ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-06-26 18:17:32 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: ClearML:DROPBEAR_2022.83
Branches Tags
ClearML:master ClearML:main ClearML:maemo ClearML:matt-sk ClearML:coverity
ClearML:DROPBEAR_CLEARML_2024.86 ClearML:sync_DROPBEAR_2024.86 ClearML:DROPBEAR_CLEARML_2023.02 ClearML:DROPBEAR_2022.83 ClearML:maemo-0.52-2 ClearML:DROPBEAR_2022.82 ClearML:DROPBEAR_2020.81 ClearML:DROPBEAR_2020.80 ClearML:DROPBEAR_2020.79 ClearML:DROPBEAR_2019.78 ClearML:DROPBEAR_2019.77 ClearML:DROPBEAR_2018.76 ClearML:DROPBEAR_2017.75 ClearML:DROPBEAR_2016.74 ClearML:DROPBEAR_2016.73 ClearML:DROPBEAR_2016.72 ClearML:DROPBEAR_2015.71 ClearML:DROPBEAR_2015.70 ClearML:DROPBEAR_2015.69 ClearML:DROPBEAR_2015.68 ClearML:DROPBEAR_2015.67 ClearML:DROPBEAR_2014.66 ClearML:DROPBEAR_2014.65 ClearML:DROPBEAR_2014.64 ClearML:DROPBEAR_2014.63 ClearML:DROPBEAR_2013.62 ClearML:DROPBEAR_2013.61test ClearML:DROPBEAR_2013.60 ClearML:DROPBEAR_2013.59 ClearML:DROPBEAR_2013.58 ClearML:DROPBEAR_2013.57 ClearML:DROPBEAR_2013.56 ClearML:DROPBEAR_2012.55 ClearML:DROPBEAR_2011.54 ClearML:DROPBEAR_0.53.1 ClearML:DROPBEAR_0.53 ClearML:DROPBEAR_0.52 ClearML:DROPBEAR_0.51 ClearML:DROPBEAR_0.50 ClearML:DROPBEAR_0.49 ClearML:libtommath-0.40 ClearML:libtomcrypt-1.16 ClearML:DROPBEAR_0.48.1 ClearML:DROPBEAR_0.48 ClearML:libtommath-0.35 ClearML:libtomcrypt-1.05 ClearML:DROPBEAR_0.47 ClearML:LTC_DB_0.47 ClearML:DROPBEAR_0.46 ClearML:LTC_DB_0.46 ClearML:LTC_1.05 ClearML:LTM_DB_0.47 ClearML:LTM_DB_0.46 ClearML:LTM_0.35 ClearML:DROPBEAR_0.45 ClearML:DROPBEAR_0.44 ClearML:LTC_DB_0.44 ClearML:LTM_DB_0.44 ClearML:DROPBEAR_0.44test4 ClearML:DROPBEAR_0.44test3 ClearML:DROPBEAR_0.44test2 ClearML:DROPBEAR_0.44test1 ClearML:ltm-0.30-orig
..
compare: ClearML:maemo
Branches Tags
ClearML:master ClearML:main ClearML:maemo ClearML:matt-sk ClearML:coverity
ClearML:DROPBEAR_CLEARML_2024.86 ClearML:sync_DROPBEAR_2024.86 ClearML:DROPBEAR_CLEARML_2023.02 ClearML:DROPBEAR_2022.83 ClearML:maemo-0.52-2 ClearML:DROPBEAR_2022.82 ClearML:DROPBEAR_2020.81 ClearML:DROPBEAR_2020.80 ClearML:DROPBEAR_2020.79 ClearML:DROPBEAR_2019.78 ClearML:DROPBEAR_2019.77 ClearML:DROPBEAR_2018.76 ClearML:DROPBEAR_2017.75 ClearML:DROPBEAR_2016.74 ClearML:DROPBEAR_2016.73 ClearML:DROPBEAR_2016.72 ClearML:DROPBEAR_2015.71 ClearML:DROPBEAR_2015.70 ClearML:DROPBEAR_2015.69 ClearML:DROPBEAR_2015.68 ClearML:DROPBEAR_2015.67 ClearML:DROPBEAR_2014.66 ClearML:DROPBEAR_2014.65 ClearML:DROPBEAR_2014.64 ClearML:DROPBEAR_2014.63 ClearML:DROPBEAR_2013.62 ClearML:DROPBEAR_2013.61test ClearML:DROPBEAR_2013.60 ClearML:DROPBEAR_2013.59 ClearML:DROPBEAR_2013.58 ClearML:DROPBEAR_2013.57 ClearML:DROPBEAR_2013.56 ClearML:DROPBEAR_2012.55 ClearML:DROPBEAR_2011.54 ClearML:DROPBEAR_0.53.1 ClearML:DROPBEAR_0.53 ClearML:DROPBEAR_0.52 ClearML:DROPBEAR_0.51 ClearML:DROPBEAR_0.50 ClearML:DROPBEAR_0.49 ClearML:libtommath-0.40 ClearML:libtomcrypt-1.16 ClearML:DROPBEAR_0.48.1 ClearML:DROPBEAR_0.48 ClearML:libtommath-0.35 ClearML:libtomcrypt-1.05 ClearML:DROPBEAR_0.47 ClearML:LTC_DB_0.47 ClearML:DROPBEAR_0.46 ClearML:LTC_DB_0.46 ClearML:LTC_1.05 ClearML:LTM_DB_0.47 ClearML:LTM_DB_0.46 ClearML:LTM_0.35 ClearML:DROPBEAR_0.45 ClearML:DROPBEAR_0.44 ClearML:LTC_DB_0.44 ClearML:LTM_DB_0.44 ClearML:DROPBEAR_0.44test4 ClearML:DROPBEAR_0.44test3 ClearML:DROPBEAR_0.44test2 ClearML:DROPBEAR_0.44test1 ClearML:ltm-0.30-orig

1 Commits
DROPBEAR_2 ... maemo

Author SHA1 Message Date
Matt Johnston
4e1b9c8280 Import Maemo changes from 0.52-2 
Taken from source tarball
http://maemo.org/packages/source/view/fremantle_extras-devel_free_source/dropbear/0.52-2/
 2022-09-23 18:38:58 +08:00
59 changed files with 3558 additions and 4978 deletions
Expand all files Collapse all files

2
.github/workflows/autoconf.yml vendored
View File

@@ -8,7 +8,7 @@ on:
- master
jobs:
autoconf:
runs-on: 'ubuntu-22.04'
runs-on: 'ubuntu-20.04'
steps:
- name: deps

31
.github/workflows/build.yml vendored
View File

@@ -9,7 +9,7 @@ on:
- master
jobs:
build:
runs-on: ${{ matrix.os || 'ubuntu-22.04' }}
runs-on: ${{ matrix.os || 'ubuntu-20.04' }}
strategy:
matrix:
# XXX uncomment the line below to work with act, see https://github.com/nektos/act/issues/996
@@ -50,12 +50,11 @@ jobs:
- name: c89
extracflags: -std=c89 -Wdeclaration-after-statement
- name: macos 12
os: macos-12
- name: macos 10.15
os: macos-10.15
cc: clang
# OS X says daemon() and utmp are deprecated.
# OS X tests for undefined TARGET_OS_EMBEDDED in libc headers
extracflags: -Wno-deprecated-declarations -Wno-undef
# OS X says daemon() and utmp are deprecated
extracflags: -Wno-deprecated-declarations
runcheck: 'no'
apt: 'no'
# fails with:
@@ -65,7 +64,7 @@ jobs:
- name: macos 11
os: macos-11
cc: clang
extracflags: -Wno-deprecated-declarations -Wno-undef
extracflags: -Wno-deprecated-declarations
runcheck: 'no'
apt: 'no'
ranlib: ranlib -no_warning_for_no_symbols
@@ -75,11 +74,6 @@ jobs:
localoptions: |
#define DEBUG_TRACE 5
# Check off-by-default options don't bitrot
- name: nondefault options
nondefault: 1
configure_flags: --enable-pam
# # Fuzzers run standalone. A bit superfluous with cifuzz, but
# # good to run the whole corpus to keep it working.
# - name: fuzzing with address sanitizer
@@ -121,7 +115,7 @@ jobs:
if: ${{ matrix.apt != 'no' }}
run: |
sudo apt-get -y update
sudo apt-get -y install zlib1g-dev libtomcrypt-dev libtommath-dev mercurial python3-venv libpam0g-dev $CC
sudo apt-get -y install zlib1g-dev libtomcrypt-dev libtommath-dev mercurial python3-venv $CC
- uses: actions/checkout@v2
@@ -135,19 +129,8 @@ jobs:
- name: localoptions
run: |
echo "$LOCALOPTIONS" > localoptions.h
echo "#define DROPBEAR_DSS 1" >> localoptions.h
cat localoptions.h
- name: nondefault
if: ${{ matrix.nondefault }}
run: |
# Turn on anything that's off by default. Rough but seems sufficient
grep ' 0$' default_options.h | sed 's/0$/1/' > localoptions.h
# PAM clashes with password
echo "#define DROPBEAR_SVR_PASSWORD_AUTH 0" >> localoptions.h
# 1 second timeout is too short
sed -i "s/DEFAULT_IDLE_TIMEOUT 1/DEFAULT_IDLE_TIMEOUT 99/" localoptions.h
- name: make
run: make -j3

2
.github/workflows/tarball.yml vendored
View File

@@ -5,7 +5,7 @@ on:
- master
jobs:
tarball:
runs-on: 'ubuntu-22.04'
runs-on: 'ubuntu-20.04'
steps:
- uses: actions/checkout@v2

116
CHANGES
View File

@@ -1,108 +1,3 @@
2022.83 - 14 November 2022
Features and Changes:
Note >> for compatibility/configuration changes
- >> Disable DROPBEAR_DSS by default
It is only 1024 bit and uses sha1, most distros disable it by default already.
- Added DROPBEAR_RSA_SHA1 option to allow disabling sha1 rsa signatures.
>> RSA with sha1 will be disabled in a future release (rsa keys will continue
to work OK, with sha256 signatures used instead).
- Add option for requiring both password and pubkey (-t)
Patch from Jackkal
- Add 'no-touch-required' and 'verify-required' options for sk keys
Patch from Egor Duda
- >> DROPBEAR_SK_KEYS config option now replaces separate DROPBEAR_SK_ECDSA
and DROPBEAR_SK_ED25519 options.
- Add 'permitopen' option for authorized_keys to restrict forwarded ports
Patch from Tuomas Haikarainen
- >> Added LTM_CFLAGS configure argument to set flags for building
bundled libtommath. This also restores the previous arguments used
in 2020.81 (-O3 -funroll-loops). That gives a big speedup for RSA
key generation, which regressed in 2022.82.
There is a tradeoff with code size, so -Os can be used if required.
https://github.com/mkj/dropbear/issues/174
Reported by David Bernard
- Add '-z' flag to disable setting QoS traffic class. This may be necessary
to work with broken networks or network drivers, exposed after changes to use
AF21 in 2022.82
https://github.com/mkj/dropbear/issues/193
Reported by yuhongwei380, patch from Petr Štetiar
- Allow overriding user shells with COMPAT_USER_SHELLS
Based on a patch from Matt Robinson
- Improve permission error message
Patch from k-kurematsu
- >> Remove HMAC_MD5 entirely
Regression fixes from 2022.82:
- Fix X11 build
- Fix build warning
- Fix compilation when disabling pubkey authentication
Patch from MaxMougg
- Fix MAX_UNAUTH_CLIENTS regression
Reported by ptpt52
- Avoid using slower prime testing in bundled libtomcrypt when DSS is disabled
https://github.com/mkj/dropbear/issues/174
Suggested by Steffen Jaeckel
- Fix Dropbear plugin support
https://github.com/mkj/dropbear/issues/194
Reported by Struan Bartlett
Other fixes:
- Fix long standing incorrect compression size check. Dropbear
(client or server) would erroneously exit with
"bad packet, oversized decompressed"
when receiving a compressed packet of exactly the maximum size.
- Fix missing setsid() removed in 2020.79
https://github.com/mkj/dropbear/issues/180
Reported and debugged by m5jt and David Bernard
- Try keyboard-interactive auth before password, in dbclient.
This was unintentionally changed back in 2013
https://github.com/mkj/dropbear/pull/190
Patch from Michele Giacomoli
- Drain the terminal when reading the fingerprint confirmation response
https://github.com/mkj/dropbear/pull/191
Patch from Michele Giacomoli
- Fix utx wtmp variable typo. This has been wrong for a long time but
only recently became a problem when wtmp was detected.
https://github.com/mkj/dropbear/pull/189
Patch from Michele Giacomoli
- Improve configure test for hardening options.
Fixes building on AIX
https://github.com/mkj/dropbear/issues/158
- Fix debian/dropbear.init newline
From wulei-student
Infrastructure:
- Test off-by-default compile options
- Set -Wundef to catch typos in #if statements
2022.82 - 1 April 2022
Features and Changes:
@@ -159,13 +54,10 @@ Features and Changes:
Patch from Raphaël Hertzog
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403
- Added client option "-o DisableTrivialAuth". It disallows a server immediately
giving successful authentication (without presenting any password/pubkey prompt).
This avoids a UI confusion issue where it may appear that the user is accepting
a SSH agent prompt from their local machine, but are actually accepting a prompt
sent immediately by the remote server.
CVE-2021-36369 though the description there is a bit confused. It only applies
to Dropbear as a client.
- Added client option "-o DisableTrivialAuth". This can be used to prevent
the server immediately accepting successful authentication (before any auth
request) which could cause UI confusion and security issues with agent
forwarding - it isn't clear which host is prompting to use a key.
Thanks to Manfred Kaiser from Austrian MilCERT
- Add -q client option to hide remote banner, from Hans Harder

