summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
Diffstat
-rw-r--r--.hgsigs1
-rw-r--r--.hgtags1
-rw-r--r--CHANGES3
-rw-r--r--Makefile.in2
-rw-r--r--cli-kex.c4
-rw-r--r--cli-main.c45
-rw-r--r--cli-runopts.c93
-rw-r--r--cli-session.c29
-rw-r--r--cli-tcpfwd.c24
-rw-r--r--common-algo.c22
-rw-r--r--common-kex.c43
-rw-r--r--dbclient.119
-rw-r--r--dbutil.c4
-rw-r--r--dbutil.h2
-rw-r--r--debian/dropbear.init1
-rw-r--r--dh_groups.c128
-rw-r--r--dh_groups.h24
-rw-r--r--kex.h5
-rw-r--r--options.h5
-rw-r--r--runopts.h5
-rw-r--r--scp.c11
-rw-r--r--scpmisc.c4
-rw-r--r--session.h4
-rw-r--r--svr-main.c6
-rw-r--r--svr-runopts.c4
-rw-r--r--svr-session.c5
26 files changed, 403 insertions, 91 deletions
diff --git a/.hgsigs b/.hgsigs
index 683577c..fb2aa02 100644
--- a/.hgsigs
+++ b/.hgsigs
@@ -18,4 +18,5 @@ a687f835236c7025b5cb2968fe9c4ebc4a49f0ea 0 iQIcBAABCgAGBQJVxg62AAoJEPSYMBLCC7qsC
ef4b26364b0cdda1084751d7de3d76c589e2d9cb 0 iQIcBAABCgAGBQJVxg7BAAoJEESTFJTynGdz9Q4P/A0Kq4H52rQqxq42PoEMFbVQIUfkFzyWjAz8eEGLmP5x5/sdpyxZDEyBSUG55uyNvOPTHE+Sd3t2h2Iieq749qwYgqggXC0P+C0zGzW3hB5Rv6dTUrKN1yCyaWE2tY488RsyVlcAs4vrp1Cum5Gv8/BUVKjzZmkZ1iq/3RyrvbLEiLoMrcLnQ+sUdaYHvfEwxDbzpOEvepg8iDJBitTrfG9xHp9otX6ucahwn1EumFvC5mvUxbiQ9jv76t4FJztjMoB24hPCH9T1FjB8uNsoM+j2Z67r81eJrGgNpJzjX0S3lY/AADZGhfGnfybTM9gFuQayIJuCJqduQibVwYkAAnPi17NmbdwPu0Rdz55oU+ft09XLVm/qkQcD1EP5bxYWnLIEMkkZQnFx7WdMpjKK9oGxZHeFYAKEgPgePCkk4TQ4PxNa+3854H19AUssQlaueGcbDLyPIRiSyqhleXawGfaJi+1jBt0DM7CNbAHAUWUE07VhQzNGWjabdEk4eXKTmDL+mZJFdHGBhyCve8sPmZBYJvM2PRgcXe8fwFh+R7gVj6kFbZJvgM9kG7EeF+4ZMEXG4yKpV/SKfMMeEPBCZjFxZhlJJ0fsZbB1Y/iLw8LXnJ0fa/5xFYv6k+iytfom/rqS4iUD7NWTjcEYHjd4EO4QlPD2Ef/AWOO8YBUBv8kA
af074dbcb68ff8670b3818e0d66d5dc6f1bd5877 0 iQIcBAABCgAGBQJWVdQfAAoJEPSYMBLCC7qs+n4P/RgZU3GsLFJN7v7Cn6NOdKdfjJBmlbCtK9KwlZZaj8fW4noqnLDcDd6a2xT4mDV3rCE6+QYialGXjNkkNCBwD9Z+gFc8spOtThrpQ54dgWzbgDlYB1y7Hp7DoWoJQIlU6Od9nWBemcSrAviOFNAX8+S6poRdEhrHgMcv2xJoqHjvT7X8gob0RnJcYxW5nLWzDaJV58QnX6QlXg4ClSB6IoCeEawdW6WzXlZ9MGsRycTtx1ool7Uo6Vo2xg48n9TaJqM/lbSsMAjHxO/fdTJMWzTId1fuZxJGFVeJbkhjSwlf7fkVXxrgDxjvIAmFDR8TSTfJo50CD82j5rPcd7KSEpQ12ImBUsntPDgOtt/mJZ3HcFds86OZ7NkPpqoJGVFFQ8yUpe//DNSB2Ovg1FrwhSKOq/9N61BBwk1INVFDp1hMq45PIa9gI9zW/99inGDeSSQlxa4iafEUEjXZTRYuX7mFjnWm5q7r134J7kyWQtN/jNUZ71F0mvhnemufgpNY/I/D7K6qkONpbDZ2nuzkhfoqugzhHYp467UePM0qmLTLdXGPPMukoGorpWeiSb2T25AEKm7N4A9NwPmdAnoFjAibjF9FAuU03sl+pu9MqFb+1ldsqjNfxhcJmoAUR5vy3pED9ailCb/OCBVTHkDPfTEhGU3waO9tPM+5x2rGB5fe
5bb5976e6902a0c9fba974a880c68c9487ee1e77 0 iQIcBAABCgAGBQJWVyIKAAoJEESTFJTynGdzQosP/0k5bVTerpUKZLjyNuMU8o0eyc7njkX8EyMOyGbtcArKpzO2opSBTRsuCT9Zsk1iiQ1GMTY1quKD7aNr86Hipqo4th/+ZXmLe9mmaCDukKjD0ZYC4dBVUy6RSUAMvdkDP9sZs7CMTO/22a9SqOsKTv3s2NN6XnsBGnmNbvVx5hkAk5hMVNFrjKIaexzI/7bWQIDRo2HQCaWaL06JvWEDSEQd2mynGSXxT/+m4hBnuGg6qxn2pd4XfG0g10tDAFx64HQkWgZqSB+F8z71Cvfjondy1zjJYgtABqNlwCKQJZhRUW2+PblqQnz08TUy83XN2vtisOju4avGcHSaBgBbMvg8Wx4ZtM7sPP9pLrhhOTd5ceERHeTceTJy+iI1SQFvccjrRfs5aJ0zAQX5q6f4bV0zp5SmxkvnZUEkZIoetkM8VrPOYugqx31LtHAWfVT9NM+VkV/rrxLhk6J0giIQvC9MPWxRDileFVDszPiOgTLcxWjOziOLT+xijcj7dtx1b/f2bNCduN5G7i+icjjTlCNtyRPRqhBqn705W7F+xESP2gsscM/1BjQ7TGidU5m1njdkUjbrqm3+Qic6iqkG7SfETHmQB9mHqpJ0hACRPvZlhwB7oimNHllkrlw8UJw9f0SiuLjfERIgVS2EOp+mAia0RU7MlTt19o017M1ffEYL
+926e7275cef4f4f2a4251597ee4814748394824c 0 iQIcBAABCgAGBQJWYES4AAoJEESTFJTynGdzdT0P/0O/1frevtr698DwMe6kmJx35P6Bqq8szntMxYucv0HROTfr85JRcCCSvl/2SflDS215QmOxdvYLGLUWPJNz/gURCLpzsT88KLF68Y1tC72nl4Fj+LGIOlsWsvwEqQqw0v4iQkHIfcxI6q7g1r9Hfldf/ju4bzQ4HnKLxm6KNcLLoAsuehVpQ+njHpLmlLAGHU5a84B7xeXHFR+U/EBPxSdm637rNhmpLpkuK2Mym/Mzv7BThKDstpB8lhFHIwAVNqi3Cy4nGYxFZOJpooUN9pDornqAwuzHmOAMs9+49L8GZ1de5PBRGyFKibzjBIUWPEU9EIkfJVaVwTlqYK8Q/IRi9HjITPx6GpE8cZhdSvAibrQdb6BbIDrZ8eCvD9vnod6Uk0Jb9/ui6nCF9x+CN/3Qez4epV5+JCMYsqCiXFkVPm9Lab6L2eGZis7Q2TXImA/sSV+E4BGfH2urpkKlnuXTTtDp4XRG+lOISkIBXgjVY+uy8soVKNdx1gv+LeY8hu/oQ2NyOlaOeL47aSQ3who4Pk6pVRUOl6zfcKo9Vs6xDWm35A3Z6x/mrAENaXasB0JrfY5nIbefJUpbeSmi76fYldU98HdQNHPHCSeiKVYl7v/B6gi2JXp5xngLZz/5VVAurago7sRmpIp7G/AqU6LNE85IUzG8aQz8AfR0d1dW
