merge up to date

--HG--
branch : fuzz

INSTALL

@@ -22,7 +22,11 @@ recompiling - bad things will happen otherwise)
 
 See MULTI for instructions on making all-in-one binaries.
 
-If you want to compile statically, add "STATIC=1" to the make command-line.
+If you want to compile statically use ./configure --enable-static
+
+By default Dropbear adds various build flags that improve robustness 
+against programming bugs (good for security) - if these cause problems
+they can be disabled with ./configure --disable-harden
 
 Binaries can be stripped with "make strip"
 

Makefile.in

@@ -2,12 +2,11 @@
 # @configure_input@
 
 # invocation:
-# make PROGRAMS="dropbear dbclient scp" MULTI=1 STATIC=1 SCPPROGRESS=1
+# make PROGRAMS="dropbear dbclient scp" MULTI=1 SCPPROGRESS=1
 #
-# to make a multiple-program statically linked binary "staticdropbearmulti".
+# to make a multiple-program binary "dropbearmulti".
 # This example will include dropbear, scp, dropbearkey, dropbearconvert, and
 # dbclient functionality, and includes the progress-bar functionality in scp.
-# Hopefully that seems intuitive.
 
 ifndef PROGRAMS
 	PROGRAMS=dropbear dbclient dropbearkey dropbearconvert
@@ -35,7 +34,7 @@ COMMONOBJS=dbutil.o buffer.o dbhelpers.o \
 		atomicio.o compat.o fake-rfc2553.o \
 		ltc_prng.o ecc.o ecdsa.o crypto_desc.o \
 		dbmalloc.o \
-		gensignkey.o gendss.o genrsa.o 
+		gensignkey.o gendss.o genrsa.o
 
 SVROBJS=svr-kex.o svr-auth.o sshpty.o \
 		svr-authpasswd.o svr-authpubkey.o svr-authpubkeyoptions.o svr-session.o svr-service.o \
@@ -99,6 +98,8 @@ LDFLAGS=@LDFLAGS@
 
 EXEEXT=@EXEEXT@
 
+STATIC=@STATIC@
+
 # whether we're building client, server, or both for the common objects.
 # evilness so we detect 'dropbear' by itself as a word
 space:= $(empty) $(empty)
@@ -120,7 +121,7 @@ ifeq ($(STATIC), 1)
 endif
 
 ifeq ($(MULTI), 1)
-	TARGETS=dropbearmulti
+	TARGETS=dropbearmulti$(EXEEXT)
 else
 	TARGETS=$(PROGRAMS)
 endif
@@ -137,14 +138,14 @@ strip: $(TARGETS)
 
 install: $(addprefix inst_, $(TARGETS))
 
-insmultidropbear: dropbearmulti
+insmultidropbear: dropbearmulti$(EXEEXT)
 	$(INSTALL) -d $(DESTDIR)$(sbindir)
 	-rm -f $(DESTDIR)$(sbindir)/dropbear$(EXEEXT)
 	-ln -s $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(sbindir)/dropbear$(EXEEXT) 
 	$(INSTALL) -d $(DESTDIR)$(mandir)/man8
 	$(INSTALL) -m 644 $(srcdir)/dropbear.8  $(DESTDIR)$(mandir)/man8/dropbear.8
 
-insmulti%: dropbearmulti
+insmulti%: dropbearmulti$(EXEEXT)
 	$(INSTALL) -d $(DESTDIR)$(bindir)
 	-rm -f $(DESTDIR)$(bindir)/$*$(EXEEXT) 
 	-ln -s $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(bindir)/$*$(EXEEXT) 
@@ -224,8 +225,9 @@ sizes: dropbear
 clean: ltc-clean ltm-clean thisclean
 
 thisclean:
-	-rm -f dropbear dbclient dropbearkey dropbearconvert scp scp-progress \
-			dropbearmulti *.o *.da *.bb *.bbg *.prof 
+	-rm -f dropbear$(EXEEXT) dbclient$(EXEEXT) dropbearkey$(EXEEXT) \
+			dropbearconvert$(EXEEXT) scp$(EXEEXT) scp-progress$(EXEEXT) \
+			dropbearmulti$(EXEEXT) *.o *.da *.bb *.bbg *.prof
 
 distclean: clean tidy
 	-rm -f config.h

configure.ac

@@ -33,9 +33,20 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
     [AC_MSG_RESULT(no); CFLAGS="$OLDCFLAGS" ]
     )
 
