Initial commit

package/network/services/dropbear/patches/100-pubkey_path.patch

@@ -0,0 +1,86 @@
+--- a/svr-authpubkey.c
++++ b/svr-authpubkey.c
+@@ -386,14 +386,19 @@ static int checkpubkey(const char* keyal
+ 		goto out;
+ 	}
+ 
+-	/* we don't need to check pw and pw_dir for validity, since
+-	 * its been done in checkpubkeyperms. */
+-	len = strlen(ses.authstate.pw_dir);
+-	/* allocate max required pathname storage,
+-	 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+-	filename = m_malloc(len + 22);
+-	snprintf(filename, len + 22, "%s/.ssh/authorized_keys", 
+-				ses.authstate.pw_dir);
++	if (ses.authstate.pw_uid != 0) {
++		/* we don't need to check pw and pw_dir for validity, since
++		 * its been done in checkpubkeyperms. */
++		len = strlen(ses.authstate.pw_dir);
++		/* allocate max required pathname storage,
++		 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
++		filename = m_malloc(len + 22);
++		snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
++					ses.authstate.pw_dir);
++	} else {
++		filename = m_malloc(30);
++		strncpy(filename, "/etc/dropbear/authorized_keys", 30);
++	}
+ 
+ #if DROPBEAR_SVR_MULTIUSER
+ 	/* open the file as the authenticating user. */
+@@ -474,27 +479,36 @@ static int checkpubkeyperms() {
+ 		goto out;
+ 	}
+ 
+-	/* allocate max required pathname storage,
+-	 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+-	len += 22;
+-	filename = m_malloc(len);
+-	strlcpy(filename, ses.authstate.pw_dir, len);
+-
+-	/* check ~ */
+-	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+-		goto out;
+-	}
++	if (ses.authstate.pw_uid == 0) {
++		if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
++			goto out;
++		}
++		if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) {
++			goto out;
++		}
++	} else {
++		/* allocate max required pathname storage,
++		 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
++		len += 22;
++		filename = m_malloc(len);
++		strlcpy(filename, ses.authstate.pw_dir, len);
++
++		/* check ~ */
++		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++			goto out;
++		}
+ 
+-	/* check ~/.ssh */
+-	strlcat(filename, "/.ssh", len);
+-	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+-		goto out;
+-	}
++		/* check ~/.ssh */
++		strlcat(filename, "/.ssh", len);
++		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++			goto out;
++		}
+ 
+-	/* now check ~/.ssh/authorized_keys */
+-	strlcat(filename, "/authorized_keys", len);
+-	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+-		goto out;
++		/* now check ~/.ssh/authorized_keys */
++		strlcat(filename, "/authorized_keys", len);
++		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++			goto out;
++		}
+ 	}
+ 
+ 	/* file looks ok, return success */

package/network/services/dropbear/patches/110-change_user.patch

@@ -0,0 +1,18 @@
+--- a/svr-chansession.c
++++ b/svr-chansession.c
+@@ -954,12 +954,12 @@ static void execchild(const void *user_d
+ 	/* We can only change uid/gid as root ... */
+ 	if (getuid() == 0) {
+ 
+-		if ((setgid(ses.authstate.pw_gid) < 0) ||
++		if ((ses.authstate.pw_gid != 0) && ((setgid(ses.authstate.pw_gid) < 0) ||
+ 			(initgroups(ses.authstate.pw_name, 
+-						ses.authstate.pw_gid) < 0)) {
++						ses.authstate.pw_gid) < 0))) {
+ 			dropbear_exit("Error changing user group");
+ 		}
+-		if (setuid(ses.authstate.pw_uid) < 0) {
++		if ((ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)) {
+ 			dropbear_exit("Error changing user");
+ 		}
+ 	} else {

package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch

@@ -0,0 +1,11 @@
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -299,6 +299,8 @@ void cli_getopts(int argc, char ** argv)
+ 					debug_trace = 1;
+ 					break;
+ #endif
++				case 'x':
++					break;
+ 				case 'F':
+ 				case 'e':
+ #if !DROPBEAR_USER_ALGO_LIST

package/network/services/dropbear/patches/140-disable_assert.patch

@@ -0,0 +1,15 @@
+--- a/dbutil.h
++++ b/dbutil.h
+@@ -75,7 +75,11 @@ int m_str_to_uint(const char* str, unsig
+ #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
+ 
+ /* Dropbear assertion */
+-#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
++#ifndef DROPBEAR_ASSERT_ENABLED
++#define DROPBEAR_ASSERT_ENABLED 0
++#endif
++
++#define dropbear_assert(X) do { if (DROPBEAR_ASSERT_ENABLED && !(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
+ 
+ /* Returns 0 if a and b have the same contents */
+ int constant_time_memcmp(const void* a, const void *b, size_t n);

package/network/services/dropbear/patches/160-lto-jobserver.patch

@@ -0,0 +1,33 @@
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -198,17 +198,17 @@ dropbearkey: $(dropbearkeyobjs)
+ dropbearconvert: $(dropbearconvertobjs)
+ 
+ dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile
+-	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@ $(PLUGIN_LIBS)
++	+$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@ $(PLUGIN_LIBS)
+ 
+ dbclient: $(HEADERS) $(LIBTOM_DEPS) Makefile
+-	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
++	+$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
+ 
+ dropbearkey dropbearconvert: $(HEADERS) $(LIBTOM_DEPS) Makefile
+-	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
++	+$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
+ 
+ # scp doesn't use the libs so is special.
+ scp: $(SCPOBJS)  $(HEADERS) Makefile
+-	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $(SCPOBJS)
++	+$(CC) $(LDFLAGS) -o $@$(EXEEXT) $(SCPOBJS)
+ 
+ 
+ # multi-binary compilation.
+@@ -219,7 +219,7 @@ ifeq ($(MULTI),1)
+ endif
+ 
+ dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile
+-	$(CC) $(LDFLAGS) -o $@ $(MULTIOBJS) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@
++	+$(CC) $(LDFLAGS) -o $@ $(MULTIOBJS) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@
+ 
+ multibinary: dropbearmulti$(EXEEXT)
+ 

package/network/services/dropbear/patches/600-allow-blank-root-password.patch

@@ -0,0 +1,11 @@
+--- a/svr-auth.c
++++ b/svr-auth.c
+@@ -125,7 +125,7 @@ void recv_msg_userauth_request() {
+ 				AUTH_METHOD_NONE_LEN) == 0) {
+ 		TRACE(("recv_msg_userauth_request: 'none' request"))
+ 		if (valid_user
+-				&& svr_opts.allowblankpass
++				&& (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
+ 				&& !svr_opts.noauthpass
+ 				&& !(svr_opts.norootpass && ses.authstate.pw_uid == 0) 
+ 				&& ses.authstate.pw_passwd[0] == '\0') 

package/network/services/dropbear/patches/900-configure-hardening.patch

@@ -0,0 +1,56 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -70,53 +70,6 @@ AC_ARG_ENABLE(harden,
+ 
+ if test "$hardenbuild" -eq 1; then
+ 	AC_MSG_NOTICE(Checking for available hardened build flags:)
+-	# relocation flags don't make sense for static builds
+-	if test "$STATIC" -ne 1; then
+-		# pie
+-		DB_TRYADDCFLAGS([-fPIE])
+-
+-		OLDLDFLAGS="$LDFLAGS"
+-		TESTFLAGS="-Wl,-pie"
+-		LDFLAGS="$LDFLAGS $TESTFLAGS"
+-		AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+-			[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-			[
+-				LDFLAGS="$OLDLDFLAGS"
+-				TESTFLAGS="-pie"
+-				LDFLAGS="$LDFLAGS $TESTFLAGS"
+-				AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+-					[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-					[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+-					)
+-			]
+-			)
+-		# readonly elf relocation sections (relro)
+-		OLDLDFLAGS="$LDFLAGS"
+-		TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
+-		LDFLAGS="$LDFLAGS $TESTFLAGS"
+-		AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+-			[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-			[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+-			)
+-	fi # non-static
+-	# stack protector. -strong is good but only in gcc 4.9 or later
+-	OLDCFLAGS="$CFLAGS"
+-	TESTFLAGS="-fstack-protector-strong"
+-	CFLAGS="$CFLAGS $TESTFLAGS"
+-	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
+-	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-	    [
+-			CFLAGS="$OLDCFLAGS"
+-			TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
+-			CFLAGS="$CFLAGS $TESTFLAGS"
+-			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
+-			    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-			    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+-			    )
+-	    ]
+-	    )
+-	# FORTIFY_SOURCE
+-	DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2])
+ 
+ 	# Spectre v2 mitigations
+ 	DB_TRYADDCFLAGS([-mfunction-return=thunk])

package/network/services/dropbear/patches/901-bundled-libs-cflags.patch

@@ -0,0 +1,48 @@
+--- a/libtomcrypt/makefile_include.mk
++++ b/libtomcrypt/makefile_include.mk
+@@ -94,6 +94,13 @@ endif
+ 
+ LTC_CFLAGS += -Wno-type-limits
+ 
++ifdef OPENWRT_BUILD
++  ifeq (-Os,$(filter -Os,$(CFLAGS)))
++    LTC_CFLAGS += -DLTC_SMALL_CODE
++  endif
++else
++  ### ! OPENWRT_BUILD
++
+ ifdef LTC_DEBUG
+ $(info Debug build)
+ # compile for DEBUGGING (required for ccmalloc checking!!!)
+@@ -121,6 +128,9 @@ endif
+ endif # COMPILE_SMALL
+ endif # COMPILE_DEBUG
+ 
++  ### ! OPENWRT_BUILD
++endif
++
+ 
+ ifneq ($(findstring clang,$(CC)),)
+ LTC_CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header -Wno-missing-field-initializers
+--- a/libtommath/makefile_include.mk
++++ b/libtommath/makefile_include.mk
+@@ -70,6 +70,9 @@ else
+ LTM_CFLAGS += -Wsystem-headers
+ endif
+ 
++ifndef OPENWRT_BUILD
++  ### ! OPENWRT_BUILD
++
+ ifdef COMPILE_DEBUG
+ #debug
+ LTM_CFLAGS += -g3
+@@ -90,6 +93,9 @@ endif
+ 
+ endif # COMPILE_SIZE
+ 
++  ### ! OPENWRT_BUILD
++endif
++
+ ifneq ($(findstring clang,$(CC)),)
+ LTM_CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header
+ endif

package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch

@@ -0,0 +1,38 @@
+From 667d9b75df86ec9ee1205f9101beb8dbbe4a00ae Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Wed, 1 Jul 2020 11:38:33 +0200
+Subject: [PATCH] signkey: fix use of rsa-sha2-256 pubkeys
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit 972d723484d8 ("split signkey_type and signature_type for RSA sha1
+vs sha256") has added strict checking of pubkey algorithms which made
+keys with SHA-256 hashing algorithm unusable as they still reuse the
+`ssh-rsa` public key format. So fix this by disabling the check for
+rsa-sha2-256 pubkeys.
+
+Ref: https://tools.ietf.org/html/rfc8332#section-3
+Fixes: 972d723484d8 ("split signkey_type and signature_type for RSA sha1 vs sha256")
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ signkey.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/signkey.c
++++ b/signkey.c
+@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *k
+ 	sigtype = signature_type_from_name(type_name, type_name_len);
+ 	m_free(type_name);
+ 
+-	if (expect_sigtype != sigtype) {
+-			dropbear_exit("Non-matching signing type");
++	if (sigtype == DROPBEAR_SIGNATURE_NONE) {
++		dropbear_exit("No signature type");
++	}
++
++	if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
++		dropbear_exit("Non-matching signing type");
+ 	}
+ 
+ 	keytype = signkey_type_from_signature(sigtype);