merge

--HG--
branch : coverity

.hgsigs

@@ -18,3 +18,4 @@ a687f835236c7025b5cb2968fe9c4ebc4a49f0ea 0 iQIcBAABCgAGBQJVxg62AAoJEPSYMBLCC7qsC
 ef4b26364b0cdda1084751d7de3d76c589e2d9cb 0 iQIcBAABCgAGBQJVxg7BAAoJEESTFJTynGdz9Q4P/A0Kq4H52rQqxq42PoEMFbVQIUfkFzyWjAz8eEGLmP5x5/sdpyxZDEyBSUG55uyNvOPTHE+Sd3t2h2Iieq749qwYgqggXC0P+C0zGzW3hB5Rv6dTUrKN1yCyaWE2tY488RsyVlcAs4vrp1Cum5Gv8/BUVKjzZmkZ1iq/3RyrvbLEiLoMrcLnQ+sUdaYHvfEwxDbzpOEvepg8iDJBitTrfG9xHp9otX6ucahwn1EumFvC5mvUxbiQ9jv76t4FJztjMoB24hPCH9T1FjB8uNsoM+j2Z67r81eJrGgNpJzjX0S3lY/AADZGhfGnfybTM9gFuQayIJuCJqduQibVwYkAAnPi17NmbdwPu0Rdz55oU+ft09XLVm/qkQcD1EP5bxYWnLIEMkkZQnFx7WdMpjKK9oGxZHeFYAKEgPgePCkk4TQ4PxNa+3854H19AUssQlaueGcbDLyPIRiSyqhleXawGfaJi+1jBt0DM7CNbAHAUWUE07VhQzNGWjabdEk4eXKTmDL+mZJFdHGBhyCve8sPmZBYJvM2PRgcXe8fwFh+R7gVj6kFbZJvgM9kG7EeF+4ZMEXG4yKpV/SKfMMeEPBCZjFxZhlJJ0fsZbB1Y/iLw8LXnJ0fa/5xFYv6k+iytfom/rqS4iUD7NWTjcEYHjd4EO4QlPD2Ef/AWOO8YBUBv8kA
 af074dbcb68ff8670b3818e0d66d5dc6f1bd5877 0 iQIcBAABCgAGBQJWVdQfAAoJEPSYMBLCC7qs+n4P/RgZU3GsLFJN7v7Cn6NOdKdfjJBmlbCtK9KwlZZaj8fW4noqnLDcDd6a2xT4mDV3rCE6+QYialGXjNkkNCBwD9Z+gFc8spOtThrpQ54dgWzbgDlYB1y7Hp7DoWoJQIlU6Od9nWBemcSrAviOFNAX8+S6poRdEhrHgMcv2xJoqHjvT7X8gob0RnJcYxW5nLWzDaJV58QnX6QlXg4ClSB6IoCeEawdW6WzXlZ9MGsRycTtx1ool7Uo6Vo2xg48n9TaJqM/lbSsMAjHxO/fdTJMWzTId1fuZxJGFVeJbkhjSwlf7fkVXxrgDxjvIAmFDR8TSTfJo50CD82j5rPcd7KSEpQ12ImBUsntPDgOtt/mJZ3HcFds86OZ7NkPpqoJGVFFQ8yUpe//DNSB2Ovg1FrwhSKOq/9N61BBwk1INVFDp1hMq45PIa9gI9zW/99inGDeSSQlxa4iafEUEjXZTRYuX7mFjnWm5q7r134J7kyWQtN/jNUZ71F0mvhnemufgpNY/I/D7K6qkONpbDZ2nuzkhfoqugzhHYp467UePM0qmLTLdXGPPMukoGorpWeiSb2T25AEKm7N4A9NwPmdAnoFjAibjF9FAuU03sl+pu9MqFb+1ldsqjNfxhcJmoAUR5vy3pED9ailCb/OCBVTHkDPfTEhGU3waO9tPM+5x2rGB5fe
