# HG changeset patch
# User Matt Johnston
# Date 1519312005 -28800
# Node ID b918ad1c5b256e4cf3e4b6a98e4c104a1fe69db7
# Parent 2e9b6d9c7e7d55e4a86e7ffd1345a73ed9bd484d
# Parent ed930fd6f60f35ad4f83a4cf05a433a8a593f778
Merge branch 'master' of git://github.com/stellarpower/dropbear into stellarpower-master
diff -r ed930fd6f60f -r b918ad1c5b25 CHANGES
--- a/CHANGES Tue Feb 20 02:11:55 2018 +0000
+++ b/CHANGES Thu Feb 22 23:06:45 2018 +0800
@@ -2,7 +2,7 @@ - IMPORTANT: Custom configuration is now specified in local_options.h rather than options.h - Available options and defaults can be seen in default_options.h.in + Available options and defaults can be seen in default_options.h To migrate your configuration, compare your customised options.h against the upstream options.h from your relevant version. Any customised options should
diff -r ed930fd6f60f -r b918ad1c5b25 INSTALL
--- a/INSTALL Tue Feb 20 02:11:55 2018 +0000
+++ b/INSTALL Thu Feb 22 23:06:45 2018 +0800
@@ -1,7 +1,7 @@ Basic Dropbear build instructions: - Edit localoptions.h to set which features you want. Available options - are described in default_options.h.in, these will be overridden by + are described in default_options.h, these will be overridden by anything set in localoptions.h - If using a Mercurial or Git checkout, "autoconf; autoheader"
diff -r ed930fd6f60f -r b918ad1c5b25 TODO
--- a/TODO Tue Feb 20 02:11:55 2018 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,27 +0,0 @@
-Current:
-
-Things which might need doing:
-
-- default private dbclient keys
-
-- Make options.h generated from configure perhaps?
-
-- handle /etc/environment in AIX
-
-- check that there aren't timing issues with valid/invalid user authentication
- feedback.
-
-- Binding to different interfaces
-
-- CTR mode
-- SSH_MSG_IGNORE sending to improve CBC security
-- DH Group Exchange possibly, or just add group14 (whatever it's called today)
-
-- fix scp.c for IRIX
-
-- Be able to use OpenSSH keys for the client? or at least have some form of
- encrypted keys.
-
-- Client agent forwarding
-
-- Handle restrictions in ~/.ssh/authorized_keys ?
diff -r ed930fd6f60f -r b918ad1c5b25 common-algo.c
--- a/common-algo.c Tue Feb 20 02:11:55 2018 +0000
+++ b/common-algo.c Thu Feb 22 23:06:45 2018 +0800
@@ -276,6 +276,7 @@ algo_type sshkex[] = { #if DROPBEAR_CURVE25519 + {"curve25519-sha256", 0, &kex_curve25519, 1, NULL}, {"curve25519-sha256@libssh.org", 0, &kex_curve25519, 1, NULL}, #endif #if DROPBEAR_ECDH
diff -r ed930fd6f60f -r b918ad1c5b25 common-session.c
--- a/common-session.c Tue Feb 20 02:11:55 2018 +0000
+++ b/common-session.c Thu Feb 22 23:06:45 2018 +0800
@@ -136,7 +136,7 @@ TRACE(("leave session_init")) } -void session_loop(void(*loophandler)()) { +void session_loop(void(*loophandler)(void)) { fd_set readfd, writefd; struct timeval timeout;
diff -r ed930fd6f60f -r b918ad1c5b25 dropbear.8
--- a/dropbear.8 Tue Feb 20 02:11:55 2018 +0000
+++ b/dropbear.8 Thu Feb 22 23:06:45 2018 +0800
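Review bot: In common-algo.c the new `curve25519-sha256` entry in `sshkex[]` has no comment explaining why the same `kex_curve25519` method is now advertised under two names. A one-line comment above the pair, for example `/* "curve25519-sha256" is the standardised name; the "@libssh.org" name is the older alias for the same method, kept for peers that only know it */`, would stop a later cleanup from dropping one of them. The array starts and continues outside the hunk, so the preference order relative to the ECDH and DH entries cannot be checked from here.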
@@ -148,8 +148,10 @@ Host key files are read at startup from a standard location, by default /etc/dropbear/dropbear_dss_host_key, /etc/dropbear/dropbear_rsa_host_key, and /etc/dropbear/dropbear_ecdsa_host_key -or specified on the commandline with -r. These are of the form generated -by dropbearkey. The -R option can be used to automatically generate keys + +If the -r command line option is specified the default files are not loaded. +Host key files are of the form generated by dropbearkey. +The -R option can be used to automatically generate keys in the default location - keys will be generated after startup when the first connection is established. This had the benefit that the system /dev/urandom random number source has a better chance of being securely seeded.
diff -r ed930fd6f60f -r b918ad1c5b25 rsa.c
--- a/rsa.c Tue Feb 20 02:11:55 2018 +0000
+++ b/rsa.c Thu Feb 22 23:06:45 2018 +0800
@@ -68,6 +68,12 @@ goto out; } + /* 64 bit is limit used by openssl, so we won't block any keys in the wild */ + if (mp_count_bits(key->e) > 64) { + dropbear_log(LOG_WARNING, "RSA key bad e"); + goto out; + } + TRACE(("leave buf_get_rsa_pub_key: success")) ret = DROPBEAR_SUCCESS; out:
diff -r ed930fd6f60f -r b918ad1c5b25 session.h
--- a/session.h Tue Feb 20 02:11:55 2018 +0000
+++ b/session.h Thu Feb 22 23:06:45 2018 +0800
@@ -40,7 +40,7 @@ #include "netio.h" void common_session_init(int sock_in, int sock_out); -void session_loop(void(*loophandler)()) ATTRIB_NORETURN; +void session_loop(void(*loophandler)(void)) ATTRIB_NORETURN; void session_cleanup(void); void send_session_identification(void); void send_msg_ignore(void);
diff -r ed930fd6f60f -r b918ad1c5b25 svr-runopts.c
--- a/svr-runopts.c Tue Feb 20 02:11:55 2018 +0000
+++ b/svr-runopts.c Thu Feb 22 23:06:45 2018 +0800
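Review bot: The new exponent check in rsa.c (in the function whose trace string names it buf_get_rsa_pub_key) bounds `key->e` only from above, so a degenerate public exponent such as 1, or any even value, still passes the lines shown. A key with e = 1 gives no signature security, because verification then reduces to comparing the signature with the encoded message. Unless the part of the function above the hunk already rejects such values, extend the condition, for example `if (mp_count_bits(key->e) > 64 || mp_cmp_d(key->e, 3) == MP_LT || mp_iseven(key->e)) {`. The message `"RSA key bad e"` could also say which bound failed, which helps when triaging rejected keys from the log.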
@@ -532,17 +532,20 @@ m_free(hostkey_file); } + /* Only load default host keys if a host key is not specified by the user */ + if (svr_opts.num_hostkey_files == 0) { #if DROPBEAR_RSA - loadhostkey(RSA_PRIV_FILENAME, 0); + loadhostkey(RSA_PRIV_FILENAME, 0); #endif #if DROPBEAR_DSS - loadhostkey(DSS_PRIV_FILENAME, 0); + loadhostkey(DSS_PRIV_FILENAME, 0); #endif #if DROPBEAR_ECDSA - loadhostkey(ECDSA_PRIV_FILENAME, 0); + loadhostkey(ECDSA_PRIV_FILENAME, 0); #endif + } #if DROPBEAR_DELAY_HOSTKEY if (svr_opts.delay_hostkey) {
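Review bot: The new guard in svr-runopts.c tests `svr_opts.num_hostkey_files == 0`, which counts the -r files that were named rather than the keys that actually loaded, so a mistyped or unreadable -r path now leaves the server without the default keys as a fallback. If that is intended, the comment should say so, for example `/* Only load default host keys if no -r file was given; a -r file that fails to load does not fall back to the defaults */`. It is worth confirming how this combines with the `svr_opts.delay_hostkey` branch that follows, whose body is outside the hunk: with -R, a failed -r load may end with a newly generated key being presented instead of the one the operator specified, and a warning at that point would make the substitution visible. The loop that loads the -r files ends just above the hunk and is not shown.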