diff --git a/.travis.yml b/.travis.yml index 3247917..6be9d66 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,7 +3,9 @@ compiler: - gcc script: - - autoconf && autoheader && ./configure --enable-bundled-libtom CFLAGS="-O2 -Wall -Wno-pointer-sign" --prefix=$HOME/inst && make install MULTI=1 + - autoconf && autoheader && ./configure $BUNDLEDLIBTOM CFLAGS="-O2 -Wall -Wno-pointer-sign" --prefix=$HOME/inst + - test "$NOWRITEV" && sed -i s/HAVE_WRITEV/DONT_HAVE_WRITEV/ config.h || true + - make install - ~/inst/bin/dropbearkey -t rsa -f testrsa - ~/inst/bin/dropbearkey -t dss -f testdss - ~/inst/bin/dropbearkey -t ecdsa -f testec256 -s 256 @@ -19,6 +21,10 @@ env: # The next declration is the encrypted COVERITY_SCAN_TOKEN, created # via the "travis encrypt" command using the project repo's public key - secure: "F4rKQrHK/u58vPo3F9+x0WYXAeMFJvvtH9BIGZqx9yw8bUnL+gk0Ge9wnHHTXRcgCTqoc7B35uMS5njpH+Su/esVjrLAq85f/AmQctlRpmApwGK9LyxkIvx3UJN0nqfeeDXA90/8FUZ+n/qnCydXmYCEgqSaBCNydDxW1oqYUIc=" + - BUNDLEDLIBTOM=--disable-bundled-libtom + - BUNDLEDLIBTOM=--enable-bundled-libtom + - MULTI=1 + - NOWRITEV=1 addons: coverity_scan: diff --git a/CHANGES b/CHANGES index 75e46fe..2fe5477 100644 --- a/CHANGES +++ b/CHANGES @@ -1,19 +1,32 @@ -- Improve efficiency of writing data to local program/pipes, measured 30% for - connections to localhost +- Improve efficiency of writing data to local program/pipes, measured 30% increase + increase in throughput for connections to localhost - Use TCP Fast Open on Linux if available. saves a round trip at connection to hosts that have previously been connected. Needs a recent Linux kernel and possibly "sysctl -w net.ipv4.tcp_fastopen=3" + Client side is disabled by default pending further compatibility testing + with networks and systems. - Forwarded TCP ports connect asynchronously and retry with other available - addresses (IPv4 or IPv6) + addresses (IPv4 or IPv6, round robin IPs) - Free memory before exiting, patch from Thorsten Horstmann. Useful for Dropbear ports to embedded systems and for checking memory leaks with valgrind. Only partially implemented for client side. +- Fix all compile warnings, patch from Gaƫl Portay + (note that configure with -Werror may not be successful on some platforms + such as OS X and some configuration options may result in unused variable + warnings) + - Fix small ECC memory leaks +- Tighten validation of Diffie-Hellman parameters, from Florent Daigniere of + Matt Consulting. Odds of bad values are around 2**-512 -- improbable. + +- Twofish-ctr cipher is supported though disabled by default + + 2015.67 - Wednesday 28 January 2015 - Call fsync() after generating private keys to ensure they aren't lost if a diff --git a/LICENSE b/LICENSE index 828b9af..c400d94 100644 --- a/LICENSE +++ b/LICENSE @@ -8,7 +8,7 @@ The majority of code is written by Matt Johnston, under the license below. Portions of the client-mode work are (c) 2004 Mihnea Stoenescu, under the same license: -Copyright (c) 2002-2014 Matt Johnston +Copyright (c) 2002-2015 Matt Johnston Portions copyright (c) 2004 Mihnea Stoenescu All rights reserved. diff --git a/algo.h b/algo.h index 5b7b874..49c4f41 100644 --- a/algo.h +++ b/algo.h @@ -35,7 +35,7 @@ struct Algo_Type { - const unsigned char *name; /* identifying name */ + const char *name; /* identifying name */ char val; /* a value for this cipher, or -1 for invalid */ const void *data; /* algorithm specific data */ char usable; /* whether we can use this algorithm */ diff --git a/auth.h b/auth.h index 78397ed..250a7f7 100644 --- a/auth.h +++ b/auth.h @@ -133,7 +133,7 @@ struct PubKeyOptions { int no_x11_forwarding_flag; int no_pty_flag; /* "command=" option. */ - unsigned char * forced_command; + char * forced_command; }; #endif diff --git a/buffer.c b/buffer.c index d043bdb..1e5a864 100644 --- a/buffer.c +++ b/buffer.c @@ -203,10 +203,10 @@ unsigned char* buf_getwriteptr(buffer* buf, unsigned int len) { /* Return a null-terminated string, it is malloced, so must be free()ed * Note that the string isn't checked for null bytes, hence the retlen * may be longer than what is returned by strlen */ -unsigned char* buf_getstring(buffer* buf, unsigned int *retlen) { +char* buf_getstring(buffer* buf, unsigned int *retlen) { unsigned int len; - unsigned char* ret; + char* ret; len = buf_getint(buf); if (len > MAX_STRING_LEN) { dropbear_exit("String too long"); @@ -262,16 +262,16 @@ void buf_putint(buffer* buf, int unsigned val) { } /* put a SSH style string into the buffer, increasing buffer len if required */ -void buf_putstring(buffer* buf, const unsigned char* str, unsigned int len) { +void buf_putstring(buffer* buf, const char* str, unsigned int len) { buf_putint(buf, len); - buf_putbytes(buf, str, len); + buf_putbytes(buf, (const unsigned char*)str, len); } /* puts an entire buffer as a SSH string. ignore pos of buf_str. */ void buf_putbufstring(buffer *buf, const buffer* buf_str) { - buf_putstring(buf, buf_str->data, buf_str->len); + buf_putstring(buf, (const char*)buf_str->data, buf_str->len); } /* put the set of len bytes into the buffer, incrementing the pos, increasing diff --git a/buffer.h b/buffer.h index 6ab53d7..c32b84b 100644 --- a/buffer.h +++ b/buffer.h @@ -56,11 +56,11 @@ unsigned char buf_getbool(buffer* buf); void buf_putbyte(buffer* buf, unsigned char val); unsigned char* buf_getptr(buffer* buf, unsigned int len); unsigned char* buf_getwriteptr(buffer* buf, unsigned int len); -unsigned char* buf_getstring(buffer* buf, unsigned int *retlen); +char* buf_getstring(buffer* buf, unsigned int *retlen); buffer * buf_getstringbuf(buffer *buf); void buf_eatstring(buffer *buf); void buf_putint(buffer* buf, unsigned int val); -void buf_putstring(buffer* buf, const unsigned char* str, unsigned int len); +void buf_putstring(buffer* buf, const char* str, unsigned int len); void buf_putbufstring(buffer *buf, const buffer* buf_str); void buf_putbytes(buffer *buf, const unsigned char *bytes, unsigned int len); void buf_putmpint(buffer* buf, mp_int * mp); diff --git a/channel.h b/channel.h index d16cb03..c73fbe8 100644 --- a/channel.h +++ b/channel.h @@ -135,7 +135,7 @@ int send_msg_channel_open_init(int fd, const struct ChanType *type); void recv_msg_channel_open_confirmation(); void recv_msg_channel_open_failure(); #endif -void start_send_channel_request(struct Channel *channel, unsigned char *type); +void start_send_channel_request(struct Channel *channel, char *type); void send_msg_request_success(); void send_msg_request_failure(); diff --git a/chansession.h b/chansession.h index 3dd58ac..6eb8c76 100644 --- a/chansession.h +++ b/chansession.h @@ -39,14 +39,14 @@ struct exitinfo { struct ChanSess { - unsigned char * cmd; /* command to exec */ + char * cmd; /* command to exec */ pid_t pid; /* child process pid */ /* pty details */ int master; /* the master terminal fd*/ int slave; - unsigned char * tty; - unsigned char * term; + char * tty; + char * term; /* exit details */ struct exitinfo exit; diff --git a/circbuffer.c b/circbuffer.c index 949fa84..c0c8641 100644 --- a/circbuffer.c +++ b/circbuffer.c @@ -67,23 +67,6 @@ unsigned int cbuf_getavail(circbuffer * cbuf) { } -unsigned int cbuf_readlen(circbuffer *cbuf) { - - dropbear_assert(((2*cbuf->size)+cbuf->writepos-cbuf->readpos)%cbuf->size == cbuf->used%cbuf->size); - dropbear_assert(((2*cbuf->size)+cbuf->readpos-cbuf->writepos)%cbuf->size == (cbuf->size-cbuf->used)%cbuf->size); - - if (cbuf->used == 0) { - TRACE(("cbuf_readlen: unused buffer")) - return 0; - } - - if (cbuf->readpos < cbuf->writepos) { - return cbuf->writepos - cbuf->readpos; - } - - return cbuf->size - cbuf->readpos; -} - unsigned int cbuf_writelen(circbuffer *cbuf) { dropbear_assert(cbuf->used <= cbuf->size); @@ -102,14 +85,6 @@ unsigned int cbuf_writelen(circbuffer *cbuf) { return cbuf->size - cbuf->writepos; } -unsigned char* cbuf_readptr(circbuffer *cbuf, unsigned int len) { - if (len > cbuf_readlen(cbuf)) { - dropbear_exit("Bad cbuf read"); - } - - return &cbuf->data[cbuf->readpos]; -} - void cbuf_readptrs(circbuffer *cbuf, unsigned char **p1, unsigned int *len1, unsigned char **p2, unsigned int *len2) { @@ -146,12 +121,6 @@ void cbuf_incrwrite(circbuffer *cbuf, unsigned int len) { void cbuf_incrread(circbuffer *cbuf, unsigned int len) { -#if 0 - if (len > cbuf_readlen(cbuf)) { - dropbear_exit("Bad cbuf read"); - } -#endif - dropbear_assert(cbuf->used >= len); cbuf->used -= len; cbuf->readpos = (cbuf->readpos + len) % cbuf->size; diff --git a/circbuffer.h b/circbuffer.h index 81bb91d..744a2c1 100644 --- a/circbuffer.h +++ b/circbuffer.h @@ -40,10 +40,9 @@ void cbuf_free(circbuffer * cbuf); unsigned int cbuf_getused(circbuffer * cbuf); /* how much data stored */ unsigned int cbuf_getavail(circbuffer * cbuf); /* how much we can write */ -unsigned int cbuf_readlen(circbuffer *cbuf); /* max linear read len */ unsigned int cbuf_writelen(circbuffer *cbuf); /* max linear write len */ -unsigned char* cbuf_readptr(circbuffer *cbuf, unsigned int len); +/* returns pointers to the two portions of the circular buffer that can be read */ void cbuf_readptrs(circbuffer *cbuf, unsigned char **p1, unsigned int *len1, unsigned char **p2, unsigned int *len2); diff --git a/cli-auth.c b/cli-auth.c index 70ace65..3f3677a 100644 --- a/cli-auth.c +++ b/cli-auth.c @@ -43,9 +43,9 @@ void cli_auth_getmethods() { TRACE(("enter cli_auth_getmethods")) CHECKCLEARTOWRITE(); buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_REQUEST); - buf_putstring(ses.writepayload, cli_opts.username, + buf_putstring(ses.writepayload, cli_opts.username, strlen(cli_opts.username)); - buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION, + buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION, SSH_SERVICE_CONNECTION_LEN); buf_putstring(ses.writepayload, "none", 4); /* 'none' method */ @@ -75,7 +75,7 @@ void cli_auth_getmethods() { void recv_msg_userauth_banner() { - unsigned char* banner = NULL; + char* banner = NULL; unsigned int bannerlen; unsigned int i, linecount; @@ -151,8 +151,8 @@ void recv_msg_userauth_specific_60() { void recv_msg_userauth_failure() { - unsigned char * methods = NULL; - unsigned char * tok = NULL; + char * methods = NULL; + char * tok = NULL; unsigned int methlen = 0; unsigned int partial = 0; unsigned int i = 0; diff --git a/cli-authinteract.c b/cli-authinteract.c index a06c9ca..49d65a7 100644 --- a/cli-authinteract.c +++ b/cli-authinteract.c @@ -31,10 +31,10 @@ #ifdef ENABLE_CLI_INTERACT_AUTH -static unsigned char* get_response(unsigned char* prompt) +static char* get_response(char* prompt) { FILE* tty = NULL; - unsigned char* response = NULL; + char* response = NULL; /* not a password, but a reasonable limit */ char buf[DROPBEAR_MAX_CLI_PASS]; char* ret = NULL; @@ -50,13 +50,13 @@ static unsigned char* get_response(unsigned char* prompt) } if (ret == NULL) { - response = (unsigned char*)m_strdup(""); + response = m_strdup(""); } else { unsigned int buflen = strlen(buf); /* fgets includes newlines */ if (buflen > 0 && buf[buflen-1] == '\n') buf[buflen-1] = '\0'; - response = (unsigned char*)m_strdup(buf); + response = m_strdup(buf); } m_burn(buf, sizeof(buf)); @@ -66,14 +66,14 @@ static unsigned char* get_response(unsigned char* prompt) void recv_msg_userauth_info_request() { - unsigned char *name = NULL; - unsigned char *instruction = NULL; + char *name = NULL; + char *instruction = NULL; unsigned int num_prompts = 0; unsigned int i; - unsigned char *prompt = NULL; + char *prompt = NULL; unsigned int echo = 0; - unsigned char *response = NULL; + char *response = NULL; TRACE(("enter recv_msg_recv_userauth_info_request")) @@ -121,7 +121,7 @@ void recv_msg_userauth_info_request() { echo = buf_getbool(ses.payload); if (!echo) { - unsigned char* p = getpass_or_cancel(prompt); + char* p = getpass_or_cancel(prompt); response = m_strdup(p); m_burn(p, strlen(p)); } else { @@ -153,7 +153,7 @@ void cli_auth_interactive() { strlen(cli_opts.username)); /* service name */ - buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION, + buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION, SSH_SERVICE_CONNECTION_LEN); /* method */ diff --git a/cli-authpasswd.c b/cli-authpasswd.c index 1e0bd41..3cf49a2 100644 --- a/cli-authpasswd.c +++ b/cli-authpasswd.c @@ -143,10 +143,10 @@ void cli_auth_password() { buf_putstring(ses.writepayload, cli_opts.username, strlen(cli_opts.username)); - buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION, + buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION, SSH_SERVICE_CONNECTION_LEN); - buf_putstring(ses.writepayload, AUTH_METHOD_PASSWORD, + buf_putstring(ses.writepayload, AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN); buf_putbyte(ses.writepayload, 0); /* FALSE - so says the spec */ diff --git a/cli-authpubkey.c b/cli-authpubkey.c index cdef36e..d53178e 100644 --- a/cli-authpubkey.c +++ b/cli-authpubkey.c @@ -141,7 +141,7 @@ void cli_buf_put_sign(buffer* buf, sign_key *key, int type, static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign) { const char *algoname = NULL; - int algolen; + unsigned int algolen; buffer* sigbuf = NULL; TRACE(("enter send_msg_userauth_pubkey")) @@ -152,10 +152,10 @@ static void send_msg_userauth_pubkey(sign_key *key, int type, int realsign) { buf_putstring(ses.writepayload, cli_opts.username, strlen(cli_opts.username)); - buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION, + buf_putstring(ses.writepayload, SSH_SERVICE_CONNECTION, SSH_SERVICE_CONNECTION_LEN); - buf_putstring(ses.writepayload, AUTH_METHOD_PUBKEY, + buf_putstring(ses.writepayload, AUTH_METHOD_PUBKEY, AUTH_METHOD_PUBKEY_LEN); buf_putbyte(ses.writepayload, realsign); diff --git a/cli-chansession.c b/cli-chansession.c index 57457d2..5e00149 100644 --- a/cli-chansession.c +++ b/cli-chansession.c @@ -56,7 +56,7 @@ const struct ChanType clichansess = { static void cli_chansessreq(struct Channel *channel) { - unsigned char* type = NULL; + char* type = NULL; int wantreply; TRACE(("enter cli_chansessreq")) @@ -272,7 +272,7 @@ void cli_chansess_winchange() { static void send_chansess_pty_req(struct Channel *channel) { - unsigned char* term = NULL; + char* term = NULL; TRACE(("enter send_chansess_pty_req")) @@ -305,7 +305,7 @@ static void send_chansess_pty_req(struct Channel *channel) { static void send_chansess_shell_req(struct Channel *channel) { - unsigned char* reqtype = NULL; + char* reqtype = NULL; TRACE(("enter send_chansess_shell_req")) @@ -392,7 +392,7 @@ static const struct ChanType cli_chan_netcat = { void cli_send_netcat_request() { - const unsigned char* source_host = "127.0.0.1"; + const char* source_host = "127.0.0.1"; const int source_port = 22; TRACE(("enter cli_send_netcat_request")) @@ -403,7 +403,7 @@ void cli_send_netcat_request() { dropbear_exit("Couldn't open initial channel"); } - buf_putstring(ses.writepayload, cli_opts.netcat_host, + buf_putstring(ses.writepayload, cli_opts.netcat_host, strlen(cli_opts.netcat_host)); buf_putint(ses.writepayload, cli_opts.netcat_port); diff --git a/cli-kex.c b/cli-kex.c index a590157..07ee431 100644 --- a/cli-kex.c +++ b/cli-kex.c @@ -79,7 +79,7 @@ void send_msg_kexdh_init() { } cli_ses.curve25519_param = gen_kexcurve25519_param(); } - buf_putstring(ses.writepayload, cli_ses.curve25519_param->pub, CURVE25519_LEN); + buf_putstring(ses.writepayload, (const char*)cli_ses.curve25519_param->pub, CURVE25519_LEN); #endif break; } @@ -322,7 +322,7 @@ static void checkhostkey(unsigned char* keyblob, unsigned int keybloblen) { } /* Compare hostnames */ - if (strncmp(cli_opts.remotehost, buf_getptr(line, hostlen), + if (strncmp(cli_opts.remotehost, (const char *) buf_getptr(line, hostlen), hostlen) != 0) { continue; } @@ -334,7 +334,7 @@ static void checkhostkey(unsigned char* keyblob, unsigned int keybloblen) { continue; } - if (strncmp(buf_getptr(line, algolen), algoname, algolen) != 0) { + if (strncmp((const char *) buf_getptr(line, algolen), algoname, algolen) != 0) { TRACE(("algo doesn't match")) continue; } @@ -346,7 +346,7 @@ static void checkhostkey(unsigned char* keyblob, unsigned int keybloblen) { } /* Now we're at the interesting hostkey */ - ret = cmp_base64_key(keyblob, keybloblen, algoname, algolen, + ret = cmp_base64_key(keyblob, keybloblen, (const unsigned char *) algoname, algolen, line, &fingerprint); if (ret == DROPBEAR_SUCCESS) { @@ -382,9 +382,9 @@ static void checkhostkey(unsigned char* keyblob, unsigned int keybloblen) { fseek(hostsfile, 0, SEEK_END); /* In case it wasn't opened append */ buf_setpos(line, 0); buf_setlen(line, 0); - buf_putbytes(line, cli_opts.remotehost, hostlen); + buf_putbytes(line, (const unsigned char *) cli_opts.remotehost, hostlen); buf_putbyte(line, ' '); - buf_putbytes(line, algoname, algolen); + buf_putbytes(line, (const unsigned char *) algoname, algolen); buf_putbyte(line, ' '); len = line->size - line->pos; /* The only failure with base64 is buffer_overflow, but buf_getwriteptr diff --git a/cli-runopts.c b/cli-runopts.c index 467776b..5bd4c55 100644 --- a/cli-runopts.c +++ b/cli-runopts.c @@ -447,7 +447,7 @@ void cli_getopts(int argc, char ** argv) { } #endif -#ifdef DROPBEAR_DEFAULT_CLI_AUTHKEY +#if defined(DROPBEAR_DEFAULT_CLI_AUTHKEY) && defined(ENABLE_CLI_PUBKEY_AUTH) { char *expand_path = expand_tilde(DROPBEAR_DEFAULT_CLI_AUTHKEY); loadidentityfile(expand_path, 0); @@ -498,11 +498,14 @@ multihop_passthrough_args() { m_list_elem *iter; /* Fill out -i, -y, -W options that make sense for all * the intermediate processes */ +#ifdef ENABLE_CLI_PUBKEY_AUTH for (iter = cli_opts.privkeys->first; iter; iter = iter->next) { sign_key * key = (sign_key*)iter->item; len += 3 + strlen(key->filename); } +#endif /* ENABLE_CLI_PUBKEY_AUTH */ + len += 30; /* space for -W , terminator. */ ret = m_malloc(len); total = 0; @@ -524,6 +527,7 @@ multihop_passthrough_args() { total += written; } +#ifdef ENABLE_CLI_PUBKEY_AUTH for (iter = cli_opts.privkeys->first; iter; iter = iter->next) { sign_key * key = (sign_key*)iter->item; @@ -532,6 +536,7 @@ multihop_passthrough_args() { dropbear_assert((unsigned int)written < size); total += written; } +#endif /* ENABLE_CLI_PUBKEY_AUTH */ /* if args were passed, total will be not zero, and it will have a space at the end, so remove that */ if (total > 0) diff --git a/cli-session.c b/cli-session.c index 815f5b6..10244a7 100644 --- a/cli-session.c +++ b/cli-session.c @@ -124,6 +124,8 @@ void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection /* Exchange identification */ send_session_identification(); + kexfirstinitialise(); /* initialise the kex state */ + send_msg_kexinit(); session_loop(cli_sessionloop); @@ -372,10 +374,10 @@ static void cli_remoteclosed() { /* Operates in-place turning dirty (untrusted potentially containing control * characters) text into clean text. * Note: this is safe only with ascii - other charsets could have problems. */ -void cleantext(unsigned char* dirtytext) { +void cleantext(char* dirtytext) { unsigned int i, j; - unsigned char c; + char c; j = 0; for (i = 0; dirtytext[i] != '\0'; i++) { diff --git a/common-algo.c b/common-algo.c index a3e9d78..002ae66 100644 --- a/common-algo.c +++ b/common-algo.c @@ -144,12 +144,15 @@ algo_type sshciphers[] = { #ifdef DROPBEAR_AES256 {"aes256-ctr", 0, &dropbear_aes256, 1, &dropbear_mode_ctr}, #endif +#ifdef DROPBEAR_TWOFISH_CTR +/* twofish ctr is conditional as it hasn't been tested for interoperability, see options.h */ #ifdef DROPBEAR_TWOFISH256 {"twofish256-ctr", 0, &dropbear_twofish256, 1, &dropbear_mode_ctr}, #endif #ifdef DROPBEAR_TWOFISH128 {"twofish128-ctr", 0, &dropbear_twofish128, 1, &dropbear_mode_ctr}, #endif +#endif /* DROPBEAR_TWOFISH_CTR */ #endif /* DROPBEAR_ENABLE_CTR_MODE */ #ifdef DROPBEAR_ENABLE_CBC_MODE @@ -322,10 +325,10 @@ void buf_put_algolist(buffer * buf, algo_type localalgos[]) { buf_putbyte(algolist, ','); donefirst = 1; len = strlen(localalgos[i].name); - buf_putbytes(algolist, localalgos[i].name, len); + buf_putbytes(algolist, (const unsigned char *) localalgos[i].name, len); } } - buf_putstring(buf, algolist->data, algolist->len); + buf_putstring(buf, (const char*)algolist->data, algolist->len); buf_free(algolist); } @@ -338,12 +341,12 @@ algo_type * buf_match_algo(buffer* buf, algo_type localalgos[], enum kexguess2_used *kexguess2, int *goodguess) { - unsigned char * algolist = NULL; - const unsigned char *remotenames[MAX_PROPOSED_ALGO], *localnames[MAX_PROPOSED_ALGO]; + char * algolist = NULL; + const char *remotenames[MAX_PROPOSED_ALGO], *localnames[MAX_PROPOSED_ALGO]; unsigned int len; unsigned int remotecount, localcount, clicount, servcount, i, j; algo_type * ret = NULL; - const unsigned char **clinames, **servnames; + const char **clinames, **servnames; if (goodguess) { *goodguess = 0; @@ -488,7 +491,7 @@ algolist_string(algo_type algos[]) buf_setpos(b, b->len); buf_putbyte(b, '\0'); buf_setpos(b, 4); - ret_list = m_strdup(buf_getptr(b, b->len - b->pos)); + ret_list = m_strdup((const char *) buf_getptr(b, b->len - b->pos)); buf_free(b); return ret_list; } diff --git a/common-channel.c b/common-channel.c index 6dce497..abe5941 100644 --- a/common-channel.c +++ b/common-channel.c @@ -38,7 +38,7 @@ #include "netio.h" static void send_msg_channel_open_failure(unsigned int remotechan, int reason, - const unsigned char *text, const unsigned char *lang); + const char *text, const char *lang); static void send_msg_channel_open_confirmation(struct Channel* channel, unsigned int recvwindow, unsigned int recvmaxpacket); @@ -434,10 +434,36 @@ static void send_msg_channel_eof(struct Channel *channel) { TRACE(("leave send_msg_channel_eof")) } -/* Called to write data out to the local side of the channel. - Writes the circular buffer contents and also the "moredata" buffer - if not null. Will ignore EAGAIN */ -static void writechannel(struct Channel* channel, int fd, circbuffer *cbuf, +#ifndef HAVE_WRITEV +static void writechannel_fallback(struct Channel* channel, int fd, circbuffer *cbuf, + const unsigned char *UNUSED(moredata), unsigned int *morelen) { + + unsigned char *circ_p1, *circ_p2; + unsigned int circ_len1, circ_len2; + ssize_t written; + + if (morelen) { + /* fallback doesn't consume moredata */ + *morelen = 0; + } + + /* Write the first portion of the circular buffer */ + cbuf_readptrs(cbuf, &circ_p1, &circ_len1, &circ_p2, &circ_len2); + written = write(fd, circ_p1, circ_len1); + if (written < 0) { + if (errno != EINTR && errno != EAGAIN) { + TRACE(("channel IO write error fd %d %s", fd, strerror(errno))) + close_chan_fd(channel, fd, SHUT_WR); + } + } else { + cbuf_incrread(cbuf, written); + channel->recvdonelen += written; + } +} +#endif /* !HAVE_WRITEV */ + +#ifdef HAVE_WRITEV +static void writechannel_writev(struct Channel* channel, int fd, circbuffer *cbuf, const unsigned char *moredata, unsigned int *morelen) { struct iovec iov[3]; @@ -445,9 +471,7 @@ static void writechannel(struct Channel* channel, int fd, circbuffer *cbuf, unsigned int circ_len1, circ_len2; int io_count = 0; - int written; - - TRACE(("enter writechannel fd %d", fd)) + ssize_t written; cbuf_readptrs(cbuf, &circ_p1, &circ_len1, &circ_p2, &circ_len2); @@ -502,24 +526,19 @@ static void writechannel(struct Channel* channel, int fd, circbuffer *cbuf, channel->recvdonelen += written; } -#if 0 +} +#endif /* HAVE_WRITEV */ - maxlen = cbuf_readlen(cbuf); - - /* Write the data out */ - len = write(fd, cbuf_readptr(cbuf, maxlen), maxlen); - if (len <= 0) { - TRACE(("errno %d len %d", errno, len)) - if (len < 0 && errno != EINTR) { - close_chan_fd(channel, fd, SHUT_WR); - } - TRACE(("leave writechannel: len <= 0")) - return; - } - TRACE(("writechannel wrote %d", len)) - - cbuf_incrread(cbuf, len); - channel->recvdonelen += len; +/* Called to write data out to the local side of the channel. + Writes the circular buffer contents and also the "moredata" buffer + if not null. Will ignore EAGAIN */ +static void writechannel(struct Channel* channel, int fd, circbuffer *cbuf, + const unsigned char *moredata, unsigned int *morelen) { + TRACE(("enter writechannel fd %d", fd)) +#ifdef HAVE_WRITEV + writechannel_writev(channel, fd, cbuf, moredata, morelen); +#else + writechannel_fallback(channel, fd, cbuf, moredata, morelen); #endif /* Window adjust handling */ @@ -537,6 +556,7 @@ static void writechannel(struct Channel* channel, int fd, circbuffer *cbuf, TRACE(("leave writechannel")) } + /* Set the file descriptors for the main select in session.c * This avoid channels which don't have any window available, are closed, etc*/ void setchannelfds(fd_set *readfds, fd_set *writefds, int allow_reads) { @@ -901,7 +921,7 @@ static void send_msg_channel_window_adjust(struct Channel* channel, /* Handle a new channel request, performing any channel-type-specific setup */ void recv_msg_channel_open() { - unsigned char *type; + char *type; unsigned int typelen; unsigned int remotechan, transwindow, transmaxpacket; struct Channel *channel; @@ -1019,7 +1039,7 @@ void send_msg_channel_success(struct Channel *channel) { /* Send a channel open failure message, with a corresponding reason * code (usually resource shortage or unknown chan type) */ static void send_msg_channel_open_failure(unsigned int remotechan, - int reason, const unsigned char *text, const unsigned char *lang) { + int reason, const char *text, const char *lang) { TRACE(("enter send_msg_channel_open_failure")) CHECKCLEARTOWRITE(); @@ -1027,8 +1047,8 @@ static void send_msg_channel_open_failure(unsigned int remotechan, buf_putbyte(ses.writepayload, SSH_MSG_CHANNEL_OPEN_FAILURE); buf_putint(ses.writepayload, remotechan); buf_putint(ses.writepayload, reason); - buf_putstring(ses.writepayload, text, strlen((char*)text)); - buf_putstring(ses.writepayload, lang, strlen((char*)lang)); + buf_putstring(ses.writepayload, text, strlen(text)); + buf_putstring(ses.writepayload, lang, strlen(lang)); encrypt_packet(); TRACE(("leave send_msg_channel_open_failure")) @@ -1224,7 +1244,7 @@ struct Channel* get_any_ready_channel() { } void start_send_channel_request(struct Channel *channel, - unsigned char *type) { + char *type) { CHECKCLEARTOWRITE(); buf_putbyte(ses.writepayload, SSH_MSG_CHANNEL_REQUEST); diff --git a/common-kex.c b/common-kex.c index 0e477da..2907715 100644 --- a/common-kex.c +++ b/common-kex.c @@ -511,7 +511,7 @@ void recv_msg_kexinit() { /* start the kex hash */ local_ident_len = strlen(LOCAL_IDENT); - remote_ident_len = strlen((char*)ses.remoteident); + remote_ident_len = strlen(ses.remoteident); kexhashbuf_len = local_ident_len + remote_ident_len + ses.transkexinit->len + ses.payload->len @@ -525,18 +525,17 @@ void recv_msg_kexinit() { read_kex_algos(); /* V_C, the client's version string (CR and NL excluded) */ - buf_putstring(ses.kexhashbuf, - (unsigned char*)LOCAL_IDENT, local_ident_len); + buf_putstring(ses.kexhashbuf, LOCAL_IDENT, local_ident_len); /* V_S, the server's version string (CR and NL excluded) */ buf_putstring(ses.kexhashbuf, ses.remoteident, remote_ident_len); /* I_C, the payload of the client's SSH_MSG_KEXINIT */ buf_putstring(ses.kexhashbuf, - ses.transkexinit->data, ses.transkexinit->len); + (const char*)ses.transkexinit->data, ses.transkexinit->len); /* I_S, the payload of the server's SSH_MSG_KEXINIT */ buf_setpos(ses.payload, ses.payload_beginning); buf_putstring(ses.kexhashbuf, - buf_getptr(ses.payload, ses.payload->len-ses.payload->pos), + (const char*)buf_getptr(ses.payload, ses.payload->len-ses.payload->pos), ses.payload->len-ses.payload->pos); ses.requirenext = SSH_MSG_KEXDH_REPLY; } else { @@ -547,18 +546,17 @@ void recv_msg_kexinit() { /* V_C, the client's version string (CR and NL excluded) */ buf_putstring(ses.kexhashbuf, ses.remoteident, remote_ident_len); /* V_S, the server's version string (CR and NL excluded) */ - buf_putstring(ses.kexhashbuf, - (unsigned char*)LOCAL_IDENT, local_ident_len); + buf_putstring(ses.kexhashbuf, LOCAL_IDENT, local_ident_len); /* I_C, the payload of the client's SSH_MSG_KEXINIT */ buf_setpos(ses.payload, ses.payload_beginning); buf_putstring(ses.kexhashbuf, - buf_getptr(ses.payload, ses.payload->len-ses.payload->pos), + (const char*)buf_getptr(ses.payload, ses.payload->len-ses.payload->pos), ses.payload->len-ses.payload->pos); /* I_S, the payload of the server's SSH_MSG_KEXINIT */ buf_putstring(ses.kexhashbuf, - ses.transkexinit->data, ses.transkexinit->len); + (const char*)ses.transkexinit->data, ses.transkexinit->len); ses.requirenext = SSH_MSG_KEXDH_INIT; } @@ -783,9 +781,9 @@ void kexcurve25519_comb_key(struct kex_curve25519_param *param, buffer *buf_pub_ /* K_S, the host key */ buf_put_pub_key(ses.kexhashbuf, hostkey, ses.newkeys->algo_hostkey); /* Q_C, client's ephemeral public key octet string */ - buf_putstring(ses.kexhashbuf, Q_C, CURVE25519_LEN); + buf_putstring(ses.kexhashbuf, (const char*)Q_C, CURVE25519_LEN); /* Q_S, server's ephemeral public key octet string */ - buf_putstring(ses.kexhashbuf, Q_S, CURVE25519_LEN); + buf_putstring(ses.kexhashbuf, (const char*)Q_S, CURVE25519_LEN); /* K, the shared secret */ buf_putmpint(ses.kexhashbuf, ses.dh_K); diff --git a/common-session.c b/common-session.c index 44e7030..8ec7516 100644 --- a/common-session.c +++ b/common-session.c @@ -1,7 +1,7 @@ /* * Dropbear - a SSH2 server * - * Copyright (c) 2002,2003 Matt Johnston + * Copyright (c) Matt Johnston * All rights reserved. * * Permission is hereby granted, free of charge, to any person obtaining a copy @@ -90,8 +90,6 @@ void common_session_init(int sock_in, int sock_out) { ses.maxfd = MAX(ses.maxfd, ses.signal_pipe[0]); ses.maxfd = MAX(ses.maxfd, ses.signal_pipe[1]); - kexfirstinitialise(); /* initialise the kex state */ - ses.writepayload = buf_new(TRANS_MAX_PAYLOAD_LEN); ses.transseq = 0; @@ -280,7 +278,7 @@ void session_cleanup() { return; } - /* Beware of changing order of functions here. */ + /* BEWARE of changing order of functions here. */ /* Must be before extra_session_cleanup() */ chancleanup(); @@ -289,7 +287,7 @@ void session_cleanup() { ses.extra_session_cleanup(); } - /* After these are freed most functions will exit */ + /* After these are freed most functions will fail */ #ifdef DROPBEAR_CLEANUP /* listeners call cleanup functions, this should occur before other session state is freed. */ @@ -329,7 +327,7 @@ void session_cleanup() { void send_session_identification() { buffer *writebuf = buf_new(strlen(LOCAL_IDENT "\r\n") + 1); - buf_putbytes(writebuf, LOCAL_IDENT "\r\n", strlen(LOCAL_IDENT "\r\n")); + buf_putbytes(writebuf, (const unsigned char *) LOCAL_IDENT "\r\n", strlen(LOCAL_IDENT "\r\n")); writebuf_enqueue(writebuf, 0); } diff --git a/configure.ac b/configure.ac index b0e85e5..6ae8c32 100644 --- a/configure.ac +++ b/configure.ac @@ -265,7 +265,7 @@ AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage #include #include ]], - [[ struct sockaddr_storage s; ]])], + [[ if (sizeof(struct sockaddr_storage)) return 0 ]])], [ ac_cv_have_struct_sockaddr_storage="yes" ], [ ac_cv_have_struct_sockaddr_storage="no" ] ) @@ -279,7 +279,7 @@ AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [ #include #include ]], - [[ struct sockaddr_in6 s; s.sin6_family = 0; ]])], + [[ if (sizeof(struct sockaddr_in6)) return 0 ]])], [ ac_cv_have_struct_sockaddr_in6="yes" ], [ ac_cv_have_struct_sockaddr_in6="no" ] ) @@ -293,7 +293,7 @@ AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [ #include #include ]], - [[ struct in6_addr s; s.s6_addr[0] = 0; ]])], + [[ if (sizeof(struct in6_addr)) return 0 ]])], [ ac_cv_have_struct_in6_addr="yes" ], [ ac_cv_have_struct_in6_addr="no" ] ) @@ -308,7 +308,7 @@ AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [ #include #include ]], - [[ struct addrinfo s; s.ai_flags = AI_PASSIVE; ]])], + [[ if (sizeof(struct addrinfo)) return 0 ]])], [ ac_cv_have_struct_addrinfo="yes" ], [ ac_cv_have_struct_addrinfo="no" ] ) diff --git a/dbrandom.c b/dbrandom.c index cf280f4..02e7803 100644 --- a/dbrandom.c +++ b/dbrandom.c @@ -141,7 +141,7 @@ out: return ret; } -void addrandom(char * buf, unsigned int len) +void addrandom(unsigned char * buf, unsigned int len) { hash_state hs; diff --git a/dbrandom.h b/dbrandom.h index 3434f69..6e262f3 100644 --- a/dbrandom.h +++ b/dbrandom.h @@ -29,7 +29,7 @@ void seedrandom(); void genrandom(unsigned char* buf, unsigned int len); -void addrandom(char * buf, unsigned int len); +void addrandom(unsigned char * buf, unsigned int len); void gen_random_mpint(mp_int *max, mp_int *rand); #endif /* DROPBEAR_RANDOM_H_ */ diff --git a/dss.c b/dss.c index d4c4407..b771ec0 100644 --- a/dss.c +++ b/dss.c @@ -165,7 +165,7 @@ int buf_dss_verify(buffer* buf, dropbear_dss_key *key, buffer *data_buf) { DEF_MP_INT(val3); DEF_MP_INT(val4); char * string = NULL; - int stringlen; + unsigned int stringlen; TRACE(("enter buf_dss_verify")) dropbear_assert(key != NULL); @@ -186,7 +186,7 @@ int buf_dss_verify(buffer* buf, dropbear_dss_key *key, buffer *data_buf) { /* create the signature - s' and r' are the received signatures in buf */ /* w = (s')-1 mod q */ /* let val1 = s' */ - bytes_to_mp(&val1, &string[SHA1_HASH_SIZE], SHA1_HASH_SIZE); + bytes_to_mp(&val1, (const unsigned char*) &string[SHA1_HASH_SIZE], SHA1_HASH_SIZE); if (mp_cmp(&val1, key->q) != MP_LT) { TRACE(("verify failed, s' >= q")) @@ -208,7 +208,7 @@ int buf_dss_verify(buffer* buf, dropbear_dss_key *key, buffer *data_buf) { /* u2 = ((r')w) mod q */ /* let val1 = r' */ - bytes_to_mp(&val1, &string[0], SHA1_HASH_SIZE); + bytes_to_mp(&val1, (const unsigned char*) &string[0], SHA1_HASH_SIZE); if (mp_cmp(&val1, key->q) != MP_LT) { TRACE(("verify failed, r' >= q")) goto out; diff --git a/ecc.h b/ecc.h index 703c717..93f85cf 100644 --- a/ecc.h +++ b/ecc.h @@ -12,7 +12,7 @@ struct dropbear_ecc_curve { int ltc_size; /* to match the byte sizes in ltc_ecc_sets[] */ const ltc_ecc_set_type *dp; /* curve domain parameters */ const struct ltc_hash_descriptor *hash_desc; - const unsigned char *name; + const char *name; }; extern struct dropbear_ecc_curve ecc_curve_nistp256; diff --git a/ecdsa.c b/ecdsa.c index 4fee796..5568131 100644 --- a/ecdsa.c +++ b/ecdsa.c @@ -83,9 +83,9 @@ ecc_key *buf_get_ecdsa_pub_key(buffer* buf) { ecc_key *new_key = NULL; /* string "ecdsa-sha2-[identifier]" */ - key_ident = buf_getstring(buf, &key_ident_len); + key_ident = (unsigned char*)buf_getstring(buf, &key_ident_len); /* string "[identifier]" */ - identifier = buf_getstring(buf, &identifier_len); + identifier = (unsigned char*)buf_getstring(buf, &identifier_len); if (key_ident_len != identifier_len + strlen("ecdsa-sha2-")) { TRACE(("Bad identifier lengths")) @@ -140,10 +140,10 @@ ecc_key *buf_get_ecdsa_priv_key(buffer *buf) { void buf_put_ecdsa_pub_key(buffer *buf, ecc_key *key) { struct dropbear_ecc_curve *curve = NULL; - unsigned char key_ident[30]; + char key_ident[30]; curve = curve_for_dp(key->dp); - snprintf((char*)key_ident, sizeof(key_ident), "ecdsa-sha2-%s", curve->name); + snprintf(key_ident, sizeof(key_ident), "ecdsa-sha2-%s", curve->name); buf_putstring(buf, key_ident, strlen(key_ident)); buf_putstring(buf, curve->name, strlen(curve->name)); buf_put_ecc_raw_pubkey_string(buf, key); @@ -161,7 +161,7 @@ void buf_put_ecdsa_sign(buffer *buf, ecc_key *key, buffer *data_buf) { hash_state hs; unsigned char hash[64]; void *e = NULL, *p = NULL, *s = NULL, *r; - unsigned char key_ident[30]; + char key_ident[30]; buffer *sigbuf = NULL; TRACE(("buf_put_ecdsa_sign")) @@ -222,7 +222,7 @@ void buf_put_ecdsa_sign(buffer *buf, ecc_key *key, buffer *data_buf) { } } - snprintf((char*)key_ident, sizeof(key_ident), "ecdsa-sha2-%s", curve->name); + snprintf(key_ident, sizeof(key_ident), "ecdsa-sha2-%s", curve->name); buf_putstring(buf, key_ident, strlen(key_ident)); /* enough for nistp521 */ sigbuf = buf_new(200); diff --git a/gendss.c b/gendss.c index 21d13a0..783e25f 100644 --- a/gendss.c +++ b/gendss.c @@ -67,7 +67,7 @@ dropbear_dss_key * gen_dss_priv_key(unsigned int size) { static void getq(dropbear_dss_key *key) { - char buf[QSIZE]; + unsigned char buf[QSIZE]; /* 160 bit prime */ genrandom(buf, QSIZE); diff --git a/keyimport.c b/keyimport.c index 8a0d525..d45914f 100644 --- a/keyimport.c +++ b/keyimport.c @@ -193,7 +193,7 @@ out: static void base64_encode_fp(FILE * fp, unsigned char *data, int datalen, int cpl) { - char out[100]; + unsigned char out[100]; int n; unsigned long outlen; int rawcpl; @@ -445,7 +445,7 @@ static struct openssh_key *load_openssh_key(const char *filename) ret->keyblob_size); } outlen = ret->keyblob_size - ret->keyblob_len; - if (base64_decode(buffer, len, + if (base64_decode((const unsigned char *)buffer, len, ret->keyblob + ret->keyblob_len, &outlen) != CRYPT_OK){ errmsg = "Error decoding base64"; goto error; @@ -507,7 +507,7 @@ static sign_key *openssh_read(const char *filename, char * UNUSED(passphrase)) int i, num_integers = 0; sign_key *retval = NULL; char *errmsg; - char *modptr = NULL; + unsigned char *modptr = NULL; int modlen = -9999; enum signkey_type type; @@ -646,12 +646,12 @@ static sign_key *openssh_read(const char *filename, char * UNUSED(passphrase)) */ if (i == 1) { /* Save the details for after we deal with number 2. */ - modptr = (char *)p; + modptr = p; modlen = len; } else if (i >= 2 && i <= 5) { - buf_putstring(blobbuf, p, len); + buf_putstring(blobbuf, (const char*)p, len); if (i == 2) { - buf_putstring(blobbuf, modptr, modlen); + buf_putstring(blobbuf, (const char*)modptr, modlen); } } } else if (key->type == OSSH_DSA) { @@ -659,7 +659,7 @@ static sign_key *openssh_read(const char *filename, char * UNUSED(passphrase)) * OpenSSH key order is p, q, g, y, x, * we want the same. */ - buf_putstring(blobbuf, p, len); + buf_putstring(blobbuf, (const char*)p, len); } /* Skip past the number. */ @@ -1043,7 +1043,7 @@ static int openssh_write(const char *filename, sign_key *key, int curve_oid_len = 0; const void* curve_oid = NULL; unsigned long pubkey_size = 2*curve_size+1; - unsigned int k_size; + int k_size; int err = 0; /* version. less than 10 bytes */ diff --git a/libtomcrypt/src/ciphers/aes/aes.c b/libtomcrypt/src/ciphers/aes/aes.c index 74798e8..55f6333 100644 --- a/libtomcrypt/src/ciphers/aes/aes.c +++ b/libtomcrypt/src/ciphers/aes/aes.c @@ -122,9 +122,10 @@ static ulong32 setup_mix2(ulong32 temp) */ int SETUP(const unsigned char *key, int keylen, int num_rounds, symmetric_key *skey) { - int i, j; + int i; ulong32 temp, *rk; #ifndef ENCRYPT_ONLY + int j; ulong32 *rrk; #endif LTC_ARGCHK(key != NULL); @@ -148,7 +149,9 @@ int SETUP(const unsigned char *key, int keylen, int num_rounds, symmetric_key *s LOAD32H(rk[2], key + 8); LOAD32H(rk[3], key + 12); if (keylen == 16) { + #ifndef ENCRYPT_ONLY j = 44; + #endif for (;;) { temp = rk[3]; rk[4] = rk[0] ^ setup_mix(temp) ^ rcon[i]; @@ -161,7 +164,9 @@ int SETUP(const unsigned char *key, int keylen, int num_rounds, symmetric_key *s rk += 4; } } else if (keylen == 24) { + #ifndef ENCRYPT_ONLY j = 52; + #endif LOAD32H(rk[4], key + 16); LOAD32H(rk[5], key + 20); for (;;) { @@ -182,7 +187,9 @@ int SETUP(const unsigned char *key, int keylen, int num_rounds, symmetric_key *s rk += 6; } } else if (keylen == 32) { + #ifndef ENCRYPT_ONLY j = 60; + #endif LOAD32H(rk[4], key + 16); LOAD32H(rk[5], key + 20); LOAD32H(rk[6], key + 24); @@ -728,6 +735,7 @@ int ECB_TEST(void) */ void ECB_DONE(symmetric_key *skey) { + (void)skey; } diff --git a/libtomcrypt/src/ciphers/des.c b/libtomcrypt/src/ciphers/des.c index e505b14..6005e84 100644 --- a/libtomcrypt/src/ciphers/des.c +++ b/libtomcrypt/src/ciphers/des.c @@ -1871,6 +1871,7 @@ void des_done(symmetric_key *skey) */ void des3_done(symmetric_key *skey) { + (void)skey; } diff --git a/libtomcrypt/src/ciphers/twofish/twofish.c b/libtomcrypt/src/ciphers/twofish/twofish.c index 9e6d0d4..8f81bdd 100644 --- a/libtomcrypt/src/ciphers/twofish/twofish.c +++ b/libtomcrypt/src/ciphers/twofish/twofish.c @@ -684,6 +684,7 @@ int twofish_test(void) */ void twofish_done(symmetric_key *skey) { + (void)skey; } /** diff --git a/libtomcrypt/src/hashes/helper/hash_file.c b/libtomcrypt/src/hashes/helper/hash_file.c index a92025c..df31606 100644 --- a/libtomcrypt/src/hashes/helper/hash_file.c +++ b/libtomcrypt/src/hashes/helper/hash_file.c @@ -25,6 +25,7 @@ int hash_file(int hash, const char *fname, unsigned char *out, unsigned long *outlen) { #ifdef LTC_NO_FILE + (void)hash; (void)fname; (void)out; (void)outlen; return CRYPT_NOP; #else FILE *in; diff --git a/libtomcrypt/src/hashes/helper/hash_filehandle.c b/libtomcrypt/src/hashes/helper/hash_filehandle.c