dropbear: update to 2015.67

fixes dbclient login into OpenSSH 6.8p1
error: "Bad hostkey signature"

reported on irc, replicated with Arch Linux

Signed-off-by: Dirk Neukirchen <[email protected]>

SVN-Revision: 45493

package/network/services/dropbear/Makefile

@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2014.65
-PKG_RELEASE:=2
+PKG_VERSION:=2015.67
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
 	http://matt.ucc.asn.au/dropbear/releases/ \
 	https://dropbear.nl/mirror/releases/
-PKG_MD5SUM:=1918604238817385a156840fa2c39490
+PKG_MD5SUM:=e967e320344cd4bfebe321e3ab8514d6
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE

package/network/services/dropbear/patches/001-dont_send_SSH_MSG_IMPLEMENTED.patch

@@ -1,58 +0,0 @@
-
-# HG changeset patch
-# User Matt Johnston <[email protected]>
-# Date 1407937727 -28800
-# Node ID f7f6c15b0ec30b0def69c9ccbb3dc4eb97374abc
-# Parent  02821319ab1f1208b7ab5de4af82a562c386d40d
-Don't send SSH_MSG_UNIMPLEMENTED for keepalive responses
-
-diff -r 02821319ab1f -r f7f6c15b0ec3 cli-session.c
---- a/cli-session.c	Fri Aug 08 21:53:47 2014 +0800
-+++ b/cli-session.c	Wed Aug 13 21:48:47 2014 +0800
-@@ -73,6 +73,8 @@
- #ifdef  ENABLE_CLI_REMOTETCPFWD
- 	{SSH_MSG_REQUEST_SUCCESS, cli_recv_msg_request_success}, /* client */
- 	{SSH_MSG_REQUEST_FAILURE, cli_recv_msg_request_failure}, /* client */
-+#else
-+	{SSH_MSG_REQUEST_FAILURE, ignore_recv_msg_request_failure}, /* for keepalive */
- #endif
- 	{0, 0} /* End */
- };
-diff -r 02821319ab1f -r f7f6c15b0ec3 common-session.c
---- a/common-session.c	Fri Aug 08 21:53:47 2014 +0800
-+++ b/common-session.c	Wed Aug 13 21:48:47 2014 +0800
-@@ -394,6 +394,11 @@
- 	return pos+1;
- }
- 
-+void ignore_recv_msg_request_failure() {
-+	// Do nothing
-+	TRACE(("Ignored msg_request_failure"))
-+}
-+
- static void send_msg_keepalive() {
- 	CHECKCLEARTOWRITE();
- 	time_t old_time_idle = ses.last_packet_time_idle;
-diff -r 02821319ab1f -r f7f6c15b0ec3 session.h
---- a/session.h	Fri Aug 08 21:53:47 2014 +0800
-+++ b/session.h	Wed Aug 13 21:48:47 2014 +0800
-@@ -47,6 +47,7 @@
- void session_cleanup();
- void send_session_identification();
- void send_msg_ignore();
-+void ignore_recv_msg_request_failure();
- 
- void update_channel_prio();
- 
-diff -r 02821319ab1f -r f7f6c15b0ec3 svr-session.c
---- a/svr-session.c	Fri Aug 08 21:53:47 2014 +0800
-+++ b/svr-session.c	Wed Aug 13 21:48:47 2014 +0800
-@@ -58,6 +58,7 @@
- 	{SSH_MSG_CHANNEL_OPEN, recv_msg_channel_open},
- 	{SSH_MSG_CHANNEL_EOF, recv_msg_channel_eof},
- 	{SSH_MSG_CHANNEL_CLOSE, recv_msg_channel_close},
-+	{SSH_MSG_REQUEST_FAILURE, ignore_recv_msg_request_failure}, /* for keepalive */
- #ifdef USING_LISTENERS
- 	{SSH_MSG_CHANNEL_OPEN_CONFIRMATION, recv_msg_channel_open_confirmation},
- 	{SSH_MSG_CHANNEL_OPEN_FAILURE, recv_msg_channel_open_failure},
-