fd1981f41c626a969f07b4823848deaefef3c8aa 0 iQIcBAABCgAGBQJW4W2TAAoJEESTFJTynGdzuOcP/j6tvB2WRwSj39KoJuRcRebFWWv4ZHiQXYMXWa3X0Ppzz52r9W0cXDjjlp5FyGdovCQsK+IXmjPo5cCvWBrZJYA6usFr9ssnUtTC+45lvPxPYwj47ZGPngCXDt7LD+v08XhqCu4LsctXIP/zejd30KVS1eR2RHI+tnEyaIKC0Xaa0igcv74MZX7Q8/U+B730QMX5adfYAHoeyRhoctRWaxVV3To7Vadd9jNXP45MRY5auhRcK7XyQcS85vJeCRoysfDUas4ERRQWYkX+68GyzO9GrkYFle931Akw2K6ZZfUuiC2TrF5xv1eRP1Zm2GX481U4ZGFTI8IzZL8sVQ6tvzq2Mxsecu589JNui9aB2d8Gp2Su/E2zn0h0ShIRmviGzf2HiBt+Bnji5X2h/fJKWbLaWge0MdOU5Jidfyh9k0YT7xo4piJLJYSaZ3nv+j4jTYnTfL7uYvuWbYkJ1T32aQVCan7Eup3BFAgQjzbWYi1XQVg6fvu8uHPpS3tNNA9EAMeeyTyg1l6zI2EIU5gPfd/dKmdyotY2lZBkFZNJqFkKRZuzjWekcw7hAxS+Bd68GKklt/DGrQiVycAgimqwXrfkzzQagawq2fXL2uXB8ghlsyxKLSQPnAtBF2Jcn5FH2z7HOQ+e18ZrFfNy0cYa/4OdH6K5aK1igTzhZZP2Urn0
diff --git a/.hgtags b/.hgtags
index cf18375..e9263f5 100644
--- a/.hgtags
+++ b/.hgtags
@@ -50,4 +50,5 @@ cbd674d63cd4f3781464a8d4056a5506c8ae926f DROPBEAR_2015.67
809feaa9408f036734129c77f2b3c7e779d4f099 DROPBEAR_2015.68
1637dbd262124d113e52967df46afd6c715e4fad DROPBEAR_2015.69
79a6ef02307d05cb9dda10465cb5b807baa8f62e DROPBEAR_2015.70
+9a944a243f08be6b22d32f166a0690eb4872462b DROPBEAR_2015.71
78b12b6549be08b0bea3da329b2578060a76ca31 DROPBEAR_2016.72
diff --git a/CHANGES b/CHANGES
index d9d6029..a6cd0b6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,7 +7,8 @@
- Fix "bad buf_incrpos" when data is transferred, broke in 2015.69
-- Fix crash on exit when -p address:port is used, broke in 2015.68
+- Fix crash on exit when -p address:port is used, broke in 2015.68, thanks to
+ Frank Stollenwerk for reporting and investigation
- Fix building with only ENABLE_CLI_REMOTETCPFWD given, patch from Konstantin Tokarev
diff --git a/Makefile.in b/Makefile.in
index b2e7a27..becc4ab 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -44,7 +44,7 @@ CLIOBJS=cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \
CLISVROBJS=common-session.o packet.o common-algo.o common-kex.o \
common-channel.o common-chansession.o termcodes.o loginrec.o \
- tcp-accept.o listener.o process-packet.o \
+ tcp-accept.o listener.o process-packet.o dh_groups.o \
common-runopts.o circbuffer.o curve25519-donna.o list.o netio.o
KEYOBJS=dropbearkey.o
diff --git a/cli-kex.c b/cli-kex.c
index 07ee431..077fec9 100644
--- a/cli-kex.c
+++ b/cli-kex.c
@@ -190,7 +190,7 @@ static void ask_to_confirm(unsigned char* keyblob, unsigned int keybloblen,
fp = sign_key_fingerprint(keyblob, keybloblen);
if (cli_opts.always_accept_key) {
- fprintf(stderr, "\nHost '%s' key accepted unconditionally.\n(%s fingerprint %s)\n",
+ dropbear_log(LOG_INFO, "\nHost '%s' key accepted unconditionally.\n(%s fingerprint %s)\n",
cli_opts.remotehost,
algoname,
fp);
@@ -290,7 +290,7 @@ static void checkhostkey(unsigned char* keyblob, unsigned int keybloblen) {
int ret;
if (cli_opts.no_hostkey_check) {
- fprintf(stderr, "Caution, skipping hostkey check for %s\n", cli_opts.remotehost);
+ dropbear_log(LOG_INFO, "Caution, skipping hostkey check for %s\n", cli_opts.remotehost);
return;
}
diff --git a/cli-main.c b/cli-main.c
index c7c9035..787d770 100644
--- a/cli-main.c
+++ b/cli-main.c
@@ -36,7 +36,8 @@ static void cli_dropbear_exit(int exitcode, const char* format, va_list param) A
static void cli_dropbear_log(int priority, const char* format, va_list param);
#ifdef ENABLE_CLI_PROXYCMD
-static void cli_proxy_cmd(int *sock_in, int *sock_out);
+static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out);
+static void kill_proxy_sighandler(int signo);
#endif
#if defined(DBMULTI_dbclient) || !defined(DROPBEAR_MULTI)
@@ -59,6 +60,12 @@ int main(int argc, char ** argv) {
cli_getopts(argc, argv);
+#ifndef DISABLE_SYSLOG
+ if (opts.usingsyslog) {
+ startsyslog("dbclient");
+ }
+#endif
+
TRACE(("user='%s' host='%s' port='%s'", cli_opts.username,
cli_opts.remotehost, cli_opts.remoteport))
@@ -66,10 +73,16 @@ int main(int argc, char ** argv) {
dropbear_exit("signal() error");
}
+ pid_t proxy_cmd_pid = 0;
#ifdef ENABLE_CLI_PROXYCMD
if (cli_opts.proxycmd) {
- cli_proxy_cmd(&sock_in, &sock_out);
+ cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid);
m_free(cli_opts.proxycmd);
+ if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR ||
+ signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR ||
+ signal(SIGHUP, kill_proxy_sighandler) == SIG_ERR) {
+ dropbear_exit("signal() error");
+ }
} else
#endif
{
@@ -77,7 +90,7 @@ int main(int argc, char ** argv) {
sock_in = sock_out = -1;
}
- cli_session(sock_in, sock_out, progress);
+ cli_session(sock_in, sock_out, progress, proxy_cmd_pid);
/* not reached */
return -1;
@@ -111,13 +124,19 @@ static void cli_dropbear_exit(int exitcode, const char* format, va_list param) {
exit(exitcode);
}
-static void cli_dropbear_log(int UNUSED(priority),
+static void cli_dropbear_log(int priority,
const char* format, va_list param) {
char printbuf[1024];
vsnprintf(printbuf, sizeof(printbuf), format, param);
+#ifndef DISABLE_SYSLOG
+ if (opts.usingsyslog) {
+ syslog(priority, "%s", printbuf);
+ }
+#endif
+
fprintf(stderr, "%s: %s\n", cli_opts.progname, printbuf);
fflush(stderr);
}
@@ -132,16 +151,28 @@ static void exec_proxy_cmd(void *user_data_cmd) {
}
#ifdef ENABLE_CLI_PROXYCMD
-static void cli_proxy_cmd(int *sock_in, int *sock_out) {
+static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+ char * ex_cmd = NULL;
+ size_t ex_cmdlen;
int ret;
fill_passwd(cli_opts.own_user);
- ret = spawn_command(exec_proxy_cmd, cli_opts.proxycmd,
- sock_out, sock_in, NULL, NULL);
+ ex_cmdlen = strlen(cli_opts.proxycmd) + 6; /* "exec " + command + '\0' */
+ ex_cmd = m_malloc(ex_cmdlen);
+ snprintf(ex_cmd, ex_cmdlen, "exec %s", cli_opts.proxycmd);
+
+ ret = spawn_command(exec_proxy_cmd, ex_cmd,
+ sock_out, sock_in, NULL, pid_out);
+ m_free(ex_cmd);
if (ret == DROPBEAR_FAILURE) {
dropbear_exit("Failed running proxy command");
*sock_in = *sock_out = -1;
}
}
+
+static void kill_proxy_sighandler(int UNUSED(signo)) {
+ kill_proxy_command();
+ _exit(1);
+}
#endif /* ENABLE_CLI_PROXYCMD */
diff --git a/cli-runopts.c b/cli-runopts.c
index e8cb313..ab25d37 100644
--- a/cli-runopts.c
+++ b/cli-runopts.c
@@ -46,6 +46,7 @@ static void addforward(const char* str, m_list *fwdlist);
#ifdef ENABLE_CLI_NETCAT
static void add_netcat(const char *str);
#endif
+static void add_extendedopt(const char *str);
static void printhelp() {
@@ -64,6 +65,7 @@ static void printhelp() {
"-y Always accept remote host key if unknown\n"
"-y -y Don't perform any remote host key checking (caution)\n"
"-s Request a subsystem (use by external sftp)\n"
+ "-o option Set option in OpenSSH-like format ('-o help' to list options)\n"
#ifdef ENABLE_CLI_PUBKEY_AUTH
"-i <identityfile> (multiple allowed, default %s)\n"
#endif
@@ -106,6 +108,7 @@ void cli_getopts(int argc, char ** argv) {
unsigned int i, j;
char ** next = 0;
enum {
+ OPT_EXTENDED_OPTIONS,
#ifdef ENABLE_CLI_PUBKEY_AUTH
OPT_AUTHKEY,
#endif
@@ -145,6 +148,9 @@ void cli_getopts(int argc, char ** argv) {
#ifdef ENABLE_CLI_PUBKEY_AUTH
cli_opts.privkeys = list_new();
#endif
+#ifdef ENABLE_CLI_ANYTCPFWD
+ cli_opts.exit_on_fwd_failure = 0;
+#endif
#ifdef ENABLE_CLI_LOCALTCPFWD
cli_opts.localfwds = list_new();
opts.listen_fwd_all = 0;
@@ -167,6 +173,9 @@ void cli_getopts(int argc, char ** argv) {
opts.cipher_list = NULL;
opts.mac_list = NULL;
#endif
+#ifndef DISABLE_SYSLOG
+ opts.usingsyslog = 0;
+#endif
/* not yet
opts.ipv4 = 1;
opts.ipv6 = 1;
@@ -224,6 +233,9 @@ void cli_getopts(int argc, char ** argv) {
case 's':
cli_opts.is_subsystem = 1;
break;
+ case 'o':
+ opt = OPT_EXTENDED_OPTIONS;
+ break;
#ifdef ENABLE_CLI_LOCALTCPFWD
case 'L':
opt = OPT_LOCALTCPFWD;
@@ -301,7 +313,6 @@ void cli_getopts(int argc, char ** argv) {
print_version();
exit(EXIT_SUCCESS);
break;
- case 'o':
case 'b':
next = &dummy;
default:
@@ -321,6 +332,11 @@ void cli_getopts(int argc, char ** argv) {
dropbear_exit("Missing argument");
}
+ if (opt == OPT_EXTENDED_OPTIONS) {
+ TRACE(("opt extended"))
+ add_extendedopt(&argv[i][j]);
+ }
+ else
#ifdef ENABLE_CLI_PUBKEY_AUTH