2
INSTALL
View File

@@ -58,7 +58,7 @@ Compiling for uClibc should be the same as normal, just set CC to the magic
uClibc toolchain compiler (ie export CC=i386-uclibc-gcc or whatever).
You can use "make STATIC=1" to make statically linked binaries, and it is
advisable to strip the binaries too. If you're looking to make a small binary,
you should remove unneeded ciphers and algorithms, by editing localoptions.h
you should remove unneeded ciphers and MD5, by editing localoptions.h
It is possible to compile zlib in, by copying zlib.h and zconf.h into a
subdirectory (ie zlibincludes), and

2
Makefile.in
View File

@@ -43,7 +43,7 @@ COMMONOBJS=dbutil.o buffer.o dbhelpers.o \
SVROBJS=svr-kex.o svr-auth.o sshpty.o \
svr-authpasswd.o svr-authpubkey.o svr-authpubkeyoptions.o svr-session.o svr-service.o \
svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o\
svr-tcpfwd.o svr-authpam.o
svr-tcpfwd.o svr-authpam.o @CRYPTLIB@
CLIOBJS=cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \
cli-session.o cli-runopts.o cli-chansession.o \

2
README
View File

@@ -8,8 +8,6 @@ which performs multiple tasks, to save disk space)
SMALL has some tips on creating small binaries.
A mirror of the Dropbear website and tarballs is available at https://dropbear.nl/mirror/
Please contact me if you have any questions/bugs found/features/ideas/comments etc :)
There is also a mailing list http://lists.ucc.gu.uwa.edu.au/mailman/listinfo/dropbear

6
SMALL
View File

@@ -47,10 +47,4 @@ deciding.
Of course using small C libraries such as uClibc and dietlibc can also help.
---
Libtommath has its own default CFLAGS to improve speed. You can use
./configure LTM_CFLAGS=-Os
to reduce size at the expense of speed.
If you have any queries, mail me and I'll see if I can help.

18
auth.h
View File

@@ -28,7 +28,6 @@
#include "includes.h"
#include "signkey.h"
#include "chansession.h"
#include "list.h"
void svr_authinitialise(void);
@@ -46,7 +45,6 @@ int svr_pubkey_allows_agentfwd(void);
int svr_pubkey_allows_tcpfwd(void);
int svr_pubkey_allows_x11fwd(void);
int svr_pubkey_allows_pty(void);
int svr_pubkey_allows_local_tcpfwd(const char *host, unsigned int port);
void svr_pubkey_set_forced_command(struct ChanSess *chansess);
void svr_pubkey_options_cleanup(void);
int svr_add_pubkey_options(buffer *options_buf, int line_num, const char* filename);
@@ -56,9 +54,6 @@ int svr_add_pubkey_options(buffer *options_buf, int line_num, const char* filena
#define svr_pubkey_allows_tcpfwd() 1
#define svr_pubkey_allows_x11fwd() 1
#define svr_pubkey_allows_pty() 1
static inline int svr_pubkey_allows_local_tcpfwd(const char *host, unsigned int port)
{ (void)host; (void)port; return 1; }
static inline void svr_pubkey_set_forced_command(struct ChanSess *chansess) { }
static inline void svr_pubkey_options_cleanup(void) { }
#define svr_add_pubkey_options(x,y,z) DROPBEAR_SUCCESS
@@ -98,7 +93,6 @@ void cli_auth_pubkey_cleanup(void);
#define AUTH_METHOD_INTERACT "keyboard-interactive"
#define AUTH_METHOD_INTERACT_LEN 20
#define PUBKEY_OPTIONS_ANY_PORT UINT_MAX
/* This structure is shared between server and client - it contains
@@ -145,18 +139,6 @@ struct PubKeyOptions {
int no_pty_flag;
/* "command=" option. */
char * forced_command;
/* "permitopen=" option */
m_list *permit_open_destinations;
#if DROPBEAR_SK_ECDSA || DROPBEAR_SK_ED25519
int no_touch_required_flag;
int verify_required_flag;
#endif
};
struct PermitTCPFwdEntry {
char *host;
unsigned int port;
};
#endif

24
cli-auth.c
View File

@@ -296,6 +296,18 @@ int cli_auth_try() {
}
#endif
#if DROPBEAR_CLI_PASSWORD_AUTH
if (!finished && (ses.authstate.authtypes & AUTH_TYPE_PASSWORD)) {
if (ses.keys->trans.algo_crypt->cipherdesc == NULL) {
fprintf(stderr, "Sorry, I won't let you use password auth unencrypted.\n");
} else {
cli_auth_password();
finished = 1;
cli_ses.lastauthtype = AUTH_TYPE_PASSWORD;
}
}
#endif
#if DROPBEAR_CLI_INTERACT_AUTH
if (!finished && (ses.authstate.authtypes & AUTH_TYPE_INTERACT)) {
if (ses.keys->trans.algo_crypt->cipherdesc == NULL) {
@@ -310,18 +322,6 @@ int cli_auth_try() {
}
#endif
#if DROPBEAR_CLI_PASSWORD_AUTH
if (!finished && (ses.authstate.authtypes & AUTH_TYPE_PASSWORD)) {
if (ses.keys->trans.algo_crypt->cipherdesc == NULL) {
fprintf(stderr, "Sorry, I won't let you use password auth unencrypted.\n");
} else {
cli_auth_password();
finished = 1;
cli_ses.lastauthtype = AUTH_TYPE_PASSWORD;
}
}
#endif
TRACE(("cli_auth_try lastauthtype %d", cli_ses.lastauthtype))
if (finished) {

2
cli-kex.c
View File

@@ -229,8 +229,6 @@ static void ask_to_confirm(const unsigned char* keyblob, unsigned int keybloblen
fclose(tty);
} else {
response = getc(stdin);
/* flush stdin buffer */
while ((getchar()) != '\n');
}
if (response == 'y') {

4
cli-runopts.c
View File

@@ -83,7 +83,6 @@ static void printhelp() {
"-W <receive_window_buffer> (default %d, larger may be faster, max 10MB)\n"
"-K <keepalive> (0 is never, default %d)\n"
"-I <idle_timeout> (0 is never, default %d)\n"
"-z disable QoS\n"
#if DROPBEAR_CLI_NETCAT
"-B <endhost:endport> Netcat-alike forwarding\n"
#endif
@@ -326,9 +325,6 @@ void cli_getopts(int argc, char ** argv) {
case 'b':
next = &bind_arg;
break;
case 'z':
opts.disable_ip_tos = 1;
break;
default:
fprintf(stderr,
"WARNING: Ignoring unknown option -%c\n", c);

7
common-algo.c
View File

@@ -114,6 +114,10 @@ static const struct dropbear_hash dropbear_sha2_256 =
static const struct dropbear_hash dropbear_sha2_512 =
{&sha512_desc, 64, 64};
#endif
#if DROPBEAR_MD5_HMAC
static const struct dropbear_hash dropbear_md5 =
{&md5_desc, 16, 16};
#endif
const struct dropbear_hash dropbear_nohash =
{NULL, 16, 0}; /* used initially */
@@ -181,6 +185,9 @@ algo_type sshhashes[] = {
#endif
#if DROPBEAR_SHA2_512_HMAC
{"hmac-sha2-512", 0, &dropbear_sha2_512, 1, NULL},
#endif
#if DROPBEAR_MD5_HMAC
{"hmac-md5", 0, (void*)&dropbear_md5, 1, NULL},
#endif
{NULL, 0, NULL, 0, NULL}
};

3
compat.c
View File

@@ -231,7 +231,8 @@ void setusershell() {
}
static char **initshells() {
static const char *okshells[] = { COMPAT_USER_SHELLS, NULL };
/* don't touch this list. */
static const char *okshells[] = { "/bin/sh", "/bin/csh", NULL };
register char **sp, *cp;
register FILE *fp;
struct stat statb;

42
config.guess vendored
View File

@@ -4,7 +4,7 @@
# shellcheck disable=SC2006,SC2268 # see below for rationale
timestamp='2022-09-17'
timestamp='2022-01-09'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
@@ -966,12 +966,6 @@ EOF
GNU_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'`
GUESS=$UNAME_MACHINE-unknown-$GNU_SYS$GNU_REL-$LIBC
;;
x86_64:[Mm]anagarm:*:*|i?86:[Mm]anagarm:*:*)
GUESS="$UNAME_MACHINE-pc-managarm-mlibc"
;;
*:[Mm]anagarm:*:*)
GUESS="$UNAME_MACHINE-unknown-managarm-mlibc"
;;
*:Minix:*:*)
GUESS=$UNAME_MACHINE-unknown-minix
;;
@@ -1042,7 +1036,7 @@ EOF
k1om:Linux:*:*)
GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
;;
loongarch32:Linux:*:* | loongarch64:Linux:*:*)
loongarch32:Linux:*:* | loongarch64:Linux:*:* | loongarchx32:Linux:*:*)
GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
;;
m32r*:Linux:*:*)
@@ -1157,27 +1151,16 @@ EOF
;;
x86_64:Linux:*:*)
set_cc_for_build
CPU=$UNAME_MACHINE
LIBCABI=$LIBC
if test "$CC_FOR_BUILD" != no_compiler_found; then
ABI=64
sed 's/^ //' << EOF > "$dummy.c"
#ifdef __i386__
ABI=x86
#else
#ifdef __ILP32__
ABI=x32
#endif
#endif
EOF
cc_set_abi=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^ABI' | sed 's, ,,g'`
eval "$cc_set_abi"
case $ABI in
x86) CPU=i686 ;;
x32) LIBCABI=${LIBC}x32 ;;
esac
if (echo '#ifdef __ILP32__'; echo IS_X32; echo '#endif') | \
(CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_X32 >/dev/null
then
LIBCABI=${LIBC}x32
fi
fi
GUESS=$CPU-pc-linux-$LIBCABI
GUESS=$UNAME_MACHINE-pc-linux-$LIBCABI
;;
xtensa*:Linux:*:*)
GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
@@ -1384,11 +1367,8 @@ EOF
BePC:Haiku:*:*) # Haiku running on Intel PC compatible.
GUESS=i586-pc-haiku
;;
ppc:Haiku:*:*) # Haiku running on Apple PowerPC
GUESS=powerpc-apple-haiku
;;
*:Haiku:*:*) # Haiku modern gcc (not bound by BeOS compat)
GUESS=$UNAME_MACHINE-unknown-haiku
x86_64:Haiku:*:*)
GUESS=x86_64-unknown-haiku
;;
SX-4:SUPER-UX:*:*)
GUESS=sx4-nec-superux$UNAME_RELEASE

17
config.h.in
View File

@@ -180,6 +180,9 @@
/* Define to 1 if you have the <mach/mach_time.h> header file. */
#undef HAVE_MACH_MACH_TIME_H
/* Define to 1 if you have the <memory.h> header file. */
#undef HAVE_MEMORY_H
/* Define to 1 if you have the `memset_s' function. */
#undef HAVE_MEMSET_S
@@ -234,9 +237,6 @@
/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H
/* Define to 1 if you have the <stdio.h> header file. */
#undef HAVE_STDIO_H
/* Define to 1 if you have the <stdlib.h> header file. */
#undef HAVE_STDLIB_H
@@ -417,14 +417,17 @@
/* Define to the type of arg 5 for `select'. */
#undef SELECT_TYPE_ARG5
/* Define to 1 if all of the C90 standard headers exist (not just the ones
required in a freestanding environment). This macro is provided for
backward compatibility; new code need not use it. */
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
/* Use /dev/ptmx */
#undef USE_DEV_PTMX
/* Enable large inode numbers on Mac OS X 10.5. */
#ifndef _DARWIN_USE_64_BIT_INODE
# define _DARWIN_USE_64_BIT_INODE 1
#endif
/* Number of bits in a file offset, on hosts where this is settable. */
#undef _FILE_OFFSET_BITS
@@ -443,7 +446,7 @@
/* Define to `int' if <sys/types.h> does not define. */
#undef mode_t
/* Define as a signed integer type capable of holding a process identifier. */
/* Define to `int' if <sys/types.h> does not define. */
#undef pid_t
/* Define to `unsigned int' if <sys/types.h> does not define. */