package/network/services/dropbear/patches/002-match_keepalive_to_OpenSSH.patch

@@ -1,333 +0,0 @@
-
-# HG changeset patch
-# User Matt Johnston <[email protected]>
-# Date 1408460936 -28800
-# Node ID 0bb16232e7c4162daa43e8618521cf453847ac16
-# Parent  939944f0fca9b2dcdf8470bb24efcc37a3843e8b
-Make keepalive handling more robust, this should now match what OpenSSH does
-
-diff -r 939944f0fca9 -r 0bb16232e7c4 LICENSE
---- a/LICENSE	Wed Aug 13 22:07:43 2014 +0800
-+++ b/LICENSE	Tue Aug 19 23:08:56 2014 +0800
-@@ -8,7 +8,7 @@
- Portions of the client-mode work are (c) 2004 Mihnea Stoenescu, under the
- same license:
- 
--Copyright (c) 2002-2013 Matt Johnston
-+Copyright (c) 2002-2014 Matt Johnston
- Portions copyright (c) 2004 Mihnea Stoenescu
- All rights reserved.
- 
-diff -r 939944f0fca9 -r 0bb16232e7c4 auth.h
---- a/auth.h	Wed Aug 13 22:07:43 2014 +0800
-+++ b/auth.h	Tue Aug 19 23:08:56 2014 +0800
-@@ -106,7 +106,7 @@
- 								valid */
- 	unsigned int failcount; /* Number of (failed) authentication attempts.*/
- 	unsigned authdone : 1; /* 0 if we haven't authed, 1 if we have. Applies for
--							  client and server (though has differing [obvious]
-+							  client and server (though has differing 
- 							  meanings). */
- 	unsigned perm_warn : 1; /* Server only, set if bad permissions on 
- 							   ~/.ssh/authorized_keys have already been
-diff -r 939944f0fca9 -r 0bb16232e7c4 channel.h
---- a/channel.h	Wed Aug 13 22:07:43 2014 +0800
-+++ b/channel.h	Tue Aug 19 23:08:56 2014 +0800
-@@ -105,6 +105,9 @@
- void setchannelfds(fd_set *readfd, fd_set *writefd);
- void channelio(fd_set *readfd, fd_set *writefd);
- struct Channel* getchannel();
-+/* Returns an arbitrary channel that is in a ready state - not
-+being initialised and no EOF in either direction. NULL if none. */
-+struct Channel* get_any_ready_channel();
- 
- void recv_msg_channel_open();
- void recv_msg_channel_request();
-@@ -128,8 +131,10 @@
- void recv_msg_channel_open_confirmation();
- void recv_msg_channel_open_failure();
- #endif
-+void start_send_channel_request(struct Channel *channel, unsigned char *type);
- 
- void send_msg_request_success();
- void send_msg_request_failure();
- 
-+
- #endif /* _CHANNEL_H_ */
-diff -r 939944f0fca9 -r 0bb16232e7c4 chansession.h
---- a/chansession.h	Wed Aug 13 22:07:43 2014 +0800
-+++ b/chansession.h	Tue Aug 19 23:08:56 2014 +0800
-@@ -89,7 +89,6 @@
- #ifdef ENABLE_CLI_NETCAT
- void cli_send_netcat_request();
- #endif
--void cli_start_send_channel_request(struct Channel *channel, unsigned char *type);
- 
- void svr_chansessinitialise();
- extern const struct ChanType svrchansess;
-diff -r 939944f0fca9 -r 0bb16232e7c4 cli-agentfwd.c
---- a/cli-agentfwd.c	Wed Aug 13 22:07:43 2014 +0800
-+++ b/cli-agentfwd.c	Tue Aug 19 23:08:56 2014 +0800
-@@ -234,7 +234,7 @@
- 		return;
- 	}
- 	
--	cli_start_send_channel_request(channel, "[email protected]");
