aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services/dropbear
Commit message (Collapse)AuthorAgeFilesLines
* build: introduce $(MKHASH)Leonardo Mörlein2021-05-131-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Before this commit, it was assumed that mkhash is in the PATH. While this was fine for the normal build workflow, this led to some issues if make TOPDIR="$(pwd)" -C "$pkgdir" compile was called manually. In most of the cases, I just saw warnings like this: make: Entering directory '/home/.../package/gluon-status-page' bash: line 1: mkhash: command not found bash: line 1: mkhash: command not found bash: line 1: mkhash: command not found bash: line 1: mkhash: command not found bash: line 1: mkhash: command not found bash: line 1: mkhash: command not found bash: line 1: mkhash: command not found bash: line 1: mkhash: command not found [...] While these were only warnings and the package still compiled sucessfully, I also observed that some package even fail to build because of this. After applying this commit, the variable $(MKHASH) is introduced. This variable points to $(STAGING_DIR_HOST)/bin/mkhash, which is always the correct path. Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
* dropbear: bump package versionKonstantin Demin2020-12-111-1/+1
| | | | | | | | Bump package version after previous changes. Signed-off-by: Konstantin Demin <rockdrilla@gmail.com> [added missing commit description] Signed-off-by: Petr Štetiar <ynezz@true.cz>
* dropbear: add ssh-askpass support in configurationKonstantin Demin2020-12-112-1/+12
| | | | | | | | | | binary size cost is much less than 1k. tested on ath79/generic: bin: 215128 -> 215132 (+4b) ipk: 111183 -> 111494 (+311b) Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* dropbear: roll up recipes into mapping listsKonstantin Demin2020-12-111-24/+59
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | this commit removes manual recipes for options and introduces mapping lists: - DB_OPT_COMMON holds option mappings which are common for all builds; - DB_OPT_CONFIG holds option mappings which are depend on config settings. DB_OPT_COMMON is space-separated list of 'words', each of them is in format: 'header_option|value' 'header_option' is added with value 'value' to 'localoptions.h'. if 'header_option' is preceded by two exclamation marks ('!!') then option is not added to 'localoptions.h' but replaced in 'sysoptions.h'. in short: option|value - add option to localoptions.h !!option|value - replace option in sysoptions.h DB_OPT_CONFIG is space-separated list of 'words', each of them is in format: 'header_option|config_variable|value_enabled|value_disabled' 'header_option' is handled likewise in DB_OPT_COMMON. if 'config_variable' is enabled (technically: not disabled) then 'header_option' is set to 'value_enabled' and 'value_disabled' otherwise. in short: option|config|enabled|disabled = add option to localoptions.h !!option|config|enabled|disabled = replace option in sysoptions.h option := (config) ? enabled : disabled If you're not sure that option's value doesn't have '|' within - add your recipe manually right after '$(Build/Configure/dropbear_headers)' and write some words about your decision. PS about two exclamation marks: early idea was to use one exclamation mark to denote such header options but then i thought single exclamation mark may be overlooked by mistake. Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* dropbear: rework recipes that configure buildKonstantin Demin2020-12-111-22/+17
| | | | | | | | - add two helper functions to avoid mistakes with choice of correct header file to work with - update rules accordingly Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* dropbear: reorder options in Configure recipeKonstantin Demin2020-12-111-11/+11
| | | | | | | put static options at first place, then place configurable options. also put DROPBEAR_ECC right before DROPBEAR_ECC_FULL to ease maintainance. Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* dropbear: enable back DROPBEAR_USE_PASSWORD_ENVKonstantin Demin2020-12-111-2/+1
| | | | | | | | | | | | | this option was disabled in 2011 and these long nine years showed us that change was definitely wrong. binary size cost is much less than 1k. tested on ath79/generic: bin: 215128 -> 215128 (no change) ipk: 111108 -> 111183 (+75b) Fixes: 3c801b3dc0359 ("tune some more options by default to decrease size") Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* dropbear: update to 2.81Hans Dedecker2020-11-154-9/+7