29
config.sub vendored
View File

@@ -4,7 +4,7 @@
# shellcheck disable=SC2006,SC2268 # see below for rationale
timestamp='2022-09-17'
timestamp='2022-01-03'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
@@ -145,7 +145,7 @@ case $1 in
nto-qnx* | linux-* | uclinux-uclibc* \
| uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* \
| netbsd*-eabi* | kopensolaris*-gnu* | cloudabi*-eabi* \
| storm-chaos* | os2-emx* | rtmk-nova* | managarm-*)
| storm-chaos* | os2-emx* | rtmk-nova*)
basic_machine=$field1
basic_os=$maybe_os
;;
@@ -1207,7 +1207,7 @@ case $cpu-$vendor in
| k1om \
| le32 | le64 \
| lm32 \
| loongarch32 | loongarch64 \
| loongarch32 | loongarch64 | loongarchx32 \
| m32c | m32r | m32rle \
| m5200 | m68000 | m680[012346]0 | m68360 | m683?2 | m68k \
| m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x \
@@ -1341,10 +1341,6 @@ EOF
kernel=linux
os=`echo "$basic_os" | sed -e 's|linux|gnu|'`
;;
managarm*)
kernel=managarm
os=`echo "$basic_os" | sed -e 's|managarm|mlibc|'`
;;
*)
kernel=
os=$basic_os
@@ -1758,7 +1754,7 @@ case $os in
| onefs* | tirtos* | phoenix* | fuchsia* | redox* | bme* \
| midnightbsd* | amdhsa* | unleashed* | emscripten* | wasi* \
| nsk* | powerunix* | genode* | zvmoe* | qnx* | emx* | zephyr* \
| fiwix* | mlibc* )
| fiwix* )
;;
# This one is extra strict with allowed versions
sco3.2v2 | sco3.2v[4-9]* | sco5v6*)
@@ -1766,9 +1762,6 @@ case $os in
;;
none)
;;
kernel* )
# Restricted further below
;;
*)
echo Invalid configuration \`"$1"\': OS \`"$os"\' not recognized 1>&2
exit 1
@@ -1779,26 +1772,16 @@ esac
# (given a valid OS), if there is a kernel.
case $kernel-$os in
linux-gnu* | linux-dietlibc* | linux-android* | linux-newlib* \
| linux-musl* | linux-relibc* | linux-uclibc* | linux-mlibc* )
| linux-musl* | linux-relibc* | linux-uclibc* )
;;
uclinux-uclibc* )
;;
managarm-mlibc* | managarm-kernel* )
;;
-dietlibc* | -newlib* | -musl* | -relibc* | -uclibc* | -mlibc* )
-dietlibc* | -newlib* | -musl* | -relibc* | -uclibc* )
# These are just libc implementations, not actual OSes, and thus
# require a kernel.
echo "Invalid configuration \`$1': libc \`$os' needs explicit kernel." 1>&2
exit 1
;;
-kernel* )
echo "Invalid configuration \`$1': \`$os' needs explicit kernel." 1>&2
exit 1
;;
*-kernel* )
echo "Invalid configuration \`$1': \`$kernel' does not support \`$os'." 1>&2
exit 1
;;
kfreebsd*-gnu* | kopensolaris*-gnu*)
;;
vxworks-simlinux | vxworks-simwindows | vxworks-spe)

7230
configure vendored
View File

File diff suppressed because it is too large Load Diff

79
configure.ac
View File

@@ -23,15 +23,15 @@ AC_PROG_CC
if test -z "$LD" ; then
LD=$CC
fi
AC_SUBST(LD)
AC_SUBST(LD)
AC_DEFUN(DB_TRYADDCFLAGS,
AC_DEFUN(DB_TRYADDCFLAGS,
[{
OLDFLAGS="$CFLAGS"
TESTFLAGS="$1"
CFLAGS="$TESTFLAGS $CFLAGS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])],
CFLAGS="$CFLAGS $TESTFLAGS"
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])],
[AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDFLAGS" ]
)
}])
@@ -42,25 +42,12 @@ if test -z "$ORIGCFLAGS" && test "$GCC" = "yes"; then
CFLAGS="-Os -W -Wall"
fi
# LTM_CFLAGS is given to ./configure by the user,
# DROPBEAR_LTM_CFLAGS is substituted in the LTM Makefile.in
DROPBEAR_LTM_CFLAGS="$LTM_CFLAGS"
if test -z "$DROPBEAR_LTM_CFLAGS"; then
DROPBEAR_LTM_CFLAGS="-O3 -funroll-loops -fomit-frame-pointer"
fi
AC_MSG_NOTICE(Setting LTM_CFLAGS to $DROPBEAR_LTM_CFLAGS)
AC_ARG_VAR(LTM_CFLAGS, CFLAGS for bundled libtommath. Default -O3 -funroll-loops -fomit-frame-pointer)
AC_SUBST(DROPBEAR_LTM_CFLAGS)
AC_MSG_NOTICE([Checking if compiler '$CC' supports -Wno-pointer-sign])
DB_TRYADDCFLAGS([-Wno-pointer-sign])
AC_MSG_NOTICE([Checking if compiler '$CC' supports -fno-strict-overflow])
DB_TRYADDCFLAGS([-fno-strict-overflow])
AC_MSG_NOTICE([Checking if compiler '$CC' supports -Wundef])
DB_TRYADDCFLAGS([-Wundef])
# needed for various extensions. define early before autoconf tests
AC_DEFINE([_GNU_SOURCE], [], [Use GNU extensions if glibc])
@@ -94,15 +81,15 @@ if test "$hardenbuild" -eq 1; then
OLDLDFLAGS="$LDFLAGS"
TESTFLAGS="-Wl,-pie"
LDFLAGS="$TESTFLAGS $LDFLAGS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])],
LDFLAGS="$LDFLAGS $TESTFLAGS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])],
[
LDFLAGS="$OLDLDFLAGS"
TESTFLAGS="-pie"
LDFLAGS="$TESTFLAGS $LDFLAGS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])],
LDFLAGS="$LDFLAGS $TESTFLAGS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])],
[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
)
]
@@ -110,24 +97,24 @@ if test "$hardenbuild" -eq 1; then
# readonly elf relocation sections (relro)
OLDLDFLAGS="$LDFLAGS"
TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
LDFLAGS="$TESTFLAGS $LDFLAGS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])],
LDFLAGS="$LDFLAGS $TESTFLAGS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])],
[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
)
fi # non-static
# stack protector. -strong is good but only in gcc 4.9 or later
OLDCFLAGS="$CFLAGS"
TESTFLAGS="-fstack-protector-strong"
CFLAGS="$TESTFLAGS $CFLAGS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])],
CFLAGS="$CFLAGS $TESTFLAGS"
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])],
[
CFLAGS="$OLDCFLAGS"
TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
CFLAGS="$TESTFLAGS $CFLAGS"
AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])],
CFLAGS="$CFLAGS $TESTFLAGS"
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_NOTICE([Setting $TESTFLAGS])],
[AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
)
]
@@ -187,7 +174,7 @@ case "$host" in
# OpenSSH thinks it's broken. If it isn't, let me know.
AC_DEFINE(BROKEN_GETADDRINFO,1,Broken getaddrinfo)
;;
*-*-hpux*)
LIBS="$LIBS -lsec"
# It's probably broken.
@@ -204,7 +191,7 @@ AC_CHECK_TOOL(STRIP, strip, :)
AC_CHECK_TOOL(INSTALL, install, :)
dnl Can't use login() or logout() with uclibc
AC_CHECK_DECL(__UCLIBC__,
AC_CHECK_DECL(__UCLIBC__,
[
no_loginfunc_check=1
AC_MSG_NOTICE([Using uClibc - login() and logout() probably don't work, so we won't use them.])
@@ -212,14 +199,14 @@ AC_CHECK_DECL(__UCLIBC__,
dnl We test for crypt() specially. On Linux (and others?) it resides in libcrypt
dnl but we don't want link all binaries to -lcrypt, just dropbear server.
dnl OS X doesn't need -lcrypt
dnl OS X doesn't need -lcrypt
AC_CHECK_FUNC(crypt, found_crypt_func=here)
AC_CHECK_LIB(crypt, crypt,
AC_CHECK_LIB(crypt, crypt,
[
CRYPTLIB="-lcrypt"
found_crypt_func=here
])
AC_SUBST(CRYPTLIB)
AC_SUBST(CRYPTLIB)
if test "t$found_crypt_func" = there; then
AC_DEFINE(HAVE_CRYPT, 1, [crypt() function])
fi
@@ -581,7 +568,7 @@ AC_ARG_ENABLE(bundled-libtom,
)
if test $BUNDLED_LIBTOM = 1 ; then
AC_DEFINE(BUNDLED_LIBTOM,1,Use bundled libtom)
AC_DEFINE(BUNDLED_LIBTOM,1,Use bundled libtom)
fi
AC_SUBST(LIBTOM_LIBS)
@@ -654,7 +641,7 @@ AC_ARG_ENABLE(pututxline,
AC_ARG_WITH(lastlog,
[ --with-lastlog=FILE|DIR specify lastlog location [common locations]],
[
if test "x$withval" = "xno" ; then
if test "x$withval" = "xno" ; then
AC_DEFINE(DISABLE_LASTLOG)
else
conf_lastlog_location=$withval
@@ -729,7 +716,7 @@ fi
if test -n "$conf_lastlog_location"; then
AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location", lastlog file location)
fi
fi
dnl utmp detection
AC_MSG_CHECKING([if your system defines UTMP_FILE])
@@ -759,7 +746,7 @@ if test -z "$conf_utmp_location"; then
fi
if test -n "$conf_utmp_location"; then
AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location", utmp file location)
fi
fi
dnl wtmp detection
AC_MSG_CHECKING([if your system defines WTMP_FILE])
@@ -791,7 +778,7 @@ if test -z "$conf_wtmp_location"; then
fi
if test -n "$conf_wtmp_location"; then
AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location", wtmp file location)
fi
fi
dnl utmpx detection - I don't know any system so perverse as to require
@@ -819,7 +806,7 @@ if test -z "$conf_utmpx_location"; then
fi
else
AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location", utmpx file location)
fi
fi
dnl wtmpx detection
AC_MSG_CHECKING([if your system defines WTMPX_FILE])
@@ -846,7 +833,7 @@ if test -z "$conf_wtmpx_location"; then
fi
else
AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location", wtmpx file location)
fi
fi
# Checks for library functions.
AC_PROG_GCC_TRADITIONAL
@@ -882,7 +869,7 @@ fi
AC_EXEEXT
if test $BUNDLED_LIBTOM = 1 ; then
(cd $srcdir; find libtomcrypt -type d) | xargs mkdir -pv
(cd $srcdir; find libtomcrypt -type d) | xargs mkdir -pv
LIBTOM_FILES="libtomcrypt/Makefile libtommath/Makefile"
fi

3
crypto_desc.c
View File

@@ -34,6 +34,9 @@ void crypto_init() {
#if DROPBEAR_SHA1_HMAC
&sha1_desc,
#endif
#if DROPBEAR_MD5_HMAC
&md5_desc,
#endif
#if DROPBEAR_SHA256
&sha256_desc,
#endif

23
dbclient.1
View File

@@ -94,18 +94,7 @@ is performed at all, this is usually undesirable.
.B \-A
Forward agent connections to the remote host. dbclient will use any
OpenSSH-style agent program if available ($SSH_AUTH_SOCK will be set) for
public key authentication. Forwarding is only enabled if \fI-A\fR is specified.
Beware that a forwarded agent connection will allow the remote server to have
the same authentication credentials as you have used locally. A compromised
remote server could use that to log in to other servers.
In many situations Dropbear's multi-hop mode is a better and more secure alternative
to agent forwarding, avoiding having to trust the intermediate server.
If the SSH agent program is set to prompt when a key is used, the
\fI-o DisableTrivialAuth\fR option can prevent UI confusion.
public key authentication. Forwarding is only enabled if -A is specified.
.TP
.B \-W \fIwindowsize
Specify the per-channel receive window buffer size. Increasing this
@@ -122,9 +111,6 @@ if 0 disables keepalives. If no response is received for 3 consecutive keepalive
.B \-I \fIidle_timeout
Disconnect the session if no traffic is transmitted or received for \fIidle_timeout\fR seconds.
.TP
.B \-z
By default Dropbear will send network traffic with the \fBAF21\fR setting for QoS, letting network devices give it higher priority. Some devices may have problems with that, \fI-z\fR can be used to disable it.
.TP
.\" TODO: how to avoid a line break between these two -J arguments?
.B \-J \fIproxy_command
@@ -170,13 +156,6 @@ Send dbclient log messages to syslog in addition to stderr.
.TP
.B Port
Specify a listening port, like the \fI-p\fR argument.
.TP
.B DisableTrivialAuth
Disallow a server immediately
giving successful authentication (without presenting any password/pubkey prompt).
This avoids a UI confusion issue where it may appear that the user is accepting
a SSH agent prompt from their local machine, but are actually accepting a prompt
sent immediately by the remote server.
.RE
.TP
.B \-s

24
debian/changelog vendored
View File

@@ -1,9 +1,3 @@
dropbear (2022.83-0.1) unstable; urgency=low
* New upstream release.
-- Matt Johnston <matt@ucc.asn.au> Mon, 14 Nov 2022 22:51:57 +0800
dropbear (2022.82-0.1) unstable; urgency=low
* New upstream release.
@@ -179,6 +173,24 @@ dropbear (0.53-0.1) unstable; urgency=low
-- Matt Johnston <matt@ucc.asn.au> Thu, 24 Feb 2011 22:54:00 +0900
dropbear (0.52-2) unstable; urgency=low
* Make key utils part of dropbear-server package (since it's
required anyway, single binary saves space), rename -common to
-keyutils
* Don't make clean between builds, just rm *.o since only
top-level files change
-- Matt Johnston <matt@ucc.asn.au> Wed, 19 Nov 2008 21:54:00 +0900
dropbear (0.52-1) unstable; urgency=low
* Maemo port, split into 5 packages
(dropbear, dropbear-server, dropbear-client, dropbear-common, dropbear-scp).
This avoids conflicts with openssh package.
-- Matt Johnston <matt@ucc.asn.au> Wed, 19 Nov 2008 20:54:00 +0900
dropbear (0.52-0.1) unstable; urgency=low
* New upstream release.