 5bb5976e6902a0c9fba974a880c68c9487ee1e77 0 iQIcBAABCgAGBQJWVyIKAAoJEESTFJTynGdzQosP/0k5bVTerpUKZLjyNuMU8o0eyc7njkX8EyMOyGbtcArKpzO2opSBTRsuCT9Zsk1iiQ1GMTY1quKD7aNr86Hipqo4th/+ZXmLe9mmaCDukKjD0ZYC4dBVUy6RSUAMvdkDP9sZs7CMTO/22a9SqOsKTv3s2NN6XnsBGnmNbvVx5hkAk5hMVNFrjKIaexzI/7bWQIDRo2HQCaWaL06JvWEDSEQd2mynGSXxT/+m4hBnuGg6qxn2pd4XfG0g10tDAFx64HQkWgZqSB+F8z71Cvfjondy1zjJYgtABqNlwCKQJZhRUW2+PblqQnz08TUy83XN2vtisOju4avGcHSaBgBbMvg8Wx4ZtM7sPP9pLrhhOTd5ceERHeTceTJy+iI1SQFvccjrRfs5aJ0zAQX5q6f4bV0zp5SmxkvnZUEkZIoetkM8VrPOYugqx31LtHAWfVT9NM+VkV/rrxLhk6J0giIQvC9MPWxRDileFVDszPiOgTLcxWjOziOLT+xijcj7dtx1b/f2bNCduN5G7i+icjjTlCNtyRPRqhBqn705W7F+xESP2gsscM/1BjQ7TGidU5m1njdkUjbrqm3+Qic6iqkG7SfETHmQB9mHqpJ0hACRPvZlhwB7oimNHllkrlw8UJw9f0SiuLjfERIgVS2EOp+mAia0RU7MlTt19o017M1ffEYL
+926e7275cef4f4f2a4251597ee4814748394824c 0 iQIcBAABCgAGBQJWYES4AAoJEESTFJTynGdzdT0P/0O/1frevtr698DwMe6kmJx35P6Bqq8szntMxYucv0HROTfr85JRcCCSvl/2SflDS215QmOxdvYLGLUWPJNz/gURCLpzsT88KLF68Y1tC72nl4Fj+LGIOlsWsvwEqQqw0v4iQkHIfcxI6q7g1r9Hfldf/ju4bzQ4HnKLxm6KNcLLoAsuehVpQ+njHpLmlLAGHU5a84B7xeXHFR+U/EBPxSdm637rNhmpLpkuK2Mym/Mzv7BThKDstpB8lhFHIwAVNqi3Cy4nGYxFZOJpooUN9pDornqAwuzHmOAMs9+49L8GZ1de5PBRGyFKibzjBIUWPEU9EIkfJVaVwTlqYK8Q/IRi9HjITPx6GpE8cZhdSvAibrQdb6BbIDrZ8eCvD9vnod6Uk0Jb9/ui6nCF9x+CN/3Qez4epV5+JCMYsqCiXFkVPm9Lab6L2eGZis7Q2TXImA/sSV+E4BGfH2urpkKlnuXTTtDp4XRG+lOISkIBXgjVY+uy8soVKNdx1gv+LeY8hu/oQ2NyOlaOeL47aSQ3who4Pk6pVRUOl6zfcKo9Vs6xDWm35A3Z6x/mrAENaXasB0JrfY5nIbefJUpbeSmi76fYldU98HdQNHPHCSeiKVYl7v/B6gi2JXp5xngLZz/5VVAurago7sRmpIp7G/AqU6LNE85IUzG8aQz8AfR0d1dW

