dropbear: bump to 2022.82
authorKonstantin Demin <rockdrilla@gmail.com>
Thu, 7 Apr 2022 08:33:08 +0000 (11:33 +0300)
committerDaniel Golle <daniel@makrotopia.org>
Sun, 10 Apr 2022 15:26:01 +0000 (16:26 +0100)
- update dropbear to latest stable 2022.82;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- use $(AUTORELEASE) in PKG_RELEASE
- use https for all uris
- refresh all patches
- rewrite patches:
  - 100-pubkey_path.patch
  - 130-ssh_ignore_x_args.patch

binary/pkg size changes:
- ath79/generic, mips:
  - binary: 215112 -> 219228 (+4116)
  - pkg: 111914 -> 113404 (+1490)
- ath79/tiny, mips:
  - binary: 172501 -> 172485 (-16)
  - pkg: 89871 -> 90904 (+1033)

Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
(cherry picked from commit 65256aee23a5104eb0c78411fdc73640c0b757ea)

package/network/services/dropbear/Makefile
package/network/services/dropbear/patches/100-pubkey_path.patch
package/network/services/dropbear/patches/110-change_user.patch
package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
package/network/services/dropbear/patches/140-disable_assert.patch
package/network/services/dropbear/patches/160-lto-jobserver.patch
package/network/services/dropbear/patches/600-allow-blank-root-password.patch
package/network/services/dropbear/patches/900-configure-hardening.patch
package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch

index d518de3f702463934fb8ea4ae31cdbd738a0af46..eaf14c5533258165e322da5e124f1c5a31469bdf 100644 (file)
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2020.81
-PKG_RELEASE:=2
+PKG_VERSION:=2022.82
+PKG_RELEASE:=$(AUTORELEASE)
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
-       http://matt.ucc.asn.au/dropbear/releases/ \
+       https://matt.ucc.asn.au/dropbear/releases/ \
        https://dropbear.nl/mirror/releases/
-PKG_HASH:=48235d10b37775dbda59341ac0c4b239b82ad6318c31568b985730c788aac53b
+PKG_HASH:=3a038d2bbc02bf28bbdd20c012091f741a3ec5cbe460691811d714876aad75d1
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
@@ -42,7 +42,7 @@ ifneq ($(DUMP),1)
 endif
 
 define Package/dropbear/Default
-  URL:=http://matt.ucc.asn.au/dropbear/
+  URL:=https://matt.ucc.asn.au/dropbear/
 endef
 
 define Package/dropbear/config
@@ -130,8 +130,10 @@ DB_OPT_COMMON = \
 DB_OPT_CONFIG = \
        DROPBEAR_CURVE25519|CONFIG_DROPBEAR_CURVE25519|1|0 \
        DROPBEAR_ED25519|CONFIG_DROPBEAR_ED25519|1|0 \
+       DROPBEAR_SK_ED25519|CONFIG_DROPBEAR_ED25519|1|0 \
        DROPBEAR_CHACHA20POLY1305|CONFIG_DROPBEAR_CHACHA20POLY1305|1|0 \
        DROPBEAR_ECDSA|CONFIG_DROPBEAR_ECC|1|0 \
+       DROPBEAR_SK_ECDSA|CONFIG_DROPBEAR_ECC|1|0 \
        DROPBEAR_ECDH|CONFIG_DROPBEAR_ECC|1|0 \
        !!DROPBEAR_ECC_384|CONFIG_DROPBEAR_ECC_FULL|1|0 \
        !!DROPBEAR_ECC_521|CONFIG_DROPBEAR_ECC_FULL|1|0 \
index af3fbb336bf6aedeccdbffe04d476d0133112bd2..0403198062f3162306e59b9ecafca42f00e9ede3 100644 (file)
@@ -1,34 +1,50 @@
 --- a/svr-authpubkey.c
 +++ b/svr-authpubkey.c
-@@ -386,14 +386,19 @@ static int checkpubkey(const char* keyal
-               goto out;
-       }
+@@ -77,6 +77,13 @@ static void send_msg_userauth_pk_ok(cons
+               const unsigned char* keyblob, unsigned int keybloblen);
+ static int checkfileperm(char * filename);
  
--      /* we don't need to check pw and pw_dir for validity, since
--       * its been done in checkpubkeyperms. */
--      len = strlen(ses.authstate.pw_dir);
--      /* allocate max required pathname storage,
--       * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
--      filename = m_malloc(len + 22);
--      snprintf(filename, len + 22, "%s/.ssh/authorized_keys", 
--                              ses.authstate.pw_dir);
-+      if (ses.authstate.pw_uid != 0) {
-+              /* we don't need to check pw and pw_dir for validity, since
-+               * its been done in checkpubkeyperms. */
-+              len = strlen(ses.authstate.pw_dir);
-+              /* allocate max required pathname storage,
-+               * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-+              filename = m_malloc(len + 22);
-+              snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
-+                                      ses.authstate.pw_dir);
-+      } else {
-+              filename = m_malloc(30);
-+              strncpy(filename, "/etc/dropbear/authorized_keys", 30);
-+      }
++static const char * const global_authkeys_dir = "/etc/dropbear";
++static const int        n_global_authkeys_dir = 14; /* + 1 extra byte */
++static const char * const user_authkeys_dir = ".ssh";
++static const int        n_user_authkeys_dir = 5; /* + 1 extra byte */
++static const char * const authkeys_file = "authorized_keys";
++static const int        n_authkeys_file = 16; /* + 1 extra byte */
++
+ /* process a pubkey auth request, sending success or failure message as
+  * appropriate */
+ void svr_auth_pubkey(int valid_user) {
+@@ -439,14 +446,21 @@ static int checkpubkey(const char* keyal
+       if (checkpubkeyperms() == DROPBEAR_FAILURE) {
+               TRACE(("bad authorized_keys permissions, or file doesn't exist"))
+       } else {
+-              /* we don't need to check pw and pw_dir for validity, since
+-               * its been done in checkpubkeyperms. */
+-              len = strlen(ses.authstate.pw_dir);
+-              /* allocate max required pathname storage,
+-               * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+-              filename = m_malloc(len + 22);
+-              snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
+-                                      ses.authstate.pw_dir);
++              if (ses.authstate.pw_uid == 0) {
++                      len = n_global_authkeys_dir + n_authkeys_file;
++                      filename = m_malloc(len);
++                      snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file);
++              } else {
++                      /* we don't need to check pw and pw_dir for validity, since
++                       * its been done in checkpubkeyperms. */
++                      len = strlen(ses.authstate.pw_dir);
++                      /* allocate max required pathname storage,
++                       * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
++                      len += n_user_authkeys_dir + n_authkeys_file + 1;
++                      filename = m_malloc(len);
++                      snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir,
++                              user_authkeys_dir, authkeys_file);
++              }
  
- #if DROPBEAR_SVR_MULTIUSER
-       /* open the file as the authenticating user. */
-@@ -474,27 +479,36 @@ static int checkpubkeyperms() {
+               authfile = fopen(filename, "r");
+               if (!authfile) {
+@@ -520,27 +534,41 @@ static int checkpubkeyperms() {
                goto out;
        }
  
 -      len += 22;
 -      filename = m_malloc(len);
 -      strlcpy(filename, ses.authstate.pw_dir, len);
--
++      if (ses.authstate.pw_uid == 0) {
++              if (checkfileperm(global_authkeys_dir) != DROPBEAR_SUCCESS) {
++                      goto out;
++              }
 -      /* check ~ */
 -      if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
 -              goto out;
 -      }
-+      if (ses.authstate.pw_uid == 0) {
-+              if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
-+                      goto out;
-+              }
-+              if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) {
-+                      goto out;
-+              }
-+      } else {
-+              /* allocate max required pathname storage,
-+               * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-+              len += 22;
++              len = n_global_authkeys_dir + n_authkeys_file;
 +              filename = m_malloc(len);
-+              strlcpy(filename, ses.authstate.pw_dir, len);
-+
-+              /* check ~ */
-+              if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
-+                      goto out;
-+              }
  
 -      /* check ~/.ssh */
 -      strlcat(filename, "/.ssh", len);
 -      if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
 -              goto out;
 -      }
-+              /* check ~/.ssh */
-+              strlcat(filename, "/.ssh", len);
++              snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file);
 +              if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
 +                      goto out;
 +              }
++      } else {
++              /* check ~ */
++              if (checkfileperm(ses.authstate.pw_dir) != DROPBEAR_SUCCESS) {
++                      goto out;
++              }
  
 -      /* now check ~/.ssh/authorized_keys */
 -      strlcat(filename, "/authorized_keys", len);
 -      if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
 -              goto out;
++              /* allocate max required pathname storage,
++               * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
++              len += n_user_authkeys_dir + n_authkeys_file + 1;
++              filename = m_malloc(len);
++
++              /* check ~/.ssh */
++              snprintf(filename, len, "%s/%s", ses.authstate.pw_dir, user_authkeys_dir);
++              if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++                      goto out;
++              }
++
 +              /* now check ~/.ssh/authorized_keys */
-+              strlcat(filename, "/authorized_keys", len);
++              snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir,
++                       user_authkeys_dir, authkeys_file);
 +              if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
 +                      goto out;
 +              }
index 1dd67948af65a669820b09b4ff1373c6ccae1611..04d1df3fdeb2ec3fac02961070617f117eca2cee 100644 (file)
@@ -1,6 +1,6 @@
 --- a/svr-chansession.c
 +++ b/svr-chansession.c
-@@ -954,12 +954,12 @@ static void execchild(const void *user_d
+@@ -985,12 +985,12 @@ static void execchild(const void *user_d
        /* We can only change uid/gid as root ... */
        if (getuid() == 0) {
  
index 5e736320cc7520e58d34bc6e60bd4512a057bc8a..d7f589801dce2b3c6856d564e39d48916b9928c8 100644 (file)
@@ -1,11 +1,13 @@
 --- a/cli-runopts.c
 +++ b/cli-runopts.c
-@@ -299,6 +299,8 @@ void cli_getopts(int argc, char ** argv)
-                                       debug_trace = 1;
+@@ -325,6 +325,10 @@ void cli_getopts(int argc, char ** argv)
+                               case 'b':
+                                       next = &bind_arg;
                                        break;
- #endif
 +                              case 'x':
++                                      /* compatibility with openssh cli
++                                       * ("-x" disables X11 forwarding) */
 +                                      break;
-                               case 'F':
-                               case 'e':
- #if !DROPBEAR_USER_ALGO_LIST
+                               default:
+                                       fprintf(stderr,
+                                               "WARNING: Ignoring unknown option -%c\n", c);
index 8c3ae7f119200c939482cfe8fc3c755e5c6af3ba..af01573dee58bff144a0dae5c47a26ff9cb29eaa 100644 (file)
@@ -1,6 +1,6 @@
 --- a/dbutil.h
 +++ b/dbutil.h
-@@ -75,7 +75,11 @@ int m_str_to_uint(const char* str, unsig
+@@ -80,7 +80,11 @@ int m_snprintf(char *str, size_t size, c
  #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  
  /* Dropbear assertion */
index 1ba7dd6f442254ce69435acb6b062bbf1e0988c4..fd80b986ae2de6154e1c2f6878d75c30876f618d 100644 (file)
@@ -1,6 +1,6 @@
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -198,17 +198,17 @@ dropbearkey: $(dropbearkeyobjs)
+@@ -200,17 +200,17 @@ dropbearkey: $(dropbearkeyobjs)
  dropbearconvert: $(dropbearconvertobjs)
  
  dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile
@@ -22,7 +22,7 @@
  
  
  # multi-binary compilation.
-@@ -219,7 +219,7 @@ ifeq ($(MULTI),1)
+@@ -221,7 +221,7 @@ ifeq ($(MULTI),1)
  endif
  
  dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile
index b138862ca31878e0b1cc042e7ea4aa2adf6437a7..07ae0227631ede181e88542636a3640d668406fa 100644 (file)
@@ -1,6 +1,6 @@
 --- a/svr-auth.c
 +++ b/svr-auth.c
-@@ -125,7 +125,7 @@ void recv_msg_userauth_request() {
+@@ -124,7 +124,7 @@ void recv_msg_userauth_request() {
                                AUTH_METHOD_NONE_LEN) == 0) {
                TRACE(("recv_msg_userauth_request: 'none' request"))
                if (valid_user
index ab1361f6ae8f9af21b388be099410c87b301d756..4f806f8b2511f7d157448dcc562a46f31e0b1a9d 100644 (file)
@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -70,53 +70,6 @@ AC_ARG_ENABLE(harden,
+@@ -74,53 +74,6 @@ AC_ARG_ENABLE(harden,
  
  if test "$hardenbuild" -eq 1; then
        AC_MSG_NOTICE(Checking for available hardened build flags:)
index b774a38b1aa6029e7766d5775036cf1105a74fa6..f0788144038c243729ace7d6092f8b74f68ca7ee 100644 (file)
@@ -21,7 +21,7 @@ Signed-off-by: Petr Štetiar <ynezz@true.cz>
 
 --- a/signkey.c
 +++ b/signkey.c
-@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *k
+@@ -646,8 +646,12 @@ int buf_verify(buffer * buf, sign_key *k
        sigtype = signature_type_from_name(type_name, type_name_len);
        m_free(type_name);