From 5d27b10c61171e9974f5db01445acba5181e03b4 Mon Sep 17 00:00:00 2001
From: Konstantin Demin <rockdrilla@gmail.com>
Date: Mon, 25 Mar 2019 21:42:01 +0300
Subject: dropbear: introduce config option "keyfile" (replacement for
 "rsakeyfile")

* option "keyfile" is more generic than "rsakeyfile".
* option "rsakeyfile" is considered to be deprecated and should be removed
  in future releases.
* warn user (in syslog) if option "rsakeyfile" is used
* better check options ("rsakeyfile" and "keyfile"): don't append
  "-r keyfile" to command line if file is absent (doesn't exist or empty),
  warn user (in syslog) about such files

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
---
 .../network/services/dropbear/files/dropbear.init  | 57 +++++++++++++++++++++-
 1 file changed, 56 insertions(+), 1 deletion(-)

(limited to 'package')

diff --git a/package/network/services/dropbear/files/dropbear.init b/package/network/services/dropbear/files/dropbear.init
index 2ea637ee1a..506f7dac65 100755
--- a/package/network/services/dropbear/files/dropbear.init
+++ b/package/network/services/dropbear/files/dropbear.init
@@ -12,6 +12,54 @@ PIDCOUNT=0
 EXTRA_COMMANDS="killclients"
 EXTRA_HELP="	killclients Kill ${NAME} processes except servers and yourself"
 
+_dropbearkey()
+{
+	/usr/bin/dropbearkey "$@" 0<&- 1>&- 2>&-
+}
+
+# $1 - host key file name
+hk_verify()
+{
+	[ -f "$1" ] || return 1
+	[ -s "$1" ] || return 2
+	_dropbearkey -y -f "$1" || return 3
+	return 0
+}
+
+# $1 - hk_verify() return code
+hk_errmsg()
+{
+	case "$1" in
+	0) ;;
+	1) echo "file does not exist" ;;
+	2) echo "file has zero length" ;;
+	3) echo "file is not valid host key or not supported" ;;
+	*) echo "unknown error" ;;
+	esac
+}
+
+# $1 - config option
+# $2 - host key file name
+hk_config()
+{
+	local x m
+	hk_verify "$2"; x=$?
+	case "$x" in
+	0)	procd_append_param command -r "$2"
+		;;
+	*)	m=$(hk_errmsg "$x")
+		logger -t "${NAME}" -p daemon.warn \
+		  "option '$1', value '$2': $m, skipping"
+		;;
+	esac
+}
+
+# $1 - host key file name
+hk_config__keyfile()
+{
+	hk_config 'keyfile' "$1"
+}
+
 append_ports()
 {
 	local ipaddrs="$1"
@@ -37,6 +85,7 @@ validate_section_dropbear()
 		'RootPasswordAuth:bool:1' \
 		'RootLogin:bool:1' \
 		'rsakeyfile:file' \
+		'keyfile:list(file)' \
 		'BannerFile:file' \
 		'Port:list(port):22' \
 		'SSHKeepAlive:uinteger:300' \
@@ -74,7 +123,13 @@ dropbear_instance()
 	[ "${GatewayPorts}" -eq 1 ] && procd_append_param command -a
 	[ "${RootPasswordAuth}" -eq 0 ] && procd_append_param command -g
 	[ "${RootLogin}" -eq 0 ] && procd_append_param command -w
-	[ -n "${rsakeyfile}" ] && procd_append_param command -r "${rsakeyfile}"
+	if [ -n "${rsakeyfile}" ]; then
+		logger -t ${NAME} -p daemon.warn \
+			"option 'rsakeyfile' is considered to be deprecated and" \
+			"will be removed in future releases, use 'keyfile' instead"
+		hk_config 'rsakeyfile' "${rsakeyfile}"
+	fi
+	config_list_foreach "$1" "keyfile" hk_config__keyfile
 	[ -n "${BannerFile}" ] && procd_append_param command -b "${BannerFile}"
 	append_ports "${ipaddrs}" "${Port}"
 	[ "${IdleTimeout}" -ne 0 ] && procd_append_param command -I "${IdleTimeout}"
-- 
cgit v1.2.3