ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-02-07 13:21:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
91e537e427
dropbear/svr-runopts.c
Vladislav Grishenko 3d12521735
Add Ed25519 support (#91) 
* Add support for Ed25519 as a public key type

Ed25519 is a elliptic curve signature scheme that offers
better security than ECDSA and DSA and good performance. It may be
used for both user and host keys.

OpenSSH key import and fuzzer are not supported yet.

Initially inspired by Peter Szabo.

* Add curve25519 and ed25519 fuzzers

* Add import and export of Ed25519 keys
2020-03-12 00:09:45 +08:00

673 lines
17 KiB
C
Raw Blame History

/*
* Dropbear - a SSH2 server
*
* Copyright (c) 2002,2003 Matt Johnston
* All rights reserved.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE. */
#include "includes.h"
#include "runopts.h"
#include "signkey.h"
#include "buffer.h"
#include "dbutil.h"
#include "algo.h"
#include "ecdsa.h"
#include <grp.h>
svr_runopts svr_opts; /* GLOBAL */
static void printhelp(const char * progname);
static void addportandaddress(const char* spec);
static void loadhostkey(const char *keyfile, int fatal_duplicate);
static void addhostkey(const char *keyfile);
static void printhelp(const char * progname) {
fprintf(stderr, "Dropbear server v%s https://matt.ucc.asn.au/dropbear/dropbear.html\n"
"Usage: %s [options]\n"
"-b bannerfile Display the contents of bannerfile"
" before user login\n"
" (default: none)\n"
"-r keyfile Specify hostkeys (repeatable)\n"
" defaults: \n"
#if DROPBEAR_DSS
" - dss %s\n"
#endif
#if DROPBEAR_RSA
" - rsa %s\n"
#endif
#if DROPBEAR_ECDSA
" - ecdsa %s\n"
#endif
#if DROPBEAR_ED25519
" - ed25519 %s\n"
#endif
#if DROPBEAR_DELAY_HOSTKEY
"-R Create hostkeys as required\n"
#endif
"-F Don't fork into background\n"
#ifdef DISABLE_SYSLOG
"(Syslog support not compiled in, using stderr)\n"
#else
"-E Log to stderr rather than syslog\n"
#endif
#if DO_MOTD
"-m Don't display the motd on login\n"
#endif
"-w Disallow root logins\n"
#ifdef HAVE_GETGROUPLIST
"-G Restrict logins to members of specified group\n"
#endif
#if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
"-s Disable password logins\n"
"-g Disable password logins for root\n"
"-B Allow blank password logins\n"
#endif
"-T Maximum authentication tries (default %d)\n"
#if DROPBEAR_SVR_LOCALTCPFWD
"-j Disable local port forwarding\n"
#endif
#if DROPBEAR_SVR_REMOTETCPFWD
"-k Disable remote port forwarding\n"
"-a Allow connections to forwarded ports from any host\n"
"-c command Force executed command\n"
#endif
"-p [address:]port\n"
" Listen on specified tcp port (and optionally address),\n"
" up to %d can be specified\n"
" (default port is %s if none specified)\n"
"-P PidFile Create pid file PidFile\n"
" (default %s)\n"
#if INETD_MODE
"-i Start for inetd\n"
#endif
"-W <receive_window_buffer> (default %d, larger may be faster, max 1MB)\n"
"-K <keepalive> (0 is never, default %d, in seconds)\n"
"-I <idle_timeout> (0 is never, default %d, in seconds)\n"
#if DROPBEAR_PLUGIN
"-A <authplugin>[,<options>]\n"
" Enable external public key auth through <authplugin>\n"
#endif
"-V Version\n"
#if DEBUG_TRACE
"-v verbose (compiled with DEBUG_TRACE)\n"
#endif
,DROPBEAR_VERSION, progname,
#if DROPBEAR_DSS
DSS_PRIV_FILENAME,
#endif
#if DROPBEAR_RSA
RSA_PRIV_FILENAME,
#endif
#if DROPBEAR_ECDSA
ECDSA_PRIV_FILENAME,
#endif
#if DROPBEAR_ED25519
ED25519_PRIV_FILENAME,
#endif
MAX_AUTH_TRIES,
DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE,
DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT);
}
void svr_getopts(int argc, char ** argv) {
unsigned int i, j;
char ** next = NULL;
int nextisport = 0;
char* recv_window_arg = NULL;
char* keepalive_arg = NULL;
char* idle_timeout_arg = NULL;
char* maxauthtries_arg = NULL;
char* keyfile = NULL;
char c;
#if DROPBEAR_PLUGIN
char* pubkey_plugin = NULL;
#endif
/* see printhelp() for options */
svr_opts.bannerfile = NULL;
svr_opts.banner = NULL;
svr_opts.forced_command = NULL;
svr_opts.forkbg = 1;
svr_opts.norootlogin = 0;
#ifdef HAVE_GETGROUPLIST
svr_opts.restrict_group = NULL;
svr_opts.restrict_group_gid = 0;
#endif
svr_opts.noauthpass = 0;
svr_opts.norootpass = 0;
svr_opts.allowblankpass = 0;
svr_opts.maxauthtries = MAX_AUTH_TRIES;
svr_opts.inetdmode = 0;
svr_opts.portcount = 0;
svr_opts.hostkey = NULL;
svr_opts.delay_hostkey = 0;
svr_opts.pidfile = DROPBEAR_PIDFILE;
#if DROPBEAR_SVR_LOCALTCPFWD
svr_opts.nolocaltcp = 0;
#endif
#if DROPBEAR_SVR_REMOTETCPFWD
svr_opts.noremotetcp = 0;
#endif
#if DROPBEAR_PLUGIN
svr_opts.pubkey_plugin = NULL;
svr_opts.pubkey_plugin_options = NULL;
#endif
#ifndef DISABLE_ZLIB
opts.compress_mode = DROPBEAR_COMPRESS_DELAYED;
#endif
/* not yet
opts.ipv4 = 1;
opts.ipv6 = 1;
*/
#if DO_MOTD
svr_opts.domotd = 1;
#endif
#ifndef DISABLE_SYSLOG
opts.usingsyslog = 1;
#endif
opts.recv_window = DEFAULT_RECV_WINDOW;
opts.keepalive_secs = DEFAULT_KEEPALIVE;
opts.idle_timeout_secs = DEFAULT_IDLE_TIMEOUT;
#if DROPBEAR_SVR_REMOTETCPFWD
opts.listen_fwd_all = 0;
#endif
for (i = 1; i < (unsigned int)argc; i++) {
if (argv[i][0] != '-' || argv[i][1] == '\0')
dropbear_exit("Invalid argument: %s", argv[i]);
for (j = 1; (c = argv[i][j]) != '\0' && !next && !nextisport; j++) {
switch (c) {
case 'b':
next = &svr_opts.bannerfile;
break;
case 'c':
next = &svr_opts.forced_command;
break;
case 'd':
case 'r':
next = &keyfile;
break;
case 'R':
svr_opts.delay_hostkey = 1;
break;
case 'F':
svr_opts.forkbg = 0;
break;
#ifndef DISABLE_SYSLOG
case 'E':
opts.usingsyslog = 0;
break;
#endif
#if DROPBEAR_SVR_LOCALTCPFWD
case 'j':
svr_opts.nolocaltcp = 1;
break;
#endif
#if DROPBEAR_SVR_REMOTETCPFWD
case 'k':
svr_opts.noremotetcp = 1;
break;
case 'a':
opts.listen_fwd_all = 1;
break;
#endif
#if INETD_MODE
case 'i':
svr_opts.inetdmode = 1;
break;
#endif
case 'p':
nextisport = 1;
break;
case 'P':
next = &svr_opts.pidfile;
break;
#if DO_MOTD
/* motd is displayed by default, -m turns it off */
case 'm':
svr_opts.domotd = 0;
break;
#endif
case 'w':
svr_opts.norootlogin = 1;
break;
#ifdef HAVE_GETGROUPLIST
case 'G':
next = &svr_opts.restrict_group;
break;
#endif
case 'W':
next = &recv_window_arg;
