pkgsrc-Changes archive
CVS commit: pkgsrc/security/dropbear
Module Name: pkgsrc
Committed By: wiz
Date: Wed Dec 20 17:09:36 UTC 2023
Modified Files:
pkgsrc/security/dropbear: Makefile distinfo
pkgsrc/security/dropbear/patches: patch-configure
Added Files:
pkgsrc/security/dropbear/patches: patch-cli-session.c
patch-common-algo.c patch-common-kex.c patch-kex.h
patch-process-packet.c patch-ssh.h patch-svr-session.c
Log Message:
dropbear: update to 2022.83nb1.
Include Terrapin fix and bump PKGREVISION to make clear this
is not 2022.83.
2022.83 - 14 November 2022
Features and Changes:
Note >> for compatibility/configuration changes
- >> Disable DROPBEAR_DSS by default
It is only 1024 bit and uses sha1, most distros disable it by default already.
- Added DROPBEAR_RSA_SHA1 option to allow disabling sha1 rsa signatures.
>> RSA with sha1 will be disabled in a future release (rsa keys will continue
to work OK, with sha256 signatures used instead).
- Add option for requiring both password and pubkey (-t)
Patch from Jackkal
- Add 'no-touch-required' and 'verify-required' options for sk keys
Patch from Egor Duda
- >> DROPBEAR_SK_KEYS config option now replaces separate DROPBEAR_SK_ECDSA
and DROPBEAR_SK_ED25519 options.
- Add 'permitopen' option for authorized_keys to restrict forwarded ports
Patch from Tuomas Haikarainen
- >> Added LTM_CFLAGS configure argument to set flags for building
bundled libtommath. This also restores the previous arguments used
in 2020.81 (-O3 -funroll-loops). That gives a big speedup for RSA
key generation, which regressed in 2022.82.
There is a tradeoff with code size, so -Os can be used if required.
https://github.com/mkj/dropbear/issues/174
Reported by David Bernard
- Add '-z' flag to disable setting QoS traffic class. This may be necessary
to work with broken networks or network drivers, exposed after changes to use
AF21 in 2022.82
https://github.com/mkj/dropbear/issues/193
Reported by yuhongwei380, patch from Petr Štetiar
- Allow overriding user shells with COMPAT_USER_SHELLS
Based on a patch from Matt Robinson
- Improve permission error message
Patch from k-kurematsu
- >> Remove HMAC_MD5 entirely
Regression fixes from 2022.82:
- Fix X11 build
- Fix build warning
- Fix compilation when disabling pubkey authentication
Patch from MaxMougg
- Fix MAX_UNAUTH_CLIENTS regression
Reported by ptpt52
- Avoid using slower prime testing in bundled libtomcrypt when DSS is disabled
https://github.com/mkj/dropbear/issues/174
Suggested by Steffen Jaeckel
- Fix Dropbear plugin support
https://github.com/mkj/dropbear/issues/194
Reported by Struan Bartlett
Other fixes:
- Fix long standing incorrect compression size check. Dropbear
(client or server) would erroneously exit with
"bad packet, oversized decompressed"
when receiving a compressed packet of exactly the maximum size.
- Fix missing setsid() removed in 2020.79
https://github.com/mkj/dropbear/issues/180
Reported and debugged by m5jt and David Bernard
- Try keyboard-interactive auth before password, in dbclient.
This was unintentionally changed back in 2013
https://github.com/mkj/dropbear/pull/190
Patch from Michele Giacomoli
- Drain the terminal when reading the fingerprint confirmation response
https://github.com/mkj/dropbear/pull/191
Patch from Michele Giacomoli
- Fix utx wtmp variable typo. This has been wrong for a long time but
only recently became a problem when wtmp was detected.
https://github.com/mkj/dropbear/pull/189
Patch from Michele Giacomoli
- Improve configure test for hardening options.
Fixes building on AIX
https://github.com/mkj/dropbear/issues/158
- Fix debian/dropbear.init newline
From wulei-student
Infrastructure:
- Test off-by-default compile options
- Set -Wundef to catch typos in #if statements
2022.82 - 1 April 2022
Features and Changes:
Note >> for compatibility/configuration changes
- Implemented OpenSSH format private key handling for dropbearconvert.
Keys can be read in OpenSSH format or the old PEM format.
>> Keys are now written in OpenSSH format rather than PEM.
ED25519 support is now correct. DSS keys are still PEM format.
- Use SHA256 for key fingerprints
- >> Reworked -v verbose printing, specifying multiple times will increase
verbosity. -vvvv is equivalent to the old DEBUG_TRACE -v level, it
can be configured at compile time in localoptions.h (see default_options.h)
Lower -v options can be used to check connection progress or algorithm
negotiation.
Thanks to Hans Harder for the implementation
localoptions.h DEBUG_TRACE should be set to 4 for the same result as the
previous DEBUG_TRACE 1.
- Added server support for U2F/FIDO keys (ecdsa-sk and ed25519-sk) in
authorized_keys. no-touch-required option isn't allowed yet.
Thanks to Egor Duda for the implementation
- autoconf output (configure script etc) is now committed to version control.
>> It isn't necessary to run "autoconf" any more on a checkout.
- sha1 will be omitted from the build if KEX/signing/MAC algorithms don't
require it. Instead sha256 is used for random number generation.
See sysoptions.h to see which algorithms require which hashes.
- Set SSH_PUBKEYINFO environment variable based on the authorized_keys
entry used for auth. The first word of the comment after the key is used
(must only have characters a-z A-Z 0-9 .,_-+@)
Patch from Hans Harder, modified by Matt Johnston
- Let dbclient multihop mode be used with '-J'.
Patch from Hans Harder
- Allow home-directory relative paths ~/path for various settings
and command line options.
*_PRIV_FILENAME DROPBEAR_PIDFILE SFTPSERVER_PATH MOTD_FILENAME
Thanks to Begley Brothers Inc
>> The default DROPBEAR_DEFAULT_CLI_AUTHKEY has now changed, it now needs
a tilde prefix.
- LANG environment variable is carried over from the Dropbear server process
From Maxim Kochetkov
- Add /usr/sbin and /sbin to $PATH when logging in as root.
Patch from Raphaël Hertzog
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403
- Added client option "-o DisableTrivialAuth". It disallows a server immediately
giving successful authentication (without presenting any password/pubkey prompt).
This avoids a UI confusion issue where it may appear that the user is accepting
a SSH agent prompt from their local machine, but are actually accepting a prompt
sent immediately by the remote server.
CVE-2021-36369 though the description there is a bit confused. It only applies
to Dropbear as a client.
Thanks to Manfred Kaiser from Austrian MilCERT
- Add -q client option to hide remote banner, from Hans Harder
- Add -e option to pass all server environment variables to child processes.
This should be used with caution.
Patch from Roland Vollgraf (github #118)
- >> Use DSCP for QoS traffic classes. Priority (tty) traffic is now set to
AF21 "interactive". Previously TOS classes were used, they are not used by
modern traffic classifiers. Non-tty traffic is left at default priority.
- >> Disable dh-group1 key exchange by default. It has been disabled server
side by default since 2018.
- >> Removed Twofish cipher
Fixes:
- Fix flushing channel data when pty was allocated (github #85)
Data wasn't completely transmitted at channel close.
Reported and initial patch thanks to Yousong Zhou
- Dropbear now re-executes itself rather than just forking for each connection
(only on Linux). This allows ASLR to randomise address space for each
connection as a security mitigation. It should not have any visible impact -
if there are any performance impacts in the wild please report it.
- Check authorized_keys permissions as the user, fixes NFS squash root.
Patch from Chris Dragan (github #107)
- A missing home directory is now non-fatal, starting in / instead
- Fixed IPv6 [address]:port parsing for dbclient -b
Reported by Fabio Molinari
- Improve error logging so that errors are logged on the server rather than being
sent to the client over the connection
- Max window size is increased to 10MB, more graceful fallback if it's invalid.
- Fix correctness of Dropbear's handling of global requests.
Patch from Dirkjan Bussink
- Fix some small bugs found by fuzzers, null pointer dereference crash and leaks
(post authentication)
- $HOME variable is used before /etc/passwd when expanding paths such as
~/.ssh/id_dropbear (for the client). Patch from Matt Robinson
- C89 build fixes from Guillaume Picquet
Infrastructure:
- Improvements to fuzzers. Added post-auth fuzzer, and a mutator that can
handle the structure of SSH packet streams. Added cifuzz to run on commits
and pull requests.
Thanks to OSS-Fuzz for the tools/clusters and reward funding.
- Dropbear source tarballs generated by release.sh are now reproducible from a
Git or Mercurial checkout, they will be identical on any system. Tested
on ubuntu and macos.
- Added some integration testing using pytest. Currently this has tests
for various channel handling edge cases, ASLR fork randomisation,
dropbearconvert, and SSH_PUBKEYINFO
- Set up github actions. This runs the pytest suite and other checks.
- build matrix includes c89, dropbearmulti, bundled libtom, macos, DEBUG_TRACE
- test for configure script regeneration
- build a tarball for external reproducibility
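The SSH_PUBKEYINFO rule in the 2022.82 notes above (the first word of the comment after the key is exported, and only if it consists solely of a-z A-Z 0-9 .,_-+@) is small enough to check end to end. The following Python is an added example, not Dropbear's code: it parses a few constructed authorized_keys lines, including one with an options field containing a quoted command, and applies that charset rule, so a login-time script reading $SSH_PUBKEYINFO can see which entries yield a value and which leave it unset. The charset restriction is what keeps shell metacharacters out of a value that such scripts consume from the environment. The helper names, sample lines and placeholder key blobs are my own.

```python
import re

# Character set the changelog gives for the SSH_PUBKEYINFO value:
# a-z A-Z 0-9 and . , _ - + @
PUBKEYINFO_RE = re.compile(r"[A-Za-z0-9.,_+@-]+")

# Key-type prefixes used to decide whether a line starts with an options field.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample authorized_keys lines (not from the page); key blobs are placeholders.
SAMPLE_LINES = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBLOB alice@laptop backup key",
    'command="/usr/bin/rrsync /data",no-pty ssh-rsa AAAAB3NzaC1yc2EEXAMPLEBLOB deploy_bot.v2',
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBLOB bad;name rest",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBLOB",
    "# commented out key",
]


def split_authorized_keys_line(line):
    """Split one authorized_keys line into (options, keytype, blob, comment).

    Returns None for blank lines, comments and lines without a key blob.
    The options field may hold double-quoted strings containing spaces and
    commas (e.g. command="..."), so it is scanned rather than split on
    whitespace.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_TYPE_PREFIXES):
        i, in_quote = 0, False
        while i < len(line):
            c = line[i]
            if in_quote and c == "\\":
                i += 2  # skip an escaped character inside quotes
                continue
            if c == '"':
                in_quote = not in_quote
            elif c.isspace() and not in_quote:
                break
            i += 1
        options, line = line[:i], line[i:].lstrip()
    parts = line.split(None, 2)
    if len(parts) < 2:
        return None
    comment = parts[2] if len(parts) == 3 else ""
    return options, parts[0], parts[1], comment


def pubkeyinfo_from_entry(line):
    """Return the SSH_PUBKEYINFO value for an authorized_keys line, or None.

    Rule from the 2022.82 changelog: the first whitespace-separated word of
    the comment is used, and only if every character is in the allowed set.
    """
    parsed = split_authorized_keys_line(line)
    if parsed is None:
        return None
    words = parsed[3].split()
    if not words or not PUBKEYINFO_RE.fullmatch(words[0]):
        return None
    return words[0]


def pubkeyinfo_table(lines):
    """Map each line to the value a login script would see (None when unset)."""
    return [pubkeyinfo_from_entry(l) for l in lines]


if __name__ == "__main__":
    for line, info in zip(SAMPLE_LINES, pubkeyinfo_table(SAMPLE_LINES)):
        print(f"{info!s:>14}  <-  {line[:60]}")
```

Run as a script it prints one row per sample line; the third line is rejected because `;` is outside the allowed set, and the fourth has no comment at all, so both leave the variable unset rather than exporting a partial or sanitised value.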
To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 pkgsrc/security/dropbear/Makefile
cvs rdiff -u -r1.29 -r1.30 pkgsrc/security/dropbear/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/security/dropbear/patches/patch-cli-session.c \
pkgsrc/security/dropbear/patches/patch-common-algo.c \
pkgsrc/security/dropbear/patches/patch-common-kex.c \
pkgsrc/security/dropbear/patches/patch-kex.h \
pkgsrc/security/dropbear/patches/patch-process-packet.c \
pkgsrc/security/dropbear/patches/patch-ssh.h \
pkgsrc/security/dropbear/patches/patch-svr-session.c
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/dropbear/patches/patch-configure
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/security/dropbear/Makefile
diff -u pkgsrc/security/dropbear/Makefile:1.38 pkgsrc/security/dropbear/Makefile:1.39
--- pkgsrc/security/dropbear/Makefile:1.38 Thu May 25 21:28:09 2023
+++ pkgsrc/security/dropbear/Makefile Wed Dec 20 17:09:35 2023
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.38 2023/05/25 21:28:09 wiz Exp $
+# $NetBSD: Makefile,v 1.39 2023/12/20 17:09:35 wiz Exp $
-DISTNAME= dropbear-2020.81
+DISTNAME= dropbear-2022.83
+PKGREVISION= 1
CATEGORIES= security
MASTER_SITES= https://matt.ucc.asn.au/dropbear/releases/
EXTRACT_SUFX= .tar.bz2
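Review bot: `PKGREVISION= 1` on a freshly bumped DISTNAME runs against the usual practice of resetting PKGREVISION on a version update, and nothing in the Makefile records why; add a one-line comment above it saying it marks the Terrapin-patched build (the log message gives the reason, the file does not), so a later updater does not drop it by reflex.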
Index: pkgsrc/security/dropbear/distinfo
diff -u pkgsrc/security/dropbear/distinfo:1.29 pkgsrc/security/dropbear/distinfo:1.30
--- pkgsrc/security/dropbear/distinfo:1.29 Tue Oct 26 11:17:03 2021
+++ pkgsrc/security/dropbear/distinfo Wed Dec 20 17:09:35 2023
@@ -1,7 +1,14 @@
-$NetBSD: distinfo,v 1.29 2021/10/26 11:17:03 nia Exp $
+$NetBSD: distinfo,v 1.30 2023/12/20 17:09:35 wiz Exp $
-BLAKE2s (dropbear-2020.81.tar.bz2) = c8b6f5a9c588a6b6998fb3c6b5cf77407a560452b812e00c21daf5144d369855
-SHA512 (dropbear-2020.81.tar.bz2) = 2fa9d4d7dcb1c81281f5e47c8a99b7300eb46b3bb605daaec956404eae9124879a8bbbef521dea6da8b3643f3dc6f7f5005e265bfcaba97e89812f5642c294da
-Size (dropbear-2020.81.tar.bz2) = 2289644 bytes
-SHA1 (patch-configure) = 95c82b951d16a5cca92a3d4d7ef67b7eb5f47540
+BLAKE2s (dropbear-2022.83.tar.bz2) = 71657e1f82711df54fc15b4aedf48e4bc6f3b79dc67e1016aec6711863e09fb1
+SHA512 (dropbear-2022.83.tar.bz2) = c63afa615d64b0c8c5e739c758eb8ae277ecc36a4223b766bf562702de69910904cbc3ea98d22989df478ae419e1f81057fe1ee09616c80cb859f58f44175422
+Size (dropbear-2022.83.tar.bz2) = 2322904 bytes
+SHA1 (patch-cli-session.c) = c994f83283c38ae966a32cb97432305d2ae61ec5
+SHA1 (patch-common-algo.c) = aca565c1bb2329466fa3e06c4602ae7750744099
+SHA1 (patch-common-kex.c) = dfa5fdec1e62913db6475ba656f92cd4df46be78
+SHA1 (patch-configure) = b17f647043b212adda53aad7fb8dc7e639be9494
SHA1 (patch-default__options.h) = ef38d09e20b9d74abdd118901a4fc30459eb0dcb
+SHA1 (patch-kex.h) = 5a59be28ca209d8da26554fdeb2fdb5b84ddaf7c
+SHA1 (patch-process-packet.c) = 5f9a2c7e150786cb1cf974ffe3a294891e3b3e3e
+SHA1 (patch-ssh.h) = 9e830d59e26d5411713629fb4e716265eee85efe
+SHA1 (patch-svr-session.c) = 8cefae13d159e48b0834885167dfde79cd36e216
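Review bot: the SHA1 for patch-default__options.h is carried over unchanged while the tarball moves from 2020.81 to 2022.83 and every other patch is new or regenerated; confirm that patch still applies without fuzz against 2022.83's default_options.h, since the checksum only proves the patch file is unchanged, not that it applies. The seven new SHA1 lines match the seven files listed under Added Files, and BLAKE2s, SHA512 and Size are updated together.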
Index: pkgsrc/security/dropbear/patches/patch-configure
diff -u pkgsrc/security/dropbear/patches/patch-configure:1.1 pkgsrc/security/dropbear/patches/patch-configure:1.2
--- pkgsrc/security/dropbear/patches/patch-configure:1.1 Tue May 16 21:54:21 2017
+++ pkgsrc/security/dropbear/patches/patch-configure Wed Dec 20 17:09:36 2023
@@ -1,12 +1,12 @@
-$NetBSD: patch-configure,v 1.1 2017/05/16 21:54:21 snj Exp $
+$NetBSD: patch-configure,v 1.2 2023/12/20 17:09:36 wiz Exp $
this test for the system libtomcrypt needs -ltommath.
---- configure.orig 2017-04-25 21:47:13.570580493 -0700
-+++ configure 2017-04-25 21:47:30.336185297 -0700
-@@ -5963,7 +5963,7 @@ if ${ac_cv_lib_tomcrypt_register_cipher+
- $as_echo_n "(cached) " >&6
- else
+--- configure.orig 2022-11-14 14:30:00.000000000 +0000
++++ configure
+@@ -7701,7 +7701,7 @@ then :
+ printf %s "(cached) " >&6
+ else $as_nop
ac_check_lib_save_LIBS=$LIBS
-LIBS="-ltomcrypt $LIBS"
+LIBS="-ltomcrypt -ltommath $LIBS"
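Review bot: the regenerated context (`printf %s "(cached) " >&6`, `else $as_nop`, hunk header moved from line 5963 to 7701) shows the patch was re-taken against the autoconf output that 2022.83 now ships in the tarball, which is the right base now that configure is committed upstream; the substantive change, `LIBS="-ltomcrypt -ltommath $LIBS"`, is unchanged. The description line `this test for the system libtomcrypt needs -ltommath.` could start with a capital and name the test (the register_cipher link check visible in the old header) so the reason survives the next regeneration.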
Added files:
Index: pkgsrc/security/dropbear/patches/patch-cli-session.c
diff -u /dev/null pkgsrc/security/dropbear/patches/patch-cli-session.c:1.1
--- /dev/null Wed Dec 20 17:09:36 2023
+++ pkgsrc/security/dropbear/patches/patch-cli-session.c Wed Dec 20 17:09:36 2023
@@ -0,0 +1,36 @@
+$NetBSD: patch-cli-session.c,v 1.1 2023/12/20 17:09:36 wiz Exp $
+
+Terrapin fix
+https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
+
+--- cli-session.c.orig 2022-11-14 14:30:00.000000000 +0000
++++ cli-session.c
+@@ -46,6 +46,7 @@ static void cli_finished(void) ATTRIB_NO
+ static void recv_msg_service_accept(void);
+ static void cli_session_cleanup(void);
+ static void recv_msg_global_request_cli(void);
++static void cli_algos_initialise(void);
+
+ struct clientsession cli_ses; /* GLOBAL */
+
+@@ -117,6 +118,7 @@ void cli_session(int sock_in, int sock_o
+ }
+
+ chaninitialise(cli_chantypes);
++ cli_algos_initialise();
+
+ /* Set up cli_ses vars */
+ cli_session_init(proxy_cmd_pid);
+@@ -487,3 +489,12 @@ void cli_dropbear_log(int priority, cons
+ fflush(stderr);
+ }
+
++static void cli_algos_initialise(void) {
++ algo_type *algo;
++ for (algo = sshkex; algo->name; algo++) {
++ if (strcmp(algo->name, SSH_STRICT_KEX_S) == 0) {
++ algo->usable = 0;
++ }
++ }
++}
++
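Review bot: the final `++` line adds a trailing blank line after the closing brace of cli_algos_initialise(), which is harmless but could be dropped when the patch is regenerated. The loop itself only flags SSH_STRICT_KEX_S as unusable, so a client never advertises the server-side marker, and cli_algos_initialise() is called right after chaninitialise() and before cli_session_init(), i.e. before the first KEXINIT is built; that ordering is what the common-algo.c entries rely on.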
Index: pkgsrc/security/dropbear/patches/patch-common-algo.c
diff -u /dev/null pkgsrc/security/dropbear/patches/patch-common-algo.c:1.1
--- /dev/null Wed Dec 20 17:09:36 2023
+++ pkgsrc/security/dropbear/patches/patch-common-algo.c Wed Dec 20 17:09:36 2023
@@ -0,0 +1,20 @@
+$NetBSD: patch-common-algo.c,v 1.1 2023/12/20 17:09:36 wiz Exp $
+
+Terrapin fix
+https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
+
+--- common-algo.c.orig 2022-11-14 14:30:00.000000000 +0000
++++ common-algo.c
+@@ -308,6 +308,12 @@ algo_type sshkex[] = {
+ {SSH_EXT_INFO_C, 0, NULL, 1, NULL},
+ #endif
+ #endif
++#if DROPBEAR_CLIENT
++ {SSH_STRICT_KEX_C, 0, NULL, 1, NULL},
++#endif
++#if DROPBEAR_SERVER
++ {SSH_STRICT_KEX_S, 0, NULL, 1, NULL},
++#endif
+ {NULL, 0, NULL, 0, NULL}
+ };
+
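Review bot: both marker entries are added with `usable` set to 1, so in a dropbearmulti build where DROPBEAR_CLIENT and DROPBEAR_SERVER are both defined the sshkex table carries both SSH_STRICT_KEX_C and SSH_STRICT_KEX_S unless a role-specific initialiser clears one; correctness therefore depends on cli_algos_initialise() and svr_algos_initialise() running before the first KEXINIT is sent. A short comment on these two entries pointing at that dependency would save the next reader a search.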
Index: pkgsrc/security/dropbear/patches/patch-common-kex.c
diff -u /dev/null pkgsrc/security/dropbear/patches/patch-common-kex.c:1.1
--- /dev/null Wed Dec 20 17:09:36 2023
+++ pkgsrc/security/dropbear/patches/patch-common-kex.c Wed Dec 20 17:09:36 2023
@@ -0,0 +1,61 @@
+$NetBSD: patch-common-kex.c,v 1.1 2023/12/20 17:09:36 wiz Exp $
+
+Terrapin fix
+https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
+
+--- common-kex.c.orig 2022-11-14 14:30:00.000000000 +0000
++++ common-kex.c
+@@ -183,6 +183,10 @@ void send_msg_newkeys() {
+ gen_new_keys();
+ switch_keys();
+
++ if (ses.kexstate.strict_kex) {
++ ses.transseq = 0;
++ }
++
+ TRACE(("leave send_msg_newkeys"))
+ }
+
+@@ -193,7 +197,11 @@ void recv_msg_newkeys() {
+
+ ses.kexstate.recvnewkeys = 1;
+ switch_keys();
+-
++
++ if (ses.kexstate.strict_kex) {
++ ses.recvseq = 0;
++ }
++
+ TRACE(("leave recv_msg_newkeys"))
+ }
+
+@@ -550,6 +558,10 @@ void recv_msg_kexinit() {
+
+ ses.kexstate.recvkexinit = 1;
+
++ if (ses.kexstate.strict_kex && !ses.kexstate.donefirstkex && ses.recvseq != 1) {
++ dropbear_exit("First packet wasn't kexinit");
++ }
++
+ TRACE(("leave recv_msg_kexinit"))
+ }
+
+@@ -859,6 +871,18 @@ static void read_kex_algos() {
+ }
+ #endif
+
++ if (!ses.kexstate.donefirstkex) {
++ const char* strict_name;
++ if (IS_DROPBEAR_CLIENT) {
++ strict_name = SSH_STRICT_KEX_S;
++ } else {
++ strict_name = SSH_STRICT_KEX_C;
++ }
++ if (buf_has_algo(ses.payload, strict_name) == DROPBEAR_SUCCESS) {
++ ses.kexstate.strict_kex = 1;
++ }
++ }
++
+ algo = buf_match_algo(ses.payload, sshkex, kexguess2, &goodguess);
+ allgood &= goodguess;
+ if (algo == NULL || algo->data == NULL) {
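Review bot: the recv_msg_newkeys hunk contains a whitespace-only change (the `-`/`+` pair of blank lines before the new `if`), which is noise when the patch is regenerated; drop it. The resets are symmetric, transseq zeroed after switch_keys() in send_msg_newkeys and recvseq after switch_keys() in recv_msg_newkeys, and both run on every NEWKEYS rather than only the first, which is what strict kex requires. The `ses.recvseq != 1` check in recv_msg_kexinit assumes the counter has already been incremented for the KEXINIT packet itself when this function runs; that is only true if the increment happens before process_packet() dispatches, which this hunk does not show, so verify against packet.c. Reading the peer's marker only while `!ses.kexstate.donefirstkex` is correct, since the marker is meaningful only in the first KEXINIT.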
Index: pkgsrc/security/dropbear/patches/patch-kex.h
diff -u /dev/null pkgsrc/security/dropbear/patches/patch-kex.h:1.1
--- /dev/null Wed Dec 20 17:09:36 2023
+++ pkgsrc/security/dropbear/patches/patch-kex.h Wed Dec 20 17:09:36 2023
@@ -0,0 +1,17 @@
+$NetBSD: patch-kex.h,v 1.1 2023/12/20 17:09:36 wiz Exp $
+
+Terrapin fix
+https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
+
+--- kex.h.orig 2022-11-14 14:30:00.000000000 +0000
++++ kex.h
+@@ -83,6 +83,9 @@ struct KEXState {
+
+ unsigned our_first_follows_matches : 1;
+
++ /* Boolean indicating that strict kex mode is in use */
++ unsigned int strict_kex;
++
+ time_t lastkextime; /* time of the last kex */
+ unsigned int datatrans; /* data transmitted since last kex */
+ unsigned int datarecv; /* data received since last kex */
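Review bot: `unsigned int strict_kex;` is a full int although the comment calls it a Boolean and the preceding field `our_first_follows_matches : 1` is a one-bit field; use `unsigned strict_kex : 1;` to match the surrounding struct unless its address is taken somewhere not shown. It is not initialised here, so the code relies on struct KEXState being zeroed at session start.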
Index: pkgsrc/security/dropbear/patches/patch-process-packet.c
diff -u /dev/null pkgsrc/security/dropbear/patches/patch-process-packet.c:1.1
--- /dev/null Wed Dec 20 17:09:36 2023
+++ pkgsrc/security/dropbear/patches/patch-process-packet.c Wed Dec 20 17:09:36 2023
@@ -0,0 +1,64 @@
+$NetBSD: patch-process-packet.c,v 1.1 2023/12/20 17:09:36 wiz Exp $
+
+Terrapin fix
+https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
+
+--- process-packet.c.orig 2022-11-14 14:30:00.000000000 +0000
++++ process-packet.c
+@@ -44,6 +44,7 @@ void process_packet() {
+
+ unsigned char type;
+ unsigned int i;
++ unsigned int first_strict_kex = ses.kexstate.strict_kex && !ses.kexstate.donefirstkex;
+ time_t now;
+
+ TRACE2(("enter process_packet"))
+@@ -54,22 +55,24 @@ void process_packet() {
+ now = monotonic_now();
+ ses.last_packet_time_keepalive_recv = now;
+
+- /* These packets we can receive at any time */
+- switch(type) {
+
+- case SSH_MSG_IGNORE:
+- goto out;
+- case SSH_MSG_DEBUG:
+- goto out;
++ if (type == SSH_MSG_DISCONNECT) {
++ /* Allowed at any time */
++ dropbear_close("Disconnect received");
++ }
+
+- case SSH_MSG_UNIMPLEMENTED:
+- /* debugging XXX */
+- TRACE(("SSH_MSG_UNIMPLEMENTED"))
+- goto out;
+-
+- case SSH_MSG_DISCONNECT:
+- /* TODO cleanup? */
+- dropbear_close("Disconnect received");
++ /* These packets may be received at any time,
++ except during first kex with strict kex */
++ if (!first_strict_kex) {
++ switch(type) {
++ case SSH_MSG_IGNORE:
++ goto out;
++ case SSH_MSG_DEBUG:
++ goto out;
++ case SSH_MSG_UNIMPLEMENTED:
++ TRACE(("SSH_MSG_UNIMPLEMENTED"))
++ goto out;
++ }
+ }
+
+ /* Ignore these packet types so that keepalives don't interfere with
+@@ -98,7 +101,8 @@ void process_packet() {
+ if (type >= 1 && type <= 49
+ && type != SSH_MSG_SERVICE_REQUEST
+ && type != SSH_MSG_SERVICE_ACCEPT
+- && type != SSH_MSG_KEXINIT)
++ && type != SSH_MSG_KEXINIT
++ && !first_strict_kex)
+ {
+ TRACE(("unknown allowed packet during kexinit"))
+ recv_unimplemented();
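Review bot: with `!first_strict_kex` added to the condition in the second hunk, an unexpected type in 1..49 during the first strict kex no longer reaches recv_unimplemented(), but what it falls through to is outside the hunk; confirm the code below ends in dropbear_exit() rather than processing the packet, since strict kex requires the connection to terminate. In the first hunk, moving SSH_MSG_DISCONNECT ahead of the switch keeps it accepted at all times, which is correct, and `first_strict_kex` is computed once at function entry, so it cannot change mid-function even though recv_msg_kexinit later sets donefirstkex.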
Index: pkgsrc/security/dropbear/patches/patch-ssh.h
diff -u /dev/null pkgsrc/security/dropbear/patches/patch-ssh.h:1.1
--- /dev/null Wed Dec 20 17:09:36 2023
+++ pkgsrc/security/dropbear/patches/patch-ssh.h Wed Dec 20 17:09:36 2023
@@ -0,0 +1,18 @@
+$NetBSD: patch-ssh.h,v 1.1 2023/12/20 17:09:36 wiz Exp $
+
+Terrapin fix
+https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
+
+--- ssh.h.orig 2022-11-14 14:30:00.000000000 +0000
++++ ssh.h
+@@ -100,6 +100,10 @@
+ #define SSH_EXT_INFO_C "ext-info-c"
+ #define SSH_SERVER_SIG_ALGS "server-sig-algs"
+
++/* OpenSSH strict KEX feature */
++#define SSH_STRICT_KEX_S "kex-strict-s-v00%openssh.com@localhost"
++#define SSH_STRICT_KEX_C "kex-strict-c-v00%openssh.com@localhost"
++
+ /* service types */
+ #define SSH_SERVICE_USERAUTH "ssh-userauth"
+ #define SSH_SERVICE_USERAUTH_LEN 12
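Review bot: the two string literals as displayed here, `kex-strict-s-v00%openssh.com@localhost` and `kex-strict-c-v00%openssh.com@localhost`, are the mailing-list archive's address obfuscation (an `@` rewritten to `%` with `@localhost` appended), not the upstream values; the markers in the referenced upstream commit are `kex-strict-s-v00@openssh.com` and `kex-strict-c-v00@openssh.com`. Anyone reconstructing this patch from the archive page rather than from CVS must restore the real strings, otherwise the marker never matches an OpenSSH peer's KEXINIT and strict kex silently stays off while the connection still succeeds.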
Index: pkgsrc/security/dropbear/patches/patch-svr-session.c
diff -u /dev/null pkgsrc/security/dropbear/patches/patch-svr-session.c:1.1
--- /dev/null Wed Dec 20 17:09:36 2023
+++ pkgsrc/security/dropbear/patches/patch-svr-session.c Wed Dec 20 17:09:36 2023
@@ -0,0 +1,17 @@
+$NetBSD: patch-svr-session.c,v 1.1 2023/12/20 17:09:36 wiz Exp $
+
+Terrapin fix
+https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
+
+--- svr-session.c.orig 2022-11-14 14:30:00.000000000 +0000
++++ svr-session.c
+@@ -370,6 +370,9 @@ static void svr_algos_initialise(void) {
+ algo->usable = 0;
+ }
+ #endif
++ if (strcmp(algo->name, SSH_STRICT_KEX_C) == 0) {
++ algo->usable = 0;
++ }
+ }
+ }
+
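Review bot: the new strcmp block is unconditional while the block just above it is under an #if (its `#endif` is in the context); in a server-only build SSH_STRICT_KEX_C is never in sshkex (patch-common-algo.c adds it under DROPBEAR_CLIENT), so the comparison is a harmless no-op there, but wrapping it in `#if DROPBEAR_CLIENT` would mirror the table and make the intent explicit. Together with cli_algos_initialise() this ensures each role advertises only its own marker.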