aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services/dropbear/patches
diff options
context:
space:
mode:
Diffstat (limited to 'package/network/services/dropbear/patches')
-rw-r--r--package/network/services/dropbear/patches/100-pubkey_path.patch91
-rw-r--r--package/network/services/dropbear/patches/110-change_user.patch18
-rw-r--r--package/network/services/dropbear/patches/120-openwrt_options.patch81
-rw-r--r--package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch21
-rw-r--r--package/network/services/dropbear/patches/140-disable_assert.patch15
-rw-r--r--package/network/services/dropbear/patches/150-dbconvert_standalone.patch14
-rw-r--r--package/network/services/dropbear/patches/500-set-default-path.patch11
-rw-r--r--package/network/services/dropbear/patches/600-allow-blank-root-password.patch11
-rw-r--r--package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch18
9 files changed, 280 insertions, 0 deletions
diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch
new file mode 100644
index 0000000..41fdc1a
--- /dev/null
+++ b/package/network/services/dropbear/patches/100-pubkey_path.patch
@@ -0,0 +1,91 @@
+--- a/svr-authpubkey.c
++++ b/svr-authpubkey.c
+@@ -218,17 +218,21 @@ static int checkpubkey(char* algo, unsig
+ goto out;
+ }
+
+- /* we don't need to check pw and pw_dir for validity, since
+- * its been done in checkpubkeyperms. */
+- len = strlen(ses.authstate.pw_dir);
+- /* allocate max required pathname storage,
+- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+- filename = m_malloc(len + 22);
+- snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
+- ses.authstate.pw_dir);
+-
+- /* open the file */
+- authfile = fopen(filename, "r");
++ if (ses.authstate.pw_uid != 0) {
++ /* we don't need to check pw and pw_dir for validity, since
++ * its been done in checkpubkeyperms. */
++ len = strlen(ses.authstate.pw_dir);
++ /* allocate max required pathname storage,
++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
++ filename = m_malloc(len + 22);
++ snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
++ ses.authstate.pw_dir);
++
++ /* open the file */
++ authfile = fopen(filename, "r");
++ } else {
++ authfile = fopen("/etc/dropbear/authorized_keys","r");
++ }
+ if (authfile == NULL) {
+ goto out;
+ }
+@@ -381,26 +385,35 @@ static int checkpubkeyperms() {
+ goto out;
+ }
+
+- /* allocate max required pathname storage,
+- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+- filename = m_malloc(len + 22);
+- strncpy(filename, ses.authstate.pw_dir, len+1);
+-
+- /* check ~ */
+- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+- goto out;
+- }
+-
+- /* check ~/.ssh */
+- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
+- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+- goto out;
+- }
+-
+- /* now check ~/.ssh/authorized_keys */
+- strncat(filename, "/authorized_keys", 16);
+- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+- goto out;
++ if (ses.authstate.pw_uid == 0) {
++ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
++ goto out;
++ }
++ if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) {
++ goto out;
++ }
++ } else {
++ /* allocate max required pathname storage,
++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
++ filename = m_malloc(len + 22);
++ strncpy(filename, ses.authstate.pw_dir, len+1);
++
++ /* check ~ */
++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++ goto out;
++ }
++
++ /* check ~/.ssh */
++ strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++ goto out;
++ }
++
++ /* now check ~/.ssh/authorized_keys */
++ strncat(filename, "/authorized_keys", 16);
++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++ goto out;
++ }
+ }
+
+ /* file looks ok, return success */
diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch
new file mode 100644
index 0000000..4b5c1cb
--- /dev/null
+++ b/package/network/services/dropbear/patches/110-change_user.patch
@@ -0,0 +1,18 @@
+--- a/svr-chansession.c
++++ b/svr-chansession.c
+@@ -922,12 +922,12 @@ static void execchild(void *user_data) {
+ /* We can only change uid/gid as root ... */
+ if (getuid() == 0) {
+
+- if ((setgid(ses.authstate.pw_gid) < 0) ||
++ if ((ses.authstate.pw_gid != 0) && ((setgid(ses.authstate.pw_gid) < 0) ||
+ (initgroups(ses.authstate.pw_name,
+- ses.authstate.pw_gid) < 0)) {
++ ses.authstate.pw_gid) < 0))) {
+ dropbear_exit("Error changing user group");
+ }
+- if (setuid(ses.authstate.pw_uid) < 0) {
++ if ((ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)) {
+ dropbear_exit("Error changing user");
+ }
+ } else {
diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch
new file mode 100644
index 0000000..87118ef
--- /dev/null
+++ b/package/network/services/dropbear/patches/120-openwrt_options.patch
@@ -0,0 +1,81 @@
+--- a/options.h
++++ b/options.h
+@@ -41,7 +41,7 @@
+ * Both of these flags can be defined at once, don't compile without at least
+ * one of them. */
+ #define NON_INETD_MODE
+-#define INETD_MODE
++/*#define INETD_MODE*/
+
+ /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
+ * perhaps 20% slower for pubkey operations (it is probably worth experimenting
+@@ -81,7 +81,7 @@ much traffic. */
+
+ /* Enable "Netcat mode" option. This will forward standard input/output
+ * to a remote TCP-forwarded connection */
+-#define ENABLE_CLI_NETCAT
++/*#define ENABLE_CLI_NETCAT*/
+
+ /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
+ #define ENABLE_USER_ALGO_LIST
+@@ -91,16 +91,16 @@ much traffic. */
+ * Including multiple keysize variants the same cipher
+ * (eg AES256 as well as AES128) will result in a minimal size increase.*/
+ #define DROPBEAR_AES128
+-#define DROPBEAR_3DES
++/*#define DROPBEAR_3DES*/
+ #define DROPBEAR_AES256
+ /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+ /*#define DROPBEAR_BLOWFISH*/
+-#define DROPBEAR_TWOFISH256
+-#define DROPBEAR_TWOFISH128
++/*#define DROPBEAR_TWOFISH256*/
++/*#define DROPBEAR_TWOFISH128*/
+
+ /* Enable CBC mode for ciphers. This has security issues though
+ * is the most compatible with older SSH implementations */
+-#define DROPBEAR_ENABLE_CBC_MODE
++/*#define DROPBEAR_ENABLE_CBC_MODE*/
+
+ /* Enable "Counter Mode" for ciphers. This is more secure than normal
+ * CBC mode against certain attacks. It is recommended for security
+@@ -131,9 +131,9 @@ If you test it please contact the Dropbe
+ * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
+ * which are not the standard form. */
+ #define DROPBEAR_SHA1_HMAC
+-#define DROPBEAR_SHA1_96_HMAC
+-#define DROPBEAR_SHA2_256_HMAC
+-#define DROPBEAR_SHA2_512_HMAC
++/*#define DROPBEAR_SHA1_96_HMAC*/
++/*#define DROPBEAR_SHA2_256_HMAC*/
++/*#define DROPBEAR_SHA2_512_HMAC*/
+ #define DROPBEAR_MD5_HMAC
+
+ /* You can also disable integrity. Don't bother disabling this if you're
+@@ -146,7 +146,7 @@ If you test it please contact the Dropbe
+ * Removing either of these won't save very much space.
+ * SSH2 RFC Draft requires dss, recommends rsa */
+ #define DROPBEAR_RSA
+-#define DROPBEAR_DSS
++/*#define DROPBEAR_DSS*/
+ /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
+ * code (either ECDSA or ECDH) increases binary size - around 30kB
+ * on x86-64 */
+@@ -189,7 +189,7 @@ If you test it please contact the Dropbe
+
+ /* Whether to print the message of the day (MOTD). This doesn't add much code
+ * size */
+-#define DO_MOTD
++/*#define DO_MOTD*/
+
+ /* The MOTD file path */
+ #ifndef MOTD_FILENAME
+@@ -231,7 +231,7 @@ Homedir is prepended unless path begins
+ * note that it will be provided for all "hidden" client-interactive
+ * style prompts - if you want something more sophisticated, use
+ * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
+-#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
++/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/
+
+ /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
+ * a helper program for the ssh client. The helper program should be
diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch
new file mode 100644
index 0000000..edb2909
--- /dev/null
+++ b/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch
@@ -0,0 +1,21 @@
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -315,6 +315,10 @@ void cli_getopts(int argc, char ** argv)
+ debug_trace = 1;
+ break;
+ #endif
++ case 'o':
++ next = &dummy;
++ case 'x':
++ break;
+ case 'F':
+ case 'e':
+ #ifndef ENABLE_USER_ALGO_LIST
+@@ -332,7 +336,6 @@ void cli_getopts(int argc, char ** argv)
+ print_version();
+ exit(EXIT_SUCCESS);
+ break;
+- case 'o':
+ case 'b':
+ next = &dummy;
+ default:
diff --git a/package/network/services/dropbear/patches/140-disable_assert.patch b/package/network/services/dropbear/patches/140-disable_assert.patch
new file mode 100644
index 0000000..667d69c
--- /dev/null
+++ b/package/network/services/dropbear/patches/140-disable_assert.patch
@@ -0,0 +1,15 @@
+--- a/dbutil.h
++++ b/dbutil.h
+@@ -88,7 +88,11 @@ int m_str_to_uint(const char* str, unsig
+ #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
+
+ /* Dropbear assertion */
+-#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
++#ifndef DROPBEAR_ASSERT_ENABLED
++#define DROPBEAR_ASSERT_ENABLED 0
++#endif
++
++#define dropbear_assert(X) do { if (DROPBEAR_ASSERT_ENABLED && !(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
+
+ /* Returns 0 if a and b have the same contents */
+ int constant_time_memcmp(const void* a, const void *b, size_t n);
diff --git a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
new file mode 100644
index 0000000..ccc2cb7
--- /dev/null
+++ b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
@@ -0,0 +1,14 @@
+--- a/options.h
++++ b/options.h
+@@ -5,6 +5,11 @@
+ #ifndef DROPBEAR_OPTIONS_H_
+ #define DROPBEAR_OPTIONS_H_
+
++#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER)
++#define DROPBEAR_SERVER
++#define DROPBEAR_CLIENT
++#endif
++
+ /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
+ * parts are to allow for commandline -DDROPBEAR_XXX options etc. */
+
diff --git a/package/network/services/dropbear/patches/500-set-default-path.patch b/package/network/services/dropbear/patches/500-set-default-path.patch
new file mode 100644
index 0000000..f6880ef
--- /dev/null
+++ b/package/network/services/dropbear/patches/500-set-default-path.patch
@@ -0,0 +1,11 @@
+--- a/options.h
++++ b/options.h
+@@ -341,7 +341,7 @@ be overridden at runtime with -I. 0 disa
+ #define DEFAULT_IDLE_TIMEOUT 0
+
+ /* The default path. This will often get replaced by the shell */
+-#define DEFAULT_PATH "/usr/bin:/bin"
++#define DEFAULT_PATH "/bin:/sbin:/usr/bin:/usr/sbin"
+
+ /* Some other defines (that mostly should be left alone) are defined
+ * in sysoptions.h */
diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
new file mode 100644
index 0000000..7c67b08
--- /dev/null
+++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
@@ -0,0 +1,11 @@
+--- a/svr-auth.c
++++ b/svr-auth.c
+@@ -149,7 +149,7 @@ void recv_msg_userauth_request() {
+ AUTH_METHOD_NONE_LEN) == 0) {
+ TRACE(("recv_msg_userauth_request: 'none' request"))
+ if (valid_user
+- && svr_opts.allowblankpass
++ && (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
+ && !svr_opts.noauthpass
+ && !(svr_opts.norootpass && ses.authstate.pw_uid == 0)
+ && ses.authstate.pw_passwd[0] == '\0')
diff --git a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
new file mode 100644
index 0000000..ee6d273
--- /dev/null
+++ b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
@@ -0,0 +1,18 @@
+--- a/svr-runopts.c
++++ b/svr-runopts.c
+@@ -475,6 +475,7 @@ void load_all_hostkeys() {
+ m_free(hostkey_file);
+ }
+
++ if (svr_opts.num_hostkey_files <= 0) {
+ #ifdef DROPBEAR_RSA
+ loadhostkey(RSA_PRIV_FILENAME, 0);
+ #endif
+@@ -486,6 +487,7 @@ void load_all_hostkeys() {
+ #ifdef DROPBEAR_ECDSA
+ loadhostkey(ECDSA_PRIV_FILENAME, 0);
+ #endif
++ }
+
+ #ifdef DROPBEAR_DELAY_HOSTKEY
+ if (svr_opts.delay_hostkey) {