Hello community, here is the log from the commit of package dropbear for openSUSE:Factory checked in at 2013-10-15 10:40:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dropbear (Old) and /work/SRC/openSUSE:Factory/.dropbear.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dropbear" Changes: -------- --- /work/SRC/openSUSE:Factory/dropbear/dropbear.changes 2013-04-29 09:52:49.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.dropbear.new/dropbear.changes 2013-10-15 10:40:04.000000000 +0200 @@ -1,0 +2,30 @@ +Thu Oct 10 07:29:00 UTC 2013 - [email protected] + +- provided links for download sources +- employed gpg-offline - verify sources + +------------------------------------------------------------------- +Mon Oct 7 08:10:32 UTC 2013 - [email protected] + +- imported upstream version 2013.59 + * Fix crash from -J command + Thanks to Lluís Batlle i Rossell and Arnaud Mouiche for patches + * Avoid reading too much from /proc/net/rt_cache since that causes + system slowness. + * Improve EOF handling for half-closed connections + Thanks to Catalin Patulea + * Send a banner message to report PAM error messages intended for the user + Patch from Martin Donnelly + * Limit the size of decompressed payloads, avoids memory exhaustion denial + of service + Thanks to Logan Lamb for reporting and investigating it + * Avoid disclosing existence of valid users through inconsistent delays + Thanks to Logan Lamb for reporting + * Update config.guess and config.sub for newer architectures + * Avoid segfault in server for locked accounts + * "make install" now installs manpages + dropbearkey.8 has been renamed to dropbearkey.1 + manpage added for dropbearconvert + * Get rid of one second delay when running non-interactive commands + +------------------------------------------------------------------- Old: ---- dropbear-2013.58.tar.bz2 New: ---- SHA1SUM.asc dropbear-2013.59.tar.bz2 dropbear.keyring ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dropbear.spec ++++++ --- /var/tmp/diff_new_pack.b4qtdp/_old 2013-10-15 10:40:05.000000000 +0200 +++ /var/tmp/diff_new_pack.b4qtdp/_new 2013-10-15 10:40:05.000000000 +0200 @@ -17,19 +17,24 @@ Name: dropbear -Version: 2013.58 +Version: 2013.59 Release: 0 Summary: A relatively small SSH 2 server and client License: MIT Group: Productivity/Networking/SSH Url: http://matt.ucc.asn.au/dropbear/dropbear.html Source0: http://matt.ucc.asn.au/dropbear/releases/%{name}-%{version}.tar.bz2 -Source1: dropbear.service -Source2: dropbear-keygen.service -Source3: dropbear.sysconfig -Source4: rcdropbear +Source1: https://matt.ucc.asn.au/dropbear/SHA1SUM.asc +Source2: dropbear.keyring +Source3: dropbear.service +Source4: dropbear-keygen.service +Source5: dropbear.sysconfig +Source6: rcdropbear BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: zlib-devel +%if 0%{?suse_version} >= 1230 +BuildRequires: gpg-offline +%endif Requires(post): %fillup_prereq %insserv_prereq %if 0%{?suse_version} >= 1210 Requires(post): systemd @@ -43,6 +48,7 @@ It implements most required features of the SSH 2 protocol, and other features such as X11 and authentication agent forwarding. %prep +%{?gpg_verify: %gpg_verify %{SOURCE1}} %setup -q %build @@ -52,21 +58,16 @@ %install make install DESTDIR=%{buildroot} install -d %{buildroot}%{_sysconfdir}/%{name} -install -D -m 0644 %{SOURCE3} "%{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}" +install -D -m 0644 %{SOURCE5} "%{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}" #no init service needed anymore for 12.3+ -install -D -m0755 %{SOURCE4} "%{buildroot}%{_initrddir}/%{name}" +install -D -m0755 %{SOURCE6} "%{buildroot}%{_initrddir}/%{name}" ln -sf ../../%{_initrddir}/%{name} "%{buildroot}%{_sbindir}/rc%{name}" %if 0%{?suse_version} >= 1210 # systemd unit files install -d %{buildroot}%{_unitdir} - install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service - install -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/dropbear-keygen.service + install -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/%{name}.service + install -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/dropbear-keygen.service %endif -install -d "%{buildroot}%{_mandir}/man1/" -install -m644 dbclient.1 "%{buildroot}%{_mandir}/man1/" -install -d "%{buildroot}%{_mandir}/man8/" -install -m644 dropbear.8 "%{buildroot}%{_mandir}/man8/" -install -m644 dropbearkey.8 "%{buildroot}%{_mandir}/man8/" %post %if 0%{?suse_version} >= 1210 @@ -112,8 +113,9 @@ %endif %dir %{_sysconfdir}/%{name} %{_localstatedir}/adm/fillup-templates/sysconfig.