[LEDE-DEV] [PATCH v2] dropbear: bump to 2018.76
Hauke Mehrtens
hauke at hauke-m.de
Wed May 2 12:36:23 PDT 2018
On 05/02/2018 05:37 PM, Koen Vandeputte wrote:
> Config moved from option.h to localoptions.h
> refreshed all patches
>
> deleted upstreamed patches:
> - 010-runtime-maxauthtries.patch
> - 610-skip-default-keys-in-custom-runs.patch
>
> introduced new patch:
> - 610-disable-ec-by-default.patch
>
> This patch adds the EC definitions which are altered by the Makefile when
> (de)selecting EC options.
>
> Tested on both LE (arm) and BE (mips) architectures.
> Tested with all dropbear menu options on/off.
>
> Binary sizes in bytes:
>
> 2017.75
> -------
>
> Openwrt default : 172405
> Openwrt default IPK : 86512
>
> Openwrt default + ECC + zlib: 197301
> Openwrt default IPK + ECC + zlib: 98709
>
> 2018.76
> -------
>
> Openwrt default : 277260
> Openwrt default IPK : 130534
>
> Openwrt default + ECC + zlib: 322928
> Openwrt default IPK + ECC + zlib: 149187
>
> Signed-off-by: Koen Vandeputte <koen.vandeputte at ncentric.com>
> ---
I think the size increase is too big, someone should investigate what
happened here and try to reduce the size of the new version.
>
> V2:
> --> Added binary sizes
> --> Disabled 2 more options (DROPBEAR_USE_PASSWORD_ENV & DROPBEAR_SFTPSERVER)
>
> Skipped adding the sftp server as a menuconfig option, as it's not integrated into dropbear itself.
>
> Binary size seems to have exploded compared to the previous version.
> Checking all config file options and the build options for Configure, I cannot pinpoint the root cause for this massive increase.
>
> The libtoms seem to be built using -Os.
>
> package/network/services/dropbear/Makefile | 28 ++---
> .../patches/010-runtime-maxauthtries.patch | 130 ---------------------
> .../dropbear/patches/100-pubkey_path.patch | 28 +++--
> .../dropbear/patches/110-change_user.patch | 2 +-
> .../dropbear/patches/120-openwrt_options.patch | 96 +++------------
> .../dropbear/patches/130-ssh_ignore_x_args.patch | 4 +-
> .../patches/150-dbconvert_standalone.patch | 21 ++--
> .../patches/600-allow-blank-root-password.patch | 2 +-
> .../patches/610-disable-ec-by-default.patch | 10 ++
> .../610-skip-default-keys-in-custom-runs.patch | 18 ---
> 10 files changed, 64 insertions(+), 275 deletions(-)
> delete mode 100644 package/network/services/dropbear/patches/010-runtime-maxauthtries.patch
> create mode 100644 package/network/services/dropbear/patches/610-disable-ec-by-default.patch
> delete mode 100644 package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
>
> diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
> index 21ac09f72452..e89043531f78 100644
> --- a/package/network/services/dropbear/Makefile
> +++ b/package/network/services/dropbear/Makefile
> @@ -8,14 +8,14 @@
> include $(TOPDIR)/rules.mk
>
> PKG_NAME:=dropbear
> -PKG_VERSION:=2017.75
> -PKG_RELEASE:=5
> +PKG_VERSION:=2018.76
> +PKG_RELEASE:=1
>
> PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
> PKG_SOURCE_URL:= \
> http://matt.ucc.asn.au/dropbear/releases/ \
> https://dropbear.nl/mirror/releases/
> -PKG_HASH:=6cbc1dcb1c9709d226dff669e5604172a18cf5dbf9a201474d5618ae4465098c
> +PKG_HASH:=f2fb9167eca8cf93456a5fc1d4faf709902a3ab70dd44e352f3acbc3ffdaea65
>
> PKG_LICENSE:=MIT
> PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
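Review bot: the `PKG_HASH` change in this hunk cannot be checked from the diff itself; please state in the commit message how the new sha256 was verified (against the upstream release announcement or signature) rather than only computed from the downloaded tarball, since a hash computed locally from a tampered mirror would still match.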
> @@ -57,7 +57,7 @@ endef
>
> define Package/dropbear/conffiles
> /etc/dropbear/dropbear_rsa_host_key
> -/etc/config/dropbear
> +/etc/config/dropbear
> endef
>
> define Package/dropbearconvert
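Review bot: the `/etc/config/dropbear` line in the `Package/dropbear/conffiles` hunk is removed and re-added with identical visible text, so this is a whitespace-only change (trailing space or tab) unrelated to the version bump. Either drop it or mention the cleanup in the commit message so the diff stays focused on the bump.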
> @@ -89,24 +89,24 @@ define Build/Configure
> $(Build/Configure/Default)
>
> $(SED) 's,^#define DEFAULT_PATH .*$$$$,#define DEFAULT_PATH "$(TARGET_INIT_PATH)",g' \
> - $(PKG_BUILD_DIR)/options.h
> + $(PKG_BUILD_DIR)/default_options.h
>
> awk 'BEGIN { rc = 1 } \
> - /'DROPBEAR_CURVE25519'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_CURVE25519),,// )#define 'DROPBEAR_CURVE25519'"; rc = 0 } \
> + /'DROPBEAR_CURVE25519'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_CURVE25519),#define 'DROPBEAR_CURVE25519' 1,#define 'DROPBEAR_CURVE25519' 0)"; rc = 0 } \
> { print } \
> - END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \
> - >$(PKG_BUILD_DIR)/options.h.new && \
> - mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h
> + END { exit(rc) }' $(PKG_BUILD_DIR)/localoptions.h \
> + >$(PKG_BUILD_DIR)/localoptions.h.new && \
> + mv $(PKG_BUILD_DIR)/localoptions.h.new $(PKG_BUILD_DIR)/localoptions.h
>
> - # Enforce that all replacements are made, otherwise options.h has changed
> + # Enforce that all replacements are made, otherwise localoptions.h has changed
> # format and this logic is broken.
> for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \
> awk 'BEGIN { rc = 1 } \
> - /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// )#define '$$$$OPTION'"; rc = 0 } \
> + /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),#define '$$$$OPTION' 1,#define '$$$$OPTION' 0)"; rc = 0 } \
> { print } \
> - END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \
> - >$(PKG_BUILD_DIR)/options.h.new && \
> - mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h || exit 1; \
> + END { exit(rc) }' $(PKG_BUILD_DIR)/localoptions.h \
> + >$(PKG_BUILD_DIR)/localoptions.h.new && \
> + mv $(PKG_BUILD_DIR)/localoptions.h.new $(PKG_BUILD_DIR)/localoptions.h || exit 1; \
> done
>
> # remove protocol idented software version number
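Review bot: the `DEFAULT_PATH` sed on `default_options.h` is not verified the way the awk rewrites are. The awk blocks exit non-zero via `rc` when no `DROPBEAR_CURVE25519`, `DROPBEAR_ECDSA` or `DROPBEAR_ECDH` line is found in `localoptions.h`, but if upstream renames or moves `DEFAULT_PATH` the sed silently leaves the upstream path in place and `$(TARGET_INIT_PATH)` is never applied. Consider a matching check after the sed, e.g. `grep -q '^#define DEFAULT_PATH "$(TARGET_INIT_PATH)"' $(PKG_BUILD_DIR)/default_options.h || exit 1`. Also, the awk rewrites only succeed because `610-disable-ec-by-default.patch` adds those three `#define ... 0` lines to `localoptions.h`; a one-line comment in the Makefile stating that dependency would save the next person refreshing the patches some confusion.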
> diff --git a/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch b/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch
> deleted file mode 100644
> index 26db3181f2d8..000000000000
> --- a/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch
> +++ /dev/null
> @@ -1,130 +0,0 @@
> -From 46b22e57d91e33a591d0fba97da52672af4d6ed2 Mon Sep 17 00:00:00 2001
> -From: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
> -Date: Mon, 29 May 2017 10:25:09 +0100
> -Subject: [PATCH] dropbear server: support -T max auth tries
> -
> -Add support for '-T n' for a run-time specification for maximum number
> -of authentication attempts where 'n' is between 1 and compile time
> -option MAX_AUTH_TRIES.
> -
> -A default number of tries can be specified at compile time using
> -'DEFAULT_AUTH_TRIES' which itself defaults to MAX_AUTH_TRIES for
> -backwards compatibility.
> -
> -Signed-off-by: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
> ----
> - options.h | 7 +++++++
> - runopts.h | 1 +
> - svr-auth.c | 2 +-
> - svr-runopts.c | 17 +++++++++++++++++
> - 4 files changed, 26 insertions(+), 1 deletion(-)
> -
> -diff --git a/options.h b/options.h
> -index 0c51bb1..4d22704 100644
> ---- a/options.h
> -+++ b/options.h
> -@@ -284,6 +284,13 @@ Homedir is prepended unless path begins with / */
> - #define MAX_AUTH_TRIES 10
> - #endif
> -
> -+/* Default maximum number of failed authentication tries.
> -+ * defaults to MAX_AUTH_TRIES */
> -+
> -+#ifndef DEFAULT_AUTH_TRIES
> -+#define DEFAULT_AUTH_TRIES MAX_AUTH_TRIES
> -+#endif
> -+
> - /* The default file to store the daemon's process ID, for shutdown
> - scripts etc. This can be overridden with the -P flag */
> - #ifndef DROPBEAR_PIDFILE
> -diff --git a/runopts.h b/runopts.h
> -index f7c869d..2f7da63 100644
> ---- a/runopts.h
> -+++ b/runopts.h
> -@@ -96,6 +96,7 @@ typedef struct svr_runopts {
> - int noauthpass;
> - int norootpass;
> - int allowblankpass;
> -+ unsigned int maxauthtries;
> -
> - #ifdef ENABLE_SVR_REMOTETCPFWD
> - int noremotetcp;
> -diff --git a/svr-auth.c b/svr-auth.c
> -index 577ea88..6a7ce0b 100644
> ---- a/svr-auth.c
> -+++ b/svr-auth.c
> -@@ -362,7 +362,7 @@ void send_msg_userauth_failure(int partial, int incrfail) {
> - ses.authstate.failcount++;
> - }
> -
> -- if (ses.authstate.failcount >= MAX_AUTH_TRIES) {
> -+ if (ses.authstate.failcount >= svr_opts.maxauthtries) {
> - char * userstr;
> - /* XXX - send disconnect ? */
> - TRACE(("Max auth tries reached, exiting"))
> -diff --git a/svr-runopts.c b/svr-runopts.c
> -index 8f60059..1e7440f 100644
> ---- a/svr-runopts.c
> -+++ b/svr-runopts.c
> -@@ -73,6 +73,7 @@ static void printhelp(const char * progname) {
> - "-g Disable password logins for root\n"
> - "-B Allow blank password logins\n"
> - #endif
> -+ "-T <1 to %d> Maximum authentication tries (default %d)\n"
> - #ifdef ENABLE_SVR_LOCALTCPFWD
> - "-j Disable local port forwarding\n"
> - #endif
> -@@ -106,6 +107,7 @@ static void printhelp(const char * progname) {
> - #ifdef DROPBEAR_ECDSA
> - ECDSA_PRIV_FILENAME,
> - #endif
> -+ MAX_AUTH_TRIES, DEFAULT_AUTH_TRIES,
> - DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE,
> - DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT);
> - }
> -@@ -118,6 +120,7 @@ void svr_getopts(int argc, char ** argv) {
> - char* recv_window_arg = NULL;
> - char* keepalive_arg = NULL;
> - char* idle_timeout_arg = NULL;
> -+ char* maxauthtries_arg = NULL;
> - char* keyfile = NULL;
> - char c;
> -
> -@@ -130,6 +133,7 @@ void svr_getopts(int argc, char ** argv) {
> - svr_opts.noauthpass = 0;
> - svr_opts.norootpass = 0;
> - svr_opts.allowblankpass = 0;
> -+ svr_opts.maxauthtries = DEFAULT_AUTH_TRIES;
> - svr_opts.inetdmode = 0;
> - svr_opts.portcount = 0;
> - svr_opts.hostkey = NULL;
> -@@ -234,6 +238,9 @@ void svr_getopts(int argc, char ** argv) {
> - case 'I':
> - next = &idle_timeout_arg;
> - break;
> -+ case 'T':
> -+ next = &maxauthtries_arg;
> -+ break;
> - #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
> - case 's':
> - svr_opts.noauthpass = 1;
> -@@ -330,6 +337,16 @@ void svr_getopts(int argc, char ** argv) {
> - dropbear_exit("Bad recv window '%s'", recv_window_arg);
> - }
> - }
> -+
> -+ if (maxauthtries_arg) {
> -+ unsigned int val = 0;
> -+ if (m_str_to_uint(maxauthtries_arg, &val) == DROPBEAR_FAILURE ||
> -+ val == 0 || val > MAX_AUTH_TRIES) {
> -+ dropbear_exit("Bad maxauthtries '%s'", maxauthtries_arg);
> -+ }
> -+ svr_opts.maxauthtries = val;
> -+ }
> -+
> -
> - if (keepalive_arg) {
> - unsigned int val;
> ---
> -2.7.4
> -
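Review bot: deleting `010-runtime-maxauthtries.patch` removes the `-T <n>` option and `svr_opts.maxauthtries` that this patch added, on the grounds that the change was upstreamed. The commit message should cite the upstream commit or release note and confirm that 2018.76 accepts the same `-T` flag with the same range (1 to `MAX_AUTH_TRIES`), since any init script or config option that passes `-T` would otherwise stop working after the bump.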
> diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch
> index 401c7e1ba564..6672b7633fe7 100644
> --- a/package/network/services/dropbear/patches/100-pubkey_path.patch
> +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch
> @@ -1,6 +1,6 @@
> --- a/svr-authpubkey.c
> +++ b/svr-authpubkey.c
> -@@ -220,14 +220,20 @@ static int checkpubkey(char* algo, unsig
> +@@ -320,14 +320,20 @@ static int checkpubkey(const char* algo,
> goto out;
> }
>
> @@ -29,7 +29,7 @@
>
> /* open the file as the authenticating user. */
> origuid = getuid();
> -@@ -396,26 +402,35 @@ static int checkpubkeyperms() {
> +@@ -404,26 +410,35 @@ static int checkpubkeyperms() {
> goto out;
> }
>
> @@ -42,17 +42,6 @@
> - if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
> - goto out;
> - }
> --
> -- /* check ~/.ssh */
> -- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
> -- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
> -- goto out;
> -- }
> --
> -- /* now check ~/.ssh/authorized_keys */
> -- strncat(filename, "/authorized_keys", 16);
> -- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
> -- goto out;
> + if (ses.authstate.pw_uid == 0) {
> + if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
> + goto out;
> @@ -70,13 +59,22 @@
> + if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
> + goto out;
> + }
> -+
> +
> +- /* check ~/.ssh */
> +- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
> +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
> +- goto out;
> +- }
> + /* check ~/.ssh */
> + strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
> + if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
> + goto out;
> + }
> -+
> +
> +- /* now check ~/.ssh/authorized_keys */
> +- strncat(filename, "/authorized_keys", 16);
> +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
> +- goto out;
> + /* now check ~/.ssh/authorized_keys */
> + strncat(filename, "/authorized_keys", 16);
> + if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
> diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch
> index 4b5c1cb51bb1..5f0c5a99161a 100644
> --- a/package/network/services/dropbear/patches/110-change_user.patch
> +++ b/package/network/services/dropbear/patches/110-change_user.patch
> @@ -1,6 +1,6 @@
> --- a/svr-chansession.c
> +++ b/svr-chansession.c
> -@@ -922,12 +922,12 @@ static void execchild(void *user_data) {
> +@@ -935,12 +935,12 @@ static void execchild(const void *user_d
> /* We can only change uid/gid as root ... */
> if (getuid() == 0) {
>
> diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch
> index 7f47a7430479..c00de5d8175f 100644
> --- a/package/network/services/dropbear/patches/120-openwrt_options.patch
> +++ b/package/network/services/dropbear/patches/120-openwrt_options.patch
> @@ -1,82 +1,14 @@
> ---- a/options.h
> -+++ b/options.h
> -@@ -41,7 +41,7 @@
> - * Both of these flags can be defined at once, don't compile without at least
> - * one of them. */
> - #define NON_INETD_MODE
> --#define INETD_MODE
> -+/*#define INETD_MODE*/
> -
> - /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
> - * perhaps 20% slower for pubkey operations (it is probably worth experimenting
> -@@ -81,7 +81,7 @@ much traffic. */
> -
> - /* Enable "Netcat mode" option. This will forward standard input/output
> - * to a remote TCP-forwarded connection */
> --#define ENABLE_CLI_NETCAT
> -+/*#define ENABLE_CLI_NETCAT*/
> -
> - /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
> - #define ENABLE_USER_ALGO_LIST
> -@@ -91,16 +91,16 @@ much traffic. */
> - * Including multiple keysize variants the same cipher
> - * (eg AES256 as well as AES128) will result in a minimal size increase.*/
> - #define DROPBEAR_AES128
> --#define DROPBEAR_3DES
> -+/*#define DROPBEAR_3DES*/
> - #define DROPBEAR_AES256
> - /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
> - /*#define DROPBEAR_BLOWFISH*/
> --#define DROPBEAR_TWOFISH256
> --#define DROPBEAR_TWOFISH128
> -+/*#define DROPBEAR_TWOFISH256*/
> -+/*#define DROPBEAR_TWOFISH128*/
> -
> - /* Enable CBC mode for ciphers. This has security issues though
> - * is the most compatible with older SSH implementations */
> --#define DROPBEAR_ENABLE_CBC_MODE
> -+/*#define DROPBEAR_ENABLE_CBC_MODE*/
> -
> - /* Enable "Counter Mode" for ciphers. This is more secure than normal
> - * CBC mode against certain attacks. It is recommended for security
> -@@ -131,10 +131,10 @@ If you test it please contact the Dropbe
> - * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
> - * which are not the standard form. */
> - #define DROPBEAR_SHA1_HMAC
> --#define DROPBEAR_SHA1_96_HMAC
> -+/*#define DROPBEAR_SHA1_96_HMAC*/
> - #define DROPBEAR_SHA2_256_HMAC
> --#define DROPBEAR_SHA2_512_HMAC
> --#define DROPBEAR_MD5_HMAC
> -+/*#define DROPBEAR_SHA2_512_HMAC*/
> -+/*#define DROPBEAR_MD5_HMAC*/
> -
> - /* You can also disable integrity. Don't bother disabling this if you're
> - * still using a cipher, it's relatively cheap. If you disable this it's dead
> -@@ -146,7 +146,7 @@ If you test it please contact the Dropbe
> - * Removing either of these won't save very much space.
> - * SSH2 RFC Draft requires dss, recommends rsa */
> - #define DROPBEAR_RSA
> --#define DROPBEAR_DSS
> -+/*#define DROPBEAR_DSS*/
> - /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
> - * code (either ECDSA or ECDH) increases binary size - around 30kB
> - * on x86-64 */
> -@@ -194,7 +194,7 @@ If you test it please contact the Dropbe
> -
> - /* Whether to print the message of the day (MOTD). This doesn't add much code
> - * size */
> --#define DO_MOTD
> -+/*#define DO_MOTD*/
> -
> - /* The MOTD file path */
> - #ifndef MOTD_FILENAME
> -@@ -242,7 +242,7 @@ Homedir is prepended unless path begins
> - * note that it will be provided for all "hidden" client-interactive
> - * style prompts - if you want something more sophisticated, use
> - * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
> --#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
> -+/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/
> -
> - /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
> - * a helper program for the ssh client. The helper program should be
> +--- /dev/null
> ++++ b/localoptions.h
> +@@ -0,0 +1,11 @@
> ++/* OpenWrt defined options */
> ++
> ++#define INETD_MODE 0
> ++#define ENABLE_CLI_NETCAT 0
> ++#define DROPBEAR_CLI_PROXYCMD 0
> ++#define DROPBEAR_3DES 0
> ++#define DROPBEAR_ENABLE_CBC_MODE 0
> ++#define DROPBEAR_SHA1_96_HMAC 0
> ++#define DROPBEAR_DSS 0
> ++#define DROPBEAR_USE_PASSWORD_ENV 0
> ++#define DROPBEAR_SFTPSERVER 0
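Review bot: the new `localoptions.h` no longer disables everything the old `options.h` patch commented out. The removed hunks disabled `DROPBEAR_TWOFISH256`, `DROPBEAR_TWOFISH128`, `DROPBEAR_SHA2_512_HMAC`, `DROPBEAR_MD5_HMAC` and `DO_MOTD`, none of which appear in the added file, while `DROPBEAR_CLI_PROXYCMD 0` is newly disabled without being mentioned in the commit message. Unless upstream's `default_options.h` now defaults the dropped options to 0, the build re-enables them, which widens the cipher/MAC set the server offers and is a plausible contributor to the size increase the commit message cannot explain. Suggest adding an explicit `#define DROPBEAR_TWOFISH256 0` style line for each dropped option (or stating in the commit message why each is no longer needed) and listing the PROXYCMD change.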
> diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
> index ab09c2f3dc3a..5e736320cc75 100644
> --- a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
> +++ b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
> @@ -1,6 +1,6 @@
> --- a/cli-runopts.c
> +++ b/cli-runopts.c
> -@@ -296,6 +296,8 @@ void cli_getopts(int argc, char ** argv)
> +@@ -299,6 +299,8 @@ void cli_getopts(int argc, char ** argv)
> debug_trace = 1;
> break;
> #endif
> @@ -8,4 +8,4 @@
> + break;
> case 'F':
> case 'e':
> - #ifndef ENABLE_USER_ALGO_LIST
> + #if !DROPBEAR_USER_ALGO_LIST
> diff --git a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
> index ccc2cb792598..100a42530fe6 100644
> --- a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
> +++ b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
> @@ -1,14 +1,11 @@
> ---- a/options.h
> -+++ b/options.h
> -@@ -5,6 +5,11 @@
> - #ifndef DROPBEAR_OPTIONS_H_
> - #define DROPBEAR_OPTIONS_H_
> -
> +--- a/localoptions.h
> ++++ b/localoptions.h
> +@@ -9,3 +9,8 @@
> + #define DROPBEAR_DSS 0
> + #define DROPBEAR_USE_PASSWORD_ENV 0
> + #define DROPBEAR_SFTPSERVER 0
> ++
> +#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER)
> -+#define DROPBEAR_SERVER
> -+#define DROPBEAR_CLIENT
> ++ #define DROPBEAR_SERVER 1
> ++ #define DROPBEAR_CLIENT 1
> +#endif
> -+
> - /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
> - * parts are to allow for commandline -DDROPBEAR_XXX options etc. */
> -
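Review bot: `150-dbconvert_standalone.patch` now patches the `localoptions.h` that `120-openwrt_options.patch` creates, using its last three `#define` lines as context, and `610-disable-ec-by-default.patch` in turn uses the `#if`/`#endif` block added here as context. That makes 120 -> 150 -> 610 a strict ordering and means any future change to the OpenWrt defines needs all three patches refreshed; a comment in 120 or the Makefile noting the chain would help. Separately, the guard is `!defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER)` while the rest of the file uses the new 0/1 convention; anything built with `-DDROPBEAR_SERVER=0` would count as defined here and skip the fallback, so check that this matches how dropbearconvert is actually built.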
> diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
> index 7c67b086bbac..223c94767a02 100644
> --- a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
> +++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
> @@ -1,6 +1,6 @@
> --- a/svr-auth.c
> +++ b/svr-auth.c
> -@@ -149,7 +149,7 @@ void recv_msg_userauth_request() {
> +@@ -122,7 +122,7 @@ void recv_msg_userauth_request() {
> AUTH_METHOD_NONE_LEN) == 0) {
> TRACE(("recv_msg_userauth_request: 'none' request"))
> if (valid_user
> diff --git a/package/network/services/dropbear/patches/610-disable-ec-by-default.patch b/package/network/services/dropbear/patches/610-disable-ec-by-default.patch
> new file mode 100644
> index 000000000000..6367f6ab7503
> --- /dev/null
> +++ b/package/network/services/dropbear/patches/610-disable-ec-by-default.patch
> @@ -0,0 +1,10 @@
> +--- a/localoptions.h
> ++++ b/localoptions.h
> +@@ -14,3 +14,7 @@
> + #define DROPBEAR_SERVER 1
> + #define DROPBEAR_CLIENT 1
> + #endif
> ++
> ++#define DROPBEAR_CURVE25519 0
> ++#define DROPBEAR_ECDSA 0
> ++#define DROPBEAR_ECDH 0
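Review bot: the three `#define ... 0` lines added by `610-disable-ec-by-default.patch` are placeholders that the Makefile's awk rewrites to 0 or 1 from `CONFIG_DROPBEAR_CURVE25519` and `CONFIG_DROPBEAR_ECC`, and the awk exits non-zero if any of them is missing, so this patch is load-bearing for the build rather than just a default. A short comment above the defines saying they are overwritten by the package Makefile would stop someone from editing or dropping them during a later refresh.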
> diff --git a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
> deleted file mode 100644
> index a555a9e49856..000000000000
> --- a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
> +++ /dev/null
> @@ -1,18 +0,0 @@
> ---- a/svr-runopts.c
> -+++ b/svr-runopts.c
> -@@ -505,6 +505,7 @@ void load_all_hostkeys() {
> - m_free(hostkey_file);
> - }
> -
> -+ if (svr_opts.num_hostkey_files <= 0) {
> - #ifdef DROPBEAR_RSA
> - loadhostkey(RSA_PRIV_FILENAME, 0);
> - #endif
> -@@ -516,6 +517,7 @@ void load_all_hostkeys() {
> - #ifdef DROPBEAR_ECDSA
> - loadhostkey(ECDSA_PRIV_FILENAME, 0);
> - #endif
> -+ }
> -
> - #ifdef DROPBEAR_DELAY_HOSTKEY
> - if (svr_opts.delay_hostkey) {
>
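Review bot: the deletion of `610-skip-default-keys-in-custom-runs.patch` drops the `if (svr_opts.num_hostkey_files <= 0)` guard around loading the default RSA/DSS/ECDSA host keys. As with 010, the commit message should name the upstream change so a reviewer can confirm 2018.76 skips the default key paths when custom host key files are given; if upstream still loads them, runs with custom keys would load the default key files alongside the custom ones again.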