79
debian/control vendored
View File

@@ -1,7 +1,7 @@
Source: dropbear
Section: net
Section: user/network
Priority: optional
Maintainer: Gerrit Pape <pape@smarden.org>
Maintainer: Matt Johnston <matt@ucc.asn.au>
Build-Depends: libz-dev
Standards-Version: 3.7.3.0
@@ -9,6 +9,9 @@ Package: dropbear
Architecture: any
Depends: ${shlibs:Depends}
Suggests: openssh-client, runit
Section: user/network
Conflicts: dropbear-server, dropbear-client, dropbear-keyutils, dropbear-scp
XB-Maemo-Display-Name: Dropbear SSH Client and Server
Description: lightweight SSH2 server and client
dropbear is a SSH 2 server and client designed to be small enough to
be used in small memory environments, while still being functional and
@@ -17,4 +20,76 @@ Description: lightweight SSH2 server and client
It implements most required features of the SSH 2 protocol, and other
features such as X11 and authentication agent forwarding.
.
This package provides Dropbear client and server as a single binary,
as well as key utilities and SCP.
.
See http://matt.ucc.asn.au/dropbear/dropbear.html
Package: dropbear-server
Architecture: any
Depends: ${shlibs:Depends}
Section: user/network
Conflicts: dropbear, dropbear-keyutils
Provides: dropbear-keyutils
Recommends: dropbear-scp
XB-Maemo-Display-Name: Dropbear SSH Server
Description: lightweight SSH2 server
dropbear is a SSH 2 server and client designed to be small enough to
be used in small memory environments, while still being functional and
secure enough for general use.
.
It implements most required features of the SSH 2 protocol, and other
features such as X11 and authentication agent forwarding.
.
This package provides only the Dropbear server.
.
See http://matt.ucc.asn.au/dropbear/dropbear.html
Package: dropbear-client
Architecture: any
Conflicts: dropbear
Section: user/network
Depends: ${shlibs:Depends}
Recommends: dropbear-scp
Suggests: dropbear-keyutils
XB-Maemo-Display-Name: Dropbear SSH Client
Description: lightweight SSH2 client
dropbear is a SSH 2 server and client designed to be small enough to
be used in small memory environments, while still being functional and
secure enough for general use.
.
It implements most required features of the SSH 2 protocol, and other
features such as X11 and authentication agent forwarding.
.
This package provides only the Dropbear client.
.
See http://matt.ucc.asn.au/dropbear/dropbear.html
Package: dropbear-keyutils
Architecture: any
Conflicts: dropbear, dropbear-server
Section: user/network
XB-Maemo-Display-Name: Dropbear SSH Key Utils
Depends: ${shlibs:Depends}
Description: lightweight SSH2, key management utilities
dropbear is a SSH 2 server and client designed to be small enough to
be used in small memory environments, while still being functional and
secure enough for general use.
.
This package provides dropbearkey and dropbearconvert programs,
for generating keys and converting to/from OpenSSH keys.
.
See http://matt.ucc.asn.au/dropbear/dropbear.html
Package: dropbear-scp
Architecture: any
Section: user/network
Conflicts: dropbear
XB-Maemo-Display-Name: Dropbear SCP
Depends: ${shlibs:Depends}
Description: lightweight SSH2 scp
dropbear is a SSH 2 server and client designed to be small enough to
be used in small memory environments, while still being functional and
secure enough for general use.
.
This dropbear-scp package provides /usr/bin/scp.

3
debian/dropbear-server.conffiles vendored Normal file
View File

@@ -0,0 +1,3 @@
/etc/init.d/dropbear
/etc/dropbear/run
/etc/dropbear/log/run

79
debian/dropbear-server.postinst vendored Normal file
View File

@@ -0,0 +1,79 @@
#!/bin/sh
set -e
test "$1" = 'configure' || exit 0
if test ! -e /etc/dropbear/dropbear_rsa_host_key; then
if test -f /etc/ssh/ssh_host_rsa_key; then
echo "Converting existing OpenSSH RSA host key to Dropbear format."
/usr/lib/dropbear/dropbearconvert openssh dropbear \
/etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key
else
echo "Generating Dropbear RSA key. Please wait."
dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
fi
fi
if test ! -e /etc/dropbear/dropbear_dss_host_key; then
if test -f /etc/ssh/ssh_host_dsa_key; then
echo "Converting existing OpenSSH RSA host key to Dropbear format."
/usr/lib/dropbear/dropbearconvert openssh dropbear \
/etc/ssh/ssh_host_dsa_key /etc/dropbear/dropbear_dss_host_key
else
echo "Generating Dropbear DSS key. Please wait."
dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
fi
fi
if test ! -s /etc/default/dropbear; then
# check whether OpenSSH seems to be installed.
if test -x /usr/sbin/sshd; then
cat <<EOT
OpenSSH appears to be installed. Setting /etc/default/dropbear so that
Dropbear will not start by default. Edit this file to change this behaviour.
EOT
cat >>/etc/default/dropbear <<EOT
# disabled because OpenSSH is installed
# change to NO_START=0 to enable Dropbear
NO_START=1
EOT
fi
cat >>/etc/default/dropbear <<EOT
# the TCP port that Dropbear listens on
DROPBEAR_PORT=22
# any additional arguments for Dropbear
DROPBEAR_EXTRA_ARGS=
# specify an optional banner file containing a message to be
# sent to clients before they connect, such as "/etc/issue.net"
DROPBEAR_BANNER=""
# RSA hostkey file (default: /etc/dropbear/dropbear_rsa_host_key)
#DROPBEAR_RSAKEY="/etc/dropbear/dropbear_rsa_host_key"
# DSS hostkey file (default: /etc/dropbear/dropbear_dss_host_key)
#DROPBEAR_DSSKEY="/etc/dropbear/dropbear_dss_host_key"
# Receive window size - this is a tradeoff between memory and
# network performance
DROPBEAR_RECEIVE_WINDOW=65536
EOT
fi
if test -x /etc/init.d/dropbear; then
update-rc.d dropbear defaults >/dev/null
if test -x /usr/sbin/invoke-rc.d; then
invoke-rc.d dropbear restart
else
/etc/init.d/dropbear restart
fi
fi
if test -n "$2" && dpkg --compare-versions "$2" lt '0.50-4' &&
update-service --check dropbear 2>/dev/null; then
update-service --remove /etc/dropbear 2>/dev/null || :
sleep 6
rm -rf /var/run/dropbear /var/run/dropbear.log
update-service --add /etc/dropbear || :
fi

12
debian/dropbear-server.postrm vendored Normal file
View File

@@ -0,0 +1,12 @@
#! /bin/sh
set -e
test "$1" = 'purge' || exit 0
if test -e /etc/dropbear; then
rm -f /etc/dropbear/dropbear_rsa_host_key
rm -f /etc/dropbear/dropbear_dss_host_key
rmdir --ignore-fail-on-non-empty /etc/dropbear
fi
update-rc.d dropbear remove >/dev/null
rm -f /etc/default/dropbear
rm -rf /etc/dropbear/supervise /etc/dropbear/log/supervise

11
debian/dropbear-server.prerm vendored Normal file
View File

@@ -0,0 +1,11 @@
#!/bin/sh
set -e
test "$1" = 'remove' || test "$1" = 'deconfigure' || exit 0
if test -x /etc/init.d/dropbear; then
if test -x /usr/sbin/invoke-rc.d; then
invoke-rc.d dropbear stop
else
/etc/init.d/dropbear stop
fi
fi

6
debian/dropbear.init vendored
View File

@@ -25,7 +25,7 @@ set -e
cancel() { echo "$1" >&2; exit 0; };
test ! -r /etc/default/dropbear || . /etc/default/dropbear
test -x "$DAEMON" || cancel "$DAEMON does not exist or is not executable."
test ! -x /usr/sbin/update-service || ! update-service --check dropbear || \
test ! -x /usr/sbin/update-service || ! update-service --check dropbear ||
cancel 'The dropbear service is controlled through runit, use the sv(8) program'
test -z "$DROPBEAR_BANNER" || \
@@ -39,7 +39,7 @@ test -n "$DROPBEAR_RECEIVE_WINDOW" || \
case "$1" in
start)
test "$NO_START" = "0" || cancel 'NO_START is not set to zero.'
test "$NO_START" = "0" || cancel '/etc/default/dropbear NO_START is set, Dropbear will not run.'
echo -n "Starting $DESC: "
start-stop-daemon --start --quiet --pidfile /var/run/"$NAME".pid \
--exec "$DAEMON" -- -d "$DROPBEAR_DSSKEY" -r "$DROPBEAR_RSAKEY" \
@@ -52,7 +52,7 @@ case "$1" in
echo "$NAME."
;;
restart|force-reload)
test "$NO_START" = "0" || cancel 'NO_START is not set to zero.'
test "$NO_START" = "0" || cancel '/etc/default/dropbear NO_START is set, Dropbear will not run.'
echo -n "Restarting $DESC: "
start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/"$NAME".pid
sleep 1

