# HG changeset patch # User Matt Johnston # Date 1519824539 -28800 # Node ID 61a793b6e4719dbc652cd697b5ea0ad1788ef7e9 # Parent bb8eaa26bc933a5eb82915d50d14ff169ca339c0# Parent 4c382cbb19e6aa27a4624d98d37b638cd6b30e3c merge from main diff -r bb8eaa26bc93 -r 61a793b6e471 .hgsigs --- a/.hgsigs Mon Feb 26 22:44:48 2018 +0800 +++ b/.hgsigs Wed Feb 28 21:28:59 2018 +0800 @@ -23,3 +23,4 @@ 70705edee9dd29cd3d410f19fbd15cc3489313e2 0 iQIcBAABCgAGBQJW7CQRAAoJEESTFJTynGdzTj0QAJL38CKSZthBAeI9c6B+IlwIeT6kPZaPqk1pkycCTWOe87NiNU9abrsF+JrjTuRQiO1EpM2IvfQEIXTijUcMxvld3PnzrZDDv6UvBLtOkn3i++HSVRO0MOuTKI8gFDEPUxRtcaCKXEbqYnf1OTK25FT09Vb//qP9mK1thvlLJmbV+D2a9MkMK66rom1d1h+347IsuwsM+ycHjB80VVAQLA7VYLC5YIwmL17dSmcQLvetfikAMwwmUE+KES4qiLSaqOcAWcKcU67RZzgMMv5o0rESlQmv1nj0mHZtHoUR71sd21emPaRXLOr0oT5YogWUphKq2qVthRn2B06+vd3hPdtn92CmJw9j7zT2jl4OeSjNm9qfAajsRzHIANssFxkGAb7w/LxcMoO29JC+01iUUJMdOVm+4Ns6wGI7qxssWPKdB+VbQUDlHrXLR+sopO524uhkYoWB6DVfTj4R6tImaHtj5/VXON0lsYaLGj8cSH60emL6nNQ0lYV/bSlk6l0s+0x3uXGZnp9oKA+vqMzHfG3vJeMm6KUqtFVjUsYx+q8nHm5/SlWxj1EwnkH8s8ELKZAUXjd76nWEwJ7JFRNRSQWvjOUh3/rsOo4JopzZXPsjCjm+Vql9TG0X6hB21noai32oD5RvfhtR/NX6sXNS5TKZz/j/cMsMnAAsSKb6W7Jm 9030ffdbe5625e35ed7189ab84a41dfc8d413e9c 0 iQIcBAABCgAGBQJXkOg0AAoJEESTFJTynGdzc1kP/3vSKCnhOOvjCjnpTQadYcCUq8vTNnfLHYVu0R4ItPa/jT6RmxoaYP+lZnLnnBx9+aX7kzwHsa9BUX3MbMEyLrOzX2I+bDJbNPhQyupyCuPYlf5Q9KVcO9YlpbsC4q5XBzCn3j2+pT8kSfi9uD8fgY3TgE4w9meINrfQAealfjwMLT8S/I49/ni0r+usSfk/dnSShJYDUO7Ja0VWbJea/GkkZTu30bCnMUZPjRApipU3hPP63WFjkSMT1rp2mAXbWqyr9lf8z32yxzM9nMSjq4ViRFzFlkGtE3EVRJ4PwkO7JuiWAMPJpiQcEr+r52cCsmWhiGyHuINo01MwoMO9/n6uL1WVa3mJcE9se3xBOvfgDu2FRFGCAdm1tef+AGVo9EG1uJXi0sX2yUc6DMeuYaRWrXMMlZh7zp9cuNU9Y/lLui9RFmq66yeXG3Z2B72doju3Ig5QGrNNw2AOsSzeHdAtOp6ychqPcl9QfIeJQG18KyPSefZKM3G8YRKBRIwXFEH6iZJe5ZIP4iXrHDMn2JqtTRtDqKR8VNDAgb9z4Ffx8QRxFyj5JzTTMM1GddHb9udLvTQlO0ULYG7hCSMRNzvUBE2aTw8frjLRyfyyg3QpDu/hz8op8s1ecE8rTCD8RuX9DiiylNozypPtGNS+UDbAmkc1PCWaRpPVl+9K6787 5c9207ceedaea794f958224c19214d66af6e2d56 0 iQIzBAABCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAlkdtooACgkQRJMUlPKcZ3P6ZxAAmLy/buZB/d96DJF/pViRWt/fWdjQFC4MqWfeSLW02OZ8Qkm1vPL3ln6WPHC2thy3xZWVg2uan3pLk/XXnsIFu8Q7r1EAfFFpvlMUmdl7asE8V6ilaeqmiI7bIvGMFbf4cZkQliLjiFkJX56tFHRCNi+rb7WgRuru3/GzPXUq2AvXZvFpFJgik0B72TxVlmCKeBRZq1FvP0UhAH48RJWYJksdEyzh2paMfjX9ZO5Q2SFFrmPw6k2ArdJFC1AYcgceZC84y06RKJ0WiSntUPlEUXgQbQVVWbtQDhjfJXMr/beuroNdT/vsRraLVkAzvhaDXNnHlAJNLQxci+AcLpnzZhxMW+ax7RRtrpXGxRN4cs0lBGUcSkaDybFqMYXwEjXAE8w6fdJRWCIlxctkAW/iNEO4kAG97hI2Qwcw5oU2Ymnv09zyGR+XJE35pJqPulJHExdwanJHvmjH0QF7TNFS82yxS5dKnP954cj3Lu9SWGYWjxQJRmLtOwb+lqqol4VTxG7Ois4uef9/Tpp9skeMZXVeNlpn2wrp6iFcX3uiiVDg9VKkl3ig6UqCiqQSuiIN87RXwUOeHXlCnW3adz3Xei0ziBrwLSql7lBIHGEAlUUNmJ3CrR8IwQtcynGEMKfNIeZ/XK+uNlm9cJIqZf1fzqc8KexlyS9AS0i/kiYZTr4= +2f0c3f3361d3ea4eb9129ed8810699fda7e7a8ee 