From 994d9934727884c3f86027c607954631125ab002 Mon Sep 17 00:00:00 2001 From: Fredrik Fornwall Date: Mon, 25 Mar 2019 00:02:09 +0100 Subject: [PATCH] dropbear: Update from 2018.76 to 2019.77 --- ...280613f5ab4ee86c14c779739070e5784dfe.patch | 52 +++++++++++++ packages/dropbear/build.sh | 6 +- packages/dropbear/common-session.c.patch | 25 +++++- packages/dropbear/default_options.h.patch | 21 +++-- packages/dropbear/svr-agentfwd.c.patch | 13 ---- packages/dropbear/svr-authpasswd.c.patch | 76 +++++++++---------- 6 files changed, 125 insertions(+), 68 deletions(-) create mode 100644 packages/dropbear/7bc6280613f5ab4ee86c14c779739070e5784dfe.patch diff --git a/packages/dropbear/7bc6280613f5ab4ee86c14c779739070e5784dfe.patch b/packages/dropbear/7bc6280613f5ab4ee86c14c779739070e5784dfe.patch new file mode 100644 index 000000000..5ba1efb02 --- /dev/null +++ b/packages/dropbear/7bc6280613f5ab4ee86c14c779739070e5784dfe.patch @@ -0,0 +1,52 @@ +From 7bc6280613f5ab4ee86c14c779739070e5784dfe Mon Sep 17 00:00:00 2001 +From: Matt Johnston +Date: Sun, 24 Mar 2019 20:41:02 +0800 +Subject: [PATCH] Fix regression where TTY modes weren't reset for client + +--- + cli-chansession.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/cli-chansession.c b/cli-chansession.c +index 8b72e279..cfd3401b 100644 +--- a/cli-chansession.c ++++ b/cli-chansession.c +@@ -35,7 +35,7 @@ + #include "chansession.h" + #include "agentfwd.h" + +-static void cli_cleanupchansess(const struct Channel *channel); ++static void cli_closechansess(const struct Channel *channel); + static int cli_initchansess(struct Channel *channel); + static void cli_chansessreq(struct Channel *channel); + static void send_chansess_pty_req(const struct Channel *channel); +@@ -51,8 +51,8 @@ const struct ChanType clichansess = { + cli_initchansess, /* inithandler */ + NULL, /* checkclosehandler */ + cli_chansessreq, /* reqhandler */ +- NULL, /* closehandler */ +- cli_cleanupchansess, /* cleanup */ ++ cli_closechansess, /* closehandler */ ++ NULL, /* cleanup */ + }; + + static void cli_chansessreq(struct Channel *channel) { +@@ -84,7 +84,7 @@ static void cli_chansessreq(struct Channel *channel) { + + + /* If the main session goes, we close it up */ +-static void cli_cleanupchansess(const struct Channel *UNUSED(channel)) { ++static void cli_closechansess(const struct Channel *UNUSED(channel)) { + cli_tty_cleanup(); /* Restore tty modes etc */ + + /* This channel hasn't gone yet, so we have > 1 */ +@@ -388,8 +388,8 @@ static const struct ChanType cli_chan_netcat = { + cli_init_netcat, /* inithandler */ + NULL, + NULL, ++ cli_closechansess, + NULL, +- cli_cleanupchansess + }; + + void cli_send_netcat_request() { diff --git a/packages/dropbear/build.sh b/packages/dropbear/build.sh index 13ed6e214..300e8b2b9 100644 --- a/packages/dropbear/build.sh +++ b/packages/dropbear/build.sh @@ -1,10 +1,10 @@ TERMUX_PKG_HOMEPAGE=https://matt.ucc.asn.au/dropbear/dropbear.html TERMUX_PKG_DESCRIPTION="Small SSH server and client" TERMUX_PKG_LICENSE="BSD" -TERMUX_PKG_VERSION=2018.76 -TERMUX_PKG_REVISION=6 +TERMUX_PKG_VERSION=2019.77 +TERMUX_PKG_REVISION=1 +TERMUX_PKG_SHA256=d91f78ebe633be1d071fd1b7e5535b9693794048b019e9f4bea257e1992b458d TERMUX_PKG_SRCURL=https://matt.ucc.asn.au/dropbear/releases/dropbear-${TERMUX_PKG_VERSION}.tar.bz2 -TERMUX_PKG_SHA256=f2fb9167eca8cf93456a5fc1d4faf709902a3ab70dd44e352f3acbc3ffdaea65 TERMUX_PKG_DEPENDS="termux-auth" TERMUX_PKG_CONFLICTS="openssh" TERMUX_PKG_BUILD_IN_SRC="yes" diff --git a/packages/dropbear/common-session.c.patch b/packages/dropbear/common-session.c.patch index e318add71..bb40f1350 100644 --- a/packages/dropbear/common-session.c.patch +++ b/packages/dropbear/common-session.c.patch @@ -1,7 +1,24 @@ -diff -uNr dropbear-2018.76/common-session.c dropbear-2018.76.mod/common-session.c ---- dropbear-2018.76/common-session.c 2018-02-27 16:25:10.000000000 +0200 -+++ dropbear-2018.76.mod/common-session.c 2018-04-21 13:49:06.633742995 +0300 -@@ -570,7 +570,7 @@ +diff -u -r ../dropbear-2019.77/common-session.c ./common-session.c +--- ../dropbear-2019.77/common-session.c 2019-03-23 13:46:29.000000000 +0000 ++++ ./common-session.c 2019-03-24 22:46:36.558021934 +0000 +@@ -68,16 +68,6 @@ + /* Sets it to lowdelay */ + update_channel_prio(); + +-#if !DROPBEAR_SVR_MULTIUSER +- /* A sanity check to prevent an accidental configuration option +- leaving multiuser systems exposed */ +- errno = 0; +- getuid(); +- if (errno != ENOSYS) { +- dropbear_exit("Non-multiuser Dropbear requires a non-multiuser kernel"); +- } +-#endif +- + now = monotonic_now(); + ses.connect_time = now; + ses.last_packet_time_keepalive_recv = now; +@@ -600,7 +590,7 @@ const char* get_user_shell() { /* an empty shell should be interpreted as "/bin/sh" */ if (ses.authstate.pw_shell[0] == '\0') { diff --git a/packages/dropbear/default_options.h.patch b/packages/dropbear/default_options.h.patch index 6cbdafe04..f6a42bba6 100644 --- a/packages/dropbear/default_options.h.patch +++ b/packages/dropbear/default_options.h.patch @@ -1,6 +1,6 @@ -diff -uNr dropbear-2018.76/default_options.h dropbear-2018.76.mod/default_options.h ---- dropbear-2018.76/default_options.h 2018-02-27 16:25:10.000000000 +0200 -+++ dropbear-2018.76.mod/default_options.h 2018-10-21 14:11:01.838918022 +0300 +diff -u -r ../dropbear-2019.77/default_options.h ./default_options.h +--- ../dropbear-2019.77/default_options.h 2019-03-23 13:46:29.000000000 +0000 ++++ ./default_options.h 2019-03-24 22:37:39.284638278 +0000 @@ -13,15 +13,15 @@ IMPORTANT: Some options will require "make clean" after changes */ @@ -39,7 +39,16 @@ diff -uNr dropbear-2018.76/default_options.h dropbear-2018.76.mod/default_option /* Authentication Types - at least one required. RFC Draft requires pubkey auth, and recommends password */ -@@ -222,7 +222,7 @@ +@@ -199,7 +199,7 @@ + /* Set this to 0 if your system does not have multiple user support. + (Linux kernel CONFIG_MULTIUSER option) + The resulting binary will not run on a normal system. */ +-#define DROPBEAR_SVR_MULTIUSER 1 ++#define DROPBEAR_SVR_MULTIUSER 0 + + /* Client authentication options */ + #define DROPBEAR_CLI_PASSWORD_AUTH 1 +@@ -227,7 +227,7 @@ /* Set this to use PRNGD or EGD instead of /dev/urandom */ #define DROPBEAR_USE_PRNGD 0 @@ -48,7 +57,7 @@ diff -uNr dropbear-2018.76/default_options.h dropbear-2018.76.mod/default_option /* Specify the number of clients we will allow to be connected but * not yet authenticated. After this limit, connections are rejected */ -@@ -239,22 +239,22 @@ +@@ -244,22 +244,22 @@ /* The default file to store the daemon's process ID, for shutdown scripts etc. This can be overridden with the -P flag */ @@ -75,7 +84,7 @@ diff -uNr dropbear-2018.76/default_options.h dropbear-2018.76.mod/default_option /* Whether to log commands executed by a client. This only logs the * (single) command sent to the server, not what a user did in a -@@ -290,6 +290,6 @@ +@@ -295,6 +295,6 @@ #define DEFAULT_IDLE_TIMEOUT 0 /* The default path. This will often get replaced by the shell */ diff --git a/packages/dropbear/svr-agentfwd.c.patch b/packages/dropbear/svr-agentfwd.c.patch index 59309f723..aabb871cc 100644 --- a/packages/dropbear/svr-agentfwd.c.patch +++ b/packages/dropbear/svr-agentfwd.c.patch @@ -10,16 +10,3 @@ diff -uNr dropbear-2018.76/svr-agentfwd.c dropbear-2018.76.mod/svr-agentfwd.c static int send_msg_channel_open_agent(int fd); static int bindagent(int fd, struct ChanSess * chansess); -@@ -218,10 +218,12 @@ - /* drop to user privs to make the dir/file */ - uid = getuid(); - gid = getgid(); -+ /* - if ((setegid(ses.authstate.pw_gid)) < 0 || - (seteuid(ses.authstate.pw_uid)) < 0) { - dropbear_exit("Failed to set euid"); - } -+ */ - - memset((void*)&addr, 0x0, sizeof(addr)); - addr.sun_family = AF_UNIX; diff --git a/packages/dropbear/svr-authpasswd.c.patch b/packages/dropbear/svr-authpasswd.c.patch index 829d08d85..ed322025e 100644 --- a/packages/dropbear/svr-authpasswd.c.patch +++ b/packages/dropbear/svr-authpasswd.c.patch @@ -1,7 +1,7 @@ -diff -uNr dropbear-2018.76/svr-authpasswd.c dropbear-2018.76.mod/svr-authpasswd.c ---- dropbear-2018.76/svr-authpasswd.c 2018-02-27 16:25:12.000000000 +0200 -+++ dropbear-2018.76.mod/svr-authpasswd.c 2018-10-21 14:05:37.774231619 +0300 -@@ -33,36 +33,13 @@ +diff -u -r ../dropbear-2019.77/svr-authpasswd.c ./svr-authpasswd.c +--- ../dropbear-2019.77/svr-authpasswd.c 2019-03-23 13:46:29.000000000 +0000 ++++ ./svr-authpasswd.c 2019-03-24 22:40:59.586161245 +0000 +@@ -33,28 +33,13 @@ #if DROPBEAR_SVR_PASSWORD_AUTH @@ -21,37 +21,46 @@ diff -uNr dropbear-2018.76/svr-authpasswd.c dropbear-2018.76.mod/svr-authpasswd. /* Process a password auth request, sending success or failure messages as * appropriate */ - void svr_auth_password() { + void svr_auth_password(int valid_user) { - - char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */ - char * testcrypt = NULL; /* crypt generated from the user's password sent */ -- char * password; +- char * password = NULL; - unsigned int passwordlen; -- - unsigned int changepw; -- -- passwdcrypt = ses.authstate.pw_passwd; -- --#ifdef DEBUG_HACKCRYPT -- /* debugging crypt for non-root testing with shadows */ -- passwdcrypt = DEBUG_HACKCRYPT; --#endif -+ char *password; -+ unsigned int changepw, passwordlen; ++ char *password; ++ unsigned int changepw, passwordlen; /* check if client wants to change password */ changepw = buf_getbool(ses.payload); -@@ -72,43 +49,23 @@ - return; +@@ -65,47 +50,9 @@ } -- password = buf_getstring(ses.payload, &passwordlen); -- -- /* the first bytes of passwdcrypt are the salt */ -- testcrypt = crypt(password, passwdcrypt); + password = buf_getstring(ses.payload, &passwordlen); +- if (valid_user && passwordlen <= DROPBEAR_MAX_PASSWORD_LEN) { +- /* the first bytes of passwdcrypt are the salt */ +- passwdcrypt = ses.authstate.pw_passwd; +- testcrypt = crypt(password, passwdcrypt); +- } - m_burn(password, passwordlen); - m_free(password); - +- /* After we have got the payload contents we can exit if the username +- is invalid. Invalid users have already been logged. */ +- if (!valid_user) { +- send_msg_userauth_failure(0, 1); +- return; +- } +- +- if (passwordlen > DROPBEAR_MAX_PASSWORD_LEN) { +- dropbear_log(LOG_WARNING, +- "Too-long password attempt for '%s' from %s", +- ses.authstate.pw_name, +- svr_ses.addrstring); +- send_msg_userauth_failure(0, 1); +- return; +- } +- - if (testcrypt == NULL) { - /* crypt() with an invalid salt like "!!" */ - dropbear_log(LOG_WARNING, "User account '%s' is locked", @@ -67,27 +76,10 @@ diff -uNr dropbear-2018.76/svr-authpasswd.c dropbear-2018.76.mod/svr-authpasswd. - send_msg_userauth_failure(0, 1); - return; - } -+ password = buf_getstring(ses.payload, &passwordlen); - if (constant_time_strcmp(testcrypt, passwdcrypt) == 0) { -+ /* check if password is valid */ -+ if (termux_auth(ses.authstate.pw_name, password)) { ++ /* check if password is valid */ ++ if (termux_auth(ses.authstate.pw_name, password)) { /* successful authentication */ -- dropbear_log(LOG_NOTICE, -+ dropbear_log(LOG_NOTICE, + dropbear_log(LOG_NOTICE, "Password auth succeeded for '%s' from %s", - ses.authstate.pw_name, - svr_ses.addrstring); - send_msg_userauth_success(); -- } else { -+ } else { - dropbear_log(LOG_WARNING, - "Bad password attempt for '%s' from %s", - ses.authstate.pw_name, - svr_ses.addrstring); - send_msg_userauth_failure(0, 1); -- } -+ } - } - - #endif