Created
July 25, 2022 20:57
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile | |
index 8bbb26f829..8456703eef 100644 | |
--- a/package/network/services/dropbear/Makefile | |
+++ b/package/network/services/dropbear/Makefile | |
@@ -8,14 +8,14 @@ | |
include $(TOPDIR)/rules.mk | |
PKG_NAME:=dropbear | |
-PKG_VERSION:=2020.81 | |
+PKG_VERSION:=2022.82 | |
PKG_RELEASE:=2 | |
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 | |
PKG_SOURCE_URL:= \ | |
http://matt.ucc.asn.au/dropbear/releases/ \ | |
https://dropbear.nl/mirror/releases/ | |
-PKG_HASH:=48235d10b37775dbda59341ac0c4b239b82ad6318c31568b985730c788aac53b | |
+PKG_HASH:=3a038d2bbc02bf28bbdd20c012091f741a3ec5cbe460691811d714876aad75d1 | |
PKG_LICENSE:=MIT | |
PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE | |
@@ -133,6 +133,7 @@ DB_OPT_CONFIG = \ | |
DROPBEAR_ED25519|CONFIG_DROPBEAR_ED25519|1|0 \ | |
DROPBEAR_CHACHA20POLY1305|CONFIG_DROPBEAR_CHACHA20POLY1305|1|0 \ | |
DROPBEAR_ECDSA|CONFIG_DROPBEAR_ECC|1|0 \ | |
+ DROPBEAR_SK_ECDSA|CONFIG_DROPBEAR_ECC|1|0 \ | |
DROPBEAR_ECDH|CONFIG_DROPBEAR_ECC|1|0 \ | |
!!DROPBEAR_ECC_384|CONFIG_DROPBEAR_ECC_FULL|1|0 \ | |
!!DROPBEAR_ECC_521|CONFIG_DROPBEAR_ECC_FULL|1|0 \ | |
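Review bot: The new `DROPBEAR_SK_ECDSA|CONFIG_DROPBEAR_ECC|1|0` line keys FIDO/U2F `sk-ecdsa` key acceptance to the generic ECC switch, so every ECC-enabled build now also accepts security-key pubkeys with no way to leave that feature off; a dedicated symbol such as `DROPBEAR_SK_ECDSA|CONFIG_DROPBEAR_SK_KEYS|1|0 \` (defaulting to the ECC value in the package Config.in) would keep that attack surface tunable on their own. As far as I recall, dropbear 2022.82 also introduces a sibling `DROPBEAR_SK_ED25519` option in default_options.h; if that is the case it is left at the upstream default here and should get a matching line, `DROPBEAR_SK_ED25519|CONFIG_DROPBEAR_ED25519|1|0 \`, so the two SK variants follow the same policy. The DB_OPT_CONFIG list continues outside the hunk.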
diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch | |
index af3fbb336b..b5dbc9833f 100644 | |
--- a/package/network/services/dropbear/patches/100-pubkey_path.patch | |
+++ b/package/network/services/dropbear/patches/100-pubkey_path.patch | |
@@ -1,33 +1,33 @@ | |
--- a/svr-authpubkey.c | |
+++ b/svr-authpubkey.c | |
@@ -386,14 +386,19 @@ static int checkpubkey(const char* keyal | |
- goto out; | |
- } | |
- | |
-- /* we don't need to check pw and pw_dir for validity, since | |
-- * its been done in checkpubkeyperms. */ | |
-- len = strlen(ses.authstate.pw_dir); | |
-- /* allocate max required pathname storage, | |
-- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ | |
-- filename = m_malloc(len + 22); | |
-- snprintf(filename, len + 22, "%s/.ssh/authorized_keys", | |
-- ses.authstate.pw_dir); | |
-+ if (ses.authstate.pw_uid != 0) { | |
-+ /* we don't need to check pw and pw_dir for validity, since | |
-+ * its been done in checkpubkeyperms. */ | |
-+ len = strlen(ses.authstate.pw_dir); | |
-+ /* allocate max required pathname storage, | |
-+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ | |
-+ filename = m_malloc(len + 22); | |
-+ snprintf(filename, len + 22, "%s/.ssh/authorized_keys", | |
-+ ses.authstate.pw_dir); | |
-+ } else { | |
-+ filename = m_malloc(30); | |
-+ strncpy(filename, "/etc/dropbear/authorized_keys", 30); | |
-+ } | |
+ if (checkpubkeyperms() == DROPBEAR_FAILURE) { | |
+ TRACE(("bad authorized_keys permissions, or file doesn't exist")) | |
+ } else { | |
+- /* we don't need to check pw and pw_dir for validity, since | |
+- * its been done in checkpubkeyperms. */ | |
+- len = strlen(ses.authstate.pw_dir); | |
+- /* allocate max required pathname storage, | |
+- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ | |
+- filename = m_malloc(len + 22); | |
+- snprintf(filename, len + 22, "%s/.ssh/authorized_keys", | |
+- ses.authstate.pw_dir); | |
++ if (ses.authstate.pw_uid != 0) { | |
++ /* we don't need to check pw and pw_dir for validity, since | |
++ * its been done in checkpubkeyperms. */ | |
++ len = strlen(ses.authstate.pw_dir); | |
++ /* allocate max required pathname storage, | |
++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */ | |
++ filename = m_malloc(len + 22); | |
++ snprintf(filename, len + 22, "%s/.ssh/authorized_keys", | |
++ ses.authstate.pw_dir); | |
++ } else { | |
++ filename = m_malloc(30); | |
++ strncpy(filename, "/etc/dropbear/authorized_keys", 30); | |
++ } | |
- #if DROPBEAR_SVR_MULTIUSER | |
- /* open the file as the authenticating user. */ | |
+ authfile = fopen(filename, "r"); | |
+ if (!authfile) { | |
@@ -474,27 +479,36 @@ static int checkpubkeyperms() { | |
goto out; | |
} | |
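Review bot: The root branch of the refreshed patch, `filename = m_malloc(30); strncpy(filename, "/etc/dropbear/authorized_keys", 30);`, only stays NUL-terminated because the literal happens to be exactly 29 bytes; the size is a magic number unrelated to the string, so any later edit to the path silently produces an unterminated buffer that `fopen()` then reads past. Replacing both lines with `filename = m_strdup("/etc/dropbear/authorized_keys");` (dropbear's own allocator wrapper) removes the constant and the strncpy hazard. Note also that the `checkpubkeyperms()` call in the context above validates the `ses.authstate.pw_dir`-derived location, while uid 0 now opens a different file; the patch's second hunk against `checkpubkeyperms()` (header visible at its `@@ -474,27 +479,36 @@` line, body outside this view) presumably handles that, but it is worth confirming that ownership and mode checks are applied to `/etc/dropbear/authorized_keys` as well. The enclosing `checkpubkey()` starts and ends outside the hunk.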
diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch | |
deleted file mode 100644 | |
index b774a38b1a..0000000000 | |
--- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch | |
+++ /dev/null | |
@@ -1,38 +0,0 @@ | |
-From 667d9b75df86ec9ee1205f9101beb8dbbe4a00ae Mon Sep 17 00:00:00 2001 | |
-From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz> | |
-Date: Wed, 1 Jul 2020 11:38:33 +0200 | |
-Subject: [PATCH] signkey: fix use of rsa-sha2-256 pubkeys | |
-MIME-Version: 1.0 | |
-Content-Type: text/plain; charset=UTF-8 | |
-Content-Transfer-Encoding: 8bit | |
- | |
-Commit 972d723484d8 ("split signkey_type and signature_type for RSA sha1 | |
-vs sha256") has added strict checking of pubkey algorithms which made | |
-keys with SHA-256 hashing algorithm unusable as they still reuse the | |
-`ssh-rsa` public key format. So fix this by disabling the check for | |
-rsa-sha2-256 pubkeys. | |
- | |
-Ref: https://tools.ietf.org/html/rfc8332#section-3 | |
-Fixes: 972d723484d8 ("split signkey_type and signature_type for RSA sha1 vs sha256") | |
-Signed-off-by: Petr Štetiar <ynezz@true.cz> | |
---- | |
- signkey.c | 8 ++++++-- | |
- 1 file changed, 6 insertions(+), 2 deletions(-) | |
- | |
---- a/signkey.c | |
-+++ b/signkey.c | |
-@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *k | |
- sigtype = signature_type_from_name(type_name, type_name_len); | |
- m_free(type_name); | |
- | |
-- if (expect_sigtype != sigtype) { | |
-- dropbear_exit("Non-matching signing type"); | |
-+ if (sigtype == DROPBEAR_SIGNATURE_NONE) { | |
-+ dropbear_exit("No signature type"); | |
-+ } | |
-+ | |
-+ if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) { | |
-+ dropbear_exit("Non-matching signing type"); | |
- } | |
- | |
- keytype = signkey_type_from_signature(sigtype); |