From 1a4b7ee28bf7413af6513fb45ad0d0736048f866 Mon Sep 17 00:00:00 2001 From: Brad Bishop Date: Sun, 16 Dec 2018 17:11:34 -0800 Subject: reset upstream subtrees to yocto 2.6 Reset the following subtrees on thud HEAD: poky: 87e3a9739d meta-openembedded: 6094ae18c8 meta-security: 31dc4e7532 meta-raspberrypi: a48743dc36 meta-xilinx: c42016e2e6 Also re-apply backports that didn't make it into thud: poky: 17726d0 systemd-systemctl-native: handle Install wildcards meta-openembedded: 4321a5d libtinyxml2: update to 7.0.1 042f0a3 libcereal: Add native and nativesdk classes e23284f libcereal: Allow empty package 030e8d4 rsyslog: curl-less build with fmhttp PACKAGECONFIG 179a1b9 gtest: update to 1.8.1 Squashed OpenBMC subtree compatibility updates: meta-aspeed: Brad Bishop (1): aspeed: add yocto 2.6 compatibility meta-ibm: Brad Bishop (1): ibm: prepare for yocto 2.6 meta-ingrasys: Brad Bishop (1): ingrasys: set layer compatibility to yocto 2.6 meta-openpower: Brad Bishop (1): openpower: set layer compatibility to yocto 2.6 meta-phosphor: Brad Bishop (3): phosphor: set layer compatibility to thud phosphor: libgpg-error: drop patches phosphor: react to fitimage artifact rename Ed Tanous (4): Dropbear: upgrade options for latest upgrade yocto2.6: update openssl options busybox: remove upstream watchdog patch systemd: Rebase CONFIG_CGROUP_BPF patch Change-Id: I7b1fe71cca880d0372a82d94b5fd785323e3a9e7 Signed-off-by: Brad Bishop --- poky/meta/recipes-core/dropbear/dropbear.inc | 14 +- .../0001-urandom-xauth-changes-to-options.h.patch | 16 +- .../dropbear/dropbear/0003-configure.patch | 43 ---- .../dropbear/dropbear/0004-fix-2kb-keys.patch | 19 -- .../dropbear/0005-dropbear-enable-pam.patch | 40 ++-- .../0006-dropbear-configuration-file.patch | 23 +- .../dropbear/0007-dropbear-fix-for-x32-abi.patch | 140 ------------ .../dropbear/dropbear/CVE-2018-15599.patch | 236 +++++++++++++++++++++ .../dropbear/dropbear/dropbear.default | 2 + .../fix-libtomcrypt-libtommath-ordering.patch | 49 ----- .../meta/recipes-core/dropbear/dropbear_2017.75.bb | 5 - .../meta/recipes-core/dropbear/dropbear_2018.76.bb | 5 + 12 files changed, 300 insertions(+), 292 deletions(-) delete mode 100644 poky/meta/recipes-core/dropbear/dropbear/0003-configure.patch delete mode 100644 poky/meta/recipes-core/dropbear/dropbear/0004-fix-2kb-keys.patch delete mode 100644 poky/meta/recipes-core/dropbear/dropbear/0007-dropbear-fix-for-x32-abi.patch create mode 100644 poky/meta/recipes-core/dropbear/dropbear/CVE-2018-15599.patch create mode 100644 poky/meta/recipes-core/dropbear/dropbear/dropbear.default delete mode 100644 poky/meta/recipes-core/dropbear/dropbear/fix-libtomcrypt-libtommath-ordering.patch delete mode 100644 poky/meta/recipes-core/dropbear/dropbear_2017.75.bb create mode 100644 poky/meta/recipes-core/dropbear/dropbear_2018.76.bb (limited to 'poky/meta/recipes-core/dropbear') diff --git a/poky/meta/recipes-core/dropbear/dropbear.inc b/poky/meta/recipes-core/dropbear/dropbear.inc index b6b436c58..d92a2f399 100644 --- a/poky/meta/recipes-core/dropbear/dropbear.inc +++ b/poky/meta/recipes-core/dropbear/dropbear.inc @@ -7,21 +7,19 @@ SECTION = "console/network" LICENSE = "MIT & BSD-3-Clause & BSD-2-Clause & PD" LIC_FILES_CHKSUM = "file://LICENSE;md5=a5ec40cafba26fc4396d0b550f824e01" -DEPENDS = "zlib" +DEPENDS = "zlib virtual/crypt" RPROVIDES_${PN} = "ssh sshd" DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \ + file://CVE-2018-15599.patch \ file://0001-urandom-xauth-changes-to-options.h.patch \ - file://0003-configure.patch \ - file://0004-fix-2kb-keys.patch \ - file://0007-dropbear-fix-for-x32-abi.patch \ - file://fix-libtomcrypt-libtommath-ordering.patch \ file://init \ file://dropbearkey.service \ file://dropbear@.service \ file://dropbear.socket \ + file://dropbear.default \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} " PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \ @@ -52,6 +50,10 @@ PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom EXTRA_OECONF += "\ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--enable-pam', '--disable-pam', d)}" +# This option appends to CFLAGS and LDFLAGS from OE +# This is causing [textrel] QA warning +EXTRA_OECONF += "--disable-harden" + do_install() { install -d ${D}${sysconfdir} \ ${D}${sysconfdir}/init.d \ @@ -61,6 +63,8 @@ do_install() { ${D}${sbindir} \ ${D}${localstatedir} + install -m 0644 ${WORKDIR}/dropbear.default ${D}${sysconfdir}/default/dropbear + install -m 0755 dropbearmulti ${D}${sbindir}/ ln -s ${sbindir}/dropbearmulti ${D}${bindir}/dbclient diff --git a/poky/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch b/poky/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch index dc9d5782e..684641dcb 100644 --- a/poky/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch +++ b/poky/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch @@ -2,20 +2,20 @@ Subject: [PATCH 1/6] urandom-xauth-changes-to-options.h Upstream-Status: Inappropriate [configuration] --- - options.h | 2 +- + default_options.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/options.h b/options.h -index 7d06322..71a21c2 100644 ---- a/options.h -+++ b/options.h -@@ -247,7 +247,7 @@ much traffic. */ +diff --git a/default_options.h b/default_options.h +index 3b75eb8..1fd8082 100644 +--- a/default_options.h ++++ b/default_options.h +@@ -243,7 +243,7 @@ Homedir is prepended unless path begins with / */ + /* The command to invoke for xauth when using X11 forwarding. * "-q" for quiet */ - #ifndef XAUTH_COMMAND -#define XAUTH_COMMAND "/usr/bin/xauth -q" +#define XAUTH_COMMAND "xauth -q" - #endif + /* if you want to enable running an sftp server (such as the one included with -- diff --git a/poky/meta/recipes-core/dropbear/dropbear/0003-configure.patch b/poky/meta/recipes-core/dropbear/dropbear/0003-configure.patch deleted file mode 100644 index 8469a50ef..000000000 --- a/poky/meta/recipes-core/dropbear/dropbear/0003-configure.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 58dd24a80ca0f400d0761afd9ce2b7f684fc9125 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Eric=20B=C3=A9nard?= -Date: Thu, 25 Apr 2013 00:27:25 +0200 -Subject: [PATCH] configure: add a variable to allow openpty check to be cached - -Upstream-Status: Submitted [ https://github.com/mkj/dropbear/pull/48 ] - -Signed-off-by: Dengke Du ---- - configure.ac | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 893b904..245408d 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -177,15 +177,20 @@ AC_ARG_ENABLE(openpty, - AC_MSG_NOTICE(Not using openpty) - else - AC_MSG_NOTICE(Using openpty if available) -- AC_SEARCH_LIBS(openpty, util, [AC_DEFINE(HAVE_OPENPTY,,Have openpty() function)]) -+ AC_SEARCH_LIBS(openpty, util, [dropbear_cv_func_have_openpty=yes]) - fi - ], - [ - AC_MSG_NOTICE(Using openpty if available) -- AC_SEARCH_LIBS(openpty, util, [AC_DEFINE(HAVE_OPENPTY)]) -+ AC_SEARCH_LIBS(openpty, util, [dropbear_cv_func_have_openpty=yes]) - ] - ) -- -+ -+if test "x$dropbear_cv_func_have_openpty" = "xyes"; then -+ AC_DEFINE(HAVE_OPENPTY,,Have openpty() function) -+ no_ptc_check=yes -+ no_ptmx_check=yes -+fi - - AC_ARG_ENABLE(syslog, - [ --disable-syslog Don't include syslog support], --- -2.8.1 - diff --git a/poky/meta/recipes-core/dropbear/dropbear/0004-fix-2kb-keys.patch b/poky/meta/recipes-core/dropbear/dropbear/0004-fix-2kb-keys.patch deleted file mode 100644 index 60c6a29d6..000000000 --- a/poky/meta/recipes-core/dropbear/dropbear/0004-fix-2kb-keys.patch +++ /dev/null @@ -1,19 +0,0 @@ -Subject: [PATCH 4/6] fix 2kb keys - -Upstream-Status: Inappropriate [configuration] ---- - kex.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: dropbear-2017.75/kex.h -=================================================================== ---- dropbear-2017.75.orig/kex.h -+++ dropbear-2017.75/kex.h -@@ -106,6 +106,6 @@ int curve25519_donna(unsigned char *out, - #endif - - --#define MAX_KEXHASHBUF 2000 -+#define MAX_KEXHASHBUF 3000 - - #endif /* DROPBEAR_KEX_H_ */ diff --git a/poky/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch b/poky/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch index 539cb12e9..857681520 100644 --- a/poky/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch +++ b/poky/meta/recipes-core/dropbear/dropbear/0005-dropbear-enable-pam.patch @@ -3,7 +3,7 @@ From: Jussi Kukkonen Date: Wed, 2 Dec 2015 11:36:02 +0200 Subject: Enable pam -We need modify file option.h besides enabling pam in +We need modify file default_options.h besides enabling pam in configure if we want dropbear to support pam. Upstream-Status: Pending @@ -11,26 +11,32 @@ Upstream-Status: Pending Signed-off-by: Xiaofeng Yan Signed-off-by: Jussi Kukkonen --- - options.h | 4 ++-- + default_options.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -diff --git a/options.h b/options.h -index 94261f6..90bfe2f 100644 ---- a/options.h -+++ b/options.h -@@ -208,10 +208,10 @@ If you test it please contact the Dropbear author */ +diff --git a/default_options.h b/default_options.h +index 3b75eb8..8617cd0 100644 +--- a/default_options.h ++++ b/default_options.h +@@ -179,7 +179,7 @@ group1 in Dropbear server too */ - /* This requires crypt() */ - #ifdef HAVE_CRYPT --#define ENABLE_SVR_PASSWORD_AUTH -+/*#define ENABLE_SVR_PASSWORD_AUTH*/ - #endif - /* PAM requires ./configure --enable-pam */ --/*#define ENABLE_SVR_PAM_AUTH */ -+#define ENABLE_SVR_PAM_AUTH - #define ENABLE_SVR_PUBKEY_AUTH + /* Authentication Types - at least one required. + RFC Draft requires pubkey auth, and recommends password */ +-#define DROPBEAR_SVR_PASSWORD_AUTH 1 ++#define DROPBEAR_SVR_PASSWORD_AUTH 0 + + /* Note: PAM auth is quite simple and only works for PAM modules which just do + * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). +@@ -187,7 +187,7 @@ group1 in Dropbear server too */ + * but there's an interface via a PAM module. It won't work for more complex + * PAM challenge/response. + * You can't enable both PASSWORD and PAM. */ +-#define DROPBEAR_SVR_PAM_AUTH 0 ++#define DROPBEAR_SVR_PAM_AUTH 1 + + /* ~/.ssh/authorized_keys authentication */ + #define DROPBEAR_SVR_PUBKEY_AUTH 1 - /* Whether to take public key options in -- 2.1.4 diff --git a/poky/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch b/poky/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch index fa4c8d0a6..deed78ffb 100644 --- a/poky/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch +++ b/poky/meta/recipes-core/dropbear/dropbear/0006-dropbear-configuration-file.patch @@ -1,4 +1,7 @@ -Subject: [PATCH 6/6] dropbear