From 994d9934727884c3f86027c607954631125ab002 Mon Sep 17 00:00:00 2001
From: Fredrik Fornwall <fredrik@fornwall.net>
Date: Mon, 25 Mar 2019 00:02:09 +0100
Subject: [PATCH] dropbear: Update from 2018.76 to 2019.77

---
 ...280613f5ab4ee86c14c779739070e5784dfe.patch | 52 +++++++++++++
 packages/dropbear/build.sh                    |  6 +-
 packages/dropbear/common-session.c.patch      | 25 +++++-
 packages/dropbear/default_options.h.patch     | 21 +++--
 packages/dropbear/svr-agentfwd.c.patch        | 13 ----
 packages/dropbear/svr-authpasswd.c.patch      | 76 +++++++++----------
 6 files changed, 125 insertions(+), 68 deletions(-)
 create mode 100644 packages/dropbear/7bc6280613f5ab4ee86c14c779739070e5784dfe.patch

diff --git a/packages/dropbear/7bc6280613f5ab4ee86c14c779739070e5784dfe.patch b/packages/dropbear/7bc6280613f5ab4ee86c14c779739070e5784dfe.patch
new file mode 100644
index 0000000000..5ba1efb020
--- /dev/null
+++ b/packages/dropbear/7bc6280613f5ab4ee86c14c779739070e5784dfe.patch
@@ -0,0 +1,52 @@
+From 7bc6280613f5ab4ee86c14c779739070e5784dfe Mon Sep 17 00:00:00 2001
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Sun, 24 Mar 2019 20:41:02 +0800
+Subject: [PATCH] Fix regression where TTY modes weren't reset for client
+
+---
+ cli-chansession.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/cli-chansession.c b/cli-chansession.c
+index 8b72e279..cfd3401b 100644
+--- a/cli-chansession.c
++++ b/cli-chansession.c
+@@ -35,7 +35,7 @@
+ #include "chansession.h"
+ #include "agentfwd.h"
+ 
+-static void cli_cleanupchansess(const struct Channel *channel);
++static void cli_closechansess(const struct Channel *channel);
+ static int cli_initchansess(struct Channel *channel);
+ static void cli_chansessreq(struct Channel *channel);
+ static void send_chansess_pty_req(const struct Channel *channel);
+@@ -51,8 +51,8 @@ const struct ChanType clichansess = {
+ 	cli_initchansess, /* inithandler */
+ 	NULL, /* checkclosehandler */
+ 	cli_chansessreq, /* reqhandler */
+-	NULL, /* closehandler */
+-	cli_cleanupchansess, /* cleanup */
++	cli_closechansess, /* closehandler */
++	NULL, /* cleanup */
+ };
+ 
+ static void cli_chansessreq(struct Channel *channel) {
+@@ -84,7 +84,7 @@ static void cli_chansessreq(struct Channel *channel) {
+ 	
+ 
+ /* If the main session goes, we close it up */
+-static void cli_cleanupchansess(const struct Channel *UNUSED(channel)) {
++static void cli_closechansess(const struct Channel *UNUSED(channel)) {
+ 	cli_tty_cleanup(); /* Restore tty modes etc */
+ 
+ 	/* This channel hasn't gone yet, so we have > 1 */
+@@ -388,8 +388,8 @@ static const struct ChanType cli_chan_netcat = {
+ 	cli_init_netcat, /* inithandler */
+ 	NULL,
+ 	NULL,
++	cli_closechansess,
+ 	NULL,
+-	cli_cleanupchansess
+ };
+ 
+ void cli_send_netcat_request() {
diff --git a/packages/dropbear/build.sh b/packages/dropbear/build.sh
index 13ed6e214c..300e8b2b92 100644