.hgtags

@@ -50,3 +50,4 @@ cbd674d63cd4f3781464a8d4056a5506c8ae926f DROPBEAR_2015.67
 809feaa9408f036734129c77f2b3c7e779d4f099 DROPBEAR_2015.68
 1637dbd262124d113e52967df46afd6c715e4fad DROPBEAR_2015.69
 79a6ef02307d05cb9dda10465cb5b807baa8f62e DROPBEAR_2015.70
+9a944a243f08be6b22d32f166a0690eb4872462b DROPBEAR_2015.71

CHANGES

@@ -1,3 +1,18 @@
+2015.71 - 3 December 2015
+
+- Fix "bad buf_incrpos" when data is transferred, broke in 2015.69
+
+- Fix crash on exit when -p address:port is used, broke in 2015.68, thanks to
+  Frank Stollenwerk for reporting and investigation
+
+- Fix building with only ENABLE_CLI_REMOTETCPFWD given, patch from Konstantin Tokarev
+
+- Fix bad configure script test which didn't work with dash shell, patch from Juergen Daubert,
+  broke in 2015.70
+
+- Fix server race condition that could cause sessions to hang on exit,
+  https://github.com/robotframework/SSHLibrary/issues/128
+
 2015.70 - 26 November 2015
 
 - Fix server password authentication on Linux, broke in 2015.69

cli-kex.c

@@ -190,7 +190,7 @@ static void ask_to_confirm(unsigned char* keyblob, unsigned int keybloblen,
 
 	fp = sign_key_fingerprint(keyblob, keybloblen);
 	if (cli_opts.always_accept_key) {
-		fprintf(stderr, "\nHost '%s' key accepted unconditionally.\n(%s fingerprint %s)\n",
+		dropbear_log(LOG_INFO, "\nHost '%s' key accepted unconditionally.\n(%s fingerprint %s)\n",
 				cli_opts.remotehost,
 				algoname,
 				fp);
@@ -290,7 +290,7 @@ static void checkhostkey(unsigned char* keyblob, unsigned int keybloblen) {
 	int ret;
 
 	if (cli_opts.no_hostkey_check) {
-		fprintf(stderr, "Caution, skipping hostkey check for %s\n", cli_opts.remotehost);
+		dropbear_log(LOG_INFO, "Caution, skipping hostkey check for %s\n", cli_opts.remotehost);
 		return;
 	}
 

cli-main.c

@@ -36,7 +36,8 @@ static void cli_dropbear_exit(int exitcode, const char* format, va_list param) A
 static void cli_dropbear_log(int priority, const char* format, va_list param);
 
 #ifdef ENABLE_CLI_PROXYCMD
-static void cli_proxy_cmd(int *sock_in, int *sock_out);
+static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out);
+static void kill_proxy_sighandler(int signo);
 #endif
 
 #if defined(DBMULTI_dbclient) || !defined(DROPBEAR_MULTI)
@@ -59,6 +60,12 @@ int main(int argc, char ** argv) {
 
 	cli_getopts(argc, argv);
 
+#ifndef DISABLE_SYSLOG
+	if (opts.usingsyslog) {
+		startsyslog("dbclient");
+	}
+#endif
+
 	TRACE(("user='%s' host='%s' port='%s'", cli_opts.username,
 				cli_opts.remotehost, cli_opts.remoteport))
 
@@ -66,10 +73,16 @@ int main(int argc, char ** argv) {
 		dropbear_exit("signal() error");
 	}
 
+	pid_t proxy_cmd_pid = 0;
 #ifdef ENABLE_CLI_PROXYCMD
 	if (cli_opts.proxycmd) {
-		cli_proxy_cmd(&sock_in, &sock_out);
+		cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid);
 		m_free(cli_opts.proxycmd);
+		if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR ||
+			signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR ||
+			signal(SIGHUP, kill_proxy_sighandler) == SIG_ERR) {
+			dropbear_exit("signal() error");
+		}
 	} else
 #endif
 	{
@@ -77,7 +90,7 @@ int main(int argc, char ** argv) {
 		sock_in = sock_out = -1;
 	}
 
-	cli_session(sock_in, sock_out, progress);
+	cli_session(sock_in, sock_out, progress, proxy_cmd_pid);
 
 	/* not reached */
 	return -1;
@@ -111,13 +124,19 @@ static void cli_dropbear_exit(int exitcode, const char* format, va_list param) {
 	exit(exitcode);
 }
 
-static void cli_dropbear_log(int UNUSED(priority), 
+static void cli_dropbear_log(int priority,
 		const char* format, va_list param) {
 
 	char printbuf[1024];
 
 	vsnprintf(printbuf, sizeof(printbuf), format, param);
 
+#ifndef DISABLE_SYSLOG
+	if (opts.usingsyslog) {
+		syslog(priority, "%s", printbuf);
+	}
+#endif
+
 	fprintf(stderr, "%s: %s\n", cli_opts.progname, printbuf);
 	fflush(stderr);
 }
@@ -132,16 +151,21 @@ static void exec_proxy_cmd(void *user_data_cmd) {
 }
 
 #ifdef ENABLE_CLI_PROXYCMD
-static void cli_proxy_cmd(int *sock_in, int *sock_out) {
+static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
 	int ret;
 
 	fill_passwd(cli_opts.own_user);
 
 	ret = spawn_command(exec_proxy_cmd, cli_opts.proxycmd,
-			sock_out, sock_in, NULL, NULL);
+			sock_out, sock_in, NULL, pid_out);
 	if (ret == DROPBEAR_FAILURE) {
 		dropbear_exit("Failed running proxy command");
 		*sock_in = *sock_out = -1;
 	}
 }
+
+static void kill_proxy_sighandler(int UNUSED(signo)) {
+	kill_proxy_command();
+	_exit(1);
+}
 #endif /* ENABLE_CLI_PROXYCMD */