break;
case 'K':
next = &keepalive_arg;
break;
case 'I':
next = &idle_timeout_arg;
break;
case 'T':
next = &maxauthtries_arg;
break;
#if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH
case 's':
svr_opts.noauthpass = 1;
break;
case 'g':
svr_opts.norootpass = 1;
break;
case 'B':
svr_opts.allowblankpass = 1;
break;
#endif
case 'h':
printhelp(argv[0]);
exit(EXIT_SUCCESS);
break;
case 'u':
/* backwards compatibility with old urandom option */
break;
#if DROPBEAR_PLUGIN
case 'A':
next = &pubkey_plugin;
break;
#endif
#if DEBUG_TRACE
case 'v':
debug_trace = 1;
break;
#endif
case 'V':
print_version();
exit(EXIT_SUCCESS);
break;
default:
fprintf(stderr, "Invalid option -%c\n", c);
printhelp(argv[0]);
exit(EXIT_FAILURE);
break;
}
}
if (!next && !nextisport)
continue;
if (c == '\0') {
i++;
j = 0;
if (!argv[i]) {
dropbear_exit("Missing argument");
}
}
if (nextisport) {
addportandaddress(&argv[i][j]);
nextisport = 0;
} else if (next) {
*next = &argv[i][j];
if (*next == NULL) {
dropbear_exit("Invalid null argument");
}
next = NULL;
if (keyfile) {
addhostkey(keyfile);
keyfile = NULL;
}
}
}
/* Set up listening ports */
if (svr_opts.portcount == 0) {
svr_opts.ports[0] = m_strdup(DROPBEAR_DEFPORT);
svr_opts.addresses[0] = m_strdup(DROPBEAR_DEFADDRESS);
svr_opts.portcount = 1;
}
if (svr_opts.bannerfile) {
struct stat buf;
if (stat(svr_opts.bannerfile, &buf) != 0) {
dropbear_exit("Error opening banner file '%s'",
svr_opts.bannerfile);
}
if (buf.st_size > MAX_BANNER_SIZE) {
dropbear_exit("Banner file too large, max is %d bytes",
MAX_BANNER_SIZE);
}
svr_opts.banner = buf_new(buf.st_size);
if (buf_readfile(svr_opts.banner, svr_opts.bannerfile)!=DROPBEAR_SUCCESS) {
dropbear_exit("Error reading banner file '%s'",
svr_opts.bannerfile);
}
buf_setpos(svr_opts.banner, 0);
}
#ifdef HAVE_GETGROUPLIST
if (svr_opts.restrict_group) {
struct group *restrictedgroup = getgrnam(svr_opts.restrict_group);
if (restrictedgroup){
svr_opts.restrict_group_gid = restrictedgroup->gr_gid;
} else {
dropbear_exit("Cannot restrict logins to group '%s' as the group does not exist", svr_opts.restrict_group);
}
}
#endif
if (recv_window_arg) {
opts.recv_window = atol(recv_window_arg);
if (opts.recv_window == 0 || opts.recv_window > MAX_RECV_WINDOW) {
dropbear_exit("Bad recv window '%s'", recv_window_arg);
}
}
if (maxauthtries_arg) {
unsigned int val = 0;
if (m_str_to_uint(maxauthtries_arg, &val) == DROPBEAR_FAILURE
|| val == 0) {
dropbear_exit("Bad maxauthtries '%s'", maxauthtries_arg);
}
svr_opts.maxauthtries = val;
}
if (keepalive_arg) {
unsigned int val;
if (m_str_to_uint(keepalive_arg, &val) == DROPBEAR_FAILURE) {
dropbear_exit("Bad keepalive '%s'", keepalive_arg);
}
opts.keepalive_secs = val;
}
if (idle_timeout_arg) {
unsigned int val;
if (m_str_to_uint(idle_timeout_arg, &val) == DROPBEAR_FAILURE) {
dropbear_exit("Bad idle_timeout '%s'", idle_timeout_arg);
}
opts.idle_timeout_secs = val;
}
if (svr_opts.forced_command) {
dropbear_log(LOG_INFO, "Forced command set to '%s'", svr_opts.forced_command);
}
#if DROPBEAR_PLUGIN
