diff options
| author | Konstantin Demin <rockdrilla@gmail.com> | 2024-05-06 16:20:16 +0300 |
|---|---|---|
| committer | Hauke Mehrtens <hauke@hauke-m.de> | 2024-05-09 19:35:20 +0200 |
| commit | f230d00e64187ad7c2d91dc8275e9fba28bb9df5 (patch) | |
| tree | efb19021a23f8b92ea1a9e9a0ba8c612f600706b | |
| parent | 9001014a24e4211a83246653b96721b79f4a92f7 (diff) | |
| download | openwrt-f230d00e64187ad7c2d91dc8275e9fba28bb9df5.tar.gz openwrt-f230d00e64187ad7c2d91dc8275e9fba28bb9df5.tar.bz2 openwrt-f230d00e64187ad7c2d91dc8275e9fba28bb9df5.zip | |
dropbear: bump to 2024.85
- update dropbear to latest stable 2024.85;
for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- drop cherry-picked patches (merged in release 2024.84)
- refresh remaining patches
Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
32 files changed, 26 insertions, 1545 deletions
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index abb46157ea..3812602b35 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dropbear -PKG_VERSION:=2022.83 -PKG_RELEASE:=2 +PKG_VERSION:=2024.85 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:= \ https://matt.ucc.asn.au/dropbear/releases/ \ https://dropbear.nl/mirror/releases/ -PKG_HASH:=bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b +PKG_HASH:=86b036c433a69d89ce51ebae335d65c47738ccf90d13e5eb0fea832e556da502 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE @@ -103,7 +103,7 @@ CONFIGURE_ARGS += \ ############################################################################## # # option,value - add option to localoptions.h -# !!option,value - replace option in sysoptions.h +# !!option,value - replace option in src/sysoptions.h # ############################################################################## @@ -132,7 +132,7 @@ DB_OPT_COMMON = \ ############################################################################## # # option,config,enabled,disabled = add option to localoptions.h -# !!option,config,enabled,disabled = replace option in sysoptions.h +# !!option,config,enabled,disabled = replace option in src/sysoptions.h # # option := (config) ? enabled : disabled # @@ -164,7 +164,7 @@ TARGET_CFLAGS += -DARGTYPE=3 xsedx:=$(shell printf '\027') db_opt_add =echo '\#define $(1) $(2)' >> $(PKG_BUILD_DIR)/localoptions.h -db_opt_replace =$(ESED) '/^\#define $(1) .*$$$$/{h;:a;$$$$!n;/^\#.+$$$$/bb;/^$$$$/bb;H;ba;:b;x;s$(xsedx)^.+$$$$$(xsedx)\#define $(1) $(2)$(xsedx)p;x};p' -n $(PKG_BUILD_DIR)/sysoptions.h +db_opt_replace =$(ESED) '/^\#define $(1) .*$$$$/{h;:a;$$$$!n;/^\#.+$$$$/bb;/^$$$$/bb;H;ba;:b;x;s$(xsedx)^.+$$$$$(xsedx)\#define $(1) $(2)$(xsedx)p;x};p' -n $(PKG_BUILD_DIR)/src/sysoptions.h define Build/Configure/dropbear_headers $(strip $(foreach s,$(DB_OPT_COMMON), \ diff --git a/package/network/services/dropbear/files/dropbear.init b/package/network/services/dropbear/files/dropbear.init index 21570987c4..708fabd326 100755 --- a/package/network/services/dropbear/files/dropbear.init +++ b/package/network/services/dropbear/files/dropbear.init @@ -261,7 +261,7 @@ dropbear_instance() esac local c=0 - # sysoptions.h + # src/sysoptions.h local DROPBEAR_MAX_PORTS=10 local a n if_ipaddrs @@ -341,7 +341,7 @@ dropbear_instance() # ref: validate_section_dropbear() # default receive window size is 24576 (DEFAULT_RECV_WINDOW in default_options.h) - # sysoptions.h + # src/sysoptions.h local MAX_RECV_WINDOW=10485760 if [ "${RecvWindowSize}" -gt ${MAX_RECV_WINDOW} ] ; then # separate logging is required because syslog misses dropbear's message diff --git a/package/network/services/dropbear/patches/001-add-if-DROPBEAR_RSA-guards.patch b/package/network/services/dropbear/patches/001-add-if-DROPBEAR_RSA-guards.patch deleted file mode 100644 index ad1a20c520..0000000000 --- a/package/network/services/dropbear/patches/001-add-if-DROPBEAR_RSA-guards.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 36a03132634a17c667c0fac0a8e1519b3d1b71c6 Mon Sep 17 00:00:00 2001 -From: Matt Johnston <matt@ucc.asn.au> -Date: Mon, 28 Nov 2022 21:12:23 +0800 -Subject: Add #if DROPBEAR_RSA guards - -Fixes building with DROPBEAR_RSA disabled. -Closes #197 ---- - signkey.c | 8 +++++++- - signkey.h | 2 ++ - sysoptions.h | 5 +---- - 3 files changed, 10 insertions(+), 5 deletions(-) - ---- a/signkey.c -+++ b/signkey.c -@@ -120,6 +120,7 @@ enum signkey_type signkey_type_from_name - /* Special case for rsa-sha2-256. This could be generalised if more - signature names are added that aren't 1-1 with public key names */ - const char* signature_name_from_type(enum signature_type type, unsigned int *namelen) { -+#if DROPBEAR_RSA - #if DROPBEAR_RSA_SHA256 - if (type == DROPBEAR_SIGNATURE_RSA_SHA256) { - if (namelen) { -@@ -136,11 +137,13 @@ const char* signature_name_from_type(enu - return SSH_SIGNKEY_RSA; - } - #endif -+#endif /* DROPBEAR_RSA */ - return signkey_name_from_type((enum signkey_type)type, namelen); - } - - /* Returns DROPBEAR_SIGNATURE_NONE if none match */ - enum signature_type signature_type_from_name(const char* name, unsigned int namelen) { -+#if DROPBEAR_RSA - #if DROPBEAR_RSA_SHA256 - if (namelen == strlen(SSH_SIGNATURE_RSA_SHA256) - && memcmp(name, SSH_SIGNATURE_RSA_SHA256, namelen) == 0) { -@@ -153,10 +156,11 @@ enum signature_type signature_type_from_ - return DROPBEAR_SIGNATURE_RSA_SHA1; - } - #endif -+#endif /* DROPBEAR_RSA */ - return (enum signature_type)signkey_type_from_name(name, namelen); - } - --/* Returns the signature type from a key type. Must not be called -+/* Returns the signature type from a key type. Must not be called - with RSA keytype */ - enum signature_type signature_type_from_signkey(enum signkey_type keytype) { - #if DROPBEAR_RSA -@@ -167,6 +171,7 @@ enum signature_type signature_type_from_ - } - - enum signkey_type signkey_type_from_signature(enum signature_type sigtype) { -+#if DROPBEAR_RSA - #if DROPBEAR_RSA_SHA256 - if (sigtype == DROPBEAR_SIGNATURE_RSA_SHA256) { - return DROPBEAR_SIGNKEY_RSA; -@@ -177,6 +182,7 @@ enum signkey_type signkey_type_from_sign - return DROPBEAR_SIGNKEY_RSA; - } - #endif -+#endif /* DROPBEAR_RSA */ - assert((int)sigtype < (int)DROPBEAR_SIGNKEY_NUM_NAMED); - return (enum signkey_type)sigtype; - } ---- a/signkey.h -+++ b/signkey.h -@@ -79,12 +79,14 @@ enum signature_type { - DROPBEAR_SIGNATURE_SK_ED25519 = DROPBEAR_SIGNKEY_SK_ED25519, - #endif - #endif -+#if DROPBEAR_RSA - #if DROPBEAR_RSA_SHA1 - DROPBEAR_SIGNATURE_RSA_SHA1 = 100, /* ssh-rsa signature (sha1) */ - #endif - #if DROPBEAR_RSA_SHA256 - DROPBEAR_SIGNATURE_RSA_SHA256 = 101, /* rsa-sha2-256 signature. has a ssh-rsa key */ - #endif -+#endif /* DROPBEAR_RSA */ - DROPBEAR_SIGNATURE_NONE = DROPBEAR_SIGNKEY_NONE, - }; - ---- a/sysoptions.h -+++ b/sysoptions.h -@@ -137,7 +137,7 @@ - - /* Debian doesn't define this in system headers */ - #if !defined(LTM_DESC) && (DROPBEAR_ECC) --#define LTM_DESC -+#define LTM_DESC - #endif - - #define DROPBEAR_ECC_256 (DROPBEAR_ECC) -@@ -151,9 +151,6 @@ - * signing operations slightly slower. */ - #define DROPBEAR_RSA_BLINDING 1 - --#ifndef DROPBEAR_RSA_SHA1 --#define DROPBEAR_RSA_SHA1 DROPBEAR_RSA --#endif - #ifndef DROPBEAR_RSA_SHA256 - #define DROPBEAR_RSA_SHA256 DROPBEAR_RSA - #endif diff --git a/package/network/services/dropbear/patches/002-fix-y2038-issues.patch b/package/network/services/dropbear/patches/002-fix-y2038-issues.patch deleted file mode 100644 index 0654e3b98b..0000000000 --- a/package/network/services/dropbear/patches/002-fix-y2038-issues.patch +++ /dev/null @@ -1,198 +0,0 @@ -From ec2215726cffb976019d08ebf569edd2229e9dba Mon Sep 17 00:00:00 2001 -From: Matt Johnston <matt@ucc.asn.au> -Date: Thu, 1 Dec 2022 11:34:43 +0800 -Subject: Fix y2038 issues with time_t conversion - -These changes were identified by building with and without --D_TIME_BITS=64 -D_FILE_OFFSET_BITS=64 -on 32-bit arm, logging warnings to