cli-runopts.c

@@ -46,6 +46,7 @@ static void addforward(const char* str, m_list *fwdlist);
 #ifdef ENABLE_CLI_NETCAT
 static void add_netcat(const char *str);
 #endif
+static void add_extendedopt(const char *str);
 
 static void printhelp() {
 
@@ -64,6 +65,7 @@ static void printhelp() {
 					"-y    Always accept remote host key if unknown\n"
 					"-y -y Don't perform any remote host key checking (caution)\n"
 					"-s    Request a subsystem (use by external sftp)\n"
+					"-o option     Set option in OpenSSH-like format ('-o help' to list options)\n"
 #ifdef ENABLE_CLI_PUBKEY_AUTH
 					"-i <identityfile>   (multiple allowed, default %s)\n"
 #endif
@@ -106,6 +108,7 @@ void cli_getopts(int argc, char ** argv) {
 	unsigned int i, j;
 	char ** next = 0;
 	enum {
+		OPT_EXTENDED_OPTIONS,
 #ifdef ENABLE_CLI_PUBKEY_AUTH
 		OPT_AUTHKEY,
 #endif
@@ -145,6 +148,9 @@ void cli_getopts(int argc, char ** argv) {
 #ifdef ENABLE_CLI_PUBKEY_AUTH
 	cli_opts.privkeys = list_new();
 #endif
+#ifdef ENABLE_CLI_ANYTCPFWD
+	cli_opts.exit_on_fwd_failure = 0;
+#endif
 #ifdef ENABLE_CLI_LOCALTCPFWD
 	cli_opts.localfwds = list_new();
 	opts.listen_fwd_all = 0;
@@ -166,6 +172,9 @@ void cli_getopts(int argc, char ** argv) {
 #ifdef ENABLE_USER_ALGO_LIST
 	opts.cipher_list = NULL;
 	opts.mac_list = NULL;
+#endif
+#ifndef DISABLE_SYSLOG
+	opts.usingsyslog = 0;
 #endif
 	/* not yet
 	opts.ipv4 = 1;
@@ -224,6 +233,9 @@ void cli_getopts(int argc, char ** argv) {
 				case 's':
 					cli_opts.is_subsystem = 1;
 					break;
+				case 'o':
+					opt = OPT_EXTENDED_OPTIONS;
+					break;
 #ifdef ENABLE_CLI_LOCALTCPFWD
 				case 'L':
 					opt = OPT_LOCALTCPFWD;
@@ -301,7 +313,6 @@ void cli_getopts(int argc, char ** argv) {
 					print_version();
 					exit(EXIT_SUCCESS);
 					break;
-				case 'o':
 				case 'b':
 					next = &dummy;
 				default:
@@ -321,6 +332,11 @@ void cli_getopts(int argc, char ** argv) {
 				dropbear_exit("Missing argument");
 		}
 
+		if (opt == OPT_EXTENDED_OPTIONS) {
+			TRACE(("opt extended"))
+			add_extendedopt(&argv[i][j]);
+		}
+		else
 #ifdef ENABLE_CLI_PUBKEY_AUTH
 		if (opt == OPT_AUTHKEY) {
 			TRACE(("opt authkey"))
@@ -475,7 +491,7 @@ static void loadidentityfile(const char* filename, int warnfail) {
 	keytype = DROPBEAR_SIGNKEY_ANY;
 	if ( readhostkey(filename, key, &keytype) != DROPBEAR_SUCCESS ) {
 		if (warnfail) {
-			fprintf(stderr, "Failed loading keyfile '%s'\n", filename);
+			dropbear_log(LOG_WARNING, "Failed loading keyfile '%s'\n", filename);
 		}
 		sign_key_free(key);
 	} else {
@@ -806,3 +822,64 @@ badport:
 	dropbear_exit("Bad TCP port in '%s'", origstr);
 }
 #endif
+
+static int match_extendedopt(const char** strptr, const char *optname) {
+	int optlen = strlen(optname);
+	const char *str = *strptr;
+
+	if (strncasecmp(str, optname, optlen) != 0) {
+		return DROPBEAR_FAILURE;
+	}
+
+	str += optlen;
+
+	if (*str == '=') {
+		*strptr = str+1;
+		return DROPBEAR_SUCCESS;
+	} else {
+		return DROPBEAR_FAILURE;
+	}
+
+}
+
+static int parse_flag_value(const char *value) {
+	if (strcmp(value, "yes") == 0 || strcmp(value, "true") == 0) {
+		return 1;
+	} else if (strcmp(value, "no") == 0 || strcmp(value, "false") == 0) {
+		return 0;
+	}
+
+	dropbear_exit("Bad yes/no argument '%s'", value);
+}
+
+static void add_extendedopt(const char* origstr) {
+	const char *optstr = origstr;
+
+	if (strcmp(origstr, "help") == 0) {
+		dropbear_log(LOG_INFO, "Available options:\n"
+#ifdef ENABLE_CLI_ANYTCPFWD
+			"\tExitOnForwardFailure\n"
+#endif
+#ifndef DISABLE_SYSLOG
+			"\tUseSyslog\n"
+#endif
+		);
+		exit(EXIT_SUCCESS);
+	}
+
+#ifdef ENABLE_CLI_ANYTCPFWD
+	if (match_extendedopt(&optstr, "ExitOnForwardFailure") == DROPBEAR_SUCCESS) {
+		cli_opts.exit_on_fwd_failure = parse_flag_value(optstr);
+		return;
+	}
+#endif
+
+#ifndef DISABLE_SYSLOG
+	if (match_extendedopt(&optstr, "UseSyslog") == DROPBEAR_SUCCESS) {
+		opts.usingsyslog = parse_flag_value(optstr);
+		return;
+	}
+#endif
+
+	dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
+}