--- a/packages/dropbear/build.sh
+++ b/packages/dropbear/build.sh
@@ -1,10 +1,10 @@
 TERMUX_PKG_HOMEPAGE=https://matt.ucc.asn.au/dropbear/dropbear.html
 TERMUX_PKG_DESCRIPTION="Small SSH server and client"
 TERMUX_PKG_LICENSE="BSD"
-TERMUX_PKG_VERSION=2018.76
-TERMUX_PKG_REVISION=6
+TERMUX_PKG_VERSION=2019.77
+TERMUX_PKG_REVISION=1
+TERMUX_PKG_SHA256=d91f78ebe633be1d071fd1b7e5535b9693794048b019e9f4bea257e1992b458d
 TERMUX_PKG_SRCURL=https://matt.ucc.asn.au/dropbear/releases/dropbear-${TERMUX_PKG_VERSION}.tar.bz2
-TERMUX_PKG_SHA256=f2fb9167eca8cf93456a5fc1d4faf709902a3ab70dd44e352f3acbc3ffdaea65
 TERMUX_PKG_DEPENDS="termux-auth"
 TERMUX_PKG_CONFLICTS="openssh"
 TERMUX_PKG_BUILD_IN_SRC="yes"
diff --git a/packages/dropbear/common-session.c.patch b/packages/dropbear/common-session.c.patch
index e318add71f..bb40f1350b 100644
--- a/packages/dropbear/common-session.c.patch
+++ b/packages/dropbear/common-session.c.patch
@@ -1,7 +1,24 @@
-diff -uNr dropbear-2018.76/common-session.c dropbear-2018.76.mod/common-session.c
---- dropbear-2018.76/common-session.c	2018-02-27 16:25:10.000000000 +0200
-+++ dropbear-2018.76.mod/common-session.c	2018-04-21 13:49:06.633742995 +0300
-@@ -570,7 +570,7 @@
+diff -u -r ../dropbear-2019.77/common-session.c ./common-session.c
+--- ../dropbear-2019.77/common-session.c	2019-03-23 13:46:29.000000000 +0000
++++ ./common-session.c	2019-03-24 22:46:36.558021934 +0000
+@@ -68,16 +68,6 @@
+ 	/* Sets it to lowdelay */
+ 	update_channel_prio();
+ 
+-#if !DROPBEAR_SVR_MULTIUSER
+-	/* A sanity check to prevent an accidental configuration option
+-	   leaving multiuser systems exposed */
+-	errno = 0;
+-	getuid();
+-	if (errno != ENOSYS) {
+-		dropbear_exit("Non-multiuser Dropbear requires a non-multiuser kernel");
+-	}
+-#endif
+-
+ 	now = monotonic_now();
+ 	ses.connect_time = now;
+ 	ses.last_packet_time_keepalive_recv = now;
+@@ -600,7 +590,7 @@
  const char* get_user_shell() {
  	/* an empty shell should be interpreted as "/bin/sh" */
  	if (ses.authstate.pw_shell[0] == '\0') {
diff --git a/packages/dropbear/default_options.h.patch b/packages/dropbear/default_options.h.patch
index 6cbdafe04b..f6a42bba60 100644
--- a/packages/dropbear/default_options.h.patch
+++ b/packages/dropbear/default_options.h.patch
@@ -1,6 +1,6 @@
-diff -uNr dropbear-2018.76/default_options.h dropbear-2018.76.mod/default_options.h
---- dropbear-2018.76/default_options.h	2018-02-27 16:25:10.000000000 +0200
-+++ dropbear-2018.76.mod/default_options.h	2018-10-21 14:11:01.838918022 +0300
+diff -u -r ../dropbear-2019.77/default_options.h ./default_options.h
+--- ../dropbear-2019.77/default_options.h	2019-03-23 13:46:29.000000000 +0000
++++ ./default_options.h	2019-03-24 22:37:39.284638278 +0000
 @@ -13,15 +13,15 @@
  
  IMPORTANT: Some options will require "make clean" after changes */
@@ -39,7 +39,16 @@ diff -uNr dropbear-2018.76/default_options.h dropbear-2018.76.mod/default_option
  