index be2cbf9..03155ea 100644 --- a/libtomcrypt/src/hashes/helper/hash_filehandle.c +++ b/libtomcrypt/src/hashes/helper/hash_filehandle.c @@ -26,6 +26,7 @@ int hash_filehandle(int hash, FILE *in, unsigned char *out, unsigned long *outlen) { #ifdef LTC_NO_FILE + (void)hash; (void)in; (void)out; (void)outlen; return CRYPT_NOP; #else hash_state md; diff --git a/libtomcrypt/src/mac/hmac/hmac_file.c b/libtomcrypt/src/mac/hmac/hmac_file.c index b296320..d7c40b1 100644 --- a/libtomcrypt/src/mac/hmac/hmac_file.c +++ b/libtomcrypt/src/mac/hmac/hmac_file.c @@ -32,6 +32,7 @@ int hmac_file(int hash, const char *fname, unsigned char *out, unsigned long *outlen) { #ifdef LTC_NO_FILE + (void)hash; (void)fname; (void)key; (void)keylen; (void)out; (void)outlen; return CRYPT_NOP; #else hmac_state hmac; diff --git a/libtomcrypt/src/misc/crypt/crypt_argchk.c b/libtomcrypt/src/misc/crypt/crypt_argchk.c index c6675ef..a6d2a48 100644 --- a/libtomcrypt/src/misc/crypt/crypt_argchk.c +++ b/libtomcrypt/src/misc/crypt/crypt_argchk.c @@ -21,7 +21,7 @@ void crypt_argchk(char *v, char *s, int d) { fprintf(stderr, "LTC_ARGCHK '%s' failure on line %d of file %s\n", v, d, s); - (void)raise(SIGABRT); + abort(); } #endif diff --git a/libtomcrypt/src/pk/ecc/ltc_ecc_mulmod_timing.c b/libtomcrypt/src/pk/ecc/ltc_ecc_mulmod_timing.c index b94a50c..8cbcdf3 100644 --- a/libtomcrypt/src/pk/ecc/ltc_ecc_mulmod_timing.c +++ b/libtomcrypt/src/pk/ecc/ltc_ecc_mulmod_timing.c @@ -40,7 +40,7 @@ int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map) int i, j, err; void *mu, *mp; unsigned long buf; - int first, bitbuf, bitcpy, bitcnt, mode, digidx; + int bitcnt, mode, digidx; LTC_ARGCHK(k != NULL); LTC_ARGCHK(G != NULL); @@ -98,8 +98,6 @@ int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map) bitcnt = 1; buf = 0; digidx = mp_get_digit_count(k) - 1; - bitcpy = bitbuf = 0; - first = 1; /* perform ops */ for (;;) { diff --git a/netio.c b/netio.c index 1564f2f..74eea7b 100644 --- a/netio.c +++ b/netio.c @@ -70,7 +70,7 @@ static void connect_try_next(struct dropbear_progress_connection *c) { struct addrinfo *r; int res = 0; int fastopen = 0; -#ifdef DROPBEAR_TCP_FAST_OPEN +#ifdef DROPBEAR_CLIENT_TCP_FAST_OPEN struct msghdr message; #endif @@ -91,33 +91,36 @@ static void connect_try_next(struct dropbear_progress_connection *c) { set_piggyback_ack(c->sock); #endif -#ifdef DROPBEAR_TCP_FAST_OPEN +#ifdef DROPBEAR_CLIENT_TCP_FAST_OPEN fastopen = (c->writequeue != NULL); - memset(&message, 0x0, sizeof(message)); - message.msg_name = r->ai_addr; - message.msg_namelen = r->ai_addrlen; - - if (c->writequeue) { + if (fastopen) { + memset(&message, 0x0, sizeof(message)); + message.msg_name = r->ai_addr; + message.msg_namelen = r->ai_addrlen; /* 6 is arbitrary, enough to hold initial packets */ - int iovlen = 6; /* Linux msg_iovlen is a size_t */ + unsigned int iovlen = 6; /* Linux msg_iovlen is a size_t */ struct iovec iov[6]; packet_queue_to_iovec(c->writequeue, iov, &iovlen); message.msg_iov = iov; message.msg_iovlen = iovlen; res = sendmsg(c->sock, &message, MSG_FASTOPEN); - if (res < 0 && errno != EINPROGRESS) { - m_free(c->errstring); - c->errstring = m_strdup(strerror(errno)); - /* Not entirely sure which kind of errors are normal - 2.6.32 seems to - return EPIPE for any (nonblocking?) sendmsg(). just fall back */ - TRACE(("sendmsg tcp_fastopen failed, falling back. %s", strerror(errno))); - /* No kernel MSG_FASTOPEN support. Fall back below */ - fastopen = 0; - /* Set to NULL to avoid trying again */ - c->writequeue = NULL; + /* Returns EINPROGRESS if FASTOPEN wasn't available */ + if (res < 0) { + if (errno != EINPROGRESS) { + m_free(c->errstring); + c->errstring = m_strdup(strerror(errno)); + /* Not entirely sure which kind of errors are normal - 2.6.32 seems to + return EPIPE for any (nonblocking?) sendmsg(). just fall back */ + TRACE(("sendmsg tcp_fastopen failed, falling back. %s", strerror(errno))); + /* No kernel MSG_FASTOPEN support. Fall back below */ + fastopen = 0; + /* Set to NULL to avoid trying again */ + c->writequeue = NULL; + } + } else { + packet_queue_consume(c->writequeue, res); } - packet_queue_consume(c->writequeue, res); } #endif @@ -165,7 +168,7 @@ struct dropbear_progress_connection *connect_remote(const char* remotehost, cons memset(&hints, 0, sizeof(hints)); hints.ai_socktype = SOCK_STREAM; - hints.ai_family = PF_UNSPEC; + hints.ai_family = AF_UNSPEC; err = getaddrinfo(remotehost, remoteport, &hints, &c->res); if (err) { @@ -310,7 +313,7 @@ void set_sock_nodelay(int sock) { setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void*)&val, sizeof(val)); } -#ifdef DROPBEAR_TCP_FAST_OPEN +#ifdef DROPBEAR_SERVER_TCP_FAST_OPEN void set_listen_fast_open(int sock) { int qlen = MAX(MAX_UNAUTH_PER_IP, 5); if (setsockopt(sock, SOL_TCP, TCP_FASTOPEN, &qlen, sizeof(qlen)) != 0) { diff --git a/netio.h b/netio.h index 5d9f799..b413bdc 100644 --- a/netio.h +++ b/netio.h @@ -48,7 +48,7 @@ void connect_set_writequeue(struct dropbear_progress_connection *c, struct Queue void packet_queue_to_iovec(struct Queue *queue, struct iovec *iov, unsigned int *iov_count); void packet_queue_consume(struct Queue *queue, ssize_t written); -#ifdef DROPBEAR_TCP_FAST_OPEN +#ifdef DROPBEAR_SERVER_TCP_FAST_OPEN /* Try for any Linux builds, will fall back if the kernel doesn't support it */ void set_listen_fast_open(int sock); /* Define values which may be supported by the kernel even if the libc is too old */ diff --git a/options.h b/options.h index e2d69a9..41cc129 100644 --- a/options.h +++ b/options.h @@ -103,10 +103,15 @@ much traffic. */ #define DROPBEAR_ENABLE_CBC_MODE /* Enable "Counter Mode" for ciphers. This is more secure than normal - * CBC mode against certain attacks. This adds around 1kB to binary - * size and is recommended for most cases */ + * CBC mode against certain attacks. It is recommended for security + * and forwards compatibility */ #define DROPBEAR_ENABLE_CTR_MODE +/* Twofish counter mode is disabled by default because it +has not been tested for interoperability with other SSH implementations. +If you test it please contact the Dropbear author */ +/* #define DROPBEAR_TWOFISH_CTR */ + /* You can compile with no encryption if you want. In some circumstances * this could be safe security-wise, though make sure you know what * you're doing. Anyone can see everything that goes over the wire, so diff --git a/packet.c b/packet.c index 1d1be84..19b5759 100644 --- a/packet.c +++ b/packet.c @@ -61,6 +61,10 @@ void write_packet() { /* 50 is somewhat arbitrary */ unsigned int iov_count = 50; struct iovec iov[50]; +#else + int len; + buffer* writebuf; + int packet_type; #endif TRACE2(("enter write_packet")) @@ -97,6 +101,8 @@ void write_packet() { * a cleartext packet_type indicator */ packet_type = writebuf->data[writebuf->len-1]; len = writebuf->len - 1 - writebuf->pos; + TRACE2(("write_packet type %d len %d/%d", packet_type, + len, writebuf->len-1)) dropbear_assert(len > 0); /* Try to write as much as possible */ written = write(ses.sock_out, buf_getptr(writebuf, len), len); diff --git a/scp.c b/scp.c index 710d9d2..5a71292 100644 --- a/scp.c +++ b/scp.c @@ -96,7 +96,7 @@ int verbose_mode = 0; int showprogress = 1; /* This is the program to execute for the secured connection. ("ssh" or -S) */ -char *ssh_program = _PATH_SSH_PROGRAM; +char *ssh_program = DROPBEAR_PATH_SSH_PROGRAM; /* This is used to store the pid of ssh_program */ pid_t do_cmd_pid = -1; diff --git a/session.h b/session.h index 0059d94..99c96cb 100644 --- a/session.h +++ b/session.h @@ -63,7 +63,7 @@ void svr_dropbear_log(int priority, const char* format, va_list param); /* Client */ void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress) ATTRIB_NORETURN; void cli_connected(int result, int sock, void* userdata, const char *errstring); -void cleantext(unsigned char* dirtytext); +void cleantext(char* dirtytext); /* crypto parameters that are stored individually for transmit and receive */ struct key_context_directional { @@ -115,7 +115,7 @@ struct sshsession { /* remotehost will be initially NULL as we delay * reading the remote version string. it will be set * by the time any recv_() packet methods are called */ - unsigned char *remoteident; + char *remoteident; int maxfd; /* the maximum file descriptor to check with select() */ diff --git a/signkey.c b/signkey.c index 10a63f2..ac5d887 100644 --- a/signkey.c +++ b/signkey.c @@ -138,7 +138,7 @@ signkey_key_ptr(sign_key *key, enum signkey_type type) { * on return is set to the type read (useful when type = _ANY) */ int buf_get_pub_key(buffer *buf, sign_key *key, enum signkey_type *type) { - unsigned char* ident; + char *ident; unsigned int len; enum signkey_type keytype; int ret = DROPBEAR_FAILURE; @@ -209,7 +209,7 @@ int buf_get_pub_key(buffer *buf, sign_key *key, enum signkey_type *type) { * on return is set to the type read (useful when type = _ANY) */ int buf_get_priv_key(buffer *buf, sign_key *key, enum signkey_type *type) { - unsigned char* ident; + char *ident; unsigned int len; enum signkey_type keytype; int ret = DROPBEAR_FAILURE; @@ -515,7 +515,7 @@ void buf_put_sign(buffer* buf, sign_key *key, enum signkey_type type, * signature blob */ int buf_verify(buffer * buf, sign_key *key, buffer *data_buf) { - unsigned char * type_name = NULL; + char *type_name = NULL; unsigned int type_name_len = 0; enum signkey_type type; diff --git a/svr-auth.c b/svr-auth.c index 89760ef..87330ac 100644 --- a/svr-auth.c +++ b/svr-auth.c @@ -36,7 +36,7 @@ #include "dbrandom.h" static void authclear(); -static int checkusername(unsigned char *username, unsigned int userlen); +static int checkusername(char *username, unsigned int userlen); /* initialise the first time for a session, resetting all parameters */ void svr_authinitialise() { @@ -100,7 +100,7 @@ void send_msg_userauth_banner(buffer *banner) { * checking, and handle success or failure */ void recv_msg_userauth_request() { - unsigned char *username = NULL, *servicename = NULL, *methodname = NULL; + char *username = NULL, *servicename = NULL, *methodname = NULL; unsigned int userlen, servicelen, methodlen; int valid_user = 0; @@ -227,7 +227,7 @@ out: /* Check that the username exists and isn't disallowed (root), and has a valid shell. * returns DROPBEAR_SUCCESS on valid username, DROPBEAR_FAILURE on failure */ -static int checkusername(unsigned char *username, unsigned int userlen) { +static int checkusername(char *username, unsigned int userlen) { char* listshell = NULL; char* usershell = NULL; @@ -333,14 +333,14 @@ void send_msg_userauth_failure(int partial, int incrfail) { typebuf = buf_new(30); /* long enough for PUBKEY and PASSWORD */ if (ses.authstate.authtypes & AUTH_TYPE_PUBKEY) { - buf_putbytes(typebuf, AUTH_METHOD_PUBKEY, AUTH_METHOD_PUBKEY_LEN); + buf_putbytes(typebuf, (const unsigned char *)AUTH_METHOD_PUBKEY, AUTH_METHOD_PUBKEY_LEN); if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) { buf_putbyte(typebuf, ','); } } if (ses.authstate.authtypes & AUTH_TYPE_PASSWORD) { - buf_putbytes(typebuf, AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN); + buf_putbytes(typebuf, (const unsigned char *)AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN); } buf_putbufstring(ses.writepayload, typebuf); diff --git a/svr-authpam.c b/svr-authpam.c index 0b1d69f..101017c 100644 --- a/svr-authpam.c +++ b/svr-authpam.c @@ -188,7 +188,7 @@ void svr_auth_pam() { pam_handle_t* pamHandlep = NULL; - unsigned char * password = NULL; + char * password = NULL; unsigned int passwordlen; int rc = PAM_SUCCESS; diff --git a/svr-authpasswd.c b/svr-authpasswd.c index 7a5a121..9852ac6 100644 --- a/svr-authpasswd.c +++ b/svr-authpasswd.c @@ -33,6 +33,8 @@ #ifdef ENABLE_SVR_PASSWORD_AUTH +/* not constant time when strings are differing lengths. + string content isn't leaked, and crypt hashes are predictable length. */ static int constant_time_strcmp(const char* a, const char* b) { size_t la = strlen(a); size_t lb = strlen(b); @@ -50,7 +52,7 @@ void svr_auth_password() { char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */ char * testcrypt = NULL; /* crypt generated from the user's password sent */ - unsigned char * password; + char * password; unsigned int passwordlen; unsigned int changepw; @@ -73,7 +75,7 @@ void svr_auth_password() { password = buf_getstring(ses.payload, &passwordlen); /* the first bytes of passwdcrypt are the salt */ - testcrypt = crypt((char*)password, passwdcrypt); + testcrypt = crypt(password, passwdcrypt); m_burn(password, passwordlen); m_free(password); diff --git a/svr-authpubkey.c b/svr-authpubkey.c index e8af319..89d77ed 100644 --- a/svr-authpubkey.c +++ b/svr-authpubkey.c @@ -70,10 +70,10 @@ #define MIN_AUTHKEYS_LINE 10 /* "ssh-rsa AB" - short but doesn't matter */ #define MAX_AUTHKEYS_LINE 4200 /* max length of a line in authkeys */ -static int checkpubkey(unsigned char* algo, unsigned int algolen, +static int checkpubkey(char* algo, unsigned int algolen, unsigned char* keyblob, unsigned int keybloblen); static int checkpubkeyperms(); -static void send_msg_userauth_pk_ok(unsigned char* algo, unsigned int algolen, +static void send_msg_userauth_pk_ok(char* algo, unsigned int algolen, unsigned char* keyblob, unsigned int keybloblen); static int checkfileperm(char * filename); @@ -82,7 +82,7 @@ static int checkfileperm(char * filename); void svr_auth_pubkey() { unsigned char testkey; /* whether we're just checking if a key is usable */ - unsigned char* algo = NULL; /* pubkey algo */ + char* algo = NULL; /* pubkey algo */ unsigned int algolen; unsigned char* keyblob = NULL; unsigned int keybloblen; @@ -173,7 +173,7 @@ out: /* Reply that the key is valid for auth, this is sent when the user sends * a straight copy of their pubkey to test, to avoid having to perform * expensive signing operations with a worthless key */ -static void send_msg_userauth_pk_ok(unsigned char* algo, unsigned int algolen, +static void send_msg_userauth_pk_ok(char* algo, unsigned int algolen, unsigned char* keyblob, unsigned int keybloblen) { TRACE(("enter send_msg_userauth_pk_ok")) @@ -181,7 +181,7 @@ static void send_msg_userauth_pk_ok(unsigned char* algo, unsigned int algolen, buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_PK_OK); buf_putstring(ses.writepayload, algo, algolen); - buf_putstring(ses.writepayload, keyblob, keybloblen); + buf_putstring(ses.writepayload, (const char*)keyblob, keybloblen); encrypt_packet(); TRACE(("leave send_msg_userauth_pk_ok")) @@ -191,7 +191,7 @@ static void send_msg_userauth_pk_ok(unsigned char* algo, unsigned int algolen, /* Checks whether a specified publickey (and associated algorithm) is an * acceptable key for authentication */ /* Returns DROPBEAR_SUCCESS if key is ok for auth, DROPBEAR_FAILURE otherwise */ -static int checkpubkey(unsigned char* algo, unsigned int algolen, +static int checkpubkey(char* algo, unsigned int algolen, unsigned char* keyblob, unsigned int keybloblen) { FILE * authfile = NULL; @@ -260,9 +260,9 @@ static int checkpubkey(unsigned char* algo, unsigned int algolen, /* check the key type - will fail if there are options */ TRACE(("a line!")) - if (strncmp(buf_getptr(line, algolen), algo, algolen) != 0) { + if (strncmp((const char *) buf_getptr(line, algolen), algo, algolen) != 0) { int is_comment = 0; - char *options_start = NULL; + unsigned char *options_start = NULL; int options_len = 0; int escape, quoted; @@ -308,7 +308,7 @@ static int checkpubkey(unsigned char* algo, unsigned int algolen, if (line->pos + algolen+3 > line->len) { continue; } - if (strncmp(buf_getptr(line, algolen), algo, algolen) != 0) { + if (strncmp((const char *) buf_getptr(line, algolen), algo, algolen) != 0) { continue; } } @@ -330,7 +330,7 @@ static int checkpubkey(unsigned char* algo, unsigned int algolen, TRACE(("checkpubkey: line pos = %d len = %d", line->pos, line->len)) - ret = cmp_base64_key(keyblob, keybloblen, algo, algolen, line, NULL); + ret = cmp_base64_key(keyblob, keybloblen, (const unsigned char *) algo, algolen, line, NULL); if (ret == DROPBEAR_SUCCESS && options_buf) { ret = svr_add_pubkey_options(options_buf, line_num, filename); diff --git a/svr-authpubkeyoptions.c b/svr-authpubkeyoptions.c index 71d7c14..c296141 100644 --- a/svr-authpubkeyoptions.c +++ b/svr-authpubkeyoptions.c @@ -120,7 +120,7 @@ static int match_option(buffer *options_buf, const char *opt_name) { if (options_buf->len - options_buf->pos < len) { return DROPBEAR_FAILURE; } - if (strncasecmp(buf_getptr(options_buf, len), opt_name, len) == 0) { + if (strncasecmp((const char *) buf_getptr(options_buf, len), opt_name, len) == 0) { buf_incrpos(options_buf, len); return DROPBEAR_SUCCESS; } diff --git a/svr-chansession.c b/svr-chansession.c index 5bed8fc..e44299e 100644 --- a/svr-chansession.c +++ b/svr-chansession.c @@ -343,7 +343,7 @@ static void closechansess(struct Channel *channel) { * or x11/authagent forwarding. These are passed to appropriate handlers */ static void chansessionrequest(struct Channel *channel) { - unsigned char * type = NULL; + char * type = NULL; unsigned int typelen; unsigned char wantreply; int ret = 1; @@ -406,7 +406,7 @@ out: static int sessionsignal(struct ChanSess *chansess) { int sig = 0; - unsigned char* signame = NULL; + char* signame = NULL; int i; if (chansess->pid == 0) { @@ -557,7 +557,7 @@ static void get_termmodes(struct ChanSess *chansess) { static int sessionpty(struct ChanSess * chansess) { unsigned int termlen; - unsigned char namebuf[65]; + char namebuf[65]; struct passwd * pw = NULL; TRACE(("enter sessionpty")) @@ -583,7 +583,7 @@ static int sessionpty(struct ChanSess * chansess) { return DROPBEAR_FAILURE; } - chansess->tty = (char*)m_strdup(namebuf); + chansess->tty = m_strdup(namebuf); if (!chansess->tty) { dropbear_exit("Out of memory"); /* TODO disconnect */ } @@ -603,6 +603,7 @@ static int sessionpty(struct ChanSess * chansess) { return DROPBEAR_SUCCESS; } +#ifndef USE_VFORK static void make_connection_string(struct ChanSess *chansess) { char *local_ip, *local_port, *remote_ip, *remote_port; size_t len; @@ -624,6 +625,7 @@ static void make_connection_string(struct ChanSess *chansess) { m_free(remote_ip); m_free(remote_port); } +#endif /* Handle a command request from the client. This is used for both shell * and command-execution requests, and passes the command to diff --git a/svr-kex.c b/svr-kex.c index 6cc5433..96f4508 100644 --- a/svr-kex.c +++ b/svr-kex.c @@ -247,7 +247,7 @@ static void send_msg_kexdh_reply(mp_int *dh_e, buffer *ecdh_qs) { { struct kex_curve25519_param *param = gen_kexcurve25519_param(); kexcurve25519_comb_key(param, ecdh_qs, svr_opts.hostkey); - buf_putstring(ses.writepayload, param->pub, CURVE25519_LEN); + buf_putstring(ses.writepayload, (const char*)param->pub, CURVE25519_LEN); free_kexcurve25519_param(param); } #endif diff --git a/svr-main.c b/svr-main.c index 5234086..cc59332 100644 --- a/svr-main.c +++ b/svr-main.c @@ -429,7 +429,7 @@ static size_t listensockets(int *socks, size_t sockcount, int *maxfd) { for (n = 0; n < (unsigned int)nsock; n++) { int sock = socks[sockpos + n]; set_sock_priority(sock, DROPBEAR_PRIO_LOWDELAY); -#ifdef DROPBEAR_TCP_FAST_OPEN +#ifdef DROPBEAR_SERVER_TCP_FAST_OPEN set_listen_fast_open(sock); #endif } diff --git a/svr-service.c b/svr-service.c index 9c5e580..1f72ea5 100644 --- a/svr-service.c +++ b/svr-service.c @@ -30,13 +30,13 @@ #include "ssh.h" #include "auth.h" -static void send_msg_service_accept(unsigned char *name, int len); +static void send_msg_service_accept(char *name, int len); /* processes a SSH_MSG_SERVICE_REQUEST, returning 0 if finished, * 1 if not */ void recv_msg_service_request() { - unsigned char * name; + char * name; unsigned int len; TRACE(("enter recv_msg_service_request")) @@ -73,7 +73,7 @@ void recv_msg_service_request() { } -static void send_msg_service_accept(unsigned char *name, int len) { +static void send_msg_service_accept(char *name, int len) { TRACE(("accepting service %s", name)) diff --git a/svr-session.c b/svr-session.c index 8485905..d638d59 100644 --- a/svr-session.c +++ b/svr-session.c @@ -138,6 +138,8 @@ void svr_session(int sock, int childpipe) { /* exchange identification, version etc */ send_session_identification(); + + kexfirstinitialise(); /* initialise the kex state */ /* start off with key exchange */ send_msg_kexinit(); diff --git a/svr-tcpfwd.c b/svr-tcpfwd.c index b3928bc..d2f1427 100644 --- a/svr-tcpfwd.c +++ b/svr-tcpfwd.c @@ -65,7 +65,7 @@ static const struct ChanType svr_chan_tcpremote = { * similar to the request-switching in chansession.c */ void recv_msg_global_request_remotetcp() { - unsigned char* reqname = NULL; + char* reqname = NULL; unsigned int namelen; unsigned int wantreply = 0; int ret = DROPBEAR_FAILURE; @@ -120,7 +120,7 @@ static int matchtcp(void* typedata1, void* typedata2) { static int svr_cancelremotetcp() { int ret = DROPBEAR_FAILURE; - unsigned char * bindaddr = NULL; + char * bindaddr = NULL; unsigned int addrlen; unsigned int port; struct Listener * listener = NULL; @@ -155,7 +155,7 @@ out: static int svr_remotetcpreq() { int ret = DROPBEAR_FAILURE; - unsigned char * request_addr = NULL; + char * request_addr = NULL; unsigned int addrlen; struct TCPListener *tcpinfo = NULL; unsigned int port; @@ -232,12 +232,12 @@ const struct ChanType svr_chan_tcpdirect = { * address */ static int newtcpdirect(struct Channel * channel) { - unsigned char* desthost = NULL; + char* desthost = NULL; unsigned int destport; - unsigned char* orighost = NULL; + char* orighost = NULL; unsigned int origport; char portstring[NI_MAXSERV]; - int len; + unsigned int len; int err = SSH_OPEN_ADMINISTRATIVELY_PROHIBITED; TRACE(("newtcpdirect channel %d", channel->index)) diff --git a/svr-x11fwd.c b/svr-x11fwd.c index 6400c06..144ec0b 100644 --- a/svr-x11fwd.c +++ b/svr-x11fwd.c @@ -107,7 +107,7 @@ static void x11accept(struct Listener* listener, int sock) { int fd; struct sockaddr_in addr; - int len; + socklen_t len; int ret; struct ChanSess * chansess = (struct ChanSess *)(listener->typedata); diff --git a/sysoptions.h b/sysoptions.h index 11dc10d..185c8e6 100644 --- a/sysoptions.h +++ b/sysoptions.h @@ -262,9 +262,12 @@ /* Use this string since some implementations might special-case it */ #define DROPBEAR_KEEPALIVE_STRING "keepalive@openssh.com" -/* Linux will attempt TCP fast open, falling back if not supported by the kernel */ +/* Linux will attempt TCP fast open, falling back if not supported by the kernel. + * Currently server is enabled but client is disabled by default until there + * is further compatibility testing */ #ifdef __linux__ -#define DROPBEAR_TCP_FAST_OPEN 1 +#define DROPBEAR_SERVER_TCP_FAST_OPEN +/* #define DROPBEAR_CLIENT_TCP_FAST_OPEN */ #endif /* no include guard for this file */ diff --git a/tcp-accept.c b/tcp-accept.c index 35be32d..4456920 100644 --- a/tcp-accept.c +++ b/tcp-accept.c @@ -75,7 +75,7 @@ static void tcp_acceptor(struct Listener *listener, int sock) { } if (send_msg_channel_open_init(fd, tcpinfo->chantype) == DROPBEAR_SUCCESS) { - unsigned char* addr = NULL; + char* addr = NULL; unsigned int port = 0; if (tcpinfo->tcp_type == direct) { diff --git a/tcpfwd.h b/tcpfwd.h index 51a1575..64139f0 100644 --- a/tcpfwd.h +++ b/tcpfwd.h @@ -31,16 +31,16 @@ struct TCPListener { /* For a direct-tcpip request, it's the addr/port we want the other * end to connect to */ - unsigned char *sendaddr; + char *sendaddr; unsigned int sendport; /* This is the address/port that we listen on. The address has special * meanings as per the rfc, "" for all interfaces, "localhost" for * localhost, or a normal interface name. */ - unsigned char *listenaddr; + char *listenaddr; unsigned int listenport; /* The address that the remote host asked to listen on */ - unsigned char *request_listenaddr; + char *request_listenaddr; const struct ChanType *chantype; enum {direct, forwarded} tcp_type; @@ -48,9 +48,9 @@ struct TCPListener { /* A forwarding entry */ struct TCPFwdEntry { - const unsigned char* connectaddr; + const char *connectaddr; unsigned int connectport; - const unsigned char* listenaddr; + const char *listenaddr; unsigned int listenport; unsigned int have_reply; /* is set to 1 after a reply has been received when setting up the forwarding */