# HG changeset patch
# User Matt Johnston
# Date 1298901094 0
# Node ID e4991659fc1036d74a3997b62c196cd1ae57b5d9
# Parent 810dfc792ca99fb8365d9323ccd475872b2d20c9
# Parent 53c21d4ec98a983426f9175305a5f2ac8820a8b7
merge of '8a608f0ed5e4b491dba4bf330e560636ec7376fd' and 'b31879a384d3bf8cbcbe2ed731d7d79d49799b1d'
diff -r 53c21d4ec98a -r e4991659fc10 CHANGES
--- a/CHANGES Mon Feb 28 13:51:27 2011 +0000
+++ b/CHANGES Mon Feb 28 13:51:34 2011 +0000
@@ -1,3 +1,7 @@
+0.53.1
+
+- -lcrypt needs to be before object files for static linking
+
 0.53 - Thurs 24 February 2011
 - Various performance/memory use improvements
@@ -19,6 +23,8 @@ - Make -K (keepalive) and -I (idle timeout) work together sensibly in the client. The idle timeout is no longer reset by SSH_MSG_IGNORE packets. +- Add diffie-hellman-group14-sha1 key exchange method + - Compile fix if ENABLE_CLI_PROXYCMD is disabled - /usr/bin/X11/xauth is now the default path
diff -r 53c21d4ec98a -r e4991659fc10 Makefile.in
--- a/Makefile.in Mon Feb 28 13:51:27 2011 +0000
+++ b/Makefile.in Mon Feb 28 13:51:34 2011 +0000
@@ -28,10 +28,10 @@
 queue.o \
 atomicio.o compat.o fake-rfc2553.o
-SVROBJS=svr-kex.o svr-algo.o svr-auth.o sshpty.o \
+SVROBJS=@CRYPTLIB@ svr-kex.o svr-algo.o svr-auth.o sshpty.o \
 svr-authpasswd.o svr-authpubkey.o svr-authpubkeyoptions.o svr-session.o svr-service.o \
 svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o\
- svr-tcpfwd.o svr-authpam.o @CRYPTLIB@
+ svr-tcpfwd.o svr-authpam.o
 CLIOBJS=cli-algo.o cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \
 cli-session.o cli-service.o cli-runopts.o cli-chansession.o \
diff -r 53c21d4ec98a -r e4991659fc10 common-kex.c
--- a/common-kex.c Mon Feb 28 13:51:27 2011 +0000
+++ b/common-kex.c Mon Feb 28 13:51:34 2011 +0000
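Review bot: A linker flag now lives inside an object-list variable: the `@CRYPTLIB@` moved to the head of `SVROBJS` is expanded wherever `$(SVROBJS)` is used, so any rule that treats the list as file names (a dependency list or a clean target) would see `-lcrypt` where a path is expected; whether such a rule exists is outside this hunk. Carrying the library in its own variable, e.g. `SVRLIBS=@CRYPTLIB@` placed on the dropbear link line at the position the CHANGES entry calls for, records the link-order requirement without overloading the object list. The link rule that consumes SVROBJS is not in the hunk.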
@@ -272,8 +272,8 @@
 }
 /* Generate the actual encryption/integrity keys, using the results of the
- * key exchange, as specified in section 5.2 of the IETF secsh-transport
- * draft. This occurs after the DH key-exchange.
+ * key exchange, as specified in section 7.2 of the transport rfc 4253.
+ * This occurs after the DH key-exchange.
  *
  * ses.newkeys is the new set of keys which are generated, these are only
  * taken into use after both sides have sent a newkeys message */
@@ -532,7 +532,7 @@
 }
 /* Initialises and generate one side of the diffie-hellman key exchange values.
- * See the ietf-secsh-transport draft, section 6, for details */
+ * See the transport rfc 4253 section 8 for details */
 /* dh_pub and dh_priv MUST be already initialised */
 void gen_kexdh_vals(mp_int *dh_pub, mp_int *dh_priv) {
diff -r 53c21d4ec98a -r e4991659fc10 dropbearkey.c
--- a/dropbearkey.c Mon Feb 28 13:51:27 2011 +0000
+++ b/dropbearkey.c Mon Feb 28 13:51:34 2011 +0000
@@ -23,7 +23,7 @@
  * SOFTWARE. */
 /* The format of the keyfiles is basically a raw dump of the buffer. Data types
- * are specified in the transport draft - string is a 32-bit len then the
+ * are specified in the transport rfc 4253 - string is a 32-bit len then the
  * non-null-terminated string, mp_int is a 32-bit len then the bignum data.
  * The actual functions are buf_put_rsa_priv_key() and buf_put_dss_priv_key()
diff -r 53c21d4ec98a -r e4991659fc10 options.h
--- a/options.h Mon Feb 28 13:51:27 2011 +0000
+++ b/options.h Mon Feb 28 13:51:34 2011 +0000
@@ -64,7 +64,7 @@
 #define ENABLE_SVR_LOCALTCPFWD
 #define ENABLE_SVR_REMOTETCPFWD
-/* Enable Authentication Agent Forwarding - server only for now */
+/* Enable Authentication Agent Forwarding */
 #define ENABLE_SVR_AGENTFWD
 #define ENABLE_CLI_AGENTFWD
diff -r 53c21d4ec98a -r e4991659fc10 random.c
--- a/random.c Mon Feb 28 13:51:27 2011 +0000
+++ b/random.c Mon Feb 28 13:51:34 2011 +0000
@@ -74,11 +74,6 @@
 if (readfd < 0) {
 dropbear_exit("Couldn't open random device");
 }
- /* todo - try various common locations */
- if (connect(readfd, (struct sockaddr*)&egdsock,
- sizeof(struct sockaddr_un)) < 0) {
- dropbear_exit("Couldn't open random device");
- }
 if (buflen > 255)
 dropbear_exit("Can't request more than 255 bytes from egd");
diff -r 53c21d4ec98a -r e4991659fc10 svr-agentfwd.c
--- a/svr-agentfwd.c Mon Feb 28 13:51:27 2011 +0000
+++ b/svr-agentfwd.c Mon Feb 28 13:51:34 2011 +0000
@@ -27,7 +27,7 @@
 #include "includes.h"
-#ifndef DISABLE_AGENTFWD
+#ifdef ENABLE_SVR_AGENTFWD
 #include "agentfwd.h"
 #include "session.h"
diff -r 53c21d4ec98a -r e4991659fc10 svr-chansession.c
--- a/svr-chansession.c Mon Feb 28 13:51:27 2011 +0000
+++ b/svr-chansession.c Mon Feb 28 13:51:34 2011 +0000
@@ -240,7 +240,7 @@
 chansess->x11authcookie = NULL;
 #endif
-#ifndef DISABLE_AGENTFWD
+#ifdef ENABLE_AGENTFWD
 chansess->agentlistener = NULL;
 chansess->agentfile = NULL;
 chansess->agentdir = NULL;
@@ -293,7 +293,7 @@
 x11cleanup(chansess);
 #endif
-#ifndef DISABLE_AGENTFWD
+#ifdef ENABLE_AGENTFWD
 svr_agentcleanup(chansess);
 #endif
@@ -351,7 +351,7 @@
 } else if (strcmp(type, "x11-req") == 0) {
 ret = x11req(chansess);
 #endif
-#ifndef DISABLE_AGENTFWD
+#ifdef ENABLE_AGENTFWD
 } else if (strcmp(type, "auth-agent-req@openssh.com") == 0) {
 ret = svr_agentreq(chansess);
 #endif
@@ -937,7 +937,7 @@
 /* set up X11 forwarding if enabled */
 x11setauth(chansess);
 #endif
-#ifndef DISABLE_AGENTFWD
+#ifdef ENABLE_AGENTFWD
 /* set up agent env variable */
 svr_agentset(chansess);
 #endif
diff -r 53c21d4ec98a -r e4991659fc10 svr-kex.c
--- a/svr-kex.c Mon Feb 28 13:51:27 2011 +0000
+++ b/svr-kex.c Mon Feb 28 13:51:34 2011 +0000
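Review bot: With the connect() removed, nothing left in this hunk establishes that readfd is a connected socket before the egd request that follows; the head of the function, where readfd is obtained, is outside the hunk, so the connect is presumably done there now, but a failed connect would then surface as a failed write or short read further down rather than as the `Couldn't open random device` exit here — worth confirming that the code obtaining readfd fails closed on its own. The retained `if (buflen > 255)` is an unbraced single-statement if; bracing it as on the preceding `if (readfd < 0) {` matches the file's style and avoids the classic dangling-statement slip when a line is added later. The enclosing function starts and ends outside the hunk.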
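Review bot: This file is now compiled only under `ENABLE_SVR_AGENTFWD`, but the call sites in svr-chansession.c in this same patch are gated on the broader `ENABLE_AGENTFWD`, which sysoptions.h defines from a server-or-client condition; a build with the server option off and the other option on references svr_agentreq(), svr_agentset() and svr_agentcleanup() with no definition behind them. The server-side call sites should test the same macro as this file, `#ifdef ENABLE_SVR_AGENTFWD`, so that the server's agent-forwarding support is switched by exactly one option. The `#endif` closing this guard is outside the hunk.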
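Review bot: The guard around the `auth-agent-req@openssh.com` handler is `ENABLE_AGENTFWD`, a macro sysoptions.h derives from either a server or a client option in this same patch, while the svr_agentreq() it calls is compiled under `ENABLE_SVR_AGENTFWD` only; this is the branch that decides whether a remote peer may ask the server to set up agent forwarding, so it should be enabled by the server option alone, `#ifdef ENABLE_SVR_AGENTFWD`. The same substitution applies to the other three guards in this file (the init, cleanup and svr_agentset() sites), so that all four follow svr-agentfwd.c. The enclosing request-dispatch function starts and ends outside the hunk.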
@@ -70,7 +70,7 @@
  * that, the session hash is calculated, and signed with RSA or DSS. The
  * result is sent to the client.
  *
- * See the ietf-secsh-transport draft, section 6, for details */
+ * See the transport rfc 4253 section 8 for details */
 static void send_msg_kexdh_reply(mp_int *dh_e) {
 DEF_MP_INT(dh_y);
diff -r 53c21d4ec98a -r e4991659fc10 sysoptions.h
--- a/sysoptions.h Mon Feb 28 13:51:27 2011 +0000
+++ b/sysoptions.h Mon Feb 28 13:51:34 2011 +0000
@@ -99,6 +99,7 @@
 #define MAX_PROPOSED_ALGO 20
 /* size/count limits */
+/* From transport rfc */
 #define MIN_PACKET_LEN 16
 #define RECV_MAX_PACKET_LEN (MAX(35000, ((RECV_MAX_PAYLOAD_LEN)+100)))
@@ -123,7 +124,7 @@
 #define MAX_PRIVKEY_SIZE 1700
 /* The maximum size of the bignum portion of the kexhash buffer */
-/* Sect. 8 of the transport draft, K_S + e + f + K */
+/* Sect. 8 of the transport rfc 4253, K_S + e + f + K */
 #define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130)
 #define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit
@@ -161,6 +162,10 @@
 #define USING_LISTENERS
 #endif
+#if defined(ENABLE_SVR_AGENTFWD) || defined(ENABLE_CLI_LOCALTCPFWD)
+#define ENABLE_AGENTFWD
+#endif
+
 #if defined(ENABLE_CLI_NETCAT) && defined(ENABLE_CLI_PROXYCMD)
 #define ENABLE_CLI_MULTIHOP
 #endif
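Review bot: `/* From transport rfc */` leaves the reader to find which clauses the two figures come from; the 16 is the minimum packet size of RFC 4253 section 6 and the 35000 is the total packet size every implementation must accept from section 6.1, so a comment that cites both, `/* RFC 4253 sect. 6 (minimum packet size) and sect. 6.1 (35000-byte total packet size that must be accepted) */`, makes the limits checkable against the spec. RECV_MAX_PAYLOAD_LEN, which the second macro depends on, is defined outside the hunk.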
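Review bot: The three 130-byte allowances inside `KEXHASHBUF_MAX_INTS` size e, f and K for a 1024-bit group (128 bytes plus the 4-byte mpint length and a possible leading sign byte), but the CHANGES entry in this same patch adds diffie-hellman-group14-sha1, whose 2048-bit values need about 261 bytes each; if the kex hash buffer is allocated from this constant without growth — how it is consumed is not in the hunk — only the slack in the 1700 reserved for K_S keeps the total sufficient. The bound should be stated for the largest supported group so the next addition cannot silently eat into that reserve, e.g. `#define KEXHASHBUF_MAX_INTS (1700 + 3*(256 + 5))` with the comment reading `/* Sect. 8 of the transport rfc 4253, K_S + e + f + K, sized for the 2048-bit group14 */`.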
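Review bot: The new condition `defined(ENABLE_SVR_AGENTFWD) || defined(ENABLE_CLI_LOCALTCPFWD)` ties `ENABLE_AGENTFWD` to the client's local TCP forwarding option instead of the `ENABLE_CLI_AGENTFWD` that options.h defines in this same patch; a build with client agent forwarding on and local TCP forwarding off loses the feature, and one with the reverse gets the agent-forwarding code in svr-chansession.c compiled in although no agent option was chosen. The line should read `#if defined(ENABLE_SVR_AGENTFWD) || defined(ENABLE_CLI_AGENTFWD)`. A comment above it, `/* code shared by the client and server agent-forwarding implementations */`, would also record what the umbrella macro is for, since the per-side files still test their own option.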