include $(TOPDIR)/rules.mk
PKG_NAME:=dropbear
-PKG_VERSION:=2022.82
-PKG_RELEASE:=5
+PKG_VERSION:=2022.83
+PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:= \
https://matt.ucc.asn.au/dropbear/releases/ \
https://dropbear.nl/mirror/releases/
-PKG_HASH:=3a038d2bbc02bf28bbdd20c012091f741a3ec5cbe460691811d714876aad75d1
+PKG_HASH:=bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b
PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
DEFAULT_PATH|"$(TARGET_INIT_PATH)" \
!!LOCAL_IDENT|"SSH-2.0-dropbear" \
DROPBEAR_CLI_NETCAT|0 \
+ !!DROPBEAR_DSS|0 \
DROPBEAR_DSS|0 \
DO_MOTD|0 \
define Build/Compile
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
$(TARGET_CONFIGURE_OPTS) \
+ IGNORE_SPEED=1 \
PROGRAMS="dropbear $(if $(CONFIG_DROPBEAR_DBCLIENT),dbclient,) dropbearkey $(if $(CONFIG_DROPBEAR_SCP),scp,)" \
MULTI=1 SCPPROGRESS=1
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
$(TARGET_CONFIGURE_OPTS) \
+ IGNORE_SPEED=1 \
PROGRAMS="dropbearconvert"
endef
+++ /dev/null
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Wed, 8 Jun 2022 21:26:20 +0800
-Subject: Fix MAX_UNAUTH_CLIENTS regression
-
-Since re-exec change in 2022.82 Dropbear count
-treat authenticated sessions towards the unauthenticated
-session limit. This is fixed by passing the childpipe FD
-through to the re-execed process.
----
- runopts.h | 5 +++--
- svr-main.c | 21 +++++++++++----------
- svr-runopts.c | 15 ++++++++++++---
- 3 files changed, 26 insertions(+), 15 deletions(-)
-
---- a/runopts.h
-+++ b/runopts.h
-@@ -79,8 +79,9 @@ typedef struct svr_runopts {
- char *addresses[DROPBEAR_MAX_PORTS];
-
- int inetdmode;
-- /* Hidden "-2" flag indicates it's re-executing itself */
-- int reexec_child;
-+ /* Hidden "-2 childpipe_fd" flag indicates it's re-executing itself,
-+ stores the childpipe preauth file descriptor. Set to -1 otherwise. */
-+ int reexec_childpipe;
-
- /* Flags indicating whether to use ipv4 and ipv6 */
- /* not used yet
---- a/svr-main.c
-+++ b/svr-main.c
-@@ -71,7 +71,7 @@ int main(int argc, char ** argv)
- #endif
-
- #if DROPBEAR_DO_REEXEC
-- if (svr_opts.reexec_child) {
-+ if (svr_opts.reexec_childpipe >= 0) {
- #ifdef PR_SET_NAME
- /* Fix the "Name:" in /proc/pid/status, otherwise it's
- a FD number from fexecve.
-@@ -102,7 +102,7 @@ static void main_inetd() {
-
- seedrandom();
-
-- if (!svr_opts.reexec_child) {
-+ if (svr_opts.reexec_childpipe < 0) {
- /* In case our inetd was lax in logging source addresses */
- get_socket_address(0, NULL, NULL, &host, &port, 0);
- dropbear_log(LOG_INFO, "Child connection from %s:%s", host, port);
-@@ -115,10 +115,8 @@ static void main_inetd() {
- setsid();
- }
-
-- /* Start service program
-- * -1 is a dummy childpipe, just something we can close() without
-- * mattering. */
-- svr_session(0, -1);
-+ /* -1 for childpipe in the inetd case is discarded */
-+ svr_session(0, svr_opts.reexec_childpipe);
-
- /* notreached */
- }
-@@ -347,9 +345,10 @@ static void main_noinetd(int argc, char
-
- if (execfd >= 0) {
- #if DROPBEAR_DO_REEXEC
-- /* Add "-2" to the args and re-execute ourself. */
-- char **new_argv = m_malloc(sizeof(char*) * (argc+3));
-- int pos0 = 0, new_argc = argc+1;
-+ /* Add "-2 childpipe[1]" to the args and re-execute ourself. */
-+ char **new_argv = m_malloc(sizeof(char*) * (argc+4));
-+ char buf[10];
-+ int pos0 = 0, new_argc = argc+2;
-
- /* We need to specially handle "dropbearmulti dropbear". */
- if (multipath) {
