Diffstat (limited to 'package/network/services/dropbear')
7 files changed, 16 insertions, 414 deletions
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 12a836be37..35958d332c 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=dropbear
-PKG_VERSION:=2014.65
-PKG_RELEASE:=2
+PKG_VERSION:=2015.67
+PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
 	http://matt.ucc.asn.au/dropbear/releases/ \
 	https://dropbear.nl/mirror/releases/
-PKG_MD5SUM:=1918604238817385a156840fa2c39490
+PKG_MD5SUM:=e967e320344cd4bfebe321e3ab8514d6
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
diff --git a/package/network/services/dropbear/patches/001-dont_send_SSH_MSG_IMPLEMENTED.patch b/package/network/services/dropbear/patches/001-dont_send_SSH_MSG_IMPLEMENTED.patch
deleted file mode 100644
index fe222f5c50..0000000000
--- a/package/network/services/dropbear/patches/001-dont_send_SSH_MSG_IMPLEMENTED.patch
+++ /dev/null
@@ -1,58 +0,0 @@ - -# HG changeset patch -# User Matt Johnston <matt@ucc.asn.au> -# Date 1407937727 -28800 -# Node ID f7f6c15b0ec30b0def69c9ccbb3dc4eb97374abc -# Parent 02821319ab1f1208b7ab5de4af82a562c386d40d -Don't send SSH_MSG_UNIMPLEMENTED for keepalive responses - -diff -r 02821319ab1f -r f7f6c15b0ec3 cli-session.c ---- a/cli-session.c Fri Aug 08 21:53:47 2014 +0800 -+++ b/cli-session.c Wed Aug 13 21:48:47 2014 +0800 -@@ -73,6 +73,8 @@ - #ifdef ENABLE_CLI_REMOTETCPFWD - {SSH_MSG_REQUEST_SUCCESS, cli_recv_msg_request_success}, /* client */ - {SSH_MSG_REQUEST_FAILURE, cli_recv_msg_request_failure}, /* client */ -+#else -+ {SSH_MSG_REQUEST_FAILURE, ignore_recv_msg_request_failure}, /* for keepalive */ - #endif - {0, 0} /* End */ - }; -diff -r 02821319ab1f -r f7f6c15b0ec3 common-session.c ---- a/common-session.c Fri Aug 08 21:53:47 2014 +0800 -+++ b/common-session.c Wed Aug 13 21:48:47 2014 +0800 -@@ -394,6 +394,11 @@ - return pos+1; - } - -+void ignore_recv_msg_request_failure() { -+ // Do nothing -+ TRACE(("Ignored msg_request_failure")) -+} -+ - static void send_msg_keepalive() { - CHECKCLEARTOWRITE(); - time_t old_time_idle = ses.last_packet_time_idle; -diff -r 02821319ab1f -r f7f6c15b0ec3 session.h ---- a/session.h Fri Aug 08 21:53:47 2014 +0800 -+++ b/session.h Wed Aug 13 21:48:47 2014 +0800 -@@ -47,6 +47,7 @@ - void session_cleanup(); - void send_session_identification(); - void send_msg_ignore(); -+void ignore_recv_msg_request_failure(); - - void update_channel_prio(); - -diff -r 02821319ab1f -r f7f6c15b0ec3 svr-session.c ---- a/svr-session.c Fri Aug 08 21:53:47 2014 +0800 -+++ b/svr-session.c Wed Aug 13 21:48:47 2014 +0800 -@@ -58,6 +58,7 @@ - {SSH_MSG_CHANNEL_OPEN, recv_msg_channel_open}, - {SSH_MSG_CHANNEL_EOF, recv_msg_channel_eof}, - {SSH_MSG_CHANNEL_CLOSE, recv_msg_channel_close}, -+ {SSH_MSG_REQUEST_FAILURE, ignore_recv_msg_request_failure}, /* for keepalive */ - #ifdef USING_LISTENERS - {SSH_MSG_CHANNEL_OPEN_CONFIRMATION, 
recv_msg_channel_open_confirmation}, - {SSH_MSG_CHANNEL_OPEN_FAILURE, recv_msg_channel_open_failure}, - diff --git a/package/network/services/dropbear/patches/002-match_keepalive_to_OpenSSH.patch b/package/network/services/dropbear/patches/002-match_keepalive_to_OpenSSH.patch deleted file mode 100644 index b8cb2d0698..0000000000 --- a/package/network/services/dropbear/patches/002-match_keepalive_to_OpenSSH.patch +++ /dev/null 
@@ -1,333 +0,0 @@ - -# HG changeset patch -# User Matt Johnston <matt@ucc.asn.au> -# Date 1408460936 -28800 -# Node ID 0bb16232e7c4162daa43e8618521cf453847ac16 -# Parent 939944f0fca9b2dcdf8470bb24efcc37a3843e8b -Make keepalive handling more robust, this should now match what OpenSSH does - -diff -r 939944f0fca9 -r 0bb16232e7c4 LICENSE ---- a/LICENSE Wed Aug 13 22:07:43 2014 +0800 -+++ b/LICENSE Tue Aug 19 23:08:56 2014 +0800 -@@ -8,7 +8,7 @@ - Portions of the client-mode work are (c) 2004 Mihnea Stoenescu, under the - same license: - --Copyright (c) 2002-2013 Matt Johnston -+Copyright (c) 2002-2014 Matt Johnston - Portions copyright (c) 2004 Mihnea Stoenescu - All rights reserved. - -diff -r 939944f0fca9 -r 0bb16232e7c4 auth.h ---- a/auth.h Wed Aug 13 22:07:43 2014 +0800 -+++ b/auth.h Tue Aug 19 23:08:56 2014 +0800 -@@ -106,7 +106,7 @@ - valid */ - unsigned int failcount; /* Number of (failed) authentication attempts.*/ - unsigned authdone : 1; /* 0 if we haven't authed, 1 if we have. Applies for -- client and server (though has differing [obvious] -+ client and server (though has differing - meanings). */ - unsigned perm_warn : 1; /* Server only, set if bad permissions on - ~/.ssh/authorized_keys have already been -diff -r 939944f0fca9 -r 0bb16232e7c4 channel.h ---- a/channel.h Wed Aug 13 22:07:43 2014 +0800 -+++ b/channel.h Tue Aug 19 23:08:56 2014 +0800 -@@ -105,6 +105,9 @@ - void setchannelfds(fd_set *readfd, fd_set *writefd); - void channelio(fd_set *readfd, fd_set *writefd); - struct Channel* getchannel(); -+/* Returns an arbitrary channel that is in a ready state - not -+being initialised and no EOF in either direction. NULL if none. 
*/ -+struct Channel* get_any_ready_channel(); - - void recv_msg_channel_open(); - void recv_msg_channel_request(); -@@ -128,8 +131,10 @@ - void recv_msg_channel_open_confirmation(); - void recv_msg_channel_open_failure(); - #endif -+void start_send_channel_request(struct Channel *channel, unsigned char *type); - - void send_msg_request_success(); - void send_msg_request_failure(); - -+ - #endif /* _CHANNEL_H_ */ -diff -r 939944f0fca9 -r 0bb16232e7c4 chansession.h ---- a/chansession.h Wed Aug 13 22:07:43 2014 +0800 -+++ b/chansession.h Tue Aug 19 23:08:56 2014 +0800 -@@ -89,7 +89,6 @@ - #ifdef ENABLE_CLI_NETCAT - void cli_send_netcat_request(); - #endif --void cli_start_send_channel_request(struct Channel *channel, unsigned char *type); - - void svr_chansessinitialise(); - extern const struct ChanType svrchansess; -diff -r 939944f0fca9 -r 0bb16232e7c4 cli-agentfwd.c ---- a/cli-agentfwd.c Wed Aug 13 22:07:43 2014 +0800 -+++ b/cli-agentfwd.c Tue Aug 19 23:08:56 2014 +0800 -@@ -234,7 +234,7 @@ - return; - } - -- cli_start_send_channel_request(channel, "auth-agent-req@openssh.com"); -+ start_send_channel_request(channel, "auth-agent-req@openssh.com"); - /* Don't want replies */ - buf_putbyte(ses.writepayload, 0); - encrypt_packet(); -diff -r 939944f0fca9 -r 0bb16232e7c4 cli-chansession.c ---- a/cli-chansession.c Wed Aug 13 22:07:43 2014 +0800 -+++ b/cli-chansession.c Tue Aug 19 23:08:56 2014 +0800 -@@ -92,17 +92,6 @@ - } - } - --void cli_start_send_channel_request(struct Channel *channel, -- unsigned char *type) { -- -- CHECKCLEARTOWRITE(); -- buf_putbyte(ses.writepayload, SSH_MSG_CHANNEL_REQUEST); -- buf_putint(ses.writepayload, channel->remotechan); -- -- buf_putstring(ses.writepayload, type, strlen(type)); -- --} -- - /* Taken from OpenSSH's sshtty.c: - * RCSID("OpenBSD: sshtty.c,v 1.5 2003/09/19 17:43:35 markus Exp "); */ - static void cli_tty_setup() { -@@ -287,7 +276,7 @@ - - TRACE(("enter send_chansess_pty_req")) - -- cli_start_send_channel_request(channel, 
"pty-req"); -+ start_send_channel_request(channel, "pty-req"); - - /* Don't want replies */ - buf_putbyte(ses.writepayload, 0); -@@ -330,7 +319,7 @@ - reqtype = "shell"; - } - -- cli_start_send_channel_request(channel, reqtype); -+ start_send_channel_request(channel, reqtype); - - /* XXX TODO */ - buf_putbyte(ses.writepayload, 0); /* Don't want replies */ -diff -r 939944f0fca9 -r 0bb16232e7c4 cli-session.c ---- a/cli-session.c Wed Aug 13 22:07:43 2014 +0800 -+++ b/cli-session.c Tue Aug 19 23:08:56 2014 +0800 -@@ -70,11 +70,15 @@ - {SSH_MSG_USERAUTH_BANNER, recv_msg_userauth_banner}, /* client */ - {SSH_MSG_USERAUTH_SPECIFIC_60, recv_msg_userauth_specific_60}, /* client */ - {SSH_MSG_GLOBAL_REQUEST, recv_msg_global_request_cli}, -+ {SSH_MSG_CHANNEL_SUCCESS, ignore_recv_response}, -+ {SSH_MSG_CHANNEL_FAILURE, ignore_recv_response}, - #ifdef ENABLE_CLI_REMOTETCPFWD - {SSH_MSG_REQUEST_SUCCESS, cli_recv_msg_request_success}, /* client */ - {SSH_MSG_REQUEST_FAILURE, cli_recv_msg_request_failure}, /* client */ - #else -- {SSH_MSG_REQUEST_FAILURE, ignore_recv_msg_request_failure}, /* for keepalive */ -+ /* For keepalive */ -+ {SSH_MSG_REQUEST_SUCCESS, ignore_recv_response}, -+ {SSH_MSG_REQUEST_FAILURE, ignore_recv_response}, - #endif - {0, 0} /* End */ - }; -diff -r 939944f0fca9 -r 0bb16232e7c4 common-channel.c ---- a/common-channel.c Wed Aug 13 22:07:43 2014 +0800 -+++ b/common-channel.c Tue Aug 19 23:08:56 2014 +0800 -@@ -627,7 +627,12 @@ - && !channel->close_handler_done) { - channel->type->reqhandler(channel); - } else { -- send_msg_channel_failure(channel); -+ int wantreply; -+ buf_eatstring(ses.payload); -+ wantreply = buf_getbool(ses.payload); -+ if (wantreply) { -+ send_msg_channel_failure(channel); -+ } - } - - TRACE(("leave recv_msg_channel_request")) -@@ -1134,3 +1139,30 @@ - buf_putbyte(ses.writepayload, SSH_MSG_REQUEST_FAILURE); - encrypt_packet(); - } -+ -+struct Channel* get_any_ready_channel() { -+ if (ses.chancount == 0) { -+ return NULL; -+ } -+ size_t i; 
-+ for (i = 0; i < ses.chansize; i++) { -+ struct Channel *chan = ses.channels[i]; -+ if (chan -+ && !(chan->sent_eof || chan->recv_eof) -+ && !(chan->await_open || chan->initconn)) { -+ return chan; -+ } -+ } -+ return NULL; -+} -+ -+void start_send_channel_request(struct Channel *channel, -+ unsigned char *type) { -+ -+ CHECKCLEARTOWRITE(); -+ buf_putbyte(ses.writepayload, SSH_MSG_CHANNEL_REQUEST); -+ buf_putint(ses.writepayload, channel->remotechan); -+ -+ buf_putstring(ses.writepayload, type, strlen(type)); -+ -+} -diff -r 939944f0fca9 -r 0bb16232e7c4 common-session.c ---- a/common-session.c Wed Aug 13 22:07:43 2014 +0800 -+++ b/common-session.c Tue Aug 19 23:08:56 2014 +0800 -@@ -394,19 +394,30 @@ - return pos+1; - } - --void ignore_recv_msg_request_failure() { -+void ignore_recv_response() { - // Do nothing -- TRACE(("Ignored msg_request_failure")) -+ TRACE(("Ignored msg_request_response")) - } - - static void send_msg_keepalive() { - CHECKCLEARTOWRITE(); - time_t old_time_idle = ses.last_packet_time_idle; -- /* Try to force a response from the other end. Some peers will -- reply with SSH_MSG_REQUEST_FAILURE, some will reply with SSH_MSG_UNIMPLEMENTED */ -- buf_putbyte(ses.writepayload, SSH_MSG_GLOBAL_REQUEST); -- /* A short string */ -- buf_putstring(ses.writepayload, "k@dropbear.nl", 0); -+ -+ struct Channel *chan = get_any_ready_channel(); -+ -+ if (chan) { -+ /* Channel requests are preferable, more implementations -+ handle them than SSH_MSG_GLOBAL_REQUEST */ -+ TRACE(("keepalive channel request %d", chan->index)) -+ start_send_channel_request(chan, DROPBEAR_KEEPALIVE_STRING); -+ } else { -+ TRACE(("keepalive global request")) -+ /* Some peers will reply with SSH_MSG_REQUEST_FAILURE, -+ some will reply with SSH_MSG_UNIMPLEMENTED, some will exit. 
*/ -+ buf_putbyte(ses.writepayload, SSH_MSG_GLOBAL_REQUEST); -+ buf_putstring(ses.writepayload, DROPBEAR_KEEPALIVE_STRING, -+ strlen(DROPBEAR_KEEPALIVE_STRING)); -+ } - buf_putbyte(ses.writepayload, 1); /* want_reply */ - encrypt_packet(); - -@@ -435,7 +446,10 @@ - send_msg_kexinit(); - } - -- if (opts.keepalive_secs > 0) { -+ if (opts.keepalive_secs > 0 && ses.authstate.authdone) { -+ /* Avoid sending keepalives prior to auth - those are -+ not valid pre-auth packet types */ -+ - /* Send keepalives if we've been idle */ - if (now - ses.last_packet_time_any_sent >= opts.keepalive_secs) { - send_msg_keepalive(); -diff -r 939944f0fca9 -r 0bb16232e7c4 session.h ---- a/session.h Wed Aug 13 22:07:43 2014 +0800 -+++ b/session.h Tue Aug 19 23:08:56 2014 +0800 -@@ -47,7 +47,7 @@ - void session_cleanup(); - void send_session_identification(); - void send_msg_ignore(); --void ignore_recv_msg_request_failure(); -+void ignore_recv_response(); - - void update_channel_prio(); - -diff -r 939944f0fca9 -r 0bb16232e7c4 svr-chansession.c ---- a/svr-chansession.c Wed Aug 13 22:07:43 2014 +0800 -+++ b/svr-chansession.c Tue Aug 19 23:08:56 2014 +0800 -@@ -53,6 +53,7 @@ - static void closechansess(struct Channel *channel); - static int newchansess(struct Channel *channel); - static void chansessionrequest(struct Channel *channel); -+static int sesscheckclose(struct Channel *channel); - - static void send_exitsignalstatus(struct Channel *channel); - static void send_msg_chansess_exitstatus(struct Channel * channel, -@@ -61,6 +62,14 @@ - struct ChanSess * chansess); - static void get_termmodes(struct ChanSess *chansess); - -+const struct ChanType svrchansess = { -+ 0, /* sepfds */ -+ "session", /* name */ -+ newchansess, /* inithandler */ -+ sesscheckclose, /* checkclosehandler */ -+ chansessionrequest, /* reqhandler */ -+ closechansess, /* closehandler */ -+}; - - /* required to clear environment */ - extern char** environ; -@@ -968,16 +977,6 @@ - dropbear_exit("Child failed"); - } - 
--const struct ChanType svrchansess = { -- 0, /* sepfds */ -- "session", /* name */ -- newchansess, /* inithandler */ -- sesscheckclose, /* checkclosehandler */ -- chansessionrequest, /* reqhandler */ -- closechansess, /* closehandler */ --}; -- -- - /* Set up the general chansession environment, in particular child-exit - * handling */ - void svr_chansessinitialise() { -diff -r 939944f0fca9 -r 0bb16232e7c4 svr-main.c ---- a/svr-main.c Wed Aug 13 22:07:43 2014 +0800 -+++ b/svr-main.c Tue Aug 19 23:08:56 2014 +0800 -@@ -409,7 +409,7 @@ - size_t sockpos = 0; - int nsock; - -- TRACE(("listensockets: %d to try\n", svr_opts.portcount)) -+ TRACE(("listensockets: %d to try", svr_opts.portcount)) - - for (i = 0; i < svr_opts.portcount; i++) { - -diff -r 939944f0fca9 -r 0bb16232e7c4 svr-session.c ---- a/svr-session.c Wed Aug 13 22:07:43 2014 +0800 -+++ b/svr-session.c Tue Aug 19 23:08:56 2014 +0800 -@@ -58,7 +58,10 @@ - {SSH_MSG_CHANNEL_OPEN, recv_msg_channel_open}, - {SSH_MSG_CHANNEL_EOF, recv_msg_channel_eof}, - {SSH_MSG_CHANNEL_CLOSE, recv_msg_channel_close}, -- {SSH_MSG_REQUEST_FAILURE, ignore_recv_msg_request_failure}, /* for keepalive */ -+ {SSH_MSG_CHANNEL_SUCCESS, ignore_recv_response}, -+ {SSH_MSG_CHANNEL_FAILURE, ignore_recv_response}, -+ {SSH_MSG_REQUEST_FAILURE, ignore_recv_response}, /* for keepalive */ -+ {SSH_MSG_REQUEST_SUCCESS, ignore_recv_response}, /* client */ - #ifdef USING_LISTENERS - {SSH_MSG_CHANNEL_OPEN_CONFIRMATION, recv_msg_channel_open_confirmation}, - {SSH_MSG_CHANNEL_OPEN_FAILURE, recv_msg_channel_open_failure}, -diff -r 939944f0fca9 -r 0bb16232e7c4 sysoptions.h ---- a/sysoptions.h Wed Aug 13 22:07:43 2014 +0800 -+++ b/sysoptions.h Tue Aug 19 23:08:56 2014 +0800 -@@ -257,4 +257,7 @@ - #define DROPBEAR_LISTEN_BACKLOG MAX_CHANNELS - #endif - -+/* Use this string since some implementations might special-case it */ -+#define DROPBEAR_KEEPALIVE_STRING "keepalive@openssh.com" -+ - /* no include guard for this file */ - 
diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch
index 44bfe14c3d..7982af6315 100644
--- a/package/network/services/dropbear/patches/110-change_user.patch
+++ b/package/network/services/dropbear/patches/110-change_user.patch
@@ -1,6 +1,6 @@
 --- a/svr-chansession.c
 +++ b/svr-chansession.c
-@@ -902,12 +902,12 @@ static void execchild(void *user_data) {
+@@ -920,12 +920,12 @@ static void execchild(void *user_data) {
  	/* We can only change uid/gid as root ... */
  	if (getuid() == 0) {
diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch
index 1b5c5cb1e8..48dae73b1f 100644
--- a/package/network/services/dropbear/patches/120-openwrt_options.patch
+++ b/package/network/services/dropbear/patches/120-openwrt_options.patch
@@ -18,27 +18,20 @@
  /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
  #define ENABLE_USER_ALGO_LIST
-@@ -95,8 +95,8 @@ much traffic. */
- #define DROPBEAR_AES256
- /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
- /*#define DROPBEAR_BLOWFISH*/
--#define DROPBEAR_TWOFISH256
--#define DROPBEAR_TWOFISH128
-+/*#define DROPBEAR_TWOFISH256
-+#define DROPBEAR_TWOFISH128*/
- 
- /* Enable "Counter Mode" for ciphers. This is more secure than normal
-  * CBC mode against certain attacks. This adds around 1kB to binary
-@@ -122,7 +122,7 @@ much traffic. */
+@@ -126,9 +126,9 @@ much traffic. */
   * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
   * which are not the standard form. */
  #define DROPBEAR_SHA1_HMAC
 -#define DROPBEAR_SHA1_96_HMAC
+-#define DROPBEAR_SHA2_256_HMAC
+-#define DROPBEAR_SHA2_512_HMAC
 +/*#define DROPBEAR_SHA1_96_HMAC*/
- /*#define DROPBEAR_SHA2_256_HMAC*/
- /*#define DROPBEAR_SHA2_512_HMAC*/
++/*#define DROPBEAR_SHA2_256_HMAC*/
++/*#define DROPBEAR_SHA2_512_HMAC*/
  #define DROPBEAR_MD5_HMAC
-@@ -175,7 +175,7 @@ much traffic. */
+ 
+ /* You can also disable integrity. Don't bother disabling this if you're
+@@ -184,7 +184,7 @@ much traffic. */
  /* Whether to print the message of the day (MOTD). This doesn't add much code
   * size */
@@ -47,7 +40,7 @@
  /* The MOTD file path */
  #ifndef MOTD_FILENAME
-@@ -213,7 +213,7 @@ much traffic. */
+@@ -226,7 +226,7 @@ much traffic. */
   * note that it will be provided for all "hidden" client-interactive
   * style prompts - if you want something more sophisticated, use
   * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch
index 0a5e8ba9a0..edb29093ae 100644
--- a/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch
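Review bot: Commenting out `DROPBEAR_SHA2_256_HMAC` and `DROPBEAR_SHA2_512_HMAC` in the refreshed `+@@ -126,9 +126,9 @@` hunk (the new `+-#define DROPBEAR_SHA2_256_HMAC` / `++/*#define DROPBEAR_SHA2_256_HMAC*/` pairs) leaves the build offering only hmac-sha1 and hmac-md5, since `DROPBEAR_SHA1_96_HMAC` is already disabled by the retained `+/*#define DROPBEAR_SHA1_96_HMAC*/` line. The inner `-#define` lines show that upstream 2015.67 now enables both SHA-2 MACs by default, so this is a deliberate downgrade relative to upstream rather than a rebase, and clients pinned to `MACs hmac-sha2-256,hmac-sha2-512` will fail to negotiate against the router. I would keep at least SHA2-256 by dropping the `-#define DROPBEAR_SHA2_256_HMAC` / `+/*#define DROPBEAR_SHA2_256_HMAC*/` pair from the patch, and if binary size is the reason for disabling SHA2-512, record it beside the remaining line, e.g. `/*#define DROPBEAR_SHA2_512_HMAC*/ /* OpenWrt: disabled to save flash */`. The Twofish hunk removed at the top of this hunk presumably reflects a changed upstream default in 2015.67; worth confirming against the new options.h so the shipped cipher list is the intended one.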
+++ b/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch
@@ -1,6 +1,6 @@
 --- a/cli-runopts.c
 +++ b/cli-runopts.c
-@@ -312,6 +312,10 @@ void cli_getopts(int argc, char ** argv)
+@@ -315,6 +315,10 @@ void cli_getopts(int argc, char ** argv)
  			debug_trace = 1;
  			break;
  #endif
@@ -11,7 +11,7 @@
  			case 'F':
  			case 'e':
  #ifndef ENABLE_USER_ALGO_LIST
-@@ -329,7 +333,6 @@ void cli_getopts(int argc, char ** argv)
+@@ -332,7 +336,6 @@ void cli_getopts(int argc, char ** argv)
  			print_version();
  			exit(EXIT_SUCCESS);
  			break;
diff --git a/package/network/services/dropbear/patches/500-set-default-path.patch b/package/network/services/dropbear/patches/500-set-default-path.patch
index f4cbdeea44..e2add9415f 100644
--- a/package/network/services/dropbear/patches/500-set-default-path.patch
+++ b/package/network/services/dropbear/patches/500-set-default-path.patch
@@ -1,6 +1,6 @@
 --- a/options.h
 +++ b/options.h
-@@ -323,7 +323,7 @@ be overridden at runtime with -I. 0 disa
+@@ -336,7 +336,7 @@ be overridden at runtime with -I. 0 disa
  #define DEFAULT_IDLE_TIMEOUT 0
  /* The default path. This will often get replaced by the shell */ |