configuration file +From e3a5db1b6d3f6382a15b2266458c26c645a10f18 Mon Sep 17 00:00:00 2001 +From: Mingli Yu +Date: Thu, 6 Sep 2018 15:54:00 +0800 +Subject: [PATCH] dropbear configuration file dropbear: Change the path ("/etc/pam.d/sshd" as default) to find a pam configuration file \ to "/etc/pam.d/dropbear for dropbear when enabling pam supporting" @@ -7,12 +10,17 @@ Upstream-Status: Inappropriate [configuration] Signed-off-by: Maxin B. John Signed-off-by: Xiaofeng Yan +Signed-off-by: Mingli Yu --- -diff -Naur dropbear-2013.60-orig/svr-authpam.c dropbear-2013.60/svr-authpam.c ---- dropbear-2013.60-orig/svr-authpam.c 2013-10-16 16:34:53.000000000 +0200 -+++ dropbear-2013.60/svr-authpam.c 2013-10-21 17:04:04.969416055 +0200 -@@ -211,7 +211,7 @@ - userData.passwd = password; + svr-authpam.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/svr-authpam.c b/svr-authpam.c +index d201bc9..165ec5c 100644 +--- a/svr-authpam.c ++++ b/svr-authpam.c +@@ -223,7 +223,7 @@ void svr_auth_pam(int valid_user) { + } /* Init pam */ - if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) { @@ -20,3 +28,6 @@ diff -Naur dropbear-2013.60-orig/svr-authpam.c dropbear-2013.60/svr-authpam.c dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s", rc, pam_strerror(pamHandlep, rc)); goto cleanup; +-- +2.7.4 + diff --git a/poky/meta/recipes-core/dropbear/dropbear/0007-dropbear-fix-for-x32-abi.patch b/poky/meta/recipes-core/dropbear/dropbear/0007-dropbear-fix-for-x32-abi.patch deleted file mode 100644 index 60b302b5c..000000000 --- a/poky/meta/recipes-core/dropbear/dropbear/0007-dropbear-fix-for-x32-abi.patch +++ /dev/null @@ -1,140 +0,0 @@ -Upstream-Status: Pending - -The dropbearkey utility built in x32 abi format, when generating ssh -keys, was getting lost in the infinite loop. - -This patch fixes the issue by fixing types of variables and -parameters of functions used in the code, which were getting -undesired size, when compiled with the x32 abi toolchain. - -2013/05/23 -Received this fix from H J Lu. - -Signed-off-by: Nitin A Kamble - -# HG changeset patch -# User H.J. Lu -# Date 1369344079 25200 -# Node ID a10a1c46b857cc8a3923c3bb6d1504aa25b6052f -# Parent e76614145aea67f66e4a4257685c771efba21aa1 -Typdef mp_digit to unsigned long long for MP_64BIT - -When GCC is used with MP_64BIT, we should typedef mp_digit to unsigned -long long instead of unsigned long since for x32, unsigned long is -32-bit and unsigned long long is 64-bit and it is safe to use unsigned -long long for 64-bit integer with GCC. - -diff -r e76614145aea -r a10a1c46b857 libtommath/tommath.h ---- a/libtommath/tommath.h Thu Apr 18 22:57:47 2013 +0800 -+++ b/libtommath/tommath.h Thu May 23 14:21:19 2013 -0700 -@@ -73,7 +73,7 @@ - typedef signed long long long64; - #endif - -- typedef unsigned long mp_digit; -+ typedef unsigned long long mp_digit; - typedef unsigned long mp_word __attribute__ ((mode(TI))); - - #define DIGIT_BIT 60 -# HG changeset patch -# User H.J. Lu -# Date 1369344241 25200 -# Node ID c7555a4cb7ded3a88409ba85f4027baa7af5f536 -# Parent a10a1c46b857cc8a3923c3bb6d1504aa25b6052f -Cast to mp_digit when updating *rho - -There is - -int -mp_montgomery_setup (mp_int * n, mp_digit * rho) - -We should cast to mp_digit instead of unsigned long when updating -*rho since mp_digit may be unsigned long long and unsigned long long -may be different from unsigned long, like in x32. - -diff -r a10a1c46b857 -r c7555a4cb7de libtommath/bn_mp_montgomery_setup.c ---- a/libtommath/bn_mp_montgomery_setup.c Thu May 