include $(TOPDIR)/rules.mk
PKG_NAME:=dropbear
-PKG_VERSION:=0.52
-PKG_RELEASE:=4
+PKG_VERSION:=0.53.1
+PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \
http://matt.ucc.asn.au/dropbear/releases/ \
http://www.mirrors.wiretapped.net/security/cryptography/apps/ssh/dropbear/
-PKG_MD5SUM:=1c69ec674481d7745452f68f2ea5597e
+PKG_MD5SUM:=6b8d901859d9b8a18e2f6bfe0a892a03
+
+PKG_BUILD_PARALLEL:=1
include $(INCLUDE_DIR)/package.mk
--disable-loginfunc \
--disable-pututline \
--disable-pututxline \
- --disable-zlib
+ --disable-zlib \
+ --enable-bundled-libtom
+
+TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections
+TARGET_LDFLAGS += -Wl,--gc-sections
define Build/Configure
$(SED) 's,^/\* #define PKG_MULTI.*,#define PKG_MULTI,g' $(PKG_BUILD_DIR)/options.h
endef
define Build/Compile
- $(MAKE) -C $(PKG_BUILD_DIR) \
+ $(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
$(TARGET_CONFIGURE_OPTS) \
LD="$(TARGET_CC)" \
PROGRAMS="dropbear dbclient dropbearkey scp" \
MULTI=1 SCPPROGRESS=1
- $(MAKE) -C $(PKG_BUILD_DIR) \
+ $(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
$(TARGET_CONFIGURE_OPTS) \
LD="$(TARGET_CC)" \
PROGRAMS="dropbearconvert"
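Review bot: `-DARGTYPE=3` in the added `TARGET_CFLAGS` line is undocumented, and as far as I know that value makes the bundled libtomcrypt define `LTC_ARGCHK` to nothing, so the library's argument sanity checks are compiled out of the SSH daemon. That is a size-for-safety trade and should be a recorded decision, for example `# ARGTYPE=3: compiles out libtomcrypt LTC_ARGCHK checks to save space` above the line. Separately, the tarball is still fetched over plain `http://` and pinned only by `PKG_MD5SUM`, so the new digest should be checked out of band against the value upstream publishes.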
config dropbear
option PasswordAuth 'on'
+ option RootPasswordAuth 'on'
option Port '22'
# option BannerFile '/etc/banner'
# increase pid file count to handle multiple instances correctly
PIDCOUNT="$(( ${PIDCOUNT} + 1))"
- # prepare parameters
+ # prepare parameters (initialise with pid file)
+ local args="-P /var/run/${NAME}.${PIDCOUNT}.pid"
+ local val
# A) password authentication
- local nopasswd
- local passauth
- config_get_bool passauth "${section}" PasswordAuth 1
- [ "${passauth}" -eq 0 ] && nopasswd=1
- # B) listen port
- local port
- config_get port "${section}" Port
+ config_get_bool val "${section}" PasswordAuth 1
+ [ "${val}" -eq 0 ] && append args "-s"
+ # B) listen interface and port
+ local interface
+ local address
+ config_get interface "${section}" Interface
+ config_get address "${interface}" ipaddr
+ config_get val "${section}" Port
+ val="${address:+${address}:}${val}"
+ [ -n "${val}" ] && append args "-p ${val}"
# C) banner file
- local bannerfile
- config_get bannerfile "${section}" BannerFile
- [ -f "$bannerfile" ] || bannerfile=''
+ config_get val "${section}" BannerFile
+ [ -f "${val}" ] && append args "-b ${val}"
# D) gatewayports
- local gatewayports
- config_get_bool gatewayports "${section}" GatewayPorts 0
- [ "${gatewayports}" -eq 1 ] || gatewayports=''
+ config_get_bool val "${section}" GatewayPorts 0
+ [ "${val}" -eq 1 ] && append args "-a"
# E) root password authentication
- local norootpasswd
- local rootpassauth
- config_get_bool rootpassauth "${section}" RootPasswordAuth 1
- [ "${rootpassauth}" -eq 0 ] && norootpasswd=1
- # concatenate parameters
- local args
- args="${nopasswd:+-s }${norootpasswd:+-g }${port:+-p ${port} }${bannerfile:+-b $bannerfile }${gatewayports:+-a }-P /var/run/${NAME}.${PIDCOUNT}.pid"
+ config_get_bool val "${section}" RootPasswordAuth 1
+ [ "${val}" -eq 0 ] && append args "-g"
+ # F) root login
+ config_get_bool val "${section}" RootLogin 1
+ [ "${val}" -eq 0 ] && append args "-w"
+ # G) host keys
+ config_get val "${section}" rsakeyfile
+ [ -f "${val}" ] && append args "-r ${val}"
+ config_get val "${section}" dsskeyfile
+ [ -f "${val}" ] && append args "-d ${val}"
# execute program and return its exit code
[ "${verbosed}" -ne 0 ] && echo "${initscript}: section ${section} starting ${PROG} ${args}"
[ -s /etc/dropbear/dropbear_rsa_host_key -a \
-s /etc/dropbear/dropbear_dss_host_key ] || keygen
+ include /lib/network
+ scan_interfaces
config_load "${NAME}"
config_foreach dropbear_start dropbear
}
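Review bot: The listen-address line `val="${address:+${address}:}${val}"` fails open. When `Interface` is set but `config_get address "${interface}" ipaddr` yields nothing, `address` is empty and dropbear is started with the bare port, which means every interface. When that lookup can come back empty is not visible here; an interface without a configured address is the likely case. An administrator who set `Interface` to keep SSH off an untrusted network gets no indication of this, so consider refusing to start that instance, e.g. `[ -n "${interface}" -a -z "${address}" ] && return 1` with a log message, before `-p` is appended. The same line produces `address:` with no port when `Port` is unset. The function this belongs to starts outside the visible lines.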
--- a/svr-chansession.c
+++ b/svr-chansession.c
-@@ -852,12 +852,12 @@ static void execchild(void *user_data) {
+@@ -881,12 +881,12 @@ static void execchild(void *user_data) {
/* We can only change uid/gid as root ... */
if (getuid() == 0) {
(initgroups(ses.authstate.pw_name,
- ses.authstate.pw_gid) < 0)) {
+ ses.authstate.pw_gid) < 0))) {
- dropbear_exit("error changing user group");
+ dropbear_exit("Error changing user group");
}
- if (setuid(ses.authstate.pw_uid) < 0) {
+ if ((ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)) {
- dropbear_exit("error changing user");
+ dropbear_exit("Error changing user");
}
} else {
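Review bot: The new guard `(ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)` and the extra closing parenthesis on the `initgroups` line have no comment explaining why the credential change is skipped. The condition that wraps the group change is not visible in this hunk. If it tests `pw_gid != 0` (an assumption), an unprivileged account whose primary group is 0 would skip `initgroups` too and keep the daemon's supplementary groups. Keying both skips on the uid would avoid that, and a comment such as `/* pw_uid == 0: already running as root, no credentials to drop */` would record the intent. `execchild` continues outside the hunk.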
--- /dev/null
+--- a/options.h
++++ b/options.h
+@@ -38,7 +38,7 @@
+ * Both of these flags can be defined at once, don't compile without at least
+ * one of them. */
+ #define NON_INETD_MODE
+-#define INETD_MODE
++/*#define INETD_MODE*/
+
+ /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
+ * perhaps 20% slower for pubkey operations (it is probably worth experimenting
+@@ -49,7 +49,7 @@
+ several kB in binary size however will make the symmetrical ciphers and hashes
+ slower, perhaps by 50%. Recommended for small systems that aren't doing
+ much traffic. */
+-/*#define DROPBEAR_SMALL_CODE*/
++#define DROPBEAR_SMALL_CODE
+
+ /* Enable X11 Forwarding - server only */
+ #define ENABLE_X11FWD
+@@ -78,7 +78,7 @@ much traffic. */
+
+ /* Enable "Netcat mode" option. This will forward standard input/output
+ * to a remote TCP-forwarded connection */
+-#define ENABLE_CLI_NETCAT
++/*#define ENABLE_CLI_NETCAT*/
+
+ /* Encryption - at least one required.
+ * Protocol RFC requires 3DES and recommends AES128 for interoperability.
+@@ -89,8 +89,8 @@ much traffic. */
+ #define DROPBEAR_AES256
+ /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+ /*#define DROPBEAR_BLOWFISH*/
+-#define DROPBEAR_TWOFISH256
+-#define DROPBEAR_TWOFISH128
++/*#define DROPBEAR_TWOFISH256
++#define DROPBEAR_TWOFISH128*/
+
+ /* Enable "Counter Mode" for ciphers. This is more secure than normal
+ * CBC mode against certain attacks. This adds around 1kB to binary
+@@ -110,7 +110,7 @@ much traffic. */
+ * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
+ * which are not the standard form. */
+ #define DROPBEAR_SHA1_HMAC
+-#define DROPBEAR_SHA1_96_HMAC
++/*#define DROPBEAR_SHA1_96_HMAC*/
+ #define DROPBEAR_MD5_HMAC
+
+ /* Hostkey/public key algorithms - at least one required, these are used
+@@ -148,7 +148,7 @@ much traffic. */
+
+ /* Whether to print the message of the day (MOTD). This doesn't add much code
+ * size */
+-#define DO_MOTD
++/*#define DO_MOTD*/
+
+ /* The MOTD file path */
+ #ifndef MOTD_FILENAME
+@@ -185,7 +185,7 @@ much traffic. */
+ * note that it will be provided for all "hidden" client-interactive
+ * style prompts - if you want something more sophisticated, use
+ * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
+-#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
++/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/
+
+ /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
+ * a helper program for the ssh client. The helper program should be
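Review bot: The Twofish change disables two defines with one block comment opened on `DROPBEAR_TWOFISH256` and closed on `DROPBEAR_TWOFISH128`, unlike every other hunk in this patch, which comments out one define per line. A later refresh that touches only one of those lines can break the comment or re-enable a cipher unnoticed; `/*#define DROPBEAR_TWOFISH256*/` and `/*#define DROPBEAR_TWOFISH128*/` on separate lines would be consistent. The patch also lacks a header saying which removals are for size and which reduce exposure (`DROPBEAR_PASSWORD_ENV`, `ENABLE_CLI_NETCAT`), which would help when it is rebased. `ENABLE_X11FWD` and `DROPBEAR_MD5_HMAC` stay enabled in the visible context, so if trimming the server's attack surface is part of the goal they deserve an explicit decision as well.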
--- a/cli-runopts.c
+++ b/cli-runopts.c
-@@ -271,6 +271,10 @@ void cli_getopts(int argc, char ** argv)
+@@ -287,6 +287,10 @@ void cli_getopts(int argc, char ** argv)
debug_trace = 1;
break;
#endif
case 'F':
case 'e':
case 'c':
-@@ -282,7 +286,6 @@ void cli_getopts(int argc, char ** argv)
+@@ -298,7 +302,6 @@ void cli_getopts(int argc, char ** argv)
#ifndef ENABLE_CLI_LOCALTCPFWD
case 'L':
#endif
--- /dev/null
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -28,7 +28,7 @@ COMMONOBJS=dbutil.o buffer.o \
+ queue.o \
+ atomicio.o compat.o fake-rfc2553.o
+
+-SVROBJS=@CRYPTLIB@ svr-kex.o svr-algo.o svr-auth.o sshpty.o \
++SVROBJS=svr-kex.o svr-algo.o svr-auth.o sshpty.o \
+ svr-authpasswd.o svr-authpubkey.o svr-authpubkeyoptions.o svr-session.o svr-service.o \
+ svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o\
+ svr-tcpfwd.o svr-authpam.o
+@@ -77,7 +77,7 @@ STRIP=@STRIP@
+ INSTALL=@INSTALL@
+ CPPFLAGS=@CPPFLAGS@
+ CFLAGS+=-I. -I$(srcdir) $(CPPFLAGS) @CFLAGS@
+-LIBS+=@LIBS@
++LIBS+=@CRYPTLIB@ @LIBS@
+ LDFLAGS=@LDFLAGS@
+
+ EXEEXT=@EXEEXT@