
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index d518de3f70..eaf14c5533 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -8,14 +8,14 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=dropbear
-PKG_VERSION:=2020.81
-PKG_RELEASE:=2
+PKG_VERSION:=2022.82
+PKG_RELEASE:=$(AUTORELEASE)
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:= \
- http://matt.ucc.asn.au/dropbear/releases/ \
+ https://matt.ucc.asn.au/dropbear/releases/ \
https://dropbear.nl/mirror/releases/
-PKG_HASH:=48235d10b37775dbda59341ac0c4b239b82ad6318c31568b985730c788aac53b
+PKG_HASH:=3a038d2bbc02bf28bbdd20c012091f741a3ec5cbe460691811d714876aad75d1
PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
@@ -42,7 +42,7 @@ ifneq ($(DUMP),1)
endif
define Package/dropbear/Default
- URL:=http://matt.ucc.asn.au/dropbear/
+ URL:=https://matt.ucc.asn.au/dropbear/
endef
define Package/dropbear/config
@@ -130,8 +130,10 @@ DB_OPT_COMMON = \
DB_OPT_CONFIG = \
DROPBEAR_CURVE25519|CONFIG_DROPBEAR_CURVE25519|1|0 \
DROPBEAR_ED25519|CONFIG_DROPBEAR_ED25519|1|0 \
+ DROPBEAR_SK_ED25519|CONFIG_DROPBEAR_ED25519|1|0 \
DROPBEAR_CHACHA20POLY1305|CONFIG_DROPBEAR_CHACHA20POLY1305|1|0 \
DROPBEAR_ECDSA|CONFIG_DROPBEAR_ECC|1|0 \
+ DROPBEAR_SK_ECDSA|CONFIG_DROPBEAR_ECC|1|0 \
DROPBEAR_ECDH|CONFIG_DROPBEAR_ECC|1|0 \
!!DROPBEAR_ECC_384|CONFIG_DROPBEAR_ECC_FULL|1|0 \
!!DROPBEAR_ECC_521|CONFIG_DROPBEAR_ECC_FULL|1|0 \
diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch
index af3fbb336b..0403198062 100644
--- a/package/network/services/dropbear/patches/100-pubkey_path.patch
+++ b/package/network/services/dropbear/patches/100-pubkey_path.patch
@@ -1,34 +1,50 @@
--- a/svr-authpubkey.c
+++ b/svr-authpubkey.c
-@@ -386,14 +386,19 @@ static int checkpubkey(const char* keyal
- goto out;
- }
+@@ -77,6 +77,13 @@ static void send_msg_userauth_pk_ok(cons
+ const unsigned char* keyblob, unsigned int keybloblen);
+ static int checkfileperm(char * filename);
-- /* we don't need to check pw and pw_dir for validity, since
-- * its been done in checkpubkeyperms. */
-- len = strlen(ses.authstate.pw_dir);
-- /* allocate max required pathname storage,
-- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-- filename = m_malloc(len + 22);
-- snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
-- ses.authstate.pw_dir);
-+ if (ses.authstate.pw_uid != 0) {
-+ /* we don't need to check pw and pw_dir for validity, since
-+ * its been done in checkpubkeyperms. */
-+ len = strlen(ses.authstate.pw_dir);
-+ /* allocate max required pathname storage,
-+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-+ filename = m_malloc(len + 22);
-+ snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
-+ ses.authstate.pw_dir);
-+ } else {
-+ filename = m_malloc(30);
-+ strncpy(filename, "/etc/dropbear/authorized_keys", 30);
-+ }
++static const char * const global_authkeys_dir = "/etc/dropbear";
++static const int n_global_authkeys_dir = 14; /* + 1 extra byte */
++static const char * const user_authkeys_dir = ".ssh";
++static const int n_user_authkeys_dir = 5; /* + 1 extra byte */
++static const char * const authkeys_file = "authorized_keys";
++static const int n_authkeys_file = 16; /* + 1 extra byte */
++
+ /* process a pubkey auth request, sending success or failure message as
+ * appropriate */
+ void svr_auth_pubkey(int valid_user) {
+@@ -439,14 +446,21 @@ static int checkpubkey(const char* keyal
+ if (checkpubkeyperms() == DROPBEAR_FAILURE) {
+ TRACE(("bad authorized_keys permissions, or file doesn't exist"))
+ } else {
+- /* we don't need to check pw and pw_dir for validity, since
+- * its been done in checkpubkeyperms. */
+- len = strlen(ses.authstate.pw_dir);
