domenico/openwrt-armor-g5
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit
Some checks failed
Build Kernel / Build all affected Kernels (push) Has been cancelled
Details
Build all core packages / Build all core packages for selected target (push) Has been cancelled
Details
Build and Push prebuilt tools container / Build and Push all prebuilt containers (push) Has been cancelled
Details
Build Toolchains / Build Toolchains for each target (push) Has been cancelled
Details
Build host tools / Build host tools for linux and macos based systems (push) Has been cancelled
Details
Coverity scan build / Coverity x86/64 build (push) Has been cancelled
Details

Browse Source
This commit is contained in:
domenico
2025-06-24 12:51:15 +02:00
commit 27c9d80f51
10493 changed files with 1885777 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

196
package/network/services/dropbear/Config.in Normal file
View File

@@ -0,0 +1,196 @@
menu "Configuration"
depends on PACKAGE_dropbear
config DROPBEAR_CURVE25519
bool "Curve25519 support"
default y
help
This enables the following key exchange algorithm:
curve25519-sha256@libssh.org
Increases binary size by about 4 kB (MIPS).
config DROPBEAR_ECC
bool "Elliptic curve cryptography (ECC)"
help
Enables basic support for elliptic curve cryptography (ECC)
in key exchange and public key authentication.
Key exchange algorithms:
ecdh-sha2-nistp256
Public key algorithms:
ecdsa-sha2-nistp256
Increases binary size by about 24 kB (MIPS).
Note: select DROPBEAR_ECC_FULL if full ECC support is required.
config DROPBEAR_ECC_FULL
bool "Elliptic curve cryptography (ECC), full support"
depends on DROPBEAR_ECC
help
Enables full support for elliptic curve cryptography (ECC)
in key exchange and public key authentication.
Key exchange algorithms:
ecdh-sha2-nistp256 (*)
ecdh-sha2-nistp384
ecdh-sha2-nistp521
Public key algorithms:
ecdsa-sha2-nistp256 (*)
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
(*) - basic ECC support; provided by DROPBEAR_ECC.
Increases binary size by about 4 kB (MIPS).
config DROPBEAR_ED25519
bool "Ed25519 support"
default y if !SMALL_FLASH
help
This enables the following public key algorithm:
ssh-ed25519
Increases binary size by about 12 kB (MIPS).
config DROPBEAR_CHACHA20POLY1305
bool "Chacha20-Poly1305 support"
default y
help
This enables the following authenticated encryption cipher:
chacha20-poly1305@openssh.com
Increases binary size by about 4 kB (MIPS).
config DROPBEAR_U2F
bool "U2F/FIDO support"
default y
help
This option itself doesn't enable any support for U2F/FIDO
but subordinate options do:
- DROPBEAR_ECDSA_SK - ecdsa-sk keys support
depends on DROPBEAR_ECC ("Elliptic curve cryptography (ECC)")
- DROPBEAR_ED25519_SK - ed25519-sk keys support
depends on DROPBEAR_ED25519 ("Ed25519 support")
config DROPBEAR_ECDSA_SK
bool "ECDSA-SK support"
default y
depends on DROPBEAR_U2F && DROPBEAR_ECC
help
This enables the following public key algorithm:
sk-ecdsa-sha2-nistp256@openssh.com
config DROPBEAR_ED25519_SK
bool "Ed25519-SK support"
default y
depends on DROPBEAR_U2F && DROPBEAR_ED25519
help
This enables the following public key algorithm:
sk-ssh-ed25519@openssh.com
config DROPBEAR_ZLIB
bool "Enable compression"
help
Enables compression using shared zlib library.
Increases binary size by about 0.1 kB (MIPS) and requires
additional 62 kB (MIPS) for a shared zlib library.
config DROPBEAR_UTMP
bool "Utmp support"
depends on BUSYBOX_CONFIG_FEATURE_UTMP
help
This enables dropbear utmp support, the file /var/run/utmp is
used to track who is currently logged in.
config DROPBEAR_PUTUTLINE
bool "Pututline support"
depends on DROPBEAR_UTMP
help
Dropbear will use pututline() to write the utmp structure into
the utmp file.
config DROPBEAR_DBCLIENT
bool "Build dropbear with dbclient"
default y
config DROPBEAR_ASKPASS
bool "Enable askpass helper support"
depends on DROPBEAR_DBCLIENT
help
This enables support for ssh-askpass helper in dropbear client
in order to authenticate on remote hosts.
Increases binary size by about 0.1 kB (MIPS).
config DROPBEAR_DBCLIENT_AGENTFORWARD
bool "Enable agent forwarding in dbclient [LEGACY/SECURITY]"
default y
depends on DROPBEAR_DBCLIENT
help
Increases binary size by about 0.1 kB (MIPS).
Security notes:
SSH agent forwarding might cause security issues (locally and
on the jump machine).
Hovewer, it's enabled by default for compatibility with
previous OpenWrt/dropbear releases.
Consider DISABLING this option if you're building own OpenWrt
image.
Also see DROPBEAR_AGENTFORWARD (agent forwarding in dropbear
server itself).
config DROPBEAR_SCP
bool "Build dropbear with scp"
default y
config DROPBEAR_AGENTFORWARD
bool "Enable agent forwarding [LEGACY/SECURITY]"
default y
help
Increases binary size by about 0.1 kB (MIPS).
Security notes:
SSH agent forwarding might cause security issues (locally and
on the jump machine).
Hovewer, it's enabled by default for compatibility with
previous OpenWrt/dropbear releases.
Consider DISABLING this option if you're building own OpenWrt
image.
Also see DROPBEAR_DBCLIENT_AGENTFORWARD (agent forwarding in
dropbear client) if DROPBEAR_DBCLIENT is selected.
config DROPBEAR_MODERN_ONLY
bool "Use modern crypto only [BREAKS COMPATIBILITY]"
select DROPBEAR_ED25519
select DROPBEAR_CURVE25519
select DROPBEAR_CHACHA20POLY1305
help
This option enables:
- Chacha20-Poly1305
- Curve25519
- Ed25519
and disables:
- AES
- RSA
Reduces binary size by about 64 kB (MIPS) from default
configuration.
Consider enabling this option if you're building own OpenWrt
image and using modern SSH software everywhere.
endmenu

