diff --git a/packages/dropbear/build.sh b/packages/dropbear/build.sh
index 503dd4d464..b3b67991f9 100644
--- a/packages/dropbear/build.sh
+++ b/packages/dropbear/build.sh
@@ -2,9 +2,9 @@ TERMUX_PKG_HOMEPAGE=https://matt.ucc.asn.au/dropbear/dropbear.html
 TERMUX_PKG_DESCRIPTION="Small SSH server and client"
 TERMUX_PKG_LICENSE="MIT"
 TERMUX_PKG_MAINTAINER="@termux"
-TERMUX_PKG_VERSION=2022.82
+TERMUX_PKG_VERSION=2022.83
 TERMUX_PKG_SRCURL=https://matt.ucc.asn.au/dropbear/releases/dropbear-${TERMUX_PKG_VERSION}.tar.bz2
-TERMUX_PKG_SHA256=3a038d2bbc02bf28bbdd20c012091f741a3ec5cbe460691811d714876aad75d1
+TERMUX_PKG_SHA256=bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b
 TERMUX_PKG_DEPENDS="termux-auth, zlib"
 TERMUX_PKG_SUGGESTS="openssh-sftp-server"
 TERMUX_PKG_CONFLICTS="openssh"
@@ -28,7 +28,7 @@ termux_step_create_debscripts() {
 {
 echo "#!$TERMUX_PREFIX/bin/sh"
 echo "mkdir -p $TERMUX_PREFIX/etc/dropbear"
- echo "for a in rsa dss ecdsa ed25519; do"
+ echo "for a in rsa ecdsa ed25519; do"
 echo " KEYFILE=$TERMUX_PREFIX/etc/dropbear/dropbear_\${a}_host_key"
 echo " test ! -f \$KEYFILE && dropbearkey -t \$a -f \$KEYFILE"
 echo "done"
diff --git a/packages/dropbear/compat.c.patch b/packages/dropbear/compat.c.patch
index 9b734cba57..e73b06fefa 100644
--- a/packages/dropbear/compat.c.patch
+++ b/packages/dropbear/compat.c.patch
@@ -1,15 +1,6 @@
 diff -uNr dropbear-2018.76/compat.c dropbear-2018.76.mod/compat.c
 --- dropbear-2018.76/compat.c 2018-02-27 16:25:10.000000000 +0200
 +++ dropbear-2018.76.mod/compat.c 2018-04-21 13:47:36.443738351 +0300
-@@ -232,7 +232,7 @@
-
- static char **initshells() {
- /* don't touch this list. */
-- static const char *okshells[] = { "/bin/sh", "/bin/csh", NULL };
-+ static const char *okshells[] = { "@TERMUX_PREFIX@/bin/sh", "@TERMUX_PREFIX@/bin/csh", NULL };
- register char **sp, *cp;
- register FILE *fp;
- struct stat statb;
 @@ -244,7 +244,7 @@
 if (strings != NULL)
 free(strings);
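Review bot: In the second hunk of packages/dropbear/build.sh, removing `dss` from the postinst loop only stops new DSS host keys from being generated; because the loop skips files that already exist (`test ! -f \$KEYFILE`), a `dropbear_dss_host_key` left by an earlier install stays in `$TERMUX_PREFIX/etc/dropbear` after the upgrade. Whether the server still loads that key depends on whether DSS ends up compiled in, which this hunk does not show. If the intent is to retire DSS, a line before the loop such as `echo "rm -f $TERMUX_PREFIX/etc/dropbear/dropbear_dss_host_key"` would make upgraded installs match fresh ones. The body of termux_step_create_debscripts continues outside the hunk.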
diff --git a/packages/dropbear/svr-authpasswd.c.patch b/packages/dropbear/svr-authpasswd.c.patch
index b5d0ed7be3..b7f9080c37 100644
--- a/packages/dropbear/svr-authpasswd.c.patch
+++ b/packages/dropbear/svr-authpasswd.c.patch
@@ -33,51 +33,19 @@ diff -u -r ../dropbear-2019.77/svr-authpasswd.c ./svr-authpasswd.c
 /* check if client wants to change password */
 changepw = buf_getbool(ses.payload);
-@@ -65,47 +50,14 @@
+@@ -65,6 +50,7 @@
 }
 password = buf_getstring(ses.payload, &passwordlen);
-- if (valid_user && passwordlen <= DROPBEAR_MAX_PASSWORD_LEN) {
-- /* the first bytes of passwdcrypt are the salt */
-- passwdcrypt = ses.authstate.pw_passwd;
-- testcrypt = crypt(password, passwdcrypt);
-- }
-- m_burn(password, passwordlen);
-- m_free(password);
--
-- /* After we have got the payload contents we can exit if the username
-- is invalid. Invalid users have already been logged. */
-- if (!valid_user) {
-- send_msg_userauth_failure(0, 1);
-- return;
-- }
--
-- if (passwordlen > DROPBEAR_MAX_PASSWORD_LEN) {
-- dropbear_log(LOG_WARNING,
-- "Too-long password attempt for '%s' from %s",
-- ses.authstate.pw_name,
-- svr_ses.addrstring);
-- send_msg_userauth_failure(0, 1);
-- return;
-- }
--
-- if (testcrypt == NULL) {
-- /* crypt() with an invalid salt like "!!" */
-- dropbear_log(LOG_WARNING, "User account '%s' is locked",
-- ses.authstate.pw_name);
-- send_msg_userauth_failure(0, 1);
-- return;
-- }
--
-- /* check for empty password */
-- if (passwdcrypt[0] == '\0') {
-- dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected",
-- ses.authstate.pw_name);
-- send_msg_userauth_failure(0, 1);
-- return;
-- }
++#ifndef __ANDROID__
+ if (valid_user && passwordlen <= DROPBEAR_MAX_PASSWORD_LEN) {
+ /* the first bytes of passwdcrypt are the salt */
+ passwdcrypt = ses.authstate.pw_passwd;
+@@ -106,6 +92,15 @@
+ }
-- if (constant_time_strcmp(testcrypt, passwdcrypt) == 0) {
+ if (constant_time_strcmp(testcrypt, passwdcrypt) == 0) {
++#else /* __ANDROID__ */
 + /* check if password is valid */
 + if (termux_auth(ses.authstate.pw_name, password)) {
 + if (!ses.authstate.pw_name) {
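Review bot: On the `__ANDROID__` side of the new `#ifndef`/`#else`, nothing visible bounds or validates the input before `termux_auth(ses.authstate.pw_name, password)` runs. Judging by the upstream lines the previous patch used to delete, the `valid_user` exit, the `DROPBEAR_MAX_PASSWORD_LEN` cap and `m_burn(password, passwordlen)` all fall inside the `#ifndef __ANDROID__` half. The name is also passed to `termux_auth` before the `if (!ses.authstate.pw_name)` test that follows the call. Unless termux_auth enforces its own limits (not shown here), I would add a shared guard ahead of the `#ifndef`, for example `if (passwordlen > DROPBEAR_MAX_PASSWORD_LEN) { m_burn(password, passwordlen); m_free(password); send_msg_userauth_failure(0, 1); return; }`, and move the NULL test above the call. The patched function starts and ends outside this hunk, so the password may still be wiped later on the Android path; that is worth confirming.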
@@ -85,6 +53,7 @@ diff -u -r ../dropbear-2019.77/svr-authpasswd.c ./svr-authpasswd.c
 + send_msg_userauth_failure(0, 1);
 + return;
 + }
- /* successful authentication */
- dropbear_log(LOG_NOTICE,
- "Password auth succeeded for '%s' from %s",
++#endif /* __ANDROID__ */
+ if (svr_opts.multiauthmethod && (ses.authstate.authtypes & ~AUTH_TYPE_PASSWORD)) {
+ /* successful password authentication, but extra auth required */
+ dropbear_log(LOG_NOTICE,
diff --git a/packages/dropbear/sysoptions.h.patch b/packages/dropbear/sysoptions.h.patch
index d2964e887a..9f650bc15f 100644
--- a/packages/dropbear/sysoptions.h.patch
+++ b/packages/dropbear/sysoptions.h.patch
@@ -10,6 +10,15 @@ diff -uNr dropbear-2018.76/sysoptions.h dropbear-2018.76.mod/sysoptions.h
 #define DROPBEAR_ESCAPE_CHAR '~'
+@@ -85,7 +85,7 @@
+ -DCOMPAT_USER_SHELLS='"/bin/sh","/apps/bin/sh","/data/bin/zsh"'
+ */
+ #ifndef COMPAT_USER_SHELLS
+-#define COMPAT_USER_SHELLS "/bin/sh","/bin/csh"
++#define COMPAT_USER_SHELLS "@TERMUX_PREFIX@/bin/sh","@TERMUX_PREFIX@/bin/csh"
+ #endif
+
+ #define DROPBEAR_ESCAPE_CHAR '~'
 @@ -233,10 +233,6 @@
 #error "DROPBEAR_SVR_PATM_AUTH requires PAM headers. Perhaps ./configure --enable-pam ?"
 #endif
@@ -21,3 +30,16 @@ diff -uNr dropbear-2018.76/sysoptions.h dropbear-2018.76.mod/sysoptions.h
 #if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH)
 #error "At least one server authentication type must be enabled. DROPBEAR_SVR_PUBKEY_AUTH and DROPBEAR_SVR_PASSWORD_AUTH are recommended."
 #endif
+@@ -382,10 +378,12 @@
+ #define DROPBEAR_MULTI 0
+ #endif
+
++#ifndef __ANDROID__
+ /* Fuzzing expects all key types to be enabled */
+ #if defined(DROPBEAR_DSS)
+ #undef DROPBEAR_DSS
+ #endif
+ #define DROPBEAR_DSS 1
++#endif
+
+ /* no include guard for this file */
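Review bot: The `#ifndef __ANDROID__` added around the forced `#define DROPBEAR_DSS 1` in the last sysoptions.h.patch hunk carries no comment, and on its own it only stops DSS from being forced on. Whether DSS is actually disabled then depends on the default or local option files, which this diff does not show. A comment on the guard such as `/* Termux: do not force-enable DSS; postinst no longer generates a DSS host key */`, with the closing line labelled `#endif /* !__ANDROID__ */`, would record the intent next to the upstream fuzzing remark. If the goal is to drop DSS from the package, it is worth confirming that `DROPBEAR_DSS` resolves to 0 in the Termux build.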