Hello community, here is the log from the commit of package dropbear for openSUSE:Factory checked in at 2014-02-22 18:09:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dropbear (Old) and /work/SRC/openSUSE:Factory/.dropbear.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dropbear" Changes: -------- --- /work/SRC/openSUSE:Factory/dropbear/dropbear.changes 2013-12-13 11:56:33.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.dropbear.new/dropbear.changes 2014-02-22 18:09:15.000000000 +0100 @@ -1,0 +2,32 @@ +Thu Feb 20 09:25:00 UTC 2014 - [email protected] + +- fixed automatic tarball verfication +- updated regular init script to also create ECDSA keys + +------------------------------------------------------------------- +Wed Feb 19 14:40:50 UTC 2014 - [email protected] + +- update to upstream version 2014.63 + * Fix ~. to terminate a client interactive session after waking a laptop + from sleep. + * Changed port separator syntax again, now using host^port. This is because + IPv6 link-local addresses use %. Reported by Gui Iribarren + * Avoid constantly relinking dropbearmulti target, fix "make install" + for multi target, thanks to Mike Frysinger + * Avoid getting stuck in a loop writing huge key files, reported by Bruno + Thomsen + * Don't link dropbearkey or dropbearconvert to libz or libutil, + thanks to Nicolas Boos + * Fix linking -lcrypt on systems without /usr/lib, thanks to Nicolas Boos + * Avoid crash on exit due to cleaned up keys before last packets are sent, + debugged by Ronald Wahl + * Fix a race condition in rekeying where Dropbear would exit if it received a + still-in-flight packet after initiating rekeying. Reported by Oliver Metz. + This is a longstanding bug but is triggered more easily since 2013.57 + * [...] +- updated service files and activated building of ecdsa keys +- only package the old init service in distributions without systemd +- adapted spec to follow systemd package guidelines +- cleaned up spec file + +------------------------------------------------------------------- Old: ---- dropbear-2013.62.tar.bz2 rcdropbear New: ---- dropbear-2014.63.tar.bz2 dropbear.init ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dropbear.spec ++++++ --- /var/tmp/diff_new_pack.spKV0b/_old 2014-02-22 18:09:16.000000000 +0100 +++ /var/tmp/diff_new_pack.spKV0b/_new 2014-02-22 18:09:16.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package dropbear # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,8 +16,12 @@ # +%if 0%{?suse_version} >= 1230 + %define using_systemd 1 +%endif + Name: dropbear -Version: 2013.62 +Version: 2014.63 Release: 0 Summary: A relatively small SSH 2 server and client License: MIT @@ -29,18 +33,19 @@ Source3: dropbear.service Source4: dropbear-keygen.service Source5: dropbear.sysconfig -Source6: rcdropbear +Source6: dropbear.init BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: zlib-devel %if 0%{?suse_version} >= 1230 BuildRequires: gpg-offline %endif -Requires(post): %fillup_prereq %insserv_prereq -%if 0%{?suse_version} >= 1210 -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd +%if 0%{?using_systemd} +BuildRequires: systemd +%else +Requires(pre): %insserv_prereq +%{?systemd_requires} %endif +Requires(pre): %fillup_prereq %description Dropbear is a SSH 2 server and client designed to be small enough to be used in small memory environments, while still being functional and secure enough for general use. @@ -48,7 +53,14 @@ It implements most required features of the SSH 2 protocol, and other features such as X11 and authentication agent forwarding. %prep -%{?gpg_verify: %gpg_verify %{SOURCE1}} +%if 0%{?suse_version} >= 1230 +#gpg_verify doesn't work because of dropbear's sha1sum structure +gpg-offline -f "%{SOURCE2}" --verify "%{SOURCE1}" +pushd %{_sourcedir} + grep %{name}-%{version}.tar.bz2 %{SOURCE1} > sha1sum + sha1sum -c sha1sum +popd +%endif %setup -q %build @@ -59,45 +71,43 @@ make install DESTDIR=%{buildroot} install -d %{buildroot}%{_sysconfdir}/%{name} install -D -m 0644 %{SOURCE5} "%{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}" -#no init service needed anymore for 12.3+ -install -D -m0755 %{SOURCE6} "%{buildroot}%{_initrddir}/%{name}" -ln -sf ../../%{_initrddir}/%{name} "%{buildroot}%{_sbindir}/rc%{name}" -%if 0%{?suse_version} >= 1210 - # systemd unit files +%if 0%{?using_systemd} install -d %{buildroot}%{_unitdir} install -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/%{name}.service - install -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/dropbear-keygen.service + install -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/%{name}-keygen.service + ln -sf /usr/sbin/service %{buildroot}%{_sbindir}/rc%{name} +%else + install -D -m0755 %{SOURCE6} "%{buildroot}%{_initrddir}/%{name}" + ln -sf ../../%{_initrddir}/%{name} "%{buildroot}%{_sbindir}/rc%{name}" +%endif + +%pre +%if 0%{?using_systemd} + %service_add_pre %{name}.service %endif %post -%if 0%{?suse_version} >= 1210 - if [ $1 -eq 1 ] ; then - # Initial installation - /bin/systemctl daemon-reload >/dev/null 2>&1 || : - fi +%if 0%{?using_systemd} + %fillup_only + %service_add_post %{name}.service +%else + %{fillup_and_insserv %{name}} %endif -%{fillup_and_insserv %{name}} %preun -%if 0%{?suse_version} >= 1210 - if [ $1 -eq 0 ] ; then - # Package removal, not upgrade - /bin/systemctl --no-reload disable %{name}.service > /dev/null 2>&1 || : - /bin/systemctl stop %{name}.service > /dev/null 2>&1 || : - fi +%if 0%{?using_systemd} + %service_del_preun %{name}.service +%else + %stop_on_removal %{name} %endif -%stop_on_removal %{name} %postun -%if 0%{?suse_version} >= 1210 - /bin/systemctl daemon-reload >/dev/null 2>&1 || : - if [ $1 -ge 1 ] ; then - # Package upgrade, not uninstall - /bin/systemctl try-restart %{name}.service >/dev/null 2>&1 || : - fi +%if 0%{?using_systemd} + %service_del_postun %{name}.service +%else + %restart_on_update %{name} + %insserv_cleanup %endif -%restart_on_update %{name} -%insserv_cleanup %files %defattr(-,root,root) @@ -106,10 +116,11 @@ %{_bindir}/dropbearkey %{_sbindir}/dropbear %{_sbindir}/rcdropbear -%{_initrddir}/%{name} -%if 0%{?suse_version} >= 1210 +%if 0%{?using_systemd} %{_unitdir}/%{name}.service %{_unitdir}/dropbear-keygen.service +%else + %{_initrddir}/%{name} %endif %dir %{_sysconfdir}/%{name} %{_localstatedir}/adm/fillup-templates/sysconfig.%{name} ++++++ SHA1SUM.asc ++++++ --- /var/tmp/diff_new_pack.spKV0b/_old 2014-02-22 18:09:16.000000000 +0100 +++ /var/tmp/diff_new_pack.spKV0b/_new 2014-02-22 18:09:16.000000000 +0100 @@ -1,13 +1,13 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 -6ff1ca3b0cf567e19e3384493689813b49915bdc CHANGES -5a322945e97d7433cfd829e3a089f2b6c43cbb80 dropbear-2013.60.tar.bz2 +a99b392e6ed99706b3eb787a75b95651775ca893 CHANGES 1d0abb6c46206a2c95b26a6f454844855f585403 dropbear-2013.62.tar.bz2 +63bbb967feb1df8bc1a7cb7d96925ed653960078 dropbear-2014.63.tar.bz2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (Darwin) -iEYEARECAAYFAlKd4i4ACgkQjPn4sExkf7yGnACfbXTlhPlW1C3B2n+xG7+ldbX0 -6QsAn0iYdMrXkEgEFu9uyUWtPKApqh16 -=YM/F +iEYEARECAAYFAlMEuzkACgkQjPn4sExkf7xLXACg1OOvq8Nw4nc4qJ4ycGS/PKcD +pvwAn3rTkHcCDTc0hGqCDO3Cqlq7wO4S +=420e -----END PGP SIGNATURE----- ++++++ dropbear-2013.62.tar.bz2 -> dropbear-2014.63.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/.hg_archival.txt new/dropbear-2014.63/.hg_archival.txt --- old/dropbear-2013.62/.hg_archival.txt 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/.hg_archival.txt 2014-02-19 15:05:24.000000000 +0100 @@ -1,5 +1,5 @@ repo: d7da3b1e15401eb234ec866d5eac992fc4cd5878 -node: 3d1d7d151c0ce3a79da62e86463f5632fa2b144a +node: 2351b2da8e0d08dcc6e64fcc328b53b9630bda68 branch: default -latesttag: DROPBEAR_2013.61test -latesttagdistance: 16 +latesttag: DROPBEAR_2013.62 +latesttagdistance: 24 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/.hgsigs new/dropbear-2014.63/.hgsigs --- old/dropbear-2013.62/.hgsigs 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/.hgsigs 2014-02-19 15:05:24.000000000 +0100 @@ -8,3 +8,4 @@ 025237c9f0a1a60a616f984d82fb2a9270d3b0ea 0 iEYEABECAAYFAlJeqDYACgkQjPn4sExkf7y5nQCfW6t+TJySBTTo+gCfDUBPRVxvNe8AoIn/15aWfqH/A2G9uikfoVtWK3pd a50a1dc743317fad9b3737bc68fbca640659bb6d 0 iEYEABECAAYFAlJeqL0ACgkQjPn4sExkf7yVqACg6IP0fU29+Feh/TDeemDA+2XAzrIAoIdZfMDvVYlDoWotZD8ACFnf5H1P 9ec083a21adfcb099f21eb03704b66d14a4ba800 0 iEYEABECAAYFAlKE4JoACgkQjPn4sExkf7wLDgCghkVGwMjI138bEv+ORVzN7zIH7cEAoLckaxZc1k1aXlmlSCRlP8cuKH3o +3d1d7d151c0ce3a79da62e86463f5632fa2b144a 0 iEYEABECAAYFAlKd5AEACgkQjPn4sExkf7wzWgCfdvPEEIdlMPqcbOQMJ7b+eAyy164An2ip1lPh1eS5g26/gSfruvWBVym4 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/.hgtags new/dropbear-2014.63/.hgtags --- old/dropbear-2013.62/.hgtags 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/.hgtags 2014-02-19 15:05:24.000000000 +0100 @@ -41,3 +41,4 @@ 7b68e581985fd4ea50869f8608ab95cda5d17876 DROPBEAR_2013.59 a50a1dc743317fad9b3737bc68fbca640659bb6d DROPBEAR_2013.60 e894dbc015ba7ff4c3bf897ee20e28ca90c55a16 DROPBEAR_2013.61test +3d1d7d151c0ce3a79da62e86463f5632fa2b144a DROPBEAR_2013.62 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/CHANGES new/dropbear-2014.63/CHANGES --- old/dropbear-2013.62/CHANGES 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/CHANGES 2014-02-19 15:05:24.000000000 +0100 @@ -1,3 +1,47 @@ +2014.63 - Wednesday 19 February 2014 + +- Fix ~. to terminate a client interactive session after waking a laptop + from sleep. + +- Changed port separator syntax again, now using host^port. This is because + IPv6 link-local addresses use %. Reported by Gui Iribarren + +- Avoid constantly relinking dropbearmulti target, fix "make install" + for multi target, thanks to Mike Frysinger + +- Avoid getting stuck in a loop writing huge key files, reported by Bruno + Thomsen + +- Don't link dropbearkey or dropbearconvert to libz or libutil, + thanks to Nicolas Boos + +- Fix linking -lcrypt on systems without /usr/lib, thanks to Nicolas Boos + +- Avoid crash on exit due to cleaned up keys before last packets are sent, + debugged by Ronald Wahl + +- Fix a race condition in rekeying where Dropbear would exit if it received a + still-in-flight packet after initiating rekeying. Reported by Oliver Metz. + This is a longstanding bug but is triggered more easily since 2013.57 + +- Fix README for ecdsa keys, from Caralin Patulea + +- Ensure that generated RSA keys are always exactly the length + requested. Previously Dropbear always generated N+16 or N+15 bit keys. + Thanks to Unit 193 + +- Fix DROPBEAR_CLI_IMMEDIATE_AUTH mode which saves a network round trip if the + first public key succeeds. Still not enabled by default, needs more + compatibility testing with other implementations. + +- Fix for port 0 forwarding in the client and port forwarding with Apache MINA SSHD. Thanks to + +- Fix for bad system linux/pkt-sched.h header file with older Linux +kernels, from Steve Dover + +- Fix signal handlers so that errno is saved, thanks to Erik Ahlén for a patch + and Mark Wickham for independently spotting the same problem. + 2013.62 - Tuesday 3 December 2013 - Disable "interactive" QoS connection options when a connection doesn't diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/Makefile.in new/dropbear-2014.63/Makefile.in --- old/dropbear-2013.62/Makefile.in 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/Makefile.in 2014-02-19 15:05:24.000000000 +0100 @@ -13,13 +13,15 @@ PROGRAMS=dropbear dbclient dropbearkey dropbearconvert endif -LTC=libtomcrypt/libtomcrypt.a -LTM=libtommath/libtommath.a +STATIC_LTC=libtomcrypt/libtomcrypt.a +STATIC_LTM=libtommath/libtommath.a + +LIBTOM_LIBS=@LIBTOM_LIBS@ ifeq (@BUNDLED_LIBTOM@, 1) -LIBTOM_DEPS=$(LTC) $(LTM) +LIBTOM_DEPS=$(STATIC_LTC) $(STATIC_LTM) CFLAGS+=-I$(srcdir)/libtomcrypt/src/headers/ -LIBS+=$(LTC) $(LTM) +LIBTOM_LIBS=$(STATIC_LTC) $(STATIC_LTM) endif COMMONOBJS=dbutil.o buffer.o \ @@ -58,7 +60,7 @@ loginrec.h atomicio.h x11fwd.h agentfwd.h tcpfwd.h compat.h \ listener.h fake-rfc2553.h ecc.h ecdsa.h -dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) @CRYPTLIB@ +dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS) dropbearkeyobjs=$(COMMONOBJS) $(KEYOBJS) dropbearconvertobjs=$(COMMONOBJS) $(CONVERTOBJS) @@ -136,7 +138,7 @@ -rm -f $(DESTDIR)$(bindir)/$*$(EXEEXT) -ln -s $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(bindir)/$*$(EXEEXT) $(INSTALL) -d $(DESTDIR)$(mandir)/man1 - $(INSTALL) -m 644 $*.1 $(DESTDIR)$(mandir)/man1/$*.1 + if test -e $*.1; then $(INSTALL) -m 644 $*.1 $(DESTDIR)$(mandir)/man1/$*.1; fi # dropbear should go in sbin, so it needs a seperate rule inst_dropbear: dropbear @@ -160,8 +162,14 @@ dropbearkey: $(dropbearkeyobjs) dropbearconvert: $(dropbearconvertobjs) -dropbear dbclient dropbearkey dropbearconvert: $(HEADERS) $(LIBTOM_DEPS) Makefile - $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBS) +dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile + $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@ + +dbclient: $(HEADERS) $(LIBTOM_DEPS) Makefile + $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) + +dropbearkey dropbearconvert: $(HEADERS) $(LIBTOM_DEPS) Makefile + $(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) # scp doesn't use the libs so is special. scp: $(SCPOBJS) $(HEADERS) Makefile @@ -171,14 +179,14 @@ # multi-binary compilation. MULTIOBJS= ifeq ($(MULTI),1) - MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs))) @CRYPTLIB@ + MULTIOBJS=dbmulti.o $(sort $(foreach prog, $(PROGRAMS), $($(prog)objs))) CFLAGS+=$(addprefix -DDBMULTI_, $(PROGRAMS)) -DDROPBEAR_MULTI endif -dropbearmulti: multilink +dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile + $(CC) $(LDFLAGS) -o $@ $(MULTIOBJS) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@ -multibinary: $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile - $(CC) $(LDFLAGS) -o dropbearmulti$(EXEEXT) $(MULTIOBJS) $(LIBS) +multibinary: dropbearmulti$(EXEEXT) multilink: multibinary $(addprefix link, $(PROGRAMS)) @@ -186,10 +194,10 @@ -rm -f $*$(EXEEXT) -ln -s dropbearmulti$(EXEEXT) $*$(EXEEXT) -$(LTC): options.h +$(STATIC_LTC): options.h cd libtomcrypt && $(MAKE) -$(LTM): options.h +$(STATIC_LTM): options.h cd libtommath && $(MAKE) .PHONY : clean sizes thisclean distclean tidy ltc-clean ltm-clean diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/README new/dropbear-2014.63/README --- old/dropbear-2013.62/README 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/README 2014-02-19 15:05:24.000000000 +0100 @@ -54,7 +54,7 @@ To run the server, you need to server keys, this is one-off: ./dropbearkey -t rsa -f dropbear_rsa_host_key ./dropbearkey -t dss -f dropbear_dss_host_key -./dropbearkey -t ecdsa -f dropbear_dss_host_key +./dropbearkey -t ecdsa -f dropbear_ecdsa_host_key or alternatively convert OpenSSH keys to Dropbear: ./dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key dropbear_dss_host_key diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/cli-auth.c new/dropbear-2014.63/cli-auth.c --- old/dropbear-2013.62/cli-auth.c 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/cli-auth.c 2014-02-19 15:05:24.000000000 +0100 @@ -41,16 +41,6 @@ /* Send a "none" auth request to get available methods */ void cli_auth_getmethods() { TRACE(("enter cli_auth_getmethods")) -#ifdef CLI_IMMEDIATE_AUTH - ses.authstate.authtypes = AUTH_TYPE_PUBKEY; - if (getenv(DROPBEAR_PASSWORD_ENV)) { - ses.authstate.authtypes |= AUTH_TYPE_PASSWORD | AUTH_TYPE_INTERACT; - } - if (cli_auth_try() == DROPBEAR_SUCCESS) { - TRACE(("skipped initial none auth query")) - return; - } -#endif CHECKCLEARTOWRITE(); buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_REQUEST); buf_putstring(ses.writepayload, cli_opts.username, @@ -60,6 +50,26 @@ buf_putstring(ses.writepayload, "none", 4); /* 'none' method */ encrypt_packet(); + +#ifdef DROPBEAR_CLI_IMMEDIATE_AUTH + /* We can't haven't two auth requests in-flight with delayed zlib mode + since if the first one succeeds then the remote side will + expect the second one to be compressed. + Race described at + http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/zlib-openssh.html + */ + if (ses.keys->trans.algo_comp != DROPBEAR_COMP_ZLIB_DELAY) { + ses.authstate.authtypes = AUTH_TYPE_PUBKEY; + if (getenv(DROPBEAR_PASSWORD_ENV)) { + ses.authstate.authtypes |= AUTH_TYPE_PASSWORD | AUTH_TYPE_INTERACT; + } + if (cli_auth_try() == DROPBEAR_SUCCESS) { + TRACE(("skipped initial none auth query")) + /* Note that there will be two auth responses in-flight */ + cli_ses.ignore_next_auth_response = 1; + } + } +#endif TRACE(("leave cli_auth_getmethods")) } @@ -150,31 +160,46 @@ TRACE(("<- MSG_USERAUTH_FAILURE")) TRACE(("enter recv_msg_userauth_failure")) + if (ses.authstate.authdone) { + TRACE(("leave recv_msg_userauth_failure, already authdone.")) + return; + } + if (cli_ses.state != USERAUTH_REQ_SENT) { /* Perhaps we should be more fatal? */ dropbear_exit("Unexpected userauth failure"); } + /* When DROPBEAR_CLI_IMMEDIATE_AUTH is set there will be an initial response for + the "none" auth request, and then a response to the immediate auth request. + We need to be careful handling them. */ + if (cli_ses.ignore_next_auth_response) { + TRACE(("ignore next response, state set to USERAUTH_REQ_SENT")) + cli_ses.state = USERAUTH_REQ_SENT; + } else { + cli_ses.state = USERAUTH_FAIL_RCVD; + cli_ses.lastauthtype = AUTH_TYPE_NONE; #ifdef ENABLE_CLI_PUBKEY_AUTH - /* If it was a pubkey auth request, we should cross that key - * off the list. */ - if (cli_ses.lastauthtype == AUTH_TYPE_PUBKEY) { - cli_pubkeyfail(); - } + /* If it was a pubkey auth request, we should cross that key + * off the list. */ + if (cli_ses.lastauthtype == AUTH_TYPE_PUBKEY) { + cli_pubkeyfail(); + } #endif #ifdef ENABLE_CLI_INTERACT_AUTH - /* If we get a failure message for keyboard interactive without - * receiving any request info packet, then we don't bother trying - * keyboard interactive again */ - if (cli_ses.lastauthtype == AUTH_TYPE_INTERACT - && !cli_ses.interact_request_received) { - TRACE(("setting auth_interact_failed = 1")) - cli_ses.auth_interact_failed = 1; - } + /* If we get a failure message for keyboard interactive without + * receiving any request info packet, then we don't bother trying + * keyboard interactive again */ + if (cli_ses.lastauthtype == AUTH_TYPE_INTERACT + && !cli_ses.interact_request_received) { + TRACE(("setting auth_interact_failed = 1")) + cli_ses.auth_interact_failed = 1; + } #endif + } - cli_ses.lastauthtype = AUTH_TYPE_NONE; + cli_ses.ignore_next_auth_response = 0; methods = buf_getstring(ses.payload, &methlen); @@ -227,13 +252,14 @@ } m_free(methods); - - cli_ses.state = USERAUTH_FAIL_RCVD; TRACE(("leave recv_msg_userauth_failure")) } void recv_msg_userauth_success() { + /* This function can validly get called multiple times + if DROPBEAR_CLI_IMMEDIATE_AUTH is set */ + TRACE(("received msg_userauth_success")) /* Note: in delayed-zlib mode, setting authdone here * will enable compression in the transport layer */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/cli-kex.c new/dropbear-2014.63/cli-kex.c --- old/dropbear-2013.62/cli-kex.c 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/cli-kex.c 2014-02-19 15:05:24.000000000 +0100 @@ -86,8 +86,6 @@ cli_ses.param_kex_algo = ses.newkeys->algo_kex; encrypt_packet(); - ses.requirenext[0] = SSH_MSG_KEXDH_REPLY; - ses.requirenext[1] = SSH_MSG_KEXINIT; } /* Handle a diffie-hellman key exchange reply. */ @@ -179,8 +177,7 @@ hostkey = NULL; send_msg_newkeys(); - ses.requirenext[0] = SSH_MSG_NEWKEYS; - ses.requirenext[1] = 0; + ses.requirenext = SSH_MSG_NEWKEYS; TRACE(("leave recv_msg_kexdh_init")) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/cli-runopts.c new/dropbear-2014.63/cli-runopts.c --- old/dropbear-2013.62/cli-runopts.c 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/cli-runopts.c 2014-02-19 15:05:24.000000000 +0100 @@ -617,7 +617,7 @@ cli_opts.username = m_strdup(cli_opts.own_user); } - port = strchr(cli_opts.remotehost, '%'); + port = strchr(cli_opts.remotehost, '^'); if (!port) { /* legacy separator */ port = strchr(cli_opts.remotehost, '/'); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/cli-session.c new/dropbear-2014.63/cli-session.c --- old/dropbear-2013.62/cli-session.c 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/cli-session.c 2014-02-19 15:05:24.000000000 +0100 @@ -228,6 +228,10 @@ cli_ses.state = USERAUTH_REQ_SENT; TRACE(("leave cli_sessionloop: sent userauth methods req")) return; + + case USERAUTH_REQ_SENT: + TRACE(("leave cli_sessionloop: waiting, req_sent")) + return; case USERAUTH_FAIL_RCVD: if (cli_auth_try() == DROPBEAR_FAILURE) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/cli-tcpfwd.c new/dropbear-2014.63/cli-tcpfwd.c --- old/dropbear-2013.62/cli-tcpfwd.c 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/cli-tcpfwd.c 2014-02-19 15:05:24.000000000 +0100 @@ -161,9 +161,10 @@ if (!fwd->have_reply) { fwd->have_reply = 1; if (fwd->listenport == 0) { - /* The server should let us know which port was allocated if we requestd port 0 */ + /* The server should let us know which port was allocated if we requested port 0 */ int allocport = buf_getint(ses.payload); if (allocport > 0) { + fwd->listenport = allocport; dropbear_log(LOG_INFO, "Allocated port %d for remote forward to %s:%d", allocport, fwd->connectaddr, fwd->connectport); } @@ -220,18 +221,33 @@ origaddr = buf_getstring(ses.payload, NULL); origport = buf_getint(ses.payload); - /* Find which port corresponds */ + /* Find which port corresponds. First try and match address as well as port, + in case they want to forward different ports separately ... */ for (iter = cli_opts.remotefwds->first; iter; iter = iter->next) { fwd = (struct TCPFwdEntry*)iter->item; if (origport == fwd->listenport - && (strcmp(origaddr, fwd->listenaddr) == 0)) { + && strcmp(origaddr, fwd->listenaddr) == 0) { break; } } + if (!iter) + { + /* ... otherwise try to generically match the only forwarded port + without address (also handles ::1 vs 127.0.0.1 vs localhost case). + rfc4254 is vague about the definition of "address that was connected" */ + for (iter = cli_opts.remotefwds->first; iter; iter = iter->next) { + fwd = (struct TCPFwdEntry*)iter->item; + if (origport == fwd->listenport) { + break; + } + } + } + + if (iter == NULL) { /* We didn't request forwarding on that port */ - cleantext(origaddr); + cleantext(origaddr); dropbear_log(LOG_INFO, "Server sent unrequested forward from \"%s:%d\"", origaddr, origport); goto out; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/common-channel.c new/dropbear-2014.63/common-channel.c --- old/dropbear-2013.62/common-channel.c 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/common-channel.c 2014-02-19 15:05:24.000000000 +0100 @@ -474,8 +474,13 @@ continue; } - /* Stuff to put over the wire */ - if (channel->transwindow > 0) { + /* Stuff to put over the wire. + Avoid queueing data to send if we're in the middle of a + key re-exchange (!dataallowed), but still read from the + FD if there's the possibility of "~."" to kill an + interactive session (the read_mangler) */ + if (channel->transwindow > 0 + && (ses.dataallowed || channel->read_mangler)) { if (channel->readfd >= 0) { FD_SET(channel->readfd, readfds); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/common-kex.c new/dropbear-2014.63/common-kex.c --- old/dropbear-2013.62/common-kex.c 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/common-kex.c 2014-02-19 15:05:24.000000000 +0100 @@ -483,9 +483,6 @@ * and we calculate the first portion of the key-exchange-hash for used * later in the key exchange. No response is sent, as the client should * initiate the diffie-hellman key exchange */ - -/* Originally from kex.c, generalized for cli/svr mode --mihnea */ -/* Belongs in common_kex.c where it should be moved after review */ void recv_msg_kexinit() { unsigned int kexhashbuf_len = 0; @@ -528,7 +525,7 @@ /* I_S, the payload of the server's SSH_MSG_KEXINIT */ buf_setpos(ses.payload, 0); buf_putstring(ses.kexhashbuf, ses.payload->data, ses.payload->len); - + ses.requirenext = SSH_MSG_KEXDH_REPLY; } else { /* SERVER */ @@ -548,7 +545,7 @@ buf_putstring(ses.kexhashbuf, ses.transkexinit->data, ses.transkexinit->len); - ses.requirenext[0] = SSH_MSG_KEXDH_INIT; + ses.requirenext = SSH_MSG_KEXDH_INIT; } buf_free(ses.transkexinit); @@ -792,6 +789,11 @@ hash_desc->done(&hs, buf_getwriteptr(ses.hash, hash_desc->hashsize)); buf_setlen(ses.hash, hash_desc->hashsize); +#ifdef DEBUG_KEXHASH + printhex("kexhashbuf", ses.kexhashbuf->data, ses.kexhashbuf->len); + printhex("kexhash", ses.hash->data, ses.hash->len); +#endif + buf_burn(ses.kexhashbuf); buf_free(ses.kexhashbuf); ses.kexhashbuf = NULL; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/common-session.c new/dropbear-2014.63/common-session.c --- old/dropbear-2013.62/common-session.c 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/common-session.c 2014-02-19 15:05:24.000000000 +0100 @@ -82,7 +82,7 @@ initqueue(&ses.writequeue); - ses.requirenext[0] = SSH_MSG_KEXINIT; + ses.requirenext = SSH_MSG_KEXINIT; ses.dataallowed = 1; /* we can send data until we actually send the SSH_MSG_KEXINIT */ ses.ignorenext = 0; @@ -153,10 +153,9 @@ SIGCHLD in svr-chansession is the only one currently. */ FD_SET(ses.signal_pipe[0], &readfd); - /* set up for channels which require reading/writing */ - if (ses.dataallowed) { - setchannelfds(&readfd, &writefd); - } + /* set up for channels which can be read/written */ + setchannelfds(&readfd, &writefd); + val = select(ses.maxfd+1, &readfd, &writefd, NULL, &timeout); if (exitflag) { @@ -217,9 +216,7 @@ /* process pipes etc for the channels, ses.dataallowed == 0 * during rekeying ) */ - if (ses.dataallowed) { - channelio(&readfd, &writefd); - } + channelio(&readfd, &writefd); if (loophandler) { loophandler(); @@ -244,7 +241,11 @@ if (ses.extra_session_cleanup) { ses.extra_session_cleanup(); } + + chancleanup(); + /* Cleaning up keys must happen after other cleanup + functions which might queue packets */ if (ses.session_id) { buf_burn(ses.session_id); buf_free(ses.session_id); @@ -258,8 +259,6 @@ m_burn(ses.keys, sizeof(struct key_context)); m_free(ses.keys); - chancleanup(); - TRACE(("leave session_cleanup")) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/config.h.in new/dropbear-2014.63/config.h.in --- old/dropbear-2013.62/config.h.in 2013-12-03 14:39:25.000000000 +0100 +++ new/dropbear-2014.63/config.h.in 2014-02-19 15:05:32.000000000 +0100 @@ -138,12 +138,6 @@ /* Define to 1 if you have the `pam' library (-lpam). */ #undef HAVE_LIBPAM -/* Define to 1 if you have the `tomcrypt' library (-ltomcrypt). */ -#undef HAVE_LIBTOMCRYPT - -/* Define to 1 if you have the `tommath' library (-ltommath). */ -#undef HAVE_LIBTOMMATH - /* Define to 1 if you have the <libutil.h> header file. */ #undef HAVE_LIBUTIL_H diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/configure new/dropbear-2014.63/configure --- old/dropbear-2013.62/configure 2013-12-03 14:39:25.000000000 +0100 +++ new/dropbear-2014.63/configure 2014-02-19 15:05:32.000000000 +0100 @@ -622,6 +622,7 @@ ac_subst_vars='LTLIBOBJS LIBOBJS BUNDLED_LIBTOM +LIBTOM_LIBS CRYPTLIB EGREP GREP @@ -5900,14 +5901,9 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tommath_mp_exptmod" >&5 $as_echo "$ac_cv_lib_tommath_mp_exptmod" >&6; } if test "x$ac_cv_lib_tommath_mp_exptmod" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBTOMMATH 1 -_ACEOF - - LIBS="-ltommath $LIBS" - + LIBTOM_LIBS="$LIBTOM_LIBS -ltommath" else - as_fn_error $? "Missing system libtomcrypt and --disable-bundled-libtom was specified" "$LINENO" 5 + as_fn_error $? "Missing system libtommath and --disable-bundled-libtom was specified" "$LINENO" 5 fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for register_cipher in -ltomcrypt" >&5 @@ -5947,12 +5943,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tomcrypt_register_cipher" >&5 $as_echo "$ac_cv_lib_tomcrypt_register_cipher" >&6; } if test "x$ac_cv_lib_tomcrypt_register_cipher" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBTOMCRYPT 1 -_ACEOF - - LIBS="-ltomcrypt $LIBS" - + LIBTOM_LIBS="$LIBTOM_LIBS -ltomcrypt" else as_fn_error $? "Missing system libtomcrypt and --disable-bundled-libtom was specified" "$LINENO" 5 fi @@ -5999,12 +5990,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tommath_mp_exptmod" >&5 $as_echo "$ac_cv_lib_tommath_mp_exptmod" >&6; } if test "x$ac_cv_lib_tommath_mp_exptmod" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBTOMMATH 1 -_ACEOF - - LIBS="-ltommath $LIBS" - + LIBTOM_LIBS="$LIBTOM_LIBS -ltommath" else BUNDLED_LIBTOM=1 fi @@ -6046,12 +6032,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tomcrypt_register_cipher" >&5 $as_echo "$ac_cv_lib_tomcrypt_register_cipher" >&6; } if test "x$ac_cv_lib_tomcrypt_register_cipher" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBTOMCRYPT 1 -_ACEOF - - LIBS="-ltomcrypt $LIBS" - + LIBTOM_LIBS="$LIBTOM_LIBS -ltomcrypt" else BUNDLED_LIBTOM=1 fi @@ -6069,6 +6050,7 @@ + # Check whether --enable-lastlog was given. if test "${enable_lastlog+set}" = set; then : diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/configure.ac new/dropbear-2014.63/configure.ac --- old/dropbear-2013.62/configure.ac 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/configure.ac 2014-02-19 15:05:24.000000000 +0100 @@ -371,16 +371,16 @@ AC_MSG_NOTICE(Forcing bundled libtom*) else BUNDLED_LIBTOM=0 - AC_CHECK_LIB(tommath, mp_exptmod, , - [AC_MSG_ERROR([Missing system libtomcrypt and --disable-bundled-libtom was specified])] ) - AC_CHECK_LIB(tomcrypt, register_cipher, , + AC_CHECK_LIB(tommath, mp_exptmod, LIBTOM_LIBS="$LIBTOM_LIBS -ltommath", + [AC_MSG_ERROR([Missing system libtommath and --disable-bundled-libtom was specified])] ) + AC_CHECK_LIB(tomcrypt, register_cipher, LIBTOM_LIBS="$LIBTOM_LIBS -ltomcrypt", [AC_MSG_ERROR([Missing system libtomcrypt and --disable-bundled-libtom was specified])] ) fi ], [ BUNDLED_LIBTOM=0 - AC_CHECK_LIB(tommath, mp_exptmod, , BUNDLED_LIBTOM=1) - AC_CHECK_LIB(tomcrypt, register_cipher, , BUNDLED_LIBTOM=1) + AC_CHECK_LIB(tommath, mp_exptmod, LIBTOM_LIBS="$LIBTOM_LIBS -ltommath", BUNDLED_LIBTOM=1) + AC_CHECK_LIB(tomcrypt, register_cipher, LIBTOM_LIBS="$LIBTOM_LIBS -ltomcrypt", BUNDLED_LIBTOM=1) ] ) @@ -388,6 +388,7 @@ AC_DEFINE(BUNDLED_LIBTOM,,Use bundled libtom) fi +AC_SUBST(LIBTOM_LIBS) AC_SUBST(BUNDLED_LIBTOM) dnl Added from OpenSSH 3.6.1p2's configure.ac diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/dbclient.1 new/dropbear-2014.63/dbclient.1 --- old/dropbear-2013.62/dbclient.1 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/dbclient.1 2014-02-19 15:05:24.000000000 +0100 @@ -15,7 +15,7 @@ .B dbclient [ .I args ] -.I [user1]@host1[%port1],[user2]@host2[%port2],... +.I [user1]@host1[^port1],[user2]@host2[^port2],... .SH DESCRIPTION .B dbclient @@ -26,7 +26,7 @@ .B \-p \fIport Connect to .I port -on the remote host. Alternatively a port can be specified as hostname%port. +on the remote host. Alternatively a port can be specified as hostname^port. Default is 22. .TP .B \-i \fIidfile @@ -127,7 +127,7 @@ this case a connection will be made to the first host, then a TCP forwarded connection will be made through that to the second host, and so on. Hosts other than the final destination will not see anything other than the encrypted SSH stream. -A port for a host can be specified with a hash (eg matt@martello%44 ). +A port for a host can be specified with a hash (eg matt@martello^44 ). This syntax can also be used with scp or rsync (specifying dbclient as the ssh/rsh command). A file can be "bounced" through multiple SSH hops, eg diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/dbutil.c new/dropbear-2014.63/dbutil.c --- old/dropbear-2013.62/dbutil.c 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/dbutil.c 2014-02-19 15:05:24.000000000 +0100 @@ -812,6 +812,10 @@ /* make sure that the socket closes */ void m_close(int fd) { + if (fd == -1) { + return; + } + int val; do { val = close(fd); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/debian/changelog new/dropbear-2014.63/debian/changelog --- old/dropbear-2013.62/debian/changelog 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/debian/changelog 2014-02-19 15:05:24.000000000 +0100 @@ -1,3 +1,9 @@ +dropbear (2014.63-0.1) unstable; urgency=low + + * New upstream release. + + -- Matt Johnston <[email protected]> Wed, 19 Feb 2014 22:54:00 +0800 + dropbear (2013.62) unstable; urgency=low * New upstream release. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/genrsa.c new/dropbear-2014.63/genrsa.c --- old/dropbear-2013.62/genrsa.c 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/genrsa.c 2014-02-19 15:05:24.000000000 +0100 @@ -58,12 +58,18 @@ exit(1); } - getrsaprime(key->p, &pminus, key->e, size/16); - getrsaprime(key->q, &qminus, key->e, size/16); + while (1) { + getrsaprime(key->p, &pminus, key->e, size/16); + getrsaprime(key->q, &qminus, key->e, size/16); - if (mp_mul(key->p, key->q, key->n) != MP_OKAY) { - fprintf(stderr, "RSA generation failed\n"); - exit(1); + if (mp_mul(key->p, key->q, key->n) != MP_OKAY) { + fprintf(stderr, "RSA generation failed\n"); + exit(1); + } + + if ((unsigned int)mp_count_bits(key->n) == size) { + break; + } } /* lcm(p-1, q-1) */ @@ -91,16 +97,16 @@ unsigned char *buf; DEF_MP_INT(temp_gcd); - buf = (unsigned char*)m_malloc(size_bytes+1); + buf = (unsigned char*)m_malloc(size_bytes); m_mp_init(&temp_gcd); do { /* generate a random odd number with MSB set, then find the the next prime above it */ - genrandom(buf, size_bytes+1); - buf[0] |= 0x80; /* MSB set */ + genrandom(buf, size_bytes); + buf[0] |= 0x80; - bytes_to_mp(prime, buf, size_bytes+1); + bytes_to_mp(prime, buf, size_bytes); /* find the next integer which is prime, 8 round of miller-rabin */ if (mp_prime_next_prime(prime, 8, 0) != MP_OKAY) { @@ -122,7 +128,7 @@ /* now we have a good value for result */ mp_clear(&temp_gcd); - m_burn(buf, size_bytes+1); + m_burn(buf, size_bytes); m_free(buf); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/gensignkey.c new/dropbear-2014.63/gensignkey.c --- old/dropbear-2013.62/gensignkey.c 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/gensignkey.c 2014-02-19 15:05:24.000000000 +0100 @@ -26,7 +26,7 @@ while (buf->pos != buf->len) { int len = write(fd, buf_getptr(buf, buf->len - buf->pos), buf->len - buf->pos); - if (errno == EINTR) { + if (len == -1 && errno == EINTR) { continue; } if (len <= 0) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/includes.h new/dropbear-2014.63/includes.h --- old/dropbear-2013.62/includes.h 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/includes.h 2014-02-19 15:05:24.000000000 +0100 @@ -157,6 +157,7 @@ #endif /* HAVE_UINT32_T */ #ifdef SO_PRIORITY +#include <linux/types.h> #include <linux/pkt_sched.h> #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/options.h new/dropbear-2014.63/options.h --- old/dropbear-2013.62/options.h 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/options.h 2014-02-19 15:05:24.000000000 +0100 @@ -222,12 +222,11 @@ * return the password on standard output */ /*#define ENABLE_CLI_ASKPASS_HELPER*/ -/* Send a real auth request first rather than requesting a list of available methods. - * It saves a network round trip at login but prevents immediate login to - * accounts with no password, and might be rejected by some strict servers (none - * encountered yet) - hence it isn't enabled by default. */ -/* #define CLI_IMMEDIATE_AUTH */ - +/* Save a network roundtrip by sendng a real auth request immediately after + * sending a query for the available methods. It is at the expense of < 100 + * bytes of extra network traffic. This is not yet enabled by default since it + * could cause problems with non-compliant servers */ +/* #define DROPBEAR_CLI_IMMEDIATE_AUTH */ /* Source for randomness. This must be able to provide hundreds of bytes per SSH * connection without blocking. In addition /dev/random is used for seeding diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/process-packet.c new/dropbear-2014.63/process-packet.c --- old/dropbear-2013.62/process-packet.c 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/process-packet.c 2014-02-19 15:05:24.000000000 +0100 @@ -74,15 +74,32 @@ /* This applies for KEX, where the spec says the next packet MUST be * NEWKEYS */ - if (ses.requirenext[0] != 0) { - if (ses.requirenext[0] != type - && (ses.requirenext[1] == 0 || ses.requirenext[1] != type)) { - dropbear_exit("Unexpected packet type %d, expected [%d,%d]", type, - ses.requirenext[0], ses.requirenext[1]); - } else { + if (ses.requirenext != 0) { + if (ses.requirenext == type) + { /* Got what we expected */ - ses.requirenext[0] = 0; - ses.requirenext[1] = 0; + TRACE(("got expected packet %d during kexinit", type)) + } + else + { + /* RFC4253 7.1 - various messages are allowed at this point. + The only ones we know about have already been handled though, + so just return "unimplemented" */ + if (type >= 1 && type <= 49 + && type != SSH_MSG_SERVICE_REQUEST + && type != SSH_MSG_SERVICE_ACCEPT + && type != SSH_MSG_KEXINIT) + { + TRACE(("unknown allowed packet during kexinit")) + recv_unimplemented(); + goto out; + } + else + { + TRACE(("disallowed packet during kexinit")) + dropbear_exit("Unexpected packet type %d, expected %d", type, + ses.requirenext); + } } } @@ -94,6 +111,12 @@ goto out; } + /* Only clear the flag after we have checked ignorenext */ + if (ses.requirenext != 0 && ses.requirenext == type) + { + ses.requirenext = 0; + } + /* Kindly the protocol authors gave all the preauth packets type values * less-than-or-equal-to 60 ( == MAX_UNAUTH_PACKET_TYPE ). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/session.h new/dropbear-2014.63/session.h --- old/dropbear-2013.62/session.h 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/session.h 2014-02-19 15:05:24.000000000 +0100 @@ -135,9 +135,8 @@ unsigned dataallowed : 1; /* whether we can send data packets or we are in the middle of a KEX or something */ - unsigned char requirenext[2]; /* bytes indicating what packets we require next, - or 0x00 for any. Second option can only be - used if the first byte is also set */ + unsigned char requirenext; /* byte indicating what packets we require next, + or 0x00 for any. */ unsigned char ignorenext; /* whether to ignore the next packet, used for kex_follows stuff */ @@ -233,6 +232,7 @@ typedef enum { STATE_NOTHING, + USERAUTH_WAIT, USERAUTH_REQ_SENT, USERAUTH_FAIL_RCVD, USERAUTH_SUCCESS_RCVD, @@ -267,6 +267,7 @@ int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD, for the last type of auth we tried */ + int ignore_next_auth_response; #ifdef ENABLE_CLI_INTERACT_AUTH int auth_interact_failed; /* flag whether interactive auth can still be used */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/svr-chansession.c new/dropbear-2014.63/svr-chansession.c --- old/dropbear-2013.62/svr-chansession.c 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/svr-chansession.c 2014-02-19 15:05:24.000000000 +0100 @@ -87,6 +87,8 @@ struct sigaction sa_chld; struct exitinfo *exit = NULL; + const int saved_errno = errno; + TRACE(("enter sigchld handler")) while ((pid = waitpid(-1, &status, WNOHANG)) > 0) { TRACE(("sigchld handler: pid %d", pid)) @@ -140,6 +142,8 @@ sigemptyset(&sa_chld.sa_mask); sigaction(SIGCHLD, &sa_chld, NULL); TRACE(("leave sigchld handler")) + + errno = saved_errno; } /* send the