if (opt == OPT_AUTHKEY) {
TRACE(("opt authkey"))
@@ -475,7 +491,7 @@ static void loadidentityfile(const char* filename, int warnfail) {
keytype = DROPBEAR_SIGNKEY_ANY;
if ( readhostkey(filename, key, &keytype) != DROPBEAR_SUCCESS ) {
if (warnfail) {
- fprintf(stderr, "Failed loading keyfile '%s'\n", filename);
+ dropbear_log(LOG_WARNING, "Failed loading keyfile '%s'\n", filename);
}
sign_key_free(key);
} else {
@@ -806,3 +822,76 @@ badport:
dropbear_exit("Bad TCP port in '%s'", origstr);
}
#endif
+
+static int match_extendedopt(const char** strptr, const char *optname) {
+ int seen_eq = 0;
+ int optlen = strlen(optname);
+ const char *str = *strptr;
+
+ while (isspace(*str)) {
+ ++str;
+ }
+
+ if (strncasecmp(str, optname, optlen) != 0) {
+ return DROPBEAR_FAILURE;
+ }
+
+ str += optlen;
+
+ while (isspace(*str) || (!seen_eq && *str == '=')) {
+ if (*str == '=') {
+ seen_eq = 1;
+ }
+ ++str;
+ }
+
+ if (str-*strptr == optlen) {
+ /* matched just a prefix of optname */
+ return DROPBEAR_FAILURE;
+ }
+
+ *strptr = str;
+ return DROPBEAR_SUCCESS;
+}
+
+static int parse_flag_value(const char *value) {
+ if (strcmp(value, "yes") == 0 || strcmp(value, "true") == 0) {
+ return 1;
+ } else if (strcmp(value, "no") == 0 || strcmp(value, "false") == 0) {
+ return 0;
+ }
+
+ dropbear_exit("Bad yes/no argument '%s'", value);
+}
+
+static void add_extendedopt(const char* origstr) {
+ const char *optstr = origstr;
+
+ if (strcmp(origstr, "help") == 0) {
+ dropbear_log(LOG_INFO, "Available options:\n"
+#ifdef ENABLE_CLI_ANYTCPFWD
+ "\tExitOnForwardFailure\n"
+#endif
+#ifndef DISABLE_SYSLOG
+ "\tUseSyslog\n"
+#endif
+ );
+ exit(EXIT_SUCCESS);
+ }
+
+#ifdef ENABLE_CLI_ANYTCPFWD
+ if (match_extendedopt(&optstr, "ExitOnForwardFailure") == DROPBEAR_SUCCESS) {
+ cli_opts.exit_on_fwd_failure = parse_flag_value(optstr);
+ return;
+ }
+#endif
+
+#ifndef DISABLE_SYSLOG
+ if (match_extendedopt(&optstr, "UseSyslog") == DROPBEAR_SUCCESS) {
+ opts.usingsyslog = parse_flag_value(optstr);
+ return;
+ }
+#endif
+
+ dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr);
+}
diff --git a/cli-session.c b/cli-session.c
index 10244a7..a93d192 100644
--- a/cli-session.c
+++ b/cli-session.c
@@ -41,7 +41,7 @@
static void cli_remoteclosed() ATTRIB_NORETURN;
static void cli_sessionloop();
-static void cli_session_init();
+static void cli_session_init(pid_t proxy_cmd_pid);
static void cli_finished() ATTRIB_NORETURN;
static void recv_msg_service_accept(void);
static void cli_session_cleanup(void);
@@ -104,7 +104,7 @@ void cli_connected(int result, int sock, void* userdata, const char *errstring)
update_channel_prio();
}
-void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress) {
+void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress, pid_t proxy_cmd_pid) {
common_session_init(sock_in, sock_out);
@@ -115,8 +115,7 @@ void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection
chaninitialise(cli_chantypes);
/* Set up cli_ses vars */
- cli_session_init();
-
+ cli_session_init(proxy_cmd_pid);
/* Ready to go */
sessinitdone = 1;
@@ -140,7 +139,7 @@ static void cli_send_kex_first_guess() {
}
#endif
-static void cli_session_init() {
+static void cli_session_init(pid_t proxy_cmd_pid) {
cli_ses.state = STATE_NOTHING;
cli_ses.kex_state = KEX_NOTHING;
@@ -159,6 +158,8 @@ static void cli_session_init() {
cli_ses.retval = EXIT_SUCCESS; /* Assume it's clean if we don't get a
specific exit status */
+ cli_ses.proxy_cmd_pid = proxy_cmd_pid;
+ TRACE(("proxy command PID='%d'", proxy_cmd_pid));
/* Auth */
cli_ses.lastprivkey = NULL;
@@ -268,6 +269,11 @@ static void cli_sessionloop() {
return;
case USERAUTH_SUCCESS_RCVD:
+#ifndef DISABLE_SYSLOG
+ if (opts.usingsyslog) {
+ dropbear_log(LOG_INFO, "Authentication succeeded.");
+ }
+#endif
#ifdef DROPBEAR_NONE_CIPHER
if (cli_ses.cipher_none_after_auth)
@@ -334,12 +340,25 @@ static void cli_sessionloop() {
}
+void kill_proxy_command(void) {
+ /*
+ * Send SIGHUP to proxy command if used. We don't wait() in