  /* Authentication Types - at least one required.
     RFC Draft requires pubkey auth, and recommends password */
-@@ -222,7 +222,7 @@
+@@ -199,7 +199,7 @@
+ /* Set this to 0 if your system does not have multiple user support.
+    (Linux kernel CONFIG_MULTIUSER option)
+    The resulting binary will not run on a normal system. */
+-#define DROPBEAR_SVR_MULTIUSER 1
++#define DROPBEAR_SVR_MULTIUSER 0
+ 
+ /* Client authentication options */
+ #define DROPBEAR_CLI_PASSWORD_AUTH 1
+@@ -227,7 +227,7 @@
  
  /* Set this to use PRNGD or EGD instead of /dev/urandom */
  #define DROPBEAR_USE_PRNGD 0
@@ -48,7 +57,7 @@ diff -uNr dropbear-2018.76/default_options.h dropbear-2018.76.mod/default_option
  
  /* Specify the number of clients we will allow to be connected but
   * not yet authenticated. After this limit, connections are rejected */
-@@ -239,22 +239,22 @@
+@@ -244,22 +244,22 @@
  
  /* The default file to store the daemon's process ID, for shutdown
     scripts etc. This can be overridden with the -P flag */
@@ -75,7 +84,7 @@ diff -uNr dropbear-2018.76/default_options.h dropbear-2018.76.mod/default_option
  
  /* Whether to log commands executed by a client. This only logs the 
   * (single) command sent to the server, not what a user did in a 
-@@ -290,6 +290,6 @@
+@@ -295,6 +295,6 @@
  #define DEFAULT_IDLE_TIMEOUT 0
  
  /* The default path. This will often get replaced by the shell */
diff --git a/packages/dropbear/svr-agentfwd.c.patch b/packages/dropbear/svr-agentfwd.c.patch
index 59309f723e..aabb871cc0 100644
--- a/packages/dropbear/svr-agentfwd.c.patch
+++ b/packages/dropbear/svr-agentfwd.c.patch
@@ -10,16 +10,3 @@ diff -uNr dropbear-2018.76/svr-agentfwd.c dropbear-2018.76.mod/svr-agentfwd.c
  
  static int send_msg_channel_open_agent(int fd);
  static int bindagent(int fd, struct ChanSess * chansess);
-@@ -218,10 +218,12 @@
- 	/* drop to user privs to make the dir/file */
- 	uid = getuid();
- 	gid = getgid();
-+	/*
- 	if ((setegid(ses.authstate.pw_gid)) < 0 ||
- 		(seteuid(ses.authstate.pw_uid)) < 0) {
- 		dropbear_exit("Failed to set euid");
- 	}
-+	*/
- 
- 	memset((void*)&addr, 0x0, sizeof(addr));
- 	addr.sun_family = AF_UNIX;
diff --git a/packages/dropbear/svr-authpasswd.c.patch b/packages/dropbear/svr-authpasswd.c.patch
index 829d08d85d..ed322025ee 100644
--- a/packages/dropbear/svr-authpasswd.c.patch
+++ b/packages/dropbear/svr-authpasswd.c.patch
@@ -1,7 +1,7 @@
-diff -uNr dropbear-2018.76/svr-authpasswd.c dropbear-2018.76.mod/svr-authpasswd.c
---- dropbear-2018.76/svr-authpasswd.c	2018-02-27 16:25:12.000000000 +0200
-+++ dropbear-2018.76.mod/svr-authpasswd.c	2018-10-21 14:05:37.774231619 +0300
-@@ -33,36 +33,13 @@
+diff -u -r ../dropbear-2019.77/svr-authpasswd.c ./svr-authpasswd.c
+--- ../dropbear-2019.77/svr-authpasswd.c	2019-03-23 13:46:29.000000000 +0000
++++ ./svr-authpasswd.c	2019-03-24 22:40:59.586161245 +0000
+@@ -33,28 +33,13 @@
  
  #if DROPBEAR_SVR_PASSWORD_AUTH
  
@@ -21,37 +21,46 @@ diff -uNr dropbear-2018.76/svr-authpasswd.c dropbear-2018.76.mod/svr-authpasswd.
  