+STATIC=0
+AC_ARG_ENABLE(static,
+	[  --enable-static         Build static binaries],
+	[
+		if test "x$enableval" = "xyes"; then
+			STATIC=1
+			AC_MSG_NOTICE(Static Build)
+		fi
+	], [])
+AC_SUBST(STATIC)
+
 hardenbuild=1
 AC_ARG_ENABLE(harden,
-	[  --disable-harden          Don't set hardened build flags],
+	[  --disable-harden        Don't set hardened build flags],
 	[
 		if test "x$enableval" = "xno"; then
 			hardenbuild=0
@@ -45,37 +56,40 @@ AC_ARG_ENABLE(harden,
 
 if test "$hardenbuild" -eq 1; then
 	AC_MSG_NOTICE(Checking for available hardened build flags:)
-	# pie
-	OLDCFLAGS="$CFLAGS"
-	TESTFLAGS="-fPIE"
-	CFLAGS="$CFLAGS $TESTFLAGS"
-	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
-	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
-	    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
-	    )
-	OLDLDFLAGS="$LDFLAGS"
-	TESTFLAGS="-Wl,-pie"
-	LDFLAGS="$LDFLAGS $TESTFLAGS"
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
-	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
-		[
-			LDFLAGS="$OLDLDFLAGS"
-			TESTFLAGS="-pie"
-			LDFLAGS="$LDFLAGS $TESTFLAGS"
-			AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
-				[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
-				[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
-				)
-		]
-	    )
-	# readonly elf relocation sections (relro)
-	OLDLDFLAGS="$LDFLAGS"
-	TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
-	LDFLAGS="$LDFLAGS $TESTFLAGS"
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
-	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
-	    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
-	    )
+	# relocation flags don't make sense for static builds
+	if test "$STATIC" -ne 1; then
+		# pie
+		OLDCFLAGS="$CFLAGS"
+		TESTFLAGS="-fPIE"
+		CFLAGS="$CFLAGS $TESTFLAGS"
+		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
+			[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+			[AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+			)
+		OLDLDFLAGS="$LDFLAGS"
+		TESTFLAGS="-Wl,-pie"
+		LDFLAGS="$LDFLAGS $TESTFLAGS"
+		AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+			[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+			[
+				LDFLAGS="$OLDLDFLAGS"
+				TESTFLAGS="-pie"
+				LDFLAGS="$LDFLAGS $TESTFLAGS"
+				AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+					[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+					[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+					)
+			]
+			)
+		# readonly elf relocation sections (relro)
+		OLDLDFLAGS="$LDFLAGS"
+		TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
+		LDFLAGS="$LDFLAGS $TESTFLAGS"
+		AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+			[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+			[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+			)
+	fi # non-static
 	# stack protector. -strong is good but only in gcc 4.9 or later
 	OLDCFLAGS="$CFLAGS"
 	TESTFLAGS="-fstack-protector-strong"
@@ -230,7 +244,7 @@ AC_ARG_WITH(pam,
 
 
 AC_ARG_ENABLE(pam,
-	[  --enable-pam          Try to include PAM support],
+	[  --enable-pam            Try to include PAM support],
 	[
 		if test "x$enableval" = "xyes"; then
 			AC_CHECK_LIB(pam, pam_authenticate, , AC_MSG_ERROR([*** PAM missing - install first or check config.log ***]))
@@ -827,6 +841,7 @@ AS_MKDIR_P(libtomcrypt/src/modes/ecb)
 AS_MKDIR_P(libtomcrypt/src/modes/ofb)
 AS_MKDIR_P(libtomcrypt/src/modes/f8)
 AS_MKDIR_P(libtomcrypt/src/modes/lrw)
+AS_MKDIR_P(libtomcrypt/src/modes/xts)
 AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/bit)
 AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/boolean)
 AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/choice)

dbutil.c

@@ -514,7 +514,7 @@ out:
 void m_close(int fd) {
 	int val;
 
-	if (fd == -1) {
+	if (fd < 0) {
 		return;
 	}
 

default_options.h

@@ -10,7 +10,7 @@ Local customisation should be added to localoptions.h which is
 used if it exists. Options defined there will override any options in this
 file (#ifndef guards added by ifndef_wrapper.sh).
 
