diff options
author | James <> | 2013-03-17 12:16:37 +0000 |
---|---|---|
committer | James <> | 2013-03-17 12:16:37 +0000 |
commit | 27b76ab0671089c47506615a796a261e993896a7 (patch) | |
tree | 61213d67e7fa87b20356b23798558e2c4212c42f /package/network/services/dropbear/patches/.svn/text-base | |
download | trunk-36060-27b76ab0671089c47506615a796a261e993896a7.tar.gz trunk-36060-27b76ab0671089c47506615a796a261e993896a7.tar.bz2 trunk-36060-27b76ab0671089c47506615a796a261e993896a7.zip |
Diffstat (limited to 'package/network/services/dropbear/patches/.svn/text-base')
9 files changed, 281 insertions, 0 deletions
diff --git a/package/network/services/dropbear/patches/.svn/text-base/100-pubkey_path.patch.svn-base b/package/network/services/dropbear/patches/.svn/text-base/100-pubkey_path.patch.svn-base new file mode 100644 index 0000000..c1802f5 --- /dev/null +++ b/package/network/services/dropbear/patches/.svn/text-base/100-pubkey_path.patch.svn-base @@ -0,0 +1,91 @@ +--- a/svr-authpubkey.c ++++ b/svr-authpubkey.c +@@ -209,17 +209,21 @@ static int checkpubkey(unsigned char* al + goto out; + } + +- /* we don't need to check pw and pw_dir for validity, since +- * its been done in checkpubkeyperms. */ +- len = strlen(ses.authstate.pw_dir); +- /* allocate max required pathname storage, +- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ +- filename = m_malloc(len + 22); +- snprintf(filename, len + 22, "%s/.ssh/authorized_keys", +- ses.authstate.pw_dir); +- +- /* open the file */ +- authfile = fopen(filename, "r"); ++ if (ses.authstate.pw_uid != 0) { ++ /* we don't need to check pw and pw_dir for validity, since ++ * its been done in checkpubkeyperms. */ ++ len = strlen(ses.authstate.pw_dir); ++ /* allocate max required pathname storage, ++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ ++ filename = m_malloc(len + 22); ++ snprintf(filename, len + 22, "%s/.ssh/authorized_keys", ++ ses.authstate.pw_dir); ++ ++ /* open the file */ ++ authfile = fopen(filename, "r"); ++ } else { ++ authfile = fopen("/etc/dropbear/authorized_keys","r"); ++ } + if (authfile == NULL) { + goto out; + } +@@ -372,26 +376,35 @@ static int checkpubkeyperms() { + goto out; + } + +- /* allocate max required pathname storage, +- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ +- filename = m_malloc(len + 22); +- strncpy(filename, ses.authstate.pw_dir, len+1); +- +- /* check ~ */ +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; +- } +- +- /* check ~/.ssh */ +- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; +- } +- +- /* now check ~/.ssh/authorized_keys */ +- strncat(filename, "/authorized_keys", 16); +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; ++ if (ses.authstate.pw_uid == 0) { ++ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ } else { ++ /* allocate max required pathname storage, ++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ ++ filename = m_malloc(len + 22); ++ strncpy(filename, ses.authstate.pw_dir, len+1); ++ ++ /* check ~ */ ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ ++ /* check ~/.ssh */ ++ strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ ++ /* now check ~/.ssh/authorized_keys */ ++ strncat(filename, "/authorized_keys", 16); ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } + } + + /* file looks ok, return success */ diff --git a/package/network/services/dropbear/patches/.svn/text-base/110-change_user.patch.svn-base b/package/network/services/dropbear/patches/.svn/text-base/110-change_user.patch.svn-base new file mode 100644 index 0000000..a354eda --- /dev/null +++ b/package/network/services/dropbear/patches/.svn/text-base/110-change_user.patch.svn-base @@ -0,0 +1,18 @@ +--- a/svr-chansession.c ++++ b/svr-chansession.c +@@ -891,12 +891,12 @@ static void execchild(void *user_data) { + /* We can only change uid/gid as root ... */ + if (getuid() == 0) { + +- if ((setgid(ses.authstate.pw_gid) < 0) || ++ if ((ses.authstate.pw_gid != 0) && ((setgid(ses.authstate.pw_gid) < 0) || + (initgroups(ses.authstate.pw_name, +- ses.authstate.pw_gid) < 0)) { ++ ses.authstate.pw_gid) < 0))) { + dropbear_exit("Error changing user group"); + } +- if (setuid(ses.authstate.pw_uid) < 0) { ++ if ((ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)) { + dropbear_exit("Error changing user"); + } + } else { diff --git a/package/network/services/dropbear/patches/.svn/text-base/120-openwrt_options.patch.svn-base b/package/network/services/dropbear/patches/.svn/text-base/120-openwrt_options.patch.svn-base new file mode 100644 index 0000000..977f631 --- /dev/null +++ b/package/network/services/dropbear/patches/.svn/text-base/120-openwrt_options.patch.svn-base @@ -0,0 +1,72 @@ +--- a/options.h ++++ b/options.h +@@ -38,7 +38,7 @@ + * Both of these flags can be defined at once, don't compile without at least + * one of them. */ + #define NON_INETD_MODE +-#define INETD_MODE ++/*#define INETD_MODE*/ + + /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is + * perhaps 20% slower for pubkey operations (it is probably worth experimenting +@@ -49,7 +49,7 @@ + several kB in binary size however will make the symmetrical ciphers and hashes + slower, perhaps by 50%. Recommended for small systems that aren't doing + much traffic. */ +-/*#define DROPBEAR_SMALL_CODE*/ ++#define DROPBEAR_SMALL_CODE + + /* Enable X11 Forwarding - server only */ + #define ENABLE_X11FWD +@@ -78,7 +78,7 @@ much traffic. */ + + /* Enable "Netcat mode" option. This will forward standard input/output + * to a remote TCP-forwarded connection */ +-#define ENABLE_CLI_NETCAT ++/*#define ENABLE_CLI_NETCAT*/ + + /* Encryption - at least one required. + * Protocol RFC requires 3DES and recommends AES128 for interoperability. +@@ -89,8 +89,8 @@ much traffic. */ + #define DROPBEAR_AES256 + /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ + /*#define DROPBEAR_BLOWFISH*/ +-#define DROPBEAR_TWOFISH256 +-#define DROPBEAR_TWOFISH128 ++/*#define DROPBEAR_TWOFISH256 ++#define DROPBEAR_TWOFISH128*/ + + /* Enable "Counter Mode" for ciphers. This is more secure than normal + * CBC mode against certain attacks. This adds around 1kB to binary +@@ -110,7 +110,7 @@ much traffic. */ + * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, + * which are not the standard form. */ + #define DROPBEAR_SHA1_HMAC +-#define DROPBEAR_SHA1_96_HMAC ++/*#define DROPBEAR_SHA1_96_HMAC*/ + #define DROPBEAR_MD5_HMAC + + /* Hostkey/public key algorithms - at least one required, these are used +@@ -144,11 +144,11 @@ much traffic. */ + #endif + + /* Whether to do reverse DNS lookups. */ +-#define DO_HOST_LOOKUP ++/*#define DO_HOST_LOOKUP*/ + + /* Whether to print the message of the day (MOTD). This doesn't add much code + * size */ +-#define DO_MOTD ++/*#define DO_MOTD*/ + + /* The MOTD file path */ + #ifndef MOTD_FILENAME +@@ -192,7 +192,7 @@ much traffic. */ + * note that it will be provided for all "hidden" client-interactive + * style prompts - if you want something more sophisticated, use + * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/ +-#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD" ++/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/ + + /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of + * a helper program for the ssh client. The helper program should be diff --git a/package/network/services/dropbear/patches/.svn/text-base/130-ssh_ignore_o_and_x_args.patch.svn-base b/package/network/services/dropbear/patches/.svn/text-base/130-ssh_ignore_o_and_x_args.patch.svn-base new file mode 100644 index 0000000..93647a9 --- /dev/null +++ b/package/network/services/dropbear/patches/.svn/text-base/130-ssh_ignore_o_and_x_args.patch.svn-base @@ -0,0 +1,21 @@ +--- a/cli-runopts.c ++++ b/cli-runopts.c +@@ -287,6 +287,10 @@ void cli_getopts(int argc, char ** argv) + debug_trace = 1; + break; + #endif ++ case 'o': ++ next = &dummy; ++ case 'x': ++ break; + case 'F': + case 'e': + case 'c': +@@ -298,7 +302,6 @@ void cli_getopts(int argc, char ** argv) + #ifndef ENABLE_CLI_LOCALTCPFWD + case 'L': + #endif +- case 'o': + case 'b': + next = &dummy; + default: diff --git a/package/network/services/dropbear/patches/.svn/text-base/140-disable_assert.patch.svn-base b/package/network/services/dropbear/patches/.svn/text-base/140-disable_assert.patch.svn-base new file mode 100644 index 0000000..e00184a --- /dev/null +++ b/package/network/services/dropbear/patches/.svn/text-base/140-disable_assert.patch.svn-base @@ -0,0 +1,14 @@ +--- a/dbutil.h ++++ b/dbutil.h +@@ -93,6 +93,10 @@ int m_str_to_uint(const char* str, unsig + #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL} + + /* Dropbear assertion */ +-#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0) ++#ifndef DROPBEAR_ASSERT_ENABLED ++#define DROPBEAR_ASSERT_ENABLED 0 ++#endif ++ ++#define dropbear_assert(X) do { if (DROPBEAR_ASSERT_ENABLED && !