23 14:21:19 2013 -0700 -+++ b/libtommath/bn_mp_montgomery_setup.c Thu May 23 14:24:01 2013 -0700 -@@ -48,7 +48,7 @@ - #endif - - /* rho = -1/m mod b */ -- *rho = (unsigned long)(((mp_word)1 << ((mp_word) DIGIT_BIT)) - x) & MP_MASK; -+ *rho = (mp_digit)(((mp_word)1 << ((mp_word) DIGIT_BIT)) - x) & MP_MASK; - - return MP_OKAY; - } -# HG changeset patch -# User H.J. Lu -# Date 1369344541 25200 -# Node ID 7c656e7071a6412688b2f30a529a9afac6c7bf5a -# Parent c7555a4cb7ded3a88409ba85f4027baa7af5f536 -Define LTC_FAST_TYPE to unsigned long long for __x86_64__ - -We should define LTC_FAST_TYPE to unsigned long long instead of unsigned -long if __x86_64__ to support x32 where unsigned long long is 64-bit -and unsigned long is 32-bit. - -diff -r c7555a4cb7de -r 7c656e7071a6 libtomcrypt/src/headers/tomcrypt_cfg.h ---- a/libtomcrypt/src/headers/tomcrypt_cfg.h Thu May 23 14:24:01 2013 -0700 -+++ b/libtomcrypt/src/headers/tomcrypt_cfg.h Thu May 23 14:29:01 2013 -0700 -@@ -74,7 +74,7 @@ - #define ENDIAN_LITTLE - #define ENDIAN_64BITWORD - #define LTC_FAST -- #define LTC_FAST_TYPE unsigned long -+ #define LTC_FAST_TYPE unsigned long long - #endif - - /* detect PPC32 */ -# HG changeset patch -# User H.J. Lu -# Date 1369344730 25200 -# Node ID a7d4690158fae4ede2c4e5b56233e83730bf38ee -# Parent 7c656e7071a6412688b2f30a529a9afac6c7bf5a -Use unsigned long long aas unsigned 64-bit integer for x86-64 GCC - -We should use unsigned long long instead of unsigned long as unsigned -64-bit integer for x86-64 GCC to support x32 where unsigned long is -32-bit. - -diff -r 7c656e7071a6 -r a7d4690158fa libtomcrypt/src/headers/tomcrypt_macros.h ---- a/libtomcrypt/src/headers/tomcrypt_macros.h Thu May 23 14:29:01 2013 -0700 -+++ b/libtomcrypt/src/headers/tomcrypt_macros.h Thu May 23 14:32:10 2013 -0700 -@@ -343,7 +343,7 @@ - /* 64-bit Rotates */ - #if !defined(__STRICT_ANSI__) && defined(__GNUC__) && defined(__x86_64__) && !defined(LTC_NO_ASM) - --static inline unsigned long ROL64(unsigned long word, int i) -+static inline unsigned long long ROL64(unsigned long long word, int i) - { - asm("rolq %%cl,%0" - :"=r" (word) -@@ -351,7 +351,7 @@ - return word; - } - --static inline unsigned long ROR64(unsigned long word, int i) -+static inline unsigned long long ROR64(unsigned long long word, int i) - { - asm("rorq %%cl,%0" - :"=r" (word) -@@ -361,7 +361,7 @@ - - #ifndef LTC_NO_ROLC - --static inline unsigned long ROL64c(unsigned long word, const int i) -+static inline unsigned long long ROL64c(unsigned long long word, const int i) - { - asm("rolq %2,%0" - :"=r" (word) -@@ -369,7 +369,7 @@ - return word; - } - --static inline unsigned long ROR64c(unsigned long word, const int i) -+static inline unsigned long long ROR64c(unsigned long long word, const int i) - { - asm("rorq %2,%0" - :"=r" (word) - diff --git a/poky/meta/recipes-core/dropbear/dropbear/CVE-2018-15599.patch b/poky/meta/recipes-core/dropbear/dropbear/CVE-2018-15599.patch new file mode 100644 index 000000000..912545c95 --- /dev/null +++ b/poky/meta/recipes-core/dropbear/dropbear/CVE-2018-15599.patch @@ -0,0 +1,236 @@ +From 256e2abb8150f9fea33cd026597dbe70f0379296 Mon Sep 17 00:00:00 2001 +From: Matt Johnston +Date: Thu, 23 Aug 2018 23:43:12 +0800 +Subject: [PATCH] Wait to fail invalid usernames + +Wait to fail invalid usernames + +Upstream-Status: Backport [https://secure.ucc.asn.au/hg/dropbear/rev/5d2d1021ca00] +CVE: CVE-2018-15599 +Signed-off-by: Mingli Yu +--- + auth.h | 6 +++--- + svr-auth.c | 19 +++++-------------- + svr-authpam.c | 26 ++++++++++++++++++++++---- + svr-authpasswd.c | 27 ++++++++++++++------------- + svr-authpubkey.c | 11 ++++++++++- + 5 files changed, 54 insertions(+), 35 deletions(-) + +diff --git a/auth.h b/auth.h +index da498f5..98f5468 100644 +--- a/auth.h ++++ b/auth.h +@@ -37,9 +37,9 @@ void recv_msg_userauth_request(void); + void send_msg_userauth_failure(int partial, int incrfail); + void send_msg_userauth_success(void); + void send_msg_userauth_banner(const buffer *msg); +-void svr_auth_password(void); +-void svr_auth_pubkey(void); +-void svr_auth_pam(void); ++void svr_auth_password(int valid_user); ++void svr_auth_pubkey(int valid_user); ++void svr_auth_pam(int valid_user); + + #if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT + int svr_pubkey_allows_agentfwd(void); +diff --git a/svr-auth.c b/svr-auth.c +index 64d97aa..1f364ca 100644 +--- a/svr-auth.c ++++ b/svr-auth.c +@@ -149,10 +149,8 @@ void recv_msg_userauth_request() { + if (methodlen == AUTH_METHOD_PASSWORD_LEN && + strncmp(methodname, AUTH_METHOD_PASSWORD, + AUTH_METHOD_PASSWORD_LEN) == 0) { +- if (valid_user) { +- svr_auth_password(); +- goto out; +- } ++ svr_auth_password(valid_user); ++ goto out; + } + } + #endif +@@ -164,10 +162,8 @@ void recv_msg_userauth_request() { + if (methodlen == AUTH_METHOD_PASSWORD_LEN && + strncmp(methodname, AUTH_METHOD_PASSWORD, + AUTH_METHOD_PASSWORD_LEN) == 0) { +- if (valid_user) { +- svr_auth_pam(); +- goto out; +- } ++ svr_auth_pam(valid_user); ++ goto out; + } + } + #endif +@@ -177,12 +173,7 @@ void recv_msg_userauth_request() { + if (methodlen == AUTH_METHOD_PUBKEY_LEN && + strncmp(methodname, AUTH_METHOD_PUBKEY, + AUTH_METHOD_PUBKEY_LEN) == 0) { +- if (valid_user) { +- svr_auth_pubkey(); +- } else { +- /* pubkey has no failure delay */ +- send_msg_userauth_failure(0, 0); +- } ++ svr_auth_pubkey(valid_user); + goto out; + } + #endif +diff --git a/svr-authpam.c b/svr-authpam.c +index 05e4f3e..d201bc9 100644 +--- a/svr-authpam.c ++++ b/svr-authpam.c +@@ -178,13 +178,14 @@ pamConvFunc(int num_msg, + * Keyboard interactive would be a lot nicer, but since PAM is synchronous, it + * gets very messy trying to send the interactive challenges, and read the + * interactive responses, over the network. */ +-void svr_auth_pam() { ++void svr_auth_pam(int valid_user) { + + struct UserDataS userData = {NULL, NULL}; + struct pam_conv pamConv = { + pamConvFunc, + &userData /* submitted to pamvConvFunc as appdata_ptr */ + }; ++ const char* printable_user = NULL; + + pam_handle_t* pamHandlep = NULL; + +@@ -204,12 +205,23 @@ void svr_auth_pam() { + + password = buf_getstring(ses.payload, &passwordlen); + ++ /* We run the PAM conversation regardless of whether the username is valid ++ in case the conversation function has an inherent delay. ++ Use ses.authstate.username rather than ses.authstate.pw_name. ++ After PAM succeeds we then check the valid_user flag too */ ++ + /* used to pass data to the PAM conversation function - don't bother with + * strdup() etc since these are touched only by our own conversation + * function (above) which takes care of it */ +- userData.user = ses.authstate.pw_name; ++ userData.user = ses.authstate.username; + userData.passwd = password; + ++ if (ses.authstate.pw_name) { ++ printable_user = ses.authstate.pw_name; ++ } else { ++ printable_user = ""; ++ } ++ + /* Init pam */ + if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) { + dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s", +@@ -242,7 +254,7 @@ void