cli-session.c

@@ -41,7 +41,7 @@
 
 static void cli_remoteclosed() ATTRIB_NORETURN;
 static void cli_sessionloop();
-static void cli_session_init();
+static void cli_session_init(pid_t proxy_cmd_pid);
 static void cli_finished() ATTRIB_NORETURN;
 static void recv_msg_service_accept(void);
 static void cli_session_cleanup(void);
@@ -104,7 +104,7 @@ void cli_connected(int result, int sock, void* userdata, const char *errstring)
 	update_channel_prio();
 }
 
-void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress) {
+void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress, pid_t proxy_cmd_pid) {
 
 	common_session_init(sock_in, sock_out);
 
@@ -115,8 +115,7 @@ void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection
 	chaninitialise(cli_chantypes);
 
 	/* Set up cli_ses vars */
-	cli_session_init();
-
+	cli_session_init(proxy_cmd_pid);
 
 	/* Ready to go */
 	sessinitdone = 1;
@@ -140,7 +139,7 @@ static void cli_send_kex_first_guess() {
 }
 #endif
 
-static void cli_session_init() {
+static void cli_session_init(pid_t proxy_cmd_pid) {
 
 	cli_ses.state = STATE_NOTHING;
 	cli_ses.kex_state = KEX_NOTHING;
@@ -159,6 +158,8 @@ static void cli_session_init() {
 
 	cli_ses.retval = EXIT_SUCCESS; /* Assume it's clean if we don't get a
 									  specific exit status */
+	cli_ses.proxy_cmd_pid = proxy_cmd_pid;
+	TRACE(("proxy command PID='%d'", proxy_cmd_pid));
 
 	/* Auth */
 	cli_ses.lastprivkey = NULL;
@@ -268,6 +269,11 @@ static void cli_sessionloop() {
 			return;
 
 		case USERAUTH_SUCCESS_RCVD:
+#ifndef DISABLE_SYSLOG
+			if (opts.usingsyslog) {
+				dropbear_log(LOG_INFO, "Authentication succeeded.");
+			}
+#endif
 
 #ifdef DROPBEAR_NONE_CIPHER
 			if (cli_ses.cipher_none_after_auth)
@@ -334,12 +340,25 @@ static void cli_sessionloop() {
 
 }
 
+void kill_proxy_command(void) {
+	/*
+	 * Send SIGHUP to proxy command if used. We don't wait() in
+	 * case it hangs and instead rely on init to reap the child
+	 */
+	if (cli_ses.proxy_cmd_pid > 1) {
+		TRACE(("killing proxy command with PID='%d'", cli_ses.proxy_cmd_pid));
+		kill(cli_ses.proxy_cmd_pid, SIGHUP);
+	}
+}
+
 static void cli_session_cleanup(void) {
 
 	if (!sessinitdone) {
 		return;
 	}
 
+	kill_proxy_command();
+
 	/* Set std{in,out,err} back to non-blocking - busybox ash dies nastily if
 	 * we don't revert the flags */
 	fcntl(cli_ses.stdincopy, F_SETFL, cli_ses.stdinflags);

cli-tcpfwd.c

@@ -60,6 +60,23 @@ static const struct ChanType cli_chan_tcplocal = {
 };
 #endif
 