239
package/network/services/dropbear/Makefile Normal file
View File

@@ -0,0 +1,239 @@
#
# Copyright (C) 2006-2020 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=dropbear
PKG_VERSION:=2024.85
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:= \
https://matt.ucc.asn.au/dropbear/releases/ \
https://dropbear.nl/mirror/releases/
PKG_HASH:=86b036c433a69d89ce51ebae335d65c47738ccf90d13e5eb0fea832e556da502
PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
PKG_CPE_ID:=cpe:/a:dropbear_ssh_project:dropbear_ssh
PKG_BUILD_PARALLEL:=1
PKG_ASLR_PIE_REGULAR:=1
PKG_BUILD_FLAGS:=no-mips16 gc-sections lto
PKG_FIXUP:=autoreconf
PKG_FLAGS:=nonshared
PKG_CONFIG_DEPENDS:= \
CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \
CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \
CONFIG_DROPBEAR_U2F CONFIG_DROPBEAR_ECDSA_SK CONFIG_DROPBEAR_ED25519_SK \
CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS \
CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD CONFIG_DROPBEAR_AGENTFORWARD \
CONFIG_DROPBEAR_MODERN_ONLY
include $(INCLUDE_DIR)/package.mk
ifneq ($(DUMP),1)
STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell echo $(CONFIG_TARGET_INIT_PATH) | $(MKHASH) md5)
endif
define Package/dropbear/Default
URL:=https://matt.ucc.asn.au/dropbear/
endef
define Package/dropbear/config
source "$(SOURCE)/Config.in"
endef
define Package/dropbear
$(call Package/dropbear/Default)
SECTION:=net
CATEGORY:=Base system
TITLE:=Small SSH2 client/server
DEPENDS:= +DROPBEAR_ZLIB:zlib
ALTERNATIVES:=100:/usr/bin/ssh-keygen:/usr/sbin/dropbear
$(if $(CONFIG_DROPBEAR_SCP),ALTERNATIVES+= \
100:/usr/bin/scp:/usr/sbin/dropbear,)
$(if $(CONFIG_DROPBEAR_DBCLIENT),ALTERNATIVES+= \
100:/usr/bin/ssh:/usr/sbin/dropbear,)
endef
define Package/dropbear/description
A small SSH2 server/client designed for small memory environments.
endef
define Package/dropbear/conffiles
/etc/config/dropbear
/etc/dropbear/authorized_keys
/etc/dropbear/dropbear_ecdsa_host_key
/etc/dropbear/dropbear_ed25519_host_key
/etc/dropbear/dropbear_rsa_host_key
endef
define Package/dropbearconvert
$(call Package/dropbear/Default)
SECTION:=utils
CATEGORY:=Utilities
TITLE:=Utility for converting SSH keys
DEPENDS:= +DROPBEAR_ZLIB:zlib
endef
CONFIGURE_ARGS += \
--disable-pam \
--enable-openpty \
--enable-syslog \
--disable-lastlog \
--disable-utmpx \
$(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp) \
--disable-wtmp \
--disable-wtmpx \
--disable-loginfunc \
$(if $(CONFIG_DROPBEAR_PUTUTLINE),,--disable-pututline) \
--disable-pututxline \
$(if $(CONFIG_DROPBEAR_ZLIB),,--disable-zlib) \
--enable-bundled-libtom
##############################################################################
#
# option,value - add option to localoptions.h
# !!option,value - replace option in src/sysoptions.h
#
##############################################################################
# adjust allowed shell list (if getusershell(3) is missing):
# - COMPAT_USER_SHELLS
# remove protocol idented software version number:
# - LOCAL_IDENT
# disable legacy/unsafe methods and unused functionality:
# - DROPBEAR_CLI_NETCAT
# - DROPBEAR_DSS
# - DO_MOTD
# - DROPBEAR_DH_GROUP14_SHA1
# - DROPBEAR_SHA1_HMAC
DB_OPT_COMMON = \
!!LOCAL_IDENT,"SSH-2.0-dropbear" \
COMPAT_USER_SHELLS,"/bin/ash","/bin/sh" \
DEFAULT_PATH,"$(TARGET_INIT_PATH)" \
DEFAULT_ROOT_PATH,"$(TARGET_INIT_PATH)" \
DROPBEAR_DSS,0 \
DROPBEAR_CLI_NETCAT,0 \
DO_MOTD,0 \
DROPBEAR_DH_GROUP14_SHA1,0 \
DROPBEAR_SHA1_HMAC,0 \
##############################################################################
#
# option,config,enabled,disabled = add option to localoptions.h
# !!option,config,enabled,disabled = replace option in src/sysoptions.h
#
# option := (config) ? enabled : disabled
#
##############################################################################
DB_OPT_CONFIG = \
!!DROPBEAR_ECC_384,CONFIG_DROPBEAR_ECC_FULL,1,0 \
!!DROPBEAR_ECC_521,CONFIG_DROPBEAR_ECC_FULL,1,0 \
DROPBEAR_CURVE25519,CONFIG_DROPBEAR_CURVE25519,1,0 \
DROPBEAR_CHACHA20POLY1305,CONFIG_DROPBEAR_CHACHA20POLY1305,1,0 \
DROPBEAR_ED25519,CONFIG_DROPBEAR_ED25519,1,0 \
DROPBEAR_ECDSA,CONFIG_DROPBEAR_ECC,1,0 \
