From: jow Date: Thu, 28 Jul 2011 14:18:09 +0000 (+0000) Subject: [backfire] sync dropbear with trunk (#9819) X-Git-Url: http://git.ozo.com/?p=openwrt-10.03%2F.git;a=commitdiff_plain;h=671a610677a5c456232083e92e2248150e4076ba;hp=c4d237f459113af5f306b78a0d22f5c4abf28546 [backfire] sync dropbear with trunk (#9819) git-svn-id: svn://svn.openwrt.org/openwrt/branches/backfire@27817 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- diff --git a/package/dropbear/Makefile b/package/dropbear/Makefile index 5a6ab3bba..3fba1347e 100644 --- a/package/dropbear/Makefile +++ b/package/dropbear/Makefile @@ -8,14 +8,16 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dropbear -PKG_VERSION:=0.52 -PKG_RELEASE:=4 +PKG_VERSION:=0.53.1 +PKG_RELEASE:=3 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ http://matt.ucc.asn.au/dropbear/releases/ \ http://www.mirrors.wiretapped.net/security/cryptography/apps/ssh/dropbear/ -PKG_MD5SUM:=1c69ec674481d7745452f68f2ea5597e +PKG_MD5SUM:=6b8d901859d9b8a18e2f6bfe0a892a03 + +PKG_BUILD_PARALLEL:=1 include $(INCLUDE_DIR)/package.mk @@ -61,7 +63,11 @@ CONFIGURE_ARGS += \ --disable-loginfunc \ --disable-pututline \ --disable-pututxline \ - --disable-zlib + --disable-zlib \ + --enable-bundled-libtom + +TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections +TARGET_LDFLAGS += -Wl,--gc-sections define Build/Configure $(SED) 's,^/\* #define PKG_MULTI.*,#define PKG_MULTI,g' $(PKG_BUILD_DIR)/options.h @@ -70,12 +76,12 @@ define Build/Configure endef define Build/Compile - $(MAKE) -C $(PKG_BUILD_DIR) \ + $(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ $(TARGET_CONFIGURE_OPTS) \ LD="$(TARGET_CC)" \ PROGRAMS="dropbear dbclient dropbearkey scp" \ MULTI=1 SCPPROGRESS=1 - $(MAKE) -C $(PKG_BUILD_DIR) \ + $(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ $(TARGET_CONFIGURE_OPTS) \ LD="$(TARGET_CC)" \ PROGRAMS="dropbearconvert" diff --git a/package/dropbear/files/dropbear.config b/package/dropbear/files/dropbear.config index 492d2a174..2139ba0bb 100644 
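Review bot: `-DARGTYPE=3` on the new `TARGET_CFLAGS` line has no comment, and it is the one flag in this hunk that changes runtime behaviour rather than only size: in libtomcrypt's `tomcrypt_argchk.h` an ARGTYPE of 3 defines `LTC_ARGCHK(x)` as empty, so the library's NULL-pointer and range checks on arguments are compiled out. Because `--enable-bundled-libtom` is added in the same hunk, this applies to the crypto code the SSH server itself links. I would put a comment above the line, such as `# ARGTYPE=3 compiles out LTC_ARGCHK() argument checks in bundled libtomcrypt to save space`, so the trade-off is visible to whoever next edits the flags. It is also worth measuring how many bytes the checks cost before deciding to keep them off.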
--- a/package/dropbear/files/dropbear.config
+++ b/package/dropbear/files/dropbear.config
@@ -1,4 +1,5 @@
 config dropbear
 option PasswordAuth 'on'
+ option RootPasswordAuth 'on'
 option Port '22'
 # option BannerFile '/etc/banner'
diff --git a/package/dropbear/files/dropbear.init b/package/dropbear/files/dropbear.init
index 6250636fc..aa7e07dd6 100755
--- a/package/dropbear/files/dropbear.init
+++ b/package/dropbear/files/dropbear.init
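Review bot: The default `dropbear.config` now spells out `RootPasswordAuth 'on'` but gives no hint of the two restricting options the init script learns in this same commit, `Interface` and `RootLogin`. The shipped default therefore remains root password login on port 22 with no address binding; whether that is reachable from the WAN side depends on firewall rules that are not part of this diff. I would add commented-out examples next to the existing `BannerFile` one, e.g. `#	option Interface 'lan'` and `#	option RootLogin 'off'`, so the tighter settings can be discovered from the file itself.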
@@ -26,31 +26,37 @@ dropbear_start() # increase pid file count to handle multiple instances correctly PIDCOUNT="$(( ${PIDCOUNT} + 1))" - # prepare parameters + # prepare parameters (initialise with pid file) + local args="-P /var/run/${NAME}.${PIDCOUNT}.pid" + local val # A) password authentication - local nopasswd - local passauth - config_get_bool passauth "${section}" PasswordAuth 1 - [ "${passauth}" -eq 0 ] && nopasswd=1 - # B) listen port - local port - config_get port "${section}" Port + config_get_bool val "${section}" PasswordAuth 1 + [ "${val}" -eq 0 ] && append args "-s" + # B) listen interface and port + local interface + local address + config_get interface "${section}" Interface + config_get address "${interface}" ipaddr + config_get val "${section}" Port + val="${address:+${address}:}${val}" + [ -n "${val}" ] && append args "-p ${val}" # C) banner file - local bannerfile - config_get bannerfile "${section}" BannerFile - [ -f "$bannerfile" ] || bannerfile='' + config_get val "${section}" BannerFile + [ -f "${val}" ] && append args "-b ${val}" # D) gatewayports - local gatewayports - config_get_bool gatewayports "${section}" GatewayPorts 0 - [ "${gatewayports}" -eq 1 ] || gatewayports='' + config_get_bool val "${section}" GatewayPorts 0 + [ "${val}" -eq 1 ] && append args "-a" # E) root password authentication - local norootpasswd - local rootpassauth - config_get_bool rootpassauth "${section}" RootPasswordAuth 1 - [ "${rootpassauth}" -eq 0 ] && norootpasswd=1 - # concatenate parameters - local args - args="${nopasswd:+-s }${norootpasswd:+-g }${port:+-p ${port} }${bannerfile:+-b $bannerfile }${gatewayports:+-a }-P /var/run/${NAME}.${PIDCOUNT}.pid" + config_get_bool val "${section}" RootPasswordAuth 1 + [ "${val}" -eq 0 ] && append args "-g" + # F) root login + config_get_bool val "${section}" RootLogin 1 + [ "${val}" -eq 0 ] && append args "-w" + # G) host keys + config_get val "${section}" rsakeyfile + [ -f "${val}" ] && append args "-r ${val}" + 
config_get val "${section}" dsskeyfile + [ -f "${val}" ] && append args "-d ${val}" # execute program and return its exit code [ "${verbosed}" -ne 0 ] && echo "${initscript}: section ${section} starting ${PROG} ${args}" @@ -86,6 +92,8 @@ start() [ -s /etc/dropbear/dropbear_rsa_host_key -a \ -s /etc/dropbear/dropbear_dss_host_key ] || keygen + include /lib/network + scan_interfaces config_load "${NAME}" config_foreach dropbear_start dropbear } diff --git a/package/dropbear/patches/110-change_user.patch b/package/dropbear/patches/110-change_user.patch index 964229bd7..f003c276c 100644 --- a/package/dropbear/patches/110-change_user.patch +++ b/package/dropbear/patches/110-change_user.patch @@ -1,6 +1,6 @@ --- a/svr-chansession.c +++ b/svr-chansession.c -@@ -852,12 +852,12 @@ static void execchild(void *user_data) { +@@ -881,12 +881,12 @@ static void execchild(void *user_data) { /* We can only change uid/gid as root ... */ if (getuid() == 0) { @@ -9,10 +9,10 @@ (initgroups(ses.authstate.pw_name, - ses.authstate.pw_gid) < 0)) { + ses.authstate.pw_gid) < 0))) { - dropbear_exit("error changing user group"); + dropbear_exit("Error changing user group"); } - if (setuid(ses.authstate.pw_uid) < 0) { + if ((ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)) { - dropbear_exit("error changing user"); + dropbear_exit("Error changing user"); } } else { diff --git a/package/dropbear/patches/120-openwrt_options.patch b/package/dropbear/patches/120-openwrt_options.patch new file mode 100644 index 000000000..d1745e1e8 --- /dev/null +++ b/package/dropbear/patches/120-openwrt_options.patch 
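Review bot: The new `Interface` handling in section B of `dropbear_start` fails open. When `Interface` is set but `config_get address "${interface}" ipaddr` yields nothing (presumably a mistyped interface name or an interface with no static `ipaddr`; `scan_interfaces` is defined outside this diff), `${address:+${address}:}` expands to empty and dropbear is started with a bare `-p <port>`, that is, on all addresses. An admin who asked for a single-interface listener gets a wider one with no message. I would refuse to start that instance instead, right after the `ipaddr` lookup: `[ -n "${interface}" ] && [ -z "${address}" ] && { echo "${initscript}: section ${section}: no address for ${interface}" >&2; return 1; }`. `dropbear_start` begins and ends outside the hunk, so confirm that an early return fits its other exit paths.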
@@ -0,0 +1,67 @@ +--- a/options.h ++++ b/options.h +@@ -38,7 +38,7 @@ + * Both of these flags can be defined at once, don't compile without at least + * one of them. */ + #define NON_INETD_MODE +-#define INETD_MODE ++/*#define INETD_MODE*/ + + /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is + * perhaps 20% slower for pubkey operations (it is probably worth experimenting +@@ -49,7 +49,7 @@ + several kB in binary size however will make the symmetrical ciphers and hashes + slower, perhaps by 50%. Recommended for small systems that aren't doing + much traffic. */ +-/*#define DROPBEAR_SMALL_CODE*/ ++#define DROPBEAR_SMALL_CODE + + /* Enable X11 Forwarding - server only */ + #define ENABLE_X11FWD +@@ -78,7 +78,7 @@ much traffic. */ + + /* Enable "Netcat mode" option. This will forward standard input/output + * to a remote TCP-forwarded connection */ +-#define ENABLE_CLI_NETCAT ++/*#define ENABLE_CLI_NETCAT*/ + + /* Encryption - at least one required. + * Protocol RFC requires 3DES and recommends AES128 for interoperability. +@@ -89,8 +89,8 @@ much traffic. */ + #define DROPBEAR_AES256 + /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ + /*#define DROPBEAR_BLOWFISH*/ +-#define DROPBEAR_TWOFISH256 +-#define DROPBEAR_TWOFISH128 ++/*#define DROPBEAR_TWOFISH256 ++#define DROPBEAR_TWOFISH128*/ + + /* Enable "Counter Mode" for ciphers. This is more secure than normal + * CBC mode against certain attacks. This adds around 1kB to binary +@@ -110,7 +110,7 @@ much traffic. */ + * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, + * which are not the standard form. */ + #define DROPBEAR_SHA1_HMAC +-#define DROPBEAR_SHA1_96_HMAC ++/*#define DROPBEAR_SHA1_96_HMAC*/ + #define DROPBEAR_MD5_HMAC + + /* Hostkey/public key algorithms - at least one required, these are used +@@ -148,7 +148,7 @@ much traffic. */ + + /* Whether to print the message of the day (MOTD). 
This doesn't add much code + * size */ +-#define DO_MOTD ++/*#define DO_MOTD*/ + + /* The MOTD file path */ + #ifndef MOTD_FILENAME +@@ -185,7 +185,7 @@ much traffic. */ + * note that it will be provided for all "hidden" client-interactive + * style prompts - if you want something more sophisticated, use + * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/ +-#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD" ++/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/ + + /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of + * a helper program for the ssh client. The helper program should be diff --git a/package/dropbear/patches/130-ssh_ignore_o_and_x_args.patch b/package/dropbear/patches/130-ssh_ignore_o_and_x_args.patch index 7c4306c36..93647a99e 100644 --- a/package/dropbear/patches/130-ssh_ignore_o_and_x_args.patch +++ b/package/dropbear/patches/130-ssh_ignore_o_and_x_args.patch @@ -1,6 +1,6 @@ --- a/cli-runopts.c +++ b/cli-runopts.c -@@ -271,6 +271,10 @@ void cli_getopts(int argc, char ** argv) +@@ -287,6 +287,10 @@ void cli_getopts(int argc, char ** argv) debug_trace = 1; break; #endif @@ -11,7 +11,7 @@ case 'F': case 'e': case 'c': -@@ -282,7 +286,6 @@ void cli_getopts(int argc, char ** argv) +@@ -298,7 +302,6 @@ void cli_getopts(int argc, char ** argv) #ifndef ENABLE_CLI_LOCALTCPFWD case 'L': #endif diff --git a/package/dropbear/patches/200-lcrypt_bsdfix.patch b/package/dropbear/patches/200-lcrypt_bsdfix.patch new file mode 100644 index 000000000..bbd6644dd --- /dev/null +++ b/package/dropbear/patches/200-lcrypt_bsdfix.patch 
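Review bot: `#define ENABLE_X11FWD` stays enabled in `120-openwrt_options.patch` (it is visible as context in the second inner hunk) while the patch switches off netcat mode, MOTD and the password environment variable. Server-side X11 forwarding is extra code reachable by any authenticated client, and an embedded router build seems unlikely to need it, so I would add `/*#define ENABLE_X11FWD*/` to the patch unless another patch in the series already disables it. The patch also has no header text; a few lines above `--- a/options.h` stating which changes are for size (`DROPBEAR_SMALL_CODE`, Twofish, `DROPBEAR_SHA1_96_HMAC`) and which are hardening (`DROPBEAR_PASSWORD_ENV`) would make the next refresh against a new upstream release easier to review.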
@@ -0,0 +1,20 @@
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -28,7 +28,7 @@ COMMONOBJS=dbutil.o buffer.o \
+ queue.o \
+ atomicio.o compat.o fake-rfc2553.o
+
+-SVROBJS=@CRYPTLIB@ svr-kex.o svr-algo.o svr-auth.o sshpty.o \
++SVROBJS=svr-kex.o svr-algo.o svr-auth.o sshpty.o \
+ svr-authpasswd.o svr-authpubkey.o svr-authpubkeyoptions.o svr-session.o svr-service.o \
+ svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o\
+ svr-tcpfwd.o svr-authpam.o
+@@ -77,7 +77,7 @@ STRIP=@STRIP@
+ INSTALL=@INSTALL@
+ CPPFLAGS=@CPPFLAGS@
+ CFLAGS+=-I. -I$(srcdir) $(CPPFLAGS) @CFLAGS@
+-LIBS+=@LIBS@
++LIBS+=@CRYPTLIB@ @LIBS@
+ LDFLAGS=@LDFLAGS@
+
+ EXEEXT=@EXEEXT@