svr_auth_pam() { + rc, pam_strerror(pamHandlep, rc)); + dropbear_log(LOG_WARNING, + "Bad PAM password attempt for '%s' from %s", +- ses.authstate.pw_name, ++ printable_user, + svr_ses.addrstring); + send_msg_userauth_failure(0, 1); + goto cleanup; +@@ -253,12 +265,18 @@ void svr_auth_pam() { + rc, pam_strerror(pamHandlep, rc)); + dropbear_log(LOG_WARNING, + "Bad PAM password attempt for '%s' from %s", +- ses.authstate.pw_name, ++ printable_user, + svr_ses.addrstring); + send_msg_userauth_failure(0, 1); + goto cleanup; + } + ++ if (!valid_user) { ++ /* PAM auth succeeded but the username isn't allowed in for another reason ++ (checkusername() failed) */ ++ send_msg_userauth_failure(0, 1); ++ } ++ + /* successful authentication */ + dropbear_log(LOG_NOTICE, "PAM password auth succeeded for '%s' from %s", + ses.authstate.pw_name, +diff --git a/svr-authpasswd.c b/svr-authpasswd.c +index bdee2aa..69c7d8a 100644 +--- a/svr-authpasswd.c ++++ b/svr-authpasswd.c +@@ -48,22 +48,14 @@ static int constant_time_strcmp(const char* a, const char* b) { + + /* Process a password auth request, sending success or failure messages as + * appropriate */ +-void svr_auth_password() { ++void svr_auth_password(int valid_user) { + + char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */ + char * testcrypt = NULL; /* crypt generated from the user's password sent */ +- char * password; ++ char * password = NULL; + unsigned int passwordlen; +- + unsigned int changepw; + +- passwdcrypt = ses.authstate.pw_passwd; +- +-#ifdef DEBUG_HACKCRYPT +- /* debugging crypt for non-root testing with shadows */ +- passwdcrypt = DEBUG_HACKCRYPT; +-#endif +- + /* check if client wants to change password */ + changepw = buf_getbool(ses.payload); + if (changepw) { +@@ -73,12 +65,21 @@ void svr_auth_password() { + } + + password = buf_getstring(ses.payload, &passwordlen); +- +- /* the first bytes of passwdcrypt are the salt */ +- testcrypt = crypt(password, passwdcrypt); ++ if (valid_user) { ++ /* the first bytes of passwdcrypt are the salt */ ++ passwdcrypt = ses.authstate.pw_passwd; ++ testcrypt = crypt(password, passwdcrypt); ++ } + m_burn(password, passwordlen); + m_free(password); + ++ /* After we have got the payload contents we can exit if the username ++ is invalid. Invalid users have already been logged. */ ++ if (!valid_user) { ++ send_msg_userauth_failure(0, 1); ++ return; ++ } ++ + if (testcrypt == NULL) { + /* crypt() with an invalid salt like "!!" */ + dropbear_log(LOG_WARNING, "User account '%s' is locked", +diff --git a/svr-authpubkey.c b/svr-authpubkey.c +index aa6087c..ff481c8 100644 +--- a/svr-authpubkey.c ++++ b/svr-authpubkey.c +@@ -79,7 +79,7 @@ static int checkfileperm(char * filename); + + /* process a pubkey auth request, sending success or failure message as + * appropriate */ +-void svr_auth_pubkey() { ++void svr_auth_pubkey(int valid_user) { + + unsigned char testkey; /* whether we're just checking if a key is usable */ + char* algo = NULL; /* pubkey algo */ +@@ -102,6 +102,15 @@ void svr_auth_pubkey() { + keybloblen = buf_getint(ses.payload); + keyblob = buf_getptr(ses.payload, keybloblen); + ++ if (!valid_user) { ++ /* Return failure once we have read the contents of the packet ++ required to validate a public key. ++ Avoids blind user enumeration though it isn't possible to prevent ++ testing for user existence if the public key is known */ ++ send_msg_userauth_failure(0, 0); ++ goto out; ++ } ++ + /* check if the key is valid */ + if (checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE) { + send_msg_userauth_failure(0, 0); diff --git a/poky/meta/recipes-core/dropbear/dropbear/dropbear.default b/poky/meta/recipes-core/dropbear/dropbear/dropbear.default new file mode 100644 index 000000000..522453a86 --- /dev/null +++ b/poky/meta/recipes-core/dropbear/dropbear/dropbear.default @@ -0,0 +1,2 @@ +# Disallow root logins by default +DROPBEAR_EXTRA_ARGS="-w" diff --git a/poky/meta/recipes-core/dropbear/dropbear/fix-libtomcrypt-libtommath-ordering.patch b/poky/meta/recipes-core/dropbear/dropbear/fix-libtomcrypt-libtommath-ordering.patch deleted file mode 100644 index 2b05e1893..000000000 --- a/poky/meta/recipes-core/dropbear/dropbear/fix-libtomcrypt-libtommath-ordering.patch +++ /dev/null @@ -1,49 +0,0 @@ -From f37fa9a41f248fa41dd74a41c66cb41a291c03d2 Mon Sep 17 00:00:00 2001 -From: Andre McCurdy -Date: Fri, 16 Sep 2016 12:18:23 -0700 -Subject: [PATCH] fix libtomcrypt/libtommath ordering - -To prevent build failures when using system libtom libraries and -linking with --as-needed, LIBTOM_LIBS should be in the order --ltomcrypt -ltommath, not the other way around, ie libs should be -prepended to LIBTOM_LIBS as they are found, not appended. - -Note that LIBTOM_LIBS is not used when linking with the bundled -libtom libs. - -Upstream-Status: Backport [ https://github.com/mkj/dropbear/commit/f9e6bc2aecab0f4b5b529e07a92cc63c8a66cd4b ] - -Signed-off-by: Andre McCurdy -Signed-off-by: Dengke Du ---- - configure.ac | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 245408d..d624853 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -393,16 +393,16 @@ AC_ARG_ENABLE(bundled-libtom, - AC_MSG_NOTICE(Forcing bundled libtom*) - else - BUNDLED_LIBTOM=0 -- AC_CHECK_LIB(tommath, mp_exptmod, LIBTOM_LIBS="$LIBTOM_LIBS -ltommath", -+ AC_CHECK_LIB(tommath, mp_exptmod, LIBTOM_LIBS="-ltommath $LIBTOM_LIBS", - [AC_MSG_ERROR([Missing system libtommath and --disable-bundled-libtom was specified])] ) -- AC_CHECK_LIB(tomcrypt, register_cipher, LIBTOM_LIBS="$LIBTOM_LIBS -ltomcrypt", -+ AC_CHECK_LIB(tomcrypt, register_cipher, LIBTOM_LIBS="-ltomcrypt $LIBTOM_LIBS", - [AC_MSG_ERROR([Missing system libtomcrypt and --disable-bundled-libtom was specified])] ) - fi - ], - [ - BUNDLED_LIBTOM=0 -- AC_CHECK_LIB(tommath, mp_exptmod, LIBTOM_LIBS="$LIBTOM_LIBS -ltommath", BUNDLED_LIBTOM=1) -- AC_CHECK_LIB(tomcrypt, register_cipher, LIBTOM_LIBS="$LIBTOM_LIBS -ltomcrypt", BUNDLED_LIBTOM=1) -+ AC_CHECK_LIB(tommath, mp_exptmod, LIBTOM_LIBS="-ltommath $LIBTOM_LIBS", BUNDLED_LIBTOM=1) -+ AC_CHECK_LIB(tomcrypt, register_cipher, LIBTOM_LIBS="-ltomcrypt $LIBTOM_LIBS", BUNDLED_LIBTOM=1) - ] - ) - --- -2.8.1 - diff --git a/poky/meta/recipes-core/dropbear/dropbear_2017.75.bb b/poky/meta/recipes-core/dropbear/dropbear_2017.75.bb deleted file mode 100644 index cfb0d199b..000000000 --- a/poky/meta/recipes-core/dropbear/dropbear_2017.75.bb +++ /dev/null @@ -1,5 +0,0 @@ -require dropbear.inc - -SRC_URI[md5sum] = "e57e9b9d25705dcb073ba15c416424fd" -SRC_URI[sha256sum] = "6cbc1dcb1c9709d226dff669e5604172a18cf5dbf9a201474d5618ae4465098c" - diff --git a/poky/meta/recipes-core/dropbear/dropbear_2018.76.bb b/poky/meta/recipes-core/dropbear/dropbear_2018.76.bb new file mode 100644 index 000000000..36a58d5ce --- /dev/null +++ b/poky/meta/recipes-core/dropbear/dropbear_2018.76.bb @@ -0,0 +1,5 @@ +require dropbear.inc + +SRC_URI[md5sum] = "c3912f7fcdcc57c99937e4a79480d2c2" +SRC_URI[sha256sum] = "f2fb9167eca8cf93456a5fc1d4faf709902a3ab70dd44e352f3acbc3ffdaea65" + -- cgit v1.2.3