author | James <> | 2013-03-17 12:16:37 +0000 |
---|---|---|
committer | James <> | 2013-03-17 12:16:37 +0000 |
commit | 27b76ab0671089c47506615a796a261e993896a7 (patch) | |
tree | 61213d67e7fa87b20356b23798558e2c4212c42f /package/network/services/dropbear/patches | |
Diffstat (limited to 'package/network/services/dropbear/patches')
23 files changed, 916 insertions, 0 deletions
diff --git a/package/network/services/dropbear/patches/.svn/entries b/package/network/services/dropbear/patches/.svn/entries new file mode 100644 index 0000000..4ed7e24 --- /dev/null +++ b/package/network/services/dropbear/patches/.svn/entries 
@@ -0,0 +1,334 @@ +10 + +dir +36060 +svn://svn.openwrt.org/openwrt/trunk/package/network/services/dropbear/patches +svn://svn.openwrt.org/openwrt + + + +2012-12-04T16:40:17.503431Z +34496 +florian + + + + + + + + + + + + + + +3c298f89-4303-0410-b956-a3cf2f4a3e73 + +150-dbconvert_standalone.patch +file + + + + +2013-03-17T12:13:19.000000Z +490bc116a67cb88d34a52e7c001d0d5b +2010-03-26T14:28:14.286264Z +20460 +juhosg +has-props + + + + + + + + + + + + + + + + + + + + +428 + +110-change_user.patch +file + + + + +2013-03-17T12:13:19.000000Z +548064938765048619a9b2dc51e528f2 +2012-12-04T16:40:17.503431Z +34496 +florian +has-props + + + + + + + + + + + + + + + + + + + + +650 + +130-ssh_ignore_o_and_x_args.patch +file + + + + +2013-03-17T12:13:19.000000Z +d2d006c283731c07f60a744fec073059 +2011-03-02T14:20:51.200331Z +25830 +kaloz +has-props + + + + + + + + + + + + + + + + + + + + +436 + +140-disable_assert.patch +file + + + + +2013-03-17T12:13:19.000000Z +b3f0c44716e9012c0ee2dcdb77398cb2 +2012-12-04T16:40:17.503431Z +34496 +florian + + + + + + + + + + + + + + + + + + + + + +492 + +100-pubkey_path.patch +file + + + + +2013-03-17T12:13:19.000000Z +2801ed1078c9b1e4cc3125dc59d46b80 +2010-03-26T14:28:14.286264Z +20460 +juhosg +has-props + + + + + + + + + + + + + + + + + + + + +2688 + +120-openwrt_options.patch +file + + + + +2013-03-17T12:13:19.000000Z +509184b0f5878fe1126e47181606aec8 +2012-12-04T16:40:17.503431Z +34496 +florian + + + + + + + + + + + + + + + + + + + + + +2625 + +500-set-default-path.patch +file + + + + +2013-03-17T12:13:19.000000Z +4af5dda35dadf543cc6eac9e13900c83 +2012-07-05T16:44:05.821154Z +32620 +jow + + + + + + + + + + + + + + + + + + + + + +381 + +200-lcrypt_bsdfix.patch +file + + + + +2013-03-17T12:13:19.000000Z +247abfb50081f54104be13a60c8bf83d +2011-11-27T05:30:40.263917Z +29340 +nbd + + + + + + + + + + + + + + + + + + + + + +1001 + +300-ipv6_addr_port_split.patch +file + + + + +2013-03-17T12:13:19.000000Z +adb6edd1738c0e03f247ab1d08feda24 
+2011-07-31T12:05:54.493748Z +27843 +jow + + + + + + + + + + + + + + + + + + + + + +425 + diff --git a/package/network/services/dropbear/patches/.svn/prop-base/100-pubkey_path.patch.svn-base b/package/network/services/dropbear/patches/.svn/prop-base/100-pubkey_path.patch.svn-base new file mode 100644 index 0000000..bdbd305 --- /dev/null +++ b/package/network/services/dropbear/patches/.svn/prop-base/100-pubkey_path.patch.svn-base @@ -0,0 +1,5 @@ +K 13 +svn:eol-style +V 6 +native +END diff --git a/package/network/services/dropbear/patches/.svn/prop-base/110-change_user.patch.svn-base b/package/network/services/dropbear/patches/.svn/prop-base/110-change_user.patch.svn-base new file mode 100644 index 0000000..bdbd305 --- /dev/null +++ b/package/network/services/dropbear/patches/.svn/prop-base/110-change_user.patch.svn-base @@ -0,0 +1,5 @@ +K 13 +svn:eol-style +V 6 +native +END diff --git a/package/network/services/dropbear/patches/.svn/prop-base/130-ssh_ignore_o_and_x_args.patch.svn-base b/package/network/services/dropbear/patches/.svn/prop-base/130-ssh_ignore_o_and_x_args.patch.svn-base new file mode 100644 index 0000000..bdbd305 --- /dev/null +++ b/package/network/services/dropbear/patches/.svn/prop-base/130-ssh_ignore_o_and_x_args.patch.svn-base @@ -0,0 +1,5 @@ +K 13 +svn:eol-style +V 6 +native +END diff --git a/package/network/services/dropbear/patches/.svn/prop-base/150-dbconvert_standalone.patch.svn-base b/package/network/services/dropbear/patches/.svn/prop-base/150-dbconvert_standalone.patch.svn-base new file mode 100644 index 0000000..bdbd305 --- /dev/null +++ b/package/network/services/dropbear/patches/.svn/prop-base/150-dbconvert_standalone.patch.svn-base @@ -0,0 +1,5 @@ +K 13 +svn:eol-style +V 6 +native +END diff --git a/package/network/services/dropbear/patches/.svn/text-base/100-pubkey_path.patch.svn-base b/package/network/services/dropbear/patches/.svn/text-base/100-pubkey_path.patch.svn-base new file mode 100644 index 0000000..c1802f5 --- /dev/null 
+++ b/package/network/services/dropbear/patches/.svn/text-base/100-pubkey_path.patch.svn-base 
@@ -0,0 +1,91 @@ +--- a/svr-authpubkey.c ++++ b/svr-authpubkey.c +@@ -209,17 +209,21 @@ static int checkpubkey(unsigned char* al + goto out; + } + +- /* we don't need to check pw and pw_dir for validity, since +- * its been done in checkpubkeyperms. */ +- len = strlen(ses.authstate.pw_dir); +- /* allocate max required pathname storage, +- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ +- filename = m_malloc(len + 22); +- snprintf(filename, len + 22, "%s/.ssh/authorized_keys", +- ses.authstate.pw_dir); +- +- /* open the file */ +- authfile = fopen(filename, "r"); ++ if (ses.authstate.pw_uid != 0) { ++ /* we don't need to check pw and pw_dir for validity, since ++ * its been done in checkpubkeyperms. */ ++ len = strlen(ses.authstate.pw_dir); ++ /* allocate max required pathname storage, ++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ ++ filename = m_malloc(len + 22); ++ snprintf(filename, len + 22, "%s/.ssh/authorized_keys", ++ ses.authstate.pw_dir); ++ ++ /* open the file */ ++ authfile = fopen(filename, "r"); ++ } else { ++ authfile = fopen("/etc/dropbear/authorized_keys","r"); ++ } + if (authfile == NULL) { + goto out; + } +@@ -372,26 +376,35 @@ static int checkpubkeyperms() { + goto out; + } + +- /* allocate max required pathname storage, +- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ +- filename = m_malloc(len + 22); +- strncpy(filename, ses.authstate.pw_dir, len+1); +- +- /* check ~ */ +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; +- } +- +- /* check ~/.ssh */ +- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; +- } +- +- /* now check ~/.ssh/authorized_keys */ +- strncat(filename, "/authorized_keys", 16); +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; ++ if (ses.authstate.pw_uid == 0) { ++ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ if 
(checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ } else { ++ /* allocate max required pathname storage, ++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ ++ filename = m_malloc(len + 22); ++ strncpy(filename, ses.authstate.pw_dir, len+1); ++ ++ /* check ~ */ ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ ++ /* check ~/.ssh */ ++ strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ ++ /* now check ~/.ssh/authorized_keys */ ++ strncat(filename, "/authorized_keys", 16); ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } + } + + /* file looks ok, return success */ diff --git a/package/network/services/dropbear/patches/.svn/text-base/110-change_user.patch.svn-base b/package/network/services/dropbear/patches/.svn/text-base/110-change_user.patch.svn-base new file mode 100644 index 0000000..a354eda --- /dev/null +++ b/package/network/services/dropbear/patches/.svn/text-base/110-change_user.patch.svn-base @@ -0,0 +1,18 @@ +--- a/svr-chansession.c ++++ b/svr-chansession.c +@@ -891,12 +891,12 @@ static void execchild(void *user_data) { + /* We can only change uid/gid as root ... */ + if (getuid() == 0) { + +- if ((setgid(ses.authstate.pw_gid) < 0) || ++ if ((ses.authstate.pw_gid != 0) && ((setgid(ses.authstate.pw_gid) < 0) || + (initgroups(ses.authstate.pw_name, +- ses.authstate.pw_gid) < 0)) { ++ ses.authstate.pw_gid) < 0))) { + dropbear_exit("Error changing user group"); + } +- if (setuid(ses.authstate.pw_uid) < 0) { ++ if ((ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)) { + dropbear_exit("Error changing user"); + } + } else { diff --git a/package/network/services/dropbear/patches/.svn/text-base/120-openwrt_options.patch.svn-base b/package/network/services/dropbear/patches/.svn/text-base/120-openwrt_options.patch.svn-base new file mode 100644 index 0000000..977f631 
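Review bot: In the new root branch of checkpubkey `filename` is never assigned, so whatever the shared `out:` cleanup does with it (it lies outside the hunk; a NULL-tolerant m_free is presumably fine, any logging of the path is not) needs confirming, and the literal `/etc/dropbear/authorized_keys` now appears twice plus `/etc/dropbear` in checkpubkeyperms — one named constant next to `DEFAULT_PATH` in options.h (e.g. a `ROOT_AUTHORIZED_KEYS` define) keeps the fopen and the permission walk from drifting apart. The root permission walk also checks one level less than the user path (`/etc/dropbear` and the file, where the user path checks `~`, `~/.ssh` and the file); if that is deliberate, a comment saying why the parent directory is trusted would help. The identical hunk is committed again as patches/100-pubkey_path.patch (same blob c1802f5), and the `.svn/entries`, `.svn/prop-base` and `.svn/text-base` files look like Subversion working-copy metadata that should not be in the tree at all.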
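Review bot: The enclosing `if (getuid() == 0)` only proves the real uid is 0, yet the new `pw_gid != 0` guard also skips `setgid(0)`, so a root login inherits whatever gid and supplementary groups the daemon started with instead of gid 0; presumably the guard exists to tolerate `initgroups` failing on a minimal /etc/group, and only that call needs it. `if ((setgid(ses.authstate.pw_gid) < 0) || ((ses.authstate.pw_gid != 0) && (initgroups(ses.authstate.pw_name, ses.authstate.pw_gid) < 0))) {` keeps the gid switch unconditional. The same question applies to the `setuid` guard two lines down, which is harmless only if the effective uid is already 0. execchild continues outside the hunk, and the hunk is repeated as patches/110-change_user.patch (blob a354eda).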
--- /dev/null
+++ b/package/network/services/dropbear/patches/.svn/text-base/120-openwrt_options.patch.svn-base
@@ -0,0 +1,72 @@ +--- a/options.h ++++ b/options.h +@@ -38,7 +38,7 @@ + * Both of these flags can be defined at once, don't compile without at least + * one of them. */ + #define NON_INETD_MODE +-#define INETD_MODE ++/*#define INETD_MODE*/ + + /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is + * perhaps 20% slower for pubkey operations (it is probably worth experimenting +@@ -49,7 +49,7 @@ + several kB in binary size however will make the symmetrical ciphers and hashes + slower, perhaps by 50%. Recommended for small systems that aren't doing + much traffic. */ +-/*#define DROPBEAR_SMALL_CODE*/ ++#define DROPBEAR_SMALL_CODE + + /* Enable X11 Forwarding - server only */ + #define ENABLE_X11FWD +@@ -78,7 +78,7 @@ much traffic. */ + + /* Enable "Netcat mode" option. This will forward standard input/output + * to a remote TCP-forwarded connection */ +-#define ENABLE_CLI_NETCAT ++/*#define ENABLE_CLI_NETCAT*/ + + /* Encryption - at least one required. + * Protocol RFC requires 3DES and recommends AES128 for interoperability. +@@ -89,8 +89,8 @@ much traffic. */ + #define DROPBEAR_AES256 + /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ + /*#define DROPBEAR_BLOWFISH*/ +-#define DROPBEAR_TWOFISH256 +-#define DROPBEAR_TWOFISH128 ++/*#define DROPBEAR_TWOFISH256 ++#define DROPBEAR_TWOFISH128*/ + + /* Enable "Counter Mode" for ciphers. This is more secure than normal + * CBC mode against certain attacks. This adds around 1kB to binary +@@ -110,7 +110,7 @@ much traffic. */ + * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, + * which are not the standard form. */ + #define DROPBEAR_SHA1_HMAC +-#define DROPBEAR_SHA1_96_HMAC ++/*#define DROPBEAR_SHA1_96_HMAC*/ + #define DROPBEAR_MD5_HMAC + + /* Hostkey/public key algorithms - at least one required, these are used +@@ -144,11 +144,11 @@ much traffic. */ + #endif + + /* Whether to do reverse DNS lookups. 
*/ +-#define DO_HOST_LOOKUP ++/*#define DO_HOST_LOOKUP*/ + + /* Whether to print the message of the day (MOTD). This doesn't add much code + * size */ +-#define DO_MOTD ++/*#define DO_MOTD*/ + + /* The MOTD file path */ + #ifndef MOTD_FILENAME +@@ -192,7 +192,7 @@ much traffic. */ + * note that it will be provided for all "hidden" client-interactive + * style prompts - if you want something more sophisticated, use + * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/ +-#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD" ++/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/ + + /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of + * a helper program for the ssh client. The helper program should be diff --git a/package/network/services/dropbear/patches/.svn/text-base/130-ssh_ignore_o_and_x_args.patch.svn-base b/package/network/services/dropbear/patches/.svn/text-base/130-ssh_ignore_o_and_x_args.patch.svn-base new file mode 100644 index 0000000..93647a9 --- /dev/null +++ b/package/network/services/dropbear/patches/.svn/text-base/130-ssh_ignore_o_and_x_args.patch.svn-base @@ -0,0 +1,21 @@ +--- a/cli-runopts.c ++++ b/cli-runopts.c +@@ -287,6 +287,10 @@ void cli_getopts(int argc, char ** argv) + debug_trace = 1; + break; + #endif ++ case 'o': ++ next = &dummy; ++ case 'x': ++ break; + case 'F': + case 'e': + case 'c': +@@ -298,7 +302,6 @@ void cli_getopts(int argc, char ** argv) + #ifndef ENABLE_CLI_LOCALTCPFWD + case 'L': + #endif +- case 'o': + case 'b': + next = &dummy; + default: diff --git a/package/network/services/dropbear/patches/.svn/text-base/140-disable_assert.patch.svn-base b/package/network/services/dropbear/patches/.svn/text-base/140-disable_assert.patch.svn-base new file mode 100644 index 0000000..e00184a --- /dev/null +++ b/package/network/services/dropbear/patches/.svn/text-base/140-disable_assert.patch.svn-base 
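Review bot: Every toggle in this hunk is flipped without a rationale, which makes the mix hard to audit: `DROPBEAR_SHA1_96_HMAC` and the Twofish ciphers go while `DROPBEAR_MD5_HMAC` stays defined, `DO_HOST_LOOKUP` is dropped (log lines will carry addresses only) and `DROPBEAR_PASSWORD_ENV` is removed. A one-line comment above each changed define naming the reason (binary size, unused feature, hardening), e.g. `/* OpenWrt: drop Twofish to save space, AES remains */`, would let the next rebase tell a size trade-off from a security decision. Wrapping `DROPBEAR_TWOFISH256` and `DROPBEAR_TWOFISH128` in one two-line comment is fragile for later patches; commenting each line separately keeps the hunk rebasable. The hunk is repeated as patches/120-openwrt_options.patch (blob 977f631).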
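Review bot: The new `case 'o': next = &dummy;` falls into `case 'x': break;` without a marker; add `/* fallthrough */` between the two so readers and -Wimplicit-fallthrough see it is intended. Removing 'o' from the group below also means `-o` no longer reaches that group's `default:` path, so any diagnostic it produced (not visible in the hunk) is silenced and ssh-style `-o` settings passed by wrapper scripts are accepted and discarded without a trace; a debug-level log line would keep that visible. cli_getopts continues outside the hunk, and the hunk is repeated as patches/130-ssh_ignore_o_and_x_args.patch (blob 93647a9).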
@@ -0,0 +1,14 @@
+--- a/dbutil.h
++++ b/dbutil.h
+@@ -93,6 +93,10 @@ int m_str_to_uint(const char* str, unsig
+ #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
+ 
+ /* Dropbear assertion */
+-#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
++#ifndef DROPBEAR_ASSERT_ENABLED
++#define DROPBEAR_ASSERT_ENABLED 0
++#endif
++
++#define dropbear_assert(X) do { if (DROPBEAR_ASSERT_ENABLED && !(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
+ 
+ #endif /* _DBUTIL_H_ */
diff --git a/package/network/services/dropbear/patches/.svn/text-base/150-dbconvert_standalone.patch.svn-base b/package/network/services/dropbear/patches/.svn/text-base/150-dbconvert_standalone.patch.svn-base
new file mode 100644
index 0000000..3e0b008
--- /dev/null
+++ b/package/network/services/dropbear/patches/.svn/text-base/150-dbconvert_standalone.patch.svn-base
@@ -0,0 +1,14 @@
+--- a/options.h
++++ b/options.h
+@@ -5,6 +5,11 @@
+ #ifndef _OPTIONS_H_
+ #define _OPTIONS_H_
+ 
++#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER)
++#define DROPBEAR_SERVER
++#define DROPBEAR_CLIENT
++#endif
++
+ /******************************************************************
+ * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
+ * parts are to allow for commandline -DDROPBEAR_XXX options etc.
diff --git a/package/network/services/dropbear/patches/.svn/text-base/200-lcrypt_bsdfix.patch.svn-base b/package/network/services/dropbear/patches/.svn/text-base/200-lcrypt_bsdfix.patch.svn-base
new file mode 100644
index 0000000..57eb967
--- /dev/null
+++ b/package/network/services/dropbear/patches/.svn/text-base/200-lcrypt_bsdfix.patch.svn-base
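Review bot: With `DROPBEAR_ASSERT_ENABLED` defaulting to 0 the `&&` short-circuits, so `X` is no longer evaluated at all; any call site whose condition has a side effect (a function call, an increment) silently changes behaviour, and unused-variable warnings will appear where a value is only consumed by an assertion. That contract belongs on the macro, e.g. `/* X is NOT evaluated unless DROPBEAR_ASSERT_ENABLED is set: keep assertion conditions side-effect free */`, and a build with the flag set to 1 should stay in the test matrix so assertions still compile. The hunk is repeated as patches/140-disable_assert.patch (blob e00184a).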
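Review bot: The fallback silently builds both client and server whenever neither macro is passed on the command line, which is a larger binary than a plain build would give and not obvious from the name of the patch; a comment above the `#if`, e.g. `/* standalone builds (dropbearconvert/dropbearkey) define neither; default to both so the shared headers compile */`, would record the intent. The hunk is repeated as patches/150-dbconvert_standalone.patch (blob 3e0b008).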
@@ -0,0 +1,29 @@
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -56,7 +56,7 @@ HEADERS=options.h dbutil.h session.h pac
+ loginrec.h atomicio.h x11fwd.h agentfwd.h tcpfwd.h compat.h \
+ listener.h fake-rfc2553.h
+ 
+-dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) @CRYPTLIB@
++dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS)
+ dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS)
+ dropbearkeyobjs=$(COMMONOBJS) $(KEYOBJS)
+ dropbearconvertobjs=$(COMMONOBJS) $(CONVERTOBJS)
+@@ -77,7 +77,7 @@ STRIP=@STRIP@
+ INSTALL=@INSTALL@
+ CPPFLAGS=@CPPFLAGS@
+ CFLAGS+=-I. -I$(srcdir) $(CPPFLAGS) @CFLAGS@
+-LIBS+=@LIBS@
++LIBS+=@CRYPTLIB@ @LIBS@
+ LDFLAGS=@LDFLAGS@
+ 
+ EXEEXT=@EXEEXT@
+@@ -169,7 +169,7 @@ scp: $(SCPOBJS) $(HEADERS) Makefile
+ # multi-binary compilation.
+ MULTIOBJS=
+ ifeq ($(MULTI),1)
+- MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs))) @CRYPTLIB@
++ MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs)))
+ CFLAGS+=$(addprefix -DDBMULTI_, $(PROGRAMS)) -DDROPBEAR_MULTI
+ endif
+ 
diff --git a/package/network/services/dropbear/patches/.svn/text-base/300-ipv6_addr_port_split.patch.svn-base b/package/network/services/dropbear/patches/.svn/text-base/300-ipv6_addr_port_split.patch.svn-base
new file mode 100644
index 0000000..7da435a
--- /dev/null
+++ b/package/network/services/dropbear/patches/.svn/text-base/300-ipv6_addr_port_split.patch.svn-base
@@ -0,0 +1,11 @@
+--- a/svr-runopts.c
++++ b/svr-runopts.c
+@@ -325,7 +325,7 @@ static void addportandaddress(char* spec
+ myspec = m_strdup(spec);
+ 
+ /* search for ':', that separates address and port */
+- svr_opts.ports[svr_opts.portcount] = strchr(myspec, ':');
++ svr_opts.ports[svr_opts.portcount] = strrchr(myspec, ':');
+ 
+ if (svr_opts.ports[svr_opts.portcount] == NULL) {
+ /* no ':' -> the whole string specifies just a port */
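Review bot: Switching to `strrchr` makes `addr:port` work for an IPv6 literal, but a spec that is only an IPv6 literal with no port is now split at its last colon, producing a truncated address and a bogus port where the old code would at least have split consistently, and the bracketed `[addr]:port` form users may try is not handled either (the brackets stay in the address part). The comment on the line above should state the new rule, e.g. `/* split at the last ':' so the address part may itself contain ':' (IPv6); a spec with an address must always carry a port */`. addportandaddress continues outside the hunk (the `== NULL` branch still treats the whole string as a port), and the hunk is repeated as patches/300-ipv6_addr_port_split.patch (blob 7da435a).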
diff --git a/package/network/services/dropbear/patches/.svn/text-base/500-set-default-path.patch.svn-base b/package/network/services/dropbear/patches/.svn/text-base/500-set-default-path.patch.svn-base
new file mode 100644
index 0000000..0bd3ffc
--- /dev/null
+++ b/package/network/services/dropbear/patches/.svn/text-base/500-set-default-path.patch.svn-base
@@ -0,0 +1,11 @@
+--- a/options.h
++++ b/options.h
+@@ -297,7 +297,7 @@ be overridden at runtime with -I. 0 disa
+ #define DEFAULT_IDLE_TIMEOUT 0
+ 
+ /* The default path. This will often get replaced by the shell */
+-#define DEFAULT_PATH "/usr/bin:/bin"
++#define DEFAULT_PATH "/bin:/sbin:/usr/bin:/usr/sbin"
+ 
+ /* Some other defines (that mostly should be left alone) are defined
+ * in sysoptions.h */
diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch
new file mode 100644
index 0000000..c1802f5
--- /dev/null
+++ b/package/network/services/dropbear/patches/100-pubkey_path.patch
@@ -0,0 +1,91 @@ +--- a/svr-authpubkey.c ++++ b/svr-authpubkey.c +@@ -209,17 +209,21 @@ static int checkpubkey(unsigned char* al + goto out; + } + +- /* we don't need to check pw and pw_dir for validity, since +- * its been done in checkpubkeyperms. */ +- len = strlen(ses.authstate.pw_dir); +- /* allocate max required pathname storage, +- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ +- filename = m_malloc(len + 22); +- snprintf(filename, len + 22, "%s/.ssh/authorized_keys", +- ses.authstate.pw_dir); +- +- /* open the file */ +- authfile = fopen(filename, "r"); ++ if (ses.authstate.pw_uid != 0) { ++ /* we don't need to check pw and pw_dir for validity, since ++ * its been done in checkpubkeyperms. */ ++ len = strlen(ses.authstate.pw_dir); ++ /* allocate max required pathname storage, ++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ ++ filename = m_malloc(len + 22); ++ snprintf(filename, len + 22, "%s/.ssh/authorized_keys", ++ ses.authstate.pw_dir); ++ ++ /* open the file */ ++ authfile = fopen(filename, "r"); ++ } else { ++ authfile = fopen("/etc/dropbear/authorized_keys","r"); ++ } + if (authfile == NULL) { + goto out; + } +@@ -372,26 +376,35 @@ static int checkpubkeyperms() { + goto out; + } + +- /* allocate max required pathname storage, +- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ +- filename = m_malloc(len + 22); +- strncpy(filename, ses.authstate.pw_dir, len+1); +- +- /* check ~ */ +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; +- } +- +- /* check ~/.ssh */ +- strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; +- } +- +- /* now check ~/.ssh/authorized_keys */ +- strncat(filename, "/authorized_keys", 16); +- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { +- goto out; ++ if (ses.authstate.pw_uid == 0) { ++ if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ if 
(checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ } else { ++ /* allocate max required pathname storage, ++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ ++ filename = m_malloc(len + 22); ++ strncpy(filename, ses.authstate.pw_dir, len+1); ++ ++ /* check ~ */ ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ ++ /* check ~/.ssh */ ++ strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */ ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } ++ ++ /* now check ~/.ssh/authorized_keys */ ++ strncat(filename, "/authorized_keys", 16); ++ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { ++ goto out; ++ } + } + + /* file looks ok, return success */ diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch new file mode 100644 index 0000000..a354eda --- /dev/null +++ b/package/network/services/dropbear/patches/110-change_user.patch @@ -0,0 +1,18 @@ +--- a/svr-chansession.c ++++ b/svr-chansession.c +@@ -891,12 +891,12 @@ static void execchild(void *user_data) { + /* We can only change uid/gid as root ... */ + if (getuid() == 0) { + +- if ((setgid(ses.authstate.pw_gid) < 0) || ++ if ((ses.authstate.pw_gid != 0) && ((setgid(ses.authstate.pw_gid) < 0) || + (initgroups(ses.authstate.pw_name, +- ses.authstate.pw_gid) < 0)) { ++ ses.authstate.pw_gid) < 0))) { + dropbear_exit("Error changing user group"); + } +- if (setuid(ses.authstate.pw_uid) < 0) { ++ if ((ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)) { + dropbear_exit("Error changing user"); + } + } else { diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch new file mode 100644 index 0000000..977f631 --- /dev/null +++ b/package/network/services/dropbear/patches/120-openwrt_options.patch 
@@ -0,0 +1,72 @@ +--- a/options.h ++++ b/options.h +@@ -38,7 +38,7 @@ + * Both of these flags can be defined at once, don't compile without at least + * one of them. */ + #define NON_INETD_MODE +-#define INETD_MODE ++/*#define INETD_MODE*/ + + /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is + * perhaps 20% slower for pubkey operations (it is probably worth experimenting +@@ -49,7 +49,7 @@ + several kB in binary size however will make the symmetrical ciphers and hashes + slower, perhaps by 50%. Recommended for small systems that aren't doing + much traffic. */ +-/*#define DROPBEAR_SMALL_CODE*/ ++#define DROPBEAR_SMALL_CODE + + /* Enable X11 Forwarding - server only */ + #define ENABLE_X11FWD +@@ -78,7 +78,7 @@ much traffic. */ + + /* Enable "Netcat mode" option. This will forward standard input/output + * to a remote TCP-forwarded connection */ +-#define ENABLE_CLI_NETCAT ++/*#define ENABLE_CLI_NETCAT*/ + + /* Encryption - at least one required. + * Protocol RFC requires 3DES and recommends AES128 for interoperability. +@@ -89,8 +89,8 @@ much traffic. */ + #define DROPBEAR_AES256 + /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ + /*#define DROPBEAR_BLOWFISH*/ +-#define DROPBEAR_TWOFISH256 +-#define DROPBEAR_TWOFISH128 ++/*#define DROPBEAR_TWOFISH256 ++#define DROPBEAR_TWOFISH128*/ + + /* Enable "Counter Mode" for ciphers. This is more secure than normal + * CBC mode against certain attacks. This adds around 1kB to binary +@@ -110,7 +110,7 @@ much traffic. */ + * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, + * which are not the standard form. */ + #define DROPBEAR_SHA1_HMAC +-#define DROPBEAR_SHA1_96_HMAC ++/*#define DROPBEAR_SHA1_96_HMAC*/ + #define DROPBEAR_MD5_HMAC + + /* Hostkey/public key algorithms - at least one required, these are used +@@ -144,11 +144,11 @@ much traffic. */ + #endif + + /* Whether to do reverse DNS lookups. 
*/ +-#define DO_HOST_LOOKUP ++/*#define DO_HOST_LOOKUP*/ + + /* Whether to print the message of the day (MOTD). This doesn't add much code + * size */ +-#define DO_MOTD ++/*#define DO_MOTD*/ + + /* The MOTD file path */ + #ifndef MOTD_FILENAME +@@ -192,7 +192,7 @@ much traffic. */ + * note that it will be provided for all "hidden" client-interactive + * style prompts - if you want something more sophisticated, use + * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/ +-#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD" ++/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/ + + /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of + * a helper program for the ssh client. The helper program should be diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch new file mode 100644 index 0000000..93647a9 --- /dev/null +++ b/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch @@ -0,0 +1,21 @@ +--- a/cli-runopts.c ++++ b/cli-runopts.c +@@ -287,6 +287,10 @@ void cli_getopts(int argc, char ** argv) + debug_trace = 1; + break; + #endif ++ case 'o': ++ next = &dummy; ++ case 'x': ++ break; + case 'F': + case 'e': + case 'c': +@@ -298,7 +302,6 @@ void cli_getopts(int argc, char ** argv) + #ifndef ENABLE_CLI_LOCALTCPFWD + case 'L': + #endif +- case 'o': + case 'b': + next = &dummy; + default: diff --git a/package/network/services/dropbear/patches/140-disable_assert.patch b/package/network/services/dropbear/patches/140-disable_assert.patch new file mode 100644 index 0000000..e00184a --- /dev/null +++ b/package/network/services/dropbear/patches/140-disable_assert.patch 
@@ -0,0 +1,14 @@
+--- a/dbutil.h
++++ b/dbutil.h
+@@ -93,6 +93,10 @@ int m_str_to_uint(const char* str, unsig
+ #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
+ 
+ /* Dropbear assertion */
+-#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
++#ifndef DROPBEAR_ASSERT_ENABLED
++#define DROPBEAR_ASSERT_ENABLED 0
++#endif
++
++#define dropbear_assert(X) do { if (DROPBEAR_ASSERT_ENABLED && !(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
+ 
+ #endif /* _DBUTIL_H_ */
diff --git a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
new file mode 100644
index 0000000..3e0b008
--- /dev/null
+++ b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
@@ -0,0 +1,14 @@
+--- a/options.h
++++ b/options.h
+@@ -5,6 +5,11 @@
+ #ifndef _OPTIONS_H_
+ #define _OPTIONS_H_
+ 
++#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER)
++#define DROPBEAR_SERVER
++#define DROPBEAR_CLIENT
++#endif
++
+ /******************************************************************
+ * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
+ * parts are to allow for commandline -DDROPBEAR_XXX options etc.
diff --git a/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch b/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch
new file mode 100644
index 0000000..57eb967
--- /dev/null
+++ b/package/network/services/dropbear/patches/200-lcrypt_bsdfix.patch
@@ -0,0 +1,29 @@
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -56,7 +56,7 @@ HEADERS=options.h dbutil.h session.h pac
+ loginrec.h atomicio.h x11fwd.h agentfwd.h tcpfwd.h compat.h \
+ listener.h fake-rfc2553.h
+ 
+-dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) @CRYPTLIB@
++dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS)
+ dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS)
+ dropbearkeyobjs=$(COMMONOBJS) $(KEYOBJS)
+ dropbearconvertobjs=$(COMMONOBJS) $(CONVERTOBJS)
+@@ -77,7 +77,7 @@ STRIP=@STRIP@
+ INSTALL=@INSTALL@
+ CPPFLAGS=@CPPFLAGS@
+ CFLAGS+=-I. -I$(srcdir) $(CPPFLAGS) @CFLAGS@
+-LIBS+=@LIBS@
++LIBS+=@CRYPTLIB@ @LIBS@
+ LDFLAGS=@LDFLAGS@
+ 
+ EXEEXT=@EXEEXT@
+@@ -169,7 +169,7 @@ scp: $(SCPOBJS) $(HEADERS) Makefile
+ # multi-binary compilation.
+ MULTIOBJS=
+ ifeq ($(MULTI),1)
+- MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs))) @CRYPTLIB@
++ MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs)))
+ CFLAGS+=$(addprefix -DDBMULTI_, $(PROGRAMS)) -DDROPBEAR_MULTI
+ endif
+ 
diff --git a/package/network/services/dropbear/patches/300-ipv6_addr_port_split.patch b/package/network/services/dropbear/patches/300-ipv6_addr_port_split.patch
new file mode 100644
index 0000000..7da435a
--- /dev/null
+++ b/package/network/services/dropbear/patches/300-ipv6_addr_port_split.patch
@@ -0,0 +1,11 @@
+--- a/svr-runopts.c
++++ b/svr-runopts.c
+@@ -325,7 +325,7 @@ static void addportandaddress(char* spec
+ myspec = m_strdup(spec);
+ 
+ /* search for ':', that separates address and port */
+- svr_opts.ports[svr_opts.portcount] = strchr(myspec, ':');
++ svr_opts.ports[svr_opts.portcount] = strrchr(myspec, ':');
+ 
+ if (svr_opts.ports[svr_opts.portcount] == NULL) {
+ /* no ':' -> the whole string specifies just a port */
diff --git a/package/network/services/dropbear/patches/500-set-default-path.patch b/package/network/services/dropbear/patches/500-set-default-path.patch
new file mode 100644
index 0000000..0bd3ffc
--- /dev/null
+++ b/package/network/services/dropbear/patches/500-set-default-path.patch
@@ -0,0 +1,11 @@
+--- a/options.h
++++ b/options.h
+@@ -297,7 +297,7 @@ be overridden at runtime with -I. 0 disa
+ #define DEFAULT_IDLE_TIMEOUT 0
+ 
+ /* The default path. This will often get replaced by the shell */
+-#define DEFAULT_PATH "/usr/bin:/bin"
++#define DEFAULT_PATH "/bin:/sbin:/usr/bin:/usr/sbin"
+ 
+ /* Some other defines (that mostly should be left alone) are defined
+ * in sysoptions.h */ |