On 04/27/2018 05:58 PM, Koen Vandeputte wrote:
> Config moved from options.h to localoptions.h
> refreshed all patches
> 
> deleted upstreamed patches:
> - 010-runtime-maxauthtries.patch
> - 610-skip-default-keys-in-custom-runs.patch
> 
> introduced new patch:
> - 610-disable-ec-by-default.patch
> 
> This patch adds the EC definitions which are altered by the Makefile when
> (de)selecting EC options.
> 
> Tested on both LE (arm) and BE (mips) architectures.
> Tested with all dropbear menuoptions on/off

Please post the size of the binary and the ipkg with and without this patch.

I think it compiles the math library with O2 or O3 by default, and not
with Os. Can you check this too, please?

Hauke
> 
> Signed-off-by: Koen Vandeputte <koen.vandepu...@ncentric.com>
> ---
>  package/network/services/dropbear/Makefile         |  28 ++---
>  .../patches/010-runtime-maxauthtries.patch         | 130 
> ---------------------
>  .../dropbear/patches/100-pubkey_path.patch         |  28 +++--
>  .../dropbear/patches/110-change_user.patch         |   2 +-
>  .../dropbear/patches/120-openwrt_options.patch     |  94 ++-------------
>  .../dropbear/patches/130-ssh_ignore_x_args.patch   |   4 +-
>  .../patches/150-dbconvert_standalone.patch         |  21 ++--
>  .../patches/600-allow-blank-root-password.patch    |   2 +-
>  .../patches/610-disable-ec-by-default.patch        |  10 ++
>  .../610-skip-default-keys-in-custom-runs.patch     |  18 ---
>  10 files changed, 62 insertions(+), 275 deletions(-)
>  delete mode 100644 
> package/network/services/dropbear/patches/010-runtime-maxauthtries.patch
>  create mode 100644 
> package/network/services/dropbear/patches/610-disable-ec-by-default.patch
>  delete mode 100644 
> package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
> 
> diff --git a/package/network/services/dropbear/Makefile 
> b/package/network/services/dropbear/Makefile
> index 21ac09f72452..e89043531f78 100644
> --- a/package/network/services/dropbear/Makefile
> +++ b/package/network/services/dropbear/Makefile
> @@ -8,14 +8,14 @@
>  include $(TOPDIR)/rules.mk
>  
>  PKG_NAME:=dropbear
> -PKG_VERSION:=2017.75
> -PKG_RELEASE:=5
> +PKG_VERSION:=2018.76
> +PKG_RELEASE:=1
>  
>  PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
>  PKG_SOURCE_URL:= \
>       http://matt.ucc.asn.au/dropbear/releases/ \
>       https://dropbear.nl/mirror/releases/
> -PKG_HASH:=6cbc1dcb1c9709d226dff669e5604172a18cf5dbf9a201474d5618ae4465098c
> +PKG_HASH:=f2fb9167eca8cf93456a5fc1d4faf709902a3ab70dd44e352f3acbc3ffdaea65
>  
>  PKG_LICENSE:=MIT
>  PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
> @@ -57,7 +57,7 @@ endef
>  
>  define Package/dropbear/conffiles
>  /etc/dropbear/dropbear_rsa_host_key
> -/etc/config/dropbear 
> +/etc/config/dropbear
>  endef
>  
>  define Package/dropbearconvert
> @@ -89,24 +89,24 @@ define Build/Configure
>       $(Build/Configure/Default)
>  
>       $(SED) 's,^#define DEFAULT_PATH .*$$$$,#define DEFAULT_PATH 
> "$(TARGET_INIT_PATH)",g' \
> -             $(PKG_BUILD_DIR)/options.h
> +             $(PKG_BUILD_DIR)/default_options.h
>  
>       awk 'BEGIN { rc = 1 } \
> -          /'DROPBEAR_CURVE25519'/ { $$$$0 = "$(if 
> $(CONFIG_DROPBEAR_CURVE25519),,// )#define 'DROPBEAR_CURVE25519'"; rc = 0 } \
> +          /'DROPBEAR_CURVE25519'/ { $$$$0 = "$(if 
> $(CONFIG_DROPBEAR_CURVE25519),#define 'DROPBEAR_CURVE25519' 1,#define 
> 'DROPBEAR_CURVE25519' 0)"; rc = 0 } \
>            { print } \
> -          END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \
> -          >$(PKG_BUILD_DIR)/options.h.new && \
> -     mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h
> +          END { exit(rc) }' $(PKG_BUILD_DIR)/localoptions.h \
> +          >$(PKG_BUILD_DIR)/localoptions.h.new && \
> +     mv $(PKG_BUILD_DIR)/localoptions.h.new $(PKG_BUILD_DIR)/localoptions.h
>  
> -     # Enforce that all replacements are made, otherwise options.h has 
> changed
> +     # Enforce that all replacements are made, otherwise localoptions.h has 
> changed
>       # format and this logic is broken.
>       for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \
>         awk 'BEGIN { rc = 1 } \
> -            /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// 
> )#define '$$$$OPTION'"; rc = 0 } \
> +            /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),#define 
> '$$$$OPTION' 1,#define '$$$$OPTION' 0)"; rc = 0 } \
>              { print } \
> -            END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \
> -            >$(PKG_BUILD_DIR)/options.h.new && \
> -       mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h || exit 
> 1; \
> +            END { exit(rc) }' $(PKG_BUILD_DIR)/localoptions.h \
> +            >$(PKG_BUILD_DIR)/localoptions.h.new && \
> +       mv $(PKG_BUILD_DIR)/localoptions.h.new 
> $(PKG_BUILD_DIR)/localoptions.h || exit 1; \
>       done
>  
>       # remove protocol idented software version number
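Review bot: The `$(SED)` rewrite of `DEFAULT_PATH`, now pointed at `default_options.h`, has no check that a substitution actually happened, unlike the awk edits below it, which exit non-zero when their pattern is missing. If the new upstream header formats or places that define differently, the build would still succeed and ship upstream's default PATH instead of `$(TARGET_INIT_PATH)`. A following recipe line such as `grep -q '^#define DEFAULT_PATH "$(TARGET_INIT_PATH)"' $(PKG_BUILD_DIR)/default_options.h` would make that failure visible. The awk patterns are also unanchored, so any line containing the option name (a comment included) is replaced whole; matching on `^#define ` plus the name would be tighter. Build/Configure starts before this hunk and continues after it.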
> diff --git 
> a/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch 
> b/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch
> deleted file mode 100644
> index 26db3181f2d8..000000000000
> --- a/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch
> +++ /dev/null
> @@ -1,130 +0,0 @@
> -From 46b22e57d91e33a591d0fba97da52672af4d6ed2 Mon Sep 17 00:00:00 2001
> -From: Kevin Darbyshire-Bryant <ke...@darbyshire-bryant.me.uk>
> -Date: Mon, 29 May 2017 10:25:09 +0100
> -Subject: [PATCH] dropbear server: support -T max auth tries
> -
> -Add support for '-T n' for a run-time specification for maximum number
> -of authentication attempts where 'n' is between 1 and compile time
> -option MAX_AUTH_TRIES.
> -
> -A default number of tries can be specified at compile time using
> -'DEFAULT_AUTH_TRIES' which itself defaults to MAX_AUTH_TRIES for
> -backwards compatibility.
> -
> -Signed-off-by: Kevin Darbyshire-Bryant <ke...@darbyshire-bryant.me.uk>
> ----
> - options.h     |  7 +++++++
> - runopts.h     |  1 +
> - svr-auth.c    |  2 +-
> - svr-runopts.c | 17 +++++++++++++++++
> - 4 files changed, 26 insertions(+), 1 deletion(-)
> -
> -diff --git a/options.h b/options.h
> -index 0c51bb1..4d22704 100644
> ---- a/options.h
> -+++ b/options.h
> -@@ -284,6 +284,13 @@ Homedir is prepended unless path begins with / */
> - #define MAX_AUTH_TRIES 10
> - #endif
> - 
> -+/* Default maximum number of failed authentication tries.
> -+ * defaults to MAX_AUTH_TRIES */
> -+
> -+#ifndef DEFAULT_AUTH_TRIES
> -+#define DEFAULT_AUTH_TRIES MAX_AUTH_TRIES
> -+#endif
> -+
> - /* The default file to store the daemon's process ID, for shutdown
> -    scripts etc. This can be overridden with the -P flag */
> - #ifndef DROPBEAR_PIDFILE
> -diff --git a/runopts.h b/runopts.h
> -index f7c869d..2f7da63 100644
> ---- a/runopts.h
> -+++ b/runopts.h
> -@@ -96,6 +96,7 @@ typedef struct svr_runopts {
> -     int noauthpass;
> -     int norootpass;
> -     int allowblankpass;
> -+    unsigned int maxauthtries;
> - 
> - #ifdef ENABLE_SVR_REMOTETCPFWD
> -     int noremotetcp;
> -diff --git a/svr-auth.c b/svr-auth.c
> -index 577ea88..6a7ce0b 100644
> ---- a/svr-auth.c
> -+++ b/svr-auth.c
> -@@ -362,7 +362,7 @@ void send_msg_userauth_failure(int partial, int 
> incrfail) {
> -             ses.authstate.failcount++;
> -     }
> - 
> --    if (ses.authstate.failcount >= MAX_AUTH_TRIES) {
> -+    if (ses.authstate.failcount >= svr_opts.maxauthtries) {
> -             char * userstr;
> -             /* XXX - send disconnect ? */
> -             TRACE(("Max auth tries reached, exiting"))
> -diff --git a/svr-runopts.c b/svr-runopts.c
> -index 8f60059..1e7440f 100644
> ---- a/svr-runopts.c
> -+++ b/svr-runopts.c
> -@@ -73,6 +73,7 @@ static void printhelp(const char * progname) {
> -                                     "-g             Disable password logins 
> for root\n"
> -                                     "-B             Allow blank password 
> logins\n"
> - #endif
> -+                                    "-T <1 to %d>   Maximum authentication 
> tries (default %d)\n"
> - #ifdef ENABLE_SVR_LOCALTCPFWD
> -                                     "-j             Disable local port 
> forwarding\n"
> - #endif
> -@@ -106,6 +107,7 @@ static void printhelp(const char * progname) {
> - #ifdef DROPBEAR_ECDSA
> -                                     ECDSA_PRIV_FILENAME,
> - #endif
> -+                                    MAX_AUTH_TRIES, DEFAULT_AUTH_TRIES,
> -                                     DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, 
> DROPBEAR_PIDFILE,
> -                                     DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, 
> DEFAULT_IDLE_TIMEOUT);
> - }
> -@@ -118,6 +120,7 @@ void svr_getopts(int argc, char ** argv) {
> -     char* recv_window_arg = NULL;
> -     char* keepalive_arg = NULL;
> -     char* idle_timeout_arg = NULL;
> -+    char* maxauthtries_arg = NULL;
> -     char* keyfile = NULL;
> -     char c;
> - 
> -@@ -130,6 +133,7 @@ void svr_getopts(int argc, char ** argv) {
> -     svr_opts.noauthpass = 0;
> -     svr_opts.norootpass = 0;
> -     svr_opts.allowblankpass = 0;
> -+    svr_opts.maxauthtries = DEFAULT_AUTH_TRIES;
> -     svr_opts.inetdmode = 0;
> -     svr_opts.portcount = 0;
> -     svr_opts.hostkey = NULL;
> -@@ -234,6 +238,9 @@ void svr_getopts(int argc, char ** argv) {
> -                             case 'I':
> -                                     next = &idle_timeout_arg;
> -                                     break;
> -+                            case 'T':
> -+                                    next = &maxauthtries_arg;
> -+                                    break;
> - #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
> -                             case 's':
> -                                     svr_opts.noauthpass = 1;
> -@@ -330,6 +337,16 @@ void svr_getopts(int argc, char ** argv) {
> -                     dropbear_exit("Bad recv window '%s'", recv_window_arg);
> -             }
> -     }
> -+
> -+    if (maxauthtries_arg) {
> -+            unsigned int val = 0;
> -+            if (m_str_to_uint(maxauthtries_arg, &val) == DROPBEAR_FAILURE ||
> -+                    val == 0 || val > MAX_AUTH_TRIES) {
> -+                    dropbear_exit("Bad maxauthtries '%s'", 
> maxauthtries_arg);
> -+            }
> -+            svr_opts.maxauthtries = val;
> -+    }
> -+
> -     
> -     if (keepalive_arg) {
> -             unsigned int val;
> --- 
> -2.7.4
> -
> diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch 
> b/package/network/services/dropbear/patches/100-pubkey_path.patch
> index 401c7e1ba564..6672b7633fe7 100644
> --- a/package/network/services/dropbear/patches/100-pubkey_path.patch
> +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch
> @@ -1,6 +1,6 @@
>  --- a/svr-authpubkey.c
>  +++ b/svr-authpubkey.c
> -@@ -220,14 +220,20 @@ static int checkpubkey(char* algo, unsig
> +@@ -320,14 +320,20 @@ static int checkpubkey(const char* algo,
>               goto out;
>       }
>   
> @@ -29,7 +29,7 @@
>   
>       /* open the file as the authenticating user. */
>       origuid = getuid();
> -@@ -396,26 +402,35 @@ static int checkpubkeyperms() {
> +@@ -404,26 +410,35 @@ static int checkpubkeyperms() {
>               goto out;
>       }
>   
> @@ -42,17 +42,6 @@
>  -    if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
>  -            goto out;
>  -    }
> --
> --    /* check ~/.ssh */
> --    strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
> --    if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
> --            goto out;
> --    }
> --
> --    /* now check ~/.ssh/authorized_keys */
> --    strncat(filename, "/authorized_keys", 16);
> --    if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
> --            goto out;
>  +    if (ses.authstate.pw_uid == 0) {
>  +            if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
>  +                    goto out;
> @@ -70,13 +59,22 @@
>  +            if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
>  +                    goto out;
>  +            }
> -+
> + 
> +-    /* check ~/.ssh */
> +-    strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
> +-    if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
> +-            goto out;
> +-    }
>  +            /* check ~/.ssh */
>  +            strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
>  +            if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
>  +                    goto out;
>  +            }
> -+
> + 
> +-    /* now check ~/.ssh/authorized_keys */
> +-    strncat(filename, "/authorized_keys", 16);
> +-    if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
> +-            goto out;
>  +            /* now check ~/.ssh/authorized_keys */
>  +            strncat(filename, "/authorized_keys", 16);
>  +            if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
> diff --git a/package/network/services/dropbear/patches/110-change_user.patch 
> b/package/network/services/dropbear/patches/110-change_user.patch
> index 4b5c1cb51bb1..5f0c5a99161a 100644
> --- a/package/network/services/dropbear/patches/110-change_user.patch
> +++ b/package/network/services/dropbear/patches/110-change_user.patch
> @@ -1,6 +1,6 @@
>  --- a/svr-chansession.c
>  +++ b/svr-chansession.c
> -@@ -922,12 +922,12 @@ static void execchild(void *user_data) {
> +@@ -935,12 +935,12 @@ static void execchild(const void *user_d
>       /* We can only change uid/gid as root ... */
>       if (getuid() == 0) {
>   
> diff --git 
> a/package/network/services/dropbear/patches/120-openwrt_options.patch 
> b/package/network/services/dropbear/patches/120-openwrt_options.patch
> index 7f47a7430479..b35c0398fdb3 100644
> --- a/package/network/services/dropbear/patches/120-openwrt_options.patch
> +++ b/package/network/services/dropbear/patches/120-openwrt_options.patch
> @@ -1,82 +1,12 @@
> ---- a/options.h
> -+++ b/options.h
> -@@ -41,7 +41,7 @@
> -  * Both of these flags can be defined at once, don't compile without at 
> least
> -  * one of them. */
> - #define NON_INETD_MODE
> --#define INETD_MODE
> -+/*#define INETD_MODE*/
> - 
> - /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
> -  * perhaps 20% slower for pubkey operations (it is probably worth 
> experimenting
> -@@ -81,7 +81,7 @@ much traffic. */
> - 
> - /* Enable "Netcat mode" option. This will forward standard input/output
> -  * to a remote TCP-forwarded connection */
> --#define ENABLE_CLI_NETCAT
> -+/*#define ENABLE_CLI_NETCAT*/
> - 
> - /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime 
> */
> - #define ENABLE_USER_ALGO_LIST
> -@@ -91,16 +91,16 @@ much traffic. */
> -  * Including multiple keysize variants the same cipher 
> -  * (eg AES256 as well as AES128) will result in a minimal size increase.*/
> - #define DROPBEAR_AES128
> --#define DROPBEAR_3DES
> -+/*#define DROPBEAR_3DES*/
> - #define DROPBEAR_AES256
> - /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
> - /*#define DROPBEAR_BLOWFISH*/
> --#define DROPBEAR_TWOFISH256
> --#define DROPBEAR_TWOFISH128
> -+/*#define DROPBEAR_TWOFISH256*/
> -+/*#define DROPBEAR_TWOFISH128*/
> - 
> - /* Enable CBC mode for ciphers. This has security issues though
> -  * is the most compatible with older SSH implementations */
> --#define DROPBEAR_ENABLE_CBC_MODE
> -+/*#define DROPBEAR_ENABLE_CBC_MODE*/
> - 
> - /* Enable "Counter Mode" for ciphers. This is more secure than normal
> -  * CBC mode against certain attacks. It is recommended for security
> -@@ -131,10 +131,10 @@ If you test it please contact the Dropbe
> -  * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
> -  * which are not the standard form. */
> - #define DROPBEAR_SHA1_HMAC
> --#define DROPBEAR_SHA1_96_HMAC
> -+/*#define DROPBEAR_SHA1_96_HMAC*/
> - #define DROPBEAR_SHA2_256_HMAC
> --#define DROPBEAR_SHA2_512_HMAC
> --#define DROPBEAR_MD5_HMAC
> -+/*#define DROPBEAR_SHA2_512_HMAC*/
> -+/*#define DROPBEAR_MD5_HMAC*/
> - 
> - /* You can also disable integrity. Don't bother disabling this if you're
> -  * still using a cipher, it's relatively cheap. If you disable this it's 
> dead
> -@@ -146,7 +146,7 @@ If you test it please contact the Dropbe
> -  * Removing either of these won't save very much space.
> -  * SSH2 RFC Draft requires dss, recommends rsa */
> - #define DROPBEAR_RSA
> --#define DROPBEAR_DSS
> -+/*#define DROPBEAR_DSS*/
> - /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
> -  * code (either ECDSA or ECDH) increases binary size - around 30kB
> -  * on x86-64 */
> -@@ -194,7 +194,7 @@ If you test it please contact the Dropbe
> - 
> - /* Whether to print the message of the day (MOTD). This doesn't add much 
> code
> -  * size */
> --#define DO_MOTD
> -+/*#define DO_MOTD*/
> - 
> - /* The MOTD file path */
> - #ifndef MOTD_FILENAME
> -@@ -242,7 +242,7 @@ Homedir is prepended unless path begins
> -  * note that it will be provided for all "hidden" client-interactive
> -  * style prompts - if you want something more sophisticated, use 
> -  * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
> --#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
> -+/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/
> - 
> - /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
> -  * a helper program for the ssh client. The helper program should be
> +--- /dev/null
> ++++ b/localoptions.h
> +@@ -0,0 +1,9 @@
> ++/* OpenWrt defined options */
> ++
> ++#define INETD_MODE 0
> ++#define ENABLE_CLI_NETCAT 0
> ++#define DROPBEAR_3DES 0
> ++#define DROPBEAR_ENABLE_CBC_MODE 0
> ++#define DROPBEAR_SHA1_96_HMAC 0
> ++#define DROPBEAR_DSS 0
> ++#define DROPBEAR_USE_PASSWORD_ENV 0
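Review bot: The new `localoptions.h` carries fewer overrides than the `options.h` patch it replaces: `DROPBEAR_TWOFISH256`, `DROPBEAR_TWOFISH128`, `DROPBEAR_SHA2_512_HMAC`, `DROPBEAR_MD5_HMAC` and `DO_MOTD` are no longer turned off. If the 2018.76 defaults do not already disable them (the defaults are not visible in this patch), MD5 HMAC and Twofish would return to the offered algorithm set without anyone having decided that. Either add lines such as `#define DROPBEAR_MD5_HMAC 0`, or say in the commit message that upstream's defaults now cover them. An override whose name does not match upstream's is silently ignored, and the refreshed 130-ssh_ignore_x_args.patch context shows `ENABLE_USER_ALGO_LIST` became `DROPBEAR_USER_ALGO_LIST`. So `INETD_MODE`, `ENABLE_CLI_NETCAT` and `DROPBEAR_USE_PASSWORD_ENV` should each be checked against the names in `default_options.h`.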
> diff --git 
> a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch 
> b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
> index ab09c2f3dc3a..5e736320cc75 100644
> --- a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
> +++ b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
> @@ -1,6 +1,6 @@
>  --- a/cli-runopts.c
>  +++ b/cli-runopts.c
> -@@ -296,6 +296,8 @@ void cli_getopts(int argc, char ** argv)
> +@@ -299,6 +299,8 @@ void cli_getopts(int argc, char ** argv)
>                                       debug_trace = 1;
>                                       break;
>   #endif
> @@ -8,4 +8,4 @@
>  +                                    break;
>                               case 'F':
>                               case 'e':
> - #ifndef ENABLE_USER_ALGO_LIST
> + #if !DROPBEAR_USER_ALGO_LIST
> diff --git 
> a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch 
> b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
> index ccc2cb792598..974b440d49f6 100644
> --- a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
> +++ b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
> @@ -1,14 +1,11 @@
> ---- a/options.h
> -+++ b/options.h
> -@@ -5,6 +5,11 @@
> - #ifndef DROPBEAR_OPTIONS_H_
> - #define DROPBEAR_OPTIONS_H_
> - 
> +--- a/localoptions.h
> ++++ b/localoptions.h
> +@@ -7,3 +7,8 @@
> + #define DROPBEAR_SHA1_96_HMAC 0
> + #define DROPBEAR_DSS 0
> + #define DROPBEAR_USE_PASSWORD_ENV 0
> ++
>  +#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER)
> -+#define DROPBEAR_SERVER
> -+#define DROPBEAR_CLIENT
> ++    #define DROPBEAR_SERVER 1
> ++    #define DROPBEAR_CLIENT 1
>  +#endif
> -+
> - /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... 
> #endif"
> -  * parts are to allow for commandline -DDROPBEAR_XXX options etc. */
> - 
> diff --git 
> a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
>  
> b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
> index 7c67b086bbac..223c94767a02 100644
> --- 
> a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
> +++ 
> b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
> @@ -1,6 +1,6 @@
>  --- a/svr-auth.c
>  +++ b/svr-auth.c
> -@@ -149,7 +149,7 @@ void recv_msg_userauth_request() {
> +@@ -122,7 +122,7 @@ void recv_msg_userauth_request() {
>                               AUTH_METHOD_NONE_LEN) == 0) {
>               TRACE(("recv_msg_userauth_request: 'none' request"))
>               if (valid_user
> diff --git 
> a/package/network/services/dropbear/patches/610-disable-ec-by-default.patch 
> b/package/network/services/dropbear/patches/610-disable-ec-by-default.patch
> new file mode 100644
> index 000000000000..cb9761b73506
> --- /dev/null
> +++ 
> b/package/network/services/dropbear/patches/610-disable-ec-by-default.patch
> @@ -0,0 +1,10 @@
> +--- a/localoptions.h
> ++++ b/localoptions.h
> +@@ -12,3 +12,7 @@
> +     #define DROPBEAR_SERVER 1
> +     #define DROPBEAR_CLIENT 1
> + #endif
> ++
> ++#define DROPBEAR_CURVE25519 0
> ++#define DROPBEAR_ECDSA 0
> ++#define DROPBEAR_ECDH 0
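Review bot: Nothing in `localoptions.h` says that these three `0` values are placeholders which the package Makefile's awk step rewrites from `CONFIG_DROPBEAR_CURVE25519` and `CONFIG_DROPBEAR_ECC`. I would add a comment above them, for example `/* Values below are rewritten at configure time by the package Makefile */`, so that a later patch refresh does not rename or drop a line and break the awk match. If the rewrite were ever skipped, all three would stay 0 and the binary would be built without Curve25519, ECDH and ECDSA support, so the dependency is worth spelling out next to the defines.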
> diff --git 
> a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
>  
> b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
> deleted file mode 100644
> index a555a9e49856..000000000000
> --- 
> a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
> +++ /dev/null
> @@ -1,18 +0,0 @@
> ---- a/svr-runopts.c
> -+++ b/svr-runopts.c
> -@@ -505,6 +505,7 @@ void load_all_hostkeys() {
> -             m_free(hostkey_file);
> -     }
> - 
> -+    if (svr_opts.num_hostkey_files <= 0) {
> - #ifdef DROPBEAR_RSA
> -     loadhostkey(RSA_PRIV_FILENAME, 0);
> - #endif
> -@@ -516,6 +517,7 @@ void load_all_hostkeys() {
> - #ifdef DROPBEAR_ECDSA
> -     loadhostkey(ECDSA_PRIV_FILENAME, 0);
> - #endif
> -+    }
> - 
> - #ifdef DROPBEAR_DELAY_HOSTKEY
> -     if (svr_opts.delay_hostkey) {
> 