| | | | | | | | Update dropbear to latest stable 2.81; for the changes see https://matt.ucc.asn.au/dropbear/CHANGES Refresh patches Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dropbear: use new extra_command wrapperFlorian Eckert2020-11-022-3/+3
| | | | | | Use new `extra_command` wrapper to fix the alignement. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* dropbear: Enable Ed25519 for normal devicesPaul Spooren2020-09-062-3/+4
| | | | | | | | | | | | | | | | | | | | The Ed25519 key pairs are much shorter than RSA pairs and are supported by default in OpenSSH. Looking at websites explaining how to create new SSH keys, many suggest using Ed25519 rather than RSA, however consider the former as not yet widely established. OpenWrt likely has a positive influence on that development. As enabling Ed25519 is a compile time option, it is currently not possible to install the feature via `opkg` nor select that option in an ImageBuilder. Due to the size impact of **12kB** the option should only be enabled for devices with `!SMALL_FLASH`. This approach seems cleaner than splitting `dropbear` into two packages like `dropbear` and `dropbear-ed25519`. Signed-off-by: Paul Spooren <mail@aparcar.org>
* dropbear: allow disabling support for scpRui Salvaterra2020-08-152-4/+10
| | | | | | | | | | | | | If not needed, disabling scp allows for a nice size reduction. Dropbear executable size comparison: 153621 bytes (baseline) 133077 bytes (without scp) In other words, we trim a total of 20544 bytes. Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
* dropbear: fix ssh alternative when dbclient isn't builtRui Salvaterra2020-08-121-3/+3
| | | | | | | The ssh symlink was still being created even when dbclient was disabled in the build configuration. Fix this annoyance. Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
* dropbear: make rsa-sha2-256 pubkeys usable againPetr Štetiar2020-07-071-0/+40
| | | | | | | | | | | | | Upstream in commit 972d723484d8 ("split signkey_type and signature_type for RSA sha1 vs sha256") has added strict checking of pubkey algorithms which made keys with SHA-256 hashing algorithm unusable as they still reuse the `ssh-rsa` public key format. So fix this by disabling the check for `rsa-sha2-256` pubkeys. Ref: https://tools.ietf.org/html/rfc8332#section-3 Fixes: d4c80f5b172e ("dropbear: bump to 2020.80") Tested-by: Russell Senior <russell@personaltelco.net> Signed-off-by: Petr Štetiar <ynezz@true.cz>
* dropbear: bump to 2020.80Hans Dedecker2020-06-304-78/+2
| | | | | | | | | - drop patches (applied upstream) * 001-backport_GNU_SOURCE-for-random.patch * 002-backport-move-GNU_SOURCE-earlier.patch * 010-backport-disable-toom-and-karatsuba.patch Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dropbear: init: replace backticks with $()Rui Salvaterra2020-06-301-3/+3
| | | | | | | | This replaces deprecated backticks by more versatile $(...) syntax. Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com> [add commit description] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* dropbear: fix compilation for uClibcHans Dedecker2020-06-242-0/+59
| | | | | | | | | | | | | | | Backport patches which fix compile issue for uClibc-ng : dbrandom.c:174:8: warning: implicit declaration of function 'getrandom'; did you mean 'genrandom'? [-Wimplicit-function-declaration] ret = getrandom(buf, sizeof(buf), GRND_NONBLOCK); ^~~~~~~~~ genrandom dbrandom.c:174:36: error: 'GRND_NONBLOCK' undeclared (first use in this function); did you mean 'SOCK_NONBLOCK'? ret = getrandom(buf, sizeof(buf), GRND_NONBLOCK); ^~~~~~~~~~~~~ SOCK_NONBLOCK Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dropbear: bump to 2020.79Konstantin Demin2020-06-219-3722/+36
| | | | | | | | | | | | | | | | | | | | | - drop patches (applied upstream): * 010-backport-change-address-logging.patch * 020-backport-ed25519-support.patch * 021-backport-chacha20-poly1305-support.patch - backport patches: * 010-backport-disable-toom-and-karatsuba.patch: reduce dropbear binary size (about ~8Kb). - refresh patches. - don't bother anymore with following config options because they are disabled in upstream too: * DROPBEAR_3DES * DROPBEAR_ENABLE_CBC_MODE * DROPBEAR_SHA1_96_HMAC - explicitly disable DO_MOTD as it was before commit a1099ed: upstream has (accidentally) switched it to 0 in release 2019.77, but reverted back in release 2020.79. Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* dropbear: add ed25519 and chacha20-poly1305Vladislav Grishenko2020-05-305-3/+3613