files. --Wconversion was added to CFLAGS in both builds. - -Then a "diff -I Wconversion log1 log2" shows new warnings that appear -with the 64-bit time_t. There are a few false positives that have been -fixed for quietness. - -struct logininfo and struct wtmp are still problematic, those will -need to be handled by libc. ---- - common-session.c | 43 +++++++++++++++++++++++++++---------------- - dbutil.c | 2 +- - loginrec.c | 2 ++ - loginrec.h | 4 ++-- - runopts.h | 4 ++-- - svr-auth.c | 2 +- - 6 files changed, 35 insertions(+), 22 deletions(-) - ---- a/common-session.c -+++ b/common-session.c -@@ -519,15 +519,24 @@ static void send_msg_keepalive() { - ses.last_packet_time_idle = old_time_idle; - } - -+/* Returns the difference in seconds, clamped to LONG_MAX */ -+static long elapsed(time_t now, time_t prev) { -+ time_t del = now - prev; -+ if (del > LONG_MAX) { -+ return LONG_MAX; -+ } -+ return (long)del; -+} -+ - /* Check all timeouts which are required. Currently these are the time for - * user authentication, and the automatic rekeying. */ - static void checktimeouts() { - - time_t now; - now = monotonic_now(); -- -+ - if (IS_DROPBEAR_SERVER && ses.connect_time != 0 -- && now - ses.connect_time >= AUTH_TIMEOUT) { -+ && elapsed(now, ses.connect_time) >= AUTH_TIMEOUT) { - dropbear_close("Timeout before auth"); - } - -@@ -537,45 +546,47 @@ static void checktimeouts() { - } - - if (!ses.kexstate.sentkexinit -- && (now - ses.kexstate.lastkextime >= KEX_REKEY_TIMEOUT -+ && (elapsed(now, ses.kexstate.lastkextime) >= KEX_REKEY_TIMEOUT - || ses.kexstate.datarecv+ses.kexstate.datatrans >= KEX_REKEY_DATA)) { - TRACE(("rekeying after timeout or max data reached")) - send_msg_kexinit(); - } -- -+ - if (opts.keepalive_secs > 0 && ses.authstate.authdone) { - /* Avoid sending keepalives prior to auth - those are - not valid pre-auth packet types */ - - /* Send keepalives if we've been idle */ -- if (now - ses.last_packet_time_any_sent >= opts.keepalive_secs) { -+ if (elapsed(now, ses.last_packet_time_any_sent) >= opts.keepalive_secs) { - send_msg_keepalive(); - } - - /* Also send an explicit keepalive message to trigger a response - if the remote end hasn't sent us anything */ -- if (now - ses.last_packet_time_keepalive_recv >= opts.keepalive_secs -- && now - ses.last_packet_time_keepalive_sent >= opts.keepalive_secs) { -+ if (elapsed(now, ses.last_packet_time_keepalive_recv) >= opts.keepalive_secs -+ && elapsed(now, ses.last_packet_time_keepalive_sent) >= opts.keepalive_secs) { - send_msg_keepalive(); - } - -- if (now - ses.last_packet_time_keepalive_recv -+ if (elapsed(now, ses.last_packet_time_keepalive_recv) - >= opts.keepalive_secs * DEFAULT_KEEPALIVE_LIMIT) { - dropbear_exit("Keepalive timeout"); - } - } - -- if (opts.idle_timeout_secs > 0 -- && now - ses.last_packet_time_idle >= opts.idle_timeout_secs) { -+ if (opts.idle_timeout_secs > 0 -+ && elapsed(now, ses.last_packet_time_idle) >= opts.idle_timeout_secs) { - dropbear_close("Idle timeout"); - } - } - --static void update_timeout(long limit, long now, long last_event, long * timeout) { -- TRACE2(("update_timeout limit %ld, now %ld, last %ld, timeout %ld", -- limit, now, last_event, *timeout)) -+static void update_timeout(long limit, time_t now, time_t last_event, long * timeout) { -+ TRACE2(("update_timeout limit %ld, now %llu, last %llu, timeout %ld", -+ limit, -+ (unsigned long long)now, -+ (unsigned long long)last_event, *timeout)) - if (last_event > 0 && limit > 0) { -- *timeout = MIN(*timeout, last_event+limit-now); -+ *timeout = MIN(*timeout, elapsed(now, last_event) + limit); - TRACE2(("new timeout %ld", *timeout)) - } - } -@@ -584,7 +595,7 @@ static long select_timeout() { - /* determine the minimum timeout that might be required, so - as to avoid waking when unneccessary */ - long timeout = KEX_REKEY_TIMEOUT; -- long now = monotonic_now(); -+ time_t now = monotonic_now(); - - if (!ses.kexstate.sentkexinit) { - update_timeout(KEX_REKEY_TIMEOUT, now, ses.kexstate.lastkextime, &timeout); -@@ -596,7 +607,7 @@ static long select_timeout() { - } - - if (ses.authstate.authdone) { -- update_timeout(opts.keepalive_secs, now, -+ update_timeout(opts.keepalive_secs, now, - MAX(ses.last_packet_time_keepalive_recv, ses.last_packet_time_keepalive_sent), - &timeout); - } ---- a/dbutil.c -+++ b/dbutil.c -@@ -724,7 +724,7 @@ void gettime_wrapper(struct timespec *no - /* Fallback for everything else - this will sometimes go backwards */ - gettimeofday(&tv, NULL); - now->tv_sec = tv.tv_sec; -- now->tv_nsec = 1000*tv.tv_usec; -+ now->tv_nsec = 1000*(long)tv.tv_usec; - } - - /* second-resolution monotonic timestamp */ ---- a/loginrec.c -+++ b/loginrec.c -@@ -459,6 +459,7 @@ line_abbrevname(char *dst, const char *s - void - set_utmp_time(struct logininfo *li, struct utmp *ut) - { -+ /* struct utmp in glibc isn't y2038 safe yet */ - # ifdef HAVE_STRUCT_UTMP_UT_TV - ut->ut_tv.tv_sec = li->tv_sec; - ut->ut_tv.tv_usec = li->tv_usec; -@@ -1272,6 +1273,7 @@ lastlog_construct(struct logininfo *li, - (void)line_stripname(last->ll_line, li->line, sizeof(last->ll_line)); - strlcpy(last->ll_host, li->hostname, - MIN_SIZEOF(last->ll_host, li->hostname)); -+ /* struct lastlog in glibc isn't y2038 safe yet */ - last->ll_time = li->tv_sec; - } - ---- a/loginrec.h -+++ b/loginrec.h -@@ -139,8 +139,8 @@ struct logininfo { - /* struct timeval (sys/time.h) isn't always available, if it isn't we'll - * use time_t's value as tv_sec and set tv_usec to 0 - */ -- unsigned int tv_sec; -- unsigned int tv_usec; -+ time_t tv_sec; -+ suseconds_t tv_usec; - union login_netinfo hostaddr; /* caller's host address(es) */ - }; /* struct logininfo */ - ---- a/runopts.h -+++ b/runopts.h -@@ -39,8 +39,8 @@ typedef struct runopts { - int listen_fwd_all; - #endif - unsigned int recv_window; -- time_t keepalive_secs; /* Time between sending keepalives. 0 is off */ -- time_t idle_timeout_secs; /* Exit if no traffic is sent/received in this time */ -+ long keepalive_secs; /* Time between sending keepalives. 0 is off */ -+ long idle_timeout_secs; /* Exit if no traffic is sent/received in this time */ - int usingsyslog; - - #ifndef DISABLE_ZLIB ---- a/svr-auth.c -+++ b/svr-auth.c -@@ -389,7 +389,7 @@ void send_msg_userauth_failure(int parti - Beware of integer overflow if increasing these values */ - const unsigned int mindelay = 250000000; - const unsigned int vardelay = 100000000; -- unsigned int rand_delay; -+ suseconds_t rand_delay; - struct timespec delay; - - gettime_wrapper(&delay); diff --git a/package/network/services/dropbear/patches/003-fix-DROPBEAR_DSS.patch b/package/network/services/dropbear/patches/003-fix-DROPBEAR_DSS.patch deleted file mode 100644 index 6789800e12..0000000000 --- a/package/network/services/dropbear/patches/003-fix-DROPBEAR_DSS.patch +++ /dev/null @@ -1,25 +0,0 @@ -From c043efb47c3173072fa636ca0da0d19875d4511f Mon Sep 17 00:00:00 2001 -From: Matt Johnston <matt@ucc.asn.au> -Date: Tue, 6 Dec 2022 22:34:11 +0800 -Subject: Fix so DROPBEAR_DSS is only forced for fuzzing - -Regression from 787391ea3b5af2acf5e3c83372510f0c79477ad7, -was missing fuzzing conditional ---- - sysoptions.h | 2 ++ - 1 file changed, 2 insertions(+) - ---- a/sysoptions.h -+++ b/sysoptions.h -@@ -380,9 +380,11 @@ - #endif - - /* Fuzzing expects all key types to be enabled */ -+#if DROPBEAR_FUZZ - #if defined(DROPBEAR_DSS) - #undef DROPBEAR_DSS - #endif - #define DROPBEAR_DSS 1 -+#endif - - /* no include guard for this file */ diff --git a/package/network/services/dropbear/patches/004-allow-users-s-own-gid-in-pty-permission-check.patch b/package/network/services/dropbear/patches/004-allow-users-s-own-gid-in-pty-permission-check.patch deleted file mode 100644 index bcb43aed2a..0000000000 --- a/package/network/services/dropbear/patches/004-allow-users-s-own-gid-in-pty-permission-check.patch +++ /dev/null @@ -1,24 +0,0 @@ -From 860721558837441ab45019858e710a2625ffa46e Mon Sep 17 00:00:00 2001 -From: Matt Johnston <matt@ucc.asn.au> -Date: Wed, 7 Dec 2022 13:04:10 +0800 -Subject: Allow users's own gid in pty permission check - -This allows non-root Dropbear to work even without devpts gid=5 mount -option on Linux. ---- - sshpty.