0067-dropbear-update-to-LEDE-277f85c21ae0ede4e15e66cbd801b9fb502531df.patch 15 KB

  1. From: Matthias Schiffer <mschiffer@universe-factory.net>
  2. Date: Mon, 22 Aug 2016 19:14:52 +0200
  3. Subject: dropbear: update to LEDE 277f85c21ae0ede4e15e66cbd801b9fb502531df
  4. Includes a few security updates and enables Curve25519 support.
  5. The patches 600-allow-blank-root-password.patch and
  6. 610-skip-default-keys-in-custom-runs.patch are left out for now to avoid
  7. allowing password-less root login.
  8. diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
  9. index e2a7610..7c2edd7 100644
  10. --- a/package/network/services/dropbear/Config.in
  11. +++ b/package/network/services/dropbear/Config.in
  12. @@ -1,6 +1,15 @@
  13. menu "Configuration"
  14. depends on PACKAGE_dropbear
  15. +config DROPBEAR_CURVE25519
  16. + bool "Curve25519 support"
  17. + default y
  18. + help
  19. + This enables the following key exchange algorithm:
  20. + curve25519-sha256@libssh.org
  21. +
  22. + Increases binary size by about 13 kB uncompressed (MIPS).
  23. +
  24. config DROPBEAR_ECC
  25. bool "Elliptic curve cryptography (ECC)"
  26. default n
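Review bot: The new DROPBEAR_CURVE25519 help text does not say that the option is now independent of DROPBEAR_ECC, which is the whole reason the algorithm is removed from the ECC help list in the next hunk; a reader of Config.in alone sees two elliptic-curve options and no hint of how they relate. Add a line to the help, e.g. `Does not require DROPBEAR_ECC; only key exchange is affected, no new host key type is added.` The second half is inferred from the help naming a single key-exchange algorithm — confirm against options.h before stating it.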
  27. @@ -12,7 +21,6 @@ config DROPBEAR_ECC
  28. ecdh-sha2-nistp256
  29. ecdh-sha2-nistp384
  30. ecdh-sha2-nistp521
  31. - curve25519-sha256@libssh.org
  32. Public key algorithms:
  33. ecdsa-sha2-nistp256
  34. @@ -22,6 +30,21 @@ config DROPBEAR_ECC
  35. Does not generate ECC host keys by default (ECC key exchange will not be used,
  36. only ECC public key auth).
  37. - Increases binary size by about 36 kB (MIPS).
  38. + Increases binary size by about 23 kB (MIPS).
  39. +
  40. +config DROPBEAR_UTMP
  41. + bool "Utmp support"
  42. + default n
  43. + depends on BUSYBOX_CONFIG_FEATURE_UTMP
  44. + help
  45. + This enables dropbear utmp support, the file /var/run/utmp is used to
  46. + track who is currently logged in.
  47. +
  48. +config DROPBEAR_PUTUTLINE
  49. + bool "Pututline support"
  50. + default n
  51. + depends on DROPBEAR_UTMP
  52. + help
  53. + Dropbear will use pututline() to write the utmp structure into the utmp file.
  54. endmenu
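Review bot: The DROPBEAR_UTMP help says utmp is used to track who is currently logged in, but the Makefile in this same commit keeps `--disable-wtmp`, `--disable-wtmpx` and `--disable-lastlog`, so enabling the option gives a live session list only and no login history. That limitation is worth stating so nobody reaches for utmp during incident response expecting past logins; the persistent record stays syslog (`--enable-syslog`). Suggested addition to the help: `Only current sessions are recorded; wtmp/lastlog history stays disabled, use syslog for a persistent login log.`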
  55. diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
  56. index 35958d3..36bcb4a 100644
  57. --- a/package/network/services/dropbear/Makefile
  58. +++ b/package/network/services/dropbear/Makefile
  59. @@ -1,5 +1,5 @@
  60. #
  61. -# Copyright (C) 2006-2014 OpenWrt.org
  62. +# Copyright (C) 2006-2016 OpenWrt.org
  63. #
  64. # This is free software, licensed under the GNU General Public License v2.
  65. # See /LICENSE for more information.
  66. @@ -8,14 +8,14 @@
  67. include $(TOPDIR)/rules.mk
  68. PKG_NAME:=dropbear
  69. -PKG_VERSION:=2015.67
  70. +PKG_VERSION:=2016.74
  71. PKG_RELEASE:=1
  72. PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
  73. PKG_SOURCE_URL:= \
  74. http://matt.ucc.asn.au/dropbear/releases/ \
  75. https://dropbear.nl/mirror/releases/
  76. -PKG_MD5SUM:=e967e320344cd4bfebe321e3ab8514d6
  77. +PKG_MD5SUM:=9ad0172731e0f16623937804643b5bd8
  78. PKG_LICENSE:=MIT
  79. PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
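Review bot: PKG_MD5SUM is the only integrity check on the new tarball and the first PKG_SOURCE_URL is plain http, so the download of an SSH server is protected by a hash that is no longer collision resistant and a mirror order that tries the unauthenticated source first. If the build system in this tree supports a SHA-256 field (later OpenWrt/LEDE trees use `PKG_HASH`), prefer `PKG_HASH:=<sha256 of dropbear-2016.74.tar.bz2>` and list the https mirror first. I cannot tell from this hunk which hash fields this tree's package.mk accepts, so confirm before changing.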
  80. @@ -23,10 +23,14 @@ PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
  81. PKG_BUILD_PARALLEL:=1
  82. PKG_USE_MIPS16:=0
  83. -PKG_CONFIG_DEPENDS:=CONFIG_DROPBEAR_ECC
  84. +PKG_CONFIG_DEPENDS:=CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_CURVE25519
  85. include $(INCLUDE_DIR)/package.mk
  86. +ifneq ($(DUMP),1)
  87. + STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) echo $(CONFIG_TARGET_INIT_PATH) | md5s)
  88. +endif
  89. +
  90. define Package/dropbear/Default
  91. URL:=http://matt.ucc.asn.au/dropbear/
  92. endef
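Review bot: The new PKG_CONFIG_DEPENDS line lists CONFIG_TARGET_INIT_PATH, CONFIG_DROPBEAR_ECC and CONFIG_DROPBEAR_CURVE25519 but not CONFIG_DROPBEAR_UTMP or CONFIG_DROPBEAR_PUTUTLINE, although both are consumed in CONFIGURE_ARGS later in this commit; toggling either in menuconfig will not reconfigure an already built tree. Change it to `PKG_CONFIG_DEPENDS:=CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE`. The STAMP_CONFIGURED line hashing the init path is reasonable, but a one-line comment saying why (`# DEFAULT_PATH is baked in at configure time`) would help the next maintainer understand the md5s.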
  93. @@ -48,7 +52,6 @@ endef
  94. define Package/dropbear/conffiles
  95. /etc/dropbear/dropbear_rsa_host_key
  96. -/etc/dropbear/dropbear_dss_host_key
  97. /etc/config/dropbear
  98. endef
  99. @@ -65,25 +68,35 @@ CONFIGURE_ARGS += \
  100. --enable-syslog \
  101. $(if $(CONFIG_SHADOW_PASSWORDS),,--disable-shadow) \
  102. --disable-lastlog \
  103. - --disable-utmp \
  104. --disable-utmpx \
  105. + $(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp) \
  106. --disable-wtmp \
  107. --disable-wtmpx \
  108. --disable-loginfunc \
  109. - --disable-pututline \
  110. + $(if $(CONFIG_DROPBEAR_PUTUTLINE),,--disable-pututline) \
  111. --disable-pututxline \
  112. --disable-zlib \
  113. --enable-bundled-libtom
  114. -TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections
  115. +TARGET_CFLAGS += -DDEFAULT_PATH=\\\"$(CONFIG_TARGET_INIT_PATH)\\\" -DARGTYPE=3 -ffunction-sections -fdata-sections
  116. TARGET_LDFLAGS += -Wl,--gc-sections
  117. define Build/Configure
  118. $(Build/Configure/Default)
  119. + $(SED) 's,^#define DEFAULT_PATH .*$$$$,#define DEFAULT_PATH "$(CONFIG_TARGET_INIT_PATH)",g' \
  120. + $(PKG_BUILD_DIR)/options.h
  121. +
  122. + awk 'BEGIN { rc = 1 } \
  123. + /'DROPBEAR_CURVE25519'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_CURVE25519),,// )#define 'DROPBEAR_CURVE25519'"; rc = 0 } \
  124. + { print } \
  125. + END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \
  126. + >$(PKG_BUILD_DIR)/options.h.new && \
  127. + mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h
  128. +
  129. # Enforce that all replacements are made, otherwise options.h has changed
  130. # format and this logic is broken.
  131. - for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH DROPBEAR_CURVE25519; do \
  132. + for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \
  133. awk 'BEGIN { rc = 1 } \
  134. /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// )#define '$$$$OPTION'"; rc = 0 } \
  135. { print } \
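Review bot: The new sed at the top of Build/Configure substitutes `$(CONFIG_TARGET_INIT_PATH)` into options.h unescaped with `,` as the delimiter, so a value containing `,`, `&` or `\` silently corrupts the header and an empty value defines an empty DEFAULT_PATH. The same value is already passed as `-DDEFAULT_PATH` in TARGET_CFLAGS and 500-set-default-path.patch now guards the header definition with `#ifndef DEFAULT_PATH`, so the sed appears redundant; dropping it, or at least wrapping it in `$(if $(CONFIG_TARGET_INIT_PATH),…)`, would be simpler and safer. The curve25519 awk block duplicates the ECDSA/ECDH loop body below it with only the config variable changed, and a short comment that the pattern matches any options.h line mentioning the macro, not just the `#define`, would record the assumption the `rc` check relies on. Build/Configure continues past the end of this hunk.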
  136. @@ -91,6 +104,9 @@ define Build/Configure
  137. >$(PKG_BUILD_DIR)/options.h.new && \
  138. mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h || exit 1; \
  139. done
  140. +
  141. + # Enforce rebuild of svr-chansession.c
  142. + rm -f $(PKG_BUILD_DIR)/svr-chansession.o
  143. endef
  144. define Build/Compile
  145. @@ -118,7 +134,6 @@ define Package/dropbear/install
  146. $(INSTALL_DIR) $(1)/usr/lib/opkg/info
  147. $(INSTALL_DIR) $(1)/etc/dropbear
  148. touch $(1)/etc/dropbear/dropbear_rsa_host_key
  149. - touch $(1)/etc/dropbear/dropbear_dss_host_key
  150. endef
  151. define Package/dropbearconvert/install
  152. diff --git a/package/network/services/dropbear/files/dropbear.init b/package/network/services/dropbear/files/dropbear.init
  153. index 6de0142..1653efb 100755
  154. --- a/package/network/services/dropbear/files/dropbear.init
  155. +++ b/package/network/services/dropbear/files/dropbear.init
  156. @@ -37,7 +37,6 @@ validate_section_dropbear()
  157. 'RootPasswordAuth:bool:1' \
  158. 'RootLogin:bool:1' \
  159. 'rsakeyfile:file' \
  160. - 'dsskeyfile:file' \
  161. 'BannerFile:file' \
  162. 'Port:list(port):22' \
  163. 'SSHKeepAlive:uinteger:300' \
  164. @@ -49,7 +48,7 @@ dropbear_instance()
  165. {
  166. local PasswordAuth enable Interface GatewayPorts \
  167. RootPasswordAuth RootLogin rsakeyfile \
  168. - dsskeyfile BannerFile Port SSHKeepAlive IdleTimeout \
  169. + BannerFile Port SSHKeepAlive IdleTimeout \
  170. mdns ipaddrs
  171. validate_section_dropbear "${1}" || {
  172. @@ -75,18 +74,18 @@ dropbear_instance()
  173. [ "${RootPasswordAuth}" -eq 0 ] && procd_append_param command -g
  174. [ "${RootLogin}" -eq 0 ] && procd_append_param command -w
  175. [ -n "${rsakeyfile}" ] && procd_append_param command -r "${rsakeyfile}"
  176. - [ -n "${dsskeyfile}" ] && procd_append_param command -d "${dsskeyfile}"
  177. [ -n "${BannerFile}" ] && procd_append_param command -b "${BannerFile}"
  178. append_ports "${ipaddrs}" "${Port}"
  179. [ "${IdleTimeout}" -ne 0 ] && procd_append_param command -I "${IdleTimeout}"
  180. [ "${SSHKeepAlive}" -ne 0 ] && procd_append_param command -K "${SSHKeepAlive}"
  181. [ "${mdns}" -ne 0 ] && procd_add_mdns "ssh" "tcp" "$Port" "daemon=dropbear"
  182. + procd_set_param respawn
  183. procd_close_instance
  184. }
  185. keygen()
  186. {
  187. - for keytype in rsa dss; do
  188. + for keytype in rsa; do
  189. # check for keys
  190. key=dropbear/dropbear_${keytype}_host_key
  191. [ -f /tmp/$key -o -s /etc/$key ] || {
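Review bot: keygen now generates only an RSA host key without saying why, and nothing in the init script mentions a pre-existing /etc/dropbear/dropbear_dss_host_key on routers upgraded in place, where that file now sits unused while still holding private key material. A one-line comment at the loop would save the next reader a trip to the patches directory, e.g. `# rsa only: DROPBEAR_DSS is compiled out (120-openwrt_options.patch); ECC host keys are not generated here`. Whether leftover DSS keys should be removed on upgrade is a policy call; I only note the file is no longer listed in conffiles. keygen's body continues beyond this hunk.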
  192. @@ -107,10 +106,15 @@ keygen()
  193. chmod 0700 /etc/dropbear
  194. }
  195. +load_interfaces()
  196. +{
  197. + config_get interface "$1" Interface
  198. + interfaces=" ${interface} ${interfaces}"
  199. +}
  200. +
  201. start_service()
  202. {
  203. - [ -s /etc/dropbear/dropbear_rsa_host_key -a \
  204. - -s /etc/dropbear/dropbear_dss_host_key ] || keygen
  205. + [ -s /etc/dropbear/dropbear_rsa_host_key ] || keygen
  206. . /lib/functions.sh
  207. . /lib/functions/network.sh
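Review bot: load_interfaces assigns `interface` without declaring it local, so every call leaks the last Interface value into the caller's scope; `interfaces` only works because service_triggers declares it local in the next hunk. Add `local interface` as the first line of the function. A brief comment on the function, e.g. `# config_foreach callback: collect the Interface of every dropbear section into $interfaces`, would also make the accumulator-through-dynamic-scope pattern explicit.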
  208. @@ -121,7 +125,19 @@ start_service()
  209. service_triggers()
  210. {
  211. - procd_add_reload_trigger "dropbear"
  212. + local interfaces
  213. +
  214. + procd_add_config_trigger "config.change" "dropbear" /etc/init.d/dropbear reload
  215. +
  216. + config_load "${NAME}"
  217. + config_foreach load_interfaces dropbear
  218. +
  219. + [ -n "${interfaces}" ] & {
  220. + for n in $interfaces ; do
  221. + procd_add_interface_trigger "interface.*" $n /etc/init.d/dropbear reload
  222. + done
  223. + }
  224. +
  225. procd_add_validation validate_section_dropbear
  226. }
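Review bot: The line `[ -n "${interfaces}" ] & {` uses a single `&`, which backgrounds the test and runs the block unconditionally instead of guarding it; the loop is harmless on an empty list, but the stray background job and the misleading intent should be fixed with `[ -n "${interfaces}" ] && {`. Inside the loop `$n` is unquoted in the procd_add_interface_trigger call; since Interface is a UCI value it should be passed as `"$n"`. If several dropbear sections name the same interface, `$interfaces` will contain it more than once and register duplicate reload triggers — presumably harmless, but worth a comment or a dedup.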
  227. diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch
  228. index 456874b..41fdc1a 100644
  229. --- a/package/network/services/dropbear/patches/100-pubkey_path.patch
  230. +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch
  231. @@ -1,6 +1,6 @@
  232. --- a/svr-authpubkey.c
  233. +++ b/svr-authpubkey.c
  234. -@@ -208,17 +208,21 @@ static int checkpubkey(unsigned char* al
  235. +@@ -218,17 +218,21 @@ static int checkpubkey(char* algo, unsig
  236. goto out;
  237. }
  238. @@ -33,7 +33,7 @@
  239. if (authfile == NULL) {
  240. goto out;
  241. }
  242. -@@ -371,26 +375,35 @@ static int checkpubkeyperms() {
  243. +@@ -381,26 +385,35 @@ static int checkpubkeyperms() {
  244. goto out;
  245. }
  246. diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch
  247. index 7982af6..4b5c1cb 100644
  248. --- a/package/network/services/dropbear/patches/110-change_user.patch
  249. +++ b/package/network/services/dropbear/patches/110-change_user.patch
  250. @@ -1,6 +1,6 @@
  251. --- a/svr-chansession.c
  252. +++ b/svr-chansession.c
  253. -@@ -920,12 +920,12 @@ static void execchild(void *user_data) {
  254. +@@ -922,12 +922,12 @@ static void execchild(void *user_data) {
  255. /* We can only change uid/gid as root ... */
  256. if (getuid() == 0) {
  257. diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch
  258. index 48dae73..f16aaf0 100644
  259. --- a/package/network/services/dropbear/patches/120-openwrt_options.patch
  260. +++ b/package/network/services/dropbear/patches/120-openwrt_options.patch
  261. @@ -18,7 +18,28 @@
  262. /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
  263. #define ENABLE_USER_ALGO_LIST
  264. -@@ -126,9 +126,9 @@ much traffic. */
  265. +@@ -91,16 +91,16 @@ much traffic. */
  266. + * Including multiple keysize variants the same cipher
  267. + * (eg AES256 as well as AES128) will result in a minimal size increase.*/
  268. + #define DROPBEAR_AES128
  269. +-#define DROPBEAR_3DES
  270. ++/*#define DROPBEAR_3DES*/
  271. + #define DROPBEAR_AES256
  272. + /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
  273. + /*#define DROPBEAR_BLOWFISH*/
  274. +-#define DROPBEAR_TWOFISH256
  275. +-#define DROPBEAR_TWOFISH128
  276. ++/*#define DROPBEAR_TWOFISH256*/
  277. ++/*#define DROPBEAR_TWOFISH128*/
  278. +
  279. + /* Enable CBC mode for ciphers. This has security issues though
  280. + * is the most compatible with older SSH implementations */
  281. +-#define DROPBEAR_ENABLE_CBC_MODE
  282. ++/*#define DROPBEAR_ENABLE_CBC_MODE*/
  283. +
  284. + /* Enable "Counter Mode" for ciphers. This is more secure than normal
  285. + * CBC mode against certain attacks. It is recommended for security
  286. +@@ -131,9 +131,9 @@ If you test it please contact the Dropbe
  287. * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
  288. * which are not the standard form. */
  289. #define DROPBEAR_SHA1_HMAC
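Review bot: Commenting out DROPBEAR_ENABLE_CBC_MODE together with 3DES and Twofish removes every CBC cipher from the offer, which is the right direction, but it is a negotiation-breaking change for clients that only speak aes-cbc or 3des-cbc, and neither the commit message nor the patch records it. Add a comment above the disabled define in the patched header, e.g. `/* OpenWrt: CBC disabled, only *-ctr ciphers are offered; CBC-only legacy clients will fail key exchange */`, and mention the compatibility cut in the commit message. This assumes the Counter Mode define that follows stays enabled; the hunk ends before it, so verify.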
  290. @@ -31,7 +52,16 @@
  291. #define DROPBEAR_MD5_HMAC
  292. /* You can also disable integrity. Don't bother disabling this if you're
  293. -@@ -184,7 +184,7 @@ much traffic. */
  294. +@@ -146,7 +146,7 @@ If you test it please contact the Dropbe
  295. + * Removing either of these won't save very much space.
  296. + * SSH2 RFC Draft requires dss, recommends rsa */
  297. + #define DROPBEAR_RSA
  298. +-#define DROPBEAR_DSS
  299. ++/*#define DROPBEAR_DSS*/
  300. + /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
  301. + * code (either ECDSA or ECDH) increases binary size - around 30kB
  302. + * on x86-64 */
  303. +@@ -194,7 +194,7 @@ If you test it please contact the Dropbe
  304. /* Whether to print the message of the day (MOTD). This doesn't add much code
  305. * size */
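Review bot: Compiling out DROPBEAR_DSS drops ssh-dss for user public-key authentication as well as for the host key, so any `ssh-dss` entries in authorized_keys on upgraded routers stop working silently; nothing in this commit or its message warns about that. Add a short note above the disabled define in the patched header, e.g. `/* OpenWrt: DSS disabled - ssh-dss host and user keys are no longer accepted */`, and mention the user-key impact in the commit message. The effect on user keys is inferred from the define being a single switch for the algorithm; confirm against svr-authpubkey.c before relying on it.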
  306. @@ -40,7 +70,7 @@
  307. /* The MOTD file path */
  308. #ifndef MOTD_FILENAME
  309. -@@ -226,7 +226,7 @@ much traffic. */
  310. +@@ -242,7 +242,7 @@ Homedir is prepended unless path begins
  311. * note that it will be provided for all "hidden" client-interactive
  312. * style prompts - if you want something more sophisticated, use
  313. * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
  314. diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch
  315. deleted file mode 100644
  316. index edb2909..0000000
  317. --- a/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch
  318. +++ /dev/null
  319. @@ -1,21 +0,0 @@
  320. ---- a/cli-runopts.c
  321. -+++ b/cli-runopts.c
  322. -@@ -315,6 +315,10 @@ void cli_getopts(int argc, char ** argv)
  323. - debug_trace = 1;
  324. - break;
  325. - #endif
  326. -+ case 'o':
  327. -+ next = &dummy;
  328. -+ case 'x':
  329. -+ break;
  330. - case 'F':
  331. - case 'e':
  332. - #ifndef ENABLE_USER_ALGO_LIST
  333. -@@ -332,7 +336,6 @@ void cli_getopts(int argc, char ** argv)
  334. - print_version();
  335. - exit(EXIT_SUCCESS);
  336. - break;
  337. -- case 'o':
  338. - case 'b':
  339. - next = &dummy;
  340. - default:
  341. diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
  342. new file mode 100644
  343. index 0000000..ab09c2f
  344. --- /dev/null
  345. +++ b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
  346. @@ -0,0 +1,11 @@
  347. +--- a/cli-runopts.c
  348. ++++ b/cli-runopts.c
  349. +@@ -296,6 +296,8 @@ void cli_getopts(int argc, char ** argv)
  350. + debug_trace = 1;
  351. + break;
  352. + #endif
  353. ++ case 'x':
  354. ++ break;
  355. + case 'F':
  356. + case 'e':
  357. + #ifndef ENABLE_USER_ALGO_LIST
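Review bot: The replacement patch only swallows `-x` and drops the previous `-o` handling without a note saying why; presumably the new dropbear release accepts and ignores `-o` on its own, but the patch file gives a reader no way to tell. A header comment in the patch, e.g. `# ssh-compat: -x is swallowed here; -o is handled by upstream cli-runopts.c now (verify on each update)`, would record that. The explicit `break` under `case 'x':` is correct and should stay, so a future edit does not fall through into the `-F`/`-e` handling directly below it.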
  358. diff --git a/package/network/services/dropbear/patches/140-disable_assert.patch b/package/network/services/dropbear/patches/140-disable_assert.patch
  359. index 0717228..78b54ac 100644
  360. --- a/package/network/services/dropbear/patches/140-disable_assert.patch
  361. +++ b/package/network/services/dropbear/patches/140-disable_assert.patch
  362. @@ -1,6 +1,6 @@
  363. --- a/dbutil.h
  364. +++ b/dbutil.h
  365. -@@ -101,7 +101,11 @@ int m_str_to_uint(const char* str, unsig
  366. +@@ -78,7 +78,11 @@ int m_str_to_uint(const char* str, unsig
  367. #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  368. /* Dropbear assertion */
  369. diff --git a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
  370. index 367dc2c..ccc2cb7 100644
  371. --- a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
  372. +++ b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
  373. @@ -1,8 +1,8 @@
  374. --- a/options.h
  375. +++ b/options.h
  376. @@ -5,6 +5,11 @@
  377. - #ifndef _OPTIONS_H_
  378. - #define _OPTIONS_H_
  379. + #ifndef DROPBEAR_OPTIONS_H_
  380. + #define DROPBEAR_OPTIONS_H_
  381. +#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER)
  382. +#define DROPBEAR_SERVER
  383. diff --git a/package/network/services/dropbear/patches/500-set-default-path.patch b/package/network/services/dropbear/patches/500-set-default-path.patch
  384. index e2add94..da6b9ae 100644
  385. --- a/package/network/services/dropbear/patches/500-set-default-path.patch
  386. +++ b/package/network/services/dropbear/patches/500-set-default-path.patch
  387. @@ -1,11 +1,12 @@
  388. --- a/options.h
  389. +++ b/options.h
  390. -@@ -336,7 +336,7 @@ be overridden at runtime with -I. 0 disa
  391. +@@ -352,7 +352,9 @@ be overridden at runtime with -I. 0 disa
  392. #define DEFAULT_IDLE_TIMEOUT 0
  393. /* The default path. This will often get replaced by the shell */
  394. --#define DEFAULT_PATH "/usr/bin:/bin"
  395. -+#define DEFAULT_PATH "/bin:/sbin:/usr/bin:/usr/sbin"
  396. ++#ifndef DEFAULT_PATH
  397. + #define DEFAULT_PATH "/usr/bin:/bin"
  398. ++#endif
  399. /* Some other defines (that mostly should be left alone) are defined
  400. * in sysoptions.h */
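Review bot: Wrapping DEFAULT_PATH in `#ifndef` changes the fallback: a build that does not pass `-DDEFAULT_PATH` now gets upstream's `/usr/bin:/bin` instead of the former `/bin:/sbin:/usr/bin:/usr/sbin`, which on OpenWrt leaves /sbin and /usr/sbin out of the login shell's PATH. Keeping the old OpenWrt value inside the guard, `#define DEFAULT_PATH "/bin:/sbin:/usr/bin:/usr/sbin"`, preserves behavior when CONFIG_TARGET_INIT_PATH is unset. The Makefile hunk normally supplies the value via -D, but an empty CONFIG_TARGET_INIT_PATH would define an empty PATH rather than fall back, so the guard alone is not a complete safety net.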