b00c1a30c3
Includes a few security updates and enables Curve25519 support. Fixes #223
438 lines
15 KiB
Diff
438 lines
15 KiB
Diff
From: Matthias Schiffer <mschiffer@universe-factory.net>
|
|
Date: Mon, 22 Aug 2016 19:14:52 +0200
|
|
Subject: dropbear: update to LEDE 277f85c21ae0ede4e15e66cbd801b9fb502531df
|
|
|
|
Includes a few security updates and enables Curve25519 support.
|
|
|
|
The patches 600-allow-blank-root-password.patch and
|
|
610-skip-default-keys-in-custom-runs.patch are left out for now to avoid
|
|
allowing password-less root login.
|
|
|
|
diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
|
|
index e2a7610..7c2edd7 100644
|
|
--- a/package/network/services/dropbear/Config.in
|
|
+++ b/package/network/services/dropbear/Config.in
|
|
@@ -1,6 +1,15 @@
|
|
menu "Configuration"
|
|
depends on PACKAGE_dropbear
|
|
|
|
+config DROPBEAR_CURVE25519
|
|
+ bool "Curve25519 support"
|
|
+ default y
|
|
+ help
|
|
+ This enables the following key exchange algorithm:
|
|
+ curve25519-sha256@libssh.org
|
|
+
|
|
+ Increases binary size by about 13 kB uncompressed (MIPS).
|
|
+
|
|
config DROPBEAR_ECC
|
|
bool "Elliptic curve cryptography (ECC)"
|
|
default n
|
|
@@ -12,7 +21,6 @@ config DROPBEAR_ECC
|
|
ecdh-sha2-nistp256
|
|
ecdh-sha2-nistp384
|
|
ecdh-sha2-nistp521
|
|
- curve25519-sha256@libssh.org
|
|
|
|
Public key algorithms:
|
|
ecdsa-sha2-nistp256
|
|
@@ -22,6 +30,21 @@ config DROPBEAR_ECC
|
|
Does not generate ECC host keys by default (ECC key exchange will not be used,
|
|
only ECC public key auth).
|
|
|
|
- Increases binary size by about 36 kB (MIPS).
|
|
+ Increases binary size by about 23 kB (MIPS).
|
|
+
|
|
+config DROPBEAR_UTMP
|
|
+ bool "Utmp support"
|
|
+ default n
|
|
+ depends on BUSYBOX_CONFIG_FEATURE_UTMP
|
|
+ help
|
|
+ This enables dropbear utmp support, the file /var/run/utmp is used to
|
|
+ track who is currently logged in.
|
|
+
|
|
+config DROPBEAR_PUTUTLINE
|
|
+ bool "Pututline support"
|
|
+ default n
|
|
+ depends on DROPBEAR_UTMP
|
|
+ help
|
|
+ Dropbear will use pututline() to write the utmp structure into the utmp file.
