Hello community, here is the log from the commit of package dropbear for openSUSE:Factory checked in at 2015-12-06 07:44:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/dropbear (Old) and /work/SRC/openSUSE:Factory/.dropbear.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "dropbear" Changes: -------- --- /work/SRC/openSUSE:Factory/dropbear/dropbear.changes 2015-08-21 07:42:16.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.dropbear.new/dropbear.changes 2015-12-06 07:44:04.000000000 +0100 
@@ -1,0 +2,29 @@ +Fri Dec 4 15:39:10 UTC 2015 - [email protected] + +- updated to upstream version 2015.71 + * Fix "bad buf_incrpos" when data is transferred, broke in 2015.69 + * Fix crash on exit when -p address:port is used, broke in 2015.68 + * Fix building with only ENABLE_CLI_REMOTETCPFWD given, patch from Konstantin Tokarev + * Fix bad configure script test which didn't work with dash shell, patch from Juergen Daubert, + broke in 2015.70 + * Fix server race condition that could cause sessions to hang on exit, + https://github.com/robotframework/SSHLibrary/issues/128 + +------------------------------------------------------------------- +Thu Nov 26 15:40:52 UTC 2015 - [email protected] + +- updated to upstream version 2015.70 + * Fix server password authentication on Linux, broke in 2015.69 + * Fix crash when forwarded TCP connections fail to connect (bug introduced in 2015.68) + * Avoid hang on session close when multiple sessions are started, affects Qt Creator + Patch from Andrzej Szombierski + * Reduce per-channel memory consumption in common case, increase default + channel limit from 100 to 1000 which should improve SOCKS forwarding for modern + webpages + * Handle multiple command line arguments in a single flag, thanks to Guilhem Moulin + * Manpage improvements from Guilhem Moulin + * Build fixes for Android from Mike Frysinger + * Don't display the MOTD when an explicit command is run from Guilhem Moulin + * Check curve25519 shared secret isn't zero + +------------------------------------------------------------------- Old: ---- dropbear-2015.68.tar.bz2 dropbear-2015.68.tar.bz2.asc New: ---- dropbear-2015.71.tar.bz2 dropbear-2015.71.tar.bz2.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dropbear.spec ++++++ --- /var/tmp/diff_new_pack.nFWLTF/_old 2015-12-06 07:44:05.000000000 +0100 +++ /var/tmp/diff_new_pack.nFWLTF/_new 2015-12-06 07:44:05.000000000 +0100 
@@ -21,7 +21,7 @@ %endif Name: dropbear -Version: 2015.68 +Version: 2015.71 Release: 0 Summary: A relatively small SSH 2 server and client License: MIT ++++++ dropbear-2015.68.tar.bz2 -> dropbear-2015.71.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/.hg_archival.txt new/dropbear-2015.71/.hg_archival.txt --- old/dropbear-2015.68/.hg_archival.txt 2015-08-08 14:35:33.000000000 +0200 +++ new/dropbear-2015.71/.hg_archival.txt 2015-12-03 14:23:59.000000000 +0100 @@ -1,6 +1,6 @@ repo: d7da3b1e15401eb234ec866d5eac992fc4cd5878 -node: 809feaa9408f036734129c77f2b3c7e779d4f099 +node: 9a944a243f08be6b22d32f166a0690eb4872462b branch: default -latesttag: DROPBEAR_2015.67 -latesttagdistance: 105 -changessincelatesttag: 125 +latesttag: DROPBEAR_2015.70 +latesttagdistance: 10 +changessincelatesttag: 11 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/.hgsigs new/dropbear-2015.71/.hgsigs --- old/dropbear-2015.68/.hgsigs 2015-08-08 14:35:33.000000000 +0200 +++ new/dropbear-2015.71/.hgsigs 2015-12-03 14:23:59.000000000 +0100 
@@ -14,3 +14,7 @@ caac692b366c153cea0e9cd59aa2d79a7d843d4e 0 iEYEABECAAYFAlPk1mcACgkQjPn4sExkf7wLpgCeOqMYqpkf4lYUuyrn9VYThNpc7PkAn3JOSNgIqkKUcmSy6FstrI8jwJzq 2d421bc0545d1be6d59a4ebfe61606d94b124b0c 0 iEYEABECAAYFAlRJDCQACgkQjPn4sExkf7xUYACcCwVJkYWXJn5x/D5A+qMupy778lEAn0rg1oNiq96YU/4jOPsS5IMItihu 1d2d81b1b7c1b100e9c369e40b9fa5b2d491eea9 0 iEYEABECAAYFAlTKOKUACgkQjPn4sExkf7xWMACfYFozyHiRk5GaocTa5z6Ws1uyB4kAoLubxoxcnM3E7AA9mHAzc3OB5M0Y +a687f835236c7025b5cb2968fe9c4ebc4a49f0ea 0 iQIcBAABCgAGBQJVxg62AAoJEPSYMBLCC7qsC+EQAKw8YWogrVHhIFct2fx/nqybSPVrhFyKFKHhq7K/lZeVm0MGIWdSyVcQgP+Hs2jWNBWzG4AJ1BtifHWQH6IDh7W5RuwOXu5KobgPW9BsN3EVE9KIR+xe9jCAmFl9rIw0tNpy1q6R0TpYXx/sWlMilxecyEGyr2Ias2Sm19aY2mOEv8PLfh9BLfrJEKtt2NxL7TX8ScPwJXJMmVIQjN9WK4Ptx3tjcGNRivEVR/dftP5sJx2DBJx9avyDqrfloMW7Q7sPgJ88MPruCDxedOkbzH7JdHe3Humr2G4LsI0KPU7pNN6EBDjhJ+SVXuOyAgu5j/C0R+0ggGfjSrjDu8WjHyclFlwwu2MSGuHf111I1qkLtaRY3H1FZO5Y2gbLwBLQ82svA4klcBIxtP5jKAZDTh1jQMYsfKotvZdawOWrPDkNmKoUg2JXLHAtj9Dd0uGIhqfspZY3qlpzxw9uCkljWclUBD097ygotwAb2XdLoAWZ3KdvoPM+k448vIAQ7Q/aqcnm/dLQJr3Le029gpkOKoWKaQTlk0itrRGpgETHAhE2LnmWxYSKp6NYSKMgEONbfDiVNLyDTOlvpPiEb20RsOP64xA4wVDGmPenCURmMYoepQK6oJdtkNtCdth2S49KxPQAC+Dem4YZ7b+5b+cXrK5Nz7elBxZzRQWdjmZ4JDQK +ef4b26364b0cdda1084751d7de3d76c589e2d9cb 0 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 +af074dbcb68ff8670b3818e0d66d5dc6f1bd5877 0 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 +5bb5976e6902a0c9fba974a880c68c9487ee1e77 0 
iQIcBAABCgAGBQJWVyIKAAoJEESTFJTynGdzQosP/0k5bVTerpUKZLjyNuMU8o0eyc7njkX8EyMOyGbtcArKpzO2opSBTRsuCT9Zsk1iiQ1GMTY1quKD7aNr86Hipqo4th/+ZXmLe9mmaCDukKjD0ZYC4dBVUy6RSUAMvdkDP9sZs7CMTO/22a9SqOsKTv3s2NN6XnsBGnmNbvVx5hkAk5hMVNFrjKIaexzI/7bWQIDRo2HQCaWaL06JvWEDSEQd2mynGSXxT/+m4hBnuGg6qxn2pd4XfG0g10tDAFx64HQkWgZqSB+F8z71Cvfjondy1zjJYgtABqNlwCKQJZhRUW2+PblqQnz08TUy83XN2vtisOju4avGcHSaBgBbMvg8Wx4ZtM7sPP9pLrhhOTd5ceERHeTceTJy+iI1SQFvccjrRfs5aJ0zAQX5q6f4bV0zp5SmxkvnZUEkZIoetkM8VrPOYugqx31LtHAWfVT9NM+VkV/rrxLhk6J0giIQvC9MPWxRDileFVDszPiOgTLcxWjOziOLT+xijcj7dtx1b/f2bNCduN5G7i+icjjTlCNtyRPRqhBqn705W7F+xESP2gsscM/1BjQ7TGidU5m1njdkUjbrqm3+Qic6iqkG7SfETHmQB9mHqpJ0hACRPvZlhwB7oimNHllkrlw8UJw9f0SiuLjfERIgVS2EOp+mAia0RU7MlTt19o017M1ffEYL diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/CHANGES new/dropbear-2015.71/CHANGES --- old/dropbear-2015.68/CHANGES 2015-08-08 14:35:33.000000000 +0200 +++ new/dropbear-2015.71/CHANGES 2015-12-03 14:23:59.000000000 +0100 
@@ -1,3 +1,42 @@ +2015.71 - 3 December 2015 + +- Fix "bad buf_incrpos" when data is transferred, broke in 2015.69 + +- Fix crash on exit when -p address:port is used, broke in 2015.68 + +- Fix building with only ENABLE_CLI_REMOTETCPFWD given, patch from Konstantin Tokarev + +- Fix bad configure script test which didn't work with dash shell, patch from Juergen Daubert, + broke in 2015.70 + +- Fix server race condition that could cause sessions to hang on exit, + https://github.com/robotframework/SSHLibrary/issues/128 + +2015.70 - 26 November 2015 + +- Fix server password authentication on Linux, broke in 2015.69 + +2015.69 - 25 November 2015 + +- Fix crash when forwarded TCP connections fail to connect (bug introduced in 2015.68) + +- Avoid hang on session close when multiple sessions are started, affects Qt Creator + Patch from Andrzej Szombierski + +- Reduce per-channel memory consumption in common case, increase default + channel limit from 100 to 1000 which should improve SOCKS forwarding for modern + webpages + +- Handle multiple command line arguments in a single flag, thanks to Guilhem Moulin + +- Manpage improvements from Guilhem Moulin + +- Build fixes for Android from Mike Frysinger + +- Don't display the MOTD when an explicit command is run from Guilhem Moulin + +- Check curve25519 shared secret isn't zero + 2015.68 - Saturday 8 August 2015 - Reduce local data copying for improved efficiency. Measured 30% diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/circbuffer.c new/dropbear-2015.71/circbuffer.c --- old/dropbear-2015.68/circbuffer.c 2015-08-08 14:35:33.000000000 +0200 +++ new/dropbear-2015.71/circbuffer.c 2015-12-03 14:23:59.000000000 +0100 @@ -37,9 +37,8 @@ } cbuf = (circbuffer*)m_malloc(sizeof(circbuffer)); - if (size > 0) { - cbuf->data = (unsigned char*)m_malloc(size); - } + /* data is malloced on first write */ + cbuf->data = NULL; cbuf->used = 0; cbuf->readpos = 0; cbuf->writepos = 0; 
@@ -50,8 +49,10 @@ void cbuf_free(circbuffer * cbuf) { - m_burn(cbuf->data, cbuf->size); - m_free(cbuf->data); + if (cbuf->data) { + m_burn(cbuf->data, cbuf->size); + m_free(cbuf->data); + } m_free(cbuf); } @@ -106,6 +107,11 @@ dropbear_exit("Bad cbuf write"); } + if (!cbuf->data) { + /* lazy allocation */ + cbuf->data = (unsigned char*)m_malloc(cbuf->size); + } + return &cbuf->data[cbuf->writepos]; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/cli-auth.c new/dropbear-2015.71/cli-auth.c --- old/dropbear-2015.68/cli-auth.c 2015-08-08 14:35:33.000000000 +0200 +++ new/dropbear-2015.71/cli-auth.c 2015-12-03 14:23:59.000000000 +0100 @@ -324,6 +324,7 @@ return DROPBEAR_FAILURE; } +#if defined(ENABLE_CLI_PASSWORD_AUTH) || defined(ENABLE_CLI_INTERACT_AUTH) /* A helper for getpass() that exits if the user cancels. The returned * password is statically allocated by getpass() */ char* getpass_or_cancel(char* prompt) @@ -347,3 +348,4 @@ } return password; } +#endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/cli-runopts.c new/dropbear-2015.71/cli-runopts.c --- old/dropbear-2015.68/cli-runopts.c 2015-08-08 14:35:33.000000000 +0200 +++ new/dropbear-2015.71/cli-runopts.c 2015-12-03 14:23:59.000000000 +0100 
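Review bot: With `cbuf->data` left NULL by `cbuf_new()` until the first `cbuf_writeptr()` call, only `cbuf_free()` gained a NULL guard in this hunk; the read-side accessors are outside the hunk, so I can't confirm whether their existing `len > used` checks make a NULL `data` unreachable, and if any of them can run on a never-written buffer they would form a pointer from NULL. Making the invariant explicit at the allocation site would help the next reader, e.g. `/* lazy allocation: data stays NULL until the first cbuf_writeptr(); read-side callers rely on used == 0 keeping them away from it */`. The old constructor also skipped allocation for `size == 0`, whereas `m_malloc(cbuf->size)` is now reached for a zero-size buffer on a zero-length write request; keeping a `cbuf->size > 0` condition on the lazy allocation, or confirming `m_malloc(0)` is acceptable, would close that gap. cbuf_writeptr() begins outside this hunk.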
@@ -105,25 +105,30 @@ void cli_getopts(int argc, char ** argv) { unsigned int i, j; char ** next = 0; - unsigned int cmdlen; + enum { #ifdef ENABLE_CLI_PUBKEY_AUTH - int nextiskey = 0; /* A flag if the next argument is a keyfile */ + OPT_AUTHKEY, #endif #ifdef ENABLE_CLI_LOCALTCPFWD - int nextislocal = 0; + OPT_LOCALTCPFWD, #endif #ifdef ENABLE_CLI_REMOTETCPFWD - int nextisremote = 0; + OPT_REMOTETCPFWD, #endif #ifdef ENABLE_CLI_NETCAT - int nextisnetcat = 0; + OPT_NETCAT, #endif + /* a flag (no arg) if 'next' is NULL, a string-valued option otherwise */ + OPT_OTHER + } opt; + unsigned int cmdlen; char* dummy = NULL; /* Not used for anything real */ char* recv_window_arg = NULL; char* keepalive_arg = NULL; char* idle_timeout_arg = NULL; char *host_arg = NULL; + char c; /* see printhelp() for options */ cli_opts.progname = argv[0]; 
@@ -172,54 +177,23 @@ fill_own_user(); - /* Iterate all the arguments */ for (i = 1; i < (unsigned int)argc; i++) { -#ifdef ENABLE_CLI_PUBKEY_AUTH - if (nextiskey) { - /* Load a hostkey since the previous argument was "-i" */ - loadidentityfile(argv[i], 1); - nextiskey = 0; - continue; - } -#endif -#ifdef ENABLE_CLI_REMOTETCPFWD - if (nextisremote) { - TRACE(("nextisremote true")) - addforward(argv[i], cli_opts.remotefwds); - nextisremote = 0; - continue; - } -#endif -#ifdef ENABLE_CLI_LOCALTCPFWD - if (nextislocal) { - TRACE(("nextislocal true")) - addforward(argv[i], cli_opts.localfwds); - nextislocal = 0; - continue; - } -#endif -#ifdef ENABLE_CLI_NETCAT - if (nextisnetcat) { - TRACE(("nextisnetcat true")) - add_netcat(argv[i]); - nextisnetcat = 0; - continue; - } -#endif - if (next) { - /* The previous flag set a value to assign */ - *next = argv[i]; - if (*next == NULL) { - dropbear_exit("Invalid null argument"); + /* Handle non-flag arguments such as hostname or commands for the remote host */ + if (argv[i][0] != '-') + { + if (host_arg == NULL) { + host_arg = argv[i]; + continue; } - next = NULL; - continue; + /* Commands to pass to the remote host. No more flag handling, + commands are consumed below */ + break; } - if (argv[i][0] == '-') { - /* A flag *waves* */ - - switch (argv[i][1]) { + /* Begins with '-' */ + opt = OPT_OTHER; + for (j = 1; (c = argv[i][j]) != '\0' && !next && opt == OPT_OTHER; j++) { + switch (c) { case 'y': /* always accept the remote hostkey */ if (cli_opts.always_accept_key) { /* twice means no checking at all */ @@ -232,12 +206,7 @@ break; #ifdef ENABLE_CLI_PUBKEY_AUTH case 'i': /* an identityfile */ - /* Keep scp happy when it changes "-i file" to "-ifile" */ - if (strlen(argv[i]) > 2) { - loadidentityfile(&argv[i][2], 1); - } else { - nextiskey = 1; - } + opt = OPT_AUTHKEY; break; #endif case 't': /* we want a pty */ 
@@ -257,7 +226,7 @@ break; #ifdef ENABLE_CLI_LOCALTCPFWD case 'L': - nextislocal = 1; + opt = OPT_LOCALTCPFWD; break; case 'g': opts.listen_fwd_all = 1; @@ -265,12 +234,12 @@ #endif #ifdef ENABLE_CLI_REMOTETCPFWD case 'R': - nextisremote = 1; + opt = OPT_REMOTETCPFWD; break; #endif #ifdef ENABLE_CLI_NETCAT case 'B': - nextisnetcat = 1; + opt = OPT_NETCAT; break; #endif #ifdef ENABLE_CLI_PROXYCMD 
@@ -336,50 +305,85 @@ case 'b': next = &dummy; default: - fprintf(stderr, - "WARNING: Ignoring unknown argument '%s'\n", argv[i]); + fprintf(stderr, + "WARNING: Ignoring unknown option -%c\n", c); break; } /* Switch */ - - /* Now we handle args where they might be "-luser" (no spaces)*/ - if (next && strlen(argv[i]) > 2) { - *next = &argv[i][2]; - next = NULL; - } + } - continue; /* next argument */ + if (!next && opt == OPT_OTHER) /* got a flag */ + continue; - } else { - TRACE(("non-flag arg: '%s'", argv[i])) + if (c == '\0') { + i++; + j = 0; + if (!argv[i]) + dropbear_exit("Missing argument"); + } - /* Either the hostname or commands */ +#ifdef ENABLE_CLI_PUBKEY_AUTH + if (opt == OPT_AUTHKEY) { + TRACE(("opt authkey")) + loadidentityfile(&argv[i][j], 1); + } + else +#endif +#ifdef ENABLE_CLI_REMOTETCPFWD + if (opt == OPT_REMOTETCPFWD) { + TRACE(("opt remotetcpfwd")) + addforward(&argv[i][j], cli_opts.remotefwds); + } + else +#endif +#ifdef ENABLE_CLI_LOCALTCPFWD + if (opt == OPT_LOCALTCPFWD) { + TRACE(("opt localtcpfwd")) + addforward(&argv[i][j], cli_opts.localfwds); + } + else +#endif +#ifdef ENABLE_CLI_NETCAT + if (opt == OPT_NETCAT) { + TRACE(("opt netcat")) + add_netcat(&argv[i][j]); + } + else +#endif + if (next) { + /* The previous flag set a value to assign */ + *next = &argv[i][j]; + if (*next == NULL) + dropbear_exit("Invalid null argument"); + next = NULL; + } + } - if (host_arg == NULL) { - host_arg = argv[i]; - } else { + /* Done with options/flags; now handle the hostname (which may not + * start with a hyphen) and optional command */ - /* this is part of the commands to send - after this we - * don't parse any more options, and flags are sent as the - * command */ - cmdlen = 0; - for (j = i; j < (unsigned int)argc; j++) { - cmdlen += strlen(argv[j]) + 1; /* +1 for spaces */ - } - /* Allocate the space */ - cli_opts.cmd = (char*)m_malloc(cmdlen); - cli_opts.cmd[0] = '\0'; - - /* Append all the bits */ - for (j = i; j < (unsigned int)argc; j++) { - 
strlcat(cli_opts.cmd, argv[j], cmdlen); - strlcat(cli_opts.cmd, " ", cmdlen); - } - /* It'll be null-terminated here */ + if (host_arg == NULL) { /* missing hostname */ + printhelp(); + exit(EXIT_FAILURE); + } + TRACE(("host is: %s", host_arg)) - /* We've eaten all the options and flags */ - break; - } + if (i < (unsigned int)argc) { + /* Build the command to send */ + cmdlen = 0; + for (j = i; j < (unsigned int)argc; j++) + cmdlen += strlen(argv[j]) + 1; /* +1 for spaces */ + + /* Allocate the space */ + cli_opts.cmd = (char*)m_malloc(cmdlen); + cli_opts.cmd[0] = '\0'; + + /* Append all the bits */ + for (j = i; j < (unsigned int)argc; j++) { + strlcat(cli_opts.cmd, argv[j], cmdlen); + strlcat(cli_opts.cmd, " ", cmdlen); } + /* It'll be null-terminated here */ + TRACE(("cmd is: %s", cli_opts.cmd)) } /* And now a few sanity checks and setup */ @@ -388,11 +392,6 @@ parse_ciphers_macs(); #endif - if (host_arg == NULL) { - printhelp(); - exit(EXIT_FAILURE); - } - #ifdef ENABLE_CLI_PROXYCMD if (cli_opts.proxycmd) { /* To match the common path of m_freeing it */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/common-channel.c new/dropbear-2015.71/common-channel.c --- old/dropbear-2015.68/common-channel.c 2015-08-08 14:35:33.000000000 +0200 +++ new/dropbear-2015.71/common-channel.c 2015-12-03 14:23:59.000000000 +0100 @@ -42,7 +42,7 @@ static void send_msg_channel_open_confirmation(struct Channel* channel, unsigned int recvwindow, unsigned int recvmaxpacket); -static void writechannel(struct Channel* channel, int fd, circbuffer *cbuf, +static int writechannel(struct Channel* channel, int fd, circbuffer *cbuf, const unsigned char *moredata, unsigned int *morelen); static void send_msg_channel_window_adjust(struct Channel *channel, unsigned int incr); 
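Review bot: A lone `-` argument is now accepted silently: with `j = 1` the loop condition `(c = argv[i][j]) != '\0'` is false on the first test, `opt` stays `OPT_OTHER` and `next` is NULL, so `if (!next && opt == OPT_OTHER) continue;` skips it without the warning the old `default:` case printed for it. Because the loop body increments `j` on every pass, `j == 1` after the loop identifies that case exactly; `if (j == 1) { fprintf(stderr, "WARNING: Ignoring empty option '-'\n"); continue; }` placed directly after the `for` loop restores the diagnostic. Separately, `dropbear_exit("Missing argument")` could name the offending option, which at that point is `argv[i][j-1]` if captured before `i` and `j` are advanced. cli_getopts() begins and ends outside this hunk.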
@@ -100,15 +100,6 @@ TRACE(("leave chancleanup")) } -static void -chan_initwritebuf(struct Channel *channel) -{ - dropbear_assert(channel->writebuf->size == 0 && channel->recvwindow == 0); - cbuf_free(channel->writebuf); - channel->writebuf = cbuf_new(opts.recv_window); - channel->recvwindow = opts.recv_window; -} - /* Create a new channel entry, send a reply confirm or failure */ /* If remotechan, transwindow and transmaxpacket are not know (for a new * outgoing connection, with them to be filled on confirmation), they should @@ -167,8 +158,8 @@ newchan->await_open = 0; newchan->flushing = 0; - newchan->writebuf = cbuf_new(0); /* resized later by chan_initwritebuf */ - newchan->recvwindow = 0; + newchan->writebuf = cbuf_new(opts.recv_window); + newchan->recvwindow = opts.recv_window; newchan->extrabuf = NULL; /* The user code can set it up */ newchan->recvdonelen = 0; @@ -256,7 +247,6 @@ if (ses.channel_signal_pending) { /* SIGCHLD can change channel state for server sessions */ do_check_close = 1; - ses.channel_signal_pending = 0; } /* handle any channel closing etc */ @@ -378,7 +368,6 @@ { channel->readfd = channel->writefd = sock; channel->conn_pending = NULL; - chan_initwritebuf(channel); send_msg_channel_open_confirmation(channel, channel->recvwindow, channel->recvmaxpacket); TRACE(("leave channel_connect_done: success")) @@ -435,7 +424,7 @@ } #ifndef HAVE_WRITEV -static void writechannel_fallback(struct Channel* channel, int fd, circbuffer *cbuf, +static int writechannel_fallback(struct Channel* channel, int fd, circbuffer *cbuf, const unsigned char *UNUSED(moredata), unsigned int *morelen) { unsigned char *circ_p1, *circ_p2; 
@@ -454,16 +443,18 @@ if (errno != EINTR && errno != EAGAIN) { TRACE(("channel IO write error fd %d %s", fd, strerror(errno))) close_chan_fd(channel, fd, SHUT_WR); + return DROPBEAR_FAILURE; } } else { cbuf_incrread(cbuf, written); channel->recvdonelen += written; } + return DROPBEAR_SUCCESS; } #endif /* !HAVE_WRITEV */ #ifdef HAVE_WRITEV -static void writechannel_writev(struct Channel* channel, int fd, circbuffer *cbuf, +static int writechannel_writev(struct Channel* channel, int fd, circbuffer *cbuf, const unsigned char *moredata, unsigned int *morelen) { struct iovec iov[3]; @@ -502,7 +493,7 @@ From common_recv_msg_channel_data() then channelio(). The second call may not have any data to write, so we just return. */ TRACE(("leave writechannel, no data")) - return; + return DROPBEAR_SUCCESS; } if (morelen) { @@ -516,6 +507,7 @@ if (errno != EINTR && errno != EAGAIN) { TRACE(("channel IO write error fd %d %s", fd, strerror(errno))) close_chan_fd(channel, fd, SHUT_WR); + return DROPBEAR_FAILURE; } } else { int cbuf_written = MIN(circ_len1+circ_len2, (unsigned int)written); 
@@ -525,20 +517,22 @@ } channel->recvdonelen += written; } - + return DROPBEAR_SUCCESS; } #endif /* HAVE_WRITEV */ /* Called to write data out to the local side of the channel. Writes the circular buffer contents and also the "moredata" buffer - if not null. Will ignore EAGAIN */ -static void writechannel(struct Channel* channel, int fd, circbuffer *cbuf, + if not null. Will ignore EAGAIN. + Returns DROPBEAR_FAILURE if writing to fd had an error and the channel is being closed, DROPBEAR_SUCCESS otherwise */ +static int writechannel(struct Channel* channel, int fd, circbuffer *cbuf, const unsigned char *moredata, unsigned int *morelen) { + int ret = DROPBEAR_SUCCESS; TRACE(("enter writechannel fd %d", fd)) #ifdef HAVE_WRITEV - writechannel_writev(channel, fd, cbuf, moredata, morelen); + ret = writechannel_writev(channel, fd, cbuf, moredata, morelen); #else - writechannel_fallback(channel, fd, cbuf, moredata, morelen); + ret = writechannel_fallback(channel, fd, cbuf, moredata, morelen); #endif /* Window adjust handling */ @@ -554,6 +548,7 @@ channel->recvwindow <= cbuf_getavail(channel->extrabuf)); TRACE(("leave writechannel")) + return ret; } @@ -828,6 +823,7 @@ unsigned int buflen; unsigned int len; unsigned int consumed; + int res; TRACE(("enter recv_msg_channel_data")) @@ -860,7 +856,7 @@ /* Attempt to write the data immediately without having to put it in the circular buffer */ consumed = datalen; - writechannel(channel, fd, cbuf, buf_getptr(ses.payload, datalen), &consumed); + res = writechannel(channel, fd, cbuf, buf_getptr(ses.payload, datalen), &consumed); datalen -= consumed; buf_incrpos(ses.payload, consumed); 
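Review bot: When the selected helper returns `DROPBEAR_FAILURE`, `writechannel()` still falls through to the window-adjust block that follows the `#endif`, even though that helper has already called `close_chan_fd(channel, fd, SHUT_WR)` on the fd. I can't see the window-adjust code from this hunk, so this may be harmless, but an early exit such as `if (ret == DROPBEAR_FAILURE) { TRACE(("leave writechannel, fd closed")) return ret; }` right after the `#endif` would make the "channel is being closed" contract in the new comment hold without depending on that code tolerating a half-closed channel. The new comment should also record what both helpers visibly do on `EINTR`/`EAGAIN`, e.g. `Returns DROPBEAR_FAILURE only for hard write errors; EINTR/EAGAIN are treated as success and the data is left for the next call`.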
@@ -868,17 +864,20 @@ /* We may have to run throught twice, if the buffer wraps around. Can't * just "leave it for next time" like with writechannel, since this - * is payload data */ - len = datalen; - while (len > 0) { - buflen = cbuf_writelen(cbuf); - buflen = MIN(buflen, len); - - memcpy(cbuf_writeptr(cbuf, buflen), - buf_getptr(ses.payload, buflen), buflen); - cbuf_incrwrite(cbuf, buflen); - buf_incrpos(ses.payload, buflen); - len -= buflen; + * is payload data. + * If the writechannel() failed then remaining data is discarded */ + if (res == DROPBEAR_SUCCESS) { + len = datalen; + while (len > 0) { + buflen = cbuf_writelen(cbuf); + buflen = MIN(buflen, len); + + memcpy(cbuf_writeptr(cbuf, buflen), + buf_getptr(ses.payload, buflen), buflen); + cbuf_incrwrite(cbuf, buflen); + buf_incrpos(ses.payload, buflen); + len -= buflen; + } } TRACE(("leave recv_msg_channel_data")) @@ -970,6 +969,7 @@ if (channel == NULL) { TRACE(("newchannel returned NULL")) + errtype = SSH_OPEN_RESOURCE_SHORTAGE; goto failure; } @@ -991,8 +991,6 @@ channel->prio = DROPBEAR_CHANNEL_PRIO_BULK; } - chan_initwritebuf(channel); - /* success */ send_msg_channel_open_confirmation(channel, channel->recvwindow, channel->recvmaxpacket); @@ -1135,7 +1133,6 @@ /* Outbound opened channels don't make use of in-progress connections, * we can set it up straight away */ - chan_initwritebuf(chan); /* set fd non-blocking */ setnonblocking(fd); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/common-kex.c new/dropbear-2015.71/common-kex.c --- old/dropbear-2015.68/common-kex.c 2015-08-08 14:35:33.000000000 +0200 +++ new/dropbear-2015.71/common-kex.c 2015-12-03 14:23:59.000000000 +0100 @@ -760,6 +760,7 @@ unsigned char out[CURVE25519_LEN]; const unsigned char* Q_C = NULL; const unsigned char* Q_S = NULL; + char zeroes[CURVE25519_LEN] = {0}; if (buf_pub_them->len != CURVE25519_LEN) { 
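Review bot: Skipping the copy into `cbuf` when `res == DROPBEAR_FAILURE` discards the remaining `datalen` bytes, but nothing in the hunk accounts for them: `buf_incrpos(ses.payload, ...)` was only advanced by `consumed`, and `recvdonelen` is only incremented for bytes actually written, so if `channel->recvwindow` has already been debited for the full `datalen` earlier in this function (not visible here) no window adjust will ever be issued for the discarded bytes. That is presumably fine because `close_chan_fd()` has shut the write side and the channel is on its way out, but the comment should say so explicitly, e.g. `/* If writechannel() failed the fd is already being closed, so the remaining payload is dropped and no window adjust is owed for it */`. Worth confirming that no later code in this function reads `ses.payload` expecting it to have been fully consumed. recv_msg_channel_data() begins and ends outside this hunk.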
@@ -767,6 +768,11 @@ } curve25519_donna(out, param->priv, buf_pub_them->data); + + if (constant_time_memcmp(zeroes, out, CURVE25519_LEN) == 0) { + dropbear_exit("Bad curve25519"); + } + m_mp_alloc_init_multi(&ses.dh_K, NULL); bytes_to_mp(ses.dh_K, out, CURVE25519_LEN); m_burn(out, sizeof(out)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/common-session.c new/dropbear-2015.71/common-session.c --- old/dropbear-2015.68/common-session.c 2015-08-08 14:35:33.000000000 +0200 +++ new/dropbear-2015.71/common-session.c 2015-12-03 14:23:59.000000000 +0100 @@ -159,6 +159,17 @@ FD_ZERO(&readfd); dropbear_assert(ses.payload == NULL); + /* We get woken up when signal handlers write to this pipe. + SIGCHLD in svr-chansession is the only one currently. */ + FD_SET(ses.signal_pipe[0], &readfd); + ses.channel_signal_pending = 0; + + /* set up for channels which can be read/written */ + setchannelfds(&readfd, &writefd, writequeue_has_space); + + /* Pending connections to test */ + set_connect_fds(&writefd); + /* We delay reading from the input socket during initial setup until after we have written out our initial KEXINIT packet (empty writequeue). This means our initial packet can be in-flight while we're doing a blocking 
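Review bot: `zeroes` is declared `char` while `out` is `unsigned char`, and its value never changes, so a `static const unsigned char zeroes[CURVE25519_LEN] = {0};` avoids both the sign mismatch and re-initialising a stack array on every key exchange. The check deserves a one-line rationale so it is not removed as redundant later, e.g. `/* An all-zero shared secret means the peer supplied a low-order or otherwise invalid public key; abort rather than derive session keys from it (RFC 7748 section 6.1). */`. `constant_time_memcmp` is a reasonable choice here even though the outcome is immediately revealed by `dropbear_exit`, since it keeps the comparison's timing independent of where the first non-zero byte sits. The enclosing function begins outside this hunk.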
@@ -170,19 +181,12 @@ && writequeue_has_space) { FD_SET(ses.sock_in, &readfd); } + + /* Ordering is important, this test must occur after any other function + might have queued packets (such as connection handlers) */ if (ses.sock_out != -1 && !isempty(&ses.writequeue)) { FD_SET(ses.sock_out, &writefd); } - - /* We get woken up when signal handlers write to this pipe. - SIGCHLD in svr-chansession is the only one currently. */ - FD_SET(ses.signal_pipe[0], &readfd); - - /* set up for channels which can be read/written */ - setchannelfds(&readfd, &writefd, writequeue_has_space); - - /* Pending connections to test */ - set_connect_fds(&writefd); val = select(ses.maxfd+1, &readfd, &writefd, NULL, &timeout); @@ -208,7 +212,9 @@ wake up the select() above. */ if (FD_ISSET(ses.signal_pipe[0], &readfd)) { char x; + TRACE(("signal pipe set")) while (read(ses.signal_pipe[0], &x, 1) > 0) {} + ses.channel_signal_pending = 1; } /* check for auth timeout, rekeying required etc */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/config.h.in new/dropbear-2015.71/config.h.in --- old/dropbear-2015.68/config.h.in 2015-08-08 14:35:35.000000000 +0200 +++ new/dropbear-2015.71/config.h.in 2015-12-03 14:24:01.000000000 +0100 @@ -63,6 +63,9 @@ /* Define if gai_strerror() returns const char * */ #undef HAVE_CONST_GAI_STRERROR_PROTO +/* crypt() function */ +#undef HAVE_CRYPT + /* Define to 1 if you have the <crypt.h> header file. */ #undef HAVE_CRYPT_H 
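Review bot: `ses.channel_signal_pending` is set here after the pipe is drained and cleared again at the top of the next iteration (the `@@ -159,6 +159,17 @@` hunk above), so the flag survives exactly one pass of the loop; since this commit also removes the reset in channelio(), that consumer must run before the loop wraps for the SIGCHLD not to be lost. If any check between this point and the channelio() call can `continue` the loop, the drained pipe plus the top-of-loop reset would drop that wake-up; I can't see the rest of session_loop() from this hunk, so treat this as a question rather than a defect. A comment stating the invariant would help, e.g. `/* Cleared before select(); channelio() must observe this before the next iteration or the wake-up is lost */`.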
@@ -99,6 +102,9 @@ /* Define to 1 if you have the `getnameinfo' function. */ #undef HAVE_GETNAMEINFO +/* Define to 1 if you have the `getpass' function. */ +#undef HAVE_GETPASS + /* Define to 1 if you have the `getspnam' function. */ #undef HAVE_GETSPNAM diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/configure new/dropbear-2015.71/configure --- old/dropbear-2015.68/configure 2015-08-08 14:35:35.000000000 +0200 +++ new/dropbear-2015.71/configure 2015-12-03 14:24:01.000000000 +0100 @@ -4349,7 +4349,11 @@ fi -# Checks for libraries. +ac_fn_c_check_func "$LINENO" "crypt" "ac_cv_func_crypt" +if test "x$ac_cv_func_crypt" = xyes; then : + found_crypt_func=here +fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for crypt in -lcrypt" >&5 $as_echo_n "checking for crypt in -lcrypt... " >&6; } if ${ac_cv_lib_crypt_crypt+:} false; then : @@ -4387,10 +4391,18 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypt_crypt" >&5 $as_echo "$ac_cv_lib_crypt_crypt" >&6; } if test "x$ac_cv_lib_crypt_crypt" = xyes; then : - CRYPTLIB="-lcrypt" + + CRYPTLIB="-lcrypt" + found_crypt_func=here + fi +if test "t$found_crypt_func" = there; then + +$as_echo "#define HAVE_CRYPT 1" >>confdefs.h + +fi # Check if zlib is needed @@ -6697,7 +6709,7 @@ rm -f conftest* -for ac_func in dup2 getspnam getusershell memset putenv select socket strdup clearenv strlcpy strlcat daemon basename _getpty getaddrinfo freeaddrinfo getnameinfo fork writev +for ac_func in dup2 getpass getspnam getusershell memset putenv select socket strdup clearenv strlcpy strlcat daemon basename _getpty getaddrinfo freeaddrinfo getnameinfo fork writev do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" 
@@ -8139,6 +8151,21 @@ $as_echo "$as_me: Using system libtomcrypt and libtommath" >&6;} fi + +if test "x$ac_cv_func_getpass" != xyes; then +{ $as_echo "$as_me:${as_lineno-$LINENO}: " >&5 +$as_echo "$as_me: " >&6;} +{ $as_echo "$as_me:${as_lineno-$LINENO}: getpass() not available, dbclient will only have public-key authentication" >&5 +$as_echo "$as_me: getpass() not available, dbclient will only have public-key authentication" >&6;} +fi + +if test "t$found_crypt_func" != there; then +{ $as_echo "$as_me:${as_lineno-$LINENO}: " >&5 +$as_echo "$as_me: " >&6;} +{ $as_echo "$as_me:${as_lineno-$LINENO}: crypt() not available, dropbear server will not have password authentication" >&5 +$as_echo "$as_me: crypt() not available, dropbear server will not have password authentication" >&6;} +fi + { $as_echo "$as_me:${as_lineno-$LINENO}: " >&5 $as_echo "$as_me: " >&6;} { $as_echo "$as_me:${as_lineno-$LINENO}: Now edit options.h to choose features." >&5 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/configure.ac new/dropbear-2015.71/configure.ac --- old/dropbear-2015.68/configure.ac 2015-08-08 14:35:33.000000000 +0200 +++ new/dropbear-2015.71/configure.ac 2015-12-03 14:23:59.000000000 +0100 @@ -82,9 +82,19 @@ AC_MSG_NOTICE([Using uClibc - login() and logout() probably don't work, so we won't use them.]) ],,,) -# Checks for libraries. -AC_CHECK_LIB(crypt, crypt, CRYPTLIB="-lcrypt") +dnl We test for crypt() specially. On Linux (and others?) it resides in libcrypt +dnl but we don't want link all binaries to -lcrypt, just dropbear server. +dnl OS X doesn't need -lcrypt +AC_CHECK_FUNC(crypt, found_crypt_func=here) +AC_CHECK_LIB(crypt, crypt, + [ + CRYPTLIB="-lcrypt" + found_crypt_func=here + ]) AC_SUBST(CRYPTLIB) +if test "t$found_crypt_func" = there; then +AC_DEFINE(HAVE_CRYPT, 1, [crypt() function]) +fi # Check if zlib is needed AC_ARG_WITH(zlib, 
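Review bot: `if test "t$found_crypt_func" = there` only works because the literal `t` concatenated with `here` spells `there`; it is correct but reads like a typo, and the same construction recurs in the `@@ -719,10 +729,21 @@` hunk below. A conventional flag matches the `"x$ac_cv_func_getpass" != xyes` test used a few lines later: `AC_CHECK_FUNC(crypt, found_crypt_func=yes)`, `found_crypt_func=yes` inside the `AC_CHECK_LIB` action, and `if test "x$found_crypt_func" = xyes; then`. The `dnl` comment could also state the consequence the generated `configure` already prints, e.g. `dnl HAVE_CRYPT gates server password authentication; without it dropbear is built with public-key auth only`.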
@@ -632,7 +642,7 @@ AC_PROG_GCC_TRADITIONAL AC_FUNC_MEMCMP AC_FUNC_SELECT_ARGTYPES -AC_CHECK_FUNCS([dup2 getspnam getusershell memset putenv select socket strdup clearenv strlcpy strlcat daemon basename _getpty getaddrinfo freeaddrinfo getnameinfo fork writev]) +AC_CHECK_FUNCS([dup2 getpass getspnam getusershell memset putenv select socket strdup clearenv strlcpy strlcat daemon basename _getpty getaddrinfo freeaddrinfo getnameinfo fork writev]) AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) @@ -719,10 +729,21 @@ AC_MSG_NOTICE() if test $BUNDLED_LIBTOM = 1 ; then -AC_MSG_NOTICE(Using bundled libtomcrypt and libtommath) +AC_MSG_NOTICE([Using bundled libtomcrypt and libtommath]) else -AC_MSG_NOTICE(Using system libtomcrypt and libtommath) +AC_MSG_NOTICE([Using system libtomcrypt and libtommath]) +fi + + +if test "x$ac_cv_func_getpass" != xyes; then +AC_MSG_NOTICE() +AC_MSG_NOTICE([getpass() not available, dbclient will only have public-key authentication]) +fi + +if test "t$found_crypt_func" != there; then +AC_MSG_NOTICE() +AC_MSG_NOTICE([crypt() not available, dropbear server will not have password authentication]) fi AC_MSG_NOTICE() -AC_MSG_NOTICE(Now edit options.h to choose features.) +AC_MSG_NOTICE([Now edit options.h to choose features.]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/dbclient.1 new/dropbear-2015.71/dbclient.1 --- old/dropbear-2015.68/dbclient.1 2015-08-08 14:35:33.000000000 +0200 +++ new/dropbear-2015.71/dbclient.1 2015-12-03 14:23:59.000000000 +0100 
@@ -3,25 +3,32 @@ dbclient \- lightweight SSH client .SH SYNOPSIS .B dbclient -[\-Tt] [\-p +[\fIflag arguments\fR] [\-p .I port\fR] [\-i .I id\fR] [\-L -.I l\fR:\fIh\fR:\fIr\fR] [\-R -.I l\fR:\fIh\fR:\fIr\fR] [\-l +.I l\fR:\fIh\fR:\fIp\fR] [\-R +.I l\fR:\fIh\fR:\fIp\fR] [\-l .IR user ] .I host +.RI [ \fImore\ flags\fR ] .RI [ command ] .B dbclient -[ -.I args ] -.I [user1]@host1[^port1],[user2]@host2[^port2],... +[\fIargs\fR] +[\fIuser1\fR]@\fIhost1\fR[^\fIport1\fR],[\fIuser2\fR]@\fIhost2\fR[^\fIport2\fR],... .SH DESCRIPTION .B dbclient is a small SSH client .SH OPTIONS .TP +.TP +.B command +A command to run on the remote host. This will normally be run by the remote host +using the user's shell. The command begins at the first hyphen argument after the +host argument. If no command is specified an interactive terminal will be opened +(see -t and -T). +.TP .B \-p \fIport Connect to .I port @@ -35,7 +42,7 @@ (multiple allowed). This file is created with dropbearkey(1) or converted from OpenSSH with dropbearconvert(1). The default path ~/.ssh/id_dropbear is used .TP -.B \-L [\fIlistenaddress\fR]:\fIlistenport\fR:\fIhost\fR:\fIport\fR +.B \-L\fR [\fIlistenaddress\fR]:\fIlistenport\fR:\fIhost\fR:\fIport\fR Local port forwarding. Forward the port .I listenport @@ -44,7 +51,7 @@ on the host .IR host . .TP -.B \-R [\fIlistenaddress\fR]:\fIlistenport\fR:\fIhost\fR:\fIport\fR +.B \-R\fR [\fIlistenaddress\fR]:\fIlistenport\fR:\fIhost\fR:\fIport\fR Remote port forwarding. Forward the port .I listenport @@ -60,10 +67,12 @@ on the remote host. .TP .B \-t -Allocate a PTY. +Allocate a PTY. This is the default when no command is given, it gives a full +interactive remote session. The main effect is that keystrokes are sent remotely +immediately as opposed to local line-based editing. .TP .B \-T -Don't allocate a PTY. +Don't allocate a PTY. This is the default a command is given. See -t. .TP .B \-N Don't request a remote shell or run any commands. Any command arguments are ignored. 
@@ -129,7 +138,7 @@ this case a connection will be made to the first host, then a TCP forwarded connection will be made through that to the second host, and so on. Hosts other than the final destination will not see anything other than the encrypted SSH stream. -A port for a host can be specified with a hash (eg matt@martello^44 ). +A port for a host can be specified with a caret (eg matt@martello^44 ). This syntax can also be used with scp or rsync (specifying dbclient as the ssh/rsh command). A file can be "bounced" through multiple SSH hops, eg @@ -157,6 +166,10 @@ on standard output. This program will only be used if either DISPLAY is set and standard input is not a TTY, or the environment variable SSH_ASKPASS_ALWAYS is set. +.SH NOTES +If compiled with zlib support and if the server supports it, dbclient will +always use compression. + .SH AUTHOR Matt Johnston ([email protected]). .br diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/debian/changelog new/dropbear-2015.71/debian/changelog --- old/dropbear-2015.68/debian/changelog 2015-08-08 14:35:33.000000000 +0200 +++ new/dropbear-2015.71/debian/changelog 2015-12-03 14:23:59.000000000 +0100 
@@ -1,3 +1,21 @@ +dropbear (2015.71-0.1) unstable; urgency=low + + * New upstream release. + + -- Matt Johnston <[email protected]> Thu, 3 Dec 2015 22:52:58 +0800 + +dropbear (2015.70-0.1) unstable; urgency=low + + * New upstream release. + + -- Matt Johnston <[email protected]> Thu, 26 Nov 2015 22:52:58 +0800 + +dropbear (2015.69-0.1) unstable; urgency=low + + * New upstream release. + + -- Matt Johnston <[email protected]> Wed, 25 Nov 2015 22:52:58 +0800 + dropbear (2015.68-0.1) unstable; urgency=low * New upstream release. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/dropbear.8 new/dropbear-2015.71/dropbear.8 --- old/dropbear-2015.68/dropbear.8 2015-08-08 14:35:33.000000000 +0200 +++ new/dropbear-2015.71/dropbear.8 2015-12-03 14:23:59.000000000 +0100 @@ -3,11 +3,10 @@ dropbear \- lightweight SSH server .SH SYNOPSIS .B dropbear -[\-RFEmwsgjki] [\-b +[\fIflag arguments\fR] [\-b .I banner\fR] [\-r -.I hostkeyfile\fR] [\-p -.IR [address:]port ] +.I hostkeyfile\fR] [\-p [\fIaddress\fR:]\fIport\fR] .SH DESCRIPTION .B dropbear is a small SSH server @@ -54,7 +53,7 @@ .B \-k Disable remote port forwarding. .TP -.B \-p \fI[address:]port +.B \-p\fR [\fIaddress\fR:]\fIport Listen on specified .I address and TCP @@ -128,7 +127,7 @@ same functionality with other means even if no-pty is set. .TP -.B command="\fIforced_command\fR" +.B command=\fR"\fIforced_command\fR" Disregard the command provided by the user and always run \fIforced_command\fR. The authorized_keys file and its containing ~/.ssh directory must only be diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/dropbearconvert.1 new/dropbear-2015.71/dropbearconvert.1 --- old/dropbear-2015.68/dropbearconvert.1 2015-08-08 14:35:33.000000000 +0200 +++ new/dropbear-2015.71/dropbearconvert.1 2015-12-03 14:23:59.000000000 +0100 
@@ -21,24 +21,24 @@ .P Encrypted private keys are not supported, use ssh-keygen(1) to decrypt them first. -.SH OPTIONS +.SH ARGUMENTS .TP -.B input type +.I input_type Either .I dropbear or .I openssh .TP -.B output type +.I output_type Either .I dropbear or .I openssh .TP -.B input file +.I input_file An existing Dropbear or OpenSSH private key file .TP -.B output file +.I output_file The path to write the converted private key file. For client authentication ~/.ssh/id_dropbear is loaded by default .SH EXAMPLE # dropbearconvert openssh dropbear ~/.ssh/id_rsa ~/.ssh/id_dropbear diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/dropbearkey.1 new/dropbear-2015.71/dropbearkey.1 --- old/dropbear-2015.68/dropbearkey.1 2015-08-08 14:35:33.000000000 +0200 +++ new/dropbear-2015.71/dropbearkey.1 2015-12-03 14:23:59.000000000 +0100 @@ -9,13 +9,11 @@ .I file [\-s .IR bits ] +[\-y] .SH DESCRIPTION .B dropbearkey generates a -.I RSA -.I DSS, -or -.I ECDSA +\fIRSA\fR, \fIDSS\fR, or \fIECDSA\fR format SSH private key, and saves it to a file for the use with the Dropbear client or server. Note that 
@@ -33,18 +31,25 @@ .TP .B \-f \fIfile Write the secret key to the file -.IR file . For client authentication ~/.ssh/id_dropbear is loaded by default +\fIfile\fR. For client authentication ~/.ssh/id_dropbear is loaded by default .TP .B \-s \fIbits Set the key size to .I bits bits, should be multiple of 8 (optional). +.TP +.B \-y +Just print the publickey and fingerprint for the private key in \fIfile\fR. .SH NOTES The program dropbearconvert(1) can be used to convert between Dropbear and OpenSSH key formats. .P Dropbear does not support encrypted keys. .SH EXAMPLE +generate a host-key: # dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key + +extract a public key suitable for authorized_keys from private key: + # dropbearkey -y -f id_rsa | grep "^ssh-rsa " >> authorized_keys .SH AUTHOR Matt Johnston ([email protected]). .br diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/netio.c new/dropbear-2015.71/netio.c --- old/dropbear-2015.68/netio.c 2015-08-08 14:35:34.000000000 +0200 +++ new/dropbear-2015.71/netio.c 2015-12-03 14:24:00.000000000 +0100 
@@ -174,28 +174,26 @@ void set_connect_fds(fd_set *writefd) { m_list_elem *iter; - TRACE(("enter handle_connect_fds")) - for (iter = ses.conn_pending.first; iter; iter = iter->next) { + TRACE(("enter set_connect_fds")) + iter = ses.conn_pending.first; + while (iter) { + m_list_elem *next_iter = iter->next; struct dropbear_progress_connection *c = iter->item; /* Set one going */ - while (c->res_iter && c->sock < 0) - { + while (c->res_iter && c->sock < 0) { connect_try_next(c); } if (c->sock >= 0) { FD_SET(c->sock, writefd); } else { - m_list_elem *remove_iter; /* Final failure */ if (!c->errstring) { c->errstring = m_strdup("unexpected failure"); } c->cb(DROPBEAR_FAILURE, -1, c->cb_data, c->errstring); - /* Safely remove without invalidating iter */ - remove_iter = iter; - iter = iter->prev; - remove_connect(c, remove_iter); + remove_connect(c, iter); } + iter = next_iter; } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/options.h new/dropbear-2015.71/options.h --- old/dropbear-2015.68/options.h 2015-08-08 14:35:34.000000000 +0200 +++ new/dropbear-2015.71/options.h 2015-12-03 14:24:00.000000000 +0100 @@ -206,7 +206,10 @@ * PAM challenge/response. * You can't enable both PASSWORD and PAM. */ +/* This requires crypt() */ +#ifdef HAVE_CRYPT #define ENABLE_SVR_PASSWORD_AUTH +#endif /* PAM requires ./configure --enable-pam */ /*#define ENABLE_SVR_PAM_AUTH */ #define ENABLE_SVR_PUBKEY_AUTH 
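Review bot: `next_iter` is captured before `c->cb(DROPBEAR_FAILURE, -1, c->cb_data, c->errstring)` runs, so the new loop is only safe if that failure callback never removes another entry from `ses.conn_pending`; if it can, `next_iter` may already be freed when it is assigned back to `iter`. The old `iter->prev` scheme had the same exposure, so this looks like an invariant worth recording rather than a regression. Suggest `/* next_iter is saved before the failure callback: c->cb must not remove other conn_pending entries */` above the `m_list_elem *next_iter = iter->next;` line. The whole of set_connect_fds appears to be inside this hunk, from its signature on the first context line to the closing brace on the last.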
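Review bot: Wrapping `#define ENABLE_SVR_PASSWORD_AUTH` in `#ifdef HAVE_CRYPT` ties the server's password authentication to a configure macro being visible at this point in options.h; if HAVE_CRYPT is not defined when this header is processed (failed probe, or the configure results included after it), password auth is silently compiled out instead of the build failing. The same applies to the `#ifdef HAVE_GETPASS` guard around `ENABLE_CLI_PASSWORD_AUTH` and `ENABLE_CLI_INTERACT_AUTH` in the following hunk. A comment such as `/* HAVE_CRYPT is set by configure; without it password auth is silently disabled rather than failing the build */` would make the dependency explicit, and a preprocessor diagnostic when neither PASSWORD nor PAM server auth ends up enabled would turn a silent behaviour change into a visible one.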
@@ -217,9 +220,12 @@ #define ENABLE_SVR_PUBKEY_OPTIONS #endif +/* This requires getpass. */ +#ifdef HAVE_GETPASS #define ENABLE_CLI_PASSWORD_AUTH -#define ENABLE_CLI_PUBKEY_AUTH #define ENABLE_CLI_INTERACT_AUTH +#endif +#define ENABLE_CLI_PUBKEY_AUTH /* A default argument for dbclient -i <privatekey>. Homedir is prepended unless path begins with / */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/release.sh new/dropbear-2015.71/release.sh --- old/dropbear-2015.68/release.sh 2015-08-08 14:35:34.000000000 +0200 +++ new/dropbear-2015.71/release.sh 2015-12-03 14:24:00.000000000 +0100 @@ -39,4 +39,7 @@ ls -l $ARCHIVE openssl sha -sha256 $ARCHIVE -echo "Done to $ARCHIVE" +echo Done to +echo "$ARCHIVE" +echo Sign it with +echo gpg2 --detach-sign -a -u F29C6773 "$ARCHIVE" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/runopts.h new/dropbear-2015.71/runopts.h --- old/dropbear-2015.68/runopts.h 2015-08-08 14:35:34.000000000 +0200 +++ new/dropbear-2015.71/runopts.h 2015-12-03 14:24:00.000000000 +0100 @@ -33,7 +33,8 @@ typedef struct runopts { -#if defined(ENABLE_SVR_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) +#if defined(ENABLE_SVR_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) \ + || defined(ENABLE_CLI_REMOTETCPFWD) int listen_fwd_all; #endif unsigned int recv_window; @@ -71,7 +72,8 @@ int forkbg; int usingsyslog; - /* ports is an array of the portcount listening ports */ + /* ports and addresses are arrays of the portcount + listening ports. strings are malloced. */ char *ports[DROPBEAR_MAX_PORTS]; unsigned int portcount; char *addresses[DROPBEAR_MAX_PORTS]; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/scp.c new/dropbear-2015.71/scp.c --- old/dropbear-2015.68/scp.c 2015-08-08 14:35:34.000000000 +0200 +++ new/dropbear-2015.71/scp.c 2015-12-03 14:24:00.000000000 +0100 
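Review bot: The added `echo gpg2 --detach-sign -a -u F29C6773 "$ARCHIVE"` only prints the signing command, which is fine as a reminder, but it selects the key by a 32-bit short key ID, and short IDs are cheap to collide, so the full fingerprint is the safer selector to put in a line people will copy and run. The new lines also quote `"$ARCHIVE"` while the unchanged `ls -l $ARCHIVE` and `openssl sha -sha256 $ARCHIVE` lines do not; quoting those as well would keep the script consistent.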
@@ -992,7 +992,7 @@ continue; } omode = mode; - mode |= S_IWRITE; + mode |= S_IWUSR; if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) { bad: run_err("%s: %s", np, strerror(errno)); continue; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/session.h new/dropbear-2015.71/session.h --- old/dropbear-2015.68/session.h 2015-08-08 14:35:34.000000000 +0200 +++ new/dropbear-2015.71/session.h 2015-12-03 14:24:00.000000000 +0100 @@ -293,10 +293,9 @@ int interact_request_received; /* flag whether we've received an info request from the server for interactive auth.*/ - +#endif int cipher_none_after_auth; /* Set to 1 if the user requested "none" auth */ -#endif sign_key *lastprivkey; int retval; /* What the command exit status was - we emulate it */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/svr-chansession.c new/dropbear-2015.71/svr-chansession.c --- old/dropbear-2015.68/svr-chansession.c 2015-08-08 14:35:34.000000000 +0200 +++ new/dropbear-2015.71/svr-chansession.c 2015-12-03 14:24:00.000000000 +0100 @@ -814,7 +814,7 @@ login_free_entry(li); #ifdef DO_MOTD - if (svr_opts.domotd) { + if (svr_opts.domotd && !chansess->cmd) { /* don't show the motd if ~/.hushlogin exists */ /* 12 == strlen("/.hushlogin\0") */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/svr-runopts.c new/dropbear-2015.71/svr-runopts.c --- old/dropbear-2015.68/svr-runopts.c 2015-08-08 14:35:34.000000000 +0200 +++ new/dropbear-2015.71/svr-runopts.c 2015-12-03 14:24:00.000000000 +0100 @@ -33,7 +33,7 @@ svr_runopts svr_opts; /* GLOBAL */ static void printhelp(const char * progname); -static void addportandaddress(char* spec); +static void addportandaddress(const char* spec); static void loadhostkey(const char *keyfile, int fatal_duplicate); static void addhostkey(const char *keyfile); 
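Review bot: Moving `#endif` above `int cipher_none_after_auth;` makes that field unconditional, but the `#ifdef` it used to sit inside opens before the hunk, so the condition it now escapes is not visible here and it is worth confirming that the code reading the field is compiled unconditionally too. The field's comment reads `/* Set to 1 if the user requested "none" auth */` while the name refers to a cipher; if it really tracks the "none" cipher after authentication, `/* Set to 1 if the user requested the "none" cipher once authenticated */` would say what the code means.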
@@ -112,13 +112,14 @@ void svr_getopts(int argc, char ** argv) { - unsigned int i; + unsigned int i, j; char ** next = 0; int nextisport = 0; char* recv_window_arg = NULL; char* keepalive_arg = NULL; char* idle_timeout_arg = NULL; char* keyfile = NULL; + char c; /* see printhelp() for options */ @@ -168,28 +169,11 @@ #endif for (i = 1; i < (unsigned int)argc; i++) { - if (nextisport) { - addportandaddress(argv[i]); - nextisport = 0; - continue; - } - - if (next) { - *next = argv[i]; - if (*next == NULL) { - dropbear_exit("Invalid null argument"); - } - next = 0x00; - - if (keyfile) { - addhostkey(keyfile); - keyfile = NULL; - } - continue; - } + if (argv[i][0] != '-' || argv[i][1] == '\0') + dropbear_exit("Invalid argument: %s", argv[i]); - if (argv[i][0] == '-') { - switch (argv[i][1]) { + for (j = 1; (c = argv[i][j]) != '\0' && !next && !nextisport; j++) { + switch (c) { case 'b': next = &svr_opts.bannerfile; break; @@ -278,12 +262,39 @@ exit(EXIT_SUCCESS); break; default: - fprintf(stderr, "Unknown argument %s\n", argv[i]); + fprintf(stderr, "Invalid option -%c\n", c); printhelp(argv[0]); exit(EXIT_FAILURE); break; } } + + if (!next && !nextisport) + continue; + + if (c == '\0') { + i++; + j = 0; + if (!argv[i]) { + dropbear_exit("Missing argument"); + } + } + + if (nextisport) { + addportandaddress(&argv[i][j]); + nextisport = 0; + } else if (next) { + *next = &argv[i][j]; + if (*next == NULL) { + dropbear_exit("Invalid null argument"); + } + next = 0x00; + + if (keyfile) { + addhostkey(keyfile); + keyfile = NULL; + } + } } /* Set up listening ports */ 
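Review bot: The hand-off between the option loop and the argument code in the `@@ -278` hunk is not self-explanatory: after `for (j = 1; (c = argv[i][j]) != '\0' && !next && !nextisport; j++)` exits because an option wanted an argument, `c` is the character after the option letter, `'\0'` meaning the argument is the next argv element and anything else meaning the rest of this element (`-p2222`) is the argument. A comment stating that contract above `if (c == '\0') {` would spare the next reader the trace, e.g. `/* c is the char after the option letter: '\0' -> argument is argv[i+1], otherwise the remainder of argv[i] is the argument */`. The `if (*next == NULL)` check below it is now unreachable since `&argv[i][j]` is never null; the `if (!argv[i])` test above is the one that matters. In the `@@ -168` hunk the new `if (argv[i][0] != '-' || argv[i][1] == '\0') dropbear_exit(...)` is unbraced, unlike the rest of the function. svr_getopts starts before the first of these hunks and its option cases lie between them, outside the diff.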
@@ -337,54 +348,56 @@ } } -static void addportandaddress(char* spec) { - - char *myspec = NULL; +static void addportandaddress(const char* spec) { + char *spec_copy = NULL, *myspec = NULL, *port = NULL, *address = NULL; if (svr_opts.portcount < DROPBEAR_MAX_PORTS) { /* We don't free it, it becomes part of the runopt state */ - myspec = m_strdup(spec); + spec_copy = m_strdup(spec); + myspec = spec_copy; if (myspec[0] == '[') { myspec++; - svr_opts.ports[svr_opts.portcount] = strchr(myspec, ']'); - if (svr_opts.ports[svr_opts.portcount] == NULL) { + port = strchr(myspec, ']'); + if (!port) { /* Unmatched [ -> exit */ dropbear_exit("Bad listen address"); } - svr_opts.ports[svr_opts.portcount][0] = '\0'; - svr_opts.ports[svr_opts.portcount]++; - if (svr_opts.ports[svr_opts.portcount][0] != ':') { + port[0] = '\0'; + port++; + if (port[0] != ':') { /* Missing port -> exit */ dropbear_exit("Missing port"); } } else { /* search for ':', that separates address and port */ - svr_opts.ports[svr_opts.portcount] = strrchr(myspec, ':'); + port = strrchr(myspec, ':'); } - if (svr_opts.ports[svr_opts.portcount] == NULL) { + if (!port) { /* no ':' -> the whole string specifies just a port */ - svr_opts.ports[svr_opts.portcount] = myspec; + port = myspec; } else { /* Split the address/port */ - svr_opts.ports[svr_opts.portcount][0] = '\0'; - svr_opts.ports[svr_opts.portcount]++; - svr_opts.addresses[svr_opts.portcount] = myspec; + port[0] = '\0'; + port++; + address = myspec; } - if (svr_opts.addresses[svr_opts.portcount] == NULL) { + if (!address) { /* no address given -> fill in the default address */ - svr_opts.addresses[svr_opts.portcount] = m_strdup(DROPBEAR_DEFADDRESS); + address = DROPBEAR_DEFADDRESS; } - if (svr_opts.ports[svr_opts.portcount][0] == '\0') { + if (port[0] == '\0') { /* empty port -> exit */ dropbear_exit("Bad port"); } - + svr_opts.ports[svr_opts.portcount] = m_strdup(port); + svr_opts.addresses[svr_opts.portcount] = m_strdup(address); svr_opts.portcount++; + 
m_free(spec_copy); } } @@ -540,6 +553,6 @@ #endif /* DROPBEAR_ECDSA */ if (!any_keys) { - dropbear_exit("No hostkeys available"); + dropbear_exit("No hostkeys available. 'dropbear -R' may be useful or run dropbearkey."); } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dropbear-2015.68/sysoptions.h new/dropbear-2015.71/sysoptions.h --- old/dropbear-2015.68/sysoptions.h 2015-08-08 14:35:34.000000000 +0200 +++ new/dropbear-2015.71/sysoptions.h 2015-12-03 14:24:00.000000000 +0100 @@ -4,7 +4,7 @@ *******************************************************************/ #ifndef DROPBEAR_VERSION -#define DROPBEAR_VERSION "2015.68" +#define DROPBEAR_VERSION "2015.71" #endif #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION @@ -150,7 +150,7 @@ RECV_WINDOWEXTEND bytes */ #define MAX_RECV_WINDOW (1024*1024) /* 1 MB should be enough */ -#define MAX_CHANNELS 100 /* simple mem restriction, includes each tcp/x11 +#define MAX_CHANNELS 1000 /* simple mem restriction, includes each tcp/x11 connection, so can't be _too_ small */ #define MAX_STRING_LEN (MAX(MAX_CMD_LEN, 2400)) /* Sun SSH needs 2400 for algos,
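Review bot: The comment `/* We don't free it, it becomes part of the runopt state */` is now stale: `spec_copy` is freed at the end of the function, and what persists in `svr_opts` are the `m_strdup(port)` and `m_strdup(address)` copies made just before `svr_opts.portcount++`. Suggest `/* spec_copy is scratch; the strdup'd port/address below become part of svr_opts and are never freed */` in its place. The unchanged `if (svr_opts.portcount < DROPBEAR_MAX_PORTS)` guard still drops any surplus `-p` silently, so a listener the operator asked for can be missing with no message; an else branch with `dropbear_exit("Too many listen ports")` would match how the other malformed specs are handled here. addportandaddress opens at the top of the hunk and its closing brace follows `m_free(spec_copy);` on the last hunk line.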
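Review bot: `MAX_CHANNELS` goes from 100 to 1000 but the comment beside it still only says `simple mem restriction, includes each tcp/x11 connection, so can't be _too_ small`, so the reason a ten-fold higher ceiling is now acceptable is not recorded next to the number that governs it. If the cap was raised because the per-channel cost dropped, say so in the comment, e.g. `/* simple mem restriction, includes each tcp/x11 connection, so can't be _too_ small; 1000 is affordable now that an idle channel is cheap */`, and state what memory a peer can drive at this cap so the limit can be revisited against that figure.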