148
debian/rules vendored
View File

@@ -20,8 +20,6 @@ ifneq (,$(findstring diet,$(DEB_BUILD_OPTIONS)))
CC =diet -v -Os gcc -nostdinc
endif
DIR =$(shell pwd)/debian/dropbear
patch: deb-checkdir patch-stamp
patch-stamp:
for i in `ls -1 debian/diff/*.diff || :`; do \
@@ -36,13 +34,15 @@ config.status: patch-stamp configure
--build='$(DEB_BUILD_GNU_TYPE)' --prefix=/usr \
--mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info \
$(CONFFLAGS)
$(MAKE) clean
build: deb-checkdir build-stamp
build-stamp: config.status
$(MAKE) CC='$(CC)' LD='$(CC)'
touch build-stamp
clean: deb-checkdir deb-checkuid
clean: DIR=$(shell pwd)/debian/dropbear
clean: deb-checkdir deb-checkuid
test ! -r Makefile || $(MAKE) distclean
rm -f libtomcrypt/Makefile libtommath/Makefile
test ! -e patch-stamp || \
@@ -51,22 +51,117 @@ clean: deb-checkdir deb-checkuid
done
rm -f patch-stamp build-stamp config.log config.status
rm -rf '$(DIR)'
rm -rf '$(DIR)'-client
rm -rf '$(DIR)'-server
rm -rf '$(DIR)'-keyutils
rm -rf '$(DIR)'-scp
rm -f debian/files debian/substvars debian/copyright changelog
install: deb-checkdir deb-checkuid build-stamp
rm -rf '$(DIR)'
install-server: DIR=$(shell pwd)/debian/dropbear-server
install-server: deb-checkdir deb-checkuid config.status
rm -f '$(DIR)'
rm *.o
$(MAKE) CC='$(CC)' LD='$(LD)' PROGRAMS="dropbear dropbearkey dropbearconvert" MULTI=1
install -d -m0755 '$(DIR)'/etc/dropbear
# programs
install -d -m0755 '$(DIR)'/usr/sbin
install -m0755 dropbear '$(DIR)'/usr/sbin/dropbear
install -d -m0755 '$(DIR)'/usr/bin
install -m0755 dbclient '$(DIR)'/usr/bin/dbclient
install -m0755 dropbearkey '$(DIR)'/usr/bin/dropbearkey
install -d -m0755 '$(DIR)'/usr/sbin
install -d -m0755 '$(DIR)'/usr/lib/dropbear
install -m0755 dropbearconvert \
'$(DIR)'/usr/lib/dropbear/dropbearconvert
$(STRIP) -R .comment -R .note '$(DIR)'/usr/sbin/* \
'$(DIR)'/usr/bin/* '$(DIR)'/usr/lib/dropbear/*
install -m0755 dropbearmulti \
'$(DIR)'/usr/lib/dropbear/dropbearmulti
ln -s ../lib/dropbear/dropbearmulti '$(DIR)'/usr/bin/dropbearkey
ln -s ../lib/dropbear/dropbearmulti '$(DIR)'/usr/sbin/dropbear
ln -s dropbearmulti '$(DIR)'/usr/lib/dropbear/dropbearconvert
# init and run scripts
install -d -m0755 '$(DIR)'/etc/init.d
install -m0755 debian/dropbear.init '$(DIR)'/etc/init.d/dropbear
install -m0755 debian/service/run '$(DIR)'/etc/dropbear/run
install -d -m0755 '$(DIR)'/etc/dropbear/log
install -m0755 debian/service/log '$(DIR)'/etc/dropbear/log/run
ln -s /var/log/dropbear '$(DIR)'/etc/dropbear/log/main
install -d -m0755 '$(DIR)'/usr/share/man/man8
for i in dropbear.8 ; do \
install -m644 $$i '$(DIR)'/usr/share/man/man8/ || exit 1; \
done
gzip -9 '$(DIR)'/usr/share/man/man8/*.8
# copyright, changelog
cat debian/copyright.in LICENSE > debian/copyright
test -r changelog || ln -s CHANGES changelog
$(STRIP) -R .comment -R .note '$(DIR)'/usr/lib/dropbear/*
install -d -m0755 '$(DIR)'/DEBIAN
test '$(CC)' != 'gcc' || \
dpkg-shlibdeps '$(DIR)'/usr/lib/dropbear/*
install-client: DIR=$(shell pwd)/debian/dropbear-client
install-client: deb-checkdir deb-checkuid config.status
rm -f '$(DIR)'
rm *.o
$(MAKE) CC='$(CC)' LD='$(LD)' PROGRAMS=dbclient dbclient
install -d -m0755 '$(DIR)'/usr/bin
install -m0755 dbclient '$(DIR)'/usr/bin/dbclient
install -d -m0755 '$(DIR)'/usr/share/man/man1
install -m644 dbclient.1 '$(DIR)'/usr/share/man/man1/
gzip -9 '$(DIR)'/usr/share/man/man1/*.1
$(STRIP) -R .comment -R .note '$(DIR)'/usr/bin/*
install -d -m0755 '$(DIR)'/DEBIAN
test '$(CC)' != 'gcc' || \
dpkg-shlibdeps '$(DIR)'/usr/bin/*
install-keyutils: DIR=$(shell pwd)/debian/dropbear-keyutils
install-keyutils: deb-checkdir deb-checkuid config.status
rm -f '$(DIR)'
rm *.o
$(MAKE) CC='$(CC)' LD='$(LD)' PROGRAMS="dropbearkey dropbearconvert" MULTI=1
install -d -m0755 '$(DIR)'/usr/bin
install -d -m0755 '$(DIR)'/usr/lib/dropbear
install -m0755 dropbearmulti \
'$(DIR)'/usr/lib/dropbear/dropbearmulti
ln -s ../lib/dropbear/dropbearmulti '$(DIR)'/usr/bin/dropbearkey
ln -s dropbearmulti '$(DIR)'/usr/lib/dropbear/dropbearconvert
install -d -m0755 '$(DIR)'/usr/share/man/man8
for i in dropbearkey.8; do \
install -m644 $$i '$(DIR)'/usr/share/man/man8/ || exit 1; \
done
gzip -9 '$(DIR)'/usr/share/man/man8/*.8
$(STRIP) -R .comment -R .note \
'$(DIR)'/usr/lib/dropbear/*
install -d -m0755 '$(DIR)'/DEBIAN
test '$(CC)' != 'gcc' || \
dpkg-shlibdeps '$(DIR)'/usr/lib/dropbear/*
install-scp: DIR=$(shell pwd)/debian/dropbear-scp
install-scp: deb-checkdir deb-checkuid config.status
rm -f '$(DIR)'
rm *.o
$(MAKE) CC='$(CC)' LD='$(LD)' PROGRAMS="scp" scp
install -d -m0755 '$(DIR)'/usr/bin
install -m0755 scp '$(DIR)'/usr/bin/scp
$(STRIP) -R .comment -R .note '$(DIR)'/usr/bin/*
install -d -m0755 '$(DIR)'/DEBIAN
test '$(CC)' != 'gcc' || \
dpkg-shlibdeps '$(DIR)'/usr/bin/*
install-multi: DIR=$(shell pwd)/debian/dropbear
install-multi: deb-checkdir deb-checkuid config.status
rm -f '$(DIR)'
rm *.o
$(MAKE) CC='$(CC)' LD='$(LD)' PROGRAMS="dropbearkey dropbearconvert scp dropbear dbclient" MULTI=1
install -d -m0755 '$(DIR)'/etc/dropbear
# programs
install -d -m0755 '$(DIR)'/usr/bin
install -d -m0755 '$(DIR)'/usr/sbin
install -d -m0755 '$(DIR)'/usr/lib/dropbear
install -m0755 dropbearmulti \
'$(DIR)'/usr/lib/dropbear/dropbearmulti
ln -s ../lib/dropbear/dropbearmulti '$(DIR)'/usr/bin/dropbearkey
ln -s ../lib/dropbear/dropbearmulti '$(DIR)'/usr/bin/dbclient
ln -s ../lib/dropbear/dropbearmulti '$(DIR)'/usr/bin/scp
ln -s ../lib/dropbear/dropbearmulti '$(DIR)'/usr/sbin/dropbear
ln -s dropbearmulti '$(DIR)'/usr/lib/dropbear/dropbearconvert
# init and run scripts
install -d -m0755 '$(DIR)'/etc/init.d
install -m0755 debian/dropbear.init '$(DIR)'/etc/init.d/dropbear
@@ -74,7 +169,6 @@ install: deb-checkdir deb-checkuid build-stamp
install -d -m0755 '$(DIR)'/etc/dropbear/log
install -m0755 debian/service/log '$(DIR)'/etc/dropbear/log/run
ln -s /var/log/dropbear '$(DIR)'/etc/dropbear/log/main
# man pages
install -d -m0755 '$(DIR)'/usr/share/man/man8
install -d -m0755 '$(DIR)'/usr/share/man/man1
install -m644 dropbear.8 '$(DIR)'/usr/share/man/man8/
@@ -83,18 +177,26 @@ install: deb-checkdir deb-checkuid build-stamp
done
gzip -9 '$(DIR)'/usr/share/man/man8/*.8
gzip -9 '$(DIR)'/usr/share/man/man1/*.1
# copyright, changelog
cat debian/copyright.in LICENSE >debian/copyright
test -r changelog || ln -s CHANGES changelog
$(STRIP) -R .comment -R .note '$(DIR)'/usr/lib/dropbear/*
install -d -m0755 '$(DIR)'/DEBIAN
test '$(CC)' != 'gcc' || \
dpkg-shlibdeps '$(DIR)'/usr/lib/dropbear/*
install: install-client install-server install-keyutils install-multi install-scp
binary-indep:
binary-arch: install dropbear.deb
test '$(CC)' != 'gcc' || \
dpkg-shlibdeps '$(DIR)'/usr/sbin/* '$(DIR)'/usr/bin/* \
'$(DIR)'/usr/lib/dropbear/*
dpkg-gencontrol -isp -pdropbear -P'$(DIR)'
dpkg -b '$(DIR)' ..
binary-arch: install dropbear.deb dropbear-server.deb dropbear-keyutils.deb dropbear-scp.deb dropbear-client.deb
dpkg-gencontrol -isp -pdropbear -P'$(shell pwd)/debian'/dropbear
dpkg-gencontrol -isp -pdropbear-server -P'$(shell pwd)/debian'/dropbear-server
dpkg-gencontrol -isp -pdropbear-client -P'$(shell pwd)/debian'/dropbear-client
dpkg-gencontrol -isp -pdropbear-keyutils -P'$(shell pwd)/debian'/dropbear-keyutils
dpkg-gencontrol -isp -pdropbear-scp -P'$(shell pwd)/debian'/dropbear-scp
dpkg -b '$(shell pwd)/debian'/dropbear ..
dpkg -b '$(shell pwd)/debian'/dropbear-server ..
dpkg -b '$(shell pwd)/debian'/dropbear-keyutils ..
dpkg -b '$(shell pwd)/debian'/dropbear-scp ..
dpkg -b '$(shell pwd)/debian'/dropbear-client ..
binary: binary-arch binary-indep

27
default_options.h
View File

@@ -122,43 +122,30 @@ IMPORTANT: Some options will require "make clean" after changes */
sha1 for compatibility */
#define DROPBEAR_SHA1_HMAC 1
#define DROPBEAR_SHA2_256_HMAC 1
#define DROPBEAR_SHA2_512_HMAC 0
#define DROPBEAR_SHA1_96_HMAC 0
/* Hostkey/public key algorithms - at least one required, these are used
* for hostkey as well as for verifying signatures with pubkey auth.
* Removing either of these won't save very much space.
* RSA is recommended.
*
* DSS may be necessary to connect to some systems though
* is not recommended for new keys.
* See: RSA_PRIV_FILENAME and DSS_PRIV_FILENAME */
#define DROPBEAR_RSA 1
/* Newer SSH implementations use SHA256 for RSA signatures. SHA1
* support is required to communicate with some older implementations.
* It will be removed in future due to SHA1 insecurity, it can be
* disabled with DROPBEAR_RSA_SHA1 set to 0 */
#define DROPBEAR_RSA_SHA1 1
/* DSS may be necessary to connect to some systems but is not
* recommended for new keys (1024 bits is small, and it uses SHA1).
* RSA key generation will be faster with bundled libtommath
* if DROPBEAR_DSS is disabled.
* https://github.com/mkj/dropbear/issues/174#issuecomment-1267374858 */
#define DROPBEAR_DSS 0
#define DROPBEAR_DSS 1
/* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
* code (either ECDSA or ECDH) increases binary size - around 30kB
* on x86-64.
* See: ECDSA_PRIV_FILENAME */
#define DROPBEAR_ECDSA 1
/* Ed25519 is faster than ECDSA. Compiling in Ed25519 code increases
* binary size - around 7,5kB on x86-64.
* See: ED25519_PRIV_FILENAME */
#define DROPBEAR_ED25519 1
/* Allow U2F security keys for public key auth, with
* sk-ecdsa-sha2-nistp256@openssh.com or sk-ssh-ed25519@openssh.com keys.
* The corresponding DROPBEAR_ECDSA or DROPBEAR_ED25519 also needs to be set.
/* SK_ECDSA/SK_ED25519 allows u2f security keys for public key auth.
* This is currently server-only. */
#define DROPBEAR_SK_KEYS 1
#define DROPBEAR_SK_ECDSA 1
#define DROPBEAR_SK_ED25519 1
/* RSA must be >=1024 */
#define DROPBEAR_DEFAULT_RSA_SIZE 2048

15
dropbear.8
View File

@@ -53,10 +53,6 @@ Disable password logins.
.B \-g
Disable password logins for root.
.TP
.B \-t
Enable two-factor authentication. Both password login and public key authentication are
required. Should not be used with the '-s' option.
.TP
.B \-j
Disable local port forwarding.
.TP
@@ -101,9 +97,6 @@ of 0 disables keepalives. If no response is received for 3 consecutive keepalive
.B \-I \fIidle_timeout
Disconnect the session if no traffic is transmitted or received for \fIidle_timeout\fR seconds.
.TP
.B \-z
By default Dropbear will send network traffic with the \fBAF21\fR setting for QoS, letting network devices give it higher priority. Some devices may have problems with that, \fI-z\fR can be used to disable it.
.TP
.B \-T \fImax_authentication_attempts
Set the number of authentication attempts allowed per connection. If unspecified the default is 10 (MAX_AUTH_TRIES)
.TP
@@ -151,14 +144,6 @@ same functionality with other means even if no-pty is set.
.B restrict
Applies all the no- restrictions listed above.
.TP
.B permitopen=\fR"\fIhost:port\fR"
Restrict local port forwarding so that connection is allowed only to the
specified host and port. Multiple permitopen options separated by commas
can be set in authorized_keys. Wildcard character ('*') may be used in
port specification for matching any port. Hosts must be literal domain names or
IP addresses.
.TP
.B command=\fR"\fIforced_command\fR"
Disregard the command provided by the user and always run \fIforced_command\fR.