-+	start_send_channel_request(channel, "[email protected]");
- 	/* Don't want replies */
- 	buf_putbyte(ses.writepayload, 0);
- 	encrypt_packet();
-diff -r 939944f0fca9 -r 0bb16232e7c4 cli-chansession.c
---- a/cli-chansession.c	Wed Aug 13 22:07:43 2014 +0800
-+++ b/cli-chansession.c	Tue Aug 19 23:08:56 2014 +0800
-@@ -92,17 +92,6 @@
- 	}
- }
- 
--void cli_start_send_channel_request(struct Channel *channel, 
--		unsigned char *type) {
--
--	CHECKCLEARTOWRITE();
--	buf_putbyte(ses.writepayload, SSH_MSG_CHANNEL_REQUEST);
--	buf_putint(ses.writepayload, channel->remotechan);
--
--	buf_putstring(ses.writepayload, type, strlen(type));
--
--}
--
- /* Taken from OpenSSH's sshtty.c:
-  * RCSID("OpenBSD: sshtty.c,v 1.5 2003/09/19 17:43:35 markus Exp "); */
- static void cli_tty_setup() {
-@@ -287,7 +276,7 @@
- 
- 	TRACE(("enter send_chansess_pty_req"))
- 
--	cli_start_send_channel_request(channel, "pty-req");
-+	start_send_channel_request(channel, "pty-req");
- 
- 	/* Don't want replies */
- 	buf_putbyte(ses.writepayload, 0);
-@@ -330,7 +319,7 @@
- 		reqtype = "shell";
- 	}
- 
--	cli_start_send_channel_request(channel, reqtype);
-+	start_send_channel_request(channel, reqtype);
- 
- 	/* XXX TODO */
- 	buf_putbyte(ses.writepayload, 0); /* Don't want replies */
-diff -r 939944f0fca9 -r 0bb16232e7c4 cli-session.c
---- a/cli-session.c	Wed Aug 13 22:07:43 2014 +0800
-+++ b/cli-session.c	Tue Aug 19 23:08:56 2014 +0800
-@@ -70,11 +70,15 @@
- 	{SSH_MSG_USERAUTH_BANNER, recv_msg_userauth_banner}, /* client */
- 	{SSH_MSG_USERAUTH_SPECIFIC_60, recv_msg_userauth_specific_60}, /* client */
- 	{SSH_MSG_GLOBAL_REQUEST, recv_msg_global_request_cli},
-+	{SSH_MSG_CHANNEL_SUCCESS, ignore_recv_response},
-+	{SSH_MSG_CHANNEL_FAILURE, ignore_recv_response},
- #ifdef  ENABLE_CLI_REMOTETCPFWD
- 	{SSH_MSG_REQUEST_SUCCESS, cli_recv_msg_request_success}, /* client */
- 	{SSH_MSG_REQUEST_FAILURE, cli_recv_msg_request_failure}, /* client */
- #else
--	{SSH_MSG_REQUEST_FAILURE, ignore_recv_msg_request_failure}, /* for keepalive */
-+	/* For keepalive */
-+	{SSH_MSG_REQUEST_SUCCESS, ignore_recv_response},
-+	{SSH_MSG_REQUEST_FAILURE, ignore_recv_response},
- #endif
- 	{0, 0} /* End */
- };
-diff -r 939944f0fca9 -r 0bb16232e7c4 common-channel.c
---- a/common-channel.c	Wed Aug 13 22:07:43 2014 +0800
-+++ b/common-channel.c	Tue Aug 19 23:08:56 2014 +0800
-@@ -627,7 +627,12 @@
- 			&& !channel->close_handler_done) {
- 		channel->type->reqhandler(channel);
- 	} else {
--		send_msg_channel_failure(channel);
-+		int wantreply;
-+		buf_eatstring(ses.payload);
-+		wantreply = buf_getbool(ses.payload);
-+		if (wantreply) {
-+			send_msg_channel_failure(channel);
-+		}
- 	}
- 
- 	TRACE(("leave recv_msg_channel_request"))
-@@ -1134,3 +1139,30 @@
- 	buf_putbyte(ses.writepayload, SSH_MSG_REQUEST_FAILURE);
- 	encrypt_packet();
- }
-+
-+struct Channel* get_any_ready_channel() {
-+	if (ses.chancount == 0) {
-+		return NULL;
-+	}