exit status or the signal causing termination for a session */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/svr-kex.c new/dropbear-2014.63/svr-kex.c --- old/dropbear-2013.62/svr-kex.c 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/svr-kex.c 2014-02-19 15:05:24.000000000 +0100 @@ -80,8 +80,7 @@ } send_msg_newkeys(); - ses.requirenext[0] = SSH_MSG_NEWKEYS; - ses.requirenext[1] = 0; + ses.requirenext = SSH_MSG_NEWKEYS; TRACE(("leave recv_msg_kexdh_init")) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/svr-main.c new/dropbear-2014.63/svr-main.c --- old/dropbear-2013.62/svr-main.c 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/svr-main.c 2014-02-19 15:05:24.000000000 +0100 @@ -337,6 +337,8 @@ static void sigchld_handler(int UNUSED(unused)) { struct sigaction sa_chld; + const int saved_errno = errno; + while(waitpid(-1, NULL, WNOHANG) > 0); sa_chld.sa_handler = sigchld_handler; @@ -344,13 +346,14 @@ if (sigaction(SIGCHLD, &sa_chld, NULL) < 0) { dropbear_exit("signal() error"); } + errno = saved_errno; } /* catch any segvs */ static void sigsegv_handler(int UNUSED(unused)) { fprintf(stderr, "Aiee, segfault! You should probably report " "this as a bug to the developer\n"); - exit(EXIT_FAILURE); + _exit(EXIT_FAILURE); } /* catch ctrl-c or sigterm */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2013.62/sysoptions.h new/dropbear-2014.63/sysoptions.h --- old/dropbear-2013.62/sysoptions.h 2013-12-03 14:39:15.000000000 +0100 +++ new/dropbear-2014.63/sysoptions.h 2014-02-19 15:05:24.000000000 +0100 @@ -4,7 +4,7 @@ *******************************************************************/ #ifndef DROPBEAR_VERSION -#define DROPBEAR_VERSION "2013.62" +#define DROPBEAR_VERSION "2014.63" #endif #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION @@ -176,6 +176,7 @@ accept for keyb-interactive auth */ + #if defined(DROPBEAR_AES256) || defined(DROPBEAR_AES128) #define DROPBEAR_AES #endif ++++++ dropbear-keygen.service ++++++ --- /var/tmp/diff_new_pack.spKV0b/_old 2014-02-22 18:09:17.000000000 +0100 +++ /var/tmp/diff_new_pack.spKV0b/_new 2014-02-22 18:09:17.000000000 +0100 @@ -1,12 +1,14 @@ [Unit] Description=Dropbear SSH Key Generator +Documentation=man:dropbearkey(8) Before=dropbear.service ConditionPathExists=!/etc/dropbear/dropbear_rsa_host_key ConditionPathExists=!/etc/dropbear/dropbear_dss_host_key +ConditionPathExists=!/etc/dropbear/dropbear_ecdsa_host_key [Service] Type=oneshot ExecStart=/usr/bin/dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key ExecStart=/usr/bin/dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key -RemainAfterExit=no - +ExecStart=/usr/bin/dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key +RemainAfterExit=yes ++++++ dropbear.init ++++++ #!/bin/sh # Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # Startup script for Dropbear # # /etc/init.d/dropbear # # and its symbolic link # /usr/sbin/rcdropbear # ### BEGIN INIT INFO # Provides: dropbear # Required-Start: $network $remote_fs # Required-Stop: $network $remote_fs # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Short-Description: Dropbear # Description: Dropbear is a relatively small SSH 2 server. ### END INIT INFO # Note on runlevels: # 0 - halt/poweroff 6 - reboot # 1 - single user 2 - multiuser without network exported # 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm) . /etc/rc.status DROPBEAR_BIN="/usr/sbin/dropbear" DROPBEAR_LOCKFILE="/var/run/dropbear.pid" DROPBEAR_SYSCONFIG="/etc/sysconfig/dropbear" DROPBEAR_DSSKEY="/etc/dropbear/dropbear_dss_host_key" DROPBEAR_RSAKEY="/etc/dropbear/dropbear_rsa_host_key" DROPBEAR_ECDSAKEY="/etc/dropbear/dropbear_ecdsa_host_key" test -x $DROPBEAR_BIN || { echo "$DROPBEAR_BIN not installed"; if [ "$1" = "stop" ]; then exit 0; else exit 5; fi; } # Check for existence of sysconfig file and read it if [ -r "$DROPBEAR_SYSCONFIG" ]; then . "$DROPBEAR_SYSCONFIG" fi # Reset status of this service rc_reset case "$1" in start) echo -n "Starting Dropbear " if [ ! -r "$DROPBEAR_DSSKEY" ] || [ ! -r "$DROPBEAR_RSAKEY" ] || [ ! -r "$DROPBEAR_ECDSAKEY" ]; then $0 keygen fi startproc -p "$DROPBEAR_LOCKFILE" "$DROPBEAR_BIN" $OPTIONS # Remember status and be verbose rc_status -v ;; stop) echo -n "Shutting down Dropbear " killproc -p "$DROPBEAR_LOCKFILE" -TERM "$DROPBEAR_BIN" rc_status -v ;; try-restart) ## Do a restart only if the service was active before. $0 status if test $? = 0; then $0 restart else rc_reset # Not running is not a failure. fi rc_status ;; restart|reload) $0 stop $0 start rc_status ;; status) echo -n "Checking for Dropbear " checkproc -p "$DROPBEAR_LOCKFILE" "$DROPBEAR_BIN" rc_status -v ;; keygen) echo "Creating keys for Dropbear " if [ ! -r "$DROPBEAR_DSSKEY" ]; then dropbearkey -t dss -f "$DROPBEAR_DSSKEY" fi if [ ! -r "$DROPBEAR_RSAKEY" ]; then dropbearkey -t rsa -f "$DROPBEAR_RSAKEY" fi if [ ! -r "$DROPBEAR_ECDSAKEY" ]; then dropbearkey -t ecdsa -f "$DROPBEAR_ECDSAKEY" fi rc_status ;; *) echo "Usage: $0 {start|stop|status|try-restart|restart|reload|keygen}" exit 1 ;; esac rc_exit ++++++ dropbear.service ++++++ --- /var/tmp/diff_new_pack.spKV0b/_old 2014-02-22 18:09:17.000000000 +0100 +++ /var/tmp/diff_new_pack.spKV0b/_new 2014-02-22 18:09:17.000000000 +0100 @@ -1,13 +1,12 @@ [Unit] Description=Dropbear SSH Server Daemon +Documentation=man:dropbear(8) Wants=dropbear-keygen.service After=network.target [Service] -Type=forking -PIDFile=/run/dropbear.pid EnvironmentFile=-/etc/sysconfig/dropbear -ExecStart=/usr/sbin/dropbear $OPTIONS +ExecStart=/usr/sbin/dropbear -E -F $OPTIONS [Install] WantedBy=multi-user.target -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