+ * case it hangs and instead rely on init to reap the child
+ */
+ if (cli_ses.proxy_cmd_pid > 1) {
+ TRACE(("killing proxy command with PID='%d'", cli_ses.proxy_cmd_pid));
+ kill(cli_ses.proxy_cmd_pid, SIGHUP);
+ }
+}
+
static void cli_session_cleanup(void) {
if (!sessinitdone) {
return;
}
+ kill_proxy_command();
+
/* Set std{in,out,err} back to non-blocking - busybox ash dies nastily if
* we don't revert the flags */
fcntl(cli_ses.stdincopy, F_SETFL, cli_ses.stdinflags);
diff --git a/cli-tcpfwd.c b/cli-tcpfwd.c
index ec65f41..fec5dba 100644
--- a/cli-tcpfwd.c
+++ b/cli-tcpfwd.c
@@ -60,6 +60,23 @@ static const struct ChanType cli_chan_tcplocal = {
};
#endif
+#ifdef ENABLE_CLI_ANYTCPFWD
+static void fwd_failed(const char* format, ...) ATTRIB_PRINTF(1,2);
+void fwd_failed(const char* format, ...)
+{
+ va_list param;
+ va_start(param, format);
+
+ if (cli_opts.exit_on_fwd_failure) {
+ _dropbear_exit(EXIT_FAILURE, format, param);
+ } else {
+ _dropbear_log(LOG_WARNING, format, param);
+ }
+
+ va_end(param);
+}
+#endif
+
#ifdef ENABLE_CLI_LOCALTCPFWD
void setup_localtcp() {
m_list_elem *iter;
@@ -75,7 +92,7 @@ void setup_localtcp() {
fwd->connectaddr,
fwd->connectport);
if (ret == DROPBEAR_FAILURE) {
- dropbear_log(LOG_WARNING, "Failed local port forward %s:%d:%s:%d",
+ fwd_failed("Failed local port forward %s:%d:%s:%d",
fwd->listenaddr,
fwd->listenport,
fwd->connectaddr,
@@ -181,7 +198,10 @@ void cli_recv_msg_request_failure() {
struct TCPFwdEntry *fwd = (struct TCPFwdEntry*)iter->item;
if (!fwd->have_reply) {
fwd->have_reply = 1;
- dropbear_log(LOG_WARNING, "Remote TCP forward request failed (port %d -> %s:%d)", fwd->listenport, fwd->connectaddr, fwd->connectport);
+ fwd_failed("Remote TCP forward request failed (port %d -> %s:%d)",
+ fwd->listenport,
+ fwd->connectaddr,
+ fwd->connectport);
return;
}
}
diff --git a/common-algo.c b/common-algo.c
index 002ae66..1841d67 100644
--- a/common-algo.c
+++ b/common-algo.c
@@ -27,7 +27,7 @@
#include "algo.h"
#include "session.h"
#include "dbutil.h"
-#include "kex.h"
+#include "dh_groups.h"
#include "ltc_prng.h"
#include "ecc.h"
@@ -249,7 +249,14 @@ algo_type sshhostkey[] = {
};
static const struct dropbear_kex kex_dh_group1 = {DROPBEAR_KEX_NORMAL_DH, dh_p_1, DH_P_1_LEN, NULL, &sha1_desc };
-static const struct dropbear_kex kex_dh_group14 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha1_desc };
+static const struct dropbear_kex kex_dh_group14_sha1 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha1_desc };
+static const struct dropbear_kex kex_dh_group14_sha256 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha256_desc };
+#ifdef DROPBEAR_DH_GROUP15
+static const struct dropbear_kex kex_dh_group15_sha256 = {DROPBEAR_KEX_NORMAL_DH, dh_p_15, DH_P_15_LEN, NULL, &sha256_desc };
+#endif
+#ifdef DROPBEAR_DH_GROUP16
+static const struct dropbear_kex kex_dh_group16_sha256 = {DROPBEAR_KEX_NORMAL_DH, dh_p_16, DH_P_16_LEN, NULL, &sha256_desc };
+#endif
/* These can't be const since dropbear_ecc_fill_dp() fills out
ecc_curve at runtime */
@@ -285,8 +292,15 @@ algo_type sshkex[] = {
{"ecdh-sha2-nistp256", 0, &kex_ecdh_nistp256, 1, NULL},
#endif
#endif
- {"diffie-hellman-group14-sha1", 0, &kex_dh_group14, 1, NULL},
+ {"diffie-hellman-group14-sha256", 0, &kex_dh_group14_sha256, 1, NULL},
+ {"diffie-hellman-group14-sha1", 0, &kex_dh_group14_sha1, 1, NULL},
{"diffie-hellman-group1-sha1", 0, &kex_dh_group1, 1, NULL},
+#ifdef DROPBEAR_DH_GROUP15
+ {"diffie-hellman-group15-sha256", 0, &kex_dh_group15_sha256, 1, NULL},
+#endif
+#ifdef DROPBEAR_DH_GROUP16
+ {"diffie-hellman-group16-sha256", 0, &kex_dh_group16_sha256, 1, NULL},
+#endif
#ifdef USE_KEXGUESS2
{KEXGUESS2_ALGO_NAME, KEXGUESS2_ALGO_ID, NULL, 1, NULL},
#endif
@@ -318,7 +332,7 @@ void buf_put_algolist(buffer * buf, algo_type localalgos[]) {
unsigned int donefirst = 0;
buffer *algolist = NULL;
- algolist = buf_new(200);
+ algolist = buf_new(300);
for (i = 0; localalgos[i].name != NULL; i++) {
if (localalgos[i].usable) {
if (donefirst)
diff --git a/common-kex.c b/common-kex.c
index b233819..d403bd2 100644
--- a/common-kex.c
+++ b/common-kex.c
@@ -29,6 +29,7 @@
#include "buffer.h"
#include "session.h"
#include "kex.h"
+#include "dh_groups.h"
#include "ssh.h"
#include "packet.h"
#include "bignum.h"
@@ -37,48 +38,6 @@
#include "ecc.h"
#include "crypto_desc.h"
-/* diffie-hellman-group1-sha1 value for p */
-const unsigned char dh_p_1[DH_P_1_LEN] = {
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
- 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
- 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
- 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
- 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
- 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE6, 0x53, 0x81,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
-
-/* diffie-hellman-group14-sha1 value for p */
-const unsigned char dh_p_14[DH_P_14_LEN] = {
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
- 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
- 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
- 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
- 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
- 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36,
- 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56,
- 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08,
- 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2,
- 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C,
- 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF};
-
-/* Same for group1 and group14 */
-static const int DH_G_VAL = 2;
-
static void kexinitialise();
static void gen_new_keys();
#ifndef DISABLE_ZLIB
diff --git a/dbclient.1 b/dbclient.1
index d9e7631..fee23c6 100644
--- a/dbclient.1
+++ b/dbclient.1
@@ -114,7 +114,8 @@ Disconnect the session if no traffic is transmitted or received for \fIidle_time
.B \-J \fIproxy_command
Use the standard input/output of the program \fIproxy_command\fR rather than using
a normal TCP connection. A hostname should be still be provided, as this is used for
-comparing saved hostkeys.
+comparing saved hostkeys. This command will be executed as "exec proxy_command ..." with the
+default shell.
.TP
.B \-B \fIendhost:endport
"Netcat-alike" mode, where Dropbear will connect to the given host, then create a
@@ -127,6 +128,22 @@ Specify a comma separated list of ciphers to enable. Use \fI-c help\fR to list p
.B \-m \fIMAClist
Specify a comma separated list of authentication MACs to enable. Use \fI-m help\fR to list possibilities.
.TP
+.B \-o \fIoption
+Can be used to give options in the format used by OpenSSH config file. This is
+useful for specifying options for which there is no separate command-line flag.
+For full details of the options listed below, and their possible values, see
+ssh_config(5).
+
+For now following options have been implemented:
+.RS
+.TP
+.B ExitOnForwardFailure
+Specifies whether dbclient should terminate the connection if it cannot set up all requested local and remote port forwardings. The argument must be “yes” or “no”. The default is “no”.
+.TP
+.B UseSyslog
+Send dbclient log messages to syslog in addition to stderr.
+.RE
+.TP
.B \-s
The specified command will be requested as a subsystem, used for sftp. Dropbear doesn't implement sftp itself but the OpenSSH sftp client can be used eg \fIsftp -S dbclient user@host\fR
.TP
diff --git a/dbutil.c b/dbutil.c
index d87835b..7c7c069 100644
--- a/dbutil.c
+++ b/dbutil.c
@@ -84,9 +84,9 @@ int debug_trace = 0;
#endif
#ifndef DISABLE_SYSLOG
-void startsyslog() {
+void startsyslog(const char *ident) {
- openlog(PROGNAME, LOG_PID, LOG_AUTHPRIV);
+ openlog(ident, LOG_PID, LOG_AUTHPRIV);
}
#endif /* DISABLE_SYSLOG */
diff --git a/dbutil.h b/dbutil.h
index e1db328..098563d 100644
--- a/dbutil.h
+++ b/dbutil.h
@@ -31,7 +31,7 @@
#include "queue.h"
#ifndef DISABLE_SYSLOG
-void startsyslog();
+void startsyslog(const char *ident);
#endif
#ifdef __GNUC__
diff --git a/debian/dropbear.init b/debian/dropbear.init
index 1705330..ef3ec3f 100644
--- a/debian/dropbear.init
+++ b/debian/dropbear.init
@@ -5,6 +5,7 @@
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
+# Short-Description: Dropbear SSH server
### END INIT INFO
#
# Do not configure this file. Edit /etc/default/dropbear instead!
diff --git a/dh_groups.c b/dh_groups.c
new file mode 100644
index 0000000..205dea3
--- /dev/null
+++ b/dh_groups.c
@@ -0,0 +1,128 @@
+#include "options.h"
+#include "dh_groups.h"
+
+/* diffie-hellman-group1-sha1 value for p */
+const unsigned char dh_p_1[DH_P_1_LEN] = {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
+ 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+ 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
+ 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+ 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
+ 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+ 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
+ 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+ 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
+ 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE6, 0x53, 0x81,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
+
+/* diffie-hellman-group14-sha1 value for p */
+const unsigned char dh_p_14[DH_P_14_LEN] = {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
+ 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+ 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
+ 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+ 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
+ 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+ 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
+ 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+ 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
+ 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+ 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36,
+ 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+ 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56,
+ 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+ 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08,
+ 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+ 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2,
+ 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
+ 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C,
+ 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+ 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF};
+
+#ifdef DROPBEAR_DH_GROUP15
+/* diffie-hellman-group15-sha256 value for p */
+const unsigned char dh_p_15[DH_P_15_LEN] = {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
+ 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+ 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
+ 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+ 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
+ 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+ 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
+ 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+ 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
+ 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+ 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36,
+ 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+ 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56,
+ 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+ 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08,
+ 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+ 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2,
+ 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
+ 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C,
+ 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+ 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, 0xAD, 0x33, 0x17, 0x0D,
+ 0x04, 0x50, 0x7A, 0x33, 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64,
+ 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, 0x8A, 0xEA, 0x71, 0x57,
+ 0x5D, 0x06, 0x0C, 0x7D, 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7,
+ 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, 0x1E, 0x8C, 0x94, 0xE0,
+ 0x4A, 0x25, 0x61, 0x9D, 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B,
+ 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, 0xD8, 0x76, 0x02, 0x73,
+ 0x3E, 0xC8, 0x6A, 0x64, 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C,
+ 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, 0x77, 0x09, 0x88, 0xC0,
+ 0xBA, 0xD9, 0x46, 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31,
+ 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, 0x4B, 0x82, 0xD1, 0x20,
+ 0xA9, 0x3A, 0xD2, 0xCA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
+#endif /* DROPBEAR_DH_GROUP15 */
+
+
+#ifdef DROPBEAR_DH_GROUP16
+/* diffie-hellman-group16-256 value for p */
+const unsigned char dh_p_16[DH_P_16_LEN] = {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21,
+ 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 0x29, 0x02,
+ 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B,
+ 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, 0xEF, 0x95, 0x19, 0xB3,
+ 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, 0x4F,
+ 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E,
+ 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C,
+ 0xB6, 0xF4, 0x06, 0xB7, 0xED, 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5,
+ 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC,
+ 0xE4, 0x5B, 0x3D, 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA,
+ 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF,
+ 0x5F, 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56,
+ 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, 0x67,
+ 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18,
+ 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, 0xE3, 0x9E, 0x77,
+ 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,
+ 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, 0xDE, 0x2B, 0xCB, 0xF6, 0x95,
+ 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2,
+ 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4,
+ 0x2D, 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, 0xA8, 0x55, 0x21, 0xAB,
+ 0xDF, 0x1C, 0xBA, 0x64, 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, 0x8A,
+ 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1,
+ 0xE4, 0xC7, 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, 0x1E, 0x8C, 0x94,
+ 0xE0, 0x4A, 0x25, 0x61, 0x9D, 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B,
+ 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, 0xD8, 0x76, 0x02, 0x73, 0x3E,
+ 0xC8, 0x6A, 0x64, 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, 0xBB, 0xE1,
+ 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46,
+ 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, 0x43, 0xDB, 0x5B, 0xFC,
+ 0xE0, 0xFD, 0x10, 0x8E, 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, 0x1A,
+ 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA,
+ 0x5B, 0x26, 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, 0x1A, 0x94, 0x68,
+ 0x34, 0xB6, 0x15, 0x0B, 0xDA, 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8,
+ 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, 0x2E, 0x8E, 0xFC, 0x14, 0x1F,
+ 0xBE, 0xCA, 0xA6, 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, 0x99, 0xB2,
+ 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7,
+ 0xED, 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, 0xB8, 0x1B, 0xDD, 0x76,
+ 0x21, 0x70, 0x48, 0x1C, 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, 0x93,
+ 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6,
+ 0xC0, 0x8F, 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
+#endif /* DROPBEAR_DH_GROUP16 */
+
+/* Same for group1 and group14 */
+const int DH_G_VAL = 2;
+
diff --git a/dh_groups.h b/dh_groups.h
new file mode 100644
index 0000000..7fadac2
--- /dev/null
+++ b/dh_groups.h
@@ -0,0 +1,24 @@
+#ifndef DROPBEAR_DH_GROUPS_H
+#define DROPBEAR_DH_GROUPS_H
+#include "options.h"
+
+#define DH_P_1_LEN 128
+extern const unsigned char dh_p_1[DH_P_1_LEN];
+#define DH_P_14_LEN 256
+extern const unsigned char dh_p_14[DH_P_14_LEN];
+
+#ifdef DROPBEAR_DH_GROUP15
+#define DH_P_15_LEN 384
+extern const unsigned char dh_p_15[DH_P_15_LEN];
+#endif
+
+#ifdef DROPBEAR_DH_GROUP16
+#define DH_P_16_LEN 512
+extern const unsigned char dh_p_16[DH_P_16_LEN];
+#endif
+
+
+extern const int DH_G_VAL;
+
+
+#endif
diff --git a/kex.h b/kex.h
index 4cee8e3..126c19e 100644
--- a/kex.h
+++ b/kex.h
@@ -83,11 +83,6 @@ struct KEXState {
};
-#define DH_P_1_LEN 128
-extern const unsigned char dh_p_1[DH_P_1_LEN];
-#define DH_P_14_LEN 256
-extern const unsigned char dh_p_14[DH_P_14_LEN];
-
struct kex_dh_param {
mp_int pub; /* e */
mp_int priv; /* x */
diff --git a/options.h b/options.h
index 27e2a02..1be412b 100644
--- a/options.h
+++ b/options.h
@@ -152,6 +152,11 @@ If you test it please contact the Dropbear author */
* on x86-64 */
#define DROPBEAR_ECDSA
+/* These larger DH groups (3072 and 4096 bit respectively) add to binary size
+ and may be significantly slower. Usually ECDH or curve25519 will be a better option */
+/*#define DROPBEAR_DH_GROUP15*/
+/*#define DROPBEAR_DH_GROUP16*/
+
/* Generate hostkeys as-needed when the first connection using that key type occurs.
