# HG changeset patch # User Matt Johnston # Date 1433427928 -28800 # Node ID bb3a03feb31f2d1e4759dce39b7be564287dcad8 # Parent 1e486f368ec335dfef0e849e291b6ef5d11e6a03# Parent 391bb7d560c68e285e3e4cd63511632eeac2443c Merge pull request #13 from gazoo74/fix-warnings Fix warnings diff -r 391bb7d560c6 -r bb3a03feb31f cli-runopts.c --- a/cli-runopts.c Tue May 05 20:42:38 2015 +0200 +++ b/cli-runopts.c Thu Jun 04 22:25:28 2015 +0800 @@ -447,7 +447,7 @@ } #endif -#ifdef DROPBEAR_DEFAULT_CLI_AUTHKEY +#if defined(DROPBEAR_DEFAULT_CLI_AUTHKEY) && defined(ENABLE_CLI_PUBKEY_AUTH) { char *expand_path = expand_tilde(DROPBEAR_DEFAULT_CLI_AUTHKEY); loadidentityfile(expand_path, 0); @@ -498,11 +498,14 @@ m_list_elem *iter; /* Fill out -i, -y, -W options that make sense for all * the intermediate processes */ +#ifdef ENABLE_CLI_PUBKEY_AUTH for (iter = cli_opts.privkeys->first; iter; iter = iter->next) { sign_key * key = (sign_key*)iter->item; len += 3 + strlen(key->filename); } +#endif /* ENABLE_CLI_PUBKEY_AUTH */ + len += 30; /* space for -W , terminator. */ ret = m_malloc(len); total = 0; @@ -524,6 +527,7 @@ total += written; } +#ifdef ENABLE_CLI_PUBKEY_AUTH for (iter = cli_opts.privkeys->first; iter; iter = iter->next) { sign_key * key = (sign_key*)iter->item; @@ -532,6 +536,7 @@ dropbear_assert((unsigned int)written < size); total += written; } +#endif /* ENABLE_CLI_PUBKEY_AUTH */ /* if args were passed, total will be not zero, and it will have a space at the end, so remove that */ if (total > 0) diff -r 391bb7d560c6 -r bb3a03feb31f cli-session.c --- a/cli-session.c Tue May 05 20:42:38 2015 +0200 +++ b/cli-session.c Thu Jun 04 22:25:28 2015 +0800 @@ -124,6 +124,8 @@ /* Exchange identification */ send_session_identification(); + kexfirstinitialise(); /* initialise the kex state */ + send_msg_kexinit(); session_loop(cli_sessionloop); diff -r 391bb7d560c6 -r bb3a03feb31f common-algo.c --- a/common-algo.c Tue May 05 20:42:38 2015 +0200 +++ b/common-algo.c Thu Jun 04 22:25:28 2015 +0800 @@ -144,12 +144,15 @@ #ifdef DROPBEAR_AES256 {"aes256-ctr", 0, &dropbear_aes256, 1, &dropbear_mode_ctr}, #endif +#ifdef DROPBEAR_TWOFISH_CTR +/* twofish ctr is conditional as it hasn't been tested for interoperability, see options.h */ #ifdef DROPBEAR_TWOFISH256 {"twofish256-ctr", 0, &dropbear_twofish256, 1, &dropbear_mode_ctr}, #endif #ifdef DROPBEAR_TWOFISH128 {"twofish128-ctr", 0, &dropbear_twofish128, 1, &dropbear_mode_ctr}, #endif +#endif /* DROPBEAR_TWOFISH_CTR */ #endif /* DROPBEAR_ENABLE_CTR_MODE */ #ifdef DROPBEAR_ENABLE_CBC_MODE diff -r 391bb7d560c6 -r bb3a03feb31f common-session.c --- a/common-session.c Tue May 05 20:42:38 2015 +0200 +++ b/common-session.c Thu Jun 04 22:25:28 2015 +0800 @@ -90,8 +90,6 @@ ses.maxfd = MAX(ses.maxfd, ses.signal_pipe[0]); ses.maxfd = MAX(ses.maxfd, ses.signal_pipe[1]); - kexfirstinitialise(); /* initialise the kex state */ - ses.writepayload = buf_new(TRANS_MAX_PAYLOAD_LEN); ses.transseq = 0; diff -r 