-rw-r--r--CHANGES36
-rw-r--r--cli-kex.c7
-rw-r--r--common-kex.c2
-rw-r--r--common-session.c2
-rw-r--r--debug.h2
-rw-r--r--process-packet.c9
-rw-r--r--session.h5
-rw-r--r--svr-kex.c3
8 files changed, 53 insertions, 13 deletions
diff --git a/CHANGES b/CHANGES
index d21dc99..22b5a37 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,39 @@
+2013.57 -
+
+- Improved initial connection time particularly with high latency connections.
+ The number of round trips has been reduced for both client and server.
+ CPU time hasn't been changed.
+
+- Client will attempt to send an initial key exchange packet to save a round
+ trip. Dropbear implements an extension kexguess2@matt.ucc.asn.au to allow
+ the first packet guess to succeed in wider circumstances than the standard
+ behaviour. When communicating with other implementations the standard
+ behaviour is used.
+
+- Client side: when public key or password authentication with
+ $DROPBEAR_PASSWORD is used, an initial authentication request will
+ be sent immediately rather than querying the list of available methods.
+ This behaviour is enabled by CLI_IMMEDIATE_AUTH option (on by default),
+ please let the Dropbear author know if it causes any interoperability
+ problems.
+
+- Implement client escape characters ~. (terminate session) and
+ ~^Z (background session)
+
+- Server will more reliably clean up utmp when connection is closed
+
+- Don't crash if /dev/urandom isn't writable (RHEL5), thanks to Scott Case
+
+- Add "-y -y" client option to skip host key checking, thanks to Hans Harder
+
+- scp didn't work properly on systems using vfork(), thanks to Frank Van Uffelen
+
+- Added IUTF8 terminal mode support. Not yet standardised though seems that it
+ will soon be
+
+- Some verbose DROPBEAR_TRACE output is now hidden unless $DROPBEAR_TRACE2
+ enviroment variable is set
+
2013.56 - Thursday 21 March 2013
- Allow specifying cipher (-c) and MAC (-m) lists for dbclient
diff --git a/cli-kex.c b/cli-kex.c
index 3859109..e4d41cb 100644
--- a/cli-kex.c
+++ b/cli-kex.c
@@ -61,8 +61,8 @@ void send_msg_kexdh_init() {
buf_putbyte(ses.writepayload, SSH_MSG_KEXDH_INIT);
buf_putmpint(ses.writepayload, cli_ses.dh_e);
encrypt_packet();
- // XXX fixme
- //ses.requirenext = SSH_MSG_KEXDH_REPLY;
+ ses.requirenext[0] = SSH_MSG_KEXDH_REPLY;
+ ses.requirenext[1] = SSH_MSG_KEXINIT;
}
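Review bot: The new `ses.requirenext[1] = SSH_MSG_KEXINIT;` line widens the strict packet-sequencing check after KEXDH_INIT is sent, but nothing at the assignment says why a KEXINIT is an acceptable alternative to the KEXDH_REPLY; a later reader tightening the check could remove it and break the guessed first-exchange path that the CHANGES entry describes. Add a why-comment on those two lines, e.g. `/* KEXDH_REPLY if the guessed kexdh_init was accepted; KEXINIT if the peer rejected the guess and we must restart the exchange (kexguess2) */`, hedging the exact kexguess2 semantics against the implementation outside this hunk. send_msg_kexdh_init begins before the hunk starts.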
/* Handle a diffie-hellman key exchange reply. */
@@ -118,7 +118,8 @@ void recv_msg_kexdh_reply() {
hostkey = NULL;
send_msg_newkeys();
- ses.requirenext = SSH_MSG_NEWKEYS;
+ ses.requirenext[0] = SSH_MSG_NEWKEYS;
+ ses.requirenext[1] = 0;
TRACE(("leave recv_msg_kexdh_init"))
}
diff --git a/common-kex.c b/common-kex.c
index 530de0b..ba06e4f 100644
--- a/common-kex.c
+++ b/common-kex.c
@@ -542,7 +542,7 @@ void recv_msg_kexinit() {
buf_putstring(ses.kexhashbuf,
ses.transkexinit->data, ses.transkexinit->len);
- ses.requirenext = SSH_MSG_KEXDH_INIT;
+ ses.requirenext[0] = SSH_MSG_KEXDH_INIT;
}
buf_free(ses.transkexinit);
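Review bot: The assignment `ses.requirenext[0] = SSH_MSG_KEXDH_INIT;` sets only the first slot and leaves `ses.requirenext[1]` at whatever value it last held, unlike the sibling sites in cli-kex.c and svr-kex.c which reset both slots together; the same applies to the common-session.c hunk. Because process_packet now accepts a packet matching either slot, any stale second value here would silently widen the set of packet types tolerated at this point of the key exchange, which is exactly the sequencing guarantee requirenext exists to enforce. From the visible hunks I cannot tell whether a non-zero second slot can actually survive to this point, so I would make the invariant explicit rather than rely on it: `ses.requirenext[0] = SSH_MSG_KEXDH_INIT;` followed by `ses.requirenext[1] = 0;`. recv_msg_kexinit begins and ends outside the hunk.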
diff --git a/common-session.c b/common-session.c
index 6b357bf..9df0f3d 100644
--- a/common-session.c
+++ b/common-session.c
@@ -82,7 +82,7 @@ void common_session_init(int sock_in, int sock_out) {
initqueue(&ses.writequeue);
- ses.requirenext = SSH_MSG_KEXINIT;
+ ses.requirenext[0] = SSH_MSG_KEXINIT;
ses.dataallowed = 1; /* we can send data until we actually
send the SSH_MSG_KEXINIT */
ses.ignorenext = 0;
diff --git a/debug.h b/debug.h
index be09865..289c577 100644
--- a/debug.h
+++ b/debug.h
@@ -39,7 +39,7 @@
* Caution: Don't use this in an unfriendly environment (ie unfirewalled),
* since the printing may not sanitise strings etc. This will add a reasonable
* amount to your executable size. */
-#define DEBUG_TRACE
+/* #define DEBUG_TRACE */
/* All functions writing to the cleartext payload buffer call
* CHECKCLEARTOWRITE() before writing. This is only really useful if you're
diff --git a/process-packet.c b/process-packet.c
index 128eb72..3ac0c1b 100644
--- a/process-packet.c
+++ b/process-packet.c
@@ -74,14 +74,15 @@ void process_packet() {
/* This applies for KEX, where the spec says the next packet MUST be
* NEWKEYS */
- if (ses.requirenext != 0) {
- if (ses.requirenext != type) {
- /* TODO send disconnect? */
+ if (ses.requirenext[0] != 0) {
+ if (ses.requirenext[0] != type
+ && (ses.requirenext[1] == 0 || ses.requirenext[1] != type)) {
dropbear_exit("Unexpected packet type %d, expected %d", type,
ses.requirenext);
} else {
/* Got what we expected */
- ses.requirenext = 0;
+ ses.requirenext[0] = 0;
+ ses.requirenext[1] = 0;
}
}
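Review bot: The dropbear_exit call in the mismatch branch still passes `ses.requirenext` for the second `%d`, but requirenext is now an `unsigned char[2]`, so the array decays to a pointer and is consumed by an int conversion; that is undefined behaviour and in practice prints a (truncated) address of session state rather than the expected type, so the diagnostic is wrong and arguably leaks an address into the log. The fix is one line: `ses.requirenext[0]);`. Optionally also report the alternate slot, e.g. `"Unexpected packet type %d, expected %d (or %d)"` with `ses.requirenext[0], ses.requirenext[1]`, so the alternate-accept path added here is visible when it fails. process_packet begins before the hunk and continues past it.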
diff --git a/session.h b/session.h
index 4ba8ac8..28cb5a9 100644
--- a/session.h
+++ b/session.h
@@ -135,8 +135,9 @@ struct sshsession {
unsigned dataallowed : 1; /* whether we can send data packets or we are in
the middle of a KEX or something */
- unsigned char requirenext; /* byte indicating what packet we require next,
- or 0x00 for any */
+ unsigned char requirenext[2]; /* bytes indicating what packets we require next,
+ or 0x00 for any. Second option can only be
+ used if the first byte is also set */
unsigned char ignorenext; /* whether to ignore the next packet,
used for kex_follows stuff */
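Review bot: The new comment on `requirenext[2]` reads as though two packets are required in sequence ("what packets we require next"), whereas the process-packet.c change in this commit accepts a packet that matches either entry and then clears both. Rewording it removes the ambiguity: `/* packet types accepted next: [0] is required, [1] is an optional alternative (0 = none) and is only consulted when [0] is set; both are cleared once a matching packet arrives, or 0x00 in [0] for any */`. struct sshsession begins and ends outside the hunk.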
diff --git a/svr-kex.c b/svr-kex.c
index abd7986..e56f082 100644
--- a/svr-kex.c
+++ b/svr-kex.c
@@ -61,7 +61,8 @@ void recv_msg_kexdh_init() {
mp_clear(&dh_e);
send_msg_newkeys();
- ses.requirenext = SSH_MSG_NEWKEYS;
+ ses.requirenext[0] = SSH_MSG_NEWKEYS;
+ ses.requirenext[1] = 0;
TRACE(("leave recv_msg_kexdh_init"))
}