|
|
|
|
endmenu
|
|
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
|
|
index 35958d3..36bcb4a 100644
|
|
--- a/package/network/services/dropbear/Makefile
|
|
+++ b/package/network/services/dropbear/Makefile
|
|
@@ -1,5 +1,5 @@
|
|
#
|
|
-# Copyright (C) 2006-2014 OpenWrt.org
|
|
+# Copyright (C) 2006-2016 OpenWrt.org
|
|
#
|
|
# This is free software, licensed under the GNU General Public License v2.
|
|
# See /LICENSE for more information.
|
|
@@ -8,14 +8,14 @@
|
|
include $(TOPDIR)/rules.mk
|
|
|
|
PKG_NAME:=dropbear
|
|
-PKG_VERSION:=2015.67
|
|
+PKG_VERSION:=2016.74
|
|
PKG_RELEASE:=1
|
|
|
|
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
|
|
PKG_SOURCE_URL:= \
|
|
http://matt.ucc.asn.au/dropbear/releases/ \
|
|
https://dropbear.nl/mirror/releases/
|
|
-PKG_MD5SUM:=e967e320344cd4bfebe321e3ab8514d6
|
|
+PKG_MD5SUM:=9ad0172731e0f16623937804643b5bd8
|
|
|
|
PKG_LICENSE:=MIT
|
|
PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
|
|
@@ -23,10 +23,14 @@ PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
|
|
PKG_BUILD_PARALLEL:=1
|
|
PKG_USE_MIPS16:=0
|
|
|
|
-PKG_CONFIG_DEPENDS:=CONFIG_DROPBEAR_ECC
|
|
+PKG_CONFIG_DEPENDS:=CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_CURVE25519
|
|
|
|
include $(INCLUDE_DIR)/package.mk
|
|
|
|
+ifneq ($(DUMP),1)
|
|
+ STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) echo $(CONFIG_TARGET_INIT_PATH) | md5s)
|
|
+endif
|
|
+
|
|
define Package/dropbear/Default
|
|
URL:=http://matt.ucc.asn.au/dropbear/
|
|
endef
|
|
@@ -48,7 +52,6 @@ endef
|
|
|
|
define Package/dropbear/conffiles
|
|
/etc/dropbear/dropbear_rsa_host_key
|
|
-/etc/dropbear/dropbear_dss_host_key
|
|
/etc/config/dropbear
|
|
endef
|
|
|
|
@@ -65,25 +68,35 @@ CONFIGURE_ARGS += \
|
|
--enable-syslog \
|
|
$(if $(CONFIG_SHADOW_PASSWORDS),,--disable-shadow) \
|
|
--disable-lastlog \
|
|
- --disable-utmp \
|
|
--disable-utmpx \
|
|
+ $(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp) \
|
|
--disable-wtmp \
|
|
--disable-wtmpx \
|
|
--disable-loginfunc \
|
|
- --disable-pututline \
|
|
+ $(if $(CONFIG_DROPBEAR_PUTUTLINE),,--disable-pututline) \
|
|
--disable-pututxline \
|
|
--disable-zlib \
|
|
--enable-bundled-libtom
|
|
|
|
-TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections
|
|
+TARGET_CFLAGS += -DDEFAULT_PATH=\\\"$(CONFIG_TARGET_INIT_PATH)\\\" -DARGTYPE=3 -ffunction-sections -fdata-sections
|
|
TARGET_LDFLAGS += -Wl,--gc-sections
|
|
|
|
define Build/Configure
|
|
$(Build/Configure/Default)
|
|
|
|
+ $(SED) 's,^#define DEFAULT_PATH .*$$$$,#define DEFAULT_PATH "$(CONFIG_TARGET_INIT_PATH)",g' \
|
|
+ $(PKG_BUILD_DIR)/options.h
|
|
+
|
|
+ awk 'BEGIN { rc = 1 } \
|
|
+ /'DROPBEAR_CURVE25519'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_CURVE25519),,// )#define 'DROPBEAR_CURVE25519'"; rc = 0 } \
|
|
+ { print } \
|
|
+ END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \
|
|
+ >$(PKG_BUILD_DIR)/options.h.new && \
|
|
+ mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h
|
|
+
|
|
# Enforce that all replacements are made, otherwise options.h has changed
|
|
# format and this logic is broken.
|
|
- for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH DROPBEAR_CURVE25519; do \
|
|
+ for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \
|
|
awk 'BEGIN { rc = 1 } \
|
|
/'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// )#define '$$$$OPTION'"; rc = 0 } \
|
|
{ print } \
|
|
@@ -91,6 +104,9 @@ define Build/Configure
|
|
>$(PKG_BUILD_DIR)/options.h.new && \
|
|
mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h || exit 1; \
|
|
done
|
|
+
|
|
+ # Enforce rebuild of svr-chansession.c
|
|
+ rm -f $(PKG_BUILD_DIR)/svr-chansession.o
|
|
endef
|
|
|
|
define Build/Compile
|
|
@@ -118,7 +134,6 @@ define Package/dropbear/install
|
|
$(INSTALL_DIR) $(1)/usr/lib/opkg/info
|
|
$(INSTALL_DIR) $(1)/etc/dropbear
|
|
touch $(1)/etc/dropbear/dropbear_rsa_host_key
|
|
- touch $(1)/etc/dropbear/dropbear_dss_host_key
|
|
endef
|
|
|
|
define Package/dropbearconvert/install
|
|
diff --git a/package/network/services/dropbear/files/dropbear.init b/package/network/services/dropbear/files/dropbear.init
|
|
index 6de0142..1653efb 100755
|
|
--- a/package/network/services/dropbear/files/dropbear.init
|
|
+++ b/package/network/services/dropbear/files/dropbear.init
|
|
@@ -37,7 +37,6 @@ validate_section_dropbear()
|
|
'RootPasswordAuth:bool:1' \
|
|
'RootLogin:bool:1' \
|
|
'rsakeyfile:file' \
|
|
- 'dsskeyfile:file' \
|
|
'BannerFile:file' \
|
|
'Port:list(port):22' \
|
|
'SSHKeepAlive:uinteger:300' \
|
|
@@ -49,7 +48,7 @@ dropbear_instance()
|
|
{
|
|
local PasswordAuth enable Interface GatewayPorts \
|
|
RootPasswordAuth RootLogin rsakeyfile \
|
|
- dsskeyfile BannerFile Port SSHKeepAlive IdleTimeout \
|
|
+ BannerFile Port SSHKeepAlive IdleTimeout \
|
|
mdns ipaddrs
|
|
|
|
validate_section_dropbear "${1}" || {
|
|
@@ -75,18 +74,18 @@ dropbear_instance()
|
|
[ "${RootPasswordAuth}" -eq 0 ] && procd_append_param command -g
|
|
[ "${RootLogin}" -eq 0 ] && procd_append_param command -w
|
|
[ -n "${rsakeyfile}" ] && procd_append_param command -r "${rsakeyfile}"
|
|
- [ -n "${dsskeyfile}" ] && procd_append_param command -d "${dsskeyfile}"
|
|
[ -n "${BannerFile}" ] && procd_append_param command -b "${BannerFile}"
|
|
append_ports "${ipaddrs}" "${Port}"
|
|
[ "${IdleTimeout}" -ne 0 ] && procd_append_param command -I "${IdleTimeout}"
|
|
[ "${SSHKeepAlive}" -ne 0 ] && procd_append_param command -K "${SSHKeepAlive}"
|
|
[ "${mdns}" -ne 0 ] && procd_add_mdns "ssh" "tcp" "$Port" "daemon=dropbear"
|
|
+ procd_set_param respawn
|
|
procd_close_instance
|
|
}
|
|
|
|
keygen()
|
|
{
|
|
- for keytype in rsa dss; do
|
|
+ for keytype in rsa; do
|
|
# check for keys
|
|
key=dropbear/dropbear_${keytype}_host_key
|
|
[ -f /tmp/$key -o -s /etc/$key ] || {
|
|
@@ -107,10 +106,15 @@ keygen()
|
|
chmod 0700 /etc/dropbear
|
|
}
|
|
|
|
+load_interfaces()
|
|
+{
|
|
+ config_get interface "$1" Interface
|
|
+ interfaces=" ${interface} ${interfaces}"
|
|
+}
|
|
+
|
|
start_service()
|
|
{
|
|
- [ -s /etc/dropbear/dropbear_rsa_host_key -a \
|
|
- -s /etc/dropbear/dropbear_dss_host_key ] || keygen
|
|
+ [ -s /etc/dropbear/dropbear_rsa_host_key ] || keygen
|
|
|
|
. /lib/functions.sh
|
|
. /lib/functions/network.sh
|
|
@@ -121,7 +125,19 @@ start_service()
|
|
|
|
service_triggers()
|
|
{
|
|
- procd_add_reload_trigger "dropbear"
|
|
+ local interfaces
|
|
+
|
|
+ procd_add_config_trigger "config.change" "dropbear" /etc/init.d/dropbear reload
|
|
+
|
|
+ config_load "${NAME}"
|
|
+ config_foreach load_interfaces dropbear
|
|
+
|
|
+ [ -n "${interfaces}" ] & {
|
|
+ for n in $interfaces ; do
|
|
+ procd_add_interface_trigger "interface.*" $n /etc/init.d/dropbear reload
|
|
+ done
|
|
+ }
|
|
+
|
|
procd_add_validation validate_section_dropbear
|
|
}
|
|
|
|
diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch
|
|
index 456874b..41fdc1a 100644
|
|
--- a/package/network/services/dropbear/patches/100-pubkey_path.patch
|
|
+++ b/package/network/services/dropbear/patches/100-pubkey_path.patch
|
|
@@ -1,6 +1,6 @@
|
|
--- a/svr-authpubkey.c
|
|
+++ b/svr-authpubkey.c
|
|
-@@ -208,17 +208,21 @@ static int checkpubkey(unsigned char* al
|
|
+@@ -218,17 +218,21 @@ static int checkpubkey(char* algo, unsig
|
|
goto out;
|
|
}
|
|
|
|
@@ -33,7 +33,7 @@
|
|
if (authfile == NULL) {
|
|
goto out;
|
|
}
|
|
-@@ -371,26 +375,35 @@ static int checkpubkeyperms() {
|
|
+@@ -381,26 +385,35 @@ static int checkpubkeyperms() {
|
|
goto out;
|
|
}
|
|
|
|
diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch
|
|
index 7982af6..4b5c1cb 100644
|
|
--- a/package/network/services/dropbear/patches/110-change_user.patch
|
|
+++ b/package/network/services/dropbear/patches/110-change_user.patch
|
|
@@ -1,6 +1,6 @@
|
|
--- a/svr-chansession.c
|
|
+++ b/svr-chansession.c
|
|
-@@ -920,12 +920,12 @@ static void execchild(void *user_data) {
|
|
+@@ -922,12 +922,12 @@ static void execchild(void *user_data) {
|
|
/* We can only change uid/gid as root ... */
|
|
if (getuid() == 0) {
|
|
|
|
diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch
|
|
index 48dae73..f16aaf0 100644
|
|
--- a/package/network/services/dropbear/patches/120-openwrt_options.patch
|
|
+++ b/package/network/services/dropbear/patches/120-openwrt_options.patch
|
|
@@ -18,7 +18,28 @@
|
|
|
|
/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
|
|
#define ENABLE_USER_ALGO_LIST
|
|
-@@ -126,9 +126,9 @@ much traffic. */
|
|
+@@ -91,16 +91,16 @@ much traffic. */
|
|
+ * Including multiple keysize variants the same cipher
|
|
+ * (eg AES256 as well as AES128) will result in a minimal size increase.*/
|
|
+ #define DROPBEAR_AES128
|
|
+-#define DROPBEAR_3DES
|
|
++/*#define DROPBEAR_3DES*/
|
|
+ #define DROPBEAR_AES256
|
|
+ /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
|
|
+ /*#define DROPBEAR_BLOWFISH*/
|
|
+-#define DROPBEAR_TWOFISH256
|
|
+-#define DROPBEAR_TWOFISH128
|
|
++/*#define DROPBEAR_TWOFISH256*/
|
|
++/*#define DROPBEAR_TWOFISH128*/
|
|
+
|
|
+ /* Enable CBC mode for ciphers. This has security issues though
|
|
+ * is the most compatible with older SSH implementations */
|
|
+-#define DROPBEAR_ENABLE_CBC_MODE
|
|
++/*#define DROPBEAR_ENABLE_CBC_MODE*/
|
|
+
|
|
+ /* Enable "Counter Mode" for ciphers. This is more secure than normal
|
|
+ * CBC mode against certain attacks. It is recommended for security
|
|
+@@ -131,9 +131,9 @@ If you test it please contact the Dropbe
|
|
* If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
|
|
* which are not the standard form. */
|
|
#define DROPBEAR_SHA1_HMAC
|
|
@@ -31,7 +52,16 @@
|
|
#define DROPBEAR_MD5_HMAC
|
|
|
|
/* You can also disable integrity. Don't bother disabling this if you're
|
|
-@@ -184,7 +184,7 @@ much traffic. */
|
|
+@@ -146,7 +146,7 @@ If you test it please contact the Dropbe
|
|
+ * Removing either of these won't save very much space.
|
|
+ * SSH2 RFC Draft requires dss, recommends rsa */
|
|
+ #define DROPBEAR_RSA
|
|
+-#define DROPBEAR_DSS
|
|
++/*#define DROPBEAR_DSS*/
|
|
+ /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
|
|
+ * code (either ECDSA or ECDH) increases binary size - around 30kB
|
|
+ * on x86-64 */
|
|
+@@ -194,7 +194,7 @@ If you test it please contact the Dropbe
|
|
|
|
/* Whether to print the message of the day (MOTD). This doesn't add much code
|
|
* size */
|
|
@@ -40,7 +70,7 @@
|
|
|
|
/* The MOTD file path */
|
|
#ifndef MOTD_FILENAME
|
|
-@@ -226,7 +226,7 @@ much traffic. */
|
|
+@@ -242,7 +242,7 @@ Homedir is prepended unless path begins
|
|
* note that it will be provided for all "hidden" client-interactive
|
|
* style prompts - if you want something more sophisticated, use
|
|
* SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
|
|
diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch
|
|
deleted file mode 100644
|
|
index edb2909..0000000
|
|
--- a/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch
|
|
+++ /dev/null
|
|
@@ -1,21 +0,0 @@
|
|
---- a/cli-runopts.c
|
|
-+++ b/cli-runopts.c
|
|
-@@ -315,6 +315,10 @@ void cli_getopts(int argc, char ** argv)
|
|
- debug_trace = 1;
|
|
- break;
|
|
- #endif
|
|
-+ case 'o':
|
|
-+ next = &dummy;
|
|
-+ case 'x':
|
|
-+ break;
|
|
- case 'F':
|
|
- case 'e':
|
|
- #ifndef ENABLE_USER_ALGO_LIST
|
|
-@@ -332,7 +336,6 @@ void cli_getopts(int argc, char ** argv)
|
|
- print_version();
|
|
- exit(EXIT_SUCCESS);
|
|
- break;
|
|
-- case 'o':
|
|
- case 'b':
|
|
- next = &dummy;
|
|
- default:
|
|
diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
|
|
new file mode 100644
|
|
index 0000000..ab09c2f
|
|
--- /dev/null
|
|
+++ b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
|
|
@@ -0,0 +1,11 @@
|
|
+--- a/cli-runopts.c
|
|
++++ b/cli-runopts.c
|
|
+@@ -296,6 +296,8 @@ void cli_getopts(int argc, char ** argv)
|
|
+ debug_trace = 1;
|
|
+ break;
|
|
+ #endif
|
|
++ case 'x':
|
|
++ break;
|
|
+ case 'F':
|
|
+ case 'e':
|
|
+ #ifndef ENABLE_USER_ALGO_LIST
|
|
diff --git a/package/network/services/dropbear/patches/140-disable_assert.patch b/package/network/services/dropbear/patches/140-disable_assert.patch
|
|
index 0717228..78b54ac 100644
|
|
--- a/package/network/services/dropbear/patches/140-disable_assert.patch
|
|
+++ b/package/network/services/dropbear/patches/140-disable_assert.patch
|
|
@@ -1,6 +1,6 @@
|
|
--- a/dbutil.h
|
|
+++ b/dbutil.h
|
|
-@@ -101,7 +101,11 @@ int m_str_to_uint(const char* str, unsig
|
|
+@@ -78,7 +78,11 @@ int m_str_to_uint(const char* str, unsig
|
|
#define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
|
|
|
|
/* Dropbear assertion */
|
|
diff --git a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
|
|
index 367dc2c..ccc2cb7 100644
|
|
--- a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
|
|
+++ b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
|
|
@@ -1,8 +1,8 @@
|
|
--- a/options.h
|
|
+++ b/options.h
|
|
@@ -5,6 +5,11 @@
|
|
- #ifndef _OPTIONS_H_
|
|
- #define _OPTIONS_H_
|
|
+ #ifndef DROPBEAR_OPTIONS_H_
|
|
+ #define DROPBEAR_OPTIONS_H_
|
|
|
|
+#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER)
|
|
+#define DROPBEAR_SERVER
|
|
diff --git a/package/network/services/dropbear/patches/500-set-default-path.patch b/package/network/services/dropbear/patches/500-set-default-path.patch
|
|
index e2add94..da6b9ae 100644
|
|
--- a/package/network/services/dropbear/patches/500-set-default-path.patch
|
|
+++ b/package/network/services/dropbear/patches/500-set-default-path.patch
|
|
@@ -1,11 +1,12 @@
|
|
--- a/options.h
|
|
+++ b/options.h
|
|
-@@ -336,7 +336,7 @@ be overridden at runtime with -I. 0 disa
|
|
+@@ -352,7 +352,9 @@ be overridden at runtime with -I. 0 disa
|
|
#define DEFAULT_IDLE_TIMEOUT 0
|
|
|
|
/* The default path. This will often get replaced by the shell */
|
|
--#define DEFAULT_PATH "/usr/bin:/bin"
|
|
-+#define DEFAULT_PATH "/bin:/sbin:/usr/bin:/usr/sbin"
|
|
++#ifndef DEFAULT_PATH
|
|
+ #define DEFAULT_PATH "/usr/bin:/bin"
|
|
++#endif
|
|
|
|
/* Some other defines (that mostly should be left alone) are defined
|
|
* in sysoptions.h */
|