+#ifdef ENABLE_CLI_ANYTCPFWD
+static void fwd_failed(const char* format, ...) ATTRIB_PRINTF(1,2);
+void fwd_failed(const char* format, ...)
+{
+	va_list param;
+	va_start(param, format);
+
+	if (cli_opts.exit_on_fwd_failure) {
+		_dropbear_exit(EXIT_FAILURE, format, param);
+	} else {
+		_dropbear_log(LOG_WARNING, format, param);
+	}
+
+	va_end(param);
+}
+#endif
+
 #ifdef ENABLE_CLI_LOCALTCPFWD
 void setup_localtcp() {
 	m_list_elem *iter;
@@ -75,7 +92,7 @@ void setup_localtcp() {
 				fwd->connectaddr,
 				fwd->connectport);
 		if (ret == DROPBEAR_FAILURE) {
-			dropbear_log(LOG_WARNING, "Failed local port forward %s:%d:%s:%d",
+			fwd_failed("Failed local port forward %s:%d:%s:%d",
 					fwd->listenaddr,
 					fwd->listenport,
 					fwd->connectaddr,
@@ -181,7 +198,10 @@ void cli_recv_msg_request_failure() {
 		struct TCPFwdEntry *fwd = (struct TCPFwdEntry*)iter->item;
 		if (!fwd->have_reply) {
 			fwd->have_reply = 1;
-			dropbear_log(LOG_WARNING, "Remote TCP forward request failed (port %d -> %s:%d)", fwd->listenport, fwd->connectaddr, fwd->connectport);
+			fwd_failed("Remote TCP forward request failed (port %d -> %s:%d)",
+					fwd->listenport,
+					fwd->connectaddr,
+					fwd->connectport);
 			return;
 		}
 	}

common-algo.c

@@ -249,7 +249,8 @@ algo_type sshhostkey[] = {
 };
 
 static const struct dropbear_kex kex_dh_group1 = {DROPBEAR_KEX_NORMAL_DH, dh_p_1, DH_P_1_LEN, NULL, &sha1_desc };
-static const struct dropbear_kex kex_dh_group14 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha1_desc };
+static const struct dropbear_kex kex_dh_group14_sha1 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha1_desc };
+static const struct dropbear_kex kex_dh_group14_sha256 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha256_desc };
 
 /* These can't be const since dropbear_ecc_fill_dp() fills out
  ecc_curve at runtime */
@@ -285,7 +286,8 @@ algo_type sshkex[] = {
 	{"ecdh-sha2-nistp256", 0, &kex_ecdh_nistp256, 1, NULL},
 #endif
 #endif
-	{"diffie-hellman-group14-sha1", 0, &kex_dh_group14, 1, NULL},
+	{"diffie-hellman-group14-sha256", 0, &kex_dh_group14_sha256, 1, NULL},
+	{"diffie-hellman-group14-sha1", 0, &kex_dh_group14_sha1, 1, NULL},
 	{"diffie-hellman-group1-sha1", 0, &kex_dh_group1, 1, NULL},
 #ifdef USE_KEXGUESS2
 	{KEXGUESS2_ALGO_NAME, KEXGUESS2_ALGO_ID, NULL, 1, NULL},

dbclient.1

@@ -127,6 +127,22 @@ Specify a comma separated list of ciphers to enable. Use \fI-c help\fR to list p
 .B \-m \fIMAClist
 Specify a comma separated list of authentication MACs to enable. Use \fI-m help\fR to list possibilities.
 .TP
+.B \-o \fIoption
+Can be used to give options in the format used by OpenSSH config file. This is
+useful for specifying options for which there is no separate command-line flag.
+For full details of the options listed below, and their possible values, see
+ssh_config(5).
+
+For now following options have been implemented:
+.RS
+.TP
+.B ExitOnForwardFailure
+Specifies whether dbclient should terminate the connection if it cannot set up all requested local and remote port forwardings. The argument must be “yes” or “no”.  The default is “no”.
+.TP
+.B UseSyslog
+Send dbclient log messages to syslog in addition to stderr.
+.RE
+.TP
 .B \-s 
 The specified command will be requested as a subsystem, used for sftp. Dropbear doesn't implement sftp itself but the OpenSSH sftp client can be used eg \fIsftp -S dbclient user@host\fR
 .TP

dbutil.c

@@ -84,9 +84,9 @@ int debug_trace = 0;
 #endif
 
 #ifndef DISABLE_SYSLOG
-void startsyslog() {
+void startsyslog(const char *ident) {
 