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/sshpty.c -+++ b/sshpty.c -@@ -380,7 +380,9 @@ pty_setowner(struct passwd *pw, const ch - tty_name, strerror(errno)); - } - -- if (st.st_uid != pw->pw_uid || st.st_gid != gid) { -+ /* Allow either "tty" gid or user's own gid. On Linux with openpty() -+ * this varies depending on the devpts mount options */ -+ if (st.st_uid != pw->pw_uid || !(st.st_gid == gid || st.st_gid == pw->pw_gid)) { - if (chown(tty_name, pw->pw_uid, gid) < 0) { - if (errno == EROFS && - (st.st_uid == pw->pw_uid || st.st_uid == 0)) { diff --git a/package/network/services/dropbear/patches/005-const-parameter-mp_int.patch b/package/network/services/dropbear/patches/005-const-parameter-mp_int.patch deleted file mode 100644 index 0d23c9c416..0000000000 --- a/package/network/services/dropbear/patches/005-const-parameter-mp_int.patch +++ /dev/null @@ -1,123 +0,0 @@ -From 01415ef8269e594a647f67ea0729ca8b590679de Mon Sep 17 00:00:00 2001 -From: Francois Perrad <francois.perrad@gadz.org> -Date: Thu, 22 Dec 2022 10:19:54 +0100 -Subject: const parameter mp_int - ---- - bignum.c | 2 +- - bignum.h | 2 +- - buffer.c | 2 +- - buffer.h | 2 +- - dbrandom.c | 2 +- - dbrandom.h | 2 +- - dbutil.c | 2 +- - dbutil.h | 2 +- - genrsa.c | 4 ++-- - 9 files changed, 10 insertions(+), 10 deletions(-) - ---- a/bignum.c -+++ b/bignum.c -@@ -93,7 +93,7 @@ void bytes_to_mp(mp_int *mp, const unsig - - /* hash the ssh representation of the mp_int mp */ - void hash_process_mp(const struct ltc_hash_descriptor *hash_desc, -- hash_state *hs, mp_int *mp) { -+ hash_state *hs, const mp_int *mp) { - buffer * buf; - - buf = buf_new(512 + 20); /* max buffer is a 4096 bit key, ---- a/bignum.h -+++ b/bignum.h -@@ -33,6 +33,6 @@ void m_mp_alloc_init_multi(mp_int **mp, - void m_mp_free_multi(mp_int **mp, ...) ATTRIB_SENTINEL; - void bytes_to_mp(mp_int *mp, const unsigned char* bytes, unsigned int len); - void hash_process_mp(const struct ltc_hash_descriptor *hash_desc, -- hash_state *hs, mp_int *mp); -+ hash_state *hs, const mp_int *mp); - - #endif /* DROPBEAR_BIGNUM_H_ */ ---- a/buffer.c -+++ b/buffer.c -@@ -299,7 +299,7 @@ void buf_putbytes(buffer *buf, const uns - - /* for our purposes we only need positive (or 0) numbers, so will - * fail if we get negative numbers */ --void buf_putmpint(buffer* buf, mp_int * mp) { -+void buf_putmpint(buffer* buf, const mp_int * mp) { - size_t written; - unsigned int len, pad = 0; - TRACE2(("enter buf_putmpint")) ---- a/buffer.h -+++ b/buffer.h -@@ -65,7 +65,7 @@ void buf_putint(buffer* buf, unsigned in - void buf_putstring(buffer* buf, const char* str, unsigned int len); - void buf_putbufstring(buffer *buf, const buffer* buf_str); - void buf_putbytes(buffer *buf, const unsigned char *bytes, unsigned int len); --void buf_putmpint(buffer* buf, mp_int * mp); -+void buf_putmpint(buffer* buf, const mp_int * mp); - int buf_getmpint(buffer* buf, mp_int* mp); - unsigned int buf_getint(buffer* buf); - ---- a/dbrandom.c -+++ b/dbrandom.c -@@ -347,7 +347,7 @@ void genrandom(unsigned char* buf, unsig - * rand must be an initialised *mp_int for the result. - * the result rand satisfies: 0 < rand < max - * */ --void gen_random_mpint(mp_int *max, mp_int *rand) { -+void gen_random_mpint(const mp_int *max, mp_int *rand) { - - unsigned char *randbuf = NULL; - unsigned int len = 0; ---- a/dbrandom.h -+++ b/dbrandom.h -@@ -30,6 +30,6 @@ - void seedrandom(void); - void genrandom(unsigned char* buf, unsigned int len); - void addrandom(const unsigned char * buf, unsigned int len); --void gen_random_mpint(mp_int *max, mp_int *rand); -+void gen_random_mpint(const mp_int *max, mp_int *rand); - - #endif /* DROPBEAR_RANDOM_H_ */ ---- a/dbutil.c -+++ b/dbutil.c -@@ -442,7 +442,7 @@ void printhex(const char * label, const - } - } - --void printmpint(const char *label, mp_int *mp) { -+void printmpint(const char *label, const mp_int *mp) { - buffer *buf = buf_new(1000); - buf_putmpint(buf, mp); - fprintf(stderr, "%d bits ", mp_count_bits(mp)); ---- a/dbutil.h -+++ b/dbutil.h -@@ -53,7 +53,7 @@ void dropbear_trace3(const char* format, - void dropbear_trace4(const char* format, ...) ATTRIB_PRINTF(1,2); - void dropbear_trace5(const char* format, ...) ATTRIB_PRINTF(1,2); - void printhex(const char * label, const unsigned char * buf, int len); --void printmpint(const char *label, mp_int *mp); -+void printmpint(const char *label, const mp_int *mp); - void debug_start_net(void); - extern int debug_trace; - #endif ---- a/genrsa.c -+++ b/genrsa.c -@@ -34,7 +34,7 @@ - #if DROPBEAR_RSA - - static void getrsaprime(mp_int* prime, mp_int *primeminus, -- mp_int* rsa_e, unsigned int size_bytes); -+ const mp_int* rsa_e, unsigned int size_bytes); - - /* mostly taken from libtomcrypt's rsa key generation routine */ - dropbear_rsa_key * gen_rsa_priv_key(unsigned int size) { -@@ -89,7 +89,7 @@ dropbear_rsa_key * gen_rsa_priv_key(unsi - - /* return a prime suitable for p or q */ - static void getrsaprime(mp_int* prime, mp_int *primeminus, -- mp_int* rsa_e, unsigned int size_bytes) { -+ const mp_int* rsa_e, unsigned int size_bytes) { - - unsigned char *buf; - int trials; diff --git a/package/network/services/dropbear/patches/006-dropbearkey-add-missing-break-in-switch.patch b/package/network/services/dropbear/patches/006-dropbearkey-add-missing-break-in-switch.patch deleted file mode 100644 index c7011021c1..0000000000 --- a/package/network/services/dropbear/patches/006-dropbearkey-add-missing-break-in-switch.patch +++ /dev/null @@ -1,21 +0,0 @@ -From 39d955c49f31fc155e885447ee2be61c869d8c2d Mon Sep 17 00:00:00 2001 -From: Matt Johnston <matt@ucc.asn.au> -Date: Tue, 3 Jan 2023 22:05:14 +0800 -Subject: Add missing break in switch - -Has no effect on execution, the fallthrough does nothing -Closes #208 ---- - dropbearkey.c | 1 + - 1 file changed, 1 insertion(+) - ---- a/dropbearkey.c -+++ b/dropbearkey.c -@@ -139,6 +139,7 @@ static void check_signkey_bits(enum sign - dropbear_exit("DSS keys have a fixed size of 1024 bits\n"); - exit(EXIT_FAILURE); - } -+ break; - #endif - default: - (void)0; /* quiet, compiler. ecdsa handles checks itself */ diff --git a/package/network/services/dropbear/patches/007-fix-building-only-client-or-server.patch b/package/network/services/dropbear/patches/007-fix-building-only-client-or-server.patch deleted file mode 100644 index 5fcfaad180..0000000000 --- a/package/network/services/dropbear/patches/007-fix-building-only-client-or-server.