+- /* allocate max required pathname storage,
+- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+- filename = m_malloc(len + 22);
+- snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
+- ses.authstate.pw_dir);
++ if (ses.authstate.pw_uid == 0) {
++ len = n_global_authkeys_dir + n_authkeys_file;
++ filename = m_malloc(len);
++ snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file);
++ } else {
++ /* we don't need to check pw and pw_dir for validity, since
++ * its been done in checkpubkeyperms. */
++ len = strlen(ses.authstate.pw_dir);
++ /* allocate max required pathname storage,
++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
++ len += n_user_authkeys_dir + n_authkeys_file + 1;
++ filename = m_malloc(len);
++ snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir,
++ user_authkeys_dir, authkeys_file);
++ }
- #if DROPBEAR_SVR_MULTIUSER
- /* open the file as the authenticating user. */
-@@ -474,27 +479,36 @@ static int checkpubkeyperms() {
+ authfile = fopen(filename, "r");
+ if (!authfile) {
+@@ -520,27 +534,41 @@ static int checkpubkeyperms() {
goto out;
}
@@ -37,47 +53,51 @@
- len += 22;
- filename = m_malloc(len);
- strlcpy(filename, ses.authstate.pw_dir, len);
--
++ if (ses.authstate.pw_uid == 0) {
++ if (checkfileperm(global_authkeys_dir) != DROPBEAR_SUCCESS) {
++ goto out;
++ }
+
- /* check ~ */
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;
- }
-+ if (ses.authstate.pw_uid == 0) {
-+ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
-+ goto out;
-+ }
-+ if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) {
-+ goto out;
-+ }
-+ } else {
-+ /* allocate max required pathname storage,
-+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-+ len += 22;
++ len = n_global_authkeys_dir + n_authkeys_file;
+ filename = m_malloc(len);
-+ strlcpy(filename, ses.authstate.pw_dir, len);
-+
-+ /* check ~ */
-+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
-+ goto out;
-+ }
- /* check ~/.ssh */
- strlcat(filename, "/.ssh", len);
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;
- }
-+ /* check ~/.ssh */
-+ strlcat(filename, "/.ssh", len);
++ snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file);
+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+ goto out;
+ }
++ } else {
++ /* check ~ */
++ if (checkfileperm(ses.authstate.pw_dir) != DROPBEAR_SUCCESS) {
++ goto out;
++ }
- /* now check ~/.ssh/authorized_keys */
- strlcat(filename, "/authorized_keys", len);
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;
++ /* allocate max required pathname storage,
++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
++ len += n_user_authkeys_dir + n_authkeys_file + 1;
++ filename = m_malloc(len);
++
++ /* check ~/.ssh */
++ snprintf(filename, len, "%s/%s", ses.authstate.pw_dir, user_authkeys_dir);
++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++ goto out;
++ }
++
+ /* now check ~/.ssh/authorized_keys */
-+ strlcat(filename, "/authorized_keys", len);
++ snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir,
++ user_authkeys_dir, authkeys_file);
+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+ goto out;
+ }
diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch
index 1dd67948af..04d1df3fde 100644
--- a/package/network/services/dropbear/patches/110-change_user.patch
+++ b/package/network/services/dropbear/patches/110-change_user.patch
@@ -1,6 +1,6 @@
--- a/svr-chansession.c
+++ b/svr-chansession.c
-@@ -954,12 +954,12 @@ static void execchild(const void *user_d
+@@ -985,12 +985,12 @@ static void execchild(const void *user_d
/* We can only change uid/gid as root ... */
if (getuid() == 0) {
diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
index 5e736320cc..d7f589801d 100644
--- a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
+++ b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
@@ -1,11 +1,13 @@
--- a/cli-runopts.c
+++ b/cli-runopts.c
-@@ -299,6 +299,8 @@ void cli_getopts(int argc, char ** argv)
- debug_trace = 1;
+@@ -325,6 +325,10 @@ void cli_getopts(int argc, char ** argv)
+ case 'b':
+ next = &bind_arg;
break;
- #endif
+ case 'x':
++ /* compatibility with openssh cli
++ * ("-x" disables X11 forwarding) */
+ break;
- case 'F':
- case 'e':
- #if !DROPBEAR_USER_ALGO_LIST
+ default:
+ fprintf(stderr,
+ "WARNING: Ignoring unknown option -%c\n", c);
diff --git a/package/network/services/dropbear/patches/140-disable_assert.patch b/package/network/services/dropbear/patches/140-disable_assert.patch
index 8c3ae7f119..af01573dee 100644
--- a/package/network/services/dropbear/patches/140-disable_assert.patch
+++ b/package/network/services/dropbear/patches/140-disable_assert.patch
@@ -1,6 +1,6 @@
--- a/dbutil.h
+++ b/dbutil.h
-@@ -75,7 +75,11 @@ int m_str_to_uint(const char* str, unsig
+@@ -80,7 +80,11 @@ int m_snprintf(char *str, size_t size, c
#define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
/* Dropbear assertion */
diff --git a/package/network/services/dropbear/patches/160-lto-jobserver.patch b/package/network/services/dropbear/patches/160-lto-jobserver.patch
index 1ba7dd6f44..fd80b986ae 100644
--- a/package/network/services/dropbear/patches/160-lto-jobserver.patch
+++ b/package/network/services/dropbear/patches/160-lto-jobserver.patch
@@ -1,6 +1,6 @@
--- a/Makefile.in
+++ b/Makefile.in
-@@ -198,17 +198,17 @@ dropbearkey: $(dropbearkeyobjs)
+@@ -200,17 +200,17 @@ dropbearkey: $(dropbearkeyobjs)
dropbearconvert: $(dropbearconvertobjs)
dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile
@@ -22,7 +22,7 @@
# multi-binary compilation.
-@@ -219,7 +219,7 @@ ifeq ($(MULTI),1)
+@@ -221,7 +221,7 @@ ifeq ($(MULTI),1)
endif
dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile
diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
index b138862ca3..07ae022763 100644
--- a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
+++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
@@ -1,6 +1,6 @@
--- a/svr-auth.c
+++ b/svr-auth.c
-@@ -125,7 +125,7 @@ void recv_msg_userauth_request() {
+@@ -124,7 +124,7 @@ void recv_msg_userauth_request() {
AUTH_METHOD_NONE_LEN) == 0) {
TRACE(("recv_msg_userauth_request: 'none' request"))
if (valid_user
diff --git a/package/network/services/dropbear/patches/900-configure-hardening.patch b/package/network/services/dropbear/patches/900-configure-hardening.patch
index ab1361f6ae..4f806f8b25 100644
--- a/package/network/services/dropbear/patches/900-configure-hardening.patch
+++ b/package/network/services/dropbear/patches/900-configure-hardening.patch
@@ -1,6 +1,6 @@
--- a/configure.ac
+++ b/configure.ac
-@@ -70,53 +70,6 @@ AC_ARG_ENABLE(harden,
+@@ -74,53 +74,6 @@ AC_ARG_ENABLE(harden,
if test "$hardenbuild" -eq 1; then
AC_MSG_NOTICE(Checking for available hardened build flags:)
diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
index b774a38b1a..f078814403 100644
--- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
+++ b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
@@ -21,7 +21,7 @@ Signed-off-by: Petr Štetiar <ynezz at true.cz>
--- a/signkey.c
+++ b/signkey.c
-@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *k
+@@ -646,8 +646,12 @@ int buf_verify(buffer * buf, sign_key *k
sigtype = signature_type_from_name(type_name, type_name_len);
m_free(type_name);
More information about the lede-commits
mailing list