391bb7d560c6 -r bb3a03feb31f netio.c --- a/netio.c Tue May 05 20:42:38 2015 +0200 +++ b/netio.c Thu Jun 04 22:25:28 2015 +0800 @@ -70,7 +70,7 @@ struct addrinfo *r; int res = 0; int fastopen = 0; -#ifdef DROPBEAR_TCP_FAST_OPEN +#ifdef DROPBEAR_CLIENT_TCP_FAST_OPEN struct msghdr message; #endif @@ -91,14 +91,13 @@ set_piggyback_ack(c->sock); #endif -#ifdef DROPBEAR_TCP_FAST_OPEN +#ifdef DROPBEAR_CLIENT_TCP_FAST_OPEN fastopen = (c->writequeue != NULL); - memset(&message, 0x0, sizeof(message)); - message.msg_name = r->ai_addr; - message.msg_namelen = r->ai_addrlen; - - if (c->writequeue) { + if (fastopen) { + memset(&message, 0x0, sizeof(message)); + message.msg_name = r->ai_addr; + message.msg_namelen = r->ai_addrlen; /* 6 is arbitrary, enough to hold initial packets */ unsigned int iovlen = 6; /* Linux msg_iovlen is a size_t */ struct iovec iov[6]; @@ -106,18 +105,22 @@ message.msg_iov = iov; message.msg_iovlen = iovlen; res = sendmsg(c->sock, &message, MSG_FASTOPEN); - if (res < 0 && errno != EINPROGRESS) { - m_free(c->errstring); - c->errstring = m_strdup(strerror(errno)); - /* Not entirely sure which kind of errors are normal - 2.6.32 seems to - return EPIPE for any (nonblocking?) sendmsg(). just fall back */ - TRACE(("sendmsg tcp_fastopen failed, falling back. %s", strerror(errno))); - /* No kernel MSG_FASTOPEN support. Fall back below */ - fastopen = 0; - /* Set to NULL to avoid trying again */ - c->writequeue = NULL; + /* Returns EINPROGRESS if FASTOPEN wasn't available */ + if (res < 0) { + if (errno != EINPROGRESS) { + m_free(c->errstring); + c->errstring = m_strdup(strerror(errno)); + /* Not entirely sure which kind of errors are normal - 2.6.32 seems to + return EPIPE for any (nonblocking?) sendmsg(). just fall back */ + TRACE(("sendmsg tcp_fastopen failed, falling back. %s", strerror(errno))); + /* No kernel MSG_FASTOPEN support. Fall back below */ + fastopen = 0; + /* Set to NULL to avoid trying again */ + c->writequeue = NULL; + } + } else { + packet_queue_consume(c->writequeue, res); } - packet_queue_consume(c->writequeue, res); } #endif @@ -310,7 +313,7 @@ setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void*)&val, sizeof(val)); } -#ifdef DROPBEAR_TCP_FAST_OPEN +#ifdef DROPBEAR_SERVER_TCP_FAST_OPEN void set_listen_fast_open(int sock) { int qlen = MAX(MAX_UNAUTH_PER_IP, 5); if (setsockopt(sock, SOL_TCP, TCP_FASTOPEN, &qlen, sizeof(qlen)) != 0) { diff -r 391bb7d560c6 -r bb3a03feb31f netio.h --- a/netio.h Tue May 05 20:42:38 2015 +0200 +++ b/netio.h Thu Jun 04 22:25:28 2015 +0800 @@ -48,7 +48,7 @@ void packet_queue_to_iovec(struct Queue *queue, struct iovec *iov, unsigned int *iov_count); void packet_queue_consume(struct Queue *queue, ssize_t written); -#ifdef DROPBEAR_TCP_FAST_OPEN +#ifdef DROPBEAR_SERVER_TCP_FAST_OPEN /* Try for any Linux builds, will fall back if the kernel doesn't support it */ void set_listen_fast_open(int sock); /* Define values which may be supported by the kernel even if the libc is too old */ diff -r 391bb7d560c6 -r bb3a03feb31f options.h --- a/options.h Tue May 05 20:42:38 2015 +0200 +++ b/options.h Thu Jun 04 22:25:28 2015 +0800 @@ -103,10 +103,15 @@ #define DROPBEAR_ENABLE_CBC_MODE /* Enable "Counter Mode" for ciphers. This is more secure than normal - * CBC mode against certain attacks. This adds around 1kB to binary - * size and is recommended for most cases */ + * CBC mode against certain attacks. It is recommended for security + * and forwards compatibility */ #define DROPBEAR_ENABLE_CTR_MODE +/* Twofish counter mode is disabled by default because it +has not been tested for interoperability with other SSH implementations. +If you test it please contact the Dropbear author */ +/* #define DROPBEAR_TWOFISH_CTR */ + /* You can compile with no encryption if you want. In some circumstances * this could be safe security-wise, though make sure you know what * you're doing. Anyone can see everything that goes over the wire, so diff -r 391bb7d560c6 -r bb3a03feb31f svr-authpasswd.c --- a/svr-authpasswd.c Tue May 05 20:42:38 2015 +0200 +++ b/svr-authpasswd.c Thu Jun 04 22:25:28 2015 +0800 @@ -33,6 +33,8 @@ #ifdef ENABLE_SVR_PASSWORD_AUTH +/* not constant time when strings are differing lengths. + string content isn't leaked, and crypt hashes are predictable length. */ static int constant_time_strcmp(const char* a, const char* b) { size_t la = strlen(a); size_t lb = strlen(b); diff -r 391bb7d560c6 -r bb3a03feb31f svr-main.c --- a/svr-main.c Tue May 05 20:42:38 2015 +0200 +++ b/svr-main.c Thu Jun 04 22:25:28 2015 +0800 @@ -429,7 +429,7 @@ for (n = 0; n < (unsigned int)nsock; n++) { int sock = socks[sockpos + n]; set_sock_priority(sock, DROPBEAR_PRIO_LOWDELAY); -#ifdef DROPBEAR_TCP_FAST_OPEN +#ifdef DROPBEAR_SERVER_TCP_FAST_OPEN set_listen_fast_open(sock); #endif } diff -r 391bb7d560c6 -r bb3a03feb31f svr-session.c --- a/svr-session.c Tue May 05 20:42:38 2015 +0200 +++ b/svr-session.c Thu Jun 04 22:25:28 2015 +0800 @@ -138,6 +138,8 @@ /* exchange identification, version etc */ send_session_identification(); + + kexfirstinitialise(); /* initialise the kex state */ /* start off with key exchange */ send_msg_kexinit(); diff -r 391bb7d560c6 -r bb3a03feb31f sysoptions.h --- a/sysoptions.h Tue May 05 20:42:38 2015 +0200 +++ b/sysoptions.h Thu Jun 04 22:25:28 2015 +0800 @@ -262,9 +262,12 @@ /* Use this string since some implementations might special-case it */ #define DROPBEAR_KEEPALIVE_STRING "keepalive@openssh.com" -/* Linux will attempt TCP fast open, falling back if not supported by the kernel */ +/* Linux will attempt TCP fast open, falling back if not supported by the kernel. + * Currently server is enabled but client is disabled by default until there + * is further compatibility testing */ #ifdef __linux__ -#define DROPBEAR_TCP_FAST_OPEN 1 +#define DROPBEAR_SERVER_TCP_FAST_OPEN +/* #define DROPBEAR_CLIENT_TCP_FAST_OPEN */ #endif /* no include guard for this file */