-@@ -359,7 +358,9 @@ static void main_noinetd(int argc, char
- }
-
- memcpy(&new_argv[pos0], argv, sizeof(char*) * argc);
-- new_argv[new_argc-1] = "-2";
-+ new_argv[new_argc-2] = "-2";
-+ snprintf(buf, sizeof(buf), "%d", childpipe[1]);
-+ new_argv[new_argc-1] = buf;
- new_argv[new_argc] = NULL;
-
- if ((dup2(childsock, STDIN_FILENO) < 0)) {
---- a/svr-runopts.c
-+++ b/svr-runopts.c
-@@ -138,6 +138,7 @@ void svr_getopts(int argc, char ** argv)
- char* keepalive_arg = NULL;
- char* idle_timeout_arg = NULL;
- char* maxauthtries_arg = NULL;
-+ char* reexec_fd_arg = NULL;
- char* keyfile = NULL;
- char c;
- #if DROPBEAR_PLUGIN
-@@ -175,6 +176,7 @@ void svr_getopts(int argc, char ** argv)
- svr_opts.pubkey_plugin_options = NULL;
- #endif
- svr_opts.pass_on_env = 0;
-+ svr_opts.reexec_childpipe = -1;
-
- #ifndef DISABLE_ZLIB
- opts.compress_mode = DROPBEAR_COMPRESS_DELAYED;
-@@ -250,12 +252,12 @@ void svr_getopts(int argc, char ** argv)
- #if DROPBEAR_DO_REEXEC && NON_INETD_MODE
- /* For internal use by re-exec */
- case '2':
-- svr_opts.reexec_child = 1;
-+ next = &reexec_fd_arg;
- break;
- #endif
- case 'p':
-- nextisport = 1;
-- break;
-+ nextisport = 1;
-+ break;
- case 'P':
- next = &svr_opts.pidfile;
- break;
-@@ -426,6 +428,13 @@ void svr_getopts(int argc, char ** argv)
- dropbear_log(LOG_INFO, "Forced command set to '%s'", svr_opts.forced_command);
- }
-
-+ if (reexec_fd_arg) {
-+ if (m_str_to_uint(reexec_fd_arg, &svr_opts.reexec_childpipe) == DROPBEAR_FAILURE
-+ || svr_opts.reexec_childpipe < 0) {
-+ dropbear_exit("Bad -2");
-+ }
-+ }
-+
- #if INETD_MODE
- if (svr_opts.inetdmode && (
- opts.usingsyslog == 0
--- a/svr-authpubkey.c
+++ b/svr-authpubkey.c
-@@ -77,6 +77,13 @@ static void send_msg_userauth_pk_ok(cons
+@@ -78,6 +78,13 @@ static void send_msg_userauth_pk_ok(cons
const unsigned char* keyblob, unsigned int keybloblen);
static int checkfileperm(char * filename);
/* process a pubkey auth request, sending success or failure message as
* appropriate */
void svr_auth_pubkey(int valid_user) {
-@@ -439,14 +446,21 @@ static int checkpubkey(const char* keyal
+@@ -462,14 +469,21 @@ static int checkpubkey(const char* keyal
if (checkpubkeyperms() == DROPBEAR_FAILURE) {
TRACE(("bad authorized_keys permissions, or file doesn't exist"))
} else {
authfile = fopen(filename, "r");
if (!authfile) {
-@@ -520,27 +534,41 @@ static int checkpubkeyperms() {
+@@ -543,27 +557,41 @@ static int checkpubkeyperms() {
goto out;
}
--- a/cli-runopts.c
+++ b/cli-runopts.c
-@@ -325,6 +325,10 @@ void cli_getopts(int argc, char ** argv)
- case 'b':
- next = &bind_arg;
+@@ -329,6 +329,10 @@ void cli_getopts(int argc, char ** argv)
+ case 'z':
+ opts.disable_ip_tos = 1;
break;
+ case 'x':
+ /* compatibility with openssh cli
--- a/configure.ac
+++ b/configure.ac
-@@ -74,53 +74,6 @@ AC_ARG_ENABLE(harden,
+@@ -87,54 +87,6 @@ AC_ARG_ENABLE(harden,
if test "$hardenbuild" -eq 1; then
AC_MSG_NOTICE(Checking for available hardened build flags:)
-
- OLDLDFLAGS="$LDFLAGS"
- TESTFLAGS="-Wl,-pie"
-- LDFLAGS="$LDFLAGS $TESTFLAGS"
-- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
-- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- LDFLAGS="$TESTFLAGS $LDFLAGS"
+- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
- [
- LDFLAGS="$OLDLDFLAGS"
- TESTFLAGS="-pie"
-- LDFLAGS="$LDFLAGS $TESTFLAGS"
-- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
-- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- LDFLAGS="$TESTFLAGS $LDFLAGS"
+- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
- )
- ]
- # readonly elf relocation sections (relro)
- OLDLDFLAGS="$LDFLAGS"
- TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
-- LDFLAGS="$LDFLAGS $TESTFLAGS"
-- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
-- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- LDFLAGS="$TESTFLAGS $LDFLAGS"
+- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
- )
- fi # non-static
- # stack protector. -strong is good but only in gcc 4.9 or later
- OLDCFLAGS="$CFLAGS"
- TESTFLAGS="-fstack-protector-strong"
-- CFLAGS="$CFLAGS $TESTFLAGS"
-- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
-- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- CFLAGS="$TESTFLAGS $CFLAGS"
+- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
- [
- CFLAGS="$OLDCFLAGS"
- TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
-- CFLAGS="$CFLAGS $TESTFLAGS"
-- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
-- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+- CFLAGS="$TESTFLAGS $CFLAGS"
+- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
- )
- ]
- )
- # FORTIFY_SOURCE
- DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2])
-
+-
# Spectre v2 mitigations
DB_TRYADDCFLAGS([-mfunction-return=thunk])
+ DB_TRYADDCFLAGS([-mindirect-branch=thunk])
---- a/libtomcrypt/makefile_include.mk
-+++ b/libtomcrypt/makefile_include.mk
-@@ -94,6 +94,13 @@ endif
+--- a/configure.ac
++++ b/configure.ac
+@@ -45,11 +45,8 @@ fi
+ # LTM_CFLAGS is given to ./configure by the user,
+ # DROPBEAR_LTM_CFLAGS is substituted in the LTM Makefile.in
+ DROPBEAR_LTM_CFLAGS="$LTM_CFLAGS"
+-if test -z "$DROPBEAR_LTM_CFLAGS"; then
+- DROPBEAR_LTM_CFLAGS="-O3 -funroll-loops -fomit-frame-pointer"
+-fi
+-AC_MSG_NOTICE(Setting LTM_CFLAGS to $DROPBEAR_LTM_CFLAGS)
+-AC_ARG_VAR(LTM_CFLAGS, CFLAGS for bundled libtommath. Default -O3 -funroll-loops -fomit-frame-pointer)
++AC_MSG_NOTICE(Setting LTM_CFLAGS to '$DROPBEAR_LTM_CFLAGS')
++AC_ARG_VAR(LTM_CFLAGS, CFLAGS for bundled libtommath. Defaults to empty string)
+ AC_SUBST(DROPBEAR_LTM_CFLAGS)
- LTC_CFLAGS += -Wno-type-limits
+ AC_MSG_NOTICE([Checking if compiler '$CC' supports -Wno-pointer-sign])
+--- a/libtomcrypt/src/headers/tomcrypt_dropbear.h
++++ b/libtomcrypt/src/headers/tomcrypt_dropbear.h
+@@ -7,8 +7,10 @@
-+ifdef OPENWRT_BUILD
-+ ifeq (-Os,$(filter -Os,$(CFLAGS)))
-+ LTC_CFLAGS += -DLTC_SMALL_CODE
-+ endif
-+else
-+ ### ! OPENWRT_BUILD
-+
- ifdef LTC_DEBUG
- $(info Debug build)
- # compile for DEBUGGING (required for ccmalloc checking!!!)
-@@ -121,6 +128,9 @@ endif
- endif # COMPILE_SMALL
- endif # COMPILE_DEBUG
+ /* Use small code where possible */
+ #if DROPBEAR_SMALL_CODE
++#ifndef LTC_SMALL_CODE
+ #define LTC_SMALL_CODE
+ #endif
++#endif
-+ ### ! OPENWRT_BUILD
-+endif
-+
-
- ifneq ($(findstring clang,$(CC)),)
- LTC_CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header -Wno-missing-field-initializers
---- a/libtommath/makefile_include.mk
-+++ b/libtommath/makefile_include.mk
-@@ -70,6 +70,9 @@ else
- LTM_CFLAGS += -Wsystem-headers
- endif
-
-+ifndef OPENWRT_BUILD
-+ ### ! OPENWRT_BUILD
-+
- ifdef COMPILE_DEBUG
- #debug
- LTM_CFLAGS += -g3
-@@ -90,6 +93,9 @@ endif
-
- endif # COMPILE_SIZE
-
-+ ### ! OPENWRT_BUILD
-+endif
-+
- ifneq ($(findstring clang,$(CC)),)
- LTM_CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header
- endif
+ /* Fewer entries needed */
+ #define TAB_SIZE 5
projects / openwrt / openwrt.git / commitdiff