diff options
| -rw-r--r-- | .hgsigs | 1 | ||||
| -rw-r--r-- | .hgtags | 1 | ||||
| -rw-r--r-- | CHANGES | 15 | ||||
| -rw-r--r-- | cli-runopts.c | 70 | ||||
| -rw-r--r-- | cli-tcpfwd.c | 23 | ||||
| -rw-r--r-- | common-algo.c | 6 | ||||
| -rw-r--r-- | dbclient.1 | 14 | ||||
| -rw-r--r-- | debian/changelog | 6 | ||||
| -rw-r--r-- | runopts.h | 6 | ||||
| -rw-r--r-- | svr-runopts.c | 42 | ||||
| -rw-r--r-- | sysoptions.h | 2 |
11 files changed, 159 insertions, 27 deletions
@@ -18,3 +18,4 @@ a687f835236c7025b5cb2968fe9c4ebc4a49f0ea 0 iQIcBAABCgAGBQJVxg62AAoJEPSYMBLCC7qsC ef4b26364b0cdda1084751d7de3d76c589e2d9cb 0 iQIcBAABCgAGBQJVxg7BAAoJEESTFJTynGdz9Q4P/A0Kq4H52rQqxq42PoEMFbVQIUfkFzyWjAz8eEGLmP5x5/sdpyxZDEyBSUG55uyNvOPTHE+Sd3t2h2Iieq749qwYgqggXC0P+C0zGzW3hB5Rv6dTUrKN1yCyaWE2tY488RsyVlcAs4vrp1Cum5Gv8/BUVKjzZmkZ1iq/3RyrvbLEiLoMrcLnQ+sUdaYHvfEwxDbzpOEvepg8iDJBitTrfG9xHp9otX6ucahwn1EumFvC5mvUxbiQ9jv76t4FJztjMoB24hPCH9T1FjB8uNsoM+j2Z67r81eJrGgNpJzjX0S3lY/AADZGhfGnfybTM9gFuQayIJuCJqduQibVwYkAAnPi17NmbdwPu0Rdz55oU+ft09XLVm/qkQcD1EP5bxYWnLIEMkkZQnFx7WdMpjKK9oGxZHeFYAKEgPgePCkk4TQ4PxNa+3854H19AUssQlaueGcbDLyPIRiSyqhleXawGfaJi+1jBt0DM7CNbAHAUWUE07VhQzNGWjabdEk4eXKTmDL+mZJFdHGBhyCve8sPmZBYJvM2PRgcXe8fwFh+R7gVj6kFbZJvgM9kG7EeF+4ZMEXG4yKpV/SKfMMeEPBCZjFxZhlJJ0fsZbB1Y/iLw8LXnJ0fa/5xFYv6k+iytfom/rqS4iUD7NWTjcEYHjd4EO4QlPD2Ef/AWOO8YBUBv8kA af074dbcb68ff8670b3818e0d66d5dc6f1bd5877 0 iQIcBAABCgAGBQJWVdQfAAoJEPSYMBLCC7qs+n4P/RgZU3GsLFJN7v7Cn6NOdKdfjJBmlbCtK9KwlZZaj8fW4noqnLDcDd6a2xT4mDV3rCE6+QYialGXjNkkNCBwD9Z+gFc8spOtThrpQ54dgWzbgDlYB1y7Hp7DoWoJQIlU6Od9nWBemcSrAviOFNAX8+S6poRdEhrHgMcv2xJoqHjvT7X8gob0RnJcYxW5nLWzDaJV58QnX6QlXg4ClSB6IoCeEawdW6WzXlZ9MGsRycTtx1ool7Uo6Vo2xg48n9TaJqM/lbSsMAjHxO/fdTJMWzTId1fuZxJGFVeJbkhjSwlf7fkVXxrgDxjvIAmFDR8TSTfJo50CD82j5rPcd7KSEpQ12ImBUsntPDgOtt/mJZ3HcFds86OZ7NkPpqoJGVFFQ8yUpe//DNSB2Ovg1FrwhSKOq/9N61BBwk1INVFDp1hMq45PIa9gI9zW/99inGDeSSQlxa4iafEUEjXZTRYuX7mFjnWm5q7r134J7kyWQtN/jNUZ71F0mvhnemufgpNY/I/D7K6qkONpbDZ2nuzkhfoqugzhHYp467UePM0qmLTLdXGPPMukoGorpWeiSb2T25AEKm7N4A9NwPmdAnoFjAibjF9FAuU03sl+pu9MqFb+1ldsqjNfxhcJmoAUR5vy3pED9ailCb/OCBVTHkDPfTEhGU3waO9tPM+5x2rGB5fe 5bb5976e6902a0c9fba974a880c68c9487ee1e77 0 iQIcBAABCgAGBQJWVyIKAAoJEESTFJTynGdzQosP/0k5bVTerpUKZLjyNuMU8o0eyc7njkX8EyMOyGbtcArKpzO2opSBTRsuCT9Zsk1iiQ1GMTY1quKD7aNr86Hipqo4th/+ZXmLe9mmaCDukKjD0ZYC4dBVUy6RSUAMvdkDP9sZs7CMTO/22a9SqOsKTv3s2NN6XnsBGnmNbvVx5hkAk5hMVNFrjKIaexzI/7bWQIDRo2HQCaWaL06JvWEDSEQd2mynGSXxT/+m4hBnuGg6qxn2pd4XfG0g10tDAFx64HQkWgZqSB+F8z71Cvfjondy1zjJYgtABqNlwCKQJZhRUW2+PblqQnz08TUy83XN2vtisOju4avGcHSaBgBbMvg8Wx4ZtM7sPP9pLrhhOTd5ceERHeTceTJy+iI1SQFvccjrRfs5aJ0zAQX5q6f4bV0zp5SmxkvnZUEkZIoetkM8VrPOYugqx31LtHAWfVT9NM+VkV/rrxLhk6J0giIQvC9MPWxRDileFVDszPiOgTLcxWjOziOLT+xijcj7dtx1b/f2bNCduN5G7i+icjjTlCNtyRPRqhBqn705W7F+xESP2gsscM/1BjQ7TGidU5m1njdkUjbrqm3+Qic6iqkG7SfETHmQB9mHqpJ0hACRPvZlhwB7oimNHllkrlw8UJw9f0SiuLjfERIgVS2EOp+mAia0RU7MlTt19o017M1ffEYL +926e7275cef4f4f2a4251597ee4814748394824c 0 