-+	size_t i;
-+	for (i = 0; i < ses.chansize; i++) {
-+		struct Channel *chan = ses.channels[i];
-+		if (chan
-+				&& !(chan->sent_eof || chan->recv_eof)
-+				&& !(chan->await_open || chan->initconn)) {
-+			return chan;
-+		}
-+	}
-+	return NULL;
-+}
-+
-+void start_send_channel_request(struct Channel *channel, 
-+		unsigned char *type) {
-+
-+	CHECKCLEARTOWRITE();
-+	buf_putbyte(ses.writepayload, SSH_MSG_CHANNEL_REQUEST);
-+	buf_putint(ses.writepayload, channel->remotechan);
-+
-+	buf_putstring(ses.writepayload, type, strlen(type));
-+
-+}
-diff -r 939944f0fca9 -r 0bb16232e7c4 common-session.c
---- a/common-session.c	Wed Aug 13 22:07:43 2014 +0800
-+++ b/common-session.c	Tue Aug 19 23:08:56 2014 +0800
-@@ -394,19 +394,30 @@
- 	return pos+1;
- }
- 
--void ignore_recv_msg_request_failure() {
-+void ignore_recv_response() {
- 	// Do nothing
--	TRACE(("Ignored msg_request_failure"))
-+	TRACE(("Ignored msg_request_response"))
- }
- 
- static void send_msg_keepalive() {
- 	CHECKCLEARTOWRITE();
- 	time_t old_time_idle = ses.last_packet_time_idle;
--	/* Try to force a response from the other end. Some peers will
--	reply with SSH_MSG_REQUEST_FAILURE, some will reply with SSH_MSG_UNIMPLEMENTED */
--	buf_putbyte(ses.writepayload, SSH_MSG_GLOBAL_REQUEST);
--	/* A short string */
--	buf_putstring(ses.writepayload, "[email protected]", 0);
-+
-+	struct Channel *chan = get_any_ready_channel();
-+
-+	if (chan) {
-+		/* Channel requests are preferable, more implementations
-+		handle them than SSH_MSG_GLOBAL_REQUEST */
-+		TRACE(("keepalive channel request %d", chan->index))
-+		start_send_channel_request(chan, DROPBEAR_KEEPALIVE_STRING);
-+	} else {
-+		TRACE(("keepalive global request"))
-+		/* Some peers will reply with SSH_MSG_REQUEST_FAILURE, 
-+		some will reply with SSH_MSG_UNIMPLEMENTED, some will exit. */
-+		buf_putbyte(ses.writepayload, SSH_MSG_GLOBAL_REQUEST); 
-+		buf_putstring(ses.writepayload, DROPBEAR_KEEPALIVE_STRING,
-+			strlen(DROPBEAR_KEEPALIVE_STRING));
-+	}
- 	buf_putbyte(ses.writepayload, 1); /* want_reply */
- 	encrypt_packet();
- 
-@@ -435,7 +446,10 @@
- 		send_msg_kexinit();
- 	}
- 	
--	if (opts.keepalive_secs > 0) {
-+	if (opts.keepalive_secs > 0 && ses.authstate.authdone) {
-+		/* Avoid sending keepalives prior to auth - those are
-+		not valid pre-auth packet types */
-+
- 		/* Send keepalives if we've been idle */
- 		if (now - ses.last_packet_time_any_sent >= opts.keepalive_secs) {
- 			send_msg_keepalive();
-diff -r 939944f0fca9 -r 0bb16232e7c4 session.h
---- a/session.h	Wed Aug 13 22:07:43 2014 +0800
-+++ b/session.h	Tue Aug 19 23:08:56 2014 +0800
-@@ -47,7 +47,7 @@
- void session_cleanup();
- void send_session_identification();
- void send_msg_ignore();
--void ignore_recv_msg_request_failure();
-+void ignore_recv_response();
- 
- void update_channel_prio();
- 
-diff -r 939944f0fca9 -r 0bb16232e7c4 svr-chansession.c
---- a/svr-chansession.c	Wed Aug 13 22:07:43 2014 +0800
-+++ b/svr-chansession.c	Tue Aug 19 23:08:56 2014 +0800
-@@ -53,6 +53,7 @@
- static void closechansess(struct Channel *channel);
- static int newchansess(struct Channel *channel);
- static void chansessionrequest(struct Channel *channel);
-+static int sesscheckclose(struct Channel *channel);
- 
- static void send_exitsignalstatus(struct Channel *channel);
- static void send_msg_chansess_exitstatus(struct Channel * channel,
-@@ -61,6 +62,14 @@
- 		struct ChanSess * chansess);
- static void get_termmodes(struct ChanSess *chansess);
- 
-+const struct ChanType svrchansess = {
-+	0, /* sepfds */
-+	"session", /* name */
-+	newchansess, /* inithandler */
-+	sesscheckclose, /* checkclosehandler */
-+	chansessionrequest, /* reqhandler */
-+	closechansess, /* closehandler */
-+};
- 
- /* required to clear environment */
- extern char** environ;
-@@ -968,16 +977,6 @@
- 	dropbear_exit("Child failed");
- }
- 
--const struct ChanType svrchansess = {
--	0, /* sepfds */
--	"session", /* name */
--	newchansess, /* inithandler */
--	sesscheckclose, /* checkclosehandler */
--	chansessionrequest, /* reqhandler */
--	closechansess, /* closehandler */
--};
--
--
- /* Set up the general chansession environment, in particular child-exit
-  * handling */
- void svr_chansessinitialise() {
-diff -r 939944f0fca9 -r 0bb16232e7c4 svr-main.c
---- a/svr-main.c	Wed Aug 13 22:07:43 2014 +0800
-+++ b/svr-main.c	Tue Aug 19 23:08:56 2014 +0800
-@@ -409,7 +409,7 @@
- 	size_t sockpos = 0;
- 	int nsock;
- 
--	TRACE(("listensockets: %d to try\n", svr_opts.portcount))
-+	TRACE(("listensockets: %d to try", svr_opts.portcount))
- 
- 	for (i = 0; i < svr_opts.portcount; i++) {
- 
-diff -r 939944f0fca9 -r 0bb16232e7c4 svr-session.c
---- a/svr-session.c	Wed Aug 13 22:07:43 2014 +0800
-+++ b/svr-session.c	Tue Aug 19 23:08:56 2014 +0800
-@@ -58,7 +58,10 @@
- 	{SSH_MSG_CHANNEL_OPEN, recv_msg_channel_open},
- 	{SSH_MSG_CHANNEL_EOF, recv_msg_channel_eof},
- 	{SSH_MSG_CHANNEL_CLOSE, recv_msg_channel_close},
--	{SSH_MSG_REQUEST_FAILURE, ignore_recv_msg_request_failure}, /* for keepalive */
-+	{SSH_MSG_CHANNEL_SUCCESS, ignore_recv_response},
-+	{SSH_MSG_CHANNEL_FAILURE, ignore_recv_response},
-+	{SSH_MSG_REQUEST_FAILURE, ignore_recv_response}, /* for keepalive */
-+	{SSH_MSG_REQUEST_SUCCESS, ignore_recv_response}, /* client */
- #ifdef USING_LISTENERS
- 	{SSH_MSG_CHANNEL_OPEN_CONFIRMATION, recv_msg_channel_open_confirmation},
- 	{SSH_MSG_CHANNEL_OPEN_FAILURE, recv_msg_channel_open_failure},
-diff -r 939944f0fca9 -r 0bb16232e7c4 sysoptions.h
---- a/sysoptions.h	Wed Aug 13 22:07:43 2014 +0800
-+++ b/sysoptions.h	Tue Aug 19 23:08:56 2014 +0800
-@@ -257,4 +257,7 @@
- #define DROPBEAR_LISTEN_BACKLOG MAX_CHANNELS
- #endif
- 
-+/* Use this string since some implementations might special-case it */
-+#define DROPBEAR_KEEPALIVE_STRING "[email protected]"
-+
- /* no include guard for this file */
-

