| Age | Commit message (Collapse) | Author |
|---|
|
tcpip-forward request can include hostname, which is later resolved by getaddrinfo() call.
Dropbear incorrectly assumes tcpip-forward includes only IP(v4) address. Fix this.
|
|
|
|
The current code assumes that all global requests want / need a reply.
This isn't always true and the request itself indicates if it wants a
reply or not.
It causes a specific problem with hostkeys-00@openssh.com messages.
These are sent by OpenSSH after authentication to inform the client of
potential other host keys for the host. This can be used to add a new
type of host key or to rotate host keys.
The initial information message from the server is sent as a global
request, but with want_reply set to false. This means that the server
doesn't expect an answer to this message. Instead the client needs to
send a prove request as a reply if it wants to receive proof of
ownership for the host keys.
The bug doesn't cause any current problems with due to how OpenSSH
treats receiving the failure message. It instead treats it as a
keepalive message and further ignores it.
Arguably this is a protocol violation though of Dropbear and it is only
accidental that it doesn't cause a problem with OpenSSH.
The bug was found when adding host keys support to libssh, which is more
strict protocol wise and treats the unexpected failure message an error,
also see https://gitlab.com/libssh/libssh-mirror/-/merge_requests/145
for more information.
The fix here is to honor the want_reply flag in the global request and
to only send a reply if the other side expects a reply.
|
|
|
|
|
|
lose exit status messages
|
|
|
|
|
|
|
|
|
|
For the sake of review, this commit alters only the code; the affiliated
comments within the source files also need to be updated, but doing so
now would obscure the operational changes that have been made here.
* All on/off options have been switched to the numeric `#if' variant;
that is the only way to make this `default_options.h.in' thing work
in a reasonable manner.
* There is now some very minor compile-time checking of the user's
choice of options.
* NO_FAST_EXPTMOD doesn't seem to be used, so it has been removed.
* ENABLE_USER_ALGO_LIST was supposed to be renamed DROPBEAR_USER_ALGO_LIST,
and this commit completes that work.
* DROPBEAR_FUZZ seems to be a relatively new, as-yet undocumented option,
which was added by the following commit:
commit 6e0b539e9ca0b5628c6c5a3d118ad6a2e79e8039
Author: Matt Johnston <matt@ucc.asn.au>
Date: Tue May 23 22:29:21 2017 +0800
split out checkpubkey_line() separately
It has now been added to `sysoptions.h' and defined as `0' by default.
* The configuration option `DROPBEAR_PASSWORD_ENV' is no longer listed in
`default_options.h.in'; it is no longer meant to be set by the user, and
is instead left to be defined in `sysoptions.h' (where it was already being
defined) as merely the name of the environment variable in question:
DROPBEAR_PASSWORD
To enable or disable use of that environment variable, the user must now
toggle `DROPBEAR_USE_DROPBEAR_PASSWORD'.
* The sFTP support is now toggled by setting `DROPBEAR_SFTPSERVER', and the
path of the sFTP server program is set independently through the usual
SFTPSERVER_PATH.
|
|
|
|
* replaces -b dummy option in dbclient to be similar with openssh -b option
* useful in multi-wan connections
|
|
Server chosen tcpfwd ports
|
|
|
|
|
|
|
|
|
|
|
|
fperrad-20151231_indent
|
|
|
|
|
|
|
|
reqname, bindaddr, request_addr, desthost and orighost to be exhaustive.
|
|
|
|
--HG--
branch : fastopen
|
|
--HG--
branch : fastopen
|
|
|
|
if (connecting || ptys || x11) tos = LOWDELAY;
else if (tcp_forwards) tos = 0;
else tos = BULK;
TCP forwards could be either lowdelay or bulk, hence the default priority.
|
|
|
|
|
|
if that wasn't what the client requested.
|
|
- Fix build if ENABLE_SVR_REMOTETCPFWD is disabled but ENABLE_SVR_LOCALTCPFWD
is enabled
|
|
--HG--
extra : convert_revision : 5c0a794976692a54ec36111291179020e2ae6c1e
|
|
--HG--
extra : convert_revision : 51ce088e100e9ea150efc6bf3d021f019a46b2f5
|
|
--HG--
extra : convert_revision : 48fdaa8706d1acda35e9d564adc9a1fbc96c18c8
|
|
Needs review.
--HG--
branch : pubkey-options
extra : convert_revision : 26872f944d79ddacff1070aab32115a6d726392c
|
|
cli-authpubkey.c:
fix leak of keybuf
cli-kex.c:
fix leak of fingerprint fp
cli-service.c:
remove commented out code
dropbearkey.c:
don't attepmt to free NULL key on failure
common-kex.c:
only free key if it is initialised
keyimport.c:
remove dead encrypted-key code
don't leak a FILE* loading OpenSSH keys
rsa.c, dss.c:
check return values for some libtommath functions
svr-kex.c:
check return value retrieving DH kex mpint
svr-tcpfwd.c:
fix null-dereference if remote tcp forward request fails
tcp-accept.c:
don't incorrectly free the tcpinfo var
--HG--
extra : convert_revision : 640a55bc710cbaa6d212453c750026c770e19193
|
|
--HG--
extra : convert_revision : f3f6f865b6d723add601feabf155a1fcc084b0aa
|
|
--HG--
extra : convert_revision : 826db75f8001f7da7b0b8c91dcf66a44bf107b49
|
|
hosts to connect to forwarded ports. Rearranged various some of the
tcp listening code.
* changed to /* */ style brackets in svr-authpam.c
--HG--
extra : convert_revision : c1e04e648867db464fe9818c4910e4320cd50c32
|
|
--HG--
extra : convert_revision : e3e7dc2cf75ad60c83a5b4307c210fee2fe90434
|
|
connect to auth socket (server)
* differentiate between get_byte and get_bool
* get rid of some // comments
* general tidying
--HG--
extra : convert_revision : fb8d188ce33b6b45804a5ce51b9f601f83bdf3d7
|
|
--HG--
extra : convert_revision : d928bc851e32be7bd429bf7504b148c0e4bf7e2f
|
|
disabled works OK.
--HG--
extra : convert_revision : cc92f744e34125062d052b757967e167f19d6db5
|
|
--HG--
extra : convert_revision : 75c02f80c4ed25bd4697e7f17ffac6eded54c148
|
|
--HG--
extra : convert_revision : 4c3428781bc8faf0fd7cadd7099fbd7f4ea386e7
|
|
--HG--
extra : convert_revision : 57dfb36d0d482ad84f31506904eb67863bd303ab
|
|
- still a checkpoint-ish commit
- sorted out listening on localhost only
--HG--
extra : convert_revision : c030ac0a3950dba81f2324e2ba9d4b77fc8f8149
|
|
--HG--
extra : convert_revision : fbbf404290f3fea3dfa9f6f53eba9389057e9044
|