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 7a53c7f0f4b3eb23e002819553cb45558642c01d Mon Sep 17 00:00:00 2001 -From: Matt Johnston <matt@ucc.asn.au> -Date: Wed, 4 Jan 2023 20:32:23 +0800 -Subject: Fix building only client or server - -Regressed when -Wundef was added - -Fixes #210 ---- - sysoptions.h | 8 ++++++++ - 1 file changed, 8 insertions(+) - ---- a/sysoptions.h -+++ b/sysoptions.h -@@ -10,6 +10,14 @@ - #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION - #define PROGNAME "dropbear" - -+#ifndef DROPBEAR_CLIENT -+#define DROPBEAR_CLIENT 0 -+#endif -+ -+#ifndef DROPBEAR_SERVER -+#define DROPBEAR_SERVER 0 -+#endif -+ - /* Spec recommends after one hour or 1 gigabyte of data. One hour - * is a bit too verbose, so we try 8 hours */ - #ifndef KEX_REKEY_TIMEOUT diff --git a/package/network/services/dropbear/patches/008-disable-rsa-signatures-when-no-rsa-hostkey.patch b/package/network/services/dropbear/patches/008-disable-rsa-signatures-when-no-rsa-hostkey.patch deleted file mode 100644 index 4f675234ff..0000000000 --- a/package/network/services/dropbear/patches/008-disable-rsa-signatures-when-no-rsa-hostkey.patch +++ /dev/null @@ -1,94 +0,0 @@ -From a113381c12a2da3c9b7bd594f47a1b2657bdfdf2 Mon Sep 17 00:00:00 2001 -From: Matt Johnston <matt@ucc.asn.au> -Date: Sun, 12 Feb 2023 22:44:32 +0800 -Subject: Disable rsa signatures when no rsa hostkey - -Otherwise Dropbear will offer RSA as a hostkey signature option, but the -session will exit with an assertion or NULL pointer dereference once -that algorithm is negotiated. - -This likely regressed in 2020.79 when signature vs key type enums were -split, for rsa-sha256. - -Fixes #219 on github ---- - svr-runopts.c | 21 +++++++++++---------- - 1 file changed, 11 insertions(+), 10 deletions(-) - ---- a/svr-runopts.c -+++ b/svr-runopts.c -@@ -505,11 +505,11 @@ static void addportandaddress(const char - svr_opts.portcount++; - } - --static void disablekey(int type) { -+static void disablekey(enum signature_type type) { - int i; - TRACE(("Disabling key type %d", type)) - for (i = 0; sigalgs[i].name != NULL; i++) { -- if (sigalgs[i].val == type) { -+ if ((int)sigalgs[i].val == (int)type) { - sigalgs[i].usable = 0; - break; - } -@@ -624,7 +624,8 @@ void load_all_hostkeys() { - - #if DROPBEAR_RSA - if (!svr_opts.delay_hostkey && !svr_opts.hostkey->rsakey) { -- disablekey(DROPBEAR_SIGNKEY_RSA); -+ disablekey(DROPBEAR_SIGNATURE_RSA_SHA256); -+ disablekey(DROPBEAR_SIGNATURE_RSA_SHA1); - } else { - any_keys = 1; - } -@@ -632,7 +633,7 @@ void load_all_hostkeys() { - - #if DROPBEAR_DSS - if (!svr_opts.delay_hostkey && !svr_opts.hostkey->dsskey) { -- disablekey(DROPBEAR_SIGNKEY_DSS); -+ disablekey(DROPBEAR_SIGNATURE_DSS); - } else { - any_keys = 1; - } -@@ -666,35 +667,35 @@ void load_all_hostkeys() { - #if DROPBEAR_ECC_256 - if (!svr_opts.hostkey->ecckey256 - && (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 256 )) { -- disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP256); -+ disablekey(DROPBEAR_SIGNATURE_ECDSA_NISTP256); - } - #endif - #if DROPBEAR_ECC_384 - if (!svr_opts.hostkey->ecckey384 - && (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 384 )) { -- disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP384); -+ disablekey(DROPBEAR_SIGNATURE_ECDSA_NISTP384); - } - #endif - #if DROPBEAR_ECC_521 - if (!svr_opts.hostkey->ecckey521 - && (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 521 )) { -- disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP521); -+ disablekey(DROPBEAR_SIGNATURE_ECDSA_NISTP521); - } - #endif - #endif /* DROPBEAR_ECDSA */ - - #if DROPBEAR_ED25519 - if (!svr_opts.delay_hostkey && !svr_opts.hostkey->ed25519key) { -- disablekey(DROPBEAR_SIGNKEY_ED25519); -+ disablekey(DROPBEAR_SIGNATURE_ED25519); - } else { - any_keys = 1; - } - #endif - #if DROPBEAR_SK_ECDSA -- disablekey(DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256); -+ disablekey(DROPBEAR_SIGNATURE_SK_ECDSA_NISTP256); - #endif - #if DROPBEAR_SK_ED25519 -- disablekey(DROPBEAR_SIGNKEY_SK_ED25519); -+ disablekey(DROPBEAR_SIGNATURE_SK_ED25519); - #endif - - if (!any_keys) { diff --git a/package/network/services/dropbear/patches/009-use-write-rather-than-fprintf-in-segv-handler.patch b/package/network/services/dropbear/patches/009-use-write-rather-than-fprintf-in-segv-handler.patch deleted file mode 100644 index e1538a4c1f..0000000000 --- a/package/network/services/dropbear/patches/009-use-write-rather-than-fprintf-in-segv-handler.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 3292b8c6f1e5fcc405fa0f7a20e90a60f74037b2 Mon Sep 17 00:00:00 2001 -From: Matt Johnston <matt@ucc.asn.au> -Date: Sun, 12 Feb 2023 23:00:00 +0800 -Subject: Use write() rather than fprintf() in segv handler - -fprintf isn't guaranteed safe (though hasn't had any problems reported). ---- - svr-main.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - ---- a/svr-main.c -+++ b/svr-main.c -@@ -420,8 +420,12 @@ static void sigchld_handler(int UNUSED(u - - /* catch any segvs */ - static void sigsegv_handler(int UNUSED(unused)) { -- fprintf(stderr, "Aiee, segfault! You should probably report " -- "this as a bug to the developer\n"); -+ int i; -+ const char *msg = "Aiee, segfault! You should probably report " -+ "this as a bug to the developer\n"; -+ i = write(STDERR_FILENO, msg, strlen(msg)); -+ /* ignore short writes */ -+ (void)i; - _exit(EXIT_FAILURE); - } - diff --git a/package/network/services/dropbear/patches/010-remove-SO_LINGER.patch b/package/network/services/dropbear/patches/010-remove-SO_LINGER.patch deleted file mode 100644 index 12b1843ee2..0000000000 --- a/package/network/services/dropbear/patches/010-remove-SO_LINGER.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 5040f21cb4ee6ade966e60c6d5a3c270d03de1f1 Mon Sep 17 00:00:00 2001 -From: Matt Johnston <matt@ucc.asn.au> -Date: Mon, 1 May 2023 22:05:43 +0800 -Subject: Remove SO_LINGER - -It could cause channels to take up to 5 seconds to close(), which would block -the entire process. On busy TCP forwarding sessions this would result in -channels seeming stuck and new connections not being accepted. - -We don't need to monitor for flushing failures since we can't report errors, so -SO_LINGER wasn't useful. - -Thanks to GektorUA for reporting and testing - -Fixes #230 ---- - netio.c | 4 ---- - 1 file changed, 4 deletions(-) - ---- a/netio.c -+++ b/netio.c -@@ -472,7 +472,6 @@ int dropbear_listen(const char* address, - struct addrinfo hints, *res = NULL, *res0 = NULL; - int err; - unsigned int nsock; -- struct linger linger; - int val; - int sock; - uint16_t *allocated_lport_p = NULL; -@@ -551,9 +550,6 @@ int dropbear_listen(const char* address, - val = 1; - /* set to reuse, quick timeout */ - setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void*) &val, sizeof(val)); -- linger.l_onoff = 1; -- linger.l_linger = 5; -- setsockopt(sock, SOL_SOCKET, SO_LINGER, (void*)&linger, sizeof(linger)); - - #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY) - if (res->ai_family == AF_INET6) { diff --git a/package/network/services/dropbear/patches/011-add-option-to-bind-to-interface.patch b/package/network/services/dropbear/patches/011-add-option-to-bind-to-interface.patch deleted file mode 100644 index d1c1fa4cce..0000000000 --- a/package/network/services/dropbear/patches/011-add-option-to-bind-to-interface.patch +++ /dev/null @@ -1,147 +0,0 @@ -From fb64db9eac3fdc6434f2dc7b5ea407fe5df76e6f Mon Sep 17 00:00:00 2001 -From: Diederik De Coninck <diederik.deconinck_ext@softathome.com> -Date: Tue, 11 Apr 2023 15:38:04 +0200 -Subject: Add option to bind to interface - ---- - netio.c | 13 +++++++++++-- - netio.h | 2 +- - runopts.h | 1 + - svr-main.c | 2 +- - svr-runopts.c | 9 +++++++++ - svr-tcpfwd.c | 1 + - tcp-accept.c | 2 +- - tcpfwd.h | 1 + - 8 files changed, 26 insertions(+), 5 deletions(-) - ---- a/netio.c -+++ b/netio.c -@@ -467,7 +467,7 @@ int get_sock_port(int sock) { - * failure, if errstring wasn't NULL, it'll be a newly malloced error - * string.