iQIcBAABCgAGBQJWYES4AAoJEESTFJTynGdzdT0P/0O/1frevtr698DwMe6kmJx35P6Bqq8szntMxYucv0HROTfr85JRcCCSvl/2SflDS215QmOxdvYLGLUWPJNz/gURCLpzsT88KLF68Y1tC72nl4Fj+LGIOlsWsvwEqQqw0v4iQkHIfcxI6q7g1r9Hfldf/ju4bzQ4HnKLxm6KNcLLoAsuehVpQ+njHpLmlLAGHU5a84B7xeXHFR+U/EBPxSdm637rNhmpLpkuK2Mym/Mzv7BThKDstpB8lhFHIwAVNqi3Cy4nGYxFZOJpooUN9pDornqAwuzHmOAMs9+49L8GZ1de5PBRGyFKibzjBIUWPEU9EIkfJVaVwTlqYK8Q/IRi9HjITPx6GpE8cZhdSvAibrQdb6BbIDrZ8eCvD9vnod6Uk0Jb9/ui6nCF9x+CN/3Qez4epV5+JCMYsqCiXFkVPm9Lab6L2eGZis7Q2TXImA/sSV+E4BGfH2urpkKlnuXTTtDp4XRG+lOISkIBXgjVY+uy8soVKNdx1gv+LeY8hu/oQ2NyOlaOeL47aSQ3who4Pk6pVRUOl6zfcKo9Vs6xDWm35A3Z6x/mrAENaXasB0JrfY5nIbefJUpbeSmi76fYldU98HdQNHPHCSeiKVYl7v/B6gi2JXp5xngLZz/5VVAurago7sRmpIp7G/AqU6LNE85IUzG8aQz8AfR0d1dW @@ -50,3 +50,4 @@ cbd674d63cd4f3781464a8d4056a5506c8ae926f DROPBEAR_2015.67 809feaa9408f036734129c77f2b3c7e779d4f099 DROPBEAR_2015.68 1637dbd262124d113e52967df46afd6c715e4fad DROPBEAR_2015.69 79a6ef02307d05cb9dda10465cb5b807baa8f62e DROPBEAR_2015.70 +9a944a243f08be6b22d32f166a0690eb4872462b DROPBEAR_2015.71 @@ -1,3 +1,18 @@ +2015.71 - 3 December 2015 + +- Fix "bad buf_incrpos" when data is transferred, broke in 2015.69 + +- Fix crash on exit when -p address:port is used, broke in 2015.68, thanks to + Frank Stollenwerk for reporting and investigation + +- Fix building with only ENABLE_CLI_REMOTETCPFWD given, patch from Konstantin Tokarev + +- Fix bad configure script test which didn't work with dash shell, patch from Juergen Daubert, + broke in 2015.70 + +- Fix server race condition that could cause sessions to hang on exit, + https://github.com/robotframework/SSHLibrary/issues/128 + 2015.70 - 26 November 2015 - Fix server password authentication on Linux, broke in 2015.69 diff --git a/cli-runopts.c b/cli-runopts.c index e8cb313..0522221 100644 --- a/cli-runopts.c +++ b/cli-runopts.c @@ -46,6 +46,7 @@ static void addforward(const char* str, m_list *fwdlist); #ifdef ENABLE_CLI_NETCAT static void add_netcat(const char *str); #endif +static void add_extendedopt(const char *str); static void printhelp() { @@ -64,6 +65,7 @@ static void printhelp() { "-y Always accept remote host key if unknown\n" "-y -y Don't perform any remote host key checking (caution)\n" "-s Request a subsystem (use by external sftp)\n" + "-o option Set option in OpenSSH-like format ('-o help' to list options)\n" #ifdef ENABLE_CLI_PUBKEY_AUTH "-i <identityfile> (multiple allowed, default %s)\n" #endif @@ -106,6 +108,7 @@ void cli_getopts(int argc, char ** argv) { unsigned int i, j; char ** next = 0; enum { + OPT_EXTENDED_OPTIONS, #ifdef ENABLE_CLI_PUBKEY_AUTH OPT_AUTHKEY, #endif @@ -145,6 +148,9 @@ void cli_getopts(int argc, char ** argv) { #ifdef ENABLE_CLI_PUBKEY_AUTH cli_opts.privkeys = list_new(); #endif +#ifdef ENABLE_CLI_ANYTCPFWD + cli_opts.exit_on_fwd_failure = 0; +#endif #ifdef ENABLE_CLI_LOCALTCPFWD cli_opts.localfwds = list_new(); opts.listen_fwd_all = 0; @@ -224,6 +230,9 @@ void cli_getopts(int argc, char ** argv) { case 's': cli_opts.is_subsystem = 1; break; + case 'o': + opt = OPT_EXTENDED_OPTIONS; + break; #ifdef ENABLE_CLI_LOCALTCPFWD case 'L': opt = OPT_LOCALTCPFWD; @@ -301,7 +310,6 @@ void cli_getopts(int argc, char ** argv) { print_version(); exit(EXIT_SUCCESS); break; - case 'o': case 'b': next = &dummy; default: @@ -321,6 +329,11 @@ void cli_getopts(int argc, char ** argv) { dropbear_exit("Missing argument"); } + if (opt == OPT_EXTENDED_OPTIONS) { + TRACE(("opt extended")) + add_extendedopt(&argv[i][j]); + } + else #ifdef ENABLE_CLI_PUBKEY_AUTH if (opt == OPT_AUTHKEY) { TRACE(("opt authkey")) @@ -806,3 +819,58 @@ badport: dropbear_exit("Bad TCP port in '%s'", origstr); } #endif + +static int match_extendedopt(const char** strptr, const char *optname) { + int seen_eq = 0; + int optlen = strlen(optname); + const char *str = *strptr; + + while (isspace(*str)) + ++str; + + if (strncasecmp(str, optname, optlen) != 0) + return DROPBEAR_FAILURE; + + str += optlen; + + while (isspace(*str) || (!seen_eq && *str == '=')) { + if (*str == '=') + seen_eq = 1; + ++str; + } + + *strptr = str; + return DROPBEAR_SUCCESS; +} + +static int parse_flag_value(const char *value) +{ + if (strcmp(value, "yes") == 0 || strcmp(value, "true") == 0) + return 1; + else if (strcmp(value, "no") == 0 || strcmp(value, "false") == 0) + return 0; + + dropbear_exit("Bad yes/no argument '%s'", value); +} + +static void add_extendedopt(const char* origstr) { + const char *optstr = origstr; + + if (strcmp(origstr, "help") == 0) { + dropbear_log(LOG_INFO, "Available options:\n" +#ifdef ENABLE_CLI_ANYTCPFWD + "\tExitOnForwardFailure\n" +#endif + ); + exit(EXIT_SUCCESS); + } + +#ifdef ENABLE_CLI_ANYTCPFWD + if (match_extendedopt(&optstr, "ExitOnForwardFailure") == DROPBEAR_SUCCESS) { + cli_opts.exit_on_fwd_failure = parse_flag_value(optstr); + return; + } +#endif + + dropbear_exit("Bad configuration option '%s'", origstr); +} diff --git a/cli-tcpfwd.c b/cli-tcpfwd.c index ec65f41..4d46b94 100644 --- a/cli-tcpfwd.c +++ b/cli-tcpfwd.c @@ -60,6 +60,22 @@ static const struct ChanType cli_chan_tcplocal = { }; #endif +#ifdef ENABLE_CLI_ANYTCPFWD +static void fwd_failed(const char* format, ...) ATTRIB_PRINTF(1,2); +void fwd_failed(const char* format, ...) +{ + va_list param; + va_start(param, format); + + if (cli_opts.exit_on_fwd_failure) + _dropbear_exit(EXIT_FAILURE, format, param); + else + _dropbear_log(LOG_WARNING, format, param); + + va_end(param); +} +#endif + #ifdef ENABLE_CLI_LOCALTCPFWD void setup_localtcp() { m_list_elem *iter; @@ -75,7 +91,7 @@ void setup_localtcp() { fwd->connectaddr, fwd->connectport); if (ret == DROPBEAR_FAILURE) { - dropbear_log(LOG_WARNING, "Failed local port forward %s:%d:%s:%d", + fwd_failed("Failed local port forward %s:%d:%s:%d", fwd->listenaddr, fwd->listenport, fwd->connectaddr, @@ -181,7 +197,10 @@ void cli_recv_msg_request_failure() { struct TCPFwdEntry *fwd = (struct TCPFwdEntry*)iter->item; if (!fwd->have_reply) { fwd->have_reply = 1; - dropbear_log(LOG_WARNING, "Remote TCP forward request failed (port %d -> %s:%d)", fwd->listenport, fwd->connectaddr, fwd->connectport); + fwd_failed("Remote TCP forward request failed (port %d -> %s:%d)", + fwd->listenport, + fwd->connectaddr, + fwd->connectport); return; } } diff --git a/common-algo.c b/common-algo.c index 002ae66..51907d0 100644 --- a/common-algo.c +++ b/common-algo.c @@ -249,7 +249,8 @@ algo_type sshhostkey[] = { }; static const struct dropbear_kex kex_dh_group1 = {DROPBEAR_KEX_NORMAL_DH, dh_p_1, DH_P_1_LEN, NULL, &sha1_desc }; -static const struct dropbear_kex kex_dh_group14 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha1_desc }; +static const struct dropbear_kex kex_dh_group14_sha1 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha1_desc }; +static const struct dropbear_kex kex_dh_group14_sha256 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha256_desc }; /* These can't be const since dropbear_ecc_fill_dp() fills out ecc_curve at runtime */ @@ -285,7 +286,8 @@ algo_type sshkex[] = { {"ecdh-sha2-nistp256", 0, &kex_ecdh_nistp256, 1, NULL}, #endif #endif - {"diffie-hellman-group14-sha1", 0, &kex_dh_group14, 1, NULL}, + {"diffie-hellman-group14-sha256", 0, &kex_dh_group14_sha256, 1, NULL}, + {"diffie-hellman-group14-sha1", 0, &kex_dh_group14_sha1, 1, NULL}, {"diffie-hellman-group1-sha1", 0, &kex_dh_group1, 1, NULL}, #ifdef USE_KEXGUESS2 {KEXGUESS2_ALGO_NAME, KEXGUESS2_ALGO_ID, NULL, 1, NULL}, @@ -127,6 +127,20 @@ Specify a comma separated list of ciphers to enable. Use \fI-c help\fR to list p .B \-m \fIMAClist Specify a comma separated list of authentication MACs to enable. Use \fI-m help\fR to list possibilities. .TP +.B \-o \fIoption +Can be used to give options in the format used by OpenSSH config file. This is +useful for specifying options for which there is no separate command-line flag. +For full details of the options listed below, and their possible values, see +ssh_config(5). + +For now only following options have been implemented: +.RS +.RS +.TP +ExitOnForwardFailure +.RE +.RE +.TP .B \-s The specified command will be requested as a subsystem, used for sftp. Dropbear doesn't implement sftp itself but the OpenSSH sftp client can be used eg \fIsftp -S dbclient user@host\fR .TP diff --git a/debian/changelog b/debian/changelog index 7de6617..79ea117 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +dropbear (2015.71-0.1) unstable; urgency=low + + * New upstream release. + + -- Matt Johnston <matt@ucc.asn.au> Thu, 3 Dec 2015 22:52:58 +0800 + dropbear (2015.70-0.1) unstable; urgency=low * New upstream release. @@ -72,7 +72,8 @@ typedef struct svr_runopts { int forkbg; int usingsyslog; - /* ports is an array of the portcount listening ports */ + /* ports and addresses are arrays of the portcount + listening ports. strings are malloced. */ char *ports[DROPBEAR_MAX_PORTS]; unsigned int portcount; char *addresses[DROPBEAR_MAX_PORTS]; @@ -139,6 +140,9 @@ typedef struct cli_runopts { #ifdef ENABLE_CLI_PUBKEY_AUTH m_list *privkeys; /* Keys to use for public-key auth */ #endif +#ifdef ENABLE_CLI_ANYTCPFWD + int exit_on_fwd_failure; +#endif #ifdef ENABLE_CLI_REMOTETCPFWD m_list * remotefwds; #endif diff --git a/svr-runopts.c b/svr-runopts.c index 5bb51f2..0e70998 100644 --- a/svr-runopts.c +++ b/svr-runopts.c @@ -33,7 +33,7 @@ svr_runopts svr_opts; /* GLOBAL */ static void printhelp(const char * progname); -static void addportandaddress(char* spec); +static void addportandaddress(const char* spec); static void loadhostkey(const char *keyfile, int fatal_duplicate); static void addhostkey(const char *keyfile); @@ -348,54 +348,56 @@ void svr_getopts(int argc, char ** argv) { } } -static void addportandaddress(char* spec) { - - char *myspec = NULL; +static void addportandaddress(const char* spec) { + char *spec_copy = NULL, *myspec = NULL, *port = NULL, *address = NULL; if (svr_opts.portcount < DROPBEAR_MAX_PORTS) { /* We don't free it, it becomes part of the runopt state */ - myspec = m_strdup(spec); + spec_copy = m_strdup(spec); + myspec = spec_copy; if (myspec[0] == '[') { myspec++; - svr_opts.ports[svr_opts.portcount] = strchr(myspec, ']'); - if (svr_opts.ports[svr_opts.portcount] == NULL) { + port = strchr(myspec, ']'); + if (!port) { /* Unmatched [ -> exit */ dropbear_exit("Bad listen address"); } - svr_opts.ports[svr_opts.portcount][0] = '\0'; - svr_opts.ports[svr_opts.portcount]++; - if (svr_opts.ports[svr_opts.portcount][0] != ':') { + port[0] = '\0'; + port++; + if (port[0] != ':') { /* Missing port -> exit */ dropbear_exit("Missing port"); } } else { /* search for ':', that separates address and port */ - svr_opts.ports[svr_opts.portcount] = strrchr(myspec, ':'); + port = strrchr(myspec, ':'); } - if (svr_opts.ports[svr_opts.portcount] == NULL) { + if (!port) { /* no ':' -> the whole string specifies just a port */ - svr_opts.ports[svr_opts.portcount] = myspec; + port = myspec; } else { /* Split the address/port */ - svr_opts.ports[svr_opts.portcount][0] = '\0'; - svr_opts.ports[svr_opts.portcount]++; - svr_opts.addresses[svr_opts.portcount] = myspec; + port[0] = '\0'; + port++; + address = myspec; } - if (svr_opts.addresses[svr_opts.portcount] == NULL) { + if (!address) { /* no address given -> fill in the default address */ - svr_opts.addresses[svr_opts.portcount] = m_strdup(DROPBEAR_DEFADDRESS); + address = DROPBEAR_DEFADDRESS; } - if (svr_opts.ports[svr_opts.portcount][0] == '\0') { + if (port[0] == '\0') { /* empty port -> exit */ dropbear_exit("Bad port"); } - + svr_opts.ports[svr_opts.portcount] = m_strdup(port); + svr_opts.addresses[svr_opts.portcount] = m_strdup(address); svr_opts.portcount++; + m_free(spec_copy); } } diff --git a/sysoptions.h b/sysoptions.h index 0ca491a..a29cbbe 100644 --- a/sysoptions.h +++ b/sysoptions.h @@ -4,7 +4,7 @@ *******************************************************************/ #ifndef DROPBEAR_VERSION -#define DROPBEAR_VERSION "2015.70" +#define DROPBEAR_VERSION "2015.71" #endif #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION |