
[LEDE-DEV] dropbear: bump to 2018.76

Message ID 1524844735-3508-1-git-send-email-koen.vandeputte@ncentric.com
State Superseded
Delegated to: John Crispin
Series [LEDE-DEV] dropbear: bump to 2018.76 | expand

Commit Message

Koen Vandeputte April 27, 2018, 3:58 p.m. UTC
Config moved from options.h to localoptions.h.
Refreshed all patches.

deleted upstreamed patches:
- 010-runtime-maxauthtries.patch
- 610-skip-default-keys-in-custom-runs.patch

introduced new patch:
- 610-disable-ec-by-default.patch

This patch adds the EC definitions which are altered by the Makefile when
(de)selecting EC options.

Tested on both LE (arm) and BE (mips) architectures.
Tested with all dropbear menuoptions on/off

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
---
 package/network/services/dropbear/Makefile         |  28 ++---
 .../patches/010-runtime-maxauthtries.patch         | 130 ---------------------
 .../dropbear/patches/100-pubkey_path.patch         |  28 +++--
 .../dropbear/patches/110-change_user.patch         |   2 +-
 .../dropbear/patches/120-openwrt_options.patch     |  94 ++-------------
 .../dropbear/patches/130-ssh_ignore_x_args.patch   |   4 +-
 .../patches/150-dbconvert_standalone.patch         |  21 ++--
 .../patches/600-allow-blank-root-password.patch    |   2 +-
 .../patches/610-disable-ec-by-default.patch        |  10 ++
 .../610-skip-default-keys-in-custom-runs.patch     |  18 ---
 10 files changed, 62 insertions(+), 275 deletions(-)
 delete mode 100644 package/network/services/dropbear/patches/010-runtime-maxauthtries.patch
 create mode 100644 package/network/services/dropbear/patches/610-disable-ec-by-default.patch
 delete mode 100644 package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch

Comments

Hauke Mehrtens April 28, 2018, 1:47 p.m. UTC | #1
On 04/27/2018 05:58 PM, Koen Vandeputte wrote:
> Config moved from option.h to localoptions.h
> refreshed all patches
> 
> deleted upstreamed patches:
> - 010-runtime-maxauthtries.patch
> - 610-skip-default-keys-in-custom-runs.patch
> 
> introduced new patch:
> - 610-disable-ec-by-default.patch
> 
> This patch adds the EC definitions which are altered by the Makefile when
> (de)selecting EC options.
> 
> Tested on both LE (arm) and BE (mips) architectures.
> Tested with all dropbear menuoptions on/off

Please post the size of the binary and the ipkg with and without this patch.

I think it compiles the math library by default with O2 or O3 and not
with Os; can you check this too, please?

Hauke
> 
> Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
> ---
>  package/network/services/dropbear/Makefile         |  28 ++---
>  .../patches/010-runtime-maxauthtries.patch         | 130 ---------------------
>  .../dropbear/patches/100-pubkey_path.patch         |  28 +++--
>  .../dropbear/patches/110-change_user.patch         |   2 +-
>  .../dropbear/patches/120-openwrt_options.patch     |  94 ++-------------
>  .../dropbear/patches/130-ssh_ignore_x_args.patch   |   4 +-
>  .../patches/150-dbconvert_standalone.patch         |  21 ++--
>  .../patches/600-allow-blank-root-password.patch    |   2 +-
>  .../patches/610-disable-ec-by-default.patch        |  10 ++
>  .../610-skip-default-keys-in-custom-runs.patch     |  18 ---
>  10 files changed, 62 insertions(+), 275 deletions(-)
>  delete mode 100644 package/network/services/dropbear/patches/010-runtime-maxauthtries.patch
>  create mode 100644 package/network/services/dropbear/patches/610-disable-ec-by-default.patch
>  delete mode 100644 package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
> 
> diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
> index 21ac09f72452..e89043531f78 100644
> --- a/package/network/services/dropbear/Makefile
> +++ b/package/network/services/dropbear/Makefile
> @@ -8,14 +8,14 @@
>  include $(TOPDIR)/rules.mk
>  
>  PKG_NAME:=dropbear
> -PKG_VERSION:=2017.75
> -PKG_RELEASE:=5
> +PKG_VERSION:=2018.76
> +PKG_RELEASE:=1
>  
>  PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
>  PKG_SOURCE_URL:= \
>  	http://matt.ucc.asn.au/dropbear/releases/ \
>  	https://dropbear.nl/mirror/releases/
> -PKG_HASH:=6cbc1dcb1c9709d226dff669e5604172a18cf5dbf9a201474d5618ae4465098c
> +PKG_HASH:=f2fb9167eca8cf93456a5fc1d4faf709902a3ab70dd44e352f3acbc3ffdaea65
>  
>  PKG_LICENSE:=MIT
>  PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
> @@ -57,7 +57,7 @@ endef
>  
>  define Package/dropbear/conffiles
>  /etc/dropbear/dropbear_rsa_host_key
> -/etc/config/dropbear 
> +/etc/config/dropbear
>  endef
>  
>  define Package/dropbearconvert
> @@ -89,24 +89,24 @@ define Build/Configure
>  	$(Build/Configure/Default)
>  
>  	$(SED) 's,^#define DEFAULT_PATH .*$$$$,#define DEFAULT_PATH "$(TARGET_INIT_PATH)",g' \
> -		$(PKG_BUILD_DIR)/options.h
> +		$(PKG_BUILD_DIR)/default_options.h
>  
>  	awk 'BEGIN { rc = 1 } \
> -	     /'DROPBEAR_CURVE25519'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_CURVE25519),,// )#define 'DROPBEAR_CURVE25519'"; rc = 0 } \
> +	     /'DROPBEAR_CURVE25519'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_CURVE25519),#define 'DROPBEAR_CURVE25519' 1,#define 'DROPBEAR_CURVE25519' 0)"; rc = 0 } \
>  	     { print } \
> -	     END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \
> -	     >$(PKG_BUILD_DIR)/options.h.new && \
> -	mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h
> +	     END { exit(rc) }' $(PKG_BUILD_DIR)/localoptions.h \
> +	     >$(PKG_BUILD_DIR)/localoptions.h.new && \
> +	mv $(PKG_BUILD_DIR)/localoptions.h.new $(PKG_BUILD_DIR)/localoptions.h
>  
> -	# Enforce that all replacements are made, otherwise options.h has changed
> +	# Enforce that all replacements are made, otherwise localoptions.h has changed
>  	# format and this logic is broken.
>  	for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \
>  	  awk 'BEGIN { rc = 1 } \
> -	       /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// )#define '$$$$OPTION'"; rc = 0 } \
> +	       /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),#define '$$$$OPTION' 1,#define '$$$$OPTION' 0)"; rc = 0 } \
>  	       { print } \
> -	       END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \
> -	       >$(PKG_BUILD_DIR)/options.h.new && \
> -	  mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h || exit 1; \
> +	       END { exit(rc) }' $(PKG_BUILD_DIR)/localoptions.h \
> +	       >$(PKG_BUILD_DIR)/localoptions.h.new && \
> +	  mv $(PKG_BUILD_DIR)/localoptions.h.new $(PKG_BUILD_DIR)/localoptions.h || exit 1; \
>  	done
>  
>  	# remove protocol idented software version number
> diff --git a/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch b/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch
> deleted file mode 100644
> index 26db3181f2d8..000000000000
> --- a/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch
> +++ /dev/null
> @@ -1,130 +0,0 @@
> -From 46b22e57d91e33a591d0fba97da52672af4d6ed2 Mon Sep 17 00:00:00 2001
> -From: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
> -Date: Mon, 29 May 2017 10:25:09 +0100
> -Subject: [PATCH] dropbear server: support -T max auth tries
> -
> -Add support for '-T n' for a run-time specification for maximum number
> -of authentication attempts where 'n' is between 1 and compile time
> -option MAX_AUTH_TRIES.
> -
> -A default number of tries can be specified at compile time using
> -'DEFAULT_AUTH_TRIES' which itself defaults to MAX_AUTH_TRIES for
> -backwards compatibility.
> -
> -Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
> ----
> - options.h     |  7 +++++++
> - runopts.h     |  1 +
> - svr-auth.c    |  2 +-
> - svr-runopts.c | 17 +++++++++++++++++
> - 4 files changed, 26 insertions(+), 1 deletion(-)
> -
> -diff --git a/options.h b/options.h
> -index 0c51bb1..4d22704 100644
> ---- a/options.h
> -+++ b/options.h
> -@@ -284,6 +284,13 @@ Homedir is prepended unless path begins with / */
> - #define MAX_AUTH_TRIES 10
> - #endif
> - 
> -+/* Default maximum number of failed authentication tries.
> -+ * defaults to MAX_AUTH_TRIES */
> -+
> -+#ifndef DEFAULT_AUTH_TRIES
> -+#define DEFAULT_AUTH_TRIES MAX_AUTH_TRIES
> -+#endif
> -+
> - /* The default file to store the daemon's process ID, for shutdown
> -    scripts etc. This can be overridden with the -P flag */
> - #ifndef DROPBEAR_PIDFILE
> -diff --git a/runopts.h b/runopts.h
> -index f7c869d..2f7da63 100644
> ---- a/runopts.h
> -+++ b/runopts.h
> -@@ -96,6 +96,7 @@ typedef struct svr_runopts {
> - 	int noauthpass;
> - 	int norootpass;
> - 	int allowblankpass;
> -+	unsigned int maxauthtries;
> - 
> - #ifdef ENABLE_SVR_REMOTETCPFWD
> - 	int noremotetcp;
> -diff --git a/svr-auth.c b/svr-auth.c
> -index 577ea88..6a7ce0b 100644
> ---- a/svr-auth.c
> -+++ b/svr-auth.c
> -@@ -362,7 +362,7 @@ void send_msg_userauth_failure(int partial, int incrfail) {
> - 		ses.authstate.failcount++;
> - 	}
> - 
> --	if (ses.authstate.failcount >= MAX_AUTH_TRIES) {
> -+	if (ses.authstate.failcount >= svr_opts.maxauthtries) {
> - 		char * userstr;
> - 		/* XXX - send disconnect ? */
> - 		TRACE(("Max auth tries reached, exiting"))
> -diff --git a/svr-runopts.c b/svr-runopts.c
> -index 8f60059..1e7440f 100644
> ---- a/svr-runopts.c
> -+++ b/svr-runopts.c
> -@@ -73,6 +73,7 @@ static void printhelp(const char * progname) {
> - 					"-g		Disable password logins for root\n"
> - 					"-B		Allow blank password logins\n"
> - #endif
> -+					"-T <1 to %d> 	Maximum authentication tries (default %d)\n"
> - #ifdef ENABLE_SVR_LOCALTCPFWD
> - 					"-j		Disable local port forwarding\n"
> - #endif
> -@@ -106,6 +107,7 @@ static void printhelp(const char * progname) {
> - #ifdef DROPBEAR_ECDSA
> - 					ECDSA_PRIV_FILENAME,
> - #endif
> -+					MAX_AUTH_TRIES, DEFAULT_AUTH_TRIES,
> - 					DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE,
> - 					DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT);
> - }
> -@@ -118,6 +120,7 @@ void svr_getopts(int argc, char ** argv) {
> - 	char* recv_window_arg = NULL;
> - 	char* keepalive_arg = NULL;
> - 	char* idle_timeout_arg = NULL;
> -+	char* maxauthtries_arg = NULL;
> - 	char* keyfile = NULL;
> - 	char c;
> - 
> -@@ -130,6 +133,7 @@ void svr_getopts(int argc, char ** argv) {
> - 	svr_opts.noauthpass = 0;
> - 	svr_opts.norootpass = 0;
> - 	svr_opts.allowblankpass = 0;
> -+	svr_opts.maxauthtries = DEFAULT_AUTH_TRIES;
> - 	svr_opts.inetdmode = 0;
> - 	svr_opts.portcount = 0;
> - 	svr_opts.hostkey = NULL;
> -@@ -234,6 +238,9 @@ void svr_getopts(int argc, char ** argv) {
> - 				case 'I':
> - 					next = &idle_timeout_arg;
> - 					break;
> -+				case 'T':
> -+					next = &maxauthtries_arg;
> -+					break;
> - #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
> - 				case 's':
> - 					svr_opts.noauthpass = 1;
> -@@ -330,6 +337,16 @@ void svr_getopts(int argc, char ** argv) {
> - 			dropbear_exit("Bad recv window '%s'", recv_window_arg);
> - 		}
> - 	}
> -+
> -+	if (maxauthtries_arg) {
> -+		unsigned int val = 0;
> -+		if (m_str_to_uint(maxauthtries_arg, &val) == DROPBEAR_FAILURE ||
> -+			val == 0 || val > MAX_AUTH_TRIES) {
> -+			dropbear_exit("Bad maxauthtries '%s'", maxauthtries_arg);
> -+		}
> -+		svr_opts.maxauthtries = val;
> -+	}
> -+
> - 	
> - 	if (keepalive_arg) {
> - 		unsigned int val;
> --- 
> -2.7.4
> -
> diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch
> index 401c7e1ba564..6672b7633fe7 100644
> --- a/package/network/services/dropbear/patches/100-pubkey_path.patch
> +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch
> @@ -1,6 +1,6 @@
>  --- a/svr-authpubkey.c
>  +++ b/svr-authpubkey.c
> -@@ -220,14 +220,20 @@ static int checkpubkey(char* algo, unsig
> +@@ -320,14 +320,20 @@ static int checkpubkey(const char* algo,
>   		goto out;
>   	}
>   
> @@ -29,7 +29,7 @@
>   
>   	/* open the file as the authenticating user. */
>   	origuid = getuid();
> -@@ -396,26 +402,35 @@ static int checkpubkeyperms() {
> +@@ -404,26 +410,35 @@ static int checkpubkeyperms() {
>   		goto out;
>   	}
>   
> @@ -42,17 +42,6 @@
>  -	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
>  -		goto out;
>  -	}
> --
> --	/* check ~/.ssh */
> --	strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
> --	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
> --		goto out;
> --	}
> --
> --	/* now check ~/.ssh/authorized_keys */
> --	strncat(filename, "/authorized_keys", 16);
> --	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
> --		goto out;
>  +	if (ses.authstate.pw_uid == 0) {
>  +		if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
>  +			goto out;
> @@ -70,13 +59,22 @@
>  +		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
>  +			goto out;
>  +		}
> -+
> + 
> +-	/* check ~/.ssh */
> +-	strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
> +-	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
> +-		goto out;
> +-	}
>  +		/* check ~/.ssh */
>  +		strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
>  +		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
>  +			goto out;
>  +		}
> -+
> + 
> +-	/* now check ~/.ssh/authorized_keys */
> +-	strncat(filename, "/authorized_keys", 16);
> +-	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
> +-		goto out;
>  +		/* now check ~/.ssh/authorized_keys */
>  +		strncat(filename, "/authorized_keys", 16);
>  +		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
> diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch
> index 4b5c1cb51bb1..5f0c5a99161a 100644
> --- a/package/network/services/dropbear/patches/110-change_user.patch
> +++ b/package/network/services/dropbear/patches/110-change_user.patch
> @@ -1,6 +1,6 @@
>  --- a/svr-chansession.c
>  +++ b/svr-chansession.c
> -@@ -922,12 +922,12 @@ static void execchild(void *user_data) {
> +@@ -935,12 +935,12 @@ static void execchild(const void *user_d
>   	/* We can only change uid/gid as root ... */
>   	if (getuid() == 0) {
>   
> diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch
> index 7f47a7430479..b35c0398fdb3 100644
> --- a/package/network/services/dropbear/patches/120-openwrt_options.patch
> +++ b/package/network/services/dropbear/patches/120-openwrt_options.patch
> @@ -1,82 +1,12 @@
> ---- a/options.h
> -+++ b/options.h
> -@@ -41,7 +41,7 @@
> -  * Both of these flags can be defined at once, don't compile without at least
> -  * one of them. */
> - #define NON_INETD_MODE
> --#define INETD_MODE
> -+/*#define INETD_MODE*/
> - 
> - /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
> -  * perhaps 20% slower for pubkey operations (it is probably worth experimenting
> -@@ -81,7 +81,7 @@ much traffic. */
> - 
> - /* Enable "Netcat mode" option. This will forward standard input/output
> -  * to a remote TCP-forwarded connection */
> --#define ENABLE_CLI_NETCAT
> -+/*#define ENABLE_CLI_NETCAT*/
> - 
> - /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
> - #define ENABLE_USER_ALGO_LIST
> -@@ -91,16 +91,16 @@ much traffic. */
> -  * Including multiple keysize variants the same cipher 
> -  * (eg AES256 as well as AES128) will result in a minimal size increase.*/
> - #define DROPBEAR_AES128
> --#define DROPBEAR_3DES
> -+/*#define DROPBEAR_3DES*/
> - #define DROPBEAR_AES256
> - /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
> - /*#define DROPBEAR_BLOWFISH*/
> --#define DROPBEAR_TWOFISH256
> --#define DROPBEAR_TWOFISH128
> -+/*#define DROPBEAR_TWOFISH256*/
> -+/*#define DROPBEAR_TWOFISH128*/
> - 
> - /* Enable CBC mode for ciphers. This has security issues though
> -  * is the most compatible with older SSH implementations */
> --#define DROPBEAR_ENABLE_CBC_MODE
> -+/*#define DROPBEAR_ENABLE_CBC_MODE*/
> - 
> - /* Enable "Counter Mode" for ciphers. This is more secure than normal
> -  * CBC mode against certain attacks. It is recommended for security
> -@@ -131,10 +131,10 @@ If you test it please contact the Dropbe
> -  * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
> -  * which are not the standard form. */
> - #define DROPBEAR_SHA1_HMAC
> --#define DROPBEAR_SHA1_96_HMAC
> -+/*#define DROPBEAR_SHA1_96_HMAC*/
> - #define DROPBEAR_SHA2_256_HMAC
> --#define DROPBEAR_SHA2_512_HMAC
> --#define DROPBEAR_MD5_HMAC
> -+/*#define DROPBEAR_SHA2_512_HMAC*/
> -+/*#define DROPBEAR_MD5_HMAC*/
> - 
> - /* You can also disable integrity. Don't bother disabling this if you're
> -  * still using a cipher, it's relatively cheap. If you disable this it's dead
> -@@ -146,7 +146,7 @@ If you test it please contact the Dropbe
> -  * Removing either of these won't save very much space.
> -  * SSH2 RFC Draft requires dss, recommends rsa */
> - #define DROPBEAR_RSA
> --#define DROPBEAR_DSS
> -+/*#define DROPBEAR_DSS*/
> - /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
> -  * code (either ECDSA or ECDH) increases binary size - around 30kB
> -  * on x86-64 */
> -@@ -194,7 +194,7 @@ If you test it please contact the Dropbe
> - 
> - /* Whether to print the message of the day (MOTD). This doesn't add much code
> -  * size */
> --#define DO_MOTD
> -+/*#define DO_MOTD*/
> - 
> - /* The MOTD file path */
> - #ifndef MOTD_FILENAME
> -@@ -242,7 +242,7 @@ Homedir is prepended unless path begins
> -  * note that it will be provided for all "hidden" client-interactive
> -  * style prompts - if you want something more sophisticated, use 
> -  * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
> --#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
> -+/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/
> - 
> - /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
> -  * a helper program for the ssh client. The helper program should be
> +--- /dev/null
> ++++ b/localoptions.h
> +@@ -0,0 +1,9 @@
> ++/* OpenWrt defined options */
> ++
> ++#define INETD_MODE 0
> ++#define ENABLE_CLI_NETCAT 0
> ++#define DROPBEAR_3DES 0
> ++#define DROPBEAR_ENABLE_CBC_MODE 0
> ++#define DROPBEAR_SHA1_96_HMAC 0
> ++#define DROPBEAR_DSS 0
> ++#define DROPBEAR_USE_PASSWORD_ENV 0
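Review bot: The new localoptions.h (the added lines at the end of the hunk) drops five settings that the old options.h patch forced off — DROPBEAR_TWOFISH256, DROPBEAR_TWOFISH128, DROPBEAR_SHA2_512_HMAC, DROPBEAR_MD5_HMAC and DO_MOTD — without any replacement line, so whether they stay disabled now depends entirely on what 2018.76's default_options.h chooses. Even where upstream's new default happens to match, pinning them explicitly (`#define DROPBEAR_MD5_HMAC 0` and so on) keeps the OpenWrt cipher/MAC policy from drifting silently on the next version bump; if any of them is intentionally re-enabled, that deserves a sentence in the commit message. A one-line comment at the top of the file saying that every value here overrides the corresponding entry in default_options.h would also help whoever refreshes this patch next.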
> diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
> index ab09c2f3dc3a..5e736320cc75 100644
> --- a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
> +++ b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
> @@ -1,6 +1,6 @@
>  --- a/cli-runopts.c
>  +++ b/cli-runopts.c
> -@@ -296,6 +296,8 @@ void cli_getopts(int argc, char ** argv)
> +@@ -299,6 +299,8 @@ void cli_getopts(int argc, char ** argv)
>   					debug_trace = 1;
>   					break;
>   #endif
> @@ -8,4 +8,4 @@
>  +					break;
>   				case 'F':
>   				case 'e':
> - #ifndef ENABLE_USER_ALGO_LIST
> + #if !DROPBEAR_USER_ALGO_LIST
> diff --git a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
> index ccc2cb792598..974b440d49f6 100644
> --- a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
> +++ b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
> @@ -1,14 +1,11 @@
> ---- a/options.h
> -+++ b/options.h
> -@@ -5,6 +5,11 @@
> - #ifndef DROPBEAR_OPTIONS_H_
> - #define DROPBEAR_OPTIONS_H_
> - 
> +--- a/localoptions.h
> ++++ b/localoptions.h
> +@@ -7,3 +7,8 @@
> + #define DROPBEAR_SHA1_96_HMAC 0
> + #define DROPBEAR_DSS 0
> + #define DROPBEAR_USE_PASSWORD_ENV 0
> ++
>  +#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER)
> -+#define DROPBEAR_SERVER
> -+#define DROPBEAR_CLIENT
> ++	#define DROPBEAR_SERVER 1
> ++	#define DROPBEAR_CLIENT 1
>  +#endif
> -+
> - /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
> -  * parts are to allow for commandline -DDROPBEAR_XXX options etc. */
> - 
> diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
> index 7c67b086bbac..223c94767a02 100644
> --- a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
> +++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
> @@ -1,6 +1,6 @@
>  --- a/svr-auth.c
>  +++ b/svr-auth.c
> -@@ -149,7 +149,7 @@ void recv_msg_userauth_request() {
> +@@ -122,7 +122,7 @@ void recv_msg_userauth_request() {
>   				AUTH_METHOD_NONE_LEN) == 0) {
>   		TRACE(("recv_msg_userauth_request: 'none' request"))
>   		if (valid_user
> diff --git a/package/network/services/dropbear/patches/610-disable-ec-by-default.patch b/package/network/services/dropbear/patches/610-disable-ec-by-default.patch
> new file mode 100644
> index 000000000000..cb9761b73506
> --- /dev/null
> +++ b/package/network/services/dropbear/patches/610-disable-ec-by-default.patch
> @@ -0,0 +1,10 @@
> +--- a/localoptions.h
> ++++ b/localoptions.h
> +@@ -12,3 +12,7 @@
> + 	#define DROPBEAR_SERVER 1
> + 	#define DROPBEAR_CLIENT 1
> + #endif
> ++
> ++#define DROPBEAR_CURVE25519 0
> ++#define DROPBEAR_ECDSA 0
> ++#define DROPBEAR_ECDH 0
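Review bot: The three `#define ... 0` lines added at the end of this hunk are not ordinary settings but the anchors that the package Makefile's awk pass overwrites from CONFIG_DROPBEAR_CURVE25519 and CONFIG_DROPBEAR_ECC, and nothing in the file says so; a refresher who "tidies" or duplicates them either skips the rewrite or gets two conflicting defines, and the Makefile's check only fails when a name is absent, not when it appears twice. A comment above the block would make that contract visible, e.g. `/* Placeholders rewritten by the package Makefile (Build/Configure) from the menuconfig EC options: keep exactly one line per symbol and do not repeat the symbol names elsewhere in this file. */` — deliberately not naming the symbols, since the awk match is a substring match and a comment containing them would be rewritten as well.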
> diff --git a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
> deleted file mode 100644
> index a555a9e49856..000000000000
> --- a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
> +++ /dev/null
> @@ -1,18 +0,0 @@
> ---- a/svr-runopts.c
> -+++ b/svr-runopts.c
> -@@ -505,6 +505,7 @@ void load_all_hostkeys() {
> - 		m_free(hostkey_file);
> - 	}
> - 
> -+	if (svr_opts.num_hostkey_files <= 0) {
> - #ifdef DROPBEAR_RSA
> - 	loadhostkey(RSA_PRIV_FILENAME, 0);
> - #endif
> -@@ -516,6 +517,7 @@ void load_all_hostkeys() {
> - #ifdef DROPBEAR_ECDSA
> - 	loadhostkey(ECDSA_PRIV_FILENAME, 0);
> - #endif
> -+	}
> - 
> - #ifdef DROPBEAR_DELAY_HOSTKEY
> - 	if (svr_opts.delay_hostkey) {
>
Koen Vandeputte May 2, 2018, 1:35 p.m. UTC | #2
On 2018-04-28 15:47, Hauke Mehrtens wrote:
> On 04/27/2018 05:58 PM, Koen Vandeputte wrote:
>> Config moved from option.h to localoptions.h
>> refreshed all patches
>>
>> deleted upstreamed patches:
>> - 010-runtime-maxauthtries.patch
>> - 610-skip-default-keys-in-custom-runs.patch
>>
>> introduced new patch:
>> - 610-disable-ec-by-default.patch
>>
>> This patch adds the EC definitions which are altered by the Makefile when
>> (de)selecting EC options.
>>
>> Tested on both LE (arm) and BE (mips) architectures.
>> Tested with all dropbear menuoptions on/off
> Please post the size of the binary and the ipkg with and without this patch.
>
> I think it compiles the math library by default with O2 or O3 and not
> with Os can you check this too please.
>
> Hauke
Hi Hauke,

Thank you for reviewing.

Libtom stuff compiles using Os afaict from the Makefiles.
The default binary size has indeed increased 'a bit' [1].
Inspecting the default dropbear config in detail shows some new options 
have appeared which are enabled by default (like an SFTP server)

I'll disable all unneeded stuff by default, and add new config options 
for useful new stuff (like this sftp server feature)
V2 coming up ..


Koen


[1]  size in bytes,  -Os

2017.75
-------

Openwrt default          : 172405
Openwrt default IPK      : 86512

Openwrt default     + ECC & zlib: 197301
Openwrt default IPK + ECC & zlib: 98709



2018.76
-------

Openwrt default          : 277260
Openwrt default IPK      : 131115

Openwrt default     + ECC & zlib: 327024
Openwrt default IPK + ECC & zlib: 150072

Patch

diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 21ac09f72452..e89043531f78 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -8,14 +8,14 @@ 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2017.75
-PKG_RELEASE:=5
+PKG_VERSION:=2018.76
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
 	http://matt.ucc.asn.au/dropbear/releases/ \
 	https://dropbear.nl/mirror/releases/
-PKG_HASH:=6cbc1dcb1c9709d226dff669e5604172a18cf5dbf9a201474d5618ae4465098c
+PKG_HASH:=f2fb9167eca8cf93456a5fc1d4faf709902a3ab70dd44e352f3acbc3ffdaea65
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
@@ -57,7 +57,7 @@  endef
 
 define Package/dropbear/conffiles
 /etc/dropbear/dropbear_rsa_host_key
-/etc/config/dropbear 
+/etc/config/dropbear
 endef
 
 define Package/dropbearconvert
@@ -89,24 +89,24 @@  define Build/Configure
 	$(Build/Configure/Default)
 
 	$(SED) 's,^#define DEFAULT_PATH .*$$$$,#define DEFAULT_PATH "$(TARGET_INIT_PATH)",g' \
-		$(PKG_BUILD_DIR)/options.h
+		$(PKG_BUILD_DIR)/default_options.h
 
 	awk 'BEGIN { rc = 1 } \
-	     /'DROPBEAR_CURVE25519'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_CURVE25519),,// )#define 'DROPBEAR_CURVE25519'"; rc = 0 } \
+	     /'DROPBEAR_CURVE25519'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_CURVE25519),#define 'DROPBEAR_CURVE25519' 1,#define 'DROPBEAR_CURVE25519' 0)"; rc = 0 } \
 	     { print } \
-	     END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \
-	     >$(PKG_BUILD_DIR)/options.h.new && \
-	mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h
+	     END { exit(rc) }' $(PKG_BUILD_DIR)/localoptions.h \
+	     >$(PKG_BUILD_DIR)/localoptions.h.new && \
+	mv $(PKG_BUILD_DIR)/localoptions.h.new $(PKG_BUILD_DIR)/localoptions.h
 
-	# Enforce that all replacements are made, otherwise options.h has changed
+	# Enforce that all replacements are made, otherwise localoptions.h has changed
 	# format and this logic is broken.
 	for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \
 	  awk 'BEGIN { rc = 1 } \
-	       /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// )#define '$$$$OPTION'"; rc = 0 } \
+	       /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),#define '$$$$OPTION' 1,#define '$$$$OPTION' 0)"; rc = 0 } \
 	       { print } \
-	       END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \
-	       >$(PKG_BUILD_DIR)/options.h.new && \
-	  mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h || exit 1; \
+	       END { exit(rc) }' $(PKG_BUILD_DIR)/localoptions.h \
+	       >$(PKG_BUILD_DIR)/localoptions.h.new && \
+	  mv $(PKG_BUILD_DIR)/localoptions.h.new $(PKG_BUILD_DIR)/localoptions.h || exit 1; \
 	done
 
 	# remove protocol idented software version number
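Review bot: The DEFAULT_PATH substitution on `default_options.h` (the first `$(SED)` line of the hunk) is the only rewrite in Build/Configure without a matched-or-fail check, so if a later dropbear release moves or renames that define, the build silently keeps upstream's PATH for every session instead of `$(TARGET_INIT_PATH)`. Since `localoptions.h` is dropbear's override point for `default_options.h`, emitting the define there gives the same effect without patching upstream's header, e.g. `echo '#define DEFAULT_PATH "$(TARGET_INIT_PATH)"' >>$(PKG_BUILD_DIR)/localoptions.h`. Separately, the awk patterns `/'DROPBEAR_CURVE25519'/` and `/'$$$$OPTION'/` are substring matches, so any line in localoptions.h that merely mentions one of these names (a comment, or a longer symbol sharing the prefix) would be replaced too; anchoring them as `/^#define 'DROPBEAR_CURVE25519' /` and `/^#define '$$$$OPTION' /` limits the rewrite to the define itself. The same hunk is quoted in comment #1 above.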
diff --git a/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch b/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch
deleted file mode 100644
index 26db3181f2d8..000000000000
--- a/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch
+++ /dev/null
@@ -1,130 +0,0 @@ 
-From 46b22e57d91e33a591d0fba97da52672af4d6ed2 Mon Sep 17 00:00:00 2001
-From: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
-Date: Mon, 29 May 2017 10:25:09 +0100
-Subject: [PATCH] dropbear server: support -T max auth tries
-
-Add support for '-T n' for a run-time specification for maximum number
-of authentication attempts where 'n' is between 1 and compile time
-option MAX_AUTH_TRIES.
-
-A default number of tries can be specified at compile time using
-'DEFAULT_AUTH_TRIES' which itself defaults to MAX_AUTH_TRIES for
-backwards compatibility.
-
-Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
----
- options.h     |  7 +++++++
- runopts.h     |  1 +
- svr-auth.c    |  2 +-
- svr-runopts.c | 17 +++++++++++++++++
- 4 files changed, 26 insertions(+), 1 deletion(-)
-
-diff --git a/options.h b/options.h
-index 0c51bb1..4d22704 100644
---- a/options.h
-+++ b/options.h
-@@ -284,6 +284,13 @@ Homedir is prepended unless path begins with / */
- #define MAX_AUTH_TRIES 10
- #endif
- 
-+/* Default maximum number of failed authentication tries.
-+ * defaults to MAX_AUTH_TRIES */
-+
-+#ifndef DEFAULT_AUTH_TRIES
-+#define DEFAULT_AUTH_TRIES MAX_AUTH_TRIES
-+#endif
-+
- /* The default file to store the daemon's process ID, for shutdown
-    scripts etc. This can be overridden with the -P flag */
- #ifndef DROPBEAR_PIDFILE
-diff --git a/runopts.h b/runopts.h
-index f7c869d..2f7da63 100644
---- a/runopts.h
-+++ b/runopts.h
-@@ -96,6 +96,7 @@ typedef struct svr_runopts {
- 	int noauthpass;
- 	int norootpass;
- 	int allowblankpass;
-+	unsigned int maxauthtries;
- 
- #ifdef ENABLE_SVR_REMOTETCPFWD
- 	int noremotetcp;
-diff --git a/svr-auth.c b/svr-auth.c
-index 577ea88..6a7ce0b 100644
---- a/svr-auth.c
-+++ b/svr-auth.c
-@@ -362,7 +362,7 @@ void send_msg_userauth_failure(int partial, int incrfail) {
- 		ses.authstate.failcount++;
- 	}
- 
--	if (ses.authstate.failcount >= MAX_AUTH_TRIES) {
-+	if (ses.authstate.failcount >= svr_opts.maxauthtries) {
- 		char * userstr;
- 		/* XXX - send disconnect ? */
- 		TRACE(("Max auth tries reached, exiting"))
-diff --git a/svr-runopts.c b/svr-runopts.c
-index 8f60059..1e7440f 100644
---- a/svr-runopts.c
-+++ b/svr-runopts.c
-@@ -73,6 +73,7 @@ static void printhelp(const char * progname) {
- 					"-g		Disable password logins for root\n"
- 					"-B		Allow blank password logins\n"
- #endif
-+					"-T <1 to %d> 	Maximum authentication tries (default %d)\n"
- #ifdef ENABLE_SVR_LOCALTCPFWD
- 					"-j		Disable local port forwarding\n"
- #endif
-@@ -106,6 +107,7 @@ static void printhelp(const char * progname) {
- #ifdef DROPBEAR_ECDSA
- 					ECDSA_PRIV_FILENAME,
- #endif
-+					MAX_AUTH_TRIES, DEFAULT_AUTH_TRIES,
- 					DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE,
- 					DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT);
- }
-@@ -118,6 +120,7 @@ void svr_getopts(int argc, char ** argv) {
- 	char* recv_window_arg = NULL;
- 	char* keepalive_arg = NULL;
- 	char* idle_timeout_arg = NULL;
-+	char* maxauthtries_arg = NULL;
- 	char* keyfile = NULL;
- 	char c;
- 
-@@ -130,6 +133,7 @@ void svr_getopts(int argc, char ** argv) {
- 	svr_opts.noauthpass = 0;
- 	svr_opts.norootpass = 0;
- 	svr_opts.allowblankpass = 0;
-+	svr_opts.maxauthtries = DEFAULT_AUTH_TRIES;
- 	svr_opts.inetdmode = 0;
- 	svr_opts.portcount = 0;
- 	svr_opts.hostkey = NULL;
-@@ -234,6 +238,9 @@ void svr_getopts(int argc, char ** argv) {
- 				case 'I':
- 					next = &idle_timeout_arg;
- 					break;
-+				case 'T':
-+					next = &maxauthtries_arg;
-+					break;
- #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
- 				case 's':
- 					svr_opts.noauthpass = 1;
-@@ -330,6 +337,16 @@ void svr_getopts(int argc, char ** argv) {
- 			dropbear_exit("Bad recv window '%s'", recv_window_arg);
- 		}
- 	}
-+
-+	if (maxauthtries_arg) {
-+		unsigned int val = 0;
-+		if (m_str_to_uint(maxauthtries_arg, &val) == DROPBEAR_FAILURE ||
-+			val == 0 || val > MAX_AUTH_TRIES) {
-+			dropbear_exit("Bad maxauthtries '%s'", maxauthtries_arg);
-+		}
-+		svr_opts.maxauthtries = val;
-+	}
-+
- 	
- 	if (keepalive_arg) {
- 		unsigned int val;
--- 
-2.7.4
-
diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch
index 401c7e1ba564..6672b7633fe7 100644
--- a/package/network/services/dropbear/patches/100-pubkey_path.patch
+++ b/package/network/services/dropbear/patches/100-pubkey_path.patch
@@ -1,6 +1,6 @@ 
 --- a/svr-authpubkey.c
 +++ b/svr-authpubkey.c
-@@ -220,14 +220,20 @@ static int checkpubkey(char* algo, unsig
+@@ -320,14 +320,20 @@ static int checkpubkey(const char* algo,
  		goto out;
  	}
  
@@ -29,7 +29,7 @@ 
  
  	/* open the file as the authenticating user. */
  	origuid = getuid();
-@@ -396,26 +402,35 @@ static int checkpubkeyperms() {
+@@ -404,26 +410,35 @@ static int checkpubkeyperms() {
  		goto out;
  	}
  
@@ -42,17 +42,6 @@ 
 -	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
 -		goto out;
 -	}
--
--	/* check ~/.ssh */
--	strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
--	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
--		goto out;
--	}
--
--	/* now check ~/.ssh/authorized_keys */
--	strncat(filename, "/authorized_keys", 16);
--	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
--		goto out;
 +	if (ses.authstate.pw_uid == 0) {
 +		if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
 +			goto out;
@@ -70,13 +59,22 @@ 
 +		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
 +			goto out;
 +		}
-+
+ 
+-	/* check ~/.ssh */
+-	strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
+-	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+-		goto out;
+-	}
 +		/* check ~/.ssh */
 +		strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
 +		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
 +			goto out;
 +		}
-+
+ 
+-	/* now check ~/.ssh/authorized_keys */
+-	strncat(filename, "/authorized_keys", 16);
+-	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+-		goto out;
 +		/* now check ~/.ssh/authorized_keys */
 +		strncat(filename, "/authorized_keys", 16);
 +		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
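Review bot: The refreshed block still builds the path with `strncat(filename, "/.ssh", 5)` and `strncat(filename, "/authorized_keys", 16)`, where the length argument equals the length of the literal being appended, so it bounds nothing on the destination side and is equivalent to `strcat`. The allocation of `filename` is outside this hunk; if it is sized for the full path these calls are safe, but the hard-coded counts document the wrong quantity and would not catch a later change to the allocation. A `snprintf(filename, filename_len, "%s/.ssh/authorized_keys", ...)` style build with the real buffer size, or a comment at the allocation stating the required size, would make the bound meaningful. This is pre-existing in the OpenWrt patch rather than introduced by the refresh, and checkpubkeyperms() starts and ends outside the hunk.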
diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch
index 4b5c1cb51bb1..5f0c5a99161a 100644
--- a/package/network/services/dropbear/patches/110-change_user.patch
+++ b/package/network/services/dropbear/patches/110-change_user.patch
@@ -1,6 +1,6 @@ 
 --- a/svr-chansession.c
 +++ b/svr-chansession.c
-@@ -922,12 +922,12 @@ static void execchild(void *user_data) {
+@@ -935,12 +935,12 @@ static void execchild(const void *user_d
  	/* We can only change uid/gid as root ... */
  	if (getuid() == 0) {
  
diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch
index 7f47a7430479..b35c0398fdb3 100644
--- a/package/network/services/dropbear/patches/120-openwrt_options.patch
+++ b/package/network/services/dropbear/patches/120-openwrt_options.patch
@@ -1,82 +1,12 @@ 
---- a/options.h
-+++ b/options.h
-@@ -41,7 +41,7 @@
-  * Both of these flags can be defined at once, don't compile without at least
-  * one of them. */
- #define NON_INETD_MODE
--#define INETD_MODE
-+/*#define INETD_MODE*/
- 
- /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
-  * perhaps 20% slower for pubkey operations (it is probably worth experimenting
-@@ -81,7 +81,7 @@ much traffic. */
- 
- /* Enable "Netcat mode" option. This will forward standard input/output
-  * to a remote TCP-forwarded connection */
--#define ENABLE_CLI_NETCAT
-+/*#define ENABLE_CLI_NETCAT*/
- 
- /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
- #define ENABLE_USER_ALGO_LIST
-@@ -91,16 +91,16 @@ much traffic. */
-  * Including multiple keysize variants the same cipher 
-  * (eg AES256 as well as AES128) will result in a minimal size increase.*/
- #define DROPBEAR_AES128
--#define DROPBEAR_3DES
-+/*#define DROPBEAR_3DES*/
- #define DROPBEAR_AES256
- /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
- /*#define DROPBEAR_BLOWFISH*/
--#define DROPBEAR_TWOFISH256
--#define DROPBEAR_TWOFISH128
-+/*#define DROPBEAR_TWOFISH256*/
-+/*#define DROPBEAR_TWOFISH128*/
- 
- /* Enable CBC mode for ciphers. This has security issues though
-  * is the most compatible with older SSH implementations */
--#define DROPBEAR_ENABLE_CBC_MODE
-+/*#define DROPBEAR_ENABLE_CBC_MODE*/
- 
- /* Enable "Counter Mode" for ciphers. This is more secure than normal
-  * CBC mode against certain attacks. It is recommended for security
-@@ -131,10 +131,10 @@ If you test it please contact the Dropbe
-  * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
-  * which are not the standard form. */
- #define DROPBEAR_SHA1_HMAC
--#define DROPBEAR_SHA1_96_HMAC
-+/*#define DROPBEAR_SHA1_96_HMAC*/
- #define DROPBEAR_SHA2_256_HMAC
--#define DROPBEAR_SHA2_512_HMAC
--#define DROPBEAR_MD5_HMAC
-+/*#define DROPBEAR_SHA2_512_HMAC*/
-+/*#define DROPBEAR_MD5_HMAC*/
- 
- /* You can also disable integrity. Don't bother disabling this if you're
-  * still using a cipher, it's relatively cheap. If you disable this it's dead
-@@ -146,7 +146,7 @@ If you test it please contact the Dropbe
-  * Removing either of these won't save very much space.
-  * SSH2 RFC Draft requires dss, recommends rsa */
- #define DROPBEAR_RSA
--#define DROPBEAR_DSS
-+/*#define DROPBEAR_DSS*/
- /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
-  * code (either ECDSA or ECDH) increases binary size - around 30kB
-  * on x86-64 */
-@@ -194,7 +194,7 @@ If you test it please contact the Dropbe
- 
- /* Whether to print the message of the day (MOTD). This doesn't add much code
-  * size */
--#define DO_MOTD
-+/*#define DO_MOTD*/
- 
- /* The MOTD file path */
- #ifndef MOTD_FILENAME
-@@ -242,7 +242,7 @@ Homedir is prepended unless path begins
-  * note that it will be provided for all "hidden" client-interactive
-  * style prompts - if you want something more sophisticated, use 
-  * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
--#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
-+/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/
- 
- /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
-  * a helper program for the ssh client. The helper program should be
+--- /dev/null
++++ b/localoptions.h
+@@ -0,0 +1,9 @@
++/* OpenWrt defined options */
++
++#define INETD_MODE 0
++#define ENABLE_CLI_NETCAT 0
++#define DROPBEAR_3DES 0
++#define DROPBEAR_ENABLE_CBC_MODE 0
++#define DROPBEAR_SHA1_96_HMAC 0
++#define DROPBEAR_DSS 0
++#define DROPBEAR_USE_PASSWORD_ENV 0
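Review bot: `#define ENABLE_CLI_NETCAT 0` in the new localoptions.h probably names an option that 2018.76 no longer reads: the 130 patch in this same series changes `#ifndef ENABLE_USER_ALGO_LIST` to `#if !DROPBEAR_USER_ALGO_LIST`, and if the netcat option was renamed the same way this define is silently ignored and netcat mode stays at the upstream default; `#define DROPBEAR_CLI_NETCAT 0` is the form to verify against default_options.h. Several options the old options.h patch disabled are also not carried over — TWOFISH128/TWOFISH256, SHA2_512 and MD5 HMACs, and DO_MOTD — while the commit message only says "refreshed all patches". If the upstream defaults for 2018.76 already disable them that is fine but should be stated in the message; otherwise add the corresponding lines, e.g. `#define DROPBEAR_MD5_HMAC 0` and `#define DO_MOTD 0`, so the bump does not widen the algorithm set by accident.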
diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
index ab09c2f3dc3a..5e736320cc75 100644
--- a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
+++ b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
@@ -1,6 +1,6 @@ 
 --- a/cli-runopts.c
 +++ b/cli-runopts.c
-@@ -296,6 +296,8 @@ void cli_getopts(int argc, char ** argv)
+@@ -299,6 +299,8 @@ void cli_getopts(int argc, char ** argv)
  					debug_trace = 1;
  					break;
  #endif
@@ -8,4 +8,4 @@ 
 +					break;
  				case 'F':
  				case 'e':
- #ifndef ENABLE_USER_ALGO_LIST
+ #if !DROPBEAR_USER_ALGO_LIST
diff --git a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
index ccc2cb792598..974b440d49f6 100644
--- a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
+++ b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
@@ -1,14 +1,11 @@ 
---- a/options.h
-+++ b/options.h
-@@ -5,6 +5,11 @@
- #ifndef DROPBEAR_OPTIONS_H_
- #define DROPBEAR_OPTIONS_H_
- 
+--- a/localoptions.h
++++ b/localoptions.h
+@@ -7,3 +7,8 @@
+ #define DROPBEAR_SHA1_96_HMAC 0
+ #define DROPBEAR_DSS 0
+ #define DROPBEAR_USE_PASSWORD_ENV 0
++
 +#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER)
-+#define DROPBEAR_SERVER
-+#define DROPBEAR_CLIENT
++	#define DROPBEAR_SERVER 1
++	#define DROPBEAR_CLIENT 1
 +#endif
-+
- /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
-  * parts are to allow for commandline -DDROPBEAR_XXX options etc. */
- 
diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
index 7c67b086bbac..223c94767a02 100644
--- a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
+++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
@@ -1,6 +1,6 @@ 
 --- a/svr-auth.c
 +++ b/svr-auth.c
-@@ -149,7 +149,7 @@ void recv_msg_userauth_request() {
+@@ -122,7 +122,7 @@ void recv_msg_userauth_request() {
  				AUTH_METHOD_NONE_LEN) == 0) {
  		TRACE(("recv_msg_userauth_request: 'none' request"))
  		if (valid_user
diff --git a/package/network/services/dropbear/patches/610-disable-ec-by-default.patch b/package/network/services/dropbear/patches/610-disable-ec-by-default.patch
new file mode 100644
index 000000000000..cb9761b73506
--- /dev/null
+++ b/package/network/services/dropbear/patches/610-disable-ec-by-default.patch
@@ -0,0 +1,10 @@ 
+--- a/localoptions.h
++++ b/localoptions.h
+@@ -12,3 +12,7 @@
+ 	#define DROPBEAR_SERVER 1
+ 	#define DROPBEAR_CLIENT 1
+ #endif
++
++#define DROPBEAR_CURVE25519 0
++#define DROPBEAR_ECDSA 0
++#define DROPBEAR_ECDH 0
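Review bot: The three EC defines carry no comment, yet the commit message says the package Makefile rewrites them when EC options are (de)selected, so a later reformat or reorder of these lines would silently break that coupling. A comment above them, e.g. `/* Rewritten by the package Makefile for the ECC options; keep the exact "#define NAME 0" form */`, would record this. With DROPBEAR_CURVE25519, DROPBEAR_ECDSA and DROPBEAR_ECDH all 0, key exchange falls back to whichever finite-field DH groups upstream leaves enabled by default, which presumably still includes the 1024-bit group1; if so, consider pairing this with the upstream option that disables it (DROPBEAR_DH_GROUP1 in default_options.h, verify the name) or stating the trade-off in the patch description. The hunk also relies on the `#if` block added by the 150 patch sitting at lines 12-14, which is worth noting in the patch file since the two are only linked by line numbers.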
diff --git a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
deleted file mode 100644
index a555a9e49856..000000000000
--- a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
+++ /dev/null
@@ -1,18 +0,0 @@ 
---- a/svr-runopts.c
-+++ b/svr-runopts.c
-@@ -505,6 +505,7 @@ void load_all_hostkeys() {
- 		m_free(hostkey_file);
- 	}
- 
-+	if (svr_opts.num_hostkey_files <= 0) {
- #ifdef DROPBEAR_RSA
- 	loadhostkey(RSA_PRIV_FILENAME, 0);
- #endif
-@@ -516,6 +517,7 @@ void load_all_hostkeys() {
- #ifdef DROPBEAR_ECDSA
- 	loadhostkey(ECDSA_PRIV_FILENAME, 0);
- #endif
-+	}
- 
- #ifdef DROPBEAR_DELAY_HOSTKEY
- 	if (svr_opts.delay_hostkey) {