-Options can also be defined with -DDROPBEAR_XXX Makefile CFLAGS
+Options can also be defined with -DDROPBEAR_XXX in Makefile CFLAGS
 
 IMPORTANT: Many options will require "make clean" after changes */
 
@@ -198,6 +198,13 @@ If you test it please contact the Dropbear author */
 #define DROPBEAR_ECDSA 1
 #endif
 
+/* RSA must be >=1024 */
+#ifndef DROPBEAR_DEFAULT_RSA_SIZE
+#define DROPBEAR_DEFAULT_RSA_SIZE 2048
+#endif
+/* DSS is always 1024 */
+/* ECDSA defaults to largest size configured, usually 521 */
+
 /* Add runtime flag "-R" to generate hostkeys as-needed when the first 
    connection using that key type occurs.
    This avoids the need to otherwise run "dropbearkey" and avoids some problems
@@ -373,7 +380,8 @@ Homedir is prepended unless path begins with / */
 #define MAX_UNAUTH_CLIENTS 30
 #endif
 
-/* Maximum number of failed authentication tries (server option) */
+/* Default maximum number of failed authentication tries (server option) */
+/* -T runtime option overrides */
 #ifndef MAX_AUTH_TRIES
 #define MAX_AUTH_TRIES 10
 #endif

default_options.h.in

@@ -10,7 +10,7 @@ Local customisation should be added to localoptions.h which is
 used if it exists. Options defined there will override any options in this
 file (#ifndef guards added by ifndef_wrapper.sh).
 
-Options can also be defined with -DDROPBEAR_XXX Makefile CFLAGS
+Options can also be defined with -DDROPBEAR_XXX in Makefile CFLAGS
 
 IMPORTANT: Many options will require "make clean" after changes */
 
@@ -130,6 +130,11 @@ If you test it please contact the Dropbear author */
  * on x86-64 */
 #define DROPBEAR_ECDSA 1
 
+/* RSA must be >=1024 */
+#define DROPBEAR_DEFAULT_RSA_SIZE 2048
+/* DSS is always 1024 */
+/* ECDSA defaults to largest size configured, usually 521 */
+
 /* Add runtime flag "-R" to generate hostkeys as-needed when the first 
    connection using that key type occurs.
    This avoids the need to otherwise run "dropbearkey" and avoids some problems
@@ -253,7 +258,8 @@ Homedir is prepended unless path begins with / */
  * come from many IPs */
 #define MAX_UNAUTH_CLIENTS 30
 
-/* Maximum number of failed authentication tries (server option) */
+/* Default maximum number of failed authentication tries (server option) */
+/* -T server option overrides */
 #define MAX_AUTH_TRIES 10
 
 /* The default file to store the daemon's process ID, for shutdown

dropbear.8

@@ -91,6 +91,9 @@ if 0 disables keepalives. If no response is received for 3 consecutive keepalive
 .B \-I \fIidle_timeout
 Disconnect the session if no traffic is transmitted or received for \fIidle_timeout\fR seconds.
 .TP
+.B \-T \fImax_authentication_attempts
+Set the number of authentication attempts allowed per connection. If unspecified the default is 10 (MAX_AUTH_TRIES)
+.TP
 .B \-c \fIforced_command
 Disregard the command provided by the user and always run \fIforced_command\fR. This also
 overrides any authorized_keys command= option.

dropbearkey.c

@@ -139,7 +139,7 @@ int main(int argc, char ** argv) {
 	enum signkey_type keytype = DROPBEAR_SIGNKEY_NONE;
 	char * typetext = NULL;
 	char * sizetext = NULL;
-	unsigned int bits = 0;
+	unsigned int bits = 0, genbits;
 	int printpub = 0;
 
 	crypto_init();
@@ -240,7 +240,8 @@ int main(int argc, char ** argv) {
 		check_signkey_bits(keytype, bits);;
 	}
 
-	fprintf(stderr, "Generating key, this may take a while...\n");
+	genbits = signkey_generate_get_bits(keytype, bits);
+	fprintf(stderr, "Generating %d bit %s key, this may take a while...\n", genbits, typetext);
 	if (signkey_generate(keytype, bits, filename, 0) == DROPBEAR_FAILURE)
 	{
 		dropbear_exit("Failed to generate key.\n");

gensignkey.c

@@ -7,9 +7,6 @@
 #include "signkey.h"
 #include "dbrandom.h"
 
