# HG changeset patch # User Matt Johnston # Date 1422456595 -28800 # Node ID 0aa1feb8addaef534ba63d3a94c36827bffa38d8 # Parent e753169068525723da0114fed3acb5a633be6870# Parent f19be6a28d7e258ec9048041c85b48a3f100ebbf merge diff -r e75316906852 -r 0aa1feb8adda CHANGES --- a/CHANGES Wed Jan 28 21:40:34 2015 +0800 +++ b/CHANGES Wed Jan 28 22:49:55 2015 +0800 @@ -1,3 +1,32 @@ +2015.67 - Wednesday 28 January 2015 + +- Call fsync() after generating private keys to ensure they aren't lost if a + reboot occurs. Thanks to Peter Korsgaard + +- Disable non-delayed zlib compression by default on the server. Can be + enabled if required for old clients with DROPBEAR_SERVER_DELAY_ZLIB + +- Default client key path ~/.ssh/id_dropbear + +- Prefer stronger algorithms by default, from Fedor Brunner. + AES256 over 3DES + Diffie-hellman group14 over group1 + +- Add option to disable CBC ciphers. + +- Disable twofish in default options.h + +- Enable sha2 HMAC algorithms by default, the code was already required + for ECC key exchange. sha1 is the first preference still for performance. + +- Fix installing dropbear.8 in a separate build directory, from Like Ma + +- Allow configure to succeed if libtomcrypt/libtommath are missing, from Elan Ruusamäe + +- Don't crash if ssh-agent provides an unknown type of key. From Catalin Patulea + +- Minor bug fixes, a few issues found by Coverity scan + 2014.66 - Thursday 23 October 2014 - Use the same keepalive handling behaviour as OpenSSH. This will work better diff -r e75316906852 -r 0aa1feb8adda configure.ac --- a/configure.ac Wed Jan 28 21:40:34 2015 +0800 +++ b/configure.ac Wed Jan 28 22:49:55 2015 +0800 @@ -660,6 +660,7 @@ AC_EXEEXT # XXX there must be a nicer way to do this +if test $BUNDLED_LIBTOM = 1 ; then AS_MKDIR_P(libtomcrypt/src/ciphers/aes) AS_MKDIR_P(libtomcrypt/src/ciphers/safer) AS_MKDIR_P(libtomcrypt/src/ciphers/twofish) @@ -710,8 +711,10 @@ AS_MKDIR_P(libtomcrypt/src/pk/pkcs1) AS_MKDIR_P(libtomcrypt/src/pk/rsa) AS_MKDIR_P(libtomcrypt/src/prngs) +LIBTOM_FILES="libtomcrypt/Makefile libtommath/Makefile" +fi AC_CONFIG_HEADER(config.h) -AC_CONFIG_FILES(Makefile libtomcrypt/Makefile libtommath/Makefile) +AC_CONFIG_FILES(Makefile $LIBTOM_FILES) AC_OUTPUT AC_MSG_NOTICE() diff -r e75316906852 -r 0aa1feb8adda dbclient.1 --- a/dbclient.1 Wed Jan 28 21:40:34 2015 +0800 +++ b/dbclient.1 Wed Jan 28 22:49:55 2015 +0800 @@ -33,7 +33,7 @@ Read the identity key from file .I idfile (multiple allowed). This file is created with dropbearkey(1) or converted -from OpenSSH with dropbearconvert(1). +from OpenSSH with dropbearconvert(1). The default path ~/.ssh/id_dropbear is used .TP .B \-L [\fIlistenaddress\fR]:\fIlistenport\fR:\fIhost\fR:\fIport\fR Local port forwarding. diff -r e75316906852 -r 0aa1feb8adda dbutil.h --- a/dbutil.h Wed Jan 28 21:40:34 2015 +0800 +++ b/dbutil.h Wed Jan 28 22:49:55 2015 +0800 @@ -91,7 +91,7 @@ void * m_malloc(size_t size); void * m_strdup(const char * str); void * m_realloc(void* ptr, size_t size); -#define m_free(X) free(X); (X) = NULL; +#define m_free(X) do {free(X); (X) = NULL;} while (0); void m_burn(void* data, unsigned int len); void setnonblocking(int fd); void disallow_core(); diff -r e75316906852 -r 0aa1feb8adda dropbearconvert.1 --- a/dropbearconvert.1 Wed Jan 28 21:40:34 2015 +0800 +++ b/dropbearconvert.1 Wed Jan 28 22:49:55 2015 +0800 @@ -39,9 +39,9 @@ An existing Dropbear or OpenSSH private key file .TP .B output file -The path to write the converted private key file +The path to write the converted private key file. For client authentication ~/.ssh/id_dropbear is loaded by default .SH EXAMPLE - # dropbearconvert openssh dropbear ~/.ssh/id_rsa ~/.ssh/dropbear_priv + # dropbearconvert openssh dropbear ~/.ssh/id_rsa ~/.ssh/id_dropbear .SH AUTHOR Matt Johnston (matt@ucc.asn.au). .SH SEE ALSO diff -r e75316906852 -r 0aa1feb8adda dropbearkey.1 --- a/dropbearkey.1 Wed Jan 28 21:40:34 2015 +0800 +++ b/dropbearkey.1 Wed Jan 28 22:49:55 2015 +0800 @@ -33,7 +33,7 @@ .TP .B \-f \fIfile Write the secret key to the file -.IR file . +.IR file . For client authentication ~/.ssh/id_dropbear is loaded by default .TP .B \-s \fIbits Set the key size to diff -r e75316906852 -r 0aa1feb8adda ecdsa.c --- a/ecdsa.c Wed Jan 28 21:40:34 2015 +0800 +++ b/ecdsa.c Wed Jan 28 22:49:55 2015 +0800 @@ -131,6 +131,7 @@ if (buf_getmpint(buf, new_key->k) != DROPBEAR_SUCCESS) { ecc_free(new_key); + m_free(new_key); return NULL; } diff -r e75316906852 -r 0aa1feb8adda keyimport.c --- a/keyimport.c Wed Jan 28 21:40:34 2015 +0800 +++ b/keyimport.c Wed Jan 28 22:49:55 2015 +0800 @@ -810,7 +810,7 @@ } m_burn(key->keyblob, key->keyblob_size); m_free(key->keyblob); - m_burn(key, sizeof(key)); + m_burn(key, sizeof(*key)); m_free(key); if (errmsg) { fprintf(stderr, "Error: %s\n", errmsg); diff -r e75316906852 -r 0aa1feb8adda svr-main.c --- a/svr-main.c Wed Jan 28 21:40:34 2015 +0800 +++ b/svr-main.c Wed Jan 28 22:49:55 2015 +0800 @@ -343,6 +343,7 @@ sa_chld.sa_handler = sigchld_handler; sa_chld.sa_flags = SA_NOCLDSTOP; + sigemptyset(&sa_chld.sa_mask); if (sigaction(SIGCHLD, &sa_chld, NULL) < 0) { dropbear_exit("signal() error"); }