2
dropbear_lint.sh
View File

@@ -3,6 +3,6 @@
EXITCODE=0
# #ifdef instead of #if
grep '#ifdef DROPBEAR' -I -- *.c *.h && EXITCODE=1
grep '#ifdef DROPBEAR' -I *.c *.h && EXITCODE=1
exit $EXITCODE

6
dropbearkey.c
View File

@@ -127,13 +127,13 @@ static void check_signkey_bits(enum signkey_type type, int bits)
#endif
#if DROPBEAR_RSA
case DROPBEAR_SIGNKEY_RSA:
if (bits < 1024 || bits > 4096 || (bits % 8 != 0)) {
dropbear_exit("Bits must satisfy 1024 <= bits <= 4096, and be a"
if (bits < 512 || bits > 4096 || (bits % 8 != 0)) {
dropbear_exit("Bits must satisfy 512 <= bits <= 4096, and be a"
" multiple of 8\n");
}
break;
#endif
#if DROPBEAR_DSS
#if DROPEAR_DSS
case DROPBEAR_SIGNKEY_DSS:
if (bits != 1024) {
dropbear_exit("DSS keys have a fixed size of 1024 bits\n");

16
fuzz/fuzzer-verify.c
View File

@@ -3,7 +3,6 @@
#include "fuzz-wrapfd.h"
#include "debug.h"
#include "dss.h"
#include "ed25519.h"
static void setup_fuzzer(void) {
fuzz_common_setup();
@@ -60,21 +59,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
/* Could also check g**q mod p == 1 */
}
if (keytype == DROPBEAR_SIGNKEY_SK_ED25519 || keytype == DROPBEAR_SIGNKEY_ED25519) {
dropbear_ed25519_key **eck = (dropbear_ed25519_key**)signkey_key_ptr(key, keytype);
if (eck && *eck) {
int i;
/* we've seen all-zero keys validate */
boguskey = 1;
for (i = 0; i < CURVE25519_LEN; i++) {
if ((*eck)->priv[i] != 0x00 || (*eck)->pub[i] != 0x00) {
boguskey = 0;
}
}
}
}
if (!boguskey) {
printf("Random key/signature managed to verify!\n");
abort();

11
keyimport.c
View File

@@ -302,7 +302,6 @@ static int ber_read_id_len(void *source, int sourcelen,
* Will avoid writing anything if dest is NULL, but still return
* amount of space required.
*/
#if DROPBEAR_DSS
static int ber_write_id_len(void *dest, int id, int length, int flags)
{
unsigned char *d = (unsigned char *)dest;
@@ -357,7 +356,6 @@ static int ber_write_id_len(void *dest, int id, int length, int flags)
return len;
}
#endif /* DROPBEAR_DSS */
/* Simple structure to point to an mp-int within a blob. */
@@ -901,16 +899,15 @@ static int openssh_write(const char *filename, sign_key *key,
buffer * extrablob = NULL; /* used for calculated values to write */
unsigned char *outblob = NULL;
int outlen = -9999;
int pos = 0, len = 0, i;
struct mpint_pos numbers[9];
int nnumbers = -1, pos = 0, len = 0, seqlen, i;
char *header = NULL, *footer = NULL;
char zero[1];
int ret = 0;
FILE *fp;
#if DROPBEAR_DSS
if (key->type == DROPBEAR_SIGNKEY_DSS) {
char zero[1];
struct mpint_pos numbers[9];
int nnumbers = -1, seqlen;
/*
* Fetch the key blobs.
*/
@@ -927,6 +924,7 @@ static int openssh_write(const char *filename, sign_key *key,
*/
numbers[0].start = zero; numbers[0].bytes = 1; zero[0] = '\0';
#if DROPBEAR_DSS
if (key->type == DROPBEAR_SIGNKEY_DSS) {
/* p */
@@ -958,6 +956,7 @@ static int openssh_write(const char *filename, sign_key *key,
header = "-----BEGIN DSA PRIVATE KEY-----\n";
footer = "-----END DSA PRIVATE KEY-----\n";
}
#endif /* DROPBEAR_DSS */
/*
* Now count up the total size of the ASN.1 encoded integers,

4
libtomcrypt/src/headers/tomcrypt_dropbear.h
View File

@@ -54,6 +54,10 @@
#define LTC_SHA1
#endif
#if DROPBEAR_MD5
#define LTC_MD5
#endif
/* ECC */
#if DROPBEAR_ECC
#define LTC_MECC

6
libtommath/Makefile.in
View File

@@ -25,14 +25,8 @@ endif
coverage: LIBNAME:=-Wl,--whole-archive $(LIBNAME) -Wl,--no-whole-archive
# Dropbear sets its own flags below
IGNORE_SPEED=1
include $(srcdir)/makefile_include.mk
# override makefile_include.mk flags
LTM_CFLAGS += @DROPBEAR_LTM_CFLAGS@
%.o: %.c $(HEADERS)
ifneq ($V,1)
@echo " * ${CC} $@"

2
libtommath/makefile_include.mk
View File

@@ -104,7 +104,7 @@ LIBTOOLFLAGS += -no-undefined
endif
# add in the standard FLAGS
LTM_CFLAGS := $(CFLAGS) $(LTM_CFLAGS)
LTM_CFLAGS += $(CFLAGS)
LTM_LFLAGS += $(LFLAGS)
LTM_LDFLAGS += $(LDFLAGS)
LTM_LIBTOOLFLAGS += $(LIBTOOLFLAGS)

2
loginrec.c
View File

@@ -829,7 +829,7 @@ utmpx_perform_login(struct logininfo *li)
return 0;
}
# else
if (!utmpx_write_direct(li, &utx)) {
if (!utmpx_write_direct(li, &ut)) {
dropbear_log(LOG_WARNING, "utmpx_perform_login: utmp_write_direct() failed");
return 0;
}

3
netio.c
View File

@@ -3,7 +3,6 @@
#include "dbutil.h"
#include "session.h"
#include "debug.h"
#include "runopts.h"
struct dropbear_progress_connection {
struct addrinfo *res;
@@ -378,7 +377,6 @@ void set_sock_priority(int sock, enum dropbear_prio prio) {
/* Don't log ENOTSOCK errors so that this can harmlessly be called
* on a client '-J' proxy pipe */
if (opts.disable_ip_tos == 0) {
#ifdef IP_TOS
/* Set the DSCP field for outbound IP packet priority.
rfc4594 has some guidance to meanings.
@@ -411,7 +409,6 @@ void set_sock_priority(int sock, enum dropbear_prio prio) {
TRACE(("Couldn't set IP_TOS (%s)", strerror(errno)));
}
#endif /* IP_TOS */
}
#ifdef HAVE_LINUX_PKT_SCHED_H
/* Set scheduling priority within the local Linux network stack */

54
packet.c
View File

@@ -430,32 +430,44 @@ static buffer* buf_decompress(const buffer* buf, unsigned int len) {
z_streamp zstream;
zstream = ses.keys->recv.zstream;
/* We use RECV_MAX_PAYLOAD_LEN+1 here to ensure that
we can detect an oversized payload after inflate() */
ret = buf_new(RECV_MAX_PAYLOAD_LEN+1);
ret = buf_new(len);
zstream->avail_in = len;
zstream->next_in = buf_getptr(buf, len);
zstream->avail_out = ret->size;
zstream->next_out = ret->data;
result = inflate(zstream, Z_SYNC_FLUSH);
if (result != Z_OK) {
dropbear_exit("zlib error");
/* decompress the payload, incrementally resizing the output buffer */
while (1) {
zstream->avail_out = ret->size - ret->pos;
zstream->next_out = buf_getwriteptr(ret, zstream->avail_out);
result = inflate(zstream, Z_SYNC_FLUSH);
buf_setlen(ret, ret->size - zstream->avail_out);
buf_setpos(ret, ret->len);
if (result != Z_BUF_ERROR && result != Z_OK) {
dropbear_exit("zlib error");
}
if (zstream->avail_in == 0 &&
(zstream->avail_out != 0 || result == Z_BUF_ERROR)) {
/* we can only exit if avail_out hasn't all been used,
* and there's no remaining input */
return ret;
}
if (zstream->avail_out == 0) {
int new_size = 0;
if (ret->size >= RECV_MAX_PAYLOAD_LEN) {
/* Already been increased as large as it can go,
* yet didn't finish up the decompression */
dropbear_exit("bad packet, oversized decompressed");
}
new_size = MIN(RECV_MAX_PAYLOAD_LEN, ret->size + ZLIB_DECOMPRESS_INCR);
ret = buf_resize(ret, new_size);
}
}
buf_setlen(ret, ret->size - zstream->avail_out);
if (zstream->avail_in > 0 || ret->len > RECV_MAX_PAYLOAD_LEN) {
/* The remote side sent larger than a payload size
* of uncompressed data.
*/
dropbear_exit("bad packet, oversized decompressed");
}
/* Success. All input was consumed and avail_out > 0 */
return ret;
}
#endif

13
runopts.h
View File

@@ -33,7 +33,6 @@
typedef struct runopts {
int disable_ip_tos;
#if DROPBEAR_SVR_REMOTETCPFWD || DROPBEAR_CLI_LOCALTCPFWD \
|| DROPBEAR_CLI_REMOTETCPFWD
int listen_fwd_all;
@@ -80,9 +79,8 @@ typedef struct svr_runopts {
char *addresses[DROPBEAR_MAX_PORTS];
int inetdmode;
/* Hidden "-2 childpipe_fd" flag indicates it's re-executing itself,
stores the childpipe preauth file descriptor. Set to -1 otherwise. */
int reexec_childpipe;
/* Hidden "-2" flag indicates it's re-executing itself */
int reexec_child;
/* Flags indicating whether to use ipv4 and ipv6 */
/* not used yet
@@ -107,7 +105,6 @@ typedef struct svr_runopts {
int noauthpass;
int norootpass;
int allowblankpass;
int multiauthmethod;
unsigned int maxauthtries;
#if DROPBEAR_SVR_REMOTETCPFWD
@@ -130,10 +127,8 @@ typedef struct svr_runopts {
char * forced_command;
#if DROPBEAR_PLUGIN
/* malloced */
char *pubkey_plugin;
/* points into pubkey_plugin */
char *pubkey_plugin_options;
char *pubkey_plugin;
char *pubkey_plugin_options;
#endif
int pass_on_env;

6
signkey.c
View File

@@ -587,7 +587,7 @@ void buf_put_sign(buffer* buf, sign_key *key, enum signature_type sigtype,
buffer *sigblob = buf_new(MAX_PUBKEY_SIZE);
enum signkey_type keytype = signkey_type_from_signature(sigtype);
#if DEBUG_TRACE > DROPBEAR_VERBOSE_LEVEL
#if DEBUG_TRACE
{
const char* signame = signature_name_from_type(sigtype, NULL);
TRACE(("buf_put_sign type %d %s", sigtype, signame));
@@ -688,7 +688,7 @@ int buf_verify(buffer * buf, sign_key *key, enum signature_type expect_sigtype,
if (keytype == DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256) {
ecc_key **eck = (ecc_key**)signkey_key_ptr(key, keytype);
if (eck && *eck) {
return buf_sk_ecdsa_verify(buf, *eck, data_buf, key->sk_app, key->sk_applen, key->sk_flags_mask);
return buf_sk_ecdsa_verify(buf, *eck, data_buf, key->sk_app, key->sk_applen);
}
}
#endif
@@ -696,7 +696,7 @@ int buf_verify(buffer * buf, sign_key *key, enum signature_type expect_sigtype,
if (keytype == DROPBEAR_SIGNKEY_SK_ED25519) {
dropbear_ed25519_key **eck = (dropbear_ed25519_key**)signkey_key_ptr(key, keytype);
if (eck && *eck) {
return buf_sk_ed25519_verify(buf, *eck, data_buf, key->sk_app, key->sk_applen, key->sk_flags_mask);
return buf_sk_ed25519_verify(buf, *eck, data_buf, key->sk_app, key->sk_applen);
}
}
#endif

1
signkey.h
View File

@@ -127,7 +127,6 @@ struct SIGN_key {
/* application ID for U2F/FIDO key types, a malloced string */
char * sk_app;
unsigned int sk_applen;
unsigned char sk_flags_mask;
#endif
};

13
sk-ecdsa.c
View File

@@ -8,9 +8,7 @@
#include "sk-ecdsa.h"
#include "ssh.h"
int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf,
const char* app, unsigned int applen,
unsigned char sk_flags_mask) {
int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf, const char* app, unsigned int applen) {
hash_state hs;
unsigned char subhash[SHA256_HASH_SIZE];
buffer *sk_buffer = NULL, *sig_buffer = NULL;
@@ -43,18 +41,13 @@ int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf,
buf_free(sk_buffer);
buf_free(sig_buffer);
if (~flags & sk_flags_mask & SSH_SK_USER_PRESENCE_REQD) {
/* TODO: allow "no-touch-required" or "verify-required" authorized_keys options */
if (!(flags & SSH_SK_USER_PRESENCE_REQD)) {
if (ret == DROPBEAR_SUCCESS) {
dropbear_log(LOG_WARNING, "Rejecting, user-presence not set");
}
ret = DROPBEAR_FAILURE;
}
if (~flags & sk_flags_mask & SSH_SK_USER_VERIFICATION_REQD) {
if (ret == DROPBEAR_SUCCESS) {
dropbear_log(LOG_WARNING, "Rejecting, user-verification not set");
}
ret = DROPBEAR_FAILURE;
}
TRACE(("leave buf_sk_ecdsa_verify, ret=%d", ret))
return ret;

4
sk-ecdsa.h
View File

@@ -8,9 +8,7 @@
#include "buffer.h"
#include "signkey.h"
int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf,
const char* app, unsigned int applen,
unsigned char sk_flags_mask);
int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf, const char* app, unsigned int applen);
#endif

