From 674a60748884dc55ee7091b7c23a41240e75f73c Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Tue, 1 Jun 2004 02:46:09 +0000 Subject: Makefile.in contains updated files required --HG-- extra : convert_revision : cc8a8c49dc70e632c352853a39801089b08149be --- includes.h | 134 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 134 insertions(+) create mode 100644 includes.h (limited to 'includes.h') diff --git a/includes.h b/includes.h new file mode 100644 index 0000000..3fdd729 --- /dev/null +++ b/includes.h 
@@ -0,0 +1,134 @@ +/* + * Dropbear - a SSH2 server + * + * Copyright (c) 2002,2003 Matt Johnston + * All rights reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
*/ + +#ifndef _INCLUDES_H_ +#define _INCLUDES_H_ + + +#include "config.h" +#include "options.h" +#include "debug.h" + +#include +#include +#include /* required for BSD4_4 define */ +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#ifdef HAVE_UTMP_H +#include +#endif + +#ifdef HAVE_UTMPX_H +#include +#endif + +#ifdef HAVE_PATHS_H +#include +#endif + +#ifdef HAVE_LASTLOG_H +#include +#endif + +#ifdef HAVE_NETINET_IN_H +#include +#endif + +#ifdef HAVE_NETINET_TCP_H +#include +#endif + +#ifdef HAVE_INTTYPES_H +#include +#endif + +#ifdef HAVE_LIBUTIL_H +#include +#endif + +#ifdef HAVE_CRYPT_H +#include +#endif + +#ifndef DISABLE_ZLIB +#include +#endif + +#ifdef HAVE_UTIL_H +#include +#endif + +#ifdef HAVE_SHADOW_H +#include +#endif + +#ifdef HAVE_LIBGEN_H +#include +#endif + +#ifdef HAVE_SYS_DIRENT_H +#include +#endif + +#include "libtomcrypt/mycrypt_custom.h" +#include "libtommath/tommath.h" + +#include "compat.h" + +#ifndef HAVE_UINT16_T +#ifndef HAVE_U_INT16_T +typedef unsigned short u_int16_t; +#endif /* HAVE_U_INT16_T */ +typedef u_int16_t uint16_t; +#endif /* HAVE_UINT16_T */ + +#ifndef LOG_AUTHPRIV +#define LOG_AUTHPRIV LOG_AUTH +#endif + +#endif /* _INCLUDES_H_ */ -- cgit v1.2.3 From 96a0f77bb4d861d58e1bf36f480d14e8b20afb27 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Thu, 12 Aug 2004 14:39:17 +0000 Subject: fake-rfc stuff --HG-- extra : convert_revision : 796008def04e47dc990703134c9fe013f1919190 --- Makefile.in | 4 +-- configure.in | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- fake-rfc2553.c | 5 +++- fake-rfc2553.h | 5 ++-- includes.h | 1 + 5 files changed, 100 insertions(+), 7 deletions(-) (limited to 'includes.h') diff --git a/Makefile.in b/Makefile.in index 4ea2f28..f70bca2 100644 --- a/Makefile.in +++ b/Makefile.in 
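Review bot: The fallback `typedef unsigned short u_int16_t;` near the end of the new header assumes `unsigned short` is exactly 16 bits, and nothing in the file checks that. `uint16_t` is presumably used for fixed-width protocol fields, so a compile-time check beside the typedef would turn a wrong width into a build failure, for example `typedef char dropbear_u16_check[sizeof(uint16_t) == 2 ? 1 : -1];`. The include guard `_INCLUDES_H_` also begins with an underscore followed by a capital letter, a form reserved for the implementation; a name such as `DROPBEAR_INCLUDES_H` avoids that.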
@@ -34,7 +34,7 @@ CLIOBJS=cli-algo.o cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \ CLISVROBJS=common-session.o packet.o common-algo.o common-kex.o \ common-channel.o common-chansession.o termcodes.o loginrec.o \ tcp-accept.o listener.o process-packet.o \ - common-runopts.o + common-runopts.o fake-rfc2553.o KEYOBJS=dropbearkey.o gendss.o genrsa.o @@ -47,7 +47,7 @@ HEADERS=options.h dbutil.h session.h packet.h algo.h ssh.h buffer.h kex.h \ debug.h channel.h chansession.h config.h queue.h sshpty.h \ termcodes.h gendss.h genrsa.h authpubkey.h runopts.h includes.h \ loginrec.h atomicio.h x11fwd.h agentfwd.h tcpfwd.h compat.h \ - listener.h + listener.h fake-rfc2553.h dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS) dbclientobjs=$(COMMONOBJS) $(CLISVROBJS) $(CLIOBJS) diff --git a/configure.in b/configure.in index 47a9a29..bffd0da 100644 --- a/configure.in +++ b/configure.in @@ -1,7 +1,9 @@ # -*- Autoconf -*- # Process this file with autoconf and autoheader to produce a configure script. -# This Autoconf file was cobbled from various locations. +# This Autoconf file was cobbled from various locations. In particular, a bunch +# of the platform checks have been taken straight from OpenSSH's configure.ac +# Huge thanks to them for dealing with the horrible platform-specifics :) AC_PREREQ(2.50) AC_INIT(buffer.c) @@ -50,10 +52,17 @@ case "$host" in *-*-aix*) AC_DEFINE(AIX,,Using AIX) + # OpenSSH thinks it's broken. If it isn't, let me know. + AC_DEFINE(BROKEN_GETADDRINFO,,Broken getaddrinfo) ;; *-*-hpux*) LIBS="$LIBS -lsec" + # It's probably broken. + AC_DEFINE(BROKEN_GETADDRINFO,,Broken getaddrinfo) + ;; +*-dec-osf*) + AC_DEFINE(BROKEN_GETADDRINFO,,Broken getaddrinfo) ;; esac 
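Review bot: The `BROKEN_GETADDRINFO` defines added to the AIX, HP-UX and OSF branches of the `case "$host"` block have no consumer in the lines shown. Later in this commit `AC_CHECK_FUNCS` still probes `getaddrinfo`, so `HAVE_GETADDRINFO` would be set on those hosts and the system resolver code used anyway. If the fake-rfc2553 fallback is meant to take over there, a header has to cancel the probe result, for example `#if defined(BROKEN_GETADDRINFO) && defined(HAVE_GETADDRINFO)` / `#undef HAVE_GETADDRINFO` / `#endif`; that may already exist outside this page and should be confirmed.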
@@ -205,6 +214,84 @@ AC_CHECK_TYPE([socklen_t], ,[ [#include #include ]) +# for the fake-rfc2553 stuff - straight from OpenSSH + +AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct sockaddr_storage s; ], + [ ac_cv_have_struct_sockaddr_storage="yes" ], + [ ac_cv_have_struct_sockaddr_storage="no" ] + ) +]) +if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE) +fi + +AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct sockaddr_in6 s; s.sin6_family = 0; ], + [ ac_cv_have_struct_sockaddr_in6="yes" ], + [ ac_cv_have_struct_sockaddr_in6="no" ] + ) +]) +if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_SOCKADDR_IN6,,Have struct sockaddr_in6) +fi + +AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct in6_addr s; s.s6_addr[0] = 0; ], + [ ac_cv_have_struct_in6_addr="yes" ], + [ ac_cv_have_struct_in6_addr="no" ] + ) +]) +if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_IN6_ADDR,,Have struct in6_addr) +fi + +AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [ + AC_TRY_COMPILE( + [ +#include +#include +#include + ], + [ struct addrinfo s; s.ai_flags = AI_PASSIVE; ], + [ ac_cv_have_struct_addrinfo="yes" ], + [ ac_cv_have_struct_addrinfo="no" ] + ) +]) +if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_ADDRINFO,,Have struct addrinfo) +fi + + +# IRIX has a const char return value for gai_strerror() +AC_CHECK_FUNCS(gai_strerror,[ + AC_DEFINE(HAVE_GAI_STRERROR) + AC_TRY_COMPILE([ +#include +#include +#include + +const char *gai_strerror(int);],[ +char *str; + +str = gai_strerror(0);],[ + AC_DEFINE(HAVE_CONST_GAI_STRERROR_PROTO, 1, + [Define if gai_strerror() returns const char *])])]) 
# for loginrec.c @@ -462,7 +549,7 @@ AC_PROG_GCC_TRADITIONAL AC_FUNC_MEMCMP AC_FUNC_SELECT_ARGTYPES AC_TYPE_SIGNAL -AC_CHECK_FUNCS([dup2 getspnam getusershell memset putenv select socket strdup clearenv strlcpy strlcat daemon basename _getpty ]) +AC_CHECK_FUNCS([dup2 getspnam getusershell memset putenv select socket strdup clearenv strlcpy strlcat daemon basename _getpty getaddrinfo freeaddrinfo getnameinfo]) AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) @@ -483,6 +570,7 @@ if test -z "$no_ptc_check" ; then fi fi +AC_EXEEXT AC_CONFIG_HEADER(config.h) AC_OUTPUT(Makefile) AC_MSG_RESULT() diff --git a/fake-rfc2553.c b/fake-rfc2553.c index 0186b53..afbea88 100644 --- a/fake-rfc2553.c +++ b/fake-rfc2553.c @@ -1,4 +1,7 @@ /* + * + * Taken from OpenSSH 3.8.1p1 + * * Copyright (C) 2000-2003 Damien Miller. All rights reserved. * Copyright (C) 1999 WIDE Project. All rights reserved. * @@ -37,7 +40,7 @@ #include "includes.h" -RCSID("$Id: fake-rfc2553.c,v 1.5 2003/09/22 02:08:23 dtucker Exp $"); +/* RCSID("$.Id: fake-rfc2553.c,v 1.5 2003/09/22 02:08:23 dtucker Exp $");*/ #ifndef HAVE_GETNAMEINFO int getnameinfo(const struct sockaddr *sa, size_t salen, char *host, diff --git a/fake-rfc2553.h b/fake-rfc2553.h index baea070..053e6a6 100644 --- a/fake-rfc2553.h +++ b/fake-rfc2553.h @@ -1,4 +1,6 @@ -/* $Id: fake-rfc2553.h,v 1.9 2004/03/10 10:06:33 dtucker Exp $ */ +/* Taken from OpenSSH 3.8.1p1 */ + +/* $.Id: fake-rfc2553.h,v 1.9 2004/03/10 10:06:33 dtucker Exp $ */ /* * Copyright (C) 2000-2003 Damien Miller. All rights reserved. @@ -41,7 +43,6 @@ #define _FAKE_RFC2553_H #include "includes.h" -#include "sys/types.h" /* * First, socket and INET6 related definitions diff --git a/includes.h b/includes.h index 3fdd729..52c48ed 100644 --- a/includes.h +++ b/includes.h @@ -119,6 +119,7 @@ #include "libtommath/tommath.h" #include "compat.h" +#include "fake-rfc2553.h" #ifndef HAVE_UINT16_T #ifndef HAVE_U_INT16_T -- cgit v1.2.3 
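Review bot: `AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE)` and `AC_DEFINE(HAVE_GAI_STRERROR)` are the only defines in this hunk written without a value and description, while the three struct checks beside them use the three-argument form. autoheader builds the `config.h.in` entry from that description, so the one-argument form depends on a template supplied elsewhere, which is not visible here. Writing them like their neighbours keeps the checks self-contained: `AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE,,Have struct sockaddr_storage)` and `AC_DEFINE(HAVE_GAI_STRERROR,,Have gai_strerror)`.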
From 8e1ec24f55be1a9af2595a58bb4b805bebd7fa9d Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Thu, 12 Aug 2004 16:41:58 +0000 Subject: Merging in the changes from 0.41-0.43 main Dropbear tree --HG-- extra : convert_revision : 4c3428781bc8faf0fd7cadd7099fbd7f4ea386e7 --- buffer.c | 9 +- channel.h | 3 + cli-tcpfwd.c | 9 +- common-channel.c | 27 +++++- configure.in | 2 +- dbutil.c | 6 +- debian/README.runit | 46 +++++++++ debian/changelog | 52 +++++++++++ debian/control | 24 +++-- debian/copyright.in | 6 +- debian/dropbear.README.Debian | 41 +++++++++ debian/dropbear.conffiles | 3 + debian/dropbear.docs | 3 + debian/dropbear.init | 60 ++++-------- debian/dropbear.postinst | 68 ++++++++++++++ debian/dropbear.postrm | 12 +++ debian/dropbear.prerm | 11 +++ debian/implicit | 79 ++++++++++++++++ debian/rules | 210 +++++++++++++++++------------------------- debian/service/log | 2 + debian/service/run | 3 + dropbearkey.c | 1 - dss.c | 4 +- gendss.c | 1 - includes.h | 6 +- options.h | 7 +- packet.c | 4 +- random.c | 5 +- rsa.c | 16 ++-- signkey.c | 4 +- svr-agentfwd.c | 4 +- svr-auth.c | 4 +- svr-authpasswd.c | 8 +- svr-authpubkey.c | 2 +- svr-chansession.c | 35 +++++-- svr-tcpfwd.c | 9 +- svr-x11fwd.c | 4 +- 37 files changed, 554 insertions(+), 236 deletions(-) create mode 100644 debian/README.runit create mode 100644 debian/dropbear.README.Debian create mode 100644 debian/dropbear.conffiles create mode 100644 debian/dropbear.docs create mode 100644 debian/dropbear.postinst create mode 100644 debian/dropbear.postrm create mode 100644 debian/dropbear.prerm create mode 100644 debian/implicit create mode 100644 debian/service/log create mode 100644 debian/service/run (limited to 'includes.h') diff --git a/buffer.c b/buffer.c index 7181fca..df608d9 100644 --- a/buffer.c +++ b/buffer.c 
@@ -34,8 +34,8 @@ #define BUF_MAX_INCR 1000000000 #define BUF_MAX_SIZE 1000000000 -/* avoid excessively large numbers, > 5000 bit */ -#define BUF_MAX_MPINT (5000 / 8) +/* avoid excessively large numbers, > ~8192 bits */ +#define BUF_MAX_MPINT (8240 / 8) /* Create (malloc) a new buffer of size */ buffer* buf_new(unsigned int size) { @@ -76,7 +76,8 @@ void buf_burn(buffer* buf) { } -/* resize a buffer, pos and len will be repositioned if required */ +/* resize a buffer, pos and len will be repositioned if required when + * downsizing */ void buf_resize(buffer *buf, unsigned int newsize) { if (newsize > BUF_MAX_SIZE) { @@ -151,6 +152,8 @@ void buf_incrpos(buffer* buf, int incr) { /* Get a byte from the buffer and increment the pos */ unsigned char buf_getbyte(buffer* buf) { + /* This check is really just ==, but the >= allows us to check for the + * assert()able case of pos > len, which should _never_ happen. */ if (buf->pos >= buf->len) { dropbear_exit("bad buf_getbyte"); } diff --git a/channel.h b/channel.h index e1bdae2..2289de1 100644 --- a/channel.h +++ b/channel.h @@ -41,6 +41,9 @@ #define SSH_OPEN_UNKNOWN_CHANNEL_TYPE 3 #define SSH_OPEN_RESOURCE_SHORTAGE 4 +/* Not a real type */ +#define SSH_OPEN_IN_PROGRESS 99 + #define MAX_CHANNELS 60 /* simple mem restriction, includes each tcp/x11 connection, so can't be _too_ small */ diff --git a/cli-tcpfwd.c b/cli-tcpfwd.c index 52268b9..8d8e605 100644 --- a/cli-tcpfwd.c +++ b/cli-tcpfwd.c @@ -120,7 +120,7 @@ static int newtcpforwarded(struct Channel * channel) { struct TCPFwdList * iter = NULL; char portstring[NI_MAXSERV]; int sock; - int ret = DROPBEAR_FAILURE; + int err = SSH_OPEN_ADMINISTRATIVELY_PROHIBITED; /* We don't care what address they connected to */ buf_eatstring(ses.payload); 
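Review bot: The new limit `#define BUF_MAX_MPINT (8240 / 8)` does not match its own comment, which speaks of roughly 8192 bits; the extra 48 bits are unexplained. The constant appears to bound the size of multi-precision integers read out of a buffer, so the reason for the slack belongs next to the definition, for example `/* 8192-bit values plus 48 bits of slack for <reason>; anything larger is rejected */`. Without that, a later reader cannot tell whether 8240 is a deliberate allowance or a typo for 8192.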
@@ -148,6 +148,7 @@ static int newtcpforwarded(struct Channel * channel) { sock = connect_remote(iter->connectaddr, portstring, 1, NULL); if (sock < 0) { TRACE(("leave newtcpdirect: sock failed")); + err = SSH_OPEN_CONNECT_FAILED; goto out; } @@ -160,9 +161,9 @@ static int newtcpforwarded(struct Channel * channel) { channel->infd = sock; channel->initconn = 1; - ret = DROPBEAR_SUCCESS; + err = SSH_OPEN_IN_PROGRESS; out: - TRACE(("leave newtcpdirect: ret %d", ret)); - return ret; + TRACE(("leave newtcpdirect: err %d", err)); + return err; } diff --git a/common-channel.c b/common-channel.c index 5079031..64ea466 100644 --- a/common-channel.c +++ b/common-channel.c @@ -172,6 +172,7 @@ void channelio(fd_set *readfd, fd_set *writefd) { struct Channel *channel; unsigned int i; + int ret; /* iterate through all the possible channels */ for (i = 0; i < ses.chansize; i++) { @@ -196,8 +197,15 @@ void channelio(fd_set *readfd, fd_set *writefd) { * see if it has errors */ if (channel->infd >= 0 && channel->infd != channel->outfd && FD_ISSET(channel->infd, readfd)) { - int ret; - ret = write(channel->infd, NULL, 0); + if (channel->initconn) { + /* Handling for "in progress" connection - this is needed + * to avoid spinning 100% CPU when we connect to a server + * which doesn't send anything (tcpfwding) */ + checkinitdone(channel); + continue; /* Important not to use the channel after + checkinitdone(), as it may be NULL */ + } + ret = write(channel->infd, NULL, 0); /* Fake write */ if (ret < 0 && errno != EINTR && errno != EAGAIN) { closeinfd(channel); } @@ -209,9 +217,8 @@ void channelio(fd_set *readfd, fd_set *writefd) { checkinitdone(channel); continue; /* Important not to use the channel after checkinitdone(), as it may be NULL */ - } else { - writechannel(channel); } + writechannel(channel); } /* now handle any of the channel-closing type stuff */ 
@@ -285,10 +292,14 @@ static void checkinitdone(struct Channel *channel) { if (getsockopt(channel->infd, SOL_SOCKET, SO_ERROR, &val, &vallen) || val != 0) { + send_msg_channel_open_failure(channel->remotechan, + SSH_OPEN_CONNECT_FAILED, "", ""); close(channel->infd); deletechannel(channel); TRACE(("leave checkinitdone: fail")); } else { + send_msg_channel_open_confirmation(channel, channel->recvwindow, + channel->recvmaxpacket); channel->outfd = channel->infd; channel->initconn = 0; TRACE(("leave checkinitdone: success")); @@ -489,6 +500,7 @@ static void removechannel(struct Channel * channel) { TRACE(("channel index is %d", channel->index)); buf_free(channel->writebuf); + channel->writebuf = NULL; /* close the FDs in case they haven't been done * yet (ie they were shutdown etc */ @@ -497,6 +509,7 @@ static void removechannel(struct Channel * channel) { if (channel->errfd >= 0) { close(channel->errfd); } + channel->typedata = NULL; deletechannel(channel); @@ -587,6 +600,7 @@ static void send_msg_channel_data(struct Channel *channel, int isextended, TRACE(("leave send_msg_channel_data: read err %d", channel->index)); } buf_free(buf); + buf = NULL; return; } buf_incrlen(buf, len); @@ -601,6 +615,7 @@ static void send_msg_channel_data(struct Channel *channel, int isextended, buf_putstring(ses.writepayload, buf_getptr(buf, len), len); buf_free(buf); + buf = NULL; channel->transwindow -= len; @@ -764,6 +779,10 @@ void recv_msg_channel_open() { if (channel->type->inithandler) { ret = channel->type->inithandler(channel); if (ret > 0) { + if (ret == SSH_OPEN_IN_PROGRESS) { + /* We'll send the confirmation later */ + goto cleanup; + } errtype = ret; deletechannel(channel); TRACE(("inithandler returned failure %d", ret)); diff --git a/configure.in b/configure.in index bffd0da..10988c2 100644 --- a/configure.in +++ b/configure.in 
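Review bot: checkinitdone() now puts a reply on the wire in both branches, but nothing in the function states that it may only run for a channel whose open request is still unanswered. channelio() calls it whenever `channel->initconn` is set, so the invariant lives in whichever code sets that flag, outside this hunk. A comment above the function would record it: `/* Only for channels whose inithandler returned SSH_OPEN_IN_PROGRESS; sends the deferred open confirmation or failure exactly once, and may delete the channel. */`. The function starts outside the hunk.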
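Review bot: The surrounding test `if (ret > 0)` in recv_msg_channel_open() treats every non-positive return from `inithandler` as success. A handler that still reports failure with `DROPBEAR_FAILURE` (the convention newtcpforwarded() used before this commit) would, if that constant is not positive, presumably be answered with an open confirmation. Either confirm that every handler now returns 0 or an `SSH_OPEN_*` code, or change the test to `if (ret != 0)` and map unexpected values to a generic failure reason. `SSH_OPEN_IN_PROGRESS` (99) also shares the number space of the wire reason codes, so its definition deserves a comment such as `/* internal only: reply deferred to checkinitdone(), never sent to the peer */`. The function body continues outside the hunk.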
@@ -169,7 +169,7 @@ AC_ARG_ENABLE(shadow, # Checks for header files. AC_HEADER_STDC AC_HEADER_SYS_WAIT -AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h sys/dirent.h]) +AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h]) # Checks for typedefs, structures, and compiler characteristics. AC_C_CONST diff --git a/dbutil.c b/dbutil.c index 5436cbb..30b5708 100644 --- a/dbutil.c +++ b/dbutil.c @@ -121,7 +121,7 @@ void dropbear_trace(const char* format, ...) { int dropbear_listen(const char* address, const char* port, int *socks, unsigned int sockcount, char **errstring, int *maxfd) { - struct addrinfo hints, *res, *res0; + struct addrinfo hints, *res = NULL, *res0 = NULL; int err; unsigned int nsock; struct linger linger; @@ -273,7 +273,7 @@ int connect_remote(const char* remotehost, const char* remoteport, } if (connect(sock, res->ai_addr, res->ai_addrlen) < 0) { - if (errno == EINPROGRESS) { + if (errno == EINPROGRESS && nonblocking) { TRACE(("Connect in progress")); break; } else { @@ -287,7 +287,7 @@ int connect_remote(const char* remotehost, const char* remoteport, break; /* Success */ } - if (sock < 0) { + if (sock < 0 && !(errno == EINPROGRESS && nonblocking)) { /* Failed */ if (errstring != NULL && *errstring == NULL) { int len; diff --git a/debian/README.runit b/debian/README.runit new file mode 100644 index 0000000..4ac2814 --- /dev/null +++ b/debian/README.runit 
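Review bot: The post-loop test `if (sock < 0 && !(errno == EINPROGRESS && nonblocking))` in connect_remote() reads `errno` long after the `connect()` that set it, and intervening calls may have changed it. As far as the first hunk shows, the in-progress path leaves the loop with a valid descriptor, so the added clause can only take effect when `sock` is negative and `errno` holds a stale `EINPROGRESS` from an earlier address; the function would then skip the failure path and return a negative socket without filling `*errstring`. Keeping the test as `if (sock < 0)`, or recording the state explicitly with `in_progress = 1;` before the `break` and testing `if (sock < 0 && !in_progress)`, removes the dependence on `errno`. Only part of the loop is visible here, so this should be checked against the full function.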
@@ -0,0 +1,46 @@
+Using the dropbear SSH server with runit's services supervision
+---------------------------------------------------------------
+
+The dropbear SSH server is perfectly suited to be run under runit's
+service supervision, and this package already has prepared an adequate
+service directory. Follow these steps to enable the dropbear service
+using the runit package.
+
+If not yet installed on your system, install the runit package, and make
+sure its service supervision is enabled (it's by default)
+
+ # apt-get install runit
+
+Make sure the dropbear service normally handled through the sysv init
+script is stopped
+
+ # /etc/init.d/dropbear stop
+
+Create the system user ``dropbearlog'' which will run the logger service,
+and own the logs
+
+ # adduser --system --home /var/log/dropbear --no-create-home dropbearlog
+
+Create the log directory and make the newly created system user the owner
+of this directory
+
+ # mkdir -p /var/log/dropbear && chown dropbearlog /var/log/dropbear
+
+Optionally adjust the configuration of the dropbear service by editing the
+run script
+
+ # vi /etc/dropbear/run
+
+Finally enable the service by linking dropbear's service directory to
+/var/service/. The service will be started within five seconds, and
+automatically at boot time. The sysv init script is disabled; see the
+runsvctrl(8) program for information on how to control services handled by
+runit. See the svlogd(8) program on how to configure the log service.
+
+ # ln -s /etc/dropbear /var/service/
+
+Optionally check the status of the service a few seconds later
+
+ # runsvstat -l /var/service/dropbear
+
+ -- Gerrit Pape , Sun, 16 May 2004 15:52:34 +0000
diff --git a/debian/changelog b/debian/changelog
index cb7253f..d9da388 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,55 @@ +dropbear (0.43-1) unstable; urgency=high + + * New upstream release 0.43 + * SECURITY: Don't attempt to free uninitialised buffers in DSS verification + code + * Handle portforwarding to servers which don't send any initial data + (Closes: #258426) + + -- Matt Johnston Fri, 16 July 2004 17:44:54 +0800 + +dropbear (0.42-1) unstable; urgency=low + + * New upstream release 0.42 + + -- Matt Johnston Wed, 16 June 2004 12:44:54 +0800 + +dropbear (0.41-3) unstable; urgency=low + + * 1st upload to the Debian archive (closes: #216553). + * debian/diff/cvs-20040520.diff: new; stable cvs snapshot. + * debian/rules: new target patch: apply diffs in debian/diff/, reverse + apply in target clean; install man pages. + * debian/control: Priority: optional. + + -- Gerrit Pape Sun, 23 May 2004 08:32:37 +0000 + +dropbear (0.41-2) unstable; urgency=low + + * new maintainer. + * debian/control: no longer Build-Depends: debhelper; Build-Depends: + libz-dev; Standards-Version: 3.6.1.0; Suggests: runit; update + descriptions. + * debian/rules: stop using debhelper, use implicit rules; cleanup; + install dropbearconvert into /usr/lib/dropbear/. + * debian/impicit: new; implicit rules. + * debian/copyright.in: adapt. + * debian/dropbear.init: minor adaptions; test for dropbear service + directory. + * debian/README.runit: new; how to use dropbear with runit. + * debian/README.Debian, debian/docs: rename to debian/dropbear.*. + * debian/dropbear.docs: add debian/README.runit + * debian/conffiles: rename to debian/dropbear.conffiles; add init + script, and run scripts. + * debian/postinst: rename to debian/dropbear.postinst; adapt; use + invloke-rc.d dropbear start. + * debian/dropbear.prerm: new; invoke-rc.d dropbear stop. + * debian/postrm: rename to debian/dropbear.postrm; adapt; clean up + service directories. + * debian/compat, debian/dirs, dropbear.default: remove; obsolete. 
+ + -- Gerrit Pape Sun, 16 May 2004 16:50:55 +0000 + dropbear (0.41-1) unstable; urgency=low * Updated to 0.41 release. diff --git a/debian/control b/debian/control index e528454..33c717c 100644 --- a/debian/control +++ b/debian/control @@ -1,14 +1,20 @@ Source: dropbear Section: net -Priority: standard -Maintainer: Grahame Bowland -Build-Depends: debhelper (>> 4.0.0), zlib1g-dev -Standards-Version: 3.5.8 +Priority: optional +Maintainer: Gerrit Pape +Build-Depends: libz-dev +Standards-Version: 3.6.1.0 Package: dropbear Architecture: any -Depends: ${shlibs:Depends} ${misc:Depends} -Suggests: ssh -Description: a minimal SSH2 server - A small secure shell version 2 server. - +Depends: ${shlibs:Depends} +Suggests: ssh, runit +Description: lightweight SSH2 server + dropbear is a SSH 2 server designed to be small enough to be used in small + memory environments, while still being functional and secure enough for + general use. + . + It implements most required features of the SSH 2 protocol, and other + features such as X11 and authentication agent forwarding. + . + See http://matt.ucc.asn.au/dropbear/dropbear.html diff --git a/debian/copyright.in b/debian/copyright.in index 015d9ab..79526d3 100644 --- a/debian/copyright.in +++ b/debian/copyright.in @@ -1,9 +1,11 @@ This package was debianized by Grahame Bowland on -Tue, 17 Jun 2003 15:04:47 +0800. +Tue, 17 Jun 2003 15:04:47 +0800, maintained temporarily by Matt Johnston +, and was adopted by Gerrit Pape on +Sun, 16 May 2004 14:38:33 +0000. It was downloaded from http://matt.ucc.asn.au/dropbear/ -Upstream Author(s): Matt Johnston +Upstream Author: Matt Johnston Copyright: diff --git a/debian/dropbear.README.Debian b/debian/dropbear.README.Debian new file mode 100644 index 0000000..8cdac38 --- /dev/null +++ b/debian/dropbear.README.Debian 
@@ -0,0 +1,41 @@
+Dropbear for Debian
+-------------------
+
+This package will attempt to listen on port 22. If the OpenSSH
+package ("ssh") is installed, the file /etc/default/dropbear
+will be set up so that the server does not start by default.
+
+You can run Dropbear concurrently with OpenSSH 'sshd' by
+modifying /etc/default/dropbear so that "NO_START" is set to
+"0" and changing the port number that Dropbear runs on. Follow
+the instructions in the file.
+
+This package suggests you install the "ssh" package. This package
+provides the "ssh" client program, as well as the "/usr/bin/scp"
+binary you will need to be able to retrieve files from a server
+running Dropbear via SCP.
+
+Replacing OpenSSH "sshd" with Dropbear
+--------------------------------------
+
+You will still want to have the "ssh" package installed, as it
+provides the "ssh" and "scp" binaries. When you install this
+package, it checks for existing OpenSSH host keys and if found,
+converts them to the Dropbear format.
+
+If this appears to have worked, you should be able to change over
+by following these steps:
+
+1. Stop the OpenSSH server
+ % /etc/init.d/ssh stop
+2. Prevent the OpenSSH server from starting in the future
+ % touch /etc/ssh/sshd_not_to_be_run
+3. Modify the Dropbear defaults file, set NO_START to 0 and
+ ensure DROPBEAR_PORT is set to 22.
+ % editor /etc/default/dropbear
+4. Restart the Dropbear server.
+ % /etc/init.d/dropbear restart
+
+See the Dropbear homepage for more information:
+ http://matt.ucc.asn.au/dropbear/dropbear.html
+
diff --git a/debian/dropbear.conffiles b/debian/dropbear.conffiles
new file mode 100644
index 0000000..6919006
--- /dev/null
+++ b/debian/dropbear.conffiles
@@ -0,0 +1,3 @@
+/etc/init.d/dropbear
+/etc/dropbear/run
+/etc/dropbear/log/run
diff --git a/debian/dropbear.docs b/debian/dropbear.docs
new file mode 100644
index 0000000..599d48c
--- /dev/null
+++ b/debian/dropbear.docs
@@ -0,0 +1,3 @@
+README
+TODO
+debian/README.runit
diff --git a/debian/dropbear.init b/debian/dropbear.init index 25eda9f..d9578db 100644 --- a/debian/dropbear.init +++ b/debian/dropbear.init @@ -1,15 +1,4 @@ -#! /bin/sh -# -# skeleton example file to build /etc/init.d/ scripts. -# This file should be used to construct scripts for /etc/init.d. -# -# Written by Miquel van Smoorenburg . -# Modified for Debian -# by Ian Murdock . -# -# Version: @(#)skeleton 1.9 26-Feb-2001 miquels@cistron.nl -# - +#!/bin/sh # # Do not configure this file. Edit /etc/default/dropbear instead! # 
@@ -22,54 +11,45 @@ DESC="Dropbear SSH server" DROPBEAR_PORT=22 DROPBEAR_EXTRA_ARGS= NO_START=0 -set -e -test -f /etc/default/dropbear && . /etc/default/dropbear - -if [ -n "$DROPBEAR_BANNER" ]; then - DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER" -fi -if [ -z "$DROPBEAR_RSAKEY" ]; then - DROPBEAR_RSAKEY="/etc/dropbear/dropbear_rsa_host_key" -fi - -if [ -z "$DROPBEAR_DSSKEY" ]; then - DROPBEAR_DSSKEY="/etc/dropbear/dropbear_dss_host_key" -fi +set -e -test "$NO_START" != "0" && exit 0 +test ! -r /etc/default/dropbear || . /etc/default/dropbear +test "$NO_START" = "0" || exit 0 +test -x "$DAEMON" || exit 0 +test ! -h /var/service/dropbear || exit 0 -test -x $DAEMON || exit 0 +test -z "$DROPBEAR_BANNER" || \ + DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER" +test -n "$DROPBEAR_RSAKEY" || \ + DROPBEAR_RSAKEY="/etc/dropbear/dropbear_rsa_host_key" +test -n "$DROPBEAR_DSSKEY" || \ + DROPBEAR_DSSKEY="/etc/dropbear/dropbear_dss_host_key" case "$1" in start) echo -n "Starting $DESC: " - start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid \ - --exec $DAEMON -- -d $DROPBEAR_DSSKEY -r $DROPBEAR_RSAKEY -p $DROPBEAR_PORT $DROPBEAR_EXTRA_ARGS + start-stop-daemon --start --quiet --pidfile /var/run/"$NAME".pid \ + --exec "$DAEMON" -- -d "$DROPBEAR_DSSKEY" -r "$DROPBEAR_RSAKEY" \ + -p "$DROPBEAR_PORT" $DROPBEAR_EXTRA_ARGS echo "$NAME." ;; stop) echo -n "Stopping $DESC: " - start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/$NAME.pid + start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/"$NAME".pid echo "$NAME." ;; restart|force-reload) - # - # If the "reload" option is implemented, move the "force-reload" - # option to the "reload" entry above. If not, "force-reload" is - # just the same as "restart". 
- # echo -n "Restarting $DESC: " - start-stop-daemon --stop --quiet --oknodo --pidfile \ - /var/run/$NAME.pid + start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/"$NAME".pid sleep 1 - start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid \ - --exec $DAEMON -- -d $DROPBEAR_DSSKEY -r $DROPBEAR_RSAKEY -p $DROPBEAR_PORT $DROPBEAR_EXTRA_ARGS + start-stop-daemon --start --quiet --pidfile /var/run/"$NAME".pid \ + --exec "$DAEMON" -- -d "$DROPBEAR_DSSKEY" -r "$DROPBEAR_RSAKEY" \ + -p "$DROPBEAR_PORT" $DROPBEAR_EXTRA_ARGS echo "$NAME." ;; *) N=/etc/init.d/$NAME - # echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2 echo "Usage: $N {start|stop|restart|force-reload}" >&2 exit 1 ;; diff --git a/debian/dropbear.postinst b/debian/dropbear.postinst new file mode 100644 index 0000000..749ffd1 --- /dev/null +++ b/debian/dropbear.postinst 
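Review bot: The rewritten `start` and `restart` commands quote every expansion except `$DROPBEAR_EXTRA_ARGS`, and the banner path is folded into that variable by `DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"`. The unquoted expansion is needed to pass several options, but it also means a `DROPBEAR_BANNER` value containing whitespace or glob characters is split or expanded before it reaches the daemon. Passing the banner on its own avoids that, e.g. `${DROPBEAR_BANNER:+-b "$DROPBEAR_BANNER"}` on the command line. A comment such as `# DROPBEAR_EXTRA_ARGS is deliberately unquoted: it holds a list of options` would document the remaining case.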
@@ -0,0 +1,68 @@ +#!/bin/sh +set -e + +test "$1" = 'configure' || exit 0 +test -n "$2" || chown log /etc/dropbear/log/main || true + +if test ! -e /etc/dropbear/dropbear_rsa_host_key; then + if test -f /etc/ssh/ssh_host_rsa_key; then + echo "Converting existing OpenSSH RSA host key to Dropbear format." + /usr/lib/dropbear/dropbearconvert openssh dropbear \ + /etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key + else + echo "Generating Dropbear RSA key. Please wait." + dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key + fi +fi +if test ! -e /etc/dropbear/dropbear_dss_host_key; then + if test -f /etc/ssh/ssh_host_dsa_key; then + echo "Converting existing OpenSSH RSA host key to Dropbear format." + /usr/lib/dropbear/dropbearconvert openssh dropbear \ + /etc/ssh/ssh_host_dsa_key /etc/dropbear/dropbear_dss_host_key + else + echo "Generating Dropbear DSS key. Please wait." + dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key + fi +fi +if test ! -s /etc/default/dropbear; then + # check whether OpenSSH seems to be installed. + if test -x /usr/sbin/sshd; then + cat <>/etc/default/dropbear <>/etc/default/dropbear </dev/null + if test -x /usr/sbin/invoke-rc.d; then + invoke-rc.d dropbear start + else + /etc/init.d/dropbear start + fi +fi diff --git a/debian/dropbear.postrm b/debian/dropbear.postrm new file mode 100644 index 0000000..d09dab0 --- /dev/null +++ b/debian/dropbear.postrm @@ -0,0 +1,12 @@ +#! /bin/sh +set -e + +test "$1" = 'purge' || exit 0 +if test -e /etc/dropbear; then + rm -f /etc/dropbear/dropbear_rsa_host_key + rm -f /etc/dropbear/dropbear_dss_host_key + rmdir --ignore-fail-on-non-empty /etc/dropbear +fi +update-rc.d dropbear remove >/dev/null +rm -f /etc/default/dropbear +rm -rf /etc/dropbear/supervise /etc/dropbear/log/supervise diff --git a/debian/dropbear.prerm b/debian/dropbear.prerm new file mode 100644 index 0000000..89bb5b6 --- /dev/null +++ b/debian/dropbear.prerm 
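Review bot: In the `dropbear_dss_host_key` branch the message reads `Converting existing OpenSSH RSA host key to Dropbear format.` although the key being converted is `/etc/ssh/ssh_host_dsa_key`; it should read `Converting existing OpenSSH DSA host key to Dropbear format.`. The script also creates both private host keys without setting a restrictive mode itself, so it relies on `dropbearconvert` and `dropbearkey` to do so; a `umask 077` before the key block would make the file permissions independent of those tools. The first command, `test -n "$2" || chown log /etc/dropbear/log/main || true`, names a user `log` while the README added in this commit creates `dropbearlog`, and the `|| true` hides any failure, so the intended owner is worth confirming.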
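Review bot: The purge path in dropbear.postrm runs `rmdir --ignore-fail-on-non-empty /etc/dropbear` before `rm -rf /etc/dropbear/supervise /etc/dropbear/log/supervise`, so whenever the supervise directories exist the rmdir is attempted on a populated directory and `/etc/dropbear` is left behind. Moving the `rm -rf` line above the `if test -e /etc/dropbear` block, and following the key removal with `rmdir --ignore-fail-on-non-empty /etc/dropbear/log /etc/dropbear`, lets a purge clear the tree while still sparing files the administrator added.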
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -u
+
+test "$1" = 'remove' || test "$1" = 'deconfigure' || exit 0
+if test -x /etc/init.d/dropbear; then
+ if test -x /usr/sbin/invoke-rc.d; then
+ invoke-rc.d dropbear stop
+ else
+ /etc/init.d/dropbear stop
+ fi
+fi
diff --git a/debian/implicit b/debian/implicit
new file mode 100644
index 0000000..d28b629
--- /dev/null
+++ b/debian/implicit
@@ -0,0 +1,79 @@ +# $Id: implicit,v 1.1 2004/06/16 05:08:32 matt Exp $ + +.PHONY: deb-checkdir deb-checkuid + +deb-checkdir: + @test -e debian/control || sh -cx '! : wrong directory' +deb-checkuid: + @test "`id -u`" -eq 0 || sh -cx '! : need root privileges' + +%.deb: %.deb-docs %.deb-DEBIAN + @rm -f $*.deb $*.deb-checkdir $*.deb-docs $*.deb-docs-base \ + $*.deb-docs-docs $*.deb-docs-examples $*.deb-DEBIAN \ + $*.deb-DEBIAN-dir $*.deb-DEBIAN-scripts $*.deb-DEBIAN-md5sums + +%.deb-checkdir: + @test -d debian/$* || sh -cx '! : directory debian/$* missing' + @test "`id -u`" -eq 0 || sh -cx '! : need root privileges' + +%.deb-docs-base: + : implicit + @rm -f debian/$*/usr/share/doc/$*/* || : + @install -d -m0755 debian/$*/usr/share/doc/$* + : debian/$*/usr/share/doc/$*/ + @sh -cx 'install -m0644 debian/copyright debian/$*/usr/share/doc/$*/' + @sh -cx 'install -m0644 debian/changelog \ + debian/$*/usr/share/doc/$*/changelog.Debian' + @test ! -r changelog || \ + sh -cx 'install -m0644 changelog debian/$*/usr/share/doc/$*/' + @test -r debian/$*/usr/share/doc/$*/changelog || \ + sh -cx 'mv debian/$*/usr/share/doc/$*/changelog.Debian \ + debian/$*/usr/share/doc/$*/changelog' + @gzip -9 debian/$*/usr/share/doc/$*/changelog* +%.deb-docs-docs: + @for i in `cat debian/$*.docs 2>/dev/null || :`; do \ + sh -cx "install -m0644 $$i debian/$*/usr/share/doc/$*/" || exit 1; \ + done + @test ! -r debian/$*.README.Debian || \ + sh -cx 'install -m0644 debian/$*.README.Debian \ + debian/$*/usr/share/doc/$*/README.Debian' + @if test -r debian/$*.NEWS.Debian; then \ + sh -cx 'install -m0644 debian/$*.NEWS.Debian \ + debian/$*/usr/share/doc/$*/NEWS.Debian && \ + gzip -9 debian/$*/usr/share/doc/$*/NEWS.Debian'; \ + fi +%.deb-docs-examples: + @rm -rf debian/$*/usr/share/doc/$*/examples + : debian/$*/usr/share/doc/$*/examples/ + @test ! 
-r debian/$*.examples || \ + install -d -m0755 debian/$*/usr/share/doc/$*/examples + @for i in `cat debian/$*.examples 2>/dev/null || :`; do \ + sh -cx "install -m0644 $$i debian/$*/usr/share/doc/$*/examples/" \ + || exit 1; \ + done +%.deb-docs: %.deb-checkdir %.deb-docs-base %.deb-docs-docs %.deb-docs-examples + : debian/$*/usr/share/doc/$*/ ok + +%.deb-DEBIAN-base: + @rm -rf debian/$*/DEBIAN + : debian/$*/DEBIAN/ + @install -d -m0755 debian/$*/DEBIAN + @for i in conffiles shlibs; do \ + test ! -r debian/$*.$$i || \ + sh -cx "install -m0644 debian/$*.$$i debian/$*/DEBIAN/$$i" \ + || exit 1; \ + done +%.deb-DEBIAN-scripts: + @for i in preinst prerm postinst postrm; do \ + test ! -r debian/$*.$$i || \ + sh -cx "install -m0755 debian/$*.$$i debian/$*/DEBIAN/$$i" \ + || exit 1; \ + done +%.deb-DEBIAN-md5sums: + : debian/$*/DEBIAN/md5sums + @rm -f debian/$*/DEBIAN/md5sums + @cd debian/$* && find * -path 'DEBIAN' -prune -o \ + -type f -exec md5sum {} >>DEBIAN/md5sums \; +%.deb-DEBIAN: %.deb-checkdir %.deb-DEBIAN-base %.deb-DEBIAN-scripts \ + %.deb-DEBIAN-md5sums + : debian/$*/DEBIAN/ ok diff --git a/debian/rules b/debian/rules index 4d73093..ee7b14a 100644 --- a/debian/rules +++ b/debian/rules 
@@ -1,134 +1,96 @@ #!/usr/bin/make -f -# Sample debian/rules that uses debhelper. -# GNU copyright 1997 to 1999 by Joey Hess. -# -# Modified to make a template file for a multi-binary package with separated -# build-arch and build-indep targets by Bill Allombert 2001 -# Uncomment this to turn on verbose mode. -#export DH_VERBOSE=1 +#export DH_OPTIONS +DEB_HOST_GNU_TYPE ?=$(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) +DEB_BUILD_GNU_TYPE ?=$(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) -# This has to be exported to make some magic below work. -export DH_OPTIONS - -# These are used for cross-compiling and for saving the configure script -# from having to guess our platform (since we know it already) -DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) -DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) - - -CFLAGS = -Wall -g +STRIP =strip +ifneq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) + STRIP =: nostrip +endif +CFLAGS =-Wall -g ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS += -O0 + CFLAGS +=-O0 else - CFLAGS += -O2 -endif -ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) - INSTALL_PROGRAM += -s + CFLAGS +=-O2 endif -config.status: configure - dh_testdir - # Add here commands to configure the package. - CFLAGS='-DSFTPSERVER_PATH="\"/usr/lib/sftp-server\""' ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info - - -#Architecture -build: build-arch #build-indep - -build-arch: build-arch-stamp -build-arch-stamp: config.status - - # Add here commands to compile the arch part of the package. - $(MAKE) CC=gcc LD=gcc - -build-indep: build-indep-stamp -build-indep-stamp: config.status - - # Add here commands to compile the indep part of the package. - #$(MAKE) doc - -clean: - dh_testdir - dh_testroot - rm -f build-arch-stamp build-indep-stamp config-stamp - - # Add here commands to clean up after the build process. 
- -$(MAKE) clean -ifneq "$(wildcard /usr/share/misc/config.sub)" "" - cp -f /usr/share/misc/config.sub config.sub -endif -ifneq "$(wildcard /usr/share/misc/config.guess)" "" - cp -f /usr/share/misc/config.guess config.guess +CC =gcc +ifneq (,$(findstring diet,$(DEB_BUILD_OPTIONS))) + CC =diet -v -Os gcc endif - - dh_clean - -install: install-indep install-arch -install-indep: - dh_testdir - dh_testroot - dh_clean -k -i - dh_installdirs -i - - # Add here commands to install the indep part of the package into - # debian/-doc. - #INSTALLDOC# - - dh_install -i - -install-arch: - dh_testdir - dh_testroot - dh_clean -k -a - dh_installdirs -a - dh_installdirs /etc/dropbear - - # Add here commands to install the arch part of the package into - # debian/tmp. - $(MAKE) install prefix=$(CURDIR)/debian/dropbear/usr - - dh_install -a -# Must not depend on anything. This is to be called by -# binary-arch/binary-multi -# in another 'make' thread. -binary-common: - cat $(CURDIR)/debian/copyright.in $(CURDIR)/LICENSE > $(CURDIR)/debian/copyright - dh_testdir - dh_testroot - dh_installchangelogs CHANGES - dh_installdocs - dh_installexamples -# dh_installmenu -# dh_installdebconf -# dh_installlogrotate -# dh_installemacsen -# dh_installpam -# dh_installmime - dh_installinit -# dh_installcron -# dh_installinfo - dh_installman - dh_link - dh_strip - dh_compress - dh_fixperms -# dh_perl -# dh_python - dh_makeshlibs - dh_installdeb - dh_gencontrol - dh_md5sums - dh_builddeb -# Build architecture independant packages using the common target. -binary-indep: build-indep install-indep - $(MAKE) -f debian/rules DH_OPTIONS=-i binary-common - -# Build architecture dependant packages using the common target. 
-binary-arch: build-arch install-arch - $(MAKE) -f debian/rules DH_OPTIONS=-a binary-common - -binary: binary-arch #binary-indep -.PHONY: build clean binary-indep binary-arch binary install install-indep install-arch +DIR=`pwd`/debian/dropbear + +patch: deb-checkdir patch-stamp +patch-stamp: +# no patches for now +# for i in debian/diff/*.diff; do patch -p0 <$$i || exit 1; done + touch patch-stamp + +config.status: patch-stamp configure + CFLAGS="$(CFLAGS)"' -DSFTPSERVER_PATH="\"/usr/lib/sftp-server\""' \ + ./configure --host="$(DEB_HOST_GNU_TYPE)" \ + --build="$(DEB_BUILD_GNU_TYPE)" --prefix=/usr \ + --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info + +build: deb-checkdir build-stamp +build-stamp: config.status + $(MAKE) CC="$(CC)" LD="$(CC)" + touch build-stamp + +clean: deb-checkdir deb-checkuid + -$(MAKE) distclean +# test ! -e patch-stamp || \ +# for i in debian/diff/*.diff; do patch -p0 -R <$$i; done + rm -f patch-stamp build-stamp config.log config.status + rm -rf "$(DIR)" + rm -f debian/files debian/substvars debian/copyright changelog + +install: deb-checkdir deb-checkuid build-stamp + rm -rf "$(DIR)" + install -d -m0755 "$(DIR)"/etc/dropbear + # programs + install -d -m0755 "$(DIR)"/usr/sbin + install -m0755 dropbear "$(DIR)"/usr/sbin/dropbear + install -d -m0755 "$(DIR)"/usr/bin + install -m0755 dropbearkey "$(DIR)"/usr/bin/dropbearkey + install -d -m0755 "$(DIR)"/usr/lib/dropbear + install -m0755 dropbearconvert \ + "$(DIR)"/usr/lib/dropbear/dropbearconvert + $(STRIP) -R .comment -R .note "$(DIR)"/usr/sbin/* \ + "$(DIR)"/usr/bin/* "$(DIR)"/usr/lib/dropbear/* + # init and run scripts + install -d -m0755 "$(DIR)"/etc/init.d + install -m0755 debian/dropbear.init "$(DIR)"/etc/init.d/dropbear + install -m0755 debian/service/run "$(DIR)"/etc/dropbear/run + install -d -m0755 "$(DIR)"/etc/dropbear/log + install -m0755 debian/service/log "$(DIR)"/etc/dropbear/log/run + ln -s /var/log/dropbear "$(DIR)"/etc/dropbear/log/main + ln -s /var/run/dropbear 
"$(DIR)"/etc/dropbear/supervise + ln -s /var/run/dropbear.log "$(DIR)"/etc/dropbear/log/supervise + # man pages + install -d -m0755 "$(DIR)"/usr/share/man/man8 + for i in dropbear.8 dropbearkey.8; do \ + install -m644 $$i "$(DIR)"/usr/share/man/man8/ || exit 1; \ + done + gzip -9 "$(DIR)"/usr/share/man/man8/*.8 + # copyright, changelog + cat debian/copyright.in LICENSE >debian/copyright + ln -s CHANGES changelog + +binary-indep: + +binary-arch: install dropbear.deb + test "$(CC)" != 'gcc' || \ + dpkg-shlibdeps "$(DIR)"/usr/sbin/* "$(DIR)"/usr/bin/* \ + "$(DIR)"/usr/lib/dropbear/* + dpkg-gencontrol -isp -pdropbear -P"$(DIR)" + dpkg -b "$(DIR)" .. + +binary: binary-arch binary-indep + +.PHONY: patch build clean install binary-indep binary-arch binary + +include debian/implicit diff --git a/debian/service/log b/debian/service/log new file mode 100644 index 0000000..2ffb13d --- /dev/null +++ b/debian/service/log @@ -0,0 +1,2 @@ +#!/bin/sh +exec chpst -udropbearlog svlogd -tt ./main diff --git a/debian/service/run b/debian/service/run new file mode 100644 index 0000000..f208085 --- /dev/null +++ b/debian/service/run @@ -0,0 +1,3 @@ +#!/bin/sh +exec 2>&1 +exec dropbear -d ./dropbear_dss_host_key -r ./dropbear_rsa_host_key -F -E -p 22 diff --git a/dropbearkey.c b/dropbearkey.c index eac0823..5d4475b 100644 --- a/dropbearkey.c +++ b/dropbearkey.c @@ -45,7 +45,6 @@ * */ #include "includes.h" -#include "runopts.h" #include "signkey.h" #include "buffer.h" #include "dbutil.h" diff --git a/dss.c b/dss.c index 74b92c7..9b56f10 100644 --- a/dss.c +++ b/dss.c @@ -171,6 +171,8 @@ int buf_dss_verify(buffer* buf, dss_key *key, const unsigned char* data, TRACE(("enter buf_dss_verify")); assert(key != NULL); + m_mp_init_multi(&val1, &val2, &val3, &val4, NULL); + /* get blob, check length */ string = buf_getstring(buf, &stringlen); if (stringlen != 2*SHA1_HASH_SIZE) { 
@@ -182,8 +184,6 @@ int buf_dss_verify(buffer* buf, dss_key *key, const unsigned char* data, sha1_process(&hs, data, len); sha1_done(&hs, msghash); - m_mp_init_multi(&val1, &val2, &val3, &val4, NULL); - /* create the signature - s' and r' are the received signatures in buf */ /* w = (s')-1 mod q */ /* let val1 = s' */ diff --git a/gendss.c b/gendss.c index 3e9db09..5a440a1 100644 --- a/gendss.c +++ b/gendss.c @@ -31,7 +31,6 @@ #include "gendss.h" #include "dss.h" -#define PSIZE 128 /* 1024 bit*/ #define QSIZE 20 /* 160 bit */ #ifdef DROPBEAR_DSS diff --git a/includes.h b/includes.h index 52c48ed..b37422b 100644 --- a/includes.h +++ b/includes.h @@ -38,7 +38,6 @@ #include #include #include -#include #include #include @@ -56,6 +55,7 @@ #include #include #include +#include #include @@ -111,10 +111,6 @@ #include #endif -#ifdef HAVE_SYS_DIRENT_H -#include -#endif - #include "libtomcrypt/mycrypt_custom.h" #include "libtommath/tommath.h" diff --git a/options.h b/options.h index f0831b9..c687a8c 100644 --- a/options.h +++ b/options.h @@ -47,6 +47,11 @@ * if you want to use this) */ /*#define NO_FAST_EXPTMOD*/ +/* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save +several kB in binary size, however will make the symmetrical ciphers (AES, DES +etc) slower (perhaps by 50%). Recommended for most small systems. */ +#define DROPBEAR_SMALL_CODE + /* Enable X11 Forwarding - server only */ #define ENABLE_X11FWD @@ -175,7 +180,7 @@ *******************************************************************/ #ifndef DROPBEAR_VERSION -#define DROPBEAR_VERSION "0.41-and-client" +#define DROPBEAR_VERSION "0.45-beta1" #endif #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION diff --git a/packet.c b/packet.c index 997bc6f..5e8e14d 100644 --- a/packet.c +++ b/packet.c 
@@ -50,7 +50,7 @@ static void buf_compress(buffer * dest, buffer * src, unsigned int len); void write_packet() { int len, written; - buffer * writebuf; + buffer * writebuf = NULL; TRACE(("enter write_packet")); assert(!isempty(&ses.writequeue)); @@ -80,6 +80,7 @@ void write_packet() { /* We've finished with the packet, free it */ dequeue(&ses.writequeue); buf_free(writebuf); + writebuf = NULL; } else { /* More packet left to write, leave it in the queue for later */ buf_incrpos(writebuf, written); @@ -503,6 +504,7 @@ void encrypt_packet() { /* clearwritebuf is finished with */ buf_free(clearwritebuf); + clearwritebuf = NULL; /* enqueue the packet for sending */ buf_setpos(writebuf, 0); diff --git a/random.c b/random.c index 725b29c..65a9c64 100644 --- a/random.c +++ b/random.c @@ -60,7 +60,7 @@ static void readrand(unsigned char* buf, unsigned int buflen) { #ifdef DROPBEAR_DEV_URANDOM readfd = open(DEV_URANDOM, O_RDONLY); - if (!readfd) { + if (readfd < 0) { dropbear_exit("couldn't open random device"); } #endif @@ -71,7 +71,8 @@ static void readrand(unsigned char* buf, unsigned int buflen) { strlcpy(egdsock.sun_path, DROPBEAR_EGD_SOCKET, sizeof(egdsock.sun_path)); - if ((readfd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) { + readfd = socket(PF_UNIX, SOCK_STREAM, 0); + if (readfd < 0) { dropbear_exit("couldn't open random device"); } /* todo - try various common locations */ diff --git a/rsa.c b/rsa.c index 2d63c02..1130e93 100644 --- a/rsa.c +++ b/rsa.c @@ -244,8 +244,11 @@ int buf_rsa_verify(buffer * buf, rsa_key *key, const unsigned char* data, } out: - mp_clear_multi(rsa_em, &rsa_mdash, &rsa_s, NULL); - m_free(rsa_em); + if (rsa_em) { + mp_clear(rsa_em); + m_free(rsa_em); + } + mp_clear_multi(&rsa_mdash, &rsa_s, NULL); TRACE(("leave buf_rsa_verify: ret %d", ret)); return ret; 
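Review bot: The new `if (rsa_em)` guard at `out:` in buf_rsa_verify is only sound if `rsa_em` starts out as NULL, and its declaration lies outside this hunk; the later rsa.c hunks add `= NULL` in buf_put_rsa_sign and rsa_pad_em but not visibly here. If it is not already initialised, declare it as `mp_int *rsa_em = NULL;`, otherwise an early `goto out` on a malformed signature blob would test and free an indeterminate pointer. The same question applies to `rsa_mdash` and `rsa_s`: `mp_clear_multi(&rsa_mdash, &rsa_s, NULL)` is safe only if both are initialised before the first jump to `out:`, which cannot be confirmed from the lines shown.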
@@ -260,15 +263,16 @@ void buf_put_rsa_sign(buffer* buf, rsa_key *key, const unsigned char* data, unsigned int nsize, ssize; unsigned int i; mp_int rsa_s; - mp_int *rsa_em; + mp_int *rsa_em = NULL; TRACE(("enter buf_put_rsa_sign")); assert(key != NULL); rsa_em = rsa_pad_em(key, data, len); - /* the actual signing of the padded data */ m_mp_init(&rsa_s); + + /* the actual signing of the padded data */ /* s = em^d mod n */ if (mp_exptmod(rsa_em, key->d, key->n, &rsa_s) != MP_OKAY) { dropbear_exit("rsa error"); @@ -322,10 +326,10 @@ static mp_int * rsa_pad_em(rsa_key * key, {0x00, 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14}; #define RSA_ASN1_MAGIC_LEN 16 - buffer * rsa_EM; + buffer * rsa_EM = NULL; hash_state hs; unsigned int nsize; - mp_int * rsa_em; + mp_int * rsa_em = NULL; assert(key != NULL); assert(data != NULL); diff --git a/signkey.c b/signkey.c index 3efcc2b..7ae08b8 100644 --- a/signkey.c +++ b/signkey.c @@ -194,7 +194,7 @@ void buf_put_pub_key(buffer* buf, sign_key *key, int type) { buffer *pubkeys; TRACE(("enter buf_put_pub_key")); - pubkeys = buf_new(1000); + pubkeys = buf_new(MAX_PUBKEY_SIZE); #ifdef DROPBEAR_DSS if (type == DROPBEAR_SIGNKEY_DSS) { @@ -356,7 +356,7 @@ void buf_put_sign(buffer* buf, sign_key *key, int type, buffer *sigblob; - sigblob = buf_new(1000); + sigblob = buf_new(MAX_PUBKEY_SIZE); #ifdef DROPBEAR_DSS if (type == DROPBEAR_SIGNKEY_DSS) { diff --git a/svr-agentfwd.c b/svr-agentfwd.c index b588586..4e9aa56 100644 --- a/svr-agentfwd.c +++ b/svr-agentfwd.c @@ -64,7 +64,7 @@ int agentreq(struct ChanSess * chansess) { /* create the unix socket dir and file */ if (bindagent(fd, chansess) == DROPBEAR_FAILURE) { - return DROPBEAR_FAILURE; + goto fail; } /* listen */ 
@@ -146,7 +146,7 @@ void agentcleanup(struct ChanSess * chansess) { chansess->agentlistener = NULL; } - if (chansess->agentfile && chansess->agentdir) { + if (chansess->agentfile != NULL && chansess->agentdir != NULL) { /* Remove the dir as the user. That way they can't cause problems except * for themselves */ diff --git a/svr-auth.c b/svr-auth.c index 314171f..ae7ead2 100644 --- a/svr-auth.c +++ b/svr-auth.c @@ -91,7 +91,7 @@ static void send_msg_userauth_banner() { * checking, and handle success or failure */ void recv_msg_userauth_request() { - unsigned char *username, *servicename, *methodname; + unsigned char *username = NULL, *servicename = NULL, *methodname = NULL; unsigned int userlen, servicelen, methodlen; TRACE(("enter recv_msg_userauth_request")); @@ -275,7 +275,7 @@ goodshell: * failures */ void send_msg_userauth_failure(int partial, int incrfail) { - buffer *typebuf; + buffer *typebuf = NULL; TRACE(("enter send_msg_userauth_failure")); diff --git a/svr-authpasswd.c b/svr-authpasswd.c index 7c6c7b7..6f7c909 100644 --- a/svr-authpasswd.c +++ b/svr-authpasswd.c @@ -37,14 +37,14 @@ void svr_auth_password() { #ifdef HAVE_SHADOW_H - struct spwd *spasswd; + struct spwd *spasswd = NULL; #endif - char * passwdcrypt; /* the crypt from /etc/passwd or /etc/shadow */ - char * testcrypt; /* crypt generated from the user's password sent */ + char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */ + char * testcrypt = NULL; /* crypt generated from the user's password sent */ unsigned char * password; unsigned int passwordlen; - unsigned char changepw; + unsigned int changepw; passwdcrypt = ses.authstate.pw->pw_passwd; #ifdef HAVE_SHADOW_H diff --git a/svr-authpubkey.c b/svr-authpubkey.c index 9205078..14b5a78 100644 --- a/svr-authpubkey.c +++ b/svr-authpubkey.c 
@@ -53,7 +53,7 @@ void svr_auth_pubkey() { unsigned char testkey; /* whether we're just checking if a key is usable */ unsigned char* algo = NULL; /* pubkey algo */ unsigned int algolen; - unsigned char* keyblob; + unsigned char* keyblob = NULL; unsigned int keybloblen; buffer * signbuf = NULL; sign_key * key = NULL; diff --git a/svr-chansession.c b/svr-chansession.c index a0e877c..01612f4 100644 --- a/svr-chansession.c +++ b/svr-chansession.c @@ -273,7 +273,7 @@ static void closechansess(struct Channel *channel) { * or x11/authagent forwarding. These are passed to appropriate handlers */ static void chansessionrequest(struct Channel *channel) { - unsigned char * type; + unsigned char * type = NULL; unsigned int typelen; unsigned char wantreply; int ret = 1; @@ -320,7 +320,7 @@ static void chansessionrequest(struct Channel *channel) { out: if (wantreply) { - if (ret == 0) { + if (ret == DROPBEAR_SUCCESS) { send_msg_channel_success(channel); } else { send_msg_channel_failure(channel); @@ -336,7 +336,7 @@ out: static int sessionsignal(struct ChanSess *chansess) { int sig = 0; - unsigned char* signame; + unsigned char* signame = NULL; int i; if (chansess->pid == 0) { @@ -528,11 +528,14 @@ static int sessioncommand(struct Channel *channel, struct ChanSess *chansess, int iscmd, int issubsys) { unsigned int cmdlen; + int ret; TRACE(("enter sessioncommand")); if (chansess->cmd != NULL) { - /* TODO - send error - multiple commands? */ + /* Note that only one command can _succeed_. The client might try + * one command (which fails), then try another. Ie fallback + * from sftp to scp */ return DROPBEAR_FAILURE; } @@ -541,6 +544,7 @@ static int sessioncommand(struct Channel *channel, struct ChanSess *chansess, chansess->cmd = buf_getstring(ses.payload, &cmdlen); if (cmdlen > MAX_CMD_LEN) { + m_free(chansess->cmd); /* TODO - send error - too long ? */ return DROPBEAR_FAILURE; } 
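Review bot: The added `m_free(chansess->cmd);` after the MAX_CMD_LEN check in sessioncommand, and the two further calls added in the following hunks, depend on m_free also resetting the pointer to NULL, which this diff does not show. The guard at the top of the function is `if (chansess->cmd != NULL)`, so a stale value would block the retry that the new comment describes and would presumably be freed a second time when the session is torn down. If m_free is the Dropbear macro that clears its argument, say so next to the first call, e.g. `/* m_free() also NULLs cmd, so the client may try another command */`; if not, add `chansess->cmd = NULL;` after each call. The function begins and ends outside this hunk.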
@@ -552,6 +556,7 @@ static int sessioncommand(struct Channel *channel, struct ChanSess *chansess, } else #endif { + m_free(chansess->cmd); return DROPBEAR_FAILURE; } } @@ -559,11 +564,16 @@ static int sessioncommand(struct Channel *channel, struct ChanSess *chansess, if (chansess->term == NULL) { /* no pty */ - return noptycommand(channel, chansess); + ret = noptycommand(channel, chansess); } else { /* want pty */ - return ptycommand(channel, chansess); + ret = ptycommand(channel, chansess); + } + + if (ret == DROPBEAR_FAILURE) { + m_free(chansess->cmd); } + return ret; } /* Execute a command and set up redirection of stdin/stdout/stderr without a @@ -650,7 +660,7 @@ static int noptycommand(struct Channel *channel, struct ChanSess *chansess) { static int ptycommand(struct Channel *channel, struct ChanSess *chansess) { pid_t pid; - struct logininfo *li; + struct logininfo *li = NULL; #ifdef DO_MOTD buffer * motdbuf = NULL; int len; @@ -778,8 +788,8 @@ static void addchildpid(struct ChanSess *chansess, pid_t pid) { static void execchild(struct ChanSess *chansess) { char *argv[4]; - char * usershell; - char * baseshell; + char * usershell = NULL; + char * baseshell = NULL; unsigned int i; /* wipe the hostkey */ @@ -863,6 +873,11 @@ static void execchild(struct ChanSess *chansess) { agentset(chansess); #endif + /* Re-enable SIGPIPE for the executed process */ + if (signal(SIGPIPE, SIG_DFL) == SIG_ERR) { + dropbear_exit("signal() error"); + } + baseshell = basename(usershell); if (chansess->cmd != NULL) { @@ -921,7 +936,7 @@ void svr_chansessinitialise() { /* add a new environment variable, allocating space for the entry */ void addnewvar(const char* param, const char* var) { - char* newvar; + char* newvar = NULL; int plen, vlen; plen = strlen(param); diff --git a/svr-tcpfwd.c b/svr-tcpfwd.c index 0eccae4..0f22a23 100644 --- a/svr-tcpfwd.c +++ b/svr-tcpfwd.c 
@@ -208,7 +208,7 @@ static int newtcpdirect(struct Channel * channel) { char portstring[NI_MAXSERV]; int sock; int len; - int ret = DROPBEAR_FAILURE; + int err = SSH_OPEN_ADMINISTRATIVELY_PROHIBITED; if (opts.nolocaltcp) { TRACE(("leave newtcpdirect: local tcp forwarding disabled")); @@ -240,6 +240,7 @@ static int newtcpdirect(struct Channel * channel) { snprintf(portstring, sizeof(portstring), "%d", destport); sock = connect_remote(desthost, portstring, 1, NULL); if (sock < 0) { + err = SSH_OPEN_CONNECT_FAILED; TRACE(("leave newtcpdirect: sock failed")); goto out; } @@ -253,13 +254,13 @@ static int newtcpdirect(struct Channel * channel) { channel->infd = sock; channel->initconn = 1; - ret = DROPBEAR_SUCCESS; + err = SSH_OPEN_IN_PROGRESS; out: m_free(desthost); m_free(orighost); - TRACE(("leave newtcpdirect: ret %d", ret)); - return ret; + TRACE(("leave newtcpdirect: err %d", err)); + return err; } #endif diff --git a/svr-x11fwd.c b/svr-x11fwd.c index 0f4f71e..a8d1cd5 100644 --- a/svr-x11fwd.c +++ b/svr-x11fwd.c @@ -131,7 +131,7 @@ static void x11accept(struct Listener* listener, int sock) { void x11setauth(struct ChanSess *chansess) { char display[20]; /* space for "localhost:12345.123" */ - FILE * authprog; + FILE * authprog = NULL; int val; if (chansess->x11listener == NULL) { @@ -187,7 +187,7 @@ static const struct ChanType chan_x11 = { static int send_msg_channel_open_x11(int fd, struct sockaddr_in* addr) { - char* ipstring; + char* ipstring = NULL; if (send_msg_channel_open_init(fd, &chan_x11) == DROPBEAR_SUCCESS) { ipstring = inet_ntoa(addr->sin_addr); -- cgit v1.2.3 From 51a74b47995cfe24ef190b7e254f768eb92735f5 Mon Sep 17 00:00:00 2001 
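Review bot: newtcpdirect now returns an SSH_OPEN_* reason code rather than DROPBEAR_SUCCESS/DROPBEAR_FAILURE, with `SSH_OPEN_IN_PROGRESS` standing in for success, and nothing in these hunks documents that contract. A caller still testing the result against DROPBEAR_SUCCESS would misread it, so the change deserves a header comment such as `/* Returns SSH_OPEN_IN_PROGRESS once the connect has started, else the SSH_OPEN_* reason to report to the peer */`. The default `err = SSH_OPEN_ADMINISTRATIVELY_PROHIBITED` also covers every early `goto out` outside the hunks, so a malformed request would presumably be reported as a policy refusal; worth confirming that is intended. The function starts outside the first hunk.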
From: Matt Johnston Date: Thu, 26 Aug 2004 13:16:40 +0000 Subject: - added circular buffering for channels - added stderr support for the client - cleaned up a bunch of "unused" warnings, duplicated header definitions - added exit-status support for the client --HG-- extra : convert_revision : 5bdf806d8b440c87f7235414662f4189195618f4 --- TODO | 2 + buffer.c | 2 +- channel.h | 12 ++--- chansession.h | 5 -- circbuffer.c | 138 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ circbuffer.h | 50 ++++++++++++++++++++ cli-chansession.c | 36 ++++++++++++-- cli-main.c | 3 +- cli-session.c | 5 +- cli-tcpfwd.c | 2 +- common-channel.c | 67 ++++++++++++++------------ common-session.c | 4 +- dbutil.c | 3 +- includes.h | 10 ++++ session.h | 5 +- svr-agentfwd.c | 2 +- svr-chansession.c | 10 +++- svr-main.c | 7 ++- tcpfwd.h | 3 +- 19 files changed, 302 insertions(+), 64 deletions(-) create mode 100644 circbuffer.c create mode 100644 circbuffer.h (limited to 'includes.h') diff --git a/TODO b/TODO index 0af56c9..4ac3757 100644 --- a/TODO +++ b/TODO @@ -2,6 +2,8 @@ Current: Things which might need doing: +- exit with returned exit codes? + - errfd needs fixing - Make options.h generated from configure perhaps? diff --git a/buffer.c b/buffer.c index df608d9..793eee1 100644 --- a/buffer.c +++ b/buffer.c @@ -1,5 +1,5 @@ /* - * Dropbear - a SSH2 server + * Dropbear SSH * * Copyright (c) 2002,2003 Matt Johnston * All rights reserved. diff --git a/channel.h b/channel.h index 3afd9f1..8a494c7 100644 --- a/channel.h +++ b/channel.h 
@@ -45,16 +45,15 @@ /* Not a real type */ #define SSH_OPEN_IN_PROGRESS 99 -#define MAX_CHANNELS 60 /* simple mem restriction, includes each tcp/x11 +#define MAX_CHANNELS 100 /* simple mem restriction, includes each tcp/x11 connection, so can't be _too_ small */ #define CHAN_EXTEND_SIZE 3 /* how many extra slots to add when we need more */ -#define RECV_MAXWINDOW 6000 /* tweak */ -#define RECV_WINDOWEXTEND (RECV_MAXWINDOW/2) /* We send a "window extend" every - RECV_WINDOWEXTEND bytes */ -#define RECV_MAXPACKET 1400 /* tweak */ -#define RECV_MINWINDOW 19000 /* when we get below this, we send a windowadjust */ +#define RECV_MAXWINDOW 4000 /* tweak */ +#define RECV_WINDOWEXTEND 500 /* We send a "window extend" every + RECV_WINDOWEXTEND bytes */ +#define RECV_MAXPACKET RECV_MAXWINDOW /* tweak */ struct ChanType; @@ -63,6 +62,7 @@ struct Channel { unsigned int index; /* the local channel index */ unsigned int remotechan; unsigned int recvwindow, transwindow; + unsigned int recvdonelen; unsigned int recvmaxpacket, transmaxpacket; void* typedata; /* a pointer to type specific data */ int infd; /* data to send over the wire */ diff --git a/chansession.h b/chansession.h index 3fb1901..84ca55a 100644 --- a/chansession.h +++ b/chansession.h @@ -68,11 +68,6 @@ struct ChildPid { }; -void chansessionrequest(struct Channel * channel); -void send_msg_chansess_exitstatus(struct Channel * channel, - struct ChanSess * chansess); -void send_msg_chansess_exitsignal(struct Channel * channel, - struct ChanSess * chansess); void addnewvar(const char* param, const char* var); void cli_send_chansess_request(); diff --git a/circbuffer.c b/circbuffer.c new file mode 100644 index 0000000..a2edcbb --- /dev/null +++ b/circbuffer.c 
@@ -0,0 +1,138 @@ +/* + * Dropbear SSH + * + * Copyright (c) 2002-2004 Matt Johnston + * All rights reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
*/ + +#include "includes.h" +#include "dbutil.h" +#include "circbuffer.h" + +#define MAX_CBUF_SIZE 100000000 + +circbuffer * cbuf_new(unsigned int size) { + + circbuffer *cbuf = NULL; + + if (size > MAX_CBUF_SIZE) { + dropbear_exit("bad cbuf size"); + } + + cbuf = (circbuffer*)m_malloc(sizeof(circbuffer)); + cbuf->data = (unsigned char*)m_malloc(size); + cbuf->used = 0; + cbuf->readpos = 0; + cbuf->writepos = 0; + cbuf->size = size; + + return cbuf; +} + +void cbuf_free(circbuffer * cbuf) { + + m_free(cbuf->data); + m_free(cbuf); +} + +unsigned int cbuf_getused(circbuffer * cbuf) { + + return cbuf->used; + +} + +unsigned int cbuf_getavail(circbuffer * cbuf) { + + return cbuf->size - cbuf->used; + +} + +unsigned int cbuf_readlen(circbuffer *cbuf) { + + assert(((2*cbuf->size)+cbuf->writepos-cbuf->readpos)%cbuf->size == cbuf->used%cbuf->size); + assert(((2*cbuf->size)+cbuf->readpos-cbuf->writepos)%cbuf->size == (cbuf->size-cbuf->used)%cbuf->size); + + if (cbuf->used == 0) { + TRACE(("cbuf_readlen: unused buffer")); + return 0; + } + + if (cbuf->readpos < cbuf->writepos) { + return cbuf->writepos - cbuf->readpos; + } + + return cbuf->size - cbuf->readpos; +} + +unsigned int cbuf_writelen(circbuffer *cbuf) { + + assert(cbuf->used <= cbuf->size); + assert(((2*cbuf->size)+cbuf->writepos-cbuf->readpos)%cbuf->size == cbuf->used%cbuf->size); + assert(((2*cbuf->size)+cbuf->readpos-cbuf->writepos)%cbuf->size == (cbuf->size-cbuf->used)%cbuf->size); + + if (cbuf->used == cbuf->size) { + TRACE(("cbuf_writelen: full buffer")); + return 0; /* full */ + } + + if (cbuf->writepos < cbuf->readpos) { + return cbuf->readpos - cbuf->writepos; + } + + return cbuf->size - cbuf->writepos; +} + +unsigned char* cbuf_readptr(circbuffer *cbuf, unsigned int len) { + if (len > cbuf_readlen(cbuf)) { + dropbear_exit("bad cbuf read"); + } + + return &cbuf->data[cbuf->readpos]; +} + +unsigned char* cbuf_writeptr(circbuffer *cbuf, unsigned int len) { + + if (len > cbuf_writelen(cbuf)) { + 
dropbear_exit("bad cbuf write"); + } + + return &cbuf->data[cbuf->writepos]; +} + +void cbuf_incrwrite(circbuffer *cbuf, unsigned int len) { + if (len > cbuf_writelen(cbuf)) { + dropbear_exit("bad cbuf write"); + } + + cbuf->used += len; + assert(cbuf->used <= cbuf->size); + cbuf->writepos = (cbuf->writepos + len) % cbuf->size; +} + + +void cbuf_incrread(circbuffer *cbuf, unsigned int len) { + if (len > cbuf_readlen(cbuf)) { + dropbear_exit("bad cbuf read"); + } + + assert(cbuf->used >= len); + cbuf->used -= len; + cbuf->readpos = (cbuf->readpos + len) % cbuf->size; +} diff --git a/circbuffer.h b/circbuffer.h new file mode 100644 index 0000000..21c5134 --- /dev/null +++ b/circbuffer.h 
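Review bot: cbuf_new accepts `size == 0`, and cbuf_readlen and cbuf_writelen then evaluate `% cbuf->size` inside their asserts, which divides by zero. Reject it together with the upper bound: `if (size == 0 || size > MAX_CBUF_SIZE) {`. The two modular asserts are also the only check that `used` stays consistent with `readpos` and `writepos`, and they disappear in an NDEBUG build, so a short comment on them saying the `dropbear_exit` length checks in cbuf_incrread/cbuf_incrwrite are the real bound would help the next reader. None of the functions in this new file has a header comment describing what "linear" length means; the one-line remarks in circbuffer.h could be repeated here.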
@@ -0,0 +1,50 @@ +/* + * Dropbear SSH + * + * Copyright (c) 2002-2004 Matt Johnston + * All rights reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. 
*/ + +#ifndef _CIRCBUFFER_H_ +#define _CIRCBUFFER_H_ +struct circbuf { + + unsigned int size; + unsigned int readpos; + unsigned int writepos; + unsigned int used; + unsigned char* data; +}; + +typedef struct circbuf circbuffer; + +circbuffer * cbuf_new(unsigned int size); +void cbuf_free(circbuffer * cbuf); + +unsigned int cbuf_getused(circbuffer * cbuf); /* how much data stored */ +unsigned int cbuf_getavail(circbuffer * cbuf); /* how much we can write */ +unsigned int cbuf_readlen(circbuffer *cbuf); /* max linear read len */ +unsigned int cbuf_writelen(circbuffer *cbuf); /* max linear write len */ + +unsigned char* cbuf_readptr(circbuffer *cbuf, unsigned int len); +unsigned char* cbuf_writeptr(circbuffer *cbuf, unsigned int len); +void cbuf_incrwrite(circbuffer *cbuf, unsigned int len); +void cbuf_incrread(circbuffer *cbuf, unsigned int len); +#endif diff --git a/cli-chansession.c b/cli-chansession.c index df6eb45..50226dd 100644 --- a/cli-chansession.c +++ b/cli-chansession.c @@ -32,9 +32,11 @@ #include "ssh.h" #include "runopts.h" #include "termcodes.h" +#include "chansession.h" static void cli_closechansess(struct Channel *channel); static int cli_initchansess(struct Channel *channel); +static void cli_chansessreq(struct Channel *channel); static void start_channel_request(struct Channel *channel, unsigned char *type); 
@@ -42,19 +44,43 @@ static void send_chansess_pty_req(struct Channel *channel); static void send_chansess_shell_req(struct Channel *channel); static void cli_tty_setup(); -void cli_tty_cleanup(); const struct ChanType clichansess = { 0, /* sepfds */ "session", /* name */ cli_initchansess, /* inithandler */ NULL, /* checkclosehandler */ - NULL, /* reqhandler */ + cli_chansessreq, /* reqhandler */ cli_closechansess, /* closehandler */ }; +static void cli_chansessreq(struct Channel *channel) { + + unsigned char* type = NULL; + int wantreply; + + TRACE(("enter cli_chansessreq")); + + type = buf_getstring(ses.payload, NULL); + wantreply = buf_getbyte(ses.payload); + + if (strcmp(type, "exit-status") != 0) { + TRACE(("unknown request '%s'", type)); + send_msg_channel_failure(channel); + goto out; + } + + /* We'll just trust what they tell us */ + cli_ses.retval = buf_getint(ses.payload); + TRACE(("got exit-status of '%d'", cli_ses.retval)); + +out: + m_free(type); +} + + /* If the main session goes, we close it up */ -static void cli_closechansess(struct Channel *channel) { +static void cli_closechansess(struct Channel *UNUSED(channel)) { /* This channel hasn't gone yet, so we have > 1 */ if (ses.chancount > 1) { @@ -228,7 +254,7 @@ static void put_winsize() { } -static void sigwinch_handler(int dummy) { +static void sigwinch_handler(int UNUSED(unused)) { cli_ses.winchange = 1; @@ -317,7 +343,7 @@ static int cli_initchansess(struct Channel *channel) { channel->infd = STDOUT_FILENO; channel->outfd = STDIN_FILENO; channel->errfd = STDERR_FILENO; - channel->extrabuf = buf_new(RECV_MAXWINDOW); + channel->extrabuf = cbuf_new(RECV_MAXWINDOW); if (cli_opts.wantpty) { send_chansess_pty_req(channel); diff --git a/cli-main.c b/cli-main.c index 659177e..34a1e42 100644 --- a/cli-main.c +++ b/cli-main.c 
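Review bot: In cli_chansessreq, `wantreply` is read from the payload but never used, so the unknown-request branch sends a channel failure even when the peer did not ask for a reply. An unsolicited failure message can put the two sides out of step on later requests. The branch should read `if (wantreply) { send_msg_channel_failure(channel); }`. Separately, `cli_ses.retval` takes the peer-supplied 32-bit value unchanged and cli_finished later passes it to exit(), so only its low bits reach the parent process. A short comment next to "We'll just trust what they tell us" should say that.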
@@ -96,7 +96,8 @@ static void cli_dropbear_exit(int exitcode, const char* format, va_list param) { exit(exitcode); } -static void cli_dropbear_log(int priority, const char* format, va_list param) { +static void cli_dropbear_log(int UNUSED(priority), + const char* format, va_list param) { char printbuf[1024]; diff --git a/cli-session.c b/cli-session.c index b51e20f..671735c 100644 --- a/cli-session.c +++ b/cli-session.c @@ -118,6 +118,9 @@ static void cli_session_init() { cli_ses.stdincopy = dup(STDIN_FILENO); cli_ses.stdinflags = fcntl(STDIN_FILENO, F_GETFL, 0); + cli_ses.retval = EXIT_SUCCESS; /* Assume it's clean if we don't get a + specific exit status */ + /* Auth */ cli_ses.lastpubkey = NULL; cli_ses.lastauthtype = NULL; @@ -261,7 +264,7 @@ static void cli_finished() { common_session_cleanup(); fprintf(stderr, "Connection to %s@%s:%s closed.\n", cli_opts.username, cli_opts.remotehost, cli_opts.remoteport); - exit(EXIT_SUCCESS); + exit(cli_ses.retval); } diff --git a/cli-tcpfwd.c b/cli-tcpfwd.c index 747d8db..4dbef01 100644 --- a/cli-tcpfwd.c +++ b/cli-tcpfwd.c @@ -89,7 +89,7 @@ static int cli_localtcp(unsigned int listenport, const char* remoteaddr, remoteport)); tcpinfo = (struct TCPListener*)m_malloc(sizeof(struct TCPListener*)); - tcpinfo->sendaddr = remoteaddr; + tcpinfo->sendaddr = m_strdup(remoteaddr); tcpinfo->sendport = remoteport; tcpinfo->listenport = listenport; tcpinfo->chantype = &cli_chan_tcplocal; diff --git a/common-channel.c b/common-channel.c index 41a7208..a4cc44b 100644 --- a/common-channel.c +++ b/common-channel.c 
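Review bot: In the cli-tcpfwd.c hunk, the allocation just above the changed line requests `sizeof(struct TCPListener*)`, the size of a pointer and not of the structure. The assignments that follow (sendaddr, sendport, listenport, chantype) therefore write past the end of the heap block. The commit fixes the lifetime of `sendaddr` with m_strdup but leaves this in place. Suggested line: `tcpinfo = (struct TCPListener*)m_malloc(sizeof(struct TCPListener));`, or `sizeof(*tcpinfo)`. cli_localtcp begins and ends outside the hunk, so any later use of tcpinfo is not visible here.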
@@ -40,7 +40,7 @@ static void send_msg_channel_open_failure(unsigned int remotechan, int reason, static void send_msg_channel_open_confirmation(struct Channel* channel, unsigned int recvwindow, unsigned int recvmaxpacket); -static void writechannel(struct Channel *channel); +static void writechannel(struct Channel* channel, int fd, circbuffer *cbuf); static void send_msg_channel_window_adjust(struct Channel *channel, unsigned int incr); static void send_msg_channel_data(struct Channel *channel, int isextended, @@ -151,6 +151,7 @@ struct Channel* newchannel(unsigned int remotechan, newchan->writebuf = cbuf_new(RECV_MAXWINDOW); newchan->extrabuf = NULL; /* The user code can set it up */ newchan->recvwindow = RECV_MAXWINDOW; + newchan->recvdonelen = 0; newchan->recvmaxpacket = RECV_MAXPACKET; ses.channels[i] = newchan; @@ -220,7 +221,13 @@ void channelio(fd_set *readfd, fd_set *writefd) { continue; /* Important not to use the channel after checkinitdone(), as it may be NULL */ } - writechannel(channel); + writechannel(channel, channel->infd, channel->writebuf); + } + + /* stderr for client mode */ + if (channel->extrabuf != NULL + && channel->errfd >= 0 && FD_ISSET(channel->errfd, writefd)) { + writechannel(channel, channel->errfd, channel->extrabuf); } /* now handle any of the channel-closing type stuff */ 
@@ -350,33 +357,30 @@ static void send_msg_channel_eof(struct Channel *channel) { /* Called to write data out to the local side of the channel. * Only called when we know we can write to a channel, writes as much as * possible */ -static void writechannel(struct Channel* channel) { +static void writechannel(struct Channel* channel, int fd, circbuffer *cbuf) { int len, maxlen; - circbuffer *cbuf; TRACE(("enter writechannel")); - cbuf = channel->writebuf; maxlen = cbuf_readlen(cbuf); - TRACE(("maxlen = %d", maxlen)); - /* Write the data out */ - len = write(channel->infd, cbuf_readptr(cbuf, maxlen), maxlen); + len = write(fd, cbuf_readptr(cbuf, maxlen), maxlen); if (len <= 0) { if (len < 0 && errno != EINTR) { - /* no more to write */ + /* no more to write - we close it even if the fd was stderr, since + * that's a nasty failure too */ closeinfd(channel); } TRACE(("leave writechannel: len <= 0")); return; } - TRACE(("len = %d", len)); cbuf_incrread(cbuf, len); + channel->recvdonelen += len; - if (len == maxlen && channel->recveof) { + if (fd == channel->infd && len == maxlen && channel->recveof) { /* Check if we're closing up */ closeinfd(channel); return; @@ -385,12 +389,17 @@ static void writechannel(struct Channel* channel) { } /* Window adjust handling */ - if (channel->recvwindow < (RECV_MAXWINDOW - RECV_WINDOWEXTEND)) { + if (channel->recvdonelen >= RECV_WINDOWEXTEND) { /* Set it back to max window */ - send_msg_channel_window_adjust(channel, RECV_MAXWINDOW - - channel->recvwindow); - channel->recvwindow = RECV_MAXWINDOW; + send_msg_channel_window_adjust(channel, channel->recvdonelen); + channel->recvwindow += channel->recvdonelen; + channel->recvdonelen = 0; } + + assert(channel->recvwindow <= RECV_MAXWINDOW); + assert(channel->recvwindow <= cbuf_getavail(channel->writebuf)); + assert(channel->extrabuf == NULL || + channel->recvwindow <= cbuf_getavail(channel->extrabuf)); TRACE(("leave writechannel")); 
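Review bot: The close-on-EOF test in writechannel, `fd == channel->infd && len == maxlen && channel->recveof`, treats a complete write of the linear run as if the buffer were empty. However, `maxlen` comes from cbuf_readlen(), which circbuffer.h describes as the max linear read len. When the buffered data wraps, bytes remain after this write and closeinfd() is reached while they are still queued; what closeinfd does with them is not visible here. Using `cbuf_getused(cbuf) == 0` in place of `len == maxlen` would express the intended condition. The window invariants added at the end of the function are checked only with assert(), so they disappear in an NDEBUG build and should not be counted on as a runtime guard.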
@@ -424,6 +433,8 @@ void setchannelfds(fd_set *readfd, fd_set *writefd) { /* For checking FD status (ie closure etc) - we don't actually * read data from infd */ + TRACE(("infd = %d, outfd %d, bufused %d", channel->infd, channel->outfd, + cbuf_getused(channel->writebuf) )); if (channel->infd >= 0 && channel->infd != channel->outfd) { FD_SET(channel->infd, readfd); } @@ -435,12 +446,10 @@ void setchannelfds(fd_set *readfd, fd_set *writefd) { FD_SET(channel->infd, writefd); } - /* if (channel->extrabuf != NULL && channel->errfd >= 0 - && cbuf_getavail(channel->extrabuf) > 0 ) { + && cbuf_getused(channel->extrabuf) > 0 ) { FD_SET(channel->errfd, writefd); } - */ } /* foreach channel */ @@ -468,7 +477,9 @@ void recv_msg_channel_eof() { } channel->recveof = 1; - if (cbuf_getused(channel->writebuf) == 0) { + if (cbuf_getused(channel->writebuf) == 0 + && (channel->extrabuf == NULL + || cbuf_getused(channel->extrabuf) == 0)) { closeinfd(channel); } 
@@ -678,36 +689,34 @@ void common_recv_msg_channel_data(struct Channel *channel, int fd, datalen = buf_getint(ses.payload); - TRACE(("datalen = %d", datalen)); - /* if the client is going to send us more data than we've allocated, then - * it has ignored the windowsize, so we "MAY ignore all extra data" */ maxdata = cbuf_getavail(cbuf); - TRACE(("maxdata = %d", maxdata)); + + /* Whilst the spec says we "MAY ignore data past the end" this could + * lead to corrupted file transfers etc (chunks missed etc). It's better to + * just die horribly */ if (datalen > maxdata) { - TRACE(("Warning: recv_msg_channel_data: extra data past window")); - datalen = maxdata; + dropbear_exit("Oversized packet"); } - /* We may have to run throught twice, if the buffer wraps around. Can't * just "leave it for next time" like with writechannel, since this * is payload data */ len = datalen; while (len > 0) { buflen = cbuf_writelen(cbuf); - TRACE(("buflen = %d", buflen)); buflen = MIN(buflen, len); - TRACE(("buflenmin = %d", buflen)); memcpy(cbuf_writeptr(cbuf, buflen), buf_getptr(ses.payload, buflen), buflen); cbuf_incrwrite(cbuf, buflen); + buf_incrpos(ses.payload, buflen); len -= buflen; - TRACE(("len = %d", buflen)); } + assert(channel->recvwindow > datalen); channel->recvwindow -= datalen; + assert(channel->recvwindow <= RECV_MAXWINDOW); TRACE(("leave recv_msg_channel_data")); } diff --git a/common-session.c b/common-session.c index 1888eb7..f220753 100644 --- a/common-session.c +++ b/common-session.c @@ -35,6 +35,8 @@ #include "channel.h" #include "atomicio.h" +static void checktimeouts(); +static int ident_readln(int fd, char* buf, int count); struct sshsession ses; /* GLOBAL */ @@ -46,8 +48,6 @@ int sessinitdone = 0; /* GLOBAL */ int exitflag = 0; /* GLOBAL */ -static void checktimeouts(); -static int ident_readln(int fd, char* buf, int count); /* called only at the start of a session, set up initial state */ void common_session_init(int sock, char* remotehost) { 
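Review bot: After the copy loop in common_recv_msg_channel_data, the receive window is guarded only by `assert(channel->recvwindow > datalen)`. That check is compiled out under NDEBUG, and because it uses `>` it also aborts when a peer sends exactly the remaining window, which is a legal amount. The runtime check earlier in the hunk compares `datalen` only with cbuf_getavail(cbuf), so with assertions disabled the subtraction could wrap if recvwindow is unsigned (its declaration is not in the hunk). A runtime test before the loop would close this: `if (datalen > channel->recvwindow) { dropbear_exit("Oversized packet"); }`, keeping the asserts as sanity checks only. The function starts before the hunk, so any earlier validation of `datalen` is not visible.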
diff --git a/dbutil.c b/dbutil.c index 0896bc9..a1ec3ed 100644 --- a/dbutil.c +++ b/dbutil.c @@ -111,7 +111,7 @@ static void generic_dropbear_exit(int exitcode, const char* format, exit(exitcode); } -static void generic_dropbear_log(int priority, const char* format, +static void generic_dropbear_log(int UNUSED(priority), const char* format, va_list param) { char printbuf[1024]; @@ -146,7 +146,6 @@ void dropbear_trace(const char* format, ...) { fprintf(stderr, "TRACE: "); vfprintf(stderr, format, param); fprintf(stderr, "\n"); - fflush(stderr); va_end(param); } #endif /* DEBUG_TRACE */ diff --git a/includes.h b/includes.h index b37422b..ceeb561 100644 --- a/includes.h +++ b/includes.h @@ -128,4 +128,14 @@ typedef u_int16_t uint16_t; #define LOG_AUTHPRIV LOG_AUTH #endif +/* so we can avoid warnings about unused params (ie in signal handlers etc) */ +#ifdef UNUSED +#elif defined(__GNUC__) +# define UNUSED(x) UNUSED_ ## x __attribute__((unused)) +#elif defined(__LCLINT__) +# define UNUSED(x) /*@unused@*/ x +#else +# define UNUSED(x) x +#endif + #endif /* _INCLUDES_H_ */ diff --git a/session.h b/session.h index 6afca85..40889a1 100644 --- a/session.h +++ b/session.h @@ -43,7 +43,6 @@ extern int exitflag; void common_session_init(int sock, char* remotehost); void session_loop(void(*loophandler)()); void common_session_cleanup(); -void checktimeouts(); void session_identification(); @@ -54,8 +53,6 @@ void svr_dropbear_log(int priority, const char* format, va_list param); /* Client */ void cli_session(int sock, char *remotehost); -void cli_dropbear_exit(int exitcode, const char* format, va_list param); -void cli_dropbear_log(int priority, const char* format, va_list param); void cli_session_cleanup(); void cleantext(unsigned char* dirtytext); 
@@ -220,6 +217,8 @@ struct clientsession { int lastauthtype; /* either AUTH_TYPE_PUBKEY or AUTH_TYPE_PASSWORD, for the last type of auth we tried */ struct PubkeyList *lastpubkey; + + int retval; /* What the command exit status was - we emulate it */ #if 0 TODO struct AgentkeyList *agentkeys; /* Keys to use for public-key auth */ diff --git a/svr-agentfwd.c b/svr-agentfwd.c index 4e9aa56..2674138 100644 --- a/svr-agentfwd.c +++ b/svr-agentfwd.c @@ -97,7 +97,7 @@ fail: /* accepts a connection on the forwarded socket and opens a new channel for it * back to the client */ /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ -static void agentaccept(struct Listener * listener, int sock) { +static void agentaccept(struct Listener *UNUSED(listener), int sock) { int fd; diff --git a/svr-chansession.c b/svr-chansession.c index d56fb2c..8c9fa3b 100644 --- a/svr-chansession.c +++ b/svr-chansession.c @@ -55,6 +55,10 @@ static int newchansess(struct Channel *channel); static void chansessionrequest(struct Channel *channel); static void send_exitsignalstatus(struct Channel *channel); +static void send_msg_chansess_exitstatus(struct Channel * channel, + struct ChanSess * chansess); +static void send_msg_chansess_exitsignal(struct Channel * channel, + struct ChanSess * chansess); static int sesscheckclose(struct Channel *channel); static void get_termmodes(struct ChanSess *chansess); @@ -68,7 +72,7 @@ static int sesscheckclose(struct Channel *channel) { } /* handler for childs exiting, store the state for return to the client */ -static void sesssigchild_handler(int dummy) { +static void sesssigchild_handler(int UNUSED(dummy)) { int status; pid_t pid; 
@@ -498,7 +502,9 @@ static int sessionpty(struct ChanSess * chansess) { } /* allocate the pty */ - assert(chansess->master == -1); /* haven't already got one */ + if (chansess->master != -1) { + dropbear_exit("multiple pty requests"); + } if (pty_allocate(&chansess->master, &chansess->slave, namebuf, 64) == 0) { TRACE(("leave sessionpty: failed to allocate pty")); return DROPBEAR_FAILURE; diff --git a/svr-main.c b/svr-main.c index 55c4106..7dc3722 100644 --- a/svr-main.c +++ b/svr-main.c @@ -123,7 +123,6 @@ void main_noinetd() { pid_t childpid; int childpipe[2]; - struct sigaction sa_chld; /* fork */ if (svr_opts.forkbg) { int closefds = 0; @@ -303,7 +302,7 @@ void main_noinetd() { /* catch + reap zombie children */ -static void sigchld_handler(int fish) { +static void sigchld_handler(int UNUSED(unused)) { struct sigaction sa_chld; while(waitpid(-1, NULL, WNOHANG) > 0); @@ -316,14 +315,14 @@ static void sigchld_handler(int fish) { } /* catch any segvs */ -static void sigsegv_handler(int fish) { +static void sigsegv_handler(int UNUSED(unused)) { fprintf(stderr, "Aiee, segfault! You should probably report " "this as a bug to the developer\n"); exit(EXIT_FAILURE); } /* catch ctrl-c or sigterm */ -static void sigintterm_handler(int fish) { +static void sigintterm_handler(int UNUSED(unused)) { exitflag = 1; } diff --git a/tcpfwd.h b/tcpfwd.h index 569d59d..504a8d3 100644 --- a/tcpfwd.h +++ b/tcpfwd.h @@ -47,7 +47,7 @@ struct TCPListener { /* A link in a list of forwards */ struct TCPFwdList { - char* connectaddr; + const unsigned char* connectaddr; unsigned int connectport; unsigned int listenport; struct TCPFwdList * next; @@ -60,6 +60,7 @@ extern const struct ChanType svr_chan_tcpdirect; /* Client */ void setup_localtcp(); +void setup_remotetcp(); extern const struct ChanType cli_chan_tcpremote; /* Common */ -- cgit v1.2.3 From 8b32e8a08cb381eee3ffa3ad430b1517f39bac88 Mon Sep 17 00:00:00 2001 
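Review bot: In the svr-main.c hunk, sigsegv_handler still calls fprintf() and exit() from signal context, and neither is async-signal-safe. After a fault inside stdio or the allocator this can deadlock or run atexit handlers on corrupted state. The rename to `UNUSED(unused)` touches this handler without addressing that. A safer body is `write(STDERR_FILENO, msg, sizeof(msg) - 1); _exit(EXIT_FAILURE);` with `msg` a static const char array holding the existing text. In sigintterm_handler, `exitflag` is declared as plain `int` in session.h; `volatile sig_atomic_t` is the type meant for a flag set from a handler.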
From: Matt Johnston Date: Sun, 19 Dec 2004 16:28:08 +0000 Subject: includes.h: include mycrypt.h rather than mycrypt_custom.h --HG-- extra : convert_revision : 63ea0f9a911a31bd88913afdfc31582240b0acfb --- includes.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'includes.h') diff --git a/includes.h b/includes.h index ceeb561..50f2b7b 100644 --- a/includes.h +++ b/includes.h @@ -111,7 +111,7 @@ #include #endif -#include "libtomcrypt/mycrypt_custom.h" +#include "libtomcrypt/mycrypt.h" #include "libtommath/tommath.h" #include "compat.h" -- cgit v1.2.3 From 7b403dc57f0309360e6e431f2bf415cc8100024e Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Mon, 9 May 2005 09:32:33 +0000 Subject: Switching to libtomcrypt 1.02 (still has problems) --HG-- extra : convert_revision : 4dfd70544ed9a766876ddda9f6ac3f26054eb3db --- algo.h | 4 ++-- common-algo.c | 4 ++-- includes.h | 2 +- packet.c | 3 +++ 4 files changed, 8 insertions(+), 5 deletions(-) (limited to 'includes.h') diff --git a/algo.h b/algo.h index 3e8ebb5..5ed01cc 100644 --- a/algo.h +++ b/algo.h @@ -51,13 +51,13 @@ extern const struct dropbear_cipher dropbear_nocipher; extern const struct dropbear_hash dropbear_nohash; struct dropbear_cipher { - const struct _cipher_descriptor *cipherdesc; + const struct ltc_cipher_descriptor *cipherdesc; unsigned long keysize; unsigned char blocksize; }; struct dropbear_hash { - const struct _hash_descriptor *hashdesc; + const struct ltc_hash_descriptor *hashdesc; unsigned long keysize; unsigned char hashsize; }; diff --git a/common-algo.c b/common-algo.c index 1975864..ea9c311 100644 --- a/common-algo.c +++ b/common-algo.c @@ -125,7 +125,7 @@ algo_type sshkex[] = { * This should be run before using any of the ciphers/hashes */ void crypto_init() { - const struct _cipher_descriptor *regciphers[] = { + const struct ltc_cipher_descriptor *regciphers[] = { #ifdef DROPBEAR_AES128_CBC &aes_desc, #endif 
@@ -141,7 +141,7 @@ void crypto_init() { NULL }; - const struct _hash_descriptor *reghashes[] = { + const struct ltc_hash_descriptor *reghashes[] = { /* we need sha1 for hostkey stuff regardless */ &sha1_desc, #ifdef DROPBEAR_MD5_HMAC diff --git a/includes.h b/includes.h index 50f2b7b..6c9f084 100644 --- a/includes.h +++ b/includes.h @@ -111,7 +111,7 @@ #include #endif -#include "libtomcrypt/mycrypt.h" +#include "libtomcrypt/src/headers/tomcrypt.h" #include "libtommath/tommath.h" #include "compat.h" diff --git a/packet.c b/packet.c index 56b31c2..ecda410 100644 --- a/packet.c +++ b/packet.c @@ -201,6 +201,7 @@ static void read_packet_init() { /* decrypt it */ if (cbc_decrypt(buf_getptr(ses.readbuf, blocksize), buf_getwriteptr(ses.decryptreadbuf,blocksize), + blocksize, &ses.keys->recv_symmetric_struct) != CRYPT_OK) { dropbear_exit("error decrypting"); } @@ -254,6 +255,7 @@ void decrypt_packet() { while (ses.readbuf->pos < ses.readbuf->len - macsize) { if (cbc_decrypt(buf_getptr(ses.readbuf, blocksize), buf_getwriteptr(ses.decryptreadbuf, blocksize), + blocksize, &ses.keys->recv_symmetric_struct) != CRYPT_OK) { dropbear_exit("error decrypting"); } @@ -491,6 +493,7 @@ void encrypt_packet() { while (clearwritebuf->pos < clearwritebuf->len) { if (cbc_encrypt(buf_getptr(clearwritebuf, blocksize), buf_getwriteptr(writebuf, blocksize), + blocksize, &ses.keys->trans_symmetric_struct) != CRYPT_OK) { dropbear_exit("error encrypting"); } -- cgit v1.2.3 From a2d343b1089b0419bb3f297d5df584483c8c896a Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Wed, 21 Sep 2005 15:58:19 +0000 Subject: - new function to set "low delay" for a packet, set the ip TOS bit (can help significantly over some links) --HG-- extra : convert_revision : 685c1004b66533aebbd45810533de698a786a4ea --- dbutil.c | 30 ++++++++++++++++++++++++++---- includes.h | 1 + 2 files changed, 27 insertions(+), 4 deletions(-) (limited to 'includes.h') diff --git a/dbutil.c b/dbutil.c index b401ac6..3067d5f 100644 
--- a/dbutil.c +++ b/dbutil.c @@ -153,6 +153,30 @@ void dropbear_trace(const char* format, ...) { } #endif /* DEBUG_TRACE */ +static void set_sock_priority(int sock) { + + int val; + + /* disable nagle */ + val = 1; + setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void*)&val, sizeof(val)); + + /* set the TOS bit. note that this will fail for ipv6, I can't find any + * equivalent. */ +#ifdef IPTOS_LOWDELAY + val = IPTOS_LOWDELAY; + setsockopt(sock, IPPROTO_IP, IP_TOS, (void*)&val, sizeof(val)); +#endif + +#ifdef SO_PRIORITY + /* linux specific, sets QoS class. + * 6 looks to be optimal for interactive traffic (see tc-prio(8) ). */ + val = 6; + setsockopt(sock, SOL_SOCKET, SO_PRIORITY, (void*) &val, sizeof(val)); +#endif + +} + /* Listen on address:port. Unless address is NULL, in which case listen on * everything. If called with address == "", we'll listen on localhost/loopback. * Returns the number of sockets bound on success, or -1 on failure. On @@ -223,8 +247,7 @@ int dropbear_listen(const char* address, const char* port, linger.l_linger = 5; setsockopt(sock, SOL_SOCKET, SO_LINGER, (void*)&linger, sizeof(linger)); - /* disable nagle */ - setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void*)&val, sizeof(val)); + set_sock_priority(sock); if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) { err = errno; @@ -347,8 +370,7 @@ int connect_remote(const char* remotehost, const char* remoteport, TRACE(("Error connecting: %s", strerror(err))) } else { /* Success */ - /* (err is used as a dummy var here) */ - setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void*)&err, sizeof(err)); + set_sock_priority(sock); } freeaddrinfo(res0); diff --git a/includes.h b/includes.h index 6c9f084..ceea160 100644 --- a/includes.h +++ b/includes.h @@ -45,6 +45,7 @@ #include #include #include +#include #include #include #include -- cgit v1.2.3 From f1d36b19702b6af35df2801d0c51eb113ee81495 Mon Sep 17 00:00:00 2001 
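Review bot: The three setsockopt() calls in set_sock_priority all discard their result, so a failure to set TCP_NODELAY looks the same as the IP_TOS failure on IPv6 that the comment already expects. The function is best-effort, so it should not exit, but a trace on failure keeps the behaviour observable: `if (setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void*)&val, sizeof(val)) < 0) { TRACE(("TCP_NODELAY failed: %s", strerror(errno))) }`. The function also lacks a header comment. One line stating that every option is optional and that failures are ignored on purpose would record the intent for dropbear_listen and connect_remote, which now both rely on it.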
From: Matt Johnston Date: Mon, 31 Oct 2005 07:49:57 +0000 Subject: * include netinet/in_systm.h if available before netinet/ip.h, since netbsd seems to require it for some reason. hooray for many unices. --HG-- extra : convert_revision : 762eefb16551bf355cbaffb85453a34221c7a2ff --- configure.in | 2 +- includes.h | 14 ++++++++++---- 2 files changed, 11 insertions(+), 5 deletions(-) (limited to 'includes.h') diff --git a/configure.in b/configure.in index e327ea7..cdafb99 100644 --- a/configure.in +++ b/configure.in @@ -206,7 +206,7 @@ AC_ARG_ENABLE(shadow, # Checks for header files. AC_HEADER_STDC AC_HEADER_SYS_WAIT -AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h security/pam_appl.h pam/pam_appl.h]) +AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h security/pam_appl.h pam/pam_appl.h netinet/in_systm.h]) # Checks for typedefs, structures, and compiler characteristics. AC_C_CONST diff --git a/includes.h b/includes.h index ceea160..02e8877 100644 --- a/includes.h +++ b/includes.h @@ -44,8 +44,6 @@ #include #include #include -#include -#include #include #include #include @@ -58,8 +56,6 @@ #include #include -#include - #ifdef HAVE_UTMP_H #include #endif @@ -76,10 +72,20 @@ #include #endif +#include + #ifdef HAVE_NETINET_IN_H #include #endif +/* netbsd 1.6 needs this to be included before netinet/ip.h for some + * undocumented reason */ +#ifdef HAVE_NETINET_IN_SYSTM_H +#include +#endif + +#include + #ifdef HAVE_NETINET_TCP_H #include #endif -- cgit v1.2.3 From 9a07b93cb3f5ab210485e88f6a476dbceb08bfaf Mon Sep 17 00:00:00 2001 
From: Matt Johnston Date: Tue, 6 Dec 2005 17:49:59 +0000 Subject: * workaround for systems such as glibc 2.1 that have sockaddr_storage.__ss_family rather than sockaddr_storage.ss_family --HG-- extra : convert_revision : 702c67055040d451a946e8c6aadbb6f7af1d3999 --- configure.in | 3 ++- includes.h | 7 +++++++ 2 files changed, 9 insertions(+), 1 deletion(-) (limited to 'includes.h') diff --git a/configure.in b/configure.in index cdafb99..e860831 100644 --- a/configure.in +++ b/configure.in @@ -339,8 +339,9 @@ AC_CHECK_MEMBERS([struct utmp.ut_host, struct utmp.ut_pid, struct utmp.ut_type, #endif ]) -AC_CHECK_MEMBERS([struct utmpx.ut_host, struct utmpx.ut_syslen, struct utmpx.ut_type, struct utmpx.ut_id, struct utmpx.ut_addr, struct utmpx.ut_addr_v6, struct utmpx.ut_time, struct utmpx.ut_tv],,,[ +AC_CHECK_MEMBERS([struct utmpx.ut_host, struct utmpx.ut_syslen, struct utmpx.ut_type, struct utmpx.ut_id, struct utmpx.ut_addr, struct utmpx.ut_addr_v6, struct utmpx.ut_time, struct utmpx.ut_tv, struct sockaddr_storage.ss_family, struct sockadd_storage.__family],,,[ #include +#include #if HAVE_UTMPX_H #include #endif diff --git a/includes.h b/includes.h index 02e8877..06c9692 100644 --- a/includes.h +++ b/includes.h @@ -135,6 +135,13 @@ typedef u_int16_t uint16_t; #define LOG_AUTHPRIV LOG_AUTH #endif +/* glibc 2.1.3 systems have sockaddr_storage.__ss_family rather than + * sockaddr_storage.ss_family */ +#if !defined(HAVE_STRUCT_SOCKADDR_STORAGE_SS_FAMILY) \ + && defined(HAVE_STRUCT_SOCKADDR_STORAGE___SS_FAMILY) +#define ss_family __ss_family +#endif + /* so we can avoid warnings about unused params (ie in signal handlers etc) */ #ifdef UNUSED #elif defined(__GNUC__) -- cgit v1.2.3
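Review bot: The member added to AC_CHECK_MEMBERS in configure.in is spelled `struct sockadd_storage.__family`, but the includes.h hunk tests `HAVE_STRUCT_SOCKADDR_STORAGE___SS_FAMILY`. Autoconf derives the macro name from the struct and member text, so the misspelled entry can never define the symbol includes.h checks, and the `#define ss_family __ss_family` fallback stays inactive on the glibc 2.1.3 systems it targets. The entry should read `struct sockaddr_storage.__ss_family`. Since `ss_family` then becomes a macro for every file that includes includes.h, a short comment there warning that it rewrites any identifier of that name would help later readers.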