-#define RSA_DEFAULT_SIZE 2048
-#define DSS_DEFAULT_SIZE 1024
-
 /* Returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
 static int buf_writefile(buffer * buf, const char * filename) {
 	int ret = DROPBEAR_FAILURE;
@@ -55,11 +52,12 @@ static int get_default_bits(enum signkey_type keytype)
 	switch (keytype) {
 #if DROPBEAR_RSA
 		case DROPBEAR_SIGNKEY_RSA:
-			return RSA_DEFAULT_SIZE;
+			return DROPBEAR_DEFAULT_RSA_SIZE;
 #endif
 #if DROPBEAR_DSS
 		case DROPBEAR_SIGNKEY_DSS:
-			return DSS_DEFAULT_SIZE;
+			/* DSS for SSH only defines 1024 bits */
+			return 1024;
 #endif
 #if DROPBEAR_ECDSA
 		case DROPBEAR_SIGNKEY_ECDSA_KEYGEN:
@@ -76,6 +74,14 @@ static int get_default_bits(enum signkey_type keytype)
 	}
 }
 
+int signkey_generate_get_bits(enum signkey_type keytype, int bits) {
+	if (bits == 0)
+	{
+		bits = get_default_bits(keytype);
+	}
+	return bits;
+}
+
 /* if skip_exist is set it will silently return if the key file exists */
 int signkey_generate(enum signkey_type keytype, int bits, const char* filename, int skip_exist)
 {
@@ -83,10 +89,7 @@ int signkey_generate(enum signkey_type keytype, int bits, const char* filename,
 	buffer *buf = NULL;
 	char *fn_temp = NULL;
 	int ret = DROPBEAR_FAILURE;
-	if (bits == 0)
-	{
-		bits = get_default_bits(keytype);
-	}
+	bits = signkey_generate_get_bits(keytype, bits);
 
 	/* now we can generate the key */
 	key = new_sign_key();

gensignkey.h

@@ -4,5 +4,6 @@
 #include "signkey.h"
 
 int signkey_generate(enum signkey_type type, int bits, const char* filename, int skip_exist);
+int signkey_generate_get_bits(enum signkey_type keytype, int bits);
 
 #endif

libtomcrypt/Makefile.in

@@ -9,7 +9,8 @@ VERSION=1.17
 PLATFORM := $(shell uname | sed -e 's/_.*//')
 
 
-srcdir=.
+VPATH=@srcdir@
+srcdir=@srcdir@
 
 # Compiler and Linker Names
 #CC=gcc

libtommath/Makefile.in

@@ -2,7 +2,8 @@
 #
 #Tom St Denis
 
-srcdir=.
+VPATH=@srcdir@
+srcdir=@srcdir@
 
 # So that libtommath can include Dropbear headers for options and m_burn()
 CFLAGS += -I$(srcdir) -I../libtomcrypt/src/headers/ -I$(srcdir)/../libtomcrypt/src/headers/ -I../ -I$(srcdir)/../
@@ -26,8 +27,6 @@ endif
 
 coverage: LIBNAME:=-Wl,--whole-archive $(LIBNAME)  -Wl,--no-whole-archive
 
-include makefile.include
-
 LCOV_ARGS=--directory .
 
 #START_INS

options.h

@@ -2,6 +2,8 @@
 #define DROPBEAR_OPTIONS_H
 
 /* 
+            > > > Don't edit this file any more! < < <
+            
 Local compile-time configuration should be defined in localoptions.h
 See default_options.h.in for a description of the available options.
 */

runopts.h

@@ -96,6 +96,7 @@ typedef struct svr_runopts {
 	int noauthpass;
 	int norootpass;
 	int allowblankpass;
+	unsigned int maxauthtries;
 
 #if DROPBEAR_SVR_REMOTETCPFWD
 	int noremotetcp;

svr-auth.c

@@ -368,7 +368,7 @@ void send_msg_userauth_failure(int partial, int incrfail) {
 		ses.authstate.failcount++;
 	}
 
-	if (ses.authstate.failcount >= MAX_AUTH_TRIES) {
+	if (ses.authstate.failcount >= svr_opts.maxauthtries) {
 		char * userstr;
 		/* XXX - send disconnect ? */
 		TRACE(("Max auth tries reached, exiting"))

svr-authpubkey.c

@@ -196,7 +196,7 @@ static int checkpubkey_line(buffer* line, int line_num, char* filename,
 	int ret = DROPBEAR_FAILURE;
 
 	if (line->len < MIN_AUTHKEYS_LINE || line->len > MAX_AUTHKEYS_LINE) {
-		TRACE(("checkpubkey: bad line length %d", line->len))
+		TRACE(("checkpubkey_line: bad line length %d", line->len))
 		return DROPBEAR_FAILURE;
 	}
 