*/ - int dropbear_listen(const char* address, const char* port, -- int *socks, unsigned int sockcount, char **errstring, int *maxfd) { -+ int *socks, unsigned int sockcount, char **errstring, int *maxfd, const char* interface) { - - struct addrinfo hints, *res = NULL, *res0 = NULL; - int err; -@@ -497,7 +497,11 @@ int dropbear_listen(const char* address, - TRACE(("dropbear_listen: local loopback")) - } else { - if (address[0] == '\0') { -- TRACE(("dropbear_listen: all interfaces")) -+ if (interface) { -+ TRACE(("dropbear_listen: %s", interface)) -+ } else { -+ TRACE(("dropbear_listen: all interfaces")) -+ } - address = NULL; - } - hints.ai_flags = AI_PASSIVE; -@@ -551,6 +555,11 @@ int dropbear_listen(const char* address, - /* set to reuse, quick timeout */ - setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void*) &val, sizeof(val)); - -+ if(interface && setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE, interface, strlen(interface)) < 0) { -+ dropbear_log(LOG_WARNING, "Couldn't set SO_BINDTODEVICE"); -+ TRACE(("Failed setsockopt with errno failure, %d %s", errno, strerror(errno))) -+ } -+ - #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY) - if (res->ai_family == AF_INET6) { - int on = 1; ---- a/netio.h -+++ b/netio.h -@@ -19,7 +19,7 @@ void get_socket_address(int fd, char **l - void getaddrstring(struct sockaddr_storage* addr, - char **ret_host, char **ret_port, int host_lookup); - int dropbear_listen(const char* address, const char* port, -- int *socks, unsigned int sockcount, char **errstring, int *maxfd); -+ int *socks, unsigned int sockcount, char **errstring, int *maxfd, const char* interface); - - struct dropbear_progress_connection; - ---- a/runopts.h -+++ b/runopts.h -@@ -128,6 +128,7 @@ typedef struct svr_runopts { - char * pidfile; - - char * forced_command; -+ char* interface; - - #if DROPBEAR_PLUGIN - /* malloced */ ---- a/svr-main.c -+++ b/svr-main.c -@@ -488,7 +488,7 @@ static size_t listensockets(int *socks, - - nsock = dropbear_listen(svr_opts.addresses[i], svr_opts.ports[i], &socks[sockpos], - sockcount - sockpos, -- &errstring, maxfd); -+ &errstring, maxfd, svr_opts.interface); - - if (nsock < 0) { - dropbear_log(LOG_WARNING, "Failed listening on '%s': %s", ---- a/svr-runopts.c -+++ b/svr-runopts.c -@@ -98,6 +98,8 @@ static void printhelp(const char * progn - " (default port is %s if none specified)\n" - "-P PidFile Create pid file PidFile\n" - " (default %s)\n" -+ "-l <interface>\n" -+ " interface to bind on\n" - #if INETD_MODE - "-i Start for inetd\n" - #endif -@@ -265,6 +267,9 @@ void svr_getopts(int argc, char ** argv) - case 'P': - next = &svr_opts.pidfile; - break; -+ case 'l': -+ next = &svr_opts.interface; -+ break; - #if DO_MOTD - /* motd is displayed by default, -m turns it off */ - case 'm': -@@ -438,6 +443,10 @@ void svr_getopts(int argc, char ** argv) - dropbear_log(LOG_INFO, "Forced command set to '%s'", svr_opts.forced_command); - } - -+ if (svr_opts.interface) { -+ dropbear_log(LOG_INFO, "Binding to interface '%s'", svr_opts.interface); -+ } -+ - if (reexec_fd_arg) { - if (m_str_to_uint(reexec_fd_arg, &svr_opts.reexec_childpipe) == DROPBEAR_FAILURE - || svr_opts.reexec_childpipe < 0) { ---- a/svr-tcpfwd.c -+++ b/svr-tcpfwd.c -@@ -205,6 +205,7 @@ static int svr_remotetcpreq(int *allocat - tcpinfo->listenport = port; - tcpinfo->chantype = &svr_chan_tcpremote; - tcpinfo->tcp_type = forwarded; -+ tcpinfo->interface = svr_opts.interface; - - tcpinfo->request_listenaddr = request_addr; - if (!opts.listen_fwd_all || (strcmp(request_addr, "localhost") == 0) ) { ---- a/tcp-accept.c -+++ b/tcp-accept.c -@@ -117,7 +117,7 @@ int listen_tcpfwd(struct TCPListener* tc - snprintf(portstring, sizeof(portstring), "%u", tcpinfo->listenport); - - nsocks = dropbear_listen(tcpinfo->listenaddr, portstring, socks, -- DROPBEAR_MAX_SOCKS, &errstring, &ses.maxfd); -+ DROPBEAR_MAX_SOCKS, &errstring, &ses.maxfd, tcpinfo->interface); - if (nsocks < 0) { - dropbear_log(LOG_INFO, "TCP forward failed: %s", errstring); - m_free(errstring); ---- a/tcpfwd.h -+++ b/tcpfwd.h -@@ -42,6 +42,7 @@ struct TCPListener { - unsigned int listenport; - /* The address that the remote host asked to listen on */ - char *request_listenaddr; -+ char* interface; - - const struct ChanType *chantype; - enum {direct, forwarded} tcp_type; diff --git a/package/network/services/dropbear/patches/012-add-ifdef-guards-for-SO_BINDTODEVICE.patch b/package/network/services/dropbear/patches/012-add-ifdef-guards-for-SO_BINDTODEVICE.patch deleted file mode 100644 index 11f902bf90..0000000000 --- a/package/network/services/dropbear/patches/012-add-ifdef-guards-for-SO_BINDTODEVICE.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 031d09b47912b2401f4934667c0b6f857ede61ee Mon Sep 17 00:00:00 2001 -From: Matt Johnston <matt@ucc.asn.au> -Date: Tue, 18 Jul 2023 23:20:16 +0800 -Subject: Add ifdef guards for SO_BINDTODEVICE - ---- - netio.c | 2 ++ - svr-runopts.c | 4 ++++ - 2 files changed, 6 insertions(+) - ---- a/netio.c -+++ b/netio.c -@@ -555,10 +555,12 @@ int dropbear_listen(const char* address, - /* set to reuse, quick timeout */ - setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void*) &val, sizeof(val)); - -+#ifdef SO_BINDTODEVICE - if(interface && setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE, interface, strlen(interface)) < 0) { - dropbear_log(LOG_WARNING, "Couldn't set SO_BINDTODEVICE"); - TRACE(("Failed setsockopt with errno failure, %d %s", errno, strerror(errno))) - } -+#endif - - #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY) - if (res->ai_family == AF_INET6) { ---- a/svr-runopts.c -+++ b/svr-runopts.c -@@ -98,8 +98,10 @@ static void printhelp(const char * progn - " (default port is %s if none specified)\n" - "-P PidFile Create pid file PidFile\n" - " (default %s)\n" -+#ifdef SO_BINDTODEVICE - "-l <interface>\n" - " interface to bind on\n" -+#endif - #if INETD_MODE - "-i Start for inetd\n" - #endif -@@ -267,9 +269,11 @@ void svr_getopts(int argc, char ** argv) - case 'P': - next = &svr_opts.pidfile; - break; -+#ifdef SO_BINDTODEVICE - case 'l': - next = &svr_opts.interface; - break; -+#endif - #if DO_MOTD - /* motd is displayed by default, -m turns it off */ - case 'm': diff --git a/package/network/services/dropbear/patches/013-make-banner-reading-failure-non-fatal.patch b/package/network/services/dropbear/patches/013-make-banner-reading-failure-non-fatal.patch deleted file mode 100644 index 531215c757..0000000000 --- a/package/network/services/dropbear/patches/013-make-banner-reading-failure-non-fatal.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 62a06cd95f58060a59359f8769c3f35cd680d4fd Mon Sep 17 00:00:00 2001 -From: Matt Johnston <matt@ucc.asn.au> -Date: Sun, 23 Jul 2023 21:01:48 +0800 -Subject: Make banner reading failure non-fatal - ---- - svr-runopts.c | 45 ++++++++++++++++++++++++++++----------------- - 1 file changed, 28 insertions(+), 17 deletions(-) - ---- a/svr-runopts.c -+++ b/svr-runopts.c -@@ -38,6 +38,7 @@ static void printhelp(const char * progn - static void addportandaddress(const char* spec); - static void loadhostkey(const char *keyfile, int fatal_duplicate); - static void addhostkey(const char *keyfile); -+static void load_banner(); - - static void printhelp(const char * progname) { - -@@ -382,23 +383,7 @@ void svr_getopts(int argc, char ** argv) - } - - if (svr_opts.bannerfile) { -- struct stat buf; -- if (stat(svr_opts.bannerfile, &buf) != 0) { -- dropbear_exit("Error opening banner file '%s'", -- svr_opts.bannerfile); -- } -- -- if (buf.st_size > MAX_BANNER_SIZE) { -- dropbear_exit("Banner file too large, max is %d bytes", -- MAX_BANNER_SIZE); -- } -- -- svr_opts.banner = buf_new(buf.st_size); -- if (buf_readfile(svr_opts.banner, svr_opts.bannerfile)!=DROPBEAR_SUCCESS) { -- dropbear_exit("Error reading banner file '%s'", -- svr_opts.bannerfile); -- } -- buf_setpos(svr_opts.banner, 0); -+ load_banner(); - } - - #ifdef HAVE_GETGROUPLIST -@@ -715,3 +700,29 @@ void load_all_hostkeys() { - dropbear_exit("No hostkeys available. 'dropbear -R' may be useful or run dropbearkey."); - } - } -+ -+static void load_banner() { -+ struct stat buf; -+ if (stat(svr_opts.bannerfile, &buf) != 0) { -+ dropbear_log(LOG_WARNING, "Error opening banner file '%s'", -+ svr_opts.bannerfile); -+ return; -+ } -+ -+ if (buf.st_size > MAX_BANNER_SIZE) { -+ dropbear_log(LOG_WARNING, "Banner file too large, max is %d bytes", -+ MAX_BANNER_SIZE); -+ return; -+ } -+ -+ svr_opts.banner = buf_new(buf.st_size); -+ if (buf_readfile(svr_opts.banner, svr_opts.bannerfile) != DROPBEAR_SUCCESS) { -+ dropbear_log(LOG_WARNING, "Error reading banner file '%s'", -+ svr_opts.bannerfile); -+ buf_free(svr_opts.banner); -+ svr_opts.banner = NULL; -+ return; -+ } -+ buf_setpos(svr_opts.banner, 0); -+ -+} diff --git a/package/network/services/dropbear/patches/014-dropbearkey-ignore-unsupported-command-line-option.patch b/package/network/services/dropbear/patches/014-dropbearkey-ignore-unsupported-command-line-option.patch deleted file mode 100644 index ff130f8be0..0000000000 --- a/package/network/services/dropbear/patches/014-dropbearkey-ignore-unsupported-command-line-option.patch +++ /dev/null @@ -1,60 +0,0 @@ -From ec26975d442163b66d1646a48e022bc8c2f1607a Mon Sep 17 00:00:00 2001 -From: Sergey Ponomarev <stokito@gmail.com> -Date: Sun, 27 Aug 2023 00:07:05 +0300 -Subject: dropbearkey.c Ignore unsupported command line options - -To generate non interactively a key with OpenSSH the simplest command is: - -ssh-keygen -t ed25519 -q -N '' -f ~/.ssh/id_ed25519 - -The command has two options -q quiet and -N passphrase which aren't supported by the dropbearkey. - -To improve interoperability add explicit ignoring of the -q and -N with empty passphrase. -Also ignore the -v even if the DEBUG_TRACE is not set. - -Signed-off-by: Sergey Ponomarev <stokito@gmail.com> ---- - dropbearkey.c | 15 +++++++++++++-- - 1 file changed, 13 insertions(+), 2 deletions(-) - ---- a/dropbearkey.c -+++ b/dropbearkey.c -@@ -159,6 +159,7 @@ int main(int argc, char ** argv) { - enum signkey_type keytype = DROPBEAR_SIGNKEY_NONE; - char * typetext = NULL; - char * sizetext = NULL; -+ char * passphrase = NULL; - unsigned int bits = 0, genbits; - int printpub = 0; - -@@ -194,11 +195,16 @@ int main(int argc, char ** argv) { - printhelp(argv[0]); - exit(EXIT_SUCCESS); - break; --#if DEBUG_TRACE - case 'v': -+#if DEBUG_TRACE - debug_trace = DROPBEAR_VERBOSE_LEVEL; -- break; - #endif -+ break; -+ case 'q': -+ break; /* quiet is default */ -+ case 'N': -+ next = &passphrase; -+ break; - default: - fprintf(stderr, "Unknown argument %s\n", argv[i]); - printhelp(argv[0]); -@@ -266,6 +272,11 @@ int main(int argc, char ** argv) { - check_signkey_bits(keytype, bits);; - } - -+ if (passphrase && *passphrase != '\0') { -+ fprintf(stderr, "Only empty passphrase is supported\n"); -+ exit(EXIT_FAILURE); -+ } -+ - genbits = signkey_generate_get_bits(keytype, bits); - fprintf(stderr, "Generating %u bit %s key, this may take a while...\n", genbits, typetext); - if (signkey_generate(keytype, bits, filename, 0) == DROPBEAR_FAILURE) diff --git a/package/network/services/dropbear/patches/015-libtommath-fix-possible-integer-overflow.patch b/package/network/services/dropbear/patches/015-libtommath-fix-possible-integer-overflow.patch deleted file mode 100644 index f39417adb7..0000000000 --- a/package/network/services/dropbear/patches/015-libtommath-fix-possible-integer-overflow.patch +++ /dev/null @@ -1,121 +0,0 @@ -From 3b576d95dcf791d7b945e75f639da8f89c1685a2 Mon Sep 17 00:00:00 2001 -From: czurnieden <czurnieden@gmx.de> -Date: Tue, 9 May 2023 17:17:12 +0200 -Subject: Fix possible integer overflow - ---- - libtommath/bn_mp_2expt.c | 4 ++++ - libtommath/bn_mp_grow.c | 4 ++++ - libtommath/bn_mp_init_size.c | 5 +++++ - libtommath/bn_mp_mul_2d.c | 4 ++++ - libtommath/bn_s_mp_mul_digs.c | 4 ++++ - libtommath/bn_s_mp_mul_digs_fast.c | 4 ++++ - libtommath/bn_s_mp_mul_high_digs.c | 4 ++++ - libtommath/bn_s_mp_mul_high_digs_fast.c | 4 ++++ - 8 files changed, 33 insertions(+) - ---- a/libtommath/bn_mp_2expt.c -+++ b/libtommath/bn_mp_2expt.c -@@ -12,6 +12,10 @@ mp_err mp_2expt(mp_int *a, int b) - { - mp_err err; - -+ if (b < 0) { -+ return MP_VAL; -+ } -+ - /* zero a as per default */ - mp_zero(a); - ---- a/libtommath/bn_mp_grow.c -+++ b/libtommath/bn_mp_grow.c -@@ -9,6 +9,10 @@ mp_err mp_grow(mp_int *a, int size) - int i; - mp_digit *tmp; - -+ if (size < 0) { -+ return MP_VAL; -+ } -+ - /* if the alloc size is smaller alloc more ram */ - if (a->alloc < size) { - /* reallocate the array a->dp ---- a/libtommath/bn_mp_init_size.c -+++ b/libtommath/bn_mp_init_size.c -@@ -6,6 +6,11 @@ - /* init an mp_init for a given size */ - mp_err mp_init_size(mp_int *a, int size) - { -+ -+ if (size < 0) { -+ return MP_VAL; -+ } -+ - size = MP_MAX(MP_MIN_PREC, size); - - /* alloc mem */ ---- a/libtommath/bn_mp_mul_2d.c -+++ b/libtommath/bn_mp_mul_2d.c -@@ -9,6 +9,10 @@ mp_err mp_mul_2d(const mp_int *a, int b, - mp_digit d; - mp_err err; - -+ if (b < 0) { -+ return MP_VAL; -+ } -+ - /* copy */ - if (a != c) { - if ((err = mp_copy(a, c)) != MP_OKAY) { ---- a/libtommath/bn_s_mp_mul_digs.c -+++ b/libtommath/bn_s_mp_mul_digs.c -@@ -16,6 +16,10 @@ mp_err s_mp_mul_digs(const mp_int *a, co - mp_word r; - mp_digit tmpx, *tmpt, *tmpy; - -+ if (digs < 0) { -+ return MP_VAL; -+ } -+ - /* can we use the fast multiplier? */ - if ((digs < MP_WARRAY) && - (MP_MIN(a->used, b->used) < MP_MAXFAST)) { ---- a/libtommath/bn_s_mp_mul_digs_fast.c -+++ b/libtommath/bn_s_mp_mul_digs_fast.c -@@ -26,6 +26,10 @@ mp_err s_mp_mul_digs_fast(const mp_int * - mp_digit W[MP_WARRAY]; - mp_word _W; - -+ if (digs < 0) { -+ return MP_VAL; -+ } -+ - /* grow the destination as required */ - if (c->alloc < digs) { - if ((err = mp_grow(c, digs)) != MP_OKAY) { ---- a/libtommath/bn_s_mp_mul_high_digs.c -+++ b/libtommath/bn_s_mp_mul_high_digs.c -@@ -15,6 +15,10 @@ mp_err s_mp_mul_high_digs(const mp_int * - mp_word r; - mp_digit tmpx, *tmpt, *tmpy; - -+ if (digs < 0) { -+ return MP_VAL; -+ } -+ - /* can we use the fast multiplier? */ - if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST) - && ((a->used + b->used + 1) < MP_WARRAY) ---- a/libtommath/bn_s_mp_mul_high_digs_fast.c -+++ b/libtommath/bn_s_mp_mul_high_digs_fast.c -@@ -19,6 +19,10 @@ mp_err s_mp_mul_high_digs_fast(const mp_ - mp_digit W[MP_WARRAY]; - mp_word _W; - -+ if (digs < 0) { -+ return MP_VAL; -+ } -+ - /* grow the destination as required */ - pa = a->used + b->used; - if (c->alloc < pa) { diff --git a/package/network/services/dropbear/patches/016-src-svr-tcpfwd-Fix-noremotetcp-behavior.patch b/package/network/services/dropbear/patches/016-src-svr-tcpfwd-Fix-noremotetcp-behavior.patch deleted file mode 100644 index b6933120e6..0000000000 --- a/package/network/services/dropbear/patches/016-src-svr-tcpfwd-Fix-noremotetcp-behavior.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 3cf8344769eda55e26eee53c1898b2c66544f188 Mon Sep 17 00:00:00 2001 -From: Justin Chen <justin.chen@broadcom.com> -Date: Fri, 8 Sep 2023 11:35:18 -0700 -Subject: src: svr-tcpfwd: Fix noremotetcp behavior - -If noremotetcp is set, we should still reply with -send_msg_request_failed. This matches the behavior -of !DROPBEAR_SVR_REMOTETCPFWD. - -We were seeing keepalive packets being ignored when -the "-k" option was used. ---- - svr-tcpfwd.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/svr-tcpfwd.c -+++ b/svr-tcpfwd.c -@@ -79,14 +79,14 @@ void recv_msg_global_request_remotetcp() - - TRACE(("enter recv_msg_global_request_remotetcp")) - -+ reqname = buf_getstring(ses.payload, &namelen); -+ wantreply = buf_getbool(ses.payload); -+ - if (svr_opts.noremotetcp || !svr_pubkey_allows_tcpfwd()) { - TRACE(("leave recv_msg_global_request_remotetcp: remote tcp forwarding disabled")) - goto out; - } - -- reqname = buf_getstring(ses.payload, &namelen); -- wantreply = buf_getbool(ses.payload); -- - if (namelen > MAX_NAME_LEN) { - TRACE(("name len is wrong: %d", namelen)) - goto out; diff --git a/package/network/services/dropbear/patches/017-Don-t-try-to-shutdown-a-pty.patch b/package/network/services/dropbear/patches/017-Don-t-try-to-shutdown-a-pty.patch deleted file mode 100644 index 603c61d6fb..0000000000 --- a/package/network/services/dropbear/patches/017-Don-t-try-to-shutdown-a-pty.patch +++ /dev/null @@ -1,32 +0,0 @@ -From e28ba1b9975eab48799aa3ed77d3cd91627d7b27 Mon Sep 17 00:00:00 2001 -From: Matt Johnston <matt@ucc.asn.au> -Date: Sat, 9 Dec 2023 23:10:41 +0800 -Subject: Don't try to shutdown() a pty - -shutdown() of a pty doesn't work (ENOTSOCK), so we should close -it instead. - -This will ensure that PTY controlling terminals are closed when a -session exits, including when multiple sessions run over a single SSH -connection. In the normal case of a single session, the PTY controlling -terminal would be closed when the Dropbear server process exits anyway. - -This possibly fixes #264 on github - -It is possible that there could be subtle changes to PTY flushing -behaviour, though nothing caught by tests at present. ---- - svr-chansession.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/svr-chansession.c -+++ b/svr-chansession.c -@@ -910,7 +910,7 @@ static int ptycommand(struct Channel *ch - channel->readfd = chansess->master; - /* don't need to set stderr here */ - ses.maxfd = MAX(ses.maxfd, chansess->master); -- channel->bidir_fd = 1; -+ channel->bidir_fd = 0; - - setnonblocking(chansess->master); - diff --git a/package/network/services/dropbear/patches/018-dropbearkey-add-alias-to-ssh-keygen.patch b/package/network/services/dropbear/patches/018-dropbearkey-add-alias-to-ssh-keygen.patch deleted file mode 100644 index 9c70c3141c..0000000000 --- a/package/network/services/dropbear/patches/018-dropbearkey-add-alias-to-ssh-keygen.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 806586b585806cbe32013bcd3af3847278972060 Mon Sep 17 00:00:00 2001 -From: Sergey Ponomarev <stokito@gmail.com> -Date: Sun, 10 Dec 2023 10:31:56 +0200 -Subject: dropbearkey: add alias to ssh-keygen - -The dropbearkey is partially compatible with ssh-keygen and can be used as an alias. - -Closes: #263 ---- - dbmulti.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - ---- a/dbmulti.c -+++ b/dbmulti.c -@@ -41,7 +41,8 @@ static int runprog(const char *multipath - } - #endif - #ifdef DBMULTI_dropbearkey -- if (strcmp(progname, "dropbearkey") == 0) { -+ if (strcmp(progname, "dropbearkey") == 0 -+ || strcmp(progname, "ssh-keygen") == 0) { - return dropbearkey_main(argc, argv); - } - #endif -@@ -88,7 +89,7 @@ int main(int argc, char ** argv) { - "'dbclient' or 'ssh' - the Dropbear client\n" - #endif - #ifdef DBMULTI_dropbearkey -- "'dropbearkey' - the key generator\n" -+ "'dropbearkey' or 'ssh-keygen' - the key generator\n" - #endif - #ifdef DBMULTI_dropbearconvert - "'dropbearconvert' - the key converter\n" diff --git a/package/network/services/dropbear/patches/019-Allow-inetd-with-non-syslog.patch b/package/network/services/dropbear/patches/019-Allow-inetd-with-non-syslog.patch deleted file mode 100644 index 3544f2123c..0000000000 --- a/package/network/services/dropbear/patches/019-Allow-inetd-with-non-syslog.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 383cc8c97a9420aad9cf93d88e77ec636b183a9d Mon Sep 17 00:00:00 2001 -From: Matt Johnston <matt@ucc.asn.au> -Date: Mon, 11 Dec 2023 23:18:09 +0800 -Subject: Allow inetd with non-syslog - -An inetd-alike should be able to distinguish stdout and stderr, so -it's a valid configuration. - -Fixes #218 on github ---- - svr-runopts.c | 12 ------------ - 1 file changed, 12 deletions(-) - ---- a/svr-runopts.c -+++ b/svr-runopts.c -@@ -443,18 +443,6 @@ void svr_getopts(int argc, char ** argv) - } - } - --#if INETD_MODE -- if (svr_opts.inetdmode && ( -- opts.usingsyslog == 0 --#if DEBUG_TRACE -- || debug_trace --#endif -- )) { -- /* log output goes to stderr which would get sent over the inetd network socket */ -- dropbear_exit("Dropbear inetd mode is incompatible with debug -v or non-syslog"); -- } --#endif -- - if (svr_opts.multiauthmethod && svr_opts.noauthpass) { - dropbear_exit("-t and -s are incompatible"); - } diff --git a/package/network/services/dropbear/patches/020-Fix-test-for-multiuser-kernels.patch b/package/network/services/dropbear/patches/020-Fix-test-for-multiuser-kernels.patch deleted file mode 100644 index 8d016faa9c..0000000000 --- a/package/network/services/dropbear/patches/020-Fix-test-for-multiuser-kernels.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 9ac650401ffc2fb05c9328d26e76a5e7ae39152a Mon Sep 17 00:00:00 2001 -From: Matt Johnston <matt@ucc.asn.au> -Date: Mon, 11 Dec 2023 23:31:22 +0800 -Subject: Fix test for multiuser kernels - -getuid() succeeds even on non-multiuser kernels. Instead -getgroups() is a valid test. - -Fixes #214 on github ---- - common-session.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - ---- a/common-session.c -+++ b/common-session.c -@@ -71,10 +71,13 @@ void common_session_init(int sock_in, in - #if !DROPBEAR_SVR_MULTIUSER - /* A sanity check to prevent an accidental configuration option - leaving multiuser systems exposed */ -- errno = 0; -- getuid(); -- if (errno != ENOSYS) { -- dropbear_exit("Non-multiuser Dropbear requires a non-multiuser kernel"); -+ { -+ int ret; -+ errno = 0; -+ ret = getgroups(0, NULL); -+ if (!(ret == -1 && errno == ENOSYS)) { -+ dropbear_exit("Non-multiuser Dropbear requires a non-multiuser kernel"); -+ } - } - #endif - diff --git a/package/network/services/dropbear/patches/021-Implement-Strict-KEX-mode.patch b/package/network/services/dropbear/patches/021-Implement-Strict-KEX-mode.patch deleted file mode 100644 index d490d9545a..0000000000 --- a/package/network/services/dropbear/patches/021-Implement-Strict-KEX-mode.patch +++ /dev/null @@ -1,216 +0,0 @@ -From 6e43be5c7b99dbee49dc72b6f989f29fdd7e9356 Mon Sep 17 00:00:00 2001 -From: Matt Johnston <matt@ucc.asn.au> -Date: Mon, 20 Nov 2023 14:02:47 +0800 -Subject: Implement Strict KEX mode - -As specified by OpenSSH with kex-strict-c-v00@openssh.com and -kex-strict-s-v00@openssh.com. ---- - cli-session.c | 11 +++++++++++ - common-algo.c | 6 ++++++ - common-kex.c | 26 +++++++++++++++++++++++++- - kex.h | 3 +++ - process-packet.c | 34 +++++++++++++++++++--------------- - ssh.h | 4 ++++ - svr-session.c | 3 +++ - 7 files changed, 71 insertions(+), 16 deletions(-) - ---- a/cli-session.c -+++ b/cli-session.c -@@ -46,6 +46,7 @@ static void cli_finished(void) ATTRIB_NO - static void recv_msg_service_accept(void); - static void cli_session_cleanup(void); - static void recv_msg_global_request_cli(void); -+static void cli_algos_initialise(void); - - struct clientsession cli_ses; /* GLOBAL */ - -@@ -117,6 +118,7 @@ void cli_session(int sock_in, int sock_o - } - - chaninitialise(cli_chantypes); -+ cli_algos_initialise(); - - /* Set up cli_ses vars */ - cli_session_init(proxy_cmd_pid); -@@ -487,3 +489,12 @@ void cli_dropbear_log(int priority, cons - fflush(stderr); - } - -+static void cli_algos_initialise(void) { -+ algo_type *algo; -+ for (algo = sshkex; algo->name; algo++) { -+ if (strcmp(algo->name, SSH_STRICT_KEX_S) == 0) { -+ algo->usable = 0; -+ } -+ } -+} -+ ---- a/common-algo.c -+++ b/common-algo.c -@@ -308,6 +308,12 @@ algo_type sshkex[] = { - {SSH_EXT_INFO_C, 0, NULL, 1, NULL}, - #endif - #endif -+#if DROPBEAR_CLIENT -+ {SSH_STRICT_KEX_C, 0, NULL, 1, NULL}, -+#endif -+#if DROPBEAR_SERVER -+ {SSH_STRICT_KEX_S, 0, NULL, 1, NULL}, -+#endif - {NULL, 0, NULL, 0, NULL} - }; - ---- a/common-kex.c -+++ b/common-kex.c -@@ -183,6 +183,10 @@ void send_msg_newkeys() { - gen_new_keys(); - switch_keys(); - -+ if (ses.kexstate.strict_kex) { -+ ses.transseq = 0; -+ } -+ - TRACE(("leave send_msg_newkeys")) - } - -@@ -193,7 +197,11 @@ void recv_msg_newkeys() { - - ses.kexstate.recvnewkeys = 1; - switch_keys(); -- -+ -+ if (ses.kexstate.strict_kex) { -+ ses.recvseq = 0; -+ } -+ - TRACE(("leave recv_msg_newkeys")) - } - -@@ -550,6 +558,10 @@ void recv_msg_kexinit() { - - ses.kexstate.recvkexinit = 1; - -+ if (ses.kexstate.strict_kex && !ses.kexstate.donefirstkex && ses.recvseq != 1) { -+ dropbear_exit("First packet wasn't kexinit"); -+ } -+ - TRACE(("leave recv_msg_kexinit")) - } - -@@ -859,6 +871,18 @@ static void read_kex_algos() { - } - #endif - -+ if (!ses.kexstate.donefirstkex) { -+ const char* strict_name; -+ if (IS_DROPBEAR_CLIENT) { -+ strict_name = SSH_STRICT_KEX_S; -+ } else { -+ strict_name = SSH_STRICT_KEX_C; -+ } -+ if (buf_has_algo(ses.payload, strict_name) == DROPBEAR_SUCCESS) { -+ ses.kexstate.strict_kex = 1; -+ } -+ } -+ - algo = buf_match_algo(ses.payload, sshkex, kexguess2, &goodguess); - allgood &= goodguess; - if (algo == NULL || algo->data == NULL) { ---- a/kex.h -+++ b/kex.h -@@ -83,6 +83,9 @@ struct KEXState { - - unsigned our_first_follows_matches : 1; - -+ /* Boolean indicating that strict kex mode is in use */ -+ unsigned int strict_kex; -+ - time_t lastkextime; /* time of the last kex */ - unsigned int datatrans; /* data transmitted since last kex */ - unsigned int datarecv; /* data received since last kex */ ---- a/process-packet.c -+++ b/process-packet.c -@@ -44,6 +44,7 @@ void process_packet() { - - unsigned char type; - unsigned int i; -+ unsigned int first_strict_kex = ses.kexstate.strict_kex && !ses.kexstate.donefirstkex; - time_t now; - - TRACE2(("enter process_packet")) -@@ -54,22 +55,24 @@ void process_packet() { - now = monotonic_now(); - ses.last_packet_time_keepalive_recv = now; - -- /* These packets we can receive at any time */ -- switch(type) { - -- case SSH_MSG_IGNORE: -- goto out; -- case SSH_MSG_DEBUG: -- goto out; -- -- case SSH_MSG_UNIMPLEMENTED: -- /* debugging XXX */ -- TRACE(("SSH_MSG_UNIMPLEMENTED")) -- goto out; -- -- case SSH_MSG_DISCONNECT: -- /* TODO cleanup? */ -- dropbear_close("Disconnect received"); -+ if (type == SSH_MSG_DISCONNECT) { -+ /* Allowed at any time */ -+ dropbear_close("Disconnect received"); -+ } -+ -+ /* These packets may be received at any time, -+ except during first kex with strict kex */ -+ if (!first_strict_kex) { -+ switch(type) { -+ case SSH_MSG_IGNORE: -+ goto out; -+ case SSH_MSG_DEBUG: -+ goto out; -+ case SSH_MSG_UNIMPLEMENTED: -+ TRACE(("SSH_MSG_UNIMPLEMENTED")) -+ goto out; -+ } - } - - /* Ignore these packet types so that keepalives don't interfere with -@@ -98,7 +101,8 @@ void process_packet() { - if (type >= 1 && type <= 49 - && type != SSH_MSG_SERVICE_REQUEST - && type != SSH_MSG_SERVICE_ACCEPT -- && type != SSH_MSG_KEXINIT) -+ && type != SSH_MSG_KEXINIT -+ && !first_strict_kex) - { - TRACE(("unknown allowed packet during kexinit")) - recv_unimplemented(); ---- a/ssh.h -+++ b/ssh.h -@@ -100,6 +100,10 @@ - #define SSH_EXT_INFO_C "ext-info-c" - #define SSH_SERVER_SIG_ALGS "server-sig-algs" - -+/* OpenSSH strict KEX feature */ -+#define SSH_STRICT_KEX_S "kex-strict-s-v00@openssh.com" -+#define SSH_STRICT_KEX_C "kex-strict-c-v00@openssh.com" -+ - /* service types */ - #define SSH_SERVICE_USERAUTH "ssh-userauth" - #define SSH_SERVICE_USERAUTH_LEN 12 ---- a/svr-session.c -+++ b/svr-session.c -@@ -370,6 +370,9 @@ static void svr_algos_initialise(void) { - algo->usable = 0; - } - #endif -+ if (strcmp(algo->name, SSH_STRICT_KEX_C) == 0) { -+ algo->usable = 0; -+ } - } - } - diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch index b1075f8464..0ecca900b4 100644 --- a/package/network/services/dropbear/patches/100-pubkey_path.patch +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch @@ -1,5 +1,5 @@ ---- a/svr-authpubkey.c -+++ b/svr-authpubkey.c +--- a/src/svr-authpubkey.c ++++ b/src/svr-authpubkey.c @@ -78,6 +78,13 @@ static void send_msg_userauth_pk_ok(cons const unsigned char* keyblob, unsigned int keybloblen); static int checkfileperm(char * filename); diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch index 04d1df3fde..9cb073cf94 100644 --- a/package/network/services/dropbear/patches/110-change_user.patch +++ b/package/network/services/dropbear/patches/110-change_user.patch @@ -1,6 +1,6 @@ ---- a/svr-chansession.c -+++ b/svr-chansession.c -@@ -985,12 +985,12 @@ static void execchild(const void *user_d +--- a/src/svr-chansession.c ++++ b/src/svr-chansession.c +@@ -987,12 +987,12 @@ static void execchild(const void *user_d /* We can only change uid/gid as root ... */ if (getuid() == 0) { diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch index a26f33dfbc..de0e5f2725 100644 --- a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch +++ b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch @@ -1,6 +1,6 @@ ---- a/cli-runopts.c -+++ b/cli-runopts.c -@@ -329,6 +329,10 @@ void cli_getopts(int argc, char ** argv) +--- a/src/cli-runopts.c ++++ b/src/cli-runopts.c +@@ -340,6 +340,10 @@ void cli_getopts(int argc, char ** argv) case 'z': opts.disable_ip_tos = 1; break; diff --git a/package/network/services/dropbear/patches/140-disable_assert.patch b/package/network/services/dropbear/patches/140-disable_assert.patch index af01573dee..eb590a3895 100644 --- a/package/network/services/dropbear/patches/140-disable_assert.patch +++ b/package/network/services/dropbear/patches/140-disable_assert.patch @@ -1,5 +1,5 @@ ---- a/dbutil.h -+++ b/dbutil.h +--- a/src/dbutil.h ++++ b/src/dbutil.h @@ -80,7 +80,11 @@ int m_snprintf(char *str, size_t size, c #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL} diff --git a/package/network/services/dropbear/patches/160-lto-jobserver.patch b/package/network/services/dropbear/patches/160-lto-jobserver.patch index fd80b986ae..1f3b298f35 100644 --- a/package/network/services/dropbear/patches/160-lto-jobserver.patch +++ b/package/network/services/dropbear/patches/160-lto-jobserver.patch @@ -1,6 +1,6 @@ --- a/Makefile.in +++ b/Makefile.in -@@ -200,17 +200,17 @@ dropbearkey: $(dropbearkeyobjs) +@@ -220,17 +220,17 @@ dropbearkey: $(dropbearkeyobjs) dropbearconvert: $(dropbearconvertobjs) dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile @@ -22,7 +22,7 @@ # multi-binary compilation. -@@ -221,7 +221,7 @@ ifeq ($(MULTI),1) +@@ -241,7 +241,7 @@ ifeq ($(MULTI),1) endif dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch index 07ae022763..e72458dd6e 100644 --- a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch +++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch @@ -1,5 +1,5 @@ ---- a/svr-auth.c -+++ b/svr-auth.c +--- a/src/svr-auth.c ++++ b/src/svr-auth.c @@ -124,7 +124,7 @@ void recv_msg_userauth_request() { AUTH_METHOD_NONE_LEN) == 0) { TRACE(("recv_msg_userauth_request: 'none' request")) diff --git a/package/network/services/dropbear/patches/900-configure-hardening.patch b/package/network/services/dropbear/patches/900-configure-hardening.patch index 5dc84849be..746694f48d 100644 --- a/package/network/services/dropbear/patches/900-configure-hardening.patch +++ b/package/network/services/dropbear/patches/900-configure-hardening.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -87,54 +87,6 @@ AC_ARG_ENABLE(harden, +@@ -86,54 +86,6 @@ AC_ARG_ENABLE(harden, if test "$hardenbuild" -eq 1; then AC_MSG_NOTICE(Checking for available hardened build flags:) diff --git a/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch b/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch index a9a441ce76..4da01c9edb 100644 --- a/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch +++ b/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -45,11 +45,8 @@ fi +@@ -44,11 +44,8 @@ fi # LTM_CFLAGS is given to ./configure by the user, # DROPBEAR_LTM_CFLAGS is substituted in the LTM Makefile.in DROPBEAR_LTM_CFLAGS="$LTM_CFLAGS" diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch index 059177a1c5..43dd1426b1 100644 --- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch +++ b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch @@ -19,8 +19,8 @@ Signed-off-by: Petr Štetiar <ynezz@true.cz> signkey.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) ---- a/signkey.c -+++ b/signkey.c +--- a/src/signkey.c ++++ b/src/signkey.c @@ -652,10 +652,18 @@ int buf_verify(buffer * buf, sign_key *k sigtype = signature_type_from_name(type_name, type_name_len); m_free(type_name); |