DROPBEAR_ECDH,CONFIG_DROPBEAR_ECC,1,0 \
DROPBEAR_SK_KEYS,CONFIG_DROPBEAR_U2F,1,0 \
DROPBEAR_SK_ECDSA,CONFIG_DROPBEAR_ECDSA_SK,1,0 \
DROPBEAR_SK_ED25519,CONFIG_DROPBEAR_ED25519_SK,1,0 \
DROPBEAR_CLI_ASKPASS_HELPER,CONFIG_DROPBEAR_ASKPASS,1,0 \
DROPBEAR_CLI_AGENTFWD,CONFIG_DROPBEAR_DBCLIENT_AGENTFORWARD,1,0 \
DROPBEAR_SVR_AGENTFWD,CONFIG_DROPBEAR_AGENTFORWARD,1,0 \
DROPBEAR_AES128,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
DROPBEAR_AES256,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
DROPBEAR_ENABLE_CTR_MODE,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
DROPBEAR_RSA,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
DROPBEAR_RSA_SHA1,CONFIG_DROPBEAR_MODERN_ONLY,0,1 \
TARGET_CFLAGS += -DARGTYPE=3
xsedx:=$(shell printf '\027')
db_opt_add =echo '\#define $(1) $(2)' >> $(PKG_BUILD_DIR)/localoptions.h
db_opt_replace =$(ESED) '/^\#define $(1) .*$$$$/{h;:a;$$$$!n;/^\#.+$$$$/bb;/^$$$$/bb;H;ba;:b;x;s$(xsedx)^.+$$$$$(xsedx)\#define $(1) $(2)$(xsedx)p;x};p' -n $(PKG_BUILD_DIR)/src/sysoptions.h
define Build/Configure/dropbear_headers
$(strip $(foreach s,$(DB_OPT_COMMON), \
$(if $(filter !!%,$(word 1,$(subst $(comma),$(space),$(s)))), \
$(call db_opt_replace,$(patsubst !!%,%,$(word 1,$(subst $(comma),$(space),$(s)))),$(subst $(space),$(comma),$(wordlist 2,$(words $(subst $(comma),$(space),$(s))),$(subst $(comma),$(space),$(s))))), \
$(call db_opt_add,$(word 1,$(subst $(comma),$(space),$(s))),$(subst $(space),$(comma),$(wordlist 2,$(words $(subst $(comma),$(space),$(s))),$(subst $(comma),$(space),$(s))))) \
) ; \
))
$(strip $(foreach s,$(DB_OPT_CONFIG), \
$(if $(filter !!%,$(word 1,$(subst $(comma),$(space),$(s)))), \
$(call db_opt_replace,$(patsubst !!%,%,$(word 1,$(subst $(comma),$(space),$(s)))),$(if $($(word 2,$(subst $(comma),$(space),$(s)))),$(word 3,$(subst $(comma),$(space),$(s))),$(word 4,$(subst $(comma),$(space),$(s))))), \
$(call db_opt_add,$(word 1,$(subst $(comma),$(space),$(s))),$(if $($(word 2,$(subst $(comma),$(space),$(s)))),$(word 3,$(subst $(comma),$(space),$(s))),$(word 4,$(subst $(comma),$(space),$(s))))) \
) ; \
))
endef
define Build/Configure/dropbear_objects
grep -ERZl -e '($(subst $(space),|,$(strip $(sort $(patsubst !!%,%,$(foreach s,$(DB_OPT_COMMON) $(DB_OPT_CONFIG),$(word 1,$(subst $(comma),$(space),$(s)))))))))' \
$(PKG_BUILD_DIR)/ | sed -zE 's/^(.+)\.[^.]+$$$$/\1.o/' | sort -uV | xargs -0 -r rm -fv || :
endef
define Build/Configure
rm -f $(PKG_BUILD_DIR)/localoptions.h
$(Build/Configure/Default)
: > $(PKG_BUILD_DIR)/localoptions.h
$(Build/Configure/dropbear_headers)
# Enforce rebuild of files depending on configured options
$(Build/Configure/dropbear_objects)
# Rebuild them on config change
+$(MAKE) -C $(PKG_BUILD_DIR)/libtomcrypt clean
+$(MAKE) -C $(PKG_BUILD_DIR)/libtommath clean
endef
define Build/Compile
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
$(TARGET_CONFIGURE_OPTS) \
IGNORE_SPEED=1 \
PROGRAMS="dropbear $(if $(CONFIG_DROPBEAR_DBCLIENT),dbclient,) dropbearkey $(if $(CONFIG_DROPBEAR_SCP),scp,)" \
MULTI=1 SCPPROGRESS=1
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
$(TARGET_CONFIGURE_OPTS) \
IGNORE_SPEED=1 \
PROGRAMS="dropbearconvert"
endef
define Package/dropbear/install
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/dropbearmulti $(1)/usr/sbin/dropbear
$(INSTALL_DIR) $(1)/usr/bin
$(if $(CONFIG_DROPBEAR_DBCLIENT),$(LN) ../sbin/dropbear $(1)/usr/bin/dbclient,)
$(LN) ../sbin/dropbear $(1)/usr/bin/dropbearkey
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/dropbear.config $(1)/etc/config/dropbear
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/dropbear.init $(1)/etc/init.d/dropbear
$(INSTALL_DIR) $(1)/etc/dropbear
$(INSTALL_DIR) $(1)/lib/preinit
$(INSTALL_DATA) ./files/dropbear.failsafe $(1)/lib/preinit/99_10_failsafe_dropbear
$(foreach f,$(filter /etc/dropbear/%,$(Package/dropbear/conffiles)),$(if $(wildcard $(TOPDIR)/files/$(f)),chmod 0600 $(TOPDIR)/files/$(f) || :; ))
endef
define Package/dropbearconvert/install
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/dropbearconvert $(1)/usr/bin/dropbearconvert
endef
$(eval $(call BuildPackage,dropbear))
$(eval $(call BuildPackage,dropbearconvert))