@@ -261,7 +261,7 @@ static int checkpubkey_line(buffer* line, int line_num, char* filename,
 	
 	/* check for space (' ') character */
 	if (buf_getbyte(line) != ' ') {
-		TRACE(("checkpubkey: space character expected, isn't there"))
+		TRACE(("checkpubkey_line: space character expected, isn't there"))
 		goto out;
 	}
 
@@ -273,7 +273,7 @@ static int checkpubkey_line(buffer* line, int line_num, char* filename,
 	buf_setpos(line, pos);
 	buf_setlen(line, line->pos + len);
 
-	TRACE(("checkpubkey: line pos = %d len = %d", line->pos, line->len))
+	TRACE(("checkpubkey_line: line pos = %d len = %d", line->pos, line->len))
 
 	ret = cmp_base64_key(keyblob, keybloblen, (const unsigned char *) algo, algolen, line, NULL);
 
@@ -361,8 +361,8 @@ static int checkpubkey(char* algo, unsigned int algolen,
 		}
 		line_num++;
 
-		if (checkpubkey_line(line, line_num, filename,
-				algo, algolen, keyblob, keybloblen) == DROPBEAR_SUCCESS) {
+		ret = checkpubkey_line(line, line_num, filename, algo, algolen, keyblob, keybloblen);
+		if (ret == DROPBEAR_SUCCESS) {
 			break;
 		}
 

svr-runopts.c

@@ -73,6 +73,7 @@ static void printhelp(const char * progname) {
 					"-g		Disable password logins for root\n"
 					"-B		Allow blank password logins\n"
 #endif
+					"-T		Maximum authentication tries (default %d)\n"
 #if DROPBEAR_SVR_LOCALTCPFWD
 					"-j		Disable local port forwarding\n"
 #endif
@@ -107,6 +108,7 @@ static void printhelp(const char * progname) {
 #if DROPBEAR_ECDSA
 					ECDSA_PRIV_FILENAME,
 #endif
+					MAX_AUTH_TRIES,
 					DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE,
 					DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT);
 }
@@ -119,6 +121,7 @@ void svr_getopts(int argc, char ** argv) {
 	char* recv_window_arg = NULL;
 	char* keepalive_arg = NULL;
 	char* idle_timeout_arg = NULL;
+	char* maxauthtries_arg = NULL;
 	char* keyfile = NULL;
 	char c;
 
@@ -132,6 +135,7 @@ void svr_getopts(int argc, char ** argv) {
 	svr_opts.noauthpass = 0;
 	svr_opts.norootpass = 0;
 	svr_opts.allowblankpass = 0;
+	svr_opts.maxauthtries = MAX_AUTH_TRIES;
 	svr_opts.inetdmode = 0;
 	svr_opts.portcount = 0;
 	svr_opts.hostkey = NULL;
@@ -235,6 +239,9 @@ void svr_getopts(int argc, char ** argv) {
 				case 'I':
 					next = &idle_timeout_arg;
 					break;
+				case 'T':
+					next = &maxauthtries_arg;
+					break;
 #if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
 				case 's':
 					svr_opts.noauthpass = 1;
@@ -331,6 +338,16 @@ void svr_getopts(int argc, char ** argv) {
 			dropbear_exit("Bad recv window '%s'", recv_window_arg);
 		}
 	}
+
+	if (maxauthtries_arg) {
+		unsigned int val = 0;
+		if (m_str_to_uint(maxauthtries_arg, &val) == DROPBEAR_FAILURE 
+			|| val == 0) {
+			dropbear_exit("Bad maxauthtries '%s'", maxauthtries_arg);
+		}
+		svr_opts.maxauthtries = val;
+	}
+
 	
 	if (keepalive_arg) {
 		unsigned int val;

sysoptions.h

@@ -235,11 +235,13 @@
 #define DROPBEAR_VFORK 1
 #endif
 
+#ifndef DROPBEAR_LISTEN_BACKLOG
 #if MAX_UNAUTH_CLIENTS > MAX_CHANNELS
 #define DROPBEAR_LISTEN_BACKLOG MAX_UNAUTH_CLIENTS
 #else
 #define DROPBEAR_LISTEN_BACKLOG MAX_CHANNELS
 #endif
+#endif
 
 #ifndef DROPBEAR_NONE_CIPHER
 #define DROPBEAR_NONE_CIPHER 0