(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0) + + #endif /* _DBUTIL_H_ */ diff --git a/package/network/services/dropbear/patches/.svn/text-base/150-dbconvert_standalone.patch.svn-base b/package/network/services/dropbear/patches/.svn/text-base/150-dbconvert_standalone.patch.svn-base new file mode 100644 index 0000000..3e0b008 --- /dev/null +++ b/package/network/services/dropbear/patches/.svn/text-base/150-dbconvert_standalone.patch.svn-base @@ -0,0 +1,14 @@ +--- a/options.h ++++ b/options.h +@@ -5,6 +5,11 @@ + #ifndef _OPTIONS_H_ + #define _OPTIONS_H_ + ++#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER) ++#define DROPBEAR_SERVER ++#define DROPBEAR_CLIENT ++#endif ++ + /****************************************************************** + * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" + * parts are to allow for commandline -DDROPBEAR_XXX options etc. diff --git a/package/network/services/dropbear/patches/.svn/text-base/200-lcrypt_bsdfix.patch.svn-base b/package/network/services/dropbear/patches/.svn/text-base/200-lcrypt_bsdfix.patch.svn-base new file mode 100644 index 0000000..57eb967 --- /dev/null +++ b/package/network/services/dropbear/patches/.svn/text-base/200-lcrypt_bsdfix.patch.svn-base @@ -0,0 +1,29 @@ +--- a/Makefile.in ++++ b/Makefile.in +@@ -56,7 +56,7 @@ HEADERS=options.h dbutil.h session.h pac + loginrec.h atomicio.h x11fwd.h agentfwd.h tcpfwd.h compat.h \ + listener.h fake-rfc2553.h + +-dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) @CRYPTLIB@ ++dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) + dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS) + dropbearkeyobjs=$(COMMONOBJS) $(KEYOBJS) + dropbearconvertobjs=$(COMMONOBJS) $(CONVERTOBJS) +@@ -77,7 +77,7 @@ STRIP=@STRIP@ + INSTALL=@INSTALL@ + CPPFLAGS=@CPPFLAGS@ + CFLAGS+=-I. -I$(srcdir) $(CPPFLAGS) @CFLAGS@ +-LIBS+=@LIBS@ ++LIBS+=@CRYPTLIB@ @LIBS@ + LDFLAGS=@LDFLAGS@ + + EXEEXT=@EXEEXT@ +@@ -169,7 +169,7 @@ scp: $(SCPOBJS) $(HEADERS) Makefile + # multi-binary compilation. + MULTIOBJS= + ifeq ($(MULTI),1) +- MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs))) @CRYPTLIB@ ++ MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs))) + CFLAGS+=$(addprefix -DDBMULTI_, $(PROGRAMS)) -DDROPBEAR_MULTI + endif + diff --git a/package/network/services/dropbear/patches/.svn/text-base/300-ipv6_addr_port_split.patch.svn-base b/package/network/services/dropbear/patches/.svn/text-base/300-ipv6_addr_port_split.patch.svn-base new file mode 100644 index 0000000..7da435a --- /dev/null +++ b/package/network/services/dropbear/patches/.svn/text-base/300-ipv6_addr_port_split.patch.svn-base @@ -0,0 +1,11 @@ +--- a/svr-runopts.c ++++ b/svr-runopts.c +@@ -325,7 +325,7 @@ static void addportandaddress(char* spec + myspec = m_strdup(spec); + + /* search for ':', that separates address and port */ +- svr_opts.ports[svr_opts.portcount] = strchr(myspec, ':'); ++ svr_opts.ports[svr_opts.portcount] = strrchr(myspec, ':'); + + if (svr_opts.ports[svr_opts.portcount] == NULL) { + /* no ':' -> the whole string specifies just a port */ diff --git a/package/network/services/dropbear/patches/.svn/text-base/500-set-default-path.patch.svn-base b/package/network/services/dropbear/patches/.svn/text-base/500-set-default-path.patch.svn-base new file mode 100644 index 0000000..0bd3ffc --- /dev/null +++ b/package/network/services/dropbear/patches/.svn/text-base/500-set-default-path.patch.svn-base @@ -0,0 +1,11 @@ +--- a/options.h ++++ b/options.h +@@ -297,7 +297,7 @@ be overridden at runtime with -I. 0 disa + #define DEFAULT_IDLE_TIMEOUT 0 + + /* The default path. This will often get replaced by the shell */ +-#define DEFAULT_PATH "/usr/bin:/bin" ++#define DEFAULT_PATH "/bin:/sbin:/usr/bin:/usr/sbin" + + /* Some other defines (that mostly should be left alone) are defined + * in sysoptions.h */ |