From d4dfb566e27e4c67c86d163262719dfa52406a59 Mon Sep 17 00:00:00 2001 From: Konstantin Demin Date: Tue, 9 Jan 2024 03:40:01 +0300 Subject: [PATCH] dropbear: bump to 2022.83 - update dropbear to latest stable 2022.83; for the changes see https://matt.ucc.asn.au/dropbear/CHANGES - drop patches: - 001-fix-MAX_UNAUTH_CLIENTS-regression.patch - rework patches: - 901-bundled-libs-cflags.patch - refresh remaining patches Signed-off-by: Konstantin Demin --- package/network/services/dropbear/Makefile | 9 +- ...01-fix-MAX_UNAUTH_CLIENTS-regression.patch | 134 ------------------ .../dropbear/patches/100-pubkey_path.patch | 6 +- .../patches/130-ssh_ignore_x_args.patch | 6 +- .../patches/900-configure-hardening.patch | 35 ++--- .../patches/901-bundled-libs-cflags.patch | 71 ++++------ 6 files changed, 56 insertions(+), 205 deletions(-) delete mode 100644 package/network/services/dropbear/patches/001-fix-MAX_UNAUTH_CLIENTS-regression.patch diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index e98e995ba7..5339bbd108 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dropbear -PKG_VERSION:=2022.82 -PKG_RELEASE:=5 +PKG_VERSION:=2022.83 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:= \ https://matt.ucc.asn.au/dropbear/releases/ \ https://dropbear.nl/mirror/releases/ -PKG_HASH:=3a038d2bbc02bf28bbdd20c012091f741a3ec5cbe460691811d714876aad75d1 +PKG_HASH:=bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE @@ -114,6 +114,7 @@ DB_OPT_COMMON = \ DEFAULT_PATH|"$(TARGET_INIT_PATH)" \ !!LOCAL_IDENT|"SSH-2.0-dropbear" \ DROPBEAR_CLI_NETCAT|0 \ + !!DROPBEAR_DSS|0 \ DROPBEAR_DSS|0 \ DO_MOTD|0 \ 
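Review bot: The DB_OPT_COMMON list now carries two entries for the same symbol, the added `!!DROPBEAR_DSS|0` directly above the existing `DROPBEAR_DSS|0`, and neither the hunk nor the commit message says why both are needed after the 2022.83 bump. If the `!!` prefix (also used on `!!LOCAL_IDENT`) routes the setting to a different options header than the unprefixed form, a comment next to the pair would stop a later refresh from "deduplicating" it, e.g. `# DROPBEAR_DSS is set in both option headers on purpose: <reason — TODO fill in>`; if it does not, one of the two lines is redundant. The rest of the hunk is the version and PKG_HASH bump and needs no comment.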
@@ -181,10 +182,12 @@ endef define Build/Compile +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ $(TARGET_CONFIGURE_OPTS) \ + IGNORE_SPEED=1 \ PROGRAMS="dropbear $(if $(CONFIG_DROPBEAR_DBCLIENT),dbclient,) dropbearkey $(if $(CONFIG_DROPBEAR_SCP),scp,)" \ MULTI=1 SCPPROGRESS=1 +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ $(TARGET_CONFIGURE_OPTS) \ + IGNORE_SPEED=1 \ PROGRAMS="dropbearconvert" endef diff --git a/package/network/services/dropbear/patches/001-fix-MAX_UNAUTH_CLIENTS-regression.patch b/package/network/services/dropbear/patches/001-fix-MAX_UNAUTH_CLIENTS-regression.patch deleted file mode 100644 index e0dca544ec..0000000000 --- a/package/network/services/dropbear/patches/001-fix-MAX_UNAUTH_CLIENTS-regression.patch +++ /dev/null 
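Review bot: `IGNORE_SPEED=1` is added to both make invocations in Build/Compile without a comment, and the variable is defined nowhere in this package, so a reader has to know it is consumed by the bundled libtomcrypt/libtommath makefiles. It presumably replaces the `OPENWRT_BUILD` guard that the old 901-bundled-libs-cflags.patch placed around those makefiles' own optimisation-flag selection (dropped in this same commit), keeping a default of the `-O3 -funroll-loops -fomit-frame-pointer` kind from being appended to the target CFLAGS. A one-line comment above the first invocation, `# IGNORE_SPEED=1: let the bundled libtom* makefiles build with our CFLAGS instead of their own -O3 defaults`, would record that; since the value must be identical in both calls, defining it once in a variable shared by the two invocations would also prevent the two from drifting apart.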
@@ -1,134 +0,0 @@ -From: Matt Johnston -Date: Wed, 8 Jun 2022 21:26:20 +0800 -Subject: Fix MAX_UNAUTH_CLIENTS regression - -Since re-exec change in 2022.82 Dropbear count -treat authenticated sessions towards the unauthenticated -session limit. This is fixed by passing the childpipe FD -through to the re-execed process. ---- - runopts.h | 5 +++-- - svr-main.c | 21 +++++++++++---------- - svr-runopts.c | 15 ++++++++++++--- - 3 files changed, 26 insertions(+), 15 deletions(-) - ---- a/runopts.h -+++ b/runopts.h -@@ -79,8 +79,9 @@ typedef struct svr_runopts { - char *addresses[DROPBEAR_MAX_PORTS]; - - int inetdmode; -- /* Hidden "-2" flag indicates it's re-executing itself */ -- int reexec_child; -+ /* Hidden "-2 childpipe_fd" flag indicates it's re-executing itself, -+ stores the childpipe preauth file descriptor. Set to -1 otherwise. */ -+ int reexec_childpipe; - - /* Flags indicating whether to use ipv4 and ipv6 */ - /* not used yet ---- a/svr-main.c -+++ b/svr-main.c -@@ -71,7 +71,7 @@ int main(int argc, char ** argv) - #endif - - #if DROPBEAR_DO_REEXEC -- if (svr_opts.reexec_child) { -+ if (svr_opts.reexec_childpipe >= 0) { - #ifdef PR_SET_NAME - /* Fix the "Name:" in /proc/pid/status, otherwise it's - a FD number from fexecve. -@@ -102,7 +102,7 @@ static void main_inetd() { - - seedrandom(); - -- if (!svr_opts.reexec_child) { -+ if (svr_opts.reexec_childpipe < 0) { - /* In case our inetd was lax in logging source addresses */ - get_socket_address(0, NULL, NULL, &host, &port, 0); - dropbear_log(LOG_INFO, "Child connection from %s:%s", host, port); -@@ -115,10 +115,8 @@ static void main_inetd() { - setsid(); - } - -- /* Start service program -- * -1 is a dummy childpipe, just something we can close() without -- * mattering. 
*/ -- svr_session(0, -1); -+ /* -1 for childpipe in the inetd case is discarded */ -+ svr_session(0, svr_opts.reexec_childpipe); - - /* notreached */ - } -@@ -347,9 +345,10 @@ static void main_noinetd(int argc, char - - if (execfd >= 0) { - #if DROPBEAR_DO_REEXEC -- /* Add "-2" to the args and re-execute ourself. */ -- char **new_argv = m_malloc(sizeof(char*) * (argc+3)); -- int pos0 = 0, new_argc = argc+1; -+ /* Add "-2 childpipe[1]" to the args and re-execute ourself. */ -+ char **new_argv = m_malloc(sizeof(char*) * (argc+4)); -+ char buf[10]; -+ int pos0 = 0, new_argc = argc+2; - - /* We need to specially handle "dropbearmulti dropbear". */ - if (multipath) { -@@ -359,7 +358,9 @@ static void main_noinetd(int argc, char - } - - memcpy(&new_argv[pos0], argv, sizeof(char*) * argc); -- new_argv[new_argc-1] = "-2"; -+ new_argv[new_argc-2] = "-2"; -+ snprintf(buf, sizeof(buf), "%d", childpipe[1]); -+ new_argv[new_argc-1] = buf; - new_argv[new_argc] = NULL; - - if ((dup2(childsock, STDIN_FILENO) < 0)) { ---- a/svr-runopts.c -+++ b/svr-runopts.c -@@ -138,6 +138,7 @@ void svr_getopts(int argc, char ** argv) - char* keepalive_arg = NULL; - char* idle_timeout_arg = NULL; - char* maxauthtries_arg = NULL; -+ char* reexec_fd_arg = NULL; - char* keyfile = NULL; - char c; - #if DROPBEAR_PLUGIN -@@ -175,6 +176,7 @@ void svr_getopts(int argc, char ** argv) - svr_opts.pubkey_plugin_options = NULL; - #endif - svr_opts.pass_on_env = 0; -+ svr_opts.reexec_childpipe = -1; - - #ifndef DISABLE_ZLIB - opts.compress_mode = DROPBEAR_COMPRESS_DELAYED; -@@ -250,12 +252,12 @@ void svr_getopts(int argc, char ** argv) - #if DROPBEAR_DO_REEXEC && NON_INETD_MODE - /* For internal use by re-exec */ - case '2': -- svr_opts.reexec_child = 1; -+ next = &reexec_fd_arg; - break; - #endif - case 'p': -- nextisport = 1; -- break; -+ nextisport = 1; -+ break; - case 'P': - next = &svr_opts.pidfile; - break; -@@ -426,6 +428,13 @@ void svr_getopts(int argc, char ** argv) - dropbear_log(LOG_INFO, "Forced 
command set to '%s'", svr_opts.forced_command); - } - -+ if (reexec_fd_arg) { -+ if (m_str_to_uint(reexec_fd_arg, &svr_opts.reexec_childpipe) == DROPBEAR_FAILURE -+ || svr_opts.reexec_childpipe < 0) { -+ dropbear_exit("Bad -2"); -+ } -+ } -+ - #if INETD_MODE - if (svr_opts.inetdmode && ( - opts.usingsyslog == 0 diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch index 0403198062..b1075f8464 100644 --- a/package/network/services/dropbear/patches/100-pubkey_path.patch +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch @@ -1,6 +1,6 @@ --- a/svr-authpubkey.c +++ b/svr-authpubkey.c -@@ -77,6 +77,13 @@ static void send_msg_userauth_pk_ok(cons +@@ -78,6 +78,13 @@ static void send_msg_userauth_pk_ok(cons const unsigned char* keyblob, unsigned int keybloblen); static int checkfileperm(char * filename); @@ -14,7 +14,7 @@ /* process a pubkey auth request, sending success or failure message as * appropriate */ void svr_auth_pubkey(int valid_user) { -@@ -439,14 +446,21 @@ static int checkpubkey(const char* keyal +@@ -462,14 +469,21 @@ static int checkpubkey(const char* keyal if (checkpubkeyperms() == DROPBEAR_FAILURE) { TRACE(("bad authorized_keys permissions, or file doesn't exist")) } else { @@ -44,7 +44,7 @@ authfile = fopen(filename, "r"); if (!authfile) { -@@ -520,27 +534,41 @@ static int checkpubkeyperms() { +@@ -543,27 +557,41 @@ static int checkpubkeyperms() { goto out; } diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch index d7f589801d..a26f33dfbc 100644 --- a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch +++ b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch @@ -1,8 +1,8 @@ --- a/cli-runopts.c 
+++ b/cli-runopts.c -@@ -325,6 +325,10 @@ void cli_getopts(int argc, char ** argv) - case 'b': - next = &bind_arg; +@@ -329,6 +329,10 @@ void cli_getopts(int argc, char ** argv) + case 'z': + opts.disable_ip_tos = 1; break; + case 'x': + /* compatibility with openssh cli diff --git a/package/network/services/dropbear/patches/900-configure-hardening.patch b/package/network/services/dropbear/patches/900-configure-hardening.patch index 4f806f8b25..5dc84849be 100644 --- a/package/network/services/dropbear/patches/900-configure-hardening.patch +++ b/package/network/services/dropbear/patches/900-configure-hardening.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -74,53 +74,6 @@ AC_ARG_ENABLE(harden, +@@ -87,54 +87,6 @@ AC_ARG_ENABLE(harden, if test "$hardenbuild" -eq 1; then AC_MSG_NOTICE(Checking for available hardened build flags:) @@ -11,15 +11,15 @@ - - OLDLDFLAGS="$LDFLAGS" - TESTFLAGS="-Wl,-pie" -- LDFLAGS="$LDFLAGS $TESTFLAGS" -- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], -- [AC_MSG_NOTICE([Setting $TESTFLAGS])], +- LDFLAGS="$TESTFLAGS $LDFLAGS" +- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], +- [AC_MSG_NOTICE([Setting $TESTFLAGS])], - [ - LDFLAGS="$OLDLDFLAGS" - TESTFLAGS="-pie" -- LDFLAGS="$LDFLAGS $TESTFLAGS" -- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], -- [AC_MSG_NOTICE([Setting $TESTFLAGS])], +- LDFLAGS="$TESTFLAGS $LDFLAGS" +- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], +- [AC_MSG_NOTICE([Setting $TESTFLAGS])], - [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ] - ) - ] 
@@ -27,30 +27,31 @@ - # readonly elf relocation sections (relro) - OLDLDFLAGS="$LDFLAGS" - TESTFLAGS="-Wl,-z,now -Wl,-z,relro" -- LDFLAGS="$LDFLAGS $TESTFLAGS" -- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], -- [AC_MSG_NOTICE([Setting $TESTFLAGS])], +- LDFLAGS="$TESTFLAGS $LDFLAGS" +- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], +- [AC_MSG_NOTICE([Setting $TESTFLAGS])], - [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ] - ) - fi # non-static - # stack protector. -strong is good but only in gcc 4.9 or later - OLDCFLAGS="$CFLAGS" - TESTFLAGS="-fstack-protector-strong" -- CFLAGS="$CFLAGS $TESTFLAGS" -- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], -- [AC_MSG_NOTICE([Setting $TESTFLAGS])], +- CFLAGS="$TESTFLAGS $CFLAGS" +- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], +- [AC_MSG_NOTICE([Setting $TESTFLAGS])], - [ - CFLAGS="$OLDCFLAGS" - TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4" -- CFLAGS="$CFLAGS $TESTFLAGS" -- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], -- [AC_MSG_NOTICE([Setting $TESTFLAGS])], +- CFLAGS="$TESTFLAGS $CFLAGS" +- AC_LINK_IFELSE([AC_LANG_PROGRAM([])], +- [AC_MSG_NOTICE([Setting $TESTFLAGS])], - [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ] - ) - ] - ) - # FORTIFY_SOURCE - DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2]) - +- # Spectre v2 mitigations DB_TRYADDCFLAGS([-mfunction-return=thunk]) + DB_TRYADDCFLAGS([-mindirect-branch=thunk]) diff --git a/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch b/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch index 2432b4ef72..a9a441ce76 100644 --- a/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch +++ b/package/network/services/dropbear/patches/901-bundled-libs-cflags.patch 
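Review bot: The refreshed hunk now also deletes the upstream `# Spectre v2 mitigations` comment (the new `-	# Spectre v2 mitigations` line at the end of the hunk) while the two `DB_TRYADDCFLAGS` calls it labels, `-mfunction-return=thunk` and `-mindirect-branch=thunk`, stay in configure.ac. Unless dropping it is intentional, that line should be an inner context line (`	# Spectre v2 mitigations` with a leading space instead of `-`) and the inner hunk header changed from `@@ -87,54 +87,6 @@` to `@@ -87,54 +87,7 @@`. The other changes in the hunk only track upstream's switch to `AC_LINK_IFELSE` and the `$TESTFLAGS $CFLAGS` ordering inside the block this patch removes, which presumably is what OpenWrt's toolchain-level hardening flags already provide; the patch file still starts directly at `--- a/configure.ac`, so that rationale is recorded nowhere in the file.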
@@ -1,48 +1,29 @@ ---- a/libtomcrypt/makefile_include.mk -+++ b/libtomcrypt/makefile_include.mk -@@ -94,6 +94,13 @@ endif +--- a/configure.ac ++++ b/configure.ac +@@ -45,11 +45,8 @@ fi + # LTM_CFLAGS is given to ./configure by the user, + # DROPBEAR_LTM_CFLAGS is substituted in the LTM Makefile.in + DROPBEAR_LTM_CFLAGS="$LTM_CFLAGS" +-if test -z "$DROPBEAR_LTM_CFLAGS"; then +- DROPBEAR_LTM_CFLAGS="-O3 -funroll-loops -fomit-frame-pointer" +-fi +-AC_MSG_NOTICE(Setting LTM_CFLAGS to $DROPBEAR_LTM_CFLAGS) +-AC_ARG_VAR(LTM_CFLAGS, CFLAGS for bundled libtommath. Default -O3 -funroll-loops -fomit-frame-pointer) ++AC_MSG_NOTICE(Setting LTM_CFLAGS to '$DROPBEAR_LTM_CFLAGS') ++AC_ARG_VAR(LTM_CFLAGS, CFLAGS for bundled libtommath. Defaults to empty string) + AC_SUBST(DROPBEAR_LTM_CFLAGS) - LTC_CFLAGS += -Wno-type-limits + AC_MSG_NOTICE([Checking if compiler '$CC' supports -Wno-pointer-sign]) +--- a/libtomcrypt/src/headers/tomcrypt_dropbear.h ++++ b/libtomcrypt/src/headers/tomcrypt_dropbear.h +@@ -7,8 +7,10 @@ -+ifdef OPENWRT_BUILD -+ ifeq (-Os,$(filter -Os,$(CFLAGS))) -+ LTC_CFLAGS += -DLTC_SMALL_CODE -+ endif -+else -+ ### ! OPENWRT_BUILD -+ - ifdef LTC_DEBUG - $(info Debug build) - # compile for DEBUGGING (required for ccmalloc checking!!!) -@@ -121,6 +128,9 @@ endif - endif # COMPILE_SMALL - endif # COMPILE_DEBUG + /* Use small code where possible */ + #if DROPBEAR_SMALL_CODE ++#ifndef LTC_SMALL_CODE + #define LTC_SMALL_CODE + #endif ++#endif -+ ### ! OPENWRT_BUILD -+endif -+ - - ifneq ($(findstring clang,$(CC)),) - LTC_CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header -Wno-missing-field-initializers ---- a/libtommath/makefile_include.mk -+++ b/libtommath/makefile_include.mk -@@ -70,6 +70,9 @@ else - LTM_CFLAGS += -Wsystem-headers - endif - -+ifndef OPENWRT_BUILD -+ ### ! OPENWRT_BUILD -+ - ifdef COMPILE_DEBUG - #debug - LTM_CFLAGS += -g3 -@@ -90,6 +93,9 @@ endif - - endif # COMPILE_SIZE - -+ ### ! 
OPENWRT_BUILD -+endif -+ - ifneq ($(findstring clang,$(CC)),) - LTM_CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header - endif + /* Fewer entries needed */ + #define TAB_SIZE 5 -- 2.30.2
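Review bot: The new `#ifndef LTC_SMALL_CODE` guard in libtomcrypt/src/headers/tomcrypt_dropbear.h has no comment saying where an earlier definition would come from; the previous version of this patch added `-DLTC_SMALL_CODE` to LTC_CFLAGS for `-Os` builds, which is the likely source, but the reworked patch no longer carries that path, so either something outside the patch still defines it or the guard is only defensive. A one-line comment above the guard, `/* may already be defined externally (-DLTC_SMALL_CODE); avoid a redefinition */`, would keep the reason visible either way. The configure.ac half drops the `-O3 -funroll-loops -fomit-frame-pointer` default for LTM_CFLAGS, so libtommath now builds with whatever the user-supplied LTM_CFLAGS (and presumably the outer CFLAGS) provide; because the patch file has no header, the intent of both halves and their link to the `IGNORE_SPEED=1` that the package Makefile now passes is recoverable only from the commit message.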