0 iQIzBAABCgAdFiEE9zR+8u4uB6JnYoypRJMUlPKcZ3MFAlqVb+IACgkQRJMUlPKcZ3OENA//R9HsOUJQB2QZjRgAvqgLn2AMLUvmWb2etTZEc3Nps957Fw1F4kjh6VGfIpWuytfsDx1W8qRx09ikTdb3YteMWCuX8/aFreSPrioYmzrAEcxkZdA7B/jciqU0iXuHiJ9saKk5TR70aNp+iRy0hjAgiYEsVMF9YKHzULOJcHr70x9XVKquubQkwNqJA+/b2JbK2j46wM5nVK/alGSI2kMmEzXmAHQxsvf1OLMvgH8ou/l0xsg/CuFEK299XKfZAbsFEXrjuoWZ1aSa6rTeOWsWli5T+czyyJHI4Eu0Sz/gaR8+MPhJSYes8YjvzEdv32rRMDVOdBq4e+HoTgFt/THYABP6/R1H5fX3Lm4K8u9F9SwJbb/YKRAIrfWDob8ApnGFHk2dyYO20Fskbbg6b1pC7ulDWsufu8lYkQyMlTc3dR6P4eTB6mKO4x+gMG6tIYZ60fiULoEnMJCgegPtevmz+TG1rzdjh3ljiw9Dxz5lNtL+W7sBKKHwhyG0u+bavgmvBMKNL/rdHEM+0yCIz1U6Lb8sVaST1E4zbdm7cWHbSozBij3G0GBSkLFEq7ZLlh8wco9rELRh0Y9fFsWY9j6H/PTOu0GfHrYluFb9WGywHAquQY8j2croRx+MrvTbR1wZrbevPNm9gqk3vgOiDWu7KwxLLqcj+dEQ7tccptVYtbM= diff -r bb8eaa26bc93 -r 61a793b6e471 .hgtags --- a/.hgtags Mon Feb 26 22:44:48 2018 +0800 +++ b/.hgtags Wed Feb 28 21:28:59 2018 +0800 @@ -55,3 +55,4 @@ 309e1c4a87682b6ca7d80b8555a1db416c3cb7ac DROPBEAR_2016.73 0ed3d2bbf956cb8a9bf0f4b5a86b7dd9688205cb DROPBEAR_2016.74 c31276613181c5cff7854e7ef586ace03424e55e DROPBEAR_2017.75 +1c66ca4f3791c82501c88e7637312182c7294978 DROPBEAR_2018.76 diff -r bb8eaa26bc93 -r 61a793b6e471 CHANGES --- a/CHANGES Mon Feb 26 22:44:48 2018 +0800 +++ b/CHANGES Wed Feb 28 21:28:59 2018 +0800 @@ -1,6 +1,7 @@ -Upcoming... +2018.76 - 27 February 2018 -- IMPORTANT: +> > > Configuration/compatibility changes + IMPORTANT Custom configuration is now specified in local_options.h rather than options.h Available options and defaults can be seen in default_options.h @@ -9,10 +10,10 @@ be put in localoptions.h - "configure --enable-static" should now be used instead of "make STATIC=1" + This will avoid 'hardened build' flags that conflict with static binaries -- Add group14-256 and group16 key exchange options - -- Set hardened build flags by default if supported by the compiler. +- Set 'hardened build' flags by default if supported by the compiler. + These can be disabled with configure --disable-harden if needed. -Wl,-pie -Wl,-z,now -Wl,-z,relro -fstack-protector-strong @@ -21,9 +22,24 @@ -mfunction-return=thunk -mindirect-branch=thunk - These can be disabled with configure --disable-harden if needed Spectre patch from Loganaden Velvindron +- "dropbear -r" option for hostkeys no longer attempts to load the default + hostkey paths as well. If desired these can be specified manually. + Patch from CamVan Nguyen + +- group1-sha1 key exchange is disabled in the server by default since + the fixed 1024-bit group may be susceptible to attacks + +- twofish ciphers are now disabled in the default configuration + +- Default generated ECDSA key size is now 