# HG changeset patch # User Matt Johnston # Date 1450189474 -28800 # Node ID 84cf9062718d7996f62648cfec4f24c38a00743c # Parent a2955908662807a3cc6345b29a4b160ae6451d76# Parent b73c078e11e99ae4cbd249a6329a7b9a56b1a4bf merge diff -r a29559086628 -r 84cf9062718d .hgsigs --- a/.hgsigs Wed Dec 02 22:37:51 2015 +0800 +++ b/.hgsigs Tue Dec 15 22:24:34 2015 +0800 @@ -18,3 +18,4 @@ ef4b26364b0cdda1084751d7de3d76c589e2d9cb 0 iQIcBAABCgAGBQJVxg7BAAoJEESTFJTynGdz9Q4P/A0Kq4H52rQqxq42PoEMFbVQIUfkFzyWjAz8eEGLmP5x5/sdpyxZDEyBSUG55uyNvOPTHE+Sd3t2h2Iieq749qwYgqggXC0P+C0zGzW3hB5Rv6dTUrKN1yCyaWE2tY488RsyVlcAs4vrp1Cum5Gv8/BUVKjzZmkZ1iq/3RyrvbLEiLoMrcLnQ+sUdaYHvfEwxDbzpOEvepg8iDJBitTrfG9xHp9otX6ucahwn1EumFvC5mvUxbiQ9jv76t4FJztjMoB24hPCH9T1FjB8uNsoM+j2Z67r81eJrGgNpJzjX0S3lY/AADZGhfGnfybTM9gFuQayIJuCJqduQibVwYkAAnPi17NmbdwPu0Rdz55oU+ft09XLVm/qkQcD1EP5bxYWnLIEMkkZQnFx7WdMpjKK9oGxZHeFYAKEgPgePCkk4TQ4PxNa+3854H19AUssQlaueGcbDLyPIRiSyqhleXawGfaJi+1jBt0DM7CNbAHAUWUE07VhQzNGWjabdEk4eXKTmDL+mZJFdHGBhyCve8sPmZBYJvM2PRgcXe8fwFh+R7gVj6kFbZJvgM9kG7EeF+4ZMEXG4yKpV/SKfMMeEPBCZjFxZhlJJ0fsZbB1Y/iLw8LXnJ0fa/5xFYv6k+iytfom/rqS4iUD7NWTjcEYHjd4EO4QlPD2Ef/AWOO8YBUBv8kA af074dbcb68ff8670b3818e0d66d5dc6f1bd5877 0 iQIcBAABCgAGBQJWVdQfAAoJEPSYMBLCC7qs+n4P/RgZU3GsLFJN7v7Cn6NOdKdfjJBmlbCtK9KwlZZaj8fW4noqnLDcDd6a2xT4mDV3rCE6+QYialGXjNkkNCBwD9Z+gFc8spOtThrpQ54dgWzbgDlYB1y7Hp7DoWoJQIlU6Od9nWBemcSrAviOFNAX8+S6poRdEhrHgMcv2xJoqHjvT7X8gob0RnJcYxW5nLWzDaJV58QnX6QlXg4ClSB6IoCeEawdW6WzXlZ9MGsRycTtx1ool7Uo6Vo2xg48n9TaJqM/lbSsMAjHxO/fdTJMWzTId1fuZxJGFVeJbkhjSwlf7fkVXxrgDxjvIAmFDR8TSTfJo50CD82j5rPcd7KSEpQ12ImBUsntPDgOtt/mJZ3HcFds86OZ7NkPpqoJGVFFQ8yUpe//DNSB2Ovg1FrwhSKOq/9N61BBwk1INVFDp1hMq45PIa9gI9zW/99inGDeSSQlxa4iafEUEjXZTRYuX7mFjnWm5q7r134J7kyWQtN/jNUZ71F0mvhnemufgpNY/I/D7K6qkONpbDZ2nuzkhfoqugzhHYp467UePM0qmLTLdXGPPMukoGorpWeiSb2T25AEKm7N4A9NwPmdAnoFjAibjF9FAuU03sl+pu9MqFb+1ldsqjNfxhcJmoAUR5vy3pED9ailCb/OCBVTHkDPfTEhGU3waO9tPM+5x2rGB5fe 5bb5976e6902a0c9fba974a880c68c9487ee1e77 0 iQIcBAABCgAGBQJWVyIKAAoJEESTFJTynGdzQosP/0k5bVTerpUKZLjyNuMU8o0eyc7njkX8EyMOyGbtcArKpzO2opSBTRsuCT9Zsk1iiQ1GMTY1quKD7aNr86Hipqo4th/+ZXmLe9mmaCDukKjD0ZYC4dBVUy6RSUAMvdkDP9sZs7CMTO/22a9SqOsKTv3s2NN6XnsBGnmNbvVx5hkAk5hMVNFrjKIaexzI/7bWQIDRo2HQCaWaL06JvWEDSEQd2mynGSXxT/+m4hBnuGg6qxn2pd4XfG0g10tDAFx64HQkWgZqSB+F8z71Cvfjondy1zjJYgtABqNlwCKQJZhRUW2+PblqQnz08TUy83XN2vtisOju4avGcHSaBgBbMvg8Wx4ZtM7sPP9pLrhhOTd5ceERHeTceTJy+iI1SQFvccjrRfs5aJ0zAQX5q6f4bV0zp5SmxkvnZUEkZIoetkM8VrPOYugqx31LtHAWfVT9NM+VkV/rrxLhk6J0giIQvC9MPWxRDileFVDszPiOgTLcxWjOziOLT+xijcj7dtx1b/f2bNCduN5G7i+icjjTlCNtyRPRqhBqn705W7F+xESP2gsscM/1BjQ7TGidU5m1njdkUjbrqm3+Qic6iqkG7SfETHmQB9mHqpJ0hACRPvZlhwB7oimNHllkrlw8UJw9f0SiuLjfERIgVS2EOp+mAia0RU7MlTt19o017M1ffEYL +926e7275cef4f4f2a4251597ee4814748394824c 0 iQIcBAABCgAGBQJWYES4AAoJEESTFJTynGdzdT0P/0O/1frevtr698DwMe6kmJx35P6Bqq8szntMxYucv0HROTfr85JRcCCSvl/2SflDS215QmOxdvYLGLUWPJNz/gURCLpzsT88KLF68Y1tC72nl4Fj+LGIOlsWsvwEqQqw0v4iQkHIfcxI6q7g1r9Hfldf/ju4bzQ4HnKLxm6KNcLLoAsuehVpQ+njHpLmlLAGHU5a84B7xeXHFR+U/EBPxSdm637rNhmpLpkuK2Mym/Mzv7BThKDstpB8lhFHIwAVNqi3Cy4nGYxFZOJpooUN9pDornqAwuzHmOAMs9+49L8GZ1de5PBRGyFKibzjBIUWPEU9EIkfJVaVwTlqYK8Q/IRi9HjITPx6GpE8cZhdSvAibrQdb6BbIDrZ8eCvD9vnod6Uk0Jb9/ui6nCF9x+CN/3Qez4epV5+JCMYsqCiXFkVPm9Lab6L2eGZis7Q2TXImA/sSV+E4BGfH2urpkKlnuXTTtDp4XRG+lOISkIBXgjVY+uy8soVKNdx1gv+LeY8hu/oQ2NyOlaOeL47aSQ3who4Pk6pVRUOl6zfcKo9Vs6xDWm35A3Z6x/mrAENaXasB0JrfY5nIbefJUpbeSmi76fYldU98HdQNHPHCSeiKVYl7v/B6gi2JXp5xngLZz/5VVAurago7sRmpIp7G/AqU6LNE85IUzG8aQz8AfR0d1dW diff -r a29559086628 -r 84cf9062718d .hgtags --- a/.hgtags Wed Dec 02 22:37:51 2015 +0800 +++ b/.hgtags Tue Dec 15 22:24:34 2015 +0800 @@ -50,3 +50,4 @@ 809feaa9408f036734129c77f2b3c7e779d4f099 DROPBEAR_2015.68 1637dbd262124d113e52967df46afd6c715e4fad DROPBEAR_2015.69 79a6ef02307d05cb9dda10465cb5b807baa8f62e DROPBEAR_2015.70 +9a944a243f08be6b22d32f166a0690eb4872462b DROPBEAR_2015.71 diff -r a29559086628 -r 84cf9062718d CHANGES --- a/CHANGES Wed Dec 02 22:37:51 2015 +0800 +++ b/CHANGES Tue Dec 15 22:24:34 2015 +0800 @@ -1,3 +1,18 @@ +2015.71 - 3 December 2015 + +- Fix "bad buf_incrpos" when data is transferred, broke in 2015.69 + +- Fix crash on exit when -p address:port is used, broke in 2015.68, thanks to + Frank Stollenwerk for reporting and investigation + +- Fix building with only ENABLE_CLI_REMOTETCPFWD given, patch from Konstantin Tokarev + +- Fix bad configure script test which didn't work with dash shell, patch from Juergen Daubert, + broke in 2015.70 + +- Fix server race condition that could cause sessions to hang on exit, + https://github.com/robotframework/SSHLibrary/issues/128 + 2015.70 - 26 November 2015 - Fix server password authentication on Linux, broke in 2015.69 diff -r a29559086628 -r 84cf9062718d cli-kex.c --- a/cli-kex.c Wed Dec 02 22:37:51 2015 +0800 +++ b/cli-kex.c Tue Dec 15 22:24:34 2015 +0800 @@ -190,7 +190,7 @@ fp = sign_key_fingerprint(keyblob, keybloblen); if (cli_opts.always_accept_key) { - fprintf(stderr, "\nHost '%s' key accepted unconditionally.\n(%s fingerprint %s)\n", + dropbear_log(LOG_INFO, "\nHost '%s' key accepted unconditionally.\n(%s fingerprint %s)\n", cli_opts.remotehost, algoname, fp); @@ -290,7 +290,7 @@ int ret; if (cli_opts.no_hostkey_check) { - fprintf(stderr, "Caution, skipping hostkey check for %s\n", cli_opts.remotehost); + dropbear_log(LOG_INFO, "Caution, skipping hostkey check for %s\n", cli_opts.remotehost); return; } diff -r a29559086628 -r 84cf9062718d cli-main.c --- a/cli-main.c Wed Dec 02 22:37:51 2015 +0800 +++ b/cli-main.c Tue Dec 15 22:24:34 2015 +0800 @@ -36,7 +36,8 @@ static void cli_dropbear_log(int priority, const char* format, va_list param); #ifdef ENABLE_CLI_PROXYCMD -static void cli_proxy_cmd(int *sock_in, int *sock_out); +static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out); +static void kill_proxy_sighandler(int signo); #endif #if defined(DBMULTI_dbclient) || !defined(DROPBEAR_MULTI) @@ -59,6 +60,12 @@ cli_getopts(argc, argv); +#ifndef DISABLE_SYSLOG + if (opts.usingsyslog) { + startsyslog("dbclient"); + } +#endif + TRACE(("user='%s' host='%s' port='%s'", cli_opts.username, cli_opts.remotehost, cli_opts.remoteport)) @@ -66,10 +73,16 @@ dropbear_exit("signal() error"); } + pid_t proxy_cmd_pid = 0; #ifdef ENABLE_CLI_PROXYCMD if (cli_opts.proxycmd) { - cli_proxy_cmd(&sock_in, &sock_out); + cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid); m_free(cli_opts.proxycmd); + if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR || + signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR || + signal(SIGHUP, kill_proxy_sighandler) == SIG_ERR) { + dropbear_exit("signal() error"); + } } else #endif { @@ -77,7 +90,7 @@ sock_in = sock_out = -1; } - cli_session(sock_in, sock_out, progress); + cli_session(sock_in, sock_out, progress, proxy_cmd_pid); /* not reached */ return -1; @@ -111,13 +124,19 @@ exit(exitcode); } -static void cli_dropbear_log(int UNUSED(priority), +static void cli_dropbear_log(int priority, const char* format, va_list param) { char printbuf[1024]; vsnprintf(printbuf, sizeof(printbuf), format, param); +#ifndef DISABLE_SYSLOG + if (opts.usingsyslog) { + syslog(priority, "%s", printbuf); + } +#endif + fprintf(stderr, "%s: %s\n", cli_opts.progname, printbuf); fflush(stderr); } @@ -132,16 +151,21 @@ } #ifdef ENABLE_CLI_PROXYCMD -static void cli_proxy_cmd(int *sock_in, int *sock_out) { +static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) { int ret; fill_passwd(cli_opts.own_user); ret = spawn_command(exec_proxy_cmd, cli_opts.proxycmd, - sock_out, sock_in, NULL, NULL); + sock_out, sock_in, NULL, pid_out); if (ret == DROPBEAR_FAILURE) { dropbear_exit("Failed running proxy command"); *sock_in = *sock_out = -1; } } + +static void kill_proxy_sighandler(int UNUSED(signo)) { + kill_proxy_command(); + _exit(1); +} #endif /* ENABLE_CLI_PROXYCMD */ diff -r a29559086628 -r 84cf9062718d cli-runopts.c --- a/cli-runopts.c Wed Dec 02 22:37:51 2015 +0800 +++ b/cli-runopts.c Tue Dec 15 22:24:34 2015 +0800 @@ -46,6 +46,7 @@ #ifdef ENABLE_CLI_NETCAT static void add_netcat(const char *str); #endif +static void add_extendedopt(const char *str); static void printhelp() { @@ -64,6 +65,7 @@ "-y Always accept remote host key if unknown\n" "-y -y Don't perform any remote host key checking (caution)\n" "-s Request a subsystem (use by external sftp)\n" + "-o option Set option in OpenSSH-like format ('-o help' to list options)\n" #ifdef ENABLE_CLI_PUBKEY_AUTH "-i (multiple allowed, default %s)\n" #endif @@ -106,6 +108,7 @@ unsigned int i, j; char ** next = 0; enum { + OPT_EXTENDED_OPTIONS, #ifdef ENABLE_CLI_PUBKEY_AUTH OPT_AUTHKEY, #endif @@ -145,6 +148,9 @@ #ifdef ENABLE_CLI_PUBKEY_AUTH cli_opts.privkeys = list_new(); #endif +#ifdef ENABLE_CLI_ANYTCPFWD + cli_opts.exit_on_fwd_failure = 0; +#endif #ifdef ENABLE_CLI_LOCALTCPFWD cli_opts.localfwds = list_new(); opts.listen_fwd_all = 0; @@ -167,6 +173,9 @@ opts.cipher_list = NULL; opts.mac_list = NULL; #endif +#ifndef DISABLE_SYSLOG + opts.usingsyslog = 0; +#endif /* not yet opts.ipv4 = 1; opts.ipv6 = 1; @@ -224,6 +233,9 @@ case 's': cli_opts.is_subsystem = 1; break; + case 'o': + opt = OPT_EXTENDED_OPTIONS; + break; #ifdef ENABLE_CLI_LOCALTCPFWD case 'L': opt = OPT_LOCALTCPFWD; @@ -301,7 +313,6 @@ print_version(); exit(EXIT_SUCCESS); break; - case 'o': case 'b': next = &dummy; default: @@ -321,6 +332,11 @@ dropbear_exit("Missing argument"); } + if (opt == OPT_EXTENDED_OPTIONS) { + TRACE(("opt extended")) + add_extendedopt(&argv[i][j]); + } + else #ifdef ENABLE_CLI_PUBKEY_AUTH if (opt == OPT_AUTHKEY) { TRACE(("opt authkey")) @@ -475,7 +491,7 @@ keytype = DROPBEAR_SIGNKEY_ANY; if ( readhostkey(filename, key, &keytype) != DROPBEAR_SUCCESS ) { if (warnfail) { - fprintf(stderr, "Failed loading keyfile '%s'\n", filename); + dropbear_log(LOG_WARNING, "Failed loading keyfile '%s'\n", filename); } sign_key_free(key); } else { @@ -806,3 +822,64 @@ dropbear_exit("Bad TCP port in '%s'", origstr); } #endif + +static int match_extendedopt(const char** strptr, const char *optname) { + int optlen = strlen(optname); + const char *str = *strptr; + + if (strncasecmp(str, optname, optlen) != 0) { + return DROPBEAR_FAILURE; + } + + str += optlen; + + if (*str == '=') { + *strptr = str+1; + return DROPBEAR_SUCCESS; + } else { + return DROPBEAR_FAILURE; + } + +} + +static int parse_flag_value(const char *value) { + if (strcmp(value, "yes") == 0 || strcmp(value, "true") == 0) { + return 1; + } else if (strcmp(value, "no") == 0 || strcmp(value, "false") == 0) { + return 0; + } + + dropbear_exit("Bad yes/no argument '%s'", value); +} + +static void add_extendedopt(const char* origstr) { + const char *optstr = origstr; + + if (strcmp(origstr, "help") == 0) { + dropbear_log(LOG_INFO, "Available options:\n" +#ifdef ENABLE_CLI_ANYTCPFWD + "\tExitOnForwardFailure\n" +#endif +#ifndef DISABLE_SYSLOG + "\tUseSyslog\n" +#endif + ); + exit(EXIT_SUCCESS); + } + +#ifdef ENABLE_CLI_ANYTCPFWD + if (match_extendedopt(&optstr, "ExitOnForwardFailure") == DROPBEAR_SUCCESS) { + cli_opts.exit_on_fwd_failure = parse_flag_value(optstr); + return; + } +#endif + +#ifndef DISABLE_SYSLOG + if (match_extendedopt(&optstr, "UseSyslog") == DROPBEAR_SUCCESS) { + opts.usingsyslog = parse_flag_value(optstr); + return; + } +#endif + + dropbear_log(LOG_WARNING, "Ignoring unknown configuration option '%s'", origstr); +} diff -r a29559086628 -r 84cf9062718d cli-session.c --- a/cli-session.c Wed Dec 02 22:37:51 2015 +0800 +++ b/cli-session.c Tue Dec 15 22:24:34 2015 +0800 @@ -41,7 +41,7 @@ static void cli_remoteclosed() ATTRIB_NORETURN; static void cli_sessionloop(); -static void cli_session_init(); +static void cli_session_init(pid_t proxy_cmd_pid); static void cli_finished() ATTRIB_NORETURN; static void recv_msg_service_accept(void); static void cli_session_cleanup(void); @@ -104,7 +104,7 @@ update_channel_prio(); } -void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress) { +void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress, pid_t proxy_cmd_pid) { common_session_init(sock_in, sock_out); @@ -115,8 +115,7 @@ chaninitialise(cli_chantypes); /* Set up cli_ses vars */ - cli_session_init(); - + cli_session_init(proxy_cmd_pid); /* Ready to go */ sessinitdone = 1; @@ -140,7 +139,7 @@ } #endif -static void cli_session_init() { +static void cli_session_init(pid_t proxy_cmd_pid) { cli_ses.state = STATE_NOTHING; cli_ses.kex_state = KEX_NOTHING; @@ -159,6 +158,8 @@ cli_ses.retval = EXIT_SUCCESS; /* Assume it's clean if we don't get a specific exit status */ + cli_ses.proxy_cmd_pid = proxy_cmd_pid; + TRACE(("proxy command PID='%d'", proxy_cmd_pid)); /* Auth */ cli_ses.lastprivkey = NULL; @@ -268,6 +269,11 @@ return; case USERAUTH_SUCCESS_RCVD: +#ifndef DISABLE_SYSLOG + if (opts.usingsyslog) { + dropbear_log(LOG_INFO, "Authentication succeeded."); + } +#endif #ifdef DROPBEAR_NONE_CIPHER if (cli_ses.cipher_none_after_auth) @@ -334,12 +340,25 @@ } +void kill_proxy_command(void) { + /* + * Send SIGHUP to proxy command if used. We don't wait() in + * case it hangs and instead rely on init to reap the child + */ + if (cli_ses.proxy_cmd_pid > 1) { + TRACE(("killing proxy command with PID='%d'", cli_ses.proxy_cmd_pid)); + kill(cli_ses.proxy_cmd_pid, SIGHUP); + } +} + static void cli_session_cleanup(void) { if (!sessinitdone) { return; } + kill_proxy_command(); + /* Set std{in,out,err} back to non-blocking - busybox ash dies nastily if * we don't revert the flags */ fcntl(cli_ses.stdincopy, F_SETFL, cli_ses.stdinflags); diff -r a29559086628 -r 84cf9062718d cli-tcpfwd.c --- a/cli-tcpfwd.c Wed Dec 02 22:37:51 2015 +0800 +++ b/cli-tcpfwd.c Tue Dec 15 22:24:34 2015 +0800 @@ -60,6 +60,23 @@ }; #endif +#ifdef ENABLE_CLI_ANYTCPFWD +static void fwd_failed(const char* format, ...) ATTRIB_PRINTF(1,2); +void fwd_failed(const char* format, ...) +{ + va_list param; + va_start(param, format); + + if (cli_opts.exit_on_fwd_failure) { + _dropbear_exit(EXIT_FAILURE, format, param); + } else { + _dropbear_log(LOG_WARNING, format, param); + } + + va_end(param); +} +#endif + #ifdef ENABLE_CLI_LOCALTCPFWD void setup_localtcp() { m_list_elem *iter; @@ -75,7 +92,7 @@ fwd->connectaddr, fwd->connectport); if (ret == DROPBEAR_FAILURE) { - dropbear_log(LOG_WARNING, "Failed local port forward %s:%d:%s:%d", + fwd_failed("Failed local port forward %s:%d:%s:%d", fwd->listenaddr, fwd->listenport, fwd->connectaddr, @@ -181,7 +198,10 @@ struct TCPFwdEntry *fwd = (struct TCPFwdEntry*)iter->item; if (!fwd->have_reply) { fwd->have_reply = 1; - dropbear_log(LOG_WARNING, "Remote TCP forward request failed (port %d -> %s:%d)", fwd->listenport, fwd->connectaddr, fwd->connectport); + fwd_failed("Remote TCP forward request failed (port %d -> %s:%d)", + fwd->listenport, + fwd->connectaddr, + fwd->connectport); return; } } diff -r a29559086628 -r 84cf9062718d common-algo.c --- a/common-algo.c Wed Dec 02 22:37:51 2015 +0800 +++ b/common-algo.c Tue Dec 15 22:24:34 2015 +0800 @@ -249,7 +249,8 @@ }; static const struct dropbear_kex kex_dh_group1 = {DROPBEAR_KEX_NORMAL_DH, dh_p_1, DH_P_1_LEN, NULL, &sha1_desc }; -static const struct dropbear_kex kex_dh_group14 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha1_desc }; +static const struct dropbear_kex kex_dh_group14_sha1 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha1_desc }; +static const struct dropbear_kex kex_dh_group14_sha256 = {DROPBEAR_KEX_NORMAL_DH, dh_p_14, DH_P_14_LEN, NULL, &sha256_desc }; /* These can't be const since dropbear_ecc_fill_dp() fills out ecc_curve at runtime */ @@ -285,7 +286,8 @@ {"ecdh-sha2-nistp256", 0, &kex_ecdh_nistp256, 1, NULL}, #endif #endif - {"diffie-hellman-group14-sha1", 0, &kex_dh_group14, 1, NULL}, + {"diffie-hellman-group14-sha256", 0, &kex_dh_group14_sha256, 1, NULL}, + {"diffie-hellman-group14-sha1", 0, &kex_dh_group14_sha1, 1, NULL}, {"diffie-hellman-group1-sha1", 0, &kex_dh_group1, 1, NULL}, #ifdef USE_KEXGUESS2 {KEXGUESS2_ALGO_NAME, KEXGUESS2_ALGO_ID, NULL, 1, NULL}, diff -r a29559086628 -r 84cf9062718d dbclient.1 --- a/dbclient.1 Wed Dec 02 22:37:51 2015 +0800 +++ b/dbclient.1 Tue Dec 15 22:24:34 2015 +0800 @@ -127,6 +127,22 @@ .B \-m \fIMAClist Specify a comma separated list of authentication MACs to enable. Use \fI-m help\fR to list possibilities. .TP +.B \-o \fIoption +Can be used to give options in the format used by OpenSSH config file. This is +useful for specifying options for which there is no separate command-line flag. +For full details of the options listed below, and their possible values, see +ssh_config(5). + +For now following options have been implemented: +.RS +.TP +.B ExitOnForwardFailure +Specifies whether dbclient should terminate the connection if it cannot set up all requested local and remote port forwardings. The argument must be “yes” or “no”. The default is “no”. +.TP +.B UseSyslog +Send dbclient log messages to syslog in addition to stderr. +.RE +.TP .B \-s The specified command will be requested as a subsystem, used for sftp. Dropbear doesn't implement sftp itself but the OpenSSH sftp client can be used eg \fIsftp -S dbclient user@host\fR .TP diff -r a29559086628 -r 84cf9062718d dbutil.c --- a/dbutil.c Wed Dec 02 22:37:51 2015 +0800 +++ b/dbutil.c Tue Dec 15 22:24:34 2015 +0800 @@ -84,9 +84,9 @@ #endif #ifndef DISABLE_SYSLOG -void startsyslog() { +void startsyslog(const char *ident) { - openlog(PROGNAME, LOG_PID, LOG_AUTHPRIV); + openlog(ident, LOG_PID, LOG_AUTHPRIV); } #endif /* DISABLE_SYSLOG */ diff -r a29559086628 -r 84cf9062718d dbutil.h --- a/dbutil.h Wed Dec 02 22:37:51 2015 +0800 +++ b/dbutil.h Tue Dec 15 22:24:34 2015 +0800 @@ -31,7 +31,7 @@ #include "queue.h" #ifndef DISABLE_SYSLOG -void startsyslog(); +void startsyslog(const char *ident); #endif #ifdef __GNUC__ diff -r a29559086628 -r 84cf9062718d debian/changelog --- a/debian/changelog Wed Dec 02 22:37:51 2015 +0800 +++ b/debian/changelog Tue Dec 15 22:24:34 2015 +0800 @@ -1,3 +1,9 @@ +dropbear (2015.71-0.1) unstable; urgency=low + + * New upstream release. + + -- Matt Johnston Thu, 3 Dec 2015 22:52:58 +0800 + dropbear (2015.70-0.1) unstable; urgency=low * New upstream release. diff -r a29559086628 -r 84cf9062718d runopts.h --- a/runopts.h Wed Dec 02 22:37:51 2015 +0800 +++ b/runopts.h Tue Dec 15 22:24:34 2015 +0800 @@ -40,6 +40,7 @@ unsigned int recv_window; time_t keepalive_secs; /* Time between sending keepalives. 0 is off */ time_t idle_timeout_secs; /* Exit if no traffic is sent/received in this time */ + int usingsyslog; #ifndef DISABLE_ZLIB /* TODO: add a commandline flag. Currently this is on by default if compression @@ -70,9 +71,9 @@ char * bannerfile; int forkbg; - int usingsyslog; - /* ports is an array of the portcount listening ports */ + /* ports and addresses are arrays of the portcount + listening ports. strings are malloced. */ char *ports[DROPBEAR_MAX_PORTS]; unsigned int portcount; char *addresses[DROPBEAR_MAX_PORTS]; @@ -139,6 +140,9 @@ #ifdef ENABLE_CLI_PUBKEY_AUTH m_list *privkeys; /* Keys to use for public-key auth */ #endif +#ifdef ENABLE_CLI_ANYTCPFWD + int exit_on_fwd_failure; +#endif #ifdef ENABLE_CLI_REMOTETCPFWD m_list * remotefwds; #endif diff -r a29559086628 -r 84cf9062718d session.h --- a/session.h Wed Dec 02 22:37:51 2015 +0800 +++ b/session.h Tue Dec 15 22:24:34 2015 +0800 @@ -61,9 +61,10 @@ void svr_dropbear_log(int priority, const char* format, va_list param); /* Client */ -void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress) ATTRIB_NORETURN; +void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress, pid_t proxy_cmd_pid) ATTRIB_NORETURN; void cli_connected(int result, int sock, void* userdata, const char *errstring); void cleantext(char* dirtytext); +void kill_proxy_command(); /* crypto parameters that are stored individually for transmit and receive */ struct key_context_directional { @@ -304,6 +305,7 @@ struct AgentkeyList *agentkeys; /* Keys to use for public-key auth */ #endif + pid_t proxy_cmd_pid; }; /* Global structs storing the state */ diff -r a29559086628 -r 84cf9062718d svr-main.c --- a/svr-main.c Wed Dec 02 22:37:51 2015 +0800 +++ b/svr-main.c Tue Dec 15 22:24:34 2015 +0800 @@ -145,7 +145,7 @@ if (svr_opts.forkbg) { int closefds = 0; #ifndef DEBUG_TRACE - if (!svr_opts.usingsyslog) { + if (!opts.usingsyslog) { closefds = 1; } #endif @@ -367,8 +367,8 @@ struct sigaction sa_chld; #ifndef DISABLE_SYSLOG - if (svr_opts.usingsyslog) { - startsyslog(); + if (opts.usingsyslog) { + startsyslog(PROGNAME); } #endif diff -r a29559086628 -r 84cf9062718d svr-runopts.c --- a/svr-runopts.c Wed Dec 02 22:37:51 2015 +0800 +++ b/svr-runopts.c Tue Dec 15 22:24:34 2015 +0800 @@ -33,7 +33,7 @@ svr_runopts svr_opts; /* GLOBAL */ static void printhelp(const char * progname); -static void addportandaddress(char* spec); +static void addportandaddress(const char* spec); static void loadhostkey(const char *keyfile, int fatal_duplicate); static void addhostkey(const char *keyfile); @@ -158,7 +158,7 @@ svr_opts.domotd = 1; #endif #ifndef DISABLE_SYSLOG - svr_opts.usingsyslog = 1; + opts.usingsyslog = 1; #endif opts.recv_window = DEFAULT_RECV_WINDOW; opts.keepalive_secs = DEFAULT_KEEPALIVE; @@ -189,7 +189,7 @@ break; #ifndef DISABLE_SYSLOG case 'E': - svr_opts.usingsyslog = 0; + opts.usingsyslog = 0; break; #endif #ifdef ENABLE_SVR_LOCALTCPFWD @@ -348,54 +348,56 @@ } } -static void addportandaddress(char* spec) { - - char *myspec = NULL; +static void addportandaddress(const char* spec) { + char *spec_copy = NULL, *myspec = NULL, *port = NULL, *address = NULL; if (svr_opts.portcount < DROPBEAR_MAX_PORTS) { /* We don't free it, it becomes part of the runopt state */ - myspec = m_strdup(spec); + spec_copy = m_strdup(spec); + myspec = spec_copy; if (myspec[0] == '[') { myspec++; - svr_opts.ports[svr_opts.portcount] = strchr(myspec, ']'); - if (svr_opts.ports[svr_opts.portcount] == NULL) { + port = strchr(myspec, ']'); + if (!port) { /* Unmatched [ -> exit */ dropbear_exit("Bad listen address"); } - svr_opts.ports[svr_opts.portcount][0] = '\0'; - svr_opts.ports[svr_opts.portcount]++; - if (svr_opts.ports[svr_opts.portcount][0] != ':') { + port[0] = '\0'; + port++; + if (port[0] != ':') { /* Missing port -> exit */ dropbear_exit("Missing port"); } } else { /* search for ':', that separates address and port */ - svr_opts.ports[svr_opts.portcount] = strrchr(myspec, ':'); + port = strrchr(myspec, ':'); } - if (svr_opts.ports[svr_opts.portcount] == NULL) { + if (!port) { /* no ':' -> the whole string specifies just a port */ - svr_opts.ports[svr_opts.portcount] = myspec; + port = myspec; } else { /* Split the address/port */ - svr_opts.ports[svr_opts.portcount][0] = '\0'; - svr_opts.ports[svr_opts.portcount]++; - svr_opts.addresses[svr_opts.portcount] = myspec; + port[0] = '\0'; + port++; + address = myspec; } - if (svr_opts.addresses[svr_opts.portcount] == NULL) { + if (!address) { /* no address given -> fill in the default address */ - svr_opts.addresses[svr_opts.portcount] = m_strdup(DROPBEAR_DEFADDRESS); + address = DROPBEAR_DEFADDRESS; } - if (svr_opts.ports[svr_opts.portcount][0] == '\0') { + if (port[0] == '\0') { /* empty port -> exit */ dropbear_exit("Bad port"); } - + svr_opts.ports[svr_opts.portcount] = m_strdup(port); + svr_opts.addresses[svr_opts.portcount] = m_strdup(address); svr_opts.portcount++; + m_free(spec_copy); } } diff -r a29559086628 -r 84cf9062718d svr-session.c --- a/svr-session.c Wed Dec 02 22:37:51 2015 +0800 +++ b/svr-session.c Tue Dec 15 22:24:34 2015 +0800 @@ -204,7 +204,7 @@ vsnprintf(printbuf, sizeof(printbuf), format, param); #ifndef DISABLE_SYSLOG - if (svr_opts.usingsyslog) { + if (opts.usingsyslog) { syslog(priority, "%s", printbuf); } #endif @@ -215,8 +215,7 @@ havetrace = debug_trace; #endif - if (!svr_opts.usingsyslog || havetrace) - { + if (!opts.usingsyslog || havetrace) { struct tm * local_tm = NULL; timesec = time(NULL); local_tm = localtime(×ec); diff -r a29559086628 -r 84cf9062718d sysoptions.h --- a/sysoptions.h Wed Dec 02 22:37:51 2015 +0800 +++ b/sysoptions.h Tue Dec 15 22:24:34 2015 +0800 @@ -4,7 +4,7 @@ *******************************************************************/ #ifndef DROPBEAR_VERSION -#define DROPBEAR_VERSION "2015.70" +#define DROPBEAR_VERSION "2015.71" #endif #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION