ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-01-31 10:57:01 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,634 Commits 5 Branches 63 Tags 14 MiB
38d7da5fe5
Commit Graph

97 Commits

Author SHA1 Message Date
Dirkjan Bussink
38d7da5fe5
Fix handling of replies to global requests (#112) 
The current code assumes that all global requests want / need a reply.
This isn't always true and the request itself indicates if it wants a
reply or not.

It causes a specific problem with hostkeys-00@openssh.com messages.
These are sent by OpenSSH after authentication to inform the client of
potential other host keys for the host. This can be used to add a new
type of host key or to rotate host keys.

The initial information message from the server is sent as a global
request, but with want_reply set to false. This means that the server
doesn't expect an answer to this message. Instead the client needs to
send a prove request as a reply if it wants to receive proof of
ownership for the host keys.

The bug doesn't cause any current problems with due to how OpenSSH
treats receiving the failure message. It instead treats it as a
keepalive message and further ignores it.

Arguably this is a protocol violation though of Dropbear and it is only
accidental that it doesn't cause a problem with OpenSSH.

The bug was found when adding host keys support to libssh, which is more
strict protocol wise and treats the unexpected failure message an error,
also see https://gitlab.com/libssh/libssh-mirror/-/merge_requests/145
for more information.

The fix here is to honor the want_reply flag in the global request and
to only send a reply if the other side expects a reply.
 2020-12-10 23:13:13 +08:00
Matt Johnston
33eba22966 Add fuzzer-client_nomaths, fix client fuzzer 
--HG--
branch : fuzz
 2020-10-18 15:08:54 +08:00
Matt Johnston
282fc81981 Get client fuzzer building and starting (fails straight away) 
--HG--
branch : fuzz
 2020-10-18 12:17:39 +08:00
Matt Johnston
6a3bc73a78 fix typo 2020-05-26 20:15:00 +08:00
Matt Johnston
5acee497bf ext-info handling for server-sig-algs 
only client side is handled
 2020-05-19 00:31:41 +08:00
Matt Johnston
fe992bf4ea Split ChanType closehandler() and cleanup() so that dbclient doesn't 
lose exit status messages
 2018-11-14 22:57:56 +08:00
François Perrad
2e836bb553 more linting (#58) 
* const parameter

* fix indentation
 2018-02-26 21:31:15 +08:00
Matt Johnston
a1aa161527 make signal flags volatile, simplify handling 2018-02-14 23:06:01 +08:00
Matt Johnston
c81e530d3c missed saving a file removing none cipher 2018-02-09 23:58:13 +08:00
Francois Perrad
5f76e4c1ed when pointer, use NULL instead of 0 2017-06-02 18:14:31 +02:00
Ben Gardner
100cbc5f3f Use DROPBEAR_PATH_DEVNULL instead of undefined _PATH_DEVNULL 2016-05-25 09:52:23 -05:00
Matt Johnston
32a28d0d9c Convert #ifdef to #if, other build changes 2016-05-04 15:33:40 +02:00
Matt Johnston
c830d30553 merge 2016-03-16 22:53:27 +08:00
Francois Perrad
3e20c442de fix empty C prototypes 2016-03-16 22:41:20 +08:00
Matt Johnston
6b5c6af613 ignore return value from fcntl() 2016-03-15 23:03:43 +08:00
Konstantin Tokarev
3cb278c35c Support syslog logging in dbclient. 2015-12-15 16:52:53 +03:00
Konstantin Tokarev
960364d953 Client: kill proxy command when exiting application. 2015-12-03 16:22:29 +03:00
Matt Johnston
1a4db21fe4 buf_getstring and buf_putstring now use non-unsigned char* 2015-06-04 23:08:50 +08:00
Matt Johnston
e7ac4c1ab3 Merge pull request #13 from gazoo74/fix-warnings 
Fix warnings
 2015-06-04 22:25:28 +08:00
Gaël PORTAY
7928d83b02 Turn cleantext()'s dirtytext argument into char * 2015-05-05 20:39:13 +02:00
Gaël PORTAY
224b16b247 Fix pointer differ in signess warnings [-Werror=pointer-sign] 2015-05-05 20:39:13 +02:00
Matt Johnston
0e1dee828a Make sure kexfirstinitialise is called early enough 2015-05-03 00:00:35 +08:00
Matt Johnston
31e379c300 merge from default 
--HG--
branch : fastopen
 2015-02-28 09:06:40 +08:00
Matt Johnston
1809f741cb Add more ATTRIB_NORETURN annotations, from Thorsten Horstmann 2015-02-24 22:36:20 +08:00
Matt Johnston
364a53577e Move generic network routines to netio.c 
--HG--
branch : fastopen
 2015-02-20 23:16:38 +08:00
Matt Johnston
1b1997bf2d Update priority once the socket is open 
--HG--
branch : fastopen
 2015-02-20 22:13:53 +08:00
Matt Johnston
76a3eb393c In theory TFO should work. Needs platform cleanup and testing 
--HG--
branch : fastopen
 2015-02-19 00:32:00 +08:00
Matt Johnston
755c1458f0 async connections working 
--HG--
branch : fastopen
 2015-02-18 22:46:15 +08:00
Matt Johnston
6d2d3669f3 Make keepalive handling more robust, this should now match what OpenSSH does 2014-08-19 23:08:56 +08:00
Matt Johnston
10eb218fb0 Don't send SSH_MSG_UNIMPLEMENTED for keepalive responses 2014-08-13 21:48:47 +08:00
Matt Johnston
50a5d3756f Send a failure response if a client receives a global request 2014-07-08 21:59:36 +08:00
Matt Johnston
61cecbb337 DROPBEAR_CLI_AUTH_IMMEDIATE fixed, now enabled by default 2014-01-17 21:39:27 +08:00
Matt Johnston
cbe63bbabe rename random.h to dbrandom.h since some OSes have a system random.h 
--HG--
rename : random.c => dbrandom.c
rename : random.h => dbrandom.h
 2013-11-14 22:05:47 +08:00
Matt Johnston
de1deaf0bd use oldstyle comments 2013-11-14 22:03:30 +08:00
Matt Johnston
04518e9e80 merge in HEAD 
--HG--
branch : ecc
 2013-05-21 12:09:35 +08:00
Matt Johnston
95a21c8fd7 ecdsa is working 
--HG--
branch : ecc
 2013-05-03 23:07:48 +08:00
Matt Johnston
7f091e7019 start on ecdsa keys 
--HG--
branch : ecc
 2013-04-09 00:36:04 +08:00
Matt Johnston
2fdb5fd6ce setup tcp after requesting a channel - might hide some DNS latency 2013-04-04 07:51:13 +08:00
Matt Johnston
7f42096d0f Take transmit and receive keys into use separately 2013-04-04 00:18:50 +08:00
Matt Johnston
286fa93a8d fix leftover kexguess debugging 2013-04-03 07:34:18 +08:00
Matt Johnston
1a16da38d5 merge kexguess branch 2013-04-03 00:49:24 +08:00
Matt Johnston
cbd3d5e3a5 Put some #ifdef options around first-follows options in case they 
need to be disabled

--HG--
branch : kexguess
 2013-04-03 00:43:31 +08:00
Matt Johnston
78fbed8c3e Don't usually need to recalculate dh_e for the repeated kexdh_init packet 
--HG--
branch : kexguess
 2013-04-03 00:32:55 +08:00
Matt Johnston
ff2aa20565 Be a bit more careful about when we want to use CLI_AUTH_IMMEDIATE 
Only use it if we have pubkeys to try, or we have $DROPBEAR_PASSWORD set
 2013-04-02 00:11:53 +08:00
Matt Johnston
90b5691183 Run the cleanup handler also when we close due to TCP connection being closed 2013-04-01 22:26:55 +08:00
Matt Johnston
e5072c6b12 merge from head roundtrip changes 
--HG--
branch : kexguess
 2013-04-01 00:13:41 +08:00
Matt Johnston
90cf7f012c Move the more verbose TRACE() statements into TRACE2() 2013-04-01 00:07:26 +08:00
Matt Johnston
36526700a9 Don't bother waiting for a ssh-connection service reply - the server 
will disconnect if it wasn't accepted
 2013-03-31 21:38:17 +08:00
Matt Johnston
32294978a3 merge 
--HG--
branch : kexguess
 2013-03-31 00:41:15 +08:00
Matt Johnston
a0e931005b send out our kexinit packet before blocking to read the SSH version string 2013-03-31 00:40:00 +08:00