From b00c1a30c3b94a8cc32b1126e66e1cb7c46d3e6c Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Mon, 22 Aug 2016 19:23:15 +0200 Subject: [PATCH] dropbear: update to LEDE 277f85c21ae0ede4e15e66cbd801b9fb502531df Includes a few security updates and enables Curve25519 support. Fixes #223 --- ...85c21ae0ede4e15e66cbd801b9fb502531df.patch | 437 ++++++++++++++++++ 1 file changed, 437 insertions(+) create mode 100644 patches/openwrt/0119-dropbear-update-to-LEDE-277f85c21ae0ede4e15e66cbd801b9fb502531df.patch diff --git a/patches/openwrt/0119-dropbear-update-to-LEDE-277f85c21ae0ede4e15e66cbd801b9fb502531df.patch b/patches/openwrt/0119-dropbear-update-to-LEDE-277f85c21ae0ede4e15e66cbd801b9fb502531df.patch new file mode 100644 index 00000000..1dbc25cc --- /dev/null +++ b/patches/openwrt/0119-dropbear-update-to-LEDE-277f85c21ae0ede4e15e66cbd801b9fb502531df.patch @@ -0,0 +1,437 @@ +From: Matthias Schiffer +Date: Mon, 22 Aug 2016 19:14:52 +0200 +Subject: dropbear: update to LEDE 277f85c21ae0ede4e15e66cbd801b9fb502531df + +Includes a few security updates and enables Curve25519 support. + +The patches 600-allow-blank-root-password.patch and +610-skip-default-keys-in-custom-runs.patch are left out for now to avoid +allowing password-less root login. + +diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in +index e2a7610..7c2edd7 100644 +--- a/package/network/services/dropbear/Config.in ++++ b/package/network/services/dropbear/Config.in +@@ -1,6 +1,15 @@ + menu "Configuration" + depends on PACKAGE_dropbear + ++config DROPBEAR_CURVE25519 ++ bool "Curve25519 support" ++ default y ++ help ++ This enables the following key exchange algorithm: ++ curve25519-sha256@libssh.org ++ ++ Increases binary size by about 13 kB uncompressed (MIPS). ++ + config DROPBEAR_ECC + bool "Elliptic curve cryptography (ECC)" + default n +@@ -12,7 +21,6 @@ config DROPBEAR_ECC + ecdh-sha2-nistp256 + ecdh-sha2-nistp384 + ecdh-sha2-nistp521 +- curve25519-sha256@libssh.org + + Public key algorithms: + ecdsa-sha2-nistp256 +@@ -22,6 +30,21 @@ config DROPBEAR_ECC + Does not generate ECC host keys by default (ECC key exchange will not be used, + only ECC public key auth). + +- Increases binary size by about 36 kB (MIPS). ++ Increases binary size by about 23 kB (MIPS). ++ ++config DROPBEAR_UTMP ++ bool "Utmp support" ++ default n ++ depends on BUSYBOX_CONFIG_FEATURE_UTMP ++ help ++ This enables dropbear utmp support, the file /var/run/utmp is used to ++ track who is currently logged in. ++ ++config DROPBEAR_PUTUTLINE ++ bool "Pututline support" ++ default n ++ depends on DROPBEAR_UTMP ++ help ++ Dropbear will use pututline() to write the utmp structure into the utmp file. + + endmenu +diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile +index 35958d3..36bcb4a 100644 +--- a/package/network/services/dropbear/Makefile ++++ b/package/network/services/dropbear/Makefile +@@ -1,5 +1,5 @@ + # +-# Copyright (C) 2006-2014 OpenWrt.org ++# Copyright (C) 2006-2016 OpenWrt.org + # + # This is free software, licensed under the GNU General Public License v2. + # See /LICENSE for more information. +@@ -8,14 +8,14 @@ + include $(TOPDIR)/rules.mk + + PKG_NAME:=dropbear +-PKG_VERSION:=2015.67 ++PKG_VERSION:=2016.74 + PKG_RELEASE:=1 + + PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 + PKG_SOURCE_URL:= \ + http://matt.ucc.asn.au/dropbear/releases/ \ + https://dropbear.nl/mirror/releases/ +-PKG_MD5SUM:=e967e320344cd4bfebe321e3ab8514d6 ++PKG_MD5SUM:=9ad0172731e0f16623937804643b5bd8 + + PKG_LICENSE:=MIT + PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE +@@ -23,10 +23,14 @@ PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE + PKG_BUILD_PARALLEL:=1 + PKG_USE_MIPS16:=0 + +-PKG_CONFIG_DEPENDS:=CONFIG_DROPBEAR_ECC ++PKG_CONFIG_DEPENDS:=CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_CURVE25519 + + include $(INCLUDE_DIR)/package.mk + ++ifneq ($(DUMP),1) ++ STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) echo $(CONFIG_TARGET_INIT_PATH) | md5s) ++endif ++ + define Package/dropbear/Default + URL:=http://matt.ucc.asn.au/dropbear/ + endef +@@ -48,7 +52,6 @@ endef + + define Package/dropbear/conffiles + /etc/dropbear/dropbear_rsa_host_key +-/etc/dropbear/dropbear_dss_host_key + /etc/config/dropbear + endef + +@@ -65,25 +68,35 @@ CONFIGURE_ARGS += \ + --enable-syslog \ + $(if $(CONFIG_SHADOW_PASSWORDS),,--disable-shadow) \ + --disable-lastlog \ +- --disable-utmp \ + --disable-utmpx \ ++ $(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp) \ + --disable-wtmp \ + --disable-wtmpx \ + --disable-loginfunc \ +- --disable-pututline \ ++ $(if $(CONFIG_DROPBEAR_PUTUTLINE),,--disable-pututline) \ + --disable-pututxline \ + --disable-zlib \ + --enable-bundled-libtom + +-TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections ++TARGET_CFLAGS += -DDEFAULT_PATH=\\\"$(CONFIG_TARGET_INIT_PATH)\\\" -DARGTYPE=3 -ffunction-sections -fdata-sections + TARGET_LDFLAGS += -Wl,--gc-sections + + define Build/Configure + $(Build/Configure/Default) + ++ $(SED) 's,^#define DEFAULT_PATH .*$$$$,#define DEFAULT_PATH "$(CONFIG_TARGET_INIT_PATH)",g' \ ++ $(PKG_BUILD_DIR)/options.h ++ ++ awk 'BEGIN { rc = 1 } \ ++ /'DROPBEAR_CURVE25519'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_CURVE25519),,// )#define 'DROPBEAR_CURVE25519'"; rc = 0 } \ ++ { print } \ ++ END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \ ++ >$(PKG_BUILD_DIR)/options.h.new && \ ++ mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h ++ + # Enforce that all replacements are made, otherwise options.h has changed + # format and this logic is broken. +- for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH DROPBEAR_CURVE25519; do \ ++ for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \ + awk 'BEGIN { rc = 1 } \ + /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// )#define '$$$$OPTION'"; rc = 0 } \ + { print } \ +@@ -91,6 +104,9 @@ define Build/Configure + >$(PKG_BUILD_DIR)/options.h.new && \ + mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h || exit 1; \ + done ++ ++ # Enforce rebuild of svr-chansession.c ++ rm -f $(PKG_BUILD_DIR)/svr-chansession.o + endef + + define Build/Compile +@@ -118,7 +134,6 @@ define Package/dropbear/install + $(INSTALL_DIR) $(1)/usr/lib/opkg/info + $(INSTALL_DIR) $(1)/etc/dropbear + touch $(1)/etc/dropbear/dropbear_rsa_host_key +- touch $(1)/etc/dropbear/dropbear_dss_host_key + endef + + define Package/dropbearconvert/install +diff --git a/package/network/services/dropbear/files/dropbear.init b/package/network/services/dropbear/files/dropbear.init +index 6de0142..1653efb 100755 +--- a/package/network/services/dropbear/files/dropbear.init ++++ b/package/network/services/dropbear/files/dropbear.init +@@ -37,7 +37,6 @@ validate_section_dropbear() + 'RootPasswordAuth:bool:1' \ + 'RootLogin:bool:1' \ + 'rsakeyfile:file' \ +- 'dsskeyfile:file' \ + 'BannerFile:file' \ + 'Port:list(port):22' \ + 'SSHKeepAlive:uinteger:300' \ +@@ -49,7 +48,7 @@ dropbear_instance() + { + local PasswordAuth enable Interface GatewayPorts \ + RootPasswordAuth RootLogin rsakeyfile \ +- dsskeyfile BannerFile Port SSHKeepAlive IdleTimeout \ ++ BannerFile Port SSHKeepAlive IdleTimeout \ + mdns ipaddrs + + validate_section_dropbear "${1}" || { +@@ -75,18 +74,18 @@ dropbear_instance() + [ "${RootPasswordAuth}" -eq 0 ] && procd_append_param command -g + [ "${RootLogin}" -eq 0 ] && procd_append_param command -w + [ -n "${rsakeyfile}" ] && procd_append_param command -r "${rsakeyfile}" +- [ -n "${dsskeyfile}" ] && procd_append_param command -d "${dsskeyfile}" + [ -n "${BannerFile}" ] && procd_append_param command -b "${BannerFile}" + append_ports "${ipaddrs}" "${Port}" + [ "${IdleTimeout}" -ne 0 ] && procd_append_param command -I "${IdleTimeout}" + [ "${SSHKeepAlive}" -ne 0 ] && procd_append_param command -K "${SSHKeepAlive}" + [ "${mdns}" -ne 0 ] && procd_add_mdns "ssh" "tcp" "$Port" "daemon=dropbear" ++ procd_set_param respawn + procd_close_instance + } + + keygen() + { +- for keytype in rsa dss; do ++ for keytype in rsa; do + # check for keys + key=dropbear/dropbear_${keytype}_host_key + [ -f /tmp/$key -o -s /etc/$key ] || { +@@ -107,10 +106,15 @@ keygen() + chmod 0700 /etc/dropbear + } + ++load_interfaces() ++{ ++ config_get interface "$1" Interface ++ interfaces=" ${interface} ${interfaces}" ++} ++ + start_service() + { +- [ -s /etc/dropbear/dropbear_rsa_host_key -a \ +- -s /etc/dropbear/dropbear_dss_host_key ] || keygen ++ [ -s /etc/dropbear/dropbear_rsa_host_key ] || keygen + + . /lib/functions.sh + . /lib/functions/network.sh +@@ -121,7 +125,19 @@ start_service() + + service_triggers() + { +- procd_add_reload_trigger "dropbear" ++ local interfaces ++ ++ procd_add_config_trigger "config.change" "dropbear" /etc/init.d/dropbear reload ++ ++ config_load "${NAME}" ++ config_foreach load_interfaces dropbear ++ ++ [ -n "${interfaces}" ] & { ++ for n in $interfaces ; do ++ procd_add_interface_trigger "interface.*" $n /etc/init.d/dropbear reload ++ done ++ } ++ + procd_add_validation validate_section_dropbear + } + +diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch +index 456874b..41fdc1a 100644 +--- a/package/network/services/dropbear/patches/100-pubkey_path.patch ++++ b/package/network/services/dropbear/patches/100-pubkey_path.patch +@@ -1,6 +1,6 @@ + --- a/svr-authpubkey.c + +++ b/svr-authpubkey.c +-@@ -208,17 +208,21 @@ static int checkpubkey(unsigned char* al ++@@ -218,17 +218,21 @@ static int checkpubkey(char* algo, unsig + goto out; + } + +@@ -33,7 +33,7 @@ + if (authfile == NULL) { + goto out; + } +-@@ -371,26 +375,35 @@ static int checkpubkeyperms() { ++@@ -381,26 +385,35 @@ static int checkpubkeyperms() { + goto out; + } + +diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch +index 7982af6..4b5c1cb 100644 +--- a/package/network/services/dropbear/patches/110-change_user.patch ++++ b/package/network/services/dropbear/patches/110-change_user.patch +@@ -1,6 +1,6 @@ + --- a/svr-chansession.c + +++ b/svr-chansession.c +-@@ -920,12 +920,12 @@ static void execchild(void *user_data) { ++@@ -922,12 +922,12 @@ static void execchild(void *user_data) { + /* We can only change uid/gid as root ... */ + if (getuid() == 0) { + +diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch +index 48dae73..f16aaf0 100644 +--- a/package/network/services/dropbear/patches/120-openwrt_options.patch ++++ b/package/network/services/dropbear/patches/120-openwrt_options.patch +@@ -18,7 +18,28 @@ + + /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ + #define ENABLE_USER_ALGO_LIST +-@@ -126,9 +126,9 @@ much traffic. */ ++@@ -91,16 +91,16 @@ much traffic. */ ++ * Including multiple keysize variants the same cipher ++ * (eg AES256 as well as AES128) will result in a minimal size increase.*/ ++ #define DROPBEAR_AES128 ++-#define DROPBEAR_3DES +++/*#define DROPBEAR_3DES*/ ++ #define DROPBEAR_AES256 ++ /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ ++ /*#define DROPBEAR_BLOWFISH*/ ++-#define DROPBEAR_TWOFISH256 ++-#define DROPBEAR_TWOFISH128 +++/*#define DROPBEAR_TWOFISH256*/ +++/*#define DROPBEAR_TWOFISH128*/ ++ ++ /* Enable CBC mode for ciphers. This has security issues though ++ * is the most compatible with older SSH implementations */ ++-#define DROPBEAR_ENABLE_CBC_MODE +++/*#define DROPBEAR_ENABLE_CBC_MODE*/ ++ ++ /* Enable "Counter Mode" for ciphers. This is more secure than normal ++ * CBC mode against certain attacks. It is recommended for security ++@@ -131,9 +131,9 @@ If you test it please contact the Dropbe + * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, + * which are not the standard form. */ + #define DROPBEAR_SHA1_HMAC +@@ -31,7 +52,16 @@ + #define DROPBEAR_MD5_HMAC + + /* You can also disable integrity. Don't bother disabling this if you're +-@@ -184,7 +184,7 @@ much traffic. */ ++@@ -146,7 +146,7 @@ If you test it please contact the Dropbe ++ * Removing either of these won't save very much space. ++ * SSH2 RFC Draft requires dss, recommends rsa */ ++ #define DROPBEAR_RSA ++-#define DROPBEAR_DSS +++/*#define DROPBEAR_DSS*/ ++ /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC ++ * code (either ECDSA or ECDH) increases binary size - around 30kB ++ * on x86-64 */ ++@@ -194,7 +194,7 @@ If you test it please contact the Dropbe + + /* Whether to print the message of the day (MOTD). This doesn't add much code + * size */ +@@ -40,7 +70,7 @@ + + /* The MOTD file path */ + #ifndef MOTD_FILENAME +-@@ -226,7 +226,7 @@ much traffic. */ ++@@ -242,7 +242,7 @@ Homedir is prepended unless path begins + * note that it will be provided for all "hidden" client-interactive + * style prompts - if you want something more sophisticated, use + * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/ +diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch +deleted file mode 100644 +index edb2909..0000000 +--- a/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch ++++ /dev/null +@@ -1,21 +0,0 @@ +---- a/cli-runopts.c +-+++ b/cli-runopts.c +-@@ -315,6 +315,10 @@ void cli_getopts(int argc, char ** argv) +- debug_trace = 1; +- break; +- #endif +-+ case 'o': +-+ next = &dummy; +-+ case 'x': +-+ break; +- case 'F': +- case 'e': +- #ifndef ENABLE_USER_ALGO_LIST +-@@ -332,7 +336,6 @@ void cli_getopts(int argc, char ** argv) +- print_version(); +- exit(EXIT_SUCCESS); +- break; +-- case 'o': +- case 'b': +- next = &dummy; +- default: +diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch +new file mode 100644 +index 0000000..ab09c2f +--- /dev/null ++++ b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch +@@ -0,0 +1,11 @@ ++--- a/cli-runopts.c +++++ b/cli-runopts.c ++@@ -296,6 +296,8 @@ void cli_getopts(int argc, char ** argv) ++ debug_trace = 1; ++ break; ++ #endif +++ case 'x': +++ break; ++ case 'F': ++ case 'e': ++ #ifndef ENABLE_USER_ALGO_LIST +diff --git a/package/network/services/dropbear/patches/140-disable_assert.patch b/package/network/services/dropbear/patches/140-disable_assert.patch +index 0717228..78b54ac 100644 +--- a/package/network/services/dropbear/patches/140-disable_assert.patch ++++ b/package/network/services/dropbear/patches/140-disable_assert.patch +@@ -1,6 +1,6 @@ + --- a/dbutil.h + +++ b/dbutil.h +-@@ -101,7 +101,11 @@ int m_str_to_uint(const char* str, unsig ++@@ -78,7 +78,11 @@ int m_str_to_uint(const char* str, unsig + #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL} + + /* Dropbear assertion */ +diff --git a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch +index 367dc2c..ccc2cb7 100644 +--- a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch ++++ b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch +@@ -1,8 +1,8 @@ + --- a/options.h + +++ b/options.h + @@ -5,6 +5,11 @@ +- #ifndef _OPTIONS_H_ +- #define _OPTIONS_H_ ++ #ifndef DROPBEAR_OPTIONS_H_ ++ #define DROPBEAR_OPTIONS_H_ + + +#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER) + +#define DROPBEAR_SERVER +diff --git a/package/network/services/dropbear/patches/500-set-default-path.patch b/package/network/services/dropbear/patches/500-set-default-path.patch +index e2add94..da6b9ae 100644 +--- a/package/network/services/dropbear/patches/500-set-default-path.patch ++++ b/package/network/services/dropbear/patches/500-set-default-path.patch +@@ -1,11 +1,12 @@ + --- a/options.h + +++ b/options.h +-@@ -336,7 +336,7 @@ be overridden at runtime with -I. 0 disa ++@@ -352,7 +352,9 @@ be overridden at runtime with -I. 0 disa + #define DEFAULT_IDLE_TIMEOUT 0 + + /* The default path. This will often get replaced by the shell */ +--#define DEFAULT_PATH "/usr/bin:/bin" +-+#define DEFAULT_PATH "/bin:/sbin:/usr/bin:/usr/sbin" +++#ifndef DEFAULT_PATH ++ #define DEFAULT_PATH "/usr/bin:/bin" +++#endif + + /* Some other defines (that mostly should be left alone) are defined + * in sysoptions.h */