13
sk-ed25519.c
View File

@@ -8,9 +8,7 @@
#include "ed25519.h"
#include "ssh.h"
int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf,
const char* app, unsigned int applen,
unsigned char sk_flags_mask) {
int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf, const char* app, unsigned int applen) {
int ret = DROPBEAR_FAILURE;
unsigned char *s;
@@ -54,18 +52,13 @@ int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const bu
ret = DROPBEAR_SUCCESS;
}
if (~flags & sk_flags_mask & SSH_SK_USER_PRESENCE_REQD) {
/* TODO: allow "no-touch-required" or "verify-required" authorized_keys options */
if (!(flags & SSH_SK_USER_PRESENCE_REQD)) {
if (ret == DROPBEAR_SUCCESS) {
dropbear_log(LOG_WARNING, "Rejecting, user-presence not set");
}
ret = DROPBEAR_FAILURE;
}
if (~flags & sk_flags_mask & SSH_SK_USER_VERIFICATION_REQD) {
if (ret == DROPBEAR_SUCCESS) {
dropbear_log(LOG_WARNING, "Rejecting, user-verification not set");
}
ret = DROPBEAR_FAILURE;
}
out:
buf_free(sk_buffer);
TRACE(("leave buf_sk_ed25519_verify: ret %d", ret))

4
sk-ed25519.h
View File

@@ -8,9 +8,7 @@
#include "buffer.h"
#include "ed25519.h"
int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf,
const char* app, unsigned int applen,
unsigned char sk_flags_mask);
int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf, const char* app, unsigned int applen);
#endif

23
svr-authpam.c
View File

@@ -30,7 +30,6 @@
#include "buffer.h"
#include "dbutil.h"
#include "auth.h"
#include "runopts.h"
#if DROPBEAR_SVR_PAM_AUTH
@@ -279,22 +278,12 @@ void svr_auth_pam(int valid_user) {
goto cleanup;
}
if (svr_opts.multiauthmethod && (ses.authstate.authtypes & ~AUTH_TYPE_PASSWORD)) {
/* successful PAM password authentication, but extra auth required */
dropbear_log(LOG_NOTICE,
"PAM password auth succeeded for '%s' from %s, extra auth required",
ses.authstate.pw_name,
svr_ses.addrstring);
ses.authstate.authtypes &= ~AUTH_TYPE_PASSWORD; /* PAM password auth ok, delete the method flag */
send_msg_userauth_failure(1, 0); /* Send partial success */
} else {
/* successful authentication */
dropbear_log(LOG_NOTICE, "PAM password auth succeeded for '%s' from %s",
ses.authstate.pw_name,
svr_ses.addrstring);
send_msg_userauth_success();
}
/* successful authentication */
dropbear_log(LOG_NOTICE, "PAM password auth succeeded for '%s' from %s",
ses.authstate.pw_name,
svr_ses.addrstring);
send_msg_userauth_success();
cleanup:
if (password != NULL) {
m_burn(password, passwordlen);

22
svr-authpasswd.c
View File

@@ -106,22 +106,12 @@ void svr_auth_password(int valid_user) {
}
if (constant_time_strcmp(testcrypt, passwdcrypt) == 0) {
if (svr_opts.multiauthmethod && (ses.authstate.authtypes & ~AUTH_TYPE_PASSWORD)) {
/* successful password authentication, but extra auth required */
dropbear_log(LOG_NOTICE,
"Password auth succeeded for '%s' from %s, extra auth required",
ses.authstate.pw_name,
svr_ses.addrstring);
ses.authstate.authtypes &= ~AUTH_TYPE_PASSWORD; /* password auth ok, delete the method flag */
send_msg_userauth_failure(1, 0); /* Send partial success */
} else {
/* successful authentication */
dropbear_log(LOG_NOTICE,
"Password auth succeeded for '%s' from %s",
ses.authstate.pw_name,
svr_ses.addrstring);
send_msg_userauth_success();
}
/* successful authentication */
dropbear_log(LOG_NOTICE,
"Password auth succeeded for '%s' from %s",
ses.authstate.pw_name,
svr_ses.addrstring);
send_msg_userauth_success();
} else {
dropbear_log(LOG_WARNING,
"Bad password attempt for '%s' from %s",

37
svr-authpubkey.c
View File

@@ -64,7 +64,6 @@
#include "ssh.h"
#include "packet.h"
#include "algo.h"
#include "runopts.h"
#if DROPBEAR_SVR_PUBKEY_AUTH
@@ -183,16 +182,6 @@ void svr_auth_pubkey(int valid_user) {
goto out;
}
#if DROPBEAR_SK_ECDSA || DROPBEAR_SK_ED25519
key->sk_flags_mask = SSH_SK_USER_PRESENCE_REQD;
if (ses.authstate.pubkey_options && ses.authstate.pubkey_options->no_touch_required_flag) {
key->sk_flags_mask &= ~SSH_SK_USER_PRESENCE_REQD;
}
if (ses.authstate.pubkey_options && ses.authstate.pubkey_options->verify_required_flag) {
key->sk_flags_mask |= SSH_SK_USER_VERIFICATION_REQD;
}
#endif
/* create the data which has been signed - this a string containing
* session_id, concatenated with the payload packet up to the signature */
assert(ses.payload_beginning <= ses.payload->pos);
@@ -212,24 +201,12 @@ void svr_auth_pubkey(int valid_user) {
/* ... and finally verify the signature */
fp = sign_key_fingerprint(keyblob, keybloblen);
if (buf_verify(ses.payload, key, sigtype, signbuf) == DROPBEAR_SUCCESS) {
if (svr_opts.multiauthmethod && (ses.authstate.authtypes & ~AUTH_TYPE_PUBKEY)) {
/* successful pubkey authentication, but extra auth required */
dropbear_log(LOG_NOTICE,
"Pubkey auth succeeded for '%s' with %s key %s from %s, extra auth required",
ses.authstate.pw_name,
signkey_name_from_type(keytype, NULL), fp,
svr_ses.addrstring);
ses.authstate.authtypes &= ~AUTH_TYPE_PUBKEY; /* pubkey auth ok, delete the method flag */
send_msg_userauth_failure(1, 0); /* Send partial success */
} else {
/* successful authentication */
dropbear_log(LOG_NOTICE,
"Pubkey auth succeeded for '%s' with %s key %s from %s",
ses.authstate.pw_name,
signkey_name_from_type(keytype, NULL), fp,
svr_ses.addrstring);
send_msg_userauth_success();
}
dropbear_log(LOG_NOTICE,
"Pubkey auth succeeded for '%s' with %s key %s from %s",
ses.authstate.pw_name,
signkey_name_from_type(keytype, NULL), fp,
svr_ses.addrstring);
send_msg_userauth_success();
#if DROPBEAR_PLUGIN
if ((ses.plugin_session != NULL) && (svr_ses.plugin_instance->auth_success != NULL)) {
/* Was authenticated through the external plugin. tell plugin that signature verification was ok */
@@ -603,7 +580,7 @@ static int checkfileperm(char * filename) {
if (badperm) {
if (!ses.authstate.perm_warn) {
ses.authstate.perm_warn = 1;
dropbear_log(LOG_INFO, "%s must be owned by user or root, and not writable by group or others", filename);
dropbear_log(LOG_INFO, "%s must be owned by user or root, and not writable by others", filename);
}
TRACE(("leave checkfileperm: failure perms/owner"))
return DROPBEAR_FAILURE;

97
svr-authpubkeyoptions.c
View File

@@ -46,7 +46,6 @@
#include "dbutil.h"
#include "signkey.h"
#include "auth.h"
#include "runopts.h"
#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
@@ -89,29 +88,6 @@ int svr_pubkey_allows_pty() {
return 1;
}
/* Returns 1 if pubkey allows local tcp fowarding to the provided destination,
* 0 otherwise */
int svr_pubkey_allows_local_tcpfwd(const char *host, unsigned int port) {
if (ses.authstate.pubkey_options
&& ses.authstate.pubkey_options->permit_open_destinations) {
m_list_elem *iter = ses.authstate.pubkey_options->permit_open_destinations->first;
while (iter) {
struct PermitTCPFwdEntry *entry = (struct PermitTCPFwdEntry*)iter->item;
if (strcmp(entry->host, host) == 0) {
if ((entry->port == PUBKEY_OPTIONS_ANY_PORT) || (entry->port == port)) {
return 1;
}
}
iter = iter->next;
}
return 0;
}
return 1;
}
/* Set chansession command to the one forced
* by any 'command' public key option. */
void svr_pubkey_set_forced_command(struct ChanSess *chansess) {
@@ -137,16 +113,6 @@ void svr_pubkey_options_cleanup() {
if (ses.authstate.pubkey_options->forced_command) {
m_free(ses.authstate.pubkey_options->forced_command);
}
if (ses.authstate.pubkey_options->permit_open_destinations) {
m_list_elem *iter = ses.authstate.pubkey_options->permit_open_destinations->first;
while (iter) {
struct PermitTCPFwdEntry *entry = (struct PermitTCPFwdEntry*)list_remove(iter);
m_free(entry->host);
m_free(entry);
iter = ses.authstate.pubkey_options->permit_open_destinations->first;
}
m_free(ses.authstate.pubkey_options->permit_open_destinations);
}
m_free(ses.authstate.pubkey_options);
}
if (ses.authstate.pubkey_info) {
@@ -240,69 +206,6 @@ int svr_add_pubkey_options(buffer *options_buf, int line_num, const char* filena
goto bad_option;
}
if (match_option(options_buf, "permitopen=\"") == DROPBEAR_SUCCESS) {
int valid_option = 0;
const unsigned char* permitopen_start = buf_getptr(options_buf, 0);
if (!ses.authstate.pubkey_options->permit_open_destinations) {
ses.authstate.pubkey_options->permit_open_destinations = list_new();
}
while (options_buf->pos < options_buf->len) {
const char c = buf_getbyte(options_buf);
if (c == '"') {
char *spec = NULL;
char *portstring = NULL;
const int permitopen_len = buf_getptr(options_buf, 0) - permitopen_start;
struct PermitTCPFwdEntry *entry =
(struct PermitTCPFwdEntry*)m_malloc(sizeof(struct PermitTCPFwdEntry));
list_append(ses.authstate.pubkey_options->permit_open_destinations, entry);
spec = m_malloc(permitopen_len);
memcpy(spec, permitopen_start, permitopen_len - 1);
spec[permitopen_len - 1] = '\0';
if ((split_address_port(spec, &entry->host, &portstring) == DROPBEAR_SUCCESS)
&& entry->host && portstring) {
if (strcmp(portstring, "*") == 0) {
valid_option = 1;
entry->port = PUBKEY_OPTIONS_ANY_PORT;
TRACE(("local port forwarding allowed to host '%s'", entry->host));
} else if (m_str_to_uint(portstring, &entry->port) == DROPBEAR_SUCCESS) {
valid_option = 1;
TRACE(("local port forwarding allowed to host '%s' and port '%u'",
entry->host, entry->port));
}
}
m_free(spec);
m_free(portstring);
break;
}
}
if (valid_option) {
goto next_option;
} else {
dropbear_log(LOG_WARNING, "Badly formatted permitopen= authorized_keys option");
goto bad_option;
}
}
if (match_option(options_buf, "no-touch-required") == DROPBEAR_SUCCESS) {
#if DROPBEAR_SK_ECDSA || DROPBEAR_SK_ED25519
dropbear_log(LOG_WARNING, "No user presence check required for U2F/FIDO key.");
ses.authstate.pubkey_options->no_touch_required_flag = 1;
#endif
goto next_option;
}
if (match_option(options_buf, "verify-required") == DROPBEAR_SUCCESS) {
#if DROPBEAR_SK_ECDSA || DROPBEAR_SK_ED25519
dropbear_log(LOG_WARNING, "User verification required for U2F/FIDO key.");
ses.authstate.pubkey_options->verify_required_flag = 1;
#endif
goto next_option;
}
next_option:
/*
* Skip the comma, and move to the next option

8
svr-chansession.c
View File

@@ -1040,11 +1040,9 @@ static void execchild(const void *user_data) {
if (chansess->original_command) {
addnewvar("SSH_ORIGINAL_COMMAND", chansess->original_command);
}
#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
if (ses.authstate.pubkey_info != NULL) {
addnewvar("SSH_PUBKEYINFO", ses.authstate.pubkey_info);
}
#endif
if (ses.authstate.pubkey_info != NULL) {
addnewvar("SSH_PUBKEYINFO", ses.authstate.pubkey_info);
}
/* change directory */
if (chdir(ses.authstate.pw_dir) < 0) {

23
svr-main.c
View File

@@ -71,7 +71,7 @@ int main(int argc, char ** argv)
#endif
#if DROPBEAR_DO_REEXEC
if (svr_opts.reexec_childpipe >= 0) {
if (svr_opts.reexec_child) {
#ifdef PR_SET_NAME
/* Fix the "Name:" in /proc/pid/status, otherwise it's
a FD number from fexecve.
@@ -102,7 +102,7 @@ static void main_inetd() {
seedrandom();
if (svr_opts.reexec_childpipe < 0) {
if (!svr_opts.reexec_child) {
/* In case our inetd was lax in logging source addresses */
get_socket_address(0, NULL, NULL, &host, &port, 0);
dropbear_log(LOG_INFO, "Child connection from %s:%s", host, port);
@@ -115,8 +115,10 @@ static void main_inetd() {
setsid();
}
/* -1 for childpipe in the inetd case is discarded */
svr_session(0, svr_opts.reexec_childpipe);
/* Start service program
* -1 is a dummy childpipe, just something we can close() without
* mattering. */
svr_session(0, -1);
/* notreached */
}
@@ -330,7 +332,7 @@ static void main_noinetd(int argc, char ** argv, const char* multipath) {
m_free(remote_host);
m_free(remote_port);
#if !DEBUG_NOFORK
#ifndef DEBUG_NOFORK
if (setsid() < 0) {
dropbear_exit("setsid: %s", strerror(errno));
}
@@ -345,10 +347,9 @@ static void main_noinetd(int argc, char ** argv, const char* multipath) {
if (execfd >= 0) {
#if DROPBEAR_DO_REEXEC
/* Add "-2 childpipe[1]" to the args and re-execute ourself. */
char **new_argv = m_malloc(sizeof(char*) * (argc+4));
char buf[10];
int pos0 = 0, new_argc = argc+2;
/* Add "-2" to the args and re-execute ourself. */
char **new_argv = m_malloc(sizeof(char*) * (argc+3));
int pos0 = 0, new_argc = argc+1;
/* We need to specially handle "dropbearmulti dropbear". */
if (multipath) {
@@ -358,9 +359,7 @@ static void main_noinetd(int argc, char ** argv, const char* multipath) {
}
memcpy(&new_argv[pos0], argv, sizeof(char*) * argc);
new_argv[new_argc-2] = "-2";
snprintf(buf, sizeof(buf), "%d", childpipe[1]);
new_argv[new_argc-1] = buf;
new_argv[new_argc-1] = "-2";
new_argv[new_argc] = NULL;
if ((dup2(childsock, STDIN_FILENO) < 0)) {

47
svr-runopts.c
View File

@@ -81,7 +81,6 @@ static void printhelp(const char * progname) {
"-s Disable password logins\n"
"-g Disable password logins for root\n"
"-B Allow blank password logins\n"
"-t Enable two-factor authentication (both password and public key required)\n"
#endif
"-T Maximum authentication tries (default %d)\n"
#if DROPBEAR_SVR_LOCALTCPFWD
@@ -104,7 +103,6 @@ static void printhelp(const char * progname) {
"-W <receive_window_buffer> (default %d, larger may be faster, max 10MB)\n"
"-K <keepalive> (0 is never, default %d, in seconds)\n"
"-I <idle_timeout> (0 is never, default %d, in seconds)\n"
"-z disable QoS\n"
#if DROPBEAR_PLUGIN
"-A <authplugin>[,<options>]\n"
" Enable external public key auth through <authplugin>\n"
@@ -140,7 +138,6 @@ void svr_getopts(int argc, char ** argv) {
char* keepalive_arg = NULL;
char* idle_timeout_arg = NULL;
char* maxauthtries_arg = NULL;
char* reexec_fd_arg = NULL;
char* keyfile = NULL;
char c;
#if DROPBEAR_PLUGIN
@@ -161,7 +158,6 @@ void svr_getopts(int argc, char ** argv) {
svr_opts.noauthpass = 0;
svr_opts.norootpass = 0;
svr_opts.allowblankpass = 0;
svr_opts.multiauthmethod = 0;
svr_opts.maxauthtries = MAX_AUTH_TRIES;
svr_opts.inetdmode = 0;
svr_opts.portcount = 0;
@@ -179,7 +175,6 @@ void svr_getopts(int argc, char ** argv) {
svr_opts.pubkey_plugin_options = NULL;
#endif
svr_opts.pass_on_env = 0;
svr_opts.reexec_childpipe = -1;
#ifndef DISABLE_ZLIB
opts.compress_mode = DROPBEAR_COMPRESS_DELAYED;
@@ -202,7 +197,6 @@ void svr_getopts(int argc, char ** argv) {
#if DROPBEAR_SVR_REMOTETCPFWD
opts.listen_fwd_all = 0;
#endif
opts.disable_ip_tos = 0;
for (i = 1; i < (unsigned int)argc; i++) {
if (argv[i][0] != '-' || argv[i][1] == '\0')
@@ -256,12 +250,12 @@ void svr_getopts(int argc, char ** argv) {
#if DROPBEAR_DO_REEXEC && NON_INETD_MODE
/* For internal use by re-exec */
case '2':
next = &reexec_fd_arg;
svr_opts.reexec_child = 1;
break;
#endif
case 'p':
nextisport = 1;
break;
nextisport = 1;
break;
case 'P':
next = &svr_opts.pidfile;
break;
@@ -301,9 +295,6 @@ void svr_getopts(int argc, char ** argv) {
case 'B':
svr_opts.allowblankpass = 1;
break;
case 't':
svr_opts.multiauthmethod = 1;
break;
#endif
case 'h':
printhelp(argv[0]);
@@ -326,9 +317,6 @@ void svr_getopts(int argc, char ** argv) {
print_version();
exit(EXIT_SUCCESS);
break;
case 'z':
opts.disable_ip_tos = 1;
break;
default:
fprintf(stderr, "Invalid option -%c\n", c);
printhelp(argv[0]);
@@ -438,13 +426,6 @@ void svr_getopts(int argc, char ** argv) {
dropbear_log(LOG_INFO, "Forced command set to '%s'", svr_opts.forced_command);
}
if (reexec_fd_arg) {
if (m_str_to_uint(reexec_fd_arg, &svr_opts.reexec_childpipe) == DROPBEAR_FAILURE
|| svr_opts.reexec_childpipe < 0) {
dropbear_exit("Bad -2");
}
}
#if INETD_MODE
if (svr_opts.inetdmode && (
opts.usingsyslog == 0
@@ -457,20 +438,16 @@ void svr_getopts(int argc, char ** argv) {
}
#endif
if (svr_opts.multiauthmethod && svr_opts.noauthpass) {
dropbear_exit("-t and -s are incompatible");
}
#if DROPBEAR_PLUGIN
if (pubkey_plugin) {
svr_opts.pubkey_plugin = m_strdup(pubkey_plugin);
char *args = strchr(svr_opts.pubkey_plugin, ',');
if (args) {
*args='\0';
++args;
}
svr_opts.pubkey_plugin_options = args;
}
if (pubkey_plugin) {
char *args = strchr(pubkey_plugin, ',');
if (args) {
*args='\0';
++args;
}
svr_opts.pubkey_plugin = pubkey_plugin;
svr_opts.pubkey_plugin_options = args;
}
#endif
}

12
svr-session.c
View File

@@ -208,7 +208,7 @@ void svr_session(int sock, int childpipe) {
}
/* cleanup and exit - format must be <= 100 chars */
/* failure exit - format must be <= 100 chars */
void svr_dropbear_exit(int exitcode, const char* format, va_list param) {
char exitmsg[150];
char fullmsg[300];
@@ -217,12 +217,10 @@ void svr_dropbear_exit(int exitcode, const char* format, va_list param) {
int add_delay = 0;
#if DROPBEAR_PLUGIN
if ((ses.plugin_session != NULL)) {
svr_ses.plugin_instance->delete_session(ses.plugin_session);
}
ses.plugin_session = NULL;
svr_opts.pubkey_plugin_options = NULL;
m_free(svr_opts.pubkey_plugin);
if ((ses.plugin_session != NULL)) {
svr_ses.plugin_instance->delete_session(ses.plugin_session);
}
ses.plugin_session = NULL;
#endif
/* Render the formatted exit message */

5
svr-tcpfwd.c
View File

@@ -289,11 +289,6 @@ static int newtcpdirect(struct Channel * channel) {
goto out;
}
if (!svr_pubkey_allows_local_tcpfwd(desthost, destport)) {
TRACE(("leave newtcpdirect: local tcp forwarding not permitted to requested destination"));
goto out;
}
snprintf(portstring, sizeof(portstring), "%u", destport);
channel->conn_pending = connect_remote(desthost, portstring, channel_connect_done,
channel, NULL, NULL, DROPBEAR_PRIO_NORMAL);

2
svr-x11fwd.c
View File

@@ -206,7 +206,7 @@ void x11cleanup(struct ChanSess *chansess) {
}
static int x11_inithandler(struct Channel *channel) {
channel->prio = DROPBEAR_PRIO_LOWDELAY;
channel->prio = DROPBEAR_CHANNEL_PRIO_INTERACTIVE;
return 0;
}

52
sysoptions.h
View File

@@ -1,10 +1,10 @@
/*******************************************************************
* You shouldn't edit this file unless you know you need to.
* You shouldn't edit this file unless you know you need to.
* This file is only included from options.h
*******************************************************************/
#ifndef DROPBEAR_VERSION
#define DROPBEAR_VERSION "2022.83"
#define DROPBEAR_VERSION "2022.82"
#endif
#define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
@@ -68,6 +68,7 @@
#define MAX_TERM_LEN 200 /* max length of TERM name */
#define MAX_HOST_LEN 254 /* max hostname len for tcp fwding */
#define MAX_IP_LEN 15 /* strlen("255.255.255.255") == 15 */
#define DROPBEAR_MAX_PORTS 10 /* max number of ports which can be specified,
ipv4 and ipv6 don't count twice */
@@ -79,21 +80,12 @@
#define _PATH_CP "/bin/cp"
/* Default contents of /etc/shells if system getusershell() doesn't exist.
* Paths taken from getusershell(3) manpage. These can be customised
* on other platforms. One the commandline for CFLAGS it would look like eg
-DCOMPAT_USER_SHELLS='"/bin/sh","/apps/bin/sh","/data/bin/zsh"'
*/
#ifndef COMPAT_USER_SHELLS
#define COMPAT_USER_SHELLS "/bin/sh","/bin/csh"
#endif
#define DROPBEAR_ESCAPE_CHAR '~'
/* success/failure defines */
#define DROPBEAR_SUCCESS 0
#define DROPBEAR_FAILURE -1
#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
#define DROPBEAR_NGROUP_MAX 1024
@@ -111,6 +103,7 @@
#define SHA1_HASH_SIZE 20
#define SHA256_HASH_SIZE 32
#define MD5_HASH_SIZE 16
#define MAX_HASH_SIZE 64 /* sha512 */
#if DROPBEAR_CHACHA20POLY1305
@@ -133,6 +126,11 @@
#define DROPBEAR_SHA2_512_HMAC 0
#endif
/* might be needed for compatibility with very old implementations */
#ifndef DROPBEAR_MD5_HMAC
#define DROPBEAR_MD5_HMAC 0
#endif
#define DROPBEAR_ECC ((DROPBEAR_ECDH) || (DROPBEAR_ECDSA))
/* Debian doesn't define this in system headers */
@@ -158,15 +156,6 @@
#define DROPBEAR_RSA_SHA256 DROPBEAR_RSA
#endif
/* Miller-Rabin primality testing is sufficient for RSA but not DSS.
* It's a compile-time setting for libtommath, we can get a speedup
* for key generation if DSS is disabled.
* https://github.com/mkj/dropbear/issues/174#issuecomment-1267374858
*/
#if !DROPBEAR_DSS
#define LTM_USE_ONLY_MR 1
#endif
/* hashes which will be linked and registered */
#define DROPBEAR_SHA1 (DROPBEAR_RSA_SHA1 || DROPBEAR_DSS \
|| DROPBEAR_SHA1_HMAC || DROPBEAR_SHA1_96_HMAC \
@@ -178,18 +167,12 @@
#define DROPBEAR_SHA512 ((DROPBEAR_SHA2_512_HMAC) || (DROPBEAR_ECC_521) \
|| (DROPBEAR_SHA384) || (DROPBEAR_DH_GROUP16) \
|| (DROPBEAR_ED25519))
#define DROPBEAR_MD5 (DROPBEAR_MD5_HMAC)
#define DROPBEAR_DH_GROUP14 ((DROPBEAR_DH_GROUP14_SHA256) || (DROPBEAR_DH_GROUP14_SHA1))
#define DROPBEAR_NORMAL_DH ((DROPBEAR_DH_GROUP1) || (DROPBEAR_DH_GROUP14) || (DROPBEAR_DH_GROUP16))
#ifndef DROPBEAR_SK_ECDSA
#define DROPBEAR_SK_ECDSA DROPBEAR_SK_KEYS
#endif
#ifndef DROPBEAR_SK_ED25519
#define DROPBEAR_SK_ED25519 DROPBEAR_SK_KEYS
#endif
/* Dropbear only uses server-sig-algs, only needed if we have rsa-sha256 pubkey auth */
#define DROPBEAR_EXT_INFO ((DROPBEAR_RSA_SHA256) \
&& ((DROPBEAR_CLI_PUBKEY_AUTH) || (DROPBEAR_SVR_PUBKEY_AUTH)))
@@ -374,18 +357,5 @@
#define DROPBEAR_MSAN 0
#endif
#ifndef DEBUG_DSS_VERIFY
#define DEBUG_DSS_VERIFY 0
#endif
#ifndef DROPBEAR_MULTI
#define DROPBEAR_MULTI 0
#endif
/* Fuzzing expects all key types to be enabled */
#if defined(DROPBEAR_DSS)
#undef DROPBEAR_DSS
#endif
#define DROPBEAR_DSS 1
/* no include guard for this file */