diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index e13b6c2145b..a3bb3117127 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dropbear -PKG_VERSION:=2024.86 +PKG_VERSION:=2025.88 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:= \ https://matt.ucc.asn.au/dropbear/releases/ \ https://dropbear.nl/mirror/releases/ -PKG_HASH:=e78936dffc395f2e0db099321d6be659190966b99712b55c530dd0a1822e0a5e +PKG_HASH:=783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE diff --git a/package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch b/package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch new file mode 100644 index 00000000000..bde2dda066b --- /dev/null +++ b/package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch @@ -0,0 +1,69 @@ +Author: Konstantin Demin +Subject: Fix proxycmd without netcat + +Fixes commit e5a0ef27c227 "Execute multihop commands directly, no shell" + +Forwarded: https://github.com/mkj/dropbear/pull/363 + + src/cli-main.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/cli-main.c b/src/cli-main.c +index 2fafa88900..0a052a3512 100644 +--- a/src/cli-main.c ++++ b/src/cli-main.c +@@ -77,7 +77,11 @@ int main(int argc, char ** argv) { + } + + #if DROPBEAR_CLI_PROXYCMD +- if (cli_opts.proxycmd || cli_opts.proxyexec) { ++ if (cli_opts.proxycmd ++#if DROPBEAR_CLI_MULTIHOP ++ || cli_opts.proxyexec ++#endif ++ ) { + cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid); + if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR || + signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR || +@@ -110,11 +114,13 @@ static void shell_proxy_cmd(const void *user_data_cmd) { + dropbear_exit("Failed to run '%s'\n", cmd); + } + ++#if DROPBEAR_CLI_MULTIHOP + static void exec_proxy_cmd(const void *unused) { + (void)unused; + run_command(cli_opts.proxyexec[0], cli_opts.proxyexec, ses.maxfd); + dropbear_exit("Failed to run '%s'\n", cli_opts.proxyexec[0]); + } ++#endif + + static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) { + char * cmd_arg = NULL; +@@ -145,9 +151,11 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) { + cmd_arg = m_malloc(shell_cmdlen); + snprintf(cmd_arg, shell_cmdlen, "exec %s", cli_opts.proxycmd); + exec_fn = shell_proxy_cmd; ++#if DROPBEAR_CLI_MULTIHOP + } else { + /* No shell */ + exec_fn = exec_proxy_cmd; ++#endif + } + + ret = spawn_command(exec_fn, cmd_arg, sock_out, sock_in, NULL, pid_out); +@@ -159,6 +167,7 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) { + cleanup: + m_free(cli_opts.proxycmd); + m_free(cmd_arg); ++#if DROPBEAR_CLI_MULTIHOP + if (cli_opts.proxyexec) { + char **a = NULL; + for (a = cli_opts.proxyexec; *a; a++) { +@@ -166,6 +175,7 @@ cleanup: + } + m_free(cli_opts.proxyexec); + } ++#endif + } + + static void kill_proxy_sighandler(int UNUSED(signo)) { diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch index 0ecca900b44..307762fec01 100644 --- a/package/network/services/dropbear/patches/100-pubkey_path.patch +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch @@ -1,106 +1,51 @@ --- a/src/svr-authpubkey.c +++ b/src/svr-authpubkey.c -@@ -78,6 +78,13 @@ static void send_msg_userauth_pk_ok(cons - const unsigned char* keyblob, unsigned int keybloblen); - static int checkfileperm(char * filename); - -+static const char * const global_authkeys_dir = "/etc/dropbear"; -+static const int n_global_authkeys_dir = 14; /* + 1 extra byte */ -+static const char * const user_authkeys_dir = ".ssh"; -+static const int n_user_authkeys_dir = 5; /* + 1 extra byte */ -+static const char * const authkeys_file = "authorized_keys"; -+static const int n_authkeys_file = 16; /* + 1 extra byte */ +@@ -435,20 +435,45 @@ out: + /* Returns the full path to the user's authorized_keys file in an + * allocated string which caller must free. */ + static char *authorized_keys_filepath() { ++ static const char * const global_authkeys_dir = "/etc/dropbear"; ++ /* strlen(global_authkeys_dir) */ ++ #define n_global_authkeys_dir 13 ++ static const char * const authkeys_file = "authorized_keys"; ++ /* strlen(authkeys_file) */ ++ #define n_authkeys_file 15 + - /* process a pubkey auth request, sending success or failure message as - * appropriate */ - void svr_auth_pubkey(int valid_user) { -@@ -462,14 +469,21 @@ static int checkpubkey(const char* keyal - if (checkpubkeyperms() == DROPBEAR_FAILURE) { - TRACE(("bad authorized_keys permissions, or file doesn't exist")) - } else { -- /* we don't need to check pw and pw_dir for validity, since -- * its been done in checkpubkeyperms. */ -- len = strlen(ses.authstate.pw_dir); -- /* allocate max required pathname storage, -- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ -- filename = m_malloc(len + 22); -- snprintf(filename, len + 22, "%s/.ssh/authorized_keys", -- ses.authstate.pw_dir); -+ if (ses.authstate.pw_uid == 0) { -+ len = n_global_authkeys_dir + n_authkeys_file; -+ filename = m_malloc(len); -+ snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file); -+ } else { -+ /* we don't need to check pw and pw_dir for validity, since -+ * its been done in checkpubkeyperms. */ -+ len = strlen(ses.authstate.pw_dir); -+ /* allocate max required pathname storage, -+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ -+ len += n_user_authkeys_dir + n_authkeys_file + 1; -+ filename = m_malloc(len); -+ snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir, -+ user_authkeys_dir, authkeys_file); -+ } - - authfile = fopen(filename, "r"); - if (!authfile) { -@@ -543,27 +557,41 @@ static int checkpubkeyperms() { - goto out; - } - -- /* allocate max required pathname storage, -- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ -- len += 22; -- filename = m_malloc(len); -- strlcpy(filename, ses.authstate.pw_dir, len); -+ if (ses.authstate.pw_uid == 0) { -+ if (checkfileperm(global_authkeys_dir) != DROPBEAR_SUCCESS) { -+ goto out; -+ } - -- /* check ~ */ -- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -- goto out; -- } -+ len = n_global_authkeys_dir + n_authkeys_file; -+ filename = m_malloc(len); - -- /* check ~/.ssh */ -- strlcat(filename, "/.ssh", len); -- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -- goto out; -- } -+ snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file); -+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -+ goto out; -+ } -+ } else { -+ /* check ~ */ -+ if (checkfileperm(ses.authstate.pw_dir) != DROPBEAR_SUCCESS) { -+ goto out; -+ } - -- /* now check ~/.ssh/authorized_keys */ -- strlcat(filename, "/authorized_keys", len); -- if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -- goto out; -+ /* allocate max required pathname storage, -+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ -+ len += n_user_authkeys_dir + n_authkeys_file + 1; -+ filename = m_malloc(len); + size_t len = 0; + char *pathname = NULL, *dir = NULL; +- const char *filename = "authorized_keys"; + -+ /* check ~/.ssh */ -+ snprintf(filename, len, "%s/%s", ses.authstate.pw_dir, user_authkeys_dir); -+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -+ goto out; -+ } ++ /* OpenWrt-specific: ++ use OpenWrt' global authorized keys directory if: ++ 1. logging as uid 0 (typically root) ++ 2. "svr_opts.authorized_keys_dir" is set to default i.e. no "-D" option was specified ++ */ ++ while (1) { ++ if (ses.authstate.pw_uid != 0) break; ++ if (svr_opts.authorized_keys_dir[0] == '/') break; + -+ /* now check ~/.ssh/authorized_keys */ -+ snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir, -+ user_authkeys_dir, authkeys_file); -+ if (checkfileperm(filename) != DROPBEAR_SUCCESS) { -+ goto out; -+ } - } ++ len = n_global_authkeys_dir + n_authkeys_file + 2; ++ pathname = m_malloc(len); ++ snprintf(pathname, len, "%s/%s", global_authkeys_dir, authkeys_file); ++ return pathname; ++ } - /* file looks ok, return success */ + dir = expand_homedir_path_home(svr_opts.authorized_keys_dir, + ses.authstate.pw_dir); + + /* allocate max required pathname storage, + * = dir + "/" + "authorized_keys" + '\0' */; +- len = strlen(dir) + strlen(filename) + 2; ++ len = strlen(dir) + n_authkeys_file + 2; + pathname = m_malloc(len); +- snprintf(pathname, len, "%s/%s", dir, filename); ++ snprintf(pathname, len, "%s/%s", dir, authkeys_file); + m_free(dir); + return pathname; ++ ++ /* not needed anymore */ ++ #undef n_global_authkeys_dir ++ #undef n_authkeys_file + } + + /* Checks whether a specified publickey (and associated algorithm) is an diff --git a/package/network/services/dropbear/patches/140-disable_assert.patch b/package/network/services/dropbear/patches/140-disable_assert.patch index eb590a38954..6c3811be5cb 100644 --- a/package/network/services/dropbear/patches/140-disable_assert.patch +++ b/package/network/services/dropbear/patches/140-disable_assert.patch @@ -1,6 +1,6 @@ --- a/src/dbutil.h +++ b/src/dbutil.h -@@ -80,7 +80,11 @@ int m_snprintf(char *str, size_t size, c +@@ -81,7 +81,11 @@ int m_snprintf(char *str, size_t size, c #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL} /* Dropbear assertion */ diff --git a/package/network/services/dropbear/patches/160-lto-jobserver.patch b/package/network/services/dropbear/patches/160-lto-jobserver.patch index 1f3b298f352..676e9883b46 100644 --- a/package/network/services/dropbear/patches/160-lto-jobserver.patch +++ b/package/network/services/dropbear/patches/160-lto-jobserver.patch @@ -1,6 +1,6 @@ --- a/Makefile.in +++ b/Makefile.in -@@ -220,17 +220,17 @@ dropbearkey: $(dropbearkeyobjs) +@@ -222,17 +222,17 @@ dropbearkey: $(dropbearkeyobjs) dropbearconvert: $(dropbearconvertobjs) dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile @@ -22,7 +22,7 @@ # multi-binary compilation. -@@ -241,7 +241,7 @@ ifeq ($(MULTI),1) +@@ -243,7 +243,7 @@ ifeq ($(MULTI),1) endif dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch index 43dd1426b10..c317ed7d4cc 100644 --- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch +++ b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch @@ -21,7 +21,7 @@ Signed-off-by: Petr Štetiar --- a/src/signkey.c +++ b/src/signkey.c -@@ -652,10 +652,18 @@ int buf_verify(buffer * buf, sign_key *k +@@ -656,10 +656,18 @@ int buf_verify(buffer * buf, sign_key *k sigtype = signature_type_from_name(type_name, type_name_len); m_free(type_name);