-	openlog(PROGNAME, LOG_PID, LOG_AUTHPRIV);
+	openlog(ident, LOG_PID, LOG_AUTHPRIV);
 
 }
 #endif /* DISABLE_SYSLOG */

dbutil.h

@@ -31,7 +31,7 @@
 #include "queue.h"
 
 #ifndef DISABLE_SYSLOG
-void startsyslog();
+void startsyslog(const char *ident);
 #endif
 
 #ifdef __GNUC__

debian/changelog

@@ -1,3 +1,9 @@
+dropbear (2015.71-0.1) unstable; urgency=low
+
+  * New upstream release.
+
+ -- Matt Johnston <matt@ucc.asn.au>  Thu, 3 Dec 2015 22:52:58 +0800
+
 dropbear (2015.70-0.1) unstable; urgency=low
 
   * New upstream release.

runopts.h

@@ -40,6 +40,7 @@ typedef struct runopts {
 	unsigned int recv_window;
 	time_t keepalive_secs; /* Time between sending keepalives. 0 is off */
 	time_t idle_timeout_secs; /* Exit if no traffic is sent/received in this time */
+	int usingsyslog;
 
 #ifndef DISABLE_ZLIB
 	/* TODO: add a commandline flag. Currently this is on by default if compression
@@ -70,9 +71,9 @@ typedef struct svr_runopts {
 	char * bannerfile;
 
 	int forkbg;
-	int usingsyslog;
 
-	/* ports is an array of the portcount listening ports */
+	/* ports and addresses are arrays of the portcount 
+	listening ports. strings are malloced. */
 	char *ports[DROPBEAR_MAX_PORTS];
 	unsigned int portcount;
 	char *addresses[DROPBEAR_MAX_PORTS];
@@ -139,6 +140,9 @@ typedef struct cli_runopts {
 #ifdef ENABLE_CLI_PUBKEY_AUTH
 	m_list *privkeys; /* Keys to use for public-key auth */
 #endif
+#ifdef ENABLE_CLI_ANYTCPFWD
+	int exit_on_fwd_failure;
+#endif
 #ifdef ENABLE_CLI_REMOTETCPFWD
 	m_list * remotefwds;
 #endif

session.h

@@ -61,9 +61,10 @@ void svr_dropbear_exit(int exitcode, const char* format, va_list param) ATTRIB_N
 void svr_dropbear_log(int priority, const char* format, va_list param);
 
 /* Client */
-void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress) ATTRIB_NORETURN;
+void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress, pid_t proxy_cmd_pid) ATTRIB_NORETURN;
 void cli_connected(int result, int sock, void* userdata, const char *errstring);
 void cleantext(char* dirtytext);
+void kill_proxy_command();
 
 /* crypto parameters that are stored individually for transmit and receive */
 struct key_context_directional {
@@ -304,6 +305,7 @@ struct clientsession {
 	struct AgentkeyList *agentkeys; /* Keys to use for public-key auth */
 #endif
 
+	pid_t proxy_cmd_pid;
 };
 
 /* Global structs storing the state */

svr-main.c

@@ -145,7 +145,7 @@ void main_noinetd() {
 	if (svr_opts.forkbg) {
 		int closefds = 0;
 #ifndef DEBUG_TRACE
-		if (!svr_opts.usingsyslog) {
+		if (!opts.usingsyslog) {
 			closefds = 1;
 		}
 #endif
@@ -367,8 +367,8 @@ static void commonsetup() {
 
 	struct sigaction sa_chld;
 #ifndef DISABLE_SYSLOG
-	if (svr_opts.usingsyslog) {
-		startsyslog();
+	if (opts.usingsyslog) {
+		startsyslog(PROGNAME);
 	}
 #endif
 

svr-runopts.c

@@ -33,7 +33,7 @@
 svr_runopts svr_opts; /* GLOBAL */
 
 static void printhelp(const char * progname);
-static void addportandaddress(char* spec);
+static void addportandaddress(const char* spec);
 static void loadhostkey(const char *keyfile, int fatal_duplicate);
 static void addhostkey(const char *keyfile);
 