This avoids the need to otherwise run "dropbearkey" and avoids some problems
with badly seeded /dev/urandom when systems first boot.
diff --git a/runopts.h b/runopts.h
index 7d6ae06..613ccf1 100644
--- a/runopts.h
+++ b/runopts.h
@@ -40,6 +40,7 @@ typedef struct runopts {
unsigned int recv_window;
time_t keepalive_secs; /* Time between sending keepalives. 0 is off */
time_t idle_timeout_secs; /* Exit if no traffic is sent/received in this time */
+ int usingsyslog;
#ifndef DISABLE_ZLIB
/* TODO: add a commandline flag. Currently this is on by default if compression
@@ -70,7 +71,6 @@ typedef struct svr_runopts {
char * bannerfile;
int forkbg;
- int usingsyslog;
/* ports and addresses are arrays of the portcount
listening ports. strings are malloced. */
@@ -140,6 +140,9 @@ typedef struct cli_runopts {
#ifdef ENABLE_CLI_PUBKEY_AUTH
m_list *privkeys; /* Keys to use for public-key auth */
#endif
+#ifdef ENABLE_CLI_ANYTCPFWD
+ int exit_on_fwd_failure;
+#endif
#ifdef ENABLE_CLI_REMOTETCPFWD
m_list * remotefwds;
#endif
diff --git a/scp.c b/scp.c
index 70f45e3..8c94ec8 100644
--- a/scp.c
+++ b/scp.c
@@ -1,3 +1,6 @@
+/* Dropbear Note: This file is based on OpenSSH 4.3p2. Avoid unnecessary
+ changes to simplify future updates */
+
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@@ -286,7 +289,6 @@ int okname(char *);
void run_err(const char *,...);
void verifydir(char *);
-struct passwd *pwd;
uid_t userid;
int errs, remin, remout;
int pflag, iamremote, iamrecursive, targetshouldbedirectory;
@@ -393,9 +395,6 @@ main(int argc, char **argv)
argc -= optind;
argv += optind;
- if ((pwd = getpwuid(userid = getuid())) == NULL)
- fatal("unknown user %u", (u_int) userid);
-
if (!isatty(STDERR_FILENO))
showprogress = 0;
@@ -511,7 +510,7 @@ toremote(char *targ, int argc, char **argv)
host = cleanhostname(host);
suser = argv[i];
if (*suser == '\0')
- suser = pwd->pw_name;
+ continue; /* pretend there wasn't any @ at all */
else if (!okname(suser))
continue;
addargs(&alist, "-l");
@@ -579,7 +578,7 @@ tolocal(int argc, char **argv)
*host++ = 0;
suser = argv[i];
if (*suser == '\0')
- suser = pwd->pw_name;
+ suser = NULL;
}
host = cleanhostname(host);
len = strlen(src) + CMDNEEDS + 20;
diff --git a/scpmisc.c b/scpmisc.c
index ec4df35..d99e358 100644
--- a/scpmisc.c
+++ b/scpmisc.c
@@ -1,3 +1,6 @@
+/* Dropbear Note: This file is based on OpenSSH 4.3p2. Avoid unnecessary
+ changes to simplify future updates */
+
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -223,6 +226,7 @@ void fatal(char* fmt,...)
va_start(args, fmt);
vfprintf(stderr, fmt, args);
va_end(args);
+ fputc('\n', stderr);
exit(255);
}
diff --git a/session.h b/session.h
index debebab..77e1bcd 100644
--- a/session.h
+++ b/session.h
@@ -61,9 +61,10 @@ void svr_dropbear_exit(int exitcode, const char* format, va_list param) ATTRIB_N
void svr_dropbear_log(int priority, const char* format, va_list param);
/* Client */
-void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress) ATTRIB_NORETURN;
+void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress, pid_t proxy_cmd_pid) ATTRIB_NORETURN;
void cli_connected(int result, int sock, void* userdata, const char *errstring);
void cleantext(char* dirtytext);
+void kill_proxy_command();
/* crypto parameters that are stored individually for transmit and receive */
struct key_context_directional {
@@ -304,6 +305,7 @@ struct clientsession {
struct AgentkeyList *agentkeys; /* Keys to use for public-key auth */
#endif
+ pid_t proxy_cmd_pid;
};
/* Global structs storing the state */
diff --git a/svr-main.c b/svr-main.c
index cc59332..af56a7c 100644
--- a/svr-main.c
+++ b/svr-main.c
@@ -145,7 +145,7 @@ void main_noinetd() {
if (svr_opts.forkbg) {
int closefds = 0;
#ifndef DEBUG_TRACE
- if (!svr_opts.usingsyslog) {
+ if (!opts.usingsyslog) {
closefds = 1;
}
#endif
@@ -367,8 +367,8 @@ static void commonsetup() {
struct sigaction sa_chld;
#ifndef DISABLE_SYSLOG
- if (svr_opts.usingsyslog) {
- startsyslog();
+ if (opts.usingsyslog) {
+ startsyslog(PROGNAME);
}
#endif
diff --git a/svr-runopts.c b/svr-runopts.c
index 0e70998..8f60059 100644
--- a/svr-runopts.c
+++ b/svr-runopts.c
@@ -158,7 +158,7 @@ void svr_getopts(int argc, char ** argv) {
svr_opts.domotd = 1;
#endif
#ifndef DISABLE_SYSLOG
- svr_opts.usingsyslog = 1;
+ opts.usingsyslog = 1;
#endif
opts.recv_window = DEFAULT_RECV_WINDOW;
opts.keepalive_secs = DEFAULT_KEEPALIVE;
@@ -189,7 +189,7 @@ void svr_getopts(int argc, char ** argv) {
break;
#ifndef DISABLE_SYSLOG
case 'E':
- svr_opts.usingsyslog = 0;
+ opts.usingsyslog = 0;
break;
#endif
#ifdef ENABLE_SVR_LOCALTCPFWD
diff --git a/svr-session.c b/svr-session.c
index ea9ca7e..f777b5f 100644
--- a/svr-session.c
+++ b/svr-session.c
@@ -204,7 +204,7 @@ void svr_dropbear_log(int priority, const char* format, va_list param) {
vsnprintf(printbuf, sizeof(printbuf), format, param);
#ifndef DISABLE_SYSLOG
- if (svr_opts.usingsyslog) {
+ if (opts.usingsyslog) {
syslog(priority, "%s", printbuf);
}
#endif
@@ -215,8 +215,7 @@ void svr_dropbear_log(int priority, const char* format, va_list param) {
havetrace = debug_trace;
#endif
- if (!svr_opts.usingsyslog || havetrace)
- {
+ if (!opts.usingsyslog || havetrace) {
struct tm * local_tm = NULL;
timesec = time(NULL);
local_tm = localtime(&timesec);
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-04 17:56:46 +0000