Hello community, here is the log from the commit of package dropbear for openSUSE:Factory checked in at 2015-02-06 10:23:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dropbear (Old) and /work/SRC/openSUSE:Factory/.dropbear.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dropbear" Changes: -------- --- /work/SRC/openSUSE:Factory/dropbear/dropbear.changes 2014-12-16 14:47:33.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.dropbear.new/dropbear.changes 2015-02-06 10:23:30.000000000 +0100 @@ -1,0 +2,26 @@ +Thu Feb 5 16:26:06 UTC 2015 - [email protected] + +- fixed checksum URL + +------------------------------------------------------------------- +Wed Jan 28 21:40:28 UTC 2015 - [email protected] + +- updated to upstream version 2015.67 + * Call fsync() after generating private keys to ensure they aren't lost if a + reboot occurs. Thanks to Peter Korsgaard + * Disable non-delayed zlib compression by default on the server. Can be + enabled if required for old clients with DROPBEAR_SERVER_DELAY_ZLIB + * Default client key path ~/.ssh/id_dropbear + * Prefer stronger algorithms by default, from Fedor Brunner. + AES256 over 3DES + Diffie-hellman group14 over group1 + * Add option to disable CBC ciphers. + * Disable twofish in default options.h + * Enable sha2 HMAC algorithms by default, the code was already required + for ECC key exchange. sha1 is the first preference still for performance. + * Fix installing dropbear.8 in a separate build directory, from Like Ma + * Allow configure to succeed if libtomcrypt/libtommath are missing, from Elan Ruusamäe + * Don't crash if ssh-agent provides an unknown type of key. From Catalin Patulea + * Minor bug fixes, a few issues found by Coverity scan + +------------------------------------------------------------------- Old: ---- dropbear-2014.66.tar.bz2 dropbear-2014.66.tar.bz2.asc New: ---- dropbear-2015.67.tar.bz2 dropbear-2015.67.tar.bz2.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dropbear.spec ++++++ --- /var/tmp/diff_new_pack.6uiw4j/_old 2015-02-06 10:23:31.000000000 +0100 +++ /var/tmp/diff_new_pack.6uiw4j/_new 2015-02-06 10:23:31.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package dropbear # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -21,14 +21,14 @@ %endif Name: dropbear -Version: 2014.66 +Version: 2015.67 Release: 0 Summary: A relatively small SSH 2 server and client License: MIT Group: Productivity/Networking/SSH Url: http://matt.ucc.asn.au/dropbear/dropbear.html Source0: http://matt.ucc.asn.au/dropbear/releases/%{name}-%{version}.tar.bz2 -Source1: https://matt.ucc.asn.au/dropbear/SHA1SUM.asc#/%{name}-%{version}.tar.bz2.asc +Source1: https://matt.ucc.asn.au/dropbear/SHA256SUM.asc#/%{name}-%{version}.tar.bz2.asc Source2: dropbear.keyring Source3: dropbear.service Source4: dropbear-keygen.service ++++++ dropbear-2014.66.tar.bz2 -> dropbear-2015.67.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/.hg_archival.txt new/dropbear-2015.67/.hg_archival.txt --- old/dropbear-2014.66/.hg_archival.txt 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/.hg_archival.txt 2015-01-28 15:57:36.000000000 +0100 @@ -1,5 +1,5 @@ repo: d7da3b1e15401eb234ec866d5eac992fc4cd5878 -node: 735511a4c761141416ad0e6728989d2dafa55bc2 +node: 48a0ba346de446e413433f93b731187fb4772508 branch: default -latesttag: DROPBEAR_2014.65 -latesttagdistance: 12 +latesttag: DROPBEAR_2015.67 +latesttagdistance: 2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/.hgsigs new/dropbear-2015.67/.hgsigs --- old/dropbear-2014.66/.hgsigs 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/.hgsigs 2015-01-28 15:57:36.000000000 +0100 @@ -12,3 +12,4 @@ 277429102f1337bd10c89107d3e01de509cc1a7e 0 iEYEABECAAYFAlMEvF4ACgkQjPn4sExkf7xeVQCgtbxJ4G3hsFwUOM0K1WGr1J2vsbEAoMM8dEyr1mdrbgO1tzNLfD1nxbyn 96584b934d04ebab443f603e78d38fe692d36313 0 iEYEABECAAYFAlPVFrQACgkQjPn4sExkf7xr6ACglRiLE21vRrS1rJ809o2yMADIKtwAn1f5SyZUngSde8eE55JxCMwtMC5m caac692b366c153cea0e9cd59aa2d79a7d843d4e 0 iEYEABECAAYFAlPk1mcACgkQjPn4sExkf7wLpgCeOqMYqpkf4lYUuyrn9VYThNpc7PkAn3JOSNgIqkKUcmSy6FstrI8jwJzq +2d421bc0545d1be6d59a4ebfe61606d94b124b0c 0 iEYEABECAAYFAlRJDCQACgkQjPn4sExkf7xUYACcCwVJkYWXJn5x/D5A+qMupy778lEAn0rg1oNiq96YU/4jOPsS5IMItihu diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/.hgtags new/dropbear-2015.67/.hgtags --- old/dropbear-2014.66/.hgtags 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/.hgtags 2015-01-28 15:57:36.000000000 +0100 @@ -45,3 +45,5 @@ 2351b2da8e0d08dcc6e64fcc328b53b9630bda68 DROPBEAR_2014.63 0d2d39957c029adb7f4327d37fe6b4900f0736d9 DROPBEAR_2014.64 e9579816f20ea85affc6135e87f8477992808948 DROPBEAR_2014.65 +735511a4c761141416ad0e6728989d2dafa55bc2 DROPBEAR_2014.66 +cbd674d63cd4f3781464a8d4056a5506c8ae926f DROPBEAR_2015.67 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/CHANGES new/dropbear-2015.67/CHANGES --- old/dropbear-2014.66/CHANGES 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/CHANGES 2015-01-28 15:57:36.000000000 +0100 @@ -1,3 +1,32 @@ +2015.67 - Wednesday 28 January 2015 + +- Call fsync() after generating private keys to ensure they aren't lost if a + reboot occurs. Thanks to Peter Korsgaard + +- Disable non-delayed zlib compression by default on the server. Can be + enabled if required for old clients with DROPBEAR_SERVER_DELAY_ZLIB + +- Default client key path ~/.ssh/id_dropbear + +- Prefer stronger algorithms by default, from Fedor Brunner. + AES256 over 3DES + Diffie-hellman group14 over group1 + +- Add option to disable CBC ciphers. + +- Disable twofish in default options.h + +- Enable sha2 HMAC algorithms by default, the code was already required + for ECC key exchange. sha1 is the first preference still for performance. + +- Fix installing dropbear.8 in a separate build directory, from Like Ma + +- Allow configure to succeed if libtomcrypt/libtommath are missing, from Elan Ruusamäe + +- Don't crash if ssh-agent provides an unknown type of key. From Catalin Patulea + +- Minor bug fixes, a few issues found by Coverity scan + 2014.66 - Thursday 23 October 2014 - Use the same keepalive handling behaviour as OpenSSH. This will work better diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/Makefile.in new/dropbear-2015.67/Makefile.in --- old/dropbear-2014.66/Makefile.in 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/Makefile.in 2015-01-28 15:57:36.000000000 +0100 @@ -131,7 +131,7 @@ -rm -f $(DESTDIR)$(sbindir)/dropbear$(EXEEXT) -ln -s $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(sbindir)/dropbear$(EXEEXT) $(INSTALL) -d $(DESTDIR)$(mandir)/man8 - $(INSTALL) -m 644 dropbear.8 $(DESTDIR)$(mandir)/man8/dropbear.8 + $(INSTALL) -m 644 $(srcdir)/dropbear.8 $(DESTDIR)$(mandir)/man8/dropbear.8 insmulti%: dropbearmulti $(INSTALL) -d $(DESTDIR)$(bindir) @@ -145,7 +145,7 @@ $(INSTALL) -d $(DESTDIR)$(sbindir) $(INSTALL) dropbear$(EXEEXT) $(DESTDIR)$(sbindir) $(INSTALL) -d $(DESTDIR)$(mandir)/man8 - $(INSTALL) -m 644 dropbear.8 $(DESTDIR)$(mandir)/man8/dropbear.8 + $(INSTALL) -m 644 $(srcdir)/dropbear.8 $(DESTDIR)$(mandir)/man8/dropbear.8 inst_%: % $(INSTALL) -d $(DESTDIR)$(bindir) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/algo.h new/dropbear-2015.67/algo.h --- old/dropbear-2014.66/algo.h 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/algo.h 2015-01-28 15:57:36.000000000 +0100 @@ -51,6 +51,7 @@ extern algo_type sshciphers[]; extern algo_type sshhashes[]; extern algo_type ssh_compress[]; +extern algo_type ssh_delaycompress[]; extern algo_type ssh_nocompress[]; extern const struct dropbear_cipher dropbear_nocipher; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/cli-agentfwd.c new/dropbear-2015.67/cli-agentfwd.c --- old/dropbear-2014.66/cli-agentfwd.c 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/cli-agentfwd.c 2015-01-28 15:57:36.000000000 +0100 @@ -210,13 +210,14 @@ ret = buf_get_pub_key(key_buf, pubkey, &key_type); buf_free(key_buf); if (ret != DROPBEAR_SUCCESS) { - /* This is slack, properly would cleanup vars etc */ - dropbear_exit("Bad pubkey received from agent"); - } - pubkey->type = key_type; - pubkey->source = SIGNKEY_SOURCE_AGENT; + TRACE(("Skipping bad/unknown type pubkey from agent")); + sign_key_free(pubkey); + } else { + pubkey->type = key_type; + pubkey->source = SIGNKEY_SOURCE_AGENT; - list_append(ret_list, pubkey); + list_append(ret_list, pubkey); + } /* We'll ignore the comment for now. might want it later.*/ buf_eatstring(inbuf); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/cli-runopts.c new/dropbear-2015.67/cli-runopts.c --- old/dropbear-2014.66/cli-runopts.c 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/cli-runopts.c 2015-01-28 15:57:36.000000000 +0100 @@ -38,7 +38,7 @@ static void parse_multihop_hostname(const char* orighostarg, const char* argv0); static void fill_own_user(); #ifdef ENABLE_CLI_PUBKEY_AUTH -static void loadidentityfile(const char* filename); +static void loadidentityfile(const char* filename, int warnfail); #endif #ifdef ENABLE_CLI_ANYTCPFWD static void addforward(const char* str, m_list *fwdlist); @@ -65,7 +65,7 @@ "-y -y Don't perform any remote host key checking (caution)\n" "-s Request a subsystem (use by external sftp)\n" #ifdef ENABLE_CLI_PUBKEY_AUTH - "-i <identityfile> (multiple allowed)\n" + "-i <identityfile> (multiple allowed, default %s)\n" #endif #ifdef ENABLE_CLI_AGENTFWD "-A Enable agent auth forwarding\n" @@ -95,6 +95,9 @@ "-v verbose (compiled with DEBUG_TRACE)\n" #endif ,DROPBEAR_VERSION, cli_opts.progname, +#ifdef ENABLE_CLI_PUBKEY_AUTH + DROPBEAR_DEFAULT_CLI_AUTHKEY, +#endif DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT); } @@ -153,7 +156,7 @@ cli_opts.proxycmd = NULL; #endif #ifndef DISABLE_ZLIB - opts.enable_compress = 1; + opts.compress_mode = DROPBEAR_COMPRESS_ON; #endif #ifdef ENABLE_USER_ALGO_LIST opts.cipher_list = NULL; @@ -174,7 +177,7 @@ #ifdef ENABLE_CLI_PUBKEY_AUTH if (nextiskey) { /* Load a hostkey since the previous argument was "-i" */ - loadidentityfile(argv[i]); + loadidentityfile(argv[i], 1); nextiskey = 0; continue; } @@ -231,7 +234,7 @@ case 'i': /* an identityfile */ /* Keep scp happy when it changes "-i file" to "-ifile" */ if (strlen(argv[i]) > 2) { - loadidentityfile(&argv[i][2]); + loadidentityfile(&argv[i][2], 1); } else { nextiskey = 1; } @@ -444,6 +447,14 @@ } #endif +#ifdef DROPBEAR_DEFAULT_CLI_AUTHKEY + { + char *expand_path = expand_tilde(DROPBEAR_DEFAULT_CLI_AUTHKEY); + loadidentityfile(expand_path, 0); + m_free(expand_path); + } +#endif + /* The hostname gets set up last, since * in multi-hop mode it will require knowledge * of other flags such as -i */ @@ -455,14 +466,18 @@ } #ifdef ENABLE_CLI_PUBKEY_AUTH -static void loadidentityfile(const char* filename) { +static void loadidentityfile(const char* filename, int warnfail) { sign_key *key; enum signkey_type keytype; + TRACE(("loadidentityfile %s", filename)) + key = new_sign_key(); keytype = DROPBEAR_SIGNKEY_ANY; if ( readhostkey(filename, key, &keytype) != DROPBEAR_SUCCESS ) { - fprintf(stderr, "Failed loading keyfile '%s'\n", filename); + if (warnfail) { + fprintf(stderr, "Failed loading keyfile '%s'\n", filename); + } sign_key_free(key); } else { key->type = keytype; @@ -594,7 +609,7 @@ passthrough_args, remainder); #ifndef DISABLE_ZLIB /* The stream will be incompressible since it's encrypted. */ - opts.enable_compress = 0; + opts.compress_mode = DROPBEAR_COMPRESS_OFF; #endif m_free(passthrough_args); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/common-algo.c new/dropbear-2015.67/common-algo.c --- old/dropbear-2014.66/common-algo.c 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/common-algo.c 2015-01-28 15:57:36.000000000 +0100 @@ -84,10 +84,14 @@ /* A few void* s are required to silence warnings * about the symmetric_CBC vs symmetric_CTR cipher_state pointer */ +#ifdef DROPBEAR_ENABLE_CBC_MODE const struct dropbear_cipher_mode dropbear_mode_cbc = {(void*)cbc_start, (void*)cbc_encrypt, (void*)cbc_decrypt}; +#endif // DROPBEAR_ENABLE_CBC_MODE + const struct dropbear_cipher_mode dropbear_mode_none = {void_start, void_cipher, void_cipher}; + #ifdef DROPBEAR_ENABLE_CTR_MODE /* a wrapper to make ctr_start and cbc_start look the same */ static int dropbear_big_endian_ctr_start(int cipher, @@ -98,7 +102,7 @@ } const struct dropbear_cipher_mode dropbear_mode_ctr = {(void*)dropbear_big_endian_ctr_start, (void*)ctr_encrypt, (void*)ctr_decrypt}; -#endif +#endif // DROPBEAR_ENABLE_CTR_MODE /* Mapping of ssh hashes to libtomcrypt hashes, including keysize etc. {&hash_desc, keysize, hashsize} */ @@ -137,21 +141,15 @@ #ifdef DROPBEAR_AES128 {"aes128-ctr", 0, &dropbear_aes128, 1, &dropbear_mode_ctr}, #endif -#ifdef DROPBEAR_3DES - {"3des-ctr", 0, &dropbear_3des, 1, &dropbear_mode_ctr}, -#endif #ifdef DROPBEAR_AES256 {"aes256-ctr", 0, &dropbear_aes256, 1, &dropbear_mode_ctr}, #endif #endif /* DROPBEAR_ENABLE_CTR_MODE */ -/* CBC modes are always enabled */ +#ifdef DROPBEAR_ENABLE_CBC_MODE #ifdef DROPBEAR_AES128 {"aes128-cbc", 0, &dropbear_aes128, 1, &dropbear_mode_cbc}, #endif -#ifdef DROPBEAR_3DES - {"3des-cbc", 0, &dropbear_3des, 1, &dropbear_mode_cbc}, -#endif #ifdef DROPBEAR_AES256 {"aes256-cbc", 0, &dropbear_aes256, 1, &dropbear_mode_cbc}, #endif @@ -162,9 +160,16 @@ #ifdef DROPBEAR_TWOFISH128 {"twofish128-cbc", 0, &dropbear_twofish128, 1, &dropbear_mode_cbc}, #endif +#ifdef DROPBEAR_3DES + {"3des-ctr", 0, &dropbear_3des, 1, &dropbear_mode_ctr}, +#endif +#ifdef DROPBEAR_3DES + {"3des-cbc", 0, &dropbear_3des, 1, &dropbear_mode_cbc}, +#endif #ifdef DROPBEAR_BLOWFISH {"blowfish-cbc", 0, &dropbear_blowfish, 1, &dropbear_mode_cbc}, #endif +#endif /* DROPBEAR_ENABLE_CBC_MODE */ #ifdef DROPBEAR_NONE_CIPHER {"none", 0, (void*)&dropbear_nocipher, 1, &dropbear_mode_none}, #endif @@ -195,7 +200,13 @@ #ifndef DISABLE_ZLIB algo_type ssh_compress[] = { + {"[email protected]", DROPBEAR_COMP_ZLIB_DELAY, NULL, 1, NULL}, {"zlib", DROPBEAR_COMP_ZLIB, NULL, 1, NULL}, + {"none", DROPBEAR_COMP_NONE, NULL, 1, NULL}, + {NULL, 0, NULL, 0, NULL} +}; + +algo_type ssh_delaycompress[] = { {"[email protected]", DROPBEAR_COMP_ZLIB_DELAY, NULL, 1, NULL}, {"none", DROPBEAR_COMP_NONE, NULL, 1, NULL}, {NULL, 0, NULL, 0, NULL} @@ -265,8 +276,8 @@ {"ecdh-sha2-nistp256", 0, &kex_ecdh_nistp256, 1, NULL}, #endif #endif - {"diffie-hellman-group1-sha1", 0, &kex_dh_group1, 1, NULL}, {"diffie-hellman-group14-sha1", 0, &kex_dh_group14, 1, NULL}, + {"diffie-hellman-group1-sha1", 0, &kex_dh_group1, 1, NULL}, #ifdef USE_KEXGUESS2 {KEXGUESS2_ALGO_NAME, KEXGUESS2_ALGO_ID, NULL, 1, NULL}, #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/common-kex.c new/dropbear-2015.67/common-kex.c --- old/dropbear-2014.66/common-kex.c 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/common-kex.c 2015-01-28 15:57:36.000000000 +0100 @@ -238,14 +238,24 @@ void kexfirstinitialise() { ses.kexstate.donefirstkex = 0; -#ifndef DISABLE_ZLIB - if (opts.enable_compress) { - ses.compress_algos = ssh_compress; - } else -#endif +#ifdef DISABLE_ZLIB + ses.compress_algos = ssh_nocompress; +#else + switch (opts.compress_mode) { - ses.compress_algos = ssh_nocompress; + case DROPBEAR_COMPRESS_DELAYED: + ses.compress_algos = ssh_delaycompress; + break; + + case DROPBEAR_COMPRESS_ON: + ses.compress_algos = ssh_compress; + break; + + case DROPBEAR_COMPRESS_OFF: + ses.compress_algos = ssh_nocompress; + break; } +#endif kexinitialise(); } @@ -303,7 +313,7 @@ hash_desc->done(&hs2, tmpout); memcpy(&out[offset], tmpout, MIN(outlen - offset, hash_desc->hashsize)); } - + m_burn(&hs2, sizeof(hash_state)); } /* Generate the actual encryption/integrity keys, using the results of the @@ -403,6 +413,7 @@ m_burn(C2S_key, sizeof(C2S_key)); m_burn(S2C_IV, sizeof(S2C_IV)); m_burn(S2C_key, sizeof(S2C_key)); + m_burn(&hs, sizeof(hash_state)); TRACE(("leave gen_new_keys")) } @@ -798,6 +809,7 @@ buf_burn(ses.kexhashbuf); buf_free(ses.kexhashbuf); + m_burn(&hs, sizeof(hash_state)); ses.kexhashbuf = NULL; /* first time around, we set the session_id to H */ @@ -805,7 +817,6 @@ /* create the session_id, this never needs freeing */ ses.session_id = buf_newcopy(ses.hash); } - } /* read the other side's algo list. buf_match_algo is a callback to match diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/configure new/dropbear-2015.67/configure --- old/dropbear-2014.66/configure 2014-10-23 15:43:39.000000000 +0200 +++ new/dropbear-2015.67/configure 2015-01-28 15:57:37.000000000 +0100 @@ -6798,6 +6798,7 @@ # XXX there must be a nicer way to do this +if test $BUNDLED_LIBTOM = 1 ; then as_dir=libtomcrypt/src/ciphers/aes; as_fn_mkdir_p as_dir=libtomcrypt/src/ciphers/safer; as_fn_mkdir_p as_dir=libtomcrypt/src/ciphers/twofish; as_fn_mkdir_p @@ -6848,9 +6849,11 @@ as_dir=libtomcrypt/src/pk/pkcs1; as_fn_mkdir_p as_dir=libtomcrypt/src/pk/rsa; as_fn_mkdir_p as_dir=libtomcrypt/src/prngs; as_fn_mkdir_p +LIBTOM_FILES="libtomcrypt/Makefile libtommath/Makefile" +fi ac_config_headers="$ac_config_headers config.h" -ac_config_files="$ac_config_files Makefile libtomcrypt/Makefile libtommath/Makefile" +ac_config_files="$ac_config_files Makefile $LIBTOM_FILES" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -7543,8 +7546,7 @@ case $ac_config_target in "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; - "libtomcrypt/Makefile") CONFIG_FILES="$CONFIG_FILES libtomcrypt/Makefile" ;; - "libtommath/Makefile") CONFIG_FILES="$CONFIG_FILES libtommath/Makefile" ;; + "$LIBTOM_FILES") CONFIG_FILES="$CONFIG_FILES $LIBTOM_FILES" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/configure.ac new/dropbear-2015.67/configure.ac --- old/dropbear-2014.66/configure.ac 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/configure.ac 2015-01-28 15:57:36.000000000 +0100 @@ -660,6 +660,7 @@ AC_EXEEXT # XXX there must be a nicer way to do this +if test $BUNDLED_LIBTOM = 1 ; then AS_MKDIR_P(libtomcrypt/src/ciphers/aes) AS_MKDIR_P(libtomcrypt/src/ciphers/safer) AS_MKDIR_P(libtomcrypt/src/ciphers/twofish) @@ -710,8 +711,10 @@ AS_MKDIR_P(libtomcrypt/src/pk/pkcs1) AS_MKDIR_P(libtomcrypt/src/pk/rsa) AS_MKDIR_P(libtomcrypt/src/prngs) +LIBTOM_FILES="libtomcrypt/Makefile libtommath/Makefile" +fi AC_CONFIG_HEADER(config.h) -AC_CONFIG_FILES(Makefile libtomcrypt/Makefile libtommath/Makefile) +AC_CONFIG_FILES(Makefile $LIBTOM_FILES) AC_OUTPUT AC_MSG_NOTICE() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/dbclient.1 new/dropbear-2015.67/dbclient.1 --- old/dropbear-2014.66/dbclient.1 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/dbclient.1 2015-01-28 15:57:36.000000000 +0100 @@ -33,7 +33,7 @@ Read the identity key from file .I idfile (multiple allowed). This file is created with dropbearkey(1) or converted -from OpenSSH with dropbearconvert(1). +from OpenSSH with dropbearconvert(1). The default path ~/.ssh/id_dropbear is used .TP .B \-L [\fIlistenaddress\fR]:\fIlistenport\fR:\fIhost\fR:\fIport\fR Local port forwarding. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/dbutil.c new/dropbear-2015.67/dbutil.c --- old/dropbear-2014.66/dbutil.c 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/dbutil.c 2015-01-28 15:57:36.000000000 +0100 @@ -936,6 +936,23 @@ } } +/* Returns malloced path. Only expands ~ in first character */ +char * expand_tilde(const char *inpath) { + struct passwd *pw = NULL; + if (inpath[0] == '~') { + pw = getpwuid(getuid()); + if (pw && pw->pw_dir) { + int len = strlen(inpath) + strlen(pw->pw_dir) + 1; + char *buf = m_malloc(len); + snprintf(buf, len, "%s/%s", pw->pw_dir, &inpath[1]); + return buf; + } + } + + /* Fallback */ + return m_strdup(inpath); +} + int constant_time_memcmp(const void* a, const void *b, size_t n) { const char *xa = a, *xb = b; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/dbutil.h new/dropbear-2015.67/dbutil.h --- old/dropbear-2014.66/dbutil.h 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/dbutil.h 2015-01-28 15:57:36.000000000 +0100 @@ -91,7 +91,7 @@ void * m_malloc(size_t size); void * m_strdup(const char * str); void * m_realloc(void* ptr, size_t size); -#define m_free(X) free(X); (X) = NULL; +#define m_free(X) do {free(X); (X) = NULL;} while (0); void m_burn(void* data, unsigned int len); void setnonblocking(int fd); void disallow_core(); @@ -110,5 +110,6 @@ a real-world clock */ time_t monotonic_now(); +char * expand_tilde(const char *inpath); #endif /* _DBUTIL_H_ */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/debian/changelog new/dropbear-2015.67/debian/changelog --- old/dropbear-2014.66/debian/changelog 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/debian/changelog 2015-01-28 15:57:36.000000000 +0100 @@ -1,3 +1,9 @@ +dropbear (2015.67-0.1) unstable; urgency=low + + * New upstream release. + + -- Matt Johnston <[email protected]> Wed, 28 Jan 2015 22:53:59 +0800 + dropbear (2014.66-0.1) unstable; urgency=low * New upstream release. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/dropbearconvert.1 new/dropbear-2015.67/dropbearconvert.1 --- old/dropbear-2014.66/dropbearconvert.1 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/dropbearconvert.1 2015-01-28 15:57:36.000000000 +0100 @@ -39,9 +39,9 @@ An existing Dropbear or OpenSSH private key file .TP .B output file -The path to write the converted private key file +The path to write the converted private key file. For client authentication ~/.ssh/id_dropbear is loaded by default .SH EXAMPLE - # dropbearconvert openssh dropbear ~/.ssh/id_rsa ~/.ssh/dropbear_priv + # dropbearconvert openssh dropbear ~/.ssh/id_rsa ~/.ssh/id_dropbear .SH AUTHOR Matt Johnston ([email protected]). .SH SEE ALSO diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/dropbearkey.1 new/dropbear-2015.67/dropbearkey.1 --- old/dropbear-2014.66/dropbearkey.1 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/dropbearkey.1 2015-01-28 15:57:36.000000000 +0100 @@ -33,7 +33,7 @@ .TP .B \-f \fIfile Write the secret key to the file -.IR file . +.IR file . For client authentication ~/.ssh/id_dropbear is loaded by default .TP .B \-s \fIbits Set the key size to diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/dropbearkey.c new/dropbear-2015.67/dropbearkey.c --- old/dropbear-2014.66/dropbearkey.c 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/dropbearkey.c 2015-01-28 15:57:36.000000000 +0100 @@ -76,7 +76,8 @@ #ifdef DROPBEAR_ECDSA " ecdsa\n" #endif - "-f filename Use filename for the secret key\n" + "-f filename Use filename for the secret key.\n" + " ~/.ssh/id_dropbear is recommended for client keys.\n" "-s bits Key size in bits, should be a multiple of 8 (optional)\n" #ifdef DROPBEAR_DSS " DSS has a fixed size of 1024 bits\n" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/ecdsa.c new/dropbear-2015.67/ecdsa.c --- old/dropbear-2014.66/ecdsa.c 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/ecdsa.c 2015-01-28 15:57:36.000000000 +0100 @@ -131,6 +131,7 @@ if (buf_getmpint(buf, new_key->k) != DROPBEAR_SUCCESS) { ecc_free(new_key); + m_free(new_key); return NULL; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/gensignkey.c new/dropbear-2015.67/gensignkey.c --- old/dropbear-2014.66/gensignkey.c 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/gensignkey.c 2015-01-28 15:57:36.000000000 +0100 @@ -41,6 +41,9 @@ out: if (fd >= 0) { + if (fsync(fd) != 0) { + dropbear_log(LOG_ERR, "fsync of %s failed: %s", filename, strerror(errno)); + } m_close(fd); } return ret; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/keyimport.c new/dropbear-2015.67/keyimport.c --- old/dropbear-2014.66/keyimport.c 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/keyimport.c 2015-01-28 15:57:36.000000000 +0100 @@ -627,7 +627,7 @@ if (i == 0) { /* First integer is a version indicator */ - int expected; + int expected = -1; switch (key->type) { case OSSH_RSA: case OSSH_DSA: @@ -810,7 +810,7 @@ } m_burn(key->keyblob, key->keyblob_size); m_free(key->keyblob); - m_burn(key, sizeof(key)); + m_burn(key, sizeof(*key)); m_free(key); if (errmsg) { fprintf(stderr, "Error: %s\n", errmsg); @@ -826,7 +826,7 @@ unsigned char *outblob = NULL; int outlen = -9999; struct mpint_pos