- diff -burNx debian dropbear-2016.73/cli-main.c dropbear-2015.XX/cli-main.c
- --- dropbear-2016.73/cli-main.c 2016-03-18 17:44:43.000000000 +0300
- +++ dropbear-2015.XX/cli-main.c 2016-08-14 19:43:25.229228227 +0300
- @@ -86,7 +86,8 @@
- } else
- #endif
- {
- - progress = connect_remote(cli_opts.remotehost, cli_opts.remoteport, cli_connected, &ses);
- + progress = connect_remote(cli_opts.ipfamily, cli_opts.remotehost,
- + cli_opts.remoteport, cli_connected, &ses);
- sock_in = sock_out = -1;
- }
- diff -burNx debian dropbear-2016.73/cli-runopts.c dropbear-2015.XX/cli-runopts.c
- --- dropbear-2016.73/cli-runopts.c 2016-03-18 17:44:43.000000000 +0300
- +++ dropbear-2015.XX/cli-runopts.c 2016-08-14 19:43:25.229228227 +0300
- @@ -56,6 +56,9 @@
- #else
- "Usage: %s [options] [user@]host[/port] [command]\n"
- #endif
- +#if defined AF_INET6 && AF_INET6 < AF_MAX
- + "-4,-6 Explicitly force IPv4 or IPv6 usage\n"
- +#endif
- "-p <remoteport>\n"
- "-l <username>\n"
- "-t Allocate a pty\n"
- @@ -176,10 +179,7 @@
- #ifndef DISABLE_SYSLOG
- opts.usingsyslog = 0;
- #endif
- - /* not yet
- - opts.ipv4 = 1;
- - opts.ipv6 = 1;
- - */
- + cli_opts.ipfamily = AF_UNSPEC;
- opts.recv_window = DEFAULT_RECV_WINDOW;
- opts.keepalive_secs = DEFAULT_KEEPALIVE;
- opts.idle_timeout_secs = DEFAULT_IDLE_TIMEOUT;
- @@ -210,6 +210,14 @@
- }
- cli_opts.always_accept_key = 1;
- break;
- +#if defined AF_INET6 && AF_INET6 < AF_MAX
- + case '4':
- + cli_opts.ipfamily = AF_INET;
- + break;
- + case '6':
- + cli_opts.ipfamily = AF_INET6;
- + break;
- +#endif
- case 'p': /* remoteport */
- next = &cli_opts.remoteport;
- break;
- diff -burNx debian dropbear-2016.73/cli-tcpfwd.c dropbear-2015.XX/cli-tcpfwd.c
- --- dropbear-2016.73/cli-tcpfwd.c 2016-03-18 17:44:43.000000000 +0300
- +++ dropbear-2015.XX/cli-tcpfwd.c 2016-08-14 19:43:25.229228227 +0300
- @@ -274,7 +274,8 @@
- }
- snprintf(portstring, sizeof(portstring), "%u", fwd->connectport);
- - channel->conn_pending = connect_remote(fwd->connectaddr, portstring, channel_connect_done, channel);
- + channel->conn_pending = connect_remote(AF_UNSPEC, fwd->connectaddr,
- + portstring, channel_connect_done, channel);
- channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
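Review bot: The new `-4`/`-6` option, described in the usage text as "Explicitly force IPv4 or IPv6 usage", does not reach the forwarded connections: this call passes `AF_UNSPEC` rather than `cli_opts.ipfamily`, and the same holds for the `connect_remote` call in svr-tcpfwd.c and the `dropbear_listen` call in tcp-accept.c, so a server started with `-4` may still end up with a forwarded listener bound on an IPv6 address. If that is intentional, state it where the flag is documented, e.g. `"-4,-6 Explicitly force IPv4 or IPv6 usage (session connection only)\n"`; otherwise pass `cli_opts.ipfamily` here and `svr_opts.ipfamily` in the two server-side calls. The enclosing function continues outside the hunk.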
- diff -burNx debian dropbear-2016.73/common-session.c dropbear-2015.XX/common-session.c
- --- dropbear-2016.73/common-session.c 2016-03-18 17:44:43.000000000 +0300
- +++ dropbear-2015.XX/common-session.c 2016-08-14 19:43:25.237228509 +0300
- @@ -550,10 +550,12 @@
- static long select_timeout() {
- /* determine the minimum timeout that might be required, so
- as to avoid waking when unneccessary */
- - long timeout = LONG_MAX;
- + long timeout = KEX_REKEY_TIMEOUT;
- long now = monotonic_now();
- + if (!ses.kexstate.sentkexinit) {
- update_timeout(KEX_REKEY_TIMEOUT, now, ses.kexstate.lastkextime, &timeout);
- + }
- if (ses.authstate.authdone != 1 && IS_DROPBEAR_SERVER) {
- /* AUTH_TIMEOUT is only relevant before authdone */
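Review bot: The `timeout` initialiser changes from `LONG_MAX` to `KEX_REKEY_TIMEOUT` with no comment, and the new `sentkexinit` guard is the reason it matters: once a KEXINIT has been sent the rekey deadline is no longer folded in, so the constant becomes the upper bound on how long select() may sleep during a pending exchange. A later reader seeing a constant initialiser will be tempted to "fix" it back to `LONG_MAX`; a one-line comment prevents that, e.g. `/* KEX_REKEY_TIMEOUT bounds the wait while a KEX is in progress (sentkexinit set), when the rekey deadline below is skipped */`. The remainder of select_timeout() lies outside the hunk.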
- diff -burNx debian dropbear-2016.73/kex.h dropbear-2015.XX/kex.h
- --- dropbear-2016.73/kex.h 2016-03-18 17:44:43.000000000 +0300
- +++ dropbear-2015.XX/kex.h 2016-08-14 19:43:25.357232748 +0300
- @@ -106,6 +106,6 @@
- #endif
- -#define MAX_KEXHASHBUF 2000
- +#define MAX_KEXHASHBUF 3000
- #endif /* DROPBEAR_KEX_H_ */
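Review bot: `MAX_KEXHASHBUF` grows from 2000 to 3000 with nothing saying what now needs the room; by its name it sizes the exchange-hash buffer, where too small a value is a hard failure and too large is wasted memory, and the next person to adjust it has no reference point. Add a why-comment on the define naming the key-exchange method or key size that exceeded the old limit, e.g. `#define MAX_KEXHASHBUF 3000 /* raised from 2000: TODO note which kex/hostkey size overflowed it */`.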
- diff -burNx debian dropbear-2016.73/netio.c dropbear-2015.XX/netio.c
- --- dropbear-2016.73/netio.c 2016-03-18 17:44:43.000000000 +0300
- +++ dropbear-2015.XX/netio.c 2016-08-14 19:43:25.557239816 +0300
- @@ -129,8 +129,8 @@
- }
- /* Connect via TCP to a host. */
- -struct dropbear_progress_connection *connect_remote(const char* remotehost, const char* remoteport,
- - connect_callback cb, void* cb_data)
- +struct dropbear_progress_connection *connect_remote(int family, const char* remotehost,
- + const char* remoteport, connect_callback cb, void* cb_data)
- {
- struct dropbear_progress_connection *c = NULL;
- int err;
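Review bot: The new `family` parameter of `connect_remote` is copied straight into `hints.ai_family` in the next hunk without a word on the accepted values, and the same applies to `dropbear_listen`, whose existing header comment in the third hunk documents the return value but not the new first argument; the prototypes in netio.h are likewise undocumented. Extend the comment above each definition, e.g. `/* family: AF_UNSPEC, AF_INET or AF_INET6; passed unchecked as the getaddrinfo() hints.ai_family */`, so callers know any other value is handed to the resolver as-is. Both function bodies continue outside their hunks.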
- @@ -147,7 +147,7 @@
- memset(&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_STREAM;
- - hints.ai_family = AF_UNSPEC;
- + hints.ai_family = family;
- err = getaddrinfo(remotehost, remoteport, &hints, &c->res);
- if (err) {
- @@ -354,7 +354,7 @@
- * Returns the number of sockets bound on success, or -1 on failure. On
- * failure, if errstring wasn't NULL, it'll be a newly malloced error
- * string.*/
- -int dropbear_listen(const char* address, const char* port,
- +int dropbear_listen(int family, const char* address, const char* port,
- int *socks, unsigned int sockcount, char **errstring, int *maxfd) {
- struct addrinfo hints, *res = NULL, *res0 = NULL;
- @@ -367,7 +367,7 @@
- TRACE(("enter dropbear_listen"))
- memset(&hints, 0, sizeof(hints));
- - hints.ai_family = AF_UNSPEC; /* TODO: let them flag v4 only etc */
- + hints.ai_family = family;
- hints.ai_socktype = SOCK_STREAM;
- /* for calling getaddrinfo:
- diff -burNx debian dropbear-2016.73/netio.h dropbear-2015.XX/netio.h
- --- dropbear-2016.73/netio.h 2016-03-18 17:44:43.000000000 +0300
- +++ dropbear-2015.XX/netio.h 2016-08-14 19:43:25.557239816 +0300
- @@ -18,7 +18,7 @@
- char **remote_host, char **remote_port, int host_lookup);
- void getaddrstring(struct sockaddr_storage* addr,
- char **ret_host, char **ret_port, int host_lookup);
- -int dropbear_listen(const char* address, const char* port,
- +int dropbear_listen(int family, const char* address, const char* port,
- int *socks, unsigned int sockcount, char **errstring, int *maxfd);
- struct dropbear_progress_connection;
- @@ -28,8 +28,8 @@
- typedef void(*connect_callback)(int result, int sock, void* data, const char* errstring);
- /* Always returns a progress connection, if it fails it will call the callback at a later point */
- -struct dropbear_progress_connection * connect_remote (const char* remotehost, const char* remoteport,
- - connect_callback cb, void *cb_data);
- +struct dropbear_progress_connection * connect_remote (int family, const char* remotehost,
- + const char* remoteport, connect_callback cb, void *cb_data);
- /* Sets up for select() */
- void set_connect_fds(fd_set *writefd);
- diff -burNx debian dropbear-2016.73/options.h dropbear-2015.XX/options.h
- --- dropbear-2016.73/options.h 2016-03-18 17:44:43.000000000 +0300
- +++ dropbear-2015.XX/options.h 2016-08-14 19:43:25.557239816 +0300
- @@ -21,13 +21,13 @@
- /* Default hostkey paths - these can be specified on the command line */
- #ifndef DSS_PRIV_FILENAME
- -#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
- +#define DSS_PRIV_FILENAME "/etc/storage/dropbear/dss_host_key"
- #endif
- #ifndef RSA_PRIV_FILENAME
- -#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
- +#define RSA_PRIV_FILENAME "/etc/storage/dropbear/rsa_host_key"
- #endif
- #ifndef ECDSA_PRIV_FILENAME
- -#define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
- +#define ECDSA_PRIV_FILENAME "/etc/storage/dropbear/ecdsa_host_key"
- #endif
- /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
- @@ -41,7 +41,7 @@
- * Both of these flags can be defined at once, don't compile without at least
- * one of them. */
- #define NON_INETD_MODE
- -#define INETD_MODE
- +/*#define INETD_MODE*/
- /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
- * perhaps 20% slower for pubkey operations (it is probably worth experimenting
- @@ -52,7 +52,7 @@
- several kB in binary size however will make the symmetrical ciphers and hashes
- slower, perhaps by 50%. Recommended for small systems that aren't doing
- much traffic. */
- -#define DROPBEAR_SMALL_CODE
- +/*#define DROPBEAR_SMALL_CODE*/
- /* Enable X11 Forwarding - server only */
- #define ENABLE_X11FWD
- @@ -81,7 +81,7 @@
- /* Enable "Netcat mode" option. This will forward standard input/output
- * to a remote TCP-forwarded connection */
- -#define ENABLE_CLI_NETCAT
- +/*#define ENABLE_CLI_NETCAT*/
- /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
- #define ENABLE_USER_ALGO_LIST
- @@ -95,8 +95,8 @@
- #define DROPBEAR_AES256
- /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
- /*#define DROPBEAR_BLOWFISH*/
- -#define DROPBEAR_TWOFISH256
- -#define DROPBEAR_TWOFISH128
- +/*#define DROPBEAR_TWOFISH256*/
- +/*#define DROPBEAR_TWOFISH128*/
- /* Enable CBC mode for ciphers. This has security issues though
- * is the most compatible with older SSH implementations */
- @@ -157,12 +157,12 @@
- with badly seeded /dev/urandom when systems first boot.
- This also requires a runtime flag "-R". This adds ~4kB to binary size (or hardly
- anything if dropbearkey is linked in a "dropbearmulti" binary) */
- -#define DROPBEAR_DELAY_HOSTKEY
- +/*#define DROPBEAR_DELAY_HOSTKEY*/
- /* Enable Curve25519 for key exchange. This is another elliptic
- * curve method with good security properties. Increases binary size
- * by ~8kB on x86-64 */
- -#define DROPBEAR_CURVE25519
- +/*#define DROPBEAR_CURVE25519*/
- /* Enable elliptic curve Diffie Hellman key exchange, see note about
- * ECDSA above */
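Review bot: Disabling `DROPBEAR_CURVE25519` removes the curve25519 key exchange that the comment directly above describes as having "good security properties", and disabling `DROPBEAR_DELAY_HOSTKEY` removes the `-R` first-connection key generation that its comment recommends precisely for systems with a badly seeded /dev/urandom at boot. If both are size trade-offs (the comments put them at ~8kB and ~4kB), record that next to each commented-out define, e.g. `/*#define DROPBEAR_CURVE25519*/ /* disabled for binary size on this target */`, and make sure the target's host keys are generated once the entropy pool is seeded rather than at first boot, since the `-R` safeguard is no longer available.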
- @@ -190,11 +190,11 @@
- #define DROPBEAR_SERVER_DELAY_ZLIB 1
- /* Whether to do reverse DNS lookups. */
- -/*#define DO_HOST_LOOKUP */
- +/*#define DO_HOST_LOOKUP*/
- /* Whether to print the message of the day (MOTD). This doesn't add much code
- * size */
- -#define DO_MOTD
- +/*#define DO_MOTD*/
- /* The MOTD file path */
- #ifndef MOTD_FILENAME
- @@ -216,7 +216,7 @@
- #define ENABLE_SVR_PASSWORD_AUTH
- #endif
- /* PAM requires ./configure --enable-pam */
- -/*#define ENABLE_SVR_PAM_AUTH */
- +/*#define ENABLE_SVR_PAM_AUTH*/
- #define ENABLE_SVR_PUBKEY_AUTH
- /* Whether to take public key options in
- @@ -270,18 +270,18 @@
- * not yet authenticated. After this limit, connections are rejected */
- /* The first setting is per-IP, to avoid denial of service */
- #ifndef MAX_UNAUTH_PER_IP
- -#define MAX_UNAUTH_PER_IP 5
- +#define MAX_UNAUTH_PER_IP 3
- #endif
- /* And then a global limit to avoid chewing memory if connections
- * come from many IPs */
- #ifndef MAX_UNAUTH_CLIENTS
- -#define MAX_UNAUTH_CLIENTS 30
- +#define MAX_UNAUTH_CLIENTS 10
- #endif
- /* Maximum number of failed authentication tries (server option) */
- #ifndef MAX_AUTH_TRIES
- -#define MAX_AUTH_TRIES 10
- +#define MAX_AUTH_TRIES 4
- #endif
- /* The default file to store the daemon's process ID, for shutdown
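Review bot: `MAX_UNAUTH_PER_IP` drops to 3 and `MAX_AUTH_TRIES` to 4 without a comment on the trade-off; the per-IP limit counts pending unauthenticated sessions, so a few stuck or slow clients behind one NAT address can exhaust it and, per the existing comment, further connections from that address are rejected until they time out. Worth a note beside the value so the choice is deliberate rather than accidental, e.g. `#define MAX_UNAUTH_PER_IP 3 /* tightened for a small device; all clients behind one NAT share this budget */`.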
- @@ -293,19 +293,19 @@
- /* The command to invoke for xauth when using X11 forwarding.
- * "-q" for quiet */
- #ifndef XAUTH_COMMAND
- -#define XAUTH_COMMAND "/usr/bin/xauth -q"
- +#define XAUTH_COMMAND "/opt/bin/xauth -q"
- #endif
- /* if you want to enable running an sftp server (such as the one included with
- * OpenSSH), set the path below. If the path isn't defined, sftp will not
- * be enabled */
- #ifndef SFTPSERVER_PATH
- -#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
- +#define SFTPSERVER_PATH "/opt/libexec/sftp-server"
- #endif
- /* This is used by the scp binary when used as a client binary. If you're
- * not using the Dropbear client, you'll need to change it */
- -#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
- +#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/ssh"
- /* Whether to log commands executed by a client. This only logs the
- * (single) command sent to the server, not what a user did in a
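Review bot: `DROPBEAR_PATH_SSH_PROGRAM` now points scp at `/usr/bin/ssh`, while the comment immediately above still says this only needs changing "if you're not using the Dropbear client", and this same patch extends the Dropbear client (cli-main.c, cli-runopts.c). If `/usr/bin/ssh` is a symlink to the Dropbear client on the target image, say so in the comment, e.g. `/* /usr/bin/ssh is a dropbearmulti symlink on the target image */`; otherwise scp may exec a different SSH client than the one this build ships.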
- diff -burNx debian dropbear-2016.73/release.sh dropbear-2015.XX/release.sh
- --- dropbear-2016.73/release.sh 2016-03-18 17:44:43.000000000 +0300
- +++ dropbear-2015.XX/release.sh 1970-01-01 03:00:00.000000000 +0300
- @@ -1,45 +0,0 @@
- -#!/bin/sh
- -VERSION=$(echo '#include "sysoptions.h"\necho DROPBEAR_VERSION' | cpp - | sh)
- -echo Releasing version "$VERSION" ...
- -if ! head -n1 CHANGES | grep -q $VERSION ; then
- - echo "CHANGES needs updating"
- - exit 1
- -fi
- -
- -if ! head -n1 debian/changelog | grep -q $VERSION ; then
- - echo "debian/changelog needs updating"
- - exit 1
- -fi
- -
- -head -n1 CHANGES
- -
- -#sleep 3
- -
- -RELDIR=$PWD/../dropbear-$VERSION
- -ARCHIVE=${RELDIR}.tar.bz2
- -if test -e $RELDIR; then
- - echo "$RELDIR exists"
- - exit 1
- -fi
- -
- -if test -e $ARCHIVE; then
- - echo "$ARCHIVE exists"
- - exit 1
- -fi
- -
- -hg archive "$RELDIR" || exit 2
- -
- -(cd "$RELDIR" && autoconf && autoheader) || exit 2
- -
- -rm -r "$RELDIR/autom4te.cache" || exit 2
- -
- -rm "$RELDIR/.hgtags"
- -
- -(cd "$RELDIR/.." && tar cjf $ARCHIVE `basename "$RELDIR"`) || exit 2
- -
- -ls -l $ARCHIVE
- -openssl sha -sha256 $ARCHIVE
- -echo Done to
- -echo "$ARCHIVE"
- -echo Sign it with
- -echo gpg2 --detach-sign -a -u F29C6773 "$ARCHIVE"
- diff -burNx debian dropbear-2016.73/runopts.h dropbear-2015.XX/runopts.h
- --- dropbear-2016.73/runopts.h 2016-03-18 17:44:43.000000000 +0300
- +++ dropbear-2015.XX/runopts.h 2016-08-14 19:43:25.557239816 +0300
- @@ -80,11 +80,8 @@
- int inetdmode;
- - /* Flags indicating whether to use ipv4 and ipv6 */
- - /* not used yet
- - int ipv4;
- - int ipv6;
- - */
- + /* ip protocol family to use */
- + int ipfamily;
- #ifdef DO_MOTD
- /* whether to print the MOTD */
- @@ -124,6 +121,10 @@
- typedef struct cli_runopts {
- char *progname;
- +
- + /* ip protocol family to use */
- + int ipfamily;
- +
- char *remotehost;
- char *remoteport;
- diff -burNx debian dropbear-2016.73/signkey.c dropbear-2015.XX/signkey.c
- --- dropbear-2016.73/signkey.c 2016-03-18 17:44:43.000000000 +0300
- +++ dropbear-2015.XX/signkey.c 2016-08-14 19:43:25.557239816 +0300
- @@ -410,7 +410,8 @@
- /* skip the size int of the string - this is a bit messy */
- md5_process(&hs, keyblob, keybloblen);
- - md5_done(&hs, hash);
- + if (md5_done(&hs, hash) != CRYPT_OK)
- + return NULL;
- /* "md5 hexfingerprinthere\0", each hex digit is "AB:" etc */
- buflen = 4 + 3*MD5_HASH_SIZE;
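Review bot: The added `md5_done` check introduces a NULL return on a path that previously always yielded a string, so every caller of this fingerprint function now needs a NULL check before printing or freeing the result; the callers are outside this hunk, and if any passes the result to a `%s` format the failure case becomes a NULL dereference instead of a logged error. The file also appears to brace single-statement bodies (see `if (err) {` in the netio.c hunks), so `if (md5_done(&hs, hash) != CRYPT_OK) { return NULL; }`. The enclosing function starts and ends outside the hunk.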
- diff -burNx debian dropbear-2016.73/svr-main.c dropbear-2015.XX/svr-main.c
- --- dropbear-2016.73/svr-main.c 2016-03-18 17:44:43.000000000 +0300
- +++ dropbear-2015.XX/svr-main.c 2016-08-14 19:43:25.557239816 +0300
- @@ -119,6 +119,7 @@
- int childsock;
- int childpipe[2];
- + memset(listensocks, 0, sizeof(listensocks));
- /* Note: commonsetup() must happen before we daemon()ise. Otherwise
- daemon() will chdir("/"), and we won't be able to find local-dir
- hostkeys. */
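Review bot: `memset(listensocks, 0, sizeof(listensocks))` makes every unused slot look like fd 0 rather than an invalid descriptor; that is harmless only if every later loop over the array is bounded by the count of sockets actually bound, which is not visible here. If the array holds file descriptors, initialising the slots to -1 is the conventional sentinel and makes a stray close() or FD_SET on an unused slot fail loudly instead of acting on stdin — or add a comment stating that the zero fill is only to silence an uninitialised-use warning and the bound is always the returned count. The enclosing function continues outside the hunk.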
- @@ -415,7 +416,8 @@
- TRACE(("listening on '%s:%s'", svr_opts.addresses[i], svr_opts.ports[i]))
- - nsock = dropbear_listen(svr_opts.addresses[i], svr_opts.ports[i], &socks[sockpos],
- + nsock = dropbear_listen(svr_opts.ipfamily,
- + svr_opts.addresses[i], svr_opts.ports[i], &socks[sockpos],
- sockcount - sockpos,
- &errstring, maxfd);
- diff -burNx debian dropbear-2016.73/svr-runopts.c dropbear-2015.XX/svr-runopts.c
- --- dropbear-2016.73/svr-runopts.c 2016-03-18 17:44:43.000000000 +0300
- +++ dropbear-2015.XX/svr-runopts.c 2016-08-14 19:43:25.561239956 +0300
- @@ -80,6 +80,9 @@
- "-k Disable remote port forwarding\n"
- "-a Allow connections to forwarded ports from any host\n"
- #endif
- +#if defined AF_INET6 && AF_INET6 < AF_MAX
- + "-4,-6 Explicitly force IPv4 or IPv6 usage\n"
- +#endif
- "-p [address:]port\n"
- " Listen on specified tcp port (and optionally address),\n"
- " up to %d can be specified\n"
- @@ -149,17 +152,13 @@
- opts.compress_mode = DROPBEAR_COMPRESS_ON;
- #endif
- #endif
- -
- - /* not yet
- - opts.ipv4 = 1;
- - opts.ipv6 = 1;
- - */
- #ifdef DO_MOTD
- svr_opts.domotd = 1;
- #endif
- #ifndef DISABLE_SYSLOG
- opts.usingsyslog = 1;
- #endif
- + svr_opts.ipfamily = AF_UNSPEC;
- opts.recv_window = DEFAULT_RECV_WINDOW;
- opts.keepalive_secs = DEFAULT_KEEPALIVE;
- opts.idle_timeout_secs = DEFAULT_IDLE_TIMEOUT;
- @@ -210,6 +209,14 @@
- svr_opts.inetdmode = 1;
- break;
- #endif
- +#if defined AF_INET6 && AF_INET6 < AF_MAX
- + case '4':
- + svr_opts.ipfamily = AF_INET;
- + break;
- + case '6':
- + svr_opts.ipfamily = AF_INET6;
- + break;
- +#endif
- case 'p':
- nextisport = 1;
- break;
- diff -burNx debian dropbear-2016.73/svr-tcpfwd.c dropbear-2015.XX/svr-tcpfwd.c
- --- dropbear-2016.73/svr-tcpfwd.c 2016-03-18 17:44:43.000000000 +0300
- +++ dropbear-2015.XX/svr-tcpfwd.c 2016-08-14 19:43:25.561239956 +0300
- @@ -270,7 +270,8 @@
- }
- snprintf(portstring, sizeof(portstring), "%u", destport);
- - channel->conn_pending = connect_remote(desthost, portstring, channel_connect_done, channel);
- + channel->conn_pending = connect_remote(AF_UNSPEC, desthost, portstring,
- + channel_connect_done, channel);
- channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE;
- diff -burNx debian dropbear-2016.73/tcp-accept.c dropbear-2015.XX/tcp-accept.c
- --- dropbear-2016.73/tcp-accept.c 2016-03-18 17:44:43.000000000 +0300
- +++ dropbear-2015.XX/tcp-accept.c 2016-08-14 19:43:25.561239956 +0300
- @@ -123,7 +123,7 @@
- /* first we try to bind, so don't need to do so much cleanup on failure */
- snprintf(portstring, sizeof(portstring), "%u", tcpinfo->listenport);
- - nsocks = dropbear_listen(tcpinfo->listenaddr, portstring, socks,
- + nsocks = dropbear_listen(AF_UNSPEC, tcpinfo->listenaddr, portstring, socks,
- DROPBEAR_MAX_SOCKS, &errstring, &ses.maxfd);
- if (nsocks < 0) {
- dropbear_log(LOG_INFO, "TCP forward failed: %s", errstring);