| | | | | | | | | | | | - add Ed25519 support (backport): * DROPBEAR_ED25519 option for ssh-ed25519, * disabled by default - add Chacha20-Poly1305 support (backport): * DROPBEAR_CHACHA20POLY1305 for chacha20-poly1305@openssh.com, * enabled by default - update feature costs in binary size Signed-off-by: Vladislav Grishenko <themiron@mail.ru>
* dropbear: backport add ip address to exit without auth messagesKevin Darbyshire-Bryant2020-04-052-1/+120
| | | | | | | 201e359 Handle early exit when addrstring isn't set fa4c464 Improve address logging on early exit messages (#83) Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dropbear: fix compile errorJohn Crispin2020-01-151-1/+2
| | | | | Fixes: 0da193ee6943 ("dropbear: move failsafe code out of base-files") Signed-off-by: John Crispin <john@phrozen.org>
* dropbear: move failsafe code out of base-filesKyle Copperfield2020-01-152-1/+10
| | | | | | | | | | | | The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Failsafe code of dropbear should be in the dropbear package not the base-files package. Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
* dropbear: Activate PIE by defaultHauke Mehrtens2020-01-131-0/+1
| | | | | | | | | | | | | | | | | | | This activates PIE ASLR support by default when the regular option is selected. This increases the binary size by 18% uncompressed and 17% compressed on MIPS BE. old: 164,261 /usr/sbin/dropbear 85,648 dropbear_2019.78-2_mips_24kc.ipk new: 194,492 /usr/sbin/dropbear 100,309 dropbear_2019.78-2_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Acked-by: Petr Štetiar <ynezz@true.cz>
* dropbear: add missing zlib dependency for dropbearconvertMatt Merhar2020-01-051-0/+1
| | | | | | | | | | If CONFIG_DROPBEAR_ZLIB is set, building fails at the packaging stage due to an undeclared dependency on libz.so.1. As is already done for the main dropbear package, conditionally add a dependency on zlib. Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
* dropbear: rebuild libs on config changeYousong Zhou2019-11-011-0/+4
| | | | | | | | | Required as dependency on dropbear config headers is not tracked in dropbear build system Fixes FS#2275 Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* dropbear: allow build without dbclientRosy Song2019-04-182-4/+9
| | | | | | This can save ~16KBytes size for the ipk Signed-off-by: Rosy Song <rosysong@rosinson.com>
* dropbear: bump to 2019.78Hans Dedecker2019-04-072-48/+2
| | | | | | | | | | Fix dbclient regression in 2019.77. After exiting the terminal would be left in a bad state. Reported by Ryan Woodsmall drop patch applied upstream: 010-tty-modes-werent-reset-for-client.patch Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dropbear: split ECC support to basic and fullKonstantin Demin2019-03-252-8/+31
| | | | | | | | | | - limit ECC support to ec*-sha2-nistp256: * DROPBEAR_ECC now provides only basic support for ECC - provide full ECC support as an option: * DROPBEAR_ECC_FULL brings back support for ec{dh,dsa}-sha2-nistp{384,521} - update feature costs in binary size Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* dropbear: rewrite init script startup logic to handle both host key filesKonstantin Demin2019-03-251-24/+38
| | | | Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* dropbear: change type of config option "Port" to scalar type "port"Konstantin Demin2019-03-251-1/+1
| | | | | | it was never used anywhere, even LuCI works with "Port" as scalar type. Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* dropbear: introduce config option "keyfile" (replacement for "rsakeyfile")Konstantin Demin2019-03-251-1/+56
| | | | | | | | | | | | * option "keyfile" is more generic than "rsakeyfile". * option "rsakeyfile" is considered to be deprecated and should be removed in future releases. * warn user (in syslog) if option "rsakeyfile" is used * better check options ("rsakeyfile" and "keyfile"): don't append "-r keyfile" to command line if file is absent (doesn't exist or empty), warn user (in syslog) about such files Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* dropbear: add initial support for ECC host keyKonstantin Demin2019-03-251-0/+2
| | | | Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* dropbear: fix regression where TTY modes weren't reset for clientKonstantin Demin2019-03-251-0/+46
| | | | | | cherry-pick upstream commit 7bc6280613f5ab4ee86c14c779739070e5784dfe Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* dropbear: honour CFLAGS while building bundled libtomcrypt/libtommathKonstantin Demin2019-03-251-0/+48
| | | | | | | | Felix Fietkau pointed out that bundled libtomcrypt/libtommath do funny stuff with CFLAGS. fix this with checking environment variable OPENWRT_BUILD in both libs. change in dropbear binary size is drastical: 221621 -> 164277. Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* dropbear: fix hardening flags during configureKonstantin Demin2019-03-251-0/+56
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | compiler complains about messed up CFLAGS in build log: <command-line>: warning: "_FORTIFY_SOURCE" redefined <command-line>: note: this is the location of the previous definition and then linker fails: mips-openwrt-linux-musl-gcc [...] -o dropbearmulti [...] collect2: fatal error: ld terminated with signal 11 [Segmentation fault] compilation terminated. /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: /tmp/cc27zORz.ltrans0.ltrans.o: relocation R_MIPS_HI16 against `cipher_descriptor' can not be used when making a shared object; recompile with -fPIC /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: /tmp/cc27zORz.ltrans1.ltrans.o: relocation R_MIPS_HI16 against `ses' can not be used when making a shared object; recompile with -fPIC /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: /tmp/cc27zORz.ltrans2.ltrans.o: relocation R_MIPS_HI16 against `cipher_descriptor' can not be used when making a shared object; recompile with -fPIC /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: BFD (GNU Binutils) 2.31.1 assertion fail elfxx-mips.c:6550 [...] /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: BFD (GNU Binutils) 2.31.1 assertion fail elfxx-mips.c:6550 make[3]: *** [Makefile:198: dropbearmulti] Error 1 make[3]: *** Deleting file 'dropbearmulti' make[3]: Leaving directory '/build_dir/target-mips_24kc_musl/dropbear-2018.76' make[2]: *** [Makefile:158: /build_dir/target-mips_24kc_musl/dropbear-2018.76/.built] Error 2 make[2]: Leaving directory '/package/network/services/dropbear' This FTBFS issue was caused by hardening flags set up by dropbear's configure script. By default, Dropbear offers hardening via CFLAGS and LDFLAGS, but this may break or confuse OpenWrt settings. Remove most Dropbear's hardening settings in favour of precise build, but preserve Spectre v2 mitigations: * -mfunction-return=thunk * -mindirect-branch=thunk Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* dropbear: bump to 2019.77Konstantin Demin2019-03-2512-517/+52
| | | | | | | | | | | | | - drop patches applied upstream: * 010-runtime-maxauthtries.patch * 020-Wait-to-fail-invalid-usernames.patch * 150-dbconvert_standalone.patch * 610-skip-default-keys-in-custom-runs.patch - refresh patches - move OpenWrt configuration from patch to Build/Configure recipe, thus drop patch 120-openwrt_options.patch Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
* procd: Add wrapper for uci_validate_section()Jeffery To2019-01-221-7/+4
| | | | | | | | | | | | | | | | | This adds a wrapper (uci_load_validate) for uci_validate_section() that allows callers (through a callback function) to access the values set by uci_validate_section(), without having to manually declare a (potentially long) list of local variables. The callback function receives two arguments when called, the config section name and the return value of uci_validate_section(). If no callback function is given, then the wrapper exits with the value returned by uci_validate_section(). This also updates several init scripts to use the new wrapper function. Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* dropbear: fix dropbear startup issueHans Dedecker2018-12-182-2/+10
| | | | | | | | | | | | | | | Interface triggers are installed by the dropbear init script in case an interface is configured for a given dropbear uci section. As dropbear is started after network the interface trigger event can be missed during a small window; this is especially the case if lan is specified as interface. Fix this by starting dropbear before network so no interface trigger is missed. As dropbear is started earlier than netifd add a boot function to avoid the usage of network.sh functions as call to such functions will fail at boottime. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> Acked-by: Jo-Philipp Wich <jo@mein.io>
* dropbear: Install /etc/config as 600Rosen Penev2018-09-191-3/+3
| | | | | | | | /etc/config/dropbear is used by the init script which only runs as root. Small whitespace change. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* dropbear: backport upstream fix for CVE-2018-15599Hans Dedecker2018-08-243-3/+224
| | | | | | | | | | CVE description : The recv_msg_userauth_request function in svr-auth.c in Dropbear through 2018.76 is prone to a user enumeration vulnerability because username validity affects how fields in SSH_MSG_USERAUTH messages are handled, a similar issue to CVE-2018-15473 in an unrelated codebase. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dropbear: close all active clients on shutdownChristian Schoenebeck2018-07-161-0/+5
| | | | | | | | | | | | | | | | | | | | Override the default shutdown action (stop) and close all processes of dropbear Since commit 498fe85, the stop action only closes the process that's listening for new connections, maintaining the ones with existing clients. This poses a problem when restarting or shutting-down a device, because the connections with existing SSH clients, like OpenSSH, are not properly closed, causing them to hang. This situation can be avoided by closing all dropbear processes when shutting-down the system, which closes properly the connections with current clients. Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com> [Luis: Rework commit message] Signed-off-by: Luis Araneda <luaraneda@gmail.com>
* dropbear: compile with LTO enabledFelix Fietkau2018-07-132-2/+35
| | | | | | Reduces size of the .ipk on MIPS from 87k to 84k Signed-off-by: Felix Fietkau <nbd@nbd.name>
* dropbear: let opkg manage symlinks of ssh, scpYousong Zhou2018-06-251-3/+5
| | | | Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* dropbear: add option to set receive window sizeStijn Tintel2018-02-181-1/+4
| | | | | | | | | | | | | | | | | The default receive window size in dropbear is hardcoded to 24576 byte to limit memory usage. This value was chosen for 100Mbps networks, and limits the throughput of scp on faster networks. It also severely limits scp throughput on high-latency links. Add an option to set the receive window size so that people can improve performance without having to recompile dropbear. Setting the window size to the highest value supported by dropbear improves throughput from my build machine to an APU2 on the same LAN from 7MB/s to 7.9MB/s, and to an APU2 over a link with ~65ms latency from 320KB/s to 7.5MB/s. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* dropbear: disable MD5 HMAC and switch to sha1 fingerprintsMartin Schiller2017-12-122-3/+5
| | | | | | | | | | | | As MD5 is known weak for many years and more and more penetration test tools complain about enabled MD5 HMAC I think it's time to drop it. By disabling the MD5 HMAC support dropbear will also automatically use SHA1 for fingerprints. This shouldn't be a problem too. Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* add PKG_CPE_ID ids to package and toolsAlexander Couzens2017-11-171-0/+1
| | | | | | | | | | | CPE ids helps to tracks CVE in packages. https://cpe.mitre.org/specification/ Thanks to swalker for CPE to package mapping and keep tracking CVEs. Acked-by: Jo-Philipp Wich <jo@mein.io> Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* dropbear: fix PKG_CONFIG_DEPENDSHans Dedecker2017-10-061-1/+4
| | | | | | Add CONFIG_DROPBEAR_UTMP, CONFIG_DROPBEAR_PUTUTLINE to PKG_CONFIG_DEPENDS Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dropbear: make ssh compression support configurableMarcin Jurkowski2017-09-282-3/+13
| | | | | | | | | Adds config option to enable compression support which is usefull when using a terminal sessions over a slow link. Impact on binary size is negligible but additional 60 kB (uncompressed) is needed for a shared zlib library. Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
* Revert "dropbear: Link ssh and scp command to /bin instead of /usr/bin"John Crispin2017-08-311-3/+3
| | | | | | This reverts commit f7528ed0a8586434e18e9007b1bf0d05a18d6418. Signed-off-by: John Crispin <john@phrozen.org>
* dropbear: Link ssh and scp command to /bin instead of /usr/binRosen Penev2017-08-311-3/+3
| | | | | | | | ssh and scp commands interfere with OpenSSH when installed in /usr/bin . One use case is when installing dropbear to get root access when only OpenSSH is available (OpenSSH disallows root password logins). Once dropbear installs, it replaces OpenSSH's executables, even when removed with opkg. OpenSSH must be reinstalled to get them back. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* dropbear: add option to set max auth triesStijn Tintel2017-06-282-2/+4
| | | | | | | Add a uci option to set the new max auth tries paramater in dropbear. Set the default to 3, as 10 seems excessive. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>