package/network/services/dropbear/patches/110-change_user.patch

@@ -1,6 +1,6 @@
 --- a/svr-chansession.c
 +++ b/svr-chansession.c
-@@ -902,12 +902,12 @@ static void execchild(void *user_data) {
+@@ -920,12 +920,12 @@ static void execchild(void *user_data) {
  	/* We can only change uid/gid as root ... */
  	if (getuid() == 0) {
  

package/network/services/dropbear/patches/120-openwrt_options.patch

@@ -18,27 +18,20 @@
  
  /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
  #define ENABLE_USER_ALGO_LIST
-@@ -95,8 +95,8 @@ much traffic. */
- #define DROPBEAR_AES256
- /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
- /*#define DROPBEAR_BLOWFISH*/
--#define DROPBEAR_TWOFISH256
--#define DROPBEAR_TWOFISH128
-+/*#define DROPBEAR_TWOFISH256
-+#define DROPBEAR_TWOFISH128*/
- 
- /* Enable "Counter Mode" for ciphers. This is more secure than normal
-  * CBC mode against certain attacks. This adds around 1kB to binary 
-@@ -122,7 +122,7 @@ much traffic. */
+@@ -126,9 +126,9 @@ much traffic. */
   * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
   * which are not the standard form. */
  #define DROPBEAR_SHA1_HMAC
 -#define DROPBEAR_SHA1_96_HMAC
+-#define DROPBEAR_SHA2_256_HMAC
+-#define DROPBEAR_SHA2_512_HMAC
 +/*#define DROPBEAR_SHA1_96_HMAC*/
- /*#define DROPBEAR_SHA2_256_HMAC*/
- /*#define DROPBEAR_SHA2_512_HMAC*/
++/*#define DROPBEAR_SHA2_256_HMAC*/
++/*#define DROPBEAR_SHA2_512_HMAC*/
  #define DROPBEAR_MD5_HMAC
-@@ -175,7 +175,7 @@ much traffic. */
+ 
+ /* You can also disable integrity. Don't bother disabling this if you're
+@@ -184,7 +184,7 @@ much traffic. */
  
  /* Whether to print the message of the day (MOTD). This doesn't add much code
   * size */
@@ -47,7 +40,7 @@
  
  /* The MOTD file path */
  #ifndef MOTD_FILENAME
-@@ -213,7 +213,7 @@ much traffic. */
+@@ -226,7 +226,7 @@ much traffic. */
   * note that it will be provided for all "hidden" client-interactive
   * style prompts - if you want something more sophisticated, use 
   * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/

package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch

@@ -1,6 +1,6 @@
 --- a/cli-runopts.c
 +++ b/cli-runopts.c
-@@ -312,6 +312,10 @@ void cli_getopts(int argc, char ** argv)
+@@ -315,6 +315,10 @@ void cli_getopts(int argc, char ** argv)
  					debug_trace = 1;
  					break;
  #endif
@@ -11,7 +11,7 @@
  				case 'F':
  				case 'e':
  #ifndef ENABLE_USER_ALGO_LIST
-@@ -329,7 +333,6 @@ void cli_getopts(int argc, char ** argv)
+@@ -332,7 +336,6 @@ void cli_getopts(int argc, char ** argv)
  					print_version();
  					exit(EXIT_SUCCESS);
  					break;

package/network/services/dropbear/patches/500-set-default-path.patch

@@ -1,6 +1,6 @@
 --- a/options.h
 +++ b/options.h
-@@ -323,7 +323,7 @@ be overridden at runtime with -I. 0 disa
+@@ -336,7 +336,7 @@ be overridden at runtime with -I. 0 disa
  #define DEFAULT_IDLE_TIMEOUT 0
  
  /* The default path. This will often get replaced by the shell */