%{name} -%{_mandir}/man1/dbclient.1.gz %{_mandir}/man8/dropbear.8.gz -%{_mandir}/man8/dropbearkey.8.gz +%{_mandir}/man1/dbclient.1.gz +%{_mandir}/man1/dropbearkey.1.gz +%{_mandir}/man1/dropbearconvert.1.gz %changelog ++++++ SHA1SUM.asc ++++++ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 4f2563ddb5eb82868b5ae0648f24a2ac5fc781fc CHANGES fdbc0ed332b17fc7579dbce6d95d585cf5d653d7 dropbear-2013.58.tar.bz2 86849db6a4cf9dd99c97329ca6446d91f2143f75 dropbear-2013.59.tar.bz2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (Darwin) iEYEARECAAYFAlJO0C4ACgkQjPn4sExkf7yohgCgpLGAJe7QeUvBmf7A0qw3sLQp baAAmwZpxoWzQHgWQTO+xj7oqLLAfKLc =JdsI -----END PGP SIGNATURE----- ++++++ dropbear-2013.58.tar.bz2 -> dropbear-2013.59.tar.bz2 ++++++ ++++ 2763 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/.hg_archival.txt new/dropbear-2013.59/.hg_archival.txt --- old/dropbear-2013.58/.hg_archival.txt 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/.hg_archival.txt 2013-10-04 16:23:03.000000000 +0200 @@ -1,5 +1,5 @@ repo: d7da3b1e15401eb234ec866d5eac992fc4cd5878 -node: e76614145aea67f66e4a4257685c771efba21aa1 +node: 7b68e581985fd4ea50869f8608ab95cda5d17876 branch: default -latesttag: DROPBEAR_2013.57 -latesttagdistance: 8 +latesttag: DROPBEAR_2013.58 +latesttagdistance: 21 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/.hgsigs new/dropbear-2013.59/.hgsigs --- old/dropbear-2013.58/.hgsigs 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/.hgsigs 2013-10-04 16:23:03.000000000 +0200 @@ -3,3 +3,4 @@ 85f835f2fe0ac2c503c50a414de127222fb0a57c 0 iD8DBQBPRkMUjPn4sExkf7wRAvM4AJ9mw2OAkyjhSbamM1MizlEJUX18HACgoFKQkYf6BnYxN34Nv2HhM0cmzUc= 9b80981212fe6c01b7c16b3ca7c4e66af56f12f1 0 iEYEABECAAYFAlFLKKcACgkQjPn4sExkf7xK7wCfcioCmJPsysSbQO6+4qZMVe0mmLwAn2/o+wRf4MrUXlohrr7aXEF9vdSB 095b46180bbc412b029420587736a6185afc17e1 0 iEYEABECAAYFAlFsCnkACgkQjPn4sExkf7xLrwCfeMWjUaSmfU/fvseT5TdrYRqBEVQAoLz5SFLEA40C5f8zE8Ma/vgVJVIC +f168962bab857ca030829e4cd73d9b32c868c874 0 iEYEABECAAYFAlFwDNwACgkQjPn4sExkf7wJ6QCePVovn/avKXUyNwNBYCcov6JLYqkAnRCPQdkXgv20N3t10r6PRMBBo1/S diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/.hgtags new/dropbear-2013.59/.hgtags --- old/dropbear-2013.58/.hgtags 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/.hgtags 2013-10-04 16:23:03.000000000 +0200 @@ -37,3 +37,4 @@ 0000000000000000000000000000000000000000 t:ltc-0.95-db-merge1 1b8b2b9d6e94bc3cc5e61b620476ea36cc466e1b DROPBEAR_2013.56 96b8bcb88017815040949a417caa55686271e8a9 DROPBEAR_2013.57 +e76614145aea67f66e4a4257685c771efba21aa1 DROPBEAR_2013.58 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/CHANGES new/dropbear-2013.59/CHANGES --- old/dropbear-2013.58/CHANGES 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/CHANGES 2013-10-04 16:23:03.000000000 +0200 @@ -1,3 +1,35 @@ +2013.59 - Friday 4 October 2013 + +- Fix crash from -J command + Thanks to Lluís Batlle i Rossell and Arnaud Mouiche for patches + +- Avoid reading too much from /proc/net/rt_cache since that causes + system slowness. + +- Improve EOF handling for half-closed connections + Thanks to Catalin Patulea + +- Send a banner message to report PAM error messages intended for the user + Patch from Martin Donnelly + +- Limit the size of decompressed payloads, avoids memory exhaustion denial + of service + Thanks to Logan Lamb for reporting and investigating it + +- Avoid disclosing existence of valid users through inconsistent delays + Thanks to Logan Lamb for reporting + +- Update config.guess and config.sub for newer architectures + +- Avoid segfault in server for locked accounts + +- "make install" now installs manpages + dropbearkey.8 has been renamed to dropbearkey.1 + manpage added for dropbearconvert + +- Get rid of one second delay when running non-interactive commands + + 2013.58 - Thursday 18 April 2013 - Fix building with Zlib disabled, thanks to Hans Harder and cuma@freetz @@ -31,7 +63,7 @@ ~^Z (background session) - Server will more reliably clean up utmp when connection is closed, reported by - Mattias Walstr�m + Mattias Walström - Don't crash if /dev/urandom isn't writable (RHEL5), thanks to Scott Case @@ -71,10 +103,10 @@ - Allow using IPv6 bracket notation for addresses in server "-p" option, from Ben Jencks -- A few improvements for Android from Reimar D�ffinger +- A few improvements for Android from Reimar Döffinger - Fix memory leak for TCP forwarded connections to hosts that timed out, - reported by Norbert Bencz�r. Appears to be a very long-standing bug. + reported by Norbert Benczúr. Appears to be a very long-standing bug. - Fix "make clean" for out of tree builds @@ -700,7 +732,7 @@ Lobenstock and Mihnea Stoenescu - Use daemon() function if available (or our own copy) rather than separate - code (thanks to Fr�d�ric Lavernhe for the report and debugging, and Bernard + code (thanks to Frédéric Lavernhe for the report and debugging, and Bernard Blackham for his suggestion on what to look at) - Fixed up support for first_kex_packet_follows, required to talk to ssh.com @@ -819,7 +851,7 @@ - Various signedness fixes - Can listen on multiple ports - added option to disable openpty with configure script, - (from K.-P. Kirchd�rfer <kapeka at epost.de>) + (from K.-P. Kirchdörfer <kapeka at epost.de>) - Various cleanups to bignum code (thanks to Tom St Denis <tomstdenis at iahu.ca>) - Fix compile error when disabling RSA diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/LICENSE new/dropbear-2013.59/LICENSE --- old/dropbear-2013.58/LICENSE 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/LICENSE 2013-10-04 16:23:03.000000000 +0200 @@ -8,7 +8,7 @@ Portions of the client-mode work are (c) 2004 Mihnea Stoenescu, under the same license: -Copyright (c) 2002-2008 Matt Johnston +Copyright (c) 2002-2013 Matt Johnston Portions copyright (c) 2004 Mihnea Stoenescu All rights reserved. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/README new/dropbear-2013.59/README --- old/dropbear-2013.58/README 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/README 2013-10-04 16:23:03.000000000 +0200 @@ -1,4 +1,4 @@ -This is Dropbear, a smallish SSH 2 server and client. +This is Dropbear, a smallish SSH server and client. https://matt.ucc.asn.au/dropbear/dropbear.html INSTALL has compilation instructions. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/auth.h new/dropbear-2013.59/auth.h --- old/dropbear-2013.58/auth.h 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/auth.h 2013-10-04 16:23:03.000000000 +0200 @@ -36,6 +36,7 @@ void recv_msg_userauth_request(); void send_msg_userauth_failure(int partial, int incrfail); void send_msg_userauth_success(); +void send_msg_userauth_banner(buffer *msg); void svr_auth_password(); void svr_auth_pubkey(); void svr_auth_pam(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/cli-chansession.c new/dropbear-2013.59/cli-chansession.c --- old/dropbear-2013.58/cli-chansession.c 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/cli-chansession.c 2013-10-04 16:23:03.000000000 +0200 @@ -71,7 +71,9 @@ TRACE(("got exit-signal, ignoring it")) } else { TRACE(("unknown request '%s'", type)) - send_msg_channel_failure(channel); + if (wantreply) { + send_msg_channel_failure(channel); + } goto out; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/cli-runopts.c new/dropbear-2013.59/cli-runopts.c --- old/dropbear-2013.58/cli-runopts.c 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/cli-runopts.c 2013-10-04 16:23:03.000000000 +0200 @@ -383,6 +383,13 @@ exit(EXIT_FAILURE); } +#ifdef ENABLE_CLI_PROXYCMD + if (cli_opts.proxycmd) { + /* To match the common path of m_freeing it */ + cli_opts.proxycmd = m_strdup(cli_opts.proxycmd); + } +#endif + if (cli_opts.remoteport == NULL) { cli_opts.remoteport = "22"; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/common-channel.c new/dropbear-2013.59/common-channel.c --- old/dropbear-2013.58/common-channel.c 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/common-channel.c 2013-10-04 16:23:03.000000000 +0200 @@ -307,7 +307,9 @@ return; } - if (channel->recv_eof && !write_pending(channel)) { + if ((channel->recv_eof && !write_pending(channel)) + /* have a server "session" and child has exited */ + || (channel->type->check_close && close_allowed)) { close_chan_fd(channel, channel->writefd, SHUT_WR); } @@ -336,6 +338,7 @@ /* And if we can't receive any more data from them either, close up */ if (channel->readfd == FD_CLOSED + && channel->writefd == FD_CLOSED && (ERRFD_IS_WRITE(channel) || channel->errfd == FD_CLOSED) && !channel->sent_close && close_allowed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/config.h.in new/dropbear-2013.59/config.h.in --- old/dropbear-2013.58/config.h.in 2013-04-18 16:58:25.000000000 +0200 +++ new/dropbear-2013.59/config.h.in 2013-10-04 16:23:13.000000000 +0200 @@ -174,8 +174,8 @@ /* Define to 1 if you have the <netinet/in.h> header file. */ #undef HAVE_NETINET_IN_H -/* Define to 1 if you have the <netinet/in_systm.h,> header file. */ -#undef HAVE_NETINET_IN_SYSTM_H_ +/* Define to 1 if you have the <netinet/in_systm.h> header file. */ +#undef HAVE_NETINET_IN_SYSTM_H /* Define to 1 if you have the <netinet/tcp.h> header file. */ #undef HAVE_NETINET_TCP_H diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/configure.ac new/dropbear-2013.59/configure.ac --- old/dropbear-2013.58/configure.ac 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/configure.ac 2013-10-04 16:23:03.000000000 +0200 @@ -211,7 +211,7 @@ # Checks for header files. AC_HEADER_STDC AC_HEADER_SYS_WAIT -AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h security/pam_appl.h pam/pam_appl.h netinet/in_systm.h, sys/uio.h]) +AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h security/pam_appl.h pam/pam_appl.h netinet/in_systm.h sys/uio.h]) # Checks for typedefs, structures, and compiler characteristics. AC_C_CONST diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/dbclient.1 new/dropbear-2013.59/dbclient.1 --- old/dropbear-2013.58/dbclient.1 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/dbclient.1 2013-10-04 16:23:03.000000000 +0200 @@ -1,6 +1,6 @@ .TH dbclient 1 .SH NAME -dbclient \- lightweight SSH2 client +dbclient \- lightweight SSH client .SH SYNOPSIS .B dbclient [\-Tt] [\-p @@ -19,7 +19,7 @@ .SH DESCRIPTION .B dbclient -is a SSH 2 client designed to be small enough to be used in small memory +is a SSH client designed to be small enough to be used in small memory environments, while still being functional and secure enough for general use. .SH OPTIONS .TP @@ -31,9 +31,10 @@ .TP .B \-i \fIidfile Identity file. -Read the identity from file +Read the identity key from file .I idfile -(multiple allowed). +(multiple allowed). This file is created with dropbearkey(1) or converted +from OpenSSH with dropbearconvert(1). .TP .B \-L [\fIlistenaddress\fR]:\fIlistenport\fR:\fIhost\fR:\fIport\fR Local port forwarding. @@ -161,6 +162,6 @@ .br Gerrit Pape ([email protected]) wrote this manual page. .SH SEE ALSO -dropbear(8), dropbearkey(8) +dropbear(8), dropbearkey(1) .P https://matt.ucc.asn.au/dropbear/dropbear.html diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/dbutil.c new/dropbear-2013.59/dbutil.c --- old/dropbear-2013.58/dbutil.c 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/dbutil.c 2013-10-04 16:23:03.000000000 +0200 @@ -884,3 +884,16 @@ return DROPBEAR_SUCCESS; } } + +int constant_time_memcmp(const void* a, const void *b, size_t n) +{ + const char *xa = a, *xb = b; + uint8_t c = 0; + size_t i; + for (i = 0; i < n; i++) + { + c |= (xa[i] ^ xb[i]); + } + return c; +} + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/dbutil.h new/dropbear-2013.59/dbutil.h --- old/dropbear-2013.58/dbutil.h 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/dbutil.h 2013-10-04 16:23:03.000000000 +0200 @@ -94,4 +94,7 @@ /* Dropbear assertion */ #define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0) +/* Returns 0 if a and b have the same contents */ +int constant_time_memcmp(const void* a, const void *b, size_t n); + #endif /* _DBUTIL_H_ */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/debian/changelog new/dropbear-2013.59/debian/changelog --- old/dropbear-2013.58/debian/changelog 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/debian/changelog 2013-10-04 16:23:03.000000000 +0200 @@ -1,3 +1,10 @@ +dropbear (2013.59-0.1) unstable; urgency=low + + * New upstream release. + * Build with DEB_BUILD_MAINT_OPTIONS = hardening=+all + + -- Matt Johnston <[email protected]> Fri, 4 Oct 2013 22:54:00 +0800 + dropbear (2013.58-0.1) unstable; urgency=low * New upstream release. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/debian/rules new/dropbear-2013.59/debian/rules --- old/dropbear-2013.58/debian/rules 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/debian/rules 2013-10-04 16:23:03.000000000 +0200 @@ -1,5 +1,9 @@ #!/usr/bin/make -f +export DEB_BUILD_MAINT_OPTIONS = hardening=+all +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/buildflags.mk + #export DH_OPTIONS DEB_HOST_GNU_TYPE ?=$(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) DEB_BUILD_GNU_TYPE ?=$(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) @@ -9,13 +13,6 @@ STRIP =: nostrip endif -CFLAGS =-Wall -g -ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS +=-O0 -else - CFLAGS +=-O2 -endif - CONFFLAGS = CC =gcc ifneq (,$(findstring diet,$(DEB_BUILD_OPTIONS))) @@ -79,12 +76,12 @@ ln -s /var/log/dropbear '$(DIR)'/etc/dropbear/log/main # man pages install -d -m0755 '$(DIR)'/usr/share/man/man8 - for i in dropbear.8 dropbearkey.8; do \ - install -m644 $$i '$(DIR)'/usr/share/man/man8/ || exit 1; \ + install -d -m0755 '$(DIR)'/usr/share/man/man1 + install -m644 dropbear.8 '$(DIR)'/usr/share/man/man8/ + for i in dbclient.1 dropbearkey.1 dropbearconvert.1; do \ + install -m644 $$i '$(DIR)'/usr/share/man/man1/ || exit 1; \ done gzip -9 '$(DIR)'/usr/share/man/man8/*.8 - install -d -m0755 '$(DIR)'/usr/share/man/man1 - install -m644 dbclient.1 '$(DIR)'/usr/share/man/man1/ gzip -9 '$(DIR)'/usr/share/man/man1/*.1 # copyright, changelog cat debian/copyright.in LICENSE >debian/copyright diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/dropbear.8 new/dropbear-2013.59/dropbear.8 --- old/dropbear-2013.58/dropbear.8 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/dropbear.8 2013-10-04 16:23:03.000000000 +0200 @@ -1,6 +1,6 @@ .TH dropbear 8 .SH NAME -dropbear \- lightweight SSH2 server +dropbear \- lightweight SSH server .SH SYNOPSIS .B dropbear [\-FEmwsgjki] [\-b @@ -10,7 +10,7 @@ .IR [address:]port ] .SH DESCRIPTION .B dropbear -is a SSH 2 server designed to be small enough to be used in small memory +is a SSH server designed to be small enough to be used in small memory environments, while still being functional and secure enough for general use. .SH OPTIONS .TP @@ -29,7 +29,7 @@ some SSH implementations use the term "DSA" rather than "DSS", they mean the same thing. This file is generated with -.BR dropbearkey (8). +.BR dropbearkey (1). .TP .B \-r \fIrsakey rsakeyfile. @@ -37,7 +37,7 @@ .I rsakey for the rsa host key (default: /etc/dropbear/dropbear_rsa_host_key). This file is generated with -.BR dropbearkey (8). +.BR dropbearkey (1). .TP .B \-F Don't fork into background. @@ -180,13 +180,14 @@ .B SSH_AUTH_SOCK Set to a forwarded ssh-agent connection. - +.SH NOTES +Dropbear only supports SSH protocol version 2. .SH AUTHOR Matt Johnston ([email protected]). .br Gerrit Pape ([email protected]) wrote this manual page. .SH SEE ALSO -dropbearkey(8), dbclient(1) +dropbearkey(1), dbclient(1), dropbearconvert(1) .P https://matt.ucc.asn.au/dropbear/dropbear.html diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/dropbearconvert.1 new/dropbear-2013.59/dropbearconvert.1 --- old/dropbear-2013.58/dropbearconvert.1 1970-01-01 01:00:00.000000000 +0100 +++ new/dropbear-2013.59/dropbearconvert.1 2013-10-04 16:23:03.000000000 +0200 @@ -0,0 +1,50 @@ +.TH dropbearconvert 1 +.SH NAME +dropbearconvert \- convert between Dropbear and OpenSSH private key formats +.SH SYNOPSIS +.B dropbearconvert +.I input_type +.I output_type +.I input_file +.I output_file +.SH DESCRIPTION +.B Dropbear +and +.B OpenSSH +SSH implementations have different private key formats. +.B dropbearconvert +can convert between the two. +.P +Dropbear uses the same SSH public key format as OpenSSH, it can be extracted +from a private key by using +.B dropbearkey \-y +.P +Encrypted private keys are not supported, use ssh-keygen(1) to decrypt them +first. +.SH OPTIONS +.TP +.B input type +Either +.I dropbear +or +.I openssh +.TP +.B output type +Either +.I dropbear +or +.I openssh +.TP +.B input file +An existing Dropbear or OpenSSH private key file +.TP +.B output file +The path to write the converted private key file +.SH EXAMPLE + # dropbearconvert openssh dropbear ~/.ssh/id_rsa ~/.ssh/dropbear_priv +.SH AUTHOR +Matt Johnston ([email protected]). +.SH SEE ALSO + dropbearkey(1), ssh-keygen(1) +.P +https://matt.ucc.asn.au/dropbear/dropbear.html diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/dropbearkey.1 new/dropbear-2013.59/dropbearkey.1 --- old/dropbear-2013.58/dropbearkey.1 1970-01-01 01:00:00.000000000 +0100 +++ new/dropbear-2013.59/dropbearkey.1 2013-10-04 16:23:03.000000000 +0200 @@ -0,0 +1,53 @@ +.TH dropbearkey 1 +.SH NAME +dropbearkey \- create private keys for the use with dropbear(8) or dbclient(1) +.SH SYNOPSIS +.B dropbearkey +\-t +.I type +\-f +.I file +[\-s +.IR bits ] +.SH DESCRIPTION +.B dropbearkey +generates a +.I RSA +or +.I DSS +format SSH private key, and saves it to a file for the use with the +Dropbear client or server. +Note that +some SSH implementations +use the term "DSA" rather than "DSS", they mean the same thing. +.SH OPTIONS +.TP +.B \-t \fItype +Type of key to generate. +Must be one of +.I rsa +or +.IR dss . +.TP +.B \-f \fIfile +Write the secret key to the file +.IR file . +.TP +.B \-s \fIbits +Set the key size to +.I bits +bits, should be multiple of 8 (optional). +.SH NOTES +The program dropbearconvert(1) can be used to convert between Dropbear and OpenSSH key formats. +.P +Dropbear does not support encrypted keys. +.SH EXAMPLE + # dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key +.SH AUTHOR +Matt Johnston ([email protected]). +.br +Gerrit Pape ([email protected]) wrote this manual page. +.SH SEE ALSO +dropbear(8), dbclient(1), dropbearconvert(1) +.P +https://matt.ucc.asn.au/dropbear/dropbear.html diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/dropbearkey.8 new/dropbear-2013.59/dropbearkey.8 --- old/dropbear-2013.58/dropbearkey.8 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/dropbearkey.8 1970-01-01 01:00:00.000000000 +0100 @@ -1,50 +0,0 @@ -.TH dropbearkey 8 -.SH NAME -dropbearkey \- create private keys for the use with dropbear(8) -.SH SYNOPSIS -.B dropbearkey -\-t -.I type -\-f -.I file -[\-s -.IR bits ] -.SH DESCRIPTION -.B dropbearkey -generates a -.I RSA -or -.I DSS -format SSH private key, and saves it to a file for the use with the -.BR dropbear (8) -SSH 2 server. -Note that -some SSH implementations -use the term "DSA" rather than "DSS", they mean the same thing. -.SH OPTIONS -.TP -.B \-t \fItype -Type of key to generate. -Must be one of -.I rsa -or -.IR dss . -.TP -.B \-f \fIfile -Write the secret key to the file -.IR file . -.TP -.B \-s \fIbits -Set the key size to -.I bits -bits, should be multiple of 8 (optional). -.SH EXAMPLE - # dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key -.SH AUTHOR -Matt Johnston ([email protected]). -.br -Gerrit Pape ([email protected]) wrote this manual page. -.SH SEE ALSO -dropbear(8), dbclient(1) -.P -https://matt.ucc.asn.au/dropbear/dropbear.html diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/packet.c new/dropbear-2013.59/packet.c --- old/dropbear-2013.58/packet.c 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/packet.c 2013-10-04 16:23:04.000000000 +0200 @@ -42,7 +42,7 @@ static int checkmac(); #define ZLIB_COMPRESS_INCR 100 -#define ZLIB_DECOMPRESS_INCR 100 +#define ZLIB_DECOMPRESS_INCR 1024 #ifndef DISABLE_ZLIB static buffer* buf_decompress(buffer* buf, unsigned int len); static void buf_compress(buffer * dest, buffer * src, unsigned int len); @@ -376,7 +376,7 @@ /* compare the hash */ buf_setpos(ses.readbuf, contents_len); - if (memcmp(mac_bytes, buf_getptr(ses.readbuf, mac_size), mac_size) != 0) { + if (constant_time_memcmp(mac_bytes, buf_getptr(ses.readbuf, mac_size), mac_size) != 0) { return DROPBEAR_FAILURE; } else { return DROPBEAR_SUCCESS; @@ -420,7 +420,12 @@ } if (zstream->avail_out == 0) { - buf_resize(ret, ret->size + ZLIB_DECOMPRESS_INCR); + int new_size = 0; + if (ret->size >= RECV_MAX_PAYLOAD_LEN) { + dropbear_exit("bad packet, oversized decompressed"); + } + new_size = MIN(RECV_MAX_PAYLOAD_LEN, ret->size + ZLIB_DECOMPRESS_INCR); + buf_resize(ret, new_size); } } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/random.c new/dropbear-2013.59/random.c --- old/dropbear-2013.58/random.c 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/random.c 2013-10-04 16:23:04.000000000 +0200 @@ -77,7 +77,7 @@ while (len == 0 || readcount < len) { int readlen, wantread; - unsigned char readbuf[2048]; + unsigned char readbuf[4096]; if (!already_blocked) { int ret; @@ -208,12 +208,13 @@ process_file(&hs, "/proc/loadavg", 0, 0); process_file(&hs, "/proc/sys/kernel/random/entropy_avail", 0, 0); - /* Mostly network visible but useful in some situations */ - process_file(&hs, "/proc/net/netstat", 0, 0); - process_file(&hs, "/proc/net/dev", 0, 0); - process_file(&hs, "/proc/net/tcp", 0, 0); + /* Mostly network visible but useful in some situations. + * Limit size to avoid slowdowns on systems with lots of routes */ + process_file(&hs, "/proc/net/netstat", 4096, 0); + process_file(&hs, "/proc/net/dev", 4096, 0); + process_file(&hs, "/proc/net/tcp", 4096, 0); /* Also includes interface lo */ - process_file(&hs, "/proc/net/rt_cache", 0, 0); + process_file(&hs, "/proc/net/rt_cache", 4096, 0); process_file(&hs, "/proc/vmstat", 0, 0); #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/svr-auth.c new/dropbear-2013.59/svr-auth.c --- old/dropbear-2013.58/svr-auth.c 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/svr-auth.c 2013-10-04 16:23:04.000000000 +0200 @@ -37,7 +37,6 @@ static void authclear(); static int checkusername(unsigned char *username, unsigned int userlen); -static void send_msg_userauth_banner(); /* initialise the first time for a session, resetting all parameters */ void svr_authinitialise() { @@ -82,24 +81,18 @@ /* Send a banner message if specified to the client. The client might * ignore this, but possibly serves as a legal "no trespassing" sign */ -static void send_msg_userauth_banner() { +void send_msg_userauth_banner(buffer *banner) { TRACE(("enter send_msg_userauth_banner")) - if (svr_opts.banner == NULL) { - TRACE(("leave send_msg_userauth_banner: banner is NULL")) - return; - } CHECKCLEARTOWRITE(); buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_BANNER); - buf_putstring(ses.writepayload, buf_getptr(svr_opts.banner, - svr_opts.banner->len), svr_opts.banner->len); + buf_putstring(ses.writepayload, buf_getptr(banner, banner->len), + banner->len); buf_putstring(ses.writepayload, "en", 2); encrypt_packet(); - buf_free(svr_opts.banner); - svr_opts.banner = NULL; TRACE(("leave send_msg_userauth_banner")) } @@ -110,6 +103,7 @@ unsigned char *username = NULL, *servicename = NULL, *methodname = NULL; unsigned int userlen, servicelen, methodlen; + int valid_user = 0; TRACE(("enter recv_msg_userauth_request")) @@ -121,10 +115,11 @@ /* send the banner if it exists, it will only exist once */ if (svr_opts.banner) { - send_msg_userauth_banner(); + send_msg_userauth_banner(svr_opts.banner); + buf_free(svr_opts.banner); + svr_opts.banner = NULL; } - username = buf_getstring(ses.payload, &userlen); servicename = buf_getstring(ses.payload, &servicelen); methodname = buf_getstring(ses.payload, &methodlen); @@ -141,12 +136,12 @@ dropbear_exit("unknown service in auth"); } - /* check username is good before continuing */ - if (checkusername(username, userlen) == DROPBEAR_FAILURE) { - /* username is invalid/no shell/etc - send failure */ - TRACE(("sending checkusername failure")) - send_msg_userauth_failure(0, 1); - goto out; + /* check username is good before continuing. + * the 'incrfail' varies depending on the auth method to + * avoid giving away which users exist on the system through + * the time delay. */ + if (checkusername(username, userlen) == DROPBEAR_SUCCESS) { + valid_user = 1; } /* user wants to know what methods are supported */ @@ -154,7 +149,8 @@ strncmp(methodname, AUTH_METHOD_NONE, AUTH_METHOD_NONE_LEN) == 0) { TRACE(("recv_msg_userauth_request: 'none' request")) - if (svr_opts.allowblankpass + if (valid_user + && svr_opts.allowblankpass && !svr_opts.noauthpass && !(svr_opts.norootpass && ses.authstate.pw_uid == 0) && ses.authstate.pw_passwd[0] == '\0') @@ -168,6 +164,7 @@ } else { + /* 'none' has no failure delay */ send_msg_userauth_failure(0, 0); goto out; } @@ -180,8 +177,10 @@ if (methodlen == AUTH_METHOD_PASSWORD_LEN && strncmp(methodname, AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN) == 0) { - svr_auth_password(); - goto out; + if (valid_user) { + svr_auth_password(); + goto out; + } } } #endif @@ -193,8 +192,10 @@ if (methodlen == AUTH_METHOD_PASSWORD_LEN && strncmp(methodname, AUTH_METHOD_PASSWORD, AUTH_METHOD_PASSWORD_LEN) == 0) { - svr_auth_pam(); - goto out; + if (valid_user) { + svr_auth_pam(); + goto out; + } } } #endif @@ -204,12 +205,17 @@ if (methodlen == AUTH_METHOD_PUBKEY_LEN && strncmp(methodname, AUTH_METHOD_PUBKEY, AUTH_METHOD_PUBKEY_LEN) == 0) { - svr_auth_pubkey(); + if (valid_user) { + svr_auth_pubkey(); + } else { + /* pubkey has no failure delay */ + send_msg_userauth_failure(0, 0); + } goto out; } #endif - /* nothing matched, we just fail */ + /* nothing matched, we just fail with a delay */ send_msg_userauth_failure(0, 1); out: @@ -252,7 +258,6 @@ dropbear_log(LOG_WARNING, "Login attempt for nonexistent user from %s", svr_ses.addrstring); - send_msg_userauth_failure(0, 1); return DROPBEAR_FAILURE; } @@ -264,7 +269,6 @@ "Login attempt with wrong user %s from %s", ses.authstate.pw_name, svr_ses.addrstring); - send_msg_userauth_failure(0, 1); return DROPBEAR_FAILURE; } @@ -272,7 +276,6 @@ if (svr_opts.norootlogin && ses.authstate.pw_uid == 0) { TRACE(("leave checkusername: root login disabled")) dropbear_log(LOG_WARNING, "root login rejected"); - send_msg_userauth_failure(0, 1); return DROPBEAR_FAILURE; } @@ -301,7 +304,6 @@ TRACE(("no matching shell")) dropbear_log(LOG_WARNING, "User '%s' has invalid shell, rejected", ses.authstate.pw_name); - send_msg_userauth_failure(0, 1); return DROPBEAR_FAILURE; goodshell: @@ -311,7 +313,6 @@ TRACE(("uid = %d", ses.authstate.pw_uid)) TRACE(("leave checkusername")) return DROPBEAR_SUCCESS; - } /* Send a failure message to the client, in responds to a userauth_request. @@ -358,8 +359,8 @@ if (incrfail) { unsigned int delay; genrandom((unsigned char*)&delay, sizeof(delay)); - /* We delay for 300ms +- 50ms, 0.1ms granularity */ - delay = 250000 + (delay % 1000)*100; + /* We delay for 300ms +- 50ms */ + delay = 250000 + (delay % 100000); usleep(delay); ses.authstate.failcount++; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/svr-authpam.c new/dropbear-2013.59/svr-authpam.c --- old/dropbear-2013.58/svr-authpam.c 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/svr-authpam.c 2013-10-04 16:23:04.000000000 +0200 @@ -142,6 +142,22 @@ (*respp) = resp; break; + case PAM_ERROR_MSG: + case PAM_TEXT_INFO: + + if (msg_len > 0) { + buffer * pam_err = buf_new(msg_len + 4); + buf_setpos(pam_err, 0); + buf_putbytes(pam_err, "\r\n", 2); + buf_putbytes(pam_err, (*msg)->msg, msg_len); + buf_putbytes(pam_err, "\r\n", 2); + buf_setpos(pam_err, 0); + + send_msg_userauth_banner(pam_err); + buf_free(pam_err); + } + break; + default: TRACE(("Unknown message type")) rc = PAM_CONV_ERR; @@ -196,14 +212,14 @@ /* Init pam */ if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) { - dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s\n", + dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s", rc, pam_strerror(pamHandlep, rc)); goto cleanup; } /* just to set it to something */ if ((rc = pam_set_item(pamHandlep, PAM_TTY, "ssh") != PAM_SUCCESS)) { - dropbear_log(LOG_WARNING, "pam_set_item() failed, rc=%d, %s\n", + dropbear_log(LOG_WARNING, "pam_set_item() failed, rc=%d, %s", rc, pam_strerror(pamHandlep, rc)); goto cleanup; } @@ -216,7 +232,7 @@ /* (void) pam_set_item(pamHandlep, PAM_FAIL_DELAY, (void*) pamDelayFunc); */ if ((rc = pam_authenticate(pamHandlep, 0)) != PAM_SUCCESS) { - dropbear_log(LOG_WARNING, "pam_authenticate() failed, rc=%d, %s\n", + dropbear_log(LOG_WARNING, "pam_authenticate() failed, rc=%d, %s", rc, pam_strerror(pamHandlep, rc)); dropbear_log(LOG_WARNING, "Bad PAM password attempt for '%s' from %s", @@ -227,7 +243,7 @@ } if ((rc = pam_acct_mgmt(pamHandlep, 0)) != PAM_SUCCESS) { - dropbear_log(LOG_WARNING, "pam_acct_mgmt() failed, rc=%d, %s\n", + dropbear_log(LOG_WARNING, "pam_acct_mgmt() failed, rc=%d, %s", rc, pam_strerror(pamHandlep, rc)); dropbear_log(LOG_WARNING, "Bad PAM password attempt for '%s' from %s", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/svr-authpasswd.c new/dropbear-2013.59/svr-authpasswd.c --- old/dropbear-2013.58/svr-authpasswd.c 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/svr-authpasswd.c 2013-10-04 16:23:04.000000000 +0200 @@ -33,6 +33,17 @@ #ifdef ENABLE_SVR_PASSWORD_AUTH +static int constant_time_strcmp(const char* a, const char* b) { + size_t la = strlen(a); + size_t lb = strlen(b); + + if (la != lb) { + return 1; + } + + return constant_time_memcmp(a, b, la); +} + /* Process a password auth request, sending success or failure messages as * appropriate */ void svr_auth_password() { @@ -66,6 +77,14 @@ m_burn(password, passwordlen); m_free(password); + if (testcrypt == NULL) { + /* crypt() with an invalid salt like "!!" */ + dropbear_log(LOG_WARNING, "User account '%s' is locked", + ses.authstate.pw_name); + send_msg_userauth_failure(0, 1); + return; + } + /* check for empty password */ if (passwdcrypt[0] == '\0') { dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected", @@ -74,7 +93,7 @@ return; } - if (strcmp(testcrypt, passwdcrypt) == 0) { + if (constant_time_strcmp(testcrypt, passwdcrypt) == 0) { /* successful authentication */ dropbear_log(LOG_NOTICE, "Password auth succeeded for '%s' from %s", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/svr-chansession.c new/dropbear-2013.59/svr-chansession.c --- old/dropbear-2013.58/svr-chansession.c 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/svr-chansession.c 2013-10-04 16:23:04.000000000 +0200 @@ -699,8 +699,6 @@ ses.maxfd = MAX(ses.maxfd, channel->readfd); ses.maxfd = MAX(ses.maxfd, channel->errfd); - sleep(1); - addchildpid(chansess, chansess->pid); if (svr_ses.lastexit.exitpid != -1) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/dropbear-2013.58/sysoptions.h new/dropbear-2013.59/sysoptions.h --- old/dropbear-2013.58/sysoptions.h 2013-04-18 16:58:14.000000000 +0200 +++ new/dropbear-2013.59/sysoptions.h 2013-10-04 16:23:04.000000000 +0200 @@ -4,7 +4,7 @@ *******************************************************************/ #ifndef DROPBEAR_VERSION -#define DROPBEAR_VERSION "2013.58" +#define DROPBEAR_VERSION "2013.59" #endif #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