5
package/network/services/dropbear/files/dropbear.config Normal file
View File

@@ -0,0 +1,5 @@
config dropbear
option PasswordAuth 'on'
option RootPasswordAuth 'on'
option Port '22'
# option BannerFile '/etc/banner'

61
package/network/services/dropbear/files/dropbear.failsafe Executable file
View File

@@ -0,0 +1,61 @@
#!/bin/sh
_dropbear()
{
/usr/sbin/dropbear "$@" </dev/null >/dev/null 2>&1
}
_dropbearkey()
{
/usr/bin/dropbearkey "$@" </dev/null >/dev/null 2>&1
}
_ensurekey()
{
_dropbearkey -y -f "$1" && return
rm -f "$1"
_dropbearkey -f "$@" || {
rm -f "$1"
return 1
}
}
ktype_all='ed25519 ecdsa rsa'
failsafe_dropbear () {
local kargs kcount ktype tkey
kargs=
kcount=0
for ktype in ${ktype_all} ; do
tkey="/tmp/dropbear_failsafe_${ktype}_host_key"
case "${ktype}" in
ed25519) _ensurekey "${tkey}" -t ed25519 ;;
ecdsa) _ensurekey "${tkey}" -t ecdsa -s 256 ;;
rsa) _ensurekey "${tkey}" -t rsa -s 1024 ;;
*)
echo "unknown key type: ${ktype}" >&2
continue
;;
esac
[ -s "${tkey}" ] || {
rm -f "${tkey}"
continue
}
chmod 0400 "${tkey}"
kargs="${kargs}${kargs:+ }-r ${tkey}"
kcount=$((kcount+1))
done
[ "${kcount}" != 0 ] || {
echo 'DROPBEAR IS BROKEN' >&2
return 1
}
_dropbear ${kargs}
}
boot_hook_add failsafe failsafe_dropbear

474
package/network/services/dropbear/files/dropbear.init Executable file
View File

@@ -0,0 +1,474 @@
#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2010 OpenWrt.org
# Copyright (C) 2006 Carlos Sobrinho
START=19
STOP=50
USE_PROCD=1
PROG=/usr/sbin/dropbear
NAME=dropbear
PIDCOUNT=0
extra_command "killclients" "Kill ${NAME} processes except servers and yourself"
# most of time real_stat() will be failing
# due to missing "stat" binary (by default)
real_stat() { env stat -L "$@" 2>/dev/null ; }
dumb_stat() { ls -Ldln "$1" | tr -s '\t ' ' ' ; }
stat_perm() { real_stat -c '%A' "$1" || dumb_stat "$1" | cut -d ' ' -f 1 ; }
stat_owner() { real_stat -c '%u' "$1" || dumb_stat "$1" | cut -d ' ' -f 3 ; }
_dropbearkey()
{
/usr/bin/dropbearkey "$@" </dev/null >/dev/null 2>&1
}
# $1 - file name (host key or config)
file_verify()
{
[ -f "$1" ] || return 1
# checking file ownership
[ "$(stat_owner "$1")" = "0" ] || {
chown 0 "$1"
[ "$(stat_owner "$1")" = "0" ] || return 2
}
# checking file permissions
[ "$(stat_perm "$1")" = "-rw-------" ] || {
chmod 0600 "$1"
[ "$(stat_perm "$1")" = "-rw-------" ] || return 3
}
# file is host key or not?
# if $2 is empty string - file is "host key"
# if $2 is non-empty string - file is "config"
[ -z "$2" ] || return 0
# checking file contents (finally)
[ -s "$1" ] || return 4
_dropbearkey -y -f "$1" || return 5
return 0
}
# $1 - file_verify() return code
file_errmsg()
{
case "$1" in
0) ;;
1) echo "file does not exist" ;;
2) echo "file has wrong owner (must be owned by root)" ;;
3) echo "file has wrong permissions (must not have group/other write bit)" ;;
4) echo "file has zero length" ;;
5) echo "file is not valid host key or not supported" ;;
*) echo "unknown error" ;;
esac
}
# $1 - config option
# $2 - host key file name
hk_config()
{
local x m
file_verify "$2" ; x=$?
if [ "$x" = 0 ] ; then
procd_append_param command -r "$2"
return
fi
m=$(file_errmsg "$x")
logger -s -t "${NAME}" -p daemon.warn \
"Option '$1', skipping '$2': $m"
}
# $1 - host key file name
hk_config__keyfile() { hk_config keyfile "$1" ; }
ktype_all='ed25519 ecdsa rsa'
hk_generate_as_needed()
{
local hk_cfg_dir kgen ktype kfile hk_tmp_dir
hk_cfg_dir='/etc/dropbear'
[ -d "${hk_cfg_dir}" ] || mkdir -p "${hk_cfg_dir}"
kgen=
for ktype in ${ktype_all} ; do
kfile="${hk_cfg_dir}/dropbear_${ktype}_host_key"
if file_verify "${kfile}" ; then continue ; fi
kgen="${kgen}${kgen:+ }${ktype}"
done
# all keys are sane?
[ -n "${kgen}" ] || return 0
hk_tmp_dir=$(mktemp -d)
# system in bad state?
[ -n "${hk_tmp_dir}" ] || return 1
chmod 0700 "${hk_tmp_dir}"
for ktype in ${kgen} ; do
kfile="${hk_tmp_dir}/dropbear_${ktype}_host_key"
if ! _dropbearkey -t ${ktype} -f "${kfile}" ; then
# unsupported key type
rm -f "${kfile}"
continue
fi
chmod 0600 "${kfile}"
done
kgen=
for ktype in ${ktype_all} ; do
kfile="${hk_tmp_dir}/dropbear_${ktype}_host_key"
[ -s "${kfile}" ] || continue
kgen="${kgen}${kgen:+ }${ktype}"
done
if [ -n "${kgen}" ] ; then
for ktype in ${kgen} ; do
kfile="${hk_tmp_dir}/dropbear_${ktype}_host_key"
[ -s "${kfile}" ] || continue
mv -f "${kfile}" "${hk_cfg_dir}/"
done
fi
rm -rf "${hk_tmp_dir}"
# cleanup empty files
for ktype in ${ktype_all} ; do
kfile="${hk_cfg_dir}/dropbear_${ktype}_host_key"
[ -s "${kfile}" ] || rm -f "${kfile}"
done
}
# $1 - list with whitespace-separated elements
normalize_list()
{
printf '%s' "$1" | tr -s ' \r\n\t' ' ' | sed -E 's/^ //;s/ $//'
}
warn_multiple_interfaces()
{
logger -t "${NAME}" -p daemon.warn \
"Option '$1' should specify SINGLE interface but instead it lists interfaces: $2"
logger -t "${NAME}" -p daemon.warn \
"Consider creating per-interface instances instead!"
}
validate_section_dropbear()
{
uci_load_validate dropbear dropbear "$1" "$2" \
'PasswordAuth:bool:1' \
'enable:bool:1' \
'DirectInterface:string' \
'Interface:string' \
'GatewayPorts:bool:0' \
'ForceCommand:string' \
'RootPasswordAuth:bool:1' \
'RootLogin:bool:1' \
'rsakeyfile:file' \
'keyfile:list(file)' \
'BannerFile:file' \
'Port:port:22' \
'SSHKeepAlive:uinteger:300' \
'IdleTimeout:uinteger:0' \
'MaxAuthTries:uinteger:3' \
'RecvWindowSize:uinteger:262144' \
'mdns:bool:1'
}
dropbear_instance()
{
[ "$2" = 0 ] || {
echo "validation failed"
return 1
}
[ "${enable}" = "1" ] || return 1
local iface ndev ipaddrs
# 'DirectInterface' should specify single interface
# but end users may misinterpret this setting
DirectInterface=$(normalize_list "${DirectInterface}")
# 'Interface' should specify single interface
# but end users are often misinterpret this setting
Interface=$(normalize_list "${Interface}")
if [ -n "${Interface}" ] ; then
if [ -n "${DirectInterface}" ] ; then
logger -t "${NAME}" -p daemon.warn \
"Option 'DirectInterface' takes precedence over 'Interface'"
else
logger -t "${NAME}" -p daemon.info \
"Option 'Interface' binds to address(es) but not to interface"
logger -t "${NAME}" -p daemon.info \
"Consider using option 'DirectInterface' to bind directly to interface"
fi
fi
# handle 'DirectInterface'
iface=$(echo "${DirectInterface}" | awk '{print $1}')
case "${DirectInterface}" in
*\ *)
warn_multiple_interfaces DirectInterface "${DirectInterface}"
logger -t "${NAME}" -p daemon.warn \
"Using network interface '${iface}' for direct binding"
;;
esac
while [ -n "${iface}" ] ; do
# if network is available (even during boot) - proceed
if network_is_up "${iface}" ; then break ; fi
# skip during boot
[ -z "${BOOT}" ] || return 0
logger -t "${NAME}" -p daemon.crit \
"Network interface '${iface}' is not available!"
return 1
done
while [ -n "${iface}" ] ; do
# ${iface} is logical (higher level) interface name
# ${ndev} is 'real' interface name
# e.g.: if ${iface} is 'lan' (default LAN interface) then ${ndev} is 'br-lan'
network_get_device ndev "${iface}"
[ -z "${ndev}" ] || break
logger -t "${NAME}" -p daemon.crit \
"Missing network device for network interface '${iface}'!"
return 1
done
if [ -n "${iface}" ] ; then
logger -t "${NAME}" -p daemon.info \
"Using network interface '${iface}' (network device '${ndev}') for direct binding"
fi
# handle 'Interface'
while [ -z "${iface}" ] ; do
[ -n "${Interface}" ] || break
# skip during boot
[ -z "${BOOT}" ] || return 0
case "${Interface}" in
*\ *)
warn_multiple_interfaces Interface "${Interface}"
;;
esac
local c=0
# src/sysoptions.h
local DROPBEAR_MAX_PORTS=10
local a n if_ipaddrs
for n in ${Interface} ; do
[ -n "$n" ] || continue
if_ipaddrs=
network_get_ipaddrs_all if_ipaddrs "$n"
[ -n "${if_ipaddrs}" ] || {
logger -s -t "${NAME}" -p daemon.err \
"Network interface '$n' has no suitable IP address(es)!"
continue
}
[ $c -le ${DROPBEAR_MAX_PORTS} ] || {
logger -s -t "${NAME}" -p daemon.err \
"Network interface '$n' is NOT listened due to option limit exceed!"
continue
}
for a in ${if_ipaddrs} ; do
[ -n "$a" ] || continue
c=$((c+1))
if [ $c -le ${DROPBEAR_MAX_PORTS} ] ; then
ipaddrs="${ipaddrs} $a"
continue
fi
logger -t "${NAME}" -p daemon.err \
"Endpoint '$a:${Port}' on network interface '$n' is NOT listened due to option limit exceed!"
done
done
break
done
PIDCOUNT="$(( ${PIDCOUNT} + 1))"
local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid"
procd_open_instance
procd_set_param command "$PROG" -F -P "$pid_file"
if [ -n "${iface}" ] ; then
# if ${iface} is non-empty then ${ndev} is non-empty too
procd_append_param command -l "${ndev}" -p "${Port}"
else
if [ -z "${ipaddrs}" ] ; then
procd_append_param command -p "${Port}"
else
local a
for a in ${ipaddrs} ; do
[ -n "$a" ] || continue
procd_append_param command -p "$a:${Port}"
done
fi
fi
[ "${PasswordAuth}" -eq 0 ] && procd_append_param command -s
[ "${GatewayPorts}" -eq 1 ] && procd_append_param command -a
[ -n "${ForceCommand}" ] && procd_append_param command -c "${ForceCommand}"
[ "${RootPasswordAuth}" -eq 0 ] && procd_append_param command -g
[ "${RootLogin}" -eq 0 ] && procd_append_param command -w
config_list_foreach "$1" 'keyfile' hk_config__keyfile
if [ -n "${rsakeyfile}" ]; then
logger -s -t "${NAME}" -p daemon.crit \
"Option 'rsakeyfile' is considered to be DEPRECATED and will be REMOVED in future releases, use 'keyfile' list instead"
sed -i.before-upgrade -E -e 's/option(\s+)rsakeyfile/list keyfile/' \
"/etc/config/${NAME}"
logger -s -t "${NAME}" -p daemon.crit \
"Auto-transition 'option rsakeyfile' => 'list keyfile' in /etc/config/${NAME} is done, please verify your configuration"
hk_config 'rsakeyfile' "${rsakeyfile}"
fi
[ -n "${BannerFile}" ] && procd_append_param command -b "${BannerFile}"
[ "${IdleTimeout}" -ne 0 ] && procd_append_param command -I "${IdleTimeout}"
[ "${SSHKeepAlive}" -ne 0 ] && procd_append_param command -K "${SSHKeepAlive}"
[ "${MaxAuthTries}" -ne 0 ] && procd_append_param command -T "${MaxAuthTries}"
[ "${RecvWindowSize}" -gt 0 ] && {
# NB: OpenWrt increases receive window size to increase throughput on high latency links
# ref: validate_section_dropbear()
# default receive window size is 24576 (DEFAULT_RECV_WINDOW in default_options.h)
# src/sysoptions.h
local MAX_RECV_WINDOW=10485760
if [ "${RecvWindowSize}" -gt ${MAX_RECV_WINDOW} ] ; then
# separate logging is required because syslog misses dropbear's message
# Bad recv window '${RecvWindowSize}', using ${MAX_RECV_WINDOW}
# it's probably dropbear issue but we should handle this and notify user
logger -s -t "${NAME}" -p daemon.warn \
"Option 'RecvWindowSize' is too high (${RecvWindowSize}), limiting to ${MAX_RECV_WINDOW}"
RecvWindowSize=${MAX_RECV_WINDOW}
fi
procd_append_param command -W "${RecvWindowSize}"
}
[ "${mdns}" -ne 0 ] && procd_add_mdns "ssh" "tcp" "$Port" "daemon=dropbear"
procd_set_param respawn
procd_close_instance
}
load_interfaces()
{
local enable
config_get enable "$1" enable 1
[ "${enable}" = "1" ] || return 0
local direct_iface iface
config_get direct_iface "$1" DirectInterface
direct_iface=$(normalize_list "${direct_iface}")
# 'DirectInterface' takes precedence over 'Interface'
if [ -n "${direct_iface}" ] ; then
iface=$(echo "${direct_iface}" | awk '{print $1}')
else
config_get iface "$1" Interface
iface=$(normalize_list "${iface}")
fi
interfaces="${interfaces} ${iface}"
}
boot()
{
BOOT=1
start "$@"
}
start_service()
{
hk_generate_as_needed
file_verify /etc/dropbear/authorized_keys config
. /lib/functions.sh
. /lib/functions/network.sh
config_load "${NAME}"
config_foreach validate_section_dropbear dropbear dropbear_instance
}
service_triggers()
{
local interfaces
procd_add_config_trigger "config.change" "${NAME}" /etc/init.d/dropbear reload
config_load "${NAME}"
config_foreach load_interfaces "${NAME}"
[ -n "${interfaces}" ] && {
local n
for n in $(printf '%s\n' ${interfaces} | sort -u) ; do
procd_add_interface_trigger "interface.*" $n /etc/init.d/dropbear reload
done
}
procd_add_validation validate_section_dropbear
}
shutdown() {
# close all open connections
killall dropbear
}
killclients()
{
local ignore=''
local server
local pid
# if this script is run from inside a client session, then ignore that session
pid="$$"
while [ "${pid}" -ne 0 ]
do
# get parent process id
pid=$(cut -d ' ' -f 4 "/proc/${pid}/stat")
[ "${pid}" -eq 0 ] && break
# check if client connection
grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" && {
append ignore "${pid}"
break
}
done
# get all server pids that should be ignored
for server in $(cat /var/run/${NAME}.*.pid)
do
append ignore "${server}"
done
# get all running pids and kill client connections
local skip
for pid in $(pidof "${NAME}")
do
# check if correct program, otherwise process next pid
grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" || {
continue
}
# check if pid should be ignored (servers, ourself)
skip=0
for server in ${ignore}
do
if [ "${pid}" = "${server}" ]
then
skip=1
break
fi
done
[ "${skip}" -ne 0 ] && continue
# kill process
echo "${initscript}: Killing ${pid}..."
kill -KILL ${pid}
done
}

106
package/network/services/dropbear/patches/100-pubkey_path.patch Normal file
View File

@@ -0,0 +1,106 @@
--- a/src/svr-authpubkey.c
+++ b/src/svr-authpubkey.c
@@ -78,6 +78,13 @@ static void send_msg_userauth_pk_ok(cons
const unsigned char* keyblob, unsigned int keybloblen);
static int checkfileperm(char * filename);
+static const char * const global_authkeys_dir = "/etc/dropbear";
+static const int n_global_authkeys_dir = 14; /* + 1 extra byte */
+static const char * const user_authkeys_dir = ".ssh";
+static const int n_user_authkeys_dir = 5; /* + 1 extra byte */
+static const char * const authkeys_file = "authorized_keys";
+static const int n_authkeys_file = 16; /* + 1 extra byte */
+
/* process a pubkey auth request, sending success or failure message as
* appropriate */
void svr_auth_pubkey(int valid_user) {
@@ -462,14 +469,21 @@ static int checkpubkey(const char* keyal
if (checkpubkeyperms() == DROPBEAR_FAILURE) {
TRACE(("bad authorized_keys permissions, or file doesn't exist"))
} else {
- /* we don't need to check pw and pw_dir for validity, since
- * its been done in checkpubkeyperms. */
- len = strlen(ses.authstate.pw_dir);
- /* allocate max required pathname storage,
- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
- filename = m_malloc(len + 22);
- snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
- ses.authstate.pw_dir);
+ if (ses.authstate.pw_uid == 0) {
+ len = n_global_authkeys_dir + n_authkeys_file;
+ filename = m_malloc(len);
+ snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file);
+ } else {
+ /* we don't need to check pw and pw_dir for validity, since
+ * its been done in checkpubkeyperms. */
+ len = strlen(ses.authstate.pw_dir);
+ /* allocate max required pathname storage,
+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+ len += n_user_authkeys_dir + n_authkeys_file + 1;
+ filename = m_malloc(len);
+ snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir,
+ user_authkeys_dir, authkeys_file);
+ }
authfile = fopen(filename, "r");
if (!authfile) {
@@ -543,27 +557,41 @@ static int checkpubkeyperms() {
goto out;
}
- /* allocate max required pathname storage,
- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
- len += 22;
- filename = m_malloc(len);
- strlcpy(filename, ses.authstate.pw_dir, len);
+ if (ses.authstate.pw_uid == 0) {
+ if (checkfileperm(global_authkeys_dir) != DROPBEAR_SUCCESS) {
+ goto out;
+ }
- /* check ~ */
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;
- }
+ len = n_global_authkeys_dir + n_authkeys_file;
+ filename = m_malloc(len);
- /* check ~/.ssh */
- strlcat(filename, "/.ssh", len);
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;
- }
+ snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file);
+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+ goto out;
+ }
+ } else {
+ /* check ~ */
+ if (checkfileperm(ses.authstate.pw_dir) != DROPBEAR_SUCCESS) {
+ goto out;
+ }
- /* now check ~/.ssh/authorized_keys */
- strlcat(filename, "/authorized_keys", len);
- if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
- goto out;
+ /* allocate max required pathname storage,
+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+ len += n_user_authkeys_dir + n_authkeys_file + 1;
+ filename = m_malloc(len);
+
+ /* check ~/.ssh */
+ snprintf(filename, len, "%s/%s", ses.authstate.pw_dir, user_authkeys_dir);
+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+ goto out;
+ }
+
+ /* now check ~/.ssh/authorized_keys */
+ snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir,
+ user_authkeys_dir, authkeys_file);
+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+ goto out;
+ }
}
/* file looks ok, return success */

18
package/network/services/dropbear/patches/110-change_user.patch Normal file
View File

@@ -0,0 +1,18 @@
--- a/src/svr-chansession.c
+++ b/src/svr-chansession.c
@@ -987,12 +987,12 @@ static void execchild(const void *user_d
/* We can only change uid/gid as root ... */
if (getuid() == 0) {
- if ((setgid(ses.authstate.pw_gid) < 0) ||
+ if ((ses.authstate.pw_gid != 0) && ((setgid(ses.authstate.pw_gid) < 0) ||
(initgroups(ses.authstate.pw_name,
- ses.authstate.pw_gid) < 0)) {
+ ses.authstate.pw_gid) < 0))) {
dropbear_exit("Error changing user group");
}
- if (setuid(ses.authstate.pw_uid) < 0) {
+ if ((ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)) {
dropbear_exit("Error changing user");
}
} else {

13
package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch Normal file
View File

@@ -0,0 +1,13 @@
--- a/src/cli-runopts.c
+++ b/src/cli-runopts.c
@@ -340,6 +340,10 @@ void cli_getopts(int argc, char ** argv)
case 'z':
opts.disable_ip_tos = 1;
break;
+ case 'x':
+ /* compatibility with openssh cli
+ * ("-x" disables X11 forwarding) */
+ break;
default:
fprintf(stderr,
"WARNING: Ignoring unknown option -%c\n", c);

15
package/network/services/dropbear/patches/140-disable_assert.patch Normal file
View File

@@ -0,0 +1,15 @@
--- a/src/dbutil.h
+++ b/src/dbutil.h
@@ -80,7 +80,11 @@ int m_snprintf(char *str, size_t size, c
#define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
/* Dropbear assertion */
-#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
+#ifndef DROPBEAR_ASSERT_ENABLED
+#define DROPBEAR_ASSERT_ENABLED 0
+#endif
+
+#define dropbear_assert(X) do { if (DROPBEAR_ASSERT_ENABLED && !(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
/* Returns 0 if a and b have the same contents */
int constant_time_memcmp(const void* a, const void *b, size_t n);

33
package/network/services/dropbear/patches/160-lto-jobserver.patch Normal file
View File

@@ -0,0 +1,33 @@
--- a/Makefile.in
+++ b/Makefile.in
@@ -220,17 +220,17 @@ dropbearkey: $(dropbearkeyobjs)
dropbearconvert: $(dropbearconvertobjs)
dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile
- $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@ $(PLUGIN_LIBS)
+ +$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@ $(PLUGIN_LIBS)
dbclient: $(HEADERS) $(LIBTOM_DEPS) Makefile
- $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
+ +$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
dropbearkey dropbearconvert: $(HEADERS) $(LIBTOM_DEPS) Makefile
- $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
+ +$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
# scp doesn't use the libs so is special.
scp: $(SCPOBJS) $(HEADERS) Makefile
- $(CC) $(LDFLAGS) -o $@$(EXEEXT) $(SCPOBJS)
+ +$(CC) $(LDFLAGS) -o $@$(EXEEXT) $(SCPOBJS)
# multi-binary compilation.
@@ -241,7 +241,7 @@ ifeq ($(MULTI),1)
endif
dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile
- $(CC) $(LDFLAGS) -o $@ $(MULTIOBJS) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@
+ +$(CC) $(LDFLAGS) -o $@ $(MULTIOBJS) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@
multibinary: dropbearmulti$(EXEEXT)

11
package/network/services/dropbear/patches/600-allow-blank-root-password.patch Normal file
View File

@@ -0,0 +1,11 @@
--- a/src/svr-auth.c
+++ b/src/svr-auth.c
@@ -124,7 +124,7 @@ void recv_msg_userauth_request() {
AUTH_METHOD_NONE_LEN) == 0) {
TRACE(("recv_msg_userauth_request: 'none' request"))
if (valid_user
- && svr_opts.allowblankpass
+ && (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
&& !svr_opts.noauthpass
&& !(svr_opts.norootpass && ses.authstate.pw_uid == 0)
&& ses.authstate.pw_passwd[0] == '\0')

57
package/network/services/dropbear/patches/900-configure-hardening.patch Normal file
View File

@@ -0,0 +1,57 @@
--- a/configure.ac
+++ b/configure.ac
@@ -86,54 +86,6 @@ AC_ARG_ENABLE(harden,
if test "$hardenbuild" -eq 1; then
AC_MSG_NOTICE(Checking for available hardened build flags:)
- # relocation flags don't make sense for static builds
- if test "$STATIC" -ne 1; then
- # pie
- DB_TRYADDCFLAGS([-fPIE])
-
- OLDLDFLAGS="$LDFLAGS"
- TESTFLAGS="-Wl,-pie"
- LDFLAGS="$TESTFLAGS $LDFLAGS"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
- [
- LDFLAGS="$OLDLDFLAGS"
- TESTFLAGS="-pie"
- LDFLAGS="$TESTFLAGS $LDFLAGS"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
- )
- ]
- )
- # readonly elf relocation sections (relro)
- OLDLDFLAGS="$LDFLAGS"
- TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
- LDFLAGS="$TESTFLAGS $LDFLAGS"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
- )
- fi # non-static
- # stack protector. -strong is good but only in gcc 4.9 or later
- OLDCFLAGS="$CFLAGS"
- TESTFLAGS="-fstack-protector-strong"
- CFLAGS="$TESTFLAGS $CFLAGS"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
- [
- CFLAGS="$OLDCFLAGS"
- TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
- CFLAGS="$TESTFLAGS $CFLAGS"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
- [AC_MSG_NOTICE([Setting $TESTFLAGS])],
- [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
- )
- ]
- )
- # FORTIFY_SOURCE
- DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2])
-
# Spectre v2 mitigations
DB_TRYADDCFLAGS([-mfunction-return=thunk])
DB_TRYADDCFLAGS([-mindirect-branch=thunk])

29
package/network/services/dropbear/patches/901-bundled-libs-cflags.patch Normal file
View File

@@ -0,0 +1,29 @@
--- a/configure.ac
+++ b/configure.ac
@@ -44,11 +44,8 @@ fi
# LTM_CFLAGS is given to ./configure by the user,
# DROPBEAR_LTM_CFLAGS is substituted in the LTM Makefile.in
DROPBEAR_LTM_CFLAGS="$LTM_CFLAGS"
-if test -z "$DROPBEAR_LTM_CFLAGS"; then
- DROPBEAR_LTM_CFLAGS="-O3 -funroll-loops -fomit-frame-pointer"
-fi
-AC_MSG_NOTICE(Setting LTM_CFLAGS to $DROPBEAR_LTM_CFLAGS)
-AC_ARG_VAR(LTM_CFLAGS, CFLAGS for bundled libtommath. Default -O3 -funroll-loops -fomit-frame-pointer)
+AC_MSG_NOTICE(Setting LTM_CFLAGS to '$DROPBEAR_LTM_CFLAGS')
+AC_ARG_VAR(LTM_CFLAGS, CFLAGS for bundled libtommath. Defaults to empty string)
AC_SUBST(DROPBEAR_LTM_CFLAGS)
AC_MSG_NOTICE([Checking if compiler '$CC' supports -Wno-pointer-sign])
--- a/libtomcrypt/src/headers/tomcrypt_dropbear.h
+++ b/libtomcrypt/src/headers/tomcrypt_dropbear.h
@@ -7,8 +7,10 @@
/* Use small code where possible */
#if DROPBEAR_SMALL_CODE
+#ifndef LTC_SMALL_CODE
#define LTC_SMALL_CODE
#endif
+#endif
/* Fewer entries needed */
#define TAB_SIZE 5

44
package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch Normal file
View File

@@ -0,0 +1,44 @@
From 667d9b75df86ec9ee1205f9101beb8dbbe4a00ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
Date: Wed, 1 Jul 2020 11:38:33 +0200
Subject: [PATCH] signkey: fix use of rsa-sha2-256 pubkeys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit 972d723484d8 ("split signkey_type and signature_type for RSA sha1
vs sha256") has added strict checking of pubkey algorithms which made
keys with SHA-256 hashing algorithm unusable as they still reuse the
`ssh-rsa` public key format. So fix this by disabling the check for
rsa-sha2-256 pubkeys.
Ref: https://tools.ietf.org/html/rfc8332#section-3
Fixes: 972d723484d8 ("split signkey_type and signature_type for RSA sha1 vs sha256")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
---
signkey.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/src/signkey.c
+++ b/src/signkey.c
@@ -652,10 +652,18 @@ int buf_verify(buffer * buf, sign_key *k
sigtype = signature_type_from_name(type_name, type_name_len);
m_free(type_name);
- if (expect_sigtype != sigtype) {
- dropbear_exit("Non-matching signing type");
+ if (sigtype == DROPBEAR_SIGNATURE_NONE) {
+ dropbear_exit("No signature type");
}
+#if DROPBEAR_RSA
+#if DROPBEAR_RSA_SHA256
+ if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
+ dropbear_exit("Non-matching signing type");
+ }
+#endif
+#endif
+
keytype = signkey_type_from_signature(sigtype);
#if DROPBEAR_DSS
if (keytype == DROPBEAR_SIGNKEY_DSS) {