if (pubkey_plugin) {
char *args = strchr(pubkey_plugin, ',');
if (args) {
*args='\0';
++args;
}
svr_opts.pubkey_plugin = pubkey_plugin;
svr_opts.pubkey_plugin_options = args;
}
#endif
}
static void addportandaddress(const char* spec) {
char *spec_copy = NULL, *myspec = NULL, *port = NULL, *address = NULL;
if (svr_opts.portcount < DROPBEAR_MAX_PORTS) {
/* We don't free it, it becomes part of the runopt state */
spec_copy = m_strdup(spec);
myspec = spec_copy;
if (myspec[0] == '[') {
myspec++;
port = strchr(myspec, ']');
if (!port) {
/* Unmatched [ -> exit */
dropbear_exit("Bad listen address");
}
port[0] = '\0';
port++;
if (port[0] != ':') {
/* Missing port -> exit */
dropbear_exit("Missing port");
}
} else {
/* search for ':', that separates address and port */
port = strrchr(myspec, ':');
}
if (!port) {
/* no ':' -> the whole string specifies just a port */
port = myspec;
} else {
/* Split the address/port */
port[0] = '\0';
port++;
address = myspec;
}
if (!address) {
/* no address given -> fill in the default address */
address = DROPBEAR_DEFADDRESS;
}
if (port[0] == '\0') {
/* empty port -> exit */
dropbear_exit("Bad port");
}
svr_opts.ports[svr_opts.portcount] = m_strdup(port);
svr_opts.addresses[svr_opts.portcount] = m_strdup(address);
svr_opts.portcount++;
m_free(spec_copy);
}
}
static void disablekey(int type) {
int i;
TRACE(("Disabling key type %d", type))
for (i = 0; sshhostkey[i].name != NULL; i++) {
if (sshhostkey[i].val == type) {
sshhostkey[i].usable = 0;
break;
}
}
}
static void loadhostkey_helper(const char *name, void** src, void** dst, int fatal_duplicate) {
if (*dst) {
if (fatal_duplicate) {
dropbear_exit("Only one %s key can be specified", name);
}
} else {
*dst = *src;
*src = NULL;
}
}
/* Must be called after syslog/etc is working */
static void loadhostkey(const char *keyfile, int fatal_duplicate) {
sign_key * read_key = new_sign_key();
enum signkey_type type = DROPBEAR_SIGNKEY_ANY;
if (readhostkey(keyfile, read_key, &type) == DROPBEAR_FAILURE) {
if (!svr_opts.delay_hostkey) {
dropbear_log(LOG_WARNING, "Failed loading %s", keyfile);
}
}
#if DROPBEAR_RSA
if (type == DROPBEAR_SIGNKEY_RSA) {
loadhostkey_helper("RSA", (void**)&read_key->rsakey, (void**)&svr_opts.hostkey->rsakey, fatal_duplicate);
}
#endif
#if DROPBEAR_DSS
if (type == DROPBEAR_SIGNKEY_DSS) {
loadhostkey_helper("DSS", (void**)&read_key->dsskey, (void**)&svr_opts.hostkey->dsskey, fatal_duplicate);
}
#endif
#if DROPBEAR_ECDSA
#if DROPBEAR_ECC_256
if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP256) {
loadhostkey_helper("ECDSA256", (void**)&read_key->ecckey256, (void**)&svr_opts.hostkey->ecckey256, fatal_duplicate);
}
#endif
#if DROPBEAR_ECC_384
if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP384) {
loadhostkey_helper("ECDSA384", (void**)&read_key->ecckey384, (void**)&svr_opts.hostkey->ecckey384, fatal_duplicate);
}
#endif
#if DROPBEAR_ECC_521
if (type == DROPBEAR_SIGNKEY_ECDSA_NISTP521) {
loadhostkey_helper("ECDSA521", (void**)&read_key->ecckey521, (void**)&svr_opts.hostkey->ecckey521, fatal_duplicate);
}
#endif
#endif /* DROPBEAR_ECDSA */
#if DROPBEAR_ED25519
if (type == DROPBEAR_SIGNKEY_ED25519) {
loadhostkey_helper("ed25519", (void**)&read_key->ed25519key, (void**)&svr_opts.hostkey->ed25519key, fatal_duplicate);
}
#endif
sign_key_free(read_key);
TRACE(("leave loadhostkey"))
}
static void addhostkey(const char *keyfile) {
if (svr_opts.num_hostkey_files >= MAX_HOSTKEYS) {
dropbear_exit("Too many hostkeys");
}
svr_opts.hostkey_files[svr_opts.num_hostkey_files] = m_strdup(keyfile);
svr_opts.num_hostkey_files++;
}
void load_all_hostkeys() {
int i;
int any_keys = 0;
#ifdef DROPBEAR_ECDSA
int loaded_any_ecdsa = 0;
#endif
svr_opts.hostkey = new_sign_key();
for (i = 0; i < svr_opts.num_hostkey_files; i++) {
char *hostkey_file = svr_opts.hostkey_files[i];
loadhostkey(hostkey_file, 1);
m_free(hostkey_file);
}
/* Only load default host keys if a host key is not specified by the user */
if (svr_opts.num_hostkey_files == 0) {
#if DROPBEAR_RSA
loadhostkey(RSA_PRIV_FILENAME, 0);
#endif
#if DROPBEAR_DSS
loadhostkey(DSS_PRIV_FILENAME, 0);
#endif
#if DROPBEAR_ECDSA
loadhostkey(ECDSA_PRIV_FILENAME, 0);
#endif
#if DROPBEAR_ED25519
loadhostkey(ED25519_PRIV_FILENAME, 0);
#endif
}
#if DROPBEAR_RSA
if (!svr_opts.delay_hostkey && !svr_opts.hostkey->rsakey) {
disablekey(DROPBEAR_SIGNKEY_RSA);
} else {
any_keys = 1;
}
#endif
#if DROPBEAR_DSS
if (!svr_opts.delay_hostkey && !svr_opts.hostkey->dsskey) {
disablekey(DROPBEAR_SIGNKEY_DSS);
} else {
any_keys = 1;
}
#endif
#if DROPBEAR_ECDSA
/* We want to advertise a single ecdsa algorithm size.
- If there is a ecdsa hostkey at startup we choose that that size.
- If we generate at runtime we choose the default ecdsa size.
- Otherwise no ecdsa keys will be advertised */
/* check if any keys were loaded at startup */
loaded_any_ecdsa =
0
#if DROPBEAR_ECC_256
|| svr_opts.hostkey->ecckey256
#endif
#if DROPBEAR_ECC_384
|| svr_opts.hostkey->ecckey384
#endif
#if DROPBEAR_ECC_521
|| svr_opts.hostkey->ecckey521
#endif
;
any_keys |= loaded_any_ecdsa;
/* Or an ecdsa key could be generated at runtime */
any_keys |= svr_opts.delay_hostkey;
/* At most one ecdsa key size will be left enabled */
#if DROPBEAR_ECC_256
if (!svr_opts.hostkey->ecckey256
&& (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 256 )) {
disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP256);
}
#endif
#if DROPBEAR_ECC_384
if (!svr_opts.hostkey->ecckey384
&& (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 384 )) {
disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP384);
}
#endif
#if DROPBEAR_ECC_521
if (!svr_opts.hostkey->ecckey521
&& (!svr_opts.delay_hostkey || loaded_any_ecdsa || ECDSA_DEFAULT_SIZE != 521 )) {
disablekey(DROPBEAR_SIGNKEY_ECDSA_NISTP521);
}
#endif
#endif /* DROPBEAR_ECDSA */
#if DROPBEAR_ED25519
if (!svr_opts.delay_hostkey && !svr_opts.hostkey->ed25519key) {
disablekey(DROPBEAR_SIGNKEY_ED25519);
} else {
any_keys = 1;
}
#endif
if (!any_keys) {
dropbear_exit("No hostkeys available. 'dropbear -R' may be useful or run dropbearkey.");
}
}
Reference in New Issue View Git Blame Copy Permalink