@@ -158,7 +158,7 @@ void svr_getopts(int argc, char ** argv) {
 	svr_opts.domotd = 1;
 #endif
 #ifndef DISABLE_SYSLOG
-	svr_opts.usingsyslog = 1;
+	opts.usingsyslog = 1;
 #endif
 	opts.recv_window = DEFAULT_RECV_WINDOW;
 	opts.keepalive_secs = DEFAULT_KEEPALIVE;
@@ -189,7 +189,7 @@ void svr_getopts(int argc, char ** argv) {
 					break;
 #ifndef DISABLE_SYSLOG
 				case 'E':
-					svr_opts.usingsyslog = 0;
+					opts.usingsyslog = 0;
 					break;
 #endif
 #ifdef ENABLE_SVR_LOCALTCPFWD
@@ -348,54 +348,56 @@ void svr_getopts(int argc, char ** argv) {
 	}
 }
 
-static void addportandaddress(char* spec) {
-
-	char *myspec = NULL;
+static void addportandaddress(const char* spec) {
+	char *spec_copy = NULL, *myspec = NULL, *port = NULL, *address = NULL;
 
 	if (svr_opts.portcount < DROPBEAR_MAX_PORTS) {
 
 		/* We don't free it, it becomes part of the runopt state */
-		myspec = m_strdup(spec);
+		spec_copy = m_strdup(spec);
+		myspec = spec_copy;
 
 		if (myspec[0] == '[') {
 			myspec++;
-			svr_opts.ports[svr_opts.portcount] = strchr(myspec, ']');
-			if (svr_opts.ports[svr_opts.portcount] == NULL) {
+			port = strchr(myspec, ']');
+			if (!port) {
 				/* Unmatched [ -> exit */
 				dropbear_exit("Bad listen address");
 			}
-			svr_opts.ports[svr_opts.portcount][0] = '\0';
-			svr_opts.ports[svr_opts.portcount]++;
-			if (svr_opts.ports[svr_opts.portcount][0] != ':') {
+			port[0] = '\0';
+			port++;
+			if (port[0] != ':') {
 				/* Missing port -> exit */
 				dropbear_exit("Missing port");
 			}
 		} else {
 			/* search for ':', that separates address and port */
-			svr_opts.ports[svr_opts.portcount] = strrchr(myspec, ':');
+			port = strrchr(myspec, ':');
 		}
 
-		if (svr_opts.ports[svr_opts.portcount] == NULL) {
+		if (!port) {
 			/* no ':' -> the whole string specifies just a port */
-			svr_opts.ports[svr_opts.portcount] = myspec;
+			port = myspec;
 		} else {
 			/* Split the address/port */
-			svr_opts.ports[svr_opts.portcount][0] = '\0'; 
-			svr_opts.ports[svr_opts.portcount]++;
-			svr_opts.addresses[svr_opts.portcount] = myspec;
+			port[0] = '\0'; 
+			port++;
+			address = myspec;
 		}
 
-		if (svr_opts.addresses[svr_opts.portcount] == NULL) {
+		if (!address) {
 			/* no address given -> fill in the default address */
-			svr_opts.addresses[svr_opts.portcount] = m_strdup(DROPBEAR_DEFADDRESS);
+			address = DROPBEAR_DEFADDRESS;
 		}
 
-		if (svr_opts.ports[svr_opts.portcount][0] == '\0') {
+		if (port[0] == '\0') {
 			/* empty port -> exit */
 			dropbear_exit("Bad port");
 		}
-
+		svr_opts.ports[svr_opts.portcount] = m_strdup(port);
+		svr_opts.addresses[svr_opts.portcount] = m_strdup(address);
 		svr_opts.portcount++;
+		m_free(spec_copy);
 	}
 }
 

svr-session.c

@@ -204,7 +204,7 @@ void svr_dropbear_log(int priority, const char* format, va_list param) {
 	vsnprintf(printbuf, sizeof(printbuf), format, param);
 
 #ifndef DISABLE_SYSLOG
-	if (svr_opts.usingsyslog) {
+	if (opts.usingsyslog) {
 		syslog(priority, "%s", printbuf);
 	}
 #endif
@@ -215,8 +215,7 @@ void svr_dropbear_log(int priority, const char* format, va_list param) {
 	havetrace = debug_trace;
 #endif
 
-	if (!svr_opts.usingsyslog || havetrace)
-	{
+	if (!opts.usingsyslog || havetrace) {
 		struct tm * local_tm = NULL;
 		timesec = time(NULL);
 		local_tm = localtime(&timesec);

sysoptions.h

@@ -4,7 +4,7 @@
  *******************************************************************/
 
 #ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "2015.70"
+#define DROPBEAR_VERSION "2015.71"
 #endif
 
 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION