merge from main

--HG-- branch : fuzz
2025-03-03 10:41:39 +00:00 · 2018-02-28 21:28:59 +08:00 · 2018-02-28 21:28:59 +08:00 · 9bbce01e1b
commit 9bbce01e1b
parent 5df73215f8 bbe02dc3cf
13 changed files with 70 additions and 22 deletions
--- a/.hgsigs
+++ b/.hgsigs
@ -23,3 +23,4 @@ fd1981f41c626a969f07b4823848deaefef3c8aa 0 iQIcBAABCgAGBQJW4W2TAAoJEESTFJTynGdzu
 70705edee9dd29cd3d410f19fbd15cc3489313e2 0 iQIcBAABCgAGBQJW7CQRAAoJEESTFJTynGdzTj0QAJL38CKSZthBAeI9c6B+IlwIeT6kPZaPqk1pkycCTWOe87NiNU9abrsF+JrjTuRQiO1EpM2IvfQEIXTijUcMxvld3PnzrZDDv6UvBLtOkn3i++HSVRO0MOuTKI8gFDEPUxRtcaCKXEbqYnf1OTK25FT09Vb//qP9mK1thvlLJmbV+D2a9MkMK66rom1d1h+347IsuwsM+ycHjB80VVAQLA7VYLC5YIwmL17dSmcQLvetfikAMwwmUE+KES4qiLSaqOcAWcKcU67RZzgMMv5o0rESlQmv1nj0mHZtHoUR71sd21emPaRXLOr0oT5YogWUphKq2qVthRn2B06+vd3hPdtn92CmJw9j7zT2jl4OeSjNm9qfAajsRzHIANssFxkGAb7w/LxcMoO29JC+01iUUJMdOVm+4Ns6wGI7qxssWPKdB+VbQUDlHrXLR+sopO524uhkYoWB6DVfTj4R6tImaHtj5/VXON0lsYaLGj8cSH60emL6nNQ0lYV/bSlk6l0s+0x3uXGZnp9oKA+vqMzHfG3vJeMm6KUqtFVjUsYx+q8nHm5/SlWxj1EwnkH8s8ELKZAUXjd76nWEwJ7JFRNRSQWvjOUh3/rsOo4JopzZXPsjCjm+Vql9TG0X6hB21noai32oD5RvfhtR/NX6sXNS5TKZz/j/cMsMnAAsSKb6W7Jm
 9030ffdbe5625e35ed7189ab84a41dfc8d413e9c 0 iQIcBAABCgAGBQJXkOg0AAoJEESTFJTynGdzc1kP/3vSKCnhOOvjCjnpTQadYcCUq8vTNnfLHYVu0R4ItPa/jT6RmxoaYP+lZnLnnBx9+aX7kzwHsa9BUX3MbMEyLrOzX2I+bDJbNPhQyupyCuPYlf5Q9KVcO9YlpbsC4q5XBzCn3j2+pT8kSfi9uD8fgY3TgE4w9meINrfQAealfjwMLT8S/I49/ni0r+usSfk/dnSShJYDUO7Ja0VWbJea/GkkZTu30bCnMUZPjRApipU3hPP63WFjkSMT1rp2mAXbWqyr9lf8z32yxzM9nMSjq4ViRFzFlkGtE3EVRJ4PwkO7JuiWAMPJpiQcEr+r52cCsmWhiGyHuINo01MwoMO9/n6uL1WVa3mJcE9se3xBOvfgDu2FRFGCAdm1tef+AGVo9EG1uJXi0sX2yUc6DMeuYaRWrXMMlZh7zp9cuNU9Y/lLui9RFmq66yeXG3Z2B72doju3Ig5QGrNNw2AOsSzeHdAtOp6ychqPcl9QfIeJQG18KyPSefZKM3G8YRKBRIwXFEH6iZJe5ZIP4iXrHDMn2JqtTRtDqKR8VNDAgb9z4Ffx8QRxFyj5JzTTMM1GddHb9udLvTQlO0ULYG7hCSMRNzvUBE2aTw8frjLRyfyyg3QpDu/hz8op8s1ecE8rTCD8RuX9DiiylNozypPtGNS+UDbAmkc1PCWaRpPVl+9K6787
 5c9207ceedaea794f958224c19214d66af6e2d56 0 iQIzBAABCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAlkdtooACgkQRJMUlPKcZ3P6ZxAAmLy/buZB/d96DJF/pViRWt/fWdjQFC4MqWfeSLW02OZ8Qkm1vPL3ln6WPHC2thy3xZWVg2uan3pLk/XXnsIFu8Q7r1EAfFFpvlMUmdl7asE8V6ilaeqmiI7bIvGMFbf4cZkQliLjiFkJX56tFHRCNi+rb7WgRuru3/GzPXUq2AvXZvFpFJgik0B72TxVlmCKeBRZq1FvP0UhAH48RJWYJksdEyzh2paMfjX9ZO5Q2SFFrmPw6k2ArdJFC1AYcgceZC84y06RKJ0WiSntUPlEUXgQbQVVWbtQDhjfJXMr/beuroNdT/vsRraLVkAzvhaDXNnHlAJNLQxci+AcLpnzZhxMW+ax7RRtrpXGxRN4cs0lBGUcSkaDybFqMYXwEjXAE8w6fdJRWCIlxctkAW/iNEO4kAG97hI2Qwcw5oU2Ymnv09zyGR+XJE35pJqPulJHExdwanJHvmjH0QF7TNFS82yxS5dKnP954cj3Lu9SWGYWjxQJRmLtOwb+lqqol4VTxG7Ois4uef9/Tpp9skeMZXVeNlpn2wrp6iFcX3uiiVDg9VKkl3ig6UqCiqQSuiIN87RXwUOeHXlCnW3adz3Xei0ziBrwLSql7lBIHGEAlUUNmJ3CrR8IwQtcynGEMKfNIeZ/XK+uNlm9cJIqZf1fzqc8KexlyS9AS0i/kiYZTr4=
+2f0c3f3361d3ea4eb9129ed8810699fda7e7a8ee 0 iQIzBAABCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAlqVb+IACgkQRJMUlPKcZ3OENA//R9HsOUJQB2QZjRgAvqgLn2AMLUvmWb2etTZEc3Nps957Fw1F4kjh6VGfIpWuytfsDx1W8qRx09ikTdb3YteMWCuX8/aFreSPrioYmzrAEcxkZdA7B/jciqU0iXuHiJ9saKk5TR70aNp+iRy0hjAgiYEsVMF9YKHzULOJcHr70x9XVKquubQkwNqJA+/b2JbK2j46wM5nVK/alGSI2kMmEzXmAHQxsvf1OLMvgH8ou/l0xsg/CuFEK299XKfZAbsFEXrjuoWZ1aSa6rTeOWsWli5T+czyyJHI4Eu0Sz/gaR8+MPhJSYes8YjvzEdv32rRMDVOdBq4e+HoTgFt/THYABP6/R1H5fX3Lm4K8u9F9SwJbb/YKRAIrfWDob8ApnGFHk2dyYO20Fskbbg6b1pC7ulDWsufu8lYkQyMlTc3dR6P4eTB6mKO4x+gMG6tIYZ60fiULoEnMJCgegPtevmz+TG1rzdjh3ljiw9Dxz5lNtL+W7sBKKHwhyG0u+bavgmvBMKNL/rdHEM+0yCIz1U6Lb8sVaST1E4zbdm7cWHbSozBij3G0GBSkLFEq7ZLlh8wco9rELRh0Y9fFsWY9j6H/PTOu0GfHrYluFb9WGywHAquQY8j2croRx+MrvTbR1wZrbevPNm9gqk3vgOiDWu7KwxLLqcj+dEQ7tccptVYtbM=
--- a/.hgtags
+++ b/.hgtags
@ -55,3 +55,4 @@ cbd674d63cd4f3781464a8d4056a5506c8ae926f DROPBEAR_2015.67
 309e1c4a87682b6ca7d80b8555a1db416c3cb7ac DROPBEAR_2016.73
 0ed3d2bbf956cb8a9bf0f4b5a86b7dd9688205cb DROPBEAR_2016.74
 c31276613181c5cff7854e7ef586ace03424e55e DROPBEAR_2017.75
+1c66ca4f3791c82501c88e7637312182c7294978 DROPBEAR_2018.76
--- a/41
+++ b/41
@ -1,6 +1,7 @@
-Upcoming...
+2018.76 - 27 February 2018

- IMPORTANT:
+> > > Configuration/compatibility changes
+  IMPORTANT
  Custom configuration is now specified in local_options.h rather than options.h
  Available options and defaults can be seen in default_options.h

@ -9,10 +10,10 @@ Upcoming...
  be put in localoptions.h

 - "configure --enable-static" should now be used instead of "make STATIC=1"
+  This will avoid 'hardened build' flags that conflict with static binaries

- Add group14-256 and group16 key exchange options
-
- Set hardened build flags by default if supported by the compiler.
+- Set 'hardened build' flags by default if supported by the compiler.
+  These can be disabled with configure --disable-harden if needed.
  -Wl,-pie
  -Wl,-z,now -Wl,-z,relro
  -fstack-protector-strong
@ -21,9 +22,24 @@ Upcoming...
  -mfunction-return=thunk
  -mindirect-branch=thunk

-  These can be disabled with configure --disable-harden if needed
  Spectre patch from Loganaden Velvindron

+- "dropbear -r" option for hostkeys no longer attempts to load the default
+  hostkey paths as well. If desired these can be specified manually. 
+  Patch from CamVan Nguyen
+
+- group1-sha1 key exchange is disabled in the server by default since
+  the fixed 1024-bit group may be susceptible to attacks
+
+- twofish ciphers are now disabled in the default configuration
+
+- Default generated ECDSA key size is now 256 (rather than 521) 
+  for better interoperability
+
+- Minimum RSA key length has been increased to 1024 bits
+
+> > > Other features and fixes
+
 - Add runtime -T max_auth_tries option from Kevin Darbyshire-Bryant

 - Add 'dbclient -J &fd' to allow dbclient to connect over an existing socket.
@ -31,18 +47,25 @@ Upcoming...

 - Add "-c forced_command" option. Patch from Jeremy Kerr

+- Restricted group -G option added with patch from stellarpower
+
 - Support server-chosen TCP forwarding ports, patch from houseofkodai

 - Allow choosing outgoing address for dbclient with -b [bind_address][:bind_port]
  Patch from houseofkodai

- Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1
+- Makefile will now rebuild object files when header files are modified

- Minimum RSA key length has been increased to 1024 bits
+- Add group14-256 and group16 key exchange options
+
+- curve25519-sha256 also supported without @libssh.org suffix
+
+- Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1
+  This fixes building with some recent versions of clang

 - Set PAM_RHOST which is needed by modules such as pam_abl

- Improvements to DSS public key validation, found by OSS-Fuzz. 
+- Improvements to DSS and RSA public key validation, found by OSS-Fuzz. 

 - Don't exit when an authorized_keys file has malformed entries. Found by OSS-Fuzz

--- a/Makefile.in
+++ b/Makefile.in
@ -19,6 +19,7 @@ LIBTOM_LIBS=@LIBTOM_LIBS@

 ifeq (@BUNDLED_LIBTOM@, 1)
 LIBTOM_DEPS=$(STATIC_LTC) $(STATIC_LTM) 
+LIBTOM_CLEAN=ltc-clean ltm-clean
 CFLAGS+=-I$(srcdir)/libtomcrypt/src/headers/
 LIBTOM_LIBS=$(STATIC_LTC) $(STATIC_LTM)
 endif
@ -226,7 +227,7 @@ ltm-clean:
 sizes: dropbear
 	objdump -t dropbear|grep ".text"|cut -d "." -f 2|sort -rn

-clean: ltc-clean ltm-clean thisclean
+clean: $(LIBTOM_CLEAN) thisclean

 thisclean:
 	-rm -f dropbear$(EXEEXT) dbclient$(EXEEXT) dropbearkey$(EXEEXT) \
--- a/4
+++ b/4
@ -8,8 +8,8 @@ which performs multiple tasks, to save disk space)

 SMALL has some tips on creating small binaries.

-See TODO for a few of the things I know need looking at, and please contact
-me if you have any questions/bugs found/features/ideas/comments etc :)
+Please contact me if you have any questions/bugs found/features/ideas/comments etc :)
+There is also a mailing list http://lists.ucc.gu.uwa.edu.au/mailman/listinfo/dropbear

 Matt Johnston
 matt@ucc.asn.au
--- a/configure.ac
+++ b/configure.ac
@ -339,9 +339,9 @@ AC_SUBST(DROPBEAR_FUZZ)
 # Checks for header files.
 AC_HEADER_STDC
 AC_HEADER_SYS_WAIT
-AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h \
-	string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h \
-	pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h \
+AC_CHECK_HEADERS([netinet/in.h netinet/tcp.h \
+	crypt.h \
+	pty.h libutil.h libgen.h inttypes.h stropts.h utmp.h \
 	utmpx.h lastlog.h paths.h util.h netdb.h security/pam_appl.h \
 	pam/pam_appl.h netinet/in_systm.h sys/uio.h linux/pkt_sched.h])

@ -498,7 +498,6 @@ AC_CHECK_FUNCS(mach_absolute_time)

 AC_CHECK_FUNCS(explicit_bzero memset_s)

-
 AC_ARG_ENABLE(bundled-libtom,
 [  --enable-bundled-libtom       Force using bundled libtomcrypt/libtommath even if a system version exists.
  --disable-bundled-libtom      Force using system libtomcrypt/libtommath, fail if it does not exist.
@ -794,7 +793,9 @@ fi
 AC_PROG_GCC_TRADITIONAL
 AC_FUNC_MEMCMP
 AC_FUNC_SELECT_ARGTYPES
-AC_CHECK_FUNCS([dup2 getpass getspnam getusershell memset putenv select socket strdup clearenv strlcpy strlcat daemon basename _getpty getaddrinfo freeaddrinfo getnameinfo fork writev])
+AC_CHECK_FUNCS([getpass getspnam getusershell putenv])
+AC_CHECK_FUNCS([clearenv strlcpy strlcat daemon basename _getpty getaddrinfo ])
+AC_CHECK_FUNCS([freeaddrinfo getnameinfo fork writev getgrouplist])

 AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME))

--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,9 @@
+dropbear (2018.76-0.1) unstable; urgency=low
+
+  * New upstream release.
+
+ -- Matt Johnston <matt@ucc.asn.au>  Tue, 27 Feb 2018 22:51:57 +0800
+
 dropbear (2017.75-0.1) unstable; urgency=low

  * New upstream release.
--- a/debian/dropbear.docs
+++ b/debian/dropbear.docs
@ -1,4 +1,3 @@
 README
-TODO
 debian/README.runit
 debian/README.Debian.diet
--- a/runopts.h
+++ b/runopts.h
@ -92,8 +92,14 @@ typedef struct svr_runopts {
 #endif

 	int norootlogin;
+
+#ifdef HAVE_GETGROUPLIST
+	/* restrict_group is the group name if group restriction was enabled, 
+	NULL otherwise */
 	char *restrict_group;
+	/* restrict_group_gid is only valid if restrict_group is set */
 	gid_t restrict_group_gid;
+#endif

 	int noauthpass;
 	int norootpass;
--- a/svr-auth.c
+++ b/svr-auth.c
@ -197,6 +197,7 @@ out:
 	m_free(methodname);
 }

+#ifdef HAVE_GETGROUPLIST
 /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
 static int check_group_membership(gid_t check_gid, const char* username, gid_t user_gid) {
 	int ngroups, i, ret;
@ -230,7 +231,7 @@ static int check_group_membership(gid_t check_gid, const char* username, gid_t u

 	return match;
 }
-
+#endif

 /* Check that the username exists and isn't disallowed (root), and has a valid shell.
 * returns DROPBEAR_SUCCESS on valid username, DROPBEAR_FAILURE on failure */
@ -300,6 +301,7 @@ static int checkusername(const char *username, unsigned int userlen) {
 	}

 	/* check for login restricted to certain group if desired */
+#ifdef HAVE_GETGROUPLIST
 	if (svr_opts.restrict_group) {
 		if (check_group_membership(svr_opts.restrict_group_gid,
 				ses.authstate.pw_name, ses.authstate.pw_gid) == DROPBEAR_FAILURE) {
@ -310,6 +312,7 @@ static int checkusername(const char *username, unsigned int userlen) {
 			return DROPBEAR_FAILURE;
 		}
 	}
+#endif HAVE_GETGROUPLIST

 	TRACE(("shell is %s", ses.authstate.pw_shell))

--- a/svr-runopts.c
+++ b/svr-runopts.c
@ -70,7 +70,9 @@ static void printhelp(const char * progname) {
 					"-m		Don't display the motd on login\n"
 #endif
 					"-w		Disallow root logins\n"
+#ifdef HAVE_GETGROUPLIST
 					"-G		Restrict logins to members of specified group\n"
+#endif
 #if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
 					"-s		Disable password logins\n"
 					"-g		Disable password logins for root\n"
@ -135,8 +137,10 @@ void svr_getopts(int argc, char ** argv) {
 	svr_opts.forced_command = NULL;
 	svr_opts.forkbg = 1;
 	svr_opts.norootlogin = 0;
+#ifdef HAVE_GETGROUPLIST
 	svr_opts.restrict_group = NULL;
 	svr_opts.restrict_group_gid = 0;
+#endif
 	svr_opts.noauthpass = 0;
 	svr_opts.norootpass = 0;
 	svr_opts.allowblankpass = 0;
@ -235,9 +239,11 @@ void svr_getopts(int argc, char ** argv) {
 				case 'w':
 					svr_opts.norootlogin = 1;
 					break;
+#ifdef HAVE_GETGROUPLIST
 				case 'G':
 					next = &svr_opts.restrict_group;
 					break;
+#endif
 				case 'W':
 					next = &recv_window_arg;
 					break;
@ -340,6 +346,7 @@ void svr_getopts(int argc, char ** argv) {
 		buf_setpos(svr_opts.banner, 0);
 	}

+#ifdef HAVE_GETGROUPLIST
 	if (svr_opts.restrict_group) {
 		struct group *restrictedgroup = getgrnam(svr_opts.restrict_group);

@ -348,8 +355,8 @@ void svr_getopts(int argc, char ** argv) {
 		} else {
 			dropbear_exit("Cannot restrict logins to group '%s' as the group does not exist", svr_opts.restrict_group);
 		}
-
 	}
+#endif
 	
 	if (recv_window_arg) {
 		opts.recv_window = atol(recv_window_arg);
--- a/svr-tcpfwd.c
+++ b/svr-tcpfwd.c
@ -86,7 +86,7 @@ void recv_msg_global_request_remotetcp() {
 	}

 	if (strcmp("tcpip-forward", reqname) == 0) {
-		int allocated_listen_port;
+		int allocated_listen_port = 0;
 		ret = svr_remotetcpreq(&allocated_listen_port);
 		/* client expects-port-number-to-make-use-of-server-allocated-ports */
 		if (DROPBEAR_SUCCESS == ret) {
--- a/sysoptions.h
+++ b/sysoptions.h
@ -4,7 +4,7 @@
 *******************************************************************/

 #ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "2017.75"
+#define DROPBEAR_VERSION "2018.76"
 #endif

 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION