diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 8bbb26f829..8456703eef 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -8,14 +8,14 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=dropbear
-PKG_VERSION:=2020.81
+PKG_VERSION:=2022.82
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:= \
http://matt.ucc.asn.au/dropbear/releases/ \
https://dropbear.nl/mirror/releases/
-PKG_HASH:=48235d10b37775dbda59341ac0c4b239b82ad6318c31568b985730c788aac53b
+PKG_HASH:=3a038d2bbc02bf28bbdd20c012091f741a3ec5cbe460691811d714876aad75d1
PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
@@ -133,6 +133,7 @@ DB_OPT_CONFIG = \
DROPBEAR_ED25519|CONFIG_DROPBEAR_ED25519|1|0 \
DROPBEAR_CHACHA20POLY1305|CONFIG_DROPBEAR_CHACHA20POLY1305|1|0 \
DROPBEAR_ECDSA|CONFIG_DROPBEAR_ECC|1|0 \
+ DROPBEAR_SK_ECDSA|CONFIG_DROPBEAR_ECC|1|0 \
DROPBEAR_ECDH|CONFIG_DROPBEAR_ECC|1|0 \
!!DROPBEAR_ECC_384|CONFIG_DROPBEAR_ECC_FULL|1|0 \
!!DROPBEAR_ECC_521|CONFIG_DROPBEAR_ECC_FULL|1|0 \
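Review bot: The added `DROPBEAR_SK_ECDSA|CONFIG_DROPBEAR_ECC|1|0` line pins the ECDSA security-key variant to the ECC config symbol, but the Ed25519 security-key variant that the same 2022.82 release appears to add is not given an entry, so it presumably keeps whatever default upstream ships rather than following CONFIG_DROPBEAR_ED25519 the way the plain DROPBEAR_ED25519 line above does. For consistency with the rest of this table I would add `DROPBEAR_SK_ED25519|CONFIG_DROPBEAR_ED25519|1|0 \` next to the new line, after confirming the option name against the release's default_options.h. The DB_OPT_CONFIG definition starts before and continues past this hunk.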
diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch
index af3fbb336b..b5dbc9833f 100644
--- a/package/network/services/dropbear/patches/100-pubkey_path.patch
+++ b/package/network/services/dropbear/patches/100-pubkey_path.patch
@@ -1,33 +1,33 @@
--- a/svr-authpubkey.c
+++ b/svr-authpubkey.c
@@ -386,14 +386,19 @@ static int checkpubkey(const char* keyal
- goto out;
- }
-
-- /* we don't need to check pw and pw_dir for validity, since
-- * its been done in checkpubkeyperms. */
-- len = strlen(ses.authstate.pw_dir);
-- /* allocate max required pathname storage,
-- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-- filename = m_malloc(len + 22);
-- snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
-- ses.authstate.pw_dir);
-+ if (ses.authstate.pw_uid != 0) {
-+ /* we don't need to check pw and pw_dir for validity, since
-+ * its been done in checkpubkeyperms. */
-+ len = strlen(ses.authstate.pw_dir);
-+ /* allocate max required pathname storage,
-+ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-+ filename = m_malloc(len + 22);
-+ snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
-+ ses.authstate.pw_dir);
-+ } else {
-+ filename = m_malloc(30);
-+ strncpy(filename, "/etc/dropbear/authorized_keys", 30);
-+ }
+ if (checkpubkeyperms() == DROPBEAR_FAILURE) {
+ TRACE(("bad authorized_keys permissions, or file doesn't exist"))
+ } else {
+- /* we don't need to check pw and pw_dir for validity, since
+- * its been done in checkpubkeyperms. */
+- len = strlen(ses.authstate.pw_dir);
+- /* allocate max required pathname storage,
+- * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+- filename = m_malloc(len + 22);
+- snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
+- ses.authstate.pw_dir);
++ if (ses.authstate.pw_uid != 0) {
++ /* we don't need to check pw and pw_dir for validity, since
++ * its been done in checkpubkeyperms. */
++ len = strlen(ses.authstate.pw_dir);
++ /* allocate max required pathname storage,
++ * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
++ filename = m_malloc(len + 22);
++ snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
++ ses.authstate.pw_dir);
++ } else {
++ filename = m_malloc(30);
++ strncpy(filename, "/etc/dropbear/authorized_keys", 30);
++ }
- #if DROPBEAR_SVR_MULTIUSER
- /* open the file as the authenticating user. */
+ authfile = fopen(filename, "r");
+ if (!authfile) {
@@ -474,27 +479,36 @@ static int checkpubkeyperms() {
goto out;
}
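Review bot: In the root branch of the rebased patch body (`++ filename = m_malloc(30);` followed by `++ strncpy(filename, "/etc/dropbear/authorized_keys", 30);`) the buffer size equals the literal's length plus its terminator exactly, so the copy is NUL-terminated today only by coincidence; anyone who later lengthens the path gets a silently unterminated string that the following fopen() reads past. Replacing both lines with `filename = m_strdup("/etc/dropbear/authorized_keys");` drops the magic number and the strncpy hazard without changing behaviour, and mirrors how the non-root branch already sizes its allocation from the real length. The same lines appear on the old side, so this is a pre-existing issue the rebase carries forward rather than something this commit introduced. The inner `@@ -474,27 +479,36 @@ static int checkpubkeyperms()` hunk is shown only by its header and two context lines, so the permission-check changes that go with the /etc/dropbear path cannot be reviewed from this page.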
diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
deleted file mode 100644
index b774a38b1a..0000000000
--- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 667d9b75df86ec9ee1205f9101beb8dbbe4a00ae Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
-Date: Wed, 1 Jul 2020 11:38:33 +0200
-Subject: [PATCH] signkey: fix use of rsa-sha2-256 pubkeys
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Commit 972d723484d8 ("split signkey_type and signature_type for RSA sha1
-vs sha256") has added strict checking of pubkey algorithms which made
-keys with SHA-256 hashing algorithm unusable as they still reuse the
-`ssh-rsa` public key format. So fix this by disabling the check for
-rsa-sha2-256 pubkeys.
-
-Ref: https://tools.ietf.org/html/rfc8332#section-3
-Fixes: 972d723484d8 ("split signkey_type and signature_type for RSA sha1 vs sha256")
-Signed-off-by: Petr Štetiar <ynezz@true.cz>
----
- signkey.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
---- a/signkey.c
-+++ b/signkey.c
-@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *k
- sigtype = signature_type_from_name(type_name, type_name_len);
- m_free(type_name);
-
-- if (expect_sigtype != sigtype) {
-- dropbear_exit("Non-matching signing type");
-+ if (sigtype == DROPBEAR_SIGNATURE_NONE) {
-+ dropbear_exit("No signature type");
-+ }
-+
-+ if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
-+ dropbear_exit("Non-matching signing type");
- }
-
- keytype = signkey_type_from_signature(sigtype);