numbers[9]; - int nnumbers = -1, pos, len, seqlen, i; + int nnumbers = -1, pos = 0, len = 0, seqlen, i; char *header = NULL, *footer = NULL; char zero[1]; int ret = 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/options.h new/dropbear-2015.67/options.h --- old/dropbear-2014.66/options.h 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/options.h 2015-01-28 15:57:37.000000000 +0100 @@ -95,8 +95,12 @@ #define DROPBEAR_AES256 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ /*#define DROPBEAR_BLOWFISH*/ -#define DROPBEAR_TWOFISH256 -#define DROPBEAR_TWOFISH128 +/*#define DROPBEAR_TWOFISH256*/ +/*#define DROPBEAR_TWOFISH128*/ + +/* Enable CBC mode for ciphers. This has security issues though + * is the most compatible with older SSH implementations */ +#define DROPBEAR_ENABLE_CBC_MODE /* Enable "Counter Mode" for ciphers. This is more secure than normal * CBC mode against certain attacks. This adds around 1kB to binary @@ -123,8 +127,8 @@ * which are not the standard form. */ #define DROPBEAR_SHA1_HMAC #define DROPBEAR_SHA1_96_HMAC -/*#define DROPBEAR_SHA2_256_HMAC*/ -/*#define DROPBEAR_SHA2_512_HMAC*/ +#define DROPBEAR_SHA2_256_HMAC +#define DROPBEAR_SHA2_512_HMAC #define DROPBEAR_MD5_HMAC /* You can also disable integrity. Don't bother disabling this if you're @@ -170,6 +174,11 @@ #define DROPBEAR_ZLIB_WINDOW_BITS 15 #endif +/* Server won't allow zlib compression until after authentication. Prevents + flaws in the zlib library being unauthenticated exploitable flaws. + Some old ssh clients may not support the alternative [email protected] method */ +#define DROPBEAR_SERVER_DELAY_ZLIB 1 + /* Whether to do reverse DNS lookups. */ /*#define DO_HOST_LOOKUP */ @@ -207,6 +216,10 @@ #define ENABLE_CLI_PUBKEY_AUTH #define ENABLE_CLI_INTERACT_AUTH +/* A default argument for dbclient -i <privatekey>. + leading "~" is expanded */ +#define DROPBEAR_DEFAULT_CLI_AUTHKEY "~/.ssh/id_dropbear" + /* This variable can be used to set a password for client * authentication on the commandline. Beware of platforms * that don't protect environment variables of processes etc. Also diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/packet.c new/dropbear-2015.67/packet.c --- old/dropbear-2014.66/packet.c 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/packet.c 2015-01-28 15:57:37.000000000 +0100 @@ -283,14 +283,14 @@ } len = buf_getint(ses.readbuf) + 4 + macsize; - TRACE2(("packet size is %d, block %d mac %d", len, blocksize, macsize)) + TRACE2(("packet size is %u, block %u mac %u", len, blocksize, macsize)) /* check packet length */ if ((len > RECV_MAX_PACKET_LEN) || (len < MIN_PACKET_LEN + macsize) || ((len - macsize) % blocksize != 0)) { - dropbear_exit("Integrity error (bad packet size %d)", len); + dropbear_exit("Integrity error (bad packet size %u)", len); } if (len > ses.readbuf->size) { @@ -342,7 +342,7 @@ /* - 4 - 1 is for LEN and PADLEN values */ len = ses.readbuf->len - padlen - 4 - 1 - macsize; if ((len > RECV_MAX_PAYLOAD_LEN+ZLIB_COMPRESS_EXPANSION) || (len < 1)) { - dropbear_exit("Bad packet size %d", len); + dropbear_exit("Bad packet size %u", len); } buf_setpos(ses.readbuf, PACKET_PAYLOAD_OFF); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/release.sh new/dropbear-2015.67/release.sh --- old/dropbear-2014.66/release.sh 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/release.sh 2015-01-28 15:57:37.000000000 +0100 @@ -7,7 +7,7 @@ fi if ! head -n1 debian/changelog | grep -q $VERSION ; then - echo "CHANGES needs updating" + echo "debian/changelog needs updating" exit 1 fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/runopts.h new/dropbear-2015.67/runopts.h --- old/dropbear-2014.66/runopts.h 2014-10-23 15:43:38.000000000 +0200 +++ new/dropbear-2015.67/runopts.h 2015-01-28 15:57:37.000000000 +0100 @@ -44,7 +44,11 @@ /* TODO: add a commandline flag. Currently this is on by default if compression * is compiled in, but disabled for a client's non-final multihop stages. (The * intermediate stages are compressed streams, so are uncompressible. */ - int enable_compress; + enum { + DROPBEAR_COMPRESS_DELAYED, /* Server only */ + DROPBEAR_COMPRESS_ON, + DROPBEAR_COMPRESS_OFF, + } compress_mode; #endif #ifdef ENABLE_USER_ALGO_LIST diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/svr-kex.c new/dropbear-2015.67/svr-kex.c --- old/dropbear-2014.66/svr-kex.c 2014-10-23 15:43:39.000000000 +0200 +++ new/dropbear-2015.67/svr-kex.c 2015-01-28 15:57:37.000000000 +0100 @@ -84,7 +84,28 @@ TRACE(("leave recv_msg_kexdh_init")) } + #ifdef DROPBEAR_DELAY_HOSTKEY + +static void fsync_parent_dir(const char* fn) { +#ifdef HAVE_LIBGEN_H + char *fn_dir = m_strdup(fn); + char *dir = dirname(fn_dir); + int dirfd = open(dir, O_RDONLY); + + if (dirfd != -1) { + if (fsync(dirfd) != 0) { + TRACE(("fsync of directory %s failed: %s", dir, strerror(errno))) + } + m_close(dirfd); + } else { + TRACE(("error opening directory %s for fsync: %s", dir, strerror(errno))) + } + + free(fn_dir); +#endif +} + static void svr_ensure_hostkey() { const char* fn = NULL; @@ -142,6 +163,10 @@ } } + /* ensure directory update is flushed to disk, otherwise we can end up + with zero-byte hostkey files if the power goes off */ + fsync_parent_dir(fn); + ret = readhostkey(fn, svr_opts.hostkey, &type); if (ret == DROPBEAR_SUCCESS) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/svr-main.c new/dropbear-2015.67/svr-main.c --- old/dropbear-2014.66/svr-main.c 2014-10-23 15:43:39.000000000 +0200 +++ new/dropbear-2015.67/svr-main.c 2015-01-28 15:57:37.000000000 +0100 @@ -343,6 +343,7 @@ sa_chld.sa_handler = sigchld_handler; sa_chld.sa_flags = SA_NOCLDSTOP; + sigemptyset(&sa_chld.sa_mask); if (sigaction(SIGCHLD, &sa_chld, NULL) < 0) { dropbear_exit("signal() error"); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/svr-runopts.c new/dropbear-2015.67/svr-runopts.c --- old/dropbear-2014.66/svr-runopts.c 2014-10-23 15:43:39.000000000 +0200 +++ new/dropbear-2015.67/svr-runopts.c 2015-01-28 15:57:37.000000000 +0100 @@ -140,9 +140,15 @@ #ifdef ENABLE_SVR_REMOTETCPFWD svr_opts.noremotetcp = 0; #endif + #ifndef DISABLE_ZLIB - opts.enable_compress = 1; +#if DROPBEAR_SERVER_DELAY_ZLIB + opts.compress_mode = DROPBEAR_COMPRESS_DELAYED; +#else + opts.compress_mode = DROPBEAR_COMPRESS_ON; #endif +#endif + /* not yet opts.ipv4 = 1; opts.ipv6 = 1; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2014.66/sysoptions.h new/dropbear-2015.67/sysoptions.h --- old/dropbear-2014.66/sysoptions.h 2014-10-23 15:43:39.000000000 +0200 +++ new/dropbear-2015.67/sysoptions.h 2015-01-28 15:57:37.000000000 +0100 @@ -4,7 +4,7 @@ *******************************************************************/ #ifndef DROPBEAR_VERSION -#define DROPBEAR_VERSION "2014.66" +#define DROPBEAR_VERSION "2015.67" #endif #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION ++++++ dropbear-2014.66.tar.bz2.asc -> dropbear-2015.67.tar.bz2.asc ++++++ --- /work/SRC/openSUSE:Factory/dropbear/dropbear-2014.66.tar.bz2.asc 2014-12-16 14:47:33.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.dropbear.new/dropbear-2015.67.tar.bz2.asc 2015-02-06 10:23:30.000000000 +0100 @@ -1,13 +1,13 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 -07a147b70a5402f38b2965e386cbe63dee1afd69 CHANGES -a7b04ff3c27059477ecdd8dccef7d43f644abe46 dropbear-2014.65.tar.bz2 -793f5f1bb465b3c55e795d607932e8b21c130e95 dropbear-2014.66.tar.bz2 +bf2c24b108f18feff2ddcd72df472ad73c2752f5a2fdba6597663a9ab505f6fb CHANGES +ab3fe2670a517cc0bbe398ff5d15e9ca12cd14f2fc18930a8111ae2baa64ab76 dropbear-2014.66.tar.bz2 +7e690594645dfde5787065c78a5d2e4d15e288babfa06e140197ce05f698c8e5 dropbear-2015.67.tar.bz2 -----BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.13 (Darwin) +Version: GnuPG v1 -iEYEARECAAYFAlRJDGYACgkQjPn4sExkf7wHRgCdH3TEUSKebFmT74e6NIuAAkpB -m78AoNIly2cnFzoimxixnNa7LDDRi64y -=MfF3 +iEYEARECAAYFAlTI/lwACgkQjPn4sExkf7z7pgCcDIHfYzAtY7oshpuICvjWPRVg +bBoAoIoOBJWte6SitKOH3zaNOfHT85DG +=nnPU -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