  /* Process a password auth request, sending success or failure messages as
   * appropriate */
- void svr_auth_password() {
+ void svr_auth_password(int valid_user) {
 -	
 -	char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */
 -	char * testcrypt = NULL; /* crypt generated from the user's password sent */
--	char * password;
+-	char * password = NULL;
 -	unsigned int passwordlen;
--
 -	unsigned int changepw;
--
--	passwdcrypt = ses.authstate.pw_passwd;
--
--#ifdef DEBUG_HACKCRYPT
--	/* debugging crypt for non-root testing with shadows */
--	passwdcrypt = DEBUG_HACKCRYPT;
--#endif
-+    char *password;
-+    unsigned int changepw, passwordlen;
++	char *password;
++	unsigned int changepw, passwordlen;
  
  	/* check if client wants to change password */
  	changepw = buf_getbool(ses.payload);
-@@ -72,43 +49,23 @@
- 		return;
+@@ -65,47 +50,9 @@
  	}
  
--	password = buf_getstring(ses.payload, &passwordlen);
--
--	/* the first bytes of passwdcrypt are the salt */
--	testcrypt = crypt(password, passwdcrypt);
+ 	password = buf_getstring(ses.payload, &passwordlen);
+-	if (valid_user && passwordlen <= DROPBEAR_MAX_PASSWORD_LEN) {
+-		/* the first bytes of passwdcrypt are the salt */
+-		passwdcrypt = ses.authstate.pw_passwd;
+-		testcrypt = crypt(password, passwdcrypt);
+-	}
 -	m_burn(password, passwordlen);
 -	m_free(password);
 -
+-	/* After we have got the payload contents we can exit if the username
+-	is invalid. Invalid users have already been logged. */
+-	if (!valid_user) {
+-		send_msg_userauth_failure(0, 1);
+-		return;
+-	}
+-
+-	if (passwordlen > DROPBEAR_MAX_PASSWORD_LEN) {
+-		dropbear_log(LOG_WARNING,
+-				"Too-long password attempt for '%s' from %s",
+-				ses.authstate.pw_name,
+-				svr_ses.addrstring);
+-		send_msg_userauth_failure(0, 1);
+-		return;
+-	}
+-
 -	if (testcrypt == NULL) {
 -		/* crypt() with an invalid salt like "!!" */
 -		dropbear_log(LOG_WARNING, "User account '%s' is locked",
@@ -67,27 +76,10 @@ diff -uNr dropbear-2018.76/svr-authpasswd.c dropbear-2018.76.mod/svr-authpasswd.
 -		send_msg_userauth_failure(0, 1);
 -		return;
 -	}
-+    password = buf_getstring(ses.payload, &passwordlen);
  
 -	if (constant_time_strcmp(testcrypt, passwdcrypt) == 0) {
-+    /* check if password is valid */
-+    if (termux_auth(ses.authstate.pw_name, password)) {
++	/* check if password is valid */
++	if (termux_auth(ses.authstate.pw_name, password)) {
  		/* successful authentication */
--		dropbear_log(LOG_NOTICE, 
-+		dropbear_log(LOG_NOTICE,
+ 		dropbear_log(LOG_NOTICE, 
  				"Password auth succeeded for '%s' from %s",
- 				ses.authstate.pw_name,
- 				svr_ses.addrstring);
- 		send_msg_userauth_success();
--	} else {
-+    } else {
- 		dropbear_log(LOG_WARNING,
- 				"Bad password attempt for '%s' from %s",
- 				ses.authstate.pw_name,
- 				svr_ses.addrstring);
- 		send_msg_userauth_failure(0, 1);
--	}
-+    }
- }
- 
- #endif