256 (rather than 521) + for better interoperability + +- Minimum RSA key length has been increased to 1024 bits + +> > > Other features and fixes + - Add runtime -T max_auth_tries option from Kevin Darbyshire-Bryant - Add 'dbclient -J &fd' to allow dbclient to connect over an existing socket. @@ -31,18 +47,25 @@ - Add "-c forced_command" option. Patch from Jeremy Kerr +- Restricted group -G option added with patch from stellarpower + - Support server-chosen TCP forwarding ports, patch from houseofkodai - Allow choosing outgoing address for dbclient with -b [bind_address][:bind_port] Patch from houseofkodai -- Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1 +- Makefile will now rebuild object files when header files are modified + +- Add group14-256 and group16 key exchange options -- Minimum RSA key length has been increased to 1024 bits +- curve25519-sha256 also supported without @libssh.org suffix + +- Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1 + This fixes building with some recent versions of clang - Set PAM_RHOST which is needed by modules such as pam_abl -- Improvements to DSS public key validation, found by OSS-Fuzz. +- Improvements to DSS and RSA public key validation, found by OSS-Fuzz. - Don't exit when an authorized_keys file has malformed entries. Found by OSS-Fuzz diff -r bb8eaa26bc93 -r 61a793b6e471 Makefile.in --- a/Makefile.in Mon Feb 26 22:44:48 2018 +0800 +++ b/Makefile.in Wed Feb 28 21:28:59 2018 +0800 @@ -19,6 +19,7 @@ ifeq (@BUNDLED_LIBTOM@, 1) LIBTOM_DEPS=$(STATIC_LTC) $(STATIC_LTM) +LIBTOM_CLEAN=ltc-clean ltm-clean CFLAGS+=-I$(srcdir)/libtomcrypt/src/headers/ LIBTOM_LIBS=$(STATIC_LTC) $(STATIC_LTM) endif @@ -226,7 +227,7 @@ sizes: dropbear objdump -t dropbear|grep ".text"|cut -d "." -f 2|sort -rn -clean: ltc-clean ltm-clean thisclean +clean: $(LIBTOM_CLEAN) thisclean thisclean: -rm -f dropbear$(EXEEXT) dbclient$(EXEEXT) dropbearkey$(EXEEXT) \ diff -r bb8eaa26bc93 -r 61a793b6e471 README --- a/README Mon Feb 26 22:44:48 2018 +0800 +++ b/README Wed Feb 28 21:28:59 2018 +0800 @@ -8,8 +8,8 @@ SMALL has some tips on creating small binaries. -See TODO for a few of the things I know need looking at, and please contact -me if you have any questions/bugs found/features/ideas/comments etc :) +Please contact me if you have any questions/bugs found/features/ideas/comments etc :) +There is also a mailing list http://lists.ucc.gu.uwa.edu.au/mailman/listinfo/dropbear Matt Johnston matt@ucc.asn.au diff -r bb8eaa26bc93 -r 61a793b6e471 configure.ac --- a/configure.ac Mon Feb 26 22:44:48 2018 +0800 +++ b/configure.ac Wed Feb 28 21:28:59 2018 +0800 @@ -339,9 +339,9 @@ # Checks for header files. AC_HEADER_STDC AC_HEADER_SYS_WAIT -AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h \ - string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h \ - pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h \ +AC_CHECK_HEADERS([netinet/in.h netinet/tcp.h \ + crypt.h \ + pty.h libutil.h libgen.h inttypes.h stropts.h utmp.h \ utmpx.h lastlog.h paths.h util.h netdb.h security/pam_appl.h \ pam/pam_appl.h netinet/in_systm.h sys/uio.h linux/pkt_sched.h]) @@ -498,7 +498,6 @@ AC_CHECK_FUNCS(explicit_bzero memset_s) - AC_ARG_ENABLE(bundled-libtom, [ --enable-bundled-libtom Force using bundled libtomcrypt/libtommath even if a system version exists. --disable-bundled-libtom Force using system libtomcrypt/libtommath, fail if it does not exist. @@ -794,7 +793,9 @@ AC_PROG_GCC_TRADITIONAL AC_FUNC_MEMCMP AC_FUNC_SELECT_ARGTYPES -AC_CHECK_FUNCS([dup2 getpass getspnam getusershell memset putenv select socket strdup clearenv strlcpy strlcat daemon basename _getpty getaddrinfo freeaddrinfo getnameinfo fork writev]) +AC_CHECK_FUNCS([getpass getspnam getusershell putenv]) +AC_CHECK_FUNCS([clearenv strlcpy strlcat daemon basename _getpty getaddrinfo ]) +AC_CHECK_FUNCS([freeaddrinfo getnameinfo fork writev getgrouplist]) AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) diff -r bb8eaa26bc93 -r 61a793b6e471 debian/changelog --- a/debian/changelog Mon Feb 26 22:44:48 2018 +0800 +++ b/debian/changelog Wed Feb 28 21:28:59 2018 +0800 @@ -1,3 +1,9 @@ +dropbear (2018.76-0.1) unstable; urgency=low + + * New upstream release. + + -- Matt Johnston Tue, 27 Feb 2018 22:51:57 +0800 + dropbear (2017.75-0.1) unstable; urgency=low * New upstream release. diff -r bb8eaa26bc93 -r 61a793b6e471 debian/dropbear.docs --- a/debian/dropbear.docs Mon Feb 26 22:44:48 2018 +0800 +++ b/debian/dropbear.docs Wed Feb 28 21:28:59 2018 +0800 @@ -1,4 +1,3 @@ README -TODO debian/README.runit debian/README.Debian.diet diff -r bb8eaa26bc93 -r 61a793b6e471 runopts.h --- a/runopts.h Mon Feb 26 22:44:48 2018 +0800 +++ b/runopts.h Wed Feb 28 21:28:59 2018 +0800 @@ -92,8 +92,14 @@ #endif int norootlogin; + +#ifdef HAVE_GETGROUPLIST + /* restrict_group is the group name if group restriction was enabled, + NULL otherwise */ char *restrict_group; + /* restrict_group_gid is only valid if restrict_group is set */ gid_t restrict_group_gid; +#endif int noauthpass; int norootpass; diff -r bb8eaa26bc93 -r 61a793b6e471 svr-auth.c --- a/svr-auth.c Mon Feb 26 22:44:48 2018 +0800 +++ b/svr-auth.c Wed Feb 28 21:28:59 2018 +0800 @@ -197,6 +197,7 @@ m_free(methodname); } +#ifdef HAVE_GETGROUPLIST /* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */ static int check_group_membership(gid_t check_gid, const char* username, gid_t user_gid) { int ngroups, i, ret; @@ -230,7 +231,7 @@ return match; } - +#endif /* Check that the username exists and isn't disallowed (root), and has a valid shell. * returns DROPBEAR_SUCCESS on valid username, DROPBEAR_FAILURE on failure */ @@ -300,6 +301,7 @@ } /* check for login restricted to certain group if desired */ +#ifdef HAVE_GETGROUPLIST if (svr_opts.restrict_group) { if (check_group_membership(svr_opts.restrict_group_gid, ses.authstate.pw_name, ses.authstate.pw_gid) == DROPBEAR_FAILURE) { @@ -310,6 +312,7 @@ return DROPBEAR_FAILURE; } } +#endif HAVE_GETGROUPLIST TRACE(("shell is %s", ses.authstate.pw_shell)) diff -r bb8eaa26bc93 -r 61a793b6e471 svr-runopts.c --- a/svr-runopts.c Mon Feb 26 22:44:48 2018 +0800 +++ b/svr-runopts.c Wed Feb 28 21:28:59 2018 +0800 @@ -70,7 +70,9 @@ "-m Don't display the motd on login\n" #endif "-w Disallow root logins\n" +#ifdef HAVE_GETGROUPLIST "-G Restrict logins to members of specified group\n" +#endif #if DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH "-s Disable password logins\n" "-g Disable password logins for root\n" @@ -135,8 +137,10 @@ svr_opts.forced_command = NULL; svr_opts.forkbg = 1; svr_opts.norootlogin = 0; +#ifdef HAVE_GETGROUPLIST svr_opts.restrict_group = NULL; svr_opts.restrict_group_gid = 0; +#endif svr_opts.noauthpass = 0; svr_opts.norootpass = 0; svr_opts.allowblankpass = 0; @@ -235,9 +239,11 @@ case 'w': svr_opts.norootlogin = 1; break; +#ifdef HAVE_GETGROUPLIST case 'G': next = &svr_opts.restrict_group; break; +#endif case 'W': next = &recv_window_arg; break; @@ -340,6 +346,7 @@ buf_setpos(svr_opts.banner, 0); } +#ifdef HAVE_GETGROUPLIST if (svr_opts.restrict_group) { struct group *restrictedgroup = getgrnam(svr_opts.restrict_group); @@ -348,8 +355,8 @@ } else { dropbear_exit("Cannot restrict logins to group '%s' as the group does not exist", svr_opts.restrict_group); } - } +#endif if (recv_window_arg) { opts.recv_window = atol(recv_window_arg); diff -r bb8eaa26bc93 -r 61a793b6e471 svr-tcpfwd.c --- a/svr-tcpfwd.c Mon Feb 26 22:44:48 2018 +0800 +++ b/svr-tcpfwd.c Wed Feb 28 21:28:59 2018 +0800 @@ -86,7 +86,7 @@ } if (strcmp("tcpip-forward", reqname) == 0) { - int allocated_listen_port; + int allocated_listen_port = 0; ret = svr_remotetcpreq(&allocated_listen_port); /* client expects-port-number-to-make-use-of-server-allocated-ports */ if (DROPBEAR_SUCCESS == ret) { diff -r bb8eaa26bc93 -r 61a793b6e471 sysoptions.h --- a/sysoptions.h Mon Feb 26 22:44:48 2018 +0800 +++ b/sysoptions.h Wed Feb 28 21:28:59 2018 +0800 @@ -4,7 +4,7 @@ *******************************************************************/ #ifndef DROPBEAR_VERSION -#define DROPBEAR_VERSION "2017.